Putting NSA/GCHQ Spying Together

This is a really good analysis of how the NSA/GCHQ spying programs actually work. It's nice that we finally have enough documents public that we can start putting together the complete pictures.

Posted on December 1, 2014 at 6:41 AM • 56 Comments


ThothDecember 1, 2014 8:30 AM

Pretty much within our expectations of what the big boys want. They want hegemony over the world (physical and digital).

Tim HoddyDecember 1, 2014 8:58 AM

Bruce Schneier said:

"It's nice that we finally have enough documents public that we can start putting together the complete pictures."

But it's important to remember that only a tiny fraction of all of the documents released by Snowden have been made available to us.

Nicholas WeaverDecember 1, 2014 9:49 AM

This is a very well done piece IMO, but the basic conclusion is "ANY cable touching US/UK companies should be assumed to be compromised", since really that is the story!

The basic architecture they seem to prefer is the following:

The tap itself has a dumb filter: eliminate high volume traffic (think BitTorrent and Netflix) at line rate and forward the remaining back through a backhaul link to a more secure facility. This makes sense for two reasons:

  • #1 They are also paying a small fortune for backhaul and can't backhaul the whole fiber, so dropping the traffic here is of critical importance.
  • #2 They don't want to site the IDS clusters themselves (too much valuable information if captured, and also significantly bigger), so by using a simple filter it makes the installation smaller.
  • There it goes to what is very much a near-real-time IDS cluster: use a hash of SRC/DST pair and load balance to a cluster node, and the cluster is ~10 systems/10Gbps feed (the dumb filter doesn't reduce the number of machines here, since any IDS of note can implement that dumb filter internally very cheaply).

    These cluster nodes produce "metadata" analysis thats both stored locally and exported, and also a bulk record indexed by the metadata.

    The thing the NSA and company need to remember: This architecture is not particularly remarkable: I could build an equivalent for a bare fraction of what the NSA has spent. They have privileged access, but any other country that can buy/bribe/tap their way into a similar access can implement the same flow.

    keinerDecember 1, 2014 9:56 AM

    "The tap itself has a dumb filter:"

    ...so I mix my info into a stream of torrent and I'm out od mass surveilance? Cool.--..,++##**

    keinerDecember 1, 2014 10:19 AM

    As openVPN is f*ckup again, how about writing something like a Torrent-wrapper, to obfuscate all kinds of VPN or other data transfer?

    sector blueDecember 1, 2014 10:24 AM

    NSA docs about filtering out p2p traffic was from 2008, you can be sure they no longer filter it out especially with blockchain messaging happening like Bitmessage, or other p2p messaging like Pond.

    Even scarier is all of this can be automated, so the 5 Eyes Alliance can slim down their spy apparatus to only a few in the know employees and analysts. When AI software catches up they can slim down even more to a select handful of criminals inside all our intel agencies which will eliminate leaks forever, and put extreme blackmailing powers in the hands of a tiny few.

    keinerDecember 1, 2014 10:39 AM

    ...that's the way the USSR and GDR were run, or the mafia. Hmmm... And btw: I think we are already there.

    My name is not importantDecember 1, 2014 11:54 AM

    @Tim Hoddy:

    "But it's important to remember that only a tiny fraction of all of the documents released by Snowden have been made available to us."

    Tim. Not only it is a tiny fraction of all of the documents, but also a fraction choosed by some journalists that did not even know what PGP was before Snowden contacted them. Journalists appreciate sensationalism more than helping the world too, so it does not help at all.

    We have a serious lack of knowledge, we need technical documentation that helps us doing the work the NSA was expected to do: fixing the current computing infraestructure so a lot of security incidents will never happen. It is hard to see so clever minds (well, most of them) working to break trust instead of fixing flaws.

    Terry ClothDecember 1, 2014 11:56 AM

    @keiner, @Lemme:

    Remember, @Nicholas Weaver's analysis is what ``makes sense'', not what is known. I certainly wouldn't depend on that for any traffic that could send me to jail.

    LemmeDecember 1, 2014 12:26 PM

    @My name is not important, I wonder about the article on Snowden files and badbios on cryptome. Farfetched, but still something to keep an eye on.

    Clive RobinsonDecember 1, 2014 1:29 PM

    @ Nicholas Weaver,

    Your analysis is about what I would have expected, due to previous leaks of information over the years.

    It also falls in line with my supposition that the NSA, GCHQ et al are actually quite some way behind the curve, even though they pay "bleading edge" prices. The design is considerably more conservative than you would expect if you work in modern telecomms.

    Interestingly the bottle necks tell us rather more than the NSA / GCHQ appear to have confided to the slides.

    jonesDecember 1, 2014 2:00 PM

    Recently disclosed documents show that the NSA's fourth-largest cable tapping program, codenamed INCENSER, pulls its data from just one single source: a submarine fiber optic cable linking Asia with Europe.

    So, when fiber optic cables kept getting cut back in 2008, does this article mean that it wasn't really anchors, but instead that the NSA has submarines?


    WaelDecember 1, 2014 2:30 PM


    So, when fiber optic cables kept getting cut back in 2008...
    The thought crossed my mind.

    WaelDecember 1, 2014 2:52 PM


    Re Carter...
    Kind of clumsy, come to think of it. If I were tasked to tap into a submarine fiber, I would make sure of two things:

    1. No disruption of service
    2. Minimize the ability of detection afterwards using technology such as OTDR
    Which essentially means tapping the cable before it's deployed. If someone characterized the channel before and after "subversion", they may get a clue that something fishy (Pun intended) is going on. Another choice is to install "repeater stations" that can be tapped into without having to splice the optical fiber...

    keinerDecember 1, 2014 2:55 PM

    "Carter has additional maneuvering devices fitted fore and aft that will allow her to keep station over selected targets in odd currents.[citation needed] Past submarines outfitted this way[citation needed] were used to tap undersea cables, to intercept communications of foreign countries. Intelligence experts speculate that the MMP may find use in similar missions as an underwater splicing chamber for fiber optic cables.[3][4][5][6]"

    "On 17 January 2008 Jimmy Carter was awarded the 2007 Battle Efficiency Award, commonly known as a "Battle E".[8]"

    Nick PDecember 1, 2014 3:06 PM

    @ Wael

    "Another choice is to install "repeater stations" that can be tapped into without having to splice the optical fiber..."

    Good idea. They can be subverted ahead of time in a way that allows easy splicing later. Initial investigation of them shows nothing out of the ordinary. Same with the edge equipment the fiber connects to. Combining the two would defeat the fiber characterization detection methods as the edge equipment could lie to operators.

    WaelDecember 1, 2014 3:33 PM

    @Nick P,
    But if indeed the cables were "tapped-into", the way it happened kind of meets 1 and 2 above. They cut the cable on purpose, perhaps have a ship docking at the same place to give the "cause". Then tell affected countries we'll repair the cable for you (maybe charge them as well for it). Just tell them the characteristics of the channel will change because of the "repair". Sounds like a mission impossible script :)

    Clive RobinsonDecember 1, 2014 4:24 PM

    @ Nick P, Wael,

    Did you two ever actually pull out the maps of undersea cables I've suggested people look at for real physical "Choke Points"?

    If you have ask yourself how long it would take even a crude midget sub to find the cables and lay a pound or two of plastic explosive and a remotely triggered detonator up against them disguised as a rock etc.

    Then ask what would happen if 2/3rds of those choke points got blown at the same time...

    For nearly all our business and infrastructure disaster planning the calculations used are based on predictable "accidents" from some acturies tables, not that of a hostile mind. Worse more and more of our businesses are "off shoring" many aspects of their business over telecommunications using those cables, including Internet payment systems set up to avoid sales and other taxes...

    What would "first world" civilization be like in the following hours and days of such hostile activity against those subsea cables?

    Remember to account for the hierarchical base services such as DNS when thinking about such things...

    WaelDecember 1, 2014 4:49 PM

    @Clive Robinson,

    Did you two ever actually pull out the maps of undersea cables I've suggested people look at for real physical "Choke Points"?
    Are you kidding? The moment I do that, I'll have "knuckle dragging" Ninjas bust through my door and eat my primitive monkey brains alive. I live in the south pole, just in case ;)

    If you have ask yourself how long it would take even a crude midget sub to find the cables and lay a pound or two of plastic explosive and a remotely triggered detonator up against them disguised as a rock etc.
    I never thought about that :) you don't even need a submarine, just get a small boat with a long rope and hook knife at the end and go scrape around.

    Mike AmlingDecember 1, 2014 4:54 PM

    Yes, a lot of us thought the cable breaks were for tapping.

    1. I don't know anything about cable tapping, but I would think if your tapping method requires disruption, that you'd want to break the cable by some innocent-looking method such as trawling for fish, and then install the tap somewhere else before the cut is repaired.

    2. If you do tap the cable, how do you exfiltrate your data?
    A. Install another cable?
    B. Insert new packets with a friendly destination address, possibly into a different fiber in the same cable?
    C. Use an otherwise dark fiber in the same cable?

    WaelDecember 1, 2014 5:56 PM

    @Clive Robinson,
    Man-triggered earthquakes is something I read about a while back. I remember that in addition to air guns (which is new information for me,) small nukes were used for the same purpose. Nothing surprises me anymore. Again, arrogance blinds us humans and makes us believe we can control nature according to our whims without regard of future repercussions. The system is setup in such a way.

    Nick PDecember 1, 2014 6:05 PM

    @ Clive Robinson

    I did it here with Richard Steven Hack when we were designing a real "fire sail" attack on U.S. Requires electricity, transportation, and Internet to go down. For Internet, we noticed the international connections were in a fixed number of transoceanic cables that could be taken out just that way. Then there were only a few Tier 1 providers. Then there's around 365 key transformers in the grid that would cascade it down. Only so many refineries. And so on.

    We eventually stopped public discussion when we figured any further development of the idea, esp specifics, would get our door kicked in promptly. Proved the concept can be done albeit labor intensively.

    Note: I also left that out of the list of my posts here. No need for an aiding and abetting charge. Privacy tech has benevolent uses. Can't really argue that for a U.S. fire sail attack.

    Milo M.December 1, 2014 6:18 PM


    A bit of hyperbole, perhaps.



    A few good presentations, with the message that around 70% of cable cuts come from fishing boats, not spooks.



    To a good extent, it behooves the cable system operators to publicize the cable locations (as opposed to keeping them secret) to help keep more fishermen, shippers, etc., from inadvertently doing damage. Kind of like the "Call before you dig" signs put out by the land-based utilities.

    WaelDecember 1, 2014 6:38 PM

    @Milo M.,
    Thanks for the links. I'll look at them and get back with you. Now I am forced to look at the layout, having looked at the first link :) A quick remark: What caused the other 30% of the cuts? No one said "spooks" cut 100% of the cables!

    ThothDecember 1, 2014 9:24 PM

    We cannot secure the lines and cables and that's a fact. What we can secure is how we choose to communicate securely.

    There are many ways to obsfucate our communication which includes dumping random meaningless data to confuse snoopers. Hiding inside tunnels is another method.

    The problem is awareness and willingness to adopt better secure communication and higher assurance techniques in the face of national adversary type threats. They do not want their "peasants and workers" or "pawns" to be on their level or higher but they can be overwritten if a critical mass is reached.

    ThothDecember 1, 2014 9:57 PM

    Submarine cable between Singapore and Jakarta cut ?

    Link: http://www.theregister.co.uk/2014/12/02/seamewe_3_submarine_cable_reports_outage/

    Hmmmm.... Is it the Singapore team doing it ? Is it the Jakarta team doing it ? Or did USS Jimmy Carter silently entered the regional waters of Singapore / Jakarta and did some hands on work ?

    Most likely it is either the Singapore side or the Jimmy Carter doing the dirty job. Jakarta is too busy with it's internal politics to be able to do anything like that so that leaves the highest possibility to a Singapor (US/UK's gatekeeper guard dog of the SEA region) or US (personally arrived) for the job.

    Forcing additional network hops into US allied territories (especially Singapore, Phillipines or Australia) would allow sniffing and manipulating into the hands of 5-Eyes region.

    In the ASEAN region, Thailand, Myammar, Laos, Vietnam, Cambodia, Malaysia and Indonesia are not friends of the 5-Eyes as they are too busy with their own politics or historically at odds or neutrals. Only the British/US (ex-)Colony of Australia, New Zealand, Singapore and Phillipines would pose substantial support to British and US interest and go the extra mile to ensure better than usual relationships.

    WaelDecember 2, 2014 3:28 AM

    @Milo M.,
    These were pretty good presentations, thanks! Natural disasters and ship anchors seem to cause the most damage, I believe that. I also "think" sabotage will take the form of severing cables and not tapping into them. There are easier places to tap the communication paths. Tapping the submarine cable would be a last resort, I would imagine...

    Gerard van VoorenDecember 2, 2014 4:31 AM

    @ Clive Robinson • December 1, 2014 5:17 PM

    From the link http://cryptome.org/0001/usa-disasters3.htm in your post the first lines of text:

    While researchers might think that America's ousting by overt and covert means Slobodan Milosevic, the Taliban, and Saddam Hussein from power, smashing their regimes, and punishing countries like Iran, Turkey, Russia and North Korea which had tried to help them or exploit their difficulties would be the sum total of what was available to it, they would be wrong. Washington used not only land and space weapons against them but also undersea ones to make the terrible earthquake on December 26, 2004 which caused the deadly tsumanis which devastated the Muslim countries, lying around the Indian Ocean, in the hope of preventing them in any way from joining radical Islam in its growing fight against the West.

    Tin foil hat? Lasers are not my alley.

    skepticDecember 2, 2014 4:44 AM

    @Milo M., @Wael

    what if they want you to think that the 70% of cable cuts caused by fishing boats? o_0
    fishermen disguise would provide perfect cover for undersea cable tappage

    WaelDecember 2, 2014 5:00 AM


    what if they want you to think that the 70% of cable cuts caused by fishing boats?
    Then they succeeded, spectacularly!

    KietDecember 2, 2014 5:24 AM

    Didn't mean to be an arse by asking the question, considering individuals have put their lives on the line over getting these files out, or considering the authentication method may already seem obvious to most people here, but how do you verify the authenticity of these documents, short of sending it back for an official stamp? How do we know if these files weren't mass produced by counter-intelligence software, stored on internal honeypot server? If anyone has a link to a blog or an article that explains this, it'd be appreciated.

    BoppingAroundDecember 2, 2014 10:03 AM


    The whole world does have.

    Off-topic: I cringe each time I see the NSF abbreviation here.

    SlothDecember 2, 2014 12:24 PM

    I always read about our nice nsa gchq but how about the fsb and such? Or is it so long as you use russian or any other anti five eye infrastructure you are safer overall as long as you dont do anything that would annoy them?

    LessThanObviousDecember 2, 2014 1:42 PM

    It's at least somewhat comforting to hear that they are reducing so much of the data at the point of collection at least when GCHQ is involved. My understanding of the U.S. stateside NSA collections whether it's correct or not was that they store it all and use selectors to search stored data, whereas the more prudent approach described in the article is to use the selectors in real time to discard all that doesn't match a selector in short order. It's crucial for freedom of speech that anything that isn't specifically authorized for collection is transitory and temporal. If it's stored for extended periods the search selectors can always creep and push further into abusive usage, which based on human history is a legitimate fear.

    Bob S.December 2, 2014 2:13 PM

    @Gerard van Vooren

    Re: Undersea weapons caused 2004 Indian Ocean Tsunami.

    I love a good conspiracy as much as the next guy but...a tsunami?

    Anyway, I don't think a laser would do it. More likely a carefully selected explosive charge on the bottom of a geologically weak part of the ocean which might shift the plate/s. I don't think they could do nuclear, it would be detected. More like a barge of C4.

    I dunno. That's pretty deep.

    I think I'll just put on my double wrap foil hat and think about it for awhile.

    I just don't think so. But,.....

    Nick PDecember 2, 2014 3:25 PM

    @ BoppingAround

    "Off-topic: I cringe each time I see the NSF abbreviation here."

    Why? They fund a lot of good research, including for INFOSEC. Matter of fact, I'd like you to name an organization that isn't military and has funded more INFOSEC research. That way I can write up a proposal for them.

    BoppingAroundDecember 2, 2014 4:43 PM

    Nick P,

    Because I was playing Deus Ex too much back then. :-)

    This is the NSF I remind myself each time I see the abbreviation, if you are interested. And actually they weren't the bad guys in the game either. At least, much less shitty (they'll shoot at you in the first several chapters of the game) than other factions present there.

    Clive RobinsonDecember 2, 2014 5:35 PM

    @ Gerard van Vooren,

    Not so much a "tin foil hat" as "a boat anchor round the ankle" to stop the writer "sailing away" on what ever they were on.

    The question is as always "how much energy" is required and "over what period of time" to do a particular item of "work".

    If you look at something like a mouse trap the energy is stored in a spring which is applied via a lever. This lever is held in position by a second lever that is held in place by the bait lever mechanism. You can work out the ratios but a trigger weight of a couple of grams releases the equivalent of between 0.5 and 2Kg at 0.2meters in around 50mS.

    From which can be seen under the right conditions very small amounts of energy can be used to release very large amounts of stored energy by quite simple mechanical means.

    But what are the "right conditions"? The energy in an earth quake is realy vast as can be seen by working out how much energy is required to lift a thousand square kilometers of solid rock under tens of meters of water by ten meters or so against earths gravity.

    There is no way on God's little green apple that a submarine could generate that amount of energy and survive intact it's self.

    Thus the energy would have to come from somewhere else, and I'm assuming it will be by the normal process of continental drift. In this case the sub would only need to provide the trigger energy. But this raises a whole load of other questions and issues, not the least of which is the fact that that earthquake would have happened any way at some point in the near future so why trigger it...

    Now we know that if you inject water at high preasure into a fault line you can reduce the friction and create many small earthquakes rather than "wait for the big one". So the question is could you inject something else that would increase the friction and thus enable "the big one" to not be big but enormous. The answer is a very limited yes, but you would have to start years in advance and you would still have the issue of triggering it.

    Basicaly things don't stack up to what the author of the article is claiming.

    Which is why I warned about squirrels getting in your head and feasting on your brains.

    As Wael noted we have a lot of arrogance when it comes to controling nature, but the reality is even thermonuclear bombs don't put out any where near as much energy as some of natures more routine happenings.

    An example of this was a US scientist during WWII who convinced himself that if he could use enough explosives in the right place he could create tidal waves to swamp the Japanese ports and harbours. He was wrong by several orders of magnitude, and as predicted by other scientists explosives just won't impart their energy to water in a usefull way (which is why the bomb squad chucks suspect devices into tanks of water).

    AnuraDecember 2, 2014 5:51 PM

    @Clive Robinson

    "There is no way on God's little green apple that a submarine could generate that amount of energy and survive intact it's self."

    The people of Atlantis were able to not only wipe out all life on Mars, but render the entire planet completely uninhabitable. It's not inconceivable that the US had located Atlantis and recovered some of their long-lost technology and employed it for use on a submarine. Plus, while they have long since left the planet, Atlanteans do return on occasion to study their primitive cousins, and their technology is likely on board their space ship.

    ThothDecember 2, 2014 8:31 PM

    I would like to believe there are Atlanteans and Lemurians but so far no conclusive evidences yet.

    These advanced species ability to do communication between minds would be very useful for secure communication since you can't technically tap it substantially unless you tap the minds on both ends.

    Tony H.December 3, 2014 1:52 PM

    @Thoth: "In the ASEAN region, Thailand, Myammar, Laos, Vietnam, Cambodia, Malaysia and Indonesia are not friends of the 5-Eyes as they are too busy with their own politics or historically at odds or neutrals. Only the British/US (ex-)Colony of Australia, New Zealand, Singapore and Phillipines would pose substantial support to British and US interest and go the extra mile to ensure better than usual relationships."

    Brunei is very UK-friendly. In particular, very UK-establishment, old-school military friendly. And conveniently the cable map shows branches of three quite long and interesting cables landing in Brunei vs none in the adjacent part of Malaysia.

    Tony H.December 3, 2014 2:01 PM

    @BoppingAround: "Off-topic: I cringe each time I see the NSF abbreviation here."

    For years I saw that NSF Approved logo on those upside-down water bottles in office water coolers, and assumed it was the "real" US NSF. Turns out to be an industry standards body called the National Sanitation Foundation.

    Milo M.December 3, 2014 3:01 PM

    Summary of Undersea Fiber Optic Network Technology and Systems (3 MB):


    Cable-landing stations:


    One existing station in Brunei, one under construction:


    Tungku Cable Landing Station is the terminal station for the AAG and SMW3 cables.

    The undergoing SJC (South-East Asia Japan Cable) is going to land at the Telisai Cable Landing Station.


    There are now 9 international submarine cables landing in Malaysia, including APCN, APCN-2, AAG, SMW3, SMW4, FEA, and several cables between Malaysia and Indonesia such as Batam-Dumai-Melaka (BDM) Cable System, Dumai Malaka Cable System (DMCS) and Batam-Rengit Cable System (BRCS).



    View a list of all cables connected to a specific country—enter “Connected to” and the country name in the search box (for example, “Connected to Australia”).

    The above process (enter in the Search window on the map) brings up a list of 15 cables terminating in Malaysia, and 3 for Brunei.

    Wesley ParishDecember 3, 2014 8:26 PM


    !st April 2014
    At a press conference today at the UN Assembly in New York City, the head of the Martian Permanent Mission to the UN, Ambassador Dejah Thoris, announced that Mars had renounced its long-standing three-billion-year-old claim to Phobos, which had been based on the understanding that Phobos was artificial and had been the transporter starship that brought Martian ancestors to the planet. "We were misled by an excessive reliance on the reliability of the evidence presented by Soviet Academic Shklovsky in Earth year 1959 CE."


    DerrickDecember 4, 2014 3:23 AM

    @ Kiet

    Authenticity of these documents is moot, because we infer deductive logic and leap of faith, by which these documents can only represent lease common denominator. If these are fraudulent, the real thing can only be worse. ;p

    thevoidDecember 4, 2014 8:19 AM

    @Clive, @Anura

    the mini-nuke seems most plausable to me, for one reason in particular:

    shortly after the tsunami, i recall a documentary on pbs (probably nova), that actually dove to the epicenter. the researchers were surprised that the area was a complete dead zone. they made it a point that it was unusual and that they didn't have an explanation for it.

    i know that using a nuke to create a tsunami was actually considered, enough so that it was banned in one of the '70s arms treaties.

    ThothDecember 4, 2014 8:42 PM

    Will we one day destroy ourselves with the technologies we have in our hands ?

    I think we are closing in on that chance soon. We are getting technologically advanced in a very short time span but as a species we have not reached a level or mental and morale capability to handle the enormous power invested via these technologies and knowledge.

    Leave a comment

    Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

    Photo of Bruce Schneier by Per Ervland.

    Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.