Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] PRISM: NSA/FBI Internet data mining project

Andy Isaacson adi at hexapodia.org
Fri Jun 7 12:20:40 PDT 2013


Apologies for replying out of thread and the wide CC list.

On Fri, Jun 07, 2013 at 06:41:32PM +0200, Eugen Leitl wrote:
> ----- Forwarded message from Matthew Petach <mpetach at netflight.com> -----
> 
> Date: Fri, 7 Jun 2013 09:32:53 -0700
> From: Matthew Petach <mpetach at netflight.com>
> Cc: NANOG <nanog at nanog.org>
> Subject: Re: PRISM: NSA/FBI Internet data mining project
> 
> Speaking just for myself, and if you quote me on this
> as speaking on anyone else's behalf, you're a complete
> fool, if the government was able to build infrastructure
> that could listen to all the traffic from a major provider
> for a fraction of what it costs them to handle that traffic
> in the first place, I'd be truly amazed--and I'd probably
> wonder why the company didn't outsource their infrastruture
> to the government, if they can build and run it so much
> more cheaply than the commercial providers.  ;P
> 7 companies were listed; if we assume the
> burden was split roughly evenly between them, that's
> 20M/7, about $2.85M per company per year to tap in,
> or about $238,000/month per company listed, to
> supposedly snoop on hundreds of gigs per second
> of data.  Two ways to handle it: tap in, and funnel
> copies of all traffic back to distant monitoring posts,
> or have local servers digesting and filtering, just
> extracting the few nuggets they want, and sending
> just those back.

That's not what PRISM is claimed to do, in the WaPo/Gu slide deck.  The
deck claims that PRISM provides a way for an analyst at NSA to request
access to a specific target (gmail account, Skype account, Y! messenger,
etc) and get a dump of data in that account, plus realtime access to the
activity on the account.  The volume is quoted to be on the order of
10k-100k of requests annually.  The implication is that data production
is nearly immediate (measured in minutes or hours at most), not enough
time for a rubber-stamp FISA warrant, implying a fully automated system.

At these volumes we're talking one, or a few, boxes at each provider;
plus the necessary backdoors in the provider's storage systems (easy,
since the provider already has those backdoors in place for their own
maintenance/legal/abuse systems); and trusted personnel on staff at the
providers to build and maintain the systems.  Add a VPN link back to
Fort Meade and you're done.

That's obviously a much easier system (compared to your 200 GBps
sniffer) to build at the $2M/yr budget, and given that $2M is just the
government's part -- the company engineering time to do it is accounted
separately -- it seems like a reasonable ballpark for an efficient
government project.  (There are plenty such, and the existence of
inefficient government projects doesn't change that fact.)

It's even possible that executive/legal at the providers actually aren't
aware that their systems are compromised in this manner.  NatSec claims
will open many doors, especially with alumni of the DoD who have
reentered the civilian workforce:
https://financialcryptography.com/mt/archives/001431.html

-andy



More information about the liberationtech mailing list