Surveillance of the Internet Backbone

Vice has an article about how data brokers sell access to the Internet backbone. This is netflow data. It’s useful for cybersecurity forensics, but can also be used for things like tracing VPN activity.

At a high level, netflow data creates a picture of traffic flow and volume across a network. It can show which server communicated with another, information that may ordinarily only be available to the server owner or the ISP carrying the traffic. Crucially, this data can be used for, among other things, tracking traffic through virtual private networks, which are used to mask where someone is connecting to a server from, and by extension, their approximate physical location.

In the hands of some governments, that could be dangerous.

Posted on August 25, 2021 at 10:13 AM • 44 Comments

Comments

ResearcherZero August 25, 2021 11:06 AM

I am also

“concerned that netflow data being offered for commercial purposes is a path to a dark fxxking place,”

echo August 25, 2021 11:15 AM

So traffic analysis for plebs? This makes what happens at the governance layer at the top more important.

Because of its huge size the US has a massive distorting effect internationally due to its refusal to bring UN obligations within its own legal framework. I have been “advised” by legal scholars at the very top of the US legal system this is a “done deal”. Myself I feel this falls more into “they would say that”. It naturally follows regulation as well as cultural and business practice and other issues come under the spotlight. These data brokers are the end result of this sausage factory.

Then include individual silos buying and selling data and de-anonymisation.

No I don’t trust the US and wonder how much espionage plays its role in things like Koch Industries of all people taking over Morrisons, and the ARM takeover, and Liberty Media buying up Virgin Media (which is really a takeover of the branding obtained by NTL which bought up Telewest and everyone else), and Lockheed processing census data, and Palantir getting its grubby mitts on NHS data to a level only UK security services had previously.

Also I never did get an answer to who owned Team Cymru and where they were based. I’m also very doubtful about any “security” company focusing on “tech” which doesn’t place things in the bigger context. Oh, wait. They have a product to sell: “Pure Signal Recon”. That explains a lot.

AN August 25, 2021 12:37 PM

@echo

It’s all used to screw us over.

I too wonder which country is responsible for that group?

name.withheld.for.obvious.reasons August 25, 2021 3:08 PM

Uh Oh, sounds like a Cisco firewall problem…

If I remember, GCHQ was very interested in something like this back in the late oughts and early teens.

name.withheld.for.obvious.reasons August 25, 2021 3:21 PM

@Guessing or #Not2FunnyEither

There is a server or two somewhere chewing away at this, probably to flatten the Bayesian nodes and improve the Kalman filtering of raw signal.

Hedo August 25, 2021 3:28 PM

I, a nobody, figured it out a long time ago. I am very saddened by the fact that “Freedom” in America is still being “sold” to her citizens and the rest of the world. We the People are financing it all and can’t do shite about it. DISGUSTING.

Clive Robinson August 25, 2021 4:01 PM

@ ALL,

This is kind of old news…

OK it’s nice of Vice-Motherboard to tie a bow around and name one of several names involved[1] but let’s be honest folks, who really did not think this sort of surveillance was happening?

I’ve mentioned for years that people really need to look at the geo-map of the Internet and where it physically was/is. That is where all the choke and landing points are along with the geo-politics of whose jurisdictions they fall in and the fact the Internet is built on an “All Roads Lead to Rome” format with the US being like the female spider sitting in the middle of the web listening to the vibrations.

I’ve even mentioned the UN ITU 2014 meeting in Doha, where the Internet very nearly ceased to be, with various nations voting to split out most of the services currently under US control.

Also how many times do people need reminding that in the US the idea is to “market everything” no matter how worthless or how much harm it causes.

So at the end of the day there will always be “bottom feeders” looking for Angels to invest in their pointless and frequently worthless schemes. With the idea of puffing it up and selling it on, more than half those ICT Startups have no product or customers, yet they chase investors…

With such toxic behaviour being rife, it must surely have made people realise that every byte that moves on the internet was turned into a product years ago, all it needed was slick presentation.

[1] By the way “Cymru” is Welsh for Wales (that small country attached to the West side of England). Whilst the company has US and English offices, I do not believe they have anywhere in Wales… Kind of makes a statement about them really.

Sok Puppette August 25, 2021 6:46 PM

So, Clive, Cymru started out as a personal project of a guy named Rob Thomas, must’ve been 20 years ago. I vaguely remember that it was around when DDoS got popular and there was a desire to trace the stimulus streams. He’s still the CEO over there. I don’t know how he picked the name, but then and now he calls himself “Rabbi”, so I’m guessing he’s just into random names that resonate with him.

I very much doubt Cymru ever had any angel or VC funding, and I’m not sure there was ever a plan to make that much money off of the whole thing. Presumably there’s been some effort to make it self sustaining, because you gotta eat.

“Threat intelligence” seemed like a good idea back in the mists of time even to me, and I’m as anti-surveillance as they come. And, perhaps oddly, Rob Thomas is on the Tor Project’s board of directors, so one may assume he has a more complex relationship with surveillance than you’re giving credit for.

So please stop with the “startup bottom feeders” stuff.

And, by the way, I would be SHOCKED if pretty much every company involved with this stuff isn’t getting TONS of data from outside the US.

I do think it’s time for everybody to stop collecting Netflow, though. I never liked the whole concept.

SysRq August 25, 2021 9:10 PM

So the Cymru is Janus, the Two-Faced God. Pretends to be ethical cybersecurity company, but at the same time helps to spy on us.

This infosec industry is really fscked up in a very bad bad way.

SpaceLifeForm August 25, 2021 10:51 PM

“Old Age and Treachery Will Triumph Over Youth and Skill”

We shall see. At this point in time, I could go with this variant:

“Traffic Analysis Will Triumph Over End-To-End Encryption”

Winter August 26, 2021 12:38 AM

@All
This is not a USA thing. It helps to take a look at the Internet Exchanges in the world:

Here is a list by size:
ht tps://en.wikipedia.org/wiki/List_of_Internet_exchange_points_by_size

Here is a map:
ht tps://www.internetexchangemap.com/

The 10 largest IEX nodes are outside the USA, the three largest being in Brazil, Germany, and the Netherlands.

I for one know that Dutch Intelligence regularly installs “monitors” inside the Amsterdam IEX. AIEX is the node where the cable between the US and continental Europe lands.

Winter August 26, 2021 1:43 AM

And China knows about the importance of this too:
ht tps://www.theregister.com/2021/08/25/china_singapore_net_link/

“Moving forward, the China-Singapore (Chongqing) Demonstration Initiative on Strategic Connectivity (CCI) will continue to serve as a strong catalyst for wider collaboration between Western China and ASEAN, which is Chongqing’s largest trading partner,” said Singapore’s Infocomm Media Development Authority (IMDA) in a canned statement.

This connects ASEAN to the Sichuan Basin in China, pop. ~100M.

name.withheld.for.obvious.reasons August 26, 2021 1:52 AM

@echo
I was spending some time a few years back at Silicon Fen, was an interesting time. Met this guy named James Woolsey, seemed bright enough–just didn’t understand where he was going.

@SysRq
That’s funny, and not.

Wanted to contribute: fsck’d all to /dev/null, or fsck’d to bell.

Okay, not too funny but had to take it somewhere it bit, or nibble in this case, lighter.

With all the FDDI and SONET long haul fiber trunks, the management interfaces are quite simple (some of the management protocols are less simplistic OSI 1/2, but X.25 is a good friend)–and many times accessible. And with Software Defined Networks, it portends to get just a little bit more interesting.

When it comes to line, switch, and packet management, the tendency is to simplify access for admins. It is interesting to see over the past two years for example, switch and router CatOS vulnerabilities pop up all over the place. Though Cisco’s layer two management is a decent platform to design well functioning networks, that layer two management falls down hard in inter-manufacturer interfaces. Extended VLANs, multicast BPDU storms/ID problems, SPT funniness, and other neat features that are interesting before ever getting to layer three.

name.withheld.for.obvious.reasons August 26, 2021 2:16 AM

One problem that works to the top of this cross-connecting and trunk/link aggregation, many protocols work on the assumption that any one stream is available, to any one person, at any one time. What happens next; any and all streams, by anyone, all the time? Sounds bad, thanks Bradbury.

Just had an analogous brain fart, imagine a window in your home looking out into the backyard, roughly 2 1/2m high, 3m wide. A full picture window, but, the blinds are opaque and can be controlled to display any other similar picture window from anywhere in the world. Being able to see the backyard of any and all people is interesting, but I don’t find it compelling. Seems to me that smacks of the suffering endured by those diagnosed with Encino Complex.

Who? August 26, 2021 5:37 AM

@Bruce, ALL

In the hands of some governments, that could be dangerous.

In the hands of which government that is not dangerous?

Winter August 26, 2021 5:41 AM

@Who?
“In the hands of which government that is not dangerous?”

Iceland? Switzerland?

Who? August 26, 2021 6:01 AM

From the VICE’s article:

ISPs are quietly distributing “netflow” data that can, among other things, trace traffic through VPNs.

I think people do not understand what a VPN is. In recent years VPNs have been used as an obfuscation layer that “drops” traffic coming from our machines at a random place on the Internet. This is not the way VPNs [should] work; this is not the problem VPNs solve. A VPN should be end-to-end—it starts on our network’s router and ends on a remote network we want to reach. VPNs should provide some sort of “network isolation”, in the sense we can restrict what services and hosts are reachable, and privacy for traffic between those networks, making both networks work together as a single one by setting up an encrypted –i.e. private– link between them, but it has certainly not been designed to drop traffic anywhere on the world so we feel “safer”.

Certainly we should not expect privacy from the Internet backbone; anything technically possible on the backbone is being done right now from capturing and storing that traffic up to labelling it so it is fully traceable. Netflow is a well-known protocol proposed in the nineties. Why are we surprised it is being used? Why are we surprised data brokers have been built around the Internet backbone? Seriously, why?

Who? August 26, 2021 6:08 AM

@ Winter

From hxxps://www.state.gov/u-s-relations-with-switzerland-2/:

The United States and Switzerland have signed a number of agreements creating mechanisms that deepen cooperation and improve the relationship […] and the revised Operative Working Arrangement on Law Enforcement Cooperation on Counterterrorism. […] Another vehicle for bilateral cooperation is the U.S.-Swiss Joint Economic Commission, which covers anti-money laundering efforts, counterterrorism, regulatory cooperation, and intellectual property rights, among other topics.

So I have serious doubts with relation to Switzerland at least. And, indeed, it is sad adding the United States to the list of countries that cannot be trusted.

Winter August 26, 2021 6:38 AM

@Who?
“So I have serious doubts with relation to Switzerland at least. And, indeed, it is sad adding the United States to the list of countries that cannot be trusted.”

For non-Americans, the USA have never been trustworthy. And honestly, I trust the Swiss better in protecting my privacy than any US institution.

Untitled August 26, 2021 6:56 AM

@Who?
Only now adding the United States to the list of countries that cannot be trusted? It’s been public knowledge since 2013 that the US cannot be trusted, and most of us here surely knew that long before.

echo August 26, 2021 6:56 AM

@Who

Knowing how the US has abused its position I’m not reading the officialese in the best light. Words can be very malleable and the plain reading isn’t necessarily what is meant. I’m left wondering where the next punch is coming from.

I’ve now heard of two reports from different sources on different problems which indicate the view of staff and the official policy position do not always coincide. One is relating to the US and the other to the UK and they both paint a worrying picture of politicians and senior officials being out of step both with the law as-is and society as it is today.

As I was writing this I’ve just read another report uncovering secret meetings between officials and bad actors currently subject to a pending legal case. (I can claim to have initiated this case but I don’t get along with the people involved so you won’t find me anywhere near it. There’s also a case making its way to the ECJ I was asked to be a co-sponsor of and much the same can be said of that too. It was actually my idea and someone else stole it but I’m not objecting too much as they’re doing all the work.) The point I’d like to make with this comment is that internet data flows aren’t where the action is happening. They can be more a symptom of allegiances and discussions and decisions being made. More of a reaction than an action.

By and large people are not rational but social and emotional beings more than they would like to think.

One last thought is the people who create these tools and the people who buy and sell, or who simply buy the data aren’t necessarily people equipped with the skills to see the big picture or put things in an ethical and social context. Some of these people are also decidedly unpleasant and have lobbying and other influence. There’s times when I find it hard to tell the difference between them and the likes of the Taliban if there is a difference at all.

MrC August 26, 2021 7:03 AM

Perhaps now would be a good time to revisit the question “How does one evade traffic analysis?”

Fleet broadcast works. But full-on all-to-all fleet broadcast doesn’t scale.

To the best of my knowledge, any form of partial fleet broadcast will fall to traffic analysis because the list of who received the most packets originating from you will eventually wind up with your real communications partners concentrated near the top. Can anyone comment on whether this is unavoidable (as I believe it to be)? If it’s not, please kindly explain how to avoid it.

TOR’s issues are well documented. If I understand correctly, traffic analysis can only be evaded by presenting as a new node under a new IP every few days. That might be fine for actual hackers war-driving or hopping cyber-cafes, but it’s pretty useless for ordinary people who would just like some damn privacy.

The only thing I can think of with any promise is detouring traffic through (a network of) private hardware with multiple points of egress to the internet. A “dark onion,” if you will.

Lilia August 26, 2021 2:02 PM

The only thing I can think of with any promise is detouring traffic through (a network of) private hardware with multiple points of egress to the internet. A “dark onion,” if you will.

That’s very difficult to do securely—you’re screwed as soon as someone figures out who owns all that hardware, which is why the Navy people developed Tor. They needed non-Navy people on the same network, so that people wouldn’t be able to infer that everyone on the “anonymous” network was in the Navy. That’s kind of why Tor remains the standard suggestion for avoiding network surveillance, despite its known shortcomings. It’s used by a large group of people—not just a few hundred cypherpunks—and can access regular internet services (…not just those run by cypherpunks), while giving some protection against casual traffic analysis. It’ll protect people reasonably well against their own ISPs, and maybe still give some protection against more powerful adversaries (after all, the NSA famously said “Tor stinks” in a secret presentation; and we’ve seen authorities use zero-day browser exploits rather than attacking Tor itself—which could be parallel construction, though it would be worrying if they were willing to burn zero-days just for that).

SpaceLifeForm August 26, 2021 3:24 PM

@ MrC

Traffic Analysis can be defeated.

It just requires a lot of Nodes, and a lot of Noise. Simple, right?

SpaceLifeForm August 26, 2021 5:25 PM

@ Joshua

Do you control both endpoints of your VPN?

VPN is semi-trustable if you need to access your org remotely.

Otherwise, never use a VPN. Or TOR.

Oh, and do some research into BGP and DNS.

HTH. HAND.

Lilia August 26, 2021 6:01 PM

@Joshua Herzig-Marx

For someone only medium smart like me – how does this kind of traffic analysis expose my VPN traffic?

If your VPN is forwarding your traffic back out to the internet (as opposed to a corporate-type VPN used to access “local” servers), the attacker might find correlations. For example, update.microsoft.com sends packets to the VPN server at 1234 kb/s, and the VPN sends you encrypted packets at 1234 kb/s. And there’s an acknowledgement packet sent from the VPN to Microsoft every time you send a small encrypted packet to the VPN. Someone who sees both those traffic flows might be able to expose you as a closeted Windows fan—even though all the traffic was encrypted and other people were using the VPN.
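The rate matching described in the comment above, worked as an added example (not code from the comment’s author or from any VPN product): two constructed bytes-per-second series, one for the upstream server-to-VPN link and one for the VPN-to-client link, are compared with a lagged Pearson correlation, and the same comparison is then run against a constant-rate padded tunnel to show why padding removes the signal. The rate values, the 5% encapsulation overhead and the one-second forwarding delay are assumptions for the illustration.

```python
"""Flow-rate correlation and constant-rate padding.

Added illustration of the correlation described in the comment above; the
rate series below are constructed sample values, not measurements.
"""
from statistics import mean


def pearson(xs, ys):
    """Pearson correlation of two equal-length series; 0.0 when either is constant."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("series must have equal length of at least 2")
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0  # a constant-rate series carries no timing signal to correlate
    return cov / (vx * vy) ** 0.5


def best_lag(rates_a, rates_b, max_lag=3):
    """Slide rates_b later by 0..max_lag seconds and return (lag, correlation)
    for the strongest match; the lag absorbs the tunnel's forwarding delay."""
    best = (0, 0.0)
    for lag in range(max_lag + 1):
        a = rates_a[: len(rates_a) - lag] if lag else rates_a
        b = rates_b[lag:]
        r = pearson(a, b)
        if abs(r) > abs(best[1]):
            best = (lag, r)
    return best


def tunnel_rates(plaintext_rates, overhead=0.05, delay=1):
    """Assumed model of the client-side link: the same bursts, a fixed
    per-byte encapsulation overhead, and a one-second forwarding delay."""
    shifted = [0] * delay + plaintext_rates[: len(plaintext_rates) - delay]
    return [round(r * (1 + overhead)) for r in shifted]


def constant_rate(rates):
    """Constant-rate padding: every second carries the peak rate, so the
    bursts that made the two links correlate are no longer visible."""
    return [max(rates)] * len(rates)


# Constructed sample: bytes per second an observer sees on the upstream link
# (update server -> VPN server) across ten seconds.
UPSTREAM_TO_VPN = [0, 120_000, 118_000, 5_000, 0, 0, 90_000, 95_000, 3_000, 0]
VPN_TO_CLIENT = tunnel_rates(UPSTREAM_TO_VPN)        # bursty tunnel: correlates
PADDED_VPN_TO_CLIENT = constant_rate(VPN_TO_CLIENT)  # padded tunnel: does not

if __name__ == "__main__":
    print("bursty tunnel:", best_lag(UPSTREAM_TO_VPN, VPN_TO_CLIENT))
    print("padded tunnel:", best_lag(UPSTREAM_TO_VPN, PADDED_VPN_TO_CLIENT))
```

The padded series returns a correlation of exactly 0.0 because it has no variance at all; real padding schemes only approximate that, at the cost of sending the peak rate continuously, which is why few consumer VPNs do it.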

unusual suspect August 26, 2021 6:04 PM

@ Sok Puppette re: Rob Thomas: You apparently have concluded (or wish the readers of this blog to conclude) that Mr. Thomas’ connection with Tor casts a benign glow upon him, rather than a shroud of suspicion upon that alleged privacy-enhanced network. Why? Can you propose a procedure by which we might root out the answer to that question?

unusual suspect August 26, 2021 6:15 PM

@SpaceLifeForm @Joshua re: VPN use – While I agree with your premise, I think your conclusion/advice lacks suitable nuance. VPN IP address obfuscation can be useful and effective against “nuisance threats” from commercial entities and less-skilled hackers. Against the security apparatus of nation-states, not at all. Of course, regarding those latter adversaries, there is a concomitant risk that use of a VPN could attract their attention in and of itself…

SpaceLifeForm August 27, 2021 1:08 AM

@ unusual suspect

“nuisance threat”? Whatever you think that is. One does not become invisible just because you use a VPN.

You are better off not using VPN or TOR, because then you become part of the NOISE, and not the SIGNAL.

If you are up to no good, then all I can say is: “good luck”

Winter August 27, 2021 1:29 AM

@unusual suspect
“Against the security apparatus of nation-states, not at all.”

But then, is there anything that helps to protect you against the security apparatus of nation-states?

But you can always delay the inevitable.

My impression is that the only thing that can help you against the security apparatus of a nation-state is the security apparatus of another nation-state. Edward Snowden is still alive and lives with his family because he was able to delay detection long enough to end up at a place that would protect him.

If you do not want to run a risk, you should keep silent, do nothing, and say nothing.

There is an old parable about teaching a horse to talk, that has relevance to online security of political activists:

Many years ago in a far away country a wise old teacher was in trouble with his King. The King sentenced the teacher to death, but listened to the teacher’s appeal.

The teacher pleaded for the King to give him five years in which to teach the King’s horse to talk. The King liked to own unusual things and a talking horse would certainly be unusual and after considerable thought said “yes”.

A friend of the teacher said to the teacher “Why did you make such a rash promise? You know no one has ever taught a horse to talk.” The teacher said in reply: “Sometime before the end of five years:

1. The King might change his mind and pardon me.

2. The King might forget that he sentenced me to death.

3. The King might die.

4. I might die.

5. I might teach the horse to talk.

In any event, I gain five years.”

ht tps://naomistanford.com/2009/02/09/teaching-the-horse-to-talk/

ResearcherZero August 27, 2021 2:21 AM

@Clive Robinson

Australia has a rather brilliant approach to the entire problem of freedom.
There is simply no Bill of Rights and a duty of care is applied at the government’s convenience when it is of a political convenience.

Australia is a signatory to the Universal Declaration of Human Rights, but that does not mean it is in any way enforced in law, and there are many out clauses contained in amendments to Australia’s constitution.

Australia’s telecommunications laws?

Failure to comply with reporting requirements could see the provider slapped with an AU$555,000 fine; the draft rules also build in encryption-busting expectations.
hxxps://www.zdnet.com/article/canberra-asks-big-tech-to-introduce-detection-capabilities-in-encrypted-communication/

This could all be done secretly for a very long time to gather intelligence against individuals, but now it can be done by law enforcement to directly gather evidence for prosecution, targeted and/or in bulk, to avoid legal constraints.

Rather than have to hack a target’s content server or device, netflow data overcomes many problems when you just want to find a target fast for Tomahawk or drone deployment, and overcome all those lengthy legal procedures. It is also very useful for law enforcement operations.

ResearcherZero August 27, 2021 3:27 AM

This bill recently was passed by parliament.

The Surveillance Legislation Amendment (Identify and Disrupt) bill has created three new types of warrants that enable the Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) to modify and delete data belonging to cybercriminal suspects and take over their accounts.

hxxps://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6623

We have been waiting on a Federal Corruption body, but they are really holding out on making it retrospective. Money Bag’s Morrison has really been dragging his feet on the issue for a few years now, and really did promise one before the election.
He didn’t drag his feet when he was running off with those money bags, many years ago, before being crash tackled to the ground, then promptly crapping his pants, which is sometimes a very real reaction to being caught by the police. He was made to walk up to Hungry Jacks (Burger King), to clean himself, before being allowed into the police vehicle. Probably the worst aspect was when he tipped an elderly woman’s shopping out of her trolley, then tried to steal the trolley, unsuccessfully, we assume to carry the rest of the money on the back seat of his car.

The moral of the story is, always fill up with fuel before transporting large quantities of dirty cash, don’t illegally park in a clear lane on a busy street, and for heaven’s sake, don’t let cash blow off down the street in the wind, it’s going to attract attention. Finally, don’t try and fake a heart attack to stall for time.

Winter August 27, 2021 3:28 AM

@SLF
“One’s goal in life should be to teach.”

Make that: Teach and Learn.

But as they say: The best way to learn is to teach

Peter Galbavy August 27, 2021 8:43 AM

Sorry, but this is news to anyone? Could have told you this 20-25 years ago.

Also, in reply to someone’s earlier ridiculous assertion – there is slightly more than “one” cable / landing place from the US to Europe, and it’s not only Amsterdam. An IX is not any form of exclusive transit location, just a desirable one.

Sok Puppette August 27, 2021 5:20 PM

@unusual suspect: Being associated with the Tor project is a (mild) PR negative with a lot of people Cymru might want to work with. The fact that Rob Thomas is willing to do that says that he’s prepared not only to get involved with privacy issues, but to do so visibly and at a certain cost.

That doesn’t mean that privacy is an overriding concern for him. It doesn’t mean that he agrees with you or me about how anonymous anybody should be. It doesn’t mean that passing around Netflow data doesn’t tend to undermine Tor. It does mean that you’re probably dealing with somebody who is at least aware of the issues in a way that your typical Johnny-come-lately security snake oil salesman is not. And what I was reacting to was Clive blindly sticking that Johnny-come-lately-security-snake-oil-salesman label on Cymru.

As for casting a negative light on Tor itself, I guess maybe, but being visibly on the board would be a really lousy, ineffective way to influence the project covertly. For all I know, maybe he’s openly arguing to weaken the privacy of Tor itself. Also for all I know, maybe he’s trying to find ways for Tor to get around his own data distribution. But if the Forces of Surveillance wanted to secretly subvert Tor, they’d be better off to do it, um, secretly.

echo August 27, 2021 5:56 PM

As for casting a negative light on Tor itself, I guess maybe, but being visibly on the board would be a really lousy, ineffective way to influence the project covertly. For all I know, maybe he’s openly arguing to weaken the privacy of Tor itself. Also for all I know, maybe he’s trying to find ways for Tor to get around his own data distribution. But if the Forces of Surveillance wanted to secretly subvert Tor, they’d be better off to do it, um, secretly.

Chocolate fireguards spring to mind. As for “Team Cymru” which has nothing to do with and never has had anything to do with “Cymru”, or Wales… I haven’t been impressed with them since the first time I heard of them nor other companies providing similar services in this domain. They make a lot of money off not solving anything.

The seat on the board gives credibility. The alleged expertise cashes the cheques. One hand washes the other. Nothing which matters changes. And that’s how it works. Anyone who claims competence as a board member or domain expert should know this.

I’ve seen all this before with other issues right up to the point where people perjured themselves deliberately or not.

jay August 31, 2021 9:21 AM

It is worse than imagined. It’s a mishmash of A*holes, from private contractors, gang stalk networks, law enforcement. Any network can be accessed without conventional detection. Also, like anything this has a time limit until the *hit hits the fan and a new internet is developed with new chip sets void of the manufactured security defects and more complex tempest-like signal detection.

If you have a means start this on your own.

Tim Shimeall September 15, 2021 1:17 PM

The collection and analysis of netflow data is not new (or threatening). Cisco developed the netflow v5 and v9 data formats in the late 90s, and IETF developed the IPFIX transport format in the early 2000s (see RFC 7011). Among several other tool suites (see Argus, cFlow, or sFlow), CERT/CC at Carnegie Mellon University has been distributing an open-source suite of tools that collect and analyze netflow data (see https://tools.netsa.cert.org) since 2003, described by a fairly large collection of documentation (the analyst’s handbook alone is approximately 350 pages). Since 2004, CERT/CC has sponsored FloCon, an international workshop on netflow analysis (https://www.flocon.org) with annual attendance in the 150-200 range currently (the next one will be held virtually in January 2022). This workshop is technical, and focused on detection of security threats.

Based on all of this experience, let me point out that the article somewhat overblows the threat posed by netflow data. Yes, you can collect netflow at high-volume network collections (our analysis tool suite is actually named the “System for internet-Level Knowledge” or SiLK, a capitalization that memorializes Suresh L. Konda who led the early development of the suite). But there are three distinguishing characteristics of this collection:
– The collection aggregates traffic between endpoints across specific ports and protocols, closely proximate in time. This aggregation summarizes traffic volumes (count of bytes, count of packets, OR of TCP flags, earliest time, latest time, etc.) but suppresses packet-specific information.
– The collection ignores packet data content – all of the aggregation is done on protocol-level information already exposed by routing and protocol stacks. (IPFIX does have options that allow for recording of more application-level information, i.e., web URLs, email subject lines, etc.)
– The collectors are passive and do not proxy. This means that encrypted traffic through https, other SSL connections, VPNs, etc. is only recorded at the surface level. Yes, you can identify that two VPN concentrators communicated (e.g., by noting that UDP/500 or ESP protocol traffic happened), but you cannot identify what applications were used through that VPN.
This basically puts netflow records at the level of the phone records (phone number X called phone Y at 11:12AM on 9/15/21 and they spoke for 35 seconds). While this does allow for indicators of suspicious traffic (particularly if number X or number Y is on a watchlist), it says nothing about what information was exchanged.

As a review of the FloCon archives shows, this information has been used over an extended time, and by a large number of network operators. You can even contract for netflow information across cloud infrastructures your organization operates from most of the major cloud service providers. It’s been in the hands of governments around the world for over 15 years now – and hasn’t been associated with any dangers to users. You could more clearly state that packet capture technologies (such as Wireshark) and intrusion detection environments (such as Zeek) pose a danger in the hands of some governments – since netflow provides only a small subset of the information provided by packet captures or by intrusion detection. I would argue that the clearer danger is criticism and suppression of information needed by network security teams worldwide.
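The three characteristics listed in the comment above (5-tuple aggregation, no payload, passive observation of encrypted tunnels) can be seen directly in a small flow aggregator. The following is an added example written for this page; it is not SiLK, Cisco NetFlow or IPFIX code, and the packet headers, the addresses (documentation ranges) and the 30-second idle timeout are constructed assumptions. It collapses a TLS exchange, an IKE negotiation on UDP/500 and an ESP tunnel into the same kind of “phone record” the comment describes: who talked to whom, when, how many bytes, which TCP flags, and nothing about what was said.

```python
"""NetFlow-style flow aggregation.

Added illustration of the aggregation described above; this is not SiLK,
Cisco NetFlow or IPFIX code, and the packets are constructed sample headers.
"""
from dataclasses import dataclass

TCP, UDP, ESP = 6, 17, 50
IDLE_TIMEOUT = 30.0  # seconds of silence before a flow record is closed (assumed value)


@dataclass
class Packet:
    ts: float       # capture time in seconds
    src: str
    dst: str
    proto: int
    sport: int      # 0 for protocols without ports (ESP)
    dport: int
    length: int     # bytes on the wire; the payload itself is never stored
    flags: int = 0  # TCP flag bits, 0 for non-TCP


@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    stime: float
    etime: float
    packets: int = 0
    bytes: int = 0
    flags: int = 0  # bitwise OR of the TCP flags seen in the flow


def aggregate(packets, idle_timeout=IDLE_TIMEOUT):
    """Collapse packet headers into unidirectional 5-tuple flow records."""
    active = {}
    closed = []
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        rec = active.get(key)
        if rec is not None and p.ts - rec.etime > idle_timeout:
            closed.append(active.pop(key))  # gap too long: start a new record
            rec = None
        if rec is None:
            rec = FlowRecord(*key, stime=p.ts, etime=p.ts)
            active[key] = rec
        rec.packets += 1
        rec.bytes += p.length
        rec.flags |= p.flags
        rec.etime = p.ts
    closed.extend(active.values())
    return sorted(closed, key=lambda r: r.stime)


def describe(rec):
    """Phone-record style summary: who talked to whom, when, and how much."""
    if rec.proto == ESP:
        ends = f"{rec.src} -> {rec.dst} (ESP, no ports)"
    else:
        ends = f"{rec.src}:{rec.sport} -> {rec.dst}:{rec.dport}"
    return (f"{ends} proto={rec.proto} pkts={rec.packets} bytes={rec.bytes} "
            f"flags=0x{rec.flags:02x} {rec.stime:.2f}-{rec.etime:.2f}s")


# Constructed sample headers: a TLS exchange (content invisible to the collector),
# an IKE negotiation on UDP/500 and an ESP tunnel with a long idle gap.
SAMPLE_PACKETS = [
    Packet(0.00, "10.0.0.5", "203.0.113.10", TCP, 51000, 443, 60, 0x02),    # SYN
    Packet(0.05, "203.0.113.10", "10.0.0.5", TCP, 443, 51000, 60, 0x12),    # SYN/ACK
    Packet(0.10, "10.0.0.5", "203.0.113.10", TCP, 51000, 443, 1200, 0x18),  # PSH/ACK
    Packet(0.20, "203.0.113.10", "10.0.0.5", TCP, 443, 51000, 52, 0x10),    # ACK
    Packet(0.30, "10.0.0.5", "203.0.113.10", TCP, 51000, 443, 52, 0x11),    # FIN/ACK
    Packet(1.00, "192.0.2.1", "198.51.100.7", UDP, 500, 500, 300),          # IKE
    Packet(1.20, "192.0.2.1", "198.51.100.7", UDP, 500, 500, 180),
    Packet(2.00, "192.0.2.1", "198.51.100.7", ESP, 0, 0, 1400),             # tunnel
    Packet(2.50, "192.0.2.1", "198.51.100.7", ESP, 0, 0, 1400),
    Packet(50.0, "192.0.2.1", "198.51.100.7", ESP, 0, 0, 900),              # after idle timeout
]
SAMPLE_RECORDS = aggregate(SAMPLE_PACKETS)

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(describe(rec))
```

Running it prints five records: the two directions of the TLS connection (the 1200-byte request body reduced to a byte count and an OR of flags), one UDP/500 record that reveals an IKE negotiation took place, and two ESP records split by the idle timeout. Nothing in the output identifies the application carried inside the tunnel, which is exactly the limitation the comment points to; the correlation example earlier on the page shows what a collector seeing both sides of a tunnel can still infer from timing and volume.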
