Tracking Internet Piracy: Harder Than You Think

Wired Magazine recently published an article called "The Shadow Internet", where it says:

"Anathema is a so-called topsite, one of 30 or so underground, highly secretive servers where nearly all of the unlicensed music, movies, and videogames available on the Internet originate. Outside of a pirate elite and the Feds who track them, few know that topsites exist. Even fewer can log in."

But what are the difficulties in tracking and identifying these so-called topsites? Joel Snyder, a senior network consultant, responds:

It's harder than you might think. Let's say you have some person who you think is A Bad Guy. If they're a US person, and you are the United States Government (USG), then you can probably get their ISP to let you tap their wires. After you go to a judge.

OK, so that's fine, except that everything they do is encrypted. We can't decrypt that (wrong part of the USG), but fortunately the IP address is not encrypted.

So that leads us off to some OTHER ISP. Let's, for the sake of argument, assume that the ISP is in the US. Now USG treks over to that ISP and says "we want to peek." The ISP says "no," of course, so USG goes back to Judge and gets a warrant and ISP (if you're lucky) suddenly becomes cooperative. Except that the server is one of ten thousand piece-o-junk Linux boxes that some hosting company stuck in the data center which they sell web sites off at $2.50/month and so the best thing the ISP can do is point you at the box and disclose who is paying the bill.

OK, go back to the judge, go back to the hosting company that owns the boxes and say "show us." The hosting company says, "that system is being rented by a light bulb distributor out of Reno." (I'm putting them in the US to make things easier, OK?) The hosting company passes over the passwords, the USG logs in (MAYBE or maybe not) and assuming that they don't screw it up (MAYBE or maybe not) they discover that the light bulb distributor has no idea what the hell is going on except that they used to pay $2.50 a month and now they're about to get a $1300 bandwidth bill, which they're going to take out of their system administrator's salary for using 'p4ssword' as the password.

Anyway, enough of this easy stuff: now the trail gets interesting — the logs show that the connections to this box come from Canada. No, let's make it Korea. So what is Mr. G-man going to do? Yeah, he'll send off a couple of email messages which will either (a) get ignored or (b) get a response telling him to get a Korean search warrant.

And then it stops, because Mr. G-man ain't got no Korean judge and he ain't got no budget to go over to Korea and plead his case.

But let's say that he does. By this time, the trail is so cold that the logs are gone (if there were any logs in the first place, which there generally are not), and now he's got to go back to Step 1, or maybe Step 2 or Step 3 but this time he's got to find a German judge or an Italian judge and so on and so on…

Now, if the money were REALLY big and the problem were REALLY aggravating and this was the "once a year case that we want to send out press releases on," maybe he'd get some budget to deal with this. But they seem to do this about once a year, maybe twice if there's an election. Fundamentally, though, without someone driving the investigation via major powerful and highly funded friends in Washington, it's not going to happen.

The existence of large piles of bandwidth concentrated in very large rooms which have thousands of poorly protected servers in them across at least 5 continents means that without really trying very hard the folks who want to keep things a secret are able to do that, simply by being mobile, IP-wise, finding new systems to hack into (trivial), and keeping redundant piles of data around. With a very small amount of care, you could hide your steps from all but the best funded and most persistent of investigators.

And what might be interesting to Wired and its readers probably doesn't match the drugs-and-terrorism program at the Dep't of Justice.

I've got people ONE hop away from me who WANT to cooperate but cannot produce the necessary logs to even point at who the bad guys are that are breaking into their machines.

By Joel Snyder, Network Consultant

Comments

Re: Tracking Internet Piracy: Harder Than You Think Jim Harper  –  Jan 04, 2005 12:53 PM PST

Just a quibble about: The ISP says "no," of course, so USG goes back to Judge and gets a warrant and ISP (if you're lucky) suddenly becomes cooperative.

That's an ISP upholding a privacy promise to users.  It's not "uncooperative" to do that, just appropriate and (often, I hope) contractually required.
