Jacob:

First of all, it's important to recognize that SORM is a system for lawful 
access to telephone and IP traffic. It is normalized under the laws of the 
Russian Federation and most of the countries of the former Soviet Union. In 
other words, it is not a "secret" system, but rather one which is well-known, 
well-documented and has been around for over 10 years. 

The relevant Russian legislation is:
 Order of the State Committee of the Russian Federation № 47 of 27.03.99
 Order of the Ministry of Communications of the Russian Federation № 73 of 
27.05.10.
The company that produces SORM - MFI-SOFT - is quite proud of its product, 
and of the others that it produces in the information security market. In fact, 
here is their marketing video. The part about SORM starts at 3:14

http://youtu.be/mNTWvyXNTLM?t=3m13s (okay, it's lame, but at least they are 
advertising it)

As a consequence, the technical characteristics of SORM are quite 
well-documented. Also, because the system is installed at ISPs, the technical 
characteristics of its installation are also quite well-known.

By way of a general introduction, here are links to two technical presentations 
on SORM (2 and 3) that provide some of this technical information, and also a 
view of the user interface (which gives you a sense of its capabilities). 

SORM 2 - https://docs.google.com/open?id=0B4_SBxiVQGUOTzZhSVc4Q1JqZlk

SORM 3 - https://docs.google.com/open?id=0B4_SBxiVQGUOOHBHa1hDcnA1RzA

The files are in Russian, but nothing that Google translate can't help with :-)

I really don't know if anyone in Europe, Canada, or the US has procured 
NetBeholder. But the fact that the company stopped advertising it openly on 
their website in 2010 leads me to believe that their success in this market 
space was rather small. Contrary to popular belief, LEA tools are not big 
business, and bring a lot of liability to companies, so usually they tend to 
sell to home markets where they have a guaranteed monopoly and stable revenues.

The only thing I can say about why they were marketing from Canada is related 
to some circumstantial evidence I received a few years ago that the Canadian 
subsidiary was selling NetBeholder as a "Canadian product" in a variety of 
south countries. However, I'd stress this is circumstantial evidence, so nothing 
hard and fast. However, if you take a look at the SORM product page, you will 
see that they have adapted it to work with a wide range of equipment including 
Nortel, Broadworks and Ericsson, so it's not inconceivable that there may be 
existing installations in North America and elsewhere outside the CIS 
<http://www.mfisoft.ru/products/sorm/sorm1/nortel>. MFI claims its products 
are in 84 countries. If you look at the ALOE website, they do list a number of 
SIP providers in the US that use MFI equipment. However, since MFI/ALOE also 
resells VoIP soft switches, it's really unclear what they might be using. 
<http://www.aloe-systems.com/company/clients#usa>

> This is a rather difficult thing to do - it seems not worth doing. These
> guys are already working on reducing detectability, aren't they?


Because the system is not secret, and is legally mandated, no, the builders 
have not made it particularly stealthy. 

Rafal



On Jan 7, 2013, at 8:02 PM, Jacob Appelbaum <ja...@appelbaum.net> wrote:

> Rafal Rohozinski:
>> John,
>> 
>> With respect to SORM-II, the "signatures" are based upon the
>> technical characteristics of the system rather than something that's
>> detectable by protocol scanning. 
> 
> What are the technical characteristics of SORM-II?
> 
>> In a nutshell, SORM-II boxes
>> located on remote network segments (i.e. ISPs or other providers)
>> require a separate command channel for tasking and data backhaul.
> 
> Detectable by what means? Is this the Kim Dot Com extra latency issue?
> Is this just another box found on a related network?
> 
>> In some installations, this is a separate physical channel, and in
>> others it is virtualized through the ISP's connection to their upstream
>> provider or IXP (usually at the central telephone switch).
>> Consequently, while the device itself does not have a detectable
>> signature, the control channel is a defining feature. The
>> challenge is in detecting the control channel. We have a report
>> pending on SORM that should be released sometime during the late
>> spring of 2013.
> 
> Can you give us a simple example?
> 
>> We are trying to decide how and what to publish so
>> as to share usable knowledge without revealing tradecraft that would
>> allow the developers of SORM (II and III) to reduce detectability.
> 
>  Don't
> 
>> BTW - SORM II is commercially available in the European, US and
>> Canadian markets under the brand name "NetBeholder", so those of you with
>> deep pockets should buy a set up and reverse engineer it
>> http://www.netbeholder.com/en/products.html … the company even has a
>> street address in Toronto, for those of you that want to visit. :-)
>> 
> 
> Has it been found on Canadian networks? Who uses it?
> 
> All the best,
> Jacob
> --
> Unsubscribe, change to digest, or change password at: 
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
