One thing about all of this that really surprises me is the scale of it ... I was genuinely and unhappily surprised to discover just how large a covert programme can be kept entirely hidden from the general public & most politicians.
I'd always naively assumed that working at this scale would guarantee leaks much, much earlier.
Is it that large of a scale as far as leak-locations go? Isn't it basically several dozen fibre taps?
Also, we knew the FBI was doing this in the 90s so it shouldn't be totally surprising to find the NSA doing it now.
The scale is the awesome data processing and operative capabilities. But is that so surprising to remain secret? I'm sure the NSA and other parts of big governments do all sorts of nifty shit and manage to keep it quiet much longer than a decade.
It's just that... you know... literally no one wanted to talk about how a US military department was using capabilities traditionally described as acts of war to subvert US infrastructure and analyze the behaviors of US citizens. There were terrorists!
Just like they didn't want to talk about it in the 90s, when the US government tried to claim that encryption was a regulated government technology and while US citizens are technically entitled to munitions, something something 2nd amendment, if you export anything more than 44 bits, you're in serious trouble.
I guess the good thing in all this is that it's what you'd expect if you took Carnivore from the 90s and threw a ton of intelligent people and pervasive fibre access at it. There doesn't seem to be anything breakthrough, like "holy shit they can do that" kind of stuff.
Now yes, the scope is amazing. And I was getting this technical excitement just reading about the system. So many questions! Like, how do they distribute jobs fairly or deal with resource overuse? What stops some dumbass oper from submitting a super-expensive query? How do they manage all this stuff? It's pretty damn neat.
I'm wondering what the impact of TLS is on all this. Cause it seems like that'd sort of destroy this system, eh?
Edit: https://www.documentcloud.org/documents/2116191-unofficial-x... - Interesting how they are really explicit how USSID 18 stops them from doing stuff. Like they give the example of finding a phone number without a country code. Not allowed! Unless you combine it with something that'd limit it to foreign countries. But they note it's not a 100% solution.
They are saying: are you unsure if an IP is a proxy? Well, given that you know so little about it, query all the users on the IP... you know, as long as the IP is USSID 18 compliant... given that you know so much about it already.
Hard to tell. I remember seeing in the docs somewhere that they suggest capturing for 5 minutes and checking it out to make sure it's OK to investigate further.
As a practical matter, what more can they do? I wouldn't expect them to actively try to give up on following leads. Seems like they're attempting to follow the intent of the law.
It says they have "full take for US web forum servers under FISA coverage", and "passive collection for OCONUS [outside continental US] web forum server traffic". What does "FISA coverage" mean? They have warrants for specific forums, or a general warrant giving them access to thousands of forums?
I run a fairly large OCONUS message board. Are my visitors all in XKEYSCORE? I wish the release were more specific.
I'd guess 'under FISA coverage' means they're collecting all traffic, but can only access it with FISA court approval (i.e., it's under the coverage of the FISA court).
Traffic outside the US is collected, but probably doesn't need any approval to look at. I'd suspect that all your visitors are in XKEYSCORE.
That's hard for a web forum with BBCode -- posts can load external images on non-HTTPS domains.
I suppose I can have the BBCode alter the URLs to point to my domain, and use nginx to proxy the image loads. I'd have to be careful to make sure users can't proxy malicious scripts and stuff into the page (because it'd be same-origin); is there a standard solution for this?
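The pattern asked about above (rewrite [img] URLs to your own domain, proxy the fetch, and make sure nobody can smuggle a script into your origin) is what GitHub's Camo does. Here is an added example of that scheme, not code from the thread or from any real forum: the forum signs each rewritten URL with an HMAC so the proxy can't be used as an open relay, and the proxy side decides what to serve from the fetched bytes' magic numbers, ignoring whatever Content-Type the upstream server claimed. The forum hostname, the secret, the path layout and the sample post and bodies are all hypothetical, constructed for the example.

```python
"""Camo-style image proxy for a BBCode forum (illustrative; hostname, secret
and sample inputs are hypothetical)."""
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

PROXY_SECRET = b"placeholder-secret-load-from-config"   # assumption: real deployments load this from config
PROXY_PREFIX = "https://forum.example/img/"              # hypothetical forum domain

# The only things the proxy will ever relay. The Content-Type we send is
# derived from these magic bytes, never copied from the upstream response.
IMAGE_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)
MAX_BYTES = 5 * 1024 * 1024

IMG_TAG = re.compile(r"\[img\](https?://[^\[\]\s]+)\[/img\]", re.IGNORECASE)


def sign(url: str) -> str:
    return hmac.new(PROXY_SECRET, url.encode(), hashlib.sha256).hexdigest()


def proxy_url(url: str) -> str:
    """Map an external image URL to a signed URL on the forum's own origin."""
    return f"{PROXY_PREFIX}{sign(url)}/{quote(url, safe='')}"


def rewrite_bbcode(post: str) -> str:
    """Rewrite every [img]http(s)://...[/img] so browsers fetch it from us."""
    return IMG_TAG.sub(lambda m: f"[img]{proxy_url(m.group(1))}[/img]", post)


def parse_proxy_path(path: str):
    """Path after PROXY_PREFIX -> upstream URL, or None if the HMAC is bad.
    Without this check anyone could point the proxy at arbitrary URLs."""
    try:
        digest, encoded = path.split("/", 1)
    except ValueError:
        return None
    url = unquote(encoded)
    if not hmac.compare_digest(digest, sign(url)):
        return None
    return url


def proxy_response(upstream_body: bytes, upstream_content_type: str):
    """Decide what the proxy returns for a fetched body: (status, headers, body).

    upstream_content_type is accepted only to make the point that it is ignored:
    a server that says image/png but sends <script> must not get same-origin
    execution in the forum. nosniff stops the browser re-guessing our type, and
    the CSP makes the response inert even if something did render it as HTML."""
    if len(upstream_body) > MAX_BYTES:
        return 502, {}, b""
    for magic, ctype in IMAGE_SIGNATURES:
        if upstream_body.startswith(magic):
            headers = {
                "Content-Type": ctype,
                "X-Content-Type-Options": "nosniff",
                "Content-Security-Policy": "default-src 'none'",
                "Cache-Control": "public, max-age=86400",
            }
            return 200, headers, upstream_body
    return 502, {}, b""  # not a recognised image: refuse to relay it


# Constructed sample inputs, not real forum data.
SAMPLE_POST = ("look: [img]http://pics.example.org/a.png[/img] "
               "and [img]https://cdn.example.net/b.jpg[/img]")
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
EVIL_HTML = b"<script>fetch('/admin').then(r=>r.text())</script>"

if __name__ == "__main__":
    rewritten = rewrite_bbcode(SAMPLE_POST)
    print(rewritten)
    path = proxy_url("http://pics.example.org/a.png")[len(PROXY_PREFIX):]
    print("valid signature ->", parse_proxy_path(path))
    print("forged path      ->", parse_proxy_path("deadbeef/http%3A%2F%2Fevil.example%2Fx"))
    print("real png         ->", proxy_response(GOOD_PNG, "text/html")[0])
    print("html as 'png'    ->", proxy_response(EVIL_HTML, "image/png")[0])
```

In a real deployment the fetch itself would also need a timeout, a redirect limit and a block on private/loopback upstream addresses (otherwise the proxy becomes an SSRF primitive against your own network), and nginx can sit in front of it as a cache; none of that changes the two checks shown here, which are the ones that keep user-supplied content out of your origin.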
Does anyone else notice (intentionally?) poor redaction? In one screenshot, two IP addresses are visible, then blacked-out in two other places on the same presentation slide - https://imgur.com/SLyjhmp, for example.
Does using a VPN prevent any of these?
EDIT: And I guess Google servers have most of Android users' home Wi-Fi passwords. Which means NSA could pretty much access any devices in those homes?
Only if the traffic from your VPN host to the target host isn't routed through NSA capture sites. Say China-China traffic is probably out of reach. It generally seems like their capture sites are located where international traffic is routed. One strategy could be to always have a VPN host close to the target host. But still - it doesn't stop them from logging your strange VPN usage.
There isn't evidence that the NSA has access to Google servers, apart from the unencrypted fiber issue (which Google has since fixed, they say). However most users probably have shitty routers that can be remotely pwnd by anyone so yeah...
It's also more efficient to just tap the connections of the users' ISPs, rather than tap each home. And since they're tapping backbones, a VPN will only help some. It'll limit the ability for them to easily search you via IP - they'll need to try to distinguish your traffic from the other users on the proxy/VPN. I didn't see anything about correlating timing information, and it'd seem like that'd be a much more difficult thing to analyze versus indexing HTTP requests.
But if you read the slides, the instructions to operators are VERY clear to never use this data (passwords and such), but only pass it on to TAO. I'd guess they'd want to be really certain before doing something active/noticeable which might involve spending some sort of identity.
They don't even need to have intentional backdoors (as in, designed for spy agencies/law enforcement). The chances of a random home internet appliance not designed with serious cybersecurity considerations in mind (as opposed to "good enough to stop the average snooper/criminal") not having root-worthy vulnerabilities that can be exploited from the upstream provider is close to nil.
Remember, most of these things have as their only threat model someone trying to gain access from the Wi-Fi side before authentication. I doubt many vendors seriously consider questions like "can the cable connection to the ISP be used to take over the router?" or take steps to prevent it. For many devices, that sort of access could be considered as a potentially legitimate feature (think, customer support and remote diagnostics).
“The National Security Agency’s foreign intelligence operations are 1) authorized by law; 2) subject to multiple layers of stringent internal and external oversight; and 3) conducted in a manner that is designed to protect privacy and civil liberties. As provided for by Presidential Policy Directive 28 (PPD-28), all persons, regardless of their nationality, have legitimate privacy interests in the handling of their personal information. NSA goes to great lengths to narrowly tailor and focus its signals intelligence operations on the collection of communications that are most likely to contain foreign intelligence or counterintelligence information.”
Even if the oversight isn't that great (do we know how much abuse happens?), it does make sense that they would try to narrowly focus their ops. It doesn't actually benefit them to spy on random users. At the end of the day, we can only assume most of the agents do actually want to get "bad guys". (As compared to say, me, who'd love to have an XKS login for the trolling possibilities alone.)
Now comes the hard part of wondering what to lookup.
Shall we search for financial crimes? Nah...by the time we develop the expertise to write the query the crime has changed.
Shall we find the next Boston Bomber? Nah...even more complicated.
So what do we look for? The easy stuff...Godzilla for example. Someone has to keep watch.