ietf

Re: PATRIOT/USA followup: ongoing House debate

2001-10-12 12:50:02
On Fri, 12 Oct 2001 15:16:38 EDT, Neil Carpenter <primate(_at_)mindspring(_dot_)com> said:
> Perhaps I missed it -- this has what to do with Internet engineering?

At least some readings of the original bill would require ISPs to save
"addressing information", such that the ISP would basically have to log
every SYN or SYN/ACK packet.  Forever.

You should worry about that as an engineering issue.

There was also the equating of "hacking" to "terrorism".  With the retroactive
removal of a statute of limitations.  And provisions for "providing significant
aid" to terrorists.  This means that Steve Bellovin could (under the original
proposals) end up in jail for life, because he wrote a paper on TCP sequence
numbers, because Mitnick used a sequence number attack on somebody.  Anybody
who has ever posted to the Bugtraq or comp.risks or IETF lists regarding
security issues is similarly vulnerable under the original draft.  This
would probably include most of the IAB and IESG.

You should worry about that just out of self-preservation.

I'm told that the Senate bill as amended fixes a lot of the worst aspects
of the hacking side, and I'm also told that an amendment was proposed to
exempt ISPs from the most onerous of the logging requirements.  However,
I have *NOT* tracked down pointers to the current legislation as being
discussed to verify how much things have improved.

-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech

