Jun 27 2006

How Exposure Destroys National Security

Published by at 4:15 pm under All General Discussions

An ongoing court case which is not getting much national media attention yet is the perfect example of the damage that can and will be done to our national defense by the NY Times, USA Today and the Washington Post. The lefty media prints stories which are then used by far left organizations to bring cases to court and open up our defenses for all to see. One such case was brought by EFF and is targetted at the telephone company compliance with anti-terror programs.

In order to bolster the case brought by some low level smuck at AT&T who fantasized about the utility of certain equipment put in place required the need to bring in a communications expert to assess the wild claims – which tells you right away this ‘source’ doesn’t know his IP from his IM, and was not educated or expereinced enough to be a source on such a story.

All you need to know is that the hired-gun expert reported on what this all could mean, and in essence exposed more and more technical details useful to terrorists wanting to evade detection by law enforcement. Here is the report that is now part of the court’s public record (h/t Salon for their myopic zealotry). Let’s start with the essence of the expert’s conclusions.

[top PDF page 13 (p9), line 1] “Redacted Acronym” Configurations could be used for a number of legititmate purposes; however the scale of these deployments is, in my opinion and based on my experience, vastly in excess of what would be needed for any likely application, or any likely combination of applications other than surveillance.

The expert has a lot of experience, and I know his company well (BBN). It was a developer of parrallel processing systems we looked at for computationally intensive problems (like sifting data flows). But the guy looks to be a wannabe. He has had lot’s of jobs but never as the lead engineer, more as a program manager. And the fact he ended up in the US government and later an international standards body tells me he could not hold his own with the real down-in-the-bits engineers. This first statement is the foundation of all other conclusions and speculations (more of the latter than the former). And it is underpinned by a completely arbitrary assessment of capacity. Not functionality or capability, simple capacity. He assumes the size is more than needed for most applications he is familiar with, but he is not familiar with them all by a long shot. He is familiar with setting up ISPs, not in data processing. Let’s just say if it was not for the claims by AT&T and the Feds the program is a national security program this conclusion would be laughable because of all the assumptions on scope and mission life one would have to make to determine a proper capacity.

From this strange leap in logic, the ‘expert’ goes on to note that all of the equipment can be used for legitimate purposes and for legal searches

[same page, line 10]For instance the “Redacted Acronym” Configurations could be used in support of routine lawful intercept, and are possibly being used in that way, but lawful intercept requirements could not account for AT&T’s deployment of the [redacted] deployments. As another example, the “Redacted Acronym” Configurations be used in support of AT&T commercial security offerings, and it appears AT&T is using either the “Redacted Acronym” Configurations or, more likely, similar technology deployed elsewhere in support of their Internet Protect commercial offering.

Emphasis mine. This ‘expert’ just tipped his ignorance of government classified programs and data processing systems (vs and ISP backbone). First off, you will never see classified systems shared with commercial users of the same functions. Apparently the documentation the leaker stole from AT&T made mention that these “Configurations” were to be used in a new security service offering. The ‘expert’ notes that it is more likely that other systems would be used? It is necessary. And now we get the first hint of what may be in these rooms. One thing the government does is contract with businesses to establish new capabilities – like network security. I see experts from CISCO and other companies all the time discussing the latest security ideas. They have to implement them in their products for application in certain areas.

For example, when NASA has a mission running and their are people at Johnson in Texas and Kennedy in Florida and Goddard iin Maryland all working together, they have to communicate securely through private circuits owned by companies like AT&T which connect up to circuits that are run at each of the centers to the actual offices and computers and phones “on-line”. The new secure paradigm, without going into too much detail, are things like virtual private networks which run unseen over public open network assets.

I use this example only to illustrate other uses for these systems and rooms. They could be equipment used to separate llegitimate government traffic through security systems which also audit and trace all data. The Federal government obsesses about auditing and recording information. And there is a lot of it out there. The military is an enormous user of bandwidth, especially in times of war. So there are a million uses of these systems this ‘expert’ is not aware of because he has never had to design large scale, distributed data processing systems (as yours truly has). All I am saying is the conclusion is based in limited experience and a mindset to reach a predetermined conclusion. Alternate, non-criminal uses are easy to envision.

The proof of this mindset based conclusion is in the report itself, where he admits to a preconception which, when it is wrong, makes him conclude there is something out of place (as opposed to the simple conclusion his preconception was wrong):

[bottom of same page, line 22]Prior to seeing the Klein Documentation [the leakers’s stolen documents], I would have expected the [Terrorist Surveillance] Program to involve a modest and limited deployment, targeted solely at overseas traffic, and likely limited in the information captured to traffic measures (except as pursuant to a warrant). The majority of international IP traffic enters the United States at a limited number of locations, many of them in the areas of [N]orthern Virginia, Silicon Valley, New York, and (for Latin America) south Florida.

Final emphasis in the original. Note that the assumption is built in this was part of the NSA Terror Surveillance Program monitoring terrorist communications overseas. The logic here is stunningly myopic. He is saying this does not look like what I thought an NSA TSP would look like, therefore it is one. He then says system deployment makes sense as part of some other, broader initiative (like providing secure communications to government facilities across the nation), therefore it is not one of these but the TSP.

It never occurs to the expert he is not seeing an NSA TSP because he is trying to fit this square peg into the round hole he wants in the answer. Also note that ‘majority’ of the international internet traffic is in certain locations. But it is not all the traffic flows (and probably not the flows for 3rd world communications). What about a terrorist in Canada or Mexico or Puerto Rico? What about the Caribean? Again, the logic here is to stretch the speculation instead of dealing with the facts at hand. If there was going to be 100% coverage of all possible international traffic, does the deployment make sense?

I could go on for hours tearing this apart. I had a hard time selecting one page to fisk out of the 40 pages presented. What we have is this: a media story which made allegations which were all wrong (the end around FISA turned out to be using FISA for the first time to track down leads in the US from military surveillance of targets overseas) ending up in a court case exposing key information (like were all the nerve centers of internet traffic exist – thanks for painting a target on my community’s back). This is exposed by an ‘expert’ pontificating on how the systems really resemble something else, therefore it must be an espionage game. And that is how the damage is done.

Addendum: One last nail in this guy’s expert opinion. Why do I think this is an eleborate protection capability? Check out this next section:

[top PDF page 40 (p10)]The “Redacted Acronym” Configurations are fully capable of pattern analysis, pattern matching and detailed analysis at the level of content, not just addressing information. One key component, the [redacted], exists primarily to conduct sophisticated rule-based analysis of content.

Klein Exhibit C speaks of a private [redacted] backbone network, which appears to be partitioned from the AT&T main Internet backbone, the CCB. This suggests the presence of a private network

Here we have all the makings of a virtual private network which is monitoring data for viruses, spam and porn, etc….

. And the government does monitor all the data inside its networks for network attacks and illicit use. As Ron White says: ‘Yep, you did it. You caught the ‘Tator’ “.

Addendum: The final blow. The obvious answer is increased security for AT&T’s government customers. This is dismissed out of hand in the following snippet on page 36 of the PDF (p31). But first I must note this service began to be deployed in 2003. Which coincides nicely with when the US government would be deploying new safe guards as a result of post 9-11 analysis. And since the NSA TSP has been operating since 2001, it is clear this could not have been an NSA TSP element from the beginning (if it ever was – which I have my doubts). The ‘expert’ notes AT&T offering new secure services in 2004, which again is in line with getting permission from the government to extend the service to the private sector. Now for the straw that breaks this camel’s back:

I considered several alternative hypotheses, including (1) enhanced security for U.S. government customers of AT&T Worldnet; (2) data mining of AT&T customers; and (3) support for sophisticated, possibly application-specific billing and accounting measurements. None of these possibilities appear to account for the investment AT&T apparently made in the “Redacted Acronym” Configurations.

I know for as fact the US Government is on a tear paying to enhance its e-security and spending billions to do so. So to dismiss the idea it would not pay AT&T for these security upgrades (which would be reviewed by NSA security engineers in many cases) is idiotic. It is the most likely answer, well before some secret spying decoder thingy.

3 responses so far

3 Responses to “How Exposure Destroys National Security”

  1. MerlinOS2 says:

    AJ the other point being missed here is that the very infrastructure probe capability he is describing here is the type of thing that is MANDATED by the Calea requirements for warranted searchs!

    Congress has required this capability.

    He has only in essence charged that they are complying with a legal requirement, not any abuse or even actual usage.

  2. Eye on the Watcher’s Council…

    As you may know the members of the Watcher’s Council each nominate one of his or her own posts and one non-Council post for consideration by the whole Council. The complete list of this week’s Council nominations is here. Here’s what …

  3. MerlinOS2 says:


    Another point is that the 2003/2004 timeframe of implementation also coincides with the aftermath of the Calea legislation enactment. For almost 2 1/2 years after the legislation passed, the bells were in the courts for a ruling as to who had to pay for the equipment required under the mandate. You know the old unfunded government mandate saw. It was settled in 2003, and equipment then was begining to be installed.

    As to this installation being a NSA job. Well I think most would tell you that have a clue is that for the NSA to collocate at a non secure facility, has resulted in a number of sites less than you can count on your most personal of parts.