
I can't really take much more of this... What is their goal?


"Mapping the domain" is one thing all military agencies try to do, just like if you were a hacker who gained access to an unfamiliar subnet you'd likely try to figure out the lay of the land.

I'm more surprised that NSA didn't already have programs to map the Internet, given how long nmap has been around.

However it has the key words N, S, and A so let's just assume it's something sinister and evil.
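As an added example (not from the thread, the Heise article, or any agency tooling), here is the defender's side of the "mapping the domain" described above: a small detector that reads connection-log lines and flags a source that touches many ports on one host (a vertical scan) or one port across many hosts (a horizontal sweep) within a time window. The log format, thresholds and all sample lines are constructed assumptions for this example.

```python
"""Port-scan detection over constructed connection logs (example added to this
thread; not the page's or any project's code). Assumed log format per line:
    <ISO-8601 timestamp>Z <src ip> <dst ip> <dst port> <proto>
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: 203.0.113.7 probes ten ports on one host and then port 22
# across seven hosts; 203.0.113.20 is an ordinary client making a few connections.
SAMPLE_LOG = """\
2014-08-15T10:00:00Z 203.0.113.20 198.51.100.10 443 tcp
2014-08-15T10:00:01Z 203.0.113.7 198.51.100.10 21 tcp
2014-08-15T10:00:01Z 203.0.113.7 198.51.100.10 22 tcp
2014-08-15T10:00:01Z 203.0.113.7 198.51.100.10 23 tcp
2014-08-15T10:00:02Z 203.0.113.7 198.51.100.10 25 tcp
2014-08-15T10:00:02Z 203.0.113.7 198.51.100.10 80 tcp
2014-08-15T10:00:02Z 203.0.113.7 198.51.100.10 110 tcp
2014-08-15T10:00:03Z 203.0.113.7 198.51.100.10 143 tcp
2014-08-15T10:00:03Z 203.0.113.7 198.51.100.10 443 tcp
2014-08-15T10:00:03Z 203.0.113.7 198.51.100.10 445 tcp
2014-08-15T10:00:04Z 203.0.113.7 198.51.100.10 3389 tcp
2014-08-15T10:00:05Z 203.0.113.20 198.51.100.10 443 tcp
2014-08-15T10:00:10Z 203.0.113.7 198.51.100.11 22 tcp
2014-08-15T10:00:10Z 203.0.113.7 198.51.100.12 22 tcp
2014-08-15T10:00:11Z 203.0.113.7 198.51.100.13 22 tcp
2014-08-15T10:00:11Z 203.0.113.7 198.51.100.14 22 tcp
2014-08-15T10:00:12Z 203.0.113.7 198.51.100.15 22 tcp
2014-08-15T10:00:12Z 203.0.113.7 198.51.100.16 22 tcp
2014-08-15T10:00:40Z 203.0.113.20 198.51.100.10 80 tcp
"""


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_log(text):
    """Parse the assumed whitespace-separated log format into Conn records."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        conns.append(Conn(when, src, dst, int(dport), proto))
    return conns


def detect_scans(conns, window=timedelta(seconds=60), port_threshold=8, host_threshold=5):
    """Return {src: {"vertical", "horizontal", ...}} for sources that, within any
    sliding `window`, hit >= port_threshold distinct ports on a single host
    (vertical scan) or >= host_threshold distinct hosts on a single port
    (horizontal sweep). Thresholds are illustrative, not tuned values."""
    by_src = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        by_src[c.src].append(c)

    alerts = defaultdict(set)
    for src, events in by_src.items():
        recent = deque()  # connections from this source inside the current window
        for c in events:
            recent.append(c)
            while recent and c.ts - recent[0].ts > window:
                recent.popleft()
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for r in recent:
                ports_per_host[r.dst].add(r.dport)
                hosts_per_port[r.dport].add(r.dst)
            if any(len(p) >= port_threshold for p in ports_per_host.values()):
                alerts[src].add("vertical")
            if any(len(h) >= host_threshold for h in hosts_per_port.values()):
                alerts[src].add("horizontal")
    return dict(alerts)


if __name__ == "__main__":
    for src, kinds in detect_scans(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {', '.join(sorted(kinds))} scan")
```

The sliding window is what makes the fast, "one day focused effort" style of acquisition stand out; a scan spread across days at a handful of probes per hour would slip under these thresholds, which is why production detectors also keep longer-lived per-source counters and correlate across sensors.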


It is just how their bureaucratic apparatus evolved within its rules and constraints.

At some point a 3 letter agency got a large sum of money and was told "here, gather intelligence". So they did. Hired people, poured money into projects, training, equipment, contractors, promotions. All this wrapped in secrecy and hidden in its own world. Joe Schmo head of department X heading cellphone baseband radio firmware hacks will make sure to lobby for his department and tell everyone how there are all these terrorists everywhere running around discussing dirty bomb plans over cell phone conversation, and only his department can save the world. Does he care about the world? No, but he cares about getting more recognition, more money, a larger budget, more people under him and so on.

Every time something like a terrorist attack, war, defection or leak happened, the tendency was not to evaluate, scale down and reconsider where they are headed, but to ask for more budget, more equipment, more projects. Basically double down.

So it is not that there is a cabal conspiring to hold us down that meets in a dark basement some place. But rather the constraints and rules present, if not actively fought against, will lead to this.

Another element in this is that those that might disagree with how things are run don't get to rise high enough to the top to make a difference. Here we had Binney, Snowden and a few anonymous leakers. But it is not like they could have risen to the top in the administration to make a change from within, so to speak. To steer the agency on a Constitutional path. So the top is full of those who believe in doing things the same way they are already being done.


Their goal for some time now[1] is to keep cash flowing through the military-industrial complex. They obviously don't have any kind of focus on actual intelligence work, or they wouldn't be so bad at basic practices like compartmentalization[2]. Even the ways they could abuse their surveillance capabilities seem to be more of a "bonus". They could be much worse, but that would distract from their business of piping cash to their "contractor" friends.

Interestingly, the recent mess the EFF has been reporting on (Jewel v NSA), where they tried to retcon the public court record, has - in the public court record - the DOJ lawyers delivering[3] an incredible Freudian slip. While arguing that basically nobody can ever have standing to challenge their Section 215 based activities, they mention this: (caps in original, emphasis mine)

    ALL THESE TERRIBLE DISCLOSURES THAT OCCURRED OVER THE PAST YEAR -- IN FACT,
    THIS IS THE ONE YEAR ANNIVERSARY -- DISCLOSURES THAT WE ARE CONVINCED THAT
    HAVE SERIOUSLY HARMED THE NATIONAL SECURITY OF THIS *COMPANY*, WE HAVE CONTINUED
    TO PROTECT THE IDENTITY OF PARTICULAR TELECOMMUNICATION CARRIERS THAT ARE
    ALLEGED TO HAVE ASSISTED THE NSA,

"national security of this company". wow.

[1] According to William Binney and others. This recent interview mentions it, as do many others.

http://www.dw.de/binney-the-nsas-main-motives-power-and-mone...

[2] For example, how the hell did Snowden even have access to that many sensitive docs? Even as a sysadmin, he didn't "need to know" a lot of that. They used to take that kind of practice deadly seriously.

[3] https://www.techdirt.com/articles/20140813/23203228207/unsea...


Gathering foreign intelligence. It's not like their overarching mission is a huge secret.

http://www.nsa.gov/about/mission/index.shtml


At the expense of the sanity and security of those who the foreign intelligence is meant to protect?

This is an obvious abuse with extreme existential consequences.

Sort of reminds me of this book I read as a kid: http://en.wikipedia.org/wiki/Momo_(novel)#Plot_summary


>At the expense of the sanity and security of those who the foreign intelligence is meant to protect?

Correct.

NSA would say "the ends justify the means in this case". As they would say of literally all of their programs.


I think the assaults on your sanity are likely more the result of sensationalized/incomplete reporting. The biggest issue I have with most of the Snowden reporting is that if the article doesn't outright jump to assumptions that aren't supported by the source material, they usually have unanswered questions and are written in such a way that would cause the reader to jump to the worst possible conclusion. I'm not sure on the entirety of what's actually going on, but the only hard facts I can glean from the original article[1] are: 1) GCHQ has an nmap/zmap-like tool (not surprising) 2) the various intelligence agencies hack their targets (not surprising) 3) they apparently gain control of relays to obscure their tracks (potentially disconcerting, but makes sense...) 4) the only criteria that was discussed was the fact that the relays can't be located in Five-Eyes countries (Slide 18).

Bruce Schneier made a couple of observations on the slide decks[2]:

24 people were able to identify "a list of 3000+ potential ORBs" in 5-8 hours. The presentation does not go on to say whether all of those computers were actually infected.

...

The slides never say how many of the "potential ORBs" CSEC discovers or the computers that register positive in GCHQ's "Orb identification" are actually infected

Despite this, the article authors have no problem tossing in assertions not made in their source material, such as: "these spy agencies try to attack every possible system they can, presumably as it might provide access to further systems. Systems may be attacked simply because they might eventually create a path towards a valuable espionage target, even without actionable information indicating this will ever be the case." or "Thus, system and network administrators now face the threat of industrial espionage, sabotage and human rights violations created by nation-state adversaries indiscriminately attacking network infrastructure and breaking into services." Heck, as far as I can tell they apparently threw in Slides 9-16 (what appears to be a generic description of network hacking) solely so that they could include the phrase "The NSA presentation makes it clear that the agency embraces the mindset of criminals." (Neglecting to mention that the supposed "tools to support this criminal process" are a Wireshark dump of an ICMP ping response [Slide 14], what looks to be an FTP session labelled "Iraqi Ministry of Finance" showing an attempt at brute forcing the administrator account [Slide 15], and a screenshot of a freshly opened cmd.exe [Slide 16])

If the average person reads through this without looking at the text critically, they're going to walk away thinking "holy crap, they're hacking everyone!", which would indeed be terrifying. The problem is that the evidence needed to reach that conclusion isn't actually there. Nothing is shown regarding any actual process for selecting hosts to use as relays, or any actual number of hosts that they hack into. One commenter on the Schneier article[3] points out that they can't just indiscriminately gain control of hosts - the host isn't necessarily going to be reliable and the chances of them getting caught increase quickly as the number of hacked hosts increases. Nor do they mention if there is any effort to assess the potential political damage that may arise from the target selection. I'd be pretty pissed if I found out that my laptop was being covertly used to hack on their behalf, but on the other end of the scale I don't care if some random open SMTP server in Nigeria is being used by the NSA to spy on North Korea.

[1] http://www.heise.de/ct/artikel/NSA-GCHQ-The-HACIENDA-Program...

[2] https://www.schneier.com/blog/archives/2014/08/nsagchqcesc_i...

[3] https://www.schneier.com/blog/archives/2014/08/nsagchqcesc_i...


>Nothing is shown regarding any actual process for selecting hosts to use as relays, or any actual number of hosts that they hack into

To quote parts of figure 18 in the Heise story:

CSECS Operational Relay Box (ORB) ... subsequently used for exploits... 2/3 times a year, 1 day focused effort to acquire as many new ORBs as possible in as many non 5-Eyes countries as possible.

I interpret this as "hack as many hosts as possible in a given short timeframe".


But it's still not a number - how many are actually being hacked in this manner? Hundreds? Thousands? Millions? Five? There's not enough context given to tell. That picture on slide 18 with all of the redactions just below the quote you cite shows 63 egg-shaped (or maybe "orb" shaped?) icons with various colored halos and warning symbols next to them. If I were to make an educated guess based on that slide, I'd guess that CSEC controls a total of 63 relays. If I only read the article, I'd assume several orders of magnitude more.

The point that I was trying to make in my earlier comment is that when we read an article like that we tend to instinctively ask more questions, and if the answers to our questions aren't there we tend to make assumptions. Depending on both our own biases and the biases of the author presenting the information, our assumptions are often way off the mark (in either direction).

Here's some questions I would pose to the authors of that article that aren't answered:

How many hosts are being hacked?

Who owns the hosts being hacked? Have the authors taken steps to inform the owners? If not, what is the reason they chose not to?

What are those hosts normally used for and by whom? What is the scale of the privacy implications associated with NSA/GCHQ/CSEC using this host?

What criteria are considered when they select a host to hack to use as a relay?


Thanks, this is the kind of response I was looking for. I was under the assumption, after reading a couple of articles, that they were more or less hacking anything they could, and creating a network of vulnerable machines that could then be used as relays.

I appreciate you taking the time to write this up - I will have to invest some time into going over these sources more carefully.


I find it quite amusing they don't roll with SSL/TLS on their website.


control


To what end though? They already have quite a bit of control...


Notice people with quite a bit of money don't cease money-making activities. They tend to increase them. Sometimes money and power are their own end goal.


Control is controlled by a need to control: Control controls control. At least according to Burroughs.



