Ersatz Internet

This is going to be a “work in progress” posting. I’m just going to be throwing things up here as they come to mind, rather than working out the details and making it a “decent posting”.

The reason is very simple: The Egyptian Government cut off of internet services shows that this can happen to anyone at any time and it would be good to be prepared. While I have no idea if this will help anyone, time is of the essence. For folks not in Egypt, having an idea what services and materials to get in advance and how to prepare can be of benefit.

Network Basics

For most countries, they have a major link connecting them to the rest of the world. They also have key “domain name services” they control. A network shutdown may involve both of those, and may also involve the smaller domains inside the country (local networks). Depending on which part is being shut off, you need to replace each of them.

THE most likely disruption is a shutdown of the “boundary routers” that connect the interior networks to the Rest Of World. If that is the case, you need a different “pipe” to the world. That’s the hardest part to fix in size, but in some ways the easiest to fix for a single person for small messages.

If you connect to your internet service and can see the local sites (like the government web site or the local department store advertising), they have only shut off the boundary to the rest of the world. If you get nothing, or nearly nothing, they have shut down the whole thing. If it’s just the boundary, internal connectivity ‘group to group’ becomes easier, but routing becomes a bit more complex for going out of the country. If you can ping a site, like google.com, via IP number directly (I always keep a list of known numbers for testing…) then it is Domain Name Service that is being disrupted. Setting up your own DNS server can fix that (and a caching DNS server is good to have anyway…)
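The three checks above (local site, outside host by IP number, name lookup) can be scripted so the verdict is reached the same way every time. This is an added example, not from the original post; the probe targets are placeholders (RFC 5737 documentation addresses and example.com) that you replace with hosts from your own pre-made list, and it assumes a POSIX shell with ping and getent or nslookup.

```shell
#!/bin/sh
# Connectivity triage: which layer of the network has been cut?
# Added example, not from the original post. Probe targets below are
# placeholders; replace them with hosts you have verified in advance.

LOCAL_SITE="${LOCAL_SITE:-192.168.1.1}"      # an in-country / in-LAN host (placeholder)
KNOWN_IP="${KNOWN_IP:-203.0.113.10}"         # outside host by IP, from your list (placeholder)
KNOWN_NAME="${KNOWN_NAME:-example.com}"      # a name that resolves when DNS works

# Each probe returns 0 on success, 1 on failure, and gives up after 2 seconds.
probe_ping() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

probe_dns() {
    # getent asks the system resolver; fall back to nslookup if it is absent
    if command -v getent >/dev/null 2>&1; then
        getent hosts "$1" >/dev/null 2>&1
    else
        nslookup "$1" >/dev/null 2>&1
    fi
}

# classify LOCAL_OK IP_OK DNS_OK   (each 0 = success, 1 = failure)
# Encodes the decision tree from the post: outside reachable by number but
# not by name means DNS is disrupted; inside works but outside does not means
# the boundary routers are down; nothing at all means a full shutdown.
classify() {
    local_ok=$1; ip_ok=$2; dns_ok=$3
    if [ "$ip_ok" -eq 0 ] && [ "$dns_ok" -eq 0 ]; then
        echo "normal"
    elif [ "$ip_ok" -eq 0 ]; then
        echo "dns-disrupted"
    elif [ "$local_ok" -eq 0 ]; then
        echo "boundary-cut"
    else
        echo "full-shutdown"
    fi
}

# The next step for each verdict, as the post lays them out.
advice() {
    case "$1" in
        normal)        echo "nothing to do" ;;
        dns-disrupted) echo "run your own caching DNS server fed from outside, or use IP numbers directly" ;;
        boundary-cut)  echo "find another pipe: modem to a foreign ISP, leased line, satellite, cross-border wireless" ;;
        full-shutdown) echo "build the local intranet first, then add any outside link you can get" ;;
    esac
}

triage() {
    probe_ping "$LOCAL_SITE"; l=$?
    probe_ping "$KNOWN_IP";   i=$?
    probe_dns  "$KNOWN_NAME"; d=$?
    verdict=$(classify "$l" "$i" "$d")
    echo "local=$l outside-ip=$i dns=$d -> $verdict: $(advice "$verdict")"
}

# Only touch the network when explicitly asked, so the functions can be
# sourced and checked without sending a single packet.
if [ "${ERSATZ_TRIAGE_RUN:-0}" = "1" ]; then
    triage
fi
```

Run it with `ERSATZ_TRIAGE_RUN=1 sh triage.sh` (file name assumed) after setting the three variables to your own hosts.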

OK, how do you get past it?

Get off the freeway… take a minor side road. No, it can’t carry the whole freeway full of traffic, but it can carry you.

Personal Connectivity

Many laptops have a built in modem, typically unused. You need to turn it on and use it. As long as there is basic telephone service, you can place a phone call to an internet access point outside the country. I have 2 ISPs (Internet Service Providers) and both provide “dial up access” as a “backup” service. So from anywhere in the world I can call their USA phone numbers and be “on the internet”. For desktop machines, you can buy and attach a modem if you do not already have one. (I recommend that everyone have one of these in inventory ‘just in case’ and use it from time to time. I do.) I have one built in to my “internet router box” so if my main network is down, I can ‘bring up the dial-up’. This was standard procedure for decades in commercial network designs, with ‘dial up links’ next to the “leased lines” for emergency use.

Once ONE person has internet access in this way, they can then let other folks “sign up” for a dial up account using their system to access the foreign ISP. It will take a credit card, but not much more. Yes, it is possible to monitor a phone system and detect modem signals on a line, and shut it down. Nobody is really set up to do that ‘en masse’. IFF the whole phone system is shut down, you have real problems and connectivity will be lowered.

OK, are there other options?

Satellite links. Many folks get ISP service from a satellite. If you have that, you are already working.

Company “leased lines”. Many companies will have a private wire that connects their remote offices to their main corporate office. If that is the case, the in-house IT support folks can route your local site through that leased line and get internet access from the office that is outside the country. So check connectivity at work, and from any remote company offices that your office can reach. You may find that you need to ‘remote login’ to a machine in the remote location, but your I.T. folks ought to be able to set up the connectivity. Frankly, in the systems I built, if one site lost internet access, it would often just automatically route to another (you can set that ‘routing preference’ in the ‘routing tables’ of your ‘routers’ that do all this connecting…)

Border Locations. At the border, you may be able to pick up wireless access for an adjacent country. So if there is a Starbucks just over the border, see if you can wirelessly connect to it for internet. I have a miniature ‘dish’ antenna for my laptop that can connect over about a 1 block range. Not a long way, but it would be enough in some cases… Hawking makes it and it cost me about $60.

http://www.hawkingtech.com/products/productlist.php?CatID=32&FamID=60&ProdID=386

So, to recap: Modem, work leased line, satellite link, border location wireless.

Oh, and it is possible for one computer to talk to another private location over a modem too, so you could, if you wished, have your computer and modem call another individual (not an ISP) out of the country and connect directly to them.

There are some other ways, but those are the “big lumps”. (You can ‘tunnel’ a signal inside other allowed communications, but that’s a bit complicated for now).

Finally: “Never underestimate the bandwidth of a truck full of DVDs or Thumb Drives”. It will take a long time for data to get from one place to another, but with dedicated servers on your private network, you can swap updates back and forth via physical transport of media to sites outside that do have internet access.

Group Connectivity

It is also possible that you don’t really care so much about reaching CNN New York and are more interested in contacting folks in your area. For that, you can set up ‘group intranets’.

So a typical home or work wireless access node can be locked down, or opened up to other folks. If I left mine open, my neighbor can connect to it, and then we two can swap information. (At that point, we will want to have a shared Domain Name Server or DNS server, or we will need to do things by calling each other by “IP Number” or Internet Protocol Number. Linux easily provides DNS services, as do some releases of Microsoft Windows. Consult the manual pages for DNS if needed.) So, for example, I have a Linux box. I can “telnet” to my Linux box from my Windows machine by opening a ‘terminal window’ and typing “telnet 192.168.1.22” (or whatever the IP number is that my machine has got). So if my neighbor gets on MY wireless node, then he can do the same. We can share file systems (with various remote file sharing protocols) and we can even set up things like individual email and “FTP” servers.

IFF I’ve got a ‘dial up’ internet access to outside the country running, I can turn on ‘internet sharing’ and my neighbor will get that access as well. It will be slow (as we are sharing one phone line) but it will exist.

Now is where it gets fun.

That neighbor can turn on his wireless router and internet sharing and let HIS neighbor get access through him.

You could do this to some depth, but after about 20 “hops” it is going to be pretty slow and a bit failure prone. Still, it WILL be “up” and with restraint (i.e. not watching videos) folks can get a lot of news and mail distributed. This, BTW, is how the Internet started but using modems instead of wireless links.

Inside each Linux and Unix box are the ‘primitive’ programs that made this go. All you need to do is turn them on again and learn how to configure your routing and your DNS. Then turn on a “web server” such as Apache and a mail server (there are several). So imagine a group of “20 deep” hops. Each home with 4 neighbors. That’s 4^20 total people… It doesn’t take long to connect a neighborhood. At about a half dozen users, your dial up will start to be painfully slow, so things like “DNS Lookups” will be better from a local Linux server, and information exchange would be better routed through a Linux “News” and “Mail” server as primarily text. I’ve had 4000 person companies run OK on a single dial up line for such basic services (prior to the ‘multi media’ age).

But once you have a few hundred folks up, they ought to be rapidly getting their own “dial up” accounts and / or finding a connection through a work site (or over a border fence …)

Router Tuning

Each route has a “hop count” and weighting. So I could configure my router (if a smart one, and Linux / Unix know how to be smart routers) to take my modem to the internet if it’s available, or try the one in the next home over if mine is off… and the one 2 homes over if that one is down too. In this way, a neighborhood becomes a ‘tapestry’ of connections with data flowing to wherever there is connectivity. One home gets taken out, the data just flows around that break to the ones that are still up.

This is a bit ‘esoteric’ so I’m not going to go into it just yet, but just ‘be advised’ that you want to find an I.T. guy to set up a routing plan for larger groups.

OK, so you have your “neighborhood” and it has some limited and sporadic connectivity to the internet. How do you connect to the next “block” over? Well, anyone on an edge could just toss a network cable over their fence and connect the two domains (with proper routing turned on at the edge between them).

For example, my “wireless box” has some plug in wired connections. An ethernet cable plugged in there, and over the fence, connects just as well as the wireless connection. Similarly, my Linux box has 2 NICs or “Network Interface Cards” in it. I could plug one into my network, the other into their network, route between them, and everyone on MY network can now talk to everyone on THEIR network. Someone would need to act as ‘network guy’ and make sure the numbering didn’t collide and that the DNS servers knew about each other (but this is a normal IT function that a lot of folks ought to already know how to do). So my DNS server can be informed that 10.2.2.xxx is “serviced by Bob’s DNS at 10.2.2.129 so just ask him” and we’re ‘good to go’.

In this way, each neighborhood domain can link up with other domains and create one large “Intranet”. Folks wanting to coordinate inside that group need not go to the intERnet to do so. This, btw, is the type of structure used inside most companies. Your “inside” stuff is on your company “intRAnet” and only the outside stuff is on the internet. Similarly, when two companies partner on things, a DMZ or “Demilitarized Zone” or sometimes even a “partner network” is set up between them. Someplace they can both reach through their routers, but where they don’t get complete access inside the other guy’s home network.
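The two-NIC Linux box from the paragraphs above, scripted: forwarding between the two neighborhoods, a route to Bob’s subnet over the fence cable, a masquerade (NAT) rule so the shared dial-up hides the private 10.x numbering, and a caching dnsmasq config that hands Bob’s names and his 10.2.2.x reverse lookups to his DNS at 10.2.2.129. This is an added example, not the post’s own configuration; interface names, the bob.lan zone name and the outside resolver address are assumptions, and it assumes a Linux router with iproute2, iptables and dnsmasq installed.

```shell
#!/bin/sh
# Boundary router between two neighborhood networks, plus a shared dial-up.
# Added example, not from the original post. Interface names, zone name and
# the outside resolver are assumptions; edit them for your own setup.

OUR_IF="${OUR_IF:-eth0}"                  # NIC on our neighborhood network (assumed name)
OUR_NET="${OUR_NET:-10.1.1.0/24}"
THEIR_IF="${THEIR_IF:-eth1}"              # NIC with the cable tossed over the fence (assumed name)
THEIR_NET="${THEIR_NET:-10.2.2.0/24}"
THEIR_GW="${THEIR_GW:-10.2.2.1}"          # Bob's router at the far end of the cable (assumed)
THEIR_DNS="${THEIR_DNS:-10.2.2.129}"      # Bob's DNS, as in the post
THEIR_ZONE="${THEIR_ZONE:-bob.lan}"       # name for Bob's domain (assumed)
DIALUP_IF="${DIALUP_IF:-ppp0}"            # the modem link to a foreign ISP
OUTSIDE_DNS="${OUTSIDE_DNS:-198.51.100.53}" # resolver reached over the modem (placeholder)
DNSMASQ_CONF="${DNSMASQ_CONF:-/etc/dnsmasq.d/ersatz.conf}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or only print it when DRY_RUN=1 so the plan can be reviewed.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# 1. Let the kernel forward packets between the two NICs and the modem.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# 2. Bob's subnet lives behind the fence cable. Drop anything arriving from
#    his side that claims one of OUR addresses, then allow traffic both ways.
add_routes() {
    run ip route add "$THEIR_NET" via "$THEIR_GW" dev "$THEIR_IF"
    run iptables -A FORWARD -i "$THEIR_IF" -s "$OUR_NET" -j DROP
    run iptables -A FORWARD -i "$OUR_IF" -o "$THEIR_IF" -j ACCEPT
    run iptables -A FORWARD -i "$THEIR_IF" -o "$OUR_IF" -j ACCEPT
}

# 3. Share the dial-up: masquerade everything leaving via the modem (the ISP
#    sees one address) and only let replies to those sessions come back in.
share_dialup() {
    run iptables -t nat -A POSTROUTING -o "$DIALUP_IF" -j MASQUERADE
    run iptables -A FORWARD -o "$DIALUP_IF" -j ACCEPT
    run iptables -A FORWARD -i "$DIALUP_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$DIALUP_IF" -j DROP
}

# 4. Turn "10.2.2.0/24" into the reverse-lookup zone "2.2.10.in-addr.arpa".
#    Assumes a /24, which is what the post's numbering uses.
reverse_zone() {
    net=${1%/*}
    a=$(echo "$net" | cut -d. -f1)
    b=$(echo "$net" | cut -d. -f2)
    c=$(echo "$net" | cut -d. -f3)
    echo "$c.$b.$a.in-addr.arpa"
}

# 5. Caching DNS for our side that delegates Bob's names and his reverse zone
#    to Bob's server; everything else goes to the outside resolver.
dnsmasq_config() {
    cat <<EOF
# generated by the ersatz router script
listen-address=127.0.0.1
interface=$OUR_IF
bind-interfaces
cache-size=10000
server=/$THEIR_ZONE/$THEIR_DNS
server=/$(reverse_zone "$THEIR_NET")/$THEIR_DNS
server=$OUTSIDE_DNS
EOF
}

main() {
    enable_forwarding
    add_routes
    share_dialup
    dnsmasq_config > "$DNSMASQ_CONF"
}

# Apply only when explicitly asked; use DRY_RUN=1 first to see the plan.
if [ "${ERSATZ_ROUTER_RUN:-0}" = "1" ]; then
    main
fi
```

Bob runs the mirror image on his box (his DNS delegating our zone to ours), which is the “DNS servers knew about each other” step.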

At this point, you have your neighborhood network, some limited Internet via modems and anyone with a satellite connection, and you have some connections to similar other groups around the margin. IF any of them gets a line to a corporate “Leased line” or can get a wireless link over the border, you all get more access and more data can flow (with updates to DNS and router tables…)

Honorable Mention

Ham Radio operators originated the cell phone (called ‘packet radio’) technology. They can still send data over radio links. If any of the folks in the intranet has this setup, they can provide that connectivity to the group.

Dialup can happen ‘house to house’. You don’t need to have a modem to an ISP, nor a wireless to your neighbor, nor a wire tossed over the fence. You could have a modem on your computer call a modem on another person’s private machine elsewhere (in another city or even another country) in what is called a ‘peer to peer’ connection. So even if all the ISP dial up numbers get “blocked” at the telephone company, unless they want to block ALL outgoing phone calls, you can call a friend at their home on their modem, then hop onto the internet out their connection. Yes, this takes some ‘setting up’ of the modem and of their computer to ‘share’ the internet access. Of particular fun here is that a FAX modem uses different tones than a DATA modem, yet most modems can talk both. So if the country blocks DATA but lets FAX flow (I’m not sure how they could do that, but if they did…) you could configure your modem and your friend’s modem to both ‘talk FAX’ and ship data… and get out on a “FAX” line…

Mirror Servers. Some key servers can be replicated inside the intranet. Take a ‘thumb drive’ or a long weekend download for the first image, then set the system to ‘mirror’ changes. Now only the ‘difference’ has to travel over that internet connection, most folks inside can use the mirror copy. Having a mirror server on a modem link to another outside server is a very good way to keep line use low while providing a lot more service fast internally.

In Review

It’s very helpful to have a couple of modems and an ISP account with global access.

Set up your own internal servers for DNS ( “caching DNS server”), email, and FTP (File Transfer Protocol).

Set up your own internal network with a private IP number (such as 10.x.x.x or 192.168.x.x) and then extend it toward the edges. When you encounter another group, put in a boundary router between you. (Possibly using “NAT” or Network Address Translation to cure any numbering conflicts).

Exploit any other existing connection options (satellite, wireless over borders, packet radio, wire over a fence, heck I even sent 9600 baud through my old Startac cell phone telephone with a special cable…) to add redundant connections.

Get a good book on Linux and a good book on network routing (or a good friend who’s good at it…)

Learn to configure and use Linux (or if you really must, a lot of this can be done with Windows if you have a release with the tools in it, like the ‘server’ editions).

What we are doing here is basically ‘building an intranet’ and a google search on that term will yield many useful guides. Then we’re gluing on any ersatz ISP connection we can get via whatever connectivity still exists, be it modem or wireless or whatever. An example of google results would be these class notes:

http://www.dhark.com/intranet.html

There are even “for dummies” books on how to do it:

http://www.amazon.com/Building-Intranet-Dummies-John-Fronckowiak/dp/076450276X

So the basic approach is to build a neighborhood network, bring up some ‘intranet’ services for internal usage, connect to the ‘outside’ by any wires or wireless available, and then use caching servers / mirrors to reduce total network traffic to the outside world.

What if basic connectivity works, but sites are blocked?

This is a simple censorship issue. (Usually done via DNS and IP blocking). For that you need your own DNS server (updated from ‘outside’) and it is useful to have a ‘proxy server’ you can reach ‘outside’. If need be, you can set up a private encrypted “tunnel” to an outside helper / friend who then provides you non-filtered access to the internet. That is a bit outside the scope of this posting as it stands now, but here are some links to look at. The general technique is either to use a proxy server or set up a private encrypted tunnel. There is GNU software to do this, and the technology / protocol (called “IPSEC” or Internet Protocol Security) is built in to many routers.

http://www.stunnel.org/

There is even a wiki on it ;-)

http://en.wikipedia.org/wiki/Stunnel

So if you DO have basic connectivity, it’s just a disruption of what you can see, then there are easy ways to flow around that. If you do NOT have basic connectivity, you need to establish that (and DNS) first. Then you can layer on other levels of security and ‘tunneling’.

Some of these are semi-randomly chosen, so I don’t know how trusted any software they might offer would be…

A google search can even turn up some folks doing this as a commercial service. A reminder, these are the result of a random google search on a key phrase such as “vpn tunnel” and I have no idea if these are reputable examples or not:

http://www.personalvpn.org/

http://www.vpnaccounts.com/

And pointers to proxy servers:

http://webupon.com/services/bypassing-internet-censorship/

About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons' are the mythology of Climate Change and ancient metrology; but things change...

26 Responses to Ersatz Internet

  1. j ferguson says:

    Very good stuff E.M.
    Reminds me of my tricks to get full net access from within an office where the IT people didn’t want it to happen. Once more, a bit of invention, great persistence, and remembering what I’d already tried so as not to endlessly loop, got the job done.

    IT director walked by my desk one day, saw the forbidden screen and wanted to know how I’d done it. Guessing the proxy server’s ip address. They never changed it. It was our secret.

    Ham radio is good too. 73, AI4TO, John

  2. kuhnkat says:

    ““Never underestimate the bandwidth of a truck full of DVDs or Thumb Drives””

    Back in the day it was:

    “Never underestimate the bandwidth of a station wagon full of 9 track tapes driving down the freeway!!”

    Back then it was the largest bandwidth available!!!

  3. George says:

    This is a subject I know a little about as it is my profession. There is a LOT that could be done and actually, I am a bit loath to go into too much detail as it is actually very easy for the “bad guys” to use these techniques to create a “black net” that can go pretty much undetected.

    The first thing one might want to do is define which services might be considered “critical”. General web browsing might not be one of those but email might be.

    “Back in the day” when the internet was just getting started, there was a network in the South Bay that consisted mostly of people with Linux boxes running Taylor UUCP and the Exim (or Sendmail) mail transport program. They created their own domain (which still exists today as a community access wireless network) of sbay.org and each home was given a subdomain within sbay.org. So maybe your domain might be “fred.sbay.org” and the users in your household might be something like “billy@fred.sbay.org”.

    UUCP was used to move mail, hop by hop, until it got to a house with internet access where it was sent out. Designated mail servers (MX hosts) were set up to receive mail for sbay.org domains and then forward it, hop by hop, over the dialup UUCP network to its destination.

    You could think of UUCP in this context as POP3 for an entire domain. This is how the San Jose Tech Museum received their email for a while when it was first getting started.

    I believe Taylor UUCP is still shipping with the Ubuntu linux distribution. Using UUCP maps, one can use a program called “pathalias” to create a connectivity map that creates a “next hop” map for your mailer to use. Note that UUCP works over dialup or over TCP/IP so you might connect to some sites over internet and other sites over just UUCP via telephone.

    As for TCP/IP networks, you can go down to Weird Stuff in Sunnyvale and pick up an older switch for little money. So now you start connecting houses on your block into this switch, assign them all IP addresses out of private IP space. Let’s say you have taken the time to create your own internet domain and have somewhere in its DNS files both an offshore secondary DNS server and an offshore MX host to collect email. You can give your neighbors subdomains of your domain and they can give their computers names out of your subdomain. As long as you have some way of getting your DNS zone to your DNS server, you are golden.

    Now let’s say you have that leased line at work. Maybe it is a dedicated point-to-point link to a branch office in Latin America or Europe. If you can dial up to a modem at work, maybe you can work out some Internet access or maybe your employer has set up a DSL circuit directly into your home for use as a telecommuter. All the better.

    Now you need something like Quagga running a routing protocol and a “tunnel”, say a GRE tunnel from your Quagga box to your router in that foreign country. Run the whole thing through something like CIPE or TINC to encrypt the communications. Now you can “collect” whatever routes your office has in Europe. Others might be able to do the same and you can set up routing sessions with them and you also exchange routes to get an even broader view of the Internet. Places to which you have a better view collect traffic for those destinations and places that are closer to your neighbor’s view collect traffic for these destinations. Pretty soon you are putting an internet back together.

    You could take things even further and create your own “black net” by creating your own top level domain (say .ChuckNorris instead of .com and .net), create your own “root” servers, duplicate the entire Internet numbering space and tunneling that traffic over the existing internet. You have an Internet inside the Internet. Encrypt all the tunnel traffic and it is pretty secure. Delete the “startup” configuration on your routers and should they be shut down for any reason, they come back up “blank” with no config and put the entire thing on an encrypted filesystem.

    There are kernel-based encryption schemes that encrypt everything, including the filesystem metadata so you can’t even tell there is a filesystem even on the media without the key. The drive doesn’t even look to be formatted.

    There is a LOT that could be done. It requires some planning and some forethought, though.

  4. George says:

    Also note that wireless “point to point” nodes can be had for very little money that can shoot a signal 20km. Then you can begin bridging together the neighborhood networks.

    For example, a Ubiquiti Nanobridge M5 will shoot 150 Megabits/sec for 20km for under $100 at each end.

    http://www.ubnt.com/nanobridge

  5. P.G. Sharrow says:

    To all; interesting gadget that my son just brought to my attention:

    http://www.engadget.com/2011/02/03/dreamplug-is-the-low-powered-lilliputian-pc-for-people-with-rea/

    might fit in with this thread. pg

  6. E.M.Smith says:

    @P.G.Sharrow:

    Now I want one! I’m thinking Linux server… that I could plug into my ‘car 12vdc inverter’ adapter as an ‘emergency compute infrastructure node’… With built in DNS, news, mail, uucp, ftp, etc servers prebuilt on a usb drive… Whole thing would fit in a gallon baggy in the “go box”…

    @George:

    Hadn’t seen those Nanobridge guys. Neat!

    Per “black hats”, they already know how to do this stuff…

    FWIW, I’ve got 3 or 4 switches knocking around the closet, along with a router or two. I’ve got to think that in any country with internet, there are some number of ‘local geeks’ too.

    (FWIW, to me GEEK and NERD are almost the same, with nerd having only a lower level of social skills. No idea if that matches the book definitions.)

    The extreme stuff, like TCFS

    http://www.linuxjournal.com/article/2174

    are useful for hiding stuff if the Jackboots come. I was more looking at how folks in a neighborhood could “bring up a neighbor net” in spite of the govt, and then get some outside connections. But yeah, right after that you need ‘plausible deniability’…

    FWIW, I like a CD or bootable business card with a Knoppix on it…

    http://www.knoppix.net/

    You stick the CD in, boot, you have a pretty full function Linux. Configure from a thumb drive and go. Somebody starts being a problem, eject the CD, bend to break, and hit power off. Nothing left.

    So in a true Police State for ongoing purposes, you would want to have a prototypical pre-built infrastructure CD set that you could “deal into some PCs” and bring up anywhere any time, and just as quickly evaporate…

    But the first step is just getting the connectivity.

    For that, pre-buying some wireless and modem gear can work wonders, and having some downloaded Unix / Linux software really helps. After that, it’s mostly up to viral spread and rate of education processes….

    Oh, and if you have ANY connectivity, and help on the “outside” you can get black nets and tunnels running… fully encrypted the whole way.

    http://alumnit.ca/wiki/index.php?page=TunnelVisionTechInfo

    http://openmaniak.com/openvpn_tutorial.php

    and many many more…

  8. Jason Calley says:

    @ E.M., George, and P.G.

    THANK YOU.

    Jeez, guys! Bright fellows… :) I think my brain is already full. E.M., I have just ordered the Dummies book you mention, and will have to do some remedial reading of it to even understand your post. This is exactly the sort of information I was hoping you would post, and is, I think, well worth knowing regardless of any political events.

    I run Ubuntu at home, but have not dug in very deeply to it, just, “OK, that was enough to get my email and Internet up, add a few chosen applications… that’s enough!” Looks like I need to get back on the learning curve.

    Let us hope that our networking chores are all for fun and never due to dire need.

    Again, thanks, guys, for sharing some of your knowledge.

  9. Jason Calley says:

    Oh, one more thing. have you seen this: http://www.usbwifi.orconhosting.net.nz/

    The basic idea is to make a basic parabolic dish from field expedient parts, and attach a USB WiFi unit.

  10. Jason Calley says:

    Oh, regarding the parabolic dish thingy, yes, I meant to credit George with the idea. The unit he linked to is MUCH nicer, but if you need to make something similar at home, get out the wok and the WiFi.

  11. Why not making an “open system”, kind of a la Tesla style, to irradiate a free parallel internet (of course not devised by Al Gore) data stream. There in your “land of freedom” this could be possible.
    Here in South America, DSL services are mostly provided by Telefonica de España (gracious funders of the Group of Rome, as you can google it).

  12. If anyone can do it, do it!, raise you pirate flags!

  13. Jeff Alberts says:

    I have 2 ISPs (Internet Service Providers) and both provide “dial up access” as a “backup” service. So from anywhere in the world I can call their USA phone numbers and be “on the internet”.

    Assuming the rotary still works, and all the modems work (one bad modem can disable the rotary, depending on how it hunts). In this age of recessions, I would think that would be a quick and easy thing for a telecom business to not have to pay for any more.

  14. George says:

    Also, using such things as cipe or tinc you can create what amounts to a “packet switched” network and use techniques not unlike “frequency hopping” radio. Imagine there are a dozen gateway machines with a potential path to the Internet and each of these 12 have a tinc or cipe tunnel to other gateways over the net. TINC and cipe encapsulate the tcp/ip packet inside a udp packet. UDP is connectionless. Connection state is maintained end to end by the encapsulated tcp packet. So you toss packets randomly across the 12 gateway machines. One would have to intercept the traffic from all 12 of them in order to put your message back together. Or, if one of them is blocked, you get 8% packet loss but the underlying TCP session re-sends the packet and chances are that one goes out a different gateway.

    So in order to intercept the traffic you need to monitor at the actual end stations involved. If you toss the packets over more than one internet connection from the home, that means they all need to be monitored or you have to intercept it at the computer itself. It becomes exceedingly difficult and if you have thousands of people doing this, it becomes impossible.

    And to make things even more difficult, cipe does things like tosses in extra padding packets to make traffic analysis impossible. You can’t get any idea how much traffic is on the path because some of it is bogus. It sends packets even when there is nothing to send. These packets get dropped by the partner node.

    Actually, you would be surprised how little the bad guys know.

  15. George says:

    Now add to the problem the fact that each connection from the end node to each gateway has its own encryption key and those are re-keyed from time to time and that each of the gateway nodes also has separate sessions to other gateways with its own session keys that also get rekeyed over time, and it becomes a huge problem. There is no way to handle it short of trying to shut down the communications.

    Egypt handled the problem by ordering all ISPs to stop announcing their routes to non-domestic peers. This means that the rest of the world saw the routes to Egypt disappear. It isn’t clear if domestic communications could continue or not.

    There is, of course, a lot that could be done with manual static routes but anyone getting caught doing that would be in big trouble.

  16. George says:

    “Never underestimate the bandwidth of a station wagon full of 9 track tapes driving down the freeway!!”

    Actually, we discovered for one project that it was cheaper and faster to burn log data onto CDROM and mail it back to the office than it was to upgrade a particular circuit in Asia and ship the data back electronically. It got to that point when it started to take more than 24 hours to ship 24hrs worth of data.

  17. Ian W says:

    For a transmission medium that is line of sight (LOS) and can back-haul its own connectivity then WIMAX is a good protocol. Nodes in LOS can act as local distribution and also backbone a ‘network’. This is already done across wilderness areas in Africa.

  18. Jason Calley says:

    Looks like there may be a real attempt to decentralize the internet. http://www.nytimes.com/2011/02/16/nyregion/16about.html?_r=3
    Magic Eight Ball says “Ask again later!”

  19. E.M.Smith says:

    @Jason Calley:

    Very Nice!

    The “dirty little secret” of the internet is that ANYONE can be the top level control point if they so choose (and for those folks who choose to subscribe to them).

    We only have ‘central authority’ as it is convenient to us.

    And even there, that authority is largely delegated out to individual countries and from them on down to individual companies and…

    So I could simply declare the .EMSMITH domain and set up my own DNS server and IP number space and run with it. To the extent folks ‘agreed’ and pointed at my DNS server, it becomes real… To the extent “authority” attacks it on the public network, it just moves into an encrypted ‘dark net’ or onto ‘private wires’ (or wireless).

    Yeah, it can be made a PITA to “go rogue” but it can not be stopped…

    FWIW, on one occasion I worked at a large company that will be nameless. But it was a “Fortune 500” size company. They had a Tiny Little Problem… for a decade+ they had used a ‘randomly chosen’ number scheme internally. It just happened to be the number assigned to a different major corporation. Now you could consider this a kind of bastard security, in that any attempt to connect in to the private side would have routed off to the true owner of that IP space ( IIRC it was someone like IBM or HP)… and the only real ‘problem’ was that inside folks could not route to the actual owner of that IP (who they didn’t really need to visit anyway) so almost all internet traffic worked just fine… (as it went through various translations at the boundaries) BUT, it was a bit of a PITA as they wanted more internet integration. So eventually the day came when we did a grand IP renumbering to a proper IP number of our own…

    The point? For over a decade this major company basically was living as a ‘black network’. It’s not hard, and not even uncommon.

    What is going to happen now, and what that article points toward, is ever more folks realizing the potential benefits of having that ‘skill’ and the needed ‘tools’ on the shelf and ready to go. No need for someone like me to cobble it together out of old PCs and Linux…

    BTW, in my “sometimes dreams” I think about the potential of taking IP V4 and just adding another .xxx to it. Machines that knew that protocol would talk to each other (perhaps via a tunnel inside IPV4) while those that did not know it would not even realize it was there (hidden in the tunnel). In some ways an ‘ultimate black net’. This differs from using IPv6 (that also has more space in it) in that no one would own that space and most machines would not understand it. The “problem” would be that it does not route on public routers, but the “feature” is that it could be tunneled through them and would let a meta-internet be run over the internet without IP conflict (and with difficulty in detection). Never got around to doing anything with the idea, so here it is, world. Enjoy…

    Yours for a brighter black net future ;-)

    Oh, and a sidebar: You can now get gear that lets you run IP traffic over limited distances over the power lines. Think of the potential for a series of “nodes” of such network as an ersatz internet inside an oppressive country…

    Folks sharing a transformer on the power pole can communicate that way, then one of them makes a ‘wireless’ bridge to the next ‘transformer group’ over…

    Now you get to take down the whole power grid if you want to stop information sharing inside the country and if ANYONE has any kind of outside connect, you are one set of ‘mirror servers and DNS server’ away from full internet nationwide… Yeah, lower bandwidth. But “caching is your friend” ;-)
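    The “declare the .EMSMITH domain and point at my own DNS server” idea above amounts to a small UDP service that answers A queries from a zone table it controls. The following is an added example, not code from the comment author: a minimal authoritative resolver for a constructed private namespace (the names, the 10.44.0.0/16 addresses and the port 5353 are all made-up assumptions), answering NXDOMAIN for anything outside its zone so it never pretends to know the public internet.

```python
import socket
import struct

# Constructed zone for the hypothetical private ".emsmith" namespace.
# Every name and address here is invented for this example.
ZONE = {
    "wiki.emsmith": "10.44.0.10",
    "mail.emsmith": "10.44.0.25",
}

def parse_qname(msg, offset):
    """Return (dotted name, offset past the name) for an uncompressed QNAME."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def build_reply(query):
    """Answer an A query for a name in ZONE; return NXDOMAIN otherwise."""
    txid = struct.unpack("!H", query[:2])[0]
    name, end = parse_qname(query, 12)          # question starts after 12-byte header
    qtype = struct.unpack("!H", query[end:end + 2])[0]
    question = query[12:end + 4]                # QNAME + QTYPE + QCLASS, echoed back
    ip = ZONE.get(name.lower())
    if ip is not None and qtype == 1:           # type 1 = A record
        # flags 0x8580: response, authoritative answer, recursion desired/available
        header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)
        # 0xC00C is a compression pointer back to the QNAME at offset 12
        rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(ip)
        return header + question + rr
    # flags 0x8583: same as above with RCODE 3 (NXDOMAIN); zero answer records
    return struct.pack("!HHHHHH", txid, 0x8583, 1, 0, 0, 0) + question

def build_query(name, txid=0x1234):
    """Build a standard recursion-desired A query (used for local testing)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def serve(bind="127.0.0.1", port=5353):
    """Loop answering queries; clients point their resolver at bind:port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        sock.sendto(build_reply(data), peer)

if __name__ == "__main__":
    serve()
```

Anyone who points a resolver at this server gets the private names; everyone else never sees them, which is exactly the “to the extent folks agreed” property the comment describes.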

  20. George says:

    The problem with such a scenario is it would make tracking down and clobbering “bot net” infected computers nearly impossible. In a world where all computers were free of malware, sure. But that isn’t the case. You need to identify and disconnect infected systems. ISPs do this on a daily basis around the world.

  21. P.G. Sharrow says:

    The Chief Information Officer does it again. I just added that comment to my special file. Thank you. pg

  22. Jason Calley says:

    @E.M. “You can now get gear that lets you run IP traffic over limited distances over the power lines. Think of the potential for a series of “nodes” of such network as an ersatz internet inside an oppressive country… ”

    Brilliant…

    I actually maintained a refrigeration monitoring system a couple of decades back that sent all the data over the on site power wiring. I guess I just never put two plus two together and realized that that could be applied to internet data.

    You berry bright guy, Mr. Chiefio.

  23. George says:

    Another reason to have a backup plan:

    http://www.boingboing.net/2011/02/17/dhs-erroneously-seiz.html

    I just don’t have the words.

  24. E.M.Smith says:

    @George:

    Well. That’s certainly a big fat belly flop by the Feds…

    Wonder if they have immunity from Libel and Slander suit?

    FWIW, I typically have relationships with 3 ISPs at a time, all of which have dial-up available should I need it…

  25. Jason Calley says:

    Why shut down the entire Internet when you can target known troublemakers?
    http://www.wendymcelroy.com/news.php?extend.3787
    After years of running various Windows systems and not having any substantial virus problems, I was hammered three times within a half year or so. I recommend Linux.

  26. E.M.Smith says:

    @Jason Calley:

    FWIW, I have a Windoz box I use for “uninteresting day to day” stuff. Then I have a Mac I use for the more interesting stuff (as it is harder to hack “out of the box”).

    Then, for very interesting stuff, I have a variety of Unix / Linux tools. One of my favorites is a Knoppix CD. Stick it in a box and boot. Now your “wares” guy gets to try to update / hack a write protected CD-ROM….

    Oh, and everything is always done behind at least one and sometimes 2 layers of NAT. I also have 2 “blinky lights” in front of me. Disk activity and Network Activity. If anything is happening that seems out of the ordinary, I shutdown and evaluate / scrub / …. (Oh, and I turn off every auto-update auto-check auto-whatever thing possible.)

    But to the point of that article:

    Yup, it happens. How do I know? I’ve been on a government paid project to scan sites for vulnerabilities. In theory it was scanning THEIR site, so legal, but some of the responses it triggered didn’t look like ‘them’… The guys running the op were law enforcement related, so it was legit, but still….

    Back on my stuff:

    Why run Windoz at all? Well, first off, because a lot of stuff is only available for it or is a PITA to get running on other platforms. So I run that stuff on it. (And have an autobackup that runs from time to time ONLY when I plug in the media… so I can monitor / avoid contagion). But the second reason is the more important:

    Honeypot.

    IF or WHEN some “crap” gets through the defenses, it hits the ‘easy box’ first and the one with ‘not much of interest’ on it. That box will show symptoms first (perhaps just via blinky lights when there ought not to be any…) and that lets me keep the “good stuff” much safer.

    More than once having a Honeypot has turned up hacking attempts before they could figure out where the good stuff was hiding… (BTW, the “good stuff” boxes are typically left powered down unless needed. Hard to beat ‘no power – no network’… Air Gap security is your friend…)

    Sidebar on Linux:

    Yes, it CAN be much more secure. But it isn’t ‘out of the box’ for many releases. Better now, but…. About a decade ago I was bringing up a Linux box for a friend. We got it running and got networking going and got his cable modem running and … it was late, we were tired, so left it to run overnight and hit the sack. Next morning… The box was running like CRAZY with blinky lights on the network box going BURST BURST BURST pause BURST BURST…

    A quick check of the box showed that in the 8 hours or so it had “existed” it had already been scanned by someone with automated tools / wares; taken over, and turned into an attack droid… We downed the box, scrubbed it, and started over…

    The only error made was to think that as a new bring up it was OK to sit for a couple of hours. Security by obscurity fails in the face of automated IP scanners…

    Oh, and FWIW, I have a collection of USB drives. Various things live on various ones. They are substantially always left unplugged (unless I need what’s on them). If a box “goes down” the data doesn’t go with it… If a box is hacked, they get the MS OS and Software and whatever junk I’ve looked at lately on the web. For most of the drives, they are used when the host is unconnected from the network… Love that Air Gap…

    No, I’m not paranoid. I’ve been employed in security…

Comments are closed.