Breaking news: Spy agencies are spying!

Please say it ain’t so! Spy agencies are spying?

I’m actually going to go out on a limb here and present my (again – MY) opinion, which might pass as complicated by people with very deterministic views (or are being spoon-fed said views through the media of their choice).

First – I think that the Der Spiegel article that covers the “latest” NSA spying capabilities (http://www.spiegel.de/netzwelt/netzpolitik/quantumtheory-wie-die-nsa-weltweit-rechner-hackt-a-941149.html) is very important, and I applaud Jake and the crew that covered this. If you haven’t yet, go read it and go over the slides. Also make sure to read through the “product catalog” here: http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/

So you are back? Great! That being said, I do think that spy agencies should continue spying. BLAM! And yes, it makes total sense to me. Because I do think that spy agencies should keep spying in order to keep their corresponding nations safe. It’s all about the tradecraft and trying to keep a step ahead of your potential enemies.

Yes, that WILL entail walking (and falling over) a very fine line between legal implications and privacy. It means that as always – agencies will spy on foreign nationals AND citizens. Because yes – terrorists and adversaries do not have boundaries that are defined by the color of your passport. And as opposed to Jake’s claim in his CCC talk, “carpet bombing” is a totally legitimate way to collect and analyze data. I’m not saying that it’s nice, or legal, or ethical, but it’s effective. It’s up to the agency using this technique to justify and qualify what they do. And yes – keep it quiet – just because of this delicate nature of collection.

Now, back to the data. Yes – agencies (and I’m not picking on the NSA here, these kinds of capabilities exist with lots of other agencies), have these kinds of capabilities to wiretap, modify, exploit and persist on a lot of kinds of accounts and systems. It’s what they are tasked with doing. That’s not even news. But I think that the fact that this comes up again is critical because of something completely different: OPSEC. Operational Security.

The NSA has fallen (again) to the oldest sin of spying – getting cocky. You can see the same behavior from anyone who’s picking up a new capability – be it a script kiddie picking up Metasploit for the first time, someone getting to be decent at martial arts, or any other skill. They get cocky. And think they are unbeatable. And that’s when mistakes start to show up. Basic OPSEC. And I believe that this is an important lesson to learn. Again. Because OPSEC is not a compliance thing that you check off once and forget about it. It’s a basic practice that (should be) taught to everyone that participates in tradecraft. And practiced. And apparently the NSA isn’t that great at it (surprise!). Hence their powerpoint slides are all over the Internet now.

So that’s my little 2c on the topic. Yes – I support spy agencies’ continued practice, and yes – I support anonymity and privacy, and yes – I support the law and the need to keep improving it. I support the creation of free and open source software designed to enhance your anonymity and privacy. I have actually met Jacob a couple of times (and found it funny that he’s freaking out every time we do meet), and actually think he’s a great guy. Same for Moxie. Complicated? I mentioned it at the beginning. So there you have it. Deal with it.

Now go watch Jake’s talk from CCC. You have to. Because I said so. And for crying out loud – get your OPSEC together.

Hiding behind the keyboard

This post is basically a placeholder to make sure that the materials concerning an ongoing investigation are published for everyone to see. The other reason is that it seems like people think they can get away with anything when hiding behind a keyboard.

WARNING – this post contains direct transcripts from online chats, some of which have been translated to the best of my knowledge from Hebrew to English in an attempt to preserve the original meaning. It contains foul language, profanities, and visual and direct threats of violence. It’s NSFW.

The story starts when a small number of members in the DC9723 group on Facebook started trolling (posting annoying messages, discrediting others, and then posting misogynistic comments that were borderline racist). As an open group that I am proud to be one of the founders of for over 2 years, the line taken is usually conservative in terms of moderation. This time we had to step in and remove some of the comments, and eventually some of the members (with an open invitation for them to come back once they realize the code of conduct in a group that is supposed to represent most how people should behave online).

For some reason these actions led to some nasty conversations starting with a person who’s not just hiding behind a thin profile, but a full-on fake one – “John Smith” (I kid you not).

After John Smith was removed from the group, he requested to join again, a request which has been denied. After requesting to join for the second time, I started a chat with him to verify that he understands the meaning of getting back on.

Apparently, during that time, another member in the group approved his membership and he was already in.

On June 21, 2013 5:22:18 AM PDT, Iftach Ian Amit wrote:

hey, I understand that you are ready to join the dc9723 group again…

On June 21, 2013 8:54:53 AM PDT, John Smith wrote:



On June 21, 2013 9:02:18 AM PDT, Iftach Ian Amit wrote:

You sent a request to join. If that’s not the case I’ll remove it.

On June 21, 2013 9:03:50 AM PDT, John Smith wrote:

you said “agin”?


you might not explain your self well

try again, i might understand

On June 21, 2013 9:05:42 AM PDT, Iftach Ian Amit wrote:

Forget it. I’ll make sure you are still out.

Talk to you when you are ready.

On June 21, 2013 9:06:30 AM PDT, John Smith wrote:

what are you talking? i never been to that group. are you mentaly disturbed?

On June 21, 2013 9:07:49 AM PDT, Iftach Ian Amit wrote:

There you go. Fixed it for you.

Have a great weekend!

On June 21, 2013 9:08:21 AM PDT, John Smith wrote:

fuck you ass hole i never been to that group you moron

now go fuck your tiny ass somewhere else

That seemed to take care of that.

Momentarily. As another member started arguing and trolling again in the discussion that spoke about ethics and code of conduct. That member was Daniel Feldman.

Unlike the conversation above, I’ll have to comment inline, as most of the chat was in Hebrew (see the original transcript from Facebook, which also has the translation at the end), and contained references to local lingo and other elements. The public discussion quickly deteriorated to Daniel attacking me personally, and thus a private chat has been initiated.

A couple of notes – I thought about trying to translate “Ars” but found it hard. It’s something between a lowlife, a pimp, sprinkle in a bit of redneck, guido?, and pimp. Not really the type you want to mingle with (but which unfortunately plagues large parts of Israel – especially outside of Tel-Aviv).

Also – the spelling mistakes in the translation are way funnier in Hebrew. I just tried to pass on the meaning of this. At this point things are getting more personal from his end, again, probably prompted by the fact that Daniel feels fairly anonymous (his Facebook profile is fairly well privatized, and there aren’t any pictures of him, or his whereabouts on it).


(This image is basically the conversation between us, at the “Ars” part, pointing to his public Google+ picture, and back to where he’s shooting racist homophobic profanities. Then him responding to my claim that he should calm down with the epic “I’m calm you son of a bitch!” – with the obvious “You mad bro” meme).

At some point, Daniel probably freaks out as he thought he’s completely protected behind the keyboard. Now there’s a picture of him, and he probably also knows that I know that he lives in Nazareth Illit.

Eventually, I had to take it to the police. Getting specific threats (promises), which included my family isn’t a joking matter. There isn’t really a point in dealing with these kinds of trolls, but there’s a message that I personally believe needs to get by – you can’t be a complete dick on the internet, and expect to get away with it. You can be a troll (and I completely get the fine art of trolling where trolling is due), you can be a bit of a dick, but when it gets to very specific “promises” like this, you have crossed the line. Now time to deal with it.

So it goes – to Daniel Feldman ([email protected]), Drupal developer out of Nazareth Illit, Israel. Have a great life, and a successful career. Just make sure you don’t try to attack this site directly from your home IP address ( on June 22nd 23:49 Israel time, and on June 24th, 16:06 Israel time). Definitely try not to fall for tricks like WebLabyrinth when scanning with w3af as it’s most likely to crash 🙂

 Police complaint filing. Case number 274719/2013

I’ll keep posting updates here if they become relevant, hopefully with some good news (and not how I found my premature departure because of an idiot who had a public Google+ profile with his picture and home address there).

BTW – if it wasn’t clear enough – I didn’t even try too hard to out the guys 😐 Here’s how it looked on Google’s image search yesterday (after he deleted his Google+ profile):

[Screenshot: Screen Shot 2013-06-24 at 7.47.35 PM]

And here’s his full resolution picture taken from Google+ on Saturday when he freaked out:

Daniel Feldman m.f.g.witchcraft@gmail.com


“Daniel Feldman” (sometimes goes by “Danny Feldman”). Image file aptly named “My picture corrected small.jpg”

Lovely, I know 🙂

Update 1: Wow, faster than I figured, some more NSFW stuff for you. Apparently someone can’t even stand behind their “promises”, and keep on hiding behind the temporary safety of a keyboard. And have set up a fake Facebook page, wait for it, just for me!

How lovely. My first Facebook hate page. Here are the screenshots as I’m not sure for how long it’s going to stay there:

[Screenshots: 2013-06-25 at 2.58.41 PM, 2.54.47 PM, 3.06.37 PM and 9.52.01 PM; 2013-06-26 at 5.58.26 AM]



Update 2: Apparently our friend has also been messing around with some of those “make money fast online” scams. From the scammer perspective that is 😉 : http://www.realmoney.co.il/archive/index.php/t-56868.html

Update 3: Finally Facebook have decided to remove the slandering homophobic hate page (after at least half a dozen people reported that their report was not accepted). Small wins I guess?

Update 4: I believe we can put this behind us. Someone owned up to their identity, and I’m pretty sure that the concept of owning up to your actions online when they affect another individual. Post has been shortened and the full transcript is available for download.

On the (dis)merits of privacy

Following up on my last post, after filing a complaint with the abuse department of privacyprotect.org (and blogging about the problem), I have just received an update noting that:


On investigating on your complaint, we have determined that the domain name “SPYWARESAFE.NET” is in violation of the terms of usage of the Privacy Protect service. We have therefore,

  1. disabled the Privacy Protect service for the domain name, such that it now displays the putative contact details of the domain name holder, and
  2. notified the sponsoring Registrar about the complaint, who shall act upon the complaint in accordance with their policies.

For any further updates on this matter, you can contact ESTDOMAINS, INC., the sponsoring Registrar for “SPYWARESAFE.NET”.

We are extremely particular about preventing misuse of our services in any manner. Should you encounter any other such instances, please feel free to notify us immediately.


It’s interesting to note how a little exposure, combined with an email pointing out that the privacy protection is in direct violation of the service terms, gets some gears in motion. Don’t expect though to get complete verifiable details on the domain owner… The known issue with whois data is not limited to hideouts such as privacyprotect.org, but to the entire scheme of how domain registration works, and the accountability (or lack of) of the registrars to make sure that the details of domain owners are at least somewhat relevant. As you can see from the below data, trying to find a “Pavel” that lives in Russia, is like trying to find a “Mohammad” in Saudi-Arabia, or a “Mr. Smith” back in the states…


Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com


Pavel        ([email protected])
kremlin st. 1
Moskovskaya oblast,123456
Tel. +495.1231212

Creation Date: 05-Dec-2007
Expiration Date: 05-Dec-2008


At least the onion is starting to peel off and maybe hopefully law-enforcement can get better details on the owner, or work with the registrar to track him/her down.

Off to Amsterdam now – see you in BlackHat EU (Friday the 28th, track 2, 10am)!

Taking down a malicious site – the good, the bad, and the ugly…

As part of the “closure” on the February Malicious Page of the Month, which involved meoryprof.info (taken down), and spywaresafe.net we have contacted the appropriate parties in order to notify them that these websites contain malicious code.

Meoryprof.info was the first to buckle (probably under the press exposure), but spywaresafe.net have managed to stay afloat for quite a while. The problem with such domains these days, is that they are usually designed to hide the true owner in the best possible way.

Spywaresafe.net has been running in full-steam for only a short period of time, but has managed to rack up quite a track record of user visits and infections (see the below screenshot from its NeoSploit admin page)


(note that this screenshot is rather old and contains data on the first half of February only… nevertheless, almost 300k visits were logged to the main user and 150k more on the second user)

Looking into the whois record for spywaresafe.net would yield a disappointment – it is hidden using a service provided by privacyprotect.org. This service allows domain owners to hide behind an entity that would provide them “privacy”. The practice itself may seem questionable, but privacyprotect.org has a nice website with easy to access forms for requesting the disclosure of a domain owner in case there is some kind of “abuse” done by it.

Well… that didn’t really work. Sending a couple of these forms in the past month got us absolutely nowhere. No response, not even a decline for our request. These guys must be doing too good a job protecting something (definitely not internet users, but something…).

On the bright side, when we contacted the hosting company that was associated with the IP address for spywaresafe.net (, the response was surprisingly quick, and the security guys there took the offending site down (p.s. – always use email, trying to call in brought an unbridgeable language barrier):


The actions accepted by us:

Server IP: it is disconnected and formatted.


Although the company policy there is not to disclose details about the client who paid for this service (can’t blame us for trying 😉 ).

Moral of the story – undecided (hence – good, bad, ugly?). Seems like the law enforcement efforts do work, on targeted incidents (no follow up on the second domain). Trying to be the good samaritan does not always play well, and you get to hurdles such as these privacy protection schemes (which in my opinion have no place on the internet), and to surprises such as the guys in hosting.ua (Ukraine’s national hosting) who diligently stepped up to the plate. One has to admit that there really is no place for discrimination on the net…

In hope that we won’t have to do any more of this and have law enforcement and CERTs kick in for those cases, I’ll sign off for this time 🙂