Hackers Beware: You are in the Crosshairs of the ‘Hunter’

You might be naive enough to think that, if a hacker does something bad to you, you can, in turn, do something bad to them. If a hacker holds your computer for ransom, for example, you might think you have the right to do the same to them or at least go after them and cause them some discomfort. If you believe this, however, you are not only mistaken, you are far more likely than the hacker to find yourself in prison. In the real world, you can carry a gun. In the cyber world, you cannot.

You may think this is ridiculous, but there is some basis for this stance. It’s called attribution. It’s very difficult for a victim to tell who the attacker actually is. Criminals may mask their origin in a number of ways. So, if you strike back, you might hit one of the devices they laundered their address through rather than their own. It’s as if you defended yourself against a punch from an attacker by hitting his mother. If you make a mistake and disable the wrong computer or network, you could be accused of hacking. How would anyone know what your true motives were?

Nonetheless, many believe that victims of cyber crimes should have more weapons at their disposal. Representative Tom Graves of Georgia is one of them. He has proposed the Active Cyber Defense Certainty Act to address this imbalance. He wants to give the victim the opportunity to “gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim’s own network.” Admittedly, this is a little vague. The proposed act adds the following clarification. Such defense “does not include conduct that destroys the information stored on a computers [sic] of another; causes physical injury to another person; or creates a threat to the public health or safety.”

So, apparently, you could hack into a computer of someone you feel is an attacker, look around for evidence that they attacked you, and give that information to law enforcement authorities. It seems the act will also allow you to “disrupt” further attacks against you or your enterprise, but this is open to a wide range of interpretations, especially since you cannot destroy any information on the criminal’s computer.

In a DDoS attack, one enterprise may be attacked by thousands, if not millions, of computers. So who do you hack back against? True, there is always some organizer behind a botnet attack, but, if cybersecurity experts can’t figure out who that is, how can the average guy running an IT department? In other words, though the proposed act does try to give victims more power, it ends up getting caught in the net of reality. In short, there is little that the average firm can do without either getting itself into trouble or causing harm to innocent individuals. To add to the confusion, former FBI Director James Comey dissuaded companies from hacking back because they may trip over FBI employees who are trying to infiltrate the same computers. In other words, you may start by trying to unmask an attacker and end up being investigated by the FBI.

Currently, individuals and enterprises have few options for turning the tables on hackers. What they do have are honeypots, honeynets, and sinkholes. These are points on a network that offer seemingly attractive data to hackers but which, in fact, hold only false data. Hackers looking for specific information may be lured in by the data and end up either getting nothing or giving up identifying information. Honeynets are entire decoy networks that can be difficult for a hacker to get out of once they are inside. Sinkholes redirect attackers to another domain. Such architecture may frustrate hackers but does not really cause them harm. It is also hard to maintain and can be detected by good hackers. In short, these are expensive, passive, malware information collectors. They work only after an attack has already occurred.

Recently, a new attack-detecting program has been getting some attention. It is more active and, to some extent, even proactive. That is, it can sometimes detect an attack even before it begins. This new defense strategy goes under the banner of Malware Hunter and is produced by the developers of the Shodan search engine. I have no connection to the firm. I simply see this as an interesting twist that may be tweaked into a new level of cyber defense. Call it a reverse search engine, if you like. Malware Hunter pretends to be an infected computer/device/network calling back home to its commander. Just as every mother can identify the cry of her own baby, malware command and control (C2) centers detect the specific cry of a device infected by their malware. By responding to such a cry, the commanders give away the servers upon which they lie in wait. They give away their locations, which is the last thing they want to do.

[Image: Malware Hunter]

But Malware Hunter does not shoot. It only hunts. Once it finds the C2, it hands the information over to others who may take more direct action. To date, it has found thousands of C2 locations. Those subscribing to the service can get this information and, if they are in charge of a company network, use it to block attacks before they ever occur. New remote access trojans (RATs) have been found before they began their nefarious careers because they were tricked into responding to fake calls created by Malware Hunter. The same C2s used by other RATs unwittingly responded to these calls, thus giving themselves away. It is not a happy development for criminals.

Below is an example of a server that delivers the RAT DarkComet. It is a comprehensive description of this device, including a map showing its general location. The owner of the device probably has no idea it is being used as a server and may be an innocent victim. The device exists to serve up the RAT and then receive information that it can send on to the C2.

[Image: DarkComet server location]

If you were a network administrator, you could block communications with this server.
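As an added example (not part of the original post and not Malware Hunter’s own code), here is how a network administrator could turn a feed of C2 addresses into detections over egress logs and into block rules. The feed format, the log format, the addresses and the second malware family name are all constructed for the demonstration; the only name borrowed from the post is DarkComet.

```python
import re
from collections import namedtuple

# Constructed C2 feed in the shape a service like Malware Hunter might publish:
# ip,port,family. Port 0 means "any port". Addresses come from the RFC 5737
# documentation ranges and the second family name is made up.
C2_FEED = """\
# ip,port,family
203.0.113.10,1604,DarkComet
198.51.100.7,0,ExampleRAT
"""

# Constructed egress log lines in a key=value style, as a firewall or proxy
# might emit them. Internal hosts are in 10.0.0.0/8; 192.0.2.50 is benign.
FIREWALL_LOG = """\
2017-06-30T10:15:02Z src=10.0.0.12 dst=203.0.113.10 dport=1604 proto=tcp action=allow
2017-06-30T10:15:09Z src=10.0.0.12 dst=192.0.2.50 dport=443 proto=tcp action=allow
2017-06-30T10:16:41Z src=10.0.0.31 dst=198.51.100.7 dport=8080 proto=tcp action=allow
2017-06-30T10:17:00Z src=10.0.0.31 dst=203.0.113.10 dport=80 proto=tcp action=allow
this line is not a log record
"""

C2Entry = namedtuple("C2Entry", "ip port family")
Hit = namedtuple("Hit", "timestamp src dst dport feed_port family")

_KV = re.compile(r"(\w+)=(\S+)")


def parse_feed(text):
    """Parse ip,port,family lines into C2Entry records; '#' lines are comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, port, family = (field.strip() for field in line.split(","))
        entries.append(C2Entry(ip, int(port), family))
    return entries


def parse_log_line(line):
    """Turn 'timestamp k=v k=v ...' into a dict, or None if the line lacks dst/dport."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None
    fields = dict(_KV.findall(parts[1]))
    if not all(key in fields for key in ("dst", "dport")):
        return None
    fields["timestamp"] = parts[0]
    fields["dport"] = int(fields["dport"])
    return fields


def find_c2_hits(feed_text, log_text):
    """Return one Hit per logged connection that matches a feed entry.

    A feed port of 0 matches any destination port. A specific feed port must
    match exactly: the host serving the RAT may be an innocent victim that is
    abused on one port only, so its unrelated traffic is not flagged.
    """
    by_ip = {}
    for entry in parse_feed(feed_text):
        by_ip.setdefault(entry.ip, []).append(entry)
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        for entry in by_ip.get(rec["dst"], []):
            if entry.port in (0, rec["dport"]):
                hits.append(Hit(rec["timestamp"], rec.get("src"), rec["dst"],
                                rec["dport"], entry.port, entry.family))
    return hits


def egress_block_rules(hits):
    """Deduplicated iptables OUTPUT rules: port-specific where the feed gave a
    port, whole-host where the feed said any port."""
    rules, seen = [], set()
    for hit in hits:
        key = (hit.dst, hit.feed_port)
        if key in seen:
            continue
        seen.add(key)
        port_clause = f" -p tcp --dport {hit.feed_port}" if hit.feed_port else ""
        rules.append(f"iptables -A OUTPUT -d {hit.dst}{port_clause} "
                     f"-m comment --comment 'C2:{hit.family}' -j DROP")
    return rules


if __name__ == "__main__":
    found = find_c2_hits(C2_FEED, FIREWALL_LOG)
    for hit in found:
        print(f"{hit.timestamp} {hit.src} -> {hit.dst}:{hit.dport} ({hit.family})")
    print("\n".join(egress_block_rules(found)))
```

The fourth log line (port 80 to the DarkComet host) is deliberately not flagged, since the feed tied that host to port 1604 only.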

Malware Hunter searches for open ports and accessible IoT devices. During such a search, Malware Hunter will find devices using default passwords. After receiving the results of one of these searches, I found a router still using a default password. I was offered the chance to sign into it and did so.

[Image: router login page with default password]

This led me to a page where I could have reconfigured the router and changed the login information. However, this would have made life tough for a naive user in Thailand.

[Image: router access]

Actually, it seems that I could arrange for remote access if I wanted to.

[Image: remote access]

So, couldn’t hackers use aspects of Malware Hunter to further their attack strategies? After all, if attackers subscribed to Malware Hunter, they could find out if their servers have been uncovered, right?

Such uses are possible, but, these negative points aside, programs like Malware Hunter may become more mainstream if the U.S. government allows firms and individuals to be more proactive in their responses to hacking. For the moment, hackers have the upper hand. The chances of getting caught are low and the chances of paying a price for their crimes are even lower. Malware Hunter might not catch the perpetrator outright, but it may disturb their peace of mind. It is a step in the right direction which could easily be upgraded with, perhaps, a little help from U.S. government intelligence software. Such integration could allow victims to hack back with more precision and more devastation. In short, anything that endangers hacker anonymity is a step in the right direction.


Trolls: A Product of the Internet, Society, or a Psychological Disorder?

Let’s get straight to the point. Real trolls have serious psychological problems. That’s not just my opinion. It’s the opinion of experts who have researched the subject. People with psychological disorders have been around long before the internet was ever conceived of. The internet simply gives such people a way to satisfy the compulsions associated with their disorders in a way that is much safer than it would have been in the past. In the past, they would have had to face those they insulted, and that comes with some risks.

I mention ‘real trolls’ to differentiate them from people who simply exhibit temporary anger while on internet sites. According to a YouGov poll, 28% of Americans admitted to “trolling-like” behavior. This behavior included “malicious arguing with a stranger”. True, the anonymity of the internet may allow a person to express their anger more than they would in person, but this is different from troll behavior. Trolls do what they do to achieve a very different outcome. A person who argues with a stranger may really be angry at that person and somehow want to prove a point. A troll really doesn’t care if he or she proves a point or not.

So what is the actual percentage of Americans who are real trolls? The YouGov poll found that 12% of those taking the poll admitted to saying something so controversial that they were banned by moderators. This percentage seems closer to the true troll population. If we combine this finding with medical statistics on psychological disorders, we may begin to get some focus on an actual percentage of online trolls. One study found that “15% of the population — have at least one serious personality disorder”. But not all personality disorders are created equal. In other words, what personality disorders are most associated with trolls?

In an in-depth study of troll behavior published in 2014, it was found that troll behavior correlated positively with four psychological disorders: sadism, narcissism, psychopathology, and Machiavellianism. The study found that about 6% of internet users openly admitted that trolling gave them the most satisfaction. The authors of the study believed that the 6% figure probably under-represented the true number of trolls. However, the following graph shows which psychological problems were associated with that group.

[Image: graph of psychological traits associated with trolling]

The researchers found a particularly high correlation between trolling and sadism, in its many varieties. They state that this correlation is “so strong that it might be said that online trolls are prototypical everyday sadists.” They went on to observe that “we found clear evidence that sadists tend to troll because they enjoy it … Both trolls and sadists feel sadistic glee at the distress of others. Sadists just want to have fun . . . and the Internet is their playground!”

So what percentage of Americans fit this particular demographic? According to one study, sadistic personality traits and disorders (SPD) are prevalent in 8.1% of the population. Combine this with narcissists and other people with antisocial psychological disorders and you get a figure between 10 and 15%. This is the percentage of online Americans who take pleasure in causing others misery or who find that the internet gives them a way to feed their psychological disorders.

Not all of these sick individuals take pleasure in hurting people. Narcissists and psychopaths, for example, don’t take pleasure in hurting others because they simply cannot sympathize with them. However, narcissists may enjoy the attention they are getting on the internet. Narcissists will become angry if they encounter others who disagree with their opinions because their opinion represents the inflated image they have of themselves. These are the people who will argue ceaselessly with others on forum and social media sites.

Psychopaths cannot relate to the feelings of others any more than narcissists do, but they don’t care whether they are liked or not. They don’t need the attention that motivates narcissists. They are predatory. They seek certain goals at all costs. The frustration of not getting what they want will cause them to overstep any social norm in order to get it.

Different psychological disorders will drive those with them towards different internet sites. Narcissists prefer sites like Facebook. One study found that the “narcissists’ use of Facebook for attention-seeking and validation explained their greater likelihood of updating about their accomplishments and their diet and exercise routine.”

Psychopaths are groomers and charmers. Though they understand, logically, how emotions can be used to control people, they feel no emotions themselves. Psychologists refer to online psychopaths as ‘ipredopaths’. According to them, “iPredopathy is an advanced stage characterological disorder describing any adolescent to adult male or female who skillfully uses Information and Communications Technology [ICT] to troll, identify, control and manipulate their human targets.” They “experience no remorse or shame for the harm they cause others.” They target those who are “unsuspecting, vulnerable, (and) submissive”. These targets often include “internet-safety-ignorant children, older adults, unprepared businesses, and psychologically distressed adults.” Depending on their individual perversions, psychopaths can be found looking for victims on dating sites, gaming chat rooms, or forums. They are charming and, although they feel no emotions themselves, learn how to fake the emotions that can influence the actions and gain the trust of normal people. However, most of us don’t consider these people trolls, in the regular use of the word. Trolls are those nasty individuals who are seeking to hurt or inflame the emotions of others. They are certainly not the charmers that psychopaths are.

So, what does a troll look like? First of all, they are predominantly male. One writer categorizes the average troll as “young, male and troubled”. That said, some of the most infamous trolls have been female. Lori Drew, posing as a young male called Josh, pushed Megan Meier to commit suicide. The bad news is that nothing could have pleased this troll more. That’s just how it is. Other trolls have been convicted of attacking the parents of children who have tragically died, taking great delight in causing them even more misery. One researcher concluded that “It’s hard to get demographics on who trolls are, but you note that their targets are usually women, people of color and LGBT people, and sometimes Christians and Republicans.” Oddly, the people that the trolls attack may hold views that are similar to the troll’s own. It’s not the views that matter. It’s the pain that their comments can cause that gives their lives meaning.

Although trolls will attack any vulnerable individual, they “seem to find women – particularly feminists – more fun to harass.” The internet has added a new dimension to these attacks. Sadistic trolls will form groups and then concentrate on one woman for a sustained attack. The reason for this is that a massive troll attack is more difficult to moderate, meaning that the malevolent messages are more likely to get posted and stay on the site longer.

The internet also gives trolls anonymity and security. Most realize they will never get caught and, even if they are, they will never have to pay any serious penalties. The fact that they don’t confront their victims in person means it is easier to disassociate themselves from the victims. The victims don’t seem to be real people. Then, there’s desensitization. The average internet user is simply beginning to get used to trolls. Trolls have begun to think of their behavior as normal. That’s where the true problems begin.

The open dehumanizing of victims on the internet can result in a back propagation into society at large. The level of tolerance of hate speech on the internet can give some the impression that it is now allowable in non-cyber contexts. There are those who may get the impression that they can say whatever they want to whomever they want and expect no opposition. In fact, any opposition may startle or even outrage them.

In a climate where trolling behavior is grudgingly tolerated, more people may begin to participate in it. Troll behavior could extend beyond the usual base of people with psychological disorders to include those with borderline psychological disorders, or even people considered more or less normal. This increase in troll-like behavior among the general public could augment the number of trolls on the internet in a sort of ever-growing, self-reinforcing upward spiral. In other words, I would expect trolling to become, at least in a sense, more mainstream. More people will think it is an acceptable and entertaining endeavor.

For anyone who becomes a victim of a troll attack, the advice is to never respond to them. If you are trolled on a social media site, report the person to the site’s administrators. Good luck with this on Facebook. You will get a standard digital form to fill out with limited questions. I’ve reported fake Facebook sites of dating predators and have had no success in closing them down. Don’t even read the comments that trolls may post. Delete them instantly.

And for any trolls reading this, get yourself professional help…really.


Washington Post Report on Putin Election Hacking Leaves Major Questions Unanswered

The Washington Post’s recent article on Kremlin involvement in the 2016 election primarily questions President Obama’s reactions to it. The article points out the seriousness of the attack while contrasting it with what they consider to be Obama’s anemic response. In retaliation for what the Post claims to be the political “crime of the century”, Obama took actions that the Post criticizes as “modest”, “largely symbolic”, and without “proportionate consequences”. The weak Obama response caused one former senior Obama administration official to admit that, “I feel like we sort of choked.”

Here is what we know about this extremely top secret report. Former CIA Director John Brennan must have received this intelligence well before August 2016 because he released the report on it to President Obama early that month. The report claims the CIA “captured Putin’s specific instructions” on discrediting and defeating Hillary Clinton while assisting Donald Trump. Remember, however, that the Russians had been in the DNC network for over a year at this point and that 20,000 documents were released to Wikileaks on July 22, 2016. The hacking had already been attributed to the Russians by the cybersecurity firm CrowdStrike in April. In other words, these new revelations raise a number of questions that are not answered in the article. First of all, when exactly did the CIA get the information on Putin ordering a Clinton-discrediting cyber attack? Was it prior to the infiltration of the DNC and, if so, why did they take so long to give the president this information? Moreover, if they got this information earlier, why didn’t they take steps to stop the attack from occurring in the first place?

FBI Director James Comey alerted the DNC to possible Russian infiltration as early as September 2015. Did he know something that the CIA did not? Don’t these agencies talk to each other? When Brennan decided to release his information on the Putin-directed cyberattack, he didn’t include the FBI. He didn’t initially even tell President Obama. He contacted chief of staff Denis McDonough, deputy national security adviser Avril Haines, and national security adviser Susan Rice.

John Brennan

Why did he feel it necessary to tell them first? Was he testing the waters to see what Obama’s response might be? Was he wondering whether to give the president this information at all? These are questions that need to be answered. Interestingly, the official declassified report states that it is a “version of a highly classified assessment that has been provided to the President and to recipients approved by the President.” Well, which is it? Clearly, the president couldn’t have approved of the information being given to those mentioned above if they received it before he did.

Although the CIA and FBI now claim they have high confidence in Putin/Russian meddling in the election, they did not, apparently, have such confidence in July 2016. At the Aspen Security Forum on July 28th, 2016, Director of National Intelligence James Clapper had this exchange with CNN’s Chief National Security Correspondent, Jim Sciutto.

James Clapper

SCIUTTO: …the official in the White House described — said to me there is little doubt it’s Russia. I just wonder does the intelligence community share that certainty?

CLAPPER: Well, I will just say that I don’t think we are quite ready yet to make a call on attribution. I mean, we all know there’re just a few usual suspects out there, but in terms of the process that we try to stick to, I don’t think we are ready to make a public call on that yet.

SCIUTTO: And is that because you haven’t made a decision to publicly name and shame or because there’s still some uncertainty?

CLAPPER: Little both, little both.

SCIUTTO: Good. Do you think that we in the media, but also some officials who have been speaking to us in the media have gotten ahead of the certainty on this?

CLAPPER: Yes, I guess, yes.


It was not until October 7th that the intelligence community agreed to a statement naming Russia as being behind the election hacks. The statement was signed by Jeh Johnson and Clapper, but Comey removed his signature, saying it was too close to the election and he did not want to make it look as if the bureau was trying to influence the outcome, even though he did intervene two weeks later. That same day, Susan Rice summoned Russian Ambassador Sergey Kislyak to the White House and handed him a message to deliver to Putin.

Although initial drafts of the statement mentioned Putin as being behind the attack, the final version changed this to “Russia’s senior-most officials”. As luck would have it, the carefully written statement went largely unnoticed, as it coincided with the Trump-incriminating Access Hollywood tape and the first release, by Wikileaks, of the John Podesta emails. Perhaps, if Putin was directly mentioned in the statement, more attention would have been paid to it. But with the election looming and a Clinton victory seemingly in the cards, everyone probably thought that it would be better to wait until the election was over before releasing details which could influence the results.

There are other hazy areas in the Washington Post article. In the article, The Post writes that they are “withholding some details of the intelligence at the request of the U.S. government.” This must include information on how Putin was hacked. Putin is said to be very cautious about being a hacking target. So how did U.S. intelligence get this information?

The answer to this might be found in leaks released by a Ukrainian hacking group known as CyberHunta, which, possibly with the help of U.S. intelligence, hacked the communications of Vladislav Surkov, a close aide to Putin. It could be that U.S. intelligence was able to intercept some communications which indicated that Putin was interested in promoting a hack on the DNC. The Post article even remarks that “some of the most critical technical intelligence on Russia came from another country.” However, there is no evidence in the Surkov leaks that directly points to Putin ordering a hack on the DNC. Does the U.S. intelligence community possess the necessary cyber tools to hack the Kremlin? Probably, yes, but it would be easier to do so with a little inside help. Barring more specific information, it cannot be concluded that Putin himself was hacked. At this time, any evidence of Putin’s direct involvement in the hack seems to be either circumstantial or arrived at by intercepting third party correspondence and is, therefore, not conclusive.

The shock of the Trump victory plunged the White House and the intelligence community into morbid introspection. “What if we had…?” A growing narrative emerged which blamed the Clinton loss on Russian meddling coupled with the weak government response to it. This sentiment eventually evolved into a desire for revenge against the protagonists. In a December 2016 meeting organized by Rice and attended by Clapper, Brennan, Kerry, and Deputy FBI Director Andrew McCabe, the attendees were told to retaliate against Russia to the “max of their comfort zones.” This caused Obama to send 35 suspected Kremlin operatives packing on December 29th. But this was also the time of the Trump transition with the normal confusion that accompanies all such transitions. This Russian can of worms was dumped in the lap of Trump’s designated national security adviser, Michael Flynn, who, in an apparent attempt to calm the Russian ambassador, only managed to get himself fired.

Susan Rice

In the scramble to retaliate against Russia before he left office, Obama issued Executive Order 12333, which expanded government surveillance and made unmasking easier. Clapper signed the order on December 15, 2016 and Attorney General Loretta Lynch signed it two weeks before leaving office on January 6, 2017. Obama also approved the use of destructive malware or “implants” on sensitive parts of Russia’s infrastructure; infrastructure components that were “important to the adversary and that would cause them pain and discomfort if they were disrupted.” This remotely triggered malware could be related to the Nitro Zeus malware which, in turn, is related to Stuxnet.

The only surprise about this revelation is that it is considered a revelation. Infrastructure-destroying malware was likely already in the Russian infrastructure as theirs is already in place in the infrastructure of the U.S. Possibly, Obama only agreed on its upgrade.

The Post article does not address what is the main question about the investigation: Why didn’t the F.B.I. have its own forensic team examine the DNC servers? I understand that the government has worked with CrowdStrike for years but in such a serious case, wouldn’t it be good to get a second opinion, especially since CrowdStrike has subsequently lowered its confidence level on Russian involvement from ‘highly confident’ to ‘moderately confident’? Comey admitted that the F.B.I. made “multiple requests at different levels” to get access to these servers, but the requests were rebuffed. Why? Was there something that the DNC didn’t want the F.B.I. to know? Something’s just not right here and I’m not the only one who thinks so. Until we get more answers, it only looks like the government and intelligence agencies are trying to cover up their poor behavior by using the Washington Post as a shill.


Fireball Malware Strikes a Quarter Billion Computers

Unlike most malware, for which attribution is hard to determine, everyone knows where the Fireball malware comes from. Not only is it known to originate in China, but it is also known to be designed by the Chinese digital advertising firm Rafotech. In fact, this may have been an advertising angle that got out of control. Digital advertising is a competitive business, so many advertisers use browser plug-ins to increase their advertising effectiveness. That’s kind of what Rafotech did; at least initially.

The company’s website has disappeared, but its LinkedIn page describes the company, in a somewhat garbled manner, as follows.

“Being years of publisher ourselves, Rafotech has deep understanding of what it means to monetize more. Started as a business unit of Rafo Technology Inc, one of the premium publisher powering over 6 billion monthly impressions, our solution to monetize both display and search traffic has been proved profitable and sustainable. It is a solution made by publisher and for publishers.”

My guess is that they are saying they can help you make more money by advertising more effectively. Well, they kind of kept their promise.

Initially, Rafotech installed plug-ins in browsers that could be used to control what ads appeared on pages that the user navigated to. Then they got a little too creative. They took advantage of the fact that all of us use a default search engine, and for many of us, that search engine is google.com or yahoo.com.


From the Check Point Report

By redirecting victims from their normal default search page to a Rafotech-approved search page, Fireball designers can position themselves to implant tracking pixels into browsers to gather user information. They can use the same technique to replace your normal home page with one of these search engines, like the one shown below.


Example of a Fireball-approved Search Engine

The reason they use this technique is to find out what a user is interested in and then target them with ads based on this interest. This advertising approach is not, in itself, dangerous. Its main use is to generate money for the company and its affiliates. However, the fact that the company controls your browser means Rafotech, or others, can use it to install malware onto your computer. They could, for example, send users to a malicious site that is designed to download remote access malware and take full control of your device. Although Rafotech has not done this, as far as we know, they have opened a backdoor that others could, perhaps, take advantage of.


From the Check Point Report

Actually, the line between this advertising strategy and a malware attack is very fuzzy. Adware distribution is not, in itself, considered a crime or the CEOs of all major social media firms would be in prison.

Check Point, the cybersecurity firm that discovered this malware, calls Fireball “possibly the largest infection operation in history.” The main question, then, is: How did Fireball manage to infect 250 million computers? In a word, the answer is bundling. Bundling is the inclusion of other, usually unwanted, programs in a download that the user has chosen. Normally, when installing the wanted download, the user is given the option of a customized installation. If they do not choose this option, the malware or adware is automatically installed. In other words, the company did nothing wrong because you, the user, have accepted the extra programs in the bundle. And good luck trying to uninstall these programs. This is something left to experts only. Still, there is no law that says you have to make your programs easy to uninstall. To illustrate this difficulty, here is the advice given for uninstalling the Trotux search engine shown above.

“How to remove Trotux.com redirect (Removal Guide)

This malware removal guide may appear overwhelming due to the amount of the steps and numerous programs that are being used. We have only written it this way to provide clear, detailed, and easy to understand instructions that anyone can use to remove malware for free. Please perform all the steps in the correct order. If you have any questions or doubt at any point, STOP and ask for our assistance.”

At other times, you may not be given the choice of what adware or browser plug-ins are installed with your chosen download. You won’t even know they are there until your browser begins to act in unpredictable ways, suddenly leading you to sites you never chose to visit or opening your browser to a new home page. Again, it will be difficult to remove these browser controllers because, even when they are deleted from your browser, they will reinstall themselves once the browser is opened again. Sometimes, the only option left may be resetting your browser to its default settings.
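An added example, not from the article or from Check Point, of auditing a browser profile for the kind of home page and default-search hijack described above. It assumes the layout of Chrome’s per-profile Preferences JSON file (the keys homepage, session.startup_urls and default_search_provider_data.template_url_data.url); the sample profiles are constructed, and trotux.com is the only hijack domain taken from the article.

```python
import json
from collections import namedtuple
from urllib.parse import urlparse

# Domains the article associates with Fireball's redirect; extend from your own intel.
KNOWN_HIJACK_DOMAINS = {"trotux.com"}
# Search providers the article names as common defaults; anything else is reported.
TRUSTED_SEARCH_DOMAINS = {"google.com", "yahoo.com"}

# Constructed Chrome "Preferences" file for a hijacked profile (assumed key layout).
HIJACKED_PREFS = json.dumps({
    "homepage": "http://www.trotux.com/?z=CONSTRUCTED_TRACKING_ID",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 4, "startup_urls": ["http://www.trotux.com/"]},
    "default_search_provider_data": {"template_url_data": {
        "short_name": "Trotux",
        "url": "http://www.trotux.com/?q={searchTerms}",
    }},
})

# Constructed clean profile for comparison.
CLEAN_PREFS = json.dumps({
    "homepage": "https://www.google.com/",
    "default_search_provider_data": {"template_url_data": {
        "short_name": "Google",
        "url": "https://www.google.com/search?q={searchTerms}",
    }},
})

Finding = namedtuple("Finding", "setting url domain reason")


def base_domain(url):
    """Last two labels of the URL host (a simplification that ignores
    multi-label public suffixes such as co.uk)."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def audit_chrome_prefs(prefs_json):
    """Return a Finding for every home page, startup URL or default search
    URL that points at a known hijack domain, plus a Finding when the search
    provider is not on the trusted list."""
    prefs = json.loads(prefs_json)
    findings = []

    def check(setting, url, require_trusted=False):
        domain = base_domain(url)
        if domain in KNOWN_HIJACK_DOMAINS:
            findings.append(Finding(setting, url, domain, "known hijack domain"))
        elif require_trusted and domain not in TRUSTED_SEARCH_DOMAINS:
            findings.append(Finding(setting, url, domain, "untrusted search provider"))

    if prefs.get("homepage"):
        check("homepage", prefs["homepage"])
    for url in prefs.get("session", {}).get("startup_urls", []):
        check("startup_urls", url)
    search_url = (prefs.get("default_search_provider_data", {})
                  .get("template_url_data", {}).get("url"))
    if search_url:
        check("default_search", search_url, require_trusted=True)
    return findings


if __name__ == "__main__":
    for name, prefs in (("hijacked", HIJACKED_PREFS), ("clean", CLEAN_PREFS)):
        print(name, audit_chrome_prefs(prefs))
```

Because the hijacker reinstalls itself when the browser reopens, run the audit after a reset and again after the next browser start to confirm the settings stayed clean.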

Check Point also suspects that Fireball spreads by less than legitimate means, such as through spam or by using fake names on the freeware to make it appear as something that it isn’t. It would be difficult to get such a huge number of infections installed if bundling were the only distribution method. That’s because the infection power of this malware can only be called astounding. In Indonesia, for example, 60% of corporate networks are infected. Check Point claims that 20% of the world’s corporate networks are infected with Fireball. The U.S. is just beginning to be targeted with ‘only’ 10.7% of U.S. corporate networks infiltrated.

The tools for a major security breach are, thus, in place. As Check Point notes, “Rafotech holds the power to initiate a global catastrophe.” I guess that about sums it up. What else could you say if 20% of the world’s corporate networks could be breached and sensitive information stolen? What if these computers were used in a DDoS attack? It is no exaggeration to say that most of the world’s internet services would be knocked offline. Keep in mind that the Mirai Botnet DDoS attack took down major internet sites around the world with only 100,000 infected endpoints. Fireball is hundreds of millions of times bigger. Just think about that for a while.

Are you or your enterprise network infected? Go to the Check Point post to read the removal instructions. Good luck.



Movie Review: Risk: The Julian Assange Documentary

Risk Poster

The reviews for this documentary are all over the place. Reviewers who are firm advocates of WikiLeaks tend to over-exaggerate the film’s virtues, while those who find the organization’s actions reprehensible tend to hate it. For this reason, I tried to watch the film as an objective reviewer.

Some have called the film a sleeper and there are parts of the film that live up to that branding. These episodes occur mainly at the beginning of the film when scenes shift quickly and conversations are somewhat baffling and vapid. Some conversations seem to emerge without enough context to give them comprehensibility. It also seems to lack a coherent theme.

Assange emerges as an emotionally remote character who hides his true personality behind his dedication to WikiLeaks. He even states that what he does is more important than who he is. The only scene in which we get a glimpse into his repressed character is when he is interviewed by Lady Gaga, dressed in her Wicked-Witch-of-the West costume. Ms. Gaga, like most celebrities, tries to hide her insecurity behind false bravado and seemingly unfiltered, clumsy questions which tell us more about her than Assange. In a clear case of projection, she asks about his relationship to his parents, wherein Assange claimed his father was “abstract”.

We do get some glimpses into the life Assange lives within the Ecuadorean Embassy. We learn about his relationships with his team. We see what he does to pass the time and plan strategies, and we learn a few ways that the organization keeps itself protected from government intrusion. A pervading and probably justified paranoia surrounds everything they do. This look into daily life at WikiLeaks may hold some interest for some viewers.

The latter half of the film is more interesting, especially when the topic turns to the DNC hacking. I only wish this were expanded more, as it is more timely. It is at this point in the film that Assange gives more information on his view of the world. He talks about the Earth as being so interconnected that any action must be evaluated in a global context. It is an interesting and important viewpoint that should be considered. It is not simply “think globally, act locally”. It is closer to the idea that even a small local action may have global implications.

The film leaves many questions unanswered and, as a whole, doesn’t flow very well. It could have been better made. There is nothing compelling in it, meaning that a viewer may be tempted to stop watching the film entirely at certain points. There is no hook that makes us want to see how it ends. There are no compelling relationships and some issues seem unresolved that could easily have been. Still, a few scenes are definitely worth seeing. For those interested in the world of cyber security, political intrigue, and government surveillance, this documentary may be of interest. For the general public, however, except for a few scenes, it may simply be too dull. I’ll give it a 6 out of 10.


See all my reviews at http://imdb.com/user/ur25920573/comments


How Xerox, Google, and The Intercept Exposed an Anonymous NSA Document Leaker

The ironically named Reality Winner was not one. Reality bites. It bites any anonymous leaker from any government agency who may be naïve enough to believe that their anonymity will be guaranteed. Likely motivated by her desire to expose Russian connections to “a soulless, ginger orangutan” (a.k.a. Donald Trump), Reality Winner sought out and leaked a document that she probably thought would achieve this end. Sadly for her, she only exposed her connections to the leaked document.

Winner began working for NSA contractor Pluribus International Corporation shortly after Trump was inaugurated. Winner is a vegetarian weightlifter and an environmental activist who supported Bernie Sanders.


When Trump approved construction of the Keystone/Dakota Pipelines, Winner wrote on Twitter, “Repeat after me: In the United States of America, in the year 2017, access to clean, fresh, water is not a right, but a privilege based off one’s socio-economic status. If that didn’t feel good to say aloud, contact your senators today and tell them those exact words as to why the Keystone XL and Dakota Access pipelines cannot be built on American soil. Let’s fix the pipes meant to bring water, sans lead or pollutants, to our citizens before we build pipes meant to benefit big oil and poison the land.”

No doubt Trump’s June 1st withdrawal from the Paris Climate Accord further fueled Reality’s pro-environmental flames. Coincidentally, it was on that same day that the FBI was notified by the NSA that someone had leaked a top secret document to the online news outlet, The Intercept. The Intercept had informed the NSA that it was in possession of a top secret document that they were going to release. They gave the NSA a copy of this report in order for them to verify its authenticity. The Intercept seems to have naively believed that they were not compromising the anonymity of the leaker by doing this. That was a mistake.

Many new printers print nearly invisible yellow dots on any document they print. The dots and the pattern they create can be used to identify the type of printer, the model number, the serial number of the actual printer used, and the precise time the document was printed. Any scanned document, like the one Winner sent to The Intercept and The Intercept sent the NSA, would contain these dots.

Here is a series of pictures which show these dots on the leaked NSA document and the pattern they created. To show what these dots are like and how they can be used, I created the images below. The first image shows the upper left-hand corner of the original document, which is already magnified to some degree; yet, no obvious yellow dots (or pixels) are evident, at least to my eye. (The encircled area shows where the dots exist and indicates the area which will be subsequently magnified.)

the yellow dots


I then magnified the above image to 600% and, perhaps, some sharp-eyed readers can begin to see a few faint yellow areas.

dots 600x

However, to really see these dots, I had to increase color saturation. So, at 600% magnification, with color saturation, here is what the dots looked like on the NSA document.

dots saturation

The complete pattern with the decoded information it includes is shown in the following image. (For more information on hidden document codes visit the EFF website.)

leaked document pattern

I have since confirmed that the pattern persists even when the document is copied into another program, such as Word, or onto other websites.
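The two steps described above, making the faint dots visible by pushing their colour apart from the white paper and then reading the grid back into a timestamp and serial number, can be shown in code. The following is an added example written for this post, not the author's own tooling and not the EFF's: it builds a constructed, tiny "scan" of a 15-column by 8-row dot grid, picks out the yellow pixels with a chroma threshold (a crude stand-in for the saturation boost used on the images above), checks the grid's parity bits, and decodes the fields. The grid layout (parity row on top, parity column on the left, one 7-bit value per column, which column holds minute, hour, day, month, year and serial) follows the EFF's DocuColor decoding guide as I remember it and is an assumption to be checked against the EFF page before it is relied on for a real printout; the 06:20, 9 May 2017 timestamp comes from the affidavit quoted in this post, while the serial number is a made-up placeholder.

```python
"""Added example: reveal faint yellow tracking dots in a constructed scan and
decode the 15x8 dot grid (DocuColor-style layout, assumed from the EFF guide)."""

COLS, ROWS = 15, 8              # 15 columns x 8 rows of dot positions
CELL = 4                        # constructed scan: each grid cell is CELL x CELL pixels
WHITE = (255, 255, 255)         # paper
FAINT_YELLOW = (255, 255, 225)  # a dot: blue only slightly reduced, invisible to the eye

# ASSUMED field layout (0-based columns), per the EFF DocuColor guide as recalled.
FIELD_COLUMNS = {"minute": 1, "hour": 4, "day": 5, "month": 6, "year": 7}
SERIAL_COLUMNS = (10, 11, 12, 13)   # serial number, two decimal digits per column


def serial_pairs(serial):
    """Split an 8-digit serial into four two-digit values, most significant first."""
    text = f"{serial:08d}"
    return [int(text[i:i + 2]) for i in range(0, 8, 2)]


def set_column(grid, col, value):
    """Write a 7-bit value into rows 1..7 of a column; row 1 is the 64s bit (assumed)."""
    if not 0 <= value < 128:
        raise ValueError(f"column value out of range: {value}")
    for row in range(1, ROWS):
        grid[row][col] = bool(value & (1 << (ROWS - 1 - row)))


def read_column(grid, col):
    """Read rows 1..7 of a column back as a 7-bit integer."""
    return sum(int(grid[row][col]) << (ROWS - 1 - row) for row in range(1, ROWS))


def add_parity(grid):
    """Row 0 gives every data column an odd dot count; column 0 then gives
    every row an odd dot count (corner cell convention is this example's own)."""
    for col in range(1, COLS):
        grid[0][col] = sum(grid[r][col] for r in range(1, ROWS)) % 2 == 0
    for row in range(ROWS):
        grid[row][0] = sum(grid[row][c] for c in range(1, COLS)) % 2 == 0


def parity_errors(grid):
    """List rows/columns whose dot count is even; an empty list means the grid is intact."""
    errors = [f"row {row}" for row in range(ROWS) if sum(grid[row]) % 2 == 0]
    errors += [f"col {col}" for col in range(1, COLS)
               if sum(grid[r][col] for r in range(ROWS)) % 2 == 0]
    return errors


def encode_grid(minute, hour, day, month, year, serial):
    """Build the boolean grid (True = dot) a printer of this layout would emit."""
    grid = [[False] * COLS for _ in range(ROWS)]
    values = {"minute": minute, "hour": hour, "day": day, "month": month, "year": year}
    for name, col in FIELD_COLUMNS.items():
        set_column(grid, col, values[name])
    for col, pair in zip(SERIAL_COLUMNS, serial_pairs(serial)):
        set_column(grid, col, pair)
    add_parity(grid)
    return grid


def decode_grid(grid):
    """Verify parity, then return the timestamp fields and serial number."""
    errors = parity_errors(grid)
    if errors:
        raise ValueError("parity check failed at " + ", ".join(errors))
    out = {name: read_column(grid, col) for name, col in FIELD_COLUMNS.items()}
    out["serial"] = int("".join(f"{read_column(grid, c):02d}" for c in SERIAL_COLUMNS))
    return out


def render_scan(grid):
    """Constructed scan: white pixels with one faint-yellow pixel per dot cell."""
    img = [[WHITE] * (COLS * CELL) for _ in range(ROWS * CELL)]
    for row in range(ROWS):
        for col in range(COLS):
            if grid[row][col]:
                img[row * CELL + CELL // 2][col * CELL + CELL // 2] = FAINT_YELLOW
    return img


def yellow_pixels(img, min_chroma=16):
    """The 'saturation boost' in one test: a pixel counts as yellow when both
    red and green exceed blue by at least min_chroma. Returns a set of (x, y)."""
    return {(x, y) for y, line in enumerate(img)
            for x, (r, g, b) in enumerate(line) if min(r, g) - b >= min_chroma}


def pixels_to_grid(pixels):
    """Map detected pixel positions back onto the 15x8 cell grid."""
    grid = [[False] * COLS for _ in range(ROWS)]
    for x, y in pixels:
        grid[y // CELL][x // CELL] = True
    return grid


def decode_scan(img):
    """Full pipeline: faint dots -> grid -> parity check -> decoded fields."""
    return decode_grid(pixels_to_grid(yellow_pixels(img)))


if __name__ == "__main__":
    # 06:20 on 9 May 2017 (from the affidavit); serial 12345678 is a placeholder.
    sample = encode_grid(20, 6, 9, 5, 17, 12345678)
    print(decode_scan(render_scan(sample)))
```

The parity bits are what make the grid robust to a sloppy scan: a single missing or spurious dot is flagged as a row/column pair rather than silently decoded as a wrong minute or serial digit, which is also why the pattern survives copying into other programs, as noted above.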

So The Intercept, in effect, told the FBI that one of the 4,000 employees at Pluribus International Corporation, Georgia, printed this document on a specific printer with the above serial number at 6:20am on May 9th. At 6:20am? That, in itself, should limit the number of people who could have done this. In the end, it was found that only six people had printed out this report. This pretty much outed poor Reality.

This top secret report was first published four days earlier on May 5th, so Reality was, in my opinion, either tipped off on its existence or was diligently conducting ongoing searches for incriminating documents. In short, she had an agenda. In any event, according to the affidavit, the six people who printed this document had their company computers investigated. Among them, only one, Winner, had had email contact with The Intercept.

Interestingly, Winner did not use the company email for this contact but her Gmail account. She probably thought that this would be safer. This was a mistake. The company likely monitors all emails going through its systems. It was simply a matter of searching their database for any communication with The Intercept. Yes, the communication was innocent (she wanted a transcript of a podcast), but it showed she was at least aware of the news outlet’s existence.

However, this alone would not be enough to arrest her. It is possible the company had a keylogger installed on all of its computers, so they may have had a record of her Gmail password which they could use to access her account. This would allow them to see if she had any further correspondence with The Intercept from computers outside the company. However, if they did this, the company would be in danger of committing a criminal act.

Thus, it is likely that the FBI will have to ask Google for access to Winner’s Gmail account. Will Google give this information to them? If you have to ask this question, see my last post on Google tracking and privacy. Google will almost always give access to user accounts when government agencies request it. Although Google claims that it carefully reviews all such requests before allowing government agencies to access an account, in truth, they will only rarely refuse to do so. If it is found that Winner had further correspondence with The Intercept via her Gmail account, this would be the conclusive evidence that the government would need to convict her. It will be interesting to see how this aspect of the case develops.

The Intercept further implicated Winner when one of its reporters contacted an inside informant at the NSA who later contacted the FBI. So much for trusted sources. The affidavit states the belief that Winner may have communicated with The Intercept in other ways and that evidence of such communication, or of the documents themselves, may be found on her home computer or other devices.

When contacted on June 3rd, “Winner admitted intentionally identifying and printing the classified intelligence reporting at issue despite not having a ‘need to know,’ and with knowledge that the intelligence reporting was classified. Winner further admitted removing the classified intelligence reporting from her office space, retaining it, and mailing it from Augusta, Georgia, to the News Outlet, which she knew was not authorized to receive or possess the documents. Winner further acknowledged that she was aware of the contents of the intelligence reporting and that she knew the contents of the reporting could be used to the injury of the United States and to the advantage of a foreign nation.”

It is no surprise that Winner confessed when she was confronted with the above evidence. However, she has subsequently pleaded not guilty, which is somewhat baffling. More baffling is the fact that the government did not interfere with The Intercept publishing this top secret document two days later on June 5th. Interestingly, the announcement of Winner’s arrest followed within hours of the document’s publication. This made it appear, perhaps intentionally, that The Intercept was not a viable outlet to send a leak to. WikiLeaks’ Julian Assange lambasted the unprofessional conduct of the outlet and offered a $10,000 reward for information “leading to the public exposure & termination” of the reporter. Assange had no choice but to take this action because those publishers who do not protect their sources cast a shadow on all leak platforms.

The bottom line here is that Winner will be made an example of to deter potential leakers from misusing their access to secret information in the hope of affecting the political landscape. Making leaking platforms look unstable will also make those with access to sensitive information think twice before giving this information to leak publishing organizations. In short, leakers should only do so with the full expectation that they will likely be caught. If they truly believe that their actions have a moral value that supersedes any penalty they may have to pay, then nothing the government does to Reality will stop them.
