1
00:00:00,000 --> 00:00:15,005
34c3 intro
2
00:00:15,005 --> 00:00:21,070
Herald: All right, it's my great pleasure
to introduce to you Mustafa Al-Bassam.
3
00:00:21,090 --> 00:00:26,500
He's gonna talk about uncovering British
spies' web of sockpuppet social media
4
00:00:26,500 --> 00:00:31,720
personas. Mustafa is a PhD student at the
University College in London, studying
5
00:00:31,730 --> 00:00:37,329
information security and focusing on
decentralized systems. Mustafa was a co-
6
00:00:37,329 --> 00:00:43,921
founder of LulzSec, a hacker activist
group some of you might have heard of, and
7
00:00:43,921 --> 00:00:48,339
with that, please give a warm applause to
Mustafa.
8
00:00:48,339 --> 00:00:55,469
applause
9
00:00:55,469 --> 00:00:57,920
Mustafa Al-Bassam: Hey. So it seems that
10
00:00:57,920 --> 00:01:02,489
over the past year we've had a lot in the
media about this kind of idea that the
11
00:01:02,489 --> 00:01:06,070
people that you interact with on Twitter
and Facebook and other kinds of social
12
00:01:06,070 --> 00:01:11,580
media are not necessarily who they say
they are, and sometimes they
13
00:01:11,590 --> 00:01:16,329
might not even be people at all. They
might be bots. And we've heard about how
14
00:01:16,329 --> 00:01:21,009
this might be used to manipulate people
into believing certain things or certain
15
00:01:21,009 --> 00:01:26,189
ideas. And this has become quite a big
topic recently, especially after the U.S.
16
00:01:26,189 --> 00:01:32,159
presidential elections in 2016, where
according to one study, up to one in five
17
00:01:32,159 --> 00:01:36,030
election-related tweets weren't actually
from real people. And apparently
18
00:01:36,030 --> 00:01:40,759
it's such a big problem that even the
president is being manipulated by, to say,
19
00:01:40,759 --> 00:01:46,250
bots. But, this has been a kind of
activity that has been going on for a very
20
00:01:46,250 --> 00:01:49,119
long time, and not just from Russia or
China.
21
00:01:49,119 --> 00:01:53,869
The West also engages in these kinds of
activities including the UK and the US,
22
00:01:53,869 --> 00:02:00,799
but in other kinds, in other regions. So,
today I'm talking about what Britain does
23
00:02:00,799 --> 00:02:08,038
in this regard. So, in the UK we have an
NSA-equivalent intelligence agency called
24
00:02:08,038 --> 00:02:13,280
GCHQ or Government Communications
Headquarters. And their job is basically
25
00:02:13,280 --> 00:02:20,500
like the UK's version of the NSA: to
collect as much information as possible
26
00:02:20,500 --> 00:02:26,080
through wiretaps and mass surveillance
systems. But they also have a subgroup or
27
00:02:26,080 --> 00:02:31,360
subteam within GCHQ called the Joint
Threat Research Intelligence Group or
28
00:02:31,360 --> 00:02:36,420
JTRIG for short. And what these guys
basically do is, it's basically a fancy
29
00:02:36,420 --> 00:02:40,970
name for sitting on Twitter and Facebook
all day and trolling online. What they do is
30
00:02:40,970 --> 00:02:44,860
they conduct what they call Human
Intelligence, which is kind of like the
31
00:02:44,860 --> 00:02:49,840
act of interacting with humans online to
try to make something happen in the real
32
00:02:49,840 --> 00:02:54,390
world. And in their own words one of their
missions is to use "dirty tricks" to
33
00:02:54,390 --> 00:03:00,150
"destroy, deny, degrade and disrupt
enemies" by "discrediting" them. And we've
34
00:03:00,150 --> 00:03:05,400
seen that JTRIG has been involved in various
campaigns and operations, including
35
00:03:05,400 --> 00:03:10,090
targeting hacktivist groups like Anonymous
and LulzSec, and also protests in the
36
00:03:10,090 --> 00:03:14,510
Middle East, during the Arab Spring and
also the Iranian protests in 2009.
37
00:03:14,510 --> 00:03:20,620
So, a bit of context to what led me to
uncover this stuff and to actually
38
00:03:20,620 --> 00:03:24,930
research this stuff. So in 2011, I was
involved with the hacktivist
39
00:03:24,930 --> 00:03:29,510
group LulzSec. And to refresh your memory,
LulzSec was a group that existed during
40
00:03:29,510 --> 00:03:34,650
the summer of 2011 and hacked into a bunch
of US corporate and government
41
00:03:34,650 --> 00:03:40,211
organizations, like the US Senate, their
affiliates and Sony and Fox. And in the
42
00:03:40,211 --> 00:03:46,180
same year I was arrested, and a year later
I was officially indicted on a court
43
00:03:46,180 --> 00:03:50,680
indictment. But the thing that struck me
about this indictment was that there was
44
00:03:50,680 --> 00:03:55,130
absolutely no mention in this court
document about how they managed to
45
00:03:55,130 --> 00:04:01,130
deanonymize me and my co-defendants. Or
how they managed to actually link our
46
00:04:01,130 --> 00:04:06,820
online identities with offline identities.
And I thought it was suspicious because
47
00:04:06,820 --> 00:04:15,010
our US counterparts, actually, their court
indictments had very lengthy sections on
48
00:04:15,010 --> 00:04:20,540
how they were caught. For example, when
the FBI arrested Jeremy Hammond, his court
49
00:04:20,540 --> 00:04:25,150
indictment had very detailed
information about how those guys social
50
00:04:25,150 --> 00:04:28,540
engineered him and managed to track him
through his IP address and through Tor and
51
00:04:28,540 --> 00:04:33,600
whatnot. But then, fast forward a year
later, Edward Snowden started leaking
52
00:04:33,600 --> 00:04:39,470
documents about the NSA and GCHQ, and then
in 2014, one of those documents or some of
53
00:04:39,470 --> 00:04:45,600
those documents were released on NBC that
showed that GCHQ was targeting hacktivist
54
00:04:45,600 --> 00:04:49,850
groups like Anonymous and LulzSec. And
that makes a lot of sense in my head.
55
00:04:49,850 --> 00:04:55,820
Because if GCHQ was involved in this
deanonymization process, then they
56
00:04:55,820 --> 00:04:59,410
wouldn't want to have that in the court
indictment, because it would reveal the
57
00:04:59,410 --> 00:05:03,830
operational techniques.
And this is one of the leaked slides from
58
00:05:03,830 --> 00:05:09,870
GCHQ talking about some of the activist
groups they target. One of the people
59
00:05:09,870 --> 00:05:17,460
they targeted was someone who went by the
nickname of "p0ke", who was chatting in an
60
00:05:17,460 --> 00:05:25,220
IRC channel, a public chat network. And
this was a public chatting channel where
61
00:05:25,220 --> 00:05:30,520
people from Anonymous and other kinds of
hacktivists kind of sit and chat about
62
00:05:30,520 --> 00:05:38,580
various topics and also plan operations.
And this person "p0ke" was chatting on
63
00:05:38,580 --> 00:05:47,490
this channel and boasted that they had a
list of 700 FBI agents' emails and phone
64
00:05:47,490 --> 00:05:55,050
numbers and names. And then it turned out
that a GCHQ agent was covertly in this
65
00:05:55,050 --> 00:06:00,950
channel observing what people were saying.
And then the GCHQ agent initiated a
66
00:06:00,950 --> 00:06:05,510
private message with this person to kind
of get more information and to try to
67
00:06:05,510 --> 00:06:12,210
build a relationship with this person. And
the agent asked them what was the site and
68
00:06:12,210 --> 00:06:16,490
then they just gave that information up
and they even gave them a sample of some
69
00:06:16,490 --> 00:06:22,560
of the leaked information. So it turns out
that actually GCHQ was active in these IRC
70
00:06:22,560 --> 00:06:30,930
networks and chat networks for months if
not years and they were in up to several
71
00:06:30,930 --> 00:06:35,590
hundred channels at a time. They were just
sitting there idling. They weren't really
72
00:06:35,590 --> 00:06:41,450
saying much or actually participating in
conversation, except that every few months
73
00:06:41,450 --> 00:06:46,270
you might notice them say "hey" or "lol"
in the chat even though it might be out of
74
00:06:46,270 --> 00:06:49,360
context of the conversation that was going
on, presumably so that they wouldn't get
75
00:06:49,360 --> 00:06:53,520
kicked off the network because some
networks kick you off if you're idling
76
00:06:53,520 --> 00:06:58,419
there for too long. And then often what
they would do is they would private
77
00:06:58,419 --> 00:07:03,139
message people in rooms to try and
corroborate information about activities
78
00:07:03,139 --> 00:07:07,139
that were going on and being discussed or
trying to entrap people by getting them to
79
00:07:07,139 --> 00:07:13,260
admit to things as we saw with p0ke.
And it seemed to be quite a common theme
80
00:07:13,260 --> 00:07:19,470
that these undercover feds and agents were
sitting in these chat rooms. In the
81
00:07:19,470 --> 00:07:26,389
Europol meeting in 2011, where 15 European
countries were discussing what they were
82
00:07:26,389 --> 00:07:31,710
doing to tackle Anonymous and LulzSec,
apparently there were certainly undercover
83
00:07:31,710 --> 00:07:36,520
cops in these channels that had an issue
with undercover cops investigating each
84
00:07:36,520 --> 00:07:40,990
other.
laughter
85
00:07:40,990 --> 00:07:53,280
So the GCHQ agent that was targeting p0ke
sent them a link to a BBC news article
86
00:07:53,280 --> 00:08:01,870
about hacktivists. And, according to this
leaked slide, this link enabled GCHQ to
87
00:08:01,870 --> 00:08:08,610
conduct signal intelligence to discover
p0ke's real name, Facebook and email
88
00:08:08,610 --> 00:08:14,530
accounts etc. It doesn't say exactly how
they did that, but it's not that hard if
89
00:08:14,530 --> 00:08:20,830
they have your IP address and user agent.
Back then, in 2011, most websites weren't
90
00:08:20,830 --> 00:08:25,490
using HTTPS, including Facebook, so if
they look up your IP address in XKeyscore
91
00:08:25,490 --> 00:08:29,520
or the dragnet surveillance system, they
can easily see what other traffic is
92
00:08:29,520 --> 00:08:35,010
originating from that IP address, and what
Facebook accounts are connected to that IP
93
00:08:35,010 --> 00:08:41,948
address for example. But in this
slide leaked by NBC the URL was redacted,
94
00:08:41,948 --> 00:08:46,399
but it wasn't very hard to actually find
that URL, because these were public
95
00:08:46,399 --> 00:08:51,029
channels that GCHQ agents were talking in,
and people had been targeted
96
00:08:51,029 --> 00:08:56,470
themselves, including myself. We were able
to find out what that URL shortener was
97
00:08:56,470 --> 00:09:01,589
I mean what that website was, which
turned out to be a URL shortener, so
98
00:09:01,589 --> 00:09:09,949
the website that was sent to p0ke to click
was "lurl.me" and according to
99
00:09:09,949 --> 00:09:16,950
archive.org, here is a snapshot from
"lurl.me" in 2013, just before it went
100
00:09:16,950 --> 00:09:21,279
offline, that basically showed it was a
URL shortening service, it looks like a
101
00:09:21,279 --> 00:09:28,170
generic URL shortening service. One thing
I noticed is, the domain name sounds
102
00:09:28,170 --> 00:09:32,820
like "lure me" which is basically what
they were doing,
103
00:09:32,820 --> 00:09:41,119
because JTRIG had this internal wiki
where they listed all the tech tools and
104
00:09:41,119 --> 00:09:47,149
techniques that they use in the operations
and one of the categories that they have
105
00:09:47,149 --> 00:09:54,999
is "shaping and honey pots" and in that
category they have a tool code named
106
00:09:54,999 --> 00:09:59,200
Deadpool which is described as a URL
shortening service and that's what
107
00:09:59,200 --> 00:10:07,970
"lurl.me" was. We first saw "lurl.me" in
2009 - the domain name was registered in
108
00:10:07,970 --> 00:10:16,040
2009 - and almost immediately it was
linked to tweets about Iranian protests,
109
00:10:16,040 --> 00:10:21,679
and then it went offline in 2013, shortly
after the Edward Snowden leaks, in November,
110
00:10:21,679 --> 00:10:26,089
but interestingly, if you look up all of the
instances of this URL shortener being used
111
00:10:26,089 --> 00:10:30,209
in social media and Twitter there's
probably about 100-200 instances of it
112
00:10:30,209 --> 00:10:36,040
being used and every single one of those
instances where it was used it was
113
00:10:36,040 --> 00:10:42,829
associated with political activity
in the Middle East or Africa, usually
114
00:10:42,829 --> 00:10:49,270
protests. And the majority, the most
common ones, were coming from default
115
00:10:49,270 --> 00:10:54,220
Twitter accounts with no avatar, with very
few tweets and they're accounts that were
116
00:10:54,220 --> 00:10:59,689
active for only a few months between 2009
and 2013.
117
00:10:59,689 --> 00:11:05,589
One of the techniques, or some of the
techniques that JTRIG used, in their own
118
00:11:05,589 --> 00:11:09,680
words to conduct their operations
include uploading YouTube videos
119
00:11:09,680 --> 00:11:13,720
containing persuasive messaging,
establishing online aliases with Facebook
120
00:11:13,720 --> 00:11:18,970
and Twitter accounts, blogs and forum
memberships for conducting human
121
00:11:18,970 --> 00:11:23,129
intelligence, or encouraging discussion on
specific issues, sending spoof emails and
122
00:11:23,129 --> 00:11:28,189
text messages as well as providing spoof
online resources, and setting up spoof
123
00:11:28,189 --> 00:11:34,850
trade sites. And this is exactly what we're
going to see in the next few slides and in
124
00:11:34,850 --> 00:11:39,749
most examples that they use for the
operations, they actually targeted the
125
00:11:39,749 --> 00:11:44,950
entire general population of Iran which is
a pretty big target audience of 80 million
126
00:11:44,950 --> 00:11:48,279
people. According to them,
they had several goals in Iran:
127
00:11:48,279 --> 00:11:53,389
the first goal was to discredit the
Iranian leadership and its nuclear program
128
00:11:53,389 --> 00:11:57,469
Second goal was to delay and disrupt
online access to materials used in the
129
00:11:57,469 --> 00:12:00,059
nuclear program. Third goal was
conducting online Human
130
00:12:00,079 --> 00:12:02,739
Intelligence and the fourth goal was the most
131
00:12:02,739 --> 00:12:07,589
interesting goal in my opinion: counter
censorship. It might sound great,
132
00:12:07,589 --> 00:12:12,769
it might almost sound like GCHQ is
kind of aligned with the motives of the
133
00:12:12,769 --> 00:12:16,480
Internet freedom community by helping
these Iranian activists to evade
134
00:12:16,480 --> 00:12:18,929
censorship.
But we're gonna see it's not really the
135
00:12:18,929 --> 00:12:24,550
case. The main kind of sock puppet
account on Twitter that
136
00:12:24,550 --> 00:12:32,009
JTRIG was running during this campaign in
2009 was called
137
00:12:32,009 --> 00:12:36,519
"2009 Iran free".
This was the most kind of active Twitter
138
00:12:36,519 --> 00:12:41,679
account that they had, and it had 216 tweets,
and they also had kind of like a bunch
139
00:12:41,679 --> 00:12:46,499
of other accounts that were less active
that had default avatars probably just to
140
00:12:46,499 --> 00:12:51,389
kind of, kind of build up their social
network that mostly retweeted things,
141
00:12:51,389 --> 00:12:57,509
retweeted the same things as the main
account, but slightly reworded, or even the same as
142
00:12:57,509 --> 00:13:00,050
them.
And what this Twitter account essentially
143
00:13:00,050 --> 00:13:07,449
did was, in quick succession over a period
of like one or two weeks, tweet a bunch
144
00:13:07,449 --> 00:13:12,920
of links from this URL shortener
to various articles
145
00:13:12,920 --> 00:13:20,319
on blogs online and they also had actually
a blogspot website with like one article
146
00:13:20,319 --> 00:13:28,709
to kind of expand their network I guess.
One of the activities that 2009 Iran free
147
00:13:28,709 --> 00:13:35,730
and the other sock puppets were doing
was they were kind of trying to spread the
148
00:13:35,730 --> 00:13:42,269
same IP addresses as proxies to Iranians
to use for counter-censorship. So for
149
00:13:42,269 --> 00:13:48,389
example you can see that they have a list
of IP addresses here with hashtags like
150
00:13:48,389 --> 00:13:52,269
"Iran election" that they can use for
protests, and they might sometimes
151
00:13:52,269 --> 00:14:01,899
feed links to these proxies
using that URL shortener. And this
152
00:14:01,899 --> 00:14:07,329
is quite concerning because, well, one of
the tools used by JTRIG is also called
153
00:14:07,329 --> 00:14:12,639
codenamed Molten Magma, which is basically
an HTTP proxy with the ability to log all
154
00:14:12,639 --> 00:14:16,910
traffic and perform HTTPS man-in-the-
middle because, again, they were
155
00:14:16,910 --> 00:14:20,429
spreading exactly the same IP addresses. All
of these sock puppet accounts
156
00:14:20,429 --> 00:14:26,009
were spreading exactly the same IP
addresses and same links to Iranians to
157
00:14:26,009 --> 00:14:33,119
help them, or to allegedly help them,
evade censorship. And they were
158
00:14:33,119 --> 00:14:37,569
even claiming that these were the same
proxies used by the Iranian government to
159
00:14:37,569 --> 00:14:41,249
get around their own firewalls so if they,
apparently if they block these proxies
160
00:14:41,249 --> 00:14:45,619
they will block their own access to the
outside world.
161
00:14:45,619 --> 00:14:50,519
And this is essentially what they are
doing here. In this kind of context GCHQ
162
00:14:50,519 --> 00:14:54,610
is kind of acting like the big bad wolf
from Red Riding Hood. It might seem like
163
00:14:54,610 --> 00:15:02,319
they're helping you but they're also
causing you harm in the process.
164
00:15:02,319 --> 00:15:06,629
And this is a list that
contains some of the techniques
165
00:15:06,629 --> 00:15:13,319
that JTRIG used. This was also a leaked
document and this essentially kills two
166
00:15:13,319 --> 00:15:18,360
birds with one stone, because what they do is
at the bottom it says one technique is
167
00:15:18,360 --> 00:15:22,370
hosting targets' online communications for
collecting signal intelligence as we saw
168
00:15:22,370 --> 00:15:27,120
with p0ke and which is why they tweet
these links using URL shortener so they
169
00:15:27,120 --> 00:15:32,429
can conduct signal intelligence on people
who are interested in clicking these
170
00:15:32,429 --> 00:15:38,839
things, and also providing online access
to uncensored materials and sending instant
171
00:15:38,839 --> 00:15:42,759
messages to specific individuals giving
them instructions for accessing uncensored
172
00:15:42,759 --> 00:15:47,120
websites.
One of the forums that these proxies were
173
00:15:47,120 --> 00:15:53,939
posted in was whyweprotest.net and someone
actually kind of almost got it right.
174
00:15:53,939 --> 00:15:56,779
Someone asked: "Why does the government use
proxies? That doesn't make any sense, they
175
00:15:56,779 --> 00:15:59,509
wouldn't need any proxies." And then
someone replied: "The Iranian government
176
00:15:59,509 --> 00:16:03,999
allegedly has set up proxies to monitor
connections from within Iran to be
177
00:16:03,999 --> 00:16:08,100
able to pinpoint the people who are trying
to bypass these blocks." So they're almost
178
00:16:08,100 --> 00:16:10,569
right because it wasn't the Iranian
government that was actually monitoring
179
00:16:10,569 --> 00:16:18,760
connections in Iran. It was GCHQ.
They also set up, I guess, basic
180
00:16:18,760 --> 00:16:25,529
websites that basically acted as RSS
feeds to English websites about Iran,
181
00:16:25,529 --> 00:16:29,629
presumably also for counter
censorship reasons. One of the other
182
00:16:29,629 --> 00:16:34,889
things they did was mimic government
officials. So for example they might
183
00:16:34,889 --> 00:16:39,980
post in a forum saying: "Attention users
outside Iran, you can call the president
184
00:16:39,980 --> 00:16:43,839
at this number to discuss the elections
direct." And they were hesitant that you
185
00:16:43,839 --> 00:16:49,829
should not call this number if you are in
Iran. And then they will also give an
186
00:16:49,829 --> 00:16:55,670
email address for the vice president on
Twitter.
187
00:16:55,670 --> 00:17:00,370
This also matches up with another
technique that JTRIG uses, again according
188
00:17:00,370 --> 00:17:06,549
to the leaked documents, where they send
spoof emails and text messages from a fake
189
00:17:06,549 --> 00:17:11,669
person or mimicking a real person to
discredit, promote distrust, dissuade,
190
00:17:11,669 --> 00:17:16,829
deceive, deter, delay or disrupt. Whatever
the purpose was, they certainly managed to
191
00:17:16,829 --> 00:17:20,810
promote distrust because one of the
replies to this post was: "This can't be
192
00:17:20,810 --> 00:17:24,599
the president's number because if it were
the second call would be answered by
193
00:17:24,599 --> 00:17:29,850
Iranian intelligence services. So these are
strange days. I suppose anything could
194
00:17:29,850 --> 00:17:33,760
happen at this point."
So that was most of the activity that we
195
00:17:33,760 --> 00:17:40,450
saw in 2009. There was a bunch of other
Twitter accounts with default egg, default
196
00:17:40,450 --> 00:17:46,461
avatars associated with these links. You
can find them if you search lurl.me with
197
00:17:46,461 --> 00:17:52,570
quotation marks in Google with
site:twitter.com. In 2010 there was absolutely
198
00:17:52,570 --> 00:18:00,120
no activity on Twitter or any social media
associated with this URL shortener. Then, in
199
00:18:00,120 --> 00:18:08,750
2011, we saw some activity in Syria for
this URL shortener for a similar purpose
200
00:18:08,750 --> 00:18:12,620
of conducting censorship resistance in
Syria. And they were essentially doing the
201
00:18:12,620 --> 00:18:18,100
same thing, same techniques, giving people
IP addresses to connect to, that you
202
00:18:18,100 --> 00:18:24,019
would think were probably MITM'd.
But one of the things they did here as
203
00:18:24,019 --> 00:18:28,270
well was they didn't just tweet stuff they
also posted a YouTube video, like a very
204
00:18:28,270 --> 00:18:33,150
poorly made YouTube video with only
300 views to try to get people to watch
205
00:18:33,150 --> 00:18:37,600
that. They didn't really try very hard
here because if you actually look at the
206
00:18:37,600 --> 00:18:43,340
times when these accounts tweeted,
all the accounts that were supposedly in Syria
207
00:18:43,340 --> 00:18:49,750
only tweeted between 9 a.m. and
5 p.m. UK time, Monday to Friday.
208
00:18:49,750 --> 00:19:00,070
laughter, applause
I mean, I think, I don't know I think
209
00:19:00,070 --> 00:19:06,269
they were lazy, or they were just, they
didn't really bother or weren't motivated.
210
00:19:06,269 --> 00:19:10,700
But one of the limitations that JTRIG has,
they actually had, in the leaked
211
00:19:10,700 --> 00:19:15,549
documents, a
list of limitations that the staff have
212
00:19:15,549 --> 00:19:19,470
when conducting its operations. And one of
them is that they have difficulty in
213
00:19:19,470 --> 00:19:24,549
maintaining more than a small number of
unique multi-dimensional active aliases
214
00:19:24,549 --> 00:19:29,880
especially with doing online human
intelligence. Which is why we only see
215
00:19:29,880 --> 00:19:35,130
like one main twitter account for these
events and then like a bunch of other kind
216
00:19:35,130 --> 00:19:38,610
of default egg accounts, usually like
five or six. We didn't tend to see
217
00:19:38,610 --> 00:19:44,460
hundreds of them, you only see less
than 10, because this was back in 2009,
218
00:19:44,460 --> 00:19:50,270
2011. They weren't doing it in an
automated way. And they also said the lack
219
00:19:50,270 --> 00:19:55,559
of continuity in maintaining an alias or
communicating via an alias if a staff
220
00:19:55,559 --> 00:20:02,350
member is away and his or her work is
covered by others. And the other one
221
00:20:02,350 --> 00:20:08,620
was lack of photographs, visual images, of
aliases which is why we always see like
222
00:20:08,620 --> 00:20:12,280
egg or default avatars for these
sock puppet accounts, because they can't,
223
00:20:12,280 --> 00:20:16,630
unless they have like a full-fledged
graphics team or have faces of people to
224
00:20:16,630 --> 00:20:22,120
put in there, they can't really put
anything as an avatar. They also apparently
225
00:20:22,120 --> 00:20:28,220
had a lack of a sufficient number of varied
cultural and language advisors, e.g. in Russian,
226
00:20:28,220 --> 00:20:32,090
Arabic and Pashto which is why we see
here on these Twitter accounts they're
227
00:20:32,090 --> 00:20:36,299
basically tweeting the same thing over and
over again with no variation. Here's the
228
00:20:36,299 --> 00:20:40,249
same text over and over again because they
don't have lots of translators to
229
00:20:40,249 --> 00:20:48,390
translate that.
The other thing we saw in 2011 was a very
230
00:20:48,390 --> 00:20:54,179
targeted attack during the Bahrain
protests. They had a twitter account
231
00:20:54,179 --> 00:21:00,490
called 'Freedom4Bahrain', and it just
sent two tweets, mentioning two accounts
232
00:21:00,490 --> 00:21:07,050
"14FebTV" and "14FebRevolution", and
these were two accounts that were,
233
00:21:07,050 --> 00:21:09,470
like,
really big kind of social media outlets in
234
00:21:09,470 --> 00:21:15,460
Bahrain that were covering the protests
that were going on there. And these were
235
00:21:15,460 --> 00:21:21,770
targeted mentions of the kind that we saw
with p0ke, so, presumably also here, they
236
00:21:21,770 --> 00:21:23,809
were using that to conduct Signal
Intelligence,
237
00:21:23,809 --> 00:21:32,019
to discover who was running these two
accounts. In 2012 you also saw no activity
238
00:21:32,019 --> 00:21:42,009
associated with that URL shortener. During 2013 I managed
to find one tweet related to Kenya, to the
239
00:21:42,009 --> 00:21:47,340
Kenyan national politics, and this
person isn't a sock puppet, this
240
00:21:47,340 --> 00:21:52,700
person is a research assistant at
Human Rights Watch. But that begs
241
00:21:52,700 --> 00:21:58,080
the question of how did he actually get
this URL? Probably a similar message to
242
00:21:58,080 --> 00:22:02,720
p0ke, they probably sent him a link
through a private message, he found that
243
00:22:02,720 --> 00:22:08,460
interesting and tweeted it, so not only
are they targeting protesters, they are
244
00:22:08,460 --> 00:22:16,750
also targeting NGOs. Then, in 2013,
all of the infrastructure associated with
245
00:22:16,750 --> 00:22:23,370
the URL shortener was taken offline, this was
in 2013, which was a few months after the
246
00:22:23,370 --> 00:22:26,790
Edward Snowden leaks, so they had a bit of
delay of doing it, but it must have been a
247
00:22:26,790 --> 00:22:32,840
real pain in the arse for them to have to
renew all their infrastructure, but I did
248
00:22:32,840 --> 00:22:38,340
do some digging into some of the other host
names that were hosted on this lurl.me
249
00:22:38,340 --> 00:22:44,820
server. Between 2009 and 2013, most of
these host names seem to be random
250
00:22:44,820 --> 00:22:51,090
alphanumeric domain names, and some of
them were using public dynamic DNS providers
251
00:22:51,090 --> 00:22:57,350
like DynDNS or DNSAlias, I wasn't able to
find any websites archived for these
252
00:22:57,350 --> 00:23:02,039
domains, so it doesn't seem that there were
any websites there, but if you have any
253
00:23:02,039 --> 00:23:06,250
ideas let me know, because one of the
things that I suspect is that these might
254
00:23:06,250 --> 00:23:09,809
have been malware endpoints or command and
control servers that they were using, so
255
00:23:09,809 --> 00:23:13,880
if you have any monitoring tools or
logs then maybe you should look up some of
256
00:23:13,880 --> 00:23:18,759
these host names. But one of the
domain names that I thought
257
00:23:18,759 --> 00:23:25,049
was interesting there was
dunesadventures.net and this is the archived
258
00:23:25,049 --> 00:23:27,009
page for Dunesadventures
259
00:23:27,009 --> 00:23:29,440
which was another
website based in Kenya. They were up to
260
00:23:29,440 --> 00:23:35,110
something in Kenya. This was a very basic
one-page website that was kind of very poorly
261
00:23:35,110 --> 00:23:41,009
made, and they claimed that they were
262
00:23:41,009 --> 00:23:44,539
having site problems and apparently "we
have noticed problems with our booking
263
00:23:44,539 --> 00:23:49,220
system, this has been taken offline until
our techs find the problem - we apologize
264
00:23:49,220 --> 00:23:53,250
for any inconvenience." But there was never
any booking system in the first place,
265
00:23:53,250 --> 00:23:58,270
this was just pretty much a ruse to make
it look like if you go to this website, a
266
00:23:58,270 --> 00:24:03,360
legitimate company was hosting there. So
if you find anything about that, then I'd
267
00:24:03,360 --> 00:24:08,139
be curious as well. Also, if there are any
GCHQ agents in the room, then I'm
268
00:24:08,139 --> 00:24:15,779
happy to get a drink with you as well.
That's all I have for today, does anyone
269
00:24:15,779 --> 00:24:26,960
have any questions?
applause
270
00:24:26,960 --> 00:24:41,510
(Herald) asks for questions
(Mic Question): OK, IRC asks: Deceiving
271
00:24:41,510 --> 00:24:46,350
a target into trusting you and leaking any form
of info is used everywhere right now: IRC,
272
00:24:46,350 --> 00:24:50,970
Twitter and Facebook and so on. How would you
advise people to distinguish between a
273
00:24:50,970 --> 00:24:54,059
genuine identity and an undercover agent?
274
00:24:54,059 --> 00:24:56,029
(Speaker): I think that's a very good
question because-
275
00:24:56,029 --> 00:24:59,121
(H.): So just a quick second, if you
276
00:24:59,121 --> 00:25:03,400
really have to leave the room right now,
people, please do so quietly, we still
277
00:25:03,400 --> 00:25:08,019
have a talk going on and it's really
disrespectful if you make that much noise
278
00:25:08,019 --> 00:25:13,190
and interrupt this whole thing.
applause
279
00:25:13,190 --> 00:25:17,300
I know a lot of people are interested in
the talk afterwards but we'll all get you
280
00:25:17,300 --> 00:25:18,300
in and sorry.
281
00:25:18,300 --> 00:25:23,309
(S.): So I think it was a very good question
because if you're conducting, if you're
282
00:25:23,309 --> 00:25:26,990
doing activism online and you need to be
anonymous and you don't want to meet up
283
00:25:26,990 --> 00:25:30,450
with people in person, then how do you
know that the people you're communicating
284
00:25:30,450 --> 00:25:34,350
with, or if you are like in a public group
where you personally accept new members
285
00:25:34,350 --> 00:25:39,490
into that group, how can you put, how do
you know or kind of differentiate between
286
00:25:39,490 --> 00:25:44,299
who's actually there to harm your group or
who's actually there to contribute? I
287
00:25:44,299 --> 00:25:51,250
think the answer there lies in, what you
share. Don't share information
288
00:25:51,250 --> 00:25:55,690
with anyone that could potentially put you
at harm, even with people that you trust,
289
00:25:55,690 --> 00:25:59,409
so essentially don't trust anyone and
this is a basic OPSEC rule. This is
290
00:25:59,409 --> 00:26:06,799
how Jeremy Hammond messed up a few years
ago, because they caught him, because he
291
00:26:06,799 --> 00:26:11,259
was revealing too much information about
his life, like where he eats or
292
00:26:11,259 --> 00:26:18,759
something like that or his previous drug
records and they were able to use that to
293
00:26:18,759 --> 00:26:22,940
kind of figure out who he was and that was
the same mistake that P0ke made, he was
294
00:26:22,940 --> 00:26:30,299
too open and friendly to that agent for no
reason. So I think the kind of answer is
295
00:26:30,299 --> 00:26:34,590
to do your operations in a way where you
don't have to trust people.
296
00:26:34,590 --> 00:26:40,409
(Mic Question): How effective do you
297
00:26:40,409 --> 00:26:45,350
think these methods are, because we've
seen the number of followers on Twitter
298
00:26:45,350 --> 00:26:50,350
and the number of views on YouTube were
very low, so how many people are
299
00:26:50,350 --> 00:26:51,970
affected by this kind of operation?
300
00:26:51,970 --> 00:26:57,730
(S.): Yes, so there was also a slide I
meant to put in there, that was leaked page
301
00:26:57,730 --> 00:27:03,110
another leaked page from GCHQ that had a
list of bullet points on what they
302
00:27:03,110 --> 00:27:07,370
considered to be an effective operation
and some of those bullet points include
303
00:27:07,370 --> 00:27:11,929
how many people click that link, how many
people watch the YouTube
304
00:27:11,929 --> 00:27:15,120
video, etc, so it's pretty much the same
ways that you would measure it how many
305
00:27:15,120 --> 00:27:19,889
people viewed a specific message. Now in
their specific use cases I don't think
306
00:27:19,889 --> 00:27:23,820
they were very successful on a large
scale, specifically in Iran protests
307
00:27:23,820 --> 00:27:27,499
because the Twitter accounts had very few
followers and their YouTube videos only
308
00:27:27,499 --> 00:27:33,279
had a few hundred views, but they might
have been, obviously, more successful in
309
00:27:33,279 --> 00:27:37,039
more targeted cases when targeting specific
individuals, as in the Bahrain case or
310
00:27:37,039 --> 00:27:38,039
the P0ke case.
311
00:27:38,039 --> 00:27:39,610
(H.): Over there, please.
312
00:27:39,610 --> 00:27:45,220
(Mic Question): Sure, thank you, so I'm
just curious if you were familiar with the
313
00:27:45,220 --> 00:27:49,730
work of Erin Gallagher, she's done work to
try to figure out, kind of quantitatively
314
00:27:49,730 --> 00:27:52,809
and make these visualizations, to try to
figure out if a particular Twitter account
315
00:27:52,809 --> 00:27:57,279
for example is a bot or whether it's a
person and there's some you know rules of
316
00:27:57,279 --> 00:28:00,499
thumb regarding like, you know if the bots
just kind of interact with each other and
317
00:28:00,499 --> 00:28:01,909
don't interact with real
people.
318
00:28:01,909 --> 00:28:07,340
I'm just curious what techniques you
may know of to figure out, you know,
319
00:28:07,340 --> 00:28:10,539
what is a bot and what is not and whether
you are familiar with those particular
320
00:28:10,539 --> 00:28:11,559
lines of research.
321
00:28:11,559 --> 00:28:16,960
(S.): I'm not familiar with their
work, but thank you, I'll check it out. In terms
322
00:28:16,960 --> 00:28:24,140
of what kind of metrics you could use
to see if an account is valid or
323
00:28:24,140 --> 00:28:29,720
not, I mean, I think, I guess they're,
their tweeting kind of, habits and when
324
00:28:29,720 --> 00:28:34,010
they tweet for example could be
indicative, so for example we saw this
325
00:28:34,010 --> 00:28:38,251
person only tweet at 9 to 5. Obviously
that's quite easy to make that it's on the
326
00:28:38,251 --> 00:28:44,120
case, and also I think one useful thing
that might be interesting to do is to
327
00:28:44,120 --> 00:28:50,879
try to map the network of these accounts.
If you like build up like a web of
328
00:28:50,879 --> 00:28:55,909
followers, you might be able to very
easily graphically detect very obvious
329
00:28:55,909 --> 00:28:59,100
clusters of accounts that are following
each other, which would be a very clear signal.
330
00:28:59,100 --> 00:29:01,370
(Mic): Yeah, for sure, thank you.
331
00:29:01,370 --> 00:29:04,440
(H.): Let's switch over to mic 6, please.
332
00:29:04,460 --> 00:29:05,309
(Mic 6 question): Thank you for the-
333
00:29:05,309 --> 00:29:11,580
thank you for the great talk. How would
you compare the former British activities
334
00:29:11,580 --> 00:29:18,149
to the current Russian activities, maybe a
talk in itself, but...
335
00:29:18,149 --> 00:29:20,429
(S.): To be honest, I haven't been digging
336
00:29:20,429 --> 00:29:23,919
too deep into the details or following too
much about the Russian activities, so I
337
00:29:23,919 --> 00:29:26,860
can't really comment about that, I don't
know how prolific it is, I only mentioned
338
00:29:26,860 --> 00:29:31,760
it briefly in the beginning of the slides
because it was to give some context, so
339
00:29:31,760 --> 00:29:34,370
I'll have to research more into the Russian
activities.
340
00:29:34,370 --> 00:29:39,020
(H.): Go to mic 5 again.
341
00:29:39,020 --> 00:29:42,140
(Mic 5 Question): Thanks, to continue
342
00:29:42,140 --> 00:29:51,830
from the person who spoke, that would have
been my question. So, just to add up onto
343
00:29:51,830 --> 00:29:58,860
that, did you stumble upon similar
patterns coming from, say, Canberra or
344
00:29:58,860 --> 00:30:00,230
Washington DC?
345
00:30:00,230 --> 00:30:05,440
(S.): So these accounts were very
specific to just to the UK expressions,
346
00:30:05,440 --> 00:30:09,280
there was no kind of collaboration there
with other countries within the Five Eyes,
347
00:30:09,280 --> 00:30:15,200
like the US or Australia, but I think they
might have,
348
00:30:15,200 --> 00:30:19,120
GCHQ I think has collaborated with the NSA
349
00:30:19,120 --> 00:30:23,060
JTRIG specifically I think has collaborated
before with the NSA to delegitimize
350
00:30:23,060 --> 00:30:27,929
certain people. So for example
we saw during a few years ago or last year
351
00:30:27,929 --> 00:30:34,230
I think there was a drone attack, someone
was illegally killed in a drone strike in
352
00:30:34,230 --> 00:30:40,220
Iraq, he was suspected to be an ISIS
member, Junaid Hussain, and apparently the
353
00:30:40,220 --> 00:30:45,299
way that he was deanonymized, or the way they
found his location, is that the US, the
354
00:30:45,299 --> 00:30:49,269
FBI specifically, had an informant that was
talking to this person and that informant
355
00:30:49,269 --> 00:30:53,480
sent them a link that was
generated by GCHQ, and then through that link
356
00:30:53,480 --> 00:30:56,710
they were able to deanonymize them, so I
think there's some collaboration there, but
357
00:30:56,710 --> 00:30:59,110
this is mostly UK activity.
358
00:30:59,110 --> 00:31:04,315
(H.): Last question, we are out of time.
Thank you again, Mustafa.
applause
359
00:31:04,315 --> 00:31:31,940
subtitles created by c3subtitles.de
in the year 2019. Join, and help us!