
All About NSA's and AT&T's Big Brother Machine, the Narus 6400

by rcs1

[editor's note, by standingup] Originally posted Mon Apr 10, 2006 at 04:52:08 PM CST. Bumping this after reading Josh Marshall's post today on TPM.

Update [2006-5-17 13:52:54 by standingup]: There is a new development in this story. See Whistleblower Victory: Judge rules AT&T docs to be aired in court from Valtin for details. Emptywheel also has written a good post on the topic worth reading Domestic Spying: They're Not Getting Data, They're Getting the Switches.

(Cross-posted from DailyKos at the suggestion of standingup)

Last week we found out that the EFF had sued AT&T over their secret work with the NSA on surveillance of millions of US citizens without wiretaps. We learned that paragraph 65 of this complaint shows EFF is trying to turn it into a nationwide Class Action suit covering all current and former customers (any after 9/2001) of AT&T. And we learned that a retired AT&T technician had stepped forward and disclosed the installation of secret NSA spy equipment in the San Francisco trunk facility. As well as the belief that similar equipment is in place in Seattle, San Jose, Los Angeles and San Diego.

Specifically, this equipment was the Narus ST-6400, a machine that was capable of monitoring over 622 Mbits/second in real time in May, 2000, and capturing anything that hits its semantic (i.e. the meaning of the content) triggers. The latest generation is called NarusInsight, capable of monitoring 10 billion bits of data per second.

Follow me over the jump and let's learn some more about the private company Narus, its founder Ori Cohen, and board member Bill Crowell. Shall we?


Narus is a private company founded in 1997 by Ori Cohen, who had been in charge of technology development for VDONet, an early media streaming pioneer. It has venture funding from an all-star team of investors including JP Morgan Partners, Mayfield, NeoCarta, Presidio Venture Partners, Walden International, Intel, NTT Software and Sumisho Electronics.

Of note is that while Hoover's company factsheet on Narus continues to list Mr. Cohen as Chairman, Narus's own website listing of the Board of Directors no longer mentions Mr. Cohen.

Prior to 9/11 Narus worked on building carrier-grade tools to analyze IP network traffic for billing purposes, to prevent what they term "revenue leakage". Post-9/11 they have continued down that path while adding more semantic monitoring abilities for surveillance purposes. They even brought in former Deputy Director of the NSA William P. Crowell as an addition to their Board of Directors. From the Press Release announcing this:

Crowell is an independent security consultant and holds several board positions with a variety of technology and technology-based security companies. Since 9/11, Crowell has served on the Defense Advanced Research Projects Agency (DARPA) Task Force on Terrorism and Deterrence, the National Research Council Committee on Science and Technology for Countering Terrorism and the Markle Foundation Task Force on National Security in the Information Age.

His past positions have included president and chief executive officer of Cylink, a leading provider of e-business security solutions, as well as a series of senior positions at the National Security Agency, including deputy director of operations and deputy director of the Agency. Crowell has served as chairman of the President's Export Council (PEC) Subcommittee on Encryption, which worked with the Administration, Congress and private industry to substantially loosen restrictions on the export of encryption products and technology.

"Narus has an impressive track record of working with tier-one carriers to keep their networks running safely, continuously and profitably," said William Crowell. "I look forward to helping Narus as they forge new strategic partnerships and continue to break new ground in the telecommunications industry."

So these guys (1) build hugely cool network monitoring devices and (2) are tied into US (at least) national security organizations at the highest levels. What are these hugely cool machines capable of?

From the Key Features list of NarusInsight

-Universal data collection from links, routers, soft switches, IDS/IPS, databases, etc. provides total network view across the world's largest IP networks.

-Normalization, Correlation, Aggregation and Analysis provide a comprehensive and detailed model of user, element, protocol, application and network behaviors, in real time.

-Seven 9s reliability from data collection to data processing and analysis.

-Industry-leading packet processing performance that supports network speeds of up to OC-192 at layer 4 and OC-48 at layer 7, enabling carriers to monitor traffic at either the edge of the network or at the core.

-Unsurpassed and limitless scalability to support the world's largest, most complex IP networks.

-Unparalleled flexibility -- NarusInsight's functionality can easily be configured to meet any specific customer requirement (Narus Software Developer Kit -SDK).

-Unparalleled extensibility -- NarusInsight's functionality can easily be configured to feed a particular activity or IP service such as security, lawful intercept or even Skype detection and blocking.

How powerful is this? OC-192 carries about 10 gigabits of data per second.  Ten billion bits per second, monitored in real-time. That is stunning. This is one damned powerful machine, one of the most powerful I've ever heard of in 25 years in IT.

And what does it monitor while looking at this 10 billion bits of IP data per second? First let's take a look at what the network model is, the OSI model of seven layers. NarusInsight focuses on two layers: number four, the transport layer, built on standards like TCP and UDP, the physical building blocks of internet data traffic, and number seven, the application layer, built on standards like HTTP and FTP, which are dependent on the application using them, i.e. Internet Explorer, Kazaa, Skype, etc. It monitors 10 billion bits per second at level four and 2500 million bits per second at level seven. For reference, the 256K DSL line I am using equals .25 million bits per second. So one NarusInsight machine can look at about 39,000 DSL lines at once in great detail. That is a pretty damn big number. This is some really serious hardware with equally serious software. Which is our next subject.

So what exactly is done to and with this data? That's kind of a grey area, so let's try to find what we can. The starting point is called the Internet Protocol Detail Record, which Narus helped found. From that FAQ I just linked to, we learn that

IPDR stands for the Internet Protocol Detail Record, the name comes from the traditional telecom term CDR (Call Detail Record), used to record information about usage activity within the telecom infrastructure (such as a call completion).

NDM-U stands for Network Data Management - Usage. It refers to a functional operation within the Telecom Management Forum's Telecom Operations Map. The NDM function collects data from devices and services in a service providers network. Usage refers to the type of data which is the focus of this document.

IPDR.org is the non-profit organization that promotes use of the IPDR NDM-U and other related standards. The principal deliverable for IPDR.org is the NDM-U specification and related development tools.

And is it actually being used?

IPDR.org has been in existence since 1999 and more than a dozen vendors have actual IPDR implementations "etched in code". Their systems are actually able to talk to each other and interoperate. Version 2.5 and up of the NDM-U represents a stable basis for development. IPDR.org's Interoperability Pavilion is a working demonstration of multiple companies exchanging service usage data in that format.

Service usage data. That would be data on the actual usage of the Internet. And what kind of data would this be? Way back in 1999, this article stated

In an effort to provide more complex network traffic analysis, Narus is introducing its semantic network traffic service. The company cites research which predicts the fast-growing ISP sector will become stagnant without the ability to offer differentiated services. In order to gain significant revenues from these services, a technology was necessary to allow usage based pricing.

"We realized that, at the heart of the data that is needed to accurately measure usage and enable 'pay-as-you-go' business models for Internet service providers, is what we call the 'semantics' of network traffic," said Ori Cohen, Narus' founder and chief executive officer.

"In short, by seeing the 'semantics' of network traffic, service providers can see 'inside' the data, providing much more detailed insight about the use of the Internet and the perceived value of specific applications than existing technologies allow."

Semantic Traffic Analysis uses network technology to consistently capture and analyze all IP data streams on heavily trafficked networks remotely and non-invasively. In addition, the semantics of the data stream are determined also, as well as the protocol used and the application taking place. A variety of other data is available as well.

Remember that semantics is not just the data, but rather the meaning of the data. It looks at the data in a more comprehensive way than looking for keywords. Each NarusInsight machine does this at 2500 million bits per second, in real-time.

You really wonder why BushCo doesn't want to talk about this stuff? It's the biggest invasion of privacy in history by several orders of magnitude.

How can we know? From Narus' Lawful Intercept and Regulatory Compliance page:

Explosive Internet growth in recent years has transformed worldwide communications, yielding tremendous efficiencies and benefits, as well as many risks.

For example, terrorist attacks around the globe have been carefully orchestrated through Internet-based forms of communications such as e-mail, messaging, hidden Web pages and now VoIP, forcing governmental organizations and law enforcement agencies to re-evaluate how they are providing public security as it becomes so much easier and faster to communicate electronically.

Recent mandates and the resulting standards referenced under CALEA in the United States and ETSI in Western Europe aim to preserve the right of law enforcement agencies to conduct authorized electronic surveillance in an effort to protect the public and its right to privacy. However, these mandates create IT headaches for carriers as they struggle to meet the requirements.

With a suite of products targeted at meeting lawful intercept requirements, Narus simplifies lawful intercept tasks helping carriers and agencies meet requirements without experiencing any degradation in service quality.  

Key benefits

-Packet-mode data intercepts for Service Providers and Carriers.

-Wireline to wireless and WiFi or dialup to broadband.

-"Instant Compliance" with CALEA and ETSI for simple, fast and hands-free compliance.

-Carrier-grade speeds, performance and scalability.

-Supports all of your services, out-of-the-box.

-Securely manages resources while simplifying audits and reporting.

-Network and vendor agnostic.

-Enables additional application for revenue generation or revenue protection.

This data flows right into NarusInsight Intercept Suite, which enables

Packet-level, flow-level, and application-level usage information is captured and analyzed as well as raw user session packets for forensic analysis, surveillance or in satisfying regulatory compliance for lawful intercept.

The Lawful Intercept module offers carriers and service providers compliance with regulatory requirements regarding lawful intercept. The Lawful Intercept module provides an end-to-end solution consisting of Administration, Access and Delivery functions. The Lawful Intercept module is compliant with CALEA and ETSI standards. It can be seamlessly integrated with third party products for testing/validation or as a complete law enforcement solution.

The Directed Analysis module seamlessly integrates with NarusInsight Secure Suite or other DDoS, intrusion or anomaly detection systems, securely providing analysts with real-time, surgical targeting of suspect information (from flow to application to full packets). The Directed Analysis module provides industry standard formats and offers tools for archival and integration with third party investigative tools.

These capabilities include playback of streaming media (i.e. VoIP), rendering of web pages, examination of e-mail and the ability to analyze the payload/attachments of e-mail or file transfer protocols. Narus partner products offer the ability to quickly analyze information collected by the Directed Analysis or Lawful Intercept modules. When Narus partners' powerful analytic tools are combined with the surgical targeting and real-time collection capabilities of Directed Analysis and Lawful Intercept modules, analysts or law enforcement agents are provided capabilities that have been unavailable thus far.

Imagine how great a tool "instant compliance" with the Communications Assistance for Law Enforcement Act could be with this kind of reach and detail. Especially if a secret Presidential Directive allows it to be used without the warrants required under the Act.

That's what it appears we are up against, folks. Real-time semantic data monitoring on a huge scale. A scale beyond what most of us can even comprehend. It's scary.

I think you're misinterpreting IPDR pretty dramatically. The way people I know use it is as a binary encoding for XML to speed up data processing, mainly in billing environments. You can get a dramatic performance boost (about 3 orders of magnitude) by switching from moving ascii-formatted data around to agreeing on a binary representation and then using it. The IPDR folks have standard libraries to enable automatic creation of those binary representations, and automatic negotiation of ascii vs binary communications for backwards compatibility with existing systems.

by silence on Mon Apr 10, 2006 at 06:37:44 PM EST
I've never heard of it before, so I went right to the source, ipdr.org. The quoted passage is directly from their faq, which I linked to. I'm not sure how that is misinterpreting IPDR.

by bewert on Mon Apr 10, 2006 at 06:53:08 PM EST
[ Parent ]
You're accurately quoting their FAQ, but what you're not picking up on is that the source of data is typically billing mechanisms, not intercepted data. I spent a couple days meeting with IPDR folks about the idea of incorporating their libraries into a product I was working on a couple years back, and that's pretty much all they talked about. (I wound up not using their libraries)

It's conceivable that somebody would use IPDR as a mechanism for storing, transmitting, and analyzing records about intercepted data -- the technology is pretty general-purpose -- but right now there's no evidence for that.

by silence on Mon Apr 10, 2006 at 07:09:21 PM EST
[ Parent ]

material and related.  

Do you recall after 9/11 that Amdocs came into the picture for some sort of spying scenario...?  Oh, yeah, maybe it was that Israeli art student thing that grew hot and then went desaparecido, seems as though that enters my fuzzy memory in context.  In any case, I believe that I recall Amdocs being tied into almost every telecom provider in the States.

It seems the 'revenue leakage' aspect of their service offering is an important part of Narus' story.  Perhaps it explains Amdocs' ubiquitous presence too.  

Billing World & OSS Today - April 2002 (print edition)
"The Internet Protocol Detail Record Organization (IPDR.org) announced that ACE*COMM, Amdocs, Convergys, Hewlett-Packard, Narus, NEC America and TSI have attained IPDR-compliant status by demonstrating their ability to exchange IP usage records utilizing the protocol in v2.5 of the Network Data Management - Usage Specification."

That capacity to do semantic analysis does make me wary of the massive data-monitoring ability that running it through their machines would seem to provide for.  

Lawful Intercept, hmmmm....  

Just who is it that thinks he's the law these days?  I think Scooter's in on that secret!  Please add any more that you might be able to on the semantic side of this picture.

Bewert, thank you for the informative post, very important stuff in my book.  Welcome aboard, we can always use added tech power brought to bear here.  I'm hoping to get enough time to begin and then advance discussion of the rewriting of the National Telecommunications Act being done under our very noses.  It's taking awhile but if you please, wade on in.


by luaptifer on Mon Apr 10, 2006 at 08:38:24 PM EST
[ Parent ]

EVERY manufacturer of communications equipment who sells to the US market has a lawful intercept capacity. The FCC spent a whole lot of time forcing communications carriers to put it in, and their requirements are completely nuts. The key word in the material you linked to was CALEA. There isn't anything which prevents those capabilities from being used for illegal surveillance, and a lot of the requirements are such that it would be difficult to spot such illegal surveillance — even for the administrators at a telecommunications company.

by silence on Mon Apr 10, 2006 at 08:49:04 PM EST
[ Parent ]
is not something I'd recoil from (don't know the specs here).  It's who now thinks he's the law and what that permits the force of his own 'assumed authority' to cause providers to do that is what really concerns me.  

Your portrayal of the problem, by the way, doesn't make me any happier :-(


by luaptifer on Mon Apr 10, 2006 at 09:45:46 PM EST
[ Parent ]

They were working on billing mechanisms that used semantic analysis to drive the billing. It's a short step to surveillance for national security or other reasons.

by bewert on Mon Apr 10, 2006 at 10:42:13 PM EST
[ Parent ]
figure it.  it ultimately goes back to the same character set they're reading, I have to figure.  

Perhaps with some intervening decryption for financial transactions so I'd assume not technicality but simply formality is the barrier between hypothetical and it really already happen(-ed?)ing.

that's the thing with these guys, formality's just a formality.


by luaptifer on Mon Apr 10, 2006 at 11:04:46 PM EST
[ Parent ]

Part of what's been going on has definitely been the examination of billing data kept by AT&T. That's not exactly a wiretap -- it's just ignoring the rules and "formalities" about what you're allowed to go and look at.

by silence on Mon Apr 10, 2006 at 11:54:26 PM EST
[ Parent ]
Are you saying the Internet Protocol Detail Record is not being used or is irrelevant in relation to the use of the Narus ST-6400?

Just want to make sure I'm following along in the discussion.

by susie dow on Mon Apr 10, 2006 at 07:04:53 PM EST

I'm saying that I don't think we've got evidence that they're using it for managing information about intercepted data. What they've actually got is a really neat library for converting XML records into a binary representation so that you can manipulate, store, and transmit them really efficiently. The library is general-purpose, so somebody who has an XML schema for storing their intercepted communications COULD be using it, but that would be like saying that the folks intercepting communications are using Word to write their memos in. IPDR's libraries and tools are remarkably general-purpose, and not nefarious in and of themselves.

by silence on Mon Apr 10, 2006 at 07:13:13 PM EST
[ Parent ]
This google cache is of an old Narus webpage describing NarusDA:Directed Analysis.
The NarusDA (Directed Analysis) product gives carriers, government agencies and organizations that protect sensitive networks the ability to conduct precise targeting and real-time delivery of raw network traffic for the reconstruction of one or more IP sessions.
<snip>
Intercepted data is processed by the processing layer where it is correlated, aggregated and delivered. The output of the processing layer consists of:

Metadata - providing summary information on captured packets for use in link state analysis. Output is offered in flat-file, XML or IPDR formats.
Packets - providing captured packets for use in investigation or forensics analysis. Output is offered in PCAP (tcpdump) format.
<snip>
Narus Directed Analysis allows precise targeting and real-time delivery of raw network data enabling the full reconstruction of one or more IP sessions.


In this case it looks like the IPDR is used as a standard format to deliver data. More from this related page.
IP Monitoring Overview
Packet-level, flow-level, and application-level usage information is captured and analyzed as well as raw user session packets for forensic analysis, surveillance or in satisfying regulatory compliance for lawful intercept.

The NarusLI (Lawful Intercept) product offers carriers and service providers compliance with regulatory requirements regarding lawful intercept. NarusLI provides an end-to-end solution consisting of Administration, Access and Delivery functions. The NarusLI product is compliant with CALEA and ETSI standards. NarusLI can be seamlessly integrated with NarusForensics for testing/validation or as a complete law enforcement solution.

The NarusDA (Directed Analysis) product seamlessly integrates with NarusSecure or other DDoS, intrusion or anomaly detection systems, securely providing analysts with real-time, surgical targeting of suspect information (from flow to application to full packets). NarusDA provides industry standard formats and offers tools for archival and integration with NarusForensics or other 3rd party investigative tools.

These capabilities include playback of streaming media (i.e., voip), rendering of web pages, examination of e-mail and the ability to analyze the payload/attachments of e-mail or file transfer protocols. The NarusForensics product offers the ability to quickly analyze information collected by NarusDA or NarusLI. When the powerful analytic tool of NarusForensics is combined with the surgical targeting and real-time collection capabilities of NarusDA or NarusLI, analysts or law enforcement agents are provided capabilities that have been unavailable thus far.

Customers
Carriers and Governments have deployed Narus around the world to protect their countries and infrastructure.

So to me it seems that the raw data is converted into IPDR-compliant data for further analysis.

This is all legal up to a certain point, and even more so with a warrant. But the potential for harm is clear. If they are targeting your IP address, they can save and review everything that goes back and forth from and to your computer, as well as the IP addresses that you are communicating with.

And thinking back to Orrin Hatch's questions during a Senate Judiciary hearing on this, to the panel including NSA folks, he came very close to stating this type of mechanism was being used and then backed away, saying it was classified info. Remember that Orrin is one of the Group of Eight that has been briefed on the program.

by bewert on Tue Apr 11, 2006 at 06:56:07 AM EST
[ Parent ]

The other formats are widely recognized file formats. Tcpdump was the first widely used sniffer, showing up in academic papers and books, and then subsequently used by network administrators and by engineers. The capture file format tcpdump uses is supported by just about every analysis tool out there.

I've used it periodically while debugging network protocols.

It sounds like the Narus gear segregates material about a single individual, and then provides individual capture and meta-data for that individual's sessions. There's legitimate use for that kind of product, both for engineers trying to debug problems on heavily used networks, and for lawful intercept, and the switch to illegal interception is just a matter of getting somebody to go and do it.

by silence on Tue Apr 11, 2006 at 10:20:24 AM EST
[ Parent ]
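The layer 4 versus layer 7 distinction from the post, and the "Metadata" versus "Packets" outputs quoted in this thread, worked through on a tcpdump-format capture. This is an added example, not part of the original post or comments and not Narus code; the capture is constructed in memory, and the function names, addresses and hostname are illustrative assumptions.

```python
import socket
import struct

ETH = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"  # dst, src, IPv4

def _ipv4(proto, src, dst, l4):
    # IP checksum left at 0: the parser below does not validate checksums.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + l4

def build_sample_pcap():
    """Constructed capture: one HTTP request over TCP and one opaque UDP datagram."""
    http = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + http
    blob = bytes(range(32))
    udp = struct.pack("!HHHH", 40000, 40001, 8 + len(blob), 0) + blob
    frames = [ETH + _ipv4(6, "192.0.2.10", "198.51.100.20", tcp),
              ETH + _ipv4(17, "192.0.2.10", "203.0.113.5", udp)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1144700000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield each captured frame from a classic (microsecond) pcap file."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            break  # capture cut off mid-record: stop rather than parse a partial frame
        yield data[off:off + incl_len]
        off += incl_len

def layer4_view(frame):
    """Return (flow 5-tuple, payload) using headers only, or None if not IPv4 TCP/UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    segment = frame[14 + ihl:14 + total_len]
    if proto == 6 and len(segment) >= 20:
        name, header_len = "TCP", (segment[12] >> 4) * 4
    elif proto == 17 and len(segment) >= 8:
        name, header_len = "UDP", 8
    else:
        return None
    sport, dport = struct.unpack("!HH", segment[:4])
    return (name, src, sport, dst, dport), segment[header_len:]

def layer7_view(payload):
    """Classify by reading the payload itself; only an HTTP request line is recognised."""
    lines = payload.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return {"app": "unknown"}
    host = ""
    for line in lines[1:]:
        if line.lower().startswith(b"host:"):
            host = line[5:].strip().decode("ascii", "replace")
    return {"app": "HTTP", "method": parts[0].decode("ascii", "replace"),
            "path": parts[1].decode("ascii", "replace"), "host": host}

def analyze(pcap_bytes):
    """Return (flow metadata keyed by 5-tuple, list of application-layer records)."""
    flows, apps = {}, []
    for frame in read_pcap(pcap_bytes):
        view = layer4_view(frame)
        if view is None:
            continue
        key, payload = view
        stats = flows.setdefault(key, {"packets": 0, "payload_bytes": 0})
        stats["packets"] += 1
        stats["payload_bytes"] += len(payload)
        if payload:
            apps.append(layer7_view(payload))
    return flows, apps

if __name__ == "__main__":
    flows, apps = analyze(build_sample_pcap())
    for key, stats in flows.items():
        print("L4 metadata:", key, stats)
    for record in apps:
        print("L7 content: ", record)
```

The flow table is built from fixed-offset header fields alone, while the application record exists only because the payload bytes were read and parsed, which is the step that separates a usage record from content inspection.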

Their targeting capability makes it easy to grab an individual's datastream and save it for later review. It's a very simple thing to abuse. And if past actions are any indication, the warrantless actions will quickly be expanded to cover drug dealers and other common criminals once their legality is legislated.

I dug up the transcript of that Senate Judiciary hearing for our review. Here is the relevant section (I've highlighted interesting parts):

HATCH:<snip> Now, let me just ask one more question. And I appreciate the distinguished chairman giving this opportunity. And again, I'll direct it to you, Judge Kornblum, and I would appreciate anything any of the rest of you tremendous judges would care to add. I'd just like some clarification on a few points. Based on your understanding of the law, if the government obtains information through the NSA program, do you believe as a matter of law that this information can be used in support of applications for a court order under the FISA statute? And do you believe that any fruit of the poisonous tree arguments are valid? In other words, if they actually obtain information that would support applications for a court order under the FISA statute, would the fruit of the poisonous tree arguments be valid against that information?

MR. KORNBLUM: I think the answer to both questions is yes. As we did in the Ames (ph) case, we explained to the FISA Court that Attorney General Reno had approved six warrantless searches of Ames' home and office at the CIA, and we did that in conjunction with the applications for continued electronic surveillance of Ames, because the FISA statute at that time didn't permit surreptitious searches. The court considered it and approved the electronic surveillances. Ames never went to trial. He decided to plead guilty rather than have his wife face imprisonment. If he had gone to trial his attorney, Plato Kucheros (ph), would undoubtedly have challenged all of the evidence obtained in the warrantless searches. My personal belief is that when I persuaded Attorney General Reno to authorize the warrantless searches, she was doing so lawfully under the Truong-Humphrey line of cases in the Fourth Circuit. And of course, Ames lived in northern Virginia, which was in the Fourth Circuit. So you had a situation where, in the Ames case, you had warrantless electronic -- I'm sorry, warrantless physical searches approved by the attorney general in full conformity with the law in the eastern district of Virginia. And at the same time, you had FISA surveillances authorized by the FISA Court. I think both would have been sustained, but there's an important difference between them. During the course of the trial, the FISA information and FISA applications would have been protected from discovery, because FISA has that protective mechanism in it. Defense lawyers never get to see FISA applications. On the other hand, the warrantless searches authorized by Attorney General Reno would have been subject to full discovery and whatever paperwork Attorney General Reno saw. 
What I had submitted to her would have been subject to disclosure and used by the District Court in the Eastern District of Virginia to determine whether the surveillances were lawfully authorized and conducted pursuant to the pre-FISA standard, even though it was conducted after FISA came into law, because the warrantless search was not available to the government in the FISA statute.

In the context of the present situation, the warrantless collections now being done by the president would be subject to the same discovery. That is, whatever legal mechanism was being authorized or was being followed to authorize the collection, if the president wanted to go forward with prosecution and use that evidence at trial, it'd be subject to the federal rules of criminal procedure to the normal discovery. If the president --

SEN. HATCH: So there would be definitely be protections for individuals?

MR. KORNBLUM: Well, you have the Classified Information Procedures Act to deal with that. And if the situation became unbearable, the president can always withdraw prosecution or exert the state secrets privilege to protect military --

SEN. HATCH: But in either event, that would be a protection of the person accused.

MR. KORNBLUM: Yes. Well, the State Secrets Act would in effect end the prosecution.

SEN. HATCH: Sure.

MR. KORNBLUM: But the federal rules of criminal procedure would protect any defendant charged with evidence collected in the program.

SEN. HATCH: Do you mind, Mr. Chairman, if I ask just two more questions?

SEN. SPECTER: Do I mind if you ask two more questions?

SEN. HATCH: If you do, I won't.

SEN. SPECTER: I've already opened the door. Ask all the questions you want, Senator Hatch.

SEN. HATCH: Oh, I'm just beginning then. No, I'm just kidding, I have two more. And please, any of the judges, the other judges who care to comment, I'm not meaning to just make this a dialogue between the two of us --

SEN. SPECTER: You want two more questions, and how many more answers? (Laughter.)

SEN. HATCH: Well, anybody who feels like they should, I'd be happy to listen to, and I'm sure you would too. Judge, do you believe that information obtained under the NSA program may be legally used in support of an application for a Title 18 warrant, where you believe one of the parties has been determined to be an al-Qaeda affiliate, but is a suspected common -- has not been determined to be an al-Qaeda affiliate, but is a suspected common criminal, say, such as a drug dealer?

MR. KORNBLUM: Well, any determination like that that is faced by a district judge in trial is going to be decided under the federal rules of criminal procedure and the protective mechanisms of the Classified Information Procedures Act. There's no way to predict what the facts are, and a district judge would be faced with making that decision.

SEN. SPECTER: Well, under Senator Hatch's hypothetical, if one of the parties to the conversation is not al-Qaeda, that's outside of the president's purview. The attorney general hasn't told us much, but he has told us that one of the persons, U.S. persons -- one party to the conversation is in the United States and one is overseas, but at least one is al-Qaeda. So when Senator Hatch poses a hypothetical that neither is al-Qaeda, how could that be justified under the president's program?

SEN. HATCH: Well, even if one is al-Qaeda, the foreigner calling into the country, but talks to a common criminal, can that be used against the common criminal?

SEN. SPECTER: Well, you've changed the hypothetical now to make one al-Qaeda.

SEN. HATCH: Okay, okay. I kind of thought that was implied.

MR. KORNBLUM: Well, whatever the facts are, the standard followed by the district judge is going to be that enunciated in the pre-FISA decisions. That is --

SEN. HATCH: In other words, the criminal will have some element of protection from a civil liberties standpoint.

MR. KORNBLUM: I would think the answer is yes, that a district --

SEN. HATCH: The answer is yes.

MR. KORNBLUM: That a district judge would protect his liberties, and he's going to be bound by the judicial decisions which define the president's power.

SEN. SPECTER: Well, how can the criminal have protection when the wall is down, and the law's established that if you have a foreign intelligence warrant and incidental to that there is evidence of a crime, that it's useable? That's the current status of all.

SEN. HATCH: No, but I'm talking about using the current warrantless surveillance.

SEN. SPECTER: You're talking about what, Senator Hatch?

SEN. HATCH: Warrantless surveillance. The warrantless surveillance.

MR. KORNBLUM: Well, to be admissible --

SEN. SPECTER: Let's see if we can bring this to a close, Judge Kornblum. If you'll answer this question.

MR. KORNBLUM: To be admissible, the evidence would have had to have been lawfully seized or lawfully obtained, and the standard that the district judge would use is that, depending upon where this is, is the law in his circuit. In most of the circuits, the law is clear that the president has the authority to do warrantless surveillance if it's to collect foreign intelligence and it's targeting foreign powers or agents. If the facts support that, then the district judge could make that finding and admit the evidence, just as they did in Truong-Humphrey.

SEN. SPECTER: Senator Hatch, I'm delighted to have a few comments, but we're now over 10 minutes and we have another panel.

SEN. HATCH: I'm happy to discontinue any further questions.

SEN. SPECTER: Before you leave, Senator Hatch, I want to cover one point in your presence. And that is, you have been privileged to have been briefed, because you're on the subcommittee, and when you say that you believe it's constitutional under the Fourth Amendment. I have a lot of respect for your legal judgment, and I was once an advocate for you for the Supreme Court. But under the doctrine of separation of powers, you are not a judge.

SEN. HATCH: That's true. And I may very well be wrong.

SEN. SPECTER: Well, you may be right or you may be wrong, judges are sometimes right and sometimes they're wrong. But our system is that the judges make determination of constitutionality, senators don't. Even super lawyer senators like you, Senator Hatch. You don't make decisions on constitutionality.

SEN. HATCH: Well, we make them every day. The problem is that they may not be worth the decision making paper that we write them on.

SEN. SPECTER: Well, I think they're very valuable, but it violates the principle of separation of powers. Senators are not judges, and to submit the program to the Intelligence Subcommittee and in the context of the statute proposed, to have 45 days of free rein for the administration, then at the end of 45 days if there is sufficient probable cause going to the FISA Court, but if there's not, to go to the subcommittee. I don't know exactly what the subcommittee does at that point.

SEN. HATCH: Well, let me just say this much. The administration, rightly or wrongly -- and that may have to be determined by the courts in the final analysis -- decided -- the president decided that this program had to be reauthorized every 45 days, that the chief judge of the FISA Court was informed, the next chief judge of the FISA Court was informed, eight top members of the Congress were informed on the program. And the question is, is that enough information to be able to resolve the conflict in favor of the president's argument? It may take the courts to decide that, but I see plenty of concern here on the panel that you may not yourselves how that should be decided at this particular point. The fact of the matter is that we've had people who have been hotly criticizing the president for doing what the president feels he had to do to protect our nation and protect our people from terrorism that could amount to very serious consequences, even worse than 9/11. And these are very important issues. The distinguished chairman, of course, is trying to come up with a statute that the president will be happy to comply with, that will solve the problems and the deficiencies of the current 1978 FISA statute. I commend the chairman for that, and I'm certainly going to try and help him on that. And I commend all of you for being as cautious as you are on just how all of this is going to come down in the end. So, Mr. Chairman, I just want to thank you for allowing me to have this little extra time, I know I've taken more than I should have, but I just want to again express my respect for all of you and what you've had to say here.

SEN. SPECTER: Well, let me make one more comment, Senator Hatch, before you go.

SEN. HATCH: Sure.

SEN. SPECTER: And that is that if there is an order by the FISA Court that the president feels is wrong and needs to act against, he can get a supersedeas until there is an appeal. It's discretionary with the FISA court, but you would expect in an emergency situation there'd be a supersedeas. And then you'd have an appellant court for FISA. And then if you don't like what the appellant court does, you can get another supersedeas and go to the Supreme Court. But when the court has ruled, if I understand Judge Kornblum correctly, the president can't disregard it. When the court makes a determination on constitutionality and you go up the line and you get to the Supreme Court, that's that. Don't you agree, Judge Kornblum?

MR. KORNBLUM: Yes, I do.

SEN. SPECTER: That's Marbury v. Madison, 1803. Been followed once or twice. Well, I'm going to go onto some other lines of questioning, Senator Hatch.

SEN. HATCH: Well, just one last point on that.

SEN. SPECTER: I doubt it, but go ahead. (Laughter.)

SEN. HATCH: Judge Kornblum also indicated that the president may be faced with a situation because of time constraints and so forth that isn't just a yes here. Where he may have to just act in the best interests of the country, that may be upheld by the courts or may not be. I don't know. And neither does anybody else here today. But I'll tell you one thing, I want my president acting -- as long as it's clear that they've done everything they can to comply with the law, and where they feel that they have this obligation under Article 2 of the obligation, I would want my president to protect us.

SEN. SPECTER: Well, let's --

SEN. HATCH: I think that's the position they've taken down there, rightly or wrongly -- I personally believe rightly.

SEN. SPECTER: Well, when you say act, do you customarily mean some response if the country's in jeopardy, then of course the president should act. If you're talking about gathering additional intelligence, the president can do that too. And he has 72 hours to go to the court. And if he has acted in a way that the court later says is illegal, he's gotten the information, he's acted. And he has that authority under an emergency situation.

SEN. HATCH: All I can say is it's a little bit different in this situation, from what I know about it.

SEN. SPECTER: Well, Senator Hatch, would you be willing to be a witness, so we can really find out what's going on here? (Laughter.)

SEN. HATCH: I think that's what I've been maybe doing. I don't know. I apologize to the chairman.

Note especially the references to "the warrantless collections". That would seem to be exactly what the Narus machines do.

by bewert on Tue Apr 11, 2006 at 11:51:28 AM EST
[ Parent ]

Digging back at my old emails, we actually had one kind of odd request from the lawful intercept people in August of 2002. The maintainers of the TAP MIB were looking for a mechanism to prevent sysadmins from seeing what was being tapped. I recollect, but can't find documentary evidence for, the notion that there was also some kind of problem with hostile sysadmins disabling wiretaps.

I wound up sending an email explaining that a threat model which involved a hostile sysadmin wasn't one you could reasonably defend against, and holding a meeting to explain the various ways that sysadmins with administrative remote access and physical local access could mess with you pretty much no matter what you did. I don't believe equipment sold by my employer (a major communications equipment manufacturer) ever incorporated make-wiretapping-invisible-to-ordinary-sysadmins features as a result.

I'm wondering if this somehow indirectly led the NSA to choosing a somewhat obscure equipment vendor, and to place the equipment in its own room, so that the ordinary sysadmins wouldn't have physical access to it.

by silence on Tue Apr 11, 2006 at 01:12:25 PM EST
[ Parent ]

feeling a "bingo" moment here -- small equipment manufacturer, controlled access away from sysadmins...

by Cho on Tue Apr 11, 2006 at 01:23:31 PM EST
[ Parent ]


by bewert on Tue Apr 11, 2006 at 01:58:01 PM EST
[ Parent ]
Digging up my old notes, from Feb. 2002, I note that back then, they could only handle ~20,000 transactions/second. Fast, when compared with XML processing, and fast enough for handling billing for a communications switch, but not fast enough to handle the kind of massive data output you'd get from one of these massive interception engines.

by silence on Mon Apr 10, 2006 at 07:32:21 PM EST
[ Parent ]
So what exactly are they doing with the data? What is the point ultimately?

Surveillance, yes...but to what end? What would be the ultimate goal?

by susie dow on Mon Apr 10, 2006 at 08:00:47 PM EST

Isn't the pertinent point that the act itself of collecting this data in a wholesale manner from U.S. citizens is illegal?  Or am I looking at this incorrectly?  

by standingup on Mon Apr 10, 2006 at 08:19:41 PM EST
[ Parent ]
This kind of wholesale interception of communications by US citizens by the US government is illegal.

by silence on Mon Apr 10, 2006 at 08:24:03 PM EST
[ Parent ]
That seems to be the big unanswered question. It's easy to label everything as National Security but what if the intent is nothing more than political?

For instance, determining sources of certain types of information and then blocking them. I'm thinking of the phone jamming but taken to a new extreme.

by susie dow on Mon Apr 10, 2006 at 09:34:05 PM EST
[ Parent ]

From what I've been able to tell, the system they're using is entirely passive.

by silence on Mon Apr 10, 2006 at 11:53:13 PM EST
[ Parent ]
From the current Discover Suite page:
The VoIP detection application module of NDS provides carriers and service providers the ability to detect VoIP traffic and understand the impact on their networks and businesses. It enables them to address unauthorized or bypass VoIP traffic (i.e., revenue leakage) by billing for, or blocking, re-directing and re-prioritizing, them.
<snip>
The Skype detection application module of NDS provides carriers and service providers the ability to detect Skype and understand the impact on their networks and businesses. It enables the monitoring, blocking, re-direction or re-prioritization of Skype traffic.

It would seem that once the ability to block some traffic is there, it could easily be expanded to block virtually anything desired.

by bewert on Tue Apr 11, 2006 at 12:00:37 PM EST
[ Parent ]

You can use the equipment for blocking stuff -- that's critical for preventing DDOS attacks. But if you're using IPDR for tracking, it's not a real-time system, and you won't be able to reliably block stuff.

by silence on Tue Apr 11, 2006 at 01:51:54 PM EST
[ Parent ]
They have other real-time tech. Best I can figure out from the public info is that IPDR is a wrapper of sorts for saved IP data streams, which would make sense from what I have read about it. It's extensible and so could be upgraded with surveillance options specifically for the NSA by Narus. I'm not sure. I'm not sure whether that would be required to be made public in IPDR.org

by bewert on Tue Apr 11, 2006 at 02:01:22 PM EST
[ Parent ]
Sure, if you were routing though the Narus gear, but that's not what they're doing. The Wired article describes the configuration as:
"While doing my job, I learned that fiber optic cables from the secret room were tapping into the Worldnet (AT&T's internet service) circuits by splitting off a portion of the light signal," Klein wrote.
That wouldn't give them the capability to block stuff. They'd have to terminate the cable at a Narus box, and then have a new connection coming out the other side. What it sounds like they're doing is splitting off some of the light, and sending it to the Narus gear. That gives you an intercept-only capability, not the ability to block services or launch man-in-the-middle attacks.

by silence on Tue Apr 11, 2006 at 02:11:15 PM EST
[ Parent ]
When I brought up blocking access earlier, my thoughts were more along the lines of using the technology to identify WHAT needs to be blocked.

HOW it would be blocked would be another matter entirely and I assume would require much different technology.

The thing about using the technology to identify the transmission path of a particular type of message is they can aim for any point along the path to interrupt. And continue aiming until they have shut down the communications' path within that particular group.

Yes, there would be collateral damage. But if the intent was to stop a TYPE of communication vs communication from say just one person, then real time would not be an issue at all having already identified the route along which a type of communication will travel.

I hope what I've written makes sense.

As an example...the phone jamming in NH. Their idea was to interfere with people who wouldn't vote for Bush from getting to the polls. So they blocked calls to places offering rides to Dem leaning voters by jamming the phone lines with too many calls.

All they did was focus their attention on interrupting a part of the path to voting not the whole path itself.

And that's why the Narus technology that is being discussed here has me worried.

 

by susie dow on Tue Apr 11, 2006 at 04:19:41 PM EST
[ Parent ]

It is indeed possible that you could use something like this to identify places to launch DDOS attacks against. That said, the sort of equipment that they're using here isn't cheap. It would be much cheaper and easier to figure out what to block by sending out people to sign up for mailing lists, infiltrate organizations, and get your data that way.

by silence on Tue Apr 11, 2006 at 04:32:11 PM EST
[ Parent ]
What if the CIA black-ops are making enough money in the drug trade anymore.

Once upon a time there was a theory that if you could make trades fast enough, you could become rich.  And some people did and more people did and more people until Black Thursday.

What if this is about financial data.  What if the NSA has become day traders.  You are talking about datamining insane amounts of int'l calls, domestic business calls.  What happens when there is a 100% increase between CEOs of Verizon & MCI?  Maybe a buy-out.  Or even email filtering looking for financial info.

At any rate, I think the whole "phone record" story was leaked on purpose to cover up the real story about the hidden rooms. The NSA wouldn't need to get phone records from MCI. They probably already had their database accessed. What they did was secret surveillance with ever-upgrading technology, that could soon filter and store speech, email, VOIP in real-time.

by intranets on Wed May 17, 2006 at 11:45:17 AM EST
[ Parent ]

In the 1990s, a second-generation #4ESS switch was developed. The advancements over the original #4ESS are not known.

The last #4ESS was installed in suburban Atlanta, GA in 1999 as a toll tandem for AT&T. At the peak (1999), there were 145 #4ESS switches in the AT&T long-haul network, with several owned by various Regional Bell Operating Companies (RBOCs). As time goes on, AT&T is replacing or supplementing their #4ESS toll tandem switches with #5ESS switches, which are of a much advanced design and are used as "edge" switches in the network. Most RBOCs who used #4ESS tandems have replaced them with #5ESS switches and/or tandems of other manufacturers (e.g. Nortel). As of 2006, AT&T still operates and maintains approximately 100 #4ESS switches in the public switched telephone network.

AT&T Technical Journal

Not as technical as the old B.S.T.J. nor understandable as the old Bell Laboratories Record, the AT&T Technical Journal does come up with some fascinating articles. No. 73 was on AT&T switches. The 5ESS-2000 and the 4ESS were both reviewed along with a lengthy discussion of how cellular and PCS calls are switched.

Wonder if anyone can find this issue?

by intranets on Wed May 17, 2006 at 07:10:29 PM EST

digiblade: How the NSA Conducts Wiretapping: Introducing The Narus ST-6400 and NarusInsight by Narus Ltd.

Not sure if this is linked here or not, but it follows this same line and then some.
by wanderindiana on Wed May 17, 2006 at 10:41:42 PM EST

on narus.com 10/2002
Narus Mediation Platform Selected by T-Mobile for its GPRS Service
T-Mobile is using the Narus convergent OSS mediation platform to track usage activity for its newly launched GPRS services in the US. The Narus platform handles the mediation of all Call Detail Records (CDRs) and other network information from numerous sources to provide T-Mobile with information needed to deploy new services. Narus gathers data from the various mobile network devices and filters and aggregates the data into billable information. Narus also recently announced its MobileSight product and selection by France Telecom's Sofrecom unit as its standard for deploying mobile mediation solutions.

and this gem
http://www.cedmagazine.com/article/CA247984.html

Narus' Hunter agrees that cable operators that collect information as part of their efforts to boost network efficiency and capabilities will have to deal with perception problems rightly and wrongly tied to privacy issues. They'll have to help customers understand that Big Brother isn't lurking on the other side of their cable modems.

"Yes, we see every packet that passes by, and at the edge we get rid of some information," Hunter says. "We don't collect the file itself. We don't know what's in an e-mail, for example. We throw out that information."

Instead, Narus collects data to drive the business side of the equation, Hunter adds. Instead of the content of a specific e-mail, Narus' software can discern how many e-mail messages were sent.




by intranets on Thu May 18, 2006 at 05:58:21 AM EST
