Monday, March 10, 2008


The Whistleblower's Tale . . . and other FISA folly

Another affidavit [.pdf] has surfaced that gives further credence to tales of spying without a warrant by our nation's telephone companies, in this case Verizon Wireless, according to a story in Wired's Threat Level Blog.

Babak Pasdar, CEO of communications security firm Bat Blue, and a "Certified Ethical Hacker," testified that the Verizon Wireless East Coast Data Center had a circuit called "The Quantico Circuit" that was excepted from his firewall and fraud detection work. Quantico, Virginia, is headquarters for the FBI's electronic surveillance operations.

When Pasdar asked where the Quantico Circuit went, one of the other consultants on the job (named "C1" in the affidavit) smiled, "a very telling smile [that indicated] we were discussing something unusual," but did not answer the question. Later in the conversation, when Pasdar suggested that everything should be at least logged, another consultant, "C2," showed "body language [that] showed that he was very uncomfortable discussing the matter."

Then, by surprise, the Verizon Wireless Director of Security showed up. Pasdar testifies,

The tentative, uncertain DS I had known was transformed into a man wagging his finger in my face and telling me to "forget about the circuit" and move on with the migration, and if I couldn't do that then he would get somebody who would.

I politely and in a low-key manner informed the DS that my intention was to deliver security in line with industry-acceptable use scenarios, and although I am not intimately familiar with their security policy, it was reasonable to think that having a third party with completely open access to their network core was against organizational policy.

DS did not want to hear any of it and re-doubled his emphatic message to move on. This was serious stuff. He had let me know in no uncertain terms that I was treading above my pay grade.

When DS left, I asked C1, "Is this what I think it is?"

"What do you think?" he replied again, smiling.

I shifted the focus. "Forgetting about who it is, don't you think it is unusual for some third party to have completely open access to your systems like this? You guys are even firewalling your internal offices, and they are part of your own company."

C1 said, "Dude, that's what they want."

I didn't bother asking who "they" were this time. "They" now had a surrogate face -- DS.

Pasdar then testifies that the Quantico Circuit,

. . . was tied to the organization's core network. It had access to the billing system, text messaging, fraud detection, web site, and pretty much all the systems in the data center without apparent restrictions.

Pasdar concludes that not only is it possible for a third party to gain sensitive information using such a circuit, but also -- and this was missed by the Wired Threat Level -- to exert control over the network. Boy, I'd like to see some scenarios for what's possible . . .
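The affidavit describes three distinct policy failures: a circuit that bypasses the firewall entirely, a third party with unrestricted reach into core systems, and traffic that is not even logged. The following audit script is an added illustration written for this post, not code from the affidavit or from any Verizon system; the zone names, rules and severity levels are constructed. It takes a simplified zone-based ruleset and reports each of those conditions, plus the missing logged default deny that lets unmatched traffic through silently.

```python
"""Audit a zone-based firewall ruleset for third-party circuits that bypass
filtering or logging.

Constructed example: zone names, rules and severities are invented for
illustration and describe no real network.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # interface/zone the traffic arrives on ("any" = wildcard)
    dst_zone: str
    service: str    # "any" or a single service such as "tcp/443"
    action: str     # "permit" or "deny"
    log: bool       # whether matches on this rule are logged


@dataclass(frozen=True)
class Finding:
    rule: str       # rule name, or "<none>" for zone-level findings
    severity: str
    reason: str


def audit(rules: List[Rule], third_party_zones: Set[str], core_zones: Set[str]) -> List[Finding]:
    """Return policy violations concerning traffic from third-party zones."""
    findings: List[Finding] = []

    # 1. A third-party zone that no rule references never hits the policy at
    #    all: this is the "excepted from the firewall" case.
    referenced = {r.src_zone for r in rules} | {r.dst_zone for r in rules}
    for zone in sorted(third_party_zones - referenced):
        findings.append(Finding("<none>", "critical",
                                f"zone {zone!r} is not covered by any rule (bypasses firewall)"))

    for r in rules:
        if r.src_zone not in third_party_zones or r.action != "permit":
            continue
        # 2. Unrestricted reach from an outside party into core systems.
        if r.dst_zone in core_zones and r.service == "any":
            findings.append(Finding(r.name, "high",
                                    f"third-party zone {r.src_zone!r} may reach core zone "
                                    f"{r.dst_zone!r} on any service"))
        # 3. Permitted third-party traffic that leaves no audit trail.
        if not r.log:
            findings.append(Finding(r.name, "medium",
                                    f"permit from third-party zone {r.src_zone!r} is not logged"))

    # 4. The ruleset must end in a logged deny so that unmatched traffic is
    #    both blocked and visible.
    if not rules or rules[-1].action != "deny" or not rules[-1].log:
        findings.append(Finding(rules[-1].name if rules else "<none>", "high",
                                "ruleset does not end with a logged default deny"))
    return findings


# Constructed inventory: which zones belong to outside parties, which hold core systems.
THIRD_PARTY = {"third-party-circuit", "vendor-vpn"}
CORE = {"core", "billing", "messaging", "fraud-detection"}

# Weak ruleset: one third-party circuit is never mentioned (unfiltered), and the
# vendor VPN is permitted any service into billing without logging.
WEAK_RULES = [
    Rule("allow-vendor-core", "vendor-vpn", "billing", "any", "permit", log=False),
    Rule("allow-office-dns", "office", "core", "udp/53", "permit", log=False),
    Rule("deny-all", "any", "any", "any", "deny", log=True),
]

# Hardened ruleset: every third-party zone is covered, access is narrowed to
# one service, third-party permits are logged, and the policy ends in a logged deny.
HARDENED_RULES = [
    Rule("allow-vendor-https", "vendor-vpn", "billing", "tcp/443", "permit", log=True),
    Rule("deny-circuit", "third-party-circuit", "any", "any", "deny", log=True),
    Rule("allow-office-dns", "office", "core", "udp/53", "permit", log=False),
    Rule("deny-all", "any", "any", "any", "deny", log=True),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"== {label}: {len(audit(rules, THIRD_PARTY, CORE))} finding(s)")
        for f in audit(rules, THIRD_PARTY, CORE):
            print(f"  [{f.severity}] {f.rule}: {f.reason}")
```

The zone-level check is the one that matters most here: a circuit that simply is not in the policy produces no rule hits, no logs and no alerts, so an inventory-driven comparison of "zones we know about" against "zones the policy actually governs" is the only way to surface it.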

A letter [.pdf] from Representatives Dingell, Markey and Stupak, dated March 6, also misses the possibility that the Quantico Circuit could be used to control the Verizon Wireless network. The letter renews the call to not pass a retroactive telco amnesty law until Congress gets the facts it has requested from the Bush Administration, and asserts that the Bush Administration has prohibited the telcos from talking to Congress.

Negotiations on FISA and retroactive telco immunity seem to have gone behind closed doors. Will the Democrats capitulate, as Glenn Greenwald reports? Or won't they?
