Rafal Rohozinski:
> John,
>
> With respect to SORM-II, the "signatures" are based upon the technical characteristics of the system rather than something that's detectable by protocol scanning.

What are the technical characteristics of SORM-II?

> In a nutshell, SORM-II boxes located on remote network segments (i.e. ISP's or other providers) require a separate command channel for tasking and data backhaul.

Detectable by what means? Is this the Kim Dot Com extra latency issue? Is this just another box found on a related network?

> In some installations, this is a separate physical channel, and in others it is virtualized through the ISP's connection to their upstream provider or IXP (usually at the central telephone switch). Consequently, while the device itself does not have a detectable signature, the control channel is a defining feature. The challenge is in detecting the control channel. We have a report pending on SORM that should be released sometime during the late spring of 2013.

Can you give us a simple example?

> We are trying to decide how and what to publish so as to share usable knowledge without revealing tradecraft that would allow the developers of SORM (II and III) to reduce detectability.

This is a rather difficult thing to do - it seems not worth doing. These guys are already working on reducing detectability, aren't they?

> BTW - SORM II is commercially available in the European, US and Canadian markets under the brand name "NetBeholder" so those of you with deep pockets should buy a set up and reverse engineer it http://www.netbeholder.com/en/products.html … the company even has a street address in Toronto, for those of you that want to visit. :-)

Has it been found on Canadian networks? Who uses it?

All the best,
Jacob

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
