Privacy Workshop #9 - Analysis of a Compromised System
After attending the 2017 Rainbow Gathering in Oregon for 2 days and discovering without any doubt that the entire backbone of the event was run by undercover police dressed up like hippies, distributing fake 'acid' and baiting people into crimes with underage persons, I returned to my vehicle and travelled back to the city. I was concerned that at some point in time they might have accessed my Honda CRV in a no knock raid and placed hardware rootkits on my computers.
So I pulled into McDonald's, rebooted my computer, started Wireshark and turned capture on my wifi interface, then joined McDonald's wifi.
Before I started a single program there was so much traffic I had no chance to investigate even a small percentage of the addresses or gauge how much actual traffic was passing even though it was clearly a lot.
I let the capture go for about a minute before I was too freaked out to let it go any more. I shut the wifi off and stopped the capture, saved the .pcap file.
The .pcap file was 1.8 Megabyte of data. I was running OS X El Cap on a 2011 Macbook Pro at the time. I reinstalled my OS after this experience.
That rate of data could download a a feature length film in 12 minutes. Every text and image file on my desktop in less time. Enough to transmit real time audio or low res video.
This was/is a lot of data for a computer to be transmitting on boot without any action or notification of the user. At the least it is worth asking some questions, but I think it's pretty obvious this is a security event. Analysis of the .pcap shows 179 distinct ip addresses contacted in this minute and an astounding 6044(!) obscure tcp ports being used. I will list an exact copy of the ip addresses below but due to the extreme length of the port list I'll just show the screenshot.
Resolved addresses found in /Users/jmh/Desktop/pw 9/pcap2 6-21 copy.pcapng
I sorted them into some basic categories. In this IP list, my computer was the ip address 192.168.5.74 on the Mcdonald's LAN, the rest are foreign addresses my computer was talking with in the first minute after boot with no action taken by myself to start any processes. I have sorted them into basic groups for analysis(this took some time....)
McD (I am on their network so I am using their name servers(dns), so it makes some sense my computer will connect to these addresses, but every site i visit will be logged and tagged of course))
APPLE (just because i run the os doesn't mean i want to phone home every .3 seconds geez apple, lots of dns even though im using the McD dns, akadns.net is suspicious, we will investigate, my OS is not configured to do auto updates either so the phoning home ticks me off. At least they operate out of an obvious 17. ip block that is consistent.)
AKAMAI(a truly staggering number of connections to distinct ip's, we will investigate in the next section, but at least this is a known company that exists. With ipv6. Some .orgs in there that are odd, mostly edge, dns. Do I know akadns is really akamai? Nope. And these IP blocks are all over the place. Therefore when I pulled into mcdonald's and rebooted my computer, there was apparently some sort of global networking event, as in I moved electrons on all 5 continents and under every ocean during this single minute of non-activity on the internet.)
Facebooc(not running app or even browser, never used instsagram, ipv6 connection also. I had been using facebook at the time on firefox.)
AMAZON(no apps, no browser, 3 ipv6 connections, at least I have used amazon)
GOOGLE(chrome is installed but otherwise no google apps, but this is a huge number of addresses)
Spotify(which I have never, ever used)
(how the hell did spotify install on my system if I don't use it? )
twitter(I use but how does it install a phone home functionality?)
wayport.net (probably mcdonald's)
188.8.131.52 = 184.108.40.206 nmd.mcd26924.sea.wayport.net
MYSTERY SECTION (truly no idea what these are, we are going to research them in the next section)
dynect (mystery dns) (login to change the internet! https://portal.dynect.net/login/)
(safety rating unknown:https://www.mywot.com/scorecard/dynect.net, divergent reports from comments)
TWTR (mystery dns)(aha! mark monitor, brand protection https://www.whois.com/whois/twtrdns.net, also connected to dynect.net!)
HOWEVER dynECT is also this company: https://en.wikipedia.org/wiki/Dyn_ and GUESS WHAT they are directly connected to: The Oct 2016 internet outage coinciding with the Assange event in london! Very interesting. They say it was DDoS but if this is connected to deep state surveillance networks, all they would have had to do is take it down themselves to simulate an outage that would cover their actions.)
NSONE (mystery dns) (https://ns1.com/ whatever this is....)
fastly(banned in china for ties to us military but wikipedia is now taken down just the homepage: https://www.fastly.com/)
Incoming packet size total however turns out to be 1.6Mb and outgoing only .2Mb.
Let's look for the big outgoing addresses
.04 Mb to some seattle McDonald's waypoint that has some sort of auth mechanism attached, odd
220.127.116.11 = 18.104.22.168 nmd.mcd26924.sea.wayport.net
This mystery address looks like a Seattle McDonald's asset. But also here large numbers of Resets, Duplicates. Most packets sent here are acknowledgements, some say 'windows update' and some are GET requests for graphics, so this is probably some incompetent authorization implementation for mcdonad's wifi. Needing 42kb for a single minute of authorization processes is pretty horrible as far as efficiency goes. Some of the failed transmissions and resets could be due to wifi dropouts or unavailability but in a single minute, this is a staggering number of packets to send as part of overhead. This address stood out first because of the large number of error packets, which stands out graphically in wireshark.
Looking for the rest of the .16Mb of data my computer sent out in this one minute all over the world and drilling a little bit into what kind of traffic is being sent.
23.3.105.* is a bunch of akamai servers that get 50kb or .05Mb of the outgoing traffic. So between McD's waypoint and Akamai's mystery server farm we have accounted for at least half of my outgoing traffic. And in general there are a lot of other akamai matches, it would be difficult to make a filter that could count all the traffic here.
A small number of packets with an encrypted TLS handshake went to Twitter for some reason:
22.214.171.124 = 126.96.36.199 platform-eb.twitter.com
For some reason spotify also makes an encrypted but small connection
(* spotify's encrypted handshake)
I see other packets outgoing to apple but many of the other more obscure addresses only send packets in, which is not what I would have expected to find.
So if Akamai is the number one phone out address, what are they all about? Well it turns out to be worst case scenario.
Totally connected to US government, CEO on presidential advisory committee. Other founder former Israeli soldier that allegedly died on 9-11.
So basically, if you don't trust the American and Israeli cybersecurity, then this is the devil. And since I don't trust them, then this is worst case scenario.
Also owned partially by Blackrock, which is the worst. Literally the devil/illuminati. Also controversies regarding forwarding facebork data to the NSA etc.
So akamai is basically surveillance of one kind or another for global bad guys. And they are really interested in my computer.
So as Ali G. says, just like in a video game if you encounter the bad guys, you must be going in the right direction...
As for the scope of this article, I have,
a. demonstrated that I am being surveilled
b. demonstrated how to investigate the connections your computer is making behind your back
c. demonstrated that you don't have to be browsing or using any programs on your computer for numerous companies to be able to make encrypted connections to your system
d. given you a list of ip addresses that you can use to identify enemy surveillance infrastructure
One extra bonus tip: on OS X, a process that seems to be associated with surveillance events like this is the VTX Decoder:
So if you see this running in activity monitor, just kill it. I haven't noticed any performance issues after killing it, but after every reboot I have to deactivate it at some point when it spikes the cpu for no reason. Like usual apple forums on this are dead ends. (fwiw Apple discussions are total shit and whoever is responsible for those whitewashes the whole OS)
I find the connections to akamai and dynECT as well as Blackrock to be very disturbing. This connects my computer directly to the entities that are highly associated with two deep state events about whose official story I am in complete doubt: 9/11 and Wikileak's London events of Oct. 2016.
Remaining question: Why so many more packets incoming than outgoing? What point can there possibly be to hitting my computer with 1.6Mb of traffic inside of a minute if no information is received? Were they installing something? Were they attacking me somehow? I will keep the file on hand in a safe place of course and as time goes one and I learn more, and have time to do so, I will dig deeper into the packets themselves.
Any further insight or if you see an error in my analysis, please comment.
I have committed to doing one more Privacy Workshop on Steemit, but if nothing changes I am going to have to abandon this platform due to the low quality/sketchiness of the user base and the invalidity of the overall value algorithm. It's way too easy for disinformation to spread here and there are huge gangs of disinformation agents already camping/blocking/sliding all possible topics. This makes me doubt the overall validity and resiliency of the Steem blockchain, if it is so easily co-opted by tyrannical forces and if the things that I do fail to attract a single reputable other person(or if people are already too terrified of retribution to be associated with the truth...), then this platform will not be long lived.
I hope, but wonder if it's possible, that in some way what I have contributed here will have a long life and eventually be seen by more people. It's not for me to say, I am just writing what the smartest stuff I can say about what's I find most important. And I do that even if no one reads and even if no one pays.
I still haven't gotten a single BTC donation, really disappointed with the community. Also 300 followers but getting only a handful of upvotes from mostly fake or troll accounts. Look at my steemd, 99% of interactions I've had over the last few months have been with .1/14.99 delegated new accounts who don't have shit to say, and other people who comment are only here once and have next to nothing to say, and really not even a single person has demonstrated they have even partially read one of my posts.
If there were one word I would use to describe steemit, it would be "Braindead."
Prove me wrong or you get one maybe two more posts and that's it.
Let the good vibes get a lot stronger, (but it's probably safer at this point to start building your underground base and isolating yourself from the coming madness than to have any expectation of a safe and/or sane future on this planet )
p.s. i was censored at reddit for daring to suggest that the r/conspiracy mods work at military bases or fbi/mossad hq, so I think we can safely say that reddit has been fully co-opted by spies/police. The % of decent information I get there has been on the slide for a long time, now I have to sift through so much crap to get any actual information it is not much use. I have never in my life had has much difficulty either getting information or finding anyone real to interact with on the internet, and I do not think this is an accident. 99% is disinfo even though the truth is actually in plain sight, a strange arrangement indeed and makes me wonder how long this can go on for before something really bad happens and a chinese system takes over the entire world...