Archive for June, 2013

Fending off attacks

Tuesday, June 18th, 2013

Dear readers,

As you may or may not have noticed, qnrq.se was inaccessible from Friday the 14th until Monday the 17th. The site was totally unavailable for 65 hours due to a powerful DDoS attack that knocked out my host’s cluster on which the site resides (195.74.38.18). Downtime doesn’t affect me as a publisher: there is nothing here that is not backed up and I don’t intend to financially gain from the visitors of this site. Instead, it affects you as a reader. It affects your ability to access the information that is being spread through this domain. This is a serious attack on your right to access information freely. Therefore I would like to address how this situation will be handled to ensure that you can, at bare minimum, always access the content that I provide.

There are no restrictions that prevent search engines and other crawlers from accessing content published on this site. If it goes down you can always view the content through, for example, Google’s cache or the Internet Archive. I have also installed and configured Cloudflare, which caches and delivers content through their CDN even when the site is inaccessible. Please keep in mind that Cloudflare is an American company which by law has to co-operate with the NSA and similar organizations. If you wish to hide your activities on this site from such organizations then please use an anonymization service like IPredator or Tor.

Cloudflare is the first non-Swedish service which is involved in delivering content on this site since I first put it online nearly two years ago. There is no Google Analytics or similar foreign service tracking you here. My host, Binero, is a Swedish company with their servers placed in Sweden. The Flattr buttons you see all over the site are served by a Swedish company with servers in Sweden. The Creeper icon in the menu on the right side is served by a Swedish server run by a group of Swedish open source fanatics. The top domain? Swedish. You get the point.

Limiting the site to be served from within the Swedish borders has always been a conscious decision. Originally publications were mostly limited to Sweden and I didn’t want my visitors’ data to be sent to a lot of fishy people I have no idea of who they are. Later the site grew in popularity and I now have almost as many international visitors as I have Swedish.

I have to both fend off attacks and ensure acceptable performance. The site is being run with a very limited budget and implementing Cloudflare seems to be the best alternative from both a financial and a performance perspective. Introducing an American company into the chain isn’t exactly my dream scenario but the availability is important for me. Unfortunately this creates a conflict with users that care about their privacy, especially around America.

I hope to satisfy both the performance parts and privacy parts by different means. I have stuck to the same host, Binero, for many years now, but the way that they handled the recent DDoS is entirely unacceptable to me. I am not going to deal with a host that requires me to contact them to move my site to a cluster which is not affected by the attack by pure principle (“because it causes downtime for the already DDoSed customers”, they claimed). My attitude is that if I am paying somebody to deliver me a service then I expect them to do everything in their power to ensure that the service is delivered and not require me to walk extra miles for them and then wait for three days for their support to react. With those conditions I would much rather have as much as possible in my control, and that’s the next phase.

I am breaking up with Binero and moving the site to a dedicated Swedish VPS. For security and other considerations I will abandon PHP on the new host and serve WordPress generated pages statically. Everything will remain the same for you as a reader in terms of accessing and reading. The positive thing is that I won’t have to deal with intrusion attempts directed at PHP and WordPress and also Cloudflare will be configured to cache the static pages so that you can access them even when my host goes offline. The negative part is that you will no longer be able to leave comments on the site, but that may be fixed sometime in the future. When the site has been migrated to the new host it will also be available through HTTPS.

I believe that this is the best solution available, please let me know if you feel otherwise by commenting on this post.

Cheers, stay critical.

The extradition (Morgan part 7)

Monday, June 17th, 2013

Nacka District Court has granted prosecutor Henrik Olin permission to extradite Anakata to Denmark in accordance with the Danish order for arrest. Anakata will remain in solitary confinement until the extradition is executed. Whether Anakata is allowed to contact the outside world is up to the prosecutor, Henrik Olin, in the Swedish hacking and fraud charges.

Extradition can be executed on 25th June at the earliest, given that the District Court finalizes the judgement on time. Prosecutor Henrik Olin decides in co-operation with the Danish authorities when the extradition shall be executed. The District Court’s decision can be appealed to the Swedish Court of Appeal.

Morgan the Trial (part 6)

Saturday, June 1st, 2013

Below is the translated transcription of the hearing with GSW regarding charges related to intrusions in the Nordea Bank. The original Swedish recording can be downloaded here.

Day 5, 2013-05-31
11:00 Examination of defendant GSW (counts 5-13)

OLIN: Thank you. I think Ola Salomonsson has already answered some of my questions, but I thought I would ask you to make some comments. Perhaps you would first like to say something in general about these charges.
GSW: Yes, well… I don’t know what more to say than that I don’t have anything to do with it.
OLIN: Then I would like to ask a little about… first the hard drive, point 2. On it there are traces of all kinds of datasets from Nordea, do you have any comments on that?
GSW: I’m not denying that they are there, I’m denying that I have put them there.
OLIN: Yes. And you heard my statement about these 14 different IP addresses that were relevant and the 13 direct occurrences and 14 indirect occurrences in the MacBook, point 26. A big portion of them was from the ISP Cogetel, which perhaps is a big provider in Cambodia or?
GSW: I actually don’t know that.
OLIN: No. You said earlier that you had used that ISP?
GSW: Yes exactly.
OLIN: And yes… Perhaps it’s not so easy, but do you recognize any of these IP addresses?
GSW: No. I can say that I recognize that they are from Cogetel based on the numbers they are starting with but… I don’t recognize them otherwise.
OLIN: This other Cambodian ISP, what was the name again… Maybe you know that better than I? Citylink and Digi, do you recog–
GSW: No, it’s nothing I recognize. I may have heard the names but I haven’t been a customer of them.
OLIN: Malmö Borgarskola, (inaudible) group, nothing you–
GSW: Never heard of them.
OLIN: No familiar names at all?
GSW: No.
OLIN: Returning to this Mysec content that we discussed in previous hearings. In the Mysec content, if I can express myself like that… The files connected to Mysec in your computer, there are 4 of these IP addresses that are connected to the intrusion against Nordea.
GSW: Which page?
OLIN: Oh no… Perhaps I am wrong a little bit I’m realizing, these IP addresses…
?: Which page?
OLIN: I am on page 130. Oh, okay. Sorry. I will reformulate the question. I think that you should interpret this on page 130 that after contact with Mysec and in data that they have delivered they have informed that 4 out of these 14 IP addresses connected to Cambodia have been discovered at Mysec. Do you have any comment?
GSW: I will begin by pointing out that Cogetel uses so called dynamic IP addresses, meaning the customer gets a new IP address every time he connects. So you have to look at the timestamp also.
OLIN: Yes. But you have connected to Mysec’s environment from your computer in Cambodia.
GSW: That’s correct.
OLIN: And you naturally don’t know which IP?
GSW: No.
OLIN: Especially considering they are dynamic?
GSW: Mm.
OLIN: And that your defense already answered to but I’ll ask anyway at the risk of being a bit repetitive, but regarding these transactions… these names of individuals and companies, is there anything that is familiar to you?
GSW: The first time I heard any of the names was during the interrogation on 8th March.
OLIN: The company called (inaudible)?
GSW: Never heard of it. I think on 8th March you asked about three recipients.
OLIN: During interrogations?
GSW: Exactly.
OLIN: Oh, OK. But now that you’ve heard all names you don’t have any..
GSW: No.
OLIN: No. I have no more questions, thank you.
Judge: Ola Salomonsson.
OLA: The question can seem a bit distant in relation to all these technical things… But I will begin by asking you, without going into personal things, how are you living in Cambodia during this time? How is it financially for you?
GSW: I didn’t have any financial problems. I was partially working, running a business down there.
OLA: And you had a lot of employees too?
GSW: Yes, in the previous year.
OLA: But at this time, more exactly during the summer 2012.
GSW: I was freelancing as a consultant and didn’t have any financial problems at all. I was getting money from my parents too.
OLA: Is it the same residence and same conditions as you said in earlier hearings?
GSW: Yes.
OLA: I mean with the guestroom and the computers and so forth.
GSW: Exactly.
OLA: There is no difference I think. Now… the technology isn’t so easy at least for me, but when you say that the ISP in this case had a dynamic timestamp or…
GSW: Dynamic IP address.
OLA: That’s right, dynamic IP address. What does that mean, explain a little bit.
GSW: It means that customers are assigned new IP addresses every time they connect.
OLA: OK. So that many different IP addresses are occurring…
GSW: That can both mean that one and the same computer has multiple IP addresses or that multiple computers have the same IP address. They only have it at the same time.
OLA: If we apply that on the fact that there are 14 different IP addresses here, does it have any value then?
GSW: No, not really.
OLA: No, OK. I said but perhaps it should also come from you, or perhaps that question was asked. But you didn’t recognize any of these companies…
GSW: No.
OLA: that the money has supposedly been sent to…
GSW: Nothing.
OLA: We have Iran here, now your computer might have been remotely accessed but do you have any connection there?
GSW: No, none.
OLA: Do you have any similar reflection as you had on the previous charge, a slight idea over which individual or group could be behind this?
GSW: This is closer in time so it’s easier to remember things that have happened and I have my suspicions of who could…
OLA: Is that going in the same direction as what we talked about previously?
GSW: Yes, it’s more or less the same.
OLA: More or less the same?
GSW: It’s the same.
OLA: I have thought, and of course you think a lot about this case, it’s a pretty large investigation but… I am wondering if it’s not you that is responsible for the intrusion and transactions then one can ask, and you have your suspicions, but is there anything in this material that you can point at that shows that you didn’t do it?
GSW: It’s hard to say that it’s not me except by saying that I don’t know anyone of those involved.
(OLA and GSW talking at the same time, inaudible.)
GSW: Besides that I can say that I actually had work to do and didn’t have time to sit and do these things.
OLA: Summer 2012?
GSW: Yes exactly.
OLA: Maybe it doesn’t take so long to do this but you can tell anyway, what are you doing when you are busy?
GSW: I am freelancing as a consultant doing graphical development and other…
OLA: Mm, and it was a little bit what you said earlier.
GSW: Exactly.
OLA: So to say you were active summer 2012.
GSW: Yes.
OLA: One can either way ask, since we are specifically asking about the summer 2012, even though the intrusions happened a short while before that, were you physically in Phnom Penh where the computers stood?
GSW: Yes I was.
OLA: You know that you were?
GSW: Yes.
OLA: Have you had any guests at all?
GSW: I have had many.
OLA: Even during this timeframe?
GSW: Exactly. Also people that have been living there for longer periods. I had, like I said, a pretty large apartment very centrally so people often came to the city when living somewhere else in Cambodia or were temporarily in Cambodia and lived in my apartment instead of renting a hotel room.
OLA: I asked the question to the prosecutor if the intrusions and data transfers had to be made (inaudible) is there anything in that regard that you want to inform or say?
GSW: I have nothing to do with either the intrusions or the data transfers so I can just generally point out that it doesn’t have to be the same person.
OLIN: One more question from my side.
JUDGE: Go ahead.
OLIN: You don’t have any obligations to prove your innocence of course, Gottfrid. But now both under this charge and the previous one you have repeated these suspicions that you have, when you’ve said one part don’t you want to say the second part and give some more information about your suspicions?
GSW: Now I will speak personally from the heart so to say. You must understand that here you come and first you talk about several years in prison. Do you know what happens to so called snitches in prison?
OLIN: It’s not my part to answer any questions right now but I understand your viewpoint.
GSW: You have to understand that I can’t expose myself to the obvious risk of losing life and limb. It’s also quite large sums of money so it’s very likely that the actual offenders would go after me if I…
OLIN: So your own security is the reason why you don’t want to say anything more. I respect your answer, that’s what I wanted an answer to. Thank you.
OLA: To add on the same theme, there are even journalists that have called me, not only one but pretty many, but people are wondering a little about whether you’ve been threatened or are afraid of threats from individuals or groups, have there been any?
GSW: I haven’t received any concrete threats, no.
OLA: This with the computer world, hackers breaking into every mainframe and banks and transfer money, this can spontaneously possibly be connected to international crime and serious crime…
GSW: It’s a little bit why I brought up this with that different people can have done the hackings and transfers.
OLA: I can imagine that this is extremely organized.
GSW: Exactly.