
Cryptome has been leaking its user logs for over a year

Note: After refusing to comment, denying the leak, calling it disinformation, accusing me of stealing data, accusing me of advertising for a spy job, declaring that it was "a campaign" against them, accusing me of faking data, declaring that all logs leak and that they pay for the internet, and deleting my post to the Cryptome mailing list alerting them to the leak, Cryptome has acknowledged that the leaked logs I found were legitimate.


If you haven't read why the alleged GCHQ slide showing spying on Cryptome.org's users could have been made by anyone, I recommend you do so before reading this. In summary, I showed that the information on the slide could have been mocked up, despite matching the logs for Cryptome.org. Cryptome has denied the accuracy of my data while, oddly, accusing me of stealing the data, which leaves me no alternative but to post the data online for others to review and verify.

The data came from Cryptome itself, on a pair of USBs they mailed to me. On those USBs were server logs that include user IPs (spanning several months), .htaccess files, and a pwd file. After finding the data in the USB Cryptome had just sent me, I sent an email attempting to verify it hadn't been included as something extra that was not for public distribution:

Subject: Quick USB question
Double checking that the USBs that you sent were prepared as-is and no different from any other versions, except updated through August 14 2015.

John Young sent back an accusatory email:

Don't know. Updates generated scratch. Prepare to be surprised if not deceived by anything digital or analogue or intergalactic. Especially if authenticated, signed, sealed, shipped through thickets of traps and contaminants. You know that, though, and are just being humorously baiting and entrapping. Like Archive.org and Wikipedia and gosh the whole mess seething with malevolence.

I replied to John:

Don't mean to bait or entrap, but asking questions with too much context can be leading. I'm not worried about hidden payloads or anything, I want to make sure that it was (as far as you know) the vanilla version of the August 2015 archive and you hadn't purposefully included any extra information for me to peruse before I posted my findings publicly.

John did not respond.

Since John made a point out of the USBs being generated from scratch every time, I couldn't be sure how long the data had been available. After some digging, I found a copy of Cryptome's archive apparently uploaded by coderman@xxxxxxxxx AKA bandmon and re-uploaded to The Pirate Bay by bandmon. You can find that torrent here. I downloaded the torrent to a remote server, unzipped the files and confirmed there were log files there as well.

It was my strong preference not to post this, but since Cryptome has refused to validate the data, there is no other way to authenticate it than to release it to the public along with how to find that information in the Cryptome USBs/CDs and their various mirrors. It was not my intention to humiliate Cryptome or expose their users, only to demonstrate that the slide allegedly proving the GCHQ has spied on Cryptome.org could have come from anywhere. Despite being accurate, the information is not proof of surveillance or anything nefarious. In short, the alleged GCHQ slide could have been produced by GCHQ as an internal mockup, or forged by anyone with access to an internet connection.

In addition to the links below, you can also download a complete copy of the dataset from Cryptome as well as download a .zip of all of the leaked logs [removed following admission from John Young/Cryptome that the logs are legitimate] and peruse them in your own time.

Cryptome's leaked logs:

[Filenames only, files and links removed after veracity acknowledged by John Young/Cryptome]

access.pwd
awstats.1331504.0911.alldomains.html
awstats.1331504.0911.allhosts.html
awstats.1331504.0911.allrobots.html
awstats.1331504.0911.browserdetail.html
awstats.1331504.0911.errors404.html
awstats.1331504.0911.html
awstats.1331504.0911.keyphrases.html
awstats.1331504.0911.keywords.html
awstats.1331504.0911.lasthosts.html
awstats.1331504.0911.lastrobots.html
awstats.1331504.0911.osdetail.html
awstats.1331504.0911.refererpages.html
awstats.1331504.0911.refererse.html
awstats.1331504.0911.session.html
awstats.1331504.0911.unknownbrowser.html
awstats.1331504.0911.unknownip.html
awstats.1331504.0911.unknownos.html
awstats.1331504.0911.urldetail.html
awstats.1331504.0911.urlentry.html
awstats.1331504.0911.urlexit.html
awstats.1331504.0912.alldomains.html
awstats.1331504.0912.allhosts.html
awstats.1331504.0912.allrobots.html
awstats.1331504.0912.browserdetail.html
awstats.1331504.0912.errors404.html
awstats.1331504.0912.html
awstats.1331504.0912.keyphrases.html
awstats.1331504.0912.keywords.html
awstats.1331504.0912.lasthosts.html
awstats.1331504.0912.lastrobots.html
awstats.1331504.0912.osdetail.html
awstats.1331504.0912.refererpages.html
awstats.1331504.0912.refererse.html
awstats.1331504.0912.session.html
awstats.1331504.0912.unknownbrowser.html
awstats.1331504.0912.unknownip.html
awstats.1331504.0912.unknownos.html
awstats.1331504.0912.urldetail.html
awstats.1331504.0912.urlentry.html
awstats.1331504.0912.urlexit.html
awstats.1331504.1001.alldomains.html
awstats.1331504.1001.allhosts.html
awstats.1331504.1001.allrobots.html
awstats.1331504.1001.browserdetail.html
awstats.1331504.1001.errors404.html
awstats.1331504.1001.html
awstats.1331504.1001.keyphrases.html
awstats.1331504.1001.keywords.html
awstats.1331504.1001.lasthosts.html
awstats.1331504.1001.lastrobots.html
awstats.1331504.1001.osdetail.html
awstats.1331504.1001.refererpages.html
awstats.1331504.1001.refererse.html
awstats.1331504.1001.session.html
awstats.1331504.1001.unknownbrowser.html
awstats.1331504.1001.unknownip.html
awstats.1331504.1001.unknownos.html
awstats.1331504.1001.urldetail.html
awstats.1331504.1001.urlentry.html
awstats.1331504.1001.urlexit.html
awstats.1331504.1002.alldomains.html
awstats.1331504.1002.allhosts.html
awstats.1331504.1002.allrobots.html
awstats.1331504.1002.browserdetail.html
awstats.1331504.1002.errors404.html
awstats.1331504.1002.html
awstats.1331504.1002.keyphrases.html
awstats.1331504.1002.keywords.html
awstats.1331504.1002.lasthosts.html
awstats.1331504.1002.lastrobots.html
awstats.1331504.1002.osdetail.html
awstats.1331504.1002.refererpages.html
awstats.1331504.1002.refererse.html
awstats.1331504.1002.session.html
awstats.1331504.1002.unknownbrowser.html
awstats.1331504.1002.unknownip.html
awstats.1331504.1002.unknownos.html
awstats.1331504.1002.urldetail.html
awstats.1331504.1002.urlentry.html
awstats.1331504.1002.urlexit.html
awstats012010.1331504.txt
awstats022010.1331504.txt
awstats112009.1331504.txt
awstats122009.1331504.txt
home.htm
htaccess
htaccess (1)
htaccess (2)
htaccess (3)
htaccess (4)
index.shtml
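The file list above is exactly what a pre-publication sweep of an archive tree should catch: awstats reports, htaccess copies, a .pwd file, raw access logs, and any file dense with visitor IP addresses. The script below is an added example written for this post, not Cryptome's tooling or the author's own code. It walks a directory, flags files by name pattern and by IPv4 density, and builds a constructed demo tree (documentation-range addresses, placeholder credentials) so it runs offline; the name patterns and the five-address threshold are assumptions, not anything the page specifies.

```python
"""Pre-publication sweep for an archive tree: flag files whose name marks them
as server-side material (awstats reports, htaccess rules, .pwd files, raw
access logs) and any file dense with IPv4 addresses. Added example; the file
classes are the ones named in the post, the patterns and threshold are
assumptions."""
import os
import re
import tempfile
from pathlib import Path

# Name-based rules. Assumption: these cover the file classes listed on the page.
SENSITIVE_NAME_PATTERNS = [
    (re.compile(r"^awstats.*\.(html|txt)$", re.I), "awstats report"),
    (re.compile(r"^\.?htaccess", re.I), "htaccess rules"),
    (re.compile(r"\.pwd$", re.I), "password file"),
    (re.compile(r"(^|\.)access[._-]?log", re.I), "raw access log"),
]

# Dotted-quad IPv4 with each octet restricted to 0-255.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)


def classify(name):
    """Return a label for a sensitive file name, or None for an ordinary one."""
    for pattern, label in SENSITIVE_NAME_PATTERNS:
        if pattern.search(name):
            return label
    return None


def count_distinct_ips(path, max_bytes=2_000_000):
    """Count distinct IPv4 addresses in the first max_bytes of a file."""
    try:
        text = Path(path).read_bytes()[:max_bytes].decode("utf-8", "replace")
    except OSError:
        return 0
    return len(set(IPV4_RE.findall(text)))


def sweep(root, ip_threshold=5):
    """Walk root and report every file that is sensitive by name, or that is
    unclassified by name but holds at least ip_threshold distinct addresses."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            label = classify(name)
            ips = count_distinct_ips(full)
            if label or ips >= ip_threshold:
                findings.append({
                    "path": os.path.relpath(full, root).replace(os.sep, "/"),
                    "label": label or "unclassified",
                    "distinct_ips": ips,
                })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_archive():
    """Create a constructed archive tree in a temp dir. Addresses come from
    documentation ranges and the credential is a labelled placeholder."""
    root = tempfile.mkdtemp(prefix="archive-sweep-")
    files = {
        # Public content that should pass the sweep.
        "index.shtml": "<!--#include virtual='home.htm' -->\n",
        "docs/report.html": "<p>Public document, no addresses.</p>\n",
        # Server-side material that should never have shipped.
        "awstats.1331504.0911.allhosts.html": (
            "<table><tr><td>192.0.2.10</td><td>41</td></tr>"
            "<tr><td>198.51.100.7</td><td>12</td></tr>"
            "<tr><td>192.0.2.10</td><td>3</td></tr>"
            "<tr><td>203.0.113.55</td><td>1</td></tr></table>\n"
        ),
        "htaccess": "AuthType Basic\nAuthUserFile /var/www/access.pwd\nRequire valid-user\n",
        "access.pwd": "admin:PLACEHOLDER_HASH_NOT_A_REAL_CREDENTIAL\n",
        "logs/access.log": (
            '192.0.2.44 - - [14/Aug/2015:10:01:02 +0000] "GET / HTTP/1.1" 200 512\n'
            '198.51.100.9 - - [14/Aug/2015:10:01:05 +0000] "GET /x HTTP/1.1" 404 0\n'
        ),
        # Innocuous name but IP-dense content: caught by the content rule only.
        "misc/stats_dump.txt": "\n".join(
            f"203.0.113.{n} hits={n}" for n in range(1, 6)
        ) + "\n",
    }
    for rel, content in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    for f in sweep(build_demo_archive()):
        print(f"{f['label']:<16} ips={f['distinct_ips']:<3} {f['path']}")
```

Run against a real staging copy of an archive with `sweep("/path/to/staging")` before it is burned or torrented. Name matches are high-confidence; the IP-density rule will also flag legitimate documents that quote many addresses, so treat its hits as a triage list rather than an automatic block.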

If the information is a mockup as Cryptome alleges, then it was created and distributed by them as part of an insane piece of disinformation designed to implicate users who are innocent of even visiting Cryptome.org. Far more likely is that Cryptome has been unaware of these ongoing leaks, refused to discuss them with me and then attempted to deny their reality.

.@Cryptomeorg deleted its mailing list post alerting people to leaked logs & letting them judge the data themselves. Because transparency?

— (@NatSecGeek) October 7, 2015