lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <BLU404-EAS341F53CC2843913CB640856FE5A0@phx.gbl>
Date: Sun, 11 Aug 2013 12:25:35 -0500
From: peter_toyota <peter_toyota@...mail.com>
To: Justin Elze <formulals1@...il.com>, Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: XKeyscore sees 'nearly EVERYTHING you do

It was CALEA, The way they told us to connect the system back then was via a separate management network. The tap data was not sent back via Snmp. Smnp was used only to activate the tap. The routers and switches had a dedicated port to siphon back the tapped data to the pc used to collect it. You could not see anything on a tcp dump with live traffic because all these commands and the resulting data  happen out of band.
 And I am not saying this is as a theory to bullshit the list and appear like I know shit. I mention this because I saw it installed back then. Who knows if in 10 years time they changed the way of tapping? Maybe now it is easier to tap a fiber like you all say, and introduce a couple tenths of db loss in the signal that a test instrument could pick up (possibly defeating the stealth nature of the tap)... ? or pull the fiber from the bottom of the seafloor and break into the cable and be able to id which fibers you want to tap, cut into that huge cable without mesing the fiber and install the tap?
I do not know, and look forward to reading about the miriad of theories in this list. At least I saw how it was done 10 years ago.

-------- Original message --------
From: Justin Elze <formulals1@...il.com> 
Date: 08/11/2013  9:13 AM  (GMT-06:00) 
To: Valdis.Kletnieks@...edu 
Cc: Pedro Luis Karrasquillo <peter_toyota@...mail.com>,full-disclosure@...ts.grok.org.uk 
Subject: Re: [Full-disclosure] XKeyscore sees 'nearly EVERYTHING you do 
 
The SNMP theory is a pretty horrible one.

Firewalls and ACLs both block SNMP at ISPs

Even if you it did suddenly allow the NSA/whoever to SPAN a port the amount of traffic would be extremely obvious. 

If you were going to do this passive optical taps would be easy, cost effective, and non intrusive(once installed) 



On Sun, Aug 11, 2013 at 10:00 AM, <Valdis.Kletnieks@...edu> wrote:
On Sat, 10 Aug 2013 22:16:15 -0400, Pedro Luis Karrasquillo said:

> NSA picks this up remotely via a very secret SNMP command.

So has anybody ever spotted this SNMP command in a tcpdump?
Found the code that handles it in net-snmp?  Cisco IOS? JunOS?
Nobody's ever caught their supervisor CPU get pegged due to SNMP
management?  Nobody spotted it a few years ago when everybody and
their pet llama was fuszzing SNMP implementations? Not one "Hey,
that command didn't get rejected, wonder what it does"?  If it isn't
on a device installed on the local net, how does the SNMP packet get
through firewalls and/or airgaps to the management network?  And
more importantly, how does the return traffic get exfiltrated without
being noticed?

Occam's Razor suggests it's much more likely to be very similar in
form and function to a CALEA box on steroids.

Not saying the NSA isn't sucking up data - but I've seen no plausible
evidence that it's done via SNMP.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



-- 
IMPORTANT NOTICE: This e-mail and any attachments thereto is intended only
for use by the individual or entity to whom it's addressed and may be
proprietary and/or legally privileged. If you are not the intended
recipient of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this email, and any attachments thereto, without
the prior written permission of the sender is strictly prohibited.   If you
receive this e-mail in error, please immediately telephone or e-mail the
sender and permanently delete the original copy and any copy of this
e-mail, and any printout thereof.
Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ