On Jun 13, 2013, at 12:28 , "Avi Freedman" <avi@freedman.net> wrote:
I disagree.
There have already been lab demos of SFPs that could inject frames, and APTs are pretty advanced, sinister, and can be hard to detect now.
I'm not suggesting Huawei is or isn't enabling badness globally but I think it would be technically feasible.
I am assuming a not-Huawei-only network. The idea that a router could send things through other routers without someone who is looking for it noticing is ludicrous. Of course, most people aren't paying attention, so a few extra frames most likely wouldn't be noticed. But if you are worried about it, you should be looking. Also, I find it difficult to believe Huawei has the ability to do DPI or something inside their box and still route at reasonable speeds; the idea is a bit silly. Perhaps they only duplicate packets based on source/dest IP address or something that is magically messaged from the mother ship, but I am dubious. It should be trivial to prove to yourself the box is, or is not, doing something evil if you actually try. -- TTFN, patrick
------Original Message------ From: Patrick W. Gilmore To: NANOG list Subject: Re: huawei Sent: Jun 13, 2013 12:22 PM
On Jun 13, 2013, at 12:18 , Nick Khamis <symack@gmail.com> wrote:
A local clec here in Canada just teamed up with this company to provide cell service to the north:
http://cwta.ca/blog/2012/09/24/ice-wireless-iristel-and-huawei-partner-for-3...
Scary....
Why?
Do you think Huawei has a magic ability to transmit data without you noticing?
If you don't want to use Huawei because they stole code or did other nasty things, I'm right there with you. If you believe a router can somehow magically duplicate info and transport it back to China (ignoring CT/CU's inability to have congestion-free links), I think you are confused.
-- TTFN, patrick
On 06/13/2013 09:35 AM, Patrick W. Gilmore wrote:
I am assuming a not-Huawei-only network.
The idea that a router could send things through other routers without someone who is looking for it noticing is ludicrous.
::cough:: steganography ::cough:: Mike
On 6/13/13, Michael Thomas <mike@mtcc.com> wrote:
On 06/13/2013 09:35 AM, Patrick W. Gilmore wrote:
I am assuming a not-Huawei-only network.
The idea that a router could send things through other routers without someone who is looking for it noticing is ludicrous.
::cough:: steganography ::cough::
Mike
Well put! N.
Not really, no one has claimed it's impossible to hide traffic. What is true is that it's not feasible to do so at scale without it becoming obvious. Steganography is great for hiding traffic inside of legitimate traffic between two hosts, but if one of my routers starts sending cat photos somewhere, no matter how cute, I'm gonna consider that suspicious. That's an absurd example (hopefully funny) but _any_ from one of my routers over time would be obvious, especially since to be effective this would have to go on much of the time and in many routers. Hiding all that isn't feasible for a really technically astute company and they're not in that category yet (IMO).
On 06/13/2013 10:20 AM, Scott Helms wrote:
Not really, no one has claimed it's impossible to hide traffic. What is true is that it's not feasible to do so at scale without it becoming obvious. Steganography is great for hiding traffic inside of legitimate traffic between two hosts, but if one of my routers starts sending cat photos somewhere, no matter how cute, I'm gonna consider that suspicious. That's an absurd example (hopefully funny) but _any_ from one of my routers over time would be obvious, especially since to be effective this would have to go on much of the time and in many routers. Hiding all that isn't feasible for a really technically astute company and they're not in that category yet (IMO).
It all depends on what you're trying to accomplish. Hijacking many cat photos to send your cat photo... how deep is your DPI? Remember also, the answer to the universe fits in 6 bits... Mike
I think one of the possibilities suggested beyond call-home or backdoors was that they might have installed a secret kill-switch to be activated against 'enemy' nodes in time of war as a cyber shock and awe campaign. mg
That is far more feasible than mass interception and forwarding of traffic, though there is (AFAIK) no indication that such a kill switch exists. I also think that if China wanted to do something nefarious a far better target would be Lenovo, which still seems to be an accepted vendor in US government circles judging from the number I've seen in DC this week, and laptops have far more horsepower and storage than most pieces of networking gear.
They are a state-controlled company. You think the PRC's party members don't call the shots? I've been to Beijing for work. I can assure you the government has a very known presence throughout the private community. Oftentimes, graduates of their state-run colleges enter the "private" sector to help their collective needs. China is an odd place, but in my opinion they are often underestimated. Look at their stealth plane; that's a good starting point on their ability to borrow technology and implement it quickly. It's about numbers over there, not sense. Sent from my Mobile Device. -------- Original message -------- From: Scott Helms <khelms@zcorum.com> Date: 06/13/2013 10:22 AM (GMT-08:00) To: Nick Khamis <symack@gmail.com> Cc: NANOG <nanog@nanog.org> Subject: Re: huawei
They are a state-controlled company. You think the PRC's party members don't call the shots?
and you live in a police and surveillance state where the govt sniffs every packet you send, every phone call you make, ... other than style, what's the difference? oh, i guess the chinese are only bombing their neighbors, not folk half a planet away. the differentiation may be an acquired taste.
On Thu, Jun 13, 2013 at 1:20 PM, Scott Helms <khelms@zcorum.com> wrote:
if one of my routers starts sending cat photos somewhere, no matter how cute, I'm gonna consider that suspicious.
Hi Scott, If once every 24 hours or so your router borrows the source IP of a packet it recently passed and uses it to send a burst of 20 intentionally unacknowledged packets containing a cat photo, your odds of noticing are very close to zero and your odds of tracing it to the router are even worse. Implementing a magic-packet remote kill switch is even easier... and completely undetectable until used. With a little effort you could implement it in the forwarding hardware where even a thorough analysis of the firmware image can't detect it. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
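Patrick's "prove to yourself the box is, or is not, doing something evil if you actually try" and Bill's borrowed-source burst, worked through as an added example that is not code from the thread: a two-sided comparison of what entered a suspect router against what left it. It assumes simultaneous captures on the ingress and egress side of one box (a tap or SPAN port on each), supplied here as lists of raw Ethernet frames; the build_frame() helper, the sample payloads and the RFC 5737 addresses only construct sample input, and a real run would read two pcaps instead.

```python
"""Two-sided tap comparison for a suspect router (added example)."""
import hashlib
import socket
import struct
from collections import Counter

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src, dst, payload, ttl=64, ident=1, proto=17):
    """Constructed Ethernet + IPv4 frame (no options), sample input only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + hdr + payload


def normalize(frame: bytes):
    """(key, src, dst) for an IPv4 frame with the fields a plain router
    legitimately rewrites cleared: L2 header dropped, TTL and IPv4 header
    checksum zeroed. Extend for NAT, MPLS, DSCP remarking or fragmentation,
    or those rewrites will be reported as changes."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = bytearray(frame[ETH_HDR_LEN:])
    src = socket.inet_ntoa(bytes(ip[12:16]))
    dst = socket.inet_ntoa(bytes(ip[16:20]))
    ip[8] = 0                 # TTL: decremented by every hop
    ip[10:12] = b"\x00\x00"   # header checksum: recomputed after the TTL change
    return hashlib.sha256(bytes(ip)).hexdigest(), src, dst


def tap_diff(ingress_frames, egress_frames, router_addrs):
    """Compare what entered the router with what left it.
    injected:   egress packets that never entered and are not sourced from the
                router itself (a spoofed-source burst lands here)
    duplicated: packets that left more often than they arrived
    modified:   same (src, dst) entered, but the bytes changed in transit
    dropped:    ingress packets with no egress counterpart (other port, consumed, lost)
    router_originated: egress packets from the router's own addresses (hellos, ICMP, ...)
    """
    router_addrs = set(router_addrs)
    seen_in, seen_out, flow = Counter(), Counter(), {}
    for f in ingress_frames:
        n = normalize(f)
        if n:
            seen_in[n[0]] += 1
            flow[n[0]] = (n[1], n[2])
    router_originated = 0
    for f in egress_frames:
        n = normalize(f)
        if n is None:
            continue
        if n[1] in router_addrs:
            router_originated += 1
            continue
        seen_out[n[0]] += 1
        flow[n[0]] = (n[1], n[2])
    missing = Counter(flow[k] for k in seen_in if k not in seen_out)
    injected, modified = [], []
    for k in seen_out:
        if k in seen_in:
            continue
        if missing[flow[k]] > 0:      # endpoints entered, bytes differ: tampering
            missing[flow[k]] -= 1
            modified.append(flow[k])
        else:
            injected.append(flow[k])
    duplicated = [flow[k] for k in seen_out if k in seen_in and seen_out[k] > seen_in[k]]
    return {"injected": injected, "duplicated": duplicated, "modified": modified,
            "dropped": sum(missing.values()), "router_originated": router_originated}


def sample_captures():
    """Constructed captures: three transit packets; on egress one is duplicated,
    one has its payload altered, one extra packet appears with a borrowed transit
    source address, and the router sends its own OSPF hello."""
    router = "192.0.2.1"
    ingress = [
        build_frame("198.51.100.10", "203.0.113.5", b"GET / HTTP/1.1\r\n", ident=1),
        build_frame("198.51.100.11", "203.0.113.5", b"hello", ident=2),
        build_frame("198.51.100.12", "203.0.113.9", b"payload-c", ident=3),
    ]
    egress = [
        build_frame("198.51.100.10", "203.0.113.5", b"GET / HTTP/1.1\r\n", ttl=63, ident=1),
        build_frame("198.51.100.11", "203.0.113.5", b"hello", ttl=63, ident=2),
        build_frame("198.51.100.11", "203.0.113.5", b"hello", ttl=63, ident=2),      # duplicated
        build_frame("198.51.100.12", "203.0.113.9", b"payload-X", ttl=63, ident=3),  # modified
        build_frame("198.51.100.10", "203.0.113.77", b"leak", ttl=63, ident=4000),   # injected
        build_frame(router, "224.0.0.5", b"ospf-hello", ttl=1, ident=0, proto=89),  # router's own
    ]
    return ingress, egress, {router}


if __name__ == "__main__":
    ingress, egress, routers = sample_captures()
    for name, value in tap_diff(ingress, egress, routers).items():
        print(name, value)
```

Because the comparison is per packet rather than per interface counter, a single 20-packet burst with a borrowed source address shows up as injected and payload tampering shows up as modified, instead of vanishing into counter noise. The check is only as good as normalize(): anything the router legitimately rewrites (NAT, MPLS labels, DSCP remarking, fragmentation) has to be cleared there or it will be reported as a change, and both captures must cover the same window with some slack for packets in flight. It says nothing about a box that stays silent until a kill switch fires, which is Bill's other point.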
Bill, Certainly everything you said is correct and at the same time is not useful for the kinds of traffic interception that's been implied. 20 packets of random traffic capture is extraordinarily unlikely to contain anything of interest, and even if you do happen to get a juicy fragment your chances of getting more are virtually nil. An effective system must either capture and transmit large numbers of packets or have a command and control system in order to target smaller captures against a shifting list of addresses. Either of those things are very detectable. I've spent a significant amount of time looking at botnet traffic, which has the same kind of requirements.
On 06/13/2013 05:28 PM, Scott Helms wrote:
Bill,
Certainly everything you said is correct and at the same time is not useful for the kinds of traffic interception that's been implied. 20 packets of random traffic capture is extraordinarily unlikely to contain anything of interest, and even if you do happen to get a juicy fragment your chances of getting more are virtually nil. An effective system must either capture and transmit large numbers of packets or have a command and control system in order to target smaller captures against a shifting list of addresses. Either of those things are very detectable. I've spent a significant amount of time looking at botnet traffic, which has the same kind of requirements.
I think you're having a failure of imagination that anything less than a massive amount of information sent back to the attacker could be useful. I think there are lots and lots of things that could be extremely useful that would only require a simple message with "got here" back to the attacker if the "got here" condition was sufficiently interesting. Spying doesn't have the same motivations as typical botnets for illicit commerce. Mike
and even botnets for illicit commerce may only be interested something that is small and may not change very often so will not need regular exflitration... e.g. on a server, the current password of a user who can sudo or a few private keys
Not at all Michael, but that is a targeted piece of data and that means a command and control system. I challenge your imagination to come up with a common scenario where a non-targeted "I'm/they're here" is useful to either the company or the Chinese government, keeping in mind that you have no foreknowledge of where these devices might be deployed. Also, no one seems to want to touch the fact that doing this kind of snooping would be several orders of magnitude easier on laptops and desktops, which have been sold by Lenovo for much longer than networking gear by Huawei.
On 06/13/2013 06:11 PM, Scott Helms wrote:
Not at all Michael, but that is a targeted piece of data and that means a command and control system. I challenge your imagination to come up with a common scenario where a non-targeted "I'm/they're here" is useful to either the company or the Chinese government, keeping in mind that you have no foreknowledge of where these devices might be deployed. Also, no one seems to want to touch the fact that doing this kind of snooping would be several orders of magnitude easier on laptops and desktops, which have been sold by Lenovo for much longer than networking gear by Huawei.
Non targeted? Why be so narrow? For a targeted use, something that detects, oh say, "we [the Syrians] gassed the rebels" in some stream and sends it out a covert channel would be very interesting. Remember that vast sums of money are spent on these intelligence gathering systems. Whether they're targeting routers is really hard to say -- the attacker has the advantage of knowing what they're looking for and we don't. So in a router? It may just be opportunistic that they're easier or safer to penetrate? We really don't know. Things are rarely as they appear on the surface. Mike, "I just heard the Syria example from the Newshour as I typed... this isn't hard"
What you're describing is a command and control channel unless you're suggesting that the router itself had the capacity to somehow discern that. That's the problem with all the pixie dust theories. The router can't; it doesn't know who the rebels are, much less their net block, ahead of time. Something has to pass rules to the box to be able to trigger off of.
On 06/13/2013 06:57 PM, Scott Helms wrote:
What you're describing is a command and control channel unless you're suggesting that the router itself had the capacity to somehow discern that. That's the problem with all the pixie dust theories. The router can't; it doesn't know who the rebels are, much less their net block, ahead of time. Something has to pass rules to the box to be able to trigger off of.
I think you're misunderstanding: the router is watching traffic and gives clues that "we're gassing the rebels" that was added to all of the DPI vectors which get surreptitiously added to the other DPI terms unbeknownst to the owner and sent back to the attacker. That's enormously powerful. All it takes is sufficient money and motivation. Is this speculative? Of course -- I'm not a spook. Is it possible? You bet. Mike
What protocol is a DPI vector? In what way is making a router even remotely efficient as a method of end-to-end covert communication? There are thousands (if not millions) of ways for two hosts to exchange data without it being detectable that are much faster and cheaper than involving the network infrastructure. Kill switches and secret back doors are all feasible, but the rest of this is fantasy.
What protocols have empty space in the headers whereby I can add my 'message' and send it along with legit traffic? I would think most all.
-- Phil Fagan Denver, CO 970-480-7618
On Thu, Jun 13, 2013 at 09:11:35PM -0400, Scott Helms wrote:
I challenge your imagination to come up with a common scenario where a non-targeted "I'm/they're here" is useful to either the company or the Chinese government, keeping in mind that you have no foreknowledge of where these devices might be deployed.
How about "code that watches for password changes on the device, captures them, quietly and slowly leaks them a bit at a time"? And I do mean "slowly": passwords don't change all that often, so if it takes a week to transmit one, that's not a concern.

Passwords also get reused, so knowledge of the pair (Device1, Password1) is often useful when considering (Device2, Device3, ... DeviceN).

You're right: nobody would know a priori where the devices are going. But why would [some of the] attackers care?

And it's not strictly necessary to have the devices transmit the info to a pre-designated listener: it could be inserted in ALL traffic [1] so that the device is always (slowly) broadcasting its own password. Yes, this is very inefficient; yes, that might mean that transmission of the password back to the attackers isn't guaranteed; yes, that might mean that it takes a much longer time to harvest passwords.

But if the attackers' goal is to harvest as many passwords as possible, then efficiency and speed aren't important. (After all, many of the devices might sit in boxes for a long time. Or be installed on networks that are air-gapped. Or otherwise might never report anything useful.) What's much more important is undetectability, and given that almost all the detection mechanisms in play look for something like "lots of traffic to/from an unexpected location" the best way to avoid that is to be very slow, very quiet and very undirected.

Yeah, yeah, yeah, I know: far-fetched. But yesterday's "far-fetched" keeps turning out to be today's reality with monotonous regularity. And: suppose *you* were an attacker with a multi-billion dollar budget, thousands of people, and years to work: don't you think you could pull this off, too?

---rsk

[1] Perhaps disused packet header fields. Or perhaps, more cleverly, buried in the packet itself. Or otherwise concealed in other ways that make it very hard to pick out unless you know, a priori, what you're looking for.
Disclosure: I've been consulting to a group in Huawei for six years, ever since I retired from Nortel. I have seen no sign of anything except competent gathering of competitive information at meetings, the same as we did at Nortel. I would not have expected to see anything else, of course. As a Canadian, I cast a somewhat skeptical eye on claims of Huawei being a particular security hazard. My personal view, without any evidence outside of the newspapers, is that the claims are commercially and politically motivated. I note that Cisco equipment, for instance, is also manufactured in China, but no one has taken that any further. The IPR scandal is twenty years in the past, now. I've watched my own group mature and visited their Shenzhen campus of 10,000-plus engineers from time to time, and I would say that Huawei is well able to generate their own technology these days. It's fun to speculate on how one might insert back doors in products, but I'm not sure there's reason to tie such speculation to particular vendors. Tom Taylor
On Fri, 14 Jun 2013 10:21:25 -0400, Tom Taylor said:
It's fun to speculate on how one might insert back doors in products, but I'm not sure there's reason to tie such speculation to particular vendors.
It's so much fun we've been doing it *at least* since we all wondered where IBM got the S-boxes from. :)
On Fri, Jun 14, 2013 at 8:47 AM, Rich Kulawiec <rsk@gsp.org> wrote:
On Thu, Jun 13, 2013 at 09:11:35PM -0400, Scott Helms wrote:
I challenge your imagination to come up with a common scenario where a non-targeted "I'm/they're here" is useful to either the company or the Chinese government, keeping in mind that you have no foreknowledge of where these devices might be deployed.
How about "code that watches for password changes on the device, captures them, quietly and slowly leaks them a bit at a time"? And I do mean "slowly": passwords don't change all that often, so if it takes a week to transmit one, that's not a concern.
This is feasible, but frankly unlikely because AFAIK no one disputes that backdoors (intentional or not) are in most if not all gear. Having said that, it would still be pretty obvious en masse and over time to have packets going to a predesignated host. It's not really possible for a box to know whether it's in a "real" network or a lab with a Spirent or other traffic generator hooked to it.
Passwords also get reused, so knowledge of the pair (Device1, Password1) is often useful when considering (Device2, Device3, ... DeviceN).
You're right: nobody would know a priori where the devices are going. But why would [some of the] attackers care?
It really depends on what someone wants to accomplish. There are lots of things that are possible, but not feasible simply because there are cheaper/faster/better ways of accomplishing the same thing. Shutting down a network is pretty easy so if you have a kill switch and a backdoor (both likely and easy) then why do you care about the passwords of the devices near by? You can knock out a core router in other ways.
And it's not strictly necessary to have the devices transmit the info to a pre-designated listener: it could be inserted in ALL traffic [1] so that the device is always (slowly) broadcasting its own password. Yes, this is very inefficient; yes, that might mean that transmission of the password back to the attackers isn't guaranteed; yes that might mean that it takes a much longer time to harvest passwords.
How? There is truly not that much room in the IP packet to play games and if you're modifying all your traffic this would again be pretty easy to spot. Again, the easiest/cheapest method is that there is a backdoor there already.
But if the attackers' goal is to harvest as many passwords as possible, then efficiency and speed aren't important. (After all, many of the devices might sit in boxes for a long time. Or be installed on networks that are air-gapped. Or otherwise might never report anything useful.) What's much more important is undetectability, and given that almost all the detection mechanisms in play look for something like "lots of traffic to/from an unexpected location" the best way to avoid that is to be very slow, very quiet and very undirected.
Yeah, yeah, yeah, I know: far-fetched. But yesterday's "far-fetched" keeps turning out to be today's reality with monotonous regularity.
Not really, things that are far fetched can become reality but only in cases where something underlying changes.
And: suppose *you* were an attacker with a multi-billion dollar budget, thousands of people, and years to work: don't you think you could pull this off, too?
I could, certainly, and as I've pointed out, I wouldn't even consider routers outside of disruptive attacks. If you want to steal information you want to be as close to the end user target as you can be so your signal to noise ratio is better. If I wanted to do this and had the resources of the Chinese government then I'd be much more focused on Lenovo than Huawei. The parts that are most interesting in Huawei aren't the core pieces but rather the consumer and office gear.
---rsk
[1] Perhaps disused packet header fields. Or perhaps, more cleverly, buried in the packet itself. Or otherwise concealed in other ways that make it very hard to pick out unless you know, a priori, what you're looking for.
There are a couple of places you could stick something, but it would stick out like a sore thumb in Wireshark.
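Rich's "disused packet header fields" channel and Scott's reply that it would stick out like a sore thumb in Wireshark, worked through as an added example that is not code from the thread. It assumes the implant marks forwarded packets by setting the reserved flag bit of the IPv4 header (RFC 791 says it must be zero), a listener somewhere downstream reads one bit per packet, and the defender runs a header-hygiene check over a capture. Headers are constructed with the checksum left zero to keep the example short; a real implant has to recompute it after touching the flags word or the next hop drops the packet. The secret, the addresses and the packet count are made up.

```python
"""One bit per packet in an IPv4 must-be-zero field: implant, listener, and
the defender's check (added example)."""
import socket
import struct

RESERVED_BIT = 0x8000   # top bit of the flags/fragment-offset word; RFC 791: must be zero
DONT_FRAGMENT = 0x4000


def ip_header(src, dst, ident, ttl=64, proto=6, total_len=40):
    """Constructed 20-byte IPv4 header; checksum left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, DONT_FRAGMENT,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def secret_to_bits(secret: bytes):
    """MSB-first bit list of the secret."""
    return [(byte >> (7 - i)) & 1 for byte in secret for i in range(8)]


def embed_bit(header: bytes, bit: int) -> bytes:
    """Set or clear the reserved flag bit of one header."""
    word = struct.unpack("!H", header[6:8])[0]
    word = (word | RESERVED_BIT) if bit else (word & (0xFFFF ^ RESERVED_BIT))
    return header[:6] + struct.pack("!H", word) + header[8:]


def leak(headers, secret: bytes):
    """Implant side: carry the secret one bit per forwarded packet, cycling so
    the device keeps broadcasting it in all traffic."""
    bits = secret_to_bits(secret)
    return [embed_bit(h, bits[i % len(bits)]) for i, h in enumerate(headers)]


def recover(headers, nbytes: int) -> bytes:
    """Listener side, anywhere downstream: read the reserved bit off each packet
    in order and reassemble nbytes of secret."""
    bits = [(struct.unpack("!H", h[6:8])[0] & RESERVED_BIT) != 0
            for h in headers[:nbytes * 8]]
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        out.append(sum(int(b) << (7 - j) for j, b in enumerate(bits[i:i + 8])))
    return bytes(out)


def header_hygiene(headers):
    """Defender side: (flagged, total) for packets with the must-be-zero bit
    set. No legitimate stack sets it, so a single hit is a finding; Wireshark
    exposes the same field as ip.flags.rb (display filter: ip.flags.rb == 1)."""
    flagged = sum(1 for h in headers if struct.unpack("!H", h[6:8])[0] & RESERVED_BIT)
    return flagged, len(headers)


def sample_transit(n=200):
    """Constructed stream of n innocuous transit headers (RFC 5737 addresses)."""
    return [ip_header("198.51.100.%d" % (10 + i % 20), "203.0.113.5", ident=1000 + i)
            for i in range(n)]


if __name__ == "__main__":
    stream = sample_transit()
    marked = leak(stream, b"s3cret!")
    print("recovered:", recover(marked, 7))
    print("hygiene before/after:", header_hygiene(stream), header_hygiene(marked))
```

At one bit per packet a 16-character password is 128 packets, so the "a week per password" rate Rich describes is one marked packet roughly every 79 minutes, and the listener needs nothing beyond passive visibility of the path. The property that makes the channel cheap is what makes it detectable: a must-be-zero bit that is ever set is a finding on its own, which is Scott's point. Hiding in a field that legitimately varies (the IP ID, a TCP sequence number, timestamp low bits) would defeat this check and require a statistical baseline of the sending host's normal behaviour instead.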
I would imagine the people running an ultra ninja spy network would have people working for them in their enemies national hardware supply chain, you can put your code in their gear. I don't know why everyone thinks their email or router password being comprised is the end result. A worm was placed into a SCADA (Seimens) controller that manipulated the rotation of centrifuges. If I can do THAT.. Why would I care about some lame box at your office? I would love to know how much effort the NSA puts into playing with other national covert surveillance programs. The Chinese have been saying for years they aren't rooting dot com and dot gov, but I would bet money the NSA has been watching them do it for as long as it has been around (which REALLY passes off the Chinese) . When you have endless money and time, there are no bounds. We (Americans) think in terms of Presidential cycles and Holidays. They (Chinese) tend to have a little different view on things, time is progress. I encourage all of you to watch Vice on HBO tonight. If you enjoy it, there is an episode a week or two back showing these massive (3-5k units) housing developments that are sitting completely empty. As it turns out, the Chinese are building because that is how they measure their economic growth. If they are building, they are growing. Never mind they have no one to sleep there, let alone ever intend to make their money back. I suppose I should wrap up my rant with: Government (world wide) spends a tremendous amount of time and money on keeping things secure. They used to house sensitive information in vaults with guys standing 24x7 with Uzis, but as the information age has approached they have lost touch with reality. All of these security screenings, background checks, spying, and a 29 year old anime fan with a smokin' girlfriend smuggled thumb drives out and flew to China. 
He mentioned he had access to the location of every CIA station and operative in the world - which means he had access to their AD controller. This shit isn't mystical, it's new.
Sent from my Mobile Device.
-------- Original message --------
From: Scott Helms <khelms@zcorum.com>
Date: 06/14/2013 10:23 AM (GMT-08:00)
To: Rich Kulawiec <rsk@gsp.org>
Cc: NANOG <nanog@nanog.org>
Subject: Re: huawei
On Fri, Jun 14, 2013 at 8:47 AM, Rich Kulawiec <rsk@gsp.org> wrote:
On Thu, Jun 13, 2013 at 09:11:35PM -0400, Scott Helms wrote:
I challenge your imagination to come up with a common scenario where a non-targeted "I'm/they're here" is useful to either the company or the Chinese government, keeping in mind that you have no foreknowledge of where these devices might be deployed.
How about "code that watches for password changes on the device, captures them, quietly and slowly leaks them a bit at a time"? And I do mean "slowly": passwords don't change all that often, so if it takes a week to transmit one, that's not a concern.
This is feasible, but frankly unlikely because AFAIK no one disputes that backdoors (intentional or not) are in most if not all gear. Having said that, it would still be pretty obvious en masse and over time to have packets going to a predesignated host. It's not really possible for a box to know whether it's in a "real" network or a lab with Spirent or other traffic generator hooked to it.
Passwords also get reused, so knowledge of the pair (Device1, Password1) is often useful when considering (Device2, Device3, ... DeviceN).
You're right: nobody would know a priori where the devices are going. But why would [some of the] attackers care?
It really depends on what someone wants to accomplish. There are lots of things that are possible, but not feasible simply because there are cheaper/faster/better ways of accomplishing the same thing. Shutting down a network is pretty easy so if you have a kill switch and a backdoor (both likely and easy) then why do you care about the passwords of the devices near by? You can knock out a core router in other ways.
And it's not strictly necessary to have the devices transmit the info to a pre-designated listener: it could be inserted in ALL traffic [1] so that the device is always (slowly) broadcasting its own password. Yes, this is very inefficient; yes, that might mean that transmission of the password back to the attackers isn't guaranteed; yes that might mean that it takes a much longer time to harvest passwords.
How? There is truly not that much room in the IP packet to play games and if you're modifying all your traffic this would again be pretty easy to spot. Again, the easiest/cheapest method is that there is a backdoor there already.
But if the attackers' goal is to harvest as many passwords as possible, then efficiency and speed aren't important. (After all, many of the devices might sit in boxes for a long time. Or be installed on networks that are air-gapped. Or otherwise might never report anything useful.) What's much more important is undetectability, and given that almost all the detection mechanisms in play look for something like "lots of traffic to/from an unexpected location" the best way to avoid that is to be very slow, very quiet and very undirected.
Yeah, yeah, yeah, I know: far-fetched. But yesterday's "far-fetched" keeps turning out to be today's reality with monotonous regularity.
Not really, things that are far fetched can become reality but only in cases where something underlying changes.
And: suppose *you* were an attacker with a multi-billion dollar budget, thousands of people, and years to work: don't you think you could pull this off, too?
I could certainly and as I've pointed out, I wouldn't even consider routers outside of disruptive attacks. If you want to steal information you want to be as close to the end user target as you can be so your signal to noise ratio is better. If I wanted to do this and had the resources of the Chinese government then I'd be much more focused on Lenovo than Huawei. The parts that are most interesting in Huawei aren't the core pieces but rather the consumer and office gear.
---rsk
[1] Perhaps disused packet header fields. Or perhaps, more cleverly, buried in the packet itself. Or otherwise concealed in other ways that make it very hard to pick out unless you know, a priori, what you're looking for.
There are a couple of places you could stick something, but it would stick out like a sore thumb in Wireshark.
On Fri, 14 Jun 2013 13:21:09 -0400, Scott Helms said:
How? There is truly not that much room in the IP packet to play games and if you're modifying all your traffic this would again be pretty easy to spot. Again, the easiest/cheapest method is that there is a backdoor there already.
Do you actually examine your traffic and drop packets that have non-zeros in reserved fields? (Remember what that did to the deployment of ECN?) And there's plenty of room if you stick a TCP or IP option header in there. Do you actually check for those too? How fast can you send data to a cooperating router down the way if you splat the low 3 bits of TCP timestamps on a connection routed towards the cooperating router? (Sure, you just busted somebody's RTT calculation, but it will just decide it's a high-jitter path and deal with it).
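The three places the message above names (reserved header bits, unexpected IP/TCP options, rewritten low bits of TCP timestamps) are all things a defender can baseline and check for. The following Python is an added example, not code from the thread or any vendor: it parses constructed IPv4/TCP packets, flags nonzero reserved bits and options outside a small allowlist, and flags TSval regressions within one flow. The option allowlist, the constructed 10.0.0.1/10.0.0.2 packets and the decision to leave ECN bits alone are the example's own assumptions.

```python
import struct
from typing import List, Optional

# TCP option kinds a normal stack emits: EOL, NOP, MSS, WS, SACK-permitted, SACK, Timestamps.
# Anything else is not necessarily hostile, but it is worth a look against a baseline capture.
KNOWN_TCP_OPTS = {0, 1, 2, 3, 4, 5, 8}


def build_ipv4_tcp(tsval: Optional[int] = None, tcp_opts: bytes = b"", ip_opts: bytes = b"",
                   tcp_reserved: int = 0, ip_reserved_bit: int = 0, payload: bytes = b"") -> bytes:
    """Constructed IPv4/TCP test packet (10.0.0.1:40000 -> 10.0.0.2:80, checksums left zero)."""
    if tsval is not None:
        tcp_opts += struct.pack("!BBII", 8, 10, tsval, 0)      # Timestamps option: TSval, TSecr
    tcp_opts += b"\x01" * (-len(tcp_opts) % 4)                 # NOP padding to a 32-bit boundary
    ip_opts += b"\x00" * (-len(ip_opts) % 4)                   # EOL padding
    doff = 5 + len(tcp_opts) // 4
    # 16-bit word: data offset (4) | reserved (3) | NS | CWR ECE URG ACK PSH RST SYN FIN; 0x18 = PSH|ACK
    off_res_flags = (doff << 12) | ((tcp_reserved & 0x7) << 9) | 0x18
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, off_res_flags, 65535, 0, 0) + tcp_opts + payload
    ihl = 5 + len(ip_opts) // 4
    flags_frag = (ip_reserved_bit & 1) << 15                   # top bit of the flags field is reserved
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(ip_opts) + len(tcp), 1,
                     flags_frag, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_opts
    return ip + tcp


def parse(pkt: bytes) -> dict:
    """Pull out just the fields the checks below need."""
    ver_ihl, tos, _tl, _id, flags_frag, _ttl, _proto, _cs, _src, _dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0xF) * 4
    tcp = pkt[ihl:]
    _sp, _dp, _seq, _ack, off_res_flags, _win, _cs2, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    doff = (off_res_flags >> 12) * 4
    info = {"ip_reserved": (flags_frag >> 15) & 1, "ecn": tos & 0x3, "ip_opts": pkt[20:ihl],
            "tcp_reserved": (off_res_flags >> 9) & 0x7, "tcp_opts": [], "tsval": None}
    opts, i = tcp[20:doff], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # EOL
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                          # malformed or truncated option: stop parsing
        length = opts[i + 1]
        info["tcp_opts"].append(kind)
        if kind == 8 and length == 10:
            info["tsval"] = struct.unpack("!I", opts[i + 2:i + 6])[0]
        i += length
    return info


def packet_findings(pkt: bytes) -> List[str]:
    """Per-packet checks: reserved bits that should be zero, and options a normal stack would not emit.
    ECN (tos & 3) is deliberately NOT flagged: treating nonzero ECN bits as anomalies is exactly the
    mistake that held back ECN deployment."""
    p = parse(pkt)
    findings = []
    if p["ip_reserved"]:
        findings.append("ip-reserved-bit-set")
    if p["tcp_reserved"]:
        findings.append("tcp-reserved-bits=%d" % p["tcp_reserved"])
    if p["ip_opts"].strip(b"\x00"):
        findings.append("ip-options-present")
    for kind in p["tcp_opts"]:
        if kind not in KNOWN_TCP_OPTS:
            findings.append("unknown-tcp-option-kind-%d" % kind)
    return findings


def flow_timestamp_findings(flow: List[bytes]) -> List[str]:
    """Per-flow check for rewritten TCP timestamps. A sender's TS clock only moves forward, so a TSval
    that goes backwards between consecutive packets of one flow (wrap-around excluded) means the field
    was altered in flight or the capture is reordered; either way it deserves a second look."""
    vals = [parse(p)["tsval"] for p in flow]
    vals = [v for v in vals if v is not None]
    regressions = sum(1 for a, b in zip(vals, vals[1:]) if b < a and a - b < 2 ** 31)
    return ["tsval-regressions=%d" % regressions] if regressions else []


if __name__ == "__main__":
    clean = [build_ipv4_tcp(tsval=t) for t in (1000, 1001, 1002)]
    odd = [build_ipv4_tcp(tsval=t) for t in (1000, 1005, 1002)]        # low bits no longer monotonic
    print("clean flow:", [packet_findings(p) for p in clean], flow_timestamp_findings(clean))
    print("odd flow:  ", flow_timestamp_findings(odd))
    print("reserved:  ", packet_findings(build_ipv4_tcp(tcp_reserved=5, ip_reserved_bit=1)))
    print("options:   ", packet_findings(build_ipv4_tcp(tcp_opts=bytes([253, 4, 0, 0]),
                                                        ip_opts=bytes([148, 4, 0, 0]))))
```

Run against a real capture these checks produce false positives (reordering, middleboxes that legitimately add options), so they are baseline-and-compare material, not drop rules.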
On 06/14/2013 10:51 AM, Valdis.Kletnieks@vt.edu wrote:
On Fri, 14 Jun 2013 13:21:09 -0400, Scott Helms said:
How? There is truly not that much room in the IP packet to play games and if you're modifying all your traffic this would again be pretty easy to spot. Again, the easiest/cheapest method is that there is a backdoor there already. Do you actually examine your traffic and drop packets that have non-zeros in reserved fields? (Remember what that did to the deployment of ECN?)
And there's plenty of room if you stick a TCP or IP option header in there. Do you actually check for those too?
How fast can you send data to a cooperating router down the way if you splat the low 3 bits of TCP timestamps on a connection routed towards the cooperating router? (Sure, you just busted somebody's RTT calculation, but it will just decide it's a high-jitter path and deal with it).
Right. The asymmetry here is staggering. That's why they are hugely advantaged, aside from the staggering asymmetry in funding. The only thing that we have on our side is that with enough eyeballs low probabilities become better, but the military has known that problem for centuries, I'm sure. Mike
On Fri, Jun 14, 2013 at 1:51 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Fri, 14 Jun 2013 13:21:09 -0400, Scott Helms said:
How? There is truly not that much room in the IP packet to play games and if you're modifying all your traffic this would again be pretty easy to spot. Again, the easiest/cheapest method is that there is a backdoor there already.
Do you actually examine your traffic and drop packets that have non-zeros in reserved fields? (Remember what that did to the deployment of ECN?)
And there's plenty of room if you stick a TCP or IP option header in there. Do you actually check for those too?
When I think something odd is happening or I'm benchmarking new gear from a new vendor, yes I do, but the main point is that there is so little benefit for them to do this, why would they bother?
How fast can you send data to a cooperating router down the way if you splat the low 3 bits of TCP timestamps on a connection routed towards the cooperating router? (Sure, you just busted somebody's RTT calculation, but it will just decide it's a high-jitter path and deal with it).
In $random_deployment they have no idea what the topology is and odd behavior is *always* noticed over time. The amount of time it would take to transmit useful information would nearly guarantee someone noticing, and the more successful the exploit was the more chance for discovery there would be.
On 06/14/2013 11:35 AM, Scott Helms wrote:
In $random_deployment they have no idea what the topology is and odd behavior is *always* noticed over time. The amount of time it would take to transmit useful information would nearly guarantee someone noticing, and the more successful the exploit was the more chance for discovery there would be.
As a software developer for many, many years, I can guarantee you that is categorically wrong. I'd venture to say you probably don't even notice half. And that's for things that are just bugs or misfeatures. Something that was purposeful and done by people who know what they're doing... your odds in Vegas are better IMO. Mike, who's seen way too many "how in the hell did that ever work?"
On 6/14/13 2:57 PM, Michael Thomas wrote:
On 06/14/2013 11:35 AM, Scott Helms wrote:
In $random_deployment they have no idea what the topology is and odd behavior is *always* noticed over time. The amount of time it would take to transmit useful information would nearly guarantee someone noticing, and the more successful the exploit was the more chance for discovery there would be.
As a software developer for many, many years, I can guarantee you that is categorically wrong. I'd venture to say you probably don't even notice half. And that's for things that are just bugs or misfeatures. Something that was purposeful and done by people who know what they're doing... your odds in Vegas are better IMO.
Mike, who's seen way too many "how in the hell did that ever work?"
Ah, how well I remember the '91 Interop. One new dialup network access server worked great everywhere -- except going through 3Com routers. Something wrong with 3Com routers? Ha! No, after a lot of network packet debugging, it turned out the NAS was setting IP version to 0. (A tiny bug in a compile.) Only 3Com was checking the IP version! That is, by definition, only 3Com routers actually worked properly!!! And we had a lot more router vendors in those days....
On Fri, 14 Jun 2013 14:35:08 -0400, Scott Helms said:
In $random_deployment they have no idea what the topology is and odd behavior is *always* noticed over time.
Severe selection bias in that statement. Odd *noticed* behavior is always noticed. There's literally *no* way to know how many times somebody's looked at a packet trace trying to diagnose something else and failed to notice something subtly odd. (Donald Rumsfeld correctly identified these as "unknown unknowns").
Ps.. Has anyone seen evidence echelon is actually PRISM?
Sent from my Mobile Device.
-------- Original message --------
From: Scott Helms <khelms@zcorum.com>
Date: 06/14/2013 10:23 AM (GMT-08:00)
To: Rich Kulawiec <rsk@gsp.org>
Cc: NANOG <nanog@nanog.org>
Subject: Re: huawei
On Fri, Jun 14, 2013 at 8:47 AM, Rich Kulawiec <rsk@gsp.org> wrote:
On Thu, Jun 13, 2013 at 09:11:35PM -0400, Scott Helms wrote:
I challenge your imagination to come up with a common scenario where a non-targeted "I'm/they're here" is useful to either the company or the Chinese government, keeping in mind that you have no foreknowledge of where these devices might be deployed.
How about "code that watches for password changes on the device, captures them, quietly and slowly leaks them a bit at a time"? And I do mean "slowly": passwords don't change all that often, so if it takes a week to transmit one, that's not a concern.
This is feasible, but frankly unlikely because AFAIK no one disputes that backdoors (intentional or not) are in most if not all gear. Having said that, it would still be pretty obvious en masse and over time to have packets going to a predesignated host. It's not really possible for a box to know whether it's in a "real" network or a lab with Spirent or other traffic generator hooked to it.
Passwords also get reused, so knowledge of the pair (Device1, Password1) is often useful when considering (Device2, Device3, ... DeviceN).
You're right: nobody would know a priori where the devices are going. But why would [some of the] attackers care?
It really depends on what someone wants to accomplish. There are lots of things that are possible, but not feasible simply because there are cheaper/faster/better ways of accomplishing the same thing. Shutting down a network is pretty easy so if you have a kill switch and a backdoor (both likely and easy) then why do you care about the passwords of the devices near by? You can knock out a core router in other ways.
And it's not strictly necessary to have the devices transmit the info to a pre-designated listener: it could be inserted in ALL traffic [1] so that the device is always (slowly) broadcasting its own password. Yes, this is very inefficient; yes, that might mean that transmission of the password back to the attackers isn't guaranteed; yes that might mean that it takes a much longer time to harvest passwords.
How? There is truly not that much room in the IP packet to play games and if you're modifying all your traffic this would again be pretty easy to spot. Again, the easiest/cheapest method is that there is a backdoor there already.
But if the attackers' goal is to harvest as many passwords as possible, then efficiency and speed aren't important. (After all, many of the devices might sit in boxes for a long time. Or be installed on networks that are air-gapped. Or otherwise might never report anything useful.) What's much more important is undetectability, and given that almost all the detection mechanisms in play look for something like "lots of traffic to/from an unexpected location" the best way to avoid that is to be very slow, very quiet and very undirected.
Yeah, yeah, yeah, I know: far-fetched. But yesterday's "far-fetched" keeps turning out to be today's reality with monotonous regularity.
Not really, things that are far fetched can become reality but only in cases where something underlying changes.
And: suppose *you* were an attacker with a multi-billion dollar budget, thousands of people, and years to work: don't you think you could pull this off, too?
I could certainly and as I've pointed out, I wouldn't even consider routers outside of disruptive attacks. If you want to steal information you want to be as close to the end user target as you can be so your signal to noise ratio is better. If I wanted to do this and had the resources of the Chinese government then I'd be much more focused on Lenovo than Huawei. The parts that are most interesting in Huawei aren't the core pieces but rather the consumer and office gear.
---rsk
[1] Perhaps disused packet header fields. Or perhaps, more cleverly, buried in the packet itself. Or otherwise concealed in other ways that make it very hard to pick out unless you know, a priori, what you're looking for.
There are a couple of places you could stick something, but it would stick out like a sore thumb in Wireshark.
On 6/14/13, Scott Helms <khelms@zcorum.com> wrote:
backdoors (intentional or not) are in most if not all gear. Having said that, it would still be pretty obvious en masse and over time to have packets going to a predesignated host. It's not really possible for a box to know whether it's in a "real" network or a lab with Spirent or other traffic generator hooked to it.
It wouldn't have to send packets to a predefined host. Conceivably, it could leak bits of information by modulating the timing of packets forwarded by it; the spacing in times of packets from simple legitimate HTTP, DNS, or ICMP responses, from behind the router, for protocols involving multiple RTTs, could be used to encode bits of information to be transmitted covertly. Furthermore, the signalling to start communicating over the "timing based" hidden channel could be established in various ways that would thoroughly disguise the malicious nature of the attacker's signalling. -- -JH
Really? In a completely controlled network then yes, but not in a production system. There is far too much random noise and actual latency for that to be feasible. On Jun 14, 2013 7:35 PM, "Jimmy Hess" <mysidia@gmail.com> wrote:
On 6/14/13, Scott Helms <khelms@zcorum.com> wrote:
backdoors (intentional or not) are in most if not all gear. Having said that, it would still be pretty obvious en masse and over time to have packets going to a predesignated host. It's not really possible for a box to know whether it's in a "real" network or a lab with Spirent or other traffic generator hooked to it.
It wouldn't have to send packets to a predefined host.
Conceivably, it could leak bits of information by modulating the timing of packets forwarded by it; the spacing in times of packets from simple legitimate HTTP, DNS, or ICMP responses, from behind the router, for protocols involving multiple RTTs, could be used to encode bits of information to be transmitted covertly.
Furthermore, the signalling to start communicating over the "timing based" hidden channel could be established in various ways that would thoroughly disguise the malicious nature of the attacker's signalling.
-- -JH
On 6/14/13, Scott Helms <khelms@zcorum.com> wrote:
Really? In a completely controlled network then yes, but not in a production system. There is far too much random noise and actual latency for that to be feasible.
I think you might be applying an oversimplified assumption to the situation. Noise limits the capacity of a channel, and increases the number of gyrations required to encode a bit, so that it can be received without error. The degree of 'random noise', 'actual latency variation', and 'natural packet ordering' can be estimated, to identify the noise. Even with noise, you can figure out that the average value which the errors were centered around increased by 5ms or 10ms, when a sequence of packets with certain sizes, certain checksum values, and certain ephemeral ports were processed in a certain sequence, after a sufficient number of repetitions. -- -JH
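The disagreement in the two messages above (noise makes a timing channel unusable versus noise only makes it slow) comes down to how many repetitions it takes for a 5 or 10 ms mean shift to stand out from path jitter. The Python below is an added calculation, not code from the thread: it derives the averaging count from the jitter-to-shift ratio, turns that into a rate and a time-to-leak for a 120-bit (15-character) password, and checks the estimate with a Monte Carlo run. The 40 ms baseline, 30 ms jitter, the z=3 margin and the usable packets-per-second figures are constructed assumptions.

```python
import math
import random


def repetitions_per_bit(shift_ms: float, jitter_ms: float, z: float = 3.0) -> int:
    """Samples the receiver must average per bit before a mean shift of shift_ms stands out
    against Gaussian jitter with standard deviation jitter_ms. The decision threshold sits at
    half the shift, so each side needs z * jitter_ms / sqrt(N) <= shift_ms / 2."""
    return math.ceil((2.0 * z * jitter_ms / shift_ms) ** 2)


def bits_per_second(shift_ms: float, jitter_ms: float, usable_pps: float, z: float = 3.0) -> float:
    """Channel rate when only usable_pps forwarded packets per second can carry a delay at all."""
    return usable_pps / repetitions_per_bit(shift_ms, jitter_ms, z)


def seconds_to_leak(n_bits: int, shift_ms: float, jitter_ms: float,
                    usable_pps: float, z: float = 3.0) -> float:
    """Wall-clock time to move n_bits over that channel (no error correction overhead counted)."""
    return n_bits / bits_per_second(shift_ms, jitter_ms, usable_pps, z)


def empirical_bit_error_rate(shift_ms: float, jitter_ms: float, n: int,
                             trials: int = 400, seed: int = 1) -> float:
    """Monte Carlo check of the estimate above: constructed Gaussian jitter around a 40 ms
    baseline, n samples averaged per bit, threshold at half the shift. Returns the fraction
    of bits decided wrongly; with n == 1 it is close to a coin toss, with n from
    repetitions_per_bit() it is near zero, which is the whole 'sufficient repetitions' point."""
    rng = random.Random(seed)
    baseline_ms = 40.0
    errors = 0
    for t in range(trials):
        bit = t & 1
        mean = baseline_ms + shift_ms * bit
        avg = sum(rng.gauss(mean, jitter_ms) for _ in range(n)) / n
        decided = 1 if avg - baseline_ms > shift_ms / 2.0 else 0
        errors += int(decided != bit)
    return errors / trials


if __name__ == "__main__":
    jitter = 30.0  # constructed: 30 ms of path jitter, far above the 5-10 ms shifts discussed
    for shift in (5.0, 10.0):
        n = repetitions_per_bit(shift, jitter)
        days = seconds_to_leak(120, shift, jitter, 1.0) / 86400.0
        print(f"shift {shift:4.1f} ms: {n:5d} packets averaged per bit; at 1 usable pkt/s a "
              f"120-bit password takes {days:.2f} days; BER with n=1: "
              f"{empirical_bit_error_rate(shift, jitter, 1):.2f}, with n={n}: "
              f"{empirical_bit_error_rate(shift, jitter, n):.3f}")
```

The numbers land where the thread does: the channel is not zero, it is days per password, and the thing a defender can actually measure is the same statistic (a persistent mean delay shift tied to specific packet sequences) that the receiver depends on.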
Is it possible? Yes, but it's not feasible because the data rate would be too low. That's what I'm trying to get across. There are lots of things that can be done but many of those are not useful. I could encode communications in fireworks displays, but that's not effective for any sort of communication system. On Jun 14, 2013 8:13 PM, "Jimmy Hess" <mysidia@gmail.com> wrote:
On 6/14/13, Scott Helms <khelms@zcorum.com> wrote:
Really? In a completely controlled network then yes, but not in a production system. There is far too much random noise and actual latency for that to be feasible.
I think you might be applying an oversimplified assumption to the situation. Noise limits the capacity of a channel, and increases the number of gyrations required to encode a bit, so that it can be received without error.
The degree of 'random noise', 'actual latency variation', and 'natural packet ordering' can be estimated, to identify the noise.
Even with noise, you can figure out, that the average value which the errors were centered around increased by 5ms or 10ms, when a sequence of packets with certain sizes, certain checksum values, and certain ephemeral ports were processed in a certain sequence, after a sufficient number of repetitions.
-- -JH
It is if you're trying to figure out something far away, smoke signals come to mind (seriously). Any amount of noise seen (aside from AWGN, obviously) in the world is not a big deal. We have pretty neat ways to clean up noise in bandwidth channels. ;) http://www.comtechefdata.com/technologies/doubletalk is one of the plays we roll out all the time. Applied Signal (father of ninja magic mentioned above) had offices in Crypto City, but were eaten by Raytheon a while back and I'm unsure if they're still around. Food for thought, but really - don't sweat the noise. On 6/14/13 5:34 PM, "Scott Helms" <khelms@zcorum.com> wrote:
Is it possible? Yes, but it's not feasible because the data rate would be too low. That's what I'm trying to get across. There are lots of things that can be done but many of those are not useful.
I could encode communications in fireworks displays, but that's not effective for any sort of communication system. On Jun 14, 2013 8:13 PM, "Jimmy Hess" <mysidia@gmail.com> wrote:
On 6/14/13, Scott Helms <khelms@zcorum.com> wrote:
Really? In a completely controlled network then yes, but not in a production system. There is far too much random noise and actual latency for that to be feasible.
I think you might be applying an oversimplified assumption to the situation. Noise limits the capacity of a channel, and increases the number of gyrations required to encode a bit, so that it can be received without error.
The degree of 'random noise', 'actual latency variation', and 'natural packet ordering' can be estimated, to identify the noise.
Even with noise, you can figure out, that the average value which the errors were centered around increased by 5ms or 10ms, when a sequence of packets with certain sizes, certain checksum values, and certain ephemeral ports were processed in a certain sequence, after a sufficient number of repetitions.
-- -JH
On 06/14/2013 05:34 PM, Scott Helms wrote:
Is it possible? Yes, but it's not feasible because the data rate would be too low. That's what I'm trying to get across. There are lots of things that can be done but many of those are not useful.
I could encode communications in fireworks displays, but that's not effective for any sort of communication system.
You're really hung up on bit rate, and you really shouldn't. Back in the days before gigabit pipes, tapping out morse was considered a data rate beyond belief. Ships used flags and signaling lights well into the second world war at least. The higher the value of the information, the lower the bit rate you need to transmit it (I think this might formally be information entropy, but I'm not certain). You might think that there is nothing of particularly high value to be had within the confines of what a (compromised) router can produce, but I'd say prepare to be surprised. I'm not much of a military guy, but some of the stuff they dream up makes you go "how on earth did you think that up?". And that's just the unclassified widely known stuff. Part of the issue when you say "it could be done cheaper somewhere else" presupposes we know the economics of what they're trying to do. We don't, so we should assume that routers just like everything else are a target, and that you almost certainly won't notice it if they are. Mike
I was a "military guy" back in the day, 31m and 31q to be precise. On Jun 14, 2013 9:09 PM, "Michael Thomas" <mike@mtcc.com> wrote:
On 06/14/2013 05:34 PM, Scott Helms wrote:
Is it possible? Yes, but it's not feasible because the data rate would be too low. That's what I'm trying to get across. There are lots of things that can be done but many of those are not useful.
I could encode communications in fireworks displays, but that's not effective for any sort of communication system.
You're really hung up on bit rate, and you really shouldn't. Back in the days before gigabit pipes, tapping out morse was considered a data rate beyond belief. Ships used flags and signaling lights well into the second world war at least. The higher the value of the information, the lower the bit rate you need to transmit it (I think this might formally be information entropy, but I'm not certain).
You might think that there is nothing of particularly high value to be had within the confines of what a (compromised) router can produce, but I'd say prepare to be surprised. I'm not much of a military guy, but some of the stuff they dream up makes you go "how on earth did you think that up?". And that's just the unclassified widely known stuff. Part of the issue when you say "it could be done cheaper somewhere else" presupposes we know the economics of what they're trying to do. We don't, so we should assume that routers just like everything else are a target, and that you almost certainly won't notice it if they are.
Mike
On 6/14/13, Scott Helms <khelms@zcorum.com> wrote:
Is it possible? Yes, but it's not feasible because the data rate would be too low. That's what I'm trying to get across. There are lots of things that can be done but many of those are not useful. [snip]
I agree that the data rate will be low. I don't agree that it's not feasible. There will indeed be _plenty_ of ways that a low bit rate channel can do everything the right adversary needs. A few bits per second is plenty of data rate for sending control commands/rule changes to a router backdoor mechanism, stealing passwords, or leaking cryptographic keys required to decrypt the VPN data stream intercepted from elsewhere on the network, leaking counters, snmp communities, or interface descriptions, or criteria-selected forwarded data samples, etc.... -- -JH
I can't agree Jimmy, I don't see a few bps being anywhere close to being useful in any of the scenarios you describe, especially because there are easier ways of doing those things. To do any of that the first thing you have to do is establish the C&C channel, so now you have a very low bit rate bi-directional communication, so by the time the C&C asks the router to start stealing a key the IP of one of the IPSEC tunnels has changed. If the router intercepts traffic for a given IP or block, what is it going to do with it? It has very little non-volatile storage and we have such a low bit rate of communication that it can't just send a copy. A core router seldom has so many spare CPU cycles & free RAM that it can afford to read through the data and glean the interesting bits.
Scott Helms
Vice President of Technology
ZCorum
(678) 507-5000
--------------------------------
http://twitter.com/kscotthelms
--------------------------------
On Sat, Jun 15, 2013 at 2:56 AM, Jimmy Hess <mysidia@gmail.com> wrote:
On 6/14/13, Scott Helms <khelms@zcorum.com> wrote:
Is it possible? Yes, but it's not feasible because the data rate would be too low. That's what I'm trying to get across. There are lots of things that can be done but many of those are not useful. [snip]
I agree that the data rate will be low. I don't agree that it's not feasible.
There will indeed be _plenty_ of ways that a low bit rate channel can do everything the right adversary needs.
A few bits per second is plenty of data rate for sending control commands/rule changes to a router backdoor mechanism, stealing passwords, or leaking cryptographic keys required to decrypt the VPN data stream intercepted from elsewhere on the network, leaking counters, snmp communities, or interface descriptions, or criteria-selected forwarded data samples, etc....
-- -JH
First: this is a fascinating discussion. Thank you. Second: On Sat, Jun 15, 2013 at 01:56:34AM -0500, Jimmy Hess wrote:
There will indeed be _plenty_ of ways that a low bit rate channel can do everything the right adversary needs.
A few bits per second is plenty of data rate for sending control commands/rule changes to a router backdoor mechanism, stealing passwords, or leaking cryptographic keys required to decrypt the VPN data stream intercepted from elsewhere on the network, leaking counters, snmp communities, or interface descriptions, or criteria-selected forwarded data samples, etc....
I was actually thinking much slower: a few bits per *day*. Maybe slower yet. (So what if it takes a month to transmit a single 15-character password?) For people who think in terms of instant gratification, or perhaps, in next-quarter terms, or perhaps, in next-year terms, that might be unacceptable. But for people who think in terms of next-decade or beyond, it might suffice. And if the goal is not "get the password for router 12345" but "get as many as possible", then a scattered, random, slow approach might yield the best results -- *because* it's scattered, random, and slow. ---rsk
On 06/15/2013 05:13 AM, Rich Kulawiec wrote:
First: this is a fascinating discussion. Thank you.
Second:
On Sat, Jun 15, 2013 at 01:56:34AM -0500, Jimmy Hess wrote:
There will indeed be _plenty_ of ways that a low bit rate channel can do everything the right adversary needs.
A few bits per second is plenty of data rate for sending control commands/rule changes to a router backdoor mechanism, stealing passwords, or leaking cryptographic keys required to decrypt the VPN data stream intercepted from elsewhere on the network, leaking counters, snmp communities, or interface descriptions, or criteria-selected forwarded data samples, etc....
I was actually thinking much slower: a few bits per *day*. Maybe slower yet.
(So what if it takes a month to transmit a single 15-character password?)
For people who think in terms of instant gratification, or perhaps, in next-quarter terms, or perhaps, in next-year terms, that might be unacceptable. But for people who think in terms of next-decade or beyond, it might suffice.
And if the goal is not "get the password for router 12345" but "get as many as possible", then a scattered, random, slow approach might yield the best results -- *because* it's scattered, random, and slow.
And all of us here by virtue of talking about it do not have a day job which involves thinking all of this stuff up. A lot of the stuff the DoD is willing to talk about is seriously brilliant, and that's just the public stuff. Information really, really wants to be free. Getting access to poorly defended routers is probably the easy part for them. Masking the payloads is something that they get paid the big bux for in general, so it is seriously naive to think they don't have dozens of tricks they employ on a daily basis. The only thing we really have to counter their ingenuity, IMO, are laws and other layer 8 impediments. Mike, still wonders if this phenomenon is just a restatement of entropy
i wonder if and how many governments are worried about when the nsa tells cisco to send the kill switch signal to their routers. randy
On 6/15/13 5:35 PM, Randy Bush wrote:
i wonder if and how many governments are worried about when the nsa tells cisco to send the kill switch signal to their routers.
Having worked for an Israel-based security vendor I'd opine:
A. That many sovereign states are concerned about sourcing for reasons that seem to involve other state actors.
B. That I am much happier not being in a position where I get paid to care about this.
randy
On Sat, Jun 15, 2013 at 8:35 AM, Randy Bush <randy@psg.com> wrote:
i wonder if and how many governments are worried about when the nsa tells cisco to send the kill switch signal to their routers.
randy
What kill switch?
http://www.cisco.com/en/US/products/csa/cisco-sa-20090325-udp.html
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-s...
On Fri, Jun 14, 2013 at 08:34:49PM -0400, Scott Helms wrote:
Is it possible? Yes, but it's not feasible because the data rate would be too low. That's what I'm trying to get across. There are lots of things that can be done but many of those are not useful.
I could encode communications in fireworks displays, but that's not effective for any sort of communication system.
Depends on the value of secrets leaked. Secret keys don't have a lot of bits, and change rarely, if ever. Shell code is typically compact, too. Something which requires several side effects acting constructively is completely invisible, even if you're reading the source.
----- Original Message -----
From: "Scott Helms" <khelms@zcorum.com>
Is it possible? Yes, but it's not feasible because the data rate would be too low. That's what I'm trying to get across. There are lots of things that can be done but many of those are not useful.
I could encode communications in fireworks displays, but that's not effective for any sort of communication system.
At this point, of course, we hearken back to the Multics system, which needed -- in order to get the B1(?) common criteria security rating that it had -- to prevent Covert Channel communication between processes of different security levels *by means as low-bandwidth as sending morse code by modulating the system load*. So I don't think "there's too little bandwidth" is a good enough argument, Scott. But there's a much more important issue here: In some cases, like the Verizon Wireless 4G puck I mentioned earlier, manufactured by ZTE, *you can't see the back side of the device*. There's nearly no practical way for a subscriber to know what's coming out of the 4G side of that radio, so it could be doing anything it likes. Verizon Wireless proper could know, but they have no particular reason to look and, some might argue, lots of reasons not to want to know. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
What about through SDR? i.e. http://nuand.com/

I mean, 'subscriber' seems to indicate a layman, but SDR isn't too complex to get running for someone with a modicum of electronics experience - especially in this day and age, where oscilloscopes and frequency analysis are available to anyone with some Google-fu.

On Sat, Jun 15, 2013 at 11:11 AM, Jay Ashworth <jra@baylink.com> wrote:
----- Original Message -----
From: "Scott Helms" <khelms@zcorum.com>
Is it possible? Yes, but it's not feasible because the data rate would be too low. That's what I'm trying to get across. There are lots of things that can be done but many of those are not useful.
I could encode communications in fireworks displays, but that's not effective for any sort of communication system.
At this point, of course, we hearken back to the Multics system, which needed -- in order to get the B1(?) common criteria security rating that it had -- to prevent Covert Channel communication between processes of different security levels *by means as low-bandwidth as sending morse code by modulating the system load*.
So I don't think "there's too little bandwidth" is a good enough argument, Scott.
But there's a much more important issue here:
In some cases, like the Verizon Wireless 4G puck I mentioned earlier, manufactured by ZTE, *you can't see the back side of the device*. There's nearly no practical way for a subscriber to know what's coming out of the 4G side of that radio, so it could be doing anything it likes.
Verizon Wireless proper could know, but they have no particular reason to look and, some might argue, lots of reasons not to want to know.
Cheers,
-- jra
----- Original Message -----
From: "Jazz Kenny" <trapperjohn117@gmail.com>
What about through SDR? i.e. http://nuand.com/
I mean, 'subscriber' seems to indicate a layman, but SDR isn't too complex to get running for someone with a modicum of electronics experience - especially in this day and age, where oscilloscopes and frequency analysis are available to anyone with some Google-fu.
Stipulated. Though the airlink encryption might give one pause as well.

Cheers,
-- jra
Jay,

That's a very interesting point about the 4G puck....do you mean modulating data over side-lobes? To your point, I as a subscriber would have no way of ever knowing that unless of course I hooked up my specanny and started to try to decode the sidelobes....I imagine most folks don't do that (if that's how one would even go about it)

On Sat, Jun 15, 2013 at 12:11 PM, Jay Ashworth <jra@baylink.com> wrote:
----- Original Message -----
From: "Scott Helms" <khelms@zcorum.com>
Is it possible? Yes, but it's not feasible because the data rate would be too low. That's what I'm trying to get across. There are lots of things that can be done but many of those are not useful.
I could encode communications in fireworks displays, but that's not effective for any sort of communication system.
At this point, of course, we hearken back to the Multics system, which needed -- in order to get the B1(?) common criteria security rating that it had -- to prevent Covert Channel communication between processes of different security levels *by means as low-bandwidth as sending morse code by modulating the system load*.
So I don't think "there's too little bandwidth" is a good enough argument, Scott.
But there's a much more important issue here:
In some cases, like the Verizon Wireless 4G puck I mentioned earlier, manufactured by ZTE, *you can't see the back side of the device*. There's nearly no practical way for a subscriber to know what's coming out of the 4G side of that radio, so it could be doing anything it likes.
Verizon Wireless proper could know, but they have no particular reason to look and, some might argue, lots of reasons not to want to know.
Cheers,
-- jra
--
Phil Fagan
Denver, CO
970-480-7618
----- Original Message -----
From: "Phil Fagan" <philfagan@gmail.com>
That's a very interesting point about the 4G puck....do you mean modulating data over side-lobes? To your point, I as a subscriber would have no way of ever knowing that unless of course I hooked up my specanny and started to try to decode the sidelobes....I imagine most folks don't do that (if that's how one would even go about it)
Not at all. The *standard air-data link* coming out the back of the puck, in "4G" (protip: it's not) LTE, *is not something that the user can see*, without great effort. So, that commercial end-user customer of Verizon has no way to see what extra data *the puck itself* might be phoning home with.

Cheers,
-- jra
If it was that easy why did the feds come up with that bts spoofed?

Sent from my Mobile Device.

-------- Original message --------
From: Jay Ashworth <jra@baylink.com>
Date: 06/16/2013 12:46 PM (GMT-08:00)
To: NANOG <nanog@nanog.org>
Subject: Re: huawei

----- Original Message -----
From: "Phil Fagan" <philfagan@gmail.com>
That's a very interesting point about the 4G puck....do you mean modulating data over side-lobes? To your point, I as a subscriber would have no way of ever knowing that unless of course I hooked up my specanny and started to try to decode the sidelobes....I imagine most folks don't do that (if that's how one would even go about it)
Not at all. The *standard air-data link* coming out the back of the puck, in "4G" (protip: it's not) LTE, *is not something that the user can see*, without great effort. So, that commercial end-user customer of Verizon has no way to see what extra data *the puck itself* might be phoning home with.

Cheers,
-- jra
So I'm clear, it's not just a "low bit rate" argument. It's a low bit rate, combined with little spare horsepower (CPU & RAM), little non-volatile storage, and a deluge of information to sort through in order to find something useful. If core routers weren't in the core, where they have access to lots of data, they'd never be considered as targets for data interception. To that point there are other, better places to intercept data that have both better throughput and fewer challenges (i.e. less expensive).

Scott Helms
Vice President of Technology
ZCorum
(678) 507-5000
--------------------------------
http://twitter.com/kscotthelms
--------------------------------

On Sat, Jun 15, 2013 at 2:11 PM, Jay Ashworth <jra@baylink.com> wrote:
----- Original Message -----
From: "Scott Helms" <khelms@zcorum.com>
Is it possible? Yes, but it's not feasible because the data rate would be too low. That's what I'm trying to get across. There are lots of things that can be done but many of those are not useful.
I could encode communications in fireworks displays, but that's not effective for any sort of communication system.
At this point, of course, we hearken back to the Multics system, which needed -- in order to get the B1(?) common criteria security rating that it had -- to prevent Covert Channel communication between processes of different security levels *by means as low-bandwidth as sending morse code by modulating the system load*.
So I don't think "there's too little bandwidth" is a good enough argument, Scott.
But there's a much more important issue here:
In some cases, like the Verizon Wireless 4G puck I mentioned earlier, manufactured by ZTE, *you can't see the back side of the device*. There's nearly no practical way for a subscriber to know what's coming out of the 4G side of that radio, so it could be doing anything it likes.
Verizon Wireless proper could know, but they have no particular reason to look and, some might argue, lots of reasons not to want to know.
Cheers,
-- jra
On Fri, Jun 14, 2013 at 07:51:22PM -0400, Scott Helms wrote:
Really? In a completely controlled network then yes, but not in a production system. There is far too much random noise and actual latency for that to be feasible.
The coding used for the stegano side channel can be made quite robust, see watermarking.
With the CPU and RAM available in a router that has to actually continue functioning at the same time? Exactly how much data throughput would you consider to be usable in this scenario?

Again, my point is not that it's impossible but that all these things are impractical AND there are easier/faster/cheaper ways of capturing traffic. There are also easier/faster/cheaper ways of disrupting traffic. Routers in the core are great places to execute a targeted man in the middle attack. They're great places to disrupt traffic by behaving erratically, intentionally mangling dynamic routing protocols, or by simply going dark. They're terrible places for gathering non-targeted information because the amount of data flowing through them means that the likelihood of any given packet having any value is very very low. If the goal includes stealing data then leveraging edge routing is much more realistic and leveraging PCs is several orders of magnitude better because there is much more available horsepower and it's much easier to make a PC passively listen for interesting data on its own.

Scott Helms

On Sat, Jun 15, 2013 at 4:12 AM, Eugen Leitl <eugen@leitl.org> wrote:
On Fri, Jun 14, 2013 at 07:51:22PM -0400, Scott Helms wrote:
Really? In a completely controlled network then yes, but not in a production system. There is far too much random noise and actual latency for that to be feasible.
The coding used for the stegano side channel can be made quite robust, see watermarking.
On 6/15/13, Scott Helms <khelms@zcorum.com> wrote:
They're terrible places for gathering non-targeted information because the amount of data flowing through them means that the likelihood of any given packet having any value is very very low. If the goal includes [snip]
The probability of a low-likelihood or infrequent event approaches 100%, given sufficient time, persistence, and creativity. Even if 1% or less of packets passing through are interesting; that happens to be more than enough to provide a snoop gains, and cause damage to a legitimate user. The potential existence of 'better' options; doesn't mean backdooring of routers wouldn't be included in part of a nation state or other bad actor's backdooring program. -- -JH
Jimmy,

This I agree with and in fact I said in earlier parts of this conversation that the existence of a kill switch and/or backdoor in Huawei gear wouldn't surprise me at all. Of course I'd say the same thing about pretty much all the gear manufacturers and it's really just a question of who has or can get access to that information for a given manufacturer.

Scott Helms

On Sat, Jun 15, 2013 at 7:57 AM, Jimmy Hess <mysidia@gmail.com> wrote:
On 6/15/13, Scott Helms <khelms@zcorum.com> wrote:
They're terrible places for gathering non-targeted information because the amount of data flowing through them means that the likelihood of any given packet having any value is very very low. If the goal includes [snip]
The probability of a low-likelihood or infrequent event approaches 100%, given sufficient time, persistence, and creativity. Even if 1% or less of packets passing through are interesting; that happens to be more than enough to provide a snoop gains, and cause damage to a legitimate user.
The potential existence of 'better' options; doesn't mean backdooring of routers wouldn't be included in part of a nation state or other bad actor's backdooring program.
-- -JH
So, DPI, duplication, injection into frames. If each Huawei knows of each other....I suppose you could create a Huawei backbone and slowly pick and pull pieces of what you want out of the flow. But how realistic is that really...

On Thu, Jun 13, 2013 at 10:35 AM, Patrick W. Gilmore <patrick@ianai.net> wrote:
On Jun 13, 2013, at 12:28 , "Avi Freedman" <avi@freedman.net> wrote:
I disagree.
There have already been lab demos of sfps that could inject frames and APTs are pretty advanced, sinister, and can be hard to detect now.
I'm not suggesting Huawei is or isn't enabling badness globally but I think it would be technically feasible.
I am assuming a not-Huawei-only network.
The idea that a router could send things through other routers without someone who is looking for it noticing is ludicrous.
Of course, most people aren't paying attention, a few extra frames wouldn't be noticed most likely. But if you are worried about it, you should be looking.
Also, I find it difficult to believe Huawei has the ability to do DPI or something inside their box and still route at reasonable speeds; it's a bit silly. Perhaps they only duplicate packets based on source/dest IP address or something that is magically messaged from the mother ship, but I am dubious.
It should be trivial to prove to yourself the box is, or is not, doing something evil if you actually try.
-- TTFN, patrick
------Original Message------ From: Patrick W. Gilmore To: NANOG list Subject: Re: huawei Sent: Jun 13, 2013 12:22 PM
On Jun 13, 2013, at 12:18 , Nick Khamis <symack@gmail.com> wrote:
A local clec here in Canada just teamed up with this company to provide cell service to the north:
http://cwta.ca/blog/2012/09/24/ice-wireless-iristel-and-huawei-partner-for-3...
Scary....
Why?
Do you think Huawei has a magic ability to transmit data without you noticing?
If you don't want to use Huawei because they stole code or did other nasty things, I'm right there with you. If you believe a router can somehow magically duplicate info and transport it back to China (ignoring CT/CU's inability to have congestion free links), I think you are confused.
-- TTFN, patrick
-- Phil Fagan Denver, CO 970-480-7618
On Jun 13, 2013, at 11:35 AM, Patrick W. Gilmore <patrick@ianai.net> wrote:
Also, I find it difficult to believe Huawei has the ability to do DPI or something inside their box and still route at reasonable speeds; it's a bit silly. Perhaps they only duplicate packets based on source/dest IP address or something that is magically messaged from the mother ship, but I am dubious.
This could be a latent, not used feature from _any_ vendor.

A hard coded backdoor password and username. A sequence of port-knocking that enables ssh on an alternate port with no ACL. Logins through that mechanism not in syslog, not in the currently logged in user table, perhaps the process(es) hidden from view.

Do we really trust Cisco and Juniper more than Huawei? :)

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
This is a good point; unless you're tapping your traffic and examining it for anything outside of the norm then would you ever see it? However, we are talking transport protocols, no? I would certainly hope the OOB network was monitored and controlled. Hmm.....a network of clients/servers strategically located at Huawei POPs with a sole purpose of creating sessions destined for control servers so as to create the ability to inject payload into packets that are actually destined for where you want the data to go.

On Thu, Jun 13, 2013 at 11:42 AM, Leo Bicknell <bicknell@ufp.org> wrote:
On Jun 13, 2013, at 11:35 AM, Patrick W. Gilmore <patrick@ianai.net> wrote:
Also, I find it difficult to believe Huawei has the ability to do DPI or something inside their box and still route at reasonable speeds; it's a bit silly. Perhaps they only duplicate packets based on source/dest IP address or something that is magically messaged from the mother ship, but I am dubious.
This could be a latent, not used feature from _any_ vendor.
A hard coded backdoor password and username. A sequence of port-knocking that enables ssh on an alternate port with no ACL. Logins through that mechanism not in syslog, not in the currently logged in user table, perhaps the process(es) hidden from view.
Do we really trust Cisco and Juniper more than Huawei? :)
-- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
-- Phil Fagan Denver, CO 970-480-7618
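The "looking" this part of the thread keeps coming back to can be made concrete. The following is an added example, not code from any poster: it cross-checks constructed flow records against constructed syslog lines for the three symptoms Leo lists (a management session that produced no login record, a connection to the router on a port nobody administers it on, and the router itself talking to a host it has no business talking to). The router address, its expected peers and the management ports are assumptions standing in for a real inventory.

```python
"""Cross-check a router's management-plane traffic against what it logs.

Added example, not from any poster in this thread. The flow records and
syslog lines are constructed; the router address, its expected peers and the
management port are assumptions standing in for a real inventory.
"""
import re
from datetime import datetime, timedelta

# Assumed inventory: the router's own address, the hosts it may legitimately
# talk to on its own behalf (NTP, syslog, NMS), and the ports we expect to
# see terminated on the router itself.
ROUTER_IPS = {"192.0.2.1"}
EXPECTED_PEERS = {"198.51.100.10", "198.51.100.20", "198.51.100.30"}
MGMT_PORTS = {22}                 # administrators log in here, and only here
SERVICE_PORTS = {179, 161}        # BGP and SNMP are expected and are not logins
LOGIN_WINDOW = timedelta(seconds=30)

# Constructed syslog: one successful administrator login.
SYSLOG = [
    "2013-06-13T12:00:05 rtr1 sshd: Accepted publickey for admin "
    "from 203.0.113.5 port 50111",
]

# Constructed flow records: (start, src, dst, dst port, protocol).
FLOWS = [
    ("2013-06-13T12:00:04", "203.0.113.5", "192.0.2.1", 22, "tcp"),     # logged login
    ("2013-06-13T12:07:10", "203.0.113.9", "192.0.2.1", 22, "tcp"),     # no log entry
    ("2013-06-13T12:09:00", "203.0.113.9", "192.0.2.1", 2222, "tcp"),   # odd port
    ("2013-06-13T12:09:30", "198.51.100.20", "192.0.2.1", 179, "tcp"),  # BGP, fine
    ("2013-06-13T12:10:00", "192.0.2.1", "198.51.100.10", 123, "udp"),  # NTP, fine
    ("2013-06-13T12:11:30", "192.0.2.1", "203.0.113.77", 443, "tcp"),   # phoning home
]

LOGIN_RE = re.compile(r"^(\S+) \S+ sshd: Accepted \S+ for \S+ from (\S+) port \d+")


def parse_logins(lines):
    """Return (timestamp, source address) for each successful login in syslog."""
    logins = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            logins.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return logins


def audit(flows, syslog_lines):
    """Return (reason, flow) for every flow that does not fit the inventory.

    Three checks, one per concern raised in the thread:
    1. a session on the management port that produced no login record,
    2. a connection to the router on a port nobody should reach it on,
    3. the router itself initiating traffic to a host outside the allowlist.
    """
    logins = parse_logins(syslog_lines)
    findings = []
    for flow in flows:
        start_s, src, dst, dport, _proto = flow
        start = datetime.fromisoformat(start_s)
        if dst in ROUTER_IPS:
            if dport in MGMT_PORTS:
                logged = any(lsrc == src and abs(lts - start) <= LOGIN_WINDOW
                             for lts, lsrc in logins)
                if not logged:
                    findings.append(("mgmt session without login record", flow))
            elif dport not in SERVICE_PORTS:
                findings.append(("connection to unexpected router port", flow))
        elif src in ROUTER_IPS and dst not in EXPECTED_PEERS:
            findings.append(("router-originated flow to unknown peer", flow))
    return findings


if __name__ == "__main__":
    for reason, flow in audit(FLOWS, SYSLOG):
        print(f"{reason}: {flow}")
```

Against the constructed input this flags the second, third and sixth flows and nothing else; on a real export the inventory sets would come from the OOB network's own records rather than constants.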
On 13/06/2013 18:42, Leo Bicknell wrote:
A hard coded backdoor password and username.
e.g.: http://www.phenoelit.org/dpl/dpl.html Or alternatively if you want access to any huawei device with software older than about a year ago: http://phenoelit.org/stuff/Huawei_DEFCON_XX.pdf
A sequence of port-knocking that enables ssh on an alternate port with no ACL.
e.g.
http://krebsonsecurity.com/2013/01/backdoors-found-in-barracuda-networks-gea...
There's no need to resort to malice to explain these problems when alternative explanations exist. Nick
there are lots of other attack scenarios besides the simple one you suggest, as people who try to analyze malware payloads by their outbound network activity have figured out.

an attack could be time-driven, or driven by some very hard to interpret network signalling (such as a response to something the router would have a perfectly legitimate reason to ask an attacker about). which means you need to watch for an indefinite length of time (possibly forever) to see behavior. (in the malware world, the question is: how long do you run this in your sandbox to find the command and control?)

covert channels have been known for many years, and outbound data could be encoded in a covert channel by timing (which is much more difficult to notice than content modification such as steganography as there are no specs and few expectations about timing). see http://www.crypto.com/papers/jbug-Usenix06-final.pdf for a wonderful example of a keyboard specially modified to leak passwords by modulating the timing in an ssh channel snooped between the admin and the router.

the volume of data need not be huge. a login and password, for example, can be leaked out in a covert channel without the likelihood of anyone noticing, and would provide subsequent access to the router in case of need, which is good enough for many military purposes.

finally, denial of service on a network component could be implemented by watching for a sequence of out of spec packets of death. only someone doing impossibly exhaustive fuzzing might see the result, and it would be indistinguishable from a bug.

On Jun 13, 2013, at 9:35 AM, "Patrick W. Gilmore" <patrick@ianai.net> wrote:
On Jun 13, 2013, at 12:28 , "Avi Freedman" <avi@freedman.net> wrote:
I disagree.
There have already been lab demos of sfps that could inject frames and APTs are pretty advanced, sinister, and can be hard to detect now.
I'm not suggesting Huawei is or isn't enabling badness globally but I think it would be technically feasible.
I am assuming a not-Huawei-only network.
The idea that a router could send things through other routers without someone who is looking for it noticing is ludicrous.
Of course, most people aren't paying attention, a few extra frames wouldn't be noticed most likely. But if you are worried about it, you should be looking.
Also, I find it difficult to believe Huawei has the ability to do DPI or something inside their box and still route at reasonable speeds; it's a bit silly. Perhaps they only duplicate packets based on source/dest IP address or something that is magically messaged from the mother ship, but I am dubious.
It should be trivial to prove to yourself the box is, or is not, doing something evil if you actually try.
-- TTFN, patrick
------Original Message------ From: Patrick W. Gilmore To: NANOG list Subject: Re: huawei Sent: Jun 13, 2013 12:22 PM
On Jun 13, 2013, at 12:18 , Nick Khamis <symack@gmail.com> wrote:
A local clec here in Canada just teamed up with this company to provide cell service to the north:
http://cwta.ca/blog/2012/09/24/ice-wireless-iristel-and-huawei-partner-for-3...
Scary....
Why?
Do you think Huawei has a magic ability to transmit data without you noticing?
If you don't want to use Huawei because they stole code or did other nasty things, I'm right there with you. If you believe a router can somehow magically duplicate info and transport it back to China (ignoring CT/CU's inability to have congestion free links), I think you are confused.
-- TTFN, patrick
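Mark's point that timing channels are hard to notice because "there are no specs and few expectations about timing" is also what makes them detectable: the paper he links observes that a channel which delays packets to multiples of a window w leaves inter-arrival residues (gap mod w) clustered where honest jitter spreads them out. The following is an added example, not code from the thread or from the paper's authors: it scores constructed keystroke-like traces for that clustering. The window list, bin count and threshold are assumptions a real deployment would tune.

```python
"""Score packet inter-arrival times for a timing covert channel.

Added example, not from the thread or the paper it cites. A channel that
delays packets to multiples of a window w leaves inter-arrival residues
(gap mod w) clustered in a few bins; honest jitter spreads them evenly.
Both traces below are constructed; windows, bins and threshold are assumptions.
"""
import math
import random

BINS = 8
THRESHOLD = 0.6                      # normalised entropy below this is suspicious
CANDIDATE_WINDOWS = (0.007, 0.013, 0.020, 0.033)   # seconds; none divides another


def residue_entropy(gaps, window, bins=BINS):
    """Normalised Shannon entropy (0..1) of gap-mod-window values across bins."""
    counts = [0] * bins
    for g in gaps:
        counts[int((g % window) / window * bins) % bins] += 1
    n = len(gaps)
    h = -sum(c / n * math.log2(c / n) for c in counts if c)
    return h / math.log2(bins)


def detect(timestamps, windows=CANDIDATE_WINDOWS, threshold=THRESHOLD):
    """Return (suspicious, best_window, entropy) for a list of arrival times.

    The window with the most concentrated residues is reported; a real
    monitor would run this over every observed SSH/Telnet session.
    """
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    scored = [(residue_entropy(gaps, w), w) for w in windows]
    entropy, window = min(scored)
    return entropy < threshold, window, round(entropy, 3)


def constructed_clean_trace(n=300, seed=1):
    """Keystroke-like arrivals with honest, unstructured jitter (constructed)."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n):
        t += rng.uniform(0.05, 0.5)
        out.append(t)
    return out


def constructed_modulated_trace(n=300, w=0.020, seed=2):
    """Same traffic shape, but every gap sits at k*w plus one of two offsets,
    the residue pattern such a timing channel leaves behind (constructed)."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n):
        k = rng.randint(3, 25)
        offset = rng.choice((0.3125 * w, 0.8125 * w))
        t += k * w + offset + rng.uniform(-0.05 * w, 0.05 * w)
        out.append(t)
    return out


if __name__ == "__main__":
    print("clean    :", detect(constructed_clean_trace()))
    print("modulated:", detect(constructed_modulated_trace()))
```

The clean trace scores near 1.0 for every window; the modulated one collapses to about 0.33 at w = 0.020 s because only two of the eight bins are ever hit.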
On 6/13/13, Patrick W. Gilmore <patrick@ianai.net> wrote:
It should be trivial to prove to yourself the box is, or is not, doing something evil if you actually try.
What if it's not doing anything evil 99% of the time... after all 90%+ of traffic may be of no interest to a potential adversary, but there is a backdoor mechanism that allows "targeted evilness" to be enabled? Sniffing on a targeted IP address can be disguised as "legitimate" return traffic, to a connection actually initiated from the "backdoor data interaction point" to some other web server, creating a ruse.. A low-bandwidth fabricated return flow on top of the legitimate return flow once every few months, or every few days is extremely likely to go unnoticed, on any network that has a significantly large amount of normal production traffic.
-- TTFN, patrick -- -JH
Targeted how without an active C&C system?

On Jun 13, 2013 10:01 PM, "Jimmy Hess" <mysidia@gmail.com> wrote:
On 6/13/13, Patrick W. Gilmore <patrick@ianai.net> wrote:
It should be trivial to prove to yourself the box is, or is not, doing something evil if you actually try.
What if it's not doing anything evil 99% of the time... after all 90%+ of traffic may be of no interest to a potential adversary, but there is a backdoor mechanism that allows "targeted evilness" to be enabled?
Sniffing on a targeted IP address can be disguised as "legitimate" return traffic, to a connection actually initiated from the "backdoor data interaction point" to some other web server, creating a ruse..
A low-bandwidth fabricated return flow on top of the legitimate return flow once every few months, or every few days is extremely likely to go unnoticed, on any network that has a significantly large amount of normal production traffic.
-- TTFN, patrick -- -JH
On 6/13/13, Scott Helms <khelms@zcorum.com> wrote:
Targeted how without an active C&C system?
How have you determined that there is not one?

Conceptually, the "simplest" backdoored router could have a mechanism where crafted packets that would ordinarily be forwarded on contain some "magic bit pattern" in the source address or other parameter that causes the packet to bypass ACLs and be punted directly to software.

So the simplest conceivable C&C system could be "one guy" checking if random IP addresses they have personally decided are interesting are behind a backdoored router. By sending a crafted port 53 DNS request, with some encrypted material with a digitally signed hash based on a timestamp, the source IP, and the destination IP being probed. And waiting for the magically structured "ICMP Destination unreachable/Admin prohibited" error reply packet, containing some covert bit pattern confirming the presence and system identification of a backdoored unit on the path to the 'interesting' remote host.

--
-JH
participants (22): cb.list6, Eugen Leitl, Jay Ashworth, Jazz Kenny, Jimmy Hess, joel jaeggli, Leo Bicknell, Mark Gallagher, Mark Seiden, Michael Thomas, Nick Hilliard, Nick Khamis, Patrick W. Gilmore, Phil Fagan, Randy Bush, Rich Kulawiec, Scott Helms, Tom Taylor, Valdis.Kletnieks@vt.edu, Warren Bailey, William Allen Simpson, William Herrin