How to route intercepted material?
30 January 2008
The recent leak of the existence of malware that the German police might be using to intercept encrypted Skype and SSL calls has already made quite a bit of noise. It clearly suggests that the surveillance battlefield is shifting from the network to the end-host, where information and keys can be found in the clear. Yet an interesting issue that is discussed in the letters relates to getting hold of the intercept material: in the old days it was gathered from the network – in the proposed architecture it is sitting on the victims’ machines.
Interestingly, the proposed way of getting hold of the plaintext is through the use of an anonymous proxy! This ensures that even if a data flow is detected by the victim, the agent doing the wiretap or the agency is not identified. Further good advice includes using a relay in a different jurisdiction to make tracing even harder, and to add further uncertainty about the originator of the attack.
It is fascinating to see how, once again, law enforcement finds traffic-analysis-resistant communications key to its operational success. Already established standards for interception interfaces (from ETSI) stipulate that the delivery of intercept material has to be unobservable to anyone not authorised, even within the telco provider. The federal Trojan architecture pushes this even further, by requiring the malware to leak information in an unobservable manner.
The arms race is only starting…