TODO instance of what?

We've come across a few shallow and stylistically similar websites on suspicious ranges with this pattern.

No JS/JAR/SWF comms, but rather a subdomain, and an HTTPS page with .cgi extension that leads to a login page. Some names seen for this subdomain:

The question is, is this part of some legitimate tooling that created such patterns? And if so which? Or are they actual hits with a new comms mechanism not previously seen?

The fact that:suggests to Ciro that they are an actual hit.

In particular, the secure and ssl ones are overused, and together with some heuristics allowed us to find our first two non Reuters ranges! Section "secure subdomain search on 2013 DNS Census"

Some currently known URLsIf we could do a crawl search for secure.*com/cgi-bin/*.cgi that might be a good enough fingerprint, maybe even *.*com/cgi-bin/*.cgi. Edit: it is not perfect, but we kind of did it: Section "secure subdomain search on 2013 DNS Census".

Later on, we've also come across some stylistic hits in IP ranges with apparent slight variations of the CGI comms pattern:Since these are so rare, it is still a bit hard to classify them for sure, but they are of great interest no doubt, as as we start to notice these patterns more tend to come if it is a thing.

The CGI comms websites contain the only occurrence of HTTPS, so it might open up the door for a certificate fingerprint as proposed by user joelcollinsdc at: news.ycombinator.com/item?id=36280801!

crt.sh appears to be a good way to look into this:They all appear to use either of:

crt.sh/?q=globalnewsbulletin.com has a hit to: crt.sh/?id=774803. With login we can see: search.censys.io/certificates/5078bce356a8f8590205ae45350b27f58f4ac04478ed47a389a55b539065cee8. Issued by www.thawte.com/repository/index.html. No hits for certificates with same public key: search.censys.io/search?resource=certificates&q=parsed.subject_key_info.fingerprint_sha256%3A+714b4a3e8b2f555d230a92c943ced4f34b709b39ed590a6a230e520c273705af or any other "same" queries though.

Let's try another one for secure.altworldnews.com: search.censys.io/certificates/e88f8db87414401fd00728db39a7698d874dbe1ae9d88b01c675105fabf69b94. Nope, no direct mega hits here either.

The JavaScript of each website appears to be quite small and similarly sized. They are all minimized, but have reordered things around a bit.

For example consider: web.archive.org/web/20110202190932/http://feedsdemexicoyelmundo.com/mundo.js

First we have to know that the Wayback Machine adds some stuff before and after the original code. The actual code there starts at:and ends in:

We can use a JavaScript beautifier such as beautifier.io/ to be abe to better read the code.

It is worth noting that there's a lot of <script> tags inline as well, which seem to matter.

Further analysis would be needed.

Googling most domains gives only very few results, and most of them are just useless lists of expired domains. Skipping those for now.

Googling "dedrickonline.com" has a git at www.webwiki.de/dedrickonline.com# Furthermore, it also contains the IP address "65.61.127.174" under the "Technik" tab!

Unfortunately that website appears to be split by language? E.g. the English version does not contain it: www.webwiki.com/dedrickonline.com, which would make searching a bit harder, but still doable.

But if we can Google search those IPs there, we might just hit gold.

IP search did work! www.webwiki.de/65.61.127.174

But doesn't often/ever work unfortunately for others.

Searching on github.com: github.com/DrWhax/cia-website-comms by Jurre van Bergen from September 2022 contains some of the links to some of the ones reported by Reuters including some of their JARs, presumably for reversing purposees. Pinged him at: github.com/DrWhax/cia-website-comms/issues/1

This was one of the only bad experience Ciro had at Polytechnique, besides the inevitable fear of not graduating.

Ciro wanted to do a robotics internship in Germany, linked to his interests in artificial general intelligence, see also: Section "Ciro's 2D reinforcement learning games".

But the head of the applied mathematics department Polytechnique prevented him from going because Ciro didn't have the necessary grades, even though the Germans had already agreed to it: he had a C, but he needed a B. As mentioned at École Polytechnique, most Brazilians had crappy grades due to their Polytechnique-incompatible background.

This was done because in the past students with bad grades had abandoned their internships halfway and given foreigners a bad impression of Polytechnique.

It is impossible to say if the head of department really agreed with this bullshit policy, or if it was something beyond his powers and he hid his true opinion, but it felt like the agreed.

What an extremely limited view!!!

To leave the worse, the worse. To assume that grades mean anything!

And thus Ciro had to choose a last moment internship that he hated, rather than becoming the greatest roboticist that ever lived, and did terribly at it.

At least on the other hand Ciro learnt Python instead of working at the internship, and became the greatest programming tutorial writer that ever lived. Maybe.

Some less-trivial breakthroughs: