This is going to take a little explaining, so please bear with me. My goal is to show how easy it is for third parties to exploit wiretapping systems to implicate the innocent -- and worse. But before I can do that, I need to provide a short briefing on the current state of the Internet environment, as well as an explanation of how it got that way. If you're already alarmed about mass surveillance of telecommunications traffic, you might wonder how it could possibly get worse.
This is one way.
Let's go through the obvious part first: we know that at least one large chunk of telecommunications traffic is being vacuumed up by the spooks and peered at. Some of that analysis is no doubt connection-based (who's talking to whom, how often) and some of it's traffic-based (what they're saying, how much they're saying). Because of the volume of traffic, it's being done by computers, with anything of particular interest flagged for human review. And we can presume that those humans will react with alarm and Push The Big Red Button that alerts the stormtroopers if they see something sufficiently disturbing. We can also surmise that there are other places like Room 641A scattered around the world, either run by US spooks or run by someone else's spooks, and that some of them are sharing either raw data or analysis or both.
Ah, you say, but all I do is post comments to DailyKos, VPN into work, send email to the kids and download a little porn.
That may be all you do. It may not be all your computer does. So here comes the non-obvious part.
About half a decade ago, a few hundred anti-spam volunteers scattered around the world had finally gotten a decent handle on the spam problem: they'd deployed automated mechanisms which would quickly detect new spam server installations and add them to blacklists. Given that those numbered only in the thousands -- and that they changed comparatively slowly, due to the inherent delays involved in shifting them around -- anti-spammers had a relatively small number of relatively stationary targets to deal with.
And then spammers had a brilliant idea: they wrote (or hired someone to write) a custom piece of malware that would turn any Windows system it took over into a spam-sending engine. They released Sobig, which is analyzed here and here.
It was a masterstroke. The number of spam-sending systems worldwide increased exponentially over a period of just a few months, completely outflanking the anti-spammers' defenses. Their carefully-maintained blacklists couldn't possibly keep up with millions upon millions of moving targets. The people working on anti-spam techniques had to entirely rethink their approach.
The spammers followed up with variations on this -- including some that not only sent spam, but used the infected systems to host copies of the web sites promoted in the spam. And other variations that allowed them to use one infected system to control others. And others that rummaged through all the email stored on them to find more people to spam. And still others that set up keystroke loggers to grab the username/password combinations used at financial and other web sites. And so on.
Within a short time, the number of hijacked systems ("zombies" or "bots") was easily into the tens of millions. And today? The consensus seems to be that any estimate under 100 million is too low. Vint Cerf -- widely acknowledged as one of the fathers of the network you're using at the moment, and now working for Google -- has given 250 million as his guess. The exact number is unknowable -- because until one of these systems does something to make itself visible to someone who is watching, it's very unlikely to be detected. Here's a sample of the last 10 seen here, by IP address and ISP/location:
All compromised. All running Windows. (How do I know? Passive OS fingerprinting. Out of the last 1.2 million I've seen, 8 didn't fingerprint as Windows, and I suspect those 8 were due to data transmission errors.)
So what the hell does this have to do with the topic of this message?
There's an old maxim in security circles that says:
If someone else can run arbitrary code on your computer,
it's not YOUR computer any more.
Every one of those systems noted above now belongs to someone else -- not to the person whose desk it's on or whose backpack it rides around in while switched off. The former owners of those systems are only permitted to keep using them because it suits the purposes of their new owners. It keeps them plugged in to power, connected to a network, upgraded (the bad guys say "thanks" for that extra memory added last week) and otherwise available.
So who are the new owners? Spammers. Phishers. Search engine scammers. Blackmailers. Typosquatters. Spyware makers. Kiddie porn sellers. Denial-of-service attackers. Identity thieves. Pretty much the scum of the Internet. The increasingly-organized scum of the Internet. There's an entire, thriving underground economy out there: these systems are being leased out on a wholesale basis: so many euros for 10000 systems for a week, and so on. Some of the analysis that's been done shows individuals in control of botnets with 2-3 million systems.
One prominent nexus for all this activity is the "Russian Business Network"; take a few minutes to read some of these if you want a look at part of the dark underbelly of the Internet:
The RBN has a successful business model: they're the online equivalent of an open-air bazaar where goods and services of all kinds are exchanged. You can sell credit card numbers and buy custom malware, discuss the latest phishing techniques and commission denial-of-service attacks. These are not people to be trifled with: several researchers have been hit with retaliatory attacks while engaged in analysis of software that traces back to RBN. And they're not the only game in town.
So. See the problem yet?
Yeah, you're getting there. You know what's stopping The Bad Guys from creating synthetic traffic to and from a compromised computer (maybe yours, maybe not) and, oh, let's say a couple of dozen other computers in other interesting countries -- traffic discussing operational plans for something hideous, traffic with your name plastered all over it?
Nothing.
And unless you've got a network analyzer sniffing what goes in and out of your connection and analyzing it, you won't see it -- because they own your computer now and can easily keep you from seeing it.
But the computers and people watching via Room 641A will see it.
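The boundary check the preceding paragraphs call for, as an added example that is not part of the original post: a small egress-flow triage over flow records, assuming they were captured outside the suspect host (at the router or a mirror port), since a hijacked machine cannot be trusted to report on its own traffic. The flow lines, addresses, ports and thresholds below are constructed assumptions, not data from the post.

```python
from collections import defaultdict

# Constructed flow records in "src_ip dst_ip dst_port bytes" form, as a
# router or mirror-port sniffer would summarize them. 10.0.0.5 behaves like
# an ordinary desktop; 10.0.0.7 behaves like a hijacked spam/relay host.
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.10 443 8200
10.0.0.5 203.0.113.11 443 5100
10.0.0.5 203.0.113.53 53 120
10.0.0.7 198.51.100.1 25 1400
10.0.0.7 198.51.100.2 25 1380
10.0.0.7 198.51.100.3 25 1402
10.0.0.7 198.51.100.4 25 1399
10.0.0.7 198.51.100.5 25 1401
10.0.0.7 192.0.2.44 6667 300
"""

# Assumed policy: ports a desktop on this network is expected to reach.
EXPECTED_PORTS = {53, 80, 443, 993, 995}


def parse_flows(text):
    """Turn the text summary into (src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, port, nbytes = line.split()
            flows.append((src, dst, int(port), int(nbytes)))
    return flows


def triage(flows, mail_relays=frozenset(), smtp_threshold=3, fanout_threshold=5):
    """Return {src_ip: [alert, ...]} for hosts whose egress looks hijacked.

    Three signals: direct-to-MX SMTP from a host that is not a sanctioned
    relay (spam bot), unusually many distinct destinations (bot fan-out or
    synthetic chatter), and destination ports outside the expected set.
    """
    smtp_dests, all_dests, odd_ports = defaultdict(set), defaultdict(set), defaultdict(set)
    for src, dst, port, _ in flows:
        all_dests[src].add(dst)
        if port == 25:
            if src not in mail_relays:
                smtp_dests[src].add(dst)
        elif port not in EXPECTED_PORTS:
            odd_ports[src].add(port)
    alerts = defaultdict(list)
    for src, dests in smtp_dests.items():
        if len(dests) >= smtp_threshold:
            alerts[src].append(f"direct-to-MX SMTP to {len(dests)} hosts (spam bot?)")
    for src, dests in all_dests.items():
        if len(dests) >= fanout_threshold:
            alerts[src].append(f"fan-out to {len(dests)} distinct destinations")
    for src, ports in odd_ports.items():
        alerts[src].append(f"unexpected destination ports {sorted(ports)}")
    return dict(alerts)
```

Feeding this the flows a home router actually logs is what turns "you won't see it" into "you might"; the thresholds need tuning per network.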
And you may find out about what they saw when your door is kicked in pre-dawn next Wednesday, and when, eventually, you are tried in front of a jury (if you're lucky enough to get a public trial and aren't simply just thrown into a dark hole where you're tortured until you break, because that's how the United States does things now) that is shown evidence that proves that the traffic came and went from your system. Don't count on them grasping everything I just went through or even part of it: check out the raw deal Julie Amero got simply for being the unlucky person sitting in front of a poorly-maintained, already-infected computer when the porn popups started:
And that was just porn. Yet she was publicly crucified by incompetent and arrogant reporters, police, prosecutors and jurors, as well as extremely incompetent and arrogant "experts" -- who, as it turned out, lacked entry-level IT security knowledge. And of course, some of the public fell for it: her career's in ruins, her reputation's destroyed, etc.
Now imagine how a jury -- a jury appropriately conditioned by years of fear-mongering courtesy of this administration and the professional liars who work for it -- will view you, Mr./Ms. Homegrown Terrorist, when they are presented with this "proof". Reams and reams of it. And when your defense boils down to "I didn't do it". Yeah, right. What about these posts to DailyKos? What about your association with known malcontents...radicals...liberals? And what's this FSM cult you're part of?
And if that's still not enough -- then there's always the reliable fallback, readily available to the same attackers, of planting kiddie porn on your disk somewhere you won't look, but the spooks who have confiscated your system will. Any possible credibility you might have speaking in your own defense will instantly evaporate once that fact is introduced into evidence. (The Four Horsemen of the Internet are: terrorism, child pornography, money laundering and drugs. Mention of any one of these will elicit knee-jerk reactions and political grandstanding of astonishing proportions. More than one? You've got a decent shot at being the lead story on Fox Noise or the increasingly-indistinguishable CNN/CHN for a week.)
Why you? Who knows? Maybe a random choice, maybe revenge (since people who are capable of pulling this off are for hire if somebody's got enough cash -- see RBN, above), maybe a diversion, maybe something else.
Motivations aside, the salient point is that there are no technical barriers to it. Your software firewall is a screen door trying to hold back a tank. Your anti-virus, anti-spyware, anti-bogeyman software is laughable. If you're running Windows, and worse, if you're running Internet Explorer or Outlook, then you're high on the target list. (And don't get too smug if you have a Mac or even a Linux or Unix box. Yes, these are vastly more secure environments, but as you should already know, one bonehead move by you and it won't matter.)
Unless...your system is already compromised, and at least 1 in 8 of you reading this fall in that category. Probably more.
Don't think they can do it? Think again. These are not your stereotypical pale male geeks living in their parents' basement and taking a break from Star Trek trivia. These are intelligent, well-trained, highly-motivated professionals who have already demonstrated that they are formidable adversaries -- and who control, in the aggregate, more computing and network power than anyone else. What they're running makes what Google's operating look minuscule by comparison. And because their assets are distributed around the planet, constantly shifting, constantly changing tactics, constantly reorganizing, they're tough to track. Some of them have also demonstrated that they're willing and able to act in meatspace when it suits their purposes. Oh, and they're self-funded, enabling them to grease palms when necessary.
So what's your ISP doing about it? You know, the same ISP that's likely one of the telecom companies that the Bush administration is trying to immunize from the things they might or might not have done which might or might not be legal and which might or might not have had intelligence value?
Your ISP is either busy cozying up to the feds or the RIAA/MPAA, or trying to maintain their monopolies, or trying to raise your rates (again), or trying to upsell you bundled services, or disrupting your network traffic because they can't even come remotely close to delivering what their advertising says they offer, or trying to get immunity...oh wait, we covered that. Let's just say that cable TV and phone companies really don't have the slightest inclination to run a secure data network. (Evidence? Comcast and Verizon have spent much of the past several years battling for the number one spot on the list of the world's most spam-sending networks. Current scoreboard: Network reputation - estimated spam volume by ISP. Almost all that spam is coming from hijacked systems.) Don't go feeling all smug if your ISP isn't one of those two: with precious few isolated exceptions, they're ALL swarming with hijacked systems. That means Charter and Ameritech and Roadrunner and Adelphia and Qwest and AT&T and BellSouth and very likely yours.
One last thing -- one last very disturbing thing, possibly more so than anything else I've said so far. I saved it for last so that you'd have some context for it.
The feds keep earning "F" grades in IT security from the GAO year after year. There are two reasons for this: first, the GAO is being generous. Second, there isn't a lower grade available.
So what possible reason does anyone have to believe that the feds are the only ones tapped into the output of Room 641A?
After all, building and maintaining all that infrastructure is expensive and tedious. A much faster path to the goal, if you're the real bad guys that we're supposedly trying to catch, is to let someone else do it for you at their expense, and then just skim the results.
So as bad as you feel about having all this data in the hands of the nascent fascists running the country at the moment, as awful as the consequences might be for anyone framed by it, how do you feel about having it in the hands of people who will sell it wholesale to anyone with cash-in-hand?