Thursday, July 03, 2014

XKeyScore: it's not attacking Tor

The latest Jacob Appelbaum story is, as usual, activist garbage. The underlying technical information is solid, but its conclusions are completely unwarranted.

The story starts by claiming that two German Tor servers are "under surveillance by the NSA". That implies the NSA has installed a wiretap monitoring all traffic going to/from those servers. That's not what the evidence shows. Instead, the wiretaps exist elsewhere in the world, such as Pakistan or Iran. The NSA wants to find users in those countries who connect to Tor. It's those people the NSA is surveilling. The same argument applies to the MixMinion server: the NSA isn't "tracking all connections" to the server as the story claims, just the ones that originate from the targets under surveillance, in order to find out information about those targets.


The story claims that simply searching for information about Tor makes you a target. Instead, it's the other way around: when the NSA has targeted somebody, one piece of information they want to know about that person is whether or not they've used Tor. The comment linking "TAILS" with "extremists" isn't saying that everyone who uses TAILS is an extremist (as is widely reported), but that jihadi forums post instructions on how to use TAILS.

Tapping an Internet link (like the taps in Pakistan and Yemen) generates more data than the NSA can possibly handle. What this XKeyScore system does is index that data, making it easily searchable by human analysts. This indexing can also trigger automated mechanisms, such as those that store specific sessions for longer data retention. To know precisely what "threat" this system poses to Tor, we'd have to know more about those automated systems. This source code doesn't show any threat at all; indeed, it shows precisely what we'd expect it to show given the other Snowden disclosures about the NSA and Tor.
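To make the fingerprint-and-index model concrete, here is a toy DPI indexer written for this post as an added illustration; it is not XKeyScore source and not ferret code. Sessions seen at a tap are matched against a small rule set, the hits are indexed both by fingerprint ("who matched?") and by source ("what did this source match?"), and any session that hits a rule is flagged for longer retention while everything else ages out. It also shows the two analyst queries discussed above: asking whether an already-targeted source touched Tor, versus asking who in a tapped country connected to a directory server. Every address (RFC 5737 documentation space), hostname, session record and fingerprint name below is constructed for the example.

```python
"""Toy fingerprint indexer in the style of the DPI model described in the post.
Added illustration only: not XKeyScore or ferret code. All addresses, hostnames,
session records and fingerprint names are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Session:
    sid: int
    src_ip: str
    src_country: str      # country where the tap saw the flow, not a geo lookup
    dst_ip: str
    dst_port: int
    http_host: str = ""   # empty for non-HTTP or TLS sessions
    http_url: str = ""


# Hypothetical directory-server addresses from RFC 5737 space (not real Tor nodes).
DIRECTORY_SERVERS = {ipaddress.ip_address("203.0.113.10"),
                     ipaddress.ip_address("203.0.113.11")}

# Hypothetical pattern for "searches about anonymity software".
PRIVACY_TOOL_QUERY = re.compile(r"\b(tails|tor browser)\b", re.IGNORECASE)


def search_terms(url: str) -> str:
    """Return the 'q' parameter of a search-engine style URL, or '' if absent."""
    return " ".join(parse_qs(urlsplit(url).query).get("q", []))


# Fingerprint name -> predicate over a session. Names are made up for this example.
FINGERPRINTS = {
    "fp/directory_connect": lambda s: (
        ipaddress.ip_address(s.dst_ip) in DIRECTORY_SERVERS
        and s.dst_port in (80, 443, 9030)),
    "fp/privacy_tool_search": lambda s: bool(
        PRIVACY_TOOL_QUERY.search(search_terms(s.http_url))),
}


class FingerprintIndex:
    """Index hits by fingerprint and by source; flag matching sessions for retention."""

    def __init__(self, rules=FINGERPRINTS):
        self.rules = rules
        self.by_fingerprint = defaultdict(list)   # name -> [Session]
        self.by_source = defaultdict(set)         # src_ip -> {name}
        self.long_retention = set()               # sids kept past the short window
        self.seen = 0                             # everything the tap delivered

    def ingest(self, s: Session) -> list:
        """Run every rule over one session; index and retain it only on a hit."""
        self.seen += 1
        hits = [name for name, rule in self.rules.items() if rule(s)]
        for name in hits:
            self.by_fingerprint[name].append(s)
            self.by_source[s.src_ip].add(name)
        if hits:
            self.long_retention.add(s.sid)
        return hits

    def fingerprints_for_source(self, src_ip: str) -> set:
        """Analyst question: has this already-targeted source touched Tor?"""
        return set(self.by_source.get(src_ip, ()))

    def sources_for_fingerprint(self, name: str, country=None) -> set:
        """Analyst question: who (optionally, in which tapped country) matched?"""
        return {s.src_ip for s in self.by_fingerprint.get(name, ())
                if country is None or s.src_country == country}


def build_sample_index() -> FingerprintIndex:
    """Feed five constructed sessions through the index and return it."""
    idx = FingerprintIndex()
    sessions = [
        Session(1, "198.51.100.20", "PK", "203.0.113.10", 443),
        Session(2, "198.51.100.21", "IR", "203.0.113.11", 9030),
        Session(3, "192.0.2.5", "PK", "203.0.113.99", 443),   # not a directory server
        Session(4, "198.51.100.20", "PK", "203.0.113.50", 80,
                "search.example", "http://search.example/?q=tails+download"),
        Session(5, "192.0.2.7", "DE", "203.0.113.50", 80,
                "search.example", "http://search.example/?q=weather"),
    ]
    for s in sessions:
        idx.ingest(s)
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    print("seen:", idx.seen, "retained:", sorted(idx.long_retention))
    print("198.51.100.20 matched:", sorted(idx.fingerprints_for_source("198.51.100.20")))
    print("PK sources hitting directory servers:",
          idx.sources_for_fingerprint("fp/directory_connect", "PK"))
```

Note that the index only ever contains sessions the tap delivered: the German source of session 5 is never "surveilled" by this structure, and a session to 203.0.113.10 that never crosses the tapped link is invisible to it. The retention trigger is also per-session, which is the part of the real system the source code alone doesn't tell us much about.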

I don't know precise numbers, but I'd be surprised if this code represented more than 0.1% of the fingerprints the NSA was looking for. I mention this to point out that fundamentally, the NSA isn't terribly interested in Tor. They are interested in other things, and the Tor information here is added more as an afterthought than as a primary mission of the system.

I am an expert in deep packet inspection (DPI). I've written a system vaguely similar to this XKeyScore system here: (ferret). I find the conclusions in this story completely unwarranted, though the technical information cited by this story is pretty good. I suggest future stories about the NSA's deep packet inspection actually consult with engineers who've written DPI code before making wild claims.

1 comment:

marc said...

RAMPART-A has access to international communications from anywhere around the world (https://s3.amazonaws.com/s3.documentcloud.org/documents/1200864/tssinframpartaoverview-v1-0-redacted-information.pdf)