The "Anonymous" proxy.



  •  Today's Wikileaks announcement of the hacking of Sarah Palin's email account by Anonymous activists piqued my curiosity, particularly the bit that reads...

    [quote user="http://wikileaks.org/wiki/Sarah_Palin_Yahoo_inbox_2008"]

    "Nb. The 'ctunnel.com' reference in the browser screen shots is to a proxy
    service used to prevent the activists from being traced."

    [/quote]

    Well, I thought I'd go and find out what kind of proxy service this was, so I surfed along to http://ctunnel.com/ , where I was greeted by yer average "What-do-you-mean-some-people-don't-use-javascript" blank frontpage.  The first thing I noticed in the source was this: (line-wrapped to protect my sanity)

    [quote user="http://ctunnel.com/"]

    var myArray=new Array();
    myArray[0] = '%0n%0n%0n<pragre><sbag fvmr=6>
    <o>Pghaary.pbz</o></sbag><Oe>%0n<vzt fep=%22ighaary.wct%22><Oe>
    <Oe>%0n<sbag fvmr=4><O>Pghaary vf urer gb cebgrpg lbhe nabalzvgl bayvar!<Oe>
    </sbag></o><sbag fvmr=3>Oebjfr gur jro guebhtu bhe freire gb trg cnfg crfxl
    hey be vc onfrq svygref!</sbag></o><oe><Oe>%0n%0n<sbag fvmr=4><n uers=%22nobhg.ugzy%22>
    Nobhg Pghaary</n> <o>%7p</o> <n uers=%22yvaxf.ugzy%22>Yvaxf</n> <o>%7p</o> 
    <n uers=%22uggc://gvalhey.pbz/xrstg%22>Sbehzf</n></sbag></pragre><oe>%0n%0n<pragre>%0n%0n<pragre>%0n%0n%0n';
    
    

    [/quote]

    Wow.  ROT-13 is not a happy-making thing to see on a website that's supposed to be helping you stay secure.  And sure enough this is just a trivial CGI proxy, and the local plod are probably zooming round there with a subpoena or search warrant as we speak.  Those guys are quite possibly about to land in a metric shitload of trouble, because let me tell you, 

    [quote user="http://ctunnel.com/"]

    var myArray=new Array();
    myArray[0] = '%0n%0n%0n%0n%0n<Oe><oe>%0n%0n<gnoyr jvqgu=65%25><gq><gnoyr jvqgu=100%25
    otpbybe=qqqqqq pryycnqqvat=3><gq>%0n<n uers=%22uggcf://jjj.Pghaary.pbz%22>Ranoyr FFY Rapelcgvba</n><oe>%0n%0n<sbez anzr=%22ybtva%22 
    npgvba=%22uggc://pghaary.pbz/vaqrk.cuc/1010110N/20099p53o71244739q9oqr365318900%22 zrgubq=cbfg>%0n<vachg anzr=%22hfreanzr%22 fvmr=66 
    inyhr=%22uggc://jjj.LbhGhor.pbz%22><vachg glcr=fhozvg inyhr=%22   Ortva Oebjfvat   %22><Oe>%0nVafgnag Zrffratref: 
    <n uers=%22uggc://pghaary.pbz/vaqrk.cuc/1010110N/30509851s71q4n2op08nqq3143444040717794pop324pr5sn1ns7q684op792410s2618900%22>Zfa</n> 
    <n uers=%22uggc://pghaary.pbz/vaqrk.cuc/1010110N/30509851s71q4n2op08nqq3143444040717794pop324pr5sn1ns7q6451p492410s2618900%22>NVZ</n> 
    <n uers=%22uggc://pghaary.pbz/vaqrk.cuc/1010110N/30509851s71q4n2op08nqq3143444040717794pop324pr5sn1ns7q7p59p1q35r4926o39r18900%22>Lnubb</n>
     <n uers=%22uggc://pghaary.pbz/vaqrk.cuc/1010110N/30509851s71q4n2op08nqq3143444040717794pop324pr5sn1ns7q624pp8q05n4926o39r18900%22>Tgnyx</n><O';
    myArray[1] = 'e>%0n%0n<oe><vachg glcr=uvqqra vq=%22e4%22 anzr=%22e4%22 inyhr=%22 purpxrq%22>%0n<vachg glcr=purpxobk vq=%22ep%22 anzr=%22ep%22 >
    <ynory sbe=%22ep%22> Erzbir pbbxvrf</ynory>%0n<oe><vachg glcr=purpxobk vq=%22ef%22 anzr=%22ef%22 purpxrq> Erzbir Fpevcgf<oe><vachg glcr=uvqqra 
    vq=%22sn%22 anzr=%22sn%22 inyhr=%22%22>%0n<vachg glcr=purpxobk vq=%22oe%22 anzr=%22oe%22  purpxrq><ynory sbe=%22oe%22> Uvqr ersreere vasbezngvba</ynory>
    <Oe>%0n<vachg glcr=purpxobk vq=%22vs%22 anzr=%22vs%22  purpxrq><ynory sbe=%22vs%22> Fubj HEY sbez</ynory>%0n%0n%0n</sbez>%0n%0n</gq></gnoyr>
    %0n<u3><n uers=%22uggc://pghaary.pbz/vaqrk.cuc/0010110N/782d70726f78792f636f6f6b6965732f6d616e616765%22>Znantr pbbxvrf</n></u3>%0n</gq></gnoyr>
    %0n%0n<ue>%0n<pragre>%0nOl hfvat guvf jrofvgr, lbh zhfg nterr gb novqr vg%27f 
    <n uers=%22./grezf/vaqrk.ugz%22>grezf bs freivpr</n><oe>Vs lbh oryvrir guvf freivpr unf orra hfrq gb pbaqhpg nohfvir be vyyrtny npgvivgvrf, 
    cyrnfr pbagnpg hf ol rznvyvat <O>%28 nohfr[ng]bireavtugcp.arg %29</o>.%0n</';
    myArray[2] = 'obql>%0n</ugzy>%0n%0n';

    [/quote]

    trivially obfuscating your URLs with ROT-13 might get you past your school's net-nanny, but it ain't gonna even slow down the feds.

    TRWTF, however, is their soopa-sekritt decoder ring, errr I mean function:

    [quote user="http://ctunnel.com/"]

    function base64(src)
    {
    var dst=new String('') ;
    	var len=src.length ; var b ; var t=new String('') ; 
    	if(len > 0) 
    	{ for(var ctr=0; ctr<len ; ctr++) 
    		{ b=src.charCodeAt(ctr); 
    		if( ( (b>64) && (b<78) ) || ( (b>96) && (b<110) ) ) 
    			{ b=b+13; } 
    		else 
    			{ if( ( (b>77) && (b<91) ) || ( (b>109) && (b<123) ) ) 
    				{ b=b-13; } } 
    		t=String.fromCharCode(b) ; dst=dst.concat(t) ;} 
    	}
    return dst;
    }

    [/quote]

    And since they copy and paste this function three times on the front page, I think I'm fully entitled to say:

    You keep using that word.  I do not think it means what you think it means.
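
The scheme described in the post above, shown as an added example that is not part of the original post or of ctunnel.com's code: the markup was percent-encoded first and ROT13 applied on top, so escapes such as `%0a` appear as `%0n`, and recovery means reversing ROT13 and then percent-decoding. `SAMPLE` is constructed from short excerpts of the quoted strings; `KNOWN_TAGS`, `knownTagRatio` and `looksRot13Obfuscated` are hypothetical names for a simple content-filter check.

```javascript
// Added example, not code from ctunnel.com. SAMPLE is constructed by joining
// short excerpts of the obfuscated strings quoted in the post.
const SAMPLE =
  '<sbag fvmr=4><O>Pghaary vf urer gb cebgrpg lbhe nabalzvgl bayvar!<Oe></sbag>' +
  '%0n<n uers=%22nobhg.ugzy%22>Nobhg Pghaary</n> <o>%7p</o>';

// Hypothetical allow-list of tag names a filter expects in ordinary HTML.
const KNOWN_TAGS = new Set([
  'a', 'b', 'br', 'font', 'center', 'img', 'form', 'input',
  'table', 'td', 'label', 'hr', 'h3', 'body', 'html',
]);

// ROT13 is its own inverse and has no key: anyone can undo it.
function rot13(s) {
  return s.replace(/[A-Za-z]/g, (ch) => {
    const base = ch <= 'Z' ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Undo ROT13 first (this also restores %0n -> %0a, %7p -> %7c),
// then resolve the percent escapes.
function deobfuscate(s) {
  const shifted = rot13(s);
  try {
    return decodeURIComponent(shifted);
  } catch (e) {
    return shifted; // malformed escape: keep the ROT13 result as-is
  }
}

// Fraction of tag names in s that are ordinary HTML tags.
function knownTagRatio(s) {
  const names = [...s.matchAll(/<\/?([A-Za-z][A-Za-z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  if (names.length === 0) return 0;
  return names.filter((n) => KNOWN_TAGS.has(n)).length / names.length;
}

// Filter-side heuristic: the text does not look like HTML as served,
// but does once ROT13 is reversed.
function looksRot13Obfuscated(s) {
  return knownTagRatio(s) < 0.5 && knownTagRatio(rot13(s)) >= 0.9;
}

console.log(looksRot13Obfuscated(SAMPLE));
console.log(deobfuscate(SAMPLE));
```
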
     



  • It could've been worse. Some people talk about "encrypting" their passwords in BASE64. 



  • I'm sure they use it to fool filters that try to disable browsing through a proxy, like NetNanny. It's not meant to fool humans.



  • This whole story is pretty much a whole series of wtfs...

    The proxy: useless as mentioned.  (At least go through a country that is unlikely to respond to the FBI if you are doing something to get you chased by them)
    The "Hacker" who got in:  Was able to reset her password because she had the easiest possible security questions (though now people think Yahoo is "insecure")
    The access:  people act like he broke into Fort Knox... it's more like he opened her mailbox in front of her house and looked over the post cards - since email (unless encrypted) goes through the net pretty much like a postcard goes through the USPS - NOT something you use for private information unless you encrypt it.  (Okay, it's like she had a combo lock on her box, and a sticky note with "1234" taped right next to it)
    The idiotic move: So, after deciding there is nothing "incriminating" (if there ever was, I am sure she at least knows how to use the "delete" function, der..) and he realizes he can be caught easily...  does he A) leave it alone... hoping she tries to log in and thinks "stupid internet - it messed up my password, I better reset that" without calling the Feds, or B) Announce he broke into her email on the internet and prove it by showing her photos etc, thereby guaranteeing a whole slew of Feds breathing down his neck?


    This is what I call a serious multi-fail pileup on the WTF highway...



    I can picture his lawyer's opening defense now "I would like to submit, pertaining to my client's insanity plea, evidence that he willingly and of his own volition visited 4Chan on the date of..."



  • @BeenThere said:

    I can picture his lawyer's opening defense now "I would like to submit, pertaining to my client's insanity plea, evidence that he willingly and of his own volition visited 4Chan on the date of..."

    The really bad thing will be when the jury sees some of the other content from 4chan.  I have a feeling that pictures of shitting dick nipples and copious crapidshare links to volumes of child pornography will not help his case.. 



  • @BeenThere said:

    after deciding there is nothing "incriminating" (if there ever was, I am sure she at least knows how to use the "delete" function, der..)

    Actually, some people think that this "breach" had the potential of being the next Watergate, if the e-mail addy had been used for official stuff (or even better, unofficial stuff like in the original Watergate affair.) Using non-gov't e-mail for official stuff is pretty much in violation of US Government information acts, and it would've been a good case against Palin. Hell, maybe it would've scared other public workers enough to stop doing this idiotic practice.

    But nooooo, whoever did this went for "teh internetz" fame. And the feds have a nice trail leading back to the perpetrators. Damn, it is kind of like if Alan Turing had published worldwide that he cracked Enigma right in the middle of WW2!



  • @danixdefcon5 said:

    Actually, some people think that this "breach" had the potential of being the next Watergate, if the e-mail addy had been used for official stuff (or even better, unofficial stuff like in the original Watergate affair.)

    It seems to me you don't know what the Watergate Scandal actually entailed.

     

    @danixdefcon5 said:

    Using non-gov't e-mail for official stuff is pretty much in violation of US Government information acts, and it would've been a good case against Palin.

    That's arguable for at least 2 reasons.  For one, I'm not sure there is a Federal law that prohibits state workers from doing this and I'm not sure Alaska had such a law in place.  I'm too lazy to try to look this up.  Also, I'm not sure what "pretty much in violation" even means.  Either something is against the law or it is not.  Second, a court case would have been very difficult to pursue as the "evidence" would have been obtained illegally.  Popular opinion might swing against her, but I doubt it would do that much damage, unless something really insidious was uncovered.  Just run-of-the-mill government business conducted through a personal account probably wouldn't do much harm (if any) to her campaign.



  • @BeenThere said:

    The idiotic move: So, after deciding there is nothing "incriminating" (if there ever was, I am sure she at least knows how to use the "delete" function, der..) and he realizes he can be caught easily...  does he A) leave it alone... hoping she tries to log in and thinks "stupid internet - it messed up my password, I better reset that" without calling the Feds, or B) Announce he broke into her email on the internet and prove it by showing her photos etc, thereby guaranteeing a whole slew of Feds breathing down his neck?
     

    Yeh, it may be idiocy, but for some reason it's a traditional idiocy: the theory is that getting all your troll mates to come in and stomp over the place with big muddy footprints will somehow 'cover your tracks'.

    Of course, all it really does is make the first entry in the logs - the one immediately before everything went haywire - rise to very visible prominence. 

     



  • @morbiuswilters said:

    @danixdefcon5 said:

    Actually, some people think that this "breach" had the potential of being the next Watergate, if the e-mail addy had been used for official stuff (or even better, unofficial stuff like in the original Watergate affair.)

    It seems to me you don't know what the Watergate Scandal actually entailed.

     

    Wouldn't the slush fund and the plumbers qualify as unofficial? It would be as if he was using yahoo! mail to coordinate what the plumbers' actions were and how to direct the slush funds.



  • @DeLos said:

    @morbiuswilters said:

    @danixdefcon5 said:

    Actually, some people think that this "breach" had the potential of being the next Watergate, if the e-mail addy had been used for official stuff (or even better, unofficial stuff like in the original Watergate affair.)

    It seems to me you don't know what the Watergate Scandal actually entailed.

     

    Wouldn't the slush fund and the plumbers qualify as unofficial? It would be as if he was using yahoo! mail to coordinate what the plumbers' actions were and how to direct the slush funds.

    Obviously they were unofficial.  Re-read danix's statement.  How would this have the potential for being the next Watergate if the e-mail account was used for official business?  It's problematic, but also probably quite common and would most likely result in nothing significant.

     

    As far as unofficial activities go, it's a pretty big stretch to say that this has the potential for being the next Watergate just because someone had a personal email account that had an extremely remote possibility of containing evidence of illegal activities.  By that logic, every time you got on a commercial jet you would say "some people think this plane has the potential to be the next 9/11".  It's such a pointless and inflammatory statement and it makes the person who said it look retarded.



  • @morbiuswilters said:

    every time you got on a commercial jet you would say "some people think this plane has the potential to be the next 9/11"
    Thanks morbs.  I'm never flying again.



  •  So, first off, I don't agree with danix's analogy. However, if you were using an alternate e-mail for official business it would be perceived that you were going around the normal methods to avoid detection. 

    Your analogy of his analogy is good though.



  • @DeLos said:

    So, first off, I don't agree with danix's analogy
    I don't think it is danix's analogy.  He just mentioned it.  These things bug me. It's "the analogy that danix's mentioned."  Consequently, my wife hates arguing with me.

    I also think it's a stupid analogy.  



  • @belgariontheking said:

    Consequently, my wife hates arguing with me.

    I also think it's a she is stupid analogy.  

    FTFY


  • @morbiuswilters said:

    As far as unofficial activities go, it's a pretty big stretch to say that this has the potential for being the next Watergate just because someone had a personal email account that had an extremely remote possibility of containing evidence of illegal activities. 
     

    I definitely agree that calling it a potential Watergate is very extreme and in poor taste...she's a governor, not a sitting president, and only a vice presidential candidate in the race.  If they found evidence of say, emails with DNC documents that were clearly stolen - then it would get "closer" but is still not on par with a scandal that brought down a sitting president.


    I will say though, the whole reason we have federal/state business mail servers is they meet the archiving requirements for FOIA requests and the like, not to mention security.  A breach in archiving or security falls upon specific departments that can be held accountable.  Whether she meant to hide anything or not, it's not her place to decide what is "stately enough" and what's "not really important enough" to be archived - that's for other people who are part of the checks and balances to figure out should an investigation arise.

    Whether it's legally an abuse or not, it definitely goes against the spirit of transparent government, which bothers me personally. 

    (side note, hope 3 days in the ground isn't pushing necro status)



  • @BeenThere said:

    @morbiuswilters said:

    As far as unofficial activities go, it's a pretty big stretch to say that this has the potential for being the next Watergate just because someone had a personal email account that had an extremely remote possibility of containing evidence of illegal activities. 
     

    I definitely agree that calling it a potential Watergate is very extreme and in poor taste...she's a governor, not a sitting president, and only a vice presidential candidate in the race.  If they found evidence of say, emails with DNC documents that were clearly stolen - then it would get "closer" but is still not on par with a scandal that brought down a sitting president.


    I will say though, the whole reason we have federal/state business mail servers is they meet the archiving requirements for FOIA requests and the like, not to mention security.  A breach in archiving or security falls upon specific departments that can be held accountable.  Whether she meant to hide anything or not, it's not her place to decide what is "stately enough" and what's "not really important enough" to be archived - that's for other people who are part of the checks and balances to figure out should an investigation arise.

    Whether it's legally an abuse or not, it definitely goes against the spirit of transparent government, which bothers me personally. 

    (side note, hope 3 days in the ground isn't pushing necro status)

    I agree almost 100% except for one tiny thing: no official business was uncovered.  So basically a woman's personal email account was hacked and that's really shitty.  To then accuse someone of engaging in conspiratorial (or even inappropriate) behavior just for having a personal email account is absolutely sickening.  Then again, it's how partisan politics is in the US.  Sad but true.  I also agree that if someone were found it would bother me, but I would still have serious misgivings about how it was found.  Having private citizens violate civil rights trying to uncover scandal in the pursuit of vigilante justice is no more acceptable than the [insert political party you hate here] using government law enforcement agencies to spy on people.  The fact is, civil rights exist for a reason and condoning this kind of behavior leads to a downward spiral of abuses.  So not only was it a filthy smear job that aimed to act like some scandal was uncovered when none was, it was also legally and morally reprehensible from the get-go.



  • @morbiuswilters said:

    I agree almost 100% except for one tiny thing: no official business was uncovered.  So basically a woman's personal email account was hacked and that's really shitty.  To then accuse someone of engaging in conspiratorial (or even inappropriate) behavior just for having a personal email account is absolutely sickening.  Then again, it's how partisan politics is in the US.  Sad but true.  I also agree that if someone were found it would bother me, but I would still have serious misgivings about how it was found.  Having private citizens violate civil rights trying to uncover scandal in the pursuit of vigilante justice is no more acceptable than the [insert political party you hate here] using government law enforcement agencies to spy on people.  The fact is, civil rights exist for a reason and condoning this kind of behavior leads to a downward spiral of abuses.  So not only was it a filthy smear job that aimed to act like some scandal was uncovered when none was, it was also legally and morally reprehensible from the get-go.
     

     

    Well, firstly, I thought it was solidly established she was using it for state business. 

    http://www.juneauempire.com/stories/091608/sta_333013278.shtml
    The above article is light on citing evidence imo, due to which I find the tone unwarranted for a complete article.

    http://blog.wired.com/27bstroke6/2008/09/group-posts-e-m.html

    Wired cites information pulled from the actual screenshots:

    An index of the e-mails in her inbox, which includes sender, subject line and date sent, indicates that Palin received numerous e-mails from her aides in the governor's office, some of which could be work-related.

    An e-mail from her press secretary, Meghan Stapleton, indicates the message is about the "Motor Fuel Tax Suspension".


    The subject line of an e-mail from Randall Ruaro, her deputy chief of
    staff reads, "Draft letter to Governor Schwarzenegger." Another one
    from Ruaro says, "Please approve" and another one is about "Court of
    Appeals Nominations."


    Other e-mails from Ruaro indicate they're about employee and budget
    issues for the DPS. DPS is how Alaska refers to its Department of
    Public Safety.


    Palin's chief of staff, Michael Nizich, sent her an e-mail August 22
    with the subject line, "Using Royalty Oil to Lower the Cost of Fuel for
    Alaskans." The subject line of another e-mail from Nizich reads
    "CONFIDENTIAL Ethics Matter."

    Granted, this is not evidence in the literal sense - a screen shot with an email subject reading "I Sarah Palin like to eat babies for breakfast" wouldn't be grounds for charging her with infanticide or cannibalism.  It does give the impression that state business was being done through her private email account, which does negatively affect my impression of her.  If someone hacked a priest's yahoo email account and posted his subject lines consistent with 'kiddie porn' it still wouldn't be legally actionable - but if you read about it in the paper, you may be less likely to send your kids to his summer camp.

    Also, I agree entirely that the act is not to be condoned, though I suspect he'll be subject to a sentence larger than I think should be warranted.  

    BTW, I found it especially amusing that after the guy stated he found no "smoking gun" of corruption (some state business, but nothing indicating a conspiracy) there were people calling him a "plant" to make Palin look clean.  As if an absence of evidence is evidence that evidence is being hidden - may as well argue with flat-earthers.



  • @belgariontheking said:

    I don't think it is danix's analogy.  He just mentioned it.  These things bug me. It's "the analogy that danix's mentioned."  Consequently, my wife hates arguing with me.

    I also think it's a stupid analogy.  

    Thanks. I didn't do the Watergate analogy, that was someone else. But just googling "palin +email +watergate" does give some hits... of course, so does "fake moon landing".

    However, the matter in case is if she did use this for official stuff. It isn't quite a personal email either; why would it be called "gov.palin"??? I doubt Schwarzenegger has some personal email named gov.arnie@yahoo.com, do you? Of course, nothing "bad" was actually found, and if there had been something, it would've been useless in court (illegally obtained, see?) but during election times, it's the PR that matters.

    Anyway, whoever did it was stupid enough to leave a nice trail that basically says "I DID IT". If I remember well, this (or these) dude(s) are in for a federal crime (opening mail that isn't addressed to you.) Not the best way to get famous... 



  • @danixdefcon5 said:

    However, the matter in case is if she did use this for official stuff. It isn't quite a personal email either; why would it be called "gov.palin"??? I doubt Schwarzenegger has some personal email named gov.arnie@yahoo.com, do you?

    If When People Magazine names me Sexiest Man Alive, you better goddamn well believe I will get the email address sexiestmanalive.morbs@...

     

    @danixdefcon5 said:

    If I remember well, this (or these) dude(s) are in for a federal crime (opening mail that isn't addressed to you.) Not the best way to get famous... 

    WTF?  This would be covered by wire fraud and computer hacking laws, not postage ones. 

