Re: netflow in the core used for surveillance

2021-08-30 Thread Avi Freedman
Hi, all.

Re: last week's thread on the Vice article -

I can only speak for Kentik, and *we* don't resell or give 3rd party access
to NetFlow data from our hundreds of customers.  And never have.

But there is definitely interest out there.  We do get approached about it
periodically and always say no.  Mostly by commercial vendors and not (at
least directly) by governmental bodies.

Of course, our *customers* could in theory share their data via API key, or
by using our outbound streaming firehose.  But I've never talked to a
customer who wanted to share their flow data with a 3rd party.  Usually by
far the opposite.

The closest thing to this that our customers do ask about is re: aggregate
community views, which people could contribute to to help themselves and
the community.  While we don't do this now, if and when we do it: 1) won't
be with raw data, 2) will be opt-in only, 3) will be designed with
customers and have open methodology; and 4) will be likely with synthetic
test, BGP, device metrics, and other non-flow data to start.

Thanks,

Avi


Re: netflow in the core used for surveillance

2021-08-25 Thread Mark Tinka




On 8/25/21 23:13, Randy Bush wrote:

> https://www.vice.com/en/article/jg84yy/data-brokers-netflow-data-team-cymru
>
> used to get dissidents, activists, and journos killed
>
> at&t, comcast, ... zayo, please tell us you do not do this.


I guess Cambridge Analytica ain't just for the FaceMash...

Mark.


Re: netflow in the core used for surveillance

2021-08-25 Thread Hank Nussbacher

On 26/08/2021 00:13, Randy Bush wrote:

> https://www.vice.com/en/article/jg84yy/data-brokers-netflow-data-team-cymru
>
> used to get dissidents, activists, and journos killed
>
> at&t, comcast, ... zayo, please tell us you do not do this.
>
> randy



I'm confused.  Quoting from the article:
"In a recent research report on an Israeli spyware vendor called 
Candiru, Citizen Lab thanked Team Cymru.

"Thanks to Team Cymru for providing access to their Pure Signal Recon 
product. Their tool’s ability to show Internet traffic telemetry from 
the past three months provided the breakthrough we needed to identify 
the initial victim from Candiru’s infrastructure," the report reads. 
Citizen Lab did not respond to multiple requests for comment."


So Team Cymru helped expose themselves as to getting dissidents, 
activists and journalists killed?


-Hank
Caveat: The views expressed above are solely my own and do not express 
the views or opinions of my employer


Re: netflow in the core used for surveillance

2021-08-25 Thread J. Hellenthal via NANOG
I'm finding this really hard to believe for the "Team Cymru" part at least. 
Being originally a provider of security-centric configuration of network 
components... IOS ... Juniper etc... and maintaining such a high standard for 
years that they turn foot and resell/sell data on customer traffic obtained 
from other networks they themselves are a customer of for resale of data. This 
feels like a hit job on a company that secures more than it insecures by gov't 
passage.

Not trying to start a flame war here but... what do you do to your most secure 
threat? (That has financial and influential aspects)... 


-- 

J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.






> On Aug 25, 2021, at 16:13, Randy Bush  wrote:
> 
> https://www.vice.com/en/article/jg84yy/data-brokers-netflow-data-team-cymru
> 
> used to get dissidents, activists, and journos killed
> 
> at&t, comcast, ... zayo, please tell us you do not do this.
> 
> randy



Re: netflow in the core used for surveillance

2021-08-25 Thread scott



On Wed, Aug 25, 2021 at 6:15 PM Randy Bush wrote:

> https://www.vice.com/en/article/jg84yy/data-brokers-netflow-data-team-cymru
>
> used to get dissidents, activists, and journos killed
>
> at&t, comcast, ... zayo, please tell us you do not do this.

After the SF room thing a decade ago (or whatever timeframe it was) we 
have to know AT&T is doing it.




On 8/25/21 11:01 PM, jim deleskie wrote:
:: I think letting any of those people think ToR is safe as being a 
much bigger risk.



Especially since ToR was developed by the US Navy to support spying 
operations.





:: ...Team Cymru...and believe them to be the good guys,



Agreed and I have thought so for a very long time, but sadly this casts 
a shadow over my interpretation of their work.  Hopefully, someone there 
clarifies and we can go on knowing they're one of the (few) good guys.



scott



Re: netflow in the core used for surveillance

2021-08-25 Thread Tom Beecher
The NY Times did a story within the last couple years showing how easy it
was to identify an individual solely from purchasing anonymized data
commonly sold by advertisers and the like.

Now take that and be able to pin a person to an IP, and aggregate flow data
to find out everything someone does.

On Wed, Aug 25, 2021 at 7:02 PM jim deleskie  wrote:

> Randy,
>
>   We all know many folks send their *flow to someone or somewhere.  In
> exchange for pretty graphs for intelligence.  I suspect in many cases this
> data is then reused in many cases for many purposes.  But let's not
> overplay the risk here.  There would be much easier ways for rogue nations,
> bad guys/good/in the middle nation to find out about dissidents, activists,
> and journos than flow data. I think letting any of those people think ToR
> is safe as being a much bigger risk.
>
> -jim
>
> Disclosures for those that don't know.  I've never worked with Team Cymru,
> I do know them fairly well and believe them to be the good guys, I do
> currently have a relationship with them, I do not currently work for a
> large SP that sends them data.  I have worked A LOT with flow data over the
> last 20 years, for large SPs, small vendors, and all things in between.
>
> On Wed, Aug 25, 2021 at 6:15 PM Randy Bush  wrote:
>
>>
>> https://www.vice.com/en/article/jg84yy/data-brokers-netflow-data-team-cymru
>>
>> used to get dissidents, activists, and journos killed
>>
>> at&t, comcast, ... zayo, please tell us you do not do this.
>>
>> randy
>>
>


Re: netflow in the core used for surveillance

2021-08-25 Thread jim deleskie
Randy,

  We all know many folks send their *flow to someone or somewhere.  In
exchange for pretty graphs for intelligence.  I suspect in many cases this
data is then reused in many cases for many purposes.  But let's not
overplay the risk here.  There would be much easier ways for rogue nations,
bad guys/good/in the middle nation to find out about dissidents, activists,
and journos than flow data. I think letting any of those people think ToR
is safe as being a much bigger risk.

-jim

Disclosures for those that don't know.  I've never worked with Team Cymru,
I do know them fairly well and believe them to be the good guys, I do
currently have a relationship with them, I do not currently work for a
large SP that sends them data.  I have worked A LOT with flow data over the
last 20 years, for large SPs, small vendors, and all things in between.

On Wed, Aug 25, 2021 at 6:15 PM Randy Bush  wrote:

> https://www.vice.com/en/article/jg84yy/data-brokers-netflow-data-team-cymru
>
> used to get dissidents, activists, and journos killed
>
> at&t, comcast, ... zayo, please tell us you do not do this.
>
> randy
>


Re: netflow in the core used for surveillance

2021-08-25 Thread Stephen Fulton

Randy,

It is quite possible that some are simply the victim of their own 
ignorance.  I know of an ISP where one of their last-mile hardware 
vendors was pushing hard to get junior technical staff and senior 
non-technical staff to agree to share netflow data.  When senior 
technical staff found out, they told the vendor that they would not 
share the data and to stop.  The vendor persisted.  After probing to 
find out what vendor was used in the core & peering parts of the ISP's 
network, one of the vendor's staff kindly provided netflow configuration 
to the junior technical staff, along with specific instructions to apply 
it to their transit/peering ports.  The destination of the flows was a 
server under the complete control of the vendor, not the ISP.  This was 
brought to the attention of senior technical staff and you can guess 
what happened.


The vendor is not one of the majors, they are still relatively young.  I 
won't share the name on the list.


-- Stephen







On 2021-08-25 17:13, Randy Bush wrote:

> https://www.vice.com/en/article/jg84yy/data-brokers-netflow-data-team-cymru
>
> used to get dissidents, activists, and journos killed
>
> at&t, comcast, ... zayo, please tell us you do not do this.
>
> randy
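
A config audit for the situation Stephen Fulton describes above, where flow export is pointed at a collector the ISP does not control. This is an added example, not part of the thread; the approved prefix, exporter names and sample config are constructed, and only three common export syntaxes (classic IOS, Flexible NetFlow, Junos flow-server) are matched.

```python
import ipaddress
import re

# Assumption: the operator's own collectors live in this (constructed) prefix.
APPROVED_COLLECTORS = [ipaddress.ip_network("10.20.0.0/24")]

IOS_CLASSIC = re.compile(r"^\s*ip flow-export destination (\S+)")
FNF_DEST = re.compile(r"^\s+destination (\S+)")   # only inside "flow exporter"
JUNOS = re.compile(r"\bflow-server (\S+)")

# Constructed sample: one in-house exporter, one pointing off-network.
SAMPLE_CONFIG = """\
flow exporter OPS-COLLECTOR
 destination 10.20.0.5
 transport udp 2055
!
flow exporter VENDOR-TRIAL
 destination 203.0.113.77
 transport udp 9995
!
interface TenGigabitEthernet0/0/1
 description transit
!
ip flow-export destination 10.20.0.6 2055
"""

def export_destinations(config_text):
    """Yield (line_number, destination) for each flow-export target."""
    in_exporter = False
    for n, line in enumerate(config_text.splitlines(), 1):
        if line.startswith("flow exporter "):
            in_exporter = True
        elif line and not line[0].isspace():
            in_exporter = False      # any other top-level line ends the block
        m = IOS_CLASSIC.search(line) or JUNOS.search(line)
        if not m and in_exporter:
            m = FNF_DEST.search(line)
        if m:
            yield n, m.group(1)

def unapproved_exports(config_text, approved=APPROVED_COLLECTORS):
    """Return destinations that are not inside an approved collector prefix."""
    findings = []
    for n, dest in export_destinations(config_text):
        try:
            ok = any(ipaddress.ip_address(dest) in net for net in approved)
        except ValueError:
            ok = False               # hostname: cannot be verified, so flag it
        if not ok:
            findings.append((n, dest))
    return findings
```

Run against every device config in version control, a non-empty result is the signal that export has been pointed somewhere outside the operator's own collectors.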



Re: netflow in the core used for surveillance

2021-08-25 Thread Christopher Morrow
On Wed, Aug 25, 2021 at 5:39 PM Aaron Wendel 
wrote:

> You don't know that I don't know that.
>
>
some probably do? you don't know which though?

I think, though, that part of the problem the article does not point out is:
  1) I run a network
  2) I need  (for reasons) netflow data and analysis
  3) I can't do that myself
  4) several companies put hands up:
  "I can do that for you, costs $X/month and I have a nice dashboard!
  with graphs!"

ok, so I bought that... and for another slice of product the company
providing ALSO provides 'threat intelligence' or other things, based on my
netflow and yours and hers...

It's unclear to me that (if done properly) the data shown to me about
'threats' (or whatever):
  is not a conglomeration of all other customers of (FGP) netflow data...
  is not available to internal tools of FGP, and internal users at FGP.
  is not being made available from FGP to  for money OR for 'good'.

I don't think it's a surprise to anyone that netflow stitched together can
reveal a lot about what's going on on your network, including: "who uses
vpn service X?" or "vpn user X is possibly browsing site Y" etc...

>
> On 8/25/2021 4:32 PM, Paul Ebersman wrote:
> > randy> https://www.vice.com/en/article/jg84yy/data-brokers-netflow-data-team-cymru
> >
> > randy> at&t, comcast, ... zayo, please tell us you do not do this.
> >
> >
> > aaron> You know they do.
> >
> > No, you don't know that.
> >
> > The above all certainly collect this info. Not all sell it to anyone who
> > asks.
>
>


Re: netflow in the core used for surveillance

2021-08-25 Thread Matt Harris
On Wed, Aug 25, 2021 at 4:33 PM Paul Ebersman 
wrote:

> randy> https://www.vice.com/en/article/jg84yy/data-brokers-netflow-data-team-cymru
>
> randy> at&t, comcast, ... zayo, please tell us you do not do this.
>
>
> aaron> You know they do.
>
> No, you don't know that.
>
> The above all certainly collect this info. Not all sell it to anyone who
> asks.
>

Well, not just anyone who asks. But perhaps some of those who ask. You, for
example, as a random guy, might not have much luck. Various and sundry
other organizations, on the other hand, would likely have much better luck,
were they to pursue such a thing.

Matt Harris|Infrastructure Lead
816-256-5446|Direct


Re: netflow in the core used for surveillance

2021-08-25 Thread Aaron Wendel

You don't know that I don't know that.


On 8/25/2021 4:32 PM, Paul Ebersman wrote:

> randy> https://www.vice.com/en/article/jg84yy/data-brokers-netflow-data-team-cymru
>
> randy> at&t, comcast, ... zayo, please tell us you do not do this.
>
> aaron> You know they do.
>
> No, you don't know that.
>
> The above all certainly collect this info. Not all sell it to anyone who
> asks.




Re: netflow in the core used for surveillance

2021-08-25 Thread Paul Ebersman
randy> https://www.vice.com/en/article/jg84yy/data-brokers-netflow-data-team-cymru

randy> at&t, comcast, ... zayo, please tell us you do not do this.


aaron> You know they do.

No, you don't know that.

The above all certainly collect this info. Not all sell it to anyone who
asks.


Re: netflow in the core used for surveillance

2021-08-25 Thread Aaron Wendel

You know they do.

On 8/25/2021 4:13 PM, Randy Bush wrote:

> https://www.vice.com/en/article/jg84yy/data-brokers-netflow-data-team-cymru
>
> used to get dissidents, activists, and journos killed
>
> at&t, comcast, ... zayo, please tell us you do not do this.
>
> randy




Re: netflow in the core used for surveillance

2021-08-25 Thread Brandon Svec via NANOG
I would go on the assumption they do (or allow others to), always have and
always will.  And if not this way, they will find other ways such as one
infamous example-

https://en.wikipedia.org/wiki/Room_641A
*-Brandon*


On Wed, Aug 25, 2021 at 2:16 PM Randy Bush  wrote:

> https://www.vice.com/en/article/jg84yy/data-brokers-netflow-data-team-cymru
>
> used to get dissidents, activists, and journos killed
>
> at&t, comcast, ... zayo, please tell us you do not do this.
>
> randy
>


netflow in the core used for surveillance

2021-08-25 Thread Randy Bush
https://www.vice.com/en/article/jg84yy/data-brokers-netflow-data-team-cymru

used to get dissidents, activists, and journos killed

at&t, comcast, ... zayo, please tell us you do not do this.

randy