Saint Eligius Updated 2025-06-12 +Created 2025-05-21
View more
Figure 1.
Saint Eligius by Petrus Christus
. Source. Eligius pool is named after Saint Eligius, patron of goldsmiths and miners[ref]
Read the full article
Magic: The Gathering is Turing complete Updated 2025-06-12 +Created 2025-05-21
View more
Video 1.
I Built a COMPUTER in Magic: The Gathering by Because Science (2019)
Source. Shows an explicit Turing complete Magic The Gathering setup with real cards in a standard "extremely lucky" 2 player game.
Read the full article
Exploration-exploitation dilemma Updated 2025-06-12 +Created 2025-05-21
Read the full article
Dimensionality reduction Updated 2025-06-12 +Created 2025-05-21
Read the full article
Updates / Translation of Xi Jinping saying those against raise their hands Updated 2025-06-12 +Created 2025-05-21
View more
I can't believe I had missed that meme until now, and I couldn't resist the temptation to translate it
Video 1.
Xi Jinping saying those against raise their hands (2017)
Source.
Video 2.
Xi Jinping saying those against raise their hands (2022)
Source.
Video 3.
Those against raise their hands Xi Jinping remix by Ciro Santilli
. Source. I also couldn't resist a Kdenlive exercise in voice sampling. It was remarkably easy to do, not bad.
Video 4.
Al Capone hits a homerun scene from the film The Untouchables
. Source.
Video 5.
Committee meeting scene from the film The Death of Stalin
. Source.
Read the full article
Updates / Understanding the state of 3x3 matrix multiplication Updated 2025-06-12 +Created 2025-05-21
View more
After yet another awesome announcement by DeepMind that it had improved theoretical 4x4 matrix multiplication reducing the number of scalar multiplications with its AlphaEvolve system, I decided to have a look at the smallest open size 3x3 to understand what was going on in there.
Read the full article
RoboCasa Updated 2025-06-12 +Created 2025-05-13
View more
Read the full article
Updates / Two Linux Kernel Module Cheat videos Updated 2025-06-12 +Created 2025-05-13
View more
I made not one but two quick presentation videos about my project Linux Kernel Module Cheat, an emulation setup to study and develop the Linux kernel and more:
I had meant to do this editing for a while and kept pushing it off because editing hurts, but finally sat down did it, partly prompted by my quick recent updates made to the projects part of post OurBigBook job search round 2025. At first I was thinking of making a single video, but after I recorded the demo a bit it seemed like two separate ones would make more sense.
I also created a bug report for Kdenlive, the video editor that I used, for a freeze that happens if you try to shift + delete the last item of the timeline: bugs.kde.org/show_bug.cgi?id=504103. Kdenlive is a good editor, but unfortunately it has new freezes and crashes relatively often.
One more useless task that I get off my head, on to the next!
Video 1.
Linux Kernel Module Cheat presentation
. Source.
Video 2.
Linux Kernel Module Cheat demo
. Source.
Read the full article
CIA 2010 covert communication websites / HTML title element Updated 2025-06-12 +Created 2025-05-07
View more
The discoverty of a possible HTML information leaks on HTML <title> of webofcheer.com which is cryptically set as:
pg1c
motivated us to download all HTML and have a grep.
We started grepping with:
grep -ai '<title>' */index.html
and to just get the titles alone for visual inspection:
grep -ahi '<title>' */index.html | sed -r 's/^\s*<title>//;s/<\/title>.*//'
Some mildly interesting facts include:
  • opensourcenewstoday.com is titled just as "Title"
    opensourcenewstoday.com/index.html:<title>Title</title>
  • a few sites are titled "Untitled Document" e.g.:
    media-coverage-now.com/index.html:<title>Untitled Document</title>
newsandsportscentral.com/index.html:  <title>Untitled Document</title>
newsincirculation.com/index.html:<title>Untitled Document</title>
newsworldsite.com/index.html:<title>Untitled Document</title>
primetimemovies.net/index.html:<title>Untitled Document</title>
unganadormundial.com/index.html:<title>Untitled Document</title>
    This may have been the default title in Adobe Dreamweaver.
  • some others have empty title:
    aeronet-news.com/index.html:<title></title>
al-rashidrealestate.com/index.html:             <title></title>
arabicnewsunfiltered.com/index.html:<title></title>
dailynewsandsports.com/index.html:<title></title>
electronictechreviews.com/index.html:<title></title>
indirectfreekick.com/index.html:<title></title>
iran-newslink-today.com/index.html:<title></title>
iraniangoals.com/index.html:<title></title>
kickitnews.com/index.html:<title></title>
mediocampodefutbol.com/index.html:<title></title>
middle-east-newstoday.com/index.html:      <title></title>
mygadgettech.com/index.html:<title></title>
sayaara-auto.com/index.html:<title></title>
techwatchtoday.com/index.html:<title></title>
the-open-book-online.com/index.html:<title></title>
thenewsofpakistan.com/index.html:<title></title>
theworld-news.net/index.html:<title></title>
todaysengineering.com/index.html:<title></title>
todaysnewsreports.net/index.html:<title></title>
worldnewsandent.com/index.html:<title></title>
  • some others are titled just "index" or a variant of it:
    all-sport-headlines.com/index.html:<title>index</title>
europeannewsflash.com/index.html:<title>Index</title>
fgnl.net/index.html:<title>Index Page</title>
iraniangoalkicks.com/index.html:<title>index</title>
just-the-news.com/index.html:<title>index</title>
mide-news.com/index.html:<title>index</title>
mytravelopian.com/index.html:<title>Index</title>
noticiasdelmundolatino.com/index.html:<title>index</title>
pakcricketgrd.com/index.html:  <title>index</title>
pangawana.com/index.html:<title>index</title>
sportsnewsfinder.com/index.html:<title>index</title>
thenewseditor.com/index.html:<title>index</title>
turkishnewslinks.com/index.html:<title>index2</title>
wahidfutbol.com/index.html:<title>index</title>
webscooper.com/index.html:<title>index</title>
webworldsports.com/index.html:<title>index</title>
  • a few don't have <title> at all:
    b2bworldglobal.com/index.html
bailandstump.com/index.html
businessexchangetoday.com/index.html
commercialspacedesign.com/index.html
court-masters.com/index.html
flyingtimeline.com/index.html
marketflows.net/index.html
nouvellesetdesrapports.com/index.html
senderosdemontana.com/index.html
sixty2media.com/index.htm
It is impossible to tell if these were oversights, or intentional to simulate common web development quircks. But they are cute in any case.
Read the full article
CIA 2010 covert communication websites / Binary files Updated 2025-06-12 +Created 2025-05-07
View more
As per:
grep . */index.html | grep 'binary file matches'
a few of the HTMLs are interpreted by grep as being binary:
grep: china-destinations.org/index.html: binary file matches
grep: classicalmusicboxonline.com/index.html: binary file matches
grep: driversinternationalgolf.com/index.html: binary file matches
grep: familyhealthonline.net/index.html: binary file matches
grep: grubbersworldrugbynews.com/index.html: binary file matches
grep: hai-pow.com/index.html: binary file matches
grep: hi-tech-today.com/index.html: binary file matches
grep: networkofnews.com/index.html: binary file matches
grep: nigeriastar.net/index.html: binary file matches
grep: noticias-caracas.com/index.html: binary file matches
grep: theentertainbiz.com/index.html: binary file matches
grep: thefilmcentre.com/index.html: binary file matches
grep: theinternationalgoal.com/index.html: binary file matches
grep: wildbirds-seasia.com/index.html: binary file matches
grep: worldedgenews.com/index.html: binary file matches
Read the full article
martinezjavier/ldd3 Updated 2025-06-12 +Created 2025-05-07
View more
This repo has ported the kernels up to 5.10 as of writing. github.com/martinezjavier/ldd3/pull/86 attempts to go further into 6.x but has been ignored for two years unfortunately.
Read the full article
CIA 2010 covert communication websites / HTML analysis Updated 2025-06-12 +Created 2025-05-07
View more
The HTML from the index page of Wayback Machine were:
The best way to analyse the HTML is to grap our dumps from: github.com/cirosantilli/cia-2010-websites-dump.
Some possibly interesting searches include:
  • list all HTML comments, maybe something spicy was left over:
    git grep '<!--'
  • search for weird file extensions:
    git ls-files | grep -Ev '\.(jpg|gif|html|txt|png|css|php|js|jar|cgi|htm|swf|ico|JPG|class|zip|sf)'
  • have a look at the largest folers:
    ncdu
Some of the HTML files contain conditional comments e.g. web.archive.org/web/20091023041107/http://aquaswimming.com/ contains:
<!--[if IE 6]> <link href="swimstyleie6.css" rel="stylesheet" type="text/css"> <![endif]-->
Varios of the non-English websites seem to have comments translating the content e.g.:
./noticiasmusica.net/20101230165001/index.html:<h2>Alguns dos Melhores Sites Nacionais</h2><!--some of the best national sites (in music)-->
This feels like it could be the translation helping the technical webdev team know what is what.
Many of the RSS frame pages use:
<base target="_blank" />
which is a weird HTML tag that would lead all links to open on new tabs, e.g. web.archive.org/web/20110202124411/http://thecricketfan.com/home.html.
Various websites have pages with .php extension. It feels likely that all websites were written in PHP.
Some URLs existed both in HTML and .php extension, or were converted at some point:
allworldstatistics.com/20110207151941/comprehensivesources.html
allworldstatistics.com/20130818155225/comprehensivesources.php
A few of the PHP urls have weird IDs in them like omktf, juqwt and qlaqft:
./middle-east-newstoday.com/20100829004127/omktf/uirl.php?ok=461128
./newsandsportscentral.com/20100327130237/juqwt/eubcek.php?pe=747155
./pondernews.net/20100826031745/lldwg/qlaqft.php?fc=281298
we wonder what they mean.
A few separate websites have an archive with the same pid parameter:
fightwithoutrules.com/20131220205811/?pid=2POQ7BC1G/index.html
half-court.net/20131223165013/?pid=2POQ7BC1G/index.html
health-men-today.com/20131223002237/?pid=2POQ7BC1G/index.html
intlnewsdaily.com/20131221121441/?pid=2POQ7BC1G/index.html
intoworldnews.com/20131217193621/?pid=2POQ7BC1G/index.html
It is unclear what it means. All of them contain something like:
<html>
<head>
<meta name="robots" content="noarchive" />
<meta name="googlebot" content="nosnippet" />
</head>
<body>
<div align=center>
<h3>Error. Page cannot be displayed. Please contact your service provider for more details.  (11)</h3>
</div>
</body>
</html>
so looks like an archival artifact only.
The following two websites have a feeds.php system for their RSS:
./mydailynewsreport.com/20110211111053/myrss/feeds.php?src=http:/www.refahemelli.com/pashto/news/rss.php&chan=y&desc=1&targ=y&utf=y
./magneticfieldnews.com/20110208063545/magneticfeeds/feeds.php?src=http:/www.bbc.co.uk/pashto/index.xml&chan=y&desc=1&targ=y&utf=y
Some of the HTML uses attributes without quotes, which is legal, but very unusual nowadays:
soldiersofsouthasia.com/20110207203705/home.htm: <a href=http://www.rss-to-javascript.com
We can try to search for any link leaks by listing all domains linked to with:
git grep --no-color -I -h --no-line -o 'https?://[^/">?]+[/">?]' | sed -r 's/.$//' | sort | uniq -c | sort -nk1
The first thing that shows up is that there are some IPs linked to directly! But they seem to be the direct IPs of legitimate websites, we are not sure why IPs were used rather than domain names:
We can also get the full line for each with sorted by least common domains with the slow:
git grep --no-color -I -h --no-line -o 'https?://[^/">?]+[/">?]' | sed -r 's/.$//' | sort | uniq -c | sort -nk1 | awk '{if ($1 < 10) print $2}' | xargs -I{} git --no-pager grep -h --no-line -o '{}.*<' | tee tmp.log
We can search for all IP-like strings with:
git grep '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\b'
Read the full article
Linux Device Drivers book 3rd edition Updated 2025-06-12 +Created 2025-05-07
View more
lwn.net/Kernel/LDD3/ contains the PDF of each chapter.
The book covers the Linux kernel version 2.6.10.
Read the full article
Directorate of Operations (CIA) Updated 2025-06-12 +Created 2025-05-07
Read the full article
Directorate of Digital Innovation (CIA) Updated 2025-06-12 +Created 2025-05-07
View more
Ciro Santilli believes that this recent directorate was likely created as a result of the massive failure of the CIA 2010 covert communication websites
Read the full article
Central Intelligence Agency Directorate of Science & Technology Updated 2025-06-12 +Created 2025-05-07
Read the full article
CIA 2010 covert communication websites / Possible HTML information leaks Updated 2025-06-12 +Created 2025-05-07
View more
This section is about possible "real-world" information leaks found in the HTML of the pages. Domain DNS metadata may of course expose more, and is more likely to do so, this section is only about in-page findings, notably in the HTML.
We haven found anything too mind-blowying so far, but the ones we have are curious.
The HTML <title> of webofcheer.com is cryptically set as:
pg1c
rather than a more natural title like "Web of cheer" as is the case for the other website. This feels like a forgotten placeholder for an internal page identifier, e.g. "page 1C" sounds plausible. At Section "HTML title element" we riefly inspected the <title> of every other hit with a wayback machine archive, and unfortunately none other seemed to have any such interesting title.
The 2010 archive of europeantravelcafe.com has a "plan your trip" link links to a different domain: secure-cert.net/~etc/transport.html. This appears to have been a link to the system used by CIA operators to manage the website. Furthermore, the link then was later removed from the 2011 version, so it was almost certainly a leak! "secure-cert.net" is obscure, the only other surviving online mention of it is www.leewillis.co.uk/wordpress-plugins/#comment-6513 to
secure-cert.net/~sayitint/products-page/bags-totes/duffel-bag/ We've grepped all the HTML downloaded as HTML analysis but no other links to it were found.
Figure 1.
2010 Wayback Machine archive of www.europeantravelcafe.com with "plan your trip" highlighted by us
. Source.
A similar thing happened to alljohnny.com Starting December 2004 the "Submit your favorite carlson quote" was mind blowingly switched to point to https://washington.serversecured.net/~alljohnn/cgi-bin/memlog.cgi thus likely leaking the control site URL. Beauty. It previously pointed to the more sensible: web.archive.org/web/20040901162621/https://secure.alljohnny.com/cgi-bin/memlog.cgi
Read the full article
CIA 2010 covert communication websites / Overview of Ciro Santilli's investigation Updated 2025-06-12 +Created 2025-05-07
View more
Ciro Santilli hard heard about the 2018 Yahoo article around 2020 while studying for his China campaign because the websites had been used to take down the Chinese CIA network in China. He even asked on Quora about it, but there were no publicly known domains at the time to serve as a starting point. Chris, Electrical Engineer and former Avionics Tech in the US Navy, even replied suggesting that obviously the CIA is so competent that it would never ever have its sites leaked like that:
Seriously a dumb question.
Figure 1.
"Seriously a dumb question" Quora answer by Chris from the US Navy
. Source.
In 2023, one year after the Reuters article had been published, Ciro Santilli was killing some time on YouTube when he saw a curious video: Video 1. "Compromised Comms by Darknet Diaries (2023)". As soon as he understood what it was about and that it was likely related to the previously undisclosed websites that he was interested in, he went on to read the Reuters article that the podcast pointed him to.
Being a half-arsed web developer himself, Ciro knows that the attack surface of a website is about the size of Texas, and the potential for fingerprinting is off the charts with so many bits and pieces sticking out. And given that there were at least 885 of them, surely we should be able to find a few more than nine, right?
In particular, it is fun how these websites provide to anyone "live" examples of the USA spying on its own allies in the form of Wayback Machine archives.
Given all of this, Ciro knew he had to try and find some of the domains himself using the newly available information! It was an irresistible real-life capture the flag.
Chris, get fucked.
Video 1.
Compromised Comms by Darknet Diaries (2023)
Source.
It was the YouTube suggestion for this video that made Ciro Santilli aware of the Reuters article almost one year after its publication, which kickstarted his research on the topic.
Full podcast transcript: darknetdiaries.com/transcript/75/
Ciro Santilli pinged the Podcast's host Jack Rhysider on Twitter and he ACK'ed which is cool, though he was skeptical about the strength of the fingerprints found, and didn't reply when clarification was offered. Perhaps the material is just not impactful enough for him to produce any new content based on it. Or also perhaps it comes too close to sources and methods for his own good as a presumably American citizen.
The first step was to try and obtain the domain names of all nine websites that Reuters had highlighted as they had only given two domains explicitly.
Thankfully however, either by carelessness or intentionally, this was easy to do by inspecting the address of the screenshots provided. For example, one of the URLs was:
https://www.reuters.com/investigates/special-report/assets/usa-spies-iran/screencap-activegaminginfo.com.jpg?v=192516290922
which corresponds to activegaminginfo.com.
Figure 2.
Inspecting the Reuters article HTML source code
. Source. The Reuters article only gave one URL explicitly: iraniangoals.com. But most others could be found by inspecting the HTML of the screenshots provided, except for the Carson website.
Once we had this, we were then able to inspect the websites on the Wayback Machine to better understand possible fingerprints such as their communication mechanism.
The next step was to use our knowledge of the sequential IP flaw to look for more neighbor websites to the nine we knew of.
This was not so easy to do because the websites are down and so it requires historical data. But for our luck we found viewdns.info which allowed for 200 free historical queries (and they seem to have since removed this hard limit and moved to only throttling), leading to the discovery or some or our own new domains!
This gave us a larger website sample size in the order of the tens, which allowed us to better grasp more of the possible different styles of website and have a much better idea of what a good fingerprint would look like.
Figure 3.
viewdns.info activegameinfo.com domain to IP
. Source.
Figure 4.
viewdns.info aroundthemiddleeast.com IP to domain
. Source.
The next major and difficult step would be to find new IP ranges.
This was and still is a hacky heuristic process for us, but we've had the most success with the following methods:
Figure 5.
DNS Census 2013 website
. Source. This source provided valuable historical domain to IP data. It was likely extracted with an illegal botnet. Data excerpt from the CSVs:
amazon.com,2012-02-01T21:33:36,72.21.194.1
amazon.com,2012-02-01T21:33:36,72.21.211.176
amazon.com,2013-10-02T19:03:39,72.21.194.212
amazon.com,2013-10-02T19:03:39,72.21.215.232
amazon.com.au,2012-02-10T08:03:38,207.171.166.22
amazon.com.au,2012-02-10T08:03:38,72.21.206.80
google.com,2012-01-28T05:33:40,74.125.159.103
google.com,2012-01-28T05:33:40,74.125.159.104
google.com,2013-10-02T19:02:35,74.125.239.41
google.com,2013-10-02T19:02:35,74.125.239.46
Figure 6.
The four communication mechanisms used by the CIA websites
. Java Applets, Adobe Flash, JavaScript and HTTPS
Figure 7.
Expired domain names by day 2011
. Source. The scraping of expired domain trackers to Github was one of the positive outcomes of this project.
Finally, at the very end of our pipeline, we were left with a a few hundred domains, and we just manually inspected them one by one as far as patience would allow it to confirm or discard them.
Figure 8.
You can never have enough Wayback Machine tabs open
. This is how the end of the fingerprint pipeline looks like: as many tabs as you have the patience to go through one by one!
Read the full article
CIA 2010 covert communication websites / Timeline of public disclosures Updated 2025-06-12 +Created 2025-05-07
View more
The existence of the websites emerged in various stages, some of which may refer to this network or to other closely related communications failure since the published information is sometimes not clear enough.
May 21, 2011: various Iranian news outlets reported that:
30 individual suspected of spying for the US were arrested and 42 CIA operatives were identified in connection with the network.
The network, which was set up by a considerable number of seasoned CIA operatives in several countries, attempted to trick citizens into spying for them under the guise of issuing visa, helping with permanent residency, and making job and study offers.
Iranian sources include:
The news were picked up and repeated by Western outlets on the same day e.g.:
At this point there were still no clear indications that the recruitment had been made with websites, however later revelations would later imply that.
Video 1.
Iran dismantles US-linked spy network broadcast by IRIB May 21, 2011
. Source. Reupload of shiatv.net/video/dd6ee2d708a4a6cb2429 by Ciro Santilli
December 2014: McClathy DC reported on "Intelligence, defense whistleblowers remain mired in broken system" that CIA contractor John A. Reidy had started raising concerns about the security of a communication systems used by the CIA and other sources mention that he started this in 2008[ref] The focus of the article is how he was then ignored and silenced for raising these concerns, which later turned out to be correct and leading to an intelligence catastrophe that started in 2010.[ref][ref] This appears to have come out after a heavily redacted appeal by Reidy against the CIA from October 2014 came into McClathy's possession.[ref] While Reidy's disclosures were responsible and don't give much away, given the little that they disclose it feels extremely likely that they were related to the same system we are interested in. Even heavily redacted, the few unredacted snippets of the appeal are pure gold and give a little bit of insight into the internal workings of the CIA. Some selections:
From January 2005 until January 2009, I worked as a government contractor at the CIA. I was assigned to [Directorate](ledger item 1) in the [Division] (ledger item 2). I served as a Uob) (ledger item 3) whose responsibility was to facilitate the dissemination of intelligence reporting to the Intelligence Community. I also served as a Oob 2) (ledger item 4) whose responsibility was to identify Human Intelligence (humint) targets of Interest for exploitation. I was assigned the telecommunications and information operations account.
As our efforts increased, we started to notice anomalies in our operations and conflicting intelligence reporting that indicated that several of our operations had been compromised. The indications ranged from [ redacted ] to sources abruptly and without reason ceasing all communications with us.
These warning signs were alarming due to the fact that our officers were approaching sources using [operational technique] (ledger item 16)
When our efforts began, ultimate operational authority rested with us. The other component provided the finances for the operation while we gave the operational guidance and the country specific knowledge.
knew we had a massive intelligence failure on our hands. All of our assets [ redacted ] were in jeopardy.
To give our compromise context, the U.S. communications infrastructure was under siege
All of this information was collected under the project cryptonym [cryptonym] (ledger item 52)
Meanwhile throughout 2010, I started to hear about catastrophic intelligence failures in the government office I formally worked for. More than one government employee reached out to me and notified me that the "nightmare scenario" I had described and tried to prevent had transpired. I was told that in upwards of 70% of our operations had been compromised.
it is not just a potential compromise in one country, It effects every country
May 2017: Mazzetti et al. reported for the New York Times at "Killing C.I.A. Informants, China Crippled U.S. Spying Operations" that:
The Chinese government systematically dismantled C.I.A. spying operations in the country starting in 2010, killing or imprisoning more than a dozen sources over two years and crippling intelligence gathering there for years afterward.
and that:
Some were convinced that a mole within the C.I.A. had betrayed the United States. Others believed that the Chinese had hacked the covert system the C.I.A. used to communicate with its foreign sources. Years later, that debate remains unresolved.
[...]
From the final weeks of 2010 through the end of 2012, [...] the Chinese killed at least a dozen of the C.I.A.’s sources. [...] One was shot in front of his colleagues in the courtyard of a government building — a message to others who might have been working for the C.I.A.
Figure 1.
Top image of the New York Times article
. Source.
January 2018: Pete Williams reported for NCB News at Alleged CIA China turncoat Lee may have compromised U.S. spies in Russia too that it was China that told Russia about the communications system:
It was a shocking blow to an American spy agency that prides itself on its field operations. There was also a devastating human cost: Some 20 CIA sources were executed by the Chinese government, two former officials said — a higher number of dead than initially reported by NBC News and the New York Times. Then an unknown number of Russian assets also disappeared, sources say.
Soon after the task force concluded the Chinese had penetrated covcom, it got an even more troubling report: That after a joint training session between Chinese and Russian intelligence officers, the Russians "came back saying we got good info on covcom," as the former official put it
and that some theorize that former CIA agent Jerry Chun Shing Lee had betrayed Chinese spies, which some theorize may have been how China became aware of the communication network:
FBI agents began to suspect Lee after they received a tip that he had passed information to Chinese intelligence officers while working for a Japanese tobacco company in Hong Kong, sources said, a detail first reported Thursday by the New York Times. They also found it suspicious when Lee took a job at an auction house in Hong Kong that was co-owned by a senior Communist Party official, sources said. He eventually ended up working for Christie's, the international auction house.
When agents searched Lee's hotel rooms in 2012, they found notebooks with the names of covert CIA sources, according to court documents.
But not all of the agent arrests and deaths could be linked to information possessed by Lee, who left the CIA in 2007, the former officials said.
According to Ex-C.I.A. Officer Sentenced to 19 Years in Chinese Espionage Conspiracy from November 2019 Lee was sentenced to 19 years in prison:
The former officer, Jerry Chun Shing Lee, 55, pleaded guilty in May to conspiring with Chinese intelligence agents starting in 2010, after he left the agency. Prosecutors detailed a long financial paper trail that they said showed that Mr. Lee received more than $840,000 for his work.
Mr. Lee, an Army veteran, worked for the C.I.A. from 1994 to 2007, including in China.
But F.B.I. agents who investigated whether he was the culprit passed on an opportunity to arrest him in the United States in 2013, allowing him to travel back to Hong Kong even after finding classified information in his luggage. F.B.I. agents had also covertly entered a hotel room Mr. Lee occupied in 2012, finding handwritten notes detailing the names and numbers of at least eight C.I.A. sources that he had handled in his capacity as a case officer.
Figure 2.
Jerry Chun Shing Lee in blue tie at the unveiling of Leonardo da Vinci's 'Salvator Mundi' painting at the Christie's showroom in Hong Kong on Oct. 13, 2017
.
August 2018: Zach Dorfman reported for Foreign Policy at "Botched CIA Communications System Helped Blow Cover of Chinese Agents" that:
It was considered one of the CIA’s worst failures in decades: Over a two-year period starting in late 2010, Chinese authorities systematically dismantled the agency’s network of agents across the country, executing dozens of suspected U.S. spies. But since then, a question has loomed over the entire debacle. How were the Chinese able to roll up the network?
and:
U.S. intelligence officers were also able to identify digital links between the covert communications system and the U.S. government itself, according to one former official—links the Chinese agencies almost certainly found as well. These digital links would have made it relatively easy for China to deduce that the covert communications system was being used by the CIA. In fact, some of these links pointed back to parts of the CIA’s own website, according to the former official.
Although no clear mention of websites is made in that article, the fact that there were "links" back to the CIA website strongly suggests that the communication was done through websites.
The report also reveals that there was a temporary "interim system" that new sources would use while they were being vetted, but that it used the same style of system as the main system. It would be cool if we managed to identify which sites are interim or not somehow:
When CIA officers begin working with a new source, they often use an interim covert communications system—in case the person turns out to be a double agent.
The communications system used in China during this period was internet-based and accessible from laptop or desktop computers, two of the former officials said.
This interim, or “throwaway,” system, an encrypted digital program, allows for remote communication between an intelligence officer and a source, but it is also separated from the main communications system used with vetted sources, reducing the risk if an asset goes bad.
Although they used some of the same coding, the interim system and the main covert communication platform used in China at this time were supposed to be clearly separated.
Figure 3.
Illustration of the Foreign Policy article
. Source.
November 2018: Zach Dorfman and Jenna McLaughlin reported for Yahoo News the first clear report that the communication system was made up of websites at: "The CIA's communications suffered a catastrophic compromise. It started in Iran.":
In 2013, hundreds of CIA officers — many working nonstop for weeks — scrambled to contain a disaster of global proportions: a compromise of the agency’s internet-based covert communications system used to interact with its informants in dark corners around the world. Teams of CIA experts worked feverishly to take down and reconfigure the websites secretly used for these communications
The usage of of Google dorking is then mentioned:
In fact, the Iranians used Google to identify the website the CIA was using to communicate with agents.
It seems to us that this would have been very difficult on the generically themed websites that we have found so far. This suggests the existence of a separate recruitment website network, perhaps the one reported in 2011 by Iran offering VISAs. It would be plausible that such network could link back to the CIA and other government websites. Recruited agents would only then later use the comms network to send information back. The target countries may have first found the recruitment network, and then injected double agents into it, who later came to know about the comms network. TODO: it would be awesome to find some of those recruitment websites!
Another very interesting mention is the platform had been over extended beyond its original domain application, which is in part why things went so catastrophically bad:
Former U.S. officials said the internet-based platform, which was first used in war zones in the Middle East, was not built to withstand the sophisticated counterintelligence efforts of a state actor like China or Iran. “It was never meant to be used long term for people to talk to sources,” said one former official. “The issue was that it was working well for too long, with too many people. But it was an elementary system.”
Figure 4.
Illustration in the Yahoo article
. Source.
December 2018: a followup Yahoo News article "At the CIA, a fix to communications system that left trail of dead agents remains elusive" gives an interesting internal organizational overview of the failed operation:
As a result, many who are directly responsible for working with sources on the ground within the CIA’s Directorate of Operations are furious
The fiascos in Iran and China continue to be sticking points between the Directorate of Operations and the CIA’s Directorate of Science and Technology (DS&T) — the technical scientists. “There is a disconnect between the two directorates,” said one former CIA official. “I’m not sure that will be fixed anytime soon.”
Entire careers in the CIA’s Office of Technical Service — the part of DS&T directly responsible for developing covert communications systems — were built on these internet-based systems, said a former senior official. Raising concerns about them was “like calling someone’s baby ugly,” said this person.
Much as in the case of Reidy, it is partly because of such internal dissatisfaction that so much has come out to the press, as agents feel that they have nowhere else to turn to.
That article also gives a cute insight into the OPSEC guidelines for the assets that used the websites:
CIA agents using the system were supposed to conduct “electronic surveillance detection routes” — that is, to bounce around on various sites on the internet before accessing the system, in order to cover their tracks — but often failed to do so, creating potentially suspicious patterns of internet usage, said this person.
Finally the article also gives us a cute terminology: COVCOM:
“And the agency would produce its own COVCOM [covert communications] systems in-house. We’d test it there. In denied areas, we had special systems.”
Figure 5.
Illustration for the December 2018 Yahoo News article
. Source.
The most important thing that this article gave were screenshots of nine websites, including the domain names of two of them: iraniangoals.com and iraniangoalkicks.com:
In addition, some sites bore strikingly similar names. For example, while Hosseini was communicating with the CIA through Iraniangoals.com, a site named Iraniangoalkicks.com was built for another informant. At least two dozen of the 350-plus sites produced by the CIA appeared to be messaging platforms for Iranian operatives, the analysts found.
The "350-plus" number is a bit random, given that their own analysts stated a much higher 885 in their report.
The article also reveals the critical flaw of the system; the usage of sequential IPs:
Online records they analyzed reveal the hosting space for these front websites was often purchased in bulk by the dozen, often from the same internet providers, on the same server space. The result was that numerical identifiers, or IP addresses, for many of these websites were sequential, much like houses on the same street.
It also mentions that other countries besides Iran and Chine were also likely targeted:
This vulnerability went far beyond Iran. Written in various languages, the websites appeared to be a conduit for CIA communications with operatives in at least 20 countries, among them China, Brazil, Russia, Thailand and Ghana, the analysts found.
Figure 6.
Banner of the Reuters article
. Source.
Figure 7.
Reuters reconstruction of what the iraniangoals.com applet would have looked like
. Source.
29 September 2022: on the same day that Reuters published their report, Citizenlab, which Reuters used as analysts for the article, also simultaneously published their more technical account of things at "Statement on the fatal flaws found in a defunct CIA covert communications system".
One of the most important information given in that report is the large number of sites found, 885, and the fact that they are available on Wayback Machine:
Using only a single website, as well as publicly available material such as historical internet scanning results and the Internet Archive's Wayback Machine, we identified a network of 885 websites and have high confidence that the United States (US) Central Intelligence Agency (CIA) used these sites for covert communication.
The million dollar question is "which website did they use" and "how much does it cost if anything" since our investigation has so far had to piece together a few different hacky sources but didn't spend any money. And a lot of money could be poured into this, e.g. DomainTools which might contain one of the largest historical databases, , seems to start at 15k USD / 1000 queries. One way to try and deduce which website they used is to look through their other research, e.g.:
The article mentioned the different types of communication mechanisms found:
The websites included similar Java, JavaScript, Adobe Flash, and CGI artifacts that implemented or apparently loaded covert communications apps. In addition, blocks of sequential IP addresses registered to apparently fictitious US companies were used to host some of the websites. All of these flaws would have facilitated discovery by hostile parties.
They describe the most common subject matters and language of the websites:
The websites, which purported to be news, weather, sports, healthcare, and other legitimate websites, appeared to be localized to at least 29 languages and geared towards at least 36 countries.
They also give the dates range in which the system was active, which is very helpful for better targeting our searches:
The bulk of the websites that we discovered were active at various periods between 2004 and 2013.
And then a bomb, they claim to have found information regarding specific officers:
Nevertheless, a subset of the websites are linked to individuals who may be former and possibly still active intelligence community employees or assets:
  • Several are currently abroad
  • Another left mainland China in the time frame of the Chinese crackdown
  • Another was subsequently employed by the US State Department
  • Another now works at a foreign intelligence contractor
Given that we cannot rule out ongoing risks to CIA employees or assets, we are not publishing full technical details regarding our process of mapping out the network at this time. As a first step, we intend to conduct a limited disclosure to US Government oversight bodies.
This basically implies that they must have either
  • found some communication layer level identifier, e.g. domain name registration HTTPS certificate certificate because it is impossible to believe that real agent names would have been present on the website content itself!
  • or they may be instead talking about a separate recruitment network which offered the VISAs which we conjecture might have existed but currently have no examples of, and which might conceivably contain real embassy contacts
We have so for not yet found any such clear references to real individuals.
October 2022 Zach Dorfman, author of the 2018 Yahoo News and Foreign Policy articles gave some good anecdotes he had heard from his sources notes after the Reuters expose in his personal blog post On Agent Compromise in the Field, giving a more personal account of some of the events that took place:
Now, an important caveat: I have known dedicated former CIA officials who have spoken of the care, respect, and obligation they felt toward their sources, and the lengths they would go to assist them. For many case officers — that is, the CIA's primary corps of spy handlers — this is a core part of their professional identity.
During the roll-up in China, for instance, a former U.S. official told me about a CIA officer who, aware that something was going terribly wrong there, organized final, assuredly dangerous, in-person meetings with agency sources. This distraught CIA officer essentially shoved wads of cash into sources' hands. This CIA officer warned them of the unfolding disaster and begged them to leave the country as fast as they could. Another source told me a story about a CIA official who, while being debriefed in Langley about the asset roll-up — and the slapdash COVCOM system — broke down in tears upon hearing that sources’ lives had been destroyed because of such obvious dereliction, of which they were previously unaware.
But I don’t want to oversell this point, either. By its nature, the world of espionage is steeped in the sordid aspects of human experience, exploiting people’s vulnerabilities for narrow informational gain. [...]
Indeed, many former CIA officials have a decidedly pragmatic and amoral conception of their profession. Bad things happen when you spy, or recruit others to do so. [...] I had a conversation once with a former senior CIA official with experience in Iran issues who had an almost naturalistic view of recurring asset losses there over the years: for him, it was a built-in, cyclical feature of the work and environment, like the denuding of deciduous forests every fall.
Read the full article
Compile Linux kernel for Ubuntu Updated 2025-06-12 +Created 2025-05-07
View more
This section describes our attempts at compiling the Linux kernel for Ubuntu so as to use the exact patches and build configuration as used for a given Ubuntu release. The same toolchain would also be ideal, but perhaps this would require a Linux distribution buildable from source.
canonical-kteam-docs.readthedocs-hosted.com/en/public/how-to/build-kernel.html seems promising it says that for Ubuntu 24.04 and above you should do the following which was tested on Ubuntu 24.10:
sudo cp /etc/apt/sources.list /etc/apt/sources.list~
sudo sed -Ei 's/^# deb-src /deb-src /' /etc/apt/sources.list
sudo apt-get update
sudo apt build-dep -y linux linux-image-unsigned-$(uname -r)
sudo apt install -y fakeroot llvm libncurses-dev dwarves
apt source linux-image-unsigned-$(uname -r)
~/tmp/ubuntu/linux-6.11.0
cd linux-6.11.0
chmod a+x debian/rules
chmod a+x debian/scripts/*
chmod a+x debian/scripts/misc/*
fakeroot debian/rules clean
fakeroot debian/rules binary
The build is extremely slow compared to a build of a more embedded and specifically targeted minimal kernel, and took about 2 hours on P14s. Their philosophy is likely to enable as many drivers as possible so that a single download will work for everyone. Which makes sense, fair enough. It would be cute though if there was a smarter way. Oh well.
After it finally finishes the build including our vmlinux is present at:
linux-6.11.0/debian/build/build-generic
Read the full article

There are unlisted articles, also show them or only show them.