----- Forwarded message from Maxim Kammerer <mk@dee.su> -----

Date: Fri, 4 Jul 2014 15:40:01 +0300
From: Maxim Kammerer <mk@dee.su>
To: liberationtech <liberationtech@lists.stanford.edu>
Cc: tor-dev@lists.torproject.org
Subject: [tor-dev] XKeyscore rules probably are from Snowden, after all
Message-ID: <CAHsXYDBdwVu6dcmY1NETphzPa6PBLBsEaVT2rH0nCkrZ4b2SJg@mail.gmail.com>
Reply-To: tor-dev@lists.torproject.org

There has been some speculation that the recent XKeyscore rule leaks [1] do not come from Snowden — particularly, by Schneier [2]. I believe that there is a good case that the leaks do come from Snowden, since it is possible to pinpoint the date range when the rule sources [3] were last updated.

The earliest possible date is 2011-08-08, when the Linux Journal writeup about Tails [4], referenced by the glob pattern "linuxjournal.com/content/linux*", was published. The pattern is not a generic Linux Journal filter, as implied in [1].

The likely latest possible date is 2012-02-28, when the "maatuska" directory authority changed its IP [5]. A less likely upper bound is 2012-09-21, when the "Faravahar" directory authority was added [6].

NSA either took the 8 authorities from the actual consensus, or picked them from Tor's sources [7]. However, Tor sources list more than 8 authorities, and are not properly maintained (e.g., see entry for "moria1" wrt. its last .34/.39 octet tweaks), so I doubt NSA would use that. Moreover, it is hard to miss the port number in the sources, whereas NSA did miss that some authorities do not (and did not) use ports 80/443. E.g., "moria1" (the MIT campus server mentioned in [1]) would not be matched as a Tor authority by the rules.

Snowden most likely tried to contact Greenwald at the end of 2012 [8], which is entirely consistent with the above. Another NSA employee leaking XKeyscore rules after being inspired by Snowden's leaks would have probably downloaded a more up-to-date rules file.

Cross-posting to tor-dev, in case I got any historical directory authority changes wrong.

[1] http://daserste.ndr.de/panorama/aktuell/nsa230_page-1.html
[2] https://www.schneier.com/blog/archives/2014/07/nsa_targets_pri.html
[3] http://daserste.ndr.de/panorama/xkeyscorerules100.txt
[4] http://www.linuxjournal.com/content/linux-distro-tales-you-can-never-be-too-...
[5] https://lists.torproject.org/pipermail/tor-dev/2012-February/003312.html
[6] https://trac.torproject.org/projects/tor/ticket/5749
[7] https://gitweb.torproject.org/tor.git/blob/HEAD:/src/or/config.c
[8] http://www.nytimes.com/2013/08/18/magazine/laura-poitras-snowden.html

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

----- End forwarded message -----