[IP] more on The Shadow Internet

David Farber dave at farber.net
Thu Dec 30 16:53:48 PST 2004


------ Forwarded Message
From: Joel M Snyder <Joel.Snyder at Opus1.COM>
Date: Thu, 30 Dec 2004 17:18:55 -0700
To: <dave at farber.net>
Cc: Ip <ip at v2.listbox.com>, <dpaull at svpal.org>
Subject: Re: [IP] more on The Shadow Internet

> Is it really possible that the government is unable to identify
> the topsites and find out which servers connect to them?

It's harder than you might think.  Let's say you have some person who
you think is A Bad Guy.  If they're a US person, and you're USG, then
you can probably get their ISP to let you tap their wires.  After you go
to a judge.

OK, so that's fine, except that everything they do is encrypted.  We
can't decrypt that (wrong part of the USG), but fortunately the IP
address is not encrypted.

So that leads us off to some OTHER ISP.  Let's, for the sake of
argument, assume that the ISP is in the US.  Now USG treks over to that
ISP and says "we want to peek."  The ISP says "no," of course, so USG
goes back to Judge and gets a warrant and ISP (if you're lucky) suddenly
becomes cooperative.  Except that the server is one of ten thousand
piece-o-junk Linux boxes that some hosting company stuck in the data
center which they sell web sites off at $2.50/month and so the best
thing the ISP can do is point you at the box and disclose who is paying
the bill.

OK, go back to the judge, go back to the hosting company that owns the
boxes and say "show us."  The hosting company says, "that system is
being rented by a light bulb distributor out of Reno." (I'm putting them
in the US to make things easier, OK?)  The hosting company passes over
the passwords, the USG logs in (MAYBE or maybe not) and assuming that
they don't screw it up (MAYBE or maybe not) they discover that the light
bulb distributor has no idea what the hell is going on except that they
used to pay $2.50 a month and now they're about to get a $1300 bandwidth
bill, which they're going to take out of their system administrator's
salary for using 'p4ssword' as the password.

Anyway, enough of this easy stuff: now the trail gets interesting---the
logs show that the connections to this box come from Canada.  No, let's
make it Korea.  So what is Mr. G-man going to do?  Yeah, he'll send off
a couple of email messages which will either (a) get ignored or (b) get
response telling him to get a Korean search warrant.

And then it stops, because Mr. G-man ain't got no Korean judge and he
ain't got no budget to go over to Korea and plead his case.

But let's say that he does.  By this time, the trail is so cold that the
logs are gone (if there were any logs in the first place, which there
generally are not), and now he's got to go back to Step 1, or maybe Step
2 or Step 3 but this time he's got to find a German judge or an Italian
judge and so on and so on...

Now, if the money were REALLY big and the problem were REALLY
aggravating and this was the "once a year case that we want to send out
press releases on," maybe he'd get some budget to deal with this.  But
they seem to do this about once a year, maybe twice if there's an
election.  Fundamentally, though, without someone driving the
investigation via major powerful and highly funded friends in
Washington, it's not going to happen.

The existence of large piles of bandwidth concentrated in very large
rooms which have thousands of poorly protected servers in them across at
least 5 continents means that without really trying very hard the folks
who want to keep things a secret are able to do that, simply by being
mobile, IP-wise, finding new systems to hack into (trivial), and keeping
  redundant piles of data around.  With a very small amount of care, you
could hide your steps from all but the best funded and most persistent
of investigators.

And what might be interesting to Wired and its readers probably doesn't
match the drugs-and-terrorism program at the Dep't of Justice.

I've got people ONE hop away from me who WANT to cooperate but cannot
produce the necessary logs to even point at who the bad guys are that
are breaking into their machines.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice)  +1 520 324 0495 (FAX)
jms at Opus1.COM    http://www.opus1.com/jms    Opus One


------ End of Forwarded Message


-------------------------------------
You are subscribed as eugen at leitl.org
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net

[demime 1.01d removed an attachment of type application/pgp-signature]





More information about the cypherpunks-legacy mailing list