More Cowbells: new NSA leaks reveal extent of spying

  • January 24, 2015

Surveillance & Security

New leaks from the NSA archive, seen exclusively by ROAR, reveal that even the Internet’s most basic architecture — the DNS database — is compromised.

This article was developed with thanks to technical analysis made by Christian Grothoff, Matthias Wachs, Monika Ermer and Jacob Appelbaum.

In the last few years we have been living a critical moment in the history of the Internet. The good old days, in which optimism was widespread among engineers and new technologies were considered a solution to the great problems of humanity, seem to have disappeared. Nowadays, the Internet has become a very lucrative spying machine, and many of those same engineers are fighting to preserve the most basic rights to privacy.

It’s mostly thanks to Edward Snowden and Wikileaks that we have caught a glimpse of the most obscure practices in the world of industrial-level spying, carried out by the National Security Agency (NSA) and its allies.

Under the pretense of fighting terrorism, these agencies now have direct access to the servers of the largest internet platforms like Facebook, Google, Apple and Yahoo; they are able to access, in their own words, “nearly everything a user does on the internet,” including email and social networking contents; and they pay tech companies to install back-doors and get access to encrypted communications and all of this without any legal restriction or judicial order.

The fact that, in addition to millions of unaware citizens, this technology has been used to spy on the Presidents of Mexico, Germany and Brazil, foreign embassies, state companies such as Petrobras and United Nations delegates sent a clear message: privacy in the virtual space we have come to live in has become an illusion. Nothing is private on the Internet, and there are powerful interests bent on keeping it that way.

Today, new leaks by Le Monde and the Associated Whistleblowing Press, seen exclusively by ROAR, demonstrate that even the fundamental architecture of the internet — the so-called Domain Name System or DNS — is compromised by the NSA and its allies.

DNS: from problem solver to problem

When you do something on the Internet, almost everything begins with a request to the Domain Name System. It is thanks to this fundamental protocol that users with no technical knowledge can access different services on the web by looking up names (such as instead of complex IP addresses (like 2001:DB8:4145::4242).

DNS was invented to solve a very basic usability issue of the newly born internet. With time it has become so widespread that it is used by virtually everybody to carry out their daily activities on the web. The system, built during the early 1980s, was never intended to preserve the user’s privacy: every DNS database is public and stores the contents of requests, their answers and user’s sensitive metadata (like information on duration, time and place of access) without any kind of encryption.

Given these critical vulnerabilities in this system, it is only natural that the big spy agencies like the NSA and its allies in the UK, Australia, Canada and New Zealand, are ahead of the pack to exploit them for their own benefit. Thanks to the new leaks, we now know exactly how.


DNS has always been an open book and MORECOWBELL is the program the NSA has developed exclusively to read it. As the leaked slides show, the system allows the agency to monitor the availability of sites and web services, changes in content and a wide array of metadata that can help it build complete profiles for targeted users. If necessary, it can even be used to find weak points for launching direct attacks.

Given the widespread use of DNS in the public internet, the implications of this program are huge, as it affects users on a global level. To achieve its goals, the MORECOWBELL program uses dedicated infrastructure camouflaged in different locations, including Malaysia, Germany and Denmark, besides 13 other countries that sustain their network of servers.

This distributed and secret network gives the NSA a series of strategic advantages. On the one hand, they have a global overview of DNS resolutions and the availability of services, and on the other, it makes it impossible to attribute the operation to the US government.

Monitoring the battlefield

This last point is particularly important, as MORECOWBELL can have a very practical application in war operations, particularly in what the NSA calls “Battle Damage Indicators.”

During war, communications, energy and computer networks are frequently targets. Thanks to MORECOWBELL, the US Government can have a real time estimation of the efficiency of the attack by having access to information on the availability of services in the region.

This method is a cheap, efficient and easily applicable tool for optimizing aerial attacks in zones of difficult access or visibility.

From the Internet to the internets

Even though the DNS community is conscious of the privacy issues described above, conflicting interests make it virtually impossible to come up with a consensus on the solution. On the one hand, modifying a system as widely distributed as DNS can result in major problems for the daily Internet use of billions of users. On the other, a change that seeks to solve these problems can clash head on with business models and powerful national interests.

As for now, there are many technical solutions, although none is completely satisfactory. Among them, and without going into detail, there is a query minimization proposal and other more or less radical projects like Confidential DNS, DNSCurve, GNU Name System or Namecoin, all of them with their strong and weak points.

In the end, however, any real solution has to pass through a high-level political barrier. We must understand that the internet is not a truly decentralized system. It has a clear owner: the United States. The Domain Name System and the general register for IP addresses, for instance, the two major databases that hold the global Internet in place, are both controlled by US institutions.

Because of this, and thanks to the reckless exploitation of the network as a spying machine, the trend towards an Internet divided according to national interests is accelerating. In the future there might not be one Internet, but many strategically separated internets.

Something similar is already a reality in countries like China and Iran, which have isolated their networks in order to control the flow of information and exercise censorship according to their own specific interests.

Towards greater decentralization

However, since the Snowden revelations caused a huge stir in international politics, the debate has opened up completely. “Brazil is in favor of greater decentralization: Internet governance must be multilateral and multisectoral with a broader participation,” Communications Minister Paulo Bernardo told a congressional panel in 2013, and other BRICS countries such as Russia have openly declared that they will start laying their own fiber optic cables.

At the same time, Germany has proposed a closed system that protects European communications roughly along the lines of the Schengen agreement. Their argument is very logical: why does an email sent from Berlin to Paris have to pass through New York or London?

This trend towards greater decentralization clearly goes against the interests of the United States, which is why the US government is fighting hard and on many fronts to oppose it. In this sense, the future remains unclear.

What we do know, however, is that as long as the Internet is still using the same outdated architecture and protocols, without a movement to decentralize and guarantee user privacy, it will continue to be used as a tool for surveillance and indiscriminate control for political, economical and military dominance.

Help sustain ROAR Magazine

Print issues released quarterly.

Associated Whistleblowing Press

The Associated Whistleblowing Press is a non-profit organization dedicated to the defense of human rights by promoting transparency, freedom of information and speech, whistleblowing and investigative journalism. AWP is conceived as a global network made up of cooperative local platforms and actors.

More >

Source URL —

Further reading


The City Rises

Read now

Magazine — Issue 6