General Discussion

http://www.whistleblower.org/program-areas/homeland-security-a-human-rights/surveillance/fisababak-pasdar

For civil liberties advocates, the first week of March 2008 wasn’t shaping up very well. For months, the House of Representatives had
been wrangling to work out a compromise bill for a pressing issue – anti-terrorist spying legislation. That political hot-button
guaranteed a tremendous amount of media coverage, as the bill represents Congress’ response to the “domestic spying” scandal
plastered on the front pages of newspapers for years – proof that the Bush administration had violated the privacy rights of American
citizens by circumventing the Foreign Intelligence Surveillance Act (FISA) requirements to secure judicial warrants to target monitor
citizen’s communications.

~snip~

That’s when GAP helped our client, Babak Pasdar, educate our representatives on the full scope of what information certain telecoms
provided to the Bush administration. In a word – everything. Pasdar’s disclosures shocked Congress, and delayed the vote.

The “Quantico Circuit”

Pasdar, a experienced computer expert, was hired as a contractor to do security work for a major telecommunications company. In
doing so, he discovered a mysterious “Quantico Circuit” at the company’s facility (media sources identified the telecom as Verizon).
The circuit, linked to Quantico, VA, provided the federal government unfettered access to all of that company’s customer mobile phone
communications – all calls, emails, text messages, internet use, videos, billings, and even customer locations. However, the line was
configured so no record of what was being tapped by the government existed.

Pasdar stated that logs should be kept of what was recorded, but he was quickly moved off the project. When the telecommunications
immunity vote seemed imminent, he knew he had to expose his finding to the country before judgment was passed. How could any
immunity be reasonable, or just, if the full violations were not known? Pasdar sought help from GAP.

http://www.themediaconsortium.com/reporting/wp-content/uploads/2008/03/affidavit-bp-final.pdf

My name is Babak Pasdar, President and CEO of Bat Blue Corporation. I have given this affidavit to
Thomas Devine, who has identified himself as the legal director of the Government Accountability
Project, without any threats, inducements or coercion.

I have been a technologist in the computer and computer security industry for the past nineteen years
and am a "Certified Ethical Hacker" (E-Commerce Consultants International Council.) I have worked
with many enterprise organizations, telecommunications carriers, as well as small and medium sized
organizations in consulting, designing, implementing, troubleshooting, and managing security systems.
This statement is to make a record ofmy concerns about the privacy implications for our society from
what I personally witnessed at a major telecommunications carrier, as summarized below.

~snip~

Our plan that evening was to migrate a set of users to the new firewall, and then determine if and how it
impacted access and functionality. We started testing and, all-in-all, the small users test migration went
very well. The test went so well that we then set out to migrate over 300 sites that were carrier owned
or affiliate locations. These 300 or so sites were mostly sales offices. We migrated the locations by
redirecting their traffic to the new firewalls. All was going extremely well. As the night went on you
could feel the relief taking over the anxiousness everyone had felt earlier.

At one point I overheard C1 and C2 talking about skipping a location. Not wanting to do a shoddy job
I stopped and said "we should migrate all sites."

C1 told me this site is different.

I asked, "Who is it? Carrier owned or affiliate?"

C1 said, "This is the 'Quantico Circuit.'''

I remember that he paused and looked at me as did C2. I inquired, "Quantico, Virginia? Is this a store
location?"

C1 responded, "No."

"Is it what I think it is?", I asked.

C1 did not reply but just smiled. It was a very telling smile and I knew we were discussing something
unusual.

"What kind of circuit is it?", I asked.

"A DS-3," replied C1. (A DS-3 is a 45 mega bit per second circuit that supports data and voice
communications.)

C1 said that this circuit should not have any access control. He actually said it should not be
firewalled.

I suggested to migrate it and implement an "Any-Any" rule. ("Any-Any" is a nickname for a
completely open policy that does not enforce any restrictions.) That meant we could log any activity
making a record ofthe source, destination and type of communication. It would have also allowed
easy implementation of access controls at a future date. "Everything at the least SHOULD be logged," I
emphasized.

C1 said, "I don't think that is what they want."

"Who?", I asked, and again C1 and C2 did not respond.

C2 by this point had stepped back and his body language showed that he was very uncomfortable
discussing this matter.

"Come on guys, let's just do it and ask for forgiveness later. You know its the right thing." I suggested.

C1 and C2 did not want to comply. Instead they got on the phone with DS who asked me to stop what I
was doing and move on. To my surprise, he then drove the one hour or so to the data center.

The tentative, uncertain DS I had known was transformed into a man wagging his finger in my face and
telling me to "forget about the circuit" and "move on" with the migration, and ifI couldn't do that then
he would get someone who would.

I politely and in a low-key manner informed DS that my intention was to deliver security in line with
industry-acceptable use scenarios, and although I am not intimately familiar with their security policy,
it was reasonable to think that having a third party with completely open access to their network core
was against organizational policy.

DS did not want to hear any of it and re-doubled his emphatic message to move on. This was serious
stuff. He had let me know in no uncertain terms that I was treading above my pay grade.

When DS left, I asked C1 again, "Is this what I think it is?"

"What do you think?", he replied again, smiling.

I shifted the focus. "Forgetting about who it is, don't you think it is unusual for some third party to have
completely open access to your systems like this? You guys are even firewalling your internal offices,
and they are part of your own company!"

C1 said, "Dude, that's what they want."

I didn't bother asking who "they" were this time. "They" now had a surrogate face - DS. That told me
that "they" went all the way to the top, which was why the once uncertain DS could now be so sure and
emphatic.