Email tapping by ISPs, forwarder addresses, and crypto proxies

[Bill Stewart]

At 09:00 PM 7/20/2004, Major Variola (ret) wrote:
>At 10:12 AM 7/19/04 -0400, Tyler Durden wrote:
> >No, I think I'm becoming convinced that they can't yet get ALL of it.
>Enjoy your childhood while it lasts.  Its a beautiful time.

I think you're talking at cross-purposes.
If you're the Good Guy, trying to keep from being wiretapped,
you need to assume that the Bad Guys are going to get everything,
or at least everything of _yours_.
If you're the Wiretapper, trying to figure out how to get everything,
it's still difficult and expensive and annoying,
and much easier to just administrative-subpoena-gag-order the ISP,
limiting the number of people at the ISP who know anything.

 > > Tape Drives
 > How will you do _that_ quietly?
You don't put the tape drives on ISP premises, you put the extra
fiber connections to the Homeland Security Office there,
and put the tape drives somewhere convenient -
or if the ISP also runs a colo center, you put them there
in a cage rented by the Maryland Procurement Agency or something.

 > OC192s full of ATM and T1s and T3s, oh my!
Most ISPs can roughly be divided into the
access-side connections (lots of small circuits out to end users),
backbones (fat pipes to your other POPs and other ISPs),
and processing/hosting/etc. equipment.
Wiretapping the backbone doesn't get you everything,
but it's a small number of fat pipes, and you don't need to go
tracking and demuxing all the thousands of little access circuits
or demodulating the modems or whatever - just get the good stuff,
where it's all been routed together on a fat IP channel
(possibly running MPLS, but that's just a few extra headers.)
If an ISP is buying an access ring from an access ring provider,
you can subpoena _that_ provider to find out which channels or
wavelengths are probably the ones you want and do a passive tap there.

 > Tapping fibers under the ocean.
Most big US ISP backbones these days run OC48 or OC192
between bigger cities; connections to small cities vary a lot
depending on concentrator-deployment philosophies.
The OC48 and OC192 are usually wavelengths on big DWDM pipes,
though in concentrated areas like New York to Boston you'll
see a certain amount of large bundles of fiber running single wavelengths.
Some of the older undersea cables are still one or two OC48s,
but most of the new stuff is DWDM, typically with bandwidths of
40-160 Gbps now which can be fired up to faster speeds if demand grows.

JYA's web site, by the way, has some absolutely terrific maps and
photographs of a lot of undersea cable systems; we occasionally
use the stuff at work (it's especially good when you're giving talks,
because it's public material you don't have to clear with bureaucrats...)

 > Legacy ATM equipment
Oh, right, you work at one of those _little_ ISPs :-)
Actually, there is a huge amount of ATM equipment out there,
because DSL usually runs ATM protocols on the access lines,
so CLECs and LEC DSL providers usually hand it to the ISPs as ATM.
There's also a lot of ATM and frame for enterprise use
within companies, but in the big ISP world it's mostly phased out
except for DSL, because the router companies and ethernet switching
caught up with ATM speeds a few years ago and are now long past them.
MPLS is pretty much reimplementing all the things that ATM was good at,
and for the last few years everybody's been hyping how MPLS will make
things really cool real soon now, and it's gradually taking over.

 > [ how much data there is ]
AT&T's Internet Protect security service collects IP headers
from our peering points and hub locations, analyzing trends
like rapid increases in uses of some protocols.  We saw the
Slammer worm make a couple of startup attempts or trial runs
(not sure which) for about four days before it hit,
so we had filters ready, and we've seen similar things on
a number of other viruses and port-scanning attacks.
It also lets us see things like "Yes, there's a big spike in
use of Protocol _x_ but it's just a DDOS against one university machine",
and it's starting to be helpful in blocking DDOSs.

The system uses passive optical taps (there are lots of vendors
who sell gear like that), and collects over 10TB a day
(our total Internet traffic is about 1.4PB/day, so this is about 1%.)
The database at the head end is a bit less flexible than MS Access or MySQL,
but it's a lot larger than typical databases can handle,
and the kinds of calculations that make sense at that scale
are a bit different than what you could use if you were
targeting a smaller data set.  Some of the most useful calculations are
"what percentage of bits/packets/flows are protocol X
or TCP or UDP to/from port Y."

Disclaimer: None of this is an official statement from
any three-and-a-half-letter-acronym organization.

----
Bill Stewart  bill.stewart at pobox.com