Showing posts with label XKeyScore. Show all posts

Tuesday, July 08, 2014

More XKeyScore code

In a recent post, I mention that the XKeyScore code revealed by Jacob Appelbaum looks weird. I'm guessing that instead of actual source, it's just snippets copied from PowerPoint presentations and PDF manuals. Twitter user @nin_99 pointed out today that a previous Snowden leak had (accidentally) revealed similar XKeyScore code.

Back on January 17, 2014, the New York Times reported on how the NSA was eavesdropping on data from cell phone apps. In redacting the document (protecting sources and methods), the NYTimes made a common redaction mistake, covering the critical bits instead of removing them. That meant anybody doing a simple copy-and-paste could retrieve the "redacted" text. One of those slides contained XKeyScore source code similar to other code recently released.

The slide in question looked like the following:

Doing a copy-and-paste on the text underneath the black bar reveals the following code:

fingerprint('image/exif/gpsCoordinates') = 
 file_ext('jpeg' or 'pjpeg' or 'jpg' or 'pjpg' or 'tiff' or 'gif' or 'png' or 'riff' or 'wav') and 
 'exif:GPSLatitude' or 'exif:GPSLongitude' or 'exif:GPSDestLatitude' or 'exif:GPSDestLongitude'; 

You can do this yourself. Click on this file. When it downloads, open it. On Windows, hit control-A to select all the text, then control-C to copy it. Open notepad and hit control-V to paste. In the text, you'll see this source code -- though it's hidden under a black bar in the PDF file.

This example gives weight to my suspicions that the original story about Tor and TAILS wasn't derived from actual source code, but pieced together from PowerPoints/PDFs.

This example disproves the assertion that "NSA targets Tor users for being extremists". By that logic, this code "targets photographers for being extremists".
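To make concrete what the fingerprint quoted above does (and does not) select, here is an added toy evaluator in Python. It is not from the blog post and not XKeyScore code; the rule language isn't documented on the page, so three things are assumptions: file_ext() tests the (lower-cased) filename extension, a quoted 'exif:...' keyword tests whether that property was extracted from the object, and `and` binds tighter than `or`, as it does in most languages. Under that last assumption the rule as printed is "image file with GPSLatitude, or any object with one of the other three tags", which is probably not what the rule name promises; the evaluator shows both readings side by side.

```python
# Added example (not from the blog or from XKeyScore): a toy evaluator for the
# image/exif/gpsCoordinates fingerprint quoted above. Assumptions: file_ext()
# tests the lower-cased filename extension; a quoted 'exif:...' keyword tests
# whether that property was extracted from the object; `and` binds tighter
# than `or`, as in most languages.

IMAGE_EXTS = {"jpeg", "pjpeg", "jpg", "pjpg", "tiff", "gif", "png", "riff", "wav"}
GPS_TAGS = (
    "exif:GPSLatitude",
    "exif:GPSLongitude",
    "exif:GPSDestLatitude",
    "exif:GPSDestLongitude",
)


def file_ext(name):
    """Lower-cased extension of a filename, '' if it has none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def rule_as_written(name, props):
    """The quoted rule with the usual precedence: (A and B) or C or D or E."""
    return (file_ext(name) in IMAGE_EXTS and GPS_TAGS[0] in props) or any(
        tag in props for tag in GPS_TAGS[1:]
    )


def rule_intended(name, props):
    """The reading the rule name suggests: an image file carrying any GPS tag."""
    return file_ext(name) in IMAGE_EXTS and any(tag in props for tag in GPS_TAGS)


# Constructed sample objects: (filename, metadata properties extracted from it).
SAMPLES = [
    ("beach.jpg", {"exif:Make", "exif:GPSLatitude", "exif:GPSLongitude"}),
    ("logo.png", {"png:IHDR.width"}),
    ("report.txt", {"exif:GPSLongitude"}),   # GPS property, but not an image extension
    ("trip.JPG", {"exif:GPSDestLatitude"}),  # upper-case extension, destination tag only
]


def evaluate(samples=SAMPLES):
    """Return {filename: (matches_as_written, matches_intended)} for each sample."""
    return {name: (rule_as_written(name, p), rule_intended(name, p)) for name, p in samples}


if __name__ == "__main__":
    for name, (written, intended) in evaluate().items():
        print(f"{name:12} as written={written!s:5} intended={intended!s:5}")
```

The interesting row is report.txt: under the as-written precedence a non-image object carrying an exif:GPSLongitude property still fires the fingerprint, while the "image file with any GPS tag" reading rejects it. Whether the real rule engine groups the `or` terms differently is exactly the kind of detail a slide excerpt cannot tell you.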



Friday, July 04, 2014

XKeyScore: regex foo

For those of you rusty on your regex code, I thought I'd explain those found in the alleged XKeyScore source. The first one is:


/bridge\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):?([0-9]{2,4}?[^0-9])/
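As an added illustration that is not part of the original post, the Python below runs that exact regex over a few constructed lines so you can see what its two capture groups actually return. Two details of the pattern drive the results: `{2,4}?` is lazy, so the engine takes the shortest digit run that is followed by a non-digit, and that terminating `[^0-9]` sits inside group 2, so the captured "port" always carries one trailing character. The sample addresses are from the 192.0.2.0/24 documentation range, not real hosts.

```python
import re

# Added example (not from the blog or from XKeyScore): exercise the bridge regex
# quoted above on constructed lines to see exactly what its two groups capture.
BRIDGE_RE = re.compile(
    r"bridge\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):?([0-9]{2,4}?[^0-9])"
)


def parse_bridge(line):
    """Return (group1, group2) for the first match in line, or None if nothing matches."""
    m = BRIDGE_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


# Constructed input lines (192.0.2.0/24 is the documentation range, not real hosts).
SAMPLES = [
    "bridge 192.0.2.10:443 fingerprint-follows",  # 3-digit port
    "bridge 192.0.2.10:9001\n",                    # 4-digit port, terminated by newline
    "bridge 192.0.2.10:12345 ",                    # 5-digit port: no 2-4 digit run is followed by a non-digit
    "bridge 192.0.2.10 ",                          # no port at all
    "bridge 192.0.2.123 ",                         # no port, but the last octet has 3 digits
]


def parse_all(lines=SAMPLES):
    """Apply parse_bridge to every sample line, preserving order."""
    return [parse_bridge(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLES, parse_all()):
        print(repr(line), "->", result)
```

The last sample is the one worth studying: with no port present, the engine backtracks the final octet from "123" to "1" so that "23 " can satisfy group 2, and the line is reported as address 192.0.2.1, port "23 ". That is the sort of edge case to put in a unit test whenever a detection rule leans on a regex with optional separators and lazy quantifiers.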

Jamming XKeyScore

Back in the day there was talk about "jamming echelon" by adding keywords to email that the echelon system was supposedly looking for. We can do the same thing for XKeyScore: jam the system with more information than it can handle. (I enumerate the bugs I find in the code as "xks-00xx").

Reading the XKeyScore-rules source

Today's story is about "XKeyScore source code" leak. As an expert, I'm going to read through the code line-by-line and comment on it.

Let's assume, for the moment, that somebody has taken an open-source deep-packet-inspection project like Snort and written a language on top of it to satisfy XKeyScore needs. Let's look at the gap between what Snort can do now and what this code wants to produce.

Thursday, July 03, 2014

XKeyScore: it's not attacking Tor

The latest Jacob Appelbaum story is, as usual, activist garbage. The underlying technical information is solid, but their conclusions are completely unwarranted.

The story starts by claiming that two German Tor servers are "under surveillance by the NSA". That implies the NSA has installed a wiretap monitoring all traffic going to/from those servers. That's not what the evidence shows. Instead, the deal is that the wiretaps exist elsewhere in the world, such as Pakistan or Iran. The NSA wants to find users in those countries who connect to Tor. It's those people the NSA is surveilling. The same argument applies to the MixMinion server: the NSA isn't "tracking all connections" to the server as the story claims -- just ones that originate from the targets under surveillance, in order to find out information about those targets.