
> The first red arrow on the chart points to April 25th, 2019: the announcement of the OAG’s investigation. Notice how, as the investigation progresses, the issuance rate of Tether begins to rise — initially in large single blocks, of around $1B, every few months.

Below is an analysis of printed tethers vs known institutional buyers for 2020. I find a ratio of 4 to 1.

Tether market cap for 2020: March: 4.6B$, April: 6.3B$, May: 8.8B$, July: 9.9B$, 29 August: 10B$, 1 Sept: 13B$, 28 Sept: 15B$, Jan 21: 24B$

Compared to known institutional buyers:

Grayscale: March: 500M$, April: 600M$, May: 1B$, July: 1.4B$, 31 August: 1.8B$ (approx), 28 Sept: 2B$

Microstrategy: 1.1B$ average price (August to September, as per https://bitcointreasuries.org/)

Difference: between March and September 2020, Tether printed 10B$ while the biggest known institutional buyers spent 2.6B$ (Grayscale + MicroStrategy = 1.5B$ + 1.1B$ = 2.6B$)

That is to say, Tether prints appear to be 4 times the big buyers' amount.

ref for grayscale buy amounts: https://hackernoon.com/grayscales-gbtc-pump-effect-means-202...


I was curious about the technique used under the hood, so I decided to have a closer look.

-- What it does to intercept network traffic:

1/ The app spawns an Android (Java) service that performs the following as root when it starts:

# echo 1 > /proc/sys/net/ipv4/ip_forward

# iptables -t nat -I POSTROUTING -s 0/0 -j MASQUERADE

# iptables -t nat -I OUTPUT -j DNAT -p tcp --dport 1337 --to 127.0.0.1

# iptables -t nat -I PREROUTING -j DNAT -p tcp --dport 1337 --to xxxunclearherexxx

My understanding is that it redirects outgoing packets (targeted at port 1337) to loopback, where the native daemon listens (2/)

This is not visible in the video, but when the user clicks to use a caught Facebook profile, it seems to trigger an Android Intent to actually go to Facebook on port 1337 instead of 80, so it gets caught by the iptables hook.

2/ It then execs the faceniff binary to go native (unpacked from resources) with some params (stealth/passive mode, license check), and polls its status every 1s.

-- Native part: I believe it handles most of the logic. Looking at the strings contained, it seems to deal with libpcap to intercept and forge headers on the fly.

Some interesting strings: libpcap version 0.9.8

new user found but the app is locked!

Unable to find ssid in cookies [%s]

HTTP/1.1 200 OK Content-Type: text/html Connection: close

Set-Cookie: %s=%s; expires=Fri, 14-Jul-2017 04:40:00 GMT; path=/; domain=.%s

<meta http-equiv='refresh' content='0;http://%s/>;

HTTP/1.1 200 OK Content-Type: text/html Connection: close

Date: Wed, 02 Feb 2011 01:51:18 GMT

<li><a href='http://%s:1337/%s>%s</a></li>;

client asking for: [%s]

Technically speaking, this is interesting. Please feel free to add info if you are familiar with the technique.
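Added example (not code from the comment above, nor from the app being discussed): a small host-side audit that parses an `iptables-save -t nat` style dump and flags the setup the comment describes, namely IP forwarding switched on, a MASQUERADE rule in POSTROUTING and a DNAT that diverts a port to loopback. The dump below is a constructed sample, and the 192.0.2.10 PREROUTING destination stands in for the target that was unclear in the comment; chain and target names are the standard iptables ones.

```python
"""Audit an iptables nat-table dump for the traffic-diversion pattern above.

Constructed sample input, not captured from a real device.
"""
import re
from dataclasses import dataclass

# Constructed sample: roughly what `iptables-save -t nat` prints after the
# three rules in the comment above were inserted. 192.0.2.10 is a placeholder
# (the original PREROUTING target was unclear).
SAMPLE_NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 1337 -j DNAT --to-destination 192.0.2.10
-A OUTPUT -p tcp -m tcp --dport 1337 -j DNAT --to-destination 127.0.0.1
-A POSTROUTING -j MASQUERADE
COMMIT
"""

LOOPBACK = re.compile(r"^127\.")


@dataclass
class Finding:
    chain: str   # chain the rule lives in, or "sysctl" for the ip_forward check
    rule: str    # the offending rule text
    reason: str  # why a handset should not normally carry this


def parse_rules(dump):
    """Yield (chain, rule_text, tokens) for every `-A` line in an iptables-save dump."""
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue
        tokens = line.split()
        yield tokens[1], line, tokens


def option_value(tokens, name):
    """Return the token following option `name`, or None if absent."""
    if name in tokens:
        idx = tokens.index(name)
        if idx + 1 < len(tokens):
            return tokens[idx + 1]
    return None


def audit_nat_rules(dump, ip_forward="0"):
    """Return the list of Findings for a nat dump plus the ip_forward sysctl value."""
    findings = []
    if ip_forward.strip() == "1":
        findings.append(Finding("sysctl", "net.ipv4.ip_forward=1",
                                "IP forwarding enabled on a handset"))
    for chain, rule, tokens in parse_rules(dump):
        target = option_value(tokens, "-j")
        if target == "MASQUERADE":
            findings.append(Finding(chain, rule,
                                    "MASQUERADE: device rewrites source addresses like a gateway"))
        elif target == "DNAT":
            dest = option_value(tokens, "--to-destination") or option_value(tokens, "--to") or ""
            host = dest.split(":")[0]
            if LOOPBACK.match(host):
                findings.append(Finding(chain, rule,
                                        "DNAT to loopback: traffic diverted to a local listener"))
            elif chain == "PREROUTING":
                findings.append(Finding(chain, rule,
                                        "DNAT of forwarded traffic to another host"))
    return findings


if __name__ == "__main__":
    # On a real device you would feed it the output of `iptables-save -t nat`
    # and the contents of /proc/sys/net/ipv4/ip_forward.
    for f in audit_nat_rules(SAMPLE_NAT_DUMP, ip_forward="1"):
        print(f"[{f.chain}] {f.reason}\n    {f.rule}")
```

The audit is deliberately narrow: a single DNAT to loopback or a stray MASQUERADE rule is not proof of anything on a rooted phone used for tethering, but the three together, with forwarding on, match the exact setup the comment reconstructs and are worth an alert.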


Developers have to come a long way to build a user base and good ratings, so it would have been fair to give a warning notice prior to removing the app, imho.

(speaking as an Android app dev; and yes it is too intrusive)


I disagree. It's so obviously a cheap, nasty move that no warning should be necessary.

It's beyond intrusive. It's spam and Airpush will hopefully be out of business soon.


Care to elaborate please? (FIX engine?)


The C++ developers I've met in London that earn 600 GBP/1000 GBP per day (consulting) are people who have been working for investment banks (JP Morgan for example) developing trading systems that use FIX Protocol (http://www.fixprotocol.org/).


Indeed, thanks.

Also, about publishing eCPM/fill rate/CTR: as interesting as it is, it might be a problem regarding Admob's terms of service.


Link to pdf (better quality, no notes): http://ki.se/content/1/c6/06/45/23/Sarasvathy.pdf

Thanks!


Code injection (SetWindowsHookEx, WH_CBT) and API hooking allow filtering out other programs requesting topmost display.

But this is intrusive. And it can be bypassed by other vendors, whether they work around it by using other APIs/tricks or unhook their own process' APIs at runtime themselves.

As said here in this thread, the only way to ensure full control is to patch the kernel (window-management-related syscalls). And even there it's tricky to be exhaustive.

VM is the safe way to go.


The most astonishing info here is that this is HBGary that is involved.

Come on, we are talking about the rootkit.com guys. Not taking sides is one thing, taking the opposite side is a completely different one.

Pretty much everything I learned for fun about rootkits, I learned thanks to these guys.

I am speechless.


Expertise with Win32 internals doesn't make you a competent sysadmin or web application developer. rootkit.com runs one of the worst custom web apps I've ever seen.

If you can't even get GET/POST/cookie escaping correct in PHP after years, you should probably not be building web apps.

It's a shame that their site is so bad when their book is so awesome.


Indeed.

I am speechless because they (started?) monetizing going after the 'bad guys', while they have been publishing grey/black hat stuff on Rootkit.com for many years.

The trust is gone.


Yes to everything you said. The book is amazing, yet their web site is awful. It sucks seeing as how I'm in that list too.

p.s. - if anybody can crack my password, I'll be impressed.


Adding code samples (java & layouts) would be even more awesome. Very interesting, still.


They should make that part social - let devs upload their own, rate them, etc. Github for Android patterns, sort of.


We (Unitid / androidpatterns.com) like that idea. Maybe you (this group) can help us implement it.

Looking forward to your suggestions!


How many of these UI patterns are already codified in Android's app framework? It would be cool if these identified patterns were presented in a mini-framework.


Yes. UI is one thing, but many devs out there are using these patterns and everyone reinvents the wheel to implement them.


Attacker sits at network / ISP level, and can therefore inject any (js, ...) payload in non-https web pages, on the fly.

