Incoming links: Domain name
From The Reuters websites and others we've found, we can establish see some clear stylistic trends across the websites which would allow us to find other likely candidates upon inspection:The most notable dissonance from the rest of the web is that there are no commercial looking website of companies, presumably because it was felt that it would be possible to verify the existence of such companies.
- natural sounding, sometimes long-ish, domain names generally with 2 or 3 full words. Most in English language, but a few in Spanish, and very few in other languages like French.
- shallow websites with a few tabs, many external links, sometimes many images, and few internal pages
- lots of rectangular images make up the top bar banner image. Stock images are often used to make the full image, and then the full image is split. An example
- common themes include:
- news
- hobbies, notably sports, travel and photography. Golf seems overrepresented. Must be a thing over there in Langley.
- .com and .net top-level domains, plus a few other very rare non .com .net TLDs, notably .info and .org
- each one has one "communication mechanism file": communication mechanisms
- narrow page width like in the days of old, lots of images
- each hit domain is the only domain for its IP, i.e. the websites are all private hosted, no shared web hosting service examples have been found so far
- split images images: many of the website banners are composed of several images cut up. Stock images were first assembled into the banner, and then the resulting image was cut. Possibly this was done to make reverse image search to their stock image provider harder. But it somewhat backfired and serves as a good marker that confirms authorship. Maybe it is some kind of outdated web design thing, which they took much further in time than the average website, like the JAR. Their websites do appear to follow common style guidelines form earlier eras, around the early 2000s notably, some legit sites that look a lot like hits:
- some common pattern they follow in their news lists:
ul.rss-items > li.rss-item, e.g.: web.archive.org/web/20110202092126/http://beamingnews.com/- links with class
a.newslinkanda.newslinkalte.g. web.archive.org/web/20110128181622/http://profile-news.com/
It would be fun to actually reverse search into one of their stock image provider's original images. Ones we've found:
citizenlab.ca/2022/09/statement-on-the-fatal-flaws-found-in-a-defunct-cia-covert-communications-system/ did an investigation and found 885 such websites, but decided not to disclose the list or methods:The question is which website. E.g. at citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ they used data from Censys.citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ mentions scans.io/. citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/ mentions: www.shodan.io/, Censys really seems to be their thing.
Using only a single website, as well as publicly available material such as historical internet scanning results and the Internet Archive's Wayback Machine, we identified a network of 885 websites and have high confidence that the United States (US) Central Intelligence Agency (CIA) used these sites for covert communication.The websites included similar Java, JavaScript, Adobe Flash, and CGI artifacts that implemented or apparently loaded covert communications apps. In addition, blocks of sequential IP addresses registered to apparently fictitious US companies were used to host some of the websites. All of these flaws would have facilitated discovery by hostile parties.The websites, which purported to be news, weather, sports, healthcare, and other legitimate websites, appeared to be localized to at least 29 languages and geared towards at least 36 countries.
We searched historical data from Censys
Another critical excerpt is:This basically implies that they must have found some communication layer level identifier, e.g. IP registration, domain name registration, or certificate because it is impossible to believe that real agent names would have been present on the website content itself!
The bulk of the websites that we discovered were active at various periods between 2004 and 2013. We do not believe that the CIA has recently used this communications infrastructure. Nevertheless, a subset of the websites are linked to individuals who may be former and possibly still active intelligence community employees or assets:Given that we cannot rule out ongoing risks to CIA employees or assets, we are not publishing full technical details regarding our process of mapping out the network at this time. As a first step, we intend to conduct a limited disclosure to US Government oversight bodies.
- Several are currently abroad
- Another left mainland China in the time frame of the Chinese crackdown
- Another was subsequently employed by the US State Department
- Another now works at a foreign intelligence contractor
The websites were used from at least as early as August 2008, as per Gholamreza Hosseini's account, and the system was only shutdown in 2013 apparently. citizenlab.ca/2022/09/statement-on-the-fatal-flaws-found-in-a-defunct-cia-covert-communications-system/ however claims that they were used since as early as 2004.
Notably, so as to be less suspicious the websites are often in the language of the country for which they were intended, so we can often guess which country they were intended for!
The Reuters article directly reported only two domains in writing:
- iraniangoals.com. Iranian language football website. As of 2023, the domain had been bought by Reuters and redirects to their website.
- iraniangoalkicks.com. Iranian language football website. Available in GoDaddy as of 2023.
But by looking at the URLs of the screenshots they provided from other websites we can easily uncover all others that had screenshots, except for the Johnny Carson one, which is just generically named. E.g. the image for the Chinese one is www.reuters.com/investigates/special-report/assets/usa-spies-iran/screencap-activegaminginfo.com.jpg?v=192516290922 which leads us to domain activegaminginfo.com.
Also none of those extra ones have any Google hits except for huge domain dumps such has Expired domain trackers, so maybe this counts as little bit of novel public research.
The full list of domains from screenshots is:
activegaminginfo.com: Chinese gaming information website.2011 archive: web.archive.org/web/20110208113503/http://activegaminginfo.com/. Contains mentions of 2010.Domain available in GoDaddy as of 2023.- As of 2023, it seemed to be an actual legit photography website by German (amateur?) photographer Klaus Wägele. Archive: web.archive.org/web/20230323102504/https://www.capture-nature.com/Ciro Santilli actually sent him a message to let him know about the CIA thing in case he didn't, and he replied that he wasn't aware of it.
www.headlines2day.com: Iranian language news website.2011 archive: web.archive.org/web/20110201164741/https://www.headlines2day.com/. Dated "Copyright 2009".As of 2023, this was a completly broken-looking news website but in English entitled:2023 archive: web.archive.org/web/20230121191348/https://www.headlines2day.com/. It makes one wonder if the CIA still operates it!Today's Headlines
fitness-dawg.com: English fitness website.2021 archive: web.archive.org/web/20110207104044/http://fitness-dawg.com/.Domain available as of 2023.rastadirect.net: English Rastafari culture website.2010 archive: web.archive.org/web/20100429002010/http://rastadirect.net/ dated as "Copyright 2008".Domain available as of 2023.fightwithoutrules.com: Russian fighting website.2011 archive: web.archive.org/web/20110203021315/http://fightwithoutrules.com/. Contains mentions of 2009 news.Domain available as of 2023.alljohnny.com: Johnny Carson fansiteDomain available as of 2023.
This brings up to 8 known domain names with Wayback Machine archives, plus the yet unidentified Johnny Carlson one, see also: Section "Searching for Carson", which is also almost certainly is on Wayback Machine somewhere given that they have a screenshot of it.
Governments should provide basic Internet infrastructure Updated 2025-03-25 +Created 1970-01-01
Companies are getting too much power to distort regulations and destroy privacy.
Taxes pay for the physical car roads, so why shouldn't they also pay for the "online roads" of today?
The following services are obvious picks because they are so simple:
Other less simple ones that might also be feasible:
- geographic information system. Notable anti-example: United Kingdom's Ordnance Survey's apparently non-free-data
- App stores
All of them should have strong privacy enabled by default: end-to-end encryption, logless, etc. Governments are not going to like this part.
And then if you ever forget a password or lose a multi-factor authentication token, you can just go to an ID center with your ID to recover it.