[nycbug-talk] some more notes on Fifth HOPE

Chris McCulloh chrislist
Sat Jul 10 03:27:17 EDT 2004


On 09 Jul 2004 at 22:30, G.Rosamond posited:
> Bill Xia spoke about the Chinese gov't's firewall, probably built with 
> the assistance of Cisco. . .They censor sites external to China with 
> DNS poisoning, tcp session hijacking, ip blacklisting of 
> source/destination IP and port.  SSH tunnels are a way around for now.  
> Not to be on the gov't's side of this. . .but why don't they just cache 
> the sites they *do* want to give internally, and block everything else? 

I managed to catch the latter 60% of this, and quite honestly, after
discussing the scenario with one of my business partners, it really made
me think about things.  At first, it seems somewhat unclear why Cisco
would go out of their way to build a device that does packet processing at
quite a different level than anywhere else.  This is a device that would
have to provide processing capabilities much greater than anybody else had
previously asked for.

Enter Cisco's newest product: CRS-1.  The Carrier Routing System 1.  It
purports to route up to 92 Terabits per second.  Yes, 92 Tbps.  All of a
sudden, it just seems to be too coincidental.  Call it paranoid conspiracy
ideas, call it whatever you want, but this talk sort of pulled it all
together for me.  I wish I had the budget to explore the CRS-1 and see if
it does contain some type of hidden functionality or remnant traces of
code that may be in place in China.  But that's at least a remote
possibility that can't be completely excluded.

In regards to your mention of caching, well, I have to admit that's quite
a novel solution from their point of view.  However, the problem still
remains of how to determine what is acceptable and what is unacceptable. 
Given their (supposed) agenda to only hide political or news information
they deem could be improper, there becomes far more information for them
to process and admit into the cache as acceptable.  As a result, this
creates a LOT of work for them if they wish their country to be able to
prosper from the amount of valuable knowledge that is freely available. 
In the end, although this follows the more secure idea of "deny by
default," the Internet as a whole ends up being useless because the
security comes at far too great a cost in time/money, and potentially lost
valuable resources.

George -- I saw you briefly during the Cryptophone talk today, however it
was as I was on the phone running downstairs and outside to meet with
somebody whose badge I had.  My first clue was the Apple AC adapter lying
on the ground with the daemon sticker on it.  Unfortunately I was too
busy, but I'll stop and say hello sometime tomorrow.

-chris

-- 
Chris McCulloh, CISSP
Secure Systems Architect
Sinetimore, LLC

  e: cmcculloh at sinetimore.com
  t: 212.504.0288
  f: 212.656.1469
  w: http://www.sinetimore.com
  a: 40 Broad Street, 4th Floor, New York, NY 10004, USA
key: http://www.sinetimore.com/chriskey.pub
   : [ 9508 07E0 9E6C DD05 4419 40FA 4D96 FD82 24CE 0273 ]