Surveillance or Security?: The Risks Posed by New Wiretapping Technologies

12. (p. 227) A peculiar exception - peculiar only to those who do not know the
network fiber-optic cable topology - affected South African users seeking access to
Internet domains ending in "za" (South Africa). If the cached entry in the local
servers had expired, the South African servers queried the root server, which could
not be reached (Committee on the Internet under Crisis Conditions, The Internet
under Crisis Conditions, 32-33).

13. (p. 227) Rendleman, "Verizon Went Right Back to Work."

14. (p. 227) Committee on the Internet under Crisis Conditions, The Internet under
Crisis Conditions, 29-30.

15. (p. 227) Committee on the Internet under Crisis Conditions, The Internet under
Crisis Conditions, 3.

16. (p. 227) Peter Meyers, "In Crisis Zone, a Wireless Patch," New York Times, October
4, 2001.

17. (p. 227) U.S. Congress, House of Representatives, Select Bipartisan Committee to
Investigate the Preparation for and Response to Hurricane Katrina, A Failure of Initiative, One Hundred and Ninth Congress, Second Session, February 15, 2006, 164.

18. (p. 227) Kenneth P. Moran, written testimony, U.S. Congress, Senate, Committee
on Commerce, Science and Transportation, Hearing on Hurricane Katrina and Communications Interoperability (September 29, 2005), 3-4.

19. (p. 228) Christopher Rhoads, "Cut Off: At Center of Crisis, City Officials Faced
Struggle to Keep in Touch," Wall Street Journal, September 9, 2005.

20. (p. 228) UN News Center, "Communications between 'First Responders' in Haiti
to Be Strengthened - U.N. Agency," February 16, 2010.

21. (p. 228) U.S. Congress, House of Representatives, Select Bipartisan Committee,
A Failure of Initiative, 172.

22. (p. 229) Jim Dwyer, Kevin Flynn, and Ford Fessenden, "Fatal Confusion: A
Troubled Emergency Response; 9/11 Exposed Deadly Flaws in Rescue Plan," New
York Times, July 7, 2002.

23. (p. 229) National Commission on Terrorist Attacks, The 9/11 Commission Report, 310.

24. (p. 229) National Commission on Terrorist Attacks, The 9/11 Commission Report, 301.

25. (p. 229) National Commission on Terrorist Attacks, The 9/11 Commission Report, 307.

26. (p. 229) Dwyer, Flynn, and Fessenden, "Fatal Confusion."

27. (p. 229) Dwyer, Flynn, and Fessenden, "Fatal Confusion."

28. (p. 229) Meyers, "In Crisis Zone, a Wireless Patch."

29. (p. 230) Gerald Faulhaber, "Solving the Interoperability Problem: Are We All on
the Same Channel? An Essay on the Problems and Prospects for Public Safety Radio,"
Federal Communications Law Journal 59 (June 2007): 496.

30. (p. 230) Department of Homeland Security, National Emergency Communications
Plan (rev. August 7, 2008), 11.

31. (p. 230) Faulhaber, "Solving the Interoperability Problem," 497.

32. (p. 231) Faulhaber, "Solving the Interoperability Problem," 509.

33. (p. 231) Jerry Brito, "Sending Out an S.O.S.: Public Safety Communications
Interoperability as a Collective Action Problem," Federal Communications Law Journal
59 (2007): 479.

34. (p. 231) Charles Werner, personal communication, March 3, 2010.

35. (p. 231) Chris Essid, personal communication, March 4, 2010.

36. (p. 231) "The nation does not have unlimited resources to address deficiencies
in emergency communications" (Department of Homeland Security, National
Emergency Communications Plan, ES-2).

37. (p. 231) Department of Homeland Security, National Emergency Communications
Plan, ES-2, 24.

38. (p. 231) Dickie George, personal communication, February 26, 2010.

Chapter 11

1. (p. 233) Helen Nissenbaum, "Where Computer Security Meets National Security,"
in Jack Balkin, James Grimmelmann, Eddan Katz, Nimrod Kozlovski, Shlomit
Wagman, and Tal Zarsky, eds., Cybercrime: Digital Cops in a Networked Environment
(New York: New York University Press, 2007), 63.

2. (p. 233) Nissenbaum, "Where Computer Security Meets National Security," 63.

3. (p. 233) Einstein 3's "checking the road" is limited to examining communications
bound for federal systems.

4. (p. 233) Nissenbaum, "Where Computer Security Meets National Security," 75.

5. (p. 234) This included plans for rocket-engine designs, for the design and testing
of satellite command-and-control software, for the shuttle-engine design, and for
rockets for intercontinental missiles.

6. (p. 235) Bernard Esambert, former French cabinet minister, said, "We are living
in a state of world economic war and this is not just a military metaphor ... the
companies are training the armies and the unemployed are the casualties" (Wanja
Eric Naef, "Economic and Industrial Espionage: A Threat to Corporate America,"
Infocon Magazine 1 (October 2003): http://www.iwar.org.uk/infocon/economic-espionage.htm).

7. (p. 235) The U.S. Cyber Command is a multibillion dollar effort to develop U.S.
cyberwarfare capabilities. Part of the offensive work being proposed and worked on
is actually defensive. One example is developing the capability to enter a foreign
system and destroy the command-and-control system for botnets poised to attack
U.S. sites (David Sanger, John Markoff, and Thom Shanker, "U.S. Steps Up Effort on
Digital Defenses," New York Times, April 27, 2009).

8. (p. 235) William A. Owens, Kenneth W. Dam, and Herbert S. Lin, Technology,
Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities
(Washington, DC: National Academies Press, 2009), 1.

9. (p. 235) Bryan Krekel, Capabilities of the People's Republic of China to Conduct
Cyber Warfare and Computer Network Exploitation, Prepared for the US-China Economic and Security Review Commission (2009), http://www.uscc.gov/researchpapers/2009/NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved%20Report_16Oct2009.pdf, 72-74.

10. (p. 235) David Barboza, "Hacking for Fun and Profit in the Chinese Underworld," New York Times (February 1, 2010).

11. (p. 236) David D. Clark, "Toward the Design of a Future Internet," Version 7.0, October
10, 2009, http://groups.csail.mit.edu/ana/People/DDC/Working%20Papers.html, 7.

12. (p. 236) Jerome H. Saltzer, David P. Reed, and David D. Clark, "End-to-End Arguments in System Design," ACM Transactions on Computer Systems, 2, no. 4,
(November 1984), 278.

13. (p. 237) Committee on Science and Technology for Countering Terrorism,
National Research Council, Making the Nation Safer (Washington, DC: National
Research Council, 2002), 150.

14. (p. 237) Tom Cross, "Exploiting Lawful Intercept to Wiretap the Internet," Black
Hat DC 2010 (February 2010).

15. (p. 237) Cross, "Exploiting Lawful Intercept," 11.

16. (p. 237) Cross, "Exploiting Lawful Intercept," 8-9.

17. (p. 237) Cross, "Exploiting Lawful Intercept," 4-6.

18. (p. 237) State crimes were a different matter.

19. (p. 238) Clark, "Future Internet," 15.

20. (p. 238) One example of this is that not all packets are created equal. Quality
of Service (QoS) - whether a packet should have priority in traversing the network -
can make or break an application; VoIP and streaming video are two examples of
this. VoIP packets should not take longer than 150 milliseconds to traverse the
network; more delay than that disrupts conversation flow (D. Richard Kuhn, Thomas
J. Walsh, and Steffen Fries, Security Considerations for Voice over IP Systems, National
Institute for Standards and Technology Special Publication 800-58, Gaithersburg
MD: National Institute for Standards and Technology, January 2005, 19). With the
minor exception that NSFNet gave priority to remote login packets, Internet 1.0 -
the Internet designed by the DARPA project - did not discriminate on the basis of
content type. In a future Internet, QoS will need to be more deeply embedded in
network protocols; at the same time, carriers will need to be able to determine
content type to determine whether a packet should have priority treatment.

21. (p. 238) Nick McKeown, Tom Anderson, Hari Balakrishnan, Guru Parulkar,
Larry Peterson, Jennifer Rexford, Scott Shenker, and Jonathan Turner, "OpenFlow:
Enabling Innovation in Campus Networks," CCR Online March 14, 2008,
http://ccr.sigcomm.org/online/?q=node/328.

22. (p. 239) Martin Casado, Michael J. Freedman, Justin Pettit, Jianying Luo, Natasha
Gude, Nick McKeown, and Scott Shenker, "Rethinking Enterprise Network Control,"
IEEE/ACM Transactions on Networking 17, no. 4 (August 2009): 1271.

23. (p. 239) Casado et al., "Rethinking Enterprise Network Control," 1283.

24. (p. 239) "When we consider the problem of attacks on hosts, we must accept
that general-purpose end-node operating systems such as Windows or Unix will
always have flaws that present vulnerabilities" (Clark, "Future Internet," 18).

25. (p. 239) Clark, "Future Internet," 19-20.

26. (p. 240) This includes building trustworthy components, creating modifications
in application-level communications, and developing controls on connectivity
(Clark, "Future Internet," 19).

27. (p. 240) Clark, "Future Internet," 21.

28. (p. 240) Steven M. Bellovin, Whitfield Diffie, Susan Landau, Peter Neumann, and
Jennifer Rexford, "Risking Communications Security: Potential Hazards of the
Protect America Act," IEEE Security and Privacy 6, no. 1 (January/February 2008), 30.

29. (p. 240) This was the case with the collection resulting from the FISA Amendments Act (Lichtblau and Risen, "Officials Say U.S. Wiretaps Exceeded Law," New
York Times, April 16, 2009); whether it was the case from the PSP is unclear.

30. (p. 240) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Board, A Review of the Federal Bureau of Investigation's Use of Exigent Letters
and Other Informal Requests for Telephone Records, (January 2010), 33.

31. (p. 241) Note that the Greek system involved eavesdropping on a cellular
network, while the Cisco architecture was an IP-based surveillance system.

32. (p. 241) Tom Cross made this point as well (Cross, "Exploiting Lawful Intercept.").

33. (p. 241) Protecting against an individual intent on such violent activities requires
an inordinate amount of surveillance. This is different from protecting against a
complex plot involving dozens of participants.

34. (p. 241) As the size of the community increases, more third-party software
becomes available, making the system more attractive, and in turn, this helps
increase the number of users.

35. (p. 242) Ross Anderson, "Closing the Phishing Hole - Fraud, Risk and Nonbanks," Conference on Nonbanks in the Payment System: Innovation, Competition,
and Risk, Santa Fe, NM, May 2007.

36. (p. 242) Hal Varian, "Managing Online Security Risks," New York Times, June 1, 2000.

37. (p. 242) The classic case regarding standard of care concerns two oceangoing
tugboats traveling between Norfolk, Virginia, and New York during a gale. Each tug
was towing three barges loaded with coal. The tugs lacked working radios and the
captains did not know of the approaching weather; they did not put into harbor.
Each tug lost its final barge. Although having a radio was not yet standard industry
practice, Circuit Court Judge Learned Hand ruled that "there are precautions so
imperative that even their universal disregard will not excuse their omission" (The
T. J. Hooper v. Northern Barge Corporation; N. Hartwell & Son, Inc. v. Same, Circuit Court
of Appeals, Second Circuit 60 F.2d 737, 1932, 740).

38. (p. 242) Seymour Goodman and Herbert Lin, eds., Toward a Safer and More Secure
Cyberspace (Washington, DC: National Academies Press, 2007), 165-166.

39. (p. 242) In "two-party" states such as Maryland, both parties must consent
before the interception is permitted.

40. (p. 242) 18 U.S.C. §2511 (2).

41. (p. 243) Under the Bush administration warrantless wiretapping and the subsequent Protect America Act and FISA Amendments Act, no purely domestic calls were
supposed to be targeted; some were, however (Lichtblau and Risen, "Officials Say
U.S. Wiretaps Exceeded Law").

42. (p. 244) Pub. L. 100-235.

43. (p. 244) At the time of the passage of the act, NIST was known as the National
Bureau of Standards.

44. (p. 244) Whitfield Diffie and Susan Landau, Privacy on the Line: The Politics of
Wiretapping and Encryption, rev. ed. (Cambridge, MA: MIT Press, 2007), 74-85.

45. (p. 244) Diffie and Landau, Privacy on the Line, 78.

46. (p. 245) Infragard is one such.

47. (p. 246) Notable examples of secure communications include ssh for securing
data exchange between two networked devices (used for remote login, secure file
transfer, etc.); secure browser communication or https, which is used for passwords
for secure login and for financial transactions (although in January 2010 Google
started employing it for Gmail); and Skype. VPNs are securely encrypted between
an end host and gateway rather than securing the communication end to end.

48. (p. 246) U.S. Congress, House of Representatives, Committee on Energy and
Commerce, Subcommittee on Telecommunications and the Internet, Law Enforcement Access to Communications Systems in the Digital Age, One Hundred and Eighth
Congress, Second Session, Serial No. 108-115 (September 8, 2004).

49. (p. 246) Bellovin et al., "Security Implications."

50. (p. 247) Bellovin et al., "Security Implications."

51. (p. 248) Administrative Office of the United States Courts, James C. Duff, Director, 2009 Wiretap Report, 8.

52. (p. 249) The ability to capture sound at a distance means that parabolic microphones are used for collecting nature recordings.

53. (p. 249) This works through aiming a laser beam at a glass window; if there is
a mirror in the room, the beam is aimed at that. Otherwise the window provides
ample reflection. Voices in the room bounce off hard surfaces including the window;
the modulations are picked up by the reflected beam. The slight disruption of the
reflected beam is analyzed and reveals the communication.

54. (p. 250) Jed Rubenfeld, "The End of Privacy," Stanford Law Review 61, no. 1
(October 2008): 122.
