What do you think about communications data collection and storage?
Igor Mozolevsky
ukcrypto at chiark.greenend.org.uk
Tue, 5 May 2009 21:36:05 +0100
2009/5/3 Roland Perry:
> So you are proposing that a criminal can throw out so much chaff that his
> communications are obscured. This chaff permeating the whole path that his
> various communications take (ie past all the probes)?
What are the chances of all DPI boxes being made by a small number of
manufacturers? This "chaff" is not really like chaff, as it doesn't
disintegrate - it will be delivered to the destination and
consequently to every single DPI box along the route.
> You don't think someone might notice that?
How often do you watch your logs? I heard (from a reliable source)
that some IDS boxes will fail silently if you know what packets to
send...
> Criminals don't tend to do just one illegal thing in their lives (and even
> gangs of suicide bombers don't set them all off simultaneously). Once you've
> got an idea who it is that you should be looking at (based on historical
> illegal acts you've detected) then looking at their communications and
> associates will help you catch them in the act eventually. Which will
> prevent any further acts.
So you don't really need the whole surveillance infrastructure, just
one box close to the perp. then!
> This all seems to be "fighting the last war but two". I thought you were
> talking about clock drift in milliseconds, not minutes. And who accesses the
> Internet by dynamic-IP dialup any more?
Quite a few people I would imagine, given that a lot of ISPs bill
static IP addresses as a premium feature, and all those USB ADSL
modems essentially provide a link on-demand, emulating dial-up
behaviourally.
>> No, the depots don't write the routing address, but the addressee (for
>> the purposes of the application layer, say "RCPT TO: ...") is written
>> on the outside of the box. The internet protocol allows you to have a
>> lot of fun overwriting any data (above the link layer) that you've
>> already sent, a post card/letter/package does not.
>
> But didn't I already say that the comms data associated with a communication
> changes as the communication progresses?
Yes, but you are confusing "things that change due to the protocol"
vs. "things that change due to the attacker". For example, I can send
a packet with "RCPT TO: good@example.com" and overwrite that with
"evil@example.com" and the SMTP daemon would only see "RCPT TO:
evil@example.com" because I manipulated the packets as they were going
through the IP stack on the host...
>>>> and b) whatever is going to that address is nicely wrapped inside and can
>>>> be viewed with an x-ray machine or opened up for inspection.
>>>
>>> Isn't that what DPI is supposed to do?
>>
>> Yup, but the DPI would have no clue if the data wasn't in clear text,
>
> Are you suggesting that the comms data is encrypted too? Because what people
> are saying doesn't matter as much as who they are saying it to.
Huh? Of course application layer data is encrypted - if I have a TLS
connection to a mail/web server you only get link layer stuff from the
IP headers, DPI isn't going to help here. You will only be able to
find out what IP address I'm connecting to, and for all you know this
connection may merely be a first hop in a relay chain...
>> how many third party proxies that reside outside of the UK
>> jurisdiction now offer SSL?
>
> If some data escapes, that doesn't invalidate capturing the data which
> doesn't. Despite what some people think, criminals don't universally employ
> avoidance techniques.
>
>> If all of your traffic is encrypted, do you automatically qualify as a
>> `person of interest'?
>
> Depends who you are sending the encrypted data to.
> --
> Roland Perry
>
>
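
The "RCPT TO:" overwrite discussed in the message above matters to a monitor because a probe and the receiving host can resolve overlapping data differently. The following is an added example, not part of the original post: a monitor-side check that flags stream offsets where a later segment carried different bytes from an earlier one. It assumes the overwrite is done with overlapping TCP segments; the `(offset, data)` segment tuples, the function names and the "first"/"last" policy labels are constructed for illustration.

```python
# Added example: flag overlapping segments whose bytes disagree.
# Segments are (stream_offset, data) tuples in arrival order; all sample
# data below is constructed, using the addresses quoted in the message.

def reassemble(segments, policy):
    """Rebuild a byte stream. policy "first" keeps the byte seen first,
    "last" lets later data overwrite earlier data at the same offset."""
    stream = {}
    for offset, data in segments:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in stream:
                stream[pos] = byte
    return bytes(stream[p] for p in sorted(stream))

def conflicting_overlaps(segments):
    """Return (start, end) ranges, end exclusive, where a later segment
    carried different bytes for an offset that had already been seen.
    An identical retransmission produces no range."""
    seen, bad = {}, set()
    for offset, data in segments:
        for i, byte in enumerate(data):
            pos = offset + i
            if pos in seen and seen[pos] != byte:
                bad.add(pos)
            seen.setdefault(pos, byte)
    ranges = []
    for pos in sorted(bad):
        if ranges and ranges[-1][1] == pos:
            ranges[-1][1] = pos + 1      # extend the current run
        else:
            ranges.append([pos, pos + 1])  # start a new run
    return [tuple(r) for r in ranges]

# Constructed capture: the recipient bytes are sent twice with different content.
SAMPLE = [
    (0, b"RCPT TO: "),
    (9, b"good@example.com\r\n"),
    (9, b"evil@example.com\r\n"),
]

if __name__ == "__main__":
    print("first-wins view:", reassemble(SAMPLE, "first"))
    print("last-wins view: ", reassemble(SAMPLE, "last"))
    print("conflicting ranges:", conflicting_overlaps(SAMPLE))
```

A non-empty result means the monitor cannot know which recipient the server processed without knowing that host's reassembly behaviour, so the flow should be alerted on or normalised rather than logged under one interpretation.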