Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Blocked from Shareaza web site
28 views
Skip to first unread message
A Canuck
Feb 10, 2015, 12:59:14 PM2/10/15
to
I seem to have been barred from accessing Shareaza's web site and I'd
like to know why.
Symptoms of the block:
- Connecting from any IP belonging to my ISP: "Connection reset by peer".
So, my ISP is being denied at their firewall.
- All web proxies are blocked with 403 Forbidden responses. Ixquick, for
example.
- TOR exit notes get fobbed off with 503 "Guru Meditation" messages, for
some reason.
So they've gone to quite some trouble to ensure that nobody can reach
their web site anonymously, which didn't used to be the case. Last week
the site was definitely reachable through a variety of proxies and VPNs,
as well as through TOR.
And they've blocked Bell Canada at their firewall, which also wasn't the
case. Bell IPs were permitted through their firewall yesterday.
Does anyone know what the fuck is going on? Even if some other Bell
customer did something nasty (DoS attack?) at their web site, suddenly
blackholing not only an entire ISP but also pretty much every form of
anonymity tool on the web seems a bit excessive. Especially for a file-
sharing/free speech tool, which now cannot be safely found and downloaded
by citizens of repressive countries like China because of their sudden
new anti-proxy, anti-TOR policy.
like to know why.
Symptoms of the block:
- Connecting from any IP belonging to my ISP: "Connection reset by peer".
So, my ISP is being denied at their firewall.
- All web proxies are blocked with 403 Forbidden responses. Ixquick, for
example.
- TOR exit notes get fobbed off with 503 "Guru Meditation" messages, for
some reason.
So they've gone to quite some trouble to ensure that nobody can reach
their web site anonymously, which didn't used to be the case. Last week
the site was definitely reachable through a variety of proxies and VPNs,
as well as through TOR.
And they've blocked Bell Canada at their firewall, which also wasn't the
case. Bell IPs were permitted through their firewall yesterday.
Does anyone know what the fuck is going on? Even if some other Bell
customer did something nasty (DoS attack?) at their web site, suddenly
blackholing not only an entire ISP but also pretty much every form of
anonymity tool on the web seems a bit excessive. Especially for a file-
sharing/free speech tool, which now cannot be safely found and downloaded
by citizens of repressive countries like China because of their sudden
new anti-proxy, anti-TOR policy.
A Canuck
Feb 10, 2015, 1:52:32 PM2/10/15
to
On Tue, 10 Feb 2015 17:59:10 +0000, A Canuck wrote:
> - Connecting from any IP belonging to my ISP: "Connection reset by
> peer". So, my ISP is being denied at their firewall.
>
> - All web proxies are blocked with 403 Forbidden responses. Ixquick, for
> example.
>
> - TOR exit notes get fobbed off with 503 "Guru Meditation" messages, for
> some reason.
This is really fucking weird. Not only Shareaza's own site, but their
> - Connecting from any IP belonging to my ISP: "Connection reset by
> peer". So, my ISP is being denied at their firewall.
>
> - All web proxies are blocked with 403 Forbidden responses. Ixquick, for
> example.
>
> - TOR exit notes get fobbed off with 503 "Guru Meditation" messages, for
> some reason.
Sourceforge project page is unusable to me.
When I try to go to their Sourceforge project page, I get what I can only
describe as a "plastic facade". It *looks* like Shareaza's project page.
I can even drill down into the "Files" as far as a list of downloadable
binaries for the software. But if I select one (say,
Shareaza_2.7.8.0_Win32.exe) to download, instead of a download prompt I
get a blank HTML page with a <title> element that just says "Testing".
Every link (e.g. to code, tickets, wiki, support, etc.) inside the
project and every other Sourceforge navigation link (e.g. about, site
status, create a project, blog, help, jobs, log in, join, site
documentation) produces one of two responses. Some consistently produce
"Untrusted Connection" alerts, and others produce the same blank page
titled "Testing".
So, someone is apparently redirecting requests from my machine for *any*
Sourceforge page to a phony mockup of Sourceforge's website, which has a
few superficial parts of the site duplicated but quickly turns out to be
just an empty shell. And whoever it is is serving the https-protocol
pages with some certificate that is not Sourceforge's.
Scary! But what is this man-in-the-middle actually trying to accomplish?
Blocking my access to the Shareaza forum and substituting their fake
Sourceforge clone for any attempt by me to access the real Sourceforge
seems like it would make sense if the idea was to get me to download a
doctored version of Shareaza, or just plain malware, thinking it was the
real Shareaza, but then the download link doesn't work? It's like the
attacker went to all the trouble of executing 99% of the plan but left
out the actual payload or something.
Meanwhile, at the very least they've made the real Sourceforge utterly
inaccessible to millions of Canadians, in a manner impossible to
circumvent as once again the adversary is somehow able to block all TOR
and proxy use (anyone trying to access Sourceforge with a privacy tool
gets redirected to the same phony Sourceforge facade that I encountered
trying to connect from Bell IPs).
I don't know much about the dark-side hacking scene myself, so I'm hoping
someone here knows how to interpret one clue that I have to the identity
of the miscreants responsible. That clue is the certificate used for the
SSL parts of the fake Sourceforge facade. Firefox (and also TorBrowser,
which is based on Firefox) says the fake site's certificate belongs to:
"The certificate is only valid for the following names:
cloudfront.net , *.cloudfront.net"
Unfortunately, though I'm no expert I think that might just be one of the
really big hosting providers, placing the attacker in a haystack not very
much smaller than the whole Internet. :/
In the meantime, my right to receive and impart information, as
guaranteed under the Charter of Rights and Freedoms and the UN
Declaration of Human Rights, has been grossly violated by what I can only
assume is a nation-state adversary given how thorough the campaign of
blocking and redirecting links is. The Shareaza forum site could have
simply blocked me. But who could replace the entirety of SourceForge, or
even some subset of sourceforge.net/* URIs, with the facade I
encountered? Sourceforge themselves could, but they've no logical reason
to do so, and their replacing their own website with a cheap plastic fake
would not only make zero business sense for them but would also not
result in the certificate mismatches I saw, which clearly indicate that
someone OTHER THAN Sourceforge authored parts of the facade and didn't
have access to the real Sourceforge's signing keys. Which means, they
aren't the real Sourceforge, who certainly *do* have their own keys,
unless the real Sourceforge decided to try to *impersonate someone else
trying to impersonate Sourceforge* for some crazy convoluted reason, in
which case my head hurts, because only characters in Harry Potter and the
Methods of Rationality are supposed to go that meta, not real-world
adversaries, and besides Sourceforge isn't supposed to be an adversary.
So, given that Sourceforge didn't: who has the ability to intercept ALL
traffic headed for Sourceforge, and then selectively and transparently
redirect it (in a two-way manner, no mere spoofing of TCP packet headers
would suffice for this) to their own machine if it meets certain criteria
(e.g., comes from Bell Canada, comes from a TOR exit node, or comes from
a known proxy or VPN exit)?
Well, unless you've been living under a rock since June 2013 the name at
the top of your list just about has to be:
NSA
So riddle me this: why is the NSA suddenly trying to misdirect users of
one of Canada's biggest ISPs when they try to browse sites offering file-
sharing software?
Here's maybe-relevant background information.
One, Canada is one of the "Five Eyes" intelligence-sharing countries
working with the NSA on compromising Internet infrastructure and
backdooring sites and hardware.
Two, Canada's current evil Conservative government is trying to ram
through draconian anti-privacy laws that respectable publications
including the Globe and Mail have said amount to the creation of a police
state.
Three, CSIS, Canada's answer to the NSA, was just caught with its hands
in the proverbial cookie jar by a Snowden document revealing it to be
snooping on ... get this ... non-p2p file sharing. They've been
monitoring all traffic to sites like Mega and Rapidshare.
And now four, Canadian users of privacy and peer-to-peer tools are
apparently being misdirected by someone with NSA-like capabilities when
they visit discussion and download sites for such tools.
Perhaps the "Shareaza_2.7.8.0_Win32.exe" link at the plastic fake NSA
"Sourceforge" will go live in the next little while, and would even seem
to be a normally-functioning copy of Shareaza, but would contain some
sneaky back-door functions that tattle on the file sharing to the Five
Eyes. It certainly looks like someone in the evil Harper administration
has decided that peer to peer file sharing represents a problematic
loophole on their desire to spy on file sharing by monitoring traffic to
Mega and Rapidshare, and so they've decided to inhibit or backdoor
Canadian use of p2p software.
In violation of Canadians' Charter rights.
As a Canadian citizen possessed of those rights, I hereby demand that
"my" government (which seems increasingly unrepresentative these past few
years, hence the scare quotes) immediately cease and desist, and order
all American or other foreign allies to cease and desist, from any and
all interventions between Canadian Internet users (and *all* Internet
users using privacy tools that might therefore be Canadian) and all
Internet sites. This is Canada, not China. Erecting a "Great Firewall"
between us and sites like Sourceforge is strictly prohibited by the
Canadian Supreme Court and Constitution. Continuing to maintain the phony
facade I encountered, continuing to prevent network access to the genuine
Sourceforge, and continuing to prevent network access to Shareaza's forum
website will be considered an unlawful and hostile act and you will be
prosecuted to the maximum extent possible under the law. Given your
wilful violations of the Charter and clear intent to circumvent
Constitutionally-guaranteed rights of citizens, that extent might very
well include your having to answer to charges of treason, for which your
penalty might not be mere fines, or losing the 2015 election, but life
imprisonment without the possibility of parole. Prime Minister Harper,
that means you. Let me, and the rest of my countrymen and -women, access
(the real!!!) Sourceforge, or go to jail.
To all Canadians I urge that not a one of you vote Conservative in this
year's election. This here demonstrates the extreme lengths that Harper's
Conservatives will go to to undermine Canadians' rights to privacy and to
access to information. We have here prima facie evidence of a defacto
Great Firewall of Canada, for Christ's sake. If that isn't the smoking
gun to prove that Harper belongs, not only out of the Parliament
Buildings but in a barred cell, then I don't know WHAT the fuck is.
Vote NDP if they stand a good chance of outdoing the Liberal Party in
your riding. Vote independent or Green if they are likely to outperform
the Liberal party in your riding. Otherwise vote Liberal. Do not, under
any circumstances, vote Conservative.
And to all Internet users, this is the threat the Internet faces these
days. A proliferation of Great Firewalls and balkanization, in the name
of "fighting terrorism" as well as such crass commercial BS as
copyrights. This is a dark day indeed, when one of the historically
relatively-free nations has suddenly found its access to one of the major
Internet sites curtailed by shadowy actors bearing false SSL certificates
and capable of intercepting and redirecting traffic to that site from a
variety of specific sources: Canadian ISPs, TOR, and open Web proxies.
Make no mistake: this is a war, being fought by the powerful against the
ordinary citizenry and against the very concept of privacy. And you can
either go about your ordinary business until one day you're praising Big
Brother to your telescreens every day, or you can fight to keep the free
and open Internet that existed during the heady days of the '90s. You
guys stopped SOPA and PIPA. Now you need to stop the Canadian Great
Firewall and all of the others that will surely follow in its wake once
the conspiring capal of right-wing governments that are trying to destroy
democracy the world over manage to get one accepted in a (formerly)
liberal democratic nation.
Petition your governments to stop and/or never start doing these things.
Organize up another big web protest, like the successful anti-SOPA and
pro-net-neutrality ones of the recent past.
Do *something* to restore Canadians' access to the full uncensored Web,
to restore the same access to users of anonymity and privacy tools, and
to prevent any future incidents remotely similar to this one.
Crossposting this now to alt.anonymous, as this incident clearly
represents an attack on users of anonymity and privacy tools as well as
on users of p2p filesharing tools and on Canadian citizens.
A Canuck
Feb 10, 2015, 2:41:29 PM2/10/15
to
Here is another potential clue regarding the perpetrators of the fake
Sourceforge facade that Canadian (and TOR and other privacy tool using)
Internet users now get transparently redirected to when they try to visit
the real Sourceforge.
Here is the fake "Shareaza 2.7.8.0 download page" in the facade. It looks
identical to the real Sourceforge page, and shows sourceforge.net in the
browser's address bar. This is what one currently gets accessing that URL
using TOR.
http://upload.camzu.com/up/c42ad6a21a6f8a39bcc1e9132f94c4f5.jpg
Only clicking the links (almost any of the links other than to navigate
within "files") reveals the site to be a fake substitute:
http://upload.camzu.com/up/5dbfa46a4fe4e4be2930a3e3ae488677.jpg
This is the result of clicking the link on the first page for
"Shareaza_2.7.8.0_Win32.exe". That link displays in the browser on
mouseover as:
http://sourceforge.net/projects/shareaza/files/Shareaza/Shareaza-2.7.8.0/
Shareaza_2.7.8.0_Win32.exe/download
If the above URL is pasted into the address bar of TorBrowser (or is used
from at least one multi-million-user Canadian ISP, without TOR), one is
immediately redirected to this instead:
http://sourceforge.net/?_escaped_fragment_=/projects/shareaza/files/
Shareaza/Shareaza-2.7.8.0/Shareaza_2.7.8.0_Win32.exe/download#!/projects/
shareaza/files/Shareaza/Shareaza-2.7.8.0/Shareaza_2.7.8.0_Win32.exe/
download
which is the page shown above, the blank page that has a title element
saying "Testing".
There are two interesting things here. One, the redirect. What is that
for? Since the attackers are clearly able to send any response they want
to in response to certain hosts (e.g., TOR exit nodes) requesting "http://
sourceforge.net/*" URIs, they don't actually *need* to redirect. They
*could* have substituted the same bogus "web page" in response to the
request for:
http://sourceforge.net/projects/shareaza/files/Shareaza/Shareaza-2.7.8.0/
Shareaza_2.7.8.0_Win32.exe/download
Instead, they substituted a 300-series redirect at that URI, going to the
other, messier URI, and substituted the "Testing" page (and still not a
backdoored version of Shareaza, as of this writing) in response to *that*
URI. Why the hell?
And then there's something else. So far the one thing the NSA/whoever-it-
is has put of *their own*, not counting the word "testing", into the fake
site that I've been able to find.
And that is the favicon.
Look again:
http://upload.camzu.com/up/c42ad6a21a6f8a39bcc1e9132f94c4f5.jpg
The fake file list page, with copies of real SourceForge site graphics,
project logos for e.g. Ares Galaxy, and the like. Including a copy of the
real Sourceforge site icon, at top left. Now look again at the attackers'
"testing" page:
http://upload.camzu.com/up/5dbfa46a4fe4e4be2930a3e3ae488677.jpg
They didn't use the Sourceforge favicon on this one. This is something
else, and it is something weird. It's like an old X-Face: header image or
maybe a QR code or something similar.
And it's the one thing (besides the word "testing") that our miscreants
have put here that they didn't copy from Sourceforge. The one thing of
their own, in other words. And it's a part of the page that is normally
used to identify its ownership.
Could they be deliberately *or* accidentally giving us a clue as to their
identity and motivations? Nothing about this pixelated graphic shrieks
"NSA" at me -- no, it's the sophisticated interception capabilities
needed to pull off the substitution of their plastic facade for
Sourceforge's real site that does that. But perhaps it could clue us into
who they outsourced building the phony site to. Maybe it's associated
with Booz Allen, the contractor Snowden used to work for. Maybe someone
(maybe even Snowden himself) could weigh in with more information.
So I put this question out to everyone who might read this: does anyone,
anyone at all, know anything about that weird graphic, the favicon on the
"testing" blank page at the phony copy of the Sourceforge site that they
seem to have used for every page they decided not to include in their
mock up?
Sourceforge facade that Canadian (and TOR and other privacy tool using)
Internet users now get transparently redirected to when they try to visit
the real Sourceforge.
Here is the fake "Shareaza 2.7.8.0 download page" in the facade. It looks
identical to the real Sourceforge page, and shows sourceforge.net in the
browser's address bar. This is what one currently gets accessing that URL
using TOR.
http://upload.camzu.com/up/c42ad6a21a6f8a39bcc1e9132f94c4f5.jpg
Only clicking the links (almost any of the links other than to navigate
within "files") reveals the site to be a fake substitute:
http://upload.camzu.com/up/5dbfa46a4fe4e4be2930a3e3ae488677.jpg
This is the result of clicking the link on the first page for
"Shareaza_2.7.8.0_Win32.exe". That link displays in the browser on
mouseover as:
http://sourceforge.net/projects/shareaza/files/Shareaza/Shareaza-2.7.8.0/
Shareaza_2.7.8.0_Win32.exe/download
If the above URL is pasted into the address bar of TorBrowser (or is used
from at least one multi-million-user Canadian ISP, without TOR), one is
immediately redirected to this instead:
http://sourceforge.net/?_escaped_fragment_=/projects/shareaza/files/
Shareaza/Shareaza-2.7.8.0/Shareaza_2.7.8.0_Win32.exe/download#!/projects/
shareaza/files/Shareaza/Shareaza-2.7.8.0/Shareaza_2.7.8.0_Win32.exe/
download
which is the page shown above, the blank page that has a title element
saying "Testing".
There are two interesting things here. One, the redirect. What is that
for? Since the attackers are clearly able to send any response they want
to in response to certain hosts (e.g., TOR exit nodes) requesting "http://
sourceforge.net/*" URIs, they don't actually *need* to redirect. They
*could* have substituted the same bogus "web page" in response to the
request for:
http://sourceforge.net/projects/shareaza/files/Shareaza/Shareaza-2.7.8.0/
Shareaza_2.7.8.0_Win32.exe/download
Instead, they substituted a 300-series redirect at that URI, going to the
other, messier URI, and substituted the "Testing" page (and still not a
backdoored version of Shareaza, as of this writing) in response to *that*
URI. Why the hell?
And then there's something else. So far the one thing the NSA/whoever-it-
is has put of *their own*, not counting the word "testing", into the fake
site that I've been able to find.
And that is the favicon.
Look again:
http://upload.camzu.com/up/c42ad6a21a6f8a39bcc1e9132f94c4f5.jpg
The fake file list page, with copies of real SourceForge site graphics,
project logos for e.g. Ares Galaxy, and the like. Including a copy of the
real Sourceforge site icon, at top left. Now look again at the attackers'
"testing" page:
http://upload.camzu.com/up/5dbfa46a4fe4e4be2930a3e3ae488677.jpg
They didn't use the Sourceforge favicon on this one. This is something
else, and it is something weird. It's like an old X-Face: header image or
maybe a QR code or something similar.
And it's the one thing (besides the word "testing") that our miscreants
have put here that they didn't copy from Sourceforge. The one thing of
their own, in other words. And it's a part of the page that is normally
used to identify its ownership.
Could they be deliberately *or* accidentally giving us a clue as to their
identity and motivations? Nothing about this pixelated graphic shrieks
"NSA" at me -- no, it's the sophisticated interception capabilities
needed to pull off the substitution of their plastic facade for
Sourceforge's real site that does that. But perhaps it could clue us into
who they outsourced building the phony site to. Maybe it's associated
with Booz Allen, the contractor Snowden used to work for. Maybe someone
(maybe even Snowden himself) could weigh in with more information.
So I put this question out to everyone who might read this: does anyone,
anyone at all, know anything about that weird graphic, the favicon on the
"testing" blank page at the phony copy of the Sourceforge site that they
seem to have used for every page they decided not to include in their
mock up?
A Canuck
Feb 10, 2015, 3:46:11 PM2/10/15
to
On Tue, 10 Feb 2015 19:41:24 +0000, A Canuck wrote:
Canadian Internet users can no longer download software published at
sourceforge.net; all access to that site from Canadian broadband ISPs or
via the TOR privacy tool is being redirected to a fake "facade" clone of
the site (most of which consists of blank pages titled "Testing") as of
this morning:
http://upload.camzu.com/up/5dbfa46a4fe4e4be2930a3e3ae488677.jpg
All access via commonly known open web proxies produces 403 errors.
Hosted sub-sites (thingy.sourceforge.net) respond to Canadian ISP IPs
with RST packets (denied at firewall), to TOR exits with 503 errors, and
to web proxies with 403 errors.
Sourceforge is now banned in Canada, folks! Which means that as of this
morning, February 10, 2015, there is a Great Firewall of Canada.
If you are not interested in the technical details, skip to near the end
for voting advice for the forthcoming federal election. Assuming Harper
doesn't become bold enough to start ignoring that part of the
Constitution too. But he isn't willing as yet to make the blocked
Sourceforge content serve up a big banner saying "NOW OUTLAWED IN
CANADA", either...
Do not be fooled by party names that no longer reflect party ideologies.
Remember when at the polling stations what happened here today. Remember
that a vote for your riding's Conservative candidate is a vote for
Harper, and that a vote for Harper is a vote for Chinese-style state
Communism and web censorship, not a vote for any form of actual
conservatism! Another five years of Harper will probably see the adoption
of five year plans and reeducation camps here in Canada. That MUST NOT
happen.
> So I put this question out to everyone who might read this: does anyone,
> anyone at all, know anything about that weird graphic, the favicon on
> the "testing" blank page at the phony copy of the Sourceforge site that
> they seem to have used for every page they decided not to include in
> their mock up?
P.S. Google Reverse Image Search returns zero matches for this thing. I
screenshotted the fake "Testing" page, cropped out the 16x16 favicon,
saved it as a lossless PNG, and threw it at Google, with no results.
Its apparent nonexistence anywhere that Google can see on the World Wide
Web tells us several things, many of them encouraging:
1. Google still "sees" the real Sourceforge, not the fake facade I run
into now when trying to access Sourceforge from Canada (or via TOR),
or it would find this mysterious image there.
So, we can put to bed any fears that the Sourceforge site itself was
seized. (Of course, that the attackers lack Sourceforge's HTTPS
signing key already pointed strongly in that direction, though a remote
webserver compromise might not give the attackers access to such
things.)
2. The image is not just some default one that comes with some big,
common site authoring tool, nor is it the icon of some big, common
hosting provider, or Google would surely find other occurrences.
So, the icon on the "Testing" page probably really is something
unique to the attackers, rather than being part of some Dreamweaver
template or something that they lazily didn't replace with the copied
SF logo on the "Testing" page.
3. The image is not a part of existing widely publicized Snowden
revelations, or the public logo of any of the known NSA contractors,
or again Google would surely have found other instances out there.
So, this icon represents *new* information about, if not the NSA, then
some comparably-powerful adversary. Remember, while Google apparently
still sees the real Sourceforge,
a) every Bell Canada internet customer and
b) every TOR user
gets transparently served with the "facade" version of the site
instead, the one with this mysterious "Testing" page and graphic. I can
think of few adversaries with the power to do such a thing except the
NSA. In particular, to intercept not only all traffic to Sourceforge
crossing Canadian border routers but also all traffic from TOR exit
nodes *all over the world* requires having your tap close to
Sourceforge's own infrastructure. Perhaps even on site. Other than
Sourceforge themselves (who have no motive, and who have an SSL
signing key the attacker demonstrably lacks) that almost has to be the
NSA, or at least some organ of the United States government, given
where Sourceforge is physically hosted. And the NSA is the organ of US
government that has recently been caught with its hands in very
similar cookie jars, like when they intercepted physical shipments of
Cisco routers. One wonders if Sourceforge's owners know all the stops
*their* Cisco routers made on the way to Sourceforge data centers.
One more bit of encouraging news in all of this: the certificate errors
point to the adversary (almost certainly the NSA) continuing to lack the
capability to break SSL encryption (at least, not in real time). The
data, taken together, indicate that the system diagram is like this:
[Real Sourceforge] [Facade]
| |
[compromised border router]---------' <- Canadian ISPs and TOR exits
| redirected to Facade
|
[rest of net]
On the server labeled "Facade", SSL pages are served with a Cloudfront
signing key, not a Sourceforge one, and consequently when users' browsers
*think* they're talking to sourceforge.net (but are actually being
redirected to the Facade by the compromised border router) their browsers
reject the certificates as from the wrong domain. This tells us two
things:
1. Those responsible for the attack have not seized control of the real
Sourceforge data center (or their substitute pages would come from
real Sourceforge servers, and be signed with real Sourceforge
certificates), and they don't have Sourceforge's signing key or the
ability to break SSL encryption in real time. SSL security checks
succeed in detecting their man-in-the-middle attack on Sourceforge,
except when non-https pages are requested from that site.
2. Most likely, those responsible for the attack are hosting the Facade
at Cloudfront.
The phony "Testing" blank page that most of the links on the Facade
pothole to also points to certain lacks of resources on their part. In
particular, they scraped only parts of Sourceforge's site to construct
the Facade, perhaps by duplicating chunks of the site that passed through
the compromised border router in response to ordinary users' queries,
thus missing pages (like "about") that hardly anyone ever visits. If they
didn't get hits between the initial compromise and the erection of the
Facade, the pages didn't get duplicated in the Facade and the Facade
serves up the blank "Testing" page instead (probably by way of its 404
handler -- indeed, the same blank page, rather than a 404 page, is
returned for http://sourceforge.net/gobbledygook/
this_page_shouldnt_exist_fuseuygudfhbjmdkf.html, after the same kind of
weird _escaped_fragment redirection first).
The big question still unanswered is: What the fuck are they doing?
They ARE:
* Concealing who is responsible, as best they can. There's no big banner
coming up saying BLOCKED IN CANADA - Harper has outlawed access to
Sourceforge.net from your country. Instead, it looks at first like
you've successfully reached the site, only you can't actually do
anything useful there. So it looks almost like it's just
malfunctioning ... if you ignore the fact that it's malfunctioning only
for certain people, or that there are clear indications of a MITM
attack if you go to any https page there.
* Preventing any downloads of software from Sourceforge across the
Canadian border, including Shareaza. Whether this is narrowly targeted
at p2p software is unknown.
* Mocking up parts, but by no means all, of Sourceforge's site.
* Systematically redirecting TOR and Canadian ISP users to the Facade,
which could only reliably be done at border routers connecting
Sourceforge's data center to the wider Internet, or at Sourceforge's
ISP. This points to that ISP, Sourceforge themselves, or (much more
likely) the NSA/other US government actors, and indicates that the
miscreants in question probably physically installed hardware on
Sourceforge/its ISP's premises, or intercepted and altered hardware
bound for such a site. Most major US ISPs have been strong-armed into
allowing the NSA to install equipment on-premises, and the NSA has
intercepted and presumably altered Cisco routers en route to Cisco
customers, as revealed by Snowden documents.
They ARE NOT:
* Taking responsibility of any kind for their actions, or acknowledging
anything. The only content original to the attackers at the Facade seem
to be the "Testing" page's favicon and the word "Testing" itself.
* Substituting malware or spyware-included versions of Shareaza.
Attempting to download Shareaza results only in the blank "Testing"
page at this time. But that may change, or this whole affair may be a
"dry run" for future compromises based on substituting altered versions
of software hosted at Sourceforge. (Consider how many security
products, privacy tools, and other things are developed there, though
TOR thankfully seems to use a combination of Github and its own
torproject.org site; then shudder.)
* Disrupting any sites other than sourceforge.net and
shareaza.sourceforge.net, to my knowledge.
* Disrupting the use of web.archive.org to browse snapshots of
Sourceforge. However, web.archive.org does not archive exe files, so it
is impossible to download Shareaza from their mirror of Sourceforge,
though they have the 2.7.8.0 Files page, archived on Dec. 16, 2014.
Currently web.archive.org is the only way for a Canadian to view other
aspects of Shareaza, though; for example, tickets:
http://web.archive.org/web/20141216133329/http://sourceforge.net/p/
shareaza/tickets/?source=navbar
This is also from Dec. 16; the "live" version is substituted with the
Facade's "Testing" page for Canadian Internet users and TOR users right
now.
* Censoring Usenet. These posts are visible on an Italian newsserver, and
can be read from inside Canada, as of this writing. Of course, the goal
here doesn't seem to be censorshop per se, but rather surveillance.
Censorship specifically of decentralized and/or encrypting tools is all
we've seen evidence of so far during this incident.
They MAY BE:
* Hijacking other sites than *.sourceforge.net ones. I don't know.
There's no sign of them messing with torproject.net though. At least,
not yet.
* Intercepting and searching storage media at the Canadian border. Such
searches have to my knowledge been sporadic and random in the past,
rather than routine. If they remain sporadic and random, then copies of
Sourceforge-hosted software could be downloaded in the United States
and brought into Canada via sneakernet.
If there has been a sudden shift in policy at Canadian Customs to
searching *all* electronic storage media entering the country, in the
past day or so, it will be strong evidence that these web redirections,
though perpetrated by US government agencies, are being done at the
behest of the Harper Conservatives. The question being: what is it he
doesn't want Canadian citizens to have anymore? The answer almost
certainly being: privacy and anonymity tools, and tools that work peer
to peer instead of through centralized (and thus easily surveilled) web
sites. Which would mean Github and torproject.org are in the
crosshairs, even though they don't seem to have been attacked quite yet.
* Planning to attack other sites (Github, torproject) or media (Usenet)
in the future.
The intent of our enemy is clear: to block Canadians' access to any
method by which one might evade surveillance. HTTPS is permitted, because
centralized web sites can be leant on by the Five Eyes and monitored
centrally. P2P, on the other hand, lacks centralization, so the idea of
Canadians continuing to have access to software like Shareaza has Harper
crapping his pants.
The solution is equally clear: Throw the bums out.
1. If you are not a Canadian citizen, try to organize up some big Web
protest like the anti-SOPA and pro-net-neutrality ones that recently
succeeded big-time.
2. If you are a Canadian citizen, vote!
3. If the NDP is likely to outperform the Liberals in your riding this
year, vote NDP.
4. If an independent or Green is likely to outperform the Liberals, but
the NDP isn't, vote for them.
5. If nobody non-Conservative is likely to outperform the Liberals, vote
Liberal.
6. Do not, under any circumstances, vote Conservative. I don't care what
your local Conservative candidate is like. A vote for them is a vote
for Harper, and it's abundantly clear now that a vote for Harper is an
act of treason against Canadians, the Constitution, and the Charter of
Rights and Freedoms.
7. Encourage other Canadians to vote, and tell them about all of this,
and every other shitty thing Harper has done and plans to do.
Canadian Internet users can no longer download software published at
sourceforge.net; all access to that site from Canadian broadband ISPs or
via the TOR privacy tool is being redirected to a fake "facade" clone of
the site (most of which consists of blank pages titled "Testing") as of
this morning:
http://upload.camzu.com/up/5dbfa46a4fe4e4be2930a3e3ae488677.jpg
All access via commonly known open web proxies produces 403 errors.
Hosted sub-sites (thingy.sourceforge.net) respond to Canadian ISP IPs
with RST packets (denied at firewall), to TOR exits with 503 errors, and
to web proxies with 403 errors.
Sourceforge is now banned in Canada, folks! Which means that as of this
morning, February 10, 2015, there is a Great Firewall of Canada.
If you are not interested in the technical details, skip to near the end
for voting advice for the forthcoming federal election. Assuming Harper
doesn't become bold enough to start ignoring that part of the
Constitution too. But he isn't willing as yet to make the blocked
Sourceforge content serve up a big banner saying "NOW OUTLAWED IN
CANADA", either...
Do not be fooled by party names that no longer reflect party ideologies.
Remember when at the polling stations what happened here today. Remember
that a vote for your riding's Conservative candidate is a vote for
Harper, and that a vote for Harper is a vote for Chinese-style state
Communism and web censorship, not a vote for any form of actual
conservatism! Another five years of Harper will probably see the adoption
of five year plans and reeducation camps here in Canada. That MUST NOT
happen.
> So I put this question out to everyone who might read this: does anyone,
> anyone at all, know anything about that weird graphic, the favicon on
> the "testing" blank page at the phony copy of the Sourceforge site that
> they seem to have used for every page they decided not to include in
> their mock up?
screenshotted the fake "Testing" page, cropped out the 16x16 favicon,
saved it as a lossless PNG, and threw it at Google, with no results.
Its apparent nonexistence anywhere that Google can see on the World Wide
Web tells us several things, many of them encouraging:
1. Google still "sees" the real Sourceforge, not the fake facade I run
into now when trying to access Sourceforge from Canada (or via TOR),
or it would find this mysterious image there.
So, we can put to bed any fears that the Sourceforge site itself was
seized. (Of course, that the attackers lack Sourceforge's HTTPS
signing key already pointed strongly in that direction, though a remote
webserver compromise might not give the attackers access to such
things.)
2. The image is not just some default one that comes with some big,
common site authoring tool, nor is it the icon of some big, common
hosting provider, or Google would surely find other occurrences.
So, the icon on the "Testing" page probably really is something
unique to the attackers, rather than being part of some Dreamweaver
template or something that they lazily didn't replace with the copied
SF logo on the "Testing" page.
3. The image is not a part of existing widely publicized Snowden
revelations, or the public logo of any of the known NSA contractors,
or again Google would surely have found other instances out there.
So, this icon represents *new* information about, if not the NSA, then
some comparably-powerful adversary. Remember, while Google apparently
still sees the real Sourceforge,
a) every Bell Canada internet customer and
b) every TOR user
gets transparently served with the "facade" version of the site
instead, the one with this mysterious "Testing" page and graphic. I can
think of few adversaries with the power to do such a thing except the
NSA. In particular, to intercept not only all traffic to Sourceforge
crossing Canadian border routers but also all traffic from TOR exit
nodes *all over the world* requires having your tap close to
Sourceforge's own infrastructure. Perhaps even on site. Other than
Sourceforge themselves (who have no motive, and who have an SSL
signing key the attacker demonstrably lacks) that almost has to be the
NSA, or at least some organ of the United States government, given
where Sourceforge is physically hosted. And the NSA is the organ of US
government that has recently been caught with its hands in very
similar cookie jars, like when they intercepted physical shipments of
Cisco routers. One wonders if Sourceforge's owners know all the stops
*their* Cisco routers made on the way to Sourceforge data centers.
One more bit of encouraging news in all of this: the certificate errors
point to the adversary (almost certainly the NSA) continuing to lack the
capability to break SSL encryption (at least, not in real time). The
data, taken together, indicate that the system diagram is like this:
[Real Sourceforge] [Facade]
| |
[compromised border router]---------' <- Canadian ISPs and TOR exits
| redirected to Facade
|
[rest of net]
On the server labeled "Facade", SSL pages are served with a Cloudfront
signing key, not a Sourceforge one, and consequently when users' browsers
*think* they're talking to sourceforge.net (but are actually being
redirected to the Facade by the compromised border router) their browsers
reject the certificates as from the wrong domain. This tells us two
things:
1. Those responsible for the attack have not seized control of the real
Sourceforge data center (or their substitute pages would come from
real Sourceforge servers, and be signed with real Sourceforge
certificates), and they don't have Sourceforge's signing key or the
ability to break SSL encryption in real time. SSL security checks
succeed in detecting their man-in-the-middle attack on Sourceforge,
except when non-https pages are requested from that site.
2. Most likely, those responsible for the attack are hosting the Facade
at Cloudfront.
The phony "Testing" blank page that most of the links on the Facade
pothole to also points to certain lacks of resources on their part. In
particular, they scraped only parts of Sourceforge's site to construct
the Facade, perhaps by duplicating chunks of the site that passed through
the compromised border router in response to ordinary users' queries,
thus missing pages (like "about") that hardly anyone ever visits. If they
didn't get hits between the initial compromise and the erection of the
Facade, the pages didn't get duplicated in the Facade and the Facade
serves up the blank "Testing" page instead (probably by way of its 404
handler -- indeed, the same blank page, rather than a 404 page, is
returned for http://sourceforge.net/gobbledygook/
this_page_shouldnt_exist_fuseuygudfhbjmdkf.html, after the same kind of
weird _escaped_fragment redirection first).
The big question still unanswered is: What the fuck are they doing?
They ARE:
* Concealing who is responsible, as best they can. There's no big banner
coming up saying BLOCKED IN CANADA - Harper has outlawed access to
Sourceforge.net from your country. Instead, it looks at first like
you've successfully reached the site, only you can't actually do
anything useful there. So it looks almost like it's just
malfunctioning ... if you ignore the fact that it's malfunctioning only
for certain people, or that there are clear indications of a MITM
attack if you go to any https page there.
* Preventing any downloads of software from Sourceforge across the
Canadian border, including Shareaza. Whether this is narrowly targeted
at p2p software is unknown.
* Mocking up parts, but by no means all, of Sourceforge's site.
* Systematically redirecting TOR and Canadian ISP users to the Facade,
which could only reliably be done at border routers connecting
Sourceforge's data center to the wider Internet, or at Sourceforge's
ISP. This points to that ISP, Sourceforge themselves, or (much more
likely) the NSA/other US government actors, and indicates that the
miscreants in question probably physically installed hardware on
Sourceforge/its ISP's premises, or intercepted and altered hardware
bound for such a site. Most major US ISPs have been strong-armed into
allowing the NSA to install equipment on-premises, and the NSA has
intercepted and presumably altered Cisco routers en route to Cisco
customers, as revealed by Snowden documents.
They ARE NOT:
* Taking responsibility of any kind for their actions, or acknowledging
anything. The only content original to the attackers at the Facade seem
to be the "Testing" page's favicon and the word "Testing" itself.
* Substituting malware or spyware-included versions of Shareaza.
Attempting to download Shareaza results only in the blank "Testing"
page at this time. But that may change, or this whole affair may be a
"dry run" for future compromises based on substituting altered versions
of software hosted at Sourceforge. (Consider how many security
products, privacy tools, and other things are developed there, though
TOR thankfully seems to use a combination of Github and its own
torproject.org site; then shudder.)
* Disrupting any sites other than sourceforge.net and
shareaza.sourceforge.net, to my knowledge.
* Disrupting the use of web.archive.org to browse snapshots of
Sourceforge. However, web.archive.org does not archive exe files, so it
is impossible to download Shareaza from their mirror of Sourceforge,
though they have the 2.7.8.0 Files page, archived on Dec. 16, 2014.
Currently web.archive.org is the only way for a Canadian to view other
aspects of Shareaza, though; for example, tickets:
http://web.archive.org/web/20141216133329/http://sourceforge.net/p/
shareaza/tickets/?source=navbar
This is also from Dec. 16; the "live" version is substituted with the
Facade's "Testing" page for Canadian Internet users and TOR users right
now.
* Censoring Usenet. These posts are visible on an Italian newsserver, and
can be read from inside Canada, as of this writing. Of course, the goal
here doesn't seem to be censorshop per se, but rather surveillance.
Censorship specifically of decentralized and/or encrypting tools is all
we've seen evidence of so far during this incident.
They MAY BE:
* Hijacking other sites than *.sourceforge.net ones. I don't know.
There's no sign of them messing with torproject.net though. At least,
not yet.
* Intercepting and searching storage media at the Canadian border. Such
searches have to my knowledge been sporadic and random in the past,
rather than routine. If they remain sporadic and random, then copies of
Sourceforge-hosted software could be downloaded in the United States
and brought into Canada via sneakernet.
If there has been a sudden shift in policy at Canadian Customs to
searching *all* electronic storage media entering the country, in the
past day or so, it will be strong evidence that these web redirections,
though perpetrated by US government agencies, are being done at the
behest of the Harper Conservatives. The question being: what is it he
doesn't want Canadian citizens to have anymore? The answer almost
certainly being: privacy and anonymity tools, and tools that work peer
to peer instead of through centralized (and thus easily surveilled) web
sites. Which would mean Github and torproject.org are in the
crosshairs, even though they don't seem to have been attacked quite yet.
* Planning to attack other sites (Github, torproject) or media (Usenet)
in the future.
The intent of our enemy is clear: to block Canadians' access to any
method by which one might evade surveillance. HTTPS is permitted, because
centralized web sites can be leant on by the Five Eyes and monitored
centrally. P2P, on the other hand, lacks centralization, so the idea of
Canadians continuing to have access to software like Shareaza has Harper
crapping his pants.
The solution is equally clear: Throw the bums out.
1. If you are not a Canadian citizen, try to organize up some big Web
protest like the anti-SOPA and pro-net-neutrality ones that recently
succeeded big-time.
2. If you are a Canadian citizen, vote!
3. If the NDP is likely to outperform the Liberals in your riding this
year, vote NDP.
4. If an independent or Green is likely to outperform the Liberals, but
the NDP isn't, vote for them.
5. If nobody non-Conservative is likely to outperform the Liberals, vote
Liberal.
6. Do not, under any circumstances, vote Conservative. I don't care what
your local Conservative candidate is like. A vote for them is a vote
for Harper, and it's abundantly clear now that a vote for Harper is an
act of treason against Canadians, the Constitution, and the Charter of
Rights and Freedoms.
7. Encourage other Canadians to vote, and tell them about all of this,
and every other shitty thing Harper has done and plans to do.
A Canuck
Feb 10, 2015, 6:17:36 PM2/10/15
to
On Tue, 10 Feb 2015 20:46:03 +0000, A Canuck wrote:
[snip]
For the time being, it looks like Shareaza can be downloaded, and the
Harpercon ban circumvented, by downloading it from Sourceforge.jp:
http://sourceforge.jp/frs/g_redir.php?m=jaist&f=%2Fshareaza%2FShareaza%
2FShareaza-2.7.8.0%2FShareaza_2.7.8.0_Win32.exe
The software itself is multi-language so getting it from SF's Japanese
mirror shouldn't cause any headaches.
This also serves to highlight the futility of trying to block all avenues
for particular people (e.g. Chinese, or Canadians) to access particular
information (e.g. information about Tiananmen Square, or the Shareaza
2.7.8.0 installer). All of the NSA's horses and all of the NSA's men,
dancing to Harper's tune, can't keep one person of modest financial means
from downloading one itty bitty file they disapprove of. Bwaha ha. What a
bunch of losers.
Dangerous losers.
And hopefully, soon, election losers.
P.S. Did it occur to those idiots that anyone who *already has a copy* of
Shareaza or any other file sharing software can find the 2.7.8.0
installer right from inside that? Of course, that might be why
preexisting copies seem to have been mysteriously deleting themselves
from at least some people's hard drives in the past few days... But they
definitely deserve a razzing for overlooking Sourceforge.jp, and who
knows what other colossal blunders those goofballs have made as well?
Their incompetence is simultaneously heartening and frightening.
Heartening, because a halfway-competent resistance will win out in the
end even if they do go all totalitarian-state on us one day. Frightening,
because of the damage they'll do in the meantime, much of it to non-
resistance targets that they mistook for resistance. Already today we've
seen one of the biggest sites on the net hobbled and impersonated and in
their oafish clumsiness they've probably done a number on enough random
other sites to leave parts of the net resembling Tokyo after the events
of a Godzilla flick. Remember the collateral damage when a bunch of
copyright goons decided to take down a little blog called dajaz1 that was
republishing some content *with artist and label permission*? Not only a
target that was, actually, playing within the rules, but about 79,999
collateral casualties got taken down in that little fiasco.
And the same kind of clumsy idiots are now trying to prevent a whole
country (Canada) of 30 million people from accessing Shareaza ... and
failing spectacularly, while also hobbling access by Canadians to
everything *else* at Sourceforge, and doing who knows what other damage
in the meanwhile?
Vote them out in 2015. If you don't vote, or vote Con, you are voting for
more of this sort of crap. Today it's having to surf Japanese web sites
to download stuff that used to be available on English-language sites,
all because Harper and CSEC want to be able to know what Canadians are
downloading and uploading in the way of files, as was exposed by Ed
Snowden.
Tomorrow, who knows?
The only safe bet is to vote in a government that isn't Conservative. NDP
would be best. Liberal will do in a pinch. But absolutely, positively not
the Communi^H^H^H^H^Hnservative Party. Oh no.
[snip]
For the time being, it looks like Shareaza can be downloaded, and the
Harpercon ban circumvented, by downloading it from Sourceforge.jp:
http://sourceforge.jp/frs/g_redir.php?m=jaist&f=%2Fshareaza%2FShareaza%
2FShareaza-2.7.8.0%2FShareaza_2.7.8.0_Win32.exe
The software itself is multi-language so getting it from SF's Japanese
mirror shouldn't cause any headaches.
This also serves to highlight the futility of trying to block all avenues
for particular people (e.g. Chinese, or Canadians) to access particular
information (e.g. information about Tiananmen Square, or the Shareaza
2.7.8.0 installer). All of the NSA's horses and all of the NSA's men,
dancing to Harper's tune, can't keep one person of modest financial means
from downloading one itty bitty file they disapprove of. Bwaha ha. What a
bunch of losers.
Dangerous losers.
And hopefully, soon, election losers.
P.S. Did it occur to those idiots that anyone who *already has a copy* of
Shareaza or any other file sharing software can find the 2.7.8.0
installer right from inside that? Of course, that might be why
preexisting copies seem to have been mysteriously deleting themselves
from at least some people's hard drives in the past few days... But they
definitely deserve a razzing for overlooking Sourceforge.jp, and who
knows what other colossal blunders those goofballs have made as well?
Their incompetence is simultaneously heartening and frightening.
Heartening, because a halfway-competent resistance will win out in the
end even if they do go all totalitarian-state on us one day. Frightening,
because of the damage they'll do in the meantime, much of it to non-
resistance targets that they mistook for resistance. Already today we've
seen one of the biggest sites on the net hobbled and impersonated and in
their oafish clumsiness they've probably done a number on enough random
other sites to leave parts of the net resembling Tokyo after the events
of a Godzilla flick. Remember the collateral damage when a bunch of
copyright goons decided to take down a little blog called dajaz1 that was
republishing some content *with artist and label permission*? Not only a
target that was, actually, playing within the rules, but about 79,999
collateral casualties got taken down in that little fiasco.
And the same kind of clumsy idiots are now trying to prevent a whole
country (Canada) of 30 million people from accessing Shareaza ... and
failing spectacularly, while also hobbling access by Canadians to
everything *else* at Sourceforge, and doing who knows what other damage
in the meanwhile?
Vote them out in 2015. If you don't vote, or vote Con, you are voting for
more of this sort of crap. Today it's having to surf Japanese web sites
to download stuff that used to be available on English-language sites,
all because Harper and CSEC want to be able to know what Canadians are
downloading and uploading in the way of files, as was exposed by Ed
Snowden.
Tomorrow, who knows?
The only safe bet is to vote in a government that isn't Conservative. NDP
would be best. Liberal will do in a pinch. But absolutely, positively not
the Communi^H^H^H^H^Hnservative Party. Oh no.
0 new messages