Archive for the ‘monitoring’ Category

Bandwidth requirements for a basic audio stream

January 1st, 2009 Clear2Go No comments

I signed up and started periodically using last.fm in Feb 2006. I stopped in August 2006 and didn’t go back to it until just this past December. If you are wondering how I know that in such detail, it has to do with how last.fm keeps a profile on you, but I’ll save that for another post. I have found that the selection of music it picks for me has greatly improved since I first signed up.

There are different encoding formats for video and audio that affect the bandwidth and timing requirements for the transmission of streaming content. Ignoring the technical details around this for now, if an end user decides to stream audio from a service such as last.fm, how much bandwidth do they require to listen to that single stream? To test this, I selected a track that was approximately 120 seconds in length and captured the audio stream while it played. The track played fine with no delays or problems. I captured the audio stream in two places: on the laptop where the song was being played, and on my service provider’s network at the demarcation point between my service provider and their upstream service provider. Capturing the same stream at two points allowed me to compare both captures for issues such as dropped packets or other anomalies or problems. My provider actually has two upstream providers, but a quick check of the BGP routing table showed all the data for last.fm coming from just one of the upstream providers.

Comparison of the two streams showed only 2 packets were lost between entry into my service provider and receipt of the packets on my PC (kudos to my service provider). Bandwidth requirements for a 120-second song were approximately 0.157 Mb/s. That single song consumed approximately 2.1 MB of data, which is pretty consistent with a typical decent quality MP3 file (depending on encoding).

Service Provider stream summary

Local PC stream summary

Using simple math, if a service provider has 5000 subscribers and we assume that at peak 1% are listening to streaming audio in their home via one of the many services available on the Internet, that is a minimum rate of 7.85 Mb/s of bandwidth allocation the service provider must provide for the subscribers just listening to streaming audio. This does not include services such as web browsing, online gaming, watching video, downloading, or any other of the tasks that can be done over the internet. The demand to have more bits per second to the home is going to constantly increase. Whether service providers are able to keep up with this demand is a subject of debate.
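The two-point comparison and the provisioning estimate above can be reproduced in a few lines. This is an added example, not the capture tooling used for the post: the packet records are constructed to land near the measured 0.157 Mb/s, and `packet_id` is an assumed stand-in for whatever identifies the same packet at both capture points.

```python
# Constructed capture records: (timestamp_s, packet_id, length_bytes).
# packet_id stands in for whatever uniquely identifies a packet at both
# capture points (assumption: e.g. IP ID plus TCP sequence number).

def make_capture(drop=()):
    """Build a constructed 120 s stream: 15 packets/s of 1308 bytes each."""
    return [(i / 15, i, 1308) for i in range(1800) if i not in drop]

def summarize(capture):
    """Packet count, byte count, duration and average rate for one capture."""
    total_bytes = sum(length for _, _, length in capture)
    duration = capture[-1][0] - capture[0][0]
    return {
        "packets": len(capture),
        "bytes": total_bytes,
        "duration_s": duration,
        "avg_mbps": total_bytes * 8 / duration / 1e6,
    }

def lost_between(upstream, local):
    """IDs seen at the provider demarcation point but never at the PC."""
    seen_locally = {pid for _, pid, _ in local}
    return sorted(pid for _, pid, _ in upstream if pid not in seen_locally)

def peak_audio_demand_mbps(subscribers, fraction_listening, stream_mbps):
    """Aggregate rate if that fraction of subscribers streams at once."""
    return subscribers * fraction_listening * stream_mbps

PROVIDER = make_capture()                   # capture at the demarcation point
LOCAL_PC = make_capture(drop={400, 1200})   # same stream, two packets missing

if __name__ == "__main__":
    for name, cap in (("provider", PROVIDER), ("local PC", LOCAL_PC)):
        print(name, summarize(cap))
    print("lost:", lost_between(PROVIDER, LOCAL_PC))
    rate = round(summarize(PROVIDER)["avg_mbps"], 3)
    print("peak demand Mb/s:", peak_audio_demand_mbps(5000, 0.01, rate))
```

The estimate uses the average rate, so it is a floor: players that buffer in bursts will push the short-term peak above it.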
Categories: monitoring Tags:

Covert Monitoring of IM

October 3rd, 2008 Clear2Go No comments

More news articles from stv.tv and EFF have been published on China working with Skype to search chat conversations for key words etc., based on the investigative work done by a Toronto-based researcher. Although this is not a good thing for Skype, I wonder about other IM platforms such as MSN. I have friends in China that also use MSN regularly. If China has a policy to monitor IM transmissions for Skype, logic would dictate that they are doing the same with MSN and other chat programs as well.

Categories: monitoring Tags:

Chinese monitor Skype transmissions

October 2nd, 2008 Clear2Go No comments

This is not a surprise. There have been suggestions of Skype being monitored before. A research paper by Nart Villeneuve about the Chinese monitoring of Skype messaging has been published as well as a news article about the paper.

Just because something is encrypted does not mean it is secure. The fundamental problem is that of control. When businesses outsource their data storage or processing to third parties, or one uses social networking sites, it may no longer be your data. Even if it is your data, you have given up some if not all control of the data. Deleting data such as a record, audio file or photograph does not mean it is actually deleted. Chances are very high the data is never really deleted and can be brought back. Try deleting your Facebook profile for a week, then re-create it. You’ll find everything comes back, just as you left it.

Categories: monitoring Tags:

Surveillance of people

August 20th, 2008 Clear2Go No comments

I came across this article. It is a great synopsis of how easy it is to track the location of someone using their own mobile phone. Third-party companies are popping up to offer services like this. How do they do it? It is easy since some service providers are selling location data to anyone that wants it. What interested me about the article is it highlights how security analysis is changing. If you look at many of the current research papers and projects they involve using statistical data to determine patterns and what a particular user or group of users is up to. This removes the need for signatures, and also can yield useful information even if encryption is present.

Some key statements in the article that caught my attention:

  • Anyone can, for instance, sign up – at £29.99 a year – to mapAmobile.com (‘you’ll always know where your loved ones are’), which allows you to follow the movements of your ‘family and friends’ on a computer screen
  • That this sort of enterprising solution is possible is the result of the major networks – in the UK, Vodafone, Orange, O2 and T-Mobile – having decided, in around 2002, to sell their location data to any company willing to pay for it.
  • the information your phone provides is out there anyway. It doesn’t belong to you, and anyone with the required resources can do with it what they will.
  • Everyone on a network, he said, is part of a group; most groups talk to other groups, creating a spider’s web of interactions.
  • The remaining groups ranged in size from two to 142 subscribers. Members of these groups only ever called each other – clear evidence of antisocial behaviour – and, in one extreme case, a group was identified in which all the subscribers only ever called a single number at the centre of the web. This section of the ThorpeGlen presentation ended with one word: ‘WHY??’
  • It also sells ‘profiling’ systems, which measure the behaviour pattern of an individual subscriber and, using statistical analysis, determine whether that same pattern is now appearing from another source.

A recent example of this type of research is the Switzerland project which is currently in alpha at the time of this post. This is an open source project designed to detect when service providers modify or change subscriber packets before letting them continue on in the network.

Another research project was able to detect what movie you were watching via a Slingbox even though it was encrypted.

Categories: Forensics, Mobile/Wireless, monitoring Tags:

Tracking people on the Internet

July 31st, 2008 Clear2Go No comments

Ever wonder how you can track someone on the Internet or prove that someone did something? How do the bad guys do it? How do the good guys do it? This is an excellent example! Good investigative work and a little social engineering thrown in for good measure.

Categories: Forensics, Security, monitoring Tags:

Skype has a backdoor

July 25th, 2008 Clear2Go No comments

An article expressing concern that Skype has a backdoor. There may or may not be a backdoor. Regardless it is important that everyone that uses Skype assume there is a backdoor. Why? The client they produce is closed source so the code is not reviewed independently of the company. The protocol they used is encrypted and closed source as well. This protocol is not reviewed by anyone outside the company. The authentication servers are completely under their control. The entire functionality of the Skype system, the clients, servers, data routing, data encryption is all under their control, not yours.

Assuming the above is true, let’s pretend that Skype has inserted a backdoor. Why would they do this? There are several reasons. Testing is the first one that comes to mind. A new version of the client is being developed and the ability to test and analyze for any issues is necessary. A backdoor permits developers and testers to capture calls to check for problems, call quality and anything else that would be necessary to diagnose. Maybe the country where head office is located requires all VoIP providers to have the ability to intercept VoIP calls. If they wish to do business in this country they have no choice but to comply. I have consulted for companies where the government requires that Skype be blocked because it cannot be intercepted. If Skype wishes to get presence in these countries it makes sense for it to comply.

If Skype adds interception and monitoring capabilities, and they have competition with other VoIP vendors for market share, it may not make good business sense for them to announce this publicly, especially if they have no legal reason to do so.

This problem is not Skype specific. As more and more online services such as Gmail, Google Docs, CRM vendors, backup vendors and others (this list is not exhaustive and it will grow) stop offering systems to purchase and offer a ‘service’ where your data is in their possession, this is a risk. Companies need to assess this risk. If you choose to put confidential client information on Google Docs, or use Gmail for confidential email, you should always assume that someone at Google has the ability or can create the ability to extract the data if necessary. The company may state that they will not do this, but if they are ordered to by Government, Law Enforcement or they have a ‘bad’ employee that is willing to do it then you are out of luck.

A perfect example of this happening in the past is with Hushmail. The news article is here. Hushmail was considered a free email service that was ‘secure’. They originally sold themselves as using encryption where only you had the password to unlock the data. They stated that even Hushmail and its employees could not unlock the data without your passphrase. Then one day, ‘surprise’, they provided a bunch of CDs containing unencrypted emails of a Hushmail account to officials when requested. If you think about it, the ability to do this makes complete sense. They offered a Java program where an individual would type in their passphrase, which would unlock the encryption key stored on the Hushmail server and permit the Java program to decrypt the stored e-mail to display in clear text. It would be trivial to write the code to include a ‘switch’ on an account that would send a copy of the passphrase to Hushmail when the user keyed it in. Now on the Hushmail servers is the encrypted secret key and the passphrase to decrypt it. Using this key, they can now decrypt all your email which is stored on the servers and do with it as required.

At any point if a company chooses to store its data off site, or use programs or services from third parties that have control of the source code and/or the associated services, there is a risk of data being lost or ending up in unintended hands. This is a business risk that needs to be evaluated in each case. These types of issues will only increase as more and more services are offered over the Internet.

Mis-Interpretation of DDoS attacks and "The Tiger Effect"

June 18th, 2008 Clear2Go No comments

This post caught my attention. I actually had a call from a customer asking me if I was aware of any internet outages or large scale attacks happening. We pulled data from one of his links. You can clearly see the increase in streaming. The dotted red line shows a typical day on this particular link. Note the times are in Eastern Daylight Saving Time (EDT).

Typical Day


U.S. Open Championship Day

It is easy to see how a service provider might think they are under a DDoS attack. It is important that solutions that detect DDoS attacks use behavioural metrics to remove false positives. This is a perfect use case example. Often security vendors that cannot differentiate between surges of popular sites or peer to peer files and a DDoS attack will tell you that it can’t be done. This is simply not true. There are products that do this effectively. By combining metrics from different points on a network, using protocol analysis, and other vectors, real DDoS attacks can be properly distinguished from these types of unexpected increases in bandwidth.

If you ever wonder about the ability of a vendor that claims they can detect and block DDoS attacks, this is a great test case.
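A minimal sketch of the behavioural approach described above, separating a surge in subscriber-requested streaming from unsolicited traffic aimed at one target. This is an added example, not code from the post or from any vendor's product; the flow fields, thresholds and sample windows are assumptions constructed for illustration.

```python
from collections import Counter, namedtuple

# Constructed flow summary; field names are hypothetical, not an exporter schema.
# solicited=True means the inside host opened the conversation (as seen at the
# subscriber-facing vantage point); byte counts come from the upstream link.
Flow = namedtuple("Flow", "src dst bytes solicited")

# Illustrative thresholds (assumptions); tune against your own baseline.
SURGE_FACTOR = 1.5     # window volume relative to the typical-day baseline
SOLICITED_MIN = 0.8    # byte share that answers subscriber requests
TOP_DST_MAX = 0.5      # byte share landing on a single inside address

def metrics(flows):
    """Behavioural metrics for one time window of inbound flows."""
    total = sum(f.bytes for f in flows)
    per_dst = Counter()
    for f in flows:
        per_dst[f.dst] += f.bytes
    return {
        "bytes": total,
        "sources": len({f.src for f in flows}),
        "solicited": sum(f.bytes for f in flows if f.solicited) / total,
        "top_dst": max(per_dst.values()) / total,
    }

def classify(flows, baseline_bytes):
    """Label a window as normal, flash crowd, suspected DDoS or needs review."""
    if not flows:
        return "normal"
    m = metrics(flows)
    if m["bytes"] < SURGE_FACTOR * baseline_bytes:
        return "normal"
    if m["solicited"] >= SOLICITED_MIN and m["top_dst"] <= TOP_DST_MAX:
        return "flash crowd"       # many subscribers pulling popular content
    if m["solicited"] < SOLICITED_MIN and m["top_dst"] > TOP_DST_MAX:
        return "suspected DDoS"    # unsolicited traffic piled on one target
    return "needs review"

BASELINE_BYTES = 100_000_000   # constructed typical-day volume for this window
# Constructed windows; outside hosts use documentation address ranges.
QUIET = [Flow("203.0.113.1", f"10.0.0.{i}", 2_000_000, True) for i in range(1, 41)]
EVENT = [Flow(f"203.0.113.{i % 3 + 1}", f"10.0.0.{i}", 2_000_000, True)
         for i in range(1, 201)]
FLOOD = [Flow(f"198.51.100.{i}", "10.0.0.5", 2_000_000, False)
         for i in range(1, 201)]

if __name__ == "__main__":
    for name, window in (("quiet", QUIET), ("event", EVENT), ("flood", FLOOD)):
        print(name, classify(window, BASELINE_BYTES), metrics(window))
```

EVENT and FLOOD carry the same volume, four times the baseline, so a volume threshold alone would flag both; only the solicited share and destination concentration tell them apart.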

Categories: monitoring Tags:

Monitoring E-Mail

June 5th, 2008 Clear2Go No comments

Today on CBC Search Engine, there was discussion about companies that read employee e-mail, why companies read e-mail and the fact that many have a manual process for accomplishing this task. The company that was interviewed by Search Engine was Proofpoint. They make several automated solutions to accomplish monitoring e-mail. One of the comments made was that they can monitor e-mails via Hyper Text Transfer Protocol (HTTP) or web-based e-mail, such as Gmail, Hotmail or other types of web-based mail services. This is all true and very possible.

What I find amusing is there are so many simple ways to smuggle out information from a company that monitoring e-mail seems to be a waste of time and money. One could copy the information to a laptop and download it to a computer at home. Copy the information to a USB key, CD or DVD and take it home. One could print the information out on paper (since most companies don’t monitor what is printed). None of these methods require expensive or complicated technology. If I wanted to get information out of the office and I even suspected that e-mail, IM or transmissions were being monitored, these ways are the simplest and least likely to arouse suspicion. Unless a company plans to manually search you and your belongings every time you enter or exit the building, including checks of laptops, USB keys, and other media, I don’t see the point of investment in technology to monitor e-mail.

Proofpoint stated that it is often used to watch for employees spending too much time on personal versus work related issues. I suppose this is a valid use, but personally I don’t manage that way and I doubt I would ever work for a company that did manage that way. If people are getting their work done then I’m not going to worry if they send personal e-mail, surf the web or decide to take an extra 10 minutes at lunch. I believe it is important that you can trust your employees and they feel a sense of responsibility towards their work. If this is missing then the company has bigger issues that monitoring e-mail or other flows of information will not solve.

The other concern I have with all this “monitoring” going on is that it will increase the adoption rate of encryption and other stealth technologies. Governments, businesses, and law enforcement wanting to monitor people’s e-mail, web surfing, files shared and downloaded will force software and developers to add encryption and other forms of covert data transmission into the software more quickly. Most E-Mail servers for example have encryption (TLS) support now. As encryption becomes more available in e-mail clients and set to be the default mode of communication the encryption will be transparent to the user. Encryption is something that law enforcement is running into more and more. It hampers their investigations. This is bad when you are actually trying to catch the bad people distributing drugs or child pornography. I picture an Internet where all communication is encrypted or obfuscated in different ways to avoid “monitoring.” What will we do then? Probably have discussions about key escrow, outlawing encryption, and other silly conversations we have had in the past that never worked.

Identity Theft and your SIN number

June 1st, 2008 Clear2Go No comments

In Canada most citizens will have a Social Insurance Number, commonly referred to as a SIN number. I recall getting mine when I was a teenager and was going to start working. Nowadays, you get one almost as soon as you are born. My daughter obtained one within months of her birth. I recall that, because I was surprised and for some reason I recall it was required. Of course, that immediately triggered thoughts of why do they need to do this now? Tracking? More detailed history of people? These and other conspiracy thoughts went through my mind.

Here is an article about an individual in Ontario, Canada, who was the victim of identity theft through no fault of his own. The government was unable to properly secure sensitive information, and his identity was stolen. In the article it is stated:

“I don’t want any money — not a dime,” he said. “I just want a new social insurance number so that I can disassociate myself from the fraud and start my life over again.”

Seman said he has been fighting for a new SIN number in writing, in person and on the telephone for five years, but hasn’t been able to get one.

“How hard can it be?” he said.

Unfortunately, very hard. This is a very difficult and expensive problem, and even trying to solve it will not guarantee a solution. Today, a SIN number is the one thing that connects you the most. Almost any form you send to the government will have your SIN number. This number will be linked with all medical information on procedures that you have had, doctors you have seen, prescriptions you have been given. Financial corporations require it for financial transactions, bank accounts, mortgages, loans, stock trading. It is the key to your credit rating. Companies you work for require it so they can submit income and other financial information to the government. This one number links you throughout the government, throughout the medical and financial worlds both in public and private databases and paper file systems. It really is a ‘key’ to finding out everything about you. And that is exactly how it is used.

In order to offer the ability to change your SIN number, the government would have to have a way to change every record in every database both public and private. It would have to be able to change this number on forms and records that have been filled out that are not electronic. If any mistake is made, then information on you is effectively lost. For example, suppose you were rushed to a hospital unconscious from a car accident. From the identification on you, a driver’s license confirmed your identity, which led them to your SIN number. The SIN number permitted the hospital to pull your medical records. Now suppose you had your SIN number changed, and a major medical procedure you had a few years ago at a medical facility did not change the SIN number. That information is now lost and is not available to the medical staff getting ready to treat you in the current emergency situation. One could argue that they can use name, birth date, and other details to find the required information. Although this is somewhat true, it is not as guaranteed as a SIN number. The SIN number is the best assurance of the accuracy of the linking of the information. Is this a bad thing? Maybe or maybe not.

The risk of giving individuals the ability to have their SIN number changed is not worth the overall risk of not being able to gather information or missing information by government, law enforcement and anyone else looking to obtain details about you. That is why the solution is to give you negligible amounts of money, and offer you free credit report checking. It is easier and much less risky. Currently the number of people that have their identity stolen versus those that don’t is small.

Of course identity theft will only increase and this problem will get worse. Eventually, they will be forced to deal with it on a global scale. There are procedures I believe to obtain a new SIN number. Witness protection program and things of that nature, but these are very few scenarios, few people and are manageable.

Today, the problem is expensive to solve, difficult to solve with no guarantees of not having information lost, and it affects a few minor people’s lives. Government response is unfortunate, but logical. Personally, I don’t agree with it, but until it gets more visibility either by many more people being affected or a few very public people having their identities stolen not much will happen beyond the preventative steps you see today.