C.A.L.E.A vulnerabilities

Discussion in 'other security issues & news' started by spy1, Jul 14, 2003.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Dec 29, 2002
    Clover, SC

    (Applicable portion of article included for our "government" readers - informational only).

    "Shooting Ourselves in the Foot
    Grandiose Schemes for Electronic Eavesdropping May Hurt More Than They Help

    By Robert X. Cringely

    Whom do you trust? If you are a policeman, you trust the police. How much information is enough? When it comes to the electronic gathering of intelligence information, it appears that no amount of information is enough. These two concepts have collided in America with the result that creating the very capability of gathering electronic intelligence is putting all of us in greater danger. The supposed cure may be worse than the disease. Maybe -- and only maybe -- we know a little more about what the bad guys in our society are doing, but it is coming at what might be a horrible cost. And a big part of the problem is that if you are a policeman, you trust the police.

    The Federal Bureau of Investigation administers the Communications Assistance to Law Enforcement Act (CALEA), which was passed by Congress in 1994. CALEA was a response to advances in digital communications. It was a way for law enforcement and intelligence agencies to go beyond old-fashioned phone taps and listen in on mobile phone calls, pagers, the Internet and any other form of electronic messaging that might be used by enemies of the state. CALEA made the phone companies and pager companies and Internet companies responsible for building into their equipment the capability to tap all types of communications on the order of a judge or -- in the case of foreign surveillance -- of the U.S. Attorney General. Every telephone switch installed in the U.S. since 1995 is supposed to have this surveillance capability, paid for, by the way, with $500 million of your tax dollars. Not only can the authorities listen to your phone calls, they can follow those phone calls back upstream and listen to the phones from which calls were made. They can listen to what you say while you think you are on hold. This is scary stuff.

    But not nearly as scary as the way CALEA's own internal security is handled. The typical CALEA installation on a Siemens EWSD or a Lucent 5E or a Nortel DMS 500 runs on a Sun workstation sitting in the machine room down at the phone company. The workstation is password protected, but it typically doesn't run Secure Solaris. It often does not lie behind a firewall. Heck, it usually doesn't even lie behind a door. It has a direct connection to the Internet because, believe it or not, that is how the wiretap data is collected and transmitted. And by just about any measure, that workstation doesn't meet federal standards for evidence integrity.

    And it can be hacked.

    And it has been.

    Israeli companies, spies, and gangsters have hacked CALEA for fun and profit, as have the Russians and probably others, too. They have used our own system of electronic wiretaps to wiretap US, because you see that's the problem: CALEA works for anyone who knows how to run it. Not all smart programmers are Americans or wear white hats. We should know that by now. CALEA has probably given up as much information as it has gathered. Part of this is attributable to poor design and execution, part to pure laziness, part to the impossibility of keeping such a complex yet accessible system totally secure, and part because hey, they're cops, they're good guys. Give 'em a break. Have a donut.

    This vulnerability is never discussed in public because it is an embarrassment to law enforcement and because the agencies that pay for CALEA don't want its vulnerability to be known. That might compromise national security. Alas, national security is already compromised by the system itself, and the people who might take advantage of the vulnerability have known about it for years. Only we are kept in the dark.

    In a sense I think the problem comes down to the "dumbing down of IT." The biggest problem with CALEA is the people managing it. They don't know it needs to be secured. This column, for example, will be widely distributed, but will have no impact whatsoever on the folks it should because they simply won't get it.

    I suspect the people actually running the system know a bit more and probably have suggested it from time to time. Like many government systems, you can't fix it until you're TOLD to fix it, and you won't be told to fix it until there is funding. And the funding will usually be accompanied by explicit instructions on how to fix it, right or wrong. In the corporate world IT has been under attack and downsized for years. Forget training. Forget expertise. There is a belief that by just buying a firewall, you solve all your security issues. If you have a firewall, why do you need to have someone track and install all those security patches on all your computers? Many of IT's biggest problems are simply repeats of past problems. Through this "dumbing down" process we've lost the ability to stop the cycle.

    Even if CALEA were secure, it would still be a danger because of its capability to do what are called "roving wiretaps." Old-fashioned wiretaps did just that, they tapped wires, but today's criminals and terrorists are mobile. They use throwaway cell phones and conference calls and 800 numbers to mask their communications so CALEA targets the criminal, not the phone line. This means that CALEA effectively taps every phone that is connected at any time to the roving subject. Phone conversations can be followed from line to line and each of those phone lines becomes, at least for a while, a target. Dozens, hundreds, thousands of numbers can get swept up and recorded whether it is a conversation with a lawyer, a priest, or a journalist.

    That's what led me to this story. In the Laci Peterson murder case in California, thousands of Scott Peterson's phone conversations were recorded using CALEA technology. Some of those conversations were between Peterson and his lawyer, some between Peterson and the press. None of them were with me. I have no idea whether Scott Peterson is guilty or innocent, and it doesn't matter at all to this column. What matters is that a few days ago 176 new phone conversations were "discovered."

    How do you "discover" a recorded phone conversation in a totally automated system? If you can discover a conversation, then you can also lose one a la Rosemary Woods and the famous 17-minute gap in that Watergate tape. The whole system becomes suspect and subject to abuse.

    And abuse does happen. In the late 1990s the Los Angeles Police Department conducted illegal wiretaps with CALEA technology involving thousands of phone lines and potentially hundreds of thousands of people at a time when the official annual report on wiretaps compiled by the Department of Justice said L.A. was conducting an average of around 100 wiretaps per year. Illegal convictions were obtained, property was illegally confiscated, civilian careers and lives were ruined, yet nobody was punished."

    (Hopefully, our government-employee-readers can get this all straightened out for us - Pete).