Tag Archives: Other

Library of Congress Might Become a Piracy Hub, RIAA Warns

Post Syndicated from Ernesto original https://torrentfreak.com/library-congress-might-become-piracy-hub-riaa-warns-160827/

cassetteWith an impressive collection of more than 160 million items, the Library of Congress is the second largest library in the world.

The Library also serves as a legal repository for the copyright office. By law, everyone who publishes a copyrighted work in the U.S. is required to deposit two copies at the library.

This also applies to music and videos but up until now, content produced in an online-only format has been exempted from this mandatory deposit requirement.

However, now that digital is becoming the standard for more copyrighted works, the Copyright Office is considering a change. As a result, music publishers will be required to submit all digital works to the Library of Congress.

These files will then become freely accessible to the public through a secured system.

“Under any rule requiring mandatory deposit of online-only sound recordings, the Library would provide public access to such recordings,” the Copyright Office writes in its proposal.

“The Library currently has a system by which authorized users can access and listen to digitized copies of physical sound recordings collected through other means at the Madison Building of the Library of Congress.”

This proposal has been met with scrutiny by the music industry group RIAA, which states that it has “serious concerns.”

According to the RIAA, there is a risk that content hosted by the Library may be exploited by pirates, who could copy the music and share it on various pirate sites. This could then crush the major record labels’ revenues.

“It is well-established that the recorded music industry has been inundated with digital piracy,” the RIAA writes.

“If sound recordings available through the Library – whether on-premises or online – were managed in a way that patrons could use those recordings for uploading to pirate web sites and unlicensed streaming services or if the Library’s collection of sound recordings were made electronically available to the public at large, that could have a devastating impact on our member companies’ revenues.”

The RIAA further states that the current proposal lacks information on what security measures would apply to the storage of and access to sound recordings.

In addition to a general concern that the public could copy sound recordings in the library, the RIAA notes that there’s also a risk that the entire Library of Congress database could be hacked if people are allowed to access it over the Internet.

Should this happen, millions of digital sound recordings may leak to the public.

“In an age where servers are hacked on a regular basis, no electronic server is secure. Government servers are no different,” the RIAA writes.

“Given the inherent vulnerability of servers believed to be secure, we question the need for anyone to have remote access to a server that stores commercially valuable digital sound recordings.”

Since people have so many options to enjoy digital music nowadays, the RIAA sees no reason for the Library of Congress to allow electronic copying or distribution of the sound recordings of its members.

If the Copyright Office goes ahead, the RIAA urges it to consult the record labels to make sure that state of the art technological protection measures are deployed to secure their work.

RIAA’s full comments are available here (pdf).

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

WebTorrent: 250K Downloads & Strong With Zero Revenue

Post Syndicated from Andy original https://torrentfreak.com/webtorrent-250k-downloads-strong-with-zero-revenue-160827/

Stanford University graduate Feross Aboukhadijeh is passionate about P2P technology. The founder of
P2P-assisted content delivery network PeerCDN (sold to Yahoo in 2013), Feross is also the inventor of WebTorrent.

In its classic form, WebTorrent is a BitTorrent client for the web. No external clients are needed for people to share files since everything is done in the user’s web browser with Javascript. No browser plugins or extensions need to be installed, nothing needs to be configured.

In the beginning, some doubted that it could ever work, but Feross never gave up on his dream.

“People thought WebTorrent was crazy. One of the Firefox developers literally said it wouldn’t be possible. I was like, ‘challenge accepted’,” Feross told TF this week.

WebTorrent

webt

A few months after WebTorrent’s debut, Feross announced the arrival of WebTorrent Desktop (WD), a standalone torrent client with a few tricks up its sleeve.

After posting a torrent or magnet link into its somewhat unusual client interface, content can be played almost immediately via an inbuilt player. And with AirPlay, Chromecast and DLNA support, WD is at home at the heart of any multi-display household.

webdesk-main

But WebTorrent Desktop’s most interesting feature is its ability to find peers not only via trackers, DHT and PEX, but also using the WebTorrent protocol. This means that WD can share content with people using the web-based version of WebTorrent too.

WebTorrent Desk

Since our April report, WebTorrent has been under constant development. It is now more responsive and uses fewer resources, casting has been improved, and subtitles are auto-detected, to name just a few improvements. As a result, the client has been growing its userbase too.

“The WebTorrent project is going full steam ahead and there has been lots of progress in the past few months,” Feross informs TF.

“We just passed a quarter million total downloads of the app – 254,431 downloads as of right now.”

For a young and totally non-commercial project, that’s an impressive number, but the accolades don’t stop there. The project currently has more than 2,083 stars on Github and it recently added its 26th new contributor.

In all, WebTorrent has nine people working on the core team, but since the client is open source and totally non-commercial, no one is earning anything from the project. According to Feross, this only makes WebTorrent stronger.

“People usually think that having revenue, investors, and employees gives you an advantage over your competition. That’s definitely true for certain things: you can hire designers, programmers, marketing experts, product managers, etc. to build out the product, add lots of features,” the developer says.

“But you have to pay your employees and investors, and these pressures usually cause companies to resort to adding advertising (or worse) to their products. When you have no desire to make a profit, you can act purely in the interests of the people using your product. In short, you can build a better product.”

So if not money, what drives people like Feross and his team to give up their time to create something and give it away?

“The real reason I care so much about WebTorrent is that I want decentralized apps to win. Right now, it’s so much easier to build a centralized app: it’s faster to build, uses tried-and-true technology, and it’s easier to monetize because the app creator has all the control. They can use that control to show you ads, sell your data, or make unilateral product changes for their own benefit,” he says.

“On the other hand, decentralized apps are censorship resistant, put users in control of their data, and are safe against user-hostile changes.

“That last point is really important. It’s because of the foresight of Bram Cohen that WebTorrent is even possible today: the BitTorrent protocol is an open standard. If you don’t like your current torrent app, you can easily switch! No one person or company has total control.”

WebTorrent Desktop developer DC Posch says that several things motivate him to work on the project, particularly when there’s no one to order him around.

“There’s satisfaction in craftsmanship, shipping something that feels really solid. Second, it’s awesome having 250,000 users and no boss,” he says.

“Third, it’s something that I want to exist. There are places like the Internet Archive that have lots of great material and no money for bandwidth. BitTorrent is a technologically elegant way to do zero cost distribution. Finally, I want to prove that non-commercial can be a competitive advantage. Freed from the need to monetize or produce a return, you can produce a superior product.”

To close, last year TF reported that WebTorrent had caught the eye of Netflix. Feross says that was a great moment for the project.

“It was pretty cool to show off WebTorrent at Netflix HQ. They were really interested in the possibility of WebTorrent to help during peak hours when everyone is watching Netflix and the uplink to ISPs like Comcast gets completely saturated. WebTorrent could help by letting Comcast subscribers share data amongst themselves without needing to traverse the congested Comcast-Netflix internet exchange,” he explains.

For now, WebTorrent is still a relative minnow when compared to giants such as uTorrent but there are an awful lot of people out there who share the ethos of Feross and his team. Only time will tell whether this non-commercial project will fulfill its dreams, but those involved will certainly have fun trying.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Notes on that StJude/MuddyWatters/MedSec thing

Post Syndicated from Robert Graham original http://blog.erratasec.com/2016/08/notes-on-that-stjudemuddywattersmedsec.html

I thought I’d write up some notes on the StJude/MedSec/MuddyWaters affair. Some references: [1] [2] [3] [4].

The story so far

tl;dr: hackers drop 0day on medical device company hoping to profit by shorting their stock

St Jude Medical (STJ) is one of the largest providers of pacemakers (aka. cardiac devices) in the country, around ~$2.5 billion in revenue, which accounts for about half their business. They provide “smart” pacemakers with an on-board computer that talks via radio-waves to a nearby monitor that records the functioning of the device (and health data). That monitor, “Merlin@Home“, then talks back up to St Jude (via phone lines, 3G cell phone, or wifi). Pretty much all pacemakers work that way (my father’s does, although his is from a different vendor).

MedSec is a bunch of cybersecurity researchers (white-hat hackers) who have been investigating medical devices. In theory, their primary business is to sell their services to medical device companies, to help companies secure their devices. Their CEO is Justine Bone, a long-time white-hat hacker. Despite Muddy Waters garbling the research, there’s no reason to doubt that there’s quality research underlying all this.

Muddy Waters is an investment company known for investigating companies, finding problems like accounting fraud, and profiting by shorting the stock of misbehaving companies.

Apparently, MedSec did a survey of many pacemaker manufacturers, chose the one with the most cybersecurity problems, and went to Muddy Waters with their findings, asking for a share of the profits Muddy Waters got from shorting the stock.

Muddy Waters published their findings in [1] above. St Jude published their response in [2] above. They are both highly dishonest. I point that out because people want to discuss the ethics of using 0day to short stock when we should talk about the ethics of lying.

“Why you should sell the stock” [finance issues]

In this section, I try to briefly summarize Muddy Water’s argument why St Jude’s stock will drop. I’m not an expert in this area (though I do a bunch of investment), but they do seem flimsy to me.
Muddy Water’s argument is that these pacemakers are half of St Jude’s business, and that fixing them will first require recalling them all, then take another 2 year to fix, during which time they can’t be selling pacemakers. Much of the Muddy Waters paper is taken up explaining this, citing similar medical cases, and so on.
If at all true, and if the cybersecurity claims hold up, then yes, this would be good reason to short the stock. However, I suspect they aren’t true — and they are simply trying to scare people about long-term consequences allowing Muddy Waters to profit in the short term.
@selenakyle on Twitter suggests this interest document [4] about market-solutions to vuln-disclosure, if you are interested in this angle of things.
Update from @lippard: Abbot Labs agreed in April to buy St Jude at $85 a share (when St Jude’s stock was $60/share). Presumable, for this Muddy Waters attack on St Jude’s stock price to profit from anything more than a really short term stock drop (like dumping their short position today), Muddy Waters would have believe this effort will cause Abbot Labs to walk away from the deal. Normally, there are penalties for doing so, but material things like massive vulnerabilities in a product should allow Abbot Labs to walk away without penalties.

The 0day being dropped

Well, they didn’t actually drop 0day as such, just claims that 0day exists — that it’s been “demonstrated”. Reading through their document a few times, I’ve created a list of the 0day they found, to the granularity that one would expect from CVE numbers (CVE is group within the Department of Homeland security that assigns standard reference numbers to discovered vulnerabilities).

The first two, which can kill somebody, are the salient ones. The others are more normal cybersecurity issues, and may be of concern because they can leak HIPAA-protected info.

CVE-2016-xxxx: Pacemaker can be crashed, leading to death
Within a reasonable distance (under 50 feet) over several hours, pounding the pacemaker with malformed packets (either from an SDR or a hacked version of the Merlin@Home monitor), the pacemaker can crash. Sometimes such crashes will brick the device, other times put it into a state that may kill the patient by zapping the heart too quickly.

CVE-2016-xxxx: Pacemaker power can be drained, leading to death
Within a reasonable distance (under 50 feet) over several days, the pacemaker’s power can slowly be drained at the rate of 3% per hour. While the user will receive a warning from their Merlin@Home monitoring device that the battery is getting low, it’s possible the battery may be fully depleted before they can get to a doctor for a replacement. A non-functioning pacemaker may lead to death.

CVE-2016-xxxx: Pacemaker uses unauthenticated/unencrypted RF protocol
The above two items are possible because there is no encryption nor authentication in the wireless protocol, allowing any evildoer access to the pacemaker device or the monitoring device.

CVE-2016-xxxx: Merlin@Home contained hard-coded credentials and SSH keys
The password to connect to the St Jude network is the same for all device, and thus easily reverse engineered.

CVE-2016-xxxx: local proximity wand not required
It’s unclear in the report, but it seems that most other products require a wand in local promixity (inches) in order to enable communication with the pacemaker. This seems like a requirement — otherwise, even with authentication, remote RF would be able to drain the device in the person’s chest.

So these are, as far as I can tell, the explicit bugs they outline. Unfortunately, none are described in detail. I don’t see enough detail for any of these to actually be assigned a CVE number. I’m being generous here, trying to describe them as such, giving them the benefit of the doubt, there’s enough weasel language in there that makes me doubt all of them. Though, if the first two prove not to be reproducible, then there will be a great defamation case, so I presume those two are true.

The movie/TV plot scenarios

So if you wanted to use this as a realistic TV/movie plot, here are two of them.
#1 You (the executive of the acquiring company) are meeting with the CEO and executives of a smaller company you want to buy. It’s a family concern, and the CEO really doesn’t want to sell. But you know his/her children want to sell. Therefore, during the meeting, you pull out your notebook and an SDR device and put it on the conference room table. You start running the exploit to crash that CEO’s pacemaker. It crashes, the CEO grabs his/her chest, who gets carted off the hospital. The children continue negotiations, selling off their company.
#2 You are a hacker in Russia going after a target. After many phishing attempts, you finally break into the home desktop computer. From that computer, you branch out and connect to the Merlin@Home devices through the hard-coded password. You then run an exploit from the device, using that device’s own radio, to slowly drain the battery from the pacemaker, day after day, while the target sleeps. You patch the software so it no longer warns the user that the battery is getting low. The battery dies, and a few days later while the victim is digging a ditch, s/he falls over dead from heart failure.

The Muddy Water’s document is crap

There are many ethical issues, but the first should be dishonesty and spin of the Muddy Waters research report.

The report is clearly designed to scare other investors to drop St Jude stock price in the short term so that Muddy Waters can profit. It’s not designed to withstand long term scrutiny. It’s full of misleading details and outright lies.

For example, it keeps stressing how shockingly bad the security vulnerabilities are, such as saying:

We find STJ Cardiac Devices’ vulnerabilities orders of magnitude more worrying than the medical device hacks that have been publicly discussed in the past. 

This is factually untrue. St Jude problems are no worse than the 2013 issue where doctors disable the RF capabilities of Dick Cheney’s pacemaker in response to disclosures. They are no worse than that insulin pump hack. Bad cybersecurity is the norm for medical devices. St Jude may be among the worst, but not by an order-of-magnitude.

The term “orders of magnitude” is math, by the way, and means “at least 100 times worse”. As an expert, I claim these problems are not even one order of magnitude (10 times worse). I challenge MedSec’s experts to stand behind the claim that these vulnerabilities are at least 100 times worse than other public medical device hacks.

In many places, the language is wishy-washy. Consider this quote:

Despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house key exploits that help to enable these attacks

The semantic content of this is nil. It says they weren’t able to replicate the attacks themselves. They don’t have sufficient background in cybersecurity to understand what they replicated.

Such language is pervasive throughout the document, things that aren’t technically lies, but which aren’t true, either.

Also pervasive throughout the document, repeatedly interjected for no reason in the middle of text, are statements like this, repeatedly stressing why you should sell the stock:

Regardless, we have little doubt that STJ is about to enter a period of protracted litigation over these products. Should these trials reach verdicts, we expect the courts will hold that STJ has been grossly negligent in its product design. (We estimate awards could total $6.4 billion.15)

I point this out because Muddy Waters obviously doesn’t feel the content of the document stands on its own, so that you can make this conclusion yourself. It instead feels the need to repeat this message over and over on every page.

Muddy Waters violation of Kerckhoff’s Principle

One of the most important principles of cyber security is Kerckhoff’s Principle, that more openness is better. Or, phrased another way, that trying to achieve security through obscurity is bad.

The Muddy Water’s document attempts to violate this principle. Besides the the individual vulnerabilities, it makes the claim that St Jude cybersecurity is inherently bad because it’s open. it uses off-the-shelf chips, standard software (line Linux), and standard protocols. St Jude does nothing to hide or obfuscate these things.

Everyone in cybersecurity would agree this is good. Muddy Waters claims this is bad.

For example, some of their quotes:

One competitor went as far as developing a highly proprietary embedded OS, which is quite costly and rarely seen

In contrast, the other manufacturers have proprietary RF chips developed specifically for their protocols

Again, as the cybersecurity experts in this case, I challenge MedSec to publicly defend Muddy Waters in these claims.

Medical device manufacturers should do the opposite of what Muddy Waters claims. I’ll explain why.

Either your system is secure or it isn’t. If it’s secure, then making the details public won’t hurt you. If it’s insecure, then making the details obscure won’t help you: hackers are far more adept at reverse engineering than you can possibly understand. Making things obscure, though, does stop helpful hackers (i.e. cybersecurity consultants you hire) from making your system secure, since it’s hard figuring out the details.

Said another way: your adversaries (such as me) hate seeing open systems that are obviously secure. We love seeing obscure systems, because we know you couldn’t possibly have validated their security.

The point is this: Muddy Waters is trying to profit from the public’s misconception about cybersecurity, namely that obscurity is good. The actual principle is that obscurity is bad.

St Jude’s response was no better

In response to the Muddy Water’s document, St Jude published this document [2]. It’s equally full of lies — the sort that may deserve a share holder lawsuit. (I see lawsuits galore over this). It says the following:

We have examined the allegations made by Capital and MedSec on August 25, 2016 regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading.

If that’s true, if they can prove this in court, then that will mean they could win millions in a defamation lawsuit against Muddy Waters, and millions more for stock manipulation.

But it’s almost certainly not true. Without authentication/encryption, then the fact that hackers can crash/drain a pacemaker is pretty obvious, especially since (as claimed by Muddy Waters), they’ve successfully done it. Specifically, the picture on page 17 of the 34 page Muddy Waters document is a smoking gun of a pacemaker misbehaving.

The rest of their document contains weasel-word denials that may be technically true, but which have no meaning.

St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions. 

Our software has been evaluated and assessed by several independent organizations and researchers including Deloitte and Optiv.

In 2015, we successfully completed an upgrade to the ISO 27001:2013 certification.

These are all myths of the cybersecurity industry. Conformance with security standards, such as ISO 27001:2013, has absolutely zero bearing on whether you are secure. Having some consultants/white-hat claim your product is secure doesn’t mean other white-hat hackers won’t find an insecurity.

Indeed, having been assessed by Deloitte is a good indicator that something is wrong. It’s not that they are incompetent (they’ve got some smart people working for them), but ultimately the way the security market works is that you demand of such auditors that the find reasons to believe your product is secure, not that they keep hunting until something is found that is insecure. It’s why outsiders, like MedSec, are better, because they strive to find why your product is insecure. The bigger the enemy, the more resources they’ll put into finding a problem.

It’s like after you get a hair cut, your enemies and your friends will have different opinions on your new look. Enemies are more honest.

The most obvious lie from the St Jude response is the following:

The report claimed that the battery could be depleted at a 50-foot range. This is not possible since once the device is implanted into a patient, wireless communication has an approximate 7-foot range. This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report.

That’s not how wireless works. With directional antennas and amplifiers, 7-feet easily becomes 50-feet or more. Even without that, something designed for reliable operation at 7-feet often works less reliably at 50-feet. There’s no cutoff at 7-feet within which it will work, outside of which it won’t.

That St Jude deliberately lies here brings into question their entire rebuttal. (see what I did there?)

ETHICS EHTICS ETHICS

First let’s discuss the ethics of lying, using weasel words, and being deliberately misleading. Both St Jude and Muddy Waters do this, and it’s ethically wrong. I point this out to uninterested readers who want to get at that other ethical issue. Clear violations of ethics we all agree interest nobody — but they ought to. We should be lambasting Muddy Waters for their clear ethical violations, not the unclear one.

So let’s get to the ethical issue everyone wants to discuss:

Is it ethical to profit from shorting stock while dropping 0day.

Let’s discuss some of the issues.

There’s no insider trading. Some people wonder if there are insider trading issues. There aren’t. While it’s true that Muddy Waters knew some secrets that nobody else knew, as long as they weren’t insider secrets, it’s not insider trading. In other words, only insiders know about a key customer contract won or lost recently. But, vulnerabilities researched by outsiders is still outside the company.

Watching a CEO walk into the building of a competitor is still outsider knowledge — you can trade on the likely merger, even though insider employees cannot.

Dropping 0day might kill/harm people. That may be true, but that’s never an ethical reason to not drop it. That’s because it’s not this one event in isolation. If companies knew ethical researchers would never drop an 0day, then they’d never patch it. It’s like the government’s warrantless surveillance of American citizens: the courts won’t let us challenge it, because we can’t prove it exists, and we can’t prove it exists, because the courts allow it to be kept secret, because revealing the surveillance would harm national intelligence. That harm may happen shouldn’t stop the right thing from happening.

In other words, in the long run, dropping this 0day doesn’t necessarily harm people — and thus profiting on it is not an ethical issue. We need incentives to find vulns. This moves the debate from an ethical one to more of a factual debate about the long-term/short-term risk from vuln disclosure.

As MedSec points out, St Jude has already proven itself an untrustworthy consumer of vulnerability disclosures. When that happens, the dropping 0day is ethically permissible for “responsible disclosure”. Indeed, that St Jude then lied about it in their response ex post facto justifies the dropping of the 0day.

No 0day was actually dropped here. In this case, what was dropped was claims of 0day. This may be good or bad, depending on your arguments. It’s good that the vendor will have some extra time to fix the problems before hackers can start exploiting them. It’s bad because we can’t properly evaluate the true impact of the 0day unless we get more detail — allowing Muddy Waters to exaggerate and mislead people in order to move the stock more than is warranted.

In other words, the lack of actual 0day here is the problem — actual 0day would’ve been better.

This 0day is not necessarily harmful. Okay, it is harmful, but it requires close proximity. It’s not as if the hacker can reach out from across the world and kill everyone (barring my movie-plot section above). If you are within 50 feet of somebody, it’s easier shooting, stabbing, or poisoning them.

Shorting on bad news is common. Before we address the issue whether this is unethical for cybersecurity researchers, we should first address the ethics for anybody doing this. Muddy Waters already does this by investigating companies for fraudulent accounting practice, then shorting the stock while revealing the fraud.

Yes, it’s bad that Muddy Waters profits on the misfortunes of others, but it’s others who are doing fraud — who deserve it. [Snide capitalism trigger warning] To claim this is unethical means you are a typical socialist who believe the State should defend companies, even those who do illegal thing, in order to stop illegitimate/windfall profits. Supporting the ethics of this means you are a capitalist, who believe companies should succeed or fail on their own merits — which means bad companies need to fail, and investors in those companies should lose money.

Yes, this is bad for cybersec research. There is constant tension between cybersecurity researchers doing “responsible” (sic) research and companies lobbying congress to pass laws against it. We see this recently how Detroit lobbied for DMCA (copyright) rules to bar security research, and how the DMCA regulators gave us an exemption. MedSec’s action means now all medical devices manufacturers will now lobby congress for rules to stop MedSec — and the rest of us security researchers. The lack of public research means medical devices will continue to be flawed, which is worse for everyone.

Personally, I don’t care about this argument. How others might respond badly to my actions is not an ethical constraint on my actions. It’s like speech: that others may be triggered into lobbying for anti-speech laws is still not constraint on what ethics allow me to say.

There were no lies or betrayal in the research. For me, “ethics” is usually a problem of lying, cheating, theft, and betrayal. As long as these things don’t happen, then it’s ethically okay. If MedSec had been hired by St Jude, had promised to keep things private, and then later disclosed them, then we’d have an ethical problem. Or consider this: frequently clients ask me to lie or omit things in pentest reports. It’s an ethical quagmire. The quick answer, by the way, is “can you make that request in writing?”. The long answer is “no”. It’s ethically permissible to omit minor things or do minor rewording, but not when it impinges on my credibility.

A life is worth about $10-million. Most people agree that “you can’t put value on a human life”, and that those who do are evil. The opposite is true. Should we spend more on airplane safety, breast cancer research, or the military budget to fight ISIS. Each can be measured in the number of lives saved. Should we spend more on breast cancer research, which affects people in their 30s, or solving heart disease, which affects people’s in their 70s? All these decisions means putting value on human life, and sometimes putting different value on human life. Whether you think it’s ethical, it’s the way the world works.

Thus, we can measure this disclosure of 0day in terms of potential value of life lost, vs. potential value of life saved.

Is this market manipulation? This is more of a legal question than an ethical one, but people are discussing it. If the data is true, then it’s not “manipulation” — only if it’s false. As documented in this post, there’s good reason to doubt the complete truth of what Muddy Waters claims. I suspect it’ll cost Muddy Waters more in legal fees in the long run than they could possibly hope to gain in the short run. I recommend investment companies stick to areas of their own expertise (accounting fraud) instead of branching out into things like cyber where they really don’t grasp things.

This is again bad for security research. Frankly, we aren’t a trusted community, because we claim the “sky is falling” too often, and are proven wrong. As this is proven to be market manipulation, as the stock recovers back to its former level, and the scary stories of mass product recalls fail to emerge, we’ll be blamed yet again for being wrong. That hurts are credibility.

On the other the other hand, if any of the scary things Muddy Waters claims actually come to pass, then maybe people will start heading our warnings.

Ethics conclusion: I’m a die-hard troll, so therefore I’m going to vigorously defend the idea of shorting stock while dropping 0day. (Most of you appear to think it’s unethical — I therefore must disagree with you).  But I’m also a capitalist. This case creates an incentive to drop harmful 0days — but it creates an even greater incentive for device manufacturers not to have 0days to begin with. Thus, despite being a dishonest troll, I do sincerely support the ethics of this.

Conclusion

The two 0days are about crashing the device (killing the patient sooner) or draining the battery (killin them later). Both attacks require hours (if not days) in close proximity to the target. If you can get into the local network (such as through phishing), you might be able to hack the Merlin@Home monitor, which is in close proximity to the target for hours every night.

Muddy Waters thinks the security problems are severe enough that it’ll destroy St Jude’s $2.5 billion pacemaker business. The argument is flimsy. St Jude’s retort is equally flimsy.

My prediction: a year from now we’ll see little change in St Jude’s pacemaker business earners, while there may be some one time costs cleaning some stuff up. This will stop the shenanigans of future 0day+shorting, even when it’s valid, because nobody will believe researchers.

Nextcloud 10 released

Post Syndicated from ris original http://lwn.net/Articles/698344/rss

Nextcloud 10 has been released
with new features for system administrators to control and direct the flow
of data between users on a Nextcloud server. “Rule based file tagging and responding to these tags as well as other triggers like physical location, user group, file properties and request type enables administrators to specifically deny access to, convert, delete or retain data following business or legal requirements. Monitoring, security, performance and usability improvements complement this release, enabling larger and more efficient Nextcloud installations.

Secure, Monitor and Control your data with Nextcloud 10

Post Syndicated from ris original http://lwn.net/Articles/698344/rss

Nextcloud 10 has been released
with new features for system administrators to control and direct the flow
of data between users on a Nextcloud server. “Rule based file tagging and responding to these tags as well as other triggers like physical location, user group, file properties and request type enables administrators to specifically deny access to, convert, delete or retain data following business or legal requirements. Monitoring, security, performance and usability improvements complement this release, enabling larger and more efficient Nextcloud installations.

Who Are The Alleged Top Men Behind KickassTorrents?

Post Syndicated from Andy original https://torrentfreak.com/the-alleged-top-men-behind-kickasstorrents-160826/

katThe sudden shutdown last month of KickassTorrents left a sizeable hole in the torrent landscape. KAT was the largest torrent index on the planet and much-loved by those who frequented it.

On day one of the shutdown, the United States government revealed that they had one prime suspect in their sights. Ukrainian Artem Vaulin was said to be the mastermind of KickassTorrents, coordinating an international operation through Cryptoneat, a front company in Kharkiv, Ukraine.

Yesterday the United States officially indicted Vaulin (aka ‘tirm’) along with two of his alleged KickassTorrents co-conspirators – Oleksandr Radostin (aka ‘pioneer’) and Ievgen Kutsenko (aka ‘chill’). All are said to have worked at Cryptoneat but little else is known about them. Today we can put some meat on the bones.

Artem Vaulin

Artem Vaulin is a 30-year-old man from Ukraine. Born in 1985, he is married with a young son. According to an investigation carried out by Vesti, his business life had simple roots.

After graduating from school, Vaulin went on to set up a vending machine business focusing on chewing gum and soft toys.

“My parents gave me $3000. They said: ‘Cool, you do not have to count on us. Now you have your own money’,” Vaulin told reporters in 2004.

Since then, Vaulin’s business empire seems to have taken off but despite reportedly having interests in several local companies (three with registered capital of more than $8.5m total), Vaulin appears to have been able to keep a reasonably low profile.

However, it is Vaulin’s love of squash that leads us to the only images available of him online. Ukrainian squash portal Squashtime.com.ua has a full profile, indicating his date and place of birth, and even his racquet preference.

vaulin-1

Vesti approached the club where Vaulin trained but due to data protection issues it would not share any information on the businessman. However, local news resource Segodnya tracked down Vaulin’s squash coach, Evgeny Ponomarenko.

“I know it only from the positive side. Artem is a good man and a family man with a growing son,” Ponomarenko said.

Vaulin is also said to have signed petitions on the Ukranian president’s website, one requesting that the country join NATO and another seeking to allow Ukranians to receive money from abroad via PayPal.

Oleksandr (Alexander) Radostin

Alexander Radostin appears to have been a software architect and/or lead engineer at Cryptoneat but other than that, very little is known about him.

There are several references to him online in Ukraine in relation to the shutdown of KickassTorrents, but most merely speculate that as an employee of Cryptoneat, Radostin might be best placed to confirm Vaulin’s current arrest status.

Many former Cryptoneat employees have purged their social networking presence but some of Radostin’s details are still available via Ukranian-based searches, including the Linkedin image below.

radostin-linkedin-1

While almost nothing is known about the third indicted KickassTorrents operator, Ievgen Kutsenko, images of the offices from where he and his colleagues allegedly ran the site can be hunted down.

The image below shows a screenshot from a Ukranian job seeking site where Cryptoneat had a page. It lists both Vaulin and Radostin to the right of some tiny thumbnails of photographs apparently taken inside the Kickass/Cryptoneat offices.

crypto-jobs

TF managed to track down a full-size version of the third image from the left and the environment looks very nice indeed.

crypto-4

While Vaulin is currently being held in a Polish jail, the whereabouts of his alleged co-conspirators is unknown. However, if they are still in Ukraine it might not be straightforward to have them extradited to the United States.

“Ukraine and the United States do not have an extradition treaty,” the U.S. Embassy confirms on its Ukraine website.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

iOS 9.3.5 Fixes Malware Exploit: Install It, but Backup First!

Post Syndicated from Peter Cohen original https://www.backblaze.com/blog/install-ios-935-backup-first/

Update your iPhone or iPad

Apple this week posted important an update to iOS 9. Version 9.3.5 is ready for download from Apple’s servers. Experts advise you to upgrade right away, since it closes a malware security vulnerability. It’s good advice, even if the risk is small to most of us. Make sure to back up your iPhone or iPad first, though. Here’s info on what’s going on and how to protect yourself.

First of all, if there’s one takeaway from the story: Don’t click on a link unless you know what’s inside.

A human rights dissident named Ahmed Mansoor received a strange text message on his iPhone encouraging him to click a link. He didn’t. Instead Mansoor reported it to a security research firm. Researchers think that it was a sophisticated effort to take over Mansoor’s iPhone. The code belongs to a company that makes government spyware.

The security group alerted Apple and didn’t publicize the break until after Apple issued the patch.

What is a zero-day exploit?

The original report says that hackers have combined “zero-day” exploits in iOS to remotely jailbreak a targeted iPhone. “Zero-day” is security shorthand for “this problem hadn’t been patched by the software maker when it was found.” (“Jailbreaking” enables software to be installed on the iPhone that Apple doesn’t allow otherwise.)

The folks at Macworld have the skinny on what’s going on here:

When used together, the exploits allow someone to hijack an iOS device and control or monitor it remotely. Hijackers would have access to the device’s camera and microphone, and could capture audio calls even in otherwise end-to-end secured apps like WhatsApp. They could also grab stored images, tracking movements, and retrieve files.

It’s important to understand that according to the security experts who have examined the code, this particular exploit was targeted to be delivered to a specific person. It was only his general awareness and suspicion something was wrong that prevented the software from getting installed.

In other words, this isn’t like a phishing or a botnet scheme, where the goal is to get as many devices infected as possible. Instead, this was an effort by government actors to target a specific individual.

That means that the risk to you that you might be exploited by this particular problem is relatively low, unless you’re in the crosshairs of a government agency (or unless malware programmers figure out another way to exploit this particular threat for other reasons).

Risk, low. So don’t panic. But the threat is still there, which is why Apple’s pushed the 9.3.5 update and is recommending that everyone who’s running iOS 9 install it promptly.

Should I back up before I update?

Yes! Backup before you make any fundamental changes to your device. It’s a good idea to make sure any essential information is stored safely somewhere else.

You can backup your device using iTunes on the Mac or PC. Use the Lightning cable that came with your iOS device and connect it to an open USB port, then open iTunes to backup. You can also use iCloud Backup, Apple’s cloud-based backups ervice. Here’s a guide to backing up your iPhone or iPad with more details.

In general, we advocate the 3-2-1 Backup Strategy. Always have three copies of your data. One is your local copy (the data on your iPhone or iPad, for example). The second is a local backup (using iTunes on your Mac or PC, for example). The third is a copy stored safely offsite, in case anything happens – the cloud, for example.

iCloud Backup is one option for offsite backup. Backblaze will back up your computer’s iTunes files including that local backup. So if you backup to your computer, then use Backblaze, you’re all set.

How do I update my iPhone or iPad?

Follow these steps to make sure iOS 9.3.5 is installed on your device. First of all, make sure your device is charged and connected to a Wi-Fi network.

  1. Tap the iPhone or iPad’s Home button.
  2. Tap Settings.
  3. Tap General.
  4. Tap Software Update.
  5. The device will check for an update. Your device will automatically restart after it’s done.

How to Update to 9.3.5

What do I do now?

Breathe a sigh of relief now that you have iOS 9.3.5 installed. At least until the next security exploit pops up. Just make sure to backup early and often, to make sure your device and your data is safe.

The post iOS 9.3.5 Fixes Malware Exploit: Install It, but Backup First! appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.

Inside ‘The Attack That Almost Broke the Internet’

Post Syndicated from BrianKrebs original https://krebsonsecurity.com/2016/08/inside-the-attack-that-almost-broke-the-internet/

In March 2013, a coalition of spammers and spam-friendly hosting firms pooled their resources to launch what would become the largest distributed denial-of-service (DDoS) attack the Internet had ever witnessed. The assault briefly knocked offline the world’s largest anti-spam organization, and caused a great deal of collateral damage to innocent bystanders in the process. Here’s a never-before-seen look at how that attack unfolded, and a rare glimpse into the shadowy cybercrime forces that orchestrated it.

The following are excerpts taken verbatim from a series of Skype and IRC chat room logs generated by a group of “bullet-proof cybercrime hosts” — so called because they specialized in providing online hosting to a variety of clientele involved in spammy and scammy activities.

Facebook profile picture of Sven Olaf Kamphuis

Facebook profile picture of Sven Olaf Kamphuis

Gathered under the banner ‘STOPhaus,’ the group included a ragtag collection of hackers who got together on the 17th of March 2013 to launch what would quickly grow to a 300+Gigabits per second (Gbps) attack on Spamhaus.org, an anti-spam organization that they perceived as a clear and present danger to their spamming operations.

The attack –a stream of some 300 billion bits of data per second — was so large that it briefly knocked offline Cloudflare, a company that specializes in helping organizations stay online in the face of such assaults. Cloudflare dubbed it “The Attack that Almost Broke the Internet.

The campaign was allegedly organized by a Dutchman named Sven Olaf Kamphuis (pictured above). Kamphuis ran a company called CB3ROB, which in turn provided services for a Dutch company called “Cyberbunker,” so named because the organization was housed in a five-story NATO bunker and because it had advertised its services as a bulletproof hosting provider.

Kamphuis seemed to honestly believe his Cyberbunker was sovereign territory, even signing his emails “Prince of Cyberbunker Republic.” Arrested in Spain in April 2013 in connection with the attack on Spamhaus, Kamphuis was later extradited to The Netherlands to stand trial. He has publicly denied being part of the attacks and his trial is ongoing.

According to investigators, Kamphuis began coordinating the attack on Spamhaus after the anti-spam outfit added to its blacklist several of Cyberbunker’s Internet address ranges. The following logs, obtained by one of the parties to the week-long offensive, showcases the planning and executing of the DDoS attack, including digital assaults on a number of major Internet exchanges. The record also exposes the identities and roles of each of the participants in the attack.

The logs below are excerpts from a much longer conversation. The entire, unedited chat logs are available here. The logs are periodically broken up by text in italics, which includes additional context about each snippet of conversation. Also please note that the logs below may contain speech that some find offensive.

====================================================================

THE CHAT LOG MEMBERS
————————————————————
Aleksey Frolov : vainet[dot]biz, vainet[dot].ru, Russian host.
————————————————————
Alex Optik : Russian ‘BP host’. AKA NEO
————————————————————
Andrei Stanchevici : secured[dot]md Moldova
————————————————————
Cali : Vitalii Boiko AKA Vitaliyi Boyiko AKA Cali Yhzar, alleged by Spamhaus to be dedicated crime hosters urdn[dot]com.ua AKA Xentime[dot]com AKA kurupt[dot]ru
————————————————————
Darwick : Zemancsik Zsolt, 23net[dot]hu, Hungarian host.
————————————————————
eDataKing : Andrew Jacob Stephens, Ohio/Florida based spamware seller formerly listed on Spamhaus’s Register of Known Spam Operations (ROKSO). Was main social media mouthpiece of Stophaus (e.g. see @stophaus). Andrew threatens to sue everyone for libel, and is likely to show up in the comments below and do the same here.
————————————————————
Erik Bais : A2B Internet, Netherlands
————————————————————
Goo : Peter van Gorkum AKA Gooweb.nl, alleged by Spamhaus to be a botnet supplier in the Netherlands.
————————————————————
Hephaistos : AKA @AnonOps on Twitter
————————————————————
HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: Sven Olaf Kamphuis
AKA Cyberbunker AKA CB3ROB
————————————————————
Karlin König : Suavemente/SplitInfinity, San Diego based host.
————————————————————
marceledler : German hoster that Spamhaus says has a history of hosting spammers, AKA Optimate-Server[dot]de
————————————————————
Mark – Evgeny Pazderin : Russian, alleged by Spamhaus to be hoster of webinjects used for man-in-the-middle attacks (MITM) against online banking sessions.
————————————————————
Mastermind of Possibilities : Norman “Chris” Jester AKA Suavemente/SplitInfinity, alleged by Spamhaus to be San Diego based spam host.
————————————————————
Narko :Sean Nolan McDonough, UK-based teenager, trigger man in the attack. Allegedly hired by Yuri to perform the DDoS. Later pleaded guilty to coordinating the attack in 2013.
————————————————————
NM : Nikolay Metlyuk, according to Spamhaus a Russian botnet provider
————————————————————
simomchen : Simon Chen AKA idear4business counterfeit Chinese products, formerly listed on Spamhaus ROKSO.
————————————————————
Spamahost : As its name suggests, a Russian host specializing in spam, spam and spam.
————————————————————
twisted : Admin of Cyberbunker[dot]com
————————————————————
valeralelin : Valerii Lolin, infiumhost[dot]com, Ukraine
————————————————————
Valeriy Uhov : Per Spamhaus, a Russian ‘bulletproof hoster’.
————————————————————
WebExxpurts : Deepak Mehta, alleged cybercrime host specializing in hosting botnet C&Cs. AKA Turbovps (<bd[at]turbovps[dot]com>).
————————————————————
wmsecurity : off-sho[dot]re ‘Bulletproof’ hoster. Lithuania. AKA “Antitheist”. Profiled in this story.
————————————————————
Xennt : H.J. Xennt, owner of Cyberbunker.
————————————————————
Yuri : Yuri Bogdanov, owner of 2×4[dot]ru. According to Spamhaus, 2×4[dot]ru is a longtime spam friendly Russian host, formerly part of Russian Business Network (RBN). Allegedly hired Narko to launch DDoS attack against Spamhaus.
============================================================

[17.03.2013 19:51:31] eDataKing: watch the show: http://www.webhostingtalk.com/showthread.php?t=1247982
[17.03.2013 19:52:02] -= Darwick =-: hell yeah! :)
[17.03.2013 19:52:09] -= Darwick =-: hit them hard :)
[17.03.2013 19:54:07] -= Darwick =-: is that a ddos attack?
[17.03.2013 19:54:56] eDataKing: but let’s forget what it is and focus on it’s consequence lol 😉

====================================================================

A number of chat members chastise eDataKing for incessantly posting comments to what they refer to as “nanae,” a derisive reference to the venerable USENET anti-spam list (news.admin.net-abuse.email) that focused solely on exposing spammers and their spamming activities. eDataKing is flustered and posting on nanae with rapid-fire, emotional replies to anti-spammers, but his buddies don’t want that kind of attention to their cause.

[17.03.2013 20:27:57] Mastermind of Possibilities: Andrew why are you posting in nanae? Stop man lol

====================================================================

Some of the chat participants begin debating whether they should consider adopting residence in a country that does not play well with the United States in terms of extradition.

[18.03.2013 02:28:30] eDataKing: what about a place that takes an ex-felon from the US for citizenship or expat?

====================================================================

The plotters begin running scans to find misconfigured or ill-protected systems that can be enslaved in attacks. They’re scanning the Web for domain name servers (DNS) systems that can be used to amplify and disguise or “reflect” the source of their attacks. Narko warns Sven about trying to enlist servers hosted by Dutch ISP Leaseweb, which was known to anticipate such activity and re-route attack traffic back to the true source of the traffic.

[18.03.2013 16:39:22] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: is just global transit thats filtered with them
[18.03.2013 16:39:33] narko: they change the ip back to your real server ip
[18.03.2013 16:39:38] narko: you will ddos your own server if you try this attack at leaseweb
[18.03.2013 16:39:46] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: hmm
[18.03.2013 16:39:50] Antitheist: what about root.lu?
[18.03.2013 16:39:54] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: very creative of them
[18.03.2013 16:39:55] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[18.03.2013 16:40:21] Antitheist: and nforce
18.03.2013 16:49:22] Antitheist: i host many cc shops, they even appeared on krebs blog 😀
[18.03.2013 16:49:27] narko: where?

At around 4 p.m. GMT that same day, Sven announces that the group’s various cyber armies had succeeded in knocking Spamhaus off the Internet. Incredibly, Sven advertises his involvement with the group to all 3,850 of his Facebook friends.

17.03.2013 22:30:01] my 3850 facebook friends <img src=” class=”wp-smiley” style=”height: 1em; max-height: 1em;” />” class=”wp-smiley” style=”height: 1em; max-height: 1em;” />” class=”wp-smiley” style=”height: 1em; max-height: 1em;” /> www.spamhaus.org still down, and that criminal bunch of self declared internet dictators will still remain down, until our demands are met <img src=” class=”wp-smiley” style=”height: 1em; max-height: 1em;” />” class=”wp-smiley” style=”height: 1em; max-height: 1em;” />” class=”wp-smiley” style=”height: 1em; max-height: 1em;” /> over 48h already <img src=” class=”wp-smiley” style=”height: 1em; max-height: 1em;” />” class=”wp-smiley” style=”height: 1em; max-height: 1em;” />” class=”wp-smiley” style=”height: 1em; max-height: 1em;” /> resolving your shit. end of the line buddy <img src=” class=”wp-smiley” style=”height: 1em; max-height: 1em;” />” class=”wp-smiley” style=”height: 1em; max-height: 1em;” />” class=”wp-smiley” style=”height: 1em; max-height: 1em;” /> should have called and paid for the damages.
[17.03.2013 22:25:54] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: rokso no longer exists haha
[17.03.2013 22:29:51] Mastermind of Possibilities: Where is that posted ?
[17.03.2013 22:30:01] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: my 3850 facebook friends 😛
[17.03.2013 22:30:12] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: you know, stuff people actually -use-… unlike smtp and nntp
[17.03.2013 22:30:12] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[17.03.2013 22:30:23] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP:facebook.com/cb3rob

====================================================================

Spamhaus uses a friendly blog — Wordtothewise.com — to publish an alert that it is “under major dDos.” While Spamhaus is offline, various parties to the attack begin hatching ways to take advantage by poisoning search-engine results so that when one searches for “Spamhaus,” the first several results instead redirect to Stophaus[dot]org, the forum this group set up to coordinate the attacks.

w2tw

18.03.2013 13:09:09] Alex Optik:http://www.stopspamhaus.org/2013_02_01_archive.html
[18.03.2013 13:09:35] Alex Optik: as i see there is already has same projects
[18.03.2013 13:09:59] narko: (wave)
[18.03.2013 13:10:17] eDataKing: that site is owned by a person in this group Alex
stealing seo to bump spamhaus while it’s offline 3 days
[18.03.2013 16:14:14] Antitheist: do you mind if we put spamhaus metatags on stophaus?
[18.03.2013 16:14:24] Antitheist: so we can come up first on google soon 😀
file fake info alert to ICANN
[18.03.2013 16:26:45] narko: Your report concerning whois data inaccuracy regarding the domain spamhaus.org has been confirmed. You will receive an email with further details shortly. Thank you.
[18.03.2013 16:29:26] narko: Any future correspondence sent to ICANN must contain your report ID number.
Please allow 45 days for ICANN’s WDPRS processing of your Whois inaccuracy
claim. This 45 day WDPRS processing cycle includes forwarding the complaint
to the registrar for handling, time for registrar action and follow-up by
ICANN if necessary.

====================================================================

Sven Kamphuis then posts to Pastebin about “OPERATION STOPHAUS,” a tirade that includes a lengthy list of demands Sven says Spamhaus will have to meet in order for the DDoS attack to be called off. Meanwhile, another spam-friendly hosting provider — helpfully known as “Spamahost[dot].com,” joins the chat channel. At this point, the attack has kept Spamhaus.org offline for the better part of 48 hours.

Narko's account on Stophaus.

Narko’s account on Stophaus.

[19.03.2013 00:02:43] Yuri: another one hoster, spamahost.com added.
[19.03.2013 00:02:48] Yuri: i hope he can help with some servers.
[19.03.2013 00:02:57] spamahost: Will do ^^ :)
[19.03.2013 00:05:49] eDataKing: be safe when accessing this link, but there was an edu writeup:http://isc.sans.edu/diary/Spamhaus+DDOS/15427
[19.03.2013 00:05:51] spamahost: Spamhaus can blow me.
[19.03.2013 00:06:00] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: me too 😛
[19.03.2013 00:06:20] spamahost: What software you using to send out attacks?
[19.03.2013 00:06:22] spamahost: IRC and bots?
[19.03.2013 00:06:28] Yuri: spamhaus like spamahost very very much.
[19.03.2013 00:06:35] Yuri: that’s the realy true love
[19.03.2013 00:06:37] spamahost: Yes they love us
[19.03.2013 00:38:20] Yuri: MEGALOL
[19.03.2013 00:38:27] Yuri: spamhaus is down 3 days
[19.03.2013 00:38:58] Yuri: this is the graph of our mail server http://mx1.2×4.ru/cgi-bin/mailgraph.cgi
that shows amount of spam rejected by our mail server.
last days there are much less SPAm
[19.03.2013 00:39:13] Yuri: http://mail.2×4.ru same graph here.

====================================================================

The Stophaus members discover that Spamhaus is now protected by Cloudflare. This amuses the Stophaus members, who note that Spamhaus has frequently listed large swaths of Cloudflare Internet addresses as sources of spam.

cloudflare

[19.03.2013 00:47:07] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: cloudflare
[19.03.2013 00:47:48] Antitheist: fuck who would believe
[19.03.2013 00:48:10] Antitheist: after they listed all cloudlares /24 for being criminal supportive because of free reverse proxying
[19.03.2013 00:49:11] Antitheist: here we go again…
[19.03.2013 00:49:12] Antitheist: http://www.spamhaus.org/sbl/query/SBL179312
[19.03.2013 00:49:14] Antitheist: lol
[19.03.2013 00:49:46] Antitheist: it had been officialy bought…b-o-u-g-h-t
[19.03.2013 00:50:45] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: hmm
[19.03.2013 00:50:57] Antitheist: narko?
[19.03.2013 00:51:11] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: k… just take down the spamhaus.org nameservers…all 8 of em
[19.03.2013 00:51:22] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: after all the client on cloudflare is ‘spamhaus.eu’
[19.03.2013 00:51:33] Cali: spamhaus under cloudflare?
[19.03.2013 00:51:35] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: they still need the spamhaus.org nameservers for that and their shitlist to work
[19.03.2013 00:51:40] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: yeah with spamhaus.eu
[19.03.2013 00:51:46] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: which is a cname to spamhaus.org
[19.03.2013 00:51:59] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: so just take out the 8 spamhaus nameservers and stop targetting the old website
[19.03.2013 00:52:09] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: that ALSO takes out their dns shitlists…
[19.03.2013 00:52:12] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: indirectly
[19.03.2013 00:52:22] Yuri: that’s a fuck. a lot of work for us
[19.03.2013 00:53:20] Yuri: may be just let’s make cloudflare down ?
[19.03.2013 00:53:29] Antitheist: thats hard yuri
[19.03.2013 00:53:31] Yuri: so they will refuse any spamhaus
[19.03.2013 00:53:43] Antitheist: you need to cripple level3 and nlayer
[19.03.2013 00:54:04] Antitheist: |OR|
[19.03.2013 00:54:12] Antitheist: you need to spend too much traffic
[19.03.2013 00:54:16] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: narko: new target… the 8 nameservers of spamhaus.org… and still smtp-ext-layer.spamhaus.org ofcourse
[19.03.2013 00:54:20] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: no morewww.spamhaus.org
[19.03.2013 00:54:24] Antitheist: since cloudflares packages are traffic volume priced
[19.03.2013 00:55:44] Karlin Konig: I don’t think they are charging spamhaus
[19.03.2013 00:56:27] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: as stated before, unfair competition, in many ways
[19.03.2013 00:56:28] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lulz
[19.03.2013 00:57:46] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: hmm is cloudflare hosting? or a reverse proxy?
[19.03.2013 00:57:57] Cali: reverse proxy.
[19.03.2013 00:58:00] Yuri: reverse
[19.03.2013 00:58:09] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: as when its a reverse proxy, it probably goes to that spamhaus.as1101.net box
[19.03.2013 00:58:13] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: aka, surfnet.
[19.03.2013 01:00:10] Cali: already offline 😀
[19.03.2013 01:00:17] Cali: This website is offline
[19.03.2013 01:02:26] narko: I will make down their cloudflare 😉 if I have enough free servers
[19.03.2013 01:02:30] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: they moved it to cloudlfare
[19.03.2013 01:02:31] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[19.03.2013 01:02:43] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: then just go for the nameservers on spamhaus.org
[19.03.2013 01:02:49] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: which also breaks their dns shitlist
[19.03.2013 01:02:52] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: after 24h
[19.03.2013 01:02:55] Cali: usually websites use cloudflare dns as well.
[19.03.2013 01:02:58] Cali: so they might change soon.
[19.03.2013 01:03:03] Cali: I think you should give them some hope
[19.03.2013 01:03:10] Cali: because they will be so proud to bring it back
[19.03.2013 01:03:14] Cali: then you switch it off again :)
[19.03.2013 01:03:20] Cali: they will rage :)
[19.03.2013 01:03:23] Karlin Konig: it’s down again
[19.03.2013 01:03:24] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: they do… spamhaus.EU is on cloudflare dns
[19.03.2013 01:03:25] Karlin Konig: lol
[19.03.2013 01:03:30] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP:spamhaus.org… is on spamhaus dns
[19.03.2013 01:03:45] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: for the very obvious reason that they have 70 dns shitlist servers in that zone
[19.03.2013 01:03:49] Cali: yeah but I think they might change that soon.
[19.03.2013 01:03:52] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: and those use their weird rotating system
[19.03.2013 01:03:54] Cali: ahah
[19.03.2013 01:03:57] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: cloudflare can’t do that
[19.03.2013 01:04:04] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: they can’t change the domain of the dns shitlist
[19.03.2013 01:04:05] Cali: even with the paid version?
[19.03.2013 01:04:07] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: so they have to keep that
[19.03.2013 01:04:30] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: soo… if they come up again, just kill the dns servers on their main domainspamhaus.org
[19.03.2013 01:04:33] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: 😛
[19.03.2013 01:04:33] Cali: ok, now it is online and responds.
[19.03.2013 01:04:50] narko: ok
[19.03.2013 01:04:52] narko: moment
[19.03.2013 01:05:07] Cali:http://www.spamhaus.org/images/spamhaus_dnsbl_basic.gif “meet spamhaus policy”
[19.03.2013 01:05:07] Cali: lol
[19.03.2013 01:05:14] Cali: like IPs have to meet Spamhaus policies
[19.03.2013 01:05:18] Cali: lol
[19.03.2013 01:05:24] narko: they are using the cloudflare paid plan
[19.03.2013 01:05:31] narko: as they have 5 IP
[19.03.2013 01:05:31] narko: not 2
[19.03.2013 01:05:44] narko: i think it means that cf will keep them longer
[19.03.2013 01:05:46] narko: :(
[19.03.2013 02:09:03] narko: added some extra gbit/s to two dns servers that seemed half-up :) lets see if google dns renews it now
[19.03.2013 02:09:28] Yuri: fuck.. no dns resolve :))))
[19.03.2013 02:09:45] narko: (mm)
[19.03.2013 02:09:57] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: when -these- time out, they’re out of business
[19.03.2013 02:10:01] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: <<>> DiG 9.8.1-P1 <<>> A b.ns.spamhaus.org
[19.03.2013 08:01:24] Yuri: good morning
[19.03.2013 08:01:32] Yuri: it was short night for me…. fuck
[19.03.2013 08:01:40] Yuri: spamhaus is down ? again :) ?
[19.03.2013 08:02:09] Yuri: looks it’s some our friend work
[19.03.2013 08:10:30] simomchen: how about we hijack spamhaus’s IP together , if can not take them down again ?
[19.03.2013 08:10:59] Yuri: we would like to.
[19.03.2013 08:11:08] Yuri: but we need upstream who will allow us to do that
[19.03.2013 08:11:25] simomchen: we can just announce those over IX exchange
[19.03.2013 08:11:34] simomchen: them , do not need upstream allow this
[19.03.2013 08:11:39] nmetluk: Russian upstreams allow:)
[19.03.2013 08:13:10] Yuri: (at least we have one good russian upstream here)
[19.03.2013 08:14:15] Yuri: spamhaus desided to bring some shit sbls toinfiumhost.com, /22 listed just for nothing.and some extra SBLs to pinspb
[19.03.2013 08:14:28] eDataKing: that is how they do it
[19.03.2013 08:14:35] eDataKing: that is why it is terrorism
[19.03.2013 08:14:57] simomchen: SH will force upstreams disconnect them
[19.03.2013 08:15:05] simomchen: that’s their next step
[19.03.2013 08:15:15] Yuri: they are too big to be disconneted
[19.03.2013 08:15:22] eDataKing: yes, the upstream does not really make the decision because the decision is coerced through damages
[19.03.2013 08:15:43] eDataKing: who is too big to be disconnected?
[19.03.2013 08:16:03] simomchen: infiumhost.com ?
[19.03.2013 08:16:31] Yuri: pinspb.ru
[19.03.2013 08:16:33] Yuri: gpt.ru
[19.03.2013 08:16:42] Yuri: and other that was with some new sbls today
[19.03.2013 08:16:50] Yuri: currenty it’s just nothing serious
[19.03.2013 08:16:58] Yuri: they keep searching
[19.03.2013 08:24:33] simomchen: Donate to the fund needed to shut SH down for good. Send your donations via Bitcoin to 17SgMS56W6s1oMU7oEZ66NFkbEk1socnTJ

====================================================================

At this point, several media outlets begin erroneously reporting that the DDoS attack on Spamhaus and Cloudflare is the work of Anonymous (probably because Kamphuis ended his manifesto with the Anonymous tagline, “We do not forgive. We do not forget”).

[19.03.2013 12:35:51] Antitheist: lol, anonymous indonesia took the responsibility for the spamhaus ddos
[19.03.2013 12:35:51] Antitheist: https://twitter.com/anonnewsindo
[19.03.2013 12:36:38] Antitheist: wait no, its all over softpedia! hahaha
[19.03.2013 12:37:31] Antitheist: http://news.softpedia.com/news/Anonymous-Hackers-Launch-DDOS-Attack-Against-Spamhaus-338382.shtml
[19.03.2013 12:46:11] narko: http://www.spamhaus.org/sbl/query/SBL179322
[19.03.2013 12:46:39] Antitheist: http://www.spamhaus.org/sbl/query/SBL179321
[19.03.2013 12:55:30] Yuri: people report that MAIL from spamhaus start working
[19.03.2013 12:55:42] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: oeh! spam!
[19.03.2013 12:56:03] Antitheist: the mail is their weakest point, since cloudflare cannot protect it
[19.03.2013 12:56:22] Antitheist: so we need to hit there. the result means no SBL removals :)
[19.03.2013 12:56:33] Antitheist: mad mad admins pulling off hair 😀
[19.03.2013 14:46:09] Yuri: news.softpedia.com
[19.03.2013 14:46:16] Antitheist: they think its anonymous because of Svens pastebin
[19.03.2013 14:46:48] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: also good
[19.03.2013 14:46:56] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: then the rest of anon also thinks its anon 😛
[19.03.2013 14:47:00] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: and starts to help
[19.03.2013 14:47:01] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[19.03.2013 14:47:17] Yuri: wow what a news
[19.03.2013 14:47:17] Antitheist: lol anon-amplification yeah
[19.03.2013 14:47:26] Yuri: spamhaus says in twitter that softpedia new is false
[19.03.2013 14:47:29] Yuri: :)))
[19.03.2013 14:47:40] Yuri:http://www.spamhaus.org/news/article/693/softpedia-publish-misleading-story-of-anonymous-attack-on-spamhaus
[19.03.2013 15:10:05] eDataKing: 1. Let them think Anons were behind it and do not dispute
[19.03.2013 15:10:05] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: can’t sign up for twitter as i don’t have any working email lol
[19.03.2013 15:10:21] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: edataking: its allready all over the press that its not anons lol.
[19.03.2013 15:10:22] Antitheist: I know Mohit from thehackernews, if it gets posted there it will soon be viral
[19.03.2013 15:10:26] eDataKing: or 2. Remind them that Anons are everyone and Anonymous as a group did not orchestrate it
[19.03.2013 15:10:30] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: at least in .nl its quite clear that its the republic cyberbunker and others
[19.03.2013 15:10:30] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: haha
[19.03.2013 15:10:58] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: that anon also has some ehm… stuff to ‘arrange’ with spamhaus, is a different story
[19.03.2013 15:11:19] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: *points out that over half of my facebook friends have the masks anyway*
[19.03.2013 15:11:28] eDataKing: Anonymous name gets major media
[19.03.2013 15:11:33] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: and that i’m still officially the PR guy for anonymous germany
[19.03.2013 15:14:36] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: y my name don’t fit twitter..
[19.03.2013 15:14:40] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: HRH Sven Olaf Prince
getting twitter accounts shut down, listing stophaus on the sbl.

====================================================================

Spamhaus has by now worked out the identity of many Stophaus members, and has begun retaliating at them individually by listing Internet addresses tied to their businesses and personal life. Here, Narko reveals that he runs his own (unprofitable) hosting firm that Spamhaus found and listed it as an address to be blocked because it was hosting stophaus[dot]org.

[19.03.2013 17:50:04] narko: im back
[19.03.2013 17:50:25] narko: the nameservers for stophaus need to be changed
[19.03.2013 17:51:04] narko: spamhaus SBLed my site and my host will terminate me unless spamhaus tells them that it’s ok
[19.03.2013 17:51:08] narko: fucking internet police
[19.03.2013 17:52:57] eDataKing: ok, what are we changing them to?
[19.03.2013 17:53:40] narko: i will set up dns servers on my home connection
[19.03.2013 17:53:41] narko: lol
[19.03.2013 17:53:45] narko: i dont think my isp gives a shit
[19.03.2013 17:53:48] narko: i’m alraedy in PBL
[19.03.2013 17:53:56] eDataKing: lol, as long as you are safe
[19.03.2013 17:53:59] narko: what does it matter if i’m in SBL? 😛
[19.03.2013 17:54:04] narko: well.. as long as they won’t ddos me
[19.03.2013 17:54:05] eDataKing: ok, then it should be all good
[19.03.2013 17:54:06] narko: I have a static ip
[19.03.2013 17:54:18] eDataKing: what about your upstream?
[19.03.2013 17:54:50] narko: I want to buy a /24 and host this just to fuck spamhaus
[19.03.2013 17:54:57] narko: anyone selling /24 😛 i pay €200
[19.03.2013 17:55:34] narko: i cannot believe that my host is telling me i need to leave for a fake SBL listing that is not even hosted at their network
[19.03.2013 17:55:38] Yuri: they will list all network at once and put upsteam
[19.03.2013 17:55:39] narko: why do they listen to spamhaus..?
[19.03.2013 18:21:28] simomchen: let me make a CC to them in China
[19.03.2013 18:21:35] eDataKing: then this will kill them in the end
[19.03.2013 18:21:49] Antitheist: https://www.cloudflare.com/business
[19.03.2013 18:22:10] Yuri: stophaus.com moved to new DNS.
[19.03.2013 18:22:16] simomchen: I brought 50K adsl Broilers just now
[19.03.2013 18:22:48] eDataKing: Then their DNS is a ticking timebomb dependent on public support. They don’t have a lot of that left
[19.03.2013 18:23:46] Yuri: 50k of what?
[19.03.2013 18:23:52] Antitheist: DNS of stophaus should be hosted on cloudflare imho
[19.03.2013 18:24:13] Antitheist: they will be afraid to list it lol
[19.03.2013 18:24:20] simomchen: 50000 ADSL broilers zombies , hehe
[19.03.2013 18:24:23] Yuri: cloudflare will kick off
[19.03.2013 18:24:27] Yuri: oohh.. shit.
[19.03.2013 18:24:48] Yuri: we need a plan how to fight :)
[19.03.2013 18:27:02] simomchen: Antitheist:
<<< we need bots that will do large POST requests on the search form of ROKSOyes, that’s CC attack I said just now. ROKSO is not big enought , I’m CC their http://www.spamhaus.org/sbl/latest/ currently
[19.03.2013 18:27:11] simomchen: do not know cloudflare can handle that
[19.03.2013 18:27:24] Antitheist: SBL are not in mysql
[19.03.2013 18:27:53] Antitheist: there is no search on the DB when you request them [19.03.2013 18:28:06] eDataKing: true
[19.03.2013 18:28:12] Antitheist: but a search form, any of them, must have at least 1 SELECT statement [19.03.2013 18:28:15]
simomchen: okay, http://www.spamhaus.org/rokso/ how about this page ?
[19.03.2013 18:28:23] Antitheist: yes, see the search form
[19.03.2013 18:28:27] eDataKing: RBLs are on a Logistics server at abuseat.org
[19.03.2013 18:28:29] Antitheist: you need to post long random shit there
[19.03.2013 18:28:34] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: SBL157600 5.157.0.0/22 webexxpurts.com 19-Mar 13:53 GMT Spammer hosting (escalation) SBL157599 5.153.238.0/24 webexxpurts.com 19-Mar 13:53 GMT Spammer hosting (escalation)
[19.03.2013 18:28:36] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[19.03.2013 18:28:41] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: wasn’t he in here the other day 😛
[19.03.2013 18:28:46] eDataKing: at least the cbl is
[19.03.2013 18:28:54] eDataKing: yes
[19.03.2013 18:28:59] eDataKing: He left?
[19.03.2013 18:29:05] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: dunno
[19.03.2013 18:29:05] simomchen: okay, let me make a ‘search’
[19.03.2013 18:29:08] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: changed names?
[19.03.2013 18:29:12] eDataKing: maybe
[19.03.2013 18:29:21] eDataKing: that was who I thought Darwin was
[19.03.2013 18:29:47] eDataKing: like he changed his name in the middle of a conversation
[19.03.2013 18:29:54] eDataKing: and Darwin picked up the chat
[19.03.2013 18:29:54] Antitheist: oh good news, its available in GET as well
[19.03.2013 18:30:01] Antitheist: http://www.spamhaus.org/rokso/search/?evidence=LONGSHITGOESHERE
[19.03.2013 18:30:40] eDataKing: They are desperate to take down the content though
[19.03.2013 18:30:55] eDataKing: I knew they would be scared to show their faces to public scrutiny
[19.03.2013 18:36:03] Yuri: SBL179370 66.192.253.42/32 twtelecom.net 19-Mar 15:15 GMT Suavemente/SplitInfinity/Innova Direct
: Feed to Jelly Digital (AS4323 >>> AS33431)
SBL179369 4.53.122.98/32 level3.net
19-Mar 15:03 GMT Suavemente/SplitInfinity/Innova Direct : Feed to Critical Data Network, Inc. (AS3356 >>> AS53318) spamhaus started to fuck hardly everywhere. they are angry.
[19.03.2013 18:37:39] Antitheist: no mercy anymore, everyone who they scraped out of stophaus members gets the entire /24 listed in ROKSO :)
[19.03.2013 18:37:40] simomchen: cloudflare service them , we are angry too
[19.03.2013 18:40:35] simomchen: but if the ddos keeping , I think spamhaus would go bankrupt
[19.03.2013 18:40:52] narko: they won’t go bankrupt
[19.03.2013 18:40:55] narko: he will just buy a smaller boat
[19.03.2013 18:41:00] simomchen: because cloudflare must charge tons of money form them
[19.03.2013 18:41:34] simomchen: what they can do in that boat ? if they do not pay to cloudflare , they will down again
[19.03.2013 18:41:48] narko: cloudflare only cost $200 per month
[19.03.2013 19:02:27] Yuri: For SBLs spamhaus
use
[19.03.2013 19:02:27] Yuri:
<<< http://stopforumspam.com/
https://www.projecthoneypot.org/ – этот точно
https://zeustracker.abuse.ch/
https://spyeyetracker.abuse.ch/those sites 100%
[19.03.2013 19:02:39] narko: ok let’s make these down 😉
[19.03.2013 21:32:06] narko: i run my host company since FEB 2012 and i am still losing like 350$ per month lol
[19.03.2013 21:32:28] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: we’ve been doing it commercially since 1996 on ‘cb3rob’
[19.03.2013 21:32:34] eDataKing: how much would that be?
[19.03.2013 21:32:39] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: and well.. there are times where it runs at a loss 😛
[19.03.2013 21:32:45] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: and there are times where it makes heaps 😛
[19.03.2013 21:32:55] narko: i have not had a single month
[19.03.2013 21:33:01] narko: where the costs of servers+licenses were covered..
[19.03.2013 21:33:12] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: you don’t have your own servers either/
[19.03.2013 21:33:13] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: ?
[19.03.2013 21:33:16] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: just reselling?
[19.03.2013 21:33:32] narko: rent server, install cpanel, advertise
[19.03.2013 21:33:33] narko: (y)
[19.03.2013 21:33:45] eDataKing: agreed
[19.03.2013 21:33:54] narko: but I think soon i will buy my own servers and colo
[19.03.2013 21:33:56] narko: it will be cheaper
[19.03.2013 21:34:04] eDataKing: agreed as well
[19.03.2013 21:34:06] narko: the problem is
[19.03.2013 21:34:11] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: i’d say thats the only way to do it 😛
[19.03.2013 23:43:05] narko: i don’t understand this
[19.03.2013 23:43:16] narko: how can cloudflare take 100gbps of udp and latency is not even increased by 1ms
[19.03.2013 23:47:05] Antitheist:http://www.apricot2013.net/__data/assets/pdf_file/0009/58878/tom-paseka_1361839564.pdf
[19.03.2013 23:47:19] Antitheist: CloudFlare has seen DNS reflection attacks hit 100Gbit traffic globally
[19.03.2013 23:47:23] Antitheist: they are used to it
[19.03.2013 23:47:49] narko: when they were hosting at rethem hosting
[19.03.2013 23:47:52] narko: I took down sprint
[19.03.2013 23:47:54] narko: i took down level3
[19.03.2013 23:47:56] narko: i took down cogent
[19.03.2013 23:48:06] narko: but cloudflare nothing!
[19.03.2013 23:48:26] narko: back in 2009 cloudflare went down with 10gbps
[19.03.2013 23:48:28] narko: all down..
[19.03.2013 23:49:34] narko: o i’m causing some dropped packets now 😛
[19.03.2013 23:56:06] Cali: narko, was it you who DDoSed us like a year and half ago ? 😀
[19.03.2013 23:56:14] narko: what network?
[19.03.2013 23:56:27] narko: or site
[19.03.2013 23:56:32] narko: sent it me in private chat and i can tell you
[20.03.2013 00:05:39] narko: http://i.imgur.com/M2mbNE0.png
[20.03.2013 00:05:44] narko: Spamhaus cloudflare current status
[20.03.2013 00:05:48] narko: with over 100Gbps of attack traffic
[20.03.2013 00:07:39] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: hmm does this affect other cloudflare customers, as in that case its bye bye spamhaus pretty soon
[20.03.2013 00:07:40] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[20.03.2013 00:07:49] narko: i dont know
[20.03.2013 00:07:56] narko: i hope so because i cant keep such traffic up for a long time
[20.03.2013 00:08:02] narko: it’s probably closer to 200 than 100 Gbps
[20.03.2013 00:08:07] Cali: it will be harder than that I think.
[20.03.2013 00:09:35] Cali: no more icmp @cloudflare?
[20.03.2013 00:09:52] narko: 7 * * * Request timed out.

[20.03.2013 00:22:24] Antitheist: they list every IP/DNS that resolves stophaus in any way
[20.03.2013 00:22:31] narko: “Please update us when this client no longer utilises *any* part of our network so we can get back in touch with Spamhaus.”
[20.03.2013 00:22:35] Antitheist: we can change it every hour and block the entire internet lol
[20.03.2013 00:22:47] narko: They do not understand the word “THIS CLIENT HAS NOTHING TO DO WITH YOUR NETWORK”
[20.03.2013 00:22:53] narko: they treat it like it’s a request from law enforcement
[20.03.2013 00:22:56] narko: not some moron on a boat
[20.03.2013 00:47:00] Antitheist: so whats up with wordtothewise
[20.03.2013 00:47:02] narko: i only met you peoples on friday and never heard of most of you before then 😛
[20.03.2013 00:47:29] eDataKing: lol, I just talk like I know everyone
[20.03.2013 00:47:48] eDataKing: It’s better than being secretive. I get nervous around quite people.
[20.03.2013 00:47:59] eDataKing: I think they are plotting on me lol 😉
[20.03.2013 00:48:01] narko: I said too much already in this chat
[20.03.2013 00:48:04] narko: I’m expecting the raid soon
[20.03.2013 00:48:06] narko: 😛

====================================================================

Narko has directed most of his botnet resources at Cloudflare now instead of Spamhaus, and the group is surprised to see Spamhaus go offline when it was hidden behind Cloudflare’s massive DDoS protection resources. Also, Yuri enlists the help of some other attackers to join in the assault.

[20.03.2013 01:00:32] Antitheist: This website is offline. No cached version is available
[20.03.2013 01:00:33] Antitheist: LOL
[20.03.2013 01:00:47] narko: lol
[20.03.2013 01:00:50] narko: not working for me either
[20.03.2013 01:00:56] Antitheist: narko you are the king
[20.03.2013 01:00:59] Antitheist: haha
[20.03.2013 01:01:00] narko: i didnt do anything
[20.03.2013 01:01:03] narko: i was just attacking cloudflare
[20.03.2013 01:01:16] Antitheist: well, thats not something they wanted to have
[20.03.2013 01:01:17] narko: see now its back up :(
[20.03.2013 01:01:36] Cali: It is offline here.
[20.03.2013 01:01:44] Antitheist: off…
[20.03.2013 01:01:45] narko: it went down again
[20.03.2013 01:01:51] narko: and back
[20.03.2013 01:03:11] Cali: yup
[20.03.2013 01:04:33] narko: let’s create some more records
[20.03.2013 01:04:36] narko: for DNS of stophaus
[20.03.2013 01:04:47] narko: dummy records, such as the IP of softlayer.com , etc
[20.03.2013 01:04:55] narko: it won’t affect the site because it will just try from the next server
[20.03.2013 01:05:01] narko: but they’re going to SBL some big sites
[20.03.2013 01:05:02] narko: lol
[20.03.2013 01:05:47] Antitheist: it will create more damage if we list MTAs
[20.03.2013 01:06:06] narko: ok let’s see
[20.03.2013 01:06:20] narko:
[20.03.2013 02:16:57] narko: Cloudflare changed the ips
[20.03.2013 02:16:59] narko: put only 2 IPs now
[20.03.2013 02:17:05] narko: will move attack to these IPs
[20.03.2013 02:18:24] narko: also I have a friend with a small botnet. I asked him to contribute
[20.03.2013 02:19:45] Yuri: i see.
[20.03.2013 02:19:59] Yuri: i asked some hackers to assist also
[20.03.2013 02:20:31] narko: my friend is in saudi arabia. he has bots in arab regions. will provide some diversity to the attack.
[20.03.2013 02:20:52] Yuri: spamhaus sbl site is the high end of iceberg
[20.03.2013 02:21:11] Yuri: did you try to put down spamhas relates sites?
[20.03.2013 02:21:23] narko: after spamhaus.org main site :))
[20.03.2013 02:21:55] narko: i am just getting very annoyed at this company now
[20.03.2013 02:22:08] narko: i just received 2 minutes ago “We are sorry to inform that your account has been terminated.” from my host.
[20.03.2013 02:22:14] narko: due to SBL
[20.03.2013 02:22:43] Yuri: on what host?
[20.03.2013 02:22:52] narko: EuroVPS.com
[20.03.2013 02:23:02] Yuri: write me pm what do you need
[20.03.2013 03:13:26] narko: lets host here
[20.03.2013 03:13:38] narko:http://www.beltelecom.by/business/hosting/virtual-dedicated-server
[20.03.2013 03:13:45] narko: i dont think they can even speak english. to read the abuse report from spamhaus. 😀
[20.03.2013 03:14:03] Cali: lol
20.03.2013 17:07:45] eDataKing: lol
[20.03.2013 17:27:58] narko: looks like one of the cloudflare dc is down
[20.03.2013 17:28:08] narko: previously my connection to spamhaus was to amsterdam
[20.03.2013 17:28:10] narko: now it’s to paris :)
[20.03.2013 17:28:53] simomchen: keeping ddos them , then , cloudflare will cick SH out
[20.03.2013 17:29:03] narko: i am adding more
[20.03.2013 17:29:20] narko: if you know anyone with botnet – ask them to help too. there will be a point where even the $2000 cloudflare enterprise plan is not worth it to them.
[20.03.2013 17:31:42] simomchen: maybe someone joined us. SH released xxx is making ddos them. and some other guys saw this.but do not connect us. they was blackmailed by SH before. so , it’s a hidden retaliation time for them
[20.03.2013 17:32:04] narko: hope so
[20.03.2013 17:32:09] narko: it seems they split the load between 2 dc [datacenters] actually
[20.03.2013 17:32:12] Antitheist: who is ddosing them?
[20.03.2013 17:32:17] narko: spamhauas has 2 ip and 1 is amsterdam other is paris
[20.03.2013 17:32:18] Antitheist: where did you see it idear4business
[20.03.2013 17:33:16] Yuri: look, there too much people who is not active here. may be we could remove them from this chat ?
[20.03.2013 17:33:29] narko: yes I think that’s good idea. there’s some people who i have never seen one messaage
[20.03.2013 17:33:48] simomchen: they do not wanna to show their identity, just wanna to make retaliation. I guess those. can not seeing this. but at least , some of our clients also joined , and making ddos SH from China. they hate spamhaus , because SH made their domains ‘clent hold’ (over 50000 domains) in the passed year
[20.03.2013 17:33:49] Yuri: let’s create new one subchat and move there. how is the idea?
[20.03.2013 17:34:32] Antitheist: spamhaus made 500 of my domains hold
[20.03.2013 17:34:38] narko: everyone who has bp host
[20.03.2013 17:34:40] Antitheist: cnobin, its a bizcn reseller
[20.03.2013 17:34:46] narko: hijack the botnets of your clients and ddos spamhaus 😛
[20.03.2013 17:34:51] Antitheist: lol)))
[20.03.2013 17:35:14] narko: my experience with BP hosts – you can always get some free bots from whoever used the IP previously :))))
[20.03.2013 17:35:27] Antitheist: if you have the same panel
[20.03.2013 17:35:40] narko: well I just adapt my software to accept their commands
[20.03.2013 17:35:41] simomchen: no need to hijack , if our clients wanna to ddos someone , they will buy some botnets. it’s cheap in China , like 0.01 EUR/each
[20.03.2013 17:35:44] narko: most of them are not encrypted at all
[20.03.2013 17:35:45] NM: :)
[20.03.2013 17:35:50] simomchen: Sven also know that
[20.03.2013 17:35:56] narko: each bot?
[20.03.2013 17:36:01] simomchen: yes
[20.03.2013 17:36:06] simomchen: ADSL bot
[20.03.2013 17:36:10] narko: what is the upload speed of china ADSL?
[20.03.2013 17:36:16] simomchen: with dynamic IP
[20.03.2013 17:36:24] simomchen: just 50-100Kbps
[20.03.2013 17:36:40] narko: we need some netherland/sweden/romania bots 😛
[20.03.2013 17:36:49] narko: they have 100mbps or more
[20.03.2013 17:37:04] NM: In Russia too
[20.03.2013 17:37:33] simomchen: SH is not works in China till now. and sometime , they are going up down up down.
[20.03.2013 17:38:09] narko: spamhaus can make down .cn domains ?
[20.03.2013 17:38:18] Yuri: yes.
[20.03.2013 17:38:39] simomchen: our clients is selling something to EU and US, so , they do not use .cn
[20.03.2013 17:38:50] simomchen: usually , they use .com/net
[20.03.2013 17:39:16] narko: they should apply for a new tld
[20.03.2013 17:39:17] narko: .ugg
[20.03.2013 17:39:33] simomchen: yes
[20.03.2013 17:39:51] Antitheist: .rx
[20.03.2013 17:39:54] Yuri: )))))
[20.03.2013 17:40:09] Yuri: .ugg (y)
[20.03.2013 17:40:17] narko: (sun)
[20.03.2013 17:40:43] narko: i hosted botnets under .w2c.ru domain
[20.03.2013 17:41:10] narko: and the domain was not made down
[20.03.2013 17:41:34] Yuri: hey. wtf, it’s my domain :)
[20.03.2013 17:41:41] narko: yes I had dedicated server
[20.03.2013 17:41:44] narko: free subdomain
[20.03.2013 17:41:57] Yuri: :O:D
[20.03.2013 17:42:11] narko: but i needed to move
[20.03.2013 17:42:19] narko: because a big ISP in Europe blocked all your ip range 😛
[20.03.2013 17:42:26] narko: i lost half my bots
[20.03.2013 17:44:53] narko: ok. currently i have running against spamhaus:
[20.03.2013 17:45:15] narko: ~100Gbps UDP
~ 20M pps TCP
~ 65k req/s HTTP
distributed between the 2 IP
[20.03.2013 17:45:21] narko: cloudflare must remove them soon..
[20.03.2013 17:45:21] narko: cloudflare must remove them soon.
[20.03.2013 19:25:20] narko: i think spamhaus wrote to my pamyent processor
[20.03.2013 19:25:23] narko: has it happened before?
[20.03.2013 19:25:44] narko: an IP address started to browse my site. assigned to 2Checkout Inc. now my merchant account is put into a review status.
[20.03.2013 19:27:32] eDataKing: How did they get your processor’s info?
[20.03.2013 19:27:43] narko: they require it to be written in the site
[20.03.2013 19:27:48] narko: “Services provided by 2Checkout Inc”
[20.03.2013 19:27:51] eDataKing: Also, they tried that with my Paypal account for 3 years. We are still Top-Tier members
[20.03.2013 19:28:03] eDataKing: they reviewed the records and it took 6 hours to be restored
[20.03.2013 19:28:18] eDataKing: no other complaint ever made it past the first level of abuse
[20.03.2013 19:28:20] narko: lol
[20.03.2013 19:28:31] narko: someone called paypal and said i was threatening to kill them unless they paid me money
[20.03.2013 19:28:34] narko: and my account was limited for a week

====================================================================

At this point, Narko is sending between 150-300 Gbps of packet love at Cloudflare’s major datacenter Internet addresses. Cloudflare.com briefly goes offline. Cloudflare publishes a blog post stating that the attack was successfully handled and mitigated by Cloudflare. Narko disagrees, saying Cloudflare was able to mitigate the attack because he paused it. Spamhaus posts an update on the ongoing attacks, claiming that most of its operations are returning to normal.

Narko shares this screenshot in the chat forum. It shows that the attack on Cloudflare is at more than 100 Gbps, which is more than enough to knock most sites offline.

Narko shares this screenshot in the chat forum. It shows that the attack on Cloudflare is at more than 100 Gbps, which is more than enough to knock most sites offline.

20.03.2013 19:58:21] narko: did someone else start attack to cloudflare? their site is even down now :))
[20.03.2013 19:58:27] Yuri: we need to post it to the public, in twitter and etc?
[20.03.2013 20:33:19] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: we’ll just break the god damn internet if thats what it takes 😛
[20.03.2013 20:33:20] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[20.03.2013 20:46:19] eDataKing: http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
[20.03.2013 20:46:38] eDataKing: The DDoS That Knocked Spamhaus Offline (And How We Mitigated It)
[20.03.2013 20:46:43] eDataKing: they mitigated it?
[20.03.2013 20:46:45] eDataKing: news to me
[20.03.2013 20:47:11] eDataKing: hmm
[20.03.2013 20:47:12] eDataKing: CloudFlare’s own history grew out of Project Honey Pot, which started as an automated service to track the resources used by spammers and publishes the HTTP:BL.
[20.03.2013 20:47:21] eDataKing: good data
[20.03.2013 20:47:24] eDataKing: didn’t know that
[20.03.2013 20:48:53] eDataKing: Beginning on March 18th?
[20.03.2013 20:48:59] eDataKing: that is factually incorrect
[20.03.2013 20:51:11] narko: reading now
[20.03.2013 20:51:47] eDataKing: the attack did not start a day before their great admins mitigated it
[20.03.2013 20:51:54] eDataKing: is it even mitigated?
[20.03.2013 20:52:12] narko: hehehehe :)))))))))))))))))))))
[20.03.2013 20:52:15] narko: this is like 140Gbps
[20.03.2013 20:52:27] eDataKing: lol
[20.03.2013 20:52:37] eDataKing: don’t look like mitigation to me lol
[20.03.2013 20:52:57] eDataKing: Their article almost reads as a challenge
[20.03.2013 20:53:14] narko: I stopped the attack
[20.03.2013 20:53:25] narko: i am generating a new dns list. then I will start again and it will be over 200 gbps
[20.03.2013 20:53:30] narko: the current list is quite old

====================================================================

Narko grows concerned about getting busted because Andrew (eDataKing) mistakenly published on the anti-spam Google Group forum NANAE a screenshot that included Narko’s Skype screen name. Helpfully for the U.K. authorities closing in on him, Narko provides a link to view the screenshot that includes what he identifies as his Skype screen name.

Narko's screen as he's in the middle of launching attacks on Spamhaus. A portion of his Skype address at the time can be seen in the upper right corner of the screenshot.

Narko’s screen as he’s in the middle of launching attacks on Spamhaus. A portion of his Skype address at the time can be seen in the upper right corner of the screenshot.

20.03.2013 21:08:59] eDataKing: lol,
[20.03.2013 21:08:59] eDataKing: This morning at 09:47 UTC CloudFlare effectively dropped off the Internet. The outage affected all of CloudFlare’s services including DNS and any services that rely on our web proxy. During the outage, anyone accessing CloudFlare.com or any site on CloudFlare’s network would have received a DNS error. Pings and Traceroutes to CloudFlare’s network resulted in a “No Route to Host” error.
[20.03.2013 21:09:15] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: 😛
[20.03.2013 21:09:25] eDataKing: sry, that was on 03-03
[20.03.2013 21:09:27] eDataKing: not related
[20.03.2013 21:09:38] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: someone was doing it better than narko ?
[20.03.2013 21:09:40] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: wth
[20.03.2013 21:09:41] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[20.03.2013 21:09:48] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: get that guy in here too haha
[20.03.2013 21:09:57] eDataKing: wait to see what narko does next though
[20.03.2013 21:15:03] Yuri: spamhaus down ?
[20.03.2013 21:15:07] Yuri: cloudflare shows down
[20.03.2013 21:15:34] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: nope
[20.03.2013 21:15:38] eDataKing: nope
[20.03.2013 21:19:37] narko: we need to find more people.
[20.03.2013 21:19:49] narko: cloudflare network just has a lag with my attack
[20.03.2013 21:20:00] narko: my attack + some botnets will take them down entirely. then they have no choice but to kick spamhaus.
[20.03.2013 22:24:39] narko: who posted the screenshot on nanae please remove it
[20.03.2013 22:24:41] narko: it has written my skype name
[20.03.2013 22:24:59] narko: t.ravis
[20.03.2013 22:25:04] eDataKing: that was the indian
[20.03.2013 22:25:13] eDataKing: you said to post it
[20.03.2013 22:25:22] eDataKing: I’ll tell him
[20.03.2013 22:25:31] eDataKing: I don’t think it can be removed though
[20.03.2013 22:25:52] eDataKing: argh, why didn’t you edit that image?
[20.03.2013 22:26:01] eDataKing: I will be sure to check all images from here out
[20.03.2013 22:26:11] eDataKing: but doesn’t the image only say probing?
[20.03.2013 22:26:24] narko: no it has my skype username
[20.03.2013 22:26:27] narko: i didn’t expcet it to be posted
[20.03.2013 22:26:29] narko: i just said
[20.03.2013 22:26:31] narko: narko:
<<< http://i.imgur.com/prDIVYU.png — current status
[20.03.2013 22:27:51] Yuri: don’t see any info on screenshot
[20.03.2013 22:28:09] eDataKing: I see all but the last digit
[20.03.2013 22:28:16] eDataKing: enough to run a trace on that skype account
[20.03.2013 22:28:28] eDataKing: but nothing incriminating
[20.03.2013 22:28:48] eDataKing: don’t they already blame you though?
[20.03.2013 22:28:59] narko: no one on nanae/spamhaus knows about me
[20.03.2013 22:29:03] eDataKing: I’ll tell the indian to wait for approval bwefore posting anything else
[20.03.2013 22:29:16] eDataKing: I will also look at the images if there are any more screens
[20.03.2013 22:29:38] eDataKing: can you grab a new skype account and nix this one just in case?
[20.03.2013 22:29:44] narko: i am just worried. because it has my skype name < i am uploaded the image from my home connection, and FBI in USA already has a case on me ddosing before, they were going to people in america and asking them questions about me
[20.03.2013 22:29:44] narko: no
[20.03.2013 22:29:45] narko: its fine for me
[20.03.2013 22:29:48] narko: for now *
[20.03.2013 22:29:50] eDataKing: you said this one was for this session only right?
[20.03.2013 22:29:53] narko: yes
[20.03.2013 22:30:22] eDataKing: the image won’t have any hex code though because it is on imgur
[20.03.2013 22:30:24] Yuri: other solution – is to upload same imase from other IPs
[20.03.2013 22:30:31] eDataKing: yes
[20.03.2013 22:30:36] Yuri: so they have to think who is that was…
[20.03.2013 22:30:41] eDataKing: oh, gotcha
[20.03.2013 22:30:44] eDataKing: yeah
[20.03.2013 22:31:13] eDataKing: I am so used to be completly anon that I would have never imagined you imported that from home
[20.03.2013 22:31:54] eDataKing: can you delete it from imgur?
[20.03.2013 22:32:30] eDataKing: I want to mitigate any issues because the indian is my dude and I feel responsible for what he did
[20.03.2013 22:32:34] narko: no
[20.03.2013 22:32:37] narko: nothing will happen
[20.03.2013 22:32:41] narko: nothing has ever happened
[20.03.2013 22:40:58] narko: but I ran an illegal site (carding, ddos, etc) from 2010-2012 and 90% customers were US
[21.03.2013 03:40:43] narko: well i’m going to sleep
[21.03.2013 03:40:49] narko: wll attack cloudflare again tomorrow :)

====================================================================

Stophaus claims victory when Spamhaus moves off of Cloudflare’s network and over to Amazon. The Stophaus members begin planning their next move.

[21.03.2013 10:00:21] eDataKing: CBL (cbl,http://t.co/M9Jz8KKvi5) is up again, after a heavy DDOS. It is now protected through amazon cloud. #spamhaus
[21.03.2013 10:14:19] simomchen: so , SH have separated , and protedted by 2 cloud ?
[21.03.2013 10:14:54] eDataKing: yep
[21.03.2013 10:15:10] eDataKing: but they are only buying a short amlunt of time really
[21.03.2013 10:16:23] simomchen: they must have a contract with cloudflare and amazon , once ddos leave over 7 days. maybe, they will break the contract with these 2 companies
[21.03.2013 13:19:10] Antitheist: congratilations narko your SBL was removed
[21.03.2013 13:19:25] narko: after 3 days 😛 I’m still moving. I have server from new DC in russia now
[21.03.2013 13:19:31] Antitheist: pin?
[21.03.2013 13:19:34] narko: yes
[21.03.2013 13:20:02] narko: I will not deal with the british datacenters any more
[21.03.2013 13:20:08] narko: even swiftway didn’t give a shit about the SBL
[21.03.2013 13:20:18] narko: but Racksrv treats it like they’re the secret police
[21.03.2013 14:15:03] Yuri: looks spamhaus pissed off
they try to piss everywhere
[21.03.2013 14:15:07] Yuri: SBL179470
217.65.0.0/22 citytelecom.ru
21-Mar-2013 11:59 GMT
Spammer hosting (escalation)
[21.03.2013 14:15:30] narko: is this for providing connectivity to 2×4?
[21.03.2013 14:15:35] narko: or another
[21.03.2013 14:15:41] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: no this is for being russians haha
[21.03.2013 14:15:46] narko: lol
[21.03.2013 14:16:00] Yuri: he provide us and some others.
[21.03.2013 14:16:02] NM: i cant open their site
[21.03.2013 14:42:49] Yuri: i found why
——————
spamahost wrote yesturday in facebook.
One of our VPS nodes is undergoing a node transfer. We are moving the “Zeus” node to a different upstream (which now supports full emailing!), as well as upgraded hardware. Please check your emails for more information, as well as your client areas!
——————-
and his website was on our network.
[21.03.2013 14:42:57] Yuri: so spamhaus pissed on it.
[21.03.2013 15:17:13] narko: i go to feed my addiction to chinese food now.brb
[21.03.2013 15:17:40] narko: when i’m back in few minutes. let’s ddos some more shit
[21.03.2013 15:17:41] narko: (hug)

====================================================================

Spamhaus succeeds in getting Stophaus[dot]org suspended at the domain registry level. This angers Prinz Sven, who begins coming unglued — threatening to attack or harm the domain registrar and anyone else involved in the suspension. Sven even goes so far as to post a manifesto on his Facebook account, taking on the persona of a pirate and lobbing threats of additional DDoS attacks as well as physical violence against Spamhaus members.

[21.03.2013 17:35:41] Antitheist: fuckers
[21.03.2013 17:35:42] narko: fuck! how they did this
[21.03.2013 17:35:56] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: hmm?
[21.03.2013 17:35:57] Antitheist: who are ahnames?
[21.03.2013 17:36:02] narko: advanced hosters ltd
[21.03.2013 17:36:13] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: say what
[21.03.2013 17:36:18] narko: the domain is suspended
[21.03.2013 17:36:22] narko: by the registrar
[21.03.2013 17:36:45] Antitheist: what kind of a shit registrar was it
[21.03.2013 17:36:59] narko: www.ahnames.com
[21.03.2013 17:37:03] Antitheist: webnames.ru or naunet.ru are pissing on spamhaus
[21.03.2013 17:37:13] Antitheist: had to get domain from them
[21.03.2013 17:37:19] narko: well now nothing can be done
[21.03.2013 17:37:21] Antitheist: its still possible to transfer
[21.03.2013 17:37:37] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: then do so
[21.03.2013 17:37:44] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: to -their- domain registrar 😛
[21.03.2013 17:37:56] narko: gandi is a bad registrar
[21.03.2013 17:46:33] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: Domain Name: STOPHAUS.COM

Abuse email: abuse@ahnames.com

DOMAIN SUSPENDED DUE TO VIOLATION OF OUR TOS
Arr! · · Promote
now turn it back on before we send those 80gbit/s down your ass.
[21.03.2013 17:47:02] narko: you have very big balls
[21.03.2013 17:47:12] narko: writing ddos threads on facebook? I would not even do that and I am the person doing th attacks 😛 lol
[21.03.2013 17:47:21] narko: threats *
[21.03.2013 17:47:33] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: who cares, they just ddossed us 😛
[21.03.2013 17:47:40] Yuri: most men in this chat are with big balls.
[21.03.2013 17:47:40] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: by disabling the domain without a proper excuse
[21.03.2013 17:47:44] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: so might as well disable theirs
[21.03.2013 17:47:53] eDataKing: what’s wrong with ahnames?
[21.03.2013 17:47:56] eDataKing: what did they do?
[21.03.2013 17:47:59] narko: they banned the domain
[21.03.2013 17:48:01] Yuri: did somebody stoped our domain ?
[21.03.2013 17:48:02] narko: suspended it
[21.03.2013 17:48:09] Yuri: wtf
[21.03.2013 17:48:10] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: actually i threattened to have steve linford terminated physically a minute before that on my own profile
[21.03.2013 17:48:11] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[21.03.2013 17:48:14] Yuri: we could change to RU
[21.03.2013 17:48:17] Yuri: stophaus.ru
[21.03.2013 17:48:19] Goo: xD
[21.03.2013 17:48:19] eDataKing: then we should hit them
[21.03.2013 17:48:21] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: just call them and have em turn it back on
[21.03.2013 17:48:26] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: or else we take THEM down
[21.03.2013 17:48:29] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: simple as that
[21.03.2013 17:48:32] narko: we need .com back because it’s already in google, linked in pages, etc
[21.03.2013 17:48:32] eDataKing: suspending the domain is a direct challenge
[21.03.2013 17:48:41] eDataKing: yes, the .com needs up
[21.03.2013 17:49:01] eDataKing: We need to contact ahnames and tell them to allow us to transfer the domain
[21.03.2013 17:49:06] Yuri: we need to transfer it to nic.ru
[21.03.2013 17:49:07] eDataKing: they have allowed it before
[21.03.2013 17:49:13] Yuri: they not slose it.
[21.03.2013 17:49:16] narko: domain transfer takes 5-6 days
[21.03.2013 17:49:18] Yuri: they have balls
[21.03.2013 17:49:21] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: im going to announce ALL of their motherfucking nameservers.
[21.03.2013 17:49:25] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: need to make some changes
[21.03.2013 17:49:27] Yuri: ok
[21.03.2013 17:49:31] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: hmm wait better not do that lol
[21.03.2013 17:49:40] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: that ehm would cost us quite a few peerings haha
[21.03.2013 17:49:49] eDataKing: no, it is way faster
[21.03.2013 17:49:58] narko: it doesnt mtater
[21.03.2013 17:50:00] narko: matter
[21.03.2013 17:50:04] narko: you are already offline from most locations
[21.03.2013 17:50:05] narko: :))
[21.03.2013 17:50:27] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: they responded
[21.03.2013 17:50:50] narko: facebook asks me to log in to see it
[21.03.2013 17:50:51] narko: what a joke
[21.03.2013 17:50:56] narko: i will never register to that site
[21.03.2013 17:51:50] eDataKing: if we show them that we will not tolerate them playing spamhaus games they may see that it could cost them to do so
[21.03.2013 17:52:19] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: Sven Olaf Kamphuis how about, its not a question, we know damn well that steve linford of spamhaus has been spreading lies again, this here undermines our freedom of speech, after all there is nothing on that forum that isn’t done 904903 times as much by spamhaus itself… so, if you’re not with us, you’re against us. turn it back on or we turn YOU OFF.
a few grains o’ sand ago · Arr!
Sven Olaf Kamphuis there is no clause in your TOS that states you have to be friends with ‘spamhaus’
a few grains o’ sand ago · Arr!
Sven Olaf Kamphuis so take your pick… 80gbit/s up your ass, orrrr… turning the domain back on
a few grains o’ sand ago · Arr!
[21.03.2013 17:52:25] eDataKing: perfect Sven
[21.03.2013 17:52:29] eDataKing: that is what they need to hear
[21.03.2013 17:53:01] Yuri: stophaus.org also our domain?
[21.03.2013 17:53:17] Goo: haha nice sven
[21.03.2013 17:53:22] Goo: they will be scared
[21.03.2013 17:53:32] Goo: otherwise they’re fucked haha
[21.03.2013 17:53:56] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: send them a few packets so they know
[21.03.2013 17:54:03] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: narko: ddos on that ahnames for like 1 minute
[21.03.2013 17:54:04] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: 😛
[21.03.2013 17:54:05] Yuri: also .to – they will not close, they ignore everything
[21.03.2013 17:54:30] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: we;re not gonna change the god damn domain name
[21.03.2013 17:54:35] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: we’re gonna make them turn it back on
[21.03.2013 17:54:37] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: simple as that.
[21.03.2013 17:56:16] Goo: i’m bored, shall i hack spamhaus?
[21.03.2013 17:56:27] Yuri: +1
[21.03.2013 17:56:39] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: goo: sure 😛
[21.03.2013 17:56:44] Goo: alright
[21.03.2013 17:56:48] Goo: Goo grabs some donuts
[21.03.2013 17:56:55] Goo: let do this
[21.03.2013 17:57:34] eDataKing: ok, I just collabed with my buddy here he has a good sugg.
[21.03.2013 18:15:24] Cali: your stophaus is offline.
[21.03.2013 18:15:25] Cali: what happened?
[21.03.2013 18:15:37] narko: the domain got suspended by the registrar
[21.03.2013 18:15:47] Cali: lame.
[21.03.2013 18:16:07] Cali: but you should have never registered a .com
[21.03.2013 18:16:23] Antitheist: its not about the tld its about the registrar
[21.03.2013 18:16:55] Antitheist: normal registrar will not suspend domains because of some stupid threats
[21.03.2013 18:17:33] Yuri: Cali, go other chat
[21.03.2013 18:17:40] Yuri: new one
[21.03.2013 18:17:43] Cali: well if it has not been suspended by the .tld then that’s even more lame.
[21.03.2013 18:17:53] Cali: new one?
[21.03.2013 18:18:25] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: as far as i recall marco rinaudo ran a registrar…
[21.03.2013 18:42:32] Valeriy Uhov: today spamhaus very angry
[21.03.2013 18:42:37] Valeriy Uhov: lists everybody
[21.03.2013 18:43:00] narko: yes they listed /25 of hostkey and /25 of burstnet
[21.03.2013 18:43:02] narko: really angry 😀
[21.03.2013 18:43:14] eDataKing: yeah, they are definitely fighting back
[21.03.2013 18:43:18] Yuri: spamhaus should be blind
[21.03.2013 18:43:39] Yuri: we can make a lit what spamhaus can;t close
[21.03.2013 18:43:44] eDataKing: but why wouldn’t they…this is very likely to be their version of Custard’s Last Stand
[21.03.2013 18:44:11] Yuri: like twitter, email account, icq, facebook, home LAN ADSL IP, domains in the next zones like .ru, .su, .to
[21.03.2013 18:44:27] Valeriy Uhov: .ru and .su it closes
[21.03.2013 18:44:39] Yuri: if botnets- yes. its ok.
[21.03.2013 18:44:45] Yuri: but for other things – they can’t close.
[21.03.2013 18:44:49] Yuri: my layer is the guard.
[21.03.2013 18:44:51] Valeriy Uhov: they close for spam
[21.03.2013 18:44:53] Valeriy Uhov: etc
[21.03.2013 18:44:59] eDataKing: what is spam again?
[21.03.2013 18:45:37] Yuri: for INFORMATION: write to other one chat
[21.03.2013 18:45:47] Valeriy Uhov: which one?
[21.03.2013 18:46:09] Valeriy Uhov: http://en.wikipedia.org/wiki/Spam
[21.03.2013 18:48:50] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: steve linford has -6- people on facebook that like his wikipedia page.
[21.03.2013 18:48:53] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: -6- 😛
[21.03.2013 18:48:56] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: so why even bother lol
[22.03.2013 04:18:56] valeralelin: http://clip2net.com/s/4MLYWZ
[22.03.2013 04:41:13] narko: (party)
[22.03.2013 04:46:07] valeralelin: i can get more documents about sh
[22.03.2013 04:50:22] narko: get a document with his real address on it
[22.03.2013 04:50:25] narko: not some virtual offices
[22.03.2013 04:54:08] edataking: let me see that one
[22.03.2013 04:54:17] edataking: post under his name in the records area
[23.03.2013 16:41:24] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: its running into the 95% percentile bandwith billing on cloudflare’s transits atm
[23.03.2013 16:41:43] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: and cloudflare has network issues, so at some point they’ll have to boot spamhaus as it affects their other clients
[23.03.2013 16:42:00] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: at which point, spamhaus has nowhere else to go that can cover them 😛
[23.03.2013 16:42:13] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: i doubt google is stupid enough to take them lol 😛

====================================================================

The Skype chat goes quiet at this point and resumes four weeks later. Narko’s worries about his Skype screen name showing up in a screenshot that eDataKing posted to anti-spam forum turn out to be warranted: It is this very screenshot that authorities in the United Kingdom use to later track him down and arrest him.

In April 2013, Kamphuis is arrested in Spain and eventually sent back to the Netherlands, where he is currently on trial. He publicly denies being involved in launching the attacks on Spamhaus.

Narko was a juvenile when he was arrested by the U.K.’s National Crime Agency (NCA); when the NCA raided Narko’s home, they found his computer still logged in to crime forums, and they seized £70,000 from his bank account (believed to be payments for DDoS attacks). Narko later pleaded guilty to coordinating the attacks, but because of his age and in return for cooperating with the NCA he avoided a jail term.

[26.04.2013 18:36:32] Hephaistos: guys
[26.04.2013 18:36:49] Hephaistos: I just got noticed in the news that sven got arrested
[26.04.2013 18:39:39] ??????? ?????: where in the new
[26.04.2013 18:39:39] ??????? ?????: news
[26.04.2013 18:40:40] Hephaistos:
http://translate.google.be/translate?sl=nl&tl=en&u=http%3A%2F%2Fwww.telegraaf.nl%2Fbinnenland%2F21518021%2F
__Nederlander_aangehouden_in_Spanje_vanwege_cyberaanvallen__.html
[26.04.2013 18:40:43] Hephaistos: dutch news
[26.04.2013 18:45:05] Hephaistos: his large-scale DDoS attacks last
month were also performed on Spamhaus partners in the Netherlands, the
United States and Great Britain. The attackers were using fake IP addresses.
As yet, no evidence that the cyber attack on Spamhaus related to the
attacks are later deployed to include banks, payment system iDeal and
DigiD. The house of the suspect, who lives in Barcelona, ??is examined.
Is expected to K. transferred to the Dutch Public Prosecution Service.
[26.04.2013 19:12:40] Hephaistos: http://translate.google.be/translate?sl=nl&tl=en&u=http%3A//www.om.nl/actueel/nieuws-persberichten/@160856/nederlander/
[26.04.2013 19:18:48] The STOPhaus Movement: I thought something was wrong
[26.04.2013 19:19:02] The STOPhaus Movement: is he arrested or just being searched and forensics?
[26.04.2013 19:19:13] Hephaistos: arrested
[26.04.2013 19:19:19] The STOPhaus Movement:
[26.04.2013 19:19:21] Hephaistos: as far as I can see.
[26.04.2013 19:19:33] Hephaistos: it goes off in twitter
[26.04.2013 19:19:39] The STOPhaus Movement: everyone else is ok though right?
[26.04.2013 19:19:45] Hephaistos: on irc anonops there is a channel #freecb3rob
[26.04.2013 19:19:54] Hephaistos: https://twitter.com/freecb3rob
[26.04.2013 19:20:06] Hephaistos: well I have not seen Narko for 2 days.
[26.04.2013 19:20:16] The STOPhaus Movement:
[26.04.2013 19:20:27 |changed 19:20:34] The STOPhaus Movement: we need an update from him
[26.04.2013 19:20:59] The STOPhaus Movement: narko is never offline that long
[26.04.2013 19:21:26] Hephaistos: thing is that I cannot connect to his irc server either.
[26.04.2013 19:21:56] The STOPhaus Movement: I thought anonops was talking shit about Sven promoting CB via STOP when I saw the chatroom?
[26.04.2013 19:22:12 | changed 19:22:22] The STOPhaus Movement: Now there is a channel. I am glad, but that’s some flip-flop stuff right there
[26.04.2013 19:22:14] Hephaistos: well I created the channel
[26.04.2013 19:22:22] Hephaistos: if they have a problem with me .. bring it on
[26.04.2013 19:22:22] The STOPhaus Movement: oh ok
[26.04.2013 19:22:29] The STOPhaus Movement: lulz
[26.04.2013 19:22:40] The STOPhaus Movement: Self-righteous assholes
[26.04.2013 19:28:44] Cali: Sven from cb3rob has been arrested.
[26.04.2013 19:40:19] Hephaistos: Sven = cb3rob
[26.04.2013 19:40:47] Cali: yeah
[26.04.2013 19:40:49] Cali: so he’s been stopped
[26.04.2013 19:40:52] Cali: in Spain.
[26.04.2013 19:40:57] Hephaistos: yes
[26.04.2013 19:41:05] NM: Is it truth? Not fake?
[26.04.2013 19:41:13] Cali: it is in dutch news.
[26.04.2013 19:41:16] Hephaistos: it is truth
[26.04.2013 19:41:21] Hephaistos: and all over twitter
[26.04.2013 19:43:13] Hephaistos: https://twitter.com/search?q=%23freecb3rob&src=hash
[26.04.2013 20:27:00] Hephaistos: http://www.ibtimes.co.uk/articles/461848/20130426/spamhaus-suspect-arrests-spain-kamphuis.htm
[26.04.2013 20:29:30] Yuri: heh.
[26.04.2013 20:30:07] Hephaistos: On twitter “Sven Olaf Kamphuis #freecb3rob possible source behind
record braking 300gbps #DDos arrested. #Anonymous will now try and break that record!”
[26.04.2013 20:32:31] Cali: So, it has made some PR for spamhaus.
[26.04.2013 20:32:37] Cali: that sucks.
[26.04.2013 20:34:06] Hephaistos: negative is still good.
[26.04.2013 20:34:36] Cali: this information has gone to press and media.
[26.04.2013 20:34:48] Cali: thus to the people
[26.04.2013 20:34:58] Hephaistos: well once they read what stophaus is.
[26.04.2013 20:35:05] Cali: who are at 90% dumb.
[26.04.2013 20:35:09] Hephaistos: true
[26.04.2013 20:35:14] Hephaistos: You got a point there
[26.04.2013 20:35:15] Cali: So now that make them think that spamhaus is doing well.
[26.04.2013 20:41:22] Hephaistos: pastebin.com/qzhcE1nV
[26.04.2013 20:41:25] Hephaistos: more badnews
[26.04.2013 20:41:56] Cali: Who has written that?
[26.04.2013 20:42:09] Hephaistos: I have no idea.
[26.04.2013 20:42:23] Hephaistos: its over the news everyone is freaking out
[26.04.2013 20:42:25] Cali: It seems to have be written by a 12 years old.
[26.04.2013 20:42:31] Cali: been*
[26.04.2013 20:42:52] Hephaistos: correct, seems like a trol to me. But tell that to the media
[26.04.2013 20:43:03] Hephaistos: and the 90% dumb people
[26.04.2013 20:43:09] Cali: Also I don’t understand.
[26.04.2013 20:43:23] Cali: How is it possible to get such reflection in media by posting something on pastebin?
[26.04.2013 20:43:37] Cali: So if I post that I am going to attack the U.S on pastebin, I would be in the news?
[26.04.2013 20:43:58] Hephaistos: Well, thing is that people think that banks will be ddosed and cannot get their
money. So their hoping that there will be a bankrun.
[26.04.2013 20:44:45] Cali: It is very doubtful that DDoSing the website of a bank will prevent the bank from operating.
[26.04.2013 20:46:45] Hephaistos: it will cost the bank money
[26.04.2013 20:47:32] Cali: Maybe to crap bank.
[26.04.2013 20:48:07] Cali: it will be insignifiant
[26.04.2013 20:48:11] Cali: insignificant.
[26.04.2013 18:21:36] Erik Bais: http://www.om.nl/actueel/nieuws-persberichten/@160856/nederlander/
[26.04.2013 18:26:15] Yuri: wtf
[26.04.2013 18:26:42] Yuri: is that about sven?
[26.04.2013 18:26:53] Erik Bais: looks like it.
[26.04.2013 18:27:03] NM: what does it mean?)))
[26.04.2013 18:28:17] Yuri: looks like some new that somebody got arrested becouse of some attacks of spamhaus…
heh… looks spamhaus has long hands.
[26.04.2013 18:29:49] Yuri: not so fine.
[26.04.2013 18:31:11] Yuri: afk
[26.04.2013 18:31:44] Yuri: Eric, can you call Sven and check if he is available?
[26.04.2013 18:31:55] Erik Bais: yes.
[26.04.2013 18:32:30] Erik Bais: I also just asked Twisted on Skype. he didn’t knew about it..
He hasn’t spoken to him yet today (he did yesterday) ..
[26.04.2013 18:33:59] Erik Bais: his spanish nr is not working (I get a message in spanish .. ) could be because the number is off.
[26.04.2013 21:51:16] Erik Bais: http://pastebin.com/qzhcE1nV
[26.04.2013 21:51:51] Erik Bais: http://www.telegraaf.nl/binnenland/21518021/__Arrest_NL_er_cyberaanvallen__.html
[26.04.2013 21:52:11] Erik Bais: http://tweakers.net/nieuws/88767/nederlander-opgepakt-voor-ddos-aanvallen-spamhaus.html
[26.04.2013 21:53:32] Erik Bais: http://krebsonsecurity.com/2013/04/dutchman-arrested-in-spamhaus-ddos/
[26.04.2013 21:53:50] Yuri: shit is going on..
[26.04.2013 21:56:17] Erik Bais: where did the pastbin thing came from ? Any idea ?
[26.04.2013 22:02:14] Yuri: don’t know
[26.04.2013 22:02:46] Yuri: may be we should use other system for chat?
[26.04.2013 22:18:07] Erik Bais: they have taken all his phones, data carriers and servers / computers located in Spain..
[26.04.2013 22:18:24] WebExxpurts: what is patebin
[26.04.2013 22:18:25] WebExxpurts: pastebin
[26.04.2013 22:18:39] Erik Bais: [26 April 2013 21:51] Erik Bais: <<< http://pastebin.com/qzhcE1nV
[26.04.2013 22:18:50] WebExxpurts: i mean who created that?
[26.04.2013 22:19:21] Erik Bais: no idea. I got it pasted from someone.. and it is also linked in various media outings on the Netherlands.
[26.04.2013 22:20:27] WebExxpurts: who is someone? that is interested
[26.04.2013 22:20:33] WebExxpurts: what sven did?
[26.04.2013 22:20:53] WebExxpurts: nonsense reports
[26.04.2013 22:21:20] Erik Bais: I got it from Xennt
[26.04.2013 22:21:45] Erik Bais: the owner of Cyberbunker. he got it linked by someone (I don’t know who. )
[26.04.2013 22:24:55] WebExxpurts: i m sure that sven is mistaken identity and authority have made mistake

====================================================================

To my knowledge, nobody else associated with this attack has been arrested or brought to justice. This chat log is fascinating because it highlights how easy it has been and remains for cybercriminals to commit massively disruptive attacks and get away with it.

These days, some of the biggest and most popular DDoS attack resources are in the hands of a few young men operating DDoS-for-hire “booter” or “stresser” services that in some cases accept both credit cards and PayPal, as well as Bitcoin. An upcoming investigation to be published soon by KrebsOnSecurity will provide perhaps the most detailed look yet at the this burgeoning and quite profitable industry. Stay tuned!

Further reading (assuming your eyes still work after this wall of text):

The Guardian: The Man Accused of Breaking the Internet

The Daily Beast: Yeah, We Broke the Internet: The Inside Story of the Biggest Attack Ever

Also, if you enjoy reading this kind of thing, you’ll probably get a kick out of Spam Nation.

Update, 7:40 p.m. ET: Corrected reference to NANAE anti-spam list.

Call me Ishmael

Post Syndicated from Lorna Lynch original https://www.raspberrypi.org/blog/call-me-ishmael/

“I write this sitting in the kitchen sink”. “It was the best of times, it was the worst of times”. “When Gregor Samsa woke one morning from troubled dreams, he found himself transformed right there in his bed into some sort of monstrous insect”. “It was the day my grandmother exploded”. The opening line of a novel can catch our attention powerfully, and can stay with us long after the book itself is finished. A memorable first line is endlessly quotable, and lends itself to parody (“It is a truth universally acknowledged that a zombie in possession of brains must be in want of more brains”). Sometimes, a really cracking first line can even inspire a group of talented people to create a unique and beautiful art object, with a certain tiny computer at its heart. 

IMG_5975

Stephanie Kent demonstrates the Call Me Ishmael Phone at ALA 2016

If you read the roundup of our trip to ALA 2016, you will already have caught a glimpse of this unusual Pi-powered project: the Call Me Ishmael Phone. The idea originated back in 2014 when founders Logan Smalley and Stephanie Kent were discussing their favourite opening lines of books: they were both struck by Herman Melville’s laconic phrase in Moby Dick, and began wondering, “What if Ishmael had a phone number? What if you actually could call him?” Their Call Me Ishmael project began with a phone number (people outside the US can Skype Ishmael instead), an answering machine, and an invitation to readers to tell Ishmael a story about a book they love, and how it has shaped their life. The most interesting, funny, and poignant stories are transcribed by Stephanie on a manual typewriter and shared on social media. Here’s a playlist of some of the team’s favourites: 

Having created Ishmael’s virtual world, Stephanie and Logan collaborated with artist and maker Ayodamola Okunseinde to build the physical Call Me Ishmael Phone. Ayo took a commercially available retro-style telephone and turned it into an interactive book-recommendation device. For the prototype, he used a Raspberry Pi 2 Model B, but the production model of the phone uses the latest Pi 3. He explains, “we have a USB stick drive connected to the Pi that holds audio files, configuration, and identification data for each unit. We also have a small USB-powered speaker that amplifies the audio output from the Pi”. The Pis are controlled by a Python script written by programmer Andy Cavatorta.

CMI-Phone-in-Shop_Steph_Andy_Ayo-min-min

Stephanie, Andy, and Ayo in the workshop. 

The phone can be installed in a library, bookshop, or another public space. The phone is loaded with a number of book reviews, some mapped to individual buttons on the phone, and some which can be selected at random. When a person presses the dial buttons on the phone, the GPIO pins detect the input. This subsequently triggers an audio file to play. If, during play, another button is pressed, the Pi switches audio output to the associated button. Hanging up the phone causes the termination of the playing audio file. The system consists of several units in different locations that have audio and data files pushed to them daily from a control server. The system also has an app that allows users to push and pull content from individual Pis as well as triggering a particular phone to ring.

CMI-Phone-Avid-center-floor-stand-flush-right-min-min

The finished unit installed in a bookshop.

The Call Me Ishmael Phone is a thoughtful project which uses the Raspberry Pi in a very unusual way: it’s not often that programming and literature intersect like this. We’re delighted to see it, and we can’t wait to see what ways the makers might come up with to use the Raspberry Pi in future. And if you have a book which has changed your life, why not call Ishmael and share your story?

The post Call me Ishmael appeared first on Raspberry Pi.

The NSA is Hoarding Vulnerabilities

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/08/the_nsa_is_hoar.html

The National Security Agency is lying to us. We know that because of data stolen from an NSA server was dumped on the internet. The agency is hoarding information about security vulnerabilities in the products you use, because it wants to use it to hack others’ computers. Those vulnerabilities aren’t being reported, and aren’t getting fixed, making your computers and networks unsafe.

On August 13, a group calling itself the Shadow Brokers released 300 megabytes of NSA cyberweapon code on the internet. Near as we experts can tell, the NSA network itself wasn’t hacked; what probably happened was that a “staging server” for NSA cyberweapons ­ that is, a server the NSA was making use of to mask its surveillance activities ­ was hacked in 2013.

The NSA inadvertently resecured itself in what was coincidentally the early weeks of the Snowden document release. The people behind the link used casual hacker lingo, and made a weird, implausible proposal involving holding a bitcoin auction for the rest of the data: “!!! Attention government sponsors of cyber warfare and those who profit from it !!!! How much you pay for enemies cyber weapons?”

Still, most people believe the hack was the work of the Russian government and the data release some sort of political message. Perhaps it was a warning that if the US government exposes the Russians as being behind the hack of the Democratic National Committee ­ or other high-profile data breaches ­ the Russians will expose NSA exploits in turn.

But what I want to talk about is the data. The sophisticated cyberweapons in the data dump include vulnerabilities and “exploit code” that can be deployed against common internet security systems. Products targeted include those made by Cisco, Fortinet, TOPSEC, Watchguard, and Juniper ­ systems that are used by both private and government organizations around the world. Some of these vulnerabilities have been independently discovered and fixed since 2013, and some had remained unknown until now.

All of them are examples of the NSA ­ despite what it and other representatives of the US government say ­ prioritizing its ability to conduct surveillance over our security. Here’s one example. Security researcher Mustafa al-Bassam found an attack tool codenamed BENIGHCERTAIN that tricks certain Cisco firewalls into exposing some of their memory, including their authentication passwords. Those passwords can then be used to decrypt virtual private network, or VPN, traffic, completely bypassing the firewalls’ security. Cisco hasn’t sold these firewalls since 2009, but they’re still in use today.

Vulnerabilities like that one could have, and should have, been fixed years ago. And they would have been, if the NSA had made good on its word to alert American companies and organizations when it had identified security holes.

Over the past few years, different parts of the US government have repeatedly assured us that the NSA does not hoard “zero days” ­ the term used by security experts for vulnerabilities unknown to software venders. After we learned from the Snowden documents that the NSA purchases zero-day vulnerabilities from cyberweapons arms manufacturers, the Obama administration announced, in early 2014, that the NSA must disclose flaws in common software so they can be patched (unless there is “a clear national security or law enforcement” use).

Later that year, National Security Council cybersecurity coordinator and special adviser to the president on cybersecurity issues Michael Daniel insisted that US doesn’t stockpile zero days (except for the same narrow exemption). An official statement from the White House in 2014 Vulnerabilities Equities Process (VEP). It’s an inter-agency process, and it’s complicated.

There is a fundamental tension between attack and defense. The NSA can keep the vulnerability secret and use it to attack other networks. In such a case, we are all at risk of someone else finding and using the same vulnerability. Alternatively, the NSA can disclose the vulnerability to the product vendor and see it gets fixed. In this case, we are all secure against whoever might be using the vulnerability, but the NSA can’t use it to attack other systems.

There are probably some overly pedantic word games going on. Last year, the NSA said that it discloses 91 percent of the vulnerabilities it finds. Leaving aside the question of whether that remaining 9 percent represents 1, 10, or 1,000 vulnerabilities, there’s the bigger question of what qualifies in the NSA’s eyes as a “vulnerability.”

Not all vulnerabilities can be turned into exploit code. The NSA loses no attack capabilities by disclosing the vulnerabilities it can’t use, and doing so gets its numbers up; it’s good PR. The vulnerabilities we care about are the ones in the Shadow Brokers data dump. We care about them because those are the ones whose existence leaves us all vulnerable.

Because everyone uses the same software, hardware, and networking protocols, there is no way to simultaneously secure our systems while attacking their systems ­ whoever “they” are. Either everyone is more secure, or everyone is more vulnerable.

If the NSA believes no one else will find a vulnerability it has identified, it may decline to make it public. It’s an evaluation prone to both hubris and optimism.

Pretty much uniformly, security experts believe we ought to disclose and fix vulnerabilities. And the NSA continues to say things that appear to reflect that view, too. Recently, the NSA told everyone that it doesn’t rely on zero days ­ very much, anyway.

Earlier this year at a security conference, Rob Joyce, the head of the NSA’s Tailored Access Operations (TAO) organization ­ basically the country’s chief hacker ­ gave a rare public talk, in which he said that credential stealing is a more fruitful method of attack than are zero days: “A lot of people think that nation states are running their operations on zero days, but it’s not that common. For big corporate networks, persistence and focus will get you in without a zero day; there are so many more vectors that are easier, less risky, and more productive.”

The distinction he’s referring to is the one between exploiting a technical hole in software and waiting for a human being to, say, get sloppy with a password.

A phrase you often hear in any discussion of the Vulnerabilities Equities Process is NOBUS, which stands for “nobody but us.” Basically, when the NSA finds a vulnerability, it tries to figure out if it is unique in its ability to find it, or whether someone else could find it, too. If it believes no one else will find the problem, it may decline to make it public. It’s an evaluation prone to both hubris and optimism, and many security experts have cast doubt on the very notion that there is some unique American ability to conduct vulnerability research.

The vulnerabilities in the Shadow Brokers data dump are definitely not NOBUS-level. They are run-of-the-mill vulnerabilities that anyone ­ another government, cybercriminals, amateur hackers ­ could discover, as evidenced by the fact that many of them were discovered between 2013, when the data was stolen, and this summer, when it was published. They are vulnerabilities in common systems used by people and companies all over the world.

So what are all these vulnerabilities doing in a secret stash of NSA code that was stolen in 2013? Assuming the Russians were the ones who did the stealing, how many US companies did they hack with these vulnerabilities? This is what the Vulnerabilities Equities Process is designed to prevent, and it has clearly failed.

If there are any vulnerabilities that ­ according to the standards established by the White House and the NSA ­ should have been disclosed and fixed, it’s these. That they have not been during the three-plus years that the NSA knew about and exploited them ­ despite Joyce’s insistence that they’re not very important ­ demonstrates that the Vulnerable Equities Process is badly broken.

We need to fix this. This is exactly the sort of thing a congressional investigation is for. This whole process needs a lot more transparency, oversight, and accountability. It needs guiding principles that prioritize security over surveillance. A good place to start are the recommendations by Ari Schwartz and Rob Knake in their report: These include a clearly defined and more public process, more oversight by Congress and other independent bodies, and a strong bias toward fixing vulnerabilities instead of exploiting them.

>And as long as I’m dreaming, we really need to separate our nation’s intelligence-gathering mission from our computer security mission: We should break up the NSA. The agency’s mission should be limited to nation state espionage. Individual investigation should be part of the FBI, cyber war capabilities should be within US Cyber Command, and critical infrastructure defense should be part of DHS’s mission.

I doubt we’re going to see any congressional investigations this year, but we’re going to have to figure this out eventually. In my 2014 book Data and Goliath, I write that “no matter what cybercriminals do, no matter what other countries do, we in the US need to err on the side of security by fixing almost all the vulnerabilities we find. …” Our nation’s cybersecurity is just too important to let the NSA sacrifice it in order to gain a fleeting advantage over a foreign adversary

This essay previously appeared on Vox.com.

FBI-Controlled Megaupload Domain Now Features Soft Porn

Post Syndicated from Ernesto original https://torrentfreak.com/fbi-controlled-megaupload-domain-now-features-soft-porn-160826/

fbiantiMegaupload was shutdown nearly half a decade ago, but all this time there has been little progress on the legal front.

Last December a New Zealand District Court judge ruled that Kim Dotcom and his colleagues can be extradited to the United States to face criminal charges, a decision that will be appealed shortly.

With the criminal case pending, the U.S. Government also retains control over several of the company’s assets.

This includes cash, cars, but also over a dozen of Megaupload’s former domain names, including Megastuff.co, Megaclicks.org, Megaworld.mobi, Megaupload.com, Megaupload.org, and Megavideo.com.

Initially, the domains served a banner indicating they had been seized as part of a criminal investigation. However, those who visit some of the sites today are in for a surprise.

This week we discovered that Megaupload.org is now hosting a site dedicated to soft porn advertisements. Other seized domains are also filled with ads, including Megastuff.co, Megaclicks.org, and Megaworld.mobi.

Megaupload?

megauploaorg

Interestingly, this all happened under the watch of the FBI, which is still listed as the administrative and technical contact for the domain names in question.

So how can this be?

Regular readers may recall that something similar happened to the main Megaupload.com domain last year. At the time we traced this back to an expired domain the FBI used for their nameservers, Cirfu.net.

After Cirfu.net expired, someone else took over the domain name and linked Megaupload.com to scammy ads. The U.S. authorities eventually fixed this by removing the nameservers altogether, but it turns out that they didn’t do this for all seized domains.

A few weeks ago the Cirfu.net domain expired once more and again it was picked up by an outsider. This unknown person or organization parked it at Rook Media, to generate some cash from the FBI-controlled domains.

As can be seen from the domain WHOIS data, Megaupload.org still uses the old Cirfu.net nameservers, which means that an outsider is now able to control several of the seized Megaupload domain names.

cirfu

The ‘hijacked’ domains don’t get much traffic but it’s still quite embarrassing to have them linked to ads and soft porn. Commenting on our findings, Kim Dotcom notes that the sloppiness is exemplary of the entire criminal case.

“Their handling of the Megaupload domain is a reflection of the entire case: Unprofessional,” Dotcom tells us.

What’s clear is that the U.S. authorities haven’t learned from their past mistakes. It literally only takes a few clicks to update the nameserver info and reinstate the original seizure banner. One would assume that the FBI has the technical capabilities to pull that off.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Priorities in security

Post Syndicated from Matthew Garrett original http://mjg59.dreamwidth.org/44363.html

I read this tweet a couple of weeks ago:

and it got me thinking. Security research is often derided as unnecessary stunt hacking, proving insecurity in things that are sufficiently niche or in ways that involve sufficient effort that the realistic probability of any individual being targeted is near zero. Fixing these issues is basically defending you against nation states (who (a) probably don’t care, and (b) will probably just find some other way) and, uh, security researchers (who (a) probably don’t care, and (b) see (a)).

Unfortunately, this may be insufficient. As basically anyone who’s spent any time anywhere near the security industry will testify, many security researchers are not the nicest people. Some of them will end up as abusive partners, and they’ll have both the ability and desire to keep track of their partners and ex-partners. As designers and implementers, we owe it to these people to make software as secure as we can rather than assuming that a certain level of adversary is unstoppable. “Can a state-level actor break this” may be something we can legitimately write off. “Can a security expert continue reading their ex-partner’s email” shouldn’t be.

comment count unavailable comments

Notes on the Apple/NSO Trident 0days

Post Syndicated from Robert Graham original http://blog.erratasec.com/2016/08/notes-on-applenso-trident-0days.html

I thought I’d write up some comments on today’s news of the NSO malware using 0days to infect human rights activist phones. For full reference, you want to read the Citizen’s Lab report and the Lookout report.

Press: it’s news to you, it’s not news to us

I’m seeing breathless news articles appear. I dread the next time that I talk to my mom that she’s going to ask about it (including “were you involved”). I suppose it is new to those outside the cybersec community, but for those of us insiders, it’s not particularly newsworthy. It’s just more government malware going after activists. It’s just one more set of 0days.

I point this out in case press wants to contact for some awesome sounding quote about how exciting/important this is. I’ll have the opposite quote.

Don’t panic: all patches fix 0days

We should pay attention to context: all patches (for iPhone, Windows, etc.) fix 0days that hackers can use to break into devices. Normally these 0days are discovered by the company itself or by outside researchers intending to fix (and not exploit) the problem. What’s different here is that where most 0days are just a theoretical danger, these 0days are an actual danger — currently being exploited by the NSO Group’s products. Thus, there’s maybe a bit more urgency in this patch compared to other patches.

Don’t panic: NSA/Chinese/Russians using secret 0days anyway

It’s almost certain the NSA, the Chinese, and the Russian have similar 0days. That means applying this patch makes you safe from the NSO Group (for a while, until they find new 0days), but it’s unlikely this patch makes you safe from the others.

Of course it’s multiple 0days

Some people are marveling how the attack includes three 0days. That’s been the norm for browser exploits for a decade now. There’s sandboxes and ASLR protections to get through. There’s privilege escalation to get into the kernel. And then there’s persistence. How far you get in solving one or more of these problems with a single 0day depends upon luck.

It’s actually four 0days

While it wasn’t given a CVE number, there was a fourth 0day: the persistence using the JavaScriptCore binary to run a JavaScript text file. The JavaScriptCore program appears to be only a tool for developers and not needed the functioning of the phone. It appears that the iOS 9.3.5 patch disables. While technically, it’s not a coding “bug”, it’s still a design bug. 0days solving the persistence problem (where the malware/implant runs when phone is rebooted) are worth over a hundred thousand dollars all on their own.

That about wraps it up for VEP

VEP is Vulnerability Equities Process that’s supposed to, but doesn’t, manage how the government uses 0days it acquires.

Agitators like the EFF have been fighting against the NSA’s acquisition and use of 0days, as if this makes us all less secure. What today’s incident shows is that acquisition/use of 0days will be widespread around the world, regardless what the NSA does. It’s be nice to get more transparency about what they NSA is doing through the VEP process, but the reality is the EFF is never going to get anything close to what it’s agitating for.

That about wraps is up for Wassenaar

Wassenaar is an internal arms control “treaty”. Left-wing agitators convinced the Wassenaar folks to add 0days and malware to the treaty — with horrific results. There is essentially no difference between bad code and good code, only how it’s used, so the the Wassenaar extensions have essentially outlawed all good code and security research.

Some agitators are convinced Wassenaar can be still be fixed (it can’t). Israel, where NSO Group is based, is not a member of Wassenaar, and thus whatever limitations Wassenaar could come up with would not stop the NSO.

Some have pointed out that Israel frequently adopts Wassenaar rules anyway, but they would then simply transfer the company somewhere else, such as Singapore.

The point is that 0day development is intensely international. There are great 0day researchers throughout the non-Wassenaar countries. It’s not like precision tooling for aluminum cylinders (for nuclear enrichment) that can only be made in an industrialized country. Some of the best 0day researchers come from backwards countries, growing up with only an Internet connection.

BUY THAT MAN AN IPHONE!!!

The victim in this case, Ahmed Mansoor, has apparently been hacked many time, including with HackingTeam’s malware and Finfisher malware — notorious commercial products used by evil government’s to hack into dissident’s computers.

Obviously, he’ll be hacked again. He’s a gold mine for researchers in this area. The NSA, anti-virus companies, Apple jailbreak companies, and the like should be jumping over themselves offering this guy a phone. One way this would work is giving him a new phone every 6 months in exchange for the previous phone to analyze.

Apple, of course, should head the list of companies doing this, proving “activist phones” to activists with their own secret monitoring tools installed so that they can regularly check if some new malware/implant has been installed.

iPhones are still better, suck it Android

Despite the fact that everybody and their mother is buying iPhone 0days to hack phones, it’s still the most secure phone. Androids are open to any old hacker — iPhone are open only to nation state hackers.

Use signal, use Tor

I didn’t see Signal on the list of apps the malware tapped into. There’s no particular reason for this, other than NSO haven’t gotten around to it yet. But I thought I’d point how yet again, Signal wins.

SMS vs. MitM

Some have pointed to SMS as the exploit vector, which gave Citizen’s Lab the evidence that the phone had been hacked.

It’s a Safari exploit, so getting the user to visit a web page is required. This can be done over SMS, over email, over Twitter, or over any other messaging service the user uses. Presumably, SMS was chosen because users are more paranoid of links in phishing emails than they are SMS messages.

However, the way it should be doing is with man-in-the-middle (MitM) tools in the infrastructure. Such a tool would wait until the victim visited any webpage via Safari, then magically append the exploit to the page. As Snowden showed, this is apparently how the NSA does it, which is probably why they haven’t gotten caught yet after exploiting iPhones for years.

The UAE (the government who is almost certainly trying to hack Mansoor’s phone) has the control over their infrastructure in theory to conduct a hack. We’ve already caught other governments doing similar things (like Tunisia). My guess is they were just lazy, and wanted to do it the easiest way for them.


Dotcom Wants Extradition Hearing Live-Streamed, U.S. Does Not

Post Syndicated from Andy original https://torrentfreak.com/dotcom-wants-extradition-hearing-live-streamed-u-s-does-not-160825/

kimfugitiveEarlier this month, Kim Dotcom experienced a setback when the 4th Circuit Court of Appeals rejected his efforts to regain control over millions of dollars in assets seized by the US Government.

Branding the Megaupload founder a fugitive, the Court effectively denied Dotcom the ability to properly defend himself, should he be extradited to the United States from New Zealand.

Together with his former Megaupload colleagues Mathias Ortmann, Bram van der Kolk and Finn Batato, Dotcom was found eligible for extradition to the United States last December. His appeal will take place at the High Court in Auckland this month and Dotcom wants the whole world to see.

While many jurisdictions internationally will not grant permission for a live video or audio feed to be transmitted from a courtroom, in New Zealand the proposition is not out of the question.

All courts nationwide allow cameras and the recording of proceedings, as long as there are no serious privacy breaches, compromising of witnesses, or risks to the right to a fair trial.

Just recently the Chief Justice requested a report from a panel of judges on guidelines relating to recording in court. The report (pdf) found that 93% of District and High Court Judges had not experienced an instance where recording in court had resulted in a fair trial issue arising.

While the panel’s recommendations were accepted by the Chief Justice, live-streaming of court proceedings did not receive widespread support among submissions from judges. However, upon successful application and in important cases such as Dotcom’s, such transmissions can go ahead.

“Live-streaming may be an available option, particularly if there are fixed cameras in court.Live streaming will remain an option in certain major cases, and would be considered if an application is made,” the Judges’ recommendations read.

While it’s possible that Dotcom’s application will be accepted, no feed coming out of the High Court would be truly live. All transmissions would be subjected to a 10-minute delay to protect all parties involved in proceedings.

“A meaningful check on actual publication gives Judges and counsel the opportunity to consider evidence as it is adduced, and decide on whether suppression is appropriate in a measured way,” the Judges note.

“We are aware of numerous instances when that delay has been critical
to give a Judge time to stop an otherwise potentially disastrous publication. A short delay is a small price to pay for in-court coverage.”

But while Dotcom and his legal team are clearly in favor of having the six-week hearing transmitted (almost) live, the U.S. Government is reportedly pulling in the opposite direction. Dotcom reports that his application has already received objections from lawyers in the United States.

At the time of publication, Dotcom hadn’t responded to our request for comment so the grounds for the US Government’s objection aren’t yet clear. However, the media circuses surrounding the televised trials of both O.J Simpson and Michael Jackson are still within recent memory and under huge scrutiny neither went well for the prosecution.

Whether live-streaming is granted or not, Dotcom won’t be giving up the fight, even if his extradition appeal fails. The entrepreneur has already stated that he’ll take his case all the way to the Supreme Court if necessary.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Confusing Security Risks with Moral Judgments

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/08/confusing_secur.html

Interesting research that shows we exaggerate the risks of something when we find it morally objectionable.

From an article about and interview with the researchers:

To get at this question experimentally, Thomas and her collaborators created a series of vignettes in which a parent left a child unattended for some period of time, and participants indicated the risk of harm to the child during that period. For example, in one vignette, a 10-month-old was left alone for 15 minutes, asleep in the car in a cool, underground parking garage. In another vignette, an 8-year-old was left for an hour at a Starbucks, one block away from her parent’s location.

To experimentally manipulate participants’ moral attitude toward the parent, the experimenters varied the reason the child was left unattended across a set of six experiments with over 1,300 online participants. In some cases, the child was left alone unintentionally (for example, in one case, a mother is hit by a car and knocked unconscious after buckling her child into her car seat, thereby leaving the child unattended in the car seat). In other cases, the child was left unattended so the parent could go to work, do some volunteering, relax or meet a lover.

Not surprisingly, the parent’s reason for leaving a child unattended affected participants’ judgments of whether the parent had done something immoral: Ratings were over 3 on a 10-point scale even when the child was left unattended unintentionally, but they skyrocketed to nearly 8 when the parent left to meet a lover. Ratings for the other cases fell in between.

The more surprising result was that perceptions of risk followed precisely the same pattern. Although the details of the cases were otherwise the same -­ that is, the age of the child, the duration and location of the unattended period, and so on -­ participants thought children were in significantly greater danger when the parent left to meet a lover than when the child was left alone unintentionally. The ratings for the other cases, once again, fell in between. In other words, participants’ factual judgments of how much danger the child was in while the parent was away varied according to the extent of their moral outrage concerning the parent’s reason for leaving.

Backing Up for Non-Profits

Post Syndicated from Peter Cohen original https://www.backblaze.com/blog/backing-up-for-non-profits/

Backing Up for Nonprofits

A lot of us dedicate our time and effort to causes we believe in. If you’re responsible for the data used by your non-profit, here are some guidelines to think about. Develop a backup plan of your own by answering these questions.

Backing up copies of crucial organizational information like financial and bank statements, donation lists and other material vital to your organization’s operation should be mandatory. But if you don’t have the budget to outlay for a lot of expensive hardware or software to throw at the backup problem, what do you do? Come up with a plan that works with your budget. Here’s how.

What are 3-2-1 backups?

Here at Backblaze, we like to talk about the 3-2-1 backup strategy: Keep three copies of your important data. Why three?

The first one is your local copy – the one on your computer’s hard drive. The second one is a local backup – an external hard drive, network storage device or server. The third one goes in the cloud: that’s what Backblaze is for.

This strategy hedges your bet against data failure. You’ve got a “live” copy of the data you can work on with your computer. There’s a nearby backup if you need to restore or recover the file. Then there’s a copy on Backblaze’s secure servers just in case anything happens.

What backup media should I use?

External hard drives, burnable CDs and DVDs, USB thumbdrives. There are myriad local storage options, depending on your budget. Most of us are content to back up crucial data on an external hard disk drive using USB 2 or USB 3, depending on the speed of the computer.

If portability is your main concern, consider using a USB thumbdrive. USB thumbdrives can easily slip in your pocket for portability, with capacities of up to hundreds of gigabytes.

Hard disk drives come in much larger capacities. Some drives are big enough to store multiple computer backups, if you have more than one machine that needs backup.

Burnable CDs, DVDs and Blu-ray Discs are an option to consider if you’re interested in long-term archival. Hard drive contents can easily be changed, while optical discs are burnt and then put away. This makes optical media handy once you’ve finished a big project. If you want to preserve it in amber like the mosquitos in Jurassic Park, optical media is the way to go.

Whatever physical backup medium you use, just remember that things break and stop working. That’s why it’s a good idea to use more than one device for a backup. The old adage about not putting all your eggs in one basket may have come from the farm, but it still holds true in the 21st century.

What backup software should I use?

Macs and Windows PCs come with backup software built right in, so start with that. It may require you to make an investment in additional external USB-based storage, like a hard drive or thumb drive, but it’s the easiest and most effective way to get your stuff backed up.

Macs and PCs’s built-in backup software enable you to archive and duplicate the contents of your hard drive elsewhere. On the Mac it’s called Time Machine, and on the PC it’s in the “Update & security” settings. Since most operating systems have some sort of built-in backup software, it’s crazy not to use it. It’s simply an added layer of protection. While it may seem like an added encumbrance when you’re first setting it up, the payoff is in the peace of mind you’ll have knowing your data is safe.

What’s cloud storage?

Depending on how much information you have to back up, cloud-based services give you that third line of defense I’ve talked about. Dropbox, Google Drive, OneDrive, iCloud Drive: You can’t go too far online without bumping into a cloud storage service. Backblaze backs up the contents of your computer’s hard drive to our own cloud storage safely and securely.

If you’re not using Backblaze, make sure to take appropriate security safeguards when it comes to sharing your files on any sort of network. Make sure that the cloud storage provider supports file encryption.

Of course, the major downside to any sort of Internet services is what happens when the Internet is not available. As long as you’re syncing a local directory, you will still be able to access your files. But it bears repeating that you should have your data locally and remotely, so you’re never susceptible to a single point of failure.

What do I back up, and how often?

At the outset I said that you should make sure your organization’s most essential data is safe. That includes financial records, any government forms and any other records you might need as a matter of compliance. It’s a good idea to backup contact and client databases, contracts, and any other records your organization might need later for accounting and record keeping.

In terms of frequency, the nice thing about using cloud-based backup like Backblaze is that it’s pretty much set-and-forget. As long as you have a persistent Internet connection, Backblaze will back up as quickly as it can.

A single local backup can be sufficient if you need to restore data in a hurry, but if you don’t want to take chances, consider adding a second local backup. Backup software like Apple’s Time Machine, built into the Mac, can manage multiple backup drives automatically once you’ve set them up. One way or the other, allow the backup software to do a complete backup, then store incremental backups to save time.

Hopefully I’ve given you a few ideas to get started. Still have questions? Have specific implementation issues? Give me a heads up in the comments.

The post Backing Up for Non-Profits appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.

In Case You Missed These: AWS Security Blog Posts from June, July, and August

Post Syndicated from Craig Liebendorfer original https://blogs.aws.amazon.com/security/post/Tx3KVD6T490MM47/In-Case-You-Missed-These-AWS-Security-Blog-Posts-from-June-July-and-August

In case you missed any AWS Security Blog posts from June, July, and August, they are summarized and linked to below. The posts are shown in reverse chronological order (most recent first), and the subject matter ranges from a tagging limit increase to recording SSH sessions established through a bastion host.

August

August 16: Updated Whitepaper Available: AWS Best Practices for DDoS Resiliency
We recently released the 2016 version of the AWS Best Practices for DDoS Resiliency Whitepaper, which can be helpful if you have public-facing endpoints that might attract unwanted distributed denial of service (DDoS) activity.

August 15: Now Organize Your AWS Resources by Using up to 50 Tags per Resource
Tagging AWS resources simplifies the way you organize and discover resources, allocate costs, and control resource access across services. Many of you have told us that as the number of applications, teams, and projects running on AWS increases, you need more than 10 tags per resource. Based on this feedback, we now support up to 50 tags per resource. You do not need to take additional action—you can begin applying as many as 50 tags per resource today.

August 11: New! Import Your Own Keys into AWS Key Management Service
Today, we are happy to announce the launch of the new import key feature that enables you to import keys from your own key management infrastructure (KMI) into AWS Key Management Service (KMS). After you have exported keys from your existing systems and imported them into KMS, you can use them in all KMS-integrated AWS services and custom applications.

August 2: Customer Update: Amazon Web Services and the EU-US Privacy Shield
Recently, the European Commission and the US Government agreed on a new framework called the EU-US Privacy Shield, and on July 12, the European Commission formally adopted it. AWS welcomes this new framework for transatlantic data flow. As the EU-US Privacy Shield replaces Safe Harbor, we understand many of our customers have questions about what this means for them. The security of our customers’ data is our number one priority, so I wanted to take a few moments to explain what this all means.

August 2: How to Remove Single Points of Failure by Using a High-Availability Partition Group in Your AWS CloudHSM Environment
In this post, I will walk you through steps to remove single points of failure in your AWS CloudHSM environment by setting up a high-availability (HA) partition group. Single points of failure occur when a single CloudHSM device fails in a non-HA configuration, which can result in the permanent loss of keys and data. The HA partition group, however, allows for one or more CloudHSM devices to fail, while still keeping your environment operational.

July

July 28: Enable Your Federated Users to Work in the AWS Management Console for up to 12 Hours
AWS Identity and Access Management (IAM) supports identity federation, which enables external identities, such as users in your corporate directory, to sign in to the AWS Management Console via single sign-on (SSO). Now with a small configuration change, your AWS administrators can allow your federated users to work in the AWS Management Console for up to 12 hours, instead of having to reauthenticate every 60 minutes. In addition, administrators can now revoke active federated user sessions. In this blog post, I will show how to configure the console session duration for two common federation use cases: using Security Assertion Markup Language (SAML) 2.0 and using a custom federation broker that leverages the sts:AssumeRole* APIs (see this downloadable sample of a federation proxy). I will wrap up this post with a walkthrough of the new session revocation process.

July 28: Amazon Cognito Your User Pools is Now Generally Available
Amazon Cognito makes it easy for developers to add sign-up, sign-in, and enhanced security functionality to mobile and web apps. With Amazon Cognito Your User Pools, you get a simple, fully managed service for creating and maintaining your own user directory that can scale to hundreds of millions of users.

July 27: How to Audit Cross-Account Roles Using AWS CloudTrail and Amazon CloudWatch Events
In this blog post, I will walk through the process of auditing access across AWS accounts by a cross-account role. This process links API calls that assume a role in one account to resource-related API calls in a different account. To develop this process, I will use AWS CloudTrail, Amazon CloudWatch Events, and AWS Lambda functions. When complete, the process will provide a full audit chain from end user to resource access across separate AWS accounts.

July 25: AWS Becomes First Cloud Service Provider to Adopt New PCI DSS 3.2
We are happy to announce the availability of the Amazon Web Services PCI DSS 3.2 Compliance Package for the 2016/2017 cycle. AWS is the first cloud service provider (CSP) to successfully complete the assessment against the newly released PCI Data Security Standard (PCI DSS) version 3.2, 18 months in advance of the mandatory February 1, 2018, deadline. The AWS Attestation of Compliance (AOC), available upon request, now features 26 PCI DSS certified services, including the latest additions of Amazon EC2 Container Service (ECS), AWS Config, and AWS WAF (a web application firewall). We at AWS are committed to this international information security and compliance program, and adopting the new standard as early as possible once again demonstrates our commitment to information security as our highest priority. Our customers (and customers of our customers) can operate confidently as they store and process credit card information (and any other sensitive data) in the cloud knowing that AWS products and services are tested against the latest and most mature set of PCI compliance requirements.

July 20: New AWS Compute Blog Post: Help Secure Container-Enabled Applications with IAM Roles for ECS Tasks
Amazon EC2 Container Service (ECS) now allows you to specify an IAM role that can be used by the containers in an ECS task, as a new AWS Compute Blog post explains. 

July 14: New Whitepaper Now Available: The Security Perspective of the AWS Cloud Adoption Framework
Today, AWS released the Security Perspective of the AWS Cloud Adoption Framework (AWS CAF). The AWS CAF provides a framework to help you structure and plan your cloud adoption journey, and build a comprehensive approach to cloud computing throughout the IT lifecycle. The framework provides seven specific areas of focus or Perspectives: business, platform, maturity, people, process, operations, and security.

July 14: New Amazon Inspector Blog Post on the AWS Blog
On the AWS Blog yesterday, Jeff Barr published a new security-related blog post written by AWS Principal Security Engineer Eric Fitzgerald. Here’s the beginning of the post, which is entitled, Scale Your Security Vulnerability Testing with Amazon Inspector:

July 12: How to Use AWS CloudFormation to Automate Your AWS WAF Configuration with Example Rules and Match Conditions
We recently announced AWS CloudFormation support for all current features of AWS WAF. This enables you to leverage CloudFormation templates to configure, customize, and test AWS WAF settings across all your web applications. Using CloudFormation templates can help you reduce the time required to configure AWS WAF. In this blog post, I will show you how to use CloudFormation to automate your AWS WAF configuration with example rules and match conditions.

July 11: How to Restrict Amazon S3 Bucket Access to a Specific IAM Role
In this blog post, I show how you can restrict S3 bucket access to a specific IAM role or user within an account using Conditions instead of with the NotPrincipal element. Even if another user in the same account has an Admin policy or a policy with s3:*, they will be denied if they are not explicitly listed. You can use this approach, for example, to configure a bucket for access by instances within an Auto Scaling group. You can also use this approach to limit access to a bucket with a high-level security need.

July 7: How to Use SAML to Automatically Direct Federated Users to a Specific AWS Management Console Page
In this blog post, I will show you how to create a deep link for federated users via the SAML 2.0 RelayState parameter in Active Directory Federation Services (AD FS). By using a deep link, your users will go directly to the specified console page without additional navigation.

July 6: How to Prevent Uploads of Unencrypted Objects to Amazon S3
In this blog post, I will show you how to create an S3 bucket policy that prevents users from uploading unencrypted objects, unless they are using server-side encryption with S3–managed encryption keys (SSE-S3) or server-side encryption with AWS KMS–managed keys (SSE-KMS).

June

June 30: The Top 20 AWS IAM Documentation Pages so Far This Year
The following 20 pages have been the most viewed AWS Identity and Access Management (IAM) documentation pages so far this year. I have included a brief description with each link to give you a clearer idea of what each page covers. Use this list to see what other people have been viewing and perhaps to pique your own interest about a topic you’ve been meaning to research. 

June 29: The Most Viewed AWS Security Blog Posts so Far in 2016
The following 10 posts are the most viewed AWS Security Blog posts that we published during the first six months of this year. You can use this list as a guide to catch up on your blog reading or even read a post again that you found particularly useful.

June 25: AWS Earns Department of Defense Impact Level 4 Provisional Authorization
I am pleased to share that, for our AWS GovCloud (US) Region, AWS has received a Defense Information Systems Agency (DISA) Provisional Authorization (PA) at Impact Level 4 (IL4). This will allow Department of Defense (DoD) agencies to use the AWS Cloud for production workloads with export-controlled data, privacy information, and protected health information as well as other controlled unclassified information. This new authorization continues to demonstrate our advanced work in the public sector space; you might recall AWS was the first cloud service provider to obtain an Impact Level 4 PA in August 2014, paving the way for DoD pilot workloads and applications in the cloud. Additionally, we recently achieved a FedRAMP High provisional Authorization to Operate (P-ATO) from the Joint Authorization Board (JAB), also for AWS GovCloud (US), and today’s announcement allows DoD mission owners to continue to leverage AWS for critical production applications.

June 23: AWS re:Invent 2016 Registration Is Now Open
Register now for the fifth annual AWS re:Invent, the largest gathering of the global cloud computing community. Join us in Las Vegas for opportunities to connect, collaborate, and learn about AWS solutions. This year we are offering all-new technical deep-dives on topics such as security, IoT, serverless computing, and containers. We are also delivering more than 400 sessions, more hands-on labs, bootcamps, and opportunities for one-on-one engagements with AWS experts.

June 23: AWS Achieves FedRAMP High JAB Provisional Authorization
We are pleased to announce that AWS has received a FedRAMP High JAB Provisional Authorization to Operate (P-ATO) from the Joint Authorization Board (JAB) for the AWS GovCloud (US) Region. The new Federal Risk and Authorization Management Program (FedRAMP) High JAB Provisional Authorization is mapped to more than 400 National Institute of Standards and Technology (NIST) security controls. This P-ATO recognizes AWS GovCloud (US) as a secure environment on which to run highly sensitive government workloads, including Personally Identifiable Information (PII), sensitive patient records, financial data, law enforcement data, and other Controlled Unclassified Information (CUI).

June 22: AWS IAM Service Last Accessed Data Now Available for South America (Sao Paulo) and Asia Pacific (Seoul) Regions
In December, AWS IAM released service last accessed data, which helps you identify overly permissive policies attached to an IAM entity (a user, group, or role). Today, we have extended service last accessed data to support two additional regions: South America (Sao Paulo) and Asia Pacific (Seoul). With this release, you can now view the date when an IAM entity last accessed an AWS service in these two regions. You can use this information to identify unnecessary permissions and update policies to remove access to unused services.

June 20: New Twitter Handle Now Live: @AWSSecurityInfo
Today, we launched a new Twitter handle: @AWSSecurityInfo. The purpose of this new handle is to share security bulletins, security whitepapers, compliance news and information, and other AWS security-related and compliance-related information. The scope of this handle is broader than that of @AWSIdentity, which focuses primarily on Security Blog posts. However, feel free to follow both handles!

June 15: Announcing Two New AWS Quick Start Reference Deployments for Compliance
As part of the Professional Services Enterprise Accelerator – Compliance program, AWS has published two new Quick Start reference deployments to assist federal government customers and others who need to meet National Institute of Standards and Technology (NIST) SP 800-53 (Revision 4) security control requirements, including those at the high-impact level. The new Quick Starts are AWS Enterprise Accelerator – Compliance: NIST-based Assurance Frameworks and AWS Enterprise Accelerator – Compliance: Standardized Architecture for NIST High-Impact Controls Featuring Trend Micro Deep Security. These Quick Starts address many of the NIST controls at the infrastructure layer. Furthermore, for systems categorized as high impact, AWS has worked with Trend Micro to incorporate its Deep Security product into a Quick Start deployment in order to address many additional high-impact controls at the workload layer (app, data, and operating system). In addition, we have worked with Telos Corporation to populate security control implementation details for each of these Quick Starts into the Xacta product suite for customers who rely upon that suite for governance, risk, and compliance workflows.

June 14: Now Available: Get Even More Details from Service Last Accessed Data
In December, AWS IAM released service last accessed data, which shows the time when an IAM entity (a user, group, or role) last accessed an AWS service. This provided a powerful tool to help you grant least privilege permissions. Starting today, it’s easier to identify where you can reduce permissions based on additional service last accessed data.

June 14: How to Record SSH Sessions Established Through a Bastion Host
A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet. Because of its exposure to potential attack, a bastion host must minimize the chances of penetration. For example, you can use a bastion host to mitigate the risk of allowing SSH connections from an external network to the Linux instances launched in a private subnet of your Amazon Virtual Private Cloud (VPC). In this blog post, I will show you how to leverage a bastion host to record all SSH sessions established with Linux instances. Recording SSH sessions enables auditing and can help in your efforts to comply with regulatory requirements.

June 14: AWS Granted Authority to Operate for Department of Commerce and NOAA
AWS already has a number of federal agencies onboarded to the cloud, including the Department of Energy, The Department of the Interior, and NASA. Today we are pleased to announce the addition of two more ATOs (authority to operate) for the Department of Commerce (DOC) and the National Oceanic and Atmospheric Administration (NOAA). Specifically, the DOC will be utilizing AWS for their Commerce Data Service, and NOAA will be leveraging the cloud for their “Big Data Project." According to NOAA, the goal of the Big Data Project is to “create a sustainable, market-driven ecosystem that lowers the cost barrier to data publication. This project will create a new economic space for growth and job creation while providing the public far greater access to the data created with its tax dollars.”

June 2: How to Set Up DNS Resolution Between On-Premises Networks and AWS by Using Unbound
In previous AWS Security Blog posts, Drew Dennis covered two options for establishing DNS connectivity between your on-premises networks and your Amazon Virtual Private Cloud (Amazon VPC) environments. His first post explained how to use Simple AD to forward DNS requests originating from on-premises networks to an Amazon Route 53 private hosted zone. His second post showed how you can use Microsoft Active Directory (also provisioned with AWS Directory Service) to provide the same DNS resolution with some additional forwarding capabilities. In this post, I will explain how you can set up DNS resolution between your on-premises DNS with Amazon VPC by using Unbound, an open-source, recursive DNS resolver. This solution is not a managed solution like Microsoft AD and Simple AD, but it does provide the ability to route DNS requests between on-premises environments and an Amazon VPC–provided DNS.

June 1: How to Manage Secrets for Amazon EC2 Container Service–Based Applications by Using Amazon S3 and Docker
In this blog post, I will show you how to store secrets on Amazon S3, and use AWS IAM roles to grant access to those stored secrets using an example WordPress application deployed as a Docker image using ECS. Using IAM roles means that developers and operations staff do not have the credentials to access secrets. Only the application and staff who are responsible for managing the secrets can access them. The deployment model for ECS ensures that tasks are run on dedicated EC2 instances for the same AWS account and are not shared between customers, which gives sufficient isolation between different container environments.

If you have comments  about any of these posts, please add your comments in the "Comments" section of the appropriate post. If you have questions about or issues implementing the solutions in any of these posts, please start a new thread on the AWS IAM forum.

– Craig

U.S. Government Indicts Three Alleged KickassTorrents Operators

Post Syndicated from Ernesto original https://torrentfreak.com/u-s-government-indicts-three-alleged-kickasstorrents-operators160825/

kickasstorrents_500x500Last month, Polish law enforcement officers arrested Artem Vaulin, the alleged owner of KickassTorrents, who’s been held in a local prison since.

Polish authorities acted on a criminal complaint from the U.S. Government which contained several damning allegations.

This week, the Department of Justice (DoJ) followed up the complaint with a full grand jury indictment, which presents several new allegations.

In addition to Vaulin, it charges two other defendants, Ievgen Kutsenko and Oleksandr Radostin. The three men, all from Ukraine, are charged with several counts of copyright infringement and money laundering.

“Kickass Torrents, or ‘KAT,’ was a commercial website that facilitated and promoted the reproduction and distribution of copyrighted content over the Internet without authorization of the copyright owners,” the DoJ writes.

KAT’s seizure banner

katseized

According to the indictment, the ‘KAT conspiracy’ involved a variety of piracy-related websites. It mentions that the torrent storage service Torcache.net, which went offline together with KAT, was operated by the same people.

In addition, the defendants were involved in a variety of direct download sites where users could download or stream copyright-infringing content, sometimes in exchange for payments.

These sites include the popular streaming portal Solarmovie, which disappeared last month, as well as the defunct torrent leeching service Leechmonster.

“Leechmonster.com, rolly.com, solarmovie.com, solarmovie.ph, iwatchfilm.com, movie2b.com, hippomovies.com, bino.tv, and moviepro.net were commercial websites that enabled registered users to download or stream copyrighted movies and other media directly from the website,” the indictment reads.

katindictment

According to the U.S. Government, the three men used the sites to generate millions of dollars in revenue.

“…defendants […] and others designed, developed, and operated KAT, torcache.net, and the direct download websites in order to encourage, induce, facilitate, engage in, and generate millions of dollars from the unlawful reproduction and distribution of copyright-protected media,” the indictment states.

The authorities describe KickassTorrents as a site that was developed purposefully to facilitate copyright infringements. Among other things, this included the sorting of torrents by genre, so they would be easier to find.

In addition, the defendants are also accused of developing a BitTorrent client to facilitate piracy, and of operating the subtitle repository Subtitlesource.com.

On the money laundering side, the indictment includes various examples of advertising payments that were made to bank accounts that were operated by the defendants. This includes a payment from an undercover IRS investigator, who posed as an advertiser.

The Department of Justice has yet to comment on the indictment and it’s currently unknown where the two additional defendants reside and if they have been arrested. The court record shows that two warrants were submitted yesterday, but these remain sealed for now.

Meanwhile, Artem Vaulin is still being held in a Polish prison, awaiting his extradition process.

His lawyer previously asked the Department of Justice to release his client. The defense argued that Vaulin can’t be held responsible for the potentially infringing actions of the KAT’s users, since criminal secondary or indirect copyright infringement does not exist under U.S. law.

A copy of the full indictment obtained by TorrentFreak is available here.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Another lesson in confirmation bias

Post Syndicated from Robert Graham original http://blog.erratasec.com/2016/08/another-lesson-in-confirmation-bias.html

The biggest problem with hacker attribution is the confirmation bias problem. Once you develop a theory, your mind shifts to distorting evidence trying to prove the theory. After a while, only your theory seems possible as one that can fit all your carefully selected evidence.

You can watch this happen in two recent blogposts [1] [2] by Krypt3ia attributing bitcoin payments to the Shadow Broker hackers as coming from the government (FBI, NSA, TAO). These posts are absolutely wrong. Nonetheless, the press has picked up on the story and run with it [*]. [Note: click on the pictures in this post to blow them up so you can see them better].

The Shadow Brokers published their bitcoin address (19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK) asking for donations to release the rest of their tools. They’ve received 66 transactions so far, totally 1.78 bitcoin, or roughly $1000 at today’s exchange rate.

Bitcoin is not anonymous by pseudonymous. Bitcoin is a public ledger with all transaction visible by everyone. Sometimes we can’t tie addresses back to people, but sometimes we can. There are a lot of researchers who spent a lot of time on “taint anlysis” trying to track down the real identity of evildoers. Thus, it seems plausible that we might be able to discover the identities of those people making contributions to Shadow Brokers.

The first of Krypt3ia’s errant blogposts tries to use the Bitcoin taint analysis plugin within Maltego in order to do some analysis on the Shadow Broker address. What he found was links to the Silk Road address — the address controlled by the FBI since they took down that darknet marketplace several years ago. Therefore, he created the theory that the government (FBI? NSA? TAO?) was up to some evil tricks, such as trying to fill the account with money so that they could then track where the money went in the public blockchain.

But he misinterpreted the links. (He was wrong.) There were no payments from the Silk Road accounts to the Shadow Broker account. Instead, there were people making payments to both accounts. As a prank.

To demonstrate how this prank wors, I made my own transaction, where I pay money to the Shadow Brokers (19BY2…), to Silk Road (1F1A…), and to a few other well-known accounts controlled by the government.

The point here is that anybody can do these shenanigans. That government controlled addresses are involved means nothing. They are public, and anybody can send coin to them.

That blogpost points to yet more shenanigans, such as somebody “rick rolling”, to confirm that TAO hackers were involved. What you see in the picture below is a series of transactions using bitcoin addresses containing the phrase “never gonna give you up“, the title of Rich Astley’s song (I underlined the words in red).

Far from the government being involved, somebody else took credit for the hack, with the Twitter handle @MalwareTechBlog. In a blogpost [*], he describes what he did. He then proves his identity by signing a message at the bottom of his post, using the same key (the 1never…. key above) in his tricks. Below is a screenshot of how I verified (and how anybody can verify) the key.

Moreover, these pranks should be seen in context. Goofball shenanigans on the blockchain are really, really common. An example is the following transaction:

Notice the vanity bitcoin address transfering money to the Silk Road account. There is also a “Public Note” on this transaction, a feature unique to BlockChain.info — which recently removed the feature because it was so extensively abused.

Bitcoin also has a feature where 40 bytes of a message can be added to transactions. The first transaction sending bitcoins to both Shadow Brokers and Silk Road was this one. If you tell it to “show scripts”, you see that it contains an email address for Cryptome, the biggest and oldest Internet leaks site (albeit not as notorious as Wikileaks).

The point is this: shenanigans and pranks are common on the Internet. What we see with Shadow Brokers is normal trickery. If you are unfamiliar with Bitcoin culture, it may look like some extra special trickery just for Shadow Brokers, but it isn’t.

After much criticism why his first blogpost was wrong, Krypt3ia published a second. The point of the second was to lambaste his critics — just because he jotted down some idle thoughts in a post doesn’t make him responsible for journalists like ZDnet picking up as a story that’s now suddenly being passed around.

But his continues with the claim that there is somehow evidence of government involvement, even though his original claim of payments from Silk Road were wrong. As he says:

However, my contention still stands that there be some fuckery going on here with those wallet transactions by the looks of it and that the likely candidate would be the government

Krypt3ia goes onto then claim, about the Rick Astley trick:

So yeah, these accounts as far as I can tell so far without going and spending way to many fucking hours on bitcoin.ifo or some such site, were created to purposely rick roll and fuck with the ShadowBrokers. Now, they may be fractions of bitcoins but I ask you, who the fuck has bitcoin money to burn here? Any of you out there? I certainly don’t and the way it was done, so tongue in cheek kinda reminds me of the audacity of TAO…

Who has bitcoin money to burn? The answer is everyone. Krypt3ia obvious isn’t paying attention to the value of bitcoin here, which are pennies. Each transaction of 0.0001337 bitcoins is worth about 10 cents at current exchange rates, meaning this Rick Roll was less than $1. It takes minutes to open an account (like at Circle.com) and use your credit card (or debit card) to $1 worth of bitcoin and carry out this prank.

He goes on to say:

If you also look at the wallets that I have marked with the super cool “Invisible Man” logo, you can see how some of those were actually transfering money from wallet to wallet in sequence to then each post transactions to Shadow. Now what is that all about huh? More wallets acting together? As Velma would often say in Scooby Doo, JINKY’S! Something is going on there.

Well, no, it’s normal bitcoin transactions. (I’ve made this mistake too — learned about it, then forgot about it, then had to relearn about it). A Bitcoin transaction needs to consume all the previous transactions that it refers to. This invariably leaves some bitcoin left over, so has to be transferred back into the user’s wallet. Thus, on my hijinx at the top of this post, you see the address 1HFWw… receives most of the bitcoin. That was a newly created by my wallet back in 2014 to receive the unspent portions of transactions. While it looks strange, it’s perfectly normal.

It’s easy to point out that Krypt3ia just doesn’t understand much about bitcoin, and is getting excited by Maltego output he doesn’t understand.

But the real issue is confirmation bias. He’s developed a theory, and searches for confirmation of that theory. He says “there are connections that cannot be discounted”, when in fact all the connections can easily be discounted with more research, with more knowledge. When he gets attacked, he’s becomes even more motivated to search for reasons why he’s actually right. He’s not motivated to be proven wrong.

And this is the case of most “attribution” in the cybersec issue. We don’t have smoking guns (such as bitcoin coming from the Silk Road account), and must make do with flimsy data (like here, bitcoin going to the Silk Road account). Sometimes our intuition is right, and this flimsy data does indeed point us to the hacker. In other cases, it leads us astray, as I’ve documented before in this blog. The less we understand something, the more it confirms our theory rather than conforming we just don’t understand. That “we just don’t know” is rarely an acceptable answer.

I point this out because I’m always the skeptic when the government attributes attacks to North Korea, China, Russia, Iran, and so on. I’ve seen them be right sometimes, and I’ve seem them be absolutely wrong. And when they are wrong, it’s easy figuring out why — because of things like confirmation bias.

Maltego plugin showing my Bitcoin hijinx transaction from above

Creating vanity addresses, for rickrolling or other reasons