Croatian Government Electronic Public Discussions


On this page you can find (at least for now; I'm really not sure about the whims of the "elites" in power...) some of the technical aspects of how the Croatian government organizes public discussions via electronic posting by Croatian nationals.

This part of the entire discussion is brought to you in this section in its technical details, but if you're interested in some details of the moral aspect of this discussion, pls. see the separate page in another section of our website:

Will Croatia Ratify Istanbul Convention?

---

dump_170801_0641_gdO.pcap

---

WARNING: Familiarity with and use of some Unix-like OS such as GNU/Linux or BSD, (or being able to use Cygwin on Windows but I haven't tested that yet) is required to be able to follow.

Most of the original files of this section are produced with my (primitive) set of scripts:

uncenz.

Notice that there are different scripts there; some I use for minimal anonymization of the dumps (dump_perl_repl.sh). Ah, and another can be useful for downloading, instead of click-downloading each file in a list (dump_dLo.sh). If you're not downloading the whole of uncenz, you can get it directly: https://raw.githubusercontent.com/miroR/uncenz/master/dump_dLo.sh or a later version if that one looks too old.

It's also available here locally.

For analysis/stream extraction I often use my modest scripts (lacking in good programming practices, but doing what I created them for):

tshark-hosts-conv

and:

tshark-streams.

as well as:

workPCAPs, which can run tshark-streams and tshark-hosts-conv (and, from May 2018, also stream-cont.pl from the program stream-cont) on (a lot of) PCAP(s), (usually) non-interactively.

NOTE: There is now a better way than my stream-cont, in tshark itself (it became available around the time I wrote mine). Pls. see how to extract files, as taught by a Wireshark core dev.

Readers are advised to try and analyze the traffic dumps for themselves, with the above programs (I also try to offer some educational usefulness to them). There would anyway be too little point in posting all the streams and the listings that those would produce. I usually post just those, among what they produce, which are crucial for the discussion in question.

And just one more thing: I post lots of command lines and snippets of scripts. Be aware that some of those are in HTML, so before using them, check that they correspond to what the page shows, and of course, report (see the contact page) back to me the typos and errors if you find any.

The viewing of the screencast is of little use... Just pls. do notice, that throughout all the browsing of the comments the url in the address bar remains unmoved. It all happens to the benefit or irritation, but completely for their own comfortable browsing really, of those inside, not the browsing of the general population, no! We have to perform acrobatic feats to get to places in among the comments... Especially if you are used to tabbed browsing... Ah, lest I forget! There's a delay at their server, for which the opening of each of the ten newest pages of comments was so slow. And the usual Firefox (I do use Pale Moon, but it is..., most things in it are same things as just a little older Firefoxen --which are still in use--) [the usual Firefox] hotkeys --the keyboard shortcuts-- don't work or work slowly... I hope the admins, once they get this page in their sight, will be able to at least improve about that... As well as the delay at their server! That delay was the predominant reason for the slowness in opening new comments (I also looked up a string that I wrote about --in maybe my third and fourth comment, somewhere in those hard-to-browse comments pages--, but that looking up, or searching, with Ctrl-F, of mine does not account for much of the time lost at all, no!)... And I do have fiber broadband.

Could you fix that --all that, or at least some of that-- to something normal, dear government? ...Please! For the benefit of your people, and of democracy. Sincerely!

---

Now the analysis. This is probably the shortest of paths to go. Should be easily reproducible by readers with sufficient understanding. I ran:

$ tshark-hosts-conv.sh -r dump_170801_0641_gdO.pcap \
	-k dump_170801_0641_gdO_SSLKEYLOGFILE.txt

One of the files produced was necessary for the analysis presented here (so far):

$ ls -ABRgo dump_170801_0641_gdO.POST
-rw-r--r-- 1 79206 2017-08-01 09:12 dump_170801_0641_gdO.POST
$

Pls. open up that file (best if you got it by running the tshark-hosts-conv.sh --but it must correspond, I think, to the bit with the file dump_170801_0641_gdO.POST in the download--) in a good text editor/viewer like Vim.

It's this frame that holds the content that I wish to extract.

Frame 1565: 1198 bytes on wire (9584 bits), 1198 bytes captured (9584 bits)

I am never told what my address is by T-com, the provider of some 80% of the market in Croatia.... How arrogant of them! Hide users' own temporary address from them... The 192.168.1.5 is my computer IP on the... router's network. Are you ever going to change that shutting-your-users-down, that blinding-your-users attitude, you... you T-cogne... It's not yours, those IP addresses, alright!? Not even who controls the entire T-com Croatia is the rightful owner, because you grew on corruption and stolen property from your people, but this is not the place to dwell on that.

Internet Protocol Version 4, Src: 192.168.1.5, Dst: 185.20.29.90

And if you ran tshark-hosts-conv (and you should have), pls. look it up in dump_170801_0641_gdO.conv-ip and in dump_170801_0641_gdO.hosts that you got; the line in the latter ought to be 185.20.29.90 esavjetovanja.gov.hr. [And] that's the site, the server with the same-address-no-matter-where-you-go in that discussion...

Transmission Control Protocol, Src Port: 55072, Dst Port: 443, Seq: 878, Ack: 4090, Len: 1130
    Source Port: 55072
    Destination Port: 443

The Stream index is what I, after this perusal, take into the next round of analysis:

    [Stream index: 20]
    [TCP Segment Len: 1130]

Another perl of this bag of... perls. No matter whether it be the first or any next page, all through to the last pages of the comments, the POST always requests that same GetSliceComments below:

Hypertext Transfer Protocol
    POST /ECon/MainScreen/GetSliceComments HTTP/1.1\r\n

This is the browser that I'm using. It's actually built by Windows nerds, and Windows users are its main "customers" --I do recommend it--, but also works on Linux:

...
        Request Version: HTTP/1.1
    Host: esavjetovanja.gov.hr\r\n
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.9) Gecko/20100101
		Goanna/3.2 Firefox/45.9 PaleMoon/27.4.0\r\n
    Accept: application/json, text/plain, */*\r\n
    Accept-Language: en-US,en;q=0.5\r\n
    Accept-Encoding: gzip, deflate\r\n
    __RequestVerificationToken:
NyikagNAYXUL1zqd9DK3qUUpqsazZD28asqdSr1lfiVzomqZSXViO4xW2RJ_
iBtjFAAq3RwaeOg3G6YYGrhq3AilnJkl9WtwC3q0NLOT6es1\r\n
    Content-Type: application/json;charset=utf-8\r\n

(some lines above manually split for legibility)

Yes, that's the url that you always see, only always that url, the entityId=5638 url. The referer it is, I believe, and since it never budges, it is also the target, and probably much more :( ...:

    Referer: https://esavjetovanja.gov.hr/ECon/MainScreen?entityId=5638\r\n

I don't understand all the details of all these things... No, surely not all... But the ASP.NET surely is the Windows technique, just like PHP was originally developed in Linux, but can perfectly be used in Windows... Only most of the institutional networks, servers, are in M$ technology in Croatia... GNU/Linux is free, and possibly better...

( Mr Linux, y'know, the Torvalds guy, recently ruined the chances all the more for GNU/Linux, by, in possible cahoots with Google the Schmoog, ousting the best there was available in GNU/Linux for more than one decade and a half: the grsecurity... Holes and hollowyness in Linux can only be growing dire now because the best security guys there were, two true geniuses, have been, kind of, made to leave, spender and PaX Team... I'm so sad I can't even tell you... So I can't say any more that Linux is surely better, esp. not with Systemd and Poetterware and stuff... And esp. with the Schmoog dominating the realm, and having under its wings: the security of Linux. That obstinate world spy the Schmoog, those guys, the Eric, the Sergey and the Larry Schmoog, them, well, their own empire --ooh, empires crush y'know, and even worlds, all worlds end, and what with your hearts so soaked with moneys?-- them doing, organizing, hiring people for security in Linux! Shall we cry or shall we laugh or shall we... <can't write any more>... )

...
     [truncated]Cookie: _ga=GA1.2.1148138201.1501475015; _gid=GA1.2.1148034945.1501475015;
cookiesDirective=1; ASP.NET_SessionId=yqde4jnizmgt3t3ftpwkdivc;
__RequestVerificationToken=Uu1nN1xvwXvZsZyHIDsh-qHr3kprL_yvmKcQpWnvTUIl-sVPz86L1zZej3tE1

(the line above manually split for legibility)

Yeah, that's ASP pages, above, and below. And, in other places if you analyze the dump with my tools, you easily find it's Microsoft IIS, the server.

        Cookie pair: ASP.NET_SessionId=yqde4jnizmgt3t3ftpwkdivc

Always this Full request URI, in all the 610 or so seconds of the dump:

    [Full request URI: https://esavjetovanja.gov.hr/ECon/MainScreen/GetSliceComments]
    [HTTP request 1/1]
    File Data: 139 bytes
JavaScript Object Notation: application/json

skipping some more of JS lingo...

                Member Key: SortingOrder
                    Number value: 1
                    Key: SortingOrder

Mostly only the value below would change. And this one:

                Member Key: CurrentPageIndex
                    Number value: 5

held the texts that I wanted to extract.

                    Key: CurrentPageIndex
                Member Key: NumElementsPerPage
                    Number value: 10
                    Key: NumElementsPerPage
            Key: paging

But again, it's the Stream index of that Frame (that packet) that I need for the next round of the analysis. So, what was due now was to extract the stream that contains that packet (frame). The tshark-hosts-conv cannot do that, but the tshark-streams can:

$ mkdir dump_170801_0641_gdO_tStreams
$ cp -iav dump_170801_0641_gdO.pcap dump_170801_0641_gdO_SSLKEYLOGFILE.txt \
	dump_170801_0641_gdO_tStreams
$ cd dump_170801_0641_gdO_tStreams
$ tshark-streams.sh -r dump_170801_0641_gdO.pcap -k dump_170801_0641_gdO_SSLKEYLOGFILE.txt \
	-Y "tcp.stream==20"

We'll use only the:

$ ls -ABRgo dump_170801_0641_gdO_s020-ssl.bin
-rw-r--r-- 1 38426 2017-08-01 08:58 dump_170801_0641_gdO_s020-ssl.bin
$

I opened it in Vim (WARNING: Vim is fine with binary files, but indeed not all editors are, actually very few are... I'm sure Emacs is, don't know about others), and found where the texts that I wanted to extract start and end, at what byte.

But first, about what I was saying above, sure, not far from the start of that file you can easily find:

Date: Tue, 01 Aug 2017 06:44:47 GMT
Server: Microsoft-IIS/7.5

But, back to extracting posted content, having opened it in Vim, I took the numbers, and was able to run:

cat dump_170801_0641_gdO_s020-ssl.bin | cut -b 186-733 | tail -1 | sed 's/\\n/\n/g'
cat dump_170801_0641_gdO_s020-ssl.bin | cut -b 2354-15635 | tail -1 | sed 's/\\n/\n/g'

The last two lines, of course, once the reader gets it right, should include redirections like this:

cat dump_170801_0641_gdO_s020-ssl.bin | cut -b 186-733 | tail -1 | sed 's/\\n/\n/g' \
	> dump_170801_0641_gdO_s020-ssl_MiroslavRovis_comment.txt
cat dump_170801_0641_gdO_s020-ssl.bin | cut -b 2354-15635 | tail -1 | sed 's/\\n/\n/g' \
	> dump_170801_0641_gdO_s020-ssl_UImeObitelji_comment.txt

Because it's the comments that I will now post to the "political page", embellished with links clickable (the more important one -- they are not so on the government's pages; poor are the government who are shy/afraid/avert of/to their own people; or be it only lazy with... Just one thing: don't even think about if you want to improve it, that more moneys are required... You got young people leaving this country... you got people working for a pittance... You ought to organize it and put it up for whatever you already are regularly receiving...).

But those, the dump_170801_0641_gdO_s020-ssl_UImeObitelji_comment.txt and dump_170801_0641_gdO_s020-ssl_MiroslavRovis_comment.txt are included in the download, as extracted by the commands above.
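
The cut -b byte ranges above were read off by eye in Vim, and they only work for this one file. Because the JSON body is decoded (\n escapes turned into real newlines, as the sed does) by any JSON parser, and because cut -b counts bytes while Croatian text in UTF-8 has two-byte characters (č, ć, š, ž), a parser is the safer way to get at the posted texts. The following Python is an added example, not one of the uncenz or tshark-* scripts from the page: it builds and parses HTTP/1.1 messages of the shape the dump shows (the POST to /ECon/MainScreen/GetSliceComments with the SortingOrder, CurrentPageIndex and NumElementsPerPage keys, and a Microsoft-IIS/7.5 JSON response) and pulls the comment texts out of the response. The sample exchange is constructed, and the response layout (a "Comments" list with "Author" and "Text" fields) is an assumed schema, not the real one of esavjetovanja.gov.hr.

```python
"""Parse a decrypted HTTP/1.1 exchange and extract comment texts from its JSON
body, instead of cutting byte ranges by hand. Sample data is constructed; the
response schema ("Comments"/"Author"/"Text") is assumed for the example."""
import json


def build_http_message(start_line, headers, body):
    """Serialize an HTTP/1.1 message; Content-Length is computed, not guessed."""
    lines = [start_line] + [f"{k}: {v}" for k, v in headers.items()]
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


def parse_http_message(raw):
    """Split one HTTP/1.1 message into (start line, headers dict, body bytes).

    Header names are lower-cased. The body is cut at Content-Length when that
    header is present; otherwise everything after the blank line is the body.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.decode("iso-8859-1").split("\r\n")
    start_line, headers = lines[0], {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = headers.get("content-length")
    body = rest[: int(length)] if length is not None else rest
    return start_line, headers, body


def paging_request(page_index, per_page=10, sorting_order=1):
    """The request the dump shows: only CurrentPageIndex changes from page to page."""
    body = json.dumps({"paging": {"SortingOrder": sorting_order,
                                  "CurrentPageIndex": page_index,
                                  "NumElementsPerPage": per_page}}).encode("utf-8")
    return build_http_message(
        "POST /ECon/MainScreen/GetSliceComments HTTP/1.1",
        {"Host": "esavjetovanja.gov.hr",
         "Accept": "application/json, text/plain, */*",
         "Content-Type": "application/json;charset=utf-8"},
        body)


def request_page_index(raw_request):
    """Read CurrentPageIndex back out of a captured GetSliceComments request."""
    _, _, body = parse_http_message(raw_request)
    return json.loads(body.decode("utf-8"))["paging"]["CurrentPageIndex"]


# Constructed response; the "Comments" list and its fields are an ASSUMED schema.
SAMPLE_COMMENTS = [
    {"Author": "Komentator A", "Text": "Prvi redak.\nDrugi redak s č, ć, š i ž."},
    {"Author": "Komentator B", "Text": "Samo jedan redak."},
]
SAMPLE_RESPONSE = build_http_message(
    "HTTP/1.1 200 OK",
    {"Server": "Microsoft-IIS/7.5",
     "Content-Type": "application/json; charset=utf-8"},
    json.dumps({"Comments": SAMPLE_COMMENTS}, ensure_ascii=False).encode("utf-8"))


def extract_comment_texts(raw_response):
    """Return the comment texts with JSON escapes (\\n, \\uXXXX) already decoded."""
    _, headers, body = parse_http_message(raw_response)
    if not headers.get("content-type", "").startswith("application/json"):
        raise ValueError("not a JSON response")
    return [c["Text"] for c in json.loads(body.decode("utf-8"))["Comments"]]


def cut_bytes(data, start, end):
    """Emulate `cut -b START-END` (1-based, inclusive) and decode as UTF-8.

    Byte offsets taken by eye can land inside a multibyte character (č is two
    bytes in UTF-8); a split character decodes to U+FFFD here, which is why
    parsing the JSON is more robust than cutting byte ranges.
    """
    return data[start - 1:end].decode("utf-8", errors="replace")


if __name__ == "__main__":
    for text in extract_comment_texts(SAMPLE_RESPONSE):
        print(text)
        print("---")
```

Run it as is to see the two constructed comments printed with real line breaks; to use it on a real stream, feed the decrypted response part of the -ssl.bin file to extract_comment_texts and adjust the key names once you have looked at the actual JSON.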

---

The files necessary for this entire study are listed in:

ls-1

dump_170801_0641_gdO.pcap
dump_170801_0641_gdO.POST
dump_170801_0641_gdO_s020-ssl.bin
dump_170801_0641_gdO_s020-ssl_MiroslavRovis_comment.txt
dump_170801_0641_gdO_s020-ssl_UImeObitelji_comment.txt
dump_170801_0641_gdO_SSLKEYLOGFILE.txt
Screen_170801_0641_gdO.png
Screen_170801_0641_gdO.webm

and verify against ls-1.sum, signed by ls-1.sum.asc