[PLUG-TALK] Who /is/ watching the watchers?

Keith Lofstrom keithl at gate.kl-ic.com
Wed Aug 6 15:33:30 UTC 2014


Postulate bad guys with significant resources who want to spy
on the United States - let's call them "AQ".

----

During World War II, the British MI5 counterintelligence ran
a successful counterintelligence organization, controlling
/every/ German agent in Britain, sending the Abwehr information
the Allies wanted them to believe.  Unknown(?) to MI5, a Soviet
spy named Anthony Blunt, along with four others, sent Stalin a
complete picture of everything MI5 and MI6 were doing, including
the ULTRA intercepts of German ENIGMA-encrypted traffic.  We
now realize that if even one German spy had learned of this by
spying on the Soviets, ULTRA would become useless, the Normandy
invasion would have failed, and the Germans might have won the
war.  If all the preceding sounds convoluted and twisty,
welcome to the world of spy vs. spy (vs. spy (vs. spy)).

Fast forward to the NSA and Snowden.  We've learned that NSA
is watching every electronic message - and that one guy, on his
own without external support, can watch all of that and extract
massive amounts of the information NSA collected, as well as
NSA internal operations information, without being caught. 

If one guy by himself can do that, what could AQ do?  If AQ
wants a complete intelligence picture of the United States, what
better way than tapping the flow that the NSA so conveniently
collects and stores?  How would we ever know that this happened? 
How would Congress know?  How would the NSA know?  How many
Anthony Blunts are employed by the NSA, actually working for
how many foreign intelligence services?  If NSA internal
monitoring is so piss-poor that Snowden can walk off with all
the information he gathered, who else is walking off with what?

Internal spying on American citizens is wrong, and a violation
of the Constitution.  It must be stopped, and the parties
responsible - civil service and political office holder -
should be punished severely.  Internal spying is not only
wrong, it poses an enormous risk to the national security
of the United States, creating crippling vulnerabilities.

This is the terrifying practical reason why we must never allow
any organization, whether it is NSA, Experian, Google, or Apple,
to collect detailed data about communications without public
oversight, if for no other reason than to prevent them from 
acting as the unwitting dupes of AQ.

---

For systems with surveillance capability, whether activated
and used intentionally or not, postulate a tamper-proof system
for aggregate message counting, "double entry bookkeeping".
Count the sum total of all messages known to be sent, and all
messages known to be received, for an entire network.  If
there is a difference in the sums, there may be messages going
where they are not supposed to, or not being delivered as
expected (protocol failures should be counted and latency
compensated for, of course).  Aggregate counts spanning an
entire network do not much reveal private information.  On
the other hand, accurately measured discrepancies (handwaving
madly, this is HARD) can reveal much about the existence of
errors or exploits, which can be identified with detailed
audits.  We do this with money for huge organizations;  why
not digital messages?

Everyone with a computer should know how many messages their
computer actually sends and receives.  If the aggregate counts
do not match expectations, there's a problem (spyware, spam,
software failures, etc.).  Audit - track down all discrepancies
to their root cause.  This will make networks more reliable.

Protocols like UDP are "fire-and-forget", but we can still
count the UDP packets going out, and compare that to the
count of packets sent by the programs we know about.  UDP
is the network equivalent of petty cash, not suitable for
big transactions.  If a program or computer is using UDP
when verified transactions are possible, at very least the
design is bad, and in the worst case, evidence of enemy action.

When we learn how to do this correctly, we can implement the
counters in hardware, incrementable and readable by user-space
programs, but tamper-proof and not resettable.  Given the way
packet networks segment and re-assemble messages, it seems
possible to build hardware state machines that can turn
interface packet patterns into accurate message counts.  

Perhaps there will be problems with tunnelled protocols like
OpenVPN and OpenSSH, and of course we want to avoid "traffic
analysis" that spies on who talks to whom.  There are plenty
of wrong ways to arrive at aggregate counts that leak too
much information.

So, help me think this through.  There are numerous straw-man
methods that are easy to knock down - but that is not
proof that no method can possibly work.  A careful attempt
at such proof might lead to properly-designed counting methods,
and techniques to evaluate them with precision.

Keith

-- 
Keith Lofstrom          keithl at keithl.com
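The following is an added example, not code from Keith's post or from the PLUG list, sketching the two checks the post describes: the network-wide "double entry" comparison of messages sent against messages received (less known protocol failures), and the per-host comparison of interface packet counts against the counts claimed by the programs we know about. The host names (alpha, beta), program names, counter values and the KNOWN_LOSSES table are all constructed for illustration; in a real deployment the interface counters would come from the NIC or kernel and the program counters from per-socket accounting.

```python
"""Double-entry message accounting for a small network (constructed example)."""

# Constructed ledgers: per host, what the interface counted and what each
# known program claims to have sent/received, per protocol.
HOST_LEDGERS = {
    "alpha": {
        "interface": {
            "tcp": {"sent": 120, "received": 118},
            "udp": {"sent": 45, "received": 38},   # 5 more sent than any program claims
        },
        "programs": {
            "mail": {"tcp": {"sent": 120, "received": 118}},
            "dns":  {"udp": {"sent": 40, "received": 38}},
        },
    },
    "beta": {
        "interface": {
            "tcp": {"sent": 118, "received": 118},
            "udp": {"sent": 38, "received": 40},
        },
        "programs": {
            "mail": {"tcp": {"sent": 118, "received": 118}},
            "dns":  {"udp": {"sent": 38, "received": 40}},
        },
    },
}

# Protocol failures already accounted for elsewhere (constructed): two TCP
# segments known to have been dropped and retransmitted, no UDP losses known.
KNOWN_LOSSES = {"tcp": 2, "udp": 0}


def network_balance(ledgers, known_losses):
    """Sum interface counts over the whole network, per protocol.

    The books balance when sent - received - known_losses == 0. A positive
    remainder means messages left hosts we monitor and arrived nowhere we
    monitor (or a failure we did not account for); a negative one means
    messages arrived that no monitored host admits sending.
    """
    totals = {}
    for ledger in ledgers.values():
        for proto, counts in ledger["interface"].items():
            entry = totals.setdefault(proto, {"sent": 0, "received": 0})
            entry["sent"] += counts["sent"]
            entry["received"] += counts["received"]
    for proto, entry in totals.items():
        entry["known_losses"] = known_losses.get(proto, 0)
        entry["unexplained"] = entry["sent"] - entry["received"] - entry["known_losses"]
    return totals


def host_attribution(ledger):
    """Per host: interface counts minus the sum of what known programs claim.

    A nonzero value is a packet stream with no owner (or a program
    over-claiming, if negative); both are audit items.
    """
    unattributed = {}
    for proto, iface in ledger["interface"].items():
        claimed = {"sent": 0, "received": 0}
        for program_counts in ledger["programs"].values():
            for direction in claimed:
                claimed[direction] += program_counts.get(proto, {}).get(direction, 0)
        unattributed[proto] = {d: iface[d] - claimed[d] for d in claimed}
    return unattributed


def audit(ledgers, known_losses):
    """Return the list of discrepancies a human should track to root cause."""
    findings = []
    for proto, entry in network_balance(ledgers, known_losses).items():
        if entry["unexplained"] != 0:
            findings.append(
                f"network/{proto}: {entry['unexplained']} messages sent but "
                f"neither received nor accounted for as protocol failures")
    for name, ledger in ledgers.items():
        for proto, diff in host_attribution(ledger).items():
            for direction, n in diff.items():
                if n != 0:
                    findings.append(
                        f"{name}/{proto}/{direction}: {n} packets not attributed "
                        f"to any known program")
    return findings


if __name__ == "__main__":
    for line in audit(HOST_LEDGERS, KNOWN_LOSSES):
        print(line)
```

With the constructed ledgers, TCP balances once the two known losses are subtracted, while UDP shows five packets that alpha's interface sent, that no program on alpha claims, and that no monitored host received; the audit reports both the network-level and the host-level view of that same discrepancy. Note that only sums per protocol cross the host boundary, so the network-level check never learns who talked to whom.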
