Anakata translated hearings

April 30th, 2013 by qnrq

Pasted below are the translated hearings with Anakata regarding the Logica hacking case. The hearings were transcribed by the Swedish government from audio recordings, then OCRed and translated (by me) into English.

2012 09 13
Interrogator: You have previously been served notice of suspicion in several hacking cases, namely that you have gained access to Logica’s servers.
G: Oh well…
Interrogator: What is your approach to the suspicion?
G: I deny crime.
Interrogator: This investigation has gone on since this spring and we have quite a lot of material that we’ve been looking at. There are clear indications in this material that show you would be involved. Do you know of this breach of Logica?
G: No comments!
Interrogator: Do you have any special reasons to why you don’t want to comment?
G: No comments!
Interrogator: Do you know MG?
G: No comments!
Interrogator: Do you know KS?
G: No comments!
Interrogator: Does the lawyer have any questions?
Lawyer: I don’t have a question, no.
Interrogator: No. Then we finish the hearing here. Hearing finished at 13:07.

2012 10 11
Present during the hearing are lawyer Ola Salomonson (OS), interrogator Olle Wahlstrom (OW) and co-interrogator John Steenmark (JS). Suspect is Gottfrid Svartholm Warg (GSW).

OW: Yes, since our last hearing… is there anything that you have thought of that you want to… (The interrogator doesn’t finish his question before the suspect replies)
G: No comments.
OW: This breach of Logica, do you have anything to say about that?
G: No comments.
OW: And if you know MG.
G: No comments.
OW: Or… CS?
G: No comments.
OW: Does the lawyer have any questions?
OS: No.
OW: The time is 09:57 and the hearing is finished.

2013 03 08
(Deputy interrogators Joakim Persson and John Steenmark from the County Criminal Police)

OW: I begin by asking, this apartment where you lived when you were arrested, how long had you lived there?
G: No comments.
OW: When you were in Cambodia did you have any job there or were you running any businesses?
G: Answer yes.
OW: Can you describe further what you worked with?
G: Yes… I freelanced as a consultant and also for nearly two years had an outsourcing company involved in web development.
OW: What was the name of that company?
G: No comments… yes that I can actually answer, it was called Arocore and later Finesy.
OW: You consulted for someone too you said?
G: I freelanced.
OW: At any particular company?
G: Freelanced.
OW: Did you have any income?
G: Yes
OW: Around how much?
G: No comments.
OW: A company called Mysec, have you worked any for them?
G: No comments.
OW: I guess you do not comment if you got any payment from them either?
G: No comment.
OW: In your apartment, we found two computers, a desktop and a MacBook. Were you using them?
G: Not personally, no, they are servers.
JP: Both?
G: Yes, it is quite clear on the laptop, if you doubt it the keyboard was broken. I might add that I actually think Steenmark here can confirm that I always had servers at home.
OW: Yes. If we take this desktop first. What is it used for then? In addition to being a server. What have you done with it?
G: It has been used as a server.
OW: For what purpose?
G: It has been used as a server.
OW: And the MacBook then?
G: It has been used as a server.
JP: What did you have for server software for it?
GS: I have already answered that.
JP: And the answer is?
GS: Yes… ssh, PowerShell Server, Remote Desktop, etc.
JP: On the MacBook?
GS: Yes
JP: What is the OS on the MacBook?
GS: There are two OS installed OS X and Windows 7
OW: And which one have you used?
GS: Both, or well yes I, both of them, I have used at various times.
OW: How long ago was it you used Mac part?
GS: No idea
OW: In the desktop computer, where there was a hard drive that was a bit loose, which had two partitions. My question is, the other partition what did you use it for?
GS: No idea, don’t remember.
JP: Do you remember what is located on the first partitions?
GS: How should I remember that? There are quite many months or years since it was partitioned.
JP: But the data on it is not that old is it?
GS: Yeah, I say what I said previously, it stood as a server. I do not know exactly what was on it. And it’s pretty ridiculous that you have to remember specific things like how my disks are partitioned so far into the future.
OW: The second hard drive which had a Linux OS installed, where you had six partitions. What are the last two partitions there, what do they contain, do you remember that?
GS: Do not remember.
OW: If we take your MacBook then, there was the Windows and Mac. You say you have used both the OS there.
GS: Both OS have been used on the computer and I want to emphasize that it is not me personally that has been using them recently.
OW: No, but have both been used?
GS: Yes, that sounds reasonable.
OW: In Windows, there are many accounts, do you remember who has had accounts on the computer?
GS: Yeah, I know approximately who they are, but…
OW: The account “A” for example?
GS: As I said I recall who they might be and I… for fear of my own life, I don’t choose… I don’t choose who they are.
OW: Are there people who have had physical access to your computers?
GS: In a couple of cases, yes.
OW: Over what period of time then?
GS: Some accounts have been used by multiple people.
OW: Over what period of time have these people had access to the computer physically?
GS: How would I be able to remember that?
OW: I don’t know.
GS: No exactly.
OW: But is it like a day, a week, a month or a year?
GS: How would I be able to remember that? How did you think that… I don’t write a diary.
OW: Yes. You have already talked about how others could access your computers remotely.
GS: Yes.
OW: Who could do that?
GS: I refer to my previous answer.
JP: And how has it been possible to remote access them?
GS: PowerShell Server, Remote Desktop, both installed and active.
OW: What computer are you talking about?
GS: I’m assuming that we are talking about the laptop…
OW: Mm… Remote desktop…
GS: …yes and PowerShell server.
OW: How often has someone connected via Remote Desktop to it?
GS: Don’t know.
OW: Is it often?
GS: Don’t know.
OW: Do they connect via Remote Desktop?
GS: Answer yes. I’m assuming so anyway, I haven’t kept track.
OW: I looked at your log files on the Windows computer, there is not a single connection via Remote Desktop.
GS: Yes… That said, I refer to my previous answers. Remember that PowerShell server is used also.
OW: But you said the Remote Desktop as an example.
GS: I said it as an example yes.
OW: SSH you said too
GS: Yes and PowerShell Server
OW: These people then, who have accessed it. Do you want to say something about them?
GS: Answer no.
OW: Is there any reason you do not want to say…..?
GS: Yes, because I fear for my own life.
OW: These people that you are afraid of, is it people you’ve met physically, who have visited you?
GS: Yes.
JP: Why have they visited you?
GS: No comments.
OW: In Cambodia, which ISP did you have?
GS: Don’t remember.
OW: Cogetel, could that be it?
GS: Don’t remember.
OW: Do you use any VPS or cloud service?
GS: Don’t remember.
OW: Don’t remember or don’t want to say?
GS: Don’t want to say.
OW: On your Windows partition here on the Mac, you can see that your clock is reset quite frequently, manually. Why is that?
GS: Because the backup battery in the computer is broken.
OW: To clarify. What happens then?
GS: To clarify. What happens then? Well, then the clock resets.
OW: To which date?
GS: … or alternatively, alternatively displays wrong.
OW: To which date is it reset?
GS: Good question. It depends on, eh, if when the battery is like half… half… (unhearable)
OW: But most common is?
GS: If it’s entirely nulled so, no I don’t know what that is.
OW: Can it be 1st January 2001?
GS: That sounds like a reasonable epoch date. I can’t comment any more.
OW: When you… adjusted the time then, when it’s wrong… How do you usually do then? Do you set the correct date or how?
GS: I don’t remember.
OW: Do you sync against a server?
GS: Don’t remember.
OW: On your Windows partition, there is a file named t001a, 16 Gb size. Do you recognize that?
GS: Don’t remember.
OW: If we say that it’s a TrueCrypt container
GS: Don’t know.
OW: Nothing you know anything about?
GS: No
OW: Have you ever used it?
GS: I just said that I don’t know about it.
OW: You don’t know about it at all?
GS: No
OW: But it’s still created already 2010 I think it is.
GS: I just said that the time in the computer is wrong.
OW: Yes, not since 2010 I hope.
GS: Bad quality on that fucking… fucking Mac
OW: Mac?
JP: It was almost new 2010
OW: PuTTY do you use it?
GS: No comments.
OW: MG do you know him?
GS: No comments.
OW: Do not want to comment or are you scared or do not know, can you answer that?
GS: No comments.
OW: diROX…?
GS: No Comments
OW: We can see, or we know from before that you had e-mail contact with MG already in 2006.
GS: Now you don’t stick to the time…
OW: Yes, but the question is if you know him.
GS: Yes, I leave no comment on it.
OW: In your computer, there are a number of different log files, the connections you have done to Logica… or that’s in your computer against Logica systems, what were these log files from?
GS: Probably from those who used the computer. Either locally or, more likely remote.
OW: Have you seen these log files?
GS: Answer no. On which of the computers was that?
OW: It’s on the MacBook.
JP: Windows partition
OW: Yes, on your computers, there is a fairly large amount of data coming from Logica, now we’re talking two computers. How did it get there?
GS: Referring to previous answers.
JP: Which are?
GS: Referring to the previous answer.
OW: OK. I told you t001a was a TrueCrypt container, do you use the program TrueCrypt?
GS: No comment.
OW: Do you know if you autostart something with TrueCrypt?
GS: What?
OW: That it mounts anything when you start the computer?
GS: (Inaudible mumbling)
OW: I think we’ll do some questions, Joakim.
JP: Mm, exactly. As you may know MG is also served suspicion of the breach of Logica. And in his material we have found large amounts of chat logs… and now the question is: what username do you usually use on…..?
GS: Yeah, mine is pretty well known, Anakata
JP: Hmmm, do you use other one?
GS: Answer no.
JP: No?
GS: Not normally.
JP: Not normally. tLt. (Rest lost in transcription, MG chatting with tLt in logs.)
GS: I can not answer that.
JP: You can not answer that. In this chat, there’s quite a lot of evidence that a person who is called tLt would be involved in this breach of Logica. There are also indications that this person would be Gottfrid Svartholm Warg.
GS: So, I would like to point out that IRC does not have any form of registration of nicknames or something. It doesn’t require any passwords to…
JP: No.
GS: …
JP: But the nick Anakata is pretty well known.
GS: Yes
JP: Mm. For example diROX asks TiAMO where is Anakata? So he responds Cambodia, that’s correct isn’t it?
GS: That sounds reasonable.
JP: Later diROX writes, talking to tLt. tLt says he’s been very focused on z/OS. Do you know what that is?
GS: No I don’t.
JP: diROX then says that, yes, asks a bit and tLt says that maybe they should speak encryptedly and invites him to SSL mIRC on planet.wideopenbsd.org. Do you know that server?
GS: No Comments
JP: That’s a lot of material. tLt writes for example this also: “hello again, are you doing? right now I’m snorting amphetamine and swear a bit over the electricity, hope it doesn’t disappear again for 18 hours.” Could it be, perhaps that power is lost in Phnom Penh?
GS: I’ve been through lengthy power outages in Sweden too, so it…
JP: 18 hours is maybe a little…
GS: Locally in smaller areas I’ve experienced 36 hour outages.
JP: He also says, among other things… tLt, that he has an SSH key that he uses to backdoor an admin account
GS: Oh well
JP: tLt also writes: so download, and then he writes again that hoho they are so fucking owned, their RACF database tank/etc/passwd. Nothing you recognize?
GS: No
JP: Do you know what a RACF is?
GS: No Comments
JP: And you did not know MG?
GS: I said that I do not comment that.
JP: If we say like this then, in your computer we found a tool called HexMvsdump. Is it something you know anything about?
GS: No Comments
JP: Anyway here diROX writes asking, I need to access the police multi question and tLt replies that, have to crack the RACF database and it’s encrypted with DES encrypted with the password key and then tLt writes, I’m changing the password for a cop. Lower down he writes later, did you crack the db. Yes, says diROX. Looked through it briefly. Have you also gotten my HexMvsdump tool? No I don’t think so, tLt sends a link to Pastebin where it is, diROX replies now so (rest lost in OCR/transcription)
GS: No comments.
JP: Another excerpt here. tLt asking if diROX wants a pair of Infotorg accounts. Approximately 70000 and diROX asks if he has any police accounts. This is nothing you know anything about either?
JP: tLt also writes, I also have complete dumps of amongst others the bailiff registry, only that is 12 Gb haha, got hold of the table of contents, it’s a little easier to find fun things then. Do you know anything about this?
GS: I… just want to comment that bailiff records are public documents.
JP: In your computer we have found the records, which are 10.6 gig. It matches pretty well with this number. Do you have any comments about that?
GS: Nope. Can you show me the notorious bailiff register, what does it contain?
JP: Yes, I didn’t bring 12 Gb printed with me and so but…
GS: You did in the Pirate Bay trial.
JP: Yes, but you know, times change, unfortunately.
OW: Before the trial, you will see the material we present, of course.
JP: diROX also says he wants their records for the tax agency, tLt asks, don’t you want some money from the bailiff too. Yes says diROX, have 1700000 SEK in debt, tLt answers, yes if you have someone to put it on then maybe we can…
JP: Do you know of others who hang in #hack.se?
GS: No comments.
JP: In conjunction with this list of protected security numbers being put on Pastebin, diROX writes that the dump was stolen over a year ago, the one with the protected. tLt answers, yes. diROX responds, it didn’t even include names. tLt writes fuck what a lot of things, and then links to some files. tLt also writes that SPAR is not in the Infotorg/Sema/Logica anymore, however, makes KFMs register REX, you saw that I stole the entire thing.
OW: This specific dump, is it something that was on Pastebin that you recognize? That we talked about, with protected
GS: I’ve seen it on pastebin, yes.
OW: Have you had part of it yourself?
GS: Like I said I’ve seen it on… and it was as said only a list of social security numbers, no secret information in itself… More accurate way of saying it is that it’s the social security numbers for people with protected identities, not security numbers that are in itself protected.
OW: No, that’s right.
GS: I would personally be very surprised if it was on the Internet connected systems over. I assume that it is not…. intrusion has occurred…
JP: diROX also writes that, do you like Cambodia by the way? Mm, says tLt. diROX, found the border between Cambodia and Thailand to be pretty shitty. tLt, yes.
GS: And here I would like to comment that there is more than one Swedish person in Cambodia.
JP: Mm
GS: Even in time of writing, time of speaking
JP: tLt also pasted into a post, including where it says, port 443 is listening waiting for the APT callback, alert advancing port 443 threatening accepted persistent TCP connection from 93.1.86.1.70.54, port number, then commenting advanced printer typewriter fashion. Do you recognize this extract?
GS: No Comments
JP: In your computer, there is a script… exact same excerpt at least three times… And then tLt writes, well look at that. diROX asks, what does this mean now? tLt responds, yes, let get up some of that root. tLt, diROX writes and then, can you access everything now? There’s more; these are just a few excerpts contained in this material. Is that enough?
OW: Yeah, the last thing here, among others…. the script we talked about, there’s a lot of log files in your encrypted container, where this script is used. Do you know of it?
GS: Answer no.
OW: On your computer, in this encrypted container there is a file called prim.gz containing Logica’s RACF database that we talked about in the chat.
GS: I refer to the previous answer.
JP: Should we explain to the lawyer what RACF is?
ML: Yes, please.
JP: RACF database is a user permission database that Logica has in their mainframe systems, with usernames, details of passwords, and in cases where they have Infotorg accounts, also affiliation, organizational membership, and services or yes, company names and such things.
ML: Okay, thank you.
OW: When Logica themselves went through this intrusion, went through their system, they found a number of files that were uploaded to their system. Backdoors, various program files. They came from several different IP addresses. Common to these, many of them, is that they are on your computer, inside your encrypted container.
GS: Yes, I refer to previous answers.
OW: Eg a program called kuku, do you know that?
GS: I refer to the previous answer.
OW: During this breach, he or they that did it compressed a whole lot of Logica’s material into tgz files and then downloaded them with FTP. Even a portion of these compressed files are on your computer in…
GS: …referring to previous answers
OW: We spoke about a SSH key… in the chat, even that is in the encrypted container.
GS: Referring to my previous answer.
OW: In the computer there are also four files with usernames and passwords, it’s over 100 000. Anything you recognize?
GS: Referring to previous answers.
ML: Which computer?
OW: The MacBook. In your computer there is a file called just “out”, it includes a summary of data, raw data from the tax agency.
JP: I have it with me if you want to show it.
OW: Yes, no. This summary is about your security number, you.
GS: Partially I’m referring to previous answers and partially I also want to comment that I am somewhat famous. So there are a lot of reasons why people would look up my information… me.
OW: It’s not queries. They have withdrawn…
GS: Yes but queries… (interrupting each other)
GS: You understand what I mean…
OW: So it is not you who has done this?
GS: No
OW: There is one about Fredrik Neij too, the same.
GS: I refer to the same thing, he is famous too. Famous for having large debts, if it’s the bailiff it’s about then I would like to add that it seems likely.
JP: These are datasets… that are a little, not only at the tax agency, but several different dataset that the data is gathered from, it’s not only tax agency or or bailiff data.
GS: What data is it then?
JP: Datasets that you have… that are on your computer.
GS: Yes it is good that people have decided that I am guilty already from the start. Thanks for that.
JP: I’m sorry, that’s not what I meant. I meant…
GS: …that’s exactly what you meant
JP: I just meant that your computer contains these datasets that the summary is based on.
GS: Yes queries, summary, whatever… I’m still wondering what kind of data it is.
JP: Shall we show it in that case?
OW: Yes, you can do that.
JP: Then you can see for yourself.
JP: The file… name is out.txt
GS: Yes, this is easy to understand?
OW: It’s various data about you.
GS: But where is it from? Half of it is entirely impossible to understand. Then there are some tips I can guess are cash amounts and… some obvious dates… so congratulations, somebody has done a credit check on me.
JP: If it now is a credit check…
GS: I’m guessing that it is.
JP: Considering that the dataset names are also here, D044, and the prefix D044… so it is very unlikely that it would be a credit check.
GS: Equivalent information at least.
OW: A last question about Logica here. We spoke about these social security numbers, the list with the security numbers that was on Pastebin. In your computer you have, in two places, that list.
GS: I’m referring to previous answers.
OW: There is an Excel spreadsheet called infotorgusers. It contains around 3 000 names, people and their permissions in Infotorg. The main portion of these people are police employees. Do you know of this list?
GS: Answer no
OW: Does the lawyer have any questions regarding what we have talked about now?
ML: I don’t have any questions about what we talked about now.
OW: The time is 10:40 and we finish the hearing regarding Logica.

Everything important to Sweden is hacked

April 27th, 2013 by qnrq

“The case is of Swedish national interest due to the very extensive character of the intrusion. The preliminary investigation involves Swedish authorities such as the Swedish Prosecution Authority, the National Bureau of Investigation (Police), the Stockholm Regional Investigation Unit (Police) and the Swedish Security Service (Security Police). […] The accessed data may cause considerable damage to authorities, companies and individuals. The intrusion handled by the on-going criminal investigation is probably the most serious suffered by Swedish IT-systems linked to public authorities. […] The analysis of the intruded mainframe computer makes it evident that an IP-number connected to Cambodian Internet Service Providers/Hosting Services have been used for part of the criminal intrusions, including extensive copying of sensitive data from the mainframe computer.”

This post covers the Swedish government’s legal aid request, which you can read in PDF format here.

The Swedish government’s request for legal assistance again proves that the kidnapping had nothing to do with TPB. The trial conviction was a cheap flag for Interpol to wave so that the Cambodian authorities would act, unlike how they usually go “meh” over internationally wanted pedophiles and murderers hiding in the region.

On 4 October, while the prosecution spokesperson told the media that this circus was due to TPB, Cyrus Farivar wrote in an article published by Ars Technica: Femerstrand also accused the Swedish Security Service of conducting surveillance of Svartholm Warg in Cambodia, “since [at least] March 2012.” (The Swedish Security Service did not reply to our request for comment.) How did I know? They were checking me out too. They visited me in restaurants and documented what I was eating, they photographed the house that I lived in and they filmed me taking out my garbage. Spotting agents is sometimes easy, and probably much easier in Phnom Penh; they don’t blend in. They must’ve sent rookies to Cambodia, I mean we’re talking Hawaiian shirts, straw hats and sunglasses. Reading about myself in the intel on Gottfrid as “one or more Swedish hacktivist in Cambodia” confirms my previous suspicions that they did their homework about me.

Evidence in the case has been gathered from equipment seized from the suspects’ possessions, Pastebin, Ubuntu One, Passagen and IRC (primarily EFNet). Two computers seized from one of the suspects were, according to the lawsuit, encrypted and could not be analyzed by forensics personnel. A few individuals living in Sweden have been visited by Swedish Police agents, had equipment seized and been forced to sit in hearings with IT forensics staff simply for having had online contact with suspects in the case. Several friends who had IRC contact with Gottfrid have noticed hacking attempts on their machines that were traced back to Swedish police agencies. It appears safe to claim that the current police tactic is to throw rocks in the water and observe which rings form.

The Swedish government’s panicked request for legal assistance claims that the alleged data breaches, when added together, are historically the most dangerous ever to target the Swedish government. Interestingly enough the media hasn’t dared to mention it, despite the lawsuit stating that the machines used by the attackers to hack the Swedish Nordea bank (which spent over 10 billion SEK on their secure systems) were in fact owned by the Swedish Parliamentary Administration and the Swedish National Police, which is supposedly also entirely hacked. What should be more interesting to discuss than how somebody allegedly tried to increase some integers in database row columns is how somebody allegedly gained full control of a country’s most important infrastructural parts and went unnoticed for two years.

The question of whether Gottfrid did or did not attempt to transfer money to his bank account is highly irrelevant. What’s actually interesting in this case is that, no matter whether Gottfrid is guilty or innocent, the Swedish government is right now standing bent over with their pants down saying somebody took control of their most critical systems and they didn’t even notice it for two years, despite somebody taking full copies of the data. These obviously existing security issues are not limited to Sweden. The customers of these computer systems, both in the public and private sector, are all purchasing IBM products. IBM mainframes are ranked most secure in the world. Regardless of whether Gottfrid is guilty or innocent the fact remains: somebody has broken the systems on whose shoulders all society-critical elements stand: governments and banks.

The digitalization of our entire society has been proven to be broken. Is the world ready to discuss that, or do you want to continue debating the morals of stealing money on a bank mainframe? Open your eyes, the entire world just broke down and a lonesome bearded supposed drug addict is the alleged mastermind. In your face, Sweden.

Tor node gets raided

In June 2012 the Swedish International Public Prosecution Office requested legal aid from Germany to retrieve all data related to IP 217.13.197.5 after it had been discovered that the address was used to connect to Logica mainframes. The Berlin police raided the premises associated with the IP, which was owned by Speedbone Internet & Connectivity. The server turned out to be a Tor exit node, so no information could be retrieved about any users: an exit node only relays traffic for anonymous clients and keeps no record of who they were. No evidence was found during the raid and nothing was seized. The mainframe accessed stored large amounts of personal and financial data for the Swedish tax agency. Large amounts of data stored on systems used by the Prosecution Office and police authorities were also accessed and downloaded.
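The raid above was wasted effort because nobody checked whether the source address was a Tor exit before acting on it. The following is an added example, not part of the original post or of any material in the case: it parses a snapshot in the format of the TorDNSEL exit-addresses file (https://check.torproject.org/exit-addresses, the `ExitNode` / `Published` / `LastStatus` / `ExitAddress` block format) and marks log lines whose source IP was listed as an exit around the time of the connection. Both the exit-list snapshot and the log lines are constructed for illustration; the fingerprints and timestamps are made up, and the 217.13.197.5 entry is included only to mirror the address discussed above, not because it appears in any real snapshot.

```python
from datetime import datetime, timedelta

# Constructed snapshot in the TorDNSEL exit-addresses format. Fingerprints and
# times are invented; no claim is made about any real relay or date.
SAMPLE_EXIT_LIST = """\
ExitNode 0011BD2485AD45D984EC4159C88FC066E5E3300E
Published 2012-03-10 10:21:33
LastStatus 2012-03-10 12:00:00
ExitAddress 217.13.197.5 2012-03-10 12:05:41
ExitNode 1234567890ABCDEF1234567890ABCDEF12345678
Published 2012-03-10 09:11:02
LastStatus 2012-03-10 12:00:00
ExitAddress 203.0.113.7 2012-03-10 12:01:10
ExitAddress 203.0.113.8 2012-03-10 12:01:12
"""

# Constructed connection log: 'YYYY-MM-DD HH:MM:SS <source ip> <message>'.
# This is an assumed layout, not the format of any real mainframe log.
SAMPLE_LOG = [
    "2012-03-10 12:10:07 217.13.197.5 TN3270 logon attempt",
    "2012-03-10 12:12:51 198.51.100.23 FTP RETR dump.tgz",
    "2012-03-12 08:30:00 203.0.113.7 SSH session opened",
]


def parse_ts(s):
    """Parse the 'YYYY-MM-DD HH:MM:SS' timestamps used by both inputs."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_exit_list(text):
    """Return [(exit_ip, relay_fingerprint, last_seen)] from an exit-addresses file.

    Each ExitNode line starts a block; every ExitAddress line in that block
    names an address the relay was observed exiting from, with a timestamp.
    """
    entries = []
    fingerprint = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode":
            fingerprint = parts[1]
        elif parts[0] == "ExitAddress" and fingerprint is not None:
            entries.append((parts[1], fingerprint, parse_ts(parts[2] + " " + parts[3])))
    return entries


def was_tor_exit(entries, ip, when, tolerance=timedelta(hours=24)):
    """True if `ip` was listed as a Tor exit within `tolerance` of `when`.

    Exit lists are snapshots, so a hit far from the connection time is weak
    evidence either way; the window keeps stale entries from producing a match.
    """
    return any(exit_ip == ip and abs(seen - when) <= tolerance
               for exit_ip, _fp, seen in entries)


def triage_log(lines, entries):
    """Return [(timestamp, source_ip, is_tor_exit)] for each log line."""
    results = []
    for line in lines:
        date, time, ip, _msg = line.split(maxsplit=3)
        when = parse_ts(date + " " + time)
        results.append((when, ip, was_tor_exit(entries, ip, when)))
    return results


if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    for when, ip, tor in triage_log(SAMPLE_LOG, exits):
        verdict = "Tor exit: subscriber data will not identify the client" if tor else "direct"
        print(f"{when} {ip:16} {verdict}")
```

With the constructed data, 217.13.197.5 is flagged as an exit, 198.51.100.23 is not listed at all, and 203.0.113.7 is not flagged because its only listing is more than a day before the connection. A real triage would pull the exit list for the date of the connection (the Tor Project archives historical exit lists) rather than the current one.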

No evidence from Leaseweb

In September 2012 the Swedish International Public Prosecution Office requested legal aid from Germany to retrieve all data related to IP 46.165.196.182. The customer that rented the server could never be found since the service had been terminated a long time before the request arrived and Leaseweb did not keep customer data.

The info below is from the PDF linked at the top and not my personal words.

Detailed information of suspect (12 July 2012)

National Bureau of Investigation
Cyber Crime Unit
Richard Ahlgren

Family name: SVARTHOLM WARG
Forename: Per Gottfrid
Sex: Male
Date of birth: 17/10/1984
Nationality: Sweden

Passport
Passport number: 23810667
Date of issue: 28/01/2003
Place of issue: Stockholm, Sweden
Expiry date: 28/01/2013

Description (dated 26/05/2011)
Height: 175 cm
Eye colour: Blue
Skin colour: Fair skinned
Hair colour: Medium blonde

Links to Cambodia
In September 2011 the trials concerning The Pirate Bay started in the Svea Court of Appeal. Gottfrid Svartholm Warg was not present and it was stated that he was in Phnom Penh, Cambodia. He posted a medical certificate, written in Khmer, to his attorney stating that he suffered from some kind of illness.

According to an article 2009 on the blog of the travel writer Adam Bray, Svartholm Warg had lived for a time in an apartment on top of the Cadillac Bar & Grill in Phnom Penh.

This article also said that Svartholm Warg was the owner of the company Estoy Ltd. Seychelles IBC in Phnom Penh. When he registered the company’s website he stated the phone number +855 929 607 72 (Cambodian number).

In chat logs from the IRC network Svartholm Warg posted in 2009 and 2010 that he was operating from Cambodia. For instance he wrote that he uses the border crossing at Poipet from Thailand to Cambodia.

Driving license
In the seizure from the current investigation a picture of Gottfrid Svartholm Warg’s Cambodian driving license was found. The picture is attached to this document.
Card code: A1.000034
Issue date: 21/01/2009
Address of Svartholm Warg: 4 St. 104 Wat Phnom, Daun Penh

IP information
In chat logs from the investigation Svartholm Warg has been logged on from IP-numbers pointing to Cambodia. These IP-numbers with timestamps are:

124.248.174.161 unknown time Cogetel Online
124.248.167.191 25/03/2012 20:15 (UTC 0) Cogetel Online
124.248.187.150 10/03/2012 12:42 (UTC 0) Cogetel Online
124.248.187.22 04/03/2012 16:11 (UTC 0) Cogetel Online

Other IP-numbers pointing to Cambodia in the investigation are:

203.176.141.205 10/03/2012 01:00 (UTC 0) Mekongnet
27.109.118.33 10/03/2012 19:30 (UTC 0) DTV Starnet

Credit card number
A credit card number with the name Gottfrid Svartholm was found in the investigation.
Number: 4111 3418 0000 2947
Expiry date: 12/10
Name: Gottfrid Svartholm
Issuing bank: Acleda Bank PLC, Cambodia

Intelligence information
The information about Svartholm Warg that follows is to be seen as unconfirmed intelligence information:
– he is a drug addict and a frequent user of marijuana and crystal meth
– he is in very bad shape and may have spent time in hospital recently
– he has earlier or recently rented a house in Cambodia from an unknown American citizen
– he may have contact with one or more Swedish hacktivist in Cambodia
– he (and his network) may have access to at least one Internet Service Provider in Cambodia. That ISP is Cogetel.
– he (and his network) may have access to the mail account of the Mayor of Phnom Penh

Request for assistance

Cyber Crime Unit
Richard Ahlgren

Dear colleagues,

The Swedish National Bureau of Investigation is currently involved in a Cyber Crime investigation concerning a serious computer intrusion. In this investigation we request assistance from the Cambodian Police.

Preamble
The criminal offence being investigated is a very serious case of breach of data secrecy according to the Swedish Penal Code Chapter 4, Section 9c. The case is of Swedish national interest due to the very extensive character of the intrusion. The preliminary investigation is handled by several Swedish authorities such as the Swedish Prosecution Authority, the National Bureau of Investigation, the Stockholm Regional Investigation Unit and the Swedish Security Service.

Suspects
Two suspects have been detained during part of the preliminary investigation and we would appreciate your help with a third one. All suspects are Swedish citizens. The third suspect is:

Family name: SVARTHOLM WARG
Forename: Per Gottfrid
Date of birth: 17/10/1984
Sex: Male

Gottfrid Svartholm Warg is suspected of a breach of data secrecy together with others, on numerous occasions during the period January 1 2012 to April 15 2012. There has not yet been an application for a detention order.

Svartholm Warg is internationally wanted (Interpol file number 2012/318024) in another case as a result of an imposed sentence of 1 year imprisonment in the Svea Court of Appeal 17/04/2009. The diffusion is attached.

His present location is unknown though we believe that he lives in Phnom Penh, Cambodia. See more detailed information in the attached files.

Case details
Intrusions have been made against, inter alia, a mainframe computer operated by a private company, hosting large amounts of personal data/census data from the Swedish Tax Agency, including protected personal data, as well as data of financial nature. Large amounts of data from the Enforcement Authority and the Police have been accessed as well.

The accessed data may cause considerable damage to authorities, companies and individuals.

The intrusion handled by the on-going criminal investigation is probably the most serious suffered by Swedish IT-systems linked to public authorities.

Requested assistance
Our request concerns investigative assistance locating the suspect Gottfrid Svartholm Warg. Furthermore we would like assistance with surveillance of the suspect with the purpose of documenting and analyzing his activities, contacts and locations.

In order to locate the suspect, see the attached document with detailed information. There you can find information about, inter alia, IP-addresses, credit card number, driving license and intelligence information. We have tried to collect and analyse information about his specific whereabouts but we cannot come any further. We now need your assistance.

When the suspect has been located the intention of the prosecutor in this case, Senior Public Prosecutor Henrik Olin, is to file a Rogatory Request concerning a search warrant. In addition to the arrest of Svartholm Warg we would like to seize his computers, mobile phones, hard drives, other digital storage media and personal belongings that can be used as evidence in our case. If necessary and if possible Swedish police officers can assist in the house search.

HAND OVER RECORDS

Evidence number Description
1 Hard Drive Seagate 80 G
2 Hard Drive Hitachi 80 G
3 USB Stick
4 USB Stick
5 USB Stick
6 Memory Card
7 Wireless Access Point
8 Binder
9 3G Dongle With Sim Card
10 Modem Zon
11 Sim Card Tele2
12 Plastic Cover belonging to a Switch
13 Paper With Addresses
14 Business Card
15 Paper From EuroBank
16 Baggage Tag
17 Receipt
18 iPhone
19 Nokia Phone
20 Invoice for MacBook
21 Note Book
22 Bankbook
23 Bankbook
24 Bankbook
25 Passport
26 MacBook
27 Plastic Cover belonging to a Router
28 Surveillance Camera, CCTV
29 16 Home Burned CDs
30 Lock Picking Tools
31 Modem Online
32 Key
33 Key

TPB not the reason

March 22nd, 2013 by qnrq

The Swedish Ministry of Justice issued a statement on the 27th July, 2012, requesting assistance from Cambodia. They wanted anakata arrested. Bertil Olofsson, Head of the International Section of the National Police, and Tom Abrahamsson, Head of Adm and Consular Matters of the Swedish Embassy in Phnom Penh, were quoted by Sveriges Television saying that Gottfrid had been arrested to be brought home to serve his TPB prison sentence.

In reality the request was made in relation to “an ongoing preliminary investigation” [sic]. It turns out it’s not worth pulling people home from exotic countries over petty culture sharing. Admittedly it was a very effective smokescreen. Enjoy Lao, TiAMO :-))

Here’s the letter:

Stockholm, 27 July 2012

To the Competent Judicial Authority
Phnom Penh
The Kingdom of Cambodia

URGENT AND CONFIDENTIAL MATTER

Request for legal assistance in a criminal matter

The Swedish Ministry of Justice presents its compliments to the Competent Judicial Authority in the Kingdom of Cambodia and has the honour to forward a letter of request for legal assistance in a criminal matter.

The request is issued by the International Department of the Prosecution Authority in Stockholm, Sweden and is made in relation to an ongoing preliminary investigation.

The Ministry of Justice kindly asks for your assistance to arrange for the requested measure to be executed.

The Ministry of Justice avails itself of this opportunity to renew to the Competent Judicial Authority in the Kingdom of Cambodia the assurances of its highest consideration.

Harriet Birkeland
Desk Officer

Inside the anakata kidnappers’ lair

February 20th, 2013 by qnrq

This write-up continues the story of anakata’s arrest in Cambodia, previously “Sweden kidnapped my friend” (mirrored here). This piece is based on a public document, dnr UF2012/50964/UD/KC, retrieved from the Swedish Ministry for Foreign Affairs. The document is available in its full form here. According to the Swedish ministry one piece of information has been classified and is therefore missing from the PDF. The document includes the e-mail correspondence between the Swedish Embassy in Cambodia and the Swedish Ministry for Foreign Affairs that occurred when Gottfrid Svartholm Warg was arrested under mysterious circumstances late August, 2012. A translated summary has been included at the end of this article.

It is obvious from the document that several people hired by the Swedish Embassy were made uncomfortable and worried for their safety after being threatened and harassed as a direct result of the previously written story. I would therefore like to begin by saying that there is no way I will ever support such attacks. I highly value and respect everybody that takes the time to follow and try to involve themselves in this outrageous story, but sending hate mail is not the way to go. There are many of us that feel frustrated and angry but this is not the work of single individuals. These events are symptoms of a broken society. We can not fix broken societies by attacking individuals, even if they may be hired to do things that are very sensitive to us. Please do not harass anybody through hate mail; it’s not a very effective way to start debate. Thank you for remaining calm and maintaining hardline Kopimi.

”An interesting detail is that the same Interior Minister [Sar Kheng] visits the Ministry for Foreign Affairs in Sweden this Sunday.”
– Helena Wahlström, Swedish Ministry for Foreign Affairs secretary

Perhaps food for conspiracy thoughts, but the circumstances surrounding Gottfrid’s arrest on Cambodian soil are, to say the least, very intriguing. The public documents of e-mail communication between officials related to the case might not flabbergast those that remember how the US threatened Sweden with trade sanctions if they did not (illegally) shut down The Pirate Bay’s hosting provider PRQ. The newly acquired information reveals some previously missing information:

  • 30 August, 2012: Gottfrid is arrested. US Trade Representative Ron Kirk lands in Phnom Penh. Gottfrid is initially placed in the Ministry of Interior’s Counter-Terrorism department.
  • 31 August, 2012: Gottfrid’s Cambodian visa expires. Gottfrid is visited by ambassador Tom Abrahamsson.
  • 5 September 2012: I personally visit Gottfrid at the Counter-Terrorism department. Swedish ambassador signs deal granting $59.4 mln USD to Cambodia to strengthen democracy.
    Edit by Kristina Svartholm
  • 6 September 2012: Gottfrid is moved from the Ministry of Interior and disappears. Gottfrid’s last location, the Ministry of Interior, says that he has been transported to the embassy. The Swedish Ministry for Foreign Affairs denies to his mother over the phone that he is held in the embassy.
  • 7 September 2012: Cambodian Minister of Interior, Sar Kheng, signs the deportation order. Tom Abrahamsson travels from Phnom Penh to Sihanoukville. I personally visit the embassy which denies that Gottfrid has ever been there.
  • 9 September 2012: Sar Kheng visits the Ministry for Foreign Affairs in Stockholm.
  • 10 September 2012: Gottfrid re-appears in a Ministry of Interior holding cell in front of the airport and is later escorted by Swedish police agents to Stockholm through Bangkok.

The document proves what has previously been stated in the first article: anakata was initially held at the Cambodian Ministry of Interior’s Counter-Terrorism department, it was known that he had no Cambodian defense despite his right to fight in court, the Swedish embassy was visited first by me alone and later by me along with a lawyer, the embassy denied knowing where Gottfrid was being held, the reason why I went to the embassy was because Gottfrid did not have a legal representative and the Cambodian authorities had told us that he was being held at the embassy.

”The connection [between Gottfrid’s arrest and the $59.4 mln USD] is ridiculously far-fetched.”
– Anders Jörle, Swedish Ministry for Foreign Affairs spokesperson

The document ends with conclusions about how hateful and misinformative we are. On 12th September, 2012, Teo Zetterman tweeted using the Twitter account @SweMFA, belonging to the Swedish Ministry for Foreign Affairs. @mirkoschaefer asked for a comment on the first article that I wrote on this subject and received in response: “No, that is a work of fiction.” Those were the official words said by the Ministry for Foreign Affairs after they had received defensive e-mails from the ambassadors. I would love to hear from the Ministry about what exact parts were fictional. The public documents covering their e-mail correspondence sure syncs pretty well with what was previously said.

The reaction that the initial article sparked in these internal governmental cliques was rather expected. Logically the embassy would immediately defend itself and claim that everything was handled properly. Not because they had done something particular but because that’s the information they were provided, as it now turns out, from the agents working for the Swedish Security Service. As soon as the embassy was made aware of our interest through my presence at their office the first suggestion was that they would start talking through other mediums than e-mail. Why? Because e-mail is automatically logged and goes public after a while. Any suggestion to communicate over other channels is a giant threat to democratic transparency. Journalistic interest was immediately considered harmful and they reacted accordingly.

Now that the e-mail correspondence has gone public it is much easier to trace the faults in this circus. The embassy trusted that the agents working for the Swedish Security Service told the truth when they said that Gottfrid had been informed about his rights to legal defense in Cambodia. In the e-mails the embassy wrote saying that the Swedish agents claimed to have visited Gottfrid on a daily basis. According to himself Gottfrid was visited only once by the ambassador on the day of his arrest. He is unaware of being visited daily, which one might expect somebody who has been arrested and informed about his rights would be quite certain of.

”Cambodian and Swedish authorities blurred the lines between deportation and extradition to limit Svartholm Warg’s legal options.”
– Sok Sam Oeun, Cambodian Defenders Project

The Swedish embassy is obviously the source for the information that was later echoed officially by the Swedish Ministry for Foreign Affairs calling the previous piece “a work of fiction”. And instead of receiving responses saying “hey, maybe we should just let the kid with the attorney sent by that other kid’s mother through” they immediately turn into victims sending sympathies and making sure that everybody understands that everything has been handled correctly. Not because they prove it, or prove how the opposite side is lying, but because they were told so by agents working for the Swedish Security Service. The embassy wants to make it seem like the previous article was some sort of hate campaign trying to defame its employees personally, when what was said can now partially be found in these public documents. Previously they concluded my presence, mission and reasons. Gottfrid did not have a lawyer, that’s why I brought one. We heard that he was in the embassy and when we asked them they had no idea. They were unwilling to co-operate in finding one of their own citizens. With the documents from behind the scenes secured it appears that they were, as a matter of fact, unwilling to co-operate in going against the human rights violations played out by the Swedish Security Service.

I guess it’s time to find out exactly how dangerous it is to be right when the government is wrong.

Edit by Kristina Svartholm:
At 6 September I was told by Niklas that the Cambodian authorities once again said that Gottfrid had been moved to the embassy. This was denied (not confirmed – correction!) by HW to me over the phone. HW couldn’t tell me exactly where he was, however.

At 7 September I was really worried about Gottfrid. This was the third day that he was gone. Where was he??? Thus, in the morning I requested that someone from the embassy should find him and visit him. The answer from HW was that this was impossible. They had visited him once, a week before that, and this was enough, the embassy didn’t have time to do it again that same day. At this point my voice became loud; maybe I also cried on the phone.

Later the same day I was told by HW that they had visited Gottfrid and that he was ok. Today I can read in the documents that his visitor was from the Swedish police. According to the mail from HW this police man had met Gottfrid “every day”.

Why couldn’t the Ministry of Foreign Affairs tell me about this earlier???
So much worry, so much anxiety.
Was it really necessary to treat us like this?


UF2012/50964/UD/KC translated summary

Timestamps are specified as retrieved from the original Swedish document. Please note that the Swedish government has inconsistently excluded timestamps for unknown reasons. It is unknown if any additional modifications have been made by the government.

30 August 2012 10:07
Tom Abrahamsson (TA), Head of Adm and Consular Matters of the Swedish Embassy, Phnom Penh, Cambodia, sends a high priority e-mail to the Swedish Ministry for Foreign Affairs informing that a Swedish citizen, Gottfrid Svartholm Warg (GSW), has been arrested in Phnom Penh due to an international warrant.

30 August 2012 10:43
TA sends an e-mail asking: “Who contacts the mother? Who will keep in touch with the lawyer in Sweden?”.

30 August 2012 10:43
Helena Wahlström (HW), Department for Consular Affairs and Civil Law of Swedish Ministry for Foreign Affairs, announces that “this man has landed on my desk”.

31st August 2012 (timestamp removed)
HW writes that she hopes that the embassy will provide a confirmed reason for the arrest during the day. It is unconfirmed if the arrest is due to an international arrest warrant. Future questions about extradition treaties are further referred to the BIRS department of the Swedish Ministry of Justice.

31st August 2012 (timestamp removed)
HW writes that she has just hung up the phone with consular responsible TA who has just visited GSW. GSW is only replying with yes or no to questions and replied yes when asked if his mother should be informed. GSW is said to be at the Cambodian Ministry of Interior Counter-Terrorist department. HW speculates that the location might be due to lack of space in other places and that GSW might eventually be transferred to some sort of migration jail the coming week. It is unknown how the extradition process will occur, and if it even will.

31 August 2012 10:25
HW e-mails that she understands that GSW “is not so interested” in keeping contact with the embassy. She quotes GSW’s mother, Kristina Svartholm (KS), asking about the conditions that GSW is held in, whether he has food or not and if he is able to call the embassy. It is still unconfirmed that the arrest has happened due to an international arrest warrant.

4 September 2012 11:01
Camilla Åkesson Lindblom (unknown) e-mails HW saying that she has been called up by Monique Wadsted asking for information about GSW.

4 September 2012 (timestamp removed)
TA writes that there have been many questions from Swedish and international (mostly Cambodian) media. It is still uncertain what the following step will be in the eventual extradition process. TA also asks if anything can be said about legal defense for GSW. TA asks if GSW has been offered defense or if it has been solved privately.

6 September 2012 11:35
TA writes that GSW has not been moved out of the country. Supposedly the Cambodian government will decide today. When the decision is made it will take the Cambodian government 2-3 days to execute the extradition.

7 September 2012 06:49
Anne Höglund (AH) writes that she has been visited by GSW’s friend Niklas who brought a lawyer. “They had also been told that GSW would be here, which I of course strongly denied and referred them to Cambodian authorities”. AH also writes that she thinks that it is wise to keep in touch through mediums other than e-mail.

7 September 2012 11:44
HW writes that replies and referrals should be given by another ministry. KS has called saying that she heard from Cambodia that GSW has been moved to the embassy. KS also expressed concerns that GSW had been moved and dumped in a third country. HW continues saying that KS also told the Swedish Ministry for Foreign Affairs that GSW had not been provided a lawyer. “I have informed and reasoned multiple times about the consular mission and what we can and can not do.”

7 September 2012 (timestamp removed)
HW writes that KS is calling and is very worried because the previously mentioned friend and lawyer is being told that GSW is held in the embassy. HW asks if it is possible to figure out where GSW is now being held.

7 September 2012 (timestamp removed)
HW writes that she has spoken to AH who was just visited by the Swedish police agents that will escort GSW to Sweden. The agents that picked up GSW’s temporary passport said that they had visited GSW “every day, last time this morning local time”. Their evaluation is that GSW is feeling very good despite the circumstances. AH does not know exactly where GSW is being held. The extradition order has now been signed by the Interior Minister [Sar Kheng]. The escorted extradition will occur on Monday the 10th September. “This can of course not be shared with external parties.” HW continues by writing that “an interesting detail” is that the same Interior Minister visits the Ministry for Foreign Affairs in Sweden “this Sunday”. She says that she will call “ASO” because “there might be questions”. The embassy has been visited by “a friend of GSW + a local lawyer” since Swedish ministries have continually stated that GSW is being held at the embassy, which was denied by AH. “Furthermore at the embassy it was insinuated that the embassy doesn’t comply with its consular missions etc. KS is also expressing this to me daily.”

7 September 2012 (timestamp removed)
HW writes that GSW’s previous lawyer in Sweden, Ola Salomonsson (OS), has called asking if GSW may contact him; HW’s reply being that it will be discussed with the embassy but that it is a question for Cambodian authorities and that it’s uncertain whether the response can reach him before the weekend. OS also said that he had contacted a lawyer in Cambodia [Sok Sam Oeun].

10 September 2012 06:48
TA writes that GSW will be departing from Cambodia around 8 local time.

10 September 2012 07:21
TA writes that they are trying to figure out if OS can call GSW. “OS doesn’t know that GSW is leaving for Sweden tonight.”

10 September 2012 08:20
TA responds that Cambodian authorities gave permission to contact GSW. TA says that the embassy will let OS through because “KS has been worried” (sic).

10 September 2012 (timestamp removed)
HW writes that OS has been informed and will attempt to establish contact with GSW.

10 September 2012 12:30
HW writes a remark that OS doesn’t formally represent GSW legally.

10 September 2012 16:03
TA writes that GSW has been sent out of the country.

11 September 2012 05:42
AH writes a long defensive rant. She begins by saying that GSW’s friend Niklas is lying. She confirms what has previously been said: Niklas visited the embassy once and returned later with a lawyer after hearing that GSW had been held at the embassy. “I was always very friendly and correct towards them and we had a very civilized chat that they are now trying to turn into something else. Perhaps I should not have spoken to them alone but there was nobody updated present. And it is hard to reject him, then we would be criticized for that.” She later writes: “I suppose that the best now is to not answer to any questions at all. I have a feeling that anything we say will be distorted. Here in Cambodia people are used to human rights violations and always expect governmental abuse. Therefore nobody has been troubled to write anything about GSW and the crimes he has committed but the focus is on how he is being treated and people are always trying to find faults in the actions of the government. People in the embassy are worried that this will cause problems for us. Don’t know how much blogs like these can spread and if it can affect the Ministry for Foreign Affairs somehow.”

11 September 2012 08:46
Karl-Anders Larsson (KAL) writes saying: “Here is a link to a blog. If this spreads (which is highly likely) then we will have some problems. We partially already have it in today’s PPP. Would be good if we can talk about this on the broadcast meeting.” The link goes to http://qnrq.se/sweden-kidnapped-anakata/

Several governmental workers express their sympathies regarding the “highly subjective” reports about GSW’s arrest.

September 13 2012 10:40
AH writes that the “attacks from PB followers” (sic) are very uncomfortable. AH continues that her e-mail has calmed down and that they have been given some food for thought in computer security. “These people are very hateful.”

rc_openpgpjs: Ending seven years of Roundcube insecurity

January 7th, 2013 by qnrq

Roundcube is a popular open source IMAP webmail application. Roundcube is used by Harvard University, UC Berkeley and University of Michigan. Apple Mac OS X 10.7 uses Roundcube by default in its Mail Server. While writing this a lazy Google dork estimates 133 000 public Roundcube installations.

PGP support was first requested seven years ago and set to critical six years ago. PGP support has been requested actively ever since. One of the core developers began the development of his PHP implementation, the Enigma plugin, two years ago but the plugin has not been made functional yet.

Today I am proud to release a beta version of my Roundcube plugin that implements PGP using the OpenPGP.js (based on GPG4Browsers) JavaScript library. rc_openpgpjs enables OpenPGP to function in the user’s browser so that fundamental key storage security isn’t immediately broken by design, in contrast to the official Enigma plugin.

At its current beta stage, rc_openpgpjs is able to generate an encryption key pair, save it in HTML5 web storage (in your own browser, guys) and perform encryption and decryption of email. rc_openpgpjs works in any modern browser that can parse HTML5 and supports the window.crypto object. Unfortunately this is limited to Google Chrome today, but Mozilla is working on it.

rc_openpgpjs is available on Github. rc_openpgpjs will become stable as soon as some small glitches have been corrected. It has been written for Roundcube 0.8.4 with the Larry skin.

Introducing TrueCrypt Volume Manager

January 5th, 2013 by qnrq

Linux has DM-CRYPT, FreeBSD has GEOM_ELI and Oracle is holding ZFS encryption options closed source. The incompatible nature of encrypted storage throughout various UNIX systems is an obvious problem. TrueCrypt supports most popular platforms but until now there hasn’t been a simple way to organize and maintain TrueCrypt containers over different types of systems. TrueCrypt Volume Manager aims to be this bridge.

TrueCrypt Volume Manager, shortened TCVM, is a UNIX shell environment written in Python. It provides a simple CLI shell interface to easily create, mount, unmount and list containers and also the possibility to easily change the passphrase of a given encryption container. Since TCVM is intended to run as a UNIX shell, this allows you to securely administer your TrueCrypt containers over the SSH protocol.

TCVM also provides the function to automatically generate secure passphrases for TrueCrypt containers and store the passphrases in a separate container. This function is fully optional to use and is essentially inspired by the KeePass project. TCVM flexes a custom wrapper for TrueCrypt.

Please note that TCVM is still new and may be slightly rough around the edges. I am happy to fix any issue you may encounter.

The project is available on Github.

Introducing panic_bcast

December 13th, 2012 by qnrq

panic_bcast is a network protocol panic button operating decentralized through UDP broadcasts and HTTP. It’s intended to act as a panic button in a sensitive network, making it harder to perform cold boot attacks. A serious freedom fighter will run something like this on all nodes in the computerized network.

How it works

1. An activist has uninvited guests at the door
2. The activist sends the panic signal, a UDP broadcast, with panic_bcast
3. Other machines in the network pick up the panic signal
4. Once panic_bcast has picked up the panic signal it kills truecrypt and powers off the machine.
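The UDP leg of the procedure above, as an added example that is not panic_bcast’s own code: a plain broadcast lets any device on the LAN power off every node, so this version signs the panic datagram with an HMAC, a timestamp and a nonce, and receivers act only on a fresh, authentic signal. The shared key, the port, and the dismount/shutdown commands (`truecrypt -d`, `shutdown -h now`) are assumptions of the example, not details from the page.

```python
"""Authenticated UDP panic signal (added example, not panic_bcast's code)."""
import hashlib
import hmac
import json
import os
import socket
import subprocess
import time

SHARED_KEY = b"constructed-example-key-replace-me"  # constructed placeholder
PANIC_PORT = 8081          # assumption; the page only names 8080 for HTTP
MAX_AGE_SECONDS = 30       # reject signals older than this (clock skew budget)


def build_panic_message(key, now=None, nonce=None):
    """Return body + '.' + hex HMAC-SHA256(body). Body is canonical JSON."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(8).hex() if nonce is None else nonce
    body = json.dumps({"v": 1, "cmd": "panic", "ts": now, "nonce": nonce},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def verify_panic_message(msg, key, seen_nonces, now=None):
    """True only for an authentic, recent, never-before-seen panic command.

    seen_nonces is a set the caller keeps for the process lifetime so a
    captured datagram cannot be replayed to trigger a second shutdown.
    """
    now = int(time.time()) if now is None else now
    try:
        body, tag = msg.rsplit(b".", 1)
    except ValueError:
        return False
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return False
    try:
        fields = json.loads(body)
    except ValueError:
        return False
    if fields.get("v") != 1 or fields.get("cmd") != "panic":
        return False
    ts = fields.get("ts")
    if not isinstance(ts, int) or abs(now - ts) > MAX_AGE_SECONDS:
        return False
    nonce = fields.get("nonce")
    if not isinstance(nonce, str) or nonce in seen_nonces:
        return False
    seen_nonces.add(nonce)
    return True


def send_panic(key, port=PANIC_PORT):
    """Step 2: the activist broadcasts the signed panic signal on the LAN."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(build_panic_message(key), ("<broadcast>", port))


def panic_actions(dry_run=True):
    """Step 4: dismount all TrueCrypt volumes, then power off (assumed commands)."""
    cmds = [["truecrypt", "-d"], ["shutdown", "-h", "now"]]
    if not dry_run:
        for cmd in cmds:
            subprocess.call(cmd)
    return cmds


def listen(key, port=PANIC_PORT, dry_run=True):
    """Step 3: block until an authentic panic signal arrives, then act."""
    seen = set()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("", port))
        while True:
            data, _addr = s.recvfrom(4096)
            if verify_panic_message(data, key, seen):
                return panic_actions(dry_run)


if __name__ == "__main__":
    # Offline self-check: a signed message verifies once, then is a replay.
    seen = set()
    msg = build_panic_message(SHARED_KEY)
    print(verify_panic_message(msg, SHARED_KEY, seen))  # True
    print(verify_panic_message(msg, SHARED_KEY, seen))  # False (replay)
```

Run `listen(SHARED_KEY, dry_run=False)` on each node and `send_panic(SHARED_KEY)` from the triggering machine; with the default `dry_run=True` the listener only returns the commands it would have run.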

panic_bcast was written with the intention to support any form of UNIX that can run Python. It has been tested successfully on Linux and FreeBSD.

To trigger the panic signal over HTTP simply request http://…:8080/panic from a machine that is running panic_bcast. Whichever will do.

Please note that panic_bcast is a beta and more sophisticated ways to prevent cold boot attacks are planned. You can view these plans by searching for the word “TODO” in the source code.

The source code is available on Github.

Remember kids: there’s no home for swap in opsec.

Sweden kidnapped my friend

September 10th, 2012 by qnrq

Gottfrid Svartholm Warg, anakata, was arrested in his Riverside Phnom Penh apartment late August. I was personally at Cadillac bar located on the ground floor of the same building where Gottfrid lived. I have visited him on several occasions since I moved to Phnom Penh in January. It was nothing unusual for Kenny, Gottfrid’s friend and landlord working at Cadillac bar, to ask me if I would be going up to see him. This time was the first time that I went to Cadillac bar alone and did not visit Gottfrid. Perhaps I chose not to because of what they call gut feeling. I don’t remember feeling anything strange, but for the very first time I decided not to drop by.

The very next day I had caught a bad fever and called in sick to work. I didn’t hear about the news until Saturday when a friend of mine called asking what I knew. I was still lying sick in bed, but as soon as I heard what had happened I went down to Cadillac bar to try and figure out what was going on.

When I reached Cadillac I immediately understood that I had been told the truth. Kenny would usually greet me with an enthusiastic smile upon my arrival. This time he sat pale white at the bar and didn’t even turn around to look at me when saying hello. The bar was however more crowded than I expected and I figured that it was probably for the best to not bother asking any questions. I finished my pasta dish, paid the note and said good bye to Kenny’s back before heading back home.

A mutual friend of mine and Gottfrid, who was in contact with his mother, spoke to me a couple of days later and asked me to speak to Kenny so we could organize something and also stream information between here and there more efficiently to keep Gottfrid’s parents updated. We cleared the trust issues and started talking.

I learned that Kenny was actually the best friend of Gottfrid available at this time. From the moment that Gottfrid was detained Kenny would go to the Ministry of Interior’s Counter Terrorism department on a daily basis to ensure that Gottfrid would meet a friendly face. He would bring food, soda and books. Everyday Kenny came and asked Gottfrid if he had been told anything, been asked questions or been visited by someone. Gottfrid was only visited the first day of arrival by the Swedish embassy but they never asked anything or told him his rights or really what was going on.

At this point in time the news had already hit the global mainstream press. Gottfrid’s Swedish lawyer, Ola Salomonsson, had no idea what was going on. Initially the Cambodian authorities said that Gottfrid had been detained due to breaking local laws and that after he had been detained they realized that he was internationally wanted by Interpol. The underlying tone was that he had been found merely by coincidence. Later it turned out that they had arrested him in connection to his visa expiring.

The day after Kenny received the verification that I was OK to speak with, 5th September, he brought me to visit him at the Ministry of Interior. I left my phone in the office due to paranoia and when we arrived and I saw the big sign on the building with a Khmer sentence translated to “Counter Terrorism Department” I immediately understood that this was something bigger than an expired visa. Even though his passport had been revoked when he became internationally wanted by Interpol, Gottfrid still had a valid visa until the day of his arrest.

We entered the building and were put in a room with three huge CRT monitors connected to one desktop PC each facing the wall on the opposite side of the room. We were ordered to place the meals that we brought with us on a table with the plastic bag containing canned Fanta. The officers took no interest in the books that we brought for him. We were then told that we may go into the hallway again and continue into the room where Gottfrid was held. The door was already open and there were approximately 8 officers present and additional ones lurking in the shadows around the hallway. Kenny went in first and I followed. When Gottfrid saw me he immediately looked from officer to officer in what seemed like an attempt to figure out if there was something special related to my presence. I came in muttering “so this is where the terrorists hold the antiterrorist”.

The room looked like a classical classroom with lined up benches. Gottfrid was sitting at the front, where a teacher would stand in a school environment, in a woven wooden chair, tilted so that he could lie with his back at 45 degrees and his legs at 90. He was sitting upright with his legs crossed wearing the blanket. The officers weren’t freezing but Gottfrid was obviously not enjoying the forced air conditioning. The second we started to speak Swedish with each other all officers but one left the room. A few minutes later they rushed back in and told us that we only had five minutes more. We headed out and passed the guard at the gate a $1 bill.

The following day when Kenny returned with all the regularities he was denied entrance. The officers at the Ministry of Interior said to him that Gottfrid had been transported to the Swedish embassy. We called the Swedish embassy who did not pick up the phone. We called the Swedish Ministry of Foreign Affairs who hung up on us. Later the Swedish Ministry of Foreign Affairs told Gottfrid’s mother over the phone, when she specifically asked for it, that he was in the ministry.

At this point Gottfrid still hadn’t been reached by Ola Salomonsson and Gottfrid was never offered a lawyer by the Swedish embassy. Swedish authorities told Swedish press that Gottfrid was being extradited because he was wanted by Interpol to serve his one year sentence which he was convicted to in The Pirate Bay trial. The Swedish authorities lied through their teeth. Gottfrid wasn’t being extradited, he was being deported under the Cambodian immigration law. But people that are deported can choose where to be sent and also leave the country by their own free will. Deported people also have the right to fight the decision in Cambodian court. Of course Gottfrid was never informed about this by the Swedish embassy. They also forgot to inform Gottfrid’s Swedish lawyer.

Suddenly we became very stressed about the whole situation. Gottfrid needed to know that he had the right to a Cambodian attorney and to fight in court and he also had to be informed that it was up to him to demand it. The Swedish embassy never told him this, as later confirmed by Anne Höglund: the ambassador who signed the $60 million USD aid deal.

I went to the Swedish embassy in Phnom Penh on the 10th floor in the Phnom Penh Tower. I felt really helpless and didn’t know what to do. I felt desperate to have a face to direct my questions and frustration towards. Since the information that we had available indicated that he was captured in the same embassy that refused him his rights my initial idea was to go there and pass him my message as loudly as I possibly could through the walls.

I reached the reception who asked me why I was present. I told them I was there as a friend of Gottfrid’s uninformed parents and soon enough I met Anne Höglund. I found her quite rude for never inviting me to any form of office room or something, instead she had me standing in the reception asking her questions. She told me the opposite of what we had heard from the Cambodian Ministry of Interior and the Swedish Ministry of Foreign Affairs: Gottfrid had never been there. I explained in a very serious tone that this was a matter of human rights, that he hasn’t been convicted for anything but The Pirate Bay and that it is their job to do what they had not done.

We were interrupted by around 6 people that came into the embassy to speak to Anne Höglund. I let her know that our discussion was not over even though she didn’t assign another agent to handle my complaint and Tom Abrahamsson had coincidentally gone on vacation to Sihanoukville this particular day. Gottfrid’s mother was informed that Tom, the Head of Adm and Consular Matters, was the person that had visited Gottfrid. He didn’t leave the country or so, he just travelled four hours out of the city but was entirely impossible to contact.

I left the embassy and came back with Gottfrid’s mother’s Cambodian legal representative: Mr. Sok Sam Oeun. Sok Sam Oeun is currently the Executive Director at the Cambodian Defenders Project. In 1995 he won the Award of Defenders of the Year presented by California Defender Association and in 2002 he won the International Human Right Awards presented by the American Bar Association. He has over 20 years of experience in human rights and is also an expert on the international relationship between Sweden and Cambodia. He was early to be quoted in some articles regarding Gottfrid’s deportation. I brought him with me back to the Swedish embassy.

When we arrived they were obviously tired of me already. Unluckily for them I am a Swedish citizen and thus they can not deny speaking to me. And this time I also brought my backup: Mr. Sok Sam Oeun. I went through the process of informing the reception about what I wanted. At one point the Khmer receptionist picked up a phone and pointed at another one on my side of the protective glass. I picked it up and heard him say something, but figured it was a too long sentence to be for me. He shouted at me asking if it worked. I shook my head. He pointed at one on the opposite side of the desk. I picked it up and he asked me again if it worked. No luck. He pressed some extra buttons which I figured was actually required to connect to the proper phone on the line and I picked it up. The receptionist stared deeply into my eyes and said “you’re here regarding Gottfrid, right?”. I told him that was correct. Without blinking and still staring at me he then proceeded by asking “the fool that got arrested, right?”. I was in a bad position to throw a fight over his wording and simply confirmed once again. “I will ask for permission and then we will see.”

Before 10 minutes passed Anne Höglund came into the waiting room. “Oh, it’s you again”, she muttered in Swedish, clearly unhappy over me. “Yes”, I said, “but this time I brought backup”, and presented her Mr. Sok Sam Oeun. I said that since this was a very high profile case we must make sure that everything is legally correct, and of course that Gottfrid’s parents were very worried. When Sok Sam Oeun spoke to Anne Höglund and asked her questions she quickly fell into absolute defense mode. She crossed her arms and her every movement increased in speed. She was very stressed. She continued to say all sorts of truly absurd things such as “he does not need a lawyer” and that they had done everything they have to do. I deceptively nodded and it seemed like she considered Sok Sam Oeun to be the bad guy and me to be the good guy in the situation. She was subconsciously looking for me to agree with her and I met her with a confirming face conforming her to continue her lies.

Anne told us that in “every normal case” the Swedish embassy would provide the suspect a list of attorneys from where they could freely pick their defense. I told her that it was absolutely irrelevant how they handle normal cases because if it was a normal case then Gottfrid wouldn’t be held by counter terrorists over an expired visa. An expired visa in Cambodia usually doesn’t generate more problems than having to pay a fine when leaving the country.

She denied that Gottfrid had ever been in the embassy and said that this idea was absurd. She got stuck in a loop, I think she repeated her nervous “no” at least a dozen times before asking “who said that?”. Apparently we needed to speak to the Cambodian authorities because this was a police issue. Anne said it was an issue handled to a 100 % by the police and that the embassy had no interest in this. “Even if he has disappeared?”, Sok Sam Oeun asked her. I told her that right now we have a situation where the Ministry of Interior, Gottfrid’s last known location, said that Gottfrid was in the embassy and the embassy is saying that they don’t know where he is. I never told her that we had also heard the same information independently from the Swedish Ministry of Foreign Affairs and that the information that Anne was giving us was the exact opposite of that. Anne stood her ground: she didn’t know anything, didn’t understand why we were at the embassy and was not willing to cooperate with us in an attempt to figure out Gottfrid’s whereabouts. She made herself entirely unavailable to us so we parted.

According to Cambodian law Gottfrid’s parents’ attorney has the same right to speak to Gottfrid as Gottfrid’s own attorney, if he would’ve had one. Anne obviously either forgot or ignored this and she was never interested in respecting Sok Sam Oeun’s authority. The way the case unfolded it is very obvious that the Swedish embassy lied to us, tried to convince us that Gottfrid was not in need of a lawyer and denied his fundamental human rights both in Sweden and in Cambodia. Gottfrid’s mother got similar information from the authorities in Sweden. She was told that the process of deportation would not be a juridical process as such and thus no lawyer would be involved. Anne wanted to convince us into believing that Gottfrid was detained because of his invalid visa. Either Anne Höglund is entirely incompetent or she tried misleading us and denied us our rights because she knew that we had the legal possibility to take the matter to court and possibly have Gottfrid sent to another country other than Sweden, since he was after all being deported and not extradited. Perhaps Anne is an incompetent liar who fails to understand why someone that is locked up by counter terrorists needs access to a lawyer whether he’s charged for a crime or not.

After the coincidence with the $60 USM aid package granted by Sweden to Cambodia was settled Anders Jörle, spokesperson for the Swedish Ministry of Foreign Affairs, told media that the connection between Gottfrid and the money was “ridiculously farfetched” and that nobody sentenced to one year in prison is worth that amount of money. Of course he never told the press exactly where Gottfrid was locked up in Phnom Penh or that parts of the case for what he is being kidnapped for is classed secret by the Swedish Ministry of Justice. He also forgot that somebody that has been openly involved in both The Pirate Bay and WikiLeaks might be worth it. Everything around Gottfrid must truly just be a big coincidence. We’re just waiting for them to stop shaking and cross their arms and show us exactly how they’ve acted correctly according to current national and international laws before we can truly believe it. Until these things are cleared out and proven to be correct I’m going to refer to this incident as the event where Sweden illegally kidnapped by far the most intelligent person I have ever learned to know.

Until this day neither Gottfrid’s Swedish attorney nor his mother’s Cambodian attorney has been able to contact Gottfrid.

We miss you, Gottfrid

Presenting DNSDH

March 29th, 2012 by qnrq

DNSDH is a protocol for exchanging cryptographic keys using the Diffie-Hellman algorithm. Instead of exchanging keys traditionally, the clients speak to a bogus DNS server to initiate an encrypted session in an existing channel of communication. The cryptographically relevant packets travel through a data path that appears to be normal domain name resolution queries, so the exchange remains stealthy and effective even behind limited and surveilled networks. Note that the DNS server only pretends to be a name server: it speaks the language of DNS lookups but performs different tasks.

The bogus DNS server is the center of the key exchange. It uses memcached to store data in memory and deletes any output after it’s been delivered to its recipient. The point of DNSDH is to establish a reliable network enabling anything that can perform a DNS request to exchange cryptographic keys using discrete bogus domain name queries. The nodes communicating, Alice and Bob, could possibly be two cellphones, IRC clients or even death stars. It’s also a great blast to teasingly merge cryptographic key exchanges with traffic that is rarely looked at by network administrators unless they want to censor or monitor you.

When initializing the session Alice first declares the values of p, g and Alice’s private key (alice_private) and then queries the bogus DNS server with dnsdhinit.p.g.alice_public. The DNS server creates a sessionid and stores it in memory together with the data provided in Alice’s query. Alice tells Bob that she wants to talk privately and sends him a packet containing the sessionid provided by the DNS server. Bob queries the DNS server with the sessionid received from Alice. The DNS server replies with the information provided in Alice’s query. Bob then proceeds by declaring his own private key (bob_private) and calculates the value of his public key: g^bob_private mod p. Bob can then calculate the secret he shares with Alice: alice_public^bob_private mod p. Then Bob queries the DNS server with dnsdhinit.bob_public, receives an id and sends it to Alice in a packet. Alice then queries the DNS server with the id, receives bob_public and calculates the secret she shares with Bob: bob_public^alice_private mod p.

Alice

$ ./client.example.pl 1337 1338 init
[+] Generating keys...
[+] alice_pub_key: 7
[+] alice_priv_key: 19
[+] Query dnsdhinit.23.5.7
[+] SEND DNSDH_INIT: 6035559
[127.0.0.1:58602]: DNSDH_FINISH: 9300804
[+] Query sessionid.9300804
[+] p: 23
[+] g: 5
[+] bob_public: 1
[+] Shared secret: 1

Bob

$ ./client.example.pl 1338 1337
[127.0.0.1:60267]: DNSDH_INIT: 6035559
[+] Query sessionid.6035559
[+] p: 23
[+] g: 5
[+] alice_public: 7
[+] Generating keys...
[+] bob_pub_key: 1
[+] bob_priv_key: 0
[+] Shared secret: 1
[+] Query dnsdhinit.1
[+] SEND DNSDH_FINISH: 9300804
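The exchange described above, as an added example that is not the DNSDH project's own Perl code: a Python dict stands in for memcached, session ids are random numbers (an assumption), and, unlike the transcript where Bob's private key of 0 produced bob_pub_key 1 and a shared secret of 1, degenerate public values are rejected before a secret is derived.

```python
import secrets


class BogusDnsServer:
    """Stand-in for the bogus DNS server: a dict replaces memcached (constructed)."""

    def __init__(self):
        self.store = {}

    def query(self, name):
        labels = name.split(".")
        if labels[0] == "dnsdhinit":          # dnsdhinit.p.g.pub or dnsdhinit.pub
            sid = str(secrets.randbelow(10**7))  # assumption: random 7-digit id
            self.store[sid] = labels[1:]
            return sid
        if labels[0] == "sessionid":          # sessionid.<id>
            return self.store.pop(labels[1], None)  # deleted once delivered
        return None


def valid_public(pub, p):
    # 0, 1 and p-1 yield a trivial shared secret (1 or p-1) whatever the peer picks,
    # so a participant must refuse them; the transcript's bob_pub_key 1 is this case.
    return 1 < pub < p - 1


def alice_init(server, p, g, alice_private):
    alice_public = pow(g, alice_private, p)
    return server.query(f"dnsdhinit.{p}.{g}.{alice_public}")


def bob_respond(server, sid, bob_private):
    p, g, alice_public = (int(x) for x in server.query(f"sessionid.{sid}"))
    if not valid_public(alice_public, p):
        raise ValueError("degenerate alice_public")
    bob_public = pow(g, bob_private, p)
    secret = pow(alice_public, bob_private, p)
    return server.query(f"dnsdhinit.{bob_public}"), secret


def alice_finish(server, sid2, alice_private, p):
    (bob_public,) = (int(x) for x in server.query(f"sessionid.{sid2}"))
    if not valid_public(bob_public, p):
        raise ValueError("degenerate bob_public")
    return pow(bob_public, alice_private, p)


def run_exchange(p=23, g=5, alice_private=19, bob_private=7):
    """Full round trip with the transcript's p, g and alice_private; returns both secrets."""
    server = BogusDnsServer()
    sid = alice_init(server, p, g, alice_private)
    sid2, bob_secret = bob_respond(server, sid, bob_private)
    alice_secret = alice_finish(server, sid2, alice_private, p)
    return alice_secret, bob_secret
```

With the transcript's parameters and a non-degenerate bob_private of 7 both sides derive 5; replaying the transcript's bob_private of 0 makes Alice reject bob_public 1 instead of settling on a shared secret of 1.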

Source code

The source code is available on Github.

SE Banken multiple vulnerabilities

February 10th, 2012 by qnrq

Overview
Skandinaviska Enskilda Banken AB (SEB) is a Swedish financial group for corporate customers, institutions and private individuals with headquarters in Stockholm, Sweden. Its activities comprise mainly banking services, but SEB also carries out significant life insurance operations and also owns Eurocard. The bank was founded by and is controlled by the powerful Swedish Wallenberg family through their investment company Investor AB.

Problem
Page frame contents are decided by unsafely handled URL parameters, leaving the CMS software globally vulnerable to XSS attacks. Vulnerable domains are sebgroup.com, seb.no, seb.fi, seb.ua, seb.pl, seb.lt, seb.se and any other domain hosting the vulnerable CMS. Customers may have illegitimate third party scripts executed on their computer or be subject to login credential theft and keylogging.

Proof of concept
http://www.seb.se/pow/wcp/top.asp?lang=se&website=%54%41%42%32%22%3e%3c%2f%61%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%77%61%7a%7a%75%70%27%29%3c%2f%73%63%72%69%70%74%3e

Timeline
2011-12-05: Vulnerabilities discovered
2012-01-12: Contacted SEB
2012-01-18: Received response (Computer Security Incident Response Team)
2012-01-19: SIRT notified
2012-02-09: Vulnerabilities patched
2012-02-10: Public disclosure