GCHQ's Response To Hacking Slashdot And LinkedIn: No Comment, But It Was Perfectly Legal
from the yeah,-nice-try dept
Over the weekend it came out that GCHQ used a packet injection attack on Slashdot and LinkedIn pages in order to do a "quantum insert" -- basically a man-in-the-middle attack to install malware on the computers of key employees at Belgian telco Belgacom, which they then used to get much greater access to Belgacom's infrastructure for spying. It would appear that neither LinkedIn, nor the owners of Slashdot, are particularly pleased about this. After requesting more information, GCHQ had a useful response: "no comment."
In an emailed statement to Slashdot, the GCHQ’s Press and Media Affairs Office wrote: “We have no comment to make on this particular story.” It added: “All GCHQ’s work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Intelligence and Security Committee.”
Right. So we can't comment on this, but we assure you that it's very much legal that we effectively ran a man-in-the-middle attack on your site, guaranteeing that people are less willing to go to your sites any more. Meh. Collateral damage for the very important work of spying on everyone.
Filed Under: gchq, packet injection, quantum insert, slashdot, surveillance
Companies: linkedin
Reader Comments
what about techdirt? reddit.com?
[ link to this | view in chronology ]
Re: what about techdirt? reddit.com?
[ link to this | view in chronology ]
Re: Re: what about techdirt? reddit.com?
There isn't much time!
[ link to this | view in chronology ]
Encryption anyone?
I notice this morning that Google's QUIC protocol has encryption apparently on all the time.
https://en.wikipedia.org/wiki/QUIC
http://www.ietf.org/proceedings/88/slides/slides-88-tsvarea-10.pdf
But why would you need to encrypt anything if you have nothing to hide? Using encryption when you have nothing to hide would be like quietly talking about private family matters indoors instead of shouting about it from the rooftop.
[ link to this | view in chronology ]
Re: Encryption anyone?
[ link to this | view in chronology ]
Re: Encryption anyone?
[ link to this | view in chronology ]
Re: Re: Encryption anyone?
[ link to this | view in chronology ]
Re: Re: Encryption anyone?
IT DOES NOT MATTER whether someone/anyone has 'something to hide' or does not: our INALIENABLE RIGHTS are NOT contingent upon being good/bad people, or good/bad times...
our INALIENABLE RIGHTS are UNASSAILABLE in and of themselves...
if ANYONE tells you/asks you to 'justify' them, tell them to fuck off: WE DO NOT HAVE TO DO THAT...
these are BEDROCK NATURAL RIGHTS (regardless of any shredding of the constitution), and we do NOT need to 'justify' them, 'excuse' them, 'asterisk' them, or otherwise explain or weigh them against some mythical rationale to abandon these rights...
dog damn it, sheeple, stand up on your hind legs and bare some bicuspids at Empire ! ! !
power NEVER devolves voluntarily, we have to TAKE IT BACK...
stop being afraid of a state whose only power over you is being afraid of the state...
The They (tm) do not hesitate to use violence against us 99% ALL THE TIME; what is the lesson from that ? ? ?
(pssst: the lesson is *not* to cower more abjectly...)
art guerrilla
aka ann archy
eof
[ link to this | view in chronology ]
Re: Encryption anyone?
[ link to this | view in chronology ]
Re: Re: Encryption anyone?
[ link to this | view in chronology ]
Re: Re: Encryption anyone?
[ link to this | view in chronology ]
Boy, now you're getting multiple re-writes out of one original!
Where Mike sez: "Any system that involves spying on the activities of users is going to be a non-starter. Creeping the hell out of people isn't a way of encouraging them to buy. It's a way of encouraging them to want nothing to do with you." -- So why doesn't that apply to The Google?
06:56:12[h-137-3]
[ link to this | view in chronology ]
Re: Boy, now you're getting multiple re-writes out of one original!
Maybe, just maybe, I get something valuable from Google in exchange for my information passing through their servers, and maybe I also have a reasonable expectation that no human is bothering to read my emails. But also maybe I don't get anything valuable from NSA critters snooping through my email looking for the slightest reason to suspect I'm an evil terrorist. Maybe to Google I'm just a blip in a vast ocean of statistics to calculate which advertisement I am most likely to respond to. Maybe to the government I'm an evil monster until proven otherwise.
[ link to this | view in chronology ]
Re: Re: Boy, now you're getting multiple re-writes out of one original!
If you're up to forecasting: Maybe to The Google-Borg you're product to be served up to its paying customers: advertisers, and none will care about your privacy or your being annoyed with endless advertisements.
Now, I don't care (much) about YOU, but the masses of you dolts going along with rabid commercialization of everything is ruining MY privacy, and civilization too. You can't be free when constantly surveilled, even if -- as NSA says -- it's just by a computer: the info can be used against you any number of ways. You're just saying a version of "Who cares? I don't got nothin' to hide."
As usual, I've relevant tag lines (thanks for opportunity!):
Worse than being censored on the net is being advertised. You can escape censorship with your ideas intact; advertising uses lures and tricks to re-shape your very mind.
Google is in advertising, not freedom. Advertising is commercial propaganda full of deceit.
So long as "The Market" (if not NSA directly) rewards Google for spying, do you expect it to do LESS of it?
07:12:01[i-145-1]
[ link to this | view in chronology ]
What you've just said...
[ link to this | view in chronology ]
Re: Re: Re: Boy, now you're getting multiple re-writes out of one original!
[ link to this | view in chronology ]
Re: Re: Re: Boy, now you're getting multiple re-writes out of one original!
But since you have failed to prove that you are not an evil monster then it's only logic that people believe that you are an evil monster.
[ link to this | view in chronology ]
Re: Re: Re: Boy, now you're getting multiple re-writes out of one original!
If you don't like commercialization then don't get involved in it period. So every time you come on this site then by your own actions you are showing that you like commercialization and everything to do with this site. You must be pretty dumb to keep coming on this site if you don't like it. If you don't like poison then it's your own stupid fault if you keep coming on this site to get the poison that you so hate.
[ link to this | view in chronology ]
Re: Re: Re: Boy, now you're getting multiple re-writes out of one original!
You should be enjoying all the Google wholesomeness supplied by this site since you like them so much.
[ link to this | view in chronology ]
Re: Re: Re: Boy, now you're getting multiple re-writes out of one original!
out_of_the_blue just hates it when due process is enforced.
[ link to this | view in chronology ]
Re: Re: Boy, now you're getting multiple re-writes out of one original!
[ link to this | view in chronology ]
Now what sort of domains would someone sitting at a computer at the nsa or gchq likely visit.........
[ link to this | view in chronology ]
Re:
Voyeur sex-sites, of course.
[ link to this | view in chronology ]
CFAA
[ link to this | view in chronology ]
That would be the grown up thing to do. Instead they fear losing their toys and so they try to stonewall.
Canada is next on the list. With basically no oversight mechanisms in place whatsoever over CSEC. They operate totally in the dark. Even worse than the GCHQ/NSA
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Now that it is proven that /. isn't very secure it is now time to go elsewhere for nearly the same things they cover. That is unless they are determined to do something about it.
Short of that, they've just lost one reader for sure.
[ link to this | view in chronology ]
Re:
"The injection attempts are known internally as "shots," and they have apparently been relatively successful, especially the LinkedIn version. "For LinkedIn the success rate per shot is looking to be greater than 50 percent," states a 2012 document."
Reading between the lines: This shows that they had less success at targeting Slashdot as opposed to LinkedIn. This probably has to do with the kind of user who frequents Slashdot. Even among IT professionals, I would speculate that those who frequent Slashdot are more sophisticated about computer security. They are the kind that would ensure their work computers are updated frequently and would also update the software on their own computers or smartphones often. They are more likely to use less vulnerable browsers or restrict the use or limit the scope of scripts within the browser. A successful QI attack requires not only a vulnerability in the browser but one in the underlying OS to permanently make sure the computer is compromised. Do not ignore a major point here that these attacks were not always successful.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Dictionary
[ link to this | view in chronology ]
Re: Dictionary
Necessary will mean: if we don't do this we have no other way of getting the information we need to carry out our legal duties.
Proportionate will mean: there is no less intrusive thing we could do to achieve this effect.
Rigorous oversight means: we have a couple of retired judges who come round a couple of times a year and ask questions, are answerable to a minister (who listens to whatever we say) and a Parliamentary Committee (appointed by the Prime Minister) which can ask us questions, but only force us to give answers about historical things and has no legal duty to investigate anything.
Which isn't to say that GCHQ is evil. But their legal rules and oversight framework could be improved.
[ link to this | view in chronology ]
Re: Re: Dictionary
That's what I said, isn't it?
In much the same way as rot13 encryption could be more secure, yes.
[ link to this | view in chronology ]
Cyber Attack!
Write your Senator now and say that we should nuke the bastards.
[ link to this | view in chronology ]
It was like reading a movie review with the movie's name left out.
[ link to this | view in chronology ]