Thursday, June 13, 2013

NSA Leaks: Part II

"We hack network backbones – like huge internet routers, basically – that give us access to the communications of hundreds of thousands of computers without having to hack every single one." Eric Snowden on NSA hacking of foreign countries
This slide describes data content from major providers now available to the NSA. All the slides in this blog post are from The Guardian NSA Files.

After spending the night thinking about what I have read about the NSA collection techniques and Eric Snowden's comments about NSA spying overseas, a simple conception came to me. As part of this crisis, the providers in the slide above maintain they are not letting the NSA have unrestricted access to their file servers. Google, Facebook, Apple, etc. are maintaining that they respond to FISA requests per order (as they always have), sftp'ing data to the NSA. But this is not what Eric Snowden is maintaining, or what Glenn Greenwald and others are describing. In fact, this slide reveals an enhanced collection ability coming online slowly over the last seven years:

So clearly, the providers are either (1) misrepresenting their data feeds to the NSA, or (2) unaware of the mechanism by which their data is being retrieved, or (3) both (1) and (2) simultaneously. Note that the vertical axis isn't labeled in the slide above. Should we just assume it is representative of an accumulated amount of data? There are a number of linear regressions this slide might represent. The one I want to pursue here is the ongoing IPv6 migration. Let me explain why.

Regional networks are generally broken up into Autonomous Systems ("AS"). These systems often have "peering relationships" which allow them to share information and pass packets. (Boy, that simplifies things a bit...) At the edge of these regional networks are connections to backbone routers. These routers might give the NSA access to the thousands of terminals Snowden has referenced. Typically ATM ("Asynchronous Transfer Mode") based routers are used to move data across regional networks. ATM routers have strong advantages over TCP/IP at the backbone layers of the internet. At regional NAPs ("Network Access Points"), ATM routers could give the NSA access to the internet's "fat pipes" or perhaps even direct fiber links to Buckley or Ft. Meade.

The ATM routers would be the most likely collection points for the data specified in this slide, described as the "New Way" for the operational program named "Boundless Informant":

This is data-analytics collection, not field-agent-gathered intelligence. My guess is that there is still real conflict between the two methods, despite the fact that most of the IC probably wishes they could work together seamlessly. But back to the question of where this type of information actually comes from:

So the NSA and other state security services have always tapped wires, undersea cables, fiber optics, etc. But this slide distinguishes Prism from those more traditional "Echelon"-like signals interception ("sigint") efforts. What does the phrase "Collection directly from the servers of..." mean? To date, we do not exactly know. If we had the link from the slide below, we might have a better idea:

So let us assume for the moment that the NSA technical architecture for penetrating Hong Kong University servers and for draining data from Google is the same. What would that architecture look like? It is probably not extra NSA infrastructure wired into a foreign or Google telecom closet. It is most probably those ATM routers themselves. And this revelation begets an entire line of questions...