Re: [perpass] On men at the end

Brian Trammell <trammell@tik.ee.ethz.ch> Mon, 19 August 2013 07:03 UTC

Return-Path: <trammell@tik.ee.ethz.ch>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 379DC11E8204 for <perpass@ietfa.amsl.com>; Mon, 19 Aug 2013 00:03:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kJvguRGa8Jdc for <perpass@ietfa.amsl.com>; Mon, 19 Aug 2013 00:03:06 -0700 (PDT)
Received: from smtp.ee.ethz.ch (smtp.ee.ethz.ch [129.132.2.219]) by ietfa.amsl.com (Postfix) with ESMTP id 1FF0921F9926 for <perpass@ietf.org>; Mon, 19 Aug 2013 00:03:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by smtp.ee.ethz.ch (Postfix) with ESMTP id 81EEED930B; Mon, 19 Aug 2013 09:03:05 +0200 (MEST)
X-Virus-Scanned: by amavisd-new on smtp.ee.ethz.ch
Received: from smtp.ee.ethz.ch ([127.0.0.1]) by localhost (.ee.ethz.ch [127.0.0.1]) (amavisd-new, port 10024) with LMTP id fmmTBXBoBJGn; Mon, 19 Aug 2013 09:03:05 +0200 (MEST)
Received: from [10.0.27.100] (cust-integra-122-165.antanet.ch [80.75.122.165]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: briant) by smtp.ee.ethz.ch (Postfix) with ESMTPSA id 3FE0ED9308; Mon, 19 Aug 2013 09:03:05 +0200 (MEST)
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Brian Trammell <trammell@tik.ee.ethz.ch>
In-Reply-To: <521140EE.1080309@cs.tcd.ie>
Date: Mon, 19 Aug 2013 09:03:04 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <B2FA906B-DB1A-4704-8CAB-936324CBA7E0@tik.ee.ethz.ch>
References: <2941892B-9F23-46F9-B993-446D7800A0DF@tik.ee.ethz.ch> <521140EE.1080309@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailer: Apple Mail (2.1508)
Cc: perpass@ietf.org
Subject: Re: [perpass] On men at the end
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Aug 2013 07:03:12 -0000

hi Stephen, all,

and on a third topic, briefly...

On Aug 18, 2013, at 11:47 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

> 
> Hi Brian,
> 
> First, thanks for the thoughtful post. You make some good points.
> A few responses below. Might be better to follow up in separate
> mails, since you raise too many interesting points probably:-)
> 
> On 08/18/2013 07:45 PM, Brian Trammell wrote:
>> 
>> However, being a perfect passive adversary is terribly expensive and
>> doesn't work nearly as well as just compromising the end systems,
>> whether through the traditional phishing, social engineering,
>> rootkits and keyloggers or through cooperation and court orders, as
>> recent revelations have shown. 
> 
> One interpretation of the current news stories might be that its
> not so expensive to compromise some almost random but "nearby" end
> systems and have those contribute to your monitoring network. I
> could believe that its more expensive to very specifically target
> an attack at one end-system, particularly if you want to disguise
> the fact that you tried.

True. Bots get more expensive the more specific you want to be about where and what they are. But here you're compromising end systems and using them as middle systems, which is a bit different than owning the end host of a targeted individual, turning on his webcam, and having a look around his flat.

One of the points of the perfect passive adversary attack model is that it illustrates that you don't really _need_ to compromise the ends to get a _whole lot_ of information. When the passive monitoring is done at the physical layer, you can't even detect its presence from the ends. Sitting at the endpoints is infinitely more detectable, and you have to conceal your presence through technical and/or legal countermeasures. 

>> This illustrates the first
>> limitation:
>> 
>> (1) The most serious threats today reside outside the scope of the
>> network and its protocols. It's not the men in the middle we should
>> be worried about, it's the men at the end. It's not clear that we can
>> do anything about this at all.
> 
> I'd quibble a bit there. We spec protocols at many layers, and what's
> an endpoint for one, is the middle for others.

Point. I don't mean that it's useless to work on better securing the middle -- anything we can do to increase the cost of indiscriminate, pervasive passive surveillance is a Good Thing. I'm just saying that we shouldn't be surprised when the reaction to the increased cost of pervasive passive monitoring at layers 1 through 7 is a layer 9 attack: new legislation compelling every access provider, service provider, and blogger with comments on in a given jurisdiction to deliver detailed application-level logging information to the authority designated for the purpose.

Best regards,

Brian