An Education In Deep Packet Inspection

← Back to Stories (view on slashdot.org)

An Education In Deep Packet Inspection

Posted by kdawson on Tuesday April 7, 2009 @09:24AM from the opening-all-the-envelopes dept.

Deep Packet Inspection, or DPI, is at the heart of the debate over Network Neutrality — this relatively new technology threatens to upset the balance of power among consumers, ISPs, and information suppliers. An anonymous reader notes that the Canadian Privacy Commissioner has published a Web site, for Canadians and others, to educate about DPI technology. Online are a number of essays from different interested parties, ranging from DPI company officers to Internet law specialists to security professionals. The articles are open for comments. Here is the CBC's report on the launch.

126 comments

Min score:

Reason:

Sort:

Deep inspection up your authorities by b0ttle · 2009-04-07 09:28 · Score: 5, Funny

How would the authorities like to be deep inspected?
1. Re:Deep inspection up your authorities by Anonymous Coward · 2009-04-07 09:39 · Score: 3, Funny
  
  How would the authorities like to be deep inspected?
  If there's a Slashdot achievement for getting a +5 on a Goatse link, you just missed your chance at it.
2. Re:Deep inspection up your authorities by causality · 2009-04-07 09:39 · Score: 4, Insightful
  
  How would the authorities like to be deep inspected?
  That's a good question.
  
  This summary mentions education about deep packet inspection. To me that's a very simple thing that boils down to a few questions:
  
  Do you want your ISP and potential unknown/unaccountable parties to be able to easily monitor, intercept, and record some or all of your Internet traffic? Do you want profiles built on this information that will compromise your privacy and could be used to serve advertisements or to micromanage your Internet usage? Do you feel like QoS, which will be the given reason/excuse, is such a good and desirable thing that it's worth all of these disadvantages?
  
  Like so many things that are not the result of overwhelming customer demand, this is a bad idea that is open to all sorts of abuse.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
3. Re:Deep inspection up your authorities by memorycardfull · 2009-04-07 09:43 · Score: 4, Funny
  
  When Larry Craig taps his foot that means he is up for a deep inspection if you are...
4. Re:Deep inspection up your authorities by Anonymous Coward · 2009-04-07 10:03 · Score: 4, Insightful
  
  it's just going to push more and more protocols to use TLS wrappers and to use random "legit looking" ports (like 20, 21, 80, 443, 110), a la Skype and most IM clients nowadays Good luck deep inspecting that crap
5. Re:Deep inspection up your authorities by RiotingPacifist · 2009-04-07 10:03 · Score: 1, Informative
  
  It wouldn't be the first time somebody got +5 for linking to goatsem im just waiting for the editors to let it slip into a summary.
  
  --
  IranAir Flight 655 never forget!
6. Re:Deep inspection up your authorities by causality · 2009-04-07 10:08 · Score: 4, Insightful
  
  it's just going to push more and more protocols to use TLS wrappers and to use random "legit looking" ports (like 20, 21, 80, 443, 110), a la Skype and most IM clients nowadays Good luck deep inspecting that crap
  
  That's true. You'd think that "spam vs anti-spam measures" alone or "windows viruses vs windows virus scanners" alone would have taught us, by now, how to recognize an arms race when we're about to start one. This is what I mean when I say that our culture does not value foresight.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
7. Re:Deep inspection up your authorities by sexconker · 2009-04-07 10:24 · Score: 2, Funny
  
  Our culture doesn't value foreskin either (aside from grinding it up for use in cosmetics).
  Such a thought is sure to put any intact man in your position, causality.
8. Re:Deep inspection up your authorities by HTH+NE1 · 2009-04-07 10:31 · Score: 4, Interesting
  
  Do you want your ISP and potential unknown/unaccountable parties to be able to easily monitor, intercept, and record some or all of your Internet traffic? Do you want profiles built on this information that will compromise your privacy and could be used to serve advertisements or to micromanage your Internet usage? Do you feel like QoS, which will be the given reason/excuse, is such a good and desirable thing that it's worth all of these disadvantages?
  
  The Internet will become more like an airport: all your packetages will be subject to inspection without need for a warrant or probable cause and denied travel accordingly.
  
  --
  Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
9. Re:Deep inspection up your authorities by memorycardfull · 2009-04-07 10:47 · Score: 1, Redundant
  
  I got "Troll" for this? I'm honestly sorry if I offended someone, just trying to make a joke...
10. Re:Deep inspection up your authorities by memorycardfull · 2009-04-07 11:52 · Score: 1, Offtopic
  
  I got "Redundant" for this? I wasn't repeating myself, just trying to be polite...;)
11. Re:Deep inspection up your authorities by davidsyes · 2009-04-07 12:34 · Score: 2, Insightful
  
  HAHA... this reminds me of the circa 1997/98 near-bust (or was it an actual bust?) of a famous sports player who got caught up in a Mountain View Police raid on a "massage parlor". His plea to the cops to not be cited or charged was that he wasn't there having sex; he was getting "deep tissue therapy"....
  In hind site, umm, hind SIGHT, ummm, hell, RETROspect, this may have been a form of "deep PACK IT" inspection. If things were non-condomnable, it might have ended up as a 32-bit insemination, vice inscription....
  AND, 32-bit inscription me of CNET Radio, in 99 or 2000 when Desmond Crisis (IIRC) got a call from a lady who had problems with technology. She said something like, "The instructions told me i need a system capable of 32-bit inscription..." Desmond said, "No, Mary, that's 32-bit enCRYPtion. 32-bit inSCRIPtion would be, 'The Lord is my Shepherd'", LOL
  Wow, amazing how all this ties into vices (sex, sportsballers & cops) & biblical things and radio....
  
  --
  Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
12. Re:Deep inspection up your authorities by severoon · 2009-04-07 12:39 · Score: 2, Insightful
  
  Is it time for strong encryption of packet payloads yet? ssh? Ostiary? However it goes, I'm good...just need to know the new standard for basic web browsing...
  
  --
  but have you considered the following argument: shut up.
13. Re:Deep inspection up your authorities by spazdor · 2009-04-07 14:10 · Score: 1
  
  And I am in this thread too!
  
  --
  DRM: Terminator crops for your mind!
14. Re:Deep inspection up your authorities by Anonymous Coward · 2009-04-07 14:25 · Score: 0
  
  Check out Bluecoat Systems, http://www.bluecoat.com/. In any sufficiently important organization (state, government, ISP, HUGE company), they can mandate hidden proxies from Bluecoat systems. Unless you are extremely diligent and verify the cert **every time**, your company may proxy SSL connections and your browser will still show an encrypted connection, just not directly from the site the user thinks. BTW, the product is NOT listed on the website.
  A large US-based telecom/ISP deployed DPI in 2006. I don't recall there being any headlines about it.
15. Re:Deep inspection up your authorities by Anonymous Coward · 2009-04-07 15:27 · Score: 0
  
  You can only proxy SSL connections if you can install a trusted CA on the client. If you control the local trust of CAs, and don't simply ignore the warnings that essentially every SSL/TLS system provides by default, MitM is not plausible.
16. Re:Deep inspection up your authorities by Anonymous Coward · 2009-04-07 15:47 · Score: 2, Funny
  
  That's why the rest of us, knowing we're posting off-topic to complain about moderation of our posts will do so anonymously, and make the criticism of the moderation sound like it's coming from an impartial third party. :p
17. Re:Deep inspection up your authorities by Anonymous Coward · 2009-04-07 22:06 · Score: 0
  
  shut the fuck up
18. Re:Deep inspection up your authorities by Anonymous Coward · 2009-04-08 01:24 · Score: 0
  
  Free-as-in-beer (or at least really cheap) SSL certificates are easy to acquire and install in your web server of choice...
19. Re:Deep inspection up your authorities by Anonymous Coward · 2009-04-08 02:38 · Score: 0
  
  Actually, they take removed foreskins and grow them into skin grafts for burn victims.
20. Re:Deep inspection up your authorities by Hatta · 2009-04-08 02:38 · Score: 1
  
  Apparently it's going to push more people to use fixed width fonts too.
  
  --
  Give me Classic Slashdot or give me death!
21. Re:Deep inspection up your authorities by Anonymous Coward · 2009-04-08 03:07 · Score: 0
  
  The modz are in ur posts killing ur karmaz!
22. Re:Deep inspection up your authorities by sp3cialk79 · 2009-04-08 06:53 · Score: 1
  
  Actually lots of DPI product can detect all that, we inspect Application Layer stuff, down to the signature. Yes Skype can be a little tricky detecting but its getting better at narrowing it down. Specially when you have ISPs like telstra not allowing skype on their network. Is a scary world out there.
23. Re:Deep inspection up your authorities by Mozk · 2009-04-08 07:14 · Score: 1
  
  Actually, they take removed foreskins and grow them into skin grafts for burn victims.
  My neighbor got burns on his scalp and had that done. The funny thing is that his name was already Mr. Forehead.
  
  --
  No existe.
24. Re:Deep inspection up your authorities by HTH+NE1 · 2009-04-08 07:40 · Score: 1
  
  It wouldn't be the first time somebody got +5 for linking to goatsem im just waiting for the editors to let it slip into a summary.
  If the AP believes so strongly that aggregation steals their content instead of drives more visitors to them, they may yet resort to using Referrer headers to make off-site links to their stories redirect to goatse.
  
  --
  Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
25. Re:Deep inspection up your authorities by Anonymous Coward · 2009-04-08 17:05 · Score: 0
  
  Selling something like that as "The Internet" is consumer fraud and deceptive advertising. Network Neutrality is an integral aspect of what makes that network what we know as "The internet".
26. Re:Deep inspection up your authorities by Hurricane78 · 2009-04-09 13:16 · Score: 1
  
  Well, I already run an OpenVPN tunnel to a ...ehem... unrelated server of mine, registered in some offshore island, by some company that is... ehem... not mine...
  Not that expensive, and that server keeps no logs of my activity at all, and runs everything you can imagine. SElinux, IDN, DPI-firewall, honeypot, remote security audits and so on. Of course bribing the government keeps foreign inquirers off my back. They have a vivid business down there, based on being able to trust that they don't give foreign questioners your data. They are not going to fuck that business up anytime soon. ^^
  
  --
  Any sufficiently advanced intelligence is indistinguishable from stupidity.
27. Re:Deep inspection up your authorities by Hurricane78 · 2009-04-09 13:18 · Score: 1
  
  Oh, and, yeah. My e-mail address and everything else go trough that pipe too. Everything's fake. So in case you thought you are a wise crack for pointing out that I did not post anonymously: I simply don't need to. :)
  
  --
  Any sufficiently advanced intelligence is indistinguishable from stupidity.
28. Re:Deep inspection up your authorities by lsatenstein · 2009-04-11 17:06 · Score: 0
  
  Do you think that the ISPs can be thwarted, if each email or send packet contains the keywords that they are using as a trigger. Suppose they trigger on Bomb, then everyone who sends an email should contain this word. I am sure that every hour they would be able to analyse 3 or 4 million emails with the word bomb. So much for DPI.
  
  --
  Leslie Satenstein Montreal Quebec Canada
29. Re:Deep inspection up your authorities by severoon · 2009-04-13 06:41 · Score: 1
  
  What company does this? Sign me up...
  
  --
  but have you considered the following argument: shut up.
The description's a little "excited" by davecb · 2009-04-07 09:30 · Score: 4, Insightful

It's a hacky technology to implement QOS because folks don't like setting the QOS bits and protocol in the headers. Usually because some Microsoft firewall only allows http on port 80 (;-))
It's the use of it by the famous "men of good will but little understanding" that is bad, plus of course the use of it by men of ill will.
--dave

--
davecb@spamcop.net
1. Re:The description's a little "excited" by causality · 2009-04-07 09:46 · Score: 4, Insightful
  
  It's the use of it by the famous "men of good will but little understanding" that is bad, plus of course the use of it by men of ill will.
  
  The former category is much more dangerous. At least most people recognize ill-will when they see it. By far people with good intentions and no comprehension of the "law of unintended consequences" do more damage to the world than do people with openly evil intentions.
  
  No politician ever increased state power by saying "I'd like to see this nation become a totalitarian state and you should support me because this law will bring it closer to that goal." They do it by saying "this is for your safety" or "this is to stop terrorism" and the people who mean well and don't understand the damage they can do will eagerly eat that shit up. That's true whether or not the politician himself believes anything he is saying.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
2. Re:The description's a little "excited" by Ungrounded+Lightning · 2009-04-07 10:18 · Score: 4, Interesting
  
  As I understand it:
  ISPs don't implement the QoS (Type of Service) field because (back before THEY needed it for services) Microsoft deployed an IP stack in Windows that "improved" their own file transfers and other IP traffic by demanding high QoS for everything.
  Because of that (and the threat of bad guys cheating) the ISPs don't trust the field when coming from a customer. So there wasn't a strong driver for implementing QoS in the ISPs and backbone
  IMHO the right solution is for ISPs to:
  - Write service level agreements that guarantee a certain bandwidth of high QoS traffic - for the whole feed to the customer, not per flow.
  - Start honoring the ToS field and policing the data rate at the edge router, and
  - When a packet would be dropped for exceeding the data rate for the enhanced service, instead REWRITE THE ToS FIELD for best-effort delivery (or whatever lower service level seems appropriate) and try to forward it under those terms.
  That way:
  - The ISP doesn't have to classify the flow according to traffic type to give the user high QoS for his critical services.
  - The ISP doesn't have to do a packet-recombine if the packet is fragmented to identify the flow for the trailing fragments (which don't carry the TCP/UDP port number).
  - The user / application can specify what special handling he / it wants.
  - Applications that try to "cheat" can only do so up to the bandwidth cap for the special handling. (But the user paid for that. So he can use his bandwidth for whatever he wants. It's not "cheating" any more.)
  - Excess traffic will still go through as well as it does now.
  - A "cheating" application WILL hurt the user's own really-needs-high-QoS service, giving users and applications providers an incentive not to request excessive QoS. (But it won't hurt ANYBODY ELSE's traffic.)
  - Authors of applications that need high QoS will have an incentive to specify it, since doing so will work.
  
  --
  Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
3. Re:The description's a little "excited" by Red+Flayer · 2009-04-07 11:00 · Score: 2, Interesting
  
  No politician ever increased state power by saying "I'd like to see this nation become a totalitarian state and you should support me because this law will bring it closer to that goal." They do it by saying "this is for your safety" or "this is to stop terrorism" and the people who mean well and don't understand the damage they can do will eagerly eat that shit up. That's true whether or not the politician himself believes anything he is saying.
  Well, that brings up an interesting philosophical question -- assuming the politician in charge IS evil, who, actually, is responsible for the evil of the totalitarian state? Do the people cause the harm, by supporting the disingenuous politician? Or does the evil politician cause the harm?
  
  I'd say the evil politician causes the harm, because but for his actions, the harm would not happen. Ability to prevent harm, and lack of exercise of that ability due to good intentions, does not imply responsibility for causation -- the people who mean well and don't understand the implications are not the cause of the harm.
  
  That doesn't mean that failure to understand the ramifications is an excuse, it just means that the actual cause should be attributed to the person of bad will, not to the people of good will and little understanding.
  
  --
  "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
4. Re:The description's a little "excited" by Anonymous Coward · 2009-04-07 11:22 · Score: 2, Insightful
  
  Meaning well does not remove you from the causation of harm.
  Example:
  Just because I don't understand that shooting someone with a gun can kill them doesn't mean I didn't cause that person to die. It just means I am an ignorant fool who killed someone.
  Then again if you follow the train back far enough we can just blame *insert how you think the world came about here* for all evil.
5. Re:The description's a little "excited" by causality · 2009-04-07 12:04 · Score: 4, Insightful
  
  Then again if you follow the train back far enough we can just blame *insert how you think the world came about here* for all evil.
  That's why it makes more sense to look at it in terms of enablers who could have chosen differently. The people could study statecraft and propaganda techniques. They could study dictatorships like the Third Reich or Italy under Mussolini to learn how these leaders came to power by preying on the desperation and the weaknesses of the people. They can familiarize themselves with the sorts of excuses and justifications that are given for the expansion of state power. They can learn argumentation and research so that they are equipped to investigate things on their own instead of requiring that premade conclusions be spoonfed to them. In short, they can shed the naivete and the ignorance that must be present before such horrors can arise.
  
  Any literate adult with Internet access can do all of these things. The only obstacle they could encounter would be their own laziness or unwillingness. I would say that we have a responsibility to do these things because everything that is good about the way of life that we presently enjoy depends on an informed citizenry. Our civilization is on the decline because people think this does not apply to them, or they think that someone else will take care of it, or they think that the latest celebrity-worship is more important.
  
  The evil politicians are like organisms in an environment. The environment in which they thrive consists of ignorant people who are far too naive and trusting and do not guard themselves against being deceived. If you set up this sort of environment, those organisms will appear in it and will prosper. Thus, I believe it is the people and their ignorance and lack of priorities that are far more to blame, for they provide fertile soil without which this organism could never succeed. It should be assumed that evil men will come along who will try to take advantage of our way of life to suit their selfish purposes. We should be prepared for this and well-able to deal with it by never rewarding it with the power it seeks to have. We are not. We think our enemies are our friends because they know how to tell us what we want to hear. That is the problem.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
6. Re:The description's a little "excited" by Dataovercable · 2009-04-07 12:44 · Score: 1
  
  Brilliant! Just Brilliant.... Anybody poke a hole or two in this yet? JR
7. Re:The description's a little "excited" by Anonymous Coward · 2009-04-07 15:25 · Score: 1, Insightful
  
  You, my friend, do not understand human nature.
8. Re:The description's a little "excited" by BigMeanBear · 2009-04-08 00:08 · Score: 1
  
  Let me get this straight.
  You propose that ISP's should count packets tied to a subscriber account in such a real-time fashion as to put this logic to use in rewriting the packet headers in-transit?
  Once you're done actually building a system even capable of that, how do you keep such a bad-ass future network from becoming Skynet?
  Real-time accounting is hard enough--having the networking devices actually make decisions about header mangling based on that accounting on a packet-by-packet basis is not something that exists yet and isn't going to invent itself for free or cheap.
  
  --
  += E
9. Re:The description's a little "excited" by locallyunscene · 2009-04-08 01:19 · Score: 1
  
  Wouldn't this still destroy network neutrality? All the customers that have "nothing to hide" and have their packets deep inspected so they can be "more efficiently routed"(true is most cases to be sure, but opens the door to:"you meant to go to the that search engine? Sorry, but all our packets redirect to this search engine because it provides better QoS") and all the "free" customers would be stuck with the bandwidth leftovers.
10. Re:The description's a little "excited" by Chelloveck · 2009-04-09 01:01 · Score: 1
  
  Sorry, it ain't gonna work. You're still trusting the end-user to set the QoS properly. That's just not going to happen. Even someone with good intentions who wouldn't otherwise try to subvert the system is going to get suckered into using a "web accelerator" that munges the QoS. And then he's going to complain about crappy VoIP quality, because he doesn't know he used up all his high-quality allocation downloading a torrent of the Star Wars Holiday Special.
  Any system which relies on the cooperation of the user to declare the relative importance of the packets is going to get abused beyond hope.
  
  --
  Chelloveck
  I give up on debugging. From now on, SIGSEGV is a feature.
21st Century Government Work by mrbene · 2009-04-07 09:36 · Score: 5, Informative

Taking a quick look through the content at the government site, I must say I'm surprised. CC licensed content, links to external resources, a collection of international points of view. I'd be truly impressed if they'd managed to get all these folks in a room together.
Regardless, kudos to Canada for hitting the 21st century.
And I was doubly impressed to notice the absence of web beacons / analytics scripts.
1. Re:21st Century Government Work by snowraver1 · 2009-04-07 09:41 · Score: 4, Informative
  
  Judging by the things that I have viewed by the Gov't of Canada, that seems par for the Course.
  
  --
  Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
2. Re:21st Century Government Work by Nerdfest · 2009-04-07 09:51 · Score: 3, Funny
  
  Well, we do have other problems. ACTA is still on the table, and Bill C-61 is about to pop up again soon. We've recently been blamed by the US as the major source of film piracy.
  
  It's also snowing.
3. Re:21st Century Government Work by Anonymous Coward · 2009-04-07 09:56 · Score: 2, Funny
  
  We've recently been blamed by the US as the major source of film piracy.
  I thought that was China...
  no wait.. its Russia...
  Can they ever get their facts straight?
4. Re:21st Century Government Work by JO_DIE_THE_STAR_F*** · 2009-04-07 10:00 · Score: 1
  
  Canada Strong and Free
  This kind of open and honest debate is what makes me proud to be Canadian. The Office of the Privacy Commissioner of Canada seems to 'get' the technology of DPI and why we should be concerned about it.
  On a side note I'm not so proud of the dirty oil being produced here in Alberta. But, at least no one is being killed for our oil. - well except for migratory birds.
5. Re:21st Century Government Work by Anonymous Coward · 2009-04-07 10:02 · Score: 0
  
  Speaking in heavy generalities, the distinguishing characteristic of Canada is a history of Consensus rather than Conflict. It hasn't been applied perfectly by any means, but the result has been we tend to shoot at each other over minor and major issues a lot less than most countries, and less than any other country I can think of that is such a non-homogeneous mix. An aspect of this difference is our government information services tend to be informative, rather than promotive.
6. Re:21st Century Government Work by bencoder · 2009-04-07 11:17 · Score: 4, Funny
  
  Can they ever get their facts straight?
  What are you talking about? Everyone knows it's the terrorists. It's always been the terrorists. We will fight them with our allies: Canada, China and Russia.
7. Re:21st Century Government Work by PReDiToR · 2009-04-07 20:56 · Score: 1
  
  Yes, but there was never a time when we weren't at war with Eurasia.
  
  I defy you to find a reference to it anywhere in history!
  
  And don't give me that "here is some paper that proves it" crap, everyone knows that paper can be counterfeited. Only the internet can be believed.
  
  --
  
  Do not meddle in the affairs of geeks for they are subtle and quick to anger
obligatory by Dan667 · 2009-04-07 09:46 · Score: 5, Funny

inspect this! ... askjdkasjdlajsldkjaskl djaksjdklasjdklajsldaskljdaljdaslkdjalkdjalsdj ... \
1. Re:obligatory by Em+Emalb · 2009-04-07 09:52 · Score: 5, Funny
  
  I did not know you could do that with a kielbasa, you dirty, dirty young man.
  
  --
  Sent from your iPad.
2. Re:obligatory by Em+Emalb · 2009-04-07 10:13 · Score: 2, Funny
  
  Oh come the fuck on, what it is with retards with mod points?
  That was a troll?
  No, not in the slightest. A troll would be me suggesting that whomever moderated the above as troll go fondle themselves with a razor blade while watching their mother sate the insane raging lust of a Brahma bull.
  the above was a joke...*sigh*
  
  --
  Sent from your iPad.
3. Re:obligatory by Dan667 · 2009-04-07 10:15 · Score: 1
  
  I took it as a joke. Oh well.
4. Re:obligatory by ushdfgakj · 2009-04-07 11:56 · Score: 1
  
  I don't think you understand what constitutes trolling.
Deep Inspection is not the Problem by rob_benson · 2009-04-07 09:52 · Score: 4, Insightful

D.I. is neither good or bad, it is the illegal or immoral application of the technology that is the problem. I really am amazed that no-one on a technology site noted that the heart of the debate on net neutrality is free speech, not deep inspection.
1. Re:Deep Inspection is not the Problem by causality · 2009-04-07 09:55 · Score: 3, Insightful
  
  D.I. is neither good or bad, it is the illegal or immoral application of the technology that is the problem.
  It's a technology that almost no one wants except for those who are in a position to abuse it. That makes it difficult or impossible to view it as a "neutral" thing.
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
2. Re:Deep Inspection is not the Problem by 99BottlesOfBeerInMyF · 2009-04-07 10:09 · Score: 4, Insightful
  
  It's a technology that almost no one wants except for those who are in a position to abuse it. That makes it difficult or impossible to view it as a "neutral" thing.
  I've seen quite a few "good" uses of DPI, from filtering out content trying to contact worm control channels to gathering statistics on Web site usage for academia. You can use DPI to slow down traffic going to any video hosting site not paying you a kickback or you can use it to filter out a DDoS attack on one of your network's clients. The technology is useful today, but we do need legislation to keep it from being abused.
3. Re:Deep Inspection is not the Problem by myVarNamesAreTooLon · 2009-04-07 10:13 · Score: 1
  
  D.I. is neither good or bad, it is the illegal or immoral application of the technology that is the problem.
  It's a technology that almost no one wants except for those who are in a position to abuse it. That makes it difficult or impossible to view it as a "neutral" thing.
  What about this? http://dpi.priv.gc.ca/index.php/what-is-deep-packet-inspection/
  
  DPI has been used for several years to maintain the integrity and security of networks, searching for signs of protocol non-compliance, viruses, malicious code, SPAM and other threats.
  Are you suggesting people don't want a less SPAMy, more secure internet? There's more to it than "oh noes, the isp's are spying my internets!"
  
  I'm not saying I want them to, there's just more to it than some people realize.
4. Re:Deep Inspection is not the Problem by causality · 2009-04-07 11:06 · Score: 1
  
  D.I. is neither good or bad, it is the illegal or immoral application of the technology that is the problem.
  It's a technology that almost no one wants except for those who are in a position to abuse it. That makes it difficult or impossible to view it as a "neutral" thing.
  What about this? http://dpi.priv.gc.ca/index.php/what-is-deep-packet-inspection/
  
  DPI has been used for several years to maintain the integrity and security of networks, searching for signs of protocol non-compliance, viruses, malicious code, SPAM and other threats.
  Are you suggesting people don't want a less SPAMy, more secure internet? There's more to it than "oh noes, the isp's are spying my internets!" I'm not saying I want them to, there's just more to it than some people realize.
  You and another person suggested using it to thwart spam or worm attacks. I am replying to you since the other person was more reasonable. That is, he did not say "are you suggesting people don't want a less spamy [sic], more secure internet" as though that's the same thing as criticising another wrong solution that cannot solve our problems. The way you did that reminds me of people who say "you mean you don't want to be safe from terrorists?" when you point out that it's wrong to infringe on civil liberties. It's an intimidation tactic that's designed to shut down healthy debate. It won't work on me or anyone else who can see that for what it is.
  
  I am not a fan of "solutions" that don't address the actual causes of problems. They inevitably open up more problems, many of which can be unanticipated. It may be obvious, but we should get one thing out of the way: the presence of many insecure Windows machines is what enables the modern spam problem and the modern malware problem. If I ever see successful worms thriving "in the wild" for Unix-like operating systems, I'll gladly revise that statement, but for now, that's the reality.
  
  The solution to that is to secure those Windows machines. Any other proposed solution is aimed at symptoms of the problem and not the actual problem which is why it will fail. Whether the users should secure those machines by obtaining a clue or whether Microsoft should do that as part of taking care of its customers is the debatable part. This is the part I want to emphasize: nothing other than securing those insecure machines, and perhaps their users, is going to solve this problem. Our efforts and our ability to create novel solutions should be directed towards that goal. Deep packet inspection is a network operation and does not constitute host security. What you are referring to there is damage control, which is about detection and containment. It is emphatically not security, which is about prevention.
  
  If you start using DPI to target spam and worms, you'll run into all of the problems we currently have with filters and virus/malware scanners. The reason why there is not a final ultimate solution for those problems is that this approach does not address the real cause. It only treats the immediate symptoms of that cause. That's why there isn't going to be a final ultimate solution to those problems. What you will end up with is an arms race where it will be a contest between those who maintain the DPI systems and those who produce spam and malware. The contest will consist of how quickly spammers and malware authors can modify their traffic to be "missed" by the DPI filters and at some point will also consist of how well they can disguise their traffic to make it look legitimate. To be successful, the DPI filters would need to catch every possible spam/malware pattern; to be successful, the attackers would only need to find one that was missed. Thus, this scenario favors the attacker.
  
  The arms race that this will trigger is predictable be
  
  --
  It is a miracle that curiosity survives formal education. - Einstein
5. Re:Deep Inspection is not the Problem by AK+Marc · 2009-04-07 11:30 · Score: 1
  
  It's a technology that almost no one wants except for those who are in a position to abuse it.
  
  It's a technology that everyone except abusers should love, if used well. Think of it this way, when congestion happens, something must be dropped. So, what do you drop? Do you drop random packets? Or do you identify someting that's drop-tolerant and delay-tolerant and drop those first (up to some point where you'll be dropping more)? Personally, I'd think that people would be happy that their VoIP is prioritized over their bittorrent and FTPs. Oh, sure, they have to wait a couple minutes longer for a download to have low-latency and drop-free calls, but that is worth it, right?
  
  --
  Learn to love Alaska
6. Re:Deep Inspection is not the Problem by Anonymous Coward · 2009-04-07 13:42 · Score: 1, Insightful
  
  "Do you drop random packets? Or do you identify someting that's drop-tolerant and delay-tolerant and drop those first?"
  There's no need to look into the packet to tell what the priority should be. Check the header, and see what priority the user gave it, but limit the amount of "high priority" traffic per user if there is congestion. The user doesn't gain anything by "cheating" and labeling their bittorrent or FTP as high priority - all they'll do is hurt their VoIP or streaming video.
  The TCP headers already have a priority field, which is easy to check and is fair. Why would you want to implement a CPU intensive, privacy-violating scheme like DPI to get around that? Only makes sense if you're a marketer, or in the business of selling expensive routers.
7. Re:Deep Inspection is not the Problem by rob_benson · 2009-04-07 14:31 · Score: 2, Insightful
  
  I use it for worm control and attack detection on a corporate network: nothing wrong with that at all. It is completely untrue that the only application of DI is for spying or nefarious activity. Its like blaming bit torrent protocol for piracy. Again, it is use of the tool that is the problem.
8. Re:Deep Inspection is not the Problem by Anonymous Coward · 2009-04-07 14:36 · Score: 1
  
  The post office reading every letter mailed is the modern day equivalent to DPI.
  How in the bloody fuck can you say the post office reading every delivered letter on any terms is good at ANY time for ANY reason?
  DPI is the same, there is no legit usage for this tech NONE AT ALL.
9. Re:Deep Inspection is not the Problem by smash · 2009-04-07 21:32 · Score: 1
  
  Why would you want to implement a CPU intensive, privacy-violating scheme like DPI to get around that?
  
  So you'll happily let my malware through at high priority, simply because it puts a high priority in its TCP header?
  Cheers dude.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
10. Re:Deep Inspection is not the Problem by Hatta · 2009-04-08 02:43 · Score: 1
  
  It's a technology that everyone except abusers should love, if used well.
  Of course. If you don't have anything to hide, you have nothing to fear.
  
  --
  Give me Classic Slashdot or give me death!
11. Re:Deep Inspection is not the Problem by Anonymous Coward · 2009-04-08 18:23 · Score: 0
  
  Casuality I have to disagree with you.
  DPI works at mitigating the spread of worms etc not because they have definitions for the worms but because there are definitions for LEGIT traffic. If you have a company that uses web, email, ftp, rtp or whatever list of apps, you create definitions for them, guarantee them bandwidth/priority and then you can give whatever else to the scavenger traffic or drop it altogether. So it is not the same thing as an 'arms race' between AV and Malicious Coders because the programmers of DPI modules don't give a rats ass about virus X. That is going to fall under traffic that is NOT going to be inspected and dropped.
  I really like how you act like you know what you're talking about though. It's funny.
Deep Panty Inspection by SirBitBucket · 2009-04-07 09:54 · Score: 5, Funny

Oh, must be in the wrong thread...
Encryption stops this correct? by koan · 2009-04-07 09:56 · Score: 4, Insightful

Doesn't a good encryption system stop DPI from giving any useful information?

--
"If any question why we died, Tell them because our fathers lied."
1. Re:Encryption stops this correct? by gsgleason · 2009-04-07 10:00 · Score: 5, Informative
  
  Yes. If using ssl to secure whatever application is in question, they cannot see past the transport layer.
2. Re:Encryption stops this correct? by BitterOak · 2009-04-07 10:07 · Score: 4, Insightful
  
  Doesn't a good encryption system stop DPI from giving any useful information?
  Any useful information? Sure! There is lots of useful information that can be gleaned even when encryption is used. Who are you communicating with? What protocol are you using? By looking at packet timing and packet sizes, much more information can be obtained than you might think, such as: are you web surfing vs. interactive keyboard login? Are you tranferring large files or reading short web pages? And if the structure of the web pages of the target site is known, the size of the packets transferred might even reveal which pages you were visiting. Some have even reported the ability to make educated guesses about keystrokes in interactive sessions based on timing of packets. Admittedly some of these features will have to wait for the next generation of DPI technology, but even today, a great deal of information can be collected.
  
  --
  If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
3. Re:Encryption stops this correct? by green1 · 2009-04-07 10:10 · Score: 4, Interesting
  
  They can however arbitrarily assume all encrypted data to be hostile and filter accordingly...
4. Re:Encryption stops this correct? by Anonymous Coward · 2009-04-07 10:11 · Score: 0
  
  Doesn't a good encryption system stop DPI from giving any useful information?
  Not really, they have other methods for looking at the traffic, despite being encrypted, to make a very good guess on what kind of information is in the packets.
5. Re:Encryption stops this correct? by Chabo · 2009-04-07 10:13 · Score: 1
  
  Some have even reported the ability to make educated guesses about keystrokes in interactive sessions based on timing of packets.
  So that's how the Comcast employee was able to beat me at CS -- he knew my bunny-hopping pattern!
  
  --
  Convert FLACs to a portable format with FlacSquisher
6. Re:Encryption stops this correct? by token_username · 2009-04-07 10:14 · Score: 2, Insightful
  
  Slightly off the point from this, but related: QoS mechanisms will probably just default encrypted traffic to a lower service class. That's the quick and easy way to handle it.
7. Re:Encryption stops this correct? by Anonymous Coward · 2009-04-07 10:18 · Score: 1, Insightful
  
  Yes, analyzing packet sizes and frequencies can work in theory... until it is put into practice, because then it would be trivial for the encryption users to rewrite their servers and clients to send random-sized encrypted packets at random intervals and mess up any information you may have gained.
8. Re:Encryption stops this correct? by click2005 · 2009-04-07 10:24 · Score: 3, Insightful
  
  I was going to say that wont work very well because of VoIP but as most ISPs are phone companies they probably dont want VoIP working too well either.
  
  --
  I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
9. Re:Encryption stops this correct? by gweeks · 2009-04-07 10:31 · Score: 4, Interesting
  
  Take a look at:
  SSLIA
  Deep packet inspection inside SSL sessions. It's not the only one either.
10. Re:Encryption stops this correct? by Anonymous Coward · 2009-04-07 10:38 · Score: 0
  
  These swines!!!!! >:(
11. Re:Encryption stops this correct? by Anonymous Coward · 2009-04-07 11:07 · Score: 1, Interesting
  
  Uh, no, not with some of the new devices comeing along for firewalls. I know my company is preparing to upgrade their firewalling (global presence, 100K+ employees) with such technology explicitly for 2 "big" problem areas as they see it: 1. Intellectual property theft; 2. "Inappropriate" site access (porn, etc.).
  As I read the proposal (as part of a wide list of reviewers as potential stakeholders due to my 2-bit role in web administation) I was appalled to realize that this is commercial off-the-shelf technology to instantly decrypt SSL packets, check for the verboten stuff, then pass along the encrypted originals with no hint that your "secure" connection is anything but.
  I am not interested in that off-limits stuff, but doing any of my payroll/medical/personal banking stuff on the corporate network with https is now very unappealing to me, but the corporate related "personal" functions have no alternative.
  When I mentioned this forthcoming capability to other colleagues at an orientation session after hearing the moderator extol the wonders of doing our HR stuff "securely" online, many were disturbed by my revelation.
  Anything for the "bottom line" and "corporate governannce", eh?
  Also, this means that the (intentional) bad guys can buy and use this stuff...
  FWIW,
  RO
12. Re:Encryption stops this correct? by AK+Marc · 2009-04-07 11:22 · Score: 3, Informative
  
  Doesn't a good encryption system stop DPI from giving any useful information?
  
  Mostly. However, many DPI boxes are now including heuristics as well. Encrypted stream of 20k in and out to a single IP? Sounds like VoIP to me, toss it in that bucket. Encrypted 10k out and 1M in to a single IP? Sounds like a file download, toss it in that bucket. Encrypted 10k in from 20 hosts and 5k out to 15 hosts? Sounds like P2P, toss it in that bucket. If I can make such guesses easily, someone smarter than me has already coded those in and knows what your encrypted data is. Not what it contains, as that's never the goal of DPI, but what you are using it for. So encrypt it all you want. They'll know what you are up to anyway. Unless you do someting like Tor downloads and then it'll look more like P2P and you'll get even worse performance. Or, as someone else mentioned, if it isn't easily identifiable encryption, then they treat it like the least desired traffic. Hide all you want and they can still get you for it.
  
  --
  Learn to love Alaska
13. Re:Encryption stops this correct? by Anonymous Coward · 2009-04-07 13:42 · Score: 0
  
  If you mean in the context of an ISP, this would be the point where every customer they have calls them up to complain they can no longer do any online banking.
14. Re:Encryption stops this correct? by spazdor · 2009-04-07 14:29 · Score: 1
  
  Oh, don't worry, customer! You can still bank securely using our "Transparent Security Service" man-in-the-middle atta-er, I mean, proxy server! Just click OK to that certificate there. It's safe, I promise.
  
  --
  DRM: Terminator crops for your mind!
15. Re:Encryption stops this correct? by TheSpoom · 2009-04-07 14:54 · Score: 1
  
  Why would that mess anything up? The whole point, usually, is to throttle people using P2P software like BitTorrent. All your suggestion would do would be to put a big neon arrow over their heads.
  
  --
  It's better to vote for what you want and not get it than to vote for what you don't want and get it.
  - E. Debs
16. Re:Encryption stops this correct? by green1 · 2009-04-07 15:50 · Score: 1
  
  sure you can do online banking, because your bank has paid the filtering company to be on the whitelist...
17. Re:Encryption stops this correct? by PReDiToR · 2009-04-07 21:02 · Score: 1
  
  The regulatory bodies would love that.
  
  The answer to so many questions is encryption, "they" would love a way to make it painful to use.
  
  --
  
  Do not meddle in the affairs of geeks for they are subtle and quick to anger
18. Re:Encryption stops this correct? by Anonymous Coward · 2009-04-09 08:26 · Score: 0
  
  Please point me in the direction of this magical software that renders proper SSL implementations completely ineffective.
  If you are unable to do so, I will have to dismiss your post as utter nonsense.
Your Action, My Reaction by Nom+du+Keyboard · 2009-04-07 10:05 · Score: 4, Interesting

You go for DPI.
I go for encryption, SSL, and HTTPS. Even my slowest home system can easily handle this.

--
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
1. Re:Your Action, My Reaction by jfclavette · 2009-04-07 10:58 · Score: 1
  
  If my DPI reveals encrypted data, I give you the lowest QoS. What's your reaction now ?
2. Re:Your Action, My Reaction by Anonymous Coward · 2009-04-07 11:21 · Score: 0
  
  Steganography will bypass your DPI easily.
3. Re:Your Action, My Reaction by Anonymous Coward · 2009-04-07 11:25 · Score: 0
  
  Stenography and lots and lots of pigeons.
4. Re:Your Action, My Reaction by Anonymous Coward · 2009-04-07 11:51 · Score: 0
  
  Honestly? Go to the IT guy and legal at work, and have them rake you over the coals for deliberate interference with the corporate VPN on any grounds they can think of ...legitimate or not. Oh...it's in your AUP that you can do that and nobody *actually* has grounds to sue? Do you want the company to announce that all home/VPN users will have to change ISPs to your competitor, and advise all of our customers do the same to avoid your willful interference with delivery of our secure site to the users...
  It'd require a message of the day, a whitepaper for IT departments of the resellers... possibly even a few guides on how to find a new ISP with a list of ones we know will work better but don't endorse.
  Seriously--how long do you think comcast/local DSL provider of choice would last with QoS on crypted traffic? Every single corporate home user on the planet would be crying foul when they could no longer VPN into the office effectively. They might try to upsell to "VPN edition" or some such crap, and it might work until the moment they complained to any IT department that just told them to change ISPs.
  And don't get me started about users wanting to do online banking...
5. Re:Your Action, My Reaction by Anonymous Coward · 2009-04-07 11:55 · Score: 0
  
  Now you have business class lawsuits from companies that depend on high-traffic SSL. What's their reaction now?
6. Re:Your Action, My Reaction by domatic · 2009-04-07 11:56 · Score: 1
  
  Arms race of course as various and ever changing schemes are used to make the encryption appear to be something else.
7. Re:Your Action, My Reaction by Antique+Geekmeister · 2009-04-07 15:07 · Score: 1
  
  And luring you into accepting a man-in-the-middle SSL key is.... how difficult? Or stealing your target website's keys, aor getting them with a warrant-free patriot act request?
8. Re:Your Action, My Reaction by Hal_Porter · 2009-04-07 17:52 · Score: 1
  
  Tell them that they are welcome to pay more for an "enterprise class" connection, at which point I disable the check.
  
  --
  echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
9. Re:Your Action, My Reaction by Anonymous Coward · 2009-04-07 19:40 · Score: 0
  
  My reaction: I will put a fake innocent looking wrapper around that data, to keep the QoS up.
10. Re:Your Action, My Reaction by jonaskoelker · 2009-04-08 01:53 · Score: 2
  
  I go for encryption, SSL, and HTTPS.
  Then how do you log in on slashdot?
  It takes two paranoid people to use encryption. We really need everyone to be paranoid, which is a hard sell.
  
  Even my slowest home system can easily handle this.
  Can the server you're slashdotting handle one thousand (or million) times what your home PC can handle?
  Sometimes, when I'm transferring stuff around at home, ssh (sshfs) or kcryptd is the bottleneck, not the disk/wire.
  Damn, that makes me sad :(
11. Re:Your Action, My Reaction by Anonymous Coward · 2009-04-08 02:05 · Score: 0
  
  Promote BTNS, so that a large percentage of all traffic is encrypted.
I'd be more impressed ... by Ungrounded+Lightning · 2009-04-07 10:21 · Score: 1

... if they'd managed to build a web site that displayed correctly (or displayed the essay collection AT ALL) on Firefox 2.0.0.8.

--
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Easy Fix by bobbuck · 2009-04-07 10:46 · Score: 3, Interesting

Charge more for higher QoS. Give a discount for lower QoS.
1. Re:Easy Fix by Anonymous Coward · 2009-04-07 13:00 · Score: 0
  
  Charge more for higher QoS quota.
  I like it that way.
2. Re:Easy Fix by Ungrounded+Lightning · 2009-04-07 13:05 · Score: 2, Interesting
  
  Charge more for higher QoS. Give a discount for lower QoS.
  That's a given.
  I'd expect plans to include some small amount of VoIP quality 2-way high-QoS as standard (about a couple phone calls' worth plus whatever is needed for the plan's special services). Higher amounts could be obtained by subscribing to a higher-priced plan or dynamically-configured as needed - perhaps for a fee (like dialing a toll phone call or subscribing to a pay-per-view).
  Want your packets to get reserved bandwidth and better treatment on the backbone? Pay up your fair share (and let the ISPs and backbone providers split the swag according to their contracts). Or take best effort delivery, in competition with file transfers and whatnot, and accept the hiccups when the intertubes get cloggerated.
  
  --
  Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
3. Re:Easy Fix by Kozz · 2009-04-07 15:49 · Score: 1
  
  I think you've got the first part right, anyhow. What business have you ever known to reduce price in such a manner? Any "low" QoS traffic will continue to be billed at pre-QoS billing rates.
  
  --
  I only post comments when someone on the internet is wrong.
Your reaction, my re-reaction by Anonymous Coward · 2009-04-07 11:01 · Score: 0

You go ssl.
I go man in the middle. I handle your connections and key exchanges between both ends and look at your unecrypted traffic before I forward it on encrypted.
1. Re:Your reaction, my re-reaction by GravityStar · 2009-04-07 12:32 · Score: 3, Interesting
  
  MITM's. The answer to this is SSL ofcourse, and "don't allow SSL exceptions". (Don't run with scissors)
  
  But there has to be a better way for establishing the 'CA - domain' trust. Why isn't the trust chain 'ICANN CA - country domain operator CA - registrar CA - domain'?
  
  But first you need DNSSec anyway, otherwise you can validate the PKI chain, but not that everybody is who they say they are. (For example: Registrar CA's should only be valid on DNS records where they are listed as the Registrar.)
  
  After that, default to https and deprecate http for bonus points.
Re:Deep Party Inspection by Anonymous Coward · 2009-04-07 11:36 · Score: 0

In Soviet Russia, Party deep inspect you!
Question... by SuperCharlie · 2009-04-07 11:42 · Score: 1

If an ISP decides to inspect all traffic, doesn't this make them responsible for the traffic? As in... you are not a common carrier, you do not have the "I didnt know" defense and now anything (virus's, copyright,child porn, etc..) that goes through you is your responsibility? I assume there is a money solution to this that will make this problem disappear, like buying a few laws or stacking some judicial BB's somewhere.. but I thought you either let it all go or you buy the responsibility..
1. Re:Question... by John+Hasler · 2009-04-07 11:58 · Score: 1
  
  > If an ISP decides to inspect all traffic, doesn't this make them responsible for the
  > traffic?
  No.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
2. Re:Question... by chemguru · 2009-04-08 04:32 · Score: 1
  
  Well, thanks for clearing that right up...
  
  --
  --Chemguru
Advertisers by Stan92057 · 2009-04-07 12:14 · Score: 0

On what grounds do advertisers have the right to spy on anyone? to make a bigger dollar. Of all the reasons this DPI is bad,allowing advertisers to use this is out right criminal. and if anyone would would abuse it the advertisers would be the first. DPI is nothing more then wire tapping and the last time i hurd you need a warrant to wire tap anyone. And that the only reason it should be used,with a warrant

--
Jack of all trades,master of none
Anonymous by Anonymous Coward · 2009-04-07 12:14 · Score: 0

"The articles are open to comment"
But if you disagree with us, we'll inspect all your pron out of existence.
I would worry slightly less. by Anonymous Coward · 2009-04-07 13:17 · Score: 0

As has been mentioned here before, this is a new arms race. And while there MAY be some DPI's that work, but my previous employers' was pretty unreliable. Because we, in support, were not privy to even a hint on how this black-box part of the software worked, the failures I saw left me wondering if any of it worked at all.
The signatures must be pretty hardware-dependent: if your DSP's are not fast enough, you're going to be limited to port and maybe a teeny amount of header info. We were told our DSPs (IBM's) were more than fast enough to do the active signatures (a subset of the total) and service 1gig ethernet. And "deep" seemed to be pretty shallow, "port + header" seemed to be a major part of it. "Encrypted" torrents simply obfuscated the header a little and changed port-behavior and we totally lost track of it.
So having said all of this, I would wager that we have the upper hand, albeit slightly, in this arms race. (Witness torrent traffic, and virtually everything P2P in China.) So support the FOSS of your choice to keep ahead. Ultimately, the big ISPs will be hardest pressed to catch stuff because the volume of traffic, the economic slowdown, and pressures to NOT spend money. I'd worry more about the small & medium tier simply because they can benefit from having 1 smart person being listened to. That's where an asymmetrical leap might happen.
My 2 cents, sorry to post anonymously.
No Tales from the Encrypt by SoupIsGood+Food · 2009-04-07 14:38 · Score: 2, Interesting

Unencrypted data will always get you in trouble. There is no reason in the year two thousand and nine to send or receive anything over the internet without encapsulating it in a SSH or SSL tunnel. Whine all you like about performance hits, but if the technology has reached the point where your residential ISP can look inside every packet you send to see what's there - in real time - then the point has come to spend some processing power on protecting your data in mid-flight, or invest in some encryption hardware.
I'm more than half convinced that this is how everything =inside= a LAN should communicate with each other, too. The firewall should allow port 22, port 443, and drop the rest.
While we're at it, everything should be firewalled right at the VLAN, on the switch.
1. Re:No Tales from the Encrypt by Derleth · 2009-04-07 16:14 · Score: 2, Funny
  
  The obvious solution is to block or severely slow down all encrypted traffic (that is, all traffic the ISP can’t interpret). This would have the obvious effect on online banking, which could be solved by the ISP’s computers handling it: The SSL tunnel stops at your ISP, which inspects the decrypted packets before handing them to you. You know the ISP isn’t going to do anything bad with the information because they told you so (in specific, there’s both a contract and fraud laws stopping them). This might hinder the adoption of new streaming video codecs and the like, but it’s a small price to pay for increased profits.
  
  --
  How can you use my intestines as a gift? -Actual Hong Kong subtitle.
2. Re:No Tales from the Encrypt by Hal_Porter · 2009-04-07 17:59 · Score: 1
  
  Actually it should work like this
  1) Measure the bandwidth usage of encrypted data per month.
  2) If it is over some limit, throttle the speed.
  That way torrents will work for a while and then slow down. Even a throttled connection should be able to handle online banking. This is only on the cheap service.
  I'd also sell a more expensive service with higher limits, static IP addresses and less contention. In fact I'd have a load of options, at the top of which you'd basically be able to max out the connection 24x7. Cheaper connections would have published limits and would throttle speed once people went over them. Actually, who cares what the data is, just count the bits.
  
  --
  echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
3. Re:No Tales from the Encrypt by PReDiToR · 2009-04-07 21:10 · Score: 1
  
  Here in the UK on Virgin's (possibly Phorm-laced offering we have that on a daily basis.
  
  There are currently two "prime time" zones in the day and if you use too much bandwidth during those times you get your service cut in half until midnight.
  
  Sure, they are giving us a free upgrade in speed, but it's totally asynchronous and potentially Phorm riddled.
  
  On the upside, they are reliable (once you have it working), cheap (enough), let you have any port you want all the time and don't throttle BitTorrent.
  
  --
  
  Do not meddle in the affairs of geeks for they are subtle and quick to anger
4. Re:No Tales from the Encrypt by Anonymous Coward · 2009-04-07 22:14 · Score: 0
  
  Hm....
  So, all my friends who do not feel like being this paranoid, I should get rid of those right ? Cause "there is no reason ...". And all the servers I use that don't support encryption, I should stop visiting those right ? Cause "there is no reason ...". Now, of course, all my friends also run normal machines (not very secure) and typically use email servers, either owned by their ISP or a third party. So can I trust that nobody breaks into their computer, thereby being able to read all our communication ? Can I be sure that our 3.rd party email provider does not itself read my email and that it is secure enough to stop others from doing it ?
  All this is assuming I have the knowledge and time to keep my own computer completely safe.
  The point here is, if they get into any of these places, the whole security setup was for nothing. They get to read the data anyway. And the cost of what you suggest is far from negligible given all maintentance and other costs together. And all the servers I cannot use anymore.
  To sum up, security in 2009 is a complete mess. And I think the only reason why you don't see this is that you have a geek mindset, thinking of technology and not cost.
How is it protected? by anonymous+cowshed · 2009-04-07 20:16 · Score: 2, Insightful

As the DPI box has access to, and holds records of, an extroardinary stream of data that mnust make it an incredibly tempting target for hackers. What have they put in place to prevent it being compromised?
Not really by Any+Web+Loco · 2009-04-07 23:58 · Score: 1

Not really - there's always going to be a legitimate consumer need for encrypted traffic eg anything involving money (banking, purchasing goods). If you have to allow some encrypted traffic and there's no way to tell the difference between legitimate and "illegitimate" encrypted traffic then you can't arbitrarily assume all encrypted data to be hostile and filter accordingly...
I think you can find that elsewhere... by jonaskoelker · 2009-04-08 01:49 · Score: 1

Deep Panty Inspection
Performed for (and/or on) you by the Female Body Inspectors in cooperation with the Clitoris Investigation Agency.
(note: I didn't say pus*y or any other naughty word)
i guess i'm the one who has to ask by logjon · 2009-04-08 03:38 · Score: 1

vpn? pgp? why is this news?

--
The stories and info posted here are artistic works of fiction and falsehood.
Only fools would take it as fact.
Bad kdawson Summary... again by Anonymous Coward · 2009-04-08 04:15 · Score: 0

Since when was DPI a new or relatively new technology?
- Developer who has been involved with DPI for a decade
The uneducated .. by tsreyb · 2009-04-08 16:26 · Score: 2, Insightful

.. boggle my mind.
Here's what I say to all you paranoid conspiracy freaks ..
go ahead and encrypt your dang traffic. The Internet companies don't really care about the CONTENT of your traffic.
Rather, they want to know what TYPE of traffic you're using - file transfer, web browsing, voice, video.
You think I'm wrong that they don't care about your content. I'm sure you think I'm wrong - because every one of you posting on this thread is f*cking paranoid.
But I can tell you first hand - they don't give a damn.
You also don't want them using DPI to sell you stuff, or to hinder access to competing products.
Fine .. they all provide opt-out capabilities for sales pitches .. and simple legislation would suffice to keep them from slowing down, say, skype, on their network.
They can do many legit things with this data. For example ..
1. Yes, they can set the QoS for you, so that video and voice can be allocated high priority, low latency resources, while file transfers can be assigned to more appropriate resources.
2. They can trend the patterns of traffic in their network, fine tuning it for the type of data being sent, and adding capacity prior to bottlenecks occurring.
3. They can more precisely understand events on their network - e.g., associating the release of a new version of some browser, or video player, or VOIP tool, or social website, etc. with a sudden rise in traffic on their network.
For them, it is all about understanding what TYPES of applications run over their network. It is NOT about reading your email or facebook profile - they really couldn't give a sh*t about that.
So, DPI technology has the potential for abuse? Sure .. and I'm sure some countries will try to take advantage of that.
Does that frighten you? OK .. then by all means, go ahead and use encryption and port hopping !!! Contrary to what 99.99% of you on this board believe - encryption and port hopping won't prevent DPI and similar technologies from identifying WHAT you're doing. It does hide the content, for sure - which is what you want, right?
So, buzz off already about this net neuter stuff. You can have your privacy. The companies can have their trending analysis tools. These things are NOT mutually exclusive.