Cryptome has been leaking its user logs for over a year

Michael Best themikebest@gmail.com
Wed Oct 7 14:26:51 PDT 2015


Let me begin by saying that Cryptome initially denied the leak, then that
the data was stolen, then that the whole thing was a fake "a lie by [a]
spy-newbie." Look at the data itself and examine the multiple sources, then
decide for yourself.

It's important to note that the logs were not just found in the USBs John
Young/Cryptome sent to me, but in the ones sent to "bandmon", who unless
I'm mistaken is coderman@gmail.com
https://thepiratebay.mn/torrent/11113511/Cryptome_archive_2014-06-02

Original post at
http://that1archive.neocities.org/subfolder1/cryptome-leaked-logs.html

If you haven't read why the alleged GCHQ slide showing spying on
Cryptome.org's users could have been made by anyone, I recommend you do so
before reading this
<http://that1archive.neocities.org/subfolder1/gchq-cryptome-slide.html>
http://that1archive.neocities.org/subfolder1/gchq-cryptome-slide.html. In
summary, I showed that the information on the slide could have been mocked
up, depsite matching the logs for Cryptome.org. Cryptome has denied the
accuracy of my data, while oddly accusing me of stealing the data, and
leaves me with no alternatives to posting the data online for others to
review and verify.

The data came from Cryptome itself, on a pair of USBs they mailed to me
<https://archive.org/details/cryptome-archive>
https://archive.org/details/cryptome-archive. Within those USBs were server
logs that include user IPs (spanning several months), .htaccess files, and
a pwd file. After finding the data in the USB Cryptome had just sent me, I
sent an email attempting to verify it hadn't been included as something
extra that was not for public distrubition:

Subject: Quick USB question
From: Michael Best
To: John Young
Double checking that the USBs that you sent were prepared as-is and no
different from any other versions, except updated through August 14 2015.

John Young sent back an accusatory email:

To: Michael Best
From: John Young
Subject: Re: Quick USB question
Don't know. Updates generated scratch. Prepare to be surprised if not
deceived by anything digital or analogue or intergalactic. Especially if
authenticated, signed, sealed, shipped through thickets of traps and
contaminants. You know that, though, and are just being humorously baiting
and entrapping. Like Archive.org and Wikipedia and gosh the whole mess
seething with malevolence.

I replied to John:

Subject: Re: Quick USB question
From: Michael Best
To: John Young
Don't mean to bait or entrap, but asking questions with too much context
can be leading. I'm not worried about hidden payloads or anything, I want
to make sure that it was (as far as you know) the vanilla version of the
August 2015 archive and you hadn't purposefully included any extra
information for me to peruse before I posted my findings publicly.

John did not respond.

Since John made a point out of the USBs being generated from scratch every
time, I couldn't be sure how long the data had been available. After some
digging, I found a copy of Cryptome's archive apparently uploaded by
coderman[at]gmail.com AKA bandmon. You can find that torrent here
<https://thepiratebay.mn/torrent/11113511/Cryptome_archive_2014-06-02>
https://thepiratebay.mn/torrent/11113511/Cryptome_archive_2014-06-02. I
downloaded the torrent to a remote server, unzipped the files and confirmed
there were log files there as well.

It was my strong preference **not** to post this, but since Cryptome has
refused to validate the data, there is no other way to authenticate it than
to release it to the public along with how to find that information in the
Cryptome USBs/CDs and their various mirrors. It was not my intention to
humiliate Cryptome or expose their users, only to demonstrate that the
slide allegedly proving the GCHQ has spied on Cryptome.org could have come
from anywhere. Despite being accurate, the information is not proof of
surveillance or anything nefarious. In short, the alleged GCHQ could have
been produced by GCHQ as an internal mockup, or forged by anyone with
access to an internet connection.

In addition to the links below, you can also download a complete copy of
the dataset from Cryptome <https://archive.org/details/cryptome-archive>
https://archive.org/details/cryptome-archive as well as download a .zip of
all of the leaked logs
<http://that1archive.neocities.org/cryptome/cryptome-leaked-logs.zip>
http://that1archive.neocities.org/cryptome/cryptome-leaked-logs.zip and
peruse them in your own time.

Cryptome's leaked logs:

http://That1Archive.neocities.org/cryptome/access.pwd
http://That1Archive.neocities.org/cryptome/htaccess (4)
http://That1Archive.neocities.org/cryptome/htaccess (3)
http://That1Archive.neocities.org/cryptome/htaccess (2)
http://That1Archive.neocities.org/cryptome/htaccess (1)
http://That1Archive.neocities.org/cryptome/htaccess
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.alldomains.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.allhosts.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.allrobots.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.browserdetail.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.errors404.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.keyphrases.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.keywords.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.lasthosts.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.lastrobots.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.osdetail.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.refererpages.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.refererse.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.session.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.unknownbrowser.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.unknownip.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.unknownos.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.urldetail.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.urlentry.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0911.urlexit.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.alldomains.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.allhosts.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.allrobots.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.browserdetail.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.errors404.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.keyphrases.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.keywords.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.lasthosts.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.lastrobots.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.osdetail.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.refererpages.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.refererse.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.session.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.unknownbrowser.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.unknownip.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.unknownos.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.urldetail.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.urlentry.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.0912.urlexit.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.alldomains.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.allhosts.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.allrobots.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.browserdetail.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.errors404.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.keyphrases.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.keywords.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.lasthosts.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.lastrobots.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.osdetail.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.refererpages.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.refererse.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.session.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.unknownbrowser.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.unknownip.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.unknownos.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.urldetail.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.urlentry.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1001.urlexit.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.alldomains.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.allhosts.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.allrobots.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.browserdetail.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.errors404.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.keyphrases.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.keywords.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.lasthosts.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.lastrobots.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.osdetail.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.refererpages.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.refererse.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.session.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.unknownbrowser.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.unknownip.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.unknownos.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.urldetail.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.urlentry.html
http://That1Archive.neocities.org/cryptome/awstats.1331504.1002.urlexit.html
http://That1Archive.neocities.org/cryptome/awstats012010.1331504.txt
http://That1Archive.neocities.org/cryptome/awstats022010.1331504.txt
http://That1Archive.neocities.org/cryptome/awstats112009.1331504.txt
http://That1Archive.neocities.org/cryptome/awstats122009.1331504.txt
http://That1Archive.neocities.org/cryptome/home.htm
http://That1Archive.neocities.org/cryptome/index.shtml

If the information is a mockup as Cryptome alleges, then it was created and
distributed by them as part of an insane piece of disinformation designed
to implicate users who are innocent of even visiting Cryptome.org. Far more
likely is that Cryptome has been unaware of these ongoing leaks, refused to
discuss them with me and then attempted to deny their reality.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cpunks.org/pipermail/cypherpunks/attachments/20151007/91a2bcef/attachment.html>


More information about the cypherpunks mailing list