it looks like this is called QFIRE / MIDDLEMAN (CovNet?)
 http://cryptome.org/2013/12/nsa-qfire.pdf

of particular note you'll see that this unclassified (high risk side) TAO Covert Network is accessed within a NSA SCIF via a "highly constrained" *cough* VMWare ESX server instance (ala NetTop for back-end) which is then colocated at bare metal and/or directly guest bridged to the SCSnet / NSAnet / *secret networks.

. . . one day i'll have more to say about this! (i encourage the leakers to beat me to it ;)

--end-top-post--

On Tue, Nov 26, 2013 at 9:03 PM, coderman <coderman@gmail.com> wrote:
in the discussion regarding well positioned injection points on the backbone (QUANTUMINSERT) i have not yet seen discussion of using these well positioned injection points for covert network connections.
consider that you are eavesdropping on return path for a given un-used, high address space of a third party (a lot of that 15.0.0.0/8 is idle :)
consider that you can inject arbitrary packets into the egress for same net block (even if upstream, still sufficient to match route).
you can now establish a covert TCP connection appearing to come from the high space of 15.0.0.0/8, of which HP only sees the returning (encrypted) martians. (and this assumes they're even watching!)
this "wide stack" approach provides cover via multitudes of idle address spaces of third parties, while the actual communicators are hidden.
anxiously awaiting the details on how this is used...
*sacrifices chickens to the "Snowden Release Gatekeepers" (TM)*
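
From the address owner's side, the "returning martians" described in the quoted message are observable: inbound TCP data segments with advancing sequence numbers, addressed to space that never originates traffic, as opposed to ordinary backscatter (stray SYN-ACK/RST). The following is an added detection sketch, not part of the original posts; the idle prefix, the packet tuples and the threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the slice of 15.0.0.0/8 treated as idle (never originates traffic).
IDLE_NETS = [ipaddress.ip_network("15.192.0.0/10")]

# Constructed inbound packets at the owner's border:
# (time, src, sport, dst, dport, tcp_flags, seq, payload_len)
SAMPLE = [
    (1.0, "198.51.100.7", 443, "15.200.1.9", 51515, "SA", 1000, 0),
    (1.1, "198.51.100.7", 443, "15.200.1.9", 51515, "PA", 1001, 500),
    (1.2, "198.51.100.7", 443, "15.200.1.9", 51515, "PA", 1501, 500),
    (1.3, "198.51.100.7", 443, "15.200.1.9", 51515, "PA", 2001, 300),
    (2.0, "203.0.113.5", 80, "15.220.3.3", 1234, "SA", 77, 0),
    (5.0, "203.0.113.5", 80, "15.220.3.3", 1234, "SA", 77, 0),
    (3.0, "203.0.113.8", 80, "15.250.0.1", 999, "R", 0, 0),
    (4.0, "203.0.113.9", 22, "15.1.2.3", 40000, "PA", 5, 100),  # not idle space
]

def in_idle(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def follows(prev, cur):
    """True if cur starts at or after the end of prev, modulo 2**32."""
    (pseq, plen), (cseq, _) = prev, cur
    return (cseq - (pseq + plen)) % 2**32 < 2**31

def classify_flows(packets, idle_nets=IDLE_NETS, min_data_segments=3):
    # Group inbound packets to idle space by 4-tuple.
    flows = defaultdict(list)
    for ts, src, sport, dst, dport, flags, seq, plen in packets:
        if in_idle(dst, idle_nets):
            flows[(src, sport, dst, dport)].append((ts, flags, seq, plen))
    verdicts = {}
    for key, segs in flows.items():
        segs.sort()
        # Established-state data: ACK set, payload present, no SYN/RST.
        data = [(seq, plen) for _, flags, seq, plen in segs
                if plen > 0 and "A" in flags and not set(flags) & {"S", "R"}]
        live = (len(data) >= min_data_segments
                and all(follows(a, b) for a, b in zip(data, data[1:])))
        verdicts[key] = "one-sided-session" if live else "backscatter"
    return verdicts

if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE).items():
        print(flow, verdict)
```

A flow flagged `one-sided-session` means a remote peer believes it has an established connection with an address that has no host behind it, which is worth correlating with upstream routing and flow data.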