
Hi everyone - the team here at Recorded Future looked into this and dug into our logs to confirm what happened.

Our systems followed this URL after it was posted on a public site. Our system constantly explores links published on the web. We've checked our logs and confirmed that this is what happened in this specific case. It's not related to any Facebook chat messages containing this link. Our system doesn't access that information.




> Hi Andreas - I'm not saying it was posted publicly by you or someone in the Bosnadev team. Please contact me directly (matt at recordedfuture dot com) and I will share more details with you.

You left this comment on Bosnadev's blog. Mind sharing with the rest of us?


Maybe they posted the URL privately on some other platform (i.e. Slack, some instant messenger, WhatsApp, who knows)? And Recorded Future got it from there?


That's basically right. Our system observed the URL elsewhere on the web - not on a private messaging service. We've offered to share those details with Bosnadev.

RE: whether these comments really are from the RF team, we're about to post the same info on our own blog.



Thank you.

Your link to the blog is broken (the href is missing an '=').

Unfortunately no new information for those following the threads. Are there any plans to release more details (links, logs) publicly?


xpost from comment on the orig blog

http://pastebin.com/ukBvSKyw - Look at the timestamps. And no "Recorded Future" here, hence published before their fetch.


Sorry, I don't follow. Could you unpack this?


Search Google for the "secret" URL. Make sure you click the option to show the "omitted" search results. In the search results, look for the results that date from before the article was posted. You will find a URL on pastebin.com. Look at the timestamp. This page contains a partial HTTP log, containing not only the relative URL but also, in the referrers, the complete "secret" URL. So, my conclusion is: in the group conducting the "secret" chat, somebody posted the HTTP log to Pastebin.com, and then, and only then, was the "secret" URL picked up by Recorded Future.


Can a log on pastebin containing a relative path be resolved to an absolute URL?


(continued from previous comment) The "secret" string to google is "/_temp/cork.png". People should be aware that once they post an HTTP log to pastebin, their "secret" URLs are not secret anymore.
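
The exchange above about HTTP logs and referrers, as an added example that is not part of any post in this thread: a check to run on an access log before sharing it, listing the absolute URLs its Referer fields disclose, the relative paths that become resolvable through them, and a redacted copy. It assumes the Apache/nginx "combined" log format; the host `files.example.test`, the sample lines and the function names are constructed, and only the path is the one quoted in the thread.

```python
import re
from urllib.parse import urlsplit, urljoin

# Apache/nginx "combined" format (assumed):
# host ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LINE = re.compile(
    r'^(?P<head>\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ )(?P<path>\S+)'
    r'(?P<mid> [^"]*" \d{3} \S+ ")(?P<referer>[^"]*)(?P<tail>" "[^"]*")$'
)

# Constructed sample: placeholder host, path as quoted in the thread.
SAMPLE = '''\
203.0.113.7 - - [01/Jan/2015:10:00:00 +0000] "GET /_temp/cork.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2015:10:00:01 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "http://files.example.test/_temp/cork.png" "Mozilla/5.0"
'''

def parse(log_text):
    """Match objects for every line that fits the combined format."""
    return [m for m in map(LINE.match, log_text.splitlines()) if m]

def referer_urls(log_text):
    """Absolute URLs disclosed verbatim in Referer fields."""
    return {m["referer"] for m in parse(log_text)
            if urlsplit(m["referer"]).scheme in ("http", "https")}

def resolvable_urls(log_text):
    """Relative request paths joined with every origin seen in a Referer."""
    origins = {"{0.scheme}://{0.netloc}/".format(urlsplit(u))
               for u in referer_urls(log_text)}
    return {urljoin(o, m["path"]) for m in parse(log_text) for o in origins}

def redact(log_text):
    """Copy of the log that is safer to share: paths and referers replaced."""
    out = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        # Lines that do not parse are dropped rather than passed through unchecked.
        if m:
            out.append(m["head"] + "/[redacted]" + m["mid"] + "-" + m["tail"])
    return "\n".join(out)

if __name__ == "__main__":
    print(sorted(referer_urls(SAMPLE)))
    print(sorted(resolvable_urls(SAMPLE)))
    print(redact(SAMPLE))
```

In the sample, the first line carries only a relative path, yet the Referer on the second line supplies the origin, so both request paths resolve to absolute URLs.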


(continued) And now, somebody has deleted that pastebin page. Because they want this hoax to thrive?


...weird, indeed.

Since the OP published the article implying such a grand circumstance, and commented "I assure you it was not posted publicly by any of us. Newly created URL and link c/p to fb chat.", I believe that there are still a few basic questions in order, in any case:

1. What "link generation" program was the OP using? Is it possible this program streamed its output through something like Pastebin - without the explicit knowledge of the OP - and if so, can we verify this is the case by following up with an example?

2. Can the representative from Recorded Future comment on whether or not this site, Pastebin, is being monitored?

Thanks all, for what we'd surely hope to be a trivial, if unusual, case of software being stealthy...


If what you're saying is true, then where was the source of the "leak"?

Perhaps you won't say, exactly, without the OP's permission?


Thank you for replying here.

Can you give us more information including:

- Proof you are from Recorded Future

- The public URL at which you picked up the links

- Any evidence you have that what you say happened indeed happened? That is specifically the log information you report on having investigated. Publishing this will allow the original publisher and independent analysis to corroborate your story.

The more information you can publish to quell any doubts, if this is completely benign, the better for your company/Facebook/CIA.


got any proof of any of this?

if the url is public, let's see it :)


I would say that simply giving the URL to the public site would be helpful in verifying this.



