Mar 08 2008
Muck-Raking BS Using Amateur ‘Experts’
The liberal media and pundits are so technically illiterate it is sometimes scary. And this complete illiteracy leads them to wild-eyed fake accusations based on the ‘testimony’ of ‘experts’ who are not experts and cannot hold a candle to some of us professionals in the telecommunications business. While I would not even consider myself a security guru (though I deal with it on a daily basis), I can tell you without hesitation that the latest ‘expert’ to arise in the NSA-FISA wars is clearly not one.
Paul Kiel over at the aptly named TPMMuckRaker provides us the latest example of the rabid left using amateur ‘experts’ to make a case about US eavesdropping on Americans.
That consultant is a man named Babak Pasdar, who outlined the accusation in an affidavit (pdf) for the Government Accountability Project. Pasdar does not name the wireless carrier, but Wired reports that “his claims are nearly identical to unsourced allegations made in a federal lawsuit filed in 2006,” which names Verizon Wireless.
In the affidavit, Pasdar says that he was hired by the carrier in 2003 to do a major security overhaul, a taxing job that was going relatively smoothly, having covered more than 300 sites, until he asked why the overhaul seemed to be skipping one location, which the carrier consultants called the “Quantico Circuit.” Quantico, Virginia is home to the FBI Academy and the bureau’s electronic surveillance operations.
When Pasdar asked the company’s security consultants about the location, he only got smiles. And when he insisted that the location be covered by the same security procedures as the others, one of the consultants replied “I don’t think that is what they want.” When he asked “Who?” the consultants didn’t respond. Then the company’s security director appeared to demand that Pasdar “move on” and “forget about the circuit” or he’d be fired.
I will deal with Mr. Pasdar and his affidavit in detail in a moment. Rest assured he is not as experienced or as technically deep as TPM tries to make him out to be. One thing is correct though, this case is very similar to the previous claims by the left the last time they thought they found a suspicious telecom room – a matter which I posted on at the time.
This previous media screw-up was based on a technician’s (not an engineer’s) recollection of seeing communications circuits in a separate room from the public circuits. My assessment then was that this technician had simply discovered the private federal communications backbones, which every major federal agency or department has to have to link its geographically distributed facilities and commercial workforces together. They do use cell phones, BlackBerries and email in the US government, folks.
For example, NASA uses AT&T (the same carrier this technician worked for) to provide its communications backbone – which is physically closed off from AT&T’s public backbone and from any other federal agency’s backbone they support. And it is closed off for damn good reasons. No one wants a hacker getting into NASA’s systems during a launch and screwing things up.
These federal circuit rooms are separate and have special monitors on them for auditing, checking for security breaches and attacks, and checking for misuse (e.g., porn). All this previous guy did was probably trip over a room used to house one or more of these private federal circuits. NASA has them, DoD has many of them, DoJ and the FBI have theirs – they are all over the place. And yes, we use commercial providers to give us the com pipelines to move classified and secure traffic. It is either that or put the Federal government into the com business.
Let me pass on some highlights of my career to establish my bona fides. I specialize in architecting, designing and developing distributed computer systems, especially those that deal with command and control functions as well as simple data transport. I worked on the development of the DoD’s Global Command and Control System (GCCS), worked briefly on the FBI’s Integrated Automated Fingerprinting System, and now work on NASA’s plans to explore the universe, which has me working with NASA’s communications engineers. These are just a few of the programs I have worked on and provided lead Systems Engineering support to. Not only do I know various communications architectures, I know how the federal government designs, operates and outsources its internal implementations.
So, with that said let’s get to Mr. Pasdar’s lame affidavit – shall we?
First off, Pasdar is a bit of a blowhard. In his background he mentions he is a “Certified Ethical Hacker”, yet he demonstrates a ludicrous lack of understanding of Federal security policies, as we shall see. To summarize his experience, he installs firewalls/routers, which is like saying he plugs in computers and configures them. Not a trivial skill, but not that of a security systems engineer, computer systems engineer, etc. His job in the referenced incident, which took him many uselessly long sentences stuffed with techno babble to convey, was to replace old firewalls/routers with newer versions.
And it was not even a big job – maybe four weeks max:
[Page 1] The carrier was under immense time pressures to activate the new technologies I was brought on to implement, as it was already late September and they had a hard freeze date in mid-October.
The guy was brought in to copy the firewall settings from the old devices into the new ones – that’s it. Again, it takes this guy a lot of words to say something simple:
[Page 2] We quickly pressed on to define our objectives and establish phases for the project. This included understanding the function for each of the client’s firewall policies. Then it required converting the policies to a common format we could manipulate. Finally, it involved translating them from raw format to a language the new firewalls would understand.
In simple language, they decided to copy the old settings into a neutral format so they could automate the translation and minimize human translation errors. Remember, they had four weeks to finish. He drones on about how they transitioned a few minor devices first and then went on to the full migration – at which point it becomes clear this guy has no clearances and no idea about the secure federal communications systems his customer supports:
[Page 3] At one point I overheard C1 [permanent Consultant 1 for the prime customer] and C2 [Consultant 2] talking about skipping a location. Not wanting to do a shoddy job I stopped and said “we should migrate all sites”.
Basically this guy butts his nose in where it does not belong, and moves on to demonstrate his ignorance:
[Page 3] C1 told me this site is different.
I asked, “Who is it? Carrier owned or affiliate?”
C1 said, “This is the ‘Quantico Circuit.'”
With the US Marines, the FBI and others located in Quantico, tripping over US government com circuits is about as surprising as finding politicians in DC. I also just want to note for the record how damn popular (and secure) BlackBerries are within the US government – and how they use them to send and get email while on the road. A factor one would think would cause someone to rethink this entire lame case mucked up by TPM.
The story continues (too long, once you realize federal com circuits exist everywhere there is a federal office):
[Page 3] “What kind of circuit is it?”, I asked.
“A DS-3,” replied C1. (A DS-3 is a 45 megabit per second circuit that supports data and voice communications)
Let me put that into some perspective for folks, and explain why this is not a large enough circuit to be doing mass surveillance. One NASA spacecraft staring at the Sun will be generating 150 megabits per second continuously, all day, every day. This DS-3 is not capable of handling a third of that data. US weather satellites can produce 150 Mbps of data each pass, which means this circuit is incapable of relaying that data in real time. This circuit cannot handle the data from one satellite. It is very small in the telecom world.
[Page 4] C1 said this circuit should not have any access control. He actually said it should not be firewalled.
I suggested to migrate it and implement an “Any-Any” rule. … That meant we could log any activity making a record of the source, destination and type of communication. ….
C1 said, “I don’t think that is what they want.”
“Who?”, I asked, and again C1 and C2 did not respond.
C2 by this point had stepped back and his body language showed that he was very uncomfortable discussing this matter.
“Come on guys, let’s just do it and ask for forgiveness later. You know it’s the right thing.” I suggested.
No wonder C1 and C2 were looking uncomfortable. Clearly this guy did not have the clearances to be told any details, and he was proposing a major criminal violation. I don’t think I am violating any big secrets in pointing out that these secure federal circuits are connected using federally owned devices and managed using federal employees or contractors with very serious background checks and security clearances.
What this ‘expert’ did not know was he was proposing to commit a serious federal crime by going in and messing with government property without authorization. Which is why it is very clear he is not an expert at all – just some naive rube who was hired to translate settings from one product into another.
And what are knowledgeable people supposed to think based on the affidavit of this neophyte with the big ego, who was so absolutely clueless that he was proposing to commit a federal crime? Are we to be impressed with TPM MuckRaker and their ‘expert’? I am impressed – at how dumb and naive they are. Next time TPM or the left want to plant a fake BDS-driven conspiracy story, try getting the views of real experts in the field. You won’t come away looking so damn foolish and uninformed.
And definitely don’t use someone who just admitted he was pushing people to commit a federal crime by accessing federal property without permission. Geez.
And these kinds of misunderstandings (purposeful or not) carry over into policy making as well:
http://hotair.com/archives/2008/03/08/obama-adviser-obama-naive-knee-jerk-on-telecom-immunity/
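As an added illustration of the migration job the affidavit actually describes (this is example code written for this post, not Pasdar’s tooling and not anything from the carrier): the old policy is parsed into a vendor-neutral form, the “common format we could manipulate”, and then emitted in the new firewall’s language. It assumes the old boxes speak iptables-save syntax and the new ones take a Cisco IOS extended ACL; the policy lines and addresses are constructed samples. It also flags any rule that permits everything, which is what the “Any-Any” rule he says he proposed for the Quantico circuit amounts to: with or without logging, a box carrying that rule is not filtering anything.

```python
"""Firewall policy migration in three steps: parse the old policy, hold it
in a neutral form, emit it in the new firewall's syntax.
Added example; not the affidavit's or the carrier's tooling. Assumed old
format: iptables-save lines. Assumed new format: Cisco IOS extended ACL."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")
TARGETS = {"ACCEPT": "permit", "DROP": "deny", "REJECT": "deny"}


@dataclass(frozen=True)
class Rule:
    """Vendor-neutral rule: the 'common format we could manipulate'."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None
    log: bool = False


def parse_iptables(text: str) -> List[Rule]:
    """Steps 1 and 2: iptables rules -> neutral rules. iptables logs with a
    separate '-j LOG' rule; one immediately preceding a rule with the same
    match is folded into that rule as log=True (one IOS entry with 'log')."""
    rules: List[Rule] = []
    pending_log: Optional[Tuple] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)
        proto, src, dst, dport, target = "ip", ANY, ANY, None, None
        i = 0
        while i < len(toks):
            flag = toks[i]
            arg = toks[i + 1] if i + 1 < len(toks) else None
            if flag in ("-A", "-I", "-m", "--log-prefix"):
                pass                      # chain, match module, log prefix: no effect on the match
            elif flag == "-p":
                proto = arg.lower()
            elif flag == "-s":
                src = ipaddress.IPv4Network(arg, strict=False)
            elif flag == "-d":
                dst = ipaddress.IPv4Network(arg, strict=False)
            elif flag == "--dport":
                dport = int(arg)
            elif flag == "-j":
                target = arg.upper()
            else:
                raise ValueError(f"unsupported option {flag!r} in: {line}")
            i += 2
        key = (proto, src, dst, dport)
        if target == "LOG":
            pending_log = key
            continue
        if target not in TARGETS:
            raise ValueError(f"unsupported target {target!r} in: {line}")
        rules.append(Rule(TARGETS[target], proto, src, dst, dport,
                          log=(pending_log == key)))
        pending_log = None
    return rules


def _ios_addr(net: ipaddress.IPv4Network) -> str:
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # IOS ACLs use wildcard masks


def to_ios_acl(rules: List[Rule], name: str = "MIGRATED") -> str:
    """Step 3: neutral rules -> Cisco IOS extended ACL text."""
    out = [f"ip access-list extended {name}"]
    for r in rules:
        parts = [r.action, r.proto, _ios_addr(r.src), _ios_addr(r.dst)]
        if r.dport is not None:
            parts.append(f"eq {r.dport}")
        if r.log:
            parts.append("log")
        out.append(" " + " ".join(parts))
    return "\n".join(out)


def unrestricted_permits(rules: List[Rule]) -> List[int]:
    """Indices of rules that permit all traffic: a site carrying one of
    these is 'not firewalled' in any meaningful sense, logged or not."""
    return [i for i, r in enumerate(rules)
            if r.action == "permit" and r.proto == "ip"
            and r.src == ANY and r.dst == ANY and r.dport is None]


# Constructed sample of an old policy (documentation address ranges).
OLD_POLICY = """
-A FORWARD -p tcp -m tcp -s 10.0.0.0/8 -d 192.0.2.10/32 --dport 443 -j ACCEPT
-A FORWARD -p udp -s 10.0.0.0/8 -d 192.0.2.53/32 --dport 53 -j ACCEPT
-A FORWARD -p tcp -s 198.51.100.0/24 -d 192.0.2.10/32 --dport 22 -j DROP
-A FORWARD -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG --log-prefix "anyany: "
-A FORWARD -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
"""

if __name__ == "__main__":
    migrated = parse_iptables(OLD_POLICY)
    print(to_ios_acl(migrated))
    print("unrestricted permits at:", unrestricted_permits(migrated))
```

Logging is the platform-dependent part: on iptables it is a separate LOG rule, on IOS it is a keyword on the entry, so a naive line-for-line translation either doubles the rule count or silently drops the logging. That is the sort of thing the neutral-format step exists to catch, and it is all the “technical” content there is in this part of the affidavit.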
Ok, evidently we are talking about a DS3 (also known as a T3) data circuit. Not exactly a huge circuit in today’s SONET world of OC-12 and larger circuits. It appears to be a circuit connecting two routers or two networks judging from the conversation.
No access control would tend to mean that it is interconnecting two networks of same security levels. It implies that everyone on one network has free access to the other. Sort of like two offices of the same department might have or two offices of the same company.
The “any any” rule the guy is talking about is probably something like:
permit ip any any log
which would be a router rule that allows all traffic but logs it. The problem with a rule like this is that if there is no real need for it, it uses up CPU resources to log these traffic flows; if they are logged to a remote machine someplace, it uses up network and storage resources to keep this data archived; if they are not saved remotely, the logs are quickly overwritten in memory, making them useless; and if they are saved, they must then be safeguarded, because the data they contain is now a potential security hazard, as it will show who had access to what, when. It could very well be that no record of this was wanted, for very good reason. Data you don’t have can’t be stolen by China. If the two networks are of equal security access, there is no need to keep a record of it.
I first saw this story a couple of days ago over at Wired
http://blog.wired.com/27bstroke6/2008/03/whistleblower-f.html
You have to read the thread just for the laughs.
Those tinfoil kids on what is supposed to be a techie oriented site, and the editors who allowed this thing to get out to start with, make you wonder if they just figured out how to publish press releases from hardware manufacturers, because they sure botched the job on the technical weakness of this story.
Again for scale. DS-3 45 meg in the story
Common Hi Speed DSL 6 meg
Common Cable Modem 10 meg
Verizon FIOS connection 50 meg
My connection here at the house for Day Trading
Linksys RV-016 16 port router with 7 of the ports configured as wide area network inputs from the web. That is the maximum the particular router supports
INPUTS
3 DSL 6 meg lines from Provider A
2 DSL 6 meg lines from Provider B
1 Cable Modem 10 meg line from Provider C
1 VSAT 45 meg satellite connection
The first 6 lines are a round robin shared total bandwidth setup the last is a fallback if 3 or more of the others fail.
Bottom line my place kicks this feed right out of the room. I also have completely separate business feeds here with multiple redundant OC-12 lines.
All this for a single stock trader to have 24/7 access to exchanges around the world with direct data feeds from the exchanges running into a disk farm via network grade routers and processed by multiple IBM Z9 mainframe computers.
That little DS-3 line wouldn’t be enough to service the internet cafe on base at Quantico in a decent manner. You could end up stalling that line just from having a bunch of guys surfing and streaming YouTube videos at the same time.
As to that other setup from San Francisco in the earlier EFF lawsuit, it is very likely this is part of the access required for warranted use of the system of the CALEA legislation to tap the net for authorized use.
This connection goes to a wireless provider, not a net backbone site.
Even at that take the entire network traffic through that place in one day if it is a hub and the DS-3 would be like trying to bail out the ocean with a teaspoon.
A lot of small people want to look big. MSM will buy anything that makes Bush look evil.
The little turd wanted to traipse into the network closets and server farms in Quantico and initiate a log on USMC, FBI, and who knows who else’s internal network traffic.
To be reviewed by whom.
The assumption by the turd is that the network in question needed his services. That it lacked the security his 4 month long contract was ‘staffed’ to provide. That he is the epitome of data security experience in the United States of America.
Well, maybe the security on that network far exceeded the capabilities of his corporate white gear – eh…
Well, maybe the equipment in that network might have been unfamiliar to him – eh…
There are a lot of reasons not to invite him in.
Important, very important.
Self important.
They knew (nothing), but did nothing
It’s written to make you breathless, but in the end you find out you are in a vacuum.