So I may have found THE SMOKING GUN. In 2016 my shills published an academic paper (click link) that contradicts their first and second reports made to the Court(s). Four revelations stand out:
Miller, Matthew; Stroschein, Joshua; and Podhradsky, Ashley, “Reverse Engineering a Nit That Unmasks Tor Users” (2016). Annual ADFSL Conference on Digital Forensics, Security and Law. 10.
- The DNS requests go over UDP and thus they can be spoofed. However, the cornhusker log indicates that DNS request was made via the proxy server and thus that data was not logged in this case.
- There is no guarantee that the request made from gallery.swf was made by the same client that requested the Tor Hidden Service. Outbound connection monitoring would make it trivial to deduce that something unusual was happening. Suppose that gallery.swf were to be placed on another website and given the same id parameter. Then the connection to cornhusker would have logged an inaccurate IP address.
- Another scenario is one which an actor that knew that the Tor Hidden Service site was deanonymizing users. The requests for the pages 1481.html and index.html could have been placed inside of hidden iframes within other legitimate Tor websites. We found no evidence to suggest that this occurred.
- The cornhusker server was unavailable for our analysis. Therefore we were unable to analyze any access controls that were in place for that server.
I’m not an expert when it comes to DNS, but number 1 appears VERY suspicious to me. And I’ve been arguing 2 – 4 all along, pissed to see they agree AFTER they lied at the Daubert hearing and in their first two reports. No wonder they refuse to talk to me. And I totally LOL’d when I read “We found no evidence to suggest that this occurred” for #3. That’s because they deliberately ignored the evidence! (There are 39 & 63 second delays between loading index.html & 1481.html and Flash executing the socket connection. WOW-OMG-WOW)