Shake that fake
How do you know your LinkedIn profile has been spoofed by the NSA?
- General Keith Alexander has endorsed you for Poison Pills, Dead Drops, and Ninja Killing Techniques.
- When you click the "Who's viewed your profile" link it says, "We could tell you, but then we'd have to kill you."
- The People You May Know list includes Jason Bourne, Maxwell Smart, and some guy named Bond.
- Glenn Greenwald just sent you a networking request.
Sussing out Slashdot spoofs is much simpler: If you've been posting comments on Slashdot for more than five minutes and no one's called you an idiot, you're clearly on a fake page.
All kidding aside, here's the larger, more serious point: When NSA and GCHQ talk about "targets," they'd like you to think they're talking about terrorists and their friends. Quite frankly, nobody is likely to shed a tear over the spooks doing their jobs and taking down the bad guys before anyone gets hurt.
The rationale has always been, yes, some innocent people might get swept up along with the bad 'uns, but a) this is rare, b) we do everything we can to minimize that risk, and c) adult supervision is nearby to make sure nothing gets out of hand.
This time, the targets aren't potential terrorists. They aren't part of a massive haystack of anonymous users that needs to combed to find a few bad needles. They aren't world leaders surrounded by teams of security. They're working stiffs who happen to have jobs in sensitive positions where they hold the keys to a kingdom that's of particular interest to the Surveillance Powers That Be.
They're engineers. They're innocent. And the spooks don't care.
Slashdot reached out to GCHQ for an explanation as to why it was spoofed. The response bristled with arrogance:
All GCHQ's work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Intelligence and Security Committee.
Translation: We asked ourselves for permission and decided it was OK.
Trust never sleeps
It would be incredibly naïve to assume these spoof attacks were limited to LinkedIn or Slashdot, or happened only to particular people at a handful of companies. It would be equally naïve to assume the only victims here are the individuals who got spied on, their employers, and services like LinkedIn and Slashdot whose legitimacy is in tatters.
When the spooks can target anyone anywhere, using any service for any reason, nothing we do online can be trusted. The basic legitimacy of the Internet itself is in question.
Is that Gmail page legit or a cunningly crafted fake? How about your Facebook account? What about the page you're reading right now? You could strap on every security tool you can find and turn your PC into a fortress, yet still never be sure that none of them have been compromised.
How do you really know?
What methods do you use to protect yourself on the Net? Weigh in below or email me: email@example.com.
This article, "It's spooks vs. geeks in LinkedIn, Slashdot hacks," was originally published at InfoWorld.com. Follow the crazy twists and turns of the tech industry with Robert X. Cringely's Notes from the Field blog, and subscribe to Cringely's Notes from the Underground newsletter.