CITP Lecture Series:
Nick Weaver – NSA inna Box:
Implementing Internet Surveillance

CITP Lecture Series

Date: Wednesday, October 7, 2015
Time: 3 p.m.
Location: 306 Sherrerd Hall

The NSA’s technology for Internet surveillance and attack is remarkably mundane, a combination of network intrusion detection, big-data analytics, and packet-injection based exploitation. But the result is impressive: “Capture All, Identify All, Attack by Name”. Far from being “Nobody But Us”, off the shelf software and some modest programming can provide anyone with these capabilities assuming they can arrange a suitable network vantage point, ranging from a ~$150 installation at a Foggy Bottom Starbucks to cluster-taps on 10-gigabit links.

As a proof of concept demonstration, I’ve constructed an “NSA inna Box” demo, a <$1000, ~100 Mbps class Internet wiretap, running NSA-style full-content capture, NSA-derived "metadata" extraction, a basic web interface for searching, and packet-injection based targeting. This demo required roughly 45 hours to create. (Although due to Hurricane Joaquin, my demo hardware is at home, but demo interface will be presented in software on my laptop).

Note: The default talk is “clean”: No NSA program codewords, no images of Snowden slides or other leaked classified materials, the author does not have a security clearance, and has no access to unpublished material. But if there is nobody with a clearance in the audience, an alternate version will include program names and related material.

Bio: Nicholas Weaver received Ph.D. in Computer Science in 2003 from the University of California at Berkeley. Although his dissertation was on novel FPGA architectures, he was also highly interested in Computer Security, including postulating the possibility of very fast computer worms in 2001. His primary research focus is on network security, notably worms, botnets, and other internet-scale attacks, and network measurement. Other areas have included both hardware acceleration and software parallelization of network intrusion detection, defenses for DNS resolvers, and tools for detecting ISP-introduced manipulations of a user’s network connection.