Good summary of the XZ Utils supply chain attack, by Sigi Goode

“… some previously unknown accounts popped up to report bugs and submit feature requests to Collin, putting pressure on him to take on a helper in maintaining the project. Jia Tan was the logical candidate.

“Over the next two years, Jia Tan became more and more involved and, we now know, introduced a carefully hidden weapon into the software’s source code.

“The revised code secretly alters another piece of software, a ubiquitous network security tool called OpenSSH, so that it passes malicious code to a target system. As a result, a specific intruder will be able to run any code they like on the target machine.”

– Sigi Goode (4 April 2024). An anonymous coder nearly hacked a big chunk of the internet. How worried should we be?

UK Google searches for “conscription”

There seems to be more press coverage suggesting that conscription will be likely in the UK in the coming years. This was seemingly prompted by Dutch Admiral Rob Bauer’s intervention on 17 Jan 2024, which was followed by other comments, e.g., by Gen Sir Patrick Sanders on the 23rd, a flutter of comment on Gen Z’s apparent reluctance to go to war, and a YouGov poll.

I was curious to discover what press coverage is doing to Google searches. Let’s have a look at Google Trends. First, zooming into the last seven days:

Searches began to pick up around 9pm on the 23rd, peaking 11pm on the 24th before fading out again:

Date (hour)    Searches (Google Trends relative interest, peak = 100)
2024-01-23T20 1
2024-01-23T21 2
2024-01-23T22 4
2024-01-23T23 6
2024-01-24T00 8
2024-01-24T01 8
2024-01-24T02 14
2024-01-24T03 25
2024-01-24T04 22
2024-01-24T05 28
2024-01-24T06 37
2024-01-24T07 43
2024-01-24T08 38
2024-01-24T09 35
2024-01-24T10 38
2024-01-24T11 46
2024-01-24T12 61
2024-01-24T13 71
2024-01-24T14 70
2024-01-24T15 69
2024-01-24T16 64
2024-01-24T17 75
2024-01-24T18 85
2024-01-24T19 82
2024-01-24T20 78
2024-01-24T21 72
2024-01-24T22 92
2024-01-24T23 100
2024-01-25T00 86
2024-01-25T01 81
2024-01-25T02 78
2024-01-25T03 71
2024-01-25T04 58
2024-01-25T05 57
2024-01-25T06 67
2024-01-25T07 75
2024-01-25T08 65
2024-01-25T09 55

That’s a notably bigger increase than over the past year:

Zooming out, this year’s spike is more pronounced than the one in Feb 2022, coinciding with Russia’s full-scale invasion of Ukraine on the 24th.

Here’s all the data:

(Corrected final two graphs on 4 Feb 2024 to take account of all data in Jan 2024.)

Defence and international affairs (Commons Library briefings)

Really useful selection of Commons Library research briefings for a general debate on defence and international affairs in the Commons Chamber on 24 January 2024.

Topics covered:

  • Middle East: Houthis, Yemen, Israel, Hamas, Occupied Palestinian Territories, Iran
  • Ukraine
  • Africa – notable how BIG Africa is and how few reports there are on it here
  • Asia: Taiwan and China
  • Defence: disruptive technologies, undersea infrastructure, parliamentary approval for military action
  • Armed forces
  • Arms exports
  • AUKUS submarine
  • Nuclear weapons, including the Iran nuclear deal and UK deterrent
  • International development, including aid spend reductions
  • International organisations: how the UN works and UK’s role
  • Rwanda
  • Pandemics
  • And finally: space!

Russian state disinformation campaigns

Two interesting reports:

European Commission, Directorate-General for Communications Networks, Content and Technology (2023). Digital Services Act: Application of the risk management framework to Russian disinformation campaigns. Publications Office of the European Union.

“During the first year of Russia’s illegal war in Ukraine, social media companies enabled the Kremlin to run a large-scale disinformation campaign targeting the European Union and its allies, reaching an aggregate audience of at least 165 million and generating at least 16 billion views. Preliminary analysis suggests that the reach and influence of Kremlin-backed accounts has grown further in the first half of 2023, driven in particular by the dismantling of Twitter’s safety standards.”

Microsoft Threat Analysis Center (2023). Russia’s African coup strategy.

“Today we are sharing a report from the Microsoft Threat Analysis Center (MTAC) on Russian influence operations in Africa, principally focused on the Niger coup. We believe it is vital there is wider understanding of the ways in which the internet is being used to stoke political instability around the world.”

“Silence was imperative…”

Peter Wright (1987, pp. 70-71) recounts the tale of a delicate MI5 operation to bug an embassy in London:

The house next door was temporarily empty, and A2 obtained access to install a series of microphones. Hugh Winterborn and I led a team of twelve officers from A Branch. Silence was imperative because we knew that the target premises were permanently manned near the party wall. I made a tremendous fuss insisting that everyone remove his shoes to avoid making noise on the bare floorboards. We worked nonstop for four hours in the freezing cold. All the floorboards on the first floor had been raised and I was patiently threading the cables along the void between the joists. After a time one of the leads became tangled on a split joist. Unable to clear the obstruction by hand, I began to ease myself down until one foot was resting on a masonry nail sticking out from one side of a joist. Just as I was inching toward the tangled cable, the nail gave way, and I plunged through the ceiling below. A large section of ceiling crashed fourteen feet to the floor below, reverberating around Portland Place like a wartime bomb. The noise and dust subsided, leaving me wedged tightly up to my waist in the hole in the ceiling. For a moment there was total silence.

“Good thing we removed our shoes,” quipped Winterborn dryly as laughter began to echo around the empty building.

– Peter Wright (1987, pp. 70-71), Spycatcher. Viking Penguin, Inc.

XOR encryption

GCHQ recently posted the following JavaScript code on its Instagram and Twitter accounts:

The code contains two messages. The first is represented as a simple numerical encoding. The second is a secret message that has been encrypted, alongside code for decrypting it. Here are some clues to make sense of how this second message has been encrypted.

The message uses a symmetric-key encryption approach, the XOR cipher, that involves applying the exclusive or (XOR) operator to each letter of the message and the key, recycling the key until all characters have been decoded. The secret message is wrapped up in a Base64 encoding, which is a way of ensuring that all its characters are printable letters and symbols, so it’s possible to include the message within the JavaScript as “gNSkYr+VqyGl1Lhko8fqYq7UpGajiuo67w==”.

Here’s a shorter version of the code in R:

# Base64 text -> 25 raw bytes
gchq_message <- "gNSkYr+VqyGl1Lhko8fqYq7UpGajiuo67w==" |>
  base64enc::base64decode()
# Four-byte key as raw; xor() recycles it along the message
# (R warns that 25 is not a multiple of 4, but the bytes are right)
gchq_key <- c(0xc6, 0xb5, 0xca, 0x01) |> as.raw()
# XOR, then raw bytes -> character string
xor(gchq_message, gchq_key) |> rawToChar()

(No spoilers here…)

So, the steps to decrypt are:

  1. Translate the Base64 encoded message to raw bytes
  2. XOR those raw bytes with the key
  3. Translate the bytes to ASCII characters so we can read the message

The nice thing about this form of encryption is that the same algorithm does both encrypting and decrypting. So, if you wanted to reply, “No thanks, I’m good” you just do the same in reverse:

  1. Translate your ASCII text message to raw bytes
  2. XOR those bytes with the key
  3. Translate the result to Base64

In R:

"No thanks, I'm good" |>
  charToRaw() |>
  xor(gchq_key) |>
  base64enc::base64encode()

This gives “iNrqda7UpGq1mepI4djqZqnarg==”.
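The same round trip in Node.js, as an added example that is neither GCHQ’s JavaScript nor the R above: the key, the puzzle string and the reply are the values quoted in this post, and the function names are mine. It also shows why a repeating four-byte XOR key is a puzzle rather than encryption: XOR-ing any known plaintext against its ciphertext hands the key straight back.

```javascript
// Repeating-key XOR with Base64 transport, as in the GCHQ puzzle above.
// Added example (not GCHQ's code, not the post's R); uses Node's Buffer.

// Key and messages are the values quoted in the post.
const GCHQ_KEY = Buffer.from([0xc6, 0xb5, 0xca, 0x01]);
const GCHQ_MESSAGE_B64 = "gNSkYr+VqyGl1Lhko8fqYq7UpGajiuo67w==";
const REPLY_TEXT = "No thanks, I'm good";
const REPLY_B64 = "iNrqda7UpGq1mepI4djqZqnarg==";

// XOR every byte with the key, recycling the key via key[i % key.length].
// One function serves both directions, because x ^ k ^ k === x.
function xorWithKey(bytes, key) {
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) {
    out[i] = bytes[i] ^ key[i % key.length];
  }
  return out;
}

// Steps 1-3 of the post: Base64 -> bytes -> XOR -> text. latin1 maps each
// byte to exactly one character, so nothing is lost if a plaintext byte
// happens not to be plain ASCII.
function decrypt(b64, key) {
  return xorWithKey(Buffer.from(b64, "base64"), key).toString("latin1");
}

// The reply direction: text -> bytes -> XOR -> Base64.
function encrypt(text, key) {
  return xorWithKey(Buffer.from(text, "latin1"), key).toString("base64");
}

// Known-plaintext check: ciphertext XOR plaintext is the key stream, and
// with a key this short the first keyLen bytes are the whole key.
function recoverKey(knownText, b64, keyLen) {
  const plain = Buffer.from(knownText, "latin1");
  const cipher = Buffer.from(b64, "base64");
  if (plain.length < keyLen || cipher.length < keyLen) {
    throw new Error("need at least keyLen bytes of known plaintext");
  }
  return xorWithKey(cipher.subarray(0, keyLen), plain.subarray(0, keyLen));
}

// Decoded size of the puzzle string: 36 Base64 characters ending "==" is
// 25 bytes, i.e. six full key cycles plus one byte.
function gchqMessageLength() {
  return Buffer.from(GCHQ_MESSAGE_B64, "base64").length;
}
```

encrypt(REPLY_TEXT, GCHQ_KEY) returns the post’s “iNrqda7UpGq1mepI4djqZqnarg==”, and recoverKey(REPLY_TEXT, REPLY_B64, 4) gives back c6b5ca01; decrypt(GCHQ_MESSAGE_B64, GCHQ_KEY) reveals the secret, so it is deliberately not called here.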

Fun! Also, I have a tattoo that uses the same approach, except I used Braille ASCII instead of Base64 to ensure that all the characters were tattooable 🙂

If you’re watching The Undeclared War, look out for the shout out to Base64 too:

But why is the key c6b5ca01? It’s not obviously the letters G, C, H, Q. In decimal, it looks like an IP address, but there’s nothing obvious at 198.181.202.1, and any four 8-bit numbers look like an IP address if you stare long enough.

Hewitt and Harman v. the UK

This is an interesting case from a while back, concerning Patricia Hewitt and Harriet Harman.

“In 1985, evidence emerged that MI5 (also known as the Security Service) was systematically infringing the applicants’ rights under the [Euro Human Rights] Convention when a former officer of MI5, Ms Cathy Massiter, made certain allegations to this effect on a television program. According to Ms Massiter, the applicants had been classified as subversive and as communist sympathizers, and these grave libels were published within MI5 and were available for publication to other agencies with whom MI5 had a relationship. Their files recorded details of passport applications, data from surveillance by local police, Special Branch and by special agents, and references to them or by them on telephone intercepts picked up under warrants issued in relation to other persons. Such intercepts, in the second applicant’s case, were likely to include confidential conversations which she, as a practising solicitor, had had with certain of her clients. The first applicant’s file included information about her personal relationship with a former member of the Communist Party. Surveillance of both applicants was continued after they had left the National Council for Civil Liberties on the basis that they were both candidates for elected office.

“On 19 May 1986, the applicants lodged an application with the European Commission of Human Rights against the United Kingdom government alleging breaches of their right to privacy (Article 8), their right to freedom of expression (Article 10), their right to freedom of association (Article 11) and their right to an effective remedy (Article 13) in respect of the violations arising from the nature and consequences of the surveillance to which they had been subjected by MI5. The application was declared admissible on 12 May 1988.

“In its Report dated 9 May 1989 the Commission concluded by a majority that given the existence of practices in the United Kingdom permitting secret surveillance and given further the reasonable likelihood that the applicants were the subjects of surveillance the compilation and retention by the Security Service of information concerning the private lives of the applicants constituted an infringement of their right to privacy under Article 8 (1) of the Convention. The Commission further concluded that the domestic law of the United Kingdom contained neither legal rules formulated with sufficient precision nor a framework indicating with the requisite degree of certainty the scope and manner of the exercise of discretion by the Security Service in the carrying out of secret surveillance activities to render interference “in accordance with the law” within Article 8 (2). Finally the Commission concluded that since no information was forthcoming in relation to how the United Kingdom had chosen to provide an effective remedy under its domestic law that the applicants did not have an effective remedy as required by Article 13.”

There’s some interesting detail therein about the workings of the Security Service, e.g.,

“The procedure for opening a file is strictly controlled. It may start as a temporary file, which has a maximum life of three years, when there is uncertainty whether the criteria for opening a permanent file are satisfied. These criteria have their basis in the Service’s functions and require high standards of accuracy. If and when these criteria are satisfied, the permanent file will be opened. The Service then applies a system of colour coding which controls how files are used. Once a file is opened, there is a period coded “green”, during which inquiries may be made about the subject. The length of the green period varies according to the reason why the particular file was made. It may be extended as a result of the receipt of new information. At the end of the green period it changes to “amber”, under which inquiries are prohibited, but any relevant information that the Service receives about the subject may be added to the file. After the designated amber period the file is coded “red”. During this period, inquiries continue to be prohibited and any addition of substantive information is also prohibited. Finally, after a period of red coding, the file is microfilmed. The hard copy is destroyed and the entry for the file in the Service’s central index is transferred from the Live Index to the Research Index. The Research Index is usually consulted only when it is thought that old files may exist which are relevant to current work. In practice the volume of checks against the Research Index is small: for instance, it is not consulted in vetting checks.”

GCHQ’s director’s Turing speech – a research team manual?

Just read the (4 Oct 2012) speech about Alan Turing, given by Iain Lobban, Director GCHQ, at the University of Leeds.

Fantastic stuff in there. Here are some excerpts.

On learning to solve problems

“… [Turing] reported to Bletchley Park as agreed and immediately started working with [Dilly] Knox [expert on the Enigma cypher …]. Knox’s influence on Turing at this time is immense. The older veteran cryptanalyst shared everything he knew about Enigma with Turing, who eventually used this knowledge to write the first four chapters of his treatise on Enigma […]

“…[Turing] was happy to learn from Dilly Knox, happy to use that knowledge as the foundation for what he would develop subsequently, and was diligent in recording what he had learned and how he developed that into new areas so that others could profit from his knowledge just as he had profited from that of Knox.”

“Knox could only take Turing so far and his quest for experience-based understanding of the cryptanalysis of Enigma took Turing to France in January 1940…”

Team work

“There are lots of different ways in which people can work as part of a team. Turing’s way was to take in other people’s ideas, develop and build on them, and then pass the product on to other people to be the foundation for the next stage. He took the idea of electromechanical processing of Enigma messages from the Poles but developed their idea into something radically different. When Welchman later enhanced the Bombe with his diagonal board, Turing was among the first to congratulate him on this major improvement. Turing was part of the team, and shared in the success of the team.”

Respecting diversity

“I strongly believe a Sigint agency needs the widest range of skills possible if it is to be successful, and to deny itself talent just because the person with the talent doesn’t conform to a social stereotype is to starve itself of what it needs to thrive.”

“I don’t want to pretend that GCHQ was an organisation with twenty-first century values in the twentieth century, but it was at the most tolerant end of the cultural spectrum.  In an organisation which valued the skills and characteristics that difference can bring, Turing’s homosexuality was less of a talking point than his insights into the complex crypt problems of the day.  When he was put on trial, Hugh Alexander, the Head of Cryptanalysis at GCHQ went, with official approval, to speak as a character witness on his behalf, saying in court that Turing was a national asset.”

Exploiting serendipity

“Geoffrey Tandy was posted to Bletchley by the Admiralty in a spirit of helpfulness: his posting officer had understood him to be an expert in cryptograms, a word still used in the Admiralty at that time to mean messages signalled in code.  In fact he was an expert in cryptogams: non-flowering plants like ferns, mosses and seaweeds.  But while this knowledge might not have appeared to be of much use, Tandy became expert in German naval Enigma and because of his work on seaweed was able to provide unique advice on the preservation of cryptologic documents rescued from the sea.”

The role of management

“Part of my job is to continue to foster that atmosphere: to attract the very best people and harness their talents, and not allow preconceptions and stereotypes to stifle innovation and agility.”

Datamining to catch terrorists

Apparently it wouldn’t work, say the following groups of the US National Academies:

in this book: Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Assessment.

[via The Register]