Friday, 26 April 2019

New details about the joint NSA-BND operation Eikonal

(Updated: Jan 24, 2016)

This weblog first reported about the joint NSA-BND operation Eikonal on Oct 15, 2014, but meanwhile interesting new details became available from the hearings of the German parliamentary inquiry, and from recent disclosures by a politician from Austria.

Under operation Eikonal, the NSA cooperated with the German foreign intelligence service BND for access to transit cables from Deutsche Telekom in Frankfurt. Here follows an overview of what is known about this operation so far. New information may be added as it comes available.




> See for the latest: Unnoticed leak answers and raises questions about operation Eikonal



 

Initial reporting

Operation Eikonal was revealed by the regional German paper Süddeutsche Zeitung and the regional broadcasters NDR and WDR on Oct 4, 2014. They reported that between 2004 and 2008, the German foreign intelligence service BND had tapped into the Frankfurt internet exchange DE-CIX and shared the intercepted data with the NSA.

For this operation, NSA provided sophisticated interception equipment, which the Germans didn't have but were eager to use. Interception of telephone traffic started in 2004, internet data were captured since 2005. Reportedly, NSA was especially interested in communications from Russia.

To prevent communications of German citizens being passed on to NSA, BND installed a special program (called DAFIS) to filter these out. But according to the reporting, this filter didn't work properly from the beginning. An initial test in 2003 showed the BND that 5% of the data of German citizens could not be filtered out, which was considered a violation of the constitution.

Süddeutsche Zeitung reported that it was people noticed, Deutsche Telekom was not connected to DE-CIX when operation Eikonal took place, so something didn't add up.

As we will see, this was right, and the actual cable tap was not at DE-CIX, but took place at Deutsche Telekom. Nonetheless, many press reports still link Eikonal to the DE-CIX internet exchange.



Operations center room in the former BND headquarters in Pullach
(Photo: Martin Schlüter)


Eikonal as part of RAMPART-A

As was first reported by this weblog on Oct 15, 2014, operation Eikonal was part of the NSA umbrella program RAMPART-A, under which the Americans cooperate with 3rd Party countries who "provide access to cables and host U.S. equipment".

Details about the RAMPART-A program itself had already been revealed by the Danish paper investigate whether this company assisted BND in tapping the Frankfurt internet exchange.

During hearings of BND officials it became clear that operation Eikonal was not about tapping into the Frankfurt internet exchange DE-CIX, but about one or more cables from Deutsche Telekom. This was first confirmed by German media on Dec 4, 2014.


Hearing of Nov 6, 2014 (Live-blog)

According to witness T.B., who was heard on Nov 6, 2014, it was only during the test period that the filter system was able to filter out only 95% of German communications. When the system went live, this percentage rose to 99%, with a second stage that could filter out even more than 99%. When necessary, a final check was conducted by hand.


Hearing of Nov 13, 2014 (Live-blog - Official transcript)

During this hearing, the witness W.K. said that Eikonal was a one of a kind operation: there was targeted collection from traffic that transited Germany from one foreign country to another.

This was focussed on Afghanistan and anti-terrorism. Selected data were collected and forwarded to NSA. The internal codename for Eikonal was Granat, but that name wasn't shared with NSA. There was even a third codename.

For Germany, Eikonal was useful because it provided foreign intelligence for protecting German troops and countering terrorism. The NSA provided better technical equipment that BND didn't have. In return, BND provided NSA with data collected from transit traffic using search profiles about Afghanistan and anti-terrorism. BND was asked to cooperate because NSA isn't able to do everything themselves.

Eikonal provided only several hundred useful telephone calls, e-mail and fax messages a year, which was a huge disappointment for NSA. This, combined with the fact that it proved to be impossible to 100% guarantee that no German data were collected and forwarded, led BND to terminate the program.

For Eikonal, the cable traffic was filtered by using selectors provided by both NSA and BND. Although not all selectors can be attributed to a particular country and there may have been up to several hundred thousand selectors, witness W.K. said that BND was still able to check whether every single one was appropriate: only selectors that could be checked were used.



Hearing of Dec 4, 2014 (Live-blog - Official transcript)

During this hearing, BND-employee S.L., who was the project manager of operation Eikonal at BND headquarters, testified. He said that BND had rented two highly secured rooms of ca. 4 x 6 meters in the basement of a Deutsche Telekom switching center in the Frankfurt suburb Nied.

These rooms were only accessible for BND personnel and contained the front-end of the interception system, consisting of 19 inch racks, with telecommunication equipment like multiplexers, processors and servers. These devices were remotely controlled from the headquarters in Pullach.

Based upon analysis of public information about telecommunication networks, BND chose specific cables that would most likely contain traffic that seemed useful for the goals of the operation. It became clear that for redundancy purposes, cables only used 50% of their capacity. For example, 2 cables of 10 Gbit/s carried only 5 Gbit/s of traffic, so in case of a disruption, one cable could take over the traffic of the other one.



The switching center of Deutsche Telekom in Frankfurt-Nied
where some cables were tapped under operation Eikonal
(Screenshot: ZDF Frontal21)


After a specific coax or fiber-optic cable had been selected, technicians of Deutsche Telekom installed a splitter and a copy of the traffic was forwarded to one of the secure rooms, where it was fed into a (de-)multiplexer or a router so the signal could be processed. After they got rid of the peer-to-peer and websurfing traffic, the remaining communications data, like e-mail, were filtered by selectors from BND and NSA.

The selected data were sent back to BND headquarters in Pullach over a leased commercial line, of which the capacity was increased after the internet collection became fully operational. From Pullach to the JSA in Bad Aibling there was a 2 Mbit/s line.

Timeframe

Eikonal started with access to a telephone cable (Leitungsvermittelt). Project manager S.L. said that the first cable was connected (aufgeschaltet) in Dec 2004, but that its signal was too weak. Therefore, in Jan 2005, an amplifier was installed.

In February, March and April additional cables were connected, so telephony collection started in the spring of 2005. By the end of 2006, Deutsche Telekom announced that its business model for dedicated transit cables would be terminated, so in Jan 2007 the telephone collection ended.

BND also wanted access to internet traffic (Paketvermittelt), for which the first cable became available by the end of 2005, but because the backlink was missing, collection was technically not possible. This was solved in 2006, and in the spring of 2006 a second cable was added, and they tested the front-end system and later on the filter systems until mid-2007 (Probebetrieb).

During this stage, data were only forwarded to the joint NSA-BND unit JSA after a manual check. Fully automated forwarding only happened from late 2007 until operation Eikonal was terminated in June 2008 (Wirkbetrieb).

Legal issues

The collection of telephone communications from transit cables was done under the general authority of the BND Act, with details specified in the "Transit Agreement" between BND and Deutsche Telekom, which for the latter was signed by Bernd Köbele.

For the collection of internet data it was impossible to fully separate foreign and domestic traffic, so it couldn't be ruled out that German communications were in there too. Therefore, BND requested an order from the G10-commission, which, like the FISA Court in the US, has to approve data collection when their own citizens could be involved.

A G10-order describes the communication channel (Germany to/from a specific foreign country) that BND is allowed access to and the threat profile, and it also authorizes the search terms that may be used for filtering the traffic.

Such an order allows the collection of G10-data (communications with one end German), which were processed within BND's separate G10 Collection program. As a bycatch, this G10-interception also yielded fully foreign traffic (Routine-Verkehre), which was used for operation Eikonal:




Some employees from Deutsche Telekom and from BND had doubts about the legality of this solution, which seemed to use a G10-order as a cover for getting access to fully foreign internet traffic.

Eventually, the federal Chancellery, apparently upon request of the BND, issued a letter saying that the operation was legal. This convinced the Telekom management and the operation went on. It didn't become clear under what authority this letter was issued.

After BND had learned how to collect internet traffic from fiber-optic cable, it applied for G10-orders to intercept (one end German) communications from 25 foreign and domestic internet service providers in 2008. This time these cables were being tapped at the DE-CIX internet exchange, which is also in Frankfurt.

Results

The collection under operation Eikonal resulted in only a few hundred intelligence reports (German: Meldungen) a year, each consisting of one intercepted e-mail, fax message or phone call. These were burned onto a CD to hand them over to NSA personnel at the JSA.

According to S.L., metadata (containing up to 91 fields) were "cleaned" so only technical metadata (Sachdaten) were forwarded to the JSA, where they were used for statistical and analytical purposes.

Personal metadata (personenbezogene Daten), like e-mail and IP addresses, were not shared. Technical metadata are for example used to identify the telecommunication providers, transmission links and the various protocols.


Hearing of Dec 18, 2014 (Live-blog - Official transcript)

During this hearing, a talkative general Reinhardt Breitfelder, head of the SIGINT division from 2003-2006, confirmed many of the details from the earlier hearings of his subordinates. He also gave impressions of the dilemmas in dealing with the NSA and what to do with the equipment they provide.


Hearing of Jan 15, 2015 (Live-blog - Official transcript)

In this hearing, the commission questioned two employees from Deutsche Telekom (Harald Helfrich and Wolfgang Alster), but they provided very little new information, except that Deutsche Telekom personnel only know between which cities a cable runs, but they don't know what kind of traffic it contains - they are not allowed to look inside.


Hearing of Oct 1, 2015 (Live-blog)

Joachim Mewes from the Chancellery testified that somewhere in 2005, BND invited him and the G-10 Commission to visit the tapping site in Frankfurt, apparently to show that no filtering took place there, but that everything from the cable went to BND headquarters and was split up over there. This however contradicts other testimonies, saying that filtering was conducted near the access point.



A room where hearings of the parliamentary commission take place
(photo: DPA)

 

Disclosures from Austria

On May 15, 2015, Peter Pilz, member of the Austrian parliament for the Green party, disclosed an e-mail from an employee of the Deutsche Telekom unit for lawful intercept assistance (Regionalstelle für staatliche SonderAuflagen, ReSa), who notified someone from BND that apparently a particular fiber-optic cable had been connected to the interception equipment. The e-mail describes this cable as follows:

Transit STM1 (FFM 21 - Luxembourg 757/1), containing 4 links of 2 Mbit/s:

Channel 2: Luxembourg/VG - Wien/000 750/3
Channel 6: Luxembourg/CLUX - Moscow/CROS 750/1
Channel 14: Ankara/CTÜR - Luxembourg/CLUX 750/1
Channel 50: Luxembourg/VG - Prague/000 750/1

STM1 stands for Synchronous Transport Module level-1, which designates a transmission bit rate of 155,52 Mbit/second. A similar multiplexing method is Wavelength-Division Multiplexing (WDM), commonly used in submarine fiber-optic cables. The latter have a much larger capacity, generally STM-64 or 9,5 Gbit/second.

The number 757 is a so-called Leitungsschlüsselzahl (LSZ), which denotes a certain type of cable. In this case it stands for a channelized STM-1 base link (2 Mbit in 155 Mbit), which seems to be used for internal connections.

According to the meanwhile updated LSZ List, the number 750 stands for a "DSV2 Digitalsignal-Verbindung 2 Mbit/s", which is a digital signal path.

The cable mentioned in the e-mail thus only has a small capacity, which seems to indicate that NSA and/or BND selected it carefully.

FFM 21 stands for "Frankfurt am Main 21", which according to Deutsche Telekom's network map is the name of the Point-of-Presence (PoP) located at its facility in the Frankfurt suburb Nied - the location where the Eikonal tapping took place.

This means we have a physical cable running between Luxembourg and the Deutsche Telekom PoP in Frankfurt, but containing channels to cities which are much further, so they have to connect to channels within other physical cables that run from Frankfurt to Moscow, Prague, Vienna and Ankara, respectively:



As the e-mail is from Feb 3, 2005, it must relate to telephone collection, because for Eikonal, the first cable containing internet traffic only became available by the end of that year.


The Transit agreement

On May 18, the Austrian tabloid paper Kronen Zeitung published the full "Transit Agreement" (pdf) between BND and Deutsche Telekom, in which the latter agreed to provide access to transit cables, and in return will be paid 6.500,- euro a month for the expenses. The agreement came into retrospective effect as of Feb 2004.

This disclosure got little attention, but is rather remarkable, as such agreements are closely guarded secrets. The Transit agreement existed in only two copies: one for BND and one for Deutsche Telekom.

It is not known how Pilz came into possession of these documents, but it seems the source must be somewhere within the German parliamentary investigation commission. They are the only persons outside BND and Deutsche Telekom who, for the purpose of their inquiry, got access to the agreement and the other documents.

Leaking these documents to Pilz seems not a very smart move, as it will further minimize the chance that the commission will ever get access to the list of suspicious NSA selectors.


Country lists

On May 19, Pilz held a press conference (mp3) in Berlin, together with the chairman of the Green party in Luxembourg and a representative of the German Green party. Here, Pilz presented a statement (pdf), which includes the aforementioned e-mail, 10 questions to the German government, and two tables with cable links to or from Austria and Luxembourg:



Lists of links that apparently were on a priority list of NSA.
LSZ = Leitungsschlüsselzahl (cable type identifier);
Endstelle = Endpoint; Österreich = Austria.
(Source: Peter Pilz)



According to Pilz, the full list contains 256 cable links. 94 of them connect European Union member states, 40 run between European Union members and other European countries like Switzerland, Russia, Serbia, Bosnia-Herzegovina, Ukraine, Belarus and Turkey. 122 links connect European countries with nations all over the world, with Saudi Arabia, Japan, Dubai and China being mentioned most.

The country which most links (71) run to or from is the Netherlands. The list for that country was disclosed by Peter Pilz during a press conference in Brussels on May 28, 2015. The US, Great Britain and Canada are not on the list, although there were apparently 156 links from/to Great Britain too.

Updates:

On June 25, 2015, the Dutch telecommunication provider KPN announced the results of its inquiry into the alleged tapping of its cables. It was very hard to identify the channels in the list because meanwhile KPN's whole network had been restructured. Eventually it became clear the connections (being channels within cables and KPN only being responsible for the first half until Frankfurt) had been rented out under telephony wholesale contracts, so it was impossible to trace individual customers or users.

On Oct 2, 2015, the Slovenian television journal POP TV revealed that also links to/from Slovenia, Croatia, Serbia and Bosnia and Herzegovina were on the NSA's "yellow list" obtained by Peter Pilz.

On Jan 16, 2016, Finnish media reported that the list also contained 6 transit links to/from Finland.
 
Additional details

On June 5, 2015, Peter Pilz held a press conference in Paris, where he presented a statement (.docx) containing a list of 51 transit links to or from France. Interestingly, this list now also includes some additional technical identifiers for these links, which were apparently left out in the earlier ones:



First part of the list with links related to France
(Source: Peter Pilz)


On June 29, 2015, Peter Pilz presented a similar detailed list (.pdf) of 28 transit links to and from Poland.

According to the updated LSZ List, the new codes in these lists stand for:

- 703: VC3 Virtual Container connection with 48,960 MBit/s
- 710: (not yet known)
- 712: VC12 Virtual Container connection with 2,240 MBit/s
- 720: (not yet known)
- 730: (not yet known)

VC3 and VC12 are from the Synchronous Digital Hierarchy (SDH) protocol to transfer multiple digital bit streams synchronously over optical fiber. This has the option for virtual containers for the actual payload data. VC3 is for mapping 34/45 Mbit/s (E3/DS3) signals; VC4 for 140 Mbit/s (E4); VC12 for 2 Mbit/s (E1).

The new identifiers in this list stand for: O-nr.: Ordnungsnummer; GRUSSZ: Grundstücksschlüsselzahl; FACHSZ: Fachschlüsselzahl.

No information about these identifiers was found yet, but by analysing the data in the list, it seems that the FACHSZ codes are related to a telecom provider. France Telecom for example appears with FACHSZ codes CFT, VPAS, VCP3, VB5 or 0.

The GRUSSZ number identifies a particular city, with the first two or three digits corresponding with the international telephone country codes. The last two digits seem to follow a different scheme, as we can see that a capital always ends with "10":

- Paris = 33010
- Lyon = 33190
- Reims = 33680
- Brussels = 32010
- Prague = 42010
- Oslo = 47010
- Warsaw = 48010
- Poznan = 48020
- Moscow = 70010

It's possible that these are just internal codes used by Deutsche Telekom, as internationally, connections between telephone networks are identified by Point Codes (PC). From the Snowden-revelations we know that these codes are also used by NSA and GCHQ to designate the cable links they intercept.



NSA or BND wish lists?

Initially, Peter Pilz claimed these links were samples from a priority list of the NSA, but on May 27, he said in Switzerland that the list was from BND, and was given to NSA, who marked in yellow the links they wanted to have fully monitored.

The German parliamentary hearings were also not very clear about these lists. On Dec 4, project manager S.L. confirmed that NSA had a wish list for circuit-switched transit links, but in the hearing from Jan 15 it was said that there was a "wish list of BND" containing some 270 links. And on March 5, former SIGINT manager Urmann said he couldn't remember that NSA requested specific communication links.

Maybe the solution is provided by the Dutch website De Correspondent, which reports that there is a much larger list (probably prepared by BND) of some thousand transit links, of which ca. 250 were marked in yellow (probably those prioritized by NSA).


Whose cables?

Media reports say that these cables belong to the providers from various European countries, but that seems questionable. As we saw in the aforementioned e-mail, it seems most likely that the lists show channels within fiber-optic cables, and that the physical cables all run between the Deutsche Telekom switching facility in Frankfurt and the cities we see in the lists.

In theory, these cables could be owned or operated by those providers mentioned in the lists, but then they would rather connect at a peering point like the DE-CIX internet exchange, where providers exchange traffic with each other.

In this case, it seems more likely that the physical cables are part of Deutsche Telekom's Tier 1 network, which is a worldwide backbone that connects the networks of lower-level internet providers.



Simplified structure of the Internet, showing how Tier 1, Tier 2 and Tier 3 providers
transit data traffic in a hierarchical way and how Tier 2 providers exchange
traffic directly through peering at an Internet eXchange Point (IXP)
(diagram: Wikimedia Commons)


Questions

It is not clear how many of the over 250 links on the list were actually intercepted. We only know that for sure for the STM-1 cable with the 4 channels described in the aforementioned e-mail from Deutsche Telekom to BND.

Strange is the fact that during the parliamentary hearings, most BND witnesses spoke about "a cable in Frankfurt", which sounds like one single physical cable, whereas the disclosures by Peter Pilz clearly show that multiple channels must have been intercepted.

Update:
During the commission hearing of Jan 29, 2015, BND technical engineer A.S. said that under operation Eikonal, telephone traffic came in with a data rate of 622 Mbit/s. This equals a standard STM-4 cable, which contains 252 channels of 2 Mbit/s. This number comes close to the channels on the "wish list", but it seems not possible that those were all in just one physical cable.

Another question is whether it is possible to only filter the traffic from specific channels, or that one has to have access to the whole cable.

It should be noted that not the entire communications traffic on these links was collected and stored, but that it was filtered for specific selectors, like phone numbers and e-mail addresses. Only the traffic for which there was a match was picked out and processed for analysis.


Possible targets

Based upon these documents, Peter Pilz filed a complaint (pdf) against 3 employees of Deutsche Telekom and one employee of BND for spying on Austria, although at the same time he said he was convinced the NSA was most interested not in Austrian targets, but in the offices of the UN, OPEC and OSCE in Vienna.

Apparently he didn't consider the fact that Eikonal was part of the RAMPART-A umbrella program, which is aimed at targets in Russia, the Middle East and North Africa. Many cities mentioned in the disclosed lists seem to point to Russia as target, and project manager S.L. testified that Eikonal was mainly used for targets related to Afghanistan, which fits the fact that there are for example 13 links to Saudi Arabia.

Green party members from various countries claimed that this cable tapping was used for economic or industrial espionage, but so far, there is no specific indication, let alone evidence for that claim.



Links and sources
- LeMonde.fr: Deutsche Telekom a espionné la France pour le compte de la NSA
- Tagesschau.de: Europa verlangt Aufklärung von Berlin
- DeCorrespondent.nl: Er is geen enkel bewijs dat de Nederlandse kabels zijn afgetapt
- Volkskrant.nl: 71 KPN-internetverbindingen afgetapt door geheime diensten
- NRC.nl: Telekom und BND Angezeigt: Es leakt sich was zusammen
- Zeit.de: Daten abfischen mit Lizenz aus dem Kanzleramt
