Analysis of Remarks by SAC Greg Bretzing at a Press Conference to Address the Ongoing Situation at the Malheur National Wildlife Refuge

With little fanfare, this is a raw analysis of the press conference that went with the release of Remarks by SAC Greg Bretzing at a Press Conference to Address the Ongoing Situation at the Malheur National Wildlife Refuge written statement present by FBI Portland
January 28, 2016

I will make it as easy to digest as possible within time constraints. This is not a polish piece. This is intended only to document in the most immediate fashion. If it warrants being polished this will be the draft it comes from. To use this analysis, please contact me. All rights reserved. This is the intellectual property of the Julia Clark Organization.

The source of the analysis is from shuff1111 of youtube. I do not know him. He only by chance was one of the first to have the Video of the press conference up. What I do find odd is that the press conference was not recorded and posted by any known agency or corporate media. Thank you shuff1111 for your service.


This is the Analysis derived: 

I have highlighted or noted points. This is not intended for laymen explanation. Please ask if you need more explanation or are curious about a highlight or note. 

1:10 trips over the word transparency

1:37 trips over the word several

3:42 video stream fails

3:42 says “Shortly the camera will pan back to” the video feed does not pan when it returns.

3:53 the video feed returns.

3:53 He says, “Oh, heads up.”

4:06 He says, “The camera is panning back to the jeep at this point.”

12:52 He states Oregon State Troupers were the ones that fired the weapons.

13:43 He uses “Umm” and tightened lips and sucked them inward

13:44 Shakes his head in a no fashion

13:47 He says, “That law enforcement showed great restraint while holding his hand in front of him in a barrier type way

13:50 He says “Then when the vehicle, then took off.” his voice quivers

13:51 Uses ‘Ummm”

13:52 He says, “you could see that it just about seriously injured, ahh, a law enforcement officer.”

13:53 a micro head shake

13:58 he says, “as its, as it barrels toward”

14:01 he says, “And that umm” pursed his lips together

14:06 He says, “based on the deadly force policy of the FBI and OSP Umm ahh that “

14:06 and extended blink

14:17 Uses “Umm” then says “as you can see afterwards and as I explained in the video, those pops and sounds that umm. Of course, there is no sounds in the video.”

14:28 He says, “flash bangs, ahh, sponge projectiles that pierce the window and oc gas

14:44 shakes head

14:44 He says “all occupants in the jeep surrendered without incident” shakes head again

14:50 He says “ahh with no violence”

15:00 smiles

15:06 Purse and smacks lips, their latest.

16:48 Serious look, looks, down and to the right, takes a deep breath uses “Umm” 3 times while explaining

18:23 He is asked if this is a stop for a traffic violation. The question clearly amuses him. He first clearly states, “no.” then says, “Not that I’m. Well, then. You know what, I don’t know, there might have been” takes a ha, “that was not the purpose of the call err the stop”

  • This is troubling. He clearly and jovially changes the case file to fit his theory. He says,”No.” firmly, then catches himself. Dismisses himself and stops that dismissal midsentence. then moves to the willing chair with the statement, “well, then”, and  makes a choice to fudge the records with the justification, “You know what” statement, then proceeds to change the record.
  • However, his utterance and mistaken word of using call instead of stop. Highly suggests that  that the call the Bundy’s had hours before from the FBI negotiator was also a fabrication and not in good faith.


18:29 He takes a question about distance. He says that he “You know, the exact distance, I can’t tell you. That’s why we actually show you the video. You can tell that a period of time went by and that they were traveling at a high rate of speed. Umm. He purses lips and licks them. “And they had plenty of. And again they were, they were stopped for well over four minutes. And then they chose.. as I said two nights ago or last night.” smacks lips, “Actions have consequences”

19:19 stumbles over the word truck, using car instead and correcting himself.

19:23 he says, “And is currently in our custody, umm” then purse lips

19:34 he says, “But umm as the video clearly shows”

Screenshots of questionable moments.

These are points noted while watching of questionable moments.


This is not inclusive of all points of analysis.





WikiLeaks posts ‘weaponized malware’ for all to download | ZDNet

Taking a look at it…

There are several components to this package. It’s not just one piece. There is an usb infection method along with accompanying 8g usb flash drives. There is an ISP method placed at the ISP acting as a man in the middle. There is an automated LAN/WAN component. There is the Web component (which was leaked first called FinFly-Web and appears to have been the actual demonstration copy) which included injection methods to infect a page itself. The test demonstration was on The web infection method masquerades as a Java, Flash, Realplayer and Chrome updates or a Missing Codec. I’m sure you have all seen this just about anywhere you surf the net. This was not sold ONLY to foreign governments and key information is being left out of the article above. There is also a point and click server interface that acts as a typical C&C type trojan also allowing a customized attack according to the target and vulnerabilities of that machine. There are also mobile payloads for all mobile os’s even blackberry. The web infection includes payloads for ALL os’s. not just windows. MAC and linux as well. The IOS infection requires the device to be jailbroken in order for most functions to work. All information can be found on the internet already as well as GammaGroup admitting the have “run out of governements to sell to” According to their twitter posts they have also begun selling to Security companies. The actual Product Flying states an intrusion can also be accomplished without knowing anything of the target but an email address. FinFisher V1 was detectable by only 6 out of 54 major AV products, V2 is undetectable by all AV products that exist. Since most are gullible and click when it says your “whatever” is out of date, it will install a RAT (Remote Access Trojan) to the system allowing monitoring (among other things) at will. There are articles from it’s first appearance on the net and a complete breakdown of it parts and methods that are dated several years ago and code is similar to other nation/state infections we have seen in the past. I wish, when people tell the story, they would tell the WHOLE story and not just bits and pieces. Entire package contents are listed in the Product brochure as following : (and it disgusts me to know all of this…)

Tactical IT Intrusion Portfolio

FinIntrusion Kit

FinUSB Suite


Remote Monitoring & Infection Solutions

FinSpy .


FinSpy Mobile

FinFly .

FinFly USB

FinFly LAN

FinFly Web

FinFly ISP

IT Intrusion Training Program

Basic & Advanced Intrusion

Wireless Intrusion

Practical Exploitation

Web Application Penetration

Custom IT Intrusion Training & Consulting

They also provide a cd that will bypass the windows logon process so as not to require the targets password to gain physical access to the machine. The master server is setup to allow anyone with no experience to use and craft attacks with 0 experience in hacking. Making this a script kiddies wet dream. Hence why information is all over the net.


16 September, 2014 17:42

Reply 11 Votes

via WikiLeaks posts ‘weaponized malware’ for all to download | ZDNet.

You Need To Quit Using Skype.

For the most part you should not use Skype. The exception being a media event or with people you know and trust their security levels.

I am not going to say Google is better, but it is what I use “when need be.”  The key words being “when need be” For the most part your camera should be covered and only used for common matters.

I have not conducted exploit research on Skype since the Yahoo exploits of 2008. However, every now and again I check to see what exploits are availed in the wild. And there is always some major hole.

Awesomely enough, now there is a handy-dandy automated open source tool to slurp up that last little bits of your data, profiles, contacts, messages, and calls.

I am of course being very jovial  .  I do not wish to slurp up your data; well… unless need be.

All silliness aside, the tool is useful in some aspects of research and forensics.  Of course it should not be used without authorization because it would be a violation of privacy.

Skype Freak by Osanda Malith

Skype Freak by Osanda Malith

Yahoo! blocks! Google! and ! Facebook! from! grabbing! ID! goodies! • The Register

Yahoo! blocks! Google! and ! Facebook! from! grabbing! ID! goodies! • The Register.

This is noted because three of the IDs that were connected to the exploitive use of SONYs data bases were known sport fanatics and made extensive use  of Yahoo!’s fantasy football tourneys across many forums to develop, nurture, and groom relationships. It is unknown if these forums enacted different security measures after the snowden revelations.  It is unknown the extent Yahoo! has addressed, secured, and changed security policy, if at all, concerning its user data and access to sub-networks and infrastructure networks. The exploits have not been probed in over a year and not released into the general knowledge base (wild) for other researchers.

Is Chrome Sync a Bad Idea?

Is Chrome Sync a Bad Idea?


Do you have a friend that is an activist, a friend of a friend, a friend of a friend of a friend, or a friend of a cousin that met your dog once. That might be reason enough to have what is called a “look see”. With rhymes with Goatsee and is about as pleasant.

You get notice saying , “You have logged out from another location. Do you want to log in again?” But wait, you are not signed into any other computer.

Google makes it easy to address security. Go to: Security Screen


We are going to discuss these areas. On the Password section, if you have not changed your password change it now.

Enable 2-step verification.

2 step verification

With the 2 step verification set your primary number and your backup number. Decide how your codes will be sent. And hard copy print a set of backup codes. & put them in a safe spot that you will remember where during a stressful time. Keep them under lock and key if you like or need to.

2 step verification trusted computers

I recommend not having any trusted computer. Especially, if you had any unusual activity, even logging in on a date you d not recall, on your usage history. It is not that inconvenient and is good security. I also recommend getting a cheep phone that is for your various 2 step log-in.

I am not going to do a screen capture of app password settings. Nevertheless , go through your apps and revoke anything you do not recall.

Check your recent activity. It is here that you will note any unusual activity. Err on the side of caution. It is OK after you have finished the above to change you pass word again.

If you have had the notice saying , “You have logged out from another location. Do you want to log in again?” you need to de-sync. You’ll do that under your chrome settings. You should be very familiar with your chrome settings, but if not it is the three bars in the top right hand corner of your chrome browser.

Fullscreen capture 12212013 24110 AM

Then select Advanced Sync settings.


In there deselect everything but one something unimportant to you. I choose Auto fill because most of that is public information or not saved.

Sync settings











You can change your password again and call it a session.

Cheers and happy sailing.


Backdoor Breach –

November 22, 2013

Report: Backdoor evidence observed:

I received an email yesterday from Team [redacted]:

We are currently investigating a security breach whereby some user’s login details may have been compromised. We currently have no indication that there has been any unauthorised activity on your account. Protecting our customer’s accounts is important to us.

The current investigation relates to an event that occurred in January 2013, upon which we advised you to change your password. Our records indicate that your password was reset based upon our prior notification to you.

I replied:

I did not receive any notice in Jan 2013 to change my password. 

They replied:

Thank you for contacting us.

We are sorry to hear about this problem. There are 2 possible reasons why
you may not be receiving some of our emails:

I did double check and responded. The incident ticket is still open and under investigation.

I had been suspecting breach of my box for a week or so. However, the above correspondence suggests I have had a backdoor on this box since January 2013. Reasons being I did not receive the security breach mail in January 2013. I use different passwords for all sites. None of them are recorded in digital form other than at the site itself. I do occasionally check the records of what Ips have connected to under my passwords and user names. I had not noted any unusual traffic. I have experienced low level events that caused me to check IP usage out of normal sequence. I did not note anything out of place.

I have been noticing unusual behavior from certain programs, such as [redacted] [redacted] and my spell check program connected to browser as if the dictionaries had been altered.

Maybe, a month or so ago I did have to wipe/reset my phone because it had become almost unusable. It would take a screen-shot when I pressed the right hand side button instead of coming out of sleep. It had gotten so bad I could not answer calls. – Note yesterday I experienced the screen-shot malfunction again. The only application I have installed other than what was issued with the phone is from June Fabrics. They will be notified of this security anomaly.

Last night I discussed the [redacted] breach, the anomalies on my box and phone, and other events that were disruptive financially and physically.

I pointed out that the backdoor I suspected and anomalies I am experiencing is related to a profile that sent a friend request to my facebook where by as I made an announcement to my contact list and specifically to friends and family that.

Important note: I went to find the post on my facebook profile to include it in this report. I could not locate it. I have requested my niece to review her time line for it. I recall she liked the post.

However, at this writing the post warning my friends and family that a known stalker of mine had made contact is missing from my timeline on facebook. The known stalker profile mentioned in the missing post is the same profile that I mentioned to [redacted] noting that the known stalker’s MO was backdooring box(es).

This morning when checking [redacted] [redacted] admin page I noticed that the some of the notifications had been marked as read. My computer would not let me take a screen shot.

I made a post on facebook about the backdoor. The [redacted] I use, which is [redacted] to the computer, vibrated, switched screens, and brought up the settings bar from the bottom. In other words, it appeared to be disengaging from remote after I had made my post about the backdoor.

When I could not take a screen shot, I used my camera phone. When using the camera on the phone twice the camera on the phone shut down. Nevertheless, I got the photos of the screen showing notification being one hour old and already read when I had just woken from over a four hour sleep.

Other anomalies I have noticed is with the spell check feature it appears as if it selectively works or in other words in real time words that I am not spelling correctly are not being allowed to be corrected. I can click on the corrected word but the incorrect word will not correct. This appears to be around words that are common and I should know, and if the word is uncommon or very difficult it will correct, then the next word would not. This has been going on for over two weeks. It is not consistent, suggesting that it is real time manipulation. This occurs in [redacted] and the browser spellcheck.

Also, in the [redacted] I have noticed that at times spell check and grammar check will not work at all. Though not witnessed as often, it does appear to happen when I am working on controversial documents.

I checked facebooks machines that are logged in under me. There was an extra one that appeared to be from the same location as me. I do not know if this is unusual because such has been usual for me in the past.

Also, when updating adobe recently it tried to update my box as a Linux OS box. I do not use, nor have downloaded, nor to my knowledge have Linux OS.

End Report.

Julia Clark

This slideshow requires JavaScript.


Update Nov 23 2013

I have an obscure blog at  Generally it is poems, free audio ebooks, and stichomancy. Nonsensical stuff at best. Emotive stuff. I put it at to make it difficult to lose. As can be noted, my emotive blogs have repeatedly been subject to harassment, hostile takeover, and the likes.

I went to write stichomancy this morning and noted that a linux box had an interest in one journal entry.

This slideshow requires JavaScript.

I am fortunate they were the only visitors. Usually I have somewhat high traffic there.

Which brings me to another issue that needs documentation.  Dominic Morris noted that was was coming up as internl server error, which would be kind of strange because all the server does is a redirect .

Fullscreen capture 11232013 64637 AM.bmp






The screen capture above is for the month of November 2013