Susan Landau on Government Surveillance of the Internet
Excellent House testimony.
Jim • February 23, 2011 8:25 AM
-What if someone were monitoring communications to Google and determined that the U.S. was about to suffer a flu pandemic and used that information to corner the market for the flu vaccine?
Just what we need, more government claptrap about needing to fear this or that. And if we don’t get more authorizations, more equipment, more surveillance systems, we won’t be able to stop whatever fear we are selling today or tomorrow.
Where does it end?
The above statement she made was right down the party line. Look, if we don’t get this together, pot-bellied pigs may turn into giant pigs that could slaughter us all. Thus we need to get more money, and more gadgets installed now before that happens. Because if not, pot-bellied pigs could kill us all.
This is the state of the security industry today. In order for them to survive, they need to ratchet up the fear so they can get more money to buy more gear to sell more fear later on. This industry is a never ending vicious cycle of greed and fear mongering.
“Scare the shit out of them!”
Aaron Barr is … the Man who Knew too Little
RSA 2011: Winning the War But Losing Our Soul
“It’s harder to explain away the substance of many other e-mail messages which have emerged in reporting by Ars Technica as well as others. They show company executives like HBGary Federal CEO Aaron Barr mining social networks for data to “scare the s***” out of potential customers, in theory to win their business. While “scare ’em and snare ’em” may be business as usual in the IT security industry, other HBGary Federal skunk works projects clearly crossed a line: a proposal for a major U.S. bank, allegedly Bank of America, to launch offensive cyber attacks on the servers that host the whistleblower site Wikileaks. … Bruce Schneier – our industry’s Obi-Wan Kenobi – has warned about this very phenomenon …”
Spaceman Spiff • February 23, 2011 9:16 AM
How typical and irritating of our government, to use a proprietary video format (realmedia msi files) for their web site! I had to run it in a Windows VM in order to view it since the realplayer software for 64-bit RHEL 6 is not up to date and requires a version of the h264 libraries that is older than all the other video software on the system uses! A farking PITA, for sure! — Sorry, getting a bit cranky here… 🙂
Peter A. • February 23, 2011 9:28 AM
@Spaceman Spiff: transcripts (or rather pre-submitted papers) are on the left. In PDF. Proprietary, too, but much wider readable.
BTW I haven’t even tried the video, text is more comprehensible for me – even in my native language, which isn’t English.
Anonymous Moi • February 23, 2011 10:09 AM
“Just what we need, more government claptrap ..”
My reading of this particular paragraph is that allowing the proposal (extending wiretap) is somewhat irrelevant because data is readily available in open network traffic and can be mined by a bad actor.
The whole testimony argues against the proposal and points out several things that instead of achieving the intended increase in security have, in fact, done the reverse.
Jim Milles • February 23, 2011 11:04 AM
Is there any way to get that video to play on a Mac?
David Thornley • February 23, 2011 11:16 AM
@Peter A.: PDF used to be proprietary. It now has an ISO standard (available for free, I believe, from Adobe’s website – don’t offhand remember where I got my copy), and is implemented by multiple projects (most of which don’t implement the whole PDF standard). It’s still heavily linked to Adobe and partners, who may try to lock people in with vendor-specific extensions, but it’s open now.
@giannis • February 23, 2011 11:22 AM
No PDFs on the side… were they removed?
BF Skinner • February 23, 2011 12:30 PM
It is said that unless we open every door; every door. It is fear that guides all our actions.
Do you think that if budget owners were not driven by fear, or its wonder twin, compliance, they would be adequately (if at all) funding security at all?
dave-ilsw • February 23, 2011 12:39 PM
@giannis: Click the “Hearings for the 112th Congress” link on the left, then find the transcript you want (in this case, Hearing on: “Going Dark: Lawful Electronic Surveillance in the Face of New Technologies”).
Richard Schwartz • February 23, 2011 12:45 PM
Click on Susan Landau’s name on the right side of the page. That brings up the PDF.
BTW: She’s my 2nd cousin. My much smarter 2nd cousin 🙂
Clive Robinson • February 23, 2011 1:15 PM
Speaking of the PDFs (I’m another non-MS user so the video is a waste of resources).
It is worth reading the last page (of four) by IACP President Mark Marshall. He is basically pushing for a “custom LEA listening post”.
And yes the old push buttons are in there with “protecting from increasing… …Specter of Terrorism”.
So on that alone he gets a 10 out of 10 for “pork grabbing”.
I will have a dig around and see if I can find the LEEF report he talks about as it may be more interesting than the title suggests.
Charlotte • February 23, 2011 2:04 PM
@Spaceman Spiff: Works fine on Ubuntu 10.04 with Totem.
Molly • February 23, 2011 2:17 PM
If you have VLC on your Mac, VLC plays the video nicely
Clive Robinson • February 23, 2011 4:15 PM
Having read Susan Landau’s testimony, I can see she is presenting a position that is behind the reality curve.
That is, she is arguing that the infrastructure not be weakened by legislated “wire taps” for good and proper reasons, but that LEAs be “dynamic” in what they do. She has either not considered or not stated what the implications of the “dynamic” solutions are.
To understand this you first need to consider the assumptions behind “infrastructure wiretaps” and if they are still valid.
That is, does the “infrastructure wiretap” argument rest on a flawed assumption?
The answer is yes and is due in part to the simplification of the Shannon model that is,
‘Communications follow a single observable path and have a single start point and single end point, and the path has no storage.’
This can be shown to be an over simplification in many ways and thus a false assumption. That is,
‘A communication can have multiple start points multiple destinations and multiple paths through multiple storage systems and those communicating can look at stored messages at different times amongst multiple users.’
For instance take something like a private message board or wall in a popular social network system. An investigator sitting on the infrastructure wire can see an SSH connection going in from their suspect to the service. But if SSH is working correctly the investigator has no idea what message board or wall the suspect is viewing and which individual message of those available has meaning (if any) to the suspect.
Nor does the investigator know which of the myriad of other connections made to the service might have posted or viewed messages on an individual message board or wall the suspect has used.
Further the investigator does not know if the message has been spread in some method across many messages on different message boards or walls from different points (think drive by WiFi use on open nodes or TOR or a myriad of other methods).
Because of this disconnect in time, place and size it is difficult at best for the investigator to determine with any certainty what an individual suspect is up to.
It could be likened to the real world old school field craft examples of blind message drops facilitated by “graffiti/litter/vandalism/etc” viewed from a moving train window or a walk or drive down a road or through a park etc.
The difference being that due to the fact that every point on the Internet can be considered local there is an almost infinite number of parks for those seeking covert communications to walk and thus talk through. But worse for the investigators they cannot in many cases “follow the suspect into the park” because they don’t have lawful access to the park or storage service.
Worse is a disconnect in “message location”, as I have pointed out in the past it is possible to use the likes of Google, Bing and other search engines and web caches to decouple the communicating parties from each other and build the equivalent of an Anonymous One Time Message system (AOTMs).
That is the sending party using a prearranged One Time Identifier (OTI) and at a prearranged time posts a message on a random message board. The recipient of the message has no idea where the random message board is nor do they care or need to know. All they simply do is after the agreed time search for the OTI and download the message not from the random site but from the search engine cache.
There are further refinements that can be done through open or semi open web caches or other systems that provide ‘anonymous storage’ by the implicit way they work in providing “shared access”.
Such intermediate storage systems can always be used to build “covert channels” even at quite low levels and bandwidths.
For instance there are services set up for people that have no fixed IP address for their servers. Their server communicates its “current IP address” to the service where many people can openly observe the current IP address and thus access the server.
It is entirely possible for quite legitimate reasons (multiple site fail-over) for small organisations to use such services even though they have sites with fixed IP addresses.
Thus the server owner can switch which IP address is current at will. Thus switching the current IP address can be used as a low bandwidth communications path.
Thus with a little thought many will realise that an investigator who only has at best partial access to the infrastructure has the significant problem of not being able to see even one end of the communications path reliably via a conventional “infrastructure wiretap”.
Which gives rise to the notion that the only way investigators will be able to “wiretap” effectively is to “see what the suspect sees” and there is only one or two ways to do that.
Effectively the investigator has to be continuously inside the suspect’s communications loop at the last point between the suspect and the communications path and effectively “end run” around all the security precautions they have put in place.
One way to do this if the suspect’s system has a physically fixed position is to “eavesdrop” in some fairly conventional manner (bugging / TEMPEST / etc).
However this does not work with “mobile devices” that can connect at will to “multiple networks”, thus the investigator has to somehow “backdoor” the user’s equipment via the usual malware methods and make it do an “ET”.
This effectively means that the “Going Dark” “dynamic” solution Susan Landau is effectively prescribing can only be done by modifying the end user’s equipment…
To do this reliably means that all end user equipment must possess the ability to be “backdoored” in some possibly mandated way.
Personally I find that more worrying than mandating “infrastructure wiretaps”…
It can also be seen that all the arguments Susan Landau has put forward over not having “mandated infrastructure wiretaps” also apply to not having “mandated end user equipment backdoors” or exploitation of zero day weaknesses.
As we have seen by the very prevalence of malware being exploited by criminals for botnets and the likes of the Chinese APT she alludes to in her statement, we have the real issue of “Open to one means Open to All”.
So the “dynamic” solution she alludes to is by her own arguments just as unjustifiable, mandated or otherwise. Either we have secure systems to prevent industrial or other espionage or we have systems that LEAs can access. You can’t have it both ways and you would inevitably be proved a fool if you tried.
Thus the enquiry being held by this committee is the wrong one.
BF Skinner • February 23, 2011 5:05 PM
@Clive “the enquiry being held by this commity is the wrong one.”
Scully once said “Several men on this committee are lawyers. It is my experience that lawyers ask the wrong question only when they don’t want the right answer. “
Dirk Praet • February 23, 2011 6:11 PM
Kudos to former Sun colleague Susan for making a well-argumented stand against extending CALEA to IP-based communications. Whether or not she is presenting a position behind the reality curve IMHO is less relevant than the eloquent and understandable way she speaks out against these proposals without even once mentioning privacy issues, knowing this would derail the debate.
However much I agree with Clive, complicating the issue by presenting technological arguments in front of a layman’s audience why a wiretapping infrastructure is pointless would only have strengthened their beliefs. And the HBGaries of this world would only be too keen to approach them with all kinds of multi million dollar proposals to prove her wrong. Although I concur that backdooring user equipment solution would be a more effective way to proceed, I don’t see Susan making an explicit case for this, and I’m pretty sure she’d be just as much against it as against the infrastructure wiretapping solution.
For all practical purposes, I think this is a very well-balanced and highly diplomatic testimony from someone who’s got both her heart and her brains in the right place and knows only too well how to adapt to a specific audience for maximum impact.
BF Skinner • February 23, 2011 7:41 PM
@Dirk ” presenting technological arguments in front of a layman’s audience ”
No offense Dirk but this sounds like an echo of the ‘they too stoopid to understand what I do’ technical arrogance.
Do you know the one place they can pick up a phone and get dozens of expert, and I mean EXPERT, opinions in ANY given field, in a heartbeat?
Sure the Reps and Senators may not be technical but they are backed by staff who only have to call people and say “I’m calling on behalf of Senator XXX. and we’d like you to comment on…”
All of that staff work and expert testimony and written statements comes to a point at the hearing but there’s lots of back story that brings them to that point.
Dirk Praet • February 23, 2011 8:07 PM
@ BF Skinner
I’m fully aware that all of them undoubtedly have access to plenty of experts in any field and will not hesitate to bring them in. The point I was trying to make was that over the years I have learned to be very careful using technical arguments – especially those of the scary kind – with a non-technical audience. These days, I try to stay as high-level as possible while remaining open for a more in-depth discussion with technical crews once they’re called in and the original audience goes for a coffee break or moves on to the next meeting. It has proven way more effective than pleading a completely solid case with the wrong arguments in front of the wrong people and then having it blow up in your face. My best guess is that Susan Landau must have done the same here.
Clive Robinson • February 24, 2011 4:04 AM
@ Dirk Praet,
“However much I agree with Clive, complicating the issue by presenting technological arguments in front of a layman’s audience why a wiretapping infrastructure is pointless would only have strengthened their belief.”
Yup, I put my hand up, I did not reread my post before posting.
The points I was trying to bring about were,
1, A wiretap no matter where is going to fail when the communicating parties are sophisticated (as you can’t do an end run inside somebody’s head currently).
2, You cannot have a wiretap facility in an information system without it being abused either by cyber-LEOs or cyber-crooks or the plain curious; that is the way of the world.
And the “real issue” for society that arises from these points.
These two points are not about “privacy” as such they are the cold hard realities of life and how that plays out in a society where a small fraction are criminals.
One mistake I made was, whilst arguing Point 2 I was also trying to show Point 1 without stating it which is bad argument style.
Point 1 is the first unstated crux of the real issue.
1.A, Wiretaps will only work against those less sophisticated than those doing the eavesdropping.
1.B, Wiretapping will fail in a similar way to all technical solutions against adaptive and motivated individuals (targets) who become more sophisticated as other technology allows.
We have seen this already in that as good quality encryption has become available to the surveillance targets, its use has started to force the use of “traffic flow analysis” by LEA investigators (and surprisingly to some has actually proved more beneficial than the simple “plain text” monitoring).
Thus we are seeing more sophisticated approaches being adopted by targets to the way they communicate, like the notion of “One Use Mobiles” actually becoming a reality. With quite ordinary criminals now using low cost cash bought “pay as you go” phones for “One Time Communications” and then being thrown in lakes, rivers and waste bins (sometimes without the target dropping the call first).
In turn this “One Time Communication” issue has caused the LEAs to ask for all call records to be kept indefinitely, so that like CCTV video footage they can try to work backwards from an event to individuals.
However this “working backwards” has the same problem as that of “cause and effect” when you argue backwards from effect to cause and end up with “Magic Thinking” or “Conspiracy Theories” and are thus guaranteed to get miscarriages of justice at some point.
LEA’s and those who legislate for them have to realise that there are no “magic bullet” solutions when dealing with the communications of sophisticated targets.
This is because the sophisticated target has many avenues available and, leaving aside the simple case of bribery of officials to keep their activities legal (lobbying), the sophisticated target will develop a “cloak of invisibility”. That is they will use information entropy to “hide beneath the noise” or use patsies / cutouts as state level players have done with “spycraft” throughout the centuries. Either way the sophisticated target wins against time and resource limited LEAs.
Thus wiretapping in its various forms is plain and simple an arms race. It is directly equivalent to the ECM/ECCM/ECCCM… arms race that gave rise to, amongst other things, stealth technology.
However unlike conventional arms races wiretapping is also asymmetric in favour of the sophisticated target. And worse for the LEAs, as information systems and techniques do not have to be physical or expensive they can and will, just like the “hoodie -v- CCTV”, become available to less and less sophisticated targets with time and then be in common use by the general public.
Worse still for LEAs, wiretapping in its various forms is like playing “high stakes poker” where they are handicapped by having to show their hand via “due process” rules of “chains of evidence” whereby “methods and sources” can be forced into the open.
It is thus for LEA’s at best a “Red Queen’s” race which they can never win only run as hard as they can to stay where they are.
As I noted Susan Landau did not in any way address Point 1, she simply obfuscated / hand waved around it with the notion of LEAs having a “dynamic” response to the techniques sophisticated targets will bring into use as a response to LEA activities.
With regard to Point 2, which is the second crux in the real issue.
In Susan Landau’s testimony she gave a number of examples pointing out the salient issue that all technology is double edged, and further that it is agnostic in that if a technology is available it will be used one way or another. Further that this issue has been known publicly for nearly 40 years.
However, even though her examples are valid against ALL wire taps she argued only against “mandated infrastructure wiretaps”.
Which effectively gives the false impression that other wiretap techniques (“ET phone home” systems etc) are “still golden” when they are probably not to sophisticated targets.
She did however allude to the fact that it is “authentication” that failed at some level when wiretap systems are misused.
But she failed to mention that “authentication of a physical entity” is an unsolvable issue in an information only system. As at the end of the day all “authentication” in such a system is based on “information” which can be trivially disclosed and copied without it necessarily being obvious or, more importantly, even looked for.
[ As an aside to explain this: To an information system there is no such thing as “something you own”, there is just the intangible “information” that describes some aspect of the tangible physical object “you own”. It is thus directly equivalent to “something you know” which is again just “information”. Further we currently have the notion of a “token we own” making the running. However all of the tokens are devices with known or disclosable characteristics used to hold a “secret” which is again just “information” which in turn can be disclosed or discovered in some manner. That is to an intangible information processing system at some point everything physical effectively becomes intangible information that can in some way be “spoofed”. It is a point that most information security gurus wave their hands over by talking about logs and auditing (not that anybody looks at them till something is known to be wrong). ]
The problem as I noted is that the remit the committee is working to appears to be the wrong one, and thus is guaranteed to fail in its “apparent mission”.
The real issue is what the two points affect, which is the resources involved with the two sides of secrecy or “confidentiality”, that is “hiding information from non-authenticated entities” and “acquiring information as a non-authenticated entity”.
All of mankind’s endeavours are based on information and energy and the application of both to problems.
As information can be very effective at reducing the energy needed to achieve any particular desired outcome, it means that although it is intangible, information has a very real value. Thus real advantage can be gained in concealing information from others or keeping it secret or confidential.
However as humans we also have the concepts of good and bad thus we get a problem.
That is it is a “given” in society that a “good person” concealing information is “good” and a “bad person” concealing information is “bad”.
However a person, good or bad, who is concealing information will view all attempts to access the concealed information by an unauthorised person as bad or an “attack”. They will therefore try to prevent such access and will expend a certain degree of resources to keep the information concealed. The consequence of this is increasing the resources required by the “attacker” to gain access, making the chances of an attack that much less likely.
With modern cryptography the resources required to conceal information securely can be very low in comparison to the resources required to access the information without authorisation.
Which is “very good” if a good person is concealing information against a bad person but “very bad” if it is a bad person concealing information.
Thus it becomes a societal issue: what value to society is gained by the use of modern crypto and other information concealing techniques, what value to society is lost by those seeking to conceal crimes etc using the same technology, and how do those tasked with dealing with those crimes address the issue within the acceptable norms of society.
And it is a question that nobody political really wishes to be asked.
That said there is the “Pandora’s Box” issue, strong cryptography and other technology are now in the public domain and will remain so. And as Susan Landau noted the likes of the NSA unlike various LEA’s appear on the face of it to have come to terms with this. That is they have through the likes of NIST certified a number of public domain crypto algorithms and methods.
That said as Bruce has been known to note security rests on the weakest link and the strength of modern crypto algorithms is not of real issue in modern systems.
Also the likes of the NSA, GCHQ et al and their forebears have been concentrating on other aspects of ComSec such as EmSec and traffic analysis for quite a long time (nearly a century on EmSec and over seventy years on traffic analysis). Unlike the open/academic communities who have only really started taking an interest in them in the past ten years or so.
As I said the days of wiretapping in the current sense are effectively numbered. The required storage and access to “billing” and “geographic” information will, in very short order, be the chosen route, especially if correlated against other databases such as credit card and loyalty card databases and transport systems such as parking and toll systems.
For instance how long do you think it would take to identify your car registration plate from your mobile phone number using the London congestion charge database and the mobile phone time/geolocation data?
All but a few very sophisticated users will be able to lead a normal life and also be able to avoid leaving footprints in these databases that could be used to “nail them cold” in front of an unsophisticated jury.
RonK • February 24, 2011 7:49 AM
Everyone is approaching this from the naive point of view that surveillance tech would be implemented in order to catch dangerous criminals. Unfortunately, the most likely scenario is that this will be implemented in the name of doing so, but the real push which could get this through the Congress will actually be spearheaded by MPAA and RIAA lobbyists hoping it could be used to keep unsophisticated users from feeling secure when doing minor infractions like copyright infringement.
rogue7 • February 24, 2011 12:06 PM
I don’t really have anything to add here but I do have a question. Given Clive’s tour-de-force description of the current situation, which I think is right on, how does a person minimize (or mitigate) the effects of a) the existing infrastructure and b) the new infrastructure with the extensive wiretap capabilities as described in Susan Landau’s presentation?
Richard Steven Hack • February 24, 2011 2:08 PM
Clive: Superb analysis. Kudos.
Landau also missed a direct example of the problem with CALEA. CALEA was at one time being implemented by an Israeli company. A faction in the FBI was extremely upset about this, especially when it came to light that employees of this company were revealing wiretap information to narcotics gangs in the LA area. The FBI faction argued that to allow a company with close ties to a foreign entity – the state of Israel, which is always very high on the list of countries with major active espionage apparatus directed against the US in both military and commercial sectors – was insane. Eventually maintenance of CALEA was removed from this company’s purview, if I remember correctly.
OTOH, given the Israel Lobby, the likelihood that Landau could have referenced this case before the committee without getting into some sort of trouble is probably nil. Better to concentrate on Greece and other far away places.
Dirk Praet • February 24, 2011 5:28 PM
Absolutely great analysis, Clive. Nothing to add to that.
Yada Yada Yada • February 25, 2011 2:41 PM
She could have said all that using less than a couple dozen sentences.
Ninho • February 27, 2011 6:11 AM
@Clive: very interesting points made by you (as always). Re. the method of finding a message without prior knowledge of a URL, viz. using search and (specifically) accessing the message via Google cache: isn’t that flawed inasmuch as the Google results present cached versions for only some results (seems rather unpredictable which, and furthermore often the URL to a Google-cached version doesn’t in fact work, as I’ve noticed more and more often during the last several years)? Do you have some insight on the G. cache-of-results strategy? Alternatively, you might’ve been thinking of non-Google search engines with a reliable caching strategy?
Clive Robinson • February 27, 2011 4:27 PM
“… how does a person minimize (or mitigate) the effects…”
The glib answer is opt out, which is obviously not realistic; the sensible answer I’m still thinking about as it’s got further issues that are not immediately obvious (latency -v- active traffic flow analysis such as correlations by delay fuzzing being just one).
“using search and (specificly) accessing the message via Google cache : isn’t that flawed inasmuch as the google results present cached versions for onlysome results”
Yes if the message originator puts up more than one post under any given identifier.
If you use say a One Time ID (OTI) such as a posting name of “bundlebreaches4” there is a reasonable chance it is unique thus you should either get one hit or no hit. The next time you use say “depthofcrack7” the same should apply.
The question then goes in one of two ways,
1, If not a unique OTID, what is the cache threshold.
2, If OTID is unique, how does the recipient know what it is.
The first direction is a thresholding issue for which there are various statistical models that can be used (think about “signals in noise” for instance).
The second direction can be provably secure along exactly the same model as the One Time Pad. However it gets all the KeyMat issues OTPs have.
Another method would be to use a subliminal channel of some kind to send a “seed” to some kind of generator. The generator is then clocked at some agreed rate to produce a time variant number. This number could fairly trivially be turned into the OTI unique identifiers using something like a pronounceable password generator.
“furthermore often the URL to a google cached version doesn’t in fact work, as I’ve noticed more and more often during the last several years”
Yes I’ve noticed this as well and it might well be a sign that Google has crossed a reliability threshold not just for this but even for certain types of searching.
“Do you have some insight on the G. cache- of-results strategy?”
No more than “black box” testing provides, and the limited results suggest that Google has some “evolving” processes. The cause may well be due to Google’s attempts to stop what they see as various types of fraud or attack on their systems.
“Alternatively, you might’ve been thinking of non-google search engines with a reliable caching strategy ?”
Yes I have been thinking of a number of ways to do it over the past few years, quite a few ways don’t involve the big search engines but are harder for people to get a grip on conceptually.
Some of the ways I’ve thought of are due to other security issues becoming less available. Such as open University web caches that could be used as a cache element (they used to be left open because off site paid for resources needed by off campus students used simplistic “IP address” based access control).
If you think about it any open access cache system can be used as a storage element or subliminal channel and there are a lot of those for various services including DNS.
The trick is first getting the One Time Message in the cache from any random point and secondly reading it back in a fully decoupled way.
However things are changing, social network sites with encrypted user access are adding a new dimension to this.
And… think what will become available as social network sites start to interact with each other so that say you could access a German based social network site “wall” from an account on say a Japanese social site which pulls the wall in, and in turn you access that wall through another wall or account in a different country. Currently these social network sites are rivals but eventually they will allow cross access or other people will set up services to act as bridges just as we see with the likes of SMS and Email and Voice mail and Instant messaging. All of these provide message caching and subliminal channels with some a suitable decoupling mechanism.
Another decoupled cache mechanism with searching is auction sites such as Ebay with secondary shoping services “pulling” data across to their caches to give you the best deals etc. I won’t give the specifics of how to do it but most people can with a little thought work out a system and as with the proverbial “skinning of cats” there is more than one way to do it. Another is book reviews on Amazon that get copied across to othoeo
So even if all the standard search engines become less reliable for whatever reason there will be plenty of other channels you can use.
Once you get a firm grip on the concept you start to see possibilities everywhere.
I originally thought the concept up as a way to have botnets be “headless” in terms of a control channel. Currently the biggest weakness of visible botnets (ie Spam and DDoS bots) is the control channel in that they go to an IP address or DNS name that can be blocked or taken over.
But think if you wanted an intel gathering network you need a channel that is “normal in use” to stay below the noise floor of ordinary users and for various reasons are services that won’t get blocked. Google, Ebay and many others with more coming on stream every day fit this bill.
The next hurdle you would have to jump is getting a two way flow of information which is a simple extension for “online” systems.
But what about “air gapped” systems I worked out a way to do this and talked about just the control channel side online around about the time Stuxnet appears to have been written…
Now I’m not making any claims other than it was an idea whose time had come and had probably occurred to a number of people within a short time interval.
The original reason for thinking about using blog sites came about because this site had a number of strange posts and I just joked at Bruce that he was being used as an anonymous channel.
But all you need as I said is a couple of caches some kind of automated “push” or “pull” mechanism (search engine bots or RSS feeds) and a search mechanism by which you can find the message once it has been moved from one cache to another.