May 14, 2018

Banning Bitcoin and PGP in your own intranet


Some crypto-anarchists argue that the government is not powerful enough to ban Bitcoin because any restriction can be bypassed. That is simply not true. Banning Bitcoin is as easy as banning file sharing. All the provider has to do is block certain ports and search the remaining traffic for patterns. Good routers have such monitoring capabilities integrated out of the box. How real Internet service providers handle this is unclear, but at least in a local area network the admin has the obligation to do so. From a technical point of view, blocking a complete port range is a bit problematic because it sometimes affects useful services too; the better idea is to monitor the traffic on an IP basis, so that the admin can answer the question of which users in the last month have used the Bitcoin protocol, a BitTorrent tracker, PGP-encrypted e-mail and so on. The packets can be identified either by the port number or by the content itself; for example, a PGP message starts with a certain header.
What the admin does with the collected data depends on the current company policy. If the company wants to be more restrictive, it can search for users who have violated some of the rules, and this is a good reason for a detailed talk with the user. The funny thing is that with network monitoring it is also possible to observe potential bypassing methods: if somebody has developed his own protocol number, that can be detected too. The idea is to create a fingerprint for every user and classify their activities according to their security relevance. Again, it is not necessary to block the traffic technically; it is enough to monitor the activities silently, so that later enough data about a user is available to call him a terrorist.
Here is a tutorial on how to detect P2P traffic with Wireshark: https://www.howtogeek.com/107945/how-to-identify-network-abuse-with-wireshark/ Using Wireshark to detect e-mail encryption is also possible. Here https://serverfault.com/questions/693814/gpg-receive-keys-times-out-but-wireshark-confirms-the-http-response-is-receive is an example of recognizing a request to a so-called keyserver. That means that if one of the users asks a remote keyserver for a public key with the intention of encrypting a message, this can be detected. What Wireshark can't do is decrypt the message, because it doesn't know the password. That means it is not possible to see what the user has written in his message (that is the general idea behind encryption). What can be said is whether the user has sent an encrypted message and who the receiver was. Because sending encrypted messages can be seen as a terrorist act, it is enough to expose the user.
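As an added example (not code from the original post), the port- and content-based classification described above, applied to constructed flow records: each flow is labelled by its well-known destination port or by a payload signature, and the labels are aggregated into a per-IP profile over a 30-day window. The port numbers and signatures are the protocols' public defaults; the sample flows, IP addresses and key ID are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Port- and content-based signatures (public protocol defaults; the set chosen
# here is an illustrative assumption, not an exhaustive ruleset).
SIGNATURES = {
    "bitcoin":    ({8333}, [b"\xf9\xbe\xb4\xd9"]),                  # mainnet message magic
    "bittorrent": (set(range(6881, 6890)), [b"\x13BitTorrent protocol"]),  # peer handshake
    "pgp":        ({11371}, [b"-----BEGIN PGP MESSAGE-----",         # ASCII-armored message
                            b"GET /pks/lookup"]),                    # HKP keyserver query
}

def classify_flow(dst_port: int, payload: bytes) -> Optional[str]:
    """Label a flow by destination port first, then by a signature in the payload head."""
    head = payload[:256]
    for name, (ports, magics) in SIGNATURES.items():
        if dst_port in ports or any(m in head for m in magics):
            return name
    return None

def fingerprint(flows, now, window=timedelta(days=30)):
    """Count classified protocols per source IP for flows inside the look-back window."""
    cutoff = now - window
    profile = defaultdict(lambda: defaultdict(int))
    for ts, src_ip, dst_port, payload in flows:
        if ts < cutoff:
            continue
        label = classify_flow(dst_port, payload)
        if label:
            profile[src_ip][label] += 1
    return {ip: dict(counts) for ip, counts in profile.items()}

# Constructed sample flows: (timestamp, source IP, destination port, payload head)
SAMPLE_NOW = datetime(2018, 5, 14)
SAMPLE_FLOWS = [
    (datetime(2018, 5, 10), "10.0.0.5", 8333, b"\xf9\xbe\xb4\xd9version"),
    (datetime(2018, 5, 11), "10.0.0.5", 25, b"-----BEGIN PGP MESSAGE-----\nhQEMA"),
    (datetime(2018, 5, 12), "10.0.0.7", 11371, b"GET /pks/lookup?op=get&search=0xDEADBEEF HTTP/1.1"),
    (datetime(2018, 5, 12), "10.0.0.7", 443, b"\x16\x03\x01"),       # plain TLS: not classified
    (datetime(2018, 3, 1), "10.0.0.9", 6881, b"\x13BitTorrent protocol"),  # outside the window
]

if __name__ == "__main__":
    print(fingerprint(SAMPLE_FLOWS, SAMPLE_NOW))
```

Note that the TLS flow and the out-of-window BitTorrent handshake do not appear in the profile, which is the same limitation the post attributes to Wireshark: encrypted content is only recognizable by its envelope, not by what it carries.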