BaSs_HaXoR

XKeyscore

Dec 1st, 2016
/*
##########################################################################################################################
XKeyScore Source Code Review
The recent revelations from Jake Applebaum, et al., today highlight some not-to-be-understated points:

Tor users are directly targeted
TAILS users are directly targeted
People searching for privacy tools are targeted
While the conclusion by some may have been "well of course the NSA is doing that", the revelation and the insight it provides is direct, specific evidence that people worried about their privacy are being attacked. Moreover, this provides further evidence that the NSA's goal is to collect it all.

The Revelations

To summarize, the source code to the NSA program XKeyscore (known since the early days of the Snowden disclosures) has been leaked. It sounds like the program's entire source code is in the hands of another party, and it shows what the code does, how it works and who it is targeting. We now know that privacy-conscious bystanders are targeted: Tor users, people who visit the Tor website, people who use TAILS, or who try to view hidden services. Each of these is considered a suspicious activity, and the IPs involved are flagged as suspects by the NSA's network monitoring machine. This is a further reminder that if you look privacy conscious, you are going to be targeted as an "extremist" in the eyes of the United States and its allies.

Tracking Bridge Users

XKeyscore tracks the IP addresses that send emails to the Tor bridge automated account. When a user is in a country that blocks Tor, they have the option of using an unlisted Tor entry node called a bridge. To get an unlisted bridge IP, one option is to email a Tor Project address which auto-replies with the address of a bridge. The Five Eyes have been documenting each IP that makes a request to that email address.

Tracking Tor Directory Authorities

Another facet disclosed was that the NSA is targeting a specific Tor directory server run by Sebastian Hahn. I believe that this is the case only because the source of the XKeyscore leak was a node in Germany. Looking at nodes in other countries would point to a corresponding directory authority in that region.

Until relatively recently, the Tor network consisted of only 9 directory servers, to which all clients would first connect prior to joining the Tor network. These 9 directory servers are still in place, but an additional feature lets Tor nodes act as a directory server cache. With this feature, you are no longer automatically required to connect to one of the directory authorities during each bootup. This helps mitigate the risk.

Tracking Tor Entry Nodes

Even if your connection to the directory authorities was not caught by the program, your connections to the Tor entry nodes were. So while the directory authorities are only used during boot, connections to Tor entry nodes are made repeatedly as your client builds circuits.

There is not much you can do to defend against this one. Using a bridge would ensure that XKeyScore does not know which IPs to track, but the requests for bridges are caught as well. One may consider running one's own unlisted Tor entry node, which is possible, but it severely degrades your anonymity. Users concerned with this may consider using a VPN service and then connecting over Tor. This would not fix it, but it would make it more difficult to identify the originating request to connect to Tor.

Tracking Torproject.org Visits

One of the more useless network interactions that are logged is that of users visiting www.torproject.org. The document shows what they are calling "microplugins" that highlight specific pieces of information caught in transit. Your visit to the Tor Project's website is logged and you are now flagged as suspicious.

XKeyScore Code

The most interesting part is the released code showing how XKeyScore works. Many have already highlighted that the NSA programs are merely malicious implementations of existing technology (as opposed to custom software built from the ground up). We can see that XKeyScore's database uses a MapReduce model, one very common with NoSQL databases like Hadoop. This is hinted at in the "mapper" and "reducer" functions that search for onion addresses:
##########################################################################################################################
*/

// START_DEFINITION
/**
 * Fingerprint Tor authoritative directories enacting the directory protocol.
 */
fingerprint('anonymizer/tor/node/authority') = $tor_authority
  and ($tor_directory or preappid(/anonymizer\/tor\/directory/));
// END_DEFINITION

// START_DEFINITION
/*
Global Variable for Tor foreign directory servers. Searching for potential Tor
clients connecting to the Tor foreign directory servers on ports 80 and 443.
*/

$tor_foreign_directory_ip = ip('193.23.244.244' or '194.109.206.212' or
'86.59.21.38' or '213.115.239.118' or '212.112.245.170') and port ('80' or
'443');
// END_DEFINITION

// START_DEFINITION
/*
this variable contains the 3 Tor directory servers hosted in FVEY countries.
Please do not update this variable with non-FVEY IPs. These are held in a
separate variable called $tor_foreign_directory_ip. Goal is to find potential
Tor clients connecting to the Tor directory servers.
*/
$tor_fvey_directory_ip = ip('128.31.0.39' or '216.224.124.114' or
'208.83.223.34') and port ('80' or '443');
// END_DEFINITION


// START_DEFINITION
requires grammar version 5
/**
 * Identify clients accessing Tor bridge information.
 */
fingerprint('anonymizer/tor/bridge/tls') =
ssl_x509_subject('bridges.torproject.org') or
ssl_dns_name('bridges.torproject.org');

/**
 * Database Tor bridge information extracted from confirmation emails.
 */
fingerprint('anonymizer/tor/bridge/email') =
email_address('bridges@torproject.org')
  and email_body('https://bridges.torproject.org/' : c++
  extractors: {{
    bridges[] = /bridge\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):?([0-9]{2,4}?[^0-9])/;
  }}
  init: {{
    xks::undefine_name("anonymizer/tor/torbridges/emailconfirmation");
  }}
  main: {{
    static const std::string SCHEMA_OLD = "tor_bridges";
    static const std::string SCHEMA_NEW = "tor_routers";
    static const std::string FLAGS = "Bridge";
    if (bridges) {
      for (size_t i=0; i < bridges.size(); ++i) {
        std::string address = bridges[i][0] + ":" + bridges[i][1];
        DB[SCHEMA_OLD]["tor_bridge"] = address;
        DB.apply();
        DB[SCHEMA_NEW]["tor_ip"] = bridges[i][0];
        DB[SCHEMA_NEW]["tor_port_or"] = bridges[i][1];
        DB[SCHEMA_NEW]["tor_flags"] = FLAGS;
        DB.apply();
      }
      xks::fire_fingerprint("anonymizer/tor/directory/bridge");
    }
    return true;
  }});
// END_DEFINITION


// START_DEFINITION
/*
The fingerprint identifies sessions visiting the Tor Project website from
non-fvey countries.
*/
fingerprint('anonymizer/tor/torpoject_visit')=http_host('www.torproject.org')
and not(xff_cc('US' OR 'GB' OR 'CA' OR 'AU' OR 'NZ'));
// END_DEFINITION


// START_DEFINITION
/*
These variables define terms and websites relating to the TAILs (The Amnesic
Incognito Live System) software program, a comsec mechanism advocated by
extremists on extremist forums.
*/

$TAILS_terms=word('tails' or 'Amnesiac Incognito Live System') and word('linux'
or ' USB ' or ' CD ' or 'secure desktop' or ' IRC ' or 'truecrypt' or ' tor ');
$TAILS_websites=('tails.boum.org/') or ('linuxjournal.com/content/linux*');
// END_DEFINITION

// START_DEFINITION
/*
This fingerprint identifies users searching for the TAILs (The Amnesic
Incognito Live System) software program, viewing documents relating to TAILs,
or viewing websites that detail TAILs.
*/
fingerprint('ct_mo/TAILS')=
fingerprint('documents/comsec/tails_doc') or web_search($TAILS_terms) or
url($TAILS_websites) or html_title($TAILS_websites);
// END_DEFINITION
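The session-level selectors above (the directory-server IP variables, the torproject.org visit fingerprint and the TAILS fingerprint) are plain boolean combinations of per-session fields. The Python below is an added illustration of how they evaluate over constructed session records; it is not part of the leaked rules file. The record layout, the reading of word() as a case-insensitive substring match and of the trailing '*' in $TAILS_websites as a prefix wildcard are assumptions, since the rules file defines none of them, and the documents/comsec/tails_doc branch is left out because that fingerprint is not in the excerpt.

```python
"""Evaluate the session-level XKeyscore selectors from the leaked excerpt over
constructed session records.  Added illustration, not part of the leaked file;
record layout and the semantics assumed for word(), xff_cc() and the '*'
wildcard are assumptions."""

FVEY = {"US", "GB", "CA", "AU", "NZ"}

# IP lists and ports copied from $tor_foreign_directory_ip / $tor_fvey_directory_ip.
TOR_FOREIGN_DIRECTORY_IP = {"193.23.244.244", "194.109.206.212", "86.59.21.38",
                            "213.115.239.118", "212.112.245.170"}
TOR_FVEY_DIRECTORY_IP = {"128.31.0.39", "216.224.124.114", "208.83.223.34"}
DIRECTORY_PORTS = {80, 443}

# $TAILS_terms, kept verbatim (note the spaces the rule puts around ' USB ', ' tor ', ...).
TAILS_TERMS_A = ["tails", "Amnesiac Incognito Live System"]
TAILS_TERMS_B = ["linux", " USB ", " CD ", "secure desktop", " IRC ", "truecrypt", " tor "]
# $TAILS_websites; the trailing '*' of the second entry is read as "anything after".
TAILS_WEBSITES = ["tails.boum.org/", "linuxjournal.com/content/linux"]


def word(text, terms):
    """word(): assumed here to be a case-insensitive substring match."""
    lowered = text.lower()
    return any(term.lower() in lowered for term in terms)


def tor_directory_contact(session):
    """Directory-server variables: destination IP in one of the two lists and
    destination port 80 or 443.  Returns the variable name that matched, or None."""
    if session["dst_port"] not in DIRECTORY_PORTS:
        return None
    if session["dst_ip"] in TOR_FOREIGN_DIRECTORY_IP:
        return "tor_foreign_directory_ip"
    if session["dst_ip"] in TOR_FVEY_DIRECTORY_IP:
        return "tor_fvey_directory_ip"
    return None


def torproject_visit(session):
    """fingerprint('anonymizer/tor/torpoject_visit'): Host www.torproject.org and
    the X-Forwarded-For country code not one of the Five Eyes (or absent)."""
    return (session.get("http_host") == "www.torproject.org"
            and session.get("xff_cc") not in FVEY)


def tails(session):
    """fingerprint('ct_mo/TAILS') without the documents/comsec/tails_doc branch:
    a web search hitting both $TAILS_terms groups, or a URL / HTML title hitting
    $TAILS_websites."""
    search = session.get("web_search", "")
    if word(search, TAILS_TERMS_A) and word(search, TAILS_TERMS_B):
        return True
    return any(site in session.get(field, "")
               for field in ("url", "html_title") for site in TAILS_WEBSITES)


def evaluate(session):
    """Names of the selectors a single session record satisfies, in rule order."""
    hits = []
    directory = tor_directory_contact(session)
    if directory:
        hits.append(directory)
    if torproject_visit(session):
        hits.append("anonymizer/tor/torpoject_visit")
    if tails(session):
        hits.append("ct_mo/TAILS")
    return hits


# Constructed sample sessions (documentation-range client addresses, made-up countries).
SAMPLE_SESSIONS = [
    {"dst_ip": "193.23.244.244", "dst_port": 443},
    {"dst_ip": "128.31.0.39", "dst_port": 9030},   # directory IP but not port 80/443: no hit
    {"dst_ip": "203.0.113.10", "dst_port": 443, "http_host": "www.torproject.org", "xff_cc": "DE"},
    {"dst_ip": "203.0.113.10", "dst_port": 443, "http_host": "www.torproject.org", "xff_cc": "US"},
    {"dst_ip": "203.0.113.11", "dst_port": 80, "web_search": "tails linux usb install"},
    {"dst_ip": "203.0.113.12", "dst_port": 80, "url": "https://tails.boum.org/download/"},
    {"dst_ip": "203.0.113.13", "dst_port": 80, "web_search": "cat tails fluffy"},
]

if __name__ == "__main__":
    for session in SAMPLE_SESSIONS:
        print(session, "->", evaluate(session))
```

Running the script prints the selector names each constructed session trips; the second record shows that the directory variables only cover ports 80 and 443, and the last two search records show that both word() groups must match before ct_mo/TAILS fires.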


// START_DEFINITION
requires grammar version 5
/**
 * Aggregate Tor hidden service addresses seen in raw traffic.
 */
mapreduce::plugin('anonymizer/tor/plugin/onion') =
  immediate_keyword(/(?:([a-z]+):\/\/){0,1}([a-z2-7]{16})\.onion(?::(\d+)){0,1}/c : c++
    includes: {{
      #include <boost/lexical_cast.hpp>
    }}
    proto: {{
      message onion_t {
        required string address = 1;
        optional string scheme = 2;
        optional string port = 3;
      }
    }}
    mapper<onion_t>: {{
      static const std::string prefix = "anonymizer/tor/hiddenservice/address/";

      onion_t onion;
      size_t matches = cur_args()->matches.size();
      for (size_t pos=0; pos < matches; ++pos) {
        const std::string &value = match(pos);
        if (value.size() == 16)
          onion.set_address(value);
        else if(!onion.has_scheme())
          onion.set_scheme(value);
        else
          onion.set_port(value);
      }

      if (!onion.has_address())
        return false;

      MAPPER.map(onion.address(), onion);
      xks::fire_fingerprint(prefix + onion.address());
      return true;
    }}
    reducer<onion_t>: {{
      for (values_t::const_iterator iter = VALUES.begin();
          iter != VALUES.end();
          ++iter) {
        DB["tor_onion_survey"]["onion_address"] = iter->address() + ".onion";
        if (iter->has_scheme())
          DB["tor_onion_survey"]["onion_scheme"] = iter->scheme();
        if (iter->has_port())
          DB["tor_onion_survey"]["onion_port"] = iter->port();
        DB["tor_onion_survey"]["onion_count"] = boost::lexical_cast<std::string>(TOTAL_VALUE_COUNT);
        DB.apply();
        DB.clear();
      }
      return true;
    }});

/**
 * Placeholder fingerprint for Tor hidden service addresses.
 * Real fingerprints will be fired by the plugins
 *   'anonymizer/tor/plugin/onion/*'
 */
fingerprint('anonymizer/tor/hiddenservice/address') = nil;
// END_DEFINITION


// START_DEFINITION
appid('anonymizer/mailer/mixminion', 3.0, viewer=$ascii_viewer) =
        http_host('mixminion') or
        ip('128.31.0.34');
// END_DEFINITION

/*
Source: http://www.b3rn3d.com/blog/2014/07/04/xkeyscore-source-code-review/
http://www.b3rn3d.com/assets/xkeyscorerules100.txt
MORE INFO HERE: https://www.techdirt.com/articles/20140703/02494927769/nsas-xkeyscore-source-code-leaked-shows-tor-users-classified-as-extremists.shtml
*/
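The review text above points at the "mapper" and "reducer" of the 'anonymizer/tor/plugin/onion' plugin as the MapReduce part of the rules, and the bridge-tracking section describes the 'anonymizer/tor/bridge/email' extractor. The Python below is an added illustration of both, not part of the leaked file: it uses the two regular expressions exactly as they appear in the rules, runs the map, shuffle-by-key and reduce steps over constructed text lines, and feeds a constructed bridge auto-reply through the email extractor. The in-memory row list standing in for DB, the shuffle step, and the use of regex groups instead of the leaked mapper's positional loop over matches are assumptions; the trailing /c flag on the onion regex is not reproduced because its meaning is not given in the file.

```python
"""Python re-implementation of two extractors from the leaked XKeyscore rules:
the 'anonymizer/tor/plugin/onion' mapreduce plugin and the
'anonymizer/tor/bridge/email' extractor.  Added illustration, not part of the
leaked file; the row list used as DB and the shuffle step are assumptions."""
import re
from collections import defaultdict

# Regex copied from the onion plugin (16-character v2 onion names).  The '/c'
# flag of the original is not reproduced; the rules file does not explain it.
ONION_RE = re.compile(r"(?:([a-z]+)://){0,1}([a-z2-7]{16})\.onion(?::(\d+)){0,1}")
ONION_PREFIX = "anonymizer/tor/hiddenservice/address/"

# Regex copied from the bridge-email extractor.  Its final [^0-9] means the port
# group also captures one trailing non-digit character (newline, space, ...).
BRIDGE_RE = re.compile(
    r"bridge\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):?([0-9]{2,4}?[^0-9])"
)


def onion_mapper(text):
    """Map step: one (key, value) pair per onion address in the text.  The regex
    groups are used directly instead of the leaked positional loop over matches."""
    emitted = []
    for match in ONION_RE.finditer(text):
        scheme, address, port = match.groups()
        record = {"address": address}
        if scheme:
            record["scheme"] = scheme
        if port:
            record["port"] = port
        emitted.append((address, record))
    return emitted


def onion_reducer(address, values):
    """Reduce step: like the leaked reducer, one DB row per value in the group,
    each carrying the group's total count (TOTAL_VALUE_COUNT)."""
    rows = []
    for value in values:
        row = {"onion_address": address + ".onion", "onion_count": len(values)}
        if "scheme" in value:
            row["onion_scheme"] = value["scheme"]
        if "port" in value:
            row["onion_port"] = value["port"]
        rows.append(row)
    return rows


def run_onion_survey(lines):
    """Mapper, shuffle-by-key and reducer over raw text lines.  Returns the
    tor_onion_survey rows and the per-address fingerprint names that would fire."""
    groups = defaultdict(list)
    fired = set()
    for line in lines:
        for key, record in onion_mapper(line):
            groups[key].append(record)
            fired.add(ONION_PREFIX + key)
    rows = []
    for key in sorted(groups):
        rows.extend(onion_reducer(key, groups[key]))
    return {"rows": rows, "fingerprints": sorted(fired)}


def extract_bridges(email_address, body):
    """Bridge-email fingerprint: only mail involving bridges@torproject.org whose
    body carries the bridges URL is parsed.  Returns (fired fingerprint or None,
    [(ip, port)]) with the captured trailing character dropped from the port."""
    if email_address != "bridges@torproject.org" or "https://bridges.torproject.org/" not in body:
        return None, []
    bridges = [(ip, port[:-1]) for ip, port in BRIDGE_RE.findall(body)]
    return ("anonymizer/tor/directory/bridge" if bridges else None), bridges


# Constructed sample input (not real traffic); the onion names are made up.
SAMPLE_TRAFFIC = [
    "GET http://abcdefghijklmnop.onion/index.html HTTP/1.1",
    "mirror at abcdefghijklmnop.onion:8080",
    "see also exampleexample22.onion and tooshort.onion",
    "abcdefghijklmnopqrstuvwxyz.onion",   # 26 chars: the unanchored regex takes the last 16
]
SAMPLE_EMAIL = (
    "Here are your bridges:\n\nbridge 198.51.100.7:443\nbridge 203.0.113.9:9001\n\n"
    "To get new bridges visit https://bridges.torproject.org/\n"
)

if __name__ == "__main__":
    survey = run_onion_survey(SAMPLE_TRAFFIC)
    for row in survey["rows"]:
        print(row)
    print(survey["fingerprints"])
    print(extract_bridges("bridges@torproject.org", SAMPLE_EMAIL))
```

Two things the run makes visible that reading the rule does not: the onion regex has no left boundary, so a 26-character label yields a 16-character "address" cut from its tail, and the bridge port group includes the character after the digits, which is why the example strips it before building the ip:port string the leaked code stores.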