XKEYSCORE: under the hood of the NSA's search engine for your Internet activity

Following up on its in-depth look at which communications the secret XKEYSCORE tool lets the NSA search, The Intercept makes some observations about how the technology actually works.

The snapshots we have of XKEYSCORE date to 2013, so the chances are that the system has matured since then, but as of the day Edward Snowden scraped and exfiltrated its specs, it was something of a shambles. However, to its credit, it did not (and may still not) support Internet Explorer.

XKS is/was a GNU/Linux app that runs on Red Hat servers, using Apache to search Mysql stores. John Adams, an engineer who was a senior opps manager at Twitter, looked at the details, and pronounced them terrible: "they were able to achieve so much success with such a poorly designed system. Data ingest, day-to-day operations, and searching is all poorly designed. There are many open source offerings that would function far better than this design with very little work. Their operations team must be extremely unhappy."

One of the most glaring flaws in XKS is its administrative logging, which is key to oversight of the system to track abuse and defection from its senior staff. All administrators shared a single account (login: "oper") with a single password. Anyone with those credentials can alter the logs of the system, including evidence or their own actions — and any audit trail left behind by such shenanigans will lead only to the entire pool of senior admins, not to a single person.

The Intercept's analysis focuses on the system's ability to "fingerprint" communications based on a set of criteria — for example, "Emails that are PGP encrypted" or "IMs written in Arabic," and that can be correlated with cookies set by common Internet services like Google.

There might be security issues with the XKEYSCORE system itself as well. As hard as software developers may try, it’s nearly impossible to write bug-free source code. To compensate for this, developers often rely on multiple layers of security; if attackers can get through one layer, they may still be thwarted by other layers. XKEYSCORE appears to do a bad job of this.

When systems administrators log into XKEYSCORE servers to configure them, they appear to use a shared account, under the name “oper.” Adams notes, “That means that changes made by an administrator cannot be logged.” If one administrator does something malicious on an XKEYSCORE server using the “oper” user, it’s possible that the digital trail of what was done wouldn’t lead back to the administrator, since multiple operators use the account.

There appears to be another way an ill-intentioned systems administrator may be able to cover their tracks. Analysts wishing to query XKEYSCORE sign in via a web browser, and their searches are logged. This creates an audit trail, on which the system relies to assure that users aren’t doing overly broad searches that would pull up U.S. citizens’ web traffic. Systems administrators, however, are able to run MySQL queries. The documents indicate that administrators have the ability to directly query the MySQL databases, where the collected data is stored, apparently bypassing the audit trail.


Behind the Curtain:
A look at the Inner Workings of NSA’s XKEYSCORE
[Micah Lee, Glenn Greenwald, and Morgan Marquis-Boire/The Intercept]