GCHQ's Boiling Frogs paper on software development (github.com/governmentcommunicationsheadq...)
111 points by kiyanwang on May 16, 2016 | hide | past | favorite | 83 comments

http://imgur.com/a/pbazB Contents of this PDF, page by page, in JPGs.

PNG would be more fitting for content like this.

(In case folks don't know, PNG better for text because JPG's compression introduces "ringing" artifacts around sharp edges, such as the black/white transition of text.) https://en.wikipedia.org/wiki/Ringing_artifacts

JPGs are also a lot safer as PDFs can ping remote resources using carefully hidden beacon images.
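The mechanism this comment alludes to is a PDF whose catalog carries an automatic action (/OpenAction or /AA) that resolves to a /URI action, so the viewer fetches a remote resource the moment the file is opened. Below is an added example, not code from the thread or from GCHQ's repository, of a small static triage scanner that flags such constructs before a document is opened. The sample PDF bytes are constructed for the example, the list of risky names is my own selection, and the #xx name-escape handling is there because a naive keyword grep is defeated by `/Open#41ction`.

```python
import re

# Constructed sample: a minimal PDF whose catalog has an /OpenAction pointing at a
# /URI action, which is the classic "beacon document" layout. The name is written
# with a #xx hex escape (/Open#41ction) to show why names must be decoded first.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /URI /URI (http://beacon.invalid/track?id=doc-42) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name objects that warrant a look before opening a file of unknown origin.
# The selection is this example's, not an exhaustive or authoritative list.
RISKY_NAMES = {
    "/OpenAction": "action runs automatically when the document is opened",
    "/AA": "additional actions (page open/close, form events)",
    "/JavaScript": "embedded JavaScript",
    "/JS": "embedded JavaScript",
    "/Launch": "launches an external application",
    "/URI": "fetches a remote URL (typical beacon mechanism)",
    "/SubmitForm": "submits form data to a remote server",
    "/ImportData": "imports data from an external file",
    "/RichMedia": "embedded Flash/3D media",
    "/EmbeddedFile": "embedded file attachment",
}


def decode_pdf_names(data: bytes) -> bytes:
    """Expand #xx hex escapes (PDF 1.2+ name syntax) so /Open#41ction == /OpenAction.

    This is applied to the whole file for simplicity; for triage that is fine,
    since it can only add matches, never hide them.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Static triage: count risky names, pull literal URLs, note what we cannot see."""
    decoded = decode_pdf_names(data)
    findings = {}
    for name, _why in RISKY_NAMES.items():
        # A name token ends at whitespace or a delimiter, so /JS must not match /JSX.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        count = len(re.findall(pattern, decoded))
        if count:
            findings[name] = count
    # Literal-string URLs in the file body (strings in parentheses).
    urls = [u.decode("latin-1") for u in
            re.findall(rb"\((https?://[^)\s]+)\)", decoded)]
    # Names that used hex escapes in the raw bytes: a mild evasion signal by itself.
    obfuscated_names = len(re.findall(rb"/[A-Za-z0-9]*#[0-9A-Fa-f]{2}", data))
    # Caveat: objects inside compressed object streams (/ObjStm) or Flate-encoded
    # streams are invisible to this byte-level scan; a real parser is needed there.
    opaque_streams = len(re.findall(rb"/(?:ObjStm|FlateDecode)(?![A-Za-z0-9])", decoded))

    auto_action = any(n in findings for n in ("/OpenAction", "/AA"))
    remote_fetch = bool(urls) or any(n in findings for n in ("/URI", "/SubmitForm"))
    return {
        "findings": findings,
        "urls": urls,
        "obfuscated_names": obfuscated_names,
        "opaque_streams": opaque_streams,
        # An automatic action combined with a remote fetch is the beacon pattern.
        "beacon_suspect": auto_action and remote_fetch,
    }


if __name__ == "__main__":
    report = scan_pdf(SAMPLE_PDF)
    for name, count in report["findings"].items():
        print(f"{name:14} x{count}  {RISKY_NAMES[name]}")
    print("urls:", report["urls"])
    print("beacon_suspect:", report["beacon_suspect"],
          "| opaque streams:", report["opaque_streams"])
```

Run it on the constructed sample and it reports `/OpenAction` plus `/URI` with the literal tracking URL, so `beacon_suspect` is true. A zero count with a non-zero `opaque_streams` value is not a clean bill of health: most real PDFs keep their objects in compressed streams, and this scanner only reads what is visible in the raw bytes. It is a first-pass filter, not a substitute for opening the file in a disposable VM with networking disabled, as other comments in this thread suggest.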

Although that said, I sometimes use this to see who opened my files. I once left hundreds of these on a very popular cloud hosting provider (not naming names), and somebody working there was stupid enough to open the PDF on a machine connected to the internet, thereby proving abuse by employees and proving any random stranger can access 'your' files in the so-called 'cloud'.

Look up 'honeydocs'. Some interesting articles about this technique.

Is that effective for non-Adobe PDF viewers? What about the ones that disable JavaScript?

Look into canarytokens. Plenty of file types that do not rely on JavaScript or macros, etc.

Maybe it was an indexer that for whatever reason runs the full PDF handling code?

Are the contents of the link so very pixelated that you are unable to follow along without PNG conversion? If yes, may I recommend a quick trip to your local optometrist?

My question is, why?

It's a PDF from GCHQ. It's almost certainly loaded with a surveillance payload.

Probably even some sort of brainwave scanner.

I really doubt this PDF is infected with anything like people are suggesting, but why is it on here at all? It seems incredibly empty and buzzword-y to me, interspersed with such charming insights as "It can make good sense to use external suppliers." Lots of talk about "disruption". It reads... well, it reads exactly like what it is, a vacuous corporate "whitepaper".

Because GCHQ are having a PR drive and they have enough accounts here to up-vote it to the front page?

Would it really be a good investment for GCHQ to keep enough sockpuppet accounts on HN to upvote something like this to the front page?

What would they gain? And if they really have an eye on HN, that would probably mean that NSA as well. If that is true, would it inhibit a community like HN to self-censor?

There have been leaks from GCHQ on influencing internet forums.


What would they gain? Look at the slides, these are not normal people all working in a large circular building. What would Kennedy have gained from the Bay of Pigs crisis had it gone the other way? Groupthink is its own force. Those slides are pretty disturbing IMHO, as is pretty much everything I've ever seen out of that org.

Damn. I was not aware of this.

I mean I was aware that spooks were aware of forums and watching them and such, but I never thought that a forum like HN would be a target for them.

But I guess that after thinking for a bit HN could definitely be a valuable target. It's just hard for me to accept that a community I visit regularly could be under the influence of these organizations.

Scary thoughts.

You wouldn't want to inhibit a community like HN, that would be useless.. but if you could shape it or get it to like you, that would be monumental.

Let's look at it from different scales..

Think on a very small scale: how many hugely successful companies were on Y Combinator? A lot. Companies like Dropbox, Airbnb, etc. Companies that are now important. Imagine if you could influence their founders right at the beginning of their journey..

Where people spend their night and what files they store? That's great information to have.

Think on a slightly bigger scale: how many applied to YC? A whole lot more. What would you get if you influence those?

How many are on HN but haven't applied to YC (i.e: read and comment or just read): a lot, lot more..

Where are they? Could be anywhere. They could speak any language, be of any color, worship any deity.. They could be a teenager or a senior VP, an engineer or an artist. They could get any access to anyone, they could either know someone or know someone who knows someone.

They all are somewhat technically literate and can influence people around them. Right there, my friend, is the prime recruiting Tree of Knowledge for any Intelligence Officer in the world. Imagine if you could develop assets everywhere..

Or better yet, imagine if you can shape the image such a great demographic has about you to the point they look at you like a normal tech company: suddenly, you've reframed the interaction and took the controversy/guilt/moral dilemma out of it. They won't consider themselves assets since you're just like Google or Dropbox.. they won't think they're spying on their countries, it will just be filing a vulnerability report.

You could also have advocates that relay your thoughts on an issue about something: it's like having millions of megaphones. Or at least don't go hardcore on you..

Imagine all the communities each HN member is part of, and the reach this gives you.. Imagine all the places they access HN from..

Just imagine the possibilities if you get people that smart and dispersed to like and respect you.

I see the point.

Still scares the hell out of me.

Privacy is a very strange thing. Even though I know that what I comment in online forums like HN is public for all intents and purposes it sends chills down my spine to think that we as a community could be shaped as you say.

And if they are able to do so, how do they do it? I mean, besides the obvious tools like sockpuppet accounts and such, how do you build a strategy to steer an online community? What kind of psychological tools do you need to employ?

Obviously psyops and humint people have decades of research on public manipulation, but still... how do you measure success? How do you keep it out of the participants' attention in a community that is full of educated (on these issues) people, or at least more educated than the average Joe, I would hope?

Well, a "community" can be shaped when its individuals delegate thinking for themselves. This is the case with places where traditions hinder critical thinking. Everyone in unison: "GO TO statements are bad; Dijkstra said so".

It also doesn't need to be kept out of the participants' attention to work, or there wouldn't have been Hanssens and Polyakovs.. My point is that if the very people who do this for a living and are trained to counter an effort to turn them can be recruited, then anyone can be.

Smart people seem to be like a machine with more open ports than a microwave and knowing the knife is sharp doesn't make one bleed less.

> What would they gain?

Tech people being more willing to work there, being less opposed to their friends working there, being less likely to tell legislators that GCHQ is an embarrassment to their country or a threat to its values or future freedom.

Greater likelihood of tech companies being willing to cooperate with GCHQ requests or inquiries (whether for counterintelligence or espionage purposes).

Edit: Academic researchers being more willing to take research funding from GCHQ or collaborate with GCHQ on research projects.

I suspect it's more the novelty of a spy agency publishing an article on something people here know a lot about.

I like how all the members of that GitHub organisation have secret usernames:


Unfortunately, Q saying "Now pay attention a09631" doesn't quite have the same ring to it.

(pedants: yes I know it's not the same organisation).

Even so, I wonder how much information they accidentally leak this way. And how much effort they go through to keep such information leakage at acceptable levels.

When I just opened the PDF my Xorg died (OOM) - I kid you not, first time that ever happened. Funny coincidence.. or is it? I figure now I've got a reason to set up that new distro I was playing with and burn all them compromised stuff.

If they're any good then they've modified your BIOS or Intel SMM.

You'd be well advised to, too.

Couple of hours ago I created a throwaway account and commented here how Xorg held onto 1.1GB of memory after viewing the PDF with the github viewer and/or Atril. Tested and reproduced within a disposable Jessie / MATE VM.

I offered an opinion that this wasn't entirely usual behaviour.

The comment vanished. Not modded away, not "paled", just vanished.

Nothing to see here, move along now.

Viewing the PDF using either the github viewer in Iceweasel 38 or downloading it and viewing it in Atril resulted in 2.1GB memory usage in a spare Jessie / MATE VM I had lying around. Close Atril and Iceweasel, ps -ef to check they're gone, look at top - and Xorg still holds on to 1.14GB.

Kosher it ain't. Proceed at your own risk.

GCHQ have a puff piece planted in the FT today about their new twitter feed.

Anyone else going to roll over and forgive them for being the key component in Western citizen surveillance?

Even if they have got someone to draw some cute pictures of frogs whilst trawling all my email?

Not me.

Wait, the GCHQ has a GitHub profile where they share a Graph Database engine. Interesting.

"Gaffer's Accumulo Store is optimised for: Ingesting large amounts of data efficiently."

For some reason that made me feel slightly nervous.

Well it's not a secret anymore why GCHQ/NSA need large graph databases.

When was it?

I mean, when was it a secret that (and why) GCHQ needed large graph databases?

It's kinda obvious.

Think it was announced a few months ago - https://news.ycombinator.com/item?id=10732609

SELinux is not a distro. It's a Linux Security Module (Mandatory Access Control thing) that comes with the upstream kernel that sysadmins need to STOP TURNING OFF: http://stopdisablingselinux.com

There are alternatives though. SELinux was designed for big machines with multiple physical users. You can use it with pretty much any scenario (and Android uses it for sandboxing apps), but AppArmor is much easier for common personal desktops and web servers.

On FreeBSD and Darwin, the similar thing is TrustedBSD: http://www.trustedbsd.org/mac.html

Qubes is exponentially superior to this distro. Open that PDF in a disposable Fedora sandbox, and physically disable the network plz

Because sandbox escapes aren't a thing GCHQ would have any knowledge of yeah?


yes qubes is

The sad thing is that they seem to be developing Gaffer on Windows. At least most files in the repo have the +x bit set...

The only thing coming out of GCHQ that I want to read is all the stuff GCHQ won't let anyone read.

Read your own email. They won't let you have that. Or write a transcript of a telephone conversation to the UK.

I tried cloning the repo and it hangs at 67%, so I kinda got suspicious and killed git. Hmm, maybe it's just a large repo, but being from GCHQ one cannot help but feel suspicious.

Has anyone been able to clone it?

> we offer this internal research paper publicly, not to present policy or guidelines, but to stimulate debate.

Is there anything these guys cannot do?

"The name is Hacker, James Hacker, id 007BA54781, and I have a licence to stimulate."

Personally, I suspect that organizational studies are like the famous 'killing joke': anyone who engages in it is at risk ...

(edit: penny drops)

... uh, oh.

Hah a PDF!

Nice try, folks...

Assuming they have a zero day vulnerability in acrobat (or other PDF readers), they wouldn't risk losing it by uploading a file with an exploit, using their own name, and in a wide distribution.

When the GCHQ wants to hack you, it won't be on GitHub. It will be a file served specifically to your computer, with content relevant specifically for you, from someone you trust and don't suspect.

For example, a datasheet PDF with a MITM-injected payload you just downloaded from alldatasheets. They tap cables and sit in bridge routers for a reason.

Sure, that's what they want you to think.

You know that PDFs aren't unsafe, right?

Yeah, those are vulnerabilities in some PDF readers. Different deal.

That's a bit no-true-Scotsman? There's a history of PDF exploits that have made people wary. The exploits are delivered in the PDF, therefore some PDFs are 'unsafe'.

(As other comments have said, we shouldn't take "omg gchq are going to serve me an exploit PDF" too seriously, but there have been incidents of security services using PDF exploits to spear-phish people)

Edit: an example bank PDF exploit is mentioned in: http://ftalphaville.ft.com/2016/05/13/2161789/how-to-steal-a...

That's true, only in the sense that all software ever published may have vulnerabilities, meaning there is no format which is 'safe'. That's fine, if that's your definition, but it's obviously useless for comparison.

No, it's not useless, if you don't round off to a binary "could have vulnerabilities". Many PDF readers have had many vulnerabilities; this is a historical fact. It's much less likely that e.g. some Markdown rendered to HTML by GitHub will have a zero-day.

This is a PDF from GCHQ we're talking about.

Use the github viewer?

That makes literally no sense.

It literally makes sense. Do you mean to say it is paranoid?

No. The origin of a PDF has no relation to the security or otherwise of the format.

But the viewer does matter.

If I view using pdf.js, then not only does the "format" need to be insecure (whatever that means), but it would require a browser vulnerability that's exploitable through JavaScript.

At which point why go through the charade of a PDF at all?

Unless there's an exploit that we don't know about yet.

Cool, ITIL for spooks. Can't wait till I see the multi-edition version that emphasises continuous simmering. Then I can get certified!

> For example, an organisation building public service websites would not build a software configuration management system for itself, this is a commodity capability that is best served by well-established tools such as the open source Git.


TARDIS metaphor is very cool though

Reminds me of the "Find Out if the NSA and GCHQ Spied on You" https://news.ycombinator.com/item?id=11705650

What an ironic title (no, I won't read the PDF) - since we're here, sitting in a boiling hot tub, getting warm and cosy with GCHQ sitting next to us in the next tub, aka GitHub repo.

This is very well written.

Actually I wasn't that impressed. I found it hard to focus on the text - there's a lot of government speak (like "ways of working") in there. Also, the author has a fixation on Conway's Law ("Conway" appears 40 times in the document), and everything else is really a spin on Wardley's evolution curve. Both are useful, to be sure, but there's nothing inherently profound or new here.

This is (or should be, maybe?) targeted at CxOs of big corps, and I think has some value there - if only it were more pithy (which is not the English way).

There is also some irony in that they're saying "do away with big planning upfront" in the same document as "be big-data-driven". Big data needs big planning up front if it's going to be meaningful.

It might be dangerous to click on it, is there a tl;dr or text extract of it?

You could probably use an online pdf-to-text converter[1] or view the PDF from within a virtual machine.

[1] http://pdftotext.com (no affiliation, first search result)

It's OK - GitHub converts it to HTML. However, GCHQ could politely ask the NSA to force GitHub to give them the usernames and IP addresses that viewed the repo. Maybe use Tor?

I don't understand why everybody assumes GCHQ and NSA are completely inept amateurs. Getting a list of usernames and IP addresses from GitHub would have an insane signal to noise ratio - after all, there are plenty of perfectly legitimate reasons to want to read this document.

It's much easier to go to HN and grab the usernames and IPs of people you can see taking a rebellious position in discussions about these organisations.

Also, why would you assume that showing any interest whatsoever in Tor isn't going to land you on many more watchlists than reading a public PDF in GitHub?

> Getting a list of usernames and IP addresses from GitHub would have an insane signal to noise ratio

Or you could assume that they have that information already. Which I deem highly likely - private repos are a must-target for any intelligence service out there.

>> ..."GCHQ and NSA are completely inept amateurs."

Assuming anyone is inept is inept, since even the inept get lucky.

It didn't convert it for me. Oops.

Well, they know who I am anyway. Hi again!

(Edit: If you click on it from the repo file list at the top it converts it; don't do what I did and click on the link to download at the bottom of the readme)

Also known as "How GCHQ infected the internet with a PDF trojan" lol

Maybe a [dupe] tag, as this was submitted a few days ago too? https://news.ycombinator.com/item?id=11674394

Does HN have tags now?

Not sure what you mean. Other duplicate posts have "[dupe]" added to their title, so why the hassle this time?

Not hassle, I've just never personally seen a [dupe] tag so I didn't know what you meant.
