[118837] in Cypherpunks


Re: Unplugged! The biggest hack in history

daemon@ATHENA.MIT.EDU (Dave Emery)
Fri Oct 8 21:23:42 1999

Date: Fri, 8 Oct 1999 21:03:20 -0400
From: Dave Emery <die@die.com>
To: Hal Lockhart <Hal.Lockhart@storagenetworks.com>
Cc: "'cypherpunks-unedited@toad.com'" <cypherpunks-unedited@toad.com>,
        "'pgut001@cs.auckland.ac.nz'" <pgut001@cs.auckland.ac.nz>
Message-ID: <19991008210320.A4626@die.com>
Mail-Followup-To: Hal Lockhart <Hal.Lockhart@storagenetworks.com>,
	"'cypherpunks-unedited@toad.com'" <cypherpunks-unedited@toad.com>,
	"'pgut001@cs.auckland.ac.nz'" <pgut001@cs.auckland.ac.nz>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <9D8B3C643D2AD311BC8D00508B120BA40F5B9A@mahqexc01.storagenetworks.com>; from Hal Lockhart on Fri, Oct 08, 1999 at 04:52:32PM -0400
Reply-To: Dave Emery <die@die.com>

On Fri, Oct 08, 1999 at 04:52:32PM -0400, Hal Lockhart wrote:

> 
> I looked into this seriously last year and there is a much simpler (and
> cheaper) way of doing this. Assuming access to the wire, you just bridge it
> instead of tapping it.
> 
> All you need is a laptop with two modems in it and some hardware to bridge
> the analog initial handshake (DTMF tones, carrier squeal, etc.). You just
> play man in the middle and read the digital data stream directly. Estimated
> price <$10K.
> 
> I can't claim credit for this idea, but I don't have ready access to my
> archives to say who suggested the idea to me.
> 
	This is readily detectable by looking at the connection information
the modem maintains and looking at the ping time over the connection.
The modem computes a round trip delay estimate for the connection
and for many brands this is available in a status message accessible
by the right AT command.   Surely if you are connecting to Boston from
SF, you don't expect the modem round trip delay to be 2 ms...  Also the 
demodulation and remodulation process adds almost 100 ms to the ICMP ping
time through the connection for most modems, so if the ping time is
abnormally long (almost twice the usual) you know something is fishy.
And finally, the V.90 speeds above 33.6 are based on an asymmetrical connection
in which the ISP end has direct access to the 8 bit u-law PCM samples
going in both directions - a normal client type modem cannot connect
in V.90 server mode so all connections completed through such a
man in the middle wiretap would be less than 33.6.

-- 
	Dave Emery N1PRE,  die@die.com  DIE Consulting, Weston, Mass. 
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2  5D 27 BD B0 24 88 C3 18
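The three indicators Emery lists (a modem-reported round-trip delay too short for the distance, a ping time inflated by the extra demodulate/remodulate hop, and a fallback from V.90 to a symmetric rate at or below 33.6 kbit/s) can be folded into one link-health check. The following is an added example, not code from the original message or from any modem vendor; the reading fields, the propagation speed, the thresholds and the sample sessions are all constructed assumptions.

```python
"""Heuristics for spotting a bridged (modem-to-modem man in the middle)
dial-up link from the modem's own status data and an ICMP ping.

Added example; field names, thresholds and sample readings are constructed
and do not correspond to any specific modem's AT status output."""

from dataclasses import dataclass
from typing import List

# Assumption: signal propagation through the telephone plant is roughly
# 2/3 of c, about 200 000 km/s. Only used for a physical lower bound on RTD.
PROPAGATION_KM_PER_MS = 200.0

# Assumptions: "almost twice the usual" ping time is taken as a 1.7x ratio,
# and 33 600 bit/s is the ceiling of a symmetric (non-V.90) connection.
PING_INFLATION_RATIO = 1.7
SYMMETRIC_MAX_BPS = 33_600


@dataclass
class ModemReading:
    """One snapshot of a dial-up session (constructed sample data)."""
    reported_rtd_ms: float      # round-trip delay estimate from modem status
    ping_rtt_ms: float          # measured ICMP round trip across the link
    baseline_ping_ms: float     # ping seen on the same route in past sessions
    negotiated_bps: int         # DCE rate the modems settled on
    v90_expected: bool          # does the far end normally answer in V.90?
    distance_km: float          # distance to the far end


def min_physical_rtd_ms(distance_km: float) -> float:
    """Lower bound on round-trip delay: twice the one-way propagation time."""
    return 2.0 * distance_km / PROPAGATION_KM_PER_MS


def assess(reading: ModemReading) -> List[str]:
    """Return a list of anomaly flags; an empty list means nothing looks off."""
    flags = []

    # 1. Reported RTD shorter than the distance allows: the modem is
    #    negotiating with something much nearer than the claimed far end.
    floor = min_physical_rtd_ms(reading.distance_km)
    if reading.reported_rtd_ms < floor:
        flags.append(
            f"rtd_below_physical_floor "
            f"({reading.reported_rtd_ms:.1f} ms < {floor:.1f} ms)")

    # 2. Ping time inflated by an extra demodulate/remodulate stage.
    if reading.ping_rtt_ms >= PING_INFLATION_RATIO * reading.baseline_ping_ms:
        flags.append(
            f"ping_inflated ({reading.ping_rtt_ms:.0f} ms vs baseline "
            f"{reading.baseline_ping_ms:.0f} ms)")

    # 3. A V.90-capable far end answering only at a symmetric rate.
    if reading.v90_expected and reading.negotiated_bps <= SYMMETRIC_MAX_BPS:
        flags.append(f"v90_downgrade ({reading.negotiated_bps} bps)")

    return flags


# Constructed sessions: a normal SF-to-Boston call and one that shows all
# three symptoms of a bridge in the path.
NORMAL = ModemReading(reported_rtd_ms=60, ping_rtt_ms=180, baseline_ping_ms=170,
                      negotiated_bps=48_000, v90_expected=True, distance_km=4300)
SUSPECT = ModemReading(reported_rtd_ms=2, ping_rtt_ms=300, baseline_ping_ms=170,
                       negotiated_bps=31_200, v90_expected=True, distance_km=4300)

if __name__ == "__main__":
    for name, reading in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, assess(reading) or ["ok"])
```

Each check is deliberately independent: a local call defeats the distance bound, and a far end that never offered V.90 defeats the rate check, so the ping-inflation comparison against a recorded baseline is the one indicator that survives in every topology.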
