<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    It has been publishd in the Linux Journal that NSA tags you/us for
    extra tracking etc when you search Linux Journal for subject on
    Tails or Tor. Well that got me. How about you.<br>
    <br>
    <br>
    Feel good about my country now!<br>
    <br>
    <font color="#3333ff">Here is NSA's script:<br>
      <br>
      // START_DEFINITION<br>
      /**<br>
       * Fingerprint Tor authoritative directories enacting the
      directory protocol.<br>
       */<br>
      fingerprint('anonymizer/tor/node/authority') = $tor_authority<br>
        and ($tor_directory or preappid(/anonymizer\/tor\/directory/));<br>
      // END_DEFINITION<br>
      <br>
      // START_DEFINITION<br>
      /*<br>
      Global Variable for Tor foreign directory servers. Searching for
      potential Tor<br>
      clients connecting to the Tor foreign directory servers on ports
      80 and 443.<br>
      */<br>
      <br>
      $tor_foreign_directory_ip = ip('193.23.244.244' or
      '194.109.206.212' or<br>
      '86.59.21.38' or '213.115.239.118' or '212.112.245.170') and port
      ('80' or<br>
      '443');<br>
      // END_DEFINITION<br>
      <br>
      // START_DEFINITION<br>
      /*<br>
      this variable contains the 3 Tor directory servers hosted in FVEY
      countries.<br>
      Please do not update this variable with non-FVEY IPs. These are
      held in a<br>
      separate variable called $tor_foreign_directory_ip. Goal is to
      find potential<br>
      Tor clients connecting to the Tor directory servers.<br>
      */<br>
      $tor_fvey_directory_ip = ip('128.31.0.39' or '216.224.124.114' or<br>
      '208.83.223.34') and port ('80' or '443');<br>
      // END_DEFINITION<br>
      <br>
      <br>
      // START_DEFINITION<br>
      requires grammar version 5<br>
      /**<br>
       * Identify clients accessing Tor bridge information.<br>
       */<br>
      fingerprint('anonymizer/tor/bridge/tls') =<br>
      ssl_x509_subject('bridges.torproject.org') or<br>
      ssl_dns_name('bridges.torproject.org');<br>
      <br>
      /**<br>
       * Database Tor bridge information extracted from confirmation
      emails.<br>
       */<br>
      fingerprint('anonymizer/tor/bridge/email') =<br>
      email_address('<a class="moz-txt-link-abbreviated" href="mailto:bridges@torproject.org">bridges@torproject.org</a>')<br>
        and email_body('<a class="moz-txt-link-freetext" href="https://bridges.torproject.org/">https://bridges.torproject.org/</a>' : c++<br>
        extractors: {{<br>
          bridges[] =
/bridge\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):?([0-9]{2,4}?[^0-9])/;<br>
        }}<br>
        init: {{<br>
         
      xks::undefine_name("anonymizer/tor/torbridges/emailconfirmation");<br>
        }}<br>
        main: {{<br>
          static const std::string SCHEMA_OLD = "tor_bridges";<br>
          static const std::string SCHEMA_NEW = "tor_routers";<br>
          static const std::string FLAGS = "Bridge";<br>
          if (bridges) {<br>
            for (size_t i=0; i < bridges.size(); ++i) {<br>
              std::string address = bridges[i][0] + ":" + bridges[i][1];<br>
              DB[SCHEMA_OLD]["tor_bridge"] = address;<br>
              DB.apply();<br>
              DB[SCHEMA_NEW]["tor_ip"] = bridges[i][0];<br>
              DB[SCHEMA_NEW]["tor_port_or"] = bridges[i][1];<br>
              DB[SCHEMA_NEW]["tor_flags"] = FLAGS;<br>
              DB.apply();<br>
            }<br>
            xks::fire_fingerprint("anonymizer/tor/directory/bridge");<br>
          }<br>
          return true;<br>
        }});<br>
      // END_DEFINITION<br>
      <br>
      <br>
      // START_DEFINITION<br>
      /*<br>
      The fingerprint identifies sessions visiting the Tor Project
      website from<br>
      non-fvey countries.<br>
      */<br>
fingerprint('anonymizer/tor/torpoject_visit')=http_host('<a class="moz-txt-link-abbreviated" href="http://www.torproject.org">www.torproject.org</a>')<br>
      and not(xff_cc('US' OR 'GB' OR 'CA' OR 'AU' OR 'NZ'));<br>
      // END_DEFINITION<br>
      <br>
      <br>
      // START_DEFINITION<br>
      /*<br>
      These variables define terms and websites relating to the TAILs
      (The Amnesic<br>
      Incognito Live System) software program, a comsec mechanism
      advocated by<br>
      extremists on extremist forums.<br>
      */<br>
      <br>
      $TAILS_terms=word('tails' or 'Amnesiac Incognito Live System') and
      word('linux'<br>
      or ' USB ' or ' CD ' or 'secure desktop' or ' IRC ' or 'truecrypt'
      or ' tor ');<br>
      $TAILS_websites=('tails.boum.org/') or
      ('linuxjournal.com/content/linux*');<br>
      // END_DEFINITION<br>
      <br>
      // START_DEFINITION<br>
      /*<br>
      This fingerprint identifies users searching for the TAILs (The
      Amnesic<br>
      Incognito Live System) software program, viewing documents
      relating to TAILs,<br>
      or viewing websites that detail TAILs.<br>
      */<br>
      fingerprint('ct_mo/TAILS')=<br>
      fingerprint('documents/comsec/tails_doc') or
      web_search($TAILS_terms) or<br>
      url($TAILS_websites) or html_title($TAILS_websites);<br>
      // END_DEFINITION<br>
      <br>
      <br>
      // START_DEFINITION<br>
      requires grammar version 5<br>
      /**<br>
       * Aggregate Tor hidden service addresses seen in raw traffic.<br>
       */<br>
      mapreduce::plugin('anonymizer/tor/plugin/onion') =<br>
       
      immediate_keyword(/(?:([a-z]+):\/\/){0,1}([a-z2-7]{16})\.onion(?::(\d+)){0,1}/c
      : c++<br>
          includes: {{<br>
            #include <boost/lexical_cast.hpp><br>
          }}<br>
          proto: {{<br>
            message onion_t {<br>
              required string address = 1;<br>
              optional string scheme = 2;<br>
              optional string port = 3;<br>
            }<br>
          }}<br>
          mapper<onion_t>: {{<br>
            static const std::string prefix =
      "anonymizer/tor/hiddenservice/address/";<br>
      <br>
            onion_t onion;<br>
            size_t matches = cur_args()->matches.size();<br>
            for (size_t pos=0; pos < matches; ++pos) {<br>
              const std::string &value = match(pos);<br>
              if (value.size() == 16)<br>
                onion.set_address(value);<br>
              else if(!onion.has_scheme())<br>
                onion.set_scheme(value);<br>
              else<br>
                onion.set_port(value);<br>
            }<br>
      <br>
            if (!onion.has_address())<br>
              return false;<br>
      <br>
            MAPPER.map(onion.address(), onion);<br>
            xks::fire_fingerprint(prefix + onion.address());<br>
            return true;<br>
          }}<br>
          reducer<onion_t>: {{<br>
            for (values_t::const_iterator iter = VALUES.begin();<br>
                iter != VALUES.end();<br>
                ++iter) {<br>
              DB["tor_onion_survey"]["onion_address"] =
      iter->address() + ".onion";<br>
              if (iter->has_scheme())<br>
                DB["tor_onion_survey"]["onion_scheme"] =
      iter->scheme();<br>
              if (iter->has_port())<br>
                DB["tor_onion_survey"]["onion_port"] = iter->port();<br>
              DB["tor_onion_survey"]["onion_count"] =
      boost::lexical_cast<std::string>(TOTAL_VALUE_COUNT);<br>
              DB.apply();<br>
              DB.clear();<br>
            }<br>
            return true;<br>
          }});<br>
      <br>
      /**<br>
       * Placeholder fingerprint for Tor hidden service addresses.<br>
       * Real fingerpritns will be fired by the plugins<br>
       *   'anonymizer/tor/plugin/onion/*'<br>
       */<br>
      fingerprint('anonymizer/tor/hiddenservice/address') = nil;<br>
      // END_DEFINITION<br>
      <br>
      <br>
      // START_DEFINITION<br>
      appid('anonymizer/mailer/mixminion', 3.0, viewer=$ascii_viewer) =<br>
              http_host('mixminion') or<br>
              ip('128.31.0.34');<br>
      // END_DEFINITION<br>
      <br>
      <br>
      <br>
    </font><br>
  </body>
</html>