WEBVTT
00:00:00.000 --> 00:00:15.005
34c3 intro
00:00:15.005 --> 00:00:21.070
Herald: All right, it's my great pleasure
to introduce to you Mustafa Al-Bassam.
00:00:21.090 --> 00:00:26.500
He's gonna talk about uncovering British
spies' web of sockpuppet social media
00:00:26.500 --> 00:00:31.720
personas. Mustafa is a PhD student at the
University College in London, studying
00:00:31.730 --> 00:00:37.329
information security and focusing on
decentralized systems. Mustafa was a co-
00:00:37.329 --> 00:00:43.921
founder of LulzSec, a hacker activist
group some of you might have heard of, and
00:00:43.921 --> 00:00:48.339
with that, please give a warm applause to
Mustafa.
00:00:48.339 --> 00:00:55.469
applause
00:00:55.469 --> 00:00:57.920
Mustafa Al-Bassam: Hey. So it seems that
00:00:57.920 --> 00:01:02.489
over the past year we've had a lot in the
media about this kind of idea that the
00:01:02.489 --> 00:01:06.070
people that you interact with on Twitter
and Facebook and other kinds of social
00:01:06.070 --> 00:01:11.580
media are not necessarily who they say
they are, and sometimes they
00:01:11.590 --> 00:01:16.329
might not even be people at all. They
might be bots. And we've heard about how
00:01:16.329 --> 00:01:21.009
this might be used to manipulate people
into believing certain things or certain
00:01:21.009 --> 00:01:26.189
ideas. And this has become quite a big
topic recently, especially after the U.S.
00:01:26.189 --> 00:01:32.159
presidential elections in 2016, where
according to one study, up to one in five
00:01:32.159 --> 00:01:36.030
election related tweets weren't actually
from real people. And apparently it's
00:01:36.030 --> 00:01:40.759
such a big problem that even the
president is being manipulated by, to say,
00:01:40.759 --> 00:01:46.250
bots. But, this has been a kind of
activity that has been going on for a very
00:01:46.250 --> 00:01:49.119
long time, and not just from Russia or
China.
00:01:49.119 --> 00:01:53.869
The West also engages in these kind of
activities including the UK and the US,
00:01:53.869 --> 00:02:00.799
but in other kinds, in other regions. So,
today I'm talking about what Britain does
00:02:00.799 --> 00:02:08.038
in this regard. So, in the UK we have a
NSA-equivalent intelligence agency called
00:02:08.038 --> 00:02:13.280
GCHQ or Government Communications
Headquarters. And their job is basically
00:02:13.280 --> 00:02:20.500
like the UK's version of the NSA: to
collect as much information as possible
00:02:20.500 --> 00:02:26.080
through wiretaps and mass surveillance
systems. But they also have a subgroup or
00:02:26.080 --> 00:02:31.360
subteam within GCHQ called the Joint
Threat Research Intelligence Group or
00:02:31.360 --> 00:02:36.420
JTRIG for short. And what these guys
basically do is, it's basically a fancy
00:02:36.420 --> 00:02:40.970
name for sitting on Twitter and Facebook
all day and trolling online. What they do is
00:02:40.970 --> 00:02:44.860
they conduct what they call Human
Intelligence, which is kind of like the
00:02:44.860 --> 00:02:49.840
act of interacting with humans online to
try to make something happen in the real
00:02:49.840 --> 00:02:54.390
world. And in their own words one of their
missions is to use "dirty tricks" to
00:02:54.390 --> 00:03:00.150
"destroy, deny, degrade and disrupt
enemies" by "discrediting" them. And we've
00:03:00.150 --> 00:03:05.400
seen JTRIG has been involved in various
campaigns and operations, including
00:03:05.400 --> 00:03:10.090
targeting hacktivist groups like Anonymous
and LulzSec, and also protests in the
00:03:10.090 --> 00:03:14.510
Middle East, during the Arab Spring and
also the Iranian protest in 2009.
00:03:14.510 --> 00:03:20.620
So, a bit of context to what led me to
uncover this stuff and to actually
00:03:20.620 --> 00:03:24.930
research this stuff. So in 2011, I was
involved with the hacktivist
00:03:24.930 --> 00:03:29.510
group LulzSec. And to refresh your memory,
LulzSec was a group that existed during
00:03:29.510 --> 00:03:34.650
the summer of 2011 and hacked into a bunch
of US corporate and government
00:03:34.650 --> 00:03:40.211
organizations, like the US Senate, their
affiliates and Sony and Fox. And in the
00:03:40.211 --> 00:03:46.180
same year I was arrested, and a year later
I was officially indicted on a court
00:03:46.180 --> 00:03:50.680
indictment. But the thing that struck me
about this indictment was that there was
00:03:50.680 --> 00:03:55.130
absolutely no mention in this court
document about how they managed to
00:03:55.130 --> 00:04:01.130
deanonymize me and my co-defendants. Or
how they managed to actually link our
00:04:01.130 --> 00:04:06.820
online identities with offline identities.
And I thought it was suspicious because
00:04:06.820 --> 00:04:15.010
our US counterparts, actually, their court
indictments had very lengthy sections on
00:04:15.010 --> 00:04:20.540
how they were caught. For example, when
the FBI arrested Jeremy Hammond, his court
00:04:20.540 --> 00:04:25.150
indictment had very detailed
information about how those guys social
00:04:25.150 --> 00:04:28.540
engineered him and managed to track him
through his IP address and through Tor and
00:04:28.540 --> 00:04:33.600
whatnot. But then, fast forward a year
later, Edward Snowden started leaking
00:04:33.600 --> 00:04:39.470
documents about the NSA and GCHQ, and then
in 2014, one of those documents or some of
00:04:39.470 --> 00:04:45.600
those documents were released on NBC that
showed that GCHQ was targeting hacktivist
00:04:45.600 --> 00:04:49.850
groups like Anonymous and LulzSec. And
that makes a lot of sense in my head.
00:04:49.850 --> 00:04:55.820
Because if GCHQ was involved in this
deanonymization process, then they
00:04:55.820 --> 00:04:59.410
wouldn't want to have that in the court
indictment, because it would reveal the
00:04:59.410 --> 00:05:03.830
operational techniques.
And this is one of the leaked slides from
00:05:03.830 --> 00:05:09.870
GCHQ talking about some of the activist
groups they target. One of the people
00:05:09.870 --> 00:05:17.460
they targeted was someone who went by the
nickname of "p0ke", who was chatting in an
00:05:17.460 --> 00:05:25.220
IRC channel, a public chat network. And
this was a public chatting channel where
00:05:25.220 --> 00:05:30.520
people from Anonymous and other kinds of
hacktivists kind of sit and chat about
00:05:30.520 --> 00:05:38.580
various topics and also plan operations.
And this person "p0ke" was chatting on
00:05:38.580 --> 00:05:47.490
this channel and boasted that they had a
list of 700 FBI agents' emails and phone
00:05:47.490 --> 00:05:55.050
numbers and names. And then it turned out
that a GCHQ agent was covertly in this
00:05:55.050 --> 00:06:00.950
channel observing what people were saying.
And then the GCHQ agent initiated a
00:06:00.950 --> 00:06:05.510
private message with this person to kind
of get more information and to try to
00:06:05.510 --> 00:06:12.210
build a relationship with this person. And
the agent asked them what was the site and
00:06:12.210 --> 00:06:16.490
then they just gave that information up
and they even gave them a sample of some
00:06:16.490 --> 00:06:22.560
of the leaked information. So it turns out
that actually GCHQ was active in these IRC
00:06:22.560 --> 00:06:30.930
networks and chat networks for months if
not years and they were in up to several
00:06:30.930 --> 00:06:35.590
hundred channels at a time. They were just
sitting there idling. They weren't really
00:06:35.590 --> 00:06:41.450
saying much or actually participating in
conversation, except that every few months
00:06:41.450 --> 00:06:46.270
you might notice them say "hey" or "lol"
in the chat even though it might be out of
00:06:46.270 --> 00:06:49.360
context of the conversation that was going
on, presumably so that they wouldn't get
00:06:49.360 --> 00:06:53.520
kicked off the network because some
networks kick you off if you're idling
00:06:53.520 --> 00:06:58.419
there for too long. And then often what
they would do is they would private
00:06:58.419 --> 00:07:03.139
message people in rooms to try and
corroborate information about activities
00:07:03.139 --> 00:07:07.139
that were going on and being discussed or
trying to entrap people by getting them to
00:07:07.139 --> 00:07:13.260
admit to things as we saw with p0ke.
And it seemed to be quite a common theme
00:07:13.260 --> 00:07:19.470
that these undercover feds and agents were
sitting in these chat rooms. In the
00:07:19.470 --> 00:07:26.389
Europol meeting 2011, where 15 European
countries were discussing what they were
00:07:26.389 --> 00:07:31.710
doing to tackle Anonymous and LulzSec,
apparently there were certainly undercover
00:07:31.710 --> 00:07:36.520
cops in these channels that had an issue
with undercover cops investigating each
00:07:36.520 --> 00:07:40.990
other.
laughter
00:07:40.990 --> 00:07:53.280
So the GCHQ agent that was targeting p0ke
sent them a link to a BBC news article
00:07:53.280 --> 00:08:01.870
about hacktivists. And, according to this
leaked slide, this link enabled GCHQ to
00:08:01.870 --> 00:08:08.610
conduct signal intelligence to discover
p0ke's real name, Facebook and email
00:08:08.610 --> 00:08:14.530
accounts etc. It doesn't say exactly how
they did that, but it's not that hard if
00:08:14.530 --> 00:08:20.830
they have your IP address and user agent.
Back then, in 2011, most websites weren't
00:08:20.830 --> 00:08:25.490
using HTTPS, including Facebook, so if
they look up your IP address in XKeyscore
00:08:25.490 --> 00:08:29.520
or the dragnet surveillance system, they
can easily see what other traffic is
00:08:29.520 --> 00:08:35.010
originating from that IP address, and what
Facebook accounts are connected to that IP
00:08:35.010 --> 00:08:41.948
address for example. But in this
slide leaked by NBC the URL was redacted,
00:08:41.948 --> 00:08:46.399
but it wasn't very hard to actually find
that URL, because these were public
00:08:46.399 --> 00:08:51.029
channels that GCHQ agents were talking in,
and people haven't been targeted in
00:08:51.029 --> 00:08:56.470
themselves including myself. We were able
to find out what that URL shortener was
00:08:56.470 --> 00:09:01.589
I mean what that website was but
which turned out to be a URL shortener so
00:09:01.589 --> 00:09:09.949
the website that was sent to p0ke to click
was "lurl.me" and according to
00:09:09.949 --> 00:09:16.950
archive.org, here is a snapshot from
"lurl.me" in 2013, just before it went
00:09:16.950 --> 00:09:21.279
offline, that basically showed it was a
URL shortening service, it looks like a
00:09:21.279 --> 00:09:28.170
generic URL shortening service. One thing
I noticed is, the domain name sounds
00:09:28.170 --> 00:09:32.820
like "lure me" which is basically what
they were doing,
00:09:32.820 --> 00:09:41.119
because JTRIG had this internal wiki
where they listed all the tech tools and
00:09:41.119 --> 00:09:47.149
techniques that they use in the operations
and one of the categories that they have
00:09:47.149 --> 00:09:54.999
is "shaping and honey pots" and in that
category they have a tool code named
00:09:54.999 --> 00:09:59.200
Deadpool which is described as a URL
shortening service and that's what
00:09:59.200 --> 00:10:07.970
"lurl.me" was. We first saw "lurl.me" in
2009 - the domain name was registered in
00:10:07.970 --> 00:10:16.040
2009 - and almost immediately it
was linked to tweets about Iranian protests,
00:10:16.040 --> 00:10:21.679
and then it went offline in 2013, shortly
after (every sudden) leaks in November,
00:10:21.679 --> 00:10:26.089
but interesting if you look up all of the
instances of this URL shortener being used
00:10:26.089 --> 00:10:30.209
in social media and Twitter there's
probably about 100-200 instances of it
00:10:30.209 --> 00:10:36.040
being used and every single one of those
instances where it was used it was
00:10:36.040 --> 00:10:42.829
associated with political activities late
in the Middle East or Africa usually to
00:10:42.829 --> 00:10:49.270
protests. And the majority of the most
common were coming from the default
00:10:49.270 --> 00:10:54.220
Twitter accounts with no avatar, with very
few tweets and they're accounts that were
00:10:54.220 --> 00:10:59.689
active for only a few months between 2009
and 2013.
00:10:59.689 --> 00:11:05.589
One of the techniques, or some of the
techniques that JTRIG used, in their own
00:11:05.589 --> 00:11:09.680
words to conduct their operations
includes uploading YouTube videos
00:11:09.680 --> 00:11:13.720
containing persuasive messaging,
establishing online aliases with Facebook
00:11:13.720 --> 00:11:18.970
and Twitter accounts, blogs on foreign
memberships for conducting human
00:11:18.970 --> 00:11:23.129
intelligence, or encouraging discussion on
specific issues, sending spoof emails and
00:11:23.129 --> 00:11:28.189
text messages as well as providing spoof
online resources, and setting up spoof
00:11:28.189 --> 00:11:34.850
trace sites and this is exactly what we're
going to see in the next few slides and in
00:11:34.850 --> 00:11:39.749
most examples that they use for the
operations is they actually targeted the
00:11:39.749 --> 00:11:44.950
entire general population of Iran which is
a pretty big target audience of 80 million
00:11:44.950 --> 00:11:48.279
people. According to them,
they had several goals in Iran:
00:11:48.279 --> 00:11:53.389
the first goal was to discredit the
Iranian leadership and its nuclear program.
00:11:53.389 --> 00:11:57.469
Second goal was to delay and disrupt on-
line access to materials used in the
00:11:57.469 --> 00:12:00.059
nuclear program. Third goal was
conducting online Human
00:12:00.079 --> 00:12:02.739
Intelligence and the fourth goal was the most
00:12:02.739 --> 00:12:07.589
interesting goal in my opinion: counter
censorship. It might seem might sound great
00:12:07.589 --> 00:12:12.769
it might sound like almost like GCHQ is
kind of aligned with the motives of the
00:12:12.769 --> 00:12:16.480
Internet freedom community by helping
these Iranian activists to evade
00:12:16.480 --> 00:12:18.929
censorship.
But we're gonna see it's not really the
00:12:18.929 --> 00:12:24.550
case. The main kind
of sock puppet accounts on Twitter that
00:12:24.550 --> 00:12:32.009
JTRIG was running during this campaign in
2009 was called "2000 Iran
00:12:32.009 --> 00:12:36.519
2009 Iran free".
This was the most kind of active Twitter
00:12:36.519 --> 00:12:41.679
account that it had and it had 216 tweets
and they also had, kind of like, a bunch
00:12:41.679 --> 00:12:46.499
of other accounts that were less active
that had default avatars probably just to
00:12:46.499 --> 00:12:51.389
kind of build up their social
network that mostly retweeted things,
00:12:51.389 --> 00:12:57.509
retweeted the same things as a display
account but slightly rewarded or even with
00:12:57.509 --> 00:13:00.050
them.
And what this Twitter account essentially
00:13:00.050 --> 00:13:07.449
did was in quick succession, over a period
of like one or two weeks tweeted a bunch
00:13:07.449 --> 00:13:12.920
of links from this URL shortener for
various purposes, to various articles
00:13:12.920 --> 00:13:20.319
on blogs online and they also had actually
a blogspot website with like one article
00:13:20.319 --> 00:13:28.709
to kind of expand their network I guess.
One of the activities that 2009 Iran free
00:13:28.709 --> 00:13:35.730
and the other sock puppets were doing
was they were kind of trying to spread the
00:13:35.730 --> 00:13:42.269
same IP addresses as proxies to Iranians
to use as counter censorship. So for
00:13:42.269 --> 00:13:48.389
example you can see that they have a list
of IP addresses here that will hash like
00:13:48.389 --> 00:13:52.269
Iran election that they can use for
protests and they and they might sometimes
00:13:52.269 --> 00:14:01.899
feed links to this proxy
using that URL shortener and this is, this
00:14:01.899 --> 00:14:07.329
is quite concerning because well one of
the tools used by JTRIG is also called
00:14:07.329 --> 00:14:12.639
codenamed Molten Magma which is basically
HTTP proxy with the ability to log all
00:14:12.639 --> 00:14:16.910
traffic and perform HTTPS man-in-the-
middle because, again, they were
00:14:16.910 --> 00:14:20.429
spreading exactly the same IP address all
of these sock puppet accounts
00:14:20.429 --> 00:14:26.009
were spreading exactly the same IP
addresses and same links to Iranians to
00:14:26.009 --> 00:14:33.119
help them to or to allegedly help them to
evade common censorship. And they were
00:14:33.119 --> 00:14:37.569
even claiming that these for the same
proxies used by the Iranian government to
00:14:37.569 --> 00:14:41.249
get around their own firewalls so if they,
apparently if they block these proxies
00:14:41.249 --> 00:14:45.619
they will block their own access to the
outside world.
00:14:45.619 --> 00:14:50.519
And this is essentially what they are
doing here. In this kind of context GCHQ
00:14:50.519 --> 00:14:54.610
is kind of acting like the big bad wolf
from Red Riding Hood. It might seem like
00:14:54.610 --> 00:15:02.319
they're helping me but they're also
causing you harm in the process.
00:15:02.319 --> 00:15:06.629
And this is a list that
contains a list of some of the techniques
00:15:06.629 --> 00:15:13.319
that JTRIG used. This was also a leaked
document and this essentially kills two
00:15:13.319 --> 00:15:18.360
birds in one stone because what they do is
at the bottom it says one technique is
00:15:18.360 --> 00:15:22.370
hosting targets' online communications for
collecting signal intelligence as we saw
00:15:22.370 --> 00:15:27.120
with p0ke and which is why they tweet
these links using URL shortener so they
00:15:27.120 --> 00:15:32.429
can conduct signal intelligence on people
who are interested in clicking these
00:15:32.429 --> 00:15:38.839
things and also providing online access
to uncensored materials and sending instant
00:15:38.839 --> 00:15:42.759
messages to specific individuals giving
them instructions for accessing uncensored
00:15:42.759 --> 00:15:47.120
websites.
One of the forums that these proxies were
00:15:47.120 --> 00:15:53.939
posted in was whyweprotest.net and someone
actually kind of almost got it right.
00:15:53.939 --> 00:15:56.779
Someone asked: "Why does the government use
proxies? That doesn't make any sense, they
00:15:56.779 --> 00:15:59.509
wouldn't need any proxies." And then
someone replied: "The Iranian government
00:15:59.509 --> 00:16:03.999
allegedly has set up proxies to monitor
connections from within Iran to be
00:16:03.999 --> 00:16:08.100
able to pinpoint the people who are trying
to bypass these blocks." So they're almost
00:16:08.100 --> 00:16:10.569
right because it wasn't the Iranian
government that was actually monitoring
00:16:10.569 --> 00:16:18.760
connections in Iran. It was GCHQ.
There were also set up, I agree, basic
00:16:18.760 --> 00:16:25.529
websites, that basically acted as RSS
feeds to English websites about Iran to
00:16:25.529 --> 00:16:29.629
presumably, but also for counter
censorship reasons. One of the same
00:16:29.629 --> 00:16:34.889
things they did was mimic government
officials. So for example they might
00:16:34.889 --> 00:16:39.980
post in a forum saying: "Attention users
outside Iran, you can call the president
00:16:39.980 --> 00:16:43.839
at this number to discuss the elections
direct." And they were hesitant that you
00:16:43.839 --> 00:16:49.829
should not call this number if you are in
Iran. And then they will also give an
00:16:49.829 --> 00:16:55.670
email address for the vice president on
the Twitter.
00:16:55.670 --> 00:17:00.370
This also matches up with another
technique that JTRIG uses, again according
00:17:00.370 --> 00:17:06.549
to the leaked documents, where they send
spoof emails and text messages from a fake
00:17:06.549 --> 00:17:11.669
person or mimicking a real person to
discredit, promote, distrust, dissuade,
00:17:11.669 --> 00:17:16.829
deceive, deter, delay or disrupt. Whatever
the purpose was, they certainly managed to
00:17:16.829 --> 00:17:20.810
promote distrust because one of the
replies to this post was: "This can't be
00:17:20.810 --> 00:17:24.599
the president's number because if it were
the second call would be answered by
00:17:24.599 --> 00:17:29.850
Iranian intelligence services. So these are
strange days. I suppose anything could
00:17:29.850 --> 00:17:33.760
happen at this point."
So that was most of the activity that we
00:17:33.760 --> 00:17:40.450
saw in 2009. There was a bunch of other
Twitter accounts with default egg, default
00:17:40.450 --> 00:17:46.461
avatars associated with these links. You
can find them if you search lurl.me with
00:17:46.461 --> 00:17:52.570
quotation marks and Google with sites
-twitter.com. In 2010 there was absolutely
00:17:52.570 --> 00:18:00.120
no activity on Twitter or all social media
associated with this URL shortener. Then, in
00:18:00.120 --> 00:18:08.750
2011, we saw some activity in Syria for
this URL shortener for a similar purpose
00:18:08.750 --> 00:18:12.620
of conducting censorship resistance in
Syria. And they were essentially doing the
00:18:12.620 --> 00:18:18.100
same thing, same techniques, giving people
IP addresses to connect to, that you
00:18:18.100 --> 00:18:24.019
thought that they probably are MITM'd.
But one of the things they did here as
00:18:24.019 --> 00:18:28.270
well was they didn't just tweet stuff they
also posted a YouTube video, like a very
00:18:28.270 --> 00:18:33.150
poorly made YouTube video with only
300 views to try to get people to watch
00:18:33.150 --> 00:18:37.600
that. They didn't really try very hard
here because if you actually look at the
00:18:37.600 --> 00:18:43.340
times on when these accounts tweeted,
all the accounts in Syria actually should
00:18:43.340 --> 00:18:49.750
have tweeted. They only tweet between 9 to
5 p.m. UK time Monday to Friday.
00:18:49.750 --> 00:19:00.070
laughter, applause
I mean, I don't know, I think
00:19:00.070 --> 00:19:06.269
they were lazy, or they were just, they
didn't really bother or weren't motivated.
00:19:06.269 --> 00:19:10.700
But one of the limitations that JTRIG has,
they actually had one in the leaked
00:19:10.700 --> 00:19:15.549
documents, that they had was they had a
list of limitations that the staff have
00:19:15.549 --> 00:19:19.470
when conducting its operations. And one of
them is that they have difficulty in
00:19:19.470 --> 00:19:24.549
maintaining more than a small number of
unique multi-dimension active aliases
00:19:24.549 --> 00:19:29.880
especially with doing online human
intelligence. Which is why we only see
00:19:29.880 --> 00:19:35.130
like one main twitter account for these
events and then like a bunch of other kind
00:19:35.130 --> 00:19:38.610
of default expat accounts, usually like
five or six. We didn't tend to see
00:19:38.610 --> 00:19:44.460
hundreds of them you only see about less
than 10, because this was back in 2009,
00:19:44.460 --> 00:19:50.270
2011. They weren't doing it in an
automated way. And they also said the lack
00:19:50.270 --> 00:19:55.559
of continuity in maintaining an alias or
communicating via an alias if a staff
00:19:55.559 --> 00:20:02.350
member is away and his or her work is
covered by others and also the other one
00:20:02.350 --> 00:20:08.620
was lack of photographs, visual images, of
aliases which is why we always see like
00:20:08.620 --> 00:20:12.280
egg or default avatars for these
sock puppet accounts because they can't
00:20:12.280 --> 00:20:16.630
unless they have like a full-fledged
graphics team or have faces of people to
00:20:16.630 --> 00:20:22.120
put in there and they can't really put
anything as avatar. They also apparently
00:20:22.120 --> 00:20:28.220
had a lack of sufficient number and varied
cultural language advisors, e.g. in Russian,
00:20:28.220 --> 00:20:32.090
Arabic and Pashto which is why we see
here on these Twitter accounts they're
00:20:32.090 --> 00:20:36.299
basically tweeting the same thing over and
over again with no variation. Here's the
00:20:36.299 --> 00:20:40.249
same text over and over again because they
don't have lots of translators to
00:20:40.249 --> 00:20:48.390
translate that.
The other thing we saw in 2011 was a very
00:20:48.390 --> 00:20:54.179
targeted attack during the Bahrain
protests. They had a twitter account
00:20:54.179 --> 00:21:00.490
called 'Freedom4Bahrain' and this, it just
sent two tweets, mentioning two accounts
00:21:00.490 --> 00:21:07.050
"14FebTV" and "14FebRevolution", and
these were two accounts that were,
00:21:07.050 --> 00:21:09.470
like,
really big kind of social media outlets in
00:21:09.470 --> 00:21:15.460
Bahrain that were covering the protests
that were going on there. And these were
00:21:15.460 --> 00:21:21.770
targeted mentions of the kind that we saw
with p0ke, so, presumably also here, they
00:21:21.770 --> 00:21:23.809
were using that to conduct Signal
Intelligence,
00:21:23.809 --> 00:21:32.019
to discover who was running these two
accounts. In 2012 you also saw no activity
00:21:32.019 --> 00:21:42.009
associated with that URL shortener. During 2013 I managed
to find one tweet related to Kenya, to the
00:21:42.009 --> 00:21:47.340
Kenyan imposed national politics and this
person isn't an education sock puppet, this
00:21:47.340 --> 00:21:52.700
person is a research assistant at the
Human Rights Watch. So this, but that begs
00:21:52.700 --> 00:21:58.080
the question of how did he actually get
this URL? Probably a similar message to
00:21:58.080 --> 00:22:02.720
p0ke, they probably sent him a link
through a private message found that
00:22:02.720 --> 00:22:08.460
interesting and tweeted it, so not only
are they targeting protesters, they are
00:22:08.460 --> 00:22:16.750
also targeting NGOs. Then, in 2013,
all of the infrastructure associated with
00:22:16.750 --> 00:22:23.370
URL-shortener was shot offline, this was
in 2013, which was a few months after the
00:22:23.370 --> 00:22:26.790
Edward Snowden leaks, so they had a bit of
delay of doing it, but it must have been a
00:22:26.790 --> 00:22:32.840
real pain in the arse for them to have to
renew all their infrastructure, but I did
00:22:32.840 --> 00:22:38.340
do some digging into some of other host
names that were hosted on this lurl.me
00:22:38.340 --> 00:22:44.820
server. Between 2009 and 2013, most of
these host names seem to be random
00:22:44.820 --> 00:22:51.090
alphanumeric domain names, and some of
them are using publicly the DNS providers
00:22:51.090 --> 00:22:57.350
like DynDNS or DNSAlias, I wasn't able to
find any websites archived for these
00:22:57.350 --> 00:23:02.039
domains, so it doesn't seem that there was
any websites there, but if you have any
00:23:02.039 --> 00:23:06.250
ideas let me know, because one of the
things that I suspect is that these might
00:23:06.250 --> 00:23:09.809
have been malware endpoints or command
control servers, that they were using, so
00:23:09.809 --> 00:23:13.880
if you have any monitoring tools or
logs then maybe you should look up some of
00:23:13.880 --> 00:23:18.759
these host names. But one of the
interesting domain names that I thought
00:23:18.759 --> 00:23:25.049
was interesting there was dunesadventures.net
and this is the archived
00:23:25.049 --> 00:23:27.009
page for Dunesadventures
00:23:27.009 --> 00:23:29.440
which was another
website based in Kenya. They were up to
00:23:29.440 --> 00:23:35.110
something in Kenya and it claimed that
they were having this was a very basic one
00:23:35.110 --> 00:23:41.009
page website that was kind of very poorly
made and they claimed that they were
00:23:41.009 --> 00:23:44.539
having site problems and apparently "we
have noticed problems with our booking
00:23:44.539 --> 00:23:49.220
system, this has been taken offline until
our techs find the problem - we apologize
00:23:49.220 --> 00:23:53.250
for any inconvenience." But there was never
any booking system in the first place,
00:23:53.250 --> 00:23:58.270
this was just pretty much a ruse to make
it look like if you go to this website, a
00:23:58.270 --> 00:24:03.360
legitimate company was hosting there. So
if you mind anything about that, then I'd
00:24:03.360 --> 00:24:08.139
be curious as well. Also, if there are any
GCHQ agents in the room, then I'm
00:24:08.139 --> 00:24:15.779
happy to get a drink with you as well.
That's all I have for today, does anyone
00:24:15.779 --> 00:24:26.960
have any questions?
applause
00:24:26.960 --> 00:24:41.510
(Herald) asks for questions
(Mic Question): OK, IRC asks: Deceiving
00:24:41.510 --> 00:24:46.350
a target into trusting you and leaking any form
of info is used everywhere right now, IRC,
00:24:46.350 --> 00:24:50.970
Twitter and Facebook and so on. How would you
advise people to distinguish between a
00:24:50.970 --> 00:24:54.059
genuine identity and an undercover agent?
00:24:54.059 --> 00:24:56.029
(Speaker): I think that's a very good
question because-
00:24:56.029 --> 00:24:59.121
(H.): So just a quick second, if you
00:24:59.121 --> 00:25:03.400
really have to leave the room right now,
people, please do so quietly, we still
00:25:03.400 --> 00:25:08.019
have a talk going on and it's really
unrespectful if you make that much noise
00:25:08.019 --> 00:25:13.190
and interrupt this whole thing.
applause
00:25:13.190 --> 00:25:17.300
I know a lot of people are interested in
the talk afterwards but we'll all get you
00:25:17.300 --> 00:25:18.300
in and sorry.
00:25:18.300 --> 00:25:23.309
(S.): So I think that was a very good question
because if you're conducting, if you're
00:25:23.309 --> 00:25:26.990
doing activism online and you need to be
anonymous and you don't want to meet up
00:25:26.990 --> 00:25:30.450
with people in person, then how do you
know that the people you communicating
00:25:30.450 --> 00:25:34.350
with, or if you are like in a public group
where you personally accept new members
00:25:34.350 --> 00:25:39.490
into that group, how can you put, how do
you know or kind of differentiate between
00:25:39.490 --> 00:25:44.299
who's actually there to harm your group or
who's actually there to contribute? I
00:25:44.299 --> 00:25:51.250
think the answer there lies in, what you
share. Don't share information that comes
00:25:51.250 --> 00:25:55.690
with anyone that could potentially put you
at harm, even with people that you trust,
00:25:55.690 --> 00:25:59.409
so essentially don't trust anyone and
this is a basic OpSec rule. This is
00:25:59.409 --> 00:26:06.799
how Jeremy Hammond messed up a few years
ago, because they caught him, because he
00:26:06.799 --> 00:26:11.259
was revealing too much information about
his life, like where he eats or
00:26:11.259 --> 00:26:18.759
something like that or his previous drug
records and they were able to use that to
00:26:18.759 --> 00:26:22.940
kind of figure out who he was and that was
the same mistake that p0ke made; he was
00:26:22.940 --> 00:26:30.299
too open and friendly to that agent for no
reason. So I think the kind of answer is
00:26:30.299 --> 00:26:34.590
to do your operations in a way where you
don't have to trust people.
00:26:34.590 --> 00:26:40.409
(Mic Question): "How effective do you
00:26:40.409 --> 00:26:45.350
think these methods are, because we've
seen the number of followers on Twitter
00:26:45.350 --> 00:26:50.350
and the number of views on YouTube were
very low, so how many people can be
00:26:50.350 --> 00:26:51.970
affected by this kind of operation?"
00:26:51.970 --> 00:26:57.730
(S.): Yes, so there was also a slide I
meant to put in there, which was
00:26:57.730 --> 00:27:03.110
another leaked page from GCHQ that had a
list of bullet points on what they
00:27:03.110 --> 00:27:07.370
considered to be an effective operation
and some of those bullet points include
00:27:07.370 --> 00:27:11.929
how many people click that link, how many
people, how many people watch the YouTube
00:27:11.929 --> 00:27:15.120
video, etc, so it's pretty much the same
ways that you would measure it how many
00:27:15.120 --> 00:27:19.889
people viewed a specific message. Now in
their specific use cases I don't think
00:27:19.889 --> 00:27:23.820
they were very successful on a large
scale, specifically in Iran protests
00:27:23.820 --> 00:27:27.499
because the Twitter accounts had very few
followers and their YouTube videos only
00:27:27.499 --> 00:27:33.279
had a few hundred views but they might
have been, obviously more successful in
00:27:33.279 --> 00:27:37.039
more target cases when targeting specific
individuals by doing the Bahrain case or
00:27:37.039 --> 00:27:38.039
the p0ke case.
00:27:38.039 --> 00:27:39.610
(H.): over there please.
00:27:39.610 --> 00:27:45.220
(Mic Question): Sure, thank you, so I'm
just curious if you were familiar with the
00:27:45.220 --> 00:27:49.730
work of Erin Gallagher, she's done work to
try to figure out, kind of quantitatively
00:27:49.730 --> 00:27:52.809
and make these visualizations, to try to
figure out if a particular Twitter account
00:27:52.809 --> 00:27:57.279
for example is a bot or whether it's a
person and there's some you know rules of
00:27:57.279 --> 00:28:00.499
thumb regarding like, you know if the bots
just kind of interact with each other and
00:28:00.499 --> 00:28:01.909
don't react, don't interact with real
people
00:28:01.909 --> 00:28:07.340
I'm just curious what, what techniques you
may know of to, to figure out you know
00:28:07.340 --> 00:28:10.539
what is a bot and what is not and whether
you are familiar with those particular
00:28:10.539 --> 00:28:11.559
lines of a research.
00:28:11.559 --> 00:28:16.960
(S.): I'm not familiar with with their
work, but thank you all check out. In terms
00:28:16.960 --> 00:28:24.140
of what kind of metrics that you could use
or to use to see if an account is valid or
00:28:24.140 --> 00:28:29.720
not, I mean, I think, I guess they're,
their tweeting kind of, habits and when
00:28:29.720 --> 00:28:34.010
they tweet for example could be
indicative, so for example we saw this
00:28:34.010 --> 00:28:38.251
person only tweet at 9 to 5. Obviously
that's quite easy to make that it's on the
00:28:38.251 --> 00:28:44.120
case and also I think one useful things
might be might be interesting to do, is
00:28:44.120 --> 00:28:50.879
try to map the network of these accounts.
If you like build up like a web of
00:28:50.879 --> 00:28:55.909
followers, that you might be able to very
easy for graphically detect, very obvious
00:28:55.909 --> 00:28:59.100
clusters for accounts that are following
each other, to be to be very signal.
00:28:59.100 --> 00:29:01.370
(Mic): Yeah for sure, thank you.
00:29:01.370 --> 00:29:04.440
(H.) Let's switch over to mic 6 please
00:29:04.460 --> 00:29:05.309
(Mic 6 question): Thank you for the-
00:29:05.309 --> 00:29:11.580
thank you for the great talk, how would
you compare the former British activities
00:29:11.580 --> 00:29:18.149
to the current Russian activities, maybe a
talk in itself, but...
00:29:18.149 --> 00:29:20.429
(S.) To be honest, I haven't been digging
00:29:20.429 --> 00:29:23.919
too deep in the details or following too
much about the Russian activities, so I
00:29:23.919 --> 00:29:26.860
can't really comment about that, I don't
know how prolific it is, I only mentioned
00:29:26.860 --> 00:29:31.760
it briefly in the beginning of the slides
because it was to give some context, so
00:29:31.760 --> 00:29:34.370
I'll have to research more to the Russian
activities.
00:29:34.370 --> 00:29:39.020
(H.) Go to mic 5 again
00:29:39.020 --> 00:29:42.140
(Mic 5 Question): Thanks, to continue
00:29:42.140 --> 00:29:51.830
from the person who spoke, that would have
been my question. So, just to add up onto
00:29:51.830 --> 00:29:58.860
that, did you stumble upon similar
patterns coming from say Canberra or a
00:29:58.860 --> 00:30:00.230
Washington DC?
00:30:00.230 --> 00:30:05.440
(S.): So these accounts were very
specific to just to the UK expressions,
00:30:05.440 --> 00:30:09.280
there was no kind of collaboration there
with other countries within the Five Eyes,
00:30:09.280 --> 00:30:15.200
like the US or Australia, but I think they
might have,
00:30:15.200 --> 00:30:19.120
GCHQ I think has collaborated with the NSA
00:30:19.120 --> 00:30:23.060
JTRIG specifically I think has collaborated
before with the NSA to delegitimize
00:30:23.060 --> 00:30:27.929
certain people. So for example
we saw during a few years ago or last year
00:30:27.929 --> 00:30:34.230
I think there was a drone attack, someone
was illegally killed in a drone strike in
00:30:34.230 --> 00:30:40.220
Iraq, he was suspected to be an ISIS
member, Junaid Hussain, and apparently the
00:30:40.220 --> 00:30:45.299
way that he was deanonymized or the way they
found this location is that the US, the
00:30:45.299 --> 00:30:49.269
FBI specifically, had an informant that was
talking to this person and that informant
00:30:49.269 --> 00:30:53.480
sent them and sent them a link that was
generated by GCHQ and then since that link
00:30:53.480 --> 00:30:56.710
they were able to deanonymize them so I
think there's some collaboration there but
00:30:56.710 --> 00:30:59.110
this is mostly UK activity.
00:30:59.110 --> 00:31:04.315
(H.): Last question, we are out of time.
Thank you again, Mustafa. applause
00:31:04.315 --> 00:31:31.940
subtitles created by c3subtitles.de
in the year 2019. Join, and help us!