FBI has internet connected directly to verizon wireless

[Modelworks]

Very interesting read.
I thought they just listened in without a warrant on suspected individuals.
This smells more of the old rumors of Eschelon.

http://blog.wired.com/27bstrok...3/whistleblower-f.html

A U.S. government office in Quantico, Virginia, has direct, high-speed access to a major wireless carrier's systems, exposing customers' voice calls, data packets and physical movements to uncontrolled surveillance, according to a computer security consultant who says he worked for the carrier in late 2003.

"What I thought was alarming is how this carrier ended up essentially allowing a third party outside their organization to have unfettered access to their environment," Babak Pasdar, now CEO of New York-based Bat Blue told Threat Level. "I wanted to put some access controls around it; they vehemently denied it. And when I wanted to put some logging around it, they denied that."

Pasdar won't name the wireless carrier in question, but his claims are nearly identical to unsourced allegations made in a federal lawsuit filed in 2006 against four phone companies and the U.S. government for alleged privacy violations. That suit names Verizon Wireless as the culprit.

Pasdar has executed a seven-page affidavit for the nonprofit Government Accountability Project in Washington, which on Tuesday began circulating the document (.pdf), along with talking points (.doc), to congressional staffers hashing out a Republican proposal to grant retroactive legal immunity to phone companies who cooperated in the warrantless wiretapping of Americans.

According to his affidavit, Pasdar tumbled to the surveillance superhighway in September 2003, when he led a "Rapid Deployment" team hired to revamp security on the carrier's internal network. He noticed that the carrier's officials got squirrelly when he asked about a mysterious "Quantico Circuit" -- a 45 megabit/second DS-3 line linking its most sensitive network to an unnamed third party.

Quantico, Virginia, is home to a Marine base. But perhaps more relevantly, it's also the center of the FBI's electronic surveillance operations.

"The circuit was tied to the organization's core network," Pasdar writes in his affidavit. "It had access to the billing system, text messaging, fraud detection, web site, and pretty much all the systems in the data center without apparent restrictions."

The 2006 lawsuit (.pdf), which is suspended pending an appeals court ruling, describes a similar arrangement, naming Verizon.

Because the data center was a clearing house for all Verizon Wireless calls, the transmission line provided the Quantico recipient direct access to all content and all information concerning the origin and termination of telephone calls placed on the Verizon Wireless network as well as the actual content of calls.

The transmission line was unprotected by any firewall and would have enabled the recipient on the Quantico end to have unfettered access to Verizon Wireless customer records, data and information. Any customer databases, records and information could be downloaded from this center.

That doesn't mean Pasdar's affidavit confirms the claims in the lawsuit. He acknowledges speaking with the attorneys on that lawsuit before it was filed, so he may be the source in that complaint as well. But he insists he did not name Verizon or any other phone company to the lawyers.

"I don't know if I have a smoking gun, but I'm certainly fairly confident in what I saw and I'm convinced it was being leveraged in a less than forthright and upfront manner," Pasdar says.

Verizon spokesman Peter Thonis says he can't confirm or deny a Quantico arrangement, or comment on whether Pasdar did contract work for the company.

"What you're talking about sounds as if it would be classified and involving national security, so I wouldn't be able to find out the facts," Thonis writes in an e-mail.

 

[jpeyton]

Can you spy on me now?

Good.

 

[jersiq]

Ugh, so much misinformation in that Article. To be fair I only read your quote, but that was enough.

I have worked in the wireless industry for the past 10 years. I have specifically worked on the equipment that completes your calls for the last 7 years. I no longer work at a wireless company, so I have no vested interest in sharing this information.

There are CALEA boxes, however they can only fork DS0's, not an entire trunking facility.

Here's how a voice call works:

Caller A calls a landline, the resolution for which trunk group is provided by the ECP.
The connection is made in the 5ESS on a single DS0 level, to the landline caller.
So that's 1 DS0 tied up for one caller. The situation is similar when you call another mobile either within the same provider, or with a different provider. 1 DS0 per call although that is somewhat changing, but not completely implemented.

A DS3 is 28 T1's at 24 DS0's per T1, yielding 672 DS0's.
To put it in perspective, an average switch in a semi-metropolitan area will average between 800,000 to 1 million Call attempts in a busy hour (1 hour alone), and there are multiple regional switches.
I highly doubt that a DS3 would even be capable of handling a fraction of the call volume on some switches at 3 AM, which are the lowest traffic times in cellular. In fact, I will call it impossible.

Secondly, there is NO "clearing house" of call content. There are billing records, but that doesn't even come close to giving you the content of a call. If you think it is "stored", then I would like to see what you think the necessary sotrage size is considering the following scenario:

In order to serve ~500,000 voicemail subscribers (because we are recording voice after all) you would look at approxiamately 30-40 disks at 20 GB each (I am estimating here as I have never had to order this equipment), and that is using a proprietary compression algorithm by the vendor.
Again A DS3 could not handle the amount of traffic for voice alone, but I will entertain the other services they highlighted.

On a 1X or EVDO data call in a Mobile IP application, you are given a FA (Foreign Agent), and an HA (Home Agent) for your data completion. These HA's and FA's are located regionally throughout the US, and the major data distribution centers where the HA's are, had a DIRECT connection to the Internet though an ISP's POP. In a SIP call, it's a little easier, as the HA doesn't really have to get involved.

So notwithstanding the voice applications, a DS3 couldn't handle the information for data applications.

Now onto Text Messaging
Again, there are regional centers that handle the SMS functions for a regional area. They know the routes to other SMSC's and upon receipt, forward to the appropriate serving SMSC of where the recipient of the message is.
I believe the number for last year was ~3 or 4 billion messages sent. This also includes videos and pictures being sent, not just text messages at 160 characters per message.

Do you still think a DS3 is adequate capacity to monitor whatever they want, whenever they want?
I don't.

 

[Modelworks]

Originally posted by: jersiq

Do you still think a DS3 is adequate capacity to monitor whatever they want, whenever they want?
I don't.

Maybe not for every call that is placed, but a DS3 is defenitely more than enough for customer info, calls made, and listening to select calls.

If they have access to billing then they know who made what calls where, which enables them to target whomever they like without going through legal channels.

The point is did they have access to verizons network without any legal oversight whatsoever. The equivalent to be able to type in a name and view records, and then select that one caller for listening.

 

[jersiq]

Originally posted by: Modelworks

Originally posted by: jersiq

Do you still think a DS3 is adequate capacity to monitor whatever they want, whenever they want?
I don't.

Maybe not for every call that is placed, but a DS3 is defenitely more than enough for customer info, calls made, and listening to select calls.

If they have access to billing then they know who made what calls where, which enables them to target whomever they like without going through legal channels.

The point is did they have access to verizons network without any legal oversight whatsoever. The equivalent to be able to type in a name and view records, and then select that one caller for listening.

Yes they have access to "Select Calls", and the FBI have the same connection to other wireless carriers. Look up the provisions for CALEA. If presented with a warrant (and I am fully aware of the recent transgressions by Telecoms) , they have to get the forked calls from point A (carrier) to Point B (LEA) without intervening in the calls themselves. Think of how many cases would have been thrown out if Verizon had stored any of the calls.

I also call bullshit on the "connection without a firewall"
Most carriers have their own internal security team, and believe me due to the sensitive nature of customer information, they are locked down tighter that a frogs behind.

Edit:
As an FBI agent you can't click a button to listen to calls. The only way to listen is to have the customer added to information on the CALEA box, which the wireless carriers maintain themselves. In the recent uproar over the illegal wiretapping, did you notice that the TELCOMS complied with the requests without warrant? That means that THEY (carriers) are in charge of the boxes, not the FBI.
There is no "clearing house" of all calls made on a network. Your call is routed through a local switch, and that's it. If I am in Florida, and call a Florida number, my call goes to the serving switch, then directly to the person I am calling. The only exception is if I have been placed on the CALEA box, in which case my voice is sent to whatever agency requested the tap.