
GFR/CopyRouter

Process flow

Commercial in Confidence Revision 2.3


1
How do we stop the flow of illicit data
such as child pornography which can
enter our homes, encourage
predators and those that encourage
and engage them?

2
Who will take part in upcoming commercial and law
enforcement trials
•Altnet / BDE
–Providing Global File Registry (GFR) technology and related licenses.
•Cisco
–Providing proven best of breed technology, based on their widely deployed SCE platform.
•Local ISP
–Australian ISP where the pilot will take place.

3
How does it all work together?

4
Law enforcement overview
The CopyRouter detects references in search results to files that are known to the police and replaces them. This has a flow on effect:
1- If the user downloads the file, the file they get is one from the police.
2- The original files won't be available for download. Even if the user does NOT download this file, the information about the original file has been removed for this search, which means...
3- Information about these files won't be propagated through the client host that is receiving this search result. But the files from police would.
4- Also, browsing a host directly is treated in the same manner, severely limiting direct user-to-user file exchange using this method.

[Diagram: The Internet; GFR Copyrouter]

Gnutella servers hosting replacement content from Law Agencies. All search results replaced by the SCE point to these servers.

Reports about traffic activity and replacements made are sent to secure servers.

5
Step 1 : Local ISP user runs a search (query) on
P2P network, i.e., for Preteens sweet hot 15.wmv?

What do you have with 'Preteens sweet hot 15.wmv'?

SCE does not modify any packet.

6
Step 2a.: P2P clients on the net start replying back with search results (query hits), of
any files they may know containing 'Preteens sweet hot 15.wmv'. Each query hit contains information about the file (filehash, filename, etc) and where
to get the file from (IP address and port number).

Here you go, we have all this....

Step 2.b : The SCE detects packets with P2P results and the application comes into action...

7
Law enforcement overview – cont'd

Cleaned up search results                       Original search results
Preteens sweet hot 15.wmv                       Preteens sweet hot 15.wmv
Hash : {Hash-of-this-police-generated-video}    Hash : aaaaaaaaaaaaaaaa
Get it from IP-of-police-P2P servers            Get it from IP 1.2.3.4

Lolita - 33455233.jpg                           Lolita - 33455233.jpg
Hash : {Hash-of-the-police-generated-image}     Hash : bbbbbbbbbbbbbbbb
Get it from IP-of-police-P2P servers            Get it from IP 5.4.2.6

8
Law enforcement application

–Search results scanned for known, targeted hashes.
–When a hit happens, the information about the original file is replaced with information about another file, chosen by the Law Enforcement agency.
–When the user accesses the file just downloaded, the Operating system will handle the file normally.
–It is possible to target any file types

• Images (jpg, png, bmp, tiff)
• Videos (avi, wmv, mov, xdiv)
• Audio (mp3, wma, acc, ogg)
• Documents (doc, pdf, ppt)
• etc.

9
Possible messaging when these files are downloaded
When a user downloads a file that was replaced by the Law Enforcement agency and they
open the file, their computer will handle it as any other file, putting the message from the
agency right in front of their eyes.

Download process over P2P...

DRM Window in WMV

10
Messaging and different file types...

11
Applications : Commercial in parallel to Law enforcement
The CopyRouter in its current implementation will handle the requirement of Law enforcement agencies – we just need entries for the look-up table
(LUT) which would be provided by Law enforcement agencies.
The biggest differences are in the reporting needs : different destinations, different information (enforcement agencies may require IP info). We therefore
need to determine which 'vendor' provided which information in the LUT, and this is done by adding a new field to the LUT.

SERVER_IP {Initial_agency_Server_IP} {NumberOfServers}
SERVER_PORT {Initial_agency_Server_Port} {NumberOfPorts}
FILE_EXT .jpg
ADD
# Infringing Hash   Replacement Hash   File size   Vendor

Any hits here will generate a 'red' report, which will be routed to the police collector server ONLY. These reports contain full IP information.

[Diagram labels: P2P traffic between users; Not Found in LUT; Hit for FP; Law Enforcement Data collector]
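
The vendor field and the two kinds of report described on this slide can be sketched as follows. This is an added example, not code from the CopyRouter or its vendors: the four-column row layout follows the slide's column headings, while the hash values, the use of vendor number 2 for law enforcement and the 'commercial' collector name are assumptions constructed for illustration.

```python
from dataclasses import dataclass

LAW_ENFORCEMENT_VENDOR = 2  # assumption: which vendor number marks agency entries

# Constructed sample LUT; the hashes are placeholders, not real values.
SAMPLE_LUT = """\
# infringing_hash replacement_hash file_size vendor
CONSTRUCTEDHASH0001 REPLACEMENTHASH0001 853097 2
CONSTRUCTEDHASH0002 REPLACEMENTHASH0002 120000 1
"""

@dataclass(frozen=True)
class LutEntry:
    replacement_hash: str
    file_size: int
    vendor: int

def parse_lut(text):
    """Return {infringing_hash: LutEntry}; skips blank lines and '#' comments."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        infringing, replacement, size, vendor = fields
        table[infringing.upper()] = LutEntry(replacement.upper(), int(size), int(vendor))
    return table

def build_report(table, file_hash, source_ip):
    """Classify one query hit and build the report it would generate."""
    key = file_hash.upper()
    entry = table.get(key)
    if entry is None:
        # Not found in LUT: a file-only report, nothing about the user.
        return {"class": "seen", "hash": key}
    report = {"class": "hit", "hash": key,
              "replacement": entry.replacement_hash, "vendor": entry.vendor}
    if entry.vendor == LAW_ENFORCEMENT_VENDOR:
        # 'Red' report: police collector only, and it carries IP information.
        report.update({"class": "red", "collector": "police", "ip": source_ip})
    else:
        report["collector"] = "commercial"  # assumed name; no IP is attached
    return report
```

The vendor column is the only thing separating a report that names an IP address from one that does not, so an audit of such a system would start with who can write to that column.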

12
Example of information generated
xxxx

xxxxxxxx xxxxxxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx

These results were seen by the Copyrouter when installed on a very
small network connection in a test environment. The results passed
via the router as part of the normal P2P traffic.
The red highlighted parts are the hashes that could be targeted,
yellow highlights are IP addresses.
13
Reporting : SCE
•For each P2P search result seen, a one line report is sent to a reporting
server.
•These reports contain information about the files, but never about
users.
Report= reports : file seen.
•The SCE will run in 'report-only mode' for about a week. Data gathered in
this stage will be useful for:
–Getting a baseline of P2P activity in the network prior to the pilot.
–Creating a more targeted lookup table.

[Diagram labels: P2P traffic between users; Reports from SCE]

14
Special handling of P2P protocol
•Compression:
–Some of the Query and Query Hits are normally compressed
–We change the compression offer token so the session will be in plain text.

•Encryption
–Some of the sessions are normally encrypted
–We change the traffic that holds the encryption negotiation so the session will be in plain text.
15
Global File Registry
•Interdicts proven illicit data on an automated basis.
•Substitutes that illicit data with an appropriate warning/notice
•It does this without impact on customer experience or technical
performance, without affecting privacy or customer integrity
•World's best technology for disrupting & defeating illicit data
trafficking
•Protects your community regardless of where the cyber
criminals operate from

16
Thank you!

Commercial in Confidence Revision 1.9.4


17
