Protecting users privacy

Posted: Tue Sep 10, 2013 12:43 pm
by TomBradford
I voluntarily run a very small, non-profit wireless system in New Zealand for our little isolated community because there is no profit for anyone from outside to do it.

A Bill presently under consideration by the NZ Parliament (The Telecommunications (Interception Capability and Security) Bill) would designate me a "telecommunications services provider" and require me to a) let our security services eavesdrop on our network, and b) "decrypt telecommunications where the operator or provider has provided or applied the encryption."

This potential for Government snooping offends me deeply, and while there is nothing I could likely do to stand in the way of a), I'm wondering if there is any way I could put encryption in the hands of our subscribers - i.e. a way they can set up their own encryption across the network either by way of WPA2 or encrypted PPP, so that in the event of b) above I could respond that I don't have access to the decryption keys - only the user can do that.

We use Mikrotik and RouterOS both as APs and CPEs and I can't see any way of doing it, but if there is a devious way to do it I'd love to know.

Thanks.

Re: Protecting users privacy

Posted: Tue Sep 10, 2013 2:19 pm
by CelticComms
The encryption is effectively in the hands of the user anytime that they use https:// URLs. That should protect them from intermediate grade snoopers though not from the high end national agencies.

Making the users aware of the issues is probably the best approach. If their user sessions are https:// / SSL then the WPA2 keys are only one layer of security.

Re: Protecting users privacy

Posted: Tue Sep 10, 2013 4:28 pm
by pcunite
Thank you for finding this offensive. The best approach for the moment is to very bluntly alert the user of what is happening. This way they can still use the service you provide and group together to maybe put a stop to such dangerous practices.

Re: Protecting users privacy

Posted: Wed Sep 11, 2013 12:58 am
by TomBradford
What are people's thoughts about using SSL proxies? It's something I could draw to the attention of our subscribers, and if they choose to use one there's nothing I can do to 'assist' the authorities as a service provider. But are the free ones safe? Are the paid-for ones any safer? I've heard that even Tor is now compromised, and that the various 'security' agencies are even setting SSL proxies up as honey-pots.

Re: Protecting users privacy

Posted: Wed Sep 11, 2013 5:55 am
by TomBradford
Here's the thing. A gang of us all share an ISP plan through one NATted gateway with one public IP. So if one of us did attract the attention of 'the authorities' what could I, as telecommunications service provider, do to help the authorities? All they would have, presumably, would be a warrant saying that someone used that IP on such and such a date at such and such a time for nefarious reasons. Because of the NATting there's no way I could identify who that was, is there? Even if the spooks elected to keep a real-time watch on our traffic passing through the router is there any way they could discover who was accessing the undesirable address before NATting occurs? Particularly if the naughty one was using Tor or a proxy?

Under the Bill if it becomes law I as a small-time 'telecommunications provider' could be forced to do what the major public network operators are being required to do, which is to "pre-invest in interception capability". Anyone know what that actually means?

Re: Protecting users privacy

Posted: Sat Sep 14, 2013 12:25 pm
by haik01
Set up a PPTP server in a different country, and let everyone connect to it. It requires, of course, that each user will install or have a PPTP client and you need to issue passwords to them (maybe randomly). But it is the best "security". So if the government wants to "listen" to the traffic, it will be all encrypted.

Re: AW: Protecting users privacy

Posted: Sat Sep 14, 2013 6:59 pm
by barkas
> Here's the thing. A gang of us all share an ISP plan through one NATted gateway with one public IP. So if one of us did attract the attention of 'the authorities' what could I, as telecommunications service provider, do to help the authorities? All they would have, presumably, would be a warrant saying that someone used that IP on such and such a date at such and such a time for nefarious reasons. Because of the NATting there's no way I could identify who that was, is there? Even if the spooks elected to keep a real-time watch on our traffic passing through the router is there any way they could discover who was accessing the undesirable address before NATting occurs? Particularly if the naughty one was using Tor or a proxy?
>
> Under the Bill if it becomes law I as a small-time 'telecommunications provider' could be forced to do what the major public network operators are being required to do, which is to "pre-invest in interception capability". Anyone know what that actually means?

You could possibly be required to log IPs and NAT associations.

Re: Protecting users privacy

Posted: Sun Sep 15, 2013 1:26 am
by dboreham
Although laws like this haven't arrived in the US yet (at least not affecting small ISPs like me), I planned for the eventuality by being sure to assign one IP address per subscriber, and not performing NAT for them (any NAT is done by the subscriber's router, which I do not own or control). So I do not need to keep track of who is who: the spooks can do that themselves if they so desire.