NSA Patents a Way To Spot Network Snoops

narramissic writes "The National Security Agency has patented a technique for figuring out whether someone is messing with your network by measuring the amount of time it takes to send different types of data and sounding an alert if something takes too long. 'The neat thing about this particular patent is that they look at the differences between the network layers,' said Tadayoshi Kohno, an assistant professor of computer science at the University of Washington. But IOActive security researcher Dan Kaminsky wasn't so impressed: 'Think of it as — if your network gets a little slower, maybe a bad guy has physically inserted a device that is intercepting and retransmitting packets. Sure, that's possible. Or perhaps you're routing through a slower path for one of a billion reasons.'"

Averages

[Yvan256]

Of course there can be a billion reasons as to why some packets will take longer than others to reach their destinations.

However, if you do enough sampling over a period of time, you can make averages and see if some types/destinations of packets are possibly being messed with.

It's not perfect, but neither are averages in general, etc.

What makes it newsworthy is that such a simple idea was granted a patent.

Re:Averages

[mr_mischief]

In an all-switched network that has any chance of being secure, a hub is a snooping device.

How was the mountain of prior art missed?

[Andy_R]

The patent was filed May 24, 2005. Googling for 'computer slow spyware 2004' gives 127,000 hits.

Re:NSA patenting it because...

a simple linux box with a listen only cable plugged in

Would not alter the packet delay, but inserting

a small hub in a key location

to a network that didn't have one before would. And yes, the delay is noticeable, which is why proper network design limits the number of hubs as well as the length of the longest run in a single network segment.