FOXACID Operations Manual

A few days ago, I saw this tweet: "Just a reminder that it is now *a full year* since Schneier cited it, and the FOXACID ops manual remains unpublished." It's true.

The citation is this:

According to a top-secret operational procedures manual provided by Edward Snowden, an exploit named Validator might be the default, but the NSA has a variety of options. The documentation mentions United Rake, Peddle Cheap, Packet Wrench, and Beach Head -- all delivered from a FOXACID subsystem called Ferret Cannon.

Back when I broke the QUANTUM and FOXACID programs, I talked with the Guardian editors about publishing the manual. In the end, we decided not to, because the information in it wasn't useful to understanding the story. It's been a year since I've seen it, but I remember it being just what I called it: an operation procedures manual. It talked about what to type into which screens, and how to deal with error conditions. It didn't talk about capabilities, either technical or operational. I found it interesting, but it was hard to argue that it was necessary in order to understand the story.

It will probably never be published. I lost access to the Snowden documents soon after writing that essay -- Greenwald broke with the Guardian, and I have never been invited back by the Intercept -- and there's no one looking at the documents with an eye to writing about the NSA's technical capabilities and how to securely design systems to protect against government surveillance. Even though we now know that the same capabilities are being used by other governments and cyber criminals, there's much more interest in stories with political ramifications.

Posted on October 15, 2014 at 6:29 AM • 31 Comments

Comments

Josh Wieder • October 15, 2014 8:55 AM

"there's no one looking at the documents with an eye to writing about the NSA's technical capabilities and how to securely design systems to protect against government surveillance" - Can you perhaps clarify this statement? By this do you truly mean to say that *no* data reporters or competent computer specialists are working with the documents? Given the wide distribution of the documents between many prominent news organizations at this point I am not sure if that is accurate. Or perhaps did you mean that no one is looking specifically at the FOXACID guide? I have been a long-time reader of your blog and research work; by no means do I seek to twist your work. I look forward to clarification should time permit. Thank you.

Mr. E • October 15, 2014 8:57 AM

I am slightly annoyed at how whoever is in possession of the Snowden cache of documents (Greenwald?) is keeping it to themselves and not just releasing the whole thing to the public. Part of me wishes Snowden had given the material to Wikileaks. Releasing drips of information from it over months in order to keep up a supply of headline stories may serve to keep the overall story in the public conscience, but to be frank a lot of people find it irritating and lost interest ('Another Snowden revelation? blah...').

All of these documents should become public at some point, now we know that the Five Eyes governments are trampling all over our rights, why should we be concerned about the possible impact on their operations if the whole Snowden trove became public?

maxCohen • October 15, 2014 9:26 AM

"and there's no one looking at the documents with an eye to writing about the NSA's technical capabilities and how to securely design systems to protect against government surveillance"

How do you know this if you are not involved? Or is it based on the fact that articles aren't being written by the press?

Bob • October 15, 2014 9:45 AM

Greenwald has responded to this post on Twitter; he cites multiple news organizations and subject matter experts working on the Snowden documents. I'm curious to see Bruce's response.

anon • October 15, 2014 9:51 AM

i've been waiting for this since 2006:

this approach could be exploited by a malicious entity who, by gaining access to an individual's computer via undocumented exploits installed by any variety of benign plugins or security flaws in the operating system, uses software that examines all electronic transmissions, looking for patterns and associations in the use of individual words (or the syntax of information that has been encoded in different ways), and with occasional input from "judges," recombines these symbols (the product of patterns and associations) in a manner calculated to elicit certain responses (via the mechanisms of behaviorist psychology).

are you really visiting the web pages you think you are?

bob • October 15, 2014 9:56 AM

Snowden charged Greenwald and the original reporter (whose name I have forgotten) with releasing what they felt was in the public interest. There certainly exists information that will endanger individuals - that must be balanced against the greater issue. There will never be a complete dump.

Mr. E • October 15, 2014 10:05 AM

"There will never be a complete dump."

"Jake Appelbaum, Micah Lee, Ashkan Soltani, Chris Soghoian, Morgan Marquis-Boire have all worked w/docs-"

Why these people and not the general public? Would Greenwald and others who have the documents be amenable to requests to view the data?

Sorry, but I believe it is in the public interest for the public to have access to all of these documents, for open and frank analysis of what is actually going on at the NSA, GCHQ etc. What we have seen so far is nothing short of cause for outrage.

Surely Greenwald and hand-picked people such as those he named in his tweet would better spend their time skimming the documents for anything which would endanger an individual, redacting their names and so on, so they can release all of the data to the public. I actually resent the way this is being handled; on one hand I applaud these guys for what they have done so far, but on the other hand I am furious at the information being withheld by a clique of individuals the public have no control over.

maxCohen • October 15, 2014 10:10 AM

"I am furious at the information being withheld by a clique of individuals the public have no control over."

You mean the NSA, right? Because if it was that clique, nothing would be coming out to anyone right now.

Al • October 15, 2014 10:42 AM

@Mr.E has it ever occurred to you that perhaps these experts are taking their time with it because it is boring work? When there is nothing to see, it is best to not show.

Mr. E • October 15, 2014 10:43 AM

Since nobody in the public facing apparatus of any of these intelligence agencies has been held to account perhaps there are names in those documents that should be published in the public interest.

I personally am more interested in seeing the bigger picture that would be revealed if the entire cache of documents were freely available to anyone with the time and inclination to analyse them. Instead we get a curated form of sanitised information that has been through the arbitrary filter of the minds of those few who have access. Despite what has been released, I still feel there are secrets being withheld.

anonymous coward • October 15, 2014 12:16 PM

The NSA and other TLAs had plenty of time to move people out of harm's way.
Besides, scum like that deserves to be exposed.

Charles Willoughby • October 15, 2014 12:32 PM

@Ggreenwald has yet to answer why he has not released the names of targeted Americans despite numerous calls for him to do so. He has also not explained his reasonings for not doing so. He has maintained targets do not want to be named but this is hard to believe in that there are thousands of names and only five released. Sadly, he has privatized documents and information that belongs to the American people. He has also turned into a bit of a megalomaniac. The next whistleblower should go to a different source, perhaps Cryptome.

maxCohen • October 15, 2014 12:51 PM

"has yet to answer why he has not released the names of targeted Americans despite numerous calls for him to do so."

Why would he release the names of targeted Americans? Why would I want the world to know if I was targeted and have my life turned upside down by a maniac press?

maxCohen • October 15, 2014 2:06 PM

Seriously, I think I'm missing something. Cryptome has this post listed from the links "Bruce Schneier Censored by Snowden Censors". I'm not clear what's being censored. :(

Semiothisa sexmaculata GV • October 15, 2014 6:10 PM

Maybe Greenwald works for NSA...or for some other part of The Govt...

Nick P • October 19, 2014 8:12 PM

@ Bruce Schneier

" I lost access to the Snowden documents soon after writing that essay"

I'm actually more interested in how you lost access to them than the manual itself. I recall you had some or all the documents on an air gapped machine. First thoughts were it was an accident, a sabotage via something someone sent you, you got rid of them willingly, or you were compelled to get rid of them.

Bruce Schneier • October 19, 2014 8:35 PM

"'...there's no one looking at the documents with an eye to writing about the NSA's technical capabilities and how to securely design systems to protect against government surveillance' - Can you perhaps clarify this statement? By this do you truly mean to say that *no* data reporters or competent computer specialists are working with the documents?"

No. What I wrote and what you wrote are different. There are several competent computer specialists working with the documents. Ashkan Soltani has been working with the Washington Post for most of the past year, for example. More recently, Micah Lee has been working with the Intercept. What I wrote is that no one, at least as far as I know, is looking at the documents with an eye to publishing stories about the technology as technology. Political stories that include technological elements, yes. Technological stories, no.

Bruce Schneier • October 19, 2014 8:39 PM

"How do you know this if you are not involved? Or is it based on the fact that articles aren't being written by the press?"

I know this primarily because the articles are not being published, but also because I have talked with some of the journalists working with the material.

Bruce Schneier • October 19, 2014 8:41 PM

"Greenwald has responded to this post on Twitter; he cites multiple news organizations and subject matter experts working on the Snowden documents. I'm curious to see Bruce's response."

I didn't see the Tweet, but I can't respond.

I'm sure Greenwald is correct about whatever he said, though. And it would be great if there finally are people writing the tech stories. I think they need to be written.

Bruce Schneier • October 19, 2014 8:43 PM

"Seriously, I think I'm missing something. Cryptome has this post listed from the links "Bruce Schneier Censored by Snowden Censors". I'm not clear what's being censored. :("

I don't think anything or anyone is being censored.

Bruce Schneier • October 19, 2014 8:47 PM

"I'm actually more interested in how you lost access to them than the manual itself. I recall you had some or all the documents on an air gapped machine. First thoughts were it was an accident, a sabotage via something someone sent you, you got rid of them willingly, or you were compelled to get rid of them."

I deleted the manual after the QUANTUM/FOXACID story was published, along with all of the other unredacted source material that went with that story.

At the time, we all believed that we would be writing a series of tech stories based on the material. If you remember, Greenwald broke with the Guardian soon after, and then I lost access because he lost his press platform. That was unexpected by everyone. I have not yet gotten back together with Greenwald and the Intercept, and at this point doubt that I ever will.

Nick P • October 19, 2014 9:30 PM

@ Bruce Schneier

Thanks for the explanation. That makes a lot of sense.

"What I wrote is that no one, at least as far as I know, is looking at the documents with an eye to publishing stories about the technology as technology. Political stories that include technological elements, yes. Technological stories, no."

Don't feel this is as much an issue, though. We've been doing one better: we're understanding how their attacks are working, what they're hitting, and developing tons of countermeasures & working strategies. I've posted most of my own on your own blog, from beating hardware subversion all the way up to middleware. Although I agree those technology stories might be interesting, I put a lot more value in those that are instead strengthening various layers so as to make TAO developers throw shit across the room. The funny thing is that DARPA and NSF, both US-based, are funding some of the best foundational work with design details publicly available (eg clonable).

Andrew_K • October 20, 2014 2:47 AM

(Post written on Oct, 16th)
Yes, there are probably documents within the Snowden files which are interesting. They may not be interesting to 99% of the public since they deal with technical details, not the big stuff. We at this commentary section might be part of the 1% that is interested in knowing every detail on every program. We should not make the mistake of inferring public interest from us being part of the public and us having this interest. See the majority's continued usage of Facebook, Dropbox, and so on. The majority of the public does not care.

Anyhow, these documents may still be dangerous and none of us would be able to see the danger. MaxCohen has a very valid point that there may be names of average people contained who -- somehow -- managed to get on the NSA's radar and who would not want to receive any public attention. There may also be people on lists who are on them for very good reasons, and those should probably not be warned. In addition, the files may still be a risk to ongoing undercover operations. The Snowden files might contain just that part of the puzzle which is needed for Chinese counterintelligence to identify an American mole.

A solution to that dilemma could be that whoever has the files hands back a copy to the U.S. officials, who then can get their spooks to safe harbours without raising suspicion. Wait five to six months (you should announce that when handing back the copy) and then publish the complete document set. The bad thing is -- U.S. officials might not cooperate, playing a game for which undercover agents in hostile countries will have to pay the price.

@ anonymous coward
Getting people out of the way includes knowing which people to get out of whose way. As far as publicly known, NSA has no clue which documents Snowden took. They can't (ok, they will not) shut down complete operations.

@ Bruce
It's all about secrets and lies :)

Bruce Schneier • October 20, 2014 8:40 AM

@ Nick P

"Don't feel this is as much an issue, though. We've been doing one better: we're understanding how their attacks are working, what they're hitting, and developing tons of countermeasures & working strategies."

You're probably right. When I first looked at the NSA material in August, there was a lot that I thought the tech community needed to know. At this point, we seem to be reverse-engineering a lot of it. Nicholas Weaver is doing some incredible work in this area, for example.

Peter • October 20, 2014 9:40 AM

"I lost access to the Snowden documents"

Brian, you really expect us to believe that you don't have a copy? But that's okay, I would probably say the same.

Trust no one, deny everything :)

Nick P • October 20, 2014 1:28 PM

@ Bruce

Exactly. Especially Weaver, as he came to mind when I wrote that comment. He's tearing their stuff up. The guy attacking GSM & picocells is incidentally reversing their capabilities there. And Epstein's people at NSF & DARPA are killing their efforts at the foundation. The technical side needs *way* more attention, as I've always repeated here. I do feel better, though, knowing talented people like Weaver are among the few dealing with the TLA threat.

Bruce Schneier • October 20, 2014 2:56 PM

"...you really expect us to believe that you don't have a copy? But that's okay, I would probably say the same."

I did not take anything home from Brazil with me. Remember, it was a week after Miranda was arrested in the UK. Everyone was on high alert.

And we all believed that I would be soon back in Rio doing more work with the documents. Greenwald's break with the Guardian was unexpected by everyone.

Skeptical • October 20, 2014 7:29 PM

I'm wary of the idea of stories being written specifically to counter the techniques and vulnerabilities described in NSA documents.

In part this is because I'm not sure that the set of currently known vulnerabilities is equal to the set of vulnerabilities known by the NSA. Stories derived from the Snowden cache will be focused upon the set of vulnerabilities known by the NSA, and so these may have a disproportionate impact upon the NSA relative to other foreign intelligence agencies.

More generally, my reservation exists because it's hard to know what vulnerabilities, or what techniques, are currently of sufficient importance to outweigh public disclosure. One publication for example accidentally exposed the name of a militant group in Iraq whose communications could be captured by exploiting a vulnerability in an app (also exposed) many of them used. Given current events in Iraq and Syria (and elsewhere), shutting down such a source may come at higher costs than benefits.

The real problem here is that, outside the government, or a government-sanctioned public/private group, I don't think that necessary weighing can occur due to lack of information.

Bruce, you might consider reaching out to respected journalists - those you know or others - and writing an article on the process used by the US Government to decide whether, when, and how, to disclose vulnerabilities. Despite the huge incentives to lose perspective and integrity in pursuit of the Snowden story, you kept things pretty level. Even where I disagreed with you, you were reasonable.

I'm not sure how far the story would get, since the USG seems to be flirting with the idea of greater disclosure in this area, but remains uncertain. So this would be a first date. Bring along some reporters, another tech expert or two, all respected for their expertise and their balance (don't bring anyone who thinks all documents should be released, for example).

Still, this could be a very fruitful area of inquiry for you, and connects well to some of your key concerns. It's also an area where you would have a lot to contribute, a fact that perhaps would be made known to the right people in the course of reporting.

I wonder what a team of Gellman, Wittes, Schneier, Soltani working on this story would produce.

JonKnowsNothing • October 20, 2014 8:31 PM

(originally posted 10/16/2014)

If you read Glenn Greenwald's book "No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State", you will find the first portion of the book totally dedicated to how "uninformed and technically ignorant" he is and he likely has not improved much. He is a journalist/lawyer.

Only Laura Poitras, a documentary film maker forced to live in Germany to avoid US Govt harassment, was smart enough to do what was needed and communicated with Edward Snowden long before Greenwald managed to figure out what to do. She even had to hand him the entire set of documents because ... well, he couldn't figure out how to open them himself.

There's no doubt that dumping the entire trove is not going to happen, and it would NOT be in the best interests of everyone, as it gives credence to government complaints about accessing and publishing documents unofficially released; and in some countries like Australia, they are implementing laws to prevent such publication under any circumstances, to be followed by prison sentences way longer than Chelsea Manning received (35 years).

Dumping the wrong document, the wrong way would be very unhealthy and not everyone can have accommodations in the Ecuadorian Embassy in London. There is a lot of room at Gitmo but I don't think anyone would willingly want to settle there for the remainder of their lifetime.

There are technical aspects that need to be reviewed and it's unfortunate that a journalist isn't quite up to snuff to figure out that some technical stuff needs to be reviewed by techies.

There are a number of holders of the documents now, each pursuing their own agendas. Most are journalists and publishers. Each is engaged, not so much in slowing down the release of the info, as in fighting various legal problems.

The Guardian, the original publisher of the documents and close supporter of Edward Snowden, publishes in 3 sensitive areas: UK, USA, Australia. In the UK and Australia there is no "freedom of the press" and the government can shut down any publication for any reason they choose. See the video of the destruction of the Guardian hard drives for an example.

Australia has or is passing a law to prevent any further publication of any un-official documents whether they are from Snowden or the other 2+ NSA leakers or any future leakers.

In the USA the FBI/NSA and friends are pushing their own interpretations of these laws and as has been mentioned, plan to put a stopper in the end-to-end encryption plans of tech companies in the USA.

While Bruce Schneier may not have current access to the documents, he is free to continue to give public discourse on them as they are released. He's not facing an indictment and he's not a disappeared person nor is he under proxy detention.

I prefer that he remain free to explain them and expose other aspects and implications of these policies. His explanations are worth more to me than an unexplained-dump-all-who-will-read-it-no-one set of files.

Ask yourself: Have you read every single file released by Chelsea Manning? She gave up 35 years of her life to give them to you. Did you read all of them? 100% of them? Never missed a dot, dash or undefined cross-reference?

I'll wait for the explained version as long as we can have enough people who can explain them so that even Glenn Greenwald can understand, why he shouldn't carry a cell phone: the War Head On Forehead Targeting Device willingly carried by nearly everyone. (update 10/20/2014 Apple sold 40 MILLION of the newest version of these targeting devices in 3 months and expects to sell even more of them by end of the year 2014.)

In fact, it doesn't matter one bit if another Snowden file is released or not. Everyone who reads this blog or news like it already knows the answer and what needs to be done. We've known it for a long time: decades even. But we lied about it, we said it wasn't true. We lied to ourselves, our colleagues, our bosses and our customers. We said it was too hard, too cumbersome, too complex, made the code run slow or wasn't elegant or clean. We did this because it was easy to do. We, ourselves, made this debacle what it is.

The question that remains is what will YOU do about it? There are @20,000 NSA employees and @80,000 NSA contractors and less than a baker's dozen have stepped up to tell you what you already know. What about the rest of the thousands of employees at Google, Facebook, Microsoft and all the rest of the companies that benefit off what you already know? How many of them are stepping up to do "the right thing"? How many of them are making a stand and withdrawing completely from these activities? You already know the answer here too. Even Bruce Schneier has to put a disclaimer on his site lest his employer be "tainted" by the truth. What will you do? Exactly what General Keith Alexander, then head of the NSA, said would happen when the last file of the Snowden cache was released: "Nothing".

Glenn Greenwald is the wrong person to worry about. Look to yourselves now. You are the only ones who can make a difference.

JonKnowsNothing • October 20, 2014 8:59 PM

@skeptical

I'm not sure how far the story would get, since the USG seems to be flirting with the idea of greater disclosure in this area, but remains uncertain.

There will be no true disclosures from the USG or the NSA or GCHQ or Unit 8200 or any of the other agencies world wide. They will act and talk like there are changes, but a detailed read of the analysis of public documents that purport to document how these activities are legal, then illegal, and then legal again shows there are no plans to change, and whatever they say has been changed can be un-changed/altered/augmented any time the agencies choose.

It's not bits and bytes, but it's even more important because it shows exactly how and what they think of your privacy. The technology won't be allowed if they decide it's in the "illegal" column. A quick change, in the dark, no disclosures, and it's all back to square one.

Courts shouldn’t rely on EO 12333 because the President could always change it: Sheldon Whitehouse’s revelation on December 7, 2007 (right in the middle of this litigation) that OLC had ruled the President could change it in secret and not note the change publicly. Whitehouse strongly suggested that the Executive in fact had changed EO 12333 without notice to accommodate its illegal wiretap program.


See:

FISCR Used an Outdated Version of EO 12333 to Rule Protect America Act Legal
Published October 20, 2014 By emptywheel Marcy Wheeler

ht tps://www.emptywheel.net/2014/10/20/fiscr-used-an-outdated-version-of-eo-12333-to-rule-protect-america-act-legal/

(url fractured to prevent autorun. remove the space from the header)


Clive Robinson • October 21, 2014 4:29 PM

@ Skeptical,

I'm wary of the idea of stories being written specifically to counter the techniques and vulnerabilities described in NSA documents.

Don't be.

The reasons are firstly they are from 2008 or earlier, so at least six years old. If you believe as many do in the technology 18-month generation, then the exploits are 4 generations old, or in human terms eighty years old or just pre WWII.

As I said at the time Bruce went through the TAO catalogue, there was nothing in there that I could not easily understand and explain, and in some cases I explained how my own research was actually quite a bit ahead and explained some of the improvements in sufficient depth for anyone with a modicum of knowledge to implement them [1].

Thus I suspect that most countries with a formal higher education in engineering can not only do the same as in the TAO catalogue but a lot more. And even if they have not, there are plenty of manufacturers quite willing to sell any government or Law Enforcement Organisation the technology (it's what I used to do many years ago [2]).

Thus you have to weigh the nebulous intel claims against the very real harms caused by the likes of Russia, Israel, France, China and in the case of my country the USA as well.

Thus explaining how to defeat these old attacks is a step forward in making us all more secure, and thus stabilizing society and hopefully reducing the likelihood of yet another war and its consequences.

If you look back on this blog you will see that I've regularly explained the likes of EmSec (enhanced TEMPEST) for exactly the same reason. Importantly, always, always with publicly published information, available to anybody who wants to learn and can buy or borrow the text books etc. On a couple of occasions I've had to wait for others to --often unknowingly-- provide a public example (for instance you will see I had to wait on some of Matt Blaze's students before I could talk about "clocking the inputs and clocking the outputs").

As I've indicated in the past, you are more than welcome to disagree; that is your freedom to do so, and likewise I reserve the same right with regards to what you say. Which is not to say that I disagree with you all the time, I don't, but even when I do I generally find it provokes me to think more on the subjects raised.

[1] Whilst you might think this is some kind of traitorous behaviour, I don't believe it is, nor, I suspect, do the authorities, who it's highly likely read this blog. And further, they appear to have used without my permission some of my older ideas for airgap crossing and the like.

[2] What stopped me being what the spook officers call a "contractor" was an issue over the design for an efficient wide band programmable EM jammer in the 1980s for a ME country. I'd checked with my handling officers and they green lighted it, then the CIA or their ilk stuck their flat feet in. It was messy and I was lucky not to end up like the Matrix four, or worse Gerry Bull. There's nothing like having your freedom or existence put on the line because it's politically convenient or because compartmentalisation means you get thrown to the wolves to wake you up to just how dysfunctional the secret intel world really is. And the politicos really should wake up to the fact they "Only ever get an intel hand job not even a blow job and never ever the real thing, because they cannot be trusted.", most of which are predicated on what the politicos want to hear not the actuality of the real world (intel weenies, especially the seniors, want to believe they are "movers and shakers" if not "king makers", not realising they ceded that to the likes of News Int. years ago). If you ever want to find out what the real world is all about, go on a deniable black bag job to a diplomat's house or mission where you know they have guns and no restraint on using them... That's what the likes of comms companies' "Secret Squirrels" do, usually much to the enrichment of the company executives (an illegal advantage under EU legislation that BT has enjoyed for many years).
