Nicholas Weaver at Lawfare describes his little side project to listen in on unencrypted Internet traffic:
The Intelligence Community has a concept, NOBUS, or “Nobody but Us”, to describe unique capabilities they possess which our adversaries can’t employ against us. I may defend the effectiveness of bulk surveillance and attack, but these tools are anything but NOBUS.
About a year and a half ago, mostly for my own entertainment, I started a small hobby project. I previously argued in a talk that the primary NSA Digital Network Intelligence flow was conceptually straightforward, a blend of Network Intrusion Detection (NIDS), big-data analytics, packet injection, and malcode. Yet this was at the time an academic pontification, without a system to back it up; there was some doubt in the audience.
So I got out my credit card, bought a small computer, a network tap, and some zip-ties, and got to work. The goal was “bulk-surveillance in miniature”, a system implementing the primary NSA capabilities on 100 Mbps networks, including easily searchable bulk recording, user identification, cookie tracking, packet-injection attacks, and a web interface.
“NOBUS” blinks red lights at me as the sort of thing an ingrown community might come up with; to me, you always assume the other guys are right on your heels. But what do I know? So Nicholas gives us the technical details of putting together a simple listening package, and ends with Bruce Schneier’s wisdom on the subject of a secure Internet:
We need to act like every open wireless network or hotel in the Washington area is potentially compromised. And with the low cost of such installation, it doesn’t even need to remain the realm of foreign intelligence services. How much money could criminals make with such systems?
At this point, it doesn’t matter if the NSA disappeared tomorrow. The precedents are now well established. After all, if the US can target NATO allies with bulk surveillance and attack-by-name, who can’t do the same to us? And I personally believe the US has more to lose than we have to gain.
The only robust defense against Internet surveillance is universal encryption, as cleartext traffic represents not just an information leakage but an exploitation vector. Because what is the opposite of NOBUS? How about a homework assignment.