Summary: Even the best journalists and national security experts have difficulty with technical stories like the recent NSA revelations. Today Marcus Ranum (bio) cuts through the government’s lies, explaining the truth behind the NSA’s tapping of vital telephone and email communication systems.
When politicians and spokespeople choose their words with exquisite care, then it’s time to examine them with extra care. Let’s talk a little bit about the realities of how one might monitor a data center, shall we?
“We have no direct access to their systems.”
Of course you don’t. By “direct access” you mean that you can log in and collect data directly from the system, or have database administrators’ credentials and can issue queries, or whatever. You wouldn’t want that, anyway, because the queries and the activities might then become public knowledge — those are traceable, you know.
When someone logs into a system, gains administrative rights, and looks at someone’s email in-box, that leaves traces in the system logs. That’s completely unacceptable, because what you’re querying for is classified, and suddenly those system logs contain extremely sensitive data indeed.
Here’s how you do it
Those big outfits decrypt all their traffic at the edges of the network using a load-balancer/redirector that’s capable of offloading the CPU-intensive activity of decryption from the backend servers. Inside the provider’s core network, the traffic carried within their switches is all in the clear.
You show up with a national security letter and maybe a warrant and tell the provider that you’ve got a system that does classified stuff. They’re going to plug it into their network, have the core switches span some of the traffic between, say, the mail servers and everything else, and between the user authentication servers and everything else, and send a copy of that traffic to the mystery box (or boxes, depending on the load you need to consume). That’s it.
There’s no need even to give the box an IP address, which is also a feature, because it makes the box impossible for anyone to see other than in the configuration of the core switch, or if they get into the special locked room in the data center and count the number of boxes in the rack there.
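The one place the post says such a box does show up is the core switch configuration. As an added example (not from the post or from any vendor), here is a small audit script that parses Cisco IOS-style "monitor session" (SPAN) lines from a constructed sample configuration, collects each mirror session's sources and destination, and flags any session whose destination is not on an operator-maintained allow-list of known sensors. The sample config, hostname, interface names and the allow-list are all assumptions made up for the example.

```python
"""
Audit a switch configuration for traffic-mirroring (SPAN) sessions.

Added example, not code from the post. It parses Cisco IOS-style
'monitor session' lines from a constructed sample config and reports
each session's sources and destination so an operator can reconcile
every mirror destination against an approved list of known sensors.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample configuration; not taken from any real device.
SAMPLE_CONFIG = """\
hostname core-sw-1
!
monitor session 1 source interface GigabitEthernet1/0/1 - 4 both
monitor session 1 destination interface GigabitEthernet1/0/48
!
monitor session 2 source vlan 110 , 120 rx
monitor session 2 destination interface TenGigabitEthernet1/1/2
!
monitor session 3 source interface GigabitEthernet1/0/10 tx
"""

# Hypothetical allow-list: mirror destinations the security team knows
# about (e.g. the IDS sensor port). Anything else deserves a question.
APPROVED_DESTINATIONS = {"TenGigabitEthernet1/1/2"}

MONITOR_RE = re.compile(
    r"^monitor session (?P<id>\d+) (?P<kind>source|destination) (?P<rest>.+)$"
)


@dataclass
class MirrorSession:
    session_id: int
    sources: List[str] = field(default_factory=list)
    destination: Optional[str] = None


def parse_mirror_sessions(config_text: str) -> Dict[int, MirrorSession]:
    """Collect every 'monitor session' line into a per-session record."""
    sessions: Dict[int, MirrorSession] = {}
    for line in config_text.splitlines():
        m = MONITOR_RE.match(line.strip())
        if not m:
            continue  # not a mirror-session line (hostname, '!', etc.)
        sid = int(m.group("id"))
        sess = sessions.setdefault(sid, MirrorSession(session_id=sid))
        if m.group("kind") == "source":
            sess.sources.append(m.group("rest"))
        else:
            # 'destination interface X' -> keep only the interface name
            parts = m.group("rest").split()
            sess.destination = parts[1] if len(parts) >= 2 else m.group("rest")
    return sessions


def find_unapproved_sessions(sessions: Dict[int, MirrorSession],
                             approved: set) -> List[int]:
    """Session ids whose destination is missing or not on the allow-list.

    A session with sources but no destination is also flagged: it is
    either half-configured or its destination line was removed.
    """
    flagged = []
    for sid, sess in sorted(sessions.items()):
        if sess.destination is None or sess.destination not in approved:
            flagged.append(sid)
    return flagged


if __name__ == "__main__":
    found = parse_mirror_sessions(SAMPLE_CONFIG)
    suspicious = set(find_unapproved_sessions(found, APPROVED_DESTINATIONS))
    for sid, sess in sorted(found.items()):
        status = "REVIEW" if sid in suspicious else "OK"
        print(f"session {sid}: sources={sess.sources} "
              f"destination={sess.destination} [{status}]")
```

Run against a configuration pulled from the switch on a schedule and diff the flagged set over time; a mirror destination that appears without a matching change ticket is exactly the kind of thing the post says will otherwise be invisible, since the receiving box itself never speaks on the network.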
Sniffing traffic is fairly straightforward