CalvinBackup/JGoyd
1
0
Fork 0
mirror of https://github.com/JGoyd/JGoyd.git synced 2026-06-25 12:59:56 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
JGoyd/intake/SYSTEM-STATUS.md
T
Joseph R. Goydish II 4ed1ae48b1 JGoyd Public Evidence System: 187 Verifiable Events | 5 CVE Rescores | 27 Global 
Cases
2026-05-18 22:58:05 -07:00

140 lines
28 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# JGoyd Evidence System — Status Snapshot
*Auto-generated; refresh on every drop batch.*
## What "bulletproof" means in this system
A case is **bulletproof** when every claim in its README is grounded in **at least one externally-controlled signature** that cannot be forged short of compromising third-party infrastructure. The hierarchy is:
1. **Tier 1 (strongest):** DKIM signature from a known agency/vendor mail domain (e.g., `sec.gov`, `cert.org`, `apple.com`), CVE record at NVD, CISA KEV listing, court PACER entry, atomic NVD ADP write.
2. **Tier 2:** Server-issued case reference whose pattern only the agency's intake system produces (FCA `00Db*`, SEC Submission Number, CPIB Response ID, VINCE VU number).
3. **Tier 3:** OpenTimestamps anchor + maintainer PGP detached signature on the source file.
4. **Tier 4 (supporting only):** Self-attestations, screenshots, print-to-PDF renderings. Never the sole anchor for a claim.
## Case status (as of drop batch 2026-05-18, batch 12)
### Track B — Cybersecurity
| Case folder | Tier 1 anchors | Tier 2 anchors | Tier 3 (.ots/.asc) | Bulletproof? |
|---|---|---|---|---|
| `TRACK-B-CVE-2025-31200-31201` | DKIM `cert.org` ×2, DKIM `amazonses.com` ×2, DKIM `yahoo.com`, NVD CVE-History ADP write, CISA KEV (+1d), CVSS 9.8 ×2 | CERT/CC case `gen-41698`, vulnrichment #200 | PENDING (anchor script ready) | **Strong** — DKIM + NVD + KEV all third-party-verifiable |
| `TRACK-B-CVE-2025-24085-24201-43300` (Glass Cage) | DKIM `cert.org`, DKIM `amazonses.com`, NVD CVSS 10.0 ×3, NVD Primary 10.0 ×2, CISA KEV (+02d) on all 5 chain CVEs | VINCE VU#395558 (case 2162), vulnrichment #194 + #201 | PENDING (anchor script ready) | **Strong** — 3× CVSS 10.0 is structurally rare; KEV-same-day on 43300 |
### Track A — Regulatory / whistleblower
| Case folder | Tier 1 anchors | Tier 2 anchors | Tier 3 (.ots/.asc) | Bulletproof? |
|---|---|---|---|---|
| `TRACK-A-SEC-TCR-17780-976-067-126` | **DKIM `sec.gov` (2048-bit, selector `secomms`)** | SEC TCR Submission `17780-976-067-126`, SEC Ombuds Matter ID `20260513-00019687` | PENDING (anchor script ready) | **Strong** — sec.gov DKIM is the first federal-agency cryptographic anchor in the system |
| `TRACK-A-FCA-BoC-StanChart` | **DKIM `fca.org.uk` (2048-bit, selector `intactfcaorguk2`) on FOUR inbounds**: 2026-05-08 named-officer substantive reply (Supervision Hub, BoC UK + StanChart subjects), 2026-05-11 boilerplate ack, 2026-05-13 named-officer **supervisory-referral attestation** (*"referred to the supervisory appropriate team for further investigation"*) | FCA reference `00Db0000000K8yP.500Sk000019RuGn` (confirmed Salesforce Org-Link + Entity-ID via `X-Sfdc-Lk` / `X-Sfdc-Entityid`) | PENDING (batch 4 + batch 11 anchor scripts ready) | **Strong-with-substantive-attestation** — first UK fed-agency cryptographic anchor; two named-officer substantive inbounds on the same matter; supervisory-referral language is intake-routing only, NOT an adjudicative finding (Track A standing disclaimer applies) |
| `TRACK-A-CPIB-69f824dfe5ef7daf3b78ccee` | **DOUBLE DKIM: `form.gov.sg` (2048-bit, selector `y7posmki4a5gkzqgrtnwseuajsr5wg4m`) + `amazonses.com` (1024-bit, selector `pd64dbxfdcqqbvadj6zks7h7qe3c33ao`) inbound 2026-05-04** | CPIB Response ID `69f824dfe5ef7daf3b78ccee` | PENDING (batch 4 anchor script ready) | **Strong** — first Singapore-Gov cryptographic anchor; SES counter-signature provides defense-in-depth |
| `TRACK-A-LT-CASE-01-1-03450-26` | Letter from Prosecutor Aurelijus Navickas, Panevėžys Organised Crime & Corruption Investigation Div., 2026-04-30 (info attached to criminal case materials) | Case ref `01-1-03450-26` | PENDING (batch 3 anchor script ready) | **Strong** — confirmed prosecutor letter on file |
| `TRACK-A-SK-260428070422263` | **DKIM `genpro.gov.sk` (2048-bit, selector `genprogovsk`) 2026-04-28** + **potvrdenka PDF enumerating 14 submitted docs w/ per-file SHA-256** | Slovak General Prosecutor ref `260428070422263` | PENDING (batch 2 + batch 4 anchor scripts ready) | **Strong** — first Slovak federal-agency cryptographic anchor; potvrdenka PDF document-corroborates the DKIM-signed inbound |
| `TRACK-A-TW-NCC-11500091980` | **DKIM `ncc.gov.tw` (2048-bit, selector `google`) 2026-03-25 kick-off** + **Official NCC formal letter (函) ROC 115/3/24 = 2026-03-24, named officer 周金賢 `jschou@ncc.gov.tw`** | NCC case `NCC-1156500716`, filing ref `通傳基礎決字第11500091980號` | PENDING (batch 3 + batch 4 anchor scripts ready) | **Strong** — DKIM anchor + document-level letterhead corroboration; carrier rebuttal preserved as carrier-position evidence only |
| `TRACK-A-Japan-ISA-ICRRA70-1` | (pending — no MOJ/ISA inbound `.eml` yet) | MOJ kōeki-tsūhō mailbox referral, 2026-05-13 | PENDING (batch 3 anchor script ready) | **Provisional** — outbound-only; needs inbound `.eml` from `*.moj.go.jp` to become Tier 1 |
| `TRACK-A-OLAF-Mandelson-Carbyne` | **DKIM `ec.europa.eu` (2048-bit, selector `s2601`) inbound 2026-05-04** | OLAF subject "Tip submission: Mandelson / Carbyne"; Msg-Id `<bc0371e438c145b7af6986637b8f4778@ec.europa.eu>` | PENDING (batch 5 anchor script ready) | **Strong****first EU-institutional cryptographic anchor in the system.** PGP reconciliation issue still open: outbound ships secondary `6DCB` key, not canonical `4A04`. |
| `TRACK-A-DOE-NE-2026-05-02` | (pending — no inbound from DOE-NE / CFIUS / FinCEN yet) | Three-agency single-outbound 2026-05-02 21:41 UTC | PENDING (batch 4 anchor script ready) | **Provisional****STRICT DOMAIN SEPARATION per user**: DOE-NE / CFIUS / FinCEN are three distinct anchors that do NOT mix unless each has its own inbound. Capture each agency's reply individually. |
| `TRACK-A-DOJ-FARA-Public` | **DKIM `usdoj.gov` (2048-bit, selector `doj`) reply 2026-05-05** | DOJ FARA reply re: Karim Wade / Macky Sall public-registration matter | PENDING (batch 5 anchor script ready) | **Strong****first US-DOJ executive-branch cryptographic anchor in the system.** OFNAC (Senegal) was cc'd but has not responded; per user, no separate OFNAC folder until/unless they reply. |
| `TRACK-A-FR-TJ-Paris-Parquet-Financier` | **DKIM `justice.fr` (2048-bit, selector `pfai20240130`) inbound 2026-05-18** | PNF substantive reply requesting source document (NOT boilerplate) | PENDING (batch 5 anchor script ready) | **Strong****first French Ministry-of-Justice cryptographic anchor.** Outbound is also PGP-signed with the canonical `4A04` key (rare — most user outbounds use secondary `6DCB`). |
| `TRACK-A-Ossoff-Senate-DOJ-Redactions` | **DKIM `senate.gov` (2048-bit, selector `senate-pp2408`) inbound 2026-04-29** | Sen. Ossoff (GA) staff reply from named **David Jones, Senior Constituent Services Representative**; in-person meeting attestation; explicit forward to DC office | PENDING (batch 5 anchor script ready) | **Strong****first US-Senate cryptographic anchor.** Substantively stronger than boilerplate per user. |
| `TRACK-A-IRS-FORM-211` | (pending — no `*.irs.gov` inbound yet; paper claim letter from Ogden, UT expected next) | 13-page Form 211 Bates evidence packet (compiled 2026-05-06) submitted via IRS Whistleblower Office; on-screen confirmation noted at intake by filer; statutory basis IRC § 7623(b); filer-asserted recoverable estimate $75M$110M (above $2M mandatory-award threshold) | PENDING (batch 7 anchor script ready) | **Provisional** — filer-prepared with on-screen submission confirmation only. Subject taxpayers: Southern Trust Company Inc., Financial Trust Company Inc., Estate of Jeffrey E. Epstein. Upgrades to Strong on receipt of IRS WBO paper claim-number letter or any `*.irs.gov` DKIM-signed inbound. |
| `TRACK-A-MA-AGO-MIT-MediaLab` | **DKIM `onbaseonline.com` (2048-bit, selector `2k20x`) inbound 2026-05-05** | MA AGO OnBase intake acknowledgement; routing-to-NPC attestation in body | PENDING (batch 5 anchor script ready) | **Strong** — first state-AG enterprise-intake cryptographic anchor (Hyland OnBase platform contracted by MA AGO). |
| `TRACK-A-Colombia-Consulate-Atlanta` | (pending — no agency reply yet) | Hand-delivered referral packet `COLOMBIA-EPSTEIN-01` (2026-05-14) to Embassy of Colombia / Atlanta consulate, 1117 Perimeter Center West, N401; signed on-face with canonical `4A04` PGP | PENDING (batch 6 anchor script ready) | **Provisional** — hand-delivered 2026-05-18; upgrades to Strong on any written acknowledgement from `*.gov.co` (Cancillería, Fiscalía General, Superfinanciera, or the Embassy's own institutional domain) or a stamped consulate paper receipt. |
| `TRACK-A-USN-InsiderThreat-AirCenter-Tinney` | (pending — no `*.navy.mil` / `*.mail.mil` / NCIS / DCSA inbound yet) | Outbound 2026-04-27 16:04:06 UTC to `USN-InsiderThreat@us.navy.mil`; primary subject **Air Center Helicopters / Rod Tinney** (cleared MSC contractor, ~$77.3M VERTREP contract through 2030-01-30); adjacent matter Lt. Col. **William R. Bohlke Jr.** (PRANG legislative liaison / CEO Bohlke International Aviation); adjacent matter #2 held pending Hub request; primary anchors `EFTA01966277` (Visoski 2013 fleet summary), `EFTA02173130` (Bohlke USAF-credential commercial signature) | PENDING (batch 7 anchor script ready) | **Provisional** — outbound-only insider-threat referral; filer invokes NISPOM 32 CFR Part 117, DITMAC #4 + #12, SEAD 4 E/J/F, SEAD 3 App-A; folder takes no position on those framings. Filer's own attestation: *"This submission presents adverse information; it makes no finding of fact."* |
| `TRACK-A-CISA-INC0625285-iOS-Bypass` | **DKIM `associates.cisa.dhs.gov` (2048-bit, selector `select1`) inbound 2026-02-26** + DMARC=pass (p=reject on parent `dhs.gov`) + ARC-sealed by `microsoft.com` (CISA M365 tenant `69c613d2-b051-4234-8ed1-fd530b70d5d3`) | CISA ServiceNow ticket **INC0625285** "iOS Security Bypass"; named contractor **Umar Farouq (CTR)** at `umar.farouq@associates.cisa.dhs.gov`; 5 CISA To-line recipients (Central, TOC, SIM, vulnerability, filer) + 2 Cc (OCIO.TOC.FEDs, Troy Delucia); 5-deep Message-Id chain through Exchange Online nodes `CO6PR09MB7319 → PH7PR09MB11913 → DS0PR09MB11798`; Proofpoint transit `mx0e-00376703.gpphosted.com` `67.231.155.98` | PENDING (batch 8 anchor script ready) | **Strong****first US DHS/CISA cryptographic anchor in the system.** Contractor-tenancy subdomain (`associates.*.dhs.gov`), not agency proper; cryptographic anchor still attaches to DHS/CISA infrastructure. Body PGP-encrypted to filer's key; envelope/headers preserved. |
| `TRACK-B-CNVD-2025-06744` | 1 (cert PDF) | **Sovereign-CERT certificate** + CNVD ID `CNVD-2025-06744` + cert no. `CNVD-YCGO-202503023656` | 2025-03-18 | **Provisional** (batch 11) |
| `TRACK-B-CNVD-2025-07885` | 1 (cert PDF) | **Sovereign-CERT certificate** + CNVD ID `CNVD-2025-07885` + cert no. `CNVD-YCGO-202504012519` | 2025-04-22 | **Provisional** (batch 11) |
| `TRACK-B-DOE-417` | **DOUBLE DKIM: `doe.gov` (2048-bit, selector `q2-2024-pp`) + `hq.doe.gov` (2048-bit, selector `selector1`) inbound 2025-12-25** | DOE-417 Submission ID `5941450-1585693`, filed 2025-12-25 16:50:15 UTC, Schedule-1 boxes #2 + #14, Emergency Alert; DOE Emergency Operations Center (NA-40 / Team 3) acknowledgement *"Watch Office acknowledges your message."* | PENDING (batch 5 anchor script ready) | **Strong on the agency-receipt anchor** (Tier-1 double-DKIM from DOE EOC). 🟡 **Filer-claim only on the substantive technical narrative** — the DOE EOC acknowledgement confirms receipt and routing, NOT endorsement. Narrative claims (Broadcom BCM4388 silicon backdoor `Poppy_CLPC_OS`, 113GB+ exfiltration, Cisco/Google/Samsung coordinated disclosure) remain filer-statements only — no CVE, no vendor advisory, no third-party reproduction. Org name *Intergalactic Auditing Systems* is a **working pseudonym, not a registered legal entity** (per user). |
| `TRACK-B-IC3-067b3177c3524c80bce02cca08064d11` | **Server-issued FBI IC3 Submission ID `067b3177c3524c80bce02cca08064d11`** (Tier-2 sole-namespace pattern) + **public-internet long-lived corroboration**: the same ID is in the public-repo description field of `github.com/JGoyd/iDrive-Exfil` (created 2026-01-08T23:17:45Z, tree `810ab171…`, last push 2026-04-07T15:35:51Z, 1 star) and has been indexable by archive services since (Tier-1.5 third-party-verifiable) | IC3 Submission ID + 3-file paired technical bundle (filer's published case README, JFIF carrier image 3024×4032 subject "filer's son in filer's backyard", filer's personal note to son) | PENDING (batch 9 anchor script ready) | **Provisional → Anchor-Class candidate on the IC3-ID + public-repo-description combination.** Upgrades to Strong on (a) `*.ic3.gov` or `*.fbi.gov` DKIM-signed inbound `.eml`, (b) paper IC3 acknowledgement letter, or (c) opened FBI field-office investigative file referencing this submission ID. Filer-attested technical surface (polyglot HEIF carrier, `mdat` entropy 7.9478, three Shadow UUIDs, `passd` Wallet bridging to iCloud Drive) preserved without endorsement. **Personal-significance posture preserved**: carrier subject is the filer's son in his backyard. |
| `TRACK-B-MSRC-112639` | **DKIM `vanderbilt.edu` (2048-bit, selector `selector1`) on VUIT precursor `.eml` 2026-04-01** + ARC-sealed by Microsoft `arcselector10001` | VUIT TeamDynamix incident **#86705** (precursor), MSRC **Case 112639** (vendor case-ID, opened 2026-04-08), public GitHub repo `JGoyd/m365-mime-type-confusion` (Tier-1.5 third-party-verifiable; head `c4bca665…`, stego-withdrawal commit `a75ce46a…`) | PENDING (batch 6 anchor script ready) | **Strong****first US higher-education cryptographic anchor in the system (`vanderbilt.edu`).** Two-stage disclosure path (VU → MSRC) anchored on the precursor. No standalone MSRC-side `.eml` yet (open follow-up). No exploit code shipped; prior stego claim withdrawn in commit `a75ce46a…` as a discipline marker. |
| `TRACK-B-NASA-JPL-TLS` | (pending — no NASA SOC inbound `.eml` yet) | Outbound to `soc@nasa.gov` 2025-04-22 | PENDING (batch 3 anchor script ready) | **Provisional** — outbound-only chain-misconfig report; forensic-observer role; needs SOC reply to become Tier 1 |
| `TRACK-B-Broadcom-BCM4387-BroadScope` | **DKIM `broadcom.com` (1024-bit, selector `google`) inbound 2026-03-10** + DLP-relay path through `*.dlp.protect.broadcom.com` (Symantec/Broadcom DLP, `144.49.247.117 (smtp-us-east1-p01-i01-si01.dlp.protect.broadcom.com)`) | Broadcom PSIRT reply from named engineer **Daniel Edelson** (`daniel.edelson@broadcom.com`); Cc **Ken Williams** (`ken.williams@broadcom.com`) + `psirt@broadcom.com`; outbound Message-Id locks threading via inbound `References:` header; **Tier-1.5 public repo** `github.com/JGoyd/BroadScope` (head commit `ba55b3f3c86b60ed63890a8c0f0f650c926f3baa`, tree `bffbc5e4…`, created 2026-04-03, last push 2026-04-07, public, 2 stars; contents: README.md, VULNERABILITY_REPORT.md 8228 B, THREAT_MODEL.md 12027 B, evidence/) | PENDING (batch 8 anchor script ready) | **Provisional****first US private-sector hardware-vendor PSIRT cryptographic anchor.** Vendor stance per filer (verbatim, preserved without endorsement): *"them claiming diamin awareness, not tehncialy discsyting or anything at all.. comelte bs"* — Broadcom's surface reply (domain-awareness acknowledgement) AND filer's characterization (substantive rejection) are both recorded. Reply body PGP-encrypted to filer's key. No exploit code shipped; repo + folder follow no-payload rule. Upgrades toward Strong on CVE assignment or vendor public advisory referencing BCM4387 coexistence SRAM. |
| `TRACK-B-Apple-CVE-2023-41064-Patch-Bypass-iOS-26-2-1` | (pending — no `*.apple.com` or VulnCheck-broker inbound `.eml` yet staged) | Filer outbound disclosure 2026-02-09 to Apple PSIRT via VulnCheck (BLASTPASS V2 markdown, 4710 B) + filer rebuttal 2026-02-13 20:47 EST (5340 B) + **paired binary `tracev3` artifacts with internal cryptographic-consistency anchor** (Build 23C71 trace SHA-256 `905b5cc8…` is cited inside the disclosure markdown; Build 23D127 trace SHA-256 `161df0cb…` is cited inside the rebuttal markdown — both match staged-file hashes byte-for-byte); 350-byte audit-tool stub `check_offsets.py`; filer maps five Apple iOS 26.3 CVE remediations (CVE-2026-20675 ImageIO, CVE-2026-20677 Messages-sandbox, CVE-2026-20678 Wallet/PassKit, CVE-2026-20634 ImageIO memory-handling, CVE-2026-20667 libxpc) onto the four subsystems named in the 2026-02-09 disclosure, with the iOS 26.3 release (2026-02-11) landing 2 days **before** Apple's 2026-02-13 written rejection | PENDING (batch 9 anchor script ready) | **Provisional** — closed-loop self-hash anchor between filer outbound documents and binary artifacts. Vendor stance preserved verbatim (Apple PSIRT 2026-02-13 17:14 EST: *"standard system behavior"* / *"no technical validity"*). The temporal-convergence claim (Apple iOS 26.3 release 2026-02-11 lands between filer's 2026-02-09 disclosure and Apple's 2026-02-13 rejection) is independently verifiable from Apple's own published security-update release dates. Per filer instruction, the paired private GitHub repository is **NOT referenced** in this folder, the ledger entry, or the anchor script. Upgrades to Strong on (a) `*.apple.com` DKIM-signed inbound, (b) Apple security-advisory cross-reference, or (c) third-party reproduction of the offset-displacement claim. No exploit code shipped. |
## What "bulletproof" requires going forward (per case)
For every case folder still labeled **Stub** or **Provisional**, the upgrade path is:
1. Drop the agency's **inbound acknowledgement `.eml`** (NOT the outbound copy — outbound has no signature you control). One per case.
2. Drop the **portal confirmation PDF** if the agency issued one.
3. If the agency uses a portal-only system (no email), drop a screenshot of the case page AND the case-page URL pattern that only the agency's server produces.
4. Run `ANCHOR-COMMANDS-*.sh` locally to attach `.ots` + `.asc` to every artifact.
Each inbound `.eml` you drop converts one Provisional case into Strong. The system is designed to absorb dozens of these without restructuring — just drop them, the intake workflow catalogs them.
## Reconciliation issues still open
1. **PGP key reconciliation:** canonical `4A04…2D11` vs. secondary `6DCB…DAF6`. Both the 2026-05-11 FCA supplement AND the 2026-04-27 OLAF reply ship the secondary fingerprint. Cross-attest both keys (sign each with the other) or formally retire one. See `canonical/index.md`.
2. **Running-Ledger `.asc` is 0 bytes** — needs re-signing.
3. ~~**Lithuania row hash mismatch** in ledger vs anchor2.txt.~~ **RESOLVED (this audit pass)**: ledger row #20 prefix `603409f4b01b` matches actual SHA `603409f4b01bfed46d22d7129ec22a1969f1a32921654b3559febbd4e62bc17d` byte-for-byte.
4. ~~**`TRACK-A-OLAF-Ref-00Db00K8yP` vs `TRACK-A-FCA-BoC-StanChart`** — reconciliation needed.~~ **RESOLVED (batch 4)**: FCA inbound `.eml` exposes `X-Sfdc-Lk: 00Db0000000K8yP` + `X-Sfdc-Entityid: 500Sk000019RuGn` — these are FCA Salesforce-internal Org-Link + Entity-ID, NOT an OLAF case number. The mislabeled `TRACK-A-OLAF-Ref-00Db00K8yP` folder has been **deleted** and replaced with `TRACK-A-OLAF-Mandelson-Carbyne` (the actual OLAF case is keyed by subject + Message-Id, not the `00Db*` prefix).
## Anchor scripts ready to run locally
- `evidence/ANCHOR-COMMANDS-2025-05-18.sh` — Track B batch (7 unique files across two cases)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch2.sh` — Track A batch (7 files across three cases: SEC TCR, FCA BoC, CPIB)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch3.sh` — mixed batch (7 files across three cases: NASA JPL TLS Track B, Japan ISA Track A, Taiwan NCC Track A)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch4.sh` — batch 4 (9 unique-content files across seven cases: FCA, CPIB, OLAF-Mandelson, DOE-NE, TW-NCC Fa-Wen, SK-GenPro potvrdenka, DOE-417)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch5.sh` — batch 5+6 (11 unique-content files across eight cases: SK-PP, MA-AGO ack + report, OLAF-inbound, DOJ-FARA, DOE-EOC, Paris PNF outbound+inbound, Ossoff Senate outbound+inbound, LT-PAIS transmittal)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch6.sh` — batch 7 (5 unique-content files across two cases: TRACK-B-MSRC-112639 VUIT precursor + MSRC Update-1 zip + bin-payload zip + GitHub repo snapshot, and TRACK-A-Colombia-Consulate-Atlanta hand-delivered referral PDF)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch7.sh` — batch 8 (2 net-new unique-content files across two cases: TRACK-A-USN-InsiderThreat-AirCenter-Tinney outbound and TRACK-A-IRS-FORM-211 Form-211 packet PDF)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch8.sh` — batch 9 (5 net-new unique-content files across two cases: TRACK-B-Broadcom-BCM4387-BroadScope outbound headers + inbound .eml + inbound headers, and TRACK-A-CISA-INC0625285-iOS-Bypass inbound .eml + inbound headers)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch9.sh` — batch 10 (9 net-new unique-content files across two cases: TRACK-B-Apple-CVE-2023-41064-Patch-Bypass-iOS-26-2-1 with 6 staged artifacts including 2 binary `tracev3` captures, and TRACK-B-IC3-067b3177c3524c80bce02cca08064d11 Stub-to-Provisional upgrade with 3 staged iDrive-Exfil bundle artifacts)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch10.sh` — batch 11 (2 net-new unique-content files across two cases: TRACK-B-CNVD-2025-06744 and TRACK-B-CNVD-2025-07885 sovereign-CERT certificate PDFs)
- `evidence/ANCHOR-COMMANDS-2026-05-18-batch11.sh`**NEW** — batch 12 (2 net-new unique-content files in one case: TRACK-A-FCA-BoC-StanChart 2026-05-08 named-officer substantive inbound + 2026-05-13 named-officer supervisory-referral attestation inbound, both DKIM-signed by `fca.org.uk` selector `intactfcaorguk2`)
After running all eleven, **65 source files** will carry `.ots` + `.asc`. Run `ots upgrade *.ots` ~1h later (then again ~24h later if not yet confirmed) to attach the Bitcoin block-header attestation to each.
## Cumulative Tier-1 DKIM-signature domains (18 total, as of batch 10 — no new DKIM domains this batch; two new non-DKIM anchor classes recorded below)
| Domain | Selector(s) | Bits | Jurisdiction | First batch |
|---|---|---|---|---|
| `cert.org` | (CERT/CC) | — | US (CMU SEI) | batch 1 (Track B) |
| `amazonses.com` | ×3 selectors (CERT/CC + CPIB) | 1024 | (transport SES) | batches 1, 4 |
| `yahoo.com` | (CERT/CC counter-sig) | — | US | batch 1 (Track B) |
| `sec.gov` | `secomms` | 2048 | US SEC | batch 2 |
| `genpro.gov.sk` | `genprogovsk` | 2048 | Slovak Republic GP | batch 2 |
| `ncc.gov.tw` | `google` | 2048 | Taiwan NCC | batch 3 |
| `fca.org.uk` | `intactfcaorguk2` | 2048 | UK FCA | batch 4 |
| `form.gov.sg` | (long) | 2048 | Singapore CPIB | batch 4 |
| `ec.europa.eu` | `s2601` | 2048 | **EU (OLAF)** | batch 5 |
| `usdoj.gov` | `doj` | 2048 | **US DOJ (FARA)** | batch 5 |
| `doe.gov` | `q2-2024-pp` | 2048 | US DOE (EOC NA-40) | batch 5 |
| `hq.doe.gov` | `selector1` | 2048 | US DOE HQ | batch 5 |
| `onbaseonline.com` | `2k20x` | 2048 | MA AGO (Hyland OnBase) | batch 5 |
| `justice.fr` | `pfai20240130` | 2048 | **French Ministry of Justice (PNF)** | batch 5+6 |
| `senate.gov` | `senate-pp2408` | 2048 | **US Senate (Ossoff office)** | batch 5+6 |
| `vanderbilt.edu` | `selector1` | 2048 | **US higher-education (Vanderbilt University IT / VUIT TeamDynamix)** | batch 7 |
| `broadcom.com` | `google` | 1024 | **US private-sector hardware-vendor PSIRT (Broadcom Inc.)** | batch 9 |
| `associates.cisa.dhs.gov` | `select1` | 2048 | **US DHS/CISA (contractor tenancy within agency M365 tenant)** | batch 9 |
**Tier 1.5 (agency SPF-pass without DKIM):** `prokuraturos.lt` (LT prosecutor; signed-PDF carries the cryptographic load).
**Tier 1.5 (third-party-verifiable public repo):** `github.com/JGoyd/m365-mime-type-confusion` — public coordinated-disclosure repo paired with `TRACK-B-MSRC-112639`; head commit `c4bca665…`, stego-withdrawal commit `a75ce46a…`. **Also**: `github.com/JGoyd/BroadScope` — public coordinated-disclosure repo paired with `TRACK-B-Broadcom-BCM4387-BroadScope`; head commit `ba55b3f3c86b60ed63890a8c0f0f650c926f3baa`, tree `bffbc5e4c458fdcd057db0f2c694c38f5bfabfb5`, created 2026-04-03T18:57:56Z, last push 2026-04-07T15:50:18Z, public, 2 stars. **Also**: `github.com/JGoyd/iDrive-Exfil` — public repository paired with `TRACK-B-IC3-067b3177c3524c80bce02cca08064d11`; **its public description field literally contains the IC3 Submission ID `067b3177c3524c80bce02cca08064d11`**, providing public-internet long-lived corroboration of the server-issued FBI submission token (visible since 2026-01-08T23:17:45Z, tree `810ab171bcefaff7942ebea0388fbec17214355a`, last push 2026-04-07T15:35:51Z, 1 star). This is the **first Tier-1.5 anchor in the system that uses a public-repo metadata field (not content) to corroborate a server-issued agency ID** — a distinct anchor class from the content-snapshot pattern used by MSRC and BroadScope.
## New non-DKIM anchor class added in batch 11
| Class | Tier slot | First case | Why it's a separate class |
|---|---|---|---|
| **Sovereign-CERT original-vulnerability certificate** | Tier 1 (substantive issuing-body finding) | `TRACK-B-CNVD-2025-06744` and `TRACK-B-CNVD-2025-07885` | The artifact is the issuing body's formal certificate naming the contributor under a sole-namespace server-issued certificate number. Distinct from DKIM-attested email (which proves message emission) and from public-repo content/metadata anchors (which prove third-party platform visibility) — the certificate document itself records a finding by CNCERT/CNVD that the named contributor's submission was recorded as an original-vulnerability contribution. Does NOT adjudicate vendor liability, patch mapping, or exploit reachability; Track B standing disclaimer applies. |
### Credit-asymmetry observation (filer-attested cross-reference, recorded as context not finding)
The Glass Cage flagship folder `TRACK-B-CVE-2025-24085-24201-43300` documents that Apple's public security advisories credit other reporters for the underlying CVE-2025-24085 / CVE-2025-24201 / CVE-2025-43300 patches, and CISA has not formally acknowledged the filer's contribution either. Within the same 2025 timeframe, CNCERT/CNVD issued two formal original-vulnerability certificates to the filer (this batch). The filer attests the CNVD entries cover the same underlying material as the Glass Cage CVE cluster. This is preserved as **filer-attested context** and is NOT an adjudicated CVE↔CNVD mapping; the CNVD certificates themselves do not assert any CVE-ID cross-reference.
## New non-DKIM anchor classes added in batch 10
| Class | Tier slot | First case | Why it's a separate class |
|---|---|---|---|
| **Closed-loop self-hash anchor** | Tier 2.5 (between server-pattern IDs and OTS+PGP) | `TRACK-B-Apple-CVE-2023-41064-Patch-Bypass-iOS-26-2-1` | Filer outbound disclosure documents cite SHA-256 hashes of binary artifacts inside their own body text. Any reader can recompute the hashes on the staged binaries and verify byte-for-byte. Defends against post-hoc artifact substitution at the cost of being one-party-generated. |
| **Public-repo-description corroboration of server-issued agency ID** | Tier 1.5 (distinct from content snapshot) | `TRACK-B-IC3-067b3177c3524c80bce02cca08064d11` | The agency-issued ID is embedded in a public-repo metadata field (description, not content), making it indexable by general internet archive services without requiring repo cloning. Survives even total content-bundle loss as long as one archive snapshot of the repo's metadata page exists. |
## Deferred items
**None.** The three Microsoft files deferred from batch 4 (*"focus on all of the file except for the last 3 microsoft ones..we can take that nice and slow"*) are fully processed in batch 7 (MSRC + Colombia). The pairing stub `TRACK-B-MSRC-112639` has been upgraded to Strong on the Vanderbilt `vanderbilt.edu` DKIM precursor anchor.
## Re-export collisions and byte-identical duplicates tracked
| Ledger # | Type | Canonical staged path | Notes |
|---|---|---|---|
| #63 (batch 8) | Re-export collision | `TRACK-A-DOE-NE-2026-05-02/evidence/DOE-NE-CFIUS-FINCEN-referral-2026-05-02.eml` | Second Proton export of the same nuclear-referral outbound; identical Message-Id and headers; only MIME boundary differs. Same send. Not re-staged. |
| #64 (batch 8) | Byte-identical duplicate | `TRACK-B-DOE-417/evidence/DOE-EOC-NA40-acknowledgement-2025-12-25.eml` | Re-affirmation of the canonical DOE EOC NA-40 Christmas inbound (SHA `5a8ff29de877…`). Not re-staged. |
Reference in New Issue View Git Blame Copy Permalink