NSA/GCHQ packet staining vs crypto staining

There seem to be two ways to exploit staining:

1) The method of http://cryptome.org/2013/10/packet-stain/packet-staining.htm, in which IPv4 packets from “intelligence sources” are stained by putting them within an IPv6 tunnel whose headers are processed by carriers supporting the NSA mission. Of course, Microsoft Windows comes with just such tunneling capability at the PC, too.

2) A cryptographic mechanism that does not depend on the carrier – except in the sense that the carriers’ cables are tapped. This model assumes that the NSA has to scan a lot of raw packet dumps, looking for those of interest, using “suitable hardware” for the search problem.

In either case, we have what PTK used to take DARPA money for: “active network” research!

We have to remember that this all starts with the reluctant victim having his PC compromised through the insertion of behavior, upon leveraging a suitable exploit. If we believe the snowdonia campaign from NSA, the victim visits the radical site (e.g. NRA) whose javascript pages duly insert the bug back on the browsing PC.

So what kind of bug would support 1) and 2)?

To hide this all, it feels like a combination of forces would be applied. First, the compromised PC would be induced to use cryptographic staining, hidden to the non-technical eye behind Reed-Solomon coding erasures, intending that these signals are detected by the PMO.

Now, note the path taken in the picture given above. From the PC in Y (the target of intel) there is a peer-to-peer relationship within the internet cloud – one that is NOT assumed to pass through a particular network. On visiting the radical website, infected by the botnet in autonomous system 666, Y’s PC eventually uses the internet and some of the packets between Y and Z will go over the “compromised” edge router at the carrier’s internet/backbone handoff point. This router, too, is owned by the botnet – in the sense that the botnet is biasing its routing tables with AS-AS updates via BGP, etc. Thus packets from a given IPv4 address hit the edge router’s first rule set – where we should recall that the (relatively persistent DHCP) address of Y’s PC was recently learned by the botnet listening in to Z’s visitor log (hosted at the compromised, radical site that Y just visited). The router directs the packet “flow” via the packet staining device that wraps the flow in IPv6 tunnels. NSA/GCHQ upstream will later leverage the staining tags… to help isolate these flows, obtained from general purpose fiber taps fixed at certain locations, that show Y now visiting google.com, in the US, say.

Now I know enough, being once, along with the DOD/WH folks I trained with, a certified CCSP specially trained in Cisco HIDS/NIDS, to know how the Cisco IOS world can apply policy-based routing that does real-time deep packet inspection. So assume that the first edge router is so tuned, with policy-based routing set up to detect cryptographic headers on the first hop (NOT SHOWN in the picture above). How might we accomplish this?

One thing we know is that in 1980 NASA was listening to a signal – whose power is less than that emitted by your watch, from a craft 2 billion miles away – delivering a data rate of about 20kbits/s. Think about that! This means that the phone in your pocket is MORE than able to use its microphone to listen to the channel between PC and screen, which has far greater power consumption than your watch display and is probably at a distance of 2 yards (rather than 2 billion miles). These days, with 4G, the data rates of mobile phone circuits are excellent of course (making them an ideal ACTIVE SENSOR network for remote spying on the signals emitted by all devices of the world). If yours is not on, there is no reason not to use that of your neighbor, known also to be in proximity to the PC in the same coffee shop with its internet cafes (a favorite GCHQ targeting space).

So, let’s say that a compromised PC of Y is now induced to DROP bits in the packet checksum. This is known in the RS world as an erasure – one that the math is able to recover from. Now assume that the dropping rate is ITSELF a unique code – or stain. That is, as the Cisco router does what it’s supposed to do IN HARDWARE VLSI – error correction on packet checksums that THEMSELVES HAVE ERRORS – the stats collected PER FLOW are themselves being analyzed by the IOS process that detects the timing signal within the drop rate – and thus detects the particular PC. Though it may correct the packet as it flows across interfaces, being a botnet-owned router, assume that this is also enough to induce routing via the PMD. One can imagine that the mechanism might also be inducing the botnet to refocus its efforts – on Y’s PC directly.
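The flip side of that mechanism is the check a network defender can run on the same per-flow statistics: a lossy link fails checksums irregularly, while a drop rate that carries a code fails them with a fixed period, which shows up as strong autocorrelation in the failure indicator. This is an added example, not code from the post or from Cisco IOS; the two flows and their checksum outcomes are constructed, and the 0.5 autocorrelation threshold is an assumption.

```python
"""Per-flow checksum-error pattern check (constructed data, not real traffic)."""

N_PACKETS = 400
# Flow A: irregular failures, as a noisy link would produce (constructed positions).
NOISY_FAILS = {3, 17, 41, 58, 79, 102, 131, 150, 177, 203,
               229, 248, 271, 299, 322, 340, 367, 389}
# Flow B: roughly the same ~5% failure rate, but every 20th packet fails (a coded pattern).
PERIOD = 20

SAMPLE = {  # flow id -> checksum_ok flag for each packet, in arrival order
    "A": [i not in NOISY_FAILS for i in range(N_PACKETS)],
    "B": [i % PERIOD != 0 for i in range(N_PACKETS)],
}

def error_rate(ok_flags):
    """Fraction of packets whose checksum failed."""
    return sum(1 for ok in ok_flags if not ok) / len(ok_flags)

def periodicity(ok_flags, max_lag=64):
    """Return (best autocorrelation, lag) of the failure indicator over lags 1..max_lag.

    A strictly periodic pattern gives a coefficient near 1.0 at its period;
    irregular failures stay near 0 at every lag."""
    errs = [0 if ok else 1 for ok in ok_flags]
    n = len(errs)
    mean = sum(errs) / n
    var = sum((e - mean) ** 2 for e in errs)
    if var == 0:  # no failures at all: nothing to correlate
        return 0.0, 0
    best_r, best_lag = 0.0, 0
    for lag in range(1, max_lag + 1):
        cov = sum((errs[i] - mean) * (errs[i + lag] - mean) for i in range(n - lag))
        r = cov / var
        if r > best_r:
            best_r, best_lag = r, lag
    return best_r, best_lag

def flag_structured_flows(sample, threshold=0.5):
    """Flow ids whose checksum failures are too regular to be link noise (assumed threshold)."""
    return sorted(fid for fid, flags in sample.items()
                  if periodicity(flags)[0] >= threshold)

if __name__ == "__main__":
    for fid, flags in SAMPLE.items():
        r, lag = periodicity(flags)
        print(f"flow {fid}: error rate {error_rate(flags):.3f}, "
              f"best autocorrelation {r:.2f} at lag {lag}")
    print("structured flows:", flag_structured_flows(SAMPLE))
```

Both flows sit at about a 5% failure rate, so a rate threshold alone cannot separate them; only the lag structure does.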


About home_pw

Computer Programmer who often does network administration with focus on security servers. Sometimes plays at slot machine programming.
This entry was posted in spying.