Interesting People mailing list archives
IP: "I read this article and I can't help wondering." Beyond Carnivore: FBI Eyes Packet Taps
From: David Farber <dave () farber net>
Date: Sun, 21 Oct 2001 15:39:58 -0400
Date: Sun, 21 Oct 2001 15:35:27 -0400
From: Dan Steinberg <synthesis () videotron ca>
X-Mailer: Mozilla 4.78 [en] (Win98; U)
X-Accept-Language: en
To: farber () cis upenn edu
Subject: Re: IP: Beyond Carnivore: FBI Eyes Packet Taps

Dave,

I read this article and I can't help wondering.... how on earth do they think they can do this? It reads like someone who barely understands how the phone system works, not the internet. It really reads like someone talking through their hat.

Even if they could actually 'centralize' all the packets in one room (or a series of rooms), what on earth would they do with them?

Consider the magnitude of the processing power required to deal with this kind of (packet-level) data. The power required to process e-mail in devices like carnivore...that's known. Now consider that tapping e-mail requires only one action at the file level. You can do that with a box at each ISP. And you know what kinda traffic you are looking for: mail traffic. Difficult, but feasible.

OK. Now go to the packet level. First of all you can't do all your processing locally at each ISP. You want to know what someone is doing, you have to see where his/her packets are going. And it's at least an order of magnitude more difficult since you deal with the packets and not the whole message before it goes out. How many packets does a typical e-mail use these days? Hard to say. My colleague Richard Sexton's messages (always known for brevity and cutting out old text) probably fit in one packet most of the time. But he's an exception. Seems like everyone is using yahoo or some equivalent that puts ads right in the mail message. Or html messages. We're talking many packets/message. And that's just mail. Now with most people surfing using high-speed internet connections, what about those large files flying about?

That's just e-mail. There is web traffic, conferencing systems, videoconference, file-sharing like Napster, good ol' ftp (still a lot of that flying about), various chat protocols (most of which support file transfer and contain ad traffic), various keep-alive packets sent by boxes, the list goes on and on. The problem goes from..... 'what mail is going through this ISP now' to .... 'where does every packet go?'

yes you have to look at *every* packet. And you have to re-assemble all the traffic into e-mail messages, images, conference sessions, http requests, etc. You don't know who you are looking for. If you did, you wouldn't need the central place to track packets. You could just go to an ISP or better still go tap their phone or something traditional. And since you don't know who you are looking for, you don't know where you are going to find information. It could be in that e-mail, it could be someone scanned the page of a book and e-mailed it (so you have to check every image). So someone has to actually 'look' at everything. It could be in some private section of a chat room. Someone could be telling someone where the next target is by sending a nice pic of it (just hypothetically since there's no evidence this was done). But before 9/11 who would have worried about someone's pic of the World Trade Center "hi from New York" message. So if someone sends a pic of the Hoover dam....should the FBI be worried? or is it just my folks finally going on a trip to California and visiting some sites along the way. So it's not just an order-of-magnitude bigger problem, once you get there...you have another problem: how to analyze.

What about worms and other things that dump excess traffic on the net? If you go to http://www.matrix.net/research/history/20010720.html they have information on just how much traffic happens on a 'bad day'. and....taking a deep breath....think about spoofed packets.....uh oh.... just how much information are they ever gonna get out of that?????

You know, when I read the post, my first thought was 'ok I better get some facts to back this up' so for a few brief moments I tried to find information on how many packets are flying around at any time...ok. bad idea. the number is so great, apparently no one bothers to measure it. Is it even possible to measure how many hosts are there on the net? According to matrix.net (a great source btw) in 2000 it was 105,728,000. Over a hundred million hosts. That's hosts, not users. But even the definition of hosts blurs these days, with many people on high-speed full or effectively full-time connections. A few years ago you could probably safely assume that traffic from users was mostly http requests going one way and results coming back. Now with file sharing, everyone can sorta be a host.

Ok so we went from checking mail messages at individual ISPs, to checking all packets all the time. It's making me long for the good ol' days of 'all anthrax all the time'. At least that stuff wasn't orders of magnitude off the mark.

It's staggering to think that someone would say they can do this now. Do they have any idea how many packets are flying about? and how much web traffic is going after cached pages? packet loss? I'm sure they can apply packet-level filtering to eliminate much of what goes through whatever pipe they choose to monitor, and this filtering could cut down on some of the noise...but enough to bring it down to something they can manage? I think not.

Since I don't have an engineering degree it would probably be better if you found someone with more credibility, but I don't mind if you publish this, Dave.
For archives see: http://www.interesting-people.org/archives/interesting-people/