White House to Propose System for Wide Monitoring of Internet (fwd)

[This just jumped into the operational arena. Are you prepared
with the router port for John Poindexter's vacuum? What changes
will you need to make? What will they cost? Who will pay?]

<http://www.nytimes.com/2002/12/20/technology/20MONI.html?pagewanted=print&position=top>

December 20, 2002

White House to Propose System for Wide Monitoring of Internet

By JOHN MARKOFF and JOHN SCHWARTZ

The Bush administration is planning to propose requiring Internet
service providers to help build a centralized system to enable
broad monitoring of the Internet and, potentially, surveillance
of its users.

The proposal is part of a final version of a report, "The National
Strategy to Secure Cyberspace," set for release early next year,
according to several people who have been briefed on the report. It
is a component of the effort to increase national security after
the Sept. 11 attacks.

The President's Critical Infrastructure Protection Board is
preparing the report, and it is intended to create public and
private cooperation to regulate and defend the national computer
networks, not only from everyday hazards like viruses but also
from terrorist attack. Ultimately the report is intended to provide
an Internet strategy for the new Department of Homeland Security.

..............................

I read this in the paper this morning. The article is a summary of a summary
of a briefing, and contains contradictory statements, ranging from the
tracking of end-users web browsing (bad) to a clearing house to gather
real-time information of attacks in progress (which sounds like a good
idea to me).

I'm reserving judgement until there are some actual facts.

The -real- challenge is to create a system -capable- of monitoring
the entire internet.... Today there isn't enough horsepower to
accomplish such a thing, except by "exception to the rule",
rather than "the rule".

In analogy: We can adjust the flows of the Hoover
(remember him ?) Damn, we cannot however stop to count
bacteria in each and every drop, using today's technology.

As I recall,
  didn't Hitler have basically the same problem in WWII ?

Now we have to ask ourselves: What can we learn from history ?

David Lesher wrote:

Heard about this on the news this morning and you know, I am so not
worried about it.

IMO, it's so completely unfeasable at every level as to be actually
funny.

So they want us to monitor our customers. Okay, define that. You mean
you want me to snarf packets off a fully loaded OC-48 link and analyze
them in real time? No? You mean you just want it at the customer
boundries? So now I have to hook this up to each of perhaps 250
routers? Are you going to pay for this? No? You mean you consider it a
"cost of doing business." So who makes this gear? Thats something that
the router vendors have to do and integrate them into their systems?
And who is going to pay for that cost? "Cost of doing business" again,
eh? And naturally, those costs get passed onto us, the providers and
we pass them along to the customers. What about your cries for
"affordable internet" for the "underprivileged"? Okay, back to the
technical questions... You want me to track the hack-of-the-day and
track it back to its source despite the fact that it takes no small
amount of effort to correlate this stuff? You say you want coppies of
all email meeting certain criteria? You say you want me to keep track
of each web page users visit to watch for patterns? Now you want to
know what they're buying online too? Oh, and while you're at it, you
say you also want to use this convenient access to look into other
areas of potentially criminal activity?

Oh, REALLY? Just keeping track of the gigabytes of data per hour even
a moderately sized ISP can generate poses its own technical
challenge. (And sifting through that borders on impossible.) Not to
mention deploying systems all over the U.S., maintaining those
systems, altering various other systems to permit their use, and
maintaining an open pipeline to Big Brother (probably several) at our
own expense, yadda, yadda, yadda.

The whole thing is just not practical if, indeed, it's even
possible. But it is good for a laugh.

-Wayne

Freud, your slip is showing ?

"Robert E. Seastrom" wrote:

"Wayne E. Bouchard" wrote:

But it is good for a laugh.

  Or a cry.

  :) :*

  FWIW, One American Government Legislative body,
  all full of itself, had all but passed an act
  requiring the value of PI to be legislated to 3,
  from 3.1415..~etc....

  "Suits" don't like to be bothered with details, eh ?

  ...Never forget "A Divine Comedy", really isn't.

-Wayne

http://www.urbanlegends.com/legal/pi_indiana.html

All the same, I suggest you forward the rest of your quite well-reasoned
comments to your congresscritter and/or the White House. Remember that the
idea was probably propsed by people who have little or no clue of what the
actual impact would be - and the final decision will likely be made by
somebody with even less technical edge.

The truly scary part is that it could actually be approved....

:[This just jumped into the operational arena. Are you prepared
:with the router port for John Poindexter's vacuum? What changes
:will you need to make? What will they cost? Who will pay?]

There is a really easy way to accomplish this, and it has been
apparently partially implemented within UUNet as an overlaid
network of GRE tunnels for a few years, at least based on a
Nanog presentaton from October 1999.

This can be accomplished quite cost effectively, provided the
government doesn't want to archive *everything*.

I keep mentioning this, and for some reason few people seem to
recognize how profoundly simple it would be for the government
to legislate themselves into exchange points and have
the authority to announce certain prefixes to the IX, tunnel
the traffic of the affected route into their own network,
and monitor it without ever showing up in a traceroute.

MPLS makes this even simpler, where certain routes can be
tagged and switched invisibly into the Total Information Awareness
network for monitoring, and switched back out with nobody being
the wiser. Technically this is simple. The infrastructure is
in place, it just needs some legal teeth.

As soon as they figure out BGP, governments could seek
authority over exchange point routing tables so that they can
implement data sanctions against foreign and/or non-compliant
ASN's. It's pretty easy to imagine, we'll just have to see
how it plays out.

Also, if you want to monitor massive amounts of data (something
people say can't be done easily) you just demux it using a device
like those at www.toplayer.com, or
http://www.radware.com/content/products/fire.asp .
Both solutions are adequate for breaking up massive amounts
of data.

I could write snort signatures that will trigger
a session to be re-routed based on packet content. It's fugly,
but if I can do it in my basement, a multi-billion dollar
agency acting on behalf of the only global superpower can
probably think up something a little more elegant.

Cough!

:[This just jumped into the operational arena. Are you prepared
:with the router port for John Poindexter's vacuum? What changes
:will you need to make? What will they cost? Who will pay?]

There is a really easy way to accomplish this, and it has been
apparently partially implemented within UUNet as an overlaid
network of GRE tunnels for a few years, at least based on a
Nanog presentaton from October 1999.

This is incorrect, this isn't implemented, its not implementable, current
routing gear doesn't gre tunnel a) fast enough, b) at all.... HOWEVER,
juniper will allow you to copy packets on an interface in 5.5 or perhaps a
bit later code, this is one way to implement this... however having a new
oc-X for each oc-X you wanna monitor. I wonder if there is a limit to the
amount of fiber the OCS/NCS/NPIC wants to monitor?

This can be accomplished quite cost effectively, provided the
government doesn't want to archive *everything*.

even if the gre tunnel (Center Track (c) Robert Stone, et al.) idea worked
right and scaled correctly things would still be 'expensive'... to
monitor/maintain/manage.

I keep mentioning this, and for some reason few people seem to
recognize how profoundly simple it would be for the government
to legislate themselves into exchange points and have
the authority to announce certain prefixes to the IX, tunnel
the traffic of the affected route into their own network,
and monitor it without ever showing up in a traceroute.

Sure, or they could ask carriers to tap lines for them silently... in fact
they can do that today with a court order.

-Chris

"Christopher L. Morrow" wrote:

Cough!
Sure, or they could ask carriers to tap lines for them silently... in fact
they can do that today with a court order.

  Nope. USA Patriot Act, No Court Order Needed.

  :(

  Civil Liberties for Tax Refunds, Takers ?

  A COO I know is actually enthused, all he can say is
   "Do you know how much money that means to me ?!"

  Dohh!

  The Myopia of the Rich, eh ?

  He also spouted the philosophy, one day:
  "Give the money to the Rich, and they can put it into the Bank...
  and the rest of you can borrow it.... it will stimulate the economy."

  A verbatim quote. ( He is GOP, FWIW. )

  * shudder *

  So, we can borrow it -=without=- a source of income ?

Methinks they'll try the Russian SORM model. Since this country is hell bent on establishing a police-state, this seems logical. Why not use the one thats been developed?

http://www.libertarium.ru/eng/sorm/

:Cough!

Heh. Bless you.

:This is incorrect, this isn't implemented, its not implementable, current
:routing gear doesn't gre tunnel a) fast enough, b) at all.... HOWEVER,
:juniper will allow you to copy packets on an interface in 5.5 or perhaps a
:bit later code, this is one way to implement this... however having a new
:oc-X for each oc-X you wanna monitor. I wonder if there is a limit to the
:amount of fiber the OCS/NCS/NPIC wants to monitor?

I was told it was implemented when I called security a couple
of years ago, and then my other questions were met with "no comment".
"No comment" is the appropriate response to a stranger calling and
asking for security information, and doesn't imply any other answer,
and I am willing to accept that it is no longer implemented, but
somebody told me it was. I am willing to accept that the person I
spoke to misinterpreted my question.

That said, I don't think it's economical to want to tap an oc-X,
but being able to grab single sessions doesn't necessarily have to scale
if they aren't grabbing lots of them, and can access them relatively
close to their source. It's the same issues as running IDS's.

Lets say you have a an IDS load balancer sitting on a GigE span
port with a few sensors watching everything go by. If an alert is
triggered, a script is executed which goes out to the router closest
to the origin of the session and initiates the overlaid tunnel.

:even if the gre tunnel (Center Track (c) Robert Stone, et al.) idea worked
:right and scaled correctly things would still be 'expensive'... to
:monitor/maintain/manage.

Well, one would assume that these features would be necessary for the
maintainance of a robust security policy and architecture
implementation. The value is the same value that you get from
regular IDS's, just with a new customer.

:Sure, or they could ask carriers to tap lines for them silently... in fact
:they can do that today with a court order.

Indeed, and building features for automating the initialization of
those taps into the network is not extrordinarily difficult. (I
retract my "profoundly simple" comment.) The cost of doing so is
another loss avoidance cost that would be integrated into the overhead
cost that we currently call security anyway.

Are you suggesting that there might be money to be made by someone
who offered to integrate this sort of surviellence architecture into
a network?

A White House spokesperson has already denied the report in the New York
Times. Of course, the US Government is a big place.

Sure, or they could ask carriers to tap lines for them silently... in fact
they can do that today with a court order.

or "lawful authority"

Information from the FBI
http://www.askcalea.net/

Information from Cisco
http://www.cisco.com/wwl/regaffairs/lawful_intercept/

Verisign already offers out-sourced, one-stop wiretapping for voice.

http://www.verisign.com/telecom/products/network/netDiscovery.html
  One Connection to all LEAs
  Instead of maintaining multiple delivery connections from every switch
  to every LEA, carriers only need one connection to VeriSign, who in turn
  connects to LEA facilities.

http://www.csoonline.com/csoresearch/report49.html
  CSO survey of nearly 800 senior security executives found that 24
  percent were willing to share information about customers with law
  enforcement without a court order. If law enforcement agents claim that
  their investigation concerns national security, the percentage of
  executives willing to share information without a court order rises to
  41 percent.

http://www.ala.org/alaorg/oif/guidelineslibrary.html
  Librarians professional ethics require that personally identifiable
  information about library users be kept confidential. This principle is
  reflected in Article III of the Code of Ethics, which states that
  [librarians] protect each library users right to privacy and
  confidentiality with respect to information sought or received, and
  resources consulted, borrowed, acquired, or transmitted.

:Cough!

Heh. Bless you.

its this damned changing weather

:This is incorrect, this isn't implemented, its not implementable, current
:routing gear doesn't gre tunnel a) fast enough, b) at all.... HOWEVER,
:juniper will allow you to copy packets on an interface in 5.5 or perhaps a
:bit later code, this is one way to implement this... however having a new
:oc-X for each oc-X you wanna monitor. I wonder if there is a limit to the
:amount of fiber the OCS/NCS/NPIC wants to monitor?

I was told it was implemented when I called security a couple
of years ago, and then my other questions were met with "no comment".
"No comment" is the appropriate response to a stranger calling and
asking for security information, and doesn't imply any other answer,
and I am willing to accept that it is no longer implemented, but
somebody told me it was. I am willing to accept that the person I
spoke to misinterpreted my question.

its not that they misinterpretted, its that its NOT EVER been implemented.

That said, I don't think it's economical to want to tap an oc-X,
but being able to grab single sessions doesn't necessarily have to scale
if they aren't grabbing lots of them, and can access them relatively
close to their source. It's the same issues as running IDS's.

Except rarely (for larger pipes) are things symetrically routed. So, lets
take my favorite example: ebay. Your session to ebay is only really
reliably symetric at the router upstream from your workstation... all
other paths become highly asymetric quickly, most likely.

Lets say you have a an IDS load balancer sitting on a GigE span
port with a few sensors watching everything go by. If an alert is
triggered, a script is executed which goes out to the router closest
to the origin of the session and initiates the overlaid tunnel.

For this I'd think 'riverhead box' and again, only at the datacenter where
the LB was, or at your facility infront of your workstation.

:even if the gre tunnel (Center Track (c) Robert Stone, et al.) idea worked
:right and scaled correctly things would still be 'expensive'... to
:monitor/maintain/manage.

Well, one would assume that these features would be necessary for the
maintainance of a robust security policy and architecture
implementation. The value is the same value that you get from
regular IDS's, just with a new customer.

Ok, so lets say you wanted to IDS the 'internet' or 'any large ISP'
(Verio/UU/AOL/ATT/Sprint... make your list) there is little gig-e to
monitor, alot of oc-12/48/192. There isn't an IDS that can truely monitor
a oc-12 yet, never mind multipath oc-12's (dual/tri/quad paths in the same
box)

The CenterTrack concept was never supposed to IDS traffic, it incurs a
large latency for the traffic and actually isn't implementable on 90% or
more of the edge routing gear of these providers.

:Sure, or they could ask carriers to tap lines for them silently... in fact
:they can do that today with a court order.

Indeed, and building features for automating the initialization of
those taps into the network is not extrordinarily difficult. (I
retract my "profoundly simple" comment.) The cost of doing so is
another loss avoidance cost that would be integrated into the overhead
cost that we currently call security anyway.

Hmm, actually it is pretty darned simple, no-export+no-advertise do this
for you quickly, then trigger when you want to watch paul vixie's hotmail
activities... simple enough really. This gets back to distributing
'sensors' to each pop, on each carrier and having dedicated ports on
routers to support this... This seems like a very large cost to bear, more
than 'cost of doing business'.

Are you suggesting that there might be money to be made by someone
who offered to integrate this sort of surviellence architecture into
a network?

I'm not, but lots of people are already selling this very thing...

riverhead
arbor
mazu
cloudshield
toplayer

all of these vendors provide products capable of this kind of
'surveillance', whether or not thats the touted talking point or not, each
can provide this 'surveillance'.

Also, if you want to monitor massive amounts of data (something
people say can't be done easily) you just demux it using a device
like those at www.toplayer.com, or
http://www.radware.com/content/products/fire.asp .
Both solutions are adequate for breaking up massive amounts
of data.

I could write snort signatures that will trigger
a session to be re-routed based on packet content. It's fugly,
but if I can do it in my basement, a multi-billion dollar
agency acting on behalf of the only global superpower can
probably think up something a little more elegant.

The problem with this argument is you have to know exactly what you are looking for *before* the event. Foresight is almost never 20/20.

How many times have we all encountered a variation of the following?:

1. Get a call from an FBI agent (or insert any other gov't agency)
2. Play phone tag for a week.
3. Finally get each other on the phone.
4. Special Agent So&so requests a log file or packet trace from X months ago.
  The value of X usually = 6 months or more.
  Only when it was a murder case have I seen a request
  come in under 3 months.
5. Laugh and say... "OK, we'll try."
6. Dig and Dig... if lucky, find a 200+ megabyte log file.
7. Call agent back, offer to FTP/burn to a CD and send.
8. Agent replies: "Can you look at it for us, we are real busy."
9. Reply: "Uh... so are we, we'll let you know if we have a minute..."
10. Lather, rinse, repeat.

I have personally had this exact scenario play out four times so far in 2002.

That said, the way we have chosen to empower our government to act is as a tool of justice (after the act), not prevention. I have no problem with that setup, and really don't like the 'shoot first, ask later" direction drift of the current administration.

Too many packets, not enough time, too many cooks in the government's kitchen all looking over their shoulders at all the *other* cooks and closely guarding their little corner of counter space and utensils.

Nothing to see, carry on...

--chuck

<insert ironic sig>....

On any major backbone the IDS function becomes

GlobalIDSFunction() {
   While (1) {
  printf("Attack Detected!");
   }
}

Do you really want an automatic wiretap installed on your line
every time an attack is detected? Have you recently connected a
system to the Internet that hasn't been attacked?

> Lets say you have a an IDS load balancer sitting on a GigE span
> port with a few sensors watching everything go by. If an alert is
> triggered, a script is executed which goes out to the router closest
> to the origin of the session and initiates the overlaid tunnel.

On any major backbone the IDS function becomes

GlobalIDSFunction() {
   While (1) {
  printf("Attack Detected!");
   }
}

An overlaid tunnel initiates each time THIS MANY attack is detected?
Wow... I'd imagine...:

System restarted by error - a Software forced crash, PC 0x602E3780

  -hc

:On any major backbone the IDS function becomes
:
:GlobalIDSFunction() {
: While (1) {
: printf("Attack Detected!");
: }
:}
:
:Do you really want an automatic wiretap installed on your line
:every time an attack is detected? Have you recently connected a
:system to the Internet that hasn't been attacked?

It depends on the attack you are looking for. All signatures are not
created equal. Also, the actual logic is a little more like:

For each attack_source_ip, if all attacks in attack_source are
the same, send low alert. If attacks from any single attack_source
are different, with a range of more than 2 distinct attacks,
look into it. attack_source can be anything from a /32 to a /24,
with monthly reports breaking it down into the diversity of attacks
originating from certain ASN's so that followup can be done with
the ISP.

The idea being that you only respond to incidents where followup
may yeild meaningful results. Those incidents can be recognized
by the diversity of attacks originating from a single area and
followed up based on their ISP. The diversity of attacks will
provide compelling evidence that there is someone making a
concerted effort to crack a network, instead of just worm
activity.

You will miss script kids that bounce all over their compromised
machines around the world, but even if you collected all the information
about those attacks, there is little value in tracking them down anyway.
The interjurisdictional administrative hell makes it more cost
effective to just lock down your network than to re-enact The Cuckoos
Egg.

Back to the law enforcement access issue, they could really just be
collecting intelligence from the sensors, to inform their decision
on who to follow up with an investigation on. IDS's aren't as useful
for giving evidence (IMHO) because there are too many variables
(like asymmetry, log integrity, chain of evidence etc) to take into
account. What they can do very well is tell you where suspicious
activity is originating from and tell you whether further analysis
is warranted. eg, whether to have someone sieze the machine as
physical evidence, as that's where it's all got to come from
for prosecution anyway, or to monitor that sites traffic for
more information before launching a full seizure.

So, the value of an IDS, or law enforcement access to IDS-like
devices for sifting information, is to assess who they should be
investigating, not to be used as an investigative tool by itself.

As for how they can do it, they can't put it in a core somewhere.
They would have to put inexpensive ones connected as close
to the customer equipment as possible.
This could be at the edge of a CUG as some people call it, or
as Chris Morrow mentioned, one in each POP.

As far as doing it at an exchange point, it is still possible to
redirect all traffic originating from within a large ISP and
destined to a single site through a secondary GigE monitoring
network. I would be suprised if anyone currently sustains 500Mb/s
of traffic from one of customers to any single IP address that
is outside their own network. It doesn't matter if I am wrong,
as for the purposes of monitoring for further information,
it still works.

Adding them to POP's would make sense as there is a geographical
basis for their distribution, something law enforcement likes
and understands quite well, as that's how their jurisdictions
are laid out.

The reason I am persuing this is that I would hate for
people to waste their energy insisting that ubiquitous intelligence
and law enforcement access to Internet traffic is impossible.

It can be made very possible, just not in the way, or for the
same reasons, some people might imagine it.

Unfortunately, this is (or should be) part of the threat model. What makes
you think that J Random Cyberterrorist is any stupider than the guys Stoll
was chasing?

:Unfortunately, this is (or should be) part of the threat model. What makes
:you think that J Random Cyberterrorist is any stupider than the guys Stoll
:was chasing?

Because Random J Cyberterrorist would know that the probability of
success and scope of damage of his action is substantially less
than that of a physical attack, given the resources he has to spend
on it.

Also, this threat can be mitigated more cost effectively through
system and network hardening than by expanding the monitoring
infrastructure to be able to handle such a difficult to
codify threat (in any general sense).

Cyberattacks (again IMHO) are still in the realm of being opportunistic,
as we have seen that given as little as $5-10,000, the resources necessary
to reliably cause widespread damage are better spent on a plane ticket than
a hacker.

The cyberterrorist threat is based upon the exposure of network systems
and the motivation of the attacker. What is not taken into account in
this threat description is the other, more reliable and severe options
available to someone with the same resources and motives.

In the triage of sorting out what to protect and how to protect it,
we can exercise lots of control over our technology, and given a limited
threat model, we can be relatively successful. However, some threats
are best dealt with by limiting our assets exposure to them instead of
building in safeguards whose reliability is inversely proportional to
their complexity. Thus (IMHO again) there is limited value in using
what is ultimately a passive monitoring technology to combat the most
agile and directed threats against the network.

These agile threats being sophisticated hackers using multiple source
hosts and jurisdictions, who can evade sensors and who leverage the
inherant administrative overhead of tracking them. The only
defense against them is to keep your patch levels current, your
firewalls strict, and watch until they get lazy and make a mistake.

The only way to catch them is if they use multiple sources over a short
period of time with diverse attacks, thus your search token in the logs
would be the timeframe. Needless to say, given the amount of cruft
that sensors amass, this isn't very reliable.

I have a hacker koan that expresses this problem:

It does not matter who is watching if you are invisible. A
sensor can only see what it is looking for. A hacker cannot
be seen merely by looking.

Cheers:)