February 15, 2020

The serial numbers of NSA reports

(Updated: February 16, 2020)

On January 14, the NSA disclosed a serious vulnerability in the CryptoAPI service of the Windows 10 operating system (vulnerability identifier: CVE-2020-0601). In a rare public Cybersecurity Advisory the agency even offered further details about this issue.

An interesting detail is that this Cybersecurity Advisory has two serial numbers in the same format as the NSA uses on their Top Secret intelligence reports, some of which have been published by Wikileaks and as part of the Snowden-leaks.

The serial numbers on the NSA's Cybersecurity Advisory from January 14, 2020

The NSA's Cybersecurity Advisory has three groups of letters and numbers, the last one being the date of the document in the format month/day/year, which is typical for the United States.

The first group seems to be an external serial number, while the second group is more like an internal serial number. Below, the components of both serial numbers will be discussed in detail.

External serial number

The first serial number on the public Cybersecurity Advisory is similar to the serial numbers on a range of highly classified intelligence reports which were published by Wikileaks in June and July 2015 and in February 2016. These documents were not attributed to Edward Snowden, so they were probably provided by a still unknown "second source".

These intelligence reports were part of various editions of the "Global SIGINT Highlights - Executive Edition" briefings. Wikileaks published only one report in the original layout with header and a disclaimer. In the bottom right corner they have one or two serial numbers, one number for each source of intelligence:

NSA intelligence report about an intercepted conversation between French president
François Hollande and prime minister Jean-Marc Ayrault, May 22, 2012.
(Watermarked by Wikileaks - Click to enlarge)

The serial numbers are followed by a timestamp in the standard military notation: for example, 161711Z stands for the 16th day, 17 hours and 11 minutes ZULU (= Greenwich Mean) Time, with the month and the year as mentioned in the briefing.

The first five intelligence reports published by Wikileaks were from 2006 to 2012 and have the following serial numbers:

These kind of briefings are called serialized reports, which are described in the NSA SIGINT Reporter's Style and Usage Manual as "The primary means by which we provide foreign intelligence information to intelligence users, most of whom are not part of the SIGINT community. A report can be in electrical, hard-copy, video, or digital form, depending on the information's nature and perishability."

The NSA Style Manual also explains the serial numbers of these reports: "Serial numbers are assigned to NSA reports on a one-up annual basis according to the PDDG issuing the report. Every serial includes the classification level, the PDDG of the originator, and a one-up annual number, as in the following examples:

The classification level of a report can be represented by a variety of codes. Comparing the first part of the serial number with the classification marking of a particular report shows that they are assigned according to the following scheme (updated and corrected):

1 = ?
2 = ?
3 = (Top Secret) Comint
  E = ?
G = (Top Secret) Comint-Gamma
I = ?
  S = ?
U = Unclassified
Z = NoForn

The Producer Designator Digraph (PDDG) consists of a combination of two letters and/or numbers and designates a particular "collector". These codes refer to NSA collection facilities and programs, but those with double vowels stand for the signals intelligence agencies of the Five Eyes partnership, as was already revealed in Nicky Hager's book Secret Power from 1996:
AA = GCHQ, United Kingdom
EE = DSD, now ASD, Australia
II = GCSB, New Zealand
OO = NSA, United States
UU = CSE, Canada

The one-up annual number doesn't seem like a continuous number for each year: on the Windows vulnerability report the one-up number is 104201, which would mean that the NSA produced already over one hundred thousand reports in the first two weeks of 2020 alone. That's not realistic, so maybe there are number ranges assigned to each producer or something similar.

Finally, the year in which the report was issued is represented by its last two digits.

Internal serial number

The second series of letters and numbers on the NSA's Cybersecurity Advisory seems to be an internal serial number. In this case it's PP-19-0031, a format that we also saw on the draft of the famous NSA Inspector General's report about the STELLARWIND program, which was leaked by Edward Snowden. This draft report is dated March 24, 2009 and has the serial number ST-09-0002:

Comparing these two serial numbers indicate that the two digits in the middle represent the year and the last four digits are most likely a one-up annual number. The first two letters may be an internal code for the producer: the office, bureau or unit that prepared and issued the report.

This two-letter code doesn't correspond to the PDDG and also not to NSA's organizational designators, which has D1 for the Office of the Inspector General, so there must be another, unknown system for these codes.


After this comparative analysis it has become clear that the serial numbers (and the date) of the NSA's Cybersecurity Advisory can be explained as follows:

January 16, 2020

US government uses Swiss diplomatic network to communicate with Iran

(Updated: February 12, 2020)

A number of countries are connected to each other through bilateral hotlines in order to prevent misunderstandings and miscommunications in times of severe crisis. But what when there's a crisis between two countries that don't have a hotline?

Such a situation occurred after the United States killed the Iranian general Qassem Soleimani on January 3. Because there's no hotline between these countries, the US government used the Swiss diplomatic network urging Tehran not to escalate the crisis, as was reported by the Wall Street Journal.

The Swiss embassy in Tehran
(photo: FDFA - click to enlarge)

Intermediary since 1980

Already since 1980, when Iranian revolutionaries had seized the US embassy in Tehran and took 52 Americans hostage, the Swiss acted as a messenger (or briefträger) between the American and the Iranian government. The US appointed Switzerland as its "protecting power" in Iran and a special United States Interest Section was established in the Swiss embassy for handling informal contacts.

After the American invasion of Iraq in 2003, Swiss diplomats transmitted messages with Iran to prevent direct clashes and under president Obama Switzerland hosted the talks that led to the Iran nuclear deal from 2015. The Swiss ambassador in Iran regularly visits Washington to explain Iran's politics to officials from the Pentagon, the State Department and US intelligence agencies.

The Swiss embassy in Washington DC
(photo: keystone - click to enlarge)

The Soleimani crisis

Details about the informal contacts between the US and Iran have now been revealed by the Wall Street Journal (WSJ): immediately after Washington confirmed the death of general Soleimani on January 3, the US government sent a first urgent message to Tehran asking not to escalate the situation.

The Swiss ambassador delivered the American message by hand to the Iranian foreign minister Javad Zarif early on Friday morning, as the WSJ learned from US and Swiss officials. But Zarif apparently responded to the message with anger, saying that "[U.S. Secretary of State Mike] Pompeo is a bully" and that "The U.S. is the cause of all the problems."

Two days later, on January 5, Zarif called the Swiss ambassador asking to relay his response to the US government, which appeared more restrained. This was followed by a range of back and forth messages, "far more measured than the fiery rhetoric traded publicly by politicians", which for now seem to have helped prevent a military clash between both countries.

The Swiss diplomatic network

The message from the US government to Iran "arrived on a special encrypted fax machine in a sealed room of the Swiss mission" and the WSJ adds that this "equipment operates on a secure Swiss government network linking its Tehran embassy to the Foreign Ministry in Bern and its embassy in Washington. Only the most senior officials have the key cards needed to use the equipment."

Using the secure diplomatic communications network of a third party is a good option for exchanging sensitive messages between two countries, because it's not always possible to set up a direct communications link. One of the difficulties is that in order to encrypt such communications, both parties have to use the same algorithms and, obviously, countries don't like to share their crypto systems with others.

Similar to an official direct bilateral hotline, the back channel through the Swiss diplomatic network appears to be effective, because both parties "can trust a message will remain confidential, be delivered quickly, and will reach only its intended recipients. Statements passed on the back channel are always precisely phrased, diplomatic, and free of emotion" - according to the WSJ report.

The west wing of the Federal Palace (Bundeshaus) in Bern, Switzerland,
home of the Federal Department of Foreign Affairs (FDFA)
(photo: Mike Lehmann/Wikimedia Commons - click to enlarge)

Swiss crypto manufacturers

Switzerland's neutrality is not only useful for diplomatic negotiations, but was also an advantage for the manufacturers of crypto equipment.

One of the oldest companies was Gretag AG, which goes back to 1947. In 1987 most of its cryptographic business was split off and transferred to Omnisec AG, which had been founded especially for this purpose. However, the civil encryption machines as well as those for the Swiss government were sold to AT&T in 1991. Under a new owner, this product line was renamed to Safenet Data Systems, but the company declined rapidly and was liquidated in 2004.

Most of the business had already been taken over by Omnisec AG, which had become one of the most trusted crypto-companies in the world, selling its voice, fax and data encryptors to governments, armies and intelligence services. But gradually the market for proprietary Swiss encryption technology became smaller and smaller and so the company was dissolved in February 2018.

Another Swiss crypto manufacturer is Crypto AG, which was established in 1952 by Boris Hagelin for the activities of his original Swedish company AB Cryptoteknik. Crypto AG became one of the most famous companies in the crypto business, but there were also several allegations that it cooperated with intelligence agencies like the NSA and the German BND.

On February 11, 2020, American and German news outlets revealed that in 1970, the CIA and the German foreign intelligence agency BND took over the ownership of Crypto AG, which provided them an easier access to the encrypted diplomatic and military communications of over 100 countries (the Swiss government always got the secure versions of Crypto AG's equipment though). In 1993, the BND sold its share to the CIA, which continued to run the company until 2018, when Crypto AG was sold to a Swedish entrepreneur.

The Crypto AG Fax Encryption HC-4221
(photo: Crypto AG brochure)

Swiss fax encryption systems

Both Omnisec AG and Crypto AG produced devices for encrypting fax transmissions. Omnisec had the Omnisec 525 Fax Encryptor, which was available in 2007, while Crypto AG manufactured the Fax Encryption HC-4220, which was succeeded by the HC-4221 and was still available in 2011.

These aren't secure fax machines in the strict sense, but separate crypto devices, which encrypt the signals from a commercial fax machine before being transmitted through the public switched telephone network (PSTN). As can be seen in the photo, the HC-4220 was designed to put the actual fax machine on top of it.

Currently, Crypto AG offers the HC-9300 Crypto Desktop, which is a futuristic looking touchscreen device that performs the encryption of telephone, fax, VoIP and e-mail communications. This device is available at least since 2015 and is approved by the Technical Secretariat of the OPCW to be used for inspections for example.

Maybe the Swiss diplomatic network already uses the HC-9300 to secure its fax messages, but in general, government agencies tend to be rather conservative and stick to older versions, also because new crypto equipment has to undergo rigorous testing before it may be used to protect classified information.

See also:
- The hotline between Washington and the former German capital Bonn
- The Washington-Moscow Hotline

December 12, 2019

Review of Snowden's book Permanent Record - Part II: At the NSA

(Updated: December 20, 2019)

More than 6 years after the first disclosure of Top Secret documents from the NSA, after numerous video appearances and more than 4000 tweets, Edward Snowden has now written an autobiography. It's titled Permanent Record and was published simultaneously in over 20 countries on September 17.

An extensive discussion of the first half of this book, from Snowden's youth to his jobs at the CIA, is provided in Part I of this review. Here, it's about his time at the NSA, which he accuses of collecting everyone's information and storing it forever. However, the book in no way substantiates these claims, misrepresents the NSA collection programs and fails to justify his massive theft of classified data.


Sysadmin at the NSA in Japan

In August 2009 Snowden moved to Japan for his first job at the NSA. This was yet another a contractor job, as he was hired by Perot Systems (which was taken over by Dell in September 2009) under the Agency Extended Information Systems Services (AXISS) contract of the NSA.

His new workplace was at the NSA's Pacific Technical Center (PTC) at Yokota Air Base, near Tokyo. This facility was opened in 2003 as "the sister organization to the highly successful European Technical Center (ETC), providing essential technical and logistical services to vital cryptologic missions in the Pacific Theater."

Here, Snowden worked as a systems administrator responsible for maintaining the local NSA systems and helping to connect the NSA's systems to those of the CIA. As such he found out that the NSA was far ahead in terms of cyberintelligence, but far behind when it came to cybersecurity:
"In Geneva, we'd had to haul the hard drives out of the computer every night and lock them up in a safe - and what's more, those drives were encrypted. The NSA, by contrast, hardly bothered to encrypt anything."
(p. 166)


In Japan, Snowden noticed that the NSA had no proper backup system: because of limited bandwith, local collection sites often did not send copies back to NSA headquarters. He then engineered an automated backup and storage system, that was initially named EPICSHELTER, but was later renamed into Storage Modernization Plan/Program. (p. 166-168)

This system would constantly scan the files at every NSA facility and only if the agency lacked a copy of it back home would the data be automatically queued for transmission. It's not known how accurate this description is, because no original documents about EPICSHELTER have been published.

It's likely though that the scope of the system was smaller than the book suggests and only handled documents and reports produced by NSA employees, not the data the agency intercepted (in Oliver Stone's biographical thriller the fictional Snowden says that EPICSHELTER was only "collecting our finished intel").

For its intercepted communications, the NSA already had a system with a more or less similar function: XKEYSCORE, which in 2008 consisted of filtering systems at some 150 local collection sites. Analysts instruct these local filters to select data of interest, which are subsequently transferred to the agency's central databases. Data that are not of interest disappear from the system's rolling buffer after around 30 days.

Slide from an NSA presentation about XKEYSCORE
showing its federated query hierarchy
(click to enlarge)

Leaving readers with the impression that EPICSHELTER copied and stored virtually all of the NSA's data, Snowden writes:
"The combination of deduplication and constant improvements in storage technology allowed the agency to store intelligence data for progressively longer periods of time. Just over the course of my career, the agency's goal went from being able to store intelligence for days, to weeks, to months, to five years or more after its collection. By the time of this book's publication, the agency might already be able to store it for decades." (p. 167)
Snowden then claims that it is the NSA's ultimate dream "to store all of the files it has ever collected or produced for perpetuity, and so create a perfect memory. The permanent record." (p. 168)

The Utah Data Center

Given that Permanent Record is the title of the book, one would expect a solid substantiation of this claim, but the only "corpus delicti" that Snowden comes up with is the huge $ 1.2 billion data center that NSA built near Bluffdale, Utah, which was probably reported first in July 2009. (p. 246-247)

Snowden says that within the NSA this data center was initially called "Massive Data Repository" but then renamed to "Mission Data Repository" to sound less creepy. This isn't a unique designation for the Utah complex though, because from other sources we know that the NSA has multiple Mission Data Repository (MDR) cloud platforms.

We can assume that Snowden looked and searched for internal NSA documents about the Utah Data Center (UDC), but either he found nothing, or nothing has been published. Maybe that's because it's simply a big back-up facility for the US Intelligence Community as a whole?

That at least seems a plausible option given its official name of "Intelligence Community Comprehensive National Cybersecurity Initiative Data Center" with the purpose of providing a secure and resilient environment supporting the nation's cyber security.

The only relevant piece from the Snowden trove is a map showing that in Utah one can find the NSA's Utah Language Center and two of the NSA's GHOSTMACHINE (GM) cloud computing platforms, codenamed gmCAVE and gmPEACH. It's not clear though whether this is the situation before or after the opening of the data center.

Slide from a 2012 NSA presentation showing the locations
of the agency's GHOSTMACHINE cloud platforms
(click to enlarge)

Permanent Record?

Contrary to Snowden's claim about a "permanent record", many of the data the NSA collects are actually stored for much shorter periods of time. For the programs where communications from foreign targets are collected inside the United States the maximum retention periods for unevaluated data are:
- PRISM (targeted collection from internet companies): 5 years
- Upstream (targeted collection from backbone cables): 2 years
- Section 215 (bulk collection of domestic telephone metadata): 5 years

It seems there were no clear storage restrictions for data collected outside the US under EO 12333 authority, but examples show that they were not kept very long: the NSA's main database for internet metadata, MARINA, stored data for a year, while the massive data processing system RT-RG used in Iraq and Afghanistan could hold its data initially for not more than a month.

In response to the Snowden disclosures, president Obama issued Presidential Policy Directive 28 (PDD-28) in which he determined that personal information about foreigners shall also "not be retained for more than 5 years".

However, Obama's directive didn't change the policy that encrypted communications may be stored indefinitely, something that was useful in the past when only things of importance were encrypted, but makes less sense nowadays. It's ironical that when Snowden urges us to encrypt our data, that actually means they could be stored much longer than if we don't.

On December 12, 2019, the NSA's Inspector General (IG) published a report about the retention requirements for SIGINT data. Many data have to be deleted after a number of years, but the report found several deficiencies in that process. The IG made 11 recommendations and the NSA agreed to implement all of them.


The limitations on storing data from PRISM, Upstream and Section 215 only became public through the declassification of opinions from the FISA Court as well as from a report from the NSA's Civil Liberties and Privacy Office, both in response to one-sided press reports about these programs.

This means that while he was working at the NSA, Snowden may not have been aware of these limitations and therefore jumped to the conclusion that the agency wanted to store its data as long as possible. But by still not mentioning these limited retention periods in his book, Snowden deliberately misleads his readers.

Snowden's atomic moments

According to Permanent Record, Japan was Snowden's "atomic moment" where he realized that "if my generation didn't intervene the escalation would only continue" and surveillance would become "the ear that always hears, the eye that always sees, a memory that is sleepless and permanent." (p. 184-185)

There were however two moments that raised his suspicions:

1. China's domestic surveillance

The first moment was when the NSA's Pacific Technical Center hosted a conference on China and Snowden had to step in as a replacement by giving a briefing about the intersection between counterintelligence and cyberintelligence. (p. 169)

Preparing his briefing, he read about China's mass surveillance against its own citizens and then suspected that the US government was doing the same, because "if something can be done, it probably will be done, and possibly already has been". (p. 170-171)

But how could such surveillance remain secret in an open society like that of the United States, while even the censoring and monitoring measures from the tightly controlled Chinese society are well known? And what would such domestic surveillance have to do with the NSA, which is a military foreign intelligence agency?

Like more radical privacy activists Snowden seems to assume that intelligence agencies like the NSA and CIA desperately want to spy on their own citizens.* But if the government really wants to do so, there are other and easier options, for instance through the FBI and other law enforcement agencies that have the power to wiretap and access to government and private databases.

Another example of mixing these things up is when Snowden describes that he couldn't tell his girlfriend that his "former coworkers at the NSA could target her for surveillance and read the love poems she texted me." It's hard to believe that Snowden really thought that: if there would have been a reason to monitor her, it would have been done by the FBI, not the NSA. (p. 197)

2. The STELLARWIND report

The second moment that apparently scared Snowden was when he read a very secret report about the President's Surveillance Program (PSP), which was established by president George W. Bush after the attacks of 9/11. It gave the NSA the power to track down foreign terrorists without a warrant from the Foreign Intelligence Surveillance Court (FISC) and was therefore also known as Warrantless Wiretapping.

An unclassified report about the PSP was published in July 2009, which gave Snowden the impression that graver things had been going on than just targeted interception of terrorists. This suspicion sent him searching for the classified report on the President's Surveillance Program, which he only found somewhat later by chance. (p. 174-175)
While being interviewed for The Joe Rogan Experience podcast on October 23, 2019, Snowden said that he found the classified version of the STELLARWIND report only somewhere in 2012. It turned up when he ran some "dirty word searches" to help out the Windows network systems administration team that sat next to him when he was in the Office of Information Sharing at NSA Hawaii (see below).

The report appeared to be in a separate classification compartment under the code name STELLARWIND (STLW) and only because someone in the office of the NSA's Inspector General and who had come to Hawaii had left a draft copy on a lower-security system, it popped up as something that Snowden had to remove and delete. Instead, he read it all the way through. (p. 175)

The first page of the highly classified STELLARWIND report
(click for the full report)

After reading the highly restricted report, Snowden found that "the activities it outlined were so deeply criminal that no government would ever allow it to be released unredacted". (p. 176)

This claim requires an explanation of the STELLARWIND program, which doesn't follow in the book, despite the fact that the classified report is very detailed. It makes clear that the program encompassed 4 components:
- Targeted collection of telephony content
- Targeted collection of internet content
- Bulk collection of domestic telephony metadata
- Bulk collection of domestic internet metadata

This may look massive, but on page 9 of the report NSA director Michael Hayden is cited saying that "NSA would not collect domestic communications". Furthermore it explains that the program was only used to collect communications from:
- Members of al-Qaeda and its affiliates (since October 2001)
- Taliban members in Afghanistan (from October 2001 to January 2002)
- The Iraqi Intelligence Service (from March 2003 to March 2004)

The content of these target's communications was collected by filtering backbone cable traffic using some 11,000 phone numbers and e-mail addresses.* On pages 38 and 39 the report says that the bulk collection of both telephone and internet metadata was also strictly limited to finding unknown conspirators of known members of al-Qaeda.

Between 2004 and 2007, all four components of the STELLARWIND program were moved from the president's authority to that of the FISA Court (FISC), based upon a creative interpretation of the Patriot Act and the new Protect America Act.

According to the original report, STELLARWIND was not used for large-scale monitoring of American citizens,* but that's not something we learn from Permanent Record, which is not only misleading but also fails to account for the reason why Snowden was apparently so upset after reading it.

Security clearance reinvestigation

In September 2010, Edward Snowden left Japan and returned to Maryland, where Dell provided him a new job as a technical solutions consultant for their CIA contract, a job that didn't require a security clearance, because the CIA refused to grant him access to classified information (see Part I of this review).

Around that time, Snowden was also due for a periodic background reinvestigation, but when the review was completed in May 2011, no derogatory information had been found. According to the HPSCI-report this was because the investigation was incomplete as, for example, it "never attempted to verify Snowden's CIA employment or speak to his CIA supervisors".

Not much later, Snowden was diagnosed with epilepsy after which he took a four-month disability leave from work until January 2012. According to his memoir, he decided "to start over" and take a less stressful job in Hawaii where the climate and more relaxed lifestyle was better to prevent epileptic seizures. (p. 215)

Did Snowden, who clearly didn't fit into a government bureaucracy, ever considered a private sector job in Silicon Valley, where there's an equally nice climate? Or was he determined enough to find out more about mass surveillance to stay inside the Intelligence Community, although not yet ready to sacrifice everything for that goal? (p. 215)

Sysadmin at the NSA in Hawaii

By the end of March 2012, Snowden and his girlfriend had moved to Hawaii, where he got a new job for Dell at the NSA's regional Cryptologic Center.

While most NSA employees had moved to a new building in the beginning of 2012, Snowden and other technical support workers remained in the so-called Kunia Tunnel, a three story underground bunker facility originally built for aircraft assembly during World War II.

Here, he worked for exactly one year, until March 2013, as a SharePoint systems administrator and the sole employee of the Office of Information Sharing. It was "a significant step down the career ladder, with duties I could at this point perform in my sleep." (p. 214)

The tunnel entrance to the former Kunia Regional Security Operations Center
in Hawaii, where Snowden worked from March 2012 to March 2013
(photo: NSA - click to enlarge)


Just like in his first job at CIA headquarters Snowden started with automating his tasks by writing scripts to do the work for him "so as to free up my time for something more interesting." (p. 214)

That more interesting activity is described in what is probably the most important and most surprising revelation of Permanent Record:
"I want to emphasize this: my active searching out of NSA abuses began not with the copying of documents, but with the reading of them. My initial intention was just to confirm the suspicions that I'd first had back in 2009 in Tokyo. Three years later I was determined to find out if an American system of mass surveillance existed and, if it did, how it functioned." (p. 215)

Here, Snowden basically admits that he isn't a whistleblower: he wasn't confronted with illegal activities or significant abuses and subsequently collected evidence of that, but acted the other way around by gathering as much information he could get, only based upon a vague and, as we have seen, rather far-fetched suspicion.

Snowden also doesn't share whether he found any concrete misconducts in those numerous files, things that could have triggered his decision to hand them over to journalists. He even omits almost all the disclosures made by the press, which makes that Permanent Record contains hardly anything that justifies his unprecedented data theft.

E-mail from Snowden as systems administrator in Hawaii, August 2012
Declassified by the NSA in June 2016
(Click to enlarge)

Readboards and Heartbeat

While his colleagues at the Kunia Tunnel watched Fox News, Snowden's quest for information started with reading what he calls "readboards", a kind of digital bulletin boards where each NSA site posted news and updates. (p. 220)

He started hoarding documents from all these readboards, creating an archive of everything he thought was interesting. After a complaint about exceeding his storage quotum, Snowden came up with the idea to share his personal collection with his colleagues, as a justification, or "the perfect cover", for collecting material from more and more sources. (p. 221, 256)

He then got approval from his boss to create an automated readboard that would perpetually scan for new and unique documents, not only from NSAnet, but also from the networks of the CIA, the FBI as well as from JWICS, the high-level Defense Department intelligence network. (p. 221)

Instead of only gathering titles and metadata like common RSS-readers do, the system had to pull in full documents so NSA Hawaii would have access to all the necessary information in case the fiber-optic cable that connected it with NSA headquarters would be disconnected as a result of a power outage or a cyber attack.

Snowden called the new system Heartbeat (not in capitals in the book) because "it took the pulse" of the NSA and of the wider Intelligence Community (IC), but the program was also important for another reason: "Nearly all of the documents that I later disclosed to journalists came to me through Heartbeat." (p. 221-222)

Mock-up of the Heartbeat interface in Oliver Stone's biographical thriller Snowden
(screenshot from Snowden - click to enlarge)

Scraping tools and stolen passwords

The HPSCI-report says Snowden started his mass downloading of NSA data somewhere around August 1, 2012, using two common scraping tools, called DownThemAll! and wget. These tools were available for legitimate system administrator purposes, but Snowden used them to scrape "all information from internal NSA networks and classified webpages of other IC elements."

This is followed by two redacted sections, so it's not known whether the report acknowledges that this scraping effort was part of an authorized program named Heartbeat. Snowden doesn't mention the scraping tools in his book, but in a video appearance on August 20, 2019, he admitted that he "wrote some scrapers".

Besides the bulk downloading, the HPSCI-report says that Snowden used "his systems administrator privileges to search across other NSA employees' personal network drives and copy what he found on their drives". He also searched for "files related to the promotion and hiring decisions" on the personal network drives of people who had been involved in decisions about jobs for which Snowden had applied.

Already in November 2013, Reuters reported that Snowden even persuaded maybe up to 25 fellow workers to give him their logins and passwords, but in a live chat in January 2014, Snowden vehemently denied this: "I never stole any passwords, nor did I trick an army of co-workers".

The HPSCI-report from 2016 confirmed Reuters' reporting and says that Snowden asked "several of his co-workers for their security credentials so he could obtain information that they could access, but he could not. One of these co-workers subsequently lost his security clearance and resigned from NSA employment."

One would expect that Permanent Record addresses these specific and quite serious accusations, but they are completely ignored. In more general terms however, the book confirms Snowden's almost insatiable desire for information regardless of whether he was entitled to it - he almost seems proud of how easy he could circumvent auditing controls and internal monitoring systems like MIDNIGHTRIDER. (p. 256)

"Collect it All"

While almost "every journalist who later reported on the disclosures was primarily concerned with the targets of surveillance", like American citizens or foreign leaders, Snowden's own curiosity was of technical nature: "the better you can understand a program's mechanics, the better you can understand its potential for abuse." (p. 222)

While Glenn Greenwald saw the slide below as evidence that NSA really wants to "Collect it All", Snowden now says that this was "just PR speak, marketing jargon" intended to impress America's Five Eyes partners and therefore gave him "no insight into how exactly that ambition was realized in technological terms." (p. 222-224)

Slide from a presentation about satellite collection capabilities
at Menwith Hill Station in the United Kingdom, 2011

Given how keen Snowden was to find out the inner workings of the NSA's collection systems, surprisingly little detail about them is found in his book. For example, the best-known and most controversial programs, Section 215 and PRISM, are addressed in only one paragraph each. (p. 222-223)

Just as little information is provided about other NSA collection programs - apparently because such details would undermine Snowden's repetitive claim that the NSA tries to collect everyone's data to store them forever. For example:

- Bulk collection of domestic telephone metadata under Section 215 was limited to counter-terrorism investigations and only used for contact-chaining with no more than 288 seed numbers in 2012, resulting in 6000 numbers that analysts actually looked at.

- Targeted collection from internet companies under PRISM doesn't allow "direct access" to the servers of the companies, has multiple layers of oversight and was used against roughly 160,000 specific foreign targets in 2018.


The most detailed, but still rather limited description in Permanent Record is that of the technologies behind Upstream collection, which is the interception of foreign communications at backbone cables and switching facilities. Snowden says that if you want to look something up on the internet, it has to pass "through TURBULENCE, one of the NSA's most powerful weapons." (p. 225)

According to an internal NSA dictionary, TURBULENCE isn't so much a weapon, but a "framework of mission modernization". A detailed explanation of this framework on the weblog of Robert Sesek shows that it has nine different components, including TURMOIL and TURBINE, which also feature in Snowden's book:

TURMOIL is installed at many locations around the world and makes a copy of a data stream based upon selectors like e-mail addresses, credit card or phone numbers, etc. Suspicious traffic is then tipped over to TURBINE, which uses algorithms to decide whether computer exploits should be used against certain kinds of web traffic. Then, TURBINE injects the exploits in the web traffic back to the target's computer: "Your entire digital life now belongs to them". (p. 225-226)

Snowden claims that these systems "are the most invasive elements of NSA's mass surveillance system, if only because they're the closest to the user." But as TURMOIL filters communications traffic for data that match specific selectors, this qualifies as targeted collection, which is generally preferred above indiscriminate bulk collection.

It's only because Snowden has the habit of describing all the NSA's collection efforts as if they are directed against everyone and anyone ("your traffic", "your digital life") that even targeted collection sounds very scary, but as long as you're not a target, these exploits won't find their way to your computer.

A slide from an unpublished NSA presentation about the TUMULT component of
the TURBULENCE program as seen in the documentary film Citizenfour
(screenshot by paulmd - click to enlarge)

Exfiltrating the data

In his memoir, Snowden says that the big decisions in (his) life are made subconscious and only expressed themselves once fully formed: "once you're finally strong enough to admit to yourself that this is what your conscience has already chosen for you." (p. 214)

Snowden's preparations for leaking to the press apparently started in August 2012, which is earlier than previously assumed. But before handing over his personal collection of Top Secret files, he wanted to "search them and discard the irrelevant and uninteresting, along with those containing legitimate secrets". (p. 256-257)

This was quite difficult on monitored NSA computers, so he took an old Dell PC that he found in a forgotten corner: "Under the guise of compatibility testing, I could transfer the files to these old computers, where I could search, filter, and organize them as much as I wanted, as long as I was careful." (p. 256-257)

It seems that Snowden used this desktop computer as a "thin-on-thick" device, which means that it officially served as a thin client. According to the HPSCI-report Snowden requested such a thin-on-thick computer in late August 2012, which is less than a month after he started bulk downloading internal NSA files.

Careful evaluation?

This set-up allowed Snowden to get "the files I wanted all neatly organized into folders" and later on, he assured that he "carefully evaluated every single document I disclosed to ensure that each was legitimately in the public interest". (p. 258)

Given the huge number of files that he handed over (the book says nothing about their exact number), it's hard to imagine that Snowden was able to evaluate them as careful as he said. In his memoir he already admits how complicated this was:
"Sometimes I'd find a program with a recognizable name, but without an explanation of what it did. Other times I'd just find a nameless explanation, with no indication as to whether the capability it described was an active program or an aspirational desire. I was running up against compartments within compartments, caveats within caveats, suites within suites, programs within programs" (p. 217)

Apparently it was as difficult for Snowden as it was for the journalists to make sense out of these never-before-seen documents, but with the difference that Snowden had less than a year to study them part-time, while a dozen of journalists and their assistants have worked on them for over five years and may still haven't solved all the puzzles.

Even in his hotel room in Hong Kong, in the week before he would meet Greenwald and Poitras, Snowden was sorting his archive, and in order to make it as comprehensive as possible for nontechnical people he also put together dictionairies and glossaries of abbreviations like CCE, CSS, DNI and NOFORN. (p. 288-289)

All these efforts didn't prevent mistakes in the early press reportings, like for example that NSA had "direct access" to the servers of Facebook, Google, and other internet companies. The misinterpretation of the BOUNDLESSINFORMANT slides was another major case that made clear that both Snowden and the journalists lacked enough information about this tool.

When in April 2015, John Oliver expressly asked whether he really had read every single document, Snowden eventually backed down from his original statement saying "Well, I do understand what I turned over" and slowly conceded that his actions carried dangers regardless of his own intentions or competence.

The Rubik's Cube

The next step in exfiltrating the files was getting them out of the Kunia Tunnel complex. Taking pictures with a smartphone wasn't an option, so Snowden decided to copy them onto mini- and micro-SD cards. They have so little metal in them that they will hardly trigger metal detectors, but are extremely slow to write: it can take up to 8 hours to fill a single card. (p. 258-259)

This had to be repeated multiple times and so Snowden sneaked the SD cards past the security checks in different ways: in his sock, in his cheek (so he could swallow it if needed) and at the bottom of his pocket. He doesn't confirm or deny whether he also used a Rubik's Cube to hide an SD card, or that the cube was just used to distract the guards. (p. 259)

Oliver Stone's film Snowden showing how an SD card was hidden in a Rubik's Cube
(screenshot from Snowden - click to enlarge)

At home, Snowden transferred the files from the SD cards to a larger storage device and secured them with multiple layers and different methods of encryption. Altogether, the documents fitted on a single drive, which he left out in the open on his desk at his home, confident that they were protected by the encryption. (p. 262-263)

Handing over the files

On December 1, 2012 Snowden first contacted columnist Glenn Greenwald, but when it proved to be difficult for him to set up an encrypted communications channel, Snowden contacted film maker Laura Poitras on January 13, 2013, after he had received her public key through Micah Lee from the Electronic Frontier Foundation. (p. 250-253)

It's not clear when Snowden sent Poitras the first set of documents that she showed to Greenwald on their flight to Hong Kong.* Eventually, they each received a copy of the full archive when they met Snowden on June 2/3 at his room in the Mira Hotel.

An intriguing story that's not in Permanent Record, but was told in Harper's Magazine from May 2017 is that already on May 10, 2013, Snowden had sent (encrypted) backup copies of the NSA files in postal packages to Jessica Bruder in New York, to Trevor Timm of the Freedom of the Press Foundation, to one person who wants to remain anonymous, and to one unknown person.

In his book, Snowden tries to explain how thoroughly he secured his own archive of NSA documents (through some kind of key distribution scheme), but how about the keys for what was in these packages? And what has happened to the packages?


Infrastructure analyst at the NSA in Hawaii

On March 30, 2013, Edward Snowden had started a new job as an infrastructure analyst for intelligence contractor Booz Allen Hamilton (BAH) at the NSA/CSS Threat Operations Center (NTOC) of NSA Hawaii.

NTOC is a watch center that provides real-time network monitoring and cyber defense capabilities and is located in the NSA's new Joseph J. Rochefort Building (nicknamed "Roach Fort" or "The Roach"), which was officially opened in January 2012.

The Joseph J. Rochefort Building of NSA/CSS Hawaii near Wahiawa in Honolulu
where Snowden worked from mid-April to mid-May 2013.
(still from CBS News - click to enlarge)

There are different versions of the reason why Snowden took this new job. In his memoir he says that after reading about all those NSA programs, systems and tools, his final desire was to see how they were operated by the analysts who take the actual targeting decisions: "Was there anyone this machine could not surveil?" (p. 275-276)

He was especially interested in the XKEYSCORE system, which would later be presented as the NSA's "widest-ranging tool, used to search nearly everything a user does on the Internet". The Booz Allen job as an infrastructure analyst allowed him to work with XKEYSCORE to monitor suspicious activities of hostile cyber actors on the infrastructure of the internet. (p. 277)

Dual-hat authority

Another and more specific reason was given in an interview from June 24, 2013 with the South China Morning Post (SCMP) in which Snowden said that he took the new job because: "My position with Booz Allen Hamilton granted me access to lists of machines all over the world the NSA hacked".

Later, Snowden explained that in his opinion "we’ve crossed lines. We're hacking [Chinese] universities and hospitals and wholly civilian infrastructure rather than actual government targets and military targets." It was to get access to this kind of information that he took the new job, which "gave him rare dual-hat authority covering both domestic and foreign intercept capabilities".

That "dual-hat" also allowed Snowden to find out whether "vast amounts of US communications were being intercepted and stored without a warrant, without any requirement for criminal suspicion, probable cause, or individual designation."

In his new job he continued copying internal NSA documents (maybe he could still use his previous sysadmin priviliges?), but to actually exfiltrate them, he had to return after hours to his old desk with the thin-on-thick computer at the Kunia Tunnel - according to the HPSCI-report.

By-catch conversations

According to Greenwald's book No Place to Hide, Snowden had an even bigger goal in mind when he applied for the job as an infrastructure analyst: the raw surveillance repositories of the NSA. "He took a pay cut to get that job, as it gave him access to download the final set of files he felt he needed to complete the picture of NSA spying."

He succeeded and handed the files over to Barton Gellman from The Washington Post, which in July 2014 reported on these ca. 22,000 collection reports from 2009 to 2012, which contained roughly 160,000 intercepted e-mails and instant-messages. Analysis showed that they came from more than 11,000 accounts, while 9 out of 10 account holders were not the intended targets and nearly half of them Americans.

These online conversations were intercepted through PRISM and Upstream, which is targeted collection, but in Snowden's view it clearly crossed the line of proportionality. In The Post he said that such a "continued storage of data of innocent bystanders in government databases is both troubling and dangerous. Who knows how that information will be used in the future?"

The future danger is largely mitigated by the limited retention period of up to 5 years, but the fact that even this targeted collection leads to such a large amount of by-catch is one of the most problematic aspects of the NSA's operations. Therefore it's puzzling that Snowden doesn't mention this issue at all in his book, especially because The Washington Post's report is not widely known.

Witnessing abuses?

Before starting his new job, Snowden first had to attend a two-week training course at NSA headquarters. There, and during "the short stint I put in at Booz back in Hawaii, were the only times I saw, firsthand, the abuses actually being committed that I'd previously read about in internal documentation." (p. 279)

Here, one expects an explanation of these abuses, but as we will see, Snowden only presents some minor cases in which the NSA's collection system was misused by individual analysts, which doesn't even come close to an organization "in which malfeasance has become so structural as to be a matter not of any particular initiative, but of an ideology" as Snowden puts it. (p. 235)


It's allegedly XKEYSCORE that enables these abuses, but it remains unclear whether Snowden actually has a good understanding of how this system works. At least his descriptions in the book are incomplete and misleading.

He says that by studying the technical specs he found out that XKEYSCORE works "by 'packetizing' and 'sessionizing,' or cutting up the data of a users' online sessions into manageable packets for analysis" - actually, 'sessionizing' means that the small IP packets in which internet communications travel are reassembled into a their original format for further analysis. (p. 278-279)

Diagram showing the dataflow for the DeepDive version of XKEYSCORE

Snowden describes the back end of XKEYSCORE as "an interface that allows you to type in pretty much anyone's address, telephone number, or IP address, and then basically go through the recent history of their online activity." He then says that he would have been able to type in the names of the NSA director or the US president. (p. 279)

He already claimed having such an "authority" in his very first video appearance on June 9, 2013, but afterwards, Glenn Greenwald had to admit that although such searches would not be legally permitted, they were technically possible.

The technical possibilities however are limited too, because in order to retrieve communications via XKEYSCORE, the NSA first has to have physical access to communication links that contain the target's traffic. Therefore it's definitely not the case that "Everyone's communications were in the system" as Snowden says. (p. 279)

What Snowden doesn't tell us is that the actual purpose of XKEYSCORE, and its unique capability, is finding files which are not associated with specific selectors so analysts can trace targets who are using the internet anonymously.

Intimate images

Snowden assumes that none of his new colleagues intended to abuse XKEYSCORE's capabilities, but if they would, then for personal rather than professional reasons. This led to what he calls "the practice known as LOVEINT [...] in which analysts used the agency's programs to surveil their current and former lovers". (p. 280)

It's rather exaggerated to call this a practice because in 2013, NSA Inspector General George Ellard reported that since January 2003, there had been 12 instances of intentional misuse of NSA collection systems. Of these 12 cases, only 8 involved current or past lovers or spouses, most of them foreigners and which were brought to light either through auditing controls or self-reporting.

Apparently more often, male analysts alerted each other of nude photos they found among target communications, "at least as long as there weren't any women around" - which may be one of the reasons that the NSA has adopted a strong diversity policy. (p. 280)

Snowden on the other hand was most touched by "the family stuff" and recalls how he saw a webcam recording of a little boy sitting in the lap of his father, an Indonesian engineer who had applied for a job at a research university in Iran "that was suspected of being related to a nuclear program or a cyberattack" and therefore became of interest to the NSA. (p. 281-282)

As unprofessional as some of his colleagues were by sharing nudes, Snowden seems to have had difficulty to keep a professional distance from his targets. The video with the boy reminded him so much of his own father that he, almost in shock, realized that he would probably never see his family again. (p. 282)

Daniel K. Inouye International Airport in Honolulu, Hawaii
(photo: hellochris/Wikimedia Commons - click to enlarge)

Leaving NSA Hawaii

In the weeks before leaving to Hong Kong, Snowden copied the last set of documents he intended to disclose and tried to decide in which country it would be best to meet Poitras and Greenwald. With Russia and China out of bounds, the elimination process left him with Hong Kong. (p. 283-284)

The final preparations he made "were those of a man about to die". He told his supervisor at Booz Allen that he needed a leave of absence of a couple of weeks for epilepsy treatment on the US mainland and he left his girlfriend a note saying that he was called away for work. (p. 283-284)

Then Snowden packed some luggage, including several thumb drives full of NSA documents, and four laptops: one for secure communications, one for normal communications, a decoy and one that he kept "airgapped". He left his smartphone at home, went to the airport and bought a ticket in cash for the next flight to Tokyo. There, he bought another ticket in cash and arrived in Hong Kong on May 20, 2013. (p. 285)

> To be continued!

Links & sources

- Le Monde: Bug Brother: Pourquoi je préfère la BD sur Snowden à son autobiographie (Dec. 18, 2019)
- Emptywheel: Snowden Needs a Better Public Interest Defense, Part I - Part II (Nov.-Dec. 2019)
- Rolf's Blog: Review of Ed Snowden's "Permanent Record" (Oct. 10, 2019)
- The New York Review of Books: Snowden in the Labyrinth (Oct. 2019)
- Matthew Green: Looking back at the Snowden revelations (Sept. 24, 2019)
- The New Yorker: Edward Snowden and the Rise of Whistle-Blower Culture (Sept. 23, 2019)
- The New Republic: Edward Snowden's Novel Makeover (Sept. 17, 2019)
- Wired: After 6 Years in Exile, Edward Snowden Explains Himself (Sept. 16, 2019)
- The Guardian: Interview by Ewen MacAskill (Sept. 13, 2019)
- Der Spiegel: 'If I Happen to Fall out of a Window, You Can Be Sure I Was Pushed' (Sept. 13, 2019)
- House Permanent Select Committee on Intelligence: Review of the Unauthorized Disclosures of Former National Securitty Agency Contractor Edward Snowden (Sept. 15, 2016)
- Wired: Edward Snowden: The Untold Story (Aug. 2014)
- Vanity Fair: The Snowden Saga: A Shadowland of Secrets and Light (May 2014)

November 20, 2019

Leaked report reveals security risks at the Austrian security service BVT

(Updated: November 22, 2019)

A classified report that was published by an Austrian newspaper has revealed a range of security risks at the Austrian security service BVT, especially regarding its internal computer network.

The classified report was prepared by an investigation team from the SOTERIA group of the secretive Club of Berne, a cooperation platform in which almost all European domestic security services collaborate.


Austria's security service BVT

The Austrian security service is officially called Office for the Protection of the Constitution and Counterterrorism (German: Bundesamt für Verfassungsschutz und Terrorismusbekämpfung or BVT) and was created in 2002 by merging the Austrian state police with various special task forces against terrorism and organized crime.

The BVT came into a crisis after on February 28, 2018 Austrian police forces raided its headquarters, seizing large amounts of data. In August 2018, The Washington Post reported that European security services didn't trust their Austrian counterpart anymore, apparently because the Austrian interior minister Herbert Kickl from the far-right FPÖ party was too close to the Russian government.

On November 6, 2018, an Austrian newspaper published a leaked document showing that the Finnish secret service didn't want to share counter-intelligence information with BVT. In April 2019 it was reported that British and Dutch agencies also heavily restricted their intelligence sharing with the BVT. Because of these concerns, the BVT's participation in the working groups of the Club of Bern was postponed.

The headquarters of the Austrian security service BVT at the Rennweg in Vienna
(photo: Tokfo/Wikimedia Commons - click to enlarge)

Club de Berne (CdB)

The Club of Berne (French: Club de Berne, or CdB) is an intelligence sharing forum for the domestic security services of the 28 states of the European Union (EU) plus Norway and Switzerland and is named after the Swiss city of Bern, where it was probably founded.

The Club started in 1971 with nine members and is based on voluntary exchange of information, best practices, experiences and views as well as discussing problems related to counter-intelligence, counter-proliferation and cyber threats.

After the attacks of 9/11, the Club of Berne created the Counter Terrorism Group (CTG) which is specifically aimed at counter-terrorism. Since July 2016, the CTG has a platform for the real-time sharing of information about terrorism suspects and there's also a database which makes information about foreign fighters more easily accessible. The Dutch secret service AIVD hosts a collaboration center where analysts from 23 of the 30 CTG members can share and analyse intelligence information.

The security assessment

Now, a classified internal report from the Club of Berne about the internal security of the BVT has been leaked to the press. It was published on November 11, 2019 on oe24.at, the website of the Austrian newspaper ÖSTERREICH. They seemed to have received a copy of the 25-page report from an intelligence expert.

This isn't the first leak of intelligence information in Austria. Hardly noticed outside the German-speaking world was that in 2015, the Austrian member of parliament Peter Pilz published a range of highly sensitive documents about operation Eikonal, a cooperation between the NSA and the German BND for tapping fiber-optic cables of Deutsche Telekom.

Front page of the Club of Berne's security assessment of BVT
(click to enlarge)

Club of Berne's coat of arms

First, the leaked report shows that the Club de Berne has its own coat of arms and that its SOTERIA group has its own logo - both are on the front page of the report.

The Club of Berne coat of arms has a latin cross in red, with in three of the four quarters nine white stars on a green background. The fourth quarter is a variation on the coat of arms of Bern, with a walking bear.

It's likely that the white stars stand for the members of the Club of Berne, which started with nine members in 1971. It's not clear why there are just 27 stars, whereas, as far as we know, the Club has 30 members.

SOTERIA group's logo

Next to the coat of arms is the logo of the SOTERIA group. As indicated by the circle in an ancient decorative pattern, this group is named after Soteria, the Greek goddess or spirit of safety and salvation, deliverance, and preservation from harm. As we will see below, the networks and databases of the Club of Berne also have names from Greek mythology.

Given the topic of the report, the SOTERIA group is apparently responsible for internal security of the Club. It may not have been the intention, but the coat of arms with the big red cross, especially in combination with the Soteria-logo actually look quite esoteric.

The assessment team

The inspection of the BVT was conducted by an assessment team that visited the BVT headquarters at Rennweg 93 in Vienna on February 13, 2019. The team consisted of the following members:
- Team Leader, from the British MI5
- Team Coordinator, also from the British MI5
- Personnel security expert, from the Swiss Federal Intelligence Service (FIS) and the German Federal Security Service BfV
- Cyber security expert, from the Latvian State Security Department VSD
- Physical security expert, again from the British MI5

Deficiencies of BVT's network

During their inspection, the assessment team found a remarkable number of deficiencies. The main risk was that the BVT had just one single computer network, which was not accredited to handle and store any level of classified information.

This internal network also had connections to the public internet, which not only raised a threat to its own classified information, but also to that from the Club of Berne and to classified information of the other members of the Club. This is shown in one of the diagrams from the security assessment report:

From this diagram we learn that the computer network of the Club of Berne is called POSEIDON and that members of the Club are connected to it in various ways:

- A Voice-over-IP (VoIP) and Video Teleconferencing (VTC) capability.

- A terminal for access to the NEPTUNE network, which is accredited for classified information up to Secret and "may be used for future communications with Club members". The terminal has no connections with other networks, but data may be transferred between the NEPTUNE network and the BVT's internal network using "USB over airgap". This implies a security risk, but according to the investigators, it was "carried out by the assigned personnel in compliance with established procedures."

- A terminal for access to the PHOENIX database of the Counter Terrorism Group (CTG), which, according to the diagram, is a stand-alone machine with no connections to the BVT's network.

- Finally, yet another stand-alone terminal for NEPTUNE "web services".

With at least three computer terminals for the network of the Club of Berne alone, one can imagine how many different terminals there must be at intelligence and security services that also participate in other intelligence sharing groups, like the SIGINT Seniors Europe (14-Eyes).

Three pages from the SOTERIA group security assessment of the BVT
(screenshots from oe24.at - click to enlarge)

Even more security risks

The security assessment report by the SOTERIA group identifies even more security risks. The BVT allowed its employees to take mobile phones or laptops in areas where classified information up to Secret is handled, so everyone could take photos of classified documents and bring them to the outside.

Another issue was that the BVT was using four antivirus programs and one of them was developed by the Russian company Kaspersky Lab. Other intelligence services, like those in the Netherlands, decided to remove this software from their systems already in May 2018, because the risk of espionage was deemed too high.

Regarding the personnel of the BVT, the assessment says: "The security vetting is repeated every three years and may theoretically result in the revocation of the security clearance. This has, however, never happened so far." Employees could also travel to countries with "aggressive intelligence organisations" without having to report that, something that is mandatory at many other agencies.

The headquarters building of the BVT was also not very well secured: although the windows on the ground floor were barred, those on the upper floors could be opened without triggering an alarm. This also applied to the fire exit doors. Finally, there are about 100 security cameras on the building, but there were only two officials to watch them on just two screens.

Security cameras at the BVT headquarters building
(screenshot from oe24.at)

Links & sources
- oe24.at: Wer trägt die Schuld am BVT-Chaos? (Nov. 19, 2019)
- oe24.at: Alarm: Verfassungsschutz BVT steht total blamiert da (Nov. 11, 2019)
- The Washington Post: Austria’s far-right ordered a raid on its own intelligence service. Now allies are freezing the country out. (Aug. 17, 2018)