UK's GCHQ Admits To Using Vulnerabilities To Hack Target Systems

Bismillah (993337) writes "Lawyers for the GCHQ have told the Investigatory Powers Tribunal in the UK that the agency carries out the same illegal Computer Network Exploitation (CNE) operations that criminals and hackers do. Except they do it legally. GCHQ is currently being taken to court by Privacy International and five ISPs from UK, Germany, the Netherlands, Zimbabwe and South Korea for CNE operations that the agency will not confirm nor deny as per praxis."

Beta is dead !!

Thankfully, the beta project has been abandoned.

How much abuse was required to accept what the users were complaining about from day one? It must be over a year?

Bunch of criminals.

And shameless, too.

Re:Bunch of criminals.

[fustakrakich]

Their behavior is highly rewarding. The voters approve, on both sides of the pond. What do they have to be ashamed of? The public that allows this are the ones who should be ashamed.

Per praxis?

[wonkey_monkey]

will not confirm nor deny as per praxis.

What does an explodey Klingon moon have to do with this?

Re:Per praxis?

[Chrisq]

will not confirm nor deny as per praxis.

What does an explodey Klingon moon have to do with this?

Didn't you know that the UK establishment is run by Klingons? Though they have let a Ferengi and a Vulcan enter the government too.

Re:Per praxis?

[serviscope_minor]

And a Sith Lord.

http://newsthump.com/2009/09/2...

Actually he was completely unelectable (it seems that British voters are not yet ready to vote for the power of the Dark Side), so Labour made him a lord so we couldn't get rid of him.

Who says it's "illegal"? Timothy?

[phayes]

Something is illegal when there are laws or treaties adopted by the country in question that render the actions illegal. If there is no law or treaty that interdicts the GCHQ from hacking third parties then it cannot be illegal.

Timothy & the people he likes to promote often use words like "unconstitutional" & "illegal" using their own private definitions of the words -- but all they do is render their utterances meaningless hype.

Re:Who says it's "illegal"? Timothy?

" If there is no law or treaty that interdicts the GCHQ from hacking third parties then it cannot be illegal."

They have already been found to have broken the law in UK jurisdiction.
https://privacyinternational.org/?q=node/482

There are plenty of laws. And GCHQ are not protected by Jurisdiction, Belgacom can prosecute for the Belgian telephone hack as can everyone else. The bit we know from Snowden shows its far worse than IPT are admitting, they did bulk collection, and defined British telecoms as foreign simply by defining it as foreign if it passed through any offshore server along the way. So all gmail and hotmail email were defined as foreign and open to surveillance, even Brit to Brit comms was intercepted and handed over the NSA.

Re:Who says it's "illegal"? Timothy?

[Sique]

Just because a police officer in the UK has the right to arrest and interrogate suspects, it is not legal for him to arrest and interrogate people in other countries too. And the lawsuits are in other countries.

Re:Who says it's "illegal"? Timothy?

I look forward to those responsible being identified and prosecuted to the full extent of the law.

Or past offences ignored and new laws enacted to make future actions legal or new laws enacted and applied retrospectively.

Re:Who says it's "illegal"? Timothy?

No you have this backwards. Laws work like that for citizens but not for the authorities. I.e for a citizen, if what he/she does is not deemed illegal by a law then it's legal. But for the authorities it's the opposite way, i.e if what it does is not actively marked as legal by the law then it's illegal. If an authority does something that is not sanctioned (i.e not actively marked as legal by any law) then it is performing an illegal act.

Re:Who says it's "illegal"? Timothy?

[aaaaaaargh!]

There are plenty of laws prohibiting GCHQ from hacking third parties, e.g. they are in direct violation of European and German law (both civil and criminal law). That's why ISPs have sued them.

The problem is just that it's damned hard to prove it, since GCHQ is somewhat sneaky and backed up by a corrupt and fascist government.

Re:Who says it's "illegal"? Timothy?

[ledow]

This is why almost every law is covered by an exemption for the purposes of law enforcement (police pretending to be someone else in a sting operation, for example) or national security (which is what GCHQ hide behind).

Like the "Google not paying UK tax" thing - what they did was ENTIRELY legal, or else they'd be before the courts. But it's considered morally "wrong" so the law gets changed over time to match with the expectation (the "spirit" of the law and not just the "word" of the law).

Almost by definition, anything that GCHQ - a military department, effectively, like MI5 etc. - claim they did in the name of national security is legal. Even murder. Otherwise all war would be illegal too.

The law is not one line in a book. Like group policy, it's the result of overlap of thousands of lines from hundreds of books, all with different precedence and priority, and all with confusing text to describe how they operate, to arrive at a single answer for whether someone is allowed to do X or not.

Re:Who says it's "illegal"? Timothy?

There is no law which exempts GCHQ in other countries. Spies are not operating legally in other countries. But if there isn't a rule in the EU contracts which prescribes serious penalties up to and including exclusion from the EU for "treasonous" behavior, then that's a massive oversight that needs to be corrected, and the UK needs to decide which side they're on.

Re:Who says it's "illegal"? Timothy?

[phayes]

That also depends on treaties signed between the two countries. As for lawsuits brought in country B on the sovereign government of country A, they almost always die a quiet death (Civil suits brought by victims of terrorism upon the Iranian government being an example in which the US State department has been arguing that the suits should be thrown out).

Re:Who says it's "illegal"? Timothy?

[phayes]

Snort, "corrupt and fascist government". You're either an anarchist opposed to all government or the hypocritical supporter of your own local flavor.

Every government has it's own spies. Germany's BND in particular having been shown to perform the same mass & targeted data collection that German politicians were claiming that only the NSA & the GCHQ were doing.

Re:Who says it's "illegal"? Timothy?

[phayes]

Bull. Court cases against sovereign governments are almost always squashed & most of the exceptions are generally kangaroo political courts. The protestations of Anonymous Cowards far far removed from practical repercussions have absolutely no weight.

Re:Who says it's "illegal"? Timothy?

[ledow]

In other countries, they are spies who will be treated as such if caught. Please do catch them.

Unless, of course, those other countries are allies or part of the EU where they may (or may not!) have allowed international co-operation for items of "national security" anyway.

The question is not what GCHQ does, but who is allowing them to do that. The answer in the UK is "the people who draft laws", the answer worldwide is "the people who draft laws" and/or "nobody".

Only for where they are explicitly disallowed will they face punishment abroad, and - let's just think about this - they are spies who need to spy on foreign risks, so the exact countries likely to prosecute (or more likely, assassinate) GCHQ members are exactly those countries they will be keeping an eye on.

Note that I'm not EXCUSING any of this. This is just the reason. But what they are doing to allies is allowed, what they are doing to "enemies" is not allowed in the enemy territory but it's an enemy anyway, and what doesn't come under those categories is extremely difficult to determine without co-operation of allies / enemies anyway.

This has, is, and will go on no matter what for what is essentially a spy agency. How legal it is on our own people, on our own soil is the only matter for UK law (the rest is really foreign policy), and UK law says they can. And EU law says they can. So we can ask to change the law, and the answer will be the same as ever "In the interest of national security..."

Re:Who says it's "illegal"? Timothy?

[aaaaaaargh!]

Neither of the two, I merely stated a fact.

Re:Who says it's "illegal"? Timothy?

[phayes]

I see that anonymous cowards are still abysmally stupid. If you can look forward to laws that retroactively make some behavior that you dislike illegal then you open the doors to all retroactive laws, like one that I would prefer that would find all the AC's posting dumb comments like yours and neutering them.

Re:Who says it's "illegal"? Timothy?

[phayes]

Says who? You, the hypocritical anarchist? Yeah, right...

Not legal

IPT is a rubber stamping agency, to hide the illegality from legal challenge by having a layer of yes men between it and the legal system.

But even they admit the illegal nature of spying on Brits for a foreign power. Although they're only limited to whether it violates some narrow rules, so they found it was illegal because it wasn't transparent, and now that Snowden has leaked it, its now transparent hence legal:

https://www.techdirt.com/articles/20150206/07190329935/uks-secretive-court-says-intelligence-sharing-between-nsa-gchq-was-unlawful-past-now-it-isnt.shtml

But hey, if you call it 'sharing' that makes it sound so much better! They didn't spy for America, they 'shared' a bulk collection feed of mostly British data with them. See? Not traitors betraying their countries secrets at all!

Hmm

[cascadingstylesheet]

"Police carry the same projectile weapons that criminals do. Except they do it legally."

Re:Hmm

"Police carry the same projectile weapons that criminals do. Except they do it legally".
But the police can still be prosecuted for the unlawful use of those weapons.

Re:Hmm

Mildly funny comment in context of a UK story.

Re:Hmm

"Police carry the same projectile weapons that criminals do. Except they do it legally".

But the police can still be prosecuted for the unlawful use of those weapons.

In what country? Certainly not in the UK or US.

Re:Hmm

[AmiMoJo]

Good job the police never accidentally shot anyone. Good job that no-one else will ever discover these exploits and begin quietly using them to screw the people that GCHQ is supposed to be protecting.

Re:Hmm

http://www.independent.co.uk/n...

Re:Hmm

This is not about tools, this is about use of tools.

"Police shoot innocent people just like criminals do. Except they do it legally."

Computer Misuse Act 1990 ..

[DougPaulson]

@phayes: "Something is illegal when there are laws or treaties adopted by the country in question that render the actions illegal. If there is no law or treaty that interdicts the GCHQ from hacking third parties then it cannot be illegal.

Computer Misuse Act 1990

'Sections 1-3 of the Act introduced three criminal offences:

unauthorised access to computer material, punishable by 6 months' imprisonment or a fine "not exceeding level 5 on the standard scale" (currently £5000);

unauthorised access with intent to commit or facilitate commission of further offences, punishable by 6 months/maximum fine on summary conviction or 5 years/fine on indictment;

unauthorised modification of computer material, subject to the same sentences as section 2 offences.'

Re:Computer Misuse Act 1990 ..

You know what the word "unauthorized" means, don't you? UK law allows for the authorization of this kind of access.

You're not going to get anywhere with this crowd

There are also laws against killing people, yet law enforcement and the military may lawfully do so in certain situations.

The summary would be accurate if it simply struck the word illegal:

"the agency carries out the same Computer Network Exploitation (CNE) operations that criminals and hackers do. Except they do it legally."

Is anyone surprised by this? NSA and CYBERCOM do it, too, under US Title 50 and Title 10 authorities, respectively.

And there is no equivalence between the actions of criminals and democratic governments, nor between repressive government and democratic governments, without an ugly morass of moral relativism.

GCHQ is an intelligence component of a free and democratic society operating with clear and specific legal authorities, even though some may disagree with them, utterly misunderstand them, or incorrectly believe that is not the case. Intelligence activities also require secrecy in order to be effective, even in free societies.

There appears to be a fundamental misunderstanding even in the tech companies of what GCHQ and NSA are actually doing and why. Gone are the days where the US or UK targeted foreign communications on distant shores, or cracked codes used only by our enemies. No one would have questioned the legitimacy of breaking the German or Japanese codes during WWII. The difference today is that our adversaries -- from terrorists to nation-states -- use the same systems, services, networks, operating systems, devices, software, hardware, cloud services, encryption standards, and so on, as our citizens and much of the rest of the world. The distinction is no longer the technology or the place, but the person(s) using a capability: the target. In a free society based on the rule of law, it is not the capability to do a thing, but the law which defines how we behave, that is paramount.

An important thing to remember here is that because adversaries use the same systems we're using, the fact that Americans or Britons or others also use them does not suddenly or magically mean that no element of US or UK intelligence should ever target them. When a terrorist in Somalia is using Hotmail -- or an iPhone -- instead of a walkie-talkie, that does not mean we pack our bags and go home. That means that, within legal authorities and duly authorized missions, we aggressively pursue any and all possible avenues, within the law, that may allow us to intercept and exploit the communications of foreign intelligence targets.

If they are using hand couriers, we target them. If they are using walkie-talkies, we target them. If they are using their own custom methods for protecting their communications, we target them. If they are using HF radios, VSATs, satellite phones, or smoke signals, we target them. If they are using GMail, Facebook, iPhones, Android, SSL, web forums running on Amazon Web Services, etc., we target them -- within clear and specific legal frameworks that govern the way our intelligence agencies operate, including with regard to our own citizens.

That doesn't mean it's always perfect; that doesn't mean things are not up for debate; that doesn't mean everyone will agree with every possible legal interpretation; that doesn't mean that some may fundamentally disagree with the approach to, e.g., counterterrorism. But the intelligence agencies do not make the rules, and while they may inform these, they do not define national policy or priorities.

"We're pretty aggressive within the law. As a professional, I'm troubled if I'm not using the full authority allowed by law." - General Michael Hayden, Director, National Security Agency (DIRNSA), November 2007

"Gone were the days when signals of interest [...] went along some dedicated microwave link between strategic rocket forces headquarters in Moscow and some ICBM in western Siberia. By the late '90s, what NSA calls targeted communications -- things like al Qaeda communications -- coexisted out there in a great global web with your phone calls and my e-mails. NSA needed the

How can voters 'approve' of secret programs?

How can voters 'approve' of secret programs, to spy on them?

Their people in the House of Lords recently tried to slip 'snoopers charter' into an amendment, the Lords rejected it demanding instead a debate of surveillance. Hence nobody can pretend this has approval, even the Lords want to find the details of it and debate it. Also you don't try to legalize something that is already legal. We found out they have a huge database of private British info, and its freely accessed by Ministry staff. No warrants, no checks, and Snoopers Charter would have made it legal retrospectively.

Good luck telling a judge that his private info, and that of his family are freely available to everyone in certain ministries without so much as a warrant, or check.

Fearmongering isn't necessary if approval is given:
https://www.privacysos.org/node/1660

"If you’re submitting budget proposals for a law enforcement agency, for an intelligence agency, you’re not going to submit the proposal that ‘We won the war on terror and everything’s great,’ cuz the first thing that’s gonna happen is your budget’s gonna be cut in half. You know, it’s my opposite of Jesse Jackson’s ‘Keep Hope Alive’—it’s ‘Keep Fear Alive.’ Keep it alive." - FBI assistant director Thomas Fuentes

Re:How can voters 'approve' of secret programs?

[gl4ss]

also, it still wouldn't make it legal elsewhere.

what all this shit is leading into is countries soon flat out refusing to even investigate hacker claims from other countries - I mean, why should they when the other country does jack all shit nothing to help to solve the crimes their agents committed?

Re:How can voters 'approve' of secret programs?

[ememisya]

Well, I think you should complain to your local government about your government spying on you... So yea... I personally believe Abraham Lincoln had a great quote when he said, "You can fool some of the people all of the time, and all of the people some of the time, but you can not fool all of the people all of the time." That is the post-Snowden era. But the million dollar question is, "Who can do what about it?" and the answer is obvious, it's here to stay because no one person can do anything about it. The technical reason is one of liability. When something bad happens, you don't want to hear, "Sorry, the data was encrypted.", or "We didn't collect everything because of privacy or constitutional reasons." A technical person told me, "We don't care about what porn you watch, it's just not what we do." But it is also interesting that a person out there does know what type of porn you watch, and again if one was to specifically categorize porn DNS not to be monitored, that's what all the hackers would use knowing it's not being monitored, that's the argument there. Another thing is, there is no monetary incentive on the side of privacy it would seem. There is a ton of money to be made from data of people. So that's where the world stands right now. Government's argument would be, "We've been watching you this whole time, it's just that you didn't know it, so shut up, forget about it, and we can go back to way things were." Concerned citizen argument is, "The authors of the government promised that it would work to make it impossible to have a system in which all your actions are recorded without your knowledge." It's pretty similar to stalking. Only time will tell.

Re:How can voters 'approve' of secret programs?

Can you say "House of Lords" without throwing up in your mouth a little?

Look, it's not about if something's legal or not. The people making laws are, by definition, above them.

That's why it doesn't matter what the laws say. The "Lords" (=rulers) make sure to immerse us in discussions about legality and "new investigatory powers" and "checks and balances" and so on exactly because it serves as a distraction.

They keep passing laws in stealthy ways, as last-minute additions to something that's voted on in some ad-hoc session on a Sunday morning. Every single time, it's clear they know the people would oppose whatever they're passing, because it's against our interests. Whatever is in their interests is against ours, and vice versa.

There are countless ways in which our rulers are showing us that having rulers is a *bad* idea. Now if only the masses would wake up to see it..

Re:How can voters 'approve' of secret programs?

[fustakrakich]

How can voters 'approve' of secret programs, to spy on them?

They do so by not demanding sufficient oversight and allowing too much secrecy, legal or otherwise. And they do it willfully because they believe propaganda. As much noise as we make about it here, the vast majority finds it all perfectly acceptable. Not that they will ever overtly admit to such. Code words like 'national security' and 'voting Arabs' are all you need to get everyone on board. The voters are not innocent by any means, they can pretend ignorance all they want, but that kind of BS doesn't fly.

GCHQ taken to court?

[some+old+guy]

Oh, my! Hah ha ha, please forgive me! Ha ha ha ha That's a good one!

Re:You're not going to get anywhere with this crow

What they've done is to use a blanket warrant to grab ALL data on the excuse of 'terrorism', that gives them a searchable database, which no longer has the individual judicial checks. In particular they've done a full take on the pipes into the UK, which by its nature carries mostly UK to UK data.

GCHQ then handed this feed to the NSA, who have indexed it, on the promise they won't misuse it, and NSA in return has given them access to a search interface, PRISM back on this data and others.

NSA built a haystack, and the one thing we know is it isn't likely to contain needles, because its easy-to-get bulk data on everyone, not difficult-to-get signals intelligence on terrorists. The quantity of 'hay' they collect is connected to the ease by which they can intercept it, not the likeliness of it for 'terrorism'.

And of course once you remove the judicial protections and checks and balances, it all goes out the window. We learned of the memo saying NSA should keep any UK intelligence useful to the US, despite the 5 eyes 'no-spy' treaty, and that the SWIFT agreement was circumvented by simply assigning NSA staff to the treasury. Well duh!

In the process of turning US industry into surveillance machines, they've undermined encryption, withheld security holes, signed secret corporate commercial surveillance agreements. Undermining US products by coercion and bribery.

All because one General decided that instead of 'thin thread' approach of going after just the info they needed, they'd do a big 'store it all', and then do the searches adhoc without judicial checks after the fact.

You say 'clear legal framework' but it was clear from the leaks that the FISA judge was misled about the database stuff. He approved a tap, for a specific purpose, and instead it went into a database for other purposes. If FISA judges cannot be told the truth then how can this be a 'clear' anything?

NSA lied to the court:
https://www.techdirt.com/articles/20130821/16331524274/declassified-fisa-court-opinion-shows-nsa-lied-repeatedly-to-court-as-well.shtml

None of this has been approved by the democracy it operates in. We get glimpses of how abused the systems was sometimes:
https://www.techdirt.com/articles/20140813/23203228207/unsealed-jewel-v-nsa-transcript-doj-has-nothing-contempt-american-citizens.shtml

Keep in mind we're not talking about detail here, the basis of "collect everything one judicial warrant then search it later without warrant", for Britain this was one of the parts of Snoopers Charter. When GCHQ failed to get it, it went ahead with Tempora anyway with a faulty legal interpretation. It was clearly a breach of the law, yet they did it anyway.

So now we're in the position where politics is corrupted in 5 eyes countries, where the hard line military leaders win elections, and up coming parties have their telephone calls leaked against them. All of that needs to be pulled back in, the protections put back in place, GCHQ staff involved need to be ejected (prosecuted even) and replaced by people loyal to their country, and GCHQ need to only hand narrow data over, on terrorism, with proper judicial checks each time.

Should GCHQ be spying on data, which is mostly British, including sensitive data on commercial, political, journalistic and democratic actors from 200 fibre optics, handing it to NSA who give it to 800,000 NSA staff and private contractors ? It's a no-brainer. No they should not.

https://orderoftruth.wordpress.com/2013/06/22/uk-communications-bill-snoopers-charter-legalises-illegal-activity-of-gchq-and-nsa-in-uk-exposed-by-snowden/

GCHQ staff, to me you are compartmentalized into seeing tiny parts of the bigger picture. Classic 'rubes'.

This is news?!

[RussH]

I'm sorry but did anyone even think that they DIDN'T already do this?

Re:This is news?!

Quite. We knew they hacked systems - how did we think they were doing it, if not using "vulnerabilities"?

And?

And water is wet.

To Hack Target Systems

[rossdee]

So are they responsible for the breach just before Christmas 2013 that exposed millions of credit card details?

Target should sue them, and there could be a class action lawsuit from the affected customers.
And the 1700 workers that were fired in the Twin Cities the other day should get some of the damages too.

Re:To Hack Target Systems

[H0p313ss]

I guess I need more coffee, I can't tell if you're joking, trolling or stupid.

If it was a joke you really need to work on that.

Laugh

[koan]

the agency carries out the same illegal Computer Network Exploitation (CNE) operations that criminals and hackers do. Except they do it legally.

LOL, So... it is a crime, not because it is morally and ethically questionable, but because you told us it is, and you told us it's OK for you to do it.

Re:Laugh

the agency carries out the same illegal Computer Network Exploitation (CNE) operations that criminals and hackers do. Except they do it legally.

If it is legal then it isn't illegal which means the submitter is trolling, and you bit.

LOL, So... it is a crime, not because it is morally and ethically questionable, but because you told us it is, and you told us it's OK for you to do it.

It's a crime for you to dress like a policeman and walk the streets telling people you are, yet it isn't for a real policeman to do so. It is illegal you you fly your private helicopter over the House of Commons at 100 feet yet it is legal for the military to do so. It is illegal for you to possess various substances like cocaine, but certain government agencies are legally allowed to in order to conduct research. What is your point? That there are things the government is legally allowed to do that private citizens are legally prohibited from doing? And this is a surprise to you?

Re:Laugh

The difference is those laws that made it legal for the government to do the things you list, were, for the most part, agreed to by the people and passed by lawful representatives.
In this case, no law was ever clearly passed by the people's representatives giving GHCQ the powers to do this or authorize itself. Since there is no such permission, they are subject to the same laws as everybody else by default.

Queen and Country

[zlives]

"it is not illegal if the president does it"

Re:Queen and Country

[zlives]

‘If the President Does It, That Means It’s Not Illegal’

misquoted earlier

Re:You're not going to get anywhere with this crow

[phayes]

Hear hear! That's the most intelligent comment I have ever read from an AC. So intelligent, that given that you posted it as an AC I'm stealing it for future reuse.

Some people ask me "why even attempt to argue against Timothy & his ilk". Your post is a great example of why.

Re:You're not going to get anywhere with this crow

[phayes]

Drivel. Utter drivel.

The NSA, GCHQ, DGSE, etc have all been authorized, even instructed by the elected officials & courts over them to perform the collection they do. That YOU as a basement dwelling AC with no clearance does not have proof of this & believe that your ignorance is proof of anything is just another sign of how ignorant you are.