What do you think about communications data collection and storage?
Igor Mozolevsky
ukcrypto at chiark.greenend.org.uk
Fri, 1 May 2009 22:21:18 +0100
2009/5/1 Roland Perry:
> I'm struggling to understand how the criminal sat at his ADSL PC in London
> mounts that attack on an indeterminate bit of network the other end of the
> county.
Quite simply - if, say, you are using DPI to sniff out the network,
all the attacker has to do is (ask BBC how to ;-)) hire a bot-net then
start having fun with fragmentation, although a single DSL connection
is probably enough for this, depending on the method.
To have a proper DPI, you have to reassemble fragmented packets.
Different OSes reassemble overlapping packets differently - some keep
the first seen packet and discard any new data that overlaps, others
overwrite overlapping regions with new data. Which of the two is the
DPI box going to use? What's the same DPI box going to do if it sees
gaps in data - is it going to sit there waiting for more data to
arrive until some arbitrarily large timeout occurs? Some IDSes can be
set to do the reassembly one way or another at startup time,
others like Snort have a virtual assembly "line" which tries to
assemble the packets in all ways possible. I don't think any of those
reassembly solutions is scalable to a large ISP level however, and if
you have bits missing, i.e. one fragment 0-40 and another fragment
50-60, how long is the DPI box going to sit there waiting for the
missing bytes? You can't simply discard packets with the MF flag as
"dodgy", because there are lots of legitimate uses for it (e.g.
misconfigured MTU on VPN connections).
> It is always the case that some criminals will try to cloak their
> activities, but the majority simply don't bother (or even know how).
Of course we still have people who ask law enforcement whether saving
a Word document leaves provenance data (classic case in the States!),
but again, those who do that probably generate enough evidence without
the logging initiative to guarantee themselves a cosy place for a
while. Meanwhile, those who commit tech. crimes would still probably
go undetected.
>> Besides, this reflects the situation with CCTV - the whole logging
>> initiative is not going to prevent crime. Instead, it merely *may*
>> provide some corroborating evidence of a crime.
>
> I think it may help prevent some crimes, if you can home in on the
> conspirators just before they act.
Unless you start doing data mining on the logs or pay someone to monitor
them 24/7, I don't see how one could home in on a particular incident
just in time when such logging probably generates millions of events
per second, especially when the whole infrastructure is distributed.
> I'm not sure clock drift matters much when all you are doing is making a
> list of the web pages I surf to, and who I send emails to.
Well, it depends: if an ISP offered dynamic addresses, I don't think
anyone would want to get a knock on their door at 5am if they
disconnected and someone, who went to KP sites, got the same IP
address a couple of minutes later. You'd probably worry if there was a
drift between the RADIUS server and the DPI box that implicated the
wrong person...
>> The problem with the postal analogy is that a) the whole address is
>> written on the packet
>
> It isn't. None of the depots in between have their addresses written on the
> outside, nor do they have the licence number of the delivery van. That's a
> fundamental part of the analogy.
No, the depots don't write the routing address, but the addressee (for
the purposes of the application layer, say "RCPT TO: ...") is written
on the outside of the box. The internet protocol allows you to have a
lot of fun overwriting any data (above the link layer) that you've
already sent; a postcard/letter/package does not.
>> and b) whatever is going to that address is nicely wrapped inside and can
>> be viewed with an x-ray machine or opened up for inspection.
>
> Isn't that what DPI is supposed to do?
Yup, but the DPI would have no clue if the data wasn't in clear text.
How many third-party proxies that reside outside of the UK
jurisdiction now offer SSL? If all of your traffic is encrypted, do
you automatically qualify as a 'person of interest'? Again, the
fragmentation argument applies here.
--
Igor
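The reassembly ambiguity Igor describes above (first-seen bytes kept versus later fragments overwriting, plus the 0-40 / 50-60 gap case), as an added example that is not part of the original post: a small Python reassembler that runs both overlap policies and reports overlaps and gaps as anomalies, so a monitor can flag the datagram rather than silently pick one interpretation. Fragment offsets are in bytes for clarity (real IPv4 uses 8-byte units); the `Fragment` type and the sample fragments are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset into the original datagram (constructed simplification)
    data: bytes
    more: bool    # the MF ("More Fragments") flag


def reassemble(fragments, policy="first"):
    """Reassemble fragments in arrival order.

    policy="first": keep the bytes seen first, discard overlapping new data.
    policy="last":  let later fragments overwrite overlapping regions.
    Returns (payload or None, list of anomaly strings) so overlaps and gaps
    are surfaced instead of being resolved silently.
    """
    buf, anomalies, total = {}, [], None
    for frag in fragments:
        end = frag.offset + len(frag.data)
        if not frag.more:                        # MF=0 fixes the datagram length
            if total is not None and total != end:
                anomalies.append(f"conflicting total length {total} vs {end}")
            total = end
        overlap = [o for o in range(frag.offset, end) if o in buf]
        if overlap:
            anomalies.append(f"overlap at bytes {overlap[0]}-{overlap[-1]}")
        for i, b in enumerate(frag.data):
            off = frag.offset + i
            if off not in buf or policy == "last":
                buf[off] = b
    if total is None:
        anomalies.append("no terminal fragment (MF=0) seen; cannot complete")
        return None, anomalies
    missing = [o for o in range(total) if o not in buf]
    if missing:
        anomalies.append(f"gap: {len(missing)} byte(s) missing from offset {missing[0]}")
        return None, anomalies
    return bytes(buf[o] for o in range(total)), anomalies


def policies_disagree(fragments):
    """True when first-wins and last-wins give different payloads: the point at
    which a DPI box cannot know which bytes the end host actually saw."""
    return reassemble(fragments, "first")[0] != reassemble(fragments, "last")[0]


# Constructed samples: an overlapping retransmission, and the post's 0-40 / 50-60 hole.
OVERLAP = [Fragment(0, b"hello ", True), Fragment(6, b"world", False), Fragment(6, b"there", False)]
GAP = [Fragment(0, b"a" * 40, True), Fragment(50, b"b" * 10, False)]

if __name__ == "__main__":
    for name, frags in (("overlap", OVERLAP), ("gap", GAP)):
        for policy in ("first", "last"):
            print(name, policy, reassemble(frags, policy))
        print(name, "policies disagree:", policies_disagree(frags))
```

For the overlap sample the two policies return different payloads, which is exactly the case a monitor should flag rather than guess; for the gap sample neither policy can finish, which is the timeout question raised in the post.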