[147884] in cryptography@c2.net mail archive


Re: [Cryptography] DSL modems - how would we detect wholesale

daemon@ATHENA.MIT.EDU (David Mercer)
Tue Oct 29 18:44:49 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <201310281956.r9SJurqQ032287@new.toad.com>
Date: Wed, 30 Oct 2013 02:27:00 +0800
From: David Mercer <radix42@gmail.com>
To: John Gilmore <gnu@toad.com>
Cc: Cryptography <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


On Tue, Oct 29, 2013 at 3:56 AM, John Gilmore <gnu@toad.com> wrote:

> > Many DSL modems contain a small switch, which if it's the only switch
> > in a small home or office network, would make all packets among local
> > nodes accessible to malware running in that DSL modem.
>
> And most DSL modems are provided by your giant telco DSL provider --
> such as AT&T -- which we already know has a long history of covertly
> sucking up to NSA.  Besides their longstanding cooperation on domestic
> and foreign fiber taps, they also produced the first-and-only Clipper
> Chip subverted "telephone security device" for making voice calls that
> "nobody but NSA" could listen to.  How hard would it be, really, for
> them to subvert all their DSL modems to wiretap your LAN?
>

Easier than you think. Nearly all DSL modems use the ATM protocol to
connect to the telco network. The ATM switch, if not the modem itself, can
usually be configured to set up virtual circuits that mirror traffic from
an interface or another virtual circuit.

So all that would be needed is for your local Older Brother to get the
telco to set up their network to allow them to turn up virtual circuits
that are pre-configured to send either local LAN switchport traffic or
mirror your WAN traffic. It's a config option, no subversion needed. My
past life in network engineering let me confirm in a minute or 3 via
Google that at the very least Juniper gear can do this. I doubt Cisco
would leave out such a feature. There are of course non-surveillance use
cases given for all such things.

And we're now off in infosec land, off the crypto path, and I'll just
leave it there.

-David Mercer
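The "config option" the message refers to, shown as an added example
that is not part of the original post and not taken from either vendor's
documentation: an Ethernet port mirror on a Juniper EX switch (Junos set
syntax) and the Cisco IOS SPAN equivalent, each followed by the show
command an operator would use to audit a box for such sessions. The
session names (tap-1, session 1), the subscriber port (ge-0/0/1 /
GigabitEthernet0/1) and the collector port (ge-0/0/24 /
GigabitEthernet0/24) are assumed for illustration. The ATM
virtual-circuit form the author mentions is the same feature class on
the WAN side and is not shown here.

```text
# Junos (EX series, set syntax). Copy every frame the subscriber port
# sends or receives to the collector port; the subscriber sees nothing.
set forwarding-options analyzer tap-1 input ingress interface ge-0/0/1.0
set forwarding-options analyzer tap-1 input egress interface ge-0/0/1.0
set forwarding-options analyzer tap-1 output interface ge-0/0/24.0
commit
# Audit: list configured analyzers and their state.
show analyzer

! Cisco IOS equivalent (SPAN). "both" mirrors ingress and egress.
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/24
! Audit: list all configured SPAN sessions.
show monitor session all
```

Neither configuration touches the mirrored port's own behaviour, so the
subscriber has no signal to detect it from; the only countermeasure that
holds against a mirror on gear you do not control is end-to-end
encryption of the traffic itself.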


_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography