I think that it is more likely that GCHQ employs ex-hackers, especially those who have been due to be prosecuted under Computer Misuse Act misdemeanors.
Most of these kids are perfect for indoctrination into such government agencies. They like to think they are James Bond.
Codenames are computer assigned these days. There has been a history of operations being compromised because people were being overly descriptive with the codenames.
If you look at that list, the structure is quite obvious - so a program matching two words within broad categories gives you pronounceable and memorable names, without the risk of a human giving it something too related to the content.
> I think that it is more likely that GCHQ employs ex-hackers, especially those who have been due to be prosecuted under Computer Misuse Act misdemeanors.
Those people may get work in companies that do business with GCHQ/CESG, but I think it's unlikely they would be employed by GCHQ directly.
You use the word "misdemeanors" - that doesn't really have a direct equivalent in English law. Do you mean something that is not a criminal offence? Or something that is criminal but not arrestable? Or something that is arrestable but which doesn't carry a prison sentence?
(There is plenty of weird conspiracy stuff going on in the UK government, such as the role of the Metropolitan police in the press hacking scandal, the non-investigation of Hillsborough, security matters in Northern Ireland, the post office selloff, and anything related to Savile: http://www.harrowell.org.uk/blog/2014/07/02/tories-and-thugs... . There's no need to invent unsubstantiated ones)
Oh, definitely. Remember the "Anti-Crisis Girl" software[0] (screenshots leaked in Snowden's revelations), an obvious nod to Svetlana Loboda's song[1] of the same name from Eurovision.
The people crafting these things are people too, they go about daily life the same as we do, albeit in the firm belief they're doing it for the good of the people.
I find that if I think of military/intelligence project names as being in part a form of marketing for which I am not the target demographic, and then imagine the sorts of people who are in that demographic, they make a whole lot more sense.
In the UK: Contractors. Military contractors in particular are a huge industry and they've moved into producing surveillance equipment as a natural progress of what they produced previously.
They also buy from abroad (although mostly from the US and Israel, who both produce software like this at a number of shops).
> Developing creative solutions to technical problems on live operations, this is a high pressured environment. You'll need to be both flexible and focused. You'll be using a wide range of technical ability rather than deep specialist skills, but you'll need an interest and aptitude in network security and coding. You'll have plenty of opportunities to develop your skills, but a technical qualification or experience in low level software, network security, malware analysis, penetration testing or vulnerability discovery and mitigation would be useful. Most importantly you should have a willingness to learn.
It scared the crap out of me when Dropbox asked if I wanted to save my screenshot. Since when did it have access to things like that? I had a phone interview with Dropbox a few weeks ago and they mentioned a ton of new products that seemed vaguely off-putting as well. After the screenshot prompt, I immediately uninstalled Dropbox, but after a few days I realized it had a bunch of useful backups so I ended up reinstalling it.
If the dropbox program is running under your user account, it has the same permissions you do. Unless you're on Linux and have restricted it via AppArmor.
Isn't that behavior -- asking to do something before it does it -- the behavior that you'd like? I would be upset if it went ahead and did that, and then I discovered the feature later.
Maybe if I wanted to save my screenshots. I didn't want that behavior at all and it surprised me that it had access to things outside of the well-defined folder I had already known about.
I think the more important question is if their client is open sourced, how can we trust that the binaries are made with exactly those sources? There should be a measure of testing it without the sources too, maybe sniffing packets to check for the encrypted content is a start.
The whole point of being open sourced is that you can compile them yourselves after your verification and use the product of your own compilation with the server-side of spideroak.
More realistically, your distribution maintainers will verify and compile the package, and you trust your distribution maintainers more than spideroak so you delegate source verification to them.
> The whole point of being open sourced is that you can compile them yourselves after your verification and use the product of your own compilation with the server-side of spideroak.
So this is a good point, however:
> More realistically, your distribution maintainers will verify and compile the package, and you trust your distribution maintainers more than spideroak so you delegate source verification to them.
This is actually pretty compelling, but ignores Windows and OSX devices, which not only are the vast majority of all users, but also the least likely to compile their own. They will trust the provided binaries instead.
This is one of those "Why Johnny Can't Encrypt" (http://www.gaudior.net/alma/johnny.pdf) situations. I'm not solely criticizing spideroak here, I think this is a more general open problem with any 3rd party service that's meant to be trusted. It's an oxymoron that's been only somewhat breached because of public key cryptography.
Checking for encrypted packets wouldn't tell you anything about the binaries' trustworthiness. A back door might just encrypt the data with a second key, or more specifically, encrypt the key that encrypts the data with another key. A reliable way of testing binaries doesn't seem very feasible to me. It's like antivirus vendors trying to find new viruses: the malware authors can always obfuscate their code just a little more, do it just a little bit differently, and now it does the same thing while escaping detection.
Authors of open source software who want to distribute trustable binaries should include instructions for how to reproduce the binary exactly from the source. A third party verifier could reproduce the binary, then publish a digital signature affirming that they reproduced it, allowing anyone who doesn't want to compile it to check with a trusted third party.
But all of that is a moot point if the source code isn't being very carefully checked.
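The "reproduce the binary exactly, then compare" step described above, as an added example that is not code from this thread or from SpiderOak: a packaging step that normalises the inputs that usually make builds differ (timestamps, owner ids, directory order), beside the naive version, and the rebuild-and-compare check an independent verifier would run before publishing an attestation. It uses only the Python standard library and a constructed two-file source tree.

```python
"""Reproducible packaging step plus third-party verification (added example).

The archive's bytes depend only on file paths and contents, so any verifier
who rebuilds from the same source gets the same digest and can attest to it.
"""
import hashlib
import hmac
import io
import os
import tarfile
import tempfile

FIXED_MTIME = 0   # the usual sources of non-reproducibility: timestamps,
FIXED_UID = 0     # owner ids and directory iteration order


def build_archive_bytes(src_dir: str) -> bytes:
    """Pack src_dir into a tar stream that is a pure function of the tree."""
    buf = io.BytesIO()
    # Uncompressed on purpose: a gzip wrapper would embed its own timestamp.
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for root, dirs, files in os.walk(src_dir):
            dirs.sort()  # walk order is filesystem dependent, so fix it
            for name in sorted(files):
                path = os.path.join(root, name)
                info = tar.gettarinfo(path, arcname=os.path.relpath(path, src_dir))
                info.mtime = FIXED_MTIME
                info.uid = info.gid = FIXED_UID
                info.uname = info.gname = ""
                info.mode = 0o644
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
    return buf.getvalue()


def build_digest(src_dir: str) -> str:
    """Digest a vendor would publish next to the release instructions."""
    return hashlib.sha256(build_archive_bytes(src_dir)).hexdigest()


def naive_digest(src_dir: str) -> str:
    """Counterpart without normalisation: records real mtimes and owners."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(src_dir, arcname=".")
    return hashlib.sha256(buf.getvalue()).hexdigest()


def verifier_attests(src_dir: str, published_digest: str) -> bool:
    """What an independent verifier does before signing: rebuild and compare."""
    return hmac.compare_digest(build_digest(src_dir), published_digest)


def make_sample_tree(mtime: int) -> str:
    """Constructed source tree; mtime simulates a checkout done at another time."""
    d = tempfile.mkdtemp()
    for name, content in (("main.c", b"int main(void){return 0;}\n"), ("README", b"demo\n")):
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(content)
        os.utime(p, (mtime, mtime))
    return d
```

Two checkouts of the same sources made at different times give the same normalised digest but different naive digests, which is exactly the gap a vendor's "how to reproduce" instructions have to close.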
Don't vote for the big three. We've seen it with DRIP, and it will only get worse with time. Start getting active with the green party, or the pirate party UK.
The "terrorism" and "national security" justifications aren't absolute either: They are, in the best case, a shorter way of saying "what the informed public considers the right balance between security and freedom". It's frightening if the same agencies that are given a lot of powers based on this are also manipulating public opinion.
This story was in the first position on the front page less than an hour ago. It was there for hours. The link was then changed from [0] to [1], and within thirty minutes, it was on the second page at number 47. (It first took a drop to around 17, hovered there for a while, then hit 47.)
Could we have an explanation of what's going on here? How can penalties from flagging be this steep for a story with 200 upvotes and 90 comments? Why did the position suddenly change shortly after the link was changed, but not right away?
To be fair though, hasn't everyone who has started playing with HTTP in code manipulated online polls at some point just to learn? Does anyone actually put any weight in online polls other than linkbait headline sites?
Of course. But that is nothing "to be fair" about.
It's wrong to do so if you're a teenage hacker who just discovered scripting, and it's wrong to do so if you're a government.
And the latter is IMO much worse than some teenage kid playing around because of scale, impact, accountability and the fact that, in a "democracy", the government should be influenced by the people and not the other way around.
Really? It's wrong? By what measure? It's certainly not illegal to manipulate online polls. In fact, I personally find it quite amusing to do so, in certain cases.
I try to never conflate the meaning of the words "illegal" and "wrong", as they are rather orthogonal, even if many people do not realize this.
And I think it's wrong (unethical) to do so for a multitude of reasons. Two main ones are because it's misleading to people reading/interpreting the results, and that it's actively trying to sabotage the intent of whoever set up the poll.
Don't get me wrong though, if we're talking about a stupid or silly poll, on a stupid or silly site, or if it's in the context of a really good prank, etc, it can be a forgivable type of "wrong". In fact in certain circumstances one could even argue that it's not actually completely wrong, simply because I wouldn't want to live with a system of ethics where pranks are never right. That's a tricky one (as is often the case with discussions about ethics).
However, that's not really the type of manipulating of polls we were discussing here.
Consider online opinion polls around the Scottish independence debate. Whichever side you support, it's easy to recognise the political and democratic ramifications of an opinion poll being altered to reflect the current government's position.
Except there are plenty of real polls, being conducted by reputable polling companies, that people actually pay attention to. GCHQ aren't manipulating Scottish independence, they have plenty of Scottish staff, it would leak and that would be ammunition for the Nats.
Well a significant percentage of HN folk certainly, but I doubt this translates well outside this sphere.
I'm more alarmed by the email spoofing. Isn't this the same as manufacturing evidence? Consider: An entity is under surveillance, however the powers that be decide the scope is too limited. What better way to invite scrutiny than ensuring an email from the desired target arrives in the monitored entity's inbox?
It would be incredibly easy to use this sort of program to game visibility on HN.
This story itself serves as the perfect example. When it was submitted four days ago [0], it quickly took a huge ranking hit and dropped off the front page. When a story drops off the front page this quickly, it's nearly impossible for it to get the upvote momentum required to gain any additional visibility. And the same URL can't be submitted again, so the opportunity for discussion of the article has essentially been removed.
Then, we're left discussing a breaking story as the top item four days later, when a summary report about the original story that contains no new information is published on Slate.
One might be quick to blame moderators, but in the discussion of another recent First Look story, dang said most of the penalty came from users flagging the story. [1] How many users flagging the story does it take to produce this outcome? Does GCHQ just need three accounts with a little karma to seriously diminish visibility here for days? Safeguards should be developed to prevent this sort of malicious activity. Maybe some sort of collusion penalty, where if the same users are flagging the same stories, the effect is diminished? Or a greater restriction on the maximum penalty?
EDIT: And it's happened again! This story was #1 when the link was to [3]. About a half hour ago, the link was changed to firstlook.org, and within minutes, the story fell to the center of the main page. Now, thirty minutes later, it's at number 47 (with 200 points after six hours). It was at the top for hours, then dropped to 47 within thirty minutes of the link being changed. The fact that flagging happened right after the link was changed seriously suggests that someone has automated monitoring for First Look links to flag.
Of all the predictors of future dystopia, I think Asimov may be closest with the Foundation series in a weird kind of a way. I do wonder who the mule is though.
This is why we shouldn't touch online voting systems with a ten foot pole. Stuff like blockchain and next-gen/biometric auth systems give us some hope that in the future we can eventually have online voting for elections, but I'd still like it to be researched and tested for decades before such a system is implemented in a country.
> but I'd still like it to be researched and tested for decades
That's the real problem though: in order to attest that the system works and is reliable, you need massive knowledge and study. Considering that elections are supposed to be for everyone and the amount of people capable of conducting such studies is at most 100 per country, the whole electronic voting is impossible.
It's not a technical issue, it's either an education issue (everyone needs to be able to understand and verify the system) or a "knowledge" issue (we need to find a straightforward solution to the problem)
You vote online, you print a paper ballot, you print a copy of the ballot for your own records, you mail the paper ballot so it can be verified in the event of a dispute.
If anything, that would be more secure than what we do now since citizens can count the votes on their own and have hard copies of their voting decisions to dispute the official record with if need be.
Right now, you send the only copy you have to the government at your polling place...and can't prove anything if they alter your vote(s).
Of course, which is why you have the online version [which would also need to be intercepted] and every citizen having a copy of their own votes [if everything is compromised, you can go door to door].
The more parties with a copy of the voting record, the better off we are and the harder fraud is to commit.
I'm just generally amused by the "online voting" issue when, right now, none of us can even prove how we voted...let alone guarantee the vote totals were correct. We take it on faith no one meddles with our paper ballots. Yet, you expect higher protections for a system that naturally lends itself to being as verifiable as the existing system AND providing more methods to verify the validity of every voter's votes.
Not if it's open-source (or at least, harder to game).
All you gotta do is co-opt the "Read the Bills Act" with a requirement to video-record the congress-person reading the bill (as that becomes their affidavit). Make that open-source, and then it just starts bleeding out. Auto-upload that to an app where people could get speech-to-text transcription / notifications / annotate sections / review past laws being read by past congress-people / etc. From there, ensure all bills can be edited in central and private repositories (probs git, erryone likes git, though svn treats me well), so that all final bills can have all individual contributions clearly marked/annotated automatically. Oh look, auto-matching bill-text with campaign contributions :-P. Code is law. Patch the corruption.
> GATEWAY: “Ability to artificially increase traffic to a website.”
Are they actually just talking about DDoS here? It seems an unusually euphemistic description if so, given how plain-spoken a lot of the previously published documents are.
And if not, why would they want or need to increase traffic? I'm puzzled.
I think they mean things like artificial visitor inflation. For example, to make a Youtube video "viral" they could seed it with 30,000 fake views. Or, perhaps, they could mass upvote certain HN threads as soon as they're posted...
Remember that intelligence agencies generally care more about exploitation (figuratively) and manipulation than attack.
1) increase traffic on articles that favor topic X (one the government likes). The publisher (owner of site) perceives it as public's interest, and adds more articles on X.
2) make some independent pro-government site appear more popular than it is. This could enable ad money to come its way (including from state ad campaigns), as an indirect method of funding it.
Perhaps if you are a terrorist organisation using the Internet to spread propaganda, believing a particular medium is reaching a wide audience, you might be more inclined to continue publishing via that medium. Of course, all of the content falls directly into the laps of GCHQ and the NSA.
Obviously defeating a naive online poll is trivial, but it is also trivial to detect.
Presumably this software does it in untraceable ways - with a botnet of IPs from the country in question, with delays and stutter etc so that it is indistinguishable from real traffic.
You should not underestimate the power of online actions in shaping opinion - for example if stories on a particular tech consistently made the top of HN, a significant no. of people would start thinking it was popular amongst this demographic.
If a BBC or Daily Mail story which was a puff piece for GCHQ was consistently on the top of their 'most read' section, people would be far more exposed to that story over a given period. etc.
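The "trivial to detect" side of the naive case above, as an added example that is not code from this thread: a small detector run over a constructed vote log, flagging sources by volume, by unnaturally regular timing, and by single-choice bursts, then re-tallying with the flagged sources excluded. It is a heuristic for the naive case only, as the comment says; the thresholds and the sample data are assumptions chosen for the demonstration.

```python
"""Detecting naive automated voting in an online poll (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: (unix_time, source_ip, choice). Organic voters
# arrive at irregular intervals from many addresses; the scripted burst
# comes from one address at a fixed cadence and always picks one option.
ORGANIC = [
    (1000 + t, f"198.51.100.{i % 40}", "yes" if i % 3 else "no")
    for i, t in enumerate([0, 7, 19, 33, 34, 58, 72, 90, 101, 140, 151, 177, 190, 230, 241, 266])
]
SCRIPTED = [(2000 + 2 * i, "203.0.113.7", "yes") for i in range(50)]
VOTES = ORGANIC + SCRIPTED


def per_source(votes):
    """Group (timestamp, choice) records by source address."""
    by_ip = defaultdict(list)
    for ts, ip, choice in votes:
        by_ip[ip].append((ts, choice))
    return by_ip


def cadence_cv(timestamps):
    """Coefficient of variation of inter-arrival gaps; scripts sit near 0."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None  # too few votes to say anything about timing
    return pstdev(gaps) / mean(gaps)


def flag_sources(votes, max_votes=5, max_cv=0.2):
    """Return {ip: [reasons]} for sources whose pattern looks automated.

    Caveat for real deployments: a shared egress address (office NAT, campus
    proxy) can exceed max_votes legitimately, so volume alone should be
    weighed against the timing and single-choice signals.
    """
    flagged = {}
    for ip, recs in per_source(votes).items():
        reasons = []
        if len(recs) > max_votes:
            reasons.append(f"{len(recs)} votes from one address")
        cv = cadence_cv([ts for ts, _ in recs])
        if cv is not None and cv < max_cv:
            reasons.append(f"regular cadence (cv={cv:.2f})")
        if len(recs) > max_votes and len({c for _, c in recs}) == 1:
            reasons.append("single choice across the burst")
        if reasons:
            flagged[ip] = reasons
    return flagged


def tally(votes, exclude=()):
    """Count choices, optionally dropping flagged sources."""
    counts = defaultdict(int)
    for _, ip, choice in votes:
        if ip not in exclude:
            counts[choice] += 1
    return dict(counts)
```

On the constructed log the raw tally reads 60 to 6; with the one flagged source removed it is 10 to 6, which is the distortion a reader of the published result would never see.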
Still, schoolchildren have controlled botnets... I'm not overhyping the dangers of giving computers to children, my point is that you don't need sovereign power to do that.
As to manipulation of things like HN: The best defense is that such manipulation isn't as easy as just flipping a switch, and there is generally very little interest in doing so. Also companies where this is an issue (ebay, amazon, google) have very sophisticated systems that can't be fooled or controlled by spying agencies...
Running completely gameable, "unscientific polls" should be considered journalistic malpractice. It was annoying and stupid before, continuing to do so going forward knowing that it will be abused by governments and hidden organizations to manufacture consent is unacceptable.
This is in no way confined to polls. Almost every website has a voting component of some kind, be that measuring which stories are read most, allowing up/downvotes, Q&A or comment systems etc. It doesn't have to be a straightforward poll to be gamed.
I think it would be better to address the malpractice by our governments than to blame journalists - if the gov. is sufficiently determined, and is given the funds to spend on it, they will find ways to distort online discourse. The UK has just increased funding for 'intelligence' (what an oxymoron) by £800 million, so you can expect more of this to come, and we should lay the blame where it belongs - with those agencies poisoning the well of online discussion.
Online polls are worthless anyway. In high school, someone in our class hacked an online poll to win a contest to get Mandy Moore to perform at our school. NBD.
Reading a few comments here and thinking about yours, I realize that it could make a huge difference.
At present, I see the UK as a 2 or 3 party system, none of whom represent me (or a number of the people I speak to). Now say all the polls had been manipulated and the green party had a demonstrable chance of getting in, then I would likely vote for them. At present no reason.
First past the post is really the weakest form of democracy possible. The very phrase "tactical voting" demonstrates that it fails in its purpose.
But we're not talking about "all the polls" but "online polls." Here in the U.S., nobody bases their voting decisions on what Fox's or MSNBC's online polls say.
Ever heard of "moving with the stream"? Everyone does that sometimes, as you have to pick your fights. If you can create a fake public consensus, you've basically changed the direction of the stream.
Many people might even reevaluate their opinions if it seems that everyone else agrees on the opposite idea. It's pretty human.
Which is precisely why online polls are worthless. I wonder what sorts of results you'd get if you ran a poll about domestic surveillance on HN, Reddit, etc. You think that'd be a representative viewpoint? Who puts any stock in these sorts of poll results? Plus: if GCHQ can manipulate them, so can a whole bunch of other people...
They're statistically meaningless due to their skewed and self selecting nature but that's different to worthless.
As others have pointed out their results are often reported as significant and a statistically illiterate public will often believe the results are meaningful. So long as that remains true their manipulation can have some value.
There are some online pollsters such as YouGov who predict significant outcomes with quite good accuracy. We're not talking about vBulletin polls or anything here - their entire business is polls. They also monitor the trends and opinions of people towards products, political parties and other things.
Technically you could ruin a brand or political party by doing a pre-election poll, quoting the stats on Newsnight and demotivating the voters into voting for another party to avoid wasting their vote. This does happen. It wouldn't surprise me if cash changed hands here and there to make it happen.
If GCHQ got at the dataset or manipulated it with shill accounts at the pollsters then they could have significant power over the measure of public opinion.
Yes they are. A representative sample of the population is not online, period, and the huge self-selection bias in the sorts of websites they visit necessitates some very substantial black magic to get numbers out.
It's not about their accuracy. It's about skewing them, so people perceive some opinion as "non mainstream" while it could even be the majority opinion.
Fanatical supporters are quite capable of doing this on their own. For example, UKIP supporters dominate the comments section and polls on the Telegraph, while making up about 10% of the population.
(Yes, 30% of the vote in the Euro elections .. of a very low turnout)
> Fanatical supporters are quite capable of doing this on their own. For example, UKIP supporters dominate the comments section and polls on the Telegraph, while making up about 10% of the population
Well, if they are passionate enough to go vote on the polls while others wouldn't care to, that's their right...
The government --who is supposed to be neutral and for all parties-- interfering and skewing to a particular result, that's wrong on so many levels, I can't even begin to describe...
> The government --who is supposed to be neutral and for all parties
Whereas in the Scottish Independence referendum, the civil service has a buzzfeed and twitter account publishing heavily biased "no" material. I suppose at least that's overt.
Some examples:
AIRWOLF - YouTube profile, comment and video collection
BEARTRAP - Bulk retrieval of public BEBO profiles from member or group
BIRDSONG - Automated posting of Twitter updates
BIRDSTRIKE - Twitter monitoring and profile collection.
BUGSY - Google+ collection (circles, profiles etc.)
FATYAK - Public data collection from LinkedIn
FUSEWIRE - Provides 24/7 monitoring of Vbulletin forums for target postings/online activity. Also allows staggered postings to be made.
GODFATHER - Public data collection from Facebook
GOODFELLA - Generic framework for public data collection from social networks.
INSPECTOR - Tool for monitoring domain information and site availability
RESERVOIR - Facebook application allowing collection of various information.
GATEWAY - Ability to artificially increase traffic to a website
GESTATOR - amplification of a given message, normally video, on popular multimedia websites (Youtube)
SLIPSTREAM - ability to inflate page views on websites
TANGLEFOOT - is a bulk search tool which queries a set of online resources. This allows analysts to quickly check the online presence of a target.