New Zealand Spy Agency To Vet Network Builds, Provider Staff
I realize that New Zealand is *not* in North America (hence NANOG), but I figure that some global providers might be interested here.
This sounds rather... dire (probably not the right word).
"The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation."
http://yro.slashdot.org/story/14/05/13/005259/new-zealand-spy-agency-to-vet-...
FYI,
- ferg
-- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
It got a pretty firefight discussion at the NZNOG. None of the ISPs feel comfortable with it, but in avoiding a shoot-the-messenger syndrome they tried to give good feedback to the reps from GCSB who came to talk. Basically, a lot of post-act variations are expected to clarify what changes do and do not have to be notified.
There was a lot of bitter humour about calling them at 3am to report BGP failures and ask permission to remediate.
On Tue, May 13, 2014 at 3:33 PM, Paul Ferguson <fergdawgster@mykolab.com> wrote:
I realize that New Zealand is *not* in North America (hence NANOG), but I figure that some global providers might be interested here.
This sounds rather... dire (probably not the right word).
"The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation."
http://yro.slashdot.org/story/14/05/13/005259/new-zealand-spy-agency-to-vet-...
FYI,
- ferg
-- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
So is there just reluctant acceptance of this law, or is there push-back and plans to repeal, or...?
I guess my question is something along the lines of "Are people just reluctantly accepting that government surveillance & micromanagement of private businesses/networks is a fact of life?"
I am purposefully making a distinction here between the U.S. CALEA [1] and NSLs [2] and a NZ spy agency getting "...to decide on network equipment procurement and design decisions".
The latter seems like a bit of an overreach?
- ferg
[1] https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_...
[2] https://en.wikipedia.org/wiki/National_security_letter
On 5/13/2014 6:40 AM, George Michaelson wrote:
It got a pretty firefight discussion at the NZNOG. None of the ISPs feel comfortable with it, but in avoiding a shoot-the-messenger syndrome they tried to give good feedback to the reps from GCSB who came to talk. Basically, a lot of post-act variations are expected to clarify what changes do and do not have to be notified.
There was a lot of bitter humour about calling them at 3am to report BGP failures and ask permission to remediate.
On Tue, May 13, 2014 at 3:33 PM, Paul Ferguson <fergdawgster@mykolab.com> wrote:
I realize that New Zealand is *not* in North America (hence NANOG), but I figure that some global providers might be interested here.
This sounds rather... dire (probably not the right word).
"The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation."
http://yro.slashdot.org/story/14/05/13/005259/new-zealand-spy-agency-to-vet-...
FYI,
- ferg
-- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
I can't speak to that Paul. I attended NZNOG as a guest, I'm from Australia. Others will have to say how the NZ industry is approaching this, I'd get it wrong if I tried!
-G
On Tue, May 13, 2014 at 3:49 PM, Paul Ferguson <fergdawgster@mykolab.com> wrote:
So is there just reluctant acceptance of this law, or is there push-back and plans to repeal, or...?
I guess my question is something along the lines of "Are people just reluctantly accepting that government surveillance & micromanagement of private businesses/networks is a fact of life?"
I am purposefully making a distinction here between the U.S. CALEA [1] and NSLs [2] and a NZ spy agency getting "...to decide on network equipment procurement and design decisions".
The latter seems like a bit of an overreach?
- ferg
[1] https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_...
[2] https://en.wikipedia.org/wiki/National_security_letter
On 5/13/2014 6:40 AM, George Michaelson wrote:
It got a pretty firefight discussion at the NZNOG. None of the ISPs feel comfortable with it, but in avoiding a shoot-the-messenger syndrome they tried to give good feedback to the reps from GCSB who came to talk. Basically, a lot of post-act variations are expected to clarify what changes do and do not have to be notified.
There was a lot of bitter humour about calling them at 3am to report BGP failures and ask permission to remediate.
On Tue, May 13, 2014 at 3:33 PM, Paul Ferguson <fergdawgster@mykolab.com> wrote:
I realize that New Zealand is *not* in North America (hence NANOG), but I figure that some global providers might be interested here.
This sounds rather... dire (probably not the right word).
"The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation."
http://yro.slashdot.org/story/14/05/13/005259/new-zealand-spy-agency-to-vet-...
FYI,
- ferg
-- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
I can't speak to that Paul. I attended NZNOG as a guest, I'm from Australia. Others will have to say how the NZ industry is approaching this, I'd get it wrong if I tried!
The industry in New Zealand is responding with "Nobody listened to us and we have no damn choice but to do what the government orders us to do". The general public is completely unaware of what has just happened and as long as there is still beer in the fridge and the game on TV they don't seem to give much of a toss.
On Tuesday, May 13, 2014 03:49:09 PM Paul Ferguson wrote:
I am purposefully making a distinction here between the U.S. CALEA [1] and NSLs [2] and a NZ spy agency getting "...to decide on network equipment procurement and design decisions".
The latter seems like a bit of an overreach?
I have to agree. Telling me what to buy - that's another realm, even for me...
Mark.
On 13 May 2014, at 15:49, Paul Ferguson <fergdawgster@mykolab.com> wrote:
So is there just reluctant acceptance of this law, or is there push-back and plans to repeal, or...?
This was news to me when I heard about it the other day (because apparently I am a bad kiwi and do not keep myself informed), but it does sound like the conversation at NZNOG resulted in an exception list that makes the general idea at least a little more practical, if not palatable. See
http://ncsc.govt.nz/assets/TICSA/NCSC-Guidance-for-Network-Operators.pdf
http://ncsc.govt.nz/assets/TICSA/Notice-of-Exemptions.pdf
The recent NZNOG discussion is hereabouts:
http://list.waikato.ac.nz/pipermail/nznog/2014-May/020802.html
Joe
Yep… If I had infrastructure in NZ, that would be enough to cause me to remove it.
Owen
On May 13, 2014, at 6:33 AM, Paul Ferguson <fergdawgster@mykolab.com> wrote:
I realize that New Zealand is *not* in North America (hence NANOG), but I figure that some global providers might be interested here.
This sounds rather... dire (probably not the right word).
"The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation."
http://yro.slashdot.org/story/14/05/13/005259/new-zealand-spy-agency-to-vet-...
FYI,
- ferg
-- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
Don't get me wrong, I'm not a fan of this. But at least they did it in the open, unlike the NSA (where you live).
-- TTFN, patrick
On May 13, 2014, at 12:12 , Owen DeLong <owen@delong.com> wrote:
Yep… If I had infrastructure in NZ, that would be enough to cause me to remove it.
Owen
On May 13, 2014, at 6:33 AM, Paul Ferguson <fergdawgster@mykolab.com> wrote:
I realize that New Zealand is *not* in North America (hence NANOG), but I figure that some global providers might be interested here.
This sounds rather... dire (probably not the right word).
"The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation."
http://yro.slashdot.org/story/14/05/13/005259/new-zealand-spy-agency-to-vet-...
FYI,
- ferg
-- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
I live in the USA and have not been forced to register with the government as a network operator or have them vet my staff.
On 5/13/2014 11:34 AM, Patrick W. Gilmore wrote:
Don't get me wrong, I'm not a fan of this. But at least they did it in the open, unlike the NSA (where you live).
-- ================================================================ Aaron Wendel Chief Technical Officer Wholesale Internet, Inc. (AS 32097) (816)550-9030 http://www.wholesaleinternet.com ================================================================
They already have all the information and did it for you. You are just not aware of it.
----- Alain Hebert ahebert@pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
On 05/13/14 12:40, Aaron wrote:
I live in the USA and have not been forced to register with the government as a network operator or have them vet my staff.
On 5/13/2014 11:34 AM, Patrick W. Gilmore wrote:
Don't get me wrong, I'm not a fan of this. But at least they did it in the open, unlike the NSA (where you live).
I didn’t see the NSA telling us what we had to buy or demanding advance approval rights on our maintenance procedures.
Owen
On May 13, 2014, at 9:34 AM, Patrick W. Gilmore <patrick@ianai.net> wrote:
Don't get me wrong, I'm not a fan of this. But at least they did it in the open, unlike the NSA (where you live).
-- TTFN, patrick
On May 13, 2014, at 12:12 , Owen DeLong <owen@delong.com> wrote:
Yep… If I had infrastructure in NZ, that would be enough to cause me to remove it.
Owen
On May 13, 2014, at 6:33 AM, Paul Ferguson <fergdawgster@mykolab.com> wrote:
I realize that New Zealand is *not* in North America (hence NANOG), but I figure that some global providers might be interested here.
This sounds rather... dire (probably not the right word).
"The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation."
http://yro.slashdot.org/story/14/05/13/005259/new-zealand-spy-agency-to-vet-...
FYI,
- ferg
-- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
Exactly. They just broke in and left a trail of open doors behind.
Again, not saying either is good, just saying at least NZ is being "above board".
-- TTFN, patrick
On May 13, 2014, at 14:01 , Owen DeLong <owen@delong.com> wrote:
I didn’t see the NSA telling us what we had to buy or demanding advance approval rights on our maintenance procedures.
Owen
On May 13, 2014, at 9:34 AM, Patrick W. Gilmore <patrick@ianai.net> wrote:
Don't get me wrong, I'm not a fan of this. But at least they did it in the open, unlike the NSA (where you live).
-- TTFN, patrick
On May 13, 2014, at 12:12 , Owen DeLong <owen@delong.com> wrote:
Yep… If I had infrastructure in NZ, that would be enough to cause me to remove it.
Owen
On May 13, 2014, at 6:33 AM, Paul Ferguson <fergdawgster@mykolab.com> wrote:
I realize that New Zealand is *not* in North America (hence NANOG), but I figure that some global providers might be interested here.
This sounds rather... dire (probably not the right word).
"The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation."
http://yro.slashdot.org/story/14/05/13/005259/new-zealand-spy-agency-to-vet-...
FYI,
- ferg
-- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
While I applaud NZ being open and honest about it, I do think that they have gone quite a bit further than the NSA and that their proposal is far more damaging.
Owen
On May 13, 2014, at 2:25 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:
Exactly. They just broke in and left a trail of open doors behind.
Again, not saying either is good, just saying at least NZ is being "above board".
-- TTFN, patrick
On May 13, 2014, at 14:01 , Owen DeLong <owen@delong.com> wrote:
I didn’t see the NSA telling us what we had to buy or demanding advance approval rights on our maintenance procedures.
Owen
On May 13, 2014, at 9:34 AM, Patrick W. Gilmore <patrick@ianai.net> wrote:
Don't get me wrong, I'm not a fan of this. But at least they did it in the open, unlike the NSA (where you live).
-- TTFN, patrick
On May 13, 2014, at 12:12 , Owen DeLong <owen@delong.com> wrote:
Yep… If I had infrastructure in NZ, that would be enough to cause me to remove it.
Owen
On May 13, 2014, at 6:33 AM, Paul Ferguson <fergdawgster@mykolab.com> wrote:
I realize that New Zealand is *not* in North America (hence NANOG), but I figure that some global providers might be interested here.
This sounds rather... dire (probably not the right word).
"The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation."
http://yro.slashdot.org/story/14/05/13/005259/new-zealand-spy-agency-to-vet-...
FYI,
- ferg
-- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
I didn't see the NSA telling us what we had to buy or demanding advance approval rights on our maintenance procedures.
Owen
Try to get approval to land a submarine cable onto US soil using Huawei DWDM kit and then come back to us.
On May 13, 2014, at 17:47 , Tony Wicks <tony@wicks.co.nz> wrote:
I didn't see the NSA telling us what we had to buy or demanding advance approval rights on our maintenance procedures.
Owen
Try to get approval to land a submarine cable onto US soil using Huawei DWDM kit and then come back to us.
Hey, now, that's not fair. The NSA is just doing what any large player who dominates their space does - try to block out the competition!
Copy/pasting from a friend of mine (he can out himself if he likes):
http://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-...
- But while American companies were being warned away from supposedly untrustworthy Chinese routers, foreign organisations would have been well advised to beware of American-made ones. A June 2010 report from the head of the NSA's Access and Target Development department is shockingly explicit. The NSA routinely receives or intercepts routers, servers, and other computer network devices being exported from the US before they are delivered to the international customers.
- The agency then implants backdoor surveillance tools, repackages the devices with a factory seal, and sends them on. The NSA thus gains access to entire networks and all their users. The document gleefully observes that some "SIGINT tradecraft is very hands-on (literally!)".
- Eventually, the implanted device connects back to the NSA. The report continues: "In one recent case, after several months a beacon implanted through supply-chain interdiction called back to the NSA covert infrastructure. This call back provided us access to further exploit the device and survey the network."
- It is quite possible that Chinese firms are implanting surveillance mechanisms in their network devices. But the US is certainly doing the same.
- Warning the world about Chinese surveillance could have been one of the motives behind the US government's claims that Chinese devices cannot be trusted. But an equally important motive seems to have been preventing Chinese devices from supplanting American-made ones, which would have limited the NSA's own reach. In other words, Chinese routers and servers represent not only economic competition but also surveillance competition.
Makes you proud to be an UH-mer-e-kan, dunnit?
-- TTFN, patrick
On May 13, 2014, at 4:52 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:
- Warning the world about Chinese surveillance could have been one of the motives behind the US government's claims that Chinese devices cannot be trusted. But an equally important motive seems to have been preventing Chinese devices from supplanting American-made ones, which would have limited the NSA's own reach. In other words, Chinese routers and servers represent not only economic competition but also surveillance competition.
Case in point on Sprint/Softbank merger http://www.theverge.com/2013/3/28/4155714/us-wants-sprint-softbank-deal-to-a...
Should we as a community look at Open Hardware when we start to lose trust in vendors and governments? Can we make boards/ASIC/FPGA commodity enough to scale?
Zaid
On May 13, 2014, at 6:24 PM, Zaid Ali Kahn <zaid@zaidali.com> wrote:
Case in point on Sprint/Softbank merger http://www.theverge.com/2013/3/28/4155714/us-wants-sprint-softbank-deal-to-a...
Any such deal would also be subject to CFIUS and mandatory 5-year reviews as well. If you think your PII isn’t shared with the Government as part of this, your blinders are on.
- Jared
On Tue, May 13, 2014 at 05:52:58PM -0400, Patrick W. Gilmore wrote:
On May 13, 2014, at 17:47 , Tony Wicks <tony@wicks.co.nz> wrote:
I didn't see the NSA telling us what we had to buy or demanding advance approval rights on our maintenance procedures.
Owen
Try to get approval to land a submarine cable onto US soil using Huawei DWDM kit and then come back to us.
Hey, now, that's not fair. The NSA is just doing what any large player who dominates their space does - try to block out the competition!
Copy/pasting from a friend of mine (he can out himself if he likes):
http://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-...
- But while American companies were being warned away from supposedly untrustworthy Chinese routers, foreign organisations would have been well advised to beware of American-made ones. A June 2010 report from the head of the NSA's Access and Target Development department is shockingly explicit. The NSA routinely receives or intercepts routers, servers, and other computer network devices being exported from the US before they are delivered to the international customers.
- The agency then implants backdoor surveillance tools, repackages the devices with a factory seal, and sends them on. The NSA thus gains access to entire networks and all their users. The document gleefully observes that some "SIGINT tradecraft is very hands-on (literally!)".
- Eventually, the implanted device connects back to the NSA. The report continues: "In one recent case, after several months a beacon implanted through supply-chain interdiction called back to the NSA covert infrastructure. This call back provided us access to further exploit the device and survey the network."
- It is quite possible that Chinese firms are implanting surveillance mechanisms in their network devices. But the US is certainly doing the same.
- Warning the world about Chinese surveillance could have been one of the motives behind the US government's claims that Chinese devices cannot be trusted. But an equally important motive seems to have been preventing Chinese devices from supplanting American-made ones, which would have limited the NSA's own reach. In other words, Chinese routers and servers represent not only economic competition but also surveillance competition.
This comes as absolutely no surprise to me. I heard rumbles and rumors as far back as Gulf War I that just before the "shock and awe" assault, the Iraqi milnet, and in particular their C3I net, went down hard, reducing them to radio and POTS. The outage was attributed to our penetration of that net through router/switch backdoors, and to magic packets to hard-kill the routers. While the sources were not, TTBOMK, inside the classification barrier, the assertions and claims seemed quite plausible then; in light of the Snowden disclosures to date, they seem not merely plausible, but eminently probable.
-- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin
On May 13, 2014, at 2:47 PM, Tony Wicks <tony@wicks.co.nz> wrote:
I didn't see the NSA telling us what we had to buy or demanding advance approval rights on our maintenance procedures.
Owen
Try to get approval to land a submarine cable onto US soil using Huawei DWDM kit and then come back to us.
Last I looked, you were free to change out the kit on your submarine cable to anything you wanted once the cable was landed.
Owen
On Wednesday, May 14, 2014 03:35:41 PM Owen DeLong wrote:
Last I looked, you were free to change out the kit on your submarine cable to anything you wanted once the cable was landed.
Things could have changed now, but if memory serves, you would be asked to reconfirm your kit during intervals and/or if you tried to get any additional services deployed within the U.S. It's been a while since I ran a cable into the U.S., so this could have changed.
Mark.
No, they just intercept whatever gear you do purchase before it gets to your loading dock and then seal it back up with their modifications.
Matthew Kaufman (Sent from my iPhone)
On May 13, 2014, at 11:01 AM, Owen DeLong <owen@delong.com> wrote:
I didn’t see the NSA telling us what we had to buy or demanding advance approval rights on our maintenance procedures.
Owen
On May 13, 2014, at 9:34 AM, Patrick W. Gilmore <patrick@ianai.net> wrote:
Don't get me wrong, I'm not a fan of this. But at least they did it in the open, unlike the NSA (where you live).
-- TTFN, patrick
On May 13, 2014, at 12:12 , Owen DeLong <owen@delong.com> wrote:
Yep… If I had infrastructure in NZ, that would be enough to cause me to remove it.
Owen
On May 13, 2014, at 6:33 AM, Paul Ferguson <fergdawgster@mykolab.com> wrote:
I realize that New Zealand is *not* in North America (hence NANOG), but I figure that some global providers might be interested here.
This sounds rather... dire (probably not the right word).
"The new Telecommunications (Interception Capability and Security) Act of 2013 is in effect in New Zealand and brings in several drastic changes for ISPs, telcos and service providers. One of the country's spy agencies, the GCSB, gets to decide on network equipment procurement and design decisions (PDF), plus operators have to register with the police and obtain security clearance for some staff. Somewhat illogically, the NZ government pushed through the law combining mandated communications interception capabilities for law enforcement, with undefined network security requirements as decided by the GCSB. All network operators are subject to the new law, including local providers as well as the likes of Facebook, Google, Microsoft, who have opposed it, saying the new statutes clash with overseas privacy legislation."
http://yro.slashdot.org/story/14/05/13/005259/new-zealand-spy-agency-to-vet-...
FYI,
- ferg
-- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
participants (14)
- Aaron
- Alain Hebert
- George Michaelson
- Jared Mauch
- Joe Abley
- Mark Tinka
- Matthew Kaufman
- Mike A
- Owen DeLong
- Patrick W. Gilmore
- Paul Ferguson
- Tom Hill
- Tony Wicks
- Zaid Ali Kahn