The NDR has released some source code (or rather, script code) detailing what the NSA actually does: according to the excerpt below, I am counted as an extremist! No wonder the US Dept. of Homeland Security questioned me closely when I entered the States ;-)
// START_DEFINITION
/*
These variables define terms and websites relating to the TAILs (The Amnesic
Incognito Live System) software program, a comsec mechanism advocated by
extremists on extremist forums.
*/
$TAILS_terms=word('tails' or 'Amnesiac Incognito Live System') and word('linux'
or ' USB ' or ' CD ' or 'secure desktop' or ' IRC ' or 'truecrypt' or ' tor ');
$TAILS_websites=('tails.boum.org/') or ('linuxjournal.com/content/linux*');
// END_DEFINITION
How do you become an extremist? You visit either of the two websites above.
(•_•)
( •_•)>⌐■-■
(⌐■_■)
Of course that is a bit of a hyperbolic statement, since TAILS is probably being advocated in many places, not just on extremist forums. But in any case, the code does not care and flags all traffic to these sites all the same. And that is really the larger problem with what we know about the NSA's activity: they indiscriminately collect vast amounts of information with little to no oversight; consider how much data Edward Snowden – one IT contractor among countless employees – was able to extract and physically remove from the NSA's control.
And I am pretty certain that every employee of the NSA is an idealistic youth who does not steal data for personal gain, but only to expose the agency's lack of oversight to the rest of the world (with perhaps a touch of vengeance added).
This is yet another example of how algorithms govern our lives and impose symbolic categories on us humble beings. But that will be material for another post...
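To show how little it takes to trip the rule quoted above, here is an added Python re-implementation of fingerprint('ct_mo/TAILS') run over a few constructed sessions; it is not code from the leaked file, and since the rule grammar is undocumented, the semantics of word(), url() and html_title() are my assumptions.

```python
import re
from fnmatch import fnmatch

# Terms copied from the leaked $TAILS_terms / $TAILS_websites definitions.
TERMS_A = ["tails", "Amnesiac Incognito Live System"]
TERMS_B = ["linux", " USB ", " CD ", "secure desktop", " IRC ", "truecrypt", " tor "]
WEBSITES = ["tails.boum.org/", "linuxjournal.com/content/linux*"]

def word(text, terms):
    """Assumed word() semantics: case-insensitive substring test. The padded
    terms (' USB ') suggest the engine relies on spaces for word boundaries."""
    text = text.lower()
    return any(t.lower() in text for t in terms)

def tails_terms(query):
    """$TAILS_terms: a term from the first group AND one from the second."""
    return word(query, TERMS_A) and word(query, TERMS_B)

def url(target, patterns):
    """Assumed url() semantics: scheme and 'www.' stripped, then a shell-style
    glob with an implicit trailing wildcard (deeper paths on the host match)."""
    bare = re.sub(r"^[a-z]+://(www\.)?", "", target.lower())
    return any(fnmatch(bare, p.lower() + "*") for p in patterns)

def html_title(title, patterns):
    """Assumed html_title() semantics: literal pattern text found in the title."""
    title = title.lower()
    return any(p.lower().rstrip("*") in title for p in patterns)

def ct_mo_tails(session):
    """Evaluate fingerprint('ct_mo/TAILS') for one constructed session dict.
    The documents/comsec/tails_doc branch is omitted (no document samples).
    Returns the name of the first branch that fired, or None."""
    if tails_terms(session.get("search", "")):
        return "web_search"
    if url(session.get("url", ""), WEBSITES):
        return "url"
    if html_title(session.get("title", ""), WEBSITES):
        return "html_title"
    return None

# Constructed sessions, not taken from the leaked file.
SESSIONS = [
    {"url": "https://www.linuxjournal.com/content/linux-kernel-tuning"},  # url
    {"url": "https://www.linuxjournal.com/content/python-tips"},          # None
    {"search": "tails linux usb"},                                        # web_search
    {"search": "cat tails toys"},                                         # None
    {"url": "https://tails.boum.org/doc/"},                               # url
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(ct_mo_tails(s), s)
```

Reading an ordinary Linux Journal article whose path happens to start with /content/linux is enough to match, while the same site's other articles are not; the rule has no notion of intent at all.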
The full published code can be grabbed from NDR here: http://daserste.ndr.de/panorama/xkeyscorerules100.txt
And for those too lazy to click and those who prefer syntax highlighting, here is the code as well:
// START_DEFINITION
/**
* Fingerprint Tor authoritative directories enacting the directory protocol.
*/
fingerprint('anonymizer/tor/node/authority') = $tor_authority
and ($tor_directory or preappid(/anonymizer\/tor\/directory/));
// END_DEFINITION
// START_DEFINITION
/*
Global Variable for Tor foreign directory servers. Searching for potential Tor
clients connecting to the Tor foreign directory servers on ports 80 and 443.
*/
$tor_foreign_directory_ip = ip('193.23.244.244' or '194.109.206.212' or
'86.59.21.38' or '213.115.239.118' or '212.112.245.170') and port ('80' or
'443');
// END_DEFINITION
// START_DEFINITION
/*
this variable contains the 3 Tor directory servers hosted in FVEY countries.
Please do not update this variable with non-FVEY IPs. These are held in a
separate variable called $tor_foreign_directory_ip. Goal is to find potential
Tor clients connecting to the Tor directory servers.
*/
$tor_fvey_directory_ip = ip('128.31.0.39' or '216.224.124.114' or
'208.83.223.34') and port ('80' or '443');
// END_DEFINITION
// START_DEFINITION
requires grammar version 5
/**
* Identify clients accessing Tor bridge information.
*/
fingerprint('anonymizer/tor/bridge/tls') =
ssl_x509_subject('bridges.torproject.org') or
ssl_dns_name('bridges.torproject.org');
/**
* Database Tor bridge information extracted from confirmation emails.
*/
fingerprint('anonymizer/tor/bridge/email') =
email_address('bridges@torproject.org')
and email_body('https://bridges.torproject.org/' : c++
extractors: {{
bridges[] = /bridge\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):?([0-9]{2,4}?[^0-9])/;
}}
init: {{
xks::undefine_name("anonymizer/tor/torbridges/emailconfirmation");
}}
main: {{
static const std::string SCHEMA_OLD = "tor_bridges";
static const std::string SCHEMA_NEW = "tor_routers";
static const std::string FLAGS = "Bridge";
if (bridges) {
for (size_t i=0; i < bridges.size(); ++i) {
std::string address = bridges[i][0] + ":" + bridges[i][1];
DB[SCHEMA_OLD]["tor_bridge"] = address;
DB.apply();
DB[SCHEMA_NEW]["tor_ip"] = bridges[i][0];
DB[SCHEMA_NEW]["tor_port_or"] = bridges[i][1];
DB[SCHEMA_NEW]["tor_flags"] = FLAGS;
DB.apply();
}
xks::fire_fingerprint("anonymizer/tor/directory/bridge");
}
return true;
}});
// END_DEFINITION
// START_DEFINITION
/*
The fingerprint identifies sessions visiting the Tor Project website from
non-fvey countries.
*/
fingerprint('anonymizer/tor/torpoject_visit')=http_host('www.torproject.org')
and not(xff_cc('US' OR 'GB' OR 'CA' OR 'AU' OR 'NZ'));
// END_DEFINITION
// START_DEFINITION
/*
These variables define terms and websites relating to the TAILs (The Amnesic
Incognito Live System) software program, a comsec mechanism advocated by
extremists on extremist forums.
*/
$TAILS_terms=word('tails' or 'Amnesiac Incognito Live System') and word('linux'
or ' USB ' or ' CD ' or 'secure desktop' or ' IRC ' or 'truecrypt' or ' tor ');
$TAILS_websites=('tails.boum.org/') or ('linuxjournal.com/content/linux*');
// END_DEFINITION
// START_DEFINITION
/*
This fingerprint identifies users searching for the TAILs (The Amnesic
Incognito Live System) software program, viewing documents relating to TAILs,
or viewing websites that detail TAILs.
*/
fingerprint('ct_mo/TAILS')=
fingerprint('documents/comsec/tails_doc') or web_search($TAILS_terms) or
url($TAILS_websites) or html_title($TAILS_websites);
// END_DEFINITION
// START_DEFINITION
requires grammar version 5
/**
* Aggregate Tor hidden service addresses seen in raw traffic.
*/
mapreduce::plugin('anonymizer/tor/plugin/onion') =
immediate_keyword(/(?:([a-z]+):\/\/){0,1}([a-z2-7]{16})\.onion(?::(\d+)){0,1}/c : c++
includes: {{
#include <boost/lexical_cast.hpp>
}}
proto: {{
message onion_t {
required string address = 1;
optional string scheme = 2;
optional string port = 3;
}
}}
mapper<onion_t>: {{
static const std::string prefix = "anonymizer/tor/hiddenservice/address/";
onion_t onion;
size_t matches = cur_args()->matches.size();
for (size_t pos=0; pos < matches; ++pos) {
const std::string &value = match(pos);
if (value.size() == 16)
onion.set_address(value);
else if(!onion.has_scheme())
onion.set_scheme(value);
else
onion.set_port(value);
}
if (!onion.has_address())
return false;
MAPPER.map(onion.address(), onion);
xks::fire_fingerprint(prefix + onion.address());
return true;
}}
reducer<onion_t>: {{
for (values_t::const_iterator iter = VALUES.begin();
iter != VALUES.end();
++iter) {
DB["tor_onion_survey"]["onion_address"] = iter->address() + ".onion";
if (iter->has_scheme())
DB["tor_onion_survey"]["onion_scheme"] = iter->scheme();
if (iter->has_port())
DB["tor_onion_survey"]["onion_port"] = iter->port();
DB["tor_onion_survey"]["onion_count"] = boost::lexical_cast<std::string>(TOTAL_VALUE_COUNT);
DB.apply();
DB.clear();
}
return true;
}});
/**
* Placeholder fingerprint for Tor hidden service addresses.
* Real fingerprints will be fired by the plugins
* 'anonymizer/tor/plugin/onion/*'
*/
fingerprint('anonymizer/tor/hiddenservice/address') = nil;
// END_DEFINITION
// START_DEFINITION
appid('anonymizer/mailer/mixminion', 3.0