Your Chance to Hack the Pentagon

If you're feeling bored and fancy a challenge which may test your hacking skills then you're possibly in luck.  The Pentagon has followed the lead of many security savvy companies who allow people to attack their networks in order to test their security.  The project is called , rather unimaginatively I thought, Hack the Pentagon.

Of course, for many hackers the first thought is -

However it does seem that they are quite serious and are keen to attract talented hackers to test their digital defenses.  There is talk of even some sort of monetary reward, although the kudos of legitimately bypassing the Pentagon defense's will be enough for most of us!

But before you rush off and blow your cash and buy VPN servers across the world, then there are a few caveats.   First of all you must be a US citizen, and I'm not sure Edward Snowden counts.   Next you must register your intent officially, this is starting to sound less fun I would imagine.  Then you'll have to undergo a background check to assess your suitability to be granted approval to take on the Pentagon's security systems without a 'little knock on the door' following quickly afterwards.

But all going well, then some people will be given the go ahead to attack the Pentagon and try and breach their security infrastructure.

We'll keep you posted on the rules and regulations as they are released but it's expected to be happening in April sometime.   It should be mentioned that only selected services will be included in the first phase  project, presumably excluding sensitive and highly critical systems.


Hacking is not Illegal - If You're GCHQ

Hacking is bad, hacking is illegal - there's a host of legislation backing up this assertion from normal criminal law to very specific sections of the UK Computer Misuse Acts.  Moving outside the UK there's plenty of European privacy legislation in place to prevent hacking of devices, computers and accessing people's data without their permission. In fact many people worried about privacy across the world deliberately use a British VPN in order to utilise this legislation.

However it appears in all this legislation there's a single loophole, a way that you can bypass all this legislation and do whatever you want to anything or anyone online.  The solution is to work for GCHQ  and then it appears that you'll have carte blanche to hack into computers, camera, phones, install malware and keyloggers and pretty much anything else you decide you must do to fight crime and terrorism.

Some people think this is wrong, and the campaigners at Privacy International have just completed a legal challenge of these practices to the Investigatory Powers Tribunal  - read about it here. It's simply a complaint that the GCHQ shouldn't be allowed to act like some State sponsored hacking organisation at least whilst it's part of a country which is supposed to uphold principles of democracy, human rights and free speech.

There's plenty of evidence pointing that GCHQ has been involved in all sorts of covert surveillance and hacking.  In fact they actually admitted that their agents hack all sorts of devices both within the UK and abroad during the hearings.  Although they also stated that they have changed their working practices and now adhere to the new working practices published by the Home Office recently.

It seems not to matter as Privacy International asserted that "Hacking is one of the most intrusive surveillance capabilities available to intelligence agencies", or that until they were 'outed' by Edward Snowden and the like that the practices were denied.  There was little talk of guidelines and codes of conduct before GCHQ were caught and it would be no real surprise if they simply pay lip service to the advisory documents.

The practice of the State routinely and legitimately being able to hack anything or anyone they like routinely is clearly very worrying.  People's online privacy is being hugely impacted by the policy of simply trawling for criminals rather than specifically investigating and targeting wrong doers online.  IT's hardly surprising that the more innocent people are being spied on the more difficult it will become, with many people actively using encryption or seeking to buy proxy or VPN servers to hide their online activity.

Phillip Hammond smugly announced that the laws and practices of the UK security and intelligence services have been scrutinised by an independent body and deemed to be lawful.  However it is important to remember the denial of these initial practices by GCHQ and the very real threat that allowing a democratic state to legitimise the hacking of innocent people in order to fight terrorism.


Online You Are Just a Number

Just like the famous and incredibly stylish 1960s TV series, the Prisoner - when you do anything online you are basically just a number. Patrick McGoohan was designated the number 6 when he was transported to a rather strange prison, a categorisation that he wasn't too impressed with famously replying with

 I will not be pushed, filed, stamped, indexed, briefed or numbered.
The programme and star has become somewhat of an icon to many, with some of the incredibly bizarre situations becoming rather potentious  in our current surveillance world.

When you do anything online you are assigned a number, it's called an IP Address which stands for Internet Protocol.  This number isn't really assigned for a any sinister reason, it's simply used to enable the communication protocol of the internet - TCP/IP to function.

You'll often come across this address - currently they are in the format - and each is completely unique to every device connected to the internet. This uniqueness is essential, because without it then packets and data would be misdirected and the internet simply wouldn't work.  Unfortunately this is now being used to censor, filter and control access by the more commercial web sites on the web.

For instance a company like Netflix will secure copyright deals for films and movies based on specific countries, so they may have secured the rights to screen a programme in the USA but not in Europe.  The only way they can control this is by looking up your location when you connect, which can only be done by using your IP address.  It's extremely annoying particularly if you happen to spend any amount of time in certain countries without any agreements - my Netflix  account is quite often blocked when I travel abroad.

The number of sites that do this is increasing exponentially every year as companies seek to maximise profits and control access based on location.  It's hardly surprising that now people try and control their geolocation data by choosing to buy IP address services like the one in this video.

Services like these mean that the control switches to the user instead of the web site.  If I want to watch the news live on the BBC whilst holidaying in Spain, I merely select a UK IP address which will obscure my Spanish one.   It gives allows you to bypass all these country based filters and access sites which are normally inaccessible.

The other benefit of some of these services is the privacy aspect, a large proportion of them work as a secure VPN service like this.  This means as well as keeping your location secret, they also encrypt all the data you send online.  For travellers this is especially useful as it means that when you access confidential sites when using insecure, public wifi in places like hotels and cafes - your data is actually protected from being intercepted maliciously.

At the heart of these geotracking sites though is the fact that companies are still operating using a 20th century model.  By sticking to outdated economic models like price discrimination and regional copyright controls they will forever be battling these services and worst the growth of piracy as people simply steal and share their content.  The internet is a global marketplace and we all should be treated equally not split into profit centres to exploit and restrict.


Hiding the Proxy/VPN Service

For those of us who take steps to maintain our privacy online, then using a VPN is pretty much essential nowadays.  For example every time you visit a web site, watch a video, download some music - it's all logged in a variety of places in particular at your ISP.  Now ok, you might think that there's no harm in select Government Agencies having access to your complete online record but stop and think about it for a minute.

I'm based in the UK and we probably have one of the more benevolent and democratic Governments in the world, however I certainly wouldn't trust them with details of my entire online life.  Imagine a situation where a recovering drug addict, someone with sexual or mental health issues - would their online activities have any record of this?  Of course they would, and now imagine that information made it's way to other departments - perhaps a recovering (but clean) drug addict applied for a Civil service role?  Of course, there's also the huge possibility of misinterpretation, does the 19 year old Middle Eastern scholars web history bear any resemblance to that of a terrorist?   Very probably.

So using a VPN makes a huge amount of sense for any individual who simply wants to maintain their privacy. However there is an issue with this method especially if you are using one from a corporate or academic network which heavily monitors internet access - it's evident that you are using a proxy/VPN service.

Although it's highly unlikely that anyone would :
  • Notice
  • Figure it out.
Technically it's perfectly possible to figure out that an individual is using a proxy or VPN service from looking at the server logs.  Although no one can see the sites you visit or any other web activity, there is one piece of evidence that does give you away - the single IP address.  Instead of making connections to thousands of different web servers, the logs of a VPN user would have only one IP ADDRESS recorded that of the VPN server itself.   If anyone searched the logs it would be possible to identify those who used a proxy or VPN, so the secret is to rotate that IP address routinely.

As you can see you can, you can set the program to rotate between remote proxies automatically depending on your preferences effectively routing your connection all across the world.   This would obscure the fact that you are using a secure connection from most investigation.