AT&T's Plan to Play Internet Cop
Ponca City, We Love You writes "Tim Wu has an interesting (and funny) article on Slate that says that AT&T's recent proposal to examine all the traffic it carries for potential violations of US intellectual property laws is not just bad but corporate seppuku bad. At present AT&T is shielded by a federal law they wrote themselves that provides they have no liability for 'Transitory Digital Network Communications' — content AT&T carries over the Internet. To maintain that immunity, AT&T must transmit data 'without selection of the material by the service provider' and 'without modification of its content' but if AT&T gets into the business of choosing what content travels over its network, it runs the serious risk of losing its all-important immunity. 'As the world's largest gatekeeper,' Wu writes, 'AT&T would immediately become the world's largest target for copyright infringement lawsuits.' AT&T's new strategy 'exposes it to so much potential liability that adopting it would arguably violate AT&T's fiduciary duty to its shareholders,' concludes Wu."
we've already done this to death (Score:3, Informative)
Nothing new here
Re:Not just copyright .... (Score:5, Informative)
Re:Encryption... (Score:5, Informative)
I think you misunderstand how a Virtual Private Network works. The first thing you must understand is that there is no spoon^W ports. Once you realize that there are no ports, then you only need to route packets over a secure channel that's indistinguishable from valid business. Is this user networking with his small-business employer, or a pirate spreading illegal wares? Impossible to tell from the traffic itself.
They just buy NEW LAWS (Score:3, Informative)
Re:Who do I use for Internet access now then?? (Score:5, Informative)
Nick
Re:How to beat it (Score:1, Informative)
Re:we've already done this to death (Score:5, Informative)
Because AT&T is so large this will affect a good chunk of the Internet - especially US networks.
Hell, their backbone runs the entire length of the US.
This map is from 2000 so it's probably much more invasive now:
http://www.cybergeography.org/atlas/att_backbone_large.gif [cybergeography.org]
Re:Encryption... (Score:3, Informative)
I know that ssh takes steps to store the public keys and warn you if they've changed. Why would it bother doing that if man-in-the-middle attacks aren't possible?
My understanding is as follows:
Party A contacts Party B and sends its public key. Party E (evil guy) intercepts this public key and replaces it with his own. Party B replies with his public key, which is also intercepted and replaced. Party A and B are now "encrypting" the traffic with the public key provided by Party E, who decrypts it, and re-encrypts it with the original public keys provided by A and B prior to forwarding that traffic on to them. Party E now has access to the complete conversation between A and B, who are none the wiser, unless they have an outside method of verifying the keys they received.
I fail to see how an exchange of a random number stops this, when Party A never actually received Party B's key to begin with, because said key was replaced by Party E.
Re:Encryption... (Score:3, Informative)
How about the first paragraph... "Out-of-band is a technical term with different uses in communications and telecommunication. It refers to communications which occur outside of a previously established communications method or channel." Seeing as how this is a discussion about AT&T messing with stuff in the communication channel, I would think it was obvious. OOB communications would be a thumb drive, shipping a configured router, telling you the shared key over the phone (not AT&T phone), or a properly encrypted e-mail.
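An added example, not written by any poster in this thread: a sketch of the key pinning that ssh does with stored public keys, and of the out-of-band fingerprint check described in the two comments above. `PinStore`, the party names and the key bytes are hypothetical and constructed for illustration; only the fingerprint format (unpadded base64 of a SHA-256 digest) follows OpenSSH.

```python
import base64
import hashlib

def fingerprint(pubkey_blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class PinStore:
    """Hypothetical in-memory stand-in for a known_hosts file."""
    def __init__(self):
        self.pins = {}

    def check(self, peer, pubkey_blob, oob_fingerprint=None):
        seen = fingerprint(pubkey_blob)
        # A fingerprint obtained outside the channel (phone, thumb drive) wins.
        if oob_fingerprint is not None and seen != oob_fingerprint:
            return "REJECT: key does not match out-of-band fingerprint"
        pinned = self.pins.get(peer)
        if pinned is None:
            self.pins[peer] = seen  # trust on first use
            return "ACCEPT: first contact, key pinned"
        if pinned != seen:
            return "REJECT: key changed since first contact"
        return "ACCEPT: key matches pin"

# Constructed sample key blobs, not real keys.
KEY_B = b"constructed-public-key-of-party-B"
KEY_E = b"constructed-public-key-of-party-E"

def demo():
    results = {}
    # E substitutes its key on the very first connection: pinning alone accepts it.
    tofu = PinStore()
    results["tofu_first_contact_intercepted"] = tofu.check("B", KEY_E)
    # Once E's key is pinned, B's genuine key shows up as a change.
    results["tofu_later_genuine"] = tofu.check("B", KEY_B)
    # Clean first contact, substitution later: the stored pin catches it.
    clean = PinStore()
    clean.check("B", KEY_B)
    results["pinned_then_intercepted"] = clean.check("B", KEY_E)
    # A learned B's fingerprint out of band: substitution fails even on first contact.
    oob = PinStore()
    results["oob_first_contact_intercepted"] = oob.check("B", KEY_E, fingerprint(KEY_B))
    results["oob_first_contact_genuine"] = oob.check("B", KEY_B, fingerprint(KEY_B))
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The first case is the scenario Party A and Party B face when nothing was verified beforehand; the last two show why an outside method of verifying the key closes that gap.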
-sigh.. Why Man-In-The-Middle is easily stopped (Score:4, Informative)
In a nutshell, a "man-in-the-middle" attack is no more to be feared than a "dictionary" attack on a password: the attack only works if the security is implemented poorly. In the same way that you wouldn't say, "They use a password? How useless --simply do a dictionary attack!", you would not say, "Encryption? Just do a man-in-the-middle attack!" For the same reason that they warn you when you change your password: "Your password is too short!" or "Your password is dictionary-guessable!" etc. Why would it bother doing that if dictionary attacks aren't possible?
You said: This is a common question about public key encryption. I'm going to quote my own post:
Hope that clarifies things for anyone who's still confused about WHY public key encryption works. The GP poster is correct.
Re:we've already done this to death (Score:2, Informative)
The real challenge is "inspecting" packets in real-time with no degradation of service... That would take some powerful hardware.
Re:Encrypted internet - sooner than I thought (Score:3, Informative)
To give a very abbreviated answer, the network effect [wikipedia.org] for this has not yet taken off. There has been no technical barrier to widespread encryption for over a decade, but there are two social barriers which remain to be overcome:
In order for you to use crypto, you have to know how it works. Most other technologies are not like this, in that they can just kind of operate in the background. But cryptographic communications operate between defined endpoints, and you are one of those endpoints. Understanding takes considerable effort. At minimum, people need to understand how asymmetric crypto works in both message signing and message encryption, and they also must develop some insight into what motivates key distribution, because otherwise they won't be able to make sense of the public key infrastructure in which they must participate. I think it's important enough that ultimately it will be taught as part of the standard school curriculum. But we're a long way from that at the moment.
Message encryption is the last in a fairly involved series of steps. This delays the network effect. Participants first have to generate their cryptographic keys and then have them signed by a trusted third party. Then they have to begin signing their own messages with them. As these messages go out, a side effect is to distribute the public keys which are in turn necessary for message encryption. Finally, participants can begin to encrypt messages.
This explains why adoption has proven to be very slow. There have been many early adopters, of course, but so far evidently not enough to inspire the public at large.
The good news is that we've seen this kind of phenomenon lots of times before. The Internet itself was widely ignored for a long time, despite being completely satisfactory from a technical perspective. Something eventually kicks it into public awareness, and then, if those of us who engineer these things have done our job right, it takes off without a backwards glance.