[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:00.00,0:00:15.00,Default,,0000,0000,0000,,{\i1}34c3 intro{\i0} Dialogue: 0,0:00:15.00,0:00:21.07,Default,,0000,0000,0000,,Herald: All right, it's my great pleasure\Nto introduce to you Mustafa Al-Bassam. Dialogue: 0,0:00:21.09,0:00:26.50,Default,,0000,0000,0000,,He's gonna talk about uncovering British\Nspies' web of sockpuppet social media Dialogue: 0,0:00:26.50,0:00:31.72,Default,,0000,0000,0000,,personas. Mustafa is a PhD student at the\NUniversity College in London, studying Dialogue: 0,0:00:31.73,0:00:37.33,Default,,0000,0000,0000,,information security and focusing on\Ndecentralized systems. Mustafa was a co- Dialogue: 0,0:00:37.33,0:00:43.92,Default,,0000,0000,0000,,founder of LulzSec, a hacker activist\Ngroup some of you might have heard of, and Dialogue: 0,0:00:43.92,0:00:48.34,Default,,0000,0000,0000,,with that, please give a warm applause to\NMustafa. Dialogue: 0,0:00:48.34,0:00:55.47,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:00:55.47,0:00:57.92,Default,,0000,0000,0000,,Mustafa Al-Bassam: Hey. So it seems that Dialogue: 0,0:00:57.92,0:01:02.49,Default,,0000,0000,0000,,over the past year we've had a lot in the\Nmedia about this kind of idea that the Dialogue: 0,0:01:02.49,0:01:06.07,Default,,0000,0000,0000,,people that you interact with on Twitter\Nand Facebook and other kinds of social Dialogue: 0,0:01:06.07,0:01:11.58,Default,,0000,0000,0000,,media are not necessarily who they say\Nthey are, and sometimes not even be, they Dialogue: 0,0:01:11.59,0:01:16.33,Default,,0000,0000,0000,,might not even be people at all. They\Nmight be bots. And we've heard about how Dialogue: 0,0:01:16.33,0:01:21.01,Default,,0000,0000,0000,,this might be used to manipulate people\Ninto believing certain things or certain Dialogue: 0,0:01:21.01,0:01:26.19,Default,,0000,0000,0000,,ideas. 
And this has become quite a big\Ntopic recently, especially after the U.S. Dialogue: 0,0:01:26.19,0:01:32.16,Default,,0000,0000,0000,,presidential elections in 2016, where\Naccording to one study, up to one in five Dialogue: 0,0:01:32.16,0:01:36.03,Default,,0000,0000,0000,,election related tweets weren't actually\Nfrom real people. And apparently it's Dialogue: 0,0:01:36.03,0:01:40.76,Default,,0000,0000,0000,,it's such a big problem that even the\Npresident is being manipulated by, to say, Dialogue: 0,0:01:40.76,0:01:46.25,Default,,0000,0000,0000,,bots. But, this has been a kind of\Nactivity that has been going on for a very Dialogue: 0,0:01:46.25,0:01:49.12,Default,,0000,0000,0000,,long time, and not just from Russia or\NChina. Dialogue: 0,0:01:49.12,0:01:53.87,Default,,0000,0000,0000,,The West also engages in these kind of\Nactivities including the UK and the US, Dialogue: 0,0:01:53.87,0:02:00.80,Default,,0000,0000,0000,,but in other kinds, in other regions. So,\Ntoday I'm talking about what Britain does Dialogue: 0,0:02:00.80,0:02:08.04,Default,,0000,0000,0000,,in this regard. So, in the UK we have an\NNSA-equivalent intelligence agency called Dialogue: 0,0:02:08.04,0:02:13.28,Default,,0000,0000,0000,,GCHQ or Government Communications\NHeadquarters. And their job is basically Dialogue: 0,0:02:13.28,0:02:20.50,Default,,0000,0000,0000,,like the UK's version of the NSA: to\Ncollect as much information as possible Dialogue: 0,0:02:20.50,0:02:26.08,Default,,0000,0000,0000,,through wiretaps and mass surveillance\Nsystems. But they also have a subgroup or Dialogue: 0,0:02:26.08,0:02:31.36,Default,,0000,0000,0000,,subteam within GCHQ called the Joint\NThreat Research Intelligence Group or Dialogue: 0,0:02:31.36,0:02:36.42,Default,,0000,0000,0000,,JTRIG for short. And what these guys\Nbasically do is, it's basically a fancy Dialogue: 0,0:02:36.42,0:02:40.97,Default,,0000,0000,0000,,name for sitting on Twitter and Facebook\Nall day and trolling online. 
What they do is Dialogue: 0,0:02:40.97,0:02:44.86,Default,,0000,0000,0000,,they conduct what they call Human\NIntelligence, which is kind of like the Dialogue: 0,0:02:44.86,0:02:49.84,Default,,0000,0000,0000,,act of interacting with humans online to\Ntry to make something happen in the real Dialogue: 0,0:02:49.84,0:02:54.39,Default,,0000,0000,0000,,world. And in their own words one of their\Nmissions is to use "dirty tricks" to Dialogue: 0,0:02:54.39,0:03:00.15,Default,,0000,0000,0000,,"destroy, deny, degrade and disrupt\Nenemies" by "discrediting" them. And we've Dialogue: 0,0:03:00.15,0:03:05.40,Default,,0000,0000,0000,,seen JTRIG has been involved in various\Ncampaigns and operations, including Dialogue: 0,0:03:05.40,0:03:10.09,Default,,0000,0000,0000,,targeting hacktivist groups like Anonymous\Nand LulzSec, and also protests in the Dialogue: 0,0:03:10.09,0:03:14.51,Default,,0000,0000,0000,,Middle East, during the Arab Spring and\Nalso the Iranian protest in 2009. Dialogue: 0,0:03:14.51,0:03:20.62,Default,,0000,0000,0000,,So, a bit of context to what led me to\Nuncover this stuff and to actually Dialogue: 0,0:03:20.62,0:03:24.93,Default,,0000,0000,0000,,research this stuff. So in 2011, I was\Ninvolved with the with the hacktivist Dialogue: 0,0:03:24.93,0:03:29.51,Default,,0000,0000,0000,,group LulzSec. And to refresh your memory,\NLulzSec was a group that existed during Dialogue: 0,0:03:29.51,0:03:34.65,Default,,0000,0000,0000,,the summer of 2011 and hacked into a bunch\Nof US corporate and government Dialogue: 0,0:03:34.65,0:03:40.21,Default,,0000,0000,0000,,organizations, like the US Senate, their\Naffiliates and Sony and Fox. And in the Dialogue: 0,0:03:40.21,0:03:46.18,Default,,0000,0000,0000,,same year I was arrested, and a year later\NI was officially indicted on a court Dialogue: 0,0:03:46.18,0:03:50.68,Default,,0000,0000,0000,,indictment. 
But the thing that struck me\Nabout this indictment was that there was Dialogue: 0,0:03:50.68,0:03:55.13,Default,,0000,0000,0000,,absolutely no mention in this court\Ndocument about how they managed to Dialogue: 0,0:03:55.13,0:04:01.13,Default,,0000,0000,0000,,deanonymize me and my co-defendants. Or\Nhow they managed to actually link our Dialogue: 0,0:04:01.13,0:04:06.82,Default,,0000,0000,0000,,online identities with offline identities.\NAnd I thought it was suspicious because Dialogue: 0,0:04:06.82,0:04:15.01,Default,,0000,0000,0000,,our US counterparts, actually, their court\Nindictments had a very lengthy sections on Dialogue: 0,0:04:15.01,0:04:20.54,Default,,0000,0000,0000,,how they were caught. For example, when\Nthe FBI arrested Jeremy Hammond, his court Dialogue: 0,0:04:20.54,0:04:25.15,Default,,0000,0000,0000,,indictment had a, had very detailed\Ninformation about how those guys social Dialogue: 0,0:04:25.15,0:04:28.54,Default,,0000,0000,0000,,engineered him and managed to track him\Nthrough his IP address and through Tor and Dialogue: 0,0:04:28.54,0:04:33.60,Default,,0000,0000,0000,,whatnot. But then, fast forward a year\Nlater, Edward Snowden started leaking Dialogue: 0,0:04:33.60,0:04:39.47,Default,,0000,0000,0000,,documents about the NSA and GCHQ, and then\Nin 2014, one of those documents or some of Dialogue: 0,0:04:39.47,0:04:45.60,Default,,0000,0000,0000,,those documents were released on NBC that\Nshowed that GCHQ was targeting hacktivist Dialogue: 0,0:04:45.60,0:04:49.85,Default,,0000,0000,0000,,groups like Anonymous and LulzSec. And\Nthat makes the a lot of sense in my head. 
Dialogue: 0,0:04:49.85,0:04:55.82,Default,,0000,0000,0000,,Because if GCHQ was involved in this\Ndeanonymization process, then they Dialogue: 0,0:04:55.82,0:04:59.41,Default,,0000,0000,0000,,wouldn't want to have that in the court\Nindictment, because it would reveal the Dialogue: 0,0:04:59.41,0:05:03.83,Default,,0000,0000,0000,,operational techniques.\NAnd this is one of the leaked slides from Dialogue: 0,0:05:03.83,0:05:09.87,Default,,0000,0000,0000,,GCHQ talking about some of the activist\Ngroups they target. One of the people Dialogue: 0,0:05:09.87,0:05:17.46,Default,,0000,0000,0000,,they targeted was someone who went by the\Nnickname of "p0ke", who was chatting in an Dialogue: 0,0:05:17.46,0:05:25.22,Default,,0000,0000,0000,,IRC channel, a public chat network. And\Nthis was a public chatting channel where Dialogue: 0,0:05:25.22,0:05:30.52,Default,,0000,0000,0000,,people from Anonymous and other kinds of\Nhacktivists kind of sit and chat about Dialogue: 0,0:05:30.52,0:05:38.58,Default,,0000,0000,0000,,various topics and also plan operations.\NAnd this person "p0ke" was chatting on Dialogue: 0,0:05:38.58,0:05:47.49,Default,,0000,0000,0000,,this channel and boasted that they had a\Nlist of 700 FBI agents' emails and phone Dialogue: 0,0:05:47.49,0:05:55.05,Default,,0000,0000,0000,,numbers and names. And then it turned out\Nthat a GCHQ agent was covertly in this Dialogue: 0,0:05:55.05,0:06:00.95,Default,,0000,0000,0000,,channel observing what people were saying.\NAnd then the GCHQ agent initiated a Dialogue: 0,0:06:00.95,0:06:05.51,Default,,0000,0000,0000,,private message with this person to kind\Nof get more information and to try to Dialogue: 0,0:06:05.51,0:06:12.21,Default,,0000,0000,0000,,build a relationship with this person. 
And\Nthe agent asked them what was the site and Dialogue: 0,0:06:12.21,0:06:16.49,Default,,0000,0000,0000,,then they just gave that information up\Nand they even gave them a sample of some Dialogue: 0,0:06:16.49,0:06:22.56,Default,,0000,0000,0000,,of the leaked information. So it turns out\Nthat actually GCHQ was active in these IRC Dialogue: 0,0:06:22.56,0:06:30.93,Default,,0000,0000,0000,,networks and chat networks for months if\Nnot years and they were in up to several Dialogue: 0,0:06:30.93,0:06:35.59,Default,,0000,0000,0000,,hundred channels at a time. They were just\Nsitting there idling. They weren't really Dialogue: 0,0:06:35.59,0:06:41.45,Default,,0000,0000,0000,,saying much or actually participating in\Nconversation, except that every few months Dialogue: 0,0:06:41.45,0:06:46.27,Default,,0000,0000,0000,,you might notice them say "hey" or "lol"\Nin the chat even though it might be out of Dialogue: 0,0:06:46.27,0:06:49.36,Default,,0000,0000,0000,,context of the conversation that was going\Non, presumably so that they wouldn't get Dialogue: 0,0:06:49.36,0:06:53.52,Default,,0000,0000,0000,,kicked off the network because some\Nnetworks kick you off if you're idling Dialogue: 0,0:06:53.52,0:06:58.42,Default,,0000,0000,0000,,there for too long. And then often what\Nthey would do is they would private Dialogue: 0,0:06:58.42,0:07:03.14,Default,,0000,0000,0000,,message people in rooms to try and\Ncorroborate information about activities Dialogue: 0,0:07:03.14,0:07:07.14,Default,,0000,0000,0000,,that were going on and being discussed or\Ntrying to entrap people by getting them to Dialogue: 0,0:07:07.14,0:07:13.26,Default,,0000,0000,0000,,admit to things as we saw with p0ke.\NAnd he seemed to be quite a common theme Dialogue: 0,0:07:13.26,0:07:19.47,Default,,0000,0000,0000,,that these undercover feds and agents were\Nsitting in these chat rooms. 
In the Dialogue: 0,0:07:19.47,0:07:26.39,Default,,0000,0000,0000,,Europol meeting 2011, where 15 European\Ncountries were discussing what they were Dialogue: 0,0:07:26.39,0:07:31.71,Default,,0000,0000,0000,,doing to tackle Anonymous and LulzSec,\Napparently there were certainly undercover Dialogue: 0,0:07:31.71,0:07:36.52,Default,,0000,0000,0000,,cops in these channels that had an issue\Nwith undercover cops investigating each Dialogue: 0,0:07:36.52,0:07:40.99,Default,,0000,0000,0000,,other.\N{\i1}laughter{\i0} Dialogue: 0,0:07:40.99,0:07:53.28,Default,,0000,0000,0000,,So the GCHQ agent that was targeting p0ke\Nsent them a link to a BBC news article Dialogue: 0,0:07:53.28,0:08:01.87,Default,,0000,0000,0000,,about hacktivists. And, according to this\Nleaked slide, this link enabled GCHQ to Dialogue: 0,0:08:01.87,0:08:08.61,Default,,0000,0000,0000,,conduct signal intelligence to discover\Np0ke's real name, Facebook and email Dialogue: 0,0:08:08.61,0:08:14.53,Default,,0000,0000,0000,,accounts etc. It doesn't say exactly how\Nthey did that, but it's not that hard if Dialogue: 0,0:08:14.53,0:08:20.83,Default,,0000,0000,0000,,they have your IP address on user agent.\NBack then, in 2011, most websites weren't Dialogue: 0,0:08:20.83,0:08:25.49,Default,,0000,0000,0000,,using HTTPS, including Facebook, so if\Nthey look up your IP address in XKeyscore Dialogue: 0,0:08:25.49,0:08:29.52,Default,,0000,0000,0000,,or the dragnet surveillance system, they\Ncan easily see what other traffic is Dialogue: 0,0:08:29.52,0:08:35.01,Default,,0000,0000,0000,,originating from that IP address, and what\NFacebook accounts are connected to that IP Dialogue: 0,0:08:35.01,0:08:41.95,Default,,0000,0000,0000,,address for example. 
But in this in this\Nslide leaked by NBC the URL was redacted, Dialogue: 0,0:08:41.95,0:08:46.40,Default,,0000,0000,0000,,but it wasn't very hard to actually find\Nthat URL, because these were public Dialogue: 0,0:08:46.40,0:08:51.03,Default,,0000,0000,0000,,channels that GCHQ agents were talking in,\Nand people haven't been targeted in Dialogue: 0,0:08:51.03,0:08:56.47,Default,,0000,0000,0000,,themselves including myself. We were able\Nto find out what that URL shortener was Dialogue: 0,0:08:56.47,0:09:01.59,Default,,0000,0000,0000,,I mean what that website was but\Nwhich turned out to be a URL shortener so Dialogue: 0,0:09:01.59,0:09:09.95,Default,,0000,0000,0000,,the website that was sent to p0ke to click\Nwas "lurl.me" and according to Dialogue: 0,0:09:09.95,0:09:16.95,Default,,0000,0000,0000,,archive.org, here is a snapshot from\N"lurl.me" in 2013, just before it went Dialogue: 0,0:09:16.95,0:09:21.28,Default,,0000,0000,0000,,offline, that basically showed it was a\NURL shortening service, it looks like a Dialogue: 0,0:09:21.28,0:09:28.17,Default,,0000,0000,0000,,generic URL shortening service. One thing\NI noticed is, the domain name sounds Dialogue: 0,0:09:28.17,0:09:32.82,Default,,0000,0000,0000,,like "lure me" which is basically what\Nthey were doing, Dialogue: 0,0:09:32.82,0:09:41.12,Default,,0000,0000,0000,,because JTRIG had this internal wiki\Nwhere they listed all the tech tools and Dialogue: 0,0:09:41.12,0:09:47.15,Default,,0000,0000,0000,,techniques that they use in the operations\Nand one of the categories that they have Dialogue: 0,0:09:47.15,0:09:54.100,Default,,0000,0000,0000,,is "shaping and honey pots" and in that\Ncategory they have a tool code named Dialogue: 0,0:09:54.100,0:09:59.20,Default,,0000,0000,0000,,Deadpool which is described as a URL\Nshortening service and that's what Dialogue: 0,0:09:59.20,0:10:07.97,Default,,0000,0000,0000,,"lurl.me" was. 
We first saw "lurl.me" in\N2009 - the domain name was registered in Dialogue: 0,0:10:07.97,0:10:16.04,Default,,0000,0000,0000,,2009 - and almost immediately it was it\Nwas linked tweets about Iranian protests, Dialogue: 0,0:10:16.04,0:10:21.68,Default,,0000,0000,0000,,and then it went offline in 2013, shortly\Nafter (every sudden) leaks in November, Dialogue: 0,0:10:21.68,0:10:26.09,Default,,0000,0000,0000,,but interesting if you look up all of the\Ninstances of this URL shortener being used Dialogue: 0,0:10:26.09,0:10:30.21,Default,,0000,0000,0000,,in social media and Twitter there's\Nprobably about 100-200 instances of it Dialogue: 0,0:10:30.21,0:10:36.04,Default,,0000,0000,0000,,being used and every single one of those\Ninstances where it was used it was Dialogue: 0,0:10:36.04,0:10:42.83,Default,,0000,0000,0000,,associated with political activities late\Nin the Middle East or Africa usually to Dialogue: 0,0:10:42.83,0:10:49.27,Default,,0000,0000,0000,,protests. And the majority of the most\Ncommon were coming from the default Dialogue: 0,0:10:49.27,0:10:54.22,Default,,0000,0000,0000,,Twitter accounts with no avatar, with very\Nfew tweets and they're accounts that were Dialogue: 0,0:10:54.22,0:10:59.69,Default,,0000,0000,0000,,active for only a few months between 2009\Nand 2013. 
Dialogue: 0,0:10:59.69,0:11:05.59,Default,,0000,0000,0000,,One of the techniques, or some of the\Ntechniques that JTRIG used, in their own Dialogue: 0,0:11:05.59,0:11:09.68,Default,,0000,0000,0000,,words to conduct their operations is\Nincludes uploading YouTube videos Dialogue: 0,0:11:09.68,0:11:13.72,Default,,0000,0000,0000,,containing persuasive messaging,\Nestablishing online aliases with Facebook Dialogue: 0,0:11:13.72,0:11:18.97,Default,,0000,0000,0000,,and Twitter accounts, blogs on foreign\Nmemberships for conducting human Dialogue: 0,0:11:18.97,0:11:23.13,Default,,0000,0000,0000,,intelligence, or encouraging discussion on\Nspecific issues, sending spoof emails and Dialogue: 0,0:11:23.13,0:11:28.19,Default,,0000,0000,0000,,text messages as well as providing spoof\Nonline resources, and setting up spoof Dialogue: 0,0:11:28.19,0:11:34.85,Default,,0000,0000,0000,,trace sites and this is exactly what we're\Ngoing to see in the next few slides and in Dialogue: 0,0:11:34.85,0:11:39.75,Default,,0000,0000,0000,,most examples that they use for the\Noperations is they actually targeted the Dialogue: 0,0:11:39.75,0:11:44.95,Default,,0000,0000,0000,,entire general population of Iran which is\Na pretty big target audience of 80 million Dialogue: 0,0:11:44.95,0:11:48.28,Default,,0000,0000,0000,,people. According to them,\Nthey had several goals in Iran: Dialogue: 0,0:11:48.28,0:11:53.39,Default,,0000,0000,0000,,the first goal was to discredit the\NIranian leadership and its nuclear program Dialogue: 0,0:11:53.39,0:11:57.47,Default,,0000,0000,0000,,Second goal was to delay and disrupt on-\Nline access to materials used in the Dialogue: 0,0:11:57.47,0:12:00.06,Default,,0000,0000,0000,,nuclear program. Third Goal was \Nconducting online Human Dialogue: 0,0:12:00.08,0:12:02.74,Default,,0000,0000,0000,,Intelligence and the fourth goal was the most Dialogue: 0,0:12:02.74,0:12:07.59,Default,,0000,0000,0000,,interesting goal my opinion: Counter\Ncensorship. 
It might seem might sound great Dialogue: 0,0:12:07.59,0:12:12.77,Default,,0000,0000,0000,,it might sound like almost like GCHQ is\Nkind of aligned with the motives of the Dialogue: 0,0:12:12.77,0:12:16.48,Default,,0000,0000,0000,,Internet freedom community by helping\Nthese Iranian activists to evade Dialogue: 0,0:12:16.48,0:12:18.93,Default,,0000,0000,0000,,censorship.\NBut we're gonna see it's not really the Dialogue: 0,0:12:18.93,0:12:24.55,Default,,0000,0000,0000,,case. The main kind of Iran the main kind\Nof sock puppet accounts on Twitter that Dialogue: 0,0:12:24.55,0:12:32.01,Default,,0000,0000,0000,,JTRIG was running during this campaign in\N2009 was called "2000 Iran Dialogue: 0,0:12:32.01,0:12:36.52,Default,,0000,0000,0000,,2009 Iran free".\NThis was the most kind of active Twitter Dialogue: 0,0:12:36.52,0:12:41.68,Default,,0000,0000,0000,,account that it had and it had 216 tweets\Nand they also had I kind of like a bunch Dialogue: 0,0:12:41.68,0:12:46.50,Default,,0000,0000,0000,,of other accounts that were less active\Nthat had default avatars probably just to Dialogue: 0,0:12:46.50,0:12:51.39,Default,,0000,0000,0000,,kind of, kind of build up their social\Nnetwork that mostly retweeted things, Dialogue: 0,0:12:51.39,0:12:57.51,Default,,0000,0000,0000,,retweeted the same things as a display\Naccount but slightly rewarded or even with Dialogue: 0,0:12:57.51,0:13:00.05,Default,,0000,0000,0000,,them.\NAnd what this Twitter account essentially Dialogue: 0,0:13:00.05,0:13:07.45,Default,,0000,0000,0000,,did was in quick succession, over a period\Nof like one or two weeks tweeted a bunch Dialogue: 0,0:13:07.45,0:13:12.92,Default,,0000,0000,0000,,of links from this URL shortener for\Nvarious purposes for to various articles Dialogue: 0,0:13:12.92,0:13:20.32,Default,,0000,0000,0000,,on blogs online and they also had actually\Na blogspot website with like one article Dialogue: 0,0:13:20.32,0:13:28.71,Default,,0000,0000,0000,,to kind of expand their network I 
guess.\NOne of the activities that 2009 Iran free Dialogue: 0,0:13:28.71,0:13:35.73,Default,,0000,0000,0000,,and the other sock puppets were doing\Nwas they were kind of trying to spread the Dialogue: 0,0:13:35.73,0:13:42.27,Default,,0000,0000,0000,,same IP addresses as proxies to Iranians\Nto use as a counter censorship. So for Dialogue: 0,0:13:42.27,0:13:48.39,Default,,0000,0000,0000,,example you can see that they have a list\Nof IP addresses here that will hash like Dialogue: 0,0:13:48.39,0:13:52.27,Default,,0000,0000,0000,,Iran election that they can use for\Nprotests and they and they might sometimes Dialogue: 0,0:13:52.27,0:14:01.90,Default,,0000,0000,0000,,feed links to that to to this proxy is\Nusing that URL shortener and this is, this Dialogue: 0,0:14:01.90,0:14:07.33,Default,,0000,0000,0000,,is quite concerning because well one of\Nthe tools used by JTRIG is also called Dialogue: 0,0:14:07.33,0:14:12.64,Default,,0000,0000,0000,,codenamed Molten Magma which is basically\NHTTP proxy to with the ability to log all Dialogue: 0,0:14:12.64,0:14:16.91,Default,,0000,0000,0000,,traffic and perform HTTPS man-in-the-\Nmiddle because, again, they were they were Dialogue: 0,0:14:16.91,0:14:20.43,Default,,0000,0000,0000,,spreading exactly the same IP address all\Nof these all these sock puppet accounts Dialogue: 0,0:14:20.43,0:14:26.01,Default,,0000,0000,0000,,were spreading exactly the same IP\Naddresses and same links to Iranians to Dialogue: 0,0:14:26.01,0:14:33.12,Default,,0000,0000,0000,,help them to or to allegedly help them to\Na evade common censorship. And they were Dialogue: 0,0:14:33.12,0:14:37.57,Default,,0000,0000,0000,,even claiming that these for the same\Nproxies used by the Iranian government to Dialogue: 0,0:14:37.57,0:14:41.25,Default,,0000,0000,0000,,get around their own firewalls so if they,\Napparently if they block these proxies Dialogue: 0,0:14:41.25,0:14:45.62,Default,,0000,0000,0000,,they will block their own access to the\Noutside world. 
Dialogue: 0,0:14:45.62,0:14:50.52,Default,,0000,0000,0000,,And this is essentially what they are\Ndoing here. In this kind of context GCHQ Dialogue: 0,0:14:50.52,0:14:54.61,Default,,0000,0000,0000,,is kind of acting like the big bad wolf\Nfrom Red Riding Hood. We might seem like Dialogue: 0,0:14:54.61,0:15:02.32,Default,,0000,0000,0000,,they're helping me but they're also\Ncausing you harm in the process. Dialogue: 0,0:15:02.32,0:15:06.63,Default,,0000,0000,0000,,And this is a, this is a list that\Ncontains a list of some of the techniques Dialogue: 0,0:15:06.63,0:15:13.32,Default,,0000,0000,0000,,that JTRIG used. This was also a leaked\Ndocument and this essentially kills two Dialogue: 0,0:15:13.32,0:15:18.36,Default,,0000,0000,0000,,birds in one stone because what they do is\Nat the bottom it says one techniques is Dialogue: 0,0:15:18.36,0:15:22.37,Default,,0000,0000,0000,,hosting targets' online communications for\Ncollecting signal intelligence as we saw Dialogue: 0,0:15:22.37,0:15:27.12,Default,,0000,0000,0000,,with p0ke and which is why they tweet\Nthese links using URL shortener so they Dialogue: 0,0:15:27.12,0:15:32.43,Default,,0000,0000,0000,,can conduct signal intelligence on people\Nwho are interested in clicking these Dialogue: 0,0:15:32.43,0:15:38.84,Default,,0000,0000,0000,,things and also providing online access\Nuncensored materials and sending instant Dialogue: 0,0:15:38.84,0:15:42.76,Default,,0000,0000,0000,,messages to specific individuals giving\Nthem instructions for accessing uncensored Dialogue: 0,0:15:42.76,0:15:47.12,Default,,0000,0000,0000,,websites.\NOne of the forums that these proxies were Dialogue: 0,0:15:47.12,0:15:53.94,Default,,0000,0000,0000,,posted in was whyweprotest.net and someone\Nactually kind of almost got it right. Dialogue: 0,0:15:53.94,0:15:56.78,Default,,0000,0000,0000,,Someone asked: "Why does the government use\Nproxies? 
That doesn't make any sense, they Dialogue: 0,0:15:56.78,0:15:59.51,Default,,0000,0000,0000,,wouldn't need any proxies." And then\Nsomeone replied: "The Iranian government Dialogue: 0,0:15:59.51,0:16:03.100,Default,,0000,0000,0000,,allegedly has set up proxies to monitor\Nconnections with from within Iran to be Dialogue: 0,0:16:03.100,0:16:08.10,Default,,0000,0000,0000,,able to pinpoint the people who are trying\Nto bypass these blocks." So they're almost Dialogue: 0,0:16:08.10,0:16:10.57,Default,,0000,0000,0000,,right because it wasn't the Iranian\Ngovernment that was actually monitoring Dialogue: 0,0:16:10.57,0:16:18.76,Default,,0000,0000,0000,,connections in Iran. It was GCHQ.\NThere were also set up, I agree, basic Dialogue: 0,0:16:18.76,0:16:25.53,Default,,0000,0000,0000,,websites, that basically acted as RSS\Nfeeds to English websites about Iran to Dialogue: 0,0:16:25.53,0:16:29.63,Default,,0000,0000,0000,,presumably, but also for counter\Ncensorship reasons. One of the same Dialogue: 0,0:16:29.63,0:16:34.89,Default,,0000,0000,0000,,things they did was mimic government\Nofficials. So for example they might Dialogue: 0,0:16:34.89,0:16:39.98,Default,,0000,0000,0000,,post in a forum saying: "Attention users\Noutside Iran, you can call the president Dialogue: 0,0:16:39.98,0:16:43.84,Default,,0000,0000,0000,,at this number to discuss the elections\Ndirect." And they were hesitant that you Dialogue: 0,0:16:43.84,0:16:49.83,Default,,0000,0000,0000,,should not call this number if you are in\NIran. And then they will also give an Dialogue: 0,0:16:49.83,0:16:55.67,Default,,0000,0000,0000,,email address for the vice president on\Nthe Twitter. 
Dialogue: 0,0:16:55.67,0:17:00.37,Default,,0000,0000,0000,,This also matches up with another\Ntechnique that JTRIG uses, again according Dialogue: 0,0:17:00.37,0:17:06.55,Default,,0000,0000,0000,,to the leaked documents, where they send\Nspoof emails and text messages from a fake Dialogue: 0,0:17:06.55,0:17:11.67,Default,,0000,0000,0000,,person or mimicking a real person to\Ndiscredit, promote, distrust, dissuade, Dialogue: 0,0:17:11.67,0:17:16.83,Default,,0000,0000,0000,,deceive, deter, delay or disrupt. Whatever\Nthe purpose was, they certainly managed to Dialogue: 0,0:17:16.83,0:17:20.81,Default,,0000,0000,0000,,promote distrust because one of the\Nreplies to this post was: "This can't be Dialogue: 0,0:17:20.81,0:17:24.60,Default,,0000,0000,0000,,the president's number because if it were\Nthe second call would be answered by Dialogue: 0,0:17:24.60,0:17:29.85,Default,,0000,0000,0000,,Iranian intelligence services. So these are\Nstrange days. I suppose anything could Dialogue: 0,0:17:29.85,0:17:33.76,Default,,0000,0000,0000,,happen at this point."\NSo that was most of the activity that we Dialogue: 0,0:17:33.76,0:17:40.45,Default,,0000,0000,0000,,saw in 2009. There was a bunch of other\NTwitter accounts with default egg, default Dialogue: 0,0:17:40.45,0:17:46.46,Default,,0000,0000,0000,,avatars associated with these links. You\Ncan find them if you search lurl.me with Dialogue: 0,0:17:46.46,0:17:52.57,Default,,0000,0000,0000,,quotation marks and Google with sites\N-twitter.com. In 2010 there was absolutely Dialogue: 0,0:17:52.57,0:18:00.12,Default,,0000,0000,0000,,no activity on Twitter or all social media\Nassociated with this URL shorter. Then, in Dialogue: 0,0:18:00.12,0:18:08.75,Default,,0000,0000,0000,,2011, we saw some activity in Syria for\Nthis URL shortener for a similar purpose Dialogue: 0,0:18:08.75,0:18:12.62,Default,,0000,0000,0000,,of conducting censorship resistance in\NSyria. 
And they were essentially doing the Dialogue: 0,0:18:12.62,0:18:18.10,Default,,0000,0000,0000,,same thing, same techniques, giving people\NIP addresses to connect to, that you Dialogue: 0,0:18:18.10,0:18:24.02,Default,,0000,0000,0000,,thought that they probably are MITM'd.\NBut one of the things they did here as Dialogue: 0,0:18:24.02,0:18:28.27,Default,,0000,0000,0000,,well was they didn't just tweet stuff they\Nalso posted a YouTube video, like a very Dialogue: 0,0:18:28.27,0:18:33.15,Default,,0000,0000,0000,,poorly made YouTube video with only\N300 views to try to get people to watch Dialogue: 0,0:18:33.15,0:18:37.60,Default,,0000,0000,0000,,that. They didn't really try very hard\Nhere because if you actually look at the Dialogue: 0,0:18:37.60,0:18:43.34,Default,,0000,0000,0000,,times on when these accounts tweeted,\Nall the accounts in Syria actually should Dialogue: 0,0:18:43.34,0:18:49.75,Default,,0000,0000,0000,,have tweeted. The only tweet between 9 to\N5 p.m. UK time Monday to Friday. Dialogue: 0,0:18:49.75,0:19:00.07,Default,,0000,0000,0000,,{\i1}laughter, applause{\i0}\NI mean, I think, I don't know I think Dialogue: 0,0:19:00.07,0:19:06.27,Default,,0000,0000,0000,,they were lazy, or they were just, they\Ndidn't really bother or weren't motivated. Dialogue: 0,0:19:06.27,0:19:10.70,Default,,0000,0000,0000,,But one of the limitations that JTRIG has,\Nthey actually had one in the leaked Dialogue: 0,0:19:10.70,0:19:15.55,Default,,0000,0000,0000,,documents, that they had was they had a\Nlist of limitations that the staff have Dialogue: 0,0:19:15.55,0:19:19.47,Default,,0000,0000,0000,,when conducting its operations. And one of\Nthem is that they have difficulty in Dialogue: 0,0:19:19.47,0:19:24.55,Default,,0000,0000,0000,,maintaining more than a small number of\Nunique multi-dimension active aliases Dialogue: 0,0:19:24.55,0:19:29.88,Default,,0000,0000,0000,,especially with doing online human\Nintelligence. 
Which is why we only see Dialogue: 0,0:19:29.88,0:19:35.13,Default,,0000,0000,0000,,like one main twitter account for these\Nevents and then like a bunch of other kind Dialogue: 0,0:19:35.13,0:19:38.61,Default,,0000,0000,0000,,of default expat accounts, usually like\Nfive or six. We didn't tend to see Dialogue: 0,0:19:38.61,0:19:44.46,Default,,0000,0000,0000,,hundreds of them you only see about less\Nthan 10, because this was back in 2009, Dialogue: 0,0:19:44.46,0:19:50.27,Default,,0000,0000,0000,,2011. They weren't doing it in an\Nautomated way. And they also said the lack Dialogue: 0,0:19:50.27,0:19:55.56,Default,,0000,0000,0000,,of continuity in maintaining an alias or\Ncommunicating via an alias if a staff Dialogue: 0,0:19:55.56,0:20:02.35,Default,,0000,0000,0000,,member is away and his or her work is\Ncovered by others and also the other one Dialogue: 0,0:20:02.35,0:20:08.62,Default,,0000,0000,0000,,was lack of photographs, visual images, of\Naliases which is why we always see like Dialogue: 0,0:20:08.62,0:20:12.28,Default,,0000,0000,0000,,egg or default avatars for these\Nsock puppet accounts because they can't Dialogue: 0,0:20:12.28,0:20:16.63,Default,,0000,0000,0000,,unless they have like a full fledge\Ngraphics team or have faces of people to Dialogue: 0,0:20:16.63,0:20:22.12,Default,,0000,0000,0000,,put in there and they can't really put\Nanything as avatar. They also apparently Dialogue: 0,0:20:22.12,0:20:28.22,Default,,0000,0000,0000,,had a lack of sufficient number and varied\Ncultural language advisors eg in Russian, Dialogue: 0,0:20:28.22,0:20:32.09,Default,,0000,0000,0000,,Arabic and Pashto which is why we see\Nhere on these Twitter accounts they're Dialogue: 0,0:20:32.09,0:20:36.30,Default,,0000,0000,0000,,basically tweeting the same thing over and\Nover again with no variation. 
Here's the Dialogue: 0,0:20:36.30,0:20:40.25,Default,,0000,0000,0000,,same text over and over again because they\Ndon't have lots of translators to Dialogue: 0,0:20:40.25,0:20:48.39,Default,,0000,0000,0000,,translate that.\NThe other thing we saw in 2011 was a very Dialogue: 0,0:20:48.39,0:20:54.18,Default,,0000,0000,0000,,targeted attack during the Bahrain\Nprotests. They had a twitter account Dialogue: 0,0:20:54.18,0:21:00.49,Default,,0000,0000,0000,,called 'Freedom4Bahrain' and this, it just\Nsent two tweets, mentioning two accounts Dialogue: 0,0:21:00.49,0:21:07.05,Default,,0000,0000,0000,,"14FebTV" and "14FebRevolution", and\Nthese were two accounts that were, Dialogue: 0,0:21:07.05,0:21:09.47,Default,,0000,0000,0000,,like,\Nreally big kind of social media outlets in Dialogue: 0,0:21:09.47,0:21:15.46,Default,,0000,0000,0000,,Bahrain that were covering the protests\Nthat were going on there. And these were Dialogue: 0,0:21:15.46,0:21:21.77,Default,,0000,0000,0000,,targeted mentions of the kind that we saw\Nwith P0ke, so, presumably also here, they Dialogue: 0,0:21:21.77,0:21:23.81,Default,,0000,0000,0000,,were using that to conduct Signal\NIntelligence, Dialogue: 0,0:21:23.81,0:21:32.02,Default,,0000,0000,0000,,to discover who was running these two\Naccounts. In 2012 you also saw no activity Dialogue: 0,0:21:32.02,0:21:42.01,Default,,0000,0000,0000,,associated with that URL shortener. During 2013 I managed\Nto find one tweet related to Kenya, to the Dialogue: 0,0:21:42.01,0:21:47.34,Default,,0000,0000,0000,,Kenyan imposed national politics and this\Nperson isn't an education sock puppet, this Dialogue: 0,0:21:47.34,0:21:52.70,Default,,0000,0000,0000,,person is a research assistant at the\NHuman Rights Watch. So this, but that begs Dialogue: 0,0:21:52.70,0:21:58.08,Default,,0000,0000,0000,,the question of how did he actually get\Nthis URL? 
Probably a similar message to Dialogue: 0,0:21:58.08,0:22:02.72,Default,,0000,0000,0000,,P0ke, they probably sent him a link\Nthrough a private message found that Dialogue: 0,0:22:02.72,0:22:08.46,Default,,0000,0000,0000,,interesting and tweeted it, so not only\Nare they targeting protesters, they are Dialogue: 0,0:22:08.46,0:22:16.75,Default,,0000,0000,0000,,also targeting NGOs. Then, in 2013,\Nall of the infrastructure associated with Dialogue: 0,0:22:16.75,0:22:23.37,Default,,0000,0000,0000,,URL-shortener was shut offline, this was\Nin 2013, which was a few months after the Dialogue: 0,0:22:23.37,0:22:26.79,Default,,0000,0000,0000,,Edward Snowden leaks, so they had a bit of\Ndelay of doing it, but it must have been a Dialogue: 0,0:22:26.79,0:22:32.84,Default,,0000,0000,0000,,real pain in the arse for them to have to\Nrenew all their infrastructure, but I did Dialogue: 0,0:22:32.84,0:22:38.34,Default,,0000,0000,0000,,do some digging into some of the other host\Nnames that were hosted on this lurl.me Dialogue: 0,0:22:38.34,0:22:44.82,Default,,0000,0000,0000,,server. 
Between 2009 and 2013, most of\Nthese host names seem to be random Dialogue: 0,0:22:44.82,0:22:51.09,Default,,0000,0000,0000,,alphanumeric, the main names, and some of\Nthem are using publicly the DNS providers Dialogue: 0,0:22:51.09,0:22:57.35,Default,,0000,0000,0000,,like DynDNS or DNSAlias, I wasn't able to\Nfind any websites archived for these Dialogue: 0,0:22:57.35,0:23:02.04,Default,,0000,0000,0000,,domains, so it doesn't seem that there was\Nany websites there, but if you have any Dialogue: 0,0:23:02.04,0:23:06.25,Default,,0000,0000,0000,,ideas let me know, because one of the\Nthings that I suspect is that these might Dialogue: 0,0:23:06.25,0:23:09.81,Default,,0000,0000,0000,,have been malware endpoints or command\Ncontrol servers, that they were using, so Dialogue: 0,0:23:09.81,0:23:13.88,Default,,0000,0000,0000,,if you have any and monitoring tools or\Nlogs then maybe you should look up some of Dialogue: 0,0:23:13.88,0:23:18.76,Default,,0000,0000,0000,,these host names. But one of the\Ninteresting domain names that I thought Dialogue: 0,0:23:18.76,0:23:25.05,Default,,0000,0000,0000,,was interesting there was dunes\Nadventures.net and this is the archived Dialogue: 0,0:23:25.05,0:23:27.01,Default,,0000,0000,0000,,page for Dunesadventures Dialogue: 0,0:23:27.01,0:23:29.44,Default,,0000,0000,0000,,which was another\Nwebsite based in Kenya. 
They were up to Dialogue: 0,0:23:29.44,0:23:35.11,Default,,0000,0000,0000,,something in Kenya and it claimed that\Nthey were having this was a very basic one Dialogue: 0,0:23:35.11,0:23:41.01,Default,,0000,0000,0000,,page website that was kind of very poorly\Nmade and they claimed that they were Dialogue: 0,0:23:41.01,0:23:44.54,Default,,0000,0000,0000,,having site problems and apparently "we\Nhave noticed problems with our booking Dialogue: 0,0:23:44.54,0:23:49.22,Default,,0000,0000,0000,,system, this has been taken offline until\Nour techs find the problem - we apologize Dialogue: 0,0:23:49.22,0:23:53.25,Default,,0000,0000,0000,,for any inconvenience". but there was never\Nany booking system in the first place, Dialogue: 0,0:23:53.25,0:23:58.27,Default,,0000,0000,0000,,this was just pretty much a ruse to make\Nit look like if you go to this website, a Dialogue: 0,0:23:58.27,0:24:03.36,Default,,0000,0000,0000,,legitimate company was hosting there. So\Nif you mind anything about that, then I'd Dialogue: 0,0:24:03.36,0:24:08.14,Default,,0000,0000,0000,,be curious as well. I also if there's any\NGCHQ agents in the room and then I'm Dialogue: 0,0:24:08.14,0:24:15.78,Default,,0000,0000,0000,,happy to get drink with you as well.\NThat's all I have for today, does anyone Dialogue: 0,0:24:15.78,0:24:26.96,Default,,0000,0000,0000,,have any questions?\N{\i1}applause{\i0} Dialogue: 0,0:24:26.96,0:24:41.51,Default,,0000,0000,0000,,(Herald) {\i1}asks for questions{\i0}\N(Mic Question): OK, IRC asks: Deceiving Dialogue: 0,0:24:41.51,0:24:46.35,Default,,0000,0000,0000,,a target into trusting you and leaking any form\Nof infos is used everywhere right now, IRC, Dialogue: 0,0:24:46.35,0:24:50.97,Default,,0000,0000,0000,,Twitter and Facebook and so on. How would you\Nadvise people to distinguish between a Dialogue: 0,0:24:50.97,0:24:54.06,Default,,0000,0000,0000,,genuine identity and an undercover agent? 
Dialogue: 0,0:24:54.06,0:24:56.03,Default,,0000,0000,0000,,(Speaker): I think that's a very good\Nquestion because- Dialogue: 0,0:24:56.03,0:24:59.12,Default,,0000,0000,0000,,(H.): So just just a quick second, if you Dialogue: 0,0:24:59.12,0:25:03.40,Default,,0000,0000,0000,,really have to leave the room right now,\Npeople, please do so quietly, we still Dialogue: 0,0:25:03.40,0:25:08.02,Default,,0000,0000,0000,,have a talk going on and it's really\Nunrespectful if you make that much noise Dialogue: 0,0:25:08.02,0:25:13.19,Default,,0000,0000,0000,,and interrupt this whole thing.\N{\i1}applause{\i0} Dialogue: 0,0:25:13.19,0:25:17.30,Default,,0000,0000,0000,,I know a lot of people are interested in\Nthe talk afterwards but we'll all get you Dialogue: 0,0:25:17.30,0:25:18.30,Default,,0000,0000,0000,,in and sorry. Dialogue: 0,0:25:18.30,0:25:23.31,Default,,0000,0000,0000,,(S.): So I think that's a very good question\Nbecause if you're conducting, if you're Dialogue: 0,0:25:23.31,0:25:26.99,Default,,0000,0000,0000,,doing activism online and you need to be\Nanonymous and you don't want to meet up Dialogue: 0,0:25:26.99,0:25:30.45,Default,,0000,0000,0000,,with people in person, then how do you\Nknow that the people you're communicating Dialogue: 0,0:25:30.45,0:25:34.35,Default,,0000,0000,0000,,with, or if you are like in a public group\Nwhere you personally accept new members Dialogue: 0,0:25:34.35,0:25:39.49,Default,,0000,0000,0000,,into that group, how can you put, how do\Nyou know or kind of differentiate between Dialogue: 0,0:25:39.49,0:25:44.30,Default,,0000,0000,0000,,who's actually there to harm your group or\Nwho's actually there to contribute? I Dialogue: 0,0:25:44.30,0:25:51.25,Default,,0000,0000,0000,,think the answer there lies in, what you\Nshare. 
Don't share information that comes Dialogue: 0,0:25:51.25,0:25:55.69,Default,,0000,0000,0000,,with anyone that could potentially put you\Nat harm, even with people that you trust, Dialogue: 0,0:25:55.69,0:25:59.41,Default,,0000,0000,0000,,so essentially don't trust anyone and\Nthis is a basic OPSEC rule. This is Dialogue: 0,0:25:59.41,0:26:06.80,Default,,0000,0000,0000,,how Jeremy Hammond messed up a few years\Nago, because they caught him, because he Dialogue: 0,0:26:06.80,0:26:11.26,Default,,0000,0000,0000,,was revealing too much information about\Nhis life, like where he eats or Dialogue: 0,0:26:11.26,0:26:18.76,Default,,0000,0000,0000,,something like that or his previous drug\Nrecords and they were able to use that to Dialogue: 0,0:26:18.76,0:26:22.94,Default,,0000,0000,0000,,kind of figure out who he was and that was\Nthe same mistake that P0ke made, he was Dialogue: 0,0:26:22.94,0:26:30.30,Default,,0000,0000,0000,,too open and friendly to that agent for no\Nreason. So I think the kind of answer is Dialogue: 0,0:26:30.30,0:26:34.59,Default,,0000,0000,0000,,to do your operations in a way where you\Ndon't have to trust people. 
Dialogue: 0,0:26:34.59,0:26:40.41,Default,,0000,0000,0000,,(Mic Question): "How effective do you Dialogue: 0,0:26:40.41,0:26:45.35,Default,,0000,0000,0000,,think these methods are, because we've\Nseen the number of followers on Twitter Dialogue: 0,0:26:45.35,0:26:50.35,Default,,0000,0000,0000,,and the number of views on YouTube were\Nvery low so, how much people can, is Dialogue: 0,0:26:50.35,0:26:51.97,Default,,0000,0000,0000,,affected by this kind of operations" Dialogue: 0,0:26:51.97,0:26:57.73,Default,,0000,0000,0000,,(S.): Yes, so there was also a slide I\Nmeant to put in there, that was leaked page Dialogue: 0,0:26:57.73,0:27:03.11,Default,,0000,0000,0000,,another leaked page from GCHQ that had a\Nlist of bullet points on what they Dialogue: 0,0:27:03.11,0:27:07.37,Default,,0000,0000,0000,,considered to be an effective operation\Nand some of those bullet points include Dialogue: 0,0:27:07.37,0:27:11.93,Default,,0000,0000,0000,,how many people click that link, how many\Npeople, how many people watch the YouTube Dialogue: 0,0:27:11.93,0:27:15.12,Default,,0000,0000,0000,,video, etc, so it's pretty much the same\Nways that you would measure it how many Dialogue: 0,0:27:15.12,0:27:19.89,Default,,0000,0000,0000,,people viewed a specific message. Now in\Ntheir specific use cases I don't think Dialogue: 0,0:27:19.89,0:27:23.82,Default,,0000,0000,0000,,they were very successful on a large\Nscale, specifically in Iran protests Dialogue: 0,0:27:23.82,0:27:27.50,Default,,0000,0000,0000,,because the Twitter accounts had very few\Nfollowers and their YouTube videos only Dialogue: 0,0:27:27.50,0:27:33.28,Default,,0000,0000,0000,,had a few hundred views but they might\Nhave been, obviously more successful in Dialogue: 0,0:27:33.28,0:27:37.04,Default,,0000,0000,0000,,more target cases when targeting specific\Nindividuals by doing the Bahrain case or Dialogue: 0,0:27:37.04,0:27:38.04,Default,,0000,0000,0000,,the p0ke case. 
Dialogue: 0,0:27:38.04,0:27:39.61,Default,,0000,0000,0000,,(H.): Over there please. Dialogue: 0,0:27:39.61,0:27:45.22,Default,,0000,0000,0000,,(Mic Question): Sure, thank you, so I'm\Njust curious if you were familiar with the Dialogue: 0,0:27:45.22,0:27:49.73,Default,,0000,0000,0000,,work of Erin Gallagher, she's done work to\Ntry to figure out, kind of quantitatively Dialogue: 0,0:27:49.73,0:27:52.81,Default,,0000,0000,0000,,and make these visualizations, to try to\Nfigure out if a particular Twitter account Dialogue: 0,0:27:52.81,0:27:57.28,Default,,0000,0000,0000,,for example is a bot or whether it's a\Nperson and there's some you know rules of Dialogue: 0,0:27:57.28,0:28:00.50,Default,,0000,0000,0000,,thumb regarding like, you know if the bots\Njust kind of interact with each other and Dialogue: 0,0:28:00.50,0:28:01.91,Default,,0000,0000,0000,,don't react, don't interact with real\Npeople Dialogue: 0,0:28:01.91,0:28:07.34,Default,,0000,0000,0000,,I'm just curious what, what techniques you\Nmay know of to, to figure out you know Dialogue: 0,0:28:07.34,0:28:10.54,Default,,0000,0000,0000,,what is a bot and what is not and whether\Nyou are familiar with those particular Dialogue: 0,0:28:10.54,0:28:11.56,Default,,0000,0000,0000,,lines of a research. Dialogue: 0,0:28:11.56,0:28:16.96,Default,,0000,0000,0000,,(S.): I'm not familiar with their\Nwork, but thank you, I'll check it out. In terms Dialogue: 0,0:28:16.96,0:28:24.14,Default,,0000,0000,0000,,of what kind of metrics that you could use\Nor to use to see if an account is valid or Dialogue: 0,0:28:24.14,0:28:29.72,Default,,0000,0000,0000,,not, I mean, I think, I guess they're,\Ntheir tweeting kind of, habits and when Dialogue: 0,0:28:29.72,0:28:34.01,Default,,0000,0000,0000,,they tweet for example could be\Nindicative, so for example we saw this Dialogue: 0,0:28:34.01,0:28:38.25,Default,,0000,0000,0000,,person only tweet at 9 to 5. 
Obviously\Nthat's quite easy to make that it's on the Dialogue: 0,0:28:38.25,0:28:44.12,Default,,0000,0000,0000,,case and also I think one useful things\Nmight be might be interesting to do, is Dialogue: 0,0:28:44.12,0:28:50.88,Default,,0000,0000,0000,,try to map the network of these accounts.\NIf you like build up like a web of Dialogue: 0,0:28:50.88,0:28:55.91,Default,,0000,0000,0000,,followers, that you might be able to very\Neasy for graphically detect, very obvious Dialogue: 0,0:28:55.91,0:28:59.10,Default,,0000,0000,0000,,clusters for accounts that are following\Neach other, to be to be very signal. Dialogue: 0,0:28:59.10,0:29:01.37,Default,,0000,0000,0000,,(Mic): Yeah for sure, thank you. Dialogue: 0,0:29:01.37,0:29:04.44,Default,,0000,0000,0000,,(H.) Let's switch over to mic 6 please Dialogue: 0,0:29:04.46,0:29:05.31,Default,,0000,0000,0000,,(Mic 6 question): Thank you for the- Dialogue: 0,0:29:05.31,0:29:11.58,Default,,0000,0000,0000,,thank you for the great talk, how would\Nyou compare the former British activities Dialogue: 0,0:29:11.58,0:29:18.15,Default,,0000,0000,0000,,to the current Russian activities, maybe a\Ntalk in itself, but... Dialogue: 0,0:29:18.15,0:29:20.43,Default,,0000,0000,0000,,(S.) To be honest, I haven't been digging Dialogue: 0,0:29:20.43,0:29:23.92,Default,,0000,0000,0000,,too deep in the details or following too\Nmuch about the Russian activities, so I Dialogue: 0,0:29:23.92,0:29:26.86,Default,,0000,0000,0000,,can't really comment about that, I don't\Nknow how prolific it is, I only mentioned Dialogue: 0,0:29:26.86,0:29:31.76,Default,,0000,0000,0000,,it briefly in the beginning of the slides\Nbecause it was to give some context, so Dialogue: 0,0:29:31.76,0:29:34.37,Default,,0000,0000,0000,,I'll have to research more to the Russian\Nactivities. Dialogue: 0,0:29:34.37,0:29:39.02,Default,,0000,0000,0000,,(H.) 
Go to mic 5 again Dialogue: 0,0:29:39.02,0:29:42.14,Default,,0000,0000,0000,,(Mic 5 Question): Thanks, to continue Dialogue: 0,0:29:42.14,0:29:51.83,Default,,0000,0000,0000,,from the person who spoke, that would have\Nbeen my question. So, just to add up onto Dialogue: 0,0:29:51.83,0:29:58.86,Default,,0000,0000,0000,,that, did you stumble upon similar\Npatterns coming from say Canberra or a Dialogue: 0,0:29:58.86,0:30:00.23,Default,,0000,0000,0000,,Washington DC? Dialogue: 0,0:30:00.23,0:30:05.44,Default,,0000,0000,0000,,(S.): So these accounts were very\Nspecific to just to the UK expressions, Dialogue: 0,0:30:05.44,0:30:09.28,Default,,0000,0000,0000,,there was no kind of collaboration there\Nwith other countries within the five eyes, Dialogue: 0,0:30:09.28,0:30:15.20,Default,,0000,0000,0000,,like the US or Australia, but I think they\Nmight have, Dialogue: 0,0:30:15.20,0:30:19.12,Default,,0000,0000,0000,,GCHQ I think has collaborated with the NSA Dialogue: 0,0:30:19.12,0:30:23.06,Default,,0000,0000,0000,,JTRIG specifically I think has collaborated\Nbefore with the NSA to delegitimize Dialogue: 0,0:30:23.06,0:30:27.93,Default,,0000,0000,0000,,certain people. 
So for example\Nwe saw during a few years ago or last year Dialogue: 0,0:30:27.93,0:30:34.23,Default,,0000,0000,0000,,I think there was a drone attack, someone\Nwas illegally killed in a drone strike in Dialogue: 0,0:30:34.23,0:30:40.22,Default,,0000,0000,0000,,Iraq, he was a suspected to be an ISIS\Nmember, Junaid Hussain, and apparently the Dialogue: 0,0:30:40.22,0:30:45.30,Default,,0000,0000,0000,,way that he was deanonymized or the way they\Nfound this location is that the US, the Dialogue: 0,0:30:45.30,0:30:49.27,Default,,0000,0000,0000,,FBI specifically, had an informant that was\Ntalking to this person and that informant Dialogue: 0,0:30:49.27,0:30:53.48,Default,,0000,0000,0000,,sent them and sent them a link that was\Ngenerated by GCHQ and then since that link Dialogue: 0,0:30:53.48,0:30:56.71,Default,,0000,0000,0000,,they were able to deanonymize them so I\Nthink there's some collaboration there but Dialogue: 0,0:30:56.71,0:30:59.11,Default,,0000,0000,0000,,this is mostly UK activity. Dialogue: 0,0:30:59.11,0:31:04.32,Default,,0000,0000,0000,,(H.): Last question, we are out of time.\NThank you again, Mustafa. {\i1}applause{\i0} Dialogue: 0,0:31:04.32,0:31:31.94,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 2019. Join, and help us!