Input your ‘Enrolment Number’ in thefield provided on the new page along side date and time mentioned on your acknowledgement slip.
There is additionally captcha image on the page, that you would like to type within the box below precisely the method it shows.
Click on ‘Submit’ and therefore the new page would show the status of your Aadhar card.
The final page would show you whether or not your Aadhar card number is generated or not and if generated and sent, it might show you the delivery tracking details that would be all you need to track your Aadhar card.
I was recently browsing play store and what bumped in front of me was Xender. I thought lets give it a try. After trying that application, my life changed, first I used to used waste several hours waiting for bluetooth to complete file sharing but with xender, Now I can share apps with lightning speed. It is extremely easy to do so!
If you are having Question that how to download xender? Then look at the instructions I am going to provide: 1) Open playstore 2) Search Xender 3) Click Install 4) Wait for a few minutes 5) Let it get install 6) Done. Easy-peasy-japanese! If you want to download xender apk for android then you may like visiting our following link. http://bit.ly/1SEMXhn
How to install Xender on PC: For installing xender on pc, there are two methods: 1) Either with bluestacks 2) Or without Bluestacks For knowing how to install xender on pc click here.
Information Security Researcher :: PGP key https://pgp.mit.edu/pks/lookup?op=get&search=0xDB60C7B9BD531054
2 days ago12 min read
Between Lies and Bad Analysis
A well respected author with a lot of knowledge of the NSA has written an article for Reuters speculating that the ShadowBrokers “leak” was from “another Snowden.” It was not. Although I respect the work that Mr Bamford has done in the past in analysing the NSA, his Reuter’s article is littered with half truths, omissions and faulty analysis.
[Ed: I wanted to do a line by line annotation using Genius, but was unable to get it to work. Unfortunate, since that seems more appropriate given the number of problems with the article.]
The Analysis Bit
Every quote is from the original article. I’ve added emphasis to the parts I will discuss.
Where the Watergate burglars came away empty-handed and in handcuffs, the modern- day cyber thieves walked away with tens of thousands of sensitive political documents and are still unidentified.
This statement is, at best, a lie by omission. The threat actors behind the DNC compromise have been positively identified by CrowdStrike. The disinformation campaign (aka Guccifer 2.0) has been thoroughly debunked in some excellent reporting by Vice, as well as a number of a independent threat intelligence companies.
Bamford fails to mention that many sources, including the US intelligence community, believe it was Russia, even if only as an aside, “although numerous credible sources have alleged it was Russia…” For some examples see: herehereherehereherehere … etc.
Now, in the latest twist, hacking tools themselves, likely stolen from the National Security Agency, are on the digital auction block. Once again, the usual suspects start with Russia — though there seems little evidence backing up the accusation.
The Auction Fallacy
This assumes that the auction is real. There is no reason to believe that. The preparation for the distribution of the files — packaging, account creation, uploading, and announcing — spans weeks. From the way it was done we can conclude that the perpetrators were: careful (everything has been scrubbed, they used encrypted anonymous webmail); cautious (multiple locations guaranteeing wide dispersal and difficult removal); skilled (good crypto practices), and persistent (i.e. driven by purpose.) This is a lot of work for what is bound to be very little money (just over USD$1000, at this time.)
Anyone who is skilled enough to setup this operation should be knowledgeable enough to know that selling the tools to non-FVEY nation states would be more profitable. They could literally do the exact same thing (minus the public announcement) and contact individual embassies from Europe, Asia, Africa, etc. They would get more money and run less risk. Hell, even just giving the bugs to ZDI would generate a bigger payout!
Bitcoin is a terrible protocol to use when running an auction against the NSA. Determining where BTC are cashed out is simply a little bit of graph analysis. Know what the NSA is excellent at? Graph analysis. A Bitcoin based auction is not the way to monetise an NSA ops toolkit (and remain free.)
To quote daveaitel: No team of “hackers” would want to piss off Equation Group this much. That’s the kind of cojones that only come from having a nation state protecting you. — Source
If the auction was legitimate, there is no reason that 60% of the auction data would be “free” as proof. The screen shots and one or two tools/exploits (e.g. ones for old bugs) would be sufficient to pique the interest of potential bidders. Instead the “proof” file is, essentially, the entire kit and caboodle (pun absolutely intended.)
Absence of Evidence is Evidence of Absence
The idea that there would be a solid, publicly available, trail of evidence linking the ShadowBrokers to any particular threat actor is naive. This is not 1972. There are no propped open fire exits and dudes in ski masks rifling office cabinets. The only option is to use rigorous analytic techniques and methologies on the available evidence.
I will point to daveaitel’s piece as to why it was (probably) Russia. There is non-public evidence that is a solid link, but…it is not public. Read Dave’s analysis here: cybersec politics.
There are a number of operators that could have captured this kit. Almost any sizeable AV or Threat Intel company, or any intelligence service with a competent cyber espionage capability. No public company would risk releasing the tools like this (they would go from a marketing driven approach), and the number of competent cyber espionage services is fairly small. Hint: it wasn’t Angola.
Cyber Kremlinology Failure
In addition, if Russia had stolen the hacking tools, it would be senseless to publicize the theft, let alone put them up for sale. It would be like a safecracker stealing the combination to a bank vault and putting it on Facebook. Once revealed, companies and governments would patch their firewalls, just as the bank would change its combination.
Senseless To Who?
If Russia acquired the hacking tools (they did), they did so (probably) in late 2013. That is, three years ago. They would have had three years to pick the Firewall Ops kit clean. That is a nice run to extract value from the opposition’s toolkit. You can impersonate them, know what to look for, know what to patch, set up deliberate honeypots, etc. etc.
The reason to publicise the theft, after exploiting the ops toolkit for three years, may have everything to do with current geopolitics and nothing to do with trying to raise money.
There is a spat going on over the DNC leaks (a very one sided spat, to be sure.) Using a tool release as signalling that escalation will be painful and messy, as @Snowden said in “his” tweet storm, is a perfectly sensible reason to drop a three year old toolkit.
Alternatively, the dumping of the ops toolkit might be a way to distract the NSA at a time when they should be focussed on other things. Instead of looking into the DNC leaks situation with full focus, they are burning the midnight oil scrambling to replace NOPEN on 100,000 routers around the world.
They Are Not Up For Sale
See above. The auction is an obvious fake.
See, It Is Not Senseless
Although earlier having no plausible reason why the Russians would want to dump the NSA’s firewall ops toolkit, Bamford gives a perfectly good reason right here. Patching the vulnerabilities in this dump harms the NSA’s ability to compromise firewalls (and routers.) Hindering the ability of the opposition to operate freely and easily, increasing their costs and slowing them down, is a perfectly valid reason to burn their toolkit.
Assumption Chain and Misunderstanding Trifecta
A more logical explanation could also be insider theft. If that’s the case, it’s one more reason to question the usefulness of an agency that secretly collects private information on millions of Americans but can’t keep its most valuable data from being stolen, or as it appears in this case, being used against us.
These “ifs” and “coulds” are chained together to assert that NSA is not a useful agency. I will not bother addressing that claim, but I will say that “if…could” is not the foundation on which to build that statement.
Ops Kits Are Not Particularly Valuable
A firewall ops kit is designed and developed to be used on non-classified systems, what the NSA calls “the low side” (thats a nice way of saying, “other people’s computers.”) These are not the crown jewels of NSA data. Not by a long shot. The assumption is that they will be compromised at some point. This is why the operator is supposed to minimise the kit to just the required tools. That did not happen.
If, as the preceding waffling sentence suggests, Bamford believes that people are walking out of NSA with USB drives full of TAO operational tooling, then the sky is falling. Post Snowden, USB drives inside NSA environments (particularly the Remote Operations Center [ROC]) are a great way to lose your job, your clearance and possibly your liberty.
NSA Needs To Stop Writing Cisco’s Buggy Code
Althought I am unsure who, exactly, is using this toolkit against “us,” presumably the patching that Bamford warned about earlier isn’t happening? Or, if, like me, you are a non-US person and not based in the US, this toolkit was already being used against “us.” So… This just confuses me.
The remote access trojans [RAT] such as NOPEN are not very useful operational tools to anyone except the NSA. They are useful to non FVEY intelligence service (and companies, etc) who now know what sort of traffic and tools to look for on their firewalls. For defenders, this is a win. For NSA, this is a huge PITA.
Blaming the NSA for the incredibly poor quality of Cisco code is hardly fair. Cisco failed to implement stack cookies, ASLR, code review, or basically any sort of security protectionson their firewalls! The bugs were there for the taking, and easily exploitable too. Lets lay blame where it belongs here — with Cisco’s shoddy code.
Thats Not What How Hacktivists Operate
While the “auction” seemed tongue in cheek, more like hacktivists than Russian high command, the sample documents were almost certainly real.
Bamford admits the auction is fake, and yet only a few paragraphs ago he was going on about how the tools are up for sale. Actual analysis involves weighing the evidence using various analytic techniques and then choosing the “best fit” explanation. This piece fails at that because it gives full weight to “the auction” and uses that to invalidate the “it was Russia” hypothesis. Now, it is uses the opposite argument (“the auction is tongue in cheek”) to reach the same conclusion — invalidate the “it was Russia” hypothesis. You cannot have it both ways.
Hacktivists have an agenda (the hint is in the name: hacker + activist.) A hacktivist that got their hands on a firewall ops kit (which would be an impressive feat, since that requires a lot of tracing and hacking back from a detected NSA breach), and who decided to release it (releasing US data is generally a bad idea for a hacktivist, ask Jeremy Hammond), would link the release to their agenda. That is the very reason they are “hacktivists” — to advance their agenda.
Bamford is absolutely right here, Russia has never been known for disinformation or misdirection. They are an open book. 🙄
The most valuable are “zero day” exploits, meaning there have been zero days since Windows has discovered the “crack” in their programs.
The Firewall ops kit included a number of dead bugs (even at the time of the capture.) The most valuable exploit for an operator is the one that works. Whether the vendor is aware of it or not is irrelevant.
There were no Windows exploits in the Firewall ops kit because no one sane uses Windows as their core router / firewall. Although this sentence demonstrates a fundamental ignorance of cyber security, I’ll grant Bamford the benefit of the doubt and chalk it up to misunderstanding the technical jargon and attempting to explain it to a non technical audience.
Failure To Cyber Kremlinology
The reasons given for laying the blame on Russia appear less convincing, however. “This is probably some Russian mind game, down to the bogus accent,” James A. Lewis, a computer expert at the Center for Strategic and International Studies, a Washington think tank, told the New York Times. Why the Russians would engage in such a mind game, he never explained.
A number of credible sources have made statements providing convincing reasons for laying the blame on Russia. Including people such as ex TAO operator daveaitel, and current FSB asset Snowden, among others.
If, in the middle of the DNC leaks spat, it needs to be explained why Russia would engage in this sort of “mind game” then I point at Snowden’s tweet storm. Signalling from one service to another that escalation will be messy. There are other plausible reasons as well (some mentioned above), but this should be sufficient.
Speaking of Never Explaining
Rather than the NSA hacking tools being snatched as a result of a sophisticated cyber operation by Russia or some other nation, it seems more likely that an employee stole them. Experts who have analyzed the files suspect that they date to October 2013, five months after Edward Snowden left his contractor position with the NSA and fled to Hong Kong carrying flash drives containing hundreds of thousands of pages of NSA documents.
Sophisticate Cyber Operations Are What Russia Does
A sophisticated cyber operation by Russia is, in fact, a perfectly plausible explanation for how NSA operational toolkits where found. Why this is less likely than an employee stealing them, “he never explain[s].”
Good Luck Smuggling A USB Out Post-Snowden
Five months after Snowden walked out the door with a USB drive loaded with TS//SCI data, the NSA was in lockdown. There was a witch hunt and super paranoia about people with USB drives. It was a very very bad time to be trying to steal anything from the ROC, such as a TS//SCI operational toolkit on a USB!
If, for the sake of argument, we assume that a TAO operator loaded the full kit on a non classified system for the purpose of stealing it, then we can assume that it is equally plausible someone else stole it as well. This avoids the USB drive problem, but it opens up “it could be anyone” again. So this explanation does not provide a falsification for any hypothesis.
Consisting of about 300 megabytes of code, the tools could easily and quickly be transferred to a flash drive. But unlike the catalog, the tools themselves — thousands of ones and zeros — would have been useless if leaked to a publication. This could be one reason why they have not emerged until now.
In October 2013, bringing a USB flash drive into an NSA office was, for all intents and purposes, impossible. Seriously, USB flash drives going in and out of NSA is not a thing (Snowden had special dispensation because, as a system administrator, he needed to have access to Windows drivers, etc.) Further, if anyone was found with such a prohibited item (pretty much everything electronic, including mobile phones, USB drives, laptops, etc is verboten) they would find themselves out of a job and, quite possibly, in jail. Stealing TS//SCI data is a 30 year federal sentence, and the Americans don’t mess around with people who violate espionage laws.
This sentence is simply wrong. Publishing the tools is incredibly newsworthy. If this leak was given to any journalist in the world, they would publish. If the ops kit was given to a journalist covering the cyber security beat, the vulnerabilities would have been disclosed to the vendors before the public release. There is no part of leaking the ops kit to a news organisation that is “useless.”
Bamford uses the claim that releasing the toolkit earlier would have been “useless” then says that this is why they were not released “until now.” But why they were released now, “he never explain[s].”
The Tangent To Nowhere
There follows a long section where Bamford establishes that Assange was used as a cut out to launder the DNC emails hacked by the Russians. We get it mate, we know that Wikileaks is used as a cut out to launder hacked content, that is literally the reason it exists. This section includes a long bit about the ANT catalog and why Bamford believes it came from Wikileaks. How establishing that Assange was used as a Russian cut out makes it less likely that Russia stole the ops kit (which wasn’t even leaked by Wikileaks), “he never explain[s].” I am honestly baffled.
Bamford then links Assange to Appelbaum, and pivots into bizarre conspiracy land (minus any actual conspiracy.)
The Tor project does not have “customers,” it has users. Everything is free and open source. This sentence, and others (see above), suggests Bamford has limited understanding of cyber security issues.
The victims are not “unnamed.” A number have come forward and publicly presented their stories. Just as one example, Leigh Honeywell.
Last month, the New York Times published an article regarding the findings of the Tor project’s investigation (conducted by an independent investigator)— “a seven-week investigation into the allegations involving Mr. Appelbaum determined they were accurate.”
There doesn’t seem to be more to say here. Some of the victims came forward publicly and stated their case. The independent investigation found that the allegations were true. Everything that Bamford says here is a lie by omission or just plain false. And what it has to do with the origin of the firewall ops kit, “he never explain[s].”
At about the halfway mark I can no longer stand the level of BS in the article. It has simply overwhelmed my capacity to handle “wrong!” The only thing I’ll note is that the quality of the analysis, and rhetoric, does not improve in the rest of the piece.
If there is an argument to be made that the ShadowBroker’s files were sourced from HUMINT, this article is not it.
Reuters should retract the article.
See also: ShadowBroker Breakdown, my analysis of the currently available data on the source of the firewall ops kit.
Next Story — How I Could Have Hacked Multiple Facebook Accounts
Currently Reading - How I Could Have Hacked Multiple Facebook Accounts
How I Could Have Hacked Multiple Facebook Accounts
Let’s get into the nitty-gritty. The only way you can reset your password on Facebook (if you’ve forgotten one) is through entering a 6 digit passcode. Well that’s 10⁶ = 1,000,000 possible combinations. Some algorithm which Facebook uses (that is yet to be cracked) generates seemingly a random 6 digit code whenever a person requests a password reset. That code does not change if you request it from mbasic.facebook.com until that code gets “used.” That could possibly mean that if 1 million people request a password within a short amount of time such that no one uses their code to reset the password, then 1,000,0001 person to request a code will get a passcode that someone from the batch has already been assigned.
There are 2 options here: 1) Facebook either stores duplicate codes for multiple users if more than 1 million people request a password reset code, or 2) Every user gets a unique code and Facebook uses some divine way to handle the case where 1 million+ users request a code. Since I don’t know much about the divine, I put my money on option 1.
Hence, I decided to send double the number of emails (2 million of them), hoping that some people from my 2 million will get duplicate passcodes. This is a simple application of the Pigeonhole Principle. Then all I have to do is pick a random passcode following this rule: Integers less than 100,000 have a lower probability of occurring than integers between ranges of 300,000 and 699,999 or 800,000 and 999,999, which have higher probability of occurring. Again, this isn’t the golden rule of thumb but from my testing it will help us later. So now that we have picked a random passcode, we will brute force it against our 2 million batch to check whose ID is associated with our random passcode!
The bug isn’t difficult to understand but it’s execution is tough due to its large scale.
How do you send 2 million password reset emails quickly without getting blocked?
To send emails, you first need to get access to 2 million Facebook usernames. Web scraping time!
Point 1: Facebook IDs are generally 15 digits long, so I started with 100,000,000,000,000 and started making queries to Facebook Graph API to check which IDs were valid. I was also able to get profile picture and full name on the user’s account with ease since it seems there is no rate-limiting on public data (I just did it for fun). But wait! Facebook Graph API only lets authorized apps to fetch a user’s username, doesn’t it? Yes it does. Yes it does.
All you have to do after making sure the ID is valid is visit the following link: www.facebook.com/[ID HERE] and the url automatically redirects and changes the ID to the user’s username. So I compiled all this data into a nice JSON, which I guess doesn’t hurt to publish since it’s all public anyway.
Note: Some of the profile picture urls in the JSON are invalid.
Point 2: In order to avoid getting your IP blocked from repeatedly sending requests to send password reset emails, you need rotating IPs. This means that every email request will be sent from a batch of thousands of IP addresses to simulate a normal global network flow. There are several services online that offer this feature. In my case, all network traffic went through a proxy server that listened for HTTP requests and arbitraily assigned an IP address to each request.
Point 3: You need to simulate user behavior when requesting a passcode. So we will use PhantomJS (Headless browser) and write a multithreaded script in Java that requests a passcode to every user from our JSON file. I also scraped all User Agent strings for a Chrome browser from http://www.useragentstring.com/pages/useragentstring.php?name=Chrome to assign to my PhantomJS instance.
Point 4: Got a free trail of Google Compute Engine and hosted my scripts on a virtual machine. I set up 8 VMs (12 cores/20 GB RAM) over 4 different regions and instantiated 180 PhantomJS instances per VM for full CPU utilization. Then I let all my scripts do their thang!
I could’ve created a distributed system for my VMs but time is money.
Easier Part: Brute Force Guessed Passcode Against 2 million IDs.
I then guessed a 6 digit passcode 338625 using the aforementioned rule and brute forced all users at the following url by adding the ID to the key ‘u’ and my passcode to the key ‘n’: www.beta.facebook.com/recover/password?u=…&n…
Fighting hunger worldwide. The United Nations World Food Programme is the world's largest humanitarian agency on the front lines against hunger.
Aug 183 min read
Sharing Humanity: Mohamad’s Story
Today is World Humanitarian Day, a day dedicated to recognizing the sacrifices that are made by those working for humanitarian causes. To mark the day, we’re sharing stories from our team members who work in their country of birth to help end hunger. The final in the series, this is Mohamad’s story from Syria.
My name is Mohamad. I spent my childhood in Damascus, the Syrian capital, and my dream then was to become a famous footballer. I joined the World Food Programme in 2006, as a field monitor and am now the head of our office in Homs. Homs has suffered more than any place in Syria. Half the city has been destroyed and hundreds of thousands of people have had to flee to safer areas.
Access is always our biggest challenge. We can have all the resources in our warehouses and all the plans and logistics in place — but we still can’t reach all the people in need because of ongoing fighting and sieges by parties to the conflict. Mortars, car bombs and other explosive devices are always a threat. As a matter of fact, I can hear the sound of explosions now.
The most difficult moment since joining the World Food Programme was when we were taken prisoner by an extremist group, along with 16 other UN colleagues. We were returning from a cross-line mission to one of the besieged areas. We had just delivered food and non-food assistance to almost 70,000 people who had not been reached for 10 months. Luckily, after two hours, the entire team was released unharmed. But to suddenly find ourselves in a life-or-death situation was a shock I will never forget.
Speaking the language and respecting the traditions helps cut through barriers with local people and earn their trust. For example, once we were at a government checkpoint with food and non-food items waiting to cross the line to an opposition-held area in countryside north of Homs. A soldier was very upset with the UN team and screamed at us that we were delivering supplies to the people who had killed his brother.
First, I conveyed condolences to him in the local traditional way. Then, I explained to him that were trying to reach innocent civilians stuck in the middle of the fight — among them women, children and the elderly — and that they deserved to receive relief items. The soldier calmed down and eventually allowed the humanitarian supplies to go through.
My wife and 13-year-old son have lived with me for the last two years in Homs, since the security situation calmed down enough to permit them to come. My 19-year-old daughter currently studies in the US. They are all doing great, but every time an explosion happens, I fear for my son — whether he is in school or outside. Just last week, he ran home, terrified by an explosion near the place where he and his friends were playing football. The worst part is that people in Homs consider this a “routine” incident. The questions that usually follow are: where and how many dead?
Frankly speaking, the stress and pressure over the last five long years of conflict have taken their toll on my physical shape. I try my best to sleep, eat well and stay positive. I focus my thoughts on what I believe deep down: that no matter how long the crisis, this madness will eventually come to an end and people will start living together as before. I realize the great responsibility we at WFP hold: people need us and we have to stay strong for them. #ShareHumanity