Does The XKeyscore Source Code Leak Point To Another NSA Leaker?

from the new-goal:-a-leaker-a-year-for-the-next-decade! dept

Mon, Jul 7th 2014 10:02am — Tim Cushing

The recent leak of the XKeyscore source code has raised an interesting question. Is there a second leaker? The report written by Jacob Appelbaum and others for DasErste.de detailed the NSA's targeting of Tor users (and even those who just read about Tor) and the harvesting of their communications, but very explicitly did not state that Snowden was the source of this code snippet.

Others noticed this lack of attribution and commented on it. Cory Doctorow at Boing Boing apparently received confirmation that this particular leak was not from Snowden's trove of documents.

Another expert said that s/he believed that this leak may come from a second source, not Edward Snowden, as s/he had not seen this in the original Snowden docs; and had seen other revelations that also appeared independent of the Snowden materials.

Cryptologist and security expert Bruce Schneier (who has seen the documents released to journalists by Snowden) concurred with Doctorow's conclusion.

And, since Cory said it, I do not believe that this came from the Snowden documents. I also don't believe the TAO catalog came from the Snowden documents. I think there's a second leaker out there.

The TAO catalog was originally revealed by Der Spiegel with reporting by (again) Jacob Appelbaum and Greenwald/Snowden partner Laura Poitras. Nothing in the story explicitly states its origin, although the inclusion of Poitras at least suggests the documents can be traced back to Snowden's stash.

Glenn Greenwald, however, offered his agreement with Schneier's take here:

Seems clear at this point RT @ageis @vruz Bruce Schneier: "I think there's a second [NSA] leaker out there." https://t.co/0iCULZWf0L — Glenn Greenwald (@ggreenwald) July 4, 2014

If so, then that's two people who have seen Snowden's documents, including one with ongoing access, claiming there's a second leaker. And if so, the NSA's problem, instead of gradually disappearing from the public eye, will become more severe. Coupled with the recent leak published by the Washington Post, which shows the agency harvests and stores plenty of unminimized non-terrorist communications with its 702 collections (the same collection the Privacy and Civil Liberties Oversight Board recently found to be more law-abiding and less Constitutionally unsound than the bulk metadata program), the agency now looks worse than ever. It was completely unprepared for the Snowden revelations, but at least by this point, it has a general feel for the leak release process. Now, it possibly has another leaker offering new data and info to journalists, one which is a totally unknown quantity.

At this point, all anyone has is speculation. If there's another leaker, it's doubtful he or she will make his/her identity known any time soon. Snowden revealed himself as a leaker and that hasn't exactly worked out well for him.

But there's also some indications that this snippet of code came from Snowden's leaks. Errata Security (the group of bloggers that exposed the fakery behind NBC's pre-Winter Olympics "report" that all visitors to Sochi would be instantly hacked) has done its own fisking of the code snippet and come to the following conclusions.

1. The signatures are old (2011 to 2012), so it fits within the Snowden timeframe, and is unlikely to be a recent leak.

2. The code is weird, as if they are snippets combined from training manuals rather than operational code. That would mean it is “fake”.

3. The story makes claims about the source that are verifiably false, leading us to believe that they may have falsified the origin of this source code.

4. The code is so domain specific that it probably is, in some fashion, related to real XKeyScore code – if fake, it's not completely so.

Errata Security notes some of the oddities of the code, pointing out that it looks more like something pulled from a training exercise or manual rather than directly from XKeyscore itself. More investigation by Errata Security and The Grugq (another security expert) apparently uncovered the fact that the text was pulled from a document (pdf, docx, etc.) rather than an actual source file. But the aspect that seems to indicate this is part of Snowden's stash is the timeline.

As this post to the Tor developer mailing list describes, the signatures in the code are old. The earliest date this file can be valid is 2011-08-08, when the Linux journal reported on TAILS. The latest date might be 2012-09-21, just before a new server was added to Tor that isn't in the XKeyScore list. Since this is shortly before Snowden first tried to contact Greenwald, the dates sync up.

If the code is unrecognizable by those who've had access to the documents, that's probably due to it being compiled from various pages and mocked up into a short code excerpt. Rob Graham at Errata Security doesn't feel it's necessarily fake, but believes the origin of the quoted source code may have been obscured -- hence, no citation of Snowden's leaks or any acknowledgment of existing NSA files.

Of course, this could mean another leaker is simply hiding behind Snowden, and has pulled files roughly in the same date range in order to deliver new leaks in order to remain undetected. If there is another leaker, my guess is he/she will be discovered rather than coming out publicly.

New leaker or no, the one-two punch of published leaks by Jacob Appelbaum and Barton Gellman (of the Washington Post) shows that the NSA is doing everything it's been accused of -- namely, hoovering up and holding onto incidental communications (even those originating from "untargeted" American citizens) and viewing anyone with even a passing interest in anonymity or encryption as "suspicious."

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: leaker, nsa, source code, surveillance, training manuals, xkeyscore

21 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Ninja (profile), 7 Jul 2014 @ 9:58am

Aha, another leaker would be awesome for a variety of reasons. Mostly because it would shift the focus from Snowden's personality/character/whatever. It's much, much harder to demonize more than one leaker.
[ link to this | view in chronology ]
- sorrykb (profile), 7 Jul 2014 @ 10:16am
  
  Re:
  It's much, much harder to demonize more than one leaker.
  
  If it turns out there's more than one leaker, the NSA defenders might have to abandon the "egotistical loner" personal attacks on Snowden.
  
  Then again, they'd probably declare it to be proof of a vast conspiracy of enemy agents among us and justification for more NSA spying on everyone. /pessimism
  [ link to this | view in chronology ]
- GM, 12 Jul 2014 @ 8:40pm
  
  Re:
  It's even more difficult to demonize an anonymous one.
  [ link to this | view in chronology ]
Anonymous Coward, 7 Jul 2014 @ 10:37am

If NSA cannot keep tabs on their own staff, what hope have they of keeping tabs on real bad guys?
[ link to this | view in chronology ]
- Uriel-238 (profile), 7 Jul 2014 @ 11:01am
  
  I think it comes with oversized bureaus.
  We've been asking that very question for a while now.
  
  As a Sinister Guild of Evil, the NSA seems to suffer from that most common of maledictions, incompetent minions.
  
  Not incompetent in the classic bumbling nincompoop sort of way, but certainly so terrified about covering their own asses that they have little time to do much else.
  [ link to this | view in chronology ]
- Anonymous Coward, 7 Jul 2014 @ 8:27pm
  
  Re:
  If they could keep tabs on their own staff, they would be.
  [ link to this | view in chronology ]
  - That One Guy (profile), 7 Jul 2014 @ 8:53pm
    
    No they wouldn't
    Being able to keep tabs on what their staff is doing would create a paper-trail, something that could be used to show just what exactly they've been doing/ordering done.
    
    Given how utterly averse they are to anyone knowing the details of what they're doing, it makes sense from their point of view to structure things so that no such record of their activity exists, so they can always respond to any requests for information with 'No such document exists or can be found.'
    [ link to this | view in chronology ]
- Anonymous Coward, 7 Jul 2014 @ 8:37pm
  
  Re:
  That is a bit of a tautology given that they are one and the same.
  [ link to this | view in chronology ]
beech, 7 Jul 2014 @ 10:40am

"I think there's a second leaker out there."

...shuuuuut uuuuuup!
[ link to this | view in chronology ]
Anonymous Coward, 7 Jul 2014 @ 10:52am

what's different here is that if there is a new source, that new source is almost surely still working at the facility, and that means recent crimes may make it into the discussion whenever that source feels safe to not completely hide within snowden's contrail.

i say if.
[ link to this | view in chronology ]
Uriel-238 (profile), 7 Jul 2014 @ 10:56am

The single whistle theory.
On the other hand Snowden's (unintentional) cult of personality can serve to protect the presence of other sources if it remains plausible that leaks could have come from Snowden.

I even suspect that's a fall he's willing to take at this point.

As of this posting I have not received a US National Security Letter or any classified gag order from an agent of the United States
This post does not contain an encrypted secret message
Monday, July 07, 2014 10:54:03 AM
stretcher picnic Russia license cot flag toothpick x-ray
[ link to this | view in chronology ]
Anonymous Coward, 7 Jul 2014 @ 10:58am

there's a sort of dark irony to this all.

it's as if these reporters don't really care about the underling issue, rather just the newsworthiness of a scoop, regardless of consequence.

I'm with beech above- stfu about it.
[ link to this | view in chronology ]
- Beech, 7 Jul 2014 @ 1:39pm
  
  Re:
  i mainly want everyone to shut up about it because if the NSA hasn't found out there's a second leaker yet, we shouldn't be helping them. let them keep thinking its snowden and hopefully the second guy's (if he exists) life wont be ruined.
  [ link to this | view in chronology ]
Nathan Brathahn (profile), 7 Jul 2014 @ 11:11am

Only 1%
If only 1% of the 60.000 NSA employees got a conscience, it would result in 600 possible leakers/whistleblowers.
[ link to this | view in chronology ]
- Anonymous Coward, 7 Jul 2014 @ 11:39am
  
  Re: Only 1%
  Except you have to couple that conscience with the courage to butt heads with a federal government that is willing to destroy your life rather than admit any wrongdoing...
  
  It's a tall order for most people.
  [ link to this | view in chronology ]
  - Uriel-238 (profile), 7 Jul 2014 @ 12:03pm
    
    Re: Re: Only 1%
    Conspiracies to kill Hitler had the same problem.
    
    And then ol' Adolph had a winning lucky streak at dodging bullets, even through the July 20 Plot.
    
    I only hope that we don't have to wait for all the natural consequences to happen (the proverbial Allies reaching Berlin) before we see the surveillance state dismantled.
    [ link to this | view in chronology ]
    - Anonymous Coward, 8 Jul 2014 @ 6:01am
      
      Re: Re: Re: Only 1%
      That was because of Hitler's Time Travel Exemption Act.
      [ link to this | view in chronology ]
TestPilotDummy, 8 Jul 2014 @ 9:45am

No Surprise there if true
After all,

* Security Clearance Process is so Strict.
* The Borders are So Secure
* No Dual Citizens hold Office or can access Classified Data, Vaults or Comms
* No other nations are spying
* All electronics have their 1's and 0's (3VDC-5VDC) audited and monitored, by top secret security feature and won't work right (e.g. 0VDC), when your intent is to Whistleblow
[ link to this | view in chronology ]
GEMont (profile), 9 Jul 2014 @ 7:57am

Just a thought.
If the NSA wanted to get the public on their side about Snowden being a dangerous nasty spy who has harmed national security ( a federal wet-dream ), it could easily produce a fake secondary leak that appeared to be from Snowden's cache, but which eventually disclosed far more sensitive information that could be pointed to as harming national security and be presented by the Truth Free Press as having "probably" come from Snowden's cache of documents.

And as we have seen in the past on numerous occasions, the NSA and other federal agencies are 100% OK with disclosing truly sensitive National Security information that actually harms national security and/or endangers field operatives, as long as it can be used to fool the public into believing what they want it to believe.

Just a thought.

---
[ link to this | view in chronology ]
Anonymous Coward, 12 Jul 2014 @ 11:41am

What if the NSA itself leaked the source code?
[ link to this | view in chronology ]
XXXMADAM (profile), 30 Oct 2014 @ 9:22am

FBI/CIA PIMPS
POLITICAL SEXTORTIONS VIA ESCORT SERVICES

https://sites.google.com/site/ciapimps/home
[ link to this | view in chronology ]