This is an old revision of the page Library / Articles / Certified Lies / Evidence, dated 30/03/2010 14:35.


5 Evidence
In October 2009, one of the authors of this paper attended an invitation only conference for the surveillance and lawful interception industry in Washington, DC.¹⁰ Among the many vendor booths on the trade show floor was Packet Forensics, an Arizona based company that sells extremely small, covert surveillance devices for networks.

¹⁰ The author caused national headlines in December of 2009, when he released an audio recording of one of the panel discussions at the same conference in which telecommunications company employees bragged about the extent of their cooperation with government agencies, including the extent to which they provide consumers' GPS location information [21, 22].

The marketing materials (an excerpt of which is included in this paper as Appendix A) for the company's 5-series device reveal that it is a 4 square inch "turnkey intercept solution," designed for "defense and (counter) intelligence applications," capable of "packet modification, injection and replay capabilities" at Gb/sec throughput levels. The company proudly boasts that the surveillance device is perfect for the "Internet cafe problem." Most alarming is the device's ability to engage in active man-in-the-middle attacks:

"Packet Forensics' devices are designed to be inserted-into and removed-from busy networks without causing any noticeable interruption [...] This allows you to conditionally intercept web, e-mail, VoIP and other traffic at-will, even while it remains protected inside an encrypted tunnel on the wire. Using 'man-in-the-middle' to intercept TLS or SSL is essentially an attack against the underlying Diffie-Hellman cryptographic key agreement protocol [...] To use our product in this scenario, [government] users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate 'look-alike' keys designed to give the subject a false sense of confidence in its authenticity."

The company has essentially packaged sslstrip into a 4 square inch appliance,¹¹ ready for government customers to drop onto networks, at a price that is "so cost effective, they're disposable."

The company's CEO, Victor Oppelman, confirmed, in a conversation with the author at the company's booth, the claims made in their marketing materials: that government customers have compelled CAs into issuing certificates for use in surveillance operations. While Mr Oppelman would not reveal which governments have purchased the 5-series device, he did confirm that it has been sold both domestically and to foreign customers.

Because Packet Forensics' products contain encryption technology, anyone wishing to export the 5-series device to foreign countries other than Canada must submit semi-annual reports to both the US Department of Commerce, Bureau of Industry and Security and the National Security Agency [23]. In late October 2009, we submitted a formal request to the Commerce Department to get a list of the foreign purchasers of Packet Forensics' 5-series device. That request has gone unanswered.

¹¹ It is quite possible that the company has created its own implementation of this attack, and is not using the actual sslstrip tool. We have no way of knowing what code it is shipping without a device to analyze.

