What to Expect When The NSA Calls

by Colin Berkshire

Everybody should now know that the NSA spying program has little to do with terrorism. After all, how can the United Nations possibly be a terrorist organization that needs to be spied upon?

We also should realize that no politician can do anything to stop the NSA. Just consider this from the opening paragraph of the Wikipedia article on J. Edgar Hoover, the first Director of the FBI:

He used the FBI to harass political dissenters and activists, to amass secret files on political leaders, and to collect evidence using illegal methods. Hoover consequently amassed a great deal of power and was in a position to intimidate and threaten sitting Presidents.

The NSA knows everybody’s secrets, and we all have them. History simply repeats itself.

So, when the day comes for you to install an NSA spying device in your corporation’s network, how does it work exactly? What should you expect? It works something like this:

You will get a phone call from an individual who will indicate that they are a security expert. They will indicate that they are from a government agency and that they need to talk to you about a security issue involving your company that, as network administrator, you need to be informed of. You are led to believe that perhaps some crime is happening inside your organization and that they have information to share with you. A meeting is set up, as the information they have is confidential and they need to talk with you in person.

They will meet you at your offices. When they arrive they will show you their official government ID and will ask if there is someplace private where they can talk with you. They politely thank you for setting up the meeting. They then describe, briefly and vaguely, that they handle special investigations and that they have something important to share. But first they need to confirm that you are the correct individual, because the information they have is very sensitive. They ask you to describe your area of responsibility, your authority, and your chain of command up to senior management.

Once they confirm that you are the correct individual within your organization, they put their briefcase on the desk, open it, and pull out an envelope from which they take a piece of paper. They hand it to you and explain simply: “This is a matter of national security. This is a court order which you must comply with. You may not share any of this with anybody,” and as examples they indicate that this includes your spouse, your manager, and any co-workers. They then confirm that you understand what they have just explained. They hand you a “receipt” and ask that you sign it; the receipt simply means that you have received the documents. You must sign; now.

They then ask if they can be given a tour of your data center, and they would especially like to understand how your company’s traffic reaches the Internet. What ISPs do you use, how many gateways are there, what is the router strategy, what brand of equipment do you use, how is it mounted?

You then take them on a brief tour and show them so that they can see.

Approximately a week later they call and set up another appointment with you. Again, they show their identification and ask to speak with you privately. They remind you that you cannot disclose any of this to anybody…not even others in your management reporting structure.

They then open up a box and put it on the table. It contains a router from a major manufacturer. It looks like any other router. They explain that this is to be installed between your corporate network and your existing router. No configuration is necessary; everything is completely automatic and transparent. You should install it yourself, or you may have a technician install it if that is the normal practice in your organization. You may describe it to others as a network caching device. This should be done within one week. If you don’t hear back from the agents, then the device is working properly.

You then have the device installed, between your router and your network. You notice nothing different. End of story.

But what you have done is install a content examination and filtering device. Everything of interest is now extracted and transmitted to the NSA.

The device has relatively little overhead. It buffers content so that it minimizes its impact during peak traffic times, much as QoS queuing does. It doesn’t need to send everything. For example, if an employee watches a YouTube video it only needs to send the originating computer’s identification and the video address; there is no need to send the actual video. Emails normally don’t need to have their content sent to the NSA, just the from/to pairs and the subject line, as long as the content is plain text and contains no keywords. Likewise, there is no need to send all website traffic, since only the URL and the user’s computer identification are needed unless the page contains active content or is encrypted. Of course, any email that contains important keywords, is to or from a person of interest, or carries things such as SSL signing credentials (private keys or certificates) is sent in full.

One of the most important functions is to uniquely identify specific computers on your network and associate them with specific traffic. That allows specific computers to be targeted. When those computers contact Microsoft for a Windows Update they can be given “special updates,” which are then installed as part of the regular maintenance update process. This allows direct access to hardware such as web cameras and hard drives. (Note that Windows Update packages are code-signed, so an update substituted in transit would only install if it carried a signature the client trusts.)

The need for this device is obvious: NAT and firewalling limit the NSA’s visibility into exactly which computer is doing what, because from the ISP side every internal host appears as the gateway’s public address. To allow better targeting it is necessary to install one of these devices inside the network, where individual hosts are still distinguishable, on networks holding information of high value to the NSA.
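As an added illustration, not from the original post and not a description of any real device, the following Python models the two points made above: a tap on the inside of the NAT gateway can attribute each flow to a specific host (MAC and private address), whereas an upstream tap sees only the shared public address; and the selective-extraction policy forwards metadata only, sending full content when the payload is not plain text, matches a keyword or watch list, or carries key material. The flow records, watch lists, and field names are all constructed for the example.

```python
"""Inside-the-NAT attribution and selective-extraction triage.

Hypothetical model of the policy described in the post. All records,
watch lists and field names are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed watch lists for the example (hypothetical).
KEYWORDS = {"merger", "exploit"}
PERSONS_OF_INTEREST = {"analyst@example.org"}
METADATA_RECORD_BYTES = 200  # assumed size of a metadata-only record


@dataclass
class Flow:
    src_mac: str               # visible only inside the NAT gateway
    src_ip: str                # private address, also inside-only
    public_ip: str             # what an ISP-side observer sees
    dst_host: str
    kind: str                  # "video", "web" or "email"
    nbytes: int
    url: Optional[str] = None
    encrypted: bool = False
    active_content: bool = False
    mail_from: Optional[str] = None
    mail_to: Optional[str] = None
    subject: Optional[str] = None
    body: str = ""


def upstream_view(flow: Flow) -> dict:
    """An ISP-side tap: every internal host collapses to the NAT's public IP."""
    return {"src": flow.public_ip, "dst": flow.dst_host}


def inside_view(flow: Flow) -> dict:
    """An inside tap still sees which physical host originated the flow."""
    return {"host": flow.src_mac, "ip": flow.src_ip, "dst": flow.dst_host}


def triage(flow: Flow) -> dict:
    """Build the record to forward; full_content says whether payload goes too."""
    record = inside_view(flow)
    if flow.kind == "video":
        record["url"] = flow.url
        record["full_content"] = False          # address only, never the video
    elif flow.kind == "web":
        record["url"] = flow.url
        record["full_content"] = flow.encrypted or flow.active_content
    elif flow.kind == "email":
        record.update(mail_from=flow.mail_from, mail_to=flow.mail_to,
                      subject=flow.subject)
        body = flow.body.lower()
        record["full_content"] = bool(
            flow.encrypted                                        # not plain text
            or any(k in body for k in KEYWORDS)                   # keyword hit
            or {flow.mail_from, flow.mail_to} & PERSONS_OF_INTEREST
            or "private key-----" in body                         # PEM key material
        )
    else:
        raise ValueError(f"unknown flow kind: {flow.kind}")
    return record


def forwarded_bytes(flow: Flow) -> int:
    """Bytes this flow costs to exfiltrate under the policy."""
    return flow.nbytes if triage(flow)["full_content"] else METADATA_RECORD_BYTES


def summarize(flows) -> tuple:
    """(total bytes on the wire, bytes the device would actually forward)."""
    return sum(f.nbytes for f in flows), sum(forwarded_bytes(f) for f in flows)


# Constructed sample traffic: three hosts behind one public address.
SAMPLE_FLOWS = [
    Flow("00:11:22:33:44:01", "10.0.0.11", "203.0.113.7", "www.youtube.com",
         "video", 50_000_000, url="https://www.youtube.com/watch?v=example"),
    Flow("00:11:22:33:44:02", "10.0.0.12", "203.0.113.7", "intranet.example.com",
         "web", 40_000, url="http://intranet.example.com/news.html"),
    Flow("00:11:22:33:44:02", "10.0.0.12", "203.0.113.7", "mail.example.com",
         "email", 2_000, mail_from="bob@example.com", mail_to="carol@example.com",
         subject="Lunch", body="Noon at the usual place?"),
    Flow("00:11:22:33:44:03", "10.0.0.13", "203.0.113.7", "mail.example.com",
         "email", 3_000, mail_from="bob@example.com", mail_to="analyst@example.org",
         subject="Keys", body="-----BEGIN RSA PRIVATE KEY-----\nMIIEexample"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(upstream_view(f), "->", triage(f))
    print("total/forwarded bytes:", summarize(SAMPLE_FLOWS))
```

The upstream view of the first two flows is identical (same public address), which is exactly the ambiguity the inside tap removes; only the last email, addressed to a watch-listed recipient and carrying a PEM private key, is forwarded in full.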

Of course, if your organization is a small one, or not doing anything of use to the NSA, there is almost no likelihood of ever hearing from the NSA. For the smaller organization they can usually grab whatever they need from your ISP or from the hooks installed in many consumer-grade routers. It’s only the very large corporation that gets this special treatment. After all, the NSA must choose its targets carefully enough that the device doesn’t fall into the hands of a whistleblower who will do a teardown on it.

Anyway, that’s how it all works. Now you know what to expect. If your boss asks, just link him/her to this post.

If your boss asks how he can securely communicate, tell him/her to put it in writing and mail it…via snail mail. (And even then note that the from/to names and addresses are all OCRed and are sent to the NSA.)

Nothing is confidential from the NSA.