Is the XKeyScore Code Released in Germany Faked?

Expert analysis uncovers serious misrepresentations and possible fakery

Following up on our post about the wildly exaggerated claims made about the purported XKeyScore source code released in Germany this week by hacker Jacob Applebaum, here’s a very interesting post by cybersecurity expert Robert Graham with evidence that the code may have been at least partly faked: Errata Security: Validating XKeyScore Code.

The burning questions about the XKeyScore “source code” is whether it’s real, and whether it come from Snowden. The Grugq (@thegrugq) has some smart insight into this, and I have my own expertise with deep-packet-inspection code. I thought I’d write up our expert analysis to the questions.

TL;DR: we believe the code partly fake and that it came from the Snowden treasure trove.

A slightly longer summary is:

  1. The signatures are old (2011 to 2012), so it fits within the Snowden timeframe, and is unlikely to be a recent leak.
  2. The code is weird, as if they are snippets combined from training manuals rather than operational code. That would mean it is "fake".
  3. The story makes claims about the source that are verifiably false, leading us to believe that they may have falsified the origin of this source code.
  4. The code is so domain specific that it probably is, in some fashion, related to real XKeyScore code - if fake, it's not completely so.

Here’s a point that jumped out at me immediately upon looking at the code: all over the Internet, people are claiming that the code identifies linuxjournal.com as an “exremist forum” — but that’s simply false. As I tweeted two days ago:

Graham’s post agrees with this evaluation:

Another misrepresentation in the story is that the source calls the Linux Journal an extremist forum. That’s not true.

A comment does say that TAILS is “a comsec mechanism advocated by extremists on extremist forums”. This is true, as the picture (from the Grugq) demonstrates on the right: it’s a picture from an ISIS/jihad forum advocating the use of TAILS. But nowhere does it claim that the Linux Journal is one of those extremists — that’s something willfully made up by the authors of the story.

That the story already misrepresents the meaning of this source code hints that it may already be misrepresenting the provenance.

Exactly. Something smells very fishy here. Read the whole thing. And for those interested in the highly technical details, here’s Graham’s post going through the code line by line.

Jump to top

Create a PageThis is the LGF Pages posting bookmarklet. To use it, drag this button to your browser's bookmark bar, and title it 'LGF Pages' (or whatever you like). Then browse to a site you want to post, select some text on the page to use for a quote, click the bookmarklet, and the Pages posting window will appear with the title, text, and any embedded video or audio files already filled in, ready to go.
Or... you can just click this button to open the Pages posting window right away.
Last updated: 2016-01-01 10:29 am PST
LGF User's Guide RSS Feeds Tweet

Help support Little Green Footballs!

Subscribe now for ad-free access!Register and sign in to a free LGF account before subscribing, and your ad-free access will be automatically enabled.

Recent PagesClick to refresh
A Third of Black Women in Study of Disadvantaged Neighborhood Have PTSD - Chicago Tribune Nortasha Stingley doesn't remember a lot about the weeks after her 19-year-old daughter was shot and killed nearly four years ago. All she could do was cry. All she wanted to do was scream. After Stingley lost 40 pounds ...
Birth Control Works
13 hours, 5 minutes ago
Views: 122 • Comments: 0 • Rating: 0
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0
How Trees Talk to Each Other Published on Aug 30, 2016 "A forest is much more than what you see," says ecologist Suzanne Simard. Her 30 years of research in Canadian forests have led to an astounding discovery — trees talk, often and over vast ...
Birth Control Works
14 hours, 7 minutes ago
Views: 152 • Comments: 0 • Rating: 1
Tweets: 1 • Share to Facebook
Shares: 0
Comments: 0
: 0
Classic Oatmeal-Raisin Cookies Recipe - NYT Cooking ngredients 1 cup/227 grams (2 sticks) unsalted butter, softened, more for pans 1 cup/200 grams dark brown sugar, packed ⅓ cup/66 grams granulated sugar 2 large eggs 1 tablespoon/15 milliliters vanilla extract 1 ½ cups/187 grams all-purpose flour ¾ ...
The Vicious Babushka
1 day, 12 hours ago
Views: 163 • Comments: 2 • Rating: 0
Tweets: 1 • Share to Facebook
Shares: 0
Comments: 0
: 0
Ricardo Naipes, Al NorteI love how this song is about people living in the same neighborhood where my mom grew up in Southwest Detroit way back when the accordion was for the polka music. Oh and will someone please translate,,
Mich-again
1 day, 23 hours ago
Views: 180 • Comments: 0 • Rating: 0
Tweets: 2 • Share to Facebook
Shares: 0
Comments: 0
: 0
Maple Scones Recipe - NYT Cooking Ingredients 1 cup whole wheat flour 1 cup white flour (more as needed) 2 tablespoons (packed) brown sugar 2 teaspoons baking powder ¼ teaspoon salt ¼ pound (1 stick) chilled butter ½ cup chopped toasted walnuts or cooked wheat ...
The Vicious Babushka
2 days, 2 hours ago
Views: 202 • Comments: 0 • Rating: 0
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0
How Politicians Force Doctors to Lie to Women - Rolling Stone On Tuesday, the Texas Senate advanced a bill that would enable doctors to lie to pregnant patients about fetal deformities in order to coercively dissuade them from choosing to have an abortion. Specifically, SB 25 eliminates withholding information regarding ...
Birth Control Works
2 days, 2 hours ago
Views: 253 • Comments: 0 • Rating: 1
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0
Gang Rape of 15-Year-Old Was on Facebook Live; Police Search for Attackers - North Lawndale - DNAinfo Chicago CHICAGO — A 15-year-old girl who had been reported missing was gang-raped on Facebook Live, officials said. The girl went missing Sunday. On Tuesday, Anthony Guglielmi, a Chicago Police Department spokesman, announced she had been found by Ogden District ...
Birth Control Works
2 days, 3 hours ago
Views: 575 • Comments: 0 • Rating: 0
Tweets: 3 • Share to Facebook
Shares: 0
Comments: 0
: 0
Man Jailed Indefinitely for Refusing to Decrypt Hard Drives Loses Appeal Forensic examination also disclosed that Doe [Rawls] had downloaded thousands of files known by their "hash" values to be child pornography. The files, however, were not on the Mac Pro, but instead had been stored on the encrypted external ...
Unshaken Defiance
2 days, 11 hours ago
Views: 534 • Comments: 1 • Rating: 1
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0
In America, We’re All ‘Somebody Else’s Babies’ But somebody else’s babies is exactly who we are, especially in the eyes of Native Americans slaughtered and displaced to make way for the rest of us. Whether we were brought here against our wills in the hulls of ...
Birth Control Works
2 days, 12 hours ago
Views: 457 • Comments: 0 • Rating: 0
Tweets: 1 • Share to Facebook
Shares: 1
Comments: 0
: 1
How to Survive Gaslighting: When Manipulation Erases Your Reality It’s obvious to those already initiated. To those new to the phenomena: the president and the current administration are gaslighting us. It’s a term we are hearing a lot of right now. The term “gaslighting” refers to when someone ...
Birth Control Works
2 days, 12 hours ago
Views: 452 • Comments: 0 • Rating: 0
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0