I'd bet by the time this post reaches the list most Cypherpunks &c will have already seen the string of information posted on Wired and other places, about AT&T's network. This is a level of detail that I strongly suspect has NSA folks shitting bricks:

http://www.wired.com/news/technology/0,70908-0.html?tw=wn_index_2

Here's an interesting quote:

One of the documents appears to describe AT&T's successful efforts to tap into 16 fiber-optic cables connecting the company's WorldNet internet backbone to other internet service providers. The document shows AT&T technicians phasing in fiber-optic splitters throughout February 2003, cutting them in four at a time on a weekly schedule, ending with a link to Mae West, an internet exchange point for West Coast traffic.

Now this is REALLY interesting:

http://blog.wired.com/images/nsadocs2_f.jpg

OK, this means the 16 fibers mentioned above are single wavelength. From this document we can also view what the actual bandwidths are: OC-12s and OC-48s, a couple of OC-3s and no OC-192s. Now I don't see any documentation stating that there isn't more than this going into the room. The "four splitters at a time" almost certainly implies that this traffic is coming off a 4-fiber BLSR (most likely too NSA worked with the other carriers to move the traffic to protect prior to installing the splitters).*

Theoretically, they could actually just backhaul all of this traffic using pretty ordinary 16 wavelength WDM from any number of vendors. Getting that cross-country is difficult, but with ULH (Ultra Long Haul) this could be done with a relative minimum of repeater/amplifier sites. If they pre-sort the traffic before backhauling it they could then actually just buy a wavelength on AT&T's backbone, which has some nice features to it (I'd bet they also have their own encryption used for the entire wavelength pipe, though I could be wrong).

The pinchpoint here just might actually be the deep packet inspection. Does anyone know what kind of bandwidth the narus boxes can support?

What this will do is give us an idea of how much traffic they are actually taking back. From our discussions some months ago, I have assumed (and still believe) that they can't grab EVERYTHING and pull it back, because that would require too obvious and too huge a network. My other assumption is that the narus deep packet inspection is enforcing a prioritization prior to hockeying the most "juicy" traffic into their fiber or wavelengths.

*: They would have first told the owner/carrier of one of those OC-N pipes to force a switch to protection bandwidth while they installed the splitters, and then switch back once the splitters were installed. It LOOKS like they did this ring-by-ring, diverting traffic away from the "break" and then installing splitters on all four fibers terminating across the break.
You know I really enjoyed George Orwell's Popcorn. Maybe that was Redenbockers' Popcorn while reading George Orwell...hehe...

Here is my dumb question for the day, but can someone show me where my logic has run aloof?

The NSA's claim is not to have listened to the content, just collected it. "Assuming" they're telling the truth on this, I thought they may be trying to create a bell-curve type application that scans the messages for content based on predetermined criteria (similar to content filters I assume).

However, the flaw I see is similar to the idea behind changing speed limits on residential streets. Public safety sets up the electronic signs to monitor speed limits, and flashes if you travel above the posted limit. Except the data can be ruined (for lack of a better word) if the drivers sneak up on the sign and gun-it past it, repeatedly!

How this applies to the NSA model: If normal citizens are polluting their data by using more vulgar or "terror driven" speech. How will they know legitimate traffic from crank-yankers?

-chris Y.A.C.Y.

On 17/05/06, Tyler Durden <camera_lumina@hotmail.com> wrote:
-- 
-G

"The knack of flying is learning how to throw yourself at the ground and miss."
"He felt that his whole life was some kind of dream and he sometimes wondered whose it was and whether they were enjoying it."
"He inched his way up the corridor as if he would rather be yarding his way down it..."
"We demand rigidly defined areas of doubt and uncertainty!"
"I love deadlines. I like the whooshing sound they make as they fly by."

Famous Quotes written by Douglas Adams, (British comic writer, 1952-2001)
http://hitchhikers.movies.go.com/
Well, I suspect they do a lot more before inspection, and use a statistical model to trigger whether they actually grab and backhaul any piece of traffic. "Obviously", source and destination country will matter, then within the US source and destination IP address (eg, knock into low-risk bucket if both source and destination IP correspond to Citigroup, even if one IP is within Saudi)...application is obviously going to matter, presence of crypto (and possible "crypto depth") and all the way up to L7 including key words. Clearly, this policy is going to be risk-model driven and will undergo periodic changes (implying too that NSA has their own LAN by which they download new policies remotely into the Narus boxes). It would be "nice" too if their models fill up their available backhauling bandwidth.

Now that just determines what traffic gets backhauled. It's a big vacuum cleaner that grabs as much as they can without requiring that they build a completely duplicate optical network. After that the traffic gets pulled into the Beltway (most likely) where further models probably determine whether the traffic gets stored, read by humans "now", or whatever. Note that by this time having a human actually bother to "read" an email or whatever is not necessarily important, even if it's encrypted.

What this means (to your point) is that merely building better crypto is only one axis to protect your privacy. If your communication gets as far as the Beltway and human examiners (or possibly gets shot down to their subterranean cracking farm) then you're already "of interest". With good enough crypto it's -possible- that you can thwart their attempts to actually read your email, and that's good because it forces them to decide whether they want to expend the big $$$ and risk exposure for a field operation.

But the other axis is statistical (as you point out). It's far better to never get caught in the NSA driftnets in the first place. This means stego, this means P2P (hum...what if I had a P2P video of a document I wanted to transmit...NSA wouldn't be able to read that document, right?) this means (somehow) encouraging more crypto in more places so your traffic doesn't stick out.

-TD
From: "Chris Olesch" <g13005@gmail.com>
To: cypherpunks@jfet.org, "Tyler Durden" <camera_lumina@hotmail.com>
Subject: Re: NS&AT&T
Date: Wed, 17 May 2006 11:34:47 -0500
On 5/17/06, Tyler Durden <camera_lumina@hotmail.com> wrote:
Well, I suspect they do a lot more before inspection, and use a statistical model to trigger whether the actually grab and backhaul any piece of traffic.
i'd love to know how much manpower is assigned to defining and tuning these filters. this is a difficult process to be sure.
Clearly, this policy is going to be risk-model driven and will undergo periodic changes (implying too that NSA has their own LAN by which they download new policies remotely into the Narus boxes).
the SunFire V880 is the Narus controller according to the docs and i bet the filter updates are pretty frequent. they might even use an IPsec VPN over the backhaul fiber via the cisco/juniper switches listed.
It would be "nice" too if their models fill up their available backhauling bandwidth.
indeed. and the StorEdge T3 could cache quite a bit during peak activity to fill up idle periods later at night. (oh crap, i hope we aren't giving them ideas! ;)
What this means (to your point) is that merely building better crypto is only one axis to protect your privacy.
yes. it keeps that layer 7 inspection guessing past layer 4. a large, reputable zero knowledge mix is what would be ideal, though the latency induced makes certain services impossible or unfriendly. i love to promote out of band distribution any chance i get, including sneaker net with DVD-R's and local wireless networks between peers. but you really need a zero knowledge configuration to be sure.
... With good enough crypto it's -possible- that you can thwart their attempts to actually read your email, and that's good because it forces them to decide whether they want to expend the big $$$ and risk exposure for a field operation.
i have faith in well designed hardware entropy sources and AES-256 in hardware when frequently rekeyed. pubkey crypto makes me nervous (long term) but will always be useful. i have much less faith in the systems around these crypto primitives, be it operating systems or protocols down to physical security and side channels. i bet the black bag jobs are almost always 100% effective.
But the other axis is statistical (as you point out). It's far better to never get caught in the NSA driftnets in the first place. This means stego, this means P2P (hum...what if I had a P2P video of a document I wanted to transmit...NSA wouldn't be able to read that document, right?) this means (somehow) encouraging more crypto in more places so your traffic doesn't stick out.
100,000,000 peers running a zero knowledge mix off their broadband connection. i don't think stego would be effective; if there was an unbreakable stego system the overhead would be significant. (there was a design a fellow at DC13 described using inodes on valid file systems for storage, but this doesn't give you much space compared to the physical storage capacity used overall) but lots of crypto everywhere would certainly help make the presence of encryption alone less interesting. (as has been rumored on this list and elsewhere that merely using encryption makes you interesting)
Oh yeah....
i'd love to know how much manpower is assigned to defining and tuning these filters. this is a difficult process to be sure.
They'll have a team of SAS and demographics experts somewhere. Given the financial services industry, this could be anywhere from half a dozen to several dozen people.
the SunFire V880 is the Narus controller according to the docs and i bet the filter updates are pretty frequent. they might even use an IPsec VPN over the backhaul fiber via the cisco/juniper switches listed.
Yes...it's VERY interesting to consider how they are transmitting those policy updates. Clearly they have a LAN. Does it use dedicated bandwidth? (eg, its own GbE, for instance) are they in-band with other traffic? (ie, a tunneled VPN inside a big GbE?) or are they leveraging some of the unused SONET DCC-ish overhead bytes? The next obvious question could actually cause a knock on the door so I won't ask it.
On 5/17/06, Tyler Durden <camera_lumina@hotmail.com> wrote:
The next obvious question could actually cause a knock on the door so I won't ask it.
I doubt the NSA cares about this list anymore (assuming they ever did).

Back to the topic at hand, I'm sure they do policy updates via whatever channel they are receiving data. It's very common to just have a single out of band reporting/management link.

And I'd be surprised if these servers had any type of internal/external storage, such as the suggested Storedge. They most likely boot off the network, so if the servers are grabbed, there is only the contents of ram to worry about, and I'm sure there are rather explosive safeguards against that.

A side benefit of having the filesystem living on an nfs server somewhere is that the above mentioned policy updates could be as simple as changing a single file on the storage server, and having all the sniffing servers immediately updated. I'm sure there are customized local policies for each region, but there would be a set of shared common policy.

Mike
On 5/17/06, Mike Owen <kyphros@gmail.com> wrote:
... I doubt the NSA cares about this list anymore (assuming they ever did).
hmm, i recall amusing conversations about honey tokens and baiting TLA's. *grin*
Back to the topic at hand, I'm sure they do policy updates via whatever channel they are receiving data. It's very common to just have a single out of band reporting/management link.
true, this is probably how it is done. would IPsec or some NSA built auth & privacy at layer 2 be more likely?
And I'd be surprised if these servers had any type of internal/external storage, such as the suggested Storedge. They most likely boot off the network, so if the servers are grabbed, there is only the contents of ram to worry about, and I'm sure there are rather explosive safeguards against that.
consider this vicious rumor but a little birdie informed me that physical security at these locations is well covered. strategically placed cages, reinforced and locked, armed guards. all this on top of the usually very tight security at these facilities. (though it sounded like the guards were a recent introduction. someone getting nervous about legitimate employees poking around?) so in this case i think there is probably useful data on the disks (the filters and controlling software for the narus / other equipment), caching might be implemented (the T3's on fibre channel have some nice throughput, although this configuration is years old at this point), and i very much doubt any destructive countermeasures.
A side benefit of having the filesystem living on an nfs server somewhere is that the above mentioned policy updates could be as simple as changing a single file on the storage server, and having all the sniffing servers immediately updated.
network file systems introduce reliability concerns. intermittent link outages would mean a bit of caching in the local case, but might cause monitoring / capture failure in a network file system scenario. maybe we'll find out in the near future. :)
Back to the topic at hand, I'm sure they do policy updates via whatever channel they are receiving data. It's very common to just have a single out of band reporting/management link.
true, this is probably how it is done. would IPsec or some NSA built auth & privacy at layer 2 be more likely?
Well, how out of band? Do you mean the management VPN (or whatever) doesn't travel with the actual grabbed traffic? (Frankly, this would be my first candidate.)

Of course, they could do it via SONET overhead bytes, thus avoiding the flakiness and vulnerability that routers and switches still seem to have. One wonders too if they do anything with SS7.

Of course, they could have a dedicated fiber for their management LAN, but due to latency issues &c I would suspect that can't be a LAN all the way across the country...they've got to Long-Haul the management traffic somehow, which implies packing it into a 100BaseT or whatever and then shipping that out either packed in SONET or with other circuit-switched traffic. Or of course, they might just have their management on something like STS-3C POS, and the rest of their OC-48/192 carries real traffic.

Anyone know what telecom vendor NSA uses?

-TD
On 5/17/06, Tyler Durden <camera_lumina@hotmail.com> wrote:
... Well, how out of band? Do you mean the management VPN (or whatever) doesn't travel with the actual grabbed traffic? (Frankly, this would be my first candidate.)
i was thinking three scenarios:

1. backhaul is a dedicated link (SONET?*) with encryption at this layer and control/management out of band.
2. backhaul and control/mgmt on the dedicated link (SONET?*) with encryption at this layer, no IPsec.
3. backhaul and control/mgmt on the dedicated link using IPsec for both. (least likely perhaps)

the nature of SONET would make encryption at this layer tricky i think (L2/L3?) although the NSA is fond of authentication and privacy at the link layer. if a desire to leverage commercial solutions (narus, cisco, juniper, etc) won out would a strongly keyed IPsec be sufficient? no ISAKMP/IKE here, heh.
Of course, they could do it via SONET overhead bytes, thus avoiding the flakiness and vunerability that routers and switches still seem to have.
covert channels for backhaul? nah, that would still be too visible. especially if/when a customer puts link testing equipment on the line and sees something funny. SONET doesn't give you a lot of play room.
One wonders too if they do anything with SS7.
not for this. capturing SS7 would be useful and is surely performed though...
Of course, they could have a dedicated fiber for their management LAN, but due to latency issues &c I would suspect that can't be a LAN all the way across the country...
why not? most of these SONET/[D]WDM links are long haul anyway. it's not a single repeated fiber, but hops along backbone peering points like everything else. also casts an interesting light on the new super NSA warehouse planned for Denver, CO doesn't it. nice place to position tap aggregation...
Anyone know what telecom vendor NSA uses?
AT&T, Verizon and Sprint for sure. probably lease fiber (through some obfuscated shell company / other agency configuration?) from all of them to some degree, including the transoceanic cable oligopolies.

one way to find out:
- perform your own non-interruptive tap on the fibers exiting $telco via infiltration of outside plant conduit. (so easy, lol)
- using test equipment see what SONET link(s) are full of blackened traffic. you could use AS no's or BGP/SS7 characteristics to identify legitimate circuits and highlight the blackened ones via elimination.
- ask Sean Gorman or GeoTEL MetroFiber which provider sold out that particular circuit/fiber/route.

something tells me this is beyond the means of your average hacker. FOIA requests it is then... *grin*

for the record: i'm not advocating illegal intrusions; this is a mental exercise. :)

[ i'm not too paranoid about visits from MIB's but mapping critical information infrastructure is definitely one way to attract attention. maybe i'll talk more about that later... ]
Coderman wrote...
Of course, they could do it via SONET overhead bytes, thus avoiding the flakiness and vunerability that routers and switches still seem to have.
covert channels for backhaul? nah, that would still be too visible. especially if/when a customer puts link testing equipment on the line and sees something funny. SONET doesn't give you a lot of play room.
There are plenty of unused bytes in the SONET overhead, particularly at OC-48 and OC-192 (in fact, most of the line and section overhead is empty because the overhead bytes are only defined for the first STS-1! Not a lot of people know that). The problem, however, is that Line and Section layer overhead will be terminated pretty much every time they pass through a SONET box. There's the possibility of using the POH for control and management traffic, because that -should- stay with the payload.

In terms of visibility they could of course encrypt those packets, possibly even using off-the-shelf VPN if they run a short stack management channel (though 7-layer/OSI is not impossible, given the old fondness for it in standards groups for so long). On the other hand they could possibly just go in-band and send the management info with their backhauled traffic, but I'm still a little doubtful about that.

-TD
On Wed, 17 May 2006, Tyler Durden wrote:
Anyone know what telecom vendor NSA uses?
Lucent (now French, I believe?)

-- 
Yours,

J.A. Terranson
sysadmin@mfn.org
0xBD4A95BF

'The right of self defence is the first law of nature: in most governments it has been the study of rulers to confine this right within the narrowest limits possible. Wherever standing armies are kept up, and the right of the people to keep and bear arms is, under any colour or pretext whatsoever, prohibited, liberty, if not already annihilated, is on the brink of destruction.'

St. George Tucker
Yes...I think using US vendors whenever possible was always part of their policy. Let me look at the latest Lucent gear.

Actually, of all the documents I've seen until now, the only real smoking gun is the use of the optical splitters themselves...if everything was above board they should have been able to drop-and-continue copies of the traffic "legally" using the transport equipment itself. Also, the fact that AT&T tried to suppress the documentation says a lot too. They could have played it cool: "Nothing to see here, see? We were just testing traffic like we always do..."

-TD
From: "J.A. Terranson" <measl@mfn.org>
To: Tyler Durden <camera_lumina@hotmail.com>
CC: coderman@gmail.com, kyphros@gmail.com, cypherpunks@jfet.org
Subject: Re: NS&AT&T
Date: Mon, 22 May 2006 13:23:48 -0500 (CDT)
From: "Mike Owen" <kyphros@gmail.com>
To: cypherpunks@jfet.org
Subject: Re: NS&AT&T
Date: Wed, 17 May 2006 15:33:20 -0700
On 5/17/06, Tyler Durden <camera_lumina@hotmail.com> wrote:
The next obvious question could actually cause a knock on the door so I won't ask it.
I doubt the NSA cares about this list anymore (assuming they ever did).
Well, just think about the $$$ that have flowed into NSA and the War on TERROR! and how few actual terrorists there are. You can be damned sure someone's monitoring this list, most probably as their full time job. Fuck, they probably post occasionally just out of boredom. True? -TD
There were once cpunk subscribers from NSA's National Computer Security Center (ncsc.mil; 144.51.x.x) in the 90s and a slew of .mils, .govs and others interested in crypto before it became a porkbelly commodity.

Learning from cpunks, a daily bot from ncsc came to JYA.com (predecessor of Cryptome) when it set up in 1996, and took anything new:

http://jya.com/nsa-bot.htm

There are still occasional visits from several ncsc machines but not a daily bot, at least not by that couture label. Here's a list of 2,821 machine addresses at ncsc in 2001:

http://cryptome.org/nsa-2821.htm

Never a hit from nsa.gov, which appears to be only public tool like fbi.gov not used for lazy gandering and fucking off. NSANET and www.nsa (no extension) are hard to crack but once gave good comsec, maybe still do:

https://www.advancement.cnet.navy.mil/courses/StudentFunctions/enrollment/SecSources.asp
On 5/17/06, Tyler Durden <camera_lumina@hotmail.com> wrote:
... Well, just think about the $$$ that have flowed into NSA and the War on TERROR! and how few actual terrorists there are. You can be damned sure someone's monitoring this list, most probably as their full time job.
they subscribe via narus feed of course :)
At 06:21 PM 5/17/2006, Tyler Durden wrote:
Well, just think about the $$$ that have flowed into NSA and the War on TERROR! and how few actual terrorists there are. You can be damned sure someone's monitoring this list, most probably as their full time job. Fuck, they probably post occasionally just out of boredom. True?
Nah, they stopped monitoring us years ago, when Tim May had been gone long enough that we stopped talking about him :-)
At 10:54 PM -0700 5/17/06, Bill Stewart wrote:
Nah, they stopped monitoring us years ago, when Tim May had been gone long enough that we stopped talking about him :-)
"When I was your age we didn't have Tim May! We had to be paranoid on our own! And we were grateful!" --Alan Olsen

-- 
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"...our claim to be left in the unmolested enjoyment of vast and splendid possessions, mainly acquired by violence, largely maintained by force, often seems less reasonable to others than to us." -- Winston Churchill, January 1914
On Wed, May 17, 2006 at 06:06:21PM -0400, Tyler Durden wrote:
The next obvious question could actually cause a knock on the door so I won't ask it.
Why would you fear it? It would be a badge of honor. But no fear, they won't -- it would be giving away capabilities. Many have claimed LEOs were reading the list in the past, but I presume by a direct subscription. I don't think human eyes see much of this traffic, but no doubt all of it goes into storage. As all low-volume traffic (I don't think anybody bothers with video, and maybe audio).

How would you trace back large scale purchases of hard drives and computer clusters to a TLA? They have to use contractors for that.

-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Eugene Leitl said...
How would you trace back large scale purchases of hard drives and computer clusters to a TLA? They have to use contractors for that.
Ah...I think that's a very interesting question, particularly in the larger sense. Public companies have to (and are well motivated to) report on their sales. A nice deep, statistical dive could probably reveal what equipment they're buying, at least as $$$/sale-->oo. Hell, a lot of these are even announced as "Lucent signed a $1.5B contract to supply equipment and services to the government today..." Too bad there are no other superpowers around these days. Then again, I suspect the Soviets were always too fucked up to bother with something like that. -TD
Maybe it's just me, but my brother-in-law and I used to wonder why most of AT&T's cable traffic routed thru the east coast before going out west (or Asia). This would have been well within the range they decided to set up camp, early 2002 thru 2003 (maybe 2004). On the MOT backbone traffic was routed normally, yet at home it took extra routes. Tracert after tracert from within AT&T's net would mention long routes. It would bounce 3 or 4 times, go out the Chicago trunk, then end up on some CIA or other federal line, then go back (but this time around Chicago) and end in Cali. If our destination was Japan or Siberia, the chat latency was unbearable. I was glad when Comcast took over, but then again maybe all this humdrum was removed from the line (tracerts). He and I were aware of the Echelon systems way before the public had, and of course were ridiculed as being paranoids, or were those arkanoids...lol...Heck, for fun we had Carnivore installed on everything, though my favorite plugin was "Carnivore is sorry!" Every time he and I are talking with friends or associates who bring up the NSA this, or the FBI is spying, we just laugh, because we look at them and say, "and this surprises you how? hmm, funny, I seem to remember mentioning this a long time ago, and you thought I was a crackpot!" Then we just look at them, deny what they are saying..."I'm sure I don't know what you are talking about." or "Maybe you should see a doctor about your recent flares of paranoia; the US government doesn't get involved in domestic espionage, especially since we do our best to vote in all these fantastic "TOP" officials." If you ask me, someone is laughing all the way down the data pipe, and maybe maniacally too...hehe
--
-G
"The knack of flying is learning how to throw yourself at the ground and miss." "He felt that his whole life was some kind of dream and he sometimes wondered whose it was and whether they were enjoying it."
"He inched his way up the corridor as if he would rather be yarding his way down it..." "We demand rigidly defined areas of doubt and uncertainty!" "I love deadlines. I like the whooshing sound they make as they fly by." Famous Quotes written by Douglas Adams, (British comic writer, 1952-2001) http://hitchhikers.movies.go.com/
On 2006-05-17T15:42:41-0400, Tyler Durden wrote:
But the other axis is statistical (as you point out). It's far better to never get caught in the NSA driftnets in the first place. This means stego, this means P2P (hum...what if I had a P2P video of a document I wanted to transmit...NSA wouldn't be able to read that document, right?) this means (somehow) encouraging more crypto in more places so your traffic doesn't stick out.
I suspect that anyone caught by narus sending any sort of unusual encrypted traffic (i.e. not skype or ssl on port 443), particularly traffic to a published tor node or to a known mix node, is automatically put in the "somewhat interesting" bucket. Thus, the kind of people who can avoid being caught in the dragnet by using stego have already been caught due to earlier experimentation. If the NSA has access to ISP subscription records, which current news reports suggest they do, even changing IPs or ISPs is not enough. You have to create a completely new identity, or you have to abuse an open net connection somewhere. And open connections like wireless hotspots are probably already flagged due to interesting traffic coming from them in the past.
--
The six phases of a project: I. Enthusiasm. II. Disillusionment. III. Panic. IV. Search for the Guilty. V. Punishment of the Innocent. VI. Praise & Honor for the Nonparticipants.
You would think that if they wanted to lure customers into their spiderweb, they would simply offer free internet access, and bury a 'we have the right to spy on you' clause somewhere in the agreement. I'm sure the sheeple would be more than happy to surrender their souls for that....hehe
On 18/05/06, Justin <justin-cypherpunks@soze.net> wrote:
On 2006-05-17T15:42:41-0400, Tyler Durden wrote:
But the other axis is statistical (as you point out). It's far better to never get caught in the NSA driftnets in the first place. This means stego, this means P2P (hum...what if I had a P2P video of a document I wanted to transmit...NSA wouldn't be able to read that document, right?) this means (somehow) encouraging more crypto in more places so your traffic doesn't stick out.
I suspect that anyone caught by narus sending any sort of unusual encrypted traffic (i.e. not skype or ssl on port 443), particularly traffic to a published tor node or to a known mix node, is automatically put in the "somewhat interesting" bucket.
Thus, the kind of people who can avoid being caught in the dragnet by using stego have already been caught due to earlier experimentation.
If the NSA has access to ISP subscription records, which current news reports suggest they do, even changing IPs or ISPs is not enough. You have to create a completely new identity, or you have to abuse an open net connection somewhere. And open connections like wireless hotspots are probably already flagged due to interesting traffic coming from them in the past.
--
The six phases of a project: I. Enthusiasm. II. Disillusionment. III. Panic. IV. Search for the Guilty. V. Punishment of the Innocent. VI. Praise & Honor for the Nonparticipants.
--
-G
"The knack of flying is learning how to throw yourself at the ground and miss." "He felt that his whole life was some kind of dream and he sometimes wondered whose it was and whether they were enjoying it." "He inched his way up the corridor as if he would rather be yarding his way down it..." "We demand rigidly defined areas of doubt and uncertainty!" "I love deadlines. I like the whooshing sound they make as they fly by." Famous Quotes written by Douglas Adams, (British comic writer, 1952-2001) http://hitchhikers.movies.go.com/
Ironically, At 3:12 AM -0500 5/19/06, Chris Olesch <g13005@gmail.com> wrote:
You would think that if they wanted to lure customers into their spiderweb, they would simply offer free internet access, and bury a 'we have the right to spy on you' clause somewhere in the agreement.
There's a name for something like that. It's called "Google". ;-) Cheers, RAH
--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
On 5/17/06, Tyler Durden <camera_lumina@hotmail.com> wrote:
... Theoretically, they could actually just backhaul all of this traffic using pretty ordinary 16 wavelength WDM from any number of vendors. Getting that cross-country is difficult, but with ULH (Ultra Long Haul) this could be done with a relative minimum of repeater/amplifier sites. If they pre-sort the traffic before backhauling it they could then actually just buy a wavelength on AT&T's backbone, which has some nice features to it (I'd bet they also have their own encryption used for the entire wavelength pipe, though I could be wrong).
this would be my assumption. filter and backhaul the interesting content on leased fiber. (and pay for rack room + leased fiber, $$$) i'd love to have Sean Gorman's fiber map about now...
The pinchpoint here just might actually be the deep packet inspection. Does anyone know what kind of bandwidth the narus boxes can support?
4 x OC3 = 622,080 kbps
8 x OC12 = 4,976,640 kbps
4 x OC48 = 9,953,280 kbps
== 15.552 Gbps
(is half of this mostly idle protect?)
given FPGA matching which can support at least a few hundred snort style rules per chip at 10GigE line speed i don't think the Narus is the bottleneck / limiting factor. this type of deep inspection scales linearly and is well within budget (though still expensive). the Narus Insight can troll 10GigE/OC-192 links at L4 and OC-48 at L7. this might explain why the circuits top out at OC-48 into the tap panel. if you had a culling ratio of 25:1 you could backhaul all the interesting traffic for this 15Gbps feed on an OC12. assuming half these links are idle protect that would drop the necessary culling in half.
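The per-circuit tally and the 25:1 culling estimate in the post above, worked through as an added Python example (not code from the thread or from any poster). The tap-panel inventory is the one listed in the post; the OC-n line rates are the standard SONET values (n x 51.84 Mbit/s), and the function that picks the smallest standard OC level generalizes the post's OC-12 case.

```python
# Added example: SONET capacity arithmetic behind the tap-panel tally.
STS1_KBPS = 51_840  # OC-1 / STS-1 line rate, 51.84 Mbit/s

def oc_rate_kbps(n):
    """Line rate of an OC-n circuit in kbit/s (n x 51.84 Mbit/s)."""
    return n * STS1_KBPS

def aggregate_kbps(inventory):
    """Total line rate for an inventory given as {oc_level: circuit_count}."""
    return sum(count * oc_rate_kbps(n) for n, count in inventory.items())

def culling_ratio(feed_kbps, backhaul_oc):
    """Bits seen per bit kept so the survivors fit on one OC-backhaul_oc."""
    return feed_kbps / oc_rate_kbps(backhaul_oc)

def smallest_oc_for(kbps, levels=(1, 3, 12, 48, 192, 768)):
    """Smallest standard OC level whose line rate covers kbps, or None."""
    for n in levels:
        if oc_rate_kbps(n) >= kbps:
            return n
    return None

# Circuit inventory from the post: 4 x OC-3, 8 x OC-12, 4 x OC-48.
TAP_PANEL = {3: 4, 12: 8, 48: 4}

if __name__ == "__main__":
    total = aggregate_kbps(TAP_PANEL)
    for n, count in TAP_PANEL.items():
        print(f"{count} x OC{n} = {count * oc_rate_kbps(n):,} kbps")
    print(f"aggregate feed: {total:,} kbps = {total / 1e6:.3f} Gbps")
    # 25:1 culling lands exactly on one OC-12, as the post says.
    print(f"culling needed for OC-12 backhaul: {culling_ratio(total, 12):.1f}:1")
    # If half the capacity is idle protect, only half the feed carries traffic.
    print(f"with half idle protect: {culling_ratio(total / 2, 12):.1f}:1")
    print(f"smallest single OC level for the full feed: OC-{smallest_oc_for(total)}")
```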
4 x OC3 = 622,080 kbps
8 x OC12 = 4,976,640 kbps
4 x OC48 = 9,953,280 kbps
== 15.552 Gbps
(is half of this mostly idle protect?)
Most likely no. From the context of the circuit order it seemed pretty clear that this was all active traffic. These were the fibers that were optically tapped. Also, BLSRs (Bidirectional Line Switched Rings) support "extra traffic" that gets bumped during a protection switching event, so the protect bandwidth wouldn't even be idle (though the routers would probably throttle down when they sensed less bandwidth). Interestingly, though, from your chart above it looks like they probably have a router and an OC-192. The odds of all of these pipes being full of packets at the same time is probably very small, so maybe they can indeed grab everything. -TD