Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Security Through Varying IPs

CmdrTaco posted more than 13 years ago | from the well-it-could-work dept.

The Internet 127

alanjstr writes "Reuters is reporting that an ex-CIA director and ex-KGB man have come together and developed a new way of 'hiding' internet communications. It does this by IP hopping: 'The Invicta system uses special cards to link protected computers to a central control unit. It lets clients decide how often they wish to vary IP addresses and specify which applications may be accessed on their network.'" I've always wondered if there could be a way through software to do this. Of course, a centralized server would need to route which would be a major bandwidth bottleneck.

cancel ×

127 comments

This is why Iridium (satellite phones) was killed. (1)

Anonymous Coward | more than 13 years ago | (#204996)

Iridium did not fail from mere financial woes. It was KILLED.

Satellite phones are the ultimate stealth device. The best they could do is trace you to the western hemisphere. Iridium didn't fail. It was killed by a collusion of law-enforcement agencies and world govt's that still have monopolies on their telcos. They saw Iridium as an "illegal circunvention device" to get around local monopolies. And law enforcement saw the potential for hiding from any trace.

This method of security has been around for years (2)

Anonymous Coward | more than 13 years ago | (#204997)

it's called a "Dial-up account", and I've been using it's security feature of random IP addresses (aka "dynamic" IP) for years. News sure travels slowly huh

Re:...or you could use a real service. (1)

X (1235) | more than 13 years ago | (#204999)

It works either way.

...or you could use a real service. (2)

X (1235) | more than 13 years ago | (#205000)

ZKS's Freedom [fredom.net] is SOOOOO much better than this product it's rediculous. This is so far from revolutionary I doubt serious security people will pay much attention to it.

Re:...or you could use a real service. (2)

X (1235) | more than 13 years ago | (#205001)

Ugh.. sorry for the typeoh... It's Freedom [freedom.net] .

Mobile IP (2)

jd (1658) | more than 13 years ago | (#205002)

Been there, done that, downloaded the kernel t-patch. :)

Nothing new. . . (1)

GeorgieBoy (6120) | more than 13 years ago | (#205003)

This is something that's been done for a while by gov't orgs. If your one of the primary objectives is security , something like this is developed "in-house" because they were creating a unique security measures. They can afford a boatload of IPs. This is not to be confused with security through obfuscation - the specifications of how this has being done has been kept secret since it is something intended for internal use. If everybody knows how this is handled (special routing, etc.) then it makes it easier to poke holes in the open protocol. This is one of the occasions where I would support a closed specification (I'm usually in favor of open standards).

Re:Nothing new. . . (1)

GeorgieBoy (6120) | more than 13 years ago | (#205004)

ahh, another failure of mine to proofread, excuse the poor grammar:

the specifications of how this has being done
should be
the specifications for how this has been done

It's tough writing comments on the run!

Re:Hoax? (1)

Mandi Walls (6721) | more than 13 years ago | (#205005)

Nah, that was a company called "invita" that was actually a company in washington state pretending along with the FBI.

Similar thing (1)

Darlock (7305) | more than 13 years ago | (#205006)

A company I used to work for had a similar technology to prevent people from dialing into their servers. You would get a card that had an LCD and every few minutes the code would change. When you logged into the ppp server you had to provide the proper code to log in. It was a pain to carry this thing around with you but it worked.

Even though this technology is a bit different I don't see it being that great for security. Inside a corporate network this would be fine but on the internet this would be useless.

- If my IP address rotated all of the time how do my packets get back to me?
- Do these guys have to be my ISP? Wouldn't that mean that they would act as a firewall/router to the outside world?

I think I'll stick with encryption.

Re:Similar thing (1)

Darlock (7305) | more than 13 years ago | (#205007)

Nah,

It was a small hydro company. At least someone there was a little pro-active about security.

Re:what about MAC address? (2)

PureFiction (10256) | more than 13 years ago | (#205008)

Second, don't the packets contain things like the MAC address of the ethernet card?

Yes, but this changes with every hop of the packet. The initial MAC ID is from your computer, and is the MAC ID of your NIC.

Once this packet hits the first router, it forwards the packet and it now contains the MAC ID of the router's NIC.

The only time tracking MAC IDs is usefull is if you are on a broadcast LAN, like ethernet w/ dumb hubs, and you can sniff traffic. Otherwise, its all the routers/switches MACs...

Re:IP Spread Spectrum (2)

cloudmaster (10662) | more than 13 years ago | (#205009)

I think it's more like iptables -t nat -A POSTROUTING -s internalnet -j SNAT --to 10.1.1.1-10.1.1.254. Whoopie. My firewall has been doing that since I stuck iptables on it. I wouldn't think that it'd take much to randomly select a source IP instead of the current sequential selection...

there goes tcpwrappers (2)

mr_burns (13129) | more than 13 years ago | (#205010)

How am I supposed to use IP based authentication on a moving target user? It's hard enough authenticating PPP(oE)/dhcp users. hosts.allow would have to become a process to let legitimate users in, and as such, security is weakened. What if the process freaks out, segfaults, zombies.....what about IP spoofing as eggshell code?

Do I have to prompt for a kerberos session every time the IP changes during a session? How easy would it be to hijack the session by fooling the stack into thinking that it legitimately changed to the attacker's IP? How easy would it be to DoS via spoofing parts of the protocol?

Frequency hopping radios are nifty, but we're not talking about beaming light. IP is much more complicated, and has more weak points.

IP V6 Sooner than Later (1)

freq (15128) | more than 13 years ago | (#205011)

We already have an IP shortage! what if everyone started hopping IP's?

havn't they ever heard of encryption?

sheesh

KGB Expert my eye! (1)

freq (15128) | more than 13 years ago | (#205012)

and the article was really light on details, but there are alot of better ways to be secure.

Just a variation on spread spectrum (2)

AJWM (19027) | more than 13 years ago | (#205015)

Or frequency hopping. Indeed, I don't see why you need a "special card" or a central server, so long as the machines involved can agree on an IP sequence and the timing.

If you wanted to get fancy you could simultaneously assign several IPs and spread the packets amongst them (as well as periodically changing the IPs), to really confuse someone doing traffic analysis.

Re:Police Radios (1)

Tolchz (19162) | more than 13 years ago | (#205016)

Ahh, the joys of frequency-hop radios.

I've been trained on the SINCGARS model radio in the Army. It can jump between 100 frequencies per second and you can supposedly still make out what is being said , even if 30% of the hopset is being jammed.

A grain of salt (1)

tlo (20044) | more than 13 years ago | (#205018)

This doesn't seem to be the "incredible intellectual achievement" claimed in the article. Most modern radio-based communications do the exact same thing in the form of frequency hopping. And those system don't require a central host to mediate (although they don't have to worry about routing tables, which leads to . . .)

From the 'gotcha' front, I wonder how they addressed the problem allowable IP addresses to jump between. I would think you would always be limited to the subdomain routed by the host you connect to. If you are connecting from and to huge domains, it's not as bad, but if there is very little traffic in or out, it would be easy to reassemble your session simply by ignoring the IPs and capturing everything. Either way, you are relying on obscurity to provide security.

Although I wouldn't call it a bad idea, I don't think this qualifies as a good one.

-Trevor

Robert Hanssen wanted to work here. (1)

Finni (23475) | more than 13 years ago | (#205019)

This link [commoncriteria.org] is for a blurb about how Robert Hanssen (the recently accused spy) wanted to work at Invicta when he retired.

Invicta doesn't appear to have a website. Maybe because they don't have an IP address for search engines to crawl? How would that work, anyway? If it switches addresses all the time, how do you keep a connection open?

Re:Not a troll... (1)

Brento (26177) | more than 13 years ago | (#205020)

I suppose windows is capable of releasing an ip and getting a new one... ideas?

Yep, get Windows 2000. It can change IP's, DNS servers, and more without rebooting.

sounds like IP spoofing (2)

Basje (26968) | more than 13 years ago | (#205021)

If I understand IP well enough. All they seem to do is spoof to another IP every 0.x seconds. Hence probably the billions of IP addresses too.

Maybe they have a lot of destination addresses too, but somewhere, somehow this has to be routed to the receiving end. Of course, it could be the central server, but then that would be nothing but a router.

Of course, one could also split an encrypted file/text in blocks, and send those in a particular order to/from a number of IP addresses. Kind of like a key. But that would be a pointless excercise: from 8ip's to 8 ip's would be equivalent to 6 bits extra keyspace (2^6 possibilities). It would just be just a little harder to get all of the traffic.


----------------------------------------------

Multiproxy (1)

suqur (28061) | more than 13 years ago | (#205022)

Why not just use MultiProxy [multiproxy.org] ? You set it up as a proxy, and it connects and routes your TCP/IP traffic through other publicly available proxies on the 'net. You can have it cycle through (non)anonymous proxies at specified intervals, or for every connection. This is essentially the same idea, but without a centralized server. Right? Or am I way off? BTW, this program is great for circumventing blocked AIM or ICQ ports if you're behind a transparent firewall.

Re:Security through Vapor? (3)

ajs (35943) | more than 13 years ago | (#205026)

I hear the toll of the bell:
Even if every company wanted a billion IP addresses, that wouldn't be a big deal in a 128bit address space
I didn't think I'd have to do the math on /. , but here goes:

Company X has 100 applications that require a VPN (say, 100 data feed vendors). So, they do the usual IP address math that big companies do (round up the the nearest obscene order of magnitude). So, a billion addresses per application is roughly 32 bits.

Now, I need about 100 of those, but clearly growth is a concern, so let's say I need about 8 bits worth.

Ok, so before that company even gets off the ground. Before they even start deploying IPv6 on their servers, desktops, etc. They're using 256 COMPANIES worth of standard IPv6 allocation. If every company does this (and of course, this is a conservative example), we're talking about a gold-rush on IPv6 addresses that would exaust the non-reserved addresses trivially in the first 5 years.

Let's not be hasty, though, let's assume that we can multiplex these puppies. So, one device might be able to handle multiple servers and clients and rotate the IPs correctly using one IP space. Cool, so for each server-side device IBM buys, only one company's worth of v6 allocation need be used. That should give us another couple of years of life on the namespace.

All things considered, this is a very bad idea. Rotating through 20 addresses to confuse the issue can add some difficulty for crackers, but using "billions" of addresses will add you to my "rude Internet citizens" list.

Security through Vapor? (5)

ajs (35943) | more than 13 years ago | (#205027)

This sounds very suspcious to me.... Problems as I see it:
  1. Your clients must all use this technology. This is fine for building a VPN, but it does nothing for building services which must be announced to the public.
  2. The quote: "The number of IP addresses drawn on may be in the billions thanks to an artificial increase in cyberspace, Sheymov said," makes me wonder. Are they refering to IPv6 or to private addresses? If we're talking IPv6, then I'm very concerned because I don't want to see every company on the planet sucking up billions of addresses per application. That would make the increase to 128 bits pointless. If they're talking about private addresses, you still have to map to an external address at some point, and that's your weak link.
  3. Since when do we expect the former head of the CIA to sell security solutions without back doors?
  4. On the other hand, since when do we expect the former head of the CIA to have a technical clue when endorsing products?
Color me skeptical....

How about an Anonymous IP Router? (1)

dunham (35989) | more than 13 years ago | (#205028)

Dunno how practical the IP hopping thing would turn out to be in practice, but it makes me wonder if a usable IP equivalent of the anonymous remailer system could be developed. (It would, of course, have to frequently switch paths, perhaps with every packet.)

This would be less centralized and offer anonymity, in addition to making it hard to trace the connection.

Re:SecureID (1)

Zurk (37028) | more than 13 years ago | (#205029)

yup..its a secureid hardware card. made by the ex RSA patent holders at RSA : http://rsa.com/products/securid/index.html
bitch to set up but it works great specially with kerberos...and it works with unixes and mainframes too. had an old universe mainframe install running it once.

*shudder* (2)

Dwonis (52652) | more than 13 years ago | (#205030)

I hope this doesn't become too widely-used. Can you say routing nightmare?
------

Re:...or you could use a real service. (1)

dinky (58716) | more than 13 years ago | (#205031)

Don't you mean http://www.freedom.net/ ?

Imbed data in ip address? (1)

Asgard (60200) | more than 13 years ago | (#205032)

With a large enough IP space, couldn't one imbed information in the source address of the packet?

Re:Security through Vapor? (1)

ghoti (60903) | more than 13 years ago | (#205033)

Even if every company wanted a billion IP addresses, that wouldn't be a big deal in a 128bit address space ... but it would be very predictable. Because of the simpler routing in IPv6, there would be a way to tell which IP addresses belong to whom. So if you can eavesdrop on the network, you can sort out which packets are for the company you are spying on, and then all that's left to do is find out how many connections there were at the same time, and pick the data packets apart.
I am not a security expert, but this idea doesn't strike me as very useful or secure. Maybe somebody with more knowledge of the Internet than talking about "cyber addresses" could add some ideas.

Working with MS networking.... (3)

Dr. Blue (63477) | more than 13 years ago | (#205034)

Yeah, I can see how great this would work with Windows: "You have worked for 2 seconds so I am changing your IP address. Windows must be restarted in order for this change to take effect. Restart now?" :-)

security through obscurity (4)

joq (63625) | more than 13 years ago | (#205035)


All this sounds like is a time based routing mechanism nothing more, and I don't really see how changing the IP address is going to save a misconfigured machine. For one, somewhere down the line the address is going to delegate out, so if say someone is browsing via 10.10.1.16 and they're browsing say something on my server and my logs show:

198.81.129.14
"http://www.antioffline.com/cia-soviet/" "Mozilla/4.0 (compatible; MSIE 5.5;Windows NT 5.0)"

Then about one second later

198.81.129.193 "http://www.antioffline.com/cia-soviet/" "Mozilla/4.0 (compatible; MSIE 5.5;Windows NT 5.0)"

Now this is typically another visitor or whatever, but if the connections were so repetitive enough with the same browser fingerprint coming through I can probably correlate them both together by their netblocks depending on who owned the block. So unless they plan on purchasing completely obsolete netblocks like say 198.81.129.0-255 then 198.83.0.0.-255 than how do they expect to stay obscured from view? Keep in mind that there are hardly any complete netblocks to purchase in that fashion (class A s close to impossible), so what are they really planning on doing?

Now if they partnered with ISP's to snag dhcp addresses not being used from a wide variety of places, say Earthlink here, MomandPopISP there, then it'd be a plus for them however simple traceroutes, and block lookups can give you their information. (who owns the block etc)

All it sounds like is a sort of a dhcp-round-robbin-routing set up which is not going to save them still, if someone is really intent on getting access to their networks, they'd run out of address ranges before their scheme would work.

Now on the spook/snoop side of things... I say TMTOWTPGPSAM! (There's More Than One Way To Sign PGP Sign A Message) to keep info from eyes other than the intended recipient.

Re:Ahh, I get it... (1)

Knobby (71829) | more than 13 years ago | (#205036)

Good question!..

This isn't like hopping ports, which theoretically might be able to do the same thing.. You're hopping IP's which means that the DNS server needs to know where the hell you are. If the DNS server knows where you are, then what's stopping me from querying the DNS server to find you?? I like the idea of hopping ports every few seconds, and firing encrypted packets that contain the next port, or a random seed included with the original request that defines the jump sequence...

It's heavy in fluff, no substance (2)

ka9dgx (72702) | more than 13 years ago | (#205037)

Look, you're connected to the internet, you only have one subnet, with X addresses. This company gives you a VPN service, with it's own set of addresses, probably all virtual. How does this differ from VPN and/or NAT? It's fluff... NAT is nice for getting devices to be able to see the internet, but it's not a replacement for security. VPN is a good idea, but only if there are no chinks anywhere in the armor. (Yes, running Microsoft code is a BIG chink)

--Mike--

Re:Security through Vapor? (2)

selectspec (74651) | more than 13 years ago | (#205038)

If you could encace one of the participants with boxes running snoot, you'd could eventually figure this thing out. Sounds like security through obscurity which we all know doesnt really work, especially if you're the CIA.

Are we *sure* he's stopped working for KGB/CIA? (2)

billstewart (78916) | more than 13 years ago | (#205040)

Sounds suspicious to me.... Depending on whether the "centralized" box is really a centralized box run by his company or only a centralized-per-customer firewall-like-thing, it could be a golden opportunity for wiretapping the paranoid, or it could be just watered-down explanations given to the non-technical press by the Corporate Speaker-To-Publicists.

Frequency hopping, random thoughts etc. (2)

andkaha (79865) | more than 13 years ago | (#205042)

The concept of frequency hopping [hedylamarr.at] was invented by Hedy Lamarr [hedylamarr.at] in the 1930's. It is currently being used in several countries as a secure way of sending military orders.

The advantage of frequency hopping to IP hopping seems to be that it's (probably) harder to predict frequencies than it is to predict IP addresses. No doubt they will/have figure/d out how to allocate a large anough IP space to make a fairly secure transmission and how to sync the sender and receiver.

(...and what to do about the unused IP's... hmmm... You only really need one big pool of IP addresses for a set of computers, don't you? Then it's just a matter of juggling the IP's around and make sure every computer in the set of computers know what IP they themselves and their respective communication partner at any moment have... The more computer that are communicationg over the pool of IP's, the more secure the channel is.)

And now, let's all repeat the mantra of the day: Computers do what we tell them to do. Thus no computer system will ever be completely secure.

save some money... (2)

passion (84900) | more than 13 years ago | (#205044)

just use dyndns.org [dyndns.org] yourself!

Re:Sequencing, randomness, etc ... (1)

JoeGee (85189) | more than 13 years ago | (#205045)

Or charity work for unemployed Russian tech workers ...


Sequencing, randomness, etc ... (2)

JoeGee (85189) | more than 13 years ago | (#205046)

If the sequence used by these cards is not completely random then observing the stream of packets from either of the two connected computers will allow one to extrapolate the formula used to sequence the address progress.

If I have the formula I need only a small ordered list of the IP addresses being used and I can predict what the next IP address will be. With that, I am in the loop.

This sounds like a glorified network card to me. This might confuse the kiddiez, but I suspect persons who use this company's products would be much better relying on very strong encryption and rigid security practices.


Security through TCP Sequence Number (2)

Greyfox (87712) | more than 13 years ago | (#205047)

I remember reading a while back now a paper on sending encrypted communications to a system using the TCP sequence number. The idea being to spoof a packet to the system under the guise of something fairly innocuous but have the real payload be encrypted and sent in the TCP sequence number or one of the other lesser used fields of the TCP packet. As far as any monitoring entity is concerned, that's just random crap coming in on the network connection.

Single point of failure/false sense of security (2)

BierGuzzl (92635) | more than 13 years ago | (#205048)

Essentially all the computers using this "card" to communicate with the world wild web rely on firmware to be up to date and invulnerable to attacks. Not only does the card become the firewall, controlling which network services are available, it also becomes the ultimate "sitting duck" described in the article. According to the article, each client can decide how often it's ip should change and which network services it will serve. It would follow that an attacker could compromise the card by masquerading as one of the clients and actually ghost the entire website.

Invicta, Invita... (2)

Lish (95509) | more than 13 years ago | (#205049)

Hmm. Wasn't Invita, just one letter off from Invicta, the name of the fake security company the FBI used to snag [slashdot.org] those Russian hackers not that long ago? Curious...


---

Fluffware (2)

MattW (97290) | more than 13 years ago | (#205050)

Are they trying to outdo one-click ordering?

In order to route IPs on the Internet, route aggregation is required. An end host isn't going to be able to switch its address amongst many different network addresses, only to different IPs in a subnet. Given that someone who wants to compromise a machine has to have a way to find/connect to it first, it is trivial to relocate a machine. Also, see if ARIN wants to assign whole blocks of IPs for machines to hop around on.

IPv6? Maybe that would make this slightly more useful. But if a machine is supposed to be accessible, you have to make it known where it is -- if it isn't accessible, then you SHOULD just put a firewall blocking all inbound traffic, and that's that.

Another day, another "revolution". *sigh*

Police Radios (1)

The Wing Lover (106357) | more than 13 years ago | (#205052)

How is this different from police radios? They like to jump between frequencies, but I can walk into Radio Shack and get a scanner that'll receive them...

"Set us up the IP block!" -- caffeinated_spork (2)

The_Messenger (110966) | more than 13 years ago | (#205053)

Good, now I can circumvent Slashdot's ultra-lame IP block when trolling AC without resorting to slow proxy servers. :-)

--

Analog to CDMA (1)

gutier (129597) | more than 13 years ago | (#205058)

Frequency hopping has been around for decades, most prominently in CDMA technology. More precisely, "IP Hopping" is an almost perfect analog to "slow frequency hopping" where multiple bits are transmitted on one frequency band before hopping to another band. I suppose "IP Hopping" can be considered novel, but no, not really.

Hmmmmm... (1)

gnarly (133072) | more than 13 years ago | (#205059)

"My connection is super secure. Other than the CIA and the KGB nobody can trace me!!!!"

Re:IP V6 Sooner than Later (1)

mrgoat (143500) | more than 13 years ago | (#205060)

Um, yeah, I read the article too. Sounds like a rehashed press release that caught some staffer's attention.

If you really think about it, this is not going to benefit most companies one iota for protecting their corporate traffic. Think about it...most big corps run their own dark fiber now, have their own networks and routing policies trans/internationally. So what if you modulate your IP space out in the big bad world? Smaller corps use VPN's and such in addition to smaller pipes. The paranoid ones encrypt everything. I don't see how modulating IP's, which must fit into predictable ranges anyways, is going to really help things along much.

However, there is one area of use by big corps that can afford this toy. That is snooping on their competition. Most IDS systems don't come with the kind of configuration that can handle fingerprinting this toy's kind of traffic. You have to script it in or find a vendor(with really good consulting staff) that knows their stuff. This toy gives folks with deep pockets a substantial advantage over someone who won't or can't buy it or the protection they need.

As for the infallibility of this toy, it would be interesting to see some pros tear it apart and see what ticks. I am betting there are some holes there.



mrgoat

No, that was INVITA.. (1)

sparkane (145547) | more than 13 years ago | (#205061)

..as in:

We'd like to "invita" you to our country, special party, very elite, BYOB, and don't forget your toothbrush.

Maybe "invita-tion" would make a good New Hacker's Dictionary term: getting invited to something that is going to be detrimental to your health/career/whathaveyou. Probably not in the hacker psyche deeply enough though.

Re:IP V6 Sooner than Later (2)

dmccarty (152630) | more than 13 years ago | (#205062)

Like spread spectrum radio waves, you first have to lock into the variation, wich in this case could be completely random, [...]

Nothing is really "completely random." When creating large sets of random numbers you usually have to rely on some algorithm to create them, which rules out the "random" bit by the definition of an algorithm.
--

Re:security through obscurity (2)

dmccarty (152630) | more than 13 years ago | (#205063)

So unless they plan on purchasing completely obsolete netblocks like say 198.81.129.0-255 then 198.83.0.0.-255 than how do they expect to stay obscured from view?

You're assuming they plan to own the IP addresses they say they're coming from--i.e., non-spoofed IP's. Given that this plan originated from the CIA and (former?) KGB I would say that that's a dangerous assumption.
--

Someone sell these people an Egress (1)

Isao (153092) | more than 13 years ago | (#205064)

This won't work. Sub-second IP changes would mean the server (read "router") will have to log the chain of IPs for a short while, in order to route (NAT) return traffic properly. So compromise the router, security gone. I, for one, don't trust that. Second, as a website, simply do traffic analysis on your logs. Most sites have referrer turned on, they'll know if you click two consecutive links on their site (or enough of the time to reveal your uniqueness). This is (weak) information hiding, not security. Where do they get these people?

Better schedule your transfers. (1)

M3shuggah (162909) | more than 13 years ago | (#205066)

It would be my luck that I would be transfering the last 10megs of a 500meg cd-image, right when my IP changed.

But seriously... It sounds good in theory, but if developers don't code their apps for the instantaneous IP change, it could seriously cause major headaches.

Also there would need to be downtime for an IP before it was used again, otherwise I could make a request, (then if hypothetically I changed IPs, and my old one was assigned immediately) the other user with my old IP would recieve the packets. Which could be a huge security risk, if transfering sensitive material.

reuters a good source? (2)

loraksus (171574) | more than 13 years ago | (#205068)

It sounds interesting, though I'm not sure if reuters has their story correct. This is my take on it.

I'm assuming their solution is hardware based ("special cards"), with a star topology from the central unit. I'm sure that the special cards will not be running a variation of ethernet, but some other, more secure transport. If it is standard ethernet, the network would be switched.

The "central unit" acts as a switch / router, and allows some kind of address changing. No other hubs / switches are on the network, except perhaps between "central units"

I am assuming that reuters or yahoo is wrong, and this protocol is based on the switching of MAC addresses, rather than IP.

If so, then the whole network would have to be revamped in order to put this in place. Existing routers would most likely not be able to handle MAC switching - perhaps a software upgrade could change that though. I'm pretty sure that the company would just sell their central units as hubs / switches. Why not have a monopoly on the propriatary network that you designed?
So, while they are at it, they might as well couple this with fiber optics, with the central unit watching the strength of the signal for drops (i.e. a fiber optic tap is detectable - unlike ethernet, which can be tapped just by planting something on the cat-5 jacket (CIA $$$$ stuff) - or by cutting into the wire and installing a repeater/sniffer unit. We are talking about fairly expensive "spy" stuff either way.

If not, if the address switching is indeed IP, there would certainly be a way to sniff the network and to filter out MAC adresses from all other data being sent across the network. If the "special cards" or the network were designed to prevent sniffing, that would

Either way - it is essentially security through obsurity, but it makes life a lot harder for those trying to compromise computers - although hosting a server with this would be difficult - unless the Central unit acted as a gateway of some kind.

More info is certainly needed - if someone can post some that would really clear things up.

The slashdot 2 minute between postings limit:
Pissing off hyper caffeineated /.'ers since Spring 2001.

Seems like a lot of trouble to go through (1)

commodoresloat (172735) | more than 13 years ago | (#205069)

... just to trade Metallica songs.

The more things change... (4)

isomeme (177414) | more than 13 years ago | (#205070)

Sounds like the IP analog for radio Frequency Hopping Spread Spectrum (FHSS [boun.edu.tr] ). Which, by the way, was invented and patented as a radio security technique during WWII by movie star Hedy Lamarr and her pianist [techtarget.com] . A movie star geek girl? I was definitely born in the wrong generation...

--

Re:Not a troll... (1)

SlashGeek (192010) | more than 13 years ago | (#205072)

I would think that your computer would see a set local IP address, and the net card would handle everything else. From the sound of it, at least for now, it seems aimed more at corperate or WAN usage, where this card would only be on the server. I don't think his intentions are to sell this as a consumer product for a little while.

Just another step in the ladder (3)

SlashGeek (192010) | more than 13 years ago | (#205073)

It's a step, but lets face it. If somebody, especially the gov't really wants to see what you are up to, they'll find a way.

Of course, a centralized server would need to route which would be a major bandwidth bottleneck.

And, of course, a centralized server could also be very easily tapped by a Carnivore-like device.

I guess it could scare off a few skript kiddies though.

Re:IP V6 Sooner than Later (4)

SlashGeek (192010) | more than 13 years ago | (#205074)

Read the article!!! The author clearly stated that things like encryption and firewalls were like "building fences around known locations" wich makes them "sitting ducks for a determined hacker." The idea behind IP hopping is that they don't even know where you are to begin with. Like spread spectrum radio waves, you first have to lock into the variation, wich in this case could be completely random, then deal with the "fences". It adds another layer, and a pretty damn good one.

Downfall (2)

Tebriel (192168) | more than 13 years ago | (#205075)

What happens when you get a DoS attack from a billion different IP addys? This is a two way street here.

How can I short this company? (1)

mkcmkc (197982) | more than 13 years ago | (#205076)

Don't you wish there was some way to sell shares in idiotic companies like this short before they IPO?

(BTW, I've already patented a similar security method: I train packs of chipmunks to plug and unplug 10baseT cables into random ports, thwarting any attempt to break in across the related links.)

--Mike

This is a great concept... (3)

SomeoneGotMyNick (200685) | more than 13 years ago | (#205077)

It should be worth making a few more episodes of The Lone Gunmen to exploit it.

Re:This method of security has been around for yea (1)

marcop (205587) | more than 13 years ago | (#205078)

it's called a "Dial-up account", and I've been using it's security feature of random IP addresses (aka "dynamic" IP) for years. News sure travels slowly huh

Yeah, crappy ISPs can now advertise their high line drop rates as "security features".

Repeat?? (2)

VivianC (206472) | more than 13 years ago | (#205079)

Invicta? Wasn't that the name of the FBI's fake company [slashdot.org] that snagged those Russian hackers?

Odd that they would have the same name...


Viv
-----------

On a similar note... (1)

TrebleJunkie (208060) | more than 13 years ago | (#205080)

Here's something I came up with about the time Carnivore hit the news that wouldn't take a big corporation full of ex-intelligence (yeah, right.) officers to implement:

http://www.digitech.org/~tjunkie/idea.html [digitech.org]

It's a pretty simple idea, not very flashy, and, oh, it's a freaking bandwidth hog. But, same time, it might be fun to play with.

Ed R.Zahurak

Not a troll... (1)

djocyko (214429) | more than 13 years ago | (#205083)

how happy would windows be about this? Everytime I change the static ip of my network card I have to reset. I suppose windows is capable of releasing an ip and getting a new one... ideas?

perhaps it would be wise now not to expect security on a win box? (but that would definitly be read as a troll)

BW limitations (1)

IdeaMan (216340) | more than 13 years ago | (#205084)

Doesn't necessarily have to consume bandwith.
Put another way, the router used has to handle all that bandwith anyway, just make it a little smarter.

New clothes on old ideas? (1)

jbaltz (219494) | more than 13 years ago | (#205085)

Wow.

Spread spectrum meets NAT.

Still, it looks new and interesting, but it still depends on a lot of out-of-band information, and I'd hate to be in charge of their BGP tables.


//jbaltz
--

Re:Very cool idea.... (1)

The Monster (227884) | more than 13 years ago | (#205088)

isn't this just a variant on 'security through obscurity'?
A bit, yes. The problem is that you have to have a way for the Right People to be able to find each other. the article alludes to some kind of bottleneck from a central server making connections for the clients. Can you spell "DOS"?

In a sense, the server is acting as a sort of firewall. (Kindasorta.) If you can persuade the server that you're OK, you get the IP. So the security is in the server. Breach that, and what's next?

Re:Very cool idea.... (4)

hillct (230132) | more than 13 years ago | (#205089)

Maybe, but isn't this just a variant on 'security through obscurity'?

I'd have to say that this is a not-so-clasic example, and in fact a neat idea, but when it comes down to it it's still securing a system through making it difficult to find.

It's admittedly a neat technology, but it it really secure?

--CTH

--

Hmm, Napster or P2P Application? (1)

tarbabyxxxx (241558) | more than 13 years ago | (#205090)

This could work great to hide P2P file sharing.

breaks most firewalls (1)

kireK (254264) | more than 13 years ago | (#205093)

Image all the fun you would have setting off security allerts on firewalls and intrusion detection devices... Hey guys... back to the lab... OK?

Ahh, I get it... (3)

Shoten (260439) | more than 13 years ago | (#205095)

Ok, let's see if I get this right...

They keep moving around so many times a second that the bad guys can't find them. If a bad guy manages to ping an address that's a target, by the time he even types the "n" in "nmap" it's another address.

But the GOOD traffic can find them? How the hell does this thing know the difference? It sounds like they came up with a great way to hide a computer (especially if they end up trying to pretend to be someone else's IP range in the process), but they totally ignore the fundamental problem: how to tell good traffic from bad without a human having to examine it. This has to be some of the worst snake oil I have ever seen.

It's snake oil. (1)

AnotherBlackHat (265897) | more than 13 years ago | (#205097)

Foo - One could do the same thing without all the expensive hardware (it would probably work better too, fewer timing problems to contend with) It's nothing more than an encryption layer added to IP addressing. You'll still need encryption on the packets themselves (unless you don't mind people being able to read everything you write) and a man in the middle attack wouldn't even notice that encryption was happening. Plus they've added an extra point of failure, and you have to trust the party that builds the cards.

IP Spread Spectrum (1)

ZaneMcAuley (266747) | more than 13 years ago | (#205098)

Is this like Spread spectrum for IP addresses.

Predictable? (1)

ZaneMcAuley (266747) | more than 13 years ago | (#205099)

Is it possible to predict the outcome of the next IP hop? Does it stay within a predefined range? Must it do for Corporate scenarios? If you can predict the next hop u got em ahead of em, lay a mind and wammo. Whats the IP hop algorithm? any ideas?

Re:Working with MS networking.... (1)

ZaneMcAuley (266747) | more than 13 years ago | (#205100)

NT feature only :)

Re:Better schedule your transfers. (1)

ZaneMcAuley (266747) | more than 13 years ago | (#205101)

Surely this would be at a lower level than the application layer :)

Not really a shield (4)

ZaneMcAuley (266747) | more than 13 years ago | (#205102)

More like a moving target :) Duck shoot ne1 :)

That *is* interesting.. (1)

drfreak (303147) | more than 13 years ago | (#205103)

I have also thought of doing a similar
thing with MAC addresses on top of DHCP
with short leases, for added security.

using iptables, this should be possible,
as you can route packets and change (mangle)
them according to MAC address.. cool shit

Re:Security through Vapor? (1)

garbuck (303365) | more than 13 years ago | (#205104)

If we're talking IPv6, then I'm very concerned because I don't want to see every company on the planet sucking up billions of addresses per application. That would make the increase to 128 bits pointless.

With 128 bits, you could have 3e29 companies using a billion addresses each. 98 bits for the company address, plus 30 bits for each company to play with.

Ravenous Bugblatter Beast of Langley, VA (2)

blair1q (305137) | more than 13 years ago | (#205105)

I dunno, but it seems like if you wrap a towel around your head so that you can't see your attacker, then, even if he thinks that he can't see you because you can't see him, the rest of us can still tell that you've got a towel wrapped around your head.

--Blair

Traffic? (1)

JohnnyKnoxville (311956) | more than 13 years ago | (#205106)

wouldn't your network DHCP and DNS traffic increase tenfold?

Weakest Link. (2)

jfisherwa (323744) | more than 13 years ago | (#205108)

'The Invicta system uses special cards to link protected computers to a central control unit. It lets clients decide how often they wish to vary IP addresses and specify which applications may be accessed on their network.'"

What they fail to mention is that their Central Control Unit is running an out-of-the-box copy of RedHat 6.0.

-

Seriously; how secure can this be if it is revolving around a single (or cluster) of control units that dictate, record, log, and monitor the IP addresses?

Sounds to me like they're selling us NSA-quality security, along with NSA-approved backdoors and line tapping capability.

-

How about this--instead of having a single control center managing the IP pool, we create a peer-to-peer network where, upon joining, you effectively 'donate' your 'IP address' (some form of tunneling/enscapulation would be in use?) to the community pool.

The network client continuously searches for a new partner to exchange addresses with, based on specified variables, and trades your address with theirs.

Instead of being a one-to-one swap, it's going to be take an address, pass it on.. the first few may be easy to track, but once you've done your 10th or 40th swap (each sequential exchange gives the new partner the address you procured in the last exchange), the paper trail is extensive.

Just a random thought, it may be effective when combined with some existing solutions.

Jason Fisher [feroxtech.com]

NY Times article (1)

mgarraha (409436) | more than 13 years ago | (#205109)

In June 2000 the New York Times ran another article [nytimes.com] (free registration required) about Victor Sheymov.

inherent weakness? (1)

nilstar (412094) | more than 13 years ago | (#205110)

But, wouldn't the inherent weakness be that central computer which routes everything? I mean even with the expectation that it would be 'high bandwidth ready', wouldn't a d-dos attack be a prime candidate to take it down?

Hoax? (2)

sakusha (441986) | more than 13 years ago | (#205111)

Could this bee a hoax? I remember it was only a few weeks ago when the FBI lured two Russian crackers to come to work at a fictitious security company called "Invicta." It was a false front created to lure the crackers into US jurisdiction.

This Technology has Little Benefit (1)

GNU Zealot (442308) | more than 13 years ago | (#205112)

The people that have the greatest need for Internet security are companies/organizations that have a presence on the Internet. These people want patrons to be able to get to their site. In order for people to be able to get to their site, they have to know their IP address. Therefore this technology is not even usable by those who need security the most.

This technology adds only a very small amount of security for your average consumer. Most users' systems are comprimised in one fell swoop and are not the subject of a determined attack because there are always plenty of other possible victims. There are two marginal benefits which I see (although there could very well be more):

  • Scanning networks will take more time because the attacker can't ever quite be sure that they've scanned all the hosts.
  • If a system is compromised, you can not simply write down the victim's IP and expect to return to the system at a later date. However this is easily worked around by having the compromised system periodically give you its IP address (via email, IRC, etc.).

Very cool idea.... (1)

kypper (446750) | more than 13 years ago | (#205113)

We need IPV6 for this more than ever.
Can you imagine the ranges at which people would hop?

Why bother? (1)

bartle (447377) | more than 13 years ago | (#205114)

This would only really be effective as a hiding mechanism in a rather large organization. A sniffer can still determine that there is a large amount of information flowing between organizations, it just wouldn't be able to tell what. If all you want to do is secure the information, just encrypt a single session. It would be much more efficient.

I suppose if someone wants to write a poor mans' solution, you could just rotate UDP ports rather than actual IPs. This would pretty much befuddle most current sniffing software, it would look like a bunch of small, random sessions rather than one big one. But I still don't quite see what that would get you, the strain on the IP stack and NAT routers would give you an unnecessary performance hit.

what about MAC address? (2)

complexmath (449417) | more than 13 years ago | (#205115)

It seems like the main goal of this technology isn't to obscure the source of web browsing, as another poster assumed, but rather to make sniffing a session much more difficult. Since both ends need to be running this software, I don't see it being useful for anything else.

Still, I wonder about a few things. First, how can you implement time-based IP-hopping when IP is not time-dependent? That is, what happens when the connection between the two machines encounters a bit of congestion? The destination will have hopped on to a new address and the packetes will never arrive... unless there's something I'm missing.

Second, don't the packets contain things like the MAC address of the ethernet card? Are they saying that their technology either will not include this information, or switch it right along with the IP address?

As glorious as it sounds, somehow I don't see this being nearly as effective against MitM as signal-hopping with radio frequencies. With a radio scanner you would either have to monitor all available frequencies to try to put the session together or synch with the session and hop along with it, which is fairly difficult. However with packet sniffing, everything that passes is available for reading. The only way I can see this being halfway useful is if somehow every address used had a different route between the two machines, which isn't really feasible.

So... it's a nice idea I suppose but it sounds to me like it's mostly hype.

Useful... (1)

Snootch (453246) | more than 13 years ago | (#205116)

...but only if you don't want to be found by anyone! Clients, yeah, sure (though - have you seen Windows changing IP? Reboot every other microsecond, anyone?), but servers of any description? I remain sceptical...

43rd Law of Computing:

Re:Very cool idea.... (1)

Snootch (453246) | more than 13 years ago | (#205117)

Great - just as we give them lots of address space, someone had to figure out a way of using it all up at once... besides, someone has to keep track of where everyone is - now isn't that just one of those "sitting ducks for attacks", hmm?

43rd Law of Computing:

Re:Useful... (1)

Snootch (453246) | more than 13 years ago | (#205118)

Give the computer one IP, and let card handle the changing IP's and forward them. A different approach, but not entirely difficult.

Well, would *you* like to pay for a net card that does this? Give me encryption any day...

43rd Law of Computing:

Re:CmdrMoron (1)

Snootch (453246) | more than 13 years ago | (#205119)

Yeah, thank God we don't need routers on the Internet, that would slow everything to a crawl.
Correction: Thank God the whole Internet doesn't go through a couple of routers run by one company - now that would be painful, but this is what's being proposed, in effect.

43rd Law of Computing:

Not you AGAIN! (1)

Snootch (453246) | more than 13 years ago | (#205120)

Will you just quit this troll? It's not new, it's not funny, it's just lame.

43rd Law of Computing:

Re:Similar thing (1)

Snootch (453246) | more than 13 years ago | (#205121)

Was that Motorola perchance? I saw one of those being used to log into their dial-up once...
43rd Law of Computing:

Re:Not a troll... (2)

Snootch (453246) | more than 13 years ago | (#205122)

At a server? That's just stupid...how can you be got to? And if normal traffic can reach you, doesn't that invalidate the whole point?

43rd Law of Computing:
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...