Forum Shill gets Busted: ATS and GLP Censor to Cover his Tracks

A Forum Shill gets busted. Something very interesting happened over at GLP on March 24th at 9:28 pm, something that did not go unnoticed by GLP posters and many others around the interwebz. On page 7 of a thread titled “Medical Type Says Sandy Hook is Total BS”, a user from “Kazakhstan” posted the following:

Re: Medical Type Says Sandy Hook is Total Bullshit

[0x1a970000, 0x1ab00000, 0x27570000>

[rdpclip.exe, "iostatZd15.1"]



you copied a large amount of data onto the clipboard ...Do you want to save this data on the clipboard?

User ID: 35850666 Korea

User ID: 36689081 Korea

User ID: 33951304 Kazak

User ID: 36809983 Kazak

N.C.S. logo.jpg

//SECRET

C:\\SharePoint012\USNCSSAD_Wrk\c9\inet-N-7339.txt

**********************************

REMINDERS —— NOTES

**********************************

Sensitivity Level

Action Code

Team 5.A/

SITE

Location of official Agency folder

None NPRC

Team Contact

Sheila N******

CHECKLIST

Do any of the respondents display the urge to supply information that could be helpful to your mission?

Do the respondents appear hostile to your attempts to steer the discussion?

Have you made a personal chart taking care to note who appear to be the “leaders” versus who appear to be the “followers”?

Have you attempted to gauge the “temperature” of the forum’s users?

In other words, the prevailing social psychology of the forum’s members?

Have you been more successful with one or the other XStart methods that were demonstrated in N-7015A.DOC?

Have more technical members (Computer Programmers, Administrators, or Moderators) of the forum deduced or accused you of hiding behind a proxy?

Would you gain more trust and/or credibility if you were to use one of the Agency’s allotted “HOME” pools? (most often needed when handling EVTS that are more sensitive to the pop. of a specific locale but also location centered web sites such as FB or Patch)

Has your PREDEV “persona” been successful or do you gauge that the users find you to be too obtrusive? Accusations of being “ever present” are.

Quote by member: Our “korean” friend is probably part of the Sandy Hoax team. I’m guessing he is one of the many Israeli firsters we have seen so many of in SH. But he is not really helping his employer that much. His presence and views in different topics work as a litmus test telling if the OP is on to something or not. I bet one million shekels that he wouldn’t show up in a thread about Lt Vance shapeshifting… But he’s probably a nice guy doing what he thinks is the right thing.


Needless to say, suspicions were aroused and specific terms in the text were Googled, namely N-7015A.DOC, PREDEV persona, etc. An early search for N-7015A.DOC resulted in this entry:

Second from the bottom we see eda.ogden.disa.mil. If you do the same search, only the forum references appear. The eda site was very quickly removed from the Google string. How very very interesting…

Notes by Kennedy:

A search for N-7015A.DOC still gives me the result for the EDA website. Update: As of 3/29/13 I’m unable to reproduce the Google search result for the document on the eda.ogden.mil website. ATS has deleted the screenshots of the Google results, which were posted on page 2 in the thread.

UPDATE: We received referrals from the 4Chan community yesterday, and it seems the shills are very active over there too. A 4chan member made a post about the Jewish Internet Defense Force (JIDF) after the Boston Bombing. He was immediately trolled by shills.

The Jewish Internet Defense Force (JIDF) is a private, independent, non-violent protest organization representing a collective of activists, operating under the name “Jewish Internet Defense Force” since the 2008 massacre at the Mercaz HaRav Yeshiva in Jerusalem.

We’re on the cutting edge of pro-Israel digital online advocacy, presenting news, viewpoints, and information throughout a large network reaching hundreds of thousands via email, Facebook, YouTube, RSS feeds, Twitter, and other digital hubs to those who share our concerns for Israel and about antisemitic and jihadist online content.

Our ACTION ALERTS are now well known throughout the Jewish and Israel advocacy world, and by our many enemies, as they have led to the removal of thousands of antisemitic and jihadist pages online. (JIDF)

The shill had a copy fail just like our Korean friend on GLP. He deleted his mistake quickly, but a screenshot and link back to this article were quickly posted 🙂


You can see the same method. The program he uses has a couple of fake accounts that he uses for his shill copy-and-paste jobs.

We have a lot of visits from the Reddit community today, and from a private subreddit 🙂 Thanks Folks! Please spread the word. These paid government shills are all over the interwebs, trying to stir our opinions and discussion. #noshills!!

UPDATE – Explained by folks at Lunaticoutpost

rdpclip.exe is the process that handles copy/paste & file copy transactions for terminal services during a REMOTE DESKTOP session. A few of you have questioned how the two text groups can be combined. rdpclip caches both clear-text and file copy data on each end during the transaction (the remote desktop server & client). After it completes the transaction, I think rdpclip calls a method (iostatZd15.1) to clear its cache for the next job. This, however, didn’t happen, so the rdpclip cache was still populated with 1) the error message and 2) the text content of the file that it was downloading for the client from Sharepoint cloud (C:\\SharePoint012\USNCSSAD_Wrk\c9\inet-N-7339.txt).

Next, the handler was probably using the remote server as its bot host to interact with the website it was posting to. If the handler (either manually or automatically) pasted the thread reply and hit “post”, the rdpclip process on the server was populated with not only the text reply for the thread, but also the existing data artifacts that were not successfully purged earlier. That explains how the error message, the .txt file (with the checklist) and the text reply got sent to the website as the reply from “Korea guy” (bot).

Summary:

1. We know the handler uses Remote Desktop to connect to the bot machine

2. We know the handler uses Remote Desktop to connect to Sharepoint cloud

3. We know that something broke rdpclip.exe during a transaction (evidenced by the windows exception stack values, header, and the warning dialogue)

4. We know that the rdpclip cache was not properly purged, and the error message was amalgamated with the contents of the last file copy job (the .txt file), and subsequently the text payload including quoted text and reply text.

EDIT: iostatZd15.1 is not a method, but a return from IOSTAT, in this case, when rdpclip ran out of room on the clipboard during a transaction, most likely a copy job via remote desktop as hypothesized above. I need to do more research on rdpclip.

The actual error which occurred appears to be a known one involving Remote Desktop Protocol v5.1, since fixed in RDP v6, that involves something known as the “clipboard viewer chain”.

It is an error that dates back to (at least) Windows 2000.

The actual bug surfaces because of the way the clipboard viewer chain (hereafter abbreviated to CBVC) is managed internally by Windows.

The CBVC is basically a Linked list.

This list of clipboard viewers is global, and each application shares it. Windows, however, only maintains a reference pointer to the first member of the list, and it is expected that each application, if interested in being made aware of changes in the state of clipboard, first register with the system. Registering adds that application’s viewer to the global chain. Each CBVC member must maintain a reference pointer to the next member in the chain (why I emphasized this will be clear momentarily, if it is not already…).

Windows sends notification of clipboard changes by sending the WM_DRAWCLIPBOARD message to the 1st member in the CBVC, whose pointer, remember, is maintained by Windows. This member has to deal with the event and pass it along to the next member in the list whose pointer it maintains, and so on and so forth.

So the simplest explanation of the bug, would also be the most obvious:

having each separate application sharing the responsibility of managing the pointers to an OS-level operation (the clipboard), is a really stupid and byzantine implementation.

The following paragraphs, found here, are a typical use case for the manifestation of the type of failure we seem to be dealing with:

———>

I use Remote Desktop all the time to work inside of my development systems hosted by Microsoft Virtual Server. I use the host system to browse the web for documentation and searches as I work and when I need to copy some text from the web browser I find many times the link between the host clipboard and the remote clipboard is broken. In the past I have read that somehow the remote clipboard utility, rdpclip.exe, gets locked and no longer allows the clipboard to be relayed between the host and the client environment. My only way to deal with it was to use the internet clipboard, cl1p.net. I would create my own space and use it to send content between environments. But that is a cumbersome step if you are doing it frequently.

The only way I really knew to fix the clipboard transfer was to close my session and restart it. That meant closing the tools I was using like Visual Studio, Management Studio and the other ancillary processes I have running as I work and then restarting all of it just to restore the clipboard. But today I found a good link on the Terminal Services Blog explaining what is really happening. The clipboard viewer chain is somehow becoming unresponsive on the local or remote system and events on the clipboards are not being relayed between systems. It is not necessarily a lock being put in place but some sort of failed data transmission. It then goes on to explain the 2 steps you can take to restore the clipboard without restarting your session.

Use Task Manager to kill the rdpclip.exe process

Run rdpclip.exe to restart it

———————————-

Kennedy Ray

****End Update
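The clipboard viewer chain described in the update above can be modelled in portable C. This is an added example, not code from the original post or from Windows: every name in it (`viewer`, `register_viewer`, `clipboard_changed`, `relay_notifications`) is hypothetical, and it assumes only what the text states, that the OS notifies the first member and each member must forward to the next. Treating a restart of the relay as a fresh registration at the head of the chain is an assumption of the model.

```c
/* Portable model of the clipboard viewer chain; not Win32 code.
 * All names are hypothetical and only mirror the roles of
 * SetClipboardViewer and WM_DRAWCLIPBOARD. */
#include <stdio.h>
#include <stddef.h>

typedef struct viewer {
    struct viewer *next; /* each member keeps its own pointer to the next one */
    int forwards;        /* 0 = member receives the message but never passes it on */
    int notified;        /* number of change notifications this member has seen */
} viewer;

static viewer *chain_head; /* the OS only remembers the first member */

/* Role of SetClipboardViewer: the newcomer becomes the head and is handed
 * the previous head, which it must store and forward to. */
static void register_viewer(viewer *v, int forwards) {
    v->forwards = forwards;
    v->notified = 0;
    v->next = chain_head;
    chain_head = v;
}

/* Role of WM_DRAWCLIPBOARD: the OS notifies the head only; delivery to
 * everyone else depends on each member forwarding in turn. */
static void clipboard_changed(void) {
    for (viewer *v = chain_head; v != NULL; v = v->next) {
        v->notified++;
        if (!v->forwards)
            break; /* chain is cut here: later members hear nothing */
    }
}

/* Builds monitor -> editor -> relay, fires `changes` clipboard updates and
 * returns how many reached the relay (the member standing in for rdpclip). */
static int relay_notifications(int editor_forwards, int changes) {
    static viewer relay, editor, monitor;
    chain_head = NULL;
    register_viewer(&relay, 1);   /* registered first, so it ends up last */
    register_viewer(&editor, editor_forwards);
    register_viewer(&monitor, 1);
    for (int i = 0; i < changes; i++)
        clipboard_changed();
    return relay.notified;
}

/* Same broken chain, but the relay is restarted after the first change:
 * the new instance registers at the head, ahead of the broken member. */
static int relay_notifications_after_restart(int changes) {
    static viewer restarted;
    int before = relay_notifications(0, 1); /* broken editor: relay sees 0 */
    register_viewer(&restarted, 1);
    for (int i = 0; i < changes; i++)
        clipboard_changed();
    return before + restarted.notified;
}

int main(void) {
    printf("healthy chain:   relay saw %d of 3\n", relay_notifications(1, 3));
    printf("editor drops it: relay saw %d of 3\n", relay_notifications(0, 3));
    printf("after restart:   relay saw %d of 3\n", relay_notifications_after_restart(3));
    return 0;
}
```

In this model one member that stops forwarding silences every member behind it, and re-registering the relay puts it ahead of the broken member again.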

We have highlighted certain abbreviations in the shill copy fail. Below you can view our findings:

NCS = National Clandestine Services

The National Clandestine Service (NCS) (known as the Directorate of Plans from 1951 to 1973 and as the Directorate of Operations from 1973 to 2005) is one of the Central Intelligence Agency’s four main components.

Created in 2005, the NCS “serves as the clandestine arm of the Central Intelligence Agency (CIA) and the national authority for the coordination, de-confliction, and evaluation of clandestine operations across the Intelligence Community of the United States”.

SAD = Special Activities Division

The Special Activities Division (SAD) is a division in the United States Central Intelligence Agency’s (CIA) National Clandestine Service (NCS) responsible for covert operations known as “special activities”. Within SAD there are two separate groups, one for tactical paramilitary operations and another for covert political action.[1] The Political Action Group within SAD is responsible for covert activities related to political influence, psychological and economic warfare. The rapid development of technology has added cyberwarfare to their mission. Tactical units within SAD are also capable of carrying out covert political action. A large covert operation usually has components that involve many, or all, of these categories, as well as paramilitary operations.

Shills are all over the Sandy Hook story, and have been from the outset. ATS censored Sandy Hook threads and deleted them with impunity. That story was covered in more detail here.

On GLP, the threads that were started regarding the shill were deleted immediately; only traces of quotes from the original post remain.

A thread about the shill post was started on ATS and it was deleted the following day. You can access a cached version of the first page of that thread here.

This seems to be a peek behind the curtain of the shadowy world of counterintelligence operations employed to stymie the efforts of people who are quite rightly searching for the truth of the Sandy Hook debacle. ATS once again implicates itself in the cover-up of an important event that threatens to lead to further erosion of rights and freedoms of the American people.

How do the individuals working for clandestine services rationalize their efforts to hide the truth from the people? Is it just a paycheck? Do they have the same disdain for ordinary citizens that the elites have displayed? Do they feel that they are part of the elite, and must protect the interests of the elites in favor of all else? Just following orders?

The ship has too many leaks at this point. It is damage control mode 24/7 for these operators and I’m hoping that an attack of conscience might grip one or more of them. I won’t hold my breath, but it happens.

UPDATE

Vocabulary: HUMINT (Human Intelligence)

Human Intelligence (frequently abbreviated HUMINT) is intelligence gathered by means of interpersonal contact, as opposed to the more technical intelligence gathering disciplines such as Signals Intelligence, Imagery Intelligence and MASINT. NATO defines HUMINT as “a category of intelligence derived from information collected and provided by human sources.” Typical HUMINT activities consist of interrogations and conversations with persons having access to information.

Displaying the missing image:

N.C.S. logo.jpg

Alphabet Soup Letters on text code:

“USNCSSAD”

US Geolocation of the operatives: The United States of America (USA or U.S.A.), commonly called the United States (US or U.S.) and America, is a federal republic[10][11] consisting of fifty states and a federal district as well as several territories with differing degrees of autonomy.[4] The country is situated mostly in central North America, where its forty-eight contiguous states and Washington, D.C., the capital district, lie between the Pacific and Atlantic Oceans, bordered by Canada to the north and Mexico to the south.

NCS (National Clandestine Service)

The NCS consists of six different types of officers:

For a more detailed description, visit the CIA website.

1) Operations Officers:

Operations Officers (OOs) are focused full time on clandestinely spotting, assessing, developing, recruiting, and handling individuals with access to vital foreign intelligence on the full range of national security issues.

2) Collection Management Officers:

Core Collector-certified Collection Management Officers (CMOs) oversee and facilitate the collection, evaluation, classification, and dissemination of foreign intelligence developed from clandestine sources. CMOs play a critical role in ensuring that foreign intelligence collected by clandestine sources is relevant, timely, and addresses the highest foreign policy and national security needs of the nation.

3) Staff Operations Officers:

Based out of CIA Headquarters in Washington, DC, Staff Operations Officers (SOOs) plan, guide and support intelligence collection operations, counterintelligence activities and covert action programs.

4) Targeting Officers:

Officers in this career track will directly support and drive complex worldwide NCS operations to develop actionable intelligence against the highest priority threats to U.S. national security.

5) Paramilitary Operations Officers:

Paramilitary operations officers are chosen mainly from the ranks of U.S. special operations forces.[9] SAD operatives are the most specialized because they combine the best special operations and clandestine intelligence capabilities in one individual. They operate in any environment (sea, air, or ground), with limited to no support. They originate in the SAD’s Special Operations Group (SOG), considered one of the most elite special operations units in the world.[20] Paramilitary operations officers are the primary recipients of the coveted Distinguished Intelligence Cross and the Intelligence Star, the CIA’s two highest medals for valor. Not surprisingly, the majority of those memorialized on the Wall of Honor at the CIA’s headquarters were covert operatives.

6) NCS Language Officers

Performing a critical and dynamic function within the NCS, the Language Officer applies advanced foreign language skills, experience, and expertise to provide high-quality translation, interpretation, and language-related support for a variety of NCS clandestine operations.

SAD (Special Activities Division)

is a division in the United States Central Intelligence Agency’s (CIA) National Clandestine Service (NCS) responsible for covert operations known as “special activities”. Within SAD there are two separate groups, one for tactical paramilitary operations and another for covert political action. The Political Action Group within SAD is responsible for covert activities related to political influence, psychological and economic warfare. The rapid development of technology has added cyberwarfare to their mission. Tactical units within SAD are also capable of carrying out covert political action. A large covert operation usually has components that involve many, or all, of these categories, as well as paramilitary operations.

Propaganda includes: leaflets, newspapers, magazines, books, radio, and television, all of which are geared to convey the U.S. message appropriate to the region. These techniques have expanded to cover the internet as well. They may employ officers to work as journalists, recruit agents of influence, operate media platforms, plant certain stories or information in places it is hoped it will come to public attention, or seek to deny and/or discredit information that is public knowledge. In all such propaganda efforts, “black” operations denote those in which the audience is to be kept ignorant of the source; “white” efforts are those in which the originator openly acknowledges himself; and “gray” operations are those in which the source is partly but not fully acknowledged.

Notes:

Thanks to recall15 of the Golden Thread Forum.

HUMINT Wiki

Special Activities Division – Wiki

UPDATE 4/30/13

In case you were not sold on the idea that Facebook is data mining, here’s this:

In-Q-Tel, the investment arm of the CIA and the wider intelligence community, is putting cash into Visible Technologies, a software firm that specializes in monitoring social media. It’s part of a larger movement within the spy services to get better at using “open source intelligence” – information that’s publicly available, but often hidden in the flood of TV shows, newspaper articles, blog posts, online videos and radio reports generated every day.

“CIA Admits Full Monitoring of Facebook and other Social Networks”

source

Pilot