Pages

Sunday, 8 September 2013

Hey, hey, NSA, did you read my blog today?

Hey, hey, NSA, did you read my blog today?

I don't think so. Not because it's encrypted, it isn't. Not because they can't, because they could read it as easily as you can. But ...

Well.

It's like this.

During WW2, we set up a huge organisation at Bletchley Park to read the German Enigma traffic. It was worth doing, because all of the communications were between military units, and many of the communications have valuable intelligence. It was even more worth while to crack Tunny, because that was the most secret communications between OKW (armed forces HQ) and the generals in the field. Hence Colossus; indeed, hence ten Colossuses. You can see one of them in action at the National Computer Museum in Bletchly Park - recommended.
The point is, a large percentage of what was intercepted, was useful.

Now consider the internet. Quigglebytes of information every day, mostly pictures of kittens doing cute things and teenagers sending each other pictures of what they did at the party. Millions of bloggers blurting unconfirmed guesses to each other, endless Facebook posts about outings to Disneyworld and a flood of tweets about what I just had for breakfast.

Somewhere in that lot, there's maybe a few people plotting to do something bad.

The problem is, there's only going to be a few such things. And some of them will be in an unbreakable code.

Many people think that there's no such thing as an unbreakable code. To them, I have the following message:

G

You can subject the "G" above to as powerful a computer as you like, and you won't be able to decide whether the cleartext is "Buy another cabbage" or "Please send me two dollars" or any other of an unlimited number of possible messages. That's just one example of an unbreakable code. There's lots of others.

If you were, for example, wanting to discuss the planning of something very naughty, you'd talk about a "stag party". Or a barmitzvah. Or lunch. And the recipient would know what you were actually meaning.

Bad guys probably know this already. And so that reduces even more the number of messages that you might intercept that lead to bad things for bad guys. Oh, and the other thing that most bad guys probably know is that if you use the internet, or the phone system, for plotting to do bad things, you're barmy.

So, we're looking for a needle in a very large haystack. That's bad enough, but one of the big rules for searching for a needle in a haystack is, "don't start off by making the haystack a lot bigger".

So that's why I don't believe the stories that are going round about the NSA reading and analysing all internet communications. It fails a test that is commonly not applied - "does this actually make sense?"

If I were the NSA, which thank the lord I'm not,sir, then what I'd do is analyse email headers. Email headers tell you who the email came from, and who it's destined for. And those cannot be encrypted, because email works by being stored and forwarded from server to server, and that can only work if each server in the chain knows where the email is trying to get to.

Here's a typical chain of servers that handled one of the emails I received recently:

virus-l.demon.co.uk
smtp.demon.co.uk
tch.inty.net
internal.ip.redacted (the IP is 121.74.243.168 which actually turns out to be telstraclear.net, which is Vodafone new Zealand, which fits in with what I already knew about where my correspondent lives)
drsolly.com

That's a list of the servers that handled the email as an email. So from this, I know who sent the email (my pal Nick), and who it was for (me).  And all the servers in between also know this. But there's more servers in the chain, those that just store-and-forward packets, not caring whether it's an email or a web access.  So I did a traceroute to virus-l.demon.co.uk, and here's a list of the servers that it passed through:

drsolly.com
se3-1-0-1-2-4-3-0.ar06.hx2.bb.gxn.net
te0-1-0-0.cr02.ts1.bb.daisyplc.net
ae0-1802-xcr1.lsw.cw.net
ae10-xcr1.lns.cw.net
xe-11-2-0-xur1.lns.uk.cw.net
warr-inside-1-g7-0-0.router.demon.net
gi6-1-0-dar3.lah.uk.cw.net
warr-inside-1-g7-0-0.router.demon.net
war1-access-1-175.router.demon.net




cw.net is Cable and Wireless, a very big noise in the internet packet transit business. So if you can persuade them to give you a copy of all their traffic, you have a copy of my emails to
virus-l.demon.co.uk.

And you could do the same with the other big packet transiters, there's not a great many that you'd have to talk to. And the info in that header isn't encrypted (it can't be if you want your email to arrive) and it's public, in the sense that it's read by every server in the chain.

So, given that information, what I'd do is make a map of who is communicating with who. And if I had someone who I knew was a major bad person (because some reliable source gave me that info) I'd be able to easily see who he was communicating with, and who they were communicatiing with, and so on, and maybe match that up with other known-bad-people. So you could build a map of bad-guy clusters.And to do that wouldn't be an awfully big job; it wouldn't need the ridiculous amount of storage and processing power that you'd need if you tried to embrace the full haystack.

But, given the email address, how do you get the street address? Because the email is delivered to a particular IP address, and with a suitable court order, you can get an ISP to give you the real-world details of who was using that IP address at that time. Tough luck if that turns out to be an internet cafe, or a public wifi access point, but you could always do a stake-out and hope to scoop them up later.

So I don't think that the NSA, or GCHQ are reading the unconfirmed guesses in this blog, even though I used the word "lunch".

4 comments:

  1. 'So I don’t think that the NSA, or GCHQ are reading the unconfirmed guesses in this blog, even though I used the word “lunch”.'

    Yeah, but if the NSA had got you in their camp, you would say that. ;)

    (Actually, I agree with the assessment. I have always said that the – almost – freely available metadata of the communications and the behaviour patterns are as valuable as, if not more valuable than, the content.)

    ReplyDelete
  2. Actually, Doc, I'm surprised they haven't come to you to build the system!! It would give you something to do on rainy days!! I'm sure all those old stories you did with Reindeers will help you!!

    ReplyDelete
  3. I'm suprised you haven't moved into the Internet encryption business ;)

    ReplyDelete
  4. Ah, Rudolf the Red, the reindeer's shop steward.

    ReplyDelete