
Who Are The Alleged Top Men Behind KickassTorrents?

Post Syndicated from Andy original https://torrentfreak.com/the-alleged-top-men-behind-kickasstorrents-160826/

The sudden shutdown last month of KickassTorrents left a sizeable hole in the torrent landscape. KAT was the largest torrent index on the planet and much-loved by those who frequented it.

On day one of the shutdown, the United States government revealed that they had one prime suspect in their sights. Ukrainian Artem Vaulin was said to be the mastermind of KickassTorrents, coordinating an international operation through Cryptoneat, a front company in Kharkiv, Ukraine.

Yesterday the United States officially indicted Vaulin (aka ‘tirm’) along with two of his alleged KickassTorrents co-conspirators – Oleksandr Radostin (aka ‘pioneer’) and Ievgen Kutsenko (aka ‘chill’). All are said to have worked at Cryptoneat but little else is known about them. Today we can put some meat on the bones.

Artem Vaulin

Artem Vaulin is a 30-year-old man from Ukraine. Born in 1985, he is married with a young son. According to an investigation carried out by Vesti, his business life had simple roots.

After graduating from school, Vaulin went on to set up a vending machine business focusing on chewing gum and soft toys.

“My parents gave me $3000. They said: ‘Cool, you do not have to count on us. Now you have your own money’,” Vaulin told reporters in 2004.

Since then, Vaulin’s business empire seems to have taken off but despite reportedly having interests in several local companies (three with registered capital of more than $8.5m total), Vaulin appears to have been able to keep a reasonably low profile.

However, it is Vaulin’s love of squash that leads us to the only images available of him online. Ukrainian squash portal Squashtime.com.ua has a full profile, indicating his date and place of birth, and even his racquet preference.


Vesti approached the club where Vaulin trained but due to data protection issues it would not share any information on the businessman. However, local news resource Segodnya tracked down Vaulin’s squash coach, Evgeny Ponomarenko.

“I know it only from the positive side. Artem is a good man and a family man with a growing son,” Ponomarenko said.

Vaulin is also said to have signed petitions on the Ukrainian president’s website, one requesting that the country join NATO and another seeking to allow Ukrainians to receive money from abroad via PayPal.

Oleksandr (Alexander) Radostin

Alexander Radostin appears to have been a software architect and/or lead engineer at Cryptoneat but other than that, very little is known about him.

There are several references to him online in Ukraine in relation to the shutdown of KickassTorrents, but most merely speculate that as an employee of Cryptoneat, Radostin might be best placed to confirm Vaulin’s current arrest status.

Many former Cryptoneat employees have purged their social networking presence but some of Radostin’s details are still available via Ukrainian-based searches, including the LinkedIn image below.


While almost nothing is known about the third indicted KickassTorrents operator, Ievgen Kutsenko, images of the offices from where he and his colleagues allegedly ran the site can be hunted down.

The image below shows a screenshot from a Ukrainian job-seeking site where Cryptoneat had a page. It lists both Vaulin and Radostin to the right of some tiny thumbnails of photographs apparently taken inside the Kickass/Cryptoneat offices.


TF managed to track down a full-size version of the third image from the left and the environment looks very nice indeed.


While Vaulin is currently being held in a Polish jail, the whereabouts of his alleged co-conspirators is unknown. However, if they are still in Ukraine it might not be straightforward to have them extradited to the United States.

“Ukraine and the United States do not have an extradition treaty,” the U.S. Embassy confirms on its Ukraine website.


Inside ‘The Attack That Almost Broke the Internet’

Post Syndicated from BrianKrebs original https://krebsonsecurity.com/2016/08/inside-the-attack-that-almost-broke-the-internet/

In March 2013, a coalition of spammers and spam-friendly hosting firms pooled their resources to launch what would become the largest distributed denial-of-service (DDoS) attack the Internet had ever witnessed. The assault briefly knocked offline the world’s largest anti-spam organization, and caused a great deal of collateral damage to innocent bystanders in the process. Here’s a never-before-seen look at how that attack unfolded, and a rare glimpse into the shadowy cybercrime forces that orchestrated it.

The following are excerpts taken verbatim from a series of Skype and IRC chat room logs generated by a group of “bullet-proof cybercrime hosts” — so called because they specialized in providing online hosting to a variety of clientele involved in spammy and scammy activities.

Facebook profile picture of Sven Olaf Kamphuis


Gathered under the banner ‘STOPhaus,’ the group included a ragtag collection of hackers who got together on the 17th of March 2013 to launch what would quickly grow to a 300+ Gigabits per second (Gbps) attack on Spamhaus.org, an anti-spam organization that they perceived as a clear and present danger to their spamming operations.

The attack – a stream of some 300 billion bits of data per second – was so large that it briefly knocked offline Cloudflare, a company that specializes in helping organizations stay online in the face of such assaults. Cloudflare dubbed it “The Attack that Almost Broke the Internet.”

The campaign was allegedly organized by a Dutchman named Sven Olaf Kamphuis (pictured above). Kamphuis ran a company called CB3ROB, which in turn provided services for a Dutch company called “Cyberbunker,” so named because the organization was housed in a five-story NATO bunker and because it had advertised its services as a bulletproof hosting provider.

Kamphuis seemed to honestly believe his Cyberbunker was sovereign territory, even signing his emails “Prince of Cyberbunker Republic.” Arrested in Spain in April 2013 in connection with the attack on Spamhaus, Kamphuis was later extradited to The Netherlands to stand trial. He has publicly denied being part of the attacks and his trial is ongoing.

According to investigators, Kamphuis began coordinating the attack on Spamhaus after the anti-spam outfit added several of Cyberbunker’s Internet address ranges to its blacklist. The following logs, obtained by one of the parties to the week-long offensive, showcase the planning and execution of the DDoS attack, including digital assaults on a number of major Internet exchanges. The record also exposes the identities and roles of each of the participants in the attack.

The logs below are excerpts from a much longer conversation. The entire, unedited chat logs are available here. The logs are periodically broken up by text in italics, which includes additional context about each snippet of conversation. Also please note that the logs below may contain speech that some find offensive.

====================================================================

THE CHAT LOG MEMBERS
————————————————————
Aleksey Frolov : vainet[dot]biz, vainet[dot]ru, Russian host.
————————————————————
Alex Optik : Russian ‘BP host’. AKA NEO
————————————————————
Andrei Stanchevici : secured[dot]md Moldova
————————————————————
Cali : Vitalii Boiko AKA Vitaliyi Boyiko AKA Cali Yhzar, alleged by Spamhaus to be dedicated crime hosters urdn[dot]com.ua AKA Xentime[dot]com AKA kurupt[dot]ru
————————————————————
Darwick : Zemancsik Zsolt, 23net[dot]hu, Hungarian host.
————————————————————
eDataKing : Andrew Jacob Stephens, Ohio/Florida based spamware seller formerly listed on Spamhaus’s Register of Known Spam Operations (ROKSO). Was main social media mouthpiece of Stophaus (e.g. see @stophaus). Andrew threatens to sue everyone for libel, and is likely to show up in the comments below and do the same here.
————————————————————
Erik Bais : A2B Internet, Netherlands
————————————————————
Goo : Peter van Gorkum AKA Gooweb.nl, alleged by Spamhaus to be a botnet supplier in the Netherlands.
————————————————————
Hephaistos : AKA @AnonOps on Twitter
————————————————————
HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP : Sven Olaf Kamphuis AKA Cyberbunker AKA CB3ROB
————————————————————
Karlin König : Suavemente/SplitInfinity, San Diego based host.
————————————————————
marceledler : German hoster that Spamhaus says has a history of hosting spammers, AKA Optimate-Server[dot]de
————————————————————
Mark – Evgeny Pazderin : Russian, alleged by Spamhaus to be hoster of webinjects used for man-in-the-middle attacks (MITM) against online banking sessions.
————————————————————
Mastermind of Possibilities : Norman “Chris” Jester AKA Suavemente/SplitInfinity, alleged by Spamhaus to be San Diego based spam host.
————————————————————
Narko : Sean Nolan McDonough, UK-based teenager, trigger man in the attack. Allegedly hired by Yuri to perform the DDoS. Later pleaded guilty to coordinating the attack in 2013.
————————————————————
NM : Nikolay Metlyuk, according to Spamhaus a Russian botnet provider
————————————————————
simomchen : Simon Chen AKA idear4business counterfeit Chinese products, formerly listed on Spamhaus ROKSO.
————————————————————
Spamahost : As its name suggests, a Russian host specializing in spam, spam and spam.
————————————————————
twisted : Admin of Cyberbunker[dot]com
————————————————————
valeralelin : Valerii Lolin, infiumhost[dot]com, Ukraine
————————————————————
Valeriy Uhov : Per Spamhaus, a Russian ‘bulletproof hoster’.
————————————————————
WebExxpurts : Deepak Mehta, alleged cybercrime host specializing in hosting botnet C&Cs. AKA Turbovps (<bd[at]turbovps[dot]com>).
————————————————————
wmsecurity : off-sho[dot]re ‘Bulletproof’ hoster. Lithuania. AKA “Antitheist”. Profiled in this story.
————————————————————
Xennt : H.J. Xennt, owner of Cyberbunker.
————————————————————
Yuri : Yuri Bogdanov, owner of 2×4[dot]ru. According to Spamhaus, 2×4[dot]ru is a longtime spam friendly Russian host, formerly part of Russian Business Network (RBN). Allegedly hired Narko to launch DDoS attack against Spamhaus.
============================================================

[17.03.2013 19:51:31] eDataKing: watch the show: http://www.webhostingtalk.com/showthread.php?t=1247982
[17.03.2013 19:52:02] -= Darwick =-: hell yeah! :)
[17.03.2013 19:52:09] -= Darwick =-: hit them hard :)
[17.03.2013 19:54:07] -= Darwick =-: is that a ddos attack?
[17.03.2013 19:54:56] eDataKing: but let’s forget what it is and focus on it’s consequence lol 😉

====================================================================

A number of chat members chastise eDataKing for incessantly posting comments to what they refer to as “nanae,” a derisive reference to the venerable USENET anti-spam list (news.admin.net-abuse.email) that focused solely on exposing spammers and their spamming activities. eDataKing is flustered and posting on nanae with rapid-fire, emotional replies to anti-spammers, but his buddies don’t want that kind of attention to their cause.

[17.03.2013 20:27:57] Mastermind of Possibilities: Andrew why are you posting in nanae? Stop man lol

====================================================================

Some of the chat participants begin debating whether they should consider adopting residence in a country that does not play well with the United States in terms of extradition.

[18.03.2013 02:28:30] eDataKing: what about a place that takes an ex-felon from the US for citizenship or expat?

====================================================================

The plotters begin running scans to find misconfigured or ill-protected systems that can be enslaved in attacks. They’re scanning the Web for domain name system (DNS) servers that can be used to amplify and disguise or “reflect” the source of their attacks. Narko warns Sven about trying to enlist servers hosted by Dutch ISP Leaseweb, which was known to anticipate such activity and re-route attack traffic back to the true source of the traffic.

[18.03.2013 16:39:22] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: is just global transit thats filtered with them
[18.03.2013 16:39:33] narko: they change the ip back to your real server ip
[18.03.2013 16:39:38] narko: you will ddos your own server if you try this attack at leaseweb
[18.03.2013 16:39:46] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: hmm
[18.03.2013 16:39:50] Antitheist: what about root.lu?
[18.03.2013 16:39:54] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: very creative of them
[18.03.2013 16:39:55] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[18.03.2013 16:40:21] Antitheist: and nforce
[18.03.2013 16:49:22] Antitheist: i host many cc shops, they even appeared on krebs blog 😀
[18.03.2013 16:49:27] narko: where?

At around 4 p.m. GMT that same day, Sven announces that the group’s various cyber armies had succeeded in knocking Spamhaus off the Internet. Incredibly, Sven advertises his involvement with the group to all 3,850 of his Facebook friends.

[17.03.2013 22:30:01] my 3850 facebook friends www.spamhaus.org still down, and that criminal bunch of self declared internet dictators will still remain down, until our demands are met over 48h already resolving your shit. end of the line buddy should have called and paid for the damages.
[17.03.2013 22:25:54] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: rokso no longer exists haha
[17.03.2013 22:29:51] Mastermind of Possibilities: Where is that posted ?
[17.03.2013 22:30:01] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: my 3850 facebook friends 😛
[17.03.2013 22:30:12] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: you know, stuff people actually -use-… unlike smtp and nntp
[17.03.2013 22:30:12] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[17.03.2013 22:30:23] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: facebook.com/cb3rob

====================================================================

Spamhaus uses a friendly blog — Wordtothewise.com — to publish an alert that it is “under major dDos.” While Spamhaus is offline, various parties to the attack begin hatching ways to take advantage by poisoning search-engine results so that when one searches for “Spamhaus,” the first several results instead redirect to Stophaus[dot]org, the forum this group set up to coordinate the attacks.


[18.03.2013 13:09:09] Alex Optik: http://www.stopspamhaus.org/2013_02_01_archive.html
[18.03.2013 13:09:35] Alex Optik: as i see there is already has same projects
[18.03.2013 13:09:59] narko: (wave)
[18.03.2013 13:10:17] eDataKing: that site is owned by a person in this group Alex
stealing seo to bump spamhaus while it’s offline 3 days
[18.03.2013 16:14:14] Antitheist: do you mind if we put spamhaus metatags on stophaus?
[18.03.2013 16:14:24] Antitheist: so we can come up first on google soon 😀
file fake info alert to ICANN
[18.03.2013 16:26:45] narko: Your report concerning whois data inaccuracy regarding the domain spamhaus.org has been confirmed. You will receive an email with further details shortly. Thank you.
[18.03.2013 16:29:26] narko: Any future correspondence sent to ICANN must contain your report ID number.
Please allow 45 days for ICANN’s WDPRS processing of your Whois inaccuracy
claim. This 45 day WDPRS processing cycle includes forwarding the complaint
to the registrar for handling, time for registrar action and follow-up by
ICANN if necessary.

====================================================================

Sven Kamphuis then posts to Pastebin about “OPERATION STOPHAUS,” a tirade that includes a lengthy list of demands Sven says Spamhaus will have to meet in order for the DDoS attack to be called off. Meanwhile, another spam-friendly hosting provider — helpfully known as “Spamahost[dot]com” — joins the chat channel. At this point, the attack has kept Spamhaus.org offline for the better part of 48 hours.

Narko's account on Stophaus.


[19.03.2013 00:02:43] Yuri: another one hoster, spamahost.com added.
[19.03.2013 00:02:48] Yuri: i hope he can help with some servers.
[19.03.2013 00:02:57] spamahost: Will do ^^ :)
[19.03.2013 00:05:49] eDataKing: be safe when accessing this link, but there was an edu writeup: http://isc.sans.edu/diary/Spamhaus+DDOS/15427
[19.03.2013 00:05:51] spamahost: Spamhaus can blow me.
[19.03.2013 00:06:00] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: me too 😛
[19.03.2013 00:06:20] spamahost: What software you using to send out attacks?
[19.03.2013 00:06:22] spamahost: IRC and bots?
[19.03.2013 00:06:28] Yuri: spamhaus like spamahost very very much.
[19.03.2013 00:06:35] Yuri: that’s the realy true love
[19.03.2013 00:06:37] spamahost: Yes they love us
[19.03.2013 00:38:20] Yuri: MEGALOL
[19.03.2013 00:38:27] Yuri: spamhaus is down 3 days
[19.03.2013 00:38:58] Yuri: this is the graph of our mail server http://mx1.2×4.ru/cgi-bin/mailgraph.cgi
that shows amount of spam rejected by our mail server.
last days there are much less SPAm
[19.03.2013 00:39:13] Yuri: http://mail.2×4.ru same graph here.

====================================================================

The Stophaus members discover that Spamhaus is now protected by Cloudflare. This amuses the Stophaus members, who note that Spamhaus has frequently listed large swaths of Cloudflare Internet addresses as sources of spam.


[19.03.2013 00:47:07] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: cloudflare
[19.03.2013 00:47:48] Antitheist: fuck who would believe
[19.03.2013 00:48:10] Antitheist: after they listed all cloudlares /24 for being criminal supportive because of free reverse proxying
[19.03.2013 00:49:11] Antitheist: here we go again…
[19.03.2013 00:49:12] Antitheist: http://www.spamhaus.org/sbl/query/SBL179312
[19.03.2013 00:49:14] Antitheist: lol
[19.03.2013 00:49:46] Antitheist: it had been officialy bought…b-o-u-g-h-t
[19.03.2013 00:50:45] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: hmm
[19.03.2013 00:50:57] Antitheist: narko?
[19.03.2013 00:51:11] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: k… just take down the spamhaus.org nameservers…all 8 of em
[19.03.2013 00:51:22] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: after all the client on cloudflare is ‘spamhaus.eu’
[19.03.2013 00:51:33] Cali: spamhaus under cloudflare?
[19.03.2013 00:51:35] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: they still need the spamhaus.org nameservers for that and their shitlist to work
[19.03.2013 00:51:40] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: yeah with spamhaus.eu
[19.03.2013 00:51:46] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: which is a cname to spamhaus.org
[19.03.2013 00:51:59] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: so just take out the 8 spamhaus nameservers and stop targetting the old website
[19.03.2013 00:52:09] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: that ALSO takes out their dns shitlists…
[19.03.2013 00:52:12] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: indirectly
[19.03.2013 00:52:22] Yuri: that’s a fuck. a lot of work for us
[19.03.2013 00:53:20] Yuri: may be just let’s make cloudflare down ?
[19.03.2013 00:53:29] Antitheist: thats hard yuri
[19.03.2013 00:53:31] Yuri: so they will refuse any spamhaus
[19.03.2013 00:53:43] Antitheist: you need to cripple level3 and nlayer
[19.03.2013 00:54:04] Antitheist: |OR|
[19.03.2013 00:54:12] Antitheist: you need to spend too much traffic
[19.03.2013 00:54:16] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: narko: new target… the 8 nameservers of spamhaus.org… and still smtp-ext-layer.spamhaus.org ofcourse
[19.03.2013 00:54:20] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: no more www.spamhaus.org
[19.03.2013 00:54:24] Antitheist: since cloudflares packages are traffic volume priced
[19.03.2013 00:55:44] Karlin Konig: I don’t think they are charging spamhaus
[19.03.2013 00:56:27] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: as stated before, unfair competition, in many ways
[19.03.2013 00:56:28] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lulz
[19.03.2013 00:57:46] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: hmm is cloudflare hosting? or a reverse proxy?
[19.03.2013 00:57:57] Cali: reverse proxy.
[19.03.2013 00:58:00] Yuri: reverse
[19.03.2013 00:58:09] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: as when its a reverse proxy, it probably goes to that spamhaus.as1101.net box
[19.03.2013 00:58:13] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: aka, surfnet.
[19.03.2013 01:00:10] Cali: already offline 😀
[19.03.2013 01:00:17] Cali: This website is offline
[19.03.2013 01:02:26] narko: I will make down their cloudflare 😉 if I have enough free servers
[19.03.2013 01:02:30] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: they moved it to cloudlfare
[19.03.2013 01:02:31] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[19.03.2013 01:02:43] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: then just go for the nameservers on spamhaus.org
[19.03.2013 01:02:49] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: which also breaks their dns shitlist
[19.03.2013 01:02:52] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: after 24h
[19.03.2013 01:02:55] Cali: usually websites use cloudflare dns as well.
[19.03.2013 01:02:58] Cali: so they might change soon.
[19.03.2013 01:03:03] Cali: I think you should give them some hope
[19.03.2013 01:03:10] Cali: because they will be so proud to bring it back
[19.03.2013 01:03:14] Cali: then you switch it off again :)
[19.03.2013 01:03:20] Cali: they will rage :)
[19.03.2013 01:03:23] Karlin Konig: it’s down again
[19.03.2013 01:03:24] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: they do… spamhaus.EU is on cloudflare dns
[19.03.2013 01:03:25] Karlin Konig: lol
[19.03.2013 01:03:30] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: spamhaus.org… is on spamhaus dns
[19.03.2013 01:03:45] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: for the very obvious reason that they have 70 dns shitlist servers in that zone
[19.03.2013 01:03:49] Cali: yeah but I think they might change that soon.
[19.03.2013 01:03:52] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: and those use their weird rotating system
[19.03.2013 01:03:54] Cali: ahah
[19.03.2013 01:03:57] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: cloudflare can’t do that
[19.03.2013 01:04:04] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: they can’t change the domain of the dns shitlist
[19.03.2013 01:04:05] Cali: even with the paid version?
[19.03.2013 01:04:07] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: so they have to keep that
[19.03.2013 01:04:30] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: soo… if they come up again, just kill the dns servers on their main domain spamhaus.org
[19.03.2013 01:04:33] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: 😛
[19.03.2013 01:04:33] Cali: ok, now it is online and responds.
[19.03.2013 01:04:50] narko: ok
[19.03.2013 01:04:52] narko: moment
[19.03.2013 01:05:07] Cali: http://www.spamhaus.org/images/spamhaus_dnsbl_basic.gif “meet spamhaus policy”
[19.03.2013 01:05:07] Cali: lol
[19.03.2013 01:05:14] Cali: like IPs have to meet Spamhaus policies
[19.03.2013 01:05:18] Cali: lol
[19.03.2013 01:05:24] narko: they are using the cloudflare paid plan
[19.03.2013 01:05:31] narko: as they have 5 IP
[19.03.2013 01:05:31] narko: not 2
[19.03.2013 01:05:44] narko: i think it means that cf will keep them longer
[19.03.2013 01:05:46] narko: :(
[19.03.2013 02:09:03] narko: added some extra gbit/s to two dns servers that seemed half-up :) lets see if google dns renews it now
[19.03.2013 02:09:28] Yuri: fuck.. no dns resolve :))))
[19.03.2013 02:09:45] narko: (mm)
[19.03.2013 02:09:57] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: when -these- time out, they’re out of business
[19.03.2013 02:10:01] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: <<>> DiG 9.8.1-P1 <<>> A b.ns.spamhaus.org
[19.03.2013 08:01:24] Yuri: good morning
[19.03.2013 08:01:32] Yuri: it was short night for me…. fuck
[19.03.2013 08:01:40] Yuri: spamhaus is down ? again :) ?
[19.03.2013 08:02:09] Yuri: looks it’s some our friend work
[19.03.2013 08:10:30] simomchen: how about we hijack spamhaus’s IP together , if can not take them down again ?
[19.03.2013 08:10:59] Yuri: we would like to.
[19.03.2013 08:11:08] Yuri: but we need upstream who will allow us to do that
[19.03.2013 08:11:25] simomchen: we can just announce those over IX exchange
[19.03.2013 08:11:34] simomchen: them , do not need upstream allow this
[19.03.2013 08:11:39] nmetluk: Russian upstreams allow:)
[19.03.2013 08:13:10] Yuri: (at least we have one good russian upstream here)
[19.03.2013 08:14:15] Yuri: spamhaus desided to bring some shit sbls to infiumhost.com, /22 listed just for nothing. and some extra SBLs to pinspb
[19.03.2013 08:14:28] eDataKing: that is how they do it
[19.03.2013 08:14:35] eDataKing: that is why it is terrorism
[19.03.2013 08:14:57] simomchen: SH will force upstreams disconnect them
[19.03.2013 08:15:05] simomchen: that’s their next step
[19.03.2013 08:15:15] Yuri: they are too big to be disconneted
[19.03.2013 08:15:22] eDataKing: yes, the upstream does not really make the decision because the decision is coerced through damages
[19.03.2013 08:15:43] eDataKing: who is too big to be disconnected?
[19.03.2013 08:16:03] simomchen: infiumhost.com ?
[19.03.2013 08:16:31] Yuri: pinspb.ru
[19.03.2013 08:16:33] Yuri: gpt.ru
[19.03.2013 08:16:42] Yuri: and other that was with some new sbls today
[19.03.2013 08:16:50] Yuri: currenty it’s just nothing serious
[19.03.2013 08:16:58] Yuri: they keep searching
[19.03.2013 08:24:33] simomchen: Donate to the fund needed to shut SH down for good. Send your donations via Bitcoin to 17SgMS56W6s1oMU7oEZ66NFkbEk1socnTJ

====================================================================

At this point, several media outlets begin erroneously reporting that the DDoS attack on Spamhaus and Cloudflare is the work of Anonymous (probably because Kamphuis ended his manifesto with the Anonymous tagline, “We do not forgive. We do not forget”).

[19.03.2013 12:35:51] Antitheist: lol, anonymous indonesia took the responsibility for the spamhaus ddos
[19.03.2013 12:35:51] Antitheist: https://twitter.com/anonnewsindo
[19.03.2013 12:36:38] Antitheist: wait no, its all over softpedia! hahaha
[19.03.2013 12:37:31] Antitheist: http://news.softpedia.com/news/Anonymous-Hackers-Launch-DDOS-Attack-Against-Spamhaus-338382.shtml
[19.03.2013 12:46:11] narko: http://www.spamhaus.org/sbl/query/SBL179322
[19.03.2013 12:46:39] Antitheist: http://www.spamhaus.org/sbl/query/SBL179321
[19.03.2013 12:55:30] Yuri: people report that MAIL from spamhaus start working
[19.03.2013 12:55:42] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: oeh! spam!
[19.03.2013 12:56:03] Antitheist: the mail is their weakest point, since cloudflare cannot protect it
[19.03.2013 12:56:22] Antitheist: so we need to hit there. the result means no SBL removals :)
[19.03.2013 12:56:33] Antitheist: mad mad admins pulling off hair 😀
[19.03.2013 14:46:09] Yuri: news.softpedia.com
[19.03.2013 14:46:16] Antitheist: they think its anonymous because of Svens pastebin
[19.03.2013 14:46:48] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: also good
[19.03.2013 14:46:56] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: then the rest of anon also thinks its anon 😛
[19.03.2013 14:47:00] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: and starts to help
[19.03.2013 14:47:01] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[19.03.2013 14:47:17] Yuri: wow what a news
[19.03.2013 14:47:17] Antitheist: lol anon-amplification yeah
[19.03.2013 14:47:26] Yuri: spamhaus says in twitter that softpedia new is false
[19.03.2013 14:47:29] Yuri: :)))
[19.03.2013 14:47:40] Yuri: http://www.spamhaus.org/news/article/693/softpedia-publish-misleading-story-of-anonymous-attack-on-spamhaus
[19.03.2013 15:10:05] eDataKing: 1. Let them think Anons were behind it and do not dispute
[19.03.2013 15:10:05] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: can’t sign up for twitter as i don’t have any working email lol
[19.03.2013 15:10:21] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: edataking: its allready all over the press that its not anons lol.
[19.03.2013 15:10:22] Antitheist: I know Mohit from thehackernews, if it gets posted there it will soon be viral
[19.03.2013 15:10:26] eDataKing: or 2. Remind them that Anons are everyone and Anonymous as a group did not orchestrate it
[19.03.2013 15:10:30] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: at least in .nl its quite clear that its the republic cyberbunker and others
[19.03.2013 15:10:30] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: haha
[19.03.2013 15:10:58] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: that anon also has some ehm… stuff to ‘arrange’ with spamhaus, is a different story
[19.03.2013 15:11:19] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: *points out that over half of my facebook friends have the masks anyway*
[19.03.2013 15:11:28] eDataKing: Anonymous name gets major media
[19.03.2013 15:11:33] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: and that i’m still officially the PR guy for anonymous germany
[19.03.2013 15:14:36] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: y my name don’t fit twitter..
[19.03.2013 15:14:40] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: HRH Sven Olaf Prince
getting twitter accounts shut down, listing stophaus on the sbl.

====================================================================

Spamhaus has by now worked out the identity of many Stophaus members, and has begun retaliating at them individually by listing Internet addresses tied to their businesses and personal lives. Here, Narko reveals that he runs his own (unprofitable) hosting firm, which Spamhaus found and listed as an address to be blocked because it was hosting stophaus[dot]org.

[19.03.2013 17:50:04] narko: im back
[19.03.2013 17:50:25] narko: the nameservers for stophaus need to be changed
[19.03.2013 17:51:04] narko: spamhaus SBLed my site and my host will terminate me unless spamhaus tells them that it’s ok
[19.03.2013 17:51:08] narko: fucking internet police
[19.03.2013 17:52:57] eDataKing: ok, what are we changing them to?
[19.03.2013 17:53:40] narko: i will set up dns servers on my home connection
[19.03.2013 17:53:41] narko: lol
[19.03.2013 17:53:45] narko: i dont think my isp gives a shit
[19.03.2013 17:53:48] narko: i’m alraedy in PBL
[19.03.2013 17:53:56] eDataKing: lol, as long as you are safe
[19.03.2013 17:53:59] narko: what does it matter if i’m in SBL? 😛
[19.03.2013 17:54:04] narko: well.. as long as they won’t ddos me
[19.03.2013 17:54:05] eDataKing: ok, then it should be all good
[19.03.2013 17:54:06] narko: I have a static ip
[19.03.2013 17:54:18] eDataKing: what about your upstream?
[19.03.2013 17:54:50] narko: I want to buy a /24 and host this just to fuck spamhaus
[19.03.2013 17:54:57] narko: anyone selling /24 😛 i pay €200
[19.03.2013 17:55:34] narko: i cannot believe that my host is telling me i need to leave for a fake SBL listing that is not even hosted at their network
[19.03.2013 17:55:38] Yuri: they will list all network at once and put upstream
[19.03.2013 17:55:39] narko: why do they listen to spamhaus..?
[19.03.2013 18:21:28] simomchen: let me make a CC to them in China
[19.03.2013 18:21:35] eDataKing: then this will kill them in the end
[19.03.2013 18:21:49] Antitheist: https://www.cloudflare.com/business
[19.03.2013 18:22:10] Yuri: stophaus.com moved to new DNS.
[19.03.2013 18:22:16] simomchen: I brought 50K adsl Broilers just now
[19.03.2013 18:22:48] eDataKing: Then their DNS is a ticking timebomb dependent on public support. They don’t have a lot of that left
[19.03.2013 18:23:46] Yuri: 50k of what?
[19.03.2013 18:23:52] Antitheist: DNS of stophaus should be hosted on cloudflare imho
[19.03.2013 18:24:13] Antitheist: they will be afraid to list it lol
[19.03.2013 18:24:20] simomchen: 50000 ADSL broilers zombies , hehe
[19.03.2013 18:24:23] Yuri: cloudflare will kick off
[19.03.2013 18:24:27] Yuri: oohh.. shit.
[19.03.2013 18:24:48] Yuri: we need a plan how to fight :)
[19.03.2013 18:27:02] simomchen: Antitheist:
<<< we need bots that will do large POST requests on the search form of ROKSO
yes, that’s CC attack I said just now. ROKSO is not big enough, I’m CC their http://www.spamhaus.org/sbl/latest/ currently
[19.03.2013 18:27:11] simomchen: do not know cloudflare can handle that
[19.03.2013 18:27:24] Antitheist: SBL are not in mysql
[19.03.2013 18:27:53] Antitheist: there is no search on the DB when you request them
[19.03.2013 18:28:06] eDataKing: true
[19.03.2013 18:28:12] Antitheist: but a search form, any of them, must have at least 1 SELECT statement
[19.03.2013 18:28:15] simomchen: okay, http://www.spamhaus.org/rokso/ how about this page ?
[19.03.2013 18:28:23] Antitheist: yes, see the search form
[19.03.2013 18:28:27] eDataKing: RBLs are on a Logistics server at abuseat.org
[19.03.2013 18:28:29] Antitheist: you need to post long random shit there
[19.03.2013 18:28:34] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: SBL157600 5.157.0.0/22 webexxpurts.com 19-Mar 13:53 GMT Spammer hosting (escalation) SBL157599 5.153.238.0/24 webexxpurts.com 19-Mar 13:53 GMT Spammer hosting (escalation)
[19.03.2013 18:28:36] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[19.03.2013 18:28:41] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: wasn’t he in here the other day 😛
[19.03.2013 18:28:46] eDataKing: at least the cbl is
[19.03.2013 18:28:54] eDataKing: yes
[19.03.2013 18:28:59] eDataKing: He left?
[19.03.2013 18:29:05] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: dunno
[19.03.2013 18:29:05] simomchen: okay, let me make a ‘search’
[19.03.2013 18:29:08] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: changed names?
[19.03.2013 18:29:12] eDataKing: maybe
[19.03.2013 18:29:21] eDataKing: that was who I thought Darwin was
[19.03.2013 18:29:47] eDataKing: like he changed his name in the middle of a conversation
[19.03.2013 18:29:54] eDataKing: and Darwin picked up the chat
[19.03.2013 18:29:54] Antitheist: oh good news, its available in GET as well
[19.03.2013 18:30:01] Antitheist: http://www.spamhaus.org/rokso/search/?evidence=LONGSHITGOESHERE
[19.03.2013 18:30:40] eDataKing: They are desperate to take down the content though
[19.03.2013 18:30:55] eDataKing: I knew they would be scared to show their faces to public scrutiny
[19.03.2013 18:36:03] Yuri: SBL179370 66.192.253.42/32 twtelecom.net 19-Mar 15:15 GMT Suavemente/SplitInfinity/Innova Direct : Feed to Jelly Digital (AS4323 >>> AS33431)
SBL179369 4.53.122.98/32 level3.net 19-Mar 15:03 GMT Suavemente/SplitInfinity/Innova Direct : Feed to Critical Data Network, Inc. (AS3356 >>> AS53318)
spamhaus started to fuck hardly everywhere. they are angry.
[19.03.2013 18:37:39] Antitheist: no mercy anymore, everyone who they scraped out of stophaus members gets the entire /24 listed in ROKSO :)
[19.03.2013 18:37:40] simomchen: cloudflare service them , we are angry too
[19.03.2013 18:40:35] simomchen: but if the ddos keeping , I think spamhaus would go bankrupt
[19.03.2013 18:40:52] narko: they won’t go bankrupt
[19.03.2013 18:40:55] narko: he will just buy a smaller boat
[19.03.2013 18:41:00] simomchen: because cloudflare must charge tons of money form them
[19.03.2013 18:41:34] simomchen: what they can do in that boat ? if they do not pay to cloudflare , they will down again
[19.03.2013 18:41:48] narko: cloudflare only cost $200 per month
[19.03.2013 19:02:27] Yuri: For SBLs spamhaus
use
[19.03.2013 19:02:27] Yuri:
<<< http://stopforumspam.com/
https://www.projecthoneypot.org/ – this one for sure
https://zeustracker.abuse.ch/
https://spyeyetracker.abuse.ch/
those sites 100%
[19.03.2013 19:02:39] narko: ok let’s make these down 😉
[19.03.2013 21:32:06] narko: i run my host company since FEB 2012 and i am still losing like 350$ per month lol
[19.03.2013 21:32:28] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: we’ve been doing it commercially since 1996 on ‘cb3rob’
[19.03.2013 21:32:34] eDataKing: how much would that be?
[19.03.2013 21:32:39] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: and well.. there are times where it runs at a loss 😛
[19.03.2013 21:32:45] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: and there are times where it makes heaps 😛
[19.03.2013 21:32:55] narko: i have not had a single month
[19.03.2013 21:33:01] narko: where the costs of servers+licenses were covered..
[19.03.2013 21:33:12] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: you don’t have your own servers either/
[19.03.2013 21:33:13] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: ?
[19.03.2013 21:33:16] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: just reselling?
[19.03.2013 21:33:32] narko: rent server, install cpanel, advertise
[19.03.2013 21:33:33] narko: (y)
[19.03.2013 21:33:45] eDataKing: agreed
[19.03.2013 21:33:54] narko: but I think soon i will buy my own servers and colo
[19.03.2013 21:33:56] narko: it will be cheaper
[19.03.2013 21:34:04] eDataKing: agreed as well
[19.03.2013 21:34:06] narko: the problem is
[19.03.2013 21:34:11] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: i’d say thats the only way to do it 😛
[19.03.2013 23:43:05] narko: i don’t understand this
[19.03.2013 23:43:16] narko: how can cloudflare take 100gbps of udp and latency is not even increased by 1ms
[19.03.2013 23:47:05] Antitheist: http://www.apricot2013.net/__data/assets/pdf_file/0009/58878/tom-paseka_1361839564.pdf
[19.03.2013 23:47:19] Antitheist: CloudFlare has seen DNS reflection attacks hit 100Gbit traffic globally
[19.03.2013 23:47:23] Antitheist: they are used to it
[19.03.2013 23:47:49] narko: when they were hosting at rethem hosting
[19.03.2013 23:47:52] narko: I took down sprint
[19.03.2013 23:47:54] narko: i took down level3
[19.03.2013 23:47:56] narko: i took down cogent
[19.03.2013 23:48:06] narko: but cloudflare nothing!
[19.03.2013 23:48:26] narko: back in 2009 cloudflare went down with 10gbps
[19.03.2013 23:48:28] narko: all down..
[19.03.2013 23:49:34] narko: o i’m causing some dropped packets now 😛
[19.03.2013 23:56:06] Cali: narko, was it you who DDoSed us like a year and half ago ? 😀
[19.03.2013 23:56:14] narko: what network?
[19.03.2013 23:56:27] narko: or site
[19.03.2013 23:56:32] narko: sent it me in private chat and i can tell you
[20.03.2013 00:05:39] narko: http://i.imgur.com/M2mbNE0.png
[20.03.2013 00:05:44] narko: Spamhaus cloudflare current status
[20.03.2013 00:05:48] narko: with over 100Gbps of attack traffic
[20.03.2013 00:07:39] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: hmm does this affect other cloudflare customers, as in that case its bye bye spamhaus pretty soon
[20.03.2013 00:07:40] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[20.03.2013 00:07:49] narko: i dont know
[20.03.2013 00:07:56] narko: i hope so because i cant keep such traffic up for a long time
[20.03.2013 00:08:02] narko: it’s probably closer to 200 than 100 Gbps
[20.03.2013 00:08:07] Cali: it will be harder than that I think.
[20.03.2013 00:09:35] Cali: no more icmp @cloudflare?
[20.03.2013 00:09:52] narko: 7 * * * Request timed out.

[20.03.2013 00:22:24] Antitheist: they list every IP/DNS that resolves stophaus in any way
[20.03.2013 00:22:31] narko: “Please update us when this client no longer utilises *any* part of our network so we can get back in touch with Spamhaus.”
[20.03.2013 00:22:35] Antitheist: we can change it every hour and block the entire internet lol
[20.03.2013 00:22:47] narko: They do not understand the word “THIS CLIENT HAS NOTHING TO DO WITH YOUR NETWORK”
[20.03.2013 00:22:53] narko: they treat it like it’s a request from law enforcement
[20.03.2013 00:22:56] narko: not some moron on a boat
[20.03.2013 00:47:00] Antitheist: so whats up with wordtothewise
[20.03.2013 00:47:02] narko: i only met you peoples on friday and never heard of most of you before then 😛
[20.03.2013 00:47:29] eDataKing: lol, I just talk like I know everyone
[20.03.2013 00:47:48] eDataKing: It’s better than being secretive. I get nervous around quite people.
[20.03.2013 00:47:59] eDataKing: I think they are plotting on me lol 😉
[20.03.2013 00:48:01] narko: I said too much already in this chat
[20.03.2013 00:48:04] narko: I’m expecting the raid soon
[20.03.2013 00:48:06] narko: 😛

====================================================================

Narko has directed most of his botnet resources at Cloudflare now instead of Spamhaus, and the group is surprised to see Spamhaus go offline when it was hidden behind Cloudflare’s massive DDoS protection resources. Also, Yuri enlists the help of some other attackers to join in the assault.

[20.03.2013 01:00:32] Antitheist: This website is offline. No cached version is available
[20.03.2013 01:00:33] Antitheist: LOL
[20.03.2013 01:00:47] narko: lol
[20.03.2013 01:00:50] narko: not working for me either
[20.03.2013 01:00:56] Antitheist: narko you are the king
[20.03.2013 01:00:59] Antitheist: haha
[20.03.2013 01:01:00] narko: i didnt do anything
[20.03.2013 01:01:03] narko: i was just attacking cloudflare
[20.03.2013 01:01:16] Antitheist: well, thats not something they wanted to have
[20.03.2013 01:01:17] narko: see now its back up :(
[20.03.2013 01:01:36] Cali: It is offline here.
[20.03.2013 01:01:44] Antitheist: off…
[20.03.2013 01:01:45] narko: it went down again
[20.03.2013 01:01:51] narko: and back
[20.03.2013 01:03:11] Cali: yup
[20.03.2013 01:04:33] narko: let’s create some more records
[20.03.2013 01:04:36] narko: for DNS of stophaus
[20.03.2013 01:04:47] narko: dummy records, such as the IP of softlayer.com , etc
[20.03.2013 01:04:55] narko: it won’t affect the site because it will just try from the next server
[20.03.2013 01:05:01] narko: but they’re going to SBL some big sites
[20.03.2013 01:05:02] narko: lol
[20.03.2013 01:05:47] Antitheist: it will create more damage if we list MTAs
[20.03.2013 01:06:06] narko: ok let’s see
[20.03.2013 01:06:20] narko:
[20.03.2013 02:16:57] narko: Cloudflare changed the ips
[20.03.2013 02:16:59] narko: put only 2 IPs now
[20.03.2013 02:17:05] narko: will move attack to these IPs
[20.03.2013 02:18:24] narko: also I have a friend with a small botnet. I asked him to contribute
[20.03.2013 02:19:45] Yuri: i see.
[20.03.2013 02:19:59] Yuri: i asked some hackers to assist also
[20.03.2013 02:20:31] narko: my friend is in saudi arabia. he has bots in arab regions. will provide some diversity to the attack.
[20.03.2013 02:20:52] Yuri: spamhaus sbl site is the high end of iceberg
[20.03.2013 02:21:11] Yuri: did you try to put down spamhaus related sites?
[20.03.2013 02:21:23] narko: after spamhaus.org main site :))
[20.03.2013 02:21:55] narko: i am just getting very annoyed at this company now
[20.03.2013 02:22:08] narko: i just received 2 minutes ago “We are sorry to inform that your account has been terminated.” from my host.
[20.03.2013 02:22:14] narko: due to SBL
[20.03.2013 02:22:43] Yuri: on what host?
[20.03.2013 02:22:52] narko: EuroVPS.com
[20.03.2013 02:23:02] Yuri: write me pm what do you need
[20.03.2013 03:13:26] narko: lets host here
[20.03.2013 03:13:38] narko: http://www.beltelecom.by/business/hosting/virtual-dedicated-server
[20.03.2013 03:13:45] narko: i dont think they can even speak english. to read the abuse report from spamhaus. 😀
[20.03.2013 03:14:03] Cali: lol
[20.03.2013 17:07:45] eDataKing: lol
[20.03.2013 17:27:58] narko: looks like one of the cloudflare dc is down
[20.03.2013 17:28:08] narko: previously my connection to spamhaus was to amsterdam
[20.03.2013 17:28:10] narko: now it’s to paris :)
[20.03.2013 17:28:53] simomchen: keeping ddos them , then , cloudflare will kick SH out
[20.03.2013 17:29:03] narko: i am adding more
[20.03.2013 17:29:20] narko: if you know anyone with botnet – ask them to help too. there will be a point where even the $2000 cloudflare enterprise plan is not worth it to them.
[20.03.2013 17:31:42] simomchen: maybe someone joined us. SH released xxx is making ddos them. and some other guys saw this.but do not connect us. they was blackmailed by SH before. so , it’s a hidden retaliation time for them
[20.03.2013 17:32:04] narko: hope so
[20.03.2013 17:32:09] narko: it seems they split the load between 2 dc [datacenters] actually
[20.03.2013 17:32:12] Antitheist: who is ddosing them?
[20.03.2013 17:32:17] narko: spamhaus has 2 ip and 1 is amsterdam other is paris
[20.03.2013 17:32:18] Antitheist: where did you see it idear4business
[20.03.2013 17:33:16] Yuri: look, there too much people who is not active here. may be we could remove them from this chat ?
[20.03.2013 17:33:29] narko: yes I think that’s good idea. there’s some people who i have never seen one message
[20.03.2013 17:33:48] simomchen: they do not wanna to show their identity, just wanna to make retaliation. I guess those. can not seeing this. but at least , some of our clients also joined , and making ddos SH from China. they hate spamhaus , because SH made their domains ‘client hold’ (over 50000 domains) in the past year
[20.03.2013 17:33:49] Yuri: let’s create new one subchat and move there. how is the idea?
[20.03.2013 17:34:32] Antitheist: spamhaus made 500 of my domains hold
[20.03.2013 17:34:38] narko: everyone who has bp host
[20.03.2013 17:34:40] Antitheist: cnobin, its a bizcn reseller
[20.03.2013 17:34:46] narko: hijack the botnets of your clients and ddos spamhaus 😛
[20.03.2013 17:34:51] Antitheist: lol)))
[20.03.2013 17:35:14] narko: my experience with BP hosts – you can always get some free bots from whoever used the IP previously :))))
[20.03.2013 17:35:27] Antitheist: if you have the same panel
[20.03.2013 17:35:40] narko: well I just adapt my software to accept their commands
[20.03.2013 17:35:41] simomchen: no need to hijack , if our clients wanna to ddos someone , they will buy some botnets. it’s cheap in China , like 0.01 EUR/each
[20.03.2013 17:35:44] narko: most of them are not encrypted at all
[20.03.2013 17:35:45] NM: :)
[20.03.2013 17:35:50] simomchen: Sven also know that
[20.03.2013 17:35:56] narko: each bot?
[20.03.2013 17:36:01] simomchen: yes
[20.03.2013 17:36:06] simomchen: ADSL bot
[20.03.2013 17:36:10] narko: what is the upload speed of china ADSL?
[20.03.2013 17:36:16] simomchen: with dynamic IP
[20.03.2013 17:36:24] simomchen: just 50-100Kbps
[20.03.2013 17:36:40] narko: we need some netherland/sweden/romania bots 😛
[20.03.2013 17:36:49] narko: they have 100mbps or more
[20.03.2013 17:37:04] NM: In Russia too
[20.03.2013 17:37:33] simomchen: SH is not works in China till now. and sometime , they are going up down up down.
[20.03.2013 17:38:09] narko: spamhaus can make down .cn domains ?
[20.03.2013 17:38:18] Yuri: yes.
[20.03.2013 17:38:39] simomchen: our clients is selling something to EU and US, so , they do not use .cn
[20.03.2013 17:38:50] simomchen: usually , they use .com/net
[20.03.2013 17:39:16] narko: they should apply for a new tld
[20.03.2013 17:39:17] narko: .ugg
[20.03.2013 17:39:33] simomchen: yes
[20.03.2013 17:39:51] Antitheist: .rx
[20.03.2013 17:39:54] Yuri: )))))
[20.03.2013 17:40:09] Yuri: .ugg (y)
[20.03.2013 17:40:17] narko: (sun)
[20.03.2013 17:40:43] narko: i hosted botnets under .w2c.ru domain
[20.03.2013 17:41:10] narko: and the domain was not made down
[20.03.2013 17:41:34] Yuri: hey. wtf, it’s my domain :)
[20.03.2013 17:41:41] narko: yes I had dedicated server
[20.03.2013 17:41:44] narko: free subdomain
[20.03.2013 17:41:57] Yuri: :O:D
[20.03.2013 17:42:11] narko: but i needed to move
[20.03.2013 17:42:19] narko: because a big ISP in Europe blocked all your ip range 😛
[20.03.2013 17:42:26] narko: i lost half my bots
[20.03.2013 17:44:53] narko: ok. currently i have running against spamhaus:
[20.03.2013 17:45:15] narko: ~100Gbps UDP
~ 20M pps TCP
~ 65k req/s HTTP
distributed between the 2 IP
[20.03.2013 17:45:21] narko: cloudflare must remove them soon..
[20.03.2013 17:45:21] narko: cloudflare must remove them soon.
[20.03.2013 19:25:20] narko: i think spamhaus wrote to my payment processor
[20.03.2013 19:25:23] narko: has it happened before?
[20.03.2013 19:25:44] narko: an IP address started to browse my site. assigned to 2Checkout Inc. now my merchant account is put into a review status.
[20.03.2013 19:27:32] eDataKing: How did they get your processor’s info?
[20.03.2013 19:27:43] narko: they require it to be written in the site
[20.03.2013 19:27:48] narko: “Services provided by 2Checkout Inc”
[20.03.2013 19:27:51] eDataKing: Also, they tried that with my Paypal account for 3 years. We are still Top-Tier members
[20.03.2013 19:28:03] eDataKing: they reviewed the records and it took 6 hours to be restored
[20.03.2013 19:28:18] eDataKing: no other complaint ever made it past the first level of abuse
[20.03.2013 19:28:20] narko: lol
[20.03.2013 19:28:31] narko: someone called paypal and said i was threatening to kill them unless they paid me money
[20.03.2013 19:28:34] narko: and my account was limited for a week

====================================================================

At this point, Narko is sending between 150 and 300 Gbps of packet love at Cloudflare’s major datacenter Internet addresses. Cloudflare.com briefly goes offline. Cloudflare publishes a blog post stating that the attack was successfully handled and mitigated by Cloudflare. Narko disagrees, saying Cloudflare was able to mitigate the attack only because he paused it. Spamhaus posts an update on the ongoing attacks, claiming that most of its operations are returning to normal.

Narko shares this screenshot in the chat forum. It shows that the attack on Cloudflare is at more than 100 Gbps, which is more than enough to knock most sites offline.

[20.03.2013 19:58:21] narko: did someone else start attack to cloudflare? their site is even down now :))
[20.03.2013 19:58:27] Yuri: we need to post it to the public, in twitter and etc?
[20.03.2013 20:33:19] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: we’ll just break the god damn internet if thats what it takes 😛
[20.03.2013 20:33:20] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[20.03.2013 20:46:19] eDataKing: http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
[20.03.2013 20:46:38] eDataKing: The DDoS That Knocked Spamhaus Offline (And How We Mitigated It)
[20.03.2013 20:46:43] eDataKing: they mitigated it?
[20.03.2013 20:46:45] eDataKing: news to me
[20.03.2013 20:47:11] eDataKing: hmm
[20.03.2013 20:47:12] eDataKing: CloudFlare’s own history grew out of Project Honey Pot, which started as an automated service to track the resources used by spammers and publishes the HTTP:BL.
[20.03.2013 20:47:21] eDataKing: good data
[20.03.2013 20:47:24] eDataKing: didn’t know that
[20.03.2013 20:48:53] eDataKing: Beginning on March 18th?
[20.03.2013 20:48:59] eDataKing: that is factually incorrect
[20.03.2013 20:51:11] narko: reading now
[20.03.2013 20:51:47] eDataKing: the attack did not start a day before their great admins mitigated it
[20.03.2013 20:51:54] eDataKing: is it even mitigated?
[20.03.2013 20:52:12] narko: hehehehe :)))))))))))))))))))))
[20.03.2013 20:52:15] narko: this is like 140Gbps
[20.03.2013 20:52:27] eDataKing: lol
[20.03.2013 20:52:37] eDataKing: don’t look like mitigation to me lol
[20.03.2013 20:52:57] eDataKing: Their article almost reads as a challenge
[20.03.2013 20:53:14] narko: I stopped the attack
[20.03.2013 20:53:25] narko: i am generating a new dns list. then I will start again and it will be over 200 gbps
[20.03.2013 20:53:30] narko: the current list is quite old

====================================================================

Narko grows concerned about getting busted because Andrew (eDataKing) mistakenly published on the anti-spam Google Group forum NANAE a screenshot that included Narko’s Skype screen name. Helpfully for the U.K. authorities closing in on him, Narko provides a link to view the screenshot that includes what he identifies as his Skype screen name.

Narko's screen as he's in the middle of launching attacks on Spamhaus. A portion of his Skype address at the time can be seen in the upper right corner of the screenshot.

[20.03.2013 21:08:59] eDataKing: lol,
[20.03.2013 21:08:59] eDataKing: This morning at 09:47 UTC CloudFlare effectively dropped off the Internet. The outage affected all of CloudFlare’s services including DNS and any services that rely on our web proxy. During the outage, anyone accessing CloudFlare.com or any site on CloudFlare’s network would have received a DNS error. Pings and Traceroutes to CloudFlare’s network resulted in a “No Route to Host” error.
[20.03.2013 21:09:15] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: 😛
[20.03.2013 21:09:25] eDataKing: sry, that was on 03-03
[20.03.2013 21:09:27] eDataKing: not related
[20.03.2013 21:09:38] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: someone was doing it better than narko ?
[20.03.2013 21:09:40] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: wth
[20.03.2013 21:09:41] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[20.03.2013 21:09:48] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: get that guy in here too haha
[20.03.2013 21:09:57] eDataKing: wait to see what narko does next though
[20.03.2013 21:15:03] Yuri: spamhaus down ?
[20.03.2013 21:15:07] Yuri: cloudflare shows down
[20.03.2013 21:15:34] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: nope
[20.03.2013 21:15:38] eDataKing: nope
[20.03.2013 21:19:37] narko: we need to find more people.
[20.03.2013 21:19:49] narko: cloudflare network just has a lag with my attack
[20.03.2013 21:20:00] narko: my attack + some botnets will take them down entirely. then they have no choice but to kick spamhaus.
[20.03.2013 22:24:39] narko: who posted the screenshot on nanae please remove it
[20.03.2013 22:24:41] narko: it has written my skype name
[20.03.2013 22:24:59] narko: t.ravis
[20.03.2013 22:25:04] eDataKing: that was the indian
[20.03.2013 22:25:13] eDataKing: you said to post it
[20.03.2013 22:25:22] eDataKing: I’ll tell him
[20.03.2013 22:25:31] eDataKing: I don’t think it can be removed though
[20.03.2013 22:25:52] eDataKing: argh, why didn’t you edit that image?
[20.03.2013 22:26:01] eDataKing: I will be sure to check all images from here out
[20.03.2013 22:26:11] eDataKing: but doesn’t the image only say probing?
[20.03.2013 22:26:24] narko: no it has my skype username
[20.03.2013 22:26:27] narko: i didn’t expect it to be posted
[20.03.2013 22:26:29] narko: i just said
[20.03.2013 22:26:31] narko: narko:
<<< http://i.imgur.com/prDIVYU.png — current status
[20.03.2013 22:27:51] Yuri: don’t see any info on screenshot
[20.03.2013 22:28:09] eDataKing: I see all but the last digit
[20.03.2013 22:28:16] eDataKing: enough to run a trace on that skype account
[20.03.2013 22:28:28] eDataKing: but nothing incriminating
[20.03.2013 22:28:48] eDataKing: don’t they already blame you though?
[20.03.2013 22:28:59] narko: no one on nanae/spamhaus knows about me
[20.03.2013 22:29:03] eDataKing: I’ll tell the indian to wait for approval before posting anything else
[20.03.2013 22:29:16] eDataKing: I will also look at the images if there are any more screens
[20.03.2013 22:29:38] eDataKing: can you grab a new skype account and nix this one just in case?
[20.03.2013 22:29:44] narko: i am just worried. because it has my skype name < i am uploaded the image from my home connection, and FBI in USA already has a case on me ddosing before, they were going to people in america and asking them questions about me
[20.03.2013 22:29:44] narko: no
[20.03.2013 22:29:45] narko: its fine for me
[20.03.2013 22:29:48] narko: for now *
[20.03.2013 22:29:50] eDataKing: you said this one was for this session only right?
[20.03.2013 22:29:53] narko: yes
[20.03.2013 22:30:22] eDataKing: the image won’t have any hex code though because it is on imgur
[20.03.2013 22:30:24] Yuri: other solution – is to upload same image from other IPs
[20.03.2013 22:30:31] eDataKing: yes
[20.03.2013 22:30:36] Yuri: so they have to think who is that was…
[20.03.2013 22:30:41] eDataKing: oh, gotcha
[20.03.2013 22:30:44] eDataKing: yeah
[20.03.2013 22:31:13] eDataKing: I am so used to being completely anon that I would have never imagined you imported that from home
[20.03.2013 22:31:54] eDataKing: can you delete it from imgur?
[20.03.2013 22:32:30] eDataKing: I want to mitigate any issues because the indian is my dude and I feel responsible for what he did
[20.03.2013 22:32:34] narko: no
[20.03.2013 22:32:37] narko: nothing will happen
[20.03.2013 22:32:41] narko: nothing has ever happened
[20.03.2013 22:40:58] narko: but I ran an illegal site (carding, ddos, etc) from 2010-2012 and 90% customers were US
[21.03.2013 03:40:43] narko: well i’m going to sleep
[21.03.2013 03:40:49] narko: wll attack cloudflare again tomorrow :)

====================================================================

Stophaus claims victory when Spamhaus moves off of Cloudflare’s network and over to Amazon. The Stophaus members begin planning their next move.

[21.03.2013 10:00:21] eDataKing: CBL (cbl,http://t.co/M9Jz8KKvi5) is up again, after a heavy DDOS. It is now protected through amazon cloud. #spamhaus
[21.03.2013 10:14:19] simomchen: so , SH have separated , and protected by 2 cloud ?
[21.03.2013 10:14:54] eDataKing: yep
[21.03.2013 10:15:10] eDataKing: but they are only buying a short amount of time really
[21.03.2013 10:16:23] simomchen: they must have a contract with cloudflare and amazon , once ddos leave over 7 days. maybe, they will break the contract with these 2 companies
[21.03.2013 13:19:10] Antitheist: congratulations narko your SBL was removed
[21.03.2013 13:19:25] narko: after 3 days 😛 I’m still moving. I have server from new DC in russia now
[21.03.2013 13:19:31] Antitheist: pin?
[21.03.2013 13:19:34] narko: yes
[21.03.2013 13:20:02] narko: I will not deal with the british datacenters any more
[21.03.2013 13:20:08] narko: even swiftway didn’t give a shit about the SBL
[21.03.2013 13:20:18] narko: but Racksrv treats it like they’re the secret police
[21.03.2013 14:15:03] Yuri: looks spamhaus pissed off
they try to piss everywhere
[21.03.2013 14:15:07] Yuri: SBL179470
217.65.0.0/22 citytelecom.ru
21-Mar-2013 11:59 GMT
Spammer hosting (escalation)
[21.03.2013 14:15:30] narko: is this for providing connectivity to 2×4?
[21.03.2013 14:15:35] narko: or another
[21.03.2013 14:15:41] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: no this is for being russians haha
[21.03.2013 14:15:46] narko: lol
[21.03.2013 14:16:00] Yuri: he provide us and some others.
[21.03.2013 14:16:02] NM: i cant open their site
[21.03.2013 14:42:49] Yuri: i found why
——————
spamahost wrote yesterday in facebook.
One of our VPS nodes is undergoing a node transfer. We are moving the “Zeus” node to a different upstream (which now supports full emailing!), as well as upgraded hardware. Please check your emails for more information, as well as your client areas!
——————-
and his website was on our network.
[21.03.2013 14:42:57] Yuri: so spamhaus pissed on it.
[21.03.2013 15:17:13] narko: i go to feed my addiction to chinese food now.brb
[21.03.2013 15:17:40] narko: when i’m back in few minutes. let’s ddos some more shit
[21.03.2013 15:17:41] narko: (hug)

====================================================================

Spamhaus succeeds in getting Stophaus[dot]org suspended at the domain registry level. This angers Prinz Sven, who begins coming unglued — threatening to attack or harm the domain registrar and anyone else involved in the suspension. Sven even goes so far as to post a manifesto on his Facebook account, taking on the persona of a pirate and lobbing threats of additional DDoS attacks as well as physical violence against Spamhaus members.

[21.03.2013 17:35:41] Antitheist: fuckers
[21.03.2013 17:35:42] narko: fuck! how they did this
[21.03.2013 17:35:56] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: hmm?
[21.03.2013 17:35:57] Antitheist: who are ahnames?
[21.03.2013 17:36:02] narko: advanced hosters ltd
[21.03.2013 17:36:13] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: say what
[21.03.2013 17:36:18] narko: the domain is suspended
[21.03.2013 17:36:22] narko: by the registrar
[21.03.2013 17:36:45] Antitheist: what kind of a shit registrar was it
[21.03.2013 17:36:59] narko: www.ahnames.com
[21.03.2013 17:37:03] Antitheist: webnames.ru or naunet.ru are pissing on spamhaus
[21.03.2013 17:37:13] Antitheist: had to get domain from them
[21.03.2013 17:37:19] narko: well now nothing can be done
[21.03.2013 17:37:21] Antitheist: its still possible to transfer
[21.03.2013 17:37:37] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: then do so
[21.03.2013 17:37:44] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: to -their- domain registrar 😛
[21.03.2013 17:37:56] narko: gandi is a bad registrar
[21.03.2013 17:46:33] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: Domain Name: STOPHAUS.COM

Abuse email: abuse@ahnames.com

DOMAIN SUSPENDED DUE TO VIOLATION OF OUR TOS
Arr! · · Promote
now turn it back on before we send those 80gbit/s down your ass.
[21.03.2013 17:47:02] narko: you have very big balls
[21.03.2013 17:47:12] narko: writing ddos threads on facebook? I would not even do that and I am the person doing the attacks 😛 lol
[21.03.2013 17:47:21] narko: threats *
[21.03.2013 17:47:33] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: who cares, they just ddossed us 😛
[21.03.2013 17:47:40] Yuri: most men in this chat are with big balls.
[21.03.2013 17:47:40] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: by disabling the domain without a proper excuse
[21.03.2013 17:47:44] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: so might as well disable theirs
[21.03.2013 17:47:53] eDataKing: what’s wrong with ahnames?
[21.03.2013 17:47:56] eDataKing: what did they do?
[21.03.2013 17:47:59] narko: they banned the domain
[21.03.2013 17:48:01] Yuri: did somebody stopped our domain ?
[21.03.2013 17:48:02] narko: suspended it
[21.03.2013 17:48:09] Yuri: wtf
[21.03.2013 17:48:10] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: actually i threatened to have steve linford terminated physically a minute before that on my own profile
[21.03.2013 17:48:11] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: lol
[21.03.2013 17:48:14] Yuri: we could change to RU
[21.03.2013 17:48:17] Yuri: stophaus.ru
[21.03.2013 17:48:19] Goo: xD
[21.03.2013 17:48:19] eDataKing: then we should hit them
[21.03.2013 17:48:21] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: just call them and have em turn it back on
[21.03.2013 17:48:26] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: or else we take THEM down
[21.03.2013 17:48:29] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: simple as that
[21.03.2013 17:48:32] narko: we need .com back because it’s already in google, linked in pages, etc
[21.03.2013 17:48:32] eDataKing: suspending the domain is a direct challenge
[21.03.2013 17:48:41] eDataKing: yes, the .com needs up
[21.03.2013 17:49:01] eDataKing: We need to contact ahnames and tell them to allow us to transfer the domain
[21.03.2013 17:49:06] Yuri: we need to transfer it to nic.ru
[21.03.2013 17:49:07] eDataKing: they have allowed it before
[21.03.2013 17:49:13] Yuri: they not slose it.
[21.03.2013 17:49:16] narko: domain transfer takes 5-6 days
[21.03.2013 17:49:18] Yuri: they have balls
[21.03.2013 17:49:21] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: im going to announce ALL of their motherfucking nameservers.
[21.03.2013 17:49:25] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: need to make some changes
[21.03.2013 17:49:27] Yuri: ok
[21.03.2013 17:49:31] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: hmm wait better not do that lol
[21.03.2013 17:49:40] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: that ehm would cost us quite a few peerings haha
[21.03.2013 17:49:49] eDataKing: no, it is way faster
[21.03.2013 17:49:58] narko: it doesnt mtater
[21.03.2013 17:50:00] narko: matter
[21.03.2013 17:50:04] narko: you are already offline from most locations
[21.03.2013 17:50:05] narko: :))
[21.03.2013 17:50:27] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: they responded
[21.03.2013 17:50:50] narko: facebook asks me to log in to see it
[21.03.2013 17:50:51] narko: what a joke
[21.03.2013 17:50:56] narko: i will never register to that site
[21.03.2013 17:51:50] eDataKing: if we show them that we will not tolerate them playing spamhaus games they may see that it could cost them to do so
[21.03.2013 17:52:19] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: Sven Olaf Kamphuis how about, its not a question, we know damn well that steve linford of spamhaus has been spreading lies again, this here undermines our freedom of speech, after all there is nothing on that forum that isn’t done 904903 times as much by spamhaus itself… so, if you’re not with us, you’re against us. turn it back on or we turn YOU OFF.
a few grains o’ sand ago · Arr!
Sven Olaf Kamphuis there is no clause in your TOS that states you have to be friends with ‘spamhaus’
a few grains o’ sand ago · Arr!
Sven Olaf Kamphuis so take your pick… 80gbit/s up your ass, orrrr… turning the domain back on
a few grains o’ sand ago · Arr!
[21.03.2013 17:52:25] eDataKing: perfect Sven
[21.03.2013 17:52:29] eDataKing: that is what they need to hear
[21.03.2013 17:53:01] Yuri: stophaus.org also our domain?
[21.03.2013 17:53:17] Goo: haha nice sven
[21.03.2013 17:53:22] Goo: they will be scared
[21.03.2013 17:53:32] Goo: otherwise they’re fucked haha
[21.03.2013 17:53:56] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: send them a few packets so they know
[21.03.2013 17:54:03] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: narko: ddos on that ahnames for like 1 minute
[21.03.2013 17:54:04] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: 😛
[21.03.2013 17:54:05] Yuri: also .to – they will not close, they ignore everything
[21.03.2013 17:54:30] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: we;re not gonna change the god damn domain name
[21.03.2013 17:54:35] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: we’re gonna make them turn it back on
[21.03.2013 17:54:37] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: simple as that.
[21.03.2013 17:56:16] Goo: i’m bored, shall i hack spamhaus?
[21.03.2013 17:56:27] Yuri: +1
[21.03.2013 17:56:39] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: goo: sure 😛
[21.03.2013 17:56:44] Goo: alright
[21.03.2013 17:56:48] Goo: Goo grabs some donuts
[21.03.2013 17:56:55] Goo: let do this
[21.03.2013 17:57:34] eDataKing: ok, I just collabed with my buddy here he has a good sugg.
[21.03.2013 18:15:24] Cali: your stophaus is offline.
[21.03.2013 18:15:25] Cali: what happened?
[21.03.2013 18:15:37] narko: the domain got suspended by the registrar
[21.03.2013 18:15:47] Cali: lame.
[21.03.2013 18:16:07] Cali: but you should have never registered a .com
[21.03.2013 18:16:23] Antitheist: its not about the tld its about the registrar
[21.03.2013 18:16:55] Antitheist: normal registrar will not suspend domains because of some stupid threats
[21.03.2013 18:17:33] Yuri: Cali, go other chat
[21.03.2013 18:17:40] Yuri: new one
[21.03.2013 18:17:43] Cali: well if it has not been suspended by the .tld then that’s even more lame.
[21.03.2013 18:17:53] Cali: new one?
[21.03.2013 18:18:25] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: as far as i recall marco rinaudo ran a registrar…
[21.03.2013 18:42:32] Valeriy Uhov: today spamhaus very angry
[21.03.2013 18:42:37] Valeriy Uhov: lists everybody
[21.03.2013 18:43:00] narko: yes they listed /25 of hostkey and /25 of burstnet
[21.03.2013 18:43:02] narko: really angry 😀
[21.03.2013 18:43:14] eDataKing: yeah, they are definitely fighting back
[21.03.2013 18:43:18] Yuri: spamhaus should be blind
[21.03.2013 18:43:39] Yuri: we can make a lit what spamhaus can;t close
[21.03.2013 18:43:44] eDataKing: but why wouldn’t they…this is very likely to be their version of Custard’s Last Stand
[21.03.2013 18:44:11] Yuri: like twitter, email account, icq, facebook, home LAN ADSL IP, domains in the next zones like .ru, .su, .to
[21.03.2013 18:44:27] Valeriy Uhov: .ru and .su it closes
[21.03.2013 18:44:39] Yuri: if botnets- yes. its ok.
[21.03.2013 18:44:45] Yuri: but for other things – they can’t close.
[21.03.2013 18:44:49] Yuri: my layer is the guard.
[21.03.2013 18:44:51] Valeriy Uhov: they close for spam
[21.03.2013 18:44:53] Valeriy Uhov: etc
[21.03.2013 18:44:59] eDataKing: what is spam again?
[21.03.2013 18:45:37] Yuri: for INFORMATION: write to other one chat
[21.03.2013 18:45:47] Valeriy Uhov: which one?
[21.03.2013 18:46:09] Valeriy Uhov: http://en.wikipedia.org/wiki/Spam
[21.03.2013 18:48:50] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: steve linford has -6- people on facebook that like his wikipedia page.
[21.03.2013 18:48:53] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: -6- 😛
[21.03.2013 18:48:56] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: so why even bother lol
[22.03.2013 04:18:56] valeralelin: http://clip2net.com/s/4MLYWZ
[22.03.2013 04:41:13] narko: (party)
[22.03.2013 04:46:07] valeralelin: i can get more documents about sh
[22.03.2013 04:50:22] narko: get a document with his real address on it
[22.03.2013 04:50:25] narko: not some virtual offices
[22.03.2013 04:54:08] edataking: let me see that one
[22.03.2013 04:54:17] edataking: post under his name in the records area
[23.03.2013 16:41:24] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: its running into the 95% percentile bandwith billing on cloudflare’s transits atm
[23.03.2013 16:41:43] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: and cloudflare has network issues, so at some point they’ll have to boot spamhaus as it affects their other clients
[23.03.2013 16:42:00] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: at which point, spamhaus has nowhere else to go that can cover them 😛
[23.03.2013 16:42:13] HRH Prinz Sven Olaf von CyberBunker-Kamphuis MP: i doubt google is stupid enough to take them lol 😛

====================================================================

The Skype chat goes quiet at this point and resumes four weeks later. Narko’s worries about his Skype screen name showing up in a screenshot that eDataKing posted to an anti-spam forum turn out to be warranted: it is this very screenshot that authorities in the United Kingdom later use to track him down and arrest him.

In April 2013, Kamphuis is arrested in Spain and eventually sent back to the Netherlands, where he is currently on trial. He publicly denies being involved in launching the attacks on Spamhaus.

Narko was a juvenile when he was arrested by the U.K.’s National Crime Agency (NCA); when the NCA raided Narko’s home, they found his computer still logged in to crime forums, and they seized £70,000 from his bank account (believed to be payments for DDoS attacks). Narko later pleaded guilty to coordinating the attacks, but because of his age and in return for cooperating with the NCA he avoided a jail term.

[26.04.2013 18:36:32] Hephaistos: guys
[26.04.2013 18:36:49] Hephaistos: I just got noticed in the news that sven got arrested
[26.04.2013 18:39:39] ??????? ?????: where in the new
[26.04.2013 18:39:39] ??????? ?????: news
[26.04.2013 18:40:40] Hephaistos: http://translate.google.be/translate?sl=nl&tl=en&u=http%3A%2F%2Fwww.telegraaf.nl%2Fbinnenland%2F21518021%2F__Nederlander_aangehouden_in_Spanje_vanwege_cyberaanvallen__.html
[26.04.2013 18:40:43] Hephaistos: dutch news
[26.04.2013 18:45:05] Hephaistos: his large-scale DDoS attacks last month were also performed on Spamhaus partners in the Netherlands, the United States and Great Britain. The attackers were using fake IP addresses. As yet, no evidence that the cyber attack on Spamhaus related to the attacks are later deployed to include banks, payment system iDeal and DigiD. The house of the suspect, who lives in Barcelona, is examined. Is expected to K. transferred to the Dutch Public Prosecution Service.
[26.04.2013 19:12:40] Hephaistos: http://translate.google.be/translate?sl=nl&tl=en&u=http%3A//www.om.nl/actueel/nieuws-persberichten/@160856/nederlander/
[26.04.2013 19:18:48] The STOPhaus Movement: I thought something was wrong
[26.04.2013 19:19:02] The STOPhaus Movement: is he arrested or just being searched and forensics?
[26.04.2013 19:19:13] Hephaistos: arrested
[26.04.2013 19:19:19] The STOPhaus Movement:
[26.04.2013 19:19:21] Hephaistos: as far as I can see.
[26.04.2013 19:19:33] Hephaistos: it goes off in twitter
[26.04.2013 19:19:39] The STOPhaus Movement: everyone else is ok though right?
[26.04.2013 19:19:45] Hephaistos: on irc anonops there is a channel #freecb3rob
[26.04.2013 19:19:54] Hephaistos: https://twitter.com/freecb3rob
[26.04.2013 19:20:06] Hephaistos: well I have not seen Narko for 2 days.
[26.04.2013 19:20:16] The STOPhaus Movement:
[26.04.2013 19:20:27 |changed 19:20:34] The STOPhaus Movement: we need an update from him
[26.04.2013 19:20:59] The STOPhaus Movement: narko is never offline that long
[26.04.2013 19:21:26] Hephaistos: thing is that I cannot connect to his irc server either.
[26.04.2013 19:21:56] The STOPhaus Movement: I thought anonops was talking shit about Sven promoting CB via STOP when I saw the chatroom?
[26.04.2013 19:22:12 | changed 19:22:22] The STOPhaus Movement: Now there is a channel. I am glad, but that’s some flip-flop stuff right there
[26.04.2013 19:22:14] Hephaistos: well I created the channel
[26.04.2013 19:22:22] Hephaistos: if they have a problem with me .. bring it on
[26.04.2013 19:22:22] The STOPhaus Movement: oh ok
[26.04.2013 19:22:29] The STOPhaus Movement: lulz
[26.04.2013 19:22:40] The STOPhaus Movement: Self-righteous assholes
[26.04.2013 19:28:44] Cali: Sven from cb3rob has been arrested.
[26.04.2013 19:40:19] Hephaistos: Sven = cb3rob
[26.04.2013 19:40:47] Cali: yeah
[26.04.2013 19:40:49] Cali: so he’s been stopped
[26.04.2013 19:40:52] Cali: in Spain.
[26.04.2013 19:40:57] Hephaistos: yes
[26.04.2013 19:41:05] NM: Is it truth? Not fake?
[26.04.2013 19:41:13] Cali: it is in dutch news.
[26.04.2013 19:41:16] Hephaistos: it is truth
[26.04.2013 19:41:21] Hephaistos: and all over twitter
[26.04.2013 19:43:13] Hephaistos: https://twitter.com/search?q=%23freecb3rob&src=hash
[26.04.2013 20:27:00] Hephaistos: http://www.ibtimes.co.uk/articles/461848/20130426/spamhaus-suspect-arrests-spain-kamphuis.htm
[26.04.2013 20:29:30] Yuri: heh.
[26.04.2013 20:30:07] Hephaistos: On twitter “Sven Olaf Kamphuis #freecb3rob possible source behind
record braking 300gbps #DDos arrested. #Anonymous will now try and break that record!”
[26.04.2013 20:32:31] Cali: So, it has made some PR for spamhaus.
[26.04.2013 20:32:37] Cali: that sucks.
[26.04.2013 20:34:06] Hephaistos: negative is still good.
[26.04.2013 20:34:36] Cali: this information has gone to press and media.
[26.04.2013 20:34:48] Cali: thus to the people
[26.04.2013 20:34:58] Hephaistos: well once they read what stophaus is.
[26.04.2013 20:35:05] Cali: who are at 90% dumb.
[26.04.2013 20:35:09] Hephaistos: true
[26.04.2013 20:35:14] Hephaistos: You got a point there
[26.04.2013 20:35:15] Cali: So now that make them think that spamhaus is doing well.
[26.04.2013 20:41:22] Hephaistos: pastebin.com/qzhcE1nV
[26.04.2013 20:41:25] Hephaistos: more badnews
[26.04.2013 20:41:56] Cali: Who has written that?
[26.04.2013 20:42:09] Hephaistos: I have no idea.
[26.04.2013 20:42:23] Hephaistos: its over the news everyone is freaking out
[26.04.2013 20:42:25] Cali: It seems to have be written by a 12 years old.
[26.04.2013 20:42:31] Cali: been*
[26.04.2013 20:42:52] Hephaistos: correct, seems like a trol to me. But tell that to the media
[26.04.2013 20:43:03] Hephaistos: and the 90% dumb people
[26.04.2013 20:43:09] Cali: Also I don’t understand.
[26.04.2013 20:43:23] Cali: How is it possible to get such reflection in media by posting something on pastebin?
[26.04.2013 20:43:37] Cali: So if I post that I am going to attack the U.S on pastebin, I would be in the news?
[26.04.2013 20:43:58] Hephaistos: Well, thing is that people think that banks will be ddosed and cannot get their
money. So their hoping that there will be a bankrun.
[26.04.2013 20:44:45] Cali: It is very doubtful that DDoSing the website of a bank will prevent the bank from operating.
[26.04.2013 20:46:45] Hephaistos: it will cost the bank money
[26.04.2013 20:47:32] Cali: Maybe to crap bank.
[26.04.2013 20:48:07] Cali: it will be insignifiant
[26.04.2013 20:48:11] Cali: insignificant.
[26.04.2013 18:21:36] Erik Bais: http://www.om.nl/actueel/nieuws-persberichten/@160856/nederlander/
[26.04.2013 18:26:15] Yuri: wtf
[26.04.2013 18:26:42] Yuri: is that about sven?
[26.04.2013 18:26:53] Erik Bais: looks like it.
[26.04.2013 18:27:03] NM: what does it mean?)))
[26.04.2013 18:28:17] Yuri: looks like some new that somebody got arrested becouse of some attacks of spamhaus…
heh… looks spamhaus has long hands.
[26.04.2013 18:29:49] Yuri: not so fine.
[26.04.2013 18:31:11] Yuri: afk
[26.04.2013 18:31:44] Yuri: Eric, can you call Sven and check if he is available?
[26.04.2013 18:31:55] Erik Bais: yes.
[26.04.2013 18:32:30] Erik Bais: I also just asked Twisted on Skype. he didn’t knew about it..
He hasn’t spoken to him yet today (he did yesterday) ..
[26.04.2013 18:33:59] Erik Bais: his spanish nr is not working (I get a message in spanish .. ) could be because the number is off.
[26.04.2013 21:51:16] Erik Bais: http://pastebin.com/qzhcE1nV
[26.04.2013 21:51:51] Erik Bais: http://www.telegraaf.nl/binnenland/21518021/__Arrest_NL_er_cyberaanvallen__.html
[26.04.2013 21:52:11] Erik Bais: http://tweakers.net/nieuws/88767/nederlander-opgepakt-voor-ddos-aanvallen-spamhaus.html
[26.04.2013 21:53:32] Erik Bais: http://krebsonsecurity.com/2013/04/dutchman-arrested-in-spamhaus-ddos/
[26.04.2013 21:53:50] Yuri: shit is going on..
[26.04.2013 21:56:17] Erik Bais: where did the pastbin thing came from ? Any idea ?
[26.04.2013 22:02:14] Yuri: don’t know
[26.04.2013 22:02:46] Yuri: may be we should use other system for chat?
[26.04.2013 22:18:07] Erik Bais: they have taken all his phones, data carriers and servers / computers located in Spain..
[26.04.2013 22:18:24] WebExxpurts: what is patebin
[26.04.2013 22:18:25] WebExxpurts: pastebin
[26.04.2013 22:18:39] Erik Bais: [26 April 2013 21:51] Erik Bais: <<< http://pastebin.com/qzhcE1nV
[26.04.2013 22:18:50] WebExxpurts: i mean who created that?
[26.04.2013 22:19:21] Erik Bais: no idea. I got it pasted from someone.. and it is also linked in various media outings on the Netherlands.
[26.04.2013 22:20:27] WebExxpurts: who is someone? that is interested
[26.04.2013 22:20:33] WebExxpurts: what sven did?
[26.04.2013 22:20:53] WebExxpurts: nonsense reports
[26.04.2013 22:21:20] Erik Bais: I got it from Xennt
[26.04.2013 22:21:45] Erik Bais: the owner of Cyberbunker. he got it linked by someone (I don’t know who. )
[26.04.2013 22:24:55] WebExxpurts: i m sure that sven is mistaken identity and authority have made mistake

====================================================================

To my knowledge, nobody else associated with this attack has been arrested or brought to justice. This chat log is fascinating because it highlights how easy it has been and remains for cybercriminals to commit massively disruptive attacks and get away with it.

These days, some of the biggest and most popular DDoS attack resources are in the hands of a few young men operating DDoS-for-hire “booter” or “stresser” services that in some cases accept both credit cards and PayPal, as well as Bitcoin. An upcoming investigation to be published soon by KrebsOnSecurity will provide perhaps the most detailed look yet at this burgeoning and quite profitable industry. Stay tuned!

Further reading (assuming your eyes still work after this wall of text):

The Guardian: The Man Accused of Breaking the Internet

The Daily Beast: Yeah, We Broke the Internet: The Inside Story of the Biggest Attack Ever

Also, if you enjoy reading this kind of thing, you’ll probably get a kick out of Spam Nation.

Update, 7:40 p.m. ET: Corrected reference to NANAE anti-spam list.

KickassTorrents Crew Ask For Donations to Rebuild The Site

Post Syndicated from Ernesto original https://torrentfreak.com/kickasstorrents-crew-ask-for-donations-to-rebuild-the-site-160811/

With an active community and millions of regular visitors, KickassTorrents (KAT) was much more than a site to leech the latest torrents from.

Many considered it to be their virtual home where they gathered with friends on a daily basis.

This ended abruptly last month. When the site’s alleged operator was arrested following a criminal investigation of the U.S. Government, the official site went down with him.

While it’s unlikely that the original site will return anytime soon, a group of KAT-crew members have been working hard to keep the community together.

Within a few days a new forum was launched at Katcr.to, supported by several high-ranking moderators of the original site. In the weeks that followed, thousands of members returned to the community, which now has plans to expand.

The site started a fundraising campaign asking for money to repair and rebuild the “authentic KAT site code.” The team is accepting donations through PayPal and a Gofundme campaign, hoping to collect several thousand dollars.

“This site we now inhabit is costing money: Money that a few individuals put up to ensure the survival of this Community. This is still not the Kat we all remember but on a daily basis it is getting closer,” Johnno23 says.

Katcr.to fundraiser

The big question is whether this means that the torrent download and upload functionality will be returned to its former glory. For the time being, this appears to be one of the long-term goals.

To find out more, TorrentFreak spoke with Mr. Gooner, aka the President, a long-time KAT-crew member and one of the top admins at the original site.

Mr. Gooner explains that many of the original site staffers have returned to the community, but that funds are needed to develop and maintain it during the months to come.

While the initial focus will be on the community element, torrents are expected to return as well in the future.

“At this stage, it very much depends on pending legal action and rulings in regards to the legality of torrents in the US. However the community can be reassured that in one way or another, KAT will return to its former glory,” Mr. Gooner says.

That said, fully restoring the old site with the original database is not an option at this moment.

The site administrators and crew, all regular users at one point, were clearly separated from the people who technically and financially ran the site. This means that the people in charge of Katcr.to don’t have access to the original code and data.

“It is our understanding that the databases have been secured in such a way that the information inside would become useless if an unauthorised attempt was made to access them,” Mr. Gooner says.

So, if torrent sharing is added to the current community site, it has to be coded by new people. This will take time and money, obviously, and the current crew is not certain if that will happen anytime soon.

Fundraisers are always welcomed with a healthy dose of scepticism, which is no different this time around.

From the information we have gathered so far, it’s safe to say that people shouldn’t expect the original KAT functionality to be restored fully in the near future.

In that regard, Mr. Gooner and others still encourage people to continue uploading in the meantime, even when that’s on other torrent sites.

“Run those seedboxes and torrent clients 24/7 where possible. Just because uploading stopped at KAT we are all still pirates and we will always encourage uploading,” he says.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Russia Plans Social Media Piracy Crackdown

Post Syndicated from Andy original https://torrentfreak.com/russia-plans-social-media-piracy-crackdown-160810/

Despite a reputation for not doing enough to thwart online piracy, Russian authorities have become unusually keen to make amends in recent years.

Site-blocking, for example, is now a common occurrence, with sites that infringe multiple times being subjected to a permanent lifetime injunction, actioned by local ISPs.

But while users continue to flock to torrent sites and streaming portals, copyright holders and local authorities are concerned that social networking platforms are a potentially more serious threat.

In many cases, users are allowed to upload content at will, thereby creating huge libraries of infringing material, a serious headache for copyright holders.

To tackle this problem, authorities and entertainment industry groups are now in the process of drafting fresh legislation aimed at those social media platforms that allow users to upload content.

According to Izvestia, the Ministry of Culture and groups including the National Federation of the Music Industry (NFMI) and the Association of Producers of Cinema and Television (APKIT) believe that a change in the law will make it harder for social platforms to evade liability.

Under Article 1253.1 of the Civil Code, social media sites are considered “information brokers”, meaning that sites like vKontakte (Russia’s Facebook) can avoid being held liable for infringing content uploaded by their users.

Rightsholders would like that legislation to be removed or rewritten in a way that would provide them with more useful options to enforce their intellectual property rights.

Also under consideration are changes to the law that would further punish sites that have already been ordered to be blocked by the Moscow City Court. Currently, local ISPs put Internet blockades in place, but rightsholders foresee a situation where the finances of infringing sites are put under pressure too.

On the table are proposals to ban those sites from carrying advertising. In the West, advertisers are working on voluntary schemes that aim to keep their funding away from ‘pirate’ sites but it appears that Russia is considering enshrining those principles into law.

Additionally, rightsholders are asking for sites that run on a subscription basis to be forbidden from accepting payments from their users. Again, voluntary agreements with companies such as Visa, MasterCard and PayPal are already in place in the United States and Europe, but legislation could compel Russian companies to comply.

Also continuing its path through the system is another bill designed to tackle the rise of so-called mirrors, sites that crop up after a site is blocked in order to facilitate access to the same content.

The draft bill, which also proposes an obligation to have search engines strip content from results and measures to tackle VPNs and proxies, has already been sent to the Ministry of Communications.

The Reincarnation of a Bulletproof Hoster

Post Syndicated from BrianKrebs original https://krebsonsecurity.com/2016/08/the-reincarnation-of-a-bulletproof-hoster/

In April 2016, security firm Trend Micro published a damning report about a Web hosting provider referred to only as a “cyber-attack facilitator in the Netherlands.” If the Trend analysis lacked any real punch that might have been because — shortly after the report was published — names were redacted so that it was no longer immediately clear who the bad hosting provider was. This post aims to shine a bit more light on the individuals apparently behind this mysterious rogue hosting firm — a company called HostSailor[dot]com.

The Trend report observes that the unnamed, Netherlands-based virtual private server (VPS) hosting provider appears to have few legitimate customers, and that the amount of abuse emanating from it “is so staggering that this company will remain on our watchlist in the next few months.”

What exactly is the awfulness spewing from the company that Trend takes great pains not to name as HostSailor.com? For starters, according to Trend’s data (PDF), HostSailor has long been a home for attacks tied to a Russian cyber espionage campaign dubbed “Pawn Storm.” From the report:

“Pawn Storm seems to feel quite at home. They used the VPS hosting company for at least 80 attacks since May 2015. Their attacks utilized C&C servers, exploit sites, spear-phishing campaigns, free Webmail phishing sites targeting high profile users, and very specific credential phishing sites against Government agencies of countries like Bulgaria, Greece, Malaysia, Montenegro, Poland, Qatar, Romania, Saudi Arabia, Turkey, Ukraine, and United Arab Emirates. Pawn Storm also uses the VPS provider in the Netherlands for domestic espionage in Russia regularly.”

“Apart from Pawn Storm, a less sophisticated group of threat actors called DustySky (PDF link added) is using the VPS provider. These actors target Israel, companies who do business in Israel, Egypt and some other Middle Eastern governments.”

WHO IS HOSTSAILOR?

Trend’s report on HostSailor points to a LinkedIn profile for an Alexander Freeman at HostSailor who lists his location as Dubai. HostSailor’s Web site says the company has servers in The Netherlands and in Romania, and that it is based in Dubai. The company first came online in early 2013.

Ron Guilmette, an anti-spam researcher who tipped me off to the Trend report and whose research has been featured several times on this blog, reached out to Freeman via email. Guilmette later posted at the Ripe.net mailing list the vitriolic and threatening response he said he received in reply.

A snippet from the response that Guilmette said he received from a HostSailor employee named Alexander Freeman.

Perhaps Mr. Freeman’s ire was previously leveled at Trend Micro, which could explain its redaction of the name “HostSailor” from its report. A spokesperson for Trend Micro declined to explain why the company redacted its own report post-publication, saying only that “at the time of publication, we were following our standard disclosure protocol.”

In any case, I began to suspect that “Alexander Freeman” was just a pseudonym (Trend noted this suspicion in its report as well). In combing through the historic WHOIS registration records for the domain hostsailor.com, I noticed that the domain name changed hands sometime in late 2012. Sure enough, a simple Google search popped up this thread at Webhostingtalk.com back in Dec. 2012, which was started by a Jordan Peterson who says he’s looking to sell hostsailor.com.

Contacted by KrebsOnSecurity, Mr. Peterson said the person who responded about purchasing the domain was named Ali Al-Attiyah, and that this individual used the following email addresses:

ali.alattiyah@yahoo.com
ali.alattiyah@mail.com
hostsailor@hush.com

“I remember Ali telling me he didn’t have a paypal so a friend sent me the money for the domain, I looked up the paypal info for you and [Ali’s friend’s] name is Khalid Cook, masrawyz@yahoo.com,” Peterson told me. “The legal information for the domain transfer was given as:

152-160 City Road
London ec1v 2nx
UK”

That street address corresponds to a business named “yourvirtualofficelondon.co.uk,” which offers call answering services for companies that wish to list a prestigious London address without actually having a physical presence there.

Ali Al-Attiyah is listed as the official registrant of hostsailor.com and several other very similar domains. More interesting, however, is the email address given for Mr. Khalid Cook: masrawyz@yahoo.com. According to a “reverse WHOIS” search ordered from DomainTools.com, that Yahoo email address was used in the original registration records for exactly one domain: santrex.net.

Santrex (better known on Webhostingtalk.com as “Scamtrex“) was an extremely dodgy “bulletproof hosting” company — essentially a mini-ISP that specializes in offering services that are largely immune from takedown requests and pressure from Western law enforcement agencies. At the time, Google’s Safebrowsing database warned that almost 90 percent of the sites on Santrex’s network were attempting to foist malicious software on visitors or were hosting malware used in online attacks.

Santrex was forced out of business in early 2013, after the company’s core servers were massively hacked and the PayPal and credit card accounts it used to accept payments from customers were reportedly seized by unknown parties. In its final days as a hosting provider, Santrex’s main voice on Webhostingtalk.com — a user named “khalouda” — posted many rants that eerily echo the invective leveled at Guilmette by HostSailor’s Mr. Freeman.

Google’s take on the world’s most densely malicious networks over the past 12 months.

WHO IS KHALID COOK?

I began to suspect that Khalid Cook may also be a pseudonym. A few minutes of digging online unearthed this February 2013 Santrex profile at gidforums[dot]net, which states that Santrex first appeared in 2001 as a hosting company called connectpower[dot]net.

Alas, the original WHOIS registration records for connectpower[dot]net indicate that it was registered November 2001 to a Khalid Hemida, an individual who gave a physical address in Egypt and the email address botland@masrawy.com. This archive.org cache of connectpower[dot]net’s “Staff” page seems to confirm the organization’s presence in Egypt, saying ConnectPower customers living in Egypt can pay through one of the staff members, in cash. This page also reveals Hemida’s ICQ number.

ConnectPower’s Web site in 2003.

A Google search on Khalid Hemida turns up at least two different connectpower[dot]net business listings which include the email address khalidhemida@hotmail.com, and which claim the Web site “botland.org.”

That Hotmail address appears to have been used to register a Facebook account for a user from Doha, Qatar who registered under the name Khalid Hemida but who is now using the name “Karam Khalid.” The account’s profile picture apparently was lifted from an issue of BusinessWeek, according to the image search service Tineye.com. A different Khalid Hemida account on Facebook belongs to an older individual who says he’s from Egypt and that his current town is Dubai.

But what of that “botland” reference — both the botland@masrawy.com address claimed by Hemida and the domain botland[dot]org? This cached page of botland[dot]org recorded by the Internet Archive in June 2011 references “an automated BotLending Channel,” run by at least four main users from Romania.

Botland was a channel on Undernet, a vast sea of text-based communities called Internet Relay Chat (IRC) networks. Botland was a place where people could download special bots designed to manage users and preserve order on an IRC server, but mainly to guard the channel from being hijacked by other users or bots. The reason I mention it is that Undernet in 2001 would have been the perfect place to meet new customers seeking dodgy Web hosting businesses.

To bring this full circle back to the Trend Report: I should note that if HostSailor is being truthful about where the company is incorporated — in Dubai — then it has long been facilitating the aforementioned Pawn Storm cyber espionage attacks against its own host country. For that reason, I imagine some government authorities within the United Arab Emirates might be interested in looking more closely into HostSailor and its operations.

For the record, I requested comment from HostSailor and from the various addresses listed in this story for Messrs. Freeman, Cook and Hemida. I’ll update this story in the event that any of these pings generate a reply.

UK Government Expands Crackdown on Online Piracy

Post Syndicated from Andy original https://torrentfreak.com/uk-government-expands-crackdown-on-online-piracy-160510/

In various publications and reports in recent months, the UK has been described as a world leader in intellectual property enforcement. Indeed, news of various operations and dozens of arrests carried out by the Police Intellectual Property Crime Unit (PIPCU) have regularly appeared in the media.

This morning the UK Government has announced that it intends to build on this reputation with the publication of a new strategy titled Protecting Creativity, Supporting Innovation: IP Enforcement 2020.

The document outlines a four-year strategy which aims to provide an environment in which UK rightsholders have access to “proportionate and effective mechanisms to resolve disputes and tackle IP infringement” both at home and overseas.

The strategy has six key points, with reducing the level of illegal online content placed at the top of the list and strengthening the law closely after. The government also wants to increase its educational programs with the aim of building respect for intellectual property.

A significant emphasis on dealing with online infringement sees the government focus on a number of key areas, from those sharing files online to the sites facilitating infringement. Search engines also come under the spotlight.

Interestingly, the main points are all framed at helping the consumer to both recognize and then avoid copyright infringing websites.

Notice and takedown, notice and trackdown

Given the Copyright Office DMCA review currently underway in the United States, it’s no surprise to find a review of notice and takedown procedures heading the list in the UK. The government says that it wants to “improve and streamline the process” while considering the scope for introducing a Code of Practice for intermediaries.

More controversially, the four-year strategy also includes the possibility of introducing a system of “notice and trackdown” which would enable rightsholders to not only send notices but also take action directly against identified infringers.

Safe harbor (or platform liability as its referred to in the report) will come under the spotlight as well, with the government seeking clarification from the EU on current rules.

Dealing with pirating Internet users

On top of the “notice and trackdown” elements detailed above (presumably for the minority who post infringing links on websites etc), the report envisions effort being placed on encouraging consumers to buy from legitimate sources. Mainly, this will be achieved through the long-delayed warning notice system under development at ISPs.

“This government will also build on progress made under our voluntary anti-piracy projects to warn internet users when they are breaching copyright and work to ensure that search engines do not link to the worst-offending sites. This is in recognition of the fact that the clear majority of consumers want to do the right thing, to abide by the law and support our creative industries,” says Minister for Intellectual Property Baroness Neville-Rolfe.

“Helping those consumers to understand what is, and is not, allowed online, and helping guide them to legal content when they search, will help ensure that the vast appetite that exists for new and creative content benefits the legitimate creators, and not those criminals who cynically exploit the hard work of others.”

To help users make the right choice, the government is promising to give more support to industry initiatives such as FindanyFilm.com and the GetitRight campaign while encouraging education campaigns focused on children and students.

“We will work with intermediaries, rights holders and trade bodies to highlight all the UK’s legal sources of content,” the government says.

Targeting pirate sites, services, and their operators

In addition to honing the existing Infringing Website List (IWL), emphasis will be placed on depriving sites of their income via the “Follow the Money” approach and reducing the numbers of visitors they currently enjoy.

“We will continue to work with brand advertisers, advertising intermediaries and law enforcement partners to highlight the value of the IWL and will support groups such as the Digital Trading Standards group (DTSG) in promoting their UK good practice principles,” the report notes.

Existing efforts to deprive sites of the ability to process funds will be maintained, with the government promising to seek commitments from payment processors such as PayPal, MasterCard and VISA to make it easier for services to be declined following complaints from law enforcement.

Of course, no “pirate site” strategy would be complete without the inclusion of a blocking regime and as expected the UK government leaves no stone unturned.

“This government has also pledged to protect intellectual property by continuing to require internet service providers to block sites that carry large amounts of illegal content, including their proxies,” Baroness Neville-Rolfe explains.

“The UK has a good track record in the development of injunctive relief for online infringement, but this is something that must be preserved, and even enhanced to cope with the sheer numbers of infringing websites that spring up every month, and the new business models they employ.”

The government further sees an opportunity to make the blocking process easier to access for smaller businesses.

“We will continue our work to support businesses of any size to navigate and utilize the civil court system by improving the guidance that is currently available, including guidance on the minimum levels of evidence required for website blocking orders, and by ensuring that court judgments and cases are published on a regular and consistent basis,” the report reads.

The UK also sees potential for cooperation with the EU on injunctions; more on that in a moment.

Interestingly, it appears that ‘pirate’ set-top streaming boxes have rightsholders and by extension the government pretty rattled. They get a special mention in the report with the government noting that a greater understanding of the challenges they present is required. Furthermore, the report says that the government will consider what kind of new legislation might be needed to tackle them.

Search engines and social media

According to the report, the government will work with search engines and social media platforms to reduce the availability of infringing content. This will include a review of their current “notice and takedown” procedures and see the government considering the options for rightsholders to challenge infringers under “notice and trackdown” as detailed above.

The review process will also determine whether Codes of Practice are required for platforms including Google, Facebook and Twitter.

Overseas cooperation

While there are issues locally, the government sees the piracy problem as one to be solved cooperatively on an international basis. To this end there will be requests to partners overseas to carry out “domain and hosting enforcement action” when UK interests are at stake.

“This will include exploring with European colleagues the options for mutual recognition of the evidence required for injunctions and court orders in various member states,” the report reads.

This item is of particular interest since around 1,000 ‘pirate’ sites are already blocked by injunction in the UK. Streamlining the process EU-wide would be a major bonus for rightsholders.

The UK Government’s four-year IP enforcement strategy can be found here (pdf)

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Portugal Blocks 330 Pirate Sites in Just Six Months

Post Syndicated from Andy original https://torrentfreak.com/portugal-blocks-330-pirate-sites-in-just-six-months-160430/

One of copyright holders’ most-favored anti-piracy mechanisms in place today involves site-blocking. Censoring sites at the ISP level is effective, rightsholders insist, not to mention cheaper than direct legal action against pirate sites.

In most countries where site-blocking is already in place, authorities have previously determined that the legal system must be involved. In the UK, for example, existing legislation was deemed to offer rightsholders the tools they need. Australia, on the other hand, decided to introduce legal amendments to keep things on the straight and narrow.

Portugal decided to take a different approach, one that simply involved an agreement between rightsholders, ISPs and the government. Now, if a site is considered to be illegal by these parties, it can be blocked without stepping into a courtroom.

For copyright holders it’s the Holy Grail and they’re taking full advantage of the new system. This week during a conference in the capital, Lisbon, the Portuguese Association for the Protection of Audiovisual Works revealed the extent of the program and it’s as critics feared.

Executive Director Antonio Paulo Santos reported that Portugal is now blocking a vast range of file-sharing and related sites, offering everything from movies, TV shows and music to streaming sports and books. In total more than 330 sites are now being blocked by local Internet service providers.

The rate of blocking is unprecedented. In October 2015 more than 50 sites were blocked by ISPs, including KickassTorrents, ExtraTorrent, Isohunt and RARBG. The following month another 40 were added, including BitSnoop, YourBitorrent, SeedPeer, Torlock and Torrentfunk.

Since then another 240 sites have been quietly added to the list. This rapid growth means that along with the United Kingdom and Italy, Portugal is already a world leader in pirate site blockades. All this has been achieved without ever going near a courtroom.

It is this kind of voluntary agreement that Hollywood and the major record labels are pushing for internationally, whether they’re with Internet service providers, domain registries or companies such as PayPal, Visa and Mastercard. The process in Portugal ticks all the right boxes for the entertainment companies so expect it to be championed elsewhere.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Kim Dotcom Warns Mega Users to Backup Their Files

Post Syndicated from Andy original http://feedproxy.google.com/~r/Torrentfreak/~3/X3Fpj-PkE74/

In 2012, a combined effort by the United States and New Zealand governments brought Kim Dotcom’s Megaupload empire to its knees. Coordinated raids in multiple locations carried out by heavily armed officers ensured that a clear message was sent to copyright infringers.

But despite the overwhelming show of force, Dotcom refused to lie down and just a year later he launched a brand new file-hosting service. Known simply as ‘Mega’, the platform launched to great fanfare in 2013.

Mega quickly became a force to be reckoned with in the hosting market, with Dotcom promoting the platform at every turn. Nevertheless, controversy was never far away.

In September 2014, Mega was branded a “piracy haven” in a Digital Citizens Alliance report into the activities of “shadowy cyberlockers.”

As a direct consequence and under pressure from the U.S. government, in early 2015 PayPal stopped processing payments for Mega. There can be little doubt that hurt the site.

But behind the scenes other matters were becoming a distraction. In May 2015, Mega’s bid for a stock listing fell through and just two months later Dotcom’s earlier praise for the company turned sour.

“Mega has experienced a hostile takeover and is no longer in the control of people who care about Internet Freedom. The New Zealand Government and Hollywood have seized a significant share of the company,” Dotcom told TorrentFreak.

“The combined shares seized by the NZ government and Hollywood were significant enough to stop our listing on the New Zealand stock exchange.”

Dotcom had already resigned as a director of Mega in September 2013 but now he was publicly warning people against using the site.

Today Dotcom repeated those calls, warning users of Mega over what he sees as the precarious position of the company.

“Mega had to survive without a credit card payment processor for almost 2 years now. The air is getting thin. Backup your Mega files,” he told users via Twitter.

But while a lack of payment processing options certainly won’t be helping Mega, Dotcom sees more danger in the reported controller of Mega, Chinese national and New Zealand citizen Bill Liu.

Back in 2009, Liu made headlines when it was revealed that despite being wanted for fraud in China, he was granted citizenship in New Zealand. Now it’s been revealed by kiwi Prime Minister John Key that Liu is ranked number five on China’s “Top 100” extradition list.

“I haven’t seen the list, but there is a list,” Key said.

“They’ve also put out a list worldwide of the Top 100. Bill Liu is number five on it,” he said of the Chinese government.

New Zealand police have already seized millions of dollars of assets that are believed to belong to Liu, including some held in Mega, although Liu denies all wrongdoing. Dotcom, however, remains unconvinced.

“The 5th most wanted criminal in China is in control of Mega and he wants to float the business in HK? Good luck,” he said this morning.

As these situations go, the short history of Mega is utterly unique. Never before has a platform in the file-sharing space had two entrepreneurs each worth millions of dollars being pursued for extradition by two of the world’s most powerful governments for entirely different reasons.

It’s currently very late evening in New Zealand so we’re not expecting an immediate response from Mega to our requests for comment. We’ll add them here as soon as they arrive.

Update: Statement from Mega chairman Stephen Hall

“Mega has significant funding and strong support from shareholders so its financial position is certainly not precarious. Dotcom’s comment is factually incorrect and the motive is unknown,” Hall informs TF.

“Mega continues to experience strong growth which illustrates the global appreciation of the quality of its services. Mr Liu has a shareholding interest but has no management or board position so he certainly doesn’t control Mega.”

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

MPA: We’ve Reached a Turning Point on Piracy

Post Syndicated from Andy original http://feedproxy.google.com/~r/Torrentfreak/~3/8GNVhbvQArs/

After many years of litigation aimed at forcing the world’s largest pirate sites to their knees, the situation on the ground hasn’t changed very much for Hollywood.

Despite having many important legal wins under their belts, almost every single movie is available for immediate download within a few mouse clicks. In fact in some respects the position today is much worse than it was five or even ten years ago.

But while the sites themselves continue largely as before, progress is being made with other players in the Internet ecosystem, a fact recognized by MPA Europe president Stan McCoy as he addressed colleagues in France last week.

“Protecting creativity takes commitment from a whole ecosystem of people and organizations, from theater owners and operators, to technology companies and online service providers, to retailers both large and small, to Internet intermediaries, to law enforcement authorities,” he said.

While relationships with Hollywood are somewhat fragile, Google has indeed made many gestures towards the entertainment industries by helping to make copyright-infringing content harder to find. Payment processors are also doing their part, with Visa, MasterCard and PayPal all trying to stop pirate operations from using their services.

Nevertheless, the overarching message is that Google can always do more and indeed isn’t doing enough. One only has to look at the war of words taking place over the recent Copyright Office DMCA submission process to see that the battle is far from over and more blood is yet to be spilled.

But McCoy appears optimistic and notes that those engaged indirectly in the piracy ecosystem are beginning to come round to Hollywood’s way of thinking that they must together share responsibility to solve the problem.

“I put it to the audience that we may have come to a turning point in our fight against piracy, a point where intermediaries begin to understand that the creative industry does not seek to shy away from its duties and responsibilities – and it really has not – but that instead all players in the ecosystem, which of course includes not only access providers, but also search engines and payment processors amongst others – have a role to play,” he said.

If that is the case then Hollywood has probably come a long way. It certainly isn’t going to solve this problem on its own and having powerful allies on board will certainly help its cause. The emphasis these days is indeed on voluntary cooperation such as warning notices schemes but it’s unclear how much further ISPs are prepared to go and whether the notices even have much effect.

But of course one shouldn’t forget the consumers so it’s no surprise that McCoy had something to say about the European Union Intellectual Property Office (EUIPO) study published last week which found that 38% of young people see nothing morally wrong in piracy.

“What is more staggering is that nearly one in four believed that they were doing nothing wrong in accessing digital content from illegal sources for personal use,” McCoy said.

“Clearly it is important that young people understand that making a film, writing a book or recording a song, the amount of time, effort and investment is more than a passion – it is also someone’s livelihood. Let’s remember that 7 million people work in the creative industry in Europe.”

But what that very same survey also found is that the number one reason (58%) for young people to stop using illegal sources would be the availability of affordable content from legal sources. The MPAA is campaigning heavily at the moment claiming it is doing just that, but there are also clear signs that the EU’s plans to outlaw geo-blocking and open up content EU-wide aren’t sitting well with the studios.

In a posting to his LinkedIn page, McCoy likens Europeans’ distrust of genetically modified food to the EU’s plan to tweak copyright law.

“Many Europeans are skeptical of genetic modification when it comes to foods. Should they also be skeptical of genetic modification of … copyright laws?” he asks.

“With its efforts to institute the Digital Single Market and the recent Proposal for a Regulation on Portability, the European Commission seems intent on tinkering with the DNA of the current copyright law. This could have uncertain results for the 7 million people in Europe’s core creative industries, whose livelihoods depend on the copyright system.”

Pointing to a study financed by the EU Commission itself, McCoy suggests there is no need to outlaw geo-blocking, since all but 10% of people are able to find everything they want online.

“The European Commission should rigorously apply its own better regulation guidelines to all copyright proposals, including ensuring that they are backed by strong evidence,” he adds.

“In cases where the evidence isn’t there, then maybe we should stay away from genetically modified rights … and stick with organic.”

Needless to say, not everyone agrees with his stance.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Encrypt all the things!

Post Syndicated from Mark Henderson original http://blog.serverfault.com/2016/02/09/encrypt-all-the-things/

Let’s talk about encryption. Specifically, HTTPS encryption. If you’ve been following any of the U.S. election debates, encryption is a topic that the politicians want to talk about – but not in the way that most of us would like. And it’s not just exclusive to the U.S. – the U.K. is proposing banning encrypted services, and Australia is similar. If you’re really into it, you can get information about most countries’ cryptography laws.

But one thing is very clear – if your traffic is not encrypted, it’s almost certainly being watched and monitored by someone in a government somewhere – this is the well publicised reason behind governments opposing widespread encryption. The NSA’s PRISM program is the most well known, which is also contributed to by the British and Australian intelligence agencies.

Which is why when the EFF announced their Let’s Encrypt project (in conjunction with Mozilla, Cisco, Akamai and others), we thought it sounded like a great idea.

The premise is simple:

Provide free encryption certificates
Make renewing certificates and installing them on your systems easy
Keep the certificates secure by installing them properly and issuing them according to best practices
Be transparent. Issued and revoked certificates are publicly auditable
Be open. Make a platform and a standard that anyone can use and build on.
Benefit the internet through cooperation – don’t let one body control access to the service

Let’s Encrypt explain this elegantly themselves:

The objective of Let’s Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention.

The process goes a bit like this:

Get your web server up and running, as per normal, on HTTP.
Install the appropriate Let’s Encrypt tool for your platform. Currently there is ACME protocol support for:

Apache (Let’s Encrypt)
Nginx (Let’s Encrypt — experimental)
HAProxy (janeczku)
IIS (ACMESharp)

Run the tool. It will generate a Certificate Signing Request for your domain, submit it to Let’s Encrypt, and then give you options for validating the ownership of your domain. The easiest method of validating ownership is one that the tool can do automatically: it creates a file with a pre-determined, random file name that the Let’s Encrypt server can then fetch and validate.
The tool then receives the valid certificate from the Let’s Encrypt Certificate Authority and installs it onto your systems, and configures your web server to use the certificate
You need to renew the certificate in fewer than 90 days – so you then need to set up a scheduled task (cron job for Linux, scheduled task for Windows) to execute the renewal command for your platform (see your tool’s documentation for this).
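The ownership check and the renewal deadline in the steps above can be made concrete in a few lines. The following is an added example, not code from the Let’s Encrypt project or from this post’s author. It builds the HTTP-01 style key authorization (token plus the RFC 7638 thumbprint of the account key, as RFC 8555 specifies), writes it under /.well-known/acme-challenge/ in a webroot, and then plays the CA’s role by reading that file back and comparing it. Two things are assumptions for the sake of running offline: the “CA” reads the file from disk instead of fetching it over HTTP, and the account key (SAMPLE_JWK) is a constructed placeholder, not a real key. The 30-day renewal threshold is also an assumed, commonly used default; the post only states that renewal must happen within 90 days.

```python
"""ACME HTTP-01 style challenge plus a renewal-window check (added example)."""
import base64
import hashlib
import json
import os
import secrets
import tempfile
from datetime import datetime

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")

# Members RFC 7638 requires in the canonical JWK, per key type (public parts only).
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required members, keys sorted, no whitespace.
    Extra members (alg, kid, ...) and dict ordering do not affect the result."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def new_token() -> str:
    """Random challenge token (in real ACME the CA picks this, not the client)."""
    return b64url(secrets.token_bytes(32))


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' base64url(thumbprint(account key))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def publish_challenge(webroot: str, token: str, account_jwk: dict) -> str:
    """Client side: place the key authorization where the CA will look for it."""
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, account_jwk))
    return path


def validate_challenge(webroot: str, token: str, account_jwk: dict) -> bool:
    """CA side, simulated offline: read the file and compare it with the expected
    key authorization. A missing file, wrong account key or any other mismatch fails."""
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    try:
        with open(path, "r", encoding="ascii") as fh:
            body = fh.read().strip()
    except (OSError, ValueError):
        return False
    return secrets.compare_digest(body, key_authorization(token, account_jwk))


def days_until_expiry(not_after_iso: str, now_iso: str) -> int:
    """Whole days left before the certificate's notAfter date (ISO 8601 inputs)."""
    return (datetime.fromisoformat(not_after_iso) - datetime.fromisoformat(now_iso)).days


def renewal_due(not_after_iso: str, now_iso: str, threshold_days: int = 30) -> bool:
    """What the cron job should ask: renew once fewer than threshold_days remain
    of the 90-day lifetime. 30 days is an assumed, common client default."""
    return days_until_expiry(not_after_iso, now_iso) < threshold_days


# Constructed sample account key: public half only, the modulus is NOT a real key.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(256)))}


def run_demo() -> dict:
    """Walk through publish -> validate, then show the two ways validation fails."""
    with tempfile.TemporaryDirectory() as webroot:
        token = new_token()
        publish_challenge(webroot, token, SAMPLE_JWK)
        valid = validate_challenge(webroot, token, SAMPLE_JWK)
        # A different account key than the one the file was built from must fail.
        other_key = dict(SAMPLE_JWK, n=b64url(b"constructed-other-modulus"))
        wrong_key = validate_challenge(webroot, token, other_key)
        # A token the client never published must fail too.
        missing = validate_challenge(webroot, new_token(), SAMPLE_JWK)
    return {"valid": valid, "wrong_key": wrong_key, "missing": missing,
            "token_len": len(token)}


if __name__ == "__main__":
    print(run_demo())
    # Constructed dates: a 90-day certificate issued 2016-02-09 expires 2016-05-09.
    print(days_until_expiry("2016-05-09T00:00:00", "2016-04-15T00:00:00"),
          renewal_due("2016-05-09T00:00:00", "2016-04-15T00:00:00"))
```

The constant-time comparison on the CA side is not strictly needed for a public token, but it is the habit to keep for any secret-bearing comparison. The thumbprint canonicalisation is the part worth noticing: the same key presented with members in a different order, or with extra members such as alg, must produce the same thumbprint, otherwise the client and CA would disagree about the key authorization.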

And that’s it. No copy/pasting your CSR into poorly built web interfaces, or waiting for the email to confirm the certificate to come through, or hand-building PEM files with certificate chains. No faxing documents to numbers in foreign countries. No panicking at the last minute because you forgot to renew your certificate. Free, unencumbered, automatically renewed, SSL certificates for life.

Who Let’s Encrypt is for

People running their own web servers.

You could be small businesses running Windows SBS server
You could be a startup offering a Software as a Service platform
You could be a local hackerspace running a forum
You could be a highschool student with a website about making clocks

People with a registered, publicly accessible domain name

Let’s Encrypt requires some form of domain name validation, whether it be a file it can probe over HTTP to verify your ownership of the domain name, or creating a DNS record it can verify
Certificate Authorities no longer issue certificates for “made-up” internal domain names or reserved IP addresses

Who Let’s Encrypt is not for

Anyone on shared web hosting

Let’s Encrypt requires the input of the server operator. If you are not running your own web server, then this isn’t for you.

Anyone who wants to keep the existence of their certificates a secret

Every certificate issued by Let’s Encrypt is publicly auditable, which means that if you don’t want anyone to know that you have a server on a given domain, then don’t use Let’s Encrypt
If you have sensitive server names (such as finance.corp.example.com), even though it’s firewalled, you might not want to use Let’s Encrypt

Anyone who needs a wildcard certificate

Let’s Encrypt does not issue wildcard certificates. They don’t need to – they offer unlimited certificates, and you can even specify multiple Subject Alternative Names on your certificate signing request
However, you may still need a wildcard if:

You have a lot of domains and can’t use SNI (I’m looking at you, Android 2.x, of which there is still a non-trivial number of users)
You have systems that require a wildcard certificate (some unified communications systems do this)

Anyone who needs a long-lived certificate

Let’s Encrypt certificates are only valid for 90 days, and must be renewed prior to then. If you need a long-lived certificate, then Let’s Encrypt is not for you

Anyone who wants Extended Validation

Let’s Encrypt only validates that you have control over a given domain. It does not validate your identity or business or anything of that nature. As such you cannot get the green security bar that displays in the browser for places like banks or PayPal.

Anyone who needs their certificate to be trusted by really old things

If you have devices from 1997 that only trust 1997’s list of CAs, then you’re going to have a bad time
However, this is likely the least of your troubles
Let’s Encrypt is trusted by:

Android version 2.3.6 and above, released 2011-09-02
Firefox version 2.0 and above, released 2006-10-24
Internet Explorer on Windows Vista or above (For Windows XP, see this issue), released 2007-01-30
Google Chrome on Windows Vista or above (For Windows XP, see this issue), released 2008-08-02
Safari on OSX v4.0 or above (Mac OSX 10.4 or newer), released 2005-04-29
Safari on iOS v3.1 or above, released 2010-02-02

However, these are mostly edge cases, and if you’re reading this blog post, then you will know if they apply to you or not.

So let’s get out there and encrypt!

The elephant in the room

“But hang on!”, I hear the eagle-eyed reader say. “Stack Overflow is not using SSL/TLS!” you say. And you would be partly correct.

We do offer SSL on all our main sites. Go ahead, try it:

https://stackoverflow.com/
https://serverfault.com/
https://meta.stackexchange.com/

However, we have some slightly more complicated issues at hand. For details about our issues, see the great blog post by Nick Craver. It’s from 2013 and we have fixed many of the issues that we were facing back then, but there is still some way to go.

All our signup and login pages, however, are delivered over HTTPS, and you can switch to HTTPS manually if you would prefer – for most sites.

Let’s get started

So how do you get started? If you have a debian-based Apache server, then grab the Let’s Encrypt tool and go!

If you’re on a different platform, then check the list of pre-built clients above, or take a look at a recent comparison of the most common *nix scripts.


Addendum: Michael Hampton pointed out to me that Fedora ships with the Let’s Encrypt package as a part of their distribution and is also in EPEL if you’re on RedHat, CentOS or another distribution that can make use of EPEL packages.

The ZDOI Fund, the GRAO Report, the Commercial Register and Kiva

Post Syndicated from Боян Юруков original http://feedproxy.google.com/~r/yurukov-blog/~3/dEwcoG1tkzw/

This is a very belated post. Last August I sent a request to GRAO asking how many Bulgarian citizens had been born abroad over the last 10 years, broken down by country. They replied that this report is charged according to an established tariff and would cost 108 leva. It is perfectly normal for there to be a fee, but I have no separate budget for such things. I wrote on Twitter that the report would be really interesting and that it was a pity we wouldn’t get to see it.
I was immediately asked for an account number/PayPal address, and within an hour or two the sum had been collected. After 24 hours the money collected had reached 250 leva, including my own contribution. I paid GRAO and three days later I published the original report. I asked the donors what we should do with the remainder, and the general opinion was that it should stay with me for future requests of this kind. I made a spreadsheet so that things could be tracked. We called it the “ZDOI Fund” (ZDOI being the Access to Public Information Act).
Since then several interesting things have happened. First, I published two posts with extracts from the data: one on Bulgarians in Germany, and one on how the statistics on Bulgarian births could be mechanically inflated. Several times I tried to make a world map showing births by country, but I didn’t have time to finish it. The main problem was that I ran into difficulties with CartoDB, but above all that many of the country names were not standard. Perhaps someone else could make such a map. (Addendum: I have published a map.)

I noticed inaccuracies in GRAO’s report, however. It included data on children born in Czechoslovakia and in “Serbia and Montenegro” long after those states had ceased to exist. There were errors for at least a hundred or so children. My first thought was that perhaps the report was not by year of birth but by date of registration with the municipality, i.e. a child born in Czechoslovakia in 1990 but registered as a Bulgarian citizen only in 2006. I asked GRAO and it turned out that was not the case: there really had been errors in ESGRAON. A month later I received a thank-you email for having pointed out these discrepancies. It seems municipal staff had selected the wrong countries in the form. The subsequent check corrected the place of birth in the birth certificates of all such children. They sent me an updated report. You can find both reports in a more convenient form here.
This case is a good example of why data should be open and public. If I hadn’t sat down to work on this, if people hadn’t donated to the cause and if we hadn’t examined the data, we wouldn’t have found out that quite a few children had incorrect birth certificates. That could have been a serious problem later in their lives. Think about what other errors there are in the administration’s databases that could be caught the same way. What effect might those errors have?
All communication with GRAO was by email: the request, the payment slip, the receipt of the report and the discussion afterwards. So I was surprised when I received a letter by post. Snail mail. Actually it is not that strange: for almost all ZDOI requests I have received letters, because “that is the procedure”. That should tell you how far along we are with electronic document flow. The interesting thing about the letter was that it contained a contract which I was supposedly required to sign in order to be given the report. I received it well after I had paid and obtained the data, so I have not signed or returned anything to GRAO. The worrying part of the contract was a clause stating that I had no right to share the information obtained under this request. That was odd, all the more so since I had shared it weeks earlier.
The next idea for the “fund” is to pay the fee for the entire Commercial Register database. As I wrote before, the new cabinet’s changes reduced the fee significantly. The Registry Agency, however, continues to stubbornly treat the database as its private property. At the beginning of January they made changes to the standard contract that severely restrict the openness of the data and complicate obtaining it. When those problems are cleared up, I will pay the fee and we will obtain one of the most important databases in our country. As far as I know, the Council of Ministers is working in that direction.
Meanwhile, at the end of last year I decided there was no point in the money just sitting there and converted it into a Kiva loan. Kiva is a microlending system through which you can lend 25 dollars or more to people around the world. There are no interest or transfer fees. The money is repaid in 98.79% of cases. The risk comes from natural disasters, illness or economic catastrophes. The benefit of these microloans is that they are not donations: the recipients have to present a repayment plan and have an incentive to improve their business or their environment. When we need to pay for a report, I will withdraw the money from Kiva and cover any losses myself. I simply think it makes much more sense for the money to help with a water treatment plant at a school in Uganda, where the last loan went, than to sit in PayPal.


Lapni.bg – you swallow it

Post Syndicated from Iliya Goranov original http://9ini.babailiica.com/lapni-bg-2/

However well a man may live, one day he still runs into on-line shopping.
The above may be the shortest and clearest summary of the sad picture of Bulgarian on-line commerce, if it can be called on-line at all and if it can be called commerce at all. The story begins with my deciding to buy a voucher for something (we abstract away what exactly, since it has no bearing on the story) from some site... say, Lapni.bg. Everything is wonderful, I have picked the offer and I am ready to shop:
1. I check how one can pay. Of course, there is no information on the site; it consists of a pile of offers. Or there may be, but hidden away in some secret place. I do see on the front page, however, that there are big logos of various payment instruments. And among them sits the PayPal logo: apparently they accept PayPal payments too. Great, onward.
Apparently they accept PayPal
2. I discover, to my surprise, that I already have an account on the site; naturally I don't remember the password... I click "forgotten" and after a certain standard procedure I get a new password. So far so good. I decide to change the newly generated password to something I hope I will remember more easily, and the search begins... It turns out, 10 minutes later, that the password is changed from the "My vouchers" menu. Great, how did I not think of that earlier, eh? Fine, in "My vouchers" there is a submenu "Settings"... And there is a password change... and the password is entered in? You guessed wrong: not in a password field but in a plain text field. I admit, it is very convenient: you can see your password!
3. So far, minor troubles. I changed my password and headed to the secret page for ordering an offer. And what do I have there: a big "Give as a gift" button... OK, I won't play dumb, I figured out that you order with the big red plus, but it wasn't exactly obvious.
The red plus
You click the red plus and after several checkout screens you end up at a "Pay now" button. You click it and the following form loads:
The payment form
I don't know whether it strikes you, but it strikes me that PayPal is not among the listed payment options; quite disappointing. After some thought I decide to pick the option "Credit / Debit card – Pay directly with your credit/debit card", even though I am in general quite suspicious, not to say paranoid, about all sorts of payment systems of dubious quality, origin and functionality. We continue onward and: surprise! We land on some sinister BORICA site that looks approximately like this:
BORICA
Let's start with the fact that the merchant logo does not load... in some browsers the wise caption "Merchant Logo" is displayed, in others there is a hole with an outline. My first suspicion was that the logo was not served over https and therefore did not load; on closer inspection I found that it simply does not work: the server just returns an empty response, and on top of that with the header Content-Type: text/plain. Well, not that anything surprises me; this is BORICA after all.
Next, below it sits the following remark: "If your card supports 3D authentication, you may have to identify yourself after pressing the "Pay" button." And since my card did not have 3D authentication, I calmly proceeded. A message came up that my card actually does support 3D security and that, although I had declined at the bank to use that option, if I wished to pay through BORICA's system I would have to agree to use said 3D security. But more on that later...
4. I filled in all the fields and clicked the coveted "Pay" button. Some progress bars wiggled... and "The system said no": it told me an error had occurred... some error, nobody knows exactly which, try again later. But it is not clear whether a payment went through or not? Big deal: try again, and if you pay twice, well, cheers.
Here I make an unexpected detour that was not planned in the whole on-line shopping process. I get out my electronic signature, start up the other laptop, because that is where everything for it is installed... and log into the online banking of the bank that issued the card, to check whether I have any card authorisations in the last hour. At least if a payment had gone through, I would know whom to go and argue with. Well, no, it hadn't gone through, heaven forbid.
5. Since the BORICA site has a big notice not to use the BACK button or REFRESH (that comes from the programmers' skill level, I know it from experience), I decide to go back to Lapni.bg manually and try to pay a second time. I go back, but there is no option there to make a payment for an order that was not paid the first time for whatever reason. Fine, we'll place a new order... The technique is already rehearsed: click, click, click... done, we are on the BORICA site again... I fill in the details again, "Pay"... progress bar... hooray, no error... a message appears that this card supports 3D security and I have to enter some password, which I naturally don't have, since I don't have 3D security. After reading some help, which incidentally is configured to open by default when you press Enter in any field of the form, it becomes clear that although I don't use 3D security, if I want to pay through this system I will have to register my card for 3D security with the bank that issued it...
What follows is another part, which I may tell some other time... but let's say that about 20 to 30 minutes later I have 3D security on the card and know the password in question... Naturally, the BORICA session has expired by then and everything starts over.
Here it should be noted that the number of vouchers on Lapni.bg is limited, and this is explicitly stated in the offer. I notice that every time I order a voucher and fail to pay for it, the count of "sold" ones goes up. And if you think the reason is that someone else is buying at the same moment, I don't think so, because this is happening in the small hours of the night and the more likely scenario is simply that the system is dim-witted.
6. I go through the whole scenario, place a new order, now knowing all the pitfalls, get to the BORICA payment, no error and no "try again later"... it asks me for the secret 3D security password... I enter it (I literally received it from the bank minutes ago)... and "The system said no": the password was wrong. I enter it a second time... "The system said no"... a third time, very carefully, I type it outside the password field to see exactly what comes out (here I ironically recalled how convenient the Lapni.bg form is, where a password field is not used for the password), copy the 100% certainly correct password, paste it and "The system said no"... On the third attempt it told me I was a bad hacker and could not pay, and threw me out... Damn it!
7. I went back to the online banking to check whether I had mistyped the password when registering for 3D security... even though there had been a field to re-enter the password; but alas, it turned out there was no way to check it. The only option is to change the password for the modest sum of 10 stotinki. I cursed them all (once again)... and decided that before changing the password (it's a matter of principle, not of the 10 stotinki) I would try once more to walk the whole path from start to finish. Maybe something would finally work... Meanwhile, after every failed attempt I go and check whether I have a card authorisation, because by now I don't trust anyone or any system.
And so I started, for the umpteenth time, to fill in all the fields and boxes from scratch... found the offer, ordered it once more, chose a payment method, went to the BORICA site, entered the details, it asked me for the 3D security password... and lo and behold: the same password that I had used minutes earlier and that had been wrong, without my changing it, is now no longer wrong.
8. Message: payment successful; I check with the bank: we have a successful card authorisation; an SMS about the payment arrives; fanfares, confetti... joy, an hour-long battle is about to end with man's victory over on-line commerce. I go back to Lapni.bg and there is nothing there... When you use on-line tools for payment and commerce you expect things to happen in real time; alas, it turns out they happen within a few minutes... After a few minutes everything appeared.
9. Meanwhile, other problems that arose but are not described above:
9.1. The Lapni.bg site has no contact phone number to call if you have problems like those described above.
9.2. The BORICA site says to contact the administrator, but of course there is neither a phone number nor an e-mail.
9.3. Lapni.bg has some secret links that I only managed to get hold of the next day, because some titan of technical thought put in JavaScript for infinite scroll, and the moment you scroll to the very bottom to see the links in the footer, more offers load dynamically and the footer disappears downwards... and so you can chase it until you lose your mind.
9.4. The Lapni.bg search rushes to search while you type... it figures out that you are typing by the key presses. But there is no timeout, and however fast you type, it tries to reload the results on every keystroke. The result is a mess. On top of that, if you press the arrow keys in the search field (i.e. type nothing), the search results reload again.
And so, some would conclude that my attempt at on-line shopping was successful, because all's well that ends well. I, however, will say NO, THE ATTEMPT WAS A FAILURE, because I do not believe it is normal for a trivial purchase on the Internet to end up taking almost two full hours! This is an activity that is expected to be fast, accessible and easy.
P.S. While writing this post and taking screenshots of the Lapni.bg and BORICA sites, I unexpectedly discovered that there actually is an option to pay with PayPal... it is just available on other offers. It is not clear from anywhere why some offers can be paid with PayPal and others cannot. Perhaps the price is the deciding factor, perhaps something else. That is not mentioned on the site, though... the "Frequently Asked Questions" say: "PayPal.com is an international electronic payment system. It supports all types of credit cards, as well as Visa Electron debit cards that support electronic payments. To pay via PayPal.com you must have a registered account in advance, as well as an added and confirmed bank card. If you do not have a PayPal.com account, consider the other payment methods."

Using Perl PayPal API on Debian wheezy

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2013/10/07/paypal-perl.html

I recently upgraded to Debian wheezy. On Debian squeeze, I had no problem
using the stock Perl module Business::PayPal::API to import PayPal
transactions for Software Freedom Conservancy, via the Debian package
libbusiness-paypal-api-perl.

After the wheezy upgrade, something goes wrong and it doesn't work.
I reviewed some similar complaints that seem to relate to this resolved
bug, but that wasn't my problem, I don't think.

I ran strace to dig around and see what was going on. The working
squeeze install did this:

select(8, [3], [3], NULL, {0, 0}) = 1 (out [3], left {0, 0})
write(3, "SOMEDATA"..., 1365) = 1365
rt_sigprocmask(SIG_BLOCK, [ALRM], [], 8) = 0
rt_sigaction(SIGALRM, {SIG_DFL, [], 0}, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [ALRM], [], 8) = 0
rt_sigaction(SIGALRM, {0xxxxxx, [], 0}, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
alarm(60) = 0
read(3, "SOMEDATA", 5) = 5

But the same script on wheezy did this at the same point:

select(8, [3], [3], NULL, {0, 0}) = 1 (out [3], left {0, 0})
write(3, "SOMEDATA"..., 1373) = 1373
read(3, 0xxxxxxxx, 5) = -1 EAGAIN (Resource temporarily unavailable)
select(0, NULL, NULL, NULL, {0, 100000}) = 0 (Timeout)
read(3, 0xxxxxxxx, 5) = -1 EAGAIN (Resource temporarily unavailable)
select(0, NULL, NULL, NULL, {0, 100000}) = 0 (Timeout)
read(3, 0xxxxxxxx, 5) = -1 EAGAIN (Resource temporarily unavailable)
select(0, NULL, NULL, NULL, {0, 100000}) = 0 (Timeout)
read(3, 0xxxxxxxx, 5) = -1 EAGAIN (Resource temporarily unavailable)

I was pretty confused, and basically I still am, but then I noticed this
in the documentation for Business::PayPal::API, regarding SOAP::Lite:

if you have already loaded Net::SSLeay (or IO::Socket::SSL), then Net::HTTPS
will prefer to use IO::Socket::SSL. I don’t know how to get SOAP::Lite to
work with IO::Socket::SSL (e.g., Crypt::SSLeay uses HTTPS_* environment
variables), so until then, you can use this hack:
local $IO::Socket::SSL::VERSION = undef;

That hack didn’t work, but I did confirm via strace that on
wheezy, IO::Socket::SSL was getting loaded instead
of Net::SSL. So, I did this, which was a complete and much worse
hack:

use Net::SSL;    # load Crypt::SSLeay's Net::SSL first, so Net::HTTPS binds
use Net::SSLeay; # to it rather than to IO::Socket::SSL
# Net::SSL cannot verify server hostnames, so LWP refuses HTTPS through it
# unless verification is switched off; this affects every LWP HTTPS request.
$ENV{'PERL_LWP_SSL_VERIFY_HOSTNAME'} = 0;
# Then:
use Business::PayPal::API qw(GetTransactionDetails TransactionSearch);

… And this incantation worked. This isn’t the right fix, but I
figured I should publish this, as this ate up three hours, and it’s worth
the 15 minutes to write this post, just in case someone else tries to use
Business::PayPal::API on wheezy.
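The cost of that hack is that hostname verification is off for the PayPal session. The following is an added example, not code from the original post or from Business::PayPal::API: it reports which SSL backend Net::HTTPS bound to and whether LWP will check the peer hostname, and refuses to proceed if it will not. It assumes libwww-perl 6 and Crypt::SSLeay (for Net::SSL) are installed, as on the wheezy box described above.

```perl
#!/usr/bin/perl
# Added example (not from the original post). Net::HTTPS binds to whichever of
# IO::Socket::SSL or Net::SSL is already loaded; Net::SSL (Crypt::SSLeay)
# cannot check the server's hostname, so LWP only talks through it when
# PERL_LWP_SSL_VERIFY_HOSTNAME=0. Surface both facts before any PayPal call.
use strict;
use warnings;

use Net::SSL;          # same load order as the workaround in the post
use Net::HTTPS;        # selects its SSL socket class at load time
use LWP::UserAgent;

# Which backend Net::HTTPS selected, and whether LWP will verify the peer's
# hostname. LWP::UserAgent->new resolves the PERL_LWP_SSL_VERIFY_HOSTNAME
# default into ssl_opts for us, so we read the effective value from there.
sub ssl_backend_status {
    my $ua     = LWP::UserAgent->new;
    my $verify = $ua->ssl_opts('verify_hostname');
    return {
        socket_class    => $Net::HTTPS::SSL_SOCKET_CLASS // 'unknown',
        verify_hostname => $verify ? 1 : 0,
    };
}

# Dies unless the connection to the payment API will have its hostname
# checked; otherwise returns the status hash so the caller can log it.
sub require_verified_https {
    my $st = ssl_backend_status();
    die sprintf("refusing to call PayPal: HTTPS via %s with hostname "
              . "verification off; an impersonated endpoint would not be "
              . "detected\n", $st->{socket_class})
        unless $st->{verify_hostname};
    return $st;
}

unless (caller) {
    my $st = ssl_backend_status();
    printf "SSL backend: %s, verify_hostname: %d\n",
        $st->{socket_class}, $st->{verify_hostname};
    require_verified_https();
    print "hostname verification is on; safe to load Business::PayPal::API\n";
}
```

With the post's `$ENV{'PERL_LWP_SSL_VERIFY_HOSTNAME'} = 0` in effect, `require_verified_https` dies, which is the point: the transaction import would otherwise run against a server whose identity was never checked.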

I used to be a Perl expert once upon a time. This situation convinced me
that I’m not. In the old days, I would’ve actually figured out what was
wrong.