Why "carnivore" type systems can't be (entirely) open source
Richard Clayton
richard at highwayman.com
Thu, 1 Feb 2001 00:34:37 +0000
In article <l03102800b69e18bad209@[158.152.121.6]>, Ian Miller
<Ian_Miller@singularis.ltd.uk> writes
>Richard Clayton <richard@highwayman.com>
>>The bottom line message is that "sniffing" is not particularly simple to
>>do when the traffic pattern is deliberately making it hard.... and this
>>is all ignoring issues about performance, bandwidth etc etc
>>
>This also ignores the issue that if you wish to avoid being tracked by
>something like carnivore, you want to avoid conspicuous traffic patterns
>like enormous numbers of fragmented packets like the plague.
If the detector treats attempts to avoid detection as suspicious (as it
might, to take another example, treat the use of encryption programs)
then it would be wise to avoid drawing special attention to particular
messages by taking special protective steps.
However, I think you've missed the scenario.... which is that someone
(or someone's leased line) is already under surveillance -- the question
is how much traffic can be locally discarded as irrelevant before it is
passed to NTAC (and indeed before it is then placed before a human).
A lot of traffic goes up and down a 2MB leased line ... one cannot
imagine humans doing the filtering of what may be relevant.
>I could be
>mistaken about this, but I was under the impression that packet
>fragmentation is in practice pretty rare.
yes - it does happen from time to time though ... so in the IDS realm
waking up a sysadmin to report it ("danger will robinson, there is a
hack going on") is almost certainly a mistake. [that's not to say that
an IDS shouldn't be spotting particular forms of fragmentation and
getting very excited indeed]
So, I would agree that at first sight it might be worth reporting on
fragmentation in an interception scenario....
>Sufficiently rare that, like
>encrypted traffic, something like carnivore will capture the lot for later
>analysis. Traffic that consists of contradictory fragments should be
>ringing alarm bells in any analysis system.
... but someone who thought they might be monitored could, at the cost
of some bandwidth loss, completely overload the detectors (and also
overload the humans who are trying to extract intelligence from what is
being reported).
>Whereas the criteria for capture in a system like carnivore probably do
>need to be secret. I would argue that that is effectively 'key'
>information. The design of the system as a whole can still be open source,
>and gain from it. I don't see anything in the article you quote to the
>contrary.
Indeed.
Everything else being equal, all parts of the system should, in my view,
be open source. There are significant practical advantages to this.
However, I don't currently see an operational need, from the ISP
perspective, for the logic which decides which parts of a data stream
are worth reporting upon to be published, or inspectable by the ISP.
Since the nature of this part of the system turns out to be sensitive,
the conclusion I draw is that it should be a "proprietary" component
within an otherwise open source system.
Lest that be misunderstood, I DO see a need for ISPs to be in a position
to be sure that only traffic for the smallest possible range of IP
addresses is being fed to the detector module. I also see a need to
ensure that the proprietary part is not directly accessing the ISP's
network in any way.
As a final clarification - this would not apply to material sought under
an 8(4) warrant - where completely different issues would arise.
-- 
richard richard.clayton @ h i g h w a y m a n . com
"Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM
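As an added example, not code from this thread or from any interception or IDS product, the following Python sketch makes concrete the distinction drawn above between "reporting on fragmentation" at first sight and getting excited only about the particular form that matters: fragments of one datagram that contradict each other. The Fragment class, classify_fragments and the two alert helpers are hypothetical names introduced here, and the sample fragments are constructed inline.

```python
"""Distinguish benign IPv4 fragmentation from contradictory fragments.

Added example for this thread, not code from any interception or IDS
product.  All names here (Fragment, classify_fragments, naive_alerts,
targeted_alerts) are hypothetical; the sample fragments are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """The IPv4 header fields that matter for reassembly, plus the payload."""
    src: str
    dst: str
    ident: int      # IP identification field, shared by all fragments of a datagram
    proto: int      # IP protocol number (6 = TCP)
    offset: int     # byte offset of this payload in the original datagram (header field * 8)
    more: bool      # MF flag: True unless this is the final fragment
    payload: bytes


def fragment_key(f: Fragment):
    """Fragments belong to the same datagram when these four fields match."""
    return (f.src, f.dst, f.ident, f.proto)


def classify_fragments(frags):
    """Group fragments per datagram and return {key: verdict}.

    'complete'      - bytes reassemble with no disagreement (duplicates are fine)
    'contradictory' - two fragments cover the same byte with different values,
                      or two "final" fragments disagree on the datagram length
    'incomplete'    - gaps remain, or no final (MF=0) fragment was seen
    """
    groups = defaultdict(list)
    for f in frags:
        groups[fragment_key(f)].append(f)

    verdicts = {}
    for key, group in groups.items():
        reassembled = {}          # absolute byte offset -> byte value
        contradictory = False
        total_len = None
        for f in sorted(group, key=lambda g: g.offset):
            for i, b in enumerate(f.payload):
                pos = f.offset + i
                if pos in reassembled and reassembled[pos] != b:
                    contradictory = True   # overlap carrying different data
                reassembled[pos] = b
            if not f.more:
                end = f.offset + len(f.payload)
                if total_len is not None and total_len != end:
                    contradictory = True   # two "last" fragments, different lengths
                total_len = end
        if contradictory:
            verdicts[key] = "contradictory"
        elif total_len is None or any(i not in reassembled for i in range(total_len)):
            verdicts[key] = "incomplete"
        else:
            verdicts[key] = "complete"
    return verdicts


def naive_alerts(frags):
    """'Report on any fragmentation': one alert per fragmented datagram."""
    return sorted({fragment_key(f) for f in frags})


def targeted_alerts(frags):
    """Alert only where the fragments of a datagram contradict one another."""
    return sorted(k for k, v in classify_fragments(frags).items() if v == "contradictory")


SRC, DST, TCP = "10.0.0.1", "10.0.0.2", 6

# Constructed sample traffic: one benign fragmented request (with a harmless
# retransmitted duplicate), one datagram whose overlapping fragments disagree,
# and one whose tail never arrived.
SAMPLE = [
    Fragment(SRC, DST, 0x1234, TCP, 0, True, b"GET /index.html "),
    Fragment(SRC, DST, 0x1234, TCP, 0, True, b"GET /index.html "),   # identical duplicate
    Fragment(SRC, DST, 0x1234, TCP, 16, False, b"HTTP/1.0\r\n"),
    Fragment(SRC, DST, 0x5678, TCP, 0, True, b"AAAAAAAA"),
    Fragment(SRC, DST, 0x5678, TCP, 8, True, b"BBBBBBBB"),
    Fragment(SRC, DST, 0x5678, TCP, 8, False, b"CCCCCCCC"),         # overlaps with different data
    Fragment(SRC, DST, 0x9ABC, TCP, 0, True, b"partial "),
]

if __name__ == "__main__":
    for key, verdict in classify_fragments(SAMPLE).items():
        print(f"id=0x{key[2]:04x}: {verdict}")
    print("alert on all fragmentation:", len(naive_alerts(SAMPLE)))
    print("alert on contradictions only:", len(targeted_alerts(SAMPLE)))
```

On the constructed sample, reporting every fragmented datagram raises three alerts, two of them for traffic that is merely fragmented or unfinished, while reporting only contradictions raises one. The caveat that goes with the point about overloading the detectors is that this check keeps per-datagram state keyed on a 16-bit identification field, so a sender who wants to swamp it can simply emit endless first fragments with fresh identifiers and never finish them; a deployable version needs a cap on held state per source and a timeout for incomplete datagrams.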