
GCHQ's Boiling Frogs paper on software development - kiyanwang
https://github.com/GovernmentCommunicationsHeadquarters/BoilingFrogs
======
wyzellak
[http://imgur.com/a/pbazB](http://imgur.com/a/pbazB) Contents of this PDF,
page by page, in JPGs.

~~~
distances
PNG would be more fitting for content like this.

~~~
linuxlizard
(In case folks don't know, PNG is better for text because JPG's compression
introduces "ringing" artifacts around sharp edges, such as the black/white
transition of text.)
[https://en.wikipedia.org/wiki/Ringing_artifacts](https://en.wikipedia.org/wiki/Ringing_artifacts)

~~~
xrorre
JPGs are also a lot safer as PDFs can ping remote resources using carefully
hidden beacon images.

Although that said, I sometimes use this to see who opened my files. I once
left hundreds of these on a very popular cloud hosting provider (not naming
names), and somebody working there was stupid enough to open the PDF on a machine
connected to the internet, thereby proving abuse by employees and proving any
random stranger can access 'your' files in the so-called 'cloud'.

Look up 'honeydocs'. Some interesting articles about this technique.

~~~
DarkLinkXXXX
Is that effective for non-adobe pdf viewers? What about the ones that disable
javascript?

~~~
nexar
Look into canarytokens. Plenty of file types that do not rely on JavaScript
nor macros etc.
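
On the defensive side of the beacon question in this sub-thread, a static check run before opening a PDF can list the name keys associated with outbound requests or automatically triggered actions, including ones written with `#xx` escapes or stored inside Flate-compressed streams. This is an added example, not part of any comment above and not code from canarytokens or any other project; the watched-key list is a common triage set chosen for the example, and the sample document and `beacon.example` host are constructed.

```python
import re
import zlib

# PDF name keys tied to outbound requests or automatically triggered content.
WATCHED = ("/URI", "/GoToR", "/SubmitForm", "/ImportData", "/Launch",
           "/JavaScript", "/JS", "/OpenAction", "/AA")
NAME_RE = re.compile(rb"/[^\x00\t\n\f\r /<>\[\](){}%]+")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _names(chunk: bytes):
    """Yield PDF names with #xx escapes decoded ('/J#53' becomes '/JS')."""
    for m in NAME_RE.finditer(chunk):
        raw = HEX_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0))
        yield raw.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count watched names in the file body and inside stream contents."""
    chunks = [STREAM_RE.sub(b"", data)]           # everything outside streams
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            # decompressobj tolerates the EOL bytes that precede 'endstream'
            chunks.append(zlib.decompressobj().decompress(body))
        except zlib.error:
            chunks.append(body)                   # not Flate: scan as stored
    counts = dict.fromkeys(WATCHED, 0)
    for chunk in chunks:
        for name in _names(chunk):
            if name in counts:
                counts[name] += 1
    return {k: v for k, v in counts.items() if v}


def build_sample() -> bytes:
    """Constructed sample, not a real document: an escaped /OpenAction in the
    clear and a URI action inside a Flate-compressed stream."""
    hidden = zlib.compress(
        b"<< /Type /Action /S /URI /URI (http://beacon.example/t.png) >>")
    return (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /Open#41ction 2 0 R >>\n"
            b"endobj\n2 0 obj\n<< /Length " + str(len(hidden)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + hidden
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(triage_pdf(build_sample()))
```

Encrypted files and filters other than Flate are not decoded here, so an empty result does not show that a document is free of remote references.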

------
dTal
I really doubt this PDF is infected with anything like people are suggesting,
but why is it on here at all? It seems incredibly empty and buzzword-y to me,
interspersed with such charming insights as "It can make good sense to use
external suppliers." Lots of talk about "disruption". It reads... well, it
reads exactly like what it is, a vacuous corporate "whitepaper".

~~~
branchless
Because GCHQ are having a PR drive and they have enough accounts here to
upvote it to the front page?

~~~
saganus
Would it really be a good investment for GCHQ to keep enough sockpuppet
accounts on HN to upvote something like this to the front page?

What would they gain? And if they really have an eye on HN, that would
probably mean that NSA as well. If that is true, would it inhibit a community
like HN to self-censor?

~~~
branchless
There have been leaks from GCHQ on influencing internet forums.

[https://theintercept.com/2014/02/24/jtrig-manipulation/](https://theintercept.com/2014/02/24/jtrig-manipulation/)

What would they gain? Look at the slides, these are not normal people all
working in a large circular building. What would Kennedy have gained from the
Bay of Pigs crisis had it gone the other way? Group think is its own force.
Those slides are pretty disturbing IMHO as is pretty-much everything I've ever
seen out of that org.

~~~
saganus
Damn. I was not aware of this.

I mean I was aware that spooks were aware of forums and watching them and
such, but I never thought that a forum like HN would be a target for them.

But I guess that after thinking for a bit HN could definitely be a valuable
target. It's just hard for me to accept that a community I visit regularly
could be under the influence of these organizations.

Scary thoughts.

------
dotemacs
I like how all the members of that GitHub organisation have secret usernames:

[https://github.com/orgs/GovernmentCommunicationsHeadquarters...](https://github.com/orgs/GovernmentCommunicationsHeadquarters/people)

~~~
tragomaskhalos
Unfortunately, Q saying "Now pay attention a09631" doesn't quite have the same
ring to it.

(pedants: yes I know it's not the same organisation).

------
kinai
when I just opened the pdf my xorg died (OOM) - I kid you not, first time that
ever happened. funny coincidence..or is it? I figure now I got a reason to
setup that new distro I was playing with _burn all them compromised stuff_

~~~
rwmj
If they're any good then they've modified your BIOS or Intel SMM.

------
branchless
GCHQ have a puff piece planted in the FT today about their new twitter feed.

Anyone else going to roll over and forgive them for being the key component in
Western citizen surveillance?

Even if they have got someone to draw some cute pictures of frogs whilst
trawling all my email?

Not me.

------
cm3
Wait, the GCHQ has a GitHub profile where they share a Graph Database engine.
Interesting.

~~~
kirykl
NSA has a linux distro [https://en.wikipedia.org/wiki/Security-Enhanced_Linux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux)

~~~
xrorre
Qubes is exponentially superior to this distro. Open that PDF in a disposable
Fedora sandbox, and physically disable the network plz

~~~
justinclift
Because sandbox escapes aren't a thing GCHQ would have any knowledge of yeah?

/s

------
tomelders
The only thing coming out of GCHQ that I want to read is all the stuff GCHQ
won't let anyone read.

~~~
branchless
Read your own email. They won't let you have that. Or write a transcript of a
telephone conversation to the UK.

------
cm3
I tried cloning the repo and it hangs at 67%, so I kinda got suspicious and
killed git. Hmm, maybe it's just a large repo, but being from GCHQ one cannot
help but feel suspicious.

~~~
cm3
Has anyone been able to clone it?

------
B1FF_PSUVM
> we offer this internal research paper publicly, not to present policy or
> guidelines, but to stimulate debate.

Is there anything these guys cannot do?

"The name is Hacker, James Hacker, id 007BA54781, and I have a licence to
stimulate."

Personally, I suspect that organizational studies are like the famous 'killing
joke': anyone who engages in it is at risk ...

(edit: penny drops)

... uh, oh.

------
cyberpunk
Hah a PDF!

Nice try, folks...

~~~
dkopi
Assuming they have a zero day vulnerability in acrobat (or other PDF readers),
they wouldn't risk losing it by uploading a file with an exploit, using their
own name, and in a wide distribution.

When the GCHQ wants to hack you, it won't be on GitHub. It will be a file
served specifically to your computer, with content relevant specifically for
you, from someone you trust and don't suspect.

~~~
rasz_pl
For example datasheet pdf with mitm injected payload you just downloaded from
alldatasheets. They tap cables and sit in bridge routers for a reason.

------
chris_wot
Cool, ITIL for spooks. Can't wait till I see the multi-edition version that
emphasises continuous simmering. Then I can get certified!

------
awinter-py
> For example, an organisation building public service websites would not
> build a software configuration management system for itself, this is a
> commodity capability that is best served by well-established tools such as
> the open source Git.

Hmm

TARDIS metaphor is very cool though

------
nxzero
Reminds me of the "Find Out if the NSA and GCHQ Spied on You"
[https://news.ycombinator.com/item?id=11705650](https://news.ycombinator.com/item?id=11705650)

------
lr
virustotal scan of document:

[https://virustotal.com/en/url/1ecad5426be630531d4e5c9d4091a0...](https://virustotal.com/en/url/1ecad5426be630531d4e5c9d4091a04dc0012af72e710e6d3a88c6d64dea79c9/analysis/)

------
chinathrow
What an ironic title (no, I won't read the PDF) - since we're here, sitting in
a boiling hot tub, getting warm and cosy with GCHQ sitting next to us in the
next tub, aka GitHub repo.

------
nbevans
This is very well written.

~~~
cm3
It might be dangerous to click on it, is there a tl;dr or text extract of it?

~~~
cantagi
It's OK - Github converts it to HTML. However, GCHQ could politely ask the NSA
to force Github to give them the usernames and IP addresses that viewed the
repo. Maybe use Tor?

~~~
mseebach
I don't understand why everybody assumes GCHQ and NSA are completely inept
amateurs. Getting a list of usernames and IP addresses from GitHub would have
an insane signal to noise ratio - after all, there are plenty of perfectly
legitimate reasons to want to read this document.

It's much easier to go to HN and grab the usernames and IPs of people you can
see taking a rebellious position in discussions about these organisations.

Also, why would you assume that showing any interest whatsoever in Tor isn't
going to land you on many more watchlists than reading a public PDF in GitHub?

~~~
chinathrow
> Getting a list of usernames and IP addresses from GitHub would have an
> insane signal to noise ratio

Or you could assume that they have that information already. Which I deem
highly likely - private repos are a must-target for any intelligence service
out there.

------
wjd2030
Also known as "How GCHQ infected the internet with a PDF trojan" lol

------
justinclift
Maybe a [dupe] tag, as this was submitted a few days ago too?
[https://news.ycombinator.com/item?id=11674394](https://news.ycombinator.com/item?id=11674394)

~~~
nicky0
Does HN have tags now?

~~~
justinclift
Not sure what you mean. Other duplicate posts have "[dupe]" added to their
title, so why the hassle this time?

~~~
nicky0
Not hassle, I've just never personally seen a [dupe] tag so I didn't know what
you meant.

