[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Speak of the Devil
On Thu, 18 May 2006, Mike Perry wrote:
A few varying thoughts here:
I can't speak for the british government, but if someone came to me and
said "someone is using your SSL-enabled webmail system to traffic kiddie
porn" and felt that somehow the easiest way to sniff their traffic was
with my private key (as opposed to just asking me to tap their spool
dir, tar up their homedir, and gladly hand over any information
associated with them), I'd be more than willing to cooperate. With
probable cause. I know warrants are difficult, but I come from a law
Sadly, the truth here is that if someone is using my server, then the
fedgov HAS to act as if I am in on this, and will likely blow their
investigation if they contact me -- at least this is how procedural rules
are set up for them.
I've investigated kiddie porn complaints on my network, and let me say
this in total seriousness -- while we've all seen the maxim-like young
looking models that are just recently 18 (hell, they advertise on regular
cable here in the states)...every once in a while you come across a site
like the ones in question that is so blatant, so disgusting -- where
there's no question in your mind that yes, that's thirteen. Following
that, there's a fit of nausea and a willingness to research some drug or
amount of voltage that can remove the images you've just seen from your
mind. I'm told the sensation is about ten times worse if you're a parent.
With that said, however...
There's nothing stopping governments from logging the traffic (possibly at
a higher level, like the upstream level) and then getting a subpoena for
whatever key was used to encrypt it.
The PROBLEM with this method is that once the length of the warrant has
expired, 99 percent of people out there DO NOT check CRL's. I myself am
guilty of this. I.e. once the government HAS your key, they've got it for
the lifetime of your cert -- and while you can certainly retire that cert
from use, there's no way to prevent the now-compromised cert and key from
being used creatively for the remainder of the validity period.
Or am I wrong here?
British govt just started pushing for Part III of RIPA citing
terrorism and kiddie porn as major reasons to require people to
disclose encryption keys...
Seems we may have a strong ally on our side on this one. International
bankers might not want the local police requiring them to hand over
keys either, though they certainly have enough political influence to
stop investigations before they start I'm sure...
The UK Crypto thread that spawned this article is here:
One can only hope that the Bill of Rights is enough to keep this
bullshit out of the US, but who knows.
"Don't be so depressed dear."
"I have no endorphins, what am I supposed to do?"
-DM and SK, February 10th, 1999
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM