Archive for the ‘Big Brother’ Category

Final Post

October 2, 2009

No – I’m not dead yet!!

This is a final post at Tigerstail.wordpress.com because I am tired of seeking knowledge and bitching about that which is. It is time to use my skills to develop the solutions to all of the problems I have discovered.

Join Me at jimmicap.wordpress.com

Searching for the FBI

July 17, 2009

During the course of the trial I lost three computers to shutdown Trojans while researching the source of the shutdown Trojan for the contraband computer held in evidence. I also lost another computer when challenged by the prosecution to visit a particular page at Cert. Prior to this, the prosecution had me identified for the record even though my position was a researcher and not a witness. To say the Department of Justice was interacting with my computers during the course of the trial is an understatement.

Over the past two years, I discovered my computer constantly interacting with IP numbers which were owned by my ISP. Since Carnivore was known to be stationed at a local ISP, I made the incorrect assumption that I was being monitored by that program. As time passed, I noticed extremely aggressive behavior and if I went to a suspected Federal Honeypot, as many as 60-100 ports would be opened with connections to my ISP. This reproducible behavior occurred with Linux and both current versions of Windows (XP and Vista). When using a live Linux CD, there were no connections on start-up and the connections occurred only after I went to a suspicious site.

While I assumed that these connections were the FBI, I had no way to prove it until I stumbled on it last week. Since I assume I am already a person of interest, I run a periodic search for the location of internet spy rooms to find out who is being watched. It should be obvious that if they can monitor my internet traffic, they can also monitor web sites offering seditious material using the same splitter technology. The perfect tool to track my signal is of course Neotrace which unfortunately has security issues so I install a new copy daily and repeat my work and use different ISP connections to verify the results.

One thing I never checked was the path to http://www.FBI.gov until last week when I ran Neotrace. I was shocked to find I was only 3 jumps from the FBI which had the same ISP as the constant connections to my machine. I double checked it with the DOS traceroute command and found that this is part of Akamai technology, but the loop never leaves the United States Virgin Islands unlike any other Akamai served connections I’ve traced.

Moreover, the constant connections are through parallel iexplore.exe connections which are usually spyware and the same block of IPs have been in use for two years. (The iexplore.exe connection exists even when using Firefox.) The supporting experiment of using the DOS command, “netstat –ano”, allows you to observe that a browser call for http://www.fbi.gov increases the number of connections to my machine but no other new IP numbers connect to deliver content or probe my machine (aside from possibly Google.)
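The before-and-after “netstat –ano” comparison described above can be made mechanical: take one snapshot before loading a page and one after, keep only the connections that appeared in between, and count them per remote /24 block and per owning PID. The script below is an added example (mine, not code from this blog); the two snapshots are constructed in the layout of Windows “netstat -ano” using documentation address ranges and invented PIDs. Note that netstat only reports PIDs; matching a PID to a process name (iexplore.exe, firefox.exe) is a separate “tasklist” lookup.

```python
import ipaddress
from collections import Counter

# Constructed sample snapshots in the layout of Windows "netstat -ano"
# (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; PIDs are invented).
BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:49152       203.0.113.10:80        ESTABLISHED     1234
  TCP    192.0.2.10:49153       203.0.113.10:443       ESTABLISHED     1234
  UDP    0.0.0.0:500            *:*                                    876
"""

AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:49152       203.0.113.10:80        ESTABLISHED     1234
  TCP    192.0.2.10:49153       203.0.113.10:443       ESTABLISHED     1234
  TCP    192.0.2.10:49160       203.0.113.21:80        ESTABLISHED     1234
  TCP    192.0.2.10:49161       203.0.113.22:80        ESTABLISHED     1234
  TCP    192.0.2.10:49162       203.0.113.23:80        TIME_WAIT       0
  TCP    192.0.2.10:49163       198.51.100.7:443       ESTABLISHED     2222
  TCP    192.0.2.10:49164       203.0.113.24:80        ESTABLISHED     3333
  UDP    0.0.0.0:500            *:*                                    876
"""


def parse_netstat(text):
    """Turn the table printed by 'netstat -ano' into a list of connection records."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header line or blank line
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows have no State column, so the PID is always the last field.
        state = parts[3] if proto == "TCP" else ""
        remote_host, _, remote_port = foreign.rpartition(":")
        conns.append({"proto": proto, "local": local, "remote_host": remote_host,
                      "remote_port": remote_port, "state": state, "pid": int(parts[-1])})
    return conns


def new_connections(before, after):
    """Connections present in the second snapshot but absent from the first."""
    key = lambda c: (c["proto"], c["remote_host"], c["remote_port"], c["pid"])
    seen = {key(c) for c in before}
    return [c for c in after if key(c) not in seen]


def summarize(conns):
    """Count connections per remote /24 block and per PID: the view that shows
    whether one address block or one process accounts for the jump."""
    by_block, by_pid = Counter(), Counter()
    for c in conns:
        try:
            net = ipaddress.ip_network(f"{c['remote_host']}/24", strict=False)
            by_block[str(net)] += 1
        except ValueError:  # "*" or a bracketed IPv6 literal
            by_block["non-ipv4"] += 1
        by_pid[c["pid"]] += 1
    return by_block, by_pid


def snapshot_diff(before_text, after_text):
    """Everything that appeared between two snapshots, with the two summaries."""
    new = new_connections(parse_netstat(before_text), parse_netstat(after_text))
    by_block, by_pid = summarize(new)
    return new, by_block, by_pid


if __name__ == "__main__":
    new, by_block, by_pid = snapshot_diff(BEFORE, AFTER)
    print(f"{len(new)} new connections")
    for block, n in by_block.most_common():
        print(f"  {block:20} {n}")
    for pid, n in by_pid.most_common():
        print(f"  PID {pid:<6} {n}")
```

Against the constructed snapshots this reports five new connections, four of them into one /24 block; on a real machine you would feed it the saved output of two netstat runs instead of the embedded strings.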

Interestingly enough, since this connection is being made intrastate, it may not be clearly illegal. First, most people would not dwell on the connection or try to block it as it is part of their ISP service so most would never notice or complain. Next, the site is clearly an FBI location and delivers the FBI homepage locally which is not exactly a clandestine operation. Next, Federal laws governing wiretaps, Keystroke loggers, and Trojans regulate interstate traffic and Neotrace finds no link to anything beyond the United States Virgin Islands.

As an aside, I asked a friend to do a tracert to the FBI in New York City and consistent with my suspicions, the IP she got was 204.2.199.25 which Neotrace places in New York City. I would expect that most connections to the FBI are intrastate connections.

If this is the so called Magic Lantern or the euphemism beyond that, it has a lot more power than previously described and is not simply a keystroke logger. It has the power to shut down by altering video settings, by altering the Windows registry settings so windows appear counterfeit, or by destroying the motherboard. It can also interfere with posting on a blog, sending emails, and temporarily freezing the system at an inopportune time.

Check it out yourself.

In DOS use “tracert www.fbi.gov” or in a Linux console use “traceroute www.fbi.gov” to find the IP of the FBI server which would deliver content to you. (It’s the last IP listed.) Give me the IP you got for http://www.fbi.gov in the comment section and I’ll let you know where it is located.

Live Linux CD -Dead Computer

February 19, 2008

It appears that linuxcrayon has the gift of prophecy or maybe just hard earned knowledge. I was using a Live CD to track the code on some disgustingly evil sites. Even though it was a Live CD on a minimal machine (no hard drive), I’m still in the habit of monitoring netstat to see who’s monitoring me. Now I was a little surprised to find that I had probes from carnivore and a couple of corporate spies watching me surf crap.

I wasn’t too worried as every time I turned the machine on it came back as a brand new machine with no tracks. On a regular machine with permanent programming, the Spyware is there the moment you turn the machine on so it’s pretty hard to find out where you caught the crap once you’ve got it. With a Live Linux CD, every day is a new machine with no history so you can start surfing while watching netstat and see where you get your invaders. If you miss it today, you can try again. Trust me, if you pick up military strength malware on a regular machine, you can never shake the crap so it’s tough to track it to the source.

Well pride about my cleverness came right before my fall and the knowledge of Linuxcrayon was predictive. I was using a Knoppix operating system and a Firefox browser and it started getting unstable. I switched to a DSL (Damn Small Linux) operating system and their proprietary version of Firefox. The stability lasted a few days and I thought that it was malware injected into memory much like the Firefox Browser update which occurs every time you start up a Live Linux CD and open the browser. But then everything went to hell.

I could no longer enter the BIOS on start-up, flashing and resetting the BIOS didn’t help and the system would not operate offline. So whatever damage was being done was permanent and not due to embedded software. Then the machine just stopped working. POST card says my CPU is fried.

Well this noble machine had been through a lot. It started life as a Windows machine which was slammed during the trial as I investigated various evidence sites which were still online. I gave the hard drive the Lot’s wife treatment and replaced the CD drive and tried to rebuild it as either a Windows machine or a Linux box to no avail. It was unstable. As a medium for running a live CD, the machine hung on for another 3-4 months doing reconnaissance on a lot of shit sites and publishing the results. It was on this machine that I discovered Google Dorking 4 Kiddie Porn and exposed sites which should be Hacked to death.

Just for laughs, I have purchased a couple of motherboards and hope to return this box to active duty.

Dissecting a Kiddie Porn Cookie

February 11, 2008

Cookies can be used to transfer information about you to a website. Now when I started to use a Live CD, I got a little bolder in tracking source code on nasty sites and not shutting down between site visits. After all no permanent images would be stored and there wasn’t all that much information which could be transferred from a machine with no permanent memory of where it had been and what it had seen.

Well I found out there is an awful lot of information in temporary storage, like a cookie from any personal site you have visited, i.e. gmail, hotmail, hi5, myspace, facebook etc. Since I really hadn’t thought about it and therefore wasn’t avoiding it, I was able to get a peek at what kiddie porn sites wanted to learn about me.

From over at Fatsavage.wordpress.com, the original analysis of the cookie from americanthumbs.com was:

‘ucjc=xucjcxnoref
xucjcxnoref
xucjcx1
xucjcx0
xucjcx0
xucjcx
xucjcx; path=/;’

Now after a session of Google hacking for kiddie porn, I ended up with the following cookie from billpics.com or amglover.com which both use the ucj cookie.

‘ucjc=xucjxnocookie
xucjxnocookie
xucjx1
xucjx2
xucjxnone
xucjx|teens-girls.net|mymasha.com
xucjx; path=/;’

It would seem that a couple of sites I had not suspected of kiddie porn were of interest to the people from UCJ as both of their names show up as variables in the cookie and the variable that was a 0 has now moved up to a 2. I guess they are counting the nasty places I had been. Apparently, I was cautious in this surfing session as the “noref” variable had shifted to “nocookie”.

When I got sloppy, the changes in the cookie got really interesting.

‘ucjc=xucjxgoogle.co.vi
xucjxhttp://http://www.google.co.vi/search?hl=en&client=firefox
&rls=org.mozilla%3Aen-US%3Aunofficial&q=hq-teens.com&btnG=Search
xucjx1
xucjx0
xucjx0
xucjx
xucjx;

Well, I sort of figured this would happen so I had turned the machine on and went nowhere else except the Google search bar. Now in addition to my IP, they have my Google cookie, the country version of Google, that I search in English, that I’m using Firefox and that I pressed the search button while looking for information on hq-teens.com.

If I had checked my Hotmail or Gmail prior to the search, they would probably have my user name and everything else.
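The three cookies quoted above share one layout: a value made of fields glued together with a repeated delimiter (“xucjcx” in the older cookie, “xucjx” in the later ones), followed by ordinary Set-Cookie attributes such as path=/. The parser below is an added example, mine and not anything from this blog or from the sites it names; the field labels are my reading of the three samples (referring host, full referring URL, a counter, a “|”-separated domain list) and are an assumption, not a documented format. The sample cookies are constructed in the same shape with placeholder hosts and a harmless search query, so the code runs offline. The interesting part is the referring-URL field: once it is split as a URL, the search engine, interface language, browser and search terms fall straight out of the query string, which is exactly the leak the post describes.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Delimiter as seen in the quoted cookies: "xucjcx" in the older sample, "xucjx" later.
DELIM = re.compile(r"xucjc?x")

# Positional labels are an ASSUMPTION drawn from the three samples in the post.
FIELD_NAMES = ["referrer_host", "referrer_url", "flag", "counter", "extra", "domains", "tail"]

# Constructed samples in the same layout as the quoted cookies (placeholder hosts,
# harmless query); not the cookies from the post.
SAMPLE_NOREF = "'ucjc=xucjcxnorefxucjcxnorefxucjcx1xucjcx0xucjcx0xucjcxxucjcx; path=/;'"
SAMPLE_LIST = ("'ucjc=xucjxnocookiexucjxnocookiexucjx1xucjx2xucjxnone"
               "xucjx|site-a.test|site-b.testxucjx; path=/;'")
SAMPLE_SEARCH = ("'ucjc=xucjxsearch.example.test"
                 "xucjxhttp://www.search.example.test/search?hl=en&client=firefox"
                 "&q=example+query&btnG=Search"
                 "xucjx1xucjx0xucjx0xucjxxucjx; path=/;'")


def parse_ucjc(set_cookie):
    """Split a ucjc Set-Cookie string into labelled fields plus its attributes."""
    first, *attrs = [p.strip() for p in set_cookie.strip().strip("'").split(";")]
    name, _, value = first.partition("=")
    if name != "ucjc":
        raise ValueError(f"not a ucjc cookie: {name!r}")
    parts = DELIM.split(value)
    if parts and parts[0] == "":
        parts = parts[1:]  # the value starts with a delimiter, so drop the empty lead
    fields = dict(zip(FIELD_NAMES, parts))
    # The domain list field is "|"-separated with a leading "|".
    fields["domains"] = [d for d in fields.get("domains", "").split("|") if d]
    fields["attributes"] = [a for a in attrs if a]
    return fields


def referrer_leak(fields):
    """What the referring-URL field gives away: every query parameter, decoded."""
    url = fields.get("referrer_url", "")
    if not url.startswith("http"):
        return {}  # "noref", "nocookie" and similar markers carry no URL
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    for sample in (SAMPLE_NOREF, SAMPLE_LIST, SAMPLE_SEARCH):
        fields = parse_ucjc(sample)
        print(fields["referrer_host"], "counter:", fields["counter"],
              "domains:", fields["domains"], "leak:", referrer_leak(fields))
```

Run as a script it prints one line per sample; for the search sample the leak dictionary carries hl, client, q and btnG, which is the “what they learned about me” list from the post, minus the IP address that every request already carries.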

Tag I’m it, wandering in a forest of honeypots with Federal bees swarming to sting.

Why use a Virtual Machine?

February 9, 2008

Well there is good news and bad news about simple Virtual Machines. At its simplest, a virtual machine is just a live Linux CD on an old computer without even a hard drive. The one I’m currently using has a motherboard with a fried BIOS and an embedded Trojan but Linux does not rely on the BIOS and Trojans rarely are cross platform.

With a live Linux CD, you don’t need a storage area and with a gig of RAM, you can quickly surf without worrying about porn loaders or malware of any sort. The nice thing is there is no permanent record in hidden index.dat files or in log files written in geek. Shut the machine down and everything you did is gone including all cache files of images, cookies and history. Since possession of weird shit is the major crime and the easiest to prove with the un-erasable hidden files on your hard drive, you avoid that trap. Unbelievably, your hard drive holds a near permanent record of your surfing history and a copy of every image you have ever seen whether on purpose or not.

So on one hand you get some element of protection but on the other hand there is still information being conveyed to anybody that wants to spy on you. First, at the local level we have the FBI’s ability to spy on every private citizen in America. The powers of Carnivore and Echelon to track all of your surfing activity whether wired or wireless are incredible. I wouldn’t bet that a keystroke logger won’t work on a virtual machine. After all, my virtual machine uses an older version of Firefox which accepts an update and installs it in RAM. Not much different than accepting a keystroke logger with “ET call home” capabilities which would report on all of your surfing habits, emails, and instant messages. Since wireless intercepts are up close and personal and Carnivore is nestled at your ISP level, I’m not even sure that a proxy will help to hide your surfing activity because the spying is already done by the time your request reaches a proxy. (A keystroke logger even defeats encrypted URLs.)

This is one of those classic Mexican stand-offs. You will be observed and unless you are actually making kiddie porn or building bombs, I doubt that anybody would really want to explore spy technology at a trial because the Government’s technical capabilities of information gathering is probably being illegally used. It’s far easier to trash your machine, get you to a repair shop, and let you self incriminate as the courts have ruled that you have no expectation of privacy when you take a machine in to get it repaired so any evidence on the machine can be used to set you up. This is the biggest advantage to virtual machines: they don’t go to repair shops.

While there is no evidence on your machine that you are engaging in dangerous activity, never assume there is no evidence at all.

I got a little bolder on my virtual machine and found out just how much information can be gathered from a virtual machine which allows cookies. (If you don’t allow cookies, you can’t explore many sites and as soon as you allow them there is information being transferred.)

Please check the comment section for an intelligent bit of information from linuxcrayon.

Beyond Google – Viral Traffic

February 6, 2008

If you’re discussing matters which are touchy to our government, you really have to expect their best effort at suppressing the information. It’s no secret that Google is cooperating with China in suppressing knowledge on a broad range of topics. It’s also obvious that as a socially responsible corporation, they probably hide or fail to list content on a broad range of topics. When they fail to list a site page, they sometimes let you know that the supporting documentation is at chillingeffects.org but only when the content is totally illegal.

For legal but sensitive material, they don’t really acknowledge content filtering but when caught, just release a statement about unintended errors which led to technical difficulties and an inability to find a specific YouTube movie etc. In our particular case, serious content filtering started at my Fatsavage blog with a condemnation of a known kiddie porn site, youngerbabes.com, which is still online. The technical proof of content filtering is offered on this blog.

Of course the immediate effect of content filtering is that your traffic gets slammed and you lose visitors, but there is an obvious solution, just keep on writing. My traffic at fatsavage has started rising again, and the site is ranked in the top million of 20 million sites monitored by quantcast.com. Yeah, I get more traffic if I avoid censored topics, but I’m not a singing caged bird.

Interestingly, my new exalted status is almost independent of Google referrals (Correlation Coefficient 33%) and much more dependent on loyal visitors.

This post is being published at both Fatsavage and Tigerstail Blogs, not because I’m lazy, but because I want the information to get out. If Google were bothering to feed my blog, this would almost certainly get this post de-listed for laziness or plagiarism. However, since they are no longer doing a great job for my traffic, it doesn’t matter which rules I break.

Content Filtering the Fatsavage.

January 28, 2008

Just because your site traffic drops, it does not mean that there is evidence of Content Filtering. In my last post, I described two blogs which are so dormant that there are no visitors and the information is so stale that there are few Google referrals. Still, this type of stagnant site does not happen overnight. It’s like turning an oven up or down. If you turn it up to speed cooking, it will take 15 minutes or so before you see the obvious effects and when you turn it off, the meal will keep on cooking as long as the temperature is above 140 Fahrenheit.

Following the procedure outlined in the last post, we can check for a stable relationship between site visitors due to Google referrals, regular visitors and how much of a viral effect there is. It’s pretty obvious where the break in the following data is, but even this part of the analysis does not prove that a sudden change occurs, it just proves there is a stable relationship.

Google referrals    Total visitors
141                 291
113                 231
123                 250
157                 340
102                 231
45                  115
33                  81
37                  103
37                  92

The relationship is as follows with an incredible correlation coefficient (R squared) of 99%.

visitors equals 1.93(Google Referrals) plus 23.4(Regulars)

At this point, we know we have a stable relationship between visitors and Google referrals and the drop is obvious, but is it significant enough to prove Google Content Filtering?

Well for the 21 days prior to the day with 340 visitors there had been a relatively constant rise starting from 112 visitors a day. The equation was:

Visitors equals 7(Day) plus 109(Regulars)

Now the correlation coefficient was somewhat low at only 67% but considering day to day variations in frequency of posting and the strength of the content, that is still a strong relationship. The weaker correlation led to a large standard error of the estimate of 32. Putting this in layman’s terms, on a day where you expected 200, 95% of the time it would be between 136 and 264, and 99% of the time it would be between 103 and 297.

This broad range seems like we are shooting at the broad side of a barn but after the 24th day when we would have expected 277 or above 180 at the 99% confidence level we only had 115 visitors and after that it got even worse.

It’s pretty obvious that there was a change and my most popular post at the time could no longer be found short of a direct entry of the title which was “Youngerbabes.com Hack This Site”. I can’t figure out why a rant about a known kiddie porn site which is still online should have been blocked unless it’s protected government property.

Google Content Filtering in America!

January 26, 2008

If content filtering exists in America, there ought to be a way to prove it one way or the other. Any experiment should be open to the public with all assumptions identified and the experiment should be reproducible and have a scientific evaluation criteria.

As a working assumption, there should be three elements to the number of site visitors when averaged over time. First, there should be some measure of regular visitors who would average out over time to some relatively constant value. Next there should be a feed from the search engines which is a factor of the public interest in your topic. Also, there could be a viral effect where visitors recommend you to others and therefore one site visit by Google referral or one regular visit may translate into any number of visits. (This is probably highest with jokes and politics and lowest with technical). However, if both groups (regulars and referrals from Google) recommend you to about the same number of people, this doesn’t alter the mathematical approach.

For the past three weeks, this site has varied around 41 to 87 visitors a day with an average around 60 a day but WordPress only holds the search engine data for a week. So I have the following Google Data and site visitors.

Google referrals    Visitors
44                  53
51                  67
44                  64
48                  62
50                  75
33                  48
40                  54

Now I ran the above data through an online Linear regression tool and came up with a very high correlation coefficient of 86% (R squared 75%). For a moment just think of a fat reduction pill where the weight you lost was 75% related to the pills you took and independent of all other variables like food and alcohol consumption and exercise or other variables.

The equation is visitors equals 1.3(Google Referrals) plus 4.1(regulars)

Obviously no viral effect and a small number of regular visitors, but if you need the technical information you come because of a Google search.

Now the data is drifting down because the site has not been very active for the month but the average for the data above is 60 with a two standard deviation range of 42 to 78. I would be hard pressed to make a case for effective Content Filtering based on this data set because there is no sharp break in the curve and the number of visitors for the past week is much the same as it’s been for the past three weeks.

Just for fun, I have two very dormant sites one in business (2.6 visitors a day) and the other in recreation (5.4 visitors a day). The equations and correlations are as follows:

visitors equals 1.4(Google Referrals) plus NO(regulars) correlation coefficient 95%
visitors equals 1.0(Google Referrals) plus 1.8(regulars) correlation coefficient 89%
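The “online linear regression tool” step in this post and in the Fatsavage analysis above is a plain least-squares fit, and it can be reproduced from the two tables the posts print. The script below is an added example (mine, not the author’s spreadsheet): it fits visitors against Google referrals for both data sets, reports the slope (the multiplier on referrals), the intercept (the “regulars” term), r² and the standard error of the estimate, and then applies the “sharp break” test the Fatsavage post describes. The daily data behind that post’s time model (7 per day plus 109, standard error 32) is not printed anywhere, so that model is entered from the post’s numbers rather than fitted, and the ±2 and ±3 standard-error bands are the rough 95%/99% ranges the post uses, ignoring the extra uncertainty of the fitted line itself.

```python
import math

# Data copied from the Fatsavage table (Google referrals, total visitors).
FATSAVAGE = [(141, 291), (113, 231), (123, 250), (157, 340), (102, 231),
             (45, 115), (33, 81), (37, 103), (37, 92)]
# Data copied from the Tigerstail table (Google referrals, visitors).
TIGERSTAIL = [(44, 53), (51, 67), (44, 64), (48, 62), (50, 75), (33, 48), (40, 54)]
# Time model quoted in the post (visitors = 7*day + 109, standard error 32);
# its underlying daily data is not on the page, so these are taken as given.
TIME_MODEL = {"slope": 7, "intercept": 109, "se": 32}


def fit(points):
    """Ordinary least squares y = slope*x + intercept, with r^2 and the
    standard error of the estimate (residual SD with n-2 degrees of freedom)."""
    n = len(points)
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    sxx = sum((x - mx) ** 2 for x, _ in points)
    sxy = sum((x - mx) * (y - my) for x, y in points)
    syy = sum((y - my) ** 2 for _, y in points)
    slope = sxy / sxx
    intercept = my - slope * mx
    r2 = sxy * sxy / (sxx * syy)
    ss_res = sum((y - (slope * x + intercept)) ** 2 for x, y in points)
    se = math.sqrt(ss_res / (n - 2))
    return {"slope": slope, "intercept": intercept, "r2": r2, "se": se}


def prediction_band(model, x, k):
    """(lower, expected, upper) at x using k standard errors around the line:
    k=2 is the post's 95% band, k=3 its 99% band."""
    center = model["slope"] * x + model["intercept"]
    return center - k * model["se"], center, center + k * model["se"]


def flag_drop(model, observed, k=3):
    """Observations that fall below the lower k-SE bound: the 'sharp break' the post
    treats as the signature of a sudden traffic cut, as opposed to slow decay."""
    return [(x, y) for x, y in observed if y < prediction_band(model, x, k)[0]]


if __name__ == "__main__":
    for name, data in (("Fatsavage", FATSAVAGE), ("Tigerstail", TIGERSTAIL)):
        m = fit(data)
        print(f"{name}: visitors = {m['slope']:.2f}*referrals + {m['intercept']:.1f}"
              f"  r^2={m['r2']:.2f}  SE={m['se']:.1f}")
    low, expected, high = prediction_band(TIME_MODEL, 24, 3)
    print(f"day 24: expected {expected}, 99% band {low}..{high}")
    print("below band:", flag_drop(TIME_MODEL, [(24, 115)]))
```

To two decimals the fit reproduces the coefficients quoted in both posts (1.93 and 23.4 for Fatsavage, 1.3 and 4.1 here; r² comes out at 0.74 for the seven-day set), and day 24 of the time model gives the 277 expected and 181 lower bound against the 115 observed that the Fatsavage post reasons from.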

Once again there is no sign of content filtering as the sites just suffer from a lack of interest, both mine in writing on the topic and visitors needing information on the topic.

Content filtering is an on-off switch which is turned on when the content gets out of hand so there should be signs of a dramatic drop in traffic.

At Fatsavage.wordpress.com I have seen three cases of dramatic content filtering over the past 6 months with two in the past month. Start reading at the home page and work backwards to December 18, 2007. In that short month (about 12 posts), I managed to piss off the Feds twice and have been slammed by provable content filtering. Now, I was attempting to be offensive with all of it, but I failed 10 times as only two posts were serious enough to get blocked.

Can you figure out which two?

Kolmic.com, The Family Tree

January 12, 2008

For most people finding evil sites is tough and even after you get a browser hijack or a URL redirect from your Browser, you’re never quite sure what site infected you. Now my perspective is somewhat different, I have my list of known kiddie porn sites which exist by consent of the government and also associated law enforcement honeypots. I periodically go to these sites and check the source code to find out who the face page is linking to. It seems that all the control is usually from one master computer with face URLs gathering their feeds and images from that master. When one feed site gets so famous that it is blocked by crapware protection, they switch to the next site. Right now everyone concerned with cnomy.com or Kolmic.com for crapware should also start blocking malkm.com at the firewall level.

Finding these associations is fairly easy once you know the starting point.

If you’re a sex-starved teenager you might dream of multiple partners at:

Orgy.com where the source code shows the javascript and pictures come from Kolmic.com

Hell, you might even dream of multiple orgies at:

Orgies.com where the source code shows the javascript and pictures come from Kolmic.com

If you’re too young to dream of orgies, you may just want to see naked people at:

naked.com where the source code shows the javascript and pictures come from naked.com and a pop-up comes from kolmic.com

Now these are all tame sites so you might want something more raunchy at:

raunchy.com which redirects to freetube.com with a pop-up from Kolmic.com

Now at one point, the source code for kolmic.com showed scripts and pics from cnomy.com so it’s not surprising that:

femalesex.com also redirects to freetube.com with a cloned pop-up of kolmic from cnomy.com

If you can’t spell, orgie.com used to redirect to raunchy.com but now:

orgie.com redirects to freetube.com

Siteadvisor.com confirms the link between orgie.com and raunchy.com

So what is the future bad boy on the block to serve our nation at war? My money is on malkm.com based on information obtained from Lolitacj.com which was one of two sites that sent Charles Stephano to jail. When you check siteadvisor.com for lolitacj.com it says it links to kolmic.com yet when you go to:

lolitacj.com, the source code is from malkm.com while the cloned pop-up of kolmic shows cnomy.com source code.

A quick check of malkm.com shows it is connected to erotika.ru and the list of entrapment sites continues to grow.
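The “check the source code to find out who the face page is linking to” step in this post is done by hand on each page; the same tree can be drawn by a script that reads a face page and lists every outside site it pulls scripts, images, frames or stylesheets from, plus any meta-refresh redirect target. The example below is added here (mine, not the author’s method or anyone’s tool) and runs against a constructed page with placeholder hosts, so it touches no network; the face site, feed master and pop-up host in the sample are invented stand-ins for the roles the post describes. Hostnames are collapsed to their last two labels so www.x and img.x count as one site, which is a simplification that ignores public-suffix rules like co.uk. The same report, run from a firewall or proxy log perspective, is the list of domains a site operator would block at the firewall level as the post suggests.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page with placeholder hosts (.test is reserved for examples).
SAMPLE_URL = "http://face-site.test/index.html"
SAMPLE_HTML = """
<html><head>
<meta http-equiv="refresh" content="5;url=http://tube-site.test/">
<script src="http://feed-master.test/js/loader.js"></script>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<img src="//img.feed-master.test/banner.jpg">
<iframe src="http://popup-host.test/pop.html"></iframe>
<img src="http://www.face-site.test/logo.png">
</body></html>
"""


def site_of(host):
    """Collapse a hostname to its last two labels (ASSUMPTION: no public-suffix handling)."""
    return ".".join(host.lower().split(".")[-2:])


class ResourceCollector(HTMLParser):
    """Record where a page loads scripts, images, frames, embeds and stylesheets
    from, and where a meta-refresh would send the visitor."""
    TAG_ATTRS = {"script": "src", "img": "src", "iframe": "src", "frame": "src",
                 "embed": "src", "object": "data", "link": "href"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []  # (kind, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "meta":
            # <meta http-equiv="refresh" content="0;url=..."> is a redirect.
            if (attrs.get("http-equiv", "").lower() == "refresh"
                    and "url=" in attrs.get("content", "").lower()):
                target = attrs["content"].split("=", 1)[1].strip()
                self.refs.append(("meta-refresh", urljoin(self.page_url, target)))
            return
        attr = self.TAG_ATTRS.get(tag)
        if attr and attrs.get(attr):
            # urljoin resolves relative paths and scheme-relative "//host/..." URLs.
            self.refs.append((tag, urljoin(self.page_url, attrs[attr])))


def third_party_sites(page_url, html):
    """Map each outside site the page depends on to the kinds of resource it supplies."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    own = site_of(urlsplit(page_url).hostname or "")
    report = {}
    for kind, url in collector.refs:
        host = urlsplit(url).hostname
        if not host or site_of(host) == own:
            continue  # same-site resources are not part of the tree
        report.setdefault(site_of(host), set()).add(kind)
    return {site: sorted(kinds) for site, kinds in sorted(report.items())}


if __name__ == "__main__":
    for site, kinds in third_party_sites(SAMPLE_URL, SAMPLE_HTML).items():
        print(f"{site:20} {', '.join(kinds)}")
```

On the sample page the report names the feed master (script and image), the pop-up host (iframe) and the redirect target (meta-refresh), and drops the page’s own stylesheet and logo. Scripts that inject further resources at run time are not visible this way, so for a real page the static list is a lower bound; the netstat comparison from the earlier post is the complementary view.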

There are many branches of this tree with crooked roots.


Even Will Smith should be able to decide that kolmic.com was designed by evil people.

Born to Be Bad – Will Smith, Kolmic and Hitler.

January 7, 2008

Will Smith started quite a controversy when he said that he believed that all people are intrinsically good and because he used Hitler as an example the argument degenerated without thought. Well Mr. Smith, I beg to differ and I use as my argument the Internet which I doubt that you know too much about.

Internet usage seems to be dominated by the concept that people do bad just because they can and only do good when they want to. Christ, I might say that that concept even includes Government sites which have a tendency to politicize every fact for political correctness or to dissociate blame. I mean who can possibly believe the psycho who designed the online war game for young people using actual Army equipment interfaces to recruit people. No one could believe this site was designed to do intrinsic good for the nation unless you believe that the use of Gaming addicts as soldiers is the highest and best use of these compulsive children. On the civilian side, what psycho would want to take down Norad for bragging rights or open the secrets of NSA to the world just to prove it can be done?

The internet is full of very twisted people. I casually included Kolmic.com on a list of sites that couldn’t be explored using Google Hacking techniques and immediately people started flocking to my sites with Kolmic as the search term. Seems I stumbled on Kolmic in my research on American Kiddie Porn and I do mean I was lucky to make the connection to Government supported kiddie porn sites.

On the surface, they are a dramatic success story. They are touted at killerstartups.com as a new search engine. Quantcast.com ranks the site as being 314 in the world while alexa.com ranks them at 1917. IPwalk.com shows them hosting 11,650 domains. Their daily traffic is over 150,000 people per day.

These are incredible numbers considering the site was only organized about 8 months ago and the ownership of this fantastically successful organization is secret with a stealth registration. The IP information suggests Boston but a more realistic guess would put them in Houston working with Everyones Internet.

So what’s bad about a fantastic success in only six months, other than the direct connection to domestic kiddie porn and law enforcement honeypots? It seems that this brand new site is already attracting complaints about URL redirection, start page hijacking and other techniques common to the porn industry and image loading to unsuspecting surfers. One very complete analysis can be found in the comment section of McAfee Site Advisor by phantazm.

Obviously Kolmic.com was a site born to be bad by people with very evil intentions who hide anonymously in cyberspace because of the cowards they are.

Too bad Mr. Smith, there really are some fucking evil people in this world.