For many years people have been debating whether or not surveillance capabilities should be built into the Internet. Cypherpunks see a future of perfect end to end encryption while telecom companies are hard at work building surveillance interfaces into their networks. Do these lawful intercept interfaces create unnecessary security risks?
This talk will review published architectures for lawful intercept and explain how a number of different technical weaknesses in their design and implementation could be exploited to gain unauthorized access and spy on communications without leaving a trace. The talk will explain how these systems are deployed in practice and how unauthorized access is likely to be obtained in real world scenarios. The talk will also introduce several architectural changes that would improve their resilience to attack if adopted. Finally, we'll consider what all this means for the future of surveillance in the Internet - what are the possible scenarios and what is actually likely to happen over time.
IBM X-Force Tom Cross is the manager of IBM Internet Security System's X-Force Advanced Research team. Tom's team is engaged in a daily effort to identify, analyze, and mitigate computer security vulnerabilities. Tom has a six year history with ISS, during which he has served as a vulnerability researcher and software developer. He is credited with discovering a number of critical security vulnerabilities in enterprise class software and he also wrote one of the first academic papers suggesting the use of trust metrics in Wikipedia. Tom frequently speaks on computer security issues at conferences around the world. He holds a Bachelor's degree in Computer Engineering from Georgia Tech.