----- Forwarded message from Scott Helms <khelms@zcorum.com> ----- Date: Thu, 5 Sep 2013 10:02:39 -0400 From: Scott Helms <khelms@zcorum.com> To: Eugen Leitl <eugen@leitl.org> Cc: NANOG list <nanog@nanog.org> Subject: Re: [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches The last paragraph in the post is the most important, but it invalidates the rest of the post. Core routers are a terrible intercept point because of load and the sheer amount of packets they process and they are also MUCH more likely to be running up to date firmware than a router in an edge network where the main technical person is primarily a Windows/Exchange admin. The problem with recording "everything" is that its not feasible and the idea that all/most/many core routers are merrily sending a copy of all packets to some external storage facility is demonstrably false. If you want to record flows that's a bit more technically (and legally in the US since its meta-data) feasible, but again netflow traffic from all/most/many core routers is extremely hard to hide on a 24/7 basis and again is demonstrably false. Its far easier (technically and legally) for the NSA to have a directory of devices they can tap on demand without the knowledge of the owners either through unpatched security flaws, cooperation from the carrier, or intentionally built back doors. Its also more feasibly for them (and we have good evidence this has happened) to directly mirror the layer 2 traffic on some of the largest backbone networks. This of course allows them to passively listen without impacting the core router, but that approach is quite difficult to leverage when you're trying to target a specific person or organization since the volume of unimportant information so greatly exceeds the targeted information. Scott Helms Vice President of Technology ZCorum (678) 507-5000 -------------------------------- http://twitter.com/kscotthelms -------------------------------- On Thu, Sep 5, 2013 at 7:20 AM, Eugen Leitl <eugen@leitl.org> wrote:
----- Forwarded message from liberationtech@lewman.us -----
Date: Wed, 4 Sep 2013 22:27:46 -0400 From: liberationtech@lewman.us To: liberationtech@lists.stanford.edu Subject: Re: [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches Organization: The Tor Project, Inc. X-Mailer: Claws Mail 3.9.2 (GTK+ 2.24.20; x86_64-pc-linux-gnu) Reply-To: liberationtech <liberationtech@lists.stanford.edu>
On Wed, 4 Sep 2013 20:33:09 -0400 Robert Guerra <rguerra@privaterra.org> wrote:
Curious on people's comments on types of routers, firewalls and other appliances that might be affected as well as mitigation strategies. Would installing a pfsense and/or other open source firewall be helpful in anyway at a home net location?
When I read this article, I read core routers and switches at ISPs, like Cisco, Juniper, F5, etc. I don't read this as linksys, dlink, netgear, etc. I'm sure NSA could crack into anything consumer level with ease, it's likely any 4-bit criminal could do it too. However, it makes more sense for NSA to watch the core connectivity points on the Internet, rather than watching individuals, solely from an economic effort versus benefit point of view.
When I ran global networks, one can record everything and sort out the individual streams later to find employees doing various layers of fraud or not. There was no point in watching the end points because it was too resource intensive.
I'm sure the NSA has analyzed this and come to the same conclusion. There's no point in going after tens of millions of endpoints, when you can own them all with a handful of switches.
A counterpoint is that most core Internet routers and switches are running at capacity and any monitoring affects quality of service and gets customers complaining.
-- Andrew http://tpo.is/contact pgp 0x6B4D6475 -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys@stanford.edu.
----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5