Talk:Traffic analysis

Untitled

It seems that most encrypted traffic could be buffered and fragmented to an arbitrary traffic spectrum within the bounds of message urgency. That is most traffic does not have 100% real time requirements. Thus individual keystrokes of SSL could be buffered and variably delayed. Of course interactive experiences would be somewhat degraded especially any mouse driven sessions.

But even small variances from actual keystroke timing could help throw off ordinary keystroke anaylsis for character driven session like passwords and simple command entry.

Hypothetically, a dummy user interface on the terminal end could also simulate/duplicate the effect of mouse commands allowing smooth movements and greatly reducing the effects of buffering mouse outputs -- to the point that sluggish response to events might be the only degradation.

Yoshikawa

Costello in Days of Infamy says he used the diplomatic address, which concealed the fact it was intelligence traffic. Costello also implies no analysis was done of the number of messages routed to/from given consular stations, which might have offered hints Pearl was a target. Trekphiler 11:18, 19 November 2006 (UTC)

I deleted this:

"Though not strictly related to traffic analysis limitations, it might be noted that those messages from the Hawaiian consulate (including some from Ensign Yoshikawa on Oahu) which were intercepted and decrypted didn't include clear evidence, or even mention, of a planned attack. They were evaluated as the usual intelligence every consulate routinely picked up and sent home. The only exception, a message sent on the 6th, was not decrypted until after the 7th."

It doesn't bear on traffic analysis.

I added this:

"Some messages from Ensign Yoshikawa on Oahu) were sent under routine diplomatic addresses, and so were not identified as intelligence traffic. It has been suggested^[1], however, the volume of diplomatic traffic to and from certain consular stations might have indicated places of interest to Japan, which might thus have suggested locations to concentrate traffic analysis and decryption efforts."

I also added mention of callsigns; it's from Room 40, I think. Trekphiler 11:37, 19 November 2006 (UTC)

References

1. Costello, Days of Infamy

Rounding Diamond Head

I deleted this:

"There was a famous exchange on December 2, 1941, five days before the Pearl Harbor attack, between Admiral Husband Kimmel, Pacific Fleet Commander, and his Intelligence Officer, Captain Edwin Layton. Kimmel remarked on the absence of information about Japanese aircraft carriers, and Layton explained that he didn't know where most of them were. Kimmel then asked whether they might be rounding Diamond Head (a volcano on Oahu). Layton replied that he didn't think so. Pearl Harbor was hit five days later."

It implies a causal relationship that doesn't exist, & I don't see a connection to traffic analysis. Neither am I convinced the radio operators left behind actually decieved Hypo. Trekphiler 11:52, 19 November 2006 (UTC)

Mav, this is Hollywood

I added this:

"There is a close relationship between traffic anaylsis and cryptanalysis (commonly called codebreaking). Callsigns and addresses are frequently encrypted, requiring assistance in identifying them. Traffic volume can often be a sign of an addressee's importance, giving hints to pending objectives or movements to cryptanalysts."

It's been said (Willmott, Barrier & the Javelin, I think) t/a aided Rochefort & Layton in identifying the Coral Sea as an objective. Trekphiler 12:05, 19 November 2006 (UTC)

Correlation Attacks

I was directed from the Tor article to this one by clicking on 'correlation attacks'. However, in this article nothing is mentioned about the latter. Just my 2c --Cruzlee 12:50, 15 May 2007 (UTC)

clarify on quote....

It is difficult to completely eliminate traffic analysis: "It is extremely hard to hide information such as the size or the timing of the messages. The known solutions require Alice to send a continuous stream of messages at the maximum bandwidth she will ever use...This might be acceptable for military applications, but it is not acceptable for most civilian applications." (Ferguson and Schneier, 2003).

Hey, someone put a [clarify] marker on the above quote on the article page. I don't think it needs clarification though, not in the article but on this talk page perhaps... Or perhaps the quote should link to a military vs. civilian approach of designing products.

You can't sell a product for civilian use that spends as much energy, is quite as heavy, armoured, and expensive as the military version. First, civilian applications have to be cheap and lightweight. You cannot burn through bandwidth for the sake of reducing traffic analysis in civilian use. —Preceding unsigned comment added by 85.144.136.10 (talk) 11:16, 23 September 2007 (UTC)

Bandwidth may be flat rate for some user applications, especially in enterprises. In fact, it's sometimes useful to inject dummy traffic to keep a constant load, not against traffic analysis but to make the user experience, as a function of load, predictable. Howard C. Berkowitz (talk) 02:06, 19 November 2007 (UTC)

Unfinished sentence

"Radio operators normally ..." --Steve (talk) 01:34, 19 November 2007 (UTC)

Pearl Harbor

I took out the following text;

• The espionage effort against Pearl Harbor before December didn't send an unusual number of messages; Japanese vessels regularly called in Hawaii and messages were carried aboard by consular personnel. At least one such vessel carried some Japanese Navy Intelligence officers. Such messages cannot be analyzed. It has been suggested^[1], however, the volume of diplomatic traffic to and from certain consulates might have indicated places of interest to Japan, which might thus have suggested locations to concentrate traffic analysis and decryption efforts.^{[citation needed]}

First of all, it is largely speculation. But more to the point, the U.S. did intercept and decrypt radio messages collecting intelligence about Pearl Harbor and they did raise alarm among Navy analysts. But there weren't that many of them, nowhere near enough for traffic analysis. It's also worth remembering that Japan didn't only attack Pearl harbor on Dec. 7, 1941. Attacks took place throughout the Pacific, so there likely was a pretty uniform increase in traffic, not a situation ripe for TA.--agr (talk) 01:44, 27 November 2007 (UTC)

The line between cryptanalysis and traffic analysis is blurred. One of the alerting factors, according to Kahn, not fully appreciated until the week after the advance, was that the Japanese consulate in Honolulu destroyed all its higher-security cryptosystems before the Pearl Harbor attack. The absence of high-security cryptosystems, today, would be a red flag, but it was not recognized as such at the time. Again, I emphasize that you can get a good argument among SIGINT analysts if a change in cryptosystem, before the content of the messages are broken, is strictly in the traffic analysis domain, in the cryptanalytic domain, and in the borderland between them.

Ironically, the final espionage messages (again see Kahn), which were so detailed they would have been of interest only for an actual attack, were encrypted in a lower-level cryptosystem. US doctrine had been to attack the hardest cryptosystems first, on the theory that messages in them were most important.

The only information for traffic analysis would have been diplomatic and consular traffic; the actual naval forces were under strict EMCON while their radio operators generated fake traffic from inland waters of Japan. With 20/20 hindsight, the sudden absence of high-level systems in Honolulu should have gotten a more detailed look, and a junior cryptanalyst had wanted to work over the weekend on what would have been the smoking gun message, but her supervisor wouldn't authorize overtime. I don't have Kahn or Layton at hand, but they identify the analyst and her boss. Howard C. Berkowitz (talk) 05:00, 27 November 2007 (UTC)

I reread the first chapter of Kahn, the one on Pearl Harbor. The absence of high-security cryptosystems was well noted at the time. But instructions to burn codes and destroy code machines had been given to numerous locations, not just Honolulu. See Kahn p. 44. "The Army and navy high command universally regarded the destruction of codes as virtual certainty that war would break out within the next few days." This was on Dec. 3. There had already been a large amount of intelligence suggesting war was imminent and warnings had been sent to US forces overseas.

What I think you are referring to as the smoking gun message, a cable (on p.53) from the Japanese consulate in Honolulu counting the ships in Pearl Harbor, was sent the evening of December 6 and the intercept was received in Washington around midnight. Kahn does say it was in a lower level crypto system and from a consulate and thus had lower priority, but he does not mention anything about a junior cryptanalyst wanting to work over the weekend (p. 55). On p.66 he describes how it was eventually broken on Dec 9 and that it took many hours to break, so it's doubtful a junior cryptanalyst would have had results in time.

A decoded message that did suggest an attack on Hawaii was the one from Tokyo that set a 1 pm Washington time deadline for the embassy in Washington to deliver the 14-part message breaking off negotiations. That was 7 am in Hawaii. There was debate over whether to send out a warning to US forces because some thought enough warnings had already been sent. General Marshall decided to send one anyway (p60) but it did not arrive at Pearl Harbor until after the attack had started, due to a famous series of communications screw ups.

While we believe in hindsight that the Japanese Consulate messages asking for detailed info on ship movement at Pearl Harbor were the smoking gun, I'm not so sure that interpretation was necessary at the time. If you were about to start a war and had intelligence assets with diplomatic cover near your enemy's main forward Naval base that you were about to lose once war started, wouldn't you instruct them to gather and report every scrap of information on what was going on, even if you weren't planning to attack the base immediately? Especially if you are as through as the Japanese? --agr (talk) 15:10, 27 November 2007 (UTC)

Seriously starting with Wohlstetter and wincing at the multitude of political investigations in the short term, one of the best things that one can say about Pearl Harbor was that a great many lessons were learned, and quite possibly on both sides. Things don't fall into neat subcategories; for example, I didn't first hear about reacting to changes in cryptosystems in either cryptanalysis or traffic analysis, but in a presentations on indications & warning checklists -- it might not even have been specific to SIGINT.

Unfortunately, who, specifically, asked to work on the consular messages on December 5 is something where I'm trusting to memory, not having all my library unpacked. Since, IIRC, it reflected on the internal politics with the Redmond brothers and Turner, it very well might have been Layton rather than Kahn.

As far as it being a smoking gun, we quickly get into the "wilderness of mirrors" problem, as in "do we send this message to mask a traffic pattern, or do we not send it on the chance it is read?" Motivations for much Japanese behavior isn't clear. Apparently, they had, on the diplomatic side, a great deal of confidence in PURPLE, but they destroyed the machines and went to low level. There was a separate attache system that I've never heard mentioned WRT Pearl Harbor, but it was used for a good deal of specific reporting.

"thorough" is not the word I'd pick for Japanese planning styles, but I don't have a better one. How many of their later operational plans had the flavor of "all our converging forces will meet while under radio silence, and fight a decisive battle in which all the enemy ships will sink?" Howard C. Berkowitz (talk) 15:36, 27 November 2007 (UTC)

Some of the lessons seem to have been forgotten. The parallels with 9/11 are striking. My concerns it that there is a tendency to suppose things would have been different if just one more message had been decoded, or one more Arabic intercept had been translated. In both situations there was enough intelligence to know something was up. In both cases the enemy had an well thought out plan and maintained communication discipline. The failings in the U.S. were on the operational side, but it would have taken imagination and follow through on someone's part to have changed the outcome.--agr (talk) 19:48, 27 November 2007 (UTC)

Good point. Another similarity, however, was that the information may have been there, but, for a variety of reasons, it wasn't getting into the hands that needed it. On the morning (Washington time) of the Pearl Harbor attack, the US had the 14th and key part of the Japanese diplomatic message before the Japanese at the embassy -- Japan had its bit of screwing up here, by ordering only senior diplomats to handle it, of whom only one had even hunt-and-peck typing skill. Let me stipulate -- this was clearly cryptanalytic, not traffic analysis.

Marshall had the decrypt, but first hesitated to send it to Short and others for fear of micromanaging. Next, Marshall gave it to the Army communications center, which apparently had been having radio propagation problems while the Navy did not. Marshall rejected the Navy's officer to send the message, and then the horrible mistake was made when the Army communications center believed that the Western Union remote telegraph was operational in the Hawaii communications center, but it was not. By comparison, when I worked with nuclear command and control in the seventies, a message of that priority would go out by up to 23 separate communications systems. Perhaps it was that telecommunications were new, but one would hope that today, if the same circumstances held, Marshall would have given the message to a senior officer, and told him to hand-carry it to the communications center until there was a positive acknowledgement that it was in Short's hands.

In the case of 9/11, there appears to have been information available a good deal earlier, but the culture of FBI field offices were so decentralized that, IIRC, Phoenix and Chicago each had a piece (maybe others did as well), but no one analyst had all the pieces. There is a continuing debate if the FBI is culturally capable of changing this model, which is usually quite appropriate for law enforcement, to the all-source central correlation that is needed in intelligence. If the National Counterterrorism Center had been in place in early 2001, would the pieces have come together? We don't know.

Compartmentation can be essential to operational security, but when the amount of security prevents the job from being done, it is counterproductive. Finding the right balance, especially when the White House is secretive, is a real challenge. Howard C. Berkowitz (talk) 20:02, 27 November 2007 (UTC)

Another thing that has changed is the DEFCON system. Instead of assuming that commanders will do the right thing when warned, there are specific steps that are worked out in advance. I'm not sure even if Marshall's message had gotten to Stark in time that anything different would have been done. They might have gone on assuming assuming that the attack would begin in the western Pacific.

As for US communications since then, see the NSA's report on the 1967 USS Liberty incident. It explains in detail how an order to move the ship away from the combat area took 18 hours to get to her, too late. And on 9/11/2001, when the US actually was under attack from the air, something we'd spend billions preparing for, NORAD couldn't get the people at FAA who knew what was happening onto their command conference circuit due to problems setting up a secure line. See Communication during the September 11, 2001 attacks. The only people in the US who had situational awareness and were able to do something in time were the passengers on United flight 93.--agr (talk) 21:38, 27 November 2007 (UTC)

(swinging the margin back to the left)

As long as Stark assumed the threat was sabotage rather than air strike, he might not have done anything. Still, it would have been relatively easy to have given ready ammunition to the shore and Fleet antiaircraft guns, gone to a modified readiness condition on the ships, and perhaps increased staffing. I have to keep reminding myself, in current terms, how primitive the operation was at its best. If for no other reason than the flying scenes, the movie The Final Countdown is worth watching. If it had happened that way (a US fleet carrier in the area on the morning of the attack), their challenge would be which ways they would sink the Mobile Fleet and shoot down the strike force. Depends on whether the captain decided to use the B57 nuclear weapons, or get more up close and personal, especially at night.

I am very familiar with the communications fiascoes involving both the Liberty and Pueblo. Especially with the Liberty, it amazed me that a year or so earlier, SIGINT vans were on destroyers with on-call air cover, yet that rustbucket was allowed into a shooting war with no escort. Yes, the recall order went to the Phillipines by mistake, but that ship was not equipped to go in harm's way.

I won't forget 9/11; I lived close enough to the Pentagon that the windows shook. Actually, we would have been in much better shape to deal with it in the late fifties or early sixties, since the threat then included fighting bombers over the continental US. By 9/11, budget cuts had made air (as opposed to space) defense something purely positioned to deal with something coming from outside the borders, not already in it. Once the planes were taken, I don't think there's a lot that could have been done about it.Howard C. Berkowitz (talk) 21:58, 27 November 2007 (UTC)

I did see The Final Countdown. The best move for Stark, I think, would have been to ask at the experimental radar at Perl to inform him if they saw anything unusual. He would have had a couple hours warning of the attack and vectors to the Japanese fleet. I'd like to see someone more knowledgeable of US capabilities at the time work out what the US then could have done, e.g. intercept the attackers and send bombers after the fleet. The war might have been over a lot sooner. As for 9/11, the guys at the FAA told friends in the AF who got F16s from Otis in the air. If NORAD had followed through, I think it might have been possible to stop the second attack on the WTC and the Pentagon. It would have been tight, but I'd rather the story was that they got there 5 minutes too late than that they never really tried. Of course we are way off topic.--agr (talk) 22:55, 27 November 2007 (UTC)

It would have been very tight. First, I heard the BANG and windows rattling, which sounded like exceptionally loud fireworks from the Mall, but was the impact. I'd estimate I heard F-16's at full military power 2-3 minutes later. The biggest problem is since this was essentially in the terminal control area for National Airport, they would have needed visual ID to know which was the right aircraft. Second, even if they hit it with every air-to-air missile they had, you still would have had over 100 tons coming down in a metro area.

As far as the other digression, if the carrier group had nuclear release authority, a couple of B-61's from 40,000 feet or so, high airburst if the strike flight started, and one or two on the carriers. With conventional weapons, probably 2 x2000lb laser-guided bombs for each carrier, and then hope the airstrike holds its close formation when the air-to-air missiles are inbound -- more targets than missiles. Failing that, one could probably do nasty things to control surfaces with a few F-14 supersonic passes.

Back to the serious point, the warnings don't neatly fall into traffic analysis or cryptanalysis, although they would be COMINT. In a modern alert center, those conditions should be enough. I tend to think all-source analysis wasn't ready to put those things together in December 1941. In other words, it probably would belong, as an example, under intelligence analysis rather than SIGINT. Howard C. Berkowitz (talk) 23:28, 27 November 2007 (UTC)

Those old warbirds were pretty tough and designed to survive nearby antiaircraft bursts. I'm not sure a supersonic shock wave would do much. But a bunch of F-14s zipping around would most likely reduce their bombing accuracy, which would have made a big difference. On the serious question, analysis of how many messages were sent in the various cipher systems would be grist for the traffic analysis mill, so that's an argument for placing the stoppage of high level ciphers there. Another example was the the Japanese changing all their call signs on December 1, 1945, only one month after the previous such change. In the past they happened every 6 months. --agr (talk) 13:53, 28 November 2007 (UTC)

I'm enjoying the what-if, which is a favorite of mine, figuring out what could have been made in the past. One wonderful experience was spending half an hour with a coppersmith at Colonial Williamsburg, he being an expert on old technique. We came to the conclusion that they could have built simple generators and radios, if they knew how to put together their materials and tools in a way that might have been regarded as witchcraft.

Back to the main topic, where I think you've brought together some key ideas. Message intercept, cryptanalysis, direction finding, and traffic analysis are all fundamentally means of collecting raw intelligence. Some of these, such as cryptanalysis and traffic analysis, are misnamed in a way. If you look back at my taxonomy under Intelligence cycle management, and the down to Intelligence collection management, I think cryptanalysis and traffic analysis goes under processing, rather than Intelligence analysis management. The critical point you bring out is that changes in cryptosystem, often critical information, doesn't fit neatly into any raw collection or early processing step. It might be something noted by the cryptanalysts when they can't get into messages they used to read, but I need to make it clear that there can be collection "observations and inferences", for want of a better term, that need to go into "all-source analysis". I may yet refer to all-source analysis in the SIGINT and traffic analysis and cryptanalysis articles, but I think you've shown me something that needs to be brought out under collection management and analysis management. Many thanks! I have a conference call now, but I'll try to work on this later today. Howard C. Berkowitz (talk) 18:07, 28 November 2007 (UTC)

References

1. Costello, John (1995). Days of Infamy: Macarthur, Roosevelt, Churchill-The Shocking Truth Revealed : How Their Secret Deals and Strategic Blunders Caused Disasters at Pear Harbor and the Philippines. Pocket. ISBN 0671769863.

"Torture taxis"

I removed the following material

===Recent=== :*Traffic analysis and [[planespotting]] techniques were used to infer the existence of secret CIA flights [http://villagevoice.com/news/0642,torturetaxi,74732,2.html], prisons [http://www.guardian.co.uk/usa/rendition/] and the [[Extraordinary rendition|transfer of prisoners]] to and from these prisons, the so-called [[Torture Taxi]]s.

The Village Voice link is dead (explained as expiration of an article license). Whatever one thinks of extreme rendition, this material has little explanation of how traffic analysis was used, or what, if anything, planespotting has to do with traffic analysis.

Traffic analysis, in this context, is a subset of SIGINT. For material to be relevant, it has to have some clear connection to the analysis of communications.

Howard C. Berkowitz (talk) 03:33, 29 April 2008 (UTC)

Traffic Analysis vs. Traffic Flow Analysis

It appears to me that what the article discusses is rather "traffic flow analysis" than "traffic analysis". Even though these two terms often seem to be used interchangeably, it occurs to me that "traffic analysis" is rather a superset of "traffic flow analysis", including cryptanalysis of data transmitted. Can somebody shed light on this issue? Thanks, 85.124.63.18 (talk) 14:36, 2 March 2009 (UTC)