Slashdot Mirror


ITU Approves Deep Packet Inspection

dsinc sends this quote from Techdirt about the International Telecommunications Union's ongoing conference in Dubai that will have an effect on the internet everywhere: "One of the concerns is that decisions taken there may make the Internet less a medium that can be used to enhance personal freedom than a tool for state surveillance and oppression. The new Y.2770 standard is entitled 'Requirements for deep packet inspection in Next Generation Networks', and seeks to define an international standard for deep packet inspection (DPI). As the Center for Democracy & Technology points out, it is thoroughgoing in its desire to specify technologies that can be used to spy on people. One of the big issues surrounding WCIT and the ITU has been the lack of transparency — or even understanding what real transparency might be. So it will comes as no surprise that the new DPI standard was negotiated behind closed doors, with no drafts being made available."

36 of 152 comments

  1. can you say hell no by lister+king+of+smeg · · Score: 4, Interesting

    Let's assume that the governments don't say no; they would still have to overturn wiretapping laws in the US at least. But maybe we could use this to get our security-complacent friends to use strong encryption.

    --
    ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    1. Re:can you say hell no by TheRealMindChild · · Score: 4, Insightful

      No they won't. It is a matter of "national security"

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    2. Re:can you say hell no by BlueStrat · · Score: 4, Interesting

      ...they would still have to overturn wiretapping laws in the US...

      Except that treaties that the US agrees to trump all domestic laws, regulations, and statutes...everything but the US Constitution, and as much as that meant to halting anything the government/politicians really wanted over the last few decades, I wouldn't put a lot of faith in that "goddamn piece of paper!"

      Treaties entered into by the Executive Branch need to be ratified by Congress, but even if Congress fails to ratify it, that would not necessarily kill it. In many instances over the last decade, Congress has been bypassed by Executive Orders and similar Executive Branch power tactics to achieve their goals and simultaneously grab more Executive Branch power despite Congressional inaction and/or opposition, Congressional and/or popular.

      There has to be a BIG push-back on this to stop it. Whether or not that push-back materializes to the strength and magnitude required to stop it is anyone's guess at this point, although I admit being pessimistic.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    3. Re:can you say hell no by Mashiki · · Score: 4, Informative

      This is Canada's response on DPI from the privacy commissioner. For what it's worth, this won't fly here.

      --
      Om, nomnomnom...
  2. End-to-end encryption by characterZer0 · · Score: 4, Interesting

    End-to-end encryption. Problem solved.

    --
    Go green: turn off your refrigerator.
    1. Re:End-to-end encryption by MichaelSmith · · Score: 3, Insightful

      You terrorist you.

    2. Re:End-to-end encryption by BitterOak · · Score: 5, Informative

      End-to-end encryption. Problem solved.

      That's not quite the ultimate solution that many believe it to be. There are firewalls and routers on the market now that have man in the middle programming right in the hardware, and decryption is a basic part of the DPI system. How many people actually check that the certificates match who they're supposed to, and how do we know which root authorities can be trusted? I imagine the vast majority of people don't even look at the certificate information. And how many ssh users actually check the key fingerprints and verify they match those stored on the remote host? Is that even possible in most circumstances? And if you do discover something's up, what then? If a router is doing man in the middle DPI, your choices are pretty much accept it, or don't communicate with the remote host at all. Most people just sigh and go on doing what they're doing.

      And that doesn't even take into account hacks on your computer, like browser attacks which quietly install new trusted certificate authorities, or more aggressive malware like keyloggers and such. Encryption is much harder to use properly than most people realize, and it is highly unlikely that people on BOTH ends of the connection are using it properly.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    3. Re:End-to-end encryption by lister+king+of+smeg · · Score: 2

      Double public key is hard to man-in-the-middle when you exchange public keys in meatspace.

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    4. Re:End-to-end encryption by davester666 · · Score: 2

      The standard provides for the possibility you wish to have an encrypted connection. All you need to do is have the data transmitted both encrypted and unencrypted. That way, DPI can still effectively enable your government to know what you are doing.

      --
      Sleep your way to a whiter smile...date a dentist!
    5. Re:End-to-end encryption by grumpy_old_grandpa · · Score: 2

      Please, can we get over the "OMG! Encryption is difficult, it is not meant for mere mortals". That mantra is completely counterproductive.

      Any security solution has to be aligned to the enemy you are facing. In this case, we are up against dragnet surveillance. We are not defending against James Bond style keyloggers, nor other directed attacks, or even automated malware. The fact is that even the most basic encryption settings would have been enough to render the current dragnets cost-ineffective, perhaps with the exception of China's systems. Yet, we are still sending all e-mails on open postcards, because security "experts" want to defend against James Bond and other completely unlikely attacks.

      Regarding the MIM DPI routers, they are not widely deployed, again perhaps with the exception of China. How do I know? Well, because if they were, your hand-shake would trip over constantly, as you moved your laptop from network to network. There are currently no widespread claims that that is the case.

      The current danger is that western "democracies" are still deploying their surveillance in a fly-by-night manner. This can easily be countered through basic levels of encryption. Once they are forced out in the open, and everybody is aware of what is happening, like China's great firewall, then we can start upgrading our countermeasures. However, first we have to get the basics installed and in widespread use. Putting people off through FUD is not helpful.

    6. Re:End-to-end encryption by Roman+Mamedov · · Score: 3, Informative

      And how many ssh users actually check the key fingerprints and verify they match those stored on the remote host? Is that even possible in most circumstances?

      Hello, have you ever used ssh? As in, at all? It raises a holy hell if the keys have been tampered with.

      $ ssh hostname.tld
      @ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
      The RSA host key for hostname.tld has changed,
      and the key for the corresponding IP address xxxxxxxxxxxxxxxxxx
      is unknown. This could either mean that
      DNS SPOOFING is happening or the IP address for the host
      and its host key have changed at the same time.
      @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
      IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
      Someone could be eavesdropping on you right now (man-in-the-middle attack)!
      It is also possible that a host key has just been changed.
      The fingerprint for the RSA key sent by the remote host is
      zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.
      Please contact your system administrator.
      Add correct host key in /home/username/.ssh/known_hosts to get rid of this message.
      Offending RSA key in /home/username/.ssh/known_hosts:76
      RSA host key for hostname.tld has changed and you have requested strict checking.
      Host key verification failed.
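
      The check behind the warning above, as an added example (it is not the commenter's code and not OpenSSH's own implementation): a small Python script that parses a known_hosts file, supports both plain and hashed (|1|salt|hmac) host entries, computes the OpenSSH-style SHA256 fingerprint of a key blob, and reports match / changed / unknown for a presented host key. The host names, keys, IP address and salt are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format."""
    return struct.pack(">I", len(data)) + data

def ed25519_blob(raw32: bytes) -> bytes:
    """Public key blob: string 'ssh-ed25519' followed by the 32-byte key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)

# Constructed sample keys for the demo, not keys of any real host.
KNOWN_KEY = ed25519_blob(bytes(range(32)))
ROGUE_KEY = ed25519_blob(bytes(range(32, 64)))

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_host(hostname: str, salt: bytes) -> str:
    """Build a '|1|salt|hmac' entry as written by 'ssh-keygen -H' (HMAC-SHA1 over the name)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field: str, hostname: str) -> bool:
    """First known_hosts column: a comma-separated name list or a hashed entry."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    return hostname in field.split(",")

def check_host_key(known_hosts: str, hostname: str, presented: bytes) -> str:
    """Return 'match', 'changed' or 'unknown': the three outcomes behind ssh's prompt/warning.
    Simplification: any stored key for the host that differs from the presented blob is 'changed'."""
    seen = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        if not host_matches(parts[0], hostname):
            continue
        seen = True
        if hmac.compare_digest(base64.b64decode(parts[2]), presented):
            return "match"
    return "changed" if seen else "unknown"

# Constructed known_hosts: one plain entry (name plus IP) and one hashed entry.
SALT = b"\x01" * 20
KNOWN_HOSTS = "\n".join([
    "hostname.tld,192.0.2.10 ssh-ed25519 " + base64.b64encode(KNOWN_KEY).decode(),
    hashed_host("hashed.example", SALT) + " ssh-ed25519 " + base64.b64encode(KNOWN_KEY).decode(),
])

if __name__ == "__main__":
    print("known:", fingerprint(KNOWN_KEY), "rogue:", fingerprint(ROGUE_KEY))
    for host, key in [("hostname.tld", KNOWN_KEY), ("hostname.tld", ROGUE_KEY),
                      ("hashed.example", KNOWN_KEY), ("other.example", KNOWN_KEY)]:
        print(host, "->", check_host_key(KNOWN_HOSTS, host, key))
```

      The "changed" outcome is the one ssh turns into the REMOTE HOST IDENTIFICATION HAS CHANGED banner; "unknown" is the first-connection prompt where the fingerprint should be compared out of band.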

    7. Re:End-to-end encryption by L4t3r4lu5 · · Score: 2

      The whole point of public key encryption (RSA, for example) is that you wouldn't have to exchange keys outside of the communication channel. If you're going to meet in person, you should probably exchange data there as well. Sneakernet is always an option; it's just inconvenient.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  3. Deep by JustOK · · Score: 2

    Deep pockets fund deep packets

    --
    rewriting history since 2109
  4. Re:Ancient Chinese secret, huh? by Jeremiah+Cornelius · · Score: 2, Funny

    ITU approves of transparency... For your packet payload!

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  5. fucking politicians... by wierd_w · · Score: 5, Interesting

    Sorry for the flamebait here, but goddamn!

    They *clearly* know that these measures are against the public interest, and are only desirable for reasons that are directly counter to a free and legitimate government; that the voting publics that they represent would never willingly agree to this kind of "microscope colonoscopy" type surveillance if they knew what it really meant.

    That's why the fuckers do closed room and secret fucking "negotiations" to plan, orchestrate, and implement bullshit like this.

    About the only way to combat this is to make closed room negotiations so undesirable from a political career standpoint that the slimeballs treat them like radioactive waste.

    Something like immediate no-confidence being enacted for mere participation or something, and blacklisting from ever running for public office ever again.

    Of course, such strong measures would never make it past the slimeballs to begin with.

    Fox fucking owns the henhouse.

    1. Re:fucking politicians... by Anonymous Coward · · Score: 5, Informative

      You should do some research on what the ITU is. It is mostly old fogy bureaucrats from state owned telcos, and not elected politicians. Or even unelected ones. And the old fogy bureaucrats that sit on ITU committees are the worst of the bunch, as they specialize in creating standards and rules. So they do nothing but create rules and standards.

      The ITU is why it costs more to call one country than another, even though sending an email to Egypt or Portugal is the same price. Why do phone calls have different rates? It is 2012.

      The ITU voted in 2011, to confirm that FAX was the only authorized way to distribute committee documents! Email was determined to be not widespread enough (?), and less reliable. That should just give you some idea of the mindset you are dealing with.

      And even with their so called "stewardship" of the public switched telephone network, it is still riddled with fraud and scams. In fact, there have been accusations that some of the ITU members benefit from these scams, and are creating a regulatory framework to allow them to continue.

    2. Re:fucking politicians... by mikeiver1 · · Score: 2

      Hard to argue with one letter from all of the above. The next killer app: an easy to use seamless end to end encryption tool. I may just encrypt all my BS communication for the fun of knowing that they can't read it but think they should. Think of the countless hours that are going to be wasted by the watchers trying to decrypt shopping lists and sexting between married couples. The mind boggles...

    3. Re:fucking politicians... by wierd_w · · Score: 5, Insightful

      Then their little good-ol-boys club should be shuttered in place of an organization with some fucking public oversight, that CAN be policed against this bullshit!

      A room of wrinkled old penises whacking off to violating the public trust should never be accepted. Ever!

    4. Re:fucking politicians... by baKanale · · Score: 2

      But we're not talking about any of those clubs right now. We can show outrage about them when we discuss their respective issues. If people had to enumerate everything they get angry about every time they express some rage then every post would be a mile long and threads would take forever to read.

    5. Re:fucking politicians... by elashish14 · · Score: 2

      Unfortunately, far too many stupid people are allowed to vote.

      Look at the recent US election. How many politicians who approved NDAA were re-elected? Here's one for example: the President.

      --
      I have left slashdot and am now on Soylent News. FUCK YOU DICE.
    6. Re:fucking politicians... by ghostdoc · · Score: 4, Insightful

      Except this is not politicians making these deals. It's unelected bureaucrats, effectively outside the control of the politicians because a senior bureaucrat can do a lot more damage to a politician's career than the other way around.

      You don't vote for these people, so they don't care about your opinion.

      The treaty they come up with will need to be ratified by each country's politicians, but it'll either go through unannounced and unremarked, or there'll be a convincing 'If you've done nothing wrong you've got nothing to fear' campaign to lull the moron majority into complacence.

      I hate to sound defeatist on this, but we are going to have to start building darknets if we want truly free communication in the future.

      --
      Business/App ideas are like arseholes: everyone's got one, they're mostly shit, but very rarely they contain a diamond
  6. Over My Cold Dead Body by Anonymous Coward · · Score: 2, Insightful

    Over My Cold Dead Body will the ITU introspect anything of mine.

    The ITU, previously known as the CCITT, is a body known for promulgating overcomplex incomprehensible standards that no one in their right mind uses.

    Now, without sanction, these blowhards are trying to capture regulation and management of the WORKING internet.

    Both Corporations and country blocs have found it far too easy to pack/suborn these institutions and then claim control of really important issues like exergy (Climate Change).

    As a Swiss, the best thing the US could do for Democracy is to de-fund and send home this den of Dictators, like many things it started off well intentioned but has become a turd.

    MFG, omb

    1. Re:Over My Cold Dead Body by fustakrakich · · Score: 2

      Over My Cold Dead Body...

      Your proposal is acceptable. -- ITU

      --
      “He’s not deformed, he’s just drunk!”
  7. The answer to 1984 is RFC 1984 by WaffleMonster · · Score: 4, Interesting

    Props to Bellovin et al for arranging the numbering coincidence.

  8. DPI != spying by sgt+scrub · · Score: 3, Insightful

    You do not have to do deep packet inspection to spy on traffic. In fact, you have to spy on traffic to do deep packet inspection. The vast majority of information gleaned about people has absolutely nothing to do with traffic filtering. Things like redirecting DNS queries, logging x-forwarded-for headers, persistent HTTP connections, are vastly more popular for garnishing user information. It is easier, and much less expensive, to drop information gathering warez on a large number of machines than implementing DPI. DPI is best used to protect networks from stupid people. Yes it is used to filter access. Only a really stupid network engineer would use it for spying.

    --
    Having to work for a living is the root of all evil.
    1. Re:DPI != spying by Anonymous Coward · · Score: 2, Interesting

      Seriously. DPI means the forwarding router being able to check against protocol signatures at more or less line rate, so that you can have forwarding/firewall/QoS rules that say things like "from application-group [VOICE | GAMING | PEER-TO-PEER | ETC]" instead of dumb rules based on tcp/udp and port. Yes, as an ISP, you want to be able to give preferential treatment to voip and gaming packets over filesharing, since everything is always oversubscribed, by necessity. The government has your packets if they want them, and they don't need "DPI" to see what is in them.

  9. Fragmentation by XeLiTuS · · Score: 4, Interesting

    This type of all of your data are belong to us mentality is simply going to drive fragmentation of the Internet as well as a rush to spawn unrouted networks and darknets. These governments and agencies pushing for this would be better served leaving things as is since everything is on one network at this point. They're just going to make it more difficult for themselves since people will simply encrypt data and adapt.

  10. Yeah, well... by Bluecobra · · Score: 2, Funny

    ... I'm gonna go build my own Internet! With blackjack and hookers! In fact, forget the Internet!

  11. What lack of transparency? by Attila+Dimedici · · Score: 3, Funny

    One of the big issues surrounding WCIT and the ITU has been the lack of transparency — or even understanding what real transparency might be.

    I am confused. Why would you say that the WCIT and the ITU have lacked transparency? Something that is transparent can be seen through. I don't know about you, but I saw right through them when they said they were doing this to "enhance freedom".

    --
    The truth is that all men having power ought to be mistrusted. James Madison
  12. Re:I looked into encryption for a game... by Albanach · · Score: 2

    I looked into encryption for a game I'm working on. I think that's a good example of the "opportunistic encryption" you speak of.

    IPsec programs like FreeS/WAN, which was followed by Openswan and Strongswan, take care of this automatically. If both endpoints have this set up, the traffic will be automatically encrypted. No further user intervention is necessary.

    http://en.wikipedia.org/wiki/Opportunistic_encryption

  13. Good reasons to not give ITU Internet control by manu0601 · · Score: 2

    If we were looking for good reasons to not give Internet governance to ITU, here we are. Of course one could argue that the current Internet steward, USA, is also a spying big player, but at least it does not openly brag about it.

  14. Handing the Internet's control to the UN eh? by fufufang · · Score: 5, Insightful

    I think ITU's action shows the true colour of the United Nations. I think it is simply too dangerous to pass on the control of the Internet to the United Nations.

    1. Re:Handing the Internet's control to the UN eh? by fyi101 · · Score: 4, Interesting

      This might surprise you, but the United Nations is a big organization, and different parts of it act and think in different ways, sometimes with great disagreements. In fact, that's the whole purpose of the UN: to gather all these people together in one place and make them lob disagreements at each other instead of grenades. Just because one organization associated with the UN misbehaves doesn't mean the World Government is out to get you. Your comment about the UN's "true colours" betrays somewhat of a misconception of the way things work there. It's messy like all human things, but if you don't like the UN, just wait until the world drops any pretense of working together for a unified civilization, and the dictators participating in the Human Rights Commission leave it and drop any pretense of caring for them; then things will get really fun (at least now they admit Human Rights exist and pay lip service to them, and that alone is already an ideological victory, which is more important than you might think).

  15. Meatspace?! by formfeed · · Score: 2

    Double public key is hard to man-in-the-middle when you exchange public keys in meatspace.

    Whoever uses the term meatspace should be slapped with a pound of raw bacon.

    Also, there should be a xkcd about it.

  16. Re:DPI isn't a problem. by smellotron · · Score: 3, Informative

    But if someone sets up BT on 80, how do you verify the protocol without looking at the payload? Even then, there are "tricks" where P2P protocols can use HTTP GET and PUT in the payload to be able to manipulate inspection.

    Ugh. I had to do some research on SOAP as a part of an internship at an "Enterprisey" software shop. Many SOAP software stacks advertised themselves as firewall-friendly because they would "punch through the firewall on port 80". That is, the SOAP service was encapsulated in HTTP, with the implication that this was superior to getting permission from your network admins. Of course, these same service providers also provided "SOAP firewalls" so they could profit off of your company's internal dysfunction. What a pile of garbage, all of it.

    Anyhow, I can see why BT would want to encapsulate itself in HTTP, but it stinks of an arms race.
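
    The signature-based classification the Anonymous Coward describes in comment 8.1 above (rules on an application group rather than on tcp/udp and port) and the "BT on port 80" case this comment raises, as one added Python example that is from neither commenter: it classifies a few constructed flows by destination port and by the first payload bytes, maps the payload verdict to an application group, and flags flows where the two views disagree. The port table, signature set and group names are illustrative assumptions, not any vendor's DPI engine.

```python
import re

# Constructed port table: what a port-only rule base would assume.
PORT_TABLE = {22: "SSH", 80: "HTTP", 443: "TLS", 6881: "BitTorrent"}

# Application groups a DPI policy rule could name (illustrative names).
GROUPS = {"HTTP": "WEB", "TLS": "WEB", "SSH": "REMOTE-ADMIN",
          "BitTorrent": "PEER-TO-PEER", "BitTorrent-tracker": "PEER-TO-PEER"}

HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD) (\S+) HTTP/1\.[01]\r\n")

def classify_by_port(dst_port: int) -> str:
    """Port-based guess: all a plain tcp/udp+port rule can see."""
    return PORT_TABLE.get(dst_port, "UNKNOWN")

def classify_by_payload(payload: bytes) -> str:
    """Signature match on the first client bytes of a flow, ignoring the port."""
    # BitTorrent peer-wire handshake: length byte 19 followed by "BitTorrent protocol".
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "BitTorrent"
    # TLS: record type 0x16 (handshake), major version 0x03, handshake type 0x01 (ClientHello).
    # DPI can see that a TLS handshake is happening, not what is inside the session.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "TLS"
    if payload.startswith(b"SSH-2.0-"):
        return "SSH"
    m = HTTP_REQUEST_LINE.match(payload)
    if m:
        # HTTP-encapsulated P2P: a tracker announce is an ordinary GET carrying info_hash.
        target = m.group(2)
        if target.startswith(b"/announce?") and b"info_hash=" in target:
            return "BitTorrent-tracker"
        return "HTTP"
    return "UNKNOWN"

def classify_flow(dst_port: int, payload: bytes) -> dict:
    """Combine both views; flag flows where the payload contradicts the port."""
    by_port = classify_by_port(dst_port)
    by_payload = classify_by_payload(payload)
    mismatch = "UNKNOWN" not in (by_port, by_payload) and by_port != by_payload
    return {"port": by_port, "payload": by_payload,
            "group": GROUPS.get(by_payload, "OTHER"), "port_mismatch": mismatch}

# Constructed sample flows: (destination port, first bytes sent by the client).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, b"\x13BitTorrent protocol" + bytes(8) + b"\xaa" * 20 + b"-XX0001-" + bytes(12)),
    (80, b"GET /announce?info_hash=%AA%AA&port=6881 HTTP/1.1\r\nHost: tracker.example\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + bytes(32)),
    (22, b"SSH-2.0-OpenSSH_9.0\r\n"),
]

if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        print(port, classify_flow(port, payload))
```

    The second and third flows are the ones a port rule gets wrong: both land on port 80 yet end up in the PEER-TO-PEER group once the payload is inspected, which is exactly the classification a QoS policy needs and exactly what an encrypted session hides.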

  17. Re:DPI always gets it wrong and breaks traffic by epyT-R · · Score: 2

    It's not 'abuse' when the ISP refuses to set hard limits as part of the contract.. go fuck yourself.