IP: " I read this article and I can't help wondering." Beyond Carnivore: FBI Eyes Packet Taps

[David Farber <dave () farber net>]

> Date: Sun, 21 Oct 2001 15:35:27 -0400
> From: Dan Steinberg <synthesis () videotron ca>
> X-Mailer: Mozilla 4.78 [en] (Win98; U)
> X-Accept-Language: en
> To: farber () cis upenn edu
> Subject: Re: IP: Beyond Carnivore: FBI Eyes Packet Taps
>
>  Dave, I read this article and I can't help wondering....
> how on earth do they think they can do this? It reads like someone who barely
> understands how the phone system works, not the internet. It really reads like
> someone talking through their hat.
>
> Even if they could actually 'centralize' all the packets in one room (or a 
> series
> of rooms), what on earth would they do with them?
> Consider the magnitude of the processing power required to deal with this 
> kind of
> (packet-level) data.  The power required to process e-mail in devices like
> carnivore...that's known.  Now consider that tapping e-mail requires only one
> action at the file level. You can do that with a box at each ISP. And you 
> know what
> kinda traffic you are looking for: mail traffic.  Difficult, but feasible.
>
> OK. Now go to the packet level. First of all you can't do all your processing
> locally  at each ISP. You want to know what someone is doing, you have to 
> see where
> his/her packets are going.  And its at least an order of magnitude more 
> difficult
> since you deal with the packets and not the whole message before it goes 
> out. How
> many packets does a typical e-mail use these days?  Hard to say. My colleage
> Richard Sexton's messages (always known for brevity and cutting out old text)
> probably fit in one packet most of the time.  But he's an 
> exception.  Seems like
> everyone is using yahoo or some equivalent that puts ads right in the mal 
> message.
> Or html messages.  Were talking many packets/message.  And that's just 
> mail.  Now
> with most people surfing using high-speed internet connections, what about 
> those
> large files flying about?
>
> That's just e-mail. There is web traffic, conferencing systems, 
> videoconference,
> file-sharing like Napster, good ol' ftp (still a lot of that flying 
> about), various
> chat protocols (most of which support file transfer and contain ad traffic),
> various keep-alive packets sent by boxes, the list goes on and on.  The 
> problem
> goes from.....
>
> 'what mail is going through this ISP now' to ....
> 'where does every packet go?'
>
> yes you have to look at *every* packet.  And you have re-assemble all the 
> traffic
> into e-mail messages, images, conference sessions, http requests, 
> etc.  You don't
> know who you are looking for.  If you did, you woulnd't need the central 
> place to
> track packets. You could just go to an ISP or better stilll go tap their 
> phone or
> something traditional.  And since you dont know who you are looking 
> for,  you dont
> know where you are going to find information.  It could be in that e-mail, 
> it could
> be someone scanned the page of a book and e-mailed it (so you have to 
> check every
> image). So someone has to actually 'look' at everything.  It could be in some
> private section of a chat room.  Someone could be telling someone where 
> the next
> target it by sending a nice pic of it (just hypothetically since theres no 
> evidence
> this was done). But before 9/11 who would have worried about someones pic 
> of the
> World Trade Center "hi from New York" message.  So if someone sends a pic 
> of the
> Hoover dam....should the FBI be worried? or is it just my folks finally 
> going on a
> trip to California and visiting some sites along the way. So its not just
> order-of-magnitude bigger problem, once you get there...you have another 
> problem:
> how to analyze.
>
> What about worms and other things that dump excess traffic on the 
> net?   If you go
> to http://www.matrix.net/research/history/20010720.html they have 
> information on
> just how much traffic happens on a 'bad day'.
>
> and....taking a deep breath....think about spoofed packets.....uh oh....
> just how much information are they ever gonna get out of that?????
>
> You know, when I read the post, my first thought was 'ok I better get some 
> facts to
> back this up' so for a few brief moments I tried to find information on 
> how many
> packets are flying around at any time...ok. bad idea. the number is so great,
> apparently no one bothers to measure it. Is it even possible to measure 
> how many
> hosts are there on the net?  According to matrix.net (a great source btw) 
> in 2000
> it was 105,728,000.  Over a hundred million hosts. Thats hosts, not users. 
> But even
> the definition of hosts blurs these days, with many people on high-speed 
> full or
> effectively full-time connections.  A few years ago you could probably safely
> assume that traffic from users was mostly http requests going one way and 
> results
> coming back. Now with file sharing, everyone can sorta be a host.
>
> Ok so we went from checking mail messages at individual ISPs, to checking all
> packets all the time.  It's making me long for the good ol' days of 'all 
> anthrax
> all the time'.  At least that stuff wasn't orders of magnitude off the mark.
>
> It's staggering to think that someone would say they can do this now. Do 
> they have
> any idea how many packets are flying about? and how much web traffic is 
> going after
> cached pages? packet loss?  I'm sure they can apply packet-level filtering to
> eliminate much of what goes through whatever pipe the choose to monitor, 
> and this
> filtering could cut down on some of the noise...but enough to bring it down to
> something they can manage? I think not.
>
> Since I don't have an engineering degree it would probably be better if 
> you found
> someone with more credibility, but I don't mind if you publish this, Dave.


For archives see:
http://www.interesting-people.org/archives/interesting-people/