FBI is at it again

Per the following article: http://www.foxnews.com/story/0,2933,37203,00.html it appears as if the FBI now wants to route ALL Internet traffic through its central servers!!!

What gall!! What nerve!!!

Now, all of you who said, “Hey, I’m not doing anything wrong, let the FBI monitor what it wants to,” can go shove hot spikes up your nose.

I don’t think the FBI really wants to control the Internet, they want to destabilize it. As tyranny approaches the only thing more dangerous than an armed populace is an informed one. If they can monitor all the traffic, they can certainly control it.

The ISPs (whatever those are) need to collectively tell the FBI to go jump off a bridge. Information campaigns need to be sent to the customers to alert them of the potential loss of civil liberties.

I’m gonna stop before I say something that will get me arrested.

Regards,

Larry Diffey

If you don’t like it, contact the ACLU, I’m sure they’ll be moving quickly for a constitutionality challenge.

Brian

Be wary of such distinguished sources as "lawyers familiar with the FBI's
plans".

Congrats to Fox News. Media hypes = ratings, whether the information is
accurate or not. Write your local congressman about your privacy
concerns, and take this story about the "FBI's plans" with a grain of
salt.

Oh please stop before this goes into another full-blown session of having to delete junk from my nanog folder again. Be rational and consider the situation.

(1) Media rumor
(2) You have got to be kidding
(3) Businesses will not let this happen as it will cost them money so the PACs will go nuts
(4) Privacy groups will sue
(5) Law enforcement and military makes plans for everything and I mean every crazy next to impossible scenario. Thinking about something is not wrong
(6) Partisan politics will come into play
(7) Individuals will lobby and make noise

But for all this to happen they have to DO something, not just acknowledge making plans and thinking. Now sit down, the wolf is not here yet.

:Per the following article: <SNIP> it appears as if the FBI now wants to
:route ALL Internet traffic through its central servers!!!!
:
:I'm gonna stop before I say something that will get me arrested.

Or mocked mercilessly. :stuck_out_tongue:

I'm willing to bet that it's not an issue of routing all traffic, but
the ability to route any traffic. Far be it from me to speculate
wildly, but I think this screams CenterTrack.

I say the FBI just wants the ability to pick routes
and transit them transparently through their network for sniffage. This
could be done easily with existing technology (GRE tunnels, MPLS VPN,
and others).

It would be substantially cheaper to have a vpn that passed through
the FBI's AS, whereby they can arbitrarily tell a remote router
to route a prefix through their tunnel interface, which goes to fedland,
gets looped back to the original router, which also starts advertising
the prefix via the other fbi tunnel interface.

It's pretty straightforward technically, and almost impossible to
detect from layer 3 from the user's perspective. It's also way
cheaper than a $5-10k PC that requires staff with clearances to
operate or even be in the same room with.

I would imagine that with the new legislation being passed, you won't
so much see g-men with carnivores knocking on your door, but a new
configuration requirement for a particular tier of network provider.

Just a guess tho.

:wink:

I suspect that the FBI is the least of your worries:

http://www.acq.osd.mil/dsb/dio.pdf

http://www.homelandsecurity.org/

Lucy E. Lynch Academic User Services
Computing Center University of Oregon
llynch@darkwing.uoregon.edu (541) 346-1774/Cell: 912-7998

Larry,

Are you kidding? The problems with this are numerous. First, the source is Fox News, which is about a half step up from the Drudge Report. Secondly, what is the basis for believing that this is even possible? I am unaware of any technology that would allow all internet traffic to be proxied through a single location.

Finally, your assertion that you should stop before saying something that will get you arrested is an interesting one. Larry - nothing you can say, short of threatening people or yelling fire in a crowded theater, will get you arrested.

Thank you for your opinion, and be sure to wear your tinfoil hat, when walking outdoors…

- Daniel Golding

The fact that something is unworkable or impossible or just plain stupid
hasn't stopped UCITA shrink-wrapped licenses, the DMCA anti-circumvention
clause, proposed requirements for key escrow for crypto... the list goes on.

        Valdis Kletnieks
        Operating Systems Analyst
        Virginia Tech

Daniel,

> Are you kidding? The problems with this are numerous. First, the source is
> Fox News, which is about a half step up from the Drudge Report. Secondly,
> what is the basis for believing that this is even possible? I am unaware of
> any technology that would allow all internet traffic to be proxied through a
> single location.

Unfortunately, just because we know how difficult it is to provide a
solution to this problem, does not mean that everyone subscribes to it. One
should not discount the argument made based purely on the source,
especially since recently a few very "interesting" articles showed up in a
number of publications, including current issue of Forbes. The author, whose
name escapes me at this time, is under the ill-belief that since the
internet traffic does flow through hubs, it would be possible to intercept it
and store it on the computers located in those hubs. It is more likely that
a white paper describing the issues arising from attempts to intercept and
store that much data would do better than an argument about unreliability
of the source.

Alex

> Unfortunately, just because we know how difficult it is to provide a
> solution to this problem, does not mean that everyone subscribes to it. One
> should not discount the argument made based purely on the source,
> especially since recently a few very "interesting" articles showed up in a
> number of publications, including current issue of Forbes. The author, whose
> name escapes me at this time, is under the ill-belief that since the
> internet traffic does flow through hubs, it would be possible to intercept it
> and store it on the computers located in those hubs. It is more likely that
> a white paper describing the issues arising from attempts to intercept and
> store that much data would do better than an argument about unreliability
> of the source.
>
> Alex

It's obvious that many people spreading this information (no matter how
credible the source) have little knowledge of how much data flows through
such hubs. If I remember correctly, AOL-TW for example does over 100
Terabits of traffic every day. No storage system in the world (that I know
of) can write at 10 GB/sec (not forgetting that at OC-192 speeds we are
writing 36 Terabytes of Data per hour). Not even the most prestigious
government agencies have the ability to sort through petabytes of data per
day.

Well, writing data at that speed is relatively easy (hint - get a box
which does IP trunk bonding based on SRC/DST hash to step down OC-192 or
whatever to, say, 64x OC-3s - which is within range of commercial RAIDs).

The cost of such a solution (including disk storage, about 40 exabytes) will
be about US$200 mil per OC-192 trunk per year.

Now the question is how to extract any useful information out of it.

I guess the only feasible option would be to analyze data in real time,
and record only "interesting" bits. As a guesstimate, this would require
about 1000 PC boxes per OC-192 trunk. Specialized hardware
(pattern-recognition chips, etc) could make it a lot easier.

Not cheap, but doable, and it is well within the budget of NSA to sift
through all overseas Internet traffic.

Of course, encrypting data makes all that pretty irrelevant. That's why
FBI and NSA are so keen to stall public adoption of encryption. (When
encrypted communications are rare, they can record them and break them at
their leisure; when everybody's using it - they're helpless).

Particle physicists are doing very high volume real-time data analysis
on comparable scale routinely, sifting through trillions of particle
interactions to find a dozen or two of interesting ones.

So I wouldn't dismiss their ability to do that kind of surveillance as a
technical or economical impossibility. It is certainly doable with today's
technology and a bit of cleverness.

--vadim
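
The SRC/DST-hash splitting described in the message above, as an added example (not code from any poster in this thread). The choice of CRC32 as the hash, the function names and the sample flows are assumptions made for illustration; it shows that a pair-based hash keeps both directions of a conversation on one lane, and that a single pair heavier than one OC-3 overloads its lane because it cannot be spread.

```python
import ipaddress
import zlib

OC3_MBPS = 155.52   # line rate of one OC-3
LANES = 64          # 64 x OC-3 = 9953.28 Mbit/s, the OC-192 line rate

def lane_for(src, dst, lanes=LANES):
    """Pick a lane from the SRC/DST address pair.

    The two addresses are sorted before hashing, so both directions of a
    conversation land on the same lane and can be reassembled together.
    """
    a = ipaddress.ip_address(src).packed
    b = ipaddress.ip_address(dst).packed
    lo, hi = sorted((a, b))
    return zlib.crc32(lo + hi) % lanes

def lane_load(flows, lanes=LANES):
    """Sum offered load (Mbit/s) per lane for (src, dst, mbps) tuples."""
    load = [0.0] * lanes
    for src, dst, mbps in flows:
        load[lane_for(src, dst, lanes)] += mbps
    return load

def overloaded(flows, lanes=LANES, capacity=OC3_MBPS):
    """Lanes whose offered load exceeds what one OC-3 can carry."""
    load = lane_load(flows, lanes)
    return {i for i, mbps in enumerate(load) if mbps > capacity}

# Constructed sample traffic (documentation address ranges, invented rates):
# 100 small conversations plus one heavy pair.
SMALL = [(f"192.0.2.{i}", f"198.51.100.{i}", 1.0) for i in range(1, 101)]
HEAVY = ("203.0.113.10", "203.0.113.20", 400.0)

if __name__ == "__main__":
    flows = SMALL + [HEAVY]
    print("lane of heavy pair:", lane_for(HEAVY[0], HEAVY[1]))
    print("overloaded lanes:", sorted(overloaded(flows)))
```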

The Dutch NAO organisation has tried to describe that problem. NAO is a
collaborative effort of most of the Dutch ISPs/Telcos (note: not colocation
facilities or webhosters) who faced these exact requirements half a year ago
when the Dutch mandatory tapping requirement became effective. They managed
to produce a presentation on "possible network topologies" that ISPs might
face.

http://www.nlip.nl/nl/nao/spec/main/main.html

Their workgroup "topologie" produced something as well, but I can't find it
on their own site (there is a confusing policy on what parts are government
secrets and what parts are public information, which is so badly specified
that I as an ISP can't get any tapping specification, while I need to comply
with the tapping laws). Here's the copy of the document on Opentap:

http://www.opentap.org/documents/ExamplesOfTopologies.pdf

I went to the vendor day that was held by NAO to bring vendors of tapping
boxes closer to their potential ISP clients.
There were two kinds of products:

1) Vapourware ("Do you have something ready that complies to Dutch law NOW?")
2) standard sniffing boxes/carnivore compatibles ("Do you have something
   ready that complies to Dutch law NOW?")

For the vendors who claimed to be "almost ready" or, my favourite one, "already
doing lab testing on some secret location within the NL", I asked them how
the box plugged in: parallel on the network, or as a link in the chain.
If they answered it was a link in the chain, I asked them about redundancy,
high availability and failover, and asked them how to convince my boss that
a single point of failure should be added to our network. If they said in
parallel, I asked them how I could catch all traffic. If they tried to say
something clever about putting ports in management mode to see the traffic
of all ports, I asked them why I should tell my boss to reduce our backbone
to the capacity of a single 100MB ethernet port.

Needless to say, I was in awe. So I wrote:
http://www.opentap.org/ct/ct.aftappen-eng.html

And later added some comments: http://cryptome.org/nl-tap2.htm

For the Law Enforcement Agencies (LEAs) the answer is always quite simple.
"You should be able to tap everything we want". From the ISP's point of view
this is often impossible. He's not allowed to change the service of a user,
in case the user might detect that, but how is an ISP going to tap traffic
that never gets onto his network? Two neighbouring cable users, two dial-in
users in the same local modem pool. And last but not least, the entire VPOP
structures where lots of smaller ISPs buy "national dial-up" from the big
guys. They don't even have access to the infrastructure to add a tapping box.

The government's answer: "Administrative issue, can be dealt with by bilateral
talks". My interpretation for that is "You've broken the law, you will do
everything we say". Our government learned that trick from the US government.

The FBI will face similar problems; the interpop traffic is not going to be
captured. It's not a big problem, since the terrible crimes on that traffic
will mostly be copying illegal movies and songs. If two terrorists are
neighbours, I'd assume they would go to a sauna (I loved Icepick) to talk.
The problem will become worse with all the 802.11 networks popping up
everywhere (esp. if people are using things like IPSec with opportunistic).

Paul