The GCHQ Cryptome Slide Could Be a Mockup

October 2, 2015 - A few days ago, a new Snowden slide was released that appeared to show that GCHQ was monitoring Cryptome in near-real-time by examining the browsing data of one of the website's visitors. John and Deborah of Cryptome later verified that the information in the slide matched their logs, which seemingly verified the legitimacy of the slide and the information presented about KARMA POLICE.

However, after examining the slide and all the information available, I realized that it was possible to create the slide (or one like it) with accurate data without any of the sources cited/assumed/alleged. To demonstrate this, I put together some comparable information. To respect the privacy of visitors to Cryptome, the end of each IP address is redacted and I've provided only a little information about several users instead of focusing on one user to provide detailed information about.

A few notes before getting into the data:

I didn't receive this information from anyone in law enforcement or the intelligence community, nor was it stolen through malicious hacking, social engineering, or electronic intrusion. Neither is it the result of surveillance directed against Cryptome or its users, or of any other illegal action. It was compiled from my legitimate archives. I have confirmed that the information was available to others by locating pre-existing sources online. This is not meant to accuse anyone of forging a document, simply to point out that it can't necessarily be verified by confirming the information with Cryptome's server logs. If the slide is a mockup, it could be an internal mockup produced by GCHQ, a deliberate piece of disinformation from within or without GCHQ, a document altered by Snowden, his friends/"friends" in Russia, or anyone else in the chain of custody. Given that Snowden didn't review all of the documents he handed over, he might not recognize if one had been altered, embellished, forged, or taken out of context prior to publication. Or it could be genuine - proving that something could be a fake isn't quite the same as proving it's a fake. If the document was forged, the only group I have reason to suspect are the chekist security agencies who have access to both the documents and to Snowden. This was the result of a few rushed hours of work in a single afternoon, and thus may contain minor mistakes. The times should be Eastern/US, but this is an unverified assumption. These comments are unrelated to my debunking of the MITM attack against Cryptome which was seemingly implied by this slide.

Visitor IP correlated with page, time and date

IP: 212.48.158.*

Date: 2010-02-10

Time: 23:06:15

URL: http://cryptome.org/cartome/foucault.htm

Note that I manually translated the time and date from a time code, so it may be slightly incorrect. The original timestamp was 20100210230615.

Twelve Days of Cryptomas

In case I mistranslated the timestamp or anyone thinks that it was a fluke, here are twelve times and dates along with the redacted IP address that visited Cryptome at that time. These times and dates were originally rendered in a human-readable format, so there is no danger that I mistranslated them.

December 25 2009 16:22 - 74.208.77.*
December 26 2009 18:19 - 65.98.224.*
December 27 2009 22:23 - 208.80.193.*
December 28 2009 21:51 - 69.113.197.*
December 29 2009 18:28 - 76.92.164.*
December 30 2009 03:30 - 88.80.205.*
December 31 2009 23:59 - 210.107.62.*
January 01 2010 00:13 - 71.56.6.*
January 02 2010 14:14 - 91.98.9.*
January 03 2010 01:23 - 88.87.4.*
January 04 2010 23:22 - 79.224.172.*
January 05 2010 06:16 - 65.55.110.*

Internet search strings used to find Cryptome

Finally, a semi-obscure phrase that was put into a search engine to reach Cryptome, complete with the original typo.

"architectural engineering in miidle east" - it may appear in the logs as "architectural+engineering+in+miidle+east", since the search engine's referer URL encodes each space as a "+".
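To make concrete how the visitor record above, the time-code translation, and the search string could all be pulled out of ordinary web-server logs, here is an added example that is not part of the original post and not Cryptome's own code. It assumes the Apache "combined" log format (the post does not say what Cryptome's server writes), a compact YYYYMMDDHHMMSS time code like the one mentioned above, and two constructed log lines using RFC 5737 documentation addresses. It redacts the last octet of every IP the same way the post does, decodes the "+"-encoded search terms from the referer, and also normalises each timestamp to UTC, which is the kind of time-zone step that matters when comparing two parties' logs.

```python
"""Turn web-server log lines into redacted (IP, date, time, URL, search string)
records. Added example; assumes Apache combined log format and constructed input."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Apache "combined" log format (assumption: the post does not name Cryptome's format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; the IPs are RFC 5737 documentation addresses, not real visitors.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Feb/2010:23:06:15 -0500] "GET /cartome/foucault.htm HTTP/1.1" 200 51234 "http://www.google.com/search?q=architectural+engineering+in+miidle+east" "Mozilla/5.0"
198.51.100.7 - - [31/Dec/2009:23:59:02 -0500] "GET /index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""


def parse_compact_timestamp(code: str) -> datetime:
    """Decode a YYYYMMDDHHMMSS time code such as 20100210230615.
    The result is naive: the post assumes Eastern/US but does not verify it."""
    return datetime.strptime(code, "%Y%m%d%H%M%S")


def redact_ip(ip: str) -> str:
    """Replace the last octet of a dotted-quad IPv4 address with '*'."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return ".".join(octets[:3] + ["*"])


def search_terms(referer: str) -> Optional[str]:
    """Return the decoded 'q' search query from a search-engine referer, if any.
    parse_qs turns '+' back into spaces and decodes %XX escapes."""
    values = parse_qs(urlparse(referer).query).get("q")
    return values[0] if values else None


def parse_log(text: str, host: str = "http://cryptome.org") -> List[Dict[str, Optional[str]]]:
    """Convert log lines into redacted visitor records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        local = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append({
            "ip": redact_ip(m["ip"]),
            "date": local.strftime("%Y-%m-%d"),
            "time": local.strftime("%H:%M:%S"),
            # A UTC copy avoids the kind of time-zone mismatch that makes two logs disagree.
            "utc": local.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "url": host + m["path"],
            "search": search_terms(m["referer"]),
        })
    return records


if __name__ == "__main__":
    print(parse_compact_timestamp("20100210230615"))
    for rec in parse_log(SAMPLE_LOG):
        print(rec)
```

The records carry both the server-local time and the UTC time because a slide built from one party's logs and checked against another's only lines up once both sides agree on the zone; the redaction is applied before anything is printed or stored so that the raw address never leaves the parser.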

Conclusion

All of this information should be readily verifiable by John and Deborah at Cryptome, demonstrating that each of the pieces of the slide could have been created without the benefit of a surveillance program or large budget. In other words, the guilty knowledge implied by the accuracy of the slide can imply things other than guilt of surveillance.

Update October 6, 2015 15:51 Eastern: Cryptome replied by email, saying "You're doing well on this on your own. Keep at it."

21:12 Eastern: Cryptome has not contradicted the accuracy of my findings or denied the presence of the IP addresses listed in their logs at the specified times. Cryptome quickly denied the presence of the IP address listed in the slide released by The Intercept in their logs, then confirmed it after accounting for the time zone.

Update October 7, 2015 09:29 Eastern: Cryptome has indirectly confirmed my findings, saying "You are attacking like the spies, sanctimonious, invading users, stealing data."

@NatSecGeek You are attacking like the spies, sanctimonious, invading users, stealing data. — Cryptome (@Cryptomeorg) October 7, 2015

Of course, no data was stolen - it was quite legitimately found. Cryptome then blocked my account on twitter.

Cryptome uses several infosec systems, PK just one. Open to more. Compromise should be publicized but seldom is: hide, deny, ignore, delude. — Cryptome (@Cryptomeorg) September 16, 2015

More importantly, if they won't directly confirm the validity of the data, is there any other way to validate it than to release the unredacted data and the method to the public? Alternative suggestions are most welcomed.

Update: Cryptome has denied that saying the data is stolen implies that it is accurate. See here for my response along with the data.

Update: Cryptome has finally confirmed the information is accurate.