XKEYSCORE: NSA’s Google for the World’s Private Communications - forlorn
https://firstlook.org/theintercept/2015/07/01/nsas-google-worlds-private-communications

======
duncan_bayne
One thing about all of this that really surprises me is the scale of it ... I
was genuinely and unhappily surprised to discover just how large a covert
programme can be kept entirely hidden from the general public & most
politicians.

I'd always naively assumed that working at this scale would guarantee leaks
much, much earlier.

~~~
dimino
Except for the minor detail that it literally wasn't kept hidden...

~~~
finnn
It was kept hidden for a very long time, considering the size and scope of the
operation.

~~~
ObviousScience
Sept of 2001 until Oct 2002?

It's just that... you know... literally no one wanted to talk about how a US
military department was using capabilities traditionally described as acts of
war to subvert US infrastructure and analyze the behaviors of US citizens.
There were terrorists!

Just like they didn't want to talk about it in the 90s, when the US government
tried to claim that encryption was a regulated government technology and while
US citizens are technically entitled to munitions, something something 2nd
amendment, if you export anything more than 44 bits, you're in serious
trouble.

------
MichaelGG
I guess the good thing in all this is that it's what you'd expect if you took
Carnivore from the 90s and threw a ton of intelligent people and pervasive
fibre access at it. There doesn't seem to be anything breakthrough, like "holy
shit they can _do_ that" kind of stuff.

Now yes, the scope is amazing. And I was getting this technical excitement
just reading the system. So many questions! Like, how do they distribute jobs
fairly or deal with resource overuse? What stops some dumbass oper from
submitting a super-expensive query? How do they manage all this stuff? It's
pretty damn neat.

I'm wondering what the impact of TLS is on all this. Cause it seems like
that'd sort of destroy this system, eh?

Edit:
[https://www.documentcloud.org/documents/2116191-unofficial-xks-user-guide.html#document/p1](https://www.documentcloud.org/documents/2116191-unofficial-xks-user-guide.html#document/p1)
- Interesting how they are really explicit about how USSID 18 stops them from
doing stuff. Like they give the example of finding a phone number without a
country code. Not allowed! Unless you combine it with something that'd limit
it to foreign countries. But they note it's not a 100% solution.

~~~
codezero
The tone of the references to USSID 18 makes me feel like they are tongue in
cheek.

For example this one:
[https://www.documentcloud.org/documents/2115979-advanced-http-activity-analysis.html#document/p91](https://www.documentcloud.org/documents/2115979-advanced-http-activity-analysis.html#document/p91)

They are saying: are you unsure if an IP is a proxy? Well, given that you know
so little about it, query all the users on the IP... you know, as long as the
IP is USSID 18 compliant... given that you know so much about it already.

Hrm.

~~~
MichaelGG
Hard to tell. I remember seeing in the docs somewhere that they suggest
capturing for 5 minutes and checking out to make sure it's OK to investigate
further.

As a practical matter, what more can they do? I wouldn't expect them to
actively try to give up on following leads. Seems like the intent of the law
is being attempted to be followed.

------
capnrefsmmat
I'm curious about their discussion of web forums. See the provided slides:

[https://www.documentcloud.org/documents/2116268-web-forum-exploitation-using-xks.html#document/p2](https://www.documentcloud.org/documents/2116268-web-forum-exploitation-using-xks.html#document/p2)

It says they have "full take for US web forum servers under FISA coverage",
and "passive collection for OCONUS [outside continental US] web forum server
traffic". What does "FISA coverage" mean? They have warrants for specific
forums, or a general warrant giving them access to thousands of forums?

I run a fairly large OCONUS message board. Are my visitors all in XKEYSCORE? I
wish the release were more specific.

~~~
jlgaddis
Time to install an SSL certificate and force encryption on all visitors, eh?

~~~
capnrefsmmat
That's hard for a web forum with BBCode -- posts can load external images on
non-HTTPS domains.

I suppose I can have the BBCode alter the URLs to point to my domain, and use
nginx to proxy the image loads. I'd have to be careful to make sure users
can't proxy malicious scripts and stuff into the page (because it'd be same-
origin); is there a standard solution for this?
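One standard answer to the question above is a signing image proxy of the kind GitHub's camo popularized: the forum rewrites each [img] URL to an HMAC-signed path on its own domain, and the proxy serves only bytes that are a known raster image, never whatever the remote host claims. This is an added example, not code from the thread; the secret, proxy base URL and size limit are constructed values.

```python
import hashlib
import hmac
import re
from urllib.parse import quote, urlparse

PROXY_SECRET = b"constructed-demo-secret"   # assumption: per-deployment secret
PROXY_BASE = "https://forum.example/img/"   # assumption: forum's own origin

# Only raster formats are allowed; SVG is deliberately absent because it can
# carry scripts and would execute same-origin once proxied.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

def sign(url):
    """HMAC over the original URL so only forum-issued proxy links work."""
    return hmac.new(PROXY_SECRET, url.encode(), hashlib.sha256).hexdigest()

def rewrite_img_tags(bbcode):
    """Turn [img]http://host/x.jpg[/img] into a signed link on the forum domain."""
    def repl(match):
        url = match.group(1).strip()
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return ""  # drop javascript:, data:, relative and malformed URLs
        return f"[img]{PROXY_BASE}{sign(url)}/{quote(url, safe='')}[/img]"
    return re.sub(r"\[img\](.*?)\[/img\]", repl, bbcode, flags=re.I | re.S)

def verify_request(sig, url):
    """Proxy-side check: constant-time compare of the signature in the path."""
    return hmac.compare_digest(sig, sign(url))

def vet_upstream(body, claimed_type, max_bytes=5 * 1024 * 1024):
    """Decide whether fetched bytes may be served. Returns (ok, mime, headers).
    Trusts magic bytes, not the upstream Content-Type, and pins headers so
    browsers cannot sniff the payload into HTML or script."""
    if len(body) > max_bytes or not claimed_type.startswith("image/"):
        return (False, None, None)
    for magic, mime in IMAGE_MAGIC.items():
        if body.startswith(magic):
            headers = {"Content-Type": mime,
                       "X-Content-Type-Options": "nosniff",
                       "Content-Disposition": "inline",
                       "Content-Security-Policy": "default-src 'none'"}
            return (True, mime, headers)
    return (False, None, None)
```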

------
codezero
The app has a field for "justification" and in the examples, some of them are:

> Chinese webmail users

> Iranian webmail users

Oh.

~~~
hellbanner
Where did you see that?

~~~
codezero
In some of the screenshots in the linked Powerpoints:
[https://www.documentcloud.org/documents/2116255-using-xks-to-enable-tao.html#document/p35](https://www.documentcloud.org/documents/2116255-using-xks-to-enable-tao.html#document/p35)

------
noondip
Does anyone else notice (intentionally?) poor redaction? In one screenshot,
two IP addresses are visible, then blacked-out in two other places on the same
presentation slide - [https://imgur.com/SLyjhmp](https://imgur.com/SLyjhmp),
for example.

~~~
codezero
One of those IPs points to an Iranian IT company :P

------
enlightenedfool
Does using a VPN prevent any of these? EDIT: And I guess Google servers have
most of Android users' home Wi-Fi passwords. Which means NSA could pretty much
access any devices in those homes?

~~~
fnordfnordfnord
I'll just assume that most home routers have backdoors baked in; a number of
those have been found by various folks.

~~~
lazaroclapp
They don't even need to have intentional backdoors (as in, designed for spy
agencies/law enforcement). The chances of a random home internet appliance not
designed with serious cybersecurity considerations in mind (as opposed to
"good enough to stop the average snooper/criminal") not having root-worthy
vulnerabilities that can be exploited from the upstream provider is close to
nil.

Remember, most of these things have as their only threat model someone trying
to gain access from the Wi-Fi side before authentication. I doubt many vendors
seriously consider questions like "can the cable connection to the ISP be used
to take over the router?" or take steps to prevent it. For many devices, that
sort of access could be considered as a potentially legitimate feature (think,
customer support and remote diagnostics).

~~~
jlgaddis
And cable modems download their configuration from the ISP's CMTS when they're
powered on.

~~~
psykovsky
I could almost bet that they don't even validate certificates, IF they use any
kind of encryption at all...

~~~
fnordfnordfnord
Nope.
[https://defcon.org/images/defcon-18/dc-18-presentations/Blake-bitemytaco/DEFCON-18-Blake-bitemytaco-Hacking-DOCSIS.pdf](https://defcon.org/images/defcon-18/dc-18-presentations/Blake-bitemytaco/DEFCON-18-Blake-bitemytaco-Hacking-DOCSIS.pdf)

------
hellbanner
“The National Security Agency’s foreign intelligence operations are 1)
authorized by law; 2) subject to multiple layers of stringent internal and
external oversight; and 3) conducted in a manner that is designed to protect
privacy and civil liberties. As provided for by Presidential Policy Directive
28 (PPD-28), all persons, regardless of their nationality, have legitimate
privacy interests in the handling of their personal information. NSA goes to
great lengths to narrowly tailor and focus its signals intelligence operations
on the collection of communications that are most likely to contain foreign
intelligence or counterintelligence information.”

~~~
MichaelGG
Even if the oversight isn't that great (do we know how much abuse happens?),
it does make sense that they would try to narrowly focus their ops. It doesn't
actually benefit them to spy on random users. At the end of the day, we can
only assume most of the agents do actually want to get "bad guys". (As
compared to say, me, who'd love to have an XKS login for the trolling
possibilities alone.)

------
Sven7
Now comes the hard part of wondering what to lookup. Shall we search for
financial crimes? Nah...by the time we develop the expertise to write the
query the crime has changed. Shall we find the next Boston Bomber? Nah...even
more complicated. So what do we look for? The easy stuff...Godzilla for
example. Someone has to keep watch.

------
programmernews3
The advantage of NSA revelations is that it helps to educate people to form a
justified contempt for secret services and governments.

