[Dshield] Patriot spies?

Johannes Ullrich jullrich at euclidian.com
Mon Aug 4 14:43:53 GMT 2003

> It's called Remote SPAN, and it's not very universally 
> deployed (yet).

There are a number of ways to wiretap a connection. Such a
'span port' on a switch is frequently used for intrusion 
detection systems. A 'span port' will see all traffic that
goes through a switch.

However, there are other methods:
- 'tap'. This is essentially a read only connection. Kind of like a hub.
It can be plugged into an existing ethernet connection (fiber or

- hub. just a simple hub will allow you to 'listen in'. Unlike
a tap, such a hub allows the listening machine to send data to the
network with may make it harder to hide.

Of course, there are numerous other ways. E-mail could just be copied to
a second account from the mail server, or a sniffer could be installed
on an existing machine. 

Of course, there are various laws regulating this. In the US, the
following laws apply:

- Electronic Privacy Act: It prohibits your ISP from sharing
any intercepted communications with others (including law
enforcement). The ISP can be held liable for violating this

- Wiretap Act: It restricts how anybody is permitted to 'sniff' a
connection. In general, law enforcement has to have a court order. Even
an ISP is not permitted to listen in on its own network unless they have
permission from the user to do so, or they do so in a limited way to
ensure network security (however, whatever they find is still protected
by the privacy act). The ISP is not required to notify law enforcement
of illegal activity, with the only exception of child pornography.

- constitution (4th amendment). It protects you from unlawful
wiretapping by the government. However, it does nothing about your ISP
or other non-govt entities.

AFAIK, the first Patriot act did not change this all that substantially.
The only thing that got added is that it permitted the government to
assist private companies in wiretapping if the private company requests
this and does not have the ability to do so themselves. 


Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net

More information about the list mailing list