September 14, 2017

Are the Shadow Brokers identical with the Second Source?

(Updated: September 16, 2017)

What a lot of people don't know, is that a range of classified documents from the NSA have not been attributed to Edward Snowden, which means that there was at least one other leaker inside the NSA.

Initially, this leaker was called the "second source", and although he was responsible for significant leaks, they got little attention in the US. More media coverage gained the release, since 2016, of NSA hacking tools by the mysterious "Shadow Brokers".

Now, a close look at documents published by the German magazine Der Spiegel in December 2013 provided new indications that the second source could be identical with the Shadow Brokers.

NSA's Cryptologic Center in San Antonio, Texas (2013)
(photo: William Luther - click to enlarge)

The second source

The first leak that was not attributed to Snowden, was of an internal NSA tasking record, showing that German chancellor Angela Merkel was apparently on the NSA's targeting list. The second revelation that was said to come from the same source as the Merkel record, was that of the ANT product catalog, containing a wide range of sophisticated eavesdropping gadgets and techniques.

Security expert Bruce Schneier, who was probably the first to write about the possibility of a second source, said that this source apparently passed his documents to a small group of people in Germany, including hacktivist Jacob Appelbaum and documentary film maker Laura Poitras.

Because Poitras also received one of the initial sets of documents from Snowden, it is sometimes assumed that the documents from the Second Source may actually stem from the Snowden trove, despite not being attributed as such. For some of the individual documents this was contradicted by Glenn Greenwald and Edward Snowden though.

Spiegel reportings

The ANT catalog was published by the German magazine Der Spiegel on December 29, 2013. The original article was in German and written by Jacob Appelbaum, Judith Horchert, Ole Reißmann, Marcel Rosenbach, Jörg Schindler and Christian Stöcker. A translation in English mentioned the names of Jacob Appelbaum, Judith Horchert and Christian Stöcker.

Although this catalog got most of the attention, not at least because Appelbaum explained the various tools during a presentation at the hackers conference CCC on December 30, it was actually just an addition to Der Spiegel's extensive main piece about the hacking division of the NSA, called Tailored Access Operations (TAO).

This article was written by Jacob Appelbaum, Marcel Rosenbach, Jörg Schindler, Holger Stark and Christian Stöcker, with the cooperation of Andy Müller-Maguhn, Judith Horchert, Laura Poitras and Ole Reißmann. There was also a translation in English prepared by the Spiegel staff based upon reporting "by Jacob Appelbaum, Laura Poitras, Marcel Rosenbach, Christian Stöcker, Jörg Schindler and Holger Stark."

TAO documents

This main piece was accompanied by various NSA documents: one slide about FOXACID, a partial presentation about QUANTUM, two separate pages from other documents, as well as complete powerpoint presentations about QUANTUM tasking, the TAO unit at NSA/CSS Texas, and the QFIRE architecture:

(click to go to the various documents)

Not Snowden?

Apparently never noticed before, is that not only the ANT product catalog, but also these other presentations and documents were not attributed to Snowden. In both the German and the English version, the whole lengthy article contains multiple times phrases like "internal NSA documents viewed by SPIEGEL" but never in combination with the name of Edward Snowden.

This is remarkable, because for the media, it's usually almost some kind of honor to publish documents provided by Snowden, which is then clearly mentioned in their reporting. In those cases, the byline includes the name of the one who actually provided the documents on Snowden's behalf, often Glenn Greenwald and for Der Spiegel, Laura Poitras.

But both articles from December 29 have Jacob Appelbaum, instead of Poitras in the byline, which seems to be an indication that here, the top secret NSA documents were provided by Appelbaum, likely as the middleman for the mysterious second source.

Exception: FOXACID slide

There's one exception though: the description of the FOXACID slide says that it is from an NSA presentation from the Snowden cache - this was confirmed when on August 19, 2016, The Intercept eventually published the full presentation about FOXACID.

This slide was probably provided by Laura Poitras, from her cache of Snowden documents, which would explain why she was mentioned as one of the persons that provided assistance for Der Spiegel's main piece of December 29.

The other presentations have not been published as part of the Snowden revelations, there's only one with a similar layout (from Booz Allen's SDS unit), but is about a different topic.


If not only the ANT Product Catalog, but also these other NSA presentations about the TAO division were not provided by Snowden, but by the second source, what's the significance of that?

Analysing the range of revelations that were not attributed to Snowden, resulted in the following list of documents that were likely leaked by the second source:

- Chancellor Merkel tasking record
- TAO product catalog
- XKEYSCORE rules: New Zealand
- NSA tasking & reporting France, Germany, Brazil, Japan
- XKEYSCORE agreement between NSA, BND and BfV(?)
- NSA tasking & reporting EU, Italy, UN

Except for the TAO catalog, one of the things that all these documents have in common, is that they are different from the usual powerpoint presentations, program manuals and internal wiki pages that make up the biggest part of the Snowden revelations.

(Of course, absence of evidence is no evidence of absence, but as these second source documents are often more significant than many other Snowden files, there seems to be no reason not to publish them)

The additional December 29 files do actually fit the typical sort of documents from Snowden, which makes it more difficult to distinguish between documents from Snowden and those from the other leaker(s).

The Shadow Brokers

If we look at the content of the files, we see that those from Der Spiegel's December 29 article are all about NSA's hacking operations. There have been several Snowden stories about that topic, but more spectacular became the release, since August 2016, of actual NSA hacking tools by a mysterious person or group called The Shadow Brokers (TSB or SB).

There has been a lot of speculation about who could be behind this and how he, she or they got access to these sensitive files. One option is an NSA insider, either on his own, in cooperation with crypto-anarchists, or as a mole directed by a hostile intelligence agency.

Another suggestion was that an NSA hacker mistakenly uploaded his whole toolkit to a server outside the NSA's secure networks (also called a "staging server" or "redirector" to mask its true location) and that someone was able to grab the files from there - this option was for example favored by Snowden.


The latter theory was falsified when on April 14, 2017, the Shadow Brokers did not only publish an archive containing a series of Windows exploits, but also several documents and top secret presentation slides about NSA's infiltration of the banking network SWIFT - things unlikely to be on a staging server, which makes that the source behind the Shadow Brokers is most likely an insider.

On July 28, the website CyberScoop reported that as part of their investigation into the Shadow Brokers leaks, US government counterintelligence investigators contacted former NSA employees in an effort to identify a possible disgruntled insider.

(just a few days ago, the Shadow Brokers released a manual for the hacking framework UNITEDRAKE, strangely enough without date and classification markings, but again something that one wouldn't find on an outside staging server)

Same source?

With the documents published by the Shadow Brokers apparently being stolen by an insider at NSA, the obvious question is: could the Shadow Brokers be identical with the Second Source?

One interesting fact is that the last revelation that could be attributed to the second source occured on February 23, 2016, and that in August of that year the Shadow Brokers started with their release of hacking files. This could mean that the second source decided to publish his documents in the more distinct and noticeable way under the guise of the Shadow Brokers.

But there's probably also a much more direct connection: the batch of documents published along with Der Spiegel's main piece from December 29, 2013 include a presentation about the TAO unit at NSA's Cryptologic Center in San Antonio, Texas, known as NSA/CSS Texas (NSAT):

TAO Texas presentation, published by Der Spiegel in December 2013
(click for the full presentation)

And surprisingly, the series of three slides that were released by the Shadow Brokers on April 14 were also from NSA/CSS Texas. They show three seals: in the upper left corner those of NSA and CSS and in the upper right corner that of the Texas Cryptologic Center:

TAO Texas slide, published by the Shadow Brokers in April 2017
(click for the full presentation)


It's quite remarkable that among the hundreds of NSA documents that have been published so far, there are only these two sets from NSA/CSS Texas, which is responsible for operations in Latin America, the Caribbean, and along the Atlantic littoral of Africa in support of the US Southern and Central Commands.

Besides the one in San Antonio, Texas, NSA has three other regional Cryptologic Centers in the US: in Augusta, Georgia, in Honolulu, Hawaii and in Denver, Colorado. These four locations were established in 1995 as Regional Security Operations Centers (RSOC) in order to disperse operational facilities from the Washington DC area, providing redundancy in the event of an emergency.

So far, no documents from any of these regional centers have been published, except for the two from NSA/CSS Texas. This could be a strong indication that they came from the same source - and it seems plausible to assume that that source is someone who actually worked at that NSA location in San Antonio.


This person may only have stolen files that were available at his own workplace, as it should be realized that not every leaker necessarily has similar broad access like Snowden had (and gained) in his job as a systems administrator.

Snowden on the other hand may only have downloaded things from a intranet for NSA as a whole (assuming that would contain the most interesting files) and leaving the local network for his Hawaii office untouched - which would explain why we never saw any documents marked NSA/CSS Hawaii (another reason could be that such documents would have made it easier to identify him).

Given the many hacking files, it's tempting to assume that the second source/Shadow Brokers was an NSA hacker at the Texas TAO unit. It's not clear though whether someone in such a position would also have had the access to the intelligence reports and traditional tasking lists which were published by Wikileaks. It's also possible that those documents came from a different source.


One final thing that the revelations from the second source and the Shadow Brokers seem to have in common is the motivation: none of their documents reveal serious abuses or illegal methods, but only compromise methods and operations, and discredit US intelligence.

Most of these documents weren't vetted by professional journalists either: although initially published by Der Spiegel and some other German media, later files were made public by the uncritical website Wikileaks, while the Shadow Brokers postings come without any intermediary on sites like Pastebin, Medium and Steemit.

(In March 2017, Wikileaks started the "Vault 7" series in which they publish secret hacking tools from the CIA. These files have dates between November 2003 and March 2016 and are therefore more recent that those from the Shadow Brokers, with their newest files being dated October 18, 2013 - some 5 months after Snowden left the NSA and around the same time when Der Spiegel published the first document from the second source)


On the weblog there are some additional thoughts about this issue: the author is, for various reasons, skeptical about the Shadow Brokers being a disgruntled NSA employee or contractor, and therefore that he could be identical with the second source. As an alternative, EmptyWheel suggests that Jakob Appelbaum and the Shadow Brokers may have a mutually shared source.

Links and sources
- UNITEDRAKE and hacking under FISA Orders
- Shadow Brokers' Persistence: Where TSB has signed, message, hosted, and collected
- The US Intelligence Community has a Third Leaker

August 13, 2017

Do NSA compliance reports point to an unknown classification compartment?

(UPDATED August 14, 2017)

On July 12, the American Civil Liberties Union (ACLU) published two Top Secret NSA compliance reports, which were obtained after declassification under the Freedom Of Information Act (FOIA). Here we will take a look the classification marking of these reports, of which one part has been redacted:

Both documents are quarterly reports from the NSA to the Foreign Intelligence Surveillance Court (FISC) on compliance under Section 702 of the FISA Amendments Act (FAA), which governs both the PRISM and the Upstream collection efforts. One of the reports is from March 2014, the other one from March 2015.

More about the content of these two compliance reports can be found in this article by The Hill, as well as in this posting on the weblog Here we will take a look at the classification of these reports.

Classification marking

The classification line of both reports is: TOP SECRET//[...]/SI//ORCON/NOFORN, which stands for:

- TOP SECRET: the highest classification level
- [...]: an unknown SCI control system
- SI: the SCI control system "Special Intelligence"
- ORCON: the dissemination restriction "Originator Controlled"
- NOFORN: the dissemination restriction "No Foreign Nationals"

As we can see, the double slash behind TOP SECRET is followed by a short space that has been redacted. Then comes a single slash, followed by SI for the control system for Signals Intelligence (SIGINT), which was formerly denoted as COMINT. This means that the redaction also hides a so-called control system, used for protecting national intelligence information concerning sources and methods.

The semiannual Section 702 FAA compliance reports, like this one from 2015, which are prepared by the Attorney General and the Director of National Intelligence, don't have the redacted marking and are just TOP SECRET//SI//NOFORN.


Meanwhile, a reader suggested that the redacted part of the classification line might hide HCS, which is the abbreviation for HUMINT Control System. HUMINT stands for Human Intelligence, and therefore, HCS is the control system that protects intelligence from the CIA. And indeed, it appears that "HCS" fits the redacted space perfectly:

HCS itself isn't classified, so the reason why this marking appears redacted here, is probably that NSA only declassified its own part and redacted everything related to the CIA. Analysts of the CIA request and receive information from 702 FAA collection, but the scope of their involvement remains classified.

With HCS being the most likely option for the redacted space in the 2014 and 2015 compliance reports, please read the following with that in mind!


Another option that comes to mind is the STELLARWIND compartment, which was created in October 2001 to protect NSA's new collection methods as authorized by president George W. Bush. This is officially known as the President's Surveillance Program (PSP) and more popular as the "warrantless wiretapping".

For classification purposes, the abbreviation of STELLARWIND is STLW, which is too long for the redacted space in the marking on the compliance reports. The STELLARWIND classification guide from January 2009 does provide an interesting alternative though, where it says:

"The markings "TSP" and "Compartmented" were at times used in briefing materials and documentation associated with the STELLAR WIND program. "TSP" and "Compartmented" were used primarily by the National Security Agency (NSA) Legislative Affairs Office (LAO), NSA Office of General Counsel (OGC), and the Executive Branch in briefings and declarations intended for external audiences, such as Congress and the courts. The term "TSP" was initially used in relation to only that portion of the Program that was publicly disclosed by the President in December 2005. These markings should be considered the same as the STELLARWIND marking, but should not be directly associated with the program."

In several documents that had been presented to the FISA Court and meanwhile have been declassified by the US government, we can see this TSP marking:

Classified declaration of NSA director Alexander, April 20, 2007.

The two recently declassified compliance reports from 2014 and 2015 were also meant for the FISA Court, and if we try out "TSP", it fits the redacted space remarkably well:


PSP/TSP collection (2001-2007)

Under the President's Surveillance Program (PSP), as protected by the STELLARWIND compartment, it became possible for NSA to not only collect fully foreign communications, but also those with just one end foreign - the express aim was to find foreign terrorists with connections inside the US. Under the PSP the following data were collected (with their succeeding legal authorizations):

- Telephony content (since 2008: Section 702 FAA Upstream collection)
- Internet content (since 2008: Section 702 FAA Upstream collection)

- Telephony metadata (2006-2015: Section 215 (BR/FISA) bulk collection)
- Internet metadata (2004-2011: Section 402 (PR/TT) bulk collection)

The bulk collection of internet metadata was brought from the president's authority under that of the FISA Court (FISC) in July 2004, and the same happened with the bulk telephone metadata in May 2006.

The collection of both telephone and internet content became also authorized by FISC orders as of January 2007, which was temporarily replaced by the Protect America Act (PAA) in August 2007 and then permanently by Section 702 of the FISA Amendments Act (FAA) in July 2008.

Section 702 FAA is also the legal foundation for PRISM collection, which started in September 2007 with data being provided by Microsoft. Until October 2012, another eight internet companies had followed. While Upstream collection, at major telecom switches, only provides future communications in transit, PRISM gives access to stored data from a target's past too.

After revelations by the New York Times in December 2005, president Bush admitted that NSA was collecting the one-end foreign telephone and internet content and named it the Terrorist Surveillance Program (TSP). Bush stayed silent though about the other part of the PSP, which involved the bulk collection of domestic metadata. This came to light in June 2013, when Snowden provided the Verizon order to the press.

Another option

As we have seen, the TSP marking fits the redacted space in the classification line of the compliance reports very well, but of course it's always possible that a different abbreviation might be hidden there. In documents that have been declassified earlier, "TSP" was not redacted, so strictly spoken, it shouldn't have been redacted here.

And there's indeed another option: on September 6, 2014, the US Justice Department released a declassified version of a 2004 memorandum about the STELLARWIND program. The classification line of this document has a similar short redaction right after "Top Secret", just like in the compliance reports:

Classification marking of the 2004 DoJ memorandum about STELLAR WIND

Interestingly, "TSP" would also fit the redacted space here - but this wouldn't make much sense, as TSP was meant as a replacement for STELLARWIND for audiences who didn't have a need-to-know for the STELLARWIND cover term - and "STELLAR WIND" is in the classification line here too. Also, the name Terrorist Surveillance Program probably didn't exist in 2004, as it was apparently first used by President Bush in a speech on January 23, 2006.

So, it's not very likely that "TSP" is the marking that was redacted in the 2004 memorandum, but position and length of the marking indicate that it's very well possible that it's actually the same control system as in the classification line of the compliance reports from 2014 and 2015 - with an abbreviation of almost exactly the same length as "TSP".

Regarding the status of this mysterious marking: in the 2004 document it's shown between double slashes, which is strange, because according to the official classification manuals, there cannot be something between two double slashes in that position (see the chart below).

If this double slash is correct, then we would have a complete new category which isn't in the (public) classification manuals. This reminds of the UMBRA marking, which also appeared unexpectedly between double slashes in a classification line.

Another option is that the double slash behind the redacted marking is actually a mistake and there should have been just a single slash, just like in the classification lines of the 2014 and 2015 compliance reports. In this case, the marking represents a normal control system like SI, HCS, and several others mentioned in the classification manuals.

Overview of the categories and formatting for the US classification and control markings
From the Intelligence Community Classification Manual 6.0 from December 2013
(click to enlarge)

July 14, 2017

Dutch report provides metadata numbers to compare with Snowden documents

(Updated: September 21, 2017)

Since the Snowden revelations, we know that signals intelligence agencies are trying to acquire large sets of telephone metadata in order to analyse them in support of protecting their national security.

Less known is that commercial companies also analyse similar big data sets, albeit for research purposes and with personal information being anonymized.

Now, a research report from the Netherlands provides us with actual numbers of mobile telephone metadata, which can be used to compare with the numbers that NSA and GCHQ collected according to the Snowden documents.

Tourist movements

Recently published was a report about visitor movements in and around the Dutch capital of Amsterdam. It was prepared by the economic research company Decisio on behalf of the province of Noord-Holland and the municipalities of Amsterdam and Zandvoort.

Since a few years, Amsterdam almost suffers from a huge increase of tourists, but it was difficult to get detailed insights in where they come from, where they stay and which areas of the city, as well as which surrounding towns are most popular.

Now, these insights became available by using information from the "tracking device" carried by almost every individual: the mobile phone.

Anonymized data sets

Decisio acquired a huge set of mobile telephone metadata from Vodafone, which is the second largest provider in the Netherlands, with over 5 million customers. When they use their mobile phones, they connect to one of the 32.000 cell towers or base stations, which associate the phone number with a location.

Each month, Vodafone provides these data to another research company called Mezuro, which processes and analyses them to map the movements using a grid of 1250 regions containing multiple base station cells. The results were then analysed by Decisio and compared with other information sources.

But before that, the Vodafone metadata were anonymized by replacing every phone number with a random number that changes every month. Foreign phone numbers were replaced daily. Also, only the movements of groups of more than 15 numbers were reported, so it's impossible to track the movements of individual phone users.

Development of the average number of daily mobile phone transactions
from Vodafone users between January 2013 and September 2015
(source: Decisio research report)

Mobile phone metadata

Most interesting parts of the report are the details about the telephone metadata: Mezuro periodically receives information about some 3 million Vodafone phone numbers that are active on a daily basis. These phones generated 400 million "transactions", or Call Detail Records (CDRs) a day.

These transactions are the moments that a mobile phone connects to a cell tower, not only for a phone call or a text message (SMS), but increasingly often for a social media posting, sending or receiving an e-mail, a Google search or checking a website - for Dutch users, this is on average 100 times a day.

An article from October 2013 about Mezuro says that the company analyzed some 150 million data points daily and that an average smartphone connects 150 to 200 times a day with a cell tower.

This number was confirmed during a parliamentary hearing in Germany, when someone from BND explained that one cell phone generates between 100 and 200 metadata and business records a day.

Update: similar numbers come from the Russian billing (and interception) company Peter-Service, which installs billing installations capable of 18 million subscribers creating 2,851 billion transactions a day, which equals 158 transactions per person per day.

If we take these metadata as the rows of a (database) table, each of them contain multiple fields, corresponding to columns for information pieces like for example the number calling, the number called, date, time, cell tower location, and information needed to transfer various types of messages.


For the tourism research, the Vodafone data were multiplied in order to get the numbers for the full population. The multiplier changes daily depending on the day of the week, holidays, etc, but lies roughly around 5 (for foreign visitors it's much more difficult to calculate this number).

As this total also includes people who don't use a mobile phone, the multiplier for the total number of metadata must be lower. According to the report, the users of the Vodafone network account for 1/3 of all mobile phone users in the Netherlands, so here we can use 3 as multiplier.

That makes that in 2016, all Dutch mobile phones generated some 1200 million transactions a day. In a month that's over 36 billion and in a year 432 billion telephone metadata records.

For comparison with the numbers from the Snowden documents, we have to look for the numbers from early 2013. The chart from the report shows that in January 2013, there were ca. 85 million transactions by Vodafone users a day, which makes 255 million for all Dutch users. In a month that's 7,65 billion.


Now, let's take a look at some of the numbers from the Snowden revelations. For the Netherlands there was a chart from the NSA tool BOUNDLESSINFORMANT, which shows 1,8 million telephone metadata records for 30 days around January 1, 2013.

Initially it was thought that this were Dutch data sucked up by NSA, but later it came out that they were actually collected by Dutch military intelligence, most likely in Afghanistan, and subsequently shared with the Americans.

Now that we know that in the same period of time, the Dutch mobile phone users alone already accounted for over 7 billion metadata, 1,8 million is a tiny number, maybe generated by not more than 2500 smartphones. In Afghanistan, old fashioned cell phones may have created less transactions, so the 1,8 million metadata could have been the traffic captured from a small town.

Update: On Twitter, a Dutch journalist involved with the Snowden revelations said that the 1,8 million records represent some 12 million pieces of metadata (which means one record consists of at least 6 fields) and that the Dutch Ministry of Defence had confirmed that they were collected from Somalia.

The BOUNDLESSINFORMANT chart for the Netherlands with data
collected from December 10, 2012 to January 8, 2013
(click to enlarge)

Late 2013, major European newspapers published similar charts for other countries too, again claiming that they showed how many phone calls NSA was intercepting. But even if those claims were true, the 70 million the BOUNDLESSINFORMANT chart presented for France, 60 million for Spain, 45 million for Italy and 33 million for Norway, are tiny numbers given the actual 7,65 billion metadata for a small country like the Netherlands.

Even the 552 million metadata in the chart for Germany doesn't come close. If the Netherlands with some 16 million people generated 7,65 billion mobile phone metadata a month, then for 80 million German citizens that number would be over 38 billion.

And to be clear: the data represented in these specific BOUNDLESSINFORMANT charts were not collected by NSA in Europe, but shared with NSA by European intelligence agencies, as part of their military cooperation in various crisis zones.

NSA and GCHQ totals

Finally, we can look at how many telephony metadata NSA and GCHQ collect in total and compare that with the numbers from the Netherlands. In 2012, the British GCHQ "was handling 600m "telephone events" each day" - according to Snowden documents seen by The Guardian.

This seems a surprisingly small number compared to the 225 million transactions generated by Dutch users, but it's possible that the 600 million only apply to traditional telephone and SMS metadata, excluding the internet data from smartphones.

The NSA collected a total of 135 billion telephone metadata a month during the first half of 2012. This is some 17 times the amount for the Netherlands as a whole - again not a very excessive number, as it would roughly equal the telephone metadata of around 300 million people, which is more or less the population in the Middle East.

The volumes of NSA metadata collection between January and June 2012
(click to enlarge)


During the Snowden revelations, the press was eager to present numbers about NSA and GCHQ data collection that seemed impressingly high. But not a single media outlet took the time or effort to come up with the total numbers of telephone and internet communications, needed to put them in the right perspective.

From the research report about Amsterdam tourism we finally learned what the actual number of mobile telephone metadata for a western country look like. Although we still don't know how exactly NSA and GCHQ are counting their metadata, comparing them to the numbers from the Netherlands shows that their collection efforts may be not as excessive as initially thought.

Links and sources
- Decisio: Bezoekersstromen Amsterdam - Zandvoort (2017)
- Autoriteit Consument & Markt: Telecommonitor eerste kwartaal 2016 (2016)
- ITU: Innovation of tourism statistics through the use of new big data sources (2014)
- CBS: Rapportage project impact ICT; Mobiele telefonie (2013)

One interesting result from the tourism report is that measuring the number of visitors of Amsterdam's annual Gay Pride showed that instead of the 560.000 visitors according to the organisation, only 115.000 visitors came from outside the city center, additional to the 235.000 people who are present on every Saturday and may or may not have watched the event. This confirms that visitor numbers for free public events are often significantly exaggerated.

June 8, 2017

Dutch-Russian cyber crime case reveals how the police taps the internet

(Updated: August 26, 2017)

About how signals intelligence agencies, like NSA and GCHQ, are intercepting communications, we learned a lot from the Snowden revelations and the German parliamentary inquiry, but also from new legislation in France, the Netherlands and the United Kingdom.

Much less is known about the practice of tapping by law enforcement, like for example the FBI and police forces. Now, a case from the Netherlands provides some interesting insights in how Dutch police intercepts internet communications - in a way that comes remarkably close to the bulk collection by intelligence agencies.

Office of the Team High Tech Crime (THTC) of the Dutch police in Driebergen
(photo: NRC/Merlin Daleman)

Cooperation with the Russians

On Saturday, May 27, the Dutch newspaper De Volkskrant came with a surprising story about the cooperation between the Team High Tech Crime (THTC) of the Dutch police and officials from the Russian federal security service FSB, which is the main successor to the notorious KGB.

Since 2009, regular meetings are held in the Netherlands, in which also officials from the FBI participate. The aim is to cooperate in tracking down and eventually arresting cyber criminals. The Volkskrant's front page report is accompanied by an extensive background story, which contains some more worrying details, but is only available in Dutch.

The cooperation with the Russians dates back to September 2007, when the head of THTC attended a conference in the Russian city of Khabarovsk, at which CIA, FBI, Mossad, BND and other agencies were present. The head of THTC was able to create a connection to the FSB and their deputy head of the Center for Information Security (TsIB), Sergei Mikhailov, became the liaison for the Dutch police and would regularly visit the Netherlands.

Meetings in Driebergen

Initially, the meetings with the Russians were held in the Dutch village of Driebergen, where the Team High Tech Crime has its offices. The Dutch security service AIVD was apparently not very fond of this, so every visit of for example Mikhailov had to be reported, and since 2012, every police officer who had contact with someone from the FSB was briefed by the AIVD before and after every meeting.

The FSB, much like the FBI, isn't just responsible for law enforcement, but is also Russia's secret service for domestic security. This made AIVD worried that FSB officers could use their visits to the Netherlands for spying - although strictly spoken, collecting foreign intelligence is the task of another Russian agency, the SVR.

The police compound in Driebergen started as highway patrol station, but nowadays houses some of the most sensitive units of the Dutch police, including the national criminal investigation branch and the Unit Landelijke Interceptie (or Lawful Interception, ULI; nowadays: Interceptie & Sensing, I&S), which was created in 2005 as the central facility for internet tapping, as well as for telephone tapping on behalf of all the smaller police districts.*

The police compound in the village of Driebergen
(photo via Flickr)

Security incident

There was at least one security incident in Driebergen: De Volkskrant describes that during a meeting with FBI and FSB, a Russian official came to a member of the Dutch police team, pointed at someone from the FBI and said "he is copying your data". An investigator went looking and saw that indeed the American had a thumb drive in a police laptop and was copying Dutch information. Whether this had any consequences was not reported.

In 2014, the cooperation with Russia came under pressure: in July, there was the Russian annexation of the Crimea and shortly aftwerwards, flight MH17 was shot down, killing 193 Dutch citizens. The criminal investigation of this case also takes place in Driebergen, so the police decided to move to meetings with FSB officials from Driebergen to police stations in Amsterdam and Rotterdam.


Intercepting at Leaseweb

The first case in which Dutch police and Russian FSB cooperated started in 2008, when Russian criminals used the ZeuS trojan horse malware to spoof the login screen of banks in order to capture user credentials, and steal the money from bank accounts without a trace.

Often these criminals used servers of the Dutch hosting company Leaseweb, which offers relatively anonymous and cheap services as well as high-speed connections, as it is close to the large Amsterdam internet exchange AMS-IX. To communicate with eachother, the criminals used the messenger service ICQ, which is still popular in Russia and Eastern Europe, but doesn't use encryption.

To catch the criminals behind the ZeuS malware, the Dutch police team set up operation Roerdomp (the Dutch name for the Eurasian bittern) and in October 2008, they asked other countries for the ICQ numbers of known cyber criminals. Within 3 months, authorities from the US, Germany, Britain, the Ukraine and Russia provided a total of 436 ICQ numbers. In January 2009, the public prosecutor and an examining judge approved the interception of communications associated with these numbers.

ICQ logo and interface

DPI filtering

To acquire these ICQ communications, the police had decided to intercept all ICQ traffic from Russia that went through the Leaseweb servers. For that purpose they bought equipment for deep-packet inspection (DPI) worth 600.000,- euro.

DPI devices are able to examine the packets that make up internet traffic and filter them according to predefined criteria, usually to prevent viruses and spam, but in this case for intercepting communications.

High-end DPI equipment, from manufacturers like Narus and Verint, can also recreate ("sessionize") the communication sessions in order to filter complete files and messages out - which is also one of the main features of NSA's XKEYSCORE system.

The Volkskrant reports that after the interception was approved, the new equipment was connected to the servers of Leaseweb, but actually, Leaseweb will have splitted the traffic on its main backbone cable, creating a copy of all the data, which was then directed to the police computer - telecom and internet companies really don't like outsiders to install equipment onto their actual networks.

Next, all the copied Leaseweb traffic, some 50 Gigabit per second for 4 to 10 million websites, went through the DPI machine. First the police filtered out all ICQ traffic, and then the ICQ traffic associated with the list of the 436 selected numbers. This went on for 3 months, so the warrant was apparently renewed a few times, as an approval for targeted interception is initially limited to a period of 4 weeks.

Update: On July 5, 2017, it was reported that in the brand new Equinix AM4 data center in Amsterdam (with over 120.000 servers, connected to 150 networks), there's a highly secure section which is used by the Dutch government - could that be intended for intercepting the servers that (foreign) companies are hosting there?

Leaseweb headquarters in Amsterdam
(click to enlarge)

Some questions

The description of the tapping operation by De Volkskrant raises some questions. Government filtering systems having access to all the internet traffic of a company is the way that (signals) intelligence agencies are conducting bulk collection, not the way that law enforcement is supposed to do targeted interception.

In western countries, the police is generally only allowed to tap communications associated with individually identified suspects or specific communication identifiers, like phone numbers and e-mail addresses. In the ZeuS case, it was probably argued that it was targeted interception because there were 436 specific identifiers: the ICQ numbers of known cyber criminals.

Foreign selectors

First, this case immediately reminds of the selector affair that came to light through the German parliamentary inquiry into the cooperation between NSA and BND. For years, NSA provided the Germans with millions of internet identifiers, which they entered into their satellite collection system, without being able to see to whom these identifiers belonged.

Could that have happened to the Dutch police too? Were they able to verify that each one of the 436 ICQ numbers was used by a cyber criminal, or did they just trusted the foreign authority that provided them?

For this kind of international cooperation, it's often inevitable that you have to trust your foreign partners, but then you should also try to make sure that the data collection is as careful and targeted as possible.

Dutch internet tapping

One way to assure that is through technical means. For telephone tapping this is relatively easy, because telephone switches have built-in tapping capabilities based upon international standards. For internet tapping this is different and external devices have to be used to pick out the communications of interest.

In the Netherlands, the interception of internet data uses the Transport of Intercepted IP Traffic (TIIT) protocol, which ensures that the police only gets the internet data associated with an IP or e-mail address for which there's a warrant (managed through the Warrant Management System, WMS).

Overview of the TIIT protocol for IP and e-mail interception
(click to enlarge)

First, an Internet Service Provider (ISP) copies all its traffic and leads the copy to a secured interception network on its own premises. There, a sniffer machine (S1) filters out the data that have to be intercepted, and encrypts these with a key that is associated with a particular warrant.

Then, these data go to the ISP collector machine (S2), which sets up a connection, through an encrypted tunnel over a regular internet link, to a government collector machine (T1), which receives the data from one or more S2 machines.

The T1 devices are managed by the central interception unit in Driebergen and from there, the intercepted data are distributed to computers (T2) at the tapping rooms (tapkamers, nowadays: BOB-kamers) of the police districts. There, they are stored and decrypted so the intercepted communications become available in plain text.

Intercepting hosting providers

With the TIIT protocol, the police doesn't get access to the copy of an ISP's entire traffic: it's the ISP that controls the sniffer machine that filters out the communications that belong to a particular suspect. But at Leaseweb it was apparently the police that controlled the sniffer (in the form of DPI equipment) where all the traffic passed through.

The most likely reason for this is that Leaseweb is a hosting provider and it's considered that such companies don't have to comply with the Dutch Telecommunications Law that says that public communication networks or services have to be interceptable. Therefore, hosting providers were not required to install the tapping facilities like the telephone and internet access companies have.

But the hosting companies can of course cooperate voluntarily when the police presents them a warrant. However, when the new Secret Services Act comes into force, such non-public communication providers do have to tolerate interception on behalf of AIVD and MIVD, but they don't need to have pre-installed tapping equipment.

This means that in both cases, even for targeted interception, the government will control the sniffer equipment for filtering up to a company's entire traffic - something that digital rights groups like the ACLU already consider to be unlawful "bulk surveillance."


Another question is how to make sure that the police doesn't misuse it's power when for example a hosting provider voluntarily provides access to their entire traffic. Maybe the police has internal protocols for that, but while interception conducted by the secret services is subject to independent oversight, police tapping is not.

It's considered that in criminal cases, a judge will eventually decide whether certain police methods are lawful or not, but in practice, judges often lack the necessary technical knowledge, while police and public prosecutors try to hide these sensitive techniques. It's not clear whether any suspect in the ZeuS case was tried before a Dutch court.

Untargeted interception

The ZeuS case shows that not only the networks of telecommunications and internet service providers can be useful to intercept, but also hosting providers like Leaseweb, especially when their servers are used by foreign companies to host their internet (communication) services - useful, not only for the police, but also for the secret services AIVD and MIVD.

Soon, both services can even go a step further, as the new Secret Services Act will also allow them to conduct untargeted cable interception. That means that they may not only filter out communications that are associated with already known identifiers, but also (temporarily) store all the metadata and a lot of content in order to search for data that belong to yet unknown targets.

In the public debate about the new law, there was a lot of speculation about how the new untargeted cable access will be implemented, but the interception at Leaseweb, as described by De Volkskrant, gives a very concrete example of what can be expected.

National watch center of the Royal Marechaussee in Driebergen
with a large dark gray Philips PNVX crypto telephone

The end of ZeuS

After collecting the messages associated with the 436 ICQ numbers and subsequently analysing them, it came out that one particular ICQ number acted as the leader of the cyber crime network. In one of the intercepted conversations this person even admitted to be the designer of the ZeuS malware.

The police gave him the codename "Umbro", but he himself used aliasses like Lucky12345, Monstr, Slavik, IOO, Pollingsoon, and Nu11. De Volkskrant story doesn't tell how the police found out the real identity of "Umbro" and it was only in 2014, under the international law enforcement Operation Tovar, that he was identified as Evgeniy Mikhailovich Bogachev, born October 28, 1983.

Already in 2013, investigators noticed that the ZeuS virus wasn't just used for stealing money anymore, but also for finding out very specific information about government officials of Russia's neighbours. Dutch police and the FBI became convinced that "Umbro" (Bogachev) had started working for Russian intelligence too.

To be or not to be arrested

The latter seems to be one of the reasons that, after the hack of the Democratic National Committee (DNC) in 2016, the US government put Bogachev on a list of sanctioned individuals. Besides that, his malware was also responsible for stealing over 100 million USD from American organizations. However, Bogachev is still at large, probably because he is useful for Russian intelligence operations.

For the Dutch police team there was another unpleasant surprise: Sergei Mikhailov, the FSB officer who had become such a familiar face for them, was suddenly arrested in December 2016 - according to Russian press reports because he and Kaspersky expert Ruslan Stojanov had leaked information to US intelligence.

Nobody knows whether this is true or where Mikhailov is now, but the cooperation between Dutch police and the Russian FSB continues.

In August 2017, Russian media reported that Sergei Mikhailov and his deputy Dmitry Dokuchaev were charged with treason after they were found to have helped the CIA catch two notorious Russian hackers: Roman Seleznev, who was arrested in 2014 on the Maldives, and Yevgeniy Nikulin, who was arrested in the Czech Republic in 2016.

Links and sources
- Moscow's cyber-defense How the Russian government plans to protect the country from the coming cyberwar (2017)
- Dutch police works together with Russia's FSB, despite political tensions (2017)
- Russen schakelden contactpersoon van Nederlandse cyberpolitie uit (2017)
- Inspectie V en J: Meldkamer Landelijke Eenheid Politie (.pdf) (2014)
- Ars Technica: Deep packet inspection meets ‘Net neutrality, CALEA (2007)
- Aftapbaarheid van telecommunicatie (.pdf) (2005)
- Geschiedenis AVD Driebergen (2002)

May 13, 2017

The equipment aboard an EP-3E electronic surveillance plane

Since the start of the Snowden-revelations in 2013, many people got the impression that the US National Security Agency (NSA) mainly intercepts the communications of ordinary citizens. In reality, the NSA is part of the Department of Defense and as such, a large part of its job is to collect data for tactical military purposes.

A good example of the latter task comes from an internal NSA damage assessment report about the 2001 Hainan Island incident, in which an EP-3E electronic surveillance aircraft collided with a Chinese fighter jet and had to make an emergency landing on the Chinese island of Hainan.

The report was among the Snowden-documents and published by The Intercept on April 10. As will be shown here, it provides many details about both the interception and the encryption equipment aboard the EP-3E aircraft.

A Lockheed EP-3E electronic surveillance aircraft from the US Navy
(photo: US Navy - click to enlarge)

Damage assessment

The purpose of the report was to review and assess the damage to cryptologic sources and methods and the response of the US SIGINT agencies to the crisis. The second was to review and assess emergency destruction of classified material and the emergency procedures.

In general, damage to Communications Security (COMSEC) systems, like cryptographic devices, keying material and encryption methodology, was considered low, mainly because cryptographic devices are designed in anticipation of being lost or compromised.

For Signals Intelligence (SIGINT), the equipment to intercept communications and other signals as well as the results of these efforts, there was an opposite approach: the assumption had been that sensitive SIGINT material would be protected at all time, or destroyed before it was lost or compromised.

Because emergency destruction techniques didn't kept pace with technology, especially where they often no longer reside in hardware, but in software. The Hainan incident revealed that existing destruction procedures were outdated and inadequate. Also, individual and crew training appeared to be deficient and lacked realism and context.

Nevertheless, damage in the realm of tactical SIGINT was assessed to be medium, which means that the damage was recoverable with concerted effort.

The damaged EP-3E after it had landed on the Hainan island
(click to enlarge)

The EP-3E aircraft

The EP-3E aircraft is a modified version of the Lockheed P-3 Orion, which is a four-engine turboprop aircraft developed for the US Navy and introduced in the 1960s. The Platform Integration division of the military contractor L-3 converted several P-3Cs into the EP-3E, which is also known as ARIES (Airborne Reconnaissance Integrated Electronic System). The Navy has 11 EP-3Es, the last of which was delivered in 1997.

The plane generally has a crew of 24, including linguists, cryptographers and technicians. The EP-3E that flew over the South China Sea carried an 18-member reconnaissance team from the Navy, Marines, and Air Force, in addition to a 6-member flight crew. The position of their workstations can be seen in this schematic from the damage assessment report:

(click to enlarge)

Other tactical SIGINT spy planes are the Boeing RC-135 COBRA BALL, COMBAT SENT or RIVET JOINT of the US Air Force, the De Havilland RC-7 Airborne Reconnaissance Low (ARL) of the US Army and the Beechcraft (R)C-12 Huron, which is used by the Army, the Navy, the Air Force and the Marine Corps.

Together with other flying spying platforms like drones and satellites, these planes contribute to what is called Overhead Collection. The NSA's other primary information channels are cable access, hacking operations, joint NSA-CIA units and foreign partnerships.

COMINT equipment

COMINT stands for Communications Intelligence, which is information derived from the interception of foreign communications, either between people or between machines. Together, COMINT and ELINT (see below) are called SIGINT.

The COMINT collection system onboard the EP-3E consisted of antiquated HF, VHF, and UHF receivers, a rudimentary signal distribution network, and narrowband cassette recorders. The COMINT collection system used the ALD-9 antenna and processor package. In addition to installed equipment, six carry-on computers were onboard.

The COMINT equipment was generally unclassified with the exception of two carry-on computers, a SCARAB computer containing the LUNCHBOX PROFORMA processor and a laptop containing MARTES analysis tools. All data on these two systems was considered compromised.

Although other planes in the military’s spy fleet had recently undergone a major surveillance equipment upgrade, the plane that ended up in Chinese hands was two weeks away from getting one, so the equipment was old and outdated and a lot of it didn’t work properly.

SCARAB computer

The SCARAB is a portable computer device that contained the LUNCHBOX processor, which uses software to process 40 worldwide PROFORMA signals, some teleprinter and pager signals, datalink signals for the HUNTER and PREDATOR drones, and the Joint Air to Surface Stand Off Missile (JASSM) datalink. Additionally, the SCARAB computer contained the XBIT Signals Analysis software for bit manipulation and BLACKMAGIC demodulation software.

The SCARAB computer containing the LUNCHBOX processor for PROFORMA data
(photo: EP-3E incident report - click to enlarge)

PROFORMA is the codename for digital command and control data communications that relay information and instructions to and from radar systems, weapon systems (like surface-to-air missiles, anti-aircraft artillery, fighter aircraft), and control centers.

Exploitation of this information provides US and allied warfighters nearly instantaneous situational awareness data from a target country's radar systems. This information supplements US sensor systems while providing insight into the target country’s decision process.

Several working aides aboard the EP-3E provided details about Russian-designed PROFORMA signals used by North Korea, Russia, Vietnam, and possibly China. This material detailed the association of signals to specific weapon systems. China was known to use two of the signals resident in the LUNCHBOX processor.

For the 2001 mission over the South China Sea, the Science and Technology (S&T) Operator aboard the EP-3E was tasked to collect and process PROFORMA signals possibly associated with Chinese SA-10 surface-to-air missiles and Chinese short-range air navigation.

MARTES laptop

Besides the SCARAB computer, there was also a Tadpole Ultrabook IIi laptop, which contained the MARTES software tools, the RASIN Manual, the RASIN Manual Working Aid and the Telegraphic Codes Manual.

RASIN stands for Radio Signals Notation and is the COMINT Signal Classification System for classifying and reporting a wide variety of signals with their associated parametrics and characteristics. Together, the RASIN manual and the aforementioned files provided a comprehensive overview of how US intelligence exploits an adversary’s signal environment.

The Tadpole Ultrabook IIi laptop with MARTES software tools
(photo: EP-3E incident report - click to enlarge)

MARTES is the name of a set of software tools for collecting, analyzing, and processing signals. A new version of MARTES is released approximately every six months, and it is generally divided into COMINT, FISINT and ELINT tools.

A portable, digital player/recorder used to collect the signals analyzed by MARTES contained a tape of 45 minutes of enciphered and unenciphered Chinese Navy communications. The unenciphered portions carried speech segments that identified Chinese communicants.

The compromise of the largely tactical COMINT documentation was rated medium. The most sensitive and damaging documentation contained detailed collection requirements against Chinese military datalink and microwave signals. The tasking data included frequencies, data rates, dish sizes, and target communicants.

Also compromised was the ability of the US to collect Chinese submarine signal transmissions and make subsequent vessel correlations. This compromise could prompt the Chinese to modify that particular signal.

ELINT equipment

ELINT stands for Electronic Intelligence and comprises the technical and intelligence information obtained from the intercept and analysis of noncommunication, electromagnetic radiations.

The ELINT systems onboard the EP-3E included a disparate collection of antennas, signal distribution networks, wideband and narrowband receivers, recorders, and processing and display equipment. The bulk of these systems were off-the-shelf devices that, although designed for the ELINT mission, contained no particularly sensitive technologies.

The system that were of a specific concern after the Hainan incident included the AN/ULQ-16 and the AN/ALQ-108. The AN/ULQ-16 is a computerized pulse processor used to make detailed timing measurements of radar signals. The AN/ALQ-108 is an enemy IFF (Identify Friend or Foe) interrogation system, which is used to actively and passively exploit early Soviet IFF and range extension signals.

Emergency destruction of the ELINT equipment during the Hainan incident was largely ineffective. The crew zeroized (deleted) all memories and erased all mission data, but the rugged construction of critical components and lack of destruction tools prevented adequate destruction.

Communications equipment

For internal communications, the EP-3E uses the the Digital Communications Management System (DCMS). All operational crew positions have access to the DCMS with headsets or through their helmets, with the exception of personnel in the galley and observers in the flight station. Communication paths between crew members are divided into various audio networks.

For communications with the outside world, there are numerous radios onboard, which connect to a variety of radio networks. Short-range communications are conducted using both plain voice and secure VHF and UHF radios. When the aircraft is on a mission for Sensitive Reconnaissance Operations (SRO), long-range communications with NSA and military operation centers are conducted via HF radio and over secure UHF satellite networks.

Radio/satellite transceivers

The EP-3E was equipped with the following radio transmitter/receivers (transceivers):

- Two AN/ARC-94 HF radios for long-range communication. One (HF-1) is configured for secure modem communications and is encrypted using a KG-84C encryption device. The other (HF-2) is configured for voice communications and can be encrypted using a KYV-5 encryption device.

- Three AN/ARC-206 radios for UHF line-of-sight communications. UHF-1 and UHF-2 are controlled by the Senior Evaluator (SEVAL) and are configured for voice communications. Both can be encrypted using KY-58 encryption devices. A third AN/ARC-206 radio is configured for line-of-sight datalink operations.

- Two AN/ARC-182 radios for VHF or UHF line-of-sight communications. Both are controlled from the flight station and are configured for voice communications. Both can be encrypted using KY-58 encryption devices. The control units for these radios have a switch setting allowing an easy and immediate change to emergency frequencies.

- One LST-5 satellite radio for secure UHF voice satellite communications. The radio can only be controlled locally at its location is in an avionics bay inside the aircraft cabin. It is encrypted using a KY-58 encryption device.

- The OL-390 Digital Communications Group and its associated UHF radio are used for secure satellite modem communications. The radio is controlled by the secure communications operator and is encrypted using a KG-84A encryption device. Because this radio shares distribution and antenna equipment with the LST-5, simultaneous transmission using both radios is not possible.

Encryption devices

For securing voice and data communications, the EP-3E had 16 encryption devices onboard, of the following types:

- The KY-58, which is used for voice and data encryption at 16 Kb/sec over AM/FM, VHF and UHF radio and satellite channels. The device can be used for data up to the classification level TOP SECRET. It accepts keys from the family of Common Fill Devices and also incorporates remote keying. The production of the KY-58, which is part of the VINSON family, was completed in 1993.

A KY-58 encryption device
(photo via - click to enlarge)

- The KG-84, which is used for data encryption at 64 Kb/sec over radio and satellite channels. The KG-84 can be used for communications up to the level of TOP SECRET, depending on the key-set that is loaded, and is fully complient with NSA TEMPEST standards. Like similar encryption devices, the KG-84 can be controlled either locally, or remotely (for example from the cockpit) through a Remote Control Unit (RCU).

KG-84C (left) and a KG-84A (right) encryption devices
(photo: EP-3E incident report - click to enlarge)

- The KYV-5, which is used for voice or data encryption over HF, VHF and UHF radio and satellite channels. The KYV-5 is a relatively small communications security module which is attached to a larger CV-3591 converter, together forming a TACTERM unit. The device is part of the Advanced Narrowband Digital Voice Terminal (ANDVT) family.

A KYV-5 encryption device attached to a CV-3591 converter
(photo via - click to enlarge)

The damage assessment report isn't clear about whether the Chinese removed these encryption devices from the plane before giving it back to the US. The particular equipment had previously been compromised, though not directly to China, and the report also mentions that components of for example the KG-84 had also been available through sites like eBay.

Cryptographic materials

Beside the KY-58, KG-84 and KYV-5 encryption devices, the EP-3E also carries KYK-13 and KOI-18 electronic fill devices, a KL-43 off-line encryption device, and a Global Positioning System (GPS) unit.

The EP-3E that landed on the Hainan island also carried keying and other cryptographic materials for its various secure devices, including Top Secret keying material in canisters, entire codebooks, and call sign lists. In all, this was much more than what was needed for the mission: nearly a month's worth of keying material and codebook pages that were not scheduled to become effective until well after the scheduled landing.

Instead, the use of an electronic key loading device such as the CYZ-10 Data Transfer Device (DTD) could have eliminated the risk of hardcopy keying material compromise. These devices can hold multiple keys, load multiple devices, and are easily zeroized.

During the Hainan incident, most cryptographic keys and codebooks had been jettisoned by the plane's crew, but the remaining material was considered compromised. However, all the encryption keys (except for the worldwide GPS key) were replaced by new ones within 15 hours of the EP-3E's emergency landing.

A COMSEC Material System (CMS) box containing cryptographic keying material
(photo: EP-3E incident report)

Radio networks

The radio equipment onboard the EP-3E conntected to the following networks:

- The Global High Frequency System (GHFS), which is a worldwide network of highpower HF stations that provides air/ground HF command and control radio communications between ground agencies and US military aircraft. The GHFS network supports Sensitive Reconnaissance Operations aircraft by passing encoded advisory conditions (NICKELBACK), position reports and administrative traffic. As of October 1, 2002, the network was renamed into High Frequency Global Communications System (HFGCS).

- The Pacific Tributary Network (PTN), which is a UHF secure voice satellite network that provides COMINT advisory support and threat warning to deployed US and allied forces. Network participants include the Pacific Reconnaissance Operations Center (PACROC), which provides coordination and flight following to SRO aircraft, the NSA's Kunia Regional SIGINT Operations Center (KRSOC) on Hawaii and the National Security Operations Center (NSOC) at Fort Meade.

- The SENSOR PACER network, which is a UHF secure low data-rate digital satellite network that provides time-sensitive SIGINT reporting, COMINT advisory support, threat warning, and administrative traffic support to Sensitive Reconnaissance Operations platforms worldwide. Network participants include KRSOC and the Tactical SIGINT Interaction Center at Kadena AB, Okinawa (TSIC-K).

- The SIERRA ONE Early Warning network, which is a UHF secure voice satellite network utilized by 5th and 7th Fleet Orion P-3's and EP-3E's for tactical reporting and coordination. Network participants include all PACOM Tactical Support Centers (TSC) and CTF 57/72, Kami Seya, Japan.

April 10, 2017

Mysterious devices in Trump's pop-up situation room

Last Thursday, April 6, the United States conducted airstrikes against Syria and president Trump received a briefing on this attack at his Mar-a-Lago estate in West Palm Beach, Florida. The next day, his press secretary Sean Spicer tweeted a photo of this briefing, which shows some hitherto unseen and futuristic looking devices:

Trump and his team of policy makers at Mar-a-Lago. April 6, 2017
(White House photo - click to enlarge)

In the photo we see some kind of small guest or spare room with a rather narrow table and cheap chairs of the type that can be rented for events. At the far right side there seem to be dark curtains, indicating there may be windows.

As was pointed out by Sean Spicer, the photo was redacted for security reasons: the content of the documents was erased. CNN provided a version of this photo showing who all the persons in the room are:

(click to enlarge)

Not present in the room were vice president Mike Pence, secretary of defense James Mattis and chairman of the Joint Chiefs of Staff, general Joseph Dunford, but they participated from Washington DC via secure video teleconference, according to Spicer.

The photo clearly is an imitation of the famous picture showing former president Barack Obama with his national security team monitoring the killing of Osama bin Laden in the White House Situation Room in May 2011. The Trump picture is even shot from the same angle as the Obama one:

President Obama and his national security team watching the killing of
Osama bin Laden in the White House Situation Room. May 1, 2011.
(White House photo by Pete Souza - click to enlarge)

Video teleconferencing

The big screen seen on the left side of the Mar-a-Lago photo can be identified as the Cisco TelePresence System EX90 with high-definition video screen, modified for TEMPEST protection by CIS Secure Computing. The system includes a smaller touchscreen device which is used to control the video teleconference calls.

Mysterious devices

Much more intriguing are the white devices with some kind of black screen or speaker, two by two connected to a larger central device by two cables each. Only for president Trump there's a different device in silver grey, probably with a display folded up:

On the internet, there was speculation about the purpose of the mysterious devices. Some suggested that it could be small displays or microphone/speakers, but that seems less likely. Displays of that size would hardly add any useful functions and for such a small group there's no need for microphones and/or speakers in front of every participant: nowadays one single conference phone unit is sufficient for much larger conference tables (and the large Cisco EX90 screen has built-in microphones too).

In a thread on Reddit, someone said that the "hardened EX90 doesnt really have good microphone pickups, so we have to run a few external microphones thru the 1/8 mini microphone jack. Now they went a little crazy with the mic's but prolly went overboard because didnt want anyone complaining about not being heard. What you see is a Mini XLR cable and Sheilded POE cable that goes from each base station to the next."
However, another thread on Reddit is somewhat more in favor of jammer devices (see below).

There's also no reason why there should be such a series of devices when it comes to encryption: both video and audio from the standard Cisco equipment can easily be encrypted by a single network encryptor, like from General Dynamics's TACLANE series. In this way, the Defense Information Systems Agency (DISA) provides secure video teleconferencing over its Secret (SIPRNet) and Top Secret/SCI (JWICS) networks.

Voice masking?

Another option for the black-and-white boxes is that they may not be used for picking up audio, but for masking it. With a technique called voice, speech or sound masking, a special device generates noise, preferably according to an algorithm that is adjusted to human speech. This noise is distributed through a number of emitters in order to mask the voices of people who are for example engaged in confidential conversations.

Such a purpose could explain the modular set-up of the mysterious devices in the Mar-a-Lago room: the larger ones in the middle of the table could then be for producing a standard voice masking noise, while the small ones may even be capable of adjusting the noise to the voice of that particular person.

(click to play)

Several companies sell voice masking systems, but on their websites there aren't devices similar to those in Trump's room. So there's no proof that they are for voice masking, but maybe readers of this weblog can provide more information.

Interesting is that one seller claims that their equipment uses the M2 algorithm, which is especially for US and NATO contractor companies, and US and Five Eyes(!) governments can contact the company for "further voice masking options."

In the 2015 Technical Specifications for SCIF Construction (pdf) it is said that in case the normal construction of a room doesn't provide the necessary acoustic protection, "sound masking devices, in conjunction with an amplifier and speakers or transducers" can be used in order to prevent classified discussions from being overheard by unauthorized persons.

Figures showing that the spectrum of SpeechMask is adjusted to
the actual qualities of human speech than broadband noise is.
(graphic: - click to enlarge)

A Mar-a-Lago SCIF?

This brings us to the security of the room in which the meeting took place. According to Trump's press secretary, the photo shows a SCIF, which stands for Sensitive Compartmented Information Facility - a room, a suite of rooms or a whole building that is protected in such a way that classified Sensitive Compartmented Information (SCI) can be stored, processed, viewed and/or discussed without being intercepted from the outside.

People were wondering whether the Mar-a-Lago residence actually had such a SCIF, especially after Trump and his advisors held an "open-air situation room" meeting on the terrace of the resort, in front of club members and waiters, when North Korea fired a missile in February.

It seems that with the photo from Thursday, press secretary Spicer wants to show that for sensitive government business Mar-a-Lago does have a SCIF. But this isn't very convincing. Everything seems hastily arranged for this occasion, given the rather uncomfortable chairs and the odd sign taped onto the door, which says "QUIET AREA" - not clear whether that applies to the room we see or the room behind the door:

And if the mysterious white devices are indeed for voice masking, that would also indicate that the room isn't fully qualified as a permanent SCIF - else there would be no need for installing such equipment. At best, this room is a (temporary) Secure Working Area (SWA), which is an accredited facility "used for discussing, handling, and/or processing SCI, but where SCI will not be stored."

With Donald Trump having spent already 8 of the 11 weekends of his presidency at Mar-a-Lago, it's strange that there's apparently still no proper SCIF with solid walls and without windows, and just one door with a high-security lock - shouldn't be too difficult to construct for the real estate businessman like Trump was.

By contrast, president George W. Bush had a special building on his ranch in Crawford, Texas that was used as a SCIF, modeled like a conference room in the White House Situation Room, with comfortable chairs and all the necessary communications equipment for secure and non-secure phone calls as well as for video teleconferencing:

George W. Bush in the SCIF on his ranch in Texas. December 29, 2004.
(White House photo)

On the same day as the airstrike against Syria, president Trump also received the Chinese president Xi Jinping at Mar-a-Lago, which at least led to visitors of the club being warned not to use cell phones when the president was near. Also there were plenty of secret service agents around, according to local news reports.

Mar-a-Lago isn't just Trump's private vacation residence, but also a club resort that is open to paying members and ticketed guests, staffed by workers without the same security clearances as White House staff, which makes the place vulnerable to infiltration and/or eavesdropping by foreign intelligence.

- NBC News: What Is a SCIF and Who Uses It?
- BBC: Decoding the Trump 'war room' photograph
- Quartz: Trump created a makeshift Situation Room at Mar-a-Lago for a briefing on the Syria bombing
- Motherboard: What the Heck Are These Electronic Devices in Trump's Situation Room?
- National Counterintelligence and Security Center: Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities (pdf)