
Spy agencies in covert push to infiltrate virtual world of online gaming - r0h1n
http://www.theguardian.com/world/2013/dec/09/nsa-spies-online-games-world-warcraft-second-life
======
beloch
MMO's are packed with possible communication channels in addition to chat.
Ever wonder if that annoying gnome in the auction hall is jumping in morse
code? Could signals be sent with bids? Could a character's inventory contents
be arranged to leave a message to someone else who shares the login info? Is
that nonsense coming from what you presume to be a bot-controlled gold-farming
crew really nonsense? When a game goes to great lengths to simulate a world,
the possibilities for covert communication are nearly limitless!

I find the task of finding terrorist communications in MMO's so daunting that
I'd never even consider making an attempt at it. However, the NSA is one
organization that seems to have nearly infinite resources to throw at
impossible problems. This is an organization that is literally trying to "hack
the planet"! I seriously doubt they'll ever managed to uncover anything
significant, even if they're plugged directly into the servers at Blizzard,
etc.. However, at least some spooks get to play WoW for a living on the
government's dime!

Seriously... The NSA makes military spending look frugal!

~~~
rolux
> MMO's are packed with possible communication channels in addition to chat.
> Ever wonder if that annoying gnome in the auction hall is jumping in morse
> code? Could signals be sent with bids? Could a character's inventory
> contents be arranged to leave a message to someone else who shares the login
> info? Is that nonsense coming from what you presume to be a bot-controlled
> gold-farming crew really nonsense?

Precisely. WOW itself is the first level of steganography ("I'm not
communicating, I'm gaming"), but one can think of many more, inside and
outside of MMOs.

Given proper use of steganography, small groups will always be able to
communicate with low risk of detection. But for obvious reasons, you will
always have to roll your own scheme, and may end up overlooking aspects that
render it insecure.

~~~
prawks
Is anyone aware of articles or books that deal with the creation of these
types of systems? I'm guessing some sort of cryptography text would lead to
it, but the last sentence of your post has me particularly interested. What
kind of considerations need to be made when creating such a system, especially
in today's age?

~~~
sillysaurus2
Nope, cryptography != steganography. The situation with stego, currently, is
much the same as the situation with crypto was before the invention of public
key encryption: truly high-grade stego is only available to governments,
mostly because nobody knows how to do it in a secure way. In other words,
stego is an art, not a science, just like crypto was before PKE. There are no
good texts as far as I'm aware.

Your best bet is to read whitepapers on stego. See
[https://news.ycombinator.com/item?id=6843575](https://news.ycombinator.com/item?id=6843575)
for related discussion.

~~~
hershel
>>stego is art not science

what about "provably secure steganogrpahy"? there seems to be some papers on
this. isn't is by definition science, not art?

------
zacinbusiness
God I wish I worked for the NSA.

"Hey man, are you watching porn?"

"Hell yeah! Because terrorists are using it to send messages! It's in the
Mise-en-scène! I'm doing this for freedom!"

"My God. You're right!"

"Also, I'm pretty sure they're doing the same thing in strip clubs. And with
really high-quality whiskey. So...I'm going to need some really high-quality
whiskey. And a fist-full of singles."

"Anything you need! You brave bastard!"

~~~
jnbiche
I hope I just upvoted you but I was laughing so hard I may have hit the down
button by accident.

~~~
zacinbusiness
I go where I'm needed :-)

~~~
nealabq
You brave bastard!

------
VLM
"the difficulty of proving terrorists were even thinking about using games to
communicate"

The article is pretty good in most areas, but an epic fail in this specific
small subpart. The solution to the problem is simply follow the cultural trend
of redefining what terrorism means. The article fails by listing some actual
real terrorists. The article succeeds by listing non-terrorists as terrorists
such as academic scientists who are employed in a perfectly legitimate
capacity by a government that our government doesn't happen to like at this
moment. The article fails by not mentioning that most of the terrorists
they're tracking are prank telephone callers, internet bullying, anyone who
ever disagrees with anything our government does in any manner or the actions
of any individual government employee, anyone who belongs to a religion or no
religion at all, political candidates and supporters on whichever is the
losing side, teens toilet papering houses, minorities who do illegal things
like drive while black in white neighborhoods, you know, new school terrorism
as opposed to the old school stuff they used to be concerned with like
crashing planes and stuff.

What we really need is a .gov organization oriented against old school
terrorism instead of the new school 1984 stuff.

~~~
salient
I'm hoping one of the results from the NSA reform will be that we'll properly
name who and what exactly is a terrorist. The government spies on everyone,
and then to justify their spying they're calling all of them potential
terrorists. That line of thinking must go.

~~~
VLM
Yes the funny part is the scientist they labeled as a terrorist is not a
terrorist at all, but is a perfectly legitimate surveillance target. They not
only have the wrong label for the wrong people, they have the wrong label for
the right people.

As a followup to my original post we probably need two new .gov agencies not
just one. One would focus on state level threats to the country like foreign
nuclear scientists, pretty much the pre-1984 style CIA stuff, or at least the
fraction of CIA activities that were actually legal. The other would be more
police like and focus on nutty individual threats, that aren't national
threats, more or less James Bond evil villain type stuff. Both groups might or
might not "fit" under the same gov org. Probably neither fits under the
existing 1984 organizations, and unfortunately no one is apparently working on
those two problems, in favor of the much more exciting "stamp out political
dissidents / implement Stasi/SS secret police in the USA" model.

------
rolux
These two comments on theguadian.com sum it up rather aptly:

> > This is beyond farcical. Does any working at GCHQ or NSA actually have a
> fully functioning brain?

> Yes they do, and recognize a well paid cushy job when they see one.

~~~
walshemj
GCHQ is not well paid ;-)

------
bowlofpetunias
I grew up in a world in which the Stasi infiltrating church groups was seen as
state security going beyond the pale.

This is just beyond insanity.

These agencies should not just be reined in anymore, the need to be abolished
and replaced if we are ever to return to an acceptable level of state
surveillance.

------
Theodores
This is not as silly as it appears.

I spend a lot of time 'in' an online game playing with one of my relatives. We
have a collective circle of online friends and we know when something is up
with any of our friends. If they have not logged on all day that is a cause of
concern. Equally, if someone is going to be away from the game for a few days
then they will let everyone know. I doubt they would email the same to
everyone in their address book.

With aforementioned relative I know if she is working from home, on business
or with time to herself. Her involvement in the game shows that. I know more
from her gameplay than I do from emails or from what anyone else in the family
has to say. Important family news is relayed in game rather than on the phone
or in email. Email might be moved to if something needs to be discussed away
from a public forum, but, that first message, in-game is best.

As for online friends, I am not that picky. I have online in-game friends from
all over the world and I don't care if they are raving Christian nutters. In
real life I would not have time for those that want to quote the bible to me
every day, but I will tolerate it in-game, so long as they further my game
goals. Therefore I am easier to befriend in-game than in real life.

I get up to things that my friends and family don't get to hear about, they
are not to know. However, if I was to be targeted for spying then the in-game
communication would show whether I was busy with something else or not. I
don't have to conspire with others in-game for the communications to be
useful, so I don't think the NSA/GCHQ actually have to be looking for 'bomb
plots', just a level of game devotion.

~~~
Zigurd
> _This is not as silly as it appears._

Oh yes it is. This is the readily and deservedly lampoon-ready tail end of
snooping on everything without know what you are looking for.

------
adnans
Some poor NSA analyst was caught playing WoW in work and had to develop this
enormous ploy to explain his actions as a way to capture chat terrorist
traffic in-game. It just blew up from there.

------
JonSkeptic
>The agencies, the documents show, have built mass-collection capabilities
against the Xbox Live console network, which boasts more than 48 million
players.

In other news, the NSA to start a new reality TV show: Living Room Security!
Find out who's added to a no-fly list this week as we take you live inside
your own living room. Brought to you by the Xbox Kinect.

~~~
uchi
Strangely, for once I wouldn't be very mad if they put angry, profane Call of
Duty children on no fly lists.

------
kabdib
Online games are interesting to infiltrate because they can be a conduit for
downloaded code; a lot of the clients are native code with the capability for
remote execution (e.g., for anti-cheat challenges).

I have no evidence that the NSA has done this.

To the NSA, your user base is just another set of people to monitor, just
another set of machines to infiltrate. They don't care about your user's
trust.

------
_delirium
I thought this was reasonably public information for a few years now. IARPA
(basically the intelligence agencies' version of DARPA) has had a series of
public grant calls since the late 2000s for research on various kinds of data-
mining in MMOs and virtual worlds, ranging from behavior modeling to
transaction tracking. Of course, they didn't say precisely why they were
interested in such research, but one could surmise...

edit: Here's a 2008 Bruce Schneier post about it:
[https://www.schneier.com/blog/archives/2008/03/searching_for...](https://www.schneier.com/blog/archives/2008/03/searching_for_t.html)

------
r721
>According to the briefing notes, so many different US intelligence agents
were conducting operations inside games that a "deconfliction" group was
required to ensure they weren't spying on, or interfering with, each other.

I can't understand how this can be true, 48 million players vs. 30,000-40,000
NSA employees[1], number of agents is probably a few orders lower.

[1]
[http://en.wikipedia.org/wiki/National_Security_Agency#Employ...](http://en.wikipedia.org/wiki/National_Security_Agency#Employees)

~~~
prawks
Say there are a couple hundred servers in various games they're observing and
participating in (not an absurd number given that one person with a 40-hour
week could play quite a bit), it's reasonable to assume multiple agencies
might overlap servers.

~~~
r721
Well, I was just hinting on overspending: if a few agents are watching one
target it's miscommunication and mild overspending, but when there's a whole
"deconfliction group" it's overspending squared.

~~~
VLM
Aside from overspending you might want to look into existing BATF sting
operations. If the majority of the criminal activity in an area is law
enforcement sting operations trying to catch the small fraction of actual
criminals, then you need a deconfliction group or the vast majority of arrests
will be law enforcement agents arresting each other.

Imagine if the city cops decide to crack down on prostitution by posing as
johns in a sting, the same night that county sheriffs decide to crack down on
prostitution as prostitutes in a sting, and the streets are 90% full of cops
arresting each other. LOL all you want, this has happened IRL, also with drug
trafficking. There is also something of a meme that the majority of underage
girls on chat services are creepy FBI agents.

~~~
r721
Yeah, it's bureaucracy gone wild: one criminal per fifty employees. But I
guess it's even less than so in this case: no convicted criminals, so many
agents that a "deconfliction group" (how many employees were in that "group"?
3-5? 10?) was needed.

------
digitalengineer
I suppose HN is also infiltrated. Those damn 'hackers' _must_ be reading
Hackers News, right? I hear some are even 'small government' types. I can
understand why people think that must be the reason every NSA article
disappears of the frontpage after 40 comments...

------
throwawaykf
Relevant (from 2010):

"Detecting Money Laundering and Terrorism Financing Activity in Second Life
and World of Warcraft", Angela S M Irwin, Jill Slay - University of South
Australia

[http://ro.ecu.edu.au/icr/5/](http://ro.ecu.edu.au/icr/5/)

------
tokenadult
This ought to finally get the script kiddies up in arms about government
surveillance.

------
rl3
I wonder if NSA has reversed chat protocols for non-MMO games in order to
facilitate broad, keyword-based intercept directly from player network
traffic.

Namely games that don't send chat traffic through a centralized server.
Perhaps older games that had lackluster releases and are currently ghost towns
in terms of active players. If bad guys are trying to fly under the radar,
those are probably a smart bet (relatively speaking) compared to games that
are popular. Most non-MMOs don't even require an account, let alone billing
details.

It would be laughable if firing up some ancient, crappy game that nobody plays
is all it takes to dodge dragnet surveillance. On the other hand, I imagine
dragnet surveillance never was intended to catch smart people (only blackmail
them), and terrorists by definition tend to be dumb.

Obviously if someone is already targeted, reverse engineering game chat
protocols becomes irrelevant. Analysts would just read screenshots and key-
logger data courtesy of NSA TAO (or whatever GCHQ's equivalent is).

------
eudox
See also Andrea Sharpton's notes on Linden Lab and its opposition to allowing
users to chat over OTR:
[http://pastebay.net/1371265](http://pastebay.net/1371265)

------
ChrisAntaki
> A later memo noted that among the game's active subscribers were "telecom
> engineers, embassy drivers, scientists, the military and other intelligence
> agencies".

Perhaps these were the targets.

~~~
VLM
If not targets, an idea not discussed so far is bribery victims?

"Sure, I can op you... but we like to know when ops will be around, you know,
for coverage so there's always one online, so if you could just let us know
when you'll be working (embassy driver) overtime hours..."

------
coldcode
Even if this was a legitimate concern to the NSA, if you don't cover every
game you wouldn't catch any possible terrorist. If I were a smart terrorist,
I'd just simply use a fairly obscure game unlikely to be targeted.

~~~
mynameismiek
You mean, like, Furcadia?

"This 'dream' is trying to tell someone something. I just can't figure out
what 'yiffing' is..."

------
officemonkey
Terrorists: we will Candy Crush you.

~~~
Ygg2
This just in. Head of Al Qaeda has this to say:

    
    
        "The inf1del n00bz of the Alliance, will be crushed by 
       our grand Jihad Horde. We will bomb their cities, and rain    
        death in Arathi Basin on all major servers. Allah is great!"
     
    

General Alexander wasn't able to comment, because he was apparently speed
leveling his Paladin. Anonymous sources cite that his palandin is still level
30 and that quote: "Keith is quite a newb. He doesn't know that he can insta
level his Paladin.".

------
FBT
It is always great when evil is incompetent. I dislike that the NSA, GCHQ,
etc. are spying on everyone and violating everyone's basic dignities, but it's
great that they waste time doing so in rather insane ways, e.g. by playing
video games.

Basicly, I hate the NSA's spying, but if they want to spy on me in
ridiculously convoluted ways... it's better than them being actually
competent.

~~~
zacinbusiness
That's a good point. This has to be one of the most Rube Goldberg ways I've
ever heard of someone trying to collect intelligence. Did that teenager really
have sex with my mother? Or is that some sort of code! Or is he just mad that
I fragged his team and broke his streak? Or was the streak itself some sort of
code!

------
7952
This sounds like it is actually closer to traditional spy work than most of
the revelations we have heard recently. If you tell an NSA agent (or anyone
online) something they will know what you tell them. It is more worrying if
they are leaving vulnerabilities un-patched as this could allow anyone to
exploit the same methods. Are foreign governments using this to spy on
Americans?

------
calewis
When I read this I just though of the Penguin Party scene from Four Lions,
[http://www.youtube.com/watch?v=Ew-
SrlQ9tlI](http://www.youtube.com/watch?v=Ew-SrlQ9tlI). Turns out these morons
get there ideas from satirical black comedies.

~~~
walshemj
Or the laundry verse where the external assets experimented with using WOW to
communicate.

Persephone has a "WWLJD" bracelet. When she's trying to infiltrate Schiller's
compound, everyone naturally assumes it stands for "What would Lord Jesus do?"
Actually, it's "What would Leeroy Jenkins do?"

------
cokernel_hacker
From what little has been confirmed, the system we know about works "better"
the more connections you feed into it.

I doubt they intended to find anyone directly using this information. Instead,
what is more likely is that collecting data in these games might help identify
"friends" of people considered suspicious via some other means.

Although now that I think of it, games like WoW and EVE Online do make for
quite a milieu. I know that several of my colleagues play such games and with
each other.

It certainly chills the spine a bit when you realize that there are people
who've had this kind of data for quite some time, using it for who-knows-
what...

------
DanBC
They have to monitor the cesspool of XBox Online screeching 14 year olds?

I feel sorry for them.

------
Cthulhu_
tl;dr, NSA analysts want to play WoW during working hours. Can't blame 'em.

------
eamsen
If you have to monitor all online communication, then infiltrating private
message boards by means of technology or human interaction is essential. An
in-game chat is just an additional communication protocol next to email,
Skype, etc.

Leaving such communication channels unmonitored would pose a potential threat.
This behavior is in line with the current state of affairs and should be
expected.

------
ommunist
Well, this is a good excuse for gaming MI5 analysts, and probably a reason for
their recent Russian vacancies, someone has to play Russian MMORPGs (just
kidding). But seriously speaking - do you remember that American spy killed in
Tripoli before the Lybian war (if memory serves)? He was a huge authority in
EVE Online as it turned out.

------
dobbsbob
Wasn't Topiary busted because of using Xbox live? Wonder about that informant
now

------
mbuchanan
Or... you find players that are obsessive 1st person shooter players, you
cross reference their mental health history and access to guns. That pops up
Adam Lanza in Newtown. You engage him and coerce him. hmm..

------
BrandonMarc
As always, Randall Monroe had a pithy comic about such monitoring: xkcd 1223
"Dwarf Fortress"

[http://xkcd.com/1223/](http://xkcd.com/1223/)

------
natch
I wonder about the financial impact on gaming companies once users get creeped
out by this. Nice job, NSA.

------
JoeAltmaier
Most important question not answered: were the Alliance or Horde?

------
timbro
I think it's becoming very clear now:

Either the NSA/government goes or technology goes.

If we want to attain a sane degree of democracy in our Western world, both can
not continue to coexist in their current form.

~~~
a3n
But you can't get rid of the NSA when there are real threats in the world.
It's just not going to happen, because there actually are real threats (the
number is debatable), and the existence of more than an anomaly of threats
will always be justification for NSA and their ilk.

The only way to _get rid of the NSA_ is to get rid of the threats. The most
effective long term way is to work for and achieve a much higher level of
peace, tolerance and community than the world currently has.

~~~
dragonwriter
> But you can't get rid of the NSA when there are real threats in the world.

Sure you can. The existence of real threats does not mean that the NSA is the
only means of dealing with them, nor even that it is an effective way of
dealing with them even before considering the negative impacts it has, nor,
finally -- and this is the key consideration -- that it is a net positive
considering the benefits it provides against the threats against the direct
threat it produces to freedom.

~~~
a3n
I'll concede that getting rid of the NSA regardless of threats is within the
realm of possibility. But it's very unlikely. Maybe more unlikely than world
peace.

------
bassclef
i thought this was an onion article.. america has become quite sad.

~~~
notaspy
The United States is collapsing, and the show will take a while. I'd say sit
back and enjoy, but in this show most of us die, and those who don't will wish
they did.

~~~
PavlovsCat
The passive spectator stance is part of what causes this, not really a sane
reaction to it. It's not a show, it's the result of our (in)actions.

