GCHQ's Response To Hacking Slashdot And LinkedIn: No Comment, But It Was Perfectly Legal

from the yeah,-nice-try dept

Over the weekend it came out that GCHQ used a packet injection attack on Slashdot and LinkedIn pages in order to do a "quantum insert" -- basically a man-in-the-middle attack to install malware on the computers of key employees at Belgian telco Belgacom, which they then used to get much greater access to Belgacom's infrastructure for spying. It would appear that neither LinkedIn, nor the owners of Slashdot, are particularly pleased about this. After requesting more information, GCHQ had a useful response: "no comment."

In an emailed statement to Slashdot, the GCHQ’s Press and Media Affairs Office wrote: “We have no comment to make on this particular story.” It added:

“All GCHQ’s work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Intelligence and Security Committee.”

Right. So we can't comment on this, but we assure you that it's very much legal that we effectively ran a man-in-the-middle attack on your site, guaranteeing that people are less willing to go to your sites any more. Meh. Collateral damage for the very important work of spying on everyone.

Filed Under: gchq, packet injection, quantum insert, slashdot, surveillance
Companies: linkedin

GCHQ Used Fake Slashdot Page To Install Malware To Hack Internet Exchange

from the is-nothing-sacred? dept

Back in September, it was reported that the UK's equivalent of the NSA, GCHQ, had gleefully hacked Belgacom, the Belgian telco, using a "quantum insert" to plant malware on the computers of key engineers at the company. At the time, it was described as follows:

According to the slides in the GCHQ presentation, the attack was directed at several Belgacom employees and involved the planting of a highly developed attack technology referred to as a "Quantum Insert" ("QI"). It appears to be a method with which the person being targeted, without their knowledge, is redirected to websites that then plant malware on their computers that can then manipulate them. Some of the employees whose computers were infiltrated had "good access" to important parts of Belgacom's infrastructure, and this seemed to please the British spies, according to the slides.

Over the weekend it appears that Der Spiegel published a further report by Laura Poitras on this hacking, which revealed that the spoofed websites used to install this malware were none other than Slashdot and Linkedin. Interesting choices. So, it sounds like they did a man-in-the-middle attack, redirecting very specific visitors from those two sites to sites that planted malware instead. I wonder if LinkedIn (which is already involved in a lawsuit over the NSA stuff) and Slashdot have any legal basis to go after the government for effectively attacking their servers?

Update: Nicholas Weaver explains what happened in much more detail. It's not a fake page, but a packet injection attack.

Filed Under: gchq, malware, man in the middle, quantum insert, slashdot, surveillance
Companies: belgacom

Can Your Slashdot Comments Get You A Job?

from the in-some-places,-apparently... dept

It always amuses me when people insist that no one would create content without getting paid for it, since that's clearly not true. Plenty of people produce all sorts of valuable content for a variety of other reasons -- and even if they don't get paid for it directly, down the road, it can lead to opportunities to get paid. A good example of that, obviously, is the open source community, where there are plenty of stories of active contributors leveraging their success in the community to find jobs. But can it apply to blog comments as well? Perhaps. Ian alerted us to the fact that the Software Freedom Law Center (SFLC) is looking to hire people on the PR side, and one of the things they're asking for (even before a resume) is a link to your Slashdot profile (or other similar "comment histories"). Who knew all those "first!" posts could be worth something...?

Filed Under: comments, content, jobs, resume, slashdot