From: floyd@tanana.polarnet.com (Floyd Davidson)
Newsgroups: comp.dcom.isdn,comp.dcom.telecom.tech
Subject: Re: ISDN security (was Re: 64 vs 56k per channel)
Date: 11 May 1998 01:01:23 GMT

Robert Blackshaw <blckshaw@clark.net> wrote:
>Jan Ceuleers <jan.ceuleers@computer.org> wrote:
>
>>Thomas Dekkit wrote:
>>> The SAGE 930A is a great device for decoding PCM data and playing the audio
>>> equivalent through its speaker.  It will duplex both sides of the
>>> conversation as well, if you wish.
>>>
>>> As far as FAXes, modems and other "digital" analog devices go, it's rather
>>> simple to do DSP analysis on the raw data and then decipher the resulting
>>> waveforms (how convenient for the protocols to be so well documented by
>>> EIA/TIA!)
>
>>I can see how that would work for group III fax transmission, which is
>>half duplex. However, I would imagine that this is much more difficult
>>for modem traffic, at least for those modulation schemes which use the
>>entire voice band for transmission in both directions. The modems, which
>>have knowledge of the waveforms they transmit, can cancel out echoes of
>>those transmitted waveforms in order to obtain the waveform they are
>>supposed to receive.
>
>>An "eavesdropping" device however, does not have this knowledge of the
...
>>Anyway, would anyone care to comment on how such devices separate out
>>the waveforms corresponding with the two directions of transmission?
>
>To begin the poster wrote that his device could decode a PCM stream and
>play it through the speakers. The problem is that you first have to find
>the PCM in 2B1Q - no easy task. In fact the FBI and the RBOCs have
>been knocking heads over a method of wiretapping ISDN.

Whatever makes you suggest that is not an easy task?  The
telephone company manages to do it on every single ISDN BRI
line.  The equipment at a customer location does it too.  And at
the point where the telephone company is going to monitor a
line, it has already been done and the 2B1Q line encoding has no
significance.

The FBI and the RBOCs are not knocking heads over a method,
just which of many methods.  They have no difficulty with how to
do it, just who is going to pay for it.

It is exactly as Thomas described above, "simple to do DSP
analysis on the raw data and then decipher the resulting
waveforms (how convenient for the protocols to be so well
documented by EIA/TIA!)".

  Floyd

--
Floyd L. Davidson                                floyd@ptialaska.net
Ukpeagvik (Barrow, Alaska)


From: floyd@tanana.polarnet.com (Floyd Davidson)
Newsgroups: comp.dcom.isdn,comp.dcom.telecom.tech
Subject: Re: ISDN security (was Re: 64 vs 56k per channel)
Date: 11 May 1998 12:13:52 GMT

Robert Blackshaw <blckshaw@clark.net> wrote:
>floyd@tanana.polarnet.com (Floyd Davidson) wrote:
>>Robert Blackshaw <blckshaw@clark.net> wrote:
>>>Jan Ceuleers <jan.ceuleers@computer.org> wrote:
>>>>Thomas Dekkit wrote:
>>>>> The SAGE 930A is a great device for decoding PCM data and playing the audio
>>>>> equivalent through its speaker.  It will duplex both sides of the
>>>>> conversation as well, if you wish.
>>>>>
>>>>> As far as FAXes, modems and other "digital" analog devices go, it's rather
>>>>> simple to do DSP analysis on the raw data and then decipher the resulting
>>>>> waveforms (how convenient for the protocols to be so well documented by
>>>>> EIA/TIA!)
>>>
>>>>I can see how that would work for group III fax transmission, which is
>>>>half duplex. However, I would imagine that this is much more difficult
>>>>for modem traffic, at least for those modulation schemes which use the
>>>>entire voice band for transmission in both directions. The modems, which
>>>>have knowledge of the waveforms they transmit, can cancel out echoes of
>>>>those transmitted waveforms in order to obtain the waveform they are
>>>>supposed to receive.
>>>
>>>>An "eavesdropping" device however, does not have this knowledge of the
>>...
>>>>Anyway, would anyone care to comment on how such devices separate out
>>>>the waveforms corresponding with the two directions of transmission?
>>>
>>>To begin the poster wrote that his device could decode a PCM stream and
>>>play it through the speakers. The problem is that you first have to find
>>>the PCM in 2B1Q - no easy task. In fact the FBI and the RBOCs have
>>>been knocking heads over a method of wiretapping ISDN.
>
>>Whatever makes you suggest that is not an easy task?  The
>>telephone company manages to do it on every single ISDN BRI
>>line.  The equipment at a customer location does it too.  And at
>>the point where the telephone company is going to monitor a
>>line, it has already been done and the 2B1Q line encoding has no
>>significance.
>
>Then read what I wrote.

Well, I read it again and it still says the same things.  Let me
make my three points as clear as I can:

  1) it is a trivial task, technically.
  2) it is a trivial task, technically..
  3) it is a trivial task, technically...

OK?

>>The FBI and the RBOCs are not knocking heads over a method,
>>just which of many methods.  They have no difficulty with how to
>>do it, just who is going to pay for it.
>
>If it is all so easy then why is it going to cost so much?

What, to retrofit a tap on every line in every switch?  Just
the labor involved is a gross expense!  What does an El Cheapo
device that is $100 per line and $65 an hour to install cost
on a 10,000 line switch?  It ain't peanuts and you don't want
it on your telephone bill any more than I do.

The FBI doesn't want a wiretap that is installed by a technician
on demand.  They want every line in the switch tapped and they
control the taps without ever involving the telephone company.
(Which is a nice way to maintain that illegal wiretapping is
never done, and there are no witnesses to say otherwise.)

>>It is exactly as Thomas described above, "simple to do DSP
>>analysis on the raw data and then decipher the resulting
>>waveforms (how convenient for the protocols to be so well
>>documented by EIA/TIA!)".
>
>Then I submit that this is not a wire tap in the normal sense
>that phrase is used.

Well, I've installed wiretaps, and I would say that it is
exactly the way that most _legal_ taps are done.  You might have
been watching too many James Bond movies...

>  I wrote that it is not a trivial task to tap
>into 2B1Q - OK? So then you come back and tell me that
>it is no longer 2B1Q on the user or CO side of the line. Is
>this not a case of comparing apples and oranges?

Why would anyone normally bother looking at the 2B1Q side if
they can do it at the CO?  (Actually, the reason to "bother" is
if the wiretap isn't legal or if there is some other reason that
security is not well enough controlled at the CO.)  However,
that doesn't mean that it is exactly difficult to do where it is
2B1Q.  After all, as I've mentioned above that exact conversion
is necessary on every single line anyway, so it isn't some
mysterious process that happens only by magic in the light of
the moon!  Thomas is exactly right that some very simple and
well understood DSP analysis is all it takes.  The same thing as
is used in every ISDN BRI line card and every ISDN test set and
every ISDN TA.  Nothing unusual at all, just a little spendy
when you want 10,000 of them in a single switch!

It isn't necessarily _that_ expensive either, as such.  But with
this business of tapping every single line in a switch, it is
big bucks if each tap costs only a few dollars.  And if we are
talking equipment as nice as the Sage 930A, then we're talking
multi-megabucks.

But it is technically trivial regardless of the price.

  Floyd

--
Floyd L. Davidson                                floyd@ptialaska.net
Ukpeagvik (Barrow, Alaska)


Newsgroups: comp.dcom.isdn,comp.dcom.telecom.tech
Subject: Re: ISDN security (was Re: 64 vs 56k per channel)
From: fgoldstein@bbn.NO$LUNCHMEAT.com (Fred R. Goldstein)
Date: Mon, 11 May 1998 16:10:48 GMT

In article <6j6q20$sn0@bgtnsc02.worldnet.att.net>, floyd@tanana.polarnet.com
says...

>  1) it is a trivial task, technically.
>  2) it is a trivial task, technically..
>  3) it is a trivial task, technically...
...
>Why would anyone normally bother looking at the 2B1Q side if
>they can do it at the CO?  (Actually, the reason to "bother" is
>if the wiretap isn't legal or if there is some other reason that
>security is not well enough controlled at the CO.)  However,
>that doesn't mean that it is exactly difficult to do where it is
>2B1Q.  After all, as I've mentioned above that exact conversion
>is necessary on every single line anyway, so it isn't some
>mysterious process that happens only by magic in the light of
>the moon!  Thomas is exactly right that some very simple and
>well understood DSP analysis is all it takes.  The same thing as
>is used in every ISDN BRI line card and every ISDN test set and
>every ISDN TA.  Nothing unusual at all, just a little spendy
>when you want 10,000 of them in a single switch!

Nope, I'm with Bob, I don't believe it.

It's certainly trivial to tap AT THE SWITCH END, wherein the FBI installs
tap ports into the switch fabric.  But what's difficult is MID-SPAN PASSIVE
tapping, which is trivial on an analog line or a half-duplex (e.g., old T1)
line.

On 2B1Q, the two directions are on the same wire.  At the ends, echo
cancellation takes into account the measured echo time and level, and
near-end output is simply cancelled.  In the middle, you hear both ends plus
echo.  Not trivial.  You can, of course, do like a protocol analyzer and play
"man in the middle", demodulating and remodulating, which is more detectable.
But I suspect the DSP would be too hard for the FBI (hell, a 300 baud
FSK modem is a challenge for them) in the middle.

So obviously the FBI is doing its tapping at the switch end, where it's
trivial, and not at mid-span, where it's tough.
--
Fred R. Goldstein   k1io    fgoldstein"at"bbn.com
GTE Internetworking - BBN Technologies, Cambridge MA USA  +1 617 873 3850
Opinions are mine alone; sharing requires permission.
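Fred's point about echo cancellation, as an added simulation that is not part of the original thread: each endpoint knows its own transmit symbols and can adapt a filter to subtract their echo, while an observer on the pair only sees the two 2B1Q streams summed. The loop attenuation, echo taps and symbol sequences are constructed values, and the model is symbol-rate and noise-free, with no real 2B1Q scrambling or framing.

```python
import random

LEVELS = (-3, -1, 1, 3)          # the four 2B1Q line levels, two bits per symbol

def slicer(v):
    """Decide the nearest 2B1Q level (decision thresholds at -2, 0 and +2)."""
    if v < -2:
        return -3
    if v < 0:
        return -1
    if v < 2:
        return 1
    return 3

def simulate(n_symbols=4000, n_train=2000, mu=0.001, seed=1):
    """Constructed symbol-rate model of one 2B1Q loop (not a real line code):
    A and B both send random 2B1Q symbols on one pair; A's receiver sees B's
    signal (attenuated) plus an echo of its own transmit signal; a mid-span
    observer sees the two directions superimposed. Returns (endpoint error
    rate, mid-span error rate, learned echo taps), counted after n_train."""
    rng = random.Random(seed)
    a = [rng.choice(LEVELS) for _ in range(n_symbols)]   # A's transmitted symbols
    b = [rng.choice(LEVELS) for _ in range(n_symbols)]   # B's transmitted symbols
    far_gain = 0.5                   # loop attenuation B -> A (assumed value)
    echo = [0.6, 0.2, -0.1]          # A's own echo path (assumed hybrid leakage)
    w = [0.0] * len(echo)            # adaptive echo-canceller taps, start at zero
    end_errors = mid_errors = 0
    for n in range(n_symbols):
        hist = [a[n - k] if n >= k else 0 for k in range(len(echo))]
        received = far_gain * b[n] + sum(h * x for h, x in zip(echo, hist))
        # A knows what it sent, so it can estimate and subtract its own echo.
        residual = received - sum(wk * x for wk, x in zip(w, hist))
        for k in range(len(w)):      # LMS update: taps converge toward `echo`
            w[k] += mu * residual * hist[k]
        # Mid-span: both directions at equal level (assumed), nothing known in
        # advance, so all the observer can do is slice the sum.
        mid = 0.5 * (a[n] + b[n])
        if n >= n_train:
            end_errors += slicer(residual / far_gain) != b[n]
            mid_errors += slicer(mid / 0.5) != b[n]
    measured = n_symbols - n_train
    return end_errors / measured, mid_errors / measured, w

if __name__ == "__main__":
    end_rate, mid_rate, taps = simulate()
    print(f"endpoint with echo canceller: {end_rate:.3f} symbol error rate")
    print(f"mid-span observer, sum sliced: {mid_rate:.3f} symbol error rate")
    print("learned echo taps:", [round(t, 3) for t in taps])
```

The mid-span slicer is wrong about half the time because a sum of two four-level symbols is ambiguous, while the endpoint's taps settle near the true echo path and its residual decodes the far end cleanly.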



From: floyd@tanana.polarnet.com (Floyd Davidson)
Newsgroups: comp.dcom.isdn,comp.dcom.telecom.tech
Subject: Re: ISDN security (was Re: 64 vs 56k per channel)
Date: 12 May 1998 01:59:46 GMT

Fred R. Goldstein <fgoldstein@bbn.NO$LUNCHMEAT.com> wrote:
>floyd@tanana.polarnet.com says...
>
>>  1) it is a trivial task, technically.
>>  2) it is a trivial task, technically..
>>  3) it is a trivial task, technically...

    4) it is a trivial task, technically....

>...
>>Why would anyone normally bother looking at the 2B1Q side if
>>they can do it at the CO?  (Actually, the reason to "bother" is
>>if the wiretap isn't legal or if there is some other reason that
>>security is not well enough controlled at the CO.)  However,
>>that doesn't mean that it is exactly difficult to do where it is
>>2B1Q.  After all, as I've mentioned above that exact conversion
>>is necessary on every single line anyway, so it isn't some
>>mysterious process that happens only by magic in the light of
>>the moon!  Thomas is exactly right that some very simple and
>>well understood DSP analysis is all it takes.  The same thing as
>>is used in every ISDN BRI line card and every ISDN test set and
>>every ISDN TA.  Nothing unusual at all, just a little spendy
>>when you want 10,000 of them in a single switch!
>
>Nope, I'm with Bob, I don't believe it.
>
>It's certainly trivial to tap AT THE SWITCH END, wherein the FBI installs
>tap ports into the switch fabric.  But what's difficult is MID-SPAN PASSIVE
>tapping, which is trivial on an analog line or a half-duplex (e.g., old T1)
>line.

Actually, the technical feat required to provide secure wiretap
facilities as part of the switching fabric is probably greater
than that required to design a system that functions external to
the switch.  The "ease" of a switch fabric solution would be
more related to the cost and flexibility.  That is true because
a switch fabric design is almost totally a software project to
utilize existing hardware in a different way.  The external
solution requires design and production of hardware, and has
limited flexibility because there is no access to switch data.
Hence the external solution is going to be a more "simple" one.

>On 2B1Q, the two directions are on the same wire.  At the ends, echo
>cancellation takes into account the measured echo time and level, and
>near-end output is simply cancelled.  In the middle, you hear both ends plus
>echo.  Not trivial.  You can, of course, do like a protocol analyzer and play

Ahem, Fred...  you are saying that it is hard if you do it the
hard way (standing on your head chewing bubble gum and skipping
rope) but easy if you do it the simple way, standing upright
with a cup of coffee in one hand.  That does seem logical, eh?

It is a trivial technical task to design and install a "drop and
insert" type of wiretap facility on every local loop in
existence.  It is not cheap, but technically it is not hard.

>"man in the middle", demodulating and remodulating, which is more detectable.

How is it more detectable?  They want _every_ line equipped.
The problem of "detection" is one of determining if it is
enabled on, or not.  It will be a _given_ that a tap is
physically there!

>But I suspect the DSP would be too hard for the FBI (hell, a 300 baud
>FSK modem is a challenge for them) in the middle.

Which is why they are forcing the industry to design and install
it for them.  Note that they are operating only within their
area of expertise (force by coercion and fear).  The concept of
"trivial technically" applies only to the usual telephone
industry design engineers.  Telecom engineers probably can't
operate thumbscrews any better than FBI agents can design
wiretaps, but that doesn't make either of them difficult to do.

>So obviously the FBI is doing its tapping at the switch end, where it's
>trivial, and not at mid-span, where it's tough.

It might be 2 times as difficult at this "mid-span" point, but
just as 2 times 0 is still 0, so is 2 times trivial still
trivial.  Technically it is a breeze.  The difficult parts are
the legal and the financial parts.  The added reasons for
actually locating the tap point inside the switch fabric are
flexibility and increased functionality for such things as
following conference calls, call forwarding, etc.  My
understanding is that call data is as much what they want as is
a recording of the call itself.

  Floyd


--
Floyd L. Davidson                                floyd@ptialaska.net
Ukpeagvik (Barrow, Alaska)


From: Floyd Davidson <floyd@ptialaska.net>
Newsgroups: comp.dcom.telecom.tech
Subject: Re: lacing cables?
Date: 11 Jun 2000 23:19:53 -0800

Steve Uhrig <suhrig@bright.net> wrote:
>Steven Lichter wrote:
>>
>> >
>> >I'd love for you to elaborate on that statement.  I thought the Feds
>> >stopped bugging people from inside C.O.s about the mid-1970s or so.
>>
>> I can tell you for a fact that both local and federal law enforcement still do it
>> from the main frame.
>
>	By the end of this year or the first part of next year they
>won't even have to come near the office. The new remote tap
>equipment will be installed by then. Our mag tape bay is
>being removed this year to make room for the federally
>mandated surveillance equipment.

And that is absolutely *frightening*.

--
Floyd L. Davidson                          floyd@barrow.com
Ukpeagvik (Barrow, Alaska)
