NSA's XKeyscore Source Code Leaked! Shows Tor Users Classified As 'Extremists'

from the peeling-away-the-layers dept

We learnt about the NSA’s XKeyscore program a year ago, and about its incredibly wide reach. But now the German TV stations NDR and WDR claim to have excerpts from its source code. We already knew that the NSA and GCHQ have been targeting Tor and its users, but the latest leak reveals some details about which Tor exit nodes were selected for surveillance — including at least one in Germany, which is likely to increase public anger there. It also shows that Tor users are explicitly regarded as “extremists” (original in German, pointed out to us by @liese_mueller):

The source code contains both technical instructions and comments from the developers that provide an insight into the mind of the NSA. Thus, all users of such programs are equated with “extremists”.

Such is the concern about Tor that even visitors to Tor sites — whether or not they use the program — have their details recorded:

not only long-term users of this encryption software become targets for the [US] secret service. Anyone who wants to visit the official Tor Web site simply for information is highlighted.

The source code also gives the lie to the oft-repeated claim that only metadata, not content, is gathered:

With the source code can be proven beyond reasonable doubt for the first time that the NSA is reading not only so-called metadata, that is, connection data. If emails are sent using the Tor network, then programming code shows that the contents — the so-called email-body — are evaluated and stored.

As well as all this interesting information, what’s important here is that it suggests the source of this leak — presumably Edward Snowden, although the German news report does not name him — copied not just NSA documents, but source code too. As in the present case, that is likely to provide a level of detail that goes well beyond descriptive texts.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: , , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “NSA's XKeyscore Source Code Leaked! Shows Tor Users Classified As 'Extremists'”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: I've got you all beat

Not only do I run a Tor relay, but I’ve written open source code that uses encryption and I’ve posted anonymous comments that make fun of the NSA. To add icing to the cake, one time, I had a missed call on my cell phone and it had a country code of Egypt on it.

So I’m sure I’m now considered a valid selector by the NSA. And thanks to Obama’s two hop rule, by downloading this comment you are now a valid target to have all your email downloaded, read, processed and saved for later use by the government as they see fit.

TtfnJohn (profile) says:

Re: Re:

I’ve been in rooms in church basements full, just packed, with extremists!! These are Alcoholics Anonymous where some newbies take the Anonymity clause to ridiculous extremes and so use Tor as their way of maintaining their anonymity while on line! Though they’ll stay members pf Facebook! Which we all know is just packed with extremists!

Jack says:

Re: Re:

Well, if they are just targeting exit nodes and don’t have both your entry and exit nodes compromised, as long as you aren’t using any personally identifying information (obvious ones like name and address, and non-obvious ones like user-agent, headers, and cookies) you are still fine and anonymous. They can see what you are doing, but not who you are.

As long as you are careful about how you are using TOR, it is still safe. That is until the NSA has all 3 of your nodes compromised…

A big caveat for the NSA though – while they may be able to compromise a few nodes here and there or set up a bunch of fake nodes, it is such a big network that it would be very unlikely to have both your entry and exit node at the same time. Plus, you can simply change your route through the TOR network with a single click, which should be done often anyway. 5 or 10 years from now, who knows…

Always treat TOR like you are being monitored and are already compromised. Switch routes frequently, never use the same user-agent, always rotate through names/accounts, never allow JS and always make sure cookies are cleared out and sessions are closed after every single use.

Plus, you can always use proxy-chains and go through a VPN before entering TOR – it doesn’t slow you down at all since TOR is always slower than a VPN.

Ruben says:

Re: Re:

Tor all by itself doesn’t really help that much from a security standpoint.

Tor on windows borders on futile. You can be exploited so many other ways.

The only way to approach security(if you really care) is holistically. Start with a secure OS from a trusted source, and build up from there. The tails project is a good way to achieve this without too much effort.

Anonymous Coward says:

Re: Re: GitHub, anyone?

I fixed that inefficient code for you, this will do what you want.. ()

bool isExtremist(std::string name) {

return true;

( efficiency is important here after all, we can’t waste processor cycles when we’re processing everyone on the darned planet and in orbit around it, and we have built in capability for processing non-earth aliens by not using human characteristics as determinants)

Anonymous Coward says:

Re: Re:

Nowhere does it say that this leak came from Snowden. It’s possible. But it’s just as likely that someone else has stepped up and leaked this in the wake of all that has happened. Still we can expect to see Roger’s shooting his mouth off with all kinds of unsubstantiated allegations this weekend.

Anonymous Coward says:

Re: Re: Re: Re:

  1. I don’t think it’s much of a stretch to that someone else might leak information right now considering… 1. Anyone choosing to leak now knows that there are plenty of people out there that will support and try to protect them and 2. the public is paying attention these sorts of things and 3. they have practically been given a road map with step by step instructions for doing it successfully.

    2. I didn’t really mean to divert your pun torrent either.

Keyboard-Rider says:

Suggestion for a secure PC & Internet in times of surveillance scandal

• Operating system: https://tails.boum.org/ (used by Snowden; free software, which tunnels all internet traffic automatically through the TOR network, and which surface can look like the surface of Windows 8 or XP)
• + https://freenetproject.org (most secure anonymous filesharing software, which exists so far)

Regarding software the most important thing is to use a secure operation system; it’s the fundament for everything, which you do with a PC regarding software. So it’s a weakness, if on the one hand one relies on programs like the freenet project or TOR, but on the other hand does so on foundation of windows, which has a direct wire to the NSA.

Anonymous Coward says:

Re: Suggestion for a secure PC & Internet in times of surveillance scandal

Heads up. There hasn’t been a version of Tails yet that doesn’t phone home in some manner. In the beginning, their justification for the behavior was to “count” Tails users. Now, many versions down the line, it’s automatically “checking for updates”. You cannot defeat this with any setting, although you could certainly hex-edit the executable, and burn a new iso (recommended).

This inexorable connection to boum.org, in and of itself, is a red-flag pointing to Tails usage.

Anonymous Coward says:

Re: Whatever is an extremist

Was going to post this, but someone beat me to the punch.

Obviously Whatever is fine with it, because all copyright/NSA fanboys are masochists by nature. How else could they loudly and proudly claim more copyright extensions and surveillance betters culture and society, while still keeping a poker face?

Anonymous Coward says:

I am an extremist

time to behave like one!

Waihopai, INFOSEC, Information Security, Information Warfare, IW, IS, Priavacy, Information Terrorism, Terrorism Defensive Information, Defense Information Warfare, Offensive Information, Offensive Information Warfare, National Information Infrastructure, InfoSec, Reno, Compsec, Computer Terrorism, Firewalls, Secure Internet Connections, ISS, Passwords, DefCon V, Hackers, Encryption, Espionage, USDOJ, NSA, CIA, S/Key, SSL, FBI, Secert Service, USSS, Defcon, Military, White House, Undercover, NCCS, Mayfly, PGP, PEM, RSA, Perl-RSA, MSNBC, bet, AOL, AOL TOS, CIS, CBOT, AIMSX, STARLAN, 3B2, BITNET, COSMOS, DATTA, E911, FCIC, HTCIA, IACIS, UT/RUS, JANET, JICC, ReMOB, LEETAC, UTU, VNET, BRLO, BZ, CANSLO, CBNRC, CIDA, JAVA, Active X, Compsec 97, LLC, DERA, Mavricks, Meta-hackers, ^?, Steve Case, Tools, Telex, Military Intelligence, Scully, Flame, Infowar, Bubba, Freeh, Archives, Sundevil, jack, Investigation, ISACA, NCSA, spook words, Verisign, Secure, ASIO, Lebed, ICE, NRO, Lexis-Nexis, NSCT, SCIF, FLiR, Lacrosse, Flashbangs, HRT, DIA, USCOI, CID, BOP, FINCEN, FLETC, NIJ, ACC, AFSPC, BMDO, NAVWAN, NRL, RL, NAVWCWPNS, NSWC, USAFA, AHPCRC, ARPA, LABLINK, USACIL, USCG, NRC, ~, CDC, DOE, FMS, HPCC, NTIS, SEL, USCODE, CISE, SIRC, CIM, ISN, DJC, SGC, UNCPCJ, CFC, DREO, CDA, DRA, SHAPE, SACLANT, BECCA, DCJFTF, HALO, HAHO, FKS, 868, GCHQ, DITSA, SORT, AMEMB, NSG, HIC, EDI, SAS, SBS, UDT, GOE, DOE, GEO, Masuda, Forte, AT, GIGN, Exon Shell, CQB, CONUS, CTU, RCMP, GRU, SASR, GSG-9, 22nd SAS, GEOS, EADA, BBE, STEP, Echelon, Dictionary, MD2, MD4, MDA, MYK, 747,777, 767, MI5, 737, MI6, 757, Kh-11, Shayet-13, SADMS, Spetznaz, Recce, 707, CIO, NOCS, Halcon, Duress, RAID, Psyops, grom, D-11, SERT, VIP, ARC, S.E.T. Team, MP5k, DREC, DEVGRP, DF, DSD, FDM, GRU, LRTS, SIGDEV, NACSI, PSAC, PTT, RFI, SIGDASYS, TDM. SUKLO, SUSLO, TELINT, TEXTA. ELF, LF, MF, VHF, UHF, SHF, SASP, WANK, Colonel, domestic disruption, smuggle, 15kg, nitrate, Pretoria, M-14, enigma, Bletchley Park, Clandestine, nkvd, argus, afsatcom, CQB, NVD, Counter Terrorism Security, Rapid Reaction, Corporate Security, Police, sniper, PPS, ASIS, ASLET, TSCM, Security Consulting, High Security, Security Evaluation, Electronic Surveillance, MI-17, Counterterrorism, spies, eavesdropping, debugging, interception, COCOT, rhost, rhosts, SETA, Amherst, Broadside, Capricorn, Gamma, Gorizont, Guppy, Ionosphere, Mole, Keyhole, Kilderkin, Artichoke, Badger, Cornflower, Daisy, Egret, Iris, Hollyhock, Jasmine, Juile, Vinnell, B.D.M.,Sphinx, Stephanie, Reflection, Spoke, Talent, Trump, FX, FXR, IMF, POCSAG, Covert Video, Intiso, r00t, lock picking, Beyond Hope, csystems, passwd, 2600 Magazine, Competitor, EO, Chan, Alouette,executive, Event Security, Mace, Cap-Stun, stakeout, ninja, ASIS, ISA, EOD, Oscor, Merlin, NTT, SL-1, Rolm, TIE, Tie-fighter, PBX, SLI, NTT, MSCJ, MIT, 69, RIT, Time, MSEE, Cable & Wireless, CSE, Embassy, ETA, Porno, Fax, finks, Fax encryption, white noise, pink noise, CRA, M.P.R.I., top secret, Mossberg, 50BMG, Macintosh Security, Macintosh Internet Security, Macintosh Firewalls, Unix Security, VIP Protection, SIG, sweep, Medco, TRD, TDR, sweeping, TELINT, Audiotel, Harvard, 1080H, SWS, Asset, Satellite imagery, force, Cypherpunks, Coderpunks, TRW, remailers, replay, redheads, RX-7, explicit, FLAME, Pornstars, AVN, Playboy, Anonymous, Sex, chaining, codes, Nuclear, 20, subversives, SLIP, toad, fish, data havens, unix, c, a, b, d, the, Elvis, quiche, DES, 1*, NATIA, NATOA, sneakers, counterintelligence, industrial espionage, PI, TSCI, industrial intelligence, H.N.P., Juiliett Class Submarine, Locks, loch, Ingram Mac-10, sigvoice, ssa, E.O.D., SEMTEX, penrep, racal, OTP, OSS, Blowpipe, CCS, GSA, Kilo Class, squib, primacord, RSP, Becker, Nerd, fangs, Austin, Comirex, GPMG, Speakeasy, humint, GEODSS, SORO, M5, ANC, zone, SBI, DSS, S.A.I.C., Minox, Keyhole, SAR, Rand Corporation, Wackenhutt, EO, Wackendude, mol, Hillal, GGL, CTU, botux, Virii, CCC, Blacklisted 411, Internet Underground, XS4ALL, Retinal Fetish, Fetish, Yobie, CTP, CATO, Phon-e, Chicago Posse, l0ck, spook keywords, PLA, TDYC, W3, CUD, CdC, Weekly World News, Zen, World Domination, Dead, GRU, M72750, Salsa, 7, Blowfish, Gorelick, Glock, Ft. Meade, press-release, Indigo, wire transfer, e-cash, Bubba the Love Sponge, Digicash, zip, SWAT, Ortega, PPP, crypto-anarchy, AT&T, SGI, SUN, MCI, Blacknet, Middleman, KLM, Blackbird, plutonium, Texas, jihad, SDI, Uzi, Fort Meade, supercomputer, bullion, 3, Blackmednet, Propaganda, ABC, Satellite phones, Planet-1, cryptanalysis, nuclear, FBI, Panama, fissionable, Sears Tower, NORAD, Delta Force, SEAL, virtual, Dolch, secure shell, screws, Black-Ops, Area51, SABC, basement, data-haven, black-bag, TEMPSET, Goodwin, rebels, ID, MD5, IDEA, garbage, market, beef, Stego, unclassified, utopia, orthodox, Alica, SHA, Global, gorilla, Bob, Pseudonyms, MITM, Gray Data, VLSI, mega, Leitrim, Yakima, Sugar Grove, Cowboy, Gist, 8182, Gatt, Platform, 1911, Geraldton, UKUSA, veggie, 3848, Morwenstow, Consul, Oratory, Pine Gap, Menwith, Mantis, DSD, BVD, 1984, Flintlock, cybercash, government, hate, speedbump, illuminati, president, freedom, cocaine, $, Roswell, ESN, COS, E.T., credit card, b9, fraud, assasinate, virus, anarchy, rogue, mailbomb, 888, Chelsea, 1997, Whitewater, MOD, York, plutonium, William Gates, clone, BATF, SGDN, Nike, Atlas, Delta, TWA, Kiwi, PGP 2.6.2., PGP 5.0i, PGP 5.1, siliconpimp, Lynch, 414, Face, Pixar, IRIDF, eternity server, Skytel, Yukon, Templeton, LUK, Cohiba, Soros, Standford, niche, 51, H&K, USP, ^, sardine, bank, EUB, USP, PCS, NRO, Red Cell, Glock 26, snuffle, Patel, package, ISI, INR, INS, IRS, GRU, RUOP, GSS, NSP, SRI, Ronco, Armani, BOSS, Chobetsu, FBIS, BND, SISDE, FSB, BfV, IB, froglegs, JITEM, SADF, advise, TUSA, HoHoCon, SISMI, FIS, MSW, Spyderco, UOP, SSCI, NIMA, MOIS, SVR, SIN, advisors, SAP, OAU, PFS, Aladdin, chameleon man, Hutsul, CESID, Bess, rail gun, Peering, 17, 312, NB, CBM, CTP, Sardine, SBIRS, SGDN, ADIU, DEADBEEF, IDP, IDF, Halibut, SONANGOL, Flu, &, Loin, PGP 5.53, EG&G, AIEWS, AMW, WORM, MP5K-SD, 1071, WINGS, cdi, DynCorp, UXO, Ti, THAAD, package, chosen, PRIME, SURVIAC

Jeff (profile) says:

Kafka called...

The unbelievable irony of the NSA calling Tor users ‘extremists’ – the USG provides 80% of the funding for Tor(1)… so does that make the rest of the Gov’t extremists too?

Fowler, Geoffrey A. (17 December 2012). Tor: An Anonymous, And Controversial, Way to Web-Surf. Wall Street Journal. Retrieved 3 July 2014

Padpaw (profile) says:

Under the enemy expatriation act ( H.R. 3166 and S. 1698)the US government can strip a US citizen of their citizenship and their rights if they are classified as a terrorist.

So what makes a citizen a terrorist, anything and everything these days.

If you visit sites that preach dissent against any form of government misconduct congrats your a terrorist. If you protest anything peaceful or violent, your a terrorist. If you question your government over anything again your labelled a terrorist.

Just look at the NDA to see extreme examples of how “national security” trumps the constitution.

Peter says:



this is not the xkeyscore code. everyone who works with this kind of data knows, this is only a selector for something but nothing more.

do you realy believe the sourcecode for xkeyscore is somewhere on the table ? even, this short piece of code is never ever “The xkeyscore sourcecode”.

over and out

Coyne Tibbets (profile) says:

Not just interested in encryption...

So let’s see…the news articles claim the NSA is interested in people who are interested in encryption or Tor.

Well, according to the code snippet at NSA Targets the Privacy-Conscious for Surveillance, it goes just a bit beyond that…

In fact, NSA captures every web search containing one of these words: “linux”, “USB”, “CD”, “IRC” (Internet Relay Chat). They also capture anyone who goes to any article whatsoever that begins with “http://linuxjournal.com/content/linux”. Does that sound like “interested in encryption” to you?

This fits right in with my ideas of the NSA: When they claim they want x, they just capture everything and keep it all. If challenged, they say something like, “No, really, we were only interested in ‘x’.”

Should we believe that? When, in this case, they capture every web search that contains the words above, whether it involves encryption or not?

Coyne Tibbets (profile) says:

Re: Not just interested in encryption...

Sigh. I read the code wrong, with respect to the words list. The words must appear in combination with either the word “tails” or term “Amnesiac Incognito Live System”. So it’s not quite as sensitive to the words as I believed.

It is sensitive to all the linuxjournal.com articles matching the lead-in, though.

abbadabba says:


HAY! I never used this tor before. My bro says it’s for downloading stuff without paying for it. So I bet the bums in corporatism are behind this. Imagine how many people they will send to jail for just being cheap bastards who can’t wait for it to come out on Netflix.

Isn’t Germany where NewsCorp found someone to make code to help folks download card codes for their competitors’ TV satellite services? So that’s sort of like tor, passing around the pirated shite, but hoping it kills the competition at the same time.

Did you catch that criminal activity, NSA? Have you redeployed it?

abbadabba says:

Germany is perfectly placed to pie face the Five Eyes.

David Cameron’s email in Rebekah Brooks’ BlackBerry was reported to the Leveson court to have lost its content after spending three weeks in police custody. The other email had text, so my bet is that’s David’s Tempora file well passed it’s sellbuy date, gone meta after 30 days. Who’s the Rose Mary Woods this time? Home Secretary. GCHQ, you silly beans.

Give Cameron what he deserves, a big BlackBerry Pie in the facebook, Germany! Your pastry is vastly superior to his.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...