British Intelligence Responds To Slashdot About Man-in-Middle Attack

Nerval's Lobster writes "The GCHQ agency, Britain's equivalent of the National Security Agency, reportedly used fake LinkedIn and Slashdot pages to load malware onto computers at Belgian telecommunications firm Belgacom. In an emailed statement to Slashdot, the GCHQ's Press and Media Affairs Office wrote: 'We have no comment to make on this particular story.' It added: 'All GCHQ's work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Intelligence and Security Committee.' Meanwhile, LinkedIn's representatives suggested they had no knowledge of the reported hack. 'We have read the same stories, and we want to clarify that we have never cooperated with any government agency,' a spokesperson from the social network wrote in an email to Slashdot, 'nor do we have any knowledge, with regard to these actions, and to date, we have not detected any of the spoofing activity that is being reported.' An IT security expert with extensive knowledge of government intelligence operations, but no direct insight into the GCHQ, hypothesized to Slashdot that carrying out a man-in-the-middle attack was well within the capabilities of British intelligence agencies, but that such a 'retail' operation also seemed somewhat out of character. 'Based on what we know they've done, they are doing industrialized, large scale traffic sweeping and net hacking,' he said. 'They operate a wholesale, with statistical techniques. By "statistical" I mean that they send something that may or may not work.' With that in mind, he added, it's plausible that the GCHQ has software that operates in a similar manner to the NSA's EGOTISTICAL GIRAFFE, and used it to redirect Belgacom employees to a fake download. 'However, the story has been slightly garbaged into it being fake [LinkedIn and Slashdot] accounts, as opposed to network spoofing.'" Update: You can read the official statement from Slashdot's parent company, Dice Holdings, here on our blog.

First Spoof

[anagama]

First Spoof.

Though this is no laughing matter.

Re:First Spoof

Guess who's been modding up all those pro-surveillance comments?

"Oops, the dog ate my mod points."

Re:First Spoof

[LifesABeach]

When it comes to Statistics, Mark Twain nailed it.

Re:First Spoof

yes it is. slashdot readers getting owned is always lols.

Re:First Spoof

[davester666]

"strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight"

equals

"do whatever you want, just don't get caught"

Re:First Spoof

[oldestgeek]

He attributed that quote to its correct source Benjamin Disraeli! It should now be "Lies, damned lies, statistics, and computer models!

@slashdot: use https per default!

That would make MIM attacks much more difficult

Re: @slashdot: use https per default!

[Antony+T+Curtis]

Using HTTPS is not the solution when the only thing people see is that some trusted certificate was used. If a trusted Certificate Authority was compromised or issued `fake' certificates for government spy agencies, the target wouldn't know that a MITM attack has occurred because the little green icon is showing just fine.

However, if we had something like a GPG content encoding, if the site hasn't already been trusted by the user, red flags will immediately be showing.

Like as like not, with the proliferation of CAs which exist, MITM attacks are easier than ever because people have been conditioned to trust HTTPS.

Re: @slashdot: use https per default!

[heypete]

True, but it would prevent the insertion of malicious packets (the "Quantum Insert" technique they describe in the various articles). Invalid SSL/TLS packets would simply be discarded and it would not be possible to insert malicious packets into the encrypted, MACed datastream.

Yes, MITM would be possible but Slashdot could implement certificate pinning (either through having browsers like Chrome have the cert details baked-in, or having users use something like Cert Patrol for Firefox) to make this harder. It's not foolproof, but it would certainly make this type of attack considerably more difficult and easier to detect.

Re: @slashdot: use https per default!

[smash]

out-of-band, self signed certs for the win!

Re: @slashdot: use https per default!

[Karl+Cocknozzle]

Using HTTPS is not the solution when the only thing people see is that some trusted certificate was used. If a trusted Certificate Authority was compromised or issued `fake' certificates for government spy agencies, the target wouldn't know that a MITM attack has occurred because the little green icon is showing just fine.

However, if we had something like a GPG content encoding, if the site hasn't already been trusted by the user, red flags will immediately be showing.

Like as like not, with the proliferation of CAs which exist, MITM attacks are easier than ever because people have been conditioned to trust HTTPS.

Although I like where your head is, wouldn't the CPU power required to do on-the-fly GPG decoding of content be prohibitive? Or am I misunderstanding the proposed solution?

Re:@slashdot: use https per default!

i'm sure the most advanced intelligence agencies on the planet can break your cereal box encryption

they'll just suck up the data and go to work on it breaking the encryption and the keys with their super computers

Re: @slashdot: use https per default!

[Antony+T+Curtis]

Although I like where your head is, wouldn't the CPU power required to do on-the-fly GPG decoding of content be prohibitive? Or am I misunderstanding the proposed solution?

A large amount of the content on the internet is static. The static assets can be stored on the disk, already signed. This has the added advantage that HTTPS cannot provide: The static assets are cacheable and they are tamper-proof, should the server be compromised.

When it comes to dynamic content, one can 'cheat' a little by reusing the same session key for the same connection. The startup cost is not much different than existing HTTPS which uses DH for key exchange.

It's not going to be much slower than what we have today with HTTPS for interactive sites, where humans are the slow link in the chain.

Re: @slashdot: use https per default!

Just use self signed certificates and make the CA and its fingerprint known to everyone. Problem solved.

Re: @slashdot: use https per default!

Using HTTPS is not the solution when the only thing people see is that some trusted certificate was used. If a trusted Certificate Authority was compromised or issued `fake' certificates for government spy agencies, the target wouldn't know that a MITM attack has occurred because the little green icon is showing just fine.

Certificate pinning helps with this.

Also, that's part of the idea behind DANE (putting certificates in DNS) with DNSSEC. Unfortunately the whole roll out is kind of going at a glacial pace.

Re: @slashdot: use https per default!

[yakatz]

Google Chrome supports certificate pinning so you can't go to a site if the certificate used does not match the known one on the list compiled into the browser, which sort-of solves the wrongly issued certificate problem.
RFC 6844 has a proposed DNS type for verifying the proper certificate was served (requires DNSSEC to make sure the DNS was not tampered with).

Re: @slashdot: use https per default!

[yakatz]

Woops, wrong one. That RFC says not to use it for validation, only for a certificate authority to see if they should issue a cert. I will try to find the correct one.

Re: @slashdot: use https per default!

These days you can easily validate the fingerprint of external content hosted on untrusted CDN using a few lines of javascript. There are ways to do it rather properly/securely, the client load is negligible and the server load nonexistent.

Such thing should be standardized at least into a popular frameworks to avoid user completely failing at implementation and also to tackle the growing threat content distribution networks represent.

Just imagine when the NSA discover they can just disseminate malware through Akamai's or Cloudfront's infrastructure, so many targets, in the same place.

So many sites relying on googleapis.com for their js/ajax libraries and fonts also deeply bothers me. At least enough to have *.googleapis.com inside a deny.hosts file. Not even mentioning the tracking concern of this one deeply rooted in 90% of the web.

Re: @slashdot: use https per default!

[Culture20]

make the CA and its fingerprint known to everyone.

What out of band method do you propose to do that? Word of mouth? TV? Radio? Postcards? Flashing circuit boards magnetically attached around Boston? Facebook?

Re: @slashdot: use https per default!

[dgatwood]

The problem is that certificates change regularly. What you really want is public key pinning, where you are warned if the public key changes, without regard to what CA signed it—not just the key fingerprint, either—the entire key. After all, you have the server's public key. Why would you ever start trusting a different public key for the same server?

AFAICT, there are only two valid to reasons rekey a server: if the key gets compromised (which, being a serious security problem, should be publicly disclosed on your server in some way) or because you're upgrading to a larger key. In the latter case, you should ideally sign the new key with the old key so that it is verifiable, and the browser should ignore that the old key is not trusted for key signing when it is only being used as a secondary signature for verifying a key change.

Re: @slashdot: use https per default!

[fuzzywig]

But surely they'd re-use all of the static assets. Presumably all they did was add in a bit of flash or java or something to implant the actual malware, the rest was probably a genuine slashdot story, complete with images and snarky comments and all the rest.

Re: @slashdot: use https per default!

All of that.

Re: @slashdot: use https per default!

I would know, because the certificate would have changed and my browser plugin would warn me.

This is Slashdot, not Fox News. There are lot more people here who would notice such stuff.

Re: @slashdot: use https per default!

[Andy+Dodd]

In addition to this, if you recall some of the recent Lavabit disclosures, we know that large Internet companies have been forced to provide their private SSL certs via secret court orders.

If the NSA/GCHQ have a site's private certs, they can MITM you without you knowing.

Re: @slashdot: use https per default!

All of which can easily be comprimised.

Re: @slashdot: use https per default!

What about a global mesh network built from millions of semi-disposable, mass produced routers.

Re: @slashdot: use https per default!

[IamTheRealMike]

Yes, indeed. This meme that SSL is broken or useless is very damaging and needs to end.

The fact is that despite all the handwaving and noise, nobody has yet presented proof that a CA has been subverted by intelligence agencies, let alone knowingly. It's certainly possible that this has happened and one may think it is even likely, but in the absence of any proof it's hard to credibly argue the entire system is hosed.

The difficulty of course is finding such a proof. If a CA was found to have been routinely issuing certificates to intelligence agencies, it's very very likely that browser makers would revoke that CA and destroy the business. Their written policies are quite clear on this point and do not make governments special, that's why GoDaddy revoked LavaBit's SSL cert after learning the private key had been disclosed to the FBI. So far we don't have any evidence that the NSA or GCHQ were willing to risk destruction of a civilian business in order to reach one of their targets - though I guess there are still plenty of Snowden disclosures to come.

But even if there have been such certs issued, SSL is not useless. Firstly, it raises the complexity a lot. And secondly, there are initiatives underway to prevent subversion even by multi-billion-dollar intelligence agencies. For example the certificate transparency initiative is intending to upgrade the certificate format to contain a proof of inclusion in a public log. Browsers will start requiring the presence of these proofs in future, and thus it will no longer be possible to issue secret SSL certs that nobody can see except the victim. This is a large, complex upgrade of a massive infrastructure so it will take years, but eventually this system will raise the bar for SSL attackers to the point where they will either have to give up, or actually pass new laws that formally subvert SSL to the will of governments (at which point of course it does not matter if they are detected and there is no need to compromise CA's).

Which will happen is an open question at this point. However, Slashdot should get its ass into gear and switch on SSL and HSTS by default. Saying it's an option for logged in users just isn't good enough, especially when that option is so well buried I can't actually find it! SSL all the time should be the default, these days, there's just no reason not to anymore.

Re: @slashdot: use https per default!

Yes, indeed. This meme that SSL is broken or useless is very damaging and needs to end.

The fact is that despite all the handwaving and noise, nobody has yet presented proof that a CA has been subverted by intelligence agencies, let alone knowingly.

How about we provide proof that at least one CA operates inside the USA, and thus falls under US law? If such a CA exists, they would be forced to give the NSA the necessary keys, and not tell anybody about it, which means that anyone who cares about security will by definition have to assume that SSL is broken.

Though I suspect they don't even need to go that far. Doesn't the US government have their own CA for signing .gov and .mil domains? Does their CA certificate prevent that CA from also signing certificates for other domains? (I believe it is possible to create such a limited CA certificate, but they are rare. Most local CAs even in countries where fraud is rampant and the government can't be trusted one bit, are able to sign certificates for any domain they like. Which again means we'd have to assume SSL is broken. Which those of us aware of the problems have done for years before the whole Snowden thing surfaced. Not because we were wearing tinfoil hats in regards to the NSA, but because there are CAs in countries such as China.

Heh.

[girlintraining]

All GCHQ's work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight

The Stasi said the same thing in East Germany. But that's circular logic: We're authorized to do this because we authorized it.

Re:Heh.

[s.petry]

The Stasi said the same thing in East Germany. But that's circular logic: We're authorized to do this because we authorized it.

Exactly! They claim that they use laws to control what they snoop, and have oversight. When the laws are "secret", the courts are "secret", and the oversight is internal how much should we trust them? None at all!

Re:Heh.

[gedeco]

These actions were authorised in the United Kingdom.
Whenever one of those hackers get caught by the belgian justice, it sounds fair to assume he would spent some time in jail.

There was economic damage, violation of privacy.....

Re:Heh.

[cold+fjord]

I expect that it was the People's Chamber, or "Volkskammer*," that granted the Stasi it's authority to spy.

In the UK it would be up to the democratically elected Parliament to pass legislation authorizing GCHQ's work.

* To an English speaking ear that is oddly similar to Volks hammer or people's hammer. Oddly appropriate in reference to the Stasi which combined both surveillance and repression. I think I would also stay away from any "People's Courts."

Re:Heh.

In the US, the "People's Court" is a reality TV show where the mediator for a private binding arbitration hearing dresses up in robes like a real judge. Then they call on as guests the sort of people who would have been on the Jerry Springer Show back when that was a thing.

Re:Heh.

[lorinc]

It's funny to see people finally realize that the world we're headed to is very similar to that of East Germany, with the slight difference that you won't be assured to have a house, a job and food every day. Probably these points were not among the good things to retain from the Commies, whereas global surveillance was.

Re:Heh.

[cold+fjord]

The laws aren't secret, but some of the court decisions have been, and even some of those are being declassified. The courts use ordinary judges that rotate in from other courts, the courts aren't secret, but the warrants are. The oversight comes from Congress, the courts, and the executive branch.

Frankly I doubt you would trust them if you sat in the court and watched every proceeding. You would most likely be wondering where they hid what was really going on.

Re:Heh.

[smash]

Now I'll prefix this by saying I think this whole surveillance stuff is disgusting.... however, that said...

This is where cyberspace gets a little hairy. If they never set foot in belgium, and were not making modifications to belgium owned assets, then I would argue that belgium law has fuck all to do with anything. Just because Belgium user's computers trusted the internet at large it doesn't make it the GCHQ problem.

Re:Heh.

[magic+maverick+]

You're still a cunt. Also, this is discussing the UK where theoretically the "[US] Congress, the courts, and the executive branch" have no power. So I guess I could say you're not just a cunt. You're a stupid cunt.

Re:Heh.

[girlintraining]

Exactly! They claim that they use laws to control what they snoop, and have oversight. When the laws are "secret", the courts are "secret", and the oversight is internal how much should we trust them? None at all!

Not necessarily. Some things need to be secret. When we put spies on trial, we shouldn't showcase all the classified documents they stole for public inspection. It's evidence, but it's secret evidence -- and the sensitive nature of the documents is sufficient justification for doing so. The problem is not secrecy, anymore than keeping your password secret is a security vulnerability. The problem is when secrecy exceeds its mandate; when it crosses a line from matters of true national security to matters that are politically embarassing or unpopular. And as we can see in contemporary society, that line seems to be quite muddled.

What irks me is people's reactionary "teh guv'ment's tryin' to take away mah freedomz!" to every discussion presented about government surveillance and/or intelligence activities. They have to know that it's necessary at some level, but they reduce this wide breadth of space from no surveillance to police society to a binary. I don't understand why so many people engage in black and white thinking when the problem so obviously isn't as clear cut as the overwhelmingly vast majority of people argue it is.

I mean, the government's using circular logic, and that's wrong. But the people raging against it are using equally broken logic. And there's perfectly good discussion not happening because everyone flung themselves to the polar extremes. Why?

Re:Heh.

[MysteriousPreacher]

The laws aren't secret, but some of the court decisions have been, and even some of those are being declassified. The courts use ordinary judges that rotate in from other courts, the courts aren't secret, but the warrants are. The oversight comes from Congress, the courts, and the executive branch.

GCHG is a British thing. i.e. not much oversight from US branches of government.

Re:Heh.

[cold+fjord]

If you look very carefully I answered a post about a US thing. Why don't you protest that post?

Re:Heh.

GCHQ doesn't give a flying fuck what Congress says...its British. That said, it's not like the NSA has been so well regulated that you have anything to say about the adequate oversight of the American system either. Shill?

Re:Heh.

Don't feed the cold fjord government shill troll.

Re:Heh.

To be fair to them it's more:

We're authorised to do it by the people you authorised to make decisions for you, who, due to them wanting to keep having you authorise them, decided not to let you know what they were authorising on your behalf.

Re:Heh.

You did not, please look more carefully yourself.

Re:Heh.

[oobayly]

1). Look carefully at s.petry's post
2). Didn't see anything about the US
3). Got caught out by troll
4). ???
5). Um, profit?

Re:Heh.

[cold+fjord]

The complaints about "secret courts"? Does FISA ring a bell?

Re:Heh.

[girlintraining]

If you look very carefully, you might avoid looking like a total moron on your rebuttal. The OP never mentioned the United States. The article is about the Brisih. The OP mentioned the courts. The British, unless something has gone terribly wrong in London very recently, still have courts. They wear wigs and robes, and that's worth a chuckle, but the courts are still a very real thing. We inherited them from the British, warts and all. And believe me, the common law system... is a very. big. wart.

Re:Heh.

[crashcy]

cold fjord is rushing so quickly to defend the NSA that he no longer waits for them to be mentioned. Think he gets overtime?

Re:Heh.

[s.petry]

I never mentioned "secrets", like your example of trial evidence, I said "secret" as in know outside knowledge of ruling/decision. If the rulings are all secret, oversight is impossible. It's not just the US FISA courts that make "secret" rulings, but the UK has numerous secret courts as well.

We have had a similar discussion before. I _agree_ that some things should not be public knowledge. Plans for making weapons, locations of CIA houses, lists of operative names, etc.. are all fine to be restricted from the public. We don't need those to be available to have discussion on mass surveillance. The public should be aware of the Government plans to scoop all data from everyone everywhere using ever possible means including those that are considered illegal by their respective countries laws.

For example, if you start dumping all of the traffic from a site you could (and perhaps would depending on the target) go to jail based on numerous wiretapping laws related to computers. The list of laws is extensive, I'll suggest you get a book on CEH, CISSP, etc.. that explain those all of those laws. If the Government is going to break all of those laws, that should be a matter of public knowledge and debate. Not the agents names, and maybe not even the agency doing the work. The actions are what is important.

I mean, the government's using circular logic, and that's wrong. But the people raging against it are using equally broken logic. And there's perfectly good discussion not happening because everyone flung themselves to the polar extremes. Why?

I don't agree with there only being two extremes, and I don't agree that the majority of the discussion about mass surveillance is using broken logic. Most of the discussion against it has been using law which is not circular. The Government debate for mass surveillance is mostly that they don't have to follow the law, which is also not circular logic.

Re:Heh.

Whats the matter offended because it's not the NSA doing the spying. Well our soy service is there to spy ON you and the rest of the world as well as the domestic population.

if they aint SPYING on somebody then why do are we paying them? Makes a change to see tax payers money used to do what they actually say they will with it.

Re:Heh.

Even if you post this exact same comment three times, it doesn't make it true. Nowhere in the parent chain does anyone talk about the US except you. You might interpret s.petry's post as being about FISA but that's probably because you can't place Europe on a map, not because s.petry was actually talking about FISA. My interpretation is that s.petry isn't an idiot and is talking about the story this whole thread is attached to, like everybody else. That's kind of how it works around here.

Re:Heh.

[oobayly]

Unfortunately the US doesn't have a monopoly on "secret courts". I truly wish it did, but we can't get everything we wish for.

Re:Heh.

[s.petry]

First, thanks for paying attention to which country we are talking about. Congress does not have oversight over the UKs GCHQ.

Second, even if we were talking about the NSA you would be dishonest. Congress has no oversight of FISA rulings, none, zero, zip, nada!

Re:Heh.

[crashcy]

You're not making sense cold. You've been working too hard. Take a break, go home, see your family. There will be plenty more shilling waiting for you tomorrow. Just remember, stick to defending NSA, attacking Snowden. The GCHG has their own man, let them deal with their own PR.

Re:Heh.

[mrbester]

There are secrets courts and secret rulings on UK with regard to security matters. US calls it FISA. We don't have a name for it as the secrecy also encompasses Family Court and super injunctions.

Re:Heh.

[pixelpusher220]

The 'laws' may not be secret, but until very very very recently, the 'interpretation' of the Executive branch as to what those 'public' laws granted them power to do, was quite secret.

Re:Heh.

cold fjord, Ignore them.

Unfortunately we have idiots in the UK too.

Your post is accurate and equally applicable to how things work in the UK.

The trouble is a lot of people don't give a crap about politics until they realise they no longer understand the system they're labouring under.

They then assume that anyone who sounds like they do understand how the system works must be complicit in all that's wrong with the system.

As the system is not to their liking/understanding they then feel it correct to call those who built the system "cunts" and "idiots" which is true... if you realise we live in a democracy and it was their inactivity/disinterest in the system that built it...

Re:Heh.

American version; everyone we kill deserves to die.

Re:Heh.

[Heed00]

They have to know that it's necessary at some level...

If by "it" you mean some sort of surveillance that's targeted, based on suspicion and granted on a case by case basis by an oversight (court, law, etc.) body that's just not a rubber stamp factory, then yes -- but I haven't really seen anyone argue against that, so I don't know where you are getting the notion of a false dichotomy.

Unless by "it" you mean "suspicionless mass surveillance" -- in which case, no, it is not necessary at some level.

Re:Heh.

[oobayly]

Justice and Security Act 2013

Re:Heh.

Unfortunately, as several congressmen have said, their oversight is limited at best. They are shuffled into a room where they are not allowed to take notes in order to review classified documentation and cannot allow their congressional staff to assist them in reviewing or researching.

This is not honest oversight.

Re:Heh.

[cold+fjord]

I hope you aren't taking time away from something useful to post that nonsense.

Re:Heh.

[girlintraining]

with the slight difference that you won't be assured to have a house, a job and food every day.

You need to go back and look at some of the photos of East Germany once the wall came down. Not everyone had a house, a job, and food every day. That's one of the compelling reasons why they kept trying to cross to West Germany; Economic conditions.

Re:Heh.

[cold+fjord]

I am for better oversight by both Parliament and Congress over their respective charges, where needed.

Re:Heh.

[MysteriousPreacher]

Really? So which secret courts in the UK was s.petry referring to? Surely you can point to them? Or could you acknowledge the simple fact that s.petry was going on about the FISA court, yet again?

Europe.... I think I've heard of it.

So if I can't identify a secret court in the UK, this validates your belief that a references to secret courts, in the context of a discussion around British intelligence services, is referring to a US court?

Am I understanding you right? Isn't possible that Petry is wrong about secret courts in the UK, as we do appear to be discussing Britain.

Re:Heh.

[Runaway1956]

They're SECRET, so no, they can't be pointed out. And, assuming that I knew where they were, if I DID point them out to you, I would be charged with treason and worse. Hell - they probably have a daycare center near by, so that exposing the secret court would expose me to pedophilia and child porn charges as well. Which part of the word "SECRET" did you fail to comprehend?

What about you? Can you point out any of the United State's secret courts? Can you name judges, or supply the addresses at which these judges hold court? Can you name the officers of the courts?

There isn't a whole lot that we can be certain of, regarding the intel communities in the US and UK. But one thing you CAN be pretty certain of, is that when one comes up with a trick, the other will be close behind. They SHARE almost everything!!

Re:Heh.

[girlintraining]

I searched high and low in your post for some kind of disagreement. And I'll be damned, but you didn't put any in. You just backfilled what I said in more detail. O__O My tenuous grip on reality might have just slipped a bit more at the notion that this is now four exchanges in, and there's no sign of anything but civilized discourse yet. Quick, make a Hitler reference before I pass out from shock!

Re:Heh.

[s.petry]

What can't you understand in people's responses? Since you can't seem to grasp such a simple concept, here is a link. I never mentioned FISA in my post! The UK has the same (or perhaps worse) "secret" court system.

Re:Heh.

[pixelpusher220]

The problem is when secrecy exceeds its mandate

The problem is that without detailed and extensive oversight of the secrecy, it *will* exceed it's mandate. It's simply human nature.

Re:Heh.

[s.petry]

I responded above, but just to be sure you read it.

Re:Heh.

[cold+fjord]

What about you? Can you point out any of the United State's secret courts? Can you name judges, or supply the addresses at which these judges hold court? Can you name the officers of the courts?

The FISA court is staffed by regular judges from other courts that rotate through it.

Here are 9 of the 11 judges.

Every few months, the FISA judges set aside their regular, public cases, travel to Washington, and take the bench inside a secure, windowless courtroom at 333 Constitution Avenue. Prosecutors and federal agents appear to answer questions about warrants before individual judges, rather than a panel.

Generally, the judges rotate on a week-long schedule. Three judges live in the Washington area and are available for emergencies. FISA judges do not receive extra pay.

Foreign Intelligence Surveillance Court

Re:Heh.

The laws aren't secret, but some of the court decisions have been

Interpretations of law shouldn't be secret either. A law that "convicted murderers shall be imprisoned" sounds pretty tame until you find out that a secret court has a secret interpretation of "anyone who is not a lawyer is a convicted murderer". Obviously that's extreme, but lesser examples would be unjust too.

Re:Heh.

[crashcy]

I suppose no one could ever accuse you of neglecting work to post this nonsense.

Re:Heh.

[s.petry]

Perhaps _you_ are ignorant to the turnings of the world, but don't presume that everyone is ignorant to the turnings of the world. If you only read what I post about the US, you don't bother to read very much of what I post.

Re:Heh.

[s.petry]

Because the link provided to Google search UK Secret courts has nothing to do with the UK? Shake your head really really hard, your thinker is stuck!

Re:Heh.

[s.petry]

Sieg Heil?

Re:Heh.

[houghi]

They were not retained. They were developed individually. That is even scarier.

Also scary is the fact that it crept up and became slowly worse over a period of , say, 50 years. I am afraid that if you want to reverse it in a democratic way, it will take another 50 years. And I have NO idea if it is even possible to put the genie back in the bottle.

When I was 15, I had discussions about what privacy was. We had images of a high political person that would harm his career AND he was not of our political idea. (Nothing illegal, mind you.)
We had serious discussions of whether we should make this knowledge public or not and in the end decided against us.

I am sure todayâ(TM)s youth will have no hesitation of posting this immediately online.

The issue is not so much that we did or did not post it, but that we at least thought about it. Perhaps because we had heard the stories of our parents firsthand. They fought in the was on BOTH sides for whatever reason. The Berlin wall was up. We spoke with people who had fled from Eastern Germany.

History tends to repeat itself. I just never thought it would be so soon.

Re:Heh.

[s.petry]

Are you claiming that giving you links on how to search for "Secret Courts in the UK" only deals with the USA? Are you trying to claim that it is impossible for a person to have knowledge of more than their home country? Are you really trying to claim that a person can have no knowledge of World Politics if they argue local politics?

Obviously all of those claims are false, in addition to being rather delusional.

Re:Heh.

[AmiMoJo]

Read their statement carefully. They say it was "authorized" and "necessary", but not "legal". As recent Snowden leaks have shown they know it isn't legal, but seem to have the support of politicians and the police since there has not been a criminal investigation started.

Re:Heh.

[s.petry]

On a serious note, I mentioned before that I believe we agree on numerous principles. I also think you are either used to people being disagreeable, so jump to a defensive posture quickly during dialogue.

Reading many of your posts, I believe the first to be truthful though admit that we disagree on details. The latter, take for what it's worth. I do the same on occasion, but try to improve my temperament.

Re:Heh.

[girlintraining]

but I haven't really seen anyone argue against that, so I don't know where you are getting the notion of a false dichotomy.

Sometimes in waiting rooms and airports, they have CNN or Fox News on. Sometimes I get trapped in those places and forget to bring my TV-B-Gone. I assure you, it's not intentional... but sometimes you just hear these sorts of things. As I understand it though... a lot of people purposefully watch the "news", and regrettably do not carry covert ways of turning off banks of televisions. I don't really understand it myself, but, I guess watching the "news" is a thing in society.

Re:Heh.

[AmiMoJo]

They have to know that it's necessary at some level, but they reduce this wide breadth of space from no surveillance to police society to a binary.

Ironically the GP didn't make that assumption, you did. He was merely arguing that the current oversight situation is unacceptable, and in particular the fact that both the rules and rulings are secret is problematic.

I see this a lot on Slashdot. No-body assumes any argument they disagree with is rational, and every debate polarizes into people who think the other side are all extremists and morons.

Re:Heh.

[cold+fjord]

If you wanted to convince me that you were informed on this matter at some level you could simply post the name of the court you were referring to if it wasn't the US FISA court. No google links, just a name. You have repeatedly evaded doing that in post after post. What can we conclude from that?

Re:Heh.

[aaaaaaargh!]

You have no idea what you're talking about (at least not this time).

Re:Heh.

[lorinc]

I don't need to go back and look at some photos, I was born there.

Re:Heh.

[green+is+the+enemy]

I'm of the opinion that the fall of the USSR has hurt not just its former citizens, but just about everyone in the world. The loss of ideological competition has opened up the flood gates of corruption in western democracies. The loss of military competition has slowed our scientific progress significantly. Economy-wise we seem to be headed towards something resembling feudalism. How exactly we will dig ourselves out of this I don't know.

Re:Heh.

[interkin3tic]

What irks me is people's reactionary "teh guv'ment's tryin' to take away mah freedomz!" to every discussion presented about government surveillance and/or intelligence activities. They have to know that it's necessary at some level, but they reduce this wide breadth of space from no surveillance to police society to a binary. I don't understand why so many people engage in black and white thinking when the problem so obviously isn't as clear cut as the overwhelmingly vast majority of people argue it is.

I'd suggest the overreaction is caused by the government's actions. Looking at the level of lying going on with NSA, and how many abuses the war on terror has been used to justified, I can't fathom how anyone would make a "lets not throw the baby out with the bathwater." They've justified an overreaction toward the side of freedom rather than security. I think at this point it's only safe to assume the worst of the government.

It seems pretty black and white to them. There seem to be alarmingly few voices inside the government expressing concern over moving to a police state. Those few that do seem to be expelled through groupthink, see Snowden and Manning for examples. Even very high government officials who voiced opposition were subject to backlash. Ashcroft decided stellar wind went too far. Bush sent people to harass him in the hospital trying to get him to cave. The attorney general, they did this to. And Bush went around him anyway. There seems to be no line the government isn't willing to cross.

Partisan politics as of late have also convinced me that the only way to fight determined zealots is with equally determination in the opposite direction. When you try to be reasonable with such stubbornness, you don't arrive at a middle ground that's a good balance for all, you end up being pushed backwards more and more. So if the government is willing to go full throttle towards police state, the only response is for us to go full throttle... whatever the opposite is. No state secrets. Ever. Oh, that will potentially endanger people? I'm dubious. There's two giant oceans between us and most people who would harm us, we have enough military might to literally kill everyone on earth, and anyone who would attack us is too dumb to cause any real damage. Moreover, we've faced bigger threats before without spying on everyone. You can't tell me we need the NSA spy program to defeat a bunch of islamic cultists but we DIDN'T need it to defeat the Nazis or get through the Cold War.

Even if it does endanger some people, I can live with that on my conscience better than I can live with allowing big brother to develop.

Re:Heh.

[s.petry]

There was no evasion, that is you imagining things. Numerous people have responded that there are secret courts in the UK just like FISA in the US, and you choose to ignore them. I gave you a link so that you could do some research, and you ignore that too.

The only evasion going on is _you_ evading reality. I also find it amusing how numerous people have told you that secret courts in the UK are legit, and now you imagine that I created dozens of sock puppets to point out a fact which is easily verifiable.

Miss some medication today? Or perhaps you are not a shill and reality is starting to cause cognitive dissonance.

Re:Heh.

[s.petry]

They are not named oh "thee of great ignorance!" They are simply called "Secret Courts" in the UK and they deal with many areas that the US FISA does not. Such as family issues where family members have been placed into custody "for their own protection" against their own, family, and doctor recommendations.

And no, "thee of great ignorance" is not and ad hominem, it's a well earned title!

Re:Heh.

[Heed00]

The Snidey McSniderson tone aside

...but sometimes you just hear these sorts of things.

Sometimes? What happened to, "every discussion" and "so many people" and "the overwhelmingly vast majority of people argue"? No doubt someone can be trotted out to say something stupid from time to time, but that's different than saying an entire debate is stifled because it's being forced into a false dichotomy. Or that the regular discourse position is centered around a false dichotomy.

Re:Heh.

[onyxruby]

The thing is they are likely exactly correct about that. The thing go to do is to change the framework that guided the behavior to begin with. The only way to do that is to have a clearly defined right to privacy. Now the Fourth Amendment can be argued as granting the right to privacy, unfortunately it isn't that clear cut.

The second thing you have to do is put in another amendment that says the plain language of the constitution means what it says. Words like "Shall" and "Shall Not" mean what the dictionary says and get rid of the tens of thousands of loopholes that have already been drilled into the Constitution over the years. You see those loopholes set precedent that make any kind of right to privacy worth about as much as your right to free speech or to bear arms.

Until you create a clear Constitutional limit that "you shall not cross" and start doing things like removing the ambiguity from words like "shall" there is no legal standard to use as a hammer. That means the constitutional framework that might be used to stop this kind of thing is riddled with loopholes. Legislatures are very skilled at exploiting these loopholes to do end runs around Constitutional rights. That means your framework that could stop this kind of thing is worthless.

Want to stop this kind of thing from happening? Demand the removal of Constitutional ambiguity and embrace Constitutional constructionism.

Re:Heh.

'... They have to know that it's necessary at some level...'

This is where your opinion and mine differ. Secrecy at any level is not necessary. It is built upon fear. Freedom is built upon love.

Re:Heh.

[intermodal]

The corruption in western democracies is nothing new. We've had it for many decades, they just haven't had a specific enemy to aim it at in quite a while.

The loss of ideological competition is only a bad thing if you consider all ideologies to be of equivalent value to each other. Communism (or Stalinism, or Leninism, &c., take your pick) has proved itself exceptionally dangerous in more than one case, with Stalin's slaughter of countless Soviet citizens, Pol Pot's merciless regime which made it clear that the people were nothing but slaves to the state, and the North Korean rule's results for the North Koreans.

I look forward to the day when we can find a large, powerful nation to try freedom again. I bet they'd really piss off the United States and the European Union as those two march ever further into the realm of gigantic government and their citizens into government dependency.

Re:Heh.

Come on mate. Is it worth it? We all know cold fjord so there's no public record you need to set. You're just feeding a troll.

Re:Heh.

Man, I'm not sure what's wrong with you but you just need to calm down a bit and reread the comments here. s.petry was pretty clearly talking about secret courts in the UK (whether they actually exist or not is irrelevant). Now maybe you posted in reply to him as a pure reaction to seeing 'secret courts' in his post thinking he was talking about the well known secret courts in the US. However, it has been pointed out to you that this was not what he was talking about and you could have simply said 'oops sorry, wrong country' and moved on with the rest if your day. Instead you are insisting that s.petry was talking about the US while every single other poster around you was pretty clear that he was talking about the UK.

Re:Heh.

BUUUUUUUURRRNNN!!!!!!

Re:Heh.

The other posters were clear that he was posting in a story about the UK. I'm pretty sure they didn't know what was in s.petry's head. If he was posting about courts that don't exist that would be nonsense, don't you think? He keeps posting the same nonsense in other stories. I see another post in this story where he is referring to CIA. Should we assume he intended to type MI6 because it is in a story about the UK? I see another person referring to Nancy Pelosi. Should we assume that is a reference to the Ed Miliband?

Re:Heh.

[girlintraining]

I'd suggest the overreaction is caused by the government's actions.

Going crazy because everyone else did is not the most productive thing to do.

I think at this point it's only safe to assume the worst of the government.

For select versions of "safe", I suppose. But I reiterate my previous point: Going crazy never helps.

It seems pretty black and white to them. There seem to be alarmingly few voices inside the government expressing concern over moving to a police state.

It's not their job. It's up to our elected officials to express concern (or not). Their job is to impliment what the elected officials collectively decide is the course of action to take.

Partisan politics as of late have also convinced me that the only way to fight determined zealots is with equally determination in the opposite direction.

You cannot beat violence with violence. That's how the cycle of violence is born, until it deteriorates into a situation where people have forgotten how the fight started, and they're just responding to attacks, without thought of an exit strategy.

Even if it does endanger some people, I can live with that on my conscience better than I can live with allowing big brother to develop.

I'm sorry, but when terrorists run into our cafes and blow people up to make them part of his/her political statement, we shouldn't respond by running into theirs and doing the same. You don't get to endanger the life and well-being of someone for political reasons. Ever. Period. The. Fucking. End. That's terrorism, and as a society we've said no to that.

There are other, better ways to fight back. Martin Luther King. Ghandi. Students for Democratic Society (before the FBI decided to incite some of them to terrorism and then, surprise!, come in and discredit them). The list goes on. We do not abandon our principles in the face of overwhelming opposition; We must fight back with democracy. We must demand it. And if we don't get it, then we stop contributing. No more taxes. No more working. Steal food, shutter the factories, block up the roads, and grind the entire establishment to a halt until we get truly free elections again, until we can freely assemble without government thugs surrounding us, or watching us through hidden or not so hidden cameras and microphones. We need to organize, as a people, in every community, city, state, county, and we just need to push and push until we get what we bargained for: A democratic society, with human rights, and human dignity.

But we do not get that through violence. Violence is the last resort. It will always ever be in my book. Until someone pulls out a gun, or a tank, or an aircraft carrier, and points it at me and tries to kill me for excercising my human rights, then I will not cross that line. Not once. Not a little. No. Period. But god help them if they cross the line.

The last defense of our freedom is violence. The last. We don't do it because it'd be easier, or because we're angry, or because we're feeling righteous. We do it only when our back is to the wall. When there is no other option and violence is imminent. Then, and only then, as an act of self-defense, do we fight.

Ever always we must show restraint, cool reasoning, and hold to our principles. You cannot beat the police state by going all Rambo on it. That's surrendering. Hell, that's worse than surrendering -- it's abandoning your own principles. Run if you have to, you can't win every fight. But don't just heave the helve in after the hatchet. Fuck...

Re:Heh.

[Nex]

Actually, ColdFjord's first reply was informative and unemotional, and had more worth that twenty posters hurling insults. Nex

Re:Heh.

Gracious and wise words indeed. TY.

Re:Heh.

[mrbester]

THE Ed Miliband? Heaven forfend there should be more than one of them...

Re:Heh.

[Actually,+I+do+RTFA]

If by "it" you mean some sort of surveillance that's targeted, based on suspicion and granted on a case by case basis by an oversight (court, law, etc.) body that's just not a rubber stamp factory, then yes -- but I haven't really seen anyone argue against that

That seems to be exactly the case in the LavaBit matter. Cops asked for a free look, were told "get a warrant" and then did. Yet everyone seems to think that Lavabit was somehow unfairly burdened.

Re:Heh.

[occasional_dabbler]

We most definitely do have secret courts. The first result on the LMGTFY page had this chilling sentence:

Claimants may not, therefore, be aware of all the allegations made against them

The USA might be up to it's neck in this shit, it's still standing on the UK's shoulders.

Re:Heh.

Why don't you go back to your little catholic, spanish tyranny where you come from, Mr SHILL.

Re:Heh.

Secret courts are from that nice catholic tradition of the Spanish court which you anglosaxons cherish so much. Yeah, that's irony.

Re:Heh.

They did have a house and food, every single one. They also had a job and if they did not show up, police would throw them into jail. If they talked agains the system, the Stasi would question them. Not like the West, were they set up honey-traps and dog attacks for you and your freedom.

Re:Heh.

[Heed00]

You're being disingenuous.

They weren't behaving in a way that could be described as "targeted" when they asked for Lavabit's encryption keys. IIRC, Lavabit did comply with some previous requests that were targeted to individual users -- but the case that led to them shutting down was for blanket access. Retroactive blanket access.

Furthermore, "based on suspicion" and "case by case" fall by the wayside when asking for blanket access, too. And of course the whole issue of "not rubber stamp oversight" isn't met either.

So, they were doing none of what I suggested and what you quoted -- very far from "exactly the case."

Re:Heh.

when the belgians shoot a v2 missile onto london, it is certainly a british problem of not building a massive bunker over the entirety of britain.

Re:Heh.

girlintraining talking shit? Never!

Re:Heh.

It's funny to see people finally realize that the world we're headed to is very similar to that of East Germany, with the slight difference that you won't be assured to have a house, a job and food every day. Probably these points were not among the good things to retain from the Commies, whereas global surveillance was.

What part of the States do you people live in? Things are pretty good where I live (Colorado)... Nobody is being rounded up by the secret police, nobody is starving in the streets, most people are able to make an honest living. For me and everyone I know, we live our lives without having a single interaction with State, Federal, or local government except for things like taxes and licenses... Nobody's freedom being infringed on. I travel around the States a lot, too, and see the same picture. Sure, we aren't a perfect country, but East Germany? Srsly?

Re:Heh.

[magic+maverick+]

In none of the ancestor posts is the USA mentioned. Considering that the entire thread is about a British agency, for you to bring up the USA and related things (Congress etc.), suggests you're a fucking stupid idiot. If you are talking about another post, well, I can't be bothered replying to all your posts to insult you. Just the occasional one.

As for wit, I think I may have mentioned before: I'm not interesting in having an argument with you. Basically, I am happy to insult you. Also: I take to heart the comment about arguing with fools. I don't want you to drag me down to your level and then beat me with your experience. ^_^

Cheers.

Re:Heh.

What the UK has is a law that allows courts to keep specific matters secret, not secret courts. That isn't new even if the scope is widened.

Re:Heh.

Indeed Mr SHITBALL. When Lavabit did not immediately turn over Mr Snowden's emails the govbernment demanded ALL emails of ALL users. In short, if you make any problems, the Spanish Inquisition is invoked.

That's equal to the principle "he did not stop immediately, so he gunned him down with our MP5s. He has now 25 bullets in what's left of his brain, but its all his own fault !".

Re:Heh.

[cheekyjohnson]

Nobody's freedom being infringed on.

Really? We have free speech zones, the NSA, the TSA, constitution-free zones, and a host of other nonsense. Just because you don't notice it, that doesn't mean your freedoms aren't under attack; they are.

Re:Heh.

Partisan politics as of late have also convinced me that the only way to fight determined zealots is with equally determination in the opposite direction. When you try to be reasonable with such stubbornness, you don't arrive at a middle ground that's a good balance for all, you end up being pushed backwards more and more.

This hits the core of the issue.

Re:Heh.

girlintraining likes to bait people into arguments, and he was surprised that you did not start one with him about it. So he then tried to goad you again by making the subtle jab about your post parroting his.
Notice that the post he replied to was talking about a secret court, but in his reply he's not talking about secret courts at all- he's talking about things like sealed records, gag orders, and closed proceedings.
He then adds a little extra bait by making some vague generalizations about people who oppose government snooping.

But in case you really do care, girly boy, the answer is simple- there are in reality two discussions. The first is whether or not the government should be snooping (and how much), the second is whether or not they should be able to use secret laws and courts for that, or anything else.

Re:Heh.

[crimson+tsunami]

Rubbish
There is no mention of the US before your sycophantic ravings introduced it.

Re:Heh.

[crimson+tsunami]

"Secret courts" refers to courts that are secret, no more, no less.
With your "America Fuck Yea!" attitude you have mistakenly believed the world and any discussion about said world revolves around you, it does not.

Re:Heh.

proportionate,

The GCHQ surely sees numerous Man-in-the-sandwich attacks on the Belgian porn they capture via observing the web traffic of the local council representatives all over the island. Therefore, proportionate.

Re:Heh.

[interkin3tic]

When I said push back with equal determination in the opposite direction, I didn't mean violence. I meant go to extremes in the state secrets vs no secrets spectrum. I'm arguing there should be no secrets "to protect security" or anything else. The danger I was referring to is our "enemies" catching wind of our methods of detecting terrorists and avoiding them. I'm saying I'd rather risk that scenario than risk too many secrets and spying. Not "lets kill people to oppose the police state" or "lets rebel." Absolutely no Rambo here.

Re:Heh.

[NoImNotNineVolt]

I looked very carefully. You posted in reply to s.petry, who didn't mention anything about the US. s.petry in turn was posting in reply to girlintraining, who also didn't mention anything about the US. Perhaps you can help us by linking to this "post about a US thing" that you were supposedly answering, because it seems to have eluded Slashdot's message threading.

Also, this is a bit off topic, but I can't help but bring it up. You come across as an asshat. If this isn't intentional, then I highly recommend you work on your interpersonal skills. If it is intentional, then congratulations on a job while done.

Re:Heh.

[NoImNotNineVolt]

Well done! Job well done! Ah, serves me right :P

Re:Heh.

Girlintraining posted about the Stasi. S.petry followed with a typical FISA court rant, of which there have been plenty on Slashdot. FISA isn't a UK institution. Maybe you should read more of his posts in the thread. If he was referring to a British institution he should have been able to immediately answer what it was, but he doesn't. Instead he evades, dodges, and calls names. The man is a 9/11 "truther," and often posts nonsense. Is it really too much to ask for a direct answer or reference?

Why don't you take a look at this thread.

Re:Heh.

Considering that the entire thread is about a British agency...

Lets test that. Here is the post from the head of the thread:

The Stasi said the same thing in East Germany. But that's circular logic: We're authorized to do this because we authorized it.

Hmmm, didn't realize that the Stasi was a British agency.

Also: I take to heart the comment about arguing with fools. I don't want you to drag me down to your level and then beat me with your experience

You appear to be what that wisdom is warning against. You are already at that level, as noted by your statement: "I'm not interesting in having an argument with you. Basically, I am happy to insult you. "

Ta Ta!

Re:Heh.

Your post seems to provide evidence that more than one ass can post in a thread.

Re:Heh.

[Actually,+I+do+RTFA]

IIRC, Lavabit did comply with some previous requests that were targeted to individual users -- but the case that led to them shutting down was for blanket access.

Then we have a disagreement on fact.

I would agree that that government was out of bounds in your version of facts.

However, my understanding is LavaBit rejected a warrant-less targeted request, and refused to reply to the warrant with the same targeted request. It was only after the gv't took them to court that they even offered to comply: 2 months after each e-mail was sent. They claimed that they lacked the technology to provide faster access to the gv't. So the gv't asked for the keys to implement their own solution.

In my understanding, the private keys were a natural outgrowth of pretty nasty failure to comply - or even proactively sue to quash the warrant or something of that nature.

https?

So, when is Slashdot going to turn on https and stop the attack vector?

Re:https?

LOL it's MIM that is not going to save you!

Re:https?

[Gravis+Zero]

So, when is Slashdot going to turn on https and stop the attack vector?

the real question is when will the internet switch to an uncompromised encryption scheme.

Re:https?

[Nerdfest]

If you use Linux, it's actually quite easy to turn on DNSSEC, which I assume would help mitigate this problem.

Re:https?

[ledow]

When they enable IPv6 and stop publishing IPv6 stories, most probably.

Re:https?

[smash]

Nah, the real question is when more than 1% of the internet's user base give a shit enough to be concerned enough to even consider whether or not the remote site they are talking to is trustworthy. Let's start with trying to stop them from opening attachments first, then we'll worry about solving global surveillance issues, eh? Baby steps.

Re:https?

[ColdWetDog]

No need. All you have to do is insert some unicode in your post or response. If it renders correctly either 1) Hell just froze over or 2) You've been pawned.

Re:https?

You'd need https (with certificate monitoring through a trusted 3rd party not using the CA system). DNSSEC would also help. Though neither fixes the issue when everything is compromised from day 0 - and I'm assuming that key exchange and crypto are perfect and uncompromisable.

With perfect crypto you can only communicate safely to person's you have verified personally and exchanged key information personally. If you haven't do that, then everything else can be MiTM.

This is why the Red Line between Moscow and Washington used a OTP. It is perfect and uncompromisable and only susceptible to DoS, and nothing else.. Yet, quite useless for the way people use crypto.

Re:https?

[girlintraining]

2) You've been pawned.

1.e4 e5
2.Bc4 Nf6
3.d3 c6
4.Bg5 h6
5.Bxf6 Qxf
6 6.Nc3 b5
7.Bb3 a5
8.a3 Bc5
9.Nf3 d6
10.Qd2 Be6
11.Bxe6 fxe6
12.O-O g5
13.h3 Nd7
14.Nh2 h5
15.g3 Ke7
16.Kg2 d5
17.f3 Nf8
18.Ne2 Ng6
19.c3 Rag8
20.d4 Bb6
21.dxe5 Qxe5
22.Nd4 Kd7
23.Rae1 h4
24.Qf2 Bc7
25.Ne2 hxg3
26.Qxg3 Qxg3+
27.Nxg3 Nf4+
28.Kh1 Rxh3
29.Rg1 Rxh2+

You were saying?

Re:https?

[Flere+Imsaho]

You think https is secure? How cute.
https://www.grc.com/fingerprints.htm

Re:https?

"the real question is when will the world switch to uncompromised Government."

Fixed that for you.

Re:https?

just wait a bit. anger is a great driver of production, especially when germans are angry.

Hey, GCHQ

[Heed00]

Fuck the fuck off!

Re:Hey, GCHQ

Ya ya silly buggers, have ya stopped G4S (Wackenhutt) from wiring up mics and datahubs at the gchq Cheltenham digs yet?!? methinks snot.

One more thing, for the record, fix the glitched-up National Police Software, coz the israelis and the yanks backdoored it before Miller sold it to Commishhhhh Blair!

Oh, that reminds me of another thing, ya know, they say you lot are the Britishit version of NSA, well, are ya?
If yuz is, ya better be cutting off the SiSense PRISM, coz its an israeli operation.
sort yurselves out!

Re:Hey, GCHQ

We have just added you to each of our 257 kill-by-drone-prospects-databases. You are obviously a TERROORRRRRRISSST!

Swearing at the overlord is apostasy !!!!!

And we review your mobile movements to set up a nasty surprise for you.

More information on the Belgacom hack

More information on the Belgacom hack.

lol fags

"we have no comment to confirm or deny the shit we did"

Really? British intelligence went after slashdot?

[damn_registrars]

I have a hard time believing that someone convinced them this site was worthwhile. Was this just some kind of training exercise for them, to make sure that they could handle the traffic volume from a dying site before they go and try to intercept traffic from one that is relevant?

Successful counter-troll

employees who [...] spent significant amounts of time on LinkedIn and Slashdot.

We all knew what they were doing. Thanks GCHQ for cleaning up our comments section!

Fire

[Nerdfest]

I detect the odour burning trousers.

No comment

[PPH]

'We have no comment to make on this particular story.' It added: 'All GCHQ's work is carried out ....

Sure looks like a comment to me.

Re:Really? British intelligence went after slashdo

[drinkypoo]

I have a hard time believing that someone convinced them this site was worthwhile.

That's because you're letting your ego get in the way. This isn't about you. This is about one or more specific targets that they believed or suspected were slashdot users.

Re:Really? British intelligence went after slashdo

[Captain+Hook]

Really? British intelligence went after slashdot?

No, the target were Belgium Telco workers.

GCHQ needed a way to insert malicous scripts on the workers PC in order to gain a foothold on the Belgium Telcoms networks. The way they did that was to run a man-in-the-middle attack on the sites that those workers were going to visit.

Comment removed

[account_deleted]

Comment removed based on user account deletion

What legal framework?

All GCHQ's work is carried out in accordance with a strict legal and policy framework

The Mafia also operates in accordance with a strict internal policy framework. It still doesn't make it right.

Ultimately it's up to the people to control their respective governments. If a democratically elected government carries out activities that are only legal within their own policy, yet immoral by other standards, the people themselves are responsible for these actions.

Time For https:\\slashdot.org

If https://slashdot.org worked, then a MITM would not.

Re:Time For https:\\slashdot.org

[smash]

Where does the certificate come from? And if you are MITM'd by someone who owns your CA, how do you know that the certificate being presented is valid? HTTPS in this instance would have made precisely fuck all difference. HTTPS in it's current implementation will stop maybe script kiddies and the average phisher. not state-sponsored attacks.

Re:Time For https:\\slashdot.org

How clueless!

Re:Time For https:\\slashdot.org

[Charliemopps]

You're assuming that:
a. The user would even notice that the cert had changed (very doubtful)
b. That the cert changed at all...
c. That the cert authorities aren't compromised
d. That the encryption algorithm isn't compromised
e. The users OS isn't compromised already

All pretty big stretches... but given what we've seen so far maybe not... The biggest revelation we've had with regard to all of this is how far they will go to get the job done. The answer to that appears to be "As far as they need to" which leads us to "What's the first thing you would do to circumvent internet security if you had unlimited resources and the belief that you were in the right? The answers to that is simple, subvert the cert authorities. In fact, I would be surprised if we eventually find out that at least some of them are even owned outright by the NSA. It seems outlandish, but so far just about everything they've done has sounded outlandish up until the day we find out about it.

Re:Time For https:\\slashdot.org

[heypete]

Browsers like Chrome can come with cert data for major sites pre-pinned, so as to prevent MITMs even using certs from trusted CAs. Firefox users can use something like Cert Patrol to detect unexpected changes in certificates. The use of HTTPS would prevent malicious packets from being inserted into the data stream (encrypted data is MACed to ensure integrity).

It'd be quite unlikely for nobody to notice an unusual certificate change, particularly if expected cert changes were publicly announced through some other medium (e.g. other forums, Twitter, etc.). It's not perfect, of course, but it raises the bar considerably and would make any such attacks publicly visible.

Re:Time For https:\\slashdot.org

[smash]

If the spy has a copy of your site's SSL certificate, you're still screwed. As I suspect the NSA can/does do.

Re:Really? British intelligence went after slashdo

[s.petry]

I have a hard time believing that someone convinced them this site was worthwhile. Was this just some kind of training exercise for them, to make sure that they could handle the traffic volume from a dying site before they go and try to intercept traffic from one that is relevant?

Sites like Slashdot and Reddit are very legit targets. If you want to measure public opinion you actually need sites like this. I'm sure that they also scan forums on intellectual sites like Science, etc... How do you know how to spin things, or continue to spin things, if you don't know how much information the public has.

Do I think they use it to track individual users? I have no evidence of this, but that does not mean it does not happen. If we can't see what they do I have no trust in them. If they are capable of what we "know", they are capable of attempting to silence critics.

thats a relief.

[nimbius]

for a minute there I thought america was the only country that invented a secret court to grant secret warrants to undisclosed agencies seeking to wiretap undisclosed targets.
turns out now that everything you did to slashdot is "legal" we can move on to more pressing issues like when are we getting more Doctor Who? I feel like personally thats the only way i could ever call the whole 'we have no respect for the internet' thing squaresies

British Intelligence Responds?

[korbulon]

"We have no comment to make on this particular story."

How is this a response?

Re:British Intelligence Responds?

[Joining+Yet+Again]

Assuming this isn't a hoax, feathers successfully ruffled.

How often does GCHQ make an official statement in response to some random guys on the Internet claiming that they overstepped their bounds? It's surely not setting a precedent, so why has it respnded to this one?

["no comment"]
[junior PR flunky boilerplate sounding like it's from a FTSE 100 corp.]

Re:British Intelligence Responds?

[smash]

Of course it is a response. "Yes, we received your message".

Re:British Intelligence Responds?

oi, you twat, git fokt!
listen `ere you horrible bugger,
the israelis run prism.

Re:British Intelligence Responds?

My goodness, you seem an IRAte type, shame about those jEUROCRATS, the ECB, and the EU-version of COINTELPRO...
Honestly, old chap, what is your problem with the Israeli IT-domination scheme? It all seems legit and above-board, so kindly shove off slashdot with your anti-scimitaric drivel.
Don`t take it the wrong way, it`s only that slashdot is now a properly AIPAC-affiliated propaganda vehicle, and you cannot possible comment on behalf of the entire MOD, or (the lobby would) can you?

Re:British Intelligence Responds?

[ledow]

Er... it hasn't.

It's responded with "No Comment" like it has for just about every media outlet that has ever asked it.

It might even be legally bound to reply to "press enquiries", in whatever form. I'm pretty sure if I wrote them a letter, they would reply. Most likely with a similar response.

Just because they're spies does not mean they don't have a press office and/or a secretary who just fobs off anyone who asks. Hell, you can get replies from Santa if you post them in a Royal Mail postbox (even if you don't address the letter, but just put "To Santa" and have a return address!).

A response means nothing. The response given means nothing (it literally means "I have received your letter. I have no response").

Call me back when there's a story.

Re:British Intelligence Responds?

[Joining+Yet+Again]

I think I misread as GCHQ randomly responding to the article, but it could have been responding to an RFI.

Re:British Intelligence Responds?

"We have no comment to make on this particular story."

How is this a response?

Urquhart's motto - "You might think that, I couldn't possibly comment" http://www.youtube.com/watch?v=Oz8RjPAD2Jk

Re:British Intelligence Responds?

I'm pretty sure if I wrote them a letter, they would reply. Most likely with a similar response.

And you'd have a flag raised against your name.

The British are a joke.

There is no more British "empire".

The UK economy is in the toilet.

The UK weather sucks.

Go ahead and tap my communications, you sorry pale faced
warm beer drinking bad toothed pieces of subhuman shit.

I could care less.

Re:The British are a joke.

We gifted you a language and you can't even learn to use it properly, you poor excuse for a sub-human.

It's "I could NOT care less". No, don't reply with a retro-argued usage, the phrase is "I could not care less". Any attempt to explain how using a phrase that means the opposite is somehow correct just shows you are unable to either understand your mistake, or take responsibility for it.

Fucking colonials.

Re:The British are a joke.

Well our empire lasted longer than yours did you inbred merkin.

Re:The British are a joke.

We gifted you a language and you can't even learn to use it properly.

And if the US had not given you aid under the Marshall Plan, you'd be well versed in German
grammar, you sorry little cunt.

Re:The British are a joke.

I could care less.

Well then, why don't you?

Re:The British are a joke.

Maybe, and you know what, so would you. You sat on the side lines for 2 years letting people die because you're a bunch of pussies.

Holy fuck

Fuck the UK.

Re:Holy fuck

Fuck the UK.

The english are best at fucking themselves quite good.
Let's keep the good part, Scotland in the EU and toss away the putrid rest.

Re:Holy fuck

[gmhowell]

Fuck the UK.

The english are best at fucking themselves quite good.
Let's keep the good part, Scotland in the EU and toss away the putrid rest.

Don't you have Greece to fulfill the mandatory level of sheep fuckers required in the EU?

strict legal and policy framework

[sl4shd0rk]

I'm very glad they have this in place. Just knowing they are policing themselves with laws made to fit within the policies they've made up makes me feel so much better now. I'll never have to worrry about privacy again.

Re:strict legal and policy framework

[Virtucon]

Yes we can all feel safer that there's checks and balances to ensure that we don't do bad things.

Re: Self contradiction

The law says "to modify a computer or it's content without the owners knowledge or consent" is a virus, which is illegal, which is what they are doing, which they say is legal.
It's fine if a judge has agreed to issue a warrant to tap someone's communication when there is reasonable suspicion of illegal activity, but to just spy wholesale on people without any kind of checks or measures is counter to the laws of this country for which the perpetrators should be held to account.

They're not authorized to do it

Except they're not authorized or legal.

The "authorised, necessary and proportionate" is to imply that its legal under RIPA surveillance warrants, which let them grab bulk foreign data (not British data as they've been doing, and not sending out malware to hack computers as they've been doing).

So no, its not legal, not at all.

Re:Odour Burning Trousers

[Nerdfest]

Actually, yeah ... that would be handy quite a frequently. I was going to say that I should patent it, but I think I've actually seen them.

Re:Really? British intelligence went after slashdo

yes but that was because the Belgians are future-lookers, and there were plans afoot to abandon the yank/israeli/britishit GSM (Global{poor}StandardMobile), and implement faster,cleaner systems, with....wait for it............
much better privacy!
mysteries abound!

and YESYES, of course theyre on /. most of the commentators these days are either industry reps, lobby-types, or "intel" buffoons!

the real story here is that there are PEOPLE everywhere who are fed up with the PRISM israeli operation. it is simply a violation of national integrity to have those outlandish types riddling the apparati and the bureaucracys

Re:Really? British intelligence went after slashdo

[cold+fjord]

If we can't see what they do I have no trust in them.

If you can see what they do then so can the people they are trying to spy on. That is self-defeating.

If they are capable of what we "know", they are capable of attempting to silence critics.

"Capable of" and "intend to" are completely different questions, as well as matters of legal interest.

Better than what I thought

British Intelligence Responds:

"Yeah baby! Shall we shag now or shag later?!"

Translation

[twmcneil]

"Yeah, we hacked your shit. Now GFO."

Re:Translation

Don't worry your little fluffy heads about this, everything is all for the best. By the way your IP addresses have being retained for further investigation.

Try Tor and exclude US/US friendly exit nodes

[i_want_you_to_throw_]

With all the uproar over US spying, you could always use a Tor solution that excludes US and US intelligence friendly exit nodes. PAPARouter (disclaimer: my company) is a router that has Tor in it and US and US friendly exit nodes are excluded (US, UK, Australia, New Zealand and all Commonwealth countries) by default. Anonymize several devices just hooking to the wireless access point. (Or build your own Onion-Pi from Adafruit and save a couple of bucks)

Journalism on Slashdot!

[HalAtWork]

Very nice to see!

we have never cooperated...

we have never cooperated with any government agency

What they mean to say is, "We have never cooperated with any government agency, unless compelled by law, or because the FBI asked nicely while threatening to throw us in jail, and even if we did cooperate, we aren't allowed to reveal that we did, and even if we are allowed to reveal that we did, we wouldn't because that would make us look bad."

Re:we have never cooperated...

[Hartree]

Actually what they meant to say was: "The NSA pays AT&T and others millions every year for data, and the GCHQ didn't even offer us a damn dime! Wankers."

ive never had an account here

but i post and lurk for many moons

i just want to tell the fraud commiting gchq spys that we already knew all about it
we mitm -ed you while we were getting mitm-ed by you
your mom told me that you liked a reach-around
congrats on your excelent job well done!
stop hiding behind your mommys skirts and come out into the light
  i feel free but its not because of ANYTHING you or your ilk have EVER done
you guys are seriously worse in my eyes than al -queada
you have no honor

What is the meaning of "garbaging"?

[sirwired]

From TFS: "However, the story has been slightly garbaged into it being fake [LinkedIn and Slashdot] accounts, as opposed to network spoofing."

What on earth is "garbaging"? I always thought "garbage" was a noun. "Verb-ing" nouns is a time-honored tradition, but there are plenty of perfectly good verbs that would have worked here (mangled is the first that comes to mind) without devising a new one that is confusing, at best, in this context.

A quick googling does reveal garbaging as a verb, but in contexts that actually make sense. (Spreading garbage on somebody's lawn (Urban Dictionary), or something to do with garbage collection (various technical sites.))

Re:What is the meaning of "garbaging"?

Uninformed WAG here.
I think the GCHQ intended to write "rubbished", but thought it needed to be translated into American.

What qualifies as legal

GCHQ says everything they do is in 'accordance with a strict legal and policy framework'.
NSA probably has similar bounds, but these separate bounds may leave an interesting hole.

Not sure if this is what happened, but
if GCHQ did this at the request of NSA to watch somebody that was out of bounds for NSA, is this considered fair game?

Perhaps the bounds for NSA should prevent asking others to do things they are prevented from doing themselves.
Partaking of forbidden fruit has historically not been ok just because somebody else picked it from the tree.

Re:What qualifies as legal

:"if GCHQ did this at the request of NSA to watch somebody that was out of bounds for NSA, is this considered fair game?"

No, it's not, actually. NSA is prohibited by law from using second party nations (or anyone else) to collect information it couldn't collect on its own. Now, this doesn't matter to people who (erroneously) believe NSA ignores the law anyway, but what you describe is strictly and explicitly prohibited. And if anyone is paying attention, the whole reason this sort of thing occurs is to target FOREIGN intelligence targets of the US (or UK, etc.), which is what our foreign intelligence agencies are SUPPOSED to do.

Re:What qualifies as legal

Thanks for the answer. The law permits no bounds extension on the collection of domestic information through friends.

So do the laws say the GCHQ can watch US citizens and the NSA can watch Brits, but they can't swap the information?
If so, is it legal for the GCHQ to talk about US domestics, but not legal for the NSA to listen or act on the information?
If so, these are an interesting set of ground rules.

It appears that the NSA wants to only do things enabled by a legal theory that says it's legal
This is certainly not ignoring the law, but there is room for public debate on the legal theories.

For those paying attention, you say 'this sort of thing occurs'. Which sort of thing?

Re:Really? British intelligence went after slashdo

[damn_registrars]

I have a hard time believing that someone convinced them this site was worthwhile.

That's because you're letting your ego get in the way. This isn't about you.

I don't for a moment suspect this is about me. I'm incredibly uninteresting in pretty much every conceivable metric. My argument is that there are so few slashdot users at this point that the likelihood of anyone on here being worthwhile is remote at best.

This is about one or more specific targets that they believed or suspected were slashdot users.

I would think they'd have better luck on 4chan.

Sure thing

[X.25]

Of course, they haven't broken any/all the laws, because some secret people in secret room said so.

Laws only apply to "other people", obviously.

Re:Sure thing

[Hartree]

Oh no. They haven't broken any laws, not only because secret people in a secret room said so, but also because highly public people in both the administration and on both sides of the aisle in congress very publicly said they didn't.

Whether they did or not.

Re:Really? British intelligence went after slashdo

[damn_registrars]

If you want to measure public opinion you actually need sites like this.

This site skews so hard to the right that they'd be just as well off scanning an NRA forum. Saying that it accurately gauges public opinion on a whole is laughable.

How do you know how to spin things, or continue to spin things, if you don't know how much information the public has.

This site would show a lot of how little some vocal subset of the public has. As far as representing a cross-section of the public as a whole it is pretty near useless.

Re:Really? British intelligence went after slashdo

[s.petry]

If we can't see what they do I have no trust in them.

If you can see what they do then so can the people they are trying to spy on. That is self-defeating.

Wrong, simply wrong. 20 years ago a warrant was required. We did not need to know the target name, but could see the judges name that signed the warrant and the agency or office name associated with the wiretap. Most importantly we could see and scrutinize the compelling arguments for the warrant. Without giving up agent names, this allowed oversight. Judge A approving every warrant would have been questionable, and probably removed from the bench. Judge B that had approvals and denials would still not be off the hook, but we could see what was being done without the detail that would have jeopardized officers.

Today, there is no oversight. Looking at a nearly rubber stamp approval without knowing judges names, or having power to remove them from the bench, what can the public do? Nothing, obviously. The only thing we have is overall request and approval numbers. Maybe every single request submitted is valid, maybe not. We don't see the compelling arguments for warrants, we just know that 99.99% of them are approved. Knowing the numbers of approved does not allow oversight.

If they are capable of what we "know", they are capable of attempting to silence critics.

"Capable of" and "intend to" are completely different questions, as well as matters of legal interest.

Nice word twisting, let me rephrase more carefully. "We know some of the illegal activities that the Government has been involved in, acting in secrecy. There is no reason to assume that they are not acting in other illegal ways. The only way to clear them is to open everything up."

Re:Really? British intelligence went after slashdo

The following is from the Virginia Fusion Center 2009 Terrorism Threat Assessment found on wikileaks here:
http://wikileaks.org/wiki/2009_Virginia_Terrorism_Threat_Assessment,_Mar_2009

Pg. 45
Anonymous
"A "loose coalition of Internet denizens", Anonymous consists largely of users from multiple internet
sites such as 4chan, 711chan, 420chan, Something Awful, Fark, Encyclopedia Dramatica,
Slashdot, IRC channels, and YouTube. Other social networking sites are also utilized to mobilize
physical protests. Anonymous has no leader and is reliant on the collective power of individuals
acting in such a way that benefits the movement..."

Geek sites have been on LEA, and intelligence agencies radars for quite a while. Snowden himself was a comment contributor to Ars Technica. If you were an IA involved in counter-espionage, you might set up fake site to see if you could catch a potential leaker by infecting his computer with spyware. I'm guessing there's probably at least a few /. posters that could conceivably have enough governmental security clearance, or even just access to confidential corporate information that would make them attractive targets to foreign or domestic spys.

Re:Really? British intelligence went after slashdo

[s.petry]

This site skews so hard to the right that they'd be just as well off scanning an NRA forum. Saying that it accurately gauges public opinion on a whole is laughable.

I never claimed that this site was the whole of the public, take my generalization "sites" very literally. The generalization should have been obvious due to listing other potential sites to target.

Hey GHCQ

[Khyber]

I made a lot of the technology your horticultural sector needs to stay alive (and even got on the BBC for it so you know I'm not fucking joking.) Don't piss me off or you'll find the British Pound suddenly worth as much as a Zimbabwe dollar.

Backdoors and insurance. Much like Edward Snowden, I always carry a trump card or ten.

Game on, you fuckin' wankers.

paid trolls for industry and government post on /.

[Rujiel]

Where have you been? Just go into amy thread about Edward Snowden or assange.. or global warming, even. The phrases to watch out for are "narcissist" and "al gore", respectively

Executive summary

We did nothing illegal. Everything we do is legal. If something happened to actually be illegal, we just write retrospective laws to make it legal.

We need a test!

[slashmydots]

How do I know I'm on the real Slashdot right now then? Quick, someone post something snarky and bitch about Microsoft or I'll assume this is a fake.

Re:We need a test!

This is Slashdot, and yet you didn't spell Micro$oft with a dollar sign.

SPAI!

SAPPIN' MAH SLASHDOT!

Fuck these spooks

Encrypt the data, encrypt the transport, do a proper exchange and suck my average-sized, middle-aged, white, geek cock.

Re:Really? British intelligence went after slashdo

[Princeofcups]

That's because you're letting your ego get in the way. This isn't about you. This is about one or more specific targets that they believed or suspected were slashdot users.

We're probably not talking about people with their fingers on the detonators of bombs. More likely people who criticize certain people in power, you know, common slashdot conversations. Maybe it's MY ego getting in the way, but slashdot more and more is becoming the modern Federalist Papers, and that has to be of concern to the powers at be.

Suggestions to fight back - here are some

[burni2]

Hi,

the main problem is that anybody entering slashdot.org in the addressbar expects to get the data slashdot sends,
but as this MIM attack has shown, this data can be altered even for hand picked connections, these attacks were discussed in the past.

So we have a key problem here:

data transmission is compromised (yes even now it is compromised, because european traffic travels over great britian)
- by this compromise I cannot authentificate that slashdot.org data is really displayed to me (I cannot authentificate that I really communicate with /.)
- by this compromise I cannot authentificate that the data displayed doesn't contain an additional payload

the "solutions" in place to this day are

"https" - is compromised
this will display a warning if the certificate does not match the domain, this solution however is compromised today, because if
you have access to the private key you can fake the data as it is not encrypted. The private key exists in two places /. and the CA

Also your browser needs to be supplied with valid certificates (public keys) however if you take a look at what CAs issue these trustworthy keys
you could leaving your door wide open won't matter.

Also if the ssl cipher used is rc4, well you don't even need to know the private key you just crack the communication.

"VPN" - compromised
- needs a CA infrastructure
- cisco

The solution to this problem are the tor hidden services, /. needs to start a hidden service

pro
1.) the communication is authentificated, as long as /. does not give their XD48484jdd.onion key out of their hands (vs. NSL)
2.) MIM attacks are possible but are extremly complicated
3.) the communication is end-to-end encrypted

Please /. just start a hidden service, and annoy those GCHQ guys.

Re:Suggestions to fight back - here are some

[Tynin]

Great post, great suggestion!

Re:Suggestions to fight back - here are some

[tokencode]

The REAL problem is that Slashdot along with other websites such as SourceForge are owned by Dice Holdings Inc. which trades on the NYSE. They are bound by US law and have no choice but to comply. Fighting this is not advantageous to their shareholders. Whatever your work-around is, they will be compelled to implement another way. The only safe assumption is that everything they own is compromised in some way.

Re:Suggestions to fight back - here are some

[Greyfox]

Does that really buy you anything, though? Seems to me anyone able to force access to an SSL private key would also be able to gain access to any other encryption key with a similar warrant. IIRC, the CA doesn't hold your private key and only signs your public one.

In the event someone comes to you with a warrant demanding access to your private keys, your only two options as an operator are to comply or shut down. In the later case, you'll probably also be facing contempt of court charges. So at any point there is probably no way to verify that the operator on the other side of that connection isn't running with a gun to his head. He would also have no way to legally inform you that his keys have been compromised.

In which country do you live ?

[burni2]

- US . so NSLs apply to you

- can you authentificate yourself, that you are not one of the bad guys ?

not speaking to the real issue

[SethJohnson]

Trainee-

You are an apologist for an overreach of which you don't seem to fully comprehend or appreciate.

In the early days of these Snowden releases, Senator Nancy Pelosi represented your perspective. She downplayed the NSA programs saying there was full Congressional oversight and she had been aware of them through her briefings and they were ok.

Every week she was asked by reporters, "Did you know about such-and-such, and did you approve of it?" Early on she answered "Yes" to these queries. But somewhere along the way before it was revealed the NSA had tapped Angela Merkel's personal cellphone, Senator Pelosi realized there was a lot she didn't know about. The NSA had played her and her peers for fools. Now Senator Pelosi doesn't field those questions from reporters about oversight and what she had approved.

I predict as you learn more about the activities and programs of the NSA, you'll change your tune as well.

Re:Really? British intelligence went after slashdo

If they can MiTM the targets, then they certainly knew they were Slashdot users.

Re:Really? British intelligence went after slashdo

You of all people should know that intelligence analysis cares more about capability than intent. If they're not capable, you don't need to give a damn about intent.

Oh the secretary of state

Thats makes everything ok then.

It is binary.

Your first paragraph is divorced from the rest of post in content. I agree there are some things that should be kept secret: Names of undercover police, new weapon technologies we don't want potential enemies to have access to, and very little else. That's all well and good. But surveillance of citizenry is whole other ball of wax.

What irks me is people's reactionary "teh guv'ment's tryin' to take away mah freedomz!" to every discussion presented about government surveillance and/or intelligence activities. They have to know that it's necessary at some level,

No, it isn't.

The US has a constitution that states the conditions under which search and seizure can legally happen. Anything outside of that, to a US citizen, in the country or while abroad is unnecessary and illegal.

The EU has S17 and S18 that define a bar of "reasonable suspicion" that needs to be meet before a search can be made. Anything the UK does to a citizen of the EU, in the country or while abroad is unnecessary and illegal.

If you have evidence of a crime or reasonable suspicion, get a specific warrant from a normal court. Simple as that.

Espionage is covered under treaties. What is permissible and what constitutes an act of war is defined, but unfortunately not very clearly and not in a very enforceable manner.

[T]hey reduce this wide breadth of space from no surveillance to police society to a binary.

In regards to spying on its own citizens, it is binary. It's either legal, or it isn't. Is there some state of "sort of legal" that I'm aware?

Internationally, it is binary... Either it starts a war, or it doesn't.

  I don't understand why so many people engage in black and white thinking when the problem so obviously isn't as clear cut as the overwhelmingly vast majority of people argue it is.

[T]here's perfectly good discussion not happening because everyone flung themselves to the polar extremes. Why?

Can you name an instance where it legal in either US or EU law, to bulk collect the phone records of citzens without specific warrant?
Can you name an instance where it legal to perpetrate a blanket/mass MITM attack against your own nation under US or EU law?

The Lesson Learned

[scrabbleship]

Always use a VPN when you regularly use internet that isn't yours. If you don't, you are essentially handing over your right to privacy.

British Intelligence

There's an Oxymoron if ever I saw one.

That aside, GCHQ and the UK government, however delusional they wish to believe they are, are not above the law.

The Real Villains are Not NSA and MI6

[Steve1991]

Why is everyone so worried about NSA and MI6? Chances are the stuff you post publicly would be enough to send a squad of soldiers to your door if the government was so inclined.

The real problem is the private parties that plant malware on your computer or hack sites to get passwords and credit card numbers. And encryption isn't worth much. I read an article about someone who had a huge hash table and just used a brute force approach to generate passwords and see what matched the hash table. Pass phrases? He just pulled clumps of text out of common books. At the end he had about a billion hashes. His purpose was to decrypt a huge cache of leaked e-mails, but you can see how bad guys could exploit the technique. If they have the hashing algorithm and the hash table, making your personal password more secure is like hiding under a desk during a bank robbery and hoping they don't find you.

So what to do? Well, we could absolutely prohibit private monitoring of any computer, prohibit emplacement of software on any computer without specific permission of the user, prohibit possession of SSN's and credit card numbers without specific and narrowly drafted authorization. We could require O/S's to allow blocking of all external software installation. We could require computers to keep software in separate read-only memory, and I mean ONLY - make it physically impossible to write to that space from the CPU.

And while we do have laws that do some of those things, they're full of back doors and exceptions. Not mandated by the NSA. No, mandated by advertisers and software vendors. How can they see if you're using a paid version if they can't get into your computer? How can they gather those precious demographics without installing stuff on your computer? How can they tell if you're running AdBlock? How can they feed you those popups? These are the people who are keeping computers insecure and vulnerable to exploits, not the NSA. For all the hoo-hah over the NSA, nobody has really been able to produce a real victim, but millions of people are victims of identity theft every year, thanks to the built-in vulnerabilities mandated by advertisers and vendors.

Re:The Real Villains are Not NSA and MI6

Why don't you Shills stay under your respective rock ? All your claims are designed to whitewash out-of-control government agencies who would make the Spanish Inquisition jealous. What if all those allegedly commercially-motivated security problems are actually the result of NSLs ?

What if we learn the C language and Unix have been Defective By Government Design ? After all, AT&T was a government branch when they invented it. Some smart Admiral must have thought "all those nasty 8-bit computers can do more than SIGABA, and we cannot break that one. We must find a way to make these things insecure ! Let's start by destroying Fortran and Algol commercially, both are way too secure. Start by giving away a shite language and an OS written in the shite language. Subsidize away the proper stuff and replace it by the C cancer".

They now call it the "Cyber Warfare Domain". Now, muppets, whatabout "military intelligence being an oxymoron" ? I say these guys are smarter than everybody else 99% of the time.

Captcha: Muslin. WTF ?

Re:The Real Villains are Not NSA and MI6

[Pav]

Power attracts psychopaths. Policing/spying/enforcement done "by the book" is frustrating and difficult - psychopaths get frustrated and either overstep and get caught, or leave for greener pastures. Making enforcement easier corrupts the very agencies we want to empower. Imagine if we elected leaders with dictatorial powers - sure, they'd be more empowered to act in our interest... but...

Re:The Real Villains are Not NSA and MI6

[Pherdnut]

Uh... the NSA HAS been so inclined. Lots of protesters getting accused of terrorism in recent years. We've got three kids in Chicago that have been in jail since the NATO summit. It took several months for the actual charges to be brought against them. They can do that now. Throw you in jail with no charges and come up with 'em later. If they follow the usual pattern, they'll drop the charges in a year or two when absolutely everybody has stopped paying attention. I'm not some Occupy kid. The police reaction to the protests was downright spooky. That the NSA was involved in a domestic affair is deeply disturbing.

Re:Really? British intelligence went after slashdo

[Flere+Imsaho]

You do see the occasional call-to-arms when slashdotters feel outraged by the latest Snowden NSA reveal. Hell, I've made a few when feeling particularly keyboard-warriorish.

I wonder if the NSA takes interest in this site because of those?

Can anyone tell them apart?

[pupsocket]

GCHQ and NSA. Are they identical twins, or do they have some secret weapon that makes everyone see double when they look?

Re:Can anyone tell them apart?

[stiggle]

GCHQ is based in a donut and work around tea.
NSA is based in a shiny box and work around coffee.

GCHQ has invented some good stuff (like PKI - but they didn't tell anyone about it until the papers were declassified) http://cryptome.org/ukpk-alt.htm

Most peculiar

[pupsocket]

GCHG is a British thing. i.e. not much oversight from US branches of government.

Mr. Snowden worked for United States agencies only, yet he is the one disclosing this "retail" operation.

Plus, this sort of operation is "out of character" for the United Kingdom.

Is it remotely possible that the two countries do each others' dirty work, especially in cases one might have an advantage in avoiding oversight?

Re:Most peculiar

[MysteriousPreacher]

Sure. I'd say the NSA and GCHQ are engaged in an Atlantic-wide reach around. It's really not oversight - more some League of Doom thing done out of sight of their respective parents.

man?

I think the phrase man in the middle is sexist. Woman can load malware onto computers too.

Lost in Translation

[CanHasDIY]

FTFY:

'All GCHQ's [hereby referred to as "we" and "us"] work is carried out in accordance with a strict legal and policy framework [we come up with on the fly] which ensure that our activities are authorised [by us], necessary and proportionate [to us], and that there is rigorous oversight [by people who work for us], including from the Secretary of State [who also works for us], the Interception and Intelligence Services Commissioners [yup, us again!] and the Intelligence and Security Committee [figured it out yet?].'

COUNTERMEASURE

1. Yeah, it's kind of spamming on my side
2. It's for a good purpose
3. You get the sourde code
4. It's German-only at this point. Look at the pictures and use google translate.
5. It's effective in defeating all the Government Malware and Dragnet interception stuff at a systematic level

Here: http://scherbius2014.de/

The death of morality

[Taco+Cowboy]

... All GCHQ's work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight ...

Maybe in strict legal terms, what GCHQ has done, including the man-in-the-middle attack spoofing Slashdot's webpages to inject malwares to the intended (and/or unintended) victims, is Kosher, the official reply from GCHQ is but another confirmation that Morality Is Dead, for the regime holding power over many of those so-called "Democratic Nations"

I am no sociologist, so I do not know where the failure lies - it could be democracy itself, it could be society, it could be education, it could even be "trendy" - but...
 
... at the end of the day, when Morality dies, anything goes

What is more shocking is that, if the government is immoral, how long do you expect their subjects (the people, that is) to remain upright morally ?

Government (and/or regimes) are like parents.

If the parents are crooked, don't expect the children to be straight.

Re:The death of morality

[Mister+Liberty]

You are so right my friend.

I've watched and read your comments here, and you're nail on the head every time.
The problem of course is: how to create that groundswell. Peronally I'm in it even
for the sheer hate towards the smug degenerates that populate the 'ruling' class.

I for one would like to see some bodies hang from trees.

Re:The death of morality

[uninformedLuddite]

I would mod this up to +1000 if I had the points

Re:The death of morality

[cwsumner]

Governments have no Morality, only people can have Morality.

The Government is not your parents, much as some people spend their lives looking for replacement parents. It is more like the slave master, willing to take care of you for your whole life because they own you.

Governments are necessary to keep criminals away (including criminal governments), but it is like keeping a dog in the back yard to ward off robbers. You don't want the dog ruling the house.

You need a revolution periodically. Democracy with elections is a way of having a revolution without killing a lot of people.

Don't trust anyone who says they want to "take care of you" !

Re:The death of morality

[Pherdnut]

My vote's on corporations being allowed to buy votes with impunity, when what they and their lobbyists minions really deserve is to be drawn and quartered. I may not be entirely objective on the issue but I think that may have something to do with years of frustration of watching joe public getting beaten with a carrot and told to eat the stick and liking it.

Re: The death of morality

Good post!!!!

Re:Really? British intelligence went after slashdo

[Nyder]

I have a hard time believing that someone convinced them this site was worthwhile.

That's because you're letting your ego get in the way. This isn't about you. This is about one or more specific targets that they believed or suspected were slashdot users.

They were after me. Unfortunately for them I run with an adblocker & I'm in good standing with slashdot that I can turn my ads off.

Stupid Brits.

 

Just got invalid cert doing this post

Continuing anyway.

Two points.

APT is NSA.
Need alternative to CAs.

Context is everything....

Imagine the community's attitude/comments towards this story if the article started out with:

"The GCHQ agency, Britain's equivalent of the National Security Agency, "

vs.

"The GCHQ agency, Britain's intelligence agency"

I sure the comments would be very different. Great way to craft a message /.

Reminded me of...

Muir: Troy, do you remember when we could tell the good guys from the bad guys?