Tuesday, August 16, 2016

How Tor Users Got Caught Part 2 Cliff Notes

The following is just my notes for my video, How Tor Users Got Caught Part 2.

In the video I go over a handful of cases and explain what happened. The vast majority of cases are human error: telling someone, or selling drugs via the postal service. However, there are other cases where users have been de-anonymized through operations like Operation Onymous, where malicious relays were set up, and through other attacks by which users’ IP addresses and servers were discovered. The last case goes over the investigation process that police follow to discover someone. It is a good example of how well you need to cover your tracks, because it only takes one piece of evidence to unravel everything.

Unknown 14 year old: https://www.deepdotweb.com/2016/06/09/dark-net-bomb-threats-shut-florida-high-school-one-minor-arrested/

The 14-year-old boy was identified through investigations, by talking to students, teachers, and others to home in on the boy. A warrant was issued for the boy’s phone and investigators discovered that the boy had been surfing the dark net.

“This student was so sophisticated with his knowledge that the phone he was using is what we call jail broken, which means it may look like a normal phone but if you put a certain password in, there is a completely different operating system. That is where he was able to secure services from the dark web. You can buy anything from bazookas to bomb threats. Other illegal activity occurs on that off the grid website,” investigators said.

Jacob Theodore George IV, a major early heroin vendor known as “digitalink” on Silk Road, was arrested in January 2012, after his packages had been repeatedly intercepted for at least the previous six months. George knew about the interceptions, but he bragged online about how he had sweet talked his way out of any problems. Some buyers were unconvinced—more than one called him an idiot and predicted his imminent arrest—but digitalink kept shipping heroin and a handful of other drugs out to customers until the cops knocked down his door. It is not clear from George's plea agreement how or exactly when authorities located him, but he granted investigators access to emails, shipping records and financial statements related to his business, according to the document.

BRIAN RICHARD FARRELL, 27, who used the moniker “DoctorClu”
FARRELL was one of the small staff of online administrators and forum moderators who assisted Blake Benthall with the day-to-day operation of the website. Benthall and this small staff controlled and oversaw all aspects of Silk Road 2.0, including, among other things: the computer infrastructure and programming code underlying the website; the terms of service and commission rates imposed on vendors and customers of the website; and the massive profits generated from the operation of the illegal business. FARRELL, operating under the moniker “DoctorClu,” was involved in activities such as approving new staff and vendors for the website, and organizing a denial of service attack on a competitor. When a search warrant was served at FARRELL’s Bellevue home, agents seized $35,000 in cash as well as silver bullion and various types of drug paraphernalia.

“As one of the key masterminds and coordinator of the Silk Road criminal marketplace, Farrell profited from the destruction of untold lives,” said Brad Bench, Special Agent in Charge of HSI Seattle. “Criminals who operate digital black markets and those who trade their illicit goods on them quite mistakenly believe they are above the law. It is one of HSI’s top priorities to shut down these hidden websites and bring their criminal operators and customers to justice.”


According to the complaint, when federal agents asked Farrell if he could help them identify other top people who had been involved with Silk Road 2.0, Farrell told them “You're not going to find much of a bigger fish than me.”

The US has charged Farrell with one count of conspiracy to distribute cocaine, heroin, and methamphetamine.

Special Agent Michael Larson described how the feds found Farrell in a deposition:
Between January 2014 and July 2014, a source of information provided law enforcement with particular IP addresses that had accessed the vendor portion of SR2 [Silk Road 2.0]. A user could not accidentally end up on the vendor portion of SR2. Rather, SR2 administrators/moderators restricted access to the vendor portion of the site to vendors who had conducted a certain amount of transactions. In addition, a user required a username and password to access the vendor portion of SR2.

At the end of July, Homeland Security Investigations in Seattle received a lead on one of the IP addresses and pulled Comcast records to find that the IP address matched the address of one of the investigators' cooperating witnesses. The cooperating witness (abbreviated as CW1 in the complaint) was roommates with Farrell, and said “that he/she had learned about the Silk Road and the 'dark net' from FARRELL,” adding that he was a “computer wizard” and maintained a server in the garage. Farrell also “obsessively” tracked his packages online and “babysat” the mailbox according to CW1's information.

The roommate also provided the feds with a box of Xanax pills that had been addressed to Farrell. On January 2, 2015, agents served a search warrant on Farrell's residence, and confiscated “various computer media, various prescription medications, drug paraphernalia, silver bullion bars valued at $3,900, and approximately $35,000 dollars.”

An FBI Source of Information (SOI) provided “reliable IP addresses for TOR and hidden services such as Silk Road 2.” Quite a few parts of the site were included, such as the main marketplace, the vendor section, the SR2 forum and the support interface.

The information provided by the institute to the feds led to the location of the Silk Road 2 servers, which helped in the identification of “at least another seventeen black markets on TOR”. This refers to Operation Onymous, in which law enforcement authorities in several different countries took down dark net marketplaces and scam sites in a synchronized operation.

However, that’s not all the information; the warrant also states:
“The SOI also identified approximately 78 IP addresses that accessed a vendor .onion address,” referring to the users of Silk Road 2.0.

When Farrell’s case came to court, the defense made this statement:
“On October 12, 2015, the government provided defense counsel a letter indicating that Mr. Farrell’s involvement with Silk Road 2.0 was identified based on information obtained by a ‘university-based research institute’ that operated its own computers on the anonymous network used by Silk Road 2.0.”

The defense also asked for more evidence on the academic institute that anonymously provided information to the FBI. After that, the defense made this statement:
“To date, the government has declined to produce any additional discovery.”

There is no proof of this, only speculation, but there is a chance that the group of relays that were trying to deanonymize Tor users was set up by the same university. The relays joined the network on January 30 and were removed by the Tor Project on July 4, the same interval during which the unnamed SOI provided information to the bureau. Nick Mathewson, co-founder of the Tor Project, made this statement regarding the case:

“If you’re doing an experiment without the knowledge or consent of the people you’re experimenting on, you might be doing something questionable—and if you’re doing it without their informed consent because you know they wouldn’t give it to you, then you’re almost certainly doing something wrong. Whatever you’re doing, it isn’t science.”

Farrell wasn’t the only one who had to appear before a court on charges that came from the mysterious SOI. Gabriel Peterson-Siler, whose hearing was held on November 1, was charged with possession of child pornography. In June 2014, the same time interval in which Farrell’s IP address was provided to the FBI, an investigation into Peterson-Siler revealed an IP address that belonged to the man. After his house was searched in September 2014, he was charged with possession of child pornography in April of this year, and pleaded not guilty to all charges. Peterson-Siler’s defense requested the same information and evidence on the source that provided the IP address that led to the man’s bust.

It is not confirmed, but there is a good chance that the SOI academic institute was Carnegie Mellon University, where researchers have been paid at least $1 million by the FBI. The Tor Project published this in a blog post:

“Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses “research” as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks — If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.”

On 5 November 2014, as the final piece of Operation Onymous, the operator of Silk Road 2, Blake Benthall / “Defcon” was arrested in San Francisco (press release; complaint). It is highly likely that the undercover agent Cirrus had enabled the locating of the SR2 server, which Benthall apparently had rented under his own name (possibly at his employer Close’s hosting), after which his Bitcoin spending (on a Tesla) was noted and surveillance correlated Defcon’s activities with Benthall’s; after being arrested, he “did admit to everything”.

On 6 November 2014, David & Teri Schell were arrested in California for selling marijuana and marijuana wax (complaint, PACER); additional coverage indicated they were investigated after “discovering an Internet Protocol address was accessing the Silk Road 2.0 site” and then PO box surveillance nailed them. The DoctorClu case reveals that the seller portal for SR2 had been used to de-anonymize a few IPs (but not many), implying that an undercover agent (presumably Cirrus) had inserted a de-anonymization exploit similar to the previous Freedom Hosting exploit. They were probably the SR1 & SR2 seller “CaliforniaCanibas” (profile).

Richard Armendariz worked as a U.S. Customs and Border Protection analyst for 42 years. Two days ago a federal judge denied Richard’s bond at a hearing. Armendariz, 69, was arrested as part of a massive investigation into child pornography on the dark net. The dark net is only accessible with the use of Tor, a browser that allows you to view normal websites anonymously but also lets you access websites normal browsers can’t.

Armendariz, as testimonies have revealed, is related to former Texas appellate judge Albert Armendariz Sr., who died in 2007. Armendariz Sr. was a former civil rights leader and founder of the Mexican American Legal Defense and Educational Fund; he was also a federal immigration judge. During the time Richard Armendariz Sr. worked for the agency he was stationed in Miami, Florida, and in Colombia. He also had top-secret clearance.

When Richard retired five years ago he moved back to San Antonio, Texas, where his two sons live. He was one of 215,000 people the FBI has connected to a website it seized that made child porn available on the dark net. This is just one of the many arrests that are going to be made as a result of the FBI takeover of Playpen. The FBI’s investigation consisted of infecting the site with malware, gaining control of Playpen, and running it on their servers for two weeks in order to trace the website’s users.

“There is a part of him that is completely unknown to his family. This man has had a demonstrated sexual interest in prepubescent children for 36 years,” Assistant U.S. Attorney Tracy Thompson told U.S. Magistrate Judge John Primomo during Tuesday’s hearing.

At the hearing there was also a woman who alleged Armendariz molested her in El Paso. The woman said the molestations happened from the time she was 11 years old, until she was in high school. She stated that she was 20 when she finally told her parents what Armendariz was doing to her.
“It changed everything in my life. It made it difficult to have healthy sexual relationships. I was acting out. Trust is a big issue…a lot of destructive behavior,” the woman said in court. The woman’s father confronted Armendariz in the late 80’s and the alleged molestations stopped. He was never charged with anything.

Jeff Baker, an FBI Special Agent, told the court that their Playpen investigation targeted Armendariz specifically at the beginning of May 2015. It wasn’t until September that FBI agents raided his home and confiscated his laptop and computer equipment. Baker also testified that “Playpen was the largest child porn ring in existence on the Tor network.”

Armendariz testified he had been searching for and viewing child pornography via the encrypted Tor network for three years. Armendariz’s attorney also told the Magistrate “Armendariz’s favorite section was toddlers. Some of it involved horrible sexual abuse; some of it is described as mutilation.”

With more than 117,000 posts and an average of 11,000 unique visitors a week, Playpen has been proven to be one of the biggest sites on Tor. The investigation was kept secret until November, when news reports in a San Antonio newspaper covered three local men being charged in connection with it. It’s still unclear how many of the 1,300 people identified by their IP addresses have been arrested.

Jeff Baker spent quite a few years investigating child abuse and exploitation cases. He also testified that the content of Playpen was some of the worst child abuse material he had ever seen, and that it included images and video of children of all ages being raped and tortured. Items confiscated from Armendariz’s home contained 800 images and 140 videos of child pornography of varying degrees.

Armendariz’s defense attorney argued that he was forthcoming with the FBI during the September raid on his home and admitted to being in possession of child pornography. Defense attorney Davis also argued that her client is not a danger to the community because there was no evidence that Armendariz had any kind of sexual interaction with children other than 30-year-old accusations. Magistrate Primomo agreed that Armendariz was not a flight risk, but believes he is a danger to the community.

“I’ve known Baker for a long time, and for him to say this is the worst that he has ever seen leaves a strong impression in my mind,” Primomo said. “The evidence of the molestation is uncontested. There is no indication of remorse. There is no indication of any apologies.” The judge went on to say that he couldn’t risk the possibility that Richard Armendariz would act out sexually with children if he were to release him on bond.

OPSEC Fail: Ex-Judge Arrested In Online Impersonation Case
Online impersonation is a crime in Texas, and former Judge Christopher Dupuy is being charged with two counts of it. In a case similar to that of Preston Alexander McWaters, the 43-year-old also has problems handling rejection from women.

You see, Dupuy had known a woman – let’s call her Jane – for 20 years and had dated her for 6 years until she ended the relationship in August 2014 and decided to marry someone else. That marriage didn’t work out and Jane got a divorce. She had Dupuy represent her in the divorce proceedings in which he at one point asked her if they could be in a relationship together again. Jane declined and he was angered by this.

Dupuy began aggressively stalking her on Facebook and making comments about other men she interacted with; he also saved pictures and sent them to her with derogatory remarks. Jane put up with this until her divorce was finalized in November 2014, then cut off all contact and ignored him. She told the investigating officer, Scott Hardcastle, that Dupuy had been harassing her ever since they broke up in August 2014.

In December 2014, he graduated from Facebook harassment to something more sinister. Jane began receiving several phone calls and text messages. Finally answering one of the calls, she found out that an advert on backpage.com presented her as a prostitute. The advert stated she charged $70 an hour. Jane told the Deputy she contacted that she isn’t a prostitute, didn’t post the advert, and didn’t give anyone permission to post it. She told the Deputy that she suspected Dupuy was behind this.

Hardcastle interviewed Jane in January 2015, where she told him what she had told the Deputy. He then looked into Dupuy’s background and found out that he was a Judge. Six days later, he sent a subpoena to backpage.com and learned the user name, email address, home address, IP address, and credit card number of the account that posted the advert. The home address used was Jane’s and the account was associated with numerous IP addresses.

Apparently, the account made two adverts for the same person – Jane. One advert used a picture that Jane took while she was dating Dupuy and had only sent to one person – Dupuy.

Hardcastle looked into the credit card number and, using a BIN checker, found that it was a Visa credit card. After contacting Visa, he was redirected to GreenDot, who told him it was a gift card that wasn’t registered to anyone, so they were of no help.

After that dead end, Hardcastle turned his attention toward the IP addresses. One was an IP address in Germany connected to the provider 23Media, and the other an IP address in Venezuela connected to the provider Roya Hosting. He quickly determined that these IP addresses were VPNs.

When the Venezuelan national police cyber-crimes unit was contacted, they told Hardcastle that the address “resolves to the state owned telephone and internet company C’Amv” and “that this hosting service is designed to conceal the true location of the user and that there would be no further way to discover the identity of the user”.

Germany was of no help either: when Hardcastle reached out to Homeland Security to assist him, they told him that they weren’t able to trace the identity “due to the fact that Germany only retains IP Address logs for seven days”.

Hardcastle never determined which VPN service the IP addresses belonged to, but the hosting providers have been associated with a few, including HideMyAss. The Houston Press reports that Dupuy used HideMyAss, but Hardcastle’s affidavit never states this.

And so, Hardcastle looked into the user name of the backpage account, “Don Tequila”. He determined that it was a false alias associated with a Facebook page that makes negative comments about Dupuy and expresses hatred of him. Hardcastle moved on to the next piece of information associated with the backpage account – the email address, dontequila1900@hotmail.com.

A subpoena was issued to MSN Hotmail in late February 2015 and they responded with the requested information in May 2015. The name listed on the email account was Don Tequila and it was registered using a VPN IP address in Germany.

However, a history of IP addresses associated with the email address was provided as well. One of those IP addresses was located in League City, Texas, and provided by Comcast. Four days later, a subpoena was sent to Comcast and – surprise, surprise – the records showed that the subscriber for that IP address was Christopher Dupuy.

A search warrant was executed in June 2015 for Dupuy’s residence, and when his door was kicked in, he was found in the kitchen. When asked to put his hands up, a bullet fell from his hand. Hardcastle asked for the gun and Dupuy complied and told him where it was. He found a 9mm pistol.

While Dupuy’s residence was searched, a bag was found in his bathroom hidden between the toilet and bathtub.

Dupuy was charged with two counts of online impersonation and his bail was set at $600,000 but was later reduced to $400,000.

Robot Arrested: http://www.cnbc.com/2015/04/21/robot-with-100-bitcoin-buys-drugs-gets-arrested.html

Teenager Arrested for Trying To Buy Glock Pistol From The Dark Web
Megan Schadeberg (19), from Carmarthenshire, had attempted to buy a Glock handgun from the dark web and said she wanted to “kill herself and kill the world,” according to the court. During the house search, police found books on mass shootings in which the girl had made notes. They also found a diary in which Schadeberg said that she “hated everyone” and “did not feel anything for other people”.

On the 19-year-old’s iPhone, the law enforcement authorities found the link to a dark net marketplace where Schadeberg had put a Glock G21 and ammunition for it in a shopping basket and loaded £240 in Bitcoins into a wallet, which she could use for a down payment on the weapon and the bullets.

Schadeberg pleaded guilty to attempting to buy a prohibited weapon in October last year when she appeared in the dock at Swansea Crown Court last week. According to official court documents, her plan to buy a gun came to light after she told a psychiatrist about it, who then alerted police.

The court also heard that Schadeberg was suffering from “some form of psychotic illness”. According to Craig Jones, for the defense, the girl’s actions had been “a cry for help”.

Judge Paul Thomas QC described the case as “terribly sad and also very worrying” and made a hospital order detaining the teenager so she could be treated.


Introducing human error
In 2011, the Dark Net’s first drug markets opened up for business.

Silk Road, Black Market Reloaded, and the Farmer’s Market transformed the illicit goods industry within months of migrating to the anonymous Tor network. While the markets flourished quickly, the arrests actually began quietly the same year that Silk Road started.

An as-yet-unnamed confidential source gave federal investigators a crash course in how Silk Road worked in November 2011. He also gave them access to a vendor’s account, as well as the names and addresses of Silk Road customers around the world.
In 2012, the arrests became more prominent.

Over the next two years, dozens of dealers and customers were arrested for drug operations on the Dark Net. The cause wasn’t Tor itself—the most obvious common denominator—it was human error.
George’s shipments, and those by others like him, were caught and flagged while they were being mailed. Many had poor “stealth” for their packages, making them easily detected by postal workers and drug dogs.

Even some of Silk Road’s biggest operations have been brought down via the postal service. Deep Web heroin kingpin Steven Lloyd Sadler and his partner-in-crime girlfriend, Jenna White, sold heroin, cocaine, and meth by the bundle on the Dark Net, shipping high-quality product at premium prices to earn over $105,000 per month. But White was flagged by postal workers after she parked in front of security cameras at post offices, bought masses of stamps at once, and visited often enough to be identified as the woman with handwriting identical to those found on intercepted packages containing heroin.

Dark Net drug dealers don’t just make mistakes in the regular mail. They also make them in email.
In April 2012, the Farmer’s Market (TFM) was shuttered and its administrators arrested after a two-year investigation by the Drug Enforcement Agency.

TFM, which had been operating for at least six years online, had only recently made the move to Tor in order to improve security. TFM’s owners also used Hushmail, a Canadian operation that advertises itself as powerfully encrypted private email. The problem was that Hushmail itself could decrypt the emails, so when police subpoenaed the company, every single email was an open book for law enforcement.

When Silk Road fell in 2013, the arrests of dozens of Tor users for drug offenses were made public all at once. Many wondered, in the wake of Edward Snowden’s NSA leaks, if the program itself was broken.

Even today, months after Ross Ulbricht was sentenced to life in prison, there are still many unanswered questions about his arrest. The FBI claims that the black market accidentally gave up its location due to trivial but profound mistakes made by Ulbricht when he configured Tor for the hidden service he operated. Critics among the information security community, however, believe the FBI hacked in by attacking Silk Road with unexpected commands and forcing the server to mistakenly give up its location.

The speculation surrounding the specifics of Silk Road’s fall has persisted even through Ulbricht’s surprisingly fast trial in February 2015.

In almost all the cases we know about, it’s trivial mistakes that tend to unintentionally expose Tor users.

Several top Silk Road administrators were arrested because they gave proof of identity to Dread Pirate Roberts, data that was owned by the police when Ulbricht was arrested. Giving your identity away, even to a trusted confidant, is always a huge mistake.

A major meth dealer’s operation was discovered after the IRS started investigating him for unpaid taxes, and an OBGYN who allegedly sold prescription pills used the same username on Silk Road that she did on eBay.

Likewise, the September 2014 arrest of a pedophile could be traced to his use of “gateway sites” (such as Tor2Web), which allow users to access the Deep Web but, contrary to popular belief, do not offer the anonymizing power of Tor.

“There’s not a magic way to trace people [through Tor], so we typically capitalize on human error, looking for whatever clues people leave in their wake,” James Kilpatrick, a Homeland Security Investigations agent, told the Wall Street Journal.

Tor isn’t perfect. It’s an ambitious piece of open-source software run off of grants and donations that is constantly under scrutiny from all corners. The regular security updates and constant work that goes into the product prove that there is still work to be done.

Tor’s greatest Achilles’ heel, however, remains its users.

When Tor users are arrested, “it usually does not involve the core technology being cracked or being hacked in any way,” Nik Cubrilovic, an Australian cybersecurity consultant, told Politico. “It’s usually something else.”

Hackers with a badge
On the morning of Aug. 3, 2013, every site hosted by Freedom Hosting crashed.
Freedom Hosting was the most popular hosting service on the Deep Web, described by the FBI as the “largest facilitator of child porn on the planet.” It was even the target of attacks from groups like the hacker collective Anonymous.

The fall of Freedom Hosting—a case that is still in its early stages—is one of the big question marks in Tor history. The case has moved slowly due to its international nature, and police have revealed precious little about how they found Freedom Hosting and arrested its alleged owner, Irishman Eric Eoin Marques.

See more at: http://kernelmag.dailydot.com/issue-sections/features-issue-sections/13606/tor-arrest-history/

Huge List:

On 26 September 2014, the 21yo South Australia man Ryan James Norman was arrested while picking up a package from the post office after Customs intercepted a shipment of ~5000 doses of 25i-NBOMe from Canada; he was sentenced in September 2015 to 3.5 years. It later emerged that he was a seller on SR2; I have identified Norman as the SR2 seller “MagicAU” based on similar products and MagicAU vanishing from SR2 during 26-28 September 2014, immediately after Norman was raided, and MagicAU’s relatively young vendor age which matches the description of Norman as having sold for ~2 months before being arrested.

During April 2015, a 40yo German man in Würzburg was arrested for purchases of MDMA, cocaine, amphetamines, cannabis & “synthetic” drugs totaling kilograms off of SR2 (he does not seem to have been a SR2 seller, indicating he was a local reseller) and earlier markets starting in 2012. The investigation appears to have relied on FBI forensic analysis of the seized SR2 server’s PMs (he, like many, apparently had not been using PGP in communicating with his sellers) and also German customs intercepts of several orders.

In early May 2014, the SR2 seller “Xanax King” (Jeremy Donagal) & his associates were arrested (DEA press release); he ran a very large operation with multiple employees, purchased ingredients using Western Union & wire transfers to China, “sold drugs locally, distributing Xanax tablets, GHB, and steroids”, some sort of clearnet website (xkloves.us, content removed in lieu of a now-defunct Tor hidden service), and had at least one “confidential informant” in his organization (see the anti-bail letter), who was handling their SR2 orders at the end according to a media report (some buyers reported being asked to resend their PGP-encrypted addresses).

The fallout from XK’s bust has been substantial: the anti-bail letter claims “In addition to the nine defendants in this case, evidence gathered from Defendant’s enterprise led to the arrest of nearly 60 other people throughout the country”. Several of his customers received controlled deliveries and have been arrested as well. 2 controlled deliveries on 28 May picked up 4 men in Bloomington, Indiana (Carlos Matthew Allen, David Christian Feigel, Paul Furto, & Andrew C. Dickey). Kory D. Kreider in New Orleans, Louisiana, whose pickup of a package was surveilled, managed to evade arrest on 29 May but was arrested a few days later using cellphone records & Facebook data. Some other CDs in late May/early June 2014 are highly likely to be XK-related. In Naperville, Illinois, Brian Patrick Noone was arrested on 30 May 2014 after a search warrant yielded 600 Xanax pills, apparently based on “a tip from a federal task force about drug trafficking in Naperville”. In Nashville, Tennessee, 3 people (Demarcus Blue, Markuite Matthews, & Adrevious Rayner) were arrested after a CD on 29 May 2014 of 5000 gel cap Xanax pills sent by “An alleged drug ring” shipping from California, and the mailer “was taken into custody at the end of last week”.

In “last fall” (Fall 2014), US Air Force cadet Nathaniel Penalosa’s dorm room was searched and a military investigation launched into his sale of drugs to fellow students at the USAF academy, including LSD, molly/methylenedioxy-methamphetamine, and modafinil. He had ordered them via mail from Silk Road 2. His court-martial began around August 2015, leading to the expulsion of 3 other cadets, and he accepted a plea-bargain for 3 years.

In November 2014, 37yo Louisiana man Michael Munro Jr. was arrested for importing Xanax & oxycodone bought on SR2 since March 2014.

The Washington man Brian Farrell & SR2 staffer “DoctorClu” was arrested 20 January 2015; his IP had been uncovered in July 2014 accessing the SR2 seller portal, like CaliforniaCanibas, by CMU researchers and the information turned over to the FBI. The local police investigated by post-office checks and then interviewing him & his roommate on 22 December 2014; the roommate spoke freely about Farrell’s drug use and online connections and the next day even provided some of Farrell’s drugs to the police, allowing a search warrant to search the house and uncover Farrell’s prescription drugs on 2 January 2015, at which point he confessed everything & to helping run SR2 as the employee DoctorClu and was then arrested (the charges being upgraded from local pill charges to federal conspiracy charges; complaint). He was sentenced to 8 years in June 2016.

Follow me on Twitter, @gFogerlie (https://twitter.com/gfogerlie), Google+ https://plus.google.com/+GarrettFogerlie and Facebook https://www.facebook.com/garrett.fogerlie

Subscribe: http://www.youtube.com/subscription_center?add_user=GarrettFogerlie

Have a video request? Let me know: https://www.youtube.com/user/GarrettFogerlie/discussion

Tuesday, April 12, 2016

Detailed Explanation of Hydra's Syntax for Web Form Attacks

This article will break down the syntax we used for Hydra in the article, Brute forcing a website login form using Hydra, and the video Brute Force Website Login Attack Using Hydra.

In general you can type 'man' followed by the program name to read its manual. However, hydra doesn't have a manual; just typing 'hydra' will show you the basic info, or 'hydra -h' for more info. Below is the basic help. One of the best commands for detailed help on a module is the '-U' option followed by the module name. Here are all the modules:

asterisk cisco cisco-enable cvs ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql(v4) nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] rdp redis rexec rlogin rsh s7-300 sip smb smtp[s] smtp-enum snmp socks5 teamspeak telnet[s] vmauthd vnc xmpp 
So here is the command I used:
hydra -l root -p 557 -v attack.samsclass.info http-get-form "/brute4.php:login=^USER^&pin=^PASS^:Denied"

To start we have the program name, hydra, followed by -l userName or -L userNameFile.txt. The -l option is for a single login name; -L takes a file of login names. Then we have -p password or -P passwordFile.txt, for the password or password file. The -v is optional; it stands for verbose (an option most programs have, and it can come in handy to see what's happening). Verbose just means that it will show you a lot of information that would not normally be shown (you can read more by running hydra -h).

Next we have attack.samsclass.info. This is the domain name we will be attacking; don't include the http:// or https://, and don't include anything past or including the / after the name.

Now we have the service module to run, in this case http-get-form. This tells hydra that it will be attacking an HTTP web form by making a GET request (most forms use POST, just FYI). You can learn a ton more by running 'hydra -U http-get-form'. Here is a quote of what it says:

The parameters take three ":" separated values, plus optional values.
(Note: if you need a colon in the option string as value, escape it with "\:", but do not escape a "\" with "\\".)

Syntax:   <url>:<form parameters>:<condition string>[:<optional>[:<optional>]
First is the page on the server to GET or POST to (URL).
Second is the POST/GET variables (taken from either the browser, proxy, etc.
 with usernames and passwords being replaced in the "^USER^" and "^PASS^"
 placeholders (FORM PARAMETERS)
Third is the string that it checks for an *invalid* login (by default)
 Invalid condition login check can be preceded by "F=", successful condition
 login check must be preceded by "S=".
 This is where most people get it wrong. You have to check the webapp what a
 failed string looks like and put it in this parameter!

Next we have the three required parameters, in quotes and separated by a colon ':': "/brute4.php:login=^USER^&pin=^PASS^:Denied". So first is the URL that the form submits to, /brute4.php. Then the submitted query string or options, login=^USER^&pin=^PASS^. This is what the form submits; if you look at a form, these would be the names of any input, checkbox, etc.

Here we have 'login' and 'pin'. Hydra replaces ^USER^ with the username (or the usernames from the username file) and ^PASS^ with the provided password (or the passwords from the password file). Finally we have the third required parameter, Denied. This is the text to look for to know the login failed. In our case it is Denied, but this will be different for different sites. Optionally you can look for a successful-login text instead, something that is only shown when you successfully log in. You do this with 'S=' followed by the text. An example of a successful-login text may be the username, as some sites show the username once you log in.
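From the defender's side, a run like the one above is easy to spot in the web server's access log: the http-get-form module sends one GET per guess, so one client hits /brute4.php over and over with the same login and a changing pin. The following is an added example (not part of the original article) that parses constructed Apache/nginx combined-format log lines and flags that pattern; the path and parameter names are taken from the command above, the IP addresses and timestamps are made up.

```python
"""Flag Hydra-style brute forcing of a GET login form in an access log.

Added example. The response body (where "Denied" would appear) is not in an
access log and the status is usually 200 either way, so the check relies on
request rate and parameter churn per client rather than on status codes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format:
#   ip - user [time] "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TIME_FMT)
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs returns lists; a form field normally appears once, keep the first value
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def detect_form_bruteforce(lines, form_path, user_param, pass_param,
                           window=timedelta(seconds=60), max_attempts=10):
    """Return {ip: summary} for clients that send more than max_attempts
    guesses to form_path within any window of the given length."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != form_path or pass_param not in rec["params"]:
            continue
        per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start, peak = 0, 0
        for end in range(len(recs)):           # sliding window over timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_attempts:
            findings[ip] = {
                "attempts": len(recs),
                "peak_in_window": peak,
                "users": sorted({r["params"].get(user_param, "") for r in recs}),
                "distinct_passwords": len({r["params"][pass_param] for r in recs}),
            }
    return findings


# Constructed sample log: one legitimate login, a 12-guess burst from a
# single client within 12 seconds, then an unrelated request.
SAMPLE_LOG = [
    '198.51.100.5 - - [16/Aug/2016:10:14:58 +0000] '
    '"GET /brute4.php?login=alice&pin=4120 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [16/Aug/2016:10:15:{i:02d} +0000] '
    f'"GET /brute4.php?login=root&pin={500 + i} HTTP/1.1" 200 318 "-" "Mozilla/5.0 (Hydra)"'
    for i in range(12)
] + [
    '198.51.100.5 - - [16/Aug/2016:10:16:30 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in detect_form_bruteforce(SAMPLE_LOG, "/brute4.php", "login", "pin").items():
        print(f"{ip}: {info['attempts']} guesses for {info['users']}, "
              f"{info['distinct_passwords']} distinct pins, peak {info['peak_in_window']}/60s")
```

The sample reproduces hydra's default User-Agent, but the check deliberately ignores it, since a User-Agent string is trivially changed.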

Hopefully this has helped you understand what each part of the syntax we used does. Here is the full help for the http-get-form module:
Help for module http-get-form:
============================================================================
Module http-get-form requires the page and the parameters for the web form.

By default this module is configured to follow a maximum of 5 redirections in
a row. It always gathers a new cookie from the same URL without variables
The parameters take three ":" separated values, plus optional values.
(Note: if you need a colon in the option string as value, escape it with "\:", but do not escape a "\" with "\\".)

Syntax:   <url>:<form parameters>:<condition string>[:<optional>[:<optional>]
First is the page on the server to GET or POST to (URL).
Second is the POST/GET variables (taken from either the browser, proxy, etc.
 with usernames and passwords being replaced in the "^USER^" and "^PASS^"
 placeholders (FORM PARAMETERS)
Third is the string that it checks for an *invalid* login (by default)
 Invalid condition login check can be preceded by "F=", successful condition
 login check must be preceded by "S=".
 This is where most people get it wrong. You have to check the webapp what a
 failed string looks like and put it in this parameter!
The following parameters are optional:
 C=/page/uri     to define a different page to gather initial cookies from
 (h|H)=My-Hdr\: foo   to send a user defined HTTP header with each request
                 ^USER^ and ^PASS^ can also be put into these headers!
                 Note: 'h' will add the user-defined header at the end
                 regardless it's already being sent by Hydra or not.
                 'H' will replace the value of that header if it exists, by the
                 one supplied by the user, or add the header at the end
Note that if you are going to put colons (:) in your headers you should escape them with a backslash (\).
 All colons that are not option separators should be escaped (see the examples above and below).
 You can specify a header without escaping the colons, but that way you will not be able to put colons in the header value itself, as they will be interpreted by hydra as option separators.

Examples:
 "/login.php:user=^USER^&pass=^PASS^:incorrect"
 "/login.php:user=^USER^&pass=^PASS^&colon=colon\:escape:S=authlog=.*success"
 "/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed"
 "/:user=^USER&pass=^PASS^:failed:H=Authorization\: Basic dT1w:H=Cookie\: sessid=aaaa:h=X-User\: ^USER^"
 "/exchweb/bin/auth/owaauth.dll:destination=http%3A%2F%2F<target>%2Fexchange&flags=0&username=<domain>%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:reason=:C=/exchweb"

Saturday, March 12, 2016

Using Burp Suite To Attack Website Logins - Video

This video shows you how to use Burp Suite to intercept login form posts, alter them in Burp Suite's Intruder, and launch an automated attack that will work against most websites. In the video we attack a website that has an anti-forgery token hidden in the form. This, along with a tracking cookie that is submitted with the form, prevents the server from even attempting to validate the login if these tokens don't match. This will prevent tools like Hydra from effectively hacking the login.

Here is the code that is run on the server when the Login Form is Posted:

As you can see, the AntiForgeryToken is checked before the server even enters the Login action. Therefore, if this token check fails, the server will never even attempt to process the login.
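The pattern described above, as an added example and not the site's own ASP.NET code: a constructed Python model in which the hidden form field must pair with a cookie, and the credential check is only reached when the pair verifies. The __RequestVerificationToken name follows ASP.NET MVC's convention; binding the two halves with an HMAC is a simplification of what the real framework does, and the user store is a demo.

```python
"""Anti-forgery check that runs before the login action (added example).

The Login action increments a counter so the demo can show that a request
without a valid cookie/field pair never reaches the credential check.
"""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)      # per-deployment secret (constructed)
TOKEN_NAME = "__RequestVerificationToken"  # used for both the cookie and the field
# Demo credential store: sha256 of the password. Real code uses a salted, slow hash.
USERS = {"alice": hashlib.sha256(b"correct horse battery staple").hexdigest()}


def form_token_for(cookie_token):
    """Derive the hidden-field token from the cookie token, binding the pair."""
    return hmac.new(SERVER_KEY, cookie_token.encode(), hashlib.sha256).hexdigest()


def get_login_form():
    """GET /Account/Login: issue a fresh cookie token plus its matching hidden field."""
    cookie_token = secrets.token_hex(16)
    return {"cookie": cookie_token, "hidden_field": form_token_for(cookie_token)}


def validate_antiforgery(cookie_token, form_token):
    """True only when both halves are present and the field matches the cookie."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(form_token_for(cookie_token), form_token)


class LoginServer:
    def __init__(self):
        self.credential_checks = 0  # how many times the Login action actually ran

    def post_login(self, cookies, form):
        """POST /Account/Login. The anti-forgery filter runs first; on failure
        the request is rejected and the credentials are never examined."""
        if not validate_antiforgery(cookies.get(TOKEN_NAME), form.get(TOKEN_NAME)):
            return 400, "anti-forgery token validation failed"
        # ---- Login action: reached only when the token pair verifies ----
        self.credential_checks += 1
        user = form.get("username", "")
        supplied = hashlib.sha256(form.get("password", "").encode()).hexdigest()
        if user in USERS and hmac.compare_digest(USERS[user], supplied):
            return 302, "redirect to /"
        return 200, "Invalid username or password"


def demo():
    """Three requests: a real browser flow, a token-less guess, a mismatched replay."""
    server = LoginServer()
    good = {"username": "alice", "password": "correct horse battery staple"}

    # 1) Browser: GET the form, then POST back both halves of the pair.
    issued = get_login_form()
    browser = server.post_login({TOKEN_NAME: issued["cookie"]},
                                {TOKEN_NAME: issued["hidden_field"], **good})

    # 2) Hydra-style guess: credentials only, no cookie and no hidden field.
    no_token = server.post_login({}, dict(good))

    # 3) Replay: a hidden field captured earlier, sent with a different cookie.
    other = get_login_form()
    replay = server.post_login({TOKEN_NAME: other["cookie"]},
                               {TOKEN_NAME: issued["hidden_field"], **good})

    return browser, no_token, replay, server.credential_checks


if __name__ == "__main__":
    print(demo())  # only the browser flow reaches the credential check
```

The pair stops tools that never fetch the form, but a client that requests a fresh form before each attempt gets a valid pair every time, so this check needs rate limiting or account lockout beside it.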

While this video shows a method that will work against most websites, my company designs secure web applications that can mitigate such an attack. If you are interested in learning more about the applications we design, please email Garrett Fogerlie

Saturday, November 14, 2015

How Tor Users Got Caught by Government Agencies

4 examples of people who have used Tor for illegal activities and how they were caught. Multiple de-anonymization attacks are shown at the end of the video.

Case 0: Harvard guy Eldo Kim getting busted by being one of the only users at Harvard on the tor network, and admitting he emailed the bomb threat
Case 1: Sabu getting caught for logging on to IRC one time without tor, and the FBI using correlation
Case 2: Freedom Hosting admin under attack from Anonymous previously (the group fighting CP might have helped the FBI); later they skip to when a box was compromised and made to host a JavaScript exploit (nothing is mentioned about what happened between the Anonymous attacks and when the FBI smashed in his door)
Case 3: Silk Road admin making too many mistakes, including using his own real name and then later changing it to a username

Eldo Kim [harvard bomb threat]:

Eldo makes a bomb threat to Harvard's student newspaper and some other Harvard officials. Of all the reasons under the sun to do something like this, his was that he wanted to get out of a final exam!? Maybe if we put our heads together we could come up with a less incriminating way to get out of a final exam. Less incriminating, meaning no prison time if caught. Though he used tor to send the threat via email, all tor exit nodes are publicly listed. Unless you use a tor bridge (bridges are not publicly listed as tor nodes), you will give the authorities an obvious starting point from which to launch their investigation.

But that's not the worst mistake; it gets better. He connects to tor through his student account.
Because of this, and the fact that he was the only one connected to tor at the time the email was sent, it was easy for them to correlate that he may have sent the threat. As if that wasn't enough, Eldo puts the final nail in his own coffin by actually admitting that he was the one who made the bomb threat.

Lessons Learned from Eldo:
1) Don't be the only person using Tor on a monitored network at a given time
2) Use a bridge
3) Correlation attacks are a bitch

Hector Xavier Monsegur (Sabu) and Jeremy Hammond (sup_g) [LulzSec]:

Hector was already being watched by the FBI. However, his mistake was that he became lackadaisical. Slipping up, he connected to IRC without tor when he normally would have used it. This allowed the FBI to get his home IP address. He sang like a caged canary after being caught, and then proceeded to set up his cohort Jeremy Hammond.
Jeremy, otherwise known as sup_g, when speaking with Hector on IRC spoke carelessly of places he had previously been arrested and other groups he was involved with. The FBI used this information to narrow their suspect pool, which allowed them to obtain a court order to monitor his internet traffic.

Once again correlation proves to be a bitch. I say this because although the FBI did not exploit tor to bust Jeremy, they were able to correlate the times 'sup_g' spoke with 'Sabu' on IRC with when Jeremy was at home using his computer.

Lessons Learned from LulzSec:
1) Use Tor consistently
2) Don't give personal information
3) Correlation attacks are still a bitch!

Eric Eoin Marques [Freedom Hosting]:

Freedom Hosting was known for hosting child pornography. This is enough to make you a mark for all sorts. In fact, Freedom had already been under attack from Anonymous during Op Darknet because of the child porn. The FBI was able to compromise Freedom because they were using an outdated version, 17 ESR, of the tor browser. This allowed the FBI to exploit bug CVE-2013-1690. Mind you, tor had already come out with a patch, but for some reason Eric did not think it important to update.

The FBI used a payload called Magneto that gave them Freedom's IP address, MAC address, and Windows host name, with a unique serial number that ties a user to a site visit. One of, if not the, biggest mistake(s) he made was leaving a trail of payment records that linked him directly to the Freedom Hosting servers. The important thing to generalize in this case is that he probably wouldn't have gotten busted if he hadn't hosted child porn in any form or fashion. Oh yeah, I almost forgot: when the cops busted him he "dived" for his laptop to shut it down.

Lessons Learned from Eric:
1) Don't host Captain Picard [Child Porn] or Julian Bashir [Jail Bait]
2) Patch, patch, patch
3) Follow the money
4) Leave encrypted laptops in a powered down state when not in use!

Ross Ulbricht (Dread Pirate Roberts) [The Silk Road]:

I think, and I hope I'm not making an ass out of myself ;| that most of you anons have at least heard of the infamous Silk Road. Apparently, Mr. Ulbricht had linked himself to this onion on more than one occasion. In an effort, I believe, to market his site [The Silk Road], he would post around in clearnet forums. The earliest reference to "Silk Road" that the FBI could find on the clearnet was a post made in a Shroomery forum by a user going under the name of altoid. In fact, Ulbricht's habits almost made correlation non-essential.

The FBI claims the former physics and engineering student even publicly alluded to his alleged criminal enterprise on his LinkedIn profile, with a statement describing how his goals had "shifted" in accordance with his libertarian economic views since leaving grad school at Pennsylvania State University.

This statement comes from a CNN web site under an article titled "How FBI caught Ross Ulbricht, alleged creator of criminal marketplace Silk Road." BitcoinTalk was another of the sites where the FBI found him marketing his site. With all of the effort he put behind making sure that people knew how to get to The Silk Road, by explaining how to use tor and then, as if the explanation wasn't enough, by posting the link to his site, he makes it hard for me not to believe that he may be suspect. What makes it even worse is that Ulbricht's BitcoinTalk account handle was also altoid. He makes the very same mistake yet again by posting in the same forum [BitcoinTalk] a request for a "pro" IT guy, under an account also named altoid, and routing all replies to "rossulbricht at gmail.com." The request was titled "IT pro venture backed bitcoin startup."

The list goes on. He made little to no effort to sever the connections between his true identity and the one with which he operated The Silk Road [Dread Pirate Roberts]. For instance, Dread Pirate Roberts had a link to the Mises Institute as part of his Silk Road forum signature, and Ulbricht's Google+ profile showed that he was also interested in the Mises Institute. He did stuff like this time and time again, like using tor to connect to StackOverflow and creating an account using his real name. Notice, he posted the operating system he uses, "ubuntu."

This is getting redundant, so I think I'll stop here and just list what we can learn from Mr. Ulbricht. If you want to read in detail you can find slides and video here. Basically, he made a plethora of connections to his real identity. He would go as far as the neighborhood Starbucks or library, which was just around the corner from his house, to log on to and administer his Silk Road onion. US Customs had intercepted all of his fake IDs, because although he changed his name on his ID cards he never changed his face on them. It was mistakes like these that led to his arrest and the takedown of The Silk Road.

Lessons Learned:
1) Keep online identities separate
2) Have a consistent story
3) Don't talk about personal interests
4) Don't volunteer information!

Thanks for reading, check out my YouTube videos, I have a lot of stuff on Tor and Kali. Follow me on Twitter, @gFogerlie, Google+ https://plus.google.com/+GarrettFogerlie and Facebook https://www.facebook.com/garrett.fogerlie and you can subscribe to me on Youtube if you want to keep up to date.

Wednesday, October 28, 2015

OS X VirtualBox No USB Devices Available

Visual Studio doesn't seem to run correctly in VirtualBox 5 and keeps causing my Windows 8.1 guest OS to restart. I'm not certain this is because of VirtualBox 5, but the issue seems to have only happened after the update. I'm reverting to VirtualBox 4.3.x by downloading it from here.

If you are running OS X El Capitan (10.11) and VirtualBox doesn't detect any USB devices, this is because Apple changed some security settings and VirtualBox 4 (even the current release) hasn't caught up.

You can fix this easily by going to Oracle and downloading and installing the new VirtualBox 5. VirtualBox 4 won't detect the version 5 update, so you have to download it from Oracle. Some people recommend using the VirtualBox_Uninstall.tool to uninstall version 4.x; however, I just installed VirtualBox 5 without uninstalling version 4.x and everything seems to be working fine.

Once you have installed VirtualBox and the extension pack, you will have full control of your USB devices again, including support for USB 3.0 devices.

In my case, I was running OS X 10.11.1 and VirtualBox 4.3.30 when I first noticed the "No USB Devices Available" message, so I checked for updates and updated to VirtualBox 4.3.32-103443, but the error remained even after I rebooted. Installing VirtualBox 5.0.8-10 fixed the issue. Also, you should back up your virtual machines if you can, just to be on the safe side.

Friday, October 16, 2015

Hacking the Vuse E-Cig to Fully Use Cartridges and Allow Refills

If you've ever used a Vuse e-cigarette, you may have noticed that eventually the unit will say the cartridge is empty and no longer allow you to use it. Unfortunately, the cartridge isn't actually empty; the cartridge keeps track of how much it has been used and has a cut-off when it reaches a certain value. In this article I'm going to show you three ways to prevent the cartridge from reaching this cut-off point. One method is very simple and can be implemented by anyone. The second is more convenient but does require a bit of work initially, and the third I haven't tested. First though, let me give some background on how the unit works. From their website:
VUSE is the only Digital Vapor Cigarette designed with a SmartLight™ Indicator to always keep consumers informed. The SmartLight Indicator informs on both the battery and Cartridge life. The SmartLight flashes white for two seconds when the Cartridge is getting low. When the SmartLight flashes white continuously, it is time to change the Cartridge.

VUSE is an electronic cigarette designed with "Smart Technology," according to their website. The VUSE Digital Vapor Cigarette contains a VaporDelivery Processor that uses algorithms in the same way a computer does, therefore it is "digital." The VaporDelivery Processor in the PowerUnit, working with the SmartMemory™ microchip in the Cartridge, monitors and adjusts the power and heat delivered to the Cartridge up to 2,000 times a second, ensuring consistently satisfying puffs.

As you can see from the picture above, the main processor (Atmel ATtiny84A) is in the battery pack, but the cartridge also contains an 8-pin EEPROM or microcontroller where, among other things, it keeps track of how much it has been used. While I don't know for sure how it works, since I don't know the technical specifications of the chip used, I do have a pretty good idea what it is doing.

This is a picture of the main processor on the battery pack; it is located at the tip of the unit under the LEDs that light up.
And this is the circuit board from the cartridge.

There are three main operations that happen when you take a puff.

  1. The Vuse battery will only work with Vuse cartridges, so the cartridge authenticates itself to the battery's processor, and this communication (and possibly all communication between the processors) is encrypted. This makes it much harder to eavesdrop on the communication.
  2. Powering the heating element. As mentioned above, the battery's processor monitors and adjusts the power delivered to the cartridge using data it receives from the cartridge unit. I won't go too far into how this works, but from the numerous patents of theirs that I've read (excerpts quoted at the end of this article), it likely monitors the airflow through the battery pack and the resistance of a fusible link and the heating element located in the cartridge. Keep in mind that the unit is calculating and adjusting the power up to 2,000 times a second.
  3. Having calculated how long or how intense the puff was, a value is incremented (or possibly decremented) in the cartridge microcontroller's EEPROM. Note that some people think this is a simple puff counter, but I think it is more advanced than that. If you don't know what an EEPROM is, it is just memory that can be read and written like a hard drive. An EEPROM doesn't need power to retain its contents, unlike other types of memory.

Step number 3 is the one we care about. Because the puff value is written to the EEPROM at the completion of a puff, the easiest way to keep a cartridge from expiring is to disconnect it quickly as you take your puff. Unfortunately the connector between the battery and the cartridge isn't very dependable and will probably end up breaking at some point. So another option is to carefully take the battery compartment apart and rig a tiny push-button switch to the tip of the unit that disconnects the negative terminal of the battery. You can see this connection in the image below; the black wire is the negative terminal and it connects just below the LEDs and main processor.

One way for Vuse (R.J. Reynolds Vapor Company) to prevent this would be to increment the counter by the maximum value a puff can be before the puff starts and then, once the puff is done, subtract a value if the puff didn't reach the maximum. EEPROM writes take a few processor cycles to initiate and around 5 to 10 milliseconds to complete. This, along with the fact that EEPROMs can only be written a limited number of times before they fail (usually 100,000+, but it could be less on cheaper components), is why you wouldn't want to constantly save the value during the puff.

There is a third method that others have reported will allow you to reuse a cartridge, and this method is easier than adding a switch and far more convenient than removing the cartridge every time. This is to sever the connection of the LED on the end of the battery pack. I believe it is this LED:

I haven't verified that this will work, and you need to be careful not to damage other components, especially since the main processor is on the other side. If it does work though, it is fairly simple, and the only downside is that you no longer have the white LED to indicate that the device is in use.

Thanks for reading; if you liked it, please share. Leave a comment and let me know if this worked for you or if you have another idea. Before I end this with some more pictures (my own and some from anticommander), check out my YouTube videos. Follow me on Twitter, @gFogerlie, Google+ https://plus.google.com/+GarrettFogerlie and Facebook https://www.facebook.com/garrett.fogerlie and you can subscribe to me on Youtube if you want to keep up to date.

Here is a link to the photos I took during the teardown.

The big pads in the image above are likely the ISP (in-system programming) pinout used to program the ATtiny microcontroller.

Here is the pinout of the main processor. Pin 14 connects to the white LED, and pin 15 to the red.

So here are some extra images. This is the inside of a cartridge.

This is the battery charging circuit located in the battery pack where the cartridge would connect.

Here are some excerpts from some of R.J. Reynolds Vapor Company's patents.

The present disclosure relates to an aerosol delivery device including a variable output flow sensor. The variable output flow sensor particularly can be a flex/bend sensor wherein output from the sensor varies based upon changes in electrical current flow (e.g., resistance) along an extension of the sensor relative to flexing or bending of the extension resulting from airflow across the extension. The disclosure further provides methods for controlling operation of an aerosol delivery device through utilization of a variable output flow sensor. In particular, control of functional elements (e.g., a heating member, a fluid delivery member, and a sensory feedback member) can allow for real-time changes in the operation of the aerosol delivery device relative to airflow through the device.
Read more: http://www.patentsencyclopedia.com/app/20150282527#ixzz3ojAfcn8F

In various embodiments of the smoking article, the heating connection comprising a fusible link and a heating element is in electrical connection with the power source and the control component when the control body and the cartridge body are engaged with one another. The control component can comprise a microcontroller. Furthermore, the control component can be configured to selectively actuate a first electrical current flow of a first set of conditions from the power source to the heating connection when the control body and the cartridge body are engaged, wherein the conditions of the first electrical current flow are insufficient to initiate heating by the heating element. The first set of conditions can comprise a voltage that is substantially the same as a voltage that defines a working voltage for the heating element and a current flow duration of about 45 milliseconds or less (e.g., about 5 milliseconds to about 25 milliseconds). The working voltage can be about 2 volts to about 6 volts.
Read more: http://www.faqs.org/patents/app/20140253144#ixzz3ojDJLor0

Various embodiments of the smoking article further comprise a current sense resistor, wherein the current sense resistor is adapted to establish an indication of the fusible link status. The control component can be further configured to initiate a command function based upon a cartridge status interpreted from the fusible link status indicated by the current sense resistor. Specifically, the current sense resistor can be adapted to sense a first resistance across the fusible link and a second resistance across the heating element. Sensing of the first resistance can be indicative of an unused cartridge. Sensing of the second resistance in the absence of the first resistance can be indicative of a used cartridge.
Read more: http://www.faqs.org/patents/app/20140253144#ixzz3ojDCT8pV

The control body 80 includes a control component 20, a flow sensor 30, and a battery 40. Although these components are illustrated in a specific alignment, it is understood that various alignments of the components are encompassed by the present disclosure. The control body 80 further includes a plurality of indicators 19 at a distal end 12 of the control body shell 81. Such indicators 19 can show the number of puffs taken or remaining from the smoking article can be indicative of an active or inactive status, can light up in response to a puff, or the like. The indicators can be provided in varying numbers and can take on different shapes and can even be simply an opening in the body (such as for release of sound when such indicators are present).
Read more: http://www.faqs.org/patents/app/20140253144#ixzz3ojE3wHNB

Generally, in use, when a consumer draws on the mouthend 11 of the cartridge, the flow sensor 30 detects the change in flow and activates the control component 20 to facilitate current flow through the resistive heating element 50. Thus, it is useful for air flow to travel through the control body 80 in a manner that flow sensor 30 detects air flow almost instantaneously.
Read more: http://www.faqs.org/patents/app/20140253144#ixzz3ojEccwtz

The control algorithm may call for power to the resistive heating element 50 to cycle and thus maintain a defined temperature. The control algorithm therefore can be programmed to automatically deactivate the smoking article 10 and discontinue power flow through the smoking article after a defined time lapse without a puff by a consumer. Moreover, the smoking article can include a temperature sensor to provide feedback to the control component. Such sensor can be, for example, in direct contact with the resistive heating element 50. Alternative temperature sensing means likewise may be used, such as relying upon logic control components to evaluate resistance through the resistive heating element and correlate such resistance to the temperature of the element. In other embodiments, the flow sensor 30 may be replaced by appropriate components to provide alternative sensing means, such as capacitive sensing. Still further, one or more control buttons can be included to allow for manual actuation by a consumer to elicit a variety of functions, such as powering the article 10 on and off, turning on the heating element 50 to generate a vapor or aerosol for inhalation, or the like.
Read more: http://www.faqs.org/patents/app/20140253144#ixzz3ojETq400

In particular embodiments, the smoking article can include components that define an electrical circuit whereby a control component is configured to controllably deliver a low power pulse from the power source to the heating connection according to one or more defined algorithms. As a non-limiting example, the control algorithm can include pulse width modulation, which can be based on comparison of a battery voltage with a lookup table. As a further non-limiting example, the control algorithm can include a constant voltage feedback loop, such as through utilization of heater voltage measurements. Specifically, in various embodiments of the smoking article, appropriate wiring can be included such that a cartridge engaging a control body defines a closed electrical circuit through which the control component can controllably deliver a low power pulse (as well as a higher power pulse). The low power pulse can be defined as an electrical current that does not exceed the limits of a fusible link as described herein. By contrast, the higher power electrical current that defines a working status of the heating element (i.e., wherein the heating element heats to a temperature sufficient to vaporize the aerosol precursor material) can exceed the limits of the fusible link.
In some embodiments, a low power pulse can have a voltage, a current, or both that is substantially similar to the same property of the higher power pulse, and pulse power can be defined by current flow duration. In particular, time can be adjusted such that the average power delivered to the circuit is constrained appropriately. In certain embodiments, the fusible link can exhibit a resistance that is lower than the resistance of the heating element. In some embodiments, the fusible link and the heating element are provided in parallel, a majority of the current entering the closed circuit can preferentially flow through the fusible link. When the duration of the electrical current flow is sufficiently long, the lower resistance fusible link will fail and thus allow all of the delivered current to pass through the heating element. Depending upon the type of material from which the fusible link is formed, a sufficiently long current flow time can be about 50 milliseconds or greater or about 100 milliseconds or greater, particularly about 50 to about 500 milliseconds. In various embodiments, the heating element can require that the current be applied for a time of about 0.5 seconds or greater or about 1 second or greater, particularly about 1 second to about 4 seconds for sufficient heating to occur. Therefore, in some embodiments, conditions defining a low power pulse can comprise a voltage, a current, or both a voltage and a current that is substantially the same as the same corresponding voltage, current, or both that is utilized for normal functioning of the heating element, and can also comprise an active flow unit time of about 45 milliseconds or less or about 25 milliseconds or less, particularly about 5 milliseconds to about 25 milliseconds.
In other embodiments, the low power pulse can be defined by a current and/or voltage that can be less than the current and/or voltage that define the working status of the heating element. For example, the electrical current that defines a working status of the heating element can exceed the current delivered by the low power pulse by a factor of 2 or more, 5 or more, or 10 or more. A voltage that defines a working voltage for the heating element can be about 2 volts to about 6 volts, about 2.5 volts to about 5.5 volts, or about 3 volts to about 5 volts. The working voltage is the voltage at which the heating element sufficiently heats to form the desired amount of aerosol during a current flow time as described above.
Read more: http://www.faqs.org/patents/app/20140253144#ixzz3ojFr59Bv

Saturday, September 5, 2015

How to Install Firefox in Kali 2.0

Iceweasel is often out of date, and this is true with Kali 2.0. So if you want a current version of Firefox, I will show you the easiest way I have found to install it. Unlike some other methods, this one shouldn't cause problems with other programs, and I've heard, but cannot confirm, that you may not need to uninstall Iceweasel. I'll explain why I cannot confirm this after I show you how to install it.

So open a terminal and enter the following to uninstall Iceweasel:
apt-get remove iceweasel
Now we need to add the Ubuntuzilla repository, a project that packages the latest version of Firefox for Kali (and other Debian-based systems). To do this, enter the following in the terminal; it is all one line:
echo -e "\ndeb http://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all main" | tee -a /etc/apt/sources.list > /dev/null
Next we need to add the repository's signing key via apt-key in the terminal:
apt-key adv --recv-keys --keyserver keyserver.ubuntu.com C1289A29
All that's left is to update and install Firefox:
apt-get update
apt-get install firefox-mozilla-build
That's it! Now you can find Firefox in the Applications menu or run it from the terminal by typing `firefox`. Don't worry if you see a GLib error when running it from the terminal.
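The steps above, re-done as an idempotent, checked script; this is an added example, not code from the original post. It assumes root, a Debian-style apt with apt-key, and that you supply the key's full fingerprint (the EXPECTED_FPR placeholder) from a trusted source, since the 8-character ID C1289A29 on its own does not uniquely identify a key.

```shell
#!/bin/sh
# Added example: the post's install steps with two checks the post lacks.
# Assumes root and Debian-style apt/apt-key. EXPECTED_FPR is a placeholder.
set -eu

REPO_LINE="deb http://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all main"
KEY_ID="C1289A29"   # short key ID used in the post
# Placeholder: set to the full 40-hex fingerprint obtained out-of-band.
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_FULL_FINGERPRINT}"

# Append LINE to FILE only if an identical line is not already there, so
# re-running does not stack duplicate deb lines (the post's `tee -a` appends
# unconditionally). Returns 1 when the line was already present.
append_once() {
    file="$1"; line="$2"
    if grep -Fxq -- "$line" "$file" 2>/dev/null; then
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
}

# Compare two fingerprints ignoring spacing and case; an empty expected
# value never matches, so a forgotten placeholder fails closed.
fingerprint_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    actual=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

install_firefox() {
    append_once /etc/apt/sources.list "$REPO_LINE" || true
    apt-key adv --recv-keys --keyserver keyserver.ubuntu.com "$KEY_ID"
    # gpg's machine-readable (colon-separated) output: field 10 of "fpr:" lines
    actual=$(apt-key adv --with-colons --fingerprint "$KEY_ID" 2>/dev/null \
             | awk -F: '/^fpr:/ { print $10; exit }')
    if ! fingerprint_matches "$EXPECTED_FPR" "$actual"; then
        echo "key $KEY_ID: fingerprint mismatch (got '$actual'), removing" >&2
        apt-key del "$KEY_ID"
        return 1
    fi
    apt-get update && apt-get install -y firefox-mozilla-build
}

if [ "${1:-}" = "install" ]; then
    install_firefox
fi
```

Run it as `sh script.sh install` after setting EXPECTED_FPR; without the argument it only defines the functions.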

I said you may not need to uninstall Iceweasel, but I cannot verify this because I uninstalled it while attempting a previous Firefox install. Now that I have installed Firefox via the method above, I tried to reinstall Iceweasel but I get the following error, which is caused by having Firefox installed:
diversion of /usr/bin/firefox to /usr/bin/firefox.real by iceweasel' clashes with `diversion of /usr/bin/firefox to /usr/bin/firefox.ubuntu by firefox-mozilla-build

Thanks for reading; check out my YouTube videos, I have a lot of stuff on Tor and Kali. Follow me on Twitter, @gFogerlie, Google+ https://plus.google.com/+GarrettFogerlie and Facebook https://www.facebook.com/garrett.fogerlie, and you can subscribe to me on YouTube if you want to keep up to date.