The GCHQ Cryptome slide could be a mockup/disinfo

Michael Best themikebest@gmail.com
Fri Oct 2 19:23:12 PDT 2015


For the latest version:
http://that1archive.neocities.org/subfolder1/gchq-cryptome-slide.html

A few days ago, a new Snowden slide
<https://theintercept.com/2015/09/25/gchq-radio-porn-spies-track-web-users-online-identities/>
was released that appeared to show that the GCHQ was monitoring Cryptome in
near-real-time by examining the browsing data of one of the website's
visitors. John and Deborah of Cryptome later verified that the information
in their slides matched their logs, seemingly verifying the legitimacy of
the slide itself and the information presented about KARMA POLICE.


However, after examining the slide and all the information available, I
realized that it was possible to create the slide (or one like it) with
accurate data without any of the sources cited/assumed/alleged. To
demonstrate this, I put together some comparable information. To respect
the privacy of visitors to Cryptome, the end of each IP address is redacted
and I've provided only a little information about several users instead of
focusing on one user to provide detailed information about.

A few notes before getting into the data:

   1. I didn't receive this information from anyone in law enforcement or
   the intelligence community, nor was it stolen through malicious hacking, social engineering,
   or electronic intrusion. Neither is it the result of surveillance directed
   against Cryptome or its users, or of any other illegal action. It was
   compiled from my legitimate archives.
   2. I have confirmed that the information was available to others by
   locating pre-existing sources online.
   3. This is not meant to accuse anyone of forging a document, simply
   pointing out that it can't necessarily be verified by confirming the
   information with Cryptome's server logs.
   4. If the slide *is* a mockup, it could be an internal mockup produced
   by GCHQ, a deliberate piece of disinformation from within or without GCHQ,
   a document altered by Snowden, his friends/"friends" in Russia, or anyone
   else in the chain of custody. Given that Snowden didn't review all of the
   documents he handed over, he might not recognize if one had been altered,
   embellished, forged, or taken out of context prior to publication. Or it
   could be genuine - proving that something could be a fake isn't quite the
   same as proving it's a fake.
   5. If the document was forged, the only group I have reason to suspect
   are the chekist security agencies who have access to both the documents and
   to Snowden.
   6. This was the result of a few rushed hours of work in a single
   afternoon, and thus may contain minor mistakes.
   7. The times should be Eastern/US, but this is an unverified assumption.
   8. These comments are unrelated to my debunking
   <https://cpunks.org/pipermail/cypherpunks/2015-October/009565.html> of
   the MITM attack against Cryptome which was seemingly implied
   <https://cryptome.org/2015/09/gchq-illegal-spying-us.htm> by this slide.

Visitor IP correlated with page, time and date

*IP: *212.48.158.*
*Date: *2010-02-10
*Time: *23:06:15
*URL: *http://cryptome.org/cartome/foucault.htm

Note that I manually translated the time and date from a time code, so it
may be slightly incorrect. The original timestamp was 20100210230615.

Twelve Days of Cryptomas

In case I mistranslated the timestamp or anyone thinks that it was a fluke,
here are twelve times and dates along with the redacted IP address that
visited Cryptome at that time. These times and dates were originally
rendered in a human readable format, so there is no danger that I
mistranslated them.

- December 25 2009 16:22 - 74.208.77.*
- December 26 2009 18:19 - 65.98.224.*
- December 27 2009 22:23 - 208.80.193.*
- December 28 2009 21:51 - 69.113.197.*
- December 29 2009 18:28 - 76.92.164.*
- December 30 2009 03:30 - 88.80.205.*
- December 31 2009 23:59 - 210.107.62.*
- January 01 2010 00:13 - 71.56.6.*
- January 02 2010 14:14 - 91.98.9.*
- January 03 2010 01:23 - 88.87.4.*
- January 04 2010 23:22 - 79.224.172.*
- January 05 2010 06:16 - 65.55.110.*

Internet search strings used to find Cryptome

Finally, a semi-obscure phrase from the that was put into a search engine -
complete with the original typo.

"architectural engineering in miidle east" - it may appear in the logs as
"architectural+engineering+in+miidle+east"

Conclusion

All of this information should be readily verifiable by John and Deborah at
Cryptome, demonstrating that each of the pieces of the slide could have
been created without the benefit of a surveillance program or large budget.
In other words, the guilty knowledge implied by the accuracy of the slide
can imply things other than being guilty of surveillance.
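
Added example, not part of the original post: a sketch of the log check the post describes, matching a claimed visit (redacted IP prefix, 14-digit timestamp, page) against access-log lines while the claim's time zone is unverified, and decoding a search phrase from a referrer. The log lines, documentation-range IPs, the `search.example` host and all function names are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real Cryptome logs).
SAMPLE_LOG = """\
192.0.2.17 - - [10/Feb/2010:23:06:15 -0500] "GET /cartome/foucault.htm HTTP/1.1" 200 5120 "http://search.example/search?q=architectural+engineering+in+miidle+east" "Mozilla/5.0"
192.0.2.40 - - [10/Feb/2010:23:06:15 +0000] "GET /cartome/foucault.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2010:23:06:15 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"')

def parse_compact_ts(stamp):
    """Turn a 14-digit YYYYMMDDhhmmss code into a naive datetime (zone unknown)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S")

def search_terms(referrer):
    """Return the decoded q= parameter of a referrer URL ('+' becomes a space), or None."""
    values = parse_qs(urlsplit(referrer).query).get("q")
    return values[0] if values else None

def parse_log(text):
    """Parse combined-format lines; malformed lines are skipped, not guessed at."""
    entries = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        entries.append({"ip": m["ip"], "path": m["path"], "query": search_terms(m["ref"]),
                        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")})
    return entries

def candidates(claim, entries, utc_offsets=(-5, -4, 0)):
    """List (ip, offset) pairs consistent with a claim whose time zone is unverified."""
    hits = []
    for e in entries:
        if not e["ip"].startswith(claim["ip_prefix"]) or e["path"] != claim["path"]:
            continue
        for h in utc_offsets:
            if claim["time"].replace(tzinfo=timezone(timedelta(hours=h))) == e["time"]:
                hits.append((e["ip"], h))
    return hits

# Claim built from the post's timestamp and page, with a constructed IP prefix.
CLAIM = {"ip_prefix": "192.0.2.", "time": parse_compact_ts("20100210230615"),
         "path": "/cartome/foucault.htm"}
```

With the constructed log, `candidates(CLAIM, parse_log(SAMPLE_LOG))` returns two hits under different assumed offsets, which shows why a redacted prefix plus an unverified time zone can match more than one log entry.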