Jim Sensenbrenner (R-WI), the author of the original USA PATRIOT Act, disagrees.

In a amicus brief filed in support of the American Civil Liberties Union’s lawsuit against the National Security Agency’s bulk collection of U.S. phone records, Sensenbrenner argues that the government has gone far beyond what the legislation authorizes.

Section 215, known as the business records provision, authorizes intelligence agencies to apply for information if “the records are relevant to an ongoing foreign intelligence investigation.”

In practice, the NSA uses section 215 to collect data pertaining to every phone call to, from, and within the U.S. in the name of combating terrorism.

Sensenbrenner and the other members of Congress who enacted Section 215 “did not intend to authorize the program at issue in this lawsuit or any program of a comparable scope,” according to the brief.

The brief goes on to propose this question (emphasis ours):

The NSA is gathering on a daily basis the details of every call that every American makes, as well as every call made by foreigners to or from the United States. How can every call that every American makes or receives be relevant to a specific investigation?“

Filed by the Electronic Frontier Foundation, the brief notes that Sensenbrenner “was not aware of the full scope of the program when he voted to reauthorize Section 215” and would have voted against it if he had known.

In Sensenbrenner’s words: “The suggestion that the administration can violate the law because Congress failed to object is outrageous. But let them be on notice: I am objecting right now.”  source

Following the “Salt Typhoon” breach, which compromised U.S. Army National Guard networks, a former Air National Guard servicemember stated that all U.S. forces should now operate under the assumption that their networks are compromised and will be degraded, according to Nextgov/FCW. This reflects a heightened state of alert and a need for enhanced cybersecurity measures due to the severity of the breach, which has been described as the “worst telecom breach” in American history. 

An elite Chinese cyberspy group hacked at least one state’s National Guard network for nearly a year, the Department of Defense has found.

The hackers, already responsible for one of the most expansive cyberespionage campaigns against the U.S. to date, are alleged to have burrowed even further than previously known and may have obtained sensitive military or law enforcement information. Authorities are still working to discover the extent of the data accessed.

A Department of Homeland Security memo from June, describing the Pentagon’s findings, said that the group, publicly known by the nickname Salt Typhoon, “extensively compromised a U.S. state’s Army National Guard network” from March 2024 through December. The memo did not say which state.

The report was provided to NBC News through the national security transparency nonprofit Property of the People, which obtained it through a freedom of information request.

The Department of Defense didn’t respond to a request for comment. A National Guard Bureau spokesperson confirmed the compromise but declined to share details.

“While we cannot provide specific details on the attack or our response to it, we can say this attack has not prevented the National Guard from accomplishing assigned state or federal missions, and that NGB continues to investigate the intrusion to determine its full scope,” the spokesperson said.

A spokesperson for China’s embassy in Washington did not deny the campaign but said the U.S. has failed to prove China is behind the Salt Typhoon hacks.

“Cyberattacks are a common threat faced by all countries, China included,” the spokesperson said, adding that the U.S. “has been unable to produce conclusive and reliable evidence that the ‘Salt Typhoon’ is linked to the Chinese government.

Salt Typhoon is notorious even by the standards of China’s massive cyberspy efforts because of its ability to jump from one organization to another. Last year, U.S. authorities found that it had hacked at least eight of the country’s largest internet and phone companies, including AT&T and Verizon, using access to spy on the calls and text messages of both the Harris and Trump presidential campaigns, as well as the office of then-Senate Majority Leader Chuck Schumer.

While part of the Department of Defense, National Guard units are also under the authority of their states; some are deeply integrated with local governments or law enforcement, which may have given the Salt Typhoon hackers the ability to compromise other organizations.

The hack “likely provided Beijing with data that could facilitate the hacking of other states’ Army National Guard units, and possibly many of their state-level cybersecurity partners,” the DHS report found. The National Guard in 14 U.S. states work with law enforcement “fusion centers” to share intelligence, the DHS memo notes. The hackers accessed a map of geographic locations in the targeted state, diagrams of how internal networks are set up, and personal information of service members, it said.

In January, the Treasury Department — also a recent target of alleged Chinese hacking — sanctioned a Sichuan company for allegedly helping Beijing’s Ministry of State Security conduct Salt Typhoon operations.

Salt Typhoon can be pernicious and hard to root out once the hackers take hold. In the AT&T case, the company announced in December that it appeared as if they were no longer being affected and Verizon said in January it had “contained” the incident. Both companies stopped short of saying they were fully protected from the hackers returning. A report from Cisco said that, in at least one instance, Salt Typhoon hackers remained in an affected environment for up to three years. source

DHS: Salt Typhoon hackers breached Army National Guard, exposing admin credentials and network diagrams

A U.S. Department of Homeland Security (DHS) memo circulated in June revealed that a Chinese cyberespionage group known as Salt Typhoon ‘extensively compromised a U.S. state’s Army National Guard network over nine months in 2024. The memo, which cites findings from the Department of Defense, said the breach lasted from March through December and did not specify which state was targeted. It also revealed that the stolen data included administrator credentials and detailed network diagrams, basically information that could enable Salt Typhoon hackers to carry out follow-on attacks against the compromised installations.

The memo, however, noted that “If the PRC-associated cyber actors that conducted the hack succeeded in the latter, it could hamstring state-level cybersecurity partners’ ability to defend US critical infrastructure against PRC cyber campaigns in the event of a crisis or conflict.”

The DHS also identified that in 2023 and 2024, Salt Typhoon also stole 1,462 network configuration files associated with approximately 70 U.S. government and critical infrastructure entities from 12 sectors, including energy, communications, transportation, and water and wastewater sectors. “These configuration files could enable further computer network exploitation of other networks, including data capture, administrator account manipulation, and lateral movement between networks, according to CISA reporting and NSA guidance.”

Salt Typhoon, already tied to some of the most aggressive cyber operations against the U.S., is now believed to have gained deeper access than previously known, raising concerns that the hackers may have obtained sensitive military or law enforcement information. Federal officials are still investigating the extent of the data exposure.

A National Guard Bureau spokesperson confirmed the compromise to NBC News, but declined to share details. “While we cannot provide specific details on the attack or our response to it, we can say this attack has not prevented the National Guard from accomplishing assigned state or federal missions, and that NGB continues to investigate the intrusion to determine its full scope,” the spokesperson said.

The DHS revealed that between January and March 2024, Salt Typhoon exfiltrated configuration files associated with other U.S. government and critical infrastructure entities, including at least two U.S. state government agencies. At least one of these files later informed them of a compromise of a vulnerable device on another U.S. government agency’s network.

It added that Salt Typhoon’s success in compromising states’ Army National Guard networks nationwide could undermine local cybersecurity efforts to protect critical infrastructure. “In some 14 states, Army National Guard units are integrated with state fusion centers responsible for sharing threat information—including cyber threats. In at least one state, the local Army National Guard unit directly provides network defense services.”

The memo also identified that Salt Typhoon access to Army National Guard networks in these states could include information on state cyber defense posture, as well as the personally identifiable information (PII) and work locations of state cybersecurity personnel data that could be used to inform future cyber-targeting efforts.

According to DOD reporting, in 2024, Salt Typhoon used its access to a US state’s Army National Guard network to exfiltrate administrator credentials, network traffic diagrams, a map of geographic locations throughout the state, and PII of its service members.

The DHS memo surfaces as senior cybersecurity officials from the National Security Agency and the FBI report progress in disrupting Chinese cyber campaigns targeting U.S. critical infrastructure.

Speaking Tuesday at the International Conference on Cyber Security at Fordham University in New York City, experts detailed Beijing’s so-called Typhoon campaigns, where coordinated efforts involving both Chinese government entities and private sector actors aimed at infiltrating U.S. government agencies and critical infrastructure installations.

Kristina Walter, director of the NSA’s Cybersecurity Collaboration Center, focused on Volt Typhoon, an effort by Chinese actors to preposition themselves on U.S. critical infrastructure for disruptive or destructive cyberattacks in the event of a kinetic conflict centered around Taiwan.

“The good news is, they really failed. They wanted to persist in domestic networks very quietly for a very long time so that if and when they needed to disrupt those networks, they could. They were not successful in that campaign,” she said.

“We, with private sector, with FBI, found them, understood how they were using the operating systems, how they’re using legitimate credentials to maintain persistence, and frankly, we equipped the entire private sector and U.S. government to hunt for them and detect them.”

Walter did not offer further details about those efforts. She said that after the NSA and other agencies released a public advisory in 2024, owners of critical infrastructure reached out to them to confirm that they had found evidence of Volt Typhoon and ask for help.

Brett Leatherman, who was recently appointed assistant director for cyber at the FBI, echoed those remarks and noted that Volt Typhoon was specifically focused on critical infrastructure centered around the U.S. Navy, particularly in island communities like Guam.

He said U.S. efforts to shine a light on the campaign forced Chinese actors to pull back, adapt their tactics, and burn previous methods they used to breach critical infrastructure systems. The publicity fostered by U.S. agencies forced Chinese groups to come up with new ways to breach organizations while also providing ways for private industry to better defend itself.

“Even if you’re not dismantling that network — we’re never going to dismantle the CCP hacking apparatus — but if you can bring real relief to victims, you’re also protecting national security by doing that, and that’s why public attribution is so important when it comes to PRC hacking activity,” he said.

Commenting on the DHS memo, Ensar Seker, CISO at SOCRadar, wrote in an emailed statement that the revelation that Salt Typhoon maintained access to a U.S. National Guard network for nearly a year is a serious escalation in the cyber domain.

“This isn’t just an opportunistic intrusion. It reflects deliberate, long-term espionage designed to quietly extract strategic intelligence. The group’s sustained presence suggests they were gathering more than just files, they were likely mapping infrastructure, monitoring communication flows, and identifying exploitable weak points for future use,” according to Seker. “What’s deeply concerning is that this activity went undetected for so long in a military environment. It raises questions about visibility gaps, segmentation policies, and detection capabilities in hybrid federal-state defense networks.”

He added that it’s another reminder that advanced persistent threat actors like Salt Typhoon are not only targeting federal agencies but also state-level components, where the security posture might be more varied.

“In a time where we are often fooled into thinking cybercrime means somebody telling us that we missed jury duty, or convincing our loved ones of a long-distance romantic relationship, we sometimes miss the fact that this is more than a game and is played at the nation state level,” Erich Kron, security awareness advocate at KnowBe4, wrote in an emailed statement. “Cybercrime has real dangers for real people and real governments as well. The Typhoon groups, several different alleged Chinese-backed cybercrime groups that carry the ‘Typhoon’ moniker as part of their name, have been known to be very stealthy and very effective. While this was at the state level with the National Guard, it still goes to demonstrate that even our military forces are at risk from these cybercrime groups.”

He added that “These criminal groups must be taken seriously, which means that everyone from senior government leadership to the average citizen needs to be at least somewhat aware of the threats, how to spot them, and who to report them to. Whether it’s stealing money from individuals to fund other operations or trying to cripple infrastructure through cyberattacks, these bad actors are a clear and present danger.” source

shopping

you’ll need an RTL-SDR unit. i recommend the dipole antenna kit as well, so you don’t need to make any additional purchases. if you’re a radio enthusiast already, you might have a better antenna available, but if you’re like me you do not and it’s worth the US$10. mine took a bit over a week to arrive. if you’re extremely unlucky, you might need two of them, but i was fine with just one. buy here

basic setup

once your RTL-SDR arrives, you’ll want to put together your antenna. if you’re lucky, like i am, you can just extend the antennas arbitrarily and it’ll work fine; if you’re cursed, the RTL-SDR website has resources on how long is ideal for various frequencies.

connect the antenna to the RTL-SDR unit, plug it in, and follow the RTL-SDR quick start guide. SDRSharp will work, or any of the other Windows options. some of what we’ll need is only available on windows.

once your RTL-SDR’s drivers are sorted out, find the specifications for police radio in your area on RadioReference. click your state, click your county, scroll down and see if there’s a link above a frequency table for you. if you’re lucky, there is, and if you click it there’s a page with a table with System Type and System Voice entries at the top. mine has a system type of EDACS Networked Standard and a system voice of ProVoice and Analog, so the rest of this assumes that’s what you’ve got as well. if not, good luck.

there should be a table for System Frequencies on your RadioReference page. start up SDRSharp and tune your radio to the first frequency listed there. you’ll probably hear a bunch of static and the UI will look something like this:

see how there’s one constant signal and a bunch of other signals that appear and disappear all over the place? well, that’s trunking, and the constant signal is our control channel. if you don’t see it, you can click and drag on the bottom axis of the top panel to change the view. once you’ve found that constant signal, click on it to get the approximate frequency, go back to your frequency table and the closest thing to that will be the exact frequency. it should sound like a series of weird beeps instead of static. remember that frequency, it’ll be important later.

update 2020-07-31: that control channel can change between the frequencies listed on RadioReference. if things randomly quit working, come back to this step, and see if the control channel has moved. i’ll mark down below the places that need changing accordingly.

specific setup

EDACS is a trunked system, so we’re using RTL-SDR’s trunked radio tutorial as our guide, mostly. that guide assumes we have two RTL-SDRs, but there’s a piece at the end explaining how to do it with just one. that sucks. i’m going to paraphrase it here.

first, we’re going to download the software we need: Unitrunker, VB-Cable, and DSD+ (extract both the regular and DLL downloads to the same folder). install unitrunker and VB-Cable and extract dsd+ somewhere convenient. you might need to reboot after installing VB-Cable because computers are bad. VB-Cable might set your default input and output devices to the wrong things when you install it, so switch them back if it does. https://www.unitrunker.com/download.html

or dowmload zippped MSI file from us HERE  UniTrunker-2.1.0.108

open up dsd+. it’ll open four different windows, one of them should have a list of audio input and output devices. check the number in the input list that goes with CABLE Output – for me it’s 3. pull up notepad and make a new file. since my input was number 3, i’m typing

DSDPlus.exe -i3M

in that file: if yours is not 3, put whatever the correct number is for you instead of 3. then, save the file, find your DSDPlus folder, make sure the type is set to “All Files”, and name the file run.bat. close dsd+, go to that folder, and open that run.bat file you just created. it should pull up dsd+ and if you’re lucky it’ll print

audio input device #3 (CABLE Output (VB-Audio Virtual ) initialized

or something like that. leave that open.

open up unitrunker. click the + to add a new receiver, and click the RTL2832 button to add your RTL-SDR. set your settings around like this:

the most important things are the RTL Device, the sample rate (2.56 msps), and the VCOs (2 VCOs). i do not know what a VCO is and i do not care enough to find out. we should now have two VCO tabs next to our info tab. the first one needs to look kinda like this:

the important things are the Role being Signal, the Park frequency being the control channel we found earlier (mine is 851.7625), and the Mute box being checked.

update 2020-07-31: if the control channel changes, this Park frequency is one of the two things you’ll need to update.

the second VCO should look kinda like this:

the important things are the Role being Voice, the Deemphasis box being unchecked, and the Digital Output being set to your CABLE Input. this means it will connect up with dsd+ listening to our CABLE Output.

press Play now; it should pull up a window with a Channels tab. the Channels tab should look something like this:

but the Frequency column will all be zeroes except for the control frequency we found earlier. you’ll need to copy over the rest of the frequencies manually from the RadioReference site.

update 2020-07-31: if the control channel changes, you’ll need to uncheck the Control box on the old control channel, and check the Control box on the new control channel.

press the stop button and the play button again, and everything should in theory be working. ideally, the Call History tab will be crowded and updating pretty frequently, and unitrunker will be passing things along to dsd+ which will give us the audio we want. technically, this is enough.

groups

the thing, though, is we don’t have context for any of this. for now, at least. RadioReference should have a table or several of talkgroups – the “list all in one table” button may come in handy – and we can use that information to figure out who we’re hearing, and have at least some control over who takes priority if multiple people in different contexts are talking at once.

find the main unitrunker window – it’s titled “Universal Trunker” and if you don’t have it open just click the home button a bunch until it opens – and then open the Systems tab and double-click the one that exists. open the Groups tab in that window, and it should give you a massive list with columns for ID, Label, and a bunch of stuff we don’t care about right now. the ID matches up with the DEC column in the RadioReference table, and the Label can be either “Description” or “Alpha Tag” or something you make up yourself if you feel creative. if you pay RadioReference $15 for a Premium subscription then unitrunker can import that data automatically.

once you’ve filled that all in, open the Sites tab and double-click the entry you see there, then open the Call History tab. the group labels you added should now be appearing in the Audience column; the LCN and Frequency should turn green for what unitrunker is currently listening to.

back in the Groups tab, you can edit the Priority values to control which groups will be chosen more often – as far as i can tell, higher priority groups will interrupt lower priority groups, and equal priority groups will just play whoever started talking first.

broadcasting

this setup lets you listen to things locally, but what if you want your comrades with no hardware to be able to also listen? the laziest option is to just stream the Call History window on Twitch or something, but in theory there are better options. RadioReference runs Broadcastify, which is designed for hosting police scanner livestreams, but they have to manually approve your broadcast, which is annoying for short term activity. you could run an icecast server yourself or something, but that takes effort to configure. honestly all of those kinda suck but those are your options as far as i know.

update 2020-07-31: you can also let your friendly neighborhood succulent run an icecast server for you; reach out to me if you need something like this. if you’ve got an icecast server, you’ll need to pay for (or otherwise obtain) VB-CABLE A+B, set up VB-CABLE A, and grab butt (broadcast using this tool).

you’ll need to set DSD+ to output to “CABLE-A Input” like how you set it to input from “CABLE Output” – Cable A is the fourth output in DSD+, so my run.bat now looks like this:

DSDPlus.exe -i3M -o4

run butt, pull up the settings, and under the Audio tab set the Input Device to “CABLE-A Output”. (for bonus points, set the Streaming Codec to AAC+.) under the Main tab, Add a new Server and put in whatever info your icecast server admin told you to use. now restart your DSD+ and hit butt’s play button to start streaming, and you should be running a livestream of your police scanner that is accessible over the internet. source

Understanding, Listening and Recording Trunked Radio Systems with an RTL-SDR and Trunk-Recorder

U.S. Government Catalogue of Cellphone Surveillance Devices
Used by The Military and by CIA, NSA, FBI and other Intelligence Agencies

STINGRAYS

Learn what a  Stingray is here

• NSA-backdoored equipment info found OFF this website
• U.S. Government Catalogue of Cellphone Surveillance Devices
• Backdoors on Wikipedia
• National Security Agency
• Central Intelligence Agency
• NSA EXTRACTED INFO
• CRYPTO MUSEUM
• Edward Snowden
• Stingray
• Pegasus Spyware
• X-Keyscore

The FBI insisted it never planned to use the program to trhttps://www.foxnews.com/ack Americans

The FBI has come under scrutiny in recent months after it purchased a license to use the highly effective spyware program. FBI officials have insisted they did not end up using the program and had intended to only use it for research. Nevertheless, internal documents suggest they had plans to expand its use–including for tracking Americans. The FBI now tells Fox News it will drop the program.

Director Wray faced a grilling from members of Congress on the issue in hearings earlier this year, when he stated that his organization had never used to program.

 

“The Director’s testimony was accurate when given and remains true today – there has been no operational use of the NSO product to support any FBI investigation,” the FBI told Fox.

Sen. Ron Wyden, D-OR, accused Wray of essentially lying – or at least fudging the truth – in testimony earlier this year. Wray was asked about the FBI’s purchase of the spyware and bureau plans to use it in criminal investigations, including tracking Americans. Wray insisted the FBI would only use Pegasus for “research,” but the New York Times soon obtained internal FBI documents indicating this was not accurate – the FBI had hoped to use Pegasus more broadly.

Pegasus has already proven capable of infiltrating the phones of U.S. officials working overseas, something Rep. Adam Schiff, D-Calif., highlighted in a spyware hearing this summer.

“Late last year, multiple news organizations reported that mobile phones used by U.S. diplomats in Uganda had been compromised by NASA’s Pegasus tool,” Schiff said at the time. “It is my belief that we are very likely looking at the tip of the iceberg and that other U.S. government personnel have had their devices compromised, whether by a nation state using NSA services or tools offered by one of its lesser known but equally potent competitors.”

Experts say the spyware has legitimate uses but is also a powerful tool for authoritarian governments. Mexico used Pegasus in its effort to track down El Chapo, and Saudi Arabia also used it to track journalist Jamal Khashoggi prior to orchestrating his murder, according to cyber defense expert Jason Blessing.

The Spy Factories: NSA’s XKeyscore Isn’t the Only Program Tracking You

When whistleblower Edward Snowden revealed his NSA files in 2013, one sneaky program stood out: XKeyscore, a secret system that spies can use to search and analyze nearly everything you do on the internet in real-time.

XKeyscore is still hoovering up your internet searches, passwords, user names, emails, and personal messages a decade later. In fact, it’s not the only tool governments used to spy on your personal data. Here are five ways the US, Britain, Israel, Canada, and others may be spying on you right now.

CIA snooping on Americans‍

The CIA is vacuuming up data in bulk so spies can sift through it, according to two members of the US Senate Intelligence Committee.

If the data collec­tion happens over­seas or falls into a statutory black hole, it comes under Exec­ut­ive Order 12333 which means there’s little over­sight. “What stops the CIA from poring through the data look­ing for Amer­ic­ans’ inform­a­tion? Let’s be honest: noth­ing,” according to the Brennan Center for Justice.

Senator Ron Wyden said he is also concerned the US Defense Intelligence Agency is buying consumer smartphone location data from a third-party broker and the Department of Homeland Security is helping to compile money transfer records.

Pegasus software‍

The Israeli company NSO Group developed Pegasus spyware to target terrorists but governments have used it to track at least 180 journalists, political dissidents, activists, and heads of state including French President Emmanuel Macron.

More than 50,000 phone numbers targeted for surveillance by Pegasus’ customers were leaked to Amnesty International, revealing a massive global privacy breach. Once installed, the software operator can receive text messages, contact lists, and calendar events, and can turn on the phone’s camera and microphone to capture activity in the phone’s vicinity.

Who uses it? The FBI ‘tested’ Pegasus spyware but said they haven’t used it in investigations. Canada’s CitizenLab linked Pegasus to operations in 45 countries including Mexico, Bahrain, Kazakhstan, Morocco, Saudi Arabia, and the UAE. Israeli police used the spyware to scrutinize citizens’ phones. The son of ex-Israeli PM Benjamin Netanyahu was one such target. Not all countries have access to Pegasus software. Israel reportedly blocked Ukraine from buying a license, fearing Russia would be angry if Pegasus was sold to a regional foe.

Codename Tempora: Britain’s GCHQ cyberspies ‍

The European Court of Human Rights ruled in 2021 that GCHQ spies were acting unlawfully when they intercepted online communications in bulk. Judges also criticized GCHQ’s regime for sharing sensitive digital intelligence with foreign governments.

The data included information from passports, travel records, financial data, telephone calls, emails, and open or covert sources.

The court case revealed that Britain’s spies had secretly collected bulk personal data since the late 1990s and gathered information on people ‘unlikely to be of intelligence or security interest’. UK lawyers argued that the information was needed for national security.

Vault 7: CIA hacking techniques‍

In 2017, WikiLeaks published what it described as thousands of pages of internal CIA discussions about Agency hacking techniques. CIA spies could apparently access Apple iPhones, Google Android devices, and other gadgets to capture text and voice messages before they were encrypted with software.

By the end of 2016, the CIA’s Center for Cyber Intelligence had more than 5,000 registered users and produced more than 1,000 hacking systems, trojans, viruses, and other ‘weaponized’ malware, creating, in effect, its own NSA with less accountability, according to WikiLeaks.

The House Intelligence committee was ‘looking into the report’ by Yahoo! News in 2021 that claimed the CIA allegedly plotted revenge for the WikiLeaks revelations by targeting founder Julian Assange.

CSIS: Canada’s spies creep forward‍

Canada’s CSE – the signals intelligence group that collects data much like the NSA does in the US – received new powers in 2019 under a law designed to crack down on terrorists. Privacy advocates worry the law is an invitation for mass surveillance and see potential problems.

Critics have long complained about CSE which, in 2012, spied on Canadians using public WiFi networks in Canadian airports. The agency – and its watchdog – argued that they were only collecting metadata (for example, an IP or email address and phone number) rather than the content of messages.

“But we (and they) know that metadata can reveal tons of private information about a person and their life: where they have been, what they believe, who they talk to, etc,” according to Canada’s International Civil Liberties Monitoring Group.

• NSA-backdoored equipment info found OFF this website
• U.S. Government Catalogue of Cellphone Surveillance Devices
• Backdoors on Wikipedia
• National Security Agency
• Central Intelligence Agency
• NSA EXTRACTED INFO
• CRYPTO MUSEUM
• Edward Snowden
• Stingray
• Pegasus Spyware
• X-Keyscore

Top-secret documents reveal that the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process.

The classified files – provided previously by NSA whistleblower Edward Snowden – contain new details about groundbreaking surveillance technology the agency has developed to infect potentially millions of computers worldwide with malware “implants.” The clandestine initiative enables the NSA to break into targeted computers and to siphon out data from foreign Internet and phone networks.

The covert infrastructure that supports the hacking efforts operates from the agency’s headquarters in Fort Meade, Maryland, and from eavesdropping bases in the United Kingdom and Japan. GCHQ, the British intelligence agency, appears to have played an integral role in helping to develop the implants tactic.

In some cases the NSA has masqueraded as a fake Facebook server, using the social media site as a launching pad to infect a target’s computer and exfiltrate files from a hard drive. In others, it has sent out spam emails laced with the malware, which can be tailored to covertly record audio from a computer’s microphone and take snapshots with its webcam. The hacking systems have also enabled the NSA to launch cyberattacks by corrupting and disrupting file downloads or denying access to websites.

The implants being deployed were once reserved for a few hundred hard-to-reach targets, whose communications could not be monitored through traditional wiretaps. But the documents analyzed by The Intercept show how the NSA has aggressively accelerated its hacking initiatives in the past decade by computerizing some processes previously handled by humans. The automated system – codenamed TURBINE – is designed to “allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually.”

In a top-secret presentation, dated August 2009, the NSA describes a pre-programmed part of the covert infrastructure called the “Expert System,” which is designed to operate “like the brain.” The system manages the applications and functions of the implants and “decides” what tools they need to best extract data from infected machines.

Mikko Hypponen, an expert in malware who serves as chief research officer at the Finnish security firm F-Secure, calls the revelations “disturbing.” The NSA’s surveillance techniques, he warns, could inadvertently be undermining the security of the Internet.

“When they deploy malware on systems,” Hypponen says, “they potentially create new vulnerabilities in these systems, making them more vulnerable for attacks by third parties.”

Hypponen believes that governments could arguably justify using malware in a small number of targeted cases against adversaries. But millions of malware implants being deployed by the NSA as part of an automated process, he says, would be “out of control.”

“That would definitely not be proportionate,” Hypponen says. “It couldn’t possibly be targeted and named. It sounds like wholesale infection and wholesale surveillance.”

The NSA declined to answer questions about its deployment of implants, pointing to a new presidential policy directive announced by President Obama. “As the president made clear on 17 January,” the agency said in a statement, “signals intelligence shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions, and not for any other purposes.”

“Owning the Net”

The NSA began rapidly escalating its hacking efforts a decade ago. In 2004, according to secret internal records, the agency was managing a small network of only 100 to 150 implants. But over the next six to eight years, as an elite unit called Tailored Access Operations (TAO) recruited new hackers and developed new malware tools, the number of implants soared to tens of thousands.

To penetrate foreign computer networks and monitor communications that it did not have access to through other means, the NSA wanted to go beyond the limits of traditional signals intelligence, or SIGINT, the agency’s term for the interception of electronic communications. Instead, it sought to broaden “active” surveillance methods – tactics designed to directly infiltrate a target’s computers or network devices.

In the documents, the agency describes such techniques as “a more aggressive approach to SIGINT” and says that the TAO unit’s mission is to “aggressively scale” these operations.

But the NSA recognized that managing a massive network of implants is too big a job for humans alone.

“One of the greatest challenges for active SIGINT/attack is scale,” explains the top-secret presentation from 2009. “Human ‘drivers’ limit ability for large-scale exploitation (humans tend to operate within their own environment, not taking into account the bigger picture).”

The agency’s solution was TURBINE. Developed as part of TAO unit, it is described in the leaked documents as an “intelligent command and control capability” that enables “industrial-scale exploitation.”

TURBINE was designed to make deploying malware much easier for the NSA’s hackers by reducing their role in overseeing its functions. The system would “relieve the user from needing to know/care about the details,” the NSA’s Technology Directorate notes in one secret document from 2009. “For example, a user should be able to ask for ‘all details about application X’ and not need to know how and where the application keeps files, registry entries, user application data, etc.”

In practice, this meant that TURBINE would automate crucial processes that previously had to be performed manually – including the configuration of the implants as well as surveillance collection, or “tasking,” of data from infected systems. But automating these processes was about much more than a simple technicality. The move represented a major tactical shift within the NSA that was expected to have a profound impact – allowing the agency to push forward into a new frontier of surveillance operations.

The ramifications are starkly illustrated in one undated top-secret NSA document, which describes how the agency planned for TURBINE to “increase the current capability to deploy and manage hundreds of Computer Network Exploitation (CNE) and Computer Network Attack (CNA) implants to potentially millions of implants.” (CNE mines intelligence from computers and networks; CNA seeks to disrupt, damage or destroy them.)

Eventually, the secret files indicate, the NSA’s plans for TURBINE came to fruition. The system has been operational in some capacity since at least July 2010, and its role has become increasingly central to NSA hacking operations.

Earlier reports based on the Snowden files indicate that the NSA has already deployed between 85,000 and 100,000 of its implants against computers and networks across the world, with plans to keep on scaling up those numbers.

The intelligence community’s top-secret “Black Budget” for 2013, obtained by Snowden, lists TURBINE as part of a broader NSA surveillance initiative named “Owning the Net.”

The agency sought $67.6 million in taxpayer funding for its Owning the Net program last year. Some of the money was earmarked for TURBINE, expanding the system to encompass “a wider variety” of networks and “enabling greater automation of computer network exploitation.”

Circumventing Encryption

The NSA has a diverse arsenal of malware tools, each highly sophisticated and customizable for different purposes.

One implant, codenamed UNITEDRAKE, can be used with a variety of “plug-ins” that enable the agency to gain total control of an infected computer.

An implant plug-in named CAPTIVATEDAUDIENCE, for example, is used to take over a targeted computer’s microphone and record conversations taking place near the device. Another, GUMFISH, can covertly take over a computer’s webcam and snap photographs. FOGGYBOTTOM records logs of Internet browsing histories and collects login details and passwords used to access websites and email accounts. GROK is used to log keystrokes. And SALVAGERABBIT exfiltrates data from removable flash drives that connect to an infected computer.

The implants can enable the NSA to circumvent privacy-enhancing encryption tools that are used to browse the Internet anonymously or scramble the contents of emails as they are being sent across networks. That’s because the NSA’s malware gives the agency unfettered access to a target’s computer before the user protects their communications with encryption.

It is unclear how many of the implants are being deployed on an annual basis or which variants of them are currently active in computer systems across the world.

Previous reports have alleged that the NSA worked with Israel to develop the Stuxnet malware, which was used to sabotage Iranian nuclear facilities. The agency also reportedly worked with Israel to deploy malware called Flame to infiltrate computers and spy on communications in countries across the Middle East.

According to the Snowden files, the technology has been used to seek out terror suspects as well as individuals regarded by the NSA as “extremist.” But the mandate of the NSA’s hackers is not limited to invading the systems of those who pose a threat to national security.

In one secret post on an internal message board, an operative from the NSA’s Signals Intelligence Directorate describes using malware attacks against systems administrators who work at foreign phone and Internet service providers. By hacking an administrator’s computer, the agency can gain covert access to communications that are processed by his company. “Sys admins are a means to an end,” the NSA operative writes.

The internal post – titled “I hunt sys admins” – makes clear that terrorists aren’t the only targets of such NSA attacks. Compromising a systems administrator, the operative notes, makes it easier to get to other targets of interest, including any “government official that happens to be using the network some admin takes care of.”

Similar tactics have been adopted by Government Communications Headquarters, the NSA’s British counterpart. As the German newspaper Der Spiegel reported in September, GCHQ hacked computers belonging to network engineers at Belgacom, the Belgian telecommunications provider.

The mission, codenamed “Operation Socialist,” was designed to enable GCHQ to monitor mobile phones connected to Belgacom’s network. The secret files deem the mission a “success,” and indicate that the agency had the ability to covertly access Belgacom’s systems since at least 2010.

Infiltrating cellphone networks, however, is not all that the malware can be used to accomplish. The NSA has specifically tailored some of its implants to infect large-scale network routers used by Internet service providers in foreign countries. By compromising routers – the devices that connect computer networks and transport data packets across the Internet – the agency can gain covert access to monitor Internet traffic, record the browsing sessions of users, and intercept communications.

Two implants the NSA injects into network routers, HAMMERCHANT and HAMMERSTEIN, help the agency to intercept and perform “exploitation attacks” against data that is sent through a Virtual Private Network, a tool that uses encrypted “tunnels” to enhance the security and privacy of an Internet session.

The implants also track phone calls sent across the network via Skype and other Voice Over IP software, revealing the username of the person making the call. If the audio of the VOIP conversation is sent over the Internet using unencrypted “Real-time Transport Protocol” packets, the implants can covertly record the audio data and then return it to the NSA for analysis.

But not all of the NSA’s implants are used to gather intelligence, the secret files show. Sometimes, the agency’s aim is disruption rather than surveillance. QUANTUMSKY, a piece of NSA malware developed in 2004, is used to block targets from accessing certain websites. QUANTUMCOPPER, first tested in 2008, corrupts a target’s file downloads. These two “attack” techniques are revealed on a classified list that features nine NSA hacking tools, six of which are used for intelligence gathering. Just one is used for “defensive” purposes – to protect U.S. government networks against intrusions.

“Mass exploitation potential”

Before it can extract data from an implant or use it to attack a system, the NSA must first install the malware on a targeted computer or network.

According to one top-secret document from 2012, the agency can deploy malware by sending out spam emails that trick targets into clicking a malicious link. Once activated, a “back-door implant” infects their computers within eight seconds.

There’s only one problem with this tactic, codenamed WILLOWVIXEN: According to the documents, the spam method has become less successful in recent years, as Internet users have become wary of unsolicited emails and less likely to click on anything that looks suspicious.

Consequently, the NSA has turned to new and more advanced hacking techniques. These include performing so-called “man-in-the-middle” and “man-on-the-side” attacks, which covertly force a user’s internet browser to route to NSA computer servers that try to infect them with an implant.

To perform a man-on-the-side attack, the NSA observes a target’s Internet traffic using its global network of covert “accesses” to data as it flows over fiber optic cables or satellites. When the target visits a website that the NSA is able to exploit, the agency’s surveillance sensors alert the TURBINE system, which then “shoots” data packets at the targeted computer’s IP address within a fraction of a second.

In one man-on-the-side technique, codenamed QUANTUMHAND, the agency disguises itself as a fake Facebook server. When a target attempts to log in to the social media site, the NSA transmits malicious data packets that trick the target’s computer into thinking they are being sent from the real Facebook. By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer and covertly siphon out data from its hard drive. A top-secret animation demonstrates the tactic in action.

The documents show that QUANTUMHAND became operational in October 2010, after being successfully tested by the NSA against about a dozen targets.

According to Matt Blaze, a surveillance and cryptography expert at the University of Pennsylvania, it appears that the QUANTUMHAND technique is aimed at targeting specific individuals. But he expresses concerns about how it has been covertly integrated within Internet networks as part of the NSA’s automated TURBINE system.

“As soon as you put this capability in the backbone infrastructure, the software and security engineer in me says that’s terrifying,” Blaze says.

“Forget about how the NSA is intending to use it. How do we know it is working correctly and only targeting who the NSA wants? And even if it does work correctly, which is itself a really dubious assumption, how is it controlled?”

In an email statement to The Intercept, Facebook spokesman Jay Nancarrow said the company had “no evidence of this alleged activity.” He added that Facebook implemented HTTPS encryption for users last year, making browsing sessions less vulnerable to malware attacks.

Nancarrow also pointed out that other services besides Facebook could have been compromised by the NSA. “If government agencies indeed have privileged access to network service providers,” he said, “any site running only [unencrypted] HTTP could conceivably have its traffic misdirected.”

A man-in-the-middle attack is a similar but slightly more aggressive method that can be used by the NSA to deploy its malware. It refers to a hacking technique in which the agency covertly places itself between computers as they are communicating with each other.

This allows the NSA not only to observe and redirect browsing sessions, but to modify the content of data packets that are passing between computers.

The man-in-the-middle tactic can be used, for instance, to covertly change the content of a message as it is being sent between two people, without either knowing that any change has been made by a third party. The same technique is sometimes used by criminal hackers to defraud people.

A top-secret NSA presentation from 2012 reveals that the agency developed a man-in-the-middle capability called SECONDDATE to “influence real-time communications between client and server” and to “quietly redirect web-browsers” to NSA malware servers called FOXACID. In October, details about the FOXACID system were reported by the Guardian, which revealed its links to attacks against users of the Internet anonymity service Tor.

But SECONDDATE is tailored not only for “surgical” surveillance attacks on individual suspects. It can also be used to launch bulk malware attacks against computers.

According to the 2012 presentation, the tactic has “mass exploitation potential for clients passing through network choke points.”

Blaze, the University of Pennsylvania surveillance expert, says the potential use of man-in-the-middle attacks on such a scale “seems very disturbing.” Such an approach would involve indiscriminately monitoring entire networks as opposed to targeting individual suspects.

“The thing that raises a red flag for me is the reference to ‘network choke points,’” he says. “That’s the last place that we should be allowing intelligence agencies to compromise the infrastructure – because that is by definition a mass surveillance technique.”

To deploy some of its malware implants, the NSA exploits security vulnerabilities in commonly used Internet browsers such as Mozilla Firefox and Internet Explorer.

The agency’s hackers also exploit security weaknesses in network routers and in popular software plugins such as Flash and Java to deliver malicious code onto targeted machines.

The implants can circumvent anti-virus programs, and the NSA has gone to extreme lengths to ensure that its clandestine technology is extremely difficult to detect. An implant named VALIDATOR, used by the NSA to upload and download data to and from an infected machine, can be set to self-destruct – deleting itself from an infected computer after a set time expires.

In many cases, firewalls and other security measures do not appear to pose much of an obstacle to the NSA. Indeed, the agency’s hackers appear confident in their ability to circumvent any security mechanism that stands between them and compromising a computer or network. “If we can get the target to visit us in some sort of web browser, we can probably own them,” an agency hacker boasts in one secret document. “The only limitation is the ‘how.’”

Covert Infrastructure

The TURBINE implants system does not operate in isolation.

It is linked to, and relies upon, a large network of clandestine surveillance “sensors” that the agency has installed at locations across the world.

The NSA’s headquarters in Maryland are part of this network, as are eavesdropping bases used by the agency in Misawa, Japan and Menwith Hill, England.

The sensors, codenamed TURMOIL, operate as a sort of high-tech surveillance dragnet, monitoring packets of data as they are sent across the Internet.

When TURBINE implants exfiltrate data from infected computer systems, the TURMOIL sensors automatically identify the data and return it to the NSA for analysis. And when targets are communicating, the TURMOIL system can be used to send alerts or “tips” to TURBINE, enabling the initiation of a malware attack.

The NSA identifies surveillance targets based on a series of data “selectors” as they flow across Internet cables. These selectors, according to internal documents, can include email addresses, IP addresses, or the unique “cookies” containing a username or other identifying information that are sent to a user’s computer by websites such as Google, Facebook, Hotmail, Yahoo, and Twitter.

Other selectors the NSA uses can be gleaned from unique Google advertising cookies that track browsing habits, unique encryption key fingerprints that can be traced to a specific user, and computer IDs that are sent across the Internet when a Windows computer crashes or updates.

What’s more, the TURBINE system operates with the knowledge and support of other governments, some of which have participated in the malware attacks.

Classification markings on the Snowden documents indicate that NSA has shared many of its files on the use of implants with its counterparts in the so-called Five Eyes surveillance alliance – the United Kingdom, Canada, New Zealand, and Australia.

GCHQ, the British agency, has taken on a particularly important role in helping to develop the malware tactics. The Menwith Hill satellite eavesdropping base that is part of the TURMOIL network, located in a rural part of Northern England, is operated by the NSA in close cooperation with GCHQ.

Top-secret documents show that the British base – referred to by the NSA as “MHS” for Menwith Hill Station – is an integral component of the TURBINE malware infrastructure and has been used to experiment with implant “exploitation” attacks against users of Yahoo and Hotmail.

In one document dated 2010, at least five variants of the QUANTUM hacking method were listed as being “operational” at Menwith Hill. The same document also reveals that GCHQ helped integrate three of the QUANTUM malware capabilities – and test two others – as part of a surveillance system it operates codenamed INSENSER.

GCHQ cooperated with the hacking attacks despite having reservations about their legality. One of the Snowden files, previously disclosed by Swedish broadcaster SVT, revealed that as recently as April 2013, GCHQ was apparently reluctant to get involved in deploying the QUANTUM malware due to “legal/policy restrictions.” A representative from a unit of the British surveillance agency, meeting with an obscure telecommunications standards committee in 2010, separately voiced concerns that performing “active” hacking attacks for surveillance “may be illegal” under British law.

In response to questions from The Intercept, GCHQ refused to comment on its involvement in the covert hacking operations. Citing its boilerplate response to inquiries, the agency said in a statement that “all of GCHQ’s work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorized, necessary and proportionate, and that there is rigorous oversight.”

Whatever the legalities of the United Kingdom and United States infiltrating computer networks, the Snowden files bring into sharp focus the broader implications. Under cover of secrecy and without public debate, there has been an unprecedented proliferation of aggressive surveillance techniques. One of the NSA’s primary concerns, in fact, appears to be that its clandestine tactics are now being adopted by foreign rivals, too.

“Hacking routers has been good business for us and our 5-eyes partners for some time,” notes one NSA analyst in a top-secret document dated December 2012. “But it is becoming more apparent that other nation states are honing their skillz [sic] and joining the scene.” source

 XKeyscore gives ‘widest-reaching’ collection of online data  NSA analysts require no prior authorization for searches  Sweeps up emails, social media activity and browsing history

A top secret National Security Agency program allows analysts to search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals, according to documents provided by whistleblower Edward Snowden.

The NSA boasts in training materials that the program, called XKeyscore, is its “widest-reaching” system for developing intelligence from the internet.

The latest revelations will add to the intense public and congressional debate around the extent of NSA surveillance programs. They come as senior intelligence officials testify to the Senate judiciary committee on Wednesday, releasing classified documents in response to the Guardian’s earlier stories on bulk collection of phone records and Fisa surveillance court oversight.

The files shed light on one of Snowden’s most controversial statements, made in his first video interview published by the Guardian on June 10.

“I, sitting at my desk,” said Snowden, could “wiretap anyone, from you or your accountant, to a federal judge or even the president, if I had a personal email”.

US officials vehemently denied this specific claim. Mike Rogers, the Republican chairman of the House intelligence committee, said of Snowden’s assertion: “He’s lying. It’s impossible for him to do what he was saying he could do.”

But training materials for XKeyscore detail how analysts can use it and other systems to mine enormous agency databases by filling in a simple on-screen form giving only a broad justification for the search. The request is not reviewed by a court or any NSA personnel before it is processed.

 

XKeyScore – the NSA’s secret tool that collects and reveals ‘nearly everything a user does on the internet’

 

XKeyscore, the documents boast, is the NSA’s “widest reaching” system developing intelligence from computer networks – what the agency calls Digital Network Intelligence (DNI). One presentation claims the program covers “nearly everything a typical user does on the internet”, including the content of emails, websites visited and searches, as well as their metadata.

Analysts can also use XKeyscore and other NSA systems to obtain ongoing “real-time” interception of an individual’s internet activity.

Under US law, the NSA is required to obtain an individualized Fisa warrant only if the target of their surveillance is a ‘US person’, though no such warrant is required for intercepting the communications of Americans with foreign targets. But XKeyscore provides the technological capability, if not the legal authority, to target even US persons for extensive electronic surveillance without a warrant provided that some identifying information, such as their email or IP address, is known to the analyst.

One training slide illustrates the digital activity constantly being collected by XKeyscore and the analyst’s ability to query the databases at any time.

The purpose of XKeyscore is to allow analysts to search the metadata as well as the content of emails and other internet activity, such as browser history, even when there is no known email account (a “selector” in NSA parlance) associated with the individual being targeted.

Analysts can also search by name, telephone number, IP address, keywords, the language in which the internet activity was conducted or the type of browser used.

One document notes that this is because “strong selection [search by email address] itself gives us only a very limited capability” because “a large amount of time spent on the web is performing actions that are anonymous.”

The NSA documents assert that by 2008, 300 terrorists had been captured using intelligence from XKeyscore.

Analysts are warned that searching the full database for content will yield too many results to sift through. Instead they are advised to use the metadata also stored in the databases to narrow down what to review.

A slide entitled “plug-ins” in a December 2012 document describes the various fields of information that can be searched. It includes “every email address seen in a session by both username and domain”, “every phone number seen in a session (eg address book entries or signature block)” and user activity – “the webmail and chat activity to include username, buddylist, machine specific cookies etc”.

Email monitoring

In a second Guardian interview in June, Snowden elaborated on his statement about being able to read any individual’s email if he had their email address. He said the claim was based in part on the email search capabilities of XKeyscore, which Snowden says he was authorized to use while working as a Booz Allen contractor for the NSA.

One top-secret document describes how the program “searches within bodies of emails, webpages and documents”, including the “To, From, CC, BCC lines” and the ‘Contact Us’ pages on websites”.

To search for emails, an analyst using XKS enters the individual’s email address into a simple online search form, along with the “justification” for the search and the time period for which the emails are sought.

The analyst then selects which of those returned emails they want to read by opening them in NSA reading software.

The system is similar to the way in which NSA analysts generally can intercept the communications of anyone they select, including, as one NSA document put it, “communications that transit the United States and communications that terminate in the United States”.

One document, a top secret 2010 guide describing the training received by NSA analysts for general surveillance under the Fisa Amendments Act of 2008, explains that analysts can begin surveillance on anyone by clicking a few simple pull-down menus designed to provide both legal and targeting justifications. Once options on the pull-down menus are selected, their target is marked for electronic surveillance and the analyst is able to review the content of their communications:

Chats, browsing history and other internet activity

Beyond emails, the XKeyscore system allows analysts to monitor a virtually unlimited array of other internet activities, including those within social media.

An NSA tool called DNI Presenter, used to read the content of stored emails, also enables an analyst using XKeyscore to read the content of Facebook chats or private messages.

An analyst can monitor such Facebook chats by entering the Facebook user name and a date range into a simple search screen.

Analysts can search for internet browsing activities using a wide range of information, including search terms entered by the user or the websites viewed.

As one slide indicates, the ability to search HTTP activity by keyword permits the analyst access to what the NSA calls “nearly everything a typical user does on the internet”.

The XKeyscore program also allows an analyst to learn the IP addresses of every person who visits any website the analyst specifies.

The quantity of communications accessible through programs such as XKeyscore is staggeringly large. One NSA report from 2007 estimated that there were 850bn “call events” collected and stored in the NSA databases, and close to 150bn internet records. Each day, the document says, 1-2bn records were added.

William Binney, a former NSA mathematician, said last year that the agency had “assembled on the order of 20tn transactions about US citizens with other US citizens”, an estimate, he said, that “only was involving phone calls and emails”. A 2010 Washington Post article reported that “every day, collection systems at the [NSA] intercept and store 1.7bn emails, phone calls and other type of communications.”

The XKeyscore system is continuously collecting so much internet data that it can be stored only for short periods of time. Content remains on the system for only three to five days, while metadata is stored for 30 days. One document explains: “At some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours.”

To solve this problem, the NSA has created a multi-tiered system that allows analysts to store “interesting” content in other databases, such as one named Pinwale which can store material for up to five years.

It is the databases of XKeyscore, one document shows, that now contain the greatest amount of communications data collected by the NSA.

In 2012, there were at least 41 billion total records collected and stored in XKeyscore for a single 30-day period.

Legal v technical restrictions

While the Fisa Amendments Act of 2008 requires an individualized warrant for the targeting of US persons, NSA analysts are permitted to intercept the communications of such individuals without a warrant if they are in contact with one of the NSA’s foreign targets.

The ACLU’s deputy legal director, Jameel Jaffer, told the Guardian last month that national security officials expressly said that a primary purpose of the new law was to enable them to collect large amounts of Americans’ communications without individualized warrants.

“The government doesn’t need to ‘target’ Americans in order to collect huge volumes of their communications,” said Jaffer. “The government inevitably sweeps up the communications of many Americans” when targeting foreign nationals for surveillance.

An example is provided by one XKeyscore document showing an NSA target in Tehran communicating with people in Frankfurt, Amsterdam and New York.

In recent years, the NSA has attempted to segregate exclusively domestic US communications in separate databases. But even NSA documents acknowledge that such efforts are imperfect, as even purely domestic communications can travel on foreign systems, and NSA tools are sometimes unable to identify the national origins of communications.

Moreover, all communications between Americans and someone on foreign soil are included in the same databases as foreign-to-foreign communications, making them readily searchable without warrants.

Some searches conducted by NSA analysts are periodically reviewed by their supervisors within the NSA. “It’s very rare to be questioned on our searches,” Snowden told the Guardian in June, “and even when we are, it’s usually along the lines of: ‘let’s bulk up the justification’.”

In a letter this week to senator Ron Wyden, director of national intelligence James Clapper acknowledged that NSA analysts have exceeded even legal limits as interpreted by the NSA in domestic surveillance.

Acknowledging what he called “a number of compliance problems”, Clapper attributed them to “human error” or “highly sophisticated technology issues” rather than “bad faith”.

However, Wyden said on the Senate floor on Tuesday: “These violations are more serious than those stated by the intelligence community, and are troubling.”

In a statement to the Guardian, the NSA said: “NSA’s activities are focused and specifically deployed against – and only against – legitimate foreign intelligence targets in response to requirements that our leaders need for information necessary to protect our nation and its interests.

“XKeyscore is used as a part of NSA’s lawful foreign signals intelligence collection system.

“Allegations of widespread, unchecked analyst access to NSA collection data are simply not true. Access to XKeyscore, as well as all of NSA’s analytic tools, is limited to only those personnel who require access for their assigned tasks … In addition, there are multiple technical, manual and supervisory checks and balances within the system to prevent deliberate misuse from occurring.”

“Every search by an NSA analyst is fully auditable, to ensure that they are proper and within the law.

“These types of programs allow us to collect the information that enables us to perform our missions successfully – to defend the nation and to protect US and allied troops abroad.”

X-Keyscore:
Allows the NSA and Allies to Monitor Emails,
Web Browsing, Internet Searches and Social Media

XKeyscore 

XKeyscore (XKEYSCORE or XKS) is a secret computer system used by the United States National Security Agency (NSA) for searching and analyzing global Internet data, which it collects in real time. The NSA has shared XKeyscore with other intelligence agencies, including the Australian Signals Directorate, Canada’s Communications Security Establishment, New Zealand’s Government Communications Security Bureau, Britain’s Government Communications Headquarters, Japan’s Defense Intelligence Headquarters, and Germany’s Bundesnachrichtendienst.^[1]

In July 2013, Edward Snowden publicly revealed the program’s purpose and use by the NSA in The Sydney Morning Herald and O Globo newspapers. The code name was already public knowledge because it was mentioned in earlier articles, and, like many other code names, it appears in job postings and online résumés of employees.^[2][3]

On July 3, 2014, German public broadcaster Norddeutscher Rundfunk, a member of ARD, published excerpts of XKeyscore’s source code.^[4] A team of experts analyzed the source code.^[5] cited

XKEYSCORE

NSA’s Google for the World’s Private Communications

Morgan Marquis-Boire, Glenn Greenwald, Micah Lee cited theintercept.com

ONE OF THE National Security Agency’s most powerful tools of mass surveillance makes tracking someone’s Internet usage as easy as entering an email address, and provides no built-in technology to prevent abuse. Today, The Intercept is publishing 48 top-secret and other classified documents about XKEYSCORE dated up to 2013, which shed new light on the breadth, depth and functionality of this critical spy system — one of the largest releases yet of documents provided by NSA whistleblower Edward Snowden.

The NSA’s XKEYSCORE program, first revealed by The Guardian, sweeps up countless people’s Internet searches, emails, documents, usernames and passwords, and other private communications. XKEYSCORE is fed a constant flow of Internet traffic from fiber optic cables that make up the backbone of the world’s communication network, among other sources, for processing. As of 2008, the surveillance system boasted approximately 150 field sites in the United States, Mexico, Brazil, United Kingdom, Spain, Russia, Nigeria, Somalia, Pakistan, Japan, Australia, as well as many other countries, consisting of over 700 servers.

These servers store “full-take data” at the collection sites — meaning that they captured all of the traffic collected — and, as of 2009, stored content for 3 to 5 days and metadata for 30 to 45 days. NSA documents indicate that tens of billions of records are stored in its database. “It is a fully distributed processing and query system that runs on machines around the world,” an NSA briefing on XKEYSCORE says. “At field sites, XKEYSCORE can run on multiple computers that gives it the ability to scale in both processing power and storage.”

XKEYSCORE also collects and processes Internet traffic from Americans, though NSA analysts are taught to avoid querying the system in ways that might result in spying on U.S. data. Experts and privacy activists, however, have long doubted that such exclusions are effective in preventing large amounts of American data from being swept up. One document The Intercept is publishing today suggests that FISA warrants have authorized “full-take” collection of traffic from at least some U.S. web forums.

The system is not limited to collecting web traffic. The 2013 document, “VoIP Configuration and Forwarding Read Me,” details how to forward VoIP data from XKEYSCORE into NUCLEON, NSA’s repository for voice intercepts, facsimile, video and “pre-released transcription.” At the time, it supported more than 8,000 users globally and was made up of 75 servers absorbing 700,000 voice, fax, video and tag files per day.

The reach and potency of XKEYSCORE as a surveillance instrument is astonishing. The Guardian report noted that NSA itself refers to the program as its “widest reaching” system. In February of this year, The Intercept reported that NSA and GCHQ hacked into the internal network of Gemalto, the world’s largest provider of cell phone SIM cards, in order to steal millions of encryption keys used to protect the privacy of cell phone communication. XKEYSCORE played a vital role in the spies’ hacking by providing government hackers access to the email accounts of Gemalto employees.

Numerous key NSA partners, including Canada, New Zealand and the U.K., have access to the mass surveillance databases of XKEYSCORE. In March, the New Zealand Herald, in partnership with The Intercept, revealed that the New Zealand government used XKEYSCORE to spy on candidates for the position of World Trade Organization director general and also members of the Solomon Islands government.

These newly published documents demonstrate that collected communications not only include emails, chats and web-browsing traffic, but also pictures, documents, voice calls, webcam photos, web searches, advertising analytics traffic, social media traffic, botnet traffic, logged keystrokes, computer network exploitation (CNE) targeting, intercepted username and password pairs, file uploads to online services, Skype sessions and more.

Bulk collection and population surveillance

XKEYSCORE allows for incredibly broad surveillance of people based on perceived patterns of suspicious behavior. It is possible, for instance, to query the system to show the activities of people based on their location, nationality and websites visited. For instance, one slide displays the search “germansinpakistn,” showing an analyst querying XKEYSCORE for all individuals in Pakistan visiting specific German language message boards.

As sites like Twitter and Facebook become increasingly significant in the world’s day-to-day communications (a Pew study shows that 71 percent of online adults in the U.S. use Facebook), they become a critical source of surveillance data. Traffic from popular social media sites is described as “a great starting point” for tracking individuals, according to an XKEYSCORE presentation titled “Tracking Targets on Online Social Networks.”

When intelligence agencies collect massive amounts of Internet traffic all over the world, they face the challenge of making sense of that data. The vast quantities collected make it difficult to connect the stored traffic to specific individuals.

Internet companies have also encountered this problem and have solved it by tracking their users with identifiers that are unique to each individual, often in the form of browser cookies. Cookies are small pieces of data that websites store in visitors’ browsers. They are used for a variety of purposes, including authenticating users (cookies make it possible to log in to websites), storing preferences, and uniquely tracking individuals even if they’re using the same IP address as many other people. Websites also embed code used by third-party services to collect analytics or host ads, which also use cookies to track users. According to one slide, “Almost all websites have cookies enabled.”

The NSA’s ability to piggyback off of private companies’ tracking of their own users is a vital instrument that allows the agency to trace the data it collects to individual users. It makes no difference if visitors switch to public Wi-Fi networks or connect to VPNs to change their IP addresses: the tracking cookie will follow them around as long as they are using the same web browser and fail to clear their cookies.

Apps that run on tablets and smartphones also use analytics services that uniquely track users. Almost every time a user sees an advertisement (in an app or in a web browser), the ad network is tracking users in the same way. A secret GCHQ and CSE program called BADASS, which is similar to XKEYSCORE but with a much narrower scope, mines as much valuable information from leaky smartphone apps as possible, including unique tracking identifiers that app developers use to track their own users. In May of this year, CBC, in partnership with The Intercept, revealed that XKEYSCORE was used to track smartphone connections to the app marketplaces run by Samsung and Google. Surveillance agency analysts also use other types of traffic data that gets scooped into XKEYSCORE to track people, such as Windows crash reports.

In a statement to The Intercept, the NSA reiterated its position that such sweeping surveillance capabilities are needed to fight the War on Terror:

“The U.S. Government calls on its intelligence agencies to protect the United States, its citizens, and its allies from a wide array of serious threats. These threats include terrorist plots from al-Qaeda, ISIL, and others; the proliferation of weapons of mass destruction; foreign aggression against the United States and our allies; and international criminal organizations.”

Indeed, one of the specific examples of XKEYSCORE applications given in the documents is spying on Shaykh Atiyatallah, an al Qaeda senior leader and Osama bin Laden confidant. A few years before his death, Atiyatallah did what many people have often done: He googled himself. He searched his various aliases, an associate and the name of his book. As he did so, all of that information was captured by XKEYSCORE.

XKEYSCORE has, however, also been used to spy on non-terrorist targets. The April 18, 2013 issue of the internal NSA publication Special Source Operations Weekly boasts that analysts were successful in using XKEYSCORE to obtain U.N. Secretary General Ban Ki-moon’s talking points prior to a meeting with President Obama.

XKEYSCORE for hacking: Easily collecting user names, passwords and much more

XKEYSCORE plays a central role in how the U.S. government and its surveillance allies hack computer networks around the world. One top-secret 2009 NSA document describes how the system is used by the NSA to gather information for the Office of Tailored Access Operations, an NSA division responsible for Computer Network Exploitation (CNE) — i.e., targeted hacking.

Particularly in 2009, the hacking tactics enabled by XKEYSCORE would have yielded significant returns as use of encryption was less widespread than today. Jonathan Brossard, a security researcher and the CEO of Toucan Systems, told The Intercept: “Anyone could be trained to do this in less than one day: they simply enter the name of the server they want to hack into XKEYSCORE, type enter, and are presented login and password pairs to connect to this machine. Done. Finito.” Previous reporting by The Intercept revealed that systems administrators are a popular target of the NSA. “Who better to target than the person that already has the ‘keys to the kingdom?’” read a 2012 post on an internal NSA discussion board.

This system enables analysts to access web mail servers with remarkable ease.

The same methods are used to steal the credentials — user names and passwords — of individual users of message boards.

Hacker forums are also monitored for people selling or using exploits and other hacking tools. While the NSA is clearly monitoring to understand the capabilities developed by its adversaries, it is also monitoring locations where such capabilities can be purchased.

Other information gained via XKEYSCORE facilitates the remote exploitation of target computers. By extracting browser fingerprint and operating system versions from Internet traffic, the system allows analysts to quickly assess the exploitability of a target. Brossard, the security researcher, said that “NSA has built an impressively complete set of automated hacking tools for their analysts to use.”

Given the breadth of information collected by XKEYSCORE, accessing and exploiting a target’s online activity is a matter of a few mouse clicks. Brossard explains: “The amount of work an analyst has to perform to actually break into remote computers over the Internet seems ridiculously reduced — we are talking minutes, if not seconds. Simple. As easy as typing a few words in Google.”

These facts bolster one of Snowden’s most controversial statements, made in his first video interview published by The Guardian on June 9, 2013. “I, sitting at my desk,” said Snowden, could “wiretap anyone, from you or your accountant, to a federal judge to even the president, if I had a personal email.”

Indeed, training documents for XKEYSCORE repeatedly highlight how user-friendly the program is: with just a few clicks, any analyst with access to it can conduct sweeping searches simply by entering a person’s email address, telephone number, name or other identifying data. There is no indication in the documents reviewed that prior approval is needed for specific searches.

In addition to login credentials and other target intelligence, XKEYSCORE collects router configuration information, which it shares with Tailored Access Operations. The office is able to exploit routers and then feed the traffic traveling through those routers into their collection infrastructure. This allows the NSA to spy on traffic from otherwise out-of-reach networks. XKEYSCORE documents reference router configurations, and a document previously published by Der Spiegel shows that “active implants” can be used to “cop[y] traffic and direc[t]” it past a passive collector.

XKEYSCORE for counterintelligence

Beyond enabling the collection, categorization, and querying of metadata and content, XKEYSCORE has also been used to monitor the surveillance and hacking actions of foreign nation states and to gather the fruits of their hacking. The Intercept previously reported that NSA and its allies spy on hackers in order to collect what they collect.

Once the hacking tools and techniques of a foreign entity (for instance, South Korea) are identified, analysts can then extract the country’s espionage targets from XKEYSCORE, and gather information that the foreign power has managed to steal.

Monitoring of foreign state hackers could allow the NSA to gather techniques and tools used by foreign actors, including knowledge of zero-day exploits—software bugs that allow attackers to hack into systems, and that not even the software vendor knows about—and implants. Additionally, by monitoring vulnerability reports sent to vendors such as Kaspersky, the agency could learn when exploits they were actively using need to be retired because they’ve been discovered by a third party.

Seizure v. searching: Oversight, audit trail and the Fourth Amendment

By the nature of how it sweeps up information, XKEYSCORE gathers communications of Americans, despite the Fourth Amendment protection against “unreasonable search and seizure” — including searching data without a warrant. The NSA says it does not target U.S. citizens’ communications without a warrant, but acknowledges that it “incidentally” collects and reads some of it without one, minimizing the information that is retained or shared.

But that interpretation of the law is dubious at best.

XKEYSCORE training documents say that the “burden is on user/auditor to comply with USSID-18 or other rules,” apparently including the British Human Rights Act (HRA), which protects the rights of U.K. citizens. U.S. Signals Intelligence Directive 18 (USSID 18) is the American directive that governs “U.S. person minimization.”

Kurt Opsahl, the Electronic Frontier Foundation’s general counsel, describes USSID 18 as “an attempt by the intelligence community to comply with the Fourth Amendment. But it doesn’t come from a court, it comes from the executive.”

If, for instance, an analyst searched XKEYSCORE for all iPhone users, this query would violate USSID 18 due to the inevitable American iPhone users that would be grabbed without a warrant, as the NSA’s own training materials make clear.

Opsahl believes that analysts are not prevented by technical means from making queries that violate USSID 18. “The document discusses whether auditors will be happy or unhappy. This indicates that compliance will be achieved by after-the-fact auditing, not by preventing the search.”

Screenshots of the XKEYSCORE web-based user interface included in slides show that analysts see a prominent warning message: “This system is audited for USSID 18 and Human Rights Act compliance.” When analysts log in to the system, they see a more detailed message warning that “an audit trail has been established and will be searched” in response to HRA complaints, and as part of the USSID 18 and USSID 9 audit process.

Because the XKEYSCORE system does not appear to prevent analysts from making queries that would be in violation of these rules, Opsahl concludes that “there’s a tremendous amount of power being placed in the hands of analysts.” And while those analysts may be subject to audits, “at least in the short term they can still obtain information that they shouldn’t have.”

During a symposium in January 2015 hosted at Harvard University, Edward Snowden, who spoke via video call, said that NSA analysts are “completely free from any meaningful oversight.” Speaking about the people who audit NSA systems like XKEYSCORE for USSID 18 compliance, he said, “The majority of the people who are doing the auditing are the friends of the analysts. They work in the same office. They’re not full-time auditors, they’re guys who have other duties assigned. There are a few traveling auditors who go around and look at the things that are out there, but really it’s not robust.”

In a statement to The Intercept, the NSA said:

“The National Security Agency’s foreign intelligence operations are 1) authorized by law; 2) subject to multiple layers of stringent internal and external oversight; and 3) conducted in a manner that is designed to protect privacy and civil liberties. As provided for by Presidential Policy Directive 28 (PPD-28), all persons, regardless of their nationality, have legitimate privacy interests in the handling of their personal information. NSA goes to great lengths to narrowly tailor and focus its signals intelligence operations on the collection of communications that are most likely to contain foreign intelligence or counterintelligence information.”

XKeyscore: NSA tool collects ‘nearly everything a user does on the internet’

• XKeyscore gives ‘widest-reaching’ collection of online data
• NSA analysts require no prior authorization for searches
• Sweeps up emails, social media activity and browsing history

• NSA-backdoored equipment info found OFF this website
• U.S. Government Catalogue of Cellphone Surveillance Devices
• Backdoors on Wikipedia
• National Security Agency
• Central Intelligence Agency
• NSA EXTRACTED INFO
• CRYPTO MUSEUM
• Edward Snowden
• Stingray
• Pegasus Spyware
• X-Keyscore

Check out our article on the NSA SPYING SOFTWARE for CELL PHONES called Pegasus – Pegasus spyware: FBI vows not to use after grilling from Capitol Hill

During a celebration inside the Capital One Arena with supporters, Trump signed an executive order to withdraw the United States from the Paris Climate Agreement.

Trump went on to declare a national emergency on the Southern Border while designating criminal cartels as terror groups.

He also signed an executive order to bring an end to birthright citizenship for children born to undocumented parents.

After stepping back into the Oval Office, the 47th president pardoned more than 1,500 people who were charged with storming the US Capitol on January 6, 2021.

That included commuting the sentences of those convicted.

Among the other orders President Trump signed on Monday was the renaming of the Gulf of Mexico to the Gulf of America.

Trump also signed an executive order to delay the ban on TikTok for 75 days.

The ban on the social media app went into effect on Sunday and TikTok went dark for several hours Saturday night.

You can find the full list of executive orders signed by President Trump during his first day in office, below:

– Reinstating the name Mount McKinley

– Renaming Gulf of Mexico to Gulf of America

– Designating Cartels as foreign terrorist organizations

– Ending diversity, inclusion, and equity hiring in the federal government

– Temporary withdrawal of all areas on the Outer Continental Shelf from Offshore Wind Leasing\

– Revocation of any active or current security clearances held by the former intelligence officials involved with “inappropriate political coordination with the 2020 Biden presidential campaign” and John R. Bolton

– Granting pardons for January 6 rioters

– Reevaluating United States foreign aid

– Declaring a national energy emergency

– Restoring accountability for career senior executives

– Promoting beautiful federal civic architecture

– Restoring the death penalty in the US

– Routing more water from the Sacramento-San Joaquin Delta to other parts of California

– Securing the United State’s borders

– United States citizenship does not automatically extend to those born in the United States

– Realignment of the U.S. Refugee Admissions Program

– Unleashing America’s affordable and reliable energy and natural resources

– Clarifying the military’s role in protecting the US borders

– ‘America First’ trade policy that benefits American workers, manufacturers, farmers, ranchers, entrepreneurs, and businesses

– Resolving the backlog of security clearances for Executive Office of the President

– Restoring accountability to policy-influence positions within the federal workforce

– Withdrawing the US from the World Health Organization

– Delaying TikTok ban for 75 days

– Putting America First in international environmental agreements

– Deliver emergency price relief to the American people

– Hiring freeze for federal civilian employees (does not apply to military personnel of the armed forces or to positions related to immigration enforcement, national security, or public safety)

– Regulatory freeze pending review

– Restoring freedom of speech and ending federal censorship

– Recissions of dozens of executive orders and actions from Biden administration

– Ending diversity, equity, and inclusion (DEI) programs in the federal government

– Only two sexes, male and female, to be recognized by the federal government

– Department of Government Efficiency to implement the president’s DOGE Agenda

– Putting America and its interests first in foreign policy

– Protecting US citizens from terrorist attacks and threats

– Tapping into the vast natural resources, energy, and seafood in Alaska

– Ensuring the federal government carries out United State’s immigration laws

– Pulling the US from the Paris Agreement

– Declaring a National Emergency at the Southern Border of the United States

– Pulling the US out of the global corporate tax deal secured by Biden

– Organization of the National Security Council and subcommittees

source

Trump signs executive actions on Jan. 6, TikTok, immigration and more

President Trump on Monday signed a flurry of executive orders, memorandums and proclamations after his inauguration, reversing many of his predecessors’ policies and reinstating actions from his first term in office.

He signed the first batch in front of a packed crowd at Capital One Arena, drawing cheers, before then moving to the Oval Office to sign more.

Trump and his officials also signaled a slew of other executive actions to come soon, ranging from campaign priorities like border security to culture war issues like DEI policies.

Here are some of the key orders either signed or signaled on Monday.

Trump issued pardons Monday for some 1,500 defendants who participated in the siege on the U.S. Capitol four years ago, wiping away scores of convictions for people who helped delay the certification of the 2020 election and upend the peaceful transfer of power. Those pardoned include rioters convicted of violence against police.

Designating criminal cartels as terrorists: This order defines drug cartels as foreign terrorist organizations, in order to expedite the removal of members of groups like Tren de Aragua, a transnational criminal organization from Venezuela, and MS-13.

Suspending refugee resettlement: Trump signed an order suspending the U.S. Refugee Admissions Program.

Ending birthright citizenship: Trump signed an order that would end birthright citizenship for children born in the United States to parents without legal status. The order argues that the 14th Amendment, which enshrines birthright citizenship, does not extend to individuals who are born in the country but not “subject to the jurisdiction thereof.”

This action has already seen legal challenges.

Enhance vetting and screening: This order instructs federal agencies to “vet and screen to the maximum degree possible all aliens who intend to be admitted, enter, or are already inside the United States, particularly those aliens coming from regions or nations with identified security risks.”

“Protect American citizens against invasion”: This order instructs federal agencies to use “all lawful means to ensure the faithful execution of the immigration laws of the United States against all inadmissible and removable aliens.”

Restore the death penalty

Trump signed an order reinstating the federal death penalty, instructing the attorney general to “pursue the death penalty for all crimes of a severity demanding its use.” In particular, it calls for the death penalty to be sought in all cases involving the murder of a law enforcement officer, and all capital crimes committed by immigrants without legal status.

“Weaponization of government”

Trump signed an order “ending the weaponization of the federal government.”

Trump and his allies have long claimed that the Justice Department under Biden was weaponized against him, citing the various legal cases against him, and other conservatives.

DOJ prosecutors wound down the two federal criminal cases against Trump after he won the 2024 election, following longstanding department precedent. In a report on the government’s election interference case released last week, special counsel Jack Smith said the evidence against Trump would have led to his conviction at trial — if not for his election victory that led to charges being dropped.

Throughout the 2024 campaign, Trump pledged to punish, prosecute or jail his political enemies. Trump has repeatedly indicated that he would use federal law enforcement as part of a campaign to exact “retribution.”

Federal workforce

Trump signed a “freeze on all federal hiring, excepting the military and a number of other excluded categories.” At Capital One Arena, Trump told his supporters the temporary pause would “ensure that we’re only hiring competent people who are faithful to the American public.”

He also signed an order requiring federal workers to return to the office in person, and a “regulatory freeze” preventing the creation of new federal regulations.

Withdrawing from the Paris Climate Accord

Trump signed an order titled, “Putting America first in international environmental agreements,” which included withdrawing from the Paris Climate Accord.

Trump previously withdrew from the Paris accords during his first term, but Biden rejoined the agreement in 2021.

Energy and climate

Trump intends to declare a national energy emergency, aiming to cut red tape and regulations for the energy industry, and a second one specific to Alaskan resources, an incoming White House official told reporters on a background conference call.

“That national energy emergency will unlock a variety of different authorities that will enable our nation to quickly build again, to produce coal and natural resources, to create jobs, to create prosperity and to strengthen our nation’s national security,” the official said. The official said energy prices are too high, but declined on the call to name a lower target price.

The action will end what incoming Trump officials call the “electric vehicle mandate” and will end “efforts to curtail consumer choice on the things that consumers use every single day, whether it be showerheads, whether it be gas stoves, whether it be dishwashers and the like,” the official said.

Trump has long railed against energy efficiency standards on the campaign trail, and specifically taken aim at “electric vehicle mandates,” a term he uses to encompass all policies designed to encourage a transition to battery-powered cars. Rules actually requiring 100% of vehicles to be electric do not exist on the federal level.\

Defining ‘sex’ and ending DEI programs

Trump signed an executive action Monday night dealing with gender identity. The details weren’t immediately made public; however, an incoming White House official speaking on background had told reporters earlier in the day that an order would make it the policy of the United States to recognize two biologically distinct sexes — male and female.

“These are sexes that are not changeable, and they are grounded in fundamental and incontrovertible reality,” the official said.

The change will require government agencies to use the definitions on documents like passports, visas and employee records the official said. Taxpayer funds will not be allowed to be used for “transition services,” the official said.

A second action will end diversity, equity and inclusion programs in the federal government, the official said, giving as examples environmental justice programs in the U.S. Department of Agriculture, as well as diversity training. source

A running list of Trump’s planned executive orders, actions, proclamations and legislation

Donald Trump is promising a “golden age of America” in his second term, and he’s issuing a raft of executive orders to try and make it happen.

The president signed a slew of orders and directives that aim to end birthright citizenship and crack down on illegal crossings at the southern border, increase domestic energy production and transform a federal government he views as both too bloated and too “woke.”

     By the authority vested in me as President by the Constitution and the laws of the United States of America, and section 301 of title 3, United States Code, it is hereby ordered as follows:

     Section 1.  Purpose.  The First Amendment to the United States Constitution, an amendment essential to the success of our Republic, enshrines the right of the American people to speak freely in the public square without Government interference.  Over the last 4 years, the previous administration trampled free speech rights by censoring Americans’ speech on online platforms, often by exerting substantial coercive pressure on third parties, such as social media companies, to moderate, deplatform, or otherwise suppress speech that the Federal Government did not approve.  Under the guise of combatting “misinformation,” “disinformation,” and “malinformation,” the Federal Government infringed on the constitutionally protected speech rights of American citizens across the United States in a manner that advanced the Government’s preferred narrative about significant matters of public debate.  Government censorship of speech is intolerable in a free society.

Sec. 2.  Policy.  It is the policy of the United States to:       (a)  secure the right of the American people to engage in constitutionally protected speech;

(b)  ensure that no Federal Government officer, employee, or agent engages in or facilitates any conduct that would unconstitutionally abridge the free speech of any American citizen;

(c)  ensure that no taxpayer resources are used to engage in or facilitate any conduct that would unconstitutionally abridge the free speech of any American citizen; and

(d)  identify and take appropriate action to correct past misconduct by the Federal Government related to censorship of protected speech.

Sec. 3.  Ending Censorship of Protected Speech.  (a)  No Federal department, agency, entity, officer, employee, or agent may act or use any Federal resources in a manner contrary to section 2 of this order.

(b)  The Attorney General, in consultation with the heads of executive departments and agencies, shall investigate the activities of the Federal Government over the last 4 years that are inconsistent with the purposes and policies of this order and prepare a report to be submitted to the President, through the Deputy Chief of Staff for Policy, with recommendations for appropriate remedial actions to be taken based on the findings of the report.

Sec. 4.  General Provisions.  (a)  Nothing in this order shall be construed to impair or otherwise affect:

(i)   the authority granted by law to an executive department or agency, or the head thereof; or

(ii)   the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals.

(b)  This order shall be implemented consistent with applicable law and subject to the availability of appropriations.

(c)  This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

THE WHITE HOUSE,

    January 20, 2025. source

Advanced Network Technologies (ANT) is a department of the US National Security Agency (NSA), that provides tools for the NSA‘s Tailored Access Operations (TAO) ¹ unit and other internal and external clients. With the tools it is possible to eavesdrop on conversations (room bugging), personal computers, networks, video displays, and a lot more, using covertly installed hard- and software implants (covert ware). Most of it is built from commercial off-the-shelf parts (COTS).

Some of these products are listed in the ANT Product Catalogue, an internal NSA document that was intended for the US intelligence and law-enforcement community, and that was disclosed to the press on 29 December 2013 by an unknown source. It is believed that this source is not NSA whistleblower Edward Swowden, which means there is at least one other whistleblower [3][5].

➤ Browse the NSA ANT catalog Here

LOUDAUTO is the codename or cryptonym of a covert listening device (bug), developed around 2007 by the US National Security Agency (NSA) as part of their ANT product portfolio. The device is an audio-based RF retro reflector that should be activited (illuminated) by a strong continuous wave (CW) 1 GHz ¹ radio frequency (RF) signal, beamed at it from a nearby listening post (LP).

Although the device is activated by an external illumination signal, it should also be powered by local 3V DC source – typically provided by two button cells – from which it draws just 15µA. In this respect, it is a semi-passive element (SPE).

Room audio is picked up and amplified by a Knowles miniature microphone, that modulates the re-radiated illumination signal by means of Pulse Position Modulation (PPM). The re-emitted signal is received at the listening post – typically by a CTX-4000 or PHOTOANGLO system – and further processed by means of COTS equipment.

LOUDAUTO is part of the ANGRYNEIGHBOR family of radar retro-reflectors. In this context, the term radar refers to the continuous wave activation beam from the listening post, that operates in the 1-2 GHz frequency band. The processing and demodulation of the returned signal is typically done by means of a commercial spectrum analyser, such as the Rohde & Schwarz FSH-series, that has been enhanced with FM demodulating capabilities. In many respects, LOUDAUTO can be seen as a further development of the CIA‘s EASY CHAIR passive elements, combined with later active bugging devices, like the SRT-52 and SRT-56, which also used Pulse Position Modulation (PPM).

Information about LOUDAUTO was first published in an internal Top Secret (TS) NSA document on 1 August 2007, that was available to the so-called five eyes countries (FVEY) ² only. Although it was scheduled for declassification on 1 August 2032 (25 years after its inception), it was revealed to the public on 29 December 2013 by the German magazine Der Spiegel. The source of this leak is still unknown. ³ According to a product datasheet of 7 April 2009, the price of a single LOUDAUTO device was just US$ 30. According to that document, the end processing — presumably the demodulation — was still under development in 2009 [1].

FiREWALK

FIREWALK is the codename or cryptonym of a covert implant, developed around 2007 by or on behalf of the US National Security Agency (NSA) as part of their ANT product portfolio. The device is implanted into the RJ45 socket of the Ethernet interface of a PC or a network peripheral, and can intercept bidirectional gigabit ethernet traffic and inject data packets into the target network.

The implant is housed inside a regular stacked RJ45/twin-USB socket, such as the one shown in the image on the right. At the top are two LEDs and inside are the ethernet transformer and in some cases even an Ethernet Phy (eg. Broadcom).

NSA was able to manipulate this standard off-the-shelf computer part – probably somewhere in the supply chain or directly at the factory where the product was assembled – and replace the internal electronics by a miniature ARM9 / FPGA computer platform, named TRINITY [2].

Also implanted inside the socket, is a miniature wideband radio frequency (RF) tranceiver, named HOWLERMONKEY. It allows the implant to bypass an existing firewall or air gap protection [3].

The implant is suitable for 10/100/1000 Mb (gigabit) networks and intercepts all network traffic, with is then sent through a VPN tunnel, using the HOWLERMONKEY RF module. If the distance between the target network and the node to the Remote Operations Center (ROC) is too large, other implants in the same building may be used to relay the signal. The implant can also be used to insert data packets into the target network. The diagram below shows the construction.

At the left are the RJ45 and twin-USB sockets, with two LED indicators at the top. Immediately behind the sockets is a PCB with the power circuitry. At the back is the actual NSA FIREWALK implant, which is built around a TRINITY multi-chip module, consisting of an 180 MHz ARM9 microcontroller, an FPGA with 1 million gates, 96 MB SDRAM and 4 MB Flash memory. The latter contains the firmware, which can be tailored for a specific application or operation. In practice, the firmware would filter the network packets and relay the desired ones to the NSA’s ROC, using a nearby RF node (outside the building) and the internet to transport the intercepted data [1].

The above information was taken from original NSA datasheets from January 2007, that were disclosed to the press in 2013 by former CIA / NSA contractor Edward Snowden. The items were developed by, or on behalf of, the cyber-warfare intelligence-gathering unit of the NSA, known as The Office of Tailored Access Operations (TAO), since renamed Computer Network Operations [4].

Cryptonyms

All products in the ANT catalogue are identified by a codeword or cryptonym, which is sometimes abbreviated. At present, the following ANT cryptonyms are known:

NSA Spy Gear

• ANGRYNEIGHBOR
• CANDYGRAM
• CROSSBEAM
• CTX4000
• CYCLONE Hx9
• DEITYBOUNCE
• DROPOUTJEEP
• EBSR
• ENTOURAGE
• FEEDTROUGH
• GENESIS
• GINSU
• GODSURGE
• GOPHERSET
• COTTONMOUTH-I
• COTTONMOUTH-II
• COTTONMOUTH-III

• FIREWALK
• GOURMETTROUGH
• HALLUXWATER
• HEADWATER
• HOWLERMONKEY
• IRATEMONK
• IRONCHEF
• JETPLOW
• JUNIORMINT
• LOUDAUTO
• MAESTRO-II
• MONKEYCALENDAR
• NEBULA
• NIGHTSTAND
• NIGHTWATCH
• PHOTOANGLO
• PICASSO

• RAGEMASTER
• SCHOOLMONTANA
• SIERRAMONTANA
• SOMBERKNAVE
• SOUFFLETROUGH
• SPARROW II
• STUCCOMONTANA
• SURLYSPAWN
• SWAP
• TOTECHASER
• TOTEGHOSTLY
• TAWDRYYARD
• TRINITY
• TYPHON HX
• WATERWITCH
• WISTFULTOLL

Room surveillance

• CTX-4000
• LOUDAUTO
• NIGHTWATCH
• PHOTOANGLO
• TAWDRYYARD

Documentation

1. NSA, ANT Product catalog
   8 January 2007. Obtained from [2].

References

1. IC off the Record, The NSA Toolbox: ANT Product Catalog
   29-30 December 2013.
2. Jacob Appelbaum, Judith Horchert, Christian Stöcker, Catalogue Advertises NSA Toolbox
   Spiegel Online. 29 December 2013.
3. Wikipedia, NSA ANT catalog
   Retrieved November 2020.
4. Wikipedia, Tailored Access Operations
   Retrieved November 2020.
5. James Bamford, Commentary: Evidence points to another Snowden at the NSA
   Reuters, 22 August 2016.

Further information

• About the NSA
• About the CIA
• Other bugs

source

Backdoors – Exploitable weaknesses in a cipher system

Deliberate weakening of a cipher system, commonly known as a backdoor, is a technique that is used by, or on behalf of, intelligence agencies like the US National Security Agency (NSA) – and others – to make it easier for them to break the cipher and access the data. It is often thought that intelligence services have a Master Key that gives them instant access to the data, but in reality it is often much more complicated, and requires the use of sophisticated computing skills.

In the past, intelligence services like the NSA weakened the ciphers just enough to allow it to be barely broken with the computing power that was available to them (e.g. by using their vast array of Cray super computers), assuming that other parties did not have that capability. Implementing a backdoor is difficult and dangerous, as it might be discovered by the user — after which it can no longer be used — or by another party, in which case it can be exploited by an adversary.

Below is a non-exhaustive overview of known backdoor constructions and examples:

• Weakening of the encryption algorithm
• Weakening the KEY
• Hiding the KEY in the cipher text
• Manipulation of user instructions (manual)
• Key generator with predictive output
• Implementation of a hidden ‘unlock’ key (master key)
• Key escrow
• Side channel attack (TEMPEST)
• Unintended backdoors
• Covertly installed hard- and/or software (spyware)

Weakening of the algorithm

One of the most widely used types of backdoor, is weakening of the algorithm. This was done with mechanical cipher machines – such as the CX-52 – electronic ones – such as the H-460 – and software-based encryption. NSA often weakened the algorithm just enough to break it with the help from a super computer (e.g. Cray), assuming that adversaries did not have that capacity.

This solution is universal. It can be applied to mechanical, electronic and computer-based encryption systems. One of the first known examples is the weakening of the Hagelin CX-52 by Peter Jenks of the NSA, in the early 1960s [1].

The Hagelin CX-52 had the problem that it was theoretically safe when used correctly. It was possible however to configure the device in such a way that it produced a short cycle, as a result of which it became easy to break. Jenks modified the CX-52 in such a way that it always produced a long cycle, albeit one that he could predict.

The modified product was designated CX-52M and was marketed by Crypto AG as a new version with improved security, which customers immediately started ordering in quantities. He repeated the exercise in the mid-1960s, when Crypto AG moved from mechanical to electronic designs.

The first electronic cipher machines were built around (non)linear feedback shift registers – LFSR or NLFSR – built with the (then) newest generation of integrated circuits (ICs). This part is commonly known as the crypto heart or the cryptologic. Jenks manipulated the shift registers in such as way that it seemed robust from the outside. Nevertheless NSA could break it, as they knew the exact nature of the built-in weakness.

Manipulating the cryptologic, or actually the cryptographic algorithm, requires quite some mathematical ingenuity, and is not trivial at all.

During the 1970s, the weaknesses were discovered by several (unwitting) Crypto AG employees and even by customers. Crypto AG usually fended them off with the excuse that the algorithm had been developed a long time ago, and that an improved version would be released soon. It should be no surprise that hiding the weaknesses became increasingly difficult over the years.

The same principle can be applied to software-implementations of cryptographic algorithms as well, but it has become extremely difficult to do that in such a way that it passes existing tests, such as NIST entropy-tests, and can with­stand the peer review of the academic community.

Another popular method for weakening a cipher system, is by shortening the effective length of the crypto KEY. The length is typically specified in bits, and in the 1980s, the keys of military cipher systems were typically 128 bits long, which was about twice the length that was needed.

The DES encryption algorithm – that was used for bank transactions – had a key length of 56 bits. It had been developed by Horst Feistel at IBM as Lucifer and had been improved by NSA.

In 1983, the small Dutch company Text Lite, introduced the small PX-1000 pocket terminal shown in the image on the right. It had a built-in text editor and an acoustic modem, by which texts could be uploaded in seconds. The device used DES encryption for the protection of the text messages, which was thought to be useful for journalists and business men on the move.

DES was considered secure at the time. Although it might have been breakable by NSA, doing so would cost a lot of resources (i.e. computing power). With DES available in a consumer product for an affordable price, NSA faced a serious problem, and turned to Philips Usfa

for assistence.Philips bought the entire stock of

DES-enabled devices and shipped it to the US. The product was then re-released under the Philips brand, with an algorithm that was supplied by NSA.

The new algorithm was a stream cipher with a key-length of no less than 64 bits. This is more than the 56 bits of DES, and suggested that it was a least a strong as DES, and probably even stronger. By reverse engineering the algorithm, Crypto Museum has meanwhile concluded that of the 64 key bits, only 32 are significant. This means that the key has effectively been halved.

Does this mean that it takes only half the time to break the key? No, as each key-bit doubles the number of combinations, removing 32 bits means that it has become 4,294,967,296 times easier to break the key (2³²). For example: if we assume that it takes one full year to break a 64-bit key, breaking a 32-bit key would take just 0.007 seconds. A piece of cake for NSA‘s super computers.

Hide the KEY in the ciphertext

It is sometimes suggested that the cryptographic key might be hidden in the output stream (i.e. in the cipher text). Not in a readable form, of course, but when you known where to look, the key will reveal itself. Although this method is prone to discovery it has in fact been used in the past.

A good example of this technique is the Hagelin CSE-280 voice encryptor, that was introduced by Crypto AG in the early 1970s. The product had been developed in cooperation with the German cipher authority ZfCh (part of the BND), and used forward synchro­nisation, to allow late entry sync.

The key was hidden in the preample that was inserted at the beginning of each transmission. If one knew where to look, the entire key could be reconstructed. A few years after the device had been introduced, Crypto AG‘s chief developer Peter Frutiger suddenly realised how it was done.

It was only a matter of time before customers would discover it too. In 1976, the Syrians became aware of the (badly hidden) key in the preamble, and notified Crypto AG, where Frutiger provided them with a fix that made it instantly unbreakable. NSA was furious and Frutiger got fired for this.

The exploit was based on redundancy in the enciphered message preamble. It caused a bias which was an unnecessary shortcoming by design. It involved solving a set of binary equasions, an exponentially large number of times, for which the special purpose device was developed.More bout Aroflex
Rigging the manualIn some cases, the cipher can be weakened by manipulating the manual. This was done for example with the manuals of the Hagelin CX-52 machine. Although the CX-52 was in theory a virtually unbreakable machine, it could be set up accidentally in such a way, that it produced a short cycle (period), which was easy to break.By manipulating the manual, guidelines were given for ‘proper’ use of the machine, but in reality the user was instructed to configure the machine in such a way that it generated a short cycle, which was easy to break by the NSA.

Another example of hiding hints in the output stream, is the T-1000/CA, internally known as Beroflex, that was the civil version of the NATO-approved Aroflex, a joint development of Philips and Siemens. It was based on a T-1000 telex.

Whilst the Aroflex was highly secure, Beroflex (T-1000/CA) was not. With the right means and the right knowledge, it could be broken. This was not a trivial task however, and required the use of a special purpose device – a super chip – that had been co-developed by experts at the codebreaking division of the Royal Dutch Navy.

Key generator with predictive outputMany encryption systems, old and new alike, make use of KEY-generators – commonly pseudo random number generators, or PRNGs – for example for the generation of unique message keys, for generating private and public keys, and for generating the key stream in a stream cipher.By manipulating the key generator, it is theoretically possible to generate predictable keys, weak keys or predicatable cycles. Examples are the mechanical key generator of the Hagelin CX-52M, but also the software-based random number generators (RNGs) in modern software algorithms.Creating this kind of weaknesses is neither simple nor trivial, as the weakened key generator has to withstand a variety of existing entropy tests, including the ones published by the US National Institute of Standards and Technology (NIST). Nevertheless, various (potential) backdoors based on weakened PRNGs have been reported in the press, some of which are attributed to the NSA.In December 2013, Reuters reported that documents released by Edward Snowden indicated that NSA had payed RSA Security US$ 10 million to make Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) the default in their encryption software. It had already been proven in 2007, that constants could be constructed in such a way as to create a kleptographic backdoor in the NIST-recommended Dual_EC_DRBG [3]. It had been deliberately inserted by NSA as part of its BULLRUN decryption program. NIST promptly withdrew Dual_EC_DRBG from its draft guidance [4].➤ Wikipedia: Random number generator attack
➤ Wikipedia: Dual_EC_DRBG
It is often thought by the general public, that intelligence agencies have something like a magic password, or master key, that gives them instant access to secure communications of a subject. Although in most cases the backdoor mechanism is far more complex, it is technically possible.An example of a possible master key, is the so-called_NSAKEY that was found in a Microsoft operating system in 1999. The variable contained a 1024-bit public key, that was similar to the cryptographic keys that are used for encryption and authentication. Although Microsoft firmly denied it, it was widely speculated that the key was there to give the NSA access to the system.There are however a few other possible explanations for the presence of this key — including a backup key, a key for installing NSA proprietary crypto suites, and incompetence on the part of Microsoft, NSA or both — all of which seem plausible. In addition, Dr. Nicko van Someren found a third – far more obscure – key in Windows 2000, which he doubted had a legitimate purpose [5].➤ Wikipedia: _NSAKEY
A good example of KEY ESCROW is the so-called Clipper Chip, that was introduced by the NSA in the early 1990s, in an attempt to control the use of strong encryption by the general public.It was the intention to use this chip in all civil encryption products, such as computers, secure telephones, etc., so that everyone would be able to use strong encryption. By forcing people to surrender their keys to the (US) government, law enforcement agencies had the ability to decrypt the communication, should that prove to be necessary during the course of an investigation.

Encryption systems are often attacked by adversaries, by exploiting information that is hidden in the so-called side channels. This is known as a side channel attack. In most cases, side channels are unintended, but they may have been inserted deliberately to give an eavesdropper a way in.Side channels are often unwanted emanations – such as radio frequency (RF) signals that are emitted by the equipment, or sound generated by a printer or a keyboard – but may also take the form of variations in power consumption (current) that occur when the device is in use (power analysis). In military jargon, unwanted emanations are commonly known as TEMPEST.An early example of a cryptographic device that exhibited exploitable TEMPEST problems, is the Philips Ecolex IV mixer shown in the image on the right, which was approved for use by NATO.As it was based on the One-Time Tape (OTT) principle, it was theoretically safe. However, in the mid-1960s, the Dutch national physics laboratory TNO, proved that minute glitches in the electric signals on the teleprinter data line, could be exploited to reconstruct the original plaintext. The problem was eventually soved by adding filters between the device and the teleprinter line.➤ Wikipedia: Side-channel attack <Unintended weaknessesBackdoors can also be based on unintentional weaknesses in the design of an encryption device. For example, the Enigma machine – used during WWII by the German Army – can not encode a This and other weaknesses greatly helped the codebreakers at Bletchley Park, and allowed the cipher to be broken throughout World War II.Unintended weaknesses were also present in the early mechanical cipher machines of Crypto AG (Hagelin), such as the C-36, M-209, C-446 and CX-52. Although they were theoretically strong, they could accidentally be setup in such a way that they produced a short cycle, which could be broken much more easily. Similar properties can be found in the first generations of electronic crypto devices that are based on shift-registers.

It had to be assumed that the (US) government could be trusted under all circumstances, and that sufficient mechanisms were in place to avoid unwarranted tapping and other abuse, which was heavily disputed by the Electronic Frontier Foundation (EFF) and other privacy organisations.

The device – which used the Skipjack algorithm – was not embraced by the public. In addition, it contained a serious flaw. In 1994, shortly after its introduction, (then) AT&T researcher Matt Blaze discovered the possibility to tamper the device in such a way that it offered strong encryption whilst disabling the escrow capability. And that was not what the US Government had in mind.

Cryptographic Key Escrow

The Clipper Chip was a cryptographic chipset developed and promoted by the US Government. It was intended for implementation in secure voice equipment, such as crypto phones, and required its users to surrender their cryptographic keys in escrow to the government. This would allow law enforcement agencies (CIA, FBI), to decrypt any traffic for surveillance and intelligence  purposes. The controversial Clipper Chip was announced in 1993 and was already defunct by 1996 [1].

The physical chip was designed by Mykotronx (USA) and manufactured by VLSI Technology Inc. (USA). The initial cost for an unprogrammed chip was $16 and a programmed one costed $26.

The image on the right shows the Mykotronx MYK78T chip as it is present inside the AT&T’s TSD-3600-E telephone encryptor. The chip is soldered directly to the board (i.e. not socketed) and was thought to be tamper-proof (see below). The AT&T TSD-3600 telephone encryptor was the first and only product that featured the ill-fated Clipper Chip before it was withdrawn.

in order to provide a level of protection against misuse of the key by law enforcement agencies, it was agreed that the Unit Key of each device with a clipper chip, would be held in escrow jointly by two federal agencies. This means that the actual Unit Key was split in two parts, each of which was given to one of the agencies. In order to reconstruct the actual Unit Key, the database of both agencies had to be accessed and the two half-Unit Keys had to be combined by bitwise XOR [3].

Skipjack Algorithm
The Clipper Chip used the Skipjack encryption algorithm for the transmission of information, and the Diffie-Hellman key exchange algorithm for the distribution of the cryptographic session keys between peers. Both algorithms are believed to provide good security.

The Skipjack algorithm was developed by the NSA and was classed an NSA Type 2 encryption product. The algorithm was initially classified as SECRET, so that it could not be examined in the usual manner by the encryption research community. After much debate, the Skipjack algorithm was finally declassified and published by the NSA on 24 June 1998 [2]. It uses an 80-bit key and a symmetric cipher algorithm, similar to DES.

Key Escrow
The heart of the concept was Key Escrow. Any device with a Clipper Chip inside (e.g. a crypto phone) would be assigned a cryptographic key, which would be given to the government in escrow. The user would then assume the government to be the so-called trusted third party. If government agencies “established their authority” to intercept a particular communication, the key would be given to that agency, so that all data transmitted by the subject could be decrypted.

The concept of Key Escrow raised much debate and became heavily disputed. The Electronic Frontier Foundation (EFF), established in 1990, preferred the term Key Surrender to stress what, according to them, was actually happening. Together with other public interest organizations, such as the Electronic Privacy Information Center, the EFF challenged the Clipper Chip proposal, saying that it would be illegal and also ineffective, as criminals wouldn’t use it anyway.

In response to the Clipper Chip initiative by the US Government, a number of very strong public encryption packages were released, such as Nautilus, PGP and PGPfone. It was thought that, if strong cryptography was widely available to the public, the government would be unable to stop its use. This approach appeared to be effective, causing the premature ‘death’ of the Clipper Chip, and with it the death of Key Escrow in general.

In 1993, AT&T Bell produced the first and only telephone encryptor based on the Clipper Chip: the TSD-3600. A year later, in 1994, Matt Blaze, a researcher at AT&T, published a major design flaw in the Escrowed Encryption System (EES). A malicious party could tamper the software and use the Clipper Chip as an encryption device, whilst disabling the key escrow capability.

When establishing a connection, the Clipper Chip transmits a 128-bit Law Enforcement Access Field (LEAF). The above diagram shows how the LEAF was established. The LEAF contained information needed by the intercepting agency to establish the encryption key.

To prevent the software from tampering with the LEAF, a 16-bit hash code was included. If the hash didn’t match, the Clipper Chip would not decrypt any messages. The 16-bit hash however, was too short to be safe, and a brute force attack would easily produce the same hash for a fake session key, thus not revealing the actual keys [3] . If a malicious user would tamper the device’s software in this way, law enforcement agencies would not be able to reproduce the actual session key. As a result, they would not be able to decrypt the traffic.

Interior

Since the Clipper-project has failed, we think it is safe to show you the contents of the chip. Although this is something we would not normally do, this one is too good to be missed. Below, Travis Goodspeed shows us how easy it is to open the package and reverse-engineer a chip [4]. Luckily, according to Kerckhoff’s principle, the secret is in the key and not in the device [5].

The black dots along the four edges are the connection pads of the chip. The image was publised on Travis’ photostream on Flickr and is reproduced here with his kind permission. Click the image for a hi-res version. Note that this is a large file (18MB) which may take some time to download.

In some cases, the safety doctrine that is intended to make the device more secure, actually makes the cipher weaker. For example: during WWII, the German cipher authority dictated that a particular cipher wheel should not be used in the same position on two successive days. Whilst this may seem like a good idea, it effectively reduces the maximum number of possible settings.

By far the most common of the unintended weaknesses is operator error, such as choosing a simple or easy to guess password, sending multiple messages on the same key, sending the same message on two different keys, etc. Here are some examples of unintended weaknesses

With a special key combination, the key logger can be turned in a USB memory stick, from which the logged data can be recovered by a malicious party. A more sophisticated example of covert hardware, is the addition of a (miniature) chip on the printed circuit board of an existing device. As many companies today have outsourced the production of their electronics, there is always a possibility that it might be maliciously modified by a foreign party. This is particularly the case with critical infrastructure like routers, switches and telecommunications backbone equipment. This problem is enhanced by the increasing complexity of modern computers, as a result of which virtually no one knows exactly how it works. A good example is the tiny computer that is hidden inside Intel’s AMT processors, and that has been actively exploited as a spying tool [6].

• Crypto Museum, Operation RUBICON
  February 2020.
• Wikipedia, Backdoor (computing)
  Retrieved February 2020
• Wikipedia, Random number generator attack
  Retrieved February 2020
• Wikipedia, Dual_EC_DRBG
  Retrieved February 2020
• Wikipedia, _NSAKEY
  Retrieved February 2020
• Wikipedia, Intel_Active Management Technology
  Retrieved November 2020.
• Adding a small chip to the board (can only be done during production process)
• Adding a regular component with a built-in chip ➤ e.g. NSA’s FIREWALK
• Tiny computer inside a regular processor ➤ e.g. Intel AMT
• External key logger (USB or PS2)
• Key logger (spy) software
• Computer viruses
• Supply chain attack
• Weak keys
• A letter can not encode into itself (Enigma)
• False security measures
• Operator mistakes
• Software bugs

Another way of getting surreptitious access to a computer system, such as a personal computer, is by covertly installing additional hardware or software that gives an adversary direct or indirect access to the system and its data. Spyware can be visible, but can also be completely invisible.

An example of a hidden-in-plain-sight device is a so-called key logger that can be installed between keyboard and computer. The image on the right shows two variants: one for USB (left) and one for the old PS-2 keyboard interface.

Items like these can easily be installed in an office – for example by the cleaning lady – and are hardly noticed in the tangle of wires below your desk. It registers every key stroke, complete with time/date stamp, including your passwords. If the cleaning lady removes it a few days later, you will never find out that it was ever installed.

Manipulated hardware can be used to eavesdrop on your data, but can also be used as part of a Distributed Denial of Service attack (DDoS), or to disrupt the critical infrastructure of a company or even an entire country. In many cases, such attacks are carried out by (foreign) state actors. Manipulation of hardware is also possible by adding a secret chip to a regular inconspicuous component. A good example is the FIREWALK implant of the US National Security Agency (NSA) that is hidden inside a regular RJ45 Ethernet socket of a computer. It is used by the NSA to spy behind firewalls and was disclosed by former CIA / NSA-contractor Edward Snowden in 2013.

This device is particularly dangerous as it can not be found with a visual inspection. Further­more, it transmits the intercepted data via radio waves and effectively bypasses all security.

Is this problem restricted to high-end (computing) devices? Certainly not. Most modern domestic appliances, such as smart thermomenters, smart meters, domotica and in particular devices for the Internet of Things (IoT), are badly built, contain badly written software and are rarely properly protected, as a result of which they are extremely vulnerable to manipulation (hacking).

source

• NSA-backdoored equipment info found OFF this website
• U.S. Government Catalogue of Cellphone Surveillance Devices
• Backdoors on Wikipedia
• National Security Agency
• Central Intelligence Agency
• NSA EXTRACTED INFO
• CRYPTO MUSEUM
• Edward Snowden
• Stingray
• Pegasus Spyware
• X-Keyscore

During the course of the investigation, while ANOM’s criminal users unknowingly promoted and communicated on a system operated lawfully by the FBI, agents catalogued more than 27 million messages between users around the world who had their criminal discussions reviewed, recorded, and translated by the FBI, until the platform was taken down yesterday.

The users, believing their ANOM devices were protected from law enforcement by the shield of impenetrable encryption, openly discussed narcotics concealment methods, shipments of narcotics, money laundering, and in some groups—violent threats, the indictment said. Some users negotiated drug deals via these encrypted messages and sent pictures of drugs, in one instance hundreds of kilograms of cocaine concealed in shipments of pineapples and bananas, and in another instance, in cans of tuna, in order to evade law enforcement.

The indictment charges 17 alleged distributors of the FBI’s devices and platform. They are charged with conspiring to violate the Racketeer Influenced and Corrupt Organizations Act (RICO), pertaining to their alleged involvement in marketing and distributing thousands of encrypted communication devices to transnational criminal organizations worldwide.

During the last 24 to 48 hours, in addition to the more than 500 arrests around the world, authorities searched more than 700 locations deploying more than 9,000 law enforcement officers worldwide and seized multi-ton quantities of illicit drugs.

CLICK HERE – Video Messages from International Partners

Grand totals for the entire investigation include 800 arrests; and seizures of more than 8 tons of cocaine; 22 tons of marijuana; 2 tons of methamphetamine/amphetamine; six tons of precursor chemicals; 250 firearms; and more than $48 million in various worldwide currencies. Dozens of public corruption cases have been initiated over the course of the investigation. And, during the course of the investigation, more than 50 clandestine drug labs have been dismantled. One of the labs hit yesterday was one of the largest clandestine labs in German history.

“This was an unprecedented operation in terms of its massive scale, innovative strategy and technological and investigative achievement,” said Acting U.S. Attorney Randy Grossman. “Hardened encrypted devices usually provide an impenetrable shield against law enforcement surveillance and detection. The supreme irony here is that the very devices that these criminals were using to hide from law enforcement were actually beacons for law enforcement. We aim to shatter any confidence in the hardened encrypted device industry with our indictment and announcement that this platform was run by the FBI.”

“Today marks the culmination of more than five years of innovative and complex investigative work strategically aimed to disrupt the encrypted communications space that caters to the criminal element,” said Suzanne Turner, Special Agent in Charge of the Federal Bureau of Investigation (FBI) – San Diego Field Office.  “The FBI has brought together a network of dedicated international law enforcement partners who are steadfast in combating the global threat of organized crime. The immense and unprecedented success of Operation Trojan Shield should be a warning to international criminal organizations  – your criminal communications may not be secure; and you can count on law enforcement worldwide working together to combat dangerous crime that crosses international borders.”

“Operation Trojan Shield is a perfect example of an OCDETF case – an investigation driven by intelligence and maximizing the strengths of partner law enforcement agencies in coordinated efforts to dismantle command and control elements of criminal networks,” said OCDETF Director Adam W. Cohen.  “Coordination is the cornerstone of the OCDETF program, and the impressiveness of the combined efforts of the U.S. Attorney’s Office, FBI, and our foreign partners cannot be overstated.  This effort has created lasting disruptive impacts to these transnational criminal organizations.”

“The AFP and FBI have been working together on a world-first operation to bring to justice the organised crime gangs flooding our communities with drugs, guns and violence,” said AFP Commissioner Reece Kershaw APM. “The FBI provided an encrypted communications platform while the AFP deployed the technical capability which helped unmask some of the biggest criminals in the world. This week the AFP and our state police partners will execute hundreds of warrants and we expect to arrest hundreds of offenders linked to the platform. This is the culmination of hard work, perseverance and an invaluable, trusted relationship with the FBI.

We thank the FBI for their long and integral partnership with the AFP.”

Europol’s Deputy Executive Director Jean-Philippe Lecouffe: “This operation is an exceptional success by the authorities in the United States, Sweden, the Netherlands, Australia, New Zealand and the other European members of the Operational Task Force. Europol coordinated the international law enforcement community, enriched the information picture and brought criminal intelligence into ongoing operations to target organised crime and drug trafficking organisations, wherever they are and however they choose to communicate. I am very satisfied to see Europol supporting this operation and strengthen law enforcement partnerships by emphasizing the multi-agency aspect of the case.”

“I am exceptionally proud of our New Zealand Police staff who supported Operation Trojan Shield,” said New Zealand Police Commissioner Andrew Coster. “This operation will have an unprecedented impact on organised crime syndicates across the globe. We value our strong relationship with the FBI, AFP and Europol and it is through these partnerships and the unrelenting efforts by law enforcement agencies from multiple countries that this operation has seen such incredible success This is a fantastic result and reiterates the importance of our transnational partnerships with law enforcement agencies across the globe in our common ongoing efforts to dismantle organised crime groups and the enormous harm they cause to our communities.”

“This remarkably successful operation demonstrates what can be accomplished when law enforcement agencies throughout the world work together,” said DEA Los Angeles Division Special Agent in Charge Bill Bodner. “Through strong relationships with our partners in more than 67 countries, professionals throughout the DEA, including experts in the Los Angeles Division, supported this unprecedented collaboration and our own mission to disrupt and dismantle the criminal organizations that profit from the distribution of illegal drugs.”

According to the San Diego indictment, ANOM’s administrators, distributors, and agents described the platform to potential users as “designed by criminals for criminals” and targeted the sale of ANOM to individuals that they knew participated in illegal activities.

All defendants are foreign nationals located outside of the U.S. In total, eight of the indicted defendants were taken into custody last night.  Authorities are continuing to search for the remaining nine defendants.

The indictment alleges the defendants knew the devices they distributed were being used exclusively by criminals to coordinate drug trafficking and money laundering, including in the U.S. The defendants personally fielded “wipe requests” from users when devices fell into the hands of law enforcement.

The FBI’s review of ANOM users’ communications worked like a blind carbon copy function in an email. A copy of every message being sent from each device was sent to a server in a third-party country where the messages were collected and stored. The data was then provided to the FBI on a regular basis pursuant to an international cooperation agreement. Communications such as text messages, photos, audio messages, and other digital information were reviewed by the FBI for criminal activity and disseminated to partner law enforcement agencies in other countries. Each user was using ANOM for a criminal purpose. Those countries have built their own cases against ANOM users, many of whom were arrested in takedowns in Europe, Australia and New Zealand over the last several days.

Intelligence derived from the FBI’s communications platform presented opportunities to disrupt major drug trafficking, money laundering, and other criminal activity while the platform was active. For example, over 150 unique threats to human life were mitigated.

This operation was led by the FBI and coordinated with the U.S. Drug Enforcement Administration, the U.S. Marshals Service, Australian Federal Police, Swedish Police Authority, National Police of the Netherlands, Lithuanian Criminal Police Bureau, Europol, and numerous other law enforcement partners from over a dozen other countries.

This investigation began after Canada-based encrypted device company Phantom Secure was dismantled by the FBI in 2018 through a San Diego-based federal RICO indictment and court-authorized seizure of the Phantom Secure platform, forcing many criminals to seek other secret communication methods to avoid law enforcement detection. The FBI—along with substantial contributions by the Australian Federal Police—filled that void with ANOM.

When the FBI and the San Diego U.S. Attorney’s Office dismantled Sky Global in March 2021, the demand for ANOM devices grew exponentially as criminal users sought a new brand of hardened encryption device to plot their drug trafficking and money laundering transactions and to evade law enforcement.  Demand for ANOM from criminal groups also increased after European investigators announced the dismantlement of the EncroChat platform in July 2020. The ANOM platform – unlike Phantom Secure, EncroChat, and Sky Global – was exploited by the FBI from the very beginning of ANOM’s existence and was not an infiltration of an existing popular encrypted communications company.

In October 2018, Phantom Secure’s CEO pleaded guilty to a RICO conspiracy in the Southern District of California.  He was sentenced to nine years in prison and ordered to forfeit $80 million in proceeds from the sale of Phantom devices.

For further information, please see https://www.justice.gov/usao-sdca/pr/chief-executive-communications-company-sentenced-prison-providing-encryption-services and https://www.justice.gov/usao-sdca/pr/sky-global-executive-and-associate-indicted-providing-encrypted-communication-devices.

Operation Trojan Shield is an Organized Crime Drug Enforcement Task Forces (OCDETF) investigation.  OCDETF identifies, disrupts, and dismantles the highest-level drug traffickers, money launderers, gangs, and transnational criminal organizations that threaten the United States by using a prosecutor-led, intelligence-driven, multi-agency approach that leverages the strengths of federal, state, and local law enforcement agencies against criminal networks.

Assistant U.S. Attorneys Meghan E. Heesch, Joshua C. Mellor, Shauna Prewitt, and Mikaela Weber of the U.S. Attorney’s Office for the Southern District of California are prosecuting the case, with assistance from Paralegal Specialist Tracie Jarvis.  Former Assistant U.S. Attorney Andrew P. Young made invaluable contributions during his tenure on the case team.

Acting U.S. Attorney Grossman praised federal prosecutors and FBI agents and international law enforcement partners for their relentless pursuit of justice in this extraordinary case. Additionally, Acting U.S. Attorney Grossman thanked the coordinated efforts of the Department of Justice’s Office of International Affairs which facilitated many international components of this complex investigation.

The charges and allegations contained in an indictment are merely accusations, and the defendants are considered innocent unless and until proven guilty.

DEFENDANTS  21-CR-1623-JLS	COUNTRY
*Joseph Hakan Ayik (1)
Domenico Catanzariti (2)	Australia
*Maximilian Rivkin (3)
Abdelhakim Aharchaou (4)	The Netherlands
*Seyyed Hossein Hosseini (5)
Alexander Dmitrienko (6)	Spain
*Baris Tukel (7)
*Erkan Yusef Dogan (8)
*Shane Geoffrey May (9)
Aurangzeb Ayub (10)	The Netherlands
James Thomas Flood (11)	Spain
*Srdjan Todorovic aka Dr. Djek (12)
*Shane Ngakuru (13)
Edwin Harmendra Kumar (14)	Australia
Omar Malik (15)	The Netherlands
Miwand Zakhimi (16)	The Netherlands
*Osemah Elhassen (17)
*Fugitive

 

SUMMARY OF CHARGES

Conspiracy to Conduct Enterprise Affairs Through Pattern of Racketeering Activity (RICO Conspiracy), in violation of 18 U.S.C. § 1962(d)

Maximum Penalty: Twenty years in prion

AGENCIES

Federal Bureau of Investigation

Drug Enforcement Administration

United States Marshals Service

Department of Justice, Office of International Affairs

Australian Federal Police

Swedish Police Authority

Lithuanian Criminal Police Bureau

National Police of the Netherlands

EUROPOL

 

For further information, please see

https://www.europol.europa.eu/newsroom/news/800-criminals-arrested-in-biggest-ever-law-enforcement-operation-against-encrypted-communication

https://www.afp.gov.au/news-media/media-releases/afp-led-operation-ironside-smashes-organised-crime

Encrypted Phone Company Was Secretly Commandeered by FBI to Track Criminals’ GPS Data

The agency’s backdoor access to Anom phones collected the locations of users across the world, transferring the data to authorities.

FBI Sold Criminals Fake Encrypted Phones That Actually Copied Their Messages

The Anom company helped international law enforcement arrest over 800 suspected criminals in what marks the FBI’s latest attempt to overcome encryption.

An encrypted chat platform that catered to criminals is actually an FBI sting operation.

Since 2019, the FBI has been secretly operating Anom, a company that pretended to offer encrypted messaging to criminal organizations. In reality, the Anom app would relay to federal investigators a copy of every message sent.

The operation enabled the FBI and international law enforcement to arrest over 800 suspected criminals across the globe, according to Europol.

Anom ended up serving more than 12,000 devices belonging to over 300 criminal organizations, including the Italian mafia, outlaw motorcycle gangs, and crime syndicates based in Asia. The encrypted chat platform recorded messages covering assassination plots, mass drug trafficking, and illegal gun distribution.

The operation marks US law enforcement’s latest attempt to circumvent encryption on smartphones. For years now, the FBI has been urging Apple to create a backdoor into its iPhones, citing the need to collect evidence against suspected criminals. Apple has thus far refused, so the agency has contracted professional smartphone hacking services to help it unlock devices seized in investigations.

“When we took down Phantom Secure in 2018, we found the criminal organizations moved quickly to back-up options with other encrypted platforms,” said FBI San Diego Assistant Special Agent in Charge Jamie Arnold in a statement.

As a result, the FBI and its law enforcement partners attempted to fill the void with Anom. According to Vice, a confidential source who sold phones using Phantom Secure had been developing their own encrypted chat platform; the source then offered up the platform to the FBI, which began working to circulate Anom in criminal underground circles.

According to Australian Federal Police, the Anom encrypted messaging app was installed on special phones that had been stripped of other capabilities. “The mobile phones, which were bought on the black market, could not make calls or send emails. It could only send messages to another device that had the organized crime app. Criminals needed to know a criminal to get a device,” Australian Federal Police added.

To market itself, Anom also had its own YouTube, Twitter, Facebook, and Reddit pages, which advertised the app as a secure communications platform.

The FBI has since replaced the Anom.io website with a notice that says: “Law enforcement has been monitoring messages and attachments from the ANØM platform. A number of investigations have been initiated and are ongoing.” Users of Anom can learn if they’re under investigation by typing in their username and smartphone details into a form on the site. SOURCE

We Got the Phone the FBI Secretly Sold to Criminals

Unlocking the Google Pixel 4a with a PIN code reveals some common apps: Tinder, Instagram, Facebook, Netflix, and even Candy Crush. But none of those apps work, and tapping their icons doesn’t do anything. Resetting the phone and typing in another PIN opens up an entirely different section of the device, with a new background and new apps. Now in place of the old apps sit a clock, a calculator, and the device’s settings.

“Enter Anom ID” and a password, the screen reads. Hidden in the calculator is a concealed messaging app called Anom, which last month we learned was an FBI honeypot. On Anom, criminals believed they could communicate securely, with the app encrypting their messages. They were wrong: an international group of law enforcement agencies including the FBI were monitoring their messages and announced hundreds of arrests last month. International authorities have held press conferences to tout the operation’s success, but have provided few details on how the phones actually functioned.

Motherboard has obtained and analyzed an Anom phone from a source who unknowingly bought one on a classified ads site. On that site, the phone was advertised as just a cheap Android device. But when the person received it, they realized it wasn’t an ordinary phone, and after being contacted by Motherboard, found that it contained the secret Anom app.

The person Motherboard bought the phone from said they panicked “when I realised what I had just purchased.” Motherboard granted the person anonymity to protect them from any retaliation.

When booting up the phone, it displays a logo for an operating system called “ArcaneOS.” Very little information is publicly available on ArcaneOS. It’s this detail that has helped lead several people who have ended up with Anom phones to realize something was unusual about their device. Most posts online discussing the operating system appear to be written by people who have recently inadvertently bought an Anom device, and found it doesn’t work like an ordinary phone. After the FBI announced the Anom operation, some Anom users have scrambled to get rid of their device, including selling it to unsuspecting people online. The person Motherboard obtained the phone from was in Australia, where authorities initially spread the Anom devices as a pilot before expanding into other countries. They said they contacted the Australian Federal Police (AFP) in case the phone or the person who sold it was of interest to them; when the AFP didn’t follow up, the person agreed to sell the phone to Motherboard for the same price they paid. They said they originally bought it from a site similar to Craigslist.

Another person Motherboard spoke to who bought one of the phones said they were in Lithuania.

“I bought this phone online, for ridiculously low price, now I understand why,” that second person said. That person also provided Motherboard with photos and a video of their device. In that case, the Anom login screen appeared inaccessible, but other settings such as the decoy PIN code remained. “Probably this phone was used by some drug dealer :D,” they said.

For the past few months, members of Android hobbyist and developer forums have been trying to help the people who bought the strange phones return them to a usable state.

“I cannot install any apps because there is no [App Store], everything has been removed,” one person who said they bought the phone second-hand wrote on a German language forum in March, before the FBI and its partners stopped the operation.

“If he also had access to/data, he could change all of the cell phone’s settings manually,” one forum user replied.

“That’s strange… You have the boot screen saying that the phone has been modified, yet you seem to have a locked bootloader… Doesn’t make any sense to me :/,” a user on another forum replied to someone facing similar issues.

“I have the same thing. A friend got a used pixel 4a and it’s running arcaneos with the same issues described by the OP. Nothing works when attempting to flash,” someone else added to the thread.

After Motherboard determined that ArcaneOS was linked to the Anom devices and had bought the phone, someone else on one of the forums also made the connection.

“This is a phone the used with that FBI ANON [sic] application to read the message with the users,” a user wrote on a thread. That user did not respond to a request for comment on how they also came to the same conclusion.

The Phone

Besides ArcaneOS, the phone has a few other interesting features and settings.

Ordinarily, Android phones have a setting to turn location tracking off or on. There appears to be no setting for either on this device.

The phone offers “PIN scrambling,” where the PIN entry screen will randomly rearrange the digits, potentially stopping third-parties from figuring out the device’s passcode if watching someone type it in. The status bar at the top of the screen includes a shortcut for what appears to be a wipe feature on the phone, with an icon showing a piece of paper going through a shredder. Users can also set up a “wipe code,” which will wipe the device from the lockscreen, and configure the phone to automatically wipe if left offline for a specific period of time, according to the phone’s settings reviewed by Motherboard.

Encrypted phone companies typically offer similar data destruction capabilities, and at least in some cases companies have remotely wiped phones while they’re in authorities’ possession, hindering investigations. The Department of Justice has charged multiple people who allegedly worked for Anom in part for obstructing law enforcement by using this wipe feature.

Daniel Micay, lead developer of security and privacy focused Android operating system GrapheneOS, also provided Motherboard with images someone had recently sent him of a third Anom device. That phone was a Google Pixel 3a, suggesting Anom loaded its software onto multiple iterations of phones over time, and the Anom login screen was not immediately accessible.

“The calculator theoretically opens chat but it doesn’t work anymore. They said it requires entering a specific calculation,” Micay said. “Quite amusing security theater.”

Micay said others claimed that Anom used GrapheneOS itself, but “it sounds like they may have advertised it to some people by saying it uses GrapheneOS but it has no basis.”

“Basically [it] sounds like people have heard of GrapheneOS so these companies either use it in some way (maybe actual GrapheneOS, maybe a fork) or just claim they did when they didn’t,” he said.

The phone obtained by Motherboard and the one included in the video both have an identical list of contacts saved to the innocuous looking section of the device. However, at least some of these appear to be placeholder contacts generated by a specific tool available on Github. None of the people included in the contact list responded to a request for comment.

With its wipe features and the hidden user interface, the Anom device does look like one from any of the other encrypted phone firms that serious organized criminals have used in the past, such as Encrochat and Phantom Secure. That was very much on purpose, according to Andrew Young, a partner in the Litigation Department in law firm Barnes & Thornburg’s San Diego office and former Department of Justice lead prosecutor on the Anom case.

“We can’t just run a good investigation; we have to run a good company,” he previously told Motherboard in a phone call. That included providing customer service and solving users’ tech issues, and potentially dealing with hackers who may target the company too.

Anom started when an FBI confidential human source (CHS), who had previously sold devices from Phantom Secure and another firm called Sky Global, was developing their own product. The CHS then “offered this next generation device, named ‘Anom,’ to the FBI to use in ongoing and new investigations,” court documents read.

In June the FBI and its law enforcement partners in Australia and Europe announced over 800 arrests after they had surreptitiously been listening in on Anom users’ messages for years. In all, authorities obtained over 27 million messages from over 11,800 devices running the Anom software in more than 100 countries by silently adding an extra encryption key which allowed agencies to read a copy of the messages. People allegedly smuggling cocaine hidden inside cans of tuna, hollowed out pineapples, and even diplomatic pouches all used Anom to coordinate their large-scale trafficking operations, according to court documents.

The FBI declined to comment. SOURCE