When it looks like a conspiracy… IT IS

I submit that when it looks like a conspiracy, it probably is… While it’s not (in theory) inconceivable that a handful of people – operating on their own – with inadvertently aligned interests are capable of producing something that looks like a conspiracy, I believe that the probability that this could explain the actions of all the players in my prosecution is absolutely nil.

So, whether (or not) something conspiratorial actually occurred cannot be proven without a considerable amount of evidence, and I think I’ve attained that threshold with the discovery of the shill’s final report on the NIT. Therefore, my FOIA request (currently in litigation) will be the icing on the conspiratorial cake.

Here’s what I can prove:

In December of 2014, my CJA attorney hired the Shills – without my permission – instead of the experts I wanted (Dr. Mercuri’s Team). The Shills charged more per hour, $300 vs $275, and they had no criminal law expert witness experience – unlike Mercuri. Mercuri declared in her letter (posted earlier) that she knew the “just a flash application” explanation was nonsense and that she would examine my Linux Computer; the shills did neither.

In January of 2015, the shills examined the wrong server – out of a choice of three – that were clearly labeled by name. My NIT Report clearly says it’s for TB2 (#2 in the code), yet they examined #1. At that time I had two questions about my NIT report: 1) Why are the session ids different, when they should be the same? 2) Why is the browser reporting the previous page as the current page? The shills’ report answered neither of my questions and promoted the FBI’s nonsense that the NIT was just a flash application. From the code snippets they provided, I could tell (as a PHP expert) that they were showing code from a PHP software program called PHPBB. At that time I could deduce two things about their report: 1) The shills were lying, the code they proclaimed generated my session ids could not be the code they were showing (as it would produce identical ids, not different.) 2) They were dishonestly parroting the FBI’s nonsense about the NIT just being a flash app. When I e-mailed my CJA attorney my concerns it fell on deaf ears, so I fired him to fire the shills.

In April of 2015, Becker is not sure if the shills will be retained for the second NIT examination. So, he flies to the WDNY to obtain an indictment with the tainted evidence seized from my residence on April 9, 2013. The evidence was tainted because the search of my home was improper, which the government admits. There was also strong circumstantial evidence (only circumstantial because no defense expert ever examined my Linux computer) of planting evidence on my Linux box. At this time (April) I have 3 CJA lawyers, Gross & Howard in Nebraska and Slawinski in New York & five computer experts, Podhradsky, Miller, Stroschein & Kasel in NE & Gerry Grant in NY. None of the lawyers notice that the NIT warrants are for Nebraska and Elsewhere (forbidden at the time) and none of the experts examine my Linux computer, which is direct evidence of the conspiracy.

In May of 2015, I point out the problems with the evidence (fraudulent NIT Report & tainted evidence) to Slawinski and Grant in WDNY. They do nothing… Meanwhile in NE, my new CJA Howard, refuses to fire the shills and hire Mercuri and refuses to discuss it.

In June of 2015, the shills produce their second report. It contains objective facts in the form of figures, gives knowingly incorrect answers to my questions and continues to parrot the government’s (now ridiculous) assertions that the NIT is just a flash app (their figures prove that this is not true). I now know I’m being railroaded and am desperate to stop it, but the shills and my attorneys thwart my efforts.

In July of 2015, I know I’m being railroaded and that my Daubert hearing will be the only way to stop this runaway train. I share the shills’ nonsensical report with any “expert” who will read it. They all agree it’s nonsense. One agrees to produce a small report (for free) and sends it to Howard; he ignores it. The shills continue to agree with the FBI’s now criminal assertion that the NIT was just a flash app, so my last defense is obliterated by the shills’ lies. My hearing will just be about the lost flash source code, whose function has no bearing on the NIT data validity.

On August 3, 2015, I’m helpless to stop my railroading thanks to the shills’ false testimony. (Confirmed in 2016 – See below) I’m coerced into taking a conditional plea (preserving my right to appeal the admissibility of the bogus NIT report). But that appeal is useless because it’s based on the false premise that the NIT was just the flash application, so it was destined to fail.

On December 16, 2015, I try to withdraw my plea for a “fair and just reason”, arguing that I was coerced into it based on the false testimony of all the experts, including mine. The judge denies it, because he believes all the lies.

On May 25, 2016, unknown to me (as I’m in prison), the shills produce their final (third) report on the NIT. It still contains lies (they’re still ignoring that Tinyboard’s ‘visitors’ table is NOT legit), but much less than their previous two reports and many new facts & figures appear for the first time. Figures 3, 4 & 5 show that most of the information in the ‘visitors’ table was falsified. Figure 6 shows that the exploit wasn’t only a flash app, but Java and Javascript were also available. Figure 7 shows that javascript would have to be enabled to load the flash app on TB2. Figure 8 shows how the cipher text was created. Figure 9 shows that flash made a DNS query to 96.126.124.96.(40char.40char.16char).cpimagegallery.com and that the flash app would have 20 seconds to open the connection. (Actionscript has a default 20 second timeout for socket connects that can only be modified by ‘socket.timeout’. Since it isn’t in the code, the 20 second timeout was in play.) Figures 12 & 13 show that there is an impossible time gap between loading the flash app and each socket connection (39 seconds for index.html and 63 seconds for 1481.html).

Also, in the text of the third report, the shills (as first noted here) report that: “The DNS requests go over UDP and thus they can be spoofed. However, the cornhusker log indicates that DNS request was made via the proxy server and thus that data was not logged in this case.” They also note what I’d been insisting all along: “Another scenario is one which an actor that knew that the Tor Hidden Service site was deanonymizing users. The requests for the pages 1481.html and index.html could have been placed inside of hidden iframes within other legitimate Tor websites.” But then lie: “We found no evidence to suggest that this occurred.” I think the fact that the time gaps for socket connections were impossible is what most people would consider a “clue”. No wonder they refuse to discuss this.

Now, I wait for my FOIA litigation to obtain more evidence of this – now confirmed – conspiracy against me…

FOIA and WOW Update

So, today I’ll be mailing/filing my motion for a preliminary injunction against the government for intentionally delaying my receipt of the documents I requested. Which leads us to the WOW update.

So, one of the many problems with my NIT report is the long gaps between loading the html file (and the flash app) and the flash app’s communication with another server via a socket connection.

Well, I found the answer. As the link verifies, those time gaps of 39 & 63 seconds are impossible with flash player 10 or later:

In Flash Player 10, ActionScript Socket and XMLSocket objects, all securityError events will be sent after a predefined amount of time has elapsed since the call to connect(). The predetermined timeout is 20 seconds by default but can be specified by ActionScript developers using the new Socket.timeout and XMLSocket.timeout APIs. If the timeout elapses and no connection has been established, the connection attempt will be aborted and a securityError dispatched.

Note: This change affects SWF files of all versions played in Flash Player 10 and later. This security change can potentially affect any SWF file that uses the Socket or XMLSocket classes. This change affects all non-app content in Adobe AIR (however, AIR app content itself is unaffected).

Adobe Link above (answer).

WOW – OMG – WOW

So I may have found THE SMOKING GUN. In 2016 my shills published an academic paper (click link) that contradicts their first and second reports made to the Court(s). Four revelations stand out:

  1. The DNS requests go over UDP and thus they can be spoofed. However, the cornhusker log indicates that DNS request was made via the proxy server and thus that data was not logged in this case.
  2. There is no guarantee that the request made from gallery.swf was made by the same client that requested the Tor Hidden Service. Outbound connection monitoring would make it trivial to deduce that something unusual was happening. Suppose that gallery.swf were to be placed on another website and given the same id parameter. Then the connection to cornhusker would have logged an inaccurate IP address.
  3. Another scenario is one which an actor that knew that the Tor Hidden Service site was deanonymizing users. The requests for the pages 1481.html and index.html could have been placed inside of hidden iframes within other legitimate Tor websites. We found no evidence to suggest that this occurred.
  4. The cornhusker server was unavailable for our analysis. Therefore we were unable to analyze any access controls that were in place for that server.
Miller, Matthew; Stroschein, Joshua; and Podhradsky, Ashley, “Reverse Engineering a Nit That Unmasks Tor Users” (2016). Annual ADFSL Conference on Digital Forensics, Security and Law. 10.

I’m not an expert when it comes to DNS, but number 1 appears VERY suspicious to me. And I’ve been arguing 2 – 4 all along, pissed to see they agree AFTER they lied at the Daubert hearing and in their first two reports. No wonder they refuse to talk to me. And I totally LOL’d when I read “We found no evidence to suggest that this occurred” for #3. That’s because they deliberately ignored the evidence! (There are 39 & 63 second delays between loading index.html & 1481.html and flash executing the socket connection. WOW-OMG-WOW)

So That Happened

I guess I should have expected stalling from the DOJ in regards to my FOIA request. Especially since they’re “under the gun” for various improprieties. As the GOP has become a quasi-criminal organization, headed by a semi-successful mobster. That “mobster” is now under indictment (as I predicted) in FOUR jurisdictions, (Federal, Federal, State & State) and he’s likely to eventually be convicted of all counts in all jurisdictions. So it is what it is…

In FOIA news, I will be filing a Motion for a Preliminary Injunction on Monday, requesting that the Court order the DOJ to give me the documents I requested by September 30, 2023. My Prayer for Relief includes a quote from my new favorite book, that I’ll end this brief post with:

A sense of justice is central to human endurance. No matter what wrongs we suffer or misfortunes we withstand, the belief that justice will ultimately prevail is part of what keeps us going.

Jed Rakoff

How the DOJ Railroads People

Jed S. Rakoff (a Senior Federal District Court Judge) wrote a book titled Why The Innocent Plead Guilty and The Guilty Go Free in 2021. It should be required reading for all Americans; but, it’s a must read if you want to understand how the DOJ (and its components) railroads Kirk Cottom, Jim Larkin and others.

At the beginning of chapter 2 he rejects the mythos: “The criminal justice system in the United States today bears little relationship to what the founding fathers contemplated, what the media portray, or what the average American believes.”

He then goes on to explain that our system has devolved into a system of unfair plea bargains. He notes that when the cases are not dismissed for other reasons, 97% of federal cases are resolved with plea agreements & those agreements determine the possible sentences. He explains that those plea bargains are unfair because they put the defendant at a distinct disadvantage because the prosecutor has all the cards and the defense has none. The prosecutor often has a complete police report, witness interview transcripts, grand jury testimony transcripts & forensic reports. This inherent knowledge advantage usually makes the prosecutor overconfident in his case.

Judge Rakoff notes that the defense attorney is often flying blind against an overconfident prosecutor when plea negotiations begin shortly after the defendant is arrested. This power imbalance is then further exacerbated by the mandatory minimums a lot of laws impose & the draconian sentencing guidelines enacted in 1984. This results in the prosecutor offering defense counsel an offer to plead to a lower offense than the prosecutor will charge if they reject the initial plea offer. Judge Rakoff – and anyone with a rational mind – rejects the Supreme Court’s nonsense that this plea bargaining process is a “fair and voluntary contractual agreement between two relatively equal parties”. It’s a shakedown, where the prosecutor inflicts its will on the defendant. Judge Rakoff then notes that many people choose to plead guilty because they are guilty but he also notes, because of our terribly flawed system, too many innocent people plead guilty because they have no confidence that a corrupt system would (or could) exonerate them and choose to cut their losses.

This is how Kirk Cottom got railroaded into a conditional plea. As readers know, I’ve been trying to get the specifics for over two years now. The corrupt system likes to keep its secrets. I took a conditional plea because the only evidence against me was the NIT Report and I was sure it was 1) Falsified & 2) inadmissible at trial.

On page 30, Judge Rakoff finally gives me an explanation about how my plea agreement ended up so vague: “…in situations in which the prosecutor and the defense counsel recognize that the guilty plea is somewhat artificial they will jointly arrive at written statement of guilt for the defendant to agree to that cleverly covers all the bases without providing much detail.”

That explanation provides compelling evidence for why the shills and my attorneys refuse to answer any questions about their participation in Becker’s conspiracy. The Judge also notes that the DOJ knows that most of the “forensic sciences” are not science at all. And also points out that a lot of eyewitness testimony is garbage.

Finally, Judge Rakoff also explains how the falsified and fabricated TB2 NIT Report got “admitted”: judges have an unconscious bias to allow the prosecutor to admit their crap evidence. Ultimately my case revolves around Becker’s conspiracy to hide the facts about the TB2 NIT Report.