by dguido 2248 days ago
Fun fact, Moloch was initially created with funding from DARPA's famous Cyber Fast Track program! It's great to see that Moloch is still going strong since ~2013.

There is some previous discussion of Moloch when it was released in this older thread: https://news.ycombinator.com/item?id=20586005


Not sure if you are joking, but Moloch was never part of DARPA's short lived Cyber Fast Track program. :) We do welcome contributions from everyone, and lots of different folks use Moloch. If interested, join us over at https://molo.ch
That's odd. Are you one of the original authors? The CFT project list had Moloch on it. I'll try and dig it up; it's probably floating around my Google Drive. You may want to speak with Eoin Miller, as I believe he was the point of contact for the project in the document I'm thinking of.
Fuckkkkk I think I found the source of my confusion. I am wrong, you are right.

I DID find documents about Moloch floating around my Google Drive from ~2013-ish. I believe I invited your co-author Eoin to present at a conference I was running, THREADS, in 2014 and that he was not able to make it. The focus the _year prior_ was exclusively on DARPA CFT. I combined those two events in my head and thought your project got some seed funding from DARPA too. I'm sorry!

Here is the conference:

THREADS 2014 when you were invited: https://github.com/trailofbits/threads/tree/master/2014

THREADS 2013 was a retrospective on DARPA CFT: https://github.com/trailofbits/threads/tree/master/2013

Thanks, John. I tried to do something a while back with wireshark but I couldn't get the thing to scale. Gonna give this one a hard look.
I seem to be mistaken :-x. Moloch was never provided with early funding from CFT. I confused a few interactions I had with their project's original authors in 2013. It _feels_ like something CFT would have funded, but it was started on its own. See more here: https://news.ycombinator.com/item?id=22951925
What can you do with a packet capture on a modern high security network besides go, "yup, that's TLS"?

Maybe DoD turns off the forward secrecy stuff and escrows keys?

In large part you're not looking at TLS application-data with this stuff; you're monitoring internal networks and all the protocols they run, in part so you can retroactively see if exploits, once revealed, have been run. For that kind of stuff you often care a lot more about, say, SMB dissection than you do about what stupid websites people are looking at.

The longstanding existence of tools like these --- and there are "better" ones that aren't open source, and have been for decades --- is one reason that "vulnerability equities processes" don't make sense; if the DoD uses an exploit against a foreign target, it can't just reveal it a few months later without compromising sources and methods.

(That doesn't mean you should care about that problem; I'm just reporting).

Interesting. A lot of Big Tech has started to encrypt even internal network traffic, though. Wouldn't the spooks be way ahead of us on that one?