All posts by Sanguinarious

The Gab Fail Chronicles: LOL DDOS, EULA, and NAZIS

Club Pepe

The dishonesty of Andrew Torba knows no bounds in the latest postings. The reality of the matter, as I understand it, is that most of the downtime was related to fixing the major security issues I’ve raised over the past few days. I do not know how much of it was fixed, but I’m sure there are still major problems to be found. Mr. Torba was well schooled the past few days: the usage of CloudFlare isn’t a magical shield of protection against everything.

gabnazi

It is common knowledge that trying to do any kind of DDoS attack on a CloudFlare IP will be futile, with little to no intervention needed to block such an attack. His screams of DDoS are fairly laughable; as the vast majority know, I do not engage in such ineffective behaviors, and I have always been against it. He will continue to tell lies to rile up his angry Neo Nazi Muppets against us for exposing how bad Gab really is as an alternative to Twitter. It would be really ironic if he rallied them for the real reason: exposing Gab as a massive fraudulent security black hole. I’m just not intimidated by his Neo Nazi Muppets, and there isn’t anything anyone can do to stop me from publishing write-ups about Gab. My words, on a computer screen, are far more deadly to Gab’s platform than any silly illegal attack nonsense.

scavengerhunt

The greatest issue I see here is why none of this was ever fixed to begin with, or even considered to be an issue. If it took me 10 minutes to see major issues all over the place, does Gab really take the security of its users seriously? The answer is just no, they don’t take security seriously, if the most basic skiddiot Hack Forums style methods work unchecked (ironically, there have been some claims that Torba is a regular of Hack Forums). This further solidifies Gab as another pump and dump scam by Torba when a lot of the basics are not covered at all. Gab doesn’t even have a logout button, but they have an account delete link; that’s curious indeed! You have to change your password via the forgot-your-password reset link on the login page, and this is the recommended way according to Gab Support, LOL. UPDATE: Apparently there is a Logout button, on the Settings page, all the way at the bottom. That makes sense … if you’re on drugs.

ron-gabtweets

gabsnitch

I don’t wish to keep this post longer than it has to be, but it’s worth mentioning that parts of the updated EULA were a result of our work. It’s humbling that Torba spent the day at his lawyers thinking of us, as he pushed out a new EULA from his nether regions that still didn’t impress Apple enough. Even the greatest eJournalist to ever live, Ron Brynaert, noticed this updated EULA with the “snitch” clause. I’m not going to spoil the rest of it, but any users of Gab really do need to read the updated EULA as well as the Privacy Policy.

Destroying Gab, with words, on a screen, but at least it’s not LiveJournal!

“build it yourself social media back end for blog comments”

NEW BLOG WITH UPDATES AND REPLIES TO GAB’S SILLINESS

Greetings Kids,

It’s been a while since I did a post exposing and pointing out major flaws while laughing hysterically. This might be the worst one yet, especially if the information about Gab’s founder, Andrew Torba, is correct. The reason he got kicked out of the big kid clubs was because he kept doing pump and dump schemes, selling everyone’s data afterwards. I don’t know if his new social media platform will be the one project he isn’t going to abandon after raking in all his donations; we can hope this “Free Speech Warrior” will surprise everyone? 😉 Tigers can change their stripes, guys, you just gotta wish and believe really hard? Is Gab running off a $49 build-it-yourself social media kit an indicator of possible doom? Did Gab stop doing live notifications for some nefarious reason? Nah! Of course not!

Gimmie Info

A lot of people heard of this social media platform because of Twitter’s lack of sanity and political censorship, which gets worse every year as its stock price keeps going lower and lower. Gab’s marketing was literally just “Got banned on Twitter? Come to Gab! We’re different!”. When I eventually got in, it was a pro-Trump utopia, but I never saw anything I’d really say was that bad. It was the biggest self-serving hugbox I’ve ever seen and puts any SJWs to shame. You’d get live notifications with a frog croak that sounds like a small animal dying, and 300-char posts where you could write something meaningful, but it was lacking a lot of basic features. A major one was private messaging, as well as the lack of an API; why became apparent the further I dug into it.

Pusher Gab API

External Images Loading

When I first started looking into the back end with my favorite debugging proxy, Fiddler, I noticed literally everything is written in JavaScript (can I emphasize literally?), and all the interactions between Gab’s server and the browser were JSON. The biggest issue I saw was how link previews are built: Gab’s server pings every linked website, and then the client’s browser makes direct requests to that website in order to fetch the fancy summary images and such. Anyone who plants a link can therefore harvest the IP address (and User-Agent) of every user who views the post, and since it’s all JavaScript, there is high potential for Cross Site Scripting drive-by deanonymizing on top of that. After announcing a bit of this in public, some people have in private confirmed this is not just likely: they can do Cross Site Scripting attacks on Gab. Say what you want about Twitter, but at least they fetch and cache preview images through their own CDN, so their users’ browsers never talk to the linked site directly. Gab DOES have a CDN from Microsoft Azure for static assets, so why are they not protecting their users’ information? The conclusion I’ve come to is that Gab is made to be as cheap as possible while still somehow working, dangling off a cliff. The reason they have no API is because the API is Pusher.
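The fix for that preview leak is to rewrite every external image URL on the server so it points at your own proxy/CDN, and to sign the rewritten URL so the proxy cannot be turned into an open relay (the camo approach GitHub popularised). The following is an added example written for this page, not Gab’s code or anything from the original post; the proxy host name, the secret, and the sample post JSON are made up for illustration.

```python
import hashlib
import hmac
import ipaddress
import json
from urllib.parse import urlparse

# Assumed values for the example only: a real deployment keeps the secret
# out of source control and uses its own proxy host name.
PROXY_BASE = "https://img-proxy.example.invalid"
PROXY_SECRET = b"replace-with-a-long-random-secret"


def _is_public_http_url(url):
    """Only forward plain http(s) URLs and never internal hosts (anti-SSRF).
    Hostnames are allowed here; the proxy must re-check the resolved address."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return parts.hostname != "localhost"
    return ip.is_global


def proxied_url(url, secret=PROXY_SECRET, base=PROXY_BASE):
    """Rewrite an external image URL to a signed proxy URL (camo style).
    The HMAC over the URL means only URLs minted by the server are fetchable."""
    if not _is_public_http_url(url):
        raise ValueError("refusing to proxy %r" % url)
    digest = hmac.new(secret, url.encode("utf-8"), hashlib.sha256).hexdigest()
    return "%s/%s/%s" % (base, digest, url.encode("utf-8").hex())


def verify_proxy_request(digest, hexurl, secret=PROXY_SECRET):
    """Proxy side: recover the target URL only if the signature matches."""
    url = bytes.fromhex(hexurl).decode("utf-8")
    expected = hmac.new(secret, url.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, digest):
        return None
    return url if _is_public_http_url(url) else None


def rewrite_post_previews(post_json):
    """Rewrite every preview image in a post's JSON before it reaches browsers,
    so viewers' browsers only ever contact the proxy, never the linked site."""
    post = json.loads(post_json)
    for preview in post.get("previews", []):
        image = preview.get("image")
        if image:
            try:
                preview["image"] = proxied_url(image)
            except ValueError:
                preview["image"] = None  # drop the image rather than leak
    return post


# Constructed sample post (not real Gab data): one public image, and one
# attempt to make every viewer's browser hit an internal address.
SAMPLE_POST = json.dumps({
    "id": 1,
    "text": "look at this",
    "previews": [
        {"url": "https://example.com/page", "image": "https://example.com/a.png"},
        {"url": "http://10.0.0.5/", "image": "http://10.0.0.5/tracker.gif"},
    ],
})

if __name__ == "__main__":
    print(json.dumps(rewrite_post_previews(SAMPLE_POST), indent=2))
```

The proxy itself then fetches the image with its own egress IP, strips referrer and cookies, and caches the result; the user’s browser only ever sees the proxy host.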

No Infrastructure

This isn’t suspicious at all!

The next surprise was looking at the home page on Gab and seeing there was some kind of stats collector. I initially overlooked it, but I didn’t realize the significance until I took a second glance. This was some kind of build-it-yourself social media rapid deployment kit for dummies that handled all the back end work. I browsed over to the pricing plans they have, did some estimating of Gab’s current usage of approximately 30k posts per day, and they seem to fall into the $49 Startup plan at present. I suspect live notifications sometimes stop working for a bit because it might be a way to avoid having to upgrade to the next paid plan, or it could just be incompetence; it’s honestly hard to tell.

Pusher Pricing

I do know someone is going to say “what if they did the custom solution consultation”, but Pusher is for stuff like live chats and blog comments, not a knock-off improved Twitter, which is really 300-char blog comments. The amount of money spent on that kind of consultation is way above making a deal with a single developer (or many) to help build it at a fraction of the price, or in this case a single developer rigging Pusher. I think they use Pusher as a means to not spend money on proper hosting and a better solution, like GNU Social, which would require a back end with their own servers, or at least Amazon’s cloud.

What can you do in minutes?

This is a very significant discovery, as it explains the lack of features that are trivial for even a single developer to do: there just isn’t any support for them in their build-it-yourself social media back end for blog comments. Gab has been doing donation drives and giving people check marks to help support it, but there really isn’t much cost to run it, as the biggest parts of it are cheaply outsourced, like Pusher. The “beta testing” of uploading images before it becomes available to everyone is likely related to Microsoft Azure’s CDN prices per GB.

I’m not going to claim this is some kind of scam like the rest of Andrew’s projects, but if I was doing an exit scam, this is how I’d do it! Low overhead! He’ll get that sweet user data, and PayPal logins via password reuse; that is my opinion, anyway!

Disclaimer: !LOL! Hacking is illegal !LOL!

Last Minute Update:

The notorious hacker known as 4chin has contacted me to include a list of things you really shouldn’t do on Gab. There is no input validation and there are issues with authentication, so don’t use wget or curl, passing the cookies + UA + appropriate POST data anywhere; that is just naughty. The Grand 4chin also informed me that their data was already being sold by Gab and that they have no hashing on their passwords. LOL! This might be in relation to the current PayPal donations and those silly people who reuse their passwords while donating (just a theory). I’m not saying anything, but I think those people are going to have a bad time. There goes the neighborhood; oh well, epic sad face emoji that 😦 can’t express.

This Is Libel

JOIN https://sealion.club/ FOR A SAFE SECURE ALTERNATIVE TODAY! I GOT PAID OVER $9,000 DOLLARS TO PUT THIS HERE, SO PLEASE GO THERE, OK?!!>##>@!

 

I accept legal documents, requests, inquiries, and other related legal stuff I can post and publicly ridicule via email at LOLUMAD @ OCCULTUSTERRA DOT COM. You can optionally rage like a Muppet at 1-860-263-9252.


Random Updates!

gab-fixes-https

Days after these issues were raised by me, they started fixing some of the problems. The downtime to fix these problems was conveniently claimed to be DDoS attacks by girlfriend, in order to solicit malicious attacks against us for pointing out most of Gab’s security flaws. Talk about Free Speech, amirite? They don’t seem to like our Free Speech much, I wonder why! LOL!

What to watch out for in online activism ops

CommanderX Is A Wizard

“I am a law abiding citizen and can take no part in this Tom Foolery” – William Welna a.k.a. Sanguinarious

There is a lot of organized protesting of issues online, often referred to as ops, that is started to get people arrested, through intentional stupidity or on behalf of government actors. A great example of this intentional stupidity is anything ever started or touched by Christopher Doyon, otherwise known as “Commander X”. Mr. Doyon, indicted for using the most ineffective, worthless DoS tool of the modern computing era (ever since the invention and widespread usage of internet connections faster than dial-up), tried to take down PayPal via the free WiFi offered by a Starbucks coffee shop. He has not learned, and often encourages others to follow in his footsteps and be arrested on the same charges. He considers himself a political refugee for his courageous act of abusing free WiFi at a coffee shop to take down an online payment processor.

Anything calling for and supporting any illegal actions (claiming credit for them, giving attention to them, etc.), especially ones that are often felonies, should always be avoided. Linking yourself to and involving yourself in such online activism brings in the watchful eye of the feds, who are always itching to arrest people on anything they can, as well as their informants, who are always willing to snag an undesirable person on minor issues. It also gives way to possible conspiracy and accessory charges against you for the ill actions of others. Posting links and doing retweets can also end up as separate additional charges; Barrett Brown’s stupidity in linking to the credit card info of government contractors is a good example of things not to do.

The mistake that is all too common is thinking you can get away with some of these things without getting caught. You always assume your OPSEC is good enough, you’re good enough, they’ll never check that, and no one will find out; well, you’re wrong. Everyone makes small mistakes that leak information. Only a few can keep up perfect OPSEC under the added stress and have the knowledge to do so. Prosecution, as well as a superiority complex, always leads to dropping the soap on a bad day in prison. It is not a good time, unless you like that kind of thing.

“I came out of the tent and this thing goes right up on its fucking hind legs,” says Doyon, performing quite a credible impression of a roaring bear. “I got fucking piss running down my leg and shit. I just ran like hell.” – Christopher Doyon’s self-reflection on bears, camping, and why trying to cross the border into Canada as a fugitive isn’t fun.

Fun With Building Dedicated Encryption Devices

Sabu Model100

Introduction

Advances in technology in the name of convenience have also created major issues for privacy. Major threats as of late have been the reliance on smart phones, drive-by exploits, the emergence of the cloud, and Windows 10. Something as simple as clicking a link can mean total destruction of security, leading to major privacy and opsec breaches. There was a simpler time when the majority of these threats did not exist, due to the lack of attack vectors created by convenience, which in part inspired some of the choices for this project, such as the usage of old hardware.

Model100 Replaced Battery

Explaining Hardware Choices

The idea was to make something with a keyboard that would have a very small attack surface, and ideally none. In the beginning I was looking a lot into prototyping and building a small microcomputer, based possibly on an ARM, 8085/8080, or even a Z80. The issues were that this would take a lot of time, it wouldn’t be easily accessible due to the skill required to build it, and it could get pretty expensive.

There is still a mass of cheap, easy to acquire vintage microcomputers and gaming devices I could take advantage of. This would solve the biggest problem I could see for practicality, which is accessibility. The Model 100’s hardware and design is very ideal and easily fully exploited for this project. The keyboard has a nice feel, and this was probably why it was so widely used for its simple word processing capabilities, from journalists writing stories to students in schools. You can also get them for around $100 USD, and even less for ones in heavily worn condition, easily off eBay. A big bonus is ease of software distribution, as you can load software onto it by playing an mp3, a CD, or go all out with an original tape deck.

I have decided to go with the Tandy TRS-80 Model 100 computer for a variety of reasons, all of which I have explained here. The most obvious and first criticism I can think of for using such old hardware is: why not use a Raspberry Pi or an Arduino? Well, idiots use those, and I am not an idiot.

Arduinos are mostly for the know-it-alls who want a gold sticker for programming a microcontroller without any real need to truly understand the hardware or how it works. The entire sum of their knowledge can be summed up as a few pretty graphs, a flow diagram, and digitalWrite(1, HIGH).

Using a Raspberry Pi would be even more uninteresting, very much like watching an ice cube melt. It would also defeat the purpose and go against the core inspirations of this project by having an operating system striving to be Microsoft Windows Hipster Edition. Link a few libraries, call SuperSekretEncrypt(“I LIEK CAKE”), and celebrate: you are An Hero.

Model100 Case

Plans

The practical implementation of this project, in particular how two units would communicate, inspired much thought. At present I only see three possible mediums that could be implemented, minus the very obvious option of manually keying everything in on the keyboard like an 80s version of the German Enigma.

The first and most amusing solution is to get one of those mobile wireless modules that you put a SIM card in. The serial port of the Model 100 could handle communicating with one to send text messages with little effort via AT commands. The issue with this is that it could easily be tracked and monitored, and it gives a variety of potential opsec failures.

The second solution would be to use it very much like it was intended to be used, with a bit of modernization for cell phones. There is a built-in and rather slow modem that could easily be connected to a headset jack. It’s possible to use an acoustic coupler on a pay phone to recreate the famous scene from the movie Hackers. I’d imagine it would raise a few eyebrows if anyone saw you connect an ancient yellowing keyboard to a phone. This would suffer from the same issues as the first in relation to using some kind of phone.

The third solution is the one I have opted to do, and I have saved it for last on this list. It seems the most practical to simply connect the Model 100 up to a modern computer using a USB to serial adapter. This will allow easy transfer of encrypted text from the Model 100 to the computer and vice versa. Making a null modem adapter requires little skill and fits into the practical implementation aspect of this project; you can also buy commercially available adapters to further simplify this. Connect the cable, start terminal software on the modern computer, type your message, push a function key for sending, and copy the output from the terminal software on the modern computer into whatever communication medium you want. Decryption would be pushing the decryption function key, pasting the message into the terminal followed by an indicator like a double return to mark the end of said message, and reading the message on the screen. This is a simplification of the steps involved, as obviously it is a good idea to protect the private key with a symmetric encryption algorithm requiring a password, among other standard practices for public key encryption.

The details of the encryption implementation I have not fully decided on as of yet. There will be the obvious public key implementation of RSA and/or Diffie-Hellman coupled with a symmetric encryption algorithm. The three that come to mind that are practical in the constrained environment are Skipjack, RC4, or a variant of TEA, specifically XXTEA. The thought of using Skipjack kind of amuses me considering its history and originally intended purpose. RC4 would be the easiest to implement, having the fastest encryption times, with flexible key lengths, without resorting to encrypting already encrypted text a few times. Since the key would be randomly generated for each message, it will not suffer from some of the common vulnerabilities we all know and love from when they decided to use it in WEP. It can be susceptible, however, to a kind of known-plaintext attack: being a stream cipher, any known or guessable plaintext (greetings, signatures) directly reveals the keystream at those positions, and RC4’s keystream is known to be biased in its early bytes; that sadly kills its usefulness for text communications as far as I am concerned.
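As an added example, not code from the original post and not what will run on the Model 100 (that would be hand-written for the 8085), here is the symmetric half of that hybrid scheme in Python: XXTEA as published by Needham and Wheeler, a fresh random message key from the OS CSPRNG for every message, and an encrypt-then-MAC tag so a tampered ciphertext is rejected before anything is decrypted. HMAC-SHA256 and the padding scheme are my choices for illustration; wrapping the message key with the recipient’s RSA or Diffie-Hellman key is the step not shown here.

```python
import hashlib
import hmac
import secrets
import struct

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9


def _mx(sum_, y, z, p, e, key):
    # XXTEA mixing function, reduced mod 2^32 (inputs are already 32-bit,
    # so masking only the result gives the same value as C uint32 arithmetic).
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((sum_ ^ y) + (key[(p & 3) ^ e] ^ z))) & MASK


def xxtea_encrypt_words(v, key):
    """Encrypt a list of >= 2 uint32 words with a 4-word (128-bit) key."""
    v = list(v)
    n = len(v)
    if n < 2:
        raise ValueError("XXTEA needs at least two words")
    rounds = 6 + 52 // n
    sum_ = 0
    z = v[-1]
    for _ in range(rounds):
        sum_ = (sum_ + DELTA) & MASK
        e = (sum_ >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(sum_, y, z, p, e, key)) & MASK
            z = v[p]
        y = v[0]
        v[-1] = (v[-1] + _mx(sum_, y, z, n - 1, e, key)) & MASK
        z = v[-1]
    return v


def xxtea_decrypt_words(v, key):
    """Inverse of xxtea_encrypt_words (same round structure, run backwards)."""
    v = list(v)
    n = len(v)
    if n < 2:
        raise ValueError("XXTEA needs at least two words")
    rounds = 6 + 52 // n
    sum_ = (rounds * DELTA) & MASK
    y = v[0]
    for _ in range(rounds):
        e = (sum_ >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(sum_, y, z, p, e, key)) & MASK
            y = v[p]
        z = v[-1]
        v[0] = (v[0] - _mx(sum_, y, z, 0, e, key)) & MASK
        y = v[0]
        sum_ = (sum_ - DELTA) & MASK
    return v


def _pad(data):
    # Pad to a multiple of 4 bytes and at least 8 bytes (two words); the
    # pad length (1..8) is written into every pad byte, PKCS#7 style.
    pad_len = 4 - len(data) % 4
    if len(data) + pad_len < 8:
        pad_len += 4
    return data + bytes([pad_len]) * pad_len


def _unpad(data):
    pad_len = data[-1]
    if not 1 <= pad_len <= 8 or data[-pad_len:] != bytes([pad_len]) * pad_len:
        raise ValueError("bad padding")
    return data[:-pad_len]


def _to_words(b):
    return list(struct.unpack("<%dI" % (len(b) // 4), b))


def _from_words(w):
    return struct.pack("<%dI" % len(w), *w)


def encrypt_message(plaintext):
    """Return (ciphertext || 32-byte tag, message_key). The 32-byte message
    key is fresh per message: 16 bytes for XXTEA, 16 bytes for the MAC."""
    message_key = secrets.token_bytes(32)
    ct = _from_words(xxtea_encrypt_words(_to_words(_pad(plaintext)),
                                         _to_words(message_key[:16])))
    tag = hmac.new(message_key[16:], ct, hashlib.sha256).digest()
    return ct + tag, message_key


def decrypt_message(blob, message_key):
    """Verify the tag in constant time first; never decrypt unauthenticated data."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(message_key[16:], ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed; not decrypting")
    words = xxtea_decrypt_words(_to_words(ct), _to_words(message_key[:16]))
    return _unpad(_from_words(words))
```

The message key must never be reused: XXTEA has no nonce or IV, so two identical messages under the same key produce identical ciphertext. XXTEA is also not a modern choice; Elias Yarrkov published a chosen-plaintext attack on the full cipher in 2010 needing on the order of 2^59 queries, impractical against a device that encrypts a few text messages a day but worth knowing before picking it.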

The most important and critical requirement is a proper CSPRNG. Without this implemented properly, it is essentially as good as having no encryption at all, or at the very least, as good as using a Caesar cipher with pen and paper. So how is it possible to get random numbers good enough for cryptography on hardware with no reliable random seed source? Well, we can take this further than just pseudo-randomness: you build a TRNG, obviously! (Dice not included.) Welcome to the theory and implementation of a very random seed source: zener diode avalanche noise. There are a few ways of making a true random number generator, but this method is the easiest and most practical to build, unless you want to go into messing with radioactive materials and give yourself a nice glowing touch. As strange as this may sound, there was an optional barcode reader with a corresponding connection port for the Model 100, which looks to be perfectly usable for connecting our TRNG to.
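As an added illustration, not part of the original post, here is the software side of turning raw avalanche-noise samples into a usable seed: a health test that catches a stuck source, von Neumann debiasing, and hashing the debiased bits down to a 32-byte seed. The “noise” below is a deterministic, biased stand-in produced with Python’s `random` module so the example runs offline; on the real device it would be comparator bits read off the barcode port, and the min-entropy figure used for the cutoff is an assumption that has to come from measuring the actual circuit.

```python
import hashlib
import math
import random


def repetition_cutoff(min_entropy_per_bit, alpha_log2=20):
    """SP 800-90B repetition count cutoff: C = 1 + ceil(-log2(alpha) / H),
    with alpha = 2^-20 as in the spec."""
    return 1 + math.ceil(alpha_log2 / min_entropy_per_bit)


def repetition_count_ok(bits, cutoff):
    """Fail if any value repeats `cutoff` times in a row: an open input or a
    saturated amplifier produces long runs, and a hash would hide that."""
    run, last = 0, None
    for b in bits:
        if b == last:
            run += 1
            if run >= cutoff:
                return False
        else:
            last, run = b, 1
    return True


def bias(bits):
    """Fraction of ones; 0.5 is unbiased."""
    return sum(bits) / len(bits)


def von_neumann(bits):
    """Pairwise debiasing: 01 -> 1, 10 -> 0, 00 and 11 discarded. Exact for
    independent bits with any fixed bias; keeps about 2p(1-p) of the input."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(b)
    return out


def seed_from_raw(bits, min_entropy=0.5, min_debiased=512):
    """Condition raw comparator bits into a 32-byte seed. Hashing the debiased
    stream also smooths residual correlation that von Neumann cannot remove.
    min_entropy=0.5 is an assumed per-bit figure for the illustration."""
    if not repetition_count_ok(bits, repetition_cutoff(min_entropy)):
        raise RuntimeError("noise source failed health test")
    clean = von_neumann(bits)
    if len(clean) < min_debiased:
        raise RuntimeError("not enough entropy collected: %d bits" % len(clean))
    packed = int("".join(map(str, clean)), 2).to_bytes((len(clean) + 7) // 8, "big")
    return hashlib.sha256(packed).digest()


def constructed_noise(n, p_one=0.7, seed=1):
    """Stand-in for ADC samples from the diode: deterministic, biased towards
    ones, and NOT random. Only here so the example runs without hardware."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


if __name__ == "__main__":
    raw = constructed_noise(8000)
    clean = von_neumann(raw)
    print("raw bias %.3f, debiased bias %.3f, kept %d of %d bits"
          % (bias(raw), bias(clean), len(clean), len(raw)))
    print("seed:", seed_from_raw(raw).hex())
```

Feed the seed into whatever CSPRNG runs on the device, and keep the health test running on every batch, not just at start-up: a diode that fails or a lead that comes loose in the field should stop the device producing keys, not silently produce predictable ones.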

Give me money

As you can imagine, this project will cost, and has cost, some money. I will be working on this project to completion regardless of any donations, detailing the specifics of building and programming in future blog posts. As I am putting all this information out in public to benefit everyone, I am giving anyone who feels like contributing by funding some of the costs, or who just wants to give me money because I am Godly, the option to do so.

Bitcoin Address: 1Hbg26e7RRaguVG2ZuDZWMvGVWGfSykVCe

Model100s