March 25, 2014

Some SIGINT and COMSEC during the Nuclear Security Summit

(UPDATED: March 27, 2014)

On March 24 and 25, the third Nuclear Security Summit (NSS) is held in The Hague, the seat of the government of the Netherlands. As 58 world leaders will be present, including US president Obama, the summit takes place under severe security measures.

Here we will take a look at some noticable things on the Signals Intelligence (SIGINT) and Communications Security (COMSEC) front, especially regarding the American president. When some new details or pictures come up, they will be added.

US presidential motorcade

On the morning of Monday, March 24, president Obama flew in aboard Air Force One, accompanied by all the famous vehicles like the helicopters which become Marine One when he is aboard, and the cars of the presidential motorcade. As can be seen in this video, there are actually 4 identical and heavily armored presidential limousines, so two motorcades with each two identical limousines can be formed - so no one knows which one is carrying the president.

One of the last cars in the motorcade is the WHCA Roadrunner which is recognizable by a small satellite dome and a number of VHF whip antennas on a roof platform. Also known as the Mobile Command and Control Vehicle (MC2V), it serves as the communications hub for the motorcade by beaming up encrypted duplex radio and streaming video to a military satellite, which in turn beams that data back down to a ground entry point and through to the switchboard of the White House Communication Agency (WHCA).

The WHCA Roadrunner arriving in Noordwijk, where Obama is staying
(still from a video by VOLMedia)

The WHCA Roadrunner on its way from Noordwijk to The Hague
with the satellite dome and 5 VHF antennas on its roof
(photo: madebymaus posted at

US communications aircraft

Also present is an aircraft most people don't know of and will rarely see. But it was noticed by air traffic spotters: a small US Army Beechcraft RC-12P Huron with tail number 92-13123 entered Dutch airspace around the same time as Air Force One.

A Beechcraft RC-12P surveillance and communications aircraft
(photo: Wikimedia Commons)

The Beechcraft C-12 Huron is a small twin-turboprop aircraft, which is used for many years by the US Army under its Guardrail/Common Sensor System program. In many different versions, the Beechcraft planes are widely used in war zones like Afghanistan, mainly for collecting Signals Intelligence. For that purpose they have highly specialized equipment on board, like for example DRT devices, which can be used to intercept and monitor short range radio and cell phone communications.

When following the president, the Beechcraft is probably also used as an additional communications hub between for example the presidential motorcade and the White House Communication Agency (WHCA) as this aircraft can also serve as a relay for satellite communications. The mission equipment of the RC-12P version includes datalink capability, and has fibre optic cabling and smaller and lighter wing pods.

The Doomsday Plane

Another interesting plane that followed Air Force One is a Boeing E-4B that serves as National Airborne Operations Center (NAOC). It's also known as the "Doomsday Plane" because during the Cold War there was always one of these aircraft in the air to provide a survivable platform in the event of a nuclear attack. Its original codename was "Nightwatch", derived from the famous Rembrandt painting that Obama saw during his visit to Amsterdam.

On March 24, plane spotters noticed an E-4B with tail number 75-0125 following Air Force One when entering European airspace. When the US president travels outside North America, the E-4B lands on an airport within several hundred miles of the president's destination, to be readily available in the event of an emergency that renders Air Force One unusable. It's not yet known where the E-4B landed during the Nuclear Security Summit.

A Boeing E-4B National Airborne Operations Center plane
(photo: Sergio Perez Aguado)

World leaders' telephones

For secure phone calls, president Obama can use his highly secured BlackBerry, which connects to a secure base station that follows him where ever he goes. In the picture below we can see he also brought his BlackBerry to the opening session of the Nuclear Security Summit on March 24:

Obama and his BlackBerry at the opening session of the Nuclear Security Summit
(photo: Yves Herman/Pool/European Pressphoto Agency)

The WHCA also installs secure wireline phones at every place the president stays. Nowadays that includes a vIPer 'Universal Secure Phone' which can connect through analog, digital or VoIP networks, and a Cisco IP phone that connects to the highly secured Executive Voice over Secure IP-network through dedicated and encrypted satellite links.

Other world leaders will also have brought their own equipment for secure communications with their capitals, including landline and mobile telephones that are able to perform end-to-end encryption of the calls.

For example, German chancellor Angela Merkel can use her secured BlackBerry 10 smartphone or a landline secured by the Elcrodat 6-2 encryption device. The French president François Hollande has a Teorem secure cell phone and can also place secure calls through a wireline DCS 500 telephone set.

The British prime minister David Cameron can place secure calls by using a Brent 2 secure telephone. Apparently he also uses one or two mobile phones, but from the picture below it's difficult to recognize their make and type. It's also not clear whether they have any encryption capability.

British Prime Minister David Cameron attends the
opening session of the Nuclear Security Summit
(photo: Reuters/Sean Gallup/Pool)

Russian spy ships?

There was some speculation about two Russian crab fishing trawlers lying in the harbour of Scheveningen, which is a small port next to The Hague. People noticed that these ships had so many antennas, and thought they could be Russian spy ships, trying to intercept communications from the world leaders attending the Nuclear Security Summit.

Two Russian trawlers in Scheveningen
(photo: Ferry Mingelen)

However, it stated out that both ships, from Petropavlovsk-Kamtsjatski in the far eastern part of Russia, came in three weeks ago having problems with their engines. This was solved rather quickly, but then problems with some neccessary certificates appeared, and both ships had to stay until that issue has been cleared.

Regarding the antennas, some people say that they are quite ordinary HF and VHF antennas, which were used by ships before maritime satellite communication was introduced.

During the Cold War, the Soviet Union had a large fleet of fishing trawlers that conducted covert signals intelligence gathering. Nowadays, known Russian spy ships are often much larger military vessels, which don't have to go into the territorial waters of a country they want to monitor, but can operate safely from international waters. An example is the Viktor Leonov SSV-175 from the Vishnya class in the picture below, but a ship like this one has not been seen near the Netherlands.

The Russian spy ship Viktor Leonov SSV-175
(photo: Stringer/Reuters)

Links and Sources
- 618 photo's of Obama in Noordwijk
- Photo's of the NSS 2014 at Flickr
- Photo gallery of Obama's trip to Europe and Saudi Arabia
- Russian spy ships? Scheveningse haven door Russen geannexeerd
- More about The Beast and its Escorts
- Secret Service agents on Obama detail sent home from Netherlands after night of drinking
- Revealed: INSIDE the President's $223m 'DOOMSDAY PLANE' that protects him against nuclear war, asteroids and terror attacks

March 23, 2014

Video demonstration of two intelligence analysis tools

In a previous article we provided a very extensive description of a communications analysis tool used by the Canadian agency CSEC. Here we will show two video demonstrations of analysis tools which are used by intelligence and law enforcement agencies all over the world: Sentinel Visualizer and Analyst's Notebook.

Sentinel Visualizer

The first intelligence analysis program is Sentinel Visualizer, which was developed by FMS Advanced Systems Group. This is a 'minority-owned' small business founded in 1986 and based in Vienna, Virginia, which provides custom software solutions to customers in over 100 countries.

This video shows a demonstration of how the Sentinel Visualizer software program can be used to analyse telephony metadata in order to discover new targets:

FMS claims that In-Q-Tel, the CIA's venture capital arm is an investor in FMS, apparently in order to improve their products so they can fit the needs of the CIA. FMS also claims that its product is much cheaper than the alternative, with the price of a single-computer license for its Sentinel Visualizer starting at 2699,- USD, while IBM's Analyst's Notebook tool starts at 7160,- USD.

Analyst's Notebook

Very similar to the Sentinel Visualizer is Analyst's Notebook, which was developed in the early 1990's by i2, a UK-based arm of software company i2 Group which produced visual intelligence and investigative analysis software. After a number of acquisitions, it became part of IBM in 2011.

Both programs offer similar functions, like metadata/link analysis, call chaining, timeline views, social network analysis, geospatial visualizations, and the import of data from knowledge bases and other data sets.

For analysing telephony metadata, Analyst's Notebook has an extension called Pattern Tracer, which enables rapid pattern analysis for "quickly identifying potential targets and predict future incidents more accurately".

This video demonstrates how a "Pattern-of-Life Analysis" can be conducted by using Analyst's Notebook - Esri Edition:

Analyst's Notebook is said to be used by about 2500 intelligence, security and law enforcement agencies, as wel as police forces (like for example the Dutch police, the German Federal Criminal Police Office and the London Metropolitan Police) and investigative organizations and companies in over 150 countries. According to a range of job descriptions, Analyst's Notebook is also used by analysts at NSA.


As can be seen in the second video, these intelligence analysis tools are quite powerful and able to provide a deep insight into the life of a targeted person. But the presentation also shows that this kind of surveillance is consuming too much time and resources for using it against millions of innocent civilians.

Like the example in the second video, these tools are mainly used for operations against known and potential terrorists and a number of other people of interest, like drugs and weapons traffickers, and also some high level foreign government and military officials.

Regarding the intrusiveness of these tools, we should also keep in mind that they are used by law enforcement and police forces too. Where intelligence agencies use these tools generally for preparing reports for political and military decision makers, their use in numerous criminal investigations by the police can affect ordinary citizens much more directly.


On December 15, 2013 the CBS television program 60 Minutes provided some hitherto unseen vieuws from inside the NSA headquarters. One of those was an NSA employee who gave a demonstration of how the metadata contact chaining method works. The following screenshots show a tool very similar to the ones in the videos above:

Today, the German magazine Der Spiegel published in its print edition a slide from an NSA presentation that shows a contact graph based upon a social network analysis for the CEO and the Chairwoman of the Chinese telecommunications company Huawei:

(image provided by @koenrh)

See our previous article about the Canadian OLYMPIA tool for how intelligence agencies can map such a social communications network by using just one or two e-mail addresses to start with. See also an earlier article about how NSA used similar techniques to create contact graphs about the Mexican and the Brazilian president.

Links and Sources
- How Sentinel Visualizer is a Superior Alternative to IBM's i2 Analyst's Notebook

March 13, 2014

OLYMPIA: How Canada's CSEC maps phone and internet connections

On October 6, 2013, the Brazilian television program Fantástico revealed the existance of a software program called OLYMPIA. In this case, the program was used by the Communications Security Establishment Canada (CSEC) to map the telephone and computer connections of the Brazilian Ministry of Mines and Energy (MME).

OLYMPIA is a sophisticated software framework that combines access to a range of databases and analytic tools. It's used to discover and identify the telephone and computer infrastructure used by potential targets. This information can then be used for setting up tapping, bugging and/or hacking operations. OLYMPIA itself does not collect any actual content of communications.

In this article we take a close look at the OLYMPIA tool, based on the powerpoint presentation that was first shown on Brazilian television on October 6, 2013. On November 30, the Canadian newspaper The Globe and Mail published most of the slides on its website. Here, all available slides are pulled together, including one that had to be reconstructed from the video footage (click the slides to enlarge them).

The OLYMPIA presentation was dissected and analysed in depth by a reader of this weblog, who wants to stay anonymous, but kindly allowed me to publish his interpretation here. I did some editing to make his text fit the format of this weblog.

For some readers these explanations may be too complex and detailed, but for those who are interested, they provide a unique look at this part of the signals intelligence tradecraft. We can assume that similar tools are used by NSA, GCHQ and other agencies.

The OLYMPIA presentation was held in June 2012 during the "SD Conference", where SD stands for SIGINT Development - an intelligence term for testing and creating new ways to collect signals intelligence information. According to Fantástico this is an annual conference for members of the Five Eyes partnership, which consists of the United States, United Kingdom, Canada, Australia and New Zealand.

This case study was presented by what seems to be someone from the Advanced Network Tradecraft unit of CSEC, probably because "one of the things Canada does very well is analysis" - according to NSA historian Matthew Aid. (or could Advanced Network Tradecraft be the ANT unit of NSA's Tailored Access Operations (TAO) division?)

This slide gives an overview of the Olympia interface which can present all sorts of different types of information at the same time and probably can be customized by the user. Right in the middle, probably just to have something graphical amidst all the tables, there is a map, showing the central part of Brasil, with a purple dot marking the capital Brasilia. It's not a Google map, because that would have replaced the jagged coastline with bathyometeric shaded relief and would look much nicer than this geolocation satellite view.

This slide shows the same image of the Olympia interface as in the previous slide, but this time with a pop-up menu open. The list shows eight previously known NSA tools and databases, a GCHQ tool, commercial software, and software tools developed by CSEC staff which are recognizable by their classical Greek names. Arranged in alphabetical order, the tools and databases listed in the pop-up menu and in another list from the interface are:
ATHENA - Ports Information (CSEC)
ATLAS - Geolocation and Network Information (CSEC)
BLACKPEARL - Survey Information (NSA)
COEUS - WHOIS Information (CSEC)
EONBLUE - Decoding Hostnames? (commercial)
EVILOLIVE - Geolocation (NSA)
GCHQ Geofusion - Geolocation (GCHQ)
HYPERION - IP-IP Communication Summaries (CSEC)
LEVITATE - FFU (FireFox User??) Events
MARINA - TDI Online Events (NSA)
PEITHO - TDI Online Events (CSEC)
PEPPERBOX - Targeting Requests
PROMETHEUS - CNO Event Summaries (CSEC)
QUOVA - Anonymizers, Geolocation Map (commercial)
SLINGSHOT - End Product Reports
STALKER - Web Forum Events
STARSEARCH - Target Knowledge
TIDALSURGE - Router Configs
TOYGRIPPE - VPN Detailed Events (NSA)

Only a handful of Olympia's tools do all the heavy lifting in the slide algorithms. The rest get passing mention in pull-down menus. Thus the presentation provides only a glimpse of Olympia's capabilities - we see for example TRITON for attacking the TOR network and TOYGRIPPE and FRIARTUCK for attacking VPN (virtual private networks) but not examples of their actual use.

The tools of Olympia represents a very large team effort at CSEC over several years with sheltering nearly all its database processing resources under the Olympia umbrella. The shelf life of the Olympia environment may be longer than its tools.

Of the 13 tools that are used, their use in the following algorithmic slides is almost entirely restricted to ATLAS, DANAUS, HYPERION, PEITHO and HANDSET. The reporting tool of course finishes every slide but two others, EONBLUE and QUOVO, only appear obliquely as report sources.

This slide presents a simple algorithm by using drag 'n' drop icons linked by arrows to specify its operations step-by-step. It draws on entries data records already stored in NSA's huge telephony database MAINWAY of call metadata. As NSA does the hoovering down in Brazil, the slide does not build use fresh Canadian surveillance by intercepts or insertion of malware on Brazilian cell phones or servers - that comes later in partnership with NSA's Tailored Access Operations (TAO) as warranted and informed by initial results obtained here.

Olympia is thus modular software that allows a mid-level analyst (who cannot write computer code) to specify and test advanced NoQYL database queries from within an intuitive visual environment. It provides an intuitive graphical interface allowing to assembly some 40 component tools into a flexible fit-for-purpose logic pipeline by simple drag and drop of icons. Such pipe-and-flow visual programming environments have a rich history – they match how Unix developers can quickly put together complex processes from the simple ones provided by the operating system.

Should an analyst drag one of the widgets into the design, a form window will pop up asking for parameters to be supplied. After stepping through the algorithm to fill in various pop-up forms that address database housekeeping issues, Olympia can then button up (compile) the tested product into a new icon that the next analyst can use as a trusted component for an even more complex investigative process. This allows analysts to conduct sophisticated target-development with minimal additional training.

With a database like MARINA consisting of trillions of rows (records) and 13 columns (fields), it is very easy to pose a query (play a design) that, after hours of delay, returns way too much data, or submit a query so complex or boolean-illogical that it freeezes NSA's server. To prevent this, it would make sense to have expert analysts work out main designs once and for all. Low-level analysts then just enter specific parameter ranges in the forms, but this of course would undercut the whole modular design power of Olympia.

So the whole process can be buttoned up, enabling one-button automation from a few business cards to the best phones to turn into meeting listening devices. While Olympia is a MySQL query builder, it does much more than that, notably advanced post-processing analytics of query results (which amount to a derived special-purpose database or QFD in NSA-speak: Question-Focused Dataset) resulting in convenient output to CSEC's reporting tool Tradecraft Navigator.

In the slide we see the following process:
-1- The process begins with a 'TC Init' widget that initializes processes Olympia needs to run. That may include starting up software, locating Five Eyes network resources, and verifying security authorizations for the analyst's 'thin client' interface to Olympia and NSA's remote network databases. That is, for security purposes following the Jeffrey Delisle spy case, Canadian analysts are given desktop computers without hard drives that cannot copy files to inserted thumb drives nor write to blank CDs. TC is used later in lower case to personalize data field header names so could alternatively represent the initials of the analyst (for logging purposes).

-2- The analyst next fills in a pop-up form called 'Dynamic Configuration' to provide initial data and establish project-specific terminology. The form amounts to a small database with one record (row) for each configuration needed and 7-8 fields (columns) with the specifics: configuration name and number, initial data, default value to use if actual value is missing after enrichment, true/false option to govern whether a later filter condition is met, field names to begin with tc_ (for thin client), and field type.

Configuration here seeds the coming discovery process with the MSISDN (SIM card routing number) for nine cell phones linked to staff at Brazil's Minerals Mining Energy (MME), either from business cards acquire by Canadian diplomats and mining executives or as metadata incidentally ingested by NSA from rooftop mobile phone intercepts at the American embassy in Brasilia. Recalling that MAINWAY has many billions of records just for Brazil, a narrow date range will keep the number of records, and so the subsequent latency (processing delay), manageable

-3- The initial set of phone numbers is then greatly expanded (enriched) by contact-chaining in the huge NSA metabase MAINWAY. This process collects the MSISDN of recipients of calls from the seed numbers, and recipients of their calls (two or more hops). Some of these will be just pizza joints or calls home but others will belong to coworkers at MME.

TAPERLAY is one of the most common skills listed in LinkedIn profiles, with one SIGINT analyst writing he "was responsible for entering numbering information for 132 countries and multiple service providers in each country by reviewing forms and reports and conferring with management." It is often used in conjunction with CHALKFUN, a NSA tool that searches the vast FASCIA database of device location information to find past or current location (notably US roaming) of mobile phones.

-6- The original phoneNumber field has now been supplemented by Last Seen (last recorded use), City and Country of initial registration, Identity (target's name), FIPS, destination number called and its fields, and others we cannot see on the alphabetical pulldown list. Here FIPS is an open source geolocation code maintained by the US government.

-7- The 'Sort' widget is then configured to re-order the records in some sensible way, say reverse chronological order and most frequent MSISDN.

-9- Prior to writing up a final report, the analyst could return to step 7 and insert further operational icons - 29 options are shown (even with A-E and Q-Z missing from the pop-up menu).

This slide says that the presentation is a case study about how to map the target's communication infrastructure when there's only very little information to start with, in this case:
- One known e-mail domain:
- Nine known phone numbers
- Very little data collected earlier

Starting with the single e-mail domain for Brazil's Ministry of Mines and Energy (MME), the algorithm works out IP numbers of MME's mail and internet servers plus their network owners and backbone carriers. Note the potential target here is the entire department, not an individual.

-0- After initialization, the input - here just a single domain but optionally a list of thousands - is put in a storage area (buffered) until its entries can be processed.

-1- The CSEC-developed tool DANAUS looks up the domain in its DNS (Domain Name System) repository. For one domain, this can easily be done by google search on the open internet but that is inefficient on a larger scale. Olympia will not only automates this process but can re-package it as a meta-tool icon that can be re-used as a component (sub-routine) of more ambitious algorithms.

-2- The DNS are next sorted by IP record type which splits them into two streams (Type A and Type MX records in DNS nomenclature). Here MX (Mail Exchanger) records specify the mail servers accepting e-mail messages on behalf of the recipient's domain. Type A (address) records specify IP numbers of the mail servers sending email from this domain.

-3a- The MX fork of the diagram filters records according to analyst specifications (pop-up window not shown), changes out value names, and merges text strings with certain information (extracted by the small 'i' icon, never explained) derived from records rejected by the filter. The output to Tradecraft Navigator is a simple database called 'Mail Servers' having six fields discussed below: Response_MX, Hostname, IPv4, Source, FirstSeen and LastSeen.

-3b- The A fork is filtered differently but here rejects are discarded. A new Canadian tool icon labelled ATLAS acts on the records that have been stored in fastBuffer to look up geospatial locations of the IPs. After a sort, duplicated IP locations can be eliminated by a standard database reporting feature (break on change in geolocation field). Duplicates might arise from a single server location hosting multiple IPs or a server cluster.

-4b- Records passing another filter (e.g. geolocation Brasilia) are then sorted by IP number for orderly output to Tradecraft Navigator for report-generation. Here the resulting database 'Domain's IPs' has 9 columns (fields) for IP Range, Country, ASN, Owner, and Carrier in addition to the ones above. The Autonomous System Number (ASN) provides the officially registered IP routing prefix that uniquely identifies each network on the Internet. Here the IPv4 numbers correspond to Global Village Telecom, Embratel and Pelpro. The analyst wants to know this because some carriers sell access to NSA while others have been hacked.

From the mail server records, it turned out the Ministry only used and for their mail servers (correio means mail in Portuguese). Journalists have inexplicably blacked out IPv4 numbers but anyone can look up the IP address for a given domain name at WHOIS websites, or apply the COEUS widget if they work at CSEC.

The analyst has now actually determined the IP addresses, their blocks of consecutive numbers (ranges), geolocation of servers used by MME's internet services providers plus the identities of backbone carrier networks. Some 27 IPs shown associated with the domain came out of processing A type records.

Some of this is unremarkable (the hostname is MME's public home page, is just a name server) while others have undeterminable relevance (being barely legible) to commercial espionage. One of these, ( running on http port 80 with A, comes up later as a potential target for a man-on-the-side attack.

- The Source field is a bit mysterious. It takes on only two values, EONBLUE and QUOVA. These are tool icons within Olympia whose names lie outside the Greek mythology theme, suggesting software from elsewhere. The explanation: a US company named Quova provides online blocking based on geolocation of a computer's IP address, like for example blacking out URL access to a football game in the home team's city so people purchase stadium tickets. Quova was acquired in 2010 by Neustar which provides a much broader range of backbone internet registry services. EonBlue is also corporate but more obscure.

- Between them, EONBLUE and QUOVA can report on recorded activities and attributes of the IPs at Brazil's MME: the MX record of shows it was first seen active from 17 Jun 09 and last seen active on 15 Feb 10; similar dates for active are later and don't overlap, namely 21 Jun 10 to 19 Jun 11.

- Later Olympia slides show QUOVA within a diagram, so this one should show both QUOVA and EONBLUE but does neither. QUOVA concerns itself with IP ranges, IP geolocation, and anonymizers (proxy servers relaying on a user's behalf, hiding identifying information), yet ATLAS provided IP geolocation in later slides and HYPERION and PEITHO the IP proxies. So it must be that QUOVA add value to the in-house DNS lookup tool DANAUS.

This slide shows how the analyst can identify a proxy server at the Ministry of Mines and Energy based on its observed behavior. It's not clear whether a discovered proxy server has been identified for certain, or that is only the strongest candidate seen, nor whether the full set of MME proxy servers have been located or just one of several. However, this is the most promising site for defeat of SSL by a man-on-the-side attack to intercept of transiting documents before they can be encrypted.

-1- After initialization, the Dynamic Configuration for the IPs of MME determined above is set with three lines: high, low, high - low +1 = range for each block. Here a reverse proxy server (firewall surrogate) often holds the first number of the range block and sits in front of a local network of other computers utilizing the rest of the range block as their addresses. Those other IPs don't show up in metabases because the URL requested by an outside visitor passes through the proxy on its way to the server (that actually can fulfill the request) is returned as if it came from the proxy server.

-2- The initial data is split at an enhancement fork which is not described further. Buffers should have been created for two subsequent tools PEITHO and HYPERION because they are sent large files (as indicated by the little 2-page icon on the connecting line). Those icons are missing from the algorithm, breaking it. Both PEITHO and HYPERION also need demultiplexing as followup but the De-Mux icons (the all-purpose dummy widget) are also missing from the diagram.

Recall many different ongoing processes on a given server are sending (and receiving data) simultaneously using the same Internet Protocol software. To accomplish this, packets of different types are intermingled ('multiplexed') in the exit stream. As the stream of packets is received, it is sorted out by type (demultiplexed) and passed to appropriate application on the receiving client.

-3a- PEITHO specializes in "TDI events" and has the same iconography as MARINA, tinted blue instead of pink. A menu in another slide ties MARINA to these same mysterious TDI events. MARINA is known to be a vast NSA metabase of internet metadata. An online LinkedIn profile speaks of having "used MARINA as a raw SIGINT data viewer for detection and analysis of priority targets and as a tracking and pattern-of-life tool."

PEITHO can thus be presumed very similar to MARINA, probably a refined subset of it adapted to dissecting out the TCP/IP connection metadata needed here, in particular recognizing and compiling the exchange of SSL certificates that are the hallmark of a secure (https) site. In one scenario, an off-site MME staffer uploading oil lease data points a web browser at the MME server that will host the documents, which sits within a LAN (local area network) behind a proxy server running port 443 for https.

After exchange of SSL certificates, the content can be sent over the internet encrypted rather than as plain text, and will decrypted at the MME repository. NSA data trawling - while not specifically seeking them out - intercepts these exchanges and stores them as a Sigint record subset in MARINA. PEITHO extracts these for the specified IP address ranges. This has nothing to do with defeating SSL - that comes later.

PEITHO can only provide half of a full TCP/IP 4-tuple (the output of this algorithm), namely the connection pairs with mentioning MME and server port numbers. This is done by filtering records in PEITHO high and low IP values provided by the initial configuration file, partitioning it into passing and not-passing. Values from both are renamed and retained in output because they define IP blocks.

-3b- Meanwhile, HYPERION works in parallel to PEITHO to provide IP to IP communication summaries, how data flows in and out of MME servers and their IP range blocks, in response to remote IP requests. This data too undergoes similar filtering and re-mapping of value names and formats, again with ultimate retention of both streams as the entity_IP and remote_IP components of the TCP/IP 4-tuple.

-4- The four fields of a TCP/IP 4-tuple are called entity_IP, remote_IP, remote_port, entity_port and will appear as a small table on the proxy output page. They are obtained by merger of the PEITHO 2-tuple with that of HYPERION.

-5- At this point, only https (port 443) and http (port 80) metadata remains as remote_port values. The latter is discarded on the basis of its port value under the assumption that high-value data will be encrypted in transit by a secure socket layer (SSL) using port 443. Note email servers use port 25 - that will show up in the next slide in the context of

On the results page provided by Tradecraft Navigator, only the two port columns are visible from the original socket pair 4-tuple. Ports are described by an esoteric compressed four-field format such as 6:443:TS(1) where the second element is the actual port number.

Here every port entry starts with 6: (making it uninformative) followed by 443 in the case of a remote https port, respectively high and variable (ephemeral) port numbers in the case of the entity_port column. The port description is then completed by a cryptic digraph drawn from TS, TC, FS, FC and a small qualifying number in parentheses.

It's not clear whether any more than just the straight port number needed to be retained here to substantiated a discovered proxy. Curiously, Olympia contains a distinct tool called ATHENA specializes in port information but it is not applied in this algorithm or any of the other slides.

The bottom line here is the analyst seems to have identified MME's proxy server and so a line of attack to be described later. That is of interest because closely held documents (like providing extents of offshore oil reserves or assay grade of mineral deposits being auctioned off) would be sent through this server as a measure to protect them from theft.

This slide presents a more complicated diagram of how an analyst can discover IP addresses the target, in the case the Brazilian MME, communicates with. This information can later be used to intercept these communications links.

-1- This starts with DNS lookup of the hostnames (eg That process can give duplicates and other records that are empty with respect to fields of interest. These are discarded.

-2- After appropriate menu enrichments have expanded out from the initial seeds, PEITHO and HYPERION act again in parallel to reconstruct the TCP 4-tuples (or socket pairs). The stream of internet packets sent out by a given server are a mix of packets from whatever processes are running, for example http, https, ftp, smtp and telnet on the TCP side and dns, dhcp, tftp, snmp, rip, voip via UDP.

-3- As only http and https are of interest here, the other packets are discarded via the De-Mux widget. Note the packets are not really multiplexed in the traditional sense used in signal electronics but remain discrete and merely alternate in the packet stream connecting server to client. De-multiplexing in this context simply means separating the packets as they come along, retaining only the subset of interest.

-4 - Not everything is of interest here, so the 'select values to carry' widget is necessary to whittle down the fields retained. Since TCP processes are bi-directional, with some of the packets coming from the server and others heading to the server, it's necessary to flip the latter set so that FROM always goes with the MME server and TO goes with IP addresses it communicates with. The two streams are then sorted by IP contacted which allows them to merge coherently to the 4-tuples described before.

-5a- The results are duplicated and split with one fork - after a sort and break-on-same field value reduction - sent to Tradecraft Navigator as a summary of the number of times each IP pair has connected, with most frequent presumably on top. No data page is provided in the slides.

-5b- The other duplicate is sorted so that each client is represented just once for geolocation lookup by ATLAS. That needs another version of de-multiplexing, followed by discard of empty rows. ATLAS is mentioned in three slides; from those annotations, it has to do with geolocation of network information and is filterable by date and IP range.

-6- The output to Tradecraft Navigator is sorted by ASN (Autonomous System Number, the unique identifier for an ISP network). The internet had some 42,000 unique autonomous networks in the routing system at the beginning of 2013; ten distinct ASN networks that MME connects with are discovered here. These include ASNs 6453 and 32613 in Canada, 16322 for Iran, 25019 and two others for Saudi Arabia, plus inexplicable IPs in Eritrea, Jordan and Thailand. ASN lookup is readily available and it provides country, date of registration, registrar, and owner name.

The data page is quite instructive. It shows the silliness of newspaper redactions: Fantástico/Greenwald scrubbed out all tool annotations on the algorithm and blocked columns 2, 4, 5, and 8 in the output whereas the Globe & Mail showed the whole algorithm legibly and redacted columns 2, 3 and 8.

Column 2 is merely DNS lookup, freely available on the open internet. Column 3 in the Globe & Mail can be restored using the months-earlier Fantástico publication. The IP ranges of MME's contacts in Column 8 are not too hard to get at using the initial IP contact from Fantástico as they will be a block extending the last 3 digits of the initial IP contact out to 255, e.g. the first row gives the range to, all assigned to Eritrea.

Here MOEM, the Ministry of Energy and Mines in Eritrea, is located at While their server is not often working, the IP address there does not correspond to any result found by the algorithm. Those IP addresses are assigned to Eritrea but do not have Hostnames and may be routers. Note that British Telecom provides the ASN network so all traffic there is routinely ingested by GCHQ and available to the Canadians. However there is no evidence from this algorithm that MME had any interest in its Eritrean counterpart MOEM.

The algorithm here re-uses tools and widgets seen before with very similar logic: previously determined hostnames associated with Brazil's MME seed the IP address look-up via 'Forward DNS' (Danaus) followed by DNI enrichment at unspecified NSA databases, the symmetric same split to PEITHO and HYPERION to collect IPs and ports, followed by filters, sorts and field renaming (no pop-up details provided) as seen in slides 2 and 4. After Atlas provides geolocation of the retained IPs (note the never-explained x5 in the upper left corner of the ATLAS icon), the fields are consolidated, with just the ones geo-located to non-Five Eyes countries retained.

It's not clear why results for the Five Eyes countries are discarded. These countries by agreement don't launch spying operations on each other; Canada could certainly launch attack on IPs on itself but that may not be within the remit of CSEC. It's hard to believe the analyst would not take a peak at friendly country IPs - perhaps these were only discarded for purposes of this presentation (at which NSA and GCHQ analysts were surely represented).

From other Snowden leaks, it's known NSA also runs its own Brazilian espionage program; if Canada installed its own man-in-the-middle malware on top of a pre-existing NSA attack, these could conceivably collide and crash the Brazilian system, or at least alert the Brazilians via degradation of network performance. For this reason, the analyst contacted TAO prior to the presentation, turning over subsequent man-in-the-middle attack details to them. TAO maintains the central malware repository and is better positioned to vett installations for redundancy and collisions.

These four output tables provide the best view to what CSEC learned about MME's vulnerabilities from applying the algorithm:

-1- The first table consists of two records for This Brazilian server was obtained earlier as record 5 from the slide 2 processing (which started with and provided IPs and ISPs in the 'Domain's IPs Output' table). Here journalists have blacked out the target column out of internet illiteracy (they are and and the IP it contacts. The port numbers indicate the target server is using ephemeral ports and the contact http port 80, meaning it is not a mail server nor secure like https.

This server in Brasilia has been assigned a new database field with value Case Notation MA10099(1) here that was added by the analyst later (certainly not produced from running the algorithm). It's not clear whether this case notation is that of GSEC or joint notation with NSA's TAO.

It's instructive to look at what anyone can learn in seconds for free on the open internet -- and how this works. In the case of, the TLD (top level domain) acessovpn is recognized by the Root Server which redirects to which redirects to two name servers and which themselves have A type records and so separate IP addresses both located at the same geolocation in Brazil.

-2- This pair of tables unfortunately has the headers censored. They may simply represent the two IP addresses and They are sorted by order of use - number IPs contacted. Thus the ASN contacted the most (26 and 15 times respectively in the time frame considered) was 18881. That indicates the IPS was Global Village Telecom, a formerly Brazilian telecom owned since 2010 by the French company Vivendi. After that, the first IP contacted ASN 7738 11 times whereas the second IP contacted ASN 26599 9 times. Farther down the list, providers in Columbia, Mexico, India and China are listed.

-3- The final result table utilizes two tools not mentioned in the script suggesting these were applied from within Tradecraft Navigator: Reverse DNS (DANAUS) and EONBLUE. The latter is a closely held corporate tool, apparently used here for decoding Hostnames behind proxies, though nothing came of it here. EONBLUE surfaced earlier in slide 2 paired with corporate tool QUOVA (that was the source of there). The entire table refers to A type rather than MX (email servers).

This slide shows the contact chaining for Brazil's Ministry of Mines and Energy on both the internet and telephony side, mostly the latter. The process is initialized from a small plaintext file of initial selectors (CSV comma separated values, records separated by carriage returns) which is reconfigured to a standardized database format with administrative oversight (front door rules: legal and policy justifications for collection) before being passed to the thin client of the analyst. This is the only appearance of 'Justification' in the slide set.

-1- Another field is added, 'SelectorRealm'. Realm isn't explained here by a popup or sample output slide but in the MonkeyPuzzle memo it meant divisions of a large database (emailAddrm, google, msnpassport, and yahoo). Realm here might specify a subset of collection SIGADS. Thus this step is narrowing the field of inquiry by adding a realm field to the input records to restrict subsequent processing to that realm.

-2a- The records are now filtered by their DNR (telephony) selectors in an unspecified manner. The fork meeting filter conditions is expanded by DNI (internet) chaining via unspecified databases (web email contacts possibly being the realm) and using one hop (see below) for output to Tradecraft Navigator. The fork of records failing to meet filter conditions is discarded.

-2b- The other fork meeting filter conditions, after specifying date ranges etc, is sent out to be expanded DNR contacted chaining. This enrichment step is quite instructive: it involves four telephony databases (FASTBAT, DISHFIRE, FASCIA, MAINWAY). Here FASTBAT appears for the first time in Snowden document releases. It must be partially non-redundant with respect to the others or it would make no sense to include it. It is possibly a SIGAD specific to Brazil or South America, possibly CSEC collection at the Canadian Embassy in Brasilia (the other three are NSA). DISHFIRE holds SMS records (cell phone texting).

It would be amazing if this contact-chaining step did not take overnight (or at least involve long latency) - these databases contain many trillions of records and NSA could be running thousands of multi-hop contact-chaining requests simultaneously for analysts throughout Five Eyes. It's not clear whether NSA's move to the cloud will expedite such searches or break algorithms such as this for whom the haystack has gotten too large.

-3- Because of how realms, date ranges, country of call origin etc were initially specified, not all records produced by contact chaining having any data left in the fields of interest. (It is very common for some fields to be blank in database records) These empty records are discarded so they don't contribute rubbish to the output.

-4a- After renaming records for consistent output, the records are sorted by an important field (e.g. MSISDN phone number) and split, with one fork going to summary statistics (how many records had a given value for the fixed field), as seen by the capital greek letter Sigma (symbol for sum in math) in the 'Group by' icon. These are likely sorted to highest frequency order.

-4b- The other fork simply outputs all the records to Tradecraft Navigator, which may have its own social networking visualization tool or just pass it on to RENOIR. The original presentation may have contained a sample of output but if so, Greenwald may not have included it or if he did, the Globe and Mail didn't publish it.

In this important Olympia algorithm slide, CSEC leverages an initially modest collection of 9 cell phone call records (called DNR selectors) to successively recover the three identification numbers characterizing a cell phone, which in turn lead the analyst to identification of two obsolete handset models (Nokia 3120c-1c and Motorola MURQ7) owned by top MME staffers at one time. The handset models might next be checked against NSA's collection of cell phone malware at TAO or NAC to see if existing tools could hack the phones and turn them into surveillance devices.

A Snowden document disclosed earlier revealed the NSA asking State Department to pass along all cell phone numbers they had been given in the course of normal high level contacts with foreign counterparts. Thus numbers turned in by the American Embassy representatives in Brazil with day-to-day dealings with MME were ingested into an NSA database to which Canada had ready access to. These 9 selectors probably have originated by this route.

What all can be deciphered from this slide?

-1- The overall logic flow is very clear: start from the 9 DNR call record seeds, determine the MSISDN number of the two cell phones, with that find the IMSI, from that the IMEI, and finally the handset model. This is far from trivial due to the properties of cell phone numbers (see below) and devious manufacturing practices in countries such as China. Unlike in previous slides (where anyone online can do reverse DNS lookup in seconds), cell phone owners cannot follow CSEC's logic flow even for their own phone.

-2- The three ellipses show a practically identical logic flow. Even though the tool and widget logos are barely legible, they are evidently the same. In fact, the ellipse processes make very little use of high-powered Olympia tools. The icons primarily represent housekeeping widgets (filter, dummy, rename, sort, delete, etc) that are useful but don't provide enough muscle to do more than shuffle record formats. The real work is done almost entirely by the large outlined-text H icon, not named in the redacted slide or seen elsewhere in menus or other algorithms. It will be called H for HANDSET here.

-3- The output (smaller orange rectangle on far right holding the Tradecraft Navigator icon) is key to understanding the steps of the algorithm. The output is provided for us below the schematic in the form of a small database with 8 fields and two records (the upper dark blue line is highlighted). Although it is highly unlikely these phones are still in use, the MSISDN numbers providing the original input are blued-out as are the IMSI and IMEI. Interestingly, their field names include the work 'correlation' suggesting that they cannot be unambiguously determined but are instead inferred from associations. The Motorola model is more specifically the MURQ7-3334411C11.

-4- The last column TOPI (Target Office of Primary Interest) here takes on the value CSEC, suggesting it is Five Eyes terminology. It's not clear why TOPI needs to be included as a database field. Perhaps adding MME to the NSA's target database - where priority, legal authority, resources needed and operational risk are reviewed - requires tracking of the originating partner agency. Since Canada lacks the malware and insert capabilities of NSA, Brazil's MME must go in the queue to compete with many other projects in the works.

-5- The output line 'Bands Supported by IMEI' can be read well enough that google search can be used to correct any letters mis-read initially. The result provides a look-up of the band wavelengths that the cell phone can use - that might be useful down the roar for DRTBOX interception - and the various communication protocols, like GSM, WCDMA, FDD, HSUPA and HSDPA.

-6- To understand the main algorithm flow, it is necessary to delve into the meaning of the MSISDN, IMSI and IMEI, the three main numbers associated with a cell phone. While that seems straightforward, nominal explanations have to be corrected for online tools that make end runs around official protocols. Cell phones are commonly lost, stolen, re-sold, unlocked, unblocked, registered in one country but used in another, SIM cards replaced, chip sets re-soldered and so on. And that can take place on phones whose manufacturers violated all the rules for unique serial numbers, billing information and so forth.

MSISDN (Mobile Subscriber ISDN Number) is just the ordinary telephone number of a mobile cell that would be on a business card. CSEC may have asked their Brazilian embassy to scan business cards of high level MME staff acquired in the course of ordinary interaction. These selectors could account for the 9 DNR records mentioned here as initializers.

-7- Due to the blurred slide and erased annotations, we cannot follow exactly how CSEC get from the MSISDN to the IMSI to IMEI to the handset model. This cannot be straightforward because the headers indicate correlation (possibly via different databases that share time of call) rather than a determinative algorithm.

In the CO-TRAVELER cloud analytics document, we see two years later that NSA cannot routinely obtain either the MSISDN or IMEI starting from the IMSI in the SEDB Tower QFD summary database. Thus this slide is in some ways the most interesting of all, more the pity that it was so poorly disclosed.

This slide provides a summary showing how all the information gathered can be used for BPoA (Backdoor Point of Access?) leading to further actions through:
- CNE (Computer Network Exploitation, such as cookie-replay, man-on-the-side attacks, CDR, etc.)

- Passive tasking (Upstream collection through backbone cable splitting and filtering, router intercept or telecom carrier cooperation)

- HUMINT-enabled (Human Intelligence, like information derived from voluntary, paid or bribed informants)
It's not clear whether CSEC could take things only so far and then NSA and GCHQ had to step in to aid in an actual tapping, bugging or hacking operation.

This slide is reconstructed from the video footage and shows a diagram containing all the telephone and internet connections discovered in the OLYMPIA case study. At the left side of the slide there are the telephone connections and at the right side the internet links.

It's interesting to see that in this diagram there are also a number of SIGADs, which are codes designating interception facilities. It's not really clear whether they were used to collect the metadata used for the chaining by the OLYMPIA tools, or whether they were eventually used to conduct interception of content on these communication links.

At the telephony side we see DS-800 as the facility for phone lines between the Brazilian ministry and numbers in Equador and Venezuela. Telephone communications to some other countries are monitored by facilities designated US-3294 and US-966V.

Internet traffic between IP addresses from Global Village Telecom and internet providers in Africa, the Middle East and Canada are also monitored by DS-800. We can also see that for internet traffic to India there's a facility designated DS-200 (maybe because GCHQ has good access to India?).

> See also: What are SIGADs starting with DS for?

This slide seems to be the final one of the OLYMPIA case study presentation. The analyst writes that he identified mail servers, which meanwhile have been targeted by means of passive collection. That means by tapping the traffic from internet backbone cables. Analysts have been assessing the value of these e-mail data.

The analyst also says that he is working with NSA's TAO division "to further examine the possibility for a Man on the Side operation". Here he's evidently referring to Based on the network information gathered, the Network Analysis Centre (NAC) of the British signals intelligence agency GCHQ has started "a BPoA analysis on the MME".

This shows that the OLYMPIA presentation was not just a software tutorial or an example of coding. The results prove CSEC actually ran this exercise against the Brazilian Ministry of Mines and Energy and got some real results: information about their telephone and internet connections, although probably by far not complete.

As OLYMPIA is target-development software, this tool didn't gather any content of phone calls or e-mail messages, but this last slide tells us that as a result of the OLYMPIA effort, at least the e-mail of the Brazilian ministry became subject of an actual collection operation.

> See also: An NSA eavesdropping case study

Links and Sources
- How does CSEC work with the world's most connected telecom company?
- Interpreting the CSEC Presentation: Watch Out Olympians in the House!
- Slides reveal Canada’s powerful espionage tool
- American and Canadian Spies target Brazilian Energy and Mining Ministry
- Anonymous: Total tear-down of Canada's Olympia spyware (pdf)

February 27, 2014

NSA director Alexander's phones

(Updated: March 16, 2014)

After a range of articles about how NSA intercepts foreign communications, we now take a look at the equipment that NSA uses to secure their own telecommunications, more specific those of its director.

We can do this because last December, the CBS program 60 Minutes offered some unprecedented insights into the NSA headquarters. Of course very limited, but still interesting for those with a sharp eye. Perhaps the most revealing was that for the first time ever it was shown how the office of the director of NSA looks like:

The office of NSA director Alexander, December 2013
(click to enlarge)

The office of the director is at a corner on the eighth floor of the OPS 2B building, which is the wider and lower one of the two black mirrored glass structures of the NSA headquarters at Fort George G. Meade. Contrary to what many people would probably expect, the director's office is far from high tech. We see a rather traditional interior with a classic wooden desk, shelfs with books, picture frames and lots of memorabilia, a conference table and a group of old-fashioned seatings with a large plant in a shiny copper pot.

Most interesting for us is the telecommunications equipment used by the current director, Keith B. Alexander, which can be seen in the following screenshot:

NSA director Alexander working at his desk, December 2013
Behind him we see his secure telephone equipment
(click to enlarge)

VTC Screen
In the corner at the left we see a video teleconferencing screen with a high-definition camera, made by the Norwegian manufacturer Tandberg. In 2010 this company was bought by Cisco Systems, so their equipment can be safely used for US Top Secret/SCI videoconferencing. From within secured locations (SCI enclaves), the video feed goes over the JWICS IP network for the intelligence community, which is secured by stream-based Type 1 bulk encryption devices.

STE Phone
At the left of general Alexander there's a large black telephone called Secure Terminal Equipment (STE), which is made by L3 Communications. The STE is a highly secure phone, which means that this device is capable of encrypting calls up to the level of Top Secret/SCI. This phone can be used to make secure calls to anyone with a similar or compatible device. STE is the successor of the almost legendary STU-III secure phone system from the late 1980s.

With an estimated 400.000 users, STE is used for secure communications with everyone working for the US government, the military or its contractors, who can not be reached through a more select secure phone network for the US military (IST/DRSN) or the SIGINT community (NSTS).

IST Phone
At the far right we see a big white Integrated Services Telephone (IST), which was designed by Electrospace Systems Inc. and manufactured by Raytheon. This is a so called "red phone", which means that it's connected to the Defense Red Switch Network (DRSN). This is the main secure telephone network for military command and control communications and connects all mayor US command centers and many other military facilities.

Although this IST phone looks very futuristic, it was gradually replaced by the newer IST-2 since 2003. Remarkable to see that notably the highest NSA official still uses the old model. The new IST-2 was also on the President's desk in the Oval Office, before it was replaced by a Cisco IP phone for the new Executive Voice over Secure IP-network in 2011, to provide a dedicated link between the President and his senior cabinet members.

It's revealing to see that there's no such new IP telephone in the office of the director of NSA, which means that he has no direct line to the President. Which is according to the fact that NSA actually falls under the Department of Defense and its intelligence gathering is coordinated by the Director of National Intelligence.

NSTS Phone
A third, white phone set is hidden right behind general Alexander's back, but we can see a glimpse of it in this screenshot:

NSA director Alexander working at his desk, December 2013
Behind him we see his secure telephone equipment

This telephone is part of NSTS, which stands for National (or NSA/CSS) Secure Telephone System and is the NSA's internal telephone network for calls up to the level of Top Secret/SCI. Newer NSTS phones are connected by fiber optic modems to a fiber backplane that interfaces with an NSANet access point router. The voice traffic is then encrypted together with data traffic utilizing a Type 1 bulk encryption device.

As can be seen in other pictures from inside NSA, the devices used on the NSTS network are white Nortel M3904 executive phones - a very reliable high-end model which is also used at the offices of both the Israeli and the British prime minister. Nortel was a big Canadian telephone equipment manufacturer, but was dissolved in 2009. Thereafter, the Enterprise Voice and Data division of Nortel was bought by the US telecommications company Avaya (formerly Lucent)

A Nortel M3904 phone from the NSTS network as seen
elsewhere in the NSA headquarters building

From declassified NSA documents, we can learn that the NSTS phones have numbers like 963-5247s (with s for secure) and that the numbers of the STE phones are written like STE 6325 (no real examples).* The IST phones of the DRSN have four or five digit numbers.*

Predecessors of these three types of telephones (STE, IST and NSTS) were also present in the office of then NSA director Michael V. Hayden, when James Bamford described a meeting with him in his 2001 book Body of Secrets:
"There are also several telephones on the table. One for secure internal calls; another is a secure STU-III for secret external calls; and a "red line" with buttons that can put him through instantly to the secretary of defense, the Chairman of the Chiefs of Staff and other senior officials.
No phones, however, connect the director to the White House; indeed, during Hayden's first year in office, he never, once spoke directly to president Clinton".*

In a separate program, called 60 Minutes Overtime, CBS showed 'The Making Of' their previous 60 Minutes report about NSA. It included some new video fragments, like one in which we get a better look at the computer equipment on the desk behind director Alexander's chair:

NSA director Alexander being interviewed by John Miller, December 2013
At the left side we see the director's computer equipment
(click to enlarge)

We see a common HP office keyboard, two computer screens and in between them there's a so-called KVM-switch with some colorful stickers on it.

The latter device is used to work on multiple computers or networks operating at different classification levels, all with one Keyboard, Video screen and Mouse, hence the abbreviation KVM. By pushing a button, the device can switch between four different connections, which is done by the hardware in order to keep them physically separated. The KVM Switch in this picture is the SwitchView SC4 from Avocent (formerly Cybex) with four secure channels.

From the stickers with the color codes, we learn that this device enables the director to switch between three separate computer networks at the following classification levels:
- Green: UNCLASSIFIED, which is the military NIPRNet
- Red: SECRET, which is the military SIPRNet
- Orange: TOP SECRET and Yellow: TOP SECRET/SCI

The latter connection is most often used for access to JWICS, the highly secure network used by the American intelligence community, but here it may also be used for NSANet. It's not clear whether the second compter screen is for one of these networks, or for a separate access to the common internet. Both screens have a blue label which might denote that the screens can be used for multiple classification levels.

60 Minutes
The CBS program Inside the NSA was broadcasted on December 15, 2013, but was immediatly heavily critized as being too less critical in approach to the NSA, some people even said it was NSA propaganda. This seems not quite fair, as Snowden reporter Glenn Greenwald had numourous occasions in media from all over the world to present his interpretation of what NSA is doing - which went almost unquestioned.

CBS reporter John Miller asked NSA director Alexander about all the major things that came up from the Snowden-leaks and he also got answers. NSA even showed an actual example of how the metadata contact chaining method works. Whether one is satisfied by these anwers is another thing, but we should keep in mind that Greenwald's version is not always the right one and NSA is not always lying.

CBS 60 Minutes: Inside the NSA (December 15, 2013)

NSA director Keith Alexander, who's a four-star general and a career Army intelligence officer, will retire on March 28. He was head of the National Security Agency and the Central Security Service since August 2005 and the US Cyber Command since May 2010. It's expected that he will be replaced by US Navy Vice Admiral Michael S. Rogers.

Links and Sources
- '60 Minutes' Trashed For NSA Piece
- Inside the NSA - How did 60 Minutes get cameras into a spy agency

February 17, 2014

Dutch government tried to hide the truth about metadata collection

(Updated: March 8, 2014)

On February 4, the Dutch government admitted that it was not NSA that collected 1,8 million metadata from phone calls of Dutch citizens, but actually their own military intelligence service MIVD. They gathered those data from foreign communications and subsequently shared them with partner agencies like NSA.

Just like everyone else, the Dutch interior minister was mislead by how Glenn Greenwald erroneously interpreted the data shown in screenshots from the NSA tool BOUNDLESSINFORMANT. This let him misinform the Dutch public and parliament too, and only after being faced with a lawsuit, he finally disclosed the truth. Here's the full story.

How it started

The first charts from the BOUNDLESSINFORMANT tool were published by the German magazine Der Spiegel on August 5, 2013. Next to a bigger chart about Germany was a smaller one about the Netherlands, but this was completely overseen by Dutch media.

Only after the French paper Le Monde came with a big story about alleged NSA eavesdropping on French citizens on October 20, 2013, the Dutch IT website published on October 21 about the screenshot that was in Der Spiegel several months before:

The report by was correct in explaining that the chart only shows metadata, but the headline initially read "NSA intercepted 1.8 million phonecalls in the Netherlands". It was the first time a news medium correctly presented the BOUNDLESSINFORMANT chart as showing metadata instead of content.

But as the initial headline had immediatly been copied by other media, many people, including politicians, got the idea that NSA was actually eavesdropping on a vast number of Dutch phone calls. After discussing this on Twitter, Tweakers corrected the title by adding "metadata" and "per month".

> See also: BOUNDLESSINFORMANT only shows metadata

A talkative minister

On the night of October 22, the Dutch interior minister Ronald Plasterk was asked about these revelations in the late night talk show Pauw & Witteman. He gave a clear explanation about what metadata are used for, and guessed that with around 60.000 phone calls per day between the Netherlands and the United States, this would make 1,8 million calls per month - apperently assuming that numbers of metadata equals phone calls.

He said that he wasn't yet certain whether it was actually NSA that collected those metadata from Dutch phonecalls, but that a European group of experts was established to clarify this with the Americans. The minister said that it would not be acceptable if NSA was monitoring Dutch citizens without asking permission from the Dutch government before doing so.

According to a statement by the interior minister during the parliamentary debate on February 11, 2014, it was only by now that AIVD and MIVD started communicating with NSA about the exact origins of these particular data. It would last 4 weeks to get this clear - rather quick, according to the minister.
(286e minuut)

Before this bilateral investigation was initiated, it seems that the Dutch government was relying on the work of a multinational group of experts on behalf of 27 European countries. This ad hoc EU-US Working Group was established in July 2013 to examine the NSA spying programs. Their final report (pdf) was published on November 27.

Besides this group of experts, the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament also started an inquiry in September 2013, presented preliminary conclusions on December 18 and a final report (pdf) on February 21.

Dutch interior minister Ronald Plasterk in the talk show Pauw & Witteman
(October 22, 2013 - in Dutch)

Almost one week later, on October 28, the Spanish paper El Mundo also published a screenshot from BOUNDLESSINFORMANT. The article, written by Glenn Greenwald and a Spanish journalist, once again said the chart proved that NSA had spied on 60 million phonecalls from Spain in one month.

This was the standard interpretation that Greenwald gave to BOUNDLESSINFORMANT charts for Germany, France, Spain, Norway, Afghanistan and Italy. He used them to demonstrate the claim made by Edward Snowden, that NSA is eavesdropping on innocent people everywhere in the world.

By framing the public debate in this way, most people, including politicians, assumed these claims were true, and therefore it was for example the Dutch interior minister, responsible for the civilian intelligence and security service AIVD, who was asked for explanation. Only people familiar with Dutch intelligence knew that SIGINT collection is actually done by the NSO, which is part of the military intelligence agency MIVD.

NSA strikes back

On October 29, NSA director Keith Alexander testified before a hearing of the House intelligence committee. He forcefully denied that NSA was collecting millions of phone calls from European countries by saying "Those screenshots that show or at least lead people to believe that we, NSA, or the US, collected that information is false".

Instead, data shown in charts from the Snowden document were collected not just by the NSA itself, but were also "provided to NSA by foreign partners," Alexander said. "This is not information that we collected on European citizens. It represents information that we and our NATO allies have collected in defense of our countries and in support of military operations". The next day, this statement was also sent to European partner agencies, including AIVD.

The same day, the Wall Street Journal reported that according to US officials, the metadata records for France and Spain were not collected by the NSA, but by French and Spanish intelligence services. The metadata were gathered outside their borders, like in war zones, and then shared with NSA.

Then, interior minister Plasterk was invited to appear in the Dutch television news magazine Nieuwsuur on October 30. According to a reconstruction by the newspaper NRC Handelsblad, he was advised by Defense minister Hennis-Plasschaert not to go, because her department, responsible for Dutch SIGINT collection through the MIVD, was irritated by Plasterk's willingness to talk about this issue.

Before going to Nieuwsuur, Plasterk had a meeting with Marc Kuipers, the deputy director of his own AIVD and asked him about the metadata. He was told that there was no hard evidence that the statement of NSA was correct, and Kuipers reportedly denied that the 1,8 million metadata were collected by Dutch agencies. As their research started just a week before, AIVD apparently wasn't sure yet about the exact origins of these data.

During the Nieuwsuur broadcast, minister Plasterk showed the letter (pdf) with the statement from general Alexander, but completely misinterpreted it as being a confirmation that the number of 1,8 million metadata were actually collected by NSA - something that was not acceptable for him. He also strongly denied that the 1,8 million were collected by Dutch agencies and subsequently shared with NSA.

Dutch interior minister Ronald Plasterk in the television
magazine Nieuwsuur, October 30, 2013

A few weeks later, NRC Handelsblad announced that they would soon start disclosing Snowden documents related to the Netherlands. NSA watchers expected that one of the first disclosures would be the complete BOUNDLESSINFORMANT screenshot, including the bottom part showing the technical specifications. But that didn't happen. NRC published two articles, on November 23 and November 30, but both contained more background information than spectacular new revelations about the Netherlands.

Most surprising was that the BOUNDLESSINFORMANT screenshot wasn't published. Maybe it had something to do with the fact that this weblog explained on November 23, that Greenwald's interpretation of these charts was not correct, which became clear after comparing two screenshots published by Greenwald in a Norwegian paper in the days before.

A few days later, on November 27, I published my research revealing that the DRTBox technique used to collect the metadata shown in the charts about France, Spain, Italy, Norway and Afghanistan is mainly used for short-range radio and cell phone interception during military operations.

Not NSA, but MIVD

These analysis not only support the official statement by NSA, but also confirm what the intelligence agencies from Germany and Norway had said earlier: that the metadata shown in the charts were collected by them as part of military operations abroad, and not by NSA (exactly the same was said by the Danish military intelligence service, anticipating on a chart about Denmark that never came).

After an investigation of exactly 4 weeks, experts from AIVD and MIVD, who compared actual data collected by the SIGINT unit NSO with data in the systems of their counterparts from NSA, concluded that there was a "perfect match". This was shared with defense minister Hennis and interior minister Plasterk on November 22. Prime minister Mark Rutte was informed during a regular meeting on December 10.

After it became clear that the metadata were not collected by NSA, but by the Dutch agency MIVD, the whole issue automatically became something that was not in the interest of the state to disclose (although not a formal state secret). The interior and the defense minister argued about whether to inform parliament and the public, like in Germany and Norway, but ultimately decided not to do so, following the standard practice to Never Say Anything about the modus operandi of the intelligence and security services.

This is a rather strange argumentation, as "collecting and sharing (meta)data" doesn't reveal any specific methods or operations. Both practices are regularly mentioned in the public reports of MIVD and the oversight committee CTIVD. But as almost no one reads these, the parliament and the people still thought it was NSA that monitored their phone calls.

Presently, it's still not clear whether or not the government informed the parliamentary intelligence oversight committee (CIVD or Commissie Stiekem), because ministers and members aren't even allowed to mention which topics were discussed during the committee meetings.

According to NRC Handelsblad, defense minister Hennis informed the parliamentary oversight committee on December 12, by saying that the telephony data were collected by Dutch services and shared with NSA. Because she didn't link this to minister Plasterk's statement from October 30, apparently none of the members of the committee was aware of the political impact...

The headquarters of the AIVD in Zoetermeer
(photo: ANP)

Citizens against the State

But then there was a lawsuit on behalf of a coalition of citizens and organizations against the Dutch state, as represented by the interior minister. It aims at stopping Dutch intelligence agencies acquiring data from NSA that might be obtained illegally if Dutch and European law would apply. Furthermore, the coalition demands that the state informs the citizens whose illegally obtained data have been used.

Faced with the possibility of a court ruling that acquiring foreign intelligence might be illegal, which would de facto end the intelligence sharing relationships with foreign countries, the Dutch government was forced to reply. So on February 4, 2014, the state advocate came with a response (pdf), which contains two interesting points:
- The demands are mainly based upon press reports speaking of intercepted phone calls, which is incorrect, because in fact it's not about content, but about metadata. These are collected by the state, lawfully acquired in the context of international cooperation and subsequently passed on to other countries. (par. 6.2)

- Dutch intelligence services are using data derived from undirected interception of cablebound communications by foreign agencies. This method is (still) prohibited in the Netherlands, but legal in the US, and therefore the state sees this as lawful acquisitions. (par. 2.17 - revealing that this is apparently one of the things that the Dutch get in return for the metadata they share)

Misleading the parliament

Now that the state advocate had disclosed the true nature of the 1,8 million, the interior and the defense minister also had to inform the parliament and the public. This was done by a short official statement saying:
"The graph in question points out circa 1.8 million records of metadata that have been collected by the National Sigint Organization (NSO) in the context of counter-terrorism and military operations abroad. It is therefore expressly data collected in the context of statutory duties. The data are legitimately shared with the United States in the light of international cooperation on the issues mentioned above."

This was exact the opposite of what interior minister Plasterk had said during the Nieuwsuur broadcast on October 30 and subsequently to parliament. He was accused of lying or at least witholding crucial information and now had to fear for his position.

On Saturday, February 8, the newspaper NRC Handelsblad published out of the blue the long-awaited complete BOUNDLESSINFORMANT screenshot regarding the Netherlands, including the bottom part which was seen now for the first time since the initial publication by Der Spiegel in August 2013:

The BOUNDLESSINFORMANT screenshot for the Netherlands
(picture by NRC Handelsblad - click to enlarge)

> See for all details about this chart: BOUNDLESSINFORMANT: metadata collection by Dutch MIVD instead of NSA

On February 11, there was a parliamentary debate about the whole issue. Interior minister Plasterk sincerely apologized for his misleading statements on October 30, saying that he just wanted to make sure to the public that it was not his own AIVD that eavesdropped on Dutch citizens.

This statement was hardly convincing, and many parliament members were not satisfied with the fact that he didn't correct his statement after he was informed about the truth on November 22. Both the interior and the defense minister continuously replied that it was not in the interest of the state to provide any more information.

Given this overstretched secrecy, it almost seemed a slip of the tongue when minister Plasterk explained that because "under different programs, different types of metadata are shared" it was not so easy to attribute the 1,8 million to collection by MIVD.

After a debate of almost 8 hours, most opposition parties voted against the interior minister, but that wasn't enough to force a resignation. However, the whole affair weakened his position, he can't afford new mistakes anymore.


With claims made by Edward Snowden that NSA is monitoring innocent civilians all over the world being spread by media for months, it's understandable that the BOUNDLESSINFORMANT charts were seen as evidence for American spying on European countries. Glenn Greenwald presented them in that way to major European newspapers and supported his interpretation by a FAQ document saying that this tool shows "How many records (and what type) are collected against a particular country".

But now that it has become clear this interpretation was false, it also reveals that Greenwald apparently relied solely on these few documents, and was unaware of what the charts really show. I think we have to assume that Snowden also had no idea about their factual context, let alone any experience with the program - if he had, it would be even worse.

The whole story about BOUNDLESSINFORMANT not only backfired upon Snowden and Greenwald, but also upon several European governments, for example the Spanish and the French ones, who fiercly protested against the alleged US spying on their countries, and of course the Dutch one, where interior minister Plasterk was almost forced to resign because of the misinterpretation of the BOUNDLESSINFORMANT chart.

Links and Sources
- Le Monde/BugBrother: La NSA n’espionne pas tant la France que ça
- Cees Wiebes over de internationale gevolgen van Plasterkgate
- Jan Dirk Snel: De Tweede Kamer heeft zelf boter op het hoofd – Over de zogenaamde affaire-Plasterk
- Onjuiste geheimhouding regering over AIVD/MIVD
- Broken oversight & the 1.8M PSTN records collected by the Dutch National Sigint Organization
- The Netherlands, not USA, gathered info from 1.8 million phone calls
- NSA hielp Nederland met onderzoek naar herkomst 1,8 miljoen
- MIVD: Interceptie van telecommunicatie
- Denmark admits to tapping phones in conflict zones abroad