0:00:00.000,0:00:15.005
34c3 intro
0:00:15.005,0:00:21.070
Herald: All right, it's my great pleasure[br]to introduce to you Mustafa Al-Bassam.
0:00:21.090,0:00:26.500
He's gonna talk about uncovering British[br]spies' web of sockpuppet social media
0:00:26.500,0:00:31.720
personas. Mustafa is a PhD student at the[br]University College in London, studying
0:00:31.730,0:00:37.329
information security and focusing on[br]decentralized systems. Mustafa was a co-
0:00:37.329,0:00:43.921
founder of LulzSec, a hacker activist[br]group some of you might have heard of, and
0:00:43.921,0:00:48.339
with that, please give a warm applause to[br]Mustafa.
0:00:48.339,0:00:55.469
applause
0:00:55.469,0:00:57.920
Mustafa Al-Bassam: Hey. So it seems that
0:00:57.920,0:01:02.489
over the past year we've had a lot in the[br]media about this kind of idea that the
0:01:02.489,0:01:06.070
people that you interact with on Twitter[br]and Facebook and other kinds of social
0:01:06.070,0:01:11.580
media are not necessarily who they say[br]they are, and sometimes not even be, they
0:01:11.590,0:01:16.329
might not even be people at all. They[br]might be bots. And we've heard about how
0:01:16.329,0:01:21.009
this might be used to manipulate people[br]into believing certain things or certain
0:01:21.009,0:01:26.189
ideas. And this has become quite a big[br]topic recently, especially after the U.S.
0:01:26.189,0:01:32.159
presidential elections in 2016, where[br]according to one study, up to one in five
0:01:32.159,0:01:36.030
election related tweets weren't actually[br]from real people. And apparently it's
0:01:36.030,0:01:40.759
it's such a big problem that even the[br]president is being manipulated by, to say,
0:01:40.759,0:01:46.250
bots. But, this has been a kind of[br]activity that has been going on for a very
0:01:46.250,0:01:49.119
long time, and not just from Russia or[br]China.
0:01:49.119,0:01:53.869
The West also engages in these kind of[br]activities including the UK and the US,
0:01:53.869,0:02:00.799
but in other kinds, in other regions. So,[br]today I'm talking about what Britain does
0:02:00.799,0:02:08.038
in this regard. So, in the UK we have an[br]NSA-equivalent intelligence agency called
0:02:08.038,0:02:13.280
GCHQ or Government Communications[br]Headquarters. And their job is basically
0:02:13.280,0:02:20.500
like the UK's version of the NSA: to[br]collect as much information as possible
0:02:20.500,0:02:26.080
through wiretaps and mass surveillance[br]systems. But they also have a subgroup or
0:02:26.080,0:02:31.360
subteam within GCHQ called the Joint[br]Threat Research Intelligence Group or
0:02:31.360,0:02:36.420
JTRIG for short. And what these guys[br]basically do is, it's basically a fancy
0:02:36.420,0:02:40.970
name for sitting on Twitter and Facebook[br]all day and trolling online. What they do is
0:02:40.970,0:02:44.860
they conduct what they call Human[br]Intelligence, which is kind of like the
0:02:44.860,0:02:49.840
act of interacting with humans online to[br]try to make something happen in the real
0:02:49.840,0:02:54.390
world. And in their own words one of their[br]missions is to use "dirty tricks" to
0:02:54.390,0:03:00.150
"destroy, deny, degrade and disrupt[br]enemies" by "discrediting" them. And we've
0:03:00.150,0:03:05.400
seen JTRIG has been involved in various[br]campaigns and operations, including
0:03:05.400,0:03:10.090
targeting hacktivist groups like Anonymous[br]and LulzSec, and also protests in the
0:03:10.090,0:03:14.510
Middle East, during the Arab Spring and[br]also the Iranian protest in 2009.
0:03:14.510,0:03:20.620
So, a bit of context to what led me to[br]uncover this stuff and to actually
0:03:20.620,0:03:24.930
research this stuff. So in 2011, I was[br]involved with the with the hacktivist
0:03:24.930,0:03:29.510
group LulzSec. And to refresh your memory,[br]LulzSec was a group that existed during
0:03:29.510,0:03:34.650
the summer of 2011 and hacked into a bunch[br]of US corporate and government
0:03:34.650,0:03:40.211
organizations, like the US Senate, their[br]affiliates and Sony and Fox. And in the
0:03:40.211,0:03:46.180
same year I was arrested, and a year later[br]I was officially indicted on a court
0:03:46.180,0:03:50.680
indictment. But the thing that struck me[br]about this indictment was that there was
0:03:50.680,0:03:55.130
absolutely no mention in this court[br]document about how they managed to
0:03:55.130,0:04:01.130
deanonymize me and my co-defendants. Or[br]how they managed to actually link our
0:04:01.130,0:04:06.820
online identities with offline identities.[br]And I thought it was suspicious because
0:04:06.820,0:04:15.010
our US counterparts, actually, their court[br]indictments had very lengthy sections on
0:04:15.010,0:04:20.540
how they were caught. For example, when[br]the FBI arrested Jeremy Hammond, his court
0:04:20.540,0:04:25.150
indictment had a, had very detailed[br]information about how those guys social
0:04:25.150,0:04:28.540
engineered him and managed to track him[br]through his IP address and through Tor and
0:04:28.540,0:04:33.600
whatnot. But then, fast forward a year[br]later, Edward Snowden started leaking
0:04:33.600,0:04:39.470
documents about the NSA and GCHQ, and then[br]in 2014, one of those documents or some of
0:04:39.470,0:04:45.600
those documents were released on NBC that[br]showed that GCHQ was targeting hacktivist
0:04:45.600,0:04:49.850
groups like Anonymous and LulzSec. And[br]that makes a lot of sense in my head.
0:04:49.850,0:04:55.820
Because if GCHQ was involved in this[br]deanonymization process, then they
0:04:55.820,0:04:59.410
wouldn't want to have that in the court[br]indictment, because it would reveal the
0:04:59.410,0:05:03.830
operational techniques.[br]And this is one of the leaked slides from
0:05:03.830,0:05:09.870
GCHQ talking about some of the activist[br]groups they target. One of the people
0:05:09.870,0:05:17.460
they targeted was someone who went by the[br]nickname of "p0ke", who was chatting in an
0:05:17.460,0:05:25.220
IRC channel, a public chat network. And[br]this was a public chatting channel where
0:05:25.220,0:05:30.520
people from Anonymous and other kinds of[br]hacktivists kind of sit and chat about
0:05:30.520,0:05:38.580
various topics and also plan operations.[br]And this person "p0ke" was chatting on
0:05:38.580,0:05:47.490
this channel and boasted that they had a[br]list of 700 FBI agents' emails and phone
0:05:47.490,0:05:55.050
numbers and names. And then it turned out[br]that a GCHQ agent was covertly in this
0:05:55.050,0:06:00.950
channel observing what people were saying.[br]And then the GCHQ agent initiated a
0:06:00.950,0:06:05.510
private message with this person to kind[br]of get more information and to try to
0:06:05.510,0:06:12.210
build a relationship with this person. And[br]the agent asked them what was the site and
0:06:12.210,0:06:16.490
then they just gave that information up[br]and they even gave them a sample of some
0:06:16.490,0:06:22.560
of the leaked information. So it turns out[br]that actually GCHQ was active in these IRC
0:06:22.560,0:06:30.930
networks and chat networks for months if[br]not years and they were in up to several
0:06:30.930,0:06:35.590
hundred channels at a time. They were just[br]sitting there idling. They weren't really
0:06:35.590,0:06:41.450
saying much or actually participating in[br]conversation, except that every few months
0:06:41.450,0:06:46.270
you might notice them say "hey" or "lol"[br]in the chat even though it might be out of
0:06:46.270,0:06:49.360
context of the conversation that was going[br]on, presumably so that they wouldn't get
0:06:49.360,0:06:53.520
kicked off the network because some[br]networks kick you off if you're idling
0:06:53.520,0:06:58.419
there for too long. And then often what[br]they would do is they would private
0:06:58.419,0:07:03.139
message people in rooms to try and[br]corroborate information about activities
0:07:03.139,0:07:07.139
that were going on and being discussed or[br]trying to entrap people by getting them to
0:07:07.139,0:07:13.260
admit to things as we saw with p0ke.[br]And it seemed to be quite a common theme
0:07:13.260,0:07:19.470
that these undercover feds and agents were[br]sitting in these chat rooms. In the
0:07:19.470,0:07:26.389
Europol meeting 2011, where 15 European[br]countries were discussing what they were
0:07:26.389,0:07:31.710
doing to tackle Anonymous and LulzSec,[br]apparently there were certainly undercover
0:07:31.710,0:07:36.520
cops in these channels that had an issue[br]with undercover cops investigating each
0:07:36.520,0:07:40.990
other.[br]laughter
0:07:40.990,0:07:53.280
So the GCHQ agent that was targeting p0ke[br]sent them a link to a BBC news article
0:07:53.280,0:08:01.870
about hacktivists. And, according to this[br]leaked slide, this link enabled GCHQ to
0:08:01.870,0:08:08.610
conduct signal intelligence to discover[br]p0ke's real name, Facebook and email
0:08:08.610,0:08:14.530
accounts etc. It doesn't say exactly how[br]they did that, but it's not that hard if
0:08:14.530,0:08:20.830
they have your IP address and user agent.[br]Back then, in 2011, most websites weren't
0:08:20.830,0:08:25.490
using HTTPS, including Facebook, so if[br]they look up your IP address in XKeyscore
0:08:25.490,0:08:29.520
or the dragnet surveillance system, they[br]can easily see what other traffic is
0:08:29.520,0:08:35.010
originating from that IP address, and what[br]Facebook accounts are connected to that IP
0:08:35.010,0:08:41.948
address for example. But in this in this[br]slide leaked by NBC the URL was redacted,
0:08:41.948,0:08:46.399
but it wasn't very hard to actually find[br]that URL, because these were public
0:08:46.399,0:08:51.029
channels that GCHQ agents were talking in,[br]and people haven't been targeted in
0:08:51.029,0:08:56.470
themselves including myself. We were able[br]to find out what that URL shortener was
0:08:56.470,0:09:01.589
I mean what that website was but[br]which turned out to be a URL shortener so
0:09:01.589,0:09:09.949
the website that was sent to p0ke to click[br]was "lurl.me" and according to
0:09:09.949,0:09:16.950
archive.org, here is a snapshot from[br]"lurl.me" in 2013, just before it went
0:09:16.950,0:09:21.279
offline, that basically showed it was a[br]URL shortening service, it looks like a
0:09:21.279,0:09:28.170
generic URL shortening service. One thing[br]I noticed is, the domain name sounds
0:09:28.170,0:09:32.820
like "lure me" which is basically what[br]they were doing,
0:09:32.820,0:09:41.119
because JTRIG had this internal wiki[br]where they listed all the tech tools and
0:09:41.119,0:09:47.149
techniques that they use in the operations[br]and one of the categories that they have
0:09:47.149,0:09:54.999
is "shaping and honey pots" and in that[br]category they have a tool code named
0:09:54.999,0:09:59.200
Deadpool which is described as a URL[br]shortening service and that's what
0:09:59.200,0:10:07.970
"lurl.me" was. We first saw "lurl.me" in[br]2009 - the domain name was registered in
0:10:07.970,0:10:16.040
2009 - and almost immediately it was it[br]was linked tweets about Iranian protests,
0:10:16.040,0:10:21.679
and then it went offline in 2013, shortly[br]after the Edward Snowden leaks in November,
0:10:21.679,0:10:26.089
but interesting if you look up all of the[br]instances of this URL shortener being used
0:10:26.089,0:10:30.209
in social media and Twitter there's[br]probably about 100-200 instances of it
0:10:30.209,0:10:36.040
being used and every single one of those[br]instances where it was used it was
0:10:36.040,0:10:42.829
associated with political activities late[br]in the Middle East or Africa usually to
0:10:42.829,0:10:49.270
protests. And the majority of the most[br]common were coming from the default
0:10:49.270,0:10:54.220
Twitter accounts with no avatar, with very[br]few tweets and they're accounts that were
0:10:54.220,0:10:59.689
active for only a few months between 2009[br]and 2013.
0:10:59.689,0:11:05.589
One of the techniques, or some of the[br]techniques that JTRIG used, in their own
0:11:05.589,0:11:09.680
words to conduct their operations[br]includes uploading YouTube videos
0:11:09.680,0:11:13.720
containing persuasive messaging,[br]establishing online aliases with Facebook
0:11:13.720,0:11:18.970
and Twitter accounts, blogs and forum[br]memberships for conducting human
0:11:18.970,0:11:23.129
intelligence, or encouraging discussion on[br]specific issues, sending spoof emails and
0:11:23.129,0:11:28.189
text messages as well as providing spoof[br]online resources, and setting up spoof
0:11:28.189,0:11:34.850
trade sites and this is exactly what we're[br]going to see in the next few slides and in
0:11:34.850,0:11:39.749
most examples that they use for the[br]operations is they actually targeted the
0:11:39.749,0:11:44.950
entire general population of Iran which is[br]a pretty big target audience of 80 million
0:11:44.950,0:11:48.279
people. According to them,[br]they had several goals in Iran:
0:11:48.279,0:11:53.389
the first goal was to discredit the[br]Iranian leadership and its nuclear program
0:11:53.389,0:11:57.469
Second goal was to delay and disrupt[br]online access to materials used in the
0:11:57.469,0:12:00.059
nuclear program. Third goal was[br]conducting online Human
0:12:00.079,0:12:02.739
Intelligence and the fourth goal was the most
0:12:02.739,0:12:07.589
interesting goal in my opinion: Counter[br]censorship. It might seem, might sound great
0:12:07.589,0:12:12.769
it might sound like almost like GCHQ is[br]kind of aligned with the motives of the
0:12:12.769,0:12:16.480
Internet freedom community by helping[br]these Iranian activists to evade
0:12:16.480,0:12:18.929
censorship.[br]But we're gonna see it's not really the
0:12:18.929,0:12:24.550
case. The main kind of Iran the main kind[br]of sock puppet accounts on Twitter that
0:12:24.550,0:12:32.009
JTRIG was running during this campaign in[br]2009 was called "2000 Iran
0:12:32.009,0:12:36.519
2009 Iran free".[br]This was the most kind of active Twitter
0:12:36.519,0:12:41.679
account that it had and it had 216 tweets[br]and they also had I kind of like a bunch
0:12:41.679,0:12:46.499
of other accounts that were less active[br]that had default avatars probably just to
0:12:46.499,0:12:51.389
kind of, kind of build up their social[br]network that mostly retweeted things,
0:12:51.389,0:12:57.509
retweeted the same things as a display[br]account but slightly rewarded or even with
0:12:57.509,0:13:00.050
them.[br]And what this Twitter account essentially
0:13:00.050,0:13:07.449
did was in quick succession, over a period[br]of like one or two weeks tweeted a bunch
0:13:07.449,0:13:12.920
of links from this URL shortener for[br]various purposes for to various articles
0:13:12.920,0:13:20.319
on blogs online and they also had actually[br]a blogspot website with like one article
0:13:20.319,0:13:28.709
to kind of expand their network I guess.[br]One of the activities that 2009 Iran free
0:13:28.709,0:13:35.730
and the other sock puppets were doing[br]was they were kind of trying to spread the
0:13:35.730,0:13:42.269
same IP addresses as proxies to Iranians[br]to use as a counter censorship. So for
0:13:42.269,0:13:48.389
example you can see that they have a list[br]of IP addresses here with hashtags like
0:13:48.389,0:13:52.269
Iran election that they can use for[br]protests and they and they might sometimes
0:13:52.269,0:14:01.899
feed links to that to to this proxy is[br]using that URL shortener and this is, this
0:14:01.899,0:14:07.329
is quite concerning because well one of[br]the tools used by JTRIG is also called
0:14:07.329,0:14:12.639
codenamed Molten Magma which is basically[br]an HTTP proxy with the ability to log all
0:14:12.639,0:14:16.910
traffic and perform HTTPS man-in-the-[br]middle because, again, they were they were
0:14:16.910,0:14:20.429
spreading exactly the same IP address all[br]of these all these sock puppet accounts
0:14:20.429,0:14:26.009
were spreading exactly the same IP[br]addresses and same links to Iranians to
0:14:26.009,0:14:33.119
help them to or to allegedly help them to[br]evade common censorship. And they were
0:14:33.119,0:14:37.569
even claiming that these were the same[br]proxies used by the Iranian government to
0:14:37.569,0:14:41.249
get around their own firewalls so if they,[br]apparently if they block these proxies
0:14:41.249,0:14:45.619
they will block their own access to the[br]outside world.
0:14:45.619,0:14:50.519
And this is essentially what they are[br]doing here. In this kind of context GCHQ
0:14:50.519,0:14:54.610
is kind of acting like the big bad wolf[br]from Red Riding Hood. It might seem like
0:14:54.610,0:15:02.319
they're helping me but they're also[br]causing you harm in the process.
0:15:02.319,0:15:06.629
And this is a, this is a list that[br]contains a list of some of the techniques
0:15:06.629,0:15:13.319
that JTRIG used. This was also a leaked[br]document and this essentially kills two
0:15:13.319,0:15:18.360
birds with one stone because what they do is[br]at the bottom it says one technique is
0:15:18.360,0:15:22.370
hosting targets' online communications for[br]collecting signal intelligence as we saw
0:15:22.370,0:15:27.120
with p0ke and which is why they tweet[br]these links using URL shortener so they
0:15:27.120,0:15:32.429
can conduct signal intelligence on people[br]who are interested in clicking these
0:15:32.429,0:15:38.839
things and also providing online access to[br]uncensored materials and sending instant
0:15:38.839,0:15:42.759
messages to specific individuals giving[br]them instructions for accessing uncensored
0:15:42.759,0:15:47.120
websites.[br]One of the forums that these proxies were
0:15:47.120,0:15:53.939
posted in was whyweprotest.net and someone[br]actually kind of almost got it right.
0:15:53.939,0:15:56.779
Someone asked: "Why does the government use[br]proxies? That doesn't make any sense, they
0:15:56.779,0:15:59.509
wouldn't need any proxies." And then[br]someone replied: "The Iranian government
0:15:59.509,0:16:03.999
allegedly has set up proxies to monitor[br]connections from within Iran to be
0:16:03.999,0:16:08.100
able to pinpoint the people who are trying[br]to bypass these blocks." So they're almost
0:16:08.100,0:16:10.569
right because it wasn't the Iranian[br]government that was actually monitoring
0:16:10.569,0:16:18.760
connections in Iran. It was GCHQ.[br]There were also set up, I agree, basic
0:16:18.760,0:16:25.529
websites, that basically acted as RSS[br]feeds to English websites about Iran to
0:16:25.529,0:16:29.629
presumably, but also for counter[br]censorship reasons. One of the same
0:16:29.629,0:16:34.889
things they did was mimic government[br]officials. So for example they might
0:16:34.889,0:16:39.980
post in a forum saying: "Attention users[br]outside Iran, you can call the president
0:16:39.980,0:16:43.839
at this number to discuss the elections[br]direct." And they were insistent that you
0:16:43.839,0:16:49.829
should not call this number if you are in[br]Iran. And then they will also give an
0:16:49.829,0:16:55.670
email address for the vice president on[br]the Twitter.
0:16:55.670,0:17:00.370
This also matches up with another[br]technique that JTRIG uses, again according
0:17:00.370,0:17:06.549
to the leaked documents, where they send[br]spoof emails and text messages from a fake
0:17:06.549,0:17:11.669
person or mimicking a real person to[br]discredit, promote, distrust, dissuade,
0:17:11.669,0:17:16.829
deceive, deter, delay or disrupt. Whatever[br]the purpose was, they certainly managed to
0:17:16.829,0:17:20.810
promote distrust because one of the[br]replies to this post was: "This can't be
0:17:20.810,0:17:24.599
the president's number because if it were[br]the second call would be answered by
0:17:24.599,0:17:29.850
Iranian intelligence services. So these are[br]strange days. I suppose anything could
0:17:29.850,0:17:33.760
happen at this point."[br]So that was most of the activity that we
0:17:33.760,0:17:40.450
saw in 2009. There was a bunch of other[br]Twitter accounts with default egg, default
0:17:40.450,0:17:46.461
avatars associated with these links. You[br]can find them if you search lurl.me with
0:17:46.461,0:17:52.570
quotation marks in Google with[br]site:twitter.com. In 2010 there was absolutely
0:17:52.570,0:18:00.120
no activity on Twitter or all social media[br]associated with this URL shortener. Then, in
0:18:00.120,0:18:08.750
2011, we saw some activity in Syria for[br]this URL shortener for a similar purpose
0:18:08.750,0:18:12.620
of conducting censorship resistance in[br]Syria. And they were essentially doing the
0:18:12.620,0:18:18.100
same thing, same techniques, giving people[br]IP addresses to connect to, that you
0:18:18.100,0:18:24.019
thought that they probably are MITM'd.[br]But one of the things they did here as
0:18:24.019,0:18:28.270
well was they didn't just tweet stuff they[br]also posted a YouTube video, like a very
0:18:28.270,0:18:33.150
poorly made YouTube video with only[br]300 views to try to get people to watch
0:18:33.150,0:18:37.600
that. They didn't really try very hard[br]here because if you actually look at the
0:18:37.600,0:18:43.340
times on when these accounts tweeted,[br]all the accounts in Syria actually should
0:18:43.340,0:18:49.750
have tweeted. They only tweet between 9 to[br]5 p.m. UK time Monday to Friday.
0:18:49.750,0:19:00.070
laughter, applause[br]I mean, I think, I don't know I think
0:19:00.070,0:19:06.269
they were lazy, or they were just, they[br]didn't really bother or weren't motivated.
0:19:06.269,0:19:10.700
But one of the limitations that JTRIG has,[br]they actually had one in the leaked
0:19:10.700,0:19:15.549
documents, that they had was they had a[br]list of limitations that the staff have
0:19:15.549,0:19:19.470
when conducting its operations. And one of[br]them is that they have difficulty in
0:19:19.470,0:19:24.549
maintaining more than a small number of[br]unique multi-dimension active aliases
0:19:24.549,0:19:29.880
especially with doing online human[br]intelligence. Which is why we only see
0:19:29.880,0:19:35.130
like one main twitter account for these[br]events and then like a bunch of other kind
0:19:35.130,0:19:38.610
of default expat accounts, usually like[br]five or six. We didn't tend to see
0:19:38.610,0:19:44.460
hundreds of them you only see about less[br]than 10, because this was back in 2009,
0:19:44.460,0:19:50.270
2011. They weren't doing it in an[br]automated way. And they also said the lack
0:19:50.270,0:19:55.559
of continuity in maintaining an alias or[br]communicating via an alias if a staff
0:19:55.559,0:20:02.350
member is away and his or her work is[br]covered by others and also the other one
0:20:02.350,0:20:08.620
was lack of photographs, visual images, of[br]aliases which is why we always see like
0:20:08.620,0:20:12.280
egg or default avatars for these[br]sock puppet accounts because they can't
0:20:12.280,0:20:16.630
unless they have like a full-fledged[br]graphics team or have faces of people to
0:20:16.630,0:20:22.120
put in there and they can't really put[br]anything as avatar. They also apparently
0:20:22.120,0:20:28.220
had a lack of sufficient number and varied[br]cultural language advisors e.g. in Russian,
0:20:28.220,0:20:32.090
Arabic and Pashto which is why we see[br]here on these Twitter accounts they're
0:20:32.090,0:20:36.299
basically tweeting the same thing over and[br]over again with no variation. Here's the
0:20:36.299,0:20:40.249
same text over and over again because they[br]don't have lots of translators to
0:20:40.249,0:20:48.390
translate that.[br]The other thing we saw in 2011 was a very
0:20:48.390,0:20:54.179
targeted attack during the Bahrain[br]protests. They had a twitter account
0:20:54.179,0:21:00.490
called "Freedom4Bahrain" and this, it just[br]sent two tweets, mentioning two accounts
0:21:00.490,0:21:07.050
"14FebTV" and "14FebRevolution", and[br]these were two accounts that were,
0:21:07.050,0:21:09.470
like,[br]really big kind of social media outlets in
0:21:09.470,0:21:15.460
Bahrain that were covering the protests[br]that were going on there. And these were
0:21:15.460,0:21:21.770
targeted mentions of the kind that we saw[br]with p0ke, so, presumably also here, they
0:21:21.770,0:21:23.809
were using that to conduct Signal[br]Intelligence,
0:21:23.809,0:21:32.019
to discover who was running these two[br]accounts. In 2012 you also saw no activity
0:21:32.019,0:21:42.009
associated with that URL shortener. During 2013 I managed[br]to find one tweet related to Kenya, to the
0:21:42.009,0:21:47.340
Kenyan imposed national politics and this[br]person isn't an education sock puppet, this
0:21:47.340,0:21:52.700
person is a research assistant at the[br]Human Rights Watch. So this, but that begs
0:21:52.700,0:21:58.080
the question of how did he actually get[br]this URL? Probably a similar message to
0:21:58.080,0:22:02.720
p0ke, they probably sent him a link[br]through a private message found that
0:22:02.720,0:22:08.460
interesting and tweeted it, so not only[br]are they targeting protesters, they are
0:22:08.460,0:22:16.750
also targeting NGOs. Then, in 2013,[br]all of the infrastructure associated with
0:22:16.750,0:22:23.370
URL-shortener was shut down, this was[br]in 2013, which was a few months after the
0:22:23.370,0:22:26.790
Edward Snowden leaks, so they had a bit of[br]delay of doing it, but it must have been a
0:22:26.790,0:22:32.840
real pain in the arse for them to have to[br]renew all their infrastructure, but I did
0:22:32.840,0:22:38.340
do some digging into some of other host[br]names that were hosted on this lurl.me
0:22:38.340,0:22:44.820
server. Between 2009 and 2013, most of[br]these host names seem to be random
0:22:44.820,0:22:51.090
alphanumeric domain names, and some of[br]them are using public dynamic DNS providers
0:22:51.090,0:22:57.350
like DynDNS or DNSAlias, I wasn't able to[br]find any websites archived for these
0:22:57.350,0:23:02.039
domains, so it doesn't seem that there were[br]any websites there, but if you have any
0:23:02.039,0:23:06.250
ideas let me know, because one of the[br]things that I suspect is that these might
0:23:06.250,0:23:09.809
have been malware endpoints or command[br]control servers, that they were using, so
0:23:09.809,0:23:13.880
if you have any monitoring tools or[br]logs then maybe you should look up some of
0:23:13.880,0:23:18.759
these host names. But one of the[br]interesting domain names that I thought
0:23:18.759,0:23:25.049
was interesting there was[br]dunesadventures.net and this is the archived
0:23:25.049,0:23:27.009
page for Dunesadventures
0:23:27.009,0:23:29.440
which was another[br]website based in Kenya. They were up to
0:23:29.440,0:23:35.110
something in Kenya and it claimed that[br]they were having this was a very basic one
0:23:35.110,0:23:41.009
page website that was kind of very poorly[br]made and they claimed that they were
0:23:41.009,0:23:44.539
having site problems and apparently "we[br]have noticed problems with our booking
0:23:44.539,0:23:49.220
system, this has been taken offline until[br]our techs find the problem - we apologize
0:23:49.220,0:23:53.250
for any inconvenience". but there was never[br]any booking system in the first place,
0:23:53.250,0:23:58.270
this was just pretty much a ruse to make[br]it look like if you go to this website, a
0:23:58.270,0:24:03.360
legitimate company was hosting there. So[br]if you find anything about that, then I'd
0:24:03.360,0:24:08.139
be curious as well. Also, if there are any[br]GCHQ agents in the room then I'm
0:24:08.139,0:24:15.779
happy to get a drink with you as well.[br]That's all I have for today, does anyone
0:24:15.779,0:24:26.960
have any questions?[br]applause
0:24:26.960,0:24:41.510
(Herald) asks for questions[br](Mic Question): OK, IRC asks: Deceiving
0:24:41.510,0:24:46.350
a target into trusting you and leaking any form[br]of infos is used everywhere right now, IRC,
0:24:46.350,0:24:50.970
Twitter and Facebook and so on. How would you[br]advise people to distinguish between a
0:24:50.970,0:24:54.059
genuine identity and an undercover agent?
0:24:54.059,0:24:56.029
(Speaker): I think that's a very good[br]question because-
0:24:56.029,0:24:59.121
(H.): So just just a quick second, if you
0:24:59.121,0:25:03.400
really have to leave the room right now,[br]people, please do so quietly, we still
0:25:03.400,0:25:08.019
have a talk going on and it's really[br]disrespectful if you make that much noise
0:25:08.019,0:25:13.190
and interrupt this whole thing.[br]applause
0:25:13.190,0:25:17.300
I know a lot of people are interested in[br]the talk afterwards but we'll all get you
0:25:17.300,0:25:18.300
in and sorry.
0:25:18.300,0:25:23.309
(S.): So I think it was a very good question[br]because if you're conducting, if you're
0:25:23.309,0:25:26.990
doing activism online and you need to be[br]anonymous and you don't want to meet up
0:25:26.990,0:25:30.450
with people in person, then how do you[br]know that the people you're communicating
0:25:30.450,0:25:34.350
with, or if you are like in a public group[br]where you personally accept new members
0:25:34.350,0:25:39.490
into that group, how can you put, how do[br]you know or kind of differentiate between
0:25:39.490,0:25:44.299
who's actually there to harm your group or[br]who's actually there to contribute? I
0:25:44.299,0:25:51.250
think the answer there lies in, what you[br]share. Don't share information that comes
0:25:51.250,0:25:55.690
with anyone that could potentially put you[br]at harm, even with people that you trust,
0:25:55.690,0:25:59.409
so essentially don't trust anyone and[br]this is a basic opsec rule. This is
0:25:59.409,0:26:06.799
how Jeremy Hammond messed up a few years[br]ago, because they caught him, because he
0:26:06.799,0:26:11.259
was revealing too much information about[br]his life, like where where he eats or
0:26:11.259,0:26:18.759
something like that or his previous drug[br]records and they were able to use that to
0:26:18.759,0:26:22.940
kind of figure out who he was and that was[br]the same mistake that p0ke made, he was
0:26:22.940,0:26:30.299
too open and friendly to that agent for no[br]reason. So I think the kind of answer is
0:26:30.299,0:26:34.590
to do your operations in a way where you[br]don't have to trust people.
0:26:34.590,0:26:40.409
(Mic Question): "How effective do you
0:26:40.409,0:26:45.350
think these methods are, because we've[br]seen the number of followers on Twitter
0:26:45.350,0:26:50.350
and the number of views on YouTube were[br]very low so, how much people can, is
0:26:50.350,0:26:51.970
affected by this kind of operations"
0:26:51.970,0:26:57.730
(S.): Yes, so there was also a slide I[br]meant to put in there, that was leaked page
0:26:57.730,0:27:03.110
another leaked page from GCHQ that had a[br]list of bullet points on what they
0:27:03.110,0:27:07.370
considered to be an effective operation[br]and some of those bullet points include
0:27:07.370,0:27:11.929
how many people click that link, how many[br]people, how many people watch the YouTube
0:27:11.929,0:27:15.120
video, etc, so it's pretty much the same[br]ways that you would measure it how many
0:27:15.120,0:27:19.889
people viewed a specific message. Now in[br]their specific use cases I don't think
0:27:19.889,0:27:23.820
they were very successful on a large[br]scale, specifically in Iran protests
0:27:23.820,0:27:27.499
because the Twitter accounts had very few[br]followers and their YouTube videos only
0:27:27.499,0:27:33.279
had a few hundred views but they might[br]have been, obviously, more successful in
0:27:33.279,0:27:37.039
more target cases when targeting specific[br]individuals by doing the Bahrain case or
0:27:37.039,0:27:38.039
the p0ke case.
0:27:38.039,0:27:39.610
(H.): over there please.
0:27:39.610,0:27:45.220
(Mic Question): Sure, thank you, so I'm[br]just curious if you were familiar with the
0:27:45.220,0:27:49.730
work of Erin Gallagher, she's done work to[br]try to figure out, kind of quantitatively
0:27:49.730,0:27:52.809
and make these visualizations, to try to[br]figure out if a particular Twitter account
0:27:52.809,0:27:57.279
for example is a bot or whether it's a[br]person and there's some you know rules of
0:27:57.279,0:28:00.499
thumb regarding like, you know if the bots[br]just kind of interact with each other and
0:28:00.499,0:28:01.909
don't react, don't interact with real[br]people
0:28:01.909,0:28:07.340
I'm just curious what, what techniques you[br]may know of to, to figure out you know
0:28:07.340,0:28:10.539
what is a bot and what is not and whether[br]you are familiar with those particular
0:28:10.539,0:28:11.559
lines of a research.
0:28:11.559,0:28:16.960
(S.): I'm not familiar with with their[br]work, but thank you all check out. In terms
0:28:16.960,0:28:24.140
of what kind of metrics that you could use[br]or to use to see if an account is valid or
0:28:24.140,0:28:29.720
not, I mean, I think, I guess they're,[br]their tweeting kind of, habits and when
0:28:29.720,0:28:34.010
they tweet for example could be[br]indicative, so for example we saw this
0:28:34.010,0:28:38.251
person only tweet at 9 to 5. Obviously[br]that's quite easy to make that it's on the
0:28:38.251,0:28:44.120
case and also I think one useful things[br]might be might be interesting to do, is
0:28:44.120,0:28:50.879
try to map the network of these accounts.[br]If you like build up like a web of
0:28:50.879,0:28:55.909
followers, that you might be able to very[br]easy for graphically detect, very obvious
0:28:55.909,0:28:59.100
clusters for accounts that are following[br]each other, to be to be very signal.
0:28:59.100,0:29:01.370
(Mic): Yeah for sure, thank you.
0:29:01.370,0:29:04.440
(H.) Let's switch over to mic 6 please
0:29:04.460,0:29:05.309
(Mic 6 question): Thank you for the-
0:29:05.309,0:29:11.580
thank you for the great talk, how would[br]you compare the former British activities
0:29:11.580,0:29:18.149
to the current Russian activities, maybe a[br]talk in itself, but...
0:29:18.149,0:29:20.429
(S.) To be honest, I haven't been digging
0:29:20.429,0:29:23.919
too deep in the details or following too[br]much about the Russian activities, so I
0:29:23.919,0:29:26.860
can't really comment about that, I don't[br]know how prolific it is, I only mentioned
0:29:26.860,0:29:31.760
it briefly in the beginning of the slides[br]because it was to give some context, so
0:29:31.760,0:29:34.370
I'll have to research more to the Russian[br]activities.
0:29:34.370,0:29:39.020
(H.) Go to mic 5 again
0:29:39.020,0:29:42.140
(Mic 5 Question): Thanks, to continue
0:29:42.140,0:29:51.830
from the person who spoke, that would have[br]been my question. So, just to add up onto
0:29:51.830,0:29:58.860
that, did you stumble upon similar[br]patterns coming from say Canberra or a
0:29:58.860,0:30:00.230
Washington DC?
0:30:00.230,0:30:05.440
(S.): So these accounts were very[br]specific to just to the UK expressions,
0:30:05.440,0:30:09.280
there was no kind of collaboration there[br]with other countries within the five eyes,
0:30:09.280,0:30:15.200
like the US or Australia, but I think they[br]might have,
0:30:15.200,0:30:19.120
GCHQ I think has collaborated with the NSA
0:30:19.120,0:30:23.060
JTRIG specifically I think has collaborated[br]before with the NSA to delegitimize
0:30:23.060,0:30:27.929
certain people. So for example[br]we saw during a few years ago or last year
0:30:27.929,0:30:34.230
I think there was a drone attack, someone[br]was illegally killed in a drone strike in
0:30:34.230,0:30:40.220
Iraq, he was suspected to be an ISIS[br]member, Junaid Hussain, and apparently the
0:30:40.220,0:30:45.299
way that he was deanonymized or the way they[br]found this location is that the US, the
0:30:45.299,0:30:49.269
FBI specifically, had an informant that was[br]talking to this person and that informant
0:30:49.269,0:30:53.480
sent them and sent them a link that was[br]generated by GCHQ and then since that link
0:30:53.480,0:30:56.710
they were able to deanonymize them so I[br]think there's some collaboration there but
0:30:56.710,0:30:59.110
this is mostly UK activity.
0:30:59.110,0:31:04.315
(H.): Last question, we are out of time.[br]Thank you again, Mustafa. applause
0:31:04.315,0:31:31.940
subtitles created by c3subtitles.de[br]in the year 2019. Join, and help us!