>>1597307 (lb - how vpn filter works)
ah! i see.
so it's not that a "program" or "malicious code" is embedded in the picture at all.
one of the EXIF fields is used to supply data to the compromised router. it is a trigger - an out-of-band signalling component.
clever. i'm going to look into which EXIF fields it's talking about - or do you have that handy?
baker
my post 1596755 was a slight misfire. here's the collection of images WITH the transformer connection. thanks!
Morris/Gwendolyn Cafritz were the originals, from Lithuania. Morris' brother was Edward.
Pam Cafritz (Raniere's lover) was Edward's granddaughter. She and her brother Charles C. Sandy Wilkes are both 'First Cousins Once Removed' from Calvin Cafritz, again pictured here with Heather Podesta.
Raniere - Pam Cafritz - Calvin Cafritz - Podesta
Raniere - Pam - Charles - Pryor - Podesta
Raniere - Pam/Charles - Calvin - Alefantis
if you dig into the Cafritz family at all, they immediately start connecting to orphanages, children's support networks, at-risk kids…they touch the lives of many young people. there is clearly a known connection between the cafritz/alefantis/podesta families…what is new here, over the last few days is HOW that connects to Raniere/NXIVM.
(also replied at >>1597324 )
ah! i see.
so it's not that a "program" or "malicious code" is embedded in the picture at all.
one of the EXIF fields is used to supply data to the compromised router. it is a trigger - an out-of-band signalling component.
clever. i'm going to look into which EXIF fields it's talking about - or do you have that handy?
luckily, i work for free so EVERYTHING is above my paygrade.
here's an archive of an analysis:
http:// archive.is/72EL0
basically, an infected device will grab a picture from a specific photobucket page or from a hard-coded domain. the GPS coordinates in that picture can be converted to an IP, which points the device to another location for further commands.
it's like DNS, in a sense, through EXIF. pretty neat in that it'd be hard to detect/stop if you were a network admin. i know how to block rogue DNS requests, or compromised nodes…but if a compromised device is resolving addresses through a non-conventional method, good luck.
oh, my archive link broke.
here's the actual link:
https:// securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/
it's kaspersky, though - so don't trust it if you don't want to.
all three are iphones, for one thing, that jumped out at me the first time we saw it.
the frustration i read into the insistence, coupled with my own goofy feeling of i know i'm missing something and when it clicks i'm going to feel really dumb…it's something i'm used to.
i'll get it, i know i will.
i sense strongly that the one 'map' image posted on 4ch, after which q said "confirmed" is "the key" for more than just information, or more than just what it says on its face. the shape of it, the position of specific elements, something about that graphic was key.
oh look, i have that file right here.
i'm playing around with the two "confirmed" graphics from Q. making the smaller one transparent and lining it up at various points throughout. leads to some - interesting alignments but nothing conclusive.
have you guys done this, or are you aware of any other efforts to fit the two together somehow?
it's clear to me that Q called out those two files, i just feel like i'm missing something so obvious.
(for instance)
i have a long two days ahead of me. i have things to do for people whom i love, and i won't be back on this effort until…monday?
everyone take care.
love all of you.
(i didn't adjust any resolutions - this is a direct overlay at 50%)