SniffJoke is a software you run on your computer that injects randomly generated traffic into your normal traffic. It does not affect the normal communication or the content exchanged with a remote host, but it has a noisy effect on the operation of a third element eavesdropping on your conversation (be it a sniffer, a passive interceptor or a Chinese trojan). The data it injects makes the reconstruction of TCP streams very arduous (e.g. in Wireshark or Xplico). As with any concealment technique, an expert professional can understand the general flow of the transaction by reading one packet at a time, but this analysis cannot be automated, so: if they're after you they will get you, but with this software you can consider yourself safe against mass-targeted attacks. Usually it is also enough to use minority software, because general-range attacks are targeted against the most used browser, the most used content portal and the most common operating system, maximizing the effort/gain ratio.
The previous distinction is necessary because any new defense system has to be proportional to the kind of threat expected.
Online attacks, whether active (the attacker modifies something related to your software, your behaviour or your information) or passive (the attacker has access to something that gives him leverage), have to be divided into two important kinds: attacks targeting in the large and attacks targeting a single host or person.
If you aim to protect yourself against massive and generalized sniffing, SniffJoke is the tool for you; if you mean to defend yourself from interceptions tailored to you, any automated tool, SniffJoke included, has little or no value.
SniffJoke and the ever growing technological misinformation
Wiretapping and censorship in order to secure a network are nothing but an urban myth, a tale for kids. The only effective tool is a trojan, which is the detective's equivalent of a bug. Therefore, using a sniffer should give the tech-unsavvy (or those who watch too many Hollywood movies) the sensation that we are talking about wiretapping.
The main difference between a telephone and a computer lies in the latter being based upon open technologies. If before the Internet information was acquired and sent using networks and devices distributed by the state, and by the state only, now anyone who has the skill can modify this information medium.
This freedom led to the exponential diffusion of the Internet, while on the other hand it rendered all the usual control systems obsolete and useless.
Since non-wiretappable and uncensorable communication methods can be created, these forms of control cannot hold back those willing to break them.
Moreover, many of these forms of control (and therefore of attack) are the same ones used by those who harm human rights such as privacy, anonymity and freedom of opinion; therefore there will be no room to avoid digital self-defence as proposed by initiatives like Surveillance Self-Defense.
For this reason, the widespread adoption of tools for pseudo-legal use, in order to allow wiretapping and censorship, does not deter criminals, but only poses a threat to the unaware citizen. Not knowing that he should defend himself, he is the only designated victim left.
The interesting point is that the debate around security and wiretapping of the Internet never touches on elementary technical aspects; it always revolves around the ever eroding and declining laws and restrictions. A 19-year-old undergraduate with a little background can assemble an effective censorship and wiretapping countermeasure, so if the laws and methods usually deployed by those willing to control the Internet are so easily circumvented, there is no way they are as useful and effective as they want us to believe. The crime-deterrent effect, moreover, is completely nullified, as a criminal can just ask the aforementioned guy to produce software suiting his needs, or he can download a copy of one of the many free programs on the Internet doing the same thing. SniffJoke was made to remind us that the Internet was created to let two entities communicate, not to let a third spy on their conversation. That's how it is; I can do nothing about this.
This software is also made to remind everyone that the current models of defense, prevention and detection are no longer up to date. A network that is globally distributed and based on open technologies has a different set of rules; laws and regulations have to adapt and accept it. Not believing in change means harming law enforcement agents and citizens. This element of change is so hard to accept that usually those observing the phenomenon try to adapt the old schemes to it, but fail miserably. I'm sorry, there are no references and citations; it's a new thing: welcome to it.
SniffJoke protects against passive packet analysis and stream reconstruction by exploiting the flaws and shortcomings of wiretapping techniques that are based upon some assumptions about the type of communication. A wiretapping method, by contrast, cannot match the completeness of the TCP/IP stack found in modern operating systems, which is always able to determine what to discard and what to accept based on the actual state of the communication.
Thanks to Gianluca Costa, who produced two comparative images showing how a sniffed Google page appears with and without SniffJoke protecting the communication, and thanks to Andrea Lusuardi for the translation of this page.
Therefore, as everything is better with images, this is the internet to SniffJoke:
FAQ:
- SniffJoke makes following the TCP stream harder but not impossible. On the other hand, an analyst has to read ALL your data almost one packet at a time, by hand. Someone so masochistic must be after a great prize, or he/she won't have a reason to harm himself so much :)
- Usually, the closer the sniffer is to the victim, the more CPU time it will have to dedicate to the task. This can be true, but there are some verifiable conditions that cannot be worked around even under the most accurate analysis (well, there are, but they are not yet implemented in version 0.3, as they are not ready yet).
- A too literal interpretation of what was meant to be humility: "These attacks will work for months, years tops, but will be patched". Be careful with what you mean by patch: it is not about detecting SniffJoke's signature in ongoing network traffic, as one could be tempted to do. The signature cannot be identified because SniffJoke attacks are based on probabilistic shares. We can have high rates of random packets injected before the 10th packet is out, then we can wait a little, and then more again, and so on. The same hack can sometimes generate one signature and sometimes a completely different one. TCP and IP options are used seamlessly on both real and injected traffic. For example, all legitimate packets are sent with the minimum TTL plus a random addition between 0 and 2, but sometimes a packet with a shorter TTL is sent so that it expires earlier. The author would also like to thank those who, thinking they are doing their best, filter out all ICMP requests, making the anomaly generated by SniffJoke even harder to spot.
- Usually, we think that an attacker is after your password, which SniffJoke cannot hide. If the data streams are not reassembled, there is no way the password can be extracted. Also, it is usually the information that we use and look for that describes us best, dear totally profiled complicated-password user :P
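To make the stack-completeness argument above and the TTL trick in this FAQ concrete, here is an added simulation (written for this page, not SniffJoke's own code). The hop counts, the 8-byte segmenting, the junk-first ordering and the request bytes are all constructed assumptions; the point is that a first-seen-wins reassembler and the real endpoint disagree, and that the expiring segments are exactly the anomaly an analyst could count if the corresponding ICMP were not filtered.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    ttl: int        # IP TTL as the packet left the sender
    payload: bytes

# Constructed topology (assumption): routers between the sender and each observer.
ROUTERS_TO_SNIFFER = 2   # a sniffer close to the victim, as the FAQ discusses
ROUTERS_TO_SERVER = 6    # the real peer, further away

def reaches(seg: Segment, routers: int) -> bool:
    """Routers decrement TTL and drop at 0: a segment passes `routers` routers only if ttl > routers."""
    return seg.ttl > routers

def build_stream(rng: random.Random) -> list[Segment]:
    """Constructed sample: the real request in 8-byte chunks (TTL = minimum that
    reaches the server + random 0..2, as the page says) interleaved with junk at
    the same offsets whose TTL expires before the server."""
    real = b"GET /search?q=private HTTP/1.1\r\n"
    min_ttl = ROUTERS_TO_SERVER + 1
    segs = []
    for off in range(0, len(real), 8):
        chunk = real[off:off + 8]
        # junk goes out first, so a first-seen-wins reassembler latches onto it
        segs.append(Segment(off, ROUTERS_TO_SNIFFER + 1, rng.randbytes(len(chunk))))
        segs.append(Segment(off, min_ttl + rng.randint(0, 2), chunk))
    return segs

def sample_stream() -> list[Segment]:
    return build_stream(random.Random(7))   # fixed seed keeps the sample reproducible

def naive_reassemble(segs: list[Segment]) -> bytes:
    """Stateless sniffer behaviour: the first segment seen for an offset wins."""
    seen: dict[int, bytes] = {}
    for s in segs:
        seen.setdefault(s.seq, s.payload)
    return b"".join(seen[k] for k in sorted(seen))

def endpoint_reassemble(segs: list[Segment], routers: int) -> bytes:
    """What the real peer accepts: segments that never arrive cannot be used."""
    return naive_reassemble([s for s in segs if reaches(s, routers)])

def expiring_segments(segs: list[Segment], routers_to_peer: int) -> int:
    """Analyst's detection signal: captured segments that cannot reach the peer.
    Each would draw an ICMP Time Exceeded from a router, which filtering ICMP hides."""
    return sum(1 for s in segs if not reaches(s, routers_to_peer))
```

Run `endpoint_reassemble(sample_stream(), ROUTERS_TO_SERVER)` next to `naive_reassemble(sample_stream())` to see the clean request on one side and junk on the other.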
Digg: http://digg.com/security/SniffJoke_0_3_capabilities_and_focus
Packetstorm: http://www.packetstormsecurity.nl/filedesc/sniffjoke-0.3.zip.html
