Thanks for the reality check on Cisco-pushed router software updates; I agree there would likely have to be operator complicity to actually alter any routing patterns, insofar as carefully managing flows is kind of the definition of what the operators do.

As to the point about lawful intercept and backdoors, IMHO that bears repeating: Basically all telecom systems now have ‘lawful intercept’ capabilities that enable remote tapping. It is merely assumed by the manufacturer that none of that will be used unlawfully, there’s nothing in the gear that can tell the difference between a legal tap and an illegal tap. And if the manufacturer is under pressure from the USG to do so, it could buld the ‘lawful intercept’ functionality in such a way as to allow the remote operator to go as far as they want in siphoning off a copy of any number of streams of interest. And the latent ability to do that would be undetectable by the operator.

As regards the Narus boxes, I think we should keep in mind there may be multiple methods deployed out there. In other words it’s possible that Narus and hoovering are not coterminous. You could use Narus for specific known suspects, in real time, and also hoover much broader-band traffic for later analysis and contact-tracing. Or one IC agency could be using one method and another agency using the other, etc.

Netmaker and b4real, thank you both!

The telcos have figured prominently to date because they are natural aggregation points for a lot of domestic traffic as well as for most international traffic. However, a substantial portion of domestic Internet and somewhat less voice traffic never hits the telcos networks. Specifically cable and corporate traffic that is either terminated at an IXP or directly in a data center. So these other actors would have to be considered in any scheme to succesfully monitor all or most domestic voice and internet traffic.

Regarding Cisco or some other provider of carrier class network equipment surreptitiously slipping in code to magically siphon off huge amounts of network traffic – it’s not going to happen.

For many practical reasons with respect to equipment sizing, network capacity, configuration management of the equipment and traffic management/monitoring of the equipment any attempt to siphon off large amounts of traffic through the back door either wouldn’t work at all or would be caught.

That is not to say that the equipment provider (Cisco/Juniper/…) could or would not be involved in such an effort but if they were, they would be actively working with whoever was managing the equipment.

Having said that, it would be possible for an equipment provider to put a back door in so that the government could direct a router to siphon off small amounts of traffic or even completely take over control of the router. If any signficant number of routers were being compromised and actively used then you might expect there to find some type of command/management infrastructure on the government side to facilitate this.

Regarding non-carrier (Google, Yahoo, Microsoft, GoDaddy…) e-mail providers being involved in handing over bulk e-mail for data mining purposes.

Their participation is not necessary. The government need only tap the communications links where these e-mail providers connect to the Internet. They would not need to tap all the backbone links in the country. Another possibility if they have the active assistance of the carriers would be to set the network routing to relay the e-mail providers traffic through the government monitoring equipment. This would be easier to implement than the taps but more likely to be detected.

The e-mail providers participation may not even be desireable as it could; (1) signficantly delay any filtering and processing of the e-mail traffic, (2) introduce the complexity of dealing with each provider’s data format rather than just dealing with the SMTP (Simple Mail Transport Protocol) format they would get by intercepting/taping the traffic and (3) un-necessarily increase the number of people that would be aware of the program.

Where this line of reasoning breaks down is when all the participants in an e-mail conversation are using the same e-mail provider. Accessing that traffic would require either tapping the client side communication (a much more difficult proposition than just tapping the inter-provider SMTP traffic) or the active cooperation of the e-mail provider with the government.

If the government really has gone to all the effort to tap domestic traffic then I wouldn’t expect it to stop with just voice and e-mail. Credit card and other financial transaction processing networks would be high on the list of targets.

Finally, regarding why the e-mail providers trade group would oppose immunity and telcos would actively work with the government. Think about the corporate history, cultures, work forces and customer relationships of telcos vs stand-alone e-mail providers (e-mailers).

Telcos have a much, much longer working relationship with the government, have large numbers of ex-military employees and have inherited mostly common corporate cultures, structures and practices from their Ma-Bell monopoly days. Telcos are highly regulated at the state and federal level, their equipment is designed to afford government access and telcos are conditioned to be responsive to government wiretap requests (think CALEA). Both telco customers and organizations have been conditioned by many decades of movies, television programming and news articles to accept that their phone calls may be monitored by individual wiretaps or swept up by a pervasive monitoring system like Echelon. In reality, telcos really are a captive agent of the government.

Non-telco e-mailers like Google, Yahoo and Microsoft have much different backgrounds. They don’t have long histories of working with the government, they have very different corporate cultures as compared to each other and as compared to the telcos. Their technical employee base comes not from the military but from academia making them willful and un-likely to be responsive to government spying requests or dictates.

E-mailers are practically un-regulated entities affording the government very little leverage in influencing their behaviour. E-mailers have relatively short corporate histories as compared to telcos and have come of age in a time when privacy concerns have become a significant driver of corporate behaviour.

When you think of popular references to people having their e-mail read it is more likely to be because their account was hacked than it would be of the government being given legitimate access. And in cases where the government is trying to gain access the e-mailers are more frequently portrayed as resisting that access by litigating against it and requiring court orders. We and the e-mailers have not (yet) been conditioned to allow the authorities un-fettered access to our e-mail. The backlash to e-mailers of being perceived as having been complicit in large scale government hoovering of our e-mail would be much worse than what the telcos have faced. And it is a lot easier to have new market competitors take away customers in the e-mailer world than it is in the telco world.

On a more venal note, e-mailers have an antagonistic, dependent relationship with the telcos and may just be taking a rare opportunity to stick it to them as usually it is the other way around.

-Netmaker

NarusInsight

“System Specification & Capabilities

Some features of NarusInsight include:[4]

* Scalability to support surveillance of large, complex IP networks (such as the Internet)
* High-speed Packet processing performance, which enables it to sift through the vast quantities of information that travel over the Internet.
* Normalization, Correlation, Aggregation and Analysis provide a model of user, element, protocol, application and network behaviors, in real-time. That is it can track individual users, monitor which applications they are using (e.g. web browsers, instant messaging applications, email) and what they are doing with those applications (e.g. which web sites they have visited, what they have written in their emails/IM conversations), and see how users’ activities are connected to each other (e.g. compiling lists of people who visit a certain type of web site or use certain words or phrases in their emails).
* High reliability from data collection to data processing and analysis.
* NarusInsight’s functionality can be configured to feed a particular activity or IP service such as security, lawful intercept or even Skype detection and blocking.
* Compliance with CALEA and ETSI.
* Certified by Telecommunication Engineering Center(TEC) in India for Lawful Intercept and Monitoring Systems for ISPs

The intercepted data flows into NarusInsight Intercept Suite. This data is stored and analyzed for surveillance and forensic analysis purposes.

Other capabilities include playback of streaming media (i.e. VoIP), rendering of web pages, examination of e-mail and the ability to analyze the payload/attachments of e-mail or file transfer protocols. Narus partner products, such as Pen-Link, offer the ability to quickly analyze information collected by the Directed Analysis or Lawful Intercept modules.

A single NarusInsight machine can monitor traffic equal to the maximum capacity (10 Gbit/s) of around 39,000 DSL lines or 195,000 telephone modems. But, in practical terms, since individual internet connections are not continually filled to capacity, the 10 Gbit/s capacity of one NarusInsight installation enables it to monitor the combined traffic of several million broadband users.

According to a company press release, the latest version of NarusInsight Intercept Suite (NIS) is “the industry’s only network traffic intelligence system that supports real-time precision targeting, capturing and reconstruction of webmail traffic… including Google Gmail, MSN Hotmail, Yahoo! Mail, and Gawab Mail (English and Arabic versions).” [5]

It can also perform semantic analysis of the same traffic as it is happening, in other words analyze the content, meaning, structure and significance of this entire traffic, as it is happening. The exact use of this data is not fully documented, as the public is not authorized to see what types of activities and ideas are being watched for.”

I think it is very likely that they have been sweeping up all traffic, voice plus numbers/names and the contents of all emails.

That, on the surface, simply doesn’t make sense.

Unless it has something to do with his location: Denver.
Related to the Air Force installations there? Or in Utah? Or where…?

Because otherwise, given the amount of looting, of basically booking ‘future transmissions and capacity’ that appears to have been in full swarm, the prosecution of Nacchio — and him alone! — just does not make sense from the peanut gallery where I sit.