16 October 2001: See Safeweb explanation of Anongo.com having a DoD address.
13 October 2001: Add data showing Anongo.com is Department of Defense domain.
13 October 2001: Add reader comment.
13 October 2001. Thanks to SC.
This relates to the leak of an alleged secret RIAA meeting and the tracing of that leak:
http://cryptome.org/riaa-secret.htm
SC's IP address replaced by xxx.xxx.xxx.xxx
Comments welcome, especially on the collection of user data by Safeweb and other anonymizers; send to: [email protected]
13 October 2001
I've tuned in late to the RIAA/Safeweb thing, but I'm chiming in with my bit.
Tracing from Safeweb.com is an interesting exercise; the geography is very typical of the Internet backbone and the router hops packets take.
I wrote a script to mail all possible headers from a connecting browser to myself. I installed it on my server
http://xxx.xxx.xxx.xxx:8140
and then connected from Safeweb.
The Safeweb anonymizer uses a caching proxy server, listening for connections on several IPs; it preserves client headers while obviously changing the IP of the originating connection; it preserves many of the originating headers; it adds some new headers.
Here's the output:
GATEWAY_INTERFACE..........CGI/1.1
REMOTE_ADDR..........64.124.150.136
DATE_LOCAL..........Saturday, 13-Oct-2001 01:22:45 EDT
REQUEST_METHOD..........GET
QUERY_STRING..........
DOCUMENT_URI........../index.html
HTTP_ACCEPT..........image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
REMOTE_PORT..........2513
SERVER_ADDR..........142.204.119.75
HTTP_ACCEPT_LANGUAGE..........en-us
HTTP_CACHE_CONTROL..........max-age=259200
REDIRECT_STATUS..........200
HTTP_ACCEPT_ENCODING..........gzip
SERVER_NAME..........xxx.xxx.xxx.xxx
HTTP_X_FORWARDED_FOR..........127.0.0.1
SERVER_PORT..........8140
DOCUMENT_NAME..........index.html
HTTP_IF_MODIFIED_SINCE..........Sat, 13 Oct 2001 05:15:44 GMT; length=853
REDIRECT_URL........../
DATE_GMT..........Saturday, 13-Oct-2001 05:22:45 GMT
SERVER_PROTOCOL..........INCLUDED
HTTP_REFERER..........http://xxx.xxx.xxx.xxx
HTTP_USER_AGENT..........Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP_CONNECTION..........keep-alive
REQUEST_URI........../
HTTP_HOST..........xxx.xxx.xxx.xxx:8140
HTTP_VIA..........1.0 anongo.com:3128 (Squid/2.3.STABLE3)
The last one in the list is the flavour of proxy Safeweb uses:
Squid/2.3.stable3
And the DNS name of the source box for the HTTP request is anongo.com, which I don't believe showed up in your trace logs. [See http://cryptome.org/riaa-safeweb.htm]
Basically a caching proxy server's header set.
The authoritative name servers for anongo.com are
ns3.above.net
www.anongo.com redirects to Safeweb. The boxes are standard UNIX/Apache with SSL. They have written scripts to replace the originating address header and keep track of the connection, receive requested files to their cache, and then serve from that cache to your browser.
The Safeweb machines would absolutely be configured to do sophisticated logging; there is no free lunch on the Net. While they appear to do a nice job, their server logs would be a goldmine. Everyone who uses a commercial web browser agrees to have their information gathered the first time they use the Safeweb browser - do you want to continue? When you say yes, you mean it!
From NSI Whois on Anongo.com:
Organization:
Jon Chun
Jon Chun
1085 Keith Av
Berkeley, CA 94708
US
Phone: 510-558-6918
Fax..: 650-618-1708
Email: [email protected]

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com

Domain Name: ANONGO.COM
Created on..............: Tue, Jul 11, 2000
Expires on..............: Fri, Jul 11, 2003
Record last updated on..: Tue, May 01, 2001

Administrative Contact:
Jon Chun
Jon Chun
1085 Keith Ave
Berkeley, CA 94708
US
Phone: 510-558-6918
Fax..: 650-618-1708
Email: [email protected]

Technical Contact, Zone Contact:
Register.Com
Domain Registrar
575 8th Avenue - 11th Floor
New York, NY 10018
US
Phone: 212-798-9200
Fax..: 212-629-9305
Email: [email protected]

Domain servers in listed order:
NS.ABOVE.NET 207.126.96.162
NS3.ABOVE.NET 207.126.105.146
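As an added example (not SC's script, and not code from Safeweb or Anongo), here is a small Python parser for the dotted KEY..........VALUE dump above. It separates the fields, breaks the Via header into version, relay host:port and software comment, and reports what the receiving web server can and cannot learn about the origin of a request relayed through this proxy. The sample dump is a trimmed, constructed copy of the output shown above.

```python
import ipaddress
import re
from typing import Dict

# Constructed sample input: a trimmed copy of the flattened CGI environment
# dump above, in the same KEY..........VALUE layout.
SAMPLE_ENV = (
    "REMOTE_ADDR..........64.124.150.136 QUERY_STRING.......... "
    "HTTP_X_FORWARDED_FOR..........127.0.0.1 "
    "HTTP_USER_AGENT..........Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) "
    "HTTP_VIA..........1.0 anongo.com:3128 (Squid/2.3.STABLE3)"
)

# Each field starts with a CGI variable name followed by a run of dots.
_FIELD = re.compile(r"\s*([A-Z][A-Z0-9_]*)\.{5,}")
# RFC 2616 Via syntax: [protocol/]version received-by [(comment)]
_VIA = re.compile(r"^(?:[A-Za-z]+/)?([\d.]+)\s+([^\s(]+)(?:\s+\((.*)\))?$")


def parse_env_dump(text: str) -> Dict[str, str]:
    """Split the dotted dump into a name -> value mapping; empty values are kept."""
    parts = _FIELD.split(text.strip())
    # parts[0] precedes the first name; the rest alternates name, value, ...
    return {name: value.strip() for name, value in zip(parts[1::2], parts[2::2])}


def parse_via(via: str) -> Dict[str, str]:
    """Extract version, relay host, port and software comment from a Via value."""
    m = _VIA.match(via.strip())
    if not m:
        return {}
    host, _, port = m.group(2).partition(":")
    return {"version": m.group(1), "host": host, "port": port,
            "software": m.group(3) or ""}


def proxy_indicators(env: Dict[str, str]) -> Dict[str, object]:
    """Summarise what the receiving server can learn about the relay in front of it."""
    via = parse_via(env.get("HTTP_VIA", ""))
    xff = env.get("HTTP_X_FORWARDED_FOR", "")
    try:
        loopback = ipaddress.ip_address(xff).is_loopback
    except ValueError:
        loopback = False
    return {
        "remote_addr": env.get("REMOTE_ADDR", ""),
        "relay": via.get("host", ""),
        "relay_software": via.get("software", ""),
        # A loopback (or missing) X-Forwarded-For carries no client address,
        # so the only IP the server ever sees belongs to the proxy.
        "origin_hidden": loopback or not xff,
    }
```

Run over the dump above it reports the relay as anongo.com running Squid/2.3.STABLE3 with the origin hidden, which is exactly why the server-side headers alone cannot identify the user; only the proxy operator's own logs could.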
For appearances of Anongo.com (Squid/2.3.STABLE[x]) in log files (from Google):
http://akasatanaha.virtualave.net/cgi-bin/proxy/log.txt
0001 [07/28/2001 23:13:56] - 216.104.228.152 - 216.104.228.152 - 127.0.0.1 - 1.0 anongo.com:3128 (Squid/2.3.STABLE3) - Mozilla/4.73 [ja] (Windows NT 5.0; U)
0001 [03/04/2001 14:20:22] - 216.104.228.157 - 216.104.228.157 - 127.0.0.1 - 1.0 anongo.com:3128 (Squid/2.3.STABLE3) - Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)
0001 [03/04/2001 14:19:08] - 216.104.228.157 - 216.104.228.157 - 127.0.0.1 - 1.0 anongo.com:3128 (Squid/2.3.STABLE3) - Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)
0001 [03/04/2001 14:16:17] - 216.104.228.125 - 216.104.228.125 - 127.0.0.1 - 1.0 anongo.com:3128 (Squid/2.3.STABLE3) - Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)
The following Google listing promises anongo.com but does not download data from here:
http://narya.phy.qub.ac.uk/~mjl/local/apache_1.2.4/cgi-bin/core
But the Google cache of the file provided a single entry for
anongo.com:3128 (Squid/2.3.STABLE4)
HTTP_X_FORWARDED_FOR=127.0.0.1
HTTP_HOST=narya.phy.qub.ac.uk
HTTP_CACHE_CONTROL=max-age=259200
HTTP_CONNECTION=keep-alive
PATH=/sbin:/usr/sbin:/usr/bin:/usr/bin/X11
SERVER_SOFTWARE=Apache/1.2.4
SERVER_NAME=narya.phy.qub.ac.uk
SERVER_PORT=80
REMOTE_HOST=216.104.228.114
REMOTE_ADDR=216.104.228.114
DOCUMENT_ROOT=/usr/local/etc/httpd/htdocs
[email protected]
SCRIPT_FILENAME=/usr/local/etc/httpd/cgi-bin/w3-msql
REMOTE_PORT=2878
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.0
REQUEST_METHOD=GET
QUERY_STRING=
REQUEST_URI=/cgi-bin/w3-msql/quds/*.*
SCRIPT_NAME=/cgi-bin/w3-msql
PATH_INFO=/quds/*.*
PATH_TRANSLATED= /usr/local/etc/httpd/htdocs/quds/*.*
/usr/local/etc/httpd/cgi-bin/w3-msql
/sbin/loader
Note the similar remote address in the two log files: 216.104.228.114, which resolves to Exodus Communications, a giant ISP.
Cryptome would like to receive other log file entries of Anongo.com. Delete information which would disclose the user of Safeweb or Anongo.com. Send to: [email protected]
From: mike
To: [email protected]
Cc: [email protected]
Subject: Re: RIAA Safeweb Proxy ID
Date: Sat, 13 Oct 2001 09:14:13 -0400
For anyone interested, Squid is basically just an HTTP/FTP cache.... similar to what AOL uses, for instance, and many satellite-based Net ISPs (Starband, DirecPC) use to maximize bandwidth utilization.
Black Helicopter alert: Squid is based on an ARPA-funded project called "Harvest".... a project that investigated "harvesting" of data across large, presumably public, networks, for archiving and "study" :)
Squid itself is opensource.... if you're interested, check out
http://www.squid-cache.org
This is totally off-topic, but consider this: the way that a Proxy cache works (not just Squid, any cache) is that it stores all of the requested objects (web pages and files, in this case) on a series of local servers. Then, when a user requests them, it serves them off of ITS pages -- that way, it doesn't have to fetch them from the "public" Internet.
Now, what do you have? Yep... a complete archive on Safeweb's local servers of all pages requested by their users.
Not being a conspiracy nut, I won't connect the last dot.... but you see the value of this to someone like the CIA -- besides an opportunity to create a voyeur-google, you can also control selected pages' contents (by replacing them with your own contents and disabling HTTP refresh of the page through the cache).
To get back to the RIAA point, though:
What you're looking at are HTTP headers (what you'd see if you Telnet'ed to port 80 on Safeweb's web servers). Again, this won't get you any closer to identifying the path that someone took to get to Safeweb, and therefore, you cannot identify a target via this type of information.
(The more interesting point would be: can Safeweb do so? The answer is "you bet." The only thing they would have to do is classic log/connection-time synchronization analysis, and that would tell them the connection details of the user in question. But this can only be done by Safeweb or someone with access to Safeweb logs.)
Trace route and DNS by Cryptome.
The DoD domain could be a cover for the Central Intelligence Agency, an acknowledged Safeweb supporter.
==================================================
=== VisualRoute report on 13-Oct-01 9:39:35 AM ===
==================================================

Real-time report for anongo.com [215.104.228.144] (80% done)

Analysis: IP packets are being lost past network "Qwest Communications" at hop 13. There is insufficient cached information to determine the next network at hop 14.

| Hop | %Loss | IP Address | Node Name | Location | Tzone | ms | Graph | Network |
|-----|-------|------------|-----------|----------|-------|----|-------|---------|
| 1 | | 206.115.154.10 | tnt10.nyc3.da.uu.net | New York, NY, USA | -05:00 | 164 | --x-- | UUNET Dial-Up Networks |
| 2 | | 206.115.245.2 | - | ?Fairfax, VA 22031 | | 152 | -x-- | UUNET Dial Access Network |
| 3 | | 152.63.23.190 | 230.at-2-1-0.HR2.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 156 | -x-- | UUNET Technologies, Inc. |
| 4 | | 152.63.15.198 | 0.so-2-3-0.XL2.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 168 | --x-- | UUNET Technologies, Inc. |
| 5 | | 152.63.23.142 | 0.so-7-0-0.XR2.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 173 | --x---- | UUNET Technologies, Inc. |
| 6 | | 152.63.18.205 | 280.at-1-0-0.XR2.NYC8.ALTER.NET | New York, NY, USA | -05:00 | 159 | -x-- | UUNET Technologies, Inc. |
| 7 | | 152.63.23.173 | 182.ATM6-0.BR1.NYC8.ALTER.NET | New York, NY, USA | -05:00 | 128 | x----- | UUNET Technologies, Inc. |
| 8 | | 205.171.4.9 | jfk-brdr-02.inet.qwest.net | New York, NY, USA | -05:00 | 129 | x---- | Colorado Supernet, Inc. |
| 9 | | 205.171.230.26 | jfk-core-03.inet.qwest.net | New York, NY, USA | -05:00 | 125 | x-- | Colorado Supernet, Inc. |
| 10 | | 205.171.230.5 | jfk-core-01.inet.qwest.net | New York, NY, USA | -05:00 | 123 | x-- | Colorado Supernet, Inc. |
| 11 | | 205.171.5.236 | wdc-core-01.inet.qwest.net | Washington, DC, USA | -05:00 | 129 | x-- | Colorado Supernet, Inc. |
| 12 | | 205.171.24.82 | wdc-edge-05.inet.qwest.net | Washington, DC, USA | -05:00 | 127 | x-- | Colorado Supernet, Inc. |
| 13 | | 63.148.66.222 | - | ?Arlington, VA 22203 | | 133 | -x--- | Qwest Communications |
| ... | | | | | | | | |
| ? | | 215.104.228.144 | anongo.com | ?Vienna, VA 22183 | | | | DoD Network Information Center |

Roundtrip time to 63.148.66.222, average = 133ms, min = 112ms, max = 234ms -- 13-Oct-01 9:39:35 AM

Look-up 215.104.228.144:
DoD Network Information Center (NETBLK-DDN-NIC16)
7990 Boeing Court M/S CV-50
Vienna, VA 22183
US
Netname: DDN-NIC16
Netblock: 215.0.0.0 - 215.255.255.255
Maintainer: DNIC
Coordinator:
DoD, Network (MIL-HSTMST-ARIN) [email protected]
(703) 676-1051
(800) 365-3642
(FAX) (703) 676-1749
Domain System inverse mapping provided by:
AAA-VIENNA.NIPR.MIL 207.132.116.60
AAA-KELLY.NIPR.MIL 199.252.162.251
AAA-WHEELER.NIPR.MIL 199.252.180.251
AAA-VAIHINGEN.NIPR.MIL 199.252.154.251
Record last updated on 09-Jun-1998.
Database last updated on 12-Oct-2001 23:25:26 EDT.