adn37's comments

> The first red arrow on the chart points to April 25th, 2019: the announcement of the OAG’s investigation. Notice how, as the investigation progresses, the issuance rate of Tether begins to rise — initially in large single blocks, of around $1B, every few months.

The below is an analysis of printed tethers vs known institutional buyers for 2020. I find a ratio of 4 to 1.

Tether market cap for 2020: march: 4.6B$, april: 6.3B$, may 8.8B$, july: 9.9B$, 29August: 10B$, 1stSept: 13B$, 28Sept: 15B$, Jan21: 24B$

Compared to known institutional buyers:

Grayscale: march: 500M$, april: 600M$, may: 1B$, july: 1.4B$, 31August: 1.8B$ (approx), 28Sept: 2B$

Microstrategy: 1.1B$ average price (august to september, as per https://bitcointreasuries.org/)

Difference: between march-september 2020, Tether printed 10B$ while the biggest known institutional buyers spent 2.6B$ (grayscale+microstrategy=1.5B$+1.1B$=2.6B$)

That is to say, Tether prints appear to be 4 times the big buyers amount.

ref for grayscale buy amounts: https://hackernoon.com/grayscales-gbtc-pump-effect-means-202...

I was curious about the technique used under the hood, so I decided to have a closer look.

-- What it does to intercept network trafic:

1/ The app spawns an android (java) service that, that performs the following as root when it starts:

# echo 1 > /proc/sys/net/ipv4/ip_forward

# iptables -t nat -I POSTROUTING -s 0/0 -j MASQUERADE

# iptables -t nat -I OUTPUT -j DNAT -p tcp --dport 1337 --to 127.0.0.1

# iptables -t nat -I PREROUTING -j DNAT -p tcp --dport 1337 --to xxxunclearherexxx

My understanding is that it redirects outgoing packets (targetted at port 1337) to loopback, where the native daemon listens (2/)

This is not visible in the video, but when the user clicks to use a caught Facebook profile, it seems to trigger an android Intent to actually go to Facebook on port 1337 instead of 80, so it gets caught by the iptables hook.

2/ It then execs the faceniff binary to go native (unpacked from resources) with some params (stealth/passive mode, license check), and polls its status every 1s.

-- Native part: I believe it handles most of the logic. Looking at the strings contained, it seems to deal with libpcap to intercept and forge headers on the fly.

Some interesting strings: libpcap version 0.9.8

new user found but the app is locked!

Unable to find ssid in cookies [%s]

HTTP/1.1 200 OK Content-Type: text/html Connection: close

Set-Cookie: %s=%s; expires=Fri, 14-Jul-2017 04:40:00 GMT; path=/; domain=.%s

<meta http-equiv='refresh' content='0;http://%s/>;

HTTP/1.1 200 OK Content-Type: text/html Connection: close

Date: Wed, 02 Feb 2011 01:51:18 GMT

<li><a href='http://%s:1337/%s>%s</a></li>;

client asking for: [%s]

Technically speaking, this is interesting. Please feel free to add info if you are familiar with the technique.

Developers have to come a long way to build an user base and good ratings, so it would have been fair to give a warning notice prior to removing the app, ihmo.

(speaking as an Android app dev; and yes it is too intrusive)

Care to elaborate please? (FIX engine?)

Indeed, thanks.

Also, about publishing eCPM/fill rate/CTR: as interesting as it is, it might be a problem regarding Admob's terms of service.

Link to pdf (better quality, no notes): http://ki.se/content/1/c6/06/45/23/Sarasvathy.pdf

Thanks!

Code injection (SetWindowsHookEx, WH_CBT) and API hooking allows to filter out other programs requesting topmost display.

But this is intrusive. And it can be bypassed by other vendors, whether they workaround it by using other APIs/tricks or unhook their own process' APIs at runtime themselves.

As said here in this thread, the only way to ensure full control is to patch the kernel (Window management related syscalls). And even there it's tricky to be exhaustive.

VM is the safe way to go.

Indeed.

I am speechless because they (started?) monetize going after the 'bad guys', while they have been publishing grey/black hat stuff on Rootkit.com for many years.

The trust is gone.

The most astonishing info here is that this is HBGary that is involved.

Come on, we are talking about the rootkit.com guys. Not taking side is one thing, taking the opposite side is a completely different one.

Pretty much everything I learned for fun about rootkits, I learned it thanks to these guys.

I am speechless.

Adding code samples (java & layouts) would be even more awesome. Very interesting, still.

Attacker sits at network / ISP level, and can therefore inject any (js, ...) payload in non-https web pages, on the fly.

> We've also developed our own Django-like templating system for Java

Any chance you could list viable alternatives, please? (I'm considering GAE/Java). Thanks for this interesting thread.

I used to do that at work with a software timer. Sprints of 20 to 40. The thing is, you still need to pace yourself.

I do agree. Some people have referrer turned off, but afaik, they are the minority and this should do the trick. Google surely though about it.

This also works the other way. If you rely on FB assets (images, ...), they can shut your access down immediately the very same way. Can't say I like it.

The true mistake is the one you do not correct.

Testing and code review should give you the opportunity to do so, among others. Also, there's always a trade off between bullet proof and time to market.

I'd love to use such a service, but for free. Ex: you get karma by giving your A/B preference, that you can then spend later in getting feedback yourself.

Would anybody know how to download them? (apart from 1x recording) I'd like to listen/view them while I'm in the subway, as they are pretty long.

I've been using CakePhp for about 3 years, on sideprojects.

Planning to learn a Java/Scala based 'equivalent'.

More info on the technical side would have been far more interesting, ihmo.

command control system implementation, software stack, coupling the capta with a captcha filling service...

(I do not support this kind of scheme)

Insightful, thanks. Please drop us a thread/article in a few months, so we may see the sales curve.