The Dim-Post

October 5, 2012

A question for the level 3 boys

Filed under: technology — danylmc @ 5:21 am

The Herald reports:

Kim Dotcom’s internet connection was being diverted inside New Zealand weeks before the Government Communications Security Bureau says it started spying on him.

The Herald has obtained details showing Telecom engineers and staff at its technology services company Gen-I were investigating irregularities with his internet connection in November.

Information held by the Herald shows Gen-I studied data showing the amount of time it took information on the internet connection to reach the Xbox server. It went from 30 milliseconds to 180 milliseconds – a huge increase for online gamers.

The reason for the extra time emerged in a deeper inquiry, which saw a “Trace Route” search which tracks internet signals from their origin to their destinations. When the results were compared it showed the internet signal was being diverted inside New Zealand.

You can try this at home! Open a command prompt and type tracert and press enter, and your computer will tell you all the different machines it passes through to get to google. (You can also try it at work, but your company probably won’t let you trace route through the firewall.)

Anyway, I’m not a fancy networking guy but this sounds a bit strange to me. Do you really need to divert someone’s traffic to monitor it?

Update: Anita points out in the comments that re-routing traffic is required for a man in the middle attack which could be used to decrypt Kim Dotcom’s encrypted messages.


  1. Traceroute will only list the intermediate steps that allow themseves to be listed. A clean traceroute is not proof that your traffic is not being diverted.

    But yes, why anyone would divert rather than sniff if they only wanted to monitor is an interesting question. I’m sure someone might correct me, but I vaguely remember than diverting is more likely to get you the keys etc you need to decrypt encrypted traffic (which is the point of a man in the middle attack), but you have to do more than just watch traffic to get them.

    Comment by Anita — October 5, 2012 @ 5:46 am

  2. I wouldn’t have thought that diversion makes it easier to get keys than other forms of network sniffing, but it does mean that you can see the traffic without necessarily having the involvement of the ISP, or having to get into the target machine itself (although it does imply that there has been additional software installed on the target machine, or that the broadband router has been compromised).

    Comment by jonob — October 5, 2012 @ 7:21 am

  3. Yeah, I doubt diversion alone will get you the keys if you’re doing nothing but sniffing (and couldn’t get them without diverting traffic). If you’re prepared to do more than sniff however, it will make things easier.

    I was assuming any compromise was at the router or upstream, you’d go potty trying to maintain individual comprmises on as many boxes as I’m thinking there would’ve been in the house.

    And good morning 🙂

    Comment by Anita — October 5, 2012 @ 7:37 am

  4. The deeper technical aspects of this discussion so far are not credible or accurate.

    You certainly do not need to be man-in-the-middle to decrypt traffic. The only reason to go mitm is to intercept the traffic for the purposes of archiving and/or subjecting it to more specialised analysis later. You could also alter the information being sent to remote systems or change the information be returned. The reality thought is this last step would be a monumentally complex task to achieve in realtime, and for what purpose? The best reason I can think of is to defraud someone but the idea that the goverment would do this instead of just siezing his assets….. oh wait, they already did that instead. Maybe they just wanted to learn how to play CoD from the “number 1 player” (pfffft. where? In Coatesville??)

    The ability to intercept traffic (read-only) in realtime does not rely on internet routing. Only a fool (or someone with no other choice) would do it this way as it leaves an audit trail. More likely, the network traffic would be “mirrored” to specialist equipment at the network switching equipment level. There are physical interception methods that cover copper, fibre optic and RF transmission too but again, these are terriffically complicated to pull off. And why would you if you could just do it at a more convenient, centralised place in the network.

    The ability to decrpyt without the keys is dependent on the algorithm, key length and countermeasures taken but the encryptor. Might be easy, Might be hard. Might be close to impossible.

    Also, any interception may well have nothing to do with installing software or compromising broadband routers or equipment at the target location. It’s all happening (or should be) much deeper in the network. Though you could do this too, again, why would you as there is the risk of detection or an evidence trail plus the need to burglarize the target, electronically anyway.

    If there is traceroute data showing extra hops including IP addresses and timings then let’s see it Then we can easily see if they are worthy of further scrutiny as the identity of the IP network address owner may give some indication as to whether there was anything creepy going on. Even though you can easily obfuscate the traceroute you can also easily see *where* this is happening enabling further anaylsis and investigation.


    Comment by Daz — October 5, 2012 @ 9:24 am

  5. Yeah, but an MIM attack on https will usually throw up a certificate error (that’s what SSL certificates are for). If it doesn’t, that means the person doing the intercepting has obtained keys (by cracking, corruption or government action).

    It would be interesting (and hugely embarrassing for the intelligence agencies) if the Dotcom business led to such activity being disclosed.

    Also, if Dotcom’s traffic *was* being intercepted, that kind of indicates that unauthorized access with the backdoor connivance of telcos can happen in NZ (contrary to assurances from Those That Claim To Know). I’d discount interception *without* the tacit connivance of the telco – cutting a fibre is bloody obvious – alarms will go off and TDR will show you exactly where the cut happened.

    Comment by richdrich — October 5, 2012 @ 9:30 am

  6. Routing problems often happen without espionage being involved, Telecom’s flaky systems are usually to blame.

    Comment by Dave — October 5, 2012 @ 10:09 am

  7. maybe its his hacker mates doing it to slow his gaming up?

    Comment by gn35 — October 5, 2012 @ 10:14 am

  8. If this is such an easily detectable and unnecessarily complicated way to intercept someone’s communications, maybe whoever did it wanted to be noticed. Not ‘wanted to be noticed’ by the media or police, but wanted to be noticed by a hacker sitting in his Coatesville mansion – sort-of a hacker-to-hacker message saying ‘hey big boy, we’re watching’.

    Comment by kahikatea — October 5, 2012 @ 11:39 am

  9. @Kahikatea: or maybe they’re just incompetent – which given what we know so far, seems like the most likely explanation for anything.

    Comment by helenalex — October 5, 2012 @ 12:13 pm

  10. The deeper technical aspects of this discussion so far are not credible or accurate. You certainly do not need to be man-in-the-middle to decrypt traffic.

    Indeed. This line of story is bullshit. Classic correlation / causation reporting.
    Without seeing the raw data and correlating it with time data / Committed bitrate info / load at the cabinet etc. it’s pretty much impossible to determine the cause let alone draw a sensible conclusion.

    As per Daz’ notes, mirroring at the POI / aggregation node is the easiest option if you are intending to perform some sort of offline decryption as opposed to straightforward signal analysis (i.e. how many packets traveled from Point A to point Z over what timeframe).

    Note: Physical interception can and is used in some instances to facilitate intercept and while it is more complicated and expensive for fibre, it’s a piece of cake for copper.

    Comment by Gregor W — October 5, 2012 @ 2:35 pm

  11. The Telecommunications (Interception Capability) Act of 2004 requires all ISPs and telcos to have a way to intercept and capture traffic in response to a properly authorised request from a law enforcement agency.

    It doesn’t specify how this has to be done, and nor does it say that the interception has to be undetectable…

    Comment by Thomas Beagle — October 5, 2012 @ 6:29 pm

  12. It’s unlikely that re-routing the traffic would make it easy to break private-key based authentication, assuming a signing authority is in the loop. It may be a little easier with self-signed certs, but you’d need either (1) the key, or (2) ridiculous amounts of CPU time for a few hundred thousand years (if you’re lucky).

    I’d like to see a before-and-after tracert output. The key point will be who owns the extra IPs in the list. I suppose it’s conceivable (but dumb) that his ISP only has “lawful intercept” capabilities om certain servers, and the process of writing the traffic to disk MIGHT slow the connection down, but that scale of difference would surprise me unless the lawful intercept server is very busy or very slow. (I’m a performance tester by trade so I know a bit about this stuff.)

    Comment by Ben — October 5, 2012 @ 7:12 pm

  13. Not being a level 3 boy, I would have thought a MITM attack is a possible Modus Operandi of the enforcement operatives struggling to find success in this strange new world.

    Comment by Russell — October 5, 2012 @ 9:15 pm

  14. Aaaa….mmmm….yes all jolly interesting and all that, but what I’d like to know from one of you techo people, having watched Newsroom last week where they informed us that every single email etc message in existence was being monitored, and not being too conversant with all this newfangled techno-thingy stuff, and considering that it’s pretty evident that we have spies who are onto this stuff and who aren’t apparently answerable to roughly anyone (or at least anyone who can remember anything), is it possible that somewhere there is some pimply-faced ex-WINZ case manager who tin-arsed a promotion to justice (or whatever secret classification they might have this week) who might have been reading all the emails of commenters on left-wing-oriented blogs, and thus classifying us all as subversives, and who might just possibly know if I inadvertently insulted my local MP in a semi-drunken comment a couple of weeks ago but am unable to ascertain due to my inability to work this machine in a backwards direction, and thus be able to indicate that this may be the reason why his wife won’t answer my emails as to the whereabouts of my umbrella which I am practically certain I left in her car?

    Comment by ak — October 5, 2012 @ 9:19 pm

  15. Others have said the spies in NZ are keystone cops when it comes to technology or so I have been led to believe. aaaaaaaaaaaaaaaaaaaaaaghh no, not the face……………..

    Comment by Bob — October 5, 2012 @ 9:54 pm

  16. @ak
    Monitoring emails would depend on either (a) having direct access to the mail servers or (b) intercepting the traffic somewhere between two mail servers.

    If you own the mail server(s) involved and encrypt the traffic between them (in the case of multiple servers), you get around both of those things.

    Comment by Ben — October 5, 2012 @ 11:49 pm

  17. I assumed it was common knowledge that there are little black boxes in Mayoral Drive Exchange monitoring the main international link. Why is anyone surpised when we have an agency set up to do that plus laws with quite specific sections allowing them to do it.

    Comment by insider — October 5, 2012 @ 11:50 pm

  18. Just a couple of points.

    A man in the middle attack can be performed without certificate errors.

    Listening in on fibre is possible and not that difficult any more (fibre\fiber tapping). I believe New Scientist published an article on how to do it for less than US$100 back in the 90s.

    If you have access at the telco level you could use techniques such as BGP eavesdropping and be undetectable.

    It’s highly unlikely that their is a single “xbox server” that has ICMP enabled all the way through to it. Tracert doesn’t “trace signals”, it asks every device in the route to report back if it has been enabled to. However devices such as transparent caches are just that transparent. A high tracert response time also does not signify that there are additional devices in the path. It can indicate high latency on the network.

    And what sort of spy agency is going to put in monitoring devices that say they are there?

    Comment by Rob Singers — October 19, 2012 @ 4:58 pm

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at

%d bloggers like this: