Schneier on Security
A blog covering security and security technology.
October 16, 2007
Security Risks of Wholesale Telephone Eavesdropping
A handful of prominent security researchers have published a report on the security risks of the large-scale eavesdropping made temporarily legal by the "Protect America Act" passed in the U.S. in August, and which may be made permanently legal soon. "Risking Communications Security: Potential Hazards of the 'Protect America Act'" -- dated October 1, 2007, and marked "draft" -- is well worth reading:
The civil-liberties concern is whether the new law puts Americans at risk of spurious -- and invasive -- surveillance by their own government. The security concern is whether the new law puts Americans at risk of illegitimate surveillance by others. We focus on security. How will the collection system determine that communications have one end outside the United States? How will the surveillance be secured? We examine the risks and put forth recommendations to address them.
Not surprisingly, the risks are considerable. And difficult to address.
We see three serious security risks that have not been adequately addressed (or perhaps not even addressed at all): the danger that the system can be exploited by unauthorized users, the danger of criminal misuse by a trusted insider, and the danger of misuse by the U.S. government. Our recommendations are based on these concerns.
The group has two basic recommendations, data minimization and oversight:
Minimization is critical. Allowing collection of calls on U.S. territory necessarily entails greater access to the communications of U.S. persons; the architecture must minimize collection of both the call details and the content of these communications. The best way to prevent problems is to intercept as early as possible: at the cableheads; such a solution, by decreasing the number of interception points will simplify the security problem. Surveilling at the cableheads will help minimize collection but it is not sufficient. Intercepted traffic should be studied (by geo-location and any other available techniques) to determine whether it comes from non-targeted U.S. persons and if so, discarded before any further processing is done.
Oversight is necessary to prevent abuse and ensure information assurance. Independent oversight of operations is also essential and is a fundamental tenet of security. To assure independence the overseeing authority should be as far removed from the intercepting authority as practical.
More in the report, of course.
EDITED TO ADD (2/4/08): Here's the final report.
Posted on October 16, 2007 at 7:07 AM
• 29 Comments
Man, you guys have one scary government, eh?
"Surveilling" strikes again, Arrggghhhh!
The horse has left the barn and the barn has collapsed from age. We now know that all domestic US telecommunications (voice and data) were surveilled starting just weeks after Bush's inauguration (long before 11 Sep.). The only question is whether the criminals will be punished. Failure to punish sends a clear message that we just don't care. To forgive is to endorse.
>We now know that all domestic US
>telecommunications (voice and data)
>were surveilled starting just weeks
>after Bush's inauguration (long before
I know I can cite legislation like CALEA and press releases of the time showing it was proudly championed by Sen. Patrick Leahy (Democrat, Vermont...) in the 1990s that spent billions to retrofit existing systems that couldn't be intercepted easily and mandated those capabilities in all new equipment going forward.
Why? Well, because with technology, the Feds weren't able to conduct wiretapping like they used to. You know, dating back at least to Wilson and institutionalized during the Cold War when NSA was intercepting all foreign originated and terminated analog phone calls as routine practice.
Oh, wait. We're not really serious about this privacy stuff -- it's just a convenient excuse for partisan attacks.
@Frank Wilhoit, why should we expect punishment for eavesdropping (relatively passive) when active election fraud was ratified by the Supreme Court?
Personally I feel the greater crime is using the word 'surveilled' and/or 'surveilling' in public discourse.
I had to chuckle to see two of the authors come from Sun. Night and day from Scott McNealy's "You have zero privacy anyways, get over it".
@ZG, The problem is that it's a concern even more for non-US people because most of the infrastructure goes in the US anyway.
As a Canadian, I feel a lot less secure because the oversight about the US snooping "outsiders" is not only inexistent, it's not even subject to debate :)
"Man, you guys have one scary government, eh?"
What do you have? a Jirga
These studies are useless .. and serve no other purpose than to:
a) Get the writers on CNN for a day
b) Waste ~$1M on Federal Grants to improve their own predictions by writing more papers .. the cycle is self primed and perpetuated.
c) get picked by this blog and lastly
commented by those who don't know their own past (and present) and lecture everyone on their "evil ways"
This hyperventilating about "unauthorized use" of information is laughable. I wonder what is NOT unauthorized use ..
Pavlov could prove his theories today in abundance by measuring garbage produced by academia in the response to the word wire-tap/surveillance etc. etc.
@Maxime, As a Canadian, I feel a lot less secure because the oversight about the US snooping "outsiders" is not only inexistent, it's not even subject to debate :)
If only the Canadian, British and American governments didn't have a 'gentleman's agreement' to spy on each other's citizens. It is lawful for the UK to spy on US citizens, and for the US to spy on UK citizens. Before the Bush era, this is how 'domestic surveillance' was neatly handled.
So if you object to having the US spy on you, take it up with your own government. This doesn't work outside the US-UK-Canadian relationship, of course.
Only those who commit crimes have anything to fear . . . but those who _define_ crimes are the ones you SHOULD fear.
"So if you object to having the US spy on you, take it up with your own government."
Exactly. Why is it so difficult for government A to provide communication facilities for its citizens that government B cannot listen to?
Because it is in the interests of those in charge of BOTH governments to make sure that citizens of EITHER government can be spied upon.
As long as A & B share the information with each other.
...all this stuff just means that Joe MacCarthy (sp?) never really disappeared and lives on...
@Matt from CT
Check the "related filings" section.
Regardless of your politics, there is increasing *discussion* regarding the aggressiveness of the U.S. Govt in pursuing new monitoring capabilities, and growing circumstantial evidence that they are actually gaining new capabilities as well (see EFF vs. AT&T, US vs. Nacchio). Whether this is a result of the current Administration or not is left to the opinion of the reader.
I am sorry. I do not know how to use blog. This is just to know. Excuse me.
@loyal_citizen, are you insinuating those court documents show that not playing ball with the NSA led to indicting the CEO who wouldn't go along with requests he thought were illegal?
As one of those appellate brief excerpts states, somebody has to be held accountable for the financial losses at Qwest, and if their CEO had not rejected the illegal request maybe they would've gotten that big government contract and everything would've been all right. Right?
@Anonymous--- that is what Nacchio's defense is arguing. Whether or not they are just playing games, or there is some substance behind the argument (hard to tell given all the redacting), the fact that the defense team is even trotting this out is telling. Given the sheer volume of discussion that has been occurring in the courts, in the Congress, and in the public, it's hard to argue that *something* isn't going on in the monitoring space. I believe that this is one of the reasons why NSA has been so opposed to some of the discussions, it's shining too much light in their direction. This is not "tin foil hat" thinking, it's simply a matter of intelligence agencies not liking being in the papers *regardless of the facts and merits of the discussion* - it makes people wonder what they are doing.
@ Matt from CT:
You seem to believe that there is nothing wrong with the NSA collecting information on domestic calls *prior* to 9/11.
The illegal wiretaps initiated by executive order were supposedly done in response to 9/11. What reason would there be for doing so prior to that? It's already been established that the Bush Administration had back-burnered concerns over terrorism (ref. "Against All Enemies," Richard Clarke).
Combined with the 'inconvenience' of FISA and judicial review, it can be concluded that the Bush Administration was seeking information and access which they knew would not pass legal review.
So they chose to break the law, and cover things up with an executive order, nonsense about FISA, and now blanket immunity for the telcos.
We must, as consumers of a security product, ask why.
If wiretaps are only done with warrants, where a 'target' has to be specifically identified, and a 'reason' for the wiretap articulated, then the number of wiretaps will be rather strictly limited. Perhaps your line is tapped, but the odds are that it's not.
Wholesale wiretapping changes all that. But look at what it provides!
That is, a way for 'low level' individuals to insert disinformation into intelligence and law-enforcement networks.
Having communications that you *know* your adversary is listening to can be very useful.
For some reason, I'd rather post this anonymous. If someone wants a credible citation, just go look at the financial records for Narus using the normal web tools for doing that. Boy, have they ever been doing well for quite some time. And the stories on slashdot by some folks fired for "illegally entering the narus server room" at AT&T and taking pictures. You don't need that much gear to do what they're claiming to be doing. It's about right if you're doing traffic analysis on *everything*, and maybe a bunch of computer speech recog looking for keywords...and I'll bet that when this comes to court the plea will be "but no human listened without a warrant".
Narus has recently updated their site to say things like "we only tap what we're supposed to" but that's not how it read last year.
Oops, gotta go answer the door, looks like a buncha guys in black.
I hope no one remembers why I wanted to listen to phone calls back in 1972...
'Cause today I only want to listen to terrorist conversations. Right?
From what I can tell (and granted, I'm not an expert, just an interested party), there seems to be a big difference between the CALEA-mandated 'interceptability' and the Narus stuff. The Narus gear seems like it's definitely geared towards realtime traffic analysis of backbones at line speed, doing deep packet inspection and maybe some forms of content/semantic analysis. That's definitely not "hey, we want you to intercept Joe Blow's emails, here's a warrant."
That said, I have a big problem with CALEA, too. Fundamentally I have a problem with making interception a design consideration, even though that has zero value to the actual users. Historically, the POTS network wasn't built that way in the first place; the analog pen registers and trap-and-trace techniques were developed after, in response to phones. This is how things *should* work: first you develop the technology, and then law enforcement figures out ways to use it.
But you don't build the technology around the demands of law enforcement. When we were laying phone lines originally, we didn't run all of them through the police station, as convenient as that may have been for the police. It's the job of law enforcement to do their job, even though reality and progress may sometimes make it difficult. Tough luck.
It's a lot tougher to build a secure, robust infrastructure, when law enforcement and the politicians are mandating that you build insecurities into it for their convenience.
>You seem to believe that there is
>nothing wrong with the NSA collecting
>information on domestic calls *prior* to
Would you please point out any construct of the English language in my posting that would cause someone to form that impression?
I responded to someone who said the surveillance began after the Bush Administration took office and before 9/11 by correcting their historically inaccurate statement.
The United States Government has a long history of what I believe to be unconstitutional search and seizures, in this case long term operations spanning numerous and continuous administrations of both political parties by intercepting all communications in which one of the parties was located outside of the U.S.
To believe the current abuses are unique to this administration or Republicans or right-wingers or whatever is extremely dangerous and naive because it is used for partisan purposes to say that if only the Democrats were in power these abuses wouldn't happen. Mr. Wilhoit's contention that surveillance began weeks after this current administration took office is misleading at best, and the statement that it involved all *domestic* communications isn't supported by credible evidence that I am aware of.
I'm glad you provided that link, and it fits neatly into this point.
The project the Qwest documents referred to was Project Groundbreaker.
This is from the NSA's press release on the subject:
>31 July 2001
>For further information, contact:
>NSA Public and Media Affairs,
>National Security Agency Outsources Areas of Non-Mission Information
>Technology to CSC-Led Alliance Team
>The National Security Agency (NSA) has
>established an official government-industry partnership for Information
>Technology Infrastructure (ITI) services within the areas of Telephony,
>Distributed Computing, Enterprise Management, and Networks by awarding
>a prime contract on 31 July 2001 to the CSC-led Alliance Team. Today's
>acquisition, known as Project GROUNDBREAKER, concludes an
>extensive procurement process, following a 15-month Feasibility Study,
>announced in a June 2000 Press Release, and a managed competition
>among industry leaders, announced in a March 2001 Media Update. The winning
>Alliance Team, self-named as Eagle Alliance, is a CSC-led joint venture in
>partnership with Logicon, a Northrop Grumman company. Additionally, the
>team comprises strategic alliance partners that include General Dynamics
>for telephony and networks, Keane Federal Systems for distributed
>computing and enterprise management support, and Omen, Inc., a small
>business that will integrate the Eagle Alliance small business consortium.
>Technology and Service Delivery Partners for this Alliance Team include
>ACS Defense, BTG, CACI, Compaq, TRW, Windemere, Fiber Plus, Verizon,
>and Superior Communications
Yep, the Rocky Mountain News documents talk about bidding conferences on a project six weeks into the Bush Administration. For a project launched under the Clinton Administration well before the election.
These are not issues left to the opinion of the reader -- these are objective facts. The issue of using technology for greater government and private sector surveillance instead of using it to increase privacy from government snooping is neither a new issue, nor is it one that either political party can claim any moral highground on.
Today you have people like Sen. Leahy expound on "illegal wiretaps" yet those wiretaps -- legal or not -- are only possible because Sen. Leahy and others decided to compromise the technology and mandate and pay for building deliberate vulnerabilities into the infrastructure.
Those who try to paint this issue as one of politics and specific to this administration are simply being complicit in perpetuating these intrusions -- by making it seem that other politicians and particularly the Democrats don't do these things. They do, they have, and they will continue to unless this issue is made to transcend tactical partisanship.
@Matt from CT:
Between your decrying partisan attacks and turning to the 'someone else did it first' excuse, I have difficulty seeing your statement any other way. Your insistence that it's all about a consistent pattern of unconstitutional behaviors takes a back seat.
Also, there's a distinct difference between creating a law to enhance surveillance capabilities for legitimate law enforcement procedures and ignoring the law to conduct either paranoid searches for invisible terrorists and/or spy on one's political enemies.
(And frankly, the moment someone brings up 'partisan attacks,' it's a red flag in my book. Even the term 'bipartisan' is gobbledygook when you think about it.)
@ Anonymous, Nick Lancaster, et al.
You may want to read more of Matt's posts on the blog before jumping to the conclusion that he's "turning to the 'someone else did it first' excuse". I don't believe he's excusing this at all. In fact, I think he finds blanket surveillance to be offensive to his sensibilities.
The issue of governmental surveillance in the US, as Matt rightly points out, is not a partisan one. Members of both major political parties have poor records on this issue. Indeed, we are currently still under the umbrella of intrusive surveillance without oversight thanks to a Democratic majority failing to stand up to the current Administration.
Matt's right -> American citizens should be complaining about government wiretapping and privacy intrusions, not about focusing it as a "Bush Administration" issue.
@ Pat Calahan:
Then Matt needs to phrase his argument better, as it certainly doesn't sound like his primary concern is government wiretapping.
If it's a 'whole government' issue, then the Bush Administration is unquestionably a critical component of the subject at hand and wholly deserving of criticism. That criticism, however, must focus on the illegality of his actions, as well as Congressional leaders who seemingly don't know the Fourth Amendment from a bump in the road, which is how I have approached it in past comments and my own blog (on those occasions I dip into political commentary).
And, in review, I'm coming off as a jerk, so I'll shut up now.
A great site polluted by those who think they are so smart again. Any topic, just make some stupid, unsupported comment about America or Bush, then assume everyone thinks you're a genius.
Fact of the matter is that these same self-proclaimed intellectuals that poo poo about anything and everything the US government does will be the same ones that will sit back in a self-righteous air of superiority about how they would have connected the dots and known everything after something bad happens. Their solution? They will just say the government should have been doing the same things that they would have been poo pooing about had they done it.
Basically, a bunch of do nothings who offer no solutions.
I don't think we have a scary government. I think governments where you can be run feet first through a tree shredder (like Hussein's Iraq), beaten with clubs if you are a woman who isn't properly covered (Taliban Afghanistan), or who actively finance terrorist groups like Hezbollah (I'm talking about you, Iran) are the ones that scare me.
So go ahead and bash America left and right--they won't do anything in retaliation to you. You're safe. We know you are too much of a coward to criticize real evil. You're also too arrogant to sit it out. So bash the US, an overwhelmingly decent and peaceful nation, so you, in all your arrogance, can feel good about yourself.
It's a shame.
@Me: Just because it's not the worst place doesn't mean it doesn't have problems. The governments of the former Iraq, Iran, China, Afghanistan, Sudan, and Zimbabwe all suck. And so does ours. The idea is to stop the downhill slide before it gets that bad.
@Bruce: Guess this just means we need to put more crypto in the hands of the individual. A requirement for telephone companies to make allowances for interception doesn't mean much if every phone call gets routed over a P-t-P SSL connection.