GCHQ's Response To Hacking Slashdot And LinkedIn: No Comment, But It Was Perfectly Legal

from the yeah,-nice-try dept

Over the weekend it came out that GCHQ used a packet injection attack on Slashdot and LinkedIn pages in order to do a “quantum insert” — basically a man-in-the-middle attack to install malware on the computers of key employees at Belgian telco Belgacom, which they then used to get much greater access to Belgacom’s infrastructure for spying. It would appear that neither LinkedIn nor the owners of Slashdot are particularly pleased about this. Asked for more information, GCHQ had a useful response: “no comment.”

In an emailed statement to Slashdot, the GCHQ’s Press and Media Affairs Office wrote: “We have no comment to make on this particular story.” It added:

“All GCHQ’s work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Intelligence and Security Committee.”

Right. So we can’t comment on this, but we assure you that it’s very much legal that we effectively ran a man-in-the-middle attack on your site, guaranteeing that people are less willing to go to your sites any more. Meh. Collateral damage for the very important work of spying on everyone.

Companies: linkedin


Comments on “GCHQ's Response To Hacking Slashdot And LinkedIn: No Comment, But It Was Perfectly Legal”

37 Comments
out_of_the_blue says:

Re: what about techdirt? reddit.com?

As I tried to ‘splain in the first re-write, fruitlessly to the fanboys, ANY site that re-directs can spoof another. It’s just a matter of doing. Teh internets is a giant confidence racket to lure us with empty entertainments, make us dependent on it for commerce, and then the already visible controls can be exerted to push us any way desired, including on-the-fly re-writing of history so won’t need any literal memory-holes. Some day soon you won’t be able to rely on Google at all, already it censors — as in Pirate Bay and other links to the UK: just a matter of checking a bit of text and then NOT putting that site into the list.

DannyB (profile) says:

Encryption anyone?

If more sites used SSL, then a MITM attack becomes more difficult (not impossible). It then becomes necessary to either compromise the browser into trusting a non trustworthy certificate, or to compromise one of over 600 Certificate Authorities into giving you a genuine certificate with which to conduct your attack.

I notice this morning that Google’s QUIC protocol has encryption apparently on all the time.

https://en.wikipedia.org/wiki/QUIC

http://www.ietf.org/proceedings/88/slides/slides-88-tsvarea-10.pdf

But why would you need to encrypt anything if you have nothing to hide? Using encryption when you have nothing to hide would be like quietly talking about private family matters indoors instead of shouting about it from the rooftop.

art guerrilla (profile) says:

Re: Re: Encryption anyone?

i can not make this point strongly enough:

IT DOES NOT MATTER whether someone/anyone has ‘something to hide’ or does not: our INALIENABLE RIGHTS are NOT contingent upon being good/bad people, or good/bad times…

our INALIENABLE RIGHTS are UNASSAILABLE in and of themselves…

if ANYONE tells you/asks you to ‘justify’ them, tell them to fuck off: WE DO NOT HAVE TO DO THAT…

these are BEDROCK NATURAL RIGHTS (regardless of any shredding of the constitution), and we do NOT need to ‘justify’ them, ‘excuse’ them, ‘asterisk’ them, or otherwise explain or weigh them against some mythical rationale to abandon these rights…

dog damn it, sheeple, stand up on your hind legs and bare some bicuspids at Empire ! ! !

power NEVER devolves voluntarily, we have to TAKE IT BACK…
stop being afraid of a state whose only power over you is being afraid of the state…

The They ™ do not hesitate to use violence against us 99% ALL THE TIME; what is the lesson from that ? ? ?

(pssst: the lesson is not to cower more abjectly…)

art guerrilla
aka ann archy
eof

Anonymous Coward says:

Re: Encryption anyone?

That would be one thing if all sites used HTTPS, but the PRISM documents already leaked go into detail how they have already defeated HTTPS and can even spy in on people using VPN software so it’s a moot point. They simply shouldn’t be doing it without proper court authorization, not this ‘oh fuck ya caught us, we will stop and won’t do it any more’ mantra which they seem to have going on.

out_of_the_blue says:

Boy, now you're getting multiple re-writes out of one original!

No comment except time for the fanboys to again have Tagline Envy!


Where Mike sez: “Any system that involves spying on the activities of users is going to be a non-starter. Creeping the hell out of people isn’t a way of encouraging them to buy. It’s a way of encouraging them to want nothing to do with you.” — So why doesn’t that apply to The Google?

06:56:12[h-137-3]

DannyB (profile) says:

Re: Boy, now you're getting multiple re-writes out of one original!

It must be terribly sad when children run crying from you in public, yet leaving you wondering why those same people are not creeped out by Google. Maybe there’s a reason for that.

Maybe, just maybe, I get something valuable from Google in exchange for my information passing through their servers, and maybe I also have a reasonable expectation that no human is bothering to read my emails. But also maybe I don’t get anything valuable from NSA critters snooping through my email looking for the slightest reason to suspect I’m an evil terrorist. Maybe to Google I’m just a blip in a vast ocean of statistics to calculate which advertisement I am most likely to respond to. Maybe to the government I’m an evil monster until proven otherwise.

out_of_the_blue says:

Re: Re: Boy, now you're getting multiple re-writes out of one original!

@ “DannyB”: “Maybe to the government I’m an evil monster until proven otherwise.”


If you’re up to forecasting: Maybe to The Google-Borg you’re product to be served up to its paying customers: advertisers, and none will care about your privacy or your being annoyed with endless advertisements.

Now, I don’t care (much) about YOU, but the masses of you dolts going along with rabid commercialization of everything is ruining MY privacy, and civilization too. You can’t be free when constantly surveilled, even if — as NSA says — it’s just by a computer: the info can be used against you any number of ways. You’re just saying a version of “Who cares? I don’t got nothin’ to hide.”

As usual, I’ve relevant tag lines (thanks for opportunity!):


Worse than being censored on the net is being advertised. You can escape censorship with your ideas intact; advertising uses lures and tricks to re-shape your very mind.


Google is in advertising, not freedom. Advertising is commercial propaganda full of deceit.


So long as “The Market” (if not NSA directly) rewards Google for spying, do you expect it to do LESS of it?

07:12:01[i-145-1]

Anonymous Coward says:

Re: Re: Re: Boy, now you're getting multiple re-writes out of one original!

“Now, I don’t care (much) about YOU, but the masses of you dolts going along with rabid commercialization of everything is ruining MY privacy, and civilization too. “

If you don’t like commercialization then don’t get involved in it period. So every time you come on this site then by your own actions you are showing that you like commercialization and everything to do with this site. You must be pretty dumb to keep coming on this site if you don’t like it. If you don’t like poison then it’s your own stupid fault if you keep coming on this site to get the poison that you so hate.

Anonymous Coward says:

Re: Re: Re: Boy, now you're getting multiple re-writes out of one original!

Yoyo apparently has never figured out what ad blockers do and what things like Noscript, Lightbeam, and Ghostery do. I resent the fact I have to load my browser with all of these to keep the majority of commercial spying out but I do it because I value my privacy and refuse to make it easy on them.

You should be enjoying all the Google wholesomeness supplied by this site since you like them so much.

Anonymous Coward says:

none of the UK’s security agencies have done a thing that’s illegal, according to them! the response is nothing different to what was said in the second ‘investigation’ that was done into their practices. we have done nothing wrong! i would like to know what punishment would have been demanded if it had been an ordinary individual that had done half what this or any of the other agencies had done! my guess is they would have had their balls nailed to the wall! what is worse is they will just go back now to blaming Snowden for all the bad feeling towards them and as soon as possible blame him further for something happening and how it would have been worse had it not been for what they are doing!!

Anonymous Coward says:

You didn’t expect these people to come out and say “Yep we did it and we made a mistake” we shouldn’t have attacked (insert every big tech company here)

That would be the grown up thing to do. Instead they fear losing their toys and so they try to stonewall.

Canada is next on the list. With basically no oversight mechanisms in place whatsoever over CSEC. They operate totally in the dark. Even worse than the GCHQ/NSA

Anonymous Coward says:

Looks like I’ll be looking for a new site to go to. I’ve been going to /. for years. I quit commenting when they went to Discus as I refuse to go join up with some datamining outfit just to be able to comment.

Now that it is proven that /. isn’t very secure it is now time to go elsewhere for nearly the same things they cover. That is unless they are determined to do something about it.

Short of that, they’ve just lost one reader for sure.

aldestrawk says:

Re: Re:

There is some hopeful information in the Spiegel article

“The injection attempts are known internally as “shots,” and they have apparently been relatively successful, especially the LinkedIn version. “For LinkedIn the success rate per shot is looking to be greater than 50 percent,” states a 2012 document.”

Reading between the lines: This shows that they had less success at targeting Slashdot as opposed to LinkedIn. This probably has to do with the kind of user who frequents Slashdot. Even among IT professionals, I would speculate that those who frequent Slashdot are more sophisticated about computer security. They are the kind that would ensure their work computers are updated frequently and would also update the software on their own computers or smartphones often. They are more likely to use less vulnerable browsers or restrict the use or limit the scope of scripts within the browser. A successful QI attack requires not only a vulnerability in the browser but one in the underlying OS to permanently make sure the computer is compromised. Do not ignore a major point here that these attacks were not always successful.

aldestrawk says:

Re: Re:

I don’t really see this as a reason for deciding to no longer read Slashdot. Remember that GCHQ was targeting a subset of Belgacom IT staff, not all Slashdot readers. The Slashdot site, itself, was not compromised or even touched. If they targeted you it would be for whatever sites you were currently using. Your best defense is to maximize security on your own computer or smartphone. It will not make any difference to stop using Slashdot.

Not an Electronic Rodent (profile) says:

Dictionary

“authorised, necessary and proportionate, and that there is rigorous oversight”

Hmmm…

“authorised,”

We took “If you find someone that’s probably a terrorist, you can collect stuff” to mean “Everyone’s a terrorist, do what you want”

“necessary”

We get loads of way cool reality porn this way, oh yeah plus sometimes there’s like crime and stuff

“proportionate”

If you compare it to all the data on the planet, it’s really not that much, plus we can’t really look at most of it very well, honest

“rigorous oversight”

Sometimes we pretend to tell some politicians what we’re doing, besides we got loads of good dirt on them as they do the best reality porn.

Duke (profile) says:

Re: Dictionary

Authorised will mean; it is within the scope of our duties under law (which is very broad).

Necessary will mean; if we don’t do this we have no other way of getting the information we need to carry out our legal duties.

Proportionate will mean; there is no less intrusive thing we could do to achieve this effect.

Rigorous oversight means: we have a couple of retired judges who come round a couple of times a year and ask questions, are answerable to a minister (who listens to whatever we say) and a Parliamentary Committee (appointed by the Prime Minister) which can ask us questions, but only force us to give answers about historical things and has no legal duty to investigate anything.

Which isn’t to say that GCHQ is evil. But their legal rules and oversight framework could be improved.

Not an Electronic Rodent (profile) says:

Re: Re: Dictionary

“Authorised will mean; it is within the scope of our duties under law (which is very broad).”

Add the word “assumed” before “duties” and that’s pretty much what I said…

“Necessary will mean; if we don’t do this we have no other way of getting the information we need to carry out our legal duties.”

Reality so far suggests this is true only if by “no other way” you mean “We couldn’t be bothered to look for another”

“Proportionate will mean; there is no less intrusive thing we could do to achieve this effect.”

…assuming the effect you’re going for is “we have to know everything about everybody we can whether they are even vaguely suspected of a crime or not”, then yes.

“Rigorous oversight means:…”

That’s what I said, isn’t it?

“But their legal rules and oversight framework could be improved.”

In much the same way as rot13 encryption could be more secure, yes.
