What upsets me most is that NRC is withholding information in the name of "US national security". Having a crooked government is bad, but when journalists rather side with the man than stand up to him (as they're supposed to in a democratic society), all hope is lost. They don't admit doing this in the English version of this article, which reads:
> A spokesperson for the American government stated that the publication of classified information is a threat to US national security.

But the Dutch version does:

> De Amerikaanse overheid laat in een reactie weten dat publicatie van staatsgeheimen de nationale veiligheid schaadt. Om die reden publiceert deze krant belangrijke technische details niet.

Translation:

> A spokesperson for the American government stated that the publication of classified information is a threat to US national security. For this reason, the paper won't publish important technical details.
The Dutch government is conducting illegal activities and its citizens deserve to know exactly how their government is screwing them.
A lot of forums like phpBB are installed via cPanel and may have default passwords and not be secured fully.
If you have a machine in the ISP, which just means renting 1 machine per ISP, then scan the local IP ranges for open MySQL ports... or more nefariously scan for Memcached as that is hardly ever secured.
Then use the default credentials or the credentials stolen from Memcached to access MySQL.
You're dealing with a known set of forum software, probably phpBB, Vanilla, vBulletin and Invision. So you only need to map out a few schema to be able to make sense of hundreds if not thousands of sites.
Forums are slow moving, even the big ones only have a few thousand to low tens of thousands of posts per day... and your rented machine could easily poll for differences and send it back to HQ.
This is all just speculation of course, but it wouldn't surprise me that this is how it was done.
You're making some pretty big assumptions there. I don't think there is any evidence that MySQL databases set up via cPanel (or any other control panel) have default passwords or are inherently insecure. If this was the case, we would be seeing websites being hacked left and right, and not just by intelligence services.
> “They use sweeps to collect data from all users of web forums. The use of these techniques could easily lead to mass surveillance by the government.”
Which implies that they are not scanning traffic constantly but are instead performing a sweep across the fora and gathering all data. Which implies querying the databases on a schedule and pulling info as the full dataset never exists in the ephemeral traffic.
> “They acquire MySQL databases via CNE access”
Which states that they exploit something on the network to "acquire" the data from MySQL databases.
Those two things together suggest periodic access to the databases.
And given the previous behaviour from accessing networks and hardware without permission of the companies operating on those networks (the Google dark fibre intercept) it isn't too much of a stretch to imagine a similar scenario that could give them access to these databases without asking first.
And the easiest way to get access to a large volume of forums would be to use a common platform as the attack point: A common deployment (cPanel, Plesk, etc) or a common technology that could give up credentials (memcached).
Of course they could use a vulnerability in MySQL, but I bet that's harder work than just trying default passwords or pulling credentials from the unsecured memory cache.
National security /is/ about standing up for the people. And yes, that should be closely monitored by journalists, but that does not mean that everything should be public.
In this case, everything should be made public because the government needs to be held accountable. Governments should serve the people, not the other way around. Without proper scrutiny, there's no way to tell if the proper balance is maintained going forward.
Making things like that public helps terrorists to hide their communication in ways that cannot be decrypted or broken into. That is clearly a threat to all civilians. Giving journalists access to documents and not publishing details is a good balance IMO. The government is still held accountable, it's just not held directly accountable by you. That's the way a democracy works.
By that logic TLS, PGP, etc. should only be available to governments because it can help terrorists to hide their communication in ways that cannot be decrypted or broken into. And let's outlaw pressure cookers, because terrorists have used them as crude bombs so clearly they're a threat to all civilians. Heck, we should all stop wearing clothes and bags because terrorists can use them to conceal weapons.
Governments are to serve the people and we cannot blindly trust them with power regardless of how they're formed. As long as people continue to subscribe to scaremongering for terrorism, the terrorists have already won anyway. The surveillance states of late have powers blown way out of proportion. They ought to save lives in the face of threats, not save lives for retrieval by automated data systems. I have no problems with the former, but I do very much have problems with the latter.
The NOS reported that at least four important political parties are outraged and want an investigation on the issue. In my opinion this is better than the American government's response.
I believe the Dutch are not being screwed by their government, but simply by inadequate control on its intelligence agencies. The government can fix this.
If you all remember the fuss about the "terughackwet", a law that would allow the police to hack people, this is what I meant when I said that the AIVD (general intelligence agency) and MIVD (military intelligence agency) have had this power since the beginning of time. This merely proves that they're actively using their capabilities and that the police doesn't really need it; they can just ask another agency.
I would assume the same for forcing passwords out of people, something which is still supposed to be illegal in the Netherlands but isn't. The AIVD and MIVD have the right to do this.
I've got one question though: does anyone know what they mean by "They acquire mySQL databases via CNE access." What is CNE?
According to the document the Dutch “are looking at marrying the forum data with other social network info, and trying to figure out good ways to mine the data that they have.”
The posts for one individual on one forum are maybe not that interesting. But by connecting this data to the data of his/her other internet activities, you get the total information awareness idea. E.g. Facebook, Gmail, other forums accounts, Whatsapp messages, websites visited etc.
It definitely is a dragnet kinda approach; let's just collect all the data, chuck it into a big database and see if we find any connections with insert random justification here.
Sounds like something Fravia did between breakfast and brushing teeth. :-) Considering the age of the referenced documents this mechanism should be in place by now.
Everyone likes to think that the forums targeted are by terrorists related to the Middle East, Syria, etc.
I think that gathering such large amounts of data allows you to do very specific sentiment analysis on specific groups of the population; in addition to Twitter and Facebook, having fora access is a big deal.
All these are speculations of course. Our agencies are guided by people and more often than not inadequate people. They might be collecting data just because the NSA does it, with no specific purpose. Data just waiting to be abused by someone in a position of power.
To make a comment not regarding moral and civilizational impact, I'm wondering what kind of value targeting forums can have.
Is this really worth the cost, compared to something like making friending bots on social networks and weight analyzing content for keywords?
I suppose their definition of forum should be considered, here. Do we speak of the canonical form of a forum, like a punBB powered website, or is any website aiming to allow people to chat a forum?
Some extremist groups set up separate single issue groups to introduce people to extremist ideas.
An example would be the British National Front and BNP (both right wing extremist groups) setting up an animal rights group which mostly campaigns about slaughter methods, especially ritual slaughter.
Some animal rights groups are also extremist. (Digging up corpses; setting incendiary[1] devices which burnt down several large department stores; setting fire to trucks and truck depots; etc.)
Monitoring these groups makes some kind of sense. So long as police keep that data secure, and it's only used for legitimate law enforcement and isn't used to tarnish reputations or stifle lawful campaigning.
[1] The intent was to cause water damage by triggering sprinkler systems. The fact the sprinkler systems didn't work, allowing the stores to burn down is worrying. This, and IRA bombing campaigns, is one reason that pockets come stitched shut now. The well dressed man / woman will have a stitch ripper to remove these closings, but it's surprising to see how many people have never heard of stitch rippers.
Do you have a source to back up the claim that pockets come stitched because of bombing threats? My wife is a certified seamstress and swears that pockets on higher-range clothing have always been stitched closed, because that keeps their model in better shape. But there might be more to it, so I am curious as to what makes you say this.
Not surprised - part of a university project for a class I took a few years back built a scraper for forums/Facebook/Twitter. The assumption there was that agencies would get access tokens from Twitter - but this is much easier...
Recall that de-anonymization analysis is pretty effective these days. Even if you post under a made-up user name, there's a pretty good chance they can figure out who you are.
That's one reason I post under my own name; anonymity wouldn't buy me much anyway. Even in forums where I'm technically anonymous, I don't try hard to preserve any secrecy about my identity. It's more a matter of "There's a culture here of intemperate posts protected by anonymity, so if you notice me posting there, please also understand that I might be responding in kind."
(i) correlating social graphs
(ii) correlating likes/dislikes/reviews etc. across different networks.
(iii) Lots of data to do (i) and (ii)
And it's still difficult to do for random people on the internet (as opposed to the NSA or serious attackers such as those willing to put in the effort to crawl and analyze the entire LinkedIn graph). I believe deanonymization based on just textual analysis is still a little bit of an academic effort.
Anonymity does buy quite a bit - especially on a forum like HN - where there isn't a social graph and the like/dislike information is private.
The main purpose of monitoring communications is to monitor public sentiment and guide it or sway it. It is not for security purposes, being able to manipulate the populace is the primary goal.
It is basically to subvert the effective functioning of the democratic system in a subtle but perfectly legal manner, by manipulating the information fed to the public and actively shaping the public mood in the desired manner.
And yet strangely, I'm not surprised. There seems to be a race by intelligence agencies to collect as much data as possible in recent years (well, the past decade). And while in the West, the Americans are leading the pack, the others aren't shying away without a fight.
I wouldn't be surprised to learn that it has become more a sport than a national security measure by these agencies. They have gone cocky, so to speak, thinking that because they are government agencies they are above the law that regular hackers supposedly are not.
How do we quantify who is "leading the pack"? This would assume we have representative coverage of different countries' activities and that is certainly not true.
It's all about connecting the dots. They want to gather as much information as possible and try to get a better picture of what each individual thinks, does and his/her social ties. The forums are just a piece of the puzzle.
[XXX] intelligence agency routinely hacks [YYY]; generally to make good with the NSA. From now on we can just report what XXX and YYY are and dispense with the details.
True, in English it would be 'forums'. In fact it would be 'internet forums' in two words, but this is clearly written as it is in Dutch, where it would be «internetfora».
Although, only the title of this thread is 'internetfora', while the article has separated it into two words.