Re: Comcast man-in-the-middle attack - ethics

From: J Edgar Hoover (zorchat_private)
Date: Sat Feb 09 2002 - 15:45:20 PST


    In the tech thread, I'm wearing my "comcast customer" hat. In this thread,
    I'm wearing my "security professional" hat.
    
    Here's an example of the off-list mail I've been getting on this:
    
    -----------
    I'm sorry I'm replying off-list, but I'm not a security professional and
    don't feel comfortable doing anything other than lurking.
    
    But I wanted to say how surprised I was by the response you got to your
    post.  I felt like no one else "gets it".
    -----------
    
    Frankly, I'm outraged at the response of my fellow admins. The predominant
    argument seems to be "We already own all of your traffic, what's the big
    deal?"
    
    The big deal is, I've always used discretion when observing traffic, and
    that seems like a new concept to many of you.
    
    As a general rule, I consider the header to be like the outside of a
    postal envelope, and the packet data to be the letter inside.
    
    I routinely use IDS and realtime tools to monitor traffic, but as a rule
    go no higher than OSI layer 4. In other words, I look at source and
    destination IPs and ports, and aggregate traffic data.
    
    Looking at or logging session layer and higher is reserved for
    troubleshooting problems and specific incidents. (with some exceptions for
    virus/worm filtering)
    
    This is consistent with how I understand the applicable federal law as
    posted at:
    
    http://www4.law.cornell.edu/uscode/18/2511.html
    
    To observe, or worse yet log, all of the user session data is ethically
    and legally questionable. To do so in order to sell that data to a third
    party is morally reprehensible.
    
    Particularly when you are talking about someone's personal, private, home
    connection. This isn't some workplace where the employer owns your
    computer and your time, this is people's homes. This is people's free
    speech. This is people's personal privacy.
    
    Inasmuch as an internet connection is analogous to a telephone call,
    defending comcast's use of a proxy in this manner is analogous to
    defending the phone company listening, recording and participating in your
    conversations.
    
    I'm surprised and dismayed that somewhere along the line, many of you have
    become oblivious to ethical obligations associated with administration.
    
    The Windows networks behind my equipment survived both CodeRed and Nimda
    without a single infection and without violating user privacy. Snooping is
    not required to provide security.
    
    z
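
    The "no higher than layer 4" practice described in the post (source and
    destination IPs, ports, and aggregate counts, never the session data) as a
    worked example. This is added editorial code, not part of the original
    message or any tool the author used. It assumes raw Ethernet/IPv4 frames as
    input; the frames, addresses (RFC 5737 documentation ranges) and payloads
    are constructed inline so it runs offline. The parser slices only the
    Ethernet, IPv4 and L4 port fields and never touches the bytes past them.

```python
"""Header-only flow accounting: parse Ethernet/IPv4 and the L4 port fields,
aggregate per-flow packet and byte counts, and never read the payload.
Added example code; frames and addresses below are constructed for illustration.
"""
import socket
import struct
from collections import defaultdict

ETH_HDR_LEN = 14
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def build_frame(src, dst, proto, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/(TCP|UDP) frame (test input only)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    if proto == IPPROTO_TCP:
        # src port, dst port, seq, ack, data offset 5 (<<4), flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4 + payload


def parse_headers(frame):
    """Return (src, dst, proto, sport, dport, ip_total_len) or None.

    Only the Ethernet type field, the fixed IPv4 header and the first four
    bytes of the L4 header (the ports) are ever sliced; payload is not read.
    """
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None  # ARP, IPv6, etc. are not handled by this example
    ip = frame[ETH_HDR_LEN:]
    ver_ihl = ip[0]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return None  # malformed header length; do not guess
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src = socket.inet_ntoa(ip[12:16])
    dst = socket.inet_ntoa(ip[16:20])
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (src, dst, proto, sport, dport, total_len)


def aggregate_flows(frames):
    """Aggregate packet and byte counts per 5-tuple; the header-only view."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for frame in frames:
        hdr = parse_headers(frame)
        if hdr is None:
            continue
        src, dst, proto, sport, dport, total_len = hdr
        key = (src, dst, proto, sport, dport)
        flows[key]["packets"] += 1
        flows[key]["bytes"] += total_len
    return dict(flows)


# Constructed sample traffic: an HTTP request on a "home" connection, a DNS
# query, and an ARP frame that the parser must ignore.
SAMPLE_FRAMES = [
    build_frame("192.0.2.10", "198.51.100.7", IPPROTO_TCP, 40000, 80,
                b"GET / HTTP/1.0\r\n"),                 # 20+20+16 = 56 bytes
    build_frame("192.0.2.10", "198.51.100.7", IPPROTO_TCP, 40000, 80, b""),  # 40 bytes
    build_frame("192.0.2.10", "192.0.2.1", IPPROTO_UDP, 5353, 53,
                b"\x00" * 12),                          # 20+8+12 = 40 bytes
    b"\x00" * 12 + struct.pack("!H", ETH_P_ARP) + b"\x00" * 28,  # ARP, skipped
]

if __name__ == "__main__":
    for key, stats in aggregate_flows(SAMPLE_FRAMES).items():
        print(key, stats)
```

    The point the code makes is structural: the payload (the "letter inside")
    is never even sliced, so a flow log produced this way cannot leak session
    content even if it is retained or shared. Anything above the port fields
    would be a separate, deliberately scoped capture for troubleshooting.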
    



    This archive was generated by hypermail 2b30 : Sat Feb 09 2002 - 16:12:09 PST