Это старая редакция страницы Библиотека / Статьи / Certified Lies / Evidence за 30/03/2010 14:35.
5. Свидетельства
5 Evidence
In October 2009, one of the authors of this paper at-
tended an invitation only conference for the surveil-
lance and lawful interception industry in Washing-
ton, DC.10
2009, when he released an audio recording of one of the panel
discussions at the same conference in which telecommunica-
tions company employees bragged about the extent of their
cooperation with government agencies, including the extent
to which they provide consumers' GPS location information
[21, 22].
Among the many vendor booths on the
trade show floor was Packet Forensics, an Arizona
based company that sells extremely small, covert
surveillance devices for networks.
included in this paper as Appendix A) for the com-
pany's 5-series device reveal that it is a 4 square inch
"turnkey intercept solution," designed for "defense
and (counter) intelligence applications," capable of
"packet modification, injection and replay capabil-
ities" at Gb/sec throughput levels. The company
proudly boasts that the surveillance device is per-
fect for the "Internet cafe problem." Most alarming
is the device's ability to engage in active man-in-
the-middle attacks:
be inserted-into and removed-from busy
networks without causing any noticeable
interruption [. . . ] This allows you to con-
ditionally intercept web, e-mail, VoIP and
other traffic at-will, even while it remains
protected inside an encrypted tunnel on
the wire. Using `man-in-the-middle' to in-
tercept TLS or SSL is essentially an at-
tack against the underlying Diffie-Hellman
cryptographic key agreement protocol [. . . ]
To use our product in this scenario, [gov-
ernment] users have the ability to import a
copy of any legitimate key they obtain (po-
tential ly by court order) or they can
generate `look-alike' keys designed to give
the sub ject a false sense of confidence in its
authenticity."
into a 4 square inch appliance,11 ready for govern-
ment customers to drop onto networks, at a price
that is "so cost effective, they're disposable."
firmed, in a conversation with the author at the
company's booth, the claims made in their mar-
keting materials: That government customers have
compelled CAs into issuing certificates for use in
surveillance operations. While Mr Oppelman would
not reveal which governments have purchased the
5-series device, he did confirm that it has been sold
both domestically and to foreign customers.
contain encryption technology, anyone wishing to
export the 5-series device to foreign countries other
than Canada must submit semi-annual reports to
both the US Department of Commerce, Bureau of
Industry and Security and the National Security
implementation of this attack, and is not using the actual
sslstrip tool. We have no way of knowing what code it is
shipping without a device to analyze.
Agency [23]. In late October 2009, we submitted a
formal request to the Commerce Department to get
a list of the foreign purchasers of Packet Forensics's
5-series device. That request has gone unanswered.
Назад | Оглавление | Дальше