Antenna of Freedom and XtraNotes
Friday, 01 April 2011
The collection of information via intelligence appliances, with the aid of modern technical procurement
operations, is one of the essential tasks of TRON-DELTA.ORG. This article exemplifies intelligence gathering and
dependent counter-intelligence procedures.
The continuous search for new technologies is therefore one of the first important steps in that context. During that search our organization regularly makes use of a large amounts of diverse information sources, including thousands of RSS feeds, newsletters and forums of various websites [1]. Also, different information search systems, mainly in the form of specific person, image, or metasearch engines, are taken into account. Using these machines includes inter alia looking for a number of key words in various combinations, and using search engine compatible queries, with logical conjunctions and Boolean operators. During a search commenced, members of staff found an article, on the right-wing website "Politically Incorrect", which primarily focuses on political issues.
The continuous search for new technologies is therefore one of the first important steps in that context. During that search our organization regularly makes use of a large amounts of diverse information sources, including thousands of RSS feeds, newsletters and forums of various websites [1]. Also, different information search systems, mainly in the form of specific person, image, or metasearch engines, are taken into account. Using these machines includes inter alia looking for a number of key words in various combinations, and using search engine compatible queries, with logical conjunctions and Boolean operators. During a search commenced, members of staff found an article, on the right-wing website "Politically Incorrect", which primarily focuses on political issues.
Regardless of the political content of this magazine, which is not relevant for our organization nor was it for
this research, the article "Plugin-weapon against one-sided reporting" with the keyword combination
"reporting", "antenna", "plugin", "information" and "verify" aroused our
attention. This combination is quite unique, and for that reason more than 40 days passed from the date when the
article went online until our systems actually revealed it. In that course we were able to find even more sources
on that topic, such as those of the online magazine "Blue Narcissus", which contained an article, about
the yet unknown technology, called "Plagiarism warning! The digital weapon against one-sided reporting".
Both articles contained a reference on the website "Antenna of Freedom", which was then subjected to
scrutiny as a result. "Antenna of Freedom" can be downloaded from the creators' official website
[2].
Through the "Install Now" tab, a Firefox plugin along with a brief guide for installation, plus an installation recommendation, was visible to its users. The functionality of that plugin was already known to us, due to the the aforementioned articles. Interesting in that context was a first explicit indication that the plugin, apparently responsible for the aggregation of content, can be downloaded and used without registration or login, in an anonymous and free manner. One paragraph expressly stated: "Also no IP addresses will be captured or saved. No one, including the participating blogs, has information on the number of users or user behavior". This was surprising, considering the fact that the link tinyurl.com/6jsho9h with parameter "psn=123456" refered to the plugin on xtranotes.com [3]. The procedure itself is usual when users should not be given any direct information about the target of a hyperlink.
Another search for "xtranotes" lead to Layers4Web GmbH in Heidelberg, Germany. In stark contrast to the statement on "Antenna of Freedom", author and CEO Friedrich-Wilhelm Uthe of Layers4Web GmbH required users to register with the service on xtranotes.com. From the perspective of a potential user a lot of data was being collected, such as Name, address, zip code, city and state, without which a download and subsequent use of the plugin did not seem to be possible. It clearly appeared to be about revealing the full identity of a person, which in principle would have been possible already, even with a reduced number of unique attributes requested.
As a part of further investigation, two members of our organization had put the Firefox plugin "XtraNotes" to a more accurate code analysis. The contents of the file with the extension .xpi were unzipped, like this can be done with an archive type of the extension .zip, and then unpacked via "jar xf /xtranotes.jar" in a final step [4]. Within the subdirectory "chrome/content/scripts" the file "xtranotes.js" resided, which was actually the core file of the plugin. In a series of string analyzes (e.g. "server", "send", "get", "onnect", "auth-token", "asswor", "this.execute", "SERVICE", "xtranotes.de", "es.de", "http", "es.com", "er.address", etc.), cross-comparisons, substitutions and other code-audit methods, about 2780 lines of code within the "./scripts" directory were finally evaluated.
The result was in fact not a surprise to our analysts. In several sections of the core scripts, connections to the main server of Layers4Web GmbH were ment to be established [5]. Without going too much into technical details, the main problem of "XtraNotes" in essence is, that one can create complete user profiles from both, the operator side and also on the side of the participating websites. From the operator's point of view this is possible, because by the call of the plugin's base functions (e.g. "CMD_LOAD_PAGE_INFO", "CMD_LOGIN", "CMD_NOTIFY_NOTE_VIEWED", etc.), the transfer of various amounts of data takes place within persistent sessions. This, of course happens while the registration data that resides within the plugin's configuration is loaded. Even in the case of use without prior registration on xtranotes.com, such as recommended by "Antenna of Freedom", any given participating website could still create user profiles, though semi-anonymously only.
In any case, such tracking of user activity would also be possible, by analyzing the referrer (RFC 2616) with the help of web server log files or, simply by the use of so-called "evercookies" [6]. In both cases the creation of considerable user profiles would be possible. From the perspective of an intelligence organization like TRON-DELTA.ORG, such or similar technology would be quite useful for our adversaries, in addition to the tools and methods they already use.
Through the "Install Now" tab, a Firefox plugin along with a brief guide for installation, plus an installation recommendation, was visible to its users. The functionality of that plugin was already known to us, due to the the aforementioned articles. Interesting in that context was a first explicit indication that the plugin, apparently responsible for the aggregation of content, can be downloaded and used without registration or login, in an anonymous and free manner. One paragraph expressly stated: "Also no IP addresses will be captured or saved. No one, including the participating blogs, has information on the number of users or user behavior". This was surprising, considering the fact that the link tinyurl.com/6jsho9h with parameter "psn=123456" refered to the plugin on xtranotes.com [3]. The procedure itself is usual when users should not be given any direct information about the target of a hyperlink.
Another search for "xtranotes" lead to Layers4Web GmbH in Heidelberg, Germany. In stark contrast to the statement on "Antenna of Freedom", author and CEO Friedrich-Wilhelm Uthe of Layers4Web GmbH required users to register with the service on xtranotes.com. From the perspective of a potential user a lot of data was being collected, such as Name, address, zip code, city and state, without which a download and subsequent use of the plugin did not seem to be possible. It clearly appeared to be about revealing the full identity of a person, which in principle would have been possible already, even with a reduced number of unique attributes requested.
As a part of further investigation, two members of our organization had put the Firefox plugin "XtraNotes" to a more accurate code analysis. The contents of the file with the extension .xpi were unzipped, like this can be done with an archive type of the extension .zip, and then unpacked via "jar xf /xtranotes.jar" in a final step [4]. Within the subdirectory "chrome/content/scripts" the file "xtranotes.js" resided, which was actually the core file of the plugin. In a series of string analyzes (e.g. "server", "send", "get", "onnect", "auth-token", "asswor", "this.execute", "SERVICE", "xtranotes.de", "es.de", "http", "es.com", "er.address", etc.), cross-comparisons, substitutions and other code-audit methods, about 2780 lines of code within the "./scripts" directory were finally evaluated.
The result was in fact not a surprise to our analysts. In several sections of the core scripts, connections to the main server of Layers4Web GmbH were ment to be established [5]. Without going too much into technical details, the main problem of "XtraNotes" in essence is, that one can create complete user profiles from both, the operator side and also on the side of the participating websites. From the operator's point of view this is possible, because by the call of the plugin's base functions (e.g. "CMD_LOAD_PAGE_INFO", "CMD_LOGIN", "CMD_NOTIFY_NOTE_VIEWED", etc.), the transfer of various amounts of data takes place within persistent sessions. This, of course happens while the registration data that resides within the plugin's configuration is loaded. Even in the case of use without prior registration on xtranotes.com, such as recommended by "Antenna of Freedom", any given participating website could still create user profiles, though semi-anonymously only.
In any case, such tracking of user activity would also be possible, by analyzing the referrer (RFC 2616) with the help of web server log files or, simply by the use of so-called "evercookies" [6]. In both cases the creation of considerable user profiles would be possible. From the perspective of an intelligence organization like TRON-DELTA.ORG, such or similar technology would be quite useful for our adversaries, in addition to the tools and methods they already use.
References:
- ↟ "Yahoo Pipes: Rewire the web"↗. Yahoo! Inc. / P. Sadri, E. Ho, J. Trevor, K. Cheng and D. Raffel. Retrieved 01 April 2011.
- ↟ "Antenne-der-Freiheit | The digital weapon against biased media coverages"↗. AdF. Retrieved 01 April 2011.
- ↟ "L4w / XtraNotes - Download [download-x-plugin (PSN: 123456)]"↗. xtranotes.com / F. Uthe, et al. Retrieved 01 April 2011.
- ↟ "Mozilla DN | Structure of an installable bundle"↗. Mozilla Developer Network & individual contributors. Retrieved 01 April 2011.
- ↟ "Domaintools - WHOIS, DNS, & Domain Info for XTraNotes.com"↗. DomainTools / J. Westerdal. Retrieved 01 April 2011.
- ↟ "RFC 2616 - Hypertext Transfer Protocol (HTTP)"↗. Association Management Solutions, LLC. / IETF®. Retrieved 01 April 2011.
Last Updated (Monday, 01 January 2018)
