At 10:45 AM 6/26/2006 -0400, Perry E. Metzger wrote:

Quoting:

In a pivotal network operations center in metropolitan St. Louis, AT&T has maintained a secret, highly secured room since 2002 where government work is being conducted, according to two former AT&T workers once employed at the center.

http://www.salon.com/news/feature/2006/06/21/att_nsa/index_np.html

By coincidence, the day after that article appeared, we released the (partially redacted) Declaration of J. Scott Marcus, our expert in EFF's case against AT&T, http://www.eff.org/legal/cases/att/marcus-decl-redact.pdf. The Salon reporter then followed with this piece, http://www.salon.com/news/feature/2006/06/23/internet_expert/index_np.html -------------------------------------------------------------------- James S. Tyre jstyre@jstyre.com Law Offices of James S. Tyre 310-839-4114/310-839-4602(fax) 10736 Jefferson Blvd., #512 Culver City, CA 90230-4969 Co-founder, The Censorware Project http://censorware.net Policy Fellow, Electronic Frontier Foundation http://www.eff.org --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com ----- End forwarded message ----- Is the NSA spying on U.S. Internet traffic? Salon exclusive: Two former AT&T employees say the telecom giant has maintained a secret, highly secure room in St. Louis since 2002. Intelligence experts say it bears the earmarks of a National Security Agency operation. By Kim Zetter Jun. 21, 2006 | In a pivotal network operations center in metropolitan St. Louis, AT&T has maintained a secret, highly secured room since 2002 where government work is being conducted, according to two former AT&T workers once employed at the center. In interviews with Salon, the former AT&T workers said that only government officials or AT&T employees with top-secret security clearance are admitted to the room, located inside AT&T's facility in Bridgeton. The room's tight security includes a biometric "mantrap" or highly sophisticated double door, secured with retinal and fingerprint scanners. The former workers say company supervisors told them that employees working inside the room were "monitoring network traffic" and that the room was being used by "a government agency." The details provided by the two former workers about the Bridgeton room bear the distinctive earmarks of an operation run by the National Security Agency, according to two intelligence experts with extensive knowledge of the NSA and its operations. In addition to the room's high-tech security, those intelligence experts told Salon, the exhaustive vetting process AT&T workers were put through before being granted top-secret security clearance points to the NSA, an agency known as much for its intense secrecy as its technological sophistication. "It was very hush-hush," said one of the former AT&T workers. "We were told there was going to be some government personnel working in that room. We were told, 'Do not try to speak to them. Do not hamper their work. Do not impede anything that they're doing.'" The importance of the Bridgeton facility is its role in managing the "common backbone" for all of AT&T's Internet operations. According to one of the former workers, Bridgeton serves as the technical command center from which the company manages all the routers and circuits carrying the company's domestic and international Internet traffic. Therefore, Bridgeton could be instrumental for conducting surveillance or collecting data. If the NSA is using the secret room, it would appear to bolster recent allegations that the agency has been conducting broad and possibly illegal domestic surveillance and data collection operations authorized by the Bush administration after the terrorist attacks of Sept. 11, 2001. AT&T's Bridgeton location would give the NSA potential access to an enormous amount of Internet data -- currently, the telecom giant controls approximately one-third of all bandwidth carrying Internet traffic to homes and businesses across the United States. The nature of the government operation using the Bridgeton room remains unknown, and could be legal. Aside from surveillance or data collection, the room could conceivably house a federal law enforcement operation, a classified research project, or some other unknown government operation. The former workers, both of whom were approached by and spoke separately to Salon, asked to remain anonymous because they still work in the telecommunications industry. They both left the company in good standing. Neither worked inside the secured room or has access to classified information. One worked in AT&T's broadband division until 2003. The other asked to be identified only as a network technician, and worked at Bridgeton for about three years. The disclosure of the room in Bridgeton follows assertions made earlier this year by a former AT&T worker in California, Mark Klein, who revealed that the company had installed a secret room in a San Francisco facility and reconfigured its circuits, allegedly to help collect data for use by the government. In detailed documents he provided to the Electronic Frontier Foundation, Klein also alleged there were other secret rooms at AT&T facilities in other U.S. cities. NSA expert Matthew Aid, who has spent the last decade researching a forthcoming three-volume history of the agency, said of the Bridgeton room: "I'm not a betting man, but if I had to plunk $100 down, I'd say it's safe that it's NSA." Aid told Salon he believes the secret room is likely part of "what is obviously a much larger operation, or series of interrelated operations" combining foreign intelligence gathering with domestic eavesdropping and data collection. "You're talking about a backbone for computer communications, and that's NSA," Russ Tice, a former high-level NSA intelligence officer, told Salon. Tice, a 20-year veteran of multiple U.S. intelligence agencies, worked for the NSA until spring 2005. "Whatever is happening there with the security you're talking about is a whole lot more closely held than what's going on with the Klein case" in San Francisco, he said. (The San Francisco room is secured only by a special combination lock, according to the Klein documents.) Tice added that for an operation requiring access to routers and gateways, "the obvious place to do it is right at the source." In a statement provided to Salon, NSA spokesman Don Weber said: "Given the nature of the work we do, it would be irresponsible to comment on actual or alleged operational issues as it would give those wishing to do harm to the United States insight that could potentially place Americans in danger; therefore, we have no information to provide. However, it is important to note that NSA takes its legal responsibilities seriously and operates within the law." Since last December, news reports have asserted that the NSA has conducted warrantless spying on the phone and e-mail communications of thousands of people inside the U.S., and has been secretly collecting the phone call records of millions of Americans, using data provided by major telecommunications companies, including AT&T. Such operations would represent a fundamental shift in the NSA's secretive mission, which over the last three decades is widely understood to have focused exclusively on collecting signals intelligence from abroad. The reported operations have sparked fierce protest by lawmakers and civil liberties advocates, and have raised fundamental questions about the legality of Bush administration policies, including their consequences for the privacy rights of Americans. The Bush administration has acknowledged the use of domestic surveillance operations since Sept. 11, 2001, but maintains they are conducted within the legal authority of the presidency. Several cases challenging the legality of the alleged spying operations are now pending in federal court, including suits against the federal government, and AT&T, among other telecom companies. In a statement provided to Salon, AT&T spokesman Walt Sharp said: "If and when AT&T is asked by government agencies for help, we do so strictly within the law and under the most stringent conditions. Beyond that, we can't comment on matters of national security." According to the two former AT&T workers and the Klein documents, the room in the pivotal Bridgeton facility was set up several months before the room in San Francisco. According to the Klein documents, the work order for the San Francisco room came from Bridgeton, suggesting that Bridgeton has a more integral role in operations using the secured rooms. The company's Bridgeton network operations center, where approximately 100 people work, is located inside a one-story brick building with a small two-story addition connected to it. The building shares a parking lot with a commercial business and is near an interstate highway. According to the two former workers, the secret room is an internal structure measuring roughly 20 feet by 40 feet, and was previously used by employees of the company's WorldNet division. In spring 2002, they said, the company moved WorldNet employees to a different part of the building and sealed up the room, plastering over the window openings and installing steel double doors with no handles for moving equipment in and out of the room. The company then installed the high-tech mantrap, which has opaque Plexiglas-like doors that prevent anyone outside the room from seeing clearly into the mantrap chamber, or the room beyond it. Both former workers say the mantrap drew attention from employees for being so high-tech. Telecom companies commonly use mantraps to secure data storage facilities, but they are typically less sophisticated, requiring only a swipe card to pass through. The high-tech mantrap in Bridgeton seems unusual because it is located in an otherwise low-key, small office building. Tice said it indicates "something going on that's very important, because you're talking about an awful lot of money" to pay for such security measures. The vetting process for AT&T workers granted access to the room also points to the NSA, according to Tice and Aid. The former network technician said he knows at least three AT&T employees who have been working in the room since 2002. "It took them six months to get the top-security clearance for the guys," the network technician said. "Although they work for AT&T, they're actually doing a job for the government." He said that each of them underwent extensive background checks before starting their jobs in the room. The vetting process included multiple polygraph tests, employment history reviews, and interviews with neighbors and school instructors, going as far back as elementary school. Aid said that type of vetting is precisely the kind NSA personnel who receive top-secret SCI (Sensitive Compartmented Information) clearance go through. "Everybody who works at NSA has an SCI clearance," said Aid. It's possible the Bridgeton room is being used for a federal law enforcement operation. According to the Communications Assistance for Law Enforcement Act of 1994, telecom companies are required to assist law enforcement officials who have legal authorization to conduct electronic surveillance, either in pursuit of criminal suspects or for the protection of national security. The companies must design or modify their systems to make such surveillance possible, essentially by making them wiretap-ready. The FBI is the primary federal agency that tracks and apprehends terrorist suspects within the U.S. Yet, there are several indications that the Bridgeton room does not involve the FBI. "The FBI, which is probably the least technical agency in the U.S. government, doesn't use mantraps," Aid said. "But virtually every area of the NSA's buildings that contain sensitive operations require you to go through a mantrap with retinal and fingerprint scanners. All of the sensitive offices in NSA buildings have them." The description of the opaque Plexiglas-like doors in Bridgeton, Aid said, indicates that the doors are likely infused with Kevlar for bulletproofing -- another signature measure that he said is used to secure NSA facilities: "You could be inside and you can't kick your way out. You can't shoot your way out. Even if you put plastique explosives, all you could do is blow a very small hole in that opaque glass." Jameel Jaffer, deputy director of the American Civil Liberties Union's national security program, said it is unlikely that the FBI would set up an ongoing technical operation -- in this case, for several years running -- inside a room of a telecommunications company. The Foreign Intelligence Surveillance Act, passed by Congress in 1978, requires law enforcement officials to obtain warrants from a secret federal court for domestic surveillance operations involving the protection of national security. If the FBI (or another federal agency) wanted data, it would more likely be targeting a specific individual or set of individuals suspected of engaging in criminal or terrorist activities. The agency would obtain a warrant and then call AT&T, or show up in person with the warrant and ask for the wiretap to be engaged. According to Jaffer, the FBI, NSA or any other federal agency could also legally tap into communications data under federal guidelines using technical means that would not require technical assistance of a telecom company. In an e-mail statement to Salon, FBI spokesperson Paul Bresson said: "The FBI does not confirm whether or not we are involved in an alleged ongoing operational activity. In all cases, FBI operations are conducted in strict accordance with established Department of Justice guidelines, FBI policy, and the law." Rather than specifically targeted surveillance, it is also possible that the Bridgeton room is being used for a classified government project, such as data mining, with which the Pentagon has experimented in the past. Data mining uses automated methods to search through large volumes of data, looking for patterns that might help identify terrorist suspects, for example. According to Tice, private sector employees who work on classified government projects for the NSA are required to undergo the same kind of top-secret security clearance that AT&T workers in the Bridgeton room underwent. According to the former network technician, all three AT&T employees he knows who work inside the room have network technician and administration backgrounds -- not research backgrounds -- suggesting that those workers are only conducting maintenance or technical operations inside the room. Furthermore, Tice said it is much more likely that any classified project using data collected via a corporate facility would take place in separate facilities: "The information that you garner from something like a room siphoning information and filtering it would be sent to some place where you'd have people thinking about what to do with that data," he said. Dave Farber, a respected computer scientist at Carnegie Mellon University and former chief technologist for the Federal Communications Commission, also said it is likely that data collected in a facility like the Bridgeton center would be used elsewhere, once the facility is set up to divert the data. "If I own the routers, I can put code in there to have them monitor for certain data. That's not a particularly difficult job," said Farber, who is considered one of the pioneers of Internet architecture. Farber said that "packets" of data can essentially be copied and then sent to some other location for use. "Most of the problems would have to do with keeping your staff from knowing too much about it." According to the former network technician, workers at Bridgeton, at the direction of government officials, could conceivably collect data using any AT&T router around the country, which he says number between 1,500 and 2,000. To do so, the company would need to install a wiretap-like device at select locations for "sniffing" the desired data. That could explain the purpose of the San Francisco room divulged by Klein, as well as the secret rooms he alleged existed at AT&T facilities in other U.S. cities. "The network sniffer with the right software can capture anything," the former network technician said. "You can get people's e-mail, VoIP phone calls, [calls made over the Internet] -- even passwords and credit card transactions -- as long as you have the right software to decrypt that." In theory, surveillance involving Internet communications can be executed legally under federal law. "But with most of these things," Farber said, "the problem is that it just takes one small step to make it illegal." New light on NSA spying A former Internet expert for the FCC concludes that a secret AT&T installation was most likely used for government surveillance. By Kim Zetter Jun. 23, 2006 | A federal court in California released a previously sealed 40-page document on Thursday in the Electronic Frontier Foundation's lawsuit against AT&T, which bolsters allegations that the telecommunications giant built secret rooms to allow the National Security Agency to conduct widespread surveillance of Internet traffic. The document also paints a detailed scenario of how the NSA may be conducting the top-secret operation, which closely matches information given to Salon by a former AT&T employee who worked at the company's network operations center in Bridgeton, Mo. The document, a statement by J. Scott Marcus, a former senior advisor for Internet technology to the Federal Communications Commission, was filed under seal on April 5 on behalf of the EFF to support its class-action suit against AT&T, which alleges that the company violated a number of federal laws in aiding the government's domestic spying operation against AT&T customers. The court sealed the document because it contained proprietary AT&T information, then ordered AT&T and EFF to work together to produce a redacted version to place in the public record, which they did on Thursday. EFF asked Marcus to examine records from a former AT&T technician in California named Mark Klein that describe how AT&T reconfigured its network in San Francisco and installed special computer systems in a secret room, allegedly to divert and collect Internet traffic to help the NSA conduct warrantless surveillance. Were the records authentic and was it feasible that they described a government surveillance program, or could the reconfiguration and systems have been put in place for more innocuous uses? Marcus concludes in his statement that the documents are authentic and, after considering a number of possible reasons for the reconfiguration -- such as legitimate network monitoring and maintenance -- writes that the system AT&T installed in a secret San Francisco room, and likely other cities, was "exceptionally well suited to a massive, distributed surveillance activity" and that "no other application provides as good an explanation for the combination of engineering choices that were made." He considered that the system might be set up to accommodate lawful traffic intercepts under the Communications Assistance for Law Enforcement Act, but deemed this not a credible scenario, since there are far simpler and less expensive solutions for meeting CALEA, which required Internet service providers to make their networks wiretap-ready. He also concludes that given how cash strapped AT&T was in 2002 and 2003 when the expensive changes and additions to the system were made, it is "exceedingly unlikely" that AT&T financed the project on its own. "I therefore conclude that it is highly probable that funding came from an outside source, and consider the U.S. Government to be the most likely source," he writes in the document. Over several pages that are redacted at key points, Marcus discusses technical details in the Klein documents that have previously been unavailable. (The Klein documents are under seal, and although some of them have made it to the Internet, others, judging by details revealed by Marcus, have never been made public.) According to Marcus, the Klein documents refer to a "private ... backbone network, which appears to partition from AT&T's main Internet backbone." This suggests the presence of a private network, Marcus writes, whose existence is "not consistent with normal AT&T practice." "The most plausible inference is that this was a covert network that was used to ship data of interest to one or more central locations for still more intensive analysis," Marcus writes. The most interesting aspect of the Marcus statement is the clear, though speculative, scenario he provides for how the National Security Agency is likely conducting its surveillance and data collection through that network. Marcus, currently a consultant with WIK-Consult GmbH in Bad Honnef, Germany, was unavailable for comment. But in the statement, he suggests that the secret San Francisco room is connected to two separate networks -- the regular commercial network on which e-mail, Web surfing and voice-over Internet Protocol traffic runs, and the second private, covert network that is partitioned off from the regular network and is used to divert traffic that has been copied and sent back to a central collection place. He suggests that massive amounts of data are collected at 15 to 20 locations around the country, where it is automatically screened and winnowed down to only "data of interest" by a special system installed in San Francisco (and likely elsewhere) before it is shipped off to one or two central collection points, where it is processed by powerful computers and analyzed by skilled staff. This agrees with what several sources told Salon this week. A former AT&T network technician who is well acquainted with AT&T's common backbone and asked to remain anonymous, told Salon about a secret, heavily secured room located in AT&T's Bridgeton facility, where the company runs its technical command center from which it manages all of its backbone. From that facility, the company could send commands to any of its 1,500 to 2,000 routers around the country to filter and divert traffic from those locations. To do that, the technician said, AT&T would need to physically place network "sniffers" at key points in the company's backbone. "There are 10 or 15 data centers located in major cities around the country," he said. "So they would need to stick [a sniffer] in each of those data centers to capture all the information." Then the company could easily send commands from the Bridgeton room to the routers in those locations. The commands would indicate what data to collect and where to divert it afterward. Marcus writes that although the configuration in San Francisco was deployed in early 2003, given AT&T processes, the planning for it was probably underway six to 12 months earlier. This coincides with the timing of the Bridgeton Network Operation Center, which was put in place about eight months before the San Francisco room was configured and was the place from which the work order for the secret room in San Francisco originated. The Bridgeton room, guarded with a high-tech mantrap with retinal and fingerprint scanners, is restricted to government workers and AT&T employees with top-secret security clearances and is likely just used for remotely monitoring and maintaining the secret rooms around the country and sending commands. Russ Tice, a former NSA officer and senior analyst until last year, told Salon that the data once collected is probably not sent to Bridgeton but instead is diverted to an NSA facility where powerful processing equipment can analyze it. As for the kind of data collected, Marcus infers from the Klein documents that the configuration in place in San Francisco would enable surveillance of "both overseas and purely domestic traffic." But the Klein evidence suggests that only "off net" traffic was being collected in San Francisco at the time the documents were written. "Off net" refers to traffic sent between AT&T customers and customers of other ISPs; "on net" traffic is sent strictly between one AT&T customer and another AT&T customer. Still, this amounts to a lot of data, Marcus says. It would mean that any traffic that passed through AT&T's network from another ISP or network would be intercepted. He suggests the possibility, however, that authorities could conceivably weed out domestic traffic to collect only international traffic exchanged between an AT&T customer and noncustomer, given that software programs exist that can help distinguish domestic Internet traffic from traffic that travels from outside the United States. But he writes that even with such weeding, some purely domestic traffic would likely slip through the filter. A hearing on the EFF lawsuit against AT&T is being held in San Francisco Friday to determine whether the case should be thrown out. The Department of Justice has interfered in the case, calling on the court to dismiss it on grounds that national security secrets would be exposed if a trial were to proceed. -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]