[ntp:questions] Secure NTP

Dave Hart davehart at gmail.com
Fri Mar 25 05:46:20 UTC 2011


On Fri, Mar 25, 2011 at 01:36 UTC, Chris Albertson
<albertson.chris at gmail.com> wrote:
> The most obvious and easy way is that I cut the wire that goes from
> your house to your ISP and place a computer (and modems)  at the cut
> point.  It can change any bit in any packet.  I would not bother with
> your house but a bank, maybe.

It may be the most obvious way, but it sure isn't the easiest.
Physical access on the last mile?  How 1930s.

The easiest way is to snoop and/or man-in-the-middle traffic at a
point close enough to the end user that all the user's traffic is on
one wire, yes.  Such as the ISP PoP.  There you can intercept or
man-in-the-middle using commodity ethernet tools, avoiding expensive
specialized equipment specific to the access technology (DSL, cable,
wireless).

Now, ISP Points of Presence are not palatial, they are likely to be
crammed with equipment and only the minimum space available for human
operators, who largely configure and control them remotely.  Getting a
piece of gear in there is challenging on several levels.

But not to fear, at least here in the Land of Liberty, the so-called
birthplace of freedom, where 1994's CALEA (revised in 2005)
intentionally has opened up our telecommunications networks to easy
remote-controlled interception, and probably provides much of what's
needed for remote MiTM, especially with CALEA access to both source
and destination networks.  Telcos and ISPs must provision and pay for
equipment and services scaled to spy on 10% of their traffic at any
one time, IIRC.

To understand just how evil this law is, you must appreciate that much
if not most government wiretapping in the US is extralegal.  That's a
polite way of saying unconstitutional, illegal, and known to be so to
the government agents committing said crimes.  CALEA doesn't have
anything to say about what is legal to wiretap, that's left to the
courts.  It is simply ensuring that telecommunications have a gaping
backdoor that at least the few legal wiretaps can use, with the
convenient side effect that such automated spying can be easily abused
by those who do not need to be able to produce the evidence at trial
and therefore actually concern themselves with the Constitution.

I bet CALEA-mandated backdoors are used much more by private
detectives, intelligence agencies, and law enforcement more interested
in information than legally-defensible wiretapping, than they are for the
supposedly primary purpose.  I may be paranoid and deluded, or I may
be a realist familiar with the long history of illegal wiretapping by
government agents.  I'm no expert.  I am a fundamentalist when it
comes to the US Constitution and Bill of Rights, so I've intentionally
avoided learning more than broad generalities about CALEA, for fear of
suicidal depression or revolutionary violence.  I know enough about
the requirements to realize 10% is orders of magnitude
overprovisioning for legal intercepts, and can only infer those behind
CALEA very much intended to support criminal wiretapping, at least by
governments.  I take it for granted that anyone with money or
government power can intercept any telecommunications they care to,
and it's my responsibility to encrypt things I don't want others to
see.

Revolutionarily depressed,
Dave Hart


