[tor-talk] XKeyScore code authenticity - genuine [was: messing with XKeyScore]

coderman coderman at gmail.com
Sun Jul 6 17:11:45 UTC 2014

the theme of messing with XKeyScore is amusing[0], but more to the
point i was asked to respond to some concerns of authenticity made in
a different post:

"Validating XKeyScore code"

i'm trying to keep this feedback technical, as i don't like much of
Graham's reasoning. (i do however approve of his use of "Great Man" in
the Voldemort sense, in reference to Cowboy Alexander[1])

his claim that "we believe the code partly fake and that it came from
the Snowden treasure trove." should be ammended:

"we believe the code deprecated, and that it came from the Snowden archives"



first segment of summary, by point:

# Point 1)
"The signatures are old (2011 to 2012), so it fits within the Snowden
timeframe, and is unlikely to be a recent leak."
 - agreed.

# Point 2)
"The code is weird, as if they are snippets combined from training
manuals rather than operational code. That would mean it is “fake”."
 - false; the code is valid and deprecated (can be used as example)
rather than false. the technical detail. as a programmer, i know that
a regexp rule like:
extractors: {{
    bridges[] =
is both written by a novice regexp'er, and also took them a bit of
time. more than they'd spend on an example.

for another example,
for (size_t i=0; i < bridges.size(); ++i) {
        std::string address = bridges[i][0] + ":" + bridges[i][1];
        DB[SCHEMA_OLD]["tor_bridge"] = address;
        DB[SCHEMA_NEW]["tor_ip"] = bridges[i][0];
        DB[SCHEMA_NEW]["tor_port_or"] = bridges[i][1];
        DB[SCHEMA_NEW]["tor_flags"] = FLAGS;

why two commits here to backend changes? as a programmer i understand
why this is done, but as a purely fictitious example the double commit
is pointless noise.

# Point 3)
"The story makes claims about the source that are verifiably false,
leading us to believe that they may have falsified the origin of this
source code."
 - false

how does limited misunderstanding arcane technicalities invalidate the entirety?
 if this were true, Robert Graham would be a complete imbecile, rather
than  technically competent and occasionally wrong.

# Point 4)
"The code is so domain specific that it probably is, in some fashion,
related to real XKeyScore code – if fake, it's not completely so."
 - false. as stated above, these rules are deprecated rather than
fictitiously constructed. (and perhaps referenced in training
materials for utilizing the particular language engines demonstrated)

as explained above, and i will go into more detail later (i wager i
have more big data experience and DPI experience than Mr. Graham the
DPI expert does in this domain alone[2] ;)

last but not least, this speaks to the need for greater technical
expertise to be applied to the leaked archives.  if anything, the
nature of domain specific details discussed here show that not just
generalists, but an army of specialists, will ultimately be needed to
properly parse and protect based upon the archives as yet revealed.

best regards,


0.  "" for those with "Jam Eschelon Day" nostalgia ;)
  ^- see whole thread from "messing with XKeyScore"

1. "The character assassination of Keith Alexander"
 '... People have criticized calling him a "great man". I'm quoting
the Harry Potter movie here people, where the guy who sells
Harry's[sic] wand points out that Voldermort was a great wizard,[sic]
a great and terrible wizard'

2. "XKeyScore: it's not attacking Tor"
 '... I am an expert in deep packet inspection (DPI). I've written a
system vaguely similar to this XKeyScore system here: (ferret). I find
the conclusions in this story completely unwarranted, though the
technical information cited by this story is pretty good. I suggest
future stories about the NSA's deep packet inspection actually consult
with engineers who've written DPI code before making wild claims.'

More information about the tor-talk mailing list