[liberationtech] NSA Laughs at PCs, Prefers Hacking Routers and Switches

Scott Helms khelms at zcorum.com
Thu Sep 5 14:02:39 UTC 2013

The last paragraph in the post is the most important, but it invalidates
the rest of the post.  Core routers are a terrible intercept point because
of load and the sheer amount of packets they process and they are also MUCH
more likely to be running up to date firmware than a router in an edge
network where the main technical person is primarily a Windows/Exchange
admin.  The problem with recording "everything" is that its not feasible
and the idea that all/most/many core routers are merrily sending a copy of
all packets to some external storage facility is demonstrably false.  If
you want to record flows that's a bit more technically (and legally in the
US since its meta-data) feasible, but again netflow traffic from
all/most/many core routers is extremely hard to hide on a 24/7 basis and
again is demonstrably false.

Its far easier (technically and legally) for the NSA to have a directory of
devices they can tap on demand without the knowledge of the owners either
through unpatched security flaws, cooperation from the carrier, or
intentionally built back doors.  Its also more feasibly for them (and we
have good evidence this has happened) to directly mirror the layer 2
traffic on some of the largest backbone networks.  This of course allows
them to passively listen without impacting the core router, but that
approach is quite difficult to leverage when you're trying to target a
specific person or organization since the volume of unimportant information
so greatly exceeds the targeted information.

Scott Helms
Vice President of Technology
(678) 507-5000

On Thu, Sep 5, 2013 at 7:20 AM, Eugen Leitl <eugen at leitl.org> wrote:

> ----- Forwarded message from liberationtech at lewman.us -----
> Date: Wed, 4 Sep 2013 22:27:46 -0400
> From: liberationtech at lewman.us
> To: liberationtech at lists.stanford.edu
> Subject: Re: [liberationtech] NSA Laughs at PCs, Prefers Hacking Routers
> and Switches
> Organization: The Tor Project, Inc.
> X-Mailer: Claws Mail 3.9.2 (GTK+ 2.24.20; x86_64-pc-linux-gnu)
> Reply-To: liberationtech <liberationtech at lists.stanford.edu>
> On Wed, 4 Sep 2013 20:33:09 -0400
> Robert Guerra <rguerra at privaterra.org> wrote:
> >
> > Curious on people's comments on  types of routers, firewalls and
> > other appliances that might be affected as well as mitigation
> > strategies. Would installing a pfsense and/or other open source
> > firewall be helpful in anyway at a home net location?
> When I read this article, I read core routers and switches at ISPs,
> like Cisco, Juniper, F5, etc. I don't read this as linksys, dlink,
> netgear, etc. I'm sure NSA could crack into anything consumer
> level with ease, it's likely any 4-bit criminal could do it too.
> However, it makes more sense for NSA to watch the core connectivity
> points on the Internet, rather than watching individuals, solely from
> an economic effort versus benefit point of view.
> When I ran global networks, one can record everything and sort out the
> individual streams later to find employees doing various layers of
> fraud or not. There was no point in watching the end points because it
> was too resource intensive.
> I'm sure the NSA has analyzed this and come to the same conclusion.
> There's no point in going after tens of millions of endpoints, when you
> can own them all with a handful of switches.
> A counterpoint is that most core Internet routers and switches are
> running at capacity and any monitoring affects quality of service and
> gets customers complaining.
> --
> Andrew
> http://tpo.is/contact
> pgp 0x6B4D6475
> --
> Liberationtech is a public list whose archives are searchable on Google.
> Violations of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> Unsubscribe, change to digest, or change password by emailing moderator at
> companys at stanford.edu.
> ----- End forwarded message -----
> --
> Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
> ______________________________________________________________
> ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
> AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5

More information about the NANOG mailing list