According to THN[0] and several linked supporting sites from there (particularly notable are analyses from Kenneth Buckler[1] and Vlad Tsyrklevich[2]), the payload delivered the MAC address and Windows hostname to 65.222.202.54[3]. I've read in public sources that that address is assigned to SAIC but I have not seen any hard data on that.

[0]: http://thehackernews.com/2013/08/Firefox-Exploit-Tor-Network-child-pornography-Freedom-Hosting.html
[1]: https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/TorFreedomHosting/
[2]: http://tsyrklevich.net/tbb_payload.txt

On Mon, Aug 5, 2013 at 8:22 PM, <liberationt...@lewman.us> wrote:
> On Mon, Aug 05, 2013 at 06:18:02PM -0400, r...@privacymaverick.com wrote 0.6K
> bytes in 0 lines about:
> : Does anybody have any indication on how the alleged operator of
> : Freedom Hosting was identified. Everybody seems to be focusing on
> : the javascript exploit but from what I've read, it appears that was
> : placed on the server after the alleged operator was taken down and
> : the operation compromised, or is my timing off?
>
> This is far more interesting to me than anything else. I've been
> wondering the same thing.

--
@kylemaxwell
--
Liberationtech list is public and archives are searchable on Google. Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech