Alan Horowitz asks ...
If I were standing in one of the places where NSA has it's taps of the Net - what would I see? Alligator clips across terminal strips, leading to a bunch of T3 lines?
I can't say I have a reliable answer to your question (although I can say fairly confidently that it is unlikely to be done with alligator clips at T3 and Sonet rates). In the past a good bit of this stuff was apparently done by intercepting microwave tail circuits (such as on the older FDM type undersea cables). For some random reason all the traffic on the undersea cable just happened to always be routed via a microwave link (sometimes as a "backup" to a cable link sent to a satellite ground station in case it had to carry the traffic if the cable failed). It is remarkable how many of the undersea cable terminals have microwave links to the rest of the world. Now with everything digital and almost always on fiber, one would probably expect that the main Internet backbone Sonet or FDDI rings have little diversions or bridges that feed undocumented fibers going somewhere that nobody at the carriers quite knows where. There is a great deal of dark fiber installed (around the Beltway area especially) for the spook agencies that was put in without any normal cable records being kept by the carriers regarding where the fibers in the bundle terminate or what they are used for or even where the actual cables really go. The amount of fiber going into some of the beltway CIA sites is truly impressive (several major runs). The DACS digital crossconnect points (high speed space/time division DS-1/DS-3 switches used for routing and and interconnecting digital circuits from one fiber pipe to another) could certainly be programmed to route a copy of the traffic on some interesting backbone T3 line out another port as well - and like all complex software driven devices this capability could be covertly activated and controlled without notice to the normal operators who certainly don't have source code or the expertise to vet it. As one might expect I've so far not met anyone at a carrier who knows exactly where the NSA taps are, but other possibilities certainly exist at repeater sites (where used) and even by optical taps (bending the fiber to make it leak a little light) in some manhole somewhere. And obviously buggering the firmware in central routers to forward selected packets is available as a last ditch option. Dave