Re: PRISM: NSA/FBI Internet data mining project
On Jun 6, 2013, at 10:25 PM, jamie rishaw j...@arpa.com wrote:

> <tinfoilhat> Just wait until we find out dark and lit private fiber is getting vampired. </tinfoilhat>

well, that's exactly the only thing that would not surprise me, given the eff suit and mark klein's testimony about room 421a full of narus taps. mark klein is an utterly convincing and credible guy on this subject of tapping transit traffic.

but the ability to assemble intelligence out of taps on providers' internal connections would require reverse engineering the ever changing protocols of all of those providers. and at least at one of the providers named, where i worked on security and abuse, it was hard for us, ourselves, to quickly mash up data from various internal services and lines of business that were almost completely siloed -- data typically wasn't exposed widely and stayed within a particular server or data center absent a logged in session by the user.

were these guys scraping the screens of non-ssl sessions of interest in real time?

with asymmetric routing, it's hard to reassemble both sides of a conversation, say in IM. one side might come in via a vip and the other side go out through the default route, shortest path. only *on* a specific internal server might you see the entire conversation. typically only the engineers who worked on that application would log on or even know what to look for.

and also, only $20m/year? in my experience, the govt cannot do anything like this addressing even a single provider for that little money.

and pretty much denials all around.

so at the moment, i don't believe it.

(and i hope it's not true, or i might have to leave this industry in utter disgust because i didn't notice this going on in about 8 years at that provider and it was utterly contrary to the expressed culture. take up beekeeping, or alcohol, or something.)

> --
> Jamie Rishaw // .com.arpa@j - reverse it. ish.
> arpa / arpa labs
Re: PRISM: NSA/FBI Internet data mining project
The "oh well, it happens, who cares, guess you need PGP" comments on this thread are idiotic. Some of you would benefit from reading the text of the 4th Amendment:

> The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized

The Washington Post mentioned some "safeguards"... but those were pathetic. Why? They seemed to be similar to the following analogy: "we'll keep that video camera in your home, recording your every move, and we promise we'll close our eyes when reviewing the tape whenever it shows you naked." THAT is essentially what they're saying. The access described by both the Washington Post and The Guardian is essentially unfettered/unmetered/unmonitored.

Just as doctors take the Hippocratic oath to maintain decent standards which are to the benefit of modern civilization... shouldn't IT/Networking/Internet professionals (NANOG readers!!!) have standards that, hopefully, distinguish us from... say... the State-run ISP of North Korea.

And if these allegations are true... then... I have a difficult time believing that there was no quid pro quo involved. Especially since such companies risk a backlash and huge loss of customers if/when this gets out. So I don't think they'd do this without some kind of return in favor. Did they get special tax treatment? Tarp money of any kind (maybe to a parent company)? Easing of regulation enforcement? If there was quid pro quo, then what a bunch of F'ing whores, selling their own customers down the river... to make a buck... and potentially contributing to a future tyranny.

Sure, the US government probably only uses this to catch the bad guys today... but what would a *corrupt* administration do with such data in the future... stick the IRS on their political enemies? (oh, wait, that just happened... h)

--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-932
Re: IP4 address conservation method
* Blake Hudson

> One thing not mentioned so far in this discussion is using PPPoE or some other tunnel/VPN technology for efficient IP utilization. The result could be zero wasted IP addresses without the need to resort to non-routable IP addresses in a customer's path (as the pdf suggested) and without some of the quirkiness or vendor lock-in of using ip unnumbered. PPPoE (and other VPNs) have many of the same downsides as mentioned above though, they require routing cost and increase the complexity of the network. The question becomes which deployment has more cost: the simple, yet wasteful, design or the efficient, but complex, design.

<shameless plug alert>

Or, simply just use IPv6, and use a stateless translation service located in the core network to provide IPv4 connectivity to the public Internet services. This allows for 100% efficient utilisation of whatever IPv4 addresses you have left - nothing needs to go to waste due to router interfaces, subnet power of 2 overhead, internal servers/services that have no Internet-available services, etc... all without requiring you to do anything special on the server/application stacks to support it (like set up tunnel endpoints), add dual-stack complexity into your network, or introduce any form of stateful translation or VPN service into your network.

Here are some more resources:

http://fud.no/talks/20130321-V6_World_Congress-The_Case_for_IPv6_Only_Data_Centres.pdf
http://tools.ietf.org/html/draft-anderson-siit-dc-00

In case you're interested in more, Ivan Pepelnjak and I will host a (free) webinar about the approach next week. Feel free to join!

http://www.ipspace.net/IPv6-Only_Data_Centers

BTW: I hear Cisco has implemented support for this approach in their latest AS1K code, although I haven't confirmed this myself yet.

Tore
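As an added illustration of the stateless translation Tore describes (example code written for this page, not taken from the draft, the talk or any vendor implementation): it assumes an RFC 6052-style /96 translation prefix for embedding IPv4 client addresses plus an explicit one-to-one mapping of public IPv4 service addresses to IPv6-only servers, with every address constructed from documentation ranges, and it contrasts the address count with a conventional power-of-two subnet.

```python
"""
Stateless IPv4/IPv6 translation at a data-centre edge (SIIT-DC style).

Constructed example: the /96 translation prefix, the IPv4 service
addresses and the IPv6 server addresses below are documentation-range
values made up for this illustration, not anyone's real deployment.
"""
import ipaddress
from typing import Optional, Tuple

# Assumption: the translator embeds IPv4 client addresses in the low 32
# bits of a /96 prefix, the way RFC 6052 describes for stateless
# translators. The prefix itself is a constructed documentation value.
TRANSLATION_PREFIX = ipaddress.IPv6Network("2001:db8:46::/96")

# Explicit 1:1 mapping of public IPv4 service addresses to IPv6-only
# servers (constructed). Each service consumes exactly one IPv4 address;
# no gateway, network or broadcast addresses are needed on the IPv4 side.
EAM = {
    ipaddress.IPv4Address("192.0.2.10"): ipaddress.IPv6Address("2001:db8:1::10"),
    ipaddress.IPv4Address("192.0.2.11"): ipaddress.IPv6Address("2001:db8:2::80"),
    ipaddress.IPv4Address("192.0.2.12"): ipaddress.IPv6Address("2001:db8:3::443"),
}
EAM_REVERSE = {v6: v4 for v4, v6 in EAM.items()}


def embed_ipv4(v4: ipaddress.IPv4Address) -> ipaddress.IPv6Address:
    """RFC 6052 /96 embedding: prefix bits followed by the 32-bit IPv4 address."""
    return ipaddress.IPv6Address(int(TRANSLATION_PREFIX.network_address) | int(v4))


def extract_ipv4(v6: ipaddress.IPv6Address) -> Optional[ipaddress.IPv4Address]:
    """Inverse of embed_ipv4; None if the address is not inside the prefix."""
    if v6 not in TRANSLATION_PREFIX:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def translate_inbound(src4: str, dst4: str) -> Optional[Tuple[str, str]]:
    """IPv4 packet from the Internet -> IPv6 packet towards the server.

    Returns None when the destination is not a mapped service address;
    a real translator would treat such a packet as unroutable and drop it.
    """
    dst6 = EAM.get(ipaddress.IPv4Address(dst4))
    if dst6 is None:
        return None
    return str(embed_ipv4(ipaddress.IPv4Address(src4))), str(dst6)


def translate_outbound(src6: str, dst6: str) -> Optional[Tuple[str, str]]:
    """IPv6 reply from the server -> IPv4 packet towards the client.

    Statelessness: no per-flow table is consulted; both addresses are
    recovered purely from the mapping and the prefix. None on a mismatch.
    """
    src4 = EAM_REVERSE.get(ipaddress.IPv6Address(src6))
    dst4 = extract_ipv4(ipaddress.IPv6Address(dst6))
    if src4 is None or dst4 is None:
        return None
    return str(src4), str(dst4)


def ipv4_needed_conventional(hosts: int) -> int:
    """Smallest conventional IPv4 subnet holding `hosts` servers plus a
    network, broadcast and gateway address (power-of-two rounding)."""
    size = 4
    while size - 3 < hosts:
        size *= 2
    return size


def ipv4_needed_siit_dc(services: int) -> int:
    """With stateless translation each public service costs exactly one address."""
    return services


if __name__ == "__main__":
    print(translate_inbound("198.51.100.7", "192.0.2.11"))
    print(translate_outbound("2001:db8:2::80", "2001:db8:46::c633:6407"))
    print(ipv4_needed_conventional(5), ipv4_needed_siit_dc(5))
```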
Re: PRISM: NSA/FBI Internet data mining project
Subject: Re: PRISM: NSA/FBI Internet data mining project
Date: Fri, Jun 07, 2013 at 12:25:35AM -0500
Quoting jamie rishaw (j...@arpa.com):

> <tinfoilhat> Just wait until we find out dark and lit private fiber is getting vampired. </tinfoilhat>

I'm not even assuming it, I'm convinced. In Sweden, we have a law that makes what NSA/FBI did illegal while at the same time legalising, after some scrutiny, the practice of tapping traffic that passes Sweden and is not both originated by and destined to Swedes. We're pretty good at selling transit abroad. Eastward. Go figure.

Combine that with our NSA buddy, the FRA (http://www.fra.se) actively attempting to hire WDM experience and there is enough circumstantial data that I'm convinced it's being done.

Also, what agencies like NSA, GCHQ and FRA have done for ages is listening to a broad spectrum of RF data with their aerials. Moving it into fiber is just keeping pace with the technology.

Another historical fact is that the FRA has its roots in an extremely successful wiretapping operation in WW2, where the German teleprinter traffic between Norway (occupied) and Germany was passed on leased lines through western Sweden. Cross-border wiretap.

In conclusion; I'm convinced.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I'm having an emotional outburst!!
Re: IP4 address conservation method
Jimmy Hess mysi...@gmail.com writes:

> The kernel has its defaults, but distribution vendors such as Redhat/Ubuntu/Debian, are free to supply their own defaults through sysctl.conf or their NetworkManager packages or network configuration scripts... It's interesting to note they have so far chosen to go (mostly) with the defaults. I'm sure most people do not have a problem, or else, someone would have updated the defaults by now

Changing defaults will break stuff for people relying on those defaults. This is usually not acceptable. At least not in the kernel. The behaviour is well documented and easy to change. Whining about the defaults not matching personal preferences is useless noise.

Bjørn
Re: PRISM: NSA/FBI Internet data mining project
On Thu, Jun 06, 2013 at 08:07:57PM -0400, Alex Rubenstein wrote:

> > > Has fingers directly in servers of top Internet content companies, dates to 2007. Happily, none of the companies listed are transport networks:
> >
> > I've always just assumed that if it's in electronic form, someone else is either reading it now, has already read it, or will read it as soon as I walk away from the screen.
>
> So, you are comfortable just giving up your right to privacy? It's just the way it is?

If you want to exercise your right to privacy, use end to end encryption and onion remixing networks to hamper traffic analysis. Everything else is for the hopelessly gullible.

> I'm sorry, I am not as accepting of that fact as you are. I am disappointed and disgusted that this is, and has been, going on. Our government is failing us.

What government is this, kemo sabe? Nanog has a global audience.
Re: PRISM: NSA/FBI Internet data mining project
On Fri, Jun 07, 2013 at 12:25:35AM -0500, jamie rishaw wrote:

> <tinfoilhat> Just wait until we find out dark and lit private fiber is getting vampired. </tinfoilhat>

Approaches like http://www.wired.com/science/discoveries/news/2006/04/70619 obviously don't scale to small time operators. But if you can vacuum up close to the core at full wire speed (and there is no reason to think you can't, since there are switches which deal with that) you don't have to deal with periphery that much.

How would you tap a few TBit/s so that you can filter it down to where you can look at it at layer 7 in ASICs, and filter out something to a more manageable data rate? Would you use a dedicated fibre to forward that to a central facility, or do it with storage that is periodically picked up via sneakernet?
RE: PRISM: NSA/FBI Internet data mining project
> Approaches like http://www.wired.com/science/discoveries/news/2006/04/70619 obviously don't scale to small time operators. But if you can vacuum up close to the core at full wire speed (and there is no reason to think you can't, since there are switches which deal with that) you don't have to deal with periphery that much.

Remember, there is no core. I say that half-jokingly. Sniffing at the core will only net you a small set of potentially asymmetrical traffic flow.
Re: PRISM: NSA/FBI Internet data mining project
On 06/07/13 02:34 -0400, Rob McEwen wrote:

> The "oh well, it happens, who cares, guess you need PGP" comments on this thread are idiotic. Some of you would benefit from reading the text of the 4th Amendment:
>
> > The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized

OpenPGP and other end-to-end protocols protect against all nefarious actors, including state entities. I'll admit my first reaction yesterday after hearing this news was - so what? Network security by its nature presumes that an insecure channel is going to be attacked and compromised. The 4th Amendment is a layer-8 solution to a problem that is better solved lower in the stack.

> The Washington Post mentioned some "safeguards"... but those were pathetic. Why? They seemed to be similar to the following analogy: "we'll keep that video camera in your home, recording your every move, and we promise we'll close our eyes when reviewing the tape whenever it shows you naked." THAT is essentially what they're saying. The access described by both the Washington Post and The Guardian is essentially unfettered/unmetered/unmonitored.
>
> Just as doctors take the Hippocratic oath to maintain decent standards which are to the benefit of modern civilization... shouldn't IT/Networking/Internet professionals (NANOG readers!!!) have standards that, hopefully, distinguish us from... say... the State-run ISP of North Korea.
>
> And if these allegations are true... then... I have a difficult time believing that there was no quid pro quo involved. Especially since such companies risk a backlash and huge loss of customers if/when this gets out. So I don't think they'd do this without some kind of return in favor. Did they get special tax treatment? Tarp money of any kind (maybe to a parent company)? Easing of regulation enforcement?

I assume these taps were put in place under the auspices of (by order of) homeland security or some such. If there were some financial incentive involved, I'd be surprised.

--
Dan White
RE: PRISM: NSA/FBI Internet data mining project
> > So, you are comfortable just giving up your right to privacy? It's just the way it is?
>
> If you want to exercise your right to privacy, use end to end encryption and onion remixing networks to hamper traffic analysis.

Whoa. These are two completely separate issues.

I concur with you whole-heartedly; if you have something to keep private or something that is sensitive, protect it. That is your right, it is legal, and you should do it. I do.

But that DOES NOT, UNDER ANY CIRCUMSTANCES, in any way make it OK for the USG to ignore the fourth amendment. I should not have to hamper traffic analysis that is analyzing my traffic illegally. That is the bigger point here.

> Everything else is for the hopelessly gullible.

You mean, "Everything else is for the people who are OK with being snooped on by the government."

> > I'm sorry, I am not as accepting of that fact as you are. I am disappointed and disgusted that this is, and has been, going on. Our government is failing us.
>
> What government is this, kemo sabe? Nanog has a global audience.

Fair enough, but I think we all know what I am talking about.
Re: [NANOG 58] Final agenda posted and late registration - See you in New Orleans!
I just wanted to take a moment and say thank you to all of you that put together NANOG. I'm pretty new to the list and 58 was the first NANOG that I followed; I watched a few archive speakers in the past, but this was the first time I actually stayed tuned and followed most speakers. Simply put, thank you for the knowledge, perspective, and keep up the effort.

On Tue, May 21, 2013 at 7:33 AM, David Temkin d...@temk.in wrote:

> All-
>
> The final agenda for NANOG 58 has been posted at: http://www.nanog.org/meetings/nanog58/agenda
>
> Also of note, Standard Registration ends on May 30 - the price will then go up $75. We encourage you to register now and lock in the few remaining hotel rooms at http://www.nanog.org/meetings/nanog58/registration
>
> This meeting will follow the new Monday-Wednesday format of tutorials beginning Monday morning, a Newcomers Lunch, and then General Sessions beginning in the early afternoon. The program will conclude with the Peering Track and then a social on Wednesday night.
>
> Looking forward to seeing everyone in The Big Easy!
>
> Regards,
> -Dave Temkin
> Chair, NANOG Program Committee

--
Phil Fagan
Denver, CO
970-480-7618
Re: PRISM: NSA/FBI Internet data mining project
On Fri, Jun 7, 2013 at 1:57 AM, Mark Seiden m...@seiden.com wrote:

> and also, only $20m/year? in my experience, the govt cannot do anything like this addressing even a single provider for that little money.

agreed, that 20m seems extraordinarily low for such an effort... hell, for 6 yrs time transport costs alone would have exceeded that number.
Re: [NANOG 58] Final agenda posted and late registration - See you in New Orleans!
I echo the same sentiment, and this meeting being my first in-person, I can say that if you can swing physically making it to a meeting, jump at the chance. The content was excellent, the networking in the hallways was priceless, and the evening activities that the sponsors put on were first-class. Again, hats off to the folks at NANOG for a great meeting.

-dan

Dan Brisson
Network Engineer
University of Vermont
(Ph) 802.656.8111
dbris...@uvm.edu

On 6/7/13 10:21 AM, Phil Fagan wrote:

> I just wanted to take a moment and say thank you to all of you that put together NANOG. I'm pretty new to the list and 58 was the first NANOG that I followed; I watched a few archive speakers in the past, but this was the first time I actually stayed tuned and followed most speakers. Simply put, thank you for the knowledge, perspective, and keep up the effort.
>
> On Tue, May 21, 2013 at 7:33 AM, David Temkin d...@temk.in wrote:
>
> > All-
> >
> > The final agenda for NANOG 58 has been posted at: http://www.nanog.org/meetings/nanog58/agenda
> >
> > Also of note, Standard Registration ends on May 30 - the price will then go up $75. We encourage you to register now and lock in the few remaining hotel rooms at http://www.nanog.org/meetings/nanog58/registration
> >
> > This meeting will follow the new Monday-Wednesday format of tutorials beginning Monday morning, a Newcomers Lunch, and then General Sessions beginning in the early afternoon. The program will conclude with the Peering Track and then a social on Wednesday night.
> >
> > Looking forward to seeing everyone in The Big Easy!
> >
> > Regards,
> > -Dave Temkin
> > Chair, NANOG Program Committee
Re: PRISM: NSA/FBI Internet data mining project
On 6/7/2013 9:50 AM, Dan White wrote:

> OpenPGP and other end-to-end protocols protect against all nefarious actors, including state entities. I'll admit my first reaction yesterday after hearing this news was - so what? Network security by its nature presumes that an insecure channel is going to be attacked and compromised. The 4th Amendment is a layer-8 solution to a problem that is better solved lower in the stack.

That is JUST like saying... ||now that the police can freely bust your door down and raid your house in a fishing expedition, without a search warrant, without court order, and without probable cause... the solution is for you to get a stronger metal door and hide all your stuff better.||

You're basically saying that it is OK for governments to defy their constitutions and trample over EVERYONE's rights, and that is OK since a TINY PERCENTAGE of experts will have exotic means to evade such trampling. But to hell with everyone else. They'll just have to become good little subjects to the State. If grandma can't do PGP, then she deserves it, right?

Yet... many people DIED to initiate/preserve/codify such human rights... but I guess others just give them away freely. What a shame. Ironically, many who think this is no big deal have themselves benefited immensely from centuries of freedom and prosperity that resulted from rule of law and the U.S. Constitution/Bill of Rights.

> I assume these taps were put in place under the auspices of (by order of) homeland security or some such. If there were some financial incentive involved, I'd be surprised.

Some of the authors of the laws that were used to justify these are already starting to come forward saying, "it wasn't supposed to go that far." And to the extent that some laws were followed correctly, any such laws that do not conform to the 4th Amendment are supposed to be invalid, and eventually, officially invalidated. I think what has happened here is that stuff like this was nudging the 4th amendment aside... and little-by-little, kept getting worse... just like the frog in the slowly heating water who doesn't know that he is now boiling to death.

Does ANY REASONABLE person on this list REALLY think that the government snooping through your e-mail without warrant or court order is DIFFERENT in nature than the government sneaking into your home and snooping through your desk? Yes, it is easier. Yes, we ought to know that mail is less secure (from the BAD guys!!!). Otherwise, there really isn't any difference. This is a flagrant violation of the 4th amendment.

--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
PGP/SSL/TLS really as secure as one thinks?
On 2013-06-07 06:50, Dan White wrote:
[..]

A nice "it is Friday" kind of thought:

> OpenPGP and other end-to-end protocols protect against all nefarious actors, including state entities.

If you can't trust the entities where your data is flowing through because you are unsure if and where they are tapping you, why do you trust any of the crypto out there that is allowed to exist? :)

Think about it, the same organization(s) that you are suspecting of having those taps, are the ones who have the top crypto people in the world and who have been influencing those standards for decades...

Oh, yes, the fun thing is that likely one is not able to do "better" crypto either, unless it is not to talk.

With PGP/SSL/TLS I of course mean primarily the underlying crypto, not the mechanism that they exist as; the mechanisms are quite well understood, the crypto though is a whole bunch of hocus pocus for most folks.

And remember that when you are good enough with the crypto you are likely quickly enough to join one of those orgs ;)

/me doles out tin foil hats for one to safely think this over on the weekend.

Greets,
Jeroen
Re: PRISM: NSA/FBI Internet data mining project
This is one of these "Save the forest by burning it" situations that don't have any logic. To save a forest firefighters often cut a few trees. Don't cut all the trees in a forest to save it from a fire.

Exceptions must be made for police forces to violate rights (like privacy). Exceptions can't be the norm. An exception can't be "we have access to all emails all the time". That's cutting all the forest.

If you give police forces the ability to violate personal rights all the time (not as exceptions) what this causes is people running away from the police forces. And turn the police forces into some type of criminal, the only difference is better organized and backed by the law.

--
--
ℱin del ℳensaje.
Re: PGP/SSL/TLS really as secure as one thinks?
On Jun 7, 2013, at 10:14 AM, Jeroen Massar jer...@massar.ch wrote:

> If you can't trust the entities where your data is flowing through because you are unsure if and where they are tapping you, why do you trust any of the crypto out there that is allowed to exist? :)
>
> Think about it, the same organization(s) that you are suspecting of having those taps, are the ones who have the top crypto people in the world and who have been influencing those standards for decades...

I believe there are two answers to your question, although neither is entirely satisfactory.

The same organization(s) you describe use cryptography themselves, and do influence the standards. They have a strong interest in keeping their own communication secure. It would be a huge risk to build in some weakness they could exploit and hope that other state funded entities would not be able to find the hidden flaw that allows decryption.

Having unbreakable cryptography is not necessary to effect positive change. Reading unencrypted communications is O(1). If cryptography can make reading the communications (by breaking the crypto) harder, ideally at least O(n^2), it would likely prevent it from being economically feasible to do wide scale surveillance. Basically if they want your individual communications it's still no problem to break the crypto and get it, but simply reading everything going by from everyone becomes economically impossible.

There's an important point to the second item; when scanning a large data set one of the most important details algorithmically is knowing which data _not_ to scan. When the data is in plain text throwing away uninteresting data is often trivial. If all data is encrypted, cycles must be spent to decrypt it all just to discover it is uninteresting.

--
Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Re: PRISM: NSA/FBI Internet data mining project
On 07/06/2013 16:02, Christopher Morrow wrote:

> On Fri, Jun 7, 2013 at 1:57 AM, Mark Seiden m...@seiden.com wrote:
>
> > and also, only $20m/year? in my experience, the govt cannot do anything like this addressing even a single provider for that little money.
>
> agreed, that 20m seems extraordinarily low for such an effort... hell, for 6 yrs time transport costs alone would have exceeded that number.

Does seem cheap. Still, here's an update from the horse's mouth:

http://www.dni.gov/index.php/newsroom/press-releases/191-press-releases-2013/868-dni-statement-on-recent-unauthorized-disclosures-of-classified-information

Cheers,
James Harrison
Re: PRISM: NSA/FBI Internet data mining project
On 06/07/13 11:11 -0400, Rob McEwen wrote:

> On 6/7/2013 9:50 AM, Dan White wrote:
>
> > OpenPGP and other end-to-end protocols protect against all nefarious actors, including state entities. I'll admit my first reaction yesterday after hearing this news was - so what? Network security by its nature presumes that an insecure channel is going to be attacked and compromised. The 4th Amendment is a layer-8 solution to a problem that is better solved lower in the stack.
>
> That is JUST like saying... ||now that the police can freely bust your door down and raid your house in a fishing expedition, without a search warrant, without court order, and without probable cause... the solution is for you to get a stronger metal door and hide all your stuff better.||

Hiding stuff better is generally good security practice, particularly in the absence of a search warrant. How effective those practices are is really what's important. From a data standpoint, those security procedures can be highly effective, even against law enforcement.

But it's not law enforcement that I worry about the most (understandably, you may have a differing opinion); it's the random anonymous cracker who isn't beholden to any international laws or courts. I design my personal security procedures for him. That's why I don't, say, send passwords in emails. I don't trust state entities to protect the transmission of that data. I don't wish to place that burden on them.

> You're basically saying that it is OK for governments to defy their constitutions and trample over EVERYONE's rights, and that is OK since a TINY PERCENTAGE of experts will have exotic means to evade such trampling. But to hell with everyone else. They'll just have to become good little subjects to the State. If grandma can't do PGP, then she deserves it, right?

I believe it's your responsibility to protect your own data, not the government's, and certainly not Facebook's.

> Yet... many people DIED to initiate/preserve/codify such human rights... but I guess others just give them away freely. What a shame. Ironically, many who think this is no big deal have themselves benefited immensely from centuries of freedom and prosperity that resulted from rule of law and the U.S. Constitution/Bill of Rights.

Freedom is very important to me, as well as the laws that are in place to protect it.

--
Dan White
Re: PRISM: NSA/FBI Internet data mining project
On 6/7/2013 11:42 AM, Dan White wrote:

> I believe it's your responsibility to protect your own data, not the government's, and certainly not Facebook's.

Dan,

I agree with everything you said in your last post. Except this part misses the point. Yes, it may not be their job to protect the data, but they do have certain responsibilities to not enable the snooping/sharing of my data beyond what is either obviously expected and/or what is clearly found in licensing/terms.

--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
Webcasting as a replacement for traditional broadcasting (was Re: Wackie 'ol Friday)
----- Original Message -----
From: Michael Painter tvhaw...@shaka.com

> Anyone besides jra remember the last Super Bowl? Better this year? Worse? I'm sure whoever is listening in would like to know as well.
>
> http://www.multichannel.com/blogs/translation-please/multicast-unicast-and-super-bowl-problem

Well, in fact, the most recent Massive Failure was the webcast of the Concert For Boston, on 5/31. They were using a vendor called LiveAlliance.tv, who did not appear to be farming it out to Limelight or Akamai or Youtube, as far as I could tell, and they apparently only figured for a scale 5 audience, and then got more than 500k attempts.

They got rescued by a vendor named Fast Hockey who are an amateur hockey webcast aggregator, I gather, and *are* an Akamai client.

My estimation is that the reason that webcasting will never completely replace broadcasting is that -- because it is mostly unicast -- its inherent complexity factor is a) orders of magnitude higher than bcast, and b) *proportional to the number of viewers*. Like Linux, that doesn't scale.

And broadcasters are not prone to think of the world in a view where you have to provide technical support to people just to watch your show.

"He's at the 40... the 30... the 20... this is gonna be the Super Bowl, folks... the 10... [buffering]"

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274
Re: PRISM: NSA/FBI Internet data mining project
----- Original Message -----
From: Robert Mathews (OSIA) math...@hawaii.edu

> On 6/6/2013 7:35 PM, Jay Ashworth wrote:
>
> > [ . ] Happily, none of the companies listed are transport networks: [ ] Cheers, -- jra
>
> Could you be certain that TWC, Comcast, Qwest/CenturyLink could not be involved?

No, nor L3, GBLX, or the others. But you'd assume their names would get mentioned...

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274
Re: PRISM: NSA/FBI Internet data mining project
----- Original Message -----
From: Robert Mathews (OSIA) math...@hawaii.edu

> On 6/6/2013 9:22 PM, valdis.kletni...@vt.edu wrote:
>
> > Pay attention. None of the ones *listed* are transport networks. Doesn't mean they're not involved but unlisted (as of yet).
>
> *Vladis: * /sarcasm on I thank you for waking me up in class! I am impressed - your finely tuned language hair has picked-up the distinctions. Further, I am quite certain that the listing will be more inclusive/explicative in the next round. /sarcasm off

With all due respect, Dr Mathews, I *know* Valdis[1]' reputation; he's a regular participant here.

Who are you again?

Cheers,
-- jra

[1] Note proper spelling of his name[2].
[2] Note that I spelled your name correctly as well.

--
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274
Re: PRISM: NSA/FBI Internet data mining project
----- Original Message -----
From: Robert Mathews (OSIA) math...@hawaii.edu

> Being an AGENT or AGENCY of Change is not an activity most are CAPABLE of effectively thinking about, let alone acting upon. [ ... ] Laziness aside, permit me to humbly note that emphasis on COMPLIANCE (with sane or insane laws) alone, neither ENSURES, nor ASSURES security for oneself or one's customers.

UN-altered REPRODUCTION and DISSEMINATION of this IMPORTANT Information is ENCOURAGED, ESPECIALLY to COMPUTER BULLETIN BOARDS.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274
Re: PRISM: NSA/FBI Internet data mining project
----- Original Message -----
From: Mark Seiden m...@seiden.com

> but the ability to assemble intelligence out of taps on providers' internal connections would require reverse engineering the ever changing protocols of all of those providers. and at least at one of the providers named, where i worked on security and abuse, it was hard for us, ourselves, to quickly mash up data from various internal services and lines of business that were almost completely siloed -- data typically wasn't exposed widely and stayed within a particular server or data center absent a logged in session by the user.

Jamie makes an excellent point here: Least Privilege should apply within carrier's cores and data centers, just as much as within corporate and organizational ones.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274
Re: PRISM: NSA/FBI Internet data mining project
On 6/7/13 8:28 AM, tei'' wrote: This is one of these Save the forest by burning it situations that don't have any logic. To save a forest firefighters often cut a few trees. Don't cut all the trees in a forest to save it from a fire.

Seasonal work, many solar orbits past. Well, actually, standard practice is to scratch a line and burn out from the line to reduce fuel proximal to the line. Scratch can take the form of a crew with hand tools scratching a width-of-tool reduction in fine fuel to tandem tractors scratching width-of-blade, followed by walked drip torches. Trees don't really burn and cutting trees to make line is only useful when attempting to limit crown fires more effectively dealt with by retreat to a discontiguous canopy and firing out to reduce propagation over fine fuels. Modernly, fire is recognized as a natural phenomenon and past fire suppression doctrine has elevated fuel load and fire intensity, with deleterious effect, and suppression goals modified to structure defense, and identified resource defense, as well as the ongoing timber sales value defense. -e
Re: PRISM: NSA/FBI Internet data mining project
On Thu, Jun 6, 2013 at 5:04 PM, Matthew Petach mpet...@netflight.com wrote: On Thu, Jun 6, 2013 at 4:35 PM, Jay Ashworth j...@baylink.com wrote: Has fingers directly in servers of top Internet content companies, dates to 2007. Happily, none of the companies listed are transport networks: http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274

I've always just assumed that if it's in electronic form, someone else is either reading it now, has already read it, or will read it as soon as I walk away from the screen. Much less stress in life that way. ^_^ Matt

When I posted this yesterday, I was speaking somewhat tongue-in-cheek, because we hadn't yet made a formal statement to the press. Now that we've made our official reply, I can echo it, and note that whatever fluffed up powerpoint was passed around to the washington post, it does not reflect reality. There are no optical taps in our datacenters funneling information out, there are no sooper-seekret backdoors in the software that funnel information to the government. As our formal reply stated: Yahoo does not provide the government with direct access to its servers, systems, or network. I believe the other major players supposedly listed in the document have released similar statements, all indicating a similar lack of super-cheap government listening capabilities.

Speaking just for myself, and if you quote me on this as speaking on anyone else's behalf, you're a complete fool, if the government was able to build infrastructure that could listen to all the traffic from a major provider for a fraction of what it costs them to handle that traffic in the first place, I'd be truly amazed--and I'd probably wonder why the company didn't outsource their infrastructure to the government, if they can build and run it so much more cheaply than the commercial providers. ;P

7 companies were listed; if we assume the burden was split roughly evenly between them, that's 20M/7, about $2.85M per company per year to tap in, or about $238,000/month per company listed, to supposedly snoop on hundreds of gigs per second of data. Two ways to handle it: tap in, and funnel copies of all traffic back to distant monitoring posts, or have local servers digesting and filtering, just extracting the few nuggets they want, and sending just those back.

Let's take the first case; doing optical taps, or other form of direct traffic mirroring, carrying it untouched offsite to process; that's going to mean the ability to siphon off hundreds of Gbps per datacenter and carry it offsite for $238k/month; let's figure a major player has data split across at least 3 datacenters, so about $75K/month per datacenter to carry say 300Gbps of traffic. It's pretty clearly going to have to be DWDM on dark fiber at that traffic volume; most recent quotes I've seen for dark fiber put it at $325/mile for already-laid-in-ground (new builds are considerably more, of course).

If we figure the three datacenters are split around just the US, on average you're going to need to run about 1500 miles to reach their central listening post; that's $49K/month just to carry the bitstream, which leaves you just about $25K/month to run the servers to digest that data; at 5c/kwhr, a typical server pulling 300 watts is gonna cost you $11/month to run; let's assume each server can process 2Gbps of traffic, constantly; 150 servers for the stream of 300Gbps means we're down to $22K for the rest of our support costs; figure two sysadmins getting paid $10k/month to run the servers (120k annual salary), and you've got just $2k for G&A overhead. That's a heck of an efficient operation they'd have to be running to listen in on all the traffic for the supposed budget number claimed.

I'm late for work; I'll follow up with a runthrough of the other model, doing on-site digestion and processing later, but I think you can see the point--it's not realistic to think they can handle the volumes of data being claimed at the price numbers listed. If they could, the major providers would already be doing it for much cheaper than they are today. I mean, the Utah datacenter they're building is costing them $2B to build; does anyone really think if they're overpaying that much for datacenter space, they could really snoop on provider traffic for only $238K/month?

More later--and remember, this is purely my own rampant speculation, I'm not speaking for anyone, on behalf of anyone, or even remotely authorized or acknowledged by any entity on this rambling, so
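The "tap and haul offsite" estimate in the message above is really a small cost model with a handful of inputs, and the interesting question for a threat model is how sensitive the conclusion is to each of them. The following is an added example, not code from the original post or from any of the companies named; it uses the posted figures as defaults. One assumption it makes explicit: the $325/mile dark-fiber price is treated as a monthly recurring charge, since the post gives no unit. At that rate, 1,500 miles comes to $487,500/month rather than the $49K/month stated, and $49K/month corresponds to roughly 150 miles of haul, so the model also reports how many miles the per-site budget can cover once power and staff are paid.

```python
"""Parametrised version of the 'tap and haul offsite' estimate in the post.

Added example, not code from the original thread. Defaults are the figures
the post gives. ASSUMPTIONS: the $325/mile dark-fiber price is a monthly
recurring charge (the post does not state a unit), and a month is 30 days.
"""
import math
from dataclasses import dataclass

HOURS_PER_MONTH = 24 * 30  # assumption: 30-day month


@dataclass
class TapScenario:
    budget_per_year: float = 20_000_000      # reported program budget, USD
    companies: int = 7                       # companies assumed to share it
    datacenters: int = 3                     # sites per company
    gbps_per_site: float = 300               # traffic mirrored per site
    fiber_miles: float = 1500                # average haul to the listening post
    fiber_usd_per_mile_month: float = 325    # assumption: recurring, per month
    gbps_per_server: float = 2               # processing capacity per server
    watts_per_server: float = 300
    usd_per_kwh: float = 0.05
    sysadmins: int = 2
    sysadmin_usd_per_month: float = 10_000


def monthly_budget_per_site(s: TapScenario) -> float:
    """USD/month available per datacenter if the budget splits evenly."""
    return s.budget_per_year / s.companies / 12 / s.datacenters


def monthly_costs_per_site(s: TapScenario) -> dict:
    """Recurring line items for one site, in USD/month."""
    servers = math.ceil(s.gbps_per_site / s.gbps_per_server)
    kwh_per_server = s.watts_per_server / 1000 * HOURS_PER_MONTH
    power = round(servers * kwh_per_server * s.usd_per_kwh, 2)
    fiber = s.fiber_miles * s.fiber_usd_per_mile_month
    staff = s.sysadmins * s.sysadmin_usd_per_month
    return {
        "servers": servers,
        "fiber": fiber,
        "power": power,
        "staff": staff,
        "total": round(fiber + power + staff, 2),
    }


def feasibility(s: TapScenario) -> dict:
    """Budget, line items and what is left; 'feasible' if the costs fit."""
    budget = monthly_budget_per_site(s)
    costs = monthly_costs_per_site(s)
    return {
        "budget": round(budget, 2),
        **costs,
        "remaining": round(budget - costs["total"], 2),
        "feasible": costs["total"] <= budget,
    }


def affordable_fiber_miles(s: TapScenario) -> int:
    """Miles of haul the per-site budget covers after power and staff."""
    budget = monthly_budget_per_site(s)
    costs = monthly_costs_per_site(s)
    left = budget - costs["power"] - costs["staff"]
    return max(0, math.floor(left / s.fiber_usd_per_mile_month))


if __name__ == "__main__":
    base = TapScenario()
    for key, value in feasibility(base).items():
        print(f"{key:>10}: {value}")
    print("haul affordable at this rate:", affordable_fiber_miles(base), "miles")
```

Changing one field of `TapScenario` (for example `fiber_miles=150`, or a lower per-mile rate) and re-running `feasibility` shows which input the "not realistic at this price" conclusion actually hinges on; with the defaults, the fiber haul dominates everything else by two orders of magnitude.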
Re: PRISM: NSA/FBI Internet data mining project
On 6/7/2013 11:58 AM, Jay Ashworth wrote: With all due respect, Dr Mathews, I *know* Valdis[1]' reputation; he's a regular participant here. Who are you again? Cheers, -- jra [1] Note proper spelling of his name[2]. [2] Note that I spelled your name correctly as well. I am no one particularly important, or of great reputation! .. and, I shall make it a point to avail myself to a nearby English class... meanwhile, please carry on with the cultivated and wonderful discussions on what a government can, cannot, or indeed may do Cheers to you as well.
Re: PRISM: NSA/FBI Internet data mining project
Five days ago anyone who would have talked about the government having this capability would have been issued another tin foil hat. We think we know the truth now, but why hasn't echelon been brought up? I'm not calling anyone a liar, but isn't not speaking the truth the same thing? Sent from my Mobile Device.

Original message From: Matthew Petach mpet...@netflight.com Date: 06/07/2013 9:34 AM (GMT-08:00) To: Cc: NANOG nanog@nanog.org Subject: Re: PRISM: NSA/FBI Internet data mining project On Thu, Jun 6, 2013 at 5:04 PM, Matthew Petach mpet...@netflight.com wrote: On Thu, Jun 6, 2013 at 4:35 PM, Jay Ashworth j...@baylink.com wrote: Has fingers directly in servers of top Internet content companies, dates to 2007. Happily, none of the companies listed are transport networks: http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274 I've always just assumed that if it's in electronic form, someone else is either reading it now, has already read it, or will read it as soon as I walk away from the screen. Much less stress in life that way. ^_^ Matt When I posted this yesterday, I was speaking somewhat tongue-in-cheek, because we hadn't yet made a formal statement to the press. Now that we've made our official reply, I can echo it, and note that whatever fluffed up powerpoint was passed around to the washington post, it does not reflect reality. There are no optical taps in our datacenters funneling information out, there are no sooper-seekret backdoors in the software that funnel information to the government. As our formal reply stated: Yahoo does not provide the government with direct access to its servers, systems, or network.
I believe the other major players supposedly listed in the document have released similar statements, all indicating a similar lack of super-cheap government listening capabilities. Speaking just for myself, and if you quote me on this as speaking on anyone else's behalf, you're a complete fool, if the government was able to build infrastructure that could listen to all the traffic from a major provider for a fraction of what it costs them to handle that traffic in the first place, I'd be truly amazed--and I'd probably wonder why the company didn't outsource their infrastructure to the government, if they can build and run it so much more cheaply than the commercial providers. ;P 7 companies were listed; if we assume the burden was split roughly evenly between them, that's 20M/7, about $2.85M per company per year to tap in, or about $238,000/month per company listed, to supposedly snoop on hundreds of gigs per second of data. Two ways to handle it: tap in, and funnel copies of all traffic back to distant monitoring posts, or have local servers digesting and filtering, just extracting the few nuggets they want, and sending just those back. Let's take the first case; doing optical taps, or other form of direct traffic mirroring, carrying it untouched offsite to process; that's going to mean the ability to siphon off hundreds of Gbps per datacenter and carry it offsite for $238k/month; let's figure a major player has data split across at least 3 datacenters, so about $75K/month per datacenter to carry say 300Gbps of traffic. It's pretty clearly going to have to be DWDM on dark fiber at that traffic volume; most recent quotes I've seen for dark fiber put it at $325/mile for already-laid-in-ground (new builds are considerably more, of course).
If we figure the three datacenters are split around just the US, on average you're going to need to run about 1500 miles to reach their central listening post; that's $49K/month just to carry the bitstream, which leaves you just about $25K/month to run the servers to digest that data; at 5c/kwhr, a typical server pulling 300 watts is gonna cost you $11/month to run; let's assume each server can process 2Gbps of traffic, constantly; 150 servers for the stream of 300Gbps means we're down to $22K for the rest of our support costs; figure two sysadmins getting paid $10k/month to run the servers (120k annual salary), and you've got just $2k for G&A overhead. That's a heck of an efficient operation they'd have to be running to listen in on all the traffic for the supposed budget number claimed. I'm late for work; I'll follow up with a runthrough of the other model, doing on-site digestion and processing later, but I think you can see the point--it's not realistic to think they can handle the volumes of data being claimed at the price numbers listed.
Re: PRISM: NSA/FBI Internet data mining project
On Thu, 06 Jun 2013 22:57:07 -0700, Mark Seiden said: and also, only $20m/year? in my experience, the govt cannot do anything like this addressing even a single provider for that little money. Convince me the *real* number doesn't have another zero. Remember - the $20M number came from a source that has *very* good reason to lie as much as it can right now about the true extent of this.
Weekly Routing Table Report
This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG, TRNOG, CaribNOG and the RIPE Routing Working Group. Daily listings are sent to bgp-st...@lists.apnic.net For historical data, please see http://thyme.rand.apnic.net. If you have any comments please contact Philip Smith pfsi...@gmail.com.

Routing Table Report 04:00 +10GMT Sat 08 Jun, 2013
Report Website: http://thyme.rand.apnic.net
Detailed Analysis: http://thyme.rand.apnic.net/current/

Analysis Summary
BGP routing table entries examined: 455106
Prefixes after maximum aggregation: 185702
Deaggregation factor: 2.45
Unique aggregates announced to Internet: 225482
Total ASes present in the Internet Routing Table: 44265
Prefixes per ASN: 10.28
Origin-only ASes present in the Internet Routing Table: 34687
Origin ASes announcing only one prefix: 16161
Transit ASes present in the Internet Routing Table: 5879
Transit-only ASes present in the Internet Routing Table: 147
Average AS path length visible in the Internet Routing Table: 4.6
Max AS path length visible: 30
Max AS path prepend of ASN (55644): 23
Prefixes from unregistered ASNs in the Routing Table: 331
Unregistered ASNs in the Routing Table: 139
Number of 32-bit ASNs allocated by the RIRs: 4787
Number of 32-bit ASNs visible in the Routing Table: 3699
Prefixes from 32-bit ASNs in the Routing Table: 10729
Special use prefixes present in the Routing Table: 26
Prefixes being announced from unallocated address space: 226
Number of addresses announced to Internet: 2623669644
Equivalent to 156 /8s, 98 /16s and 5 /24s
Percentage of available address space announced: 70.9
Percentage of allocated address space announced: 70.9
Percentage of available address space allocated: 100.0
Percentage of address space in use by end-sites: 94.6
Total number of prefixes smaller than registry allocations: 159823

APNIC Region Analysis Summary
Prefixes being announced by APNIC Region ASes: 109375
Total APNIC prefixes after maximum aggregation: 33513
APNIC Deaggregation factor: 3.26
Prefixes being announced from the APNIC address blocks: 110866
Unique aggregates announced from the APNIC address blocks: 45108
APNIC Region origin ASes present in the Internet Routing Table: 4855
APNIC Prefixes per ASN: 22.84
APNIC Region origin ASes announcing only one prefix: 1227
APNIC Region transit ASes present in the Internet Routing Table: 825
Average APNIC Region AS path length visible: 4.8
Max APNIC Region AS path length visible: 30
Number of APNIC region 32-bit ASNs visible in the Routing Table: 563
Number of APNIC addresses announced to Internet: 724781792
Equivalent to 43 /8s, 51 /16s and 74 /24s
Percentage of available APNIC address space announced: 84.7
APNIC AS Blocks: 4608-4864, 7467-7722, 9216-10239, 17408-18431 (pre-ERX allocations), 23552-24575, 37888-38911, 45056-46079, 55296-56319, 58368-59391, 131072-133119
APNIC Address Blocks: 1/8, 14/8, 27/8, 36/8, 39/8, 42/8, 43/8, 49/8, 58/8, 59/8, 60/8, 61/8, 101/8, 103/8, 106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8, 163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8, 222/8, 223/8

ARIN Region Analysis Summary
Prefixes being announced by ARIN Region ASes: 158557
Total ARIN prefixes after maximum aggregation: 80320
ARIN Deaggregation factor: 1.97
Prefixes being announced from the ARIN address blocks: 159120
Unique aggregates announced from the ARIN address blocks: 73458
ARIN Region origin ASes present in the Internet Routing Table: 15729
ARIN Prefixes per ASN: 10.12
ARIN Region origin ASes
Pen testing and white hats for mass consumption
Since one Whacky Weekend thread isn't enough on a post-NANOG weekend: Here's some coverage of pentesting and 'ethical' hacking packaged for a general audience. I only caught the first half of this the other day, but it seemed worth listening to. Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
Re: Pen testing and white hats for mass consumption
On Fri, Jun 07, 2013 at 03:03:16PM -0400, Jay Ashworth wrote: Since one Whacky Weekend thread isn't enough on a post-NANOG weekend: Here's some coverage of pentesting and 'ethical' hacking packaged for a general audience. I only caught the first half of this the other day, but it seemed worth listening to. Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274 You seem to have forgotten the link. :) -- staticsafe O ascii ribbon campaign - stop html mail - www.asciiribbon.org Please don't top post - http://goo.gl/YrmAb Don't CC me! I'm subscribed to whatever list I just posted on.
Re: PRISM: NSA/FBI Internet data mining project
i have talked with a dozen people about this who ought to know if there were something more creepy than usual going on. and nobody in engineering knows of anything. but hm, people in compliance said no comment. that, and the $20M annual number, suggests that what they actually did was set up a portal for intel agency people to use to request business records of the members (service providers). (maybe PRISM stands for something like Portal to Request Intelligence Service Materials, or somesuch.) of course, under patriot, the legal concept of business records was greatly expanded, and the kinds of approvals needed to get them reduced. i really wonder if the FISC has a pki. i.e. as a technical matter can a FISC judge electronically approve a NSL or FISA warrant? if i'm right, now they're following the letter of the new law electronically, rather than using paper and fax. which would increase timeliness, accuracy and efficiency for all parties concerned. this would only affect compliance activities at the providers, who would continue receiving and handling individual requests just as previously and supplying the same data as before. (and i suppose now the providers could actually supply the returned records electronically also…) (i am actually in favor of this kind of thing for both law enforcement requests and for intel agency requests. the amount of time and money wasted and delays in handling perfectly legal and necessary investigative requests was kind of shocking to me. i repeatedly heard complaints about cases where compliance would not respond to LE in long enough that the data provided was stale for judicial purposes, and the same search warrant would have to be reissued. (or where they would take a very long time to reject a request for a technical or legal reason.) 
(there's an interesting gray area in this request handling: there were several times as an internal investigator at a provider when i wanted to be able to convey to LE that they *should go through the trouble* of doing all the paperwork of going to a judge, or even worse, through the MLAT which means a foot of paper and a man-month of work. there were even more times when i wanted to say don't bother to even ask, you'd just be wasting your time). but my lawyers would not allow that sort of communication. On Jun 7, 2013, at 11:05 AM, valdis.kletni...@vt.edu wrote: On Thu, 06 Jun 2013 22:57:07 -0700, Mark Seiden said: and also, only $20m/year? in my experience, the govt cannot do anything like this addressing even a single provider for that little money. Convince me the *real* number doesn't have another zero. Remember - the $20M number came from a source that has *very* good reason to lie as much as it can right now about the true extent of this.
Re: PRISM: NSA/FBI Internet data mining project
- Original Message - From: Valdis Kletnieks valdis.kletni...@vt.edu On Thu, 06 Jun 2013 22:57:07 -0700, Mark Seiden said: and also, only $20m/year? in my experience, the govt cannot do anything like this addressing even a single provider for that little money. Convince me the *real* number doesn't have another zero. Remember - the $20M number came from a source that has *very* good reason to lie as much as it can right now about the true extent of this. Indeed. Luckily, the press is all over this like a bad smell. I mentioned The Story in a new posting just now; they have, surprisingly, already managed to dig at this spot, a pretty quick response for them: http://www.thestory.org/stories/2013-06/americans-spying-americans Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
Re: Pen testing and white hats for mass consumption
sigh volume=loud tone=annoyed - Original Message - From: Jay Ashworth j...@baylink.com To: NANOG nanog@nanog.org Sent: Friday, June 7, 2013 3:03:16 PM Subject: Pen testing and white hats for mass consumption Since one Whacky Weekend thread isn't enough on a post-NANOG weekend: Here's some coverage of pentesting and 'ethical' hacking packaged for a general audience. I only caught the first half of this the other day, but it seemed worth listening to. http://www.thestory.org/stories/2013-06/employment-security-hacker Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
FIXED: Pen testing and white hats for mass consumption
Since one Whacky Weekend thread isn't enough on a post-NANOG weekend: Here's some coverage of pentesting and 'ethical' hacking packaged for a general audience. I only caught the first half of this the other day, but it seemed worth listening to. and that link is... http://www.thestory.org/stories/2013-06/employment-security-hacker Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
Re: PRISM: NSA/FBI Internet data mining project
I'm cool with technology to catch bad guys, I just don't know that catching everything for some kind of dragnet is the right approach. There will be a time where Americans realize they are actually not in control of their governance, perhaps that time is now? On the upside, Holder now has another leak (reason) to subpoena a journalist.. ;) As a side note.. I don't know how many of you have been on major government projects, but 20MM was spent in the first 20 minutes.. Much of the gear can be developed by another organization on another (massive) budget. Look at Groom Lake*.. What's their budget? Government contracting is murky territory, especially when things are critically needed and a General says go. *Groom Lake (area 51) was confirmed to be the facility that developed the stealth helicopter used in the Bin Laden raids. Sent from my Mobile Device.

Original message From: Mark Seiden m...@seiden.com Date: 06/07/2013 12:11 PM (GMT-08:00) To: valdis.kletni...@vt.edu Cc: goe...@anime.net,NANOG nanog@nanog.org Subject: Re: PRISM: NSA/FBI Internet data mining project i have talked with a dozen people about this who ought to know if there were something more creepy than usual going on. and nobody in engineering knows of anything. but hm, people in compliance said no comment. that, and the $20M annual number, suggests that what they actually did was set up a portal for intel agency people to use to request business records of the members (service providers). (maybe PRISM stands for something like Portal to Request Intelligence Service Materials, or somesuch.) of course, under patriot, the legal concept of business records was greatly expanded, and the kinds of approvals needed to get them reduced. i really wonder if the FISC has a pki. i.e. as a technical matter can a FISC judge electronically approve a NSL or FISA warrant? if i'm right, now they're following the letter of the new law electronically, rather than using paper and fax.
which would increase timeliness, accuracy and efficiency for all parties concerned. this would only affect compliance activities at the providers, who would continue receiving and handling individual requests just as previously and supplying the same data as before. (and i suppose now the providers could actually supply the returned records electronically also…) (i am actually in favor of this kind of thing for both law enforcement requests and for intel agency requests. the amount of time and money wasted and delays in handling perfectly legal and necessary investigative requests was kind of shocking to me. i repeatedly heard complaints about cases where compliance would not respond to LE in long enough that the data provided was stale for judicial purposes, and the same search warrant would have to be reissued. (or where they would take a very long time to reject a request for a technical or legal reason.) (there's an interesting gray area in this request handling: there were several times as an internal investigator at a provider when i wanted to be able to convey to LE that they *should go through the trouble* of doing all the paperwork of going to a judge, or even worse, through the MLAT which means a foot of paper and a man-month of work. there were even more times when i wanted to say don't bother to even ask, you'd just be wasting your time). but my lawyers would not allow that sort of communication. On Jun 7, 2013, at 11:05 AM, valdis.kletni...@vt.edu wrote: On Thu, 06 Jun 2013 22:57:07 -0700, Mark Seiden said: and also, only $20m/year? in my experience, the govt cannot do anything like this addressing even a single provider for that little money. Convince me the *real* number doesn't have another zero. Remember - the $20M number came from a source that has *very* good reason to lie as much as it can right now about the true extent of this.
Re: PRISM: NSA/FBI Internet data mining project
Has anyone found out if this system is actually based on Narus? I associated this program as a super version of the AT&T thing, and if I recall it was understood that was Narus and Co via NSA/FBI? Sent from my Mobile Device.

Original message From: Jay Ashworth j...@baylink.com Date: 06/07/2013 12:16 PM (GMT-08:00) To: NANOG nanog@nanog.org Subject: Re: PRISM: NSA/FBI Internet data mining project - Original Message - From: Valdis Kletnieks valdis.kletni...@vt.edu On Thu, 06 Jun 2013 22:57:07 -0700, Mark Seiden said: and also, only $20m/year? in my experience, the govt cannot do anything like this addressing even a single provider for that little money. Convince me the *real* number doesn't have another zero. Remember - the $20M number came from a source that has *very* good reason to lie as much as it can right now about the true extent of this. Indeed. Luckily, the press is all over this like a bad smell. I mentioned The Story in a new posting just now; they have, surprisingly, already managed to dig at this spot, a pretty quick response for them: http://www.thestory.org/stories/2013-06/americans-spying-americans Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
Re: PRISM: NSA/FBI Internet data mining project
I assume the unclassified word Prism (which is found everywhere on IC resumes and open job descriptions) refers to Palantir's Prism suite. Could be wrong, but seems logical. On Fri, Jun 7, 2013 at 4:28 PM, Warren Bailey wbai...@satelliteintelligencegroup.com wrote: Has anyone found out if this system is actually based on Narus? I associated this program as a super version of the ATT thing, and if I recall it was understood that was Narus and Co via NSA/FBI? Sent from my Mobile Device. Original message From: Jay Ashworth j...@baylink.com Date: 06/07/2013 12:16 PM (GMT-08:00) To: NANOG nanog@nanog.org Subject: Re: PRISM: NSA/FBI Internet data mining project - Original Message - From: Valdis Kletnieks valdis.kletni...@vt.edu On Thu, 06 Jun 2013 22:57:07 -0700, Mark Seiden said: and also, only $20m/year? in my experience, the govt cannot do anything like this addressing even a single provider for that little money. Convince me the *real* number doesn't have another zero. Remember - the $20M number came from a source that has *very* good reason to lie as much as it can right now about the true extent of this. Indeed. Luckily, the press is all over this like a bad smell. I mentioned The Story in a new posting just now; they have, surprisingly, already managed to dig at this spot, a pretty quick response for them: http://www.thestory.org/stories/2013-06/americans-spying-americans Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
Re: PRISM: NSA/FBI Internet data mining project
On Jun 7, 2013, at 10:02 AM, Christopher Morrow morrowc.li...@gmail.com wrote: On Fri, Jun 7, 2013 at 1:57 AM, Mark Seiden m...@seiden.com wrote: and also, only $20m/year? in my experience, the govt cannot do anything like this addressing even a single provider for that little money. agreed, that 20m seems extraordinarily low for such an effort... hell, for 6 yrs time transport costs alone would have exceeded that number.

Obligatory Independence Day quote: President Thomas Whitmore: I don't understand, where does all this come from? How do you get funding for something like this? Julius Levinson: You don't actually think they spend $20,000 on a hammer, $30,000 on a toilet seat, do you?

Andy Ringsmuth a...@newslink.com News Link – Manager Technology Facilities 2201 Winthrop Rd., Lincoln, NE 68502-4158 (402) 475-6397 (402) 304-0083 cellular
Re: PRISM: NSA/FBI Internet data mining project
I've been trying to find details to the contrary but as far as I see, there's no indication that the constitutional (or otherwise) rights of any US citizens (or anyone, anywhere, for that matter) are being overtly (or otherwise) trampled which would seem to be the pertinent objection. The somewhat obvious ... - the NSA are authorized by congress (i.e. the American people) under the National Security Act of 1947 to deal with foreign signals intelligence and they've been doing this for some time. http://www.nsa.gov/about/mission/index.shtml - specifically the NSA has powers under the Foreign Intelligence Surveillance Act and amendments. http://www.intelligence.senate.gov/laws/pl110261.pdf - co-operating parties are under direction to follow NSA guidelines about disclosure. http://www.intelligence.senate.gov/laws/pl95-511.pdf The NSA are collecting SIGINT from commercial enterprise without disclosing specifics. This is lawful and to be expected. Your government is doing it too and has been for probably most of your nation's existence by whatever means available. Pertinent things we know here ... - there's a program called PRISM under NSA auspices. - the slides specifically reference extra-territorial communications. - there's discussion of providers and what type of information can be retrieved. - the infrastructure or procedures are established and have been for some time. Taking the few slides and relevant quotes (i.e. factual points) provided by the Washington Post and the Guardian and others and drawing a straight line on those, i.e. ignoring supposition and whatever, I don't see any news here other than somebody from NSA has leaked a powerpoint presentation that seemingly is an internal, hyperbolic, morale-boosting show. The Guardian has verified the authenticity of the document ... which was apparently used to train intelligence operatives on the capabilities of the program. 
http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data Here's the result of an ACLU FOI request dated 10/2/2009 ... http://www.aclu.org/files/pdfs/natsec/faafoia20101129/FAAFBI0536.pdf I don't see anything surprising or new. Is .gov overstepping its mandate and abusing any of this? History tells us there should be concerns. Is there any evidence to support such an assertion here? No. Later, I noticed this: http://www.dni.gov/index.php/newsroom/press-releases/191-press-releases-2013/869-dni-statement-on-activities-authorized-under-section-702-of-fisa They contain numerous inaccuracies. James R. Clapper, Director of National Intelligence I've skimmed this: http://www.dni.gov/index.php/newsroom/press-releases/191-press-releases-2013/868-dni-statement-on-recent-unauthorized-disclosures-of-classified-information I might read it carefully later but it looks to describe sensible paradigms for understanding this leak. If there's an abuse of process going on can somebody point it out to me? If there is something un-constitutional going on, it's not PRISM per se, but the Act (FISA) which authorizes it. Right? If that's the case it doesn't require evidence of a program to point to the problem.
Re: PRISM: NSA/FBI Internet data mining project
Lol.. I think the 20k hammer is probably a result of the contract vehicle. Firm fixed tend to have trouble with change orders so they bury costs within the project. The real cheap stuff comes from the indefinite quantity type of contracts, where they are buying consumables regularly at a discounted rate (and change orders are non-issues).

I used to wonder why the air force would run close to full burner on a training departure towards the end of the month. I was told by someone who had an understanding of these things that if you didn't use your fuel in a given month it impacted the next month's delivery. It was necessary waste to ensure regular fuel quantities. The government entity was buying fuel on an indefinite basis, and the contract made the fuel cheaper as they were burning more.

It's a total shit show in government contracting, which is why I'm surprised they consider this system to be so wildly successful. If it was some anti jihad box, why did it not detect the Boston guys (who were not US citizens and likely would have been subject to monitoring by the anti jihad box)?

Sent from my Mobile Device.

Original message
From: Andy Ringsmuth a...@newslink.com
Date: 06/07/2013 1:38 PM (GMT-08:00)
To: NANOG list nanog@nanog.org
Subject: Re: PRISM: NSA/FBI Internet data mining project

On Jun 7, 2013, at 10:02 AM, Christopher Morrow morrowc.li...@gmail.com wrote:

On Fri, Jun 7, 2013 at 1:57 AM, Mark Seiden m...@seiden.com wrote:

and also, only $20m/year? in my experience, the govt cannot do anything like this addressing even a single provider for that little money.

agreed, that 20m seems extraordinarily low for such an effort... hell, for 6 yrs time transport costs alone would have exceeded that number.

Obligatory Independence Day quote:

President Thomas Whitmore: I don't understand, where does all this come from? How do you get funding for something like this?
Julius Levinson: You don't actually think they spend $20,000 on a hammer, $30,000 on a toilet seat, do you?

Andy Ringsmuth
a...@newslink.com
News Link – Manager Technology Facilities
2201 Winthrop Rd., Lincoln, NE 68502-4158
(402) 475-6397
(402) 304-0083 cellular
Re: PRISM: NSA/FBI Internet data mining project
Wink wink
http://www.forbes.com/sites/andygreenberg/2013/06/07/startup-palantir-denies-its-prism-software-is-the-nsas-prism-surveillance-system/

Sent from my Mobile Device.

Original message
From: Jason L. Sparks jlspa...@gmail.com
Date: 06/07/2013 1:31 PM (GMT-08:00)
To: Warren Bailey wbai...@satelliteintelligencegroup.com
Cc: Jay Ashworth j...@baylink.com, NANOG nanog@nanog.org
Subject: Re: PRISM: NSA/FBI Internet data mining project

I assume the unclassified word Prism (which is found everywhere on IC resumes and open job descriptions) refers to Palantir's Prism suite. Could be wrong, but seems logical.

On Fri, Jun 7, 2013 at 4:28 PM, Warren Bailey wbai...@satelliteintelligencegroup.com wrote:

Has anyone found out if this system is actually based on Narus? I associated this program as a super version of the ATT thing, and if I recall it was understood that was Narus and Co via NSA/FBI?

Sent from my Mobile Device.

Original message
From: Jay Ashworth j...@baylink.com
Date: 06/07/2013 12:16 PM (GMT-08:00)
To: NANOG nanog@nanog.org
Subject: Re: PRISM: NSA/FBI Internet data mining project

- Original Message -
From: Valdis Kletnieks valdis.kletni...@vt.edu

On Thu, 06 Jun 2013 22:57:07 -0700, Mark Seiden said:

and also, only $20m/year? in my experience, the govt cannot do anything like this addressing even a single provider for that little money.

Convince me the *real* number doesn't have another zero. Remember - the $20M number came from a source that has *very* good reason to lie as much as it can right now about the true extent of this.

Indeed. Luckily, the press is all over this like a bad smell. I mentioned The Story in a new posting just now; they have, surprisingly, already managed to dig at this spot, a pretty quick response for them:

http://www.thestory.org/stories/2013-06/americans-spying-americans

Cheers,
-- jra
--
Jay R. Ashworth Baylink j...@baylink.com
Designer The Things I Think RFC 2100
Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA #natog +1 727 647 1274
BGP filter issue -- need contact from Level3
NANOG folks, I have had a bug with Level3 bgp filters for over a week, and have not been able to get a call back from their NOC despite multiple phone calls, for what should be a trivial change, but is buggy (yes I've used their normal process to no avail.) Can someone from their NOC or having a useful contact for same, please contact me off list so I can get this resolved.

Much appreciated,

Owen Roth
Snr Network Engineer
Impulse Advanced Communications
o...@impulse.net
805-884-6332
Re: PGP/SSL/TLS really as secure as one thinks?
On 08/06/2013, Jeroen Massar jer...@massar.ch wrote:
On 2013-06-07 06:50, Dan White wrote:
[..]
A nice 'it is Friday' kind of thought
Caring about secrecy (or obscurity) of algorithms is a fool's errand.
http://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

Taking Shannon's maxim "the enemy knows the system" to its ultimate conclusion, the NSA put a premium on any and all looking at their algorithms. They'd prefer us to have a crack or they're not doing their job. As you say, they have the top crypto people in the world and this is a cherished paradigm of doing business in crypto land. Any useful system will survive that process.
The Cidr Report
This report has been generated at Fri Jun 7 21:13:20 2013 AEST.
The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table.
Check http://www.cidr-report.org for a current version of this report.

Recent Table History

Date       Prefixes   CIDR Agg
31-05-13   456466     261325
01-06-13   457291     261189
02-06-13   457058     261549
03-06-13   457448     261806
04-06-13   457768     260371
05-06-13   456341     260320
06-06-13   456735     260392
07-06-13   457163     260501

AS Summary

44384       Number of ASes in routing system
18385       Number of ASes announcing only one prefix
3015        Largest number of prefixes announced by an AS
            AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc.
116910048   Largest address span announced by an AS (/32s)
            AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street

Aggregation Summary

The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

--- 07Jun13 ---
ASnum     NetsNow  NetsAggr  NetGain  % Gain  Description
Table     457311   260494    196817   43.0%   All ASes

AS6389    3015     79        2936     97.4%   BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS28573   2820     110       2710     96.1%   NET Serviços de Comunicação S.A.
AS4766    2958     942       2016     68.2%   KIXS-AS-KR Korea Telecom
AS17974   2523     546       1977     78.4%   TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
AS22773   1989     154       1835     92.3%   ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS10620   2650     830       1820     68.7%   Telmex Colombia S.A.
AS18566   2065     507       1558     75.4%   COVAD - Covad Communications Co.
AS7303    1732     454       1278     73.8%   Telecom Argentina S.A.
AS4323    1621     410       1211     74.7%   TWTC - tw telecom holdings, inc.
AS4755    1737     584       1153     66.4%   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS2118    1069     85        984      92.0%   RELCOM-AS OOO NPO Relcom
AS7552    1164     187       977      83.9%   VIETEL-AS-AP Vietel Corporation
AS18881   974      29        945      97.0%   Global Village Telecom
AS36998   1237     301       936      75.7%   SDN-MOBITEL
AS1785    1991     1148      843      42.3%   AS-PAETEC-NET - PaeTec Communications, Inc.
AS18101   998      179       819      82.1%   RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
AS4808    1141     391       750      65.7%   CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS13977   844      140       704      83.4%   CTELCO - FAIRPOINT COMMUNICATIONS, INC.
AS701     1533     843       690      45.0%   UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
AS22561   1192     511       681      57.1%   DIGITAL-TELEPORT - Digital Teleport Inc.
AS855     731      54        677      92.6%   CANET-ASN-4 - Bell Aliant Regional Communications, Inc.
AS7545    2000     1326      674      33.7%   TPG-INTERNET-AP TPG Telecom Limited
AS24560   1077     409       668      62.0%   AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS8151    1277     612       665      52.1%   Uninet S.A. de C.V.
AS6983    1138     477       661      58.1%   ITCDELTA - ITC^Deltacom
AS8402    1660     1024      636      38.3%   CORBINA-AS OJSC Vimpelcom
AS17676   730      107       623      85.3%   GIGAINFRA Softbank BB Corp.
AS6147    665      48        617      92.8%   Telefonica del Peru S.A.A.
AS3549    1046     437       609      58.2%   GBLX Global Crossing Ltd.
AS34744   676      72        604      89.3%   GVM S.C. GVM SISTEM 2003 S.R.L.

Total     46253    12996
BGP Update Report
BGP Update Report
Interval: 30-May-13 -to- 06-Jun-13 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank  ASN      Upds     %     Upds/Pfx  AS-Name
 1 -  AS36998  180296   6.9%  269.1     -- SDN-MOBITEL
 2 -  AS4837   130901   5.0%  246.1     -- CHINA169-BACKBONE CNCGROUP China169 Backbone
 3 -  AS17974  83748    3.2%  34.6      -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
 4 -  AS8402   53306    2.0%  35.4      -- CORBINA-AS OJSC Vimpelcom
 5 -  AS4538   37215    1.4%  71.7      -- ERX-CERNET-BKB China Education and Research Network Center
 6 -  AS9829   31658    1.2%  50.7      -- BSNL-NIB National Internet Backbone
 7 -  AS18403  31281    1.2%  74.3      -- FPT-AS-AP The Corporation for Financing Promoting Technology
 8 -  AS35548  26358    1.0%  4393.0    -- SMARTTERRA-AS smartTERRA GmbH NL-AMS / DE-DUS1 / DE-DUS2
 9 -  AS5800   25716    1.0%  111.8     -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
10 -  AS33776  24043    0.9%  143.1     -- STARCOMMS-ASN
11 -  AS50710  21353    0.8%  89.3      -- EARTHLINK-AS EarthLink Ltd. CommunicationsInternet Services
12 -  AS7552   16537    0.6%  15.0      -- VIETEL-AS-AP Vietel Corporation
13 -  AS2118   16177    0.6%  12.8      -- RELCOM-AS OOO NPO Relcom
14 -  AS9416   16049    0.6%  8024.5    -- MULTIMEDIA-AS-AP Hoshin Multimedia Center Inc.
15 -  AS3909   15563    0.6%  864.6     -- QWEST-AS-3908 - Qwest Communications Company, LLC
16 -  AS28573  14239    0.6%  6.3       -- NET Serviços de Comunicação S.A.
17 -  AS45899  13982    0.5%  37.5      -- VNPT-AS-VN VNPT Corp
18 -  AS14420  13457    0.5%  40.8      -- CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP
19 -  AS9854   13017    0.5%  13017.0   -- KTO-AS-KR KTO
20 -  AS7029   12933    0.5%  7.2       -- WINDSTREAM - Windstream Communications Inc

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN      Upds     %     Upds/Pfx  AS-Name
 1 -  AS9854   13017    0.5%  13017.0   -- KTO-AS-KR KTO
 2 -  AS33920  8322     0.3%  8322.0    -- AQL (aq) Networks Limited
 3 -  AS9416   16049    0.6%  8024.5    -- MULTIMEDIA-AS-AP Hoshin Multimedia Center Inc.
 4 -  AS19406  5177     0.2%  5177.0    -- TWRS-MA - Towerstream I, Inc.
 5 -  AS8137   4724     0.2%  4724.0    -- DISNEYONLINE-AS - Disney Online
 6 -  AS29018  4397     0.2%  4397.0    -- WEBCONTROL-AS SmartTERRA GmbH
 7 -  AS35548  26358    1.0%  4393.0    -- SMARTTERRA-AS smartTERRA GmbH NL-AMS / DE-DUS1 / DE-DUS2
 8 -  AS6629   7293     0.3%  3646.5    -- NOAA-AS - NOAA
 9 -  AS6174   6300     0.2%  3150.0    -- SPRINTLINK8 - Sprint
10 -  AS14733  2491     0.1%  2491.0    -- AS14733 - Barclays Capital Inc.
11 -  AS14680  6977     0.3%  2325.7    -- REALE-6 - Auction.com
12 -  AS36225  2156     0.1%  2156.0    -- INFINITEIT-ASN-01 - Infinite IT Solutions Inc.
13 -  AS37367  3387     0.1%  1693.5    -- CALLKEY
14 -  AS14453  4366     0.2%  1455.3    -- AS-AKN - ADVANCED KNOWLEDGE NETWORKS
15 -  AS42334  4330     0.2%  1443.3    -- BBP-AS Broadband Plus s.a.l.
16 -  AS37164  1396     0.1%  1396.0    -- ZAIN-SL
17 -  AS36948  2483     0.1%  1241.5    -- KENIC
18 -  AS57201  1236     0.1%  1236.0    -- EDF-AS Estonian Defence Forces
19 -  AS10445  2204     0.1%  1102.0    -- HTG - Huntleigh Telcom
20 -  AS44971  1860     0.1%  930.0     -- GOETEC-AS GOETEC Limited

TOP 20 Unstable Prefixes
Rank  Prefix             Upds    %     Origin AS -- AS Name
 1 -  211.214.206.0/24   13017   0.5%  AS9854  -- KTO-AS-KR KTO
 2 -  92.246.207.0/24    9613    0.3%  AS48612 -- RTC-ORENBURG-AS CJSC Comstar-Regions
 3 -  202.41.70.0/24     9043    0.3%  AS2697  -- ERX-ERNET-AS Education and Research Network
 4 -  78.40.240.0/24     8322    0.3%  AS33920 -- AQL (aq) Networks Limited
 5 -  203.118.224.0/21   8051    0.3%  AS9416  -- MULTIMEDIA-AS-AP Hoshin Multimedia Center Inc.
 6 -  203.118.232.0/21   7998    0.3%  AS9416  -- MULTIMEDIA-AS-AP Hoshin Multimedia Center Inc.
 7 -  192.58.232.0/24    7289    0.3%  AS6629  -- NOAA-AS - NOAA
 8 -  12.139.133.0/24    5863    0.2%  AS14680 -- REALE-6 - Auction.com
 9 -  173.232.234.0/24   5837    0.2%  AS30693 -- EONIX-CORPORATION-AS-WWW-EONIX-NET - Eonix Corporation
10 -  173.232.235.0/24   5837    0.2%  AS30693 -- EONIX-CORPORATION-AS-WWW-EONIX-NET - Eonix Corporation
11 -  69.38.178.0/24     5177    0.2%  AS19406 -- TWRS-MA - Towerstream I, Inc.
12 -  151.118.255.0/24   5168    0.2%  AS3909  -- QWEST-AS-3908 - Qwest Communications Company, LLC
13 -  151.118.254.0/24   5168    0.2%  AS3909  -- QWEST-AS-3908 - Qwest Communications Company, LLC
14 -  151.118.18.0/24    5151    0.2%  AS3909  -- QWEST-AS-3908 - Qwest Communications Company, LLC
15 -  198.187.189.0/24   4724    0.2%  AS8137  -- DISNEYONLINE-AS - Disney Online
16 -  64.187.64.0/23     4494    0.2%
Re: PRISM: NSA/FBI Internet data mining project
On 07/06/2013 19:10, Warren Bailey wrote:

Five days ago anyone who would have talked about the government having this capability would have been issued another tin foil hat. We think we know the truth now, but why hasn't echelon been brought up?

I'm not calling anyone a liar, but isn't not speaking the truth the same thing? ;-)

mh

Sent from my Mobile Device.

Original message
From: Matthew Petach mpet...@netflight.com
Date: 06/07/2013 9:34 AM (GMT-08:00)
To:
Cc: NANOG nanog@nanog.org
Subject: Re: PRISM: NSA/FBI Internet data mining project

On Thu, Jun 6, 2013 at 5:04 PM, Matthew Petach mpet...@netflight.com wrote:

On Thu, Jun 6, 2013 at 4:35 PM, Jay Ashworth j...@baylink.com wrote:

Has fingers directly in servers of top Internet content companies, dates to 2007. Happily, none of the companies listed are transport networks:

http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html

Cheers,
-- jra
--
Jay R. Ashworth Baylink j...@baylink.com
Designer The Things I Think RFC 2100
Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA #natog +1 727 647 1274

I've always just assumed that if it's in electronic form, someone else is either reading it now, has already read it, or will read it as soon as I walk away from the screen. Much less stress in life that way. ^_^

Matt

When I posted this yesterday, I was speaking somewhat tongue-in-cheek, because we hadn't yet made a formal statement to the press. Now that we've made our official reply, I can echo it, and note that whatever fluffed up powerpoint was passed around to the washington post, it does not reflect reality. There are no optical taps in our datacenters funneling information out, there are no sooper-seekret backdoors in the software that funnel information to the government. As our formal reply stated:

"Yahoo does not provide the government with direct access to its servers, systems, or network."

I believe the other major players supposedly listed in the document have released similar statements, all indicating a similar lack of super-cheap government listening capabilities.

Speaking just for myself, and if you quote me on this as speaking on anyone else's behalf, you're a complete fool, if the government was able to build infrastructure that could listen to all the traffic from a major provider for a fraction of what it costs them to handle that traffic in the first place, I'd be truly amazed--and I'd probably wonder why the company didn't outsource their infrastructure to the government, if they can build and run it so much more cheaply than the commercial providers. ;P

7 companies were listed; if we assume the burden was split roughly evenly between them, that's 20M/7, about $2.85M per company per year to tap in, or about $238,000/month per company listed, to supposedly snoop on hundreds of gigs per second of data.

Two ways to handle it: tap in, and funnel copies of all traffic back to distant monitoring posts, or have local servers digesting and filtering, just extracting the few nuggets they want, and sending just those back.

Let's take the first case; doing optical taps, or other form of direct traffic mirroring, carrying it untouched offsite to process; that's going to mean the ability to siphon off hundreds of Gbps per datacenter and carry it offsite for $238k/month; let's figure a major player has data split across at least 3 datacenters, so about $75K/month per datacenter to carry say 300Gbps of traffic. It's pretty clearly going to have to be DWDM on dark fiber at that traffic volume; most recent quotes I've seen for dark fiber put it at $325/mile for already-laid-in-ground (new builds are considerably more, of course). If we figure the three datacenters are split around just the US, on average you're going to need to run about 1500 miles to reach their central listening post; that's $49K/month just to carry the bitstream, which leaves you just about $25K/month to run the servers to digest that data; at 5c/kwhr, a typical server pulling 300 watts is gonna cost you $11/month to run; let's assume each server can process 2Gbps of traffic, constantly; 150 servers for the stream of 300Gbps means we're down to $22K for the rest of our support costs; figure two sysadmins getting paid $10k/month to run the servers (120k annual salary), and you've got just $2k for GA overhead.

That's a heck of an efficient operation they'd have to be running to listen in on all the traffic for the supposed budget number claimed.

I'm late for work; I'll follow up with a runthrough of the other model, doing on-site digestion and processing later, but I think
Re: PRISM: NSA/FBI Internet data mining project
Also of interest:
http://www.guardian.co.uk/world/2013/jun/07/nsa-prism-records-surveillance-questions

- ferg

On Fri, Jun 7, 2013 at 3:49 PM, Michael Hallgren m.hallg...@free.fr wrote:
[..]
Re: PRISM: NSA/FBI Internet data mining project
the palantir financial product named prism is useless for intelligence analysis. it's for timeseries financial data. my understanding is it's a completely different product, code base and market from the connect-the-dots product they sell as a competitor to i2's Analyst's Notebook product.

these are not the droids you're looking for

On Jun 7, 2013, at 2:21 PM, Warren Bailey wbai...@satelliteintelligencegroup.com wrote:

Wink wink
http://www.forbes.com/sites/andygreenberg/2013/06/07/startup-palantir-denies-its-prism-software-is-the-nsas-prism-surveillance-system/
[..]
Re: PRISM: NSA/FBI Internet data mining project
http://www.guardian.co.uk/world/2013/jun/07/obama-china-targets-cyber-overseas

the headline may be misleading. Presidential Policy Directive 20 defines OCEO as "operations and related programs or activities … conducted by or on behalf of the United States Government, in or through cyberspace, that are intended to enable or produce cyber effects outside United States government networks."

"effects outside United States government networks." now there's an interesting phrase.

OCEO == Offensive Cyber Effects Operations.

-e
Re: PRISM: NSA/FBI Internet data mining project
what a piece of crap this article is. the guy doesn't understand what sniffing can and can't do. obviously he doesn't understand peering or routing, and he doesn't understand what cdns are for. he doesn't understand the EU safe harbor, saying it applies to govt entities, when it's purely about companies hosting data of EU citizens. he quotes a source who suggests that the intel community might have privileged search access to facebook, which i don't believe. he even says company-owned equipment might refer to the NSA, which i thought everybody calls the agency so to not confuse with the CIA. and he suggests that these companies might have given up their master decryption keys (as he terms them) so that USG could decrypt SSL.

and the $20M cost per year, which would only pay for something the size of a portal or a web site, well, that's mysterious.

sheesh. this is not journalism.

On Jun 7, 2013, at 3:54 PM, Paul Ferguson fergdawgs...@gmail.com wrote:

Also of interest:
http://www.guardian.co.uk/world/2013/jun/07/nsa-prism-records-surveillance-questions

- ferg

On Fri, Jun 7, 2013 at 3:49 PM, Michael Hallgren m.hallg...@free.fr wrote:
[..]
Re: PRISM: NSA/FBI Internet data mining project
Taxpayer money.. :)

On 6/7/13, Mark Seiden m...@seiden.com wrote:

what a piece of crap this article is. the guy doesn't understand what sniffing can and can't do. obviously he doesn't understand peering or routing, and he doesn't understand what cdns are for. he doesn't understand the EU safe harbor, saying it applies to govt entities, when it's purely about companies hosting data of EU citizens. he quotes a source who suggests that the intel community might have privileged search access to facebook, which i don't believe. he even says company-owned equipment might refer to the NSA, which i thought everybody calls the agency so to not confuse with the CIA. and he suggests that these companies might have given up their master decryption keys (as he terms them) so that USG could decrypt SSL. and the $20M cost per year, which would only pay for something the size of a portal or a web site, well, that's mysterious. sheesh. this is not journalism.

On Jun 7, 2013, at 3:54 PM, Paul Ferguson fergdawgs...@gmail.com wrote:

Also of interest: http://www.guardian.co.uk/world/2013/jun/07/nsa-prism-records-surveillance-questions

- ferg

On Fri, Jun 7, 2013 at 3:49 PM, Michael Hallgren m.hallg...@free.fr wrote:

On 07/06/2013 19:10, Warren Bailey wrote:

Five days ago anyone who would have talked about the government having this capability would have been issued another tin foil hat. We think we know the truth now, but why hasn't echelon been brought up?

I'm not calling anyone a liar, but isn't not speaking the truth the same thing? ;-)

mh

Sent from my Mobile Device.

Original message
From: Matthew Petach mpet...@netflight.com
Date: 06/07/2013 9:34 AM (GMT-08:00)
To:
Cc: NANOG nanog@nanog.org
Subject: Re: PRISM: NSA/FBI Internet data mining project

On Thu, Jun 6, 2013 at 5:04 PM, Matthew Petach mpet...@netflight.com wrote:

On Thu, Jun 6, 2013 at 4:35 PM, Jay Ashworth j...@baylink.com wrote:

Has fingers directly in servers of top Internet content companies, dates to 2007.

Happily, none of the companies listed are transport networks: http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html

Cheers, -- jra
-- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274

I've always just assumed that if it's in electronic form, someone else is either reading it now, has already read it, or will read it as soon as I walk away from the screen. Much less stress in life that way. ^_^

Matt

When I posted this yesterday, I was speaking somewhat tongue-in-cheek, because we hadn't yet made a formal statement to the press. Now that we've made our official reply, I can echo it, and note that whatever fluffed up powerpoint was passed around to the washington post, it does not reflect reality. There are no optical taps in our datacenters funneling information out, there are no sooper-seekret backdoors in the software that funnel information to the government. As our formal reply stated: Yahoo does not provide the government with direct access to its servers, systems, or network. I believe the other major players supposedly listed in the document have released similar statements, all indicating a similar lack of super-cheap government listening capabilities.

Speaking just for myself, and if you quote me on this as speaking on anyone else's behalf, you're a complete fool, if the government was able to build infrastructure that could listen to all the traffic from a major provider for a fraction of what it costs them to handle that traffic in the first place, I'd be truly amazed--and I'd probably wonder why the company didn't outsource their infrastructure to the government, if they can build and run it so much more cheaply than the commercial providers. ;P

7 companies were listed; if we assume the burden was split roughly evenly between them, that's 20M/7, about $2.85M per company per year to tap in, or about $238,000/month per company listed, to supposedly snoop on hundreds of gigs per second of data. Two ways to handle it: tap in, and funnel copies of all traffic back to distant monitoring posts, or have local servers digesting and filtering, just extracting the few nuggets they want, and sending just those back. Let's take the first case; doing optical taps, or other form of direct traffic mirroring, carrying it untouched offsite to process; that's going to mean the ability to siphon off hundreds of Gbps per datacenter and carry it offsite for $238k/month; let's figure a major player has data split across at least 3 datacenters, so
Re: PRISM: NSA/FBI Internet data mining project
Sorry for the top post
Re: PRISM: NSA/FBI Internet data mining project
So when are we rioting?

On Fri, Jun 7, 2013 at 7:14 PM, Nick Khamis sym...@gmail.com wrote:

Tax payer money.. :)
Re: PRISM: NSA/FBI Internet data mining project
I'd love to, but American Idle is on in 5 minutes. Maybe next time?

Nick

On Fri, Jun 7, 2013 at 8:57 PM, Ishmael Rufus sakam...@gmail.com wrote:

So when are we rioting?
Re: PRISM: NSA/FBI Internet data mining project
Server maintenance at 00 on my end.
Re: PRISM: NSA/FBI Internet data mining project
Dan,

While the government has no responsibility to protect my data, they do have a responsibility to respect my privacy. While you are correct in that proper personal security procedures to protect my data from random crackers would, in fact, also protect it from the government, that's a far cry from what is at issue here.

The question here is whether or not it should be considered legitimate for the US Government to completely ignore the fourth and fifth amendments to the constitution and build out unprecedented surveillance capabilities capturing vast amounts of data without direct probable cause for that snooping.

I'm not so much concerned about them gaining access to data I don't want them to access. I am far more disturbed by the trend which reflects a government which increasingly considers itself unrestrained by the laws it is in place to support and implement.

Owen

On Jun 7, 2013, at 8:42 AM, Dan White dwh...@olp.net wrote:

On 06/07/13 11:11 -0400, Rob McEwen wrote:

On 6/7/2013 9:50 AM, Dan White wrote:

OpenPGP and other end-to-end protocols protect against all nefarious actors, including state entities. I'll admit my first reaction yesterday after hearing this news was - so what? Network security by its nature presumes that an insecure channel is going to be attacked and compromised. The 4th Amendment is a layer-8 solution to a problem that is better solved lower in the stack.

That is JUST like saying... || now that the police can freely bust your door down and raid your house in a fishing expedition, without a search warrant, without court order, and without probable cause... the solution is for you to get a stronger metal door and hide all your stuff better.||

Hiding stuff better is generally good security practice, particularly in the absence of a search warrant. How effective those practices are is really what's important. From a data standpoint, those security procedures can be highly effective, even against law enforcement.

But it's not law enforcement that I worry about the most (understandably, you may have a differing opinion); It's the random anonymous cracker who isn't beholden to any international laws or courts. I design my personal security procedures for him. That's why I don't, say, send passwords in emails. I don't trust state entities to protect the transmission of that data. I don't wish to place that burden on them.

You're basically saying that it is OK for governments to defy their constitutions and trample over EVERYONE's rights, and that is OK since a TINY PERCENTAGE of experts will have exotic means to evade such trampling. But to hell with everyone else. They'll just have to become good little subjects to the State. If grandma can't do PGP, then she deserves it, right?

I believe it's your responsibility to protect your own data, not the government's, and certainly not Facebook's.

Yet... many people DIED to initiate/preserve/codify such human rights... but I guess others just give them away freely. What a shame. Ironically, many who think this is no big deal have themselves benefited immensely from centuries of freedom and prosperity that resulted from rule of law and the U.S. Constitution/Bill of Rights.

Freedom is very important to me, as well as the laws that are in place to protect them.

-- Dan White
Re: PRISM: NSA/FBI Internet data mining project
Yeah... so when are we rioting? Because they'll just continue to make laws that circumvent the constitution.

On Fri, Jun 7, 2013 at 8:20 PM, Owen DeLong o...@delong.com wrote:
Re: PRISM: NSA/FBI Internet data mining project
I think we know now, that they will know we are organizing.

Sent from my Mobile Device.

Original message
From: Ishmael Rufus sakam...@gmail.com
Date: 06/07/2013 6:32 PM (GMT-08:00)
To: Owen DeLong o...@delong.com
Cc: NANOG nanog@nanog.org
Subject: Re: PRISM: NSA/FBI Internet data mining project

Yeah... so when are we rioting? Because they'll just continue to make laws that circumvent the constitution.

On Fri, Jun 7, 2013 at 8:20 PM, Owen DeLong o...@delong.com wrote:
Re: Webcasting as a replacement for traditional broadcasting (was Re: Wackie 'ol Friday)
Jay Ashworth wrote:

He's at the 40... the 30... the 20... this is gonna be the Super Bowl, folks... the 10... [buffering]

Cheers, -- jra

lol...tnx Jay!
PRISM Update: NYT says WaPo a bit credulous
Well, ok, they don't actually *say* that, but it's the underlying idea behind their own piece, which says that the listed companies didn't really give NSA quite such unfettered access:

http://www.nytimes.com/2013/06/08/technology/tech-companies-bristling-concede-to-government-surveillance-efforts.html?pagewanted=all&_r=0

Cheers, -- jra
-- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274