Does The XKeyscore Source Code Leak Point To Another NSA Leaker?

from the new-goal:-a-leaker-a-year-for-the-next-decade! dept

The recent leak of the XKeyscore source code has raised an interesting question. Is there a second leaker? The report written by Jacob Appelbaum and others for DasErste.de detailed the NSA’s targeting of Tor users (and even those who just read about Tor) and the harvesting of their communications, but very explicitly did not state that Snowden was the source of this code snippet.

Others noticed this lack of attribution and commented on it. Cory Doctorow at Boing Boing apparently received confirmation that this particular leak was not from Snowden’s trove of documents.

Another expert said that s/he believed that this leak may come from a second source, not Edward Snowden, as s/he had not seen this in the original Snowden docs; and had seen other revelations that also appeared independent of the Snowden materials.

Cryptologist and security expert Bruce Schneier (who has seen the documents released to journalists by Snowden) concurred with Doctorow’s conclusion.

And, since Cory said it, I do not believe that this came from the Snowden documents. I also don’t believe the TAO catalog came from the Snowden documents. I think there’s a second leaker out there.

The TAO catalog was originally revealed by Der Spiegel with reporting by (again) Jacob Appelbaum and Greenwald/Snowden partner Laura Poitras. Nothing in the story explicitly states its origin, although the inclusion of Poitras at least suggests the documents can be traced back to Snowden’s stash.

Glenn Greenwald, however, offered his agreement with Schneier’s take here:

If so, then that’s two people who have seen Snowden’s documents, including one with ongoing access, claiming there’s a second leaker. And if so, the NSA’s problem, instead of gradually disappearing from the public eye, will become more severe. Coupled with the recent leak published by the Washington Post, which shows the agency harvests and stores plenty of unminimized non-terrorist communications with its 702 collections (the same collection the Privacy and Civil Liberties Oversight Board recently found to be more law-abiding and less Constitutionally unsound than the bulk metadata program), the agency now looks worse than ever. It was completely unprepared for the Snowden revelations, but at least by this point, it has a general feel for the leak release process. Now, it possibly has another leaker offering new data and info to journalists, one which is a totally unknown quantity.

At this point, all anyone has is speculation. If there’s another leaker, it’s doubtful he or she will make his/her identity known any time soon. Snowden revealed himself as a leaker and that hasn’t exactly worked out well for him.

But there’s also some indications that this snippet of code came from Snowden’s leaks. Errata Security (the group of bloggers that exposed the fakery behind NBC’s pre-Winter Olympics “report” that all visitors to Sochi would be instantly hacked) has done its own fisking of the code snippet and come to the following conclusions.

1. The signatures are old (2011 to 2012), so it fits within the Snowden timeframe, and is unlikely to be a recent leak.

2. The code is weird, as if they are snippets combined from training manuals rather than operational code. That would mean it is “fake”.

3. The story makes claims about the source that are verifiably false, leading us to believe that they may have falsified the origin of this source code.

4. The code is so domain specific that it probably is, in some fashion, related to real XKeyScore code – if fake, it’s not completely so.

Errata Security notes some of the oddities of the code, pointing out that it looks more like something pulled from a training exercise or manual rather than directly from XKeyscore itself. More investigation by Errata Security and The Grugq (another security expert) apparently uncovered the fact that the text was pulled from a document (pdf, docx, etc.) rather than an actual source file. But the aspect that seems to indicate this is part of Snowden’s stash is the timeline.

As this post to the Tor developer mailing list describes, the signatures in the code are old. The earliest date this file can be valid is 2011-08-08, when the Linux journal reported on TAILS. The latest date might be 2012-09-21, just before a new server was added to Tor that isn’t in the XKeyScore list. Since this is shortly before Snowden first tried to contact Greenwald, the dates sync up.

If the code is unrecognizable by those who’ve had access to the documents, that’s probably due to it being compiled from various pages and mocked up into a short code excerpt. Rob Graham at Errata Security doesn’t feel it’s necessarily fake, but believes the origin of the quoted source code may have been obscured — hence, no citation of Snowden’s leaks or any acknowledgment of existing NSA files.

Of course, this could mean another leaker is simply hiding behind Snowden, and has pulled files roughly in the same date range in order to deliver new leaks in order to remain undetected. If there is another leaker, my guess is he/she will be discovered rather than coming out publicly.

New leaker or no, the one-two punch of published leaks by Jacob Appelbaum and Barton Gellman (of the Washington Post) shows that the NSA is doing everything it’s been accused of — namely, hoovering up and holding onto incidental communications (even those originating from “untargeted” American citizens) and viewing anyone with even a passing interest in anonymity or encryption as “suspicious.”

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Does The XKeyscore Source Code Leak Point To Another NSA Leaker?”

Subscribe: RSS Leave a comment
21 Comments
sorrykb (profile) says:

Re: Re:

It’s much, much harder to demonize more than one leaker.

If it turns out there’s more than one leaker, the NSA defenders might have to abandon the “egotistical loner” personal attacks on Snowden.

Then again, they’d probably declare it to be proof of a vast conspiracy of enemy agents among us and justification for more NSA spying on everyone. /pessimism

Uriel-238 (profile) says:

Re: I think it comes with oversized bureaus.

We’ve been asking that very question for a while now.

As a Sinister Guild of Evil, the NSA seems to suffer from that most common of maledictions, incompetent minions.

Not incompetent in the classic bumbling nincompoop sort of way, but certainly so terrified about covering their own asses that they have little time to do much else.

That One Guy (profile) says:

Re: Re: No they wouldn't

Being able to keep tabs on what their staff is doing would create a paper-trail, something that could be used to show just what exactly they’ve been doing/ordering done.

Given how utterly averse they are to anyone knowing the details of what they’re doing, it makes sense from their point of view to structure things so that no such record of their activity exists, so they can always respond to any requests for information with ‘No such document exists or can be found.’

Uriel-238 (profile) says:

The single whistle theory.

On the other hand Snowden’s (unintentional) cult of personality can serve to protect the presence of other sources if it remains plausible that leaks could have come from Snowden.

I even suspect that’s a fall he’s willing to take at this point.


As of this posting I have not received a US National Security Letter or any classified gag order from an agent of the United States
This post does not contain an encrypted secret message
Monday, July 07, 2014 10:54:03 AM
stretcher picnic Russia license cot flag toothpick x-ray

Uriel-238 (profile) says:

Re: Re: Only 1%

Conspiracies to kill Hitler had the same problem.

And then ol’ Adolph had a winning lucky streak at dodging bullets, even through the July 20 Plot.

I only hope that we don’t have to wait for all the natural consequences to happen (the proverbial Allies reaching Berlin) before we see the surveillance state dismantled.

TestPilotDummy says:

No Surprise there if true

After all,

* Security Clearance Process is so Strict.
* The Borders are So Secure
* No Dual Citizens hold Office or can access Classified Data, Vaults or Comms
* No other nations are spying
* All electronics have their 1’s and 0’s (3VDC-5VDC) audited and monitored, by top secret security feature and won’t work right (e.g. 0VDC), when your intent is to Whistleblow

GEMont (profile) says:

Just a thought.

If the NSA wanted to get the public on their side about Snowden being a dangerous nasty spy who has harmed national security ( a federal wet-dream ), it could easily produce a fake secondary leak that appeared to be from Snowden’s cache, but which eventually disclosed far more sensitive information that could be pointed to as harming national security and be presented by the Truth Free Press as having “probably” come from Snowden’s cache of documents.

And as we have seen in the past on numerous occasions, the NSA and other federal agencies are 100% OK with disclosing truly sensitive National Security information that actually harms national security and/or endangers field operatives, as long as it can be used to fool the public into believing what they want it to believe.

Just a thought.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...