< Return to Video

34C3 - Uncovering British spies’ web of sockpuppet social media personas

  • 0:00 - 0:15
    34c3 intro
  • 0:15 - 0:21
    Herald: All right, it's my great pleasure
    to introduce to you Mustafa Al-Bassam.
  • 0:21 - 0:26
    He's gonna talk about uncovering British
    spies' web of sockpuppet social media
  • 0:26 - 0:32
    personas. Mustafa is a PhD student at the
    University College in London, studying
  • 0:32 - 0:37
    information security and focusing on
    decentralized systems. Mustafa was a co-
  • 0:37 - 0:44
    founder of LulzSec, an hacker activist
    group some of you might have heard of, and
  • 0:44 - 0:48
    with that, please give a warm applause to
    Mustafa.
  • 0:48 - 0:55
    applause
  • 0:55 - 0:58
    Mustafa Al-Bassam: Hey. So it seems that
  • 0:58 - 1:02
    over the past year we've had a lot in the
    media about this kind of idea that the
  • 1:02 - 1:06
    people that you interact with on Twitter
    and Facebook and other kinds of social
  • 1:06 - 1:12
    media are not necessarily who they say
    they are, and sometimes not even be, they
  • 1:12 - 1:16
    might not even be people at all. They
    might be bots. And we've heard about how
  • 1:16 - 1:21
    this might be used to manipulate people
    into believing certain things or certain
  • 1:21 - 1:26
    ideas. And this has become quite a big
    topic recently, especially after the U.S.
  • 1:26 - 1:32
    presidential elections in 2016, where
    according to one study, up to one in five
  • 1:32 - 1:36
    election related tweets weren't actually
    from real people. And apparently it's
  • 1:36 - 1:41
    it's such a big problem that even the
    president is being manipulated by, to say,
  • 1:41 - 1:46
    bots. But, this has been a kind of
    activity that has been going on for a very
  • 1:46 - 1:49
    long time, and not just from Russia or
    China.
  • 1:49 - 1:54
    The West also engages in these kind of
    activities including the UK and the US,
  • 1:54 - 2:01
    but in other kinds, in other regions. So,
    today I'm talking about what Britain does
  • 2:01 - 2:08
    in this regard. So, in the UK we have a
    NSA-equivalent intelligence agency called
  • 2:08 - 2:13
    GCHQ or Government Communications
    Headquarters. And their job is basically
  • 2:13 - 2:20
    like the UK's version of the NSA: to
    collect as much information as possible
  • 2:20 - 2:26
    through wiretaps and mass surveillance
    systems. But they also have a subgroup or
  • 2:26 - 2:31
    subteam within GCHQ called the Joint
    Threat Research Intelligence Group or
  • 2:31 - 2:36
    JTRIG for short. And what these guys
    basically do is, its basically a fancy
  • 2:36 - 2:41
    name for sitting on Twitter and Facebook
    all day and trolling online. What they do is
  • 2:41 - 2:45
    they conduct what they call Human
    Intelligence, which is kind of like the
  • 2:45 - 2:50
    act of interacting with humans online to
    try to make something happen in the real
  • 2:50 - 2:54
    world. And in their own words one of their
    missions is to use "dirty tricks" to
  • 2:54 - 3:00
    "destroy, deny, degrade and disrupt
    enemies" by "discrediting" them. And we've
  • 3:00 - 3:05
    seen JTRIG has been involved in various
    campaigns and operations, including
  • 3:05 - 3:10
    targeting hacktivist groups like Anonymous
    and LulzSec, and also protests in the
  • 3:10 - 3:15
    Middle East, during the Arab Spring and
    also the Iranian protest in 2009.
  • 3:15 - 3:21
    So, a bit of context to what led me to
    uncover this stuff and to actually
  • 3:21 - 3:25
    research this stuff. So in 2011, I was
    involved with the with the hacktivist
  • 3:25 - 3:30
    group LulzSec. And to refresh your memory,
    LulzSec was a group that existed during
  • 3:30 - 3:35
    the summer of 2011 and hacked into a bunch
    of US corporate and government
  • 3:35 - 3:40
    organizations, like the US Senate, their
    affiliates and Sony and Fox. And in the
  • 3:40 - 3:46
    same year I was arrested, and a year later
    I was officially indicted on a court
  • 3:46 - 3:51
    indictment. But the thing that struck me
    about this indictment was that there was
  • 3:51 - 3:55
    absolutely no mention in this court
    document about how they managed to
  • 3:55 - 4:01
    deanonymize me and my co-defendants. Or
    how they managed to actually link our
  • 4:01 - 4:07
    online identities with offline identities.
    And I thought it was suspicious because
  • 4:07 - 4:15
    our US counterparts, actually, their court
    indictments had a very lengthy sections on
  • 4:15 - 4:21
    how they were caught. For example, when
    the FBI arrested Jeremy Hammond, his court
  • 4:21 - 4:25
    indictment had a, had very detailed
    information about how those guys social
  • 4:25 - 4:29
    engineered him and managed to track him
    through his IP address and through Tor and
  • 4:29 - 4:34
    whatnot. But then, fast forward a year
    later, Edward Snowden started leaking
  • 4:34 - 4:39
    documents about the NSA and GCHQ, and then
    in 2014, one of those documents or some of
  • 4:39 - 4:46
    those documents were released on NBC that
    showed that GCHQ was targeting hacktivist
  • 4:46 - 4:50
    groups like Anonymous and LulzSec. And
    that makes the a lot of sense in my head.
  • 4:50 - 4:56
    Because if GCHQ was involved in this
    denanonymization process, then they
  • 4:56 - 4:59
    wouldn't want to have that in the court
    indictment, because it would reveal the
  • 4:59 - 5:04
    operational techniques.
    And this is one of the leaked slides from
  • 5:04 - 5:10
    GCHQ talking about some of the activist
    groups they target. One of the people
  • 5:10 - 5:17
    they targeted was someone who went by the
    nickname of "p0ke", who was chatting in an
  • 5:17 - 5:25
    IRC channel, a public chat network. And
    this was a public chatting channel where
  • 5:25 - 5:31
    people from Anonymous and other kinds of
    hacktivists kind of sit and chat about
  • 5:31 - 5:39
    various topics and also plan operations.
    And this person "p0ke" was chatting on
  • 5:39 - 5:47
    this channel and boasted that they had a
    list of 700 FBI agents' emails and phone
  • 5:47 - 5:55
    numbers and names. And then it turned out
    that a GCHQ agent was covertly in this
  • 5:55 - 6:01
    channel observing what people were saying.
    And then the GCHQ agent initiated a
  • 6:01 - 6:06
    private message with this person to kind
    of get more information and to try to
  • 6:06 - 6:12
    build a relationship with this person. And
    the agent asked them what was the site and
  • 6:12 - 6:16
    then they just gave that information up
    and they even gave them a sample of some
  • 6:16 - 6:23
    of the leaked information. So it turns out
    that actually GCHQ was active in these IRC
  • 6:23 - 6:31
    networks and chat networks for months if
    not years and they were in up to several
  • 6:31 - 6:36
    hundred channels at a time. They were just
    sitting there idling. They weren't really
  • 6:36 - 6:41
    saying much or actually participating in
    conversation, except that every few months
  • 6:41 - 6:46
    you might notice them say "hey" or "lol"
    in the chat even though it might be out of
  • 6:46 - 6:49
    context of the conversation that was going
    on, presumably so that they wouldn't get
  • 6:49 - 6:54
    kicked off the network because some
    networks kick you off if you're idling
  • 6:54 - 6:58
    there for too long. And then often what
    they would do is they would private
  • 6:58 - 7:03
    message people in rooms to try and
    corroborate information about activities
  • 7:03 - 7:07
    that were going on and being discussed or
    trying to entrap people by getting them to
  • 7:07 - 7:13
    admit to things as we saw with p0ke.
    And he seemed to be quite a common theme
  • 7:13 - 7:19
    that these undercover feds and agents were
    sitting in these chat rooms. In the
  • 7:19 - 7:26
    Europol meeting 2011, where 15 European
    countries were discussing what they were
  • 7:26 - 7:32
    doing to tackle Anonymous and LulzSec,
    apparently there were certainly undercover
  • 7:32 - 7:37
    cops in these channels that had an issue
    with undercover cops investigating each
  • 7:37 - 7:41
    other.
    laughter
  • 7:41 - 7:53
    So the GCHQ agent that was targeting p0ke
    sent them a link to a BBC news article
  • 7:53 - 8:02
    about hacktivists. And, according to this
    leaked slide, this link enabled GCHQ to
  • 8:02 - 8:09
    conduct signal intelligence to discover
    p0ke's real name, Facebook and email
  • 8:09 - 8:15
    accounts etc. It doesn't say exactly how
    they did that, but it's not that hard if
  • 8:15 - 8:21
    they have your IP address on user agent.
    Back then, in 2011, most websites weren't
  • 8:21 - 8:25
    using HTTPS, including Facebook, so if
    they look up your IP address in XKeyscore
  • 8:25 - 8:30
    or the dragnet surveillance system, they
    can easily see what other traffic is
  • 8:30 - 8:35
    originating from that IP address, and what
    Facebook accounts are connected to that IP
  • 8:35 - 8:42
    address for example. But in this in this
    slide leaked by NBC the URL was redacted,
  • 8:42 - 8:46
    but it wasn't very hard to actually find
    that URL, because these were public
  • 8:46 - 8:51
    channels that GCHQ agents were talking in,
    and people haven't been targeted in
  • 8:51 - 8:56
    themselves including myself. We were able
    to find out what that URL shortener was
  • 8:56 - 9:02
    I mean what that website was but
    which turned out to be a URL shortener so
  • 9:02 - 9:10
    the website that was sent to p0ke to click
    was "lurl.me" and according to
  • 9:10 - 9:17
    archive.org, here is a snapshot from
    "lurl.me" in 2013, just before it went
  • 9:17 - 9:21
    offline, that basically showed it was a
    URL shortening service, it looks like a
  • 9:21 - 9:28
    generic URL shortening service. One things
    I noticed is, the domain name sounds
  • 9:28 - 9:33
    like "lure me" which is basically what
    they were doing,
  • 9:33 - 9:41
    because JTRIG had this internal wiki
    where they listed all the tech tools and
  • 9:41 - 9:47
    techniques that they use in the operations
    and one of the categories that they have
  • 9:47 - 9:55
    is "shaping and honey pots" and in that
    category they have a tool code named
  • 9:55 - 9:59
    Deadpool which is described as a URL
    shortening service and that's what
  • 9:59 - 10:08
    "lurl.me" was. We first saw "lurl.me" in
    2009 - the domain name was registered in
  • 10:08 - 10:16
    2009 - and almost immediately it was it
    was linked tweets about Iranian protests,
  • 10:16 - 10:22
    and then it went offline in 2013, shortly
    after (every sudden) leaks in November,
  • 10:22 - 10:26
    but interesting if you look up all of the
    instances of this URL shortener being used
  • 10:26 - 10:30
    in social media and Twitter there's
    probably about 100-200 instances of it
  • 10:30 - 10:36
    being used and every single one of those
    instances where it was used it was
  • 10:36 - 10:43
    associated with political activities late
    in the Middle East or Africa usually to
  • 10:43 - 10:49
    protests. And the majority of the most
    common were coming from the default
  • 10:49 - 10:54
    Twitter accounts with no avatar, with very
    few tweets and they're accounts that were
  • 10:54 - 11:00
    active for only a few months between 2009
    and 2013.
  • 11:00 - 11:06
    One of the techniques, or some of the
    techniques that JTRIG used, in their own
  • 11:06 - 11:10
    words to conduct their operations is
    includes uploading YouTube videos
  • 11:10 - 11:14
    containing persuasive messaging,
    establishing online aliases with Facebook
  • 11:14 - 11:19
    and Twitter accounts, blogs on foreign
    memberships for conducting human
  • 11:19 - 11:23
    intelligence, or encouraging discussion on
    specific issues, sending spoof emails and
  • 11:23 - 11:28
    text messages as well as providing spoof
    online resources, and setting up spoof
  • 11:28 - 11:35
    trace sites and this is exactly what we're
    going to see in the next few slides and in
  • 11:35 - 11:40
    most examples that they use for the
    operations is they actually targeted the
  • 11:40 - 11:45
    entire general population of Iran which is
    a pretty big target audience of 80 million
  • 11:45 - 11:48
    people. According to them,
    they had several goals in Iran:
  • 11:48 - 11:53
    the first goal was to discredit the
    Iranian leadership and its nuclear program
  • 11:53 - 11:57
    Second goal was to delay and disrupt on-
    line access to materials used in the
  • 11:57 - 12:00
    nuclear program. Third Goal was
    conducting online Human
  • 12:00 - 12:03
    Intelligence and the fourth goal was the most
  • 12:03 - 12:08
    interesting goal my opinion: Counter
    censorship. It might seem might sound great
  • 12:08 - 12:13
    it might sound like almost like GCHQ is
    kind of aligned with the motives of the
  • 12:13 - 12:16
    Internet freedom community by helping
    these Iranian activists to evade
  • 12:16 - 12:19
    censorship.
    But we're gonna see it's not really the
  • 12:19 - 12:25
    case. The main kind of Iran the main kind
    of sock puppet accounts on Twitter that
  • 12:25 - 12:32
    JTRIG was running during this campaign in
    2009 was called "2000 Iran
  • 12:32 - 12:37
    2009 Iran free".
    This was the most kind of active Twitter
  • 12:37 - 12:42
    account that it had and it had 216 tweets
    and they also had I kind of like a bunch
  • 12:42 - 12:46
    of other accounts that were less active
    that had default avatars probably just to
  • 12:46 - 12:51
    kind of, kind of build up their social
    network that mostly retweeted things,
  • 12:51 - 12:58
    retweeted the same things as a display
    account but slightly rewarded or even with
  • 12:58 - 13:00
    them.
    And what this Twitter account essentially
  • 13:00 - 13:07
    did was in quick succession, over a period
    of like one or two weeks tweeted a bunch
  • 13:07 - 13:13
    of links from this URL shortener for
    various purposes for to various articles
  • 13:13 - 13:20
    on blogs online and they also had actually
    a blogspot website with like one article
  • 13:20 - 13:29
    to kind of expand their network I guess.
    One of the activities that 2009 Iran free
  • 13:29 - 13:36
    and the other sock puppets were doing
    was they were kind of trying to spread the
  • 13:36 - 13:42
    same IP addresses as proxies to Iranians
    to use as a counter cencorship. So for
  • 13:42 - 13:48
    example you can see that they have a list
    of IP addresses here that will hash like
  • 13:48 - 13:52
    Iran election that they can use for
    protests and they and they might sometimes
  • 13:52 - 14:02
    feed links to that to to this proxy is
    using that URL shortener and this is, this
  • 14:02 - 14:07
    is quite concerning because well one of
    the tools used by JTRIG is also called
  • 14:07 - 14:13
    codenamed Molten Magma which is basically
    HTTP proxy to with the ability to log all
  • 14:13 - 14:17
    traffic and perform HTTPS man-in-the-
    middle because, again, they were they were
  • 14:17 - 14:20
    spreading exactly the same IP address all
    of these all these sock puppet accounts
  • 14:20 - 14:26
    were spreading exactly the same IP
    addresses and same links to Iranians to
  • 14:26 - 14:33
    help them to or to allegedly help them to
    a evade common cencorship. And they were
  • 14:33 - 14:38
    even claiming that these for the same
    proxies used by the Iranian government to
  • 14:38 - 14:41
    get around their own firewalls so if they,
    apparently if they block these proxies
  • 14:41 - 14:46
    they will block their own access to the
    outside world.
  • 14:46 - 14:51
    And this is essentially what they are
    doing here. In this kind of context GCHQ
  • 14:51 - 14:55
    is kind of acting like the big bad wolf
    from Red Riding Hood. We might seem like
  • 14:55 - 15:02
    they're helping me but they're also
    causing you harm in the process.
  • 15:02 - 15:07
    And this is a, this is a list that
    contains a list of some of the techniques
  • 15:07 - 15:13
    that JTRIG used. This was also a leaked
    document and this essentially kills two
  • 15:13 - 15:18
    birds in one stone because what they do is
    at the bottom it says one techniques is
  • 15:18 - 15:22
    hosting targets' online communications for
    collecting signal intelligence as we saw
  • 15:22 - 15:27
    with p0ke and which is why they tweet
    these links using URL shortener so they
  • 15:27 - 15:32
    can conduct signal intelligence on people
    who are interested in clicking these
  • 15:32 - 15:39
    things and also providing online access
    uncensored materials and sending instant
  • 15:39 - 15:43
    messages to specific individuals giving
    them instructions for accessing uncensored
  • 15:43 - 15:47
    websites.
    One of the forums that these proxies were
  • 15:47 - 15:54
    posted in was whyweprotest.net and someone
    actually kind of almost got it right.
  • 15:54 - 15:57
    Someone asked: 'Why does the government use
    proxies? That doesn't make any sense, they
  • 15:57 - 16:00
    wouldn't need any proxies." And then
    someone replied: "The Iranian government
  • 16:00 - 16:04
    allegedly has set up proxies to monitor
    connections with from within Iran to be
  • 16:04 - 16:08
    able to pinpoint the people who are trying
    to bypass these blocks." So they're almost
  • 16:08 - 16:11
    right because it wasn't the Iranian
    government that was actually monitoring
  • 16:11 - 16:19
    connections in Iran. It was GCHQ.
    There were also set up, I agree, basic
  • 16:19 - 16:26
    websites, that basically acted as RSS
    feeds to English websites about Iran to
  • 16:26 - 16:30
    presumably, but also for counter
    censorship reasons. One of the same
  • 16:30 - 16:35
    things they did was mimic government
    officials. So for example they might
  • 16:35 - 16:40
    post in a forum saying: "Attention users
    outside Iran, you can call the president
  • 16:40 - 16:44
    at this number to discuss the elections
    direct." And they were hesitant that you
  • 16:44 - 16:50
    should not call this number if you are in
    Iran. And then they will also give an
  • 16:50 - 16:56
    email address for the vice president on
    the Twitter.
  • 16:56 - 17:00
    This also matches up with another
    technique that JTRIG uses, again according
  • 17:00 - 17:07
    to the leaked documents, where they send
    spoof emails and text messages from a fake
  • 17:07 - 17:12
    person or mimicking a real person to
    discredit, promote, distrust, dissuade,
  • 17:12 - 17:17
    deceive, deter, delay or disrupt. Whatever
    the purpose was, they certainly managed to
  • 17:17 - 17:21
    promote distrust because one of the
    replies to this post was: "This can't be
  • 17:21 - 17:25
    the president's number because if it were
    the second call would be answered by
  • 17:25 - 17:30
    Iranian intelligence services. So these are
    strange days. I suppose anything could
  • 17:30 - 17:34
    happen at this point."
    So that was most of the activity that we
  • 17:34 - 17:40
    saw in 2009. There was a bunch of other
    Twitter accounts with default egg, default
  • 17:40 - 17:46
    avatars associated with these links. You
    can find them if you search lurl.me with
  • 17:46 - 17:53
    quotation marks and Google with sites
    -twitter.com. In 2010 there was absolutely
  • 17:53 - 18:00
    no activity on Twitter or all social media
    associated with this URL shorter. Then, in
  • 18:00 - 18:09
    2011, we saw some activity in Syria for
    this URL shortener for a similar purpose
  • 18:09 - 18:13
    of conducting censorship resistance in
    Syria. And they were essentially doing the
  • 18:13 - 18:18
    same thing, same techniques, giving people
    IP addresses to connect to, that you
  • 18:18 - 18:24
    thought that they probably are MITM'd.
    But one of the things they did here as
  • 18:24 - 18:28
    well was they didn't just tweet stuff they
    also posted a YouTube video, like a very
  • 18:28 - 18:33
    poorly made YouTube video with only
    300 views to try to get people to watch
  • 18:33 - 18:38
    that. They didn't really try very hard
    here because if you actually look at the
  • 18:38 - 18:43
    times on when these accounts tweeted,
    all the accounts in Syria actually should
  • 18:43 - 18:50
    have tweeted. The only tweet between 9 to
    5 p.m. UK time Monday to Friday.
  • 18:50 - 19:00
    laughter, applause
    I mean, I think, I don't know I think
  • 19:00 - 19:06
    they were lazy, or they were just, they
    didn't really bother or weren't motivated.
  • 19:06 - 19:11
    But one of the limitations that JTRIG has,
    they actually had one in the leaked
  • 19:11 - 19:16
    documents, that they had was they had a
    list of limitations that the staff have
  • 19:16 - 19:19
    when conducting its operations. And one of
    them is that they have difficulty in
  • 19:19 - 19:25
    maintaining more than a small number of
    unique multi-dimension active aliases
  • 19:25 - 19:30
    especially with doing online human
    intelligence. Which is why we only see
  • 19:30 - 19:35
    like one main twitter account for these
    events and then like a bunch of other kind
  • 19:35 - 19:39
    of default expat accounts, usually like
    five or six. We didn't tend to see
  • 19:39 - 19:44
    hundreds of them you only see about less
    than 10, because this was back in 2009,
  • 19:44 - 19:50
    2011. They weren't doing it in an
    automated way. And they also said the lack
  • 19:50 - 19:56
    of continuity in maintaining an alias or
    communicating via an alias if a staff
  • 19:56 - 20:02
    member is away and his or her work is
    covered by others and also the other one
  • 20:02 - 20:09
    was lack of photographs, visual images, of
    aliases which is why we always see like
  • 20:09 - 20:12
    egg or default avatars for these
    sock puppet accounts because they can't
  • 20:12 - 20:17
    unless they have like a full fledge
    graphics team or have faces of people to
  • 20:17 - 20:22
    put in there and they can't really put
    anything as avatar. They also apparently
  • 20:22 - 20:28
    had a lack of sufficient number and varied
    cultural language advisors eg in Russian,
  • 20:28 - 20:32
    Arabic and Pashto which is why we see
    here on these Twitter accounts they're
  • 20:32 - 20:36
    basically tweeting the same thing over and
    over again with no variation. Here's the
  • 20:36 - 20:40
    same text over and over again because they
    don't have lots of translators to
  • 20:40 - 20:48
    translate that.
    The other thing we saw in 2011 was a very
  • 20:48 - 20:54
    targeted attack during the Bahrain
    protests. They had a twitter account
  • 20:54 - 21:00
    called 'Freedom4Bahrain' and this, it just
    sent two tweets, mentioning two accounts
  • 21:00 - 21:07
    "14FebTV" and "14FebRevolution", and
    these were two accounts that were,
  • 21:07 - 21:09
    like,
    really big kind of social media outlets in
  • 21:09 - 21:15
    Bahrain that were covering the protests
    that were going on there. And these were
  • 21:15 - 21:22
    targeted mentions of the kind that we saw
    with P0ke, so, presumably also here, they
  • 21:22 - 21:24
    were using that to conduct Signal
    Intelligence,
  • 21:24 - 21:32
    to discover who was running these two
    accounts. In 2012 you also saw no activity
  • 21:32 - 21:42
    associated with that URL shortener. During 2013 I managed
    to find one tweet related to Kenya, to the
  • 21:42 - 21:47
    Kenyan imposed national politics and this
    person isn't an education sock puppet, this
  • 21:47 - 21:53
    person is a research assistant at the
    Human Rights Watch. So this, but that begs
  • 21:53 - 21:58
    the question of how did he actually get
    this URL? Probably a similar message to
  • 21:58 - 22:03
    P0ke, they probably sent him a link
    through a private message found that
  • 22:03 - 22:08
    interesting and tweeted it, so not only
    are they targeting protesters, they are
  • 22:08 - 22:17
    also targeting NGOs. Then, in 2013,
    all of the infrastructure associated with
  • 22:17 - 22:23
    URL-shortener was shot offline, this was
    in 2013, which was a few months after the
  • 22:23 - 22:27
    Edward Snowden leaks, so they had a bit of
    delay of doing it, but it must have been a
  • 22:27 - 22:33
    real pain in the arse for them to have to
    renew all their infrastructure, but I did
  • 22:33 - 22:38
    do some digging into some of other host
    names that were hosted on this lurl.me
  • 22:38 - 22:45
    server. Between 2009 and 2013, most of
    these host names seem to be random
  • 22:45 - 22:51
    alphanumeric, the main names, and some of
    them are using publicly the DNS providers
  • 22:51 - 22:57
    like DynDNS or DNSAlias, I wasn't able to
    find any websites archived for these
  • 22:57 - 23:02
    domains, so it doesn't seem that there was
    any websites there, but if you have any
  • 23:02 - 23:06
    ideas let me know, because one of the
    things that I suspect is that these might
  • 23:06 - 23:10
    have been malware endpoints or command
    control servers, that they were using, so
  • 23:10 - 23:14
    if you have any and monitoring tools or
    logs then maybe you should look up some of
  • 23:14 - 23:19
    these host names. But one of the
    interesting domain names that I thought
  • 23:19 - 23:25
    was interesting there was dunes
    adventures.net and this is the archived
  • 23:25 - 23:27
    page for Dunesadventures
  • 23:27 - 23:29
    which was another
    website based in Kenya. They were up to
  • 23:29 - 23:35
    something in Kenya and it claimed that
    they were having this was a very basic one
  • 23:35 - 23:41
    page website that was kind of very poorly
    made and they claimed that they were
  • 23:41 - 23:45
    having site problems and apparently "we
    have noticed problems with our booking
  • 23:45 - 23:49
    system, this has been taken offline until
    our techs find the problem - we apologize
  • 23:49 - 23:53
    for any inconvenience". but there was never
    any booking system in the first place,
  • 23:53 - 23:58
    this was just pretty much a ruse to make
    it look like if you go to this website, a
  • 23:58 - 24:03
    legitimate company was hosting there. So
    if you mind anything about that, then I'd
  • 24:03 - 24:08
    be curious as well. I also if there's any
    GCHQ agents in the room and then I'm
  • 24:08 - 24:16
    happy to get drink with you as well.
    That's all I have for today, does anyone
  • 24:16 - 24:27
    have any questions?
    applause
  • 24:27 - 24:42
    (Herald) asks for questions
    (Mic Question): OK, IRC asks: Deceiving
  • 24:42 - 24:46
    a target into trusting you and leaking any form
    of infos is used everywhere right now, IRC,
  • 24:46 - 24:51
    Twitter and Facebook and so on. How would you
    advise people to distinguish between a
  • 24:51 - 24:54
    genuine identity and an undercover agent?
  • 24:54 - 24:56
    (Speaker): "I think that's a very good
    question because-
  • 24:56 - 24:59
    (H.): So just just a quick second, if you
  • 24:59 - 25:03
    really have to leave the room right now,
    people, please do so quietly, we still
  • 25:03 - 25:08
    have a talk going on and it's really
    unrespectful if you make that much noise
  • 25:08 - 25:13
    and interrupt this whole thing.
    applause
  • 25:13 - 25:17
    I know a lot of people are interested in
    the talk afterwards but we'll all get you
  • 25:17 - 25:18
    in and sorry.
  • 25:18 - 25:23
    (S.): So I think I was very good question
    because if you're conducting, if you're
  • 25:23 - 25:27
    doing activism online and you need to be
    anonymous and you dont want to meet up
  • 25:27 - 25:30
    with people in person, then how do you
    know that the people you communicating
  • 25:30 - 25:34
    with, or if you are like in a public group
    where you personally accept new members
  • 25:34 - 25:39
    into that group, how can you put, how do
    you know or kind of differentiate between
  • 25:39 - 25:44
    who's actually there to harm your group or
    who's actually there to contribute? I
  • 25:44 - 25:51
    think the answer there lies in, what you
    share. Don't share information that comes
  • 25:51 - 25:56
    with anyone that could potentially put you
    at harm, even with people that you trust,
  • 25:56 - 25:59
    so essentially don't trust anyone and
    this is a basic OP Sec rule. This is
  • 25:59 - 26:07
    how Jeremy Hammond messed up a few years
    ago, because they caught him, because he
  • 26:07 - 26:11
    was revealing too much information about
    his life, like where where he eats or
  • 26:11 - 26:19
    something like that or his previous drug
    records and they were able to use that to
  • 26:19 - 26:23
    kind of figure out who he was and that was
    the same mistake that P0ke made he, was
  • 26:23 - 26:30
    too open and friendly to that agent for no
    reason. So I think the kind of answer is
  • 26:30 - 26:35
    to do your operations in a way where you
    dont have to trust people.
  • 26:35 - 26:40
    (Mic Question): "How effective do you
  • 26:40 - 26:45
    think these methods are, because we've
    seen the number of followers on Twitter
  • 26:45 - 26:50
    and the number of views on YouTube were
    very low so, how much people can, is
  • 26:50 - 26:52
    affected by this kind of operations"
  • 26:52 - 26:58
    (S.): Yes, so there was also a slide I
    meant to put in there, that was leaked page
  • 26:58 - 27:03
    another leaked page from GCHQ that had a
    list of bullet points on what they
  • 27:03 - 27:07
    considered to be an effective operation
    and some of those bullet points include
  • 27:07 - 27:12
    how many people click that link, how many
    people, how many people watch the youtube
  • 27:12 - 27:15
    video, etc, so it's pretty much the same
    ways that you would measure it how many
  • 27:15 - 27:20
    people viewed a specific message. Now in
    their specific use cases I don't think
  • 27:20 - 27:24
    they were very successful on a large
    scale, specifically in Iran protests
  • 27:24 - 27:27
    because the Twitter accounts had very few
    followers and their YouTube videos only
  • 27:27 - 27:33
    had a few hundred views but they might
    have been, obviously more succesful in
  • 27:33 - 27:37
    more target cases when targeting specific
    individuals by doing the Bahrain case or
  • 27:37 - 27:38
    the p0ke case.
  • 27:38 - 27:40
    (H.): over there please.
  • 27:40 - 27:45
    (Mic Question): Sure, thank you, so I'm
    just curious if you were familiar with the
  • 27:45 - 27:50
    work of Erin Gallagher, she's done work to
    try to figure out, kind of quantitatively
  • 27:50 - 27:53
    and make these visualizations, to try to
    figure out if a particular twitter account
  • 27:53 - 27:57
    for example is a bot or whether it's a
    person and there's some you know rules of
  • 27:57 - 28:00
    thumb regarding like, you know if the bots
    just kind of interact with each other and
  • 28:00 - 28:02
    don't react, don't interact with real
    people
  • 28:02 - 28:07
    im just curious what, what techniques you
    may know of to, to figure out you know
  • 28:07 - 28:11
    what is a bot and what is not and whether
    you are familiar with those particular
  • 28:11 - 28:12
    lines of a research.
  • 28:12 - 28:17
    (S.): I'm not familiar with with their
    work, but thank you all check out. In terms
  • 28:17 - 28:24
    of what kind of metrics that you could use
    or to use to see if a account is valid or
  • 28:24 - 28:30
    not, I mean, I think, I guess they're,
    their tweeting kind of, habits and when
  • 28:30 - 28:34
    they tweet for example could be
    indicative, so for example we saw this
  • 28:34 - 28:38
    person only tweet at 9 to 5. Obviously
    that's quite easy to make that it's on the
  • 28:38 - 28:44
    case and also I think one useful things
    might be might be interesting to do, is
  • 28:44 - 28:51
    try to map the network of these accounts.
    If you like build up like a web of
  • 28:51 - 28:56
    followers, that you might be able to very
    easy for graphically detect, very obvious
  • 28:56 - 28:59
    clusters for accounts that are following
    each other, to be to be very signal.
  • 28:59 - 29:01
    (Mic): Yeah for sure, thank you.
  • 29:01 - 29:04
    (H.) Lets switch over to mic 6 please
  • 29:04 - 29:05
    (Mic 6 question): Thank you for the-
  • 29:05 - 29:12
    thank you for the great talk, how would
    you compare the former British activities
  • 29:12 - 29:18
    to the current Russian activities, maybe a
    talk in itself, but...
  • 29:18 - 29:20
    (S.) To be honest, I haven't been digging
  • 29:20 - 29:24
    too deep in the details or following too
    much about the Russian activities, so I
  • 29:24 - 29:27
    can't really comment about that, I don't
    know how prolific it is, I only mentioned
  • 29:27 - 29:32
    it briefly in the beginning of the slides
    because it was to give some context, so
  • 29:32 - 29:34
    I'll have to research more to the Russian
    activities.
  • 29:34 - 29:39
    (H.) Go to mic 5 again
  • 29:39 - 29:42
    (Mic 5 Question): Thanks, to continue
  • 29:42 - 29:52
    from the person who spoke, that would have
    been my question. So, just to add up onto
  • 29:52 - 29:59
    that, did you stumble upon similar
    patterns coming from say Canberra or a
  • 29:59 - 30:00
    Washington DC?
  • 30:00 - 30:05
    (S.): So these accounts were very
    specific to just to the UK expressions,
  • 30:05 - 30:09
    there was no kind of collaboration there
    with other countries within the five eyes,
  • 30:09 - 30:15
    like the US or Australia, but I think they
    might have,
  • 30:15 - 30:19
    GCHQ I think has collaborated with the NSA
  • 30:19 - 30:23
    JTRIG specifically I think has collaborated
    before with the NSA to delegitimize
  • 30:23 - 30:28
    certain people. So for example
    we saw during a few years ago or last year
  • 30:28 - 30:34
    I think there was a drone attack, someone
    was illegally killed in a drone strike in
  • 30:34 - 30:40
    Iraq, he was a suspected to be an ISIS
    member, Junaid Hussain, and apparently the
  • 30:40 - 30:45
    way that he was deanonymized or the way they
    found this location is that the US, the
  • 30:45 - 30:49
    FBI specifically, had an informant that was
    talking to this person and that informant
  • 30:49 - 30:53
    sent them and sent them a link that was
    generated by GCHQ and then since that link
  • 30:53 - 30:57
    they were able to deanonymize them so I
    think there's some collaboration there but
  • 30:57 - 30:59
    this is mostly UK activity.
  • 30:59 - 31:04
    (H.): Last question, we are out of time.
    Thank you again, Mustafa. applause
  • 31:04 - 31:32
    subtitles created by c3subtitles.de
    in the year 2019. Join, and help us!
Title:
34C3 - Uncovering British spies’ web of sockpuppet social media personas
Description:

more » « less
Video Language:
English
Duration:
31:32

English subtitles

Revisions