Well, I suspect they do a lot more before inspection, and use a statistical model to trigger whether the actually grab and backhaul any piece of traffic. "Obviously", Source and destination country will matter, then within the US source and destination IP address (eg, knock into low-risk bucket if both source and destination IP correspond to Citigroup, even if one IP is within Saudi)...application is obviously going to matter, presence of crypto (and possible "crypto depth") and all the way up to L7 including key words. Clearly, this policy is going to be risk-model driven and will undergo periodic changes (implying too that NSA has their own LAN by which they download new policies remotely into the Narus boxes). It would be "nice" too if their models fill up their available backhauling bandwidth. Now that just determines what traffic gets backhauled. It's a big vacuum cleaner that grabs as much as they can within requiring that they build a completely duplicate optical network. After that the traffic gets pulled into the Beltway (most likely) where further models probably determine whether the traffic gets stored, read by humans "now", or whatever. Note that by this time having a human actually bother to "read" an email or whatever is not necessarily important, even if it's encrypted. What this means (to your point) is that merely building better crypto is only one axis to protect your privacy. If your communication gets as far as the Beltway and human examiners (or possibly gets shot down to their subterranean cracking farm) then you're already "of interest". With good enough crypto it's -possible- that you can thwart their attempts to actually read your email, and that's good because it forces them to decide whether they want to expend the big $$$ and risk exposure for a field operation. But the other axis is statistical (as you point out). It's far better to never get caught in the NSA driftnets in the first place. This means stego, this means P2P (hum...what if I had a P2P video of a document I wanted to transmit...NSA wouldn't be able to read that document, right?) this means (somehow) encouraging more crypto in more places so your traffic doesn't stick out. -TD
From: "Chris Olesch" <g13005@gmail.com> To: cypherpunks@jfet.org, "Tyler Durden" <camera_lumina@hotmail.com> Subject: Re: NS&AT&T Date: Wed, 17 May 2006 11:34:47 -0500
You know I really enjoyed George Orwells Popcorn. Maybe that was Redenbockers' Popcorn while reading George Orwell...hehe...
Here is my dumb question for the day, but can someone show me where my logic has run aloof?
The NSA's claim is not to have listened to the content, just collected it. "Assuming" their telling the truth on this, I thought they may be trying to create a bell-curve type application that scans the messages for content based on predetermined criteria (similar to content filters I assume).
However, the flaw I see is similar to the idea behind changing speed limits on residential streets. Public safety sets up the electronic signs to monitor speed limits, and flashes if you travel above the posted limit. Except the data can be ruined (for lack of a better word) if the drivers sneak up on the sign and gun-it past it, repeatedly!
How this applies to the NSA model: If normal citizens are polluting their data by using more vulgar or "terror driven" speech. How will they know legitimate traffic from crank-yankers?
-chris Y.A.C.Y.
On 17/05/06, Tyler Durden <camera_lumina@hotmail.com> wrote:
I'd bet by the time this post reaches the list most Cypherpunks &c will have already seen the string of information posted on Wired and other places, about AT&T's network. This is a level of detail that I strongly suspect has NSA folks shitting bricks:
http://www.wired.com/news/technology/0,70908-0.html?tw=wn_index_2
Here's an interesting quote:
cutting them in four at a time on a weekly schedule, ending with a
One of the documents appears to describe AT&T's successful efforts to tap into 16 fiber-optic >cables connecting the company's WorldNet internet backbone to other internet service providers. >The document shows AT&T technicians phasing in fiber-optic splitters throughout February 2003, link to Mae West, an internet >exchange point for West Coast traffic.
Now this is REALLY interesting:
http://blog.wired.com/images/nsadocs2_f.jpg
OK, this means the 16 fibers mentioned above are single wavelength. From this document we can also view what the actual bandwidths are: OC-12s and OC-48s, a couple of OC-3s and no OC-192s. Now I don't see any documentation stating that there isn't more than this going into the room. The "four splitters at a time" almost certainly implies that this traffic is coming off a 4-fiber BLSR (most likely too NSA worked with the other carriers to move the traffic to protect prior to installing the splitters).*
Theoretically, they could actually just backhaul all of this traffic using pretty ordinary 16 wavelength WDM from any number of vendors. Getting that cross-country is difficult, but with ULH (Ultra Long Haul) this could be done with a relative minimum of repeater/amplifier sites. If they pre-sort the traffic before backhauling it they could then actually just buy a wavelength on AT&T's backbone, which has some nice features to it (I'd bet they also have their own encryption used for the entire wavelength pipe, though I could be wrong).
The pinchpoint here just might actually be the deep packet inspection. Does anyone know what kind of bandwidth the narus boxes can support?
What this will do is give us an idea of how much traffic they are actually taking back. From our discussions some months ago, I have assumed (and still believe) that they can't grab EVERYTHING and pull it back, because that would require too obvious and too huge a network. My other assumption is that the narus deep packet inspection is enforcing a prioritization prior to hockeying the most "juicy" traffic into their fiber or wavelegnths.
*: They would have first told the owner/carrier of one of those OC-N pipes to force a switch to protection bandwidth while they installed the splitters, and then switch back once the splitters were installed. It LOOKS like they did this ring-by-ring, diverting traffic away from the "break" and then installing splitters on all four fibers terminating across the break.
-- -G
"The knack of flying is learning how to throw yourself at the ground and miss." "He felt that his whole life was some kind of dream and he sometimes wondered whose it was and whether they were enjoying it." "He inched his way up the corridor as if he would rather be yarding his way down it..." "We demand rigidly defined areas of doubt and uncertainty!" "I love deadlines. I like the whooshing sound they make as they fly by."
Famous Quotes written by Douglas Adams, (British comic writer, 1952-2001) http://hitchhikers.movies.go.com/