Dailydave mailing list archives
Re: ndr.py and sarah palin
From: "Dave Korn" <dave.korn () artimi com>
Date: Wed, 17 Sep 2008 19:30:43 +0100
Dave Aitel wrote on 17 September 2008 18:44:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://wikileaks.org/wiki/Sarah_Palin_Yahoo_inbox_2008
From that page:
"Nb. The 'ctunnel.com' reference in the browser screen shots is to a proxy
service used to prevent the activists from being traced."
That intrigued me, so I browsed to ctunnel.com. Not being the
default-script-running type, I got a blank page, except for the html title
"Ctunnel.com will protect your anonymity on the internet, helping you evade
url and ip filters!". So I looked at the source, and it's full of stuff like
....
<script type='text/javascript'>
var myArray=new Array();
myArray[0] =
'%0n%0n%0n%0n%0n<Oe><oe>%0n%0n<gnoyr jvqgu=65%25><gq><gnoyr jvqgu=100%25
otpbybe=qqqqqq pryycnqqvat=3><gq>%0n<n
uers=%22uggcf://jjj.Pghaary.pbz%22>Ranoyr FFY Rapelcgvba</n><oe>%0n%0n<sbez
anzr=%22ybtva%22
npgvba=%22uggc://pghaary.pbz/vaqrk.cuc/1010110N/20099p53o71244739q9oqr36531890
0%22 zrgubq=cbfg>%0n<vachg anzr=%22hfreanzr%22 fvmr=66
inyhr=%22uggc://jjj.LbhGhor.pbz%22><vachg glcr=fhozvg inyhr=%22 Ortva
Oebjfvat %22><Oe>%0nVafgnag Zrffratref: <n
uers=%22uggc://pghaary.pbz/vaqrk.cuc/1010110N/30509851s71q4n2op08nqq3143444040
717794pop324pr5sn1ns7q684op792410s2618900%22>Zfa</n> <n
uers=%22uggc://pghaary.pbz/vaqrk.cuc/1010110N/30509851s71q4n2op08nqq3143444040
717794pop324pr5sn1ns7q6451p492410s2618900%22>NVZ</n> <n
uers=%22uggc://pghaary.pbz/vaqrk.cuc/1010110N/30509851s71q4n2op08nqq3143444040
717794pop324pr5sn1ns7q7p59p1q35r4926o39r18900%22>Lnubb</n> <n uers=%
Now. I haven't decoded and read this yet, but I recognise that XYYZ://
pattern anywhere.
So let me see if I've guessed this right: it's a proxy that rewrites all
your URLs in rot-13? And this is supposed to "protect your anonymity"?
Those activists are screwed. They better get out of the country PDQ.
Pardon me, but I'll be sticking with proper mix chains for now.
Oh, and TRWTF? The decoder function is pretty FAIL:
function base64(src)
{
var dst=new String('') ; var len=src.length ; var b ; var t=new
String('') ; if(len > 0) { for(var ctr=0; ctr<len ; ctr++) {
b=src.charCodeAt(ctr); if( ( (b>64) && (b<78) ) || ( (b>96) && (b<110) ) ) {
b=b+13; } else { if( ( (b>77) && (b<91) ) || ( (b>109) && (b<123) ) ) {
b=b-13; } } t=String.fromCharCode(b) ; dst=dst.concat(t) ;} }
return dst;
}
cheers,
DaveK
--
Can't think of a witty .sigline today....
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- ndr.py and sarah palin Dave Aitel (Sep 17)
- Re: ndr.py and sarah palin Dave Korn (Sep 17)
- Re: ndr.py and sarah palin Dan Moniz (Sep 19)
- Re: ndr.py and sarah palin Dave Korn (Sep 17)