Babak Pasdar’s affidavit on Verizon’s Quantico Circuit reveals a detail about the government’s back-door access to all of Verizon’s data, one that might be familiar to you from the missing White House emails saga.
When Steven McDevitt tried to reconstruct all the OVP emails from the period when Scooter Libby and Dick Cheney were coordinating their cover story, he discovered that no logs of the emails from that period existed; thus, there’s no way to be sure that the 250 pages of email turned over to Patrick Fitzgerald constitute all the missing emails.
Golly. What a surprise, then, that the government didn’t want any logs taken of its back-door access to (presumably) Verizon’s data.
Pasdar notes that (presumably) Verizon’s log collection system was very primitive.
I specifically remembered being shocked at the primitiveness and inadequacy of their log collection system. After all, this was a major carrier. After a cursory overview I was able to point out to C1 and C2 that their log collection system might not have been collecting all logs. This surprised C1 and C2. A subsequent test showed that the client’s log collection system was missing as many as 75% of the logs being generated, essentially rendering the whole system useless.
Mind you, that covered the whole system, not just the Quantico Circuit the government was using to access the system. But when Pasdar describes learning about the Circuit itself, he explains that there was no logging system for the Circuit. None.
This is a little narrative he tells about learning of the Circuit when testing the firewalls of the new system he was putting in.
At one point I overheard C1 and C2 talking about skipping a location. Not wanting to do a shoddy job I stopped and said "we should migrate all sites."
C1 told me this site is different.
I asked, "Who is it? Carrier owned or affiliate?"
C1 said, "This is the ‘Quantico Circuit.’"
Pasdar goes on to learn that this is a 45 megabit per second circuit that supports data and voice communication. The consultants he was working with made it clear they weren’t supposed to put any access controls on it.
C1 said that this circuit should not have any access control. He actually said it should not be firewalled.
I suggested to migrate it and implement an "Any-Any" rule. ("Any-Any" is a nickname for a completely open policy that does not enforce any restrictions.) That meant we could log any activity making a record of the source, destination and type of communication. It would have also allowed easy implementation of access controls at a future date. "Everything at least SHOULD be logged," I emphasized.
C1 said, "I don’t think that is what they want."