NSA Watches Those Interested in Linux and Information Security

Thanks to Snowden's documents, last year it became known about the existence of the XKeyscore program , which monitors Internet traffic for keywords, search queries, etc.

Yesterday, the German journalist Jacob Appelbaum - one of those to whom Edward Snowden handed over part of the NSA's secret documents - published the file xkeyscorerules100.txt , operating in the XKeyscore system. These are a few rules by which the activity of users on the Internet is monitored.

XKeyscore Deep Packet Inspection software runs on 150 dedicated servers around the world, typically located near large telecommunications hubs. The modular architecture of XKeyscore provides for the loading of individual small "rules" (rules), written in their own programming languages ​​Genesis and XKScript, as well as in C ++ and Python. According to these rules, useful information is extracted from recorded Internet traffic.

As can be seen from the published rules, the NSA monitored two Tor network nodes in Berlin and Nuremberg. The agency compiled a list of IP addresses that access these servers.

In addition, the NSA keeps track of those users who search the web for information about the Linux TAILS secure operating system .

fingerprint('ct_mo/TAILS')=
fingerprint('documents/comsec/tails_doc') or web_search($TAILS_terms) or
url($TAILS_websites) or html_title($TAILS_websites)

^{Syntax explanation for the xkeyscorerules100.txt file}

It's funny, but other documents mention the rules by which “potential extremists” who read sites like Linux Journal are tracked. They are considered "extremist forums."

// START_DEFINITION
/*These variables define terms and websites relating to the TAILs (The Amnesic Incognito Live System) software program, a comsec mechanism advocated by extremists on extremist forums. */
$TAILS_terms=word('tails' or 'Amnesiac Incognito Live System') and word('linux' or ' USB ' or ' CD ' or 'secure desktop' or ' IRC ' or 'truecrypt' or ' tor ');
$TAILS_websites=('tails.boum.org/') or ('linuxjournal.com/content/linux*');
// END_DEFINITION

There are rules for registering users who are interested in various information security services on the Internet, including HotSpotShield, FreeNet, Centurian, FreeProxies.org, MegaProxy, privacy.li and the anonymous email service MixMinion. In the latter case, all traffic from the IP address 128.31.0.34 is recorded. It belongs to the MixMinion server, which is located on the campus of the Massachusetts Institute of Technology. Incidentally, in addition to the mail service, this server hosts many other websites, including open source games and other free projects.