Deep Packet Inspection and Net Neutrality
EncryptKeeper writes "Ars Technica has an in-depth feature on deep packet inspection, and it's a disturbing read. ISPs are starting to turn to DPI to monitor their networks, and, more troubling, to look at how they can use it to shape, block, monitor, and prioritize traffic. 'The "deep" in deep packet inspection refers to the fact that these boxes don't simply look at the header information as packets pass through them. Rather, they move beyond the IP and TCP header information to look at the payload of the packet. The goal is to identify the applications being used on the network, but some of these devices can go much further; those from a company like Narus, for instance, can look inside all traffic from a specific IP address, pick out the HTTP traffic, then drill even further down to capture only traffic headed to and from Gmail, and can even reassemble emails as they are typed out by the user.'"
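The header-versus-payload distinction in the summary, as an added example that is not code from the Ars article or this thread: a minimal inspector in Python that parses constructed IPv4/TCP frames (addresses, ports and payloads are made up here) and then reads the payload to tell HTTP from TLS. With cleartext HTTP the request line and Host header are fully readable on the wire; for a TLS record only the record type and version are, which is what makes the https session asked about in the thread opaque to a box like this.

```python
import struct
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample frame: minimal 20-byte IPv4 header + 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Shallow inspection: only what the IP and TCP headers say."""
    ihl = (raw[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if raw[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return Packet(src, dst, sport, dport, tcp[doff:])


def deep_inspect(pkt: Packet) -> dict:
    """Deep inspection: classify the application from the payload, not the port."""
    info = {"flow": f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}", "app": "unknown"}
    p = pkt.payload
    # TLS record header: content type 0x16 (handshake) followed by version 0x03 0x0X.
    # The inspector can tell it is TLS, but the application data is opaque to it.
    if len(p) >= 5 and p[0] == 0x16 and p[1] == 0x03:
        info["app"] = "tls"
        return info
    head = p.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = head[0].decode("ascii", "replace").split(" ")
    if parts[0] in ("GET", "POST", "HEAD", "PUT", "DELETE"):
        # Cleartext HTTP: request line and headers are fully readable on the wire.
        headers = {}
        for line in head[1:]:
            k, _, v = line.decode("ascii", "replace").partition(":")
            headers[k.strip().lower()] = v.strip()
        info.update(app="http", method=parts[0],
                    path=parts[1] if len(parts) > 1 else "", host=headers.get("host"))
    return info


# Constructed sample traffic: one cleartext request, one TLS handshake record stub.
HTTP_FRAME = build_ipv4_tcp("10.0.0.2", "192.0.2.10", 51000, 80,
                            b"GET /mail/ HTTP/1.1\r\nHost: mail.google.com\r\n\r\n")
TLS_FRAME = build_ipv4_tcp("10.0.0.2", "192.0.2.10", 51001, 443,
                           b"\x16\x03\x01\x00\x2a\x01" + b"\x00" * 41)


def inspect_all(frames):
    return [deep_inspect(parse_ipv4_tcp(f)) for f in frames]


if __name__ == "__main__":
    for result in inspect_all([HTTP_FRAME, TLS_FRAME]):
        print(result)
```

Note that a real TLS handshake still exposes the negotiated server name (SNI) and the peer addresses in cleartext, so such a box learns which site you talk to even when it cannot read the mail itself.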
Hmm, I need some help with this one, since my networking kung fu sucks... When I log in to Gmail, I am in https mode, and this persists through my whole session. I was under the impression, perhaps naively, that this meant my session to Gmail was encrypted and that only I and the Gmail server could decipher the contents of my mail, that is until I click send, and it goes from the Gmail server to wherever I send to. So if this is true, how would someone be able to reassemble my email as I type?
If you use Firefox and Gmail's web UI, use this extension to make sure your Gmail session is encrypted:
CustomizeGoogle: Improve Your Google Experience -- Firefox Extension
... and check the box labeled "Secure (switch to https)" in the Gmail section.
If you are using POP3 access to Gmail, you are already using SSL.
If I understand packet sniffing correctly (I'm no programmer), that just shows the source and destination but the contents are encrypted. Please let me know if I'm incorrect.
I've recently started using a full-time encrypted personal VPN to one of my boxes which is 1 hop (data center's router) from several backbones. I add direct (non-vpn) routing for services which are particularly latency sensitive (gaming).
I don't currently suspect my home ISP of doing this sort of deep analysis or otherwise interfering with my data stream, but in this way I also don't have to worry about it.
IMHO this sort of thing will become the standard if this trend of ISPs snooping and changing our data continues.
It really is time to start encrypting everything from everywhere/to everywhere.
The NSA wiretapping with the collusion of the US telecom industry is just the start.
This technology is going to be seen as a data mining opportunity. Want to bet that some of the big data aggregators are going to start installing this technology - or paying ISPs or backbone providers for the privilege?
It's a snowballing system. The new tech companies want to come up with new technology. The government wants to make use of new technology. The new tech companies want to come up with new technology to appease the government regulations which make use of the new (-1) technology. The government wants to make use of the new technology. The new tech companies want to come up with new technology to appease the government regulations which make use of the new (-1) and new (-2) technology. Repeat.
I, as a private system admin, would simplify the entire problem and choose not to engage in packet inspection unless there were absolutely blatant abuses--like setting a threshold. There are ethical reasons why I wouldn't feel that it's proper to go delving through each and every packet. Once government becomes involved, though, then there's no way to turn it off. In order to receive the money for an ISP start-up, for example, one must demonstrate that they can play within the ever shrinking boundaries defined by the laws.
The article (and summary) mentions reassembling e-mails as they're being typed. Is this accurate? I have, for some time, wondered if some text entry forms in web pages are "active" in that they exchange keystrokes with the remote end at real-time intervals. Again, from an ethical point of view, I would never make use of anything but passive entry boxes where none of the user's text is transferred across the network until they actually deliberately send it. What possible reason, as an admin, could I have in wanting to watch a user as they type text into an entry form?
I guess the argument can be made for automatically modifying forms. Pfizer uses this for their online resume submission. For example, the available options in the various locations (country, state, county, city, zip, etc.) are pared down as soon as one makes a selection in the hierarchical predecessor. While I appreciate the "wow! neat!" factor I just don't see how it's really necessary and, although I don't see that Pfizer would be using it for some uber-nefarious conspiracy scheme, I can liken it to the desensitization similar to "Click OK if you wish to allow this action" and EULAs.
I've become more and more convinced that information sent over the internet should afford the same protections that federal mail does. Net neutrality is a step in that direction. But, it's just a step.
ISPs currently have no limits that keep them from violating the privacy of their subscribers. Well, nothing short of market forces. Which in this case is laughable. Since packets can travel through a number of networks before ending up at their destinations, there is no guarantee they won't travel through an ISP the consumer doesn't support financially.
I smell an opportunity for someone to start selling a personal VPN service, where all your communications are encrypted, and carried across the backbone encrypted to a data center as close as possible (network topology wise) to the destination before being sent plain text across the last segment.
If an ISP wants to do this, I think they should simply lose any common-carrier status. That is, deep inspection means that they become responsible for content: accomplices in any crime committed via that traffic.
The whole point of common carrier protection should be that if they do any tampering to the content, it is assumed that they knew what was passing through their network. It should be a protection that only exists when the company is in 100% compliance. The moment they insert ads into web pages they didn't buy, rewrite an email, censor someone, etc. even if it is one group in a 100,000+ employee company, the entire company should lose common carrier status and be open to litigation from everyone who has any copyright or other type of valid complaint otherwise shielded by common carrier status.
I wonder about this somewhat.
I work for a telephone coop in their internet dept. We've been drilled about the evils of Vonage/Skype, etc. cutting in to our MUCH more lucrative-than-internet-or-TV depts for a while now.
But, as all of our customers have access to ours and others' (namely cable) broadband, I don't know that filtering out VoIP would be a good move. We've had a few customers whine that their VoIP isn't reliable (duh) on our service. (Mine seems to work just fine.) So the first thing they do is go to the cable company for service (not that this makes any difference in their reliability).
So with the cable and other non-dialtone companies, filtering VoIP causes phone co's to lose not only an internet customer but a landline customer as well. As we require a landline for our broadband, we still get the best of both worlds while still providing VoIP access.
/. AND reading the article in the same sentence? you must be new here...
Using a VPN doesn't exactly protect you from this type of thing. A VPN sets up a point to point encrypted tunnel to send your traffic over. Your network traffic is sent to the other end of the tunnel, and then transmitted plaintext from there.
So if you use a VPN tunnel to visit gmail your network traffic is safe from snooping by your ISP, but may be intercepted anywhere between the other end of the tunnel and the gmail servers themselves.
What you really need is to encrypt all traffic between your system and your destination system. This can be done with VPN technologies if all servers you want to talk to support those technologies, but more commonly this is done with SSL.
A) There probably isn't any way for you to see if your ISP is doing this.
B) Even if you could, it doesn't matter. You may be able to switch your last-mile provider, but you probably can't switch their upstream provider. It's the upstream/backbone providers who will be racing to do this.
Basically, if providers are doing this, you're hosed. It's going to be real, real difficult for you to somehow make sure your traffic doesn't route across Level3's (or Cogent's, or whomever's) network at any point.
I'm rather dismayed by the number of people immediately chiming in and saying "well, fuck the ISP, I'll just encrypt everything." While that would address privacy concerns, it does nothing for the main issue, which is the traffic-shaping itself. Your encrypted packets will be unrecognized, and thus shunted to the lowest priority. Problem solved, from the ISP's perspective.
Deep packet inspection technology was developed by the likes of Cisco for the sole purpose of obtaining access to the Chinese market. The Communist Party wanted the power of the internet, but they also wanted the power to control it. With deep packet inspection and a suite of other related solutions, I think it's reasonable to say they got their wish. There are millions of Chinese internet users and the country is farther from a revolution now than it was in 1989.
It's not just China. Countries like Saudi Arabia and Iran are also taking advantage of this new technology, every byte of it developed by corporations right here in the "free" west.
And now? The technology is simply being marketed here too. Exported back into the west, if you will. ISPs, companies, governments are all being given the power to put the internet genie back in the bottle. Time was that corporations were developing technology to help make democracy stronger. Now they're simply giving democracy the rope it needs to thoroughly hang itself.
I'd like to be optimistic about our society, but frankly it's too tiring in this day and age of fear and surveillance. The worst part is the overwhelming acceptance, nay approval, of our loss of freedoms. The Net Neutrality debate is not an isolated argument. It's a symptom of the underlying shift in Western society, back into a dark age.
The privileged workingman is paid 7 sp/day.
The favored workingman is paid 10 sp/day.
The cost of a coal shovel is 100 sp.
The cost of a coal shovel +1 is 110 sp.
The cost of a coal shovel +2 is 120 sp.
A coal shovel breaks after 19 days.
A coal shovel +1 breaks after 15 days.
A coal shovel +2 breaks after 13 days.
The favored workingman offers loans to the privileged workingman in amounts of 20 sp per loan, with an interest rate which causes the total repayment to be 30 sp.
In this system the favored workingman can always afford a new shovel when it breaks and has the money to make loans to the privileged workingman. The privileged workingman can afford a new shovel whenever it breaks but is kept in debt by loaning money to the general workingman whose coal shovel always breaks one day before he can afford to replace it. In this fashion the general workingman is kept in a state of alarm, always needing 5 more sp, the privileged workingman is kept on a hamster wheel, always needing to find four more general workingmen to loan money to, and the favored workingman never has a problem.
It's more like gmail keeps track...If you go to http://gmail.com/ it will redirect you to https to log in, and then back to http for your mail. However, if you go to https://gmail.com/ then you will stay in https the whole time. This is exactly the way it's supposed to work, where your status is maintained, though it can be argued that they should default you to https for security.
If you use the "Gmail notifier" plug-in for Firefox, it defaults to https. There is also a "gmail customizer" app that will let you specify HTTPS as the default, but I've never used it.
This has already been done.
See Relakks.
I am sure there are more.
Right. But it doesn't have anything to do with relative URLs. Relative URLs are relative to everything that comes before, including the protocol (http vs https). It's not the https protocol remembering that everything you're doing should be secure.
Best way to do it is just to create a bookmark to https://mail.google.com/mail/ and then ALWAYS use that link to get your mail (don't click on any of Google's Gmail links from your homepage, etc.).
If you use POP access, you can enable SSL both for incoming and outgoing mail, I believe.
Err...
Anyone who actually makes investment decisions based on real information and not on Slashdot line noise has made that consideration 2 years ago.
That was roughly the time when Ellacoya, Taz, P-Cube and their like went into trials with major telcos. Unfortunately they were all private at the time, otherwise I would have been seriously tempted to buy some stock. The telcos and ISPs that intended to deploy them have already done so. The ones that have not are looking at flexible bandwidth management and quotas as an alternative.
In either case Vonage is screwed unless it negotiates directly with the ISP to have its packets marked correctly. I am surprised they are not openly advertising for the position of transit/peering manager while openly stating that they will double the industry average for the position (that is what I would have done).
Nothing to see here people, move along.
I worked on developing one of these boxes. Not Narus, but a competitor (whose name starts with "P"). You are absolutely spot on. But you, and many here, are really not understanding the scale or the scope intended, or what is possible. This stuff is kept well out of the mainstream press, for good reason.
First, it's not just ISPs and the NSA, but also universities. U.C. Berkeley is the biggest fanboi of this stuff. Any new tech, they want. And their IT department has been all over this. Nor are they the only university.
And yes, the RIAA is promoting this stuff too. Very eagerly. And every other control freak out there.
The next obvious step is to network these boxes across the globe, to keep track of traffic in realtime. Yes, that's a jump up. But it's doable. And it will happen. That is, people will be able to keep track of what you're doing on the internet in real time.
Also, what people aren't thinking about is the ability to preserve this information. Vast storage is cheap, and getting cheaper. People are targeting saving two years of realtime data. That's pushing things, but this is what people want. And they want to be able to preserve it longer. There's a huge amount of potential datamining there. Especially when they are able to preserve Internet traffic for longer and longer periods.
In short, the goal is to not only be able to track your every Internet connection, and what you did, but to preserve it for years. Some folks want cradle-to-grave. While they won't get it for a while, that's the direction this stuff is headed.
The bottom line is that encryption is one key defense. Necessary but not sufficient. Just be grateful that the PGP battle was won back in the 90's. If the battle for publicly available strong cryptography had been lost then, you wouldn't be having this option. Connections are the other item. The support for obscuring this is lagging, and in some cases broken. But it's still critical.
Finally, everyone should be aware that all of these boxes are hackable. If you know why Ethereal/Wireshark was kicked out of OpenBSD, you understand what's going on. The development environments common in this industry are also prevalent here. Harried developers don't care about buffer overflows. That's a total afterthought with minimal risk in the commercial space.
Or, to put it simply, you should in theory be able to not only detect when your traffic is being sniffed, but also be able to hijack the sniffing as well.
So in summary, yes, encryption is useful. But it's not sufficient. And there's a heck of a lot more going on in this field than people are aware of, or even thinking about.
See http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
A passive attacker (Eve) can witness the entire key exchange and be unable to work out the key.
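The property stated above (Eve sees the whole exchange and still cannot derive the key), as an added example that is not code from this thread: a small Python Diffie-Hellman over a freshly generated 64-bit safe prime (a toy size chosen so the demo runs instantly; real deployments use standardized groups of 2048 bits or more, or elliptic curves), a transcript of exactly what a passive box on the path records, and a bounded brute-force discrete-log attempt standing in for Eve's effort. The safe-prime search and the choice of g = 4 are this example's own, not something the linked article prescribes.

```python
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin with random bases (sufficient for this illustration)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int) -> int:
    """Find p = 2q + 1 with q prime, so g = 4 generates a subgroup of prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def shared_key(their_pub: int, my_priv: int, p: int) -> bytes:
    """Both sides compute g**(a*b) mod p and hash it into a symmetric key."""
    secret = pow(their_pub, my_priv, p)
    return hashlib.sha256(secret.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def exchange(p: int, g: int = 4):
    """Run the exchange; return both derived keys and what a passive box saw."""
    q = (p - 1) // 2
    a = secrets.randbelow(q - 1) + 1     # Alice's private exponent, never sent
    b = secrets.randbelow(q - 1) + 1     # Bob's private exponent, never sent
    wire = []                            # everything Eve's DPI box can record
    wire.append(("alice->bob", "A", pow(g, a, p)))
    wire.append(("bob->alice", "B", pow(g, b, p)))
    key_alice = shared_key(wire[1][2], a, p)   # Alice uses B and her own a
    key_bob = shared_key(wire[0][2], b, p)     # Bob uses A and his own b
    return key_alice, key_bob, wire, (a, b)


def eve_brute_force(wire, p: int, g: int = 4, budget: int = 200_000):
    """Eve's only route is the discrete log of A; a bounded search models her effort."""
    A = {name: val for _, name, val in wire}["A"]
    for x in range(1, budget):
        if pow(g, x, p) == A:
            return x
    return None


if __name__ == "__main__":
    p = safe_prime(64)   # toy size so the demo is fast; real groups are 2048+ bits
    ka, kb, wire, _ = exchange(p)
    print("keys agree:", ka == kb, "eve recovered a:", eve_brute_force(wire, p))
```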
"I've gotten the impression that most universities aren't taking kindly to RIAAs shenanigans - well, outside of Kansas at least."
That impression is mistaken. While the unis generally haven't been thrilled with the RIAA's actions, they have generally bent over in response to any RIAA action. This type of technology allows them to immediately shut down any P2P activity, regardless of what port is being used. If the RIAA tells them to implement this, or risk a lawsuit, what do you think the majority of them are going to do?
And if you know how this game is played, you'll know that the next step is Washington, to make this type of filtering mandatory among all ISPs. Indeed, there's been some talk of it already.
At UCB, when this was first deployed, the very first person busted was a new hire on the IT staff. He fired up KaZaa one afternoon, and within minutes someone had a chat with him. His stunned response was basically "How did you find out?".
In order to keep the internet open and free we have to.....let the government regulate it? You lost me somewhere in there. I think you've fallen for Google's propaganda campaign.
With Gmail, I know who's reading my mail. Google is - they told me so.
With packet inspection, anyone on the internet backbone between me and Google could be reading my email - my local ISP, plus anyone they peer with.
Granted, this is also true of standard unencrypted email...
Nate at Ars Technica is being either an ignoramus or an arse, let's be blunt. He doesn't know jack about DPI. I can tell, because I do know... What Nate did is talk to two vendors who sell sort-of-deep packet inspection. Basically, they sell traffic shaping. While that's a function that DPI can be used for, it's only the easy tip of the DPI iceberg. Traffic shaping can be done with much less "deep" inspection than many boxes can perform, and really is adequate with lower-level shaping. I don't mind selling different qualities of service, for an open fee; I object to reading the payload of packets and doing something with my private data, be it assigning bandwidth, blocking it, or saving it for their commercial or other use.
Nate did not, for instance, watch Rod Randall's 2005 IEC presentation, which featured the tag line http://www.iec.org/online/iforums/iec_3/choose.as
Randall's portfolio includes Bytemobile, which acquired Proquent's DPI box. It does a lot more than Nate talked about. It can go deep inside the payload of the layer 7 protocol and figure out what's going on. In 2002, when I got the pitch from them (my NDA is up), it ran at 600 Mbps. The key market was mobile players -- they were already allowed to sell "walled garden" data services, and this was a very big wall.
For instance, one application is to monitor for email traffic (POP and SMTP). It can then log and create charging records for every email message that passes on the wire. Not just what uses the ISP's server, but whatever goes on the wire. The pitch -- Randall makes this in his show -- is that wireless providers sell SMS for about a dime a message, and email by kilobyte is tons cheaper, so they should charge a dime for each email. VoIP competes with their phone calls, so it should be blocked or at least billed by the call.
But it gets worse. AT&T has made noise about charging for the value of ecommerce transactions. So if you make an online purchase, they'd get a fee for using their wire. Hell, Visa already does, for using their card, so AT&T wants to get their cut too, just for using their wire.
And it gets worse. They can decide what web sites are okay and which ones aren't. Others have already mentioned the Great Firewall of China. DPI lets its user tilt performance, so, for instance, Fox News gets better results than CNN, or Hollywood Fred's web site gets better performance than Barack's, John's, or Hillary's. This is all legal today for ISPs to do.
And it gets worse. Since DPI detects applications, it can block any new application -- leaving innovation in the hands of the phone companies who control the wire. After all, if it doesn't recognize the application, it must go to the lowest category, either blocked or relegated to what Randall calls "hobo class". Think modem speed, on a noisy line.
I do suggest reading Data Foundry's comments; author Scott McCollough is one of the best communications lawyers out there. He notes that the Ts and Cs of many "broadband" services give the wire owner the ownership rights on packets passing over their wire. No privacy -- so if you're a lawyer, you technically have waived your lawyer-client privilege by using their network! DPI makes this practical -- they can monitor emails for certain keywords, addresses, etc., even if it's not using their servers.
DPI is the tool for replacing Internet access with a "broadband" data service that is more like 1982's Compuserve, which charged by the hour and surcharged by the minute based on what application you ran (CB Simulator, email, etc.). It will happen if current (as of 2006) US rules, which kick independent ISPs off of ILEC DSL networks, are retained. It cannot happen if open competition for ISP services is restored, because the public wouldn't buy such a service if there were a choice. That's why the Bells got their buddies at the FCC to remove common carrier status from the telephone company networks.