Re: [GNUnet-developers] port knocking?
From: Christian Grothoff
Subject: Re: [GNUnet-developers] port knocking?
Date: Fri, 27 Feb 2004 07:43:20 -0500
User-agent: KMail/1.4.3
On Wednesday 25 February 2004 11:44 am, you wrote:
> On Wed, 25 Feb 2004, Christian Grothoff wrote:
> > Of course, the biggest question is if there's anyone who'd care for this
> > tiny extra bit of security (or maybe more appropriately, obscurity). As
> > I said before, portknocking would not help against an adversary that
> > either joins GNUnet or that can perform traffic sniffing. It only
> > protects against lazy, clueless random adversaries.
>
> What would a lazy, clueless random adversary benefit from the knowledge
> that some random host is running GNUnet? Anti-GNUnet-personnel
> can find better ways, and do not fit the profile of lazy, clueless
> and random.
I'm not thinking about adversaries that specifically target GNUnet here.
> ISPs, on the other hand, can look at the traffic patterns
> and decide that the activity looks p2p'ish enough to take action,
> and besides take the crypted nature of GNUnet dataflow as additional
> evidence for villaincy, blackguarding and heinous crime being
> purported all the time.
>
> Just my 3c. Maybe I'm just a bit slow as usual and don't
> get the implications.
Well, imagine for a second that you're AT&T. You have a shitload of
second-tier ISPs below you, and you're trying to manage "The Internet". Your
tech-people fight spam and customers that use excessive (in their opinion)
amounts of traffic. What do you do? Sniff all 30 Million hosts connected to
your network and do some heavy-weight traffic analysis? Nonsense. What those
people do is they do port-scans. For now, probably just 25, maybe some other
common ports (open windows-shares, etc). If they detect an open port where
there should be none, they notify the second-tier ISP to do something about
it (i.e. shutdown the machine, tell the customer to remove the virus,
whatever).
Now, for these guys, a quick & dirty portscan is all they can afford.
Similarly, what's a university going to do? Yes, they may scan their campus
network for open ports to detect vulnerable machines, to enforce policies ("no
p2p"), but it's much less likely that their tech-support has the knowledge
(and time) to go and start sniffing traffic. Not to mention that while
port-scanning might be considered acceptable behavior for some ISPs, actually
doing traffic sniffing is a much more severe violation of users' privacy and
thus might be harder to get away with (the headline, "ISP scans ports"
doesn't sound like a CNN hit, "ISP spies on users' traffic" is more likely to
put the ISP out of business...). So in some ways, I believe it's much more
likely for the average GNUnet user to encounter such a 'stupid' adversary
than someone with the time, money, technical expertise and boldness to run
tcpdump.
Christian