[tor-dev] XKeyscore rules probably are from Snowden, after all

Eugen Leitl eugen@leitl.org
Fri Jul 4 06:15:32 PDT 2014

----- Forwarded message from Maxim Kammerer <mk@dee.su> -----

Date: Fri, 4 Jul 2014 15:40:01 +0300
From: Maxim Kammerer <mk@dee.su>
To: liberationtech <liberationtech@lists.stanford.edu>
Cc: tor-dev@lists.torproject.org
Subject: [tor-dev] XKeyscore rules probably are from Snowden, after all
Message-ID: <CAHsXYDBdwVu6dcmY1NETphzPa6PBLBsEaVT2rH0nCkrZ4b2SJg@mail.gmail.com>
Reply-To: tor-dev@lists.torproject.org

There has been some speculation that the recent XKeyscore rule leaks
[1] do not come from Snowden — particularly, by Schneier [2]. I
believe that there is a good case that the leaks do come from Snowden,
since it is possible to pinpoint the date range when the rule sources
[3] have been last updated.

The earliest possible date is 2011-08-08, when the Linux Journal
writeup about Tails [4], referenced by the glob pattern
"linuxjournal.com/content/linux*" has been published. The pattern is
not a generic Linux Journal filter, as implied in [1].

The likely latest possible date is 2012-02-28, when "maatuska"
directory authority has changed its IP [5]. A less likely upper bound
is 2012-09-21, when "Faravahar" directory authority has been added
[6]. NSA either took the 8 authorities from the actual consensus, or
picked them from Tor's sources [7]. However, Tor sources list more
than 8 authorities, and are not properly maintained (e.g., see entry
for "moria1" wrt. its last .34/.39 octet tweaks), so I doubt NSA would
use that. Moreover, it is hard to miss the port number in the sources,
whereas NSA did miss that some authorities do not (and did not) use
ports 80/443. E.g., "moria1" (the MIT campus server mentioned in [1])
would not be matched as a Tor authority by the rules.

Snowden most likely tried to contact Greenwald at the end of 2012 [8],
which is entirely consistent with the above. Another NSA employee
leaking XKeyscore rules after being inspired by Snowden's leaks, would
have probably downloaded a more up-to-date rules file.

Cross-posting to tor-dev, in case I got any historical directory
authority changes wrong.

[1] http://daserste.ndr.de/panorama/aktuell/nsa230_page-1.html
[2] https://www.schneier.com/blog/archives/2014/07/nsa_targets_pri.html
[3] http://daserste.ndr.de/panorama/xkeyscorerules100.txt
[4] http://www.linuxjournal.com/content/linux-distro-tales-you-can-never-be-too-paranoid
[5] https://lists.torproject.org/pipermail/tor-dev/2012-February/003312.html
[6] https://trac.torproject.org/projects/tor/ticket/5749
[7] https://gitweb.torproject.org/tor.git/blob/HEAD:/src/or/config.c
[8] http://www.nytimes.com/2013/08/18/magazine/laura-poitras-snowden.html

Maxim Kammerer
Liberté Linux: http://dee.su/liberte
tor-dev mailing list

----- End forwarded message -----

More information about the cypherpunks mailing list