NSA Patents a Way To Spot Network Snoops
narramissic writes "The National Security Agency has patented a technique for figuring out whether someone is messing with your network by measuring the amount of time it takes to send different types of data and sounding an alert if something takes too long. 'The neat thing about this particular patent is that they look at the differences between the network layers,' said Tadayoshi Kohno, an assistant professor of computer science at the University of Washington. But IOActive security researcher Dan Kaminsky wasn't so impressed: 'Think of it as — if your network gets a little slower, maybe a bad guy has physically inserted a device that is intercepting and retransmitting packets. Sure, that's possible. Or perhaps you're routing through a slower path for one of a billion reasons.'"
Or perhaps you're routing through a slower path for one of a billion reasons.
I knew taking that left turn at Albuquerque was a bad idea...
They don't want any of US to have access to such technology when THEY slap the monitoring devices on our network.
"Any society that would give up a little liberty to gain a little security will deserve neither and lose both.
They had something like this years ago on an episode of 'Alias'. The good guys had infiltrated the bad guy base and were siphoning off data...
Of course there can be a billion reasons as to why some packets will take longer than others to reach their destinations.
However, if you do enough sampling over a period of time, you can make averages and see if some types/destinations of packets are possibly being messed with.
It's not perfect, but neither are averages in general, etc.
What makes it newsworthy is that such a simple idea was granted a patent.
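The sampling-and-averaging approach from the comment above, and the later point that congestion slows every traffic class alike while an interposed device tends to slow only the traffic it processes, written out as an added example. This is not code from the NSA patent, the article, or any commenter; the latency samples, class names and the 3-sigma threshold are constructed for illustration.

```python
"""Per-traffic-class latency baseline detector (added example).

Idea: learn mean/stdev of round-trip time per traffic class during a quiet
window, then compare a later window class by class. A slowdown hitting every
class at once is reported as congestion; a slowdown confined to some classes
is the pattern worth investigating.
"""
from statistics import mean, pstdev

# Constructed training data: RTT in milliseconds per traffic class.
BASELINE = {
    "icmp":  [1.1, 1.0, 1.2, 1.1, 1.0, 1.1, 1.2, 1.0],
    "dns":   [2.0, 2.1, 1.9, 2.0, 2.2, 2.0, 1.9, 2.1],
    "https": [4.0, 4.2, 3.9, 4.1, 4.0, 4.3, 3.8, 4.1],
}


def fit(samples, stdev_floor=0.05):
    """Return {class: (mean, stdev)}; the floor keeps a very stable class
    from turning tiny jitter into a huge z-score."""
    return {cls: (mean(v), max(pstdev(v), stdev_floor)) for cls, v in samples.items()}


def zscores(model, window):
    """How many baseline standard deviations each class's window mean moved."""
    return {cls: (mean(window[cls]) - m) / s
            for cls, (m, s) in model.items() if cls in window}


def classify(model, window, threshold=3.0):
    """Return (verdict, set_of_slow_classes).

    verdict is one of:
      "normal"             - no class moved beyond the threshold
      "congestion"         - every observed class slowed together
      "selective_slowdown" - only some classes slowed
    """
    z = zscores(model, window)
    slow = {cls for cls, v in z.items() if v > threshold}
    if not slow:
        return "normal", slow
    if slow == set(z):
        return "congestion", slow
    return "selective_slowdown", slow


if __name__ == "__main__":
    model = fit(BASELINE)
    # Constructed observation window: only HTTPS got about 2 ms slower.
    window = dict(BASELINE)
    window["https"] = [6.0, 6.2, 5.9, 6.1]
    print(classify(model, window))  # ('selective_slowdown', {'https'})
```

The verdict names are placeholders; in practice the baseline would be re-fitted periodically and the threshold tuned against the false-positive rate the network owner can tolerate, which is exactly the objection raised elsewhere in this thread.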
Or maybe you're by chance experiencing more CSMA collisions, or the network now has more active nodes or higher traffic?
It is not immoral to create the human species - with or without ceremony, Samuel Clemens.
This is another example of the broken patent system. No government should be able to patent something--that technology was funded by the taxpayer and should thus be owned by the taxpayer, meaning that it is public and thus not patentable.
Colin Dean Go a year without DRM
Uh oh, someone stole the plans for the NSA Tape Dispenser, it is missing from their Domestic Technology Transfer Program website! http://www.nsa.gov/techtrans/techt00075.cfm
these false positives really begin to add up. Couple this with all the lame-brained terrorist detection schemes that create millions of false positives and we can see the plan to get America out of recession is to have every single citizen working for the government hunting snipe.
on your network the more the terrorists will win right?
The patent was filed May 24, 2005. Googling for 'computer slow spyware 2004' gives 127,000 hits.
A pizza of radius z and thickness a has a volume of pi z z a
It is not just measuring speed of network; it apparently measures differences in speeds of different network layers, or types of network traffic. Network congestion generally affects all types of packets the same. Snooping presumably may take longer to identify certain types of packets.
Oh and a passive tap will only work with certain protocols, it can't work (or not easily) with Gigabit ethernet for example.
NSA: We are going to send more troops and guns!
Terrorist: Sure, bring 'em on... We'll be waiting and we'll fight to the death
NSA: No wait... We will PATENT things! Then we will send LAWYERS to you and get your for INFRINGEMENT!
Terrorist: Oh nooo! Not the LAWYERS! Have mercy, please! We surrender...
Sure, that will work..
To Terminate, or not to Terminate, that's the question - SCSIROB
The Network Snoop Is
MICROSOFT SOFTWARE BLOAT.
Now please return to regularly scheduled Homeland Security
Department Christmas shopping spree with MY FEDERAL
TAX DOLLARS.
Cheers,
Kilgore Trout
I was under the impression that anything produced by the government was in the public domain. Any lawyers here that can rebut or verify?
Free Martian Whores!
"NSAapp: Latency change detected in segment AA23. No idea what it might mean. Send the intern."
http://room.bogthistle.com - this is real...
I could think of a few possible prior art areas that may destroy this patent. There is one I'm not sure about. Does anyone remember what technique L0pht used (I think it was them) in the program they released to detect sniffers on an ethernet? That was a while back. Maybe it was the ARP technique, but I don't think it was? Here's a quick page I found, but I don't have time to look further:
http://cns.tstc.edu/cpate/LINUX/Linux_How2/Sniffers.htm
Looking at the article, (and having skimmed but not read all of the patent), isn't AntiSniff (released by DilDog of L0pht in 1999) using this technique? (Slashdot article, Aug '99)
Original tech paper was on l0pht.com (now defunct) - looks like archive.org doesn't have a mirror, here's the best copy I could find in Google: http://servv89pn0aj.sn.sourcedns.com/~gbpprorg/l0pht/antisniff/tech-paper.html
o/~ Join us now and share the software
How come I have the sneaky feeling, that if the NSA discovered anything really spectacular ... I wouldn't be reading about it on Slashdot?
"Cracking WPA2? No problem but it is patented by the NSA and documented by the USPTO" ... so you can read about it, but you have to license it from the NSA, if you want to use it.
That business model ought to work.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
How can a governmental agency hold patents anyway? Otherwise they wouldn't have any incentive to invent things that will eventually be useful to the public, or what?
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
There goes my patent on patenting network snoop detection so nobody can detect my snooping.
We figured out a long time ago that it's easier to elect seven judges than to elect 132 legislators.
Putting a regen fiber tap inline doesn't cause ANY latency difference...it's all physical layer optics. I can sniff your frames all day and you'll never know anything about it.
It's not like this would be the first time the US government came up with false positives...
Ah, a way to force disclosure of NSA documents!
Think of it as a way for the NSA to publish prior art without giving up any top secret status or saying when they first implemented it.
It is still a bit annoying that they get the patents starting at disclosure date rather than at filing date. Oh well, at least this way they might actually file instead of suppressing the tech via goons.
I don't think it's of any use to the average home user or small business. Too much weird stuff can happen on a run of the mill network. But, if you're someone like the NSA where every device is scrutinized closely and the network itself is managed tightly, an unexpected slow down at some layer of some stream of network traffic could be useful in finding a snoop... at the very least, it'll highlight potential bottlenecks in the network.
Dan Kaminsky's Blackhat US 2006 and 2007 talks (as I recall) mentioned using techniques similar to this to detect protocol based bandwidth throttling, and used it to detect P2P traffic shaping. I would personally say that this would work to detect a layer 2 man in the middle attack using something like ettercap. Or as Dan said, to detect some kind of inline intercept box on the network. In order to do that, you'd need to have a pretty good idea what the latency numbers should be to start with. In my experience, most networks of any size (1000+ users) couldn't even tell you if every SPAN port on their network was authorized and currently in use, so I don't think this technique is currently viable in industry. In highly controlled networks, like I assume classified networks are, this may be useful.
Spyder
It only works on copper 10/100 networks. Plugging into a GigE network will cause major problems, especially if you're plugging it in where there is likely good information to be sniffed (i.e. close to the location's POP/DMARC).
Yes, you can buy commercial taps for Gig, but I wonder if those would insert any delay into the network (both certainly do when you have to unplug the cables to plug in your tap...)
Grandpa: My Homer is not a communist. He may be a liar, a pig, an idiot, a communist, but he is not a porn star.
that randomly adds delay to each packet before rebroadcasting it...making it impossible to get a good bearing on the latency in the network once it's installed.
Is Mr Kaminsky now our go-to-guy on all matters of security?
I would imagine that the NSA method would take where the slow down occurred into account. If it's happening while you're dealing with interchangeable routes (i.e. before it hits your network, or the junction box at the bottom of the road) then chances are the problem is not the result of a targeted man in the middle attack. If it was, it would have to be one hell of an operation, tapping each possible route to the target.
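The localisation idea in the comment above, as an added example that is not from the patent, the article, or the commenter: per-hop round-trip samples along a path are turned into the delay each hop adds, and the first hop whose added delay rose well above its baseline jitter is reported together with whether that hop lies inside the managed network. The hop numbers, sample values, managed-hop set and the 4-sigma threshold are all constructed.

```python
"""Localise a latency increase to a hop (added example).

Cumulative RTT to each hop (traceroute-style) is converted to the increment
each hop contributes; a device inserted between hop N-1 and hop N raises the
increment of hop N and leaves later increments unchanged.
"""
from statistics import mean, pstdev

# Constructed baseline: cumulative RTT in ms per hop, hop 1 nearest the probe.
BASELINE_HOPS = {
    1: [0.3, 0.4, 0.3, 0.3, 0.4],
    2: [1.1, 1.2, 1.0, 1.1, 1.2],
    3: [5.0, 5.3, 4.9, 5.1, 5.2],      # last hop still inside our own network
    4: [12.0, 12.5, 11.8, 12.2, 12.4],  # upstream, routes interchangeable
}
MANAGED_HOPS = {1, 2, 3}  # constructed boundary of the tightly managed network


def per_hop_increments(hops):
    """Per-sample delay each hop adds over the previous hop.

    Samples are paired by index, so all hops in one dict need equal length.
    """
    inc = {}
    prev = [0.0] * len(next(iter(hops.values())))
    for h in sorted(hops):
        inc[h] = [cur - before for cur, before in zip(hops[h], prev)]
        prev = hops[h]
    return inc


def locate_slowdown(baseline, window, k=4.0, stdev_floor=0.1):
    """Return (hop, inside_managed_network) for the first hop whose added
    delay exceeds its baseline mean by k standard deviations, or
    (None, False) if no hop moved."""
    base = per_hop_increments(baseline)
    now = per_hop_increments(window)
    for h in sorted(base):
        m, s = mean(base[h]), max(pstdev(base[h]), stdev_floor)
        if mean(now[h]) - m > k * s:
            return h, h in MANAGED_HOPS
    return None, False


if __name__ == "__main__":
    # Constructed window: 2 ms appeared between hop 2 and hop 3, so every
    # hop from 3 onward is slower but only hop 3's increment grew.
    window = {h: v[:] for h, v in BASELINE_HOPS.items()}
    for h in (3, 4):
        window[h] = [x + 2.0 for x in window[h]]
    print(locate_slowdown(BASELINE_HOPS, window))  # (3, True)
```

A hit inside the managed set is the case the commenter considers worth treating as a possible interposed device; a hit beyond it lands on routes the operator does not control and is far more plausibly ordinary path variation.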
Nice one NSA, sounds interesting.
from "Borging" an existing/profitable patent; licensing out the technology. Then using said profits to fund non-budget allocated black projects. Since the patent office will side with the NSA already.
I'm just sayin'...
You know, kinda like RAMBUS except instead of black projects; you use lines of cocaine for executives.
Or maybe in 1861? Because the idea you were referring to the American Revolution is a bit of a chuckle.
You better watch out, there may be dogs about . .
what if my connectivity just plain sucks on my wireless router?
Frank Herbert wrote about this idea in 1977.
I don't know what GP was referring to but why is referring to the american revolution a chuckle in this context?
Because you don't see it happen? Well, then doesn't that prove his point that the government apparently does some things right?
is laughable at this point. . . the last REAL insurrection was the Civil War and it was put down with extreme prejudice. Expect the same for more, which is why the whole idea of threatening revolution is amusing.
Well, GP didn't talk about a threat, maybe check your reading comprehension?
In fact, GP argued that the lack of tendencies towards a revolution in our spoiled society indicates that the government can't be *that* bad after all.
That would be news to Justus von Liebig in 1835, who perfected the silvering of glass to make them affordable!
This process sounds (to me) a lot like the NEWS plug-in for Azureus/Vuze. It measures network speed and latency and compares it to peers in order to try to detect filtering/shaping.
There's an old saying that says pretty much whatever you want it to.
It's more useful for closed networks between various locales. For open networks you would need to time the end-points so traffic overhead doesn't interfere. It wouldn't work so well if you were going to test your home workstation to the corporate office over layers of wifi, network, internet, corporate, to network... etc... I still don't get why the NSA would need to patent something that seems very simple. Maybe it's a hint... lol.
If the gov't only did bad, well we know what happened the last time we got really pissed at our gov't.
My point was the last few times the gov't did really bad (Civil War the most notable) the revolt was shut down with extreme prejudice by said government. Arguing that "since we haven't had a revolution in a while it can't be all bad" is a little amusing, don't you think?
The idea that "if things get so bad, we'll revolt!" is amusing because it's a naive position, uninformed by previous attempts to wrest power from the state. If you have to explain it, etc
Anyone else recall a similar methodology for detecting packet sniffing released years ago by The L0pht?
But IOActive security researcher Dan Kaminsky wasn't so impressed: 'Think of it as -- if your network gets a little slower, maybe a bad guy has physically inserted a device that is intercepting and retransmitting packets. Sure, that's possible. Or perhaps you're routing through a slower path for one of a billion reasons.'"
It's either flawless or worthless, right, Danny?
What a series of tubes...
As a government agency, I didn't think they could copyright or patent things because it is done with taxpayer money.
"Back in 2005, the same NSA inventor, Michael Reifer, and a colleague were granted a patent called 'Method for Geolocating Logical Network Addresses'... It was a technique for matching IP addresses to physical geographical locations, based solely on packet timing information. One hurdle for geolocating IP addresses using this technique is that content filters, firewalls and other devices can add to the latency time of a route, thus skewing the results and diminishing the accuracy. Furthermore, attackers could intercept and retransmit traffic, also skewing results. To effectively geolocate an IP address, the NSA would need more information about the devices on the path.
"Enter last week's patent by the same inventor, 'Method of detecting an intermediary communication device,' (Michael Reifer). This new patent is built on the same general technique- it uses timing information alone to detect stepping stones on a path, and identify their functions. Using this second patent in conjunction with the first, the NSA could track Internet users with better accuracy, and also maintain an increasingly comprehensive map of Internet topology and devices."
http://philosecurity.org/2008/12/29/nsa-another-blow-against-internet-anonymity