lotus888

Echelon Communication's DATA Snowden SIGINT SIGAD NSA TOOLS

Nov 23rd, 2018
Echelon could become a cyber secret police, eroding individuals' right to privacy. The MEPs have warned the government that Britain could be in breach of the European Convention on Human Rights because of its participation in Echelon. As National Security Agency expert James Bamford explains in his book Body of Secrets: "The real issue is whether Echelon is doing away with individual privacy, a basic human right." The MEPs' report concludes that the worldwide spy network does exist, but provides no firm evidence that the Echelon system has been used for commercial espionage. The Snowden documents also revealed an overwhelming number of NSA codewords, internal organizational designators and the SIGADs which denote collection facilities, for which separate lists were compiled in order to keep track of them; they are still the most complete ones available.

After all the system upgrades, trying to get a connection should not be a problem anymore. Real-time monitoring of military or intelligence operations may be a different matter, but the White House was eager to show that it was at least capable of doing so during the moments when US Navy SEALs killed Osama bin Laden on May 1, 2011.

- NSANet for messages classified up to Top Secret/SCI (Five Eyes signals intelligence). On this network the address format for e-mail is XXX@nsa
- JWICS for messages classified up to Top Secret/SCI (US intelligence). The address format is XXX@nsa.ic.gov
- SIPRNET for messages classified up to Secret (mainly US military). The address format is XXX@nsa.smil.mil
- UNCL for unclassified messages, likely through NIPRNet. The address format is XXX@nsa.gov

From an e-mail that was declassified earlier we know that in April 2013 Snowden used the address "ejsnowd@nsa.ic.gov", which is the format for the JWICS network, but was apparently used on NSANet. Besides e-mail addresses, many messages also have phone numbers in the signature blocks. They show numbers for one or more of the telephone systems used at the NSA:

- NSTS, which stands for National Secure Telephone System and is NSA's internal telephone network for secure calls. Numbers for this network have the format 969-8765 and are often marked with "(s)" for "secure"
- STE, which stands for Secure Terminal Equipment, being a telephone device capable of encrypting phone calls on its own. Telephone numbers can be written in the format (301) 234-5678 or as STE 9876.
- BLACK, CMCL or Commercial, which are numbers for non-secure telephones that may also access the public telephone network. They have the regular format (301) 234-5678 and are often marked with "(b)" for "black" (as opposed to "red") or with "(u)" for unclassified.

702 FAA collection
The Snowden revelations have shown that under the legal authority of section 702 FAA, NSA conducts two types of data collection:
- Upstream collection, for both internet and telephone communications, which are filtered out based upon specific selectors at major telephone and internet backbone switches. This takes place under the collection programs FAIRVIEW and STORMBREW.
- Downstream collection, only for internet (including internet telephony) communications, based upon specific selectors, which are acquired from at least 9 major American internet companies. This takes place under the collection program PRISM.


Data from FAA collection are usually stored in separate database partitions and are protected by the Exceptionally Controlled Information (ECI) compartment RAGTIME (RGT). Only analysts who are cleared for RAGTIME, have the specific need-to-know and who are authorized by the data owner have access to these data.

Already a few months before the start of the Snowden revelations, a book revealed that RAGTIME has 4 components:
- RAGTIME-A: foreign-to-foreign counterterrorism (CT) data
- RAGTIME-B: data from foreign governments (FG) transiting the US
- RAGTIME-C: data related to counterproliferation (CP) activities
- RAGTIME-P: domestic bulk collection of internet metadata
Note that the first three components correspond to the first three FISA Court certifications that authorize section 702 FAA collection.


TIKICUBE
This appears to be a unit of the Investigations Division Q3. Whether this might be a special unit investigating the Snowden leak isn't clear though. The abbreviations behind the investigator's name are CFE for Certified Fraud Examiner and CISSP for Certified Information Systems Security Professional. We also see that this investigations division is not located at the NSA headquarters complex at Fort Meade, but at FANX. This stands for Friendship Annex, a complex of NSA office buildings in Linthicum, near Baltimore, some 12 km or 7.5 miles north-east of Fort Meade. The famous blue-black glass headquarters buildings are OPS 2A and OPS 2B, while the SIGINT division is apparently in the flat 3-story building from the late 1950s, designated OPS 1.

Markings with the mysterious undisclosed COMINT compartments weren't found on any of the Snowden documents, but only on those that were declassified by the government, so it seems that Snowden had no access to information protected by these particular compartments. Snowden has also said that he doesn't want to harm the US nor to strain bilateral relations with other countries. But as the opposite has happened, it seems that some of the journalists to whom he gave his documents are not always publishing them according to his intentions.


TOP SECRET//STLW//SI//ORCON/NOFORN
Elsewhere the compartment is written out as "COMINT-STELLAR WIND", which according to the official formatting rules would mean that STELLARWIND is part of the COMINT control system. In the marking above, however, STELLARWIND (STLW) is not treated as an ordinary SCI control system (then there would have been only a single slash between STLW and SI, the marking for COMINT), but as a category of its own, or as one belonging to a category not mentioned in the publicly available government classification marking guides.
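The slash rules the paragraph relies on can be checked mechanically. The parser below is an added example written for this page, not code from the original site or from any government tool. It implements a simplified subset of the banner syntax (segments separated by "//", separate control systems or dissemination controls inside a segment by "/", a compartment within a control system by "-"); the small sets of known SCI control systems and dissemination controls are assumptions for illustration, as are the sample banners.

```python
"""Parse a classification banner line into its marking categories.

Added example, not from the original page. Simplified banner syntax:
segments are separated by "//", separate control systems or dissemination
controls inside a segment by "/", and a compartment within a control system
by "-". The known-name sets below are deliberately small and are assumptions.
"""

CLASSIFICATIONS = {"TOP SECRET", "SECRET", "CONFIDENTIAL", "UNCLASSIFIED"}
SCI_SYSTEMS = {"SI", "TK", "HCS", "G"}                    # assumed subset
DISSEM = {"NOFORN", "ORCON", "IMCON", "PROPIN", "FOUO"}    # assumed subset


def parse_banner(banner):
    """Return the classification, the SCI control systems with their
    compartments, the dissemination controls, and every segment that does
    not fit a known category (the STLW case from the text)."""
    segments = [s.strip() for s in banner.strip().split("//")]
    if not segments or segments[0].upper() not in CLASSIFICATIONS:
        raise ValueError("banner must start with a classification level")
    result = {
        "classification": segments[0].upper(),
        "sci": {},            # control system -> list of compartments
        "dissemination": [],
        "unrecognized": [],   # segments outside the known categories
    }
    for seg in segments[1:]:
        tokens = [t.strip().upper() for t in seg.split("/") if t.strip()]
        # "SI-STLW" is one control system with one compartment; "SI/TK" is two systems.
        systems = [t.split("-") for t in tokens]
        if all(s[0] in SCI_SYSTEMS for s in systems):
            for sys_name, *compartments in systems:
                result["sci"].setdefault(sys_name, []).extend(compartments)
        elif all(t in DISSEM for t in tokens):
            result["dissemination"].extend(tokens)
        else:
            result["unrecognized"].append(seg.upper())
    return result


if __name__ == "__main__":
    # Constructed banners: the compartment form and the stand-alone form.
    print(parse_banner("TOP SECRET//SI-STLW//ORCON/NOFORN"))
    print(parse_banner("TOP SECRET//STLW//SI//ORCON/NOFORN"))
```

Run on the two constructed banners, the first yields STLW as a compartment of SI, while the second puts STLW in its own segment that matches neither the SCI nor the dissemination category, which is exactly the anomaly the paragraph describes.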


Joint Executive for SIGINT Interoperability (JESI)
In 1998, the agencies of the Five Eyes group established the Joint Executive for SIGINT Interoperability (JESI, pronounced as "jessy"). In the newsletter from August 25, 2003, JESI is described as a "multi-national executive body responsible for ensuring continued interaction and interoperability among the five SIGINT partners". JESI doesn't have its own staff; it's just a collaboration platform.

Officials from the Five Eyes agencies also meet at an annual JESI conference. In July 2003 this meeting was held in the Australian capital Canberra and was focused on the mission objectives of the partner agencies and how they relate to the 5-EYES SIGINT Partnership Business Vision, which was published earlier that year. They addressed the following topics:

- Mission collaboration and knowledge sharing
- Enabling SIGINT operations through information assurance
- Exchange of finished intelligence
- Maintaining business continuity

JESI also initiated the creation of several protected websites to allow employees of the Second Party agencies to securely share data within specific communities of interest.


Secure communications: IWS
A collaboration tool called InfoWorkSpace (IWS) was created to exchange information between NSA, the US military and partner countries during Operation Enduring Freedom in Afghanistan. IWS is a software tool that provides chat communications as well as audio and video conferencing, file sharing, virtual whiteboards, and shared desktop views through desktop computers connected to a secure network. As Five Eyes collaboration is about signals intelligence, IWS most likely ran, and may still run, on NSANet.

According to a SIDtoday newsletter from September 10, 2003, IWS was already used by over 4000 NSA employees and their Second Party counterparts at the working level. They collaborated on topics like Operation Enduring Freedom, international terrorism, real-time collection coordination, SIGINT development and multi-intelligence tasking. This successful use of IWS led JESI to decide that the system should also be used at leadership level. As of 2003, the SIGINT directors of the Five Eyes partners would use IWS to enhance their collaboration on subjects ranging from current intelligence objectives to future collection planning. They would get access to one of the IWS servers managed by NSA, codenamed VOTEDOOR.



SUSLAG Liaison Office
After taking over the Bad Aibling satellite station, BND seems to have moved the control facility to the nearby Mangfall Barracks, which were taken over from the German armed forces (Bundeswehr) in 2002. For the Special US Liaison Activity Germany (SUSLAG), which is the liaison office of NSA for Germany, a new highly secure container building was built on the Mangfall Barracks premises in 2003 (nicknamed "tin can" or Blechdose).

According to the commissioner's report, the SUSLAG building and the building with BND servers and equipment are connected through a 100 Mbit/s fiber optic cable. SUSLAG also has a technical data link to the NSA's primary communications hub in Europe, the European Technical Center (ETC) in the Mainz-Kastel district of the city of Wiesbaden.

Cooperation between the US and Germany in the Joint SIGINT Activity (JSA, 2004-2012) took place inside the BND building, for which NSA personnel had access permissions. After the JSA was terminated, SUSLAG personnel kept their entrance rights for the BND building, but it has separate rooms for highly sensitive information to which none of the Americans have access.

A letter from BND from October 15, 2015 says that at that moment, 10 people from NSA worked at SUSLAG, with the following access rights:
- 2 have access to building 7 (SUSLAG) only
- 4 have access to building 7 and building 4 (Administration)
- 4 have access to building 7 and building 8 (BND)

The SUSLAG building is only used by NSA personnel and BND claims that the data protection commissioner has no jurisdiction over the SUSLAG, but she disputes that and says the SUSLAG building is simply part of the BND complex. She also regrets that SUSLAG doesn't recognize her oversight authority.


Close Access operations
MIVD director Eichelsheim revealed that the GRU officers planned a "close access" operation. Such an operation can range from simply setting up a microphone to listen in on what is said in a nearby building, to the highly sophisticated collection of unintentional emanations from computer equipment by exploiting so-called TEMPEST vulnerabilities.
In this case it was an effort to gain access to the internal Wi-Fi network of the OPCW headquarters building by using an interception system hidden in a car at a nearby parking lot. It was described as high-end equipment capable of hacking Wi-Fi connections from a distance, identifying the users and intercepting their login credentials, very similar to an IMSI-catcher (also known as a Stingray).


Special Collection Service (SCS)
SCS teams operate covertly from inside US diplomatic facilities around the world and consist of specialized officers from both CIA (for getting physical or HUMINT access) and NSA (for the SIGINT interception equipment).

The US Department of Justice issued an indictment in which 12 Russian intelligence officials (mostly from the GRU) were identified and accused of hacking the Democratic National Committee (DNC) and the Clinton presidential campaign and subsequently releasing the stolen files using platforms like DC Leaks, Wikileaks and Guccifer 2.0.


The Treaty Room is on the second floor of the main building of the White House, the residential mansion, which includes both the ceremonial rooms and the private quarters of the president. The room is named after the peace treaty between the United States and Spain, which was signed here on August 12, 1898, ending the Spanish-American War.
On the large table in the Treaty Room there are the following three telephone sets:
- A Cisco 8851 IP phone (with a box on the back) for non-secure calls
- A Cisco 8851 IP phone for secure calls
- An IST-2 red phone


The red phone is an Integrated Services Telephone version 2 or IST-2, a device that was designed by Raytheon and subsequently manufactured by Telecore, Inc. This IST is a so-called "red phone", which means that it's connected to the Defense Red Switch Network (DRSN). This is the main secure telephone network for military command and control communications and connects all major US command centers and many other military facilities. A special feature of the IST-2 is that one can make both secure and non-secure calls through this one single device. The phone itself has no encryption capability: any secure calls are encrypted in bulk before leaving the secure building, enclave or compound. As part of a military telephone network, the IST-2 also has the distinctive 4 red buttons which are used to select the four levels of a system called Multilevel Precedence and Preemption (MLPP). This allows calls to be given precedence over ones with a lower priority.
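What "precedence over ones with a lower priority" means on a trunk with a limited number of circuits is easiest to see in a small simulation. The following is an added example, not code from the page or from any IST-2 or DRSN implementation. It assumes the five MLPP precedence levels of the standard (ROUTINE plus the four elevated levels that the red buttons select); the trunk size and the call records are constructed for illustration.

```python
"""Multilevel Precedence and Preemption (MLPP) on a trunk with a fixed
number of circuits. Added example, not from the original page. The five
levels follow the MLPP standard (ROUTINE is the default, the four elevated
levels are the ones selected with the red buttons); the trunk size and the
call identifiers are constructed.
"""

PRECEDENCE = {"ROUTINE": 0, "PRIORITY": 1, "IMMEDIATE": 2,
              "FLASH": 3, "FLASH OVERRIDE": 4}


class Trunk:
    def __init__(self, circuits):
        self.circuits = circuits      # simultaneous calls the trunk can carry
        self.active = []              # list of (call_id, precedence level)
        self.preempted = []           # call_ids dropped to make room

    def place_call(self, call_id, precedence):
        """Admit the call if a circuit is free. Otherwise preempt the
        lowest-precedence active call, but only if it ranks strictly lower
        than the new call; equal precedence is never preempted.
        Returns True if the call was connected."""
        level = PRECEDENCE[precedence]
        if len(self.active) < self.circuits:
            self.active.append((call_id, level))
            return True
        victim = min(self.active, key=lambda c: c[1])   # oldest lowest-level call
        if victim[1] >= level:
            return False            # all circuits busy with equal or higher precedence
        self.active.remove(victim)
        self.preempted.append(victim[0])
        self.active.append((call_id, level))
        return True

    def end_call(self, call_id):
        self.active = [c for c in self.active if c[0] != call_id]


if __name__ == "__main__":
    t = Trunk(circuits=2)
    for call, prec in [("A", "ROUTINE"), ("B", "ROUTINE"),
                       ("C", "PRIORITY"), ("D", "FLASH"), ("E", "IMMEDIATE")]:
        print(call, prec, "connected" if t.place_call(call, prec) else "blocked")
    print("preempted:", t.preempted)
```

On a two-circuit trunk the two ROUTINE calls are connected first; PRIORITY then preempts one of them, FLASH the other, and IMMEDIATE preempts the PRIORITY call, while a second PRIORITY call is blocked because nothing on the trunk ranks below it.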



Secure telephones
On both sides of the video teleconference screen, there are telephone sets which can be recognized as common Cisco 7975 unified IP phones, modified by the communications security company CIS Secure Computing. Most visible is that instead of the standard silver bezel or faceplate, these phones have a bright yellow one, which is the color code for the highest classification level: Top Secret/SCI.


Secure teletype
An ETCRRM II encryption machine, as was used for the Hot Line from 1963 to 1980. In March 1969, US president Nixon offered chancellor Kiesinger to set up a secure teletype link between the White House and Palais Schaumburg. Were they again unaware of the earlier hotline, or was an encrypted link considered more secure? In those days it was much easier to encrypt teletype messages than a telephone channel. We don't know whether this secure link was actually established and what equipment was used, but if so, it probably consisted of the same devices used for the hotline between Washington and Moscow: a standard teleprinter made by Teletype Corp., with the encryption being performed by an Electronic Teleprinter Cryptographic Regenerative Repeater Mixer II (ETCRRM II).

STU-I telephone
The secure teletype hotline was replaced by a secure telephone link, probably by the end of the 1970s, after the German chancellor had moved his office to the newly built Federal Chancellery in 1976.

DPI filtering
To acquire these ICQ communications, the police had decided to intercept all ICQ traffic from Russia that went through the Leaseweb servers. For that purpose they bought equipment for deep-packet inspection (DPI) worth 600,000 euro.

DPI devices are able to examine the packets that make up internet traffic and filter them according to predefined criteria, usually to prevent viruses and spam, but in this case for intercepting communications.

High-end DPI equipment, from manufacturers like Narus (now part of Symantec) and Verint, can also recreate ("sessionize") the communication sessions in order to filter complete files and messages out, which is also one of the main features of NSA's XKEYSCORE system.
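The difference between per-packet filtering and sessionizing is that a selector split across two packets is only found once the stream has been reassembled. The code below is an added example written for this page, not code from the original site, from Narus, Verint or XKEYSCORE. It models TCP segments as plain records, rebuilds each directional flow in sequence order (deduplicating retransmissions and counting gaps rather than hiding them), and then matches selectors against the reassembled stream. The packet records and the "FROM=... MSG=..." message format are constructed; real ICQ (OSCAR) framing is not modelled.

```python
"""Sessionize captured TCP segments and match selectors on the reassembled
stream instead of on single packets. Added example, not from the original
page; the segment records and the message format are constructed.
"""
from collections import defaultdict


def reassemble(segments):
    """Group segments by directional flow (src, sport, dst, dport) and
    rebuild the byte stream in sequence order. Full retransmissions are
    dropped, overlapping prefixes trimmed, and holes counted as gaps."""
    flows = defaultdict(list)
    for seg in segments:
        flows[(seg["src"], seg["sport"], seg["dst"], seg["dport"])].append(seg)
    streams = {}
    for key, segs in flows.items():
        segs.sort(key=lambda s: s["seq"])
        data, expected, gaps = b"", segs[0]["seq"], 0
        for s in segs:
            end = s["seq"] + len(s["payload"])
            if end <= expected:
                continue                    # retransmission, already have these bytes
            if s["seq"] > expected:
                gaps += 1                   # missing segment: record the hole
                expected = s["seq"]
            data += s["payload"][expected - s["seq"]:]   # drop overlapping prefix
            expected = end
        streams[key] = {"data": data, "gaps": gaps}
    return streams


def match_selectors(streams, selectors):
    """Return {flow: [matched selectors]} for flows whose reassembled
    stream contains any selector."""
    hits = {}
    for key, stream in streams.items():
        found = [sel for sel in selectors if sel.encode() in stream["data"]]
        if found:
            hits[key] = found
    return hits


# Constructed capture: the user identifier "12345678" straddles two segments,
# the first segment is retransmitted, and a second flow is unrelated.
FLOW_A = {"src": "10.0.0.5", "sport": 40001, "dst": "203.0.113.7", "dport": 5190}
FLOW_B = {"src": "10.0.0.9", "sport": 40002, "dst": "203.0.113.7", "dport": 5190}
SAMPLE_SEGMENTS = [
    dict(FLOW_A, seq=1000, payload=b"FROM=1234"),
    dict(FLOW_A, seq=1009, payload=b"5678 MSG=hello"),
    dict(FLOW_A, seq=1000, payload=b"FROM=1234"),            # retransmission
    dict(FLOW_B, seq=500, payload=b"FROM=99999999 MSG=unrelated"),
]


def demo():
    """Sessionize the constructed capture and look for one selector."""
    return match_selectors(reassemble(SAMPLE_SEGMENTS), ["12345678"])


if __name__ == "__main__":
    print(demo())
```

A per-packet match on "12345678" would miss the first flow entirely, since neither packet contains the whole string; the session-level match finds it.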

The President's Surveillance Program (PSP) was authorized in secret by president George W. Bush right after the 9/11 attacks. Its purpose was not to spy on random Americans, but to find connections between foreign terrorists and conspirators inside the US. In May 2006, this bulk collection was brought from the president's authority under that of the FISA Court, based upon a very extensive interpretation of Section 215 of the USA PATRIOT Act. Internally, NSA refers to this kind of collection as BR FISA, with BR for Business Records.

Under Section 215, NSA collected domestic phone records from the three biggest American telecommunication companies: AT&T, Verizon and Sprint. According to government officials, the data provided by these companies consisted mostly of landline phone records, which meant that NSA actually got less than 30% of the total amount of US telephone metadata.

However, as of August 29, 2011, AT&T started to provide cell phone metadata too: ca. 1.1 billion records a day, which would make over 30 billion records each month. Before these records were handed over to NSA, AT&T stripped off the location data, to comply with the FISA Court orders, which don't allow the collection of location data. Verizon was apparently not able or not willing to strip the location metadata, so their cell phone records could not be acquired by NSA.


From various declassified documents analysed in an article on the weblog EmptyWheel, it becomes clear that there are three different kinds of queries that NSA analysts conducted on the domestic phone records database:
1. Queries for data integrity purposes
2. Queries for "Ident lookups"
3. Queries for contact chaining

In the EmptyWheel article it's assumed that besides these queries, NSA also conducted some kind of pattern analysis: in many declassified documents a redaction appears right after the term "contact chaining", which according to EmptyWheel could hide something like "pattern analysis".

BR FISA data were stored in two NSA repositories, although both names had been redacted. An NSA review from June 2009 describes the second database as a "repository for individual BR FISA metadata call records for access by authorized Homeland Security Analysis Center (HSAC) and data integrity analysts to view detailed information about specific telephony calling events".

This seems to refer to the complete calling records, and the PCLOB report (.pdf) about the BR FISA program also says there's analysis software that "provides the associated information about the telephone calls involved, such as their date, time of day, and duration". The second database gave access to these additional details, whereas MAINWAY only contains or provides "summaries of one-hop chains", i.e. selector #1 was in contact with selector #2 and the number of times this happened within a specific timeframe. In the glossary of the 2009 NSA Review, the second repository is listed with a remarkably long name, which, according to its position, has to start with an M, N or O.
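The split between a detailed call-record store and a chaining store that only keeps one-hop summaries can be illustrated with a few lines of code. This is an added example written for this page, not code from the original site and not a description of MAINWAY's actual implementation. It derives the "selector #1 was in contact with selector #2, N times within the timeframe" summaries from full records and runs a hop-limited contact chain over them; the call records and their field layout are constructed.

```python
"""One-hop summaries and hop-limited contact chaining over telephony
metadata. Added example, not from the original page; the records and the
(caller, callee, start time, duration) layout are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed records: caller, callee, ISO start time, duration in seconds.
CALL_RECORDS = [
    ("+15551000001", "+15551000002", "2013-04-01T10:00:00", 120),
    ("+15551000001", "+15551000002", "2013-04-02T11:30:00", 30),
    ("+15551000002", "+15551000003", "2013-04-03T09:15:00", 600),
    ("+15551000003", "+15551000004", "2013-04-04T14:00:00", 45),
    ("+15551000004", "+15551000005", "2013-04-05T16:20:00", 10),
    ("+15551000001", "+15551000006", "2012-12-31T23:59:00", 5),   # outside window
]


def one_hop_summaries(records, start, end):
    """Collapse full call records into undirected (a, b) -> count pairs for
    calls started inside [start, end]. Times and durations are dropped:
    this is all a chaining store needs, the detail store keeps the rest."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    counts = defaultdict(int)
    for a, b, ts, _duration in records:
        if lo <= datetime.fromisoformat(ts) <= hi:
            counts[tuple(sorted((a, b)))] += 1
    return dict(counts)


def contact_chain(summaries, seed, hops):
    """Breadth-first chaining from a seed selector, limited to `hops` hops.
    Returns {selector: distance from seed} for every selector reached."""
    neighbours = defaultdict(set)
    for a, b in summaries:
        neighbours[a].add(b)
        neighbours[b].add(a)
    reached = {seed: 0}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        if reached[cur] == hops:
            continue                      # hop limit reached on this branch
        for nxt in neighbours[cur]:
            if nxt not in reached:
                reached[nxt] = reached[cur] + 1
                queue.append(nxt)
    return reached


if __name__ == "__main__":
    summaries = one_hop_summaries(CALL_RECORDS, "2013-01-01T00:00:00", "2013-12-31T23:59:59")
    print(summaries)
    print(contact_chain(summaries, "+15551000001", hops=2))
```

With the constructed records, a two-hop query from the first selector reaches the second and third numbers only; raising the limit to three also pulls in the fourth, which shows why the hop limit, not the query itself, bounds how much of the graph an analyst sees.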

Transaction is another term that NSA uses for metadata, so "transaction database" probably just means that it contains the (full) metadata records. The 2012 Inspector General report lists three additional storage systems for BR FISA data, making a total of five being involved here:
1. Contact chaining database that accepts metadata from multiple sources (= MAINWAY)
2. Database repository that stores detailed metadata information, which supports the contact chaining summaries in [MAINWAY]. Replaced an earlier database in January 2011.
3. Contingency database for the time the aforementioned database was being rebuilt
4. System backup that stores an exact copy of the raw metadata from the providers
5. Backup tapes on which the raw metadata were periodically saved off-line

So when NSA needs large data centers, that's also because the same sets of data are stored multiple times. Besides backups, there are often separate databases dedicated to a specific purpose or analysis method.

In January 2014, the Privacy and Civil Liberties Oversight Board (PCLOB) judged that Section 215 collection was actually of "minimal value in safeguarding the nation from terrorism" and that there was "no instance in which the program directly contributed to the discovery of a previously unknown terrorist plot or the disruption of a terrorist attack".

According to PCLOB, the bulk phone records did provide some value "by offering additional leads regarding the contacts of terrorism suspects already known to investigators, and by demonstrating that foreign terrorist plots do not have a U.S. nexus". This, however, was not seen as a sufficient justification for the large-scale collection of domestic phone records.

In the course of 2015, US Congress eventually enacted the USA FREEDOM Act, which prohibits NSA from collecting and storing domestic call records in bulk as of November 29, 2015. Instead, the agency now has to apply for a warrant from the FISA Court approving specific selectors, which are then provided to the telecommunication providers, who use them for querying their own databases; only the results are handed over to NSA.

Classified documents have been disclosed without having been attributed to Snowden.
2013:
- Chancellor Merkel tasking record
- TAO's ANT product catalog
2014:
- XKEYSCORE rules: TOR and TAILS
- NCTC watchlisting guidance
- NCTC terrorist watchlist report
2015:
- XKEYSCORE rules: New Zealand
- Ramstein AFB supporting drone operations
- NSA tasking & reporting: France
- NSA tasking & reporting: Germany
- NSA tasking & reporting: Brazil
- NSA tasking & reporting: Japan
- Chinese cyber espionage against the US
- XKEYSCORE agreement between NSA, BND and BfV
- The Drone Papers
- Cellphone surveillance catalogue
2016:
- US military documents: Iraq and Afghanistan
- NSA tasking & reporting: EU, Italy, UN
- TAO hacking tools (The Shadow Brokers)
- FBI & CBP border intelligence gathering
- TAO IP addresses and domain names
2017:
- TAO Windows files
- CIA hacking tools (Vault 7)
- TAO Solaris exploits
- TAO Windows exploits + SWIFT files
- CIA specific hacking projects (Vault 7)
- NSA report about Russian hacking
- TAO UNITEDRAKE Manual
- CIA source code (Vault 8)



Mass surveillance is even more difficult for fiber optic cables than for satellite links. If there were any mass surveillance of the latter, it would have to involve some 300 communications satellites, for which there would have to be ground stations at at least three places around the world. There you would need 250 satellite dishes of 10 million euros each to receive the up to 500 frequencies per satellite. For each frequency two modems and converters would be needed, and with the necessary processing capacity, this would require a nuclear power plant for electricity. Mass surveillance on cable traffic could probably only be done with the capacity of the American, Russian and Chinese intelligence agencies combined. For BND, mass surveillance would drown the agency in data. The witness had never witnessed any kind of economic espionage by NSA in Germany. But he had to admit that not everything was talked about.


Operation Eikonal
Regarding the joint NSA-BND operation Eikonal, the witness said that there was no massive-scale surveillance of German citizens with data forwarded to NSA. Under Eikonal, which was a one-of-a-kind operation, there was targeted collection from traffic that transited Germany from one foreign country to another.

This was focused on Afghanistan and anti-terrorism. Selected data were collected and forwarded to NSA. The witness would give more details only behind closed doors, because BND is still using these methods. The internal codename for Eikonal was Karat, but that name wasn't shared with NSA. There was even a third codename. Eikonal was tested during a few months (early 2006?), during which period no data were shared with NSA.

For Germany, Eikonal was useful because it provided foreign intelligence for protecting German troops and countering terrorism. The NSA provided better technical equipment that BND didn't have. In return, BND provided NSA with data collected from transit traffic using search profiles about Afghanistan and anti-terrorism. BND was asked to cooperate because NSA isn't able to do everything by itself. What was collected under Eikonal was far less than the 500 million metadata records in the German BOUNDLESSINFORMANT chart.


Telephony metadata
According to the witness, one phone call creates between 30 and 50 metadata records, which include not only time and number but also a lot more technical data. With the given number of users in a crisis zone, this easily adds up to billions of metadata records. But not all of these have to be collected (erfasst); less than one percent can actually be pulled in. This is no mass surveillance without a reasonable ground (anlasslose Massenüberwachung). The witness assumes that NSA and GCHQ operate in a similar way as the BND.

The over 500 million metadata records from the German BOUNDLESSINFORMANT chart were most certainly from Afghanistan, more precisely from satellite communication links between two foreign countries in crisis regions. According to the witness this huge number of metadata records for a single month is quite normal. It could be that these numbers are collected up to today, although he isn't sure about that. BND isn't counting every single part of the metadata, as NSA is apparently doing, which leads to those huge numbers.

NYMROD is a name-matching system that is used for finding "garbled or misspelled names" of targets. It contains names taken from CREST (a translation database) and from intelligence reports from NSA, CIA and DoD databases. If we compare that function with the data in the record that was published, it seems not very likely that the entry is from NYMROD. A tasking database still seems the best option.


Document collections
The most user-friendly collection of all the leaked documents can be found on the website IC Off The Record (which started as a parody of IC On The Record, the official US government website on which declassified documents are published). Other websites that collect leaked documents related to the Five Eyes agencies, from Snowden as well as from other sources, are FVEY Docs and Cryptome. The Snowden documents are also available and searchable through the Snowden Surveillance Archive.


Domestic US leaks
Here, only leaks related to foreign signals intelligence and related military topics will be listed. Not included are therefore documents about American domestic operations, like for example:
- Several revelations about the DEA
- The FBI's Domestic Investigations and Operations Guide (DIOG) and related documents (Update: in March 2018, Minneapolis FBI agent Terry James Albury was charged with leaking these documents to The Intercept)


The phrase "ob in der 2-Mb-Ebene greifbar" ("whether it can be picked up at the 2 Mbit level") suggests that it could be possible to just intercept specific 2 Mbit/s channels while leaving the other ones untouched (one physical STM-1 link has a data rate of 155 Mbit/s and contains 63 virtual channels).

Whether this is possible is important for how focused such cable tapping can be. Isolating individual channels depends in the first place on where exactly the tapping takes place:

A. When the physical fiber is intercepted before it reaches the switch, it has to be bent in order to catch the light that leaks out. Because this leaking signal is much weaker, it has to be amplified before it can be processed. In this way it's not possible to select individual channels: the eavesdropper gets everything that runs over the fiber, and has to demultiplex the channels himself to select the ones that contain traffic of interest.

B. When the interception takes place at an optical switch itself, then it's possible to only grab the virtual channels you are interested in. A physical cable contains channels which have to be demultiplexed at the switch in order to be forwarded (switched) to the fiber that leads to the intended destination. When the switch converts the optical signals into electrical signals, it is even easier to duplicate only individual channels of interest.

At that time there was a need to extract the traffic of two STM-64 and four STM-16 cables, which have a data rate of ca. 10 Gbit/s and 2.5 Gbit/s respectively. This is also said to be circuit-switched, but with "extraction at a higher level".

There are 29 channels to/from Reims and 22 channels to/from Paris, all of which could easily have been in the fiber-optic cable between Frankfurt and Reims, and Frankfurt and Paris, respectively, as one single STM-1 link contains 63 separate channels:
Frankfurt - Stuttgart: ? channels of interest
Frankfurt - Paris: 22 channels of interest
Frankfurt - Reims: 29 channels of interest
Frankfurt - Luxembourg: 11 channels of interest
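The capacity figures above follow from the SDH multiplexing structure: an STM-1 payload holds 3 TUG-3 groups, each holding 7 TUG-2 groups, each holding 3 TU-12 tributaries of 2 Mbit/s, which is where the 63 channels come from, and STM-N carries N times that. The following is an added example written for this page, not code from the original site or from any tapping equipment. The K-L-M addressing (K = TUG-3, L = TUG-2, M = TU-12) is the SDH tributary address a selective tap at the switch would have to name; the sequential numbering used here (K-major, then L, then M) is an assumption for this example, as are the route figures it is applied to.

```python
"""SDH capacity and tributary addressing for the STM-1/STM-16/STM-64 links
discussed above. Added example, not from the original page. The K-major
sequential numbering of TU-12 tributaries is an assumption for illustration.
"""

STM1_RATE_MBIT = 155.52
TUG3_PER_STM1, TUG2_PER_TUG3, TU12_PER_TUG2 = 3, 7, 3
E1_PER_STM1 = TUG3_PER_STM1 * TUG2_PER_TUG3 * TU12_PER_TUG2   # 63


def stm_capacity(n):
    """Line rate and number of 2 Mbit/s channels carried by STM-N."""
    if n < 1:
        raise ValueError("STM level must be >= 1")
    return {"rate_mbit": STM1_RATE_MBIT * n, "e1_channels": E1_PER_STM1 * n}


def klm_to_tributary(k, l, m):
    """Map a (K, L, M) address to a sequential TU-12 number 1..63 (assumed K-major order)."""
    if not (1 <= k <= TUG3_PER_STM1 and 1 <= l <= TUG2_PER_TUG3 and 1 <= m <= TU12_PER_TUG2):
        raise ValueError("K in 1..3, L in 1..7, M in 1..3")
    return (k - 1) * (TUG2_PER_TUG3 * TU12_PER_TUG2) + (l - 1) * TU12_PER_TUG2 + m


def tributary_to_klm(n):
    """Inverse of klm_to_tributary."""
    if not 1 <= n <= E1_PER_STM1:
        raise ValueError("tributary number must be 1..63")
    k, rest = divmod(n - 1, TUG2_PER_TUG3 * TU12_PER_TUG2)
    l, m = divmod(rest, TU12_PER_TUG2)
    return (k + 1, l + 1, m + 1)


def route_selection(channels_of_interest, stm_level=1):
    """For a route carried on one STM-N link: do the channels of interest
    fit, and what share of the link's channels would a selective tap at the
    switch take versus the everything-on-the-fiber tap of case A above."""
    total = stm_capacity(stm_level)["e1_channels"]
    return {"fits": channels_of_interest <= total,
            "selected": channels_of_interest,
            "on_fiber": total,
            "share": channels_of_interest / total}


if __name__ == "__main__":
    # Constructed route figures taken from the list above (Stuttgart unknown, so omitted).
    for route, n in [("Paris", 22), ("Reims", 29), ("Luxembourg", 11)]:
        print(route, route_selection(n))
    print("STM-16:", stm_capacity(16), "STM-64:", stm_capacity(64))
    print("tributary 29 =", tributary_to_klm(29))
```

The share figures make the point of cases A and B concrete: a selective tap on the Reims route takes 29 of 63 tributaries, while a fiber tap on the same STM-1 delivers all 63 and leaves the demultiplexing to the eavesdropper.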


For telephony:
- IMSI: Numbers of cell phone SIM cards
- IMEI: Numbers of cell phone devices
- SCREENNAMES: User names or numbers, mainly used for VoIP calls
- EMAIL_ID: E-mail addresses, mainly used for VoIP calls
- PSTN: Phone and fax numbers

For internet:
- EMAIL_ID: E-mail addresses without permutations
- IMEI: Numbers of cell phone devices
- IMSI: Numbers of cell phone SIM cards
- IPV4: IP addresses
- PSTN: Phone numbers
- OTHER: For example user names, messenger or social network identifiers, cookies, login data, phone numbers, hashes, etc.

Besides the telephone selectors themselves, there is also a field for a description, like a text explaining the reason for targeting, a code, or an abbreviation like CT for Counter-Terrorism.
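Selectors of these types only match reliably if they are stored in one canonical form, and a malformed selector (a mistyped IMEI, an impossible IP address) should be rejected at load time rather than silently tasked. The loader below is an added example written for this page, not code from the original site or from any tasking database. It uses the type names from the list above; the validation rules are assumptions for illustration (IMSI and IMEI are 15 digits, the IMEI's last digit is a Luhn check digit, PSTN numbers are reduced to bare digits, e-mail addresses are lower-cased, IPv4 addresses are validated with the standard library), and the sample rows are constructed.

```python
"""Normalize and validate selectors by type. Added example, not from the
original page. The rules are assumptions for illustration; the type names
follow the list above.
"""
import ipaddress
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def luhn_ok(digits):
    """Luhn check over a digit string; an IMEI's 15th digit is its Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_selector(sel_type, value):
    """Return the canonical form of `value` for `sel_type`, or raise ValueError."""
    v = value.strip()
    if sel_type == "IMSI":
        if not (v.isdigit() and len(v) == 15):
            raise ValueError("IMSI must be 15 digits")
        return v
    if sel_type == "IMEI":
        v = re.sub(r"[\s-]", "", v)          # accept the 49-015420-323751-8 style
        if not (v.isdigit() and len(v) == 15 and luhn_ok(v)):
            raise ValueError("IMEI must be 15 digits with a valid Luhn check digit")
        return v
    if sel_type == "PSTN":
        digits = re.sub(r"\D", "", v)        # strip brackets, spaces, dashes, plus sign
        if not 7 <= len(digits) <= 15:
            raise ValueError("PSTN number must have 7..15 digits")
        return digits
    if sel_type == "EMAIL_ID":
        v = v.lower()
        if not EMAIL_RE.match(v):
            raise ValueError("not an e-mail address")
        return v
    if sel_type == "IPV4":
        return str(ipaddress.IPv4Address(v))   # AddressValueError is a ValueError
    raise ValueError("unknown selector type: " + sel_type)


def load_selectors(rows):
    """Normalize (type, value, description) rows; invalid rows are returned
    separately with the reason instead of being dropped silently."""
    good, bad = [], []
    for sel_type, value, desc in rows:
        try:
            good.append((sel_type, normalize_selector(sel_type, value), desc))
        except ValueError as err:
            bad.append((sel_type, value, str(err)))
    return good, bad


if __name__ == "__main__":
    # Constructed rows, with the description field from the text (CT = Counter-Terrorism).
    rows = [("IMEI", "49-015420-323751-8", "CT"),
            ("IMEI", "490154203237519", "CT"),          # bad check digit
            ("PSTN", "(301) 234-5678", "CT"),
            ("EMAIL_ID", " Ejsnowd@NSA.ic.gov ", "CT"),
            ("IPV4", "999.1.1.1", "")]                   # not an IPv4 address
    ok, rejected = load_selectors(rows)
    print("accepted:", ok)
    print("rejected:", rejected)
```

Note that IMSI and IMEI are both 15-digit strings, so the type column, not the value, decides which rule applies; only the IMEI carries a check digit that can catch a transcription error.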

The Shadow Brokers
On October 31, 2016, the Shadow Brokers came with a "Halloween message" on Medium, this time including a new file, which contains "configuration data for an as-yet-undisclosed toolkit for a variety of UNIX platforms" and also a list of 352 IP addresses and 306 domain names that NSA's hacking team, the Equation Group, may have used for their operations. These addresses include timestamps from August 22, 2000, to August 18, 2010. The 10 most affected countries are China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy and Russia.

On December 14, 2016, someone calling himself Boceffus Cleetus published a post on Medium, saying that the Shadow Brokers were now selling the supposed NSA hacking tools one by one, for prices between 1 and 100 bitcoins (780 - 78,000 USD), or 1000 bitcoins (780,000 USD) for the whole lot. Included is a list with codenames of the exploits as well as a file signed with a PGP key with an identical fingerprint as the original Shadow Brokers dump from August.

On January 12, 2017, the Shadow Brokers published a final message accompanied by 61 Windows-formatted binary files, including executables, dynamic link libraries, and device drivers, which are also considered to have been tools from NSA's TAO hacking division. Most of these files had remained undetected by the most-used anti-virus tools. Images included with these files showed they were stored on a drive D: that was most likely a USB drive, which, according to an independent researcher, "lends credibility to the argument the leak came from an insider who stole, and subsequently lost control of, a USB stick, rather than a direct hack of the NSA."

On April 8, 2017, the Shadow Brokers were back and released a range of exploits for the Unix operating system Solaris, and on April 14, 2017 they published an archive containing a series of Windows exploits that they had offered for sale in January and documents about NSA's infiltration of SWIFT, for the first time also including several Top Secret NSA PowerPoint presentations, similar to those leaked by Snowden. The latest timestamp found in these files is October 17, 2013, which is one day before the latest one in the first Shadow Brokers release.


Chancellor Merkel
The journalists from Der Spiegel also found interesting things purely by accident. The cache of documents for example contained an NSA presentation from the Center for Content Extraction (CCE, unit designator T1221) about a system to automatically sort out interesting and useful parts of intercepted phone calls. One slide of the presentation shows an example list of some chiefs of state (cos), among which German chancellor Angela Merkel was listed. The presentation was not about actual interception operations, but did provide an indication that Merkel had been a target.


The Federation of American Scientists (FAS) provides science-based analysis of and solutions to protect against catastrophic threats to national and international security. Specifically, FAS works to reduce the spread and number of nuclear weapons, prevent nuclear and radiological terrorism, promote high standards for nuclear energy's safety and security, illuminate government secrecy practices, as well as prevent the use of biological and chemical weapons. Founded in November 1945 as the Federation of Atomic Scientists, by scientists who built the first atomic bombs during the Manhattan Project, FAS is devoted to the belief that scientists, engineers, and other technically trained people have the ethical obligation to ensure that the technological fruits of their intellect and labor are applied to the benefit of humankind. In early 1946, FAS rebranded as the Federation of American Scientists to broaden its network of supporters to include all citizens who want to reduce the risks to humanity from global catastrophes.
  260.  
  261.  
  262. ZABBO, collection in Bad Aibling of satellite communications from Afghanistan.
  263.  
  264. Cyber defense
  265. Interestingly, filtering internet traffic using threat-detection algorithms sounds very much like detecting and preventing malware and cyber attacks. But except perhaps for the case in which a terrorist group would conduct cyber attacks, the law precisely states that this "black box" metadata filtering and collection system may only be used to detect terrorist threats. It cannot be used for any other purpose, including cybersecurity, counterintelligence or criminal investigations.
  266.  
  267. Collection INSIDE the US:
  268. Targeted collection - US persons & foreigners:
  269. - Section 105 FISA
  270. - Section 703 FISA Amendments Act (FAA)
  271.  
  272. Targeted collection - Foreigners:
  273. - Transit Authority
  274. - Section 702 FISA Amendments Act (FAA)
  275. - Downstream Collection (PRISM)
  276. - Upstream Collection
  277.  
  278. Bulk collection - US persons:
  279. - Section 402 FISA (PR/TT)
  280. - Section 215 USA PATRIOT Act (BR FISA)
  281. - USA FREEDOM Act (USAFA)
  282.  
  283. Collection OUTSIDE the US:
  284. Targeted collection - US persons:
  285. - Sections 704 & 705 FISA Amendments Act (FAA)
  286.  
  287. Targeted & Bulk collection - Foreigners:
  288. - Executive Order 12333
  289. - Classified Annex Authority (CAA)
  290. - Special Procedures governing Communications Metadata Analysis (SPCMA)
  291. - Raw SIGINT Availability Procedures
  292.  
  293.  
  294. All this happens under three different legal authorities, and for each there's a different SIGINT Activity Designator (SIGAD):
  295. Traditional FISA:
  296. - Communications of persons being agents of foreign powers or connected to international terrorist groups
  297. - Individualized warrant needed from the FISA Court
  298. - Internet traffic only (SIGAD: US-984T)
  299.  
  300. Section 702 FAA:
  301. - Communications of foreigners/with one end foreign
  302. - Must be justified under an annual FAA Certification
  303. - All kinds of internet traffic (SIGAD: US-984XR)
  304. - Telephone traffic (SIGAD: US-984X2)
  305.  
  306. Transit Authority:
  307. - Communications with both ends foreign
  308. - No external approval required
  309. - Internet traffic: only e-mail (SIGAD: US-990)
  310. - Telephony: according to "Directory ONMR" (SIGAD: US-990)
  311.  
  312.  
  313. For collection under Transit Authority, the presentation says that communications "must be confirmed foreign-to-foreign", which is ensured by filters at the actual tapping points.
  314.  
  315. These filters only forward authorized traffic to the selection engines, which then pick out the communications that match with strong selectors, like e-mail addresses, phone numbers, etc. These selectors are entered into the system by analysts using the tasking tools UTT, CADENCE (for internet) and OCTAVE (for telephony).
  316.  
  317. Under the FAIRVIEW program, NSA at that time had access points at the following parts of the AT&T network:
  318. - Peering Link Router Complexes (8)
  319. - VoIP Router Complexes (26, planned: 0)
  320. - Hub VoIP Router Complex (1, planned: 30)
  321. - Program Cable Stations (9, planned: 7)
  322. - Non-Program Cable Stations (0)
  323. - RIMROCK 4ESS Circuit Switches (16)
  324. - Program Processing Site (1)
  325.  
  326. Peering Link Router Complex
  327. NSA has 8 access points at AT&T Peering Link Router Complexes. According to Pro Publica they correspond to AT&T's Service Node Routing Complexes (SNRCs), where other communication providers connect to the AT&T backbone through OC-192 and 10GE fiber-optic cables. For NSA, this means they can catch traffic from those other providers too. This backbone access is codenamed SAGURA or SAGUARO. The 8 facilities are in:
  328. - Seattle
  330. - San Francisco
  331. - Los Angeles
  332. - Dallas
  333. - Chicago
  334. - Atlanta
  335. - New York City
  336. - Washington DC
  337.  
  338. It was this kind of access point that was/is in Room 641A in San Francisco, as was exposed by Mark Klein during a lawsuit in 2006. Klein said that the equipment in Room 641A was installed in early 2003, which would fit the turning on of "a new DNI (Digital Network Intelligence) collection capability" in September of that year.
  339.  
  340.  
  341. Under Transit Authority, roughly the following numbers of records were counted for FAIRVIEW:
  342.  
  343. - 87% or 5,3 billion: Personal Communications Services (PCS, cell phone, etc)
  344. - 2% or 122 million: Mobile communications-over-IP (MOIP)
  345. - 8% or 488 million: Public Switched Telephone Network (PSTN)
  346. - 3% or 183 million: Internet communications (DNI)
  347.  
  348. The overwhelming majority of the data come from foreign-to-foreign telephone communications, mostly from cell phones. Because there's no dataflow diagram for the content of phone calls, it's possible that this is only telephone metadata and SMS messages. Only about 3% comes from foreign-to-foreign e-mail messages, for which some 183 million metadata records were counted. This number comes close to the roughly 150 million e-mails a month that were processed in 2012, which could indicate that one metadata record equals one e-mail message. The technology used to process 97% of these data is called FAIRVIEWCOTS, which could be a combination of the program's codename and the abbreviation COTS, which stands for Commercial Off-The-Shelf equipment. Just under 3%, so probably the e-mail traffic, is processed by a hitherto unknown system codenamed KEELSON. Finally, a tiny number also went through SCISSORS.
  349.  
  350. Internet metadata
  351. An NSA document from 2003 seems to be about bulk internet data. It says that FAIRVIEW also collected "metadata, or data about the network and the communications it carries" and that for September 2003 alone, "FAIRVIEW captured several trillion metadata records - of which more than 400 billion were selected for processing or storage".
  352.  
  353. This doesn't really sound like AT&T handed over bulk metadata indiscriminately, but it would fit how it's described in the 2009 STELLARWIND report (in which, according to Pro Publica, AT&T is referred to as "Company A") about the collection efforts under the President's Surveillance Program (PSP):
  354. "In order to be a candidate for PSP IP metadata collection, data links were first vetted to ensure that the preponderance of communications was from foreign sources, and that there was a high probability of collecting al Qaeda (and affiliate) communications. NSA took great care to ensure that metadata was produced against foreign, not domestic, communications"
  355.  
  356. The "internet dragnet", that is, the bulk collection of internet metadata of domestic communications under the authority of section 402 FISA (at NSA called PR/TT), was first approved by the FISA Court on July 14, 2004. That means the 400 billion metadata records collected under FAIRVIEW in 2003 were not yet part of the PR/TT bulk collection, and accordingly not domestic. It is still remarkable that AT&T was able to forward 400 billion metadata records a month just from its foreign communications: in 2012, the total number of internet metadata records that NSA collected worldwide was "just" 312 billion a month.
  357.  
  358.  
  359. Telephone metadata
  360. About bulk telephone metadata there's an NSA document from 2011. It says that as of September 2011, FAIRVIEW began handing over "1.1 billion cellular records a day in addition to the 700M records delivered currently" under the Business Record (BR) FISA authorization, which refers to section 215 of the USA PATRIOT Act. It was already known that the major US telecoms handed over their metadata records of landline telephone calls, but here we see that AT&T also started doing so for cell phone calls. And for the very first time we also have some numbers: the total of 1,8 billion a day provided by AT&T makes 54 billion a month and about 650 billion phone records a year. For comparison, in 2012, NSA's regular foreign collection resulted in a total of 135 billion telephone records a month and 1,6 trillion a year.
  361.  
  362. Eight AT&T facilities, internally designated as "Service Node Routing Complexes" (SNRCs), were identified as being the eight "peering link router complexes" seen on the map of the NSA's FAIRVIEW program:
  363. - 420 South Grand Avenue, Los Angeles, California
  364. - 611 Folsom Street, San Francisco, California
  365. - 51 Peachtree Center Avenue, Atlanta, Georgia
  366. - 10 South Canal Street, Chicago, Illinois
  367. - 30 E Street Southwest, Washington, DC
  368. - 811 10th Avenue, New York, New York
  369. - 1122 3rd Avenue, Seattle, Washington
  370. - 4211 Bryan Street, Dallas, Texas
  371.  
  372. And two extra:
  373. - 2651 Olive Street, Saint Louis, Missouri
  374. - 12976 Hollenberg Drive, Bridgeton, Missouri
  375.  
  376.  
  377.  
  378. TOP SECRET//COMINT-GAMMA
  379.  
  380. October 19, 2004, the Global SIGINT Highlights evolved from the SIGINT Digest, which was NSA's sole contribution to the initial 1995 prototype of Intelink, a secure intranet of the US intelligence community.
  381.  
  382. Almost all the Snowden documents are marked TOP SECRET//COMINT, COMINT (or SI) being the control system for signals intelligence, which covers almost anything the NSA does. All those PowerPoint presentations, wiki pages and daily business reports are therefore not the agency's biggest secrets.
  383.  
  384. It is not clear whether Snowden had access to the GAMMA compartment. So far, no such documents have been published, except for five internal NSA Wiki pages, for which the highest possible classification was TOP SECRET//SI-GAMMA/TALENT KEYHOLE/etc., but without GAMMA information being seen in them.
  385.  
  386. The time is presented according to the standard military notation. 161711Z for example stands for the 16th day, 17 hours and 11 minutes ZULU (= Greenwich Mean) Time, with the month and the year being that of the particular briefing.
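As an added example (not code from the page or from the briefings it describes), here is a small Python parser for this DDHHMMZ date-time group notation. As the text says, the month and year are not part of the group, so the caller supplies them from the briefing; only the Z (Zulu/UTC) zone letter is accepted, and impossible dates such as day 31 in a 30-day month are rejected.

```python
"""Parser for the military date-time group (DTG) notation used in the
briefing timestamps, e.g. "161711Z" = day 16, 17:11 Zulu (UTC).

Added example, not code from the page's source. The DTG carries only
day, hour, minute and the zone letter; month and year are assumed to be
those of the briefing and are passed in by the caller.
"""
import re
from datetime import datetime, timezone

# DDHHMM followed by a single time-zone letter. Only "Z" (Zulu = UTC) is
# accepted below, which is the form described in the text.
_DTG_RE = re.compile(r"^(?P<day>\d{2})(?P<hour>\d{2})(?P<minute>\d{2})(?P<zone>[A-Z])$")


def parse_dtg(dtg: str, year: int, month: int) -> datetime:
    """Return a timezone-aware UTC datetime for a DTG such as "161711Z".

    Raises ValueError for a malformed string, a zone letter other than Z,
    or an impossible date such as day 31 in a 30-day month.
    """
    m = _DTG_RE.match(dtg.strip().upper())
    if m is None:
        raise ValueError(f"not a DDHHMMZ date-time group: {dtg!r}")
    if m.group("zone") != "Z":
        raise ValueError(f"only Zulu (UTC) time is handled, got zone {m.group('zone')!r}")
    # datetime() validates the day/hour/minute ranges for the given month.
    return datetime(year, month, int(m.group("day")),
                    int(m.group("hour")), int(m.group("minute")),
                    tzinfo=timezone.utc)


def is_valid_dtg(dtg: str, year: int, month: int) -> bool:
    """True if `dtg` parses as a real date in the given month."""
    try:
        parse_dtg(dtg, year, month)
    except ValueError:
        return False
    return True


def format_dtg(when: datetime) -> str:
    """Inverse of parse_dtg: render an aware datetime as DDHHMMZ in UTC."""
    if when.tzinfo is None:
        raise ValueError("need a timezone-aware datetime to render a Zulu DTG")
    return when.astimezone(timezone.utc).strftime("%d%H%MZ")


if __name__ == "__main__":
    # Constructed sample: the DTG quoted in the text, placed in a
    # hypothetical June 2013 briefing.
    ts = parse_dtg("161711Z", year=2013, month=6)
    print(ts.isoformat())  # 2013-06-16T17:11:00+00:00
    print(format_dtg(ts))  # 161711Z
```

The round trip through `format_dtg` is useful when normalising timestamps from several briefings into one timeline: everything is converted to an aware UTC datetime first, so month and year never have to be inferred from the group itself.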
  387.  
  388. For the classification level, the following codes are known:
  389.  
  390. 1 = Confidential(?)
  391. 2 = Secret
  392. 3 = Top Secret
  393. S = ?
  394. E = ?
  395. I = ?
  396. Z-G = Top Secret/Comint-Gamma
  397. Z-3 = Top Secret/Comint
  398.  
  399. In the LSZ list, the new codes stand for:
  400.  
  401. - 703: VC3 Virtual Container connection with 48,960 Mbit/s
  402. - 710: (not yet known)
  403. - 712: VC12 Virtual Container connection with 2,240 Mbit/s
  404. - 720: (not yet known)
  405. - 730: (not yet known)
  406.  
  407. VC3 and VC12 are from the Synchronous Digital Hierarchy (SDH) protocol to transfer multiple digital bit streams synchronously over optical fiber. This has the option for virtual containers for the actual payload data. VC3 is for mapping 34/45 Mbit/s (E3/DS3) signals; VC4 for 140 Mbit/s (E4); VC12 for 2 Mbit/s (E1).
  408.  
  409. Classification labels
  410. Twelve routers have an orange and a yellow label, only the bottom one has a red label. These labels indicate the (highest) classification level of the data that are handled by the equipment. The red label is for Secret, the orange one for Top Secret and the yellow one for Sensitive Compartmented Information (SCI), which means the information is in a "control system" with extra protective measures. All but one of the routers may therefore transfer data up to the level of Top Secret/SCI. This sounds quite impressive, but actually almost everything NSA does is classified at this level, more specifically as Top Secret//Comint (or SI for Special Intelligence) - the marking that can be seen on almost all Snowden documents.
  411.  
  412. Labels contained new codewords and names of countries. Eventually the following words could be read (uncertain readings were shown in gray in the original, which this text version cannot reproduce; dots mark characters that could not be made out):
  413.  
  414. BAYBRIDGE
  415. TUNISIA
  416.  
  417. PARTSTREAMER
  418. NETHERLANDS
  419.  
  420. BAYBRIDGE
  421. SEENFLARE
  422.  
  423. BAYBRIDGE
  424. BELGIUM
  425.  
  426. BAYBRIDGE
  427. SIDELIGHT
  428.  
  429. BAYBRIDGE
  430. MALFRACK
  431.  
  432. BAYBRIDGE
  433. THAWFACTOR TR82/...
  434.  
  435. ... EXPANSION
  436. GERMANY ...
  437.  
  438. CRO......
  439. MEVE/ORION ..MG/..EF
  440.  
  441. BAYBRIDGE
  442. ...... ..../....
  443.  
  444. BAYBRIDGE
  445. FAIRLANE
  446.  
  447. BAYBRIDGE
  448. ITALY ....
  449.  
  450. ........
  451. ....... ....
  452.  
  453. DNI-U (Director National Intelligence-Unclassified)
  454. - Until 2006: Open Source Information System (OSIS)
  455. - Classification level: Sensitive But Unclassified (SBU, color code: green)
  456. - Access: US intelligence users
  457. - Controlled by: DNI-CIO Intelligence Community Enterprise Services office (ICES)
  458. - Purpose: Providing open source information; consists of a group of secure intranets used by the US Intelligence Community (IC)
  459. - Computer applications: Intelink-U, Intellipedia, EViTAP, etc.
  460.  
  461. NIPRNet (Non-secure Internet Protocol Router Network)
  462. - Classification level: Sensitive But Unclassified (SBU, color code: green)
  463. - Secured by: Network traffic monitored by the TUTELAGE program and QUANTUM-DNS at the 18 gateways to the public internet *
  464. - Address format: http://subdomains.domain.mil
  465. - E-mail format: john.doe@mail.mil
  466. - Access: US military users, via Common Access Card smart card *
  467. - Number of users: ca. 4,000,000
  468. - Purpose: Combat support applications for the US Department of Defense (DoD), Joint Chiefs of Staff (JCS), Military Departments (MILDEPS), Combatant Commands (COCOM), and senior leadership; composed of the unclassified networks of the DoD; provides protected access to the public internet.
  469. - Computer applications: E-mail, file transfer and web services like the Joint Deployable Intelligence Support System (JDISS)
  470. - Video Teleconferencing (VTC)
  471.  
  472. SIPRNet (Secret Internet Protocol Router Network)
  473. - Classification level: SECRET (color code: red)
  474. - Secured by: TACLANE (KG-175A/D) network encryptors
  475. - Address format: http://subdomains.domain.smil.mil
  476. - E-mail format: john.doe@mail.smil.mil
  477. - Access: users from multiple US intelligence agencies and government departments (and some foreign partners)*, via SIPRNet Token smart card
  478. - Number of users: ca. 500,000 *
  479. - Controlled by: JCS, NSA, DIA and DISA *
  480. - Purpose: Supporting the Global Command and Control System (GCCS), the Defense Message System (DMS), collaborative planning and numerous other classified warfighter applications, and as such DoD's largest interoperable command and control data network.
  481. - Computer applications: Intelink-S, Intellipedia, TREASUREMAP, Joint Deployable Intelligence Support System (JDISS), Defense Knowledge Online, Army Knowledge Online, InfoWorkSpace (IWS), etc.
  482. - Phone service: VoSIP (Voice over Secure IP) as an adjunct to the DRSN for users that do not require the full command and control and conferencing capabilities.
  483. - Secure Video Teleconferencing (VTC)
  484.  
  485.  
  486. JWICS (Joint Worldwide Intelligence Communications System)
  487. - Classification level: TOP SECRET/SCI (color code: yellow)
  488. - Secured by: TACLANE (KG-175A/D) network encryptors *
  489. - Address format: http://subdomains.domain.ic.gov
  490. - E-mail format: john.doe@agency.ic.gov
  491. - Access: users from multiple US intelligence agencies and government departments
  492. - Controlled by: DIA, with management delegated to AFISR
  493. - Purpose: Collaboration and sharing of intelligence data within the US Intelligence Community (IC)
  494. - Computer applications: ICE-mail, Intelink-TS, Intellipedia, GHOSTMACHINE, ROYALNET, TREASUREMAP, ICREACH, Joint Deployable Intelligence Support System (JDISS), etc.
  495. - Phone Service: DoD Intelligence Information System (DoDIIS) VoIP telephone system
  496. - Secure Video Teleconferencing (VTC)
  497.  
  498. FBI
  499. - LEO (Law Enforcement Online; Unclassified, for law enforcement communications)
  500. - FBINet (Federal Bureau of Investigation Network; Secret)
  501. - SCION (Sensitive Compartmented Information Operational Network; Top Secret/SCI)
  502.  
  503. DHS
  504. - HSIN (Homeland Security Information Network; Unclassified)
  505. - HSDN (Homeland Secure Data Network; Secret)
  506.  
  507. State Department
  508. - OpenNet (Unclassified)
  509. - ClassNet (Secret; address format: http://subdomain.state.sgov.gov)
  510. - INRISS (INR Intelligence Support System; Top Secret/SCI)
  511.  
  512. Department of Energy
  513. - DOENet (DOE Corporate Network; Unclassified)
  514. - ECN/U (Emergency Communications Network/Unclassified)
  515. - ECN/C (Emergency Communications Network/Classified)
  516.  
  517. CIA
  518. - AIN (Agency InterNet; Unclassified)
  519. - ADN (Agency Data Network?; Top Secret/SCI)
  520.  
  521. NRO
  522. - GWAN (Government Wide Area Network, also known as NRO Management Information System (NMIS); Top Secret)
  523. - CWAN (Contractor Wide Area Network; Top Secret)
  524.  
  525. NGA
  526. - NGANet (National Geospatial-Intelligence Agency Network; Top Secret/SCI)
  527.  
  528. NSANet (National Security Agency Network)
  529. - Classification level: TOP SECRET/SCI (color code: yellow)
  530. - Secured by: TACLANE network encryptors *
  531. - Address format: http://subdomain.domain.nsa
  532. - E-mail format: john.doe@nsa
  533. - Access: US, UK, CAN, AUS, NZL signals intelligence users
  534. - Controlled by: NSA, with management delegated to CSS Texas
  535. - Purpose: Sharing intelligence data among the 5 Eyes partners
  536. - Computer applications: InfoWorkSpace (IWS), SIDToday (newsletter), TREASUREMAP, MAILORDER, MARINA, TURBINE, PRESSUREWAVE, INTERQUAKE, CATAPULT, Cellular Information Service (WCIS), GATC Opportunity Volume Analytic, etc.
  537. - Phone service: NSTS (National Secure Telephone System)
  538.  
  539. PEGASUS
  540. - Until 2010: GRIFFIN (Globally Reaching Interconnected Fully Functional Information Network)
  541. - Classification level: SECRET//REL FVEY
  542. - Access: US, UK, CAN, AUS, NZL military users
  543. - Controlled by: DIA(?)
  544. - Purpose: Information sharing and supporting command and control systems
  545. - Applications: Secure e-mail, chat and VoSIP communications
  546.  
  547.  
  548. STONEGHOST (Quad-Link or Q-Lat)
  549. - Classification level: TOP SECRET//SCI
  550. - Access: US, UK, CAN, AUS, NZL(?) military intelligence users
  551. - Controlled by: DIA
  552. - Purpose: Sharing of military intelligence information
  553. - Applications: Intelink-C, etc.
  554.  
  555.  
  556. CFBLNet (Combined Federated Battle Laboratories Network)
  557. - Classification level: Unclassified and SECRET
  558. - Access: US, UK, CAN, AUS, NZL, and at least nine European countries Research & Development institutions
  559. - Controlled by: MultiNational Information Sharing (MNIS) Program Management Office
  560. - Purpose: Supporting research, development and testing on command, control, communication, computer, intelligence, surveillance and reconnaissance (C4ISR) systems.
  561. - Applications: Communications, analytic tools, and other applications
  562.  
  563. CENTRIXS Four Eyes (CFE or X-Net)
  564. - Classification level: TOP SECRET//ACGU
  565. - Address format: http://subdomains.domain.xnet.mnf
  566. - Access: US, UK, CAN, AUS military users
  567. - Controlled by: DIA
  568. - Purpose: Operational coordination through sharing and exchange of intelligence products
  569. - Applications: Various services
  570.  
  571.  
  572. CENTRIXS-ISAF (CX-I)
  573. - Classification level: TOP SECRET//ISAF
  574. - Access: ca. 50 coalition partners
  575. - Controlled by: ?
  576. - Purpose: Sharing critical battlefield information; US component of the Afghan Mission Network (AMN).
  577. - Computer applications: Web services, instant messaging, Common Operational Picture (COP), etc.
  578. - Voice over IP
  579.  
  580.  
  581. CENTRIXS-M (Maritime)
  582. - Classification level: TOP SECRET ?
  583. - Purpose: Supporting multinational information exchange among the ships of coalition partners of the US Navy to provide access to critical, time-sensitive planning and support data necessary to carry out the mission
  584. - Computer applications: E-mail, Chat messaging, Webpages, etc.
  585.  
  586. CENTRIXS-GCTF
  587. - Address format: http://subdomains.domain.gctf.cmil.mil
  588. - For the ca. 80 Troop Contributing Nations of the Global Counter-Terrorism Force (GCTF)
  589.  
  590. CENTRIXS-CMFC
  591. - For the Combined Maritime Forces, Central Command (CMFC)
  592.  
  593. CENTRIXS-CMFP
  594. - For the Combined Maritime Forces, Pacific (CMFP)
  595.  
  596. CENTRIXS-J
  597. - For the United States and Japan
  598.  
  599. CENTRIXS-K
  600. - For the United States and South-Korea
  601.  
  602.  
  603. "Global Signals Cognizance: The core communications infrastructure and global network information needed to achieve and maintain baseline knowledge.
  604. Capture knowledge of location, characterization, use, and status of military and civil communications infrastructure, including command, control, communications and computer networks: intelligence, surveillance, reconnaissance and targeting systems; and associated structures incidental to pursuing Strategic Mission List priorities.
  605. Focus of mission is creating knowledge databases that enable SIGINT efforts against future unanticipated threats and allow continuity on economy of force targets not currently included on the Strategic Mission List."
  606.  
  607. Four satellite links between the United Kingdom and Iraq, which were given the following case notations, starting with G2, which is NSA's identifier for the Intelsat 902 communications satellite:
  608. - G2BCR (UK - Iraq)
  609. - G2BBU (UK - Iraq)
  610. - G2BCS (Iraq - UK)
  611. - G2BBV (Iraq - UK)
  612.  
  613. The physical gateways (the satellite ground stations) for these satellite links are in the UK and in Iraq, with the UK station providing logical gateways to the Rest-of-the-World (ROW), mainly Turkey, Syria, Saudi Arabia, UAE and Egypt.
  614.  
  615.  
  616. Multiplexing and compression
  617. By analysing the C7 channel (see below), it was confirmed that the two links from the UK to Iraq were load-sharing traffic between the Rest-of-the-World and Iraq, as was the case for the link originating in Iraq.
  618.  
  619. For an efficient transmission, the links are equipped with the DTX-600 Compression Gateway device, made by Dialogic. This is a high-capacity, multi-service, multi-rate voice and data compression system, which is able to simultaneously compress toll quality voice, fax, Voice Band Data (VBD), native data (for example, V.35), and signaling information.
  620.  
  621. Signaling System No. 7
  622.  
  623. Most of the information in the report is derived from the so-called C7 channel. C7 is the British term for the Signaling System No. 7 as specified by ITU-T recommendations. In the US it is referred to as SS7 or CCSS7 (for Common Channel Signalling System 7).
  624.  
  625. SS7 is a set of protocols for setting up and routing telephone calls. In the SS6 and SS7 versions of this protocol, this signalling information is "out-of-band", which means it is carried in a separate signaling channel, in order to keep it apart from the end-user's audio path. In other words, SS7 contains the metadata for telephone conversations, like the calling and the called phone numbers and a range of switching instructions. This makes the SS7 or C7 channel the first stop for intelligence agencies.
  626.  
  627.  
  628.  
  629. GERONTIC
  630. The GCHQ Cable Master List from 2009 also lists GERONTIC as a landing partner for the following nine cables:
  631. - FLAG Atlantic 1 (FA1)
  632. - FLAG Europe-Asia (FEA)
  633. - Apollo North
  634. - Apollo South
  635. - Solas
  636. - UK-Netherlands 14
  637. - UK-France 3
  638. - Europe India Gateway (EIG)
  639. - GLO-1
  640.  
  641.  
  642. INCENSER (DS-300)
  643. Among the documents about the GCHQ cable tapping is also a small part of an internal glossary. It contains an entry about INCENSER, which says that this is a special source collection system at Bude. This is further specified as the GERONTIC delivery from the NIGELLA access, which can be viewed in XKEYSCORE (XKS).
  644.  
  645. QUANTUMBOT
  646. According to documents published by The Intercept in December 2014, the INCENSER access is also capable of supporting the QUANTUMBOT (IRC botnet hijacking), QUANTUMBISQUIT (for targets who are behind large proxies), and QUANTUMINSERT (HTML web page redirection) hacking techniques.
  647. Two other components of the QUANTUMTHEORY computer network exploitation framework, QUANTUMSQUEEL (for injection of MySQL databases) and QUANTUMSPIM (for instant messaging), had been tested, but weren't yet operational.
  648.  
  649. WINDSTOP
  650. Data collected under the INCENSER program are not only used by GCHQ, but also by NSA, which groups such 2nd Party sources under the codename WINDSTOP. As such, INCENSER was first mentioned in a slide that was published by the Washington Post in October 2013.
  651.  
  652. The section in the center of the lower part shows these data were collected by the following programs:
  653.  
  654. - DS-300 (INCENSER): 14100 million records
  655. - DS-200B (MUSCULAR): 181 million records
  656.  
  657. The data collected under the INCENSER program are indexed and searched with XKEYSCORE.
  658.  
  659. Top 5 of cable tapping programs
  660.  
  661. SSO worldwide total: 160.168.000.000 (100%)
  662. DANCINGOASIS: 57.788.148.908 (36%)
  663. SPINNERET (part of RAMPART-A): 23.003.996.216 (14%)
  664. MOONLIGHTPATH (part of RAMPART-A): 15.237.950.124 (9%)
  665. INCENSER (part of WINDSTOP): 14.100.359.119 (9%)
  666. AZUREPHOENIX (part of RAMPART-A): 13.255.960.192 (8%)
  667. Other programs: 38.000.000.000 (24%)
  668.  
  669. 6 Topical Missions:
  670.  
  671. - Winning the Global War on Terrorism
  672. - Protecting the U.S. Homeland
  673. - Combating Proliferation of Weapons of Mass Destruction
  674. - Protecting U.S. Military Forces Deployed Overseas
  675. - Providing Warning of Impending State Instability
  676. - Providing Warning of a Strategic Nuclear Missile Attack
  677. - Monitoring Regional Tensions that Could Escalate
  678. - Preventing an Attack on U.S. Critical Information Systems
  679. - Early Detection of Critical Foreign Military Developments
  680. - Preventing Technological Surprise
  681. - Ensuring Diplomatic Advantage for the U.S.
  682. - Ensuring a Steady and Reliable Energy Supply for the U.S.
  683. - Countering Foreign Intelligence Threats
  684. - Countering Narcotics and Transnational Criminal Networks
  685. - Mapping Foreign Military and Civil Communications Infrastructure
  686.  
  687. XX.SQF055191
  688. XX - This may stand for Internet Service Providers
  689. . (dot) - Indicating multiple types of content
  690. SQF - Fixed trigraph denoting FBI FISA collection
  691. 05 - Year the Case Notation was established: 2005
  692. 5191 - Serial number of the targeted address
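As an added example, not code from the page's source, the following Python parser splits a case notation with the layout described above into its fields, so that a list of such notations can be sorted or filtered by trigraph, year or serial number. The only trigraph meaning it knows is SQF, as given in the text; treating the two-digit year as 20YY is an assumption made here for illustration.

```python
"""Parser for the FISA case notation layout described above, e.g.
"XX.SQF055191": two-letter prefix, optional dot (multiple content types),
fixed trigraph, two-digit year and four-digit serial number.

Added example, not code from the page's source. Only the SQF trigraph is
named on the page; treating the two-digit year as 20YY is an assumption
made here for illustration.
"""
import re
from typing import NamedTuple, Optional

# Constructed: the only trigraph meaning given in the text.
KNOWN_TRIGRAPHS = {"SQF": "FBI FISA collection"}

_CASE_RE = re.compile(
    r"^(?P<prefix>[A-Z]{2})"    # e.g. XX (possibly Internet Service Providers)
    r"(?P<multi>\.)?"           # a dot indicates multiple types of content
    r"(?P<trigraph>[A-Z]{3})"   # fixed trigraph, e.g. SQF
    r"(?P<year>\d{2})"          # year the case notation was established
    r"(?P<serial>\d{4})$"       # serial number of the targeted address
)


class CaseNotation(NamedTuple):
    prefix: str
    multiple_content_types: bool
    trigraph: str
    trigraph_meaning: Optional[str]   # None when the trigraph is not on the page
    year: int
    serial: int


def parse_case_notation(text: str) -> CaseNotation:
    """Split a case notation into its fields; ValueError if the layout differs."""
    m = _CASE_RE.match(text.strip().upper())
    if m is None:
        raise ValueError(f"does not match the case notation layout: {text!r}")
    return CaseNotation(
        prefix=m.group("prefix"),
        multiple_content_types=m.group("multi") is not None,
        trigraph=m.group("trigraph"),
        trigraph_meaning=KNOWN_TRIGRAPHS.get(m.group("trigraph")),
        year=2000 + int(m.group("year")),   # assumption: two-digit year means 20YY
        serial=int(m.group("serial")),
    )


def is_case_notation(text: str) -> bool:
    """True if `text` has the layout above, whatever the trigraph."""
    return _CASE_RE.match(text.strip().upper()) is not None


if __name__ == "__main__":
    # The notation quoted in the text.
    print(parse_case_notation("XX.SQF055191"))
```

Because the regex anchors both ends and fixes every field width, a SIGAD such as US-984XR or a truncated notation is rejected rather than partially matched, which is the behaviour you want before feeding identifiers into any further lookup.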
  693.  
  694. Top Secret Codeword
  695. UMBRA was one of three codewords that were used to protect sensitive intercepts of Communication Intelligence (COMINT). These codewords represented three levels of sensitivity:
  696. - UMBRA for the most sensitive material (Category III)
  697. - SPOKE for less sensitive material (Category II)
  698. - MORAY for the least sensitive material (Category I)
  699.  
  700. The codewords UMBRA, SPOKE and MORAY can be seen on many highly secret documents, a number of which have been declassified, like for example this statement from 1980 for a court case about NSA's information about UFOs.
  701.  
  702. Cryptologic Support Groups provide advice and assistance on SIGINT reporting and dissemination and are located at all major US military command headquarters, both inside and outside the United States. The locations of Cryptologic Support Groups in 2002 were:
  703. - STRATCOM: United States Strategic Command, Omaha
  704. - TRANSCOM: United States Transportation Command, Belleville
  705. - USSPACECOM: United States Space Command, Colorado Springs
  706. - JSOC: Joint Special Operations Command, Spring Lake
  707. - State Department, Washington
  708. - NMJIC: National Military Joint Intelligence Center, Washington
  709. - CIA: Central Intelligence Agency, Langley
  710. - ONI: Office of Naval Intelligence, Suitland
  711. - San Francisco
  712. - FORSCOM: United States Army Forces Command, Fort Bragg
  713. - JFCOM: United States Joint Forces Command, Norfolk
  714. - SOCOM: United States Special Operations Command, MacDill AFB
  715. - CENTCOM: United States Central Command, MacDill AFB
  716. - Key West (Naval Air Station)
  717. - SOUTHCOM: United States Southern Command, Doral
  718. - EUCOM: European Command, Molesworth
  719. - NAVEUR: United States Naval Forces Europe, London
  720. - USAREUR: United States Army Europe, Wiesbaden
  721. - USAFE: United States Air Forces in Europe, Ramstein
  722. - EUCOM: European Command, Stuttgart
  723. - USFK: United States Forces Korea, Seoul
  724. - Japan
  725. - Hawaii (United States Pacific Command)
  726.  
NSA metadata collection:
- telephony metadata, which are received by FASCIA, NSA's main ingest processor for telephony metadata;
- internet metadata, which are transferred to MARINA, a huge NSA database that can store internet metadata for up to a year;
- internet metadata that had to be deleted because there was apparently not enough storage space.

Except for the deleted metadata, the chart shows ca. 10,4 billion internet metadata (DNI) a day, which makes 312 billion a month or 3,7 trillion a year. There are ca. 4,5 billion telephony metadata (DNR) a day, which makes 135 billion a month or 1,6 trillion a year. If we compare these numbers with those from BOUNDLESSINFORMANT, we see a big difference:

There's a difference of 11 billion telephony metadata between both charts, but an even bigger gap exists for the internet metadata: the Volumes and Limits chart shows 215 billion more than BOUNDLESSINFORMANT. This discrepancy wasn't noticed in the press reports, nor in Greenwald's book, so at the moment there's no clear explanation for it.

From FASCIA, the telephony metadata go to MAINWAY, another huge NSA database that keeps this kind of data for at least five years. In 2006 it was estimated that MAINWAY contained 1,9 trillion (1.900.000.000.000) call detail records.

For comparison: in 2007, AT&T's Daytona system, which is used to manage its call detail records (CDRs), supported 2,8 trillion records. In 2012, T-Mobile USA Inc. upgraded to an IBM Netezza 1000 platform with a capacity of 2 petabytes. This is used for loading 17 billion records a day, making 510 billion a month and more than 6 trillion a year.

If we assume the telecom providers and NSA use "records" in the same sense, then this shows that the telecommunication companies produce far more phone call metadata than NSA collects. As T-Mobile USA alone apparently creates four times as many records as presented in NSA's BOUNDLESSINFORMANT tool, the domestic telephone metadata collection under section 215 of the Patriot Act cannot be included in the numbers we've seen so far.

NSA's British partner agency GCHQ, according to this slide from 2011, collects 50 billion metadata per day. This makes 1,5 trillion a month and an astonishing 18 trillion (18.000.000.000.000) a year! GCHQ also collects 600 million telephony metadata a day, which makes 18 billion a month. For indexing and searching the content of internet communications, GCHQ uses the TEMPORA system, which is capable of processing the traffic from 46 fiber-optic cables of 10 gigabits per second. This means that 21 petabytes of data flow past these systems every day.

NSA worldwide aggregated total: 221.919.881.317 (100%)

Edward Snowden saw the heat map with the 3 billion attributed to the United States as proof that NSA was conducting domestic surveillance, although the heat map itself cannot provide sufficient evidence for that. The 3 billion could very well relate to foreign communications which are just transiting the US, or to the American end of, for example, phone calls where the other end is a foreign suspect. Somewhat more information could have been provided by the bar charts for the US, but these haven't been published.

The number of 3.095.553.478 for the United States is the aggregated total. The number of internet records (DNI) for the US is 2.892.343.446, which leaves just 203.210.032 telephony records (DNR) or 0,065% of the aggregated total. In a table this looks like this:

United States total: 3.095.553.478 per month
Internet records (DNI): 2.892.343.446 per month
Telephony records (DNR): 203.190.032 per month

Special Source Operations (SSO) division published in Greenwald's book, we can also compare the number of data collected by this division with the total number of NSA data collection. We see that SSO, which is responsible for tapping the world's main fiber optic cables, accounts for 72% of all data:

NSA worldwide total: 221.919.881.317 (100%)

MUSCULAR contributes 60 gigabytes of data to the PINWALE database for internet content every day, which is 1,8 terabytes a month. As BOUNDLESSINFORMANT counts 181 million records for MUSCULAR, this would mean that 1 million internet metadata records represent almost 10 gigabytes of (content) data.

This correlation can be used to make a very rough estimate of the total amount of internet data collected by NSA. The worldwide total of 97 billion internet records a month would then equal some 961 terabytes of data each month or 11,5 petabytes a year (some numbers to compare are here; the new NSA data center in Bluffdale, Utah can store an estimated 12 exabytes, which is 12.000 petabytes).

The Special Source Operations (SSO) division is responsible for collecting data from major telephony and internet cables and switches. During the one-month period between December 10, 2012 and January 8, 2013, a total of more than 160 billion metadata records were counted, divided into 93 billion DNI (internet) records and 67 billion DNR (telephony) records.

SIGINT Activity Designator (SIGAD) US-3171 is a facility that is also known under the codename DANCINGOASIS, sometimes abbreviated as DGO. During the one-month period covered by the chart, this program collected 57.7 billion data records, more than twice as much as the program in second place: US-3180, codenamed SPINNERET. Third is US-3145 or MOONLIGHTPATH and fourth DS-300 or INCENSER.

Data filtering
The cable intercepted by DANCINGOASIS transfers 25 petabytes of communications data each day. Between 3 and 6 petabytes of that are scanned by NSA computers. These systems search the data for keywords that are determined by NSA's targeting offices.

Between 10 and 40 percent of the data (both content and metadata) collected under the DANCINGOASIS program are filtered out and stored in two databases: 43 gigabytes in one and 132 gigabytes in the other, every day.*

This means that 175 gigabytes of data are stored daily, which is 0,000007% of the 25 petabytes that are transmitted by the cable. The 175 gigabytes make 5,2 terabytes a month and 63 terabytes a year. Whether the 57,7 billion records collected under DANCINGOASIS also equal 5,2 terabytes of digital storage space seems questionable, however.

The book doesn't provide the names of the databases, so they are probably not the known ones like PINWALE, MAINWAY and MARINA. Therefore, the data from DANCINGOASIS might be stored in NSA's new cloud systems, the names of which NSA likes to keep secret for some reason or another.

Because of similar capacity limits across a range of collection programs, NSA is leaping forward with cloud-based collection systems and a huge new "mission data repository" in Utah.

December 21, 2012, SHELLTRUMPET had processed its 1 trillionth metadata record. Almost half of this volume was processed during 2012, and half of that volume, so one quarter of a trillion (250 billion) metadata records, came from DANCINGOASIS.*

June 6, 2013, and shows the dates when PRISM collection began for each provider:
- Microsoft: September 11, 2007
- Yahoo: March 12, 2008
- Google: January 14, 2009
- Facebook: June 3, 2009
- PalTalk: December 7, 2009
- YouTube: September 24, 2010
- Skype: February 2, 2011
- AOL: March 31, 2011
- Apple: October 2012

According to the book 'Der NSA Komplex', which was published by Der Spiegel in March 2014, PRISM also gained access to Microsoft's cloud service SkyDrive (now called OneDrive) as of March 2013. This was realized after months of cooperation between FBI and Microsoft.*

The Washington Post reported that in the speaker's notes accompanying the presentation, it's said that "98 percent of PRISM production is based on Yahoo, Google and Microsoft; we need to make sure we don't harm these sources". The Post also says that "PalTalk, although much smaller, has hosted traffic of substantial intelligence interest during the Arab Spring and in the ongoing Syrian civil war".

The program cost of 20 million dollars per year was initially interpreted as being the cost of the program itself, but later The Guardian revealed that NSA pays for expenses incurred by cooperating corporations, so it seems more likely that the 20 million is the total amount paid by NSA to the companies involved in the PRISM program.

The top-5 units tasking the most DNI requests for PRISM are:
- S2I: Counter-Terrorism Product Line (11.461 selectors)
- S2E: Middle East and Africa Product Line (6935 selectors)
- F6: NSA/CIA Special Collection Service (4007 selectors)
- S2D: Counter Foreign Intelligence Product Line (3796 selectors)
- F22: European Cryptologic Center (3523 selectors)

SCISSORS, which seems to be used for separating different types of data and protocols. Metadata and voice content then pass the ingest processing systems FALLOUT and CONVEYANCE respectively. Finally, the data are stored in the following NSA databases:
- MARINA: for internet metadata
- MAINWAY: for telephone and internet metadata contact chaining
- NUCLEON: for voice content
- PINWALE: for internet content, video content, and "FAA partitions"

The claim that NSA had "direct access" was not only based on this slide, but also on a misreading of a section from the draft of a 2009 NSA Inspector General report about the STELLARWIND program, which on page 17 says: "collection managers sent content tasking instructions directly to equipment installed at company-controlled locations". The Washington Post thought this referred to the companies involved in the PRISM program, but it actually was about Upstream Collection, which has filters installed at major internet switches. This follows from two facts: first, that the STELLARWIND program was terminated in January 2007 while PRISM only started later that year; second, that STELLARWIND only involved companies that operate the internet and telephony backbone cables, like AT&T and Verizon, not internet service providers like Facebook and Google.

Despite this clear evidence that speaks against "direct access" to company servers, Glenn Greenwald still sticks to that claim in his book No Place To Hide, which was published on May 13, 2014.

Sentinel Visualizer
The first intelligence analysis program is Sentinel Visualizer, which was developed by FMS Advanced Systems Group. This is a 'minority-owned' small business founded in 1986 and based in Vienna, Virginia, which provides custom software solutions to customers in over 100 countries.

FMS claims that In-Q-Tel, the CIA's venture capital arm, is an investor in FMS, apparently in order to improve their products so they can fit the needs of the CIA. FMS also claims that its product is much cheaper than the alternative, with the price of a single-computer license for its Sentinel Visualizer starting at 2699 USD, while IBM's Analyst's Notebook tool starts at 7160 USD.

SIGADs at the left designate the following programs:
- US-983: STORMBREW
- US-984*: BLARNEY under FISA authority
- US-984X*: Programs under FAA authority
- US-990: FAIRVIEW
- US-3140: MADCAPOCELOT
- US-3273: SILVERZEPHYR
- US-3354: COBALTFALCON

Although we don't know what the numbers stand for, it's clear that the programs under FAA authority (which also include PRISM) are by far the most productive ones.