Hacker News
Malware researcher Dancho Danchev gone missing since August (zdnet.com)
202 points by AndrewWarner on Jan 14, 2011 | 41 comments


This is worrisome; I am curious whether publicizing his case may make matters worse rather than better. I would also be curious to see if someone could manage to contact relatives or friends in the area.


The ICC color profile in the PNG has a copyright string of Apple 2011. If he took them mid-last year, this doesn't make a ton of sense.

Perhaps someone at ZDNet re-saved them. If that is the case, they should release the originals.


The article makes it sound to me like the original letter/photos were actual printer/paper, not digital.


This is a quite common view of halogen light wiring here (Bulgaria). I have the same in my bathroom. The first photo is a standard transformer and the second photo is a job done by some electrician not doing his job well. I do not see anything suspicious. And yes, we are EU and NATO members. Most USA citizens visiting here happily spend their time and really enjoy the visit. Without more information on what the case with Dancho Danchev (Данчо Данчев) was, it is nothing more than paranoia.


Have you got one of those transformers too? Is the black double insulated side supposed to be the low voltage or the high voltage side of the transformer?


In Bulgaria there is a list of people declared for national investigation (обявени за национално издирване). On this list there are people who need to be arrested, who need to be witnesses in a case, or who are missing (i.e. they have been kidnapped or have disappeared). If Dancho has truly been missing since September then he should be on that list.

I tried to search for this list online but I couldn't find it (maybe it is not available yet). The article doesn't say anything about the official situation. It will be great if anyone can provide some official information.


A simple explanation of the transformer/wires is that he could be documenting an attempt to electrocute him.


Or, more likely, kill him in a fire that looked accidental.


According to Dnevnik.bg (http://www.dnevnik.bg/tehnologii/2011/01/17/1026425_ekspertu...):

Dancho Danchev, an expert on cybersecurity, has been placed in a psychiatric hospital in Bulgaria. The information was confirmed by two sources of "Dnevnik", although the hospital refused to comment.

[...]

[...]

[...] according to a reliable source of Dnevnik he has been in a Bulgarian psychiatric hospital since December 11.


The electronic transformer looks like it could be used for low-voltage lighting. The wires look like they're running into mini LED or halogen lights.


Both of the photos are confusing, but the photo depicting the wires more so.

If you count the wires it seems right until you notice that the hacked-up blue and white wires are not going to the lighting device at all. Nor is it clear where the power (phase/neutral) is coming from. They go out of the frame to the left, instead.

I'm not sure what I'm looking at, but it looks like something is in the wall that requires power.

A couple of things come to mind:

- The man might be paranoid and mistook sloppy electrical work for evidence of ... something funny? A threat? I tend to think this is unlikely, as he's a security researcher and probably pretty well versed in these things. If he found a bug, taking a picture of it wouldn't mean anything.

- He's being extremely careful and photographed something that would only mean something to someone specific.

- The two wires that are kludged together seem to go into the wall. The white side is taped to what looks like standard romex, which seems to be where the phase/neutral for the lighting fixture comes from, but those wires travel outside of the frame to who knows where.

- The blue wire that's exposed doesn't look like CAT-5, but the color of the shielding is the same color as some bulk CAT-5 used in construction, though joining the wires under that blue tape seems like a really bad way to connect two exposed ends. I'm leaning towards it not being data cable, but being simple copper wire. Which, yes, could carry data.

- It's unlikely that the images contain information that would be easily deciphered. It's an in-case-of-emergency-break-glass message and it's not explicit as to what these images mean. It's probably intentional.

Anyway, fascinating story and I really hope this guy stays safe. Espionage and cyber crime are huge industries full of all sorts of bad actors.


One interpretation of the wiring:

* Wires coming through the wall are mains voltage.
* Exposed wire is ground, the other two are active and neutral. They connect to two white wires.
* These two active and neutral wires are connected to two white wires running into the transformer at the left of the photo (although you can't tell whether anything else is connected left of there).
* A black double-insulated wire comes out of the transformer, and a brown and blue wire come out of the double insulation.
* The brown and blue wires go into the first connector box, which connects via the black double wire to the second connector box.
* Two white double wires come out of the second connector box, one going to each light.

GTV seems like it was a transformer manufacturer - it had a US trademark on the name for manufacturing many things until 2008, including for "electric transformers for lighting lamps".

One weird thing: the transformer purports to be a step-down transformer, but the black cable with blue and brown wires (standard colours for mains active and neutral) connects to the low voltage end, when it is probably supposed to connect to the mains end. It is almost as if the step-down transformer is being used as a step-up transformer. The transformer ratio is between 220V/11.6V and 240V/11.6V - so about 20. 240V*20 = 4800V.

If it was configured to produce 4800V on an easily accessible light, perhaps he is trying to say that someone was trying to electrocute him.

Update: I found this, which I think is a more recent model of a similar transformer, from the same manufacturer: http://gemini-technology.en.alibaba.com/productshowimg/30345... - this seems to confirm that the black double insulated wire is supposed to be the 240V input, not the low voltage output.


One more note about the wiring, it seems to be outside of a bathroom or bathtub of some sort. Note the toilet paper and its reflection in the tile.

I don't know if that's helpful, but it's good to understand all of the details; thanks for your analysis, elbrodeur.


It is not outside the bathroom, this is the lighting in the bathroom above the mirror above the water tap. You see the paper mirrored in the mirror.


I suspect that means someone is supposed to find that transformer. Presumably there may be something of interest with/in/near it. It's easy to hide a microSD.


This sounds more reasonable than thinking that the photos are showing eavesdropping devices.


Presumably? If these photos were taken for proof/evidence they just don't cut it, especially coming from a security specialist/professional.

... Or, they could just be a photos of a shoddy light fixture installation.


I think that's sort of madmaze's point - the presumption being that the photos do indeed come from Danchev and that he is not crazy.


Spy devices are small, right? That's kind of the point. He said that someone might have hidden something small nearby, but if the real thing is small and hidden... why draw attention to it in the first place with a transformer? It doesn't make sense that "it was supposed to be found", as it alerts him to the fact that something's going on.

He would be far from the first geek to be overly paranoid.


The suggestion is that Danchev purposely sent a picture of what is obviously a large transformer hoping or knowing that it would mean something to someone - that the image itself is a message of some sort. I don't think anybody is suggesting that someone "covertly" installed a large transformer in Danchev's quarters to disguise a smaller device nearby.

You're right, it is of course possible that something is getting overanalyzed as we geeks are prone to do, but in the face of what is possibly a bad situation it's worth considering the worst case scenario.


They ARE photos of a shoddy light fixture installation... that is, unless government spying devices are dimmable!

The full text of the image once rotated reads:

ELECTRONIC TRANSFORMER MODEL: TE-60

(20-60W) PRI: 220-240V, 50Hz, CosΦ=0,99 SEC: 11,6V, max. 4.9A Ta: max. 50°C, Tc: max. 85°C

GTV (R)

Dimmable EMC Approved Surge Protection Overload Protection Short Circuit Protection

Symbols: CE, double insulated, don't throw away, and some I don't know.

I can't find it on Google, though.


That is very obviously what the photos appear to be. The discussion here is about whether, as the article claims, there is something else evident/hidden in these photographs.


From what's visible in the second photo, things look fairly legit (albeit shoddy) if the power feed is coming through the wall at the center of the image and the transformer is on the left below the ledge and the wires to/from it are going down through the hole and the wires heading out of the frame to the left are simply a splice between the feed line and the leads on the transformer.

Now if he cracked open the transformer and found a transmitter hidden inside - then it might get interesting...


That transformer is a standard fixture for halogen lights, which are the little circular items with the spring clips.


Could it have been a formerly-proper light fixture installation that had a power wire borrowed to power a recording device?

If I was going to bug someone for a long time, I would not run new wires. I would piggyback off of some other low power device.

He could have gone searching after they removed everything, and looked for something that was spliced.

On the other hand, I would not bug a bathroom. That seems like the worst place to bug.


Changing my vote. I think the guy is nuts and/or running away. Stuff doesn't add up.

- He claims a particular LEO is after him for pro-western views. This is the hardest hit to his credibility. If he said that botnet authors came after him for outing them, that might be plausible. The Belgian government does not hunt and 'disappear' pro-western people.

- There is no stego in this image like some have suggested. If it was in a letter, there is no data to be read. If it did not come from a letter, it was taken recently, according to the metadata. Also, if he is making direct accusations, he is not hiding information. Either the whole message would be cryptic, or none of it. If he isn't afraid to name the guy, he wouldn't be afraid to plainly state that he found a recording device or whatever else.

- He acts like the image has a smoking gun, and it does not.

- He has never had a real, credible job in the industry. See his LinkedIn: http://nl.linkedin.com/in/danchodanchev It's either blogging, or "secret companies". And astalavista, which was warez/script kid forums and stuff.

- His blog is completely full of "cyber jihad" research and discussion of "cyber terrorist" nonsense. http://ddanchev.blogspot.com/


Belgium != Bulgaria

The rest of what you said makes sense, and it is possible that this is a script kid trying to make a name for himself - I would be very wary about making that assumption though without more serious evidence.


Dancho is not a "script kid".

I met him in September in a meeting for international law enforcement. He was lecturing.


I assume you're that Mikko Hypponen?

http://mikko.hypponen.com/


Cool. As I stated above, I did not mean to suggest that he was one, simply that I didn't know enough to take a position.


Nobody who does software security professionally would suggest Dancho is a "script kid". Your first tip-off might have been the article, where you'd learn that his disappearance was featured in the ZDNet security blog, where he is a contributor.


I don't do software security professionally, or have any other way of validating Dancho's legitimacy. It's not that I don't trust ZDNet - I was simply ceding the possibility that the parent was right on that point since I had no "proof" to the contrary. I apologize if it came across as me lending credence to the idea that Dancho may be a hack, I meant it in the sense that I was unable to positively confirm his reputation in the field (since I am not in it) but I should have been more clear :)


Yeah, sorry, I knew it was Bulgaria...just read an unrelated headline about the Belgian government and typed that instead.

I agree, it is worth looking into until there is real evidence either way. Hopefully he will come forward. Someone on twitter did say they heard from him on Dec 15th and he was fine.

My experience with these "independent security professionals" who are heavy on certification alphabet soup/government acronyms, and lacking in real credible work history, is that they are mostly playing "fake it until you make it". This especially applies to bloggers and those who heavily use terms like "cyber warfare" and "cyber terrorism". InfoSec is full of insecure charlatans who are broke or homeless and always making up outrageous nonsense.


Either that or some form of steganography, if the pics were sent in digital and not paper form.


This could also explain why "current situation in my bathroom" is in quotes.


I had trouble figuring out what those photos actually show.


Both of the images are large PNG files, which leaves lots of room for steganographic data. Given that they're meaningless if interpreted literally (but seem to vaguely hint at meaning, which makes them good as red herrings), that seems like the most likely interpretation.

So the question is, who has the key? It seems like if anyone has it, Ryan Naraine should. But if he did, his post would be quite different.
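Two technical claims in this thread can be checked directly from the image bytes: the ICC profile copyright string mentioned earlier (the "Apple 2011" clue for a re-save) lives in the PNG's iCCP chunk, and the amount of data a PNG could carry under naive LSB steganography follows from its IHDR. The following is an added example written for this page, not code from the thread, from Danchev, or from ZDNet. It builds a small PNG and a minimal ICC profile inline (both constructed; the copyright string is a made-up stand-in, not text taken from the real images), walks the chunk stream with CRC verification, pulls the profile's `cprt` tag, and estimates LSB capacity.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Samples per pixel for each PNG colour type (0 grey, 2 RGB, 3 palette, 4 grey+alpha, 6 RGBA)
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def parse_png_chunks(data: bytes):
    """Return [(chunk_type, payload), ...] and verify every chunk CRC.

    A CRC mismatch means the file was edited without recomputing CRCs, which is
    itself worth knowing when you are asked whether an image was re-saved.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk")
        payload = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if stored_crc != zlib.crc32(ctype + payload) & 0xFFFFFFFF:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        chunks.append((ctype.decode("ascii"), payload))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def icc_copyright(profile: bytes):
    """Extract the 'cprt' tag text from an ICC profile (v2 'text' or v4 'mluc')."""
    if len(profile) < 132 or profile[36:40] != b"acsp":  # 'acsp' is the ICC file signature
        return None
    count = struct.unpack(">I", profile[128:132])[0]
    for i in range(count):
        sig, off, size = struct.unpack(">4sII", profile[132 + 12 * i:144 + 12 * i])
        if sig != b"cprt":
            continue
        tag = profile[off:off + size]
        if tag[:4] == b"text":                       # ICC v2: NUL-terminated 7-bit ASCII after 8-byte header
            return tag[8:].split(b"\x00", 1)[0].decode("ascii", "replace")
        if tag[:4] == b"mluc":                       # ICC v4: take the first localised record
            _lang, _country, length, rec_off = struct.unpack(">HHII", tag[16:28])
            return tag[rec_off:rec_off + length].decode("utf-16-be", "replace")
    return None


def png_icc_copyright(data: bytes):
    """Return (profile name, copyright text) from the iCCP chunk, or None if absent."""
    for ctype, payload in parse_png_chunks(data):
        if ctype == "iCCP":
            name, rest = payload.split(b"\x00", 1)  # name, then 1-byte method, then zlib stream
            if rest[0] != 0:
                raise ValueError("unknown iCCP compression method")
            return name.decode("latin-1"), icc_copyright(zlib.decompress(rest[1:]))
    return None


def lsb_capacity_bytes(data: bytes) -> int:
    """Upper bound on bytes hidden with one LSB per sample (palette images excluded)."""
    for ctype, payload in parse_png_chunks(data):
        if ctype == "IHDR":
            width, height, _depth, colour_type, *_ = struct.unpack(">IIBBBBB", payload)
            if colour_type == 3:
                return 0  # flipping palette indices is visible, not a realistic carrier
            return width * height * CHANNELS[colour_type] // 8
    raise ValueError("no IHDR chunk")


# ---- constructed sample input (not the real images) ----
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_fake_icc_profile(copyright_text: bytes) -> bytes:
    """Minimal ICC v2 profile: 128-byte header plus a single 'cprt' tag of type 'text'."""
    tag_data = b"text" + b"\x00" * 4 + copyright_text + b"\x00"
    table = struct.pack(">I", 1) + struct.pack(">4sII", b"cprt", 144, len(tag_data))
    header = bytearray(128)
    struct.pack_into(">I", header, 0, 128 + len(table) + len(tag_data))
    header[36:40] = b"acsp"
    return bytes(header) + table + tag_data


def build_sample_png(width: int, height: int, copyright_text: bytes) -> bytes:
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB, no interlace
    iccp = b"Sample profile\x00\x00" + zlib.compress(build_fake_icc_profile(copyright_text))
    scanlines = b"".join(b"\x00" + b"\x80" * (3 * width) for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"iCCP", iccp)
            + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b""))


SAMPLE_PNG = build_sample_png(640, 480, b"Copyright Apple Inc., 2011")  # made-up string

if __name__ == "__main__":
    print(png_icc_copyright(SAMPLE_PNG))
    print(lsb_capacity_bytes(SAMPLE_PNG), "bytes of naive LSB capacity")
```

Run against a real file by replacing `SAMPLE_PNG` with `open(path, "rb").read()`. The copyright string only tells you which profile was embedded, which points at whatever tool last wrote the file; it says nothing about when the photo was taken. Likewise the capacity figure is just an upper bound for the simplest embedding scheme and is not evidence that anything is hidden; answering that would need statistical tests on the pixel data, not chunk parsing.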


Why is “current situation in my bathroom” in quotes like that?


If "several" photographs were attached to his pleas for help, why did they elect to only include two of them?


I don't mean to insult Mr. Danchev, but let's not dismiss the most obvious answer: He may be having psychological issues or otherwise be pulling some shenanigans.

There's no evidence to suggest otherwise at this point in time. The pictures don't suggest anything to me and he's perfectly capable of not answering the phone, email, or instant messages.

I hope he is ok, both physically and mentally.


If you're going to downvote me into oblivion at least counter my points with facts. What does the real evidence show here?



