NSA’s XKeyscore is a global dragnet for vulnerable systems


XKeyscore doesn’t just turn somebody’s internet life inside out. It’s also a bloodhound for sniffing out vulnerable systems.

A training slide on page 24 of the National Security Agency’s 2008 presentation on the program, as revealed on Wednesday by The Guardian (via Edward Snowden), states it quite baldly:

  • Show me all the exploitable machines in country X
    • Fingerprints from TAO [Ed. Note: Tailored Access Operations, the NSA organisation that hacks the networks of foreign governments and organizations] are loaded into XKEYSCORE’S application/fingerprintID engine
    • Data is tagged and databased
    • No strong-selector
    • Complex boolean tasking and regular expressions required

According to Ars Technica’s Sean Gallagher, the vulnerability “fingerprints” are added to serve as filtering criteria for XKeyscore’s application engines, comprised of “a worldwide distributed cluster of Linux servers attached to the NSA’s Internet backbone tap points.”

This turns XKeyscore into a passive port scanner, Gallagher writes, which can be used to search for network behavior on systems that match the NSA TAO’s profiles for exploits or for systems already exploited by malware that the TAO can then take advantage of.

He explains how this could give the NSA a toehold of surveillance in countries such as Iran or China:

“This could allow the NSA to search broadly for systems within countries such as China or Iran by watching for the network traffic that comes from them through national firewalls, at which point the NSA could exploit those machines to have a presence within those networks.”

The slides also explain how XKeyscore can track encrypted VPN (Virtual Private Network) sessions and their participants, and can capture metadata on who’s using PGP encryption in email or who’s encrypting Word documents, which can later be decrypted.

XKeyscore keeps all trapped Internet traffic for three days, but metadata is kept for up to 30 days.

That month gives the NSA time to trace the identity of those who created the documents its analysts intercept.

As the slides imply, this gives XKeyscore the unique ability to scour traffic that hasn’t yet been targeted for monitoring.

“No other system performs this on raw unselected bulk traffic,” they state.

XKeyscore’s nature was disputed when it was first revealed.

What is XKeyscore, exactly?

Is it a tool that can scour all things internet for surveillance purposes, or is it merely a database search tool plunked on top of databases full of already-captured data from other surveillance sources, as maintained by US journalist Marc Ambinder?

It sure does sound like a surveillance tool, going by the NSA’s own description.

According to the slides published by The Guardian, XKeyscore is:

  1. DNI [ed.: Digital Network Intelligence] Exploitation System/Analytic Framework
  2. Performs strong (e.g. email) and soft (content) selection
  3. Provides real-time target activity (tipping)
  4. “Rolling Buffer” of ~3 days of ALL unfiltered data seen by XKEYSCORE:
    • Stores full-take data at the collection site—indexed by meta-data
    • Provides a series of viewers for common data types
  5. Federated Query system—one query scans all sites
    • Performing full-take allows analysts to find targets that were previously unknown by mining the meta-data

Has The Guardian mischaracterized XKeyscore as a top-secret, extraordinarily powerful surveillance tool?

I’m trying to keep my mind open, but it’s hard to dismiss The Guardian’s reporting, and it’s hard to deem Edward Snowden’s depiction of the NSA’s activities as “hyperbolic,” as some have deemed it, given the descriptions in these slides.

I’m no programmer, but when somebody calls a program an “exploitation system” that can be used “to find targets that were previously unknown by mining the meta-data,” that sure does sound like a surveillance tool to me.

A frighteningly powerful one, at that.