Microsoft Excel used as example in new NSA XKeyscore leak

The revelations about just what the National Security Agency is able to do in terms of looking in on anyone's online content continued today; newly leaked documents from a NSA training manual show something called XKeyscore, which has apparently been designed to view online content from almost anywhere, coming from nearly anyone.

The Guardian, which has been the recipient of prior NSA information leaks from Edward Snowden, also posted today's documents about XKeyscore, based largely on a manual made in February 2008. In its basic terms, the program lets NSA analysts view the content and the metadata from almost any source.

One of the pages from the manual, shown above, shows an example of how this system works. It states that XKeyscore can view "all the Microsoft Excel spreadsheets containing MAC addresses coming out of Iraq so I can perform network mapping." While a court order is needed to follow a US citizen via XKeyscore, no such court order is needed for foreign targets, even if they are talking with US citizens.

In a statement to The Guardian, the NSA defended the use of XKeyscore, saying it was a part of its "lawful" foreign data gathering activities. It added, "Allegations of widespread, unchecked analyst access to NSA collection data are simply not true."

Source: The Guardian | Image via The Guardian

Report a problem with article
Previous Story

Microsoft agrees to change SkyDrive name worldwide; won't appeal ruling [Update]

Next Story

Outlook.com users experiencing problems accessing email [Update: Back up]

45 Comments

Commenting is disabled on this article.

An this is why everyone should get rid of MS products (besides windows), an start using open source programs like "LibreOffice".

And why is that exactly, when this monitors network traffic? Excel was just used as an example of the type of query filters they can call. It could have just as easily said "Show me all .odf files send from Pakistan." It has nothing specific to Microsoft.

Snake89 said,
An this is why everyone should get rid of MS products (besides windows), an start using open source programs like "LibreOffice".

NO, companies want their staff to be productive, thats why they use MS Office, a program used world wide, if they wanted an outdated pile of 1998 crap then yes LibreOffice would surfice.


This xkeystore thing look more like a way to detect a suspicious activity on the web, than spying on each pc. So if you speak german in pakistan you are suspicious, mmm ok.

Fritzly said,

Fair enough, we are all entitled to our opinions although a little digging could help to gain a better knowledge about the subject:
http://www.theguardian.com/wor...e-program-full-presentation

It is indeed bogus, If this information comes from Snowden, I have great doubts about his authenticity. There is no bleeding way NSA can know which mac address is located in Irak, that is simply not possible. They would have to use ip adress to match, not mac address.

"One of the pages"

This is by no means being described as the limitations of this system, this is a mere example of its capabilities.

Shadowzz said,
Why MAC addresses? Arent they aware there are thousands if not millions of devices with duplicate MAC addresses right?
MAC addresses are a 48bit address and were intended to be a globally unique identifier. However, since they can be spoofed, changed, and virtualized. The IEEE Registration Authority, issues an Individual Address Block to hardware manufacturers, which is followed by a 12 IEEE-provided bits (identifying the organization), and 12 bits for the owner to assign to individual devices but there still is potential that they can be duplicated. It's probably not a rampant as you a suggested however, since there are 2^48 or 281,474,976,710,656 possible MAC addresses.

Edited by ahinson, Aug 1 2013, 3:54pm :

siri, show me all the microsoft excel spreadsheets containing MAC addresses coming out of iraq so I can perform network mapping

NO they don't have a backdoor into the OS. Read the article, "all the Microsoft Excel spreadsheets containing MAC addresses coming out of Iraq so I can perform network mapping.", meaning they are reading this information from their warrant-less monitoring of Internet traffic.

If anything, this is why you should protect your data before sending it in the clear.

The MAC addresses whose origins (IP ranges) are from Iraq.
Once the traffic is in a network, in which they have full control of the data, they can do whatever they want with that data, including reading any unencrypted traffic.

It's akin to using a network traffic analyzer/sniffer in a local area network - except on a much broader scale.

ahinson said,
NO they don't have a backdoor into the OS. Read the article, "all the Microsoft Excel spreadsheets containing MAC addresses coming out of Iraq so I can perform network mapping.", meaning they are reading this information from their warrant-less monitoring of Internet traffic.

If anything, this is why you should protect your data before sending it in the clear.

That is not what it says at all. In fact from the image you have no way of knowing what they are saying which is why this means nothing. As I referred to earlier it may as well describe a tool they use to scan data on a captured storage device.

All this text does is describe an action;
Perform -network mapping- based on -MAC addresses based in Iraq- which are -in an Excel spreadsheet-.
It does not specify what the source of the Excel sheet is, where/what this source is or how it has been obtained. It does not say anything about IP addresses or ranges either.

paulheu said,
That is not what it says at all. In fact from the image you have no way of knowing what they are saying which is why this means nothing. As I referred to earlier it may as well describe a tool they use to scan data on a captured storage device.

All this text does is describe an action;
Perform -network mapping- based on -MAC addresses based in Iraq- which are -in an Excel spreadsheet-.
It does not specify what the source of the Excel sheet is, where/what this source is or how it has been obtained. It does not say anything about IP addresses or ranges either.

You're right, my version is purely based on inference of other news and my person take - so it's speculation.

LINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUX

Lord Method Man said,
You really don't understand XKeyscore at all, do you?

Its f'ing Neowin man. Actually reading the articles is entirely optional, and usually frowned upon in the comments section.

Max Norris said,

Its f'ing Neowin man. Actually reading the articles is entirely optional, and usually frowned upon in the comments section.

Cause that is completely unique to Neowin.

syobon999 said,
LINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUXLINUX

Wow, how ignorant.

How does the above image show NSA is able to access any (online) excel spreadsheet and perform said action?

It is one page out of context from the other pages and basically says nothing about what this applies to. It may as well be about filtering data on a laptop or thumb drive which was found during some action.

This is the problem with these leaks, they are all out of context and you can interpret them in many ways. It smells more like half-*ssed journalism than anything else.

Wait, so am I reading this right? The NSA has a back door in Microsoft Office and they can track everybody online from any source? Oh, god please tell me I'm reading this wrong. That's terrible.

Tyler R. said,
Oh, god please tell me I'm reading this wrong. That's terrible.

You're reading it wrong. Excel isn't a server. They could just have easily used Notepad as an example.

syobon999 said,
more like a backdoor in MS Windows that allow this kind of mass file grabbing.

*sigh* You do know these files are being handed over from online storage systems and not users computers right? (The majority of which aren't even Windows based.) Pretty sure there's a bunch of articles about it here somewhere...

i find it pretty bad as office docs are supposed to be encryptable, unless its only for docs unencrypted, however i wouldnt have thought so.

syobon999 said,
OH YOU ARE SO SMART, WHAT YOU ARE GONNA DO ABOUT THIS SURVEILLANCE SYSTEM?

Don't save sensitive information on third party servers?

bigmehdi said,
Well the back door is either in microsoft office, or ms windows.
The worse case is in the later.
I'd like to know.

No. Probably none of them.

There is a number of ways the NSA could achieve this with XKS.
They could have access to backbone providers and using an optical splitter feed all the network in and out of iraq to their own private backbone network, directly into their data centres, probably on USA soil.
Or using the exploit similar to what China did, routes the entire networks, via their own servers.

Again once they have the data stored on their own servers, they can play about with it however they want.

Packet inspection to dig out known routers for networks and or machines of their targets. Or checking for known headers for documents such as Excel and then doing a cross check to known mac addresses. Harvesting the excel files and doing dictionary work and holistic checks to match key words and then further havesting everything else to do with that perticular 'interesting' user, via their MAC address since every packet on the internet is sent along with your mac address.

There are a few other ways but we don't really know how much of an infratructure they have already laid. For all we know their fat pipes for their private network could be just as big as our level3 back bone provider etc. Certainly with almost everything from Europe going via London and New York, it wouldn't be hard for them...

Anyone remember a few years back where we had transatlantic links cut by supposed trawler ship anchors? For all we know, the NSA could have had a underwater base commissioned and the cable feed split there without anyone ever knowing.

bigmehdi said,
Well the back door is either in microsoft office, or ms windows.
The worse case is in the later.
I'd like to know.

Did you even read the artical?????? It says online content....... DERP


XKeyscore, which has apparently been designed to view online content from almost anywhere, coming from nearly anyone.

Sagum is right. The only way this can be done is upstream at the Internet Backbone. I do data consolidation for a living so I know that the only technical means to gather data like they are describing is at that level and monitor all Internet traffic. Once inside a firewall though, they can't get at that data unless Cisco has given them that level of access and if they did, companies IT would know about it as it would be traceable and observable.

We also know that they do have that level of access from the AT&T leaks years ago. There is a room dedicated to the NSA and using Fiber Optics, it makes sense that you could split that data, mirror it, which is probably where half the bandwidth is going to justify caps, lol.

Tyler R. said,
Wait, so am I reading this right? The NSA has a back door in Microsoft Office and they can track everybody online from any source? Oh, god please tell me I'm reading this wrong. That's terrible.

No, it was saying that the NSA can access and filter data that is being transferred over the internet. They used Excel files as an example, but I imagine it could be any type of internet traffic.

They didn't specify whether there were any restrictions on the data they can access. But I imagine they would have a harder time getting files that are being transferred within another country.

Did you read the article?

It was saying that the NSA can access the contents of Excel files (or any other file for that matter) coming out of another country. Read before you comment, damn.