Full Disclosure mailing list archives

Re: CALEA & Re: XKeyscore


From: Michal Purzynski <michal () rsbac org>
Date: Tue, 13 Aug 2013 13:51:07 +0200

On 8/12/13 4:57 PM, Pedro Luis Karrasquillo wrote:

"Man, you just created a mental loop in what you said. So, two lines earlier you said Chavez / Putin would not allow them to intercept communication by means of taping cables and now you are saying that"

Oh noes! CRC error detected. You just had a buffer overflow. Sorry I caused you to loop up. I never said Putin or Chavez would be in a position to agree or disagree with anything. Especially Chavez now that he is fertilizing the sugar cane. Certainly a CALEA kind of intercept is not the only tool they could use. I just do not think that fiber tapping is the easiest way. It is certainly one of the ways, but getting the info via a backdoor is really much easier where feasible, like in unfriendly states. The backdoor being the CALEA capability.

Don't be afraid, I'm fine - my brain has a recent copy of PaX and everything here is PIE compiled. NX enabled, 100% ASLR, no information leaks at all, no JIT generation allowed. Utopia!

You can't use CALEA in Venezuela easily. Read on, to learn why. Same goes for Russia.

"Cisco architecture is there, like there are many others. And it's just one of the brands. You just use best means you have for the situation. And it's accidentally managed by SNMP... so what? It could be telnet, who cares. These days you just mix and match all the technologies you have for intercepting. And whenever you can tap the cable, you do it, because it gives you the best bang for the buck."

Exactly my point. Not sure why you all got so worked up about me pointing out that there are easier ways to do this than tapping a fiber. Tapping a fiber is a good idea if there is not an easier, less intrusive way. The spooks could not care less about money, it is all about getting it done without getting noticed.

I see... you misunderstood the documentation. Go and read it again.

You're trying to tell me that CALEA is a backdoor that the NSA can use all the time to get traffic. And here's why not:

1. It's a set of SNMP commands efficiently configuring a filter doing 'find me all this data, and ship it <here>'. Kind of a span port with a filter. Over-engineered, BTW.

2. Being SNMP, it must be configured before being used. Yes, I've read all the documentation - a fascinating read, I have to say!

3. When was the last time you've seen SNMP opened to the public? Been a while here. And even if it were, the whole CALEA capability must be configured _before_ it is used. Not something you can do by accident, and _not_ running by default either.

4. There's a lot of additional gear to accept the intercepted traffic and ship it further. It needs to be installed somewhere before you can monitor things.

5. There's a lot of data everywhere these days. You cannot monitor an entire ISP this way, or they would need to keep a few Gbits of spare bandwidth just for the NSA. Actually, I'd make a deal with them - you guys in tasteless black suits pay for all my bandwidth and I can give you half ;) Local processing, you say? Distributed computing? Mr Putin won't allow you. Shipping all the traffic to a friendly country to process there? Say, Germany? Sure, and no-one from the Russian ISP would ever notice? Especially as the CALEA traffic is visible as hell - being either UDP or IPSEC.

6. Cisco says it puts the load on a CPU. And it does. Now, the routing engines even in expensive modern network gear aren't exactly speed beasts. My phone leaves them in the dust. How much traffic can you extract this way, making the CPU work three times harder, before it starts dropping BGP sessions?

To sum up - sure, you can use CALEA to extract traffic in a limited way. Say a few VOIP sessions. But in order for that to happen you need to have an agreement with the ISP, put your gear there, have it configured, and then you can have fun.

But CALEA isn't a backdoor that the NSA has put everywhere to miraculously ship all the traffic to them. Say I have a few Cisco routers - they cannot send me a magic packet and expect traffic to be sent to them. And yes, I know my traffic levels very well, and so does our NOC team - let's say the NSA copies everything - that means I have twice the traffic suddenly. I'd be woken up in the middle of the night by the NOC people to investigate if something like this happened.

Red dots? Tap the fibre in DE-CIX and there's for sure some communication from Moscow. So you can say you get some Moscow traffic and put a red spot there.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
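The detection angle in the reply above (a full copy of ingress roughly doubles egress on the interface, and the export stream shows up as a single high-volume UDP or IPsec peer rather than the long tail of normal flows) as an added Python example. This is not code from the post, from the list, or from any vendor's lawful-intercept documentation; the interface counters and flow records are constructed for the example, the addresses are taken from the RFC 5737 documentation ranges, and the thresholds (`factor`, `min_share`) are assumptions a NOC would tune to its own baseline.

```python
"""Spot a mirrored copy of traffic from counters and flow records.

Added example, not from the mailing-list post. All inputs below are
constructed; real deployments would feed SNMP interface counters and
NetFlow/IPFIX records into the same two checks.
"""
from collections import defaultdict
from statistics import median

# Constructed per-window counters (window, rx_bytes, tx_bytes) for one
# upstream interface. Windows t06..t08 model every ingress byte being
# exported again, so tx jumps to roughly twice rx.
IFACE_SAMPLES = [
    ("t00", 1_000, 1_020),
    ("t01", 1_050, 1_030),
    ("t02", 980, 1_000),
    ("t03", 1_010, 990),
    ("t04", 1_100, 1_110),
    ("t05", 1_020, 1_040),
    ("t06", 1_000, 2_010),
    ("t07", 1_030, 2_080),
    ("t08", 990, 1_980),
]

# IP protocol numbers: 6 = TCP, 17 = UDP, 50 = ESP (IPsec).
PROTO_NAMES = {6: "tcp", 17: "udp", 50: "esp"}

# Constructed flow records (dst, proto, bytes) from the same interface.
# Normal traffic is many modest TCP flows plus small UDP; the constructed
# export stream is one UDP peer carrying almost half of all bytes.
FLOWS = [
    ("203.0.113.10", 6, 300),
    ("203.0.113.11", 6, 250),
    ("203.0.113.12", 6, 200),
    ("203.0.113.13", 17, 40),    # ordinary DNS/VoIP-sized UDP
    ("203.0.113.14", 6, 180),
    ("198.51.100.7", 17, 950),   # hypothetical collector taking a full copy
]


def egress_ratio_anomalies(samples, baseline_windows=4, factor=1.5):
    """Return windows whose tx/rx ratio exceeds factor times the median
    ratio of the first baseline_windows windows.

    Duplicating ingress toward a collector adds roughly one more copy of
    the traffic on the wire, so the ratio moves from about 1 to about 2.
    """
    ratios = [(window, tx / rx) for window, rx, tx in samples]
    baseline = median(ratio for _, ratio in ratios[:baseline_windows])
    return [window for window, ratio in ratios if ratio > factor * baseline]


def bulk_export_sinks(flows, min_share=0.25, protos=(17, 50)):
    """Return (dst, proto_name, share) for UDP or ESP destinations that
    carry at least min_share of all bytes seen.

    An intercept export stream is a single high-volume UDP or IPsec peer;
    legitimate UDP (DNS, VoIP) stays small per destination.
    """
    total = sum(nbytes for _, _, nbytes in flows)
    per_sink = defaultdict(int)
    for dst, proto, nbytes in flows:
        if proto in protos:
            per_sink[(dst, proto)] += nbytes
    return sorted(
        (dst, PROTO_NAMES.get(proto, str(proto)), round(nbytes / total, 3))
        for (dst, proto), nbytes in per_sink.items()
        if nbytes / total >= min_share
    )


if __name__ == "__main__":
    print("egress anomalies:", egress_ratio_anomalies(IFACE_SAMPLES))
    print("bulk UDP/ESP sinks:", bulk_export_sinks(FLOWS))
```

On the constructed data the first check flags windows t06 to t08 and the second names the single UDP collector; on live data the two checks are complementary, since a collector fed over IPsec hides the inner protocol but not the volume, and a counter-only check cannot say where the extra bytes went.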