GCHQ Created Spoofed LinkedIn and Slashdot Sites To Serve Malware
An anonymous reader writes "Ars Technica reports how a Snowden leak shows British spy agency GCHQ spoofed LinkedIn and Slashdot so as to serve malware to targeted employees. From the article: 'Der Spiegel suggests that the Government Communications Headquarters (GCHQ), the British sister agency to the NSA, used spoofed versions of LinkedIn and Slashdot pages to serve malware to targets. This type of attack was also used to target “nine salaried employees” of the Organization of Petroleum Exporting Countries (OPEC), the global oil cartel.'"
First infection (Score:2)
Viral Marketing to Governments.
Rogue governments !! (Score:5, Insightful)
The term "Rogue" is used to denote "dishonest and/or unprincipled".
They used to put USSR, China, North Korea under the "Rogue Government" category.
Both the governments of the United States of America and that of Great Britain have proven to be DISHONEST _and_ UNPRINCIPLED !
IMHO, it's time we should include the government of the United States and that of United Kingdom under the "Rogue Government" category.
And btw, if you see the performance of John McCain, especially how he tried to blame Edward Snowden, you would understand how ludicrously pathetic American politicians have become ...
As an American, I am beyond furious ...
Re:Rogue governments !! (Score:5, Insightful)
McCain is a first class weasel to begin with. I remember watching one of the presidential debates, ranting about how the government had paid 40K$ or something for a lightbulb, not mentioning that it was for a planetarium projector.
Re: (Score:3)
FTFY.
Re: (Score:3)
Governments are always nefarious and untrustworthy entities when it comes to surveillance.
Not "even in a democracy" but "Especially in a democracy" because keeping tabs
Re:Rogue governments !! (Score:5, Informative)
..Why are there CCTV cameras everywhere in Britain?
Err, there aren't.
Look, you (pl) keep throwing this one up, I'm in Britain, and the nearest 'state' CCTV cameras to my current location are a mile and a half away, and I stay in a major town. The nearest CCTV camera to my home location is approx 1,300 feet away (as the Google Earth ruler flies..) and it's pointed at a bloody 'Doo hut'.
My place of employ?, internally we've cameras everywhere (and I run 4-8 of them), the industrial estate we're located on is surrounded by a ring of the buggers, guess what?, none of the fucking things work (and they haven't done so now for a number of years..7+ years now).
Yes, Britain in parts (hello London, Glasgow, any other 'metropolitan' area and the major road networks) may have an inordinate number of CCTV cameras, but they're not 'everywhere in Britain' and not any more so than any other country.
If you truly want an example of Panopticon levels of CCTV surveillance, try Monaco.
How do you know Snowden has released *ALL* info ? (Score:5, Interesting)
... Snowden is no more principled than McCain or an investment banker. He released ALL of the intelligence information he gathered at the NSA ...
I am intrigued !
How do you know Edward Snowden has released _*ALL*_ the information he had gathered at the NSA ?
How do you know Edward Snowden does not keep some files to himself, files that pack even *MORE* fire power than what he has released so far ?
As a poker player, I never release my trump card early in the game.
I don't know if Edward Snowden plays poker or not, but judging from what he has done since his days as a security guard ... I suspect the guy has even more juicy things in the pipeline
Re: (Score:2)
Snowden has said he does not have any more files.
Re: (Score:2)
Whoa
Snowden, your /. user # is LOW buddy.
Re:How do you know Snowden has released *ALL* info (Score:5, Informative)
As a poker player, I never release my trump card early in the game.
Somehow, this reminds me of Zapp Brannigan [youtube.com].
Re:How do you know Snowden has released *ALL* info (Score:5, Interesting)
Snowden stated that he's released all of the information he had. The only thing that is restricting the release of information at this point is the journalists that he released it to. Those journalists have already said that they haven't even released the really juicy stuff yet. That's pretty impressive, if it's true, considering the significant revelations already made.
Re:How do you know Snowden has released *ALL* info (Score:4, Funny)
"As a poker player, I never release my trump card early in the game."
If you were a poker player, you'd know that there are no trumps in poker.
Re: (Score:3)
yeah, so few ppl do not realize that outing information about spying on Americans was whistle-blowing, while spilling information about our actions on other nations (which was legal per US law), turned him into a traitor.
So... Here we have a government agency, which is funded by taxpayers, going completely off the rails and spends fortunes on snooping potential terrorists like the leaders of Germany, France, Spain -- not to mention entire countries which are supposedly allies. And you are saying it is not in the interests of the US citizens to know this?
I see the distinction you make, I really do. But this is still whistleblowing, by my reckoning; it is public money being spent on ludicrous targets.
Besides, I am convinced t
Re: (Score:3)
"But it's not only the USA or GB. At the moment, Merkel & friends are trying to get away by throwing a fit, as if they didn't know. "
Merkel didn't know. She used her unencrypted party cellphone for a decade for state business in clear violation of the rules and guidelines. She was warned repeatedly but chose to ignore it.
Any other official would have been sacked on the spot for that.
Victims were alerted (Score:5, Funny)
when the quality of the comments section significantly improved.
Re:Victims were alerted (Score:5, Funny)
when the quality of the comments section significantly improved.
Plus submissions were actually edited...
Re:Victims were alerted (Score:5, Funny)
Whose watching?
Re:Victims were alerted (Score:4, Interesting)
They're watching what you're doing on your computer via their hidden cameras over there.
Re: (Score:2)
Whoosh watching?
Re: (Score:2)
Whoooo! Swatching!
Re: (Score:2)
Doctor who? (Score:3)
Re: (Score:2)
Re: (Score:2)
I don't know!
(He's on third.)
Re:Victims were alerted (Score:5, Funny)
Whose watching?
The grammar police. We've had our eyes on you for some time.
hey, GCHQ employees (Score:5, Funny)
I know you're reading this.
You're smart. Smart enough to be able to work out who I am, probably without much trouble.
Why don't you do something productive?
They specifically chose these jobs (Score:3)
so they wouldn't HAVE to be productive. All they have to do is listen and let the money roll in.
Re:hey, GCHQ employees (Score:5, Interesting)
It makes me sad.
My (long ago retired) father ended up as a relatively senior civil servant for his home country, working abroad and dealing with, to put it generally, import&export. Now he was once asked by his government if he would exploit the contacts he'd formed and cooperate in passing certain useful information to them as and when required. He refused.
I'm sure he'd have enjoyed greater job security in his latter years if he'd cooperated, but he did what was right - ultimately for him too, because being open and honest means a more relaxed life, where you are free to build what you want and speak about what you want.
Even if - and let's say you're a stellar maths grad - you're given the most comfortable desk, access to the best machines and the company of a small subset of brilliant minds, your work won't go to improving human scholarship if you work for a secret service. It'll be kept under lock and key, deployed for the whim of the politicians of the day and their masters. And yes, you'll be indoctrinated with the mantra of every civil servant - "I'm not allowed an opinion because I'm only following orders". But that's only acceptable if your orders can ultimately be scrutinised by the general public on behalf of whom you are working.
And if you just enjoy playing god, well, go into the City, or start up your own business. If you're that good, then you can perform in plain sight, can't you?
It's not that simple ... (Score:5, Insightful)
And if you just enjoy playing god, well, go into the City, or start up your own business. If you're that good, then you can perform in plain sight, can't you?
Speaking from experience here ... it's not that simple
I started to plan for my escape from China way back in the late 1960's because of the social madness created by Mao back then.
Throngs of mindless assholes with red armbands parading on the street, waving that little red book, plunged the Chinese society into total darkness.
Those of us with brains knew that the things coming from Mao were bullshit, but those without brains who embraced Mao's bullshit outnumbered us 1000 to 1.
So we ran, and ran, and finally I got to Hongkong.
From Hongkong I ended up in the United States, and at that time, the U. S. of A. was a paradise, a place where brainy people get to do whatever they want to do without having fear of official repression.
Some 40 odd years have passed, and the United States is turning into just like Mao's China ...
Everything coming from Washington D.C. is pure bullshit, and the things I have noticed right now is that the mindless fucktards who bought into Washington D.C.'s bullshit are outnumbering those who know better.
While the society in the United States of America hasn't plunged into darkness yet, there is no certainty that it won't.
When the controlling regime gets desperate ~ (Mao's reign at that time was in danger of collapsing from within, motivating Mao in his encouragement of the mindless assholes with red armbands creating social havoc), ~ they will do anything to remain in charge.
And if (and when) the regime which is reigning over Washington D.C. (democrats _ and_ republicans) is in danger of collapsing, there is NO TELLING what they would do.
To make the matter worse ... they have a lot of very powerful tools Mao couldn't even begin to dream of 50 years ago.
I am an American now, and I am looking at my adopted country, the United States of America, with the same dismay as Mao's China, back in the 1960's.
powerful, you should write this up properly (Score:5, Insightful)
I've read a similar post you made before. You have a powerful point to make, and you make it well.
It would be a service to the country you loved, and freedom in general, if you spent an hour or two to write that up "properly", to spend a few minutes editing it to say exactly what you want to say. I could see such an article being shared quite a bit via social networking, blogs etc.
Re: (Score:2)
agreed - some of the less beholden sites would run it as an op-ed.
Re:It's not that simple ... (Score:4, Interesting)
At least half of the people I know are Chinese, most of them in their early 40's or so who came over in the 90's. You're the first one I've knowingly encountered who seems to have any clue about this sort of thing. Though it's a gross oversimplification, I tend to view Chinese and eastern European immigrants as the inheritors of western civilization in the US, since the rest of us seem to have given up on it. Their kids are going to be powerful in another 40 or 50 years. Yet my Chinese friends generally don't seem to have a clue about political and cultural history, they're all about money and taking care of their families. In some ways they know a lot less than I do even about Chinese cultural history. I've toyed with the idea of trying to teach a class on it at the local weekend Chinese school, aimed at parents. Not that they would necessarily be interested or that my preaching would accomplish anything.
Re:It's not that simple ... (Score:4, Insightful)
Only an American would be naive. Disclaimer: I am American.
You should meet my wife. She's 100% German and moved to the United States only when we got married. She was over 30 at the time. When we met several years before our marriage, her speech and written word were flawless even then. Her accent morphs to whatever English speaking country she is in. She is freakin' talented. She says her nightmare is speaking with an American, a Brit, and an Australian at the same time because she wouldn't know which accent to use. It bears repeating again: I can attest that her American accent and use of language is flawless. Her written prose is flawless.
I corrected her English only once. She then corrected me. I consulted a dictionary to prove her wrong and it turns out she was right. She kicks my ass in English -- and I'm the native speaker. Now, with that said, there are two things you need to know. Her profession is translation so she was trained. She comes from a family of translators and interpreters. The other thing you should know is that she isn't the only one with these kinds of talents that I've met. I am now learning German and one of the guys in my class speaks native Spanish, good Romanian (his wife is Romanian), and pretty good English (of which I can attest). His German abilities completely outstrip mine.
I don't normally rail against someone... especially someone with a 4 digit ID, but I'm telling you that you need to get off the computer and get more face-to-face time with other people. There are people who walk around you and just because you think they speak American doesn't mean that they are American or even from North America. Right now, I'm living in a foreign country and I'm in the linguistic circles because of my wife. I am exposed to a lot of really talented people out there. Some of them are not even formally trained like my wife.
I suggest you apologize to Taco Cowboy -- another 4 digit ID, I might add. He was saying something important and it's not the first time I've personally seen him post something like this. This is a very personal thing for him to open up to people -- especially on Slashdot like this. I surmise he hurts on the inside to watch what is happening to America -- a country he obviously loves. Then to have someone like you come along, act like an asshole, and call him a liar is just a horrendous insult to someone like him.
I had to learn the hard way that I'm not the most talented person in this world. No matter how good I get in whatever I pursue, there is always going to be a lot of people who are a whole lot better than I am. Grow a pair, apologize to Taco Cowboy, and learn that others don't have the same limitations you have.
Re:hey, GCHQ employees (Score:5, Insightful)
The Gestapo, KGB, and Stasi were mainly agencies of internal political repression, although the KGB also spied outside the country as well. Since the targets of surveillance were apparently outside the UK, it isn't really the same. That doesn't mean you can't find it disagreeable.
Even if the anglosphere currently isn't openly corporate fascist, that doesn't mean it won't be 5, 10, 15 or 20 years down the road. If they have years' worth of supposedly private communiques from people, that is like the Stasi's wet dream where the people being repressed write their own profile, willingly.
Once the thugs are in power they are not gonna delete that data, they are going to use it.
Re:hey, GCHQ employees (Score:5, Insightful)
And when they say they don't do domestic data gathering you shouldn't trust them. The NSA was already caught with its hand in the cookie jar.
Semantics; assuming it's not a bald-faced lie, they can 'partner' with the NSA then 'share resources' and they've got their hands on the results of domestic spying while only having encouraged and facilitated it themselves.
In the US, courts have ruled that corporate spying on individuals is legal so 'privatizing' the actual data gathering launders it into legality under this time honored principle: 'What are you gonna do about it, you're powerless'.
Re:hey, GCHQ employees (Score:5, Insightful)
In the US, courts have ruled that corporate spying on individuals is legal so 'privatizing' the actual data gathering launders it into legality under this time honored principle: 'What are you gonna do about it, you're powerless'.
This is a phrase that needs definition so we can better fight against it:
Data Laundering: The government circumventing the illegal search and seizure provisions of the constitution through the use of private corporations vast databases of information on all citizens.
This always elicits the response, "If you don't like $Corp's policy of getting tax dollars to spy on you to circumvent the constitution, don't use them." When every corporation is a one-way mirror on all of our lives to the government, this is no longer feasible. Unless you want to live like the Unabomber.
Re:hey, GCHQ employees (Score:5, Interesting)
You know what? I agree with you.
That is why it is so important to stamp out signs of genuine oppression and actual thuggish behavior immediately when they are identified, and have good oversight over the rest. That is why I find the indifference on Slashdot to the admitted political oppression engaged in by the IRS to be so appalling. People here moan, scream, and wail about oppression this and that when it involves the intelligence agencies. But when it involves the IRS, which unlike the NSA really does have considerable formal power to make the lives of individual Americans hell, which genuinely does have dossiers on almost everyone in America and various other people from around the world, expects you to send them a report at least annually, engages in its own internet surveillance, and now will be charged with overseeing American health insurance and apparently records, hardly anybody seems to care. That goes for the various Canadians, Europeans, and others that speak with an "American voice" of outrage about the intelligence agencies and many other policy questions, as well as the actual Americans that claim they are for "freedom" no matter how many dead bodies are created. It's like talking to someone that claims he greatly loves his family and would protect them to the death, goes ballistic if someone looks cross-eyed at his sister, but upon seeing his brother and mother being gang raped simply utters "meh" and walks away. I can think of a number of explanations for that, but few of them are flattering. At the very least it looks like distorted thinking regarding computer-centric issues.
As to the intelligence agencies proper, yes, I think that much of that data, such as the phone metadata, should be purged periodically if it is going to be kept at all. My recollection from some story was that they were supposed to keep it for no more than 5-7 years. If it is going to be kept at all I would like to see it in a separate organization either within or outside of NSA that would be responsible for ensuring proper privacy protections were applied, including proper purging, as well as reporting on its use. I would also like to see more and better congressional oversight, possibly involving the GAO. I'm sure that other nations could put similar arrangements in place.
Intelligence agencies are a potential danger to a democracy, but also a critical part of defending them. They must be watched and governed adequately so that they don't pose an undue risk, but not so tightly that they become ineffective and leave the nation at risk. History generally isn't kind to nations caught unaware. Sometimes they even cease to be. We haven't reached the end of history yet, so they will be needed for many years to come.
Re: (Score:2)
The past sock puppets tried hard to shape the wider computer-centric community on data being hard to keep, hard to search, political or legal protections, the protection of the marketplace and stock values, domestic protections, courts... it's all turning out to be a huge joke with each new press release
Readers now know the legal and real world domestic
Re: (Score:2)
Tax law in the US is public; while a person's accounts are being frozen, they can still find a lawyer to read the letters and have them explain very limited future options.
The US and UK seem to have gone to great lengths to have to outsmart their own gov staff, as their gifted staff seem to know their countries' laws and legal protections.
It's all fun
Re: (Score:2)
Actually...
The KGB (Komitet gosudarstvennoy bezopasnosti) did the external spying, while the NKVD (Narodnyy Komissariat Vnutrennikh Del) did the internal stuff.
Re:hey, GCHQ employees (Score:5, Informative)
Actually...
The KGB (Komitet gosudarstvennoy bezopasnosti) did the external spying, while the NKVD (Narodnyy Komissariat Vnutrennikh Del) did the internal stuff.
The organization that used to be the NKVD was castrated in the 1950's with the arrest of Beria, and the KGB inherited the role of the political police.
Re: (Score:3, Informative)
Skipping some renaming & reorganizations, the KGB was a successor to the NKVD, which was a successor to the OGPU, which was a successor to the Cheka.
The KGB owned internal troops, border guards, secret police, and external spies.
Both the KGB and GRU (military intelligence) spied abroad.
Down at the Twist and Shout (Score:2)
Re:hey, GCHQ employees (Score:4, Insightful)
If the victims knew the identities of the perpetrators they would be eligible for extradition under the standing treaties.
Re:hey, GCHQ employees (Score:4, Informative)
Sending malware counts as a crime, not legal surveillance.
If the victims knew the identities of the perpetrators they would be eligible for extradition under the standing treaties.
This has been repeated several times, but nobody has been able to name the treaty. In fact the last time I asked somebody brought up a non-governmental hacker.
This is a world of governments. What they do is legal, by definition, unless they have specific Constitutional or statutory bars on that particular behavior. Neither the US nor the UK has ever signed a treaty, or passed a law, that makes hacking in service of the government illegal.
Let me put it to you this way:
If US officials can't get extradited to Venezuela for participating in that minor coup attempt Venezuela had a decade or so back, why could they be extradited for hacking?
It's not like a) the Venezuela coup worked so the new government loved the coupsters, or b) the Venezuelan government would have refrained from charging the CIA officers they were accusing if they thought anyone (literally anyone) would take it seriously.
Re: (Score:2)
As far as I am aware attacking private systems with malware is a punishable crime both in US and UK.
Re:hey, GCHQ employees (Score:5, Informative)
What they do is legal, by definition, unless they have specific Constitutional or statutory bars on that particular behavior. Neither the US nor the UK has ever signed a treaty, or passed a law, that makes hacking in service of the government illegal.
I'll let my google-wiki-fu dazzle you:
Fourth Amendment to the United States Constitution
....
The Fourth Amendment (Amendment IV) to the United States Constitution is the part of the Bill of Rights that prohibits unreasonable searches and seizures and requires any warrant to be judicially sanctioned and supported by probable cause.
...
One threshold question in Fourth Amendment jurisprudence is whether a "search" has occurred. Initial Fourth Amendment case law hinged on a citizen's property rights—that is, when the government physically intrudes on "persons, houses, papers, or effects" for the purpose of obtaining information, a "search" within the original meaning of the Fourth Amendment has occurred.
...
The Fourth Amendment proscribes unreasonable seizure of any person, person's home (including its curtilage) or personal property without a warrant. A seizure of property occurs when there is "some meaningful interference with an individual's possessory interests in that property"
In my interpretation of the functionality of our universe sending detectable signals that carry malware in order to gain illicit access does count as physical action.
Re: (Score:2)
If a hostile government act isn't a crime, it's an act of war.
Re: (Score:3)
Saying that the purpose of the GCHQ or NSA is to spy outside the country is like saying that the purpose of the military is to shoot and bomb people.
The NSA Mission Statement [nsa.gov] references Executive Order 12333 [archives.gov], and I quote directly -- "2.2 Purpose. This Order is intended to enhance human and technical collection techniques, especially those undertaken abroad..." The GCHQ lacks a specific mission statement, because as you know, the British are terrible at getting to the point. The website is, however, full of committee-written documents and available in 9 different languages and makes a point of saying it's available to those who require "assistive devices
Re:hey, GCHQ employees (Score:5, Insightful)
The concern is not whether spying activity is at home or abroad - any such distinction can be defeated with reciprocal agreements. The issue is that the targeting was of administrators at Internet exchanges.
And you're worried about Iran putting pressure on OPEC? Deal with your lack of domestic energy security. You had 40 years to wake up, but instead you sold everything off to mostly foreign concerns. Spying on OPEC is just doing dirty work for these businesses to ensure they profitably receive their fuels.
Re: (Score:2)
And you're worried about Iran putting pressure on OPEC? Deal with your lack of domestic energy security. You had 40 years to wake up, but instead you sold everything off to mostly foreign concerns.
And now we're getting the Chinese to build our next generation of nuclear power stations... *facepalm*
Re: (Score:2)
Yes, but Iran isn't OPEC, so it still makes sense to say that it might put pressure on OPEC.
How exactly does spying on internal OPEC discussions stop them from deciding to limit supply to Britain, please? Is it so Britain can figure out ASAP how it should threaten Iran as a whole because a group has dared to exercise its right not to sell a product to private companies?
Of course it's a concern that Britain's energy policy has been directed toward maximising profit for energy companies rather than to securin
Re: (Score:2)
Not really, I don't think they're supposed to be breaking laws. The only spying they can do internationally legally is actually on UK citizens.. they do not have international contracts in place that enable them to legally give a set of personnel the right to break laws in other countries by performing hacks there (and domestically, were it to go into court, they could _only_ argue that it was an act of war, which would have been an unauthorized act of war in that case and everyone in the agency would be guilty
Re: (Score:3)
You quote an Israeli source. Did you give a thought that this is likely at best propaganda and at worst complete lies?
Quite apart from anything else the deputy of a branch of the army is NOT the same thing as the official spokesperson of the country.
Most of Europe being at the mercy of Russia for a large part of its gas is of far more real concern.
Don't Panic! (Score:4, Funny)
Don't worry, this is the real Slashdot right here. I promise.
Re:Don't Panic! (Score:5, Funny)
Yeah, the NSA version is here. [slashdot.org] ;-)
Do as I say, not as I do (Score:5, Insightful)
If I or any /. reader were to do the same, a pretty harsh sentence would await us.
HTTPS on Slashdot (Score:5, Interesting)
Re:HTTPS on Slashdot (Score:4, Insightful)
Re: (Score:2, Insightful)
The ex staff, fired staff, mercenary, contractor - they all take the complex skill set with them and sell it.
Other govs, firms, foreigners with cash, faith groups with cash... that's why junk crypto is so useless - all the interesting people can pay to learn about the 'net' and always know to avoid it or
Re: (Score:2, Interesting)
You do realize that the UK already has an obscene amount of data on its people?
Londoners in particular can be tracked individually by the police if they so choose. I don't think they even need a warrant. In theory they could decide they wanted to find out what some random hot chick does every day, and they'd be able to follow her everywhere she went for as long as she was in London. As long as she's in public she's on one of their cameras. For most people (i.e. the ones who don't discuss their illegal activ
Re: (Score:2)
The computers kept running and everything was just fine. Then came voice prints from the US drug wars in South America (for wider use). CCTV tracking, cell phone decryption and finally the bulk of all UK internet traffic per day.
As for the use of analysts, you have a lot of private sector pre sorting for 'advertising' contracts th
Re: (Score:2)
What "legitimate certificate previously?" There is absolutely no reason that I'm aware of not to think the certificate authorities weren't compromised from the very beginning.
Strict Transport Security (Score:2)
add some proper authentication and encryption in HTTP2.0 instead of bitching that it's the wrong layer.
The current HTTP 2.0 draft is based on SPDY, which operates in a TLS tunnel. This allows for secure HTTP basic authentication and TLS client certs. It also eliminates the IPv4 exhaustion excuse, as web browsers supporting SPDY will support SNI.
HTTP Strict Transport Security [wikipedia.org] - not very useful
In what way is it "not very useful"? Is it just that browsers' preloaded STS whitelists aren't nearly as big as the HTTPS Everywhere rulesets? (Disclosure: I use HTTPS Everywhere, and when I switched away from Go Daddy for my own web site, I made sure to pick a shared
Re: (Score:2)
Even worse, browsers introduce regressions like a Chrome misfeature that came to Firefox as browser.urlbar.trimURLs. It really needs to go, yet it not only exists but defaults to true.
Let's all vote on bugzilla bug #691147. Seriously, it's time to switch the default to https, rather than making everything but http a second-class citizen.
Re: (Score:2)
b) add some proper authentication and encryption in HTTP2.0 instead of bitching that it's the wrong layer. it's clear no-one is going to adopt HTTPS
widely anytime soon; most websites require you to login, meaning you can perform encrypted key exchange (EKE) with them, which allows for two-way authentication, plus encryption optionally;
Let's not even think about it. Not only is it the wrong layer; inventing new protocols that don't even exist yet, thinking they will be adopted any sooner than throwing the switch on SSL on existing systems, is about as silly as not caring about it being the WRONG LAYER.
A solution is mostly implemented in the form of TLS-SRP. RFCs are already written, SSL toolkits already support it, patches exist for major browsers, and web servers such as Apache already support it.
Using a TLS-SRP patched browser you enter your l
Re: (Score:2)
No, I meant what I said. "https.example.com" is an example of a host supporting HTTPS, yet the browser accesses
it by default as "http://https.example.com". You don't seem to have understood what I said at all.
Default protocol (Score:2)
The correct way to use https is to write it as protocol
Yet user agents continue to automatically write http as protocol. So how should a server communicate to the user agent that the correct protocol for accessing the server is HTTPS, not HTTP? There is HTTP Strict Transport Security, but not all web sites are popular enough to get into all major browsers' preloaded STS lists for first-visit security.
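An added example, not code from the commenter above: a small HSTS-aware URL resolver in Python showing the mechanism the comment asks about. The server's `Strict-Transport-Security` response header is parsed and cached per host, later `http://` URLs for that host (or, with `includeSubDomains`, its subdomains) are rewritten to `https://`, and a host that has not yet been seen and is not in the preloaded set keeps the first-visit gap the comment describes. The hostnames and the preloaded set are constructed for the example; the header grammar follows RFC 6797.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a browser's preloaded STS list (real lists are far larger).
PRELOADED_HOSTS = frozenset({"preloaded.example"})


def parse_sts_header(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header carries no valid max-age; a user agent must then
    treat it as "no policy" rather than guess.
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Per-host STS policy store with expiry, the part of a browser the comment is about.

    `now` is injectable so expiry can be tested with a fixed clock.
    """

    def __init__(self, preloaded=frozenset(), now=time.time):
        self._now = now
        self._policies = {}  # host -> (expires_at, include_subdomains)
        for host in preloaded:
            # Assumption for the example: preloaded entries never expire and cover subdomains.
            self._policies[host] = (float("inf"), True)

    def observe(self, host, sts_header, over_tls):
        """Record a policy the server sent. RFC 6797 says a header received over plain
        HTTP must be ignored, otherwise an on-path attacker could plant policies."""
        if not over_tls:
            return False
        parsed = parse_sts_header(sts_header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 tells the agent to forget the host
        else:
            self._policies[host] = (self._now() + max_age, include_sub)
        return True

    def is_known_https(self, host):
        """True if the host, or a parent domain whose policy includes subdomains, is covered."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_sub = policy
            if expires_at < self._now():
                continue  # stale policy: behaves as if never seen
            if i == 0 or include_sub:
                return True
        return False

    def resolve(self, url):
        """Rewrite an http:// URL to https:// when a current policy covers its host."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_https(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    cache = HstsCache(preloaded=PRELOADED_HOSTS)
    print(cache.resolve("http://https.example.com/"))  # first visit: still plain http
    cache.observe("https.example.com", "max-age=31536000; includeSubDomains", over_tls=True)
    print(cache.resolve("http://https.example.com/"))  # now upgraded to https
```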
Re: (Score:2)
War crimes and crimes against humanity the Nazis were executed over come to mind.
Re: (Score:2)
So?
If I decided to execute some dude I'd be in huge-ass trouble. Yet Texas does that shit all the damn time.
It's the government. The shit it does is legal by definition as long as the correct internal procedures are followed.
Spoofed slash dot was easy to spot (Score:5, Funny)
There were no dupes, and all TFS's had perfect spelling and grammar.
Re: (Score:2)
Re:Spoofed slash dot was easy to spot (Score:5, Funny)
Actually, that's the real one. If you're seeing dupes, misspellings and poor grammar, and the articles seem to be a bit behind other sites, then it is probably a rushed retyping of the original.
Re: (Score:2)
Dupes? There are dupes?
Did you maybe have a deja vu? Or can you be certain that you didn't read it on a spoofed page?
Tell me when I made you paranoid enough.
Re: (Score:2)
When I saw a CowboyNeal option in the poll I knew that the GCHQ set up us the spoof.
Re: (Score:2)
i.e. get the browser and then what on a modern OS? Just pass the ip back and then?
if that OS is Windows (Score:3)
Due to some perfectly reasonable decisions by Microsoft that failed to predict the future, a reasonably proficient private hacker could choose an appropriate Trojan to embed. The agencies involved in this sort of thing have libraries of them.
Those exploits are chained much like the normal boot process. The boot sector is 512 BYTES. It can't do much, but it can load the boot loader. The boot loader is quite limited, but it can load the 2MB kernel, which loads the rest of the OS.
Similarly, based on what
Re: (Score:2)
these "consumers" admin key networks. What risk? (Score:3)
"The consumers machine"? The targets run major network exchanges. Owning their machines, and thereby the network exchanges they administer, is sort of like rooting the internet.
What's the risk? That the admin notices they have some malware? If they notice, they could either a) remove the malware just as admins everywhere do all the time or b) conjecture about a vast government conspiracy. Neither really does any damage - people have been babbling on about government conspiracies to get them approximat
SSL (Score:5, Informative)
I suppose using HTTPS would have helped even a little, if Slashdot ever bothered to do so. The victims might have noticed that the certificates changed, even if they did check out, most especially if they used HTTPS Everywhere [eff.org]. They couldn't just foist off an SSL cert for Slashdot signed by some other CA (or even the same CA) then: the SSL Observatory would have noticed the change in the certificate the way SSH notices that public keys to servers you connect to change. Unless of course Slashdot gave its (non-existent) private keys to GCHQ, in which case all bets are now off. Why browser SSL doesn't automatically cache certs the way SSH does and warn if there's a change that doesn't involve certificate expiry or revocation is something that isn't quite clear to me.
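The "cache certs the way SSH does" idea in the comment above is trust-on-first-use pinning. The following is an added example, not code from Slashdot, the EFF's SSL Observatory, or any browser; it keeps a per-host SHA-256 fingerprint of the certificate's DER bytes together with its expiry, and raises the SSH-style warning only when the certificate changes while the pinned one was still valid, so routine renewal after expiry or an explicit revocation does not trip it. The DER blobs used in the usage are constructed placeholders, not real certificates. As the comment itself notes, this does nothing on the very first visit and nothing if the real private key has been handed over.

```python
"""Trust-on-first-use certificate cache, SSH known_hosts style.

Added example, not code from Slashdot or any browser. Fingerprints are
SHA-256 over the certificate's DER bytes; the DER values used when
exercising it are constructed placeholders, not real certificates.
"""
import hashlib
from dataclasses import dataclass

OK, FIRST_USE, ROTATED, CHANGED = "ok", "first-use", "rotated", "CHANGED"


@dataclass
class Pin:
    fingerprint: str
    not_after: float  # certificate expiry, seconds since epoch


def fingerprint(der):
    """Hex SHA-256 of the certificate's DER encoding."""
    return hashlib.sha256(der).hexdigest()


class PinStore:
    def __init__(self):
        self._pins = {}  # host -> Pin

    def check(self, host, der, not_after, now):
        """Compare the presented certificate with what was seen before.

        Returns FIRST_USE (nothing pinned yet, pin it now), OK (same
        certificate), ROTATED (different certificate but the pinned one
        had expired, so a new one is expected) or CHANGED (different
        certificate while the pinned one was still valid: the warning
        SSH would give, to be shown to the user before continuing).
        """
        fp = fingerprint(der)
        pin = self._pins.get(host)
        if pin is None:
            self._pins[host] = Pin(fp, not_after)
            return FIRST_USE
        if pin.fingerprint == fp:
            return OK
        if now >= pin.not_after:
            self._pins[host] = Pin(fp, not_after)
            return ROTATED
        return CHANGED

    def revoke(self, host):
        """Forget a pin once the old certificate is known to be revoked,
        so the replacement is accepted on the next connection."""
        self._pins.pop(host, None)

    def accept(self, host, der, not_after):
        """Record a certificate the user explicitly accepted after CHANGED."""
        self._pins[host] = Pin(fingerprint(der), not_after)
```

The CHANGED state is the interesting one for the attack discussed in this thread: a spoofed site presenting a different (even validly signed) certificate would trip it on every visit after the first, which is more than a CA-only check gives you.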
Re: SSL (Score:5, Insightful)
Re: SSL (Score:4, Interesting)
Linkedin does not use SSL consistently and it's vulnerable to downgrade attacks. People are discussing this in several fora and Twitter at the moment.
Re: (Score:2)
Being notified of the 'duplicate' responses from the server would have helped too. That's not a normal running condition.
I don't mind so much that browsers don't cache SSL certificates and notify of changes, but it is a shame that the server can't request that behaviour (using something like HSTS).
Re: (Score:2)
Re: (Score:3)
The victims might have noticed that the certificates changed, even if they did check out
Actually, only half the victims could have realised this (at least directly). The websites being spoofed are victims here as well - after all it does your reputation no good at all if someone spoofs your website to serve malware. Best case, you look like an incompetent admin; worst case, someone thinks you did it deliberately and starts telling a lot of their friends. It's akin to a murderer framing an innocent party for his crime - that innocent party is a victim of a crime too. I suspect these agencies ha
Almost Cut My Hair (Score:2)
And I'm not feelin' up to par
It increases my paranoia
Like lookin' at my mirror and seein' a police car
But I'm not givin' in an inch to fear
'cause I promised myself this year
I feel like I owe it to someone
I bet a lot of /.ers are mentally running through some of their past posts right about now. Where did I leave that tinfoil?
Re: (Score:3)
Nope. I joined repeatedly, and earned positive karma repeatedly, with many accounts.
Bunch of deleted stuff... you can leave your past behind, if you are willing to leave your past behind. Most people aren't, and that's what everyone against you is counting on.
Kill your wife, or child, or countryman, or government, or celebrity, or friend? I count on you to be strong, while the perpetrator counts on you to be weak.
Everyone should be mentally reviewing their activity. and if it should be censored or stoppe
What will they stoop to next? (Score:3)
That's a pretty sophisticated hack. Looks like they've gone as far as setting up an entire site that looks superficially like Slashdot, but is full of grotesquely dull stories apparently designed to warp the minds of unsuspecting IT professionals - obviously some sort of psyop strategy, but to what purpose?:
http://slashdot.org/topic/bi/ [slashdot.org]
And still no SSL support for /. (Score:2)
If /. had even basic ssl support, at least a possible forged certificate could have been revealed.
Please stop calling them Attacks (Score:3)
They are frauds. The NSA perpetrated a fraud with these actions. This helps to clarify that these acts are illegal. Fraud is illegal.
Thanks,
Re: (Score:2)
OK
The British spy agency GCHQ generated and sent fraudulent messages over the telecommunications network purporting to be from Linkedin and Slashdot to targeted employees' computers, through their internet connection, in order to deceive their targets and their computers in order to exploit security vulnerabilities causing their computers to execute covertly planted software with a malicious intent.
After targets were defrauded into having covert malware planted on their computers; the software would
Thanks, I really liked that rendering :) (Score:2)
It does put their actions into a less fear-based perspective, and a more accurate one. At least it seems so to me.
If you're running Windows, I have to ask why (Score:2)
Is it "the games"? Is it "the critical apps"? There's a VM for that... there's a separate machine for that. Don't be a sucker. Not saying that Linux can't be targeted, but I will say there is much low-hanging fruit to get to before they get to you. And especially if you're running MSIE? Really? At least go with a browser with NoScript available. Things are getting serious. You should be too.
Javascript (Score:4, Insightful)
If there was ever indisputable proof that Slashdot needs to maintain javascript-free functionality in slashcode, this is it. If it were viable to use slashdot with javascript disabled, this sort of impersonation attack would be a lot harder to pull off because NoScript would have protected from drive-by nsa-ware infections foisted on the slashdot impersonator site.
Unfortunately, it's been years since it was reasonable to use slashdot without javascript. Even if you still use the old style interface, there are too many corners where javascript has crept into the design in a mandatory way rather than just as an enhancement.
Time to go HTTPS only Slashdot (Score:4, Insightful)
Really. I mean it. It is not that hard.
Re: (Score:2)
Linked-who-what?
Re:Internet...broken? (Score:5, Insightful)
Time to start from scratch, and start a large-scale redesign of the Internet and its protocols, to try and better secure users from surveillance/attacks?
In my view the most dire issue facing the network right now is a handful of content companies owning the majority of network traffic. People have to run their own servers and get involved with the network again. There is no meaningful technological solution for aggregation of power in the hands of a few media companies caused by laziness and lack of engagement. Those with the skills need to work to make it more accessible to those without the time or inclination to learn.
Tor and other fringe security protocols/networks won't cut it, and getting people to use very-user-unfriendly encryption tools won't happen - nothing short of a mammoth redesign
The structure of the current net at IP layer and below is architecturally about right as far as I'm concerned. 100% untrusted, 100% untrustworthy. All the network needs to do is forward packets with some degree of assurance they will be delivered... the rest is up to us users.
far surpassing the resources/scale of the IPv6 changeover, is going to come anywhere close to repairing the damage.
I think if we're smart about it IPv6 becomes a huge part of the solution. Whatever the future of the net and accompanying protocol soup look like maintaining a network of peers where any one can talk to anyone else is the most powerful tool we have to avoid oppressive tendencies of various less than perfect governments.
There's no going back now - it's already too late to salvage what we have, because it has already been completely and irrecoverably 'owned' - the NSA broke the Internet.
If you were talking specifically SMTP or SSL CA's I would agree with you. More generally all is not lost and all does not need to be replaced.
Re: (Score:2)
Hm, /. may have a valid case to chase after.
After all, they duplicated the site/logo/etc without the permission of the actual copyright owners.
They could also make a case for monetary damages and damages to their reputation (trademark?), especially when you consider lost advertisement revenue (if we do believe that the advertisement business model for the Web makes any sense).