
Full Disclosure mailing list archives
RE: JAP back doored
From: "Rainer Gerhards" <rgerhards () hq adiscon com>
Date: Mon, 25 Aug 2003 21:37:10 +0200
Drew & others,

Read on, this is not the usual rant...

I think we need to keep two things separate:

1. the behaviour of the JAP team
2. the German law system

If we discuss #1, I am fully in agreement with you - they have screwed up. I tried to research the actual court order, but unfortunately it is not online. What I found was interesting, though. If you look at their statements in the excellent independent Heise news site, you will see a lot of insight. It is in German, but you can run it through babelfish.altavista.com - the translation is good enough to get the idea...

http://www.heise.de/newsticker/data/uma-19.08.03-001/

The bottom line is that, at least as I read it, they kind of cooperated because (as they said) they found it reasonable to do so. But this is not the failure of the German law system - it is the project's failure... And, BTW, I don't have an issue with them trying to monitor a suspect criminal (the child pornography site), but with the fact that they are still saying the service is totally anonymous, which simply is a lie.

But coming to #2...

> Carnivore is supposed to only tap suspects, not everyone.

Yes, and this is exactly what happens here. *If* you trust their statements (I don't) then they only tap those suspects that are trying to access a (suspect) criminal site. The more I think about it, the more it is exactly the same as with phone tapping, Carnivore ... You name it.

Look at phone tapping. I assume even in the US the FBI can get a court order to tap a suspect criminal's phone line if there is sufficient evidence. Now let's assume they have this court order. Now you, the innocent, try to contact this suspect criminal (e.g. to order some child for sexual abuse ;)). Even though there is no court order against you, you are still tapped. Now let's assume that you really tried to "order" a child for sexual abuse. In Germany, you can be prosecuted in this case, even though that court order was not specifically to tap you but the person you called. I am not sure if that is the same in the US. As a side note, every user of the phone system could potentially have been tapped if he had called the party.

Now look at JAP. As I do not see any reason to defend the JAP project (#1 above), let's simply assume their statement is correct and only a single target IP is tapped. Let's further assume this is actually a site that offers child pornography. I assume this is forbidden in the US, too, but again, I am not sure about this (it also doesn't matter, because you are using a German server, so local law applies *to this server* - not you). OK, so any internet user is at risk of being tapped - as is any phone user in the above sample. However, as with the phone, the tap only "engages" if the innocent child pornography user tries to connect to the suspect criminal's servers (that one under the tap order). Now the "innocent" user is recorded. If he hadn't "called" that server, nothing would have happened. You get the idea? I think technically what happens is very similar to the risk any phone user runs when using the phone system...

What makes the big difference, though, is that nobody really believes the phone system is secure - but the JAP project made you believe you were totally anonymous. Effectively, they were breaching their user's risk...

But, honestly, isn't it a little too simple thinking to trust your privacy to a remote project in a foreign country (whose laws you don't know) which is funded by the government? As some pointed out, code review does not help here as you are in need of some server resources and you can't verify the code that actually runs on those servers. The only good thing the JAP team did was to make that modified source public. Just think about it, if they had simply installed the tap, nobody would have noticed...

I think this re-strengthens an old wisdom: never trust somebody else but yourself with your security ;) Just think about the potential of a corrupt mix... What they could do with all the traffic passing by. And keep in mind, there can be criminals among those that run mixes (I have to admit that every now and then some criminals were found among German police officers as probably everywhere else in the world).

> Carnivore captures on the addresses and subject lines of emails, not even the content.

I think (but don't know) JAP captures only the IP addresses. This will also keep you away from German jurisdiction. Let's theoretically think they only capture your IP address. So they need the cooperation of your ISP. No big deal if you are in Germany. But you in the US are protected from German police by the virtue of your citizenship and location. However... If German police talks to US police and a US judge finds the request reasonable, then you will as well be reached by the German police. But all of this within the boundaries of the US law system. Fortunately, again, you are still protected by US jurisdiction which will ultimately decide if that is a valid request. Of course, things change when you enter German soil (and you have been identified before), but this is the same in any country including the US.

> You compare this to the German police forcing German developers to secretly trojanize German software.

Again, although I am not a lawyer, I doubt it is possible to force a developer to install a backdoor or trojanize software. In this case, if you look at #1 above, it was not really forced. Even if there was a court order, it was not defended by the JAP team. If they had, it would have created much more publicity and taken quite a while... This reminds me a little bit of PGP: In the initial days, there were many threads and court orders. But there was Phil Zimmermann who defended all of them. If there had been a Phil Zimmermann at JAP, things may look different now. And, yes, I have to admit I think there are more Phil Zimmermanns in the US than over here...

This case teaches us one important point: it is dangerous to believe anyone who is promising you privacy AND doing this via either software you can't review or resources you don't control. And keep in mind that your ability to review software does not only mean you have access to the source but the time and ability to actually understand what it does - every part of it...

A second finding is - I think - interesting: the Internet is finally becoming mainstream which means law enforcement also begins to understand it and begins to use it. IMHO, this has pros and cons. But it is a fact that we need to become aware of. In a few years, POTS will be legacy and all tapping will be done by tapping IP traffic. I guess we have better chances to keep privacy - but we need to be aware of this changing world.

Finally, a personal opinion on this case: while I find that JAP has severely failed and the law enforcement system is working reasonably well, I also think that in suspect crime cases as this (IF it is the truth), it is actually justified to tap a specific site's users. It is as much justified as I think it is important to stop terrorists from conducting their crimes, wherever they try to strike.

I hope I haven't provided too much noise, but I really think this thread has reminded us of some basics and changes that we may slowly forget...

Rainer

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html