Does The XKeyscore Source Code Leak Point To Another NSA Leaker?

from the new-goal:-a-leaker-a-year-for-the-next-decade! dept

The recent leak of the XKeyscore source code has raised an interesting question. Is there a second leaker? The report written by Jacob Appelbaum and others for detailed the NSA's targeting of Tor users (and even those who just read about Tor) and the harvesting of their communications, but very explicitly did not state that Snowden was the source of this code snippet.

Others noticed this lack of attribution and commented on it. Cory Doctorow at Boing Boing apparently received confirmation that this particular leak was not from Snowden's trove of documents.

"Another expert said that s/he believed that this leak may come from a second source, not Edward Snowden, as s/he had not seen this in the original Snowden docs; and had seen other revelations that also appeared independent of the Snowden materials."

Cryptologist and security expert Bruce Schneier (who has seen the documents released to journalists by Snowden) concurred with Doctorow's conclusion.

"And, since Cory said it, I do not believe that this came from the Snowden documents. I also don't believe the TAO catalog came from the Snowden documents. I think there's a second leaker out there."

The TAO catalog was originally revealed by Der Spiegel with reporting by (again) Jacob Appelbaum and Greenwald/Snowden partner Laura Poitras. Nothing in the story explicitly states its origin, although the inclusion of Poitras at least suggests the documents can be traced back to Snowden's stash.

Glenn Greenwald, however, offered his agreement with Schneier's take here:
If so, then that's two people who have seen Snowden's documents, including one with ongoing access, claiming there's a second leaker. And if so, the NSA's problem, instead of gradually disappearing from the public eye, will become more severe. Coupled with the recent leak published by the Washington Post, which shows the agency harvests and stores plenty of unminimized non-terrorist communications with its 702 collections (the same collection the Privacy and Civil Liberties Oversight Board recently found to be more law-abiding and less Constitutionally unsound than the bulk metadata program), the agency now looks worse than ever. It was completely unprepared for the Snowden revelations, but at least by this point, it has a general feel for the leak release process. Now, it possibly has another leaker offering new data and info to journalists, one which is a totally unknown quantity.

At this point, all anyone has is speculation. If there's another leaker, it's doubtful he or she will make his/her identity known any time soon. Snowden revealed himself as a leaker and that hasn't exactly worked out well for him.

But there are also some indications that this snippet of code came from Snowden's leaks. Errata Security (the group of bloggers that exposed the fakery behind NBC's pre-Winter Olympics "report" that all visitors to Sochi would be instantly hacked) has done its own fisking of the code snippet and come to the following conclusions.
1. The signatures are old (2011 to 2012), so it fits within the Snowden timeframe, and is unlikely to be a recent leak.

2. The code is weird, as if they are snippets combined from training manuals rather than operational code. That would mean it is “fake”.

3. The story makes claims about the source that are verifiably false, leading us to believe that they may have falsified the origin of this source code.

4. The code is so domain specific that it probably is, in some fashion, related to real XKeyScore code – if fake, it's not completely so.

Errata Security notes some of the oddities of the code, pointing out that it looks more like something pulled from a training exercise or manual rather than directly from XKeyscore itself. More investigation by Errata Security and The Grugq (another security expert) apparently uncovered the fact that the text was pulled from a document (pdf, docx, etc.) rather than an actual source file. But the aspect that seems to indicate this is part of Snowden's stash is the timeline.

"As this post to the Tor developer mailing list describes, the signatures in the code are old. The earliest date this file can be valid is 2011-08-08, when the Linux journal reported on TAILS. The latest date might be 2012-09-21, just before a new server was added to Tor that isn't in the XKeyScore list. Since this is shortly before Snowden first tried to contact Greenwald, the dates sync up."

If the code is unrecognizable by those who've had access to the documents, that's probably due to it being compiled from various pages and mocked up into a short code excerpt. Rob Graham at Errata Security doesn't feel it's necessarily fake, but believes the origin of the quoted source code may have been obscured -- hence, no citation of Snowden's leaks or any acknowledgment of existing NSA files.

Of course, this could mean another leaker is simply hiding behind Snowden, and has pulled files from roughly the same date range to deliver new leaks while remaining undetected. If there is another leaker, my guess is he/she will be discovered rather than coming out publicly.

New leaker or no, the one-two punch of published leaks by Jacob Appelbaum and Barton Gellman (of the Washington Post) shows that the NSA is doing everything it's been accused of -- namely, hoovering up and holding onto incidental communications (even those originating from "untargeted" American citizens) and viewing anyone with even a passing interest in anonymity or encryption as "suspicious."

Reader Comments

  1.
    Ninja, Jul 7th, 2014 @ 9:58am

    Aha, another leaker would be awesome for a variety of reasons. Mostly because it would shift the focus from Snowden's personality/character/whatever. It's much, much harder to demonize more than one leaker.

  2.
    sorrykb, Jul 7th, 2014 @ 10:16am


    It's much, much harder to demonize more than one leaker.

    If it turns out there's more than one leaker, the NSA defenders might have to abandon the "egotistical loner" personal attacks on Snowden.

    Then again, they'd probably declare it to be proof of a vast conspiracy of enemy agents among us and justification for more NSA spying on everyone. /pessimism

  3.
    Anonymous Coward, Jul 7th, 2014 @ 10:37am

    If NSA cannot keep tabs on their own staff, what hope have they of keeping tabs on real bad guys?

  4.
    beech, Jul 7th, 2014 @ 10:40am

    "I think there's a second leaker out there."

    ...shuuuuut uuuuuup!

  5.
    Anonymous Coward, Jul 7th, 2014 @ 10:52am

    what's different here is that if there is a new source, that new source is almost surely still working at the facility, and that means recent crimes may make it into the discussion whenever that source feels safe to not completely hide within snowden's contrail.

    i say if.

  6.
    Uriel-238, Jul 7th, 2014 @ 10:56am

    The single whistle theory.

    On the other hand Snowden's (unintentional) cult of personality can serve to protect the presence of other sources if it remains plausible that leaks could have come from Snowden.

    I even suspect that's a fall he's willing to take at this point.

    As of this posting I have not received a US National Security Letter or any classified gag order from an agent of the United States
    This post does not contain an encrypted secret message
    Monday, July 07, 2014 10:54:03 AM
    stretcher picnic Russia license cot flag toothpick x-ray

  7.
    Anonymous Coward, Jul 7th, 2014 @ 10:58am

    there's a sort of dark irony to this all.

    it's as if these reporters don't really care about the underlying issue, rather just the newsworthiness of a scoop, regardless of consequence.

    I'm with beech above- stfu about it.

  8.
    Uriel-238, Jul 7th, 2014 @ 11:01am

    I think it comes with oversized bureaus.

    We've been asking that very question for a while now.

    As a Sinister Guild of Evil, the NSA seems to suffer from that most common of maledictions, incompetent minions.

    Not incompetent in the classic bumbling nincompoop sort of way, but certainly so terrified about covering their own asses that they have little time to do much else.

  9.
    Nathan Brathahn, Jul 7th, 2014 @ 11:11am

    Only 1%

    If only 1% of the 60.000 NSA employees got a conscience, it would result in 600 possible leakers/whistleblowers.

  10.
    Anonymous Coward, Jul 7th, 2014 @ 11:39am

    Re: Only 1%

    Except you have to couple that conscience with the courage to butt heads with a federal government that is willing to destroy your life rather than admit any wrongdoing...

    It's a tall order for most people.

  11.
    Uriel-238, Jul 7th, 2014 @ 12:03pm

    Re: Re: Only 1%

    Conspiracies to kill Hitler had the same problem.

    And then ol' Adolf had a winning lucky streak at dodging bullets, even through the July 20 Plot.

    I only hope that we don't have to wait for all the natural consequences to happen (the proverbial Allies reaching Berlin) before we see the surveillance state dismantled.

  12.
    Beech, Jul 7th, 2014 @ 1:39pm


    i mainly want everyone to shut up about it because if the NSA hasn't found out there's a second leaker yet, we shouldn't be helping them. let them keep thinking it's snowden and hopefully the second guy's (if he exists) life won't be ruined.

  13.
    Anonymous Coward, Jul 7th, 2014 @ 8:27pm


    If they could keep tabs on their own staff, they would be.

  14.
    Anonymous Coward, Jul 7th, 2014 @ 8:37pm


    That is a bit of a tautology given that they are one and the same.

  15.
    That One Guy, Jul 7th, 2014 @ 8:53pm

    No they wouldn't

    Being able to keep tabs on what their staff is doing would create a paper-trail, something that could be used to show just what exactly they've been doing/ordering done.

    Given how utterly averse they are to anyone knowing the details of what they're doing, it makes sense from their point of view to structure things so that no such record of their activity exists, so they can always respond to any requests for information with 'No such document exists or can be found.'

  16.
    Anonymous Coward, Jul 8th, 2014 @ 6:01am

    Re: Re: Re: Only 1%

  17.
    TestPilotDummy, Jul 8th, 2014 @ 9:45am

    No Surprise there if true

    After all,

    * Security Clearance Process is so Strict.
    * The Borders are So Secure
    * No Dual Citizens hold Office or can access Classified Data, Vaults or Comms
    * No other nations are spying
    * All electronics have their 1's and 0's (3VDC-5VDC) audited and monitored, by top secret security feature and won't work right (e.g. 0VDC), when your intent is to Whistleblow

  18.
    GEMont, Jul 9th, 2014 @ 7:57am

    Just a thought.

    If the NSA wanted to get the public on their side about Snowden being a dangerous nasty spy who has harmed national security ( a federal wet-dream ), it could easily produce a fake secondary leak that appeared to be from Snowden's cache, but which eventually disclosed far more sensitive information that could be pointed to as harming national security and be presented by the Truth Free Press as having "probably" come from Snowden's cache of documents.

    And as we have seen in the past on numerous occasions, the NSA and other federal agencies are 100% OK with disclosing truly sensitive National Security information that actually harms national security and/or endangers field operatives, as long as it can be used to fool the public into believing what they want it to believe.

    Just a thought.


  19.
    Anonymous Coward, Jul 12th, 2014 @ 11:41am

    What if the NSA itself leaked the source code?

  20.
    GM, Jul 12th, 2014 @ 8:40pm


    It's even more difficult to demonize an anonymous one.
