British Intelligence Responds To Slashdot About Man-in-Middle Attack

← Back to Stories (view on slashdot.org)

British Intelligence Responds To Slashdot About Man-in-Middle Attack

Posted by samzenpus on Monday November 11, 2013 @03:24AM from the what-do-you-have-to-say dept.

Nerval's Lobster writes "The GCHQ agency, Britain's equivalent of the National Security Agency, reportedly used fake LinkedIn and Slashdot pages to load malware onto computers at Belgian telecommunications firm Belgacom. In an emailed statement to Slashdot, the GCHQ's Press and Media Affairs Office wrote: 'We have no comment to make on this particular story.' It added: 'All GCHQ's work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Intelligence and Security Committee.' Meanwhile, LinkedIn's representatives suggested they had no knowledge of the reported hack. 'We have read the same stories, and we want to clarify that we have never cooperated with any government agency,' a spokesperson from the social network wrote in an email to Slashdot, 'nor do we have any knowledge, with regard to these actions, and to date, we have not detected any of the spoofing activity that is being reported.' An IT security expert with extensive knowledge of government intelligence operations, but no direct insight into the GCHQ, hypothesized to Slashdot that carrying out a man-in-the-middle attack was well within the capabilities of British intelligence agencies, but that such a 'retail' operation also seemed somewhat out of character. 'Based on what we know they've done, they are doing industrialized, large scale traffic sweeping and net hacking,' he said. 'They operate a wholesale, with statistical techniques. By "statistical" I mean that they send something that may or may not work.' With that in mind, he added, it's plausible that the GCHQ has software that operates in a similar manner to the NSA's EGOTISTICAL GIRAFFE, and used it to redirect Belgacom employees to a fake download. 'However, the story has been slightly garbaged into it being fake [LinkedIn and Slashdot] accounts, as opposed to network spoofing.'" Update: You can read the official statement from Slashdot's parent company, Dice Holdings, here on our blog.

50 of 256 comments (clear)

Min score:

Reason:

Sort:

First Spoof by anagama · 2013-11-11 03:28 · Score: 3, Funny

First Spoof.
Though this is no laughing matter.

--
What changed under Obama? Nothing Good
@slashdot: use https per default! by Anonymous Coward · 2013-11-11 03:28 · Score: 3, Insightful

That would make MIM attacks much more difficult
1. Re: @slashdot: use https per default! by Antony+T+Curtis · 2013-11-11 03:38 · Score: 4, Interesting
  
  Using HTTPS is not the solution when the only thing people see is that some trusted certificate was used. If a trusted Certificate Authority was compromised or issued `fake' certificates for government spy agencies, the target wouldn't know that a MITM attack has occurred because the little green icon is showing just fine.
  However, if we had something like a GPG content encoding, if the site hasn't already been trusted by the user, red flags will immediately be showing.
  Like as like not, with the proliferation of CAs which exist, MITM attacks are easier than ever because people have been conditioned to trust HTTPS.
  
  --
  No sig. Move along - nothing to see here.
2. Re: @slashdot: use https per default! by heypete · 2013-11-11 03:50 · Score: 4, Insightful
  
  True, but it would prevent the insertion of malicious packets (the "Quantum Insert" technique they describe in the various articles). Invalid SSL/TLS packets would simply be discarded and it would not be possible to insert malicious packets into the encrypted, MACed datastream.
  Yes, MITM would be possible but Slashdot could implement certificate pinning (either through having browsers like Chrome have the cert details baked-in, or having users use something like Cert Patrol for Firefox) to make this harder. It's not foolproof, but it would certainly make this type of attack considerably more difficult and easier to detect.
3. Re: @slashdot: use https per default! by smash · 2013-11-11 03:54 · Score: 2
  
  out-of-band, self signed certs for the win!
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
4. Re: @slashdot: use https per default! by Antony+T+Curtis · 2013-11-11 04:08 · Score: 3, Interesting
  
  Although I like where your head is, wouldn't the CPU power required to do on-the-fly GPG decoding of content be prohibitive? Or am I misunderstanding the proposed solution?
  A large amount of the content on the internet is static. The static assets can be stored on the disk, already signed. This has the added advantage that HTTPS cannot provide: The static assets are cacheable and they are tamper-proof, should the server be compromised.
  When it comes to dynamic content, one can 'cheat' a little by reusing the same session key for the same connection. The startup cost is not much different than existing HTTPS which uses DH for key exchange.
  It's not going to be much slower than what we have today with HTTPS for interactive sites, where humans are the slow link in the chain.
  
  --
  No sig. Move along - nothing to see here.
5. Re: @slashdot: use https per default! by yakatz · 2013-11-11 04:35 · Score: 3, Interesting
  
  Google Chrome supports certificate pinning so you can't go to a site if the certificate used does not match the known one on the list compiled into the browser, which sort-of solves the wrongly issued certificate problem.
  RFC 6844 has a proposed DNS type for verifying the proper certificate was served (requires DNSSEC to make sure the DNS was not tampered with).
6. Re: @slashdot: use https per default! by Culture20 · 2013-11-11 05:06 · Score: 2
  
  make the CA and its fingerprint known to everyone.
  What out of band method do you propose to do that? Word of mouth? TV? Radio? Postcards? Flashing circuit boards magnetically attached around Boston? Facebook?
7. Re: @slashdot: use https per default! by dgatwood · 2013-11-11 05:26 · Score: 5, Interesting
  
  The problem is that certificates change regularly. What you really want is public key pinning, where you are warned if the public key changes, without regard to what CA signed it—not just the key fingerprint, either—the entire key. After all, you have the server's public key. Why would you ever start trusting a different public key for the same server?
  AFAICT, there are only two valid to reasons rekey a server: if the key gets compromised (which, being a serious security problem, should be publicly disclosed on your server in some way) or because you're upgrading to a larger key. In the latter case, you should ideally sign the new key with the old key so that it is verifiable, and the browser should ignore that the old key is not trusted for key signing when it is only being used as a secondary signature for verifying a key change.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
8. Re: @slashdot: use https per default! by Andy+Dodd · 2013-11-11 06:21 · Score: 5, Insightful
  
  In addition to this, if you recall some of the recent Lavabit disclosures, we know that large Internet companies have been forced to provide their private SSL certs via secret court orders.
  If the NSA/GCHQ have a site's private certs, they can MITM you without you knowing.
  
  --
  retrorocket.o not found, launch anyway?
9. Re: @slashdot: use https per default! by IamTheRealMike · 2013-11-11 12:26 · Score: 3, Interesting
  
  Yes, indeed. This meme that SSL is broken or useless is very damaging and needs to end.
  The fact is that despite all the handwaving and noise, nobody has yet presented proof that a CA has been subverted by intelligence agencies, let alone knowingly. It's certainly possible that this has happened and one may think it is even likely, but in the absence of any proof it's hard to credibly argue the entire system is hosed.
  The difficulty of course is finding such a proof. If a CA was found to have been routinely issuing certificates to intelligence agencies, it's very very likely that browser makers would revoke that CA and destroy the business. Their written policies are quite clear on this point and do not make governments special, that's why GoDaddy revoked LavaBit's SSL cert after learning the private key had been disclosed to the FBI. So far we don't have any evidence that the NSA or GCHQ were willing to risk destruction of a civilian business in order to reach one of their targets - though I guess there are still plenty of Snowden disclosures to come.
  But even if there have been such certs issued, SSL is not useless. Firstly, it raises the complexity a lot. And secondly, there are initiatives underway to prevent subversion even by multi-billion-dollar intelligence agencies. For example the certificate transparency initiative is intending to upgrade the certificate format to contain a proof of inclusion in a public log. Browsers will start requiring the presence of these proofs in future, and thus it will no longer be possible to issue secret SSL certs that nobody can see except the victim. This is a large, complex upgrade of a massive infrastructure so it will take years, but eventually this system will raise the bar for SSL attackers to the point where they will either have to give up, or actually pass new laws that formally subvert SSL to the will of governments (at which point of course it does not matter if they are detected and there is no need to compromise CA's).
  Which will happen is an open question at this point. However, Slashdot should get its ass into gear and switch on SSL and HSTS by default. Saying it's an option for logged in users just isn't good enough, especially when that option is so well buried I can't actually find it! SSL all the time should be the default, these days, there's just no reason not to anymore.
Heh. by girlintraining · 2013-11-11 03:31 · Score: 5, Insightful

All GCHQ's work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight
The Stasi said the same thing in East Germany. But that's circular logic: We're authorized to do this because we authorized it.

--
#fuckbeta #iamslashdot #dicemustdie
1. Re:Heh. by s.petry · 2013-11-11 03:40 · Score: 5, Insightful
  
  The Stasi said the same thing in East Germany. But that's circular logic: We're authorized to do this because we authorized it.
  Exactly! They claim that they use laws to control what they snoop, and have oversight. When the laws are "secret", the courts are "secret", and the oversight is internal how much should we trust them? None at all!
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
2. Re:Heh. by cold+fjord · 2013-11-11 03:45 · Score: 3
  
  I expect that it was the People's Chamber, or "Volkskammer*," that granted the Stasi it's authority to spy.
  In the UK it would be up to the democratically elected Parliament to pass legislation authorizing GCHQ's work.
  * To an English speaking ear that is oddly similar to Volks hammer or people's hammer. Oddly appropriate in reference to the Stasi which combined both surveillance and repression. I think I would also stay away from any "People's Courts."
  
  --
  much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
3. Re:Heh. by lorinc · 2013-11-11 03:55 · Score: 5, Interesting
  
  It's funny to see people finally realize that the world we're headed to is very similar to that of East Germany, with the slight difference that you won't be assured to have a house, a job and food every day. Probably these points were not among the good things to retain from the Commies, whereas global surveillance was.
  
  --
  Video of some good progressive thrash music
4. Re:Heh. by girlintraining · 2013-11-11 04:04 · Score: 3, Interesting
  
  Exactly! They claim that they use laws to control what they snoop, and have oversight. When the laws are "secret", the courts are "secret", and the oversight is internal how much should we trust them? None at all!
  Not necessarily. Some things need to be secret. When we put spies on trial, we shouldn't showcase all the classified documents they stole for public inspection. It's evidence, but it's secret evidence -- and the sensitive nature of the documents is sufficient justification for doing so. The problem is not secrecy, anymore than keeping your password secret is a security vulnerability. The problem is when secrecy exceeds its mandate; when it crosses a line from matters of true national security to matters that are politically embarassing or unpopular. And as we can see in contemporary society, that line seems to be quite muddled.
  What irks me is people's reactionary "teh guv'ment's tryin' to take away mah freedomz!" to every discussion presented about government surveillance and/or intelligence activities. They have to know that it's necessary at some level, but they reduce this wide breadth of space from no surveillance to police society to a binary. I don't understand why so many people engage in black and white thinking when the problem so obviously isn't as clear cut as the overwhelmingly vast majority of people argue it is.
  I mean, the government's using circular logic, and that's wrong. But the people raging against it are using equally broken logic. And there's perfectly good discussion not happening because everyone flung themselves to the polar extremes. Why?
  
  --
  #fuckbeta #iamslashdot #dicemustdie
5. Re:Heh. by MysteriousPreacher · 2013-11-11 04:05 · Score: 3, Insightful
  
  The laws aren't secret, but some of the court decisions have been, and even some of those are being declassified. The courts use ordinary judges that rotate in from other courts, the courts aren't secret, but the warrants are. The oversight comes from Congress, the courts, and the executive branch.
  GCHG is a British thing. i.e. not much oversight from US branches of government.
  
  --
  -- Using the preview button since 2005
6. Re:Heh. by girlintraining · 2013-11-11 04:24 · Score: 2
  
  If you look very carefully, you might avoid looking like a total moron on your rebuttal. The OP never mentioned the United States. The article is about the Brisih. The OP mentioned the courts. The British, unless something has gone terribly wrong in London very recently, still have courts. They wear wigs and robes, and that's worth a chuckle, but the courts are still a very real thing. We inherited them from the British, warts and all. And believe me, the common law system... is a very. big. wart.
  
  --
  #fuckbeta #iamslashdot #dicemustdie
7. Re:Heh. by crashcy · 2013-11-11 04:25 · Score: 3, Insightful
  
  cold fjord is rushing so quickly to defend the NSA that he no longer waits for them to be mentioned. Think he gets overtime?
8. Re:Heh. by s.petry · 2013-11-11 04:26 · Score: 4, Insightful
  
  I never mentioned "secrets", like your example of trial evidence, I said "secret" as in know outside knowledge of ruling/decision. If the rulings are all secret, oversight is impossible. It's not just the US FISA courts that make "secret" rulings, but the UK has numerous secret courts as well.
  We have had a similar discussion before. I _agree_ that some things should not be public knowledge. Plans for making weapons, locations of CIA houses, lists of operative names, etc.. are all fine to be restricted from the public. We don't need those to be available to have discussion on mass surveillance. The public should be aware of the Government plans to scoop all data from everyone everywhere using ever possible means including those that are considered illegal by their respective countries laws.
  For example, if you start dumping all of the traffic from a site you could (and perhaps would depending on the target) go to jail based on numerous wiretapping laws related to computers. The list of laws is extensive, I'll suggest you get a book on CEH, CISSP, etc.. that explain those all of those laws. If the Government is going to break all of those laws, that should be a matter of public knowledge and debate. Not the agents names, and maybe not even the agency doing the work. The actions are what is important.
  
  I mean, the government's using circular logic, and that's wrong. But the people raging against it are using equally broken logic. And there's perfectly good discussion not happening because everyone flung themselves to the polar extremes. Why?
  I don't agree with there only being two extremes, and I don't agree that the majority of the discussion about mass surveillance is using broken logic. Most of the discussion against it has been using law which is not circular. The Government debate for mass surveillance is mostly that they don't have to follow the law, which is also not circular logic.
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
9. Re:Heh. by oobayly · 2013-11-11 04:30 · Score: 2
  
  Unfortunately the US doesn't have a monopoly on "secret courts". I truly wish it did, but we can't get everything we wish for.
10. Re:Heh. by s.petry · 2013-11-11 04:30 · Score: 2
  
  First, thanks for paying attention to which country we are talking about. Congress does not have oversight over the UKs GCHQ.
  Second, even if we were talking about the NSA you would be dishonest. Congress has no oversight of FISA rulings, none, zero, zip, nada!
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
11. Re:Heh. by mrbester · 2013-11-11 04:31 · Score: 2
  
  There are secrets courts and secret rulings on UK with regard to security matters. US calls it FISA. We don't have a name for it as the secrecy also encompasses Family Court and super injunctions.
  
  --
  "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
12. Re:Heh. by Heed00 · 2013-11-11 04:38 · Score: 4, Insightful
  
  They have to know that it's necessary at some level...
  If by "it" you mean some sort of surveillance that's targeted, based on suspicion and granted on a case by case basis by an oversight (court, law, etc.) body that's just not a rubber stamp factory, then yes -- but I haven't really seen anyone argue against that, so I don't know where you are getting the notion of a false dichotomy.
  
  Unless by "it" you mean "suspicionless mass surveillance" -- in which case, no, it is not necessary at some level.
  
  --
  Thought thinks itself.
13. Re:Heh. by pixelpusher220 · 2013-11-11 05:06 · Score: 2
  
  The problem is when secrecy exceeds its mandate
  The problem is that without detailed and extensive oversight of the secrecy, it *will* exceed it's mandate. It's simply human nature.
  
  --
  People in cars cause accidents....accidents in cars cause people :-D
14. Re:Heh. by cold+fjord · 2013-11-11 05:10 · Score: 2
  
  What about you? Can you point out any of the United State's secret courts? Can you name judges, or supply the addresses at which these judges hold court? Can you name the officers of the courts?
  The FISA court is staffed by regular judges from other courts that rotate through it.
  Here are 9 of the 11 judges.
  
  Every few months, the FISA judges set aside their regular, public cases, travel to Washington, and take the bench inside a secure, windowless courtroom at 333 Constitution Avenue. Prosecutors and federal agents appear to answer questions about warrants before individual judges, rather than a panel.
  Generally, the judges rotate on a week-long schedule. Three judges live in the Washington area and are available for emergencies. FISA judges do not receive extra pay.
  Foreign Intelligence Surveillance Court
  
  --
  much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
15. Re:Heh. by AmiMoJo · 2013-11-11 05:48 · Score: 3, Informative
  
  Read their statement carefully. They say it was "authorized" and "necessary", but not "legal". As recent Snowden leaks have shown they know it isn't legal, but seem to have the support of politicians and the police since there has not been a criminal investigation started.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
16. Re:Heh. by lorinc · 2013-11-11 06:25 · Score: 3, Insightful
  
  I don't need to go back and look at some photos, I was born there.
  
  --
  Video of some good progressive thrash music
17. Re:Heh. by interkin3tic · 2013-11-11 06:28 · Score: 4, Insightful
  
  What irks me is people's reactionary "teh guv'ment's tryin' to take away mah freedomz!" to every discussion presented about government surveillance and/or intelligence activities. They have to know that it's necessary at some level, but they reduce this wide breadth of space from no surveillance to police society to a binary. I don't understand why so many people engage in black and white thinking when the problem so obviously isn't as clear cut as the overwhelmingly vast majority of people argue it is.
  I'd suggest the overreaction is caused by the government's actions. Looking at the level of lying going on with NSA, and how many abuses the war on terror has been used to justified, I can't fathom how anyone would make a "lets not throw the baby out with the bathwater." They've justified an overreaction toward the side of freedom rather than security. I think at this point it's only safe to assume the worst of the government.
  
  It seems pretty black and white to them. There seem to be alarmingly few voices inside the government expressing concern over moving to a police state. Those few that do seem to be expelled through groupthink, see Snowden and Manning for examples. Even very high government officials who voiced opposition were subject to backlash. Ashcroft decided stellar wind went too far. Bush sent people to harass him in the hospital trying to get him to cave. The attorney general, they did this to. And Bush went around him anyway. There seems to be no line the government isn't willing to cross.
  
  Partisan politics as of late have also convinced me that the only way to fight determined zealots is with equally determination in the opposite direction. When you try to be reasonable with such stubbornness, you don't arrive at a middle ground that's a good balance for all, you end up being pushed backwards more and more. So if the government is willing to go full throttle towards police state, the only response is for us to go full throttle... whatever the opposite is. No state secrets. Ever. Oh, that will potentially endanger people? I'm dubious. There's two giant oceans between us and most people who would harm us, we have enough military might to literally kill everyone on earth, and anyone who would attack us is too dumb to cause any real damage. Moreover, we've faced bigger threats before without spying on everyone. You can't tell me we need the NSA spy program to defeat a bunch of islamic cultists but we DIDN'T need it to defeat the Nazis or get through the Cold War.
  
  Even if it does endanger some people, I can live with that on my conscience better than I can live with allowing big brother to develop.
18. Re:Heh. by cheekyjohnson · 2013-11-11 11:16 · Score: 2
  
  Nobody's freedom being infringed on.
  Really? We have free speech zones, the NSA, the TSA, constitution-free zones, and a host of other nonsense. Just because you don't notice it, that doesn't mean your freedoms aren't under attack; they are.
  
  --
  Filthy, filthy copyrapists!
https? by Anonymous Coward · 2013-11-11 03:33 · Score: 5, Insightful

So, when is Slashdot going to turn on https and stop the attack vector?
1. Re:https? by Gravis+Zero · 2013-11-11 03:52 · Score: 4, Insightful
  
  So, when is Slashdot going to turn on https and stop the attack vector?
  the real question is when will the internet switch to an uncompromised encryption scheme.
  
  --
  Anons need not reply. Questions end with a question mark.
2. Re:https? by ledow · 2013-11-11 03:58 · Score: 3, Insightful
  
  When they enable IPv6 and stop publishing IPv6 stories, most probably.
3. Re:https? by smash · 2013-11-11 04:00 · Score: 2
  
  Nah, the real question is when more than 1% of the internet's user base give a shit enough to be concerned enough to even consider whether or not the remote site they are talking to is trustworthy. Let's start with trying to stop them from opening attachments first, then we'll worry about solving global surveillance issues, eh? Baby steps.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
4. Re:https? by ColdWetDog · 2013-11-11 04:10 · Score: 4, Insightful
  
  No need. All you have to do is insert some unicode in your post or response. If it renders correctly either 1) Hell just froze over or 2) You've been pawned.
  
  --
  Faster! Faster! Faster would be better!
5. Re:https? by girlintraining · 2013-11-11 04:30 · Score: 3, Funny
  
  2) You've been pawned.
  1.e4 e5
  2.Bc4 Nf6
  3.d3 c6
  4.Bg5 h6
  5.Bxf6 Qxf
  6 6.Nc3 b5
  7.Bb3 a5
  8.a3 Bc5
  9.Nf3 d6
  10.Qd2 Be6
  11.Bxe6 fxe6
  12.O-O g5
  13.h3 Nd7
  14.Nh2 h5
  15.g3 Ke7
  16.Kg2 d5
  17.f3 Nf8
  18.Ne2 Ng6
  19.c3 Rag8
  20.d4 Bb6
  21.dxe5 Qxe5
  22.Nd4 Kd7
  23.Rae1 h4
  24.Qf2 Bc7
  25.Ne2 hxg3
  26.Qxg3 Qxg3+
  27.Nxg3 Nf4+
  28.Kh1 Rxh3
  29.Rg1 Rxh2+
  You were saying?
  
  --
  #fuckbeta #iamslashdot #dicemustdie
Really? British intelligence went after slashdot? by damn_registrars · 2013-11-11 03:37 · Score: 3, Funny

I have a hard time believing that someone convinced them this site was worthwhile. Was this just some kind of training exercise for them, to make sure that they could handle the traffic volume from a dying site before they go and try to intercept traffic from one that is relevant?

--
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Re:Really? British intelligence went after slashdo by drinkypoo · 2013-11-11 03:40 · Score: 5, Interesting

I have a hard time believing that someone convinced them this site was worthwhile.
That's because you're letting your ego get in the way. This isn't about you. This is about one or more specific targets that they believed or suspected were slashdot users.

--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Re:Really? British intelligence went after slashdo by Captain+Hook · 2013-11-11 03:41 · Score: 4, Informative

Really? British intelligence went after slashdot?
No, the target were Belgium Telco workers.

GCHQ needed a way to insert malicous scripts on the workers PC in order to gain a foothold on the Belgium Telcoms networks. The way they did that was to run a man-in-the-middle attack on the sites that those workers were going to visit.

--
These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
Re:Really? British intelligence went after slashdo by s.petry · 2013-11-11 03:44 · Score: 2

I have a hard time believing that someone convinced them this site was worthwhile. Was this just some kind of training exercise for them, to make sure that they could handle the traffic volume from a dying site before they go and try to intercept traffic from one that is relevant?
Sites like Slashdot and Reddit are very legit targets. If you want to measure public opinion you actually need sites like this. I'm sure that they also scan forums on intellectual sites like Science, etc... How do you know how to spin things, or continue to spin things, if you don't know how much information the public has.
Do I think they use it to track individual users? I have no evidence of this, but that does not mean it does not happen. If we can't see what they do I have no trust in them. If they are capable of what we "know", they are capable of attempting to silence critics.

--
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Re:British Intelligence Responds? by Joining+Yet+Again · 2013-11-11 03:52 · Score: 3, Interesting

Assuming this isn't a hoax, feathers successfully ruffled.
How often does GCHQ make an official statement in response to some random guys on the Internet claiming that they overstepped their bounds? It's surely not setting a precedent, so why has it respnded to this one?
["no comment"]
[junior PR flunky boilerplate sounding like it's from a FTSE 100 corp.]
Try Tor and exclude US/US friendly exit nodes by i_want_you_to_throw_ · 2013-11-11 04:15 · Score: 2

With all the uproar over US spying, you could always use a Tor solution that excludes US and US intelligence friendly exit nodes. PAPARouter (disclaimer: my company) is a router that has Tor in it and US and US friendly exit nodes are excluded (US, UK, Australia, New Zealand and all Commonwealth countries) by default. Anonymize several devices just hooking to the wireless access point. (Or build your own Onion-Pi from Adafruit and save a couple of bucks)
Re:British Intelligence Responds? by ledow · 2013-11-11 04:31 · Score: 2

Er... it hasn't.
It's responded with "No Comment" like it has for just about every media outlet that has ever asked it.
It might even be legally bound to reply to "press enquiries", in whatever form. I'm pretty sure if I wrote them a letter, they would reply. Most likely with a similar response.
Just because they're spies does not mean they don't have a press office and/or a secretary who just fobs off anyone who asks. Hell, you can get replies from Santa if you post them in a Royal Mail postbox (even if you don't address the letter, but just put "To Santa" and have a return address!).
A response means nothing. The response given means nothing (it literally means "I have received your letter. I have no response").
Call me back when there's a story.
we have never cooperated... by Anonymous Coward · 2013-11-11 04:34 · Score: 2, Funny

we have never cooperated with any government agency
What they mean to say is, "We have never cooperated with any government agency, unless compelled by law, or because the FBI asked nicely while threatening to throw us in jail, and even if we did cooperate, we aren't allowed to reveal that we did, and even if we are allowed to reveal that we did, we wouldn't because that would make us look bad."
1. Re:we have never cooperated... by Hartree · 2013-11-11 14:22 · Score: 2
  
  Actually what they meant to say was: "The NSA pays AT&T and others millions every year for data, and the GCHQ didn't even offer us a damn dime! Wankers."
Re:Really? British intelligence went after slashdo by s.petry · 2013-11-11 05:22 · Score: 4, Insightful

If we can't see what they do I have no trust in them.
If you can see what they do then so can the people they are trying to spy on. That is self-defeating.
Wrong, simply wrong. 20 years ago a warrant was required. We did not need to know the target name, but could see the judges name that signed the warrant and the agency or office name associated with the wiretap. Most importantly we could see and scrutinize the compelling arguments for the warrant. Without giving up agent names, this allowed oversight. Judge A approving every warrant would have been questionable, and probably removed from the bench. Judge B that had approvals and denials would still not be off the hook, but we could see what was being done without the detail that would have jeopardized officers.
Today, there is no oversight. Looking at a nearly rubber stamp approval without knowing judges names, or having power to remove them from the bench, what can the public do? Nothing, obviously. The only thing we have is overall request and approval numbers. Maybe every single request submitted is valid, maybe not. We don't see the compelling arguments for warrants, we just know that 99.99% of them are approved. Knowing the numbers of approved does not allow oversight.

If they are capable of what we "know", they are capable of attempting to silence critics.
"Capable of" and "intend to" are completely different questions, as well as matters of legal interest.
Nice word twisting, let me rephrase more carefully. "We know some of the illegal activities that the Government has been involved in, acting in secrecy. There is no reason to assume that they are not acting in other illegal ways. The only way to clear them is to open everything up."

--
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
In which country do you live ? by burni2 · 2013-11-11 06:18 · Score: 2

- US . so NSLs apply to you
- can you authentificate yourself, that you are not one of the bad guys ?
not speaking to the real issue by SethJohnson · 2013-11-11 06:38 · Score: 2

Trainee-

You are an apologist for an overreach of which you don't seem to fully comprehend or appreciate.

In the early days of these Snowden releases, Senator Nancy Pelosi represented your perspective. She downplayed the NSA programs saying there was full Congressional oversight and she had been aware of them through her briefings and they were ok.

Every week she was asked by reporters, "Did you know about such-and-such, and did you approve of it?" Early on she answered "Yes" to these queries. But somewhere along the way before it was revealed the NSA had tapped Angela Merkel's personal cellphone, Senator Pelosi realized there was a lot she didn't know about. The NSA had played her and her peers for fools. Now Senator Pelosi doesn't field those questions from reporters about oversight and what she had approved.

I predict as you learn more about the activities and programs of the NSA, you'll change your tune as well.

--
$5 / month hosted VPS on linux = awesome!
The death of morality by Taco+Cowboy · 2013-11-11 11:27 · Score: 3, Interesting

... All GCHQ's work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight ...
Maybe in strict legal terms, what GCHQ has done, including the man-in-the-middle attack spoofing Slashdot's webpages to inject malwares to the intended (and/or unintended) victims, is Kosher, the official reply from GCHQ is but another confirmation that Morality Is Dead, for the regime holding power over many of those so-called "Democratic Nations"
I am no sociologist, so I do not know where the failure lies - it could be democracy itself, it could be society, it could be education, it could even be "trendy" - but...

... at the end of the day, when Morality dies, anything goes
What is more shocking is that, if the government is immoral, how long do you expect their subjects (the people, that is) to remain upright morally ?
Government (and/or regimes) are like parents.
If the parents are crooked, don't expect the children to be straight.

--
Muchas Gracias, Señor Edward Snowden !
Re:Can anyone tell them apart? by stiggle · 2013-11-11 23:57 · Score: 2

GCHQ is based in a donut and work around tea.
NSA is based in a shiny box and work around coffee.
GCHQ has invented some good stuff (like PKI - but they didn't tell anyone about it until the papers were declassified) http://cryptome.org/ukpk-alt.htm