Hacking Team child porn code
@OpDeathEatersUS on Twitter says - https://twitter.com/OpDeathEatersUS/status/619267423749828608 - that Hacking Team sells child porn evidence fabrication tools, and cites this code - https://github.com/hackedteam/rcs-common/blob/master/lib/rcs-common/evidence... - in support of the claim.

Can someone more programming-proficient than I look at the code and tell me 1) what it does overall, and 2) what the highlighted line - which mentions "childporn.avi" and "pedoporno.mpg" - does in particular?

Here's some background:

http://arstechnica.com/security/2015/07/massive-leak-reveals-hacking-teams-m...
http://www.wired.com/2015/07/fbi-spent-775k-hacking-teams-spy-tools-since-20...

From the Ars Technica article:

===
According to one spreadsheet first reported by Wired, the FBI paid Hacking Team more than $773,226.64 since 2011 for services related to the Hacking Team product known as "Remote Control Service," which is also marketed under the name "Galileo." One spreadsheet column listed simply as "Exploit" is marked "yes" for a sale in 2012, an indication Hacking Group may have bundled some sort of attack code that remotely hijacked targets' computers or phones. Previously, the FBI has been known to have wielded a Firefox exploit to decloak child pornography suspects using Tor.

Security researchers have also scoured leaked Hacking Team source code for suspicious behavior. Among the findings, the embedding of references to child porn in code related to the Galileo.
===

Thanks,

Douglas
On Sun, Feb 21, 2016 at 12:40:35AM -0800, Douglas Lucas wrote:
> @OpDeathEatersUS on Twitter says - https://twitter.com/OpDeathEatersUS/status/619267423749828608 - that Hacking Team sells child porn evidence fabrication tools, and cites this code - https://github.com/hackedteam/rcs-common/blob/master/lib/rcs-common/evidence... - in support of the claim.

IMHO this needs more news coverage.

Searching the leaked emails might give more "evidence" [sic].

e.g.: https://wikileaks.org/hackingteam/emails/?q=rcs&mfrom=&mto=&title=&notitle=&date=&nofrom=&noto=&count=50&sort=0#searchresult
looking into the code

On Sun, Feb 21, 2016 at 10:34 AM, Georgi Guninski <guninski@guninski.com> wrote:
> IMHO this needs more news coverage.
>
> Searching the leaked emails might give more "evidence" [sic].
>
> e.g.:
-- Cari Machet
On Feb 21, 2016 10:45 AM, "Douglas Lucas" <dal@riseup.net> wrote:
> @OpDeathEatersUS on Twitter says - https://twitter.com/OpDeathEatersUS/status/619267423749828608 - that Hacking Team sells child porn evidence fabrication tools, and cites this code - https://github.com/hackedteam/rcs-common/blob/master/lib/rcs-common/evidence... - in support of the claim.
>
> Can someone more programming-proficient than I look at the code and tell me 1) what it does overall, and 2) what the highlighted line - which mentions "childporn.avi" and "pedoporno.mpg" - does in particular?
From the code analyst:
Embedded in Galileo code 'pedoporn' 'childporn avi'

One idea - considering hacking team w/FBI and DEA, you can embed that code to give the appearance that the flagged target is under surveillance for child porn but since there is already an FBI flag for that, it's a lie. It's a mask to hide that you're surveilling someone but you have no legitimate legal reason to do it.

a 'childporn.avi' - is a profile pic like an 'avatar' that flags the person as in a child porn ring but hacking team doesn't do 'rings' - they do targeted (activists, dissidents etc) surveillance. So that's off and since it's embedded "placed over the source code" - the LEA is using it to mask the real reason they are spying on this person

LEA likes to use child porn as a 'plant' - it's like an old school cop 'planting' cocaine on someone they've violated.

END
Cari Machet wrote:
> From the code analyst:
>
> Embedded in Galileo code 'pedoporn' 'childporn avi'
>
> One idea - considering hacking team w/FBI and DEA, you can embed that code to give the appearance that the flagged target is under surveillance for child porn but since there is already an FBI flag for that, it's a lie. It's a mask to hide that you're surveilling someone but you have no legitimate legal reason to do it.
>
> a 'childporn.avi' - is a profile pic like an 'avatar' that flags the person as in a child porn ring but hacking team doesn't do 'rings' - they do targeted (activists, dissidents etc) surveillance. So that's off and since it's embedded "placed over the source code" - the LEA is using it to mask the real reason they are spying on this person
>
> LEA likes to use child porn as a 'plant' - it's like an old school cop 'planting' cocaine on someone they've violated.
>
> END

"childporn.avi" and "pedoporno.mpg"

Those vids... Are they being planted on the site under attack by the hacking team or its software or is it linked offsite?

-- RR "Through counter-intelligence it should be possible to pinpoint potential trouble-makers ... And neutralize them, neutralize them, neutralize them"
It's pretty clear that these files just contain dummy values for debugging / test / placeholder purposes. There's no indication that these ever end up being pushed to devices.

-Travis

On Mon, Feb 22, 2016 at 11:26 PM, Rayzer <Rayzer@riseup.net> wrote:
> Those vids... Are they being planted on the site under attack by the hacking team or its software or is it linked offsite?
Travis Biehn wrote:
> It's pretty clear that these files just contain dummy values for debugging / test / placeholder purposes. There's no indication that these ever end up being pushed to devices.
>
> -Travis
Just for giggles I did a search on those file names.

pedoporno.mpg turns up articles on top about the Hacking Team

childporn.avi turns up hits about the BAT_ETIMOLOD.A virus followed by Hacking Team hits farther down the page. At least one of these files is not always a dummy.

-- RR "Through counter-intelligence it should be possible to pinpoint potential trouble-makers ... And neutralize them, neutralize them, neutralize them"
Well,
The strings for debug code can certainly show up, even these files themselves. Which you can see some samples of under /content (the video stuff is missing, fueling the conspiracy fire?)

There's screenshots, wallet.dats and fake files. Even a picture of, presumably, one of the developers: https://github.com/hackedteam/rcs-common/blob/master/lib/rcs-common/evidence...

Ref'd: https://github.com/hackedteam/rcs-common/blob/master/lib/rcs-common/evidence...

In fact, if you look at all the modules in /evidence/ they all contain obvious dummy / test data.

https://github.com/hackedteam/rcs-common/blob/master/lib/rcs-common/evidence...
https://github.com/hackedteam/rcs-common/blob/master/lib/rcs-common/evidence...

So on.

Are they implanting pictures of themselves on hacked machines? Screenshots of their own code?

It's obvious to anyone who can take a cursory read of these chunks of code in context that this is dummy test data.

-Travis

On Tue, Feb 23, 2016 at 12:35 PM, Rayzer <Rayzer@riseup.net> wrote:
> Just for giggles I did a search on those file names.
>
> pedoporno.mpg turns up articles on top about the Hacking Team
>
> childporn.avi turns up hits about the BAT_ETIMOLOD.A virus followed by Hacking Team hits farther down the page. At least one of these files is not always a dummy.
On 2/23/16, Travis Biehn <tbiehn@gmail.com> wrote:
> Well, The strings for debug code can certainly show up, even these files themselves. Which you can see some samples of under /content (the video stuff is missing, fueling the conspiracy fire?)

it was meatspin.mov renamed :o

> There's screenshots, wallet.dats and fake files. Even a picture of, presumably, one of the developers: https://github.com/hackedteam/rcs-common/blob/master/lib/rcs-common/evidence...

:P

> Ref'd: https://github.com/hackedteam/rcs-common/blob/master/lib/rcs-common/evidence...
>
> In fact, if you look at all the modules in /evidence/ they all contain obvious dummy / test data.

E.g. "Show us in a demo, how your software finds the child pr0n, and sorts it by youngest first, then most disturbing, and queues in a playlist, for uh, foren-sick analysis" the agent asked while adjusting the crotch of his navy blue slacks, so they demo dumb keyword matching and pretend not hear the other part...

> Are they implanting pictures of themselves on hacked machines? Screenshots of their own code?
>
> It's obvious to anyone who can take a cursory read of these chunks of code in context that this is dummy test data.

not dummy test data, more like for the purposes of a demo data.

otherwise, spot on sir! would read your analysis again++

best regards,
participants (6)

- Cari Machet
- coderman
- Douglas Lucas
- Georgi Guninski
- Rayzer
- Travis Biehn