Some time ago the alleged source code of XKeyscore - one of the tools the NSA uses to spy on people - has been published. Now a security analyst by the name of Robert Graham analyzed the code line for line. He suspects that the NSA uses a modified version of Snort or something similar. Within the code he found several lines regarding the reported flagging of tor users like:
fingerprint('anonymizer/tor/torpoject_visit')=http_host('www.torproject.org') and not(xff_cc('US' OR 'GB' OR 'CA' OR 'AU' OR 'NZ'));
This triggers "torproject_visit" to be true unless the user is in one of the "Five-Eyes-Alliance" countries. Similar code can be found regarding .onion and the analysis of e-mails.Especially mails from [email protected] are filtered since they contain lists of Tor-Bridges.
He composed a blog post containing various tips on how to trigger XKeyscore and flood it with useless information maybe even to the point that the system itself might get corrupted. Those tips can be found at http://blog.erratasec.com/2014/07/jamming-xkeyscore_4.html?m=1
Click the link at your own risk, you might trigger XKeyscore just by visiting the page. I thought I share it with TekSyndicate anyways since this is the stuff that might interest some people around here.
Sources: http://www.heise.de (german), http://blog.erratasec.com