Slashdot Mirror


GCHQ Created Spoofed LinkedIn and Slashdot Sites To Serve Malware

An anonymous reader writes "Ars Technica reports how a Snowden leak shows British spy agency GCHQ spoofed LinkedIn and Slashdot so as to serve malware to targeted employees. From the article: 'Der Spiegel suggests that the Government Communications Headquarters (GCHQ), the British sister agency to the NSA, used spoofed versions of LinkedIn and Slashdot pages to serve malware to targets. This type of attack was also used to target “nine salaried employees” of the Organization of Petroleum Exporting Countries (OPEC), the global oil cartel.'"

8 of 335 comments

  1. SSL by dido · · Score: 5, Informative

    I suppose using HTTPS would have helped even a little, if Slashdot ever bothered to do so. The victims might have noticed that the certificates changed, even if they did check out, most especially if they used HTTPS Everywhere. They couldn't just foist off an SSL cert for Slashdot signed by some other CA (or even the same CA) then: the SSL Observatory would have noticed the change in the certificate the way SSH notices that public keys to servers you connect to change. Unless of course Slashdot gave its (non-existent) private keys to GCHQ, in which case all bets are now off. Why browser SSL doesn't automatically cache certs the way SSH does and warn if there's a change that doesn't involve certificate expiry or revocation is something that isn't quite clear to me.

    --
    Give me six lines written by the hand of the most honest man, and I will find something in them to hang him.
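
The SSH-style certificate caching this comment asks for, as an added example (not part of the original comment and not any browser's code): a trust-on-first-use pin store that warns when a host's certificate changes while the pinned one is still well inside its validity period. The class and function names, the 30-day renewal window and the sample byte strings are assumptions made for illustration; revocation is not modeled.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Assumption: a change within 30 days of the pinned cert's expiry is a renewal.
RENEWAL_WINDOW = timedelta(days=30)


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate, compared like an SSH host-key fingerprint."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Trust-on-first-use cache, host -> (fingerprint, notAfter), like known_hosts."""

    def __init__(self):
        self.pins = {}

    def check(self, host, der_cert, not_after, now):
        fp = fingerprint(der_cert)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = (fp, not_after)
            return "first-use"  # nothing to compare against yet
        old_fp, old_not_after = known
        if fp == old_fp:
            return "match"
        if old_not_after - now <= RENEWAL_WINDOW:
            self.pins[host] = (fp, not_after)
            return "renewed"  # pinned cert expiring or expired: re-pin
        return "changed"  # still-valid pin replaced early: warn, keep old pin


# Constructed sample data: byte strings standing in for DER certificates. A real
# client would pass ssl.SSLSocket.getpeercert(binary_form=True) instead.
NOW = datetime(2013, 11, 11, tzinfo=timezone.utc)
CERT_A, CERT_B, CERT_C = b"constructed-A", b"constructed-B", b"constructed-C"


def demo():
    store, exp, later = PinStore(), NOW + timedelta(days=300), NOW + timedelta(days=280)
    return [
        store.check("example.org", CERT_A, exp, NOW),
        store.check("example.org", CERT_A, exp, NOW),
        store.check("example.org", CERT_B, exp, NOW),  # new cert, pin still valid
        store.check("example.org", CERT_A, exp, later),
        store.check("example.org", CERT_C, exp + timedelta(days=365), later),
    ]

if __name__ == "__main__":
    print(demo())
```

The "changed" result fires even when the replacement certificate chains to a trusted CA, which is the case the comment is concerned with.
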
  2. Re:hey, GCHQ employees by NettiWelho · · Score: 4, Informative

    Actually...

    The KGB (Komitet gosudarstvennoy bezopasnosti) did the external spying, while the NKVD (Narodnyy Komissariat Vnutrennikh Del) did the internal stuff.

    The organization that used to be the NKVD was castrated in the 1950s with the arrest of Beria, and the KGB inherited the role of the political police.

  3. Re:hey, GCHQ employees by Anonymous Coward · · Score: 3, Informative

    Skipping some renaming & reorganizations, the KGB was a successor to the NKVD, which was a successor to the OGPU, which was a successor to the Cheka.

    The KGB owned internal troops, border guards, secret police, and external spies.

    Both the KGB and GRU (military intelligence) spied abroad.

  4. Re:hey, GCHQ employees by NicBenjamin · · Score: 3, Informative

    Sending malware counts as a crime, not legal surveillance.

    If the victims knew the identities of the perpetrators they would be eligible for extradition under the standing treaties.

    This has been repeated several times, but nobody has been able to name the treaty. In fact the last time I asked somebody brought up a non-governmental hacker.

    This is a world of governments. What they do is legal, by definition, unless they have specific Constitutional or statutory bars on that particular behavior. Neither the US nor the UK has ever signed a treaty, or passed a law, that makes hacking in service of the government illegal.

    Let me put it to you this way:
    If US officials can't get extradited to Venezuela for participating in that minor coup attempt Venezuela had a decade or so back, why could they be extradited for hacking?

    It's not like a) the Venezuela coup worked so the new government loved the coupsters, or b) the Venezuelan government would have refrained from charging the CIA officers they were accusing if they thought anyone (literally anyone) would take it seriously.

  5. Re:hey, GCHQ employees by NettiWelho · · Score: 4, Informative

    What they do is legal, by definition, unless they have specific Constitutional or statutory bars on that particular behavior. Neither the US nor the UK has ever signed a treaty, or passed a law, that makes hacking in service of the government illegal.

    I'll let my google-wiki-fu dazzle you:

    Fourth Amendment to the United States Constitution
    ....
    The Fourth Amendment (Amendment IV) to the United States Constitution is the part of the Bill of Rights that prohibits unreasonable searches and seizures and requires any warrant to be judicially sanctioned and supported by probable cause.
    ...
    One threshold question in Fourth Amendment jurisprudence is whether a "search" has occurred. Initial Fourth Amendment case law hinged on a citizen's property rights—that is, when the government physically intrudes on "persons, houses, papers, or effects" for the purpose of obtaining information, a "search" within the original meaning of the Fourth Amendment has occurred.
    ...
    The Fourth Amendment proscribes unreasonable seizure of any person, person's home (including its curtilage) or personal property without a warrant. A seizure of property occurs when there is "some meaningful interference with an individual's possessory interests in that property"

    In my interpretation of the functionality of our universe, sending detectable signals that carry malware in order to gain illicit access does count as physical action.

  6. Re:How do you know Snowden has released *ALL* info by Smauler · · Score: 4, Informative

    As a poker player, I never release my trump card early in the game.

    Somehow, this reminds me of Zapp Brannigan.

  7. Re:Rogue governments !! by Anonymous Coward · · Score: 5, Informative

    ..Why are there CCTV cameras everywhere in Britain?

    Err, there aren't.

    Look, you (pl) keep throwing this one up, I'm in Britain, and the nearest 'state' CCTV cameras to my current location are a mile and a half away, and I stay in a major town. The nearest CCTV camera to my home location is approx 1,300 feet away (as the Google Earth ruler flies..) and it's pointed at a bloody 'Doo hut'.

    My place of employ?, internally we've cameras everywhere (and I run 4-8 of them), the industrial estate we're located on is surrounded by a ring of the buggers, guess what?, none of the fucking things work (and they haven't done so now for a number of years..7+ years now).

    Yes, Britain in parts (hello London, Glasgow, any other 'metropolitan' area and the major road networks) may have an inordinate number of CCTV cameras, but they're not 'everywhere in Britain' and not any more so than any other country.

    If you truly want an example of Panopticon levels of CCTV surveillance, try Monaco.

  8. Re:Rogue governments !! by Anonymous Coward · · Score: 2, Informative

    How is U.S. law relevant when those actions were not in the U.S.?

    Edward Snowden revealed that U.S. government agencies have performed illegal and immoral actions. The people that ordered those actions are traitors, not the messenger.