×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

British Intelligence Responds To Slashdot About Man-in-Middle Attack

samzenpus posted about 5 months ago | from the what-do-you-have-to-say dept.

Security 256

Nerval's Lobster writes "The GCHQ agency, Britain's equivalent of the National Security Agency, reportedly used fake LinkedIn and Slashdot pages to load malware onto computers at Belgian telecommunications firm Belgacom. In an emailed statement to Slashdot, the GCHQ's Press and Media Affairs Office wrote: 'We have no comment to make on this particular story.' It added: 'All GCHQ's work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Intelligence and Security Committee.' Meanwhile, LinkedIn's representatives suggested they had no knowledge of the reported hack. 'We have read the same stories, and we want to clarify that we have never cooperated with any government agency,' a spokesperson from the social network wrote in an email to Slashdot, 'nor do we have any knowledge, with regard to these actions, and to date, we have not detected any of the spoofing activity that is being reported.' An IT security expert with extensive knowledge of government intelligence operations, but no direct insight into the GCHQ, hypothesized to Slashdot that carrying out a man-in-the-middle attack was well within the capabilities of British intelligence agencies, but that such a 'retail' operation also seemed somewhat out of character. 'Based on what we know they've done, they are doing industrialized, large scale traffic sweeping and net hacking,' he said. 'They operate a wholesale, with statistical techniques. By "statistical" I mean that they send something that may or may not work.' With that in mind, he added, it's plausible that the GCHQ has software that operates in a similar manner to the NSA's EGOTISTICAL GIRAFFE, and used it to redirect Belgacom employees to a fake download. 'However, the story has been slightly garbaged into it being fake [LinkedIn and Slashdot] accounts, as opposed to network spoofing.'" Update: You can read the official statement from Slashdot's parent company, Dice Holdings, here on our blog.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

256 comments

First Spoof (3, Funny)

anagama (611277) | about 5 months ago | (#45391293)

First Spoof.

Though this is no laughing matter.

Re:First Spoof (0)

Anonymous Coward | about 5 months ago | (#45391585)

Guess who's been modding up all those pro-surveillance comments?

"Oops, the dog ate my mod points."

@slashdot: use https per default! (3, Insightful)

Anonymous Coward | about 5 months ago | (#45391295)

That would make MIM attacks much more difficult

Re: @slashdot: use https per default! (4, Interesting)

Antony T Curtis (89990) | about 5 months ago | (#45391389)

Using HTTPS is not the solution when the only thing people see is that some trusted certificate was used. If a trusted Certificate Authority was compromised or issued `fake' certificates for government spy agencies, the target wouldn't know that a MITM attack has occurred because the little green icon is showing just fine.

However, if we had something like a GPG content encoding, if the site hasn't already been trusted by the user, red flags will immediately be showing.

Like as like not, with the proliferation of CAs which exist, MITM attacks are easier than ever because people have been conditioned to trust HTTPS.

Re: @slashdot: use https per default! (4, Insightful)

heypete (60671) | about 5 months ago | (#45391493)

True, but it would prevent the insertion of malicious packets (the "Quantum Insert" technique they describe in the various articles). Invalid SSL/TLS packets would simply be discarded and it would not be possible to insert malicious packets into the encrypted, MACed datastream.

Yes, MITM would be possible but Slashdot could implement certificate pinning (either through having browsers like Chrome have the cert details baked-in [imperialviolet.org] , or having users use something like Cert Patrol for Firefox) to make this harder. It's not foolproof, but it would certainly make this type of attack considerably more difficult and easier to detect.

Re: @slashdot: use https per default! (1)

Karl Cocknozzle (514413) | about 5 months ago | (#45391615)

Using HTTPS is not the solution when the only thing people see is that some trusted certificate was used. If a trusted Certificate Authority was compromised or issued `fake' certificates for government spy agencies, the target wouldn't know that a MITM attack has occurred because the little green icon is showing just fine.

However, if we had something like a GPG content encoding, if the site hasn't already been trusted by the user, red flags will immediately be showing.

Like as like not, with the proliferation of CAs which exist, MITM attacks are easier than ever because people have been conditioned to trust HTTPS.

Although I like where your head is, wouldn't the CPU power required to do on-the-fly GPG decoding of content be prohibitive? Or am I misunderstanding the proposed solution?

Re: @slashdot: use https per default! (3, Interesting)

Antony T Curtis (89990) | about 5 months ago | (#45391677)

Although I like where your head is, wouldn't the CPU power required to do on-the-fly GPG decoding of content be prohibitive? Or am I misunderstanding the proposed solution?

A large amount of the content on the internet is static. The static assets can be stored on the disk, already signed. This has the added advantage that HTTPS cannot provide: The static assets are cacheable and they are tamper-proof, should the server be compromised.

When it comes to dynamic content, one can 'cheat' a little by reusing the same session key for the same connection. The startup cost is not much different than existing HTTPS which uses DH for key exchange.

It's not going to be much slower than what we have today with HTTPS for interactive sites, where humans are the slow link in the chain.

Re: @slashdot: use https per default! (0)

Anonymous Coward | about 5 months ago | (#45391885)

Just use self signed certificates and make the CA and its fingerprint known to everyone. Problem solved.

Re: @slashdot: use https per default! (1)

Anonymous Coward | about 5 months ago | (#45391903)

Using HTTPS is not the solution when the only thing people see is that some trusted certificate was used. If a trusted Certificate Authority was compromised or issued `fake' certificates for government spy agencies, the target wouldn't know that a MITM attack has occurred because the little green icon is showing just fine.

Certificate pinning helps with this.

Also, that's part of the idea behind DANE (putting certificates in DNS) with DNSSEC. Unfortunately the whole roll out is kind of going at a glacial pace.

Re: @slashdot: use https per default! (3, Interesting)

yakatz (1176317) | about 5 months ago | (#45391959)

Google Chrome supports certificate pinning so you can't go to a site if the certificate used does not match the known one on the list compiled into the browser, which sort-of solves the wrongly issued certificate problem.
RFC 6844 [ietf.org] has a proposed DNS type for verifying the proper certificate was served (requires DNSSEC to make sure the DNS was not tampered with).

Re: @slashdot: use https per default! (1)

yakatz (1176317) | about 5 months ago | (#45391977)

Woops, wrong one. That RFC says not to use it for validation, only for a certificate authority to see if they should issue a cert. I will try to find the correct one.

Re:@slashdot: use https per default! (0)

Anonymous Coward | about 5 months ago | (#45391619)

i'm sure the most advanced intelligence agencies on the planet can break your cereal box encryption

they'll just suck up the data and go to work on it breaking the encryption and the keys with their super computers

Heh. (5, Insightful)

girlintraining (1395911) | about 5 months ago | (#45391327)

All GCHQ's work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight

The Stasi said the same thing in East Germany. But that's circular logic: We're authorized to do this because we authorized it.

Re:Heh. (5, Insightful)

s.petry (762400) | about 5 months ago | (#45391405)

The Stasi said the same thing in East Germany. But that's circular logic: We're authorized to do this because we authorized it.

Exactly! They claim that they use laws to control what they snoop, and have oversight. When the laws are "secret", the courts are "secret", and the oversight is internal how much should we trust them? None at all!

Re:Heh. (0)

cold fjord (826450) | about 5 months ago | (#45391561)

The laws aren't secret, but some of the court decisions have been, and even some of those are being declassified. The courts use ordinary judges that rotate in from other courts, the courts aren't secret, but the warrants are. The oversight comes from Congress, the courts, and the executive branch.

Frankly I doubt you would trust them if you sat in the court and watched every proceeding. You would most likely be wondering where they hid what was really going on.

Re:Heh. (0, Troll)

magic maverick (2615475) | about 5 months ago | (#45391627)

You're still a cunt. Also, this is discussing the UK where theoretically the "[US] Congress, the courts, and the executive branch" have no power. So I guess I could say you're not just a cunt. You're a stupid cunt.

Re:Heh. (-1, Flamebait)

cold fjord (826450) | about 5 months ago | (#45391683)

If you look very carefully I answered a post about a US thing. Why don't you protest that post? Or do you lack the wit to answer it?

Re:Heh. (0)

Anonymous Coward | about 5 months ago | (#45391757)

You did not, please look more carefully yourself.

Re:Heh. (3, Insightful)

crashcy (2839507) | about 5 months ago | (#45391837)

cold fjord is rushing so quickly to defend the NSA that he no longer waits for them to be mentioned. Think he gets overtime?

Re:Heh. (0)

Anonymous Coward | about 5 months ago | (#45391927)

cold fjord, Ignore them.

Unfortunately we have idiots in the UK too.

Your post is accurate and equally applicable to how things work in the UK.

The trouble is a lot of people don't give a crap about politics until they realise they no longer understand the system they're labouring under.

They then assume that anyone who sounds like they do understand how the system works must be complicit in all that's wrong with the system.

As the system is not to their liking/understanding they then feel it correct to call those who built the system "cunts" and "idiots" which is true... if you realise we live in a democracy and it was their inactivity/disinterest in the system that built it...

Re:Heh. (3, Insightful)

MysteriousPreacher (702266) | about 5 months ago | (#45391649)

The laws aren't secret, but some of the court decisions have been, and even some of those are being declassified. The courts use ordinary judges that rotate in from other courts, the courts aren't secret, but the warrants are. The oversight comes from Congress, the courts, and the executive branch.

GCHG is a British thing. i.e. not much oversight from US branches of government.

Re:Heh. (0)

cold fjord (826450) | about 5 months ago | (#45391673)

If you look very carefully I answered a post about a US thing. Why don't you protest that post?

Re:Heh. (1)

oobayly (1056050) | about 5 months ago | (#45391785)

1). Look carefully at s.petry's post
2). Didn't see anything about the US
3). Got caught out by troll
4). ???
5). Um, profit?

Re:Heh. (0)

cold fjord (826450) | about 5 months ago | (#45391811)

The complaints about "secret courts"? Does FISA ring a bell?

Re:Heh. (2)

oobayly (1056050) | about 5 months ago | (#45391879)

Unfortunately the US doesn't have a monopoly on "secret courts". I truly wish it did, but we can't get everything we wish for.

Re:Heh. (1)

crashcy (2839507) | about 5 months ago | (#45391895)

You're not making sense cold. You've been working too hard. Take a break, go home, see your family. There will be plenty more shilling waiting for you tomorrow. Just remember, stick to defending NSA, attacking Snowden. The GCHG has their own man, let them deal with their own PR.

Re:Heh. (2)

girlintraining (1395911) | about 5 months ago | (#45391823)

If you look very carefully, you might avoid looking like a total moron on your rebuttal. The OP never mentioned the United States. The article is about the Brisih. The OP mentioned the courts. The British, unless something has gone terribly wrong in London very recently, still have courts. They wear wigs and robes, and that's worth a chuckle, but the courts are still a very real thing. We inherited them from the British, warts and all. And believe me, the common law system... is a very. big. wart.

Re:Heh. (0)

Anonymous Coward | about 5 months ago | (#45391847)

Even if you post this exact same comment three times, it doesn't make it true. Nowhere in the parent chain does anyone talk about the US except you. You might interpret s.petry's post as being about FISA but that's probably because you can't place Europe on a map, not because s.petry was actually talking about FISA. My interpretation is that s.petry isn't an idiot and is talking about the story this whole thread is attached to, like everybody else. That's kind of how it works around here.

Re:Heh. (-1)

cold fjord (826450) | about 5 months ago | (#45391887)

Really? So which secret courts in the UK was s.petry referring to? Surely you can point to them? Or could you acknowledge the simple fact that s.petry was going on about the FISA court, yet again?

Europe.... I think I've heard of it.

Re:Heh. (0)

Anonymous Coward | about 5 months ago | (#45391681)

GCHQ doesn't give a flying fuck what Congress says...its British. That said, it's not like the NSA has been so well regulated that you have anything to say about the adequate oversight of the American system either. Shill?

Re:Heh. (-1, Troll)

cold fjord (826450) | about 5 months ago | (#45391749)

If you look very carefully I answered a post by s.petry complaining yet again about "secret courts" which is a reference to the American FISA.

GCHQ may very well care about some things that Congress says as it authorizes payments to the NSA to forward to GCHQ as part of partnership agreements.

Shill? Bugger off.

Re:Heh. (2)

mrbester (200927) | about 5 months ago | (#45391899)

There are secrets courts and secret rulings on UK with regard to security matters. US calls it FISA. We don't have a name for it as the secrecy also encompasses Family Court and super injunctions.

Re:Heh. (0)

Anonymous Coward | about 5 months ago | (#45391713)

Don't feed the cold fjord government shill troll.

Re:Heh. (2)

s.petry (762400) | about 5 months ago | (#45391881)

First, thanks for paying attention to which country we are talking about. Congress does not have oversight over the UKs GCHQ.

Second, even if we were talking about the NSA you would be dishonest. Congress has no oversight of FISA rulings, none, zero, zip, nada!

Re:Heh. (-1, Troll)

cold fjord (826450) | about 5 months ago | (#45391951)

So then, please enlighten us about exactly which British court you were referring to? Please? Or was it yet another FISA/NSA rant in a story on the UK as is common on Slashdot.

As to your second point I find it an interesting diversion. Congress has oversight over the NSA and can create disestablish courts, remove judges, and change the laws that govern both the courts and the NSA. So, you've got it essentially wrong again.

Re:Heh. (1)

pixelpusher220 (529617) | about 5 months ago | (#45391925)

The 'laws' may not be secret, but until very very very recently, the 'interpretation' of the Executive branch as to what those 'public' laws granted them power to do, was quite secret.

Re:Heh. (3, Interesting)

girlintraining (1395911) | about 5 months ago | (#45391645)

Exactly! They claim that they use laws to control what they snoop, and have oversight. When the laws are "secret", the courts are "secret", and the oversight is internal how much should we trust them? None at all!

Not necessarily. Some things need to be secret. When we put spies on trial, we shouldn't showcase all the classified documents they stole for public inspection. It's evidence, but it's secret evidence -- and the sensitive nature of the documents is sufficient justification for doing so. The problem is not secrecy, anymore than keeping your password secret is a security vulnerability. The problem is when secrecy exceeds its mandate; when it crosses a line from matters of true national security to matters that are politically embarassing or unpopular. And as we can see in contemporary society, that line seems to be quite muddled.

What irks me is people's reactionary "teh guv'ment's tryin' to take away mah freedomz!" to every discussion presented about government surveillance and/or intelligence activities. They have to know that it's necessary at some level, but they reduce this wide breadth of space from no surveillance to police society to a binary. I don't understand why so many people engage in black and white thinking when the problem so obviously isn't as clear cut as the overwhelmingly vast majority of people argue it is.

I mean, the government's using circular logic, and that's wrong. But the people raging against it are using equally broken logic. And there's perfectly good discussion not happening because everyone flung themselves to the polar extremes. Why?

Re:Heh. (4, Insightful)

s.petry (762400) | about 5 months ago | (#45391841)

I never mentioned "secrets", like your example of trial evidence, I said "secret" as in know outside knowledge of ruling/decision. If the rulings are all secret, oversight is impossible. It's not just the US FISA courts that make "secret" rulings, but the UK has numerous secret courts as well.

We have had a similar discussion before. I _agree_ that some things should not be public knowledge. Plans for making weapons, locations of CIA houses, lists of operative names, etc.. are all fine to be restricted from the public. We don't need those to be available to have discussion on mass surveillance. The public should be aware of the Government plans to scoop all data from everyone everywhere using ever possible means including those that are considered illegal by their respective countries laws.

For example, if you start dumping all of the traffic from a site you could (and perhaps would depending on the target) go to jail based on numerous wiretapping laws related to computers. The list of laws is extensive, I'll suggest you get a book on CEH, CISSP, etc.. that explain those all of those laws. If the Government is going to break all of those laws, that should be a matter of public knowledge and debate. Not the agents names, and maybe not even the agency doing the work. The actions are what is important.

I mean, the government's using circular logic, and that's wrong. But the people raging against it are using equally broken logic. And there's perfectly good discussion not happening because everyone flung themselves to the polar extremes. Why?

I don't agree with there only being two extremes, and I don't agree that the majority of the discussion about mass surveillance is using broken logic. Most of the discussion against it has been using law which is not circular. The Government debate for mass surveillance is mostly that they don't have to follow the law, which is also not circular logic.

Re:Heh. (4, Insightful)

Heed00 (1473203) | about 5 months ago | (#45391993)

They have to know that it's necessary at some level...

If by "it" you mean some sort of surveillance that's targeted, based on suspicion and granted on a case by case basis by an oversight (court, law, etc.) body that's just not a rubber stamp factory, then yes -- but I haven't really seen anyone argue against that, so I don't know where you are getting the notion of a false dichotomy.

Unless by "it" you mean "suspicionless mass surveillance" -- in which case, no, it is not necessary at some level.

Re:Heh. (1)

gedeco (696368) | about 5 months ago | (#45391447)

These actions were authorised in the United Kingdom.
Whenever one of those hackers get caught by the belgian justice, it sounds fair to assume he would spent some time in jail.

There was economic damage, violation of privacy.....

Re:Heh. (1)

smash (1351) | about 5 months ago | (#45391569)

Now I'll prefix this by saying I think this whole surveillance stuff is disgusting.... however, that said...

This is where cyberspace gets a little hairy. If they never set foot in belgium, and were not making modifications to belgium owned assets, then I would argue that belgium law has fuck all to do with anything. Just because Belgium user's computers trusted the internet at large it doesn't make it the GCHQ problem.

Re:Heh. (3)

cold fjord (826450) | about 5 months ago | (#45391453)

I expect that it was the People's Chamber [wikipedia.org] , or "Volkskammer*," that granted the Stasi it's authority to spy.

In the UK it would be up to the democratically elected Parliament to pass legislation authorizing GCHQ's work.

* To an English speaking ear that is oddly similar to Volks hammer or people's hammer. Oddly appropriate in reference to the Stasi which combined both surveillance and repression. I think I would also stay away from any "People's Courts."

Re:Heh. (1)

Anonymous Coward | about 5 months ago | (#45391503)

In the US, the "People's Court" is a reality TV show where the mediator for a private binding arbitration hearing dresses up in robes like a real judge. Then they call on as guests the sort of people who would have been on the Jerry Springer Show back when that was a thing.

Re: Self contradiction (0)

Anonymous Coward | about 5 months ago | (#45391535)

The law says "to modify a computer or it's content without the owners knowledge or consent" is a virus, which is illegal, which is what they are doing, which they say is legal.
It's fine if a judge has agreed to issue a warrant to tap someone's communication when there is reasonable suspicion of illegal activity, but to just spy wholesale on people without any kind of checks or measures is counter to the laws of this country for which the perpetrators should be held to account.

Re:Heh. (5, Interesting)

lorinc (2470890) | about 5 months ago | (#45391555)

It's funny to see people finally realize that the world we're headed to is very similar to that of East Germany, with the slight difference that you won't be assured to have a house, a job and food every day. Probably these points were not among the good things to retain from the Commies, whereas global surveillance was.

They're not authorized to do it (0)

Anonymous Coward | about 5 months ago | (#45391591)

Except they're not authorized or legal.

The "authorised, necessary and proportionate" is to imply that its legal under RIPA surveillance warrants, which let them grab bulk foreign data (not British data as they've been doing, and not sending out malware to hack computers as they've been doing).

So no, its not legal, not at all.

Re:Heh. (1)

Anonymous Coward | about 5 months ago | (#45391729)

To be fair to them it's more:

We're authorised to do it by the people you authorised to make decisions for you, who, due to them wanting to keep having you authorise them, decided not to let you know what they were authorising on your behalf.

Re:Heh. (0)

Anonymous Coward | about 5 months ago | (#45391843)

Whats the matter offended because it's not the NSA doing the spying. Well our soy service is there to spy ON you and the rest of the world as well as the domestic population.

if they aint SPYING on somebody then why do are we paying them? Makes a change to see tax payers money used to do what they actually say they will with it.

Re:Heh. (0)

Anonymous Coward | about 5 months ago | (#45391963)

American version; everyone we kill deserves to die.

https? (5, Insightful)

Anonymous Coward | about 5 months ago | (#45391335)

So, when is Slashdot going to turn on https and stop the attack vector?

Re:https? (0)

Anonymous Coward | about 5 months ago | (#45391427)

LOL it's MIM that is not going to save you!

Re:https? (4, Insightful)

Gravis Zero (934156) | about 5 months ago | (#45391527)

So, when is Slashdot going to turn on https and stop the attack vector?

the real question is when will the internet switch to an uncompromised encryption scheme.

Re:https? (2)

smash (1351) | about 5 months ago | (#45391609)

Nah, the real question is when more than 1% of the internet's user base give a shit enough to be concerned enough to even consider whether or not the remote site they are talking to is trustworthy. Let's start with trying to stop them from opening attachments first, then we'll worry about solving global surveillance issues, eh? Baby steps.

Re:https? (1)

Nerdfest (867930) | about 5 months ago | (#45391583)

If you use Linux, it's actually quite easy to turn on DNSSEC, which I assume would help mitigate this problem.

Re:https? (4, Insightful)

ColdWetDog (752185) | about 5 months ago | (#45391693)

No need. All you have to do is insert some unicode in your post or response. If it renders correctly either 1) Hell just froze over or 2) You've been pawned.

Re:https? (3, Funny)

girlintraining (1395911) | about 5 months ago | (#45391893)

2) You've been pawned.

1.e4 e5
2.Bc4 Nf6
3.d3 c6
4.Bg5 h6
5.Bxf6 Qxf
6 6.Nc3 b5
7.Bb3 a5
8.a3 Bc5
9.Nf3 d6
10.Qd2 Be6
11.Bxe6 fxe6
12.O-O g5
13.h3 Nd7
14.Nh2 h5
15.g3 Ke7
16.Kg2 d5
17.f3 Nf8
18.Ne2 Ng6
19.c3 Rag8
20.d4 Bb6
21.dxe5 Qxe5
22.Nd4 Kd7
23.Rae1 h4
24.Qf2 Bc7
25.Ne2 hxg3
26.Qxg3 Qxg3+
27.Nxg3 Nf4+
28.Kh1 Rxh3
29.Rg1 Rxh2+

You were saying?

Re:https? (0)

Anonymous Coward | about 5 months ago | (#45391763)

You'd need https (with certificate monitoring through a trusted 3rd party not using the CA system). DNSSEC would also help. Though neither fixes the issue when everything is compromised from day 0 - and I'm assuming that key exchange and crypto are perfect and uncompromisable.

With perfect crypto you can only communicate safely to person's you have verified personally and exchanged key information personally. If you haven't do that, then everything else can be MiTM.

This is why the Red Line between Moscow and Washington used a OTP. It is perfect and uncompromisable and only susceptible to DoS, and nothing else.. Yet, quite useless for the way people use crypto.

Hey, GCHQ (1)

Heed00 (1473203) | about 5 months ago | (#45391343)

Fuck the fuck off!

Re:Hey, GCHQ (0)

Anonymous Coward | about 5 months ago | (#45391567)

Ya ya silly buggers, have ya stopped G4S (Wackenhutt) from wiring up mics and datahubs at the gchq Cheltenham digs yet?!? methinks snot.

One more thing, for the record, fix the glitched-up National Police Software, coz the israelis and the yanks backdoored it before Miller sold it to Commishhhhh Blair!

Oh, that reminds me of another thing, ya know, they say you lot are the Britishit version of NSA, well, are ya?
If yuz is, ya better be cutting off the SiSense PRISM, coz its an israeli operation.
sort yurselves out!

lol fags (0)

Anonymous Coward | about 5 months ago | (#45391361)

"we have no comment to confirm or deny the shit we did"

Really? British intelligence went after slashdot? (3, Funny)

damn_registrars (1103043) | about 5 months ago | (#45391373)

I have a hard time believing that someone convinced them this site was worthwhile. Was this just some kind of training exercise for them, to make sure that they could handle the traffic volume from a dying site before they go and try to intercept traffic from one that is relevant?

Re:Really? British intelligence went after slashdo (5, Interesting)

drinkypoo (153816) | about 5 months ago | (#45391409)

I have a hard time believing that someone convinced them this site was worthwhile.

That's because you're letting your ego get in the way. This isn't about you. This is about one or more specific targets that they believed or suspected were slashdot users.

Re:Really? British intelligence went after slashdo (4, Informative)

Captain Hook (923766) | about 5 months ago | (#45391411)

Really? British intelligence went after slashdot?

No, the target were Belgium Telco workers.

GCHQ needed a way to insert malicous scripts on the workers PC in order to gain a foothold on the Belgium Telcoms networks. The way they did that was to run a man-in-the-middle attack on the sites that those workers were going to visit.

Re:Really? British intelligence went after slashdo (0)

Anonymous Coward | about 5 months ago | (#45391635)

yes but that was because the Belgians are future-lookers, and there were plans afoot to abandon the yank/israeli/britishit GSM (Global{poor}StandardMobile), and implement faster,cleaner systems, with....wait for it............
much better privacy!
mysteries abound!

and YESYES, of course theyre on /. most of the commentators these days are either industry reps, lobby-types, or "intel" buffoons!

the real story here is that there are PEOPLE everywhere who are fed up with the PRISM israeli operation. it is simply a violation of national integrity to have those outlandish types riddling the apparati and the bureaucracys

Re:Really? British intelligence went after slashdo (2)

s.petry (762400) | about 5 months ago | (#45391445)

I have a hard time believing that someone convinced them this site was worthwhile. Was this just some kind of training exercise for them, to make sure that they could handle the traffic volume from a dying site before they go and try to intercept traffic from one that is relevant?

Sites like Slashdot and Reddit are very legit targets. If you want to measure public opinion you actually need sites like this. I'm sure that they also scan forums on intellectual sites like Science, etc... How do you know how to spin things, or continue to spin things, if you don't know how much information the public has.

Do I think they use it to track individual users? I have no evidence of this, but that does not mean it does not happen. If we can't see what they do I have no trust in them. If they are capable of what we "know", they are capable of attempting to silence critics.

Re:Really? British intelligence went after slashdo (1)

cold fjord (826450) | about 5 months ago | (#45391651)

If we can't see what they do I have no trust in them.

If you can see what they do then so can the people they are trying to spy on. That is self-defeating.

If they are capable of what we "know", they are capable of attempting to silence critics.

"Capable of" and "intend to" are completely different questions, as well as matters of legal interest.

Successful counter-troll (0)

Anonymous Coward | about 5 months ago | (#45391379)

employees who [...] spent significant amounts of time on LinkedIn and Slashdot.

We all knew what they were doing. Thanks GCHQ for cleaning up our comments section!

No comment (1)

PPH (736903) | about 5 months ago | (#45391395)

'We have no comment to make on this particular story.' It added: 'All GCHQ's work is carried out ....

Sure looks like a comment to me.

What legal framework? (1)

Anonymous Coward | about 5 months ago | (#45391437)

All GCHQ's work is carried out in accordance with a strict legal and policy framework

The Mafia also operates in accordance with a strict internal policy framework. It still doesn't make it right.

Ultimately it's up to the people to control their respective governments. If a democratically elected government carries out activities that are only legal within their own policy, yet immoral by other standards, the people themselves are responsible for these actions.

Time For https:\\slashdot.org (0)

Anonymous Coward | about 5 months ago | (#45391443)

If https://slashdot.org [slashdot.org] worked, then a MITM would not.

Re:Time For https:\\slashdot.org (1)

smash (1351) | about 5 months ago | (#45391637)

Where does the certificate come from? And if you are MITM'd by someone who owns your CA, how do you know that the certificate being presented is valid? HTTPS in this instance would have made precisely fuck all difference. HTTPS in it's current implementation will stop maybe script kiddies and the average phisher. not state-sponsored attacks.

Re:Time For https:\\slashdot.org (0)

Anonymous Coward | about 5 months ago | (#45391661)

How clueless!

Re:Time For https:\\slashdot.org (1)

Charliemopps (1157495) | about 5 months ago | (#45391981)

You're assuming that:
a. The user would even notice that the cert had changed (very doubtful)
b. That the cert changed at all...
c. That the cert authorities aren't compromised
d. That the encryption algorithm isn't compromised
e. The users OS isn't compromised already

All pretty big stretches... but given what we've seen so far maybe not... The biggest revelation we've had with regard to all of this is how far they will go to get the job done. The answer to that appears to be "As far as they need to" which leads us to "What's the first thing you would do to circumvent internet security if you had unlimited resources and the belief that you were in the right? The answers to that is simple, subvert the cert authorities. In fact, I would be surprised if we eventually find out that at least some of them are even owned outright by the NSA. It seems outlandish, but so far just about everything they've done has sounded outlandish up until the day we find out about it.

thats a relief. (1)

nimbius (983462) | about 5 months ago | (#45391457)

for a minute there I thought america was the only country that invented a secret court to grant secret warrants to undisclosed agencies seeking to wiretap undisclosed targets.
turns out now that everything you did to slashdot is "legal" we can move on to more pressing issues like when are we getting more Doctor Who? I feel like personally thats the only way i could ever call the whole 'we have no respect for the internet' thing squaresies

British Intelligence Responds? (1)

korbulon (2792438) | about 5 months ago | (#45391469)

"We have no comment to make on this particular story."

How is this a response?

Re:British Intelligence Responds? (3, Interesting)

Joining Yet Again (2992179) | about 5 months ago | (#45391515)

Assuming this isn't a hoax, feathers successfully ruffled.

How often does GCHQ make an official statement in response to some random guys on the Internet claiming that they overstepped their bounds? It's surely not setting a precedent, so why has it respnded to this one?

["no comment"]
[junior PR flunky boilerplate sounding like it's from a FTSE 100 corp.]

Re:British Intelligence Responds? (2)

ledow (319597) | about 5 months ago | (#45391901)

Er... it hasn't.

It's responded with "No Comment" like it has for just about every media outlet that has ever asked it.

It might even be legally bound to reply to "press enquiries", in whatever form. I'm pretty sure if I wrote them a letter, they would reply. Most likely with a similar response.

Just because they're spies does not mean they don't have a press office and/or a secretary who just fobs off anyone who asks. Hell, you can get replies from Santa if you post them in a Royal Mail postbox (even if you don't address the letter, but just put "To Santa" and have a return address!).

A response means nothing. The response given means nothing (it literally means "I have received your letter. I have no response").

Call me back when there's a story.

Re:British Intelligence Responds? (1)

smash (1351) | about 5 months ago | (#45391647)

Of course it is a response. "Yes, we received your message".

Better than what I thought (0)

Anonymous Coward | about 5 months ago | (#45391671)

British Intelligence Responds:

"Yeah baby! Shall we shag now or shag later?!"

Re:British Intelligence Responds? (0)

Anonymous Coward | about 5 months ago | (#45391687)

oi, you twat, git fokt!
listen `ere you horrible bugger,
the israelis run prism.

Re:British Intelligence Responds? (0)

Anonymous Coward | about 5 months ago | (#45391803)

My goodness, you seem an IRAte type, shame about those jEUROCRATS, the ECB, and the EU-version of COINTELPRO...
Honestly, old chap, what is your problem with the Israeli IT-domination scheme? It all seems legit and above-board, so kindly shove off slashdot with your anti-scimitaric drivel.
Don`t take it the wrong way, it`s only that slashdot is now a properly AIPAC-affiliated propaganda vehicle, and you cannot possible comment on behalf of the entire MOD, or (the lobby would) can you?

The British are a joke. (0)

Anonymous Coward | about 5 months ago | (#45391491)

There is no more British "empire".

The UK economy is in the toilet.

The UK weather sucks.

Go ahead and tap my communications, you sorry pale faced
warm beer drinking bad toothed pieces of subhuman shit.

I could care less.

Re:The British are a joke. (0)

Anonymous Coward | about 5 months ago | (#45391919)

We gifted you a language and you can't even learn to use it properly, you poor excuse for a sub-human.

It's "I could NOT care less". No, don't reply with a retro-argued usage, the phrase is "I could not care less". Any attempt to explain how using a phrase that means the opposite is somehow correct just shows you are unable to either understand your mistake, or take responsibility for it.

Fucking colonials.

Re:The British are a joke. (0)

Anonymous Coward | about 5 months ago | (#45391945)

Well our empire lasted longer than yours did you inbred merkin.

Holy fuck (0)

Anonymous Coward | about 5 months ago | (#45391497)

Fuck the UK.

Re:Holy fuck (0)

Anonymous Coward | about 5 months ago | (#45391597)

Fuck the UK.

The english are best at fucking themselves quite good.
Let's keep the good part, Scotland in the EU and toss away the putrid rest.

strict legal and policy framework (1)

sl4shd0rk (755837) | about 5 months ago | (#45391507)

I'm very glad they have this in place. Just knowing they are policing themselves with laws made to fit within the policies they've made up makes me feel so much better now. I'll never have to worrry about privacy again.

Re:strict legal and policy framework (1)

Virtucon (127420) | about 5 months ago | (#45391547)

Yes we can all feel safer that there's checks and balances to ensure that we don't do bad things.

Try Tor and exclude US/US friendly exit nodes (2)

i_want_you_to_throw_ (559379) | about 5 months ago | (#45391743)

With all the uproar over US spying, you could always use a Tor solution that excludes US and US intelligence friendly exit nodes. PAPARouter [paparouter.com] (disclaimer: my company) is a router that has Tor in it and US and US friendly exit nodes are excluded (US, UK, Australia, New Zealand and all Commonwealth countries) by default. Anonymize several devices just hooking to the wireless access point. (Or build your own Onion-Pi from Adafruit and save a couple of bucks)

we have never cooperated... (2, Funny)

Anonymous Coward | about 5 months ago | (#45391949)

we have never cooperated with any government agency

What they mean to say is, "We have never cooperated with any government agency, unless compelled by law, or because the FBI asked nicely while threatening to throw us in jail, and even if we did cooperate, we aren't allowed to reveal that we did, and even if we are allowed to reveal that we did, we wouldn't because that would make us look bad."

ive never had an account here (0)

Anonymous Coward | about 5 months ago | (#45391999)

but i post and lurk for many moons

i just want to tell the fraud commiting gchq spys that we already knew all about it
we mitm -ed you while we were getting mitm-ed by you
your mom told me that you liked a reach-around
congrats on your excelent job well done!
stop hiding behind your mommys skirts and come out into the light
  i feel free but its not because of ANYTHING you or your ilk have EVER done
you guys are seriously worse in my eyes than al -queada
you have no honor

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...