Although, that said, I sometimes use this to see who opened my files. I once left hundreds of these on a very popular cloud hosting provider (not naming names), and somebody working there was stupid enough to open the PDF on a machine connected to the internet, thereby proving abuse by employees and proving any random stranger can access 'your' files in the so-called 'cloud'.
Look up 'honeydocs'. There are some interesting articles about this technique.
Probably even some sort of brainwave scanner.
What would they gain? And if they really have an eye on HN, that would probably mean that NSA as well. If that is true, would it inhibit a community like HN to self-censor?
What would they gain? Look at the slides, these are not normal people all working in a large circular building. What would Kennedy have gained from the Bay of Pigs crisis had it gone the other way? Groupthink is its own force. Those slides are pretty disturbing IMHO, as is pretty much everything I've ever seen out of that org.
I mean I was aware that spooks were aware of forums and watching them and such, but I never thought that a forum like HN would be a target for them.
But I guess that after thinking for a bit HN could definitely be a valuable target. It's just hard for me to accept that a community I visit regularly could be under the influence of these organizations.
Let's look at it from different scales..
Think on a very small scale: how many hugely successful companies were in Y Combinator? A lot. Companies like Dropbox, Airbnb, etc. Companies that are now important. Imagine if you could influence their founders right at the beginning of their journey..
Where people spend their night and what files they store? That's great information to have.
Think on a slightly bigger scale: how many applied to YC? A whole lot more. What would you get if you influence those?
How many are on HN but haven't applied to YC (i.e: read and comment or just read): a lot, lot more..
Where are they? Could be anywhere. They could speak any language, be of any color, worship any deity.. They could be a teenager or a senior VP, an engineer or an artist. They could get any access to anyone, they could either know someone or know someone who knows someone.
They all are somewhat technically literate and can influence people around them. Right there, my friend, is the prime recruiting Tree of Knowledge for any Intelligence Officer in the world. Imagine if you could develop assets everywhere..
Or better yet, imagine if you can shape the image such a great demographic has of you to the point they look at you like a normal tech company: suddenly, you've reframed the interaction and taken the controversy/guilt/moral dilemma out of it. They won't consider themselves assets since you're just like Google or Dropbox.. they won't think they're spying on their countries, it will just be filing a vulnerability report.
You could also have advocates that relay your thoughts on an issue about something: it's like having millions of megaphones. Or at least don't go hardcore on you..
Imagine all the communities each HN member is part of, and the reach this gives you.. Imagine all the places they access HN from..
Just imagine the possibilities if you get people that smart and dispersed to like and respect you.
Still scares the hell out of me.
Privacy is a very strange thing. Even though I know that what I comment in online forums like HN is public for all intents and purposes, it sends chills down my spine to think that we as a community could be shaped as you say.
And if they are able to do so, how do they do it? I mean, besides the obvious tools like sockpuppet accounts and such, how do you build a strategy to steer an online community? What kind of psychological tools do you need to employ?
Obviously psyops and humint people have decades of research on public manipulation, but still... how do you measure success? How do you keep it out of the participants' attention in a community that is full of educated (on these issues) people, or at least more educated than the average Joe, I would hope?
It also doesn't need to be kept out of the participants' attention to work, or there wouldn't have been Hanssens and Polyakovs.. My point is that if the very people who do this for a living and are trained to counter an effort to turn them can be recruited, then anyone can be.
Smart people seem to be like a machine with more open ports than a microwave and knowing the knife is sharp doesn't make one bleed less.
Tech people being more willing to work there, being less opposed to their friends working there, being less likely to tell legislators that GCHQ is an embarrassment to their country or a threat to its values or future freedom.
Greater likelihood of tech companies being willing to cooperate with GCHQ requests or inquiries (whether for counterintelligence or espionage purposes).
Edit: Academic researchers being more willing to take research funding from GCHQ or collaborate with GCHQ on research projects.
(pedants: yes I know it's not the same organisation).
A couple of hours ago I created a throwaway account and commented here how Xorg held onto 1.1GB of memory after viewing the PDF with the GitHub viewer and/or Atril. Tested and reproduced within a disposable Jessie / MATE VM.
I offered an opinion that this wasn't entirely usual behaviour.
The comment vanished. Not modded away, not "paled", just vanished.
Nothing to see here, move along now.
Kosher it ain't. Proceed at your own risk.
Anyone else going to roll over and forgive them for being the key component in Western citizen surveillance?
Even if they have got someone to draw some cute pictures of frogs while trawling all my email?
For some reason that made me feel slightly nervous.
It's kinda obvious.
There are alternatives though. SELinux was designed for big machines with multiple physical users. You can use it with pretty much any scenario (and Android uses it for sandboxing apps), but AppArmor is much easier for common personal desktops and web servers.
On FreeBSD and Darwin, the similar thing is TrustedBSD: http://www.trustedbsd.org/mac.html
Is there anything these guys cannot do?
"The name is Hacker, James Hacker, id 007BA54781, and I have a licence to stimulate."
Personally, I suspect that organizational studies are like the famous 'killing joke': anyone who engages in it is at risk ...
(edit: penny drops)
... uh, oh.
Nice try, folks...
When the GCHQ wants to hack you, it won't be on GitHub. It will be a file served specifically to your computer, with content relevant specifically for you, from someone you trust and don't suspect.
(As other comments have said, we shouldn't take "omg GCHQ are going to serve me an exploit PDF" too seriously, but there have been incidents of security services using PDF exploits to spear-phish people.)
Edit: an example bank PDF exploit is mentioned in: http://ftalphaville.ft.com/2016/05/13/2161789/how-to-steal-a...
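Both the honeydoc idea mentioned earlier in the thread (a document that phones home when opened) and the spear-phishing PDF discussed in this comment come down to the same thing: a PDF carrying an action or reference that fires when the file is opened. The following Python is an added example written for this page, not code from any commenter or from the GCHQ repository. It builds a minimal honeydoc whose catalog has an /OpenAction /URI beacon, and it does the static triage a cautious reader would run on an untrusted PDF before opening it: count the dictionary keys that introduce active behaviour (/OpenAction, /AA, /JavaScript, /JS, /Launch, /URI, /SubmitForm, /GoToR, /EmbeddedFile) and pull out literal /URI targets, looking inside FlateDecode streams as well, since real-world files keep most objects compressed. The canary URL is a constructed placeholder, not a real endpoint.

```python
import re
import sys
import zlib

# Constructed canary token URL for illustration only; not a real endpoint.
CANARY_URL = "https://canary.example.invalid/t/0123456789abcdef"

# PDF dictionary keys that introduce active behaviour or outbound references.
_ACTIVE = re.compile(
    rb"/(OpenAction|AA|JavaScript|JS|Launch|URI|SubmitForm|GoToR|EmbeddedFile)"
    rb"(?![A-Za-z0-9_])"
)
# Literal-string /URI values, honouring backslash escapes inside the parentheses.
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _pdf_string(s: str) -> bytes:
    # Escape the characters that are special inside a PDF literal string.
    return (s.encode().replace(b"\\", b"\\\\")
            .replace(b"(", b"\\(").replace(b")", b"\\)"))


def build_pdf(beacon_url=None) -> bytes:
    """Minimal one-page PDF. With beacon_url set, the catalog carries an
    /OpenAction /URI action, the classic honeydoc beacon: a viewer that honours
    it requests the URL (revealing an IP address and a time) when the file is
    opened. Viewers may prompt first or ignore the action entirely."""
    objs = [
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",                 # obj 2
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",   # obj 3
    ]
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    if beacon_url is not None:
        catalog += b" /OpenAction 4 0 R"
        objs.append(b"<< /Type /Action /S /URI /URI ("
                    + _pdf_string(beacon_url) + b") >>")               # obj 4
    catalog += b" >>"
    objs.insert(0, catalog)                                            # obj 1

    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))          # byte offset recorded in the xref table
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n" % (len(objs) + 1)
    out += b"0000000000 65535 f \n"
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return bytes(out)


def triage_pdf(data: bytes) -> dict:
    """Static triage of an untrusted PDF: count active-content keys and collect
    literal /URI targets, scanning inflated FlateDecode streams in addition to
    the raw bytes. A hit does not prove an exploit, but it is a reason to open
    the file in a throwaway VM (or not at all) rather than on a working machine."""
    views = [data]
    for m in _STREAM.finditer(data):
        try:
            views.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate (or encrypted/damaged); raw bytes are still scanned
    counts = {}
    uris = []
    for blob in views:
        for m in _ACTIVE.finditer(blob):
            key = m.group(1).decode()
            counts[key] = counts.get(key, 0) + 1
        for m in _URI_LITERAL.finditer(blob):
            raw = m.group(1).decode("latin-1")
            uris.append(re.sub(r"\\(.)", r"\1", raw))  # undo PDF string escapes
    return {"keys": counts, "uris": uris, "active": bool(counts)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(triage_pdf(fh.read()))
    else:
        with open("canary.pdf", "wb") as fh:
            fh.write(build_pdf(CANARY_URL))
        print("wrote canary.pdf;", triage_pdf(build_pdf(CANARY_URL)))
```

Run it with a path to triage a downloaded file, or with no arguments to write the canary and triage it. The regex approach is deliberately crude: it will miss keys split across name escapes (`/J#53` for `/JS`) and objects inside encrypted or non-Flate streams, so treat a clean result as "nothing obvious" rather than "safe".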
At which point why go through the charade of a PDF at all?
TARDIS metaphor is very cool though
This is (should, maybe?) be targeted at CxOs of big corps, and I think has some value there - if only it were more pithy (which is not the English way).
There is also some irony in that they're saying "do away with big planning upfront" in the same document as "be big-data-driven". Big data needs big planning up front if it's going to be meaningful.
http://pdftotext.com (no affiliation, first search result)
It's much easier to go to HN and grab the usernames and IPs of people you can see taking a rebellious position in discussions about these organisations.
Also, why would you assume that showing any interest whatsoever in Tor isn't going to land you on many more watchlists than reading a public PDF in GitHub?
Or you could assume that they have that information already. Which I deem highly likely - private repos are a must-target for any intelligence service out there.
Assuming anyone is inept is inept, since even the inept get lucky.
Well, they know who I am anyway. Hi again!
(Edit: If you click on it from the repo file list at the top it converts it; don't do what I did and click on the link to download at the bottom of the readme)