A triptych is a work of art that is divided into three sections or panels. These panels are usually hinged together and can be displayed either open or closed. Triptychs have been used in various forms of art throughout history, particularly in painting, but they can also be found in sculpture and photography. Traditionally, triptychs were common in medieval Christian art and often depicted religious scenes, such as altarpieces in churches.
Zimmer's conjecture is a significant hypothesis in the field of mathematics, particularly in the areas of differential geometry, group theory, and dynamical systems. Proposed by Robert Zimmer in the 1980s, the conjecture suggests that any smooth action of a higher-rank Lie group on a compact manifold admits some form of rigidity.
CIA 2010 covert communication websites iraniangoals.com JavaScript reverse engineering by
Ciro Santilli 37 Updated 2025-07-16
Some reverse engineering was done at: twitter.com/hackerfantastic/status/1575505438111571969?lang=en.
Notably, the password is hardcoded and its hash is stored in the JavaScript itself. The result is then submitted back via a POST request to
/cgi-bin/goal.cgi.TODO: how is the SHA calculated? Appears to be manual.
CIA 2010 covert communication websites feedsdemexicoyelmundo.com JavaScript reverse engineering by
Ciro Santilli 37 Updated 2025-07-16
The JavaScript of each website appears to be quite small and similarly sized. They are all minimized, but have reordered things around a bit.
For example consider: web.archive.org/web/20110202190932/http://feedsdemexicoyelmundo.com/mundo.js
First we have to know that the Wayback Machine adds some stuff before and after the original code. The actual code there starts at:and ends in:
ap={fg:['MSXML2.XMLHTTPck++;};return fu;};Further analysis would be needed.
CIA 2010 covert communication websites Google searches for known domains and IPs by
Ciro Santilli 37 Updated 2025-07-16
Googling most domains gives only very few results, and most of them are just useless lists of expired domains. Skipping those for now.
Googling
"dedrickonline.com" has a git at www.webwiki.de/dedrickonline.com# Furthermore, it also contains the IP address "65.61.127.174" under the "Technik" tab!Unfortunately that website appears to be split by language? E.g. the English version does not contain it: www.webwiki.com/dedrickonline.com, which would make searching a bit harder, but still doable.
IP search did work! www.webwiki.de/65.61.127.174
But doesn't often/ever work unfortunately for others.
Searching on github.com: github.com/DrWhax/cia-website-comms by Jurre van Bergen from September 2022 contains some of the links to some of the ones reported by Reuters including some of their JARs, presumably for reversing purposees. Pinged him at: github.com/DrWhax/cia-website-comms/issues/1
Some less-trivial breakthroughs:
- finding 2013 DNS Census
- CGI comms characterization
- secure subdomain search on 2013 DNS Census let to a few hits
- 2013 DNS Census virtual host cleanup heuristic keyword searches was massive and led to many new ranges
CIA 2010 covert communication websites secure subdomain search on 2013 DNS Census by
Ciro Santilli 37 Updated 2025-07-16
Grepping the 2013 DNS Census first by overused CGI comms subdomains
secure. and ssl. leaves 200k lines. Grepping for the overused "news" led to hits:- secure.worldnewsandent.com,2012-02-13T21:28:15,208.254.40.117
- ssl.beyondnetworknews.com,2012-02-13T20:10:13,66.104.175.40
Also tried but failed:
sports:- secure.motorsportdealers.com,2012-04-10T20:19:09,64.73.117.38 web.archive.org/web/20110501000000*/motorsportdealers.com
OK, after the initial successes in New results: only one...
secure., we went a bit more data intensive:- took all
secure.*ssl.*URLs in the 2013 DNS Census, 70k entries - cleaned up a bit, e.g. only
.comor.net. this left only, 30k entries only - lopped over all of them in archive CDX: Wayback Machine CDX scanning, searching for those that also end in
.cgiweb.archive.org/cdx/search/cdx?url=$domain&matchType=domain&filter=urlkey:.*.cgi&to=20140101000000. Took an afternoon, but no rate limit block. - this leaves about 1000, so we loop over all of them manually on web archive with a script, and opened any that had the pattern of very vew hits between 2010 and 2013 only, and on those check for visual/thematic style match. Careful not to make more than 15 requests per minute or else 5 min blacklist!
- 208.254.42.205 secure.driversinternationalgolf.com,2012-02-13T10:42:20,
After 2013 DNS Census virtual host cleanup heuristic keyword searches we later understood why there were so few hits here: the 2013 DNS Census didn't capture the
secure. subdomains of many domains it had for some reason. Shame, because if it had, this method would have yielded many more results. CIA 2010 covert communication websites Oleg Shakirov's findings by
Ciro Santilli 37 Updated 2025-07-16
Starting at twitter.com/shakirov2036/status/1746729471778988499, Russian expat Oleg Shakirov comments "Let me know if you are still looking for the Carson website".
He then proceeded to give Carson and 5 other domains in private communication. His name is given here with his consent. His advances besides not being blind were Yandexing for some of the known hits which led to pages that contained other hits:
- moyistochnikonlaynovykhigr.com contains a copy of myonlinegamesource.com, and both are present at www.seomastering.com/audit/pefl.ru/, an SEO tracker, because both have backlinks to
pefl.ru, which is apparently a niche fantasy football website - 4 previously unknown hits from: "Mass Deface III" pastebin. He missed one which Ciro then found after inspecting all URLs on Wayback Machine, so leading to a total of 5 new hits from that source.
Edit: Carson was found Oleg Shakirov's findingsby Oleg Shakirov:
alljohnny.com, communicated at: twitter.com/shakirov2036/status/1746729471778988499, earliest archive from 2004 (!): web.archive.org/web/20040113025122/http://alljohnny.com/, The domain was hidden in plain sight, it was present in a not very visible watermark visible in the Reuters article screenshot! The watermark was added to the CIA to the background image, it is actually present on the website. In retrospect, it was actually present at on the expired domain trackers dataset, but the mega discrete all second word made Ciro Santilli miss it: github.com/cirosantilli/expired-domain-names-by-day-2015/blob/9d504f3b85364a64f7db93311e70011344cff788/07/05/02#L15722004 Wayback Machine archive of alljohnny.com
. What follows is the previous
The fact that the Reuters article has a screenshot of it, and therefore a Wayback Machine link, plus the specificity of the website topic, will likely keep Ciro awake at night for a while until someone finds that domain.
Some text visible on the Reuters screenshot:It is unclear however if this text is plaintext or part of a an image.
Johnny Carson and The Tonight Show
Your Favorite Host and Comedic Genius
Submit Your Favorite Carson Moment
Heeere's Johnny!
Holy crap, the "Here's Johnny" line from The Shining (1980) is a reference to Johnny Carson: www.youtube.com/watch?v=WDpipB4yehk, www.youtube.com/watch?v=aYnyPAkgyvc, Ciro never knew that... but every American would have understood it at the time.
Some failed attempts, either dry guesses or from DNS grepping dataset searches:
- johnnycarson.com: official
- johnnycarson.net: fan site: web.archive.org/web/20010501225614/http://johnnycarson.net/
- johnnycarsontonight.com
- carson-johnny.com: legit
- johnnycarsonshow.com: web.archive.org/web/20110208005558/http://johnnycarsonshow.com/captcha/index.php?d=johnnycarsonshow.com your IP has been blocked
- tributetojohnnycarson.com: only one archive web.archive.org/web/20180805132430/http://tributetojohnnycarson.com/
- bestofjohnnycarson.com: web.archive.org/web/20130525035938/http://bestofjohnnycarson.com/ Lived past 2013.
- bestofjohnny.com/: web.archive.org/web/20130506011824/http://bestofjohnny.com/ empty
- johnnycarsonvideo.com: dead early 2000s web.archive.org/web/20130605152818/http://johnnycarsonvideo.com/
- johnnycarsontv.com: web.archive.org/web/20230000000000*/johnnycarsontv.com
- thejohnnycarsonshow.com: web.archive.org/web/20230000000000*/thejohnnycarsonshow.com
- carsonsbest.com: web.archive.org/web/20230000000000*/carsonsbest.com
- johnnycarsonfans.com: web.archive.org/web/20230000000000*/johnnycarsonfans.com
- web.archive.org/web/20230000000000*/carsonified.com
- night:
- amazing:
- johnnyamazing.com: broken archives: web.archive.org/web/*/http://johnnyamazing.com/*
- carson
- johnneycarson.com: no archives
- johnnycarson.co: no archives
- johnnycarsons.info
- johnnycarsons.com
- johnnycarson.org
- johnnycarsonsdesk.com
- johnny-carson-video.com
- johnnycarsondvd.org
- johnnycarsondvds.org
- johnnycarsondvd.net
- johnnycarsondvd.tv
- johnnycarsondvds.net
- johnnycarsondvds.tv
- johnnycarson.tv
- johnnyguitarcarson.com
- johnnycarsonmovie.com
- hookedonjohnnycarson.com
- johnnycarsonbook.com
- licensingjohnnycarson.com
- johnnnycarson.com
- johnnycarson360.com
- koalajohnnycarson.com
- johnny-carson.com
- johnnycarsonbirthplace.com
- johnnycarsonbirthplace.net
- johnny:
- heres:
- heresjohnnyfilm.com: web.archive.org/web/20131011115733/http://www.heresjohnnyfilm.com/ legit
- hereisjohnny.net: no archives
- heresjohnnyradioshow.com: web.archive.org/web/20130509042107/http://heresjohnnyradioshow.com/, Legit most likely: web.archive.org/web/20140517103512/http://heresjohnnyradioshow.com/
- wherejohnnylives.net: broken archives
- heresjohnny.com: squat web.archive.org/web/20130607145841/http://heresjohnny.com/ Many other TlD like .net, .co.uk
- heeeeresjohnny.com: web.archive.org/web/20130612211448/http://heeeeresjohnny.com/: legit
- night:
- johnnylatenight.com: web.archive.org/web/20150801132622/http://johnnylatenight.com/ Legit broken
- web.archive.org/web/20110208161513/http://www.johnnysnight.com/
- heres:
- johnnycarson.org: squatted past 2013, nothing before
- carsonshow.com: squat: web.archive.org/web/20110224211714/http://carsonshow.com/
- tonightshow247.net: web.archive.org/web/20101226190209/http://tonightshow247.net/: squat
- tonightshow.tv: web.archive.org/web/20141221222442/http://www.tonightshow.tv/: legit
Searching the Wayback Machine proved fruitless. There is no full text search: Wayback Machine full text search, and a heuristic web.archive.org/web/20230000000000*/Johnny%20Carson search has relevant hits but not the one we want.
Another attempt was to search for "carson" on webmasterhome.cn which lists expired domains in bulk by expiration day, and it search engine friendly. It contains most of the domains we've found so far. Google either doesn't support partial word search or requires you to be a God to find it
so we settle for DuckDuckGo which supports it: duckduckgo.com/?q=site%3Awebmasterhome.cn+%22carson%22&t=h_&ia=web Adding years also helps: duckduckgo.com/?q=site%3Awebmasterhome.cn+%22carson%22+2011&ia=web with this we might be getting all possible results. Ciro went through all in 2011, 2012 and 2013 but no luck. Also fuck en.wikipedia.org/wiki/Carson_City,_Nevada and en.wikipedia.org/wiki/Carson,_California :-)
Let's search tools.whoisxmlapi.com/reverse-whois-search for "carson" contained in any historic domain name. 10,001 lines. Grepping those, no good Wayback machine hits for those that also contain "johnny" or "show". Data at: raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/tools.whoisxmlapi.com_reverse-whois-search_carson.csv in case anyone want to try and dig...
Scrapped justdropped data, patched:and then:
+++ b/cia-2010-covert-communication-websites/cdx-post.sh
@@ -1,7 +1,7 @@
#!/usr/bin/env bash
# Post process the output of cdx.sh to enrich IDs even further, and reconstruct easier to Web Archive inspect domain names.
-grep -P -e '([^,)]+)\)\/\1\.swf|\)/[^/]+.jar|([^,)]+),([^,)]+),([^,)]+)\)/cgi-bin/[^/]+\.cgi' "$1" |
- sed -r 's/\).*//' | awk -F, '{ printf("%s.%s\n", $2, $1) }' | uniq -c | awk '$1 == 1{ print $2 }' | tee $1.post
+grep -P -e '([^,)]+)\)\/\1\.swf|\)/[^/]+.jar|([^,)]+),([^,)]+),([^,)]+)\)/cgi-bin/[^/]+\.cgi' "$1"|
+ sed -r 's/\).*//' | awk -F, '{ printf("%s.%s\n", $2, $1) }' | uniq -c | awk '{ print $2 }' | tee $1.post./hupo-cdx-tor.sh out 'news|headline|internationali|mondo|mundo|mondi|iran|today' 2006 2022web.archive.org/web/20110203041325/http://financecentraltoday.com/
- viewdns.info/iphistory/?domain=financecentraltoday.com
- 208.91.197.27 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-11-08
- 69.90.163.85 Canada COGECO-PEER1 2013-09-26
- 69.90.160.75 Canada COGECO-PEER1 2011-06-22 viewdns.info/reverseip/?t=1&host=69.90.160.75 says small virtual. Checked all but no hits.
- securitytrails.com/domain/financecentraltoday.com/history/a
- 69.90.160.75 Aptum Technologies 2010-04-04 (15 years) 2010-04-27 (15 years) 23 days
- 69.42.58.70 Aptum Technologies 2009-01-07 (16 years) 2009-01-28 (16 years) 21 days. Near health-men-today.com.
web.archive.org/web/20110202221328/http://thenewsofpakistan.com/
- viewdns.info/iphistory/?domain=thenewsofpakistan.com
- 50.22.27.227 Dallas - United States SOFTLAYER 2013-06-30
- 174.133.70.18 United States SOFTLAYER 2012-11-12. In range.
- securitytrails.com/domain/thenewsofpakistan.com/history/a
web.archive.org/web/20110201184753/http://shadesofnews.com/
- viewdns.info/iphistory/?domain=shadesofnews.com
- 64.6.225.2 United States WEBINT 2013-11-29 viewdns.info/reverseip/?t=1&host=64.6.225.2 mid virtual.
- securitytrails.com/domain/shadesofnews.com/history/a
web.archive.org/web/20050424123432/http://www.pokernewsweb.com/ likely legit in the intended emulated style
web.archive.org/web/20101226225311/http://world-news-online.net/ domainsbyproxy.com registered 2006-06-14T21
- viewdns.info/iphistory/?domain=world-news-online.net
- 199.187.208.12 Miami - United States PERFORMIVE 2013-12-02 viewdns.info/reverseip/?t=1&host=199.187.208.12 is small virtual, checked all in there and 199.187.208.5 - 199.187.208.15
- 63.247.81.241 United States NTHL 2011-09-07 viewdns.info/reverseip/?t=1&host=63.247.81.241 searching 63.247.81.249
- 63.247.81.241 web.archive.org/web/20110202210855/http://motornstyle.com/ off
- 63.247.81.244 web.archive.org/web/20110106222053/http://puzzlesgalore.net/ under construction
- 63.247.81.245 web.archive.org/web/20110202102921/http://chairyogavideo.com/ under construction
- 63.247.81.247 web.archive.org/web/20110207131727/http://pccubeservice.com/indexPage.jsp
- securitytrails.com/domain/world-news-online.net/history/a
web.archive.org/web/20100923090646/http://mideasttoday.net/
- viewdns.info/iphistory/?domain=mideasttoday.net says:
- 208.91.197.27 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-12-09
- 65.98.118.97 United States FORTRESSITX 2013-12-02
- 65.98.118.101 United States FORTRESSITX 2013-05-20. viewdns.info/reverseip/?t=1&host=65.98.118.101 empty
- securitytrails.com/domain/mideasttoday.net/history/a says:
web.archive.org/web/20110209045123/http://dryterrainnews.com/
- viewdns.info/iphistory/?domain=dryterrainnews.com says:
- 50.22.27.227 Dallas - United States SOFTLAYER 2013-11-29
- 174.133.70.18 United States SOFTLAYER 2012-11-12
- securitytrails.com/domain/dryterrainnews.com/history/a
web.archive.org/web/20100206221718/http://euronewsonline.net/
- viewdns.info/iphistory/?domain=euronewsonline.net says:
- 74.220.207.94 United States UNIFIEDLAYER-AS-1 2013-12-09
- 184.168.221.55 United States AS-26496-GO-DADDY-COM-LLC 2013-11-25
- 74.220.207.94 United States UNIFIEDLAYER-AS-1 2013-09-23. viewdns.info/reverseip/?t=1&host=74.220.207.94 says medium virtual.
- securitytrails.com/domain/euronewsonline.net/history/a also says
web.archive.org/web/20110208063146/http://news-and-sports.com/ Hit.
- viewdns.info/iphistory/?domain=news-and-sports.com says:
- 204.11.56.25 British Virgin Islands CONFLUENCE-NETWORK-INC 2014-07-05
- 208.91.197.19 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-05-20
- 66.104.175.42 United States XO-AS15 2012-06-29 In range.
web.archive.org/web/20110202054628/http://intoworldnews.com/ hit.
- viewdns.info/iphistory/?domain=intoworldnews.com says:
- securitytrails:
web.archive.org/web/20110207171340/http://mydailynewsreport.com/ hit
- viewdns.info/iphistory/?domain=mydailynewsreport.com says
- 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2014-03-15
- 74.52.51.139 United States SOFTLAYER 2012-06-29 viewdns.info/reverseip/?t=1&host=74.52.51.139 says small virtual
On that same IP...- web.archive.org/web/20110208004005/http://networkconnectionsite.com/ Hit. viewdns.info/iphistory/?domain=networkconnectionsite.com says only at that IP.
- web.archive.org/web/20110207103008/http://soccerguidesite.com/ Korean site, would be unusual given a splash page. Has a JAR at: web.archive.org/web/20110207103045/http://soccerguidesite.com/tools.jar but everything else unarchived. JAR is atypical.
Around checked 74.52.51.133 - 74.52.51.149- viewdns.info/reverseip/?t=1&host=74.52.51.136 large virtual
- securitytrails.com/domain/mydailynewsreport.com/history/a says
- 74.52.51.139 SoftLayer Technologies Inc. 2011-03-06 (14 years) 2011-03-21 (14 years) 15 days
- 174.123.39.202 SoftLayer Technologies Inc. 2010-12-08 (14 years) 2011-03-05 (14 years) 3 months
- 75.125.247.170 SoftLayer Technologies Inc. 2010-02-20 (15 years) 2010-05-22 (15 years) 3 months
- 205.178.189.129 Network Solutions, LLC 2010-02-10 (15 years) 2010-02-20 (15 years) 10 days. viewdns.info/reverseip/?t=1&host=205.178.189.129 is large virtual.
web.archive.org/web/20050508220858/http://www.asianewsupdate.com/ this looks like the exact format of legitimate site the CIA was emulating. Copyright 2005, a CGI link to as: www.asianewsupdate.com:80/cgi-sys/FormMail.cgi There's a phone there 01 647-0910 so seems less likely?
2010. JAR unarchived. rss, split image
- viewdns.info/iphistory/?domain=newsdelivered.net says:
- 192.96.218.41 United States 123NET 2013-06-10
- 196.40.84.210 Costa Rica RADIOGRAFICA COSTARRICENSE 2013-05-20
- 50.63.202.40 United States AS-26496-GO-DADDY-COM-LLC 2013-04-08
- 74.220.207.158 United States UNIFIEDLAYER-AS-1 2013-03-11. viewdns.info/reverseip/?host=74.220.207.158&t=1 says large virtual.
- securitytrails:
2010. JAR. Split header.
- viewdns.info/iphistory/?domain=latinamericanewsbeat.com says:
- 184.168.221.34 United States AS-26496-GO-DADDY-COM-LLC 2013-03-23
- 74.91.172.195 United States INTERNAP-BLOCK-4 2012-11-12
- 76.162.90.179 United States WINDSTREAM 2011-09-08. viewdns.info/reverseip/?host=76.162.90.179&t=1 says small virtual? Explored 76.162.90.174 - 76.162.90.183.
- securitytrails.com/domain/latinamericanewsbeat.com/history/a
2011. JAR unarchived. Split header.
- viewdns.info/iphistory/?domain=inkfreenews.com says:
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2012-09-21
- 128.121.9.46 United States NTT-LTD-2914 2012-06-29. Reverse empty. Checked: 128.121.9.43 - 128.121.9.53
- securitytrails.com/domain/inkfreenews.com/history/a
2011. JAR. a.newslink, a.newslinkalt.
- viewdns.info/iphistory/?domain=profile-news.com says:
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2012-06-29
- 199.204.248.105 United States WEBINT 2012-01-11. viewdns.info/reverseip/?host=199.204.248.105&t=1 says large virtual.
- 205.214.86.38 United States DATABANK-LATISYS 2011-08-11. viewdns.info/reverseip/?host=205.214.86.38&t=1 says small virtual.
- securitytrails.com/domain/profile-news.com/history/a
2011. Arabic. RSS.
- viewdns.info/iphistory/?domain=nejadnews.com says: 208.254.38.56 United States COLO-PREM-VZB 2012-06-29.
- viewdns.info/reverseip/?host=208.254.38.56&t=1 says single domain and we see that todaysengineering.com was not too far confirming a new range
web.archive.org/web/20110129115400/http://kmirano.com/ shallow but off style? Has a kmirano.sfw... viewdns.info/iphistory/?domain=kmirano.com says 211.1.224.71 Japan NTT SmartConnect Corporation 2012-01-11
2011. JAR. Copyright 2008. Split header and other images. They are obsessed about CDMA (2G).
- viewdns.info/iphistory/?domain=wiredworldnews.com says:
- 69.89.237.152 United States RINGSQUARED 2012-01-11. Empty.
- 67.213.209.10 Atlanta - United States UK-2 Limited 2011-04-04. Virtual.
- securitytrails.com/domain/wiredworldnews.com/history/a
- 69.89.237.152 RingSquared 2011-06-25 (14 years) 2011-07-30 (14 years) 1 month
- 69.89.237.152 RingSquared 2011-06-14 (14 years) 2011-06-24 (14 years) 10 days
- 67.213.209.10 UK-2 Limited 2008-12-03 (16 years) 2009-02-10 (16 years) 2 months
- 69.4.225.2 SoftLayer Technologies Inc. 2008-09-01 (17 years) 2008-09-09 (17 years) 8 days. viewdns.info/reverseip/?t=1&host=69.4.225.2 empty.
2011. JAR. split header, RSS.
- viewdns.info/iphistory/?domain=the-news-scene.com says 74.81.69.194 United States NTHL 2012-01-11. viewdns.info/reverseip/?host=74.81.69.194&t=1 says virtual.
- securitytrails.com/domain/the-news-scene.com/history/a says
- 74.81.69.194 NETWORK TRANSIT HOLDINGS LLC 2009-12-24 (15 years) 2010-03-23 (15 years) 3 months
- 209.51.136.178 QuickMeg Inc 2008-09-01 (17 years) 2009-12-24 (15 years) 1 year. viewdns.info/reverseip/?t=1&host=209.51.136.178 says small virtual and in there we obtain:Explored viewdns.info 209.51.136.170 - 209.51.136.185 empty.
2010. Suspicious. But no clear fingrenprint. Also not as shallow as others. Also Joomla based which would be novel.
- viewdns.info/iphistory/?domain=eqranews.com says:
- 69.64.147.243 United States RIGHTSIDE 2012-03-03
- 67.228.81.180 Seattle - United States SOFTLAYER 2011-04-04. viewdns.info/reverseip/?t=1&host=67.228.81.180 says virtual.
- securitytrails.com/domain/eqranews.com/history/a says
- 69.64.147.243 Amazon.com, Inc. 2011-04-28 (14 years) 2012-01-19 (13 years) 9 months
- 67.228.81.180 SoftLayer Technologies Inc. 2011-04-18 (14 years) 2011-04-28 (14 years) 10 days
- 174.37.172.68 SoftLayer Technologies Inc. 2011-04-13 (14 years) 2011-04-18 (14 years) 5 days
- 67.228.81.180 SoftLayer Technologies Inc. 2011-03-19 (14 years) 2011-04-13 (14 years) 25 days
- 74.220.215.62 Unified Layer 2010-03-18 (15 years) 2011-03-19 (14 years) 1 year
2010. JAR.
- viewdns.info/iphistory/?domain=magneticfieldnews.com says 173.205.124.151 United States IMH-IAD 2012-01-11. viewdns.info/reverseip/?host=173.205.124.151&t=1 says large-ish virtual.
- dnshistory.org/dns-records/magneticfieldnews.com empty
- securitytrails.com/domain/magneticfieldnews.com/history/a
2011. JAR. RSS, Split header images.
- viewdns.info/iphistory/?domain=segomonews.com 204.13.11.6 United States KATTARE 2012-01-11. viewdns.info/reverseip/?host=204.13.11.6&t=1 says virtual.
- dnshistory.org/historical-dns-records/a/segomonews.com same
- securitytrails.com/domain/segomonews.com/history/a same
newspapergateway.com/ web.archive.org/web/20110208070309/http://newspapergateway.com/ hard to tell but generally off. Has both JAR and SWF.
- viewdns.info/iphistory/?domain=newspapergateway.com says:
- 63.251.171.80 United States INTERNAP-BLOCK-4 2011-11-13
- 66.115.138.101 United States PERFORMIVE 2011-09-08
2011 Farsi. JAR. RSS.
- dnshistory.org/dns-records/pondernews.net nothing
- viewdns.info/iphistory/?domain=pondernews.net. privatesystems.net.
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-11-28
- 67.222.6.108 Atlanta - United States PRIVATESYSTEMS 2011-10-31. Virtual. Also here on very quick look at promising names:
- web.archive.org/web/20100517070603/http://middle-east-newstoday.com/ Only at that IP. JS.
- securitytrails.com/domain/pondernews.net/history/a
2011. English. Split header, RSS.
- viewdns.info/iphistory/?domain=internationalnewsworthiness.com says 216.86.153.116 United States STEADFAST 2011-04-04. Checking 216.86.153.106 - 216.86.153.125
- viewdns.info/reverseip/?host=216.86.153.114&t=1 big virtual
- viewdns.info/reverseip/?host=216.86.153.116&t=1 says it became a medium virtual
- dnshistory.org/dns-records/internationalnewsworthiness.com empty
- securitytrails.com/domain/internationalnewsworthiness.com/history/a
sandstormnews.com 2011, SWF Arabic.
ul.rss-items > li.rss-item, split header- viewdns.info/iphistory/?domain=sandstormnews.com
- 68.178.232.99 United States AS-26496-GO-DADDY-COM-LLC 2011-04-04. viewdns.info/reverseip/?t=1&host=68.178.232.99 says big virtual.
- securitytrails.com/domain/sandstormnews.com/history/a
zerosandonesnews.com 2011. SWF Split header,
ul.rss-items > li.rss-item- viewdns.info/iphistory/?domain=zerosandonesnews.com empty
- dnshistory.org/dns-records/zerosandonesnews.com empty
- securitytrails.com/domain/zerosandonesnews.com/history/a says 62.22.61.200 which is in range
differentviewtoday.com: web.archive.org/web/20110202185635/http://differentviewtoday.com/ split header images JAR archived at: web.archive.org/web/20110202185659/http://differentviewtoday.com/bwm.jar
lasthournews.com web.archive.org/web/20100513182623/http://lasthournews.com/. Urdu. JAR at: web.archive.org/web/20100513182724/http://lasthournews.com/recent.jar. Split header images.
- viewdns.info/iphistory/?domain=lasthournews.com no relevant IPs
- dnshistory.org/historical-dns-records/a/lasthournews.com mentions 2010-02-27 -> 2010-08-07 216.93.248.194
- securitytrails.com/domain/lasthournews.com/history/a says
mynepalnews.com, split header images,
ul.rss-items > li.rss-item, Unarchived jar:- viewdns.info/iphistory/?domain=mynepalnews.com
- 5.9.240.230 Falkenstein - Germany Hetzner Online GmbH 2014-01-31
- 142.4.222.67 Canada OVH SAS 2013-12-20
- 72.9.137.7 Nepal WorldLink Communications Pvt Ltd 2013-06-30. Big virtual.
- 64.71.179.79 United States HURRICANE 2012-11-12. Nothing else on 64.71.179.71 - 64.71.179.89.This IP address also shows up on web.archive.org/web/20110204095753/http://mynepalnews.com/cgi-bin/check.cgi/
SERVER_ADDR = 64.71.179.79There we also see:which appears to be the crawler's IP: github.com/duy13/vDDoS-Protection/issues/29REMOTE_ADDR = 204.236.235.245
- securitytrails.com/domain/mynepalnews.com/history/a
- 5.9.219.166 Hetzner Online GmbH 2013-12-31 (11 years) 2014-01-08 (11 years) 8 days
- 142.4.222.67 OVH SAS 2013-12-02 (11 years) 2013-12-31 (11 years) 29 days
- 72.9.137.7 WorldLink Communications Pvt Ltd 2013-01-24 (12 years) 2013-04-02 (12 years) 2 months
- 64.71.179.79 Hurricane Electric LLC 2008-09-01 (17 years) 2008-10-21 (16 years) 2 months
- web.archive.org/web/20111008211517/http://elgintoday.com/ wordpress so unlikely
- 50.63.202.88 United States AS-26496-GO-DADDY-COM-LLC 2014-02-21
- 97.74.249.128 United States AS-26496-GO-DADDY-COM-LLC 2014-01-11 big virtual
Summary: this is just a red herring. Wakatime owner likely registered the domains just after this article was published as a publicity stunt. Fair play though.
As raised at: news.ycombinator.com/item?id=36280666, many, but not all, of the domains currently redirect to wakatime.com/ as of 2023, and apparently they were taken up in 2013 (TODO how to confirm that). TODO what is the explanation for that? Some examples that do:But some failed resolution examples:Even more suspiciously, according to his LinkedIn: www.linkedin.com/in/alanhamlett/, the owner of Wakatime, Alan Hamlett, worked at WhiteHat Security, Inc from Aug 2011 - Sep 2013. The company was then acquired by Synopsys in 2022. Holy crap!!! As shown at: web.archive.org/web/20131013193406/https://www.whitehatsec.com/ that company made website security tools. Did that dude use the tools to find the vulnerabilty and then just gobble up all the domains??? What a fucking legend if he did!!!
Let's try:
Running e.g.gives:so we see that he must have setup redirection with Namecheap as mentioned at: www.namecheap.com/support/knowledgebase/article.aspx/385/2237/how-to-redirect-a-url-for-a-domain/
curl -vvv dedrickonline.com* Trying 162.255.119.197:80...
* Connected to dedrickonline.com (162.255.119.197) port 80 (#0)
> GET / HTTP/1.1
> Host: dedrickonline.com
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 12 Jun 2023 20:30:19 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 55
< Connection: keep-alive
< Location: https://wakatime.com
< X-Served-By: Namecheap URL Forward
< Server: namecheap-nginx
<
<a href='https://wakatime.com'>Moved Permanently</a>.
* Connection #0 to host dedrickonline.com left intactLet's also try DNS history
- whoisrequest.com/history/:
- tools.whoisxmlapi.com/whois-history-search
- dedrickonline.com:
- CIA (registrar: Godaddy, registrant name: domainsbyproxy.com)
- Created Date: October 27, 2010 00:00:00 UTC
- Updated Date: October 28, 2013 00:00:00 UTC
- Expires Date: October 27, 2014 00:00:00 UTC
- Alan (namecheap):
- CIA (registrar: Godaddy, registrant name: domainsbyproxy.com)
- activegaminginfo.com:
- CIA (Network Solutions, registrant name: LLC. Corral, Elizabeth|ATTN ACTIVEGAMINGINFO.COM|care of Network Solutions)
- Created Date: January 26, 2010 00:00:00 UTC
- Updated Date: November 27, 2010 00:00:00 UTC
- Expires Date: January 26, 2012 00:00:00 UTC
- Alan:
- CIA (Network Solutions, registrant name: LLC. Corral, Elizabeth|ATTN ACTIVEGAMINGINFO.COM|care of Network Solutions)
- iraniangoalkicks.com:
- iraniangoals.com:
- CIA (registrar: Godaddy, registrant name: domainsbyproxy.com):
- Reuters:
- Created Date: September 29, 2022 11:16:09 UTC
- Updated Date: September 29, 2022 11:16:09 UTC
- Expires Date: September 29, 2023 11:16:09 UTC
- dedrickonline.com:
So these suggest Alan might have just come along in 2023 way after the 2022 Reuters article and did the same basic IP range search that Ciro is doing now, so possibly no new tech. Let's ask... twitter.com/cirosantilli/status/1668369786865164289
Searching tools.whoisxmlapi.com/reverse-whois-search with term "Corral, Elizabeth" gave no results unfortunately.
Basic search under tools.whoisxmlapi.com/reverse-whois-search for "Corral" also empty. They can't see their own data? Ah, need advanced. Marked "Historic" and selected "Corral, Elizabeth", ony one hit, activegaminginfo.com.
Sources of whois history include:
- whois-history.whoisxmlapi.com/ from whoisXMLAPI. Notably they also have historical reverse WHOIS... tools.whoisxmlapi.com/reverse-whois-search but it needs credits. TODO we need to squeeze this a but further at some point.
When that data comes in JSON format as from whoisXMLAPI, we are going to just dump it in github.com/cirosantilli/media/blob/master/cia-2010-covert-communication-websites/whois.json
The vast majority of domains seem to be registered either via domainsbyproxy.com which likely intgrates with Godaddy and is widely used, and seems to give zero infromation at all about the registrar.
A much smaller number however uses other methods, some of which sometimes leak a little bit of data:Big question: webmasters.stackexchange.com/questions/13237/how-do-you-view-domain-whois-history DomainTools also has it.
- Network Solutions, LLC. These sometimes give a tiny bit of information: one name. Other times they are hidden behind Perfect Privacy, LLC. Examples>Pulley, Tammy
- alljohnny.net: L. Glaze. tools.whoisxmlapi.com/reverse-whois-search "Glaze, L." has
- webstorageforme.com. web.archive.org/web/20130917230604/http://webstorageforme.com/ broken, cqcounter.com/whois/www/webstorageforme.com.html blank
- welcometonyc.net. Hit!
- international-smallbusiness.com. Same IP as alljohnny.net and quite possibly hit..
- alljohnny.com. Hit!
- locateontheweb.com. cqcounter.com/whois/www/locateontheweb.com.html broken/test page
- rolling-in-rapids.com. web.archive.org/web/20111101080224/rolling-in-rapids.com no archives but cqcounter.com/whois/www/rolling-in-rapids.com.html hit style! viewdns.info/iphistory/?domain=rolling-in-rapids.com puts it at:
- 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2014-01-31
- 65.218.91.9 United States UUNET 2013-12-20 so matchwith welcometonyc.com but not listed at viewdns.info/reverseip/?t=1&host=65.218.91.9 because of the viewdns.info reverse IP bug!
- differentviewtoday.com: tools.whoisxmlapi.com/whois-history-search kind of empty no name
but presumably these are the names of employees of the company? We are yet to see two identical names however, which also suggests fake names. Network Solutions appears to offer both hosting and domain registration, and the CIA seems to have used this service combo a lot.- golf-on-holiday.com: Pulley, Tammy. No tools.whoisxmlapi.com/whois-history-search reverse hits.
- intoworldnews.com: Benjamin McGrew. Only that hit for reverse name at tools.whoisxmlapi.com/reverse-whois-search
- magneticfieldnews.com: Sarah Lowell tools.whoisxmlapi.com/reverse-whois-search has 9 domains
- sarahlowell.com: web.archive.org/web/20110208130657/http://sarahlowell.com/ Yoga instructor.
- puppychallengesacademy.com
- sarahlowelldogtraining.com
- puppychallenges.com. web.archive.org/web/20130517151924/http://puppychallenges.com/ wordpress.
- puppychallenges.net
- realwomensduathlon.com. No archives of era: web.archive.org/web/20180808101430/http://realwomensduathlon.com/
- magneticfieldnews.com. Hit.
- highflyingagility.com. Legit? Service offer.
- ropies.com. web.archive.org/web/20111101080224/http://ropies.com/
- medicatechinfo.com: Jason Noll. Has the following hits at tools.whoisxmlapi.com/reverse-whois-search
- dreamschemedesigns.com. Legit
- dreamschemedesigns.net
- aviationturbinesinternational.com. No relevant archives.
- garysluhan.com. Seems legit.
- cjlogic.com: registrar Godaddy (not Network Services!) and contact:This image is his Gmail's current profile image as of 2025: openclipart.org/detail/19437/high-wing-airplane
Noll, Jason noll.jason@gmail.com 104 Southridge Ct. Marthasville, Missouri 63357 United States (660) 441-0780 Fax -- - medicatechinfo.com. Hit.
- health-men-today.com. Hit. Holy fuck it has two hits out of 7!!!
- mydailynewsreport.com: Rebecca Melancon on tools.whoisxmlapi.com/reverse-whois-search:
- rebecca-melancon.com. web.archive.org/web/20180808172531/http://rebecca-melancon.com/ pilates teacher
- swlabuyahome.net
- swlalistmyhome.net
- rebeccaworking4yousite.com
- mylakecharlescityguide.com
- swlalistmyhome.com
- rebeccaworking4you.com
- swlabuyahome.com
- calcasieuhouses.com web.archive.org/web/20111013212502/http://calcasieuhouses.com/. Wordpress. Copyright Rebecca Melancon, Equal Housing Opportunity.
Message from Rebecca
Welcome to Calcasieu Houses! Here you will find not only information about Real Estate in Calcasieu Parish & the Lake Charles area, but also information about the area itself. I am constantly adding content so please check back often. I can help you with relocation, buying, selling, as well as looking for a great restaurant or a new activity to do! There will be information on Lake Charles, Sulphur, Westlake, & Moss Bluff. If you have something you would like to see added to the website, please feel free to contact me!
- mydailynewsreport.com. Hit.
- plugged-into-news.net: Godfrey Hubbard. Searching tools.whoisxmlapi.com/reverse-whois-search for two terms "Godfrey" "Hubbard" gives a small list of 20 domains including plugged-into-news.net. They all appear to have both words in them. Searching just "Hubbard, Godfrey" has only 3 hits:so it seems to match the strings exactly!
- hubbardgodfrey.online
- plugged-into-news.net
- hubbardgodfrey.com
- alljohnny.net: L. Glaze. tools.whoisxmlapi.com/reverse-whois-search "Glaze, L." has
- godaddy without domainsbyproxy.com: a few of the websites are registered in Godaddy without domainsbyproxy. These might be the ones that gives out the most information:
- baocontact.com
How on Earth did did Citizen Labs find what seems to be a DNS fingerprint??? Are there simply some very rare badly registered domains? What did they see!
whoisxmlapi WHOIS history April 11, 2011:Folowed by reuters registration in 2022.
- Created Date: March 6, 2008 00:00:00 UTC
- Updated Date: March 7, 2011 00:00:00 UTC
- Expires Date: March 6, 2014 00:00:00 UTC
- Registrant Name: domainsbyproxy.com.
- Registrant Organization: Domains by Proxy, Inc.
- Registrant Street: 15111 N. Hayden Rd., Ste 160,
- Registrant City: Scottsdale
- Registrant State/Province: Arizona
- Registrant Postal Code: 85260
- Registrant Country: UNITED STATES
- Name servers: NS29.WORLDNIC.COM|NS30.WORLDNIC.COM
whoisrequest.com/history/ mentions:
- 1 Apr, 2008: Domain created*, nameservers added. Nameservers:
- ns1.webhostingpad.com
- ns2.webhostingpad.com
E.g. with our qiskit/hello.py, we obtain the Bell state circuit:
OPENQASM 2.0;
include "qelib1.inc";
qreg q[2];
creg c[2];
h q[0];
cx q[0],q[1];
measure q[0] -> c[0];
measure q[1] -> c[1];whoisxmlapi WHOIS history March 23, 2011:
whoisrequest.com/history/ mentions:
1 May, 2007: Domain created*, nameservers added. Nameservers:
1 May, 2007: Domain created*, nameservers added. Nameservers:
- ns1.qwknetllc.com
- ns2.qwknetllc.com
It seems that all/almost all of them do. Quite cool.
FPGA Architecture of the Quantum Control System by Keysight (2022)
Source. They actually have a dedicated quantum team! Cool.whoisxmlapi WHOIS history March 22, 2011:
- Registrar Name: NETWORK SOLUTIONS, LLC.
- Created Date: January 26, 2010 00:00:00 UTC
- Updated Date: November 27, 2010 00:00:00 UTC
- Expires Date: January 26, 2012 00:00:00 UTC
- Registrant Name: Corral, Elizabeth|ATTN ACTIVEGAMINGINFO.COM|care of Network Solutions
- Registrant Street: PO Box 459
- Registrant City: PA
- Registrant State/Province: US
- Registrant Postal Code: 18222
- Registrant Country: UNITED STATES
- Administrative Name: Corral, Elizabeth|ATTN ACTIVEGAMINGINFO.COM|care of Network Solutions
- Administrative Street: PO Box 459
- Administrative City: Drums
- Administrative State/Province: PA
- Administrative Postal Code: 18222
- Administrative Country: UNITED STATES
- Administrative Email: xc2mv7ur8cw@networksolutionsprivateregistration.com
- Administrative Phone: 5707088780
- Name servers: NS23.DOMAINCONTROL.COM|NS24.DOMAINCONTROL.COM
Pinned article: Introduction to the OurBigBook Project
Welcome to the OurBigBook Project! Our goal is to create the perfect publishing platform for STEM subjects, and get university-level students to write the best free STEM tutorials ever.
Everyone is welcome to create an account and play with the site: ourbigbook.com/go/register. We belive that students themselves can write amazing tutorials, but teachers are welcome too. You can write about anything you want, it doesn't have to be STEM or even educational. Silly test content is very welcome and you won't be penalized in any way. Just keep it legal!
Intro to OurBigBook
. Source. We have two killer features:
- topics: topics group articles by different users with the same title, e.g. here is the topic for the "Fundamental Theorem of Calculus" ourbigbook.com/go/topic/fundamental-theorem-of-calculusArticles of different users are sorted by upvote within each article page. This feature is a bit like:
- a Wikipedia where each user can have their own version of each article
- a Q&A website like Stack Overflow, where multiple people can give their views on a given topic, and the best ones are sorted by upvote. Except you don't need to wait for someone to ask first, and any topic goes, no matter how narrow or broad
This feature makes it possible for readers to find better explanations of any topic created by other writers. And it allows writers to create an explanation in a place that readers might actually find it.Figure 1. Screenshot of the "Derivative" topic page. View it live at: ourbigbook.com/go/topic/derivativeVideo 2. OurBigBook Web topics demo. Source. - local editing: you can store all your personal knowledge base content locally in a plaintext markup format that can be edited locally and published either:This way you can be sure that even if OurBigBook.com were to go down one day (which we have no plans to do as it is quite cheap to host!), your content will still be perfectly readable as a static site.
- to OurBigBook.com to get awesome multi-user features like topics and likes
- as HTML files to a static website, which you can host yourself for free on many external providers like GitHub Pages, and remain in full control
Figure 3. Visual Studio Code extension installation.Figure 4. Visual Studio Code extension tree navigation.Figure 5. Web editor. You can also edit articles on the Web editor without installing anything locally.Video 3. Edit locally and publish demo. Source. This shows editing OurBigBook Markup and publishing it using the Visual Studio Code extension.Video 4. OurBigBook Visual Studio Code extension editing and navigation demo. Source. - Infinitely deep tables of contents:
All our software is open source and hosted at: github.com/ourbigbook/ourbigbook
Further documentation can be found at: docs.ourbigbook.com
Feel free to reach our to us for any help or suggestions: docs.ourbigbook.com/#contact






