But the return on investment is likely to be far less. If it is harder, more resources have to be spent, then they will be more selective if just because it would be prohibitive to bug every system across the world, at least at present.
>But the return on investment is likely to be far less.
I am not so sure about that. The internet... well, many of the wide-open holes have been closed... BGP hijacking isn't as trivial as it was in '08[1], mostly because filtering has been implemented in some places, but it's still something that could be done by someone of, say, my resources. It's trivial to anyone with real resources.
And there are all sorts of other possible attacks. Hell, even ignoring the (probably easy, for one of the three letter agencies) possibility of putting a backdoor in the firmware shipping on popular routers, well, most ISPs end up using ancient router firmware revisions on their routers[2]
Yeah; read over that BGP hijacking attack; it sounds way easier than setting up a collector at every ISP. (You'd still need local collectors to not add too much latency, but a single (/very/ well connected) collector could cover a reasonable region)
[2]Cisco charges an arm and a leg for firmware upgrades... they give you some of the really old stuff? but usually the choice is used $BIGNAME hardware without firmware updates, or you roll-your own quagga. (at the 10G/sec traffic level my upstreams can push, quagga/vyatta work just fine... that's what I use.)
Again, I don't understand why you think that it's harder for the NSA to hack / bribe / trick their way into data than it is to have to obtain court orders and convince everyone to work with them.
einhverfr|12 years ago
lsc|12 years ago
I am not so sure about that. The internet... well, many of the wide-open holes have been closed... BGP hijacking isn't as trivial as it was in '08[1], mostly because filtering has been implemented in some places, but it's still something that could be done by someone of, say, my resources. It's trivial to anyone with real resources.
And there are all sorts of other possible attacks. Hell, even ignoring the (probably easy, for one of the three letter agencies) possibility of putting a backdoor in the firmware shipping on popular routers, well, most ISPs end up using ancient router firmware revisions on their routers[2]
Yeah; read over that BGP hijacking attack; it sounds way easier than setting up a collector at every ISP. (You'd still need local collectors to not add too much latency, but a single (/very/ well connected) collector could cover a reasonable region)
[1]http://www.defcon.org/images/defcon-16/dc16-presentations/de...
[2]Cisco charges an arm and a leg for firmware upgrades... they give you some of the really old stuff? but usually the choice is used $BIGNAME hardware without firmware updates, or you roll-your own quagga. (at the 10G/sec traffic level my upstreams can push, quagga/vyatta work just fine... that's what I use.)
AlexeiSadeski|12 years ago