Ex AT&T Tech Says NSA Monitors All Web Traffic

Sir Tandeth writes "A former technician at AT&T, who alleges that the telecom giant forwards virtually all of its internet traffic into a 'secret room' to facilitate government spying, says the whole operation reminds him of something out of Orwell's 1984. Appearing on MSNBC's Countdown program, whistleblower Mark Klein told Keith Olbermann that all Internet traffic passing over AT&T lines was copied into a locked room at the company's San Francisco office — to which only employees with National Security Agency clearance had access. 'Klein was on Capitol Hill Wednesday attempting to convince lawmakers not to give a blanket, retroactive immunity to telecom companies for their secret cooperation with the government. He said that as an AT&T technician overseeing Internet operations in San Francisco, he helped maintain optical splitters that diverted data en route to and from AT&T customers. '"

I've read about this before.

[morgan_greywolf]

You can read Klein's April 2006 statement in his own words here [wired.com] and there are pictures of the secret room at AT&T here [wired.com].

Very scary stuff.

Re:Encrypt

[Conception]

Actually, the constitution isn't clear on this issue. In fact, it's clear on very few.

Re:Encrypt

[644bd346996]

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Clear enough? No warrant, no searches or seizures of my stuff. They are particularly prohibited from searching through all of my correspondence without a warrant.

Re:I've read about this before.

[morgan_greywolf]

Well, it seemed like the last time I looked at those pictures, there were more of them. Of course, they were of the outside of the secret room, and not of the inside, but anyway, there were more. My tinfoil hat is going on now.

Re:Encrypt

[neoform]

Who do you think controls the root DNS servers?

If you're using public key encryption, it isn't that much work for telcos to act as an encryption proxy to whomever you're connecting to, which pretty much kills any encryption you're using.

Only true way to stop spying is shared key encryption, which is completely unrealistic for broad use.

Re:Anything about this in AT&T Privacy Stateme

[MobyDisk]

We already have [eff.org].

Son of carnivore.

[Anonymous Coward]

Or grandson of carnivore. [wikipedia.org] My guess: Log all traffic and then they have a record when someone becomes "interesting."

Re:Encrypt

[Shimmer]

The insufficiency of analogy to more traditional means of communication (postal service in sealed envelopes, telegraph, town crier, word of mouth, whatever) is sufficient demonstration that the constitution is unclear on these matters.

Fine. Have you by any chance ever read the 10th Amendment?

The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

In other words, if the Constitution is unclear and there is no relevant law then the Federal Govt. has no power whatsoever to intercept our Internet traffic.

Re:Pure FUD. Need more information.

[statemachine]

Then read the article. AT&T used optical splitters which means that the NSA got a copy of everything that crossed AT&T.

Oops, I just noticed you were modded flamebait, and rightfully so. FUD applies more to your post than the article.

Re:Encrypt

[11223]

I'm afraid you do not understand how public key crypto works. If Alice has Bob's key and has personally verified that the signature of the key, communication between Alice and Bob is secure so long as the "hard problem" that the cryptosystem depends on (e.g. discrete log for RSA) is not broken. There is no proxying which can take place; Alice encrypts her traffic with Bob's public key before sending it to him.

Is it possible you've confused public key cryptosystems in general with systems based on Diffie-Hellman key exchange that provide protection against eavesdroppers but not man-in-the-middle attacks?

Re:Encrypt

[neoform]

All digital signatures need to be verified with someone..

If you're the government, how hard do you think it would be to tamper with those signature databases to make them match the man in the middle?

RSA signatures work against your run-of-the-mill hacker, but does not stop telcos/gov from doing this.

Re:I've read about this before.

[erroneus]

Oh yeah? Go take pictures of important buildings in the middle of the day across town and see if you don't get questioned by the police after a few hours?

Not as Hard as You Think

[twifosp]

To all the posters saying this would be too difficult to monitor and analyze:

No it wouldn't. It's called sampling. Red flags and segmenting certain layers and patterns. You don't have to store a fraction of the traffic data to analyze it and store what you need.

I won't say what I do, but I do it for a fortune 50 company, and I personally analyze an obscene amount of internet traffic. I do all this with a few servers and a workstation. Now I can honestly I say I have probably analyzed .5% of the internet's traffic (doesn't sound like much, but it is). With the differnet software we use and the relatively small amounts of hardware we use, I can easily imagine scaling that to 100% without too much problems. You'd need a lot more people, better alogorithms, and much more processing and storage space. But it's definitely possible.

And you don't even need to do 100%. As I pointed out before, you can segment your data and sample it for what you are looking for. Or data mine samples if you don't know what you are looking for. Find the flags you want, and apply that accross the whole traffic spectrum.

Pretty scary. Allthough my first thought is that this is used for counter-terrorism activities, I can't help but think that's instead used for political purposes as well. Who knows. Big brother indeed.

Yes and no.

[Anonymous Coward]

Most of it's due to this guy [wikipedia.org].

Sadly most of his ideas are closely mirrored by the apocalyptic christian evangelicals (misnomer admitted)

Re:Encrypt

[Chris Burke]

I'm afraid you do not understand how public key crypto works. If Alice has Bob's key and has personally verified that the signature of the key, communication between Alice and Bob is secure so long as the "hard problem" that the cryptosystem depends on (e.g. discrete log for RSA) is not broken. There is no proxying which can take place; Alice encrypts her traffic with Bob's public key before sending it to him.

The first bold part is what commonly makes the second bold part untrue.

Unless Alice has personally verified that the key she has is in fact Bob's key and vice versa, then she doesn't know for sure that it's Bob's public key that she's using. If Alice just get Bob's public key off the internet itself, then Alice doesn't know that it was Bob Alice was talking too and it may actually be Charlie's public key that she received. If it is in fact Charlie's public key, then Charlie can act as a man-in-the-middle. Alice unknowingly sends a message to Charlie with Charlie's public key, he decrypts it, re-encrypts it with Bob's public key, then sends it on to Bob. Neither will ever know.

People get around this by using certificates which come from a Certificate Authority whom they trust and who verifies that the keys you received are really Bob's keys and not Charlie's. The same problem shows up here, though, since at the point where Alice is communicating with the certificate authority over the internet, the CA is basically Bob and she's in the same boat.

People get around this part of the problem by having the Certificate Authority's keys hard-coded inside their browsers and OSes. There are two problems with this, one general and the other specific. The general problem is that if you get your browser over the internet, once again you can't be sure that the CA's key is really the right key and that the MD5 hash is really the MD5 hash of the unmodified browser. The specific problem is that this whole article is about the government getting telecom companies to cooperate with their spying programs. The Certificate Authority's usually fall into that category, and it would be naive to assume that they haven't handed over to the government their private keys, in which case NSA-Charlie doesn't even need to feed you a fake CA key somehow, he can just flat out pose as CA-Bob.

It is fundamentally impossible to share cryptographic keys securely over an insecure communication network. This is known as "the key exchange problem", and it's really, literally, impossible to fix. The only way to truly be secure when exchanging keys is for Alice and Bob to step outside the insecure network and physically meet in person, and exchange keys and verify that the other person has the correct key.

So if you're really so paranoid that you feel you must encrypt all your communications to keep the government from spying on you, just remember this, and find an off-line way to exchange public keys with everyone you wish to talk to.

Re:I've read about this before.

[NoData]

Also, good interview with Mark Klein on NPR's All Things Considered.
http://www.npr.org/templates/story/story.php?storyId=16088947&ft=1&f=1 [npr.org]
One thing he mentions: The NSA likely has installations like this maybe a dozen of locations around the country.

Obligatory....

[Anonymous Coward]

NSA monitors internet in America? In New Soviet America, internet monitors YOU.

Sorry, couldn't resist.