Final Post

October 2, 2009

No – I’m not dead yet!!

This is a final post at Tigerstail.wordpress.com because I am tired of seeking knowledge and bitching about that which is. It is time to use my skills to develop the solutions to all of the problems I have discovered.

Join Me at jimmicap.wordpress.com

The FBI and Akamai

July 19, 2009

My friendly sales rep from my ISP reminded me that the FBI is on Akamai and showed me a tracert from his office which described a perfectly normal Akamai connection. For those who don’t know, I have discussed this technology before and am very uncomfortable connecting to a service which delivers content to/from multiple ports and from multiple different IPs and servers.

I tried to explain to him how this intrastate connection was dramatically different from any I had ever seen or discussed.

I mean the following is a tracert to Whitehouse.gov which you would expect to be well protected and I really don’t want to believe the FBI protects themselves better than they protect our President.

C:\Documents and Settings\Compaq_Owner>tracert whitehouse.gov

Tracing route to whitehouse.gov [96.16.226.135]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.0.1
2 27 ms 36 ms 36 ms nn-gw.viaccess.net [66.185.42.1]
3 30 ms 28 ms 21 ms auto-66.185.32.49.choice.vi [66.185.32.49]
4 164 ms 50 ms 35 ms 12.124.80.161
5 90 ms 86 ms 326 ms gbr2.ormfl.ip.att.net [12.123.32.78]
6 84 ms 86 ms 86 ms cr2.ormfl.ip.att.net [12.122.1.62]
7 101 ms 137 ms 137 ms cr1.attga.ip.att.net [12.122.5.142]
8 94 ms 94 ms 122 ms cr2.wswdc.ip.att.net [12.122.1.174]
9 109 ms 86 ms 101 ms 12.122.134.97
10 * * 87 ms 192.205.35.114
11 168 ms 86 ms 87 ms po-3.r04.asbnva01.us.bb.gin.ntt.net [129.250.6.45]
12 94 ms 93 ms 94 ms 168.143.97.2
13 106 ms 152 ms 93 ms a96-16-226-135.deploy.akamaitechnologies.com [96.16.226.135]

In fact, the tracert he presented to me was extremely similar but then he was a supervisor on the system with the FBI server and perhaps not yet a target.

Now my tracert for http://www.fbi.gov was simplicity itself.

C:\Documents and Settings\Compaq_Owner>tracert www.fbi.gov

Tracing route to a33.g.akamai.net [66.185.33.88]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.0.1
2 32 ms 36 ms 57 ms nn-gw.viaccess.net [66.185.42.1]
3 24 ms 28 ms 43 ms auto-66.185.33.88.wirelessworld.vi [66.185.33.88]

Akamai technology is supposed to maximize the utilization of Internet resources by having cache memory for popular sites at many locations with many different routes to minimize delivery time. Putting the FBI on every ISP in America as an independent server is a logistic nightmare and with less than 6000 customers for very small ISPs like mine, this becomes a horribly inept way to accomplish the goal of maximizing resource utilization.
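The two tracert listings above are the whole evidence in this section, so an added example follows: a small Python parser for Windows tracert output (my code, not the author's) that rejoins rows the 80-column console wrapped, turns each hop into a record, and reports hop count, the final IP, whether the final hop actually is the resolved target, and whether the target or final hop carries a reverse-DNS name in a CDN domain. The CDN suffix list holds only the two Akamai domains visible on this page; the sample traces are the page's own, embedded verbatim including their wrapped lines. A CDN-domain name on the last hop is the normal signature of an edge cache, and the hop count tells you how close the nearest edge is, not who operates the origin site.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Reverse-DNS suffixes that mark a content-delivery-network edge node.
# Only the two domains seen in the traces on this page; extend as needed.
CDN_SUFFIXES = ("akamaitechnologies.com", "akamai.net")


@dataclass
class Hop:
    number: int
    rtts_ms: List[Optional[float]]  # None where tracert printed '*'
    hostname: Optional[str]         # None when no reverse DNS was shown
    ip: Optional[str]               # None for a 'Request timed out.' row


@dataclass
class Trace:
    target: str
    target_ip: str
    hops: List[Hop] = field(default_factory=list)


HEADER_RE = re.compile(r"Tracing route to (\S+) \[([\d.]+)\]")
HOP_RE = re.compile(r"^(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.+)$")
RTT_RE = re.compile(r"<?\d+ ms|\*")
ENDPOINT_RE = re.compile(r"^(?:(\S+)\s+\[([\d.]+)\]|([\d.]+))$")


def _unwrap(lines):
    """Rejoin rows that the 80-column console split across two lines."""
    out = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        is_row = HOP_RE.match(line) or line.startswith(("Tracing", "over ")) or ">tracert" in line
        if out and not is_row:
            out[-1] += line  # continuation fragment such as '5]' or '.16.226.135]'
        else:
            out.append(line)
    return out


def _rtt(tok: str) -> Optional[float]:
    if tok == "*":
        return None
    return float(tok.lstrip("<").split()[0])  # '<1 ms' becomes 1.0 (an upper bound)


def parse_tracert(text: str) -> Trace:
    trace = None
    for line in _unwrap(text.splitlines()):
        h = HEADER_RE.search(line)
        if h:
            trace = Trace(target=h.group(1), target_ip=h.group(2))
            continue
        m = HOP_RE.match(line)
        if not m or trace is None:
            continue
        rtts = [_rtt(t) for t in RTT_RE.findall(m.group(2))]
        e = ENDPOINT_RE.match(m.group(3).strip())
        if e is None:  # e.g. 'Request timed out.'
            hostname, ip = None, None
        elif e.group(3):
            hostname, ip = None, e.group(3)
        else:
            hostname, ip = e.group(1), e.group(2)
        trace.hops.append(Hop(int(m.group(1)), rtts, hostname, ip))
    if trace is None:
        raise ValueError("no 'Tracing route to' header found")
    return trace


def summarize(trace: Trace) -> dict:
    """Hop count, final endpoint, and whether the route ends on a CDN edge."""
    last = trace.hops[-1]
    names = [n for n in (trace.target, last.hostname) if n]
    return {
        "target": trace.target,
        "hops": len(trace.hops),
        "final_ip": last.ip,
        "final_host": last.hostname,
        "reached_target": last.ip == trace.target_ip,
        "cdn_edge": any(n.endswith(CDN_SUFFIXES) for n in names),
    }


# The page's two traces, copied as printed (including the wrapped rows).
WHITEHOUSE_TRACE = """\
C:\\Documents and Settings\\Compaq_Owner>tracert whitehouse.gov

Tracing route to whitehouse.gov [96.16.226.135]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.0.1
2 27 ms 36 ms 36 ms nn-gw.viaccess.net [66.185.42.1]
3 30 ms 28 ms 21 ms auto-66.185.32.49.choice.vi [66.185.32.49]
4 164 ms 50 ms 35 ms 12.124.80.161
5 90 ms 86 ms 326 ms gbr2.ormfl.ip.att.net [12.123.32.78]
6 84 ms 86 ms 86 ms cr2.ormfl.ip.att.net [12.122.1.62]
7 101 ms 137 ms 137 ms cr1.attga.ip.att.net [12.122.5.142]
8 94 ms 94 ms 122 ms cr2.wswdc.ip.att.net [12.122.1.174]
9 109 ms 86 ms 101 ms 12.122.134.97
10 * * 87 ms 192.205.35.114
11 168 ms 86 ms 87 ms po-3.r04.asbnva01.us.bb.gin.ntt.net [129.250.6.4
5]
12 94 ms 93 ms 94 ms 168.143.97.2
13 106 ms 152 ms 93 ms a96-16-226-135.deploy.akamaitechnologies.com [96
.16.226.135]
"""

FBI_TRACE = """\
C:\\Documents and Settings\\Compaq_Owner>tracert www.fbi.gov

Tracing route to a33.g.akamai.net [66.185.33.88]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.0.1
2 32 ms 36 ms 57 ms nn-gw.viaccess.net [66.185.42.1]
3 24 ms 28 ms 43 ms auto-66.185.33.88.wirelessworld.vi [66.185.33.88
]
"""

if __name__ == "__main__":
    for sample in (WHITEHOUSE_TRACE, FBI_TRACE):
        print(summarize(parse_tracert(sample)))
```

Both traces come out with cdn_edge set: the long one reaches an akamaitechnologies.com host after 13 hops, the short one resolves www.fbi.gov to an akamai.net name and ends three hops away at an address inside the ISP's own range.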
As noted by others in the literature back to 2001, many commercial product updates come from exactly the same IP number as the FBI, including many antivirus products, Java, Macromedia, Adobe and Microsoft. It’s also bothersome to me that while my computer is being updated on parallel paths, some of the connections are from the IP which is owned by the software company, and some are the same IP as used by the FBI. Linux users should not be smug as the same FBI IPs can be found continuously connected to my Linux machines. It’s also bothersome that when I switch antivirus and antispyware systems the infections discovered which are incompatible with the new product will have the same names as minor files used by Ad-Aware, Trend Micro, Norton, Microsoft, Sun Java and Adobe.

In a dark sort of way, I have come to accept being spied upon because it seems to keep me free from outside infections. Now when I bother to check, my spyware, adware or antivirus shows that my machine is perfectly clean, although a change of products will always bring new discoveries of infected minor files from major vendors.

Searching for the FBI

July 17, 2009

During the course of the trial I lost three computers to shut down Trojans while researching the source of the shutdown Trojan for the contraband computer held in evidence. I also lost another computer when challenged by the prosecution to visit a particular page at Cert. Prior to this, the prosecution had me identified for the record even though my position was a researcher and not a witness. To say the Department of Justice was interacting with my computers during the course of the trial is an understatement.

Over the past two years, I discovered my computer constantly interacting with IP numbers which were owned by my ISP. Since Carnivore was known to be stationed at a local ISP, I made the incorrect assumption that I was being monitored by that program. As time passed, I noticed extremely aggressive behavior and if I went to a suspected Federal honeypot, as many as 60-100 ports would be opened with connections to my ISP. This reproducible behavior occurred with Linux and both current versions of Windows (XP and Vista). When using a live Linux CD, there were no connections on start-up and the connections occurred only after I went to a suspicious site.

While I assumed that these connections were the FBI, I had no way to prove it until I stumbled on it last week. Since I assume I am already a person of interest, I run a periodic search for the location of internet spy rooms to find out who is being watched. It should be obvious that if they can monitor my internet traffic, they can also monitor web sites offering seditious material using the same splitter technology. The perfect tool to track my signal is of course NeoTrace, which unfortunately has security issues, so I install a new copy daily, repeat my work and use different ISP connections to verify the results.

One thing I never checked was the path to www.FBI.gov until last week when I ran NeoTrace. I was shocked to find I was only 3 hops from the FBI, which had the same ISP as the constant connections to my machine. I double checked it with the DOS tracert command and found that this is part of Akamai technology, but the loop never leaves the United States Virgin Islands, unlike any other Akamai-served connections I’ve traced.

Moreover, the constant connections are through parallel iexplore.exe connections which are usually spyware, and the same block of IPs has been in use for two years. (The iexplore.exe connection exists even when using Firefox.) The supporting experiment of using the DOS command “netstat -ano” allows you to observe that a browser call for www.fbi.gov increases the number of connections to my machine but no other new IP numbers connect to deliver content or probe my machine (aside from possibly Google).
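The netstat experiment described above is a before/after comparison, which is easy to get wrong by eye when dozens of rows scroll past. As an added example (my code, not the author's), here is a Python script that parses two captures of Windows “netstat -ano” output, lists the socket pairs that appeared in the second capture, and groups them by remote host and by owning PID so the new connections can be attributed to a process. The two captures are constructed samples: the ISP-range address 66.185.33.88 is taken from the page's tracert, 198.51.100.7 is a documentation address standing in for any unrelated host, and the PIDs are invented. On a live system the PID column maps to an image name with tasklist /FI "PID eq 1580".

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    proto: str
    local: str
    remote: str
    state: Optional[str]  # UDP rows print no state column
    pid: int

    def key(self) -> Tuple[str, str, str]:
        # Identity of a socket pair; a state change alone is not a new socket.
        return (self.proto, self.local, self.remote)


def parse_netstat_ano(text: str) -> List[Conn]:
    """Parse the table printed by 'netstat -ano' on Windows."""
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] in ("TCP", "TCPv6"):
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] in ("UDP", "UDPv6"):
            proto, local, remote, pid = parts
            state = None
        else:
            continue  # banner, column header, or blank line
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def remote_host(addr: str) -> str:
    # Works for 'a.b.c.d:port' and '[v6addr]:port' alike.
    return addr.rsplit(":", 1)[0]


def new_connections(before: List[Conn], after: List[Conn]) -> List[Conn]:
    """Socket pairs present in 'after' that were absent from 'before'."""
    seen = {c.key() for c in before}
    return [c for c in after if c.key() not in seen]


def report(before_text: str, after_text: str) -> dict:
    """Summarise what changed between two captures."""
    before = parse_netstat_ano(before_text)
    after = parse_netstat_ano(after_text)
    new = new_connections(before, after)
    return {
        "new": len(new),
        "by_remote": dict(Counter(remote_host(c.remote) for c in new if c.state == "ESTABLISHED")),
        "pids": sorted({c.pid for c in new}),
    }


# Constructed samples: a capture taken before and one taken after loading a page.
BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.0.2:1039       66.185.33.88:80        ESTABLISHED     1580
  UDP    0.0.0.0:123            *:*                                    1052
"""

AFTER = BEFORE + """\
  TCP    192.168.0.2:1044       66.185.33.88:80        ESTABLISHED     1580
  TCP    192.168.0.2:1045       66.185.33.88:80        ESTABLISHED     1580
  TCP    192.168.0.2:1046       198.51.100.7:80        ESTABLISHED     1580
  TCP    192.168.0.2:1047       66.185.33.88:80        ESTABLISHED     2244
"""

if __name__ == "__main__":
    print(report(BEFORE, AFTER))
```

Keying on the (proto, local, remote) triple rather than the whole row keeps a connection that merely moved from SYN_SENT to ESTABLISHED between the two captures from being counted as new.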

Interestingly enough, since this connection is being made intrastate, it may not be clearly illegal. First, most people would not dwell on the connection or try to block it as it is part of their ISP service so most would never notice or complain. Next, the site is clearly an FBI location and delivers the FBI homepage locally which is not exactly a clandestine operation. Next, Federal laws governing wiretaps, Keystroke loggers, and Trojans regulate interstate traffic and Neotrace finds no link to anything beyond the United States Virgin Islands.

As an aside, I asked a friend to do a tracert to the FBI in New York City and consistent with my suspicions, the IP she got was 204.2.199.25 which Neotrace places in New York City. I would expect that most connections to the FBI are intrastate connections.

If this is the so-called Magic Lantern or the euphemism beyond that, it has a lot more power than previously described and is not simply a keystroke logger. It has the power to shut down by altering video settings, by altering the Windows registry settings so windows appear counterfeit, or by destroying the motherboard. It can also interfere with posting on a blog and sending emails, and temporarily freeze the system at an inopportune time.

Check it out yourself.

In DOS use “tracert www.fbi.gov” or in a Linux console use “traceroute www.fbi.gov” to find the IP of the FBI server which would deliver content to you. (It’s the last IP listed.) Give me the IP you got for www.fbi.gov in the comment section and I’ll let you know where it is located.

IE8 Privacy is an Oxymoron

September 20, 2008

I could have said that the IE8 privacy function is a lie or a joke but I happen to like the word oxymoron. In my preliminary tests I was acting as if my life and future depended on my online privacy and didn’t bother doing a comparison. I found my surfing history in cache memory, that CCleaner didn’t wipe the cache memory information and that there was a hidden system file called PrivacIE (pronounce that “Priv A C”) which contained a hashed index.dat file which was untouchable. Not a bad find for a quick survey. I did a preliminary test against Firefox 3 automatically wiping all privacy data on closing and found a few lingering cookies, which CCleaner seemed to wipe out, but no cache memory of the sites I visited.

I sort of find a hashed index.dat file (in a folder called PrivacIE) and a record of my surfing history in cache memory an insulting and direct compromise of the promise of real internet privacy.

If anyone cares about the method, I’ll do a post on it.

Resistance is Futile!

July 21, 2008

Once you realize that Resistance is Futile, knowledge truly is soporific. The problem is, life without knowledge acquisition becomes somewhat boring. After all, how much sex, booze, beach time and loud music can a single person handle? So for various reasons such as the potential for my liver falling out and fear of going brain dead, I decided to sober up and read the content of all my emails from SANS to see what I’ve been missing since April. The following is extracted from various SANS newsletters and attracted my attention because of the “unique” content.

WINDOWS SECURITY
Researchers at the Internet Storm Center estimate that it takes about four minutes for an unpatched Windows PC to be compromised once it connects to the Internet. The survival time has consistently dropped over the past years due to the increasing number of worms and viruses and hackers using more and more automated attacking tools. However, a researcher with the German Honeypot Project claims the survival time is much higher than 4 minutes and in fact is nearer 16 hours. Either way it’s less than one day online.

Google can’t stand the competition
A controversial law was narrowly voted in last month and allows Swedish security services to eavesdrop on all international calls into and out of Sweden. In response to the new law TeliaSonera, the Finnish-Swedish telecoms operator, has moved its servers from Sweden to Finland and Google is also considering a similar course of action. After all, why should Google allow anyone other than Google to snoop on your surfing habits and keep a history of your actions?

Google Caches Retain Stolen Data
Stolen sensitive personal data, including financial account information, have been found to linger in Google caches for months even after the server holding the stolen information has been disabled. Cyber criminals collect information through keystroke loggers and store the data on servers. When the servers are discovered, they are taken down, but the Google pages are not unless specific requests are made. A Google spokesperson said that in general, the company does not remove cached information, but that it eventually disappears on its own after the original source is no longer accessible.

Coming to America!

Phorm’s technology can be used by Internet Service Providers to track end user activity on the Internet and place advertisements based on their online activity. Phorm already has agreements in place with some of the U.K.’s top ISPs such as the BT Group PLC (BT), Carphone Warehouse’s (CPW.LN) Talk Talk and Virgin Media.

Expanding the Patriot Act
The Foreign Intelligence Surveillance Act (FISA) allows for warrantless surveillance of telecommunications and immunity from subsequent lawsuits served against the telecommunications companies facilitating the surveillance. A lawsuit claims that FISA breaches the Fourth Amendment of the U.S. Constitution, which prevents the government from unreasonable searches and seizures. Supporters of the law claim it is a vital weapon in the fight against terrorism.

Don’t Xerox any $3 Bills
A feature built into many modern laser printers is raising concerns among civil liberties groups that individuals’ privacy may be eroded. The feature uses technology to print hidden yellow dots that are unique to the printer onto each page. These dots are invisible to the eye, but when viewed under a blue LED light they can identify the printer and the time of use. The technology is used to track those who attempt to use color laser printers to create counterfeit money. However, privacy advocates are concerned that the technology could be misused to track and identify whistleblowers or dissidents in totalitarian regimes.

Read it and Weep!

Vista Blue Screen of Death!

February 21, 2008

Did you ever wonder what Microsoft personnel call the world famous “Blue Screen of Death”? Well, at least one programmer must have a sense of humor or submitted the following error message as a resignation.

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6000.2.0.0.768.2
Locale ID: 1033

Additional information about the problem:
BCCode: 1000007e
BCP1: C0000005
BCP2: 8B0CAB9F
BCP3: 87599BA8
BCP4: 875998A4
OS Version: 6_0_6000
Service Pack: 0_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini021908-02.dmp
C:\Users\USER\AppData\Local\Temp\WER-46332-0.sysdata.xml
C:\Users\USER\AppData\Local\Temp\WER43C3.tmp.version.txt

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409

The biggest improvement over Windows 98 and Windows Me is that the Blue Screen is a quick flash before the computer goes dead whereas in the old days it would stay on your monitor to torment you. None of my friends can recall a blue screen effect with Windows XP SP2 so Vista must be engaging in a nostalgia trip.
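The problem signature above is not as opaque as it looks: BCCode is the kernel STOP code and BCP1 through BCP4 are its four parameters, whose meaning depends on the code. As an added example (my code, not Microsoft's and not the author's), here is a Python decoder that parses the report as printed, looks up the STOP code and, for the 0x7E/0x8E family where parameter 1 is an NTSTATUS value and parameter 2 the faulting address, names the exception and picks out the minidump path an analyst would open next. The lookup tables hold only a handful of well-known codes; anything else decodes as UNKNOWN.

```python
import re
from typing import Dict, List

# STOP codes recognised by the decoder. The 0x1000xxxx forms are the same
# faults reported with the '_M' suffix, as in the report on this page.
BUGCHECKS = {
    0x0000000A: "IRQL_NOT_LESS_OR_EQUAL",
    0x00000050: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x0000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x1000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M",
    0x0000008E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0x1000008E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED_M",
}
# NTSTATUS values that commonly appear as parameter 1 of 0x7E / 0x8E.
NTSTATUS = {
    0x80000003: "STATUS_BREAKPOINT",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
}

KV_RE = re.compile(r"^([A-Za-z0-9 ]+?):\s*(\S.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_problem_signature(text: str) -> Dict[str, object]:
    """Collect 'Key: value' lines and the file paths from a WER BlueScreen report."""
    fields: Dict[str, str] = {}
    files: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("http"):
            continue  # blank lines and the privacy-statement URL
        if PATH_RE.match(line):
            files.append(line)
            continue
        m = KV_RE.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2))  # 'OS Version' appears twice; keep the first
    return {"fields": fields, "files": files}


def decode(report: Dict[str, object]) -> dict:
    """Name the STOP code and, where the code defines them, its parameters."""
    fields = report["fields"]
    code = int(fields["BCCode"], 16)
    params = [int(fields[f"BCP{i}"], 16) for i in range(1, 5)]
    out = {
        "bugcheck": code,
        "bugcheck_name": BUGCHECKS.get(code, "UNKNOWN"),
        "params": params,
        "minidump": next((p for p in report["files"] if p.lower().endswith(".dmp")), None),
    }
    if (code & 0xFFFF) in (0x7E, 0x8E):
        # P1 = exception code, P2 = faulting address,
        # P3 = exception record, P4 = context record.
        out["exception"] = NTSTATUS.get(params[0], "UNKNOWN")
        out["fault_address"] = params[1]
        out["exception_record"] = params[2]
        out["context_record"] = params[3]
    return out


# The report exactly as printed on this page.
REPORT = r"""
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6000.2.0.0.768.2
Locale ID: 1033

Additional information about the problem:
BCCode: 1000007e
BCP1: C0000005
BCP2: 8B0CAB9F
BCP3: 87599BA8
BCP4: 875998A4
OS Version: 6_0_6000
Service Pack: 0_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini021908-02.dmp
C:\Users\USER\AppData\Local\Temp\WER-46332-0.sysdata.xml
C:\Users\USER\AppData\Local\Temp\WER43C3.tmp.version.txt

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
"""

if __name__ == "__main__":
    print(decode(parse_problem_signature(REPORT)))
```

For this report the decoder says SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M with STATUS_ACCESS_VIOLATION at 0x8B0CAB9F, which is a kernel-mode driver touching an address it should not, and the Mini021908-02.dmp file is where a debugger would show which driver.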

Live Linux CD -Dead Computer

February 19, 2008

It appears that linuxcrayon has the gift of prophecy or maybe just hard earned knowledge. I was using a Live CD to track the code on some disgustingly evil sites. Even though it was a Live CD on a minimal machine (no hard drive), I’m still in the habit of monitoring netstat to see who’s monitoring me. Now I was a little surprised to find that I had probes from carnivore and a couple of corporate spies watching me surf crap.

I wasn’t too worried as every time I turned the machine on it came back as a brand new machine with no tracks. On a regular machine with permanent programming, the Spyware is there the moment you turn the machine on so it’s pretty hard to find out where you caught the crap once you’ve got it. With a Live Linux CD, every day is a new machine with no history so you can start surfing while watching netstat and see where you get your invaders. If you miss it today you can try again after . Trust me, if you pick up military strength malware on a regular machine, you can never shake the crap so it’s tough to track it to the source.

Well pride about my cleverness came right before my fall and the knowledge of Linuxcrayon was predictive. I was using a Knoppix operating system and a Firefox browser and it started getting unstable. I switched to a DSL (Damn Small Linux) operating system and their proprietary version of Firefox. The stability lasted a few days and I thought that it was a malware injected into memory much like the Firefox Browser update which occurs every time you start-up a Live Linux CD and open the browser. But then everything went to hell.

I could no longer enter the BIOS on start-up, flashing and resetting the BIOS didn’t help, and the system would not operate offline. So whatever damage was being done was permanent and not due to embedded software. Then the machine just stopped working. The POST card says my CPU is fried.

Well this noble machine had been through a lot. It started life as a Windows machine which was slammed during the trial as I investigated various evidence sites which were still online. I gave the hard drive the Lot’s wife treatment, replaced the CD drive and tried to rebuild it as either a Windows machine or a Linux box to no avail. It was unstable. As a medium for running a live CD, the machine hung on for another 3-4 months doing reconnaissance on a lot of shit sites and publishing the results. It was on this machine that I discovered Google Dorking 4 Kiddie Porn and exposed sites which should be hacked to death.

Just for laughs, I have purchased a couple of motherboards and hope to return this box to active duty.

GSI 4 Firefox – Cool Tool!

February 14, 2008

Sometimes you trip on browser add-ons that are a fantastic idea. I mean you hit a site you want to explore and you can click the page links, get lost and never explore both the depth and breadth of the site. You may leave without finding what you want. What the Google Site Index does is draw a site map based on Googlebot’s knowledge of the public area of the web site. Now certain sites like youngerbabes.com and young-models.org (which can’t be searched with the site command) cannot be indexed. Others which have thousands of pages like thehun.net yield a very organized site index which is less than a page.

Installation is simple, and once installed it’s easy to use. Just click on Tools and open up GSI (or right-click on the screen) and up pops the interface. Confirm the domain, click Start and the site is indexed. You should probably stay away from the recursive search as after trying twice with two different sites, it locked both times. Then Google accused me of having a virus and locked me out until I entered some twisted letters.

If I have a complaint, it is that the results pop up as an HTML page on which you can only click one link before it disappears. The workaround is to save the page as HTML on your desktop and work from there. If you have basic HTML skills, you might want to open the page in Notepad and cut the script at the bottom before you start exploring the site. While GSI indexing is totally anonymous, your site visits are not unless you do the standard Google trick of saving the URLs in Notepad and using the Google cache while stripping all images, or by using a proxy.

So far, I haven’t used GSI for anything serious if you don’t count looking at the good, the bad, and the ugly architecture of my own Web sites.

Dissecting a Kiddie Porn Cookie

February 11, 2008

Cookies can be used to transfer information about you to a website. Now when I started to use a Live CD, I got a little bolder in tracking source code on nasty sites and not shutting down between site visits. After all no permanent images would be stored and there wasn’t all that much information which could be transferred from a machine with no permanent memory of where it had been and what it had seen.

Well I found out there is an awful lot of information in temporary storage, like a cookie from any personal site you have visited, i.e. Gmail, Hotmail, hi5, MySpace, Facebook etc. Since I really hadn’t thought about it and therefore wasn’t avoiding it, I was able to get a peek at what kiddie porn sites wanted to learn about me.

From over at Fatsavage.wordpress.com, the original analysis of the cookie from americanthumbs.com was:

‘ucjc=xucjcxnoref
xucjcxnoref
xucjcx1
xucjcx0
xucjcx0
xucjcx
xucjcx; path=/;’

Now after a session of Google hacking for kiddie porn, I ended up with the following cookie from billpics.com or amglover.com which both use the ucj cookie.

‘ucjc=xucjxnocookie
xucjxnocookie
xucjx1
xucjx2
xucjxnone
xucjx|teens-girls.net|mymasha.com
xucjx; path=/;’

It would seem that a couple of sites I had not suspected of kiddie porn were of interest to the people from UCJ as both of their names show up as variables in the cookie and the variable that was a 0 has now moved up to a 2. I guess they are counting the nasty places I had been. Apparently, I was cautious in this surfing session as the “noref” variable had shifted to “nocookie”.

When I got sloppy, the changes in the cookie got really interesting.

‘ucjc=xucjxgoogle.co.vi
xucjxhttp://www.google.co.vi/search?hl=en&client=firefox&rls=org.mozilla%3Aen-US%3Aunofficial&q=hq-teens.com&btnG=Search
xucjx1
xucjx0
xucjx0
xucjx
xucjx;

Well, I sort of figured this would happen so I had turned the machine on and went nowhere else except the Google search bar. Now in addition to my IP, they have my Google cookie, the country version of Google, that I search in English, that I’m using Firefox and that I pressed the search button while looking for information on hq-teens.com.

If I had checked my Hotmail or Gmail prior to the search, they would probably have my user name and everything else.
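The three cookie dumps above all follow one layout: the value is a sequence of fields joined by a repeated marker (xucjcx in the first dump, xucjx in the later two), and the second field carries the full referrer URL, which is how the search terms, the Google country site, the interface language and the browser end up in the cookie. As an added example (my code, not the tracking network's), here is a Python parser that reassembles the line-wrapped dumps, detects the marker, splits the fields and, when the referrer field is a URL, pulls its query parameters apart so the leaked values can be listed. The field labels are mine, inferred from the values the page shows, not from any published specification of this cookie; the three sample cookies are the page's own, reproduced verbatim.

```python
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Field markers seen in the dumps on this page, longest first so that the
# earlier 'xucjcx' form is not mistaken for 'xucjx'.
DELIMITERS = ("xucjcx", "xucjx")

# Positional labels inferred from the values on this page (an assumption,
# not a published layout): the page reads field 4 as a visit counter and
# field 6 as a '|'-separated list of sites.
FIELD_NAMES = ("referrer_host", "referrer_url", "flag", "counter", "extra", "sites", "trailer")


def parse_ucj_cookie(raw: str) -> Dict[str, object]:
    """Split a 'ucjc=...' cookie dump into labelled fields."""
    text = "".join(raw.split())                     # undo the blog's line wrapping
    text = text.strip("'\u2018\u2019")             # drop the quotation marks around the dump
    name, _, value = text.split(";", 1)[0].partition("=")  # ignore 'path=/' and friends
    if name != "ucjc":
        raise ValueError(f"not a ucjc cookie: {name!r}")
    delim = next((d for d in DELIMITERS if value.startswith(d)), None)
    if delim is None:
        raise ValueError("unknown field delimiter")
    fields = value.split(delim)[1:]                 # leading marker yields an empty first piece
    record: Dict[str, object] = dict(zip(FIELD_NAMES, fields))
    record["delimiter"] = delim
    record["field_count"] = len(fields)
    record["sites"] = [s for s in str(record.get("sites", "")).split("|") if s]
    return record


def leaked_search(record: Dict[str, object]) -> Dict[str, str]:
    """Query parameters carried in the referrer field, if it holds a URL."""
    url = str(record.get("referrer_url", ""))
    if "://" not in url:
        return {}
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


# The three dumps from this page, as printed.
COOKIE_1 = """‘ucjc=xucjcxnoref
xucjcxnoref
xucjcx1
xucjcx0
xucjcx0
xucjcx
xucjcx; path=/;’"""

COOKIE_2 = """‘ucjc=xucjxnocookie
xucjxnocookie
xucjx1
xucjx2
xucjxnone
xucjx|teens-girls.net|mymasha.com
xucjx; path=/;’"""

COOKIE_3 = """‘ucjc=xucjxgoogle.co.vi
xucjxhttp://www.google.co.vi/search?hl=en&client=firefox
&rls=org.mozilla%3Aen-US%3Aunofficial&q=hq-teens.com&btnG=Search
xucjx1
xucjx0
xucjx0
xucjx
xucjx;"""

if __name__ == "__main__":
    for dump in (COOKIE_1, COOKIE_2, COOKIE_3):
        rec = parse_ucj_cookie(dump)
        print(rec["delimiter"], rec["referrer_host"], rec["counter"], rec["sites"], leaked_search(rec))
```

On the third dump the referrer field decodes to hl=en, client=firefox, rls=org.mozilla:en-US:unofficial and q=hq-teens.com, which is exactly the list of leaked facts the paragraph above enumerates; on the first two it decodes to nothing, because the field holds the placeholder noref or nocookie rather than a URL.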

Tag I’m it, wandering in a forest of honeypots with Federal bees swarming to sting.

Why use a Virtual Machine?

February 9, 2008

Well there is good news and bad news about simple virtual machines. At its simplest, a virtual machine is just a live Linux CD on an old computer without even a hard drive. The one I’m currently using has a motherboard with a fried BIOS and an embedded Trojan but Linux does not rely on the BIOS and Trojans rarely are cross-platform.

With a live Linux CD, you don’t need a storage area and with a gig of RAM, you can quickly surf without worrying about porn loaders or malware of any sort. The nice thing is there is no permanent record in hidden index.dat files or in log files written in geek. Shut the machine down and everything you did is gone including all cache files of images, cookies and history. Since possession of weird shit is the major crime and the easiest to prove with the un-erasable hidden files on your hard drive, you avoid that trap. Unbelievably, your hard drive holds a near permanent record of your surfing history and a copy of every image you have ever seen whether on purpose or not.

So on one hand you get some element of protection but on the other hand there is still information being conveyed to anybody that wants to spy on you. First, at the local level we have the FBI’s ability to spy on every private citizen in America. The powers of Carnivore and Echelon to track all of your surfing activity whether wired or wireless are incredible. I wouldn’t bet that a keystroke logger won’t work on a virtual machine. After all, my virtual machine uses an older version of Firefox which accepts an update and installs it in RAM. Not much different than accepting a keystroke logger with “ET call home” capabilities which would report on all of your surfing habits, emails, and instant messages. Since wireless intercepts are up close and personal and Carnivore is nestled at your ISP level, I’m not even sure that a proxy will help to hide your surfing activity because the spying is already done by the time your request reaches a proxy. (A keystroke logger even defeats encrypted URLs.)

This is one of those classic Mexican stand-offs. You will be observed and unless you are actually making kiddie porn or building bombs, I doubt that anybody would really want to explore spy technology at a trial because the Government’s technical capabilities of information gathering are probably being illegally used. It’s far easier to trash your machine, get you to a repair shop, and let you self-incriminate, as the courts have ruled that you have no expectation of privacy when you take a machine in to get it repaired, so any evidence on the machine can be used to set you up. This is the biggest advantage to virtual machines: they don’t go to repair shops.

While there is no evidence on your machine that you are engaging in dangerous activity, never assume there is no evidence at all.

I got a little bolder on my virtual machine and found out just how much information can be gathered from a virtual machine which allows cookies. (If you don’t allow cookies, you can’t explore many sites, and as soon as you allow them there is information being transferred.)

Please check the comment section for an intelligent bit of information from linuxcrayon.