• Emotet@slrpnk.net
    link
    fedilink
    English
    arrow-up
    6
    ·
    2 months ago

    Sounds interesting, got any links for further reading on that?

    I can’t quite connect the dots between wifi/internet traffic spikes when IRC is so light on traffic that it’s basically background noise and war driving.

    • barsoap@lemm.ee
      link
      fedilink
      English
      arrow-up
      7
      ·
      2 months ago

      When you send a message, that usually fits into an IP packet. That gets completely encrypted by the wifi, but you know that a data packet approximately that size has been sent at exactly that time. Simultaneously, you watch the IRC channel and see when messages are arriving from your suspect, or someone else types a message and that should correlate with another encrypted wifi package.

      The mistake was a) using wifi, exposing the data in the first place and b) not torrenting while you’re chatting. That would’ve obscured the time correlations.

      • Emotet@slrpnk.net
        link
        fedilink
        English
        arrow-up
        3
        ·
        2 months ago

        I have an understanding of the underlying concepts. I’m mostly interested in the war driving. War driving, at least in my understanding, implies that someone, a state agency in this case, physically went to the very specific location of the suspect, penetrated their (wireless) network and therefore executed a successful traffic correlation attack.

        I’m interested in how they got their suspects narrowed down that drastically in the first place. Traffic correlation attacks, at least in my experience, usually happen in a WAN context, not LAN, for example with the help of ISPs.

        • barsoap@lemm.ee
          link
          fedilink
          English
          arrow-up
          4
          ·
          2 months ago

          I’m interested in how they got their suspects narrowed down that drastically in the first place.

          They listened in on the chat he was in and could glean from chatter that he lived in a particular municipality or something, rough area. Stuff like, dunno, complain that the supermarket is closed because they had a water leak or something and pin-pointing that. The rest was driving around and see if anything correlates roughly, then park there long enough to make that correlation court-proof.

      • AugustWest@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        2 months ago

        Laymen with no understanding here. Obviously there were other mistakes, all of which make sense to me on a rudimentary level, but the first mistake you listed was him using wifi? What is the more secure alternative? Or do you just mean sending data directly over a true wifi connection and not using TOR or another medium?

        • barsoap@lemm.ee
          link
          fedilink
          English
          arrow-up
          4
          ·
          2 months ago

          Had he used an ethernet connection, that is, a cable, he would not have broadcasted his traffic to the neighbourhood and police would have needed much more of a clue where he lives (not just “this general area”) and also a search warrant.

          What’s particularly remarkable is that not having wifi at all at home, or only for their phone, is quite common among IT professionals: It’s faster, less prone to interference, and in case you mess up some encryption stuff at least you’re not broadcasting everything into the whole neighbourhood. All around the better option no paranoia required. But then you have an actual black hat, the type of people who tend to not just wear tinfoil hats but tinfoil underwear, make such a basic OPSEC mistake.