[liberationtech] Massive passive wiretapper: How to technically troll them?

Dan Staples dan at
Mon Sep 16 09:25:48 PDT 2013

Interesting ideas...don't know about the feasibility, but it's worth

For generating raw data that can have the potential to confuse automated
analysis and flagging, or to otherwise hide/obfuscate legit comms, I
wrote a proof-of-concept project called NOISE:

It basically includes a Markov generator for creating "real-looking"
text from a reference corpus, and periodically sending that in emails,
tweets, web searches, etc. Use a reference corpus of 'suspicious' texts,
stuff that would get flagged by surveillance filters, and you'd be
generating plenty of red herrings. It can even generate fake
PGP-encrypted emails.

I don't have a lot of background knowledge on how the mass digital
surveillance systems are architected or run, so I have no idea whether
this type of approach is effective. But I think it's an avenue worth
investigating further. Helen Nissenbaum's recent talk on obfuscation at
PETS was enlightening on the subject, and she has some relevant
publications as well.[1][2]




On 09/16/2013 06:16 AM, Claudio wrote:
> Run a Tor exit node? ;)
> On 09/14/2013 05:35 PM, Fabio Pietrosanti (naif) wrote:
>> Hi,
>> I was wondering how it could be possible to bring some kind of denial of
>> service to impact the functionalities and/or reduce the performance of
>> the systems used by a massive passive wiretapper listening on the fibers.
>> So, what is a massive passive tapping listening to, and how is it processing
>> its data?
>> I expect that's recording:
>> - Content of all traffic, with very specific exception to record only
>> what's useful [1]
>> - Database-stored transactions of all new connections with timestamp,
>> source, destination
>> - Database-stored metadata of processed traffic's content
>> On the recorded data, there's a set of batches that process the internet
>> traffic to apply "normalization" and "parsing" logic, that extract
>> useful metadata and load that into a database. This is to enable
>> analysts' automated and manual queries over that data.
>> So, given the previously defined assumptions, what can cypherpunks do to
>> engage in trolling the massive passive wiretapper?
>> We can use different strategies:
>> - Fill up the transaction records, stored into the database
>> - Fill up the metadata records, stored into the database
>> - Fill up what is being recorded into the Petabyte storage (raw records)
>> - Attack the backend processing's batch process that analyzes the data
>> to extract metadata
>> This can be done by carefully generating internet traffic, specifically
>> targeting our goals, and only "good traffic" that must be recorded and
>> processed.
>> The first thing to do is to choose the two physical locations between
>> which to generate the traffic.
>> We want to "inject" our traffic into the massive passive wiretapper system,
>> so we can choose to target their wiretapping system on international fibers
>> that are known to be recorded, for example between UK and US.
>> Bandwidth in US and UK is also quite cheap, so this would be a nice
>> place to work on.
>> We may choose to make traffic between UK and US, where bandwidth is
>> cheap and there's a reasonable evidence that fibers are being massively
>> recorded.
>> Then we need to prepare the right pattern of traffic, being cleartext
>> SMTP, HTTP, POP3, other, that will be exchanged between the two peers at
>> full speed.
>> The traffic we need to generate has to be compressed, in order to
>> increase the load we put on the massive passive wiretapper decoding
>> processes, amplifying the amount of data generated. If we assume a
>> properly done 400% protocol compression ratio, with 100TB monthly data
>> we may generate 400TB of data on wiretapper system.
>> By some calculation 100TB of traffic can cost $250/month, so two peers
>> could cost $500/month, generating on the target system 400TB of data
>> (100TB with an amplification factor of 400% due to protocol compression).
>> If 100 volunteers invest $500/month, so $50.000/month, we would be
>> generating 40.000TB/month, 40 Petabyte/month, on the massive passive
>> wiretapper infrastructure.
>> Those would be only "good traffic to be processed" and not
>> youtube/youporn traffic that the wiretapper is likely to discard.
>> Wouldn't it be a nice way to technically troll them?
>> [1] It's reasonable that there are exceptions not recording traffic to
>> very high bandwidth video services (such as YouTube or Netflix) because
>> they are not very useful from an intelligence perspective but represent
>> between 50-70% of internet traffic. So, useless traffic recorded would
>> use 50-70% of storage? Just don't record it!
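As an added illustration of the Markov text generator Dan describes for NOISE (this is example code written for this page, not NOISE's own code, and the reference corpus below is a constructed stand-in of a few neutral sentences): an order-2, word-level chain that learns which word follows each two-word state in the corpus and then walks those transitions, sampling successors by their corpus frequency. The `ngram_coverage` check makes the key property explicit: every trigram the generator emits is a trigram of the reference corpus, which is exactly why such output looks "real" to keyword-style filtering, and equally why a statistical n-gram model of the corpus fingerprints it without difficulty.

```python
import random
from collections import defaultdict

# Constructed stand-in for a "reference corpus" (a few neutral sentences);
# a real deployment would train on a much larger text. Example code, not NOISE's.
CORPUS = """
the weather report said the rain would stop by noon but the rain did not stop
the market opens at nine and the market closes at five on most days
she read the report twice and then sent the report to the office by mail
the office said the mail would arrive by noon and it did arrive by noon
he said the market report was late and the office did not send it by mail
"""


def ngrams(tokens, n):
    """Yield every run of n consecutive tokens."""
    for i in range(len(tokens) - n + 1):
        yield tuple(tokens[i:i + n])


def build_chain(text, order=2):
    """Map each `order`-word state to the list of words that followed it in the corpus.
    Repeated entries in a list give a transition its corpus frequency."""
    words = text.split()
    chain = defaultdict(list)
    for *state, nxt in ngrams(words, order + 1):
        chain[tuple(state)].append(nxt)
    return chain


def generate(chain, length=30, order=2, seed=None):
    """Walk the chain from a random corpus state, sampling successors by frequency.
    Stops early if it reaches a state that the corpus only ever ended on."""
    rng = random.Random(seed)
    out = list(rng.choice(list(chain)))
    while len(out) < length:
        successors = chain.get(tuple(out[-order:]))
        if not successors:
            break
        out.append(rng.choice(successors))
    return " ".join(out[:length])


def ngram_coverage(text, corpus, n=3):
    """Fraction of the text's n-grams that also occur in the corpus.
    Output of an order-(n-1) chain scores exactly 1.0: good for passing
    keyword filters, but a trivial statistical fingerprint for a classifier."""
    ref = set(ngrams(corpus.split(), n))
    seen = list(ngrams(text.split(), n))
    if not seen:
        return 1.0
    return sum(g in ref for g in seen) / len(seen)


if __name__ == "__main__":
    chain = build_chain(CORPUS, order=2)
    sample = generate(chain, length=25, order=2, seed=7)
    print(sample)
    print("trigram coverage:", ngram_coverage(sample, CORPUS, 3))
```

Raising `order` makes the output read more fluently but also makes it copy longer verbatim runs of the corpus; with a small corpus and order 3 or more the chain mostly just replays whole sentences.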

