Skip Navigation

Rethinking Intelligence: Interview with Babak Pasdar

Babak Pasdar, President and CEO of Bat Blue Networks, is an information technology security expert. In 2008 Pasdar reported his discovery of an unrestricted portal into a major telecommunications company’s data network to Congress.

Published: August 19, 2014

Inter­view Tran­script

Babak Pasdar, Pres­id­ent and CEO of Bat Blue Networks, is an inform­a­tion tech­no­logy secur­ity expert. Pasdar holds five network and secur­ity patents and is certi­fied by the Inter­na­tional Coun­cil of E-Commerce Consult­ants as an “ethical hacker.” In 2008 Pasdar repor­ted his discov­ery of an unres­tric­ted portal into a major tele­com­mu­nic­a­tions company’s data network to Congress.

Mike German, a Fellow at the Bren­nan Center for Justice at NYU Law School, inter­viewed Babak Pasdar on August 19, 2014. The follow­ing is an edited tran­script of that inter­view.

Q: Hi, my name is Mike German. I’m a Fellow with the Bren­nan Center for Justice at NYU Law School and today I’m with Babak Pasdar. Babak is the pres­id­ent and CEO of Bat Blue Networks. He’s been a network secur­ity expert for twenty-five years and a tech­no­lo­gist. You’re a certi­fied ethical hacker and you have five network secur­ity patents. In 2003 you were hired to help upgrade the data networks, the mobile data networks, of a major tele­com­mu­nic­a­tions provider. Why don’t you tell us what happened?

PASDAR: Sure, Veri­zon Wire­less hired me and my team to do some rapid deploy­ment upgrades for some of their secur­ity infra­struc­ture. They were rolling out the camera phones that we’ve all come to know and love, and the infra­struc­ture they had could not support the projec­ted usage. So they hired us to, on a rapid basis, upgrade their infra­struc­ture to facil­it­ate the use of the camera phones. It was during that time when we were doing the upgrade to the secur­ity infra­struc­ture, where I discovered what came to be known as the Quantico Circuit. And for myself, I treated it just like any other element of connectiv­ity into the carrier; I wanted to secure it by imple­ment­ing controls around it and imple­ment­ing visib­il­ity, so there would be a record of the commu­nic­a­tions that would traverse this connec­tion. And…

Q: So this was a circuit that connec­ted into what, exactly?

PASDAR: Into a third party, as far as I know. Now, the termin­a­tion point I, it’s not known to me. But what was very unusual about that partic­u­lar circuit was that, whereas all the other points of entry and egress into that carri­er’s data center were controlled, there were controls around it and there was logging around it. That partic­u­lar circuit they recog­nized as the Quantico Circuit had no controls and no mean­ing­ful logging around it. And when I went to imple­ment the controls and logging to have it adhere to the carri­er’s secur­ity policy and secur­ity stand­ards, there was a lot of resist­ance from the carri­ers all the way up to the Director of Secur­ity for the carrier whom I repor­ted to.

Q: So this is basic­ally an open portal that some third party has into the company’s data. What type of inform­a­tion is, or would be, avail­able through that portal?

PASDAR: Sure. It was a completely open portal; there was over­tures of logging that they made to make it appear as though they were logging, though the system they were send­ing logs to was so over­whelmed. Just by nature of how logging func­tions, if you don’t collect it the first time it’s gener­ated, it’s lost forever. So I would say, easily based on the metrics that we took, 75–80% of the logs gener­ated were lost. So, they imple­men­ted the appear­ances of logging, though there was noth­ing mean­ing­ful there. To answer your ques­tion more directly, the type of content it would have access to was the entirety of the carri­er’s data center infra­struc­ture. It included customer records, data, all inter­net commu­nic­a­tions, emails, brows­ing, text messages, and most import­antly, it also included the carri­er’s fraud detec­tion system. And it seems benign on the surface, but what the fraud detec­tion system does is track all mobile devices by geography. And if, for example, you make a call and you’re in New York, and then twenty minutes later you make a call from the same mobile number, the ESN number, from let’s say, Phoenix, Arizona, it would deem one of those fraud­u­lent and it would trig­ger an alert. So the fraud detec­tion system actu­ally had access to track indi­vidual users of the phone. So it had access to all of it. Essen­tially, it had access to the entirety of the carri­er’s crit­ical infra­struc­ture. And it was even odder to have some third party that is unknown have zero controls, zero loggings, and zero visib­il­ity into the entirety of a carri­er’s system.

Q: And you’re there to help them improve their secur­ity. So what is this type of a portal do to the secur­ity of all those… all that data?

PASDAR: Completely under­mines it. You cannot be half secure, just like you can’t be half preg­nant. You have to imple­ment secur­ity broadly and consist­ently across the board. You can’t select­ively say, "Some third party can have completely unfettered access into my envir­on­ment versus other third parties can only have limited access based on their specific rights that are assigned. So it flew against the secur­ity policies that the organ­iz­a­tion had for them­selves.

Q: So, for all the custom­ers of this company, the secur­ity of their inform­a­tion is comprom­ised by this access.

PASDAR: Abso­lutely. And, you know, there a term in our industry called carrier grade. Carrier grade means the highest perform­ing, most resi­li­ent, most secure plat­form. Thereby carri­ers use it because there’s such a depend­ence on crit­ical infra­struc­ture. Carrier grade is both a tech­no­logy rating as well as an approach. And the approach by no means met the, or even come close to the term, carrier grade.

Q: And when there is this sort of a vulner­ab­il­ity, I mean, even if the company trus­ted this third party 100%, there could be bad actors within that entity or could other hack­ers exploit that avenue into the data center?

PASDAR: So, from a secur­ity stand­point, there is no 100% trust. Nobody. You don’t even trust your own employ­ees or your own CEO 100%. You imple­ment controls, based on what their require­ments are to perform their job and you always imple­ment logging. You always imple­ment visib­il­ity elements that you can go back and refer­ence to determ­ine what was actu­ally done. So from a secur­ity stand­point, there’s never a 100% trust scen­ario- as was the case with the Quantico Circuit.

Q: And again, you’re hired to improve their secur­ity. Did you or others work­ing there feel like they could­n’t talk about this Quantico Circuit?

PASDAR: The others… the others abso­lutely did not feel that they could talk about it; they got very squir­relly. I saw lots of glances back and forth and we were, you know, when you work with a group of people and you spend so many late nights togeth­er… It’s one of those projects, there’s quite a degree of open­ness that comes along with it where you rely on each other to deliver on the success of the project. And the dynamic and the mood of the situ­ation completely changed when I insisted that we had to adhere to the secur­ity policy and I had to adhere to my mandate- even though they told me that, “Hey! Move on! Don’t worry about this one! Move on!” And it was just not some­thing I could do. And as I invest­ig­ated it further and further and as I pushed the issue further, the Director of Secur­ity actu­ally got in his car and drove to the data center, which was an incred­ibly. incred­ibly unpre­ced­en­ted move to point his finger in my face and tell me that if I could­n’t take his direc­tion then he would find some­body who would.

Q: And, ulti­mately in 2008, you came forward and repor­ted this to Congress and the public, so that they could under­stand more about it. Now, because of, years later, a differ­ent concerned insider, Edward Snowden, we now know a lot more about what the govern­ment has been doing. Given that you know a lot more about what the govern­ment’s been doing in this space, does that give you some perspect­ive on what you think this Quantico Circuit was?

PASDAR: It does. I could only come to the same conclu­sions as every­body else. Ulti­mately, my focus was to report the facts as I knew them and under­stood them. And you know, it’s up to I guess, folks smarter than I am, and with a greater level of access than I, to determ­ine what the conclu­sions were. But Edward Snowden seemed to really valid­ate a lot of the concerns that a lot of citizens had, espe­cially with regard to this Quantico Circuit issue and other programs.

Q: And, of course, a lot of people have criti­cized Snowden for coming public with this. But based on your exper­i­ence, is there a way to work inside to get these issues resolved? Or does it need that kind of public disclos­ure?

PASDAR: So, I can’t speak from personal exper­i­ence, but I can speak from the perspect­ive of having listened to a lot of other folks who tried to work within the system. The system does not seem to be very inter­ested in getting feed­back and getting criti­cism. And it seems to be overt about its desire to punish people who just don’t toe the line, regard­less of if it was right or wrong. So from that perspect­ive, I would say that Ed Snowden had to take some extreme meas­ures because other folks who had tried to oper­ate within the system got quite a shel­lack­ing, both profes­sion­ally and in terms of their personal lives. And certainly Ed Snowden, it didn’t fall far from that tree, you know? He certainly is the subject of lots of shel­lack­ing. But, the one thing I can speak from personal exper­i­ence with is that, you know, it’s so easy for some­body that has not gone through this exer­cise to say, “Well, they should’ve done this…” or "They should’ve done that." But once you make a disclos­ure, what happens to that data, what happens to the machinery that’s set in motion is completely outside of some­body’s control. I know it was for me. I made a disclos­ure to folks that repres­en­ted them­selves to be my attor­neys prior to find­ing the Govern­ment Account­ab­il­ity Project, and the very next day they took my inform­a­tion and filed a $233,000,000,000 lawsuit with my disclos­ure as a John Doe anonym­ous disclos­ure. So, you know, I’m not sure if Ed Snowden really had the means to control what happened to the inform­a­tion once he disclosed it, but I’m sure he felt that he was compelled to disclose it. And I can opine that it’s a lot easier for the NSA and the govern­ment agen­cies to create new systems than it is for us to go back and try to undo the preced­ent that was set from a Consti­tu­tional perspect­ive. So as it relates to that, I have to support him and I think the guy was incred­ibly brave to do what he did. Right or wrong, it took a lot of guts to do what he did.

Q: And in your own exper­i­ence, I mean you felt it was neces­sary for the public to know about what you knew?

PASDAR: Abso­lutely!

Q: And… because that’s… why did you think it was so import­ant for the public to know?

PASDAR:  For some of the very same reas­ons I just said. It’s a lot easier for the govern­ment to create new systems than it is for us to go back and try to take back Consti­tu­tional powers. You know, part of the chal­lenge is that we’re in a very unique time in the coun­try’s life, in that previ­ously, tech­no­logy could not do what it did. We did not have the tech­no­lo­gical resources to oper­ate in this fash­ion, and that was a little bit of a safety mech­an­ism for the Consti­tu­tion. But, you know, now that we have these tech­no­lo­gical capab­il­it­ies, we have to make sure we enforce what is consti­tu­tion­ally appro­pri­ate, and not let tech­no­logy get ahead of the Consti­tu­tion. And that’s one of the main reas­ons I did this. Because previ­ously we had the concept, from a tech­no­logy perspect­ive, we called it biolo­gical over­load, right? People could not absorb enough inform­a­tion in order to effec­tu­ate such a broad and sweep­ing level of access that the NSA and some of these govern­ment agen­cies have over citizens. But now they do. And it’s really, really import­ant that they learn how to oper­ate within the bound­ar­ies of the Consti­tu­tion.

Q: One of the other things that we’ve learned that the NSA was doing was going out and under­min­ing encryp­tion stand­ards, and even work­ing with some US compan­ies to insert back­doors in soft­ware and even hard­ware. What does under­min­ing encryp­tion do for cyber secur­ity writ large?

PASDAR: It’s troub­ling, to say the least. And it was a concern I always had, you know? A few years ago, they did a compet­it­ive analysis of vari­ous encryp­tion stand­ards and Rijndael stand­ard was selec­ted. And then some­thing was modi­fied where it became an advanced encryp­tion stand­ard. And it made me very suspi­cious. I’m not sure exactly what was modi­fied in the code, but certainly some of the ciphers they have in there are, you know, they are able to decrypt on the fly and… And they’re also, by the way, they’re also lever­aging tech­no­lo­gies and devel­op­ing tech­no­lo­gies that let them have access to encryp­ted commu­nic­a­tions without having to decrypt it by read­ing spaces in between commu­nic­a­tions and things to that effect. So it’s troub­ling. It’s troub­ling that they would inter­cept hard­ware and they would plant spyware into equip­ment. And you know, it’s… and folks like RSA- RSA, the organ­iz­a­tion- to comply with them and to do some­thing illegal like that is, uh, it just really speaks to the moral­ity of the organ­iz­a­tion, and how little they care about the integ­rity of their custom­ers’ data and the privacy of the custom­ers’ commu­nic­a­tion that they portray they’re commit­ted to uphold. So it’s very, very troub­ling and it’s a very overt and aggress­ive act – this is not a defens­ive posture. They’re not func­tion­ing as a “Blue Team.” Blue Teams are folks that are charged with defend­ing the integ­rity, and the privacy, and the avail­ab­il­ity of systems and data. That’s a very overt and aggress­ive act and it really under­mines all our…all of the integ­rity of the commu­nic­a­tions that’s out there.

Q: And of course, we… anybody with a computer knows that there are bad actors out there. There are hack­ers, there are virus creat­ors, there are all sorts of differ­ent people who would want to intrude into your system to steal data. When a govern­ment secur­ity agency… a national secur­ity agency, is actu­ally under­min­ing cyber­se­cur­ity, how does that chal­lenge the abil­ity of all of us to protect ourselves?

PASDAR: Well… Look, if they’ve got access to it then, there’s a lot of smart guys out there, you know? The NSA does­n’t, you know, have the only smart folks out there. So when they weaken stand­ards, it weak­ens the integ­rity of all inter­net commu­nic­a­tions, it weak­ens the integ­rity of all elec­tronic commu­nic­a­tions. So if they have access to it, chances are some­body else will get access to it. And when you look at the way that organ­iz­a­tions and people oper­ate, they don’t upgrade, they don’t adhere to the latest patches. So it really opens up a whole Pandora’s Box in terms of you know, access to vulner­able systems, vulner­able commu­nic­a­tions, and to folks that put their lives on the line, rely­ing on encryp­tion- to students in Iran, or the folks that are in Egypt that are look­ing to have the same type of free­dom that we have, these guys are rely­ing on that encryp­tion stand­ard with their lives. And it’s unfor­tu­nate that, you know, it could be that the very same organ­iz­a­tions they’re concerned about would have access to all those commu­nic­a­tions and not so good things could happen to them.

Q: So, as a US tech­no­logy company owner actu­ally work­ing in this field, what have these revel­a­tions about the NSA’s activ­it­ies done to the US tech­no­logy market? Or, are we even start­ing to feel that impact?

PASDAR: Well, there’s been a huge trans­ition to the cloud and a lot of organ­iz­a­tions want to move to the cloud because there’s a lot bene­fits that go along with it. But, it has had a chilling effect on busi­ness. And it’s had a very specific chilling effect on tech­no­logy in the US. US has always been the cent­ral hub of tech­no­logy, and we’re start­ing to see a lot of organ­iz­a­tions talk­ing about moving their cloud infra­struc­ture, or moving their data into Europe or other coun­tries that don’t have such a troub­ling history with privacy and integ­rity. And it’s a shame because the cloud market was slated to grow from $131,000,000,000 to $677,000,000,000 by 2016. I’m not sure what all of these revel­a­tions in terms of dollar impact have had on it, but I would imagine there have been some organ­iz­a­tions that have decided not to oper­ate in the US. 59% of that number was supposed to oper­ate in the US, and I’m sure some organ­iz­a­tions have decided not to oper­ate in the US. Some have been very public about it.

Q: Right. So these negat­ive consequences of the NSA’s activ­it­ies- both the negat­ive impact on secur­ity that they create, obvi­ously the negat­ive impact on privacy and the negat­ive impact on the US economy, these were fore­see­able, right? Anybody could’ve sat down with a little bit of time and said, you know, "What possible harm could come from this activ­ity?” Obvi­ously, the NSA had some interest in gain­ing access to commu­nic­a­tions but what are the rami­fic­a­tions of that? Would­n’t you expect an agency that’s an intel­li­gence agency to incor­por­ate those possible negat­ive outcomes into their decision to engage in this type of activ­ity?

PASDAR: So, I think you’re right on. When you erode the integ­rity of the stand­ards, you erode confid­ence, and when you erode confid­ence, it has an impact on the economy. I can’t get into their mind, but I would imagine that there is a mind­set of, “We need to achieve our object­ive at all costs,” and, you know, this is my opin­ion on this. So unfor­tu­nately I think there’s a little bit of a tunnel vision. But person­ally, what concerns me more than some­body blow­ing up a bus in the US is the Consti­tu­tion being under­mined. I think that’s far, far more damaging. It becomes an irre­cov­er­able act compared to some­body that does not like us and wants to do some­thing phys­ical to us. So, you’re abso­lutely right: no act of terror­ism can really under­mine confid­ence the way you know, under­min­ing the Consti­tu­tion, the way under­min­ing the integ­rity of the systems and tools that we would use, would have.

Q: And there’s also some indic­a­tion that the NSA has sort of two roles: one, it’s a part of the Depart­ment of Defense. It’s a milit­ary organ­iz­a­tion, so it actu­ally has offens­ive activ­it­ies that it’s involved in. What kind of an example does the NSA set for the rest of the world when it’s engaged in those kinds of offens­ive tactics?

PASDAR: I think this is some­thing that every­body’s learn­ing as we go along. Inter­est­ingly enough, as part of what we do, we act in a defens­ive way on behalf of our custom­ers in protect­ing their systems, in protect­ing the integ­rity of their data, the avail­ab­il­ity of their systems, and privacy of their data. And we’re seeing that there’s a big battle going on, and there are three types of actors out there. There are the hackt­iv­ists that are very ideo­lo­gic­ally driven, there are the finan­cial hack­ers who are very motiv­ated by empty­ing your bank account, and then there are the nation­al­ized actors. It’s very, very diffi­cult to tell who is doing what out there because of the nature of hack­ing, and how it could be made to look like some­body’s coming from one coun­try when they’re actu­ally some­where else. So we’re not sure what that offens­ive capab­il­ity is doing in terms of impact. There’s a lot of offens­ive stuff going on. We just recently found out that the Brit­ish were using a tech­no­logy called Hacienda to scan almost every computer out there; it’s an incred­ibly large-scale scan­ner that would let them know what’s out there and who’s out there and who’s doing what, perhaps even what the applic­a­tions are. So, there’s a lot of stuff like that going on, and a lot of these govern­ments are homestead­ing in terms of trying to get their cyber legs under them.

Q: Is there a built-in conflict of interest for the NSA to be doing both defens­ive cyber­se­cur­ity and offens­ive cyber­at­tacks?

PASDAR: Well, I would imagine that what they’re doing is trying to figure out what their tools are and what their arsenal is. And just based on the dynamic threat land­scape that we’re deal­ing with, they’re prob­ably test­ing out tools that you know, you can buy a rifle and that rifle has a life of quite a few years; but when you find an exploit, when you find an offens­ive capab­il­ity, that offens­ive capab­il­ity has a life of weeks or months. So I would imagine that’s what they’re doing. It’s tough for me to comment on what they’re doing versus what they’re not doing because I’m not really privy to what their offens­ive capab­il­it­ies are, and some of the approaches they’re taking. I do find that it’s prob­ably illegal and overly aggress­ive to kind of put spyware in inter­cep­ted hard­ware, but a lot of this is tough to know what they’re doing and what they’re not doing and how legit­im­ate it is, or not…

Q: And obvi­ously, we know a lot more now because of leaks; not because of the over­sight systems that are built in. Obvi­ously, you went to Congress trying to expose some of the prob­lems that are being created by the activ­it­ies that these agen­cies are involved in. What do you think of the over­sight in your exper­i­ence with Congress?

PASDAR: It’s a joke. There is no over­sight. You have agen­cies with unlim­ited budgets and no over­sight – it sets a danger­ous preced­ent.

Q: Okay.  As you said, moving to the cloud is the future, and there are all sorts of economic bene­fits that will be real­ized from that, but people won’t do it if they don’t feel their data will be protec­ted in that envir­on­ment. How can we, as a community, try to protect that inform­a­tion better?

PASDAR: You know, I could talk about the stand­ard commer­cial ways of doing that. Part of the chal­lenge is that when the integ­rity of your data can be under­mined with a national secur­ity letter, it becomes extremely diffi­cult. You know, folks that were deman­ded to have their encryp­tion keys handed over, and things to that effect. It’s very, very diffi­cult to do anything other than make sure you’ve got over­sight, and make sure there’s not over­reach.

Q: And chan­ging the laws, perhaps… that protect our privacy?

PASDAR: It… yeah, but I think it’s tough to hold your breath wait­ing for Congress to act on some­thing, but yeah, it really does require a differ­ent perspect­ive on what the agen­cies’ roles are and what’s legit­im­ate and what’s not.

Q: Okay. If some­body wanted to learn more about cyber­se­cur­ity and the nature of the threat today, even the threat from our own National Secur­ity Agency, and intel­li­gence agen­cies, what would you suggest they would read? Is there a partic­u­lar blog, or books that you think really get to the point?

PASDAR: Well, I think it’s import­ant not to promote anybody, but I think there are a lot of legit­im­ate journ­al­ists out there that have a very tempered approach to this, that actu­ally conduct legit­im­ate journ­al­ism to invest­ig­ate and present their inform­a­tion; I would point to them.

Q: And who among the journ­al­ists?

PASDAR: Well, I don’t want to get into any names.

Q: Okay.

PASDAR: You know, there’s quite a few of them out there. Obvi­ously, from a public­a­tion stand­point, WIRED Magazine has always been very good with regard to that. The Guard­ian has been very good with regard to that. I would encour­age people to look at the Govern­ment Account­ab­il­ity Project website, and some of the things that they’re deal­ing with. I think that would offer some insight into some of what’s happen­ing. And I would encour­age people to look at some of the public disclos­ures of whis­tleblowers that have come out and some of the sacri­fices that the whis­tleblowers have made in order to get that inform­a­tion out. From a tech­no­logy perspect­ive, I think it’s crit­ic­ally import­ant that people be as educated as possible, though it’s extremely, extremely hard to get good inform­a­tion, espe­cially amongst all the, you know, pardon the expres­sion – fluff – that’s out there about the cloud, right? So, there are a lot of folks out there talk­ing about it, but not all of it is mean­ing­ful or substant­ive.

Q: And as far as inform­a­tion from the govern­ment agen­cies them­selves, obvi­ously they’ve been out speak­ing in public about the programs and the nature of the work they’re doing. How reli­able do you think the things that they’ve been saying publicly are?

PASDAR: To be honest with you, Mike, I just ignore it. I don’t know if there’s any amount of faith or trust I have in anything they say publicly.

Q: Okay. Was there anything I forgot to ask you?

PASDAR: No, I think you got it.

Q: Okay, great. Babak, I really appre­ci­ate your time.

PASDAR: Oh, my pleas­ure.

Q: Thanks a lot.