What happens in Room 641A and others like it?

Do they “tap” into your home internet connection or something?

Nope. They vacuum up everybody’s traffic whether they’re a target or not.

The ISP has no way of knowing what they do with the data, whether they followed the rules or not.

The NSA has employees who are known to have abused these tools to spy on spouses and ex-lovers.

This court order for surveillance does not allow them to establish surveillance. It’s all being hoovered up already.

ALL of it.

The court order is what supposedly allows them to peek at it.

Even if you were not a surveillance target in the past, once an order is obtained they can go back in time (years in fact) and mine through whatever they’ve stored on you or your close contacts. See PRISM surveillance program. From that point forward they can be alerted to your future activity.

They don’t do that by “tapping” you. They do that by mining through what they have already collected.

About this FISA memo chatter— There are allegations that the data is being abused and peeked at without proper due process (and that is 100% confirmed in at least one case by the issue with the NSA employees stalking their spouses) or in the case of this memo, based on false allegations presented to the FISA court, which we now also know to be true.

These concerns are substantiated and this is being abused, end of story.
I am going to summarize how this works and how they accomplished that.

The so-called “NSA rooms” are already publicized and/or the subject of litigation from the EFF, but the rooms themselves are in practice not any more special or technically different than an undersea cable tap or any other place where interception occurs.

The so-called “NSA rooms” are real, by the way: I worked at the AT&T CO in Brookfield, Wisconsin. They had one of those rooms as of 2007 and we were not told anything about it other than the fact that it was a spooks-only zone and they’re all over the company.

Although I was not involved in that, the underlying mechanism is used for several other non-government / private-industry applications of the same principles, which I have in fact been involved with. The design and the infrastructure have the same end goal: snooping on “free” wifi users by the private entities hosting the free wifi and doing whatever the fuck they want with that data, as opposed to a government entity.

That’s a whole other subject. What is occurring?

They probably establish a SPAN/monitoring session for the monitored customer network and spoof the MAC address of its gateway, then configure the device spoofing the gateway for an inbound-only traffic policy so that it collects (but does not acknowledge) all of the traffic destined for the other endpoint, simultaneously with the intended destination.

Please excuse my handwriting

You can cheat by breaking the rules of networking and there is no way to detect that this is occurring.

It’s all collected and vacuumed off to… somewhere… where it’s indexed and searchable from there.

If I had to guess which platform would be capable of cloning the destination MAC, being configured for an inbound-only policy, hoovering all of that up, AND forwarding all the traffic out to a collection host, my money is on the Cloud Services Router 1000V.

Go ahead and install a demo version on VMware and poke around. There’s a type of license that you can’t have and it has a *cough* awfully funny name: Stingray.

You know what a Stingray is, right?

It is a product that “could” do all of that and have a staggering amount of traffic shoved through it.

The “stingray” feature index appears to be capable of unlimited I/O (i.e. in excess of 10 gigs a second).

Bear in mind the telecommunications providers are willing (or at least compelled) participants who are paid millions (?) of dollars to provide access to these traffic flows pursuant to the requirements of the surveillance program, so we can safely assume they willingly provided a monitor session (or equivalent) on an interface and then ran some fiber off to a room for the NSA to do whatever the fuck they want with it.

Let’s configure this in the lab.


Create a monitor session on your core router. Let’s say it’s a Nexus 7K; you have one of those lying around, right?

monitor session 1
  source interface port-channel31 both
  source vlan 123 both
  destination interface Ethernet1/24
  no shut

Then on the SPAN destination interface, Ethernet1/24:

interface Ethernet1/24
  description SPAN Destination
  switchport mode trunk
  switchport monitor
  no shut

You can skip that and export NetFlow or IPFIX packets directly from an edge router, but then its configuration would be obvious and it would need to be an active member of the infrastructure rather than a passive add-on you’ve socked away somewhere slurping on a connection agnostically with respect to the make/model/vendor of the two endpoints. The vCSR is suitable for this task.

About NetFlow/IPFIX: https://en.wikipedia.org/wiki/NetFlow

“Standard NetFlow was designed to process all IP packets on an interface. But in some environments, e.g. on Internet backbones, that was too costly, due to the extra processing required for each packet, and large number of simultaneous flows.”

Now we have “sampled NetFlow” which can be filtered to only collect certain traffic flows that are of interest to you thereby reducing the staggering scale of what we’re proposing here. This feature is only available on the Cisco 12000+ and that may not be the equipment involved.
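Whatever the export flavour, the collector end sees UDP datagrams with a fixed header, so a defender can recognise flow export on the wire and ask whether the destination is a collector the network team actually runs. The following is an added example, not code from the original post: it classifies NetFlow v5/v9 and IPFIX datagrams by their headers, decodes IPFIX template sets to show which fields an exporter is shipping, and flags any export whose destination is outside an allow-list. The datagrams and the allow-list are constructed for this example.

```python
"""Passive identification of NetFlow/IPFIX export streams (added example).

A defender watching UDP traffic can recognise flow-export datagrams by their
fixed headers (RFC 3954 for NetFlow v9, RFC 7011 for IPFIX, the fixed v5
layout) and flag exports whose destination is not an approved collector.
The datagrams below are constructed; the allow-list is an assumption.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    dport: int
    payload: bytes


def classify_flow_export(payload):
    """Return (kind, header fields) if the payload looks like a flow export, else None."""
    if len(payload) < 16:
        return None
    version = struct.unpack("!H", payload[:2])[0]
    if version == 10:
        # IPFIX message header: version, length, export time, sequence, observation domain
        _, length, export_time, seq, domain = struct.unpack("!HHIII", payload[:16])
        if length != len(payload):  # over UDP the length field covers the whole datagram
            return None
        return "ipfix", {"export_time": export_time, "sequence": seq, "domain": domain}
    if version == 9 and len(payload) >= 20:
        # NetFlow v9 header: version, record count, sysuptime, unix secs, sequence, source id
        _, count, _, _, seq, source_id = struct.unpack("!HHIIII", payload[:20])
        return "netflow9", {"count": count, "sequence": seq, "source_id": source_id}
    if version == 5 and len(payload) >= 24:
        # NetFlow v5: 24-byte header followed by up to 30 fixed 48-byte records
        count = struct.unpack("!H", payload[2:4])[0]
        if 1 <= count <= 30 and len(payload) == 24 + 48 * count:
            return "netflow5", {"count": count}
    return None


def parse_ipfix_templates(payload):
    """Walk the sets of an IPFIX message; return {template id: [(element id, length, enterprise)]}.

    The template says what the exporter ships (addresses, ports, HTTP host, ...) before any
    data record is decoded, which is the first thing to inspect in an unexpected export.
    """
    templates = {}
    offset = 16
    while offset + 4 <= len(payload):
        set_id, set_len = struct.unpack("!HH", payload[offset:offset + 4])
        if set_len < 4:
            break
        if set_id == 2:  # template set
            pos, end = offset + 4, offset + set_len
            while pos + 4 <= end:
                tid, field_count = struct.unpack("!HH", payload[pos:pos + 4])
                pos += 4
                fields = []
                for _ in range(field_count):
                    eid, flen = struct.unpack("!HH", payload[pos:pos + 4])
                    pos += 4
                    pen = None
                    if eid & 0x8000:  # enterprise-specific element: a 4-byte PEN follows
                        pen = struct.unpack("!I", payload[pos:pos + 4])[0]
                        pos += 4
                    fields.append((eid & 0x7FFF, flen, pen))
                templates[tid] = fields
        offset += set_len
    return templates


def audit_datagrams(datagrams, approved_collectors):
    """Return (src, dst, dport, kind, status) for every datagram that carries flow export."""
    findings = []
    for d in datagrams:
        kind = classify_flow_export(d.payload)
        if kind is None:
            continue
        status = "approved" if d.dst in approved_collectors else "UNAPPROVED"
        findings.append((d.src, d.dst, d.dport, kind[0], status))
    return findings


# Constructed IPFIX message: header plus one template set (id 2) whose template 256 carries
# sourceIPv4Address(8), destinationIPv4Address(12), sourceTransportPort(7), destinationTransportPort(11).
SAMPLE_IPFIX = (
    struct.pack("!HHIII", 10, 40, 1700000000, 1, 42)
    + struct.pack("!HH", 2, 24)
    + struct.pack("!HH", 256, 4)
    + struct.pack("!HHHHHHHH", 8, 4, 12, 4, 7, 2, 11, 2)
)
# Constructed NetFlow v5 datagram: header with count=1 and one zeroed 48-byte record.
SAMPLE_NETFLOW5 = struct.pack("!HHIIIIBBH", 5, 1, 0, 0, 0, 0, 0, 0, 0) + bytes(48)
# Constructed non-flow payload (a DNS-style query header) for contrast.
SAMPLE_DNS = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"

SAMPLE_DATAGRAMS = [
    Datagram("10.123.4.5", "10.123.4.123", 4739, SAMPLE_IPFIX),  # exporter -> unknown collector
    Datagram("10.0.0.1", "10.0.0.50", 2055, SAMPLE_NETFLOW5),     # export to an approved collector
    Datagram("10.0.0.7", "10.0.0.53", 53, SAMPLE_DNS),            # ordinary UDP, ignored
]
APPROVED_COLLECTORS = {"10.0.0.50"}  # assumption: collectors the network team actually operates

if __name__ == "__main__":
    for finding in audit_datagrams(SAMPLE_DATAGRAMS, APPROVED_COLLECTORS):
        print(finding)
    print(parse_ipfix_templates(SAMPLE_IPFIX))
```

On real traffic, feed it the UDP payloads from a capture filtered on the usual flow ports (2055, 4739 and the like); an export to an address nobody owns is what a reviewer should chase first, and the template tells them what that exporter collects before a single data record is decoded.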

We can’t force everyone to get this kind of gear on their edge or ask for direct control of it — and it’s not like we’re going to give the NSA backdoor access to your core router, your edge gateway, or your customer’s edge gateway to configure or manage this. It will have to work as I describe in order to meet functional requirements. So that’s why I nominate the vCSR as an example of an add-on with that capability built in that can be tacked on to any gateway whether or not it (in and of itself) supports this feature.

What I am talking about is introducing a vCSR in parallel, which is not something that is visible to (or configurable/removable by) someone in control of the endpoints.

In my lab I’m spying on a gateway device manufactured by Lucent and it doesn’t have the capabilities necessary to export NetFlow let alone sampled NetFlow.

When the vCSR is introduced it doesn’t really matter what the hell the gateway device is or whether or not it supports these protocols or direct/native export of NetFlow.

The question isn’t “how do we accomplish this?” the question is “how do we come up with a consistent recipe/methodology for accomplishing this that is 100% vendor/technology agnostic, can drop into any telecommunications provider no matter what is running underneath their hood, and cannot be detected, tampered with, or disabled?” We’re going to introduce the vCSR in parallel to intercept the gateway and force export of the gateway’s data via NetFlow whether it likes it or not.

Instead of speculating on the NetFlow or Sampled Netflow configuration, I will use IPFIX/NBAR as an example of spying on your internet gateway by forwarding a netflow off from the vCSR to a syslog server (open source off the shelf syslog) or proprietary (idk, glownigger shit) collector at 10.123.4.123:

— snip —

!
hostname vcsr1000
!
subscriber templating
!
flow record RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match interface output
 match application name
 match connection id
 collect datalink mac source address input
 collect datalink mac source address output
 collect datalink mac destination address input
 collect datalink mac destination address output
 collect routing destination as
 collect routing next-hop address ipv4
 collect ipv4 dscp
 collect ipv4 id
 collect ipv4 source prefix
 collect ipv4 source mask
 collect ipv4 destination mask
 collect transport tcp source-port
 collect transport tcp destination-port
 collect transport tcp flags
 collect transport udp source-port
 collect transport udp destination-port
 collect flow direction
 collect flow sampler
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect application http uri statistics
 collect application http url
 collect application http host
 collect application http user-agent
 collect application http referer
!
flow exporter SYSLOG
 description SYSLOG_SERVER
 destination 10.123.4.123
 source GigabitEthernet1
 transport udp 4739
 export-protocol ipfix
!
flow monitor MONITOR
 exporter SYSLOG
 cache timeout event transaction-end
 record RECORD
!
multilink bundle-name authenticated
!
class-map match-all CVA
 match any
!
policy-map TRAFFIC
 class CVA
!
policy-map type access-control MAP
!
interface GigabitEthernet1
 ip address 10.123.4.5 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 description THIS IS CONNECTED TO ETHERNET1/24 ON THE NEXUS
 ! *** set this to the MAC address of the Internet gateway (in my example the Lucent gear with no native NBAR support); this is a platform- and vendor-agnostic interception method ***
 mac-address <gateway MAC address>
 ! *** this “loopback” address does not need to be routed or reachable ***
 ip address 100.1.2.3 255.255.255.0
 ip nbar protocol-discovery
 ip flow monitor MONITOR input
 ip flow monitor MONITOR output
 negotiation auto
 service-policy input TRAFFIC
!
ip forward-protocol nd
!

— end —

Type “show ip nbar protocol-discovery” on the vCSR after a minute or two to verify it’s collecting statistics. You should now have a UDP stream flowing from 10.123.4.5 to 10.123.4.123 on port 4739 that carries an outbound flow export of everything from your production network on VLAN 123 (invisibly to the endpoints on VLAN 123).
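Both halves of this lab leave fingerprints in device configuration: the SPAN session and its destination port on the Nexus, and the exporter, the attached flow monitor and the hand-set MAC address on the vCSR. As an added example, not code from the original post, here is a small configuration review that walks an IOS/NX-OS style running-config and reports exactly those items. The two sample configs reuse the lab’s own lines with a constructed dummy MAC, and the approved-collector set is an assumption.

```python
"""Configuration review for SPAN sessions, flow exporters and static MAC overrides (added example).

Walks an IOS/NX-OS style config and reports the things a reviewer should question:
monitor (SPAN) sessions and their destination ports, flow exporters that ship records
to a collector nobody approved, interfaces with a flow monitor attached, and interfaces
whose MAC address has been overridden by hand. Sample configs are constructed; the
MAC is a dummy value and the approved-collector set is an assumption.
"""


def parse_blocks(config):
    """Split a config into (top-level line, [indented sub-lines]) pairs; '!' comment lines are dropped."""
    blocks = []
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] not in " \t":
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None:
            current[1].append(raw.strip())
    return blocks


def audit_config(config, approved_collectors):
    """Return a list of finding tuples; the first element names the finding type."""
    findings = []
    for header, body in parse_blocks(config):
        if header.startswith("monitor session"):
            sources = [line for line in body if line.startswith("source ")]
            dests = [line.split(None, 2)[2] for line in body if line.startswith("destination interface")]
            findings.append(("span", header, sources, dests))
        elif header.startswith("flow exporter"):
            name = header.split(None, 2)[2]
            dest = next((line.split()[1] for line in body if line.startswith("destination ")), None)
            port = next((line.split()[2] for line in body if line.startswith("transport udp")), None)
            status = "approved" if dest in approved_collectors else "UNAPPROVED"
            findings.append(("exporter", name, dest, port, status))
        elif header.startswith("interface"):
            name = header.split(None, 1)[1]
            if "switchport monitor" in body:
                findings.append(("span_dest_port", name))
            for line in body:
                if line.startswith("mac-address "):
                    findings.append(("static_mac", name, line.split()[1]))
                elif line.startswith("ip flow monitor"):
                    findings.append(("flow_monitor", name, line))
    return findings


# Constructed NX-OS fragment: the lab's SPAN session and destination port.
SAMPLE_NXOS = """\
monitor session 1
  source interface port-channel31 both
  source vlan 123 both
  destination interface Ethernet1/24
  no shut
interface Ethernet1/24
  description SPAN Destination
  switchport mode trunk
  switchport monitor
  no shut
"""

# Constructed IOS-XE fragment: the lab's exporter, monitor and spoofing interface (dummy MAC).
SAMPLE_IOS = """\
hostname vcsr1000
flow exporter SYSLOG
 description SYSLOG_SERVER
 destination 10.123.4.123
 source GigabitEthernet1
 transport udp 4739
 export-protocol ipfix
flow monitor MONITOR
 exporter SYSLOG
 record RECORD
interface GigabitEthernet2
 mac-address 0011.2233.4455
 ip flow monitor MONITOR input
 ip flow monitor MONITOR output
"""

APPROVED_COLLECTORS = {"10.0.0.50"}  # assumption: the collectors the network team actually operates

if __name__ == "__main__":
    for device, config in (("nexus", SAMPLE_NXOS), ("vcsr", SAMPLE_IOS)):
        for finding in audit_config(config, APPROVED_COLLECTORS):
            print(device, finding)
```

Run it against a config backup repository and the interesting output is the diff between runs: a new monitor session, a new exporter pointing somewhere unfamiliar, or a `mac-address` line that appeared on a port nobody changed.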

Sounds spooky. Think you’ll get away with just going to Starbucks or McDonalds? Wrong.

People using AT&T’s “hotspot” internet have their session mirrored off over a vpn (ipsec) connection (“CALEA tunnel”) to the spooks in Virginia. They’re already getting everything on everyone.

Why is Randall Stephenson (AT&T CEO) suddenly all in favor of an Internet Bill of Rights as there is all this talk and speculation about what we’re going to find out about FISA abuse and/or surveillance mishandling?

He never gave a shit about any of this stuff his company has contracts open with the US government to do up until now. The only way out of those contracts right now is to create legislation that makes them illegal or will force the nature of them to be renegotiated within the letter of the law.

Disclaimer: I came up with this on my own time with my own lab gear. No leaks, internal communications, or inappropriate disclosures are involved. Configuring a monitor session or a NetFlow export isn’t exactly a state secret.

Cheating the rules of networking by cloning the MAC address is a lesser-known way of configuring a sniffer host for an IDS/IPS but it works.

I was (briefly) a Checkpoint Firewall/IDS administrator for a multinational bank on their 24/7 threat and intrusion monitoring dashboard about twenty years ago … right up until security caught me doing rails of cocaine off of my desk on third shift in case you’re wondering why I know how to do that.

Ironically enough, one of the products we used was called “snort!”

Final note: VPNs and encryption won’t do shit to save you from the law or Big Brother.

I can decrypt a process and show you credit cards in transit to and from the CHE without CHE access.

See ya in FEMA camp.