    BEHIND THE CURTAIN: A Look at the Inner Workings of NSA’s XKEYSCORE (II)

    From nieuwsblog.burojansen.nl

    The sheer quantity of communications that XKEYSCORE processes, filters and queries is stunning. Around the world, when a person gets online to do anything — write an email, post to a social network, browse the web or play a video game — there’s a decent chance that the Internet traffic her device sends and receives is getting collected and processed by one of XKEYSCORE’s hundreds of servers scattered across the globe.

    In order to make sense of such a massive and steady flow of information, analysts working for the National Security Agency, as well as partner spy agencies, have written thousands of snippets of code to detect different types of traffic and extract useful information from each type, according to documents dating up to 2013. For example, the system automatically detects if a given piece of traffic is an email. If it is, the system tags if it’s from Yahoo or Gmail, if it contains an airline itinerary, if it’s encrypted with PGP, or if the sender’s language is set to Arabic, along with myriad other details.

    This global Internet surveillance network is powered by a somewhat clunky piece of software running on clusters of Linux servers. Analysts access XKEYSCORE’s web interface to search its wealth of private information, similar to how ordinary people can search Google for public information.

    Based on documents provided by NSA whistleblower Edward Snowden, The Intercept is shedding light on the inner workings of XKEYSCORE, one of the most extensive programs of mass surveillance in human history.

    How XKEYSCORE works under the hood

    It is tempting to assume that expensive, proprietary operating systems and software must power XKEYSCORE, but it actually relies on an entirely open source stack. In fact, according to an analysis of an XKEYSCORE manual for new systems administrators from the end of 2012, the system may have design deficiencies that could leave it vulnerable to attack by an intelligence agency insider.

    XKEYSCORE is a piece of Linux software that is typically deployed on Red Hat servers. It uses the Apache web server and stores collected data in MySQL databases. File systems in a cluster are handled by the NFS distributed file system and the autofs service, and scheduled tasks are handled by the cron scheduling service. Systems administrators who maintain XKEYSCORE servers use SSH to connect to them, and they use tools such as rsync and vim, as well as a comprehensive command-line tool, to manage the software.

    John Adams, former security lead and senior operations engineer for Twitter, says that one of the most interesting things about XKEYSCORE’s architecture is “that they were able to achieve so much success with such a poorly designed system. Data ingest, day-to-day operations, and searching is all poorly designed. There are many open source offerings that would function far better than this design with very little work. Their operations team must be extremely unhappy.”

    Analysts connect to XKEYSCORE over HTTPS using standard web browsers such as Firefox. Internet Explorer is not supported. Analysts can log into the system with either a user ID and password or by using public key authentication.

    As of 2009, XKEYSCORE servers were located at more than 100 field sites all over the world. Each field site consists of a cluster of servers; the exact number differs depending on how much information is being collected at that site. Sites with relatively low traffic can get by with fewer servers, but sites that spy on larger amounts of traffic require more servers to filter and parse it all. XKEYSCORE has been engineered to scale in both processing power and storage by adding more servers to a cluster. According to a 2009 document, some field sites receive over 20 terabytes of data per day. This is the equivalent of 5.7 million songs, or over 13 thousand full-length films.

    This map from a 2009 top-secret presentation does not show all of XKEYSCORE’s field sites.

    When data is collected at an XKEYSCORE field site, it is processed locally and ultimately stored in MySQL databases at that site. XKEYSCORE supports a federated query system, which means that an analyst can conduct a single query from the central XKEYSCORE website, and it will communicate over the Internet to all of the field sites, running the query everywhere at once.

    There might be security issues with the XKEYSCORE system itself as well. As hard as software developers may try, it’s nearly impossible to write bug-free source code. To compensate for this, developers often rely on multiple layers of security; if attackers can get through one layer, they may still be thwarted by other layers. XKEYSCORE appears to do a bad job of this.

    When systems administrators log into XKEYSCORE servers to configure them, they appear to use a shared account, under the name “oper.” Adams notes, “That means that changes made by an administrator cannot be logged.” If one administrator does something malicious on an XKEYSCORE server using the “oper” user, it’s possible that the digital trail of what was done wouldn’t lead back to the administrator, since multiple operators use the account.
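
    The accountability gap of a shared login can be measured from SSH logs. The following is an added example, not code from the article or from any NSA system: it assumes modern OpenSSH log lines (which record the key fingerprint on public-key logins) and a hypothetical inventory of each administrator's personal key, and it reports which logins to the shared account cannot be tied to a person. All hosts, addresses and fingerprints are constructed.

```python
import re

# Constructed sample sshd auth-log lines (modern OpenSSH format). Hosts,
# addresses and fingerprints are placeholders, not values from the article.
SAMPLE_LOG = """\
Jul  2 09:01:12 node1 sshd[4121]: Accepted publickey for oper from 10.0.0.11 port 50110 ssh2: RSA SHA256:EXAMPLEFINGERPRINTAAAA
Jul  2 09:14:40 node1 sshd[4190]: Accepted publickey for oper from 10.0.0.12 port 50344 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINTBBBB
Jul  2 10:02:03 node1 sshd[4302]: Accepted password for oper from 10.0.0.13 port 51002 ssh2
Jul  2 10:30:55 node1 sshd[4377]: Accepted publickey for oper from 10.0.0.14 port 51200 ssh2: RSA SHA256:EXAMPLEFINGERPRINTCCCC
Jul  2 10:45:09 node1 sshd[4401]: Accepted publickey for alice from 10.0.0.11 port 51333 ssh2: RSA SHA256:EXAMPLEFINGERPRINTAAAA
"""

# Hypothetical inventory: one personal key per administrator.
KEY_OWNERS = {
    "SHA256:EXAMPLEFINGERPRINTAAAA": "admin-a",
    "SHA256:EXAMPLEFINGERPRINTBBBB": "admin-b",
}

ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[(?P<pid>\d+)\]:\s"
    r"Accepted\s(?P<method>\S+)\sfor\s(?P<user>\S+)\sfrom\s(?P<src>\S+)"
    r"\sport\s\d+\sssh2(?::\s(?P<keytype>\S+)\s(?P<fp>\S+))?$"
)


def attribute_shared_logins(log_text, shared_accounts, key_owners):
    """Return one record per successful login to a shared account.

    'person' is the administrator the login can be attributed to, or None
    when the log gives no per-person evidence.
    """
    sessions = []
    for line in log_text.splitlines():
        m = ACCEPTED.match(line.strip())
        if not m or m["user"] not in shared_accounts:
            continue  # not a successful login to a shared account
        if m["method"] != "publickey":
            # A shared password identifies the account, never the person.
            person, reason = None, "password login: no per-person credential"
        elif m["fp"] in key_owners:
            person, reason = key_owners[m["fp"]], "matched personal key"
        else:
            person, reason = None, "key not in inventory"
        sessions.append({
            "time": m["ts"],
            "account": m["user"],
            "source": m["src"],
            "person": person,
            "reason": reason,
        })
    return sessions


def unattributed(sessions):
    """Sessions whose actions cannot be traced back to an individual."""
    return [s for s in sessions if s["person"] is None]


if __name__ == "__main__":
    found = attribute_shared_logins(SAMPLE_LOG, {"oper"}, KEY_OWNERS)
    for s in found:
        print(s["time"], s["source"], s["person"] or "UNATTRIBUTED", "-", s["reason"])
```

    Even when every login is attributed, commands run inside the session are only traceable if session activity is logged separately; the login record alone says who connected, not what they did.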

    There appears to be another way an ill-intentioned systems administrator may be able to cover their tracks. Analysts wishing to query XKEYSCORE sign in via a web browser, and their searches are logged. This creates an audit trail, on which the system relies to assure that users aren’t doing overly broad searches that would pull up U.S. citizens’ web traffic. Systems administrators, however, are able to run MySQL queries. The documents indicate that administrators have the ability to directly query the MySQL databases, where the collected data is stored, apparently bypassing the audit trail.
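
    When an application-level audit trail is the only control, queries that reach the database by another path leave no audit record. The following added example (not from the article or the system it describes) shows one way to surface such queries: it assumes the MySQL general query log is enabled (`general_log=ON`, MySQL 5.7+ layout) and that the web application connects with a single service account. The account, database and table names and the log lines are all constructed.

```python
import re

# Hypothetical service account used by the audited web application.
SERVICE_ACCOUNT = "webapp@localhost"

# Constructed general-query-log excerpt: time, TAB, connection id, command,
# TAB, argument. A statement may continue over several physical lines.
SAMPLE_GENERAL_LOG = (
    "2015-07-02T10:00:00.000000Z\t   21 Connect\twebapp@localhost on collection using Socket\n"
    "2015-07-02T10:00:01.000000Z\t   21 Query\tSELECT id FROM records WHERE selector = 'a'\n"
    "2015-07-02T10:02:10.000000Z\t   22 Connect\tdbadmin@10.0.0.14 on collection using TCP/IP\n"
    "2015-07-02T10:02:15.000000Z\t   22 Query\tSELECT *\n"
    "FROM records\n"
    "WHERE created > '2015-07-01'\n"
    "2015-07-02T10:02:30.000000Z\t   22 Quit\t\n"
    "2015-07-02T10:03:00.000000Z\t   21 Query\tSELECT id FROM records WHERE selector = 'b'\n"
    "2015-07-02T10:04:00.000000Z\t   19 Query\tSELECT COUNT(*) FROM records\n"
)

ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+Z)\t\s*(?P<id>\d+) "
    r"(?P<cmd>[A-Za-z]+(?: [A-Za-z]+)*)(?:\t(?P<arg>.*))?$"
)


def parse_entries(log_text):
    """Split the log into entries, folding continuation lines into the
    statement they belong to."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({
                "ts": m["ts"],
                "conn_id": int(m["id"]),
                "cmd": m["cmd"],
                "arg": m["arg"] or "",
            })
        elif entries:
            entries[-1]["arg"] += "\n" + line  # multi-line statement
    return entries


def find_unaudited_queries(log_text, service_account):
    """Return statements executed on connections that did not authenticate
    as the audited application's service account."""
    accounts = {}   # connection id -> "user@host" seen at Connect time
    findings = []
    for e in parse_entries(log_text):
        if e["cmd"] == "Connect":
            accounts[e["conn_id"]] = e["arg"].split(" on ", 1)[0]
        elif e["cmd"] == "Quit":
            accounts.pop(e["conn_id"], None)
        elif e["cmd"] in ("Query", "Execute"):
            # A connection opened before the log window has no Connect
            # entry; treat it as unknown rather than assuming it is benign.
            account = accounts.get(e["conn_id"], "unknown")
            if account != service_account:
                findings.append({
                    "ts": e["ts"],
                    "conn_id": e["conn_id"],
                    "account": account,
                    "statement": " ".join(e["arg"].split()),
                })
    return findings


if __name__ == "__main__":
    for f in find_unaudited_queries(SAMPLE_GENERAL_LOG, SERVICE_ACCOUNT):
        print(f["ts"], f["account"], "::", f["statement"])
```

    A log kept on the database host can be altered by the same administrators it is meant to watch, so this check only holds if the log is shipped to a system they do not control.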

    AppIDs, fingerprints and microplugins

    Collecting massive amounts of raw data is not very useful unless it is collated and organized in a way that can be searched. To deal with this problem, XKEYSCORE extracts and tags metadata and content from the raw data so that analysts can easily search it.

    This is done by using dictionaries of rules called appIDs, fingerprints and microplugins that are written in a custom programming language called GENESIS. Each of these can be identified by a unique name that resembles a directory tree, such as “mail/webmail/gmail,” “chat/yahoo,” or “botnet/blackenergybot/command/flood.”

    One document detailing XKEYSCORE appIDs and fingerprints lists several revealing examples. Windows Update requests appear to fall under the “update_service/windows” appID, and normal web requests fall under the “http/get” appID. XKEYSCORE can automatically detect Airblue travel itineraries with the “travel/airblue” fingerprint, and iPhone web browser traffic with the “browser/cellphone/iphone” fingerprint.

    PGP-encrypted messages are detected with the “encryption/pgp/message” fingerprint, and messages encrypted with Mojahedeen Secrets 2 (a type of encryption popular among supporters of al Qaeda) are detected with the “encryption/mojaheden2” fingerprint.

    When new traffic flows into an XKEYSCORE cluster, the system tests the intercepted data against each of these rules and stores whether the traffic matches the pattern. A slideshow presentation from 2010 says that XKEYSCORE contains almost 10,000 appIDs and fingerprints.

    AppIDs are used to identify the protocol of traffic being intercepted, while fingerprints detect a specific type of content. Each intercepted stream of traffic gets assigned up to one appID and any number of fingerprints. You can think of appIDs as categories and fingerprints as tags.

    If multiple appIDs match a single stream of traffic, the appID with the lowest “level” is selected (appIDs with lower levels are more specific than appIDs with higher levels). For example, when XKEYSCORE is assessing a file attachment from Yahoo mail, all of the appIDs in the following slide will apply, however only “mail/webmail/yahoo/attachment” will be associated with this stream of traffic.

    To tie it all together, when an Arabic speaker logs into a Yahoo email address, XKEYSCORE will store “mail/yahoo/login” as the associated appID. This stream of traffic will match the “mail/arabic” fingerprint (denoting language settings), as well as the “mail/yahoo/ymbm” fingerprint (which detects Yahoo browser cookies).
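
    The selection rule described above (at most one appID per stream, the lowest level winning, plus any number of fingerprints) can be sketched as follows. This is an added illustration in Python, not GENESIS and not code from the documents: the rule names come from the article, while the patterns, level numbers, tie-break, host name, cookie name and sample streams are constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str          # directory-like rule name
    kind: str          # "appid" (category) or "fingerprint" (tag)
    pattern: str       # assumed regex; the real rule bodies are not on the page
    level: int = 0     # only meaningful for appIDs; lower = more specific


# Rule names are from the article; patterns and levels are assumptions.
RULES = [
    Rule("http/get", "appid", r"^GET ", level=9),
    Rule("mail/webmail/yahoo/attachment", "appid",
         r"^GET /attachment\b.*\nHost: mail\.yahoo\.example", level=2),
    Rule("mail/yahoo/login", "appid",
         r"^GET /login\b.*\nHost: mail\.yahoo\.example", level=2),
    Rule("mail/arabic", "fingerprint", r"(?im)^Accept-Language: ar\b"),
    Rule("mail/yahoo/ymbm", "fingerprint",
         r"(?im)^Cookie: .*\bEXAMPLE_YAHOO_COOKIE="),
]

# Constructed sample streams (plain-text HTTP requests).
ATTACHMENT_STREAM = (
    "GET /attachment?id=1 HTTP/1.1\n"
    "Host: mail.yahoo.example\n"
    "Accept-Language: en\n\n"
)
LOGIN_STREAM = (
    "GET /login HTTP/1.1\n"
    "Host: mail.yahoo.example\n"
    "Accept-Language: ar\n"
    "Cookie: EXAMPLE_YAHOO_COOKIE=abc123\n\n"
)


def classify(stream, rules=RULES):
    """Test a stream against every rule and return what would be stored:
    a single appID (or None) and the list of matching fingerprints."""
    matched_appids = [r for r in rules
                      if r.kind == "appid" and re.search(r.pattern, stream)]
    fingerprints = sorted(r.name for r in rules
                          if r.kind == "fingerprint"
                          and re.search(r.pattern, stream))
    # Lowest level wins. Breaking ties by name is an assumption made here
    # so the result is deterministic; the article does not describe ties.
    best = min(matched_appids, key=lambda r: (r.level, r.name), default=None)
    return {
        "appid": best.name if best else None,
        "candidate_appids": sorted(r.name for r in matched_appids),
        "fingerprints": fingerprints,
    }


if __name__ == "__main__":
    print(classify(ATTACHMENT_STREAM))
    print(classify(LOGIN_STREAM))
```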

    Sometimes the GENESIS programming language, which largely relies on Boolean logic, regular expressions and a set of simple functions, isn’t powerful enough to do the complex pattern-matching required to detect certain types of traffic. In these cases, as one slide puts it, “Power users can drop in to C++ to express themselves.” AppIDs or fingerprints that are written in C++ are called microplugins.

    Here’s an example of a microplugin fingerprint for “botnet/conficker_p2p_udp_data,” which is tricky botnet traffic that can’t be identified without complicated logic. A botnet is a collection of hacked computers, sometimes millions of them, that are controlled from a single point.

    Here’s another microplugin that uses C++ to inspect intercepted Facebook chat messages and pull out details like the associated email address and body of the chat message.

    One document from 2009 describes in detail four generations of appIDs and fingerprints, which begin with only the ability to scan intercepted traffic for keywords, and end with the ability to write complex microplugins that can be deployed to field sites around the world in hours.

    If XKEYSCORE development has continued at a similar pace over the last six years, it’s likely considerably more powerful today.

    Illustration for The Intercept by Blue Delliquanti

    Documents published with this article:

    Advanced HTTP Activity Analysis
    Analyzing Mobile Cellular DNI in XKS
    ASFD Readme
    CADENCE Readme
    Category Throttling
    CNE Analysis in XKS
    Comms Readme
    DEEPDIVE Readme
    DNI101
    Email Address vs User Activity
    Free File Uploaders
    Finding and Querying Document Metadata
    Full Log vs HTTP
    Guide to Using Contexts in XKS Fingerprints
    HTTP Activity in XKS
    HTTP Activity vs User Activity
    Intro to Context Sensitive Scanning With XKS Fingerprints
    Intro to XKS AppIDs and Fingerprints
    OSINT Fusion Project
    Phone Number Extractor
    RWC Updater Readme
    Selection Forwarding Readme
    Stats Config Readme
    Tracking Targets on Online Social Networks
    TRAFFICTHIEF Readme
    Unofficial XKS User Guide
    User Agents
    Using XKS to Enable TAO
    UTT Config Readme
    VOIP in XKS
    VOIP Readme
    Web Forum Exploitation Using XKS
    Writing XKS Fingerprints
    XKS Application IDs
    XKS Application IDs Brief
    XKS as a SIGDEV Tool
    XKS, Cipher Detection, and You!
    XKS for Counter CNE
    XKS Intro
    XKS Logos Embedded in Docs
    XKS Search Forms
    XKS System Administration
    XKS Targets Visiting Specific Websites
    XKS Tech Extractor 2009
    XKS Tech Extractor 2010
    XKS Workflows 2009
    XKS Workflows 2011
    UN Secretary General XKS

    Micah Lee, Glenn Greenwald, Morgan Marquis-Boire
    July 2 2015, 4:42 p.m.
    Second in a series.

    Find this story at 2 July 2015

    Copyright https://theintercept.com/

    XKEYSCORE: NSA’s Google for the World’s Private Communications (I)

    From nieuwsblog.burojansen.nl

    One of the National Security Agency’s most powerful tools of mass surveillance makes tracking someone’s Internet usage as easy as entering an email address, and provides no built-in technology to prevent abuse. Today, The Intercept is publishing 48 top-secret and other classified documents about XKEYSCORE dated up to 2013, which shed new light on the breadth, depth and functionality of this critical spy system — one of the largest releases yet of documents provided by NSA whistleblower Edward Snowden.

    The NSA’s XKEYSCORE program, first revealed by The Guardian, sweeps up countless people’s Internet searches, emails, documents, usernames and passwords, and other private communications. XKEYSCORE is fed a constant flow of Internet traffic from fiber optic cables that make up the backbone of the world’s communication network, among other sources, for processing. As of 2008, the surveillance system boasted approximately 150 field sites in the United States, Mexico, Brazil, United Kingdom, Spain, Russia, Nigeria, Somalia, Pakistan, Japan, Australia, as well as many other countries, consisting of over 700 servers.

    These servers store “full-take data” at the collection sites — meaning that they captured all of the traffic collected — and, as of 2009, stored content for 3 to 5 days and metadata for 30 to 45 days. NSA documents indicate that tens of billions of records are stored in its database. “It is a fully distributed processing and query system that runs on machines around the world,” an NSA briefing on XKEYSCORE says. “At field sites, XKEYSCORE can run on multiple computers that gives it the ability to scale in both processing power and storage.”

    XKEYSCORE also collects and processes Internet traffic from Americans, though NSA analysts are taught to avoid querying the system in ways that might result in spying on U.S. data. Experts and privacy activists, however, have long doubted that such exclusions are effective in preventing large amounts of American data from being swept up. One document The Intercept is publishing today suggests that FISA warrants have authorized “full-take” collection of traffic from at least some U.S. web forums.

    The system is not limited to collecting web traffic. The 2013 document, “VoIP Configuration and Forwarding Read Me,” details how to forward VoIP data from XKEYSCORE into NUCLEON, NSA’s repository for voice intercepts, facsimile, video and “pre-released transcription.” At the time, it supported more than 8,000 users globally and was made up of 75 servers absorbing 700,000 voice, fax, video and tag files per day.

    The reach and potency of XKEYSCORE as a surveillance instrument is astonishing. The Guardian report noted that NSA itself refers to the program as its “widest reaching” system. In February of this year, The Intercept reported that NSA and GCHQ hacked into the internal network of Gemalto, the world’s largest provider of cell phone SIM cards, in order to steal millions of encryption keys used to protect the privacy of cell phone communication. XKEYSCORE played a vital role in the spies’ hacking by providing government hackers access to the email accounts of Gemalto employees.

    Numerous key NSA partners, including Canada, New Zealand and the U.K., have access to the mass surveillance databases of XKEYSCORE. In March, the New Zealand Herald, in partnership with The Intercept, revealed that the New Zealand government used XKEYSCORE to spy on candidates for the position of World Trade Organization director general and also members of the Solomon Islands government.

    These newly published documents demonstrate that collected communications not only include emails, chats and web-browsing traffic, but also pictures, documents, voice calls, webcam photos, web searches, advertising analytics traffic, social media traffic, botnet traffic, logged keystrokes, computer network exploitation (CNE) targeting, intercepted username and password pairs, file uploads to online services, Skype sessions and more.

    Bulk collection and population surveillance

    XKEYSCORE allows for incredibly broad surveillance of people based on perceived patterns of suspicious behavior. It is possible, for instance, to query the system to show the activities of people based on their location, nationality and websites visited. For instance, one slide displays the search “germansinpakistn,” showing an analyst querying XKEYSCORE for all individuals in Pakistan visiting specific German language message boards.

    As sites like Twitter and Facebook become increasingly significant in the world’s day-to-day communications (a Pew study shows that 71 percent of online adults in the U.S. use Facebook), they become a critical source of surveillance data. Traffic from popular social media sites is described as “a great starting point” for tracking individuals, according to an XKEYSCORE presentation titled “Tracking Targets on Online Social Networks.”

    When intelligence agencies collect massive amounts of Internet traffic all over the world, they face the challenge of making sense of that data. The vast quantities collected make it difficult to connect the stored traffic to specific individuals.

    Internet companies have also encountered this problem and have solved it by tracking their users with identifiers that are unique to each individual, often in the form of browser cookies. Cookies are small pieces of data that websites store in visitors’ browsers. They are used for a variety of purposes, including authenticating users (cookies make it possible to log in to websites), storing preferences, and uniquely tracking individuals even if they’re using the same IP address as many other people. Websites also embed code used by third-party services to collect analytics or host ads, which also use cookies to track users. According to one slide, “Almost all websites have cookies enabled.”

    The NSA’s ability to piggyback off of private companies’ tracking of their own users is a vital instrument that allows the agency to trace the data it collects to individual users. It makes no difference if visitors switch to public Wi-Fi networks or connect to VPNs to change their IP addresses: the tracking cookie will follow them around as long as they are using the same web browser and fail to clear their cookies.

    Apps that run on tablets and smartphones also use analytics services that uniquely track users. Almost every time a user sees an advertisement (in an app or in a web browser), the ad network is tracking users in the same way. A secret GCHQ and CSE program called BADASS, which is similar to XKEYSCORE but with a much narrower scope, mines as much valuable information from leaky smartphone apps as possible, including unique tracking identifiers that app developers use to track their own users. In May of this year, CBC, in partnership with The Intercept, revealed that XKEYSCORE was used to track smartphone connections to the app marketplaces run by Samsung and Google. Surveillance agency analysts also use other types of traffic data that gets scooped into XKEYSCORE to track people, such as Windows crash reports.

    In a statement to The Intercept, the NSA reiterated its position that such sweeping surveillance capabilities are needed to fight the War on Terror:

    “The U.S. Government calls on its intelligence agencies to protect the United States, its citizens, and its allies from a wide array of serious threats. These threats include terrorist plots from al-Qaeda, ISIL, and others; the proliferation of weapons of mass destruction; foreign aggression against the United States and our allies; and international criminal organizations.”

    Indeed, one of the specific examples of XKEYSCORE applications given in the documents is spying on Shaykh Atiyatallah, an al Qaeda senior leader and Osama bin Laden confidant. A few years before his death, Atiyatallah did what many people have often done: He googled himself. He searched his various aliases, an associate and the name of his book. As he did so, all of that information was captured by XKEYSCORE.

    XKEYSCORE has, however, also been used to spy on non-terrorist targets. The April 18, 2013 issue of the internal NSA publication Special Source Operations Weekly boasts that analysts were successful in using XKEYSCORE to obtain U.N. Secretary General Ban Ki-moon’s talking points prior to a meeting with President Obama.

    XKEYSCORE for hacking: easily collecting user names, passwords and much more

    XKEYSCORE plays a central role in how the U.S. government and its surveillance allies hack computer networks around the world. One top-secret 2009 NSA document describes how the system is used by the NSA to gather information for the Office of Tailored Access Operations, an NSA division responsible for Computer Network Exploitation (CNE) — i.e., targeted hacking.

    Particularly in 2009, the hacking tactics enabled by XKEYSCORE would have yielded significant returns as use of encryption was less widespread than today. Jonathan Brossard, a security researcher and the CEO of Toucan Systems, told The Intercept: “Anyone could be trained to do this in less than one day: they simply enter the name of the server they want to hack into XKEYSCORE, type enter, and are presented login and password pairs to connect to this machine. Done. Finito.” Previous reporting by The Intercept revealed that systems administrators are a popular target of the NSA. “Who better to target than the person that already has the ‘keys to the kingdom?’” read a 2012 post on an internal NSA discussion board.

    This system enables analysts to access web mail servers with remarkable ease.

    The same methods are used to steal the credentials — user names and passwords — of individual users of message boards.

    Hacker forums are also monitored for people selling or using exploits and other hacking tools. While the NSA is clearly monitoring to understand the capabilities developed by its adversaries, it is also monitoring locations where such capabilities can be purchased.

    Other information gained via XKEYSCORE facilitates the remote exploitation of target computers. By extracting browser fingerprint and operating system versions from Internet traffic, the system allows analysts to quickly assess the exploitability of a target. Brossard, the security researcher, said that “NSA has built an impressively complete set of automated hacking tools for their analysts to use.”

    Given the breadth of information collected by XKEYSCORE, accessing and exploiting a target’s online activity is a matter of a few mouse clicks. Brossard explains: “The amount of work an analyst has to perform to actually break into remote computers over the Internet seems ridiculously reduced — we are talking minutes, if not seconds. Simple. As easy as typing a few words in Google.”

    These facts bolster one of Snowden’s most controversial statements, made in his first video interview published by The Guardian on June 9, 2013. “I, sitting at my desk,” said Snowden, could “wiretap anyone, from you or your accountant, to a federal judge to even the president, if I had a personal email.”

    Indeed, training documents for XKEYSCORE repeatedly highlight how user-friendly the program is: with just a few clicks, any analyst with access to it can conduct sweeping searches simply by entering a person’s email address, telephone number, name or other identifying data. There is no indication in the documents reviewed that prior approval is needed for specific searches.

    In addition to login credentials and other target intelligence, XKEYSCORE collects router configuration information, which it shares with Tailored Access Operations. The office is able to exploit routers and then feed the traffic traveling through those routers into their collection infrastructure. This allows the NSA to spy on traffic from otherwise out-of-reach networks. XKEYSCORE documents reference router configurations, and a document previously published by Der Spiegel shows that “active implants” can be used to “cop[y] traffic and direc[t]” it past a passive collector.

    XKEYSCORE for counterintelligence

    Beyond enabling the collection, categorization, and querying of metadata and content, XKEYSCORE has also been used to monitor the surveillance and hacking actions of foreign nation states and to gather the fruits of their hacking. The Intercept previously reported that NSA and its allies spy on hackers in order to collect what they collect.

    Once the hacking tools and techniques of a foreign entity (for instance, South Korea) are identified, analysts can then extract the country’s espionage targets from XKEYSCORE, and gather information that the foreign power has managed to steal.

    Monitoring of foreign state hackers could allow the NSA to gather techniques and tools used by foreign actors, including knowledge of zero-day exploits—software bugs that allow attackers to hack into systems, and that not even the software vendor knows about—and implants. Additionally, by monitoring vulnerability reports sent to vendors such as Kaspersky, the agency could learn when exploits they were actively using need to be retired because they’ve been discovered by a third party.

    Seizure v. searching: oversight, audit trail and the Fourth Amendment

    By the nature of how it sweeps up information, XKEYSCORE gathers communications of Americans, despite the Fourth Amendment protection against “unreasonable search and seizure” — including searching data without a warrant. The NSA says it does not target U.S. citizens’ communications without a warrant, but acknowledges that it “incidentally” collects and reads some of it without one, minimizing the information that is retained or shared.

    But that interpretation of the law is dubious at best.

    XKEYSCORE training documents say that the “burden is on user/auditor to comply with USSID-18 or other rules,” apparently including the British Human Rights Act (HRA), which protects the rights of U.K. citizens. U.S. Signals Intelligence Directive 18 (USSID 18) is the American directive that governs “U.S. person minimization.”

    Kurt Opsahl, the Electronic Frontier Foundation’s general counsel, describes USSID 18 as “an attempt by the intelligence community to comply with the Fourth Amendment. But it doesn’t come from a court, it comes from the executive.”

    If, for instance, an analyst searched XKEYSCORE for all iPhone users, this query would violate USSID 18 due to the inevitable American iPhone users that would be grabbed without a warrant, as the NSA’s own training materials make clear.

    Opsahl believes that analysts are not prevented by technical means from making queries that violate USSID 18. “The document discusses whether auditors will be happy or unhappy. This indicates that compliance will be achieved by after-the-fact auditing, not by preventing the search.”

    Screenshots of the XKEYSCORE web-based user interface included in slides show that analysts see a prominent warning message: “This system is audited for USSID 18 and Human Rights Act compliance.” When analysts log in to the system, they see a more detailed message warning that “an audit trail has been established and will be searched” in response to HRA complaints, and as part of the USSID 18 and USSID 9 audit process.

    Because the XKEYSCORE system does not appear to prevent analysts from making queries that would be in violation of these rules, Opsahl concludes that “there’s a tremendous amount of power being placed in the hands of analysts.” And while those analysts may be subject to audits, “at least in the short term they can still obtain information that they shouldn’t have.”

    During a symposium in January 2015 hosted at Harvard University, Edward Snowden, who spoke via video call, said that NSA analysts are “completely free from any meaningful oversight.” Speaking about the people who audit NSA systems like XKEYSCORE for USSID 18 compliance, he said, “The majority of the people who are doing the auditing are the friends of the analysts. They work in the same office. They’re not full-time auditors, they’re guys who have other duties assigned. There are a few traveling auditors who go around and look at the things that are out there, but really it’s not robust.”

    In a statement to The Intercept, the NSA said:

    “The National Security Agency’s foreign intelligence operations are 1) authorized by law; 2) subject to multiple layers of stringent internal and external oversight; and 3) conducted in a manner that is designed to protect privacy and civil liberties. As provided for by Presidential Policy Directive 28 (PPD-28), all persons, regardless of their nationality, have legitimate privacy interests in the handling of their personal information. NSA goes to great lengths to narrowly tailor and focus its signals intelligence operations on the collection of communications that are most likely to contain foreign intelligence or counterintelligence information.”

    Coming next: A Look at the Inner Workings of XKEYSCORE

    Source maps: XKS as a SIGDEV Tool, p. 15, and XKS Intro, p. 6

    Documents published with this article:

    Advanced HTTP Activity Analysis
    Analyzing Mobile Cellular DNI in XKS
    ASFD Readme
    CADENCE Readme
    Category Throttling
    CNE Analysis in XKS
    Comms Readme
    DEEPDIVE Readme
    DNI101
    Email Address vs User Activity
    Free File Uploaders
    Finding and Querying Document Metadata
    Full Log vs HTTP
    Guide to Using Contexts in XKS Fingerprints
    HTTP Activity in XKS
    HTTP Activity vs User Activity
    Intro to Context Sensitive Scanning With XKS Fingerprints
    Intro to XKS AppIDs and Fingerprints
    OSINT Fusion Project
    Phone Number Extractor
    RWC Updater Readme
    Selection Forwarding Readme
    Stats Config Readme
    Tracking Targets on Online Social Networks
    TRAFFICTHIEF Readme
    Unofficial XKS User Guide
    User Agents
    Using XKS to Enable TAO
    UTT Config Readme
    VOIP in XKS
    VOIP Readme
    Web Forum Exploitation Using XKS
    Writing XKS Fingerprints
    XKS Application IDs
    XKS Application IDs Brief
    XKS as a SIGDEV Tool
    XKS, Cipher Detection, and You!
    XKS for Counter CNE
    XKS Intro
    XKS Logos Embedded in Docs
    XKS Search Forms
    XKS System Administration
    XKS Targets Visiting Specific Websites
    XKS Tech Extractor 2009
    XKS Tech Extractor 2010
    XKS Workflows 2009
    XKS Workflows 2011
    UN Secretary General XKS

    Morgan Marquis-Boire, Glenn Greenwald, Micah Lee
    July 1 2015, 4:49 p.m.
    Illustrations by Blue Delliquanti and David Axe for The Intercept

    Find this story at 1 July 2015

    copyright https://firstlook.org/theintercept/

    Agreements with private companies protect U.S. access to cables’ data for surveillance (2013)

    The U.S. government had a problem: Spying in the digital age required access to the fiber-optic cables traversing the world’s oceans, carrying torrents of data at the speed of light. And one of the biggest operators of those cables was being sold to an Asian firm, potentially complicating American surveillance efforts.

    Enter “Team Telecom.”

    In months of private talks, the team of lawyers from the FBI and the departments of Defense, Justice and Homeland Security demanded that the company maintain what amounted to an internal corporate cell of American citizens with government clearances. Among their jobs, documents show, was ensuring that surveillance requests got fulfilled quickly and confidentially.

    This “Network Security Agreement,” signed in September 2003 by Global Crossing, became a model for other deals over the past decade as foreign investors increasingly acquired pieces of the world’s telecommunications infrastructure.

    The publicly available agreements offer a window into efforts by U.S. officials to safeguard their ability to conduct surveillance through the fiber-optic networks that carry a huge majority of the world’s voice and Internet traffic.

    The agreements, whose main purpose is to secure the U.S. telecommunications networks against foreign spying and other actions that could harm national security, do not authorize surveillance. But they ensure that when U.S. government agencies seek access to the massive amounts of data flowing through their networks, the companies have systems in place to provide it securely, say people familiar with the deals.

    Negotiating leverage has come from a seemingly mundane government power: the authority of the Federal Communications Commission to approve cable licenses. In deals involving a foreign company, say people familiar with the process, the FCC has held up approval for many months while the squadron of lawyers dubbed Team Telecom developed security agreements that went beyond what’s required by the laws governing electronic eavesdropping.

    The security agreement for Global Crossing, whose fiber-optic network connected 27 nations and four continents, required the company to have a “Network Operations Center” on U.S. soil that could be visited by government officials with 30 minutes of warning. Surveillance requests, meanwhile, had to be handled by U.S. citizens screened by the government and sworn to secrecy — in many cases prohibiting information from being shared even with the company’s executives and directors.

    “Our telecommunications companies have no real independence in standing up to the requests of government or in revealing data,” said Susan Crawford, a Yeshiva University law professor and former Obama White House official. “This is yet another example where that’s the case.”

    The full extent of the National Security Agency’s access to fiber-optic cables remains classified. The Office of the Director of National Intelligence issued a statement saying that legally authorized data collection “has been one of our most important tools for the protection of the nation’s — and our allies’ — security. Our use of these authorities has been properly classified to maximize the potential for effective collection against foreign terrorists and other adversaries.”

    It added, “As always, the Intelligence and law enforcement communities will continue to work with all members of Congress to ensure the proper balance of privacy and protection for American citizens.”

    Collecting information

    Documents obtained by The Washington Post and Britain’s Guardian newspaper in recent weeks make clear how the revolution in information technology sparked a revolution in surveillance, allowing the U.S. government and its allies to monitor potential threats with a reach impossible only a few years earlier.

    Yet any access to fiber-optic cables allows for possible privacy intrusions into Americans’ personal communications, civil libertarians say.

    As people worldwide chat, browse and post images through online services, much of the information flows within the technological reach of U.S. surveillance. Though laws, procedural rules and internal policies limit how that information can be collected and used, the data from billions of devices worldwide flow through Internet choke points that the United States and its allies are capable of monitoring.

    This broad-based surveillance of fiber-optic networks runs parallel to the NSA’s PRISM program, which allows analysts to access data from nine major Internet companies, including Google, Facebook, Microsoft, Yahoo, AOL and Apple, according to classified NSA PowerPoint slides. (The companies have said the collection is legal and limited.)

    One NSA slide titled, “Two Types of Collection,” shows both PRISM and a separate effort labeled “Upstream” and lists four code names: Fairview, Stormbrew, Blarney and Oakstar. A diagram superimposed on a crude map of undersea cable networks describes the Upstream program as collecting “communications on fiber cables and infrastructure as data flows past.”

    The slide has yellow arrows pointing to both Upstream and PRISM and says, “You Should Use Both.” It also has a header saying “FAA 702 Operations,” a reference to a section of the amended Foreign Intelligence Surveillance Act that governs surveillance of foreign targets related to suspected terrorism and other foreign intelligence.

    Under that provision, the government may serve a court order on a company compelling it to reach into its networks for data on multiple targets who are foreigners reasonably believed to be overseas. At an Internet gateway, the government may specify a number of e-mail addresses of foreigners to be targeted without the court signing off on each one.

    When the NSA is collecting the communications of a foreign, overseas target who is speaking or e-mailing with an American, that American’s e-mail or phone call is considered to be “incidentally” collected. It is considered “inadvertently” collected if the target actually turns out to be an American, according to program rules and people familiar with them. The extent of incidental and inadvertent collection has not been disclosed, leading some lawmakers to demand disclosure of estimates of how many Americans’ communications have been gathered. No senior intelligence officials have answered that question publicly.

    Using software that scans traffic and “sniffs out” the targeted e-mail address, the company can pull out e-mail traffic automatically to turn over to the government, according to several former government officials and industry experts.

    It is unclear how effective that approach is compared with collecting from a “downstream” tech company such as Google or Facebook, but the existence of separate programs collecting data from both technology companies and telecommunications systems underscores the reach of government intelligence agencies.

    “People need to realize that there are many ways for the government to get vast amounts of e-mail,” said Chris Soghoian, a technology expert with the American Civil Liberties Union.

    Controlling the data flow

    The drive for new intelligence sources after the Sept. 11, 2001, attacks relied on a key insight: American companies controlled most of the Internet’s essential pipes, giving ample opportunities to tap the torrents of data flowing by. Even terrorists bent on destruction of the United States, it turned out, talked to each other on Web-based programs such as Microsoft’s Hotmail.

    Yet even data not handled by U.S.-based companies generally flowed across parts of the American telecommunications infrastructure. Most important were the fiber-optic cables that largely have replaced the copper telephone wires and the satellite and microwave transmissions that, in an earlier era, were the most important targets for government surveillance.

    Fiber-optic cables, many of which lie along the ocean floor, provide higher-quality transmission and greater capacity than earlier technology, with the latest able to carry thousands of gigabits per second.

    The world’s hundreds of undersea cables now carry 99 percent of all intercontinental data, a category that includes most international phone calls, as well, says TeleGeography, a global research firm.

    The fiber-optic networks have become a rich source of data for intelligence agencies. The Guardian newspaper reported last month that the Government Communications Headquarters, the British equivalent of the NSA, taps and stores data flowing through the fiber-optic cables touching that nation, a major transit point for data between Europe and the Americas. That program, code-named Tempora, shares data with the NSA, the newspaper said.

    Tapping undersea transmission cables had been a key U.S. surveillance tactic for decades, dating back to the era when copper lines carrying sensitive telephone communications could be accessed by listening devices divers could place on the outside of a cable’s housing, said naval historian Norman Polmar, author of “Spy Book: The Encyclopedia of Espionage.”

    “The U.S. has had four submarines that have been outfitted for these special missions,” he said.

    But the fiber-optic lines — each no thicker than a quarter — were far more difficult to tap successfully than earlier generations of undersea technology, and interception operations ran the risk of alerting cable operators that their network had been breached.

    It’s much easier to collect information from any of dozens of cable landing stations around the world — where data transmissions are sorted into separate streams — or in some cases from network operations centers that oversee the entire system, say those familiar with the technology who spoke on the condition of anonymity to discuss sensitive intelligence matters.

    Expanding powers

    In the aftermath of the Sept. 11 attacks, the NSA said its collection of communications inside the United States was constrained by statute, according to a draft report by the agency’s inspector general in 2009, which was obtained by The Post and the Guardian. The NSA had legal authority to conduct electronic surveillance on foreigners overseas, but the agency was barred from collecting such information on cables as it flowed into and through the United States without individual warrants for each target.

    “By 2001, Internet communications were used worldwide, underseas cables carried huge volumes of communications, and a large amount of the world’s communications passed through the United States,” the report said. “Because of language used in the [Foreign Intelligence Surveillance] Act in 1978, NSA was required to obtain court orders to target e-mail accounts used by non-U.S. persons outside the United States if it intended to intercept the communications at a webmail service within the United States. Large numbers of terrorists were using such accounts in 2001.”

    As a result, after White House and CIA officials consulted with the NSA director, President George W. Bush, through a presidential order, expanded the NSA’s legal authority to collect communications inside the United States. The President’s Surveillance Program, the report said, “significantly increased [NSA’s] access to transiting foreign communications.”

    Gen. Michael Hayden, then the NSA director, described that information as “the real gold of the program” that led to the identification of threats within the United States, according to the inspector general’s report.

    Elements of the President’s Surveillance Program became public in 2005, when the New York Times reported the government’s ability to intercept e-mail and phone call content inside the United States without court warrants, sparking controversy. The FISA court began oversight of those program elements in 2007.

    As these debates were playing out within the government, Team Telecom was making certain that surveillance capacity was not undermined by rising foreign ownership of the fiber-optic cables that the NSA was using.

    The Global Crossing deal created particular concerns. The company had laid an extensive network of undersea cables in the world, but it went bankrupt in 2002 after struggling to handle more than $12 billion in debt.

    Two companies, one from Singapore and a second from Hong Kong, struck a deal to buy a majority stake in Global Crossing, but U.S. government lawyers immediately objected as part of routine review of foreign investment into critical U.S. infrastructure.

    President Gerald Ford in 1975 had created an interagency group — the Committee on Foreign Investment in the United States, or CFIUS — to review deals that might harm U.S. national security. Team Telecom grew out of that review process. Those executive branch powers were expanded several times over the decades and became even more urgent after the Sept. 11 attacks, when the Defense Department became an important player in discussions with telecommunications companies.

    The Hong Kong company soon withdrew from the Global Crossing deal, under pressure from Team Telecom, which was worried that the Chinese government might gain access to U.S. surveillance requests and infrastructure, according to people familiar with the negotiations.

    Singapore Technologies Telemedia eventually agreed to a slate of concessions, including allowing half of the board of directors of a new subsidiary managing the undersea cable network to consist of American citizens with security clearances. They would oversee a head of network operations, a head of global security, a general counsel and a human resources officer — all of whom also would be U.S. citizens with security clearances. The FBI and the departments of Defense, Justice and Homeland Security had the power to object to any appointments to those jobs or to the directors who had to be U.S. citizens.

    U.S. law already required that telecommunications companies doing business in the United States comply with surveillance requests, both domestic and international. But the security agreement established the systems to ensure that compliance and to make sure foreign governments would not gain visibility into the working of American telecommunications systems — or surveillance systems, said Andrew D. Lipman, a telecommunications lawyer who has represented Global Crossing and other firms in negotiating such deals.

    “These Network Security Agreements flesh out the details,” he said.

    Lipman, a partner with Bingham McCutchen, based in Washington, said the talks with Team Telecom typically involve little give and take. “It’s like negotiating with the Motor Vehicle Department,” he said.

    Singapore Technologies Telemedia sold Global Crossing in 2011 to Level 3 Communications, a company based in Colorado. But the Singaporean company maintained a minority ownership stake, helping trigger a new round of review by Team Telecom and a new Network Security Agreement that added several new conditions.

    A spokesman for Level 3 Communications declined to comment for this article.

    By Craig Timberg and Ellen Nakashima, Published: July 7, 2013

    Find this story at 7 July 2013

    © 1996-2014 The Washington Post

    Greenwald’s Interpretation of BOUNDLESSINFORMANT NSA Documents Is Oftentimes Wrong

    For those of us who know something about the National Security Agency (NSA) and who have at the same time been closely following the drip-drop page-at-a-time disclosures of NSA documents by Glenn Greenwald and Laura Poitras, this has been an enormously frustrating time. Many of the recent headlines in the newspapers, especially in Europe, promise much, but when you do a tear-down analysis of the contents there is very little of substance there that we did not already know. Last week’s expose by the Dutch newspaper NRC Handelsblad was just such an example, where with one single example everything that the newspaper claimed was brand new had (in fact) been published 17 years earlier by Dutch historian Dr. Cees Wiebes. Ah, what we do to sell newspapers.

    There should also be tighter fact-checking by the newspapers of their interpretation of the information that they are being spoon-fed before they rush to print.

    For instance, over the past month or so we have been fed once-a-week articles from newspapers in France, Germany, Spain, Norway and now the Netherlands (does anyone see a pattern here) all based on a single NSA document from the agency’s BOUNDLESSINFORMANT database of metadata intercepts for a 30-day period from December 2012 to January 2013. The newspaper headlines all have claimed that the BOUNDLESSINFORMANT revealed that NSA was intercepting the telephone and internet communications of these countries. But an analysis of the SIGINT Activity Designators (SIGADs) listed in these documents reveals that NSA was not intercepting these communications, but rather the host nation intelligence services – to wit the BND in Germany, DGSE in France, the FE in Norway and the MIVD in the Netherlands. These agencies have secretly been providing this metadata material to NSA, although it is not known for how long.

    There are other factual problems with the interpretation that has been placed on these documents. It really would be nice if the individuals using these materials do a little research into NSA operational procedures before leaping to conclusions lest they be further embarrassed in the future by mistakes such as this.

    I am not the only person who has noted some of these glaring mistakes being made by the authors of the recent newspaper articles based on the BOUNDLESSINFORMANT document. Here is an insightful study done by a Dutch analyst who has been closely following the materials being leaked:

    Screenshots from BOUNDLESSINFORMANT can be misleading

    electrospaces.blogspot.nl

    November 23, 2013

    Over the last months, a number of European newspapers published screenshots from an NSA tool codenamed BOUNDLESSINFORMANT, which were said to show the amount of data that NSA collected from those countries.

    Most recently, a dispute about the numbers mentioned in a screenshot about Norway urged Snowden-journalist Glenn Greenwald to publish a similar screenshot about Afghanistan. But as this article will show, Greenwald’s interpretation of the latter was wrong, which also raises new questions about how to make sense out of the screenshots about other countries.

    Norway vs Afghanistan

    On November 19, the website of the Norwegian tabloid Dagbladet published a BOUNDLESSINFORMANT screenshot which, according to the paper, showed that NSA apparently monitored 33 million Norwegian phone calls (although actually, the NSA tool only presents metadata).

    The report by Dagbladet was almost immediately corrected by the Norwegian military intelligence agency Etterretningstjenesten (or E-tjenesten), which said that they collected the data “to support Norwegian military operations in conflict areas abroad, or connected to the fight against terrorism, also abroad” and that “this was not data collection from Norway against Norway, but Norwegian data collection that is shared with the Americans”.

    Earlier, a very similar explanation was given about the data from France, Spain and Germany. They too were said to be collected by French, Spanish and German intelligence agencies outside their borders, like in war zones, and then shared with NSA. Director Alexander added that these data were from a system that contained phone records collected by the US and NATO countries “in defense of our countries and in support of military operations”.

    Glenn Greenwald strongly contradicted this explanation in an article written for Dagbladet on November 22. In trying to prove his argument, he also released a screenshot from BOUNDLESSINFORMANT about Afghanistan (shown down below) and explained it as follows:
    “What it shows is that the NSA collects on average of 1.2-1.5 million calls per day from that country: a small subset of the total collected by the NSA for Spain (4 million/day) and Norway (1.2 million).

    Clearly, the NSA counts the communications it collects from Afghanistan in the slide labeled «Afghanistan» — not the slides labeled «Spain» or «Norway». Moreover, it is impossible that the slide labeled «Spain» and the slide labeled «Norway» only show communications collected from Afghanistan because the total collected from Afghanistan is so much less than the total collected from Spain and Norway.”

    Global overview

    But Greenwald apparently forgot some documents he released earlier:

    Last September, the Indian paper The Hindu published three less known versions of the BOUNDLESSINFORMANT global overview page, showing the total amounts of data sorted in three different ways: Aggregate, DNI and DNR. Each results in a slightly different top 5 of countries, which is also reflected in the colors of the heat map.

    In the overall (aggregated) counting, Afghanistan is in the second place, with a total amount of over 2 billion internet records (DNI) and almost 22 billion telephony records (DNR) counted:

    The screenshot about Afghanistan published by Greenwald only shows information about some 35 million telephony (DNR) records, collected by a facility only known by its SIGAD US-962A5 and processed or analysed by DRTBox. This number is just a tiny fraction of the billions of data from both internet and telephone communications from Afghanistan as listed in the global overview.

    Differences

    With these big differences, it’s clear that this screenshot about Afghanistan is not showing all data which NSA collected from that country, not even all telephony data. The most likely option is that it only shows metadata from telephone communications intercepted by the facility designated US-962A5.

    That fits the fact that this SIGAD denotes a sub- or even sub-sub-facility of US-962, which means there are more locations under this collection program. Afghanistan is undoubtedly being monitored by numerous SIGINT collection stations and facilities, so seeing only one SIGAD in this screenshot proves that it can never show the whole collection from that country.

    This means that Greenwald’s argument against the data being collected abroad is no longer valid (although there may be other arguments against it). Glenn Greenwald was asked via Twitter to comment on the findings of this article, but there was no reaction.

    More questions

    The new insight about the Afghanistan data means that the interpretation of the screenshots about other countries can be wrong too. Especially those showing only one collection facility, like France, Spain and Norway (and maybe also Italy and The Netherlands), might not be showing information about that specific country, but maybe only about the specific intercept location.

    This also leads to other questions, like: are these really screenshots (why is there no classification marking)? Are they part of other documents or did Snowden himself make them? And how did he make the selection: by country, by facility, or otherwise?

    There are many questions about NSA capabilities and operations which Snowden cannot answer, but he can answer how exactly he got to these documents and what their proper context is. Maybe Glenn Greenwald also knows more about this, and if so, it’s about time to tell that part of the story too.

    Matthew M. Aid is the author of Intel Wars: The Secret History of the Fight Against Terror (January 2012) and The Secret Sentry, the definitive history of the National Security Agency. He is a leading intelligence historian and expert on the NSA, and a regular commentator on intelligence matters for the New York Times, the Financial Times, the National Journal, the Associated Press, CBS News, National Public Radio (NPR) and many others. He lives in Washington, DC.

    November 24, 2013

    Find this story at 24 November 2013

    NRC on the NSA

    One of the elements on Saturday’s NRC map is the set of red dots marking the SCS sites. That data set is the same as that of the map in Spiegel, an uncensored version of which is available at Cryptome.

    That map dates from August 2010. Laying the maps side by side goes a long way toward establishing which places NRC blacked out. For Europe, for example, that yields the list Baku, Kiev, Madrid, Moscow and Tbilisi.

    x-keyscore servers on Cryptome

    SCS sites on Cryptome

    NRC driver 1

    Europeans Shared Spy Data With U.S.; Phone Records Collected Were Handed Over to Americans to Help Protect Allied Troops in War Zones

    Millions of phone records at the center of a firestorm in Europe over spying by the National Security Agency were secretly supplied to the U.S. by European intelligence services—not collected by the NSA, upending a furor that cast a pall over trans-Atlantic relations.

    The revelations suggest a greater level of European involvement in global surveillance, in conjunction at times with the NSA. The disclosures also put European leaders who loudly protested reports of the NSA’s spying in a difficult spot, showing how their spy agencies aided the Americans.

    The phone records collected by the Europeans—in war zones and other areas outside their borders—were shared with the NSA as part of efforts to help protect American and allied troops and civilians, U.S. officials said.

    European leaders remain chagrined over revelations that the U.S. was spying on dozens of world leaders, including close allies in Europe. The new disclosures were separate from those programs.

    But they nevertheless underline the complexities of intelligence relationships, and how the U.S. and its allies cooperate in some ways and compete in others.

    “That the evil NSA and the wicked U.S. were the only ones engaged in this gross violation of international norms—that was the fairy tale,” said James Lewis, a former State Department official, now a technology-policy specialist at the Center for Strategic and International Studies. “It was never true. The U.S’s behavior wasn’t outside the norm. It is the norm.”

    Consecutive reports in French, Spanish and Italian newspapers over the past week sparked a frenzy of finger-pointing by European politicians. The reports were based on documents leaked by former NSA contractor Edward Snowden and purportedly showed the extent to which the NSA sweeps up phone records in those countries.

    France’s Le Monde said the documents showed that more than 70 million French phone records between early December 2012 and early January 2013 were collected by the NSA, prompting Paris to lodge a protest with the U.S. In Spain, El Mundo reported that it had seen NSA documents that showed the U.S. spy agency had intercepted 60.5 million Spanish phone calls during the same time period.

    U.S. officials initially responded to the reports by branding them as inaccurate, without specifying how. On Tuesday, The Wall Street Journal reported that the data cited by the European news reports wasn’t collected by the NSA, but by its European partners.

    U.S. officials said the data was provided to the NSA under long-standing intelligence sharing arrangements.

    In a congressional hearing Tuesday, the National Security Agency director, Gen. Keith Alexander, confirmed the broad outlines of the Journal report, saying that the specific documents released by Mr. Snowden didn’t represent data collected by the NSA or any other U.S. agency and didn’t include records from calls within those countries.

    He said the data—displayed in computer-screen shots—were instead from a system that contained phone records collected by the U.S. and North Atlantic Treaty Organization countries “in defense of our countries and in support of military operations.”

    He said the conclusion that the U.S. collected the data “is false. And it’s false that it was collected on European citizens. It was neither.”

    The U.S. until now had been silent about the role of European partners in these collection efforts so as to protect the relationships.

    French officials declined to comment.

    A Spanish official said that Spain’s intelligence collaboration with the NSA has been limited to theaters of operations in Mali, Afghanistan and certain international operations against jihadist groups. The so-called metadata published in El Mundo was gathered during these operations, not in Spain.

    The Italian Embassy in Washington didn’t immediately respond to a request for comment.

    The revelations that the phone data were collected by European intelligence services rather than NSA could spark a backlash against the same politicians who had been pointing their fingers at the U.S.—although that response could be tempered by assurances that the data were collected abroad and not domestically.

    A U.S. analysis of the document published by Le Monde concluded the phone records the French had collected were actually from outside of France, then were shared with the U.S. The data don’t show that the French spied on their own people inside France.

    U.S. intelligence officials said they hadn’t seen the documents cited by El Mundo, but that the data appear to come from similar information the NSA obtained from Spanish intelligence agencies documenting their collection efforts abroad.

    At Tuesday’s House Intelligence Committee hearing, lawmakers also pressed Gen. Alexander and the Director of National Intelligence James Clapper on the NSA’s tapping of world leaders’ phone conversations, including German Chancellor Angela Merkel.

    Asked whether U.S. allies spy on the U.S., Mr. Clapper said, “Absolutely.”

    Rep. Adam Schiff (D., Calif.) asked why Congress hadn’t been informed when U.S. spies tapped a world leader’s telephone. Mr. Clapper said Congress isn’t told about each and every “selector,” the intelligence term for a phone number or other information that would identify an espionage target.

    “Not all selectors are equal,” Mr. Schiff responded, especially “when the selector is the chancellor of an allied nation.”

    The Wall Street Journal reported Monday that President Barack Obama didn’t know about NSA’s tapping of Ms. Merkel’s phone—which stretched back as far as 2002—until a review this summer turned it up.

    Mr. Clapper said that intelligence agencies follow the priorities set by the president and key departments, but they don’t necessarily provide top officials with details on how each requirement is being fulfilled.

    The White House does, however, see the final product, he said.

    Reporting to policy makers on the “plans and intentions” of world leaders is a standard request to intelligence agencies like the NSA, Mr. Clapper said. The best way to understand a foreign leader’s intentions, he said, is to obtain that person’s communications.

    Privately, some intelligence officials disputed claims that the president and top White House officials were unaware of how such information is obtained.

    “If there’s an intelligence report that says the leader of this country is likely to say X or Y, where do you think that comes from?” the official said.

    The House Intelligence Committee chairman, Rep. Mike Rogers (R., Mich.) remained a staunch defender of the NSA’s operations.

    “I am a little concerned about where we are—that we’ve decided that we’re going to name our intelligence services at the earliest opportunity as the bad guys in the process of trying to collect information lawfully and legally, with the most oversight that I’ve ever seen,” he said. “We’re the only intelligence service in the world that is forced to go to a court before they even collect on foreign intelligence operations, which is shocking to me.”

    —Christopher Bjork in Madrid and Stacy Meichtry in Paris contributed to this article.

    By Adam Entous and Siobhan Gorman
    Updated Oct. 29, 2013 7:31 p.m. ET

    Find this story at 29 October 2013

    ©2013 Dow Jones & Company, Inc.

    Europe shared spy data with US; Europe spy services ‘shared phone data’

    The NSA says European spy services shared phone data with it, and reports alleging otherwise are ‘false’.

    MILLIONS of phone records at the centre of a firestorm in Europe over spying by the National Security Agency were secretly supplied to the US by European intelligence services – not collected by the NSA, upending a furore that cast a pall over trans-Atlantic relations.

    The revelations suggest a greater level of European involvement in global surveillance, in conjunction at times with the NSA. The disclosures also put European leaders who loudly protested reports of the NSA’s spying in a difficult spot, showing how their spy agencies aided the Americans.

    The phone records collected by the Europeans – in war zones and other areas outside their borders – were shared with the NSA as part of efforts to help protect American and allied troops and civilians, US officials said.

    European leaders remain chagrined over revelations that the US was spying on dozens of world leaders, including close allies in Europe.

    The new disclosures were separate from those programs, but they underline the complexities of intelligence relationships, and how the US and its allies co-operate in some ways and compete in others.

    “That the evil NSA and the wicked US were the only ones engaged in this gross violation of international norms – that was the fairy tale,” said James Lewis, a former State Department official, now a technology-policy specialist at the Centre for Strategic and International Studies.

    “It was never true. The US’s behaviour wasn’t outside the norm. It is the norm.”

    Consecutive reports in French, Spanish and Italian newspapers over the past week sparked a frenzy of finger-pointing by European politicians. The reports were based on documents leaked by former NSA contractor Edward Snowden and purportedly showed the extent to which the NSA sweeps up phone records in those countries.

    France’s Le Monde said the documents showed that more than 70 million French phone records between early December last year and early January this year were collected by the NSA, prompting Paris to lodge a protest with the US. In Spain, El Mundo reported that it had seen NSA documents that showed the US spy agency had intercepted 60.5 million Spanish phone calls during the same time period.

    US officials initially responded to the reports by branding them as inaccurate, without specifying how. Late yesterday, The Wall Street Journal reported that the data cited by the European news reports wasn’t collected by the NSA but by its European partners.

    US officials said the data was provided to the NSA under long-standing intelligence sharing arrangements.

    Hours later, in a congressional hearing, the National Security Agency director, General Keith Alexander, confirmed the broad outlines of the Journal report, saying the specific documents released by Mr Snowden didn’t represent data collected by the NSA or any other US agency and didn’t include records from calls within those countries.

    He said the data, displayed in computer-screen shots, was instead from a system that contained phone records collected by the US and NATO countries “in defence of our countries and in support of military operations”.

    He said conclusions the US collected the data were “false. And it’s false that it was collected on European citizens. It was neither.”

    The US until now had been silent about the role of European partners in these collection efforts to protect the relationships. French officials declined to comment.

    A Spanish official said Spain’s intelligence collaboration with the NSA has been limited to theatres of operations in Afghanistan, Mali and international operations against jihadist groups. The data published in El Mundo was gathered during these operations, not in Spain.

    At yesterday’s house intelligence committee hearing, politicians pressed General Alexander and Director of National Intelligence James Clapper on the NSA’s tapping of world leaders’ phone conversations, including the German Chancellor, Angela Merkel.

    Asked whether US allies spy on the US, Mr Clapper said: “Absolutely.”

    Democrat congressman Adam Schiff asked why congress had not been informed when US spies tapped a world leader’s telephone.

    Mr Clapper said congress wasn’t told about each and every “selector”, the intelligence term for a phone number or other information that would identify an espionage target.

    “Not all selectors are equal,” Mr Schiff responded, especially “when the selector is the chancellor of an allied nation.”

    Mr Clapper said intelligence agencies followed the priorities set by the President and key departments, but did not necessarily provide top officials with details on how each requirement was being fulfilled.

    The White House did, however, see the final product, he said.

    Reporting to policymakers on the “plans and intentions” of world leaders was a standard request to intelligence agencies such as the NSA, Mr Clapper said, and the best way to understand a foreign leader’s intentions was to obtain their communications.

    Privately, some intelligence officials disputed claims that the President and top White House officials were unaware of how such information was obtained.

    “If there’s an intelligence report that says the leader of this country is likely to say X or Y, where do you think that comes from?” the official said.

    Adam Entous and Siobhan Gorman
    The Wall Street Journal
    October 31, 2013 12:00AM

    Find this story at 31 October 2013

    © www.theaustralian.com.au

    NSA spy row: France and Spain ‘shared phone data’ with US

    Spain and France’s intelligence agencies carried out collection of phone records and shared them with NSA, agency says

    European intelligence agencies and not American spies were responsible for the mass collection of phone records which sparked outrage in France and Spain, the US has claimed.

    General Keith Alexander, the head of the National Security Agency, said reports that the US had collected millions of Spanish and French phone records were “absolutely false”.

    “To be perfectly clear, this is not information that we collected on European citizens,” Gen Alexander said when asked about the reports, which were based on classified documents leaked by Edward Snowden, the former NSA contractor.

    Shortly before the NSA chief appeared before a Congressional committee, US officials briefed the Wall Street Journal that in fact Spain and France’s own intelligence agencies had carried out the surveillance and then shared their findings with the NSA.

    The anonymous officials claimed that the monitored calls were not even made within Spanish and French borders and could be surveillance carried on outside of Europe.

    In an aggressive rebuttal of the reports in the French paper Le Monde and the Spanish El Mundo, Gen Alexander said “they and the person who stole the classified data [Mr Snowden] do not understand what they were looking at” when they published slides from an NSA document.

    The US push back came as President Barack Obama was said to be on the verge of ordering a halt to spying on the heads of allied governments.

    The White House said it was looking at all US spy activities in the wake of leaks by Mr Snowden but was putting a “special emphasis on whether we have the appropriate posture when it comes to heads of state”.

    Mr Obama was reported to have already halted eavesdropping at the UN’s headquarters in New York.

    German officials said that while the White House’s public statements had become more conciliatory there remained deep wariness and that little progress had been made behind closed doors in formalising an American commitment to curb spying.

    “An agreement that you feel might be broken at any time is not worth very much,” one diplomat told The Telegraph.

    “We need to re-establish trust and then come to some kind of understanding comparable to the [no spy agreement] the US has with other English speaking countries.”

    Despite the relatively close US-German relations, the White House is reluctant to be drawn into any formal agreement and especially resistant to demands that a no-spy deal be expanded to cover all 28 EU member states.

    Viviane Reding, vice-president of the European Commission and EU justice commissioner, warned that the spying row could spill over and damage talks on a free-trade agreement between the EU and US.

    “Friends and partners do not spy on each other,” she said in a speech in Washington. “For ambitious and complex negotiations to succeed there needs to be trust among the negotiating partners. It is urgent and essential that our US partners take clear action to rebuild trust.”

    A spokesman for the US trade negotiators said it would be “unfortunate to let these issues – however important – distract us” from reaching a deal vital to freeing up transatlantic trade worth $3.3 billion dollars (£2bn) a day.

    James Clapper, America’s top national intelligence official, told a Congressional hearing yesterday the US does not “spy indiscriminately on the citizens of any country”.

    “We do not spy on anyone except for valid foreign intelligence purposes, and we only work within the law,” Mr Clapper said. “To be sure on occasions we’ve made mistakes, some quite significant, but these are usually caused by human error or technical problems.”

    Pressure from European leaders was added to as some of the US intelligence community’s key Congressional allies balked at the scale of surveillance on friendly governments.

    Dianne Feinstein, the chair of the powerful Senate intelligence committee, said she was “totally opposed” to tapping allied leaders and called for a wide-ranging Senate review of the activities of US spy agencies.

    “I do not believe the United States should be collecting phone calls or emails of friendly presidents and prime ministers,” she said.

    John Boehner, the Republican speaker of the house and a traditional hawk on national security, said US spy policy was “imbalanced” and backed calls for a review.

    Mr Boehner has previously been a staunch advocate of the NSA and faced down a July rebellion by libertarian Republicans who tried to pass a law significantly curbing the agency’s power.

    By Raf Sanchez, Peter Foster in Washington

    8:35PM GMT 29 Oct 2013

    Find this story at 29 October 2013

    © Copyright of Telegraph Media Group Limited 2013

    ‘We didn’t spy on the Europeans, their OWN governments did’, says NSA (but still no apology for tapping German chancellor Merkel’s phone)

    Gen. Keith Alexander, the National Security Agency director, says foreign governments spied on their own people and shared data with the U.S.
    The NSA had been accused of snooping on 130.5 million phone calls in France and Spain, and keeping computerized records
    Sen. Dianne Feinstein said newspapers in Europe ‘got it all wrong’

    Alexander’s denial will fall heavily on the fugitive leaker Edward Snowden and his journalist cohorts, whom the NSA chief said ‘did not understand what they were looking at’
    The National Security Agency’s director flatly denied as ‘completely false’ claims that U.S. intelligence agencies monitored tens of millions of phone calls in France and Spain during a month-long period beginning in late 2012.

    Gen. Keith Alexander contradicted the news reports that said his NSA had collected data about the calls and stored it as part of a wide-ranging surveillance program, saying that the journalists who wrote them misinterpreted documents stolen by the fugitive leaker Edward Snowden.

    And a key Democratic senator added that European papers that leveled the allegations ‘got it all wrong’ with respect to at least two countries – saying that it was those nations’ intelligence services that collected the data and shared it with their U.S. counterparts as part of the global war on terror.

    Protests: (Left to right) NSA Deputy Director Chris Inglis, NSA Director General Keith Alexander and DNI James Clapper look on as a protestor disrupts the Capitol Hill hearing

    National Security Agency Director Gen. Keith Alexander testified Tuesday that the governments of France and Spain conducted surveillance on their own citizens’ phone conversations, and then shared the intelligence data with the U.S.

    On Monday newspapers in three countries published computer-screen images, reportedly provided by Snowden, showing what appeared to be data hoovered up by the United States from European citizens’ phone calls.

    But Alexander testified in a House Intelligence Committee hearing that ‘those screenshots that show – or lead people to believe – that we, the NSA, or the U.S., collect that information is false.’

    ‘The assertions by reporters in France, Spain and Italy that NSA collected tens of millions of phone calls are completely false,’ Alexander said.

    According to the French newspaper Le Monde and the Spanish daily El Mundo, the NSA had collected the records of at least 70 million phone calls in France and another 60.5 million in Spain between December and January.

    Italy’s L’Espresso magazine also alleged, with help from Snowden, that the U.S. was engaged in persistent monitoring of Italy’s telecommunications networks.

    General Alexander denied it all.

    ‘To be perfectly clear, this is not information that we collected on European citizens. It represents information that we and our NATO allies have collected in defense of our countries and in support of military operations.’

    Reporters, he added, ‘cite as evidence screen shots of the results of a web tool used for data management purposes, but both they and the person who stole the classified data did not understand what they were looking at.’

    President Barack Obama said he is instituting a complete review of U.S. intelligence procedures in the wake of stinging allegations that the NSA has been peeping on foreign leaders through their phones and email accounts

    California Democratic Sen. Dianne Feinstein, who chairs the Senate Intelligence Committee, said Tuesday that ‘the papers got it all wrong on the two programs, France and Germany.’

    ‘This was not the United States collecting on France and Germany. This was France and Germany collecting. And it had nothing to do with their citizens, it had to do with collecting in NATO areas of war, like Afghanistan.’

    Feinstein on Monday called for a complete review of all the U.S. intelligence community’s spying programs, saying that ‘Congress needs to know exactly what our intelligence community is doing.’

    In the weekend’s other intelligence bombshell, the U.S. stood accused of snooping on German Chancellor Angela Merkel’s cell phone and spying on Mexican President Felipe Calderon’s private emails.

    But Director of National Intelligence James Clapper told the committee that spying on foreign leaders is nothing new.

    ‘That’s a hardy perennial,’ he said, ‘and as long as I’ve been in the intelligence business, 50 years, leadership intentions, in whatever form that’s expressed, is kind of a basic tenet of what we are to collect and analyze.’

    ‘It’s one of the first things I learned in intel school in 1963,’ he assured the members of Congress, saying that the U.S. routinely spies on foreign leaders to ascertain their intentions, ‘no matter what level you’re talking about. That can be military leaders as well.’

    Clapper hinted that committee members had been briefed on such programs, saying that in cases where the NSA is surveilling foreign leaders, ‘that should be reported to the committee … in considerable detail’ as a ‘significant’ intelligence activity over which Congress has oversight.

    He added that ‘we do only what the policymakers, writ large, have actually asked us to do.’

    Republican committee chair Mike Rogers of Michigan began the hearing by acknowledging that ‘every nation collects foreign intelligence’ and ‘that is not unique to the United States’.

    Clapper pleaded with the panel to think carefully before restricting the government’s ability to collect foreign intelligence, warning that they would be ‘incurring greater risks’ from overseas adversaries.

    Gen. Alexander dispensed with his prepared statement and spoke ‘from the heart,’ saying that his agency would rather ‘take the beatings’ from reporters and the public ‘than … give up a program’ that would prevent a future attack on the nation.

    The Wall Street Journal reported Tuesday afternoon that other U.S. officials had confirmed Alexander’s version of events, and that the electronic spying in France and Spain was carried out by those nations’ governments.

    The resulting phone records, they said, were then shared with the NSA as part of a program aimed at keeping U.S. military personnel and civilians safe in areas of military conflict.

    None of the nations involved would speak to the Journal about their own level of involvement in a scandal that initially touched only the U.S., but which now promises to embroil intelligence services on a global scale.

    By David Martosko, U.S. Political Editor

    PUBLISHED: 21:45 GMT, 29 October 2013 | UPDATED: 10:59 GMT, 30 October 2013

    Find this story at 29 October 2013

    © Associated Newspapers Ltd

     

    NSA Powerpoint Slides on BOUNDLESSINFORMANT

    These 4 slides are from the powerpoint “BOUNDLESSINFORMANT: Describing Mission Capabilities from Metadata Records.” They include the cover page and pages 3, 5, and 6 of the presentation. The powerpoint, leaked to the Guardian newspaper’s Glenn Greenwald by Edward Snowden, was first released by the Guardian newspaper on June 8, 2013 at this web page: http://www.guardian.co.uk/world/interactive/2013/jun/08/nsa-boundless-informant-data-mining-slides

    Also included with this collection is a “heat map” of parts of the world most subject to surveillance by Boundless Informant. This image was embedded in the Guardian’s story, which described Boundless Informant as “the NSA’s secret tool to track global surveillance data,” which collected “almost 3 billion pieces of intelligence from US computer networks over a 30-day period ending in March 2013.” http://www.theguardian.com/world/2013/jun/08/nsa-boundless-informant-global-datamining

    UNCLASSIFIED//FOR OFFICIAL USE ONLY
    BOUNDLESSINFORMANT – Frequently Asked Questions
    09-06-2012

     

    (U/FOUO) Questions

     

    1) What is BOUNDLESSINFORMANT? What is its purpose?

    2) Who are the intended users of the tool?

    3) What are the different views?

    4) Where do you get your data?

    5) Do you have all the data? What data is missing?

    6) Why are you showing metadata record counts versus content?

    7) Do you distinguish between sustained collect and survey collect?

    8) What is the technical architecture for the tool?

    9) What are some upcoming features/enhancements?

    10) How are new features or views requested and prioritized?

    11) Why are record counts different from other tools like ASDF and What’s On Cover?

    12) Why is the tool NOFORN? Is there a releasable version?

    13) How do you compile your record counts for each country?

     

    Note: This document is a work-in-progress and will be updated frequently as additional
    questions and guidance are provided.

    1) (U) What is BOUNDLESSINFORMANT? What is its purpose?

    (U//FOUO) BOUNDLESSINFORMANT is a GAO prototype tool for a self-documenting SIGINT
    system. The purpose of the tool is to fundamentally shift the manner in which GAO describes its
    collection posture. BOUNDLESSINFORMANT provides the ability to dynamically describe GAO’s
    collection capabilities (through metadata record counts) with no human intervention and graphically
    display the information in a map view, bar chart, or simple table. Prior to
    BOUNDLESSINFORMANT, the method for understanding the collection capabilities of GAO’s
    assets involved ad hoc surveying of repositories, sites, developers, and/or programs and offices. By
    extracting information from every DNI and DNR metadata record, the tool is able to create a near real-
    time snapshot of GAO’s collection capability at any given moment. The tool allows users to select a
    country on a map and view the metadata volume and select details about the collection against that
    country. The tool also allows users to view high level metrics by organization and then drill down to a
    more actionable level – down to the program and cover term.

    Sample Use Cases

    • (U//FOUO) How many records are collected for an organizational unit (e.g. FORNSAT)?

    • (U//FOUO) How many records (and what type) are collected against a particular country?

    • (U//FOUO) Are there any visible trends for the collection?

    • (U//FOUO) What assets collect against a specific country? What type of collection?

    • (U//FOUO) What is the field of view for a specific site? What countries does it collect
    against? What type of collection?

    2) (U) Who are the intended users of the tool?

    • (U//FOUO) Mission and collection managers seeking to understand output characteristics
    of a site based on what is being ingested into downstream repositories.

    • (U//FOUO) Strategic Managers seeking to understand top level metrics at the
    organization/office level or seeking to answer data calls on NSA collection capability.


    • (U//FOUO) Analysts looking for additional sites to task for coverage of a particular
    technology within a specific country.

    3) What are the different views?

    (U//FOUO) Map View – The Map View is designed to allow users to view overall DNI, DNR, or
    aggregated collection posture of the agency or a site. Clicking on a country will show the collection
    posture (record counts, type of collection, and contributing SIGADs or sites) against that particular
    country in addition to providing a graphical display of record count trends. In order to bin the records
    into a country, a normalized phone number (DNR) or an administrative region atom (DNI) must be
    populated within the record. Clicking on a site (within the Site Specific view) will show the viewshed
    for that site – what countries the site collects against.

    (U//FOUO) Org View – The Organization View is designed to allow users to view the metadata record
    counts by organizational structure (i.e. GAO – SSO – RAM-A – SPINNERET) all the way down to the
    cover term. Since it’s not necessary to have a normalized number or administrative region populated,
    the numbers in the Org View will be higher than the numbers in the Map View.

    (U//FOUO) Similarity View – The Similarity View is currently a placeholder view for an upcoming
    feature that will graphically display sites that are similar in nature. This can be used to identify areas
    for a de-duplication effort or to inform analysts of additional SIGADs to task for queries (similar to
    Amazon’s “if you like this item, you’ll also like these” feature).

     

    4) (U) Where do you get your data?

    (U//FOUO) BOUNDLESSINFORMANT extracts metadata records from GM-PLACE post-
    FALLOUT (DNI ingest processor) and post-TUSKATTIRE (DNR ingest processor). The records are
    enriched with organization information (e.g. SSO, FORNSAT) and cover term. Every valid DNI and
    DNR metadata record is aggregated to provide a count at the appropriate level. See the different views
    question above for additional information.

     

    5) (U) Do you have all the data? What data is missing?

    • (U//FOUO) The tool resides on GM-PLACE which is only accredited up to TS//SI//NOFORN.
    Therefore, the tool does not contain ECI or FISA data.

    • (U//FOUO) The Map View only shows counts for records with a valid normalized number
    (DNR) or administrative region atom (DNI).

    • (U//FOUO) Only metadata records that are sent back to NSA-W through FASCIA or
    FALLOUT are counted. Therefore, programs with a distributed data distribution system (e.g.
    MUSCULAR and Terrestrial RF) are not currently counted.

    • (U//FOUO) Only SIGINT records are currently counted. There are no ELINT or other “INT”
    records included.

    6) (U) Why are you showing metadata record counts versus content?

    (U//FOUO)

    7) (U) Do you distinguish between sustained collect and survey collect?

    (U//FOUO) The tool currently makes no distinction between sustained collect and survey collect. This
    feature is on the roadmap.

     


     

    8) What is the technical architecture for the tool?

    Click here for a graphical view of the tool’s architecture

    (U//FOUO) DNI metadata (ASDF), DNR metadata (FASCIA) delivered to Hadoop
    Distributed File System (HDFS) on GM-PLACE

    (U//FOUO) Use Java MapReduce job to transform/filter and enrich FASCIA/ASDF data with
    business logic to assign organization rules to data

    (U//FOUO) Bulk import of DNI/DNR data (serialized Google Protobuf objects) into
    Cloudbase (enabled by custom aggregators)

    (U//FOUO) Use Java web app (hosted via Tomcat) on MachineShop (formerly Turkey Tower)
    to query Cloudbase

    (U//FOUO) GUI triggers queries to CloudBase – GXT (ExtGWT)

     

    9) What are some upcoming features/enhancements?

    • (U//FOUO) Add technology type (e.g. JUGGERNAUT, LOPER) to provide additional
    granularity in the numbers

    • (U//FOUO) Add additional details to the Differential view

    • (U//FOUO) Refine the Site Specific view

    • (U//FOUO) Include CASN information

    • (U//FOUO) Add ability to export data behind any view (pddg,sigad,sysid,casn,tech,count)

    • (U//FOUO) Add in selected (vs. unselected) data indicators

    • (U//FOUO) Include filter for sustained versus survey collection

     

    10) How are new features or views requested and prioritized?

    (U//FOUO) The team uses Flawmill to accept user requests for additional functionality or
    enhancements. Users are also allowed to vote on which functionality or enhancements are most
    important to them (as well as add comments). The BOUNDLESSINFORMANT team will periodically
    review all requests and triage according to level of effort (Easy, Medium, Hard) and mission impact
    (High, Medium, Low). The team will review the queue with the project champion and government
    steering committee to be added onto the BOUNDLESSINFORMANT roadmap.

    11) Why are record counts different from other tools like ASDF and What’s On Cover?

    (U//FOUO) There are a number of reasons why record counts may vary. The purpose of the tool is to
    provide

     


    July 13, 2012

    Find this story at  txt

    Find this story at jpeg

    Find this story at pdf
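
    The FAQ's items 3 to 5 explain why the Org View totals exceed the Map View totals and which records never reach the tool at all. The Python below is an added example of that counting logic, not code from the NSA document or from any of the articles reproduced here. The record fields, the calling-code table, the `SITE-X` name, and the rule that a DNR record is binned by the calling code of its normalized number are assumptions made for illustration.

```python
from collections import Counter

# Tiny subset of real E.164 country calling codes; the table is constructed.
CALLING_CODES = {"1": "US", "33": "FR", "34": "ES", "49": "DE", "93": "AF"}

# Org paths: GAO/SSO/RAM-A/SPINNERET and FORNSAT are the FAQ's own examples;
# SITE-X is a hypothetical placeholder.
SSO = ("GAO", "SSO", "RAM-A", "SPINNERET")
FORNSAT = ("GAO", "FORNSAT", "SITE-X")


def rec(kind, org, number=None, region=None, handling="SI"):
    """Build one metadata record (hypothetical field names)."""
    return {"kind": kind, "org": org, "number": number,
            "region": region, "handling": handling}


# Constructed sample records; all phone numbers are fake.
RECORDS = [
    rec("DNR", SSO, number="+33000000001"),
    rec("DNR", SSO, number="+34000000002"),
    rec("DNR", SSO),                                # no normalized number
    rec("DNI", SSO, region="AF"),
    rec("DNI", FORNSAT),                            # no administrative region atom
    rec("DNR", FORNSAT, number="+93000000003"),
    rec("DNI", SSO, region="FR", handling="FISA"),  # FAQ item 5: no ECI/FISA data
    rec("ELINT", FORNSAT, region="DE"),             # FAQ item 5: SIGINT DNI/DNR only
]


def eligible(r):
    """Apply the exclusions listed under FAQ item 5."""
    return r["kind"] in ("DNI", "DNR") and r["handling"] not in ("ECI", "FISA")


def country_of(r):
    """Return the country a record is binned into, or None if it cannot be binned.

    Assumption: a DNI region atom is already a country code, and a DNR record
    is binned by longest-prefix match of its number against calling codes.
    """
    if r["kind"] == "DNI":
        return r["region"]
    digits = (r["number"] or "").lstrip("+")
    for width in (3, 2, 1):
        code = CALLING_CODES.get(digits[:width])
        if code:
            return code
    return None


def org_view(records):
    """Count every eligible record at each level of its org path."""
    counts = Counter()
    for r in filter(eligible, records):
        for depth in range(1, len(r["org"]) + 1):
            counts[r["org"][:depth]] += 1
    return counts


def map_view(records, kind=None):
    """Count eligible records per country; unbinnable records are dropped."""
    counts = Counter()
    for r in filter(eligible, records):
        if kind and r["kind"] != kind:
            continue
        country = country_of(r)
        if country:
            counts[country] += 1
    return counts


def unbinned(records):
    """Eligible records that appear in the Org View but not in the Map View."""
    return sum(1 for r in filter(eligible, records) if country_of(r) is None)


if __name__ == "__main__":
    org = org_view(RECORDS)
    for path in sorted(org):
        print("/".join(path), org[path])
    print("map view:", dict(map_view(RECORDS)))
    print("in org view only:", unbinned(RECORDS))
```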

    Order of Battle of the CIA-NSA Special Collection Service (SCS)

    The following page from an August 13, 2010 NSA powerpoint presentation on the joint CIA-NSA clandestine SIGINT unit known as the Special Collection Service (SCS) appeared on the Der Spiegel website last week. It has since been replaced by a heavily redacted version of the same page which deletes the locations of all SCS listening posts outside of Europe.

    The page shows the locations of all SCS listening posts around the world as of August 2010, of which 74 were active, 3 were listed as being dormant, 14 were unmanned remote controlled stations, three sites were then being surveyed, and two were listed as being “technical support activities.”

    In Europe, SCS sites were located at Athens and embassy annex, Baku, Berlin, Budapest, RAF Croughton (UK), Frankfurt, Geneva, Kiev, Madrid, Milan, Moscow and embassy annex, Paris, Prague, Pristina, Rome, Sarajevo, Sofia, Tbilisi, Tirana, Vienna and embassy annex, and Zagreb.

    In Asia, SCS sites were located at Bangkok and PSA, Beijing, Chengdu, Chiang Mai, Hong Kong, Jakarta, Kuala Lumpur, Manila, Phnom Penh, Rangoon, Shanghai, and Taipei.

    In the Middle East and North Africa (MENA) region, SCS sites were located at Abu Dhabi, Algiers, Amman, Amarah, Ankara, Baghdad and embassy annex, Basrah, Beirut, Benghazi, Cairo, Damascus, Istanbul, Jeddah, Khartoum, Kirkuk, Kuwait City, Manama, Mosul, Riyadh, Sana’a, Sulaymaniyah, Talil(?), “Tehran-in-Exile”, and Tripoli.

    In South Asia, SCS sites were located at one site illegible, Islamabad, Herat, Kabul and embassy annex, Karachi, Lahore, New Delhi, and Peshawar.

    In Africa, SCS sites were located inside the U.S. embassies in Abuja, Addis Ababa, Bamako, Lagos, Nairobi, Monrovia, Kinshasa, Lusaka, and Luanda.

    In Central America and the Caribbean, SCS sites were located at Guadalajara, Guatemala City, Havana, Hermosillo, Managua, Mexico City, Monterrey, Panama City, San Jose, and Tegucigalpa.

    And in South America, SCS sites were located in Brasilia, Bogota, Caracas, La Paz, Merida and Quito.

    Any corrections to the above would be gratefully received.

    Matthew M. Aid is the author of Intel Wars: The Secret History of the Fight Against Terror (January 2012) and The Secret Sentry, the definitive history of the National Security Agency. He is a leading intelligence historian and expert on the NSA, and a regular commentator on intelligence matters for the New York Times, the Financial Times, the National Journal, the Associated Press, CBS News, National Public Radio (NPR) and many others. He lives in Washington, DC.

    October 28, 2013

    Find this story at 28 October 2013

    Der Spiegel pdf 

    Der Spiegel unredacted image

    Revealed: How Australia spies on its neighbours

    Australia’s electronic spy agency is using the nation’s embassies to intercept phone calls and internet data in neighbouring countries, according to new information disclosed by intelligence whistleblower Edward Snowden and a former Australian intelligence officer.

    The secret Defence Signals Directorate operates clandestine surveillance facilities at embassies without the knowledge of most Australian diplomats.

    Fairfax Media has been told that signals intelligence collection occurs from Australian embassies in Jakarta, Bangkok, Hanoi, Beijing and Dili, the high commissions in Kuala Lumpur and Port Moresby and other diplomatic posts.

    A secret US National Security Agency document leaked by Mr Snowden and published by Germany’s Der Spiegel magazine reveals a highly sensitive signals intelligence collection program conducted from US embassies and consulates and from the diplomatic missions of other “Five Eyes” intelligence partners, including Australia, Britain and Canada.

    Codenamed STATEROOM, the collection program involves interception of radio, telecommunications and internet traffic.

    The document says the DSD operates STATEROOM facilities at Australian diplomatic posts. It says the surveillance facilities are “small in size and in number of personnel staffing them”.

    “They are covert, and their true mission is not known by the majority of the diplomatic staff at the facility where they are assigned,” it says.

    The document says the DSD facilities are carefully concealed. “For example, antennas are sometimes hidden in false architectural features or roof maintenance sheds.”

    The Department of Foreign Affairs and Trade declined to comment on the potential diplomatic implications of the disclosure. A spokesperson said: “It is the long-standing practice of Australian governments not to comment on intelligence matters.”

    The leaked NSA document does not identify the location of the DSD facilities overseas. However, a former Australian defence intelligence officer told Fairfax Media that the directorate conducted surveillance from Australian embassies across Asia and the Pacific.

    In June, the East Timorese government complained publicly about Australian spying, including communications interception and the bugging of government offices during negotiations on the Timor Gap oil and gas reserves.

    The former intelligence officer said the interception facility at the Australian embassy in Jakarta played an important role in collecting intelligence on terrorist threats and people smuggling, “but the main focus is political, diplomatic and economic intelligence”.

    “The huge growth of mobile phone networks has been a great boon and Jakarta’s political elite are a loquacious bunch. Even when they think their own intelligence services are listening they just keep talking,” he said.

    He said the Australian consulate in Denpasar, Bali, had also been used for intelligence collection.

    Intelligence expert Des Ball said the DSD had long co-operated with the US in monitoring the Asia-Pacific region, including using listening posts in Australian embassies and consulates.

    “Knowing what our neighbours are really thinking is important for all sorts of diplomatic and trade negotiations,” Professor Ball told Fairfax Media.

    “It’s also necessary to map the whole of the telecommunications infrastructure in any area where we might one day have to conduct military operations so that we can make most use of our cyber warfare capabilities, however remote those contingencies might be, because you can’t get that knowledge and build those capabilities once a conflict starts.”

    Meanwhile, Indonesian Foreign Minister Marty Natalegawa has demanded an explanation of news that the US embassy in Jakarta has been used to tap the phones of Indonesian officials.

    “Indonesia cannot accept and strongly protests the news about the existence of tapping facilities at the US embassy in Jakarta,” Mr Natalegawa said.

    “We have spoken to the US embassy representative in Jakarta demanding an official explanation from the US government about the news. If it’s confirmed, then it’s not only a breach of security, but a serious breach of diplomatic norms and ethics, and of course it’s not in line with the spirit of having a good relationship between the two countries.”

    The Age
    Date: October 31 2013
    Philip Dorling

    Find this story at 31 October 2013

    Copyright © 2013
    Fairfax Media

    Surveillance: the DGSE passed data to the American NSA

    A week after the French political authorities voiced their indignation following Le Monde’s revelations about the scale of the electronic interceptions carried out in France by the American National Security Agency (NSA), new information shows that this emotion may have been, in part, feigned.

    On Tuesday 29 October, before the House of Representatives intelligence committee, the head of the NSA, General Keith Alexander, swore that the reports by Le Monde, as well as those by El Mundo in Spain and L’Espresso in Italy, on the NSA’s interception of European citizens’ communications were “completely false”. He specified that it was a matter of “data provided to the NSA” by those same European partners.

    A few hours earlier, the American daily The Wall Street Journal, relying on anonymous sources, asserted that the 70.3 million items of telephone data collected in France by the NSA between 10 December 2012 and 8 January 2013 had been handed over by the French services themselves. According to the newspaper, this material was passed on under an intelligence cooperation agreement between the United States and France.

    A COOPERATION AGREEMENT KNOWN AS “LUSTRE”

    This information, which tends to clear the NSA of any intrusion, advances our understanding of American espionage around the world only if it is set against the light shed on 28 October by the Süddeutsche Zeitung. The German press reported, thanks to a memo disclosed by former NSA contractor Edward Snowden, the existence of a surveillance cooperation agreement between France and the United States known as “Lustre”.

    According to our information, gathered from a senior official in the French intelligence community, the directorate of France’s foreign intelligence service, the DGSE, did indeed establish, from late 2011 and early 2012, a data exchange protocol with the United States.

    France enjoys a strategic position when it comes to the transport of electronic data. The submarine cables that carry most of the data coming from Africa and Afghanistan land at Marseille and at Penmarc’h, in Brittany. These strategic zones are within reach of the French DGSE, which intercepts and stores most of this flow between foreign countries and France.

    “A BARTER BETWEEN THE MANAGEMENT OF THE NSA AND THAT OF THE DGSE”

    “It is a barter that has been set up between the management of the NSA and that of the DGSE,” the same source explains. “We hand over whole blocks on these zones and they give us, in return, parts of the world where we are absent, but the negotiation was not done in one go; the scope of the sharing widens as the discussions go on, and they are still continuing today.”

    It therefore appears, a priori, partly accurate that some of the telephone data transiting French soil is passed by the DGSE to the NSA, under the cooperation agreements and without prior sorting. The data therefore concerns both French citizens receiving communications from these geographical zones and foreigners using these channels.

    It seems unlikely that the French government, which oversees the funding of the DGSE’s interception and storage infrastructure, is unaware of these practices. This puts into perspective the sincerity of the French recriminations after Le Monde’s disclosure of these American interceptions.

    SUBMARINE GEOGRAPHY

    The absence of a clear legal status for metadata in France and the strange discretion of the Commission nationale de contrôle des interceptions de sécurité (CNCIS) also appear to have facilitated the DGSE’s transmission to the NSA of millions of items of data relating to the private lives of millions of French people.

    Given the quantity of interceptions carried out in a single month, the justification put forward by the intelligence services, that these concern matters related to the fight against terrorism, may also be open to question.

    According to an official at Matignon, France is not the only country to “barter” in this way the data passing through its territory. It is said to belong to “a friendly association” that includes countries such as Israel, Sweden and Italy, where submarine cables that are strategic for the Americans also converge. Since 2011, a reshuffling of the cards in intelligence cooperation has thus taken place on the sole basis of this submarine geography.

    RESPONSIBILITY OF THE FRENCH POLITICAL AUTHORITIES

    This information therefore adds detail to what Le Monde has already published about the NSA’s collection, in one month, of 70.3 million items of telephone data concerning France. That some of this information is passed on with the DGSE’s consent in no way changes the fact that it infringes civil liberties. This new light above all raises the question of the responsibility of the French political authorities. Asked about this cooperation, the DGSE declined to comment.

    Moreover, Le Monde maintains, on the basis of the documents disclosed by Edward Snowden that make it possible to decipher the tables of telephone and digital data interceptions around the world, that these are operations “against” a named country. In this specific case, France.

    A senior French intelligence official, reached on Wednesday morning, acknowledged, on condition of anonymity, the existence of “these data exchanges”. He nevertheless “categorically” denied that the DGSE could transfer “70.3 million items of data to the NSA”.

    LE MONDE | 30.10.2013 at 12:51
    By Jacques Follorou

    Find this story at 30 October 2013

    © Le Monde.fr

    What does the document say about the NSA’s telephone surveillance in France?

    On Tuesday 29 October, during a hearing before the House of Representatives, General Keith Alexander, the head of the NSA, called into question the information published by several European newspapers, including Le Monde, on the surveillance carried out by the intelligence agency in their respective countries.

    What do the American authorities say?

    According to Keith Alexander, the information published by several European newspapers is based on documents that were not “understood”.

    Like the American general, anonymous sources told the Wall Street Journal that these documents, on which the European newspapers relied, do not show data intercepted by the NSA within those countries, but information captured by the European intelligence services themselves, outside their borders.

    Where does this document come from?

    DOCUMENT

    The document on which Le Monde based its revelations is among the documents exfiltrated from the NSA by the agency’s former contractor Edward Snowden, to which our collaboration with Glenn Greenwald gave us access.

    It comes from a piece of software, Boundless Informant, which aggregates and organises the data contained in the NSA’s countless databases and lets the agency’s analysts get an overview of it in a few clicks. Its existence, along with the world map drawn from it showing the scale of the data collected for each country, was revealed by the Guardian in June.

    The software can also display a per-country summary of the data concerning that country. This is the case of the document reproduced by Le Monde, on which we based the figure of nearly 70.3 million items of intercepted telephone data.

    It is also this type of document that El Mundo in Spain, L’Espresso in Italy and, before them, Der Spiegel in Germany used to support their revelations about surveillance.

    What does it show?

    The document clearly shows that 70,271,990 items of telephone data concerning France were incorporated into the agency’s databases between 10 December 2012 and 8 January 2013.

    To find its way among the many “pipes” that supply it with data, the NSA uses a specific nomenclature. Thus, at the bottom of the document we reproduce, we learn that the “channel” “US-985D”, the one that supplies all of the 70 million items of French data, is fed via two technical tools: “DRTBOX” and “WHITEBOX”. The former takes the lion’s share, gathering nearly 89% of the data shown in the document.

    Excerpt from the document obtained by “Le Monde”

    What remains unclear?

    According to the version defended by the Wall Street Journal’s anonymous sources and by Keith Alexander, this document does not show data on French people intercepted by the NSA, but information collected by France and its services, outside French territory and aimed above all at non-French targets. In other words, is the data supplied by France, or does it come from surveillance of France? The title of the document, “France, last 30 days”, does not settle the matter.

    Excerpt from a document obtained by “Le Monde”

    The existence of the two interception techniques “DRTBOX” and “WHITEBOX” could lend credence to the existence of a partnership with the French services, of which Le Monde’s information provides the proof.

    But a help document for NSA analysts, answering their questions about Boundless Informant, makes it possible, if not to contradict, then at least to heavily qualify the NSA’s hypothesis, lending credence to Le Monde’s information. Published on the Guardian’s website in June, it states several times that the information displayed there comes from collection “against” the specified countries.

    The document explains, for example, that “a click on a country [from the map] shows the collection posture (…) against that particular country”.

    Excerpt from a document published by the “Guardian”. Highlighting added by “Le Monde”.

    Elsewhere, the document states that “the tool [Boundless Informant] allows its users to select a country [as well as] the details of the collection against that country”. The question “how much data is collected against a particular country?” appears among the examples of queries that analysts can put to the software. Finally, mention is made of the “NSA’s collection capabilities” that analysts can assess using Boundless Informant.

    Excerpt from a document published by the “Guardian”. Highlighting added by “Le Monde”.

    As Le Monde wrote at the time of its revelations, the precise technical arrangements and the scope of this surveillance are unknown.

    Why are the American authorities issuing denials now?

    Several weeks ago already, media partners of Mr Greenwald used documents similar to the one reproduced by Le Monde. When Der Spiegel reported that 500 million communications of German citizens were being monitored, it did so on the basis, in particular, of a document from Boundless Informant. At the time, the NSA neither commented on nor denied this information.

    In fact, this public denial by Keith Alexander comes at a time when political pressure, domestic and international, has increased considerably on his agency.

    Finally, it should be noted that the information concerning the surveillance of French economic interests, as well as that of senior diplomats, has not been denied by the head of the American intelligence agency.

    Le Monde.fr | 30.10.2013 at 18:39
    By Martin Untersinger

    Find this story at 30 October 2013

    © Le Monde.fr

    Codename “Lustre”: France supplies information to British and US intelligence services

    While Hollande sharply criticises the latest eavesdropping operation, France has long been working with American and British intelligence services. Under the codename “Lustre”, the government concluded a cooperation agreement some time ago, and it is not alone in doing so.

    Hollande criticises the US services’ eavesdropping and moves closer to Merkel. Yet his country’s intelligence service is meanwhile cooperating, under the codename “Lustre”, with the “Five Eyes” intelligence alliance, which besides the USA and Great Britain also includes New Zealand, Canada and Australia. Paris systematically supplies them with information.

    France has concluded a corresponding cooperation agreement, a so-called third-party agreement, as emerges from documents of the whistleblower Edward Snowden that Norddeutscher Rundfunk and the Süddeutsche Zeitung were able to view.

    According to these documents, Israel (codename Ruffle), Sweden (codename Sardine) and Italy also cooperate with the British and American intelligence services. The “Five Eyes” members are said to have promised not to spy on one another. The Italian magazine L’Espresso meanwhile reported that Italy’s government is also said to have been spied on by the NSA.

    Süddeutsche Zeitung
    26 October 2013
    By John Goetz and Frederik Obermaier

    Find this story at 26 October 2013

    © Süddeutsche Zeitung Digitale Medien GmbH / Süddeutsche Zeitung GmbH
