Re: Email tapping by ISPs, forwarder addresses, and crypto proxies
"If you think the cable landings in Va/Md are coincidental, you are smoking something I've run out of. Its all recorded. I'm sure the archiving and database groups in Ft. Meade will get a chuckle out of your "the right to" idioms." Well, I don't actually believe it's all recorded. As I've attempted to explain previously, "they" almost certainly have risk models in place. When several variables twinkle enough (eg, origination area, IP address, presence of crypto...) some rule fires and then diverts a copy into the WASP'S Nest. There's probably some kind of key word search that either diverts the copy into storage or into the short list for an analyst to peek it. -TD
From: "Major Variola (ret)" <mv@cdc.gov> To: "cypherpunks@al-qaeda.net" <cypherpunks@al-qaeda.net> Subject: Re: Email tapping by ISPs, forwarder addresses, and crypto proxies Date: Tue, 06 Jul 2004 21:40:29 -0700
At 02:47 PM 7/6/04 -0700, Hal Finney wrote:
Messages in storage have much lower judicial protection than messages in transit. (This does not have much technical merit, in the current atmosphere of "damn the laws - there are terrorists around the corner", but can be seen as a nice little potential benefit.)
I.e., zero.

One thing I haven't understood in all the commentary is whether law enforcement still needs a warrant to access emails stored in this way. Apparently the ISP can read them without any notice or liability, but what about the police?
You are state meat, whether 5150'd or not.
Also, what if you run your own mail spool, so the email is never stored at the ISP, it just passes through the routers controlled by the ISP (just like it passed through a dozen other routers on the internet). Does this give the ISP (and all the other router owners) the right to read your email? I don't think so, it seems like that would definitely cross over the line from "mail in storage" to "mail in transit".

If you think the cable landings in Va/Md are coincidental, you are smoking something I've run out of. It's all recorded. I'm sure the archiving and database groups in Ft. Meade will get a chuckle out of your "the right to" idioms.
On Wed, Jul 07, 2004 at 10:28:01AM -0400, Tyler Durden wrote:
Well, I don't actually believe it's all recorded. As I've attempted to explain previously, "they" almost certainly have risk models in place. When several variables twinkle enough (e.g., origination area, IP address, presence of crypto...) some rule fires and then diverts a copy into the WASP'S Nest. There's probably some kind of key word search that either diverts the copy into storage or into the short list for an analyst to peek at it.

How much plain text can ~10^9 online monkeys daily enter into their keyboard? A ~10^3 average ballpark gives you a TByte/day (minus the redundancy), which is currently a 1U worth of SATA RAID/day, or 3 years' worth of the world's entire traffic in a 10^3 node cluster, which is on the low side these days. Hard drive storage density goes up exponentially, and probably faster than people can go online (the old world has saturated) -- it isn't a problem, given that population increase doesn't occur at these growth rates. You don't have to delete anything, ever.

Given what Google manages with some 10^4..10^5 nodes, this problem set looks puny in comparison. Keeping the data on a cluster gives you the local crunch to do some very nontrivial data mining, especially if you narrow the scope down sufficiently to be able to lock the data in memory and crunch it there. Fax OCR/telex is just as easy, speech recognition doable, given the budget.

We don't know whether they are actually doing it (I *think* these people are too conservative to be doing clusters right now, so they're probably doing storage hierarchies with tape libraries -- but then they as well could be MIB types years ahead of the mainstream), the point is that they could, given the documented amount of hired talent and official budget.

-- 
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
[demime 1.01d removed an attachment of type application/pgp-signature]
At 07:28 AM 7/7/2004, Tyler Durden wrote:
"If you think the cable landings in Va/Md are coincidental, you are smoking something I've run out of. Its all recorded. I'm sure the archiving and database groups in Ft. Meade will get a chuckle out of your "the right to" idioms."
Well, I don't actually believe it's all recorded. As I've attempted to explain previously, "they" almost certainly have risk models in place. When several variables twinkle enough (eg, origination area, IP address, presence of crypto...) some rule fires and then diverts a copy into the WASP'S Nest. There's probably some kind of key word search that either diverts the copy into storage or into the short list for an analyst to peek it.
Perhaps, but at a Bay Area meeting a few years back held to discuss NSA/SIGINT, I think it was held on the Stanford campus, a developer disclosed that an American contractor manufacturer had won a contract to install 250,000 high-capacity disk drives at one of these agenicies. stveve
On Wed, 7 Jul 2004, Steve Schear wrote:
Perhaps, but at a Bay Area meeting a few years back held to discuss NSA/SIGINT, I think it was held on the Stanford campus, a developer disclosed that an American contractor manufacturer had won a contract to install 250,000 high-capacity disk drives at one of these agencies.

steve

Let's look at that for a second. "A few years ago". Let's call it two years ago. That would make the average hi-cap drive around 30 GB. We'll have to assume they want these to be fault-tolerant and with hot standbys, since this *is* the standard implementation, so: 250,000 drives divided by 5 to get RAID groups = 50K groups of 90 GB each, or ~4.6 petabytes for this one order. 4.6 PB may be a lot, but it wouldn't hold much of the world's traffic - there's a hell of a lot of filtering going on.

-- 
Yours, J.A. Terranson sysadmin@mfn.org

"...justice is a duty towards those whom you love and those whom you do not. And people's rights will not be harmed if the opponent speaks out about them." Osama Bin Laden
At 12:11 PM 7/7/2004, Steve Schear wrote:
Perhaps, but at a Bay Area meeting a few years back held to discuss NSA/SIGINT, I think it was held on the Stanford campus, a developer disclosed that an American contractor manufacturer had won a contract to install 250,000 high-capacity disk drives at one of these agencies.
On the other hand, 100,000 employees times two disk drives per desktop and a few departmental servers can get you that much capacity.
On Sat, Jul 17, 2004 at 02:06:40PM -0700, Bill Stewart wrote:
On the other hand, 100,000 employees times two disk drives per desktop and a few departmental servers can get you that much capacity.
I understand there is this thing called a black budget. The production rate limit of plain text is human fingers. If you want to keep it all online, your burn rate is a kilobuck/day for hardware. Filtering traffic to extract relevant parts is going to cost a bit more, especially if you're using centralized taps and not server clouds in the periphery.

For those of you who have worked at major ISPs, can the fact that traffic is routed through a few "customer" boxes be hidden from employees?

-- 
Eugen* Leitl http://leitl.org
On Sun, 18 Jul 2004, Eugen Leitl wrote:
For those of you who have worked at major ISPs, can the fact that traffic is routed through a few "customer" boxes be hidden from employees?
Speaking as someone who qualifies: no. However, the fact that you even asked the question begs another question, namely, what do you consider "major"? Savvis was, in my opinion, at the very lower end of "major", operating in ~140 countries, although most of that was vpn and multicast. Let's guess that internet was considerably less, say ~15-20 countries directly.

In short, the trouble with trying to stuff all this through a choke point (or even 10 choke points) is it's going to be either seen directly as a router hop (if at layer 3), or seen indirectly at layer 2. And the kind of detailed troubleshooting that goes on in the first through third level support groups just wouldn't be able to miss this - sooner or later someone would see something, and then the whole place would know. Now, *mirroring* to a couple of choke points, sure, but then you have transit and other associated costs (you gotta haul the data to all of the collectors). Just not feasible to do it quietly. Note, I said quietly.

-- 
Yours, J.A. Terranson sysadmin@mfn.org 0xBD4A95BF

"...justice is a duty towards those whom you love and those whom you do not. And people's rights will not be harmed if the opponent speaks out about them." Osama Bin Laden
- - -
"There ought to be limits to freedom!" George Bush
- - -
Which one scares you more?
On Sun, Jul 18, 2004 at 05:55:02AM -0500, J.A. Terranson wrote:
Now, *mirroring* to a couple of choke points, sure, but then you ave transit and other associated costs (you gotta haul the data to all of the collectors).
I was thinking about a box at each incoming/outgoing point with a NIC in passive mode. Filtered traffic is a tiny fraction of total, and should be easy to send to a central location (I presume because it's feasible to process and store the world's entire relevant text traffic in a pretty small central facility, no one is going to bother with true distributed processing; though filtering at the periphery already qualifies as such). OTOH, presence of a number of such boxes is going to need a gag order, and a really major ISP. Small shops are too informal to be able to hide something like that.
Just not feasible to do it quietly. Note, I said quietly.
Hardware required for tapping major arteries is going to need modified high-end routers (filtering of cloned traffic), no? I don't see how this is going to be a limit on an organization of the size of NSA & consorts.

-- 
Eugen* Leitl http://leitl.org
On Sun, 18 Jul 2004, Eugen Leitl wrote:
I was thinking about a box at each incoming/outgoing point with a NIC in passive mode.
A NIC? You gotta realize that we're talking about mesh circuits here: OC3-OC48 trunks, OC192 backbones... This is no small job. A mom/pop or midsized regional maybe you could do this - you know, the guy with a half a dozen DS3s.

-- 
Yours, J.A. Terranson sysadmin@mfn.org 0xBD4A95BF
On Sun, Jul 18, 2004 at 06:13:49AM -0500, J.A. Terranson wrote:
A NIC? You gotta realize that we're talking about mesh circuits here: OC3-OC48 trunks, OC192 backbones... This is no small job. A mom/pop or
At times of 10 GBit Ethernet, OC192 data rate doesn't seem all that intimidating. A standard 1U Dell should have enough crunch to just filter out the plain text packets of a 1 GBps Ethernet line.
midsized regional maybe you could do this - you know, the guy with a half a dozen DS3s.
-- 
Eugen* Leitl http://leitl.org
On Sun, 18 Jul 2004, Eugen Leitl wrote:
On Sun, Jul 18, 2004 at 06:13:49AM -0500, J.A. Terranson wrote:
A NIC? You gotta realize that we're talking about mesh circuits here: OC3-OC48 trunks, OC192 backbones... This is no small job. A mom/pop or
At times of 10 GBit Ethernet, OC192 data rate doesn't seem all that intimidating.
A standard 1U Dell should have enough crunch to just filter out the plain text packets of a 1 GBps Ethernet line.
I have seen a passive tap on a gig line used for IDS, true, but that's pretty close to the state of the art right now. There's an issue with getting the interfaces for the 1U Dell, and then you have the secondary issues of just how much encapsulated crap do you need to strip off, and how fast. Remember, you only get 1 shot, and you *can't* ask for more time - if your buffer runneth over, you be screwed.

It's not as easy as it feels.

-- 
Yours, J.A. Terranson sysadmin@mfn.org 0xBD4A95BF
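Terranson's "you only get 1 shot" can be put in numbers. The block below is an added example written for this page, not code from anyone in the thread; the arrival and service rates and the buffer sizes are assumed round numbers, not measurements of any real link. It models the fixed-size buffer between a passive tap and its filter: a full buffer drops, it never blocks, and a dropped packet is gone for good.

```python
"""Bounded capture buffer with a slower consumer: what a passive tap loses.

Added example, not from the thread. Rates and capacities are assumed
round numbers chosen to make the arithmetic visible, not real-link figures.
"""
from collections import deque


class CaptureBuffer:
    """Fixed-size FIFO between tap and filter; when full it drops, it never blocks."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.queue = deque()
        self.accepted = 0
        self.dropped = 0
        self.processed = 0

    def offer(self, packet) -> bool:
        """Try to enqueue one packet; on a passive tap there is no retransmission."""
        if len(self.queue) >= self.capacity:
            self.dropped += 1
            return False
        self.queue.append(packet)
        self.accepted += 1
        return True

    def drain(self, budget: int) -> int:
        """Let the filter consume up to `budget` packets this tick."""
        done = 0
        while done < budget and self.queue:
            self.queue.popleft()
            done += 1
        self.processed += done
        return done


def simulate(arrivals_per_tick, service_per_tick, ticks, capacity):
    """Run `ticks` rounds of arrive-then-drain; returns (accepted, dropped, backlog).

    `arrivals_per_tick` is an int for a steady load or a callable(tick) for bursts.
    """
    buf = CaptureBuffer(capacity)
    for t in range(ticks):
        n = arrivals_per_tick(t) if callable(arrivals_per_tick) else arrivals_per_tick
        for i in range(n):
            buf.offer((t, i))          # (tick, sequence) stands in for a packet
        buf.drain(service_per_tick)
    return buf.accepted, buf.dropped, len(buf.queue)


def steady_state_loss(arrival_rate, service_rate) -> float:
    """Loss fraction once the buffer is full under sustained oversubscription."""
    return max(0.0, 1.0 - service_rate / arrival_rate)


def bursty(t: int) -> int:
    """20 packets/tick for 5 ticks, then 5 idle ticks: average 10, peak 20 (assumed shape)."""
    return 20 if t % 10 < 5 else 0


if __name__ == "__main__":
    print("sustained 12 in / 10 out, cap 100:", simulate(12, 10, 1000, 100))
    print("sustained 12 in / 10 out, cap 200:", simulate(12, 10, 1000, 200))
    print("steady-state loss fraction:", steady_state_loss(12, 10))
    print("bursty avg 10 / 10 out, cap 60:", simulate(bursty, 10, 100, 60))
    print("bursty avg 10 / 10 out, cap 30:", simulate(bursty, 10, 100, 30))
```

Two things fall out. Under sustained oversubscription (12 in, 10 out per tick) a bigger buffer only delays the onset of loss: once it is full, the loss fraction settles at 1 - service/arrival = 1/6 whether the buffer holds 100 packets (1910 of 12000 lost) or 200 (1810 lost). Under a bursty load whose average exactly matches the service rate, the result depends entirely on whether the buffer covers the peak backlog: 60 slots lose nothing, 30 slots lose 30% of everything. Size the buffer to the bursts and the filter to the sustained rate; neither one can substitute for the other.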
On Sun, Jul 18, 2004 at 07:50:16AM -0500, J.A. Terranson wrote:
I have seen a passive tap on a gig line used for IDS, true, but that's pretty close to the state of the art right now. There's an issue with
There are dedicated network processors, though, and one can outsource the filter bottlenecks into an FPGA board. This is still reasonably small and cheap.
getting the interfaces for the 1U Dell, and then you have the secondary issues of just how much encapsulated crap do you need to strip off, and how fast. Remeber, you only get 1 shot, and you *can't* ask for more time - if your buffer runneth over, you be screwed.
It's not as easy as it feels.
I think it would be far easier if WAN protocols were plain GBit Ethernet.

-- 
Eugen* Leitl http://leitl.org
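The filtering both sides keep coming back to, deciding at the tap which payloads are plain text, which announce crypto, and which are opaque, is the first thing a line-rate filter would have to do. The block below is an added example written for this page, not code from this thread or from any agency's or vendor's system; the thresholds are heuristic assumptions, and every sample payload is constructed inline rather than captured.

```python
"""Payload triage for a passive tap: which captured payloads are worth keeping?

Added example, not code from the thread. Thresholds are assumptions chosen
for illustration, and all sample payloads below are constructed, not captured.
"""
import base64
import math
import random
import re
import zlib
from collections import Counter

# Assumed thresholds (heuristics, not measured from real traffic):
PRINTABLE_MIN = 0.95      # share of bytes that must be printable ASCII to count as text
TEXT_ENTROPY_MAX = 5.2    # bits/byte; English runs about 4-4.7, base64 about 6
OPAQUE_ENTROPY_MIN = 7.0  # bits/byte; ciphertext and compressed data sit near 8
ENCODED_MIN_LEN = 32      # shorter bare runs are too ambiguous to call "encoded"

PGP_ARMOR_RE = re.compile(rb"-----BEGIN PGP (?:MESSAGE|SIGNATURE|PUBLIC KEY BLOCK)-----")
B64_LINE_RE = re.compile(rb"[A-Za-z0-9+/=]+")   # hex is a subset, so it matches too


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/newline/CR."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def looks_encoded(data: bytes) -> bool:
    """True when every non-empty line is a bare base64/hex run and the total is long enough."""
    lines = [ln.strip() for ln in data.splitlines() if ln.strip()]
    return (bool(lines)
            and sum(len(ln) for ln in lines) >= ENCODED_MIN_LEN
            and all(B64_LINE_RE.fullmatch(ln) for ln in lines))


def classify(payload: bytes) -> str:
    """One of: empty, pgp-armored, encoded, plaintext, opaque, binary."""
    if not payload:
        return "empty"
    if PGP_ARMOR_RE.search(payload):
        return "pgp-armored"          # armored crypto is printable but announces itself
    ent = shannon_entropy(payload)
    if printable_ratio(payload) >= PRINTABLE_MIN:
        if looks_encoded(payload) or ent >= TEXT_ENTROPY_MAX:
            return "encoded"          # base64/hex may wrap anything, ciphertext included
        return "plaintext"
    if ent >= OPAQUE_ENTROPY_MIN:
        return "opaque"               # encrypted OR compressed: entropy cannot tell them apart
    return "binary"                   # structured binary, padding, protocol framing


def select_for_collection(payloads):
    """The 'rule fires' step: keep readable text plus anything that announces crypto."""
    return [p for p in payloads if classify(p) in ("plaintext", "pgp-armored")]


# --- constructed sample payloads (not captured traffic) ------------------------
_rng = random.Random(1)
_WORDS = "the quick brown fox jumps over a lazy dog while we discuss cable landings and filters".split()
PLAIN_EMAIL = b"Subject: lunch\r\n\r\nMeet at noon near the cable landing? Bring the filter notes.\r\n"
PGP_MESSAGE = (b"-----BEGIN PGP MESSAGE-----\n\n"
               + base64.encodebytes(bytes(_rng.getrandbits(8) for _ in range(120)))
               + b"-----END PGP MESSAGE-----\n")
BASE64_BLOB = base64.encodebytes(bytes(_rng.getrandbits(8) for _ in range(600)))
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))      # stands in for ciphertext
COMPRESSED = zlib.compress(" ".join(_rng.choice(_WORDS) for _ in range(900)).encode(), 9)
ZERO_PADDED = b"\x00" * 200 + b"\x01\x02\x03" * 20                 # low-entropy binary
SAMPLES = [PLAIN_EMAIL, PGP_MESSAGE, BASE64_BLOB, RANDOM_BLOB, COMPRESSED, ZERO_PADDED]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{classify(p):12s} entropy={shannon_entropy(p):.2f} printable={printable_ratio(p):.2f}")
    print("kept:", len(select_for_collection(SAMPLES)), "of", len(SAMPLES))
```

The caveat a filter designer needs is in the last two classes: byte entropy cannot distinguish ciphertext from compressed data, so a selector keyed on "presence of crypto" either sweeps in every compressed attachment or misses encrypted data that was re-wrapped in base64. PGP armor, by contrast, is printable and labels itself, which is exactly why it is a cheap selector, and exactly why anyone who cares strips the armor before sending.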
On Wed, 7 Jul 2004, Tyler Durden wrote:
"If you think the cable landings in Va/Md are coincidental, you are smoking something I've run out of. Its all recorded. I'm sure the archiving and database groups in Ft. Meade will get a chuckle out of your "the right to" idioms."
Well, I don't actually believe it's all recorded. As I've attempted to explain previously, "they" almost certainly have risk models in place. When several variables twinkle enough (eg, origination area, IP address, presence of crypto...) some rule fires and then diverts a copy into the WASP'S Nest. There's probably some kind of key word search that either diverts the copy into storage or into the short list for an analyst to peek it.
To channel Mr. May: "All of this of course can be put to rest by reading some Bamford. (Body of Secrets, Puzzle Palace.)"
participants (6): Bill Stewart, Eugen Leitl, J.A. Terranson, Steve Schear, Sunder, Tyler Durden