August 3rd, 2013
WARNING: Someone is Trying to Set Up Liberty Activists Using Child Porn

This a warning to all of our members, readers, supporters, and to the general liberty movement.

Please be extremely careful with email, and do not open any attachments from anyone who you don’t know, or from any suspicious email, such as tormail. And even if it seems to be from someone you know, take the time to read the email address carefully, to see if it is from a Tormail account, or other anonymous email service. It could be someone impersonating someone you know, to trick you into opening files with child-porn on them.

No one here at Oath Keepers uses tormail or any other anonymous email service, so if you see an email purporting to be from Oath Keepers, or from anyone in leadership at Oath Keepers, from such an email service, do not open it.

There have been a string of anonymous attacks on liberty activists, all attempting to trick people into opening email attachments containing child-porn. We know of at least four such attempts within the past few weeks.

The first was when someone emailed Luke Rudkowski, Founder of We Are Change and tried to trick him into opening attached jpeg files containing child porn. Luke was able to use the “view” function of his email to see that the images were child porn and he did not open them.

Then, someone using a tormail account tried to do the same thing to Dan Johnson, Founder of People Against the NDAA (PANDA). Whoever emailed Dan Johnson pretended to be me, Stewart Rhodes, but using a Tormail account. Fortunately, Dan knew that I don’t use Tormail, and therefore he did not open the attachments. Instead, he had a computer security expert examine the files, and that expert determined that they contained child porn. You can read more about that attack, and watch a video we made about it, here.

Well, a few days later it happened again, to two other liberty activists we know. They have chosen, for the time being, to not go public about it, in the hopes that the FBI will have a better chance of catching the perp. All of us have reported these incidents to the FBI, through attorney Sue Basko.

Sue has written a very well done description of what happened, what we did to report it, and some important advice on how you can keep from being victimized by whoever is doing this. Here is an excerpt of that tutorial. Please take her advice to heart, and be very careful online.

Stewart Rhodes

TUTORIAL BY ATTORNEY SUE BASKO:

Child Porn Emailed to Activists to Try to Frame Them
by Sue Basko

See also about Luke Rudkowski receiving similar email

I have been assisting a group of activist men to whom someone emailed child porn in an attempt to set them up for criminal charges. Whoever is doing this is extremely sinister.

I am writing this to warn others to beware. I’ll give specific info on what to do if it happens to you.

First, Luke Rudkowski, a media activist at We Are Change, was sent child porn via email while he was in Europe and crossing borders between nations. Luckily, he previewed the images and reported the situation to the FBI at the Embassy in the city he was visiting.

Then, Dan Johnson of PANDA (People Against the NDAA) received an email that looked like it was from Stewart Rhodes of Oath Keepers. Dan was suspicious of the email because he had heard about what happened to Luke Rudkowski. Also, the email was a tormail account, which is untraceable, and Dan did not know Stewart to use such an account. In addition, there were attachments.

Dan did not open the attachments, because he was suspicious of them. Instead, he gave access to his email account to a computer security expert. The expert opened the files in a live forensics environment, and saw they were child porn images. The method he used did not leave the files on his computer or drive. The metadata on the files was fixed to the names of Stewart and Oath Keepers, to make it look as if the pictures came from Stewart.

Two days later, the same scenario was repeated, with two men from different organizations. The same computer security expert examined those files, and found they were the same images as in the previous email, but the metadata on the images had been changed to match the name of the supposed sender and his organization.

Whoever did this attempted to set up both the men in whose names they were sending the emails, as well as the men who were to receive the images. This is evil to the max.

WHAT WE DID: I made a group report to the FBI on behalf of all the men, including the computer security expert. With all the information neatly arranged in one report, hopefully the FBI will be able to get some leads on who is behind these dastardly set-up attempts. The men are from all over the nation, so filing separate reports would have diluted the reports’ effectiveness for law enforcement purposes. A good deal of forensics examination has already been done by the computer security expert, and hopefully, he will be able to share his information with the FBI.

WHAT TO DO IF IT HAPPENS TO YOU: If you receive such an email, try to get the files checked out by a security expert before you open them. In any case, you MUST make a report to the police or FBI, because there is child porn involved. It is illegal to view, possess, or pass child porn. The criminal penalties are extreme and include forfeiture of assets, including homes, cash, and personal belongings. Therefore, even the computer security person has to file a report.

By law, you are required to make the report to a law enforcement agency promptly, and to either destroy the images or make the images available to law enforcement. I’d say wait and see if they want the images before you destroy them. Also, don’t delete the email until you file your report, because the routing information on the email may be helpful to police. Also, you need to alert the person whose name was put on the email as the sender. You need to let that person make a police report, too. They have been as victimized as you have, if not moreso.

If you receive such an email and open the files, you are likely to be shocked, or to feel shame, fear, or a desire to push this away and pretend it did not happen. You can’t do that because you need to report it so you don’t risk being caught up in child porn charges, even years down the line. If you need to go to therapy or seek other help to work out your shock over seeing the images and being set up, you should do that, but promptly make the police report. Keep in mind that someone is, in fact, targeting you specifically and trying to harm you terribly. Therefore, it may be wise to take extra safety precautions for yourself and your family.

WARNING SIGNS THAT AN EMAIL MAY CONTAIN CHILD PORN:
1) Use of tormail account or other untraceable email account.
2) Uses the name of someone you know, but from an email account you don’t recognize.
3) Has jpegs or pdf files attached.
4) Has an email message that DOES NOT HINT at the files containing child porn, but encourages you to open the files and spread them to all your friends/ compatriots.
5) The email may have veiled threats against you or your group.

WHAT TO DO:
1) Don’t open the files. Try to get help from a computer security expert.
2) If there is child porn, REPORT THE SITUATION TO THE POLICE OR FBI.
3) Share what happened to warn others.
4) Take care of yourself. Talk to a friend, get counseling if needed, take safety precautions for yourself and your family, etc.

Read the rest here. Be sure to go to Sue’s site, and thank her for her help.

http://subliminalridge.blogspot.com/2013/07/child-porn-emailed-to-activists-to-try.html

WHAT TO DO:
1) Don’t open the files. Try to get help from a computer security expert.
2) If there is child porn, REPORT THE SITUATION TO THE POLICE OR FBI.
3) Share what happened to warn others.
4) Take care of yourself. Talk to a friend, get counseling if needed, take safety precautions for yourself and your family, etc.

BREAKING: HALF OF TOR SITES COMPROMISED, INCLUDING TORMAIL

The founder of Freedom Hosting has been arrested in Ireland and is awaiting extradition to USA.

In a crackdown that FBI claims to be about hunting down pedophiles, half of the onion sites in the TOR network has been compromised, including the e-mail counterpart of TOR deep web, TORmail.

http://www.independent.ie/irish-new...childporn-dealer-on-planet-29469402.html

This is undoubtedly a big blow to the TOR community, Crypto Anarchists, and more generally, to Internet anonymity. All of this happening during DEFCON.

If you happen to use and account name and or password combinations that you have re used in the TOR deep web, change them NOW.

Eric Eoin Marques who was arrested runs a company called Host Ultra Limited.

http://www.solocheck.ie/Irish-Company/Host-Ultra-Limited-399806
http://www.hostultra.com/

He has an account at WebHosting Talk forums.

http://www.webhostingtalk.com/showthread.php?t=157698

A few days ago there were mass outages of Tor hidden services that predominantly effected Freedom Hosting websites.

http://postimg.org/image/ltj1j1j6v/

"Down for Maintenance
Sorry, This server is currently offline for maintenance. Please try again in a few hours."

If you saw this while browsing Tor you went to an onion hosted by Freedom Hosting. The javascript exploit was injected into your browser if you had javascript enabled.

What the exploit does:

The JavaScript zero-day exploit that creates a unique cookie and sends a request to a random server that basically fingerprints your browser in some way, which is probably then correlated somewhere else since the cookie doesn't get deleted. Presumably it reports the victim's IP back to the FBI.

An iframe is injected into FH-hosted sites:

TOR/FREEDOM HOST COMPORMISED
By: a guest on Aug 3rd, 2013
http://pastebin.com/pmGEj9bV

Which leads to this obfuscated code:

Javascript Mozilla Pastebin
Posted by Anonymous on Sun 4th Aug 02:52
http://pastebin.mozilla.org/2776374

FH STILL COMPROMISED
By: a guest on Aug 3rd, 2013
http://pastebin.com/K61QZpzb

FBI Hidden Service in connection with the JavaScript exploit:
7ydnpplko5lbgfx5

Who's affected Time scales:

Anyone who accessed an FH site in the past two days with JavaScript enabled. Eric Eoin Marques was arrested on Sunday so that's the earliest possible date.

"In this paper we expose flaws both in the design and implementation of Tor’s hidden services that allow an attacker to measure the popularity of arbitrary hidden services, take down hidden services and deanonymize hidden services
Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization"

http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf

The FBI Ran a Child Porn Site for Two Whole Weeks
http://gizmodo.com/why-the-fbi-ran-a-child-porn-site-for-two-whole-weeks-510247728

http://postimg.org/image/o4qaep8pz/

On any other day one would say these sick perverts got what they deserved. Unfortunately the Feds are stepping far beyond just pedophiles in this latest issue.

The js inserted at Freedom Hosting? Nothing really, just an iframe inject script with a UUID embedded server-side.

The iframe then delivers an exploit kit that appears to be a JavaScript 0day leading to...something. It only attempts to exploit Firefox (17 and up) on Windows NT. There's definitely some heap spraying and some possible shell code. The suspect shell code block contains some strings that look to formulate an HTTP request, but I haven't been able to collect the final payload yet. The shell code also contains the UUID with which the exploit was delivered. Any UUID will work to get this part of the exploit.

I'm still pulling this little bundle of malware apart. So far, I've got that the attack is split across three separate files, each loaded into an iframe. Calls are made between the frames to further obfuscate the control flow. The 'content_2.html' and 'content_3.html' files are only served up if the request "looks like" Firefox and has a correct Referer header. The 'content_2.html' is loaded from the main exploit iframe and in turn loads 'content_3.html'.

Short version. Preliminary analysis: This little thing probably CAN reach out without going through Tor. It appears to be exploiting the JavaScript runtime in Firefox to download something.

UPDATE: The exploit only affects Firefox 17 and involves several JS heap-sprays. Note that the current Extended Support Release is Firefox 17, so this may also affect some large organizations using Firefox ESR.

http://pastebin.mozilla.org/2777139

The script will only attempt the exploit on Firefox 17, so I'm no longer worried about it being some new 0day. Enough of the "Critical" MFSAs are for various sorts of memory corruption that I don't have the time to find out if this is actually a new exploit or something seen before.

http://postimg.org/image/mb66vvjsh/

Logical outcomes from this?

1. FBI/NSA just shut down the #1 biggest hosting site and #1 most wanted person on Tor

2. Silkroad is next on their list, being the #2 most wanted (#1 was Child Porn, #2 is drugs)

3. Bitcoin and all crypto currenecies set to absolutely CRASH as a result since the feds can not completely control this currency as they please.

I don't always call the Feds agenda transparent, but when i do, I say they can be trying harder.