Netintercept and SSH Decryption

Dustin Decker dustind at moon-lite.com
Fri Nov 21 17:22:00 CST 2003


I'm not particularly concerned about this ability to decrypt ssh traffic.
What seemed nefarious at first (and which following the post I've seen
nobody else has investigated) isn't exactly cracking ssh to begin with.

If you follow the link that Jonathan Hutchins provided, you'll see the
product.  Click on it and you will wind up here:
http://www.sandstorm.net/products/netintercept/

A quick glance at the product description gives you this:
Decrypts SSH2 from Modified Servers 
Monitors Traffic while Invisible on the Network 
Finds Cleartext Passwords 
Offers Secure Remote Administration 
Filters or Records all Your Traffic 
Enables Users to Drill Down through Connections 
Catches Header and Port Spoofing 
Reassembles Packets into Streams 
Full-Content Inspection & Analysis 
View Email, Web Pages, and File Contents 

Note that "Modified Servers" is used in this instance.  The point here is
this device/software is designed to allow an employer to keep tabs on their
systems, and what their users are doing with them.  IANAL, but I'm pretty
sure there is precedent out there that makes this perfectly legal,
considering the systems are owned by the company, and so is the employee
while on the clock.  (Or using the systems even while off the clock, for
that matter.)

While it has been discussed that sending an e-book or some other such item
could put the company at risk, this stuff doesn't really decrypt those
anyway.  If you've independently encrypted a file, and your activity has put
you on the radar, I expect human resources would be within their rights to
terminate you if said activity is in violation of the acceptable use policy
of the company.  While it's possible there may be a company stupid enough to
use a product like this without having an AUP in place, I doubt it.  Too much
$$$ at stake.

Just my $.02 Euro
Dustin

-----Original Message-----
From: owner-kclug at marauder.illiana.net
[mailto:owner-kclug at marauder.illiana.net] On Behalf Of Jonathan Hutchins
Sent: Thursday, November 20, 2003 9:35 AM
To: kclug at kclug.org
Subject: Netintercept and SSH Decryption

There's a spyware program advertised in the December SysAdmin, Netintercept
from www.sandstorm.net.  Clearly pitched for employers to spy on employee
activity, it offers some disturbing features:

"View Email, Webpages, Images & File Contents".  "Guaranteed Invisible &
Silent on Your Network".  "Custom Reports Including Cleartext Passwords".

This is not exceptional, except for the hint that they're decrypting
passwords, which might not be necessary if they can link to the actual hosts
and pull them from the original password files.  

More troubling though is this:

"Patent Pending SSH & SSL Decryption".

Now, I know that the government has been pressing encryption providers to
leave back doors for NSA and other "legitimate" surveillance, but I didn't
think that SSH had caved on this.  I was under the impression that SSH was
still un-cracked.  Can they actually offer to decrypt SSH streams now?



