Silk Road forums

The theoretical concept for Tor was originally developed by Paul Syverson for the US navy, the publicly available Tor program that we are using today was implemented by Roger Dingledine sometime after he left the NSA, as well as Nick Mathewson. I don't think that Dingledine thinks that Tor is adequate to prevent the NSA from pwning people, nobody with an in depth understanding of anonymity networks and signals intelligence really thinks that Tor can resist the NSA.

I am not worried about the Tor developers. They seem to be very libertarian. I don't think that Dingledine is against liberty, in fact I think he is very strongly in favor of freedom of speech and liberty and freedom. I also think that the NSA is almost entirely focused on preventing terrorism, protecting the cyber infrastructure of the USA, and gathering intelligence on foreign governments and such. The NSA is not a police agency, I am not worried about them. If they wanted to shut down SR then SR wouldn't be here. Our security is no match for the NSA. If the FBI or DEA were capable of pwning SR, I think a lot of us would be in prison right now. That is enough for me to feel as if the NSA is not interested in acting as a police agency. In fact, the NSA has not even shut down any of the major child pornography sites on Tor, or even targeted the child molesters using Tor to post their child abuse images. Targeting drug users or CP users is far from their primary interest, and if doing so has even the slightest chance of compromising their ability to gather intelligence on terrorists or foreign agencies, you can rest assured that they are not going to do anything.

and finally

IX. EXHIBITS
Note: Figures used in calculations are designed to be rough and larger than actual costs, in order to
demonstrate maximum reasonable costs.
Exhibit A: (http://www.dtc.umn.edu/mints/home.php) 5000 ~ 8000 PB / month. Presume ~85th
percentile at 7500 Petabytes * 12 months = ~90 Exabytes (94,371,840,000 GB). Data warehousing
costs are approximated to $0.35 / GB / year, ($0.168 / GB hardware, $0.014 / GB power, $0.091 / GB
housing, $0.077 / GB maintenance; breakdown derived from classified source, traffic costs not
included). 94,371,840,000 GB * $0.35 / GB = $33,030,144,000 USD / year.
Exhibit B: 1% * (94,371,840,000 GB) x $0.02 / GB fiber-optic transfer x 2 destinations (collection and
endpoint) = $37,748,736 total fiber-optic transmission costs. Note that although internet traffic doubles,
unique traffic does not increase at the same rate, so 1% is a shrinking figure as total traffic increases.
Non-unique traffic is typically limited to personal communications such as VOIP, email, and instant
messaging.
Exhibit C: IBM BladeCenter PN41, 20 Gbps @ $90,000 = $4.5k / Gbps. Similar costs across the board
(90k wholesale, 106k ~ 120k retail) with other DPI / traffic analysis solutions (Narus, Sandvine, LSI,
Qosmos, Interphase, Ellacoya etc).
Exhibit D: ~90 Exabytes raw analysis / 1 year = ~24 Tbps (23.36) average usage (20Tbps domestic, 4
Tbps international) @ 20% utilization = 117 Tbps (@ 100% utilization) x $4.5k Gbps = $526,500,000
USD. Hardware has a yearly cost of 48% of costs before traffic (power, housing, maintenance). Costs
before traffic are $570,375,000 ($526,500,000 / 0.48 * 0.52), and traffic costs of $37,748,736 bring the
total to $1,134,623,736 for all costs post-tap / pre-analysis.
Exhibit E: Maximum 5000 tapping points worldwide x $3,000,000 / tap / year for physical surveillance,
compliance, black operations, tap installation, and maintenance, and upkeep costs. In Germany alone,
there are 30 major backbone loops, and 10 major IXs, which require multiple taps for total surveillance.
Exhibit F: The cost of Access is $2.27b, consisting of $527m for Traffic Analysis, and $1.5b in Tap
Installation and Management (Exhibit E). The cost of Storage is $570m (Exhibit D), favoring the larger
cost against the 1% of $33b (Exhibit A). The cost of Traffic is $38m, and the cost of Analysis can reach
as high as $1.5b. $2,270m + $570m + $38m + $1,500m = $4,378m.

Even the effect on detecting crimes is significant. People are mistaken in thinking that the NSA needs to filter off so much noise that it is like finding a needle in a haystack, in reality filtering off noise is trivial. I highly suggest reading the following paper from 2009:

https://www.blackhat.com/presentations/bh-usa-09/TOPLETZ/BHUSA09-Topletz-GlobalSpying-PAPER.pdf

I will copy paste the majority of it, some small parts I did not though. Also I would like to point out that one of the authors, Steve Topletz, is a highly controversial figure in anonymity circles. On the other hand, Jonathan Logan and Kyle Williams are not very controversial. All of them have done work on commercial VPN software similar to JonDoNym, they have also contributed somewhat to Tor although Steve is pretty much an outcast in the Tor community, and has a history of being full of shit. That said, a lot of the things he was saying in 2009 in regards to the NSA turned out to be completely accurate, and I actually believe he was one of the first people to publicly point out Roger Dingledines past ties to the NSA. Steve has also given presentations on  anonymity at several hacker conferences, as well as at least once at a police and intelligence conference requiring a security clearance to participate in. All of the authors have at least one or two published papers, but they are not very big names in the academic world. They are all pretty well known in the hacker scene though, especially Steve who is a CDC member.

In this article, we will present insight to the realistic possibilities of Internet mass surveillance. When
talking about the threat of Internet surveillance, the common argument is that there is so much traffic
that any one conversation or email won't be picked up unless there is reason to suspect those
concerned; it is impossible that “they” can listen to us all.
This argument assumes that there is a scarcity of resources and motivation required for mass
surveillance. The truth is that motivation and resources are directly connected. If the resources are
inexpensive enough, then the motivations present are sufficient to use them. This is visible in the
economic effect of supply availability increasing the demand. The effect is that since it is more easily
done, it will be done more readily. Another fault in the above argument is that it assumes that there is
only all-or-nothing surveillance, which is incorrect.

It is important to break down the resources required and methods available as well as the means of
surveillance in order to understand what realistic threat mass surveillance of digital communication is.
The resources required are Access, Storage, Traffic, and Analysis. In this paper, we are speaking about
digital communications, and these methods do not fully apply to purely analog communication, such as
POTS (normal telephone service).
ACCESS
Surveillence requires access to the communication to be surveilled. Data today is transmitted via
copper cable lines, fiber-optics, directed micro-wave communication, broadcast radio (WiMAX,WiFi
etc.), satellite, and a few other arcane methods . The most profitable transmission media for
surveillance, by far, are fiber, broadcast, directed micro-wave, and satellite. Fiber provides the benefit
of large amounts of data from a single “cable.” Broadcast radio provides the benefit of non-physical
accessibility. Directed micro-wave is easily acquired through classic stand-in-the-middle listening.
Satellite provides a very big footprint, where one needs only to be standing near the receiver of the
transmission.
Fiber cables provide the most interesting targets for surveillance. Almost all international
communication eventually goes over a few particular fiber lines, so this is where the tapping is focused.
This is a practice far different from the UK / USA Echelon system of the 1980s, which operated mostly
by targeting direct micro-wave and satellite transmissions, because international fiber-optic lines were
more rare. Today, tapping into fiber is easily accomplished through a variety of methods: splicing the
fiber-optic line, connecting to the repeaters, or tapping into the endpoint routers, and through even
more esoteric methods, like bending the fiber and detecting stray “ghost” photons1. Tapping in most
cases is purely passive, which means two things. First, the signals are being listened to and not
intercepted or modified. Second, surveillance-induced artifacts are non-trivial to detect by the endpoint,
which means there is no “click” on the phone to tell you that someone is listening in. This is especially
true in digital communications espionage, which is the focus of this paper.
Access to fiber-optic lines is mostly accomplished by connecting to repeaters and tapping endpoint
routers. That is what is being performed by AT&T at the request of the NSA. This method is
inexpensive in resources and easy to implement, plus it requires very few people to know about it and
to operate it. In the case of repeater connections, even the fiber owners may not be aware that their
lines are being tapped unless they find the tap during routine maintenance.
Civilians generally assume that the Internet consists of millions of independent lines that would have to
be tapped individually for mass surveillance. Luckily for signals intelligence gathering and analysis,
this is not the case. To tap into 90% of traffic connecting the Eastern Hemisphere to the Western
Hemisphere (GUS / RUS / AFRICA / MIDDLE EAST / EU to US), agencies only need access to either
30 fiber cables2 or half of the 45 landing points3. An alternate method to achieve such access to this
traffic is to install access devices in just seven of the correct Internet Exchanges4 (IXs), which are
where ISPs and backbones interconnect at a single location. Rest assured, all of above has happened at
various scales5 as intelligence agencies are pitted against each other to gain power through knowledge.
Competition levels of espionage can be represented as many sets of Nash equilibria6, where allies and
enemies are not in distinct groups. In specific game theory, it can be represented by the classic Arms
Race model7, with distrustful parties engaged in noncooperative escalation games.

A special property of the Internet, which lends itself to accessibility, is resiliency in routing; if you can
not tap into a specific route, then you can destroy it to have the traffic rerouted through lines that you
have full access to. Accidently drop an anchor on a submarine cable, or have an excavator accidentally
cut a line, and then execute a Distributed Denial of Service or Table Poison attack against the routers in
question. There is an endless amount of innocuous events which are created or exploited for covert
access to fiber-optic communications. For example, one event occurred in November 2005, where the
cable between Iceland and Scotland was apparently severed8, rerouting all traffic through the USA.
Such an event could easily be used for purposeful traffic rerouting, a tapping opportunity, or both9,10.
For tapping subjects that require more surgical precision and shorter time windows than typical dragnet
operations, there are additional options like breaking into routers to establish “shadow routes" on IXs
and landing points. A shadow route is where the traffic between two interfaces is mirrored and a copy
is sent to a third virtual interface, such as a GRE tunnel or IPSec Encapsulated Security Payload11.
It is important to keep in mind that a surveillance organization does not have to cover all nodes or
routes for full access. One must simply select the ones with the most connections or throughput to other
nodes in order to succeed. Tapping into the connection at any endpoint, transmission line, repeater, or
router is enough to obtain the access required for mass surveillance. After you have access, the
remaining work for mass surveillance is relatively trivial.
STORAGE
Storage, as well as traffic, are relatively expensive resources. It makes little sense to tap into
communication lines and not be able to store the data that you want. However, if you are able to select,
reduce, and compress the data you are interested in, then storage resource requirements decrease.
Today, the cost of storage using standard products on the market is high when compared to the total
amount of traffic traveling the Internet. The cost of storing a year’s worth of traffic is very high; for
2008 alone, it would cost over $33 billionA. However, if you use data reduction methods, then the total
storage costs are much lower. For example, it is not necessary to store a copy of all traffic each time
someone downloads a movie; it is enough to reference the movie. The same applies for webpages,
documents, and other uniform communications. By storing only unique Internet traffic at the data-
mining facility, storage costs are reduced to much less than 1% of the original projection, which brings
mass surveillance into close reach for many organizations like the NSA, which has a projected yearly
budget between $3.5b and $4b12, excluding covert operations (Black Ops). Italy implemented such a
system in 2007, named DRAGON13, to retain data acquired from the mass surveillance of their citizens.
Some countries, like Sweden, not only record traffic destined for their country, but they also record all
international traffic that crosses their borders14. Think of them as a nosy person who not only reads his
own mail, but rifles through his neighbors' mailboxes as well.
TRAFFIC
Captured data must be transferred from the temporary storage on the tapped line to the aggregate data
stored at the data-mining facility. Therefore, data of interest must be transferred to a collection point.
Using the above projections, transferring unique traffic from the tapping point to the data-mining
facility costs roughly $40 million annuallyB. This is entirely in the financial reach of both large and
small intelligence gathering organizations. Although it is not publicly known if any organization does
indeed copy and store all unique traffic on the Internet, game theory suggests that if it is both possible
and beneficial, then not only is it likely, but also, capable parties will scramble to do so just to remain
on par with their counterparts.

Analyzing the stored data is where real intelligence happens, and it is more demanding than both
storage and traffic requirements. Post-tapping analysis and offsite analysis should be differentiated;
post-tapping is what selects and reduces the data to that which is unique and of interest15, whereas
offsite analysis is where raw data is turned into intelligence to be acted upon. Post-tap analysis
typically occurs directly at the tap, and the resulting data is stored. Very little communication is of
interest for realtime surveillance, so data is rarely relayed immediately and is typically cached to be
transmitted at a time better suited to both the cost and detectability of the surveillance. For the purpose
of this document, we will always assume higher and padded costs in an effort to demonstrate the
maximum financial requirements. The reality is that the costs are much lower, especially when
equipment is purchased in massive quantities and resources are shared by multiple organizations. The
cost of post-tap analysis is approximately $4.5k per Gbps of trafficC. This means that the post-tap
analysis hardware cost for all unique global Internet traffic at full network utilization is roughly $530m
per yearD for hardware costs alone. Hardware costs consist of only 48% of the total cost before traffic,
with traffic, datacenter upkeep, energy, and storage maintenance making up the rest. This brings the
total post-tap costs to approximately $1.13b per year, not including the installation and maintenance of
access components, which is an additional $1.5b per year. Offsite analysis costs vary, and depending
on what operations and techniques are performed on the unique data collected from the entire Internet,
costs could start at a few million dollars and reach up to a $1.5b in yearly costsE.
The total cost of surveilling all unique Internet traffic in the world is approximately $4.4bF, with a
variance of around $500m, depending on what is done with the information. Since the regions of
interest are different, with some intelligence organizations focusing on multi-national rather than global
surveillance, the cost for non-global mass surveillance of the Internet is less than $1.5b per interested
party. Eight particular intelligence-service countries have a strong interest in acquiring total global
surveillance; those are the United States, the United Kingdom, France, Germany, Russia, Israel, China,
and Australia. Other countries are restrained in their interest, limiting their appetites to those of their
domestic and foreign intelligence services16, which request spying on their citizens and neighboring
traffic.
Economically speaking, this is far less than many countries spend on things like military weapons or
state police17, all while providing an invaluable threat and strategic intelligence. This financial estimate
assumes that the selection of unique communication is 100%, without regard to protocol, and includes
all website, e-mail, and VoIP traffic. This estimate also assumes that it is a single party doing the work,
and that resources like taps, storage, and manpower are not being shared. In practice, however, many
allied countries share intelligence resources. One probable example would be the United States and
Germany sharing hardware taps of Middle Eastern traffic. As we can see in most "developed"
countries, today the actual work is outsourced to private contractors by legislative mandate, such as the
EU Data Retention Directive18, which provides no funding and shifts the burden entirely upon private
Data Centers and ISPs. In some countries, ISPs are required to provide the access, storage, and traffic
components or do it for their own profit by participating with interested 3rd parties, such as Nokia &
Siemens19. Given the minimal costs compared to both the budgets and perceived benefits, it is naive to
assume that mass surveillance is not being employed.

A netflow is a relationship between one computer and another one; the word "connection" does not
really apply to packet-based networks. One thousand active “professional” Internet users create
between 30k-50k concurrent netflows with roughly 80 Mbps to 250 Mbps of sustained bandwidth
consumption. Occasional Internet users, the majority, create much less. The numbers appear huge at
first glance, but applying professional processing equipment and software can reduce those huge
numbers to an easier-to-handle set of information that can readily be acted upon. Communication
surveillance analysis uses the Escalation of Surveillance concept, executed by four basic methods:
Classification, Interpretation, Reaction, and Selection.
Escalation of Surveillance means that, depending on previous analysis, the computers reserve more
resources to spy on a specific target. How they do it depends on the rules given to the Reaction
component and can be exceptionally complex. The escalation process does not stop at the post-tap
analysis stage, but instead, it "trickles up" to the offsite analysis. Additionally, if a target becomes
interesting due to escalation, then other people in connection with the target become more interesting as
well. This is because of context classification, and it can be summed up as “guilty by association.”
Technology makes it possible to interconnect seamlessly and inexpensively the post-tap installations
and the semi-automatic creation and updating of reaction rules. Therefore, escalatation of resources
spent on ancillary target groups that are connected to an escalated target can happen almost in
realtime20.
When communications are tapped into, the first step for analysis is Classification. The two types of
classification are Content classification and Context classification.
Context classification defines what kind of data (protocol) is transferred and who transfers it. Context
classification on IP networks, such as the Internet, is trivial because the underlying protocols provide
all required information in a form that is easy for computers to read and understand. With the advent of
Deep Packet Inspection, the context classification even touches the application protocols (Layer 7
analysis) and payload (classical deep packet inspection). The result is not just having the conclusion
"XY reads a Google page", but also being able to state "XY searched for porn on Google.” The data
generated by context classification is ideal for storage and later data-mining. Such data sets are
relatively small and have a precise meaning. It is fair to assume that the majority of Internet
surveillance focuses on context.
Content classification defines what type of data is transferred and what meaning the data has. In most
cases, content classification only considers the type of data, such as pictures or movies, but in some
cases, the meaning of the data is of interest. Content classification is especially effective on unique
Internet traffic. The Google logo is transferred millions of times every day, however, it is not unique; it
is classified once, put into a reference table, and never revisited. The same goes for most web and p2p
content. Combined with context classification, a resulting data set would say "XY downloaded a nude
picture of Angelina Jolie from webpage Z". The resulting dataset will be less then 200 bytes, regardless
of picture size, and by the time the first 5 to 10 packets are transferred, the connection has already been
analyzed21. One real-life example of this technique is a Bundeskriminalamt22 operation under the
auspices of stopping child pornography. It references known child pornography images, generates a
reference, and then watches to see if those references appear in network traffic. The effect is that they
will instantly know if anyone on their network is sending or receiving such images. This technology is
not limited to images; a checksum of any dataset can be programmed into their scanner, such as
sensitive or politically embarassing documents uploaded to Wikileaks. If the content, however, is not
unique, then the Classification method fails, and the next method used is Interpretation.

Quote from: Railgun on July 09, 2013, 03:00 pm

It seems as though, while there may be some database with everything I've ever thought stored within, there's no real cross-referencing or algorithm analyzing the data for warrant-producing gains.

There probably are, but with massive data sets, they are mostly useless. "Big data" is the most overhyped thing in tech right now, like "cloud" services were a few years ago. If you have a data set with thousands of parameters and you analyze it a million ways, than even with a rigid standard like "1 in 1000 probability of being spurious", which is more formally called a p-value of .001, you are going to find a thousand associations like that! There are ways to address it, like the Bonferroni correction, but it is extremely difficult to find the 10 true associations and exclude the 990 false ones. You are bound to get high false positive and false negative rates. Then you will waste your time raiding innocent people, or spend a lot of money following false leads, and really a judge should never sign a warrant based on evidence that has a 40% chance of being false. The NSA's current standard is a 51% probability of being true, or what John Oliver described as "a coin toss, plus one percent".

With signal analysis specifically, large data sets suffer from the base rate fallacy: http://www.raid-symposium.org/raid99/PAPERS/Axelsson.pdf

A Tor developer named Mike Perry has argued at length that many of the threat assessments against Tor don't take it into account. Many of those assessments also suffer from publication bias (he claims) and are not reproducible under real world conditions, even when the researchers run their analyses on the live Tor network, because there are still components they control, such as the hidden service they are trying to find.

In one sense, it's good that the NSA is collecting vast amounts of data. It makes drawing robust conclusions more difficult, so the more the better

Mike Perry may argue that, but Nick Mathewson and Roger Dingledine will both tell you that observation of a single packet at two points on a Tor circuit is likely enough for linkability. None of the big name academic anonymity researchers actually think that Tor can even stand a chance of resisting an attacker who watches both ends of a circuit. Let's consider an active attacker who watermarks streams. Now, active attacking isn't required, and observation of multiple packets isn't required, but I can understand and explain the probability of a false positive for a watermarked stream much better than I can explain the probability of a false positive from arrival time of a single packet. Imagine that the stream carries 128 packets, since Tor packets are 512 bytes this means the stream of packets is 64 kilobytes. The attacker can delay individual packets such that an identifiable interpacket arrival time signature is inserted in the stream. Imagine that the attacker delays 64 kilobytes of traffic from the user, and then releases the packets one after the other with 50 milliseconds of artificial delay between each of them. This will add a few seconds of delay to the stream, but it will create packets that have a very unique arrival time pattern. The attacker could first run several Tor exit nodes and observe how many streams of packets come with a delay of 50 +/- 10 milliseconds between each of them (to take into account any potential minor jitter at the middle node). They are likely to find that absolutely no streams have this characteristic. When they modify the targeted stream, they force it to have this characteristic, and because the middle node does not artificially delay traffic, the watermark will permanently be embedded in the stream from the time it is inserted all the way up to the destination website. I highly doubt that there is any base rate fallacy that will cause false positives in such a scenario, especially if the attacker delays the individual packets for 0-50 milliseconds prior to forwarding them on, and then looks for that signature of interpacket arrival timings. In fact, it can even be done more smoothly than that. The attacker could insert a specific timing delay between the first two packets, and then if they detect two packets at another surveillance point that arrive with this timing characteristic, they release two more with a different delay, and then release more and more and more. If they observe their inserted watermark for 64 rounds it seems like it is very conclusive that they are observing the same stream at two different locations. Especially considering that there will be a correlation in the total stream size as well, and especially considering that they can do this bidirectionally (although considering that a single packet in one direction is enough, using unidirectional tunnels like I2P does is not a protection but rather doubles the risk of falling victim to an internal attack)! 

I don't think that Narusinsight computers are capable of active attacks, but they can passively record and analyze the natural interpacket arrival timing characteristics of a stream in real time. Real time analysis by itself would not be as useful for a passive attack, in an active attack they could monitor for streams with their predetermined watermarks inserted into them, but for passive analysis they will need to compare fingerprints collected from all of their different collection points. But if they find a correlation between interpacket timing characteristics between a stream collected at one internet backbone and a stream collected at another, it is not at all likely to be a false positive.

I actually am considering making a simple graphical program that can observe a Tor stream and visually represent the packets (perhaps as tiny squares, with space between them representing the difference between their arrival time). It will be fun to send traffic through two nodes running this program, and then to visually compare the stream as it was recorded passing through the entry and the exit node, to see how closely they map together. Then I can add some delays as well, as well as visually compare the delayed stream at an entry node to an exit node. Of course there is no need to create a visual representation, but it just seems like a fun project to me, and it will perhaps help people to understand this attack better, especially if they notice that the watermarked stream looks strikingly different from all of the normal streams. Then maybe I will make a program that simply carries out passive interpacket timing correlation, and see the success rate it has with linking my own streams together out of the noise of regular traffic running over my nodes. It is not even as hard as comparing all streams through node 1 with all streams through node 2, it is at worst a matter of comparing all streams through node 1 and node 2 that are the same size, this can further be reduced by only comparing streams of the same size that share a middle node. If there are ten simultaneous streams through node 1 and 2 that are 100 kb and that share a middle node, something tells me it will not be hard to tell which of the streams is which simply by looking at the spatially represented interpacket arrival timing characteristics of the first several dozen packets of each stream.

I believe that it is more like a mailing list where you can select to send messages to a subset of your contacts, and to receive messages from or filter messages from whoever you like, with the messages presented in a threaded fashion. Actually it looks like Syndie does work with any anonymity network, although it was developed by the I2P people. The user interfaces for both frost and syndie are awful though, they both look like they would probably be a challenge for the average user to use.

It is worth pointing out that post 9/11 these distinctions are less clear though. For example, I believe the NYPD is trained in counter terrorism and intelligence now as well. The general distinctions still stand but the lines are getting muddier. I still perceive the intelligence agencies as having a big fat line between them and the police agencies though (meaning I do not see intelligence agencies acting as police agencies), even if the police agencies are starting to act more like intelligence agencies.

How can you say that when 80% of "sneak and peek"  searches (authorized by PATRIOT ACT) are against drug dealers?

Because the NSA has absolutely nothing to do with sneak and peak. They don't even have field agents as far as I am aware. They strictly consist of mathematicians and computer scientists and their missions are to collect and analyze traffic patterns, break encryption of adversaries, design encryption for the government that cannot be broken, protect the American cyber infrastructure from attack and attack the cyber infrastructure of targets for intelligence and possibly warfare purposes.

Intelligence Agencies: NSA, CIA
Federal Police Agencies: ICE, FBI, DEA, IRS
State Police Agencies: New York State Police, California Highway Patrol
Local Police Agencies: LAPD, NYPD

These agencies have different sorts of targets and different levels of skill and different legal permissions. Local police agencies mostly deal with things like drunk drivers, domestic abuse, shoplifting, petty drug crimes, small time CP offenders etc. They are also a first layer of response to things like 911 calls, so if somebody shoots someone or something they will be the ones to respond to a 911 call and make an arrest or initial search for the perpetrator. State police deal with mostly the same things but they have wider jurisdiction and might handle more complex investigations (though apparently the extent of what the state police do varies significantly from state to state). State and local police are more responsive than proactive. Federal police agencies have jurisdiction over the entire USA and they are much more specialized as compared to local and state police, for example the DEA enforces federal drug law, ICE enforces custom and immigration law, the IRS enforces tax law, the FBI is a general investigatory agency though they also are specialized in various things including but not limited to cyber investigations, counter terrorism, mafia investigations and serial killer investigations. The federal police generally do not bother small time offenders, they leave them for the local and state police agencies. They focus some on mid level offenders and primarily on the biggest offenders. If they are involved in going after a small time offender, it will be in a minimal support role for the state or local police. The intelligence agencies are on a completely different level. The NSA is tasked with the electronic forms of espionage that I already mentioned. The CIA is involved primarily in human intelligence, infiltrating foreign governments with moles as well as turning the agents of foreign governments to the USA. They are also involved in covert operations and a wide variety of other things, but predominately they are a human intelligence agency. There are other intelligence agencies specialized in creating signatures of events and then measuring variables trying to detect them (for example creating a signature of what a certain type of missile sounds like and then creating systems that can detect when those missiles are launched). There are a ton of different intelligence agencies and they are all extremely specialized in what they do and none of them are tasked with targeting criminals, they are not police agencies most of them are either military agencies (such as the NSA) or in a specialized class of their own (such as the CIA).


The FBI is a bit of a mix between a police agency and an intelligence agency though. They have criminal investigators but they also have investigators who specialize in counter intelligence (detecting spies in the USA) and counter terrorism. The FBI can be considered as a hybrid police intelligence agency, and they certainly scare me a lot more than the NSA does.