unnoticed leak answers and raises questions about operation eikonal.pdf
TRANSCRIPT
November 22, 2015
Unnoticed leak answers and raises
questions about operation Eikonal (Last edited: November 23, 2015)
Almost unnoticed, the Austrian member of parliament Peter Pilz
recently disclosednew information about operation Eikonal, under
which NSA and BND cooperated in tapping some fiber-optic cables
at a switching center of Deutsche Telekom in Frankfurt, Germany.
As part of the NSA umbrella program RAMPART-A, Eikonal was set
up to gather intelligence about targets from Russia, the Middle
East and North-Africa. Because the cables that were tapped came
also from countries like Austria, Switzerland, France, Belgium and
the Netherlands, there were fears that their communications were
intercepted too.
Here, the newly disclosed information will be discussed and
combined with things we learned from the hearings of the
German parliamentary commission that investigates NSA spying,
including operation Eikonal.
> See also: New details about the joint NSA-BND operation Eikonal
Overview of the joint NSA-BND operation Eikonal (2004-2008)
(Click to enlarge)
Leak
The new information comes from transcripts of some fax and e-mail messages from employees of BND,
Deutsche Telekom and the federal Chancellery, which Peter Pilz published on his website on October 23,
2015.
He never told how he got these highly sensitive documents, but as they were made available to the
parliamentary inquiry commission, it seems most likely someone from or very close to this commission
must have leaked them to Pilz. This leak was never investigated.
Media attention
Also remarkable is that the information and documents disclosed by Peter Pilz were almost completely
ignored by mainstream German media like ARD and ZDF and the major newspapers. The latest disclosure
was for example only reported by the Austrian paper Der Standard and the German tech website Heise.de.
By contrast, in neighbouring countries like Austria, Belgium and the Netherlands, the Pilz revelations were
big news and led to official investigations. Through May and June of this year, he had published lists of
communication links related to Switzerland, France, Luxembourg and Poland too, claiming they showed to
what extent BND and NSA spied upon these countries.
First part of the list with communication links related to France
(Source: Peter Pilz - Click to enlarge)
Whose's links?
Initially, Peter Pilz claimed these links were from a priority list of the NSA, but neither he, nor the
commission hearings could clearly confirm this. The Dutch website De Correspondent reported that there
was even a much larger list of some 1000 transit links, of which ca. 250 were marked in yellow.
Now, Pilz confirms that there's indeed such a large list: it was prepared by Deutsche Telekom and contains
all its 1028 transit links. Employees of BND had marked 256 of them in yellow, apparently the ones they
were most interested in, and hence the list became known as the BND priority list. He doesn't mention an
involvement of NSA at this stage anymore.
Now that we know the large list of over 1000 links isn't an even larger "wish list", but a list of all available
transit links, it could well be that BND tried to select around 20% of them, as a rather strange provision in
German law says that bulk collection is only allowed up to a maximum of 20% of a cable's capacity.
As Telekom Austria rented the channels to Vienna, we can assume that other national telecommunication
providers also rented their links to Frankfurt, with Deutsche Telekom being the owner of the cables as part
of their international backbone network.
Determining the access points
After BND selected the 256 channels, Deutsche Telekom had to look which of them ran through Frankfurt
and could be intercepted there. For this purpose Harald Helfrich of the lawful interception unit of Deutsche
Telekom AG (DTAG) sent his collegue mr. Tieger the following e-mail on September 16, 2003:
Hallo LK,
wie heute morgen besprochen übersende ich Ihnen die Liste der Transit-Leitungen der DTAG. Wir bitten
Sie die gelb unterlegten Verbindungen bzgl. ihrer Führung (z.B. Ffm 21 oder Norden-Nordeich) und ob in
der 2-Mb-Ebene greifbar, zu analysieren.
Anlage: Trans mit ausgesuchten Strecken
In this mail it is asked to analyse whether the transit channels marked in yellow can be intercepted at the
2 Mbit-level, either at Deutsche Telekom's Frankfurt am Main Point-of-Presence 21 (Ffm 21) or at Norden-
Norddeich.
The latter is a town at the northern coast of Germany, where the SeaMeWe-3 andTAT-14 submarine
cables land. For the parliamentary commission this was a reason to ask whether also cables where
intercepted over there, but that was strongly denied by the witnesses involved.
Selecting individual channels?
Interestingly, the phrase "ob in der 2-Mb-Ebene greifbar" suggests that it could be possible to just
intercept specific 2 Mbit/s channels while leaving the other ones untouched (one physical STM1-cable has
a data rate of 155 Mbit/s and contains 63 virtual channels).
Whether this is possible is important for how focused such cable tapping can be. Isolating individual
channels depends in the first place on where exactly the tapping takes place:
A. When the physical fiber is intercepted before it reaches the switch, it has to be bend in order to catch
the light that leaks. Because this leaking signal is much weaker, it has to be amplified before it can be
processed. In this way it's not possible to select individual channels: the eavesdropper gets everything
that runs over the fiber, and has to demultiplex the channels himself to select the ones that contain traffic
of interest.
Splitting a traffic from a fiber-optic cable by bowing it
(diagram: OSA Publishing, slightly simplified)
B. When the interception takes place at an optical switch itself, then it's possible to only grab the virtual
channels you are interested in. A physical cable contains channels which have to be demultiplexed at the
switch in order to be forwarded (switched) to the fiber that leads to the intended destination. When the
switch converts the optical signals into electronic signals it is even more easy to duplicate only individual
channels of interest.
Diagram showing (de)multiplexing at a fiber-optic switch
(diagram modified from Wikimedia Commons/Jflabourdette)
Different methods
During the commission hearing of March 26, 2015, Klaus Landefeld, board member of the DE-CIX internet
exchange, indicated that at least since 2009, interception takes place at the switch. Also, the so-called
G10-orders authorise interception based uponAutonomous System Numbers (ASN) which are used for
logical paths, rather than by naming physical cables to or from a certain city.
However, it seems that under operation Eikonal, the fiber-optic cables were tapped by splitting the cable
signal before it reached the switch. This was more or less clearly indicated by several witnesses heard by
the parliamentary commission, and there are several other indications too.
In 2004, it was apparently not yet possible to establish a tap at the switch itself to get access to individual
channels (although Deutsche Telekom could have demultiplexed the fiber and only forward the channels of
interest to BND, but this wasn't the case).
Government authorisation
After BND had made clear what they wanted, the Deutsche Telekom management wasn't sure whether
such cable access was legal. Therefore they wanted to be backed by the federal Chancellery. On
December 30, 2003, the coordinator for the intelligence services at the Chancellery, Ernst Uhrlau, sent the
following fax message to Kai-Uwe Ricke, then CEO of Deutsche Telekom, and Josef Brauner, head of the
landline division T-Com:
Sehr geehrter Herr Ricke, sehr geehrter Herr Brauner,
das Bundeskanzleramt ist sehr interessiert, dass der Bundesnachrichtendienst im Rahmen seines
gesetzlichen Auftrages kabelgestützte Transitverkehre aufklärt. Der vom Bundesnachrichtendienst in
Ihrem Unternehmen geplante Aufklärungsansatz steht aus hiesiger Sicht in Einklang mit geltendem Recht.
Ich darf auf diesem Weg die Anregung des Bundesnachrichtendienstes weitergeben, in der Deutschen
Telekom AG, T-Com, den Bereich RA 43 (Staatliche Sonderauflagen), zu dem bereits im Rahmen der
Strategischen Fernmeldekontrolle Kontakte bestehen, mit der Durchführung der auf Seiten der Deutschen
Telekom AG erforderlichen Maßnahmen zu beauftragen.
It says that in the opinion of the Chancellery, the proposed BND operation is according to German law.
The Chancellery encourages Deutsche Telekom to instruct its lawful intercept unit RA 43 (which is one of
four Regionalstellen für staatliche Sonderauflagenor ReSA) to start taking the necessary measures for the
interception.
Transit Agreement
On behalf of the board of Deutsche Telekom, Josef Brauner answers the fax from the Chancellery on
January 13, 2004. He says the T-Com division is aware of the importance of a well-functioning intelligence
service, and will therefore support the interception of cable-bound transit traffic:
Sehr geehrter Herr Ministerialdirektor,
gerne bestätigen wir Ihnen den Erhalt Ihres Schreibens vom 30. Dezember des letzten Jahres.
Die T-Com ist sich der Bedeutung eines gut funktionierenden Nachrichtendienstes für das Gemeinwesen
der Bundesrepublik Deutschland - insbesondere vor dem Hintergrund der terroristischen Angriffe des 11.
September 2001 - bewusst und wird daher die geplanten Aktivitäten des Bundesnachrichtendienstes, die
kabelgestützten Transitverkehre im Rahmen seines gesetzlichen Auftrages aufzuklären, unterstützen.
Entsprechend der Anregung des Bundesnachrichtendienstes wird diesseits unser Bereich RA43 (staatliche
Sonderauflagen) beauftragt, die hierfür von unserer Seite erforderlichen Maßnahmen vorzunehmen
Then on March 1, 2004, the BND and Deutsche Telekom signed the so-called Transit Agreement (pdf), in
which the latter agreed to provide access to its transit cables, and in return will be paid 6.500,- euro a
month for the expenses. This agreement was also leaked to Peter Pilz, who published it on May 18, 2015
in the Austrian tabloid paper Kronen Zeitung.
Preparing for collection
After the agreement had been signed, BND sent an e-mail on March 9, 2004 to Wolfgang Alster, head of
Deutsche Telekom's lawful interception unit RA 43 asking for the connection (schaltung) of the first
communication links. He adds that he had ordered the payment of the first two monthly payments:
Schaltauftrag
DTAG RA 433
Hallo Herr Alster,
Der Geschäftsbesorgungsvertrag "Transit" ist ja jetzt von beiden Seiten unterzeichnet und gestern habe
ich die beiden ersten Monatszahlungen veranlasst.
Daher erdreiste ich mich, Sie um die erste Schaltung von Leitungen zu bitten.
Realising the access was apparently not that easy, because it took until December 2004 before the first
cable was connected. Then it appeared that it's signal was too weak, so in January 2005 an amplifier was
installed - as the parliamentary commission was told by S.L., who was the BND project manager for
Eikonal (note that the use of an amplifier indicates tapping the entire fiber-optic cable).
At this first stage of operation Eikonal, only circuit-switched (Leitungsvermittelte) telephone
communications were intercepted. Collection of packet-switched(Paketvermittelte) internet
communications started in 2006 (see below).
RUBIN
On February 3, 2005, mr. Knau mailed his colleague Harald Helfrich at the RA 43 unit that an STM1-link
between switching center Frankfurt 21 and Luxembourg had been connected. Channels 2, 6, 14, and 50
contained the virtual channels that had Luxembourg as their endpoint:
Hallo Herr Helfrich,
Habe heute früh die o.g. Verbindung auf die Punkte 71/00/002/03 19 + 39 zugeschaltet. In der Anlage ist
die Belegung lt. RUBIN ersichtlich.
Auf den Kanälen 2, 6, 14, 50 befinden sich die in der Liste markierten DSVn mit der Endstelle
Luxembourg.
Bitte um Rückmeldung ob das ganze funktioniert.
Anlage: Belegung 7571 Luxbg
We also see the term RUBIN (German for ruby), and during the commission hearings it seemed that this
was an alternate codename for operation Eikonal. But when heard on January 15, 2015, Harald
Helfrich explained that RUBIN is actually a system that Deutsche Telekom uses to manage its
communication links and cables - which perfectly fits how the term is used in this e-mail.
Channels of interest
The next e-mail is also from February 3, 2005, but was already published by Peter Pilz on May 15, 2015
and is the only one that is available in what seems to be its original form. It's from Harald Helfrich, who
informs a mr. Siegert at the BND that mr. Knau had connected an STM1-link earlier that morning (see
previous e-mail). He says it contains the channels that were on the BND priority list:
This e-mail says that BND was interested in the following 2 Mbit/s channels from the Transit STM1-cable
"Ffm 21 - Luxembourg 757/1":
Channel 2: Luxembourg/VG - Wien/000 750/3
Channel 6: Luxembourg/CLUX - Moscow/CROS 750/1
Channel 14: Ankara/CTÜR - Luxembourg/CLUX 750/1
Channel 50: Luxembourg/VG - Prague/000 750/1
According to Peter Pilz, additional cables were connected on February 14 and 25, as well as on March 3,
2005. Unfortunately, he either doesn't possess or didn't disclose the related e-mails, so we still don't know
how many and which channels have actually been intercepted.
The interception of telephony communications therefore started in the Spring of 2005, which means that
collection under Eikonal only lasted for 3 years, and not 4 years, when one would count from signing the
agreement in 2004 until the end of the operation in 2008.
Ending telephone interception
Peter Pilz published the transcripts of two more e-mails, which are about ending the telephone
interception. On May 27, 2008, mr. Thorwald from Deutsche Telekom sent the following message to his
colleague Harald Helfrich, informing him that fully circuit-switched transit traffic isn't supported anymore.
Therefore, the extraction of transit traffic at the company's premises can be terminated:
Sehr geehrter Herr Helfrich,
Wie wir bereits telefonisch besprochen, teile ich Ihnen mit, dass die Verarbeitung von reinen
leitungsvermittelten "Transit-Verkehren" von uns nicht mehr durchgeführt wird.
Aus diesem Grund kann die Ableitung der Transit-Verkehre in unseren Betriebsräumen eingestellt werden.
Im leitungsvermittelten Bereich (Ableitung auf höherer Ebene) besteht aktuell der Bedarf zur Ableitung
von folgenden Verkehren:
+ 2 x STM-64
+ 4 x STM-16
After that, Thorwald writes that there's currently a need to extract the traffic of two STM-64 and four STM-
16 cables, which have a data rate of ca. 10 Gbit/s and 2,5 Gbit/s respectively. This is also said to be
circuit-switched, but "extraction at a higher level".
Anomalies
If we assume that Peter Pilz provided the correct date for this e-mail, it's strange that there was
apparently a need for new cable accesses, hardly a month before operation Eikonal was officially
terminated (June 2008).
Even more strange is that the e-mail says the new accesses are also circuit-switched (leitungsvermittelt),
while during the hearings it was testified that the collection of such telephone communications ended in
January 2007, after Deutsche Telekom fased-out its business model for dedicated transit cables. This e-
mail brings that message almost 1,5 years later!
Internet access
From the commission hearings we also learned that BND wanted access to internet traffic too, which is
packet-switched (Paketvermittelt). For this, the first cable became available by the end of 2005, but it
took some months before the backlink was also connected. In the spring of 2006 a second cable was
added, and the front-end system and the filters were tested until mid-2007.
Could it be that mr. Thorwald just made a mistake, and wrote "leitungsvermittelten" where he meant
"paketvermittelten"? But even then, why add new internet cables, just before the operation was ended?
Another question
A similar anomaly can be found in an e-mail, that according to Peter Pilz, was sent one day later, on May
28, 2008. In it, mr. Knau informed Harald Helfrich and his superior Wolfgang Alster that the access to four
STM1-cables can be terminated immediately.
Given what was said during the commission hearings, one would have expected that this also had
happened already in January 2007, instead of May 2008. It seems some things don't add up here.
Wie bereits fernmündlich besprochen, können nachfolgende STM1-Zuschaltungen mit sofortiger Wirkung
aufgehoben werden:
Ffm 21 - Stuttgart 10 757/22A
Ffm 21 - Paris 757/1
Ffm 21 - Reims 757/1
Ffm 21 - Luxembourg 757/1
Physical cables
Unlike the numerous virtual channels in the lists, this e-mail is about physical cables. "Ffm 21 -
Luxembourg 757/1" is the one mentioned in the e-mail from February 3, 2005, containing 4 channels of
interest to Luxembourg; the others are cables from Frankfurt (Ffm) to Reims, Paris, and Deutsche
Telekom's Point-of-Presence in Stuttgart. With this, we now have proof of 3 other cables having been
tapped.
According to a list (.docx) publiced by Peter Pilz, there are 29 channels to/from Reims and 22 channels
to/from Paris, all of which could easily have been in the fiber-optic cable between Frankfurt and Reims,
and Frankfurt and Paris, respectively, as one single STM1-cable contains 63 separate channels:
Frankfurt - Stuttgart: ? channels of interest
Frankfurt - Paris: 22 channels of interest
Frankfurt - Reims: 29 channels of interest
Frankfurt - Luxembourg: 11 channels of interest
Peter Pilz concludes that operation Eikonal was the start of NSA's illegal mass surveillance of European
telecommunications. But that's not supported by evidence. After Eikonal, NSA continued joint cable
tapping operations with BND and other European agencies, but as these programs are part of RAMPART-A,
they are mainly aimed at specific targets in Russia, North-Africa and the Middle East.*
BND cable tapping
Operation Eikonal did start something else though: it provided BND with the knowledge and the
experience for conducting cable tapping on its own: in 2009 they started intercepting cables from 25
internet service providers, this time at the DE-CIXinternet exchange in Frankfurt - as was revealed by Der
Spiegel on October 6, 2013.
Among these 25 providers are foreign companies from Russia, Central Asia, the Middle East and North
Africa, but also 6 German providers: 1&1, Freenet, Strato AG, QSC, Lambdanet and Plusserver, who
almost exclusively handle domestic traffic.
It appears that this interception takes place in cooperation with the DE-CIX Management and that the
various providers themselves didn't knew that this was happening. A smart move, as this provides BND
with just one single point-of-contact, while the indivual providers can honestly deny that their cables are
being intercepted.
Links and sources - Heise.de: BND-Operation Eikonal: "Freibrief" für die Telekom aus dem Kanzleramt - DerStandard.at: Pilz: Berlin genehmigte NSA-Spionage gegen Österreich - PeterPilz.at: "Ich darf die Anregung weitergeben..." Die Operation Transit in Europa
Geplaatst door P/K op 23:22
Email ThisBlogThis!Share to TwitterShare to FacebookShare to Pinterest
Labels: Eikonal, Germany, NSA Partnerships
No comments:
Post a Comment
http://electrospaces.blogspot.com/2015/11/unnoticed-leak-answers-and-raises.html
Tagebuch / Oktober 2015 Tagebuch
o YouTube o Flickr
AMTSGEHEIMNISSE
Texte
Zeit im Pilz
Gästebuch
Pilz Box
Pilz Bücher
Linkliste
Die Affäre "Kampusch"
Luftraum
FREITAG, 23. OKTOBER 2015
„ICH DARF DIE ANREGUNG WEITERGEBEN..."
DIE OPERATION TRANSIT IN EUROPA
28.2. 2002
Das Memorandum of Agreement MoA zwischen NSA und BND über Telekom-Überwachung in Europa wird abgeschlossen. Die NSA
darf den BND als Instrument zur Überwachung der Telekommunikation einsetzen.
16. September 2003
Die Überwachungsspezialisten der Deutschen Telekom AG erhalten einen „kleinen Auftrag". Aber der ist alles andere als klein. Das
belegt ein Mail, das Harald HELFRICH, der Mitarbeiter der "Regionalstelle für staatliche Sonderauflagen" ReSa der deutschen Telekom
AG seinem Kollegen Christof TIEGER sendet. Der Betreff verweist auf das kommende Projekt: „Analyse von Transit".
„Hallo LK,
wie heute morgen besprochen übersende ich Ihnen die Liste der Transit-Leitungen der DTAG. Wir bitten Sie die gelb unterlegten
Verbindungen bzgl. ihrer Führung (z.B. Ffm 21 oder Norden-Nordeich) und ob in der 2-Mb-Ebene greifbar, zu analysieren."
Anlage: „Trans mit ausgesuchten Strecken"
Die „gelb unterlegten Verbindungen" finden sich in der Beilage, der „Prioritätenliste" des BND. Die Deutsche Telekom hatte dem BND
eine Liste aller Transitverbindungen übergeben. Von 1028 Verbindungen haben Mitarbeiter des BND 256 gelb markiert. Jetzt soll die
ReSa feststellen, welche davon über Frankfurt laufen und daher dort angreifbar sind.
BND und Deutsche Telekom AG wissen jetzt wie es geht. Aber sie wissen nicht, ob die geplante Operation Transit legal ist - und ob sie
politisch gedeckt wird.
30. Dezember 2003
Ministerialdirektor Ernst UHRLAU dient als Geheimdienstkoordinator im Berliner Bundeskanzleramt . Frank Walter Steinmeier ist als
beamteter Staatsekretär im Bundeskanzleramt sein direkter politischer Vorgesetzter. Die Deutsche Telekom AG will dem Wunsch des
BND, auf Transitleitungen zugreifen zu können, nur dann nachkommen, wenn die Bundesregierung Rückendeckung gibt und einen
rechtlichen Blankoscheck ausstellt.
Das Bundeskanzleramt kommt dem Wunsch nach. Uhrlau faxt an den CEO der Deutschen Telekom AG, Kai-Uwe RICKE:
„Sehr geehrter Herr Ricke, sehr geehrter Herr Brauner,
das Bundeskanzleramt ist sehr interessiert, dass der Bundesnachrichtendienst im Rahmen seines gesetzlichen Auftrages
kabelgestützte Transitverkehre aufklärt. Der vom Bundesnachrichtendienst in Ihrem Unternehmen geplante Aufklärungsansatz steht
aus hiesiger Sicht in Einklang mit geltendem Recht.
Ich darf auf diesem Weg die Anregung des Bundesnachrichtendienstes weitergeben, in der Deutschen Telekom AG, T-Com, den
Bereich RA 43 (Staatliche Sonderauflagen), zu dem bereits im Rahmen der Strategischen Fernmeldekontrolle Kontakte bestehen, mit
der Durchführung der auf Seiten der Deutschen Telekom AG erforderlichen Maßnahmen zu beauftragen."
Damit hat das deutsche Bundeskanzleramt dem BND und der Deutschen Telekom AG mit einem juristischen Persilschein grünes Licht
gegeben.
13. Jänner 2004
Josef BRAUNER antwortet für den Vorstand der Deutschen Telekom AG in einem Brief an Ernst UHRLAU dem Bundeskanzleramt:
„Sehr geehrter Herr Ministerialdirektor,
gerne bestätigen wir Ihnen den Erhalt Ihres Schreibens vom 30. Dezember des letzten Jahres.
Die T-Com ist sich der Bedeutung eines gut funktionierenden Nachrichtendienstes für das Gemeinwesen der Bundesrepublik
Deutschland - insbesondere vor dem Hintergrund der terroristischen Angriffe des 11. September 2001 - bewusst und wird daher die
geplanten Aktivitäten des Bundesnachrichtendienstes, die kabelgestützten Transitverkehre im Rahmen seines gesetzlichen Auftrages
aufzuklären, unterstützen.
Entsprechend der Anregung des Bundesnachrichtendienstes wird diesseits unser Bereich RA43 (staatliche Sonderauflagen)
beauftragt, die hierfür von unserer Seite erforderlichen Maßnahmen vorzunehmen."
Die massiven rechtlichen Bedenken der Deutschen Telekom sind jetzt vom Tisch. Die Operation „Transit" kann gestartet werden.
1. März 2004
Die Deutsche Telekom AG und der Bundesnachrichtendienst unterzeichnen den Geschäftsbesorgungsvertrag „Transit". Darin
verpflichtet sich die Deutsche Telekom AG dem BND die Ableitung der gewünschten Leitungen zu ermöglichen und die Infrastruktur
dafür zur Verfügung zu stellen.
9. März 2004
Robert LAHN arbeitet im Büro für „technische Sonderaufgaben" im BND. Am 9. März erteilt er den Schaltauftrag an ReSa-Chef
Wolfgang ALSTER:
„Schaltauftrag
DTAG RA 433
Hallo Herr Alster,
Der Geschäftsbesorgungsvertrag „Transit" ist ja jetzt von beiden Seiten unterzeichnet und gestern habe ich die beiden ersten
Monatszahlungen veranlasst.
Daher erdreiste ich mich, Sie um die erste Schaltung von Leitungen zu bitten."
3. Februar 2005
Die Zuschaltungen beginnen.
8.15 Uhr:
Mail von KNAU/DTK an HELFRICH/DTK „betreff: STM1-Zuschaltung (Ffm 21 - Luxembourg 757/1)":
„Hallo Herr Helfrich,
Habe heute früh die o.g. Verbindung auf die Punkte 71/00/002/03 19 + 39 zugeschaltet. In der Anlage ist die Belegung lt. RUBIN
ersichtlich.
Auf den Kanälen 2, 6, 14, 50 befinden sich die in der Liste markierten DSVn mit der Endstelle Luxembourg.
Bitte um Rückmeldung ob das ganze funktioniert."
Anlage: „Belegung 7571 Luxbg"
10.42 Uhr:
Mail von HELFRICH/DTK an BND und ALSTER/DTK
„Hallo Hr. Siegert, Hr. Knau hat heute morgen wieder eine STM 1 zugeschaltet. in dieser befindet sich nun kein nationaler Verkehr
mehr (aus diesem Grunde fand auch die große Umschaltaktion statt). Die Verbindung Ffm 21 - Luxembourg 757/1 wurde auf die
Punkte 71 / 00/ 002 / 03 / 19 + 39 zugeschaltet. Vier der darin befindlichen 2MBit-Strecken befinden sich auf ihrer ersten
Prioritätenliste, diese sind zu finden auf:
Kanal 2: Luxembourg/VG - Wien/000 750/3
Kanal 6: Luxembourg//CLUX - Moscow/CROS 750/1
Kanal 14: Ankara/CTÜR - Luxembourg/CLUX 750/1
Kanal 50: Luxembourg/VG - Prague/000 750/1.
Bitte um eine kurze Rückmeldung, wenn alles o.k. ist. Ende nächste Woche folgt eine weitere STM1."
Damit wird die erste österreichische Verbindung von BND und NSA abgehört.
Aber die NSA erhält weit mehr als die vier Leitungen. In der abgehörten STM1 befinden sich 63 Kanäle. Sie alle konnten damit
abgeleitet und der NSA nach Bad Aibling überspielt werden.
Der damalige BND-Abteilungsleiter Reinhardt BREITFELDER beschreibt die Arbeitsweise vor dem NSA-Untersuchungsausschuss des
Deutschen Bundestages:
„Die (Datenströme) sind vorne geteilt worden, und zwar in einen G-10-Teil und in einen Routineteil. Dieser Routineteil wurde erst mal
G-10-gefiltert, weil man ja nie ausschließen kann, dass auch im Routineteil G 10 drin vorkommt. Nach dieser Filterung wurde dieser
Routineteil an die NSA in Deutschland, also in Bad Aibling unten, konkret weitergeleitet, und zwar nicht an die NSA direkt, sondern an
diese gemischte Arbeitsgruppe NSA-BND, die als JSA hier immer wieder auftaucht. So wurde das gemacht."
Am 14.2., am 25.2. und am 7.3.2005 erfolgen die nächsten Zuschaltungen.
Die Aktion Transit läuft in Frankfurt von März 2005 bis Mai 2008 im Vollbetrieb. 15 Mitarbeiter des BND überwachen so mehr als drei
Jahre lang einen großen Teil der europäischen und internationalen Telekommunikation vom Knoten in Frankfurt / Nied aus. Im Mai
2008 wissen NSA und BND, dass die Massenüberwachung funktioniert. Aber im Jahr 2008 haben sich die Technologie und damit die
Möglichkeiten der Überwachung weiter entwickelt.
28. Mai 2008
Siegfried KNAU/DTK sendet ein Mail an Harald HELFRICH/DTK und Wolfgang ALSTER(DTK
„Wie bereits fernmündlich besprochen, können nachfolgende STM1-Zuschaltungen mit sofortiger Wirkung aufgehoben werden:
Ffm 21 - Stuttgart 10 757/22A
Ffm21 - Paris 757/1
Ffm 21 - Reims 757/1
Ffm 21 - Luxembourg 757/1."
Damit wird die Ableitung dieser vier STM1-Leitungen in Frankfurt beendet. Aber ist das das Ende der NSA/BND-Telefonüberwachung?
Die Antwort gibt ein Mail vom Vortag:
27. Mai 2008
Schreiben von THORWALD/DTK an HELFRICH/DTK
„Sehr geehrter Herr Helfrich,
Wie wir bereits telefonisch besprochen, teile ich Ihnen mit, dass die Verarbeitung von reinen leitungsvermittelten „Transit-Verkehren"
von uns nicht mehr durchgeführt wird.
Aus diesem Grund kann die Ableitung der Transit-Verkehre in unseren Betriebsräumen eingestellt werden.
Im leitungsvermittelten Bereich (Ableitung auf höherer Ebene) besteht aktuell der Bedarf zur Ableitung von folgenden Verkehren:
+ 2 x STM-64
+ 4 x STM-16"
Die Massenüberwachung der europäischen Telefongespräche durch NSA und BND wird nicht eingestellt - sie wird „nur" auf ein
technisch weit höheres Niveau gestellt: Statt Verkehren in STM-1-Leitungen werden ab jetzt Verkehre vom Telefonat bis zu E-Mail,
SMS und Internet in STM-16- und STM-64-Leitungen mit der 16- bzw. 64-fachen Kapazität abgeleitet.
Die „Operation Transit" war der Einstieg in die NSA-Massenüberwachung europäischer Telekommunikation. Sie war der
entscheidende Wendepunkt zum ebenso umfassenden wie illegalen Überwachungsstaat - mit der Billigung durch die
Regierungen in Washington und Berlin.
http://www.peterpilz.at/2015-10/peter-pilz-tagebuch.htm
You are here: peterpilz.at> Diary
Diary / October 2015 diary
o YouTube o Flickr
Official secrets
Texts
Time in mushroom
Guestbook
Mushroom Box
Mushroom Books
Link List
The affair "Kampusch"
airspace
Friday, October 23, 2015
"May I Excitation passing on ..."
THE OPERATION TRANSIT IN EUROPE
28.2. 2002
The Memorandum of Agreement MoA between NSA and BND on telecom monitoring in Europe is finished. The NSA may use the BND
as a tool for monitoring telecommunications.
September 16, 2003
The monitoring specialists of Deutsche Telekom AG received a "small order". But that is anything but small. This is confirmed by an e-
mail that his colleague Christof Tieger sends Harald HELFRICH, the employees of the "Regional Centre for special government
regulations" ReSa of Deutsche Telekom AG. The subject refers to the upcoming project: "Analysis of Transit".
"Hi LK,
as this morning discussed I am sending you the list of transit lines by DTAG. We ask the yellow shaded links regarding. Its leadership
(eg Ffm 21 or north-north-calibration) and whether tangible to analyze in the 2-Mb-level. "
Plant: "Trans with selected lines"
The "yellow shaded compounds" can be found in the supplement, the "priority list" of the BND. The German Telekom had the BND
handed over a list of all transit connections. Of 1028 compounds BND 256 have highlighted in yellow. Now is the ReSa determine
which of them run over Frankfurt and therefore are vulnerable there.
BND and German Telekom AG now know how to do it. But they do not know whether the planned operation Transit is legal - and
whether it is politically covered.
December 30, 2003
Assistant Secretary of State Ernst Uhrlau serves as intelligence coordinator in the Berlin Chancellery. Frank Walter Steinmeier is a civil
servant State Secretary in the Federal Chancellery have direct political boss. The German Telekom AG wants the desire of the BND, to
have access to transit pipelines, only offspring, if the federal government is backing and a legal blank check issued.
The Federal Chancellery comes after the request. Uhrlau fax to the CEO of Deutsche Telekom AG, Kai-Uwe Ricke:
"Dear Mr. Doe, Mr Brown,
the Federal Chancellery is very interesting that the Federal Intelligence Service as part of its statutory mandate enlightens cable-based
transit traffic. The planned by the Federal Intelligence Service in your organization Enlightenment approach is of the view here in
compliance with applicable law.
I must pass on this way, the excitation of the Federal Intelligence Service, in Deutsche Telekom AG, T-Com, the RA section 43 (special
government regulations) to which there are contacts already resulting from the strategic telecommunications monitoring, to the
implementation of on the part of Deutsche Telekom to instruct AG necessary measures. "
Thus, the German Chancellor's Office gave the BND and the German Telekom AG with a clean bill of legal green light.
13th January 2004
Josef Brauner answers for the Executive Board of Deutsche Telekom AG in a letter to Ernst Uhrlau the Federal Chancellery:
"Dear Mr. Secretary,
We are happy to confirm receipt of your letter of 30 December of last year.
The T-Com recognizes the importance of a properly functioning intelligence service for the community of the Federal Republic of
Germany - especially in the light of the terrorist attacks of 11 September 2001 - aware and therefore the planned activities of the
Federal Intelligence Service, the cable-supported transit traffic within the framework of its legal responsibilities, educate, support.
According to the suggestion of the Federal Intelligence Service on this side our range RA43 (special government regulations) is
commissioned to make the necessary on our part for this action. "
The massive concerns Deutsche Telekom are now off the table. The operation "Transit" can be started.
March 1st, 2004
The German Telekom AG and the Federal Intelligence Service signed the agency agreement "Transit". In it, the German Telekom AG
is committed to enabling the BND to derive the desired lines and to provide the infrastructure for this purpose.
March 9, 2004
Robert LAHN working in the office for "special technical tasks" in BND On March 9, he issued the order to switch RESA Chef Wolfgang
ALSTER.:
"Switching order
DTAG RA 433
Hello Mr. Alster,
The Agency Agreement "Transit" is indeed now been signed by both sides and yesterday I led the first two monthly payments.
Therefore I erdreiste me to ask you about the first connection of transmission lines. "
February 3, 2005
The switch-ons begin.
8.15 Clock:
Mail of KNAU / DTK to HELFRICH / DTK "Subject: STM1-switching (FFM 21 - Luxembourg 757/1)":
"Hello Mr. Helfrich,
Have this morning the above connection is switched to the points 71/00/002/03 19 +. 39 In the complex the assignment RUBIN lt. Can
be seen.
On channels 2, 6, 14, 50 are marked in the list with the terminal are DSVN Luxembourg.
Request for feedback if the whole works. "
Plant: "Occupancy 7571 Luxbg"
10.42 Clock:
Mail from HELFRICH / DTK to BND and Alster / DTK "Hello Mr. Siegert, Hr. Knau today again switched an STM 1 tomorrow. This is
now no longer a national traffic (for this reason, also found the large switching action instead). The connection Ffm 21 - Luxembourg
757/1 been switched to points 71/00/002/03/19 +. 39 Four of the therein 2MBit trails are at their first priority list, this can be found on:
Channel 2: Luxembourg / VG - Wien / 000 750/3
channel 6: Luxembourg // CLUX - Moscow / CROS 750/1
channel 14: Ankara / CTÜR - Luxembourg / CLUX 750/1
channel 50: Luxembourg / VG - Prague / 000 750/1.
Please order a short feedback if everything is ok. End next week followed by another STM1. "
Thus the first Austrian combination of BND and NSA is listening.
But the NSA receives far more than the four lines. In the intercepted STM1 are 63 channels.They could all derived order and the NSA
will be dubbed to Bad Aibling.
The then Head of BND Reinhardt Breitfelder describes the operation before the NSA inquiry committee of the German Bundestag:
"The (data streams) have been divided front, in a G10 member and in a routine part. This routine part was only times G10 filtered,
because one can never rule out that even in routine part G 10 there exists. After this filtering this routine part of the NSA in Germany, ie
in Bad Aibling was passed down concretely, not directly to the NSA, but at this mixed working group NSA BND, which keeps coming up
here as JSA. So that was made. "
On 14.2., At 25.2. and on 7.3.2005 done the next switch-ons.
The Special Transit runs in Frankfurt from March 2005 to May 2008 in full operation. 15 employees of the BND monitor so more than
three years from a large part of the European and international telecommunications from the node in Frankfurt / Nied. In May 2008,
NSA and BND know that the mass surveillance works. But in 2008, have the technology and thus develop the possibilities of
surveillance.
May 28, 2008
Siegfried KNAU / DTK sends an email to Harald HELFRICH / DTK and Wolfgang ALSTER (DTK
"As discussed by telephone, following STM1 switch-ons can be canceled with immediate effect:
Ffm 21 - Stuttgart 10757 / 22A
Ffm21 - Paris 757/1
Ffm 21 - Reims 757/1
Ffm. 21 - Luxembourg 757/1 "
Thus, the derivation of these four STM1 lines in Frankfurt is terminated. But is that the end of the NSA / BND Wiretapping?
The answer is a mail from the previous day:
May 27, 2008
Be Thorwald / DTK to HELFRICH / DTK
"Dear Mr. Helfrich,
As we discussed over the phone, I inform you that the processing of pure circuit-switched "transit traffic" we will no longer be carried
out.
For this reason, the derivation of the transit traffic in our premises can be adjusted.
In circuit-switched portion (discharge at a higher level) is currently a need for the derivation of the following trades:
+ 2 x STM-64
+ 4 x STM-16 "
The mass monitoring of European calls by NSA and BND is not set - they will "only" put on a technically far higher level: instead will
operate in the STM-1 lines from now transports by telephone to email, SMS and Internet in STM-16 and STM-64 with the lines 16 or 64
times the capacity derived.
The "Operation Transit" was the introduction to the NSA mass surveillance European telecommunications She was the
decisive turning point for equally comprehensive as illegal surveillance state -. With the approval of the governments in
Washington and Berlin.
Send comment [8 comments] to top
Diary / October 2015 diary
o YouTube o Flickr
Official secrets
Texts
Time in mushroom
Guestbook
Mushroom Box
Mushroom Books
Link List
The affair "Kampusch"
airspace
<< Back
Friday, October 23, 2015
"May I Excitation PASS ..." THE OPERATION TRANSIT IN EUROPE 28.2. 2002 The Memorandum of Agreement MoA between NSA
and BND on telecom monitoring in Europe is finished. The NSA may use the BND as a tool for surveillance of telecommunications. 16 .
September 2003 The monitoring specialists of Deutsche Telekom AG received an
>> read more
answer
Reply:
Posted: 11/18/2015 14:06:15
as you can see on the basis of Paris was too little monitored. and with the results made too little. The Americans are right that
everything that smells just by extremism incarcerate at Guantanamo and
>> Read more
answer
Reply: white elite Posted: 11/22/2015 22:28:08
am überhaubt davür, vurauseilende to intern all non-white. Guantanamo in Europe, promises.
and is a rue!
answer
Reply:
Posted: 11/19/2015 22:47:07
Oida, you ghörst also eingsperrt and vagessn, AMIF .....
answer
Reply: NSA Posted: 10/28/2015 23:54:24
Good preparation Herrenpilz! However, they forgot our extremely effective tools that casual absolve us from European law and
ever. Yeah, we are the real cowboys Yahoooo, uh
>> read more
answer
Reply: no Posted: 10/25/2015 14:55:21
must of course not write that Nazi terror regime itself reveal the testimony they had therefore not warned disqualified himself and is a
pure
>> read more
answer
Reply: Peter Smith Posted: 10/24/2015 17:46:05
Can connect me only, thank you for their efforts to make this complex transparent. It would be interesting to clarify the question of what
is now the gentlemen in Berlin right under applicable law
>> read more
answer
Reply: Peter Smith Posted: 10/24/2015 18:18:15
Interesting side issue: Is the TTIP a figment of Article 2 North Atlantic Treaty, arranged "top" of the NATO and therefore a
secret? German Atlantic Society: lecture
>> read more
answer
Reply: Very Helfrich Posted: 10/23/2015 13:30:19
Thank you for your work, Mr Pilz. There is much more than a bad aftertaste in this Cabinet Merkel! Comprehensive monitoring appears
to be a large and cross-cutting issue here in fact
>> read more
answer
http://www.peterpilz.at/kommentar/2713/peter-pilz-tagebuch.htm#content
May 28, 2015
New details about the joint NSA-BND operation
Eikonal (Updated: October 7, 2015)
This weblog first reported about the joint NSA-BND operation Eikonal on October 15, 2014, but meanwhile
interesting new details became available from the hearings of the German parliamentary inquiry, and from
recent disclosures by a politician from Austria.
Under operation Eikonal, the NSA cooperated with the German foreign intelligence service BND for access
to transit cables from Deutsche Telekom in Frankfurt. Here follows an overview of what is known about
this operation so far. New information may be added as it comes available.
- Initial reporting - Parliamentary hearings -
- Disclosures from Austria -
> See for the latest: Unnoticed leak answers and raises questions about operation Eikonal
Initial reporting
Operation Eikonal was revealed by the regional German paper Süddeutsche Zeitungand the regional
broadcasters NDR and WDR on October 4, 2014. They reported that between 2004 and 2008, the German
foreign intelligence service BND had tapped into the Frankfurt internet exchange DE-CIX and shared the
intercepted data with the NSA.
For this operation, NSA provided sophisticated interception equipment, which the Germans didn't had but
were eager to use. Interception of telephone traffic started in 2004, internet data were captured since
2005. Reportedly, NSA was especiallyinterested in communications from Russia.
To prevent communications of German citizens being passed on to NSA, BND installed a special program
(called DAFIS) to filter these out. But according to the reporting, this filter didn't work properly from the
beginning. An initial test in 2003 showed the BND that 5% of the data of German citizens could not be
filtered out, which was considered a violation of the constitution.
Süddeutsche Zeitung reported that it was Deutsche Telekom AG (DTAG) that provided BND the access to
the Frankfurt internet exchange, and in return was paid 6000,- euro a month. But as some people noticed,
Deutsche Telekom was not connected to DE-CIX when operation Eikonal took place, so something didn't
add up.
As we will see, this was right, and the actual cable tap was not at DE-CIX, but took place at Deutsche
Telekom. Nonetheless, many press reports still link Eikonal to the DE-CIX internet exchange.
Operations center room in the former BND headquarters in Pullach
(Photo: Martin Schlüter - Click to enlarge)
Eikonal as part of RAMPART-A
As was first reported by this weblog on October 15, 2014, operation Eikonal was part of the NSA umbrella
program RAMPART-A, under which the Americans cooperate with3rd Party countries who "provide access
to cables and host U.S. equipment".
Details about the RAMPART-A program itself had already been revealed by the Danish
newspaper Information in collaboration with The Intercept on June 19, 2014. The program reportedly
involved at least five countries, but so far only Germany and, most likely, Denmark have been identified.
On October 20, Information published about a document from NSA's Special Source Operations (SSO)
division, which confirms that an operation codenamed "EIKANOL" was part of RAMPART-A and says it was
decommissioned in June 2008.
The slide below shows that under RAMPART-A a partner country taps an international cable at an access
point (A) and then forwards the data to a joint processing center (B). Equipment provided by the NSA
processes the data and analysts from the host country can then analyse the intercepted data (C), while
they are also forwarded to NSA sites in the US (D, E):
Parliamentary hearings
Because of the confusion about the role of Deutsche Telekom in operation Eikonal, the NSA investigation
commission of the German parliament (NSAUA) decided to alsoinvestigate whether this company assisted
BND in tapping the Frankfurt internet exchange.
During hearings of BND officials it became clear that operation Eikonal was not about tapping into the
Frankfurt internet exchange DE-CIX, but about one or more cables from Deutsche Telekom. This was
first confirmed by German media on December 4, 2014.
Hearing of November 6, 2014 (Live-blog)
According to witness T.B., who was heard on on November 6, 2014, it was just during the test period that
the filter system was only able to filter out 95% of German communications. When the system went live,
this percentage rose to 99% with a second stage that could filter out even more than 99%. When
necessary, a final check was conducted by hand.
Hearing of November 13, 2014 (Live-blog - Official transcript)
During this hearing, the witness W.K. said that Eikonal was a one of a kind operation, there was targeted
collection from traffic that transited Germany from one foreign country to another.
This was focussed on Afghanistan and anti-terrorism. Selected data were collected and forwarded to NSA.
The internal codename for Eikonal was Granat, but that name wasn't shared with NSA. There was even a
third codename.
For Germany, Eikonal was useful because it provided foreign intelligence for protecting German troops and
countering terrorism. The NSA provided better technical equipment that BND didn't had. In return, BND
provided NSA with data collected from transit traffic using search profiles about Afghanistan and anti-
terrorism. BND was asked to cooperate because NSA isn't able to do everything themselves.
Eikonal provided only several hundred useful phone calls, e-mail and fax messages a year, which was a
huge disappointment for NSA. This, combined with the fact that it proved to be impossible to 100%
guarantee that no German data were collected and forwarded, led BND to terminate the program.
For Eikonal, the cable traffic was filtered by using selectors provided by both NSA and BND. Although not
all selectors can be attributed to a particular country and there may have been up to several hundred
thousand selectors, witness W.K. said that BND was still able to check whether every single one was
appropriate: only selectors that could be checked were used.
> See also: German BND didn't care much about foreign NSA selectors
Hearing of December 4, 2014 (Live-blog - Official transcript)
During this hearing, BND-employee S.L., who was the project manager of operation Eikonal at BND
headquarters, testified. He told that BND had rented two highly secured rooms of ca. 4 x 6 meters in the
basement of a Deutsche Telekom switching center in the Frankfurt suburb Nied.
These rooms were only accessible for BND personnel and contained the front-end of the interception
system, existing of 19 inch racks, with telecommunications equipment like multiplexers, processors and
servers. These devices were remotely controlled from the headquarters in Pullach.*
Based upon analysis of public information about telecommunication networks, BND choose specific cables
that would most likely contain traffic that seemed useful for the goals of the operation. It became clear
that for redundancy purposes, cables only used 50% of their capacity. For example, 2 cables of 10 Gbit/s
carried only 5 Gbit/s of traffic, so in case of a disruption, one cable could take over the traffic of the other
one.
The switching center of Deutsche Telekom in Frankfurt-Nied
where some cables were tapped under operation Eikonal
(Screenshot: ZDF Frontal21 - Click to enlarge)
After a specific coax or fiber-optic cable had been selected, technicians of Deutsche Telekom installed a
splitter and a copy of the traffic was forwarded to one of the secure rooms, where it was fed into a (de-
)multiplexer or a router so the signal could be processed. After they got rid of the peer-to-peer and
websurfing traffic, the remaining communications data, like e-mail, were filtered by selectors from BND
and NSA.
The selected data were sent back to BND headquarters in Pullach over a leased commercial line, of which
the capacity was increased after the internet collection became fully operational. From Pullach to the JSA
in Bad Aibling there was a 2 Mbit/s line.
Timeframe
Eikonal started with access to a telephone cable (Leitungsvermittelt). Project manager S.L. told that the
first cable was connected (aufgeschaltet) in December 2004, but that it's signal was too weak. Therefore,
in January 2005, an amplifier was installed.
In February, March and April additional cables were connected, so telephony collection started in the
spring of 2005. By the end of 2006, Deutsche Telekom announced that its business model for dedicated
transit cables would be terminated, so in January 2007 the telephone collection ended.*
BND also wanted access to internet traffic (Paketvermittelt), for which the first cable became available by
the end of 2005, but because the backlink was missing, collection was technically not possible. This was
solved in 2006, and in the spring of 2006 a second cable was added, and they tested the front-end system
and subsequently the filter systems until mid-2007 (Probebetrieb).
During this stage, data were only forwarded to the joint NSA-BND unit JSA after a manual check. Fully
automated forwarding only happened from late 2007 until operation Eikonal was terminated in June 2008
(Wirkbetrieb).*
Legal issues
The collection of telephone communications from transit cables was done under the general authority of
the BND Act, with details specified in the "Transit Agreement" between BND and Deutsche Telekom, which
for the latter was signed by Bernd Köbele.
For the collection of internet data it was impossible to fully separate foreign and domestic traffic, so it
couldn't be ruled out that German communications were in there too. Therefore, BND requested an order
from the G10-commission, which, like the FISA Court in the US, has to approve data collection when their
own citizens could be involved.
A G10-order describes the communication channel (Germany to/from a specific foreign country) that BND
is allowed access to, the threat profile and it also authorizes the search terms that may be used for
filtering the traffic.*
Such an order allows the collection of G10-data (communications with one end German), which were
processed within BND's separate G10 Collection program. As a bycatch, this G10-interception also yielded
fully foreign traffic (Routine-Verkehre), which was used for operation Eikonal:
Some employees from Deutsche Telekom and from BND had doubts about the legality of this solution,
which seemed to use a G10-order as a cover for getting access to fully foreign internet traffic.
Eventually, the federal Chancellery, apparently upon request of the BND, issued a letter saying that the
operation was legal. This convinced the Telekom management and the operation went on. It didn't
become clear under what authority this letter was issued.
After BND had learned how to collect internet traffic from fiber-optic cable, it applied for G10-orders to intercept(one end German)
communications from 25 foreign and domestic internet service providers in 2008. This time these cables were being tapped at the DE-CIX
internet exchange, which is also in Frankfurt.
Results
The collection under operation Eikonal resulted in only a few hundred intelligence reports
(German: Meldungen) a year, each consisting of one intercepted e-mail, fax message or phone call. These
were burned onto a CD to hand them over to NSA personnel at the JSA.*
According to S.L., metadata (containing up to 91 fields) were "cleaned" so only technical metadata
(Sachdaten) were forwarded to the JSA, where they were used for statistical and analytical purposes.
Personal metadata (personenbezogene Daten), like e-mail and IP addresses were not shared. Technical
metadata are for example used to identify the telecommunication providers, transmission links and the
various protocols.
Hearing of December 18, 2014 (Live-blog - Official transcript)
During this hearing, a talkative general Reinhardt Breitfelder, head of the SIGINT division from 2003-
2006, confirmed many of the details from the earlier hearings of his subordinates. He also gave
impressions of the dilemmas in dealing with the NSA and what to do with the equipment they provide.
Hearing of January 15, 2015 (Live-blog - Official transcript)
In this hearing, the commission questioned two employees from Deutsche Telekom (Harald Helfrich and
Wolfgang Alster), but they provided very little new information, except for that Deutsche Telekom
personnel only knows between which cities a cable runs, but they don't know what kind of traffic it
contains - they are not allowed to look inside.
Hearing of October 1, 2015 (Live-blog)
Joachim Mewes from the Chancellary testified that somewhere in 2005, BND invited him and the G-10
Commission to visit the tapping site in Frankfurt, apparently as to show that no filtering took place there,
but that everything from the cable went to BND headquarters and was split up over there. This however
contradicts other testimonies, saying that filtering was conducted close to the access point.
A room where hearings of the parliamentary committee take place
(photo: DPA)
Disclosures from Austria
On May 15, 2015, Peter Pilz, member of the Austrian parliament for the Green party,disclosed an e-mail
from an employee of the Deutsche Telekom unit for lawful intercept assistance (Regionalstelle für
staatliche SonderAuflagen, ReSa), who notified someone from BND that apparently a particular fiber-optic
cable had been connected to the interception equipment. The e-mail describes this cable as follows:
Transit STM1 (FFM 21 - Luxembourg 757/1), containing 4 links of 2 Mbit/s:
Channel 2: Luxembourg/VG - Wien/000 750/3
Channel 6: Luxembourg/CLUX - Moscow/CROS 750/1
Channel 14: Ankara/CTÜR - Luxembourg/CLUX 750/1
Channel 50: Luxembourg/VG - Prague/000 750/1
STM1 stands for Synchronous Transport Module level-1, which designates a transmission bit rate of
155,52 Mbit/second. A similar multiplexing method isWavelength-Division Multiplexing (WDM) commonly
used in submarine fiber-optic cables. The latter having a much larger capacity, generally STM-64 or 9,5
Gbit/second.
The number 757 is a so-called Leitungsschlüsselzahl (LSZ), which denotes a certain type of cable. In this
case it stands for a channelized STM-1 base link (2 Mbit in 155 Mbit), which seem to be used for internal
connections.
According to the meanwhile updated LSZ List, the number 750 stands for a "DSV2Digitalsignal-
Verbindung 2 Mbit/s", which is a digital signal path.
The cable mentioned in the e-mail therefore only has a small capacity, which seems to indicate that NSA
and/or BND selected it carefully.
FFM 21 stands for "Frankfurt am Main 21", which according to Deutsche Telekom'snetwork map is the
name of the Point-of-Presence (PoP) located at its facility in the Frankfurt suburb Nied - the location where
that Eikonal tapping took place.
This means we have a physical cable running between Luxembourg and the Deutsche Telekom PoP in
Frankfurt, but containing channels to cities which are much further, so they have to connect to channels
within other physical cables that run from Frankfurt to Moscow, Prague, Vienna and Ankara, respectively:
As the e-mail is from February 3, 2005, it must relate to telephone collection, because for Eikonal, the first
cable containing internet traffic only became available by the end of that year.
The Transit agreement
On May 18, the Austrian tabloid paper Kronen Zeitung published the full "Transit Agreement"
(pdf) between BND and Deutsche Telekom, in which the latter agreed to provide access to transit cables,
and in return will be paid 6.500,- euro a month for the expenses. The agreement came into retrospective
effect as of February 2004.
This disclosure got little attention, but is rather remarkable, as such agreements are closely guarded
secrets. The Transit agreement existed in only two copies: one for BND and one for Deutsche Telekom.
It is not known how Pilz came into possession of these documents, but it seems the source must be
somewhere inside the German parliamentary investigation commission. They are the only persons outside
BND and Deutsche Telekom who, for the purpose of their inquiry, got access to the agreement and the
other documents.
Leaking these documents to Pilz seems not a very smart move, as it will further minimize the chance that
the commission will ever get access to the list of suspicious NSA selectors.
Country lists
On May 19, Pilz held a press conference (mp3) in Berlin, together with the chairman of the Green party in
Luxembourg and a representative of the German Green party. Here, Pilz presented a statement (pdf),
which includes the aforementioned e-mail, 10 questions to the German government, and two tables with
cable links to or from Austria and Luxembourg:
Lists of links that apparently were on a priority list of NSA.
LSZ = Leitungsschlüsselzahl (cable type indentifier);
Endstelle = Endpoint; Österreich = Austria.
(Source: Peter Pilz - Click to enlarge)
According to Pilz, the full list contains 254 (or 256) cable links. 94 of them connect EU member states, 40
run between EU members and other European countries like Switzerland, Russia, Serbia, Bosnia-
Herzegovina, Ukraine, Belarus and Turkey. 122 links connect European countries with nations all over the
world, with Saudi Arabia, Japan, Dubai and China being mentioned most.
The country which most links (71) run to or from is the Netherlands. The list for that country
was disclosed by Peter Pilz during a press conference in Brussels on May 28, 2015. The US, the UK and
Canada are not on the list, although there were apparently 156 links from/to Britain too.
Update:
On June 25, 2015, the Dutch telecommunications provider KPN announcedthe results of its inquiry into the
alleged tapping of its cables. It was very difficult to identify the channels in the list because meanwhile
KPN's whole network had been restructured. Eventually it became clear the connections (being channels
within cables and KPN only being responsible for the first half until Frankfurt) had been rented out under
telephony wholesale contracts, so it was impossible to trace individual customers or users.
Additional details
On June 5, 2015, Peter Pilz held a press conference in Paris, where he presented astatement
(.docx) containing a list of 51 transit links to or from France. Interestingly, this list now also includes some
additional technical identifiers for these links, which were apparently left out in the earlier ones:
First part of the list with links related to France
(Source: Peter Pilz - Click to enlarge)
On June 29, 2015, Peter Pilz presented a similar detailed list (.pdf) of 28 transit links to and from Poland.
According to the updated LSZ List, the new codes in these lists stand for:
- 703: VC3 Virtual Container connection with 48,960 MBit/s
- 710: (not yet known)
- 712: VC12 Virtual Container connection with 2,240 MBit/s
- 720: (not yet known)
- 730: (not yet known)
VC3 and VC12 are from the Synchronous Digital Hierarchy (SDH) protocol to transfer multiple digital bit
streams synchronously over optical fiber. This has the option for virtual containers for the actual payload
data. VC3 is for mapping 34/45 Mbit/s (E3/DS3) signals; VC4 for 140 Mbit/s (E4); VC12 for 2 Mbit/s (E1).
The new identifiers in this list stand for: O-nr.: Ordnungsnummer; GRUSSZ:Grundstücksschlüsselzahl;
FACHSZ: Fachschlüsselzahl.
No information about these identifiers was found yet, but by analysing the data in the list, it seems that
the FACHSZ codes are related to a telecom provider. France Telecom for example appears with FACHSZ
codes CFT, VPAS, VCP3, VB5 or 0.
The GRUSSZ number identifies a particular city, with the first two or three digits corresponding with the
international telephone country codes. The last two digits seem to follow a different scheme, as we can
see that a capital always ends with "10":
Paris = 33010
Lyon = 33190
Reims = 33680
Brussels = 32010
Prague = 42010
Oslo = 47010
Warsaw = 48010
Poznan = 48020
Moscow = 70010
It's possible that these are just internal codes used by Deutsche Telekom, as internationally, connections
between telephone networks are identified by Point Codes(PC). From the Snowden-revelations we know
that these codes are also used by NSA and GCHQ to designate the cable links they intercept.
> See also: How GCHQ prepares for interception of phone calls from satellite links
NSA or BND wish lists?
Initially, Peter Pilz claimed these links were samples from a priority list of the NSA, but on May 27,
he said in Switzerland, that the list was from BND, and was given to NSA, who marked in yellow the links
they wanted to have fully monitored.
The German parliamentary hearings were also not very clear about these lists. On December 4, project
manager S.L. confirmed that NSA had a wish list for circuit-switched transit links, but in the hearing from
January 15 it was said that there was a "wish list of BND" containing some 270 links. And on March 5,
former SIGINT director Urmann said he couldn't remember that NSA requested specific communication
links.
Maybe the solution is provided by the Dutch website De Correspondent, which reports that there is a much
larger list (probably prepared by BND) of some 1000 transit links, of which ca. 250 were marked in yellow
(probably those prioritized by NSA).
Whose cables?
Media reports say that these cables belong to the providers from various European countries, but that
seems questionable. As we saw in the aforementioned e-mail, it seems most likely that the lists show
channels within fiber-optic cables, and that the physical cables all run between the Deutsche Telekom
switching facility in Frankfurt and the cities we see in the lists.
In theory, these cables could be owned or operated by those providers mentioned in the lists, but then
they would rather connect at a peering point like the DE-CIX internet exchange, where providers exchange
traffic with eachother.
In this case, it seems more likely that the physical cables are part of Deutsche Telekom's Tier 1 network,
which is a worldwide backbone that connects the networks of lower-level internet providers.
Simplified structure of the Internet, showing how Tier 1, Tier 2 and Tier 3 providers
transit data traffic in a hierarchial way and how Tier 2 providers exchange
traffic directly through peering at an Internet eXchange Point (IXP)
(diagram: Wikimedia Commons - click to enlarge)
Questions
It is not clear how many of the over 250 links on the list were actually intercepted. We only know that for
sure for the STM-1 cable with the four channels described in the aforementioned e-mail from Deutsche
Telekom to BND.
Strange is the fact that during the parliamentary hearings, most BND witnesses spoke about "a cable in
Frankfurt", which sounds like one single physical cable, whereas the disclosures by Peter Pilz clearly show
that multiple channels must have been intercepted.
Update:
During the commission hearing of January 29, 2015, BND technical engineer A.S. said that under
operation Eikonal, telephone traffic came in with a data rate of 622 Mbit/s. This equals a standard STM-4
cable, which contains 252 channels of 2 Mbit/s. This number comes close to the channels on the "wish
list", but it seems not possible that those were all in just one physical cable.
Another question is whether it is possible to only filter the traffic from specific channels, or that one has to
have access to the whole cable.
It should be noted that not the entire communications traffic on these links was collected and stored, but
that it was filtered for specific selectors, like phone numbers and e-mail addresses. Only the traffic for
which there was a match was picked out and processed for analysis.
Possible targets
Based upon these documents, Peter Pilz filed a complaint (pdf) against 3 employees of Deutsche Telekom
and one employee of BND for spying on Austria, although at the same time he said he was convinced the
NSA was most interested not in Austrian targets, but in the offices of the UN, OPEC and OSCE in Vienna.
Apparently he didn't consider the fact that Eikonal was part of the RAMPART-A umbrella program, which is
aimed at targets in Russia, the Middle East and North Africa. Many cities mentioned in the disclosed lists
seem to point to Russia as target, and project manager S.L. testified that Eikonal was mainly used for
targets related to Afghanistan, which fits the fact that there are for example 13 links to Saudi Arabia.
Green party members from various countries claimed that this cable tapping was used for economical or
industrial espionage, but so far, there is no specific indication, let alone evidence for that claim.
Links and sources - LeMonde.fr: Deutsche Telekom a espionné la France pour le compte de la NSA
- Tagesschau.de: Europa verlangt Aufklärung von Berlin
- DeCorrespondent.nl: Er is geen enkel bewijs dat de Nederlandse kabels zijn afgetapt
- Volkskrant.nl: 71 KPN-internetverbindingen afgetapt door geheime diensten
- NRC.nl: Duitse BND tapte tientallen internetverbindingen KPN af
- DerStandard.at: BND-NSA-Affäre: Laut Pilz auch Spionage in Belgien und Niederlanden
- Golem.de: Telekom und BND Angezeigt: Es leakt sich was zusammen
- Zeit.de: Daten abfischen mit Lizenz aus dem Kanzleramt
Geplaatst door P/K op 23:22
Email ThisBlogThis!Share to TwitterShare to FacebookShare to Pinterest
Labels: Eikonal, Germany, NSA Partnerships
No comments:
Post a Comment
http://electrospaces.blogspot.com/2015/05/new-details-about-joint-nsa-bnd.html