Dhole Moments

2021-01-09 12:59:50

In 2015, a subreddit called /r/The_Donald was created. This has made a lot of people very angry and widely been regarded as a bad move.

Roughly 5 years after its inception, the Reddit staff banned /r/The_Donald because it was a cesspool of hateful content and harmful conspiracy theories. You can learn more about it here.

Why are we talking about this in 2021?

Well, a lot has happened in the first week of the new year. A lot of words have been written about the fascist insurrection that attempted a coup on the U.S. legislature, so I won’t belabor the point more than I have to.

But as it turns out: The shitty people who ran /r/The_Donald didn’t leave well enough alone when they got shit-canned.

Remember: You can’t recycle fash.
(Art by Khia.)

Instead, they spun up a Reddit clone under the domain thedonald.win and hid it behind CloudFlare.

Even worse: Without Reddit rules to keep them in check, they’ve gone all in on political violence and terrorism.

(Content Warning: Fascism, political violence, and a myriad of other nastiness in the Twitter thread below.)

https://twitter.com/Viking_Sec/status/1347758893976457217

If you remember last year, I published a blog post about identifying the real server IP address from email headers. This is far from a sophisticated technique, but if simple solutions work, why not use them?

(Related, I wrote a post in 2020 about more effectively deplatforming hate and harassment. This knowledge will come in handy if you find yourself needing to stop the spread of political violence, but is strictly speaking not relevant to the techniques discussed on this page.)

Unmasking TheDonald.win

The technique I outlined in my previous post doesn’t work on their Reddit clone software: Although it asks you for an (optional) email address at the time of account registration, it never actually emails you, and there is no account recovery feature (a.k.a. “I forgot my password”).

Foiled immediately! What’s a furry to do?
(Art by Khia.)

However, their software is still a Reddit clone!

Reddit has this feature where you can submit links and it will helpfully fetch the page title for you. It looks like this:

When I paste a URL into this form, it automatically fetches the title.

How this feature works is simple: They initiate an HTTP request server-side to fetch the web page, parse out the title tag, and return it.

So what happens if you control the server that their request is being routed to, and provide a unique URL?

Leaking TheDonald.win’s true IP address from behind CloudFlare.

Well, that was easy! To eliminate false positives, I performed all of this sampling with Tor Browser and manually rebuilt the Tor Circuit multiple times, and always got the same IP address: 167.114.145.140.

An Even Lazier Technique

Just use Shodan, lol

https://twitter.com/_rarecoil/status/1347768188017143808

Apparently chuds are really bad at OpSec, and their IP was exposed on Shodan this whole time.

You can’t help but laugh at their incompetence.
(Art by Khia.)

The Road to Accountability

Okay, so we have their real IP address. What can we do with it?

The easiest thing to do is find out who’s hosting their servers, with a simple WHOIS lookup on their IP address.

Hosted by OVH Canada, eh? After all, nothing screams “Proud American” like hosting your website with a French company in a Canadian datacenter.

Dunking on these fools for the inconsistencies in their worldview is self-care and I recommend it, even though I know they don’t care one iota about hypocrisy.

I immediately wondered if their ISP was aware they were hosting right-wing terrorists, so I filed an innocent abuse report with details about how I obtained their IP address and the kind of behavior they’re engaging in. Canada’s laws about hate speech and inciting violence are comparably strict, after all.

I’ll update this post later if OVH decides to take action.

Lessons to Learn

First, don’t tolerate violent political extremists, or you’ll end up with political violence on your hands. Deplatforming works.

https://twitter.com/witchiebunny/status/1347624481318166528

Second, and most important: Online privacy is hard. Hard enough that bigots, terrorists, and seditious insurrectionists can’t do it right.

This bears emphasizing: None of the techniques I’ve shared on the history of my blog are particularly clever or novel. But they work extremely well, and they’re useful for exposing shitty people.

Remember: Sunlight is the best disinfectant.

Conversely: Basic OSINT isn’t hard; merely tedious.

Other Techniques (from Twitter)

Subdomain leaks (via @z3dster):

https://twitter.com/z3dster/status/1347807318478639106

Exploiting CloudFlare workers (via @4dwins):

https://twitter.com/4dwins/status/1347809701291937792

DNS enumeration (via @JoshFarwell):

https://twitter.com/JoshFarwell/status/1347840751720304641

If the site in question is running WordPress, you can use Pingbacks to get WordPress to cough up the server IP address. If you aren’t sure if something runs WordPress, here’s the lazy way to detect that: view any page’s source code and see if the string /wp-content shows up in any URLs (especially for CSS). If it’s found, you’re probably dealing with WordPress.

Gab’s (another platform favored by right-wing extremists) IP address discovered through their Image Proxy feature to be 216.66.0.222 (via @kubeworm):

https://twitter.com/kubeworm/status/1348162193523675136

The Alt-Right Notices this Blog Post

Shortly after I posted this online, some users from thedonald.win noticed this blog post and hilarity ensued.

https://twitter.com/SoatokDhole/status/1348204577154326528

I want to make something clear in case anyone (especially members of toxic Trump-supporting communities) is confused:

What’s published on this page isn’t doxing, nor do I have any interest in doxing people. That’s the job of law enforcement, not furry bloggers who sometimes write about computer topics. And law enforcement definitely doesn’t need my help: When you create an account, you must solve a ReCAPTCHA challenge, which sends an HTTP request directly to Google servers–which means law enforcement could just subpoena Google for the IP address of the server, even if the above leaks were all patched.

This also isn’t the sort of thing I’d ever brag about, since the entire point I’ve been making is what I’ve done here isn’t technically challenging. If I wanted to /flex, I’d just talk more about my work on constant-time algorithm implementations.

If, in response to my abuse report, OVH Canada determines that their website isn’t violating OVH’s terms of service, then y’all have nothing to worry about.

But given the amount of rampant hate speech being hosted in Canadian jurisdiction, I wouldn’t make that bet.

Addendum (2021-01-19)

Additionally, this wasn’t as simple as running a WHOIS search on thedonald.win either, since that only coughs up the CloudFlare IP addresses. I went a step further and got the real IP address of the server behind CloudFlare, not just CloudFlare’s IP.

This isn’t rocket science, folks.

According to CBC Canada, they moved off OVH Canada the same day this blog post went live. I’m willing to bet a simple WHOIS query won’t yield their current, non-CloudFlare IP address. (To wit: If you think the steps taken in this blog post are so unimpressive to warrant mockery, why not discover the non-CloudFlare IP for yourselves? I’ll bet you can’t.)

There are a lot of ways to deflect criticism for your system administrators’ mistakes, but being overly reductionist and claiming I “just” ran a WHOIS query (which, as stated above, wouldn’t work because of CloudFlare) is only hurting your users by instilling in them a false sense of security.

Just admit it: You fucked up, and got outfoxed by a random furry blogger, and then moved hosting providers after patching the IP leak. How hard is that?

Also, if anyone from CloudFlare is reading this: You should really dump your violent extremist customers before they hurt more people. I’m a strong proponent of freedom of speech–especially for sex workers, the most censored group online–but they’re actively spreading hate and planning violent attacks like the Capitol Hill Riot of January 6, 2021. Pull the damn plug, man.

Finally, I highly recommend Innuendo Studios’ series, The Alt-Right Playbook, for anyone who’s trying to make sense of the surge in right-wing violence we’ve been seeing in America for the past few years.

How Do You Know This IP Wasn’t Bait?

After I published this article, the developers of their software hobbled the Get Suggested Title feature of their software, and the system administrators cancelled their OVH hosting account and moved to another ISP. (Source.)

You can independently verify that their software is hobbled: Try to fetch the page title for a random news website, or Wikipedia article, with the developer console open. It will stall for a while then return an empty string instead of the page title.

They also changed their domain name to patriots.win.

If the IP address I’d found was bait, why would they break a core piece of their software’s functionality and then hurriedly migrate their server elsewhere?

The very notion doesn’t stand up to common sense, let alone greater scrutiny. The whole point of bait is to catch people making a mistake–presumably so you can mock them while remaining totally unaffected–not so you can do these things in a hurry.

A much more likely story: Anyone who makes this claim is trying to downplay a mistake and save face.

---

Header art by Kyume

https://soatok.blog/2021/01/09/masks-off-for-thedonald-win/

#cloudflare #deanonymize #hateSpeech #OnlinePrivacy #Technology

Dhole Moments

2020-05-08 12:01:49

Cryptographers around the world are still designing privacy-preserving contact tracing systems for combating the spread of COVID-19.

Even though some papers have been published (one using zero-knowledge proofs, another based on blockchain (sigh)), the ink is still very wet. The first framework designed by Apple and Google needs work but was surprisingly not god-awful.

That is to say: As of 2020-05-08, there is currently no implementation of privacy-preserving contact tracing available to the world. It might be coming soon, but it ain’t here yet.

But a quick search through the Google Play Store would surely lead you to believe otherwise.

What you see when you search “contact tracing” on the Google Play Store.

The first thing that leaps out is that there are two advertisements for things that are mostly irrelevant to contact tracing. Since “contact tracing” is a hot topic (and will only become increasingly hot when the real apps are ready to be deployed), it’s clear that there’s a profit incentive at work.

But with a little further study, we can see that this profit motive persists as we look down the list.
Ads and in-app purchases? That sure fits the “contact tracing” use case.You’re awfully SURE of yourself, aren’t ya?
The first one (an app named simply “Contact Tracing”) was first published in March 2020, so it was clearly created to capitalize on the pandemic.

The source code for their app (which was written in Cordova, and thus didn’t even require any effort reverse-engineering) contains a lot of references to a product named “Crypto Account Manager” by the same company.
In case anyone needs it, their contact information is apparently: Piusworks LLC. 969G Edgewater Blvd. #750. Foster City, CA 94404.
Ah yes, Cryptocurrency! That’s exactly what an Android user wanted when they search for “contact tracing”.

This is exactly the kind of disingenuous behavior you expect from the sorts of bottom-feeders that would capitalize on a pandemic for profit.

Worth noting: The CDC app at the bottom was legitimate, but their development team is clearly having a tough time.
I can relate to your struggles, CDC-employed app developers.
There’s probably a lot more to be found (if anyone wants to take the time). You might even find actual Android malware. (As far as I can tell, these apps are only trying to exploit humans, not machines, so I cannot classify them as malware.)

But what you won’t find is a privacy-preserving contact tracing app, so don’t look for it just yet.

Want to know when one is available? Follow me on Twitter for updates: @SoatokDhole.

Which Apps Aren’t Fraudulent?

The CDC app, which was originally created for Tuberculosis contact tracing, is legitimate (but not privacy-preserving in the way that cryptographers care about).

The TraceTogether app is the contact tracing app produced by the Singapore government.

The Takeaway

Just because it’s in the Google Play Store doesn’t mean it’s authentic or trustworthy. This should be common knowledge, but it never hurts to remind everyone.

That being said, I really wish Google would police its app store better.

I also wish they would forbid advertisements relating to national or global emergencies; i.e. COVID-19.

https://soatok.blog/2020/05/08/fraudulent-apps-on-the-google-play-store-covid-19-contact-tracing-edition/

#Android #contactTracing #COVID19 #Cybercrime #fraudulentApps #GooglePlay #GooglePlayStore #informationSecurity

Dhole Moments

2020-04-22 22:13:34

There are two news stories today. Unfortunately, some people have difficulty uncoupling the two.

1. The Team Fortress 2 Source Code has been leaked.
2. Hackers discovered a Remote Code Execution exploit.

The second point is something to be concerned about. RCE is game over. The existence of an unpatched RCE vulnerability, with public exploits, is sufficient reason to uninstall the game and wait for a fix to be released. Good on everyone for reporting that. You’re being responsible. (If it’s real, that is! See update at the bottom.)

The first point might explain why the second happened, which is fine for the sake of narrative… but by itself, a source code leak is a non-issue that nobody in their right mind should worry about from a security perspective.

Anyone who believes they’re less secure because the source code is public is either uninformed or misinformed.

I will explain.
Professor Dreamseeker is in the house. Twitch Emote by Swizz.

Why Source Code Leaks Don’t Matter for Security

You should know that, throughout my time online as a furry, I have been awarded thousand dollar bounties through public bounty programs.

How did you earn those bounties?
By finding zero-day vulnerabilities in those companies’ software.

But only some of those were for open source software projects. CreditKarma definitely does not share their Android app’s source code with security researchers.

How did you do it?
I simply reverse engineered their apps using off-the-shelf tools, and studied the decompiled source code.

Why are you making that sound trivial?
Because it is trivial!

If you don’t believe me, choose a random game from your Steam library.

Right click > Properties. Click on the Local Files tab, then click “Browse Local Files”. Now search for a binary.
Me, following these steps to locate the No Man’s Sky binary.
If your game is a typical C/C++ project, you’ll next want to install Ghidra.

Other platforms and their respective tools:

• Java games (.jar files): Luyten
• .NET games: ILSpy
• Android apps: dex2jar then Luyten (as per Java)

If you see a bunch of HTML and JS files, you can literally use beautifier.io to make the code readable.

Open your target binary in the appropriate reverse engineering software, and you can decompile the binary into C/C++ code.
Decompiled code from No Man’s Sky’s NMS.exe file on Windows.
Congratulations! If you’ve made it this far, you’re neck-and-neck with any attacker who has a leaked copy of the source code.

Every Information Security Expert Knows This

Almost literally everyone working in infosec knows that keeping a product’s source code a secret doesn’t actually improve the security of the product.

There’s a derisive term for this belief: Security Through Obscurity.

The only people whose job will be made more difficult with the source code leak are lawyers dealing with Intellectual Property (IP) disputes.

In Conclusion

Remote Code Execution is bad.

The Source Code being public? Yawn.
Pictured: Soatok trying to figure out why people are worried about source code disclosure when he publishes everything publicly on Github anyway (2020). Art by Riley.
Update: Shortly after I made this post, I was made aware of another news story worthy of everyone’s attention far more than FUD about source code leaks.

With the Source leaks happening today, I think everyone is missing the most important part: how much does Valve swear? I tallied up instances of these words in the leak*:

"fuck": 116
"shit": 63
"damn": 109

*There was some non-Valve stuff in the leak; I didn't count it

— @tj (@tjhorner) April 22, 2020

Well damn if that doesn’t capture my interest.
Now this is the kind of story that makes Twitter worthwhile!

Is the RCE Exploit Even Real?

Update 2: I’ve heard a lot of reports that the alleged RCE exploit is fake. I haven’t taken the time to look at Team Fortress 2 or CS:GO in any meaningful way, but the CS:GO team did have this to say about the leaks:

We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018. From this review, we have not found any reason for players to be alarmed or avoid the current builds.

— CS2 (@CounterStrike) April 22, 2020

Fake news and old news are strange (yet strangely common) bedfellows.

https://soatok.blog/2020/04/22/source-code-leak-is-effectively-meaningless-to-endpoint-security/

#commonSense #informationSecurity #infosec #misinformation #reverseEngineering #security #securityThroughObscurity #sourceCode