Re: Email tapping by ISPs, forwarder addresses, and crypto proxies
At 10:12 AM 7/19/04 -0400, Tyler Durden wrote:
"Gimme an intel IXA network processor and no problem. ATM is fixed size data, not as tricky as IP decoding. Predicatable bandwidth. Stream all into megadisks, analyze later."
I'm gonna have to challenge this bit here, Variola.
Please. Truth requires skepticism. Be bold.
> Let's back up. You've got an OC-48 or OC-192 fiber and you want to grab ALL of the data in this fiber. Now I'll grant that in real life there's going to be a lot telephony circuit in there, but let's take a worst-case and assume you need ALL the data.
As cryptographers, we must assume this.
> What's in this OC-192? Right now it definitely ain't 10Gb/s of packets. It's going to have LOTS of DS1s, DS3s and, if you're lucky, an STS-3c or two. So you'll need to first of all demux ALL of the tributaries.
> Next, you've got to un-map any ATM in each of the DS1s, etc, and then pull out the IP data from the ATM cells, remembering to reassemble fragmented packets (and there will be plenty with ATM). And remember, you may have to do this for 5000 simultaneous DS1s.
And how much *dark fiber* is there? Lots and lots, thanks to irrational exuberance. Guess what? SiO2 doesn't care which direction the beam is pumped into.
Yawn. You underestimate the Adversary. Never ever do that. Isn't there some chink who wrote that?
> Oh, and let's not forget pointer adjustments.
Oh no, not pointers! What next, MPLS?
> And that's just one fiber. How will you actually get all of this traffic back to HQ? Remember, it keeps coming and won't stop.
Dark fiber.
> No, I think I'm becoming convinced that they can't yet get ALL of it.
Enjoy your childhood while it lasts. It's a beautiful time.
At 09:00 PM 7/20/2004, Major Variola (ret) wrote:
> At 10:12 AM 7/19/04 -0400, Tyler Durden wrote:
> No, I think I'm becoming convinced that they can't yet get ALL of it. Enjoy your childhood while it lasts. It's a beautiful time.
I think you're talking at cross-purposes. If you're the Good Guy, trying to keep from being wiretapped, you need to assume that the Bad Guys are going to get everything, or at least everything of _yours_. If you're the Wiretapper, trying to figure out how to get everything, it's still difficult and expensive and annoying, and much easier to just administrative-subpoena-gag-order the ISP, limiting the number of people at the ISP who know anything.
> Tape Drives
How will you do _that_ quietly? You don't put the tape drives on ISP premises, you put the extra fiber connections to the Homeland Security Office there, and put the tape drives somewhere convenient - or if the ISP also runs a colo center, you put them there in a cage rented by the Maryland Procurement Agency or something.
> OC192s full of ATM and T1s and T3s, oh my!
Most ISPs can roughly be divided into the access-side connections (lots of small circuits out to end users), backbones (fat pipes to your other POPs and other ISPs), and processing/hosting/etc. equipment. Wiretapping the backbone doesn't get you everything, but it's a small number of fat pipes, and you don't need to go tracking and demuxing all the thousands of little access circuits or demodulating the modems or whatever - just get the good stuff, where it's all been routed together on a fat IP channel (possibly running MPLS, but that's just a few extra headers.) If an ISP is buying an access ring from an access ring provider, you can subpoena _that_ provider to find out which channels or wavelengths are probably the ones you want and do a passive tap there.
> Tapping fibers under the ocean.
Most big US ISP backbones these days run OC48 or OC192 between bigger cities; connections to small cities vary a lot depending on concentrator-deployment philosophies. The OC48 and OC192 are usually wavelengths on big DWDM pipes, though in concentrated areas like New York to Boston you'll see a certain amount of large bundles of fiber running single wavelengths. Some of the older undersea cables are still one or two OC48s, but most of the new stuff is DWDM, typically with bandwidths of 40-160 Gbps now which can be fired up to faster speeds if demand grows.
> Legacy ATM equipment
Oh, right, you work at one of those _little_ ISPs :-) Actually, there is a huge amount of ATM equipment out there, because DSL usually runs ATM protocols on the access lines, so CLECs and LEC DSL providers usually hand it to the ISPs as ATM. There's also a lot of ATM and frame for enterprise use within companies, but in the big ISP world it's mostly phased out except for DSL, because the router companies and ethernet switching caught up with ATM speeds a few years ago and are now long past them. MPLS is pretty much reimplementing all the things that ATM was good at, and for the last few years everybody's been hyping how MPLS will make things really cool real soon now, and it's gradually taking over.
JYA's web site, by the way, has some absolutely terrific maps and photographs of a lot of undersea cable systems; we occasionally use the stuff at work (it's especially good when you're giving talks, because it's public material you don't have to clear with bureaucrats...)
> [ how much data there is ]
AT&T's Internet Protect security service collects IP headers from our peering points and hub locations, analyzing trends like rapid increases in uses of some protocols. We saw the Slammer worm make a couple of startup attempts or trial runs (not sure which) for about four days before it hit, so we had filters ready, and we've seen similar things on a number of other viruses and port-scanning attacks. It also lets us see things like "Yes, there's a big spike in use of Protocol _x_ but it's just a DDOS against one university machine", and it's starting to be helpful in blocking DDOSs. The system uses passive optical taps (there are lots of vendors who sell gear like that), and collects over 10TB a day (our total Internet traffic is about 1.4PB/day, so this is about 1%.) The database at the head end is a bit less flexible than MS Access or MySQL, but it's a lot larger than typical databases can handle, and the kinds of calculations that make sense at that scale are a bit different than what you could use if you were targeting a smaller data set. Some of the most useful calculations are "what percentage of bits/packets/flows are protocol X or TCP or UDP to/from port Y."
Disclaimer: None of this is an official statement from any three-and-a-half-letter-acronym organization.
----
Bill Stewart bill.stewart@pobox.com
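The "what percentage of packets/bytes are protocol X to port Y" calculation Bill describes, with a simple day-over-day spike check of the kind that would make a worm's trial runs visible as a rise in one port's share. This is an added example run over constructed header records, not AT&T's system or any code from this thread; the record format, the port 5555 and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample of header records (day, proto, dst_port, bytes), standing in
# for the IP/TCP/UDP headers a passive tap collects. Days 1-4 are the baseline;
# day 5 adds a burst of UDP to a constructed port 5555.
SAMPLE = []
for day in range(1, 6):
    SAMPLE += [(day, "tcp", 80, 1500)] * 40    # web
    SAMPLE += [(day, "tcp", 25, 800)] * 5      # smtp
    SAMPLE += [(day, "udp", 53, 90)] * 10      # dns
SAMPLE += [(5, "udp", 5555, 404)] * 30         # the anomalous burst

def share_by_port(records, key="packets"):
    """Per day, the fraction of packets (or bytes) carried by each (proto, dst_port)."""
    totals = defaultdict(float)
    per_port = defaultdict(Counter)
    for day, proto, port, nbytes in records:
        w = nbytes if key == "bytes" else 1
        totals[day] += w
        per_port[day][(proto, port)] += w
    return {d: {k: v / totals[d] for k, v in c.items()} for d, c in per_port.items()}

def spikes(shares, today, factor=5.0, floor=0.01):
    """(proto, port) pairs whose share today exceeds `factor` times their median
    share over earlier days and is at least `floor` of today's traffic. A pair
    never seen before has baseline 0, so any share above `floor` is a spike."""
    keys = set().union(*(t.keys() for t in shares.values()))
    earlier = [d for d in shares if d < today]
    flagged = []
    for k in keys:
        now = shares[today].get(k, 0.0)
        base = median(shares[d].get(k, 0.0) for d in earlier) if earlier else 0.0
        if now >= floor and now > factor * base:
            flagged.append(k)
    return sorted(flagged)

if __name__ == "__main__":
    s = share_by_port(SAMPLE)
    for k, v in sorted(s[5].items()):
        print(f"day 5 {k[0]}/{k[1]}: {v:.1%} of packets")
    print("spikes on day 5:", spikes(s, today=5))
```

The same share table answers Bill's "is the spike just one protocol" question: a flagged pair still has to be examined before anyone decides it is a worm rather than a DDOS against one host.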
> Let's back up. You've got an OC-48 or OC-192 fiber and you want to grab ALL of the data in this fiber. Now I'll grant that in real life there's
A. You don't want all data. A nice illustration on ether speeds is obtained by using simple tools like putting the NIC in promiscuous mode, using simple reassembler and filter that discards everything but smtp/pop text parts. This can be trivially done with tcpdump+awk. The percentage of mail texts is usually less than 2-3% of all traffic. And it's not even because of porn - it's stupidity of html generators (humans & software).
B. Even 'All data' is far less than line speed. Average fiber utilisation is under 4% in US. Buffers!
===== end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows:
There's a trial underway in New York City which involves extensive testimony from the FBI on its means and methods of tapping phone, fax and e-mail as well as covert video tapping and audio recording of the three defendants, one of whom is a NYC lawyer, Lynne Stewart, the other two usual Muslim suspects. The daily transcripts: http://cryptome.org/usa-v-ssy-dt.htm
A lot of the early proceeding is dry legal maneuvering so you got to dig for the technical testimony. One defendant had 85,000 interceptions over several years, and as intercept systems changed from analogue (Lockheed Martin) to digital (Raytheon) the conversion and archiving process lost a crucial portion of the intercepts, a basis of charges. Defense lawyers are hammering the FBI witnesses on how this could have occurred, and in the process eliciting a good bit of interesting info on the means and methods, as well as the reputation and ability of the witnesses and the Lockheed and Raytheon interception, manipulation and archiving systems.
Testimony shows that the FBI continues to rely upon service providers and contractors for the technical intercepts and freely admits that the bureau could not do it otherwise. What is done with the raw intercepts afterwards by the FBI collection, analysis and technical staff in the field and at the Quantico Engineering Research Facility, meticulously directed by US Attorneys to pick and choose among the data to support the charges, is what the defense is challenging. At some point the contractors will be called to describe what takes place beyond FBI capability. The prosecution appears not to want to go there, so accustomed are they to using the FBI as expert witnesses to set the limits of jury and public exposure to the possibilities of counter-interception. Not a word yet about encryption, although some of the testimony has been sealed.
participants (4): Bill Stewart, John Young, Major Variola (ret), Morlock Elloi