What LinkedIn says about NSA spy programs

Steve Lord co-organises 44Con and is technical director of Mandalorian.

Over at Cryptome, the cypherpunks have been busy looking at how the National Security Agency watches us.

They've identified that the XKeyscore system is produced by US contractor SAIC, and runs on Red Hat Enterprise Linux. On the page they list some interesting code names and after reading, I wondered what else could be found by looking around on the internet. The answers are surprising; I only scratched the surface of what was there, but read on for some highlights.

Working through the open internet, I quickly gathered a list of code words, including some that appeared repeatedly. Using a simple technique known as keyword density analysis, I quickly found that some code names appeared to be much more popular than others.

XKeyscore, which we now know is the overarching NSA internet signals intelligence program, was the top entry by far. Pinwale, the NSA's main signals intercepts database, also scores highly among LinkedIn users working on signals intelligence.

Mainway, the NSA database of call metadata for calls made through the four largest US telephone carriers, also features heavily in the list. Many of the social network profiles I examined referenced Intelink, the intelligence community's classified intranet.

I also found evidence of people working on XKeyscore dating back to some time between 2007 and 2009. The oldest mention of XKeyscore referred to monitoring “XKeyscore by conducting daily checks to ensure that the database was running for the use of other offices. Periodically conducted check balances to ensure the system was not being misused”. It's good to know that people were thinking about this back then, but is the NSA still thinking about it now?

Looking through these profiles brings up an interesting history of military intelligence capability. It's clear that in the early to mid-2000s, much of the work done by these people focused on commercial mapping tools such as ArcGIS or IBM i2's Analyst's Notebook.

After the mid-2000s, the mention of government programmes and software code names seems to shoot up, like someone went on a code naming spree. One particular LinkedIn profile stood out as a treasure trove of information for not only code names but their purpose:

• Used OneRoof, UIS and the WorkCenter reporting tools to report on mission critical targets.

• Utilised Gistque reporting tool for record maintenance as well as analytical research and support.

• Performed near real-time intelligence reporting to forward deployed troops in Afghanistan.

• Used OneRoof, UIS as well as the Coastline reporting tool to receive and report on near real-time intelligence for forward deployed troops.

• Performed geospatial and VHF queries on areas of interest (AOI) in Afghanistan.

• Queries were performed using data from KL reports on the (AOI) 

• Produced VHF area study products for areas of interest based on mission requirements.

• VHF products were created using KL Queries and geolocation data from Google Earth and Asociation

• Queried and researched information on databases such as Anchory, Association and Global Reach.

• Used Marina as a raw Sigint data viewer for detection and analysis of priority targets.

• Used Homebase as coordination and tasking tool with other DNI analysts.

• Discovered, evaluated and exploited targets via digital networks and all source intelligence assets.

• Utilised Anchory/Maui reporting database to correlate and verify target selections.

• Utilised Air Gap for discovery of priority targets within the missions AOI.

• Used Marina as a tracking and pattern of life tool on selected targets within the missions AOI

Different code names can refer to databases, applications, pieces of software or overarching programmes. This can make for confusing reading. In order to understand this we need to understand how the NSA goes from raw data to the finished intelligence product.

XKeyscore processes all of the raw signals before they're sent off to what are known as production lines that deal with specifics. An analyst will sit down at a desk and analyse information in a database such as Marina. A tool such as CPE (Content Preparation Environment) is then used to develop a report stored in Maui (a database for finished NSA intelligence products) or Anchory (a similar community-wide intelligence reports database).

Thus we can confirm that the owner of the above profile: used a call data records analysis tool/database to identify priority targets and analyse their metadata; used the DoD priority missions system Air Gap to identify mission targets; and looked through finished intelligence reports in the NSA and intelligence community-wide databases to correlate and verify target selections.

Having the code names is one thing, but knowing their meaning is another. By looking through social networks we can start to peel back the US intelligence onion.

For example, one analyst working in the Special Operations Task Force East Afghanistan in Bagram spent some time between 2009 and 2011 doing this:

• Wrote Sigint reports using NSA GMetrics, Real Time Regional Gateway, Google Earth, ArcGIS, Anchory, and Mauqi.

• Performed geospatial metadata analysis on Sigint reporting using Real Time Regional Gateway, TowerPower, Sigint Navigator, Mainway, Sigint Emitter Discovery Base, Treasure Trove, Cedes, Ripcord, Wrangler, Vantage, Muawi, Anchory, ArcGIS, Google Earth and Bellview.

• After analysing these reports and after I performed geospatial metadata analysis of these messages, I provided our commanders on the ground timely and accurate intelligence and developed targets of interest for our commanders to pursue.

Now that we know what the code names mean, we can see that the analyst worked on geospatial-based intelligence products using telephone carrier metadata (Mainway), the community-wide intelligence reports system (Anchory) and the finished intelligence products database (Maui, assuming Mauqi is a typo).

The interesting thing about all of this is what the NSA hasn't said about XKeystone, Prism and its other programmes. It's clear by going through the internet that there are some people working on ensuring that the system isn't being abused, and it is also clear that these intercepts are supporting active military programmes relating to the acquisition and assassination of high value US military targets abroad.

The question remains though, if this much information is publicly available then why not be more open about it?

This article originally appeared at scmagazineuk.com