Alleged XKeyscore filter lists leaked

German public broadcasters NDR and WDR have received what they say is parts of the source code for the NSA’s XKeyscore analysis software. In actuality, it seems to be part of a configuration file, more specifically filter rules, to find TOR and Tails users among their intercepted data. Users from countries belonging to the Five Eyes group (US, UK, Canada, Australia and New Zealand) are not monitored.

Heise: http://www.heise.de/security/meldung/XKeyscore-analysiert-und-sabotiert-2249628.html

cf. NDR story by Appelbaum et al: http://daserste.ndr.de/panorama/aktuell/NSA-targets-the-privacy-conscious,nsa230.html

cf. released “source code”: http://daserste.ndr.de/panorama/xkeyscorerules100.txt

The latest Jacob Appelbaum story is, as usual, activist garbage. The underlying technical information is solid, but their conclusions are completely unwarranted.

The story starts by claiming that that two German Tor servers are “under surveillance by the NSA”. That implies the NSA has installed a wiretap monitoring all traffic going to/from those servers. That’s not what the evidence shows. Instead, the deal is that the wiretaps exist elsewhere in the world, such as Pakistan or Iran. The NSA wants to find users in those countries who connect to Tor. It’s those people the NSA is surveilling. The same argument applies to the MixMinion server: the NSA isn’t “tracking all connections” to the server as the story claims — just ones that originate from the targets under surveillance, in order to find out information about those targets.

The story claims that simply searching for information about Tor makes you a target. Instead, it’s the other way around: when the NSA has targeted somebody, one piece of information they want to know about that person is whether or not they’ve used Tor. The comments linking “TAILS” with “extremists” isn’t saying everyone who uses TAILS is an extremist (as is widely reported), but that jihadi forums post instructions on how to use TAILS.

Tapping an Internet link (like the taps in Paikstan and Yeme) generate more data than the NSA can possibly handle. What this XKeyScore system does is index that data, making it easily searchable by human analysts. This indexing can also trigger automated mechanisms, such as those that store specific sessions for longer data retention. To know precisely what “threat” this system poses to Tor, we’d have to know more about those automated systems. This source code doesn’t show any threat at all — indeed, it shows precisely what we’d expect it to show given the other Snowden disclosures about the NSA and Tor.

Errata Security Blog: http://blog.erratasec.com/2014/07/xkeyscore-its-not-attacking-tor.html

There are now instructions on how to jam up the filter rules.

Errata Security Blog: http://blog.erratasec.com/2014/07/jamming-xkeyscore_4.html