What do you think about communications data collection and storage?

Roland Perry ukcrypto at chiark.greenend.org.uk
Sun, 3 May 2009 22:47:14 +0100


In article 
<a2b6592c0905011421t3f97515di69d2c7f0072df7eb@mail.gmail.com>, Igor 
Mozolevsky <igor@hybrid-lab.co.uk> writes
>2009/5/1 Roland Perry:
>
>> I'm struggling to understand how the criminal sat at his ADSL PC in London
>> mounts that attack on an indeterminate bit of network the other end of the
>> county.
>
>Quite simply - if, say, you are using DPI to sniff out the network,
>all the attacker has to do is (ask BBC how to ;-)) hire a bot-net then
>start having fun with fragmentation, although a single DSL connection
>is probably enough for this, depending on the method.

So you are proposing that a criminal can throw out so much chaff that 
his communications are obscured. This chaff permeating the whole path 
that his various communications take (ie past all the probes)?

You don't think someone might notice that?

>Unless you start doing data mining on the logs or pay someone monitor
>them 24/7, I don't see how one could home-in on a particular incident
>just in time when such logging probably generates millions of events
>per second, especially when the whole infrastructure is distributed.

Criminals don't tend to do just one illegal thing in their lives (and 
even gangs of suicide bombers don't set them all off simultaneously). 
Once you've got an idea who it is that you should be looking at (based 
on historical illegal acts you've detected) then looking at their 
communications and associates will help you catch them in the act 
eventually. Which will prevent any further acts.

>> I'm not sure clock drift matters much when all you are doing is making a
>> list of the web pages I surf to, and who I send emails to.
>
>Well, it depends, if an ISP offered dynamic addresses, I don't think
>anyone would want to get a knock on their door at 5am if they
>disconnected and someone, who went to KP sites, got the same IP
>address couple of minutes later.

This all seems to be "fighting the last war but two". I thought you were 
talking about clock drift in milliseconds, not minutes. And who accesses 
the Internet by dynamic-IP dialup any more?

>>> The problem with the postal analogy is that a) the whole address is
>>> written on the packet
>>
>> It isn't. None of the depots in between have their addresses written on the
>> outside, nor do they have the licence number of the delivery van. That's a
>> fundamental part of the analogy.
>
>No, the depots don't write the routing address, but the addressee (for
>the purposes of the application layer, say "RCPT TO: ...") is written
>on the outside of the box. The internet protocol allows you to have a
>lot of fun overwriting any data (above the link layer) that you've
>already sent, a post card/letter/package does not.

But didn't I already say that the comms data associated with a 
communication changes as the communication progresses?

>>> and b) whatever is going to that address is nicely wrapped inside and can
>>> be viewed with an x-ray machine or opened up for inspection.
>>
>> Isn't that what DPI is supposed to do?
>
>Yup, but the DPI would have no clue if the data wasn't in clear text,

Are you suggesting that the comms data is encrypted too? Because what 
people are saying doesn't matter as much as who they are saying it to.

>how many third party proxies that reside outside of the UK
>jurisdiction now offer SSL?

If some data escapes, that doesn't invalidate capturing the data which 
doesn't. Despite what some people think, criminals don't universally 
employ avoidance techniques.

>If all of your traffic is encrypted, do you automatically qualify as a 
>`person of interest'?

Depends who you are sending the encrypted data to.
-- 
Roland Perry
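The dynamic-address point raised above (one subscriber disconnects and the same IP address is re-issued to another a couple of minutes later) is the practical hazard in attributing a logged address to a person: the answer depends on the timestamp, on the clock offset between the probe that saw the traffic and the ISP's accounting server, and on whether both logs carry a time zone. The following is an added example, not code from the original thread or from any ISP: it builds lease intervals from a constructed RADIUS-style accounting log and resolves an address at an observed time with an explicit skew tolerance, returning every subscriber who could have held the address in that window rather than silently picking one. The usernames, addresses, session ids and timestamps are all invented for the illustration.

```python
"""Attribute a dynamically assigned IP address to a subscriber from
session-accounting logs, allowing for clock skew between the probe that
observed the traffic and the ISP's accounting server.
Every log line, name and address below is constructed for this example."""
from datetime import datetime, timedelta, timezone

# Constructed RADIUS-style accounting records: one Start and one Stop per
# session.  Timestamps carry an explicit UTC offset so that a BST-stamped
# ISP log and a UTC-stamped probe can be compared without a one-hour error.
ACCOUNTING_LOG = """\
2009-05-01T18:00:00+0100 Start user=alice ip=81.0.0.10 session=a1
2009-05-01T20:30:00+0100 Stop  user=alice ip=81.0.0.10 session=a1
2009-05-01T20:32:00+0100 Start user=bob   ip=81.0.0.10 session=b7
2009-05-01T23:59:00+0100 Stop  user=bob   ip=81.0.0.10 session=b7
"""


def parse_ts(s):
    """Parse an ISO-style timestamp that must carry a UTC offset."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S%z")


def build_leases(log_text):
    """Pair Start/Stop records by session id into (ip, user, start, stop).

    A session with a Start but no Stop is still open, so its end is set to
    the far future rather than being dropped (dropping it would make the
    address look unassigned at the time of interest)."""
    open_sessions = {}
    leases = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        key = fields["session"]
        if event == "Start":
            open_sessions[key] = (fields["ip"], fields["user"], parse_ts(ts))
        elif event == "Stop":
            ip, user, start = open_sessions.pop(key)
            leases.append((ip, user, start, parse_ts(ts)))
    far_future = datetime.max.replace(tzinfo=timezone.utc)
    for ip, user, start in open_sessions.values():
        leases.append((ip, user, start, far_future))
    return leases


def resolve(leases, ip, observed_at, skew=timedelta(0)):
    """Return the sorted list of users who held `ip` at any instant in
    [observed_at - skew, observed_at + skew].

    More than one name means the observation cannot be attributed to one
    subscriber without tighter clocks or a narrower window; an empty list
    means no lease covered the address at that time."""
    lo, hi = observed_at - skew, observed_at + skew
    return sorted({user for lip, user, start, stop in leases
                   if lip == ip and start <= hi and stop >= lo})


LEASES = build_leases(ACCOUNTING_LOG)

# The probe stamps in UTC: 19:33Z is 20:33 BST, one minute into bob's session.
SEEN = parse_ts("2009-05-01T19:33:00+0000")

# Trusting both clocks to the second attributes the address to bob alone.
print(resolve(LEASES, "81.0.0.10", SEEN))                        # ['bob']

# Allowing five minutes of clock skew shows the address changed hands
# inside the window: both alice and bob are candidates, so no knock on
# either door is justified on this evidence.
print(resolve(LEASES, "81.0.0.10", SEEN, timedelta(minutes=5)))  # ['alice', 'bob']

# Reading the probe's 19:33 as local (BST) time instead of UTC lands an
# hour early, inside alice's session: the wrong subscriber, with no hint
# that anything is off.
MISREAD = datetime(2009, 5, 1, 19, 33, tzinfo=timezone(timedelta(hours=1)))
print(resolve(LEASES, "81.0.0.10", MISREAD))                     # ['alice']
```

The check a practitioner wants is the second call: the skew argument should be set from the measured offset between the two logging systems (or, failing that, from the worst case the retention system is specified to), and any result with more than one candidate is treated as unattributable rather than resolved by picking the later lease.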