windexh8er 2 years ago

Not sure why this is on the front page, but to clarify it's required by the FCC [0] for carriers. MikroTik, just like every other network vendor, has this in their product (port mirroring for law enforcement) so that they can check the box. CALEA has been around since the 90s [1].

[0] https://www.fcc.gov/public-safety-and-homeland-security/poli...

[1] https://en.wikipedia.org/wiki/Communications_Assistance_for_...

  • ncphil 2 years ago

    Specifically, _1994_, another banner year for undermining civil liberties and privacy, what with the passage of the new sentencing provisions of the federal crime bill and continuing effort to prevent wider use of encryption by individuals through action against PGP: all by a "liberal" US administration that would also accelerate consolidation of mass media in the hands of a few big corporations.

    • windexh8er 2 years ago

      Yes, 1994 and 1996 [0] were both horrible years for bad "telecomm" policy. I remember debating this in my "Regulations" class in the early 2000s and how, even by then, we could see the potential longer term damages emerging. I think it also played a role in influencing the markets (with respect to tech companies) to think how they do (continuous growth / continuous significant increase in QoQ profits). The late 80s and early 90s were a wild ride of ignorance in policy making. The Clipper Chip, interesting takes on crypto export control all the way through the advent of the DMCA.

      Interesting times with many unfortunate decisions.

      [0] https://en.wikipedia.org/wiki/Telecommunications_Act_of_1996

    • hedora 2 years ago

      Media consolidation was bipartisan.

      Reagan rolled back enforcement of many rules, and the rules were changed to expand Clear Channel's (and other) monopolies under W.

  • ibejoeb 2 years ago

    Doesn't hurt to hit the front page occasionally. I'll bet someone is learning about CALEA for the first time from this post.

    • Krasnol 2 years ago

      Exactly.

      I just learned about it for the first time.

  • dec0dedab0de 2 years ago

    It was passed in the 90s, but it wasn't required for ISPs until 2007. I was working at a small ISP at the time. I remember they picked a vendor and installed the box with a week or two to spare.

  • spmurrayzzz 2 years ago

    I found this interesting insofar as it is somewhat rare for endpoint CPEs to have these features baked in, in particular with any sort of CALEA semantics. This is almost always a burden pushed on the transitory service providers upstream from the device. Network device OEMs, in my experience running an ISP (in addition to both making routers and white-labeling them for our service), have never been held to the CALEA requirements historically.

    The Wikipedia article you shared actually states this pretty clearly as well:

    > "The IP-based "soft switches" typically do not contain a built-in CALEA intercept feature; and other IP-transport elements (routers, switches, access multiplexers) almost always delegate the CALEA function to elements dedicated to inspecting and intercepting traffic. In such cases, hardware taps or switch/router mirror-ports are employed to deliver copies of all of a network's data to dedicated IP probes."

    (I realize that MikroTik's RouterOS may end up on headend router devices and that is likely why this exists, but the implementation details here are just a little odd when you can just port mirror on a switch instead)

    • windexh8er 2 years ago

      > I found this interesting insofar as it is somewhat rare for endpoint CPEs to have these features baked in, in particular with any sort of CALEA semantics.

      This isn't targeting CPE equipment - MikroTik is baking it into their unified OS. If you're a service provider you don't configure CALEA in the CPE, you configure it upstream in the headend where all traffic from your customers egresses your network. It's much easier to grab it all at the bottleneck than to have data streaming over your expensive last mile twice for each customer; that doesn't make any network architecture or OpEx sense. It's just easier to make CALEA a function of RouterOS vs. targeting specific models. There's nothing specific about the hardware that's required to implement the functionality.

salawat 2 years ago

Welp. That's news to me. Thought it was just telcos and not bleeding every bloody networking equipment vendor out there. And especially not every MitM VoIP provider. This clinches the death of Skype though. This is why we can't have nice things.

I need to stop reading these things. I just become more and more misanthropic as days go by.

walterbell 2 years ago

It's a small router world.

Some SOHO networking devices made by MikroTik, QNAP and Ubiquiti contain Arm SoCs made by AWS (Annapurna Labs), https://en.wikipedia.org/wiki/Annapurna_Labs

The venerable PC Engines APU2 is a fanless x86 AMD 10W TDP router with 4GB ECC RAM, TPM 2.0 and GPIO pins, open schematics and coreboot, which can run pfSense, OPNsense, OpenBSD, Linux, FreeBSD and OpenWRT, with virtualization support. Constrained by supply chain at present. mPCIe slots for WiFi, LTE & mSATA.

Ubiquiti ERLite-3 can run Linux and OpenBSD (octeon/MIPS).

There are some generic Intel-based small routers, https://www.servethehome.com/topton-intel-j4125-4x-i225-fanl...

user_7832 2 years ago

Go address some of the posters' "why is the front page worthy" - I'm not surprised that 3 letter agencies get all the data they want, but very often it's very covert and not so "official".

  • superduperuser 2 years ago

    "why is this on the front page?"

    because someone found and read this wiki and decided to share it with others who also found it interesting so they upvoted it. now here we are

    • user_7832 2 years ago

      No no, I'm in agreement of this post being relevant, I typoed :(

  • formerly_proven 2 years ago

    Lawful interception is not for "three letter agencies", but for the police (TLAs have their own totally different ways to get this data, in the US they even have their own courts for this). So these are generally documented, judicial processes.

    • stefan_ 2 years ago

      Lawful interception is precisely not made for "three letter agencies", since the latter derive the majority of their power from not spying on the law subjects of their own country. Although the US have of course intentionally muddled this with FISC and at times outright disregard for that simple principle.

    • mbg721 2 years ago

      The US really needs a distinction between executive powers (which exist because legislative bodies grant the executive branch wide latitude), and legislative powers (specific things the legislature has said to do).

  • user_7832 2 years ago

    Edit: I meant to type To, not Go. Go makes no grammatical sense :/

reflexe 2 years ago

"This page was last edited on 28 May 2012, at 07:46."

Maybe better to add this date to the title.

djanogo 2 years ago

Might be a dumb question, but won't this configuration need admin ssh access to add the required rules and a local server to log that traffic?

  • bombcar 2 years ago

    The whole point of the law was to add the ability to tap in, which is what this is. You still need someone to log into the router and set up the account which can do the tap; it can't be remotely activated by spooks.

    Though if there are other remote access vulnerabilities, someone may be able to use the feature maliciously once they're in.

  • qwertox 2 years ago

    Not admin access:

    > Calea provided options are available only for specific RouterOS user, as Calea server configuration as "tap" configuration. Specific user should have 'sniff' policy enabled at RouterOS user configuration

    So the admin has to set up a user account on the device.

    • vetinari 2 years ago

      On RouterOS, the default 'admin' user is a member of the 'full' group, which has 'sniff' policy enabled.

      So it can be both - dedicated user with the appropriate permission, or admin himself.
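The two options above side by side, as an added RouterOS configuration example (not posted by anyone in the thread): the weak choice is to run the tap as the built-in `admin` account, which sits in the `full` group and can change anything; the tighter choice is a dedicated group that carries the `sniff` policy plus read-only access, so the intercept account cannot alter firewall rules or other configuration and its activity is attributable in the logs. The group name, user name and password are placeholders.

```routeros
# Weak setting: the default 'admin' account is in the 'full' group, so using it
# for the tap means the intercept credential is also a full configuration credential.
/user group print

# Corrected setting (added example, names are placeholders): a group that can log in
# over SSH, read configuration and use the sniffer/CALEA tap, but not write config.
/user group add name=lawful-intercept policy=ssh,read,sniff

# A separate account for the tap so that tap activity is attributable to one user
# in /log and the shared 'admin' password never has to be handed out.
/user add name=li-operator group=lawful-intercept password=CHANGE-ME-PLACEHOLDER

# Review: confirm which accounts can sniff, and that 'admin' is not used for it.
/user print
```

Whether the `tap` itself is configured under `/tool calea` or elsewhere in the RouterOS menu tree is not something the thread establishes, so only the user and group setup is shown here.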

tomrod 2 years ago

I see now why my cybersecurity friends source router hardware that allows them to own the OS.

Is there any way to not have a backdoor built into my router?

  • tjohns 2 years ago

    To be clear, this is not a "backdoor" in the traditional sense. Nobody can log into your router without your consent.

    This is a way for the router administrator (you) to manually give the police access to a copy of traffic in response to a warrant. The assumption here is that this router is being run at an ISP, and you're a netadmin responsible for handling legal compliance requests.

  • orangepurple 2 years ago

    This is put into place before it hits your router.

sgjohnson 2 years ago

Every router is technically capable of doing this.

It's just firewall rules and pcap.

Not sure this is front-page worthy.

  • capableweb 2 years ago

    Seems like a feature for mandatory "intercept and log network traffic" is interesting enough for hackers for the story to land on the frontpage.

    I didn't know about CALEA since before but I've dealt with lots of network infrastructure (never in the US though), so I found this interesting, and upvoted it.

  • medo-bear 2 years ago

    > Not sure this is front-page worthy

    why not ? i believe it is especially as i imagine most people are not aware that such things exist in freedom lands

    • distantsounds 2 years ago

      if you're on HN there is a level of confidence that you understand basic networking, and that you are aware your traffic goes through a multitude of devices before you get the data you requested.

      it should come as no surprise that those devices can log the data passing through them.

      • icedchai 2 years ago

        Just wait... someone will complain this is a GDPR violation. ;)

    • tablespoon 2 years ago

      > why not ? i believe it is especially as i imagine most people are not aware that such things exist in freedom lands

      Do you mean firewall rules? Because firewall rules definitely exist in "freedom lands."

      A lot of the comments here seem to show an eagerness to misunderstand this. Even in a "freedom land" law enforcement still needs the power to intrusively investigate criminal suspects, because ineffective law enforcement is a bad thing and a threat to liberty.

      • medo-bear 2 years ago

        in freedom land people generally believe that things they own will not call the cops on them. in contrast in soviet russia people generally believed everything they owned called the cops on them

        • jaywalk 2 years ago

          Just to be clear, this has nothing to do with a thing someone owns calling the cops on them. A CALEA intercept would be implemented before the data reaches the end user.

          • medo-bear 2 years ago

            im taking the liberty to talk figuratively. but yeah the thing you own instead of calling the cops will by design and purpose snitch on you when they come knocking

            • jaywalk 2 years ago

              How so? Unless you own a router with CALEA capabilities and specifically configure it to log all of your data, it's not going to snitch on you.

              • medo-bear 2 years ago

                > router with CALEA capabilities and specifically configure it to log all of your data

                the point is that in the US this [the device you own snitching on you] is required by law

                https://en.m.wikipedia.org/wiki/Communications_Assistance_fo...

                • jaywalk 2 years ago

                  You're misinterpreting it. CALEA requires that service providers have the capability to do interceptions when requested by law enforcement. It has absolutely nothing to do with end-user devices.

                  • medo-bear 2 years ago

                    > It has absolutely nothing to do with end-user devices.

                    absolutely nothing ? are you sure about that

    • sgjohnson 2 years ago

      To be fair, this makes perfect sense. It allows compliance with wiretap warrants. Which are perfectly reasonable.

      • salawat 2 years ago

        They are not. This is broadband. This goes far beyond pen-registers.

        This is bloody everything from a particular endpoint, and not in an application specific manner. There is very little but storage reqs and someone getting uppity keeping this from becoming a dragnet type of surveillance mechanism.

        • kube-system 2 years ago

          The warrant is the part that makes it not a dragnet.

          • jaywalk 2 years ago

            Depends on how specific and difficult the warrants are.

  • frankfrankfrank 2 years ago

    I find that neophile mentality quite ignorant of the fact that the negative and bad things aren’t just ephemeral, regardless of whether you would like to move on to next-thing. But I guess to people with your mindset the slippery slope is no slope at all, but rather a flat plane as you are sliding down it.

    “Why are you so concerned with the old Constitution” you proclaim, “we have the patriot act instead. It even has the word patriot in its title and the iPatriot act is on the way to replace the old patriot act. I support next-thing.”

  • kj4ips 2 years ago

    It depends, I've got some junipers that only pass the application processor the first N bytes of a packet, and even captures are limited to the first N bytes. Vendor docs say that if you need captures, you should do them on the switch, or use DPI and route everything through the application processor.

    • bombcar 2 years ago

      You could probably develop a "NSA sniffer" to determine when captures are happening by noting network degradation, especially if it forces everything onto the application processor and off of fast-path.

      • jhartwig 2 years ago

        like putting a script on the switch that says the cpu utilization is x% higher? Do higher end switches report out utilization of the packet processing asic? I have a few high end switches in my homelab, I can of course tell the utilization of the management processor but I have never tried to delve into what the actual switch chip is doing.

        • bombcar 2 years ago

          I was thinking more remotely noticing that throughput dropped - my switches can route at line speed if they avoid the CPU, but if the CPU is involved it drops to about half line speed.

          If you're the one controlling the network router, you know when the sniffing is going on - this would be trying to detect that your ISP has turned the "NSA button" on.

throwaway307423 2 years ago

  • nisegami 2 years ago

    > don't blame the cops (because: if you get ripped off on eBay or your child goes missing, you do want some kind of resolution, right?)

    I'm not sure where you live, but in my neck of the woods, going to the cops in these scenarios might even be slightly worse than not going to them, let alone better.

Terry_Roll 2 years ago

So they can watch everything that you do and then punish you if you look at the wrong parts of the internet instead of blocking the wrong parts of the internet and tackling the root of the problem in the first place.

That process says more about the people in power than the people using the internet, especially when you see how leading search engines can be with their results; it's like they want you to fail in order to consolidate their top tier position in society, intellectual feudalism.