Surveillance or Security?: The Risks Posed by New Wiretapping Technologies

Authors: Susan Landau
NSA technical director Brian
Snow9 put it at a scientific meeting in 2007, "[With the Internet] there's
malice out there trying to get you. When you build a refrigerator, you have
to worry about random power surges. The problem is that [Internet] projects are designed assuming random malice rather than targeted attacks."10
    Security was simply not viewed as a serious problem for the new communications systems. No one anticipated needing to protect the network
against its users, and so no explicit mechanisms were built in to protect
the network. After all, attacks had never been a serious problem on the
telephone network. The fact that this did not carry over to the new
network was because of the differences I have discussed in the two communication networks, but this was not considered at the time.
    Essentially the only devices that could be connected to the PSTN were
telephones. Because telephones are not multipurpose devices and cannot
be programmed to do other tasks, the only serious network attacks the
phone network suffered were "blue box" attacks: users, or devices, whistled
in the phone receiver at the correct frequency,11 tricking the network into
providing free long-distance calls.12 Signaling System 6 thwarts this through "out-of-band" signaling, in which the call-signaling information is transmitted through a different channel than the voice communication.

    In contrast with telephones, computers are "smart" devices capable of
being programmed to do many interesting things. That tremendous benefit
can, however, be a problem when this malleability is turned against the
network itself. This was not something that the ARPANET designers
considered.
    The PSTN designers opted to handle the problem that systems for data
transfer, whether human speech or file transfer over an electronic network,
are unreliable13 by building a system out of highly reliable components.
Early Internet architects went in the other direction and opted for reliability achieved through redundancy. TCP/IP assumes an unreliable data
delivery mechanism, IP, and then uses a reliable delivery mechanism, TCP,
on top of it. TCP has various mechanisms to ensure this reliability, including congestion control, managing the order of packets received to ensure
none are missed, and opening the connection in the first place. The latter
is worth discussing in some detail.
    There is a handshake between the two connecting machines establishing their communication; there are messages that flow back and forth
establishing that packets have been received; and the two machines
measure the time elapsed between such acknowledgments, resending if
there has not been a timely response.
    Suppose user Alice wants to view an article from Scientific American on
how magic fools the human brain.14 Her machine, the client, makes a
request to the computer hosting the Scientific American web page stating it
wants to establish a connection (figure 3.1). This is the synchronization
message, or SYN. The Scientific American server then responds with a synchronization acknowledgment: SYN ACK. If all is working correctly, Alice's
machine replies with an acknowledgment of its own, ACK, and the connection is established. The server downloads the Scientific American home
page onto Alice's client. The Scientific American home page contains more
information, and this step is actually a sequence of many small steps: a
large number of packets have to flow across the network from the Scientific
American server to Alice's machine.
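
The handshake and acknowledgment timers described above, as an added example that is not part of the book: a Python simulation in which a constructed `LossyLink` class stands in for unreliable IP and a missing reply stands in for an expired timer. The class and function names, the sequence numbers and the drop pattern are assumptions chosen for illustration.

```python
class LossyLink:
    """Stands in for IP: best-effort delivery that may silently lose a segment."""
    def __init__(self, drop):
        self.drop = set(drop)      # constructed: 1-based transmission numbers to lose
        self.count = 0
        self.log = []

    def send(self, segment):
        self.count += 1
        lost = self.count in self.drop
        self.log.append((segment[0], "lost" if lost else "ok"))
        return None if lost else segment


def exchange(link, segment, responder, max_tries=5):
    """Send, then wait for the reply; no reply means the timer expired, so resend."""
    for attempt in range(1, max_tries + 1):
        arrived = link.send(segment)
        reply = link.send(responder(arrived)) if arrived else None
        if reply:
            return reply, attempt
    raise TimeoutError("peer unreachable after %d tries" % max_tries)


def handshake(link, client_isn=100, server_isn=900):
    """SYN -> SYN-ACK -> ACK; returns how many SYNs the client had to send."""
    syn_ack, tries = exchange(link, ("SYN", client_isn, None),
                              lambda syn: ("SYN-ACK", server_isn, syn[1] + 1))
    if syn_ack[2] != client_isn + 1:
        raise ConnectionError("SYN-ACK does not acknowledge our SYN")
    # Final ACK is not retried here; a real server would resend its SYN-ACK.
    link.send(("ACK", client_isn + 1, syn_ack[1] + 1))
    return tries


def download(link, chunks):
    """Server sends numbered chunks one at a time; the client acknowledges each."""
    received = {}                  # client buffer keyed by sequence number

    def client(data):
        received.setdefault(data[1], data[3])   # a duplicate is stored only once
        return ("ACK", None, data[1] + 1)

    resends = 0
    for seq, chunk in enumerate(chunks):
        _, tries = exchange(link, ("DATA", seq, None, chunk), client)
        resends += tries - 1
    return "".join(received[s] for s in sorted(received)), resends
```

With `LossyLink({1, 5, 9})` the first SYN, one data segment and one acknowledgment are lost, yet `handshake` followed by `download` still returns the complete text, and `link.log` shows each retransmission.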
    The Scientific American server starts sending packets and Alice's machine
acknowledges receiving them. If the server does not receive packet acknowledgments within a fixed time window, the server resends the missing
packets. Both machines have timers operating; if appropriate acknowledgments are not received in a timely fashion (a matter of milliseconds), then
the packets (or request for packets) are automatically resent. Once the
