Speak of the Devil

Dan Mahoney, System Admin danm at prime.gushi.org
Fri May 19 07:59:46 UTC 2006

On Thu, 18 May 2006, Mike Perry wrote:

A few varying thoughts here:

I can't speak for the british government, but if someone came to me and 
said "someone is using your SSL-enabled webmail system to traffic kiddie 
porn" and felt that somehow the easiest way to sniff their traffic was 
with my private key (as opposed to just asking me to tap their spool 
dir, tar up their homedir, and gladly hand over any information 
associated with them), I'd be more than willing to cooperate.  With 
probable cause.  I know warrants are difficult, but I come from a law 
enforcement family.

Sadly, the truth here is that if someone is using my server, then the 
fedgov HAS to act as if I am in on this, and will likely blow their 
investigation if they contact me -- at least this is how procedural rules 
are set up for them.

I've investigated kiddie porn complaints on my network, and let me say 
this in total seriousness -- while we've all seen the maxim-like young 
looking models that are just recently 18 (hell, they advertise on regular 
cable here in the states)...every once in a while you come across a site 
like the ones in question that is so blatant, so disgusting -- where 
there's no question in your mind that yes, that's thirteen.  Following 
that, there's a fit of nausea and a willingness to research some drug or 
amount of voltage that can remove the images you've just seen from your 
mind.  I'm told the sensation is about ten times worse if you're a parent.

With that said, however...

There's nothing stopping governments from logging the traffic (possibly at 
a higher level, like the upstream level) and then getting a subpoena for 
whatever key was used to encrypt it.

The PROBLEM with this method is that once the length of the warrant has 
expired, 99 percent of people out there DO NOT check CRL's.  I myself am 
guilty of this.  I.e. once the government HAS your key, they've got it for 
the lifetime of your cert -- and while you can certainly retire that cert 
from use, there's no way to prevent the now-compromised cert and key from 
being used creatively for the remainder of the validity period.

Or am I wrong here?


> British govt just started pushing for Part III of RIPA citing
> terrorism and kiddie porn as major reasons to require people to
> disclose encryption keys...
> http://arstechnica.com/news.ars/post/20060518-6870.html
> Seems we may have a strong ally on our side on this one. International
> bankers might not want the local police requiring them to hand over
> keys either, though they certainly have enough political influence to
> stop investigations before they start I'm sure...
> The UK Crypto thread that spawned this article is here:
> http://www.chiark.greenend.org.uk/pipermail/ukcrypto/2006-May/080742.html
> One can only hope that the Bill of Rights is enough to keep this
> bullshit out of the US, but who knows.


"Don't be so depressed dear."

"I have no endorphins, what am I supposed to do?"

-DM and SK, February 10th, 1999

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org

More information about the tor-talk mailing list