*34c3 intro*

Herald: All right, it's my great pleasure to introduce to you Mustafa Al-Bassam. He's gonna talk about uncovering British spies' web of sockpuppet social media personas. Mustafa is a PhD student at University College London, studying information security and focusing on decentralized systems. Mustafa was a co-founder of LulzSec, a hacker activist group some of you might have heard of, and with that, please give a warm applause to Mustafa.

*applause*

Mustafa Al-Bassam: Hey. So it seems that over the past year we've had a lot in the media about this kind of idea that the people that you interact with on Twitter and Facebook and other kinds of social media are not necessarily who they say they are, and sometimes they might not even be people at all. They might be bots. And we've heard about how this might be used to manipulate people into believing certain things or certain ideas. And this has become quite a big topic recently, especially after the U.S. presidential elections in 2016, where according to one study, up to one in five election-related tweets weren't actually from real people. And apparently it's such a big problem that even the president is being manipulated by, let's say, bots.
But this has been a kind of activity that has been going on for a very long time, and not just from Russia or China. The West also engages in these kinds of activities, including the UK and the US, but in other regions. So today I'm talking about what Britain does in this regard. So, in the UK we have an NSA-equivalent intelligence agency called GCHQ, or Government Communications Headquarters. And their job is basically like the UK's version of the NSA: to collect as much information as possible through wiretaps and mass surveillance systems. But they also have a subgroup or subteam within GCHQ called the Joint Threat Research Intelligence Group, or JTRIG for short. And what these guys basically do is, it's basically a fancy name for sitting on Twitter and Facebook all day and trolling online. What they do is they conduct what they call Human Intelligence, which is kind of like the act of interacting with humans online to try to make something happen in the real world. And in their own words, one of their missions is to use "dirty tricks" to "destroy, deny, degrade and disrupt enemies" by "discrediting" them. And we've seen JTRIG has been involved in various campaigns and operations, including targeting hacktivist groups like Anonymous and LulzSec, and also protests in the Middle East, during the Arab Spring and also the Iranian protests in 2009.
So, a bit of context to what led me to uncover this stuff and to actually research this stuff. So in 2011, I was involved with the hacktivist group LulzSec. And to refresh your memory, LulzSec was a group that existed during the summer of 2011 and hacked into a bunch of US corporate and government organizations, like the US Senate, their affiliates, and Sony and Fox. And in the same year I was arrested, and a year later I was officially indicted on a court indictment. But the thing that struck me about this indictment was that there was absolutely no mention in this court document about how they managed to deanonymize me and my co-defendants. Or how they managed to actually link our online identities with offline identities. And I thought it was suspicious because our US counterparts, actually, their court indictments had very lengthy sections on how they were caught. For example, when the FBI arrested Jeremy Hammond, his court indictment had very detailed information about how those guys social-engineered him and managed to track him through his IP address and through Tor and whatnot. But then, fast forward a year later, Edward Snowden started leaking documents about the NSA and GCHQ, and then in 2014, some of those documents were released on NBC that showed that GCHQ was targeting hacktivist groups like Anonymous and LulzSec.
And that made a lot of sense in my head. Because if GCHQ was involved in this deanonymization process, then they wouldn't want to have that in the court indictment, because it would reveal the operational techniques. And this is one of the leaked slides from GCHQ talking about some of the activist groups they target. One of the people they targeted was someone who went by the nickname of "p0ke", who was chatting in an IRC channel, a public chat network. And this was a public chat channel where people from Anonymous and other kinds of hacktivists kind of sit and chat about various topics and also plan operations. And this person "p0ke" was chatting on this channel and boasted that they had a list of 700 FBI agents' emails and phone numbers and names. And then it turned out that a GCHQ agent was covertly in this channel observing what people were saying. And then the GCHQ agent initiated a private message with this person to kind of get more information and to try to build a relationship with this person. And the agent asked them what the site was, and then they just gave that information up, and they even gave them a sample of some of the leaked information. So it turns out that actually GCHQ was active in these IRC networks and chat networks for months if not years, and they were in up to several hundred channels at a time. They were just sitting there idling.
They weren't really saying much or actually participating in conversation, except that every few months you might notice them say "hey" or "lol" in the chat, even though it might be out of context of the conversation that was going on, presumably so that they wouldn't get kicked off the network, because some networks kick you off if you're idling there for too long. And then often what they would do is they would private message people in rooms to try and corroborate information about activities that were going on and being discussed, or try to entrap people by getting them to admit to things, as we saw with p0ke. And it seemed to be quite a common theme that these undercover feds and agents were sitting in these chat rooms. In the Europol meeting in 2011, where 15 European countries were discussing what they were doing to tackle Anonymous and LulzSec, apparently there were undercover cops in these channels, and they had an issue with undercover cops investigating each other.

*laughter*

So the GCHQ agent that was targeting p0ke sent them a link to a BBC news article about hacktivists. And, according to this leaked slide, this link enabled GCHQ to conduct signals intelligence to discover p0ke's real name, Facebook and email accounts, etc. It doesn't say exactly how they did that, but it's not that hard if they have your IP address and user agent.
Back then, in 2011, most websites weren't using HTTPS, including Facebook, so if they look up your IP address in XKeyscore or the dragnet surveillance system, they can easily see what other traffic is originating from that IP address, and what Facebook accounts are connected to that IP address, for example. But in this slide leaked by NBC the URL was redacted. It wasn't very hard to actually find that URL, though, because these were public channels that GCHQ agents were talking in, and people who had been targeted themselves, including myself, were able to find out what that website was, which turned out to be a URL shortener. So the website that was sent to p0ke to click was "lurl.me", and according to archive.org, here is a snapshot of "lurl.me" from 2013, just before it went offline, that basically showed it was a URL shortening service. It looks like a generic URL shortening service. One thing I noticed is the domain name sounds like "lure me", which is basically what they were doing, because JTRIG had this internal wiki where they listed all the tech tools and techniques that they use in their operations, and one of the categories that they have is "shaping and honey pots", and in that category they have a tool code-named Deadpool, which is described as a URL shortening service, and that's what "lurl.me" was.
We first saw "lurl.me" in 2009 - the domain name was registered in 2009 - and almost immediately it was linked in tweets about the Iranian protests, and then it went offline in 2013, shortly after the Edward Snowden leaks, in November. But interestingly, if you look up all of the instances of this URL shortener being used on social media and Twitter, there are probably about 100-200 instances of it being used, and every single one of those instances where it was used was associated with political activities in the Middle East or Africa, usually related to protests. And the majority of them were coming from default Twitter accounts with no avatar, with very few tweets, and they're accounts that were active for only a few months between 2009 and 2013.
One of the techniques, or some of the techniques, that JTRIG used, in their own words, to conduct their operations includes uploading YouTube videos containing persuasive messaging, establishing online aliases with Facebook and Twitter accounts, blogs and forum memberships for conducting human intelligence or encouraging discussion on specific issues, sending spoof emails and text messages as well as providing spoof online resources, and setting up spoof trade sites. And this is exactly what we're going to see in the next few slides. And in most of the examples that they used for their operations, they actually targeted the entire general population of Iran, which is a pretty big target audience of 80 million people. According to them, they had several goals in Iran: the first goal was to discredit the Iranian leadership and its nuclear program. The second goal was to delay and disrupt online access to materials used in the nuclear program. The third goal was conducting online Human Intelligence, and the fourth goal was the most interesting goal in my opinion: counter-censorship. It might sound great, it might sound almost like GCHQ is kind of aligned with the motives of the Internet freedom community by helping these Iranian activists to evade censorship. But we're gonna see it's not really the case.
The main sock puppet account on Twitter that JTRIG was running during this campaign in 2009 was called "2009 Iran Free". This was the most active Twitter account that it had, and it had 216 tweets, and they also had a bunch of other accounts that were less active, that had default avatars, probably just to kind of build up their social network, that mostly retweeted things, retweeted the same things as this main account but slightly reworded, or even verbatim. And what this Twitter account essentially did was, in quick succession, over a period of like one or two weeks, tweet a bunch of links from this URL shortener for various purposes, to various articles on blogs online, and they also actually had a blogspot website with like one article to kind of expand their network, I guess. One of the activities that 2009 Iran Free and the other sock puppets were doing was they were kind of trying to spread the same IP addresses as proxies to Iranians to use as counter-censorship.
So for example you can see that they have a list of IP addresses here with a hashtag like #IranElection that they can use for protests, and they might sometimes tweet links to these proxies using that URL shortener. And this is quite concerning, because one of the tools used by JTRIG is also code-named Molten Magma, which is basically an HTTP proxy with the ability to log all traffic and perform HTTPS man-in-the-middle. Because, again, all of these sock puppet accounts were spreading exactly the same IP addresses and the same links to Iranians to help them, or to allegedly help them, evade censorship. And they were even claiming that these were the same proxies used by the Iranian government to get around their own firewalls, so apparently if they blocked these proxies they would block their own access to the outside world. And this is essentially what they are doing here. In this kind of context GCHQ is kind of acting like the big bad wolf from Red Riding Hood. It might seem like they're helping you, but they're also causing you harm in the process. And this is a list that contains some of the techniques that JTRIG used.
This was also a leaked document, and this essentially kills two birds with one stone, because what they do is, at the bottom it says one technique is hosting targets' online communications for collecting signals intelligence, as we saw with p0ke, which is why they tweet these links using the URL shortener, so they can conduct signals intelligence on people who are interested in clicking these things, and also providing online access to uncensored materials and sending instant messages to specific individuals giving them instructions for accessing uncensored websites. One of the forums that these proxies were posted in was whyweprotest.net, and someone actually almost got it right. Someone asked: "Why does the government use proxies? That doesn't make any sense, they wouldn't need any proxies." And then someone replied: "The Iranian government allegedly has set up proxies to monitor connections from within Iran to be able to pinpoint the people who are trying to bypass these blocks." So they're almost right, because it wasn't the Iranian government that was actually monitoring connections in Iran. It was GCHQ. They also set up, I believe, basic websites that basically acted as RSS feeds to English websites about Iran, presumably also for counter-censorship reasons. Another thing they did was mimic government officials.
So for example they might post in a forum saying: "Attention users outside Iran, you can call the president at this number to discuss the elections direct." And they were insistent that you should not call this number if you are in Iran. And then they would also give an email address for the vice president on Twitter. This also matches up with another technique that JTRIG uses, again according to the leaked documents, where they send spoof emails and text messages from a fake person or mimicking a real person to discredit, promote distrust, dissuade, deceive, deter, delay or disrupt. Whatever the purpose was, they certainly managed to promote distrust, because one of the replies to this post was: "This can't be the president's number, because if it were, the second call would be answered by Iranian intelligence services. So these are strange days. I suppose anything could happen at this point." So that was most of the activity that we saw in 2009. There were a bunch of other Twitter accounts with default egg avatars associated with these links. You can find them if you search for "lurl.me" with quotation marks on Google with site:twitter.com. In 2010 there was absolutely no activity on Twitter or any social media associated with this URL shortener.
Then, in 2011, we saw some activity in Syria for this URL shortener, for a similar purpose of conducting censorship resistance in Syria. And they were essentially doing the same thing, same techniques, giving people IP addresses to connect to, that I thought were probably MITM'd. But one of the things they did here as well was they didn't just tweet stuff, they also posted a YouTube video, like a very poorly made YouTube video with only 300 views, to try to get people to watch that. They didn't really try very hard here, because if you actually look at the times when these accounts tweeted, all the accounts that were supposedly in Syria only tweeted between 9 and 5 UK time, Monday to Friday.

*laughter, applause*

I mean, I think, I don't know, I think they were lazy, or they didn't really bother or weren't motivated. But one of the limitations that JTRIG has, they actually had one in the leaked documents, they had a list of limitations that the staff have when conducting their operations. And one of them is that they have difficulty in maintaining more than a small number of unique multi-dimensional active aliases, especially when doing online human intelligence.
Which is why we only see like one main Twitter account for these events and then a bunch of other default egg accounts, usually like five or six. We didn't tend to see hundreds of them, you only see less than 10, because this was back in 2009, 2011. They weren't doing it in an automated way. And they also said the lack of continuity in maintaining an alias, or communicating via an alias, if a staff member is away and his or her work is covered by others. And also the other one was lack of photographs, visual images, of aliases, which is why we always see egg or default avatars for these sock puppet accounts, because, unless they have like a full-fledged graphics team or have faces of people to put in there, they can't really put anything as an avatar. They also apparently had a lack of a sufficient number and variety of cultural/language advisors, e.g. in Russian, Arabic and Pashto, which is why we see here on these Twitter accounts they're basically tweeting the same thing over and over again with no variation. Here's the same text over and over again, because they don't have lots of translators to translate that. The other thing we saw in 2011 was a very targeted attack during the Bahrain protests.
They had a Twitter account called 'Freedom4Bahrain' and this, it just sent two tweets, mentioning two accounts, "14FebTV" and "14FebRevolution", and these were two accounts that were, like, really big social media outlets in Bahrain that were covering the protests that were going on there. And these were targeted mentions of the kind that we saw with p0ke, so presumably also here they were using that to conduct signals intelligence, to discover who was running these two accounts. In 2012 you also saw no activity associated with that URL shortener. During 2013 I managed to find one tweet related to Kenya, to Kenyan national politics, and this person isn't a GCHQ sock puppet, this person is a research assistant at Human Rights Watch. So this begs the question of how did he actually get this URL? Probably a similar message to p0ke: they probably sent him a link through a private message, he found that interesting and tweeted it. So not only are they targeting protesters, they are also targeting NGOs.
Then, in 2013, all of the infrastructure associated with the URL shortener was shut offline. This was in 2013, which was a few months after the Edward Snowden leaks, so they had a bit of a delay in doing it, but it must have been a real pain in the arse for them to have to renew all their infrastructure. But I did do some digging into some of the other host names that were hosted on this lurl.me server. Between 2009 and 2013, most of these host names seem to be random alphanumeric domain names, and some of them are using public dynamic DNS providers like DynDNS or DNSAlias. I wasn't able to find any websites archived for these domains, so it doesn't seem that there were any websites there, but if you have any ideas let me know, because one of the things that I suspect is that these might have been malware endpoints or command and control servers that they were using. So if you have any monitoring tools or logs then maybe you should look up some of these host names. But one of the domain names that I thought was interesting there was dunesadventures.net, and this is the archived page for Dunesadventures, which was another website based in Kenya.
They were up to something in Kenya. This was a very basic one-page website that was very poorly made, and they claimed that they were having site problems, and apparently "we have noticed problems with our booking system, this has been taken offline until our techs find the problem - we apologize for any inconvenience". But there was never any booking system in the first place, this was just pretty much a ruse to make it look like, if you go to this website, a legitimate company was hosting there. So if you find anything about that, then I'd be curious as well. Also, if there are any GCHQ agents in the room, then I'm happy to get a drink with you as well. That's all I have for today, does anyone have any questions?

*applause*

(Herald) *asks for questions*

(Mic Question): OK, IRC asks: Deceiving a target into trusting you and leaking any form of info is used everywhere right now, IRC, Twitter and Facebook and so on. How would you advise people to distinguish between a genuine identity and an undercover agent?
(Speaker): I think that's a very good question because-

(H.): So just a quick second, if you really have to leave the room right now, people, please do so quietly, we still have a talk going on and it's really disrespectful if you make that much noise and interrupt this whole thing.

*applause*

I know a lot of people are interested in the talk afterwards but we'll all get you in, and sorry.

(S.): So I think it was a very good question, because if you're conducting, if you're doing activism online and you need to be anonymous and you don't want to meet up with people in person, then how do you know that the people you're communicating with, or if you are like in a public group where you personally accept new members into that group, how do you know or kind of differentiate between who's actually there to harm your group or who's actually there to contribute? I think the answer there lies in what you share. Don't share information with anyone that could potentially put you at harm, even with people that you trust, so essentially don't trust anyone, and this is a basic OPSEC rule.
This is how Jeremy Hammond messed up a few years ago, because they caught him, because he was revealing too much information about his life, like where he eats or something like that, or his previous drug records, and they were able to use that to kind of figure out who he was. And that was the same mistake that p0ke made: he was too open and friendly to that agent for no reason. So I think the kind of answer is to do your operations in a way where you don't have to trust people.

(Mic Question): How effective do you think these methods are, because we've seen the number of followers on Twitter and the number of views on YouTube were very low, so how many people can be affected by this kind of operation?

(S.): Yes, so there was also a slide I meant to put in there, that was another leaked page from GCHQ that had a list of bullet points on what they considered to be an effective operation, and some of those bullet points include how many people click that link, how many people watch the YouTube video, etc. So it's pretty much the same way that you would measure how many people viewed a specific message.
Now in their specific use cases I don't think 306 00:27:19,889 --> 00:27:23,820 they were very successful on a large scale, specifically in the Iran protests, 307 00:27:23,820 --> 00:27:27,499 because the Twitter accounts had very few followers and their YouTube videos only 308 00:27:27,499 --> 00:27:33,279 had a few hundred views, but they might have been, obviously, more successful in 309 00:27:33,279 --> 00:27:37,039 more targeted cases, when targeting specific individuals, like the Bahrain case or 310 00:27:37,039 --> 00:27:38,039 the p0ke case. 311 00:27:38,039 --> 00:27:39,610 (H.): Over there, please. 312 00:27:39,610 --> 00:27:45,220 (Mic Question): Sure, thank you, so I'm just curious if you were familiar with the 313 00:27:45,220 --> 00:27:49,730 work of Erin Gallagher, she's done work to try to figure out, kind of quantitatively, 314 00:27:49,730 --> 00:27:52,809 and make these visualizations, to try to figure out if a particular Twitter account 315 00:27:52,809 --> 00:27:57,279 for example is a bot or whether it's a person, and there's some, you know, rules of 316 00:27:57,279 --> 00:28:00,499 thumb regarding, like, you know, if the bots just kind of interact with each other and 317 00:28:00,499 --> 00:28:01,909 don't interact with real people. 318 00:28:01,909 --> 00:28:07,340 I'm just curious what techniques you may know of to figure out, you know, 319 00:28:07,340 --> 00:28:10,539 what is a bot and what is not, and whether you are familiar with those particular 320 00:28:10,539 --> 00:28:11,559 lines of research. 321 00:28:11,559 --> 00:28:16,960 (S.): I'm not familiar with their work, but thank you, I'll check it out.
In terms 322 00:28:16,960 --> 00:28:24,140 of what kind of metrics you could use to see if an account is valid or 323 00:28:24,140 --> 00:28:29,720 not, I mean, I think, I guess their tweeting habits and when 324 00:28:29,720 --> 00:28:34,010 they tweet, for example, could be indicative, so for example we saw this 325 00:28:34,010 --> 00:28:38,251 person only tweeted from 9 to 5. Obviously that's quite easy to make sure isn't the 326 00:28:38,251 --> 00:28:44,120 case, and also I think one useful thing that might be interesting to do is to 327 00:28:44,120 --> 00:28:50,879 try to map the network of these accounts. If you build up a web of 328 00:28:50,879 --> 00:28:55,909 followers, you might be able to very easily graphically detect very obvious 329 00:28:55,909 --> 00:28:59,100 clusters of accounts that are following each other, which would be a very clear signal. 330 00:28:59,100 --> 00:29:01,370 (Mic): Yeah, for sure, thank you. 331 00:29:01,370 --> 00:29:04,440 (H.): Let's switch over to mic 6, please. 332 00:29:04,460 --> 00:29:05,309 (Mic 6 question): Thank you for the- 333 00:29:05,309 --> 00:29:11,580 thank you for the great talk, how would you compare the former British activities 334 00:29:11,580 --> 00:29:18,149 to the current Russian activities, maybe a talk in itself, but... 335 00:29:18,149 --> 00:29:20,429 (S.): To be honest, I haven't been digging 336 00:29:20,429 --> 00:29:23,919 too deep into the details or following too much about the Russian activities, so I 337 00:29:23,919 --> 00:29:26,860 can't really comment on that, I don't know how prolific it is, I only mentioned 338 00:29:26,860 --> 00:29:31,760 it briefly in the beginning of the slides because it was to give some context, so 339 00:29:31,760 --> 00:29:34,370 I'll have to research the Russian activities more. 340 00:29:34,370 --> 00:29:39,020 (H.):
Let's go to mic 5 again. 341 00:29:39,020 --> 00:29:42,140 (Mic 5 Question): Thanks, to continue 342 00:29:42,140 --> 00:29:51,830 from the person who spoke before, that would have been my question. So, just to add onto 343 00:29:51,830 --> 00:29:58,860 that, did you stumble upon similar patterns coming from, say, Canberra or 344 00:29:58,860 --> 00:30:00,230 Washington DC? 345 00:30:00,230 --> 00:30:05,440 (S.): So these accounts were very specific to just the UK, 346 00:30:05,440 --> 00:30:09,280 there was no kind of collaboration there with other countries within the Five Eyes, 347 00:30:09,280 --> 00:30:15,200 like the US or Australia, but I think they might have, 348 00:30:15,200 --> 00:30:19,120 GCHQ, I think, has collaborated with the NSA, 349 00:30:19,120 --> 00:30:23,060 JTRIG specifically, I think, has collaborated before with the NSA to delegitimize 350 00:30:23,060 --> 00:30:27,929 certain people. So for example, a few years ago or last year, 351 00:30:27,929 --> 00:30:34,230 I think there was a drone attack, someone was illegally killed in a drone strike in 352 00:30:34,230 --> 00:30:40,220 Iraq, he was suspected to be an ISIS member, Junaid Hussain, and apparently the 353 00:30:40,220 --> 00:30:45,299 way that he was deanonymized, or the way they found his location, is that the US, the 354 00:30:45,299 --> 00:30:49,269 FBI specifically, had an informant that was talking to this person, and that informant 355 00:30:49,269 --> 00:30:53,480 sent them a link that was generated by GCHQ, and then through that link 356 00:30:53,480 --> 00:30:56,710 they were able to deanonymize him, so I think there's some collaboration there, but 357 00:30:56,710 --> 00:30:59,110 this is mostly UK activity. 358 00:30:59,110 --> 00:31:04,315 (H.): Last question, we are out of time. Thank you again, Mustafa. *applause* 359 00:31:04,315 --> 00:31:31,940 Subtitles created by c3subtitles.de in the year 2019. Join, and help us!