I'm Cthulhu » Cthulhu (https://www.thecthulhu.com)

A VAT MOSS Victory!
https://www.thecthulhu.com/a-vat-moss-victory/
Sat, 07 Nov 2015 19:22:28 +0000

I’d just like to take a moment to share a recent victory of mine. Before 2015, EU companies used to charge VAT at the rate of the country where the business was located, leading to companies like Amazon setting up in low-VAT jurisdictions and making sales from there to lower the overall cost of an item, irrespective of where the customer resided in the EU. On 1 January 2015, however, the VAT MOSS system was introduced, which mandated that VAT for online sales be charged at the rate of the customer’s country, with the stated aim of making the VAT system fair. However, this imposed a very problematic requirement: the company must know where the customer is located.

The VAT MOSS guidance added further headaches, especially for one of my upcoming business projects, by requiring “proofs” of customer location, as detailed in the explanatory notes to the legislation. After hours of reading through the document, the main issue was that for an anonymous web hosting service, collecting any such information would not only breach the privacy of customers but negate the entire point of the business. As the guidance offers no advice on how to handle anonymous online transactions, I consulted HMRC, the UK’s tax authority, which is where my company is registered.

Throughout a series of exchanges, HMRC repeated to me the need for two proofs to be in line with the VAT MOSS system. However, I have always rejected that, as I would rather close my business than break the promises I offer. I made various offers to the tax authority on how to reach a middle ground, such as assuming the UK rate is payable on global sales, and possibly switching to another VAT scheme even if it cost my business more money.

The deadlock has finally been broken! I received this email from HMRC recently, which has now been verified by an accountant to be binding for my business. This means that unless there is a law change or the EU courts come to a different conclusion, I may now process transactions anonymously, without being required to know the address or any other information about a customer, and still charge the required VAT on transactions. Hip hip hooray!

———————————————

Dear Mr White

Thank you for your email and I apologise for the delay you have experienced in getting a reply to your question, which presents an unusual and difficult situation.

As you collect no information on where your customers belong, and therefore cannot evidence a different place of supply, we will expect you to charge and account for UK VAT on your supplies on the basis that the supply of services are made in the UK.

If a customer contacts you to say that they belong outside the UK, we will expect you to retain the evidence to support the non-application of UK VAT. A simple assertion that they do not belong in the UK will not suffice. If the customer does not provide you with a VAT number, you will be liable to register in the customer’s Member State. If the records presented by the customer enable you to meet the record keeping requirements you may be able to use MOSS to bring the VAT to account.

I hope this is helpful but if you have any further questions please do not hesitate to ask.

Yours sincerely
[HMRC Rep name redacted]

———————————————

The Legality of Sharing Dumped Data
https://www.thecthulhu.com/legality-of-dumped-data/
Wed, 14 Oct 2015 19:15:58 +0000

Note: The below contains information as indirect quotes or paraphrasing of legally privileged communications with my solicitor. I have not authorised the disclosure of legally privileged material, and the disclosures below therefore do not constitute a right for law enforcement to snoop on further privileged communications.

Over the last few months, as per my other posts, I have tried to explain my reasoning for posting leaked data. Some have claimed I haven’t thought it through; others have said I am simply reckless. I want to assure everyone that I am neither reckless nor naive about the consequences of my actions.

Having spoken to my legal team, who have already demonstrated to me their exceptional legal knowledge in defending me from legal charges, they have assured me that my position from a legal perspective is just. I have explained openly what I am doing and have made no attempts to mislead people in my actions and have also posted plenty of warnings on where my responsibility ends for anything downloaded from my mirrors.

Some possible legislation under which charges could be brought is the following:

The Data Protection Act 1998: As I am not covered under the definition of a data controller or handler, I am exempt from regulation under the act.

 

Computer Misuse Act 1990: This Act of Parliament introduced three offences within the scope of the act that are as follows:
1. unauthorised access to computer material, punishable by 12 months’ imprisonment and/or a fine “not exceeding level 5 on the standard scale” (since 2015, unlimited);
2. unauthorised access with intent to commit or facilitate commission of further offences, punishable by 12 months/maximum fine on summary conviction and/or 5 years/fine on indictment;
3. unauthorised modification of computer material, punishable by 12 months/maximum fine on summary conviction and/or 10 years/fine on indictment;

My initial impression was that under offences 1 and 2, I may be liable as I did not have authorisation to access or provide access to the material. However, the offences above apply only to those who took the initial data, as that is where the breach of proper authority to access it took place. Subsequently, when I download data from the open internet (even if the material was originally obtained without authorisation), I am not accessing that material unlawfully. If I were to download the material from the source (i.e., directly from the Patreon or Ashley Madison servers), then that would constitute an offence.

Theft Act 1968: Section 22(1) provides the scope for an offence usually associated to shoplifting or buying stolen goods, usually referred to as “Handling stolen goods”. The actual offence is as follows:
“A person handles stolen goods if (otherwise than in the course of the stealing) knowing or believing them to be stolen goods he dishonestly receives the goods, or dishonestly undertakes or assists in their retention, removal, disposal or realisation by or for the benefit of another person, or if he arranges to do so.”
There is an element of me making the data available to the public being construed as the retention of stolen goods for the benefit of another person, however as I have not paid for the data or otherwise encouraged the original offence of stealing the data, and that I accessed such data through legitimate means (downloading from a public source), I have been assured that it is highly unlikely a prosecution can be brought forward under these charges.

 

I believe most angles to prosecute are covered in the above, and most have good case law to back me up in the event criminal investigations are ever launched into my conduct. That said, I have been warned by my legal team of the potential repercussions in other jurisdictions. For example, my solicitor has acknowledged that while US law is not his area, he believes my actions would constitute an offence under the Computer Fraud and Abuse Act (CFAA), which is a US law. Fortunately, I am not a US citizen, nor do I ever plan to visit the US or use US infrastructure (I make a point of boycotting US products where possible). Therefore, their laws do not apply to me and they never shall, so as far as I am concerned their level of authority over me matches the authority of Ghana’s legal system, or even North Korea’s.

All in all, I still stand by my comments on why I am willing to host the data even when it is highly controversial. In extreme circumstances, I would be willing to omit some sections of the data or even remove the data. If that ever does need to happen I will clearly explain why and what sections of data were removed. Until that day though, my work shall continue.

On the importance of decentralisation
https://www.thecthulhu.com/on-the-importance-of-decentralisation/
Sun, 04 Oct 2015 02:49:19 +0000

As many of you have noticed, there was an FBI seizure page on some of my mirrors earlier tonight. Thankfully, these were fake, and I put them there, intending to ensure this message reaches as many people as possible and to draw attention to the problem that we face. Firstly, though, for verification:

echo "You may have just seen the takedown notice on https://patreon.thecthulhu.com. This notice was put up by myself and was not a real takedown thankfully. It is, I hope, a reminder to everyone of the importance of decentralisation and that just because somebody like myself posts a resource, does not mean it will be there forever. I encourage everyone to repost the magnet URI on their sites or setup their own mirrors to prevent such a single point of failure in the future. I included the SHA1 and SHA256 sums of the file for a very good reason too if you wish to verify the integrity of data downloaded from other sources before executing or opening it." | sha1sum | awk '{print $1}'

Produces: 63300df2199f61822fef6c440014359f052ffe61

The hash should match here: https://twitter.com/CthulhuSec/status/650451139473862656

The problem we face is that since the Patreon leak, I have been the only known mirror out there offering the full file, as well as a magnet URI. Many people have been downloading and investigating the data, but no new mirrors have popped up, not even simple magnet URI reposts. This causes a dangerous centralisation problem if I become the only mirror, thus heightening the chance of law enforcement targeting me, but also means there are fewer sources for people to verify the integrity of the data.

Mirroring the data is not hard. Just linking to the magnet URI I provided on the page is sufficient to mirror the data securely (magnet links are a modern replacement for torrent files that remove the need to host the file yourself), but very few have done so. I would like to encourage everybody to make mirrors somewhere of the magnet URI at least, and if possible a full download available over TLS. This not only helps me but improves the security of everyone seeking the files.

I understand not everyone has the resources to put up a mirror, but for those that do and have downloaded the data, remember to give back to the cause in some way. Mirroring data, donations to organisations like Tor Project, or teaching others how to improve their security are all great ways we can make a positive impact on our societies, and I encourage everyone to get involved to do so.

A short reasoning for sharing leaked data
https://www.thecthulhu.com/a-short-reasoning-for-sharing-leaked-data/
Fri, 02 Oct 2015 11:48:04 +0000

There have been plenty of times I have received personal abuse, death threats and other forms of harassment online in response to my efforts hosting leaked data, most recently in the case of Patreon. As a result, I thought I would take some time out of the day to explain why I do what I do, and what I hope to accomplish with it.

Hosting the leaked data is a risky business. I accept the fact that one day I may be arrested for handling the data if it is alleged to have been stolen. As a result, my legal team are aware of my actions and we already have legal challenges to such an arrest should it be made. However, my reason for doing so is that there is a public interest whenever such data is leaked, both from journalists in established outlets and independent forms of media.

The alternative of not sharing the data is also rather grim. Frankly, whether or not I make it available, that data will still be on the internet, and it only takes a quick Google search to reveal this. Most of the other places to obtain the data, however, are unknown sources, and the authenticity of the data is very difficult to verify. Not to mention, I have come across plenty of these sources where said files have malware attached to them, designed to catch people who scramble to satisfy their curiosity and download the material without any scrutiny of its origin. So regardless of who hosts it, that data shall always be available. By taking the responsibility to host a copy, I allow journalists and others to focus on the work of analysing the data and leave the management of that source to me.

The exposure of the information further allows the public to vet what procedures are in place at companies to protect data. The unfortunate reality is that their security is already bypassed at the point of the leak, but that isn’t the end of the story. Passwords in the Patreon leak, for example, used bcrypt, a hashing algorithm designed to be extraordinarily difficult to brute force in order to reveal a user’s true password. This is an example of a very good security measure that other organisations and businesses should take note of, especially the many who still store passwords in plain text. It also allows people to identify vulnerabilities, such as how Ashley Madison employed bcrypt as well, but negated it by cutting corners and using MD5 in the process of storing the login tokens (see Joseph’s article on Motherboard here).

Using leaked data gives us an understanding of the true state of affairs of how companies handle your personal data and emphasises to the corporations that personal data is not just another commodity. An organisation with strong password hashing policies, like LastPass or indeed Patreon, has plenty of time to warn users to change their login credentials. Furthermore, a timely disclosure can repair the company image much better than trying to ignore the problem, as HackingTeam found out (and they still hold a grudge against me to this day for it). All in all, the only way to avoid a major catastrophe is for companies to start adopting better ways to collect, use and dispose of data. If they do not need to store some information, then it should be disposed of; failing to do so was a fatal flaw in the operations of Ashley Madison. One of the reasons I support the use of bitcoin is that with no fraud risk from chargebacks, personal information does not need to be collected in the very first place.

Like many of the data breaches this year, it is not what happens once the data is leaked that is the problem, but what you do before it that matters. Taking the proper precautions and maintaining minimal user information is the only way to safeguard against misuse, either from the legal forces in play or from the rogue hackers looking for their next victim.

Goodbye Jabber.ccc.de, Hello OpenXMPP.com
https://www.thecthulhu.com/goodbye-jabber-ccc-de-hello-openxmpp-com/
Tue, 29 Sep 2015 16:10:31 +0000

Hello all,

As you may have noticed, Jabber.ccc.de has been down for over 24 hours now, for reasons that at this time are unknown. As a result of constant downtime over the past year on the service, and the rather sobering fact that so many of us in the tech community use Jabber.ccc.de, I have decided to launch my own XMPP server that anyone can sign up to and use.

OpenXMPP.com is now open for registrations. I will be making improvements over the coming weeks that would guarantee 99.99% to 100% uptime. It has upstream DDoS protection, fast connectivity and works perfectly in tandem with existing XMPP servers, so you can add contacts who are using any federated service.

As with everything I do, maintaining privacy for users is very important, and, as a result, we will always be trimming back on the amount of data logged. Furthermore, we will regularly clear the system of all but the bare necessities to stay online. Even with this, I still recommend using OTR and Tor for your conversations to guarantee end-to-end encryption.

I foresee this server growing considerably in the coming 12 months and hope everyone uses the service responsibly!

-Cthulhu

I stand with Lauri Love
https://www.thecthulhu.com/i-stand-with-lauri-love/
Thu, 16 Jul 2015 22:43:33 +0000

Further information: http://thecryptosphere.com/2015/07/16/alleged-hacker-lauri-love-arrested-in-uk-us-demands-extradition/

I have known Lauri for a while now, and we have both talked at length of our own struggles, shared some comforting advice and helped one another progress through difficulties as they arise. Today it deeply saddened and enraged me to hear his extradition has been demanded by the United States of Assholes.

Lauri Love is a British citizen. He lives in the UK. Therefore, any alleged wrongdoing must fall within British law. I therefore question why the need for extradition exists when the framework for his prosecution in the UK is already in place, if he is indeed guilty of any offence. Should he be found guilty of any offence, then he should also be punished under British law, as the UK is where he resides.

The only thought that crosses my mind on why an extradition would be necessary is this: the US knows the evidence it has will not stand up to scrutiny in British courts. Protocols exist whereby evidence gathered overseas can be used against citizens in a UK court, and so it would seem logical to prosecute a person in their home country, as it would be quicker, easier and cheaper for everyone involved. Furthermore, to prosecute Lauri in the UK would at least show some respect to British sovereignty and to the principle that British laws must rule the actions of its citizens.

Instead, the US has again sought to bring a person into its own territory for prosecution. I find this deeply insulting. Unlike many countries in the world, the US attempts to force the laws of its nation upon all people, irrespective of where they reside, and assumes its laws reign supreme over all others. If the UK or any other country were to make such an assumption, it is likely that the US would refuse to comply or kick up a fuss about the matter, seeing it as an insult to them, without regard to their hypocrisy.

So I feel it is time to use this phrase, despite my hatred of it: if the US has nothing to hide in prosecuting Mr Love, why are they not using established protocols for the presentation of evidence in British courts? “Nothing to hide, nothing to fear”, huh? If the US has material that they feel is in some way privileged and thus cannot be handed over to the UK, then this would be a clear violation of Article 6 of the EU Convention on Human Rights. In that case, the extradition request should be denied immediately.

On this matter, I stand firmly by Lauri’s side. So to the US government I would like to remind you that I am not a member of Anonymous, nor do I agree with many things that they do. But I do not forgive or forget either. You should perhaps look into your sins very deeply because new alliances are forming against you daily, and I am firmly within their ranks on this matter.

Today we have lost a friend
https://www.thecthulhu.com/today-we-have-lost-a-friend/
Thu, 09 Jul 2015 12:00:52 +0000

I, like many today, was shocked to hear that our friend Caspar Bowden has sadly passed away. He was a man of passion and conviction, a force in the privacy debate that never waned nor held back. Everyone who knew him can certainly testify to his moral courage to stand for what is right and just, regardless of who he was facing.

I first met Caspar a few years ago and talked to him on many occasions. One conversation that stood out to me was during the Tor Project summer developer meeting in Paris in mid-2014. Little did I know that what started as a small matter would soon turn into a pattern of me becoming a surveillance target of the UK government, followed by a campaign of intimidation and bullying. Throughout my ordeal, Caspar was there for me with his vast reserves of expert knowledge, patience and care, like a father to us all. He never cared what somebody stood accused of or who they were; he was willing to stand there for everybody equally.

He was a friend, a mentor, a teacher. If the time ever came when you had lost all hope in the fight against tyranny and injustice, along Caspar came to pick you up with a newfound drive to continue.

RIP Caspar Bowden. You will be missed.

I’m a bad person to threaten
https://www.thecthulhu.com/im-a-bad-person-to-threaten/
Wed, 24 Jun 2015 23:11:30 +0000

So, somebody took to XMPP a few minutes ago to threaten my recent investigation into poorly configured hidden services. From the broken English and half the words still being in Russian, I am pretty confident the person is from one of the Russian marketplaces.

I should point out that I am not a good person to threaten. The idea of a threat is to subdue or otherwise intimidate another to your will. As somebody acting on their own identity and with the capability to de-anonymise a lot of the sites out there, I am a pretty poor target for such threats.

So here we go. The Russian market/classified area onion address is:
http://map2rampqm6qxbvz.onion/

 

I feel obliged to point out I have no idea if this was the market making the threat, nor do I care. I hope this serves as a gentle reminder that as somebody doing research and trying to remind people about vulnerabilities in their sites, I am not against the “dark net” sites. I can’t use magic and thus if you have no vulnerabilities, you are safe from me. If I can find your server, so can a capable state agency, and who would you prefer sent you this reminder?

 

So, here is some of the information on the site:

IP: 188.32.214.154
Document root: /home/map2ramp/www/
Server admin: root@work.local3
Internal IP: 10.0.0.13
OS: Gentoo

 

Unmasking this server was rather straightforward and again is down to a misconfiguration on their behalf. This time, however, it was a poorly configured PHP module with the web server. Another reason not to use PHP.

Shoddy “Dark Web” Journalism
https://www.thecthulhu.com/shoddy-dark-web-journalism/
Wed, 24 Jun 2015 21:25:00 +0000

As outlets have a history of removing content where they make some mistakes, I have made a copy of the article below:

http://thecthulhu.com/wp-content/uploads/article_biuk/index.html

The original can be found here:

http://uk.businessinsider.com/dark-web-researcher-discovers-ip-addresses-in-plain-sight-2015-6?r=US

A few days ago I complained that part of the “dark web” problem is that we often see sensationalist claims from media outlets who don’t put the time into proper research. Well, I have one excellent example of this that I want to dissect for some quite key errors.

“This specific forum, called the Tor Carding Forum v2, was quietly shut down, but White was still able to uncover its hosting address even though the forum currently appears to be completely shut down. “

The article on Motherboard, along the with the accompanying information on my blog and Twitter, made clear that I seized the unmasking information many months prior to publication. I intentionally placed emphasis on this fact through the use of hashes and including the original tweet, which is dated. I have not in any way been able to recover the IP address of the service since it shut down. The reason that it is published now is precisely due to the fact it is now offline.

 

“Additionally, White found another dark web marketplace’s IP address: A site called Kiss Marketplace, which reportedly offered goods like illegal drugs. The IP address White posted on his website still works if you put it in any browser, meaning that the servers powering this site have ostensibly been unmasked.”

No. Again, this marketplace is now offline and, according to DeepDotWeb, had been for a few weeks before I published; this was an intentional action. The IP address, therefore, does not work, and at this point it is obvious to me you haven’t even tried. The screenshot included on Motherboard was taken by @josephfcox several months back when I first showed him the information. We sat on the information until we deemed it safe to release.

 

“With the IP addresses of these dark web marketplaces becoming public knowledge thanks to White’s recent discoveries, the police will also be able to use this knowledge to shut down the websites if they decide to follow up on White’s findings.”

The police might be able to chase up who rented the server associated with the IP address, but at this point it is of questionable use, since it is unlikely there will be any remaining forensic data to extract. Furthermore, for it to stand in court it is likely they would need my testimony on how the evidence was obtained. I have made clear that I am totally unwilling to assist law enforcement at this point, given how they have treated me in recent months/years.

 

“It appears that criminals are scrambling online to use these new ways to create black markets, but their lack of diligence shows.”

Speak for yourself.

Another Small Release – TCF V2
https://www.thecthulhu.com/another-small-release-tcf-v2/
Sat, 20 Jun 2015 19:20:17 +0000

Another day, another release. This time, it is the Tor Carding Forum v2, which to my knowledge has now closed down, and so this is another one, like yesterday’s, that will no longer be of much interest to law enforcement. The other possibility is that they have quietly taken it down. Either way, I have no further responsibility to withhold this information, and since there are still other major hidden services out there not taking basic security steps (such as forcing external data grabs to go through Tor), please remember I have many more sites to go through yet and nobody is untouchable from naming and shaming.

cthulhu@cthulhu:~$ echo -n "The Tor Carding Forum V2 at hidden service address ba6i2qxajcioadj4.onion and IP address 185.10.57.138 will be seized by the British or Dutch police in the very near future. They have used no magic or special technical ability and Tor is not broken." | sha1sum | awk '{print $1}'
ba993b4a132df12537aab9fde4b297197b92a45a

 

From 3rd February 2015: https://twitter.com/CthulhuSec/status/562549685802774528
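This post and the decentralisation post above use the same hash-commitment check: a statement is hashed, the digest is tweeted with a date, and anyone can recompute it later. The Python below is an added helper, not code from this blog, that recomputes such a digest and also catches the two reasons a recomputation usually fails: `echo` without `-n` appends a newline, and blog software turns ASCII quotes into typographic ones. The statement in the block is a constructed sample, not either post's text.

```python
import hashlib

# Constructed sample statement (not the text of either post on this page).
SAMPLE_STATEMENT = "Mirror example.invalid is mine; key fingerprint ABCD 1234 (constructed sample)."

# Digest length in hex characters -> algorithm. The posts publish SHA-1
# digests and mention SHA-256 sums for files, so both are accepted.
_ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}

# Typographic quotes that WordPress substitutes for the ASCII ones typed
# into the shell; they change the bytes being hashed.
_SMART_QUOTES = {
    "\u2018": "'", "\u2019": "'",   # single curly quotes
    "\u201c": '"', "\u201d": '"',   # double curly quotes
}


def commitment(text: str, algo: str = "sha1") -> str:
    """Hex digest of the statement's exact UTF-8 bytes."""
    return hashlib.new(algo, text.encode("utf-8")).hexdigest()


def _unsmart(text: str) -> str:
    """Replace typographic quotes with their ASCII equivalents."""
    return "".join(_SMART_QUOTES.get(c, c) for c in text)


def verify(text: str, published_hex: str) -> str:
    """Check a statement against a published digest.

    Returns "exact" when the bytes match as given, "trailing-newline" when
    the statement only matches with a newline appended (echo without -n),
    "ascii-quotes" when it matches after replacing typographic quotes,
    "ascii-quotes+newline" when both corrections are needed, and
    "mismatch" otherwise (including digests of an unrecognised length).
    """
    published_hex = published_hex.strip().lower()
    algo = _ALGO_BY_HEX_LEN.get(len(published_hex))
    if algo is None:
        return "mismatch"
    candidates = [
        ("exact", text),
        ("trailing-newline", text + "\n"),
        ("ascii-quotes", _unsmart(text)),
        ("ascii-quotes+newline", _unsmart(text) + "\n"),
    ]
    for label, candidate in candidates:
        if commitment(candidate, algo) == published_hex:
            return label
    return "mismatch"


if __name__ == "__main__":
    # Publish the digest, then pretend a blog mangled the quotes and a
    # reader hashed the mangled copy with `echo` instead of `echo -n`.
    published = commitment(SAMPLE_STATEMENT)
    print("published:", published)
    print("verdict:", verify(SAMPLE_STATEMENT.replace("'", "\u2019"), published))
```

A verdict other than "exact" still confirms the statement, but tells the reader which transcription step they need to undo to reproduce the published hash byte for byte.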

Information was still correct up until the time of closure. This fuck-up was thanks to them not routing their external lookups through Tor. They also must not check the logs of their webserver given how often I performed this to validate it and it was never fixed.
