Given the number of employees at the NSA with far more integrity, ethics and intelligence than our politicians, and there’s at least 100,000 people in the United States with Top Secret clearance, it was simply unrealistic to expect this level of surveillance against the American people could be kept a secret indefinitely, just as it’s unrealistic to expect them to safeguard the US without some means of intercepting communications. From what I’ve seen trawling the blogs, the INFOSEC community appears to be in general agreement with the actions of Edward Snowden. A surveillance state, like the one we’ve been drifting towards for the last decade, ultimately does more to undermine a nation’s security and facilitate organised crime. Last week’s events provided just one example of why.
Much of this was our own fault, in not taking an interest in all the privacy-invading laws that were being passed over the years, in handing over so much of our personal information to the major Internet giants when common sense told us it was being turned over to God knows who, in brushing away legitimate worries with the tired and long disproven ‘nothing to hide, nothing to fear’ statement. The truth has always been ‘If you have nothing to hide, you’re in bigger trouble than you realise’.
So, the leaks themselves… Only the first document pertaining to the FISC order was a revelation, because something like that just isn’t supposed to happen in a Western democracy. The ‘checks and balances’ and legal processes are a joke, when it takes just a single court order at the request of the FBI (not the NSA in this case) to swipe 121 million peoples’ records. It’s a joke when a 29-year-old contractor can access that kind of information at leisure and do anything with it.
As for PRISM, the information made public about it was insignificant compared to what’s already been revealed over the years by organisations like the Open Rights Movement and the Electronic Frontier Foundation. While there are things I still won’t publicly comment on, it’s been widely known (and long confirmed) that certain capabilities do exist.
Room 641A, AT&T Building, San Francisco
The cat’s been out of the bag since at least 2006, when former AT&T technician Mark Klein revealed the existence of equipment that pipes traffic to a government location from one of the AT&T WorldNet switching installations (and several others). This was likely one component of the Total Information Awareness programme, commissioned by the Bush administration. Klein had three documents, dating from around 2004, to back this up:
* Study Group 3, LXG/Splitter Wiring
* SIMS, Splitter Cut-In and Test Procedure
* Cut-In and Test Procedure
The ‘cut-in’ relates to a technique for splitting fibre-optic cabling just enough to read the traffic passing through it. A ‘splitter cabinet’ is said to carry the data to the infamous Room 641A, which at the time of writing contained Sun servers, a couple of Juniper routers and a Narus STA 6400.
Narus’ own marketing talk is indecipherable, but I’m pretty sure the STA 6400 is a high-end Deep Packet Inspection system, designed primarily for intrusion detection and traffic management on corporate networks. However, if the NSA was using it in conjunction with the splitter cabinets, they could quite easily inspect unencrypted traffic without adding latency.
When a request is received, the traffic in this case is routed to a hub at the FBI Quantico via something labeled the ‘Quantico Circuit’, then potentially forwarded to the NSA building in Fort Meade.
At least one other ‘secret room’ is located at Verizon’s premises at Houston, according to an ex-NSA official interviewed by James Bamford, author of The Shadow Factory. A document posted at Cryptome.org also shows Verizon has the traffic inspection equipment and liaison team for servicing requests from law enforcement.
The NSA Data Centre
Another thing that was initiated during the Bush administration is the NSA’s giant data centre in Utah. What’s surprising about this is the lack of secrecy around it – the general plans are available online from mainstream sources like Wired.com. Even the approximate data storage capacity (10^24 bytes) is known, along with the fact they have a supercomputer optimised for breaking AES. I’d also hazard a guess that part of the reason they’re gathering so much traffic is to make their ciphertext analysis more efficient.
Binney made a couple of telling statements to the Wired.com reporter that link the data centre to Room 641A-type installations and what the FBI gathered from Verizon:
“Anybody you want, route to a recorder […] If your number’s in there? Routed and gets recorded. The Narus device allows you to take it all.” And when Bluffdale is completed, whatever is collected will be routed there for storage and analysis.
one of the deepest secrets of the Stellar Wind program—again, never confirmed until now—was that the NSA gained warrantless access to AT&T’s vast trove of domestic and international billing records, detailed information about who called whom in the US and around the world.’
In his interview, Snowden confirmed what I’ve argued here all along – that policies, procedures, ‘checks and balances’ provide almost no security while the technical means to bypass them exist. Even without the recent leaks, there was more than enough information published in mainstream sources telling us that nothing stored or communicated on the Internet could be considered private, and there’s generally nothing tangible preventing foreign governments, organised criminals and rogue employees getting our data if the backdoors are in place. How we deal with that is up to us.
I’ll end this post with something I read on The Guardian’s Comment is Free: ‘If you as an individual live your life true ie be honest & faithful then you will be free, but do not take it on yourself to be the conscience of every other human on earth though.’