NS&AT&T

Tyler Durden camera_lumina at hotmail.com
Wed May 17 12:42:41 PDT 2006


Well, I suspect they do a lot more before inspection, and use a statistical 
model to trigger whether they actually grab and backhaul any piece of 
traffic.

"Obviously", Source and destination country will matter, then within the US 
source and destination IP address (eg, knock into low-risk bucket if both 
source and destination IP correspond to Citigroup, even if one IP is within 
Saudi)...application is obviously going to matter, presence of crypto (and 
possible "crypto depth") and all the way up to L7 including key words.

Clearly, this policy is going to be risk-model driven and will undergo 
periodic changes (implying too that NSA has their own LAN by which they 
download new policies remotely into the Narus boxes). It would be "nice" too 
if their models fill up their available backhauling bandwidth.

Now that just determines what traffic gets backhauled. It's a big vacuum 
cleaner that grabs as much as they can without requiring that they build a 
completely duplicate optical network. After that the traffic gets pulled 
into the Beltway (most likely) where further models probably determine 
whether the traffic gets stored, read by humans "now", or whatever.

Note that by this time having a human actually bother to "read" an email or 
whatever is not necessarily important, even if it's encrypted.

What this means (to your point) is that merely building better crypto is 
only one axis to protect your privacy. If your communication gets as far as 
the Beltway and human examiners (or possibly gets shot down to their 
subterranean cracking farm) then you're already "of interest". With good 
enough crypto it's -possible- that you can thwart their attempts to actually 
read your email, and that's good because it forces them to decide whether 
they want to expend the big $$$ and risk exposure for a field operation.

But the other axis is statistical (as you point out). It's far better to 
never get caught in the NSA driftnets in the first place. This means stego, 
this means P2P (hum...what if I had a P2P video of a document I wanted to 
transmit...NSA wouldn't be able to read that document, right?) this means 
(somehow) encouraging more crypto in more places so your traffic doesn't 
stick out.

-TD
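The triage model sketched above (score by country, then endpoint identity, then application, presence of crypto, then L7 keywords, and backhaul only as much as the pipe allows), written out as an added example. This code is not from the thread or from any real system: every address block, country weight, keyword, score and flow record is constructed for illustration, and the byte-entropy test stands in for the "crypto depth" signal mentioned in the post.

```python
import hashlib
import ipaddress
import math
from collections import Counter
from dataclasses import dataclass

# Constructed policy. Every value here is invented for illustration; a real
# policy would be far larger and tuned on live traffic, then pushed to the
# inspection boxes the way the post describes.
LOW_RISK_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # hypothetical "bank" block (RFC 5737 test space)
COUNTRY_SCORE = {"US": 0, "GB": 1, "SA": 4, "PK": 5}     # unknown country -> 3
APP_SCORE = {"http": 1, "smtp": 2, "ssh": 3}             # unknown app -> 2
KEYWORDS = {"detonate": 5, "cell": 3, "package": 1}      # L7 keyword weights
CRYPTO_BONUS = 2                                          # "presence of crypto"
ENTROPY_THRESHOLD = 7.0                                   # bits/byte; ciphertext ~7.8+, English ~4-5


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    src_cc: str       # source country code
    dst_cc: str       # destination country code
    app: str
    payload: bytes    # first bytes of the application payload
    size_kb: int      # bytes that would have to be backhauled


def entropy_bits(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Cheap 'crypto depth' proxy: high entropy means ciphertext or compression."""
    return entropy_bits(data) >= ENTROPY_THRESHOLD


def in_low_risk_block(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOW_RISK_NETS)


def score(flow: Flow) -> int:
    """Risk score: geography, then endpoint identity, then application and L7."""
    s = COUNTRY_SCORE.get(flow.src_cc, 3) + COUNTRY_SCORE.get(flow.dst_cc, 3)
    # Endpoint identity overrides geography: both ends inside a trusted block is
    # the "Citigroup in Saudi" case, knocked into the low-risk bucket.
    if in_low_risk_block(flow.src_ip) and in_low_risk_block(flow.dst_ip):
        s = 0
    s += APP_SCORE.get(flow.app, 2)
    if looks_encrypted(flow.payload):
        s += CRYPTO_BONUS                     # can't read it, but crypto itself is a signal
    else:
        text = flow.payload.decode("latin-1").lower()
        s += sum(w for k, w in KEYWORDS.items() if k in text)   # L7 keyword hits
    return s


def select_for_backhaul(flows: list[Flow], budget_kb: int) -> list[Flow]:
    """Greedy triage: highest score first, skipping flows that no longer fit."""
    chosen, used = [], 0
    for f in sorted(flows, key=lambda f: (-score(f), f.size_kb)):
        if used + f.size_kb <= budget_kb:
            chosen.append(f)
            used += f.size_kb
    return chosen


# Constructed sample traffic. CIPHERTEXT_LIKE is deterministic pseudo-random
# filler (chained SHA-256 digests) standing in for a real encrypted payload.
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "192.0.2.20", "US", "SA", "http", CIPHERTEXT_LIKE, 500),   # bank to its own branch
    Flow("198.51.100.5", "203.0.113.7", "US", "PK", "smtp",
         b"Meeting moved to Thursday; please bring the package.", 200),
    Flow("198.51.100.9", "203.0.113.8", "US", "US", "http",
         b"lol see you at the cell tower? no, the mall.", 300),
    Flow("198.51.100.22", "203.0.113.40", "GB", "PK", "ssh", CIPHERTEXT_LIKE, 700),
]


def triage_report(flows: list[Flow] = SAMPLE_FLOWS, budget_kb: int = 1000) -> list[tuple[str, int]]:
    """Return (dst_ip, score) for each flow that made the backhaul cut, best first."""
    return [(f.dst_ip, score(f)) for f in select_for_backhaul(flows, budget_kb)]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src_ip:>14} -> {f.dst_ip:<14} {f.app:<5} score={score(f):2d} "
              f"entropy={entropy_bits(f.payload):.2f}")
    print("backhauled:", triage_report())
```

With the constructed budget of 1000 KB the encrypted GB-to-PK SSH session and the cleartext US-to-PK mail are backhauled; the bank-to-bank flow scores lowest despite one endpoint being in a high-weight country, because endpoint identity overrides geography, and the US-to-US chat is dropped only because it no longer fits. The keyword term is the one Chris Olesch's "crank-yankers" question below attacks: if enough innocuous flows carry the keywords, that term stops separating traffic and the ranking falls back on the other signals.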


>From: "Chris Olesch" <g13005 at gmail.com>
>To: cypherpunks at jfet.org, "Tyler Durden" <camera_lumina at hotmail.com>
>Subject: Re: NS&AT&T
>Date: Wed, 17 May 2006 11:34:47 -0500
>
>You know I really enjoyed George Orwell's Popcorn. Maybe that was
>Redenbacher's Popcorn while reading George Orwell...hehe...
>
>Here is my dumb question for the day, but can someone show me where my logic
>has run aloof?
>
>The NSA's claim is not to have listened to the content, just collected it.
>"Assuming" they're telling the truth on this, I thought they may be trying to
>create a bell-curve type application that scans the messages for content
>based on predetermined criteria (similar to content filters I assume).
>
>However, the flaw I see is similar to the idea behind changing speed limits
>on residential streets. Public safety sets up the electronic signs to
>monitor speed limits, and flashes if you travel above the posted limit.
>Except the data can be ruined (for lack of a better word) if the drivers
>sneak up on the sign and gun-it past it, repeatedly!
>
>How this applies to the NSA model: if normal citizens are polluting their
>data by using more vulgar or "terror driven" speech, how will they know
>legitimate traffic from crank-yankers?
>
>-chris
>Y.A.C.Y.
>
>On 17/05/06, Tyler Durden <camera_lumina at hotmail.com> wrote:
>>
>>I'd bet by the time this post reaches the list most Cypherpunks &c will have
>>already seen the string of information posted on Wired and other places,
>>about AT&T's network. This is a level of detail that I strongly suspect has
>>NSA folks shitting bricks:
>>
>>http://www.wired.com/news/technology/0,70908-0.html?tw=wn_index_2
>>
>>
>>Here's an interesting quote:
>>
>> >One of the documents appears to describe AT&T's successful efforts to tap
>> >into 16 fiber-optic cables connecting the company's WorldNet internet
>> >backbone to other internet service providers. The document shows AT&T
>> >technicians phasing in fiber-optic splitters throughout February 2003,
>> >cutting them in four at a time on a weekly schedule, ending with a link
>> >to Mae West, an internet exchange point for West Coast traffic.
>>
>>Now this is REALLY interesting:
>>
>>http://blog.wired.com/images/nsadocs2_f.jpg
>>
>>OK, this means the 16 fibers mentioned above are single wavelength. From
>>this document we can also view what the actual bandwidths are: OC-12s and
>>OC-48s, a couple of OC-3s and no OC-192s. Now I don't see any documentation
>>stating that there isn't more than this going into the room. The "four
>>splitters at a time" almost certainly implies that this traffic is coming
>>off a 4-fiber BLSR (most likely too NSA worked with the other carriers to
>>move the traffic to protect prior to installing the splitters).*
>>
>>Theoretically, they could actually just backhaul all of this traffic using
>>pretty ordinary 16 wavelength WDM from any number of vendors. Getting that
>>cross-country is difficult, but with ULH (Ultra Long Haul) this could be
>>done with a relative minimum of repeater/amplifier sites. If they pre-sort
>>the traffic before backhauling it they could then actually just buy a
>>wavelength on AT&T's backbone, which has some nice features to it (I'd bet
>>they also have their own encryption used for the entire wavelength pipe,
>>though I could be wrong).
>>
>>The pinchpoint here just might actually be the deep packet inspection. Does
>>anyone know what kind of bandwidth the narus boxes can support?
>>
>>What this will do is give us an idea of how much traffic they are actually
>>taking back. From our discussions some months ago, I have assumed (and still
>>believe) that they can't grab EVERYTHING and pull it back, because that
>>would require too obvious and too huge a network. My other assumption is
>>that the narus deep packet inspection is enforcing a prioritization prior to
>>hockeying the most "juicy" traffic into their fiber or wavelengths.
>>
>>*: They would have first told the owner/carrier of one of those OC-N pipes
>>to force a switch to protection bandwidth while they installed the
>>splitters, and then switch back once the splitters were installed. It LOOKS
>>like they did this ring-by-ring, diverting traffic away from the "break" and
>>then installing splitters on all four fibers terminating across the break.
>>
>
>
>
>--
>-G
>
>"The knack of flying is learning how to throw yourself at the ground and
>miss."
>"He felt that his whole life was some kind of dream and he sometimes
>wondered whose it was and whether they were enjoying it."
>"He inched his way up the corridor as if he would rather be yarding his way
>down it..."
>"We demand rigidly defined areas of doubt and uncertainty!"
>"I love deadlines. I like the whooshing sound they make as they fly by."
>
>Famous Quotes written by Douglas Adams,  (British comic writer, 1952-2001)
>http://hitchhikers.movies.go.com/