Friday, March 30, 2007

Full Content Monitoring as a Wiretap

I received the following question today:

When installing Sguil, what legal battles have you fought/won about full packet capture and its vulnerability to open records requests from outside parties? I am getting concerns, from various management, regarding the legal ramifications of the installation of a system similar to Sguil in the state government arena. Do you have any advice for easing their worries? I know how important full data capture is to investigating incidents, and I consider it of paramount importance to the security of our state that we do so. Are there any legal precedents that can be cited?

Before I say anything else it is important to realize I am not a lawyer, I don't play one on YouTube, and I recommend you consult your lawyer rather than listen to anything I might say.

With that out of the way: I have written about wiretaps a few times before. Let me cover the generic wiretapping issues first, then address the question specifically.

The pertinent Federal law is 18 U.S.C. §2511.

A great place to look for commentary and precedents on digital security issues is Orin Kerr's Computer Crime Case Updates. This search for wiretap may or may not be helpful.

Finally, for recent commentary by a lawyer (but not your lawyer), I recommend Sysadmins, Network Managers, and Wiretap Law (.pdf slides) by Alex Muentz. These notes from his LISA 2006 talk are helpful too.

I think the key element of the question originally posed was full packet capture and its vulnerability to open records requests from outside parties. It sounds like the question asker is worried about discoverability of full content data. I touched on this briefly in The Revolution Will Be Monitored.

My answer to this problem is both practical and technically limiting: do not store more full content data than you need. For any modern production network, capturing and storing days or weeks of full content traffic can be an expensive proposition. For example, at one client location I have about 200 GB of space available for full content storage. That space lets me save a little more than 10 days of full content, even with fairly draconian BPFs limiting what is stored. If for some reason I needed to produce that data to management or attorneys, I could only provide the last 10 days of information. If the event in question occurred prior to that period, I just don't have it.

I do know of some locations that operate massive storage area networks to save TBs of full content. I do not advocate that for anyone but the most specialized of clients. I do recommend collecting the amount of full content (if legally and technically possible) that covers your investigative window. For example, if you have a requirement to review your alert and session data such that you are never more than 5 days past an event of interest, you might want to save 7 days of full content. From an investigation point of view, more is always better. From a practical point of view, it might be too costly.
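As an added example (not code from the original post, and not Sguil's own packet-logging script), here is a small retention pruner in Python that implements the "store only what you need" rule from the two paragraphs above. It applies two limits in order: anything older than the investigative window is expired, and then the oldest survivors are evicted until what remains fits the disk budget. The directory layout (/nsm/dailylogs/<date>/snort.log), the file names and the sample listing (one 20 GiB file per day, a 200 GiB budget and a 10-day window, mirroring the numbers above) are constructed for illustration.

```python
"""Retention pruner for full content capture files (added example).

Implements the rule "do not store more full content than you need":
1. anything older than the investigative window is deleted, and
2. of what remains, the oldest files are deleted until the rest fits
   the disk budget.

The file layout (/nsm/dailylogs/<date>/snort.log), the sample listing
and the numbers are constructed for illustration; this is not Sguil's
own log_packets.sh.
"""
import os
import time
from dataclasses import dataclass
from pathlib import Path

GiB = 1024 ** 3


@dataclass(frozen=True)
class CaptureFile:
    path: str
    size: int      # bytes on disk
    mtime: float   # last-modified time, seconds since the epoch


def select_for_deletion(files, *, now, max_age_days, max_bytes):
    """Return the capture files to delete, oldest first.

    A file exactly max_age_days old is still inside the window; only
    files strictly older than the cutoff are expired by age.
    """
    cutoff = now - max_age_days * 86400
    by_age = sorted(files, key=lambda f: f.mtime)
    doomed = [f for f in by_age if f.mtime < cutoff]      # window rule
    keep = [f for f in by_age if f.mtime >= cutoff]
    total = sum(f.size for f in keep)
    while keep and total > max_bytes:                     # budget rule
        oldest = keep.pop(0)
        total -= oldest.size
        doomed.append(oldest)
    return doomed


def retained_bytes(files, doomed):
    """Bytes of full content that survive the pruning decision."""
    gone = {f.path for f in doomed}
    return sum(f.size for f in files if f.path not in gone)


def prune_directory(directory, *, max_age_days, max_bytes, dry_run=True):
    """Apply the policy to every *.log / *.pcap under `directory`.

    Returns the files selected; nothing is removed unless dry_run=False,
    so the list can be reviewed (with counsel, if need be) first.
    """
    entries = []
    for p in Path(directory).rglob("*"):
        if p.is_file() and p.suffix in (".log", ".pcap"):
            st = p.stat()
            entries.append(CaptureFile(str(p), st.st_size, st.st_mtime))
    doomed = select_for_deletion(entries, now=time.time(),
                                 max_age_days=max_age_days,
                                 max_bytes=max_bytes)
    if not dry_run:
        for f in doomed:
            os.remove(f.path)
    return doomed


def sample_listing():
    """Constructed listing: 14 daily files of 20 GiB each, newest first."""
    now = 1175256000.0  # 2007-03-30 12:00 UTC, the post's date (assumed)
    files = [
        CaptureFile(f"/nsm/dailylogs/2007-03-{30 - i:02d}/snort.log",
                    20 * GiB, now - i * 86400)
        for i in range(14)
    ]
    return now, files


def demo():
    """200 GiB of space and a 10-day window: 4 of 14 daily files go."""
    now, files = sample_listing()
    doomed = select_for_deletion(files, now=now, max_age_days=10,
                                 max_bytes=200 * GiB)
    for f in doomed:
        print("would delete", f.path)
    print(len(files) - len(doomed), "daily files kept,",
          retained_bytes(files, doomed) // GiB, "GiB")
    return doomed


if __name__ == "__main__":
    demo()
```

The capture-side BPF (what never reaches disk) and this pruner (how long what did reach disk survives) are the two knobs that bound what can later be produced; running the pruner with dry_run=True first shows exactly which files the policy would drop.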

Remember that any network data collection should be considered a wiretap. Full content is the form of network data that most resembles a wiretap.

With respect to session data, I recommend saving as much of it as possible. In practical terms it comes down to the amount of space you're willing to devote to database files. At the same client I am collecting as many sessions as I can, without filters. 30 days of such session data produces about 20 GB of uncompressed MySQL table files. As you can see, I can store many more days of session data than full content data. That means much more session data is discoverable. I might choose to limit storage of that session data to meet whatever guidance corporate legal counsel provides.

Session data is like pen register/trap and trace data, because it does not reveal content. I still treat it like a wiretap, but it probably does not meet the same standards.

Event data, i.e. IDS alerts, takes so little space as to not require any real storage consideration (compared to full content and session data). Therefore the primary limiting factor is legal and policy, not technical.

I think anyone who really wants a better answer would do well to check out Prof. Kerr's list, and potentially ask him. Alex Muentz would be another good resource.

1 comment:

JimmytheGeek said...

I work for a state agency. I contacted the assistant atty general responsible for our sector, and they wrote a necessarily limited memo. The law is really unclear, but on balance I feel that memo gives me the o.k. to pursue NSM with authorization from the organization's executives. It is really important that the monitoring be routine and to protect your property interest. You can't just decide to snoop because you are nosy.

(I also got a bit of "feedback" regarding contacting the AAG directly. My boss felt that was a prerogative of his boss, or his boss's boss. Everything winds up at OSI Layer 8.)