Hey there, this is actually more of a question to start with, but I imagine it to lead into discussion. Today it's emerged that the AFP, in their words, ‘have the ability to monitor and disrupt people using a VPN’. Anyone know how, exactly? When they say disrupt - what does this entail? Malware? Discuss.
Well, if they can do it without any privileged access to the VPN server (which could be in any other country, so it seems unlikely they could have such access for just any arbitrary VPN), then they would need to be exploiting weaknesses in the VPN communications protocols (e.g. the recent weaknesses that were demonstrated with some OpenSSL (Open Source Secure Sockets Layer) versions).
If they are using such flaws and keeping them secret, then they are contributing to the overall insecurity of the standards that keep all of our businesses safe and secure and shame on them.
The NSA has been strongly suspected of having done exactly this and in some cases, having gone further by actively participating as expert consultants in standards groups that define security protocols and then using their advanced expertise to introduce subtle flaws into the standards (such as random number generation for elliptic curve algorithms), such that they could subsequently break the implementations of those standards in the field.
This is utterly irresponsible. They are probably not the only people able to break things using the weaknesses they introduced and as a consequence they make the world a less secure place when their job is supposed to be the opposite.
Of course, the other route for subverting VPN use is to simply subvert the individual's machine first, with things like key loggers and other malware, so that the VPN just becomes irrelevant to the monitoring they want to do.
Here’s my take on this:
Monitor: Unless they’ve either compromised your local machine or the remote VPN server, you use a VPN with weak crypto, or they’re aware of zero-day issues in whatever VPN software you use, it’s unlikely they can glean anything from the encrypted payload. That said, it’s fairly trivial to identify the fact that you’re using a VPN, and who your provider is, and potentially gain information from said provider, depending on what data the provider keeps relating to your connections.
Disrupt: Even without compromising either end of the tunnel, if they can mangle/drop packets at any point along the route (Perhaps with the aid of a coerced, or voluntarily cooperative ISP) between your local machine and the VPN endpoint, then they can definitely degrade and disrupt your VPN connection, even if they can’t read the payload.
I think jscinoz has hit the nail on the head.
The abilities they claim are totally within the capability of your ISP: that is, they can tell that you’re using a VPN, and they can easily block your access to a remote endpoint.
Besides, we already know that some ISPs are very cosy with the AFP and have been actively blocking certain URLs for years.
Yes, I imagine disrupt to mean get in the way of, not necessarily compromise the contents contained within any transmission. Very easy to null route your IP away from a set of other IPs.
It looks to me as if the AFP want to allow the perception they’re omnipotent. They’re not.
To “monitor and disrupt” a VPN is actually trivial to do. To monitor you just need a bit of software which listens to the network (I do this at home if I think something’s broken) which can tell if something’s a VPN or not. And to disrupt a VPN is, as @dc84 said, trivial if you can send traffic bound for one place to another place, like in @tjal’s example.
These comments made by the AFP seem designed to intimidate and allow false perceptions. It reminds me of hearing narcotics cops on the news talking about how many hundred thousand “street deals of marry-joo-waanah” they’ve stopped.
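What the “bit of software which listens to the network” above, and the “fairly trivial to identify the fact that you’re using a VPN” point in jscinoz’s post, actually amounts to: an added example (not code from anyone in this thread) that classifies constructed flow records using only metadata, never payload. It uses the standard IANA port and protocol assignments for IPsec, OpenVPN and WireGuard; the tcp/443 heuristic and the sample addresses are assumptions for illustration.

```python
"""Flag flows that look like VPN tunnels from flow metadata alone, the view
an ISP or network operator has without decrypting anything."""
from collections import defaultdict

ESP_PROTO = 50                      # IPsec ESP is carried directly over IP
VPN_SIGNATURES = {                  # (transport, destination port) -> label
    ("udp", 500): "IPsec/IKE",
    ("udp", 4500): "IPsec/NAT-T",
    ("udp", 1194): "OpenVPN",
    ("tcp", 1194): "OpenVPN",
    ("udp", 51820): "WireGuard",
}

def classify_flow(flow):
    """Return a label for one flow record; only headers are inspected."""
    if flow["proto"] == ESP_PROTO:
        return "IPsec/ESP"
    label = VPN_SIGNATURES.get((flow["l4"], flow["dport"]))
    if label:
        return label
    # Many VPNs deliberately use tcp/443 to blend in with HTTPS; a single
    # very large flow is only a weak hint, so it is labelled as such.
    if flow["l4"] == "tcp" and flow["dport"] == 443 and flow["bytes"] > 50_000_000:
        return "possible VPN over 443"
    return "other"

def summarise(flows):
    """Map each source address to the set of tunnel labels seen from it."""
    seen = defaultdict(set)
    for f in flows:
        label = classify_flow(f)
        if label != "other":
            seen[f["src"]].add(label)
    return dict(seen)

# Constructed sample flows (RFC 5737 documentation addresses, made-up sizes).
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "proto": 17, "l4": "udp", "dport": 1194, "bytes": 8_000_000},
    {"src": "192.0.2.10", "proto": 17, "l4": "udp", "dport": 53, "bytes": 400},
    {"src": "192.0.2.11", "proto": 17, "l4": "udp", "dport": 4500, "bytes": 3_000_000},
    {"src": "192.0.2.11", "proto": 50, "l4": None, "dport": None, "bytes": 120_000_000},
    {"src": "192.0.2.12", "proto": 6, "l4": "tcp", "dport": 443, "bytes": 900_000_000},
    {"src": "192.0.2.13", "proto": 6, "l4": "tcp", "dport": 443, "bytes": 20_000},
]

if __name__ == "__main__":
    for src, labels in summarise(SAMPLE_FLOWS).items():
        print(src, sorted(labels))
```

The classifier never sees inside the tunnel, which is exactly the distinction the thread draws: the existence and endpoint of a VPN are visible on the wire, the contents are not.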
As others have said, disruption does not equate to cracking the encrypted traffic, it just means interfering with the transmission. They’d also want to be real sure of whose VPN traffic they were interfering with too, because if it turned out that the geek they were monitoring was employed by a major hardware or software vendor and the network was actually their employer's, then the AFP might find itself in conflict with other parts of the gov’t.
Take me for example, well, a few years ago. If the AFP had pulled a stunt like that on the VPN connection I was using almost 24/7 a few years ago, the chances would’ve been pretty high that they’d’ve ended up in a fight with the DoD as a result (and if not them then some other part of law enforcement, possibly even themselves).
I think Joe is right here, this sort of comment is designed to discourage people from using VPNs or other means of protecting their privacy and information. It’s not really any different to the claims by the RIAA or MPAA that they can see who is downloading everything. We know, of course, that not only is that crap, but more often than not they can’t even see what is being downloaded … especially given the number of DMCA takedown demands directed at content they neither own nor is owned by those they represent.
The sooner the IT industry implements IPSec for all connections (both IPv4 and IPv6) the better.