From: Tom Rollins <trollins@hns.com>
Date: Thu, 5 Oct 95 07:25:21 PDT
To: cypherpunks@toad.com
Subject: Re: Oct 14 meeting Agenda ? (DC Cypherpunks)
Message-ID: <199510051425.KAA00813@dcn92.hns.com>
MIME-Version: 1.0
Content-Type: text


> >>I figure that as long as we are going to receive...
> >>       ? a commercial message from Digex ?
> >>
> >>We might be able to tap their knowledge base in assesing
> >>the various risks and rewards available by using a Commercial
> >>ISP.
> >>
> >>After all, with the FBI and Scientologists waging war on
> >>the Internet ( capturing keystroaks, siezing computers,
> >>and rummaging through everyones E-mail ), There may be a
> >>way to make life a little more interesting for them.
> 
> >I will be glad to send in my two cents worth - I am not sure that
> >I understand the question though.
> 
> While, I believe in strong crypto for everyone (what cypherpunks doesn't),
> I also believe that much can be done to prevent the wholesale snooping
> of Commercial ISP customers data.  I believe that this data is snooped
> because the ISP's and large number of customers (ignorant of security)
> make this data too easy a target (cost effective).
> 
> While the NSA may follow it's motto (In GOD we trust, the rest we monitor).
> Others may take hostile actions agenst someone whose password or
> personal information has been obtained. (ex. drain bank account, or just
> send spam)
> 
> Some questions that I would like to ask...
> 
> 1 - Assuming that someone from an agengy or someone pretending to
>     be from an agency wanted to capture one or all the ISP customers
>     key presses.  What method would they use ?
> 
>     Would they capture the data at the phone company?
>     Would they tap the raw data stream at the initial ISP router ?
>     Would they route IP packets from the initial ISP router through their
>         own equipment before arriving at the ISP maching running the shell
>         account ?
>     Would they use a Trojin Shell (or telnetd) on a shell account ?
>     Would they inform the ISP and get his help or root access ?
> 
> 2 - What methods could be put into place by the ISP or it's customers
>     to help prevent this snooping activity ?
> 
>     Perhaps an alternative login method (like deslogin or idealogin)
>         trying to protect data through the phone company and IP route
>         to the target machine.
>     Perhaps having a crypto checksum on the shell (telnetd) to detect
>         trojin software.
>     Perhaps sendmail could public key encrypt mail on it's way to the
>         customers directory.
>     Perhaps just raising the customer awareness of security issues
>         and methods at the ISP.  This could affect the mainstream
>         user (joe sixpack) as well as the PGP user.
>     Perhaps ISPs could offer a data archive service/site (foreign site)
>         where data in the form of PGP encrypted E-mail can be saved and
>         retrieved via a robot (something like majordomo).  That way,
>         if your home computer breaks, burns, is stolen, or siezed. You
>         can still retrieve your data at a later time.
> 
> Granted these methods do not prevent a determined attacker from squashing
> an ISP cutomer.  However, it does raise the cost of the effort to single
> out a user and attack him rather that grab cleartext from everyone.
> 
> -tom
>