The network architecture of treason
By carefully examining how Republicans parse their statements about Bush's warrantless, openly felonious, and treasonous domestic surveillance program, and combining that with network engineering knowledge available through open sources, alert reader philosophicus has advanced our understanding of the NSA surveillance system Bush set up.
Long story short: (1) Internet surveillance is Bush's goal, not voice calls; (2) the Republican "wiretap" talking point is a diversion toward voice and away from Internet surveillance; (3) Bush's domestic surveillance system would pose no engineering challenges whatever to NSA. No rocket science--or tinfoil hats--required.
In a future installment of this series, we'll look at the text mining component of this program, assess its impact, and see whether it's going to work (no). Read on:
[Portions of part 1 were originally published on Talk Left (with many good comments), and mentioned here, and implicitly here; links have been added here. Parts 2 and 3 are new. The indented portions of what follows are from philosophicus; the unindented framing is from Corrente. We solicit your feedback.]
Let us Parse:
Why, in his handwritten letter, does Rockefeller state that he's "not a technician"?
Why the mention of TIA in Rockefeller's letter?
What does Condi mean when she says "communicate in much more fluid ways"?
What's the "technology" and "hot numbers" Cheney talks about?
Why this seemingly inconsequential parsing by Bush of the difference between "monitoring and detection"? Bush says they use FISA if they're monitoring, but this is about "detection."
And why the mention of "large batches of numbers all at once"?
Because they're really not talking about voice--as one might think, hearing the word "wiretap." They're talking about data. These are IP addresses and email addresses. (Note that the Times article that (very belatedly) revealed this program is careful to add the phrase "and email" throughout, whenever phone calls are mentioned.)
We believe that Bush, through the NSA, has put a system in place that, in essence, filters Internet traffic on certain triggers (text, phoneme, etc.) within Internet "conversations." This is "detection" in Bush's mind. "Monitoring" would be recording an entire conversation, like in a phone conversation. This is the technology Cheney, Condi, Gonzales and Bush are talking about, that didn't exist when FISA was drafted.
In part 3 of this post, philosophicus will outline the network architecture; and in a subsequent post, the "triggers." For now, let's look at why the Republican "wiretap" talking point is so pernicious.
Part 2: The Republican "wiretap" talking point is a diversionary tactic
"Wiretap" is a talking point that really sits up and works for the Republicans, because in this context, it confuses the exact issue they want to confuse. To the casual reader, wiretap suggests voice, like the FBI planting a bug in a Mafia don's phone. However, because of the way that the Patriot Act was drafted, "wiretap" can be construed to mean Internet communication.
Let's look at the EFF's analysis of the Patriot Act:
Before the PATRIOT Act, the government could only get a FISA pen-trap order when the communications to be monitored were likely to be either (1) those of an international terrorist or spy or (2) those of a foreign power or its agents relating to the criminal activities of an international terrorist or spy. PATRIOT 214 threw out this requirement. Now, any innocent person's communications can be tapped with a pen-trap so long as it is done "for" an intelligence investigation. The FBI doesn't have to demonstrate to the FISA court that the communications are relevant to its investigation. Nor can the court deny the FBI's request; if the FBI certifies the tap is "for" such an investigation, the FISA court must issue the order.
That Section 214 lowered the standard for FISA pen-traps is even more disturbing in light of the fact that PATRIOT Section 216 expanded their reach. Unlike regular wiretaps issued under much stricter standards, pen-traps aren't supposed to collect the actual content of your communications, such as what you say on the telephone. Instead, they capture "non-content" information about your communications, such as the telephone numbers that you dial or the numbers of people who call you.
Before PATRIOT, the statute defined pen registers and trap-and-trace devices solely in the context of telephone communications. But Section 216, which does not sunset, expanded the pen-trap definition to include devices that monitor Internet communications, without clarifying what portions of Internet communications are "content," requiring a full wiretap order, versus "non-content," which can be legally acquired only with a pen-trap order. At the very least, this change means that the government can use a pen-trap to see the email addresses of people you're sending email to and the addresses of people who send email to you, along with the timestamp and size in bytes of each email. The FBI can monitor the IP addresses of all the computers you interact with over the Internet, or capture the IP addresses of every person visiting a particular website. Under the vaguely written statute, it may even be able to capture the URL of every web page that you read, although the FBI refuses to confirm or deny whether it has done so.
Anytime anyone in the administration says that everything remains the same with "wiretaps", they are parsing words. This has nothing to do with "wiretaps." "Wiretap," in common usage, is a term of art referring to analog communications. But in the above section of the Patriot Act as drafted, it refers to Internet monitoring.
So why did Bush not get the warrants needed retroactively? I believe that the law was drafted in haste by lawyers and staff who had only a cursory knowledge of the technology. Once this was put into operation and the administration saw the result (e.g. 9,000 traffic flows with 18000 IP addrs) the career DOJ guys freaked. They probably registered their opinion which got deep-sixed by the administration and was probably leaked and sitting in the NYTimes safe, still unpublished. I believe we have some recent precedent for that.
Part 3: Bush's domestic surveillance system would pose no engineering challenges whatever to NSA.
So how would an agency go about surveillance on "overseas" Internet traffic on a massive scale? (Note: Since Internet packets are routed from ISP to ISP without regard to borders, "overseas" is not really a meaningful term for Internet traffic, as opposed to point-to-point voice calls.) Could they do it without any rocket science, for not much money? Yes.
Step 1: Place monitors, probes, or taps on the Internet. Where would one place them? That's pretty simple. Let's look at CAIDA's Internet topology map.
The map shows a snapshot of the major "choke" points, or "core carriers," for Internet traffic as it exists today. There are not that many choke points--think of these as "hubs" in a hub and spoke airline network. (The choke points are in the magenta area in the middle of the diagram.)
Step 2: Figure the compute power and storage to monitor, say, the top 20 nodes in the diagram. For that we can go to a typical packet trace analysis of one of the core carriers.
Notice anything interesting here? Link utilization for these links is minimal. These OC48 links can support up to 2.5 gigabits/sec, but the utilization is barely more than 100 megabits per second. And the storage needed for these traces is minimal as well.
But do we have to monitor all that traffic? If we look at the application breakdown, we see that about 50% is http traffic. If we add email, the total is about 60%. That means that we're looking at doing deep packet inspection, etc. on only about 50 or 60 megabits/sec per node. You can do that with an off-the-shelf $1000 rack server and software from any one of the dozens of companies that specialize in this. Storage is just as cheap.
Step 3: Check existing best practices. I found a little PowerPoint slide that Amogh Dhamdhere from Georgia Tech did, illustrating the Sprint IPMON architecture. (You may have noticed that a Sprint node, Sprintlink1239, is one of the top twenty in the choke point diagram.)
Monitoring like this for research motives has been going on for years. Remember, when TCP/IP was first developed, security was not the issue; survivability was the issue, and so monitoring was necessary to develop success metrics. More recently, packet inspection techniques have been applied by the major ISPs to thwart Denial of Service attacks, worms, and so on.
So, we know where the choke points to monitor are (step 1). We know how much capacity we need to monitor the choke points (step 2). And we know that there's proven technology to monitor the choke points (step 3). On the cheap.
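To make the step-2 estimate concrete, here is an added example (our own code, not philosophicus's and not anything from the IPMON or CAIDA projects) that classifies constructed flow records by destination port, computes the link utilization, and works out how much of that an inspection engine would actually have to process if it looked only at web and mail. The port table, the 10-second interval and the byte counts are assumptions chosen to mirror the numbers in the post.

```python
# Added example (not from the original post): estimating per-node deep packet
# inspection load at a core "choke point" from a sampled packet trace.
from collections import defaultdict

OC48_BPS = 2_488_320_000  # OC-48 line rate, about 2.5 Gbit/s

# Port-based application classification, the coarse breakdown research
# monitors publish. Assumption: destination port alone identifies the app.
APP_PORTS = {80: "http", 8080: "http", 443: "https", 25: "smtp",
             110: "pop3", 143: "imap", 53: "dns"}

# Only cleartext web and mail are worth inspecting; TLS (443) carries an
# encrypted payload, so a content filter at a core link learns nothing from it.
INSPECTABLE = ("http", "smtp", "pop3", "imap")


def classify(dst_port):
    return APP_PORTS.get(dst_port, "other")


def app_breakdown(flows, interval_s):
    """Return (bytes per application, offered load in bit/s) for one link.

    flows: (src_ip, dst_ip, dst_port, byte_count) records seen on the link
    during a window of `interval_s` seconds.
    """
    bytes_by_app = defaultdict(int)
    for _src, _dst, dport, nbytes in flows:
        bytes_by_app[classify(dport)] += nbytes
    total_bytes = sum(bytes_by_app.values())
    return dict(bytes_by_app), total_bytes * 8 / interval_s


def dpi_load_bps(flows, interval_s, apps=INSPECTABLE):
    """Bit/s the inspection engine must keep up with if it reads only `apps`."""
    by_app, _ = app_breakdown(flows, interval_s)
    return sum(by_app.get(a, 0) for a in apps) * 8 / interval_s


def utilization_fraction(offered_bps, link_bps=OC48_BPS):
    """Fraction of the physical link the observed traffic occupies."""
    return offered_bps / link_bps


# Constructed 10-second sample; byte counts mimic the ~50% web / ~10% mail
# split the post cites and a total of about 100 Mbit/s on the link.
SAMPLE_FLOWS = [
    ("10.0.0.1", "203.0.113.5", 80, 35_000_000),
    ("10.0.0.2", "203.0.113.7", 8080, 25_000_000),
    ("10.0.0.3", "203.0.113.9", 443, 5_000_000),
    ("10.0.0.4", "203.0.113.11", 25, 12_500_000),
    ("10.0.0.5", "203.0.113.13", 53, 2_500_000),
    ("10.0.0.6", "203.0.113.15", 6881, 45_000_000),  # unclassified bulk
]
```

With the sample above the link carries 100 Mbit/s, about 4% of an OC-48, and an engine inspecting only web and mail sees 58 Mbit/s, which is the post's "50 or 60 megabits/sec per node".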
Part 4: If we had such a system in place, what would we monitor?
So how does one spot a DoS attack or worm? Simply by recognizing a pattern or signature in the traffic. What is the difference between a malicious pattern and a certain set of words in an email or an http flow? To the computer, no difference. To humans, semantics (or semiotics, depending on your philosophy). Somebody decides which patterns of words are malicious or evil. Hey! I wonder who does that?
Next up: What shall we do with all this data? Munging on the cheap.
Corrente thanks alert reader philosophicus for the analysis. We think he puts all the pieces together in an original and interesting way. (And of course the crazy, unindented stuff is all Lambert, who may, or may not, have fully recovered from his fever.) Thanks also to Leah for edits and holding the fort. It takes a village to stomp a weasel.
UPDATE: Welcome, Daou Report readers.
UPDATE: Note well that philosophicus is defining the scale and scope for this surveillance system, and concludes it can be done with $1000 off-the-shelf rack servers. This system doesn't have to be Echelon at all. That's old news. In fact, since the Bush administration likes to bypass existing institutions, it probably is something entirely new.
UPDATE: Welcome Suburban Guerilla readers.
UPDATE: Welcome, Crooked Timber readers.
UPDATE: Happy Holidays, Heretik readers.
Why do I (Lambert) say "treason" as opposed to (say) an impeachable offense? Here's why. The Constitution defines treason in Article III, section 3 as "Treason against the United States, shall consist only in levying War against them...." Now, as Bush is fond of informing us, there's a "new kind of war." And Bush is waging informational warfare (farmer; lambert) against the United States to destroy the Constitution, whether by eliminating the checks and balances carefully designed by the founders to limit executive power, or by destroying unenumerated rights retained by the people, such as the right to privacy. Who said the new kind of war was fought only with guns?
Now, I'm not a lawyer, and I doubt very much that there's been a lot of work done on levying informational War against the United States. But let's try a hypothetical. Suppose that NSA's technical abilities are being reported accurately. Bottom line: NSA can read anything, including what's on a drive or being typed. (Maybe Rockefeller knew what he was doing when he handwrote his note to Cheney, eh?) How would that capability, if exercised, or even potential, square with Article 1, section 5:
Each House shall keep a Journal of its Proceedings, and from time to time publish the same, excepting such Parts as may in their Judgment require Secrecy...
It wouldn't, would it? The executive would be treating Congress as a foreign adversary, as opposed to a co-equal branch of government. Which seems to be a pretty good description of what's going on.
We have built a monitoring system that meets our goal, and have created a measurement and analysis infrastructure capable of collecting GPS-synchronized packet traces and routing information, and analyzing terabytes of data.