Deep Packet Inspection and Net Neutrality
EncryptKeeper writes "Ars Technica has an in-depth feature on deep packet inspection, and it's a disturbing read. ISPs are starting to turn to DPI to monitor their networks, and, more troubling, to look at how they can use it to shape, block, monitor, and prioritize traffic. 'The "deep" in deep packet inspection refers to the fact that these boxes don't simply look at the header information as packets pass through them. Rather, they move beyond the IP and TCP header information to look at the payload of the packet. The goal is to identify the applications being used on the network, but some of these devices can go much further; those from a company like Narus, for instance, can look inside all traffic from a specific IP address, pick out the HTTP traffic, then drill even further down to capture only traffic headed to and from Gmail, and can even reassemble emails as they are typed out by the user.'"
Cue Vonage stock selloff in 3, 2, 1....
(20,000,000th post?)
What if the Hokey Pokey really is what it's all about?
Perhaps this also has something to do with the article earlier today about filtering internet content?
Cheers!
Atheist: Buddhist in a Prius
I read the article this morning, and considered submitting it myself. For a tech site like Ars I thought the article was really very evenhanded.
I know this is /., but really, the article is worth reading.
Hmm, I need some help with this one, since my networking kung fu sucks... When I log in to Gmail, I am in https mode, and this persists through my whole session. I was under the impression, perhaps naively, that this meant my session to Gmail was encrypted and that only I and the Gmail server could decipher the contents of my mail, that is until I click send, and it goes from the Gmail server to wherever I send to. So if this is true, how would someone be able to reassemble my email as I type?
If you use Firefox and Gmail's web UI, use this extension to make sure your Gmail session is encrypted:
CustomizeGoogle: Improve Your Google Experience -- Firefox Extension
... and check the box labeled "Secure (switch to https)" in the Gmail section.
If you are using POP3 access to Gmail, you are already using SSL.
If I understand packet sniffing correctly (I'm no programmer), that just shows the source and destination but the contents are encrypted. Please let me know if I'm incorrect.
i am a soviet space shuttle
All Google e-mail, calendar and document services can be accessed by https instead of http. If you're using http, you are effectively inviting anyone to read your traffic anyway.
I've recently started using a full-time encrypted personal VPN to one of my boxes which is 1 hop (data center's router) from several backbones. I add direct (non-vpn) routing for services which are particularly latency sensitive (gaming).
I don't currently suspect my home ISP of doing this sort of deep analysis or otherwise interfering with my data stream, but in this way I also don't have to worry about it.
IMHO this sort of thing will become the standard if this trend of ISPs snooping and changing our data continues.
Slay a dragon... over lunch!
It really is time to start encrypting everything from everywhere/to everywhere.
The NSA wiretapping with the collusion of the US telecom industry is just the start.
This technology is going to be seen as a data mining opportunity. Want to bet that some of the big data aggregators are going to start installing this technology - or paying ISPs or backbone providers for the privilege?
The sad part is a lot of people will buy into the "only terr'rists need privacy" argument as justification.
Kevin Smith on Prince
It's a snowballing system. The new tech companies want to come up with new technology. The government wants to make use of new technology. The new tech companies want to come up with new technology to appease the government regulations which make use of the new (-1) technology. The government wants to make use of the new technology. The new tech companies want to come up with new technology to appease the government regulations which make use of the new (-1) and new (-2) technology. Repeat.
I, as a private system admin, would simplify the entire problem and choose not to engage in packet inspection unless there were absolutely blatant abuses--like setting a threshold. There are ethical reasons why I wouldn't feel that it's proper to go delving through each and every packet. Once government becomes involved, though, then there's no way to turn it off. In order to receive the money for an ISP start-up, for example, one must demonstrate that they can play within the ever shrinking boundaries defined by the laws.
The article (and summary) mentions reassembling e-mails as they're being typed. Is this accurate? I have, for some time, wondered if some text entry forms in web pages are "active" in that they exchange keystrokes with the remote end at real-time intervals. Again, from an ethical point of view, I would never make use of anything but passive entry boxes where none of the user's text is transferred across the network until they actually deliberately send it. What possible reason, as an admin, could I have in wanting to watch a user as they type text into an entry form?
I guess the argument can be made for automatically modifying forms. Pfizer uses this for their online resume submission. For example, the available options in the various locations (country, state, county, city, zip, etc.) are pared down as soon as one makes a selection in the hierarchical predecessor. While I appreciate the "wow! neat!" factor I just don't see how it's really necessary and, although I don't see that Pfizer would be using it for some uber-nefarious conspiracy scheme, I can liken it to the desensitization similar to "Click OK if you wish to allow this action" and EULAs.
the NPG electrode was replaced with carbon blac
"Ask a Ninja" about "Network Neutrality" and learn about Robin Williams
and hotdog on a stick girl, too. The video is fun, and educational, and brought to you by your friendly neighborhood, endangered, Neutral Network.
--
make install -not war
Looking for Packets of Mass Destruction (to the highest bidder's interests)?
I've become more and more convinced that information sent over the internet should afford the same protections that federal mail does. Net neutrality is a step in that direction. But, it's just a step.
ISP's currently have no limits that keep them from violating the privacy of their subscribers. Well, nothing short of market forces. Which in this case is laughable. Since packets can travel through a number of networks before ending up at their destinations, there is no guarantee it won't travel through an ISP the consumer doesn't support financially.
Star Pirates
So basically...
if you do not use VPN then your traffic is monitored by your ISP with no warning or notice. They probably don't even need any kind of warrant; no doubt it would be covered in the T and C.
if you do use a VPN then you are declaring you have something to hide and arousing suspicion.
or you can hope for a "lost in the noise" solution - but against ubiquitous packet surveillance that would seem optimistic.
hmmmm.
bugger.
They can't sell this as adequate internet viral prophylaxis to anyone using Linux or a beefed-up Firefox and script-blocking configuration. It also won't fly as a means of managing streaming quantities because innovations in fiber optics technology will allow for greater amounts of data to be passed along existing "tubes." Maybe I'm just naive, but DPI won't stand up to free market capitalism. Anyone aware of the fact that their information is being closely scrutinized won't be as comfortable handing their money over to an ISP which condones the practice. I can imagine a "Googlenet" (or what have you) being created in response to market demand for a Net Neutral internet service provider. Maybe I'm not seeing the whole picture, though.
Inserting [insert witty signature here] here does not constitute a witty signature.
If an ISP wants to do this, I think they should simply lose any common-carrier status. That is, deep inspection means that they become responsible for content: accomplices in any crime committed via that traffic.
So, they're skipping over the destination IP address field, which would identify a packet going to a gmail server, and looking at the contents of the packet to work out that the destination IP address is gmail? Cunning!
The whole point of common carrier protection should be that if they do any tampering to the content, it is assumed that they knew what was passing through their network. It should be a protection that only exists when the company is in 100% compliance. The moment they insert ads into web pages they didn't buy, rewrite an email, censor someone, etc. even if it is one group in a 100,000+ employee company, the entire company should lose common carrier status and be open to litigation from everyone who has any copyright or other type of valid complaint otherwise shielded by common carrier status.
This is actually pretty amazingly terrific tech and I can see the potential uses for profiling network efficiency and for maintenance. Of course, despite this are the obviously horrible things ISPs are going to do with this sort of software (barring unforeseen radical change in government, industry, and/or user mentality).
Can they peek inside SMTP sessions too? My internets aren't secure when my interns send them over a 20 hop route to some smtp server in the hope that I will get them next week?
If you're worried about packet inspection, use port 443 or 22 for all your real time traffic, and gpg (OpenPGP) for email.
rogue bittorrent clients to add in "encryption" to screw with the asshats doing the deep packet inspection.
Hell a standard key would keep the network tards that support this at bay for at least a couple of years.
To hell with anyone wanting to look at my payload.
And if nothing else it's possible to tunnel a lot of information through SSH and other techniques.
OK, one day the encryption may be broken, or that some ISP thinks that all SSH must go through a gateway first... In that case the net will really start to die...
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
...there is another option, though it be inferior and probably fairly unfamiliar to most of us: do not do or say anything over the internet that you would not want being completely public, i.e. known by everyone in the world. I'm not advancing it as a reason this tech doesn't matter: it does, and I pray we can all embrace workarounds [as there is no putting these genies back in the bottle]. I advance it only as the pragmatic solution I have found to an increasingly transparent internet. It can be impractical, particularly for those conversations with far-distant associates, but unless and until you have a completely secure solution, the practical reaction is to avoid the technology altogether for sensitive materials.
I read my agreement with Comcast and I don't see anything specific about this. Is there any way to get verifiable information which ISPs may be doing this? The article does not give any. If I were to find my ISP doing this I would probably switch ISPs. I do a lot of sensitive govt. work via my home ISP and this would violate the terms my contracts are based on.
Someone like The Consumerist would be a place where I would expect a list... just got off the phone with my provider. The CSR on the other end of the line could barely speak let alone understand what I was asking about. Do ISPs farm out their CS phone centers to 3rd world countries where ESL to obscure & hide things like this??
I'm pretty agitated about this actually....
...that others are surprised about this capability. we do this on the corporate network all the time. this is the same thing, just on a larger scale.
if you don't think you can trust your isp, encrypt it. otherwise they can see everything, they always could...
Sounds like the name of a porn film.
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
Hmm, I need some help with this one, since my networking kung fu sucks... When I log in to Gmail, I am in https mode, and this persists through my whole session. I was under the impression, perhaps naively, that this meant my session to Gmail was encrypted and that only I and the Gmail server could decipher the contents of my mail, that is until I click send, and it goes from the Gmail server to wherever I send to. So if this is true, how would someone be able to reassemble my email as I type?
What about before your email gets to Google? Carnivore/Eschelon doesn't care where the email is sent from, it will see it when it goes through AT&T's secret rooms. Use gpg if you actually care about secure email.
Is this the post to cross 2000000?
The network neutrality argument seems to be about wanting to charge the content producers more money for better access. Why not just charge the content consumers? If I want better response time, I pay for it. If I can't afford it I can still use the network, it will just go slow. If I want the throughput to stream video in real time I just pay more money. If I am fine with the Slashdot homepage taking 3 minutes to download because of the poor network connection I paid for that's my choice.
It's now a fairly democratic system. Anybody can say anything they want, everybody can read it, but if you want to read it fast it will cost you.
Maybe. Damn
In the Plus.net plan screenshot (http://media.arstechnica.com/news.media/plus_net.png), they show the different tiers you can purchase, differing by usage allowance and gaming usability. What's really interesting is that right below the GBs allowed they say: "Looking for unlimited broadband? There's a good reason it's not listed here." That then links to here: http://www.plus.net/unlimited_broadband/
From the site:
Every ISP has a finite amount of capacity - there's only so much traffic that you can get through the network at one time. If a broadband provider offers unlimited broadband, and users actually try and use it as an unlimited service, then the provider's network will grind to a halt (find out more about how you share broadband capacity). To try and combat these slow downs a provider can add more broadband capacity, but this is expensive and traffic such as peer-to-peer quickly fills up the new space on the network.
Expensive huh? Much like how you're charging $20 for one gigabyte a month? Anyways, I like my current "unlimited" plan, even if it has a hidden cap (Comcast, rumored to be at 200GB/month).
Reviewing just the first hour of video games.
not quite, good sir. perhaps me?
But that's what Gmail is doing, according to the earlier poster: redirecting him to the non-encrypted site. If you look up at your address bar and don't see "https://", then you are not in secure mode, regardless of how you logged in or what else you've done on the site.
I'm rather dismayed by the number of people immediately chiming in and saying "well, fuck the ISP, I'll just encrypt everything." While that would address privacy concerns, it does nothing for the main issue, which is the traffic-shaping itself. Your encrypted packets will be unrecognized, and thus shunted to the lowest priority. Problem solved, from the ISP's perspective.
Karma: Frotzed (mostly due to the Frobozz Magic Karma Company)
As a network administrator, I have to say that I don't want to spend the time/money/bother of setting up DPI, but the proliferation of services that actively try to evade standard packet filtering make it necessary. My company can't afford unlimited bandwidth, so we must prioritize out Internet traffic.
Once upon a time we could filter and shape by port, but increasingly every new streaming/p2p/social app that comes along will probe until it finds a way to make a connection. I don't have the time to track play whack-a-mole with each user and explain why they can't stream internet radio (fine for one person, problematic for 100), video, run BitTorrent, etc.
So, DPI is coming and will be used to regain control. I don't care about reassembling your Gmail messages, I just need an option other than "a bigger pipe".
To prevent the ISP from messing with one's e-mails (like, say, rewriting or blocking them in transit) before the mail server can send them (assumes that, as in the case of Gmail, the mail provider isn't the same company as the ISP).
Of course, that seems a bit farfetched to me, but then having the ISP doing deep packet inspection on one's e-mail traffic seems a bit weird, too.
"My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
I wonder how long until SSL and other encryption technologies become the standard due to things like this.
Deep packet inspection technology was developed by the likes of Cisco for the sole purpose of obtaining access to the Chinese market. The Communist Party wanted the power of the internet, but they also wanted the power to control it. With deep packet inspection and a suite of other related solutions, I think it's reasonable to say they got their wish. There are millions of Chinese internet users and the country is farther from a revolution now than it was in 1989.
It's not just China. Countries like Saudi Arabia and Iran are also taking advantage of this new technology, every byte of it developed by corporations right here in the "free" west.
And now? The technology is simply being marketed here too. Exported back into the west if you will. ISPs, companies, governments are all being given the power to put the internet genie back in the bottle. Time was that corporations were developing technology to help make democracy stronger. Now they're simply giving democracy the rope it needs to thoroughly hang itself.
I'd like to be optimistic about our society, but frankly it's too tiring in this day and age of fear and surveillance. The worst part is the overwhelming acceptance, nay approval, of our loss of freedoms. The Net Neutrality debate is not an isolated argument. It's a symptom of the underlying shift in Western society, back into a dark age.
May the Maths Be with you!
We're running on a technology that at its base depends on encoding, transmitting and decoding copies of digital information. Based on that:
When we use it on them, information wants to be free, it's not stealing since the original remains, and they knew this is how it worked when they started using it.
When they use it on us, it's wiretapping, invasion of privacy, and they'll use it to control what we can do (and charge us, monetarily or legally, accordingly).
You can have it both ways. You can *only* have it both ways, because the untenable alternative is to drop its use after it's been adopted. So it goes with all technology. It's neutral. Its uses aren't because they're based on specific intentions, and those are based on subjective opinions. I don't expect that to change, I just expect the inherent contradictions to be made visible as the pros and cons constantly switch places.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
Are they doing some kind of man in the middle thing to get the keys for Gmail traffic? Since Gmail uses SSL (or if you use a mail client to connect SSL to the POP server and TLS to the SMTP server) one would think that you couldn't just "piece together" an email message and just read it. You would have to decrypt it first.
Beware of bugs in the above code; I have only proved it correct, not tried it.
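The question asked here (and earlier in the thread, about whether a sniffer sees only source and destination while the contents stay encrypted) can be answered by looking at exactly which bytes of an HTTPS connection are parseable by an on-path box that does not hold the session keys. The following is an added example written for this discussion, not code from the article or from any DPI product: it builds two constructed packets (an IPv4/TCP packet carrying a TLS ClientHello with a Server Name Indication extension, and one carrying an application-data record) and then parses only the cleartext layers the way a passive inspector would. The addresses, ports, hostname and "ciphertext" are all made up; the application-data payload is random bytes standing in for real AES-GCM output, which is indistinguishable from it to an eavesdropper.

```python
"""
Constructed example: what a passive inspector can and cannot see in an
HTTPS session. Builds a minimal IPv4/TCP packet carrying a TLS ClientHello
(with SNI) and a second one carrying an encrypted application-data record,
then parses only what an on-path box could parse without the session keys.
Not from the article or any product; every value below is made up.
"""
import secrets
import struct


def ipv4_tcp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 + TCP headers (checksums left zero; fine for an offline parser)."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    # data offset 5 words (0x50), flags PSH|ACK (0x18), window, checksum, urgent ptr
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return ip + tcp + payload


def tls_client_hello(server_name: str) -> bytes:
    """TLS 1.2 ClientHello with a single cipher suite and an SNI extension."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # server_name_list
    ext = struct.pack("!HH", 0, len(sni)) + sni                       # extension type 0 = SNI
    body = (b"\x03\x03" + secrets.token_bytes(32)      # client_version, random
            + b"\x00"                                  # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
            + b"\x01\x00"                              # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def tls_application_data(plaintext: bytes) -> bytes:
    """Stand-in for an encrypted record: random bytes of plaintext length + 16-byte tag.
    A real session emits AEAD ciphertext; to an eavesdropper both look the same."""
    ciphertext = secrets.token_bytes(len(plaintext) + 16)
    return b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext


def _extract_sni(handshake: bytes):
    """Walk the ClientHello to its extensions and pull out server_name, if present."""
    pos = 4 + 2 + 32                                   # handshake header, version, random
    pos += 1 + handshake[pos]                          # session id
    cs_len = struct.unpack("!H", handshake[pos:pos + 2])[0]
    pos += 2 + cs_len                                  # cipher suites
    pos += 1 + handshake[pos]                          # compression methods
    ext_len = struct.unpack("!H", handshake[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", handshake[pos:pos + 4])
        pos += 4
        if etype == 0:                                 # server_name extension
            name_len = struct.unpack("!H", handshake[pos + 3:pos + 5])[0]
            return handshake[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return None


def dpi_view(packet: bytes) -> dict:
    """Parse only the layers that travel in the clear: IP, TCP, TLS record headers, SNI."""
    ihl = (packet[0] & 0x0F) * 4
    view = {
        "proto": packet[9],
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
    }
    tcp = packet[ihl:]
    view["sport"], view["dport"] = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    if len(payload) < 5:
        return view
    rec_type, rec_len = payload[0], struct.unpack("!H", payload[3:5])[0]
    if rec_type == 0x16 and payload[5] == 0x01:        # handshake / ClientHello
        view["type"] = "client_hello"
        view["sni"] = _extract_sni(payload[5:5 + rec_len])
    elif rec_type == 0x17:                             # application data
        view["type"] = "application_data"
        view["opaque_bytes"] = rec_len                 # length is visible, content is not
    return view


def sample_session():
    """Constructed two-packet session: handshake, then encrypted data (documentation IPs)."""
    client, server = "192.0.2.10", "198.51.100.20"
    pkts = [
        ipv4_tcp_packet(client, server, 51000, 443, tls_client_hello("mail.google.com")),
        ipv4_tcp_packet(client, server, 51000, 443, tls_application_data(b"draft: meet at noon")),
    ]
    return [dpi_view(p) for p in pkts]


if __name__ == "__main__":
    for v in sample_session():
        print(v)
```

Running it shows the inspector learns the destination address and port, that the session is TLS, and the hostname from the SNI extension (so "this is Gmail" is trivially known without any payload decryption), while the application-data record yields nothing but its length. Reassembling a message "as it is typed" is therefore only possible over plain http, or where the inspecting party also holds the keys.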
This has already been done.
See Relakks.
I am sure there are more.
A few months ago I set up a configuration where I tunnel all of my HTTP traffic from my home system through OpenVPN to my colo box using Squid. (I have Squid running on port 443 to keep the possibility of port-based traffic shaping from my ISP.)
It works extremely well and is very secure (packet sniffers just see gibberish). Any thoughts from anyone on how DPI would affect encrypted traffic?
Cheers,
imag0
Although this seems disturbing on the surface, and truthfully is a little disturbing, I guess I kind of always assumed that my ISP was able to see anything/everything I do online that wasn't done over an encrypted connection. TFA synopsis cites that this tool can reassemble your email...okay...number 1 I'm already sharing my email with one huge corporation and 2, since when are people assuming that anything you say over email is private?? I guess I'm saying that even if ISPs traditionally do not scrutinize packets from their users to this degree, I'd always kind of assumed they were, or at least that they could. And prioritizing certain traffic based on protocol doesn't scare me. When it's prioritized based on application or user however is another story.
"The problem with internet quotations is that many are not genuine" -Abraham Lincoln
Best way to do it is just to create a bookmark to https://mail.google.com/mail/ and then ALWAYS use that link to get your mail (don't click on any of Google's Gmail links from your homepage, etc.).
If you use POP access, you can enable SSL both for incoming and outgoing mail, I believe.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
...they want their layer 7 switch back!
Tsunami -- You can't bring a good wave down!
Btw, that was a long article for Ars Technica.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
And in other news, your data isn't secure anyhow..
...
:/
Now if you'll excuse me, I gotta setup a mirror port and plug in my laptop running ethereal...
From that standing that any level of QoS/packet prioritization is anti-netneutral, the reality question VoIP.. most people will not want their Voice clobbered in the same space as joe-schome bit-torrenting the latest warez/pr0n... imagine the issues that would occur if something like that happened to the 911 system..
I think everyone (except maybe the big companies that would do it) would agree that doing something like redirecting any search terms for 'TV' to your particular Cable TV provider(because they are you internet) would be bad.
We should perform a deep pocket (just watch out for the "banana" there) inspection of the ISPs that are doing this.
What?
..for years. It's called F5 Networks. Take a look at what a Big-IP can do with some custom iRules. Sure, it can be used to deeply-inspect packets at gigabit speeds, but if you are so concerned about your traffic getting sniffed why don't you proxy yourself or use some sort of tunneling.
I agree, some of these ISPs are jerks and they use these products against us. There are ways to obfuscate what we do on the net these days though.
For the simple reason that if they try to prioritize some application traffic over another, application developers (and perhaps router developers) will just make their traffic look like the "prioritized" traffic. Thus starting an arms race which the traffic prioritizers are bound to lose. Also think of the fact that ever-sophisticated packet inspection takes more and more computing power.
Bandwidth is cheap, and continues to get cheaper. Why treat it as a precious resource when there's more of it every day?
AccountKiller
They won't even do egress filtering of IPs not in their address ranges because it would "slow down traffic too much" and you expect them to seriously consider this? It's far easier just to throttle down the problem users who are bittorrenting terabytes of goat pr0n every month. Actually investing in the architecture for a tiny incremental gain over that is not something ISPs are likely to do.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
just use a firewall that can duplicate the packets elsewhere and use that remote system to rebuild the traffic and apply filtering rules for viewing. it's nothing astronomically brilliant here. the remote system can then send back rules to assist the filtering further.
from my point of view a firewall, router, bridge *should not* do this level of inspection on packets in transit, that's just going to really piss people off on an incredible level if this is done at the core of an ISP. the only exception would be to have a HUGE cluster of these, but then they'd all have to synchronise, that'd just get messy.
Why UNIX?
Well, this just means soon websites will start offering SSL on every thing, even the stuff they normally wouldn't need to.
P2P sites will start doing the same.
- I voted for Nintendo and against Bush
I'm surprised it took them this long. If they can look into what packets are being sent, they're going to sort them according to desirability, which is defined in the context of their bottom line profits. That is fair play under capitalism, although I think most of us find it disturbing, but then again, we don't have to see the havoc caused by abject morons downloading petabytes of pornography every night while updating their myspace pages with another 400 youtube videos.
technical writing / development
But I thought that if you were to capture the entire keys exchange between two parties, that you could reconstruct the encrypted string. It'd be like having both of the keys to a PGP message. How does having all of the communique not allow you to reconstruct the en/de-cryption key?
Okay, yeah I get that the server in the middle would need to be hideously fast to not only capture the packets on the stream, but also to reconstruct all of the happenings and log them all out at one time in "english"** but I'm sure with enough hardware it could be done.
**my language-agnostic term implying a human-readable form in the log. How the log of one particular communication thread is separated from all others is beyond the scope of my term
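The question in the post above, why capturing the entire key exchange does not let you reconstruct the key, comes down to what actually crosses the wire. In a Diffie-Hellman exchange only the public values travel; each side's private exponent never leaves its host, and the observer's only route to the session key is the discrete logarithm problem. (With the RSA key exchange that older TLS deployments used, the effect is the same: the pre-master secret is encrypted to the server's public key, and the transcript is useless without the server's private key.) The following is an added example written for this thread, not the article's or any vendor's code. It uses a deliberately tiny toy group (prime 65537, generator 3) so the eavesdropper's brute-force step can actually run and be timed in operations; the function names and the `max_work` budget are this example's own.

```python
"""
Constructed example: an eavesdropper who records the whole key exchange
still cannot compute the session key except by solving a discrete log.
Toy Diffie-Hellman group so the brute force actually finishes; real
deployments use 2048-bit or larger groups (or elliptic curves), where
the same loop would need on the order of 2^2047 steps.
"""
import secrets


def dh_keypair(p: int, g: int):
    """Private exponent x stays with its owner; only g^x mod p is transmitted."""
    x = secrets.randbelow(p - 2) + 1          # 1 .. p-2
    return x, pow(g, x, p)


def dh_shared(p: int, their_public: int, my_private: int) -> int:
    """Both sides arrive at g^(ab) mod p without either private value crossing the wire."""
    return pow(their_public, my_private, p)


def run_exchange(p: int, g: int):
    """Returns (alice_key, bob_key, transcript); the transcript is all an observer captures."""
    a, A = dh_keypair(p, g)
    b, B = dh_keypair(p, g)
    transcript = {"p": p, "g": g, "A": A, "B": B}    # everything visible on the wire
    return dh_shared(p, B, a), dh_shared(p, A, b), transcript


def eve_recover(transcript: dict, max_work: int):
    """Eve's only option: find a with g^a == A (mod p), then compute B^a.
    Returns (key or None, modular exponentiations spent). On a toy group this
    succeeds; on a real-sized group max_work is exhausted long before a is found."""
    p, g, A, B = (transcript[k] for k in ("p", "g", "A", "B"))
    work = 0
    for guess in range(1, min(p - 1, max_work) + 1):
        work += 1
        if pow(g, guess, p) == A:
            return pow(B, guess, p), work
    return None, work


if __name__ == "__main__":
    ka, kb, tr = run_exchange(65537, 3)
    print("parties agree:", ka == kb)
    print("on the wire:", tr)                         # no private exponent anywhere
    key, work = eve_recover(tr, max_work=70000)
    print("eve recovered key:", key == ka, "after", work, "exponentiations")
```

The point the numbers make: the eavesdropper recovers nothing from the transcript itself; every bit of success comes from `work`, and that cost scales with the group size, which is why the thread's "with enough hardware it could be done" does not hold for real-world parameter sizes.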
2^3 * 31 * 647
just in creating terror, and guess who has the resources and the time on your dollar to be doing this shit? anymore of-fucking-course-they-abused-their-new-spy-power fbi/cia/hsa/tla of the week story?
Look at how voters/tax payers/citizens work seamlessly with business and government to put the US on the map as #1?
No? I don't see it either.
Is everyone in the US so lame that they would fight over a buck so hard that they would allow the nation to return to its not so long ago status as a third world nation?
Since the highest level of government is the voters, I can only say "What's wrong with you people!?"
I sure hope there's a cream for this problem. Vote, write letter, run for office, get involved, or sit on your ass and tax taxes to less lazy people.
-- Prepared at the direction of, or to be sent to Legal Counsel, in anticipation of litigation. Attorney Client Pri
I worked on developing one of these boxes. Not Narus, but a competitor (whose name starts with "P"). You are absolutely spot on. But you, and many here, are really not understanding the scale or the scope intended, or what is possible. This stuff is kept well out of the mainstream press, for good reason.
First, it's not just ISPs and the NSA, but also Universities. U.C. Berkeley is the biggest fanboi of this stuff. Any new tech, they want. And their IT department has been all over this. Nor are they the only University.
And yes, the RIAA is promoting this stuff too. Very eagerly. And every other control freak out there.
The next obvious step is to network these boxes across the globe, to keep track of traffic in realtime. Yes, that's a jump up. But it's doable. And it will happen. That is, people will be able to keep track of what you're doing on the internet in real time.
Also, what people aren't thinking about is the ability to preserve this information. Vast storage is cheap, and getting cheaper. People are targeting saving two years of realtime data. That's pushing things, but this is what people want. And they want to be able to preserve it longer. There's a huge amount of potential datamining there. Especially when they are able to preserve Internet traffic for longer and longer periods.
In short, the goal is to not only be able to track your every Internet connection, and what you did, but to preserve it for years. Some folks want cradle-to-grave. While they won't get it for a while, that's the direction this stuff is headed.
The bottom line is that encryption is one key defense. Necessary but not sufficient. Just be grateful that the PGP battle was won back in the 90's. If the battle for publicly available strong cryptography had been lost then, you wouldn't be having this option. Connections are the other item. The support for obscuring this is lagging, and in some cases broken. But it's still critical.
Finally, everyone should be aware that all of these boxes are hackable. If you know why Ethereal/Wireshark was kicked out of OpenBSD, you understand what's going on. The development environments common in this industry are also prevalent here. Harried developers don't care about buffer overflows. That's a total afterthought with minimal risk in the commercial space.
Or, to put it simply, you should in theory be able to not only detect when your traffic is being sniffed, but also be able hijack the sniffing as well.
So in summary, yes, encryption is useful. But it's not sufficient. And there's a heck of a lot more going on in this field than people are aware of, or even thinking about.
Come on - I know I'm not the only one who had to look it up!
http://dictionary.reference.com/browse/ubiquitous
The tubes are getting filters now. Must be to screen out all those movies streaming through them.
If someone used an encryption algorithm that was copyrighted, could deep packet inspection be considered a way to circumvent a copy protected piece of digital information?
OUCH!
That hurt reading that.
Kinda like reading a sub-par Babel-Fish translation of the message.
What was your point again? (and no, not the one on top of your head)
It's a sad day when we all have to start using https just to get back "normal" privacy rights. The phone company doesn't deeply inspect every phone call for keywords (I don't think) so what should it be okay for my ISP to do?
I don't want my ISP reading my gmail. There is a lot of chatter about that. But I don't want my ISP knowing I read Slashdot either. Or anything else for that matter. Unfortunately, most "general" web sites don't allow https. For example, Slashdot supports https, but it just refers you back to http. (I assume that is for performance reasons.)
First, it's not just ISPs and the NSA, but also Universities. U.C. Berkeley is the biggest fanboi of this stuff. Any new tech, they want. And their IT department has been all over this. Nor are they the only University.
Just curious - I'm not seeing the connection here. Why would universities be big on this? Is it primarily as a data source for data mining research?
I've gotten the impression that most universities aren't taking kindly to RIAAs shenanigans - well, outside of Kansas at least. This would seem to play right into their hands.
I don't have much problem with the ads, and if Google ever starts going in a direction I don't like, I can leave them.
If the backbone networks start with DPI, where can I go? Well, let's just say I'll have to study the foreign languages a bit harder.
What kind of dumbass doesn't know that you can tell what's going to and from mail.google.com by seeing the IP address in the header and doing a PTR lookup?
Saying, "oooh, they can tell what's bound for GMail with this, and that goes beyond the header info" makes it sound like the IP address isn't already in the damned header or the people doing the snooping don't know a) that it's in the header b) that they do a PTR lookup to find the hostname from an IP address and/or c) that mail.google.com is GMail.
How is that market segmentation any different from segmenting by packet usage, rather than packet type? If you want to segment out the high-traffic users you don't need DPI - and the associated capital costs and overhead - to do it.
There are a number of anti-consumer applications that I could see; charging this or that company for packets to or from them is the example that leaps (obviously) to mind. Recording your traffic usage, so as to better nail you with marketing would be another example. In theory, I suppose it would make it easier to focus in on where spam is coming from.
But, in short, I don't know that this constitutes a substantive new risk.
[Ego]out
In order to keep the internet open and free we have to.....let the government regulate it? You lost me somewhere in there. I think you've fallen for Google's propaganda campaign.
Creative Demolition
You have a problem with Iran and China having control of the internet in those countries but in order to save us from the same fate you want OUR government to start regulating it with "net neutrality"? Don't you understand it is precisely BECAUSE these governments got control of the internet that it became less free. Giving the government the power to control something makes it LESS free not more free. Why Slashdot? Why do you believe net neutrality can possibly save the openness of the internet?
"Government is essentially the negation of liberty" -Ludwig von Mises
Creative Demolition
With Gmail, I know who's reading my mail. Google is - they told me so.
With packet inspection, anyone on the internet backbone between me and Google could be reading my email - my local ISP, plus anyone they peer with.
Granted, this is also true of standard unencrypted email...
To a Lisp hacker, XML is S-expressions in drag.
Doesn't this mean that we will all start to use https and other SSL transports?
Either way, it's wiretapping.
Have gnu, will travel.
could someone care to explain that further, please?
This is great, if they're going to do deep packet inspection they can tell which machines are sending thousands of e-mails an hour to thousands of hosts and kill the botnet problem forthwith.
Or not do so and prove their complicity with the system. Their call - we're watching.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Since the decode is hardware based and not software based, you introduce encryption and the hardware can't recognize it.
Say AT&T downgrades Skype traffic. Skype decides to start encrypting calls between its call centers and the app. What can then be done?
Say AOL Time Warner starts blocking Gnutella 2 traffic. Shareaza patches with a basic cipher, their hardware isn't worth shit.
It's expensive and ultimately ineffective for anything but a gateway application for a small business that wants a good QOS for high-bandwidth applications.
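To make the point concrete, here is an added example (mine, not code from the article or any poster) of the signature matching a DPI box does and what it is left with once a payload is encrypted or even trivially obfuscated; it also shows that the destination address in the IP header, plus a PTR lookup, still names the far end, as an earlier poster noted. The PTR table, signatures, shaping policy and sample packets are all constructed for illustration.

```python
import codecs
import re
from typing import Dict, Optional, Tuple

# Constructed reverse-DNS (PTR) table: what the destination address in the
# IP header alone gives away, encrypted or not.
PTR_TABLE = {"192.0.2.10": "mail.example.net", "198.51.100.7": "www.example.org"}

# Simplified payload signatures of the sort a DPI box matches (constructed).
SIGNATURES = [
    ("http", re.compile(rb"\A(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
    ("smtp", re.compile(rb"\A(EHLO|HELO|MAIL FROM:)", re.I)),
    ("gnutella", re.compile(rb"\AGNUTELLA CONNECT/")),
]

# Constructed shaping policy mirroring the thread: anything the box cannot
# name drops into the lowest ("hobo") class.
POLICY = {"http": "normal", "tls": "normal", "smtp": "billed-per-message",
          "gnutella": "blocked", "unknown": "hobo"}

def classify_payload(payload: bytes) -> str:
    """Label a payload by signature; TLS is recognisable but opaque."""
    for name, sig in SIGNATURES:
        if sig.match(payload):
            return name
    # TLS record layer: content type 0x16 (handshake), major version 3.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    return "unknown"

def http_host(payload: bytes) -> Optional[str]:
    """Host header of a plaintext HTTP request, if any (payload-level leak)."""
    m = re.search(rb"\r\nHost: ([^\r\n]+)", payload)
    return m.group(1).decode("ascii", "replace") if m else None

def inspect(dst_ip: str, payload: bytes) -> Dict[str, Optional[str]]:
    """What the box learns from one packet and which queue it assigns."""
    app = classify_payload(payload)
    return {"app": app,
            "ptr": PTR_TABLE.get(dst_ip),                           # header-level
            "host": http_host(payload) if app == "http" else None,  # payload-level
            "queue": POLICY[app]}

# Constructed sample packets as (destination IP, payload).
SAMPLES: Dict[str, Tuple[str, bytes]] = {
    "plain_http": ("198.51.100.7", b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    "tls_to_mail": ("192.0.2.10", bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"\x01" * 5),
    "p2p_clear": ("203.0.113.5", b"GNUTELLA CONNECT/0.6\r\n\r\n"),
    # The "basic cipher" case: rot13 alone defeats a fixed-string signature,
    # and the flow lands in the hobo class instead of being recognised.
    "p2p_rot13": ("203.0.113.5",
                  codecs.encode("GNUTELLA CONNECT/0.6\r\n\r\n", "rot_13").encode()),
}
```

Running `inspect` over `SAMPLES` shows the Host header only for the plaintext request, the PTR name for every packet whose destination is in the table, and the obfuscated handshake demoted to the hobo queue.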
I didn't get the idea of limited government from Goldwater or Reagan. I got it from people like Adam Smith, Frederic Bastiat, and Thomas Jefferson. I would be willing to bet that for every instance you can come up with where government regulation gave us MORE liberty I could come up with ten where it took it away. Government regulation is not that answer to keep the internet "safe".
Creative Demolition
Nate at Ars Technica is being either an ignoramus or an arse, let's be blunt. He doesn't know jack about DPI. I can tell, because I do know... What Nate did is talk to two vendors who sell sort-of-deep packet inspection. Basically, they sell traffic shaping. While that's a function that DPI can be used for, it's only the easy tip of the DPI iceberg. Traffic shaping can be done with much less "deep" inspection than many boxes can perform, and really is adequate with lower-level shaping. I don't mind selling different qualities of service, for an open fee; I object to reading the payload of packets and doing something with my private data, be it assigning bandwidth, blocking it, or saving it for their commercial or other use.
Randall's portfolio includes Bytemobile, which acquired Proquent's DPI box. It does a lot more than Nate talked about. It can go deep inside the payload of the layer 7 protocol and figure out what's going on. In 2002, when I got the pitch from them (my NDA is up), it ran at 600 Mbps. The key market was mobile players -- they were already allowed to sell "walled garden" data services, and this was a very big wall.
Nate did not, for instance, watch Rod Randall's 2005 IEC presentation, which featured the tag line http://www.iec.org/online/iforums/iec_3/choose.as
For instance, one application is to monitor for email traffic (POP and SMTP). It can then log and create charging records for every email message that passes on the wire. Not only mail that uses the ISP's server, but any that goes on the wire. The pitch -- Randall makes this in his show -- is that wireless providers sell SMS for about a dime a message, and email by kilobyte is tons cheaper, so they should charge a dime for each email. VoIP competes with their phone calls, so it should be blocked or at least billed by the call.
But it gets worse. AT&T has made noise about charging for the value of ecommerce transactions. So if you make an online purchase, they'd get a fee for using their wire. Hell, Visa already does, for using their card, so AT&T wants to get their cut too, just for using their wire.
And it gets worse. They can decide what web sites are okay and which ones aren't. Others have already mentioned the Great Firewall of China. DPI lets its user tilt performance, so, for instance, Fox News gets better results than CNN, or Hollywood Fred's web site gets better performance than Barack's, John's, or Hillary's. This is all legal today for ISPs to do.
And it gets worse. Since DPI detects applications, it can block any new application -- leaving innovation in the hands of the phone companies who control the wire. After all, if it doesn't recognize the application, it must go to the lowest category, either blocked or relegated to what Randall calls "hobo class". Think modem speed, on a noisy line.
I do suggest reading Data Foundry's comments; author Scott McCollough is one of the best communications lawyers out there. He notes that the Ts and Cs of many "broadband" services give the wire owner the ownership rights on packets passing over their wire. No privacy -- so if you're a lawyer, you technically have waived your lawyer-client privilege by using their network! DPI makes this practical -- they can monitor emails for certain keywords, addresses, etc., even if it's not using their servers.
DPI is the tool for replacing Internet access with a "broadband" data service that is more like 1982's Compuserve, which charged by the hour and surcharged by the minute based on what application you ran (CB Simulator, email, etc.). It will happen if current (as of 2006) US rules, which kick independent ISPs off of ILEC DSL networks, are retained. It cannot happen if open competition for ISP services is restored, because the public wouldn't buy such a service if there were a choice. That's why the Bells got their buddies at the FCC to remove common carrier status from the telephone company networks.
If they attach ads or anything else that I did not personally put into the email I will nail them for unlawful intercept of a communication. It would be no different if they started playing ads on a phone conversation between 2 people.
In fact since it's mime encoded I could probably get them on DMCA charges. It would be about time the law was put to good use.
Just inspecting the payload to detect your application makes you disturbed? Phew... you weak westerners.
Here in Soviet China, we inspect the payload to detect your name, your home address, and your ideology
but in order to save us from the same fate you want OUR government to start regulating it with "net neutrality"
Huh? Isn't that exactly the opposite of what he said? Can't believe you've been modded up. Either you're not the only one who didn't read it, or your moderator just agreed with your message and modded it up without considering context.
I have often wondered about doing just this sort of thing.
For example, I rent web hosting space from a web host provider. I often wondered why I couldn't install some kind of program on my rented web server that basically I routed all my communications through, encrypted.
It still wouldn't stop people from sniffing/snooping in between my rented server and the world, but at least it would put a layer of abstraction between ME and the world.
So how do you do what you did? How do you set up a remote "box" like you did?
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
Yes, but it sounds like you are talking about what to do on the client side. That's the easy part. The hard part is how do you get a remote system somewhere on the Internet that you can establish a tunnel to, like the GP did?
A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
Just curious - I'm not seeing the connection here. Why would universities be big on this?
Because they don't want the volume of peer-to-peer videos of the topless chicks at last weekend's frat party/orgy — over any protocol — to take up so much of the bandwidth capacity on the school's network backbone that a professor down the hall spends three hours having his connection time out while trying to submit an application for a twenty megabuck grant to Big Government Agency on the last day before the deadline. This, by the way, is not a random example. For bonus points, the responsible party was finally tracked down nine minutes after the deadline closed... and was one of the professor's graduate student minions. Who was, of course, informed that if said BGA did not provide the aforementioned grant (low chance, given the missed deadline), the professor would doubtless be short of funds for minion positions the next year, so the student should probably make efforts to finish his graduate degree by the end of the current semester. Which, once word got around, reduced the number of such incidents.
Locally, the IT staffers generally don't care much about students sharing their homemade pr0n with the available bandwidth, and if it wasn't for the legal issues (and threats by the MafIAA, and so on), they wouldn't give a fsck about the music and movie sharing per se either. They do, however, want to make sure these uses don't interfere with the serious educational and research operations of the school. Ergo, the Central Powers traffic shape some of the nastier bandwidth sucking protocols. IIRC, top priorities are DNS, https, and ssh, which get a minimum reserved of 15%, plus up to 75% more of the bandwidth capacity if needed; FTP, http of non-hog files (i.e., not recognized as video nor audio), rsync, email, and one or two others I forget have a 10% reserved load, plus as much as they can hog of what's not used by or reserved for the top tier; after that, everything else (from torrent to irc to IM and so on) gets whatever bandwidth is left. That can be as much as 95% of the OC3 uplink... or sometimes nothing at all.
Packet inspection facilitates moving stupid bandwidth hogs into the lower-priority traffic zone, so mission-critical protocols go through. For a university, "mission critical" is usually defined in a sensible manner. The problem occurs when a for-profit ISP does it; "mission critical" becomes "whatever we can get paid the most for", by the legally required nature of corporate entities. I'd have no problem with AT&T and the like reserving a few percent to ensure that internal network management traffic (BGP, DNS, SNMP, etc.) goes through no matter what. However, when "Corporate Customer's VOIP" gets a priority, what's left for everyone else is no longer "Internet Service" in my book; that's selling "Surplus Capacity Available Margin" (or perhaps "Surplus Hardline Internet Transmission"), and ought to be distinctly labeled as such, and sold as a suitably discount product.
//Information does not want to be free; it wants to breed.
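As an added example of the tiering just described (my own code, not the poster's or the university's actual configuration), here is an HTB-style allocator that applies those reserve and ceiling shares to a nominal 155 Mbps OC-3 uplink; the tier names and the demand figures are constructed.

```python
from typing import Dict, List, Tuple

# Tiers in priority order as (name, reserved share, ceiling share of the
# uplink). Shares follow the comment above: top tier 15% reserved plus up
# to 75% more, second tier 10% reserved and free to borrow the rest, and
# everything else gets only what is left over. Tier names are constructed.
TIERS: List[Tuple[str, float, float]] = [
    ("interactive", 0.15, 0.90),  # DNS, https, ssh
    ("work-bulk", 0.10, 1.00),    # FTP, non-media http, rsync, email
    ("scavenger", 0.00, 1.00),    # torrent, irc, IM, the rest
]

OC3_MBPS = 155.0  # nominal OC-3 line rate, used as the uplink capacity

def allocate(demand: Dict[str, float], capacity: float = OC3_MBPS,
             tiers: List[Tuple[str, float, float]] = TIERS) -> Dict[str, float]:
    """HTB-style two-pass split of the uplink (Mbps) between tiers.

    Pass 1 hands every tier its reserve (or its demand, if smaller); pass 2
    lends whatever is left, in priority order, up to each tier's ceiling.
    """
    got = {name: min(demand.get(name, 0.0), reserve * capacity)
           for name, reserve, _ in tiers}
    left = capacity - sum(got.values())
    for name, _, ceil in tiers:
        want = demand.get(name, 0.0) - got[name]
        extra = max(0.0, min(want, ceil * capacity - got[name], left))
        got[name] += extra
        left -= extra
    return got

def starved(demand: Dict[str, float], capacity: float = OC3_MBPS) -> List[str]:
    """Tiers that received less than they asked for under the policy."""
    got = allocate(demand, capacity)
    return [name for name, _, _ in TIERS if got[name] + 1e-9 < demand.get(name, 0.0)]

if __name__ == "__main__":
    # Constructed loads: a quiet day with a P2P storm, then a busy professor
    # whose traffic hits the 90% ceiling while the 10% work reserve survives.
    for d in ({"interactive": 10, "work-bulk": 50, "scavenger": 200},
              {"interactive": 150, "work-bulk": 30, "scavenger": 100}):
        print(d, "->", {k: round(v, 2) for k, v in allocate(d).items()},
              "starved:", starved(d))
```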
Encrypt everything. What's the problem with this? We already have secure protocols, just use them. Who cares how deep they inspect. All they'll see is garbage.
I can't WAIT for this to happen. Finally a return to the internet of old, where the bar to entry was high enough to keep the "ASL?! meTOO!oneone!!11" crowd off.
Most of your claims could just as easily be attributed to government and not free enterprise. Would slavery even have been profitable without government protecting the institution? How would masters reclaim runaway slaves if the "police" didn't return them and others were barred by law from helping them escape? Yes that's right. Government regulation made slavery a profitable enterprise.
You say that medical care can't be left up to the market because it is necessary to survival, but food and water are necessary for survival as well and yet the market provides cheaper and better quality food and cleaner water than at any other time in history. Regulation is sometimes very helpful but if it is too pervasive then it cripples that which it is trying to help. The medical industry in the U.S. is NOT repeat NOT anywhere near a free market. In fact a single payer system might even be preferable to what we have now. The U.S. medical industry is so heavily regulated and subsidized that people are insulated from their health care costs and so supply and demand are distorted and prices are pushed up to astronomical levels.
To claim that the U.S. health care is free from government intervention is absolutely mind-numbing considering that the U.S. government pays more per person for health care than any other country in the world including the ones with a universal system.
Creative Demolition
They must have noticed the productivity drop when everyone took extended lunch breaks and left early. :)
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
The old-AT&T Internet backbone migrated off ATM back in the 90s, except for access to a few smaller countries. On the other hand, business customers buy a lot of ATM and Frame Relay for private networks, and the frame networks use an ATM backbone. The old SBC network used a lot of ATM and frame to transport everything, at least in California, but I'm not sure if that's what you mean.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I don't know how ownership of easements along highways works, but that also depends on whether the telcos are buying easements from the highway departments or adjacent landowners. One reason there's so little carrier infrastructure in North Dakota, besides low population, is that the state highway department didn't want to provide access to carriers for a long time on the main east-west route across the state, so instead there was a trickle of fiber coming in from the eastern side.
I don't know how ownership relations work for the local telco portions between the telco office and the customer's home or business - it's a lot more varied, and the scale is different. Where the wiring is aerial, there are lots of different relationships depending on whether the poles are owned by the telco or the power company (and who rents them from the other one under what arrangements.) When I owned a house in a small town, my deed did include a "utility easement" that let the telco and power company run wires and poles along the six feet near the road, and in general underground utilities have similar easements. But in bigger cities, it's a lot messier, and the cities often extort various deals from the utility companies in return for giving them access to the streets - that's most visible with cable TV.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Part of it's a concern about viruses, and part of it's a concern about cost management, because applications like BitTorrent can really suck down your relatively-expensive corporate bandwidth, and partly it's general fear about having applications like Skype running servers in your network that are providing services to outsiders and aren't under the control of your corporate computer security or even desktop support organizations. Now, it's true that a lot of that fear is FUD generated by people who want to sell you fancier firewalls, but there are some legitimate concerns as well.
In general, what you really want to do is prioritize the VOIP so it gets high priority, but doesn't crowd out your latency-sensitive database applications, and put BitTorrent at lowest priority, because it's good at scavenging anything left over after web, email, and FTP get what they need, assuming of course that it's being used for work-related activity (Linux Distros good, music downloading maybe not.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks