Deep packet inspection in the USA?

Started by Cain, July 01, 2009, 11:50:30 PM


Cain

Looks possible, according to this:

http://www.wired.com/threatlevel/2009/06/deep-packet-inspection/

Quote
Following a report last week that Iran is spying on domestic internet users with western-supplied technology, advocacy groups are pressuring federal lawmakers to scrutinize the use of the same technology in the U.S.

The Open Internet Coalition sent a letter to all members of the House and Senate urging them to launch hearings aimed at examining and possibly regulating the so-called deep-packet inspection technology.

...

But similar technology is being installed at ISPs in the U.S.

It spurred extensive controversy last year when Charter Communications, one of the country's largest ISPs, announced that it planned to use deep-packet inspection to spy on broadband customers to help advertisers deliver targeted ads.

The plan sparked a backlash and heated congressional hearings. Publicity about the issue died down, however, after Charter retreated from its plan, and Congress moved on to other matters. But deep-packet inspection didn't go away.

ISPs insist they need it to help combat spam and malware. But the technology is ripe for abuse, not only by ISPs but also by the U.S. government, which could force providers to retain and hand over data they collect about users.

I did wonder about this at the time.  I'm glad to see people with more clout were thinking the same thing.

Rumckle

I wish I could say I was surprised.

Though, one thing I've been thinking about is how does DPI cope with cryptography and stenography?
It's not trolling, it's just satire.

navkat

We need to violate people's rights so we can protect their freedom.

Requia ☣

Quote from: Rumwolf on July 04, 2009, 03:58:20 AM
I wish I could say I was surprised.

Though, one thing I've been thinking about is how does DPI cope with cryptography and stenography?

DPI?
Inflatable dolls are not recognized flotation devices.

Rumckle

It's not trolling, it's just satire.

Xooxe

Quote from: Rumwolf on July 04, 2009, 03:58:20 AM
Though, one thing I've been thinking about is how does DPI cope with cryptography and stenography?

If I remember correctly from a conversation with a friend who seems to know plenty about this kind of thing, it doesn't. I'm having a few pints with him in a few days, so I'll bring it up.

Template

Quote from: Rumwolf on July 04, 2009, 03:58:20 AM
I wish I could say I was surprised.

Though, one thing I've been thinking about is how does DPI cope with cryptography and stenography?
Doubt that it can, directly.  Might give a good enough sample to crack some encryptions, though.  Also, it's steganography, unless you're talking about using snail mail and your secretary's computer for your sekrit bidness.

Requia ☣

Modern crypto schemes are effectively unbreakable*, DPI won't do crap to them, and knowing who's talking to whom is still useful, but DPI isn't needed for that.  I suppose the NSA might have cracked RSA or AES-256 and not told us, but if they did they probably would have stopped using them.  Side channel attacks are pretty much the only thing you have to worry about, and those rely on issues on your system, like Debian's infamous botched PRNG, or the backdoor into Windows' PRNG they found a while back.

*A new attack was just published on how to break AES-256.  It requires 2^119 steps, or about 20,000,000,000,000 years with a multi petaflop system, thus effectively unbreakable.
Inflatable dolls are not recognized flotation devices.

Rumckle

Quote from: yhnmzw on July 05, 2009, 06:26:58 PM
Also, it's steganography, unless you're talking about using snail mail and your secretary's computer for your sekrit bidness.

:oops:
It's not trolling, it's just satire.

Cain

Quote from: Requia on July 06, 2009, 02:37:35 AM
petaflop

I just wanna say, I love this word.  Though I think it should be used every time PETA unveil another media initiative.

Prima: Hey have you heard?  PETA have hired nudists to chain themselves to major takeaway food stores because of the conditions the animals are kept in before slaughter.
Secunda: Oh, really?  Sounds like another PETAflop to me.

Requia ☣

Damn, now I need to figure out how to harness the new PETAflop benchmark.

How many PETAflops would you say the Seinfeld/Microsoft commercial was?  How about all the Ford commercials on American Idol?
Inflatable dolls are not recognized flotation devices.

Bebek Sincap Ratatosk

Quote from: Requia on July 06, 2009, 02:37:35 AM
Modern crypto schemes are effectively unbreakable*, DPI won't do crap to them, and knowing who's talking to whom is still useful, but DPI isn't needed for that.  I suppose the NSA might have cracked RSA or AES-256 and not told us, but if they did they probably would have stopped using them.  Side channel attacks are pretty much the only thing you have to worry about, and those rely on issues on your system, like Debian's infamous botched PRNG, or the backdoor into Windows' PRNG they found a while back.

*A new attack was just published on how to break AES-256.  It requires 2^119 steps, or about 20,000,000,000,000 years with a multi petaflop system, thus effectively unbreakable.

Correct... Deep Packet Inspection is basically like the ISP opening your mail, reading it, looking for marketing hooks, sticking it back in the envelope and sending it on to you. Sure, it is a good way to combat spam, but opening and reading all of your mail to stop mail fraud would probably be seen as ludicrous to most people.

Encryption as Requia points out will protect you, since they open the envelope and see gibberish.
- I don't see race. I just see cars going around in a circle.

"Back in my day, crazy meant something. Now everyone is crazy" - Charlie Manson

Triple Zero

> ISPs insist they need it to help combat spam and malware.

this is bullshit and plain wrong.

Quote from: Rumwolf on July 04, 2009, 03:58:20 AM
I wish I could say I was surprised.

"I may not be surprised, but I'm damn well making a big stink about it." Nokia=Siemens=Fascism Enablers.

Quote from: Ratatosk on July 06, 2009, 02:43:51 PM
Encryption as Requia points out will protect you, since they open the envelope and see gibberish.

Wow that's just great, so eh, who of you guys is already using encrypted channels for the majority of your communications?

Nobody? Oh

ok snide cynicism aside, one concept in crypto security is that as long as everybody is writing on postcards, anyone sending a letter in an envelope will stand out of the crowd, regardless of how hard it is to open and read the envelope.

twitter is not encrypted. neither is over 99% of all email. or the websites you're visiting. the forum posts you make. the AIM/MSN/IRC conversations you have.

(just before anyone points it out, the fact that GMail uses SSL/https, or maybe your IMAP mailserver does, that's just the authentication protocol between server and client. the protocol between the mailservers themselves remains unencrypted, and probably already DPIed, as ever)

what does help, is using TOR.

you know why TOR is so slow right? because nobody wants to be a TOR exit node. cause they fear they might aid pedophiles*. or terrorism.

and because the law isn't entirely clear about whether or not you are liable for these things when you allow your TOR client to be an exit node.

of course, if everybody would be an exit node, the TOR network would both be more anonymous and a lot faster (although still slower than regular internet, but I do not think by much)

oh and by the way, TOR is insecure in other ways, since any exit node can (illegally) inspect the plaintext output of any TOR clients (except they don't know who they are), any passwords sent along in plaintext are insecure. so that would be where this SSL/https stuff comes in handy, since that takes care of the plaintext password side of the situation :-)

* and, I won't lie, as current (illegal) TOR exit node analysis points out, this indeed seems to be the case. for pedophilia that is, not terrorism.
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.
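The point above about mail being protected only hop by hop can be checked on any message you receive: each relay prepends its own Received: header, and a relay that accepted the message over STARTTLS normally records "with ESMTPS" (or ESMTPSA, for an authenticated submission) instead of plain "with ESMTP" (RFC 3848). The script below is an added example, not part of the thread; the message it parses is constructed, and every host name and address in it is hypothetical.

```python
"""Report which SMTP hops of a message were (reportedly) made over TLS.

Added example, not from the thread. The Received: trace is read
bottom-up (oldest hop first). A hop is counted as TLS only if the
receiving relay recorded an ESMTPS/ESMTPSA style keyword; note that a
relay can only vouch for the connection it accepted, and headers added
upstream of your own provider could have been forged by an earlier hop.
"""
import email
import re

# Constructed sample message with hypothetical hosts (example.org / example.net)
SAMPLE = """Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbox.example.net with ESMTP id abc123
\tfor <betty@example.net>; Tue, 07 Jul 2009 19:17:34 +0000
Received: from smtp.example.org (smtp.example.org [192.0.2.5])
\tby mx.example.org with ESMTPS id def456
\t(version=TLSv1 cipher=AES256-SHA bits=256); Tue, 07 Jul 2009 19:17:30 +0000
Received: from [10.0.0.2] (client.example.org [198.51.100.7])
\tby smtp.example.org with ESMTPSA id ghi789; Tue, 07 Jul 2009 19:17:25 +0000
From: alice@example.org
To: betty@example.net
Subject: test

hello
"""

# RFC 3848 "with" keywords that imply the hop used TLS
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def hop_report(raw):
    """Return the hops in transmission order as dicts with from/by/with/tls."""
    msg = email.message_from_string(raw)          # compat32: raw header strings
    received = msg.get_all("Received") or []      # newest hop first
    hops = []
    for value in reversed(received):              # oldest hop first
        flat = re.sub(r"\s+", " ", value).strip() # unfold folded header lines
        src = re.search(r"\bfrom\s+(\S+)", flat)
        dst = re.search(r"\bby\s+(\S+)", flat)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", flat)
        keyword = proto.group(1).upper() if proto else ""
        hops.append({
            "from": src.group(1) if src else "?",
            "by": dst.group(1) if dst else "?",
            "with": keyword,
            "tls": keyword in TLS_KEYWORDS,
        })
    return hops


def unencrypted_hops(raw):
    """(from, by) pairs for every hop whose relay did not record TLS."""
    return [(h["from"], h["by"]) for h in hop_report(raw) if not h["tls"]]


if __name__ == "__main__":
    for h in hop_report(SAMPLE):
        flag = "TLS" if h["tls"] else "PLAINTEXT"
        print(f"{h['from']:>20} -> {h['by']:<20} {h['with']:<10} {flag}")
    print("hops exposed to inspection:", unencrypted_hops(SAMPLE))
```

In the constructed trace the submission and the first relay hop report TLS, but the final delivery into the recipient's provider was plain ESMTP, which is exactly the situation the post describes: an https webmail login says nothing about the transit in between.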

Rumckle

Quote from: Triple Zero on July 07, 2009, 07:17:34 PM
ok snide cynicism aside, one concept in crypto security is that as long as everybody is writing on postcards, anyone sending a letter in an envelope will stand out of the crowd, regardless of how hard it is to open and read the envelope.


That's why you'd want to use steganography. I guess it could also lead to cryptography being illegal (except for banking stuff etc I suppose).

Actually, it kinda reminds me of this: http://xkcd.com/538/

Which in cases where you are suspected of something illegal being encrypted would be pretty close to what would happen.

Ok, I'm not sure how computer cryptography works, so correct me please if I'm wrong. But wouldn't the two communicators have to trade an encryption key at some point, thus if all the packets being sent can be read, couldn't the key be picked up as well (and used to decrypt the message)?
It's not trolling, it's just satire.

Triple Zero

Quote from: Rumwolf on July 08, 2009, 08:23:22 AM
Quote from: Triple Zero on July 07, 2009, 07:17:34 PM
ok snide cynicism aside, one concept in crypto security is that as long as everybody is writing on postcards, anyone sending a letter in an envelope will stand out of the crowd, regardless of how hard it is to open and read the envelope.

That's why you'd want to use steganography. I guess it could also lead to cryptography being illegal (except for banking stuff etc I suppose).

no, because stego means you're still hiding.

also it won't work anymore if everybody uses it, cause then you can scan for the patterns. and the goal is for everyone to be able to communicate without being snooped upon right?

another reason why you don't want to use stego is that you need to agree upon the secret channel before you can send someone a steganographed message. if I were to send you a JPEG photo, you wouldn't know whether the message is the photo, maybe some visual riddle pertaining to the photo, or the message is hidden in the least significant bit, in the JPEG comment, or in only every fifth red pixel or whatever.

but if the secret channel is always the same, it can be deep packet inspected again.

furthermore, you *really* gotta know what you're doing. the basic idea of hiding a message in the least significant bits of an image is in fact real easy to detect, because the LSBs of a real world image such as a photograph have a completely different pattern than when replaced with an encoded message. some stego articles even state incorrectly that the LSB of an image is similar to random noise. check it for yourself, it's not. if it were, you could replace random noise with encrypted data or compressed data and it would be pretty hard to tell the difference, but there are in fact not many secret channels that contain random noise by default and can be replaced with different "noise" without much problems.

finally, getting past all these disadvantages, proper, secure stego, requires several orders of magnitude in additional bandwidth.

IMO, stego is only useful for extra-special secrecy, or having to improvise smuggling something past a watchful eye.

no, the proper way to get this right is to take a look at our postal system. the solution is already in the example I gave. most snail mail is encased in envelopes ("encrypted") and only a small part of the mail is on postcards ("plaintext"). it is regarded as "normal" to put your mail in an envelope, and not regarded as "he has something to hide".
if much more people would get into the habit of using PGP on their email, even, no especially if they have nothing to hide, it would just become the normal thing to do "yeah of course I PGP my email, who knows where the data might end up? this way only aunt Betty can open the message. that just makes sense, right"

Quote
Actually, it kinda reminds me of this: http://xkcd.com/538/

Which in cases where you are suspected of something illegal being encrypted would be pretty close to what would happen.

doesn't apply to DPI. it's too large scale. they can't rubberhose all people that send encrypted packets.

and if they only do it with people that "are suspected of something illegal being encrypted", this is not a problem of DPI but with why or how these people were suspected.

what is a lot harder is making sure that all data on the internet that is assumed to be private is in fact really private and encrypted properly.

they don't need to DPI communications in order to torture suspected dissidents either.

Quote
Ok, I'm not sure how computer cryptography works, so correct me please if I'm wrong. But wouldn't the two communicators have to trade an encryption key at some point, thus if all the packets being sent can be read, couldn't the key be picked up as well (and used to decrypt the message)?

yes but there are a bunch of very neat tricks to minimize this danger. look up the Diffie-Hellman key exchange protocol, for an example.

also public/private key schemes (such as in PGP) only run this risk once, when the public keys are exchanged, so if you meet in person once, that is enough to be able to securely communicate from then on. also with "key signing" you can have friends vouching for the authenticity of other people that you may not have met, there are key signing authorities ... lots of stuff.

it is something to be aware of, yes. but fortunately not impossible to get around.
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.
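The "check it for yourself" invitation about least-significant bits can be taken literally. The script below is an added example, not something from the thread: it builds a synthetic 8-bit greyscale image (constructed data, not a photograph), overwrites every pixel's LSB with random bits standing in for an encrypted payload, and then applies the pairs-of-values chi-square test of Westfeld and Pfitzmann. It also shows why the naive check, counting how many LSBs are 1, tells you nothing: the balance is close to 50% both before and after embedding, while the histogram pair statistic collapses. The region brightnesses, noise level and image size are arbitrary choices for the demonstration.

```python
"""Pairs-of-values (chi-square) steganalysis of LSB replacement.

Added example, not from the thread. Natural images have histograms in
which neighbouring bins (2k and 2k+1) differ in count. LSB replacement
can only move a pixel between 2k and 2k+1, so embedding random bits in
every pixel drives each pair toward equal counts. That is what the
chi-square statistic below measures; a simple 0/1 balance does not.
"""
import random

WIDTH, HEIGHT = 256, 256           # constructed image size


def synthetic_image(seed=1):
    """Three flat regions of different brightness plus sensor-like noise
    (constructed stand-in for a photograph)."""
    rng = random.Random(seed)
    pixels = []
    for y in range(HEIGHT):
        for x in range(WIDTH):
            centre = (40, 100, 180)[(3 * x) // WIDTH]
            v = int(round(centre + rng.gauss(0, 3)))
            pixels.append(min(255, max(0, v)))
    return pixels


def embed_lsb(pixels, bits):
    """Replace the LSB of each pixel with the next payload bit."""
    out = list(pixels)
    for i, b in enumerate(bits[: len(out)]):
        out[i] = (out[i] & 0xFE) | (b & 1)
    return out


def lsb_ones_fraction(pixels):
    """Naive test: share of pixels whose LSB is 1 (about 0.5 either way)."""
    return sum(p & 1 for p in pixels) / len(pixels)


def pairs_of_values_chi2(pixels):
    """Chi-square statistic over the 128 histogram pairs (2k, 2k+1).
    Large for an untouched image, near the number of occupied pairs
    (roughly the degrees of freedom) after full-capacity LSB embedding."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi2 = 0.0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        if a + b:
            chi2 += (a - b) ** 2 / (a + b)
    return chi2


def demo(seed=1):
    """Run the test on the cover image and on a stego copy of it."""
    cover = synthetic_image(seed)
    rng = random.Random(seed + 1)
    payload = [rng.getrandbits(1) for _ in cover]   # encrypted-looking bits
    stego = embed_lsb(cover, payload)
    return {
        "ones_cover": lsb_ones_fraction(cover),
        "ones_stego": lsb_ones_fraction(stego),
        "chi2_cover": pairs_of_values_chi2(cover),
        "chi2_stego": pairs_of_values_chi2(stego),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>11}: {value:.3f}")
```

A real steganalysis tool turns the statistic into a p-value against the chi-square distribution and scans the image in windows to catch partial embeddings; the raw statistic is enough here to show that the LSB plane of an image is not interchangeable with random noise.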
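The key-exchange question and the Diffie-Hellman answer above can be made concrete. This is an added example, not code from the thread: two parties agree on a key while everything they send is visible, and the "eavesdropper" function shows what an inspecting party would have to do with the captured values, namely solve a discrete logarithm. The prime is a deliberately tiny toy (2^31 - 1, for which 7 is a primitive root) so that the discrete logarithm can actually be run here; real deployments use a 2048-bit or larger standard group (RFC 3526 or RFC 7919) or an elliptic-curve exchange, and authenticate the exchanged values so that a relay in the middle cannot substitute its own.

```python
"""Diffie-Hellman key agreement as seen on the wire.

Added example, not from the thread. Alice and Bob each keep a private
exponent and publish only g^a mod p and g^b mod p; both then compute
the same g^(ab) mod p. An observer holding p, g, A and B must solve a
discrete logarithm to get the key. With the toy prime below that takes
about 2^16 steps by baby-step giant-step; with a 2048-bit group the
same algorithm needs about 2^1024, which is the whole point.
"""
import hashlib
import math
import secrets

P = 2**31 - 1   # toy prime (Mersenne prime M31): demonstration only
G = 7           # primitive root modulo P


def keypair(p=P, g=G):
    """Private exponent in [1, p-2] and the public value g^priv mod p."""
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def shared_key(priv, other_pub, p=P):
    """Derive a 32-byte key; the raw group element is hashed, never used as-is."""
    secret = pow(other_pub, priv, p)
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def exchange():
    """Return (alice_key, bob_key, wire) where wire is all an observer sees."""
    a, A = keypair()
    b, B = keypair()
    wire = {"p": P, "g": G, "A": A, "B": B}
    return shared_key(a, B), shared_key(b, A), wire


def discrete_log_bsgs(h, g=G, p=P):
    """Baby-step giant-step: x with g^x = h (mod p) in O(sqrt(p)) time/memory."""
    m = math.isqrt(p - 1) + 1
    baby = {}
    cur = 1
    for j in range(m):                      # baby steps: g^j
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant_factor = pow(g, p - 1 - m, p)     # g^(-m) since g^(p-1) = 1
    gamma = h
    for i in range(m):                      # giant steps: h * g^(-im)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant_factor % p
    return None


def eavesdrop(wire):
    """What an inspector must do: recover a from A, then compute the key."""
    a = discrete_log_bsgs(wire["A"], wire["g"], wire["p"])
    return shared_key(a, wire["B"], wire["p"])


if __name__ == "__main__":
    ka, kb, wire = exchange()
    print("keys agree:", ka == kb)
    print("on the wire:", wire)
    print("toy-prime eavesdropper recovers key:", eavesdrop(wire) == ka)
```

The exchange protects against a passive reader only; against someone who can alter packets in transit the public values must be signed or otherwise tied to an identity, which is what PGP's web of trust and key-signing, mentioned in the post, are for.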