16 October 2001: See Safeweb explanation of Anongo.com having a DoD address.

13 October 2001: Add data showing Anongo.com is Department of Defense domain.

13 October 2001: Add reader comment.

13 October 2001. Thanks to SC.

This relates to the leak of an alleged secret RIAA meeting and the tracing of that leak:

http://cryptome.org/riaa-secret.htm

http://cryptome.org/riaa-safeweb.htm

SC's IP address replaced by xxx.xxx.xxx.xxx

Comments welcome, especially on the collection of user data by Safeweb and other anonymizers; send to: [email protected]


13 October 2001

I've tuned in late to the RIAA/Safeweb thing, but I'm chiming in with my bit.

Tracing from Safeweb.com is an interesting exercise; the geography is very typical of the Internet backbone and the router hops packets take.

I wrote a script to mail all possible headers from a connecting browser to myself. I installed it on my server

http://xxx.xxx.xxx.xxx:8140

and then connected from Safeweb.

The Safeweb anonymizer uses a caching proxy server, listening for connections on several IPs; it preserves client headers while obviously changing the IP of the originating connection; it preserves many of the originating headers; it adds some new headers.

Here's the output:

GATEWAY_INTERFACE..........CGI/1.1

REMOTE_ADDR..........64.124.150.136

DATE_LOCAL..........Saturday, 13-Oct-2001 01:22:45 EDT

REQUEST_METHOD..........GET

QUERY_STRING..........

DOCUMENT_URI........../index.html

HTTP_ACCEPT..........image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel,
application/msword, */*

REMOTE_PORT..........2513

SERVER_ADDR..........142.204.119.75

HTTP_ACCEPT_LANGUAGE..........en-us

HTTP_CACHE_CONTROL..........max-age=259200

REDIRECT_STATUS..........200

HTTP_ACCEPT_ENCODING..........gzip

SERVER_NAME..........xxx.xxx.xxx.xxx

HTTP_X_FORWARDED_FOR..........127.0.0.1

SERVER_PORT..........8140

DOCUMENT_NAME..........index.html

HTTP_IF_MODIFIED_SINCE..........Sat, 13 Oct 2001 05:15:44 GMT;
length=853

REDIRECT_URL........../

DATE_GMT..........Saturday, 13-Oct-2001 05:22:45 GMT

SERVER_PROTOCOL..........INCLUDED

HTTP_REFERER..........http://xxx.xxx.xxx.xxx

HTTP_USER_AGENT..........Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.0)

HTTP_CONNECTION..........keep-alive

REQUEST_URI........../

HTTP_HOST..........xxx.xxx.xxx.xxx:8140

HTTP_VIA..........1.0 anongo.com:3128 (Squid/2.3.STABLE3)

The last one in the list is the flavour of proxy Safeweb uses:

Squid/2.3.STABLE3

And the DNS name of the source box for the HTTP request is anongo.com, which I don't believe showed up in your trace logs. [See http://cryptome.org/riaa-safeweb.htm]

Basically a caching proxy server's header set.

The authoritative name servers for anongo.com are

ns3.above.net

www.anongo.com redirects to Safeweb. The boxes are standard UNIX/Apache with SSL. They have written scripts to replace the originating address header and keep track of the connection, receive requested files to their cache, and then serve from that cache to your browser.

The Safeweb machines would absolutely be configured to do sophisticated logging; there is no free lunch on the Net. While they appear to do a nice job, their server logs would be a goldmine. Everyone who uses a commercial web browser agrees to have their information gathered the first time they use the Safeweb browser - do you want to continue? When you say yes, you mean it!
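SC describes a script that mails every CGI header of a connecting browser, and the dump above shows which of them betray the proxy (HTTP_VIA, HTTP_X_FORWARDED_FOR, the unchanged REMOTE_ADDR). The following is an added example, not SC's script and not anything Safeweb or Squid ships: a CGI-style handler that parses the Via header into hops (RFC 2616 syntax), splits X-Forwarded-For, and reports whether the forwarded address actually exposes a client or is just a loopback placeholder. The sample environment is constructed from the dump above with the server's masked address replaced by a documentation address.

```python
import ipaddress
import json
import os
import re
from typing import Dict, List

# Constructed CGI environment modelled on the header dump above; the server's
# own address (xxx.xxx.xxx.xxx on the page) is replaced with an RFC 5737
# documentation address. Only the proxy-relevant variables are kept.
SAMPLE_ENV: Dict[str, str] = {
    "GATEWAY_INTERFACE": "CGI/1.1",
    "REMOTE_ADDR": "64.124.150.136",
    "REMOTE_PORT": "2513",
    "HTTP_HOST": "192.0.2.10:8140",
    "HTTP_USER_AGENT": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
    "HTTP_X_FORWARDED_FOR": "127.0.0.1",
    "HTTP_VIA": "1.0 anongo.com:3128 (Squid/2.3.STABLE3)",
    "HTTP_CACHE_CONTROL": "max-age=259200",
}

# One Via entry: [protocol-name "/"] protocol-version received-by [comment]
# (RFC 2616 section 14.45). The protocol name is omitted when it is HTTP.
VIA_ENTRY = re.compile(
    r"\s*(?:(?P<proto>[A-Za-z]+)/)?(?P<version>\d+(?:\.\d+)?)"
    r"\s+(?P<by>[^\s(,]+)"
    r"(?:\s*\((?P<comment>[^)]*)\))?"
)


def parse_via(value: str) -> List[Dict[str, object]]:
    """Split a Via header into hops. Entries are comma-separated; a comment
    that itself contains a comma would be mis-split, which is acceptable for
    evidence gathering of this kind."""
    hops = []
    for entry in value.split(","):
        m = VIA_ENTRY.match(entry)
        if not m:
            continue
        by = m.group("by")
        host, port = by, None
        if ":" in by and by.rsplit(":", 1)[1].isdigit():
            host, port_s = by.rsplit(":", 1)
            port = int(port_s)
        hops.append({
            "protocol": (m.group("proto") or "HTTP").upper(),
            "version": m.group("version"),
            "host": host,
            "port": port,
            "software": m.group("comment"),  # e.g. "Squid/2.3.STABLE3"
        })
    return hops


def _is_global(addr: str) -> bool:
    """True only for a routable public address; 'unknown', hostnames and
    loopback/private addresses all count as not revealing a client."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False


def proxy_evidence(env: Dict[str, str]) -> Dict[str, object]:
    """Summarise what the connecting peer reveals about being a proxy."""
    xff = [a.strip() for a in env.get("HTTP_X_FORWARDED_FOR", "").split(",") if a.strip()]
    via = parse_via(env.get("HTTP_VIA", ""))
    return {
        "remote_addr": env.get("REMOTE_ADDR"),
        "via": via,
        "forwarded_for": xff,
        # A loopback or private X-Forwarded-For says only that the cache sits
        # behind another local hop; it does not expose the real client.
        "forwarded_for_reveals_client": any(_is_global(a) for a in xff),
        "proxied": bool(via) or bool(xff),
    }


def main() -> None:
    # Under a web server this reads the real CGI environment; run from a
    # shell it falls back to the constructed sample so it works offline.
    env = dict(os.environ) if "GATEWAY_INTERFACE" in os.environ else SAMPLE_ENV
    print("Content-Type: text/plain\n")
    print(json.dumps(proxy_evidence(env), indent=2))


if __name__ == "__main__":
    main()
```

Dropped into a cgi-bin directory this prints the same evidence SC mailed himself, but already structured; on the dump above it yields one hop, anongo.com port 3128 running Squid/2.3.STABLE3, and flags the X-Forwarded-For of 127.0.0.1 as not identifying anyone.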


From NSI Whois on Anongo.com:

    Organization:
       Jon Chun
       Jon Chun
       1085 Keith Av
       Berkeley, CA 94708
       US
       Phone: 510-558-6918
       Fax..: 650-618-1708
       Email: [email protected]

    Registrar Name....: Register.com
    Registrar Whois...: whois.register.com
    Registrar Homepage: http://www.register.com

    Domain Name: ANONGO.COM

       Created on..............: Tue, Jul 11, 2000
       Expires on..............: Fri, Jul 11, 2003
       Record last updated on..: Tue, May 01, 2001

    Administrative Contact:
       Jon Chun
       Jon Chun
       1085 Keith Ave
       Berkeley, CA 94708
       US
       Phone: 510-558-6918
       Fax..: 650-618-1708
       Email: [email protected]

    Technical Contact, Zone Contact:
       Register.Com
       Domain Registrar
       575 8th Avenue - 11th Floor
       New York, NY 10018
       US
       Phone: 212-798-9200
       Fax..: 212-629-9305
       Email: [email protected]

    Domain servers in listed order:

    NS.ABOVE.NET                                      207.126.96.162    
    NS3.ABOVE.NET                                     207.126.105.146   


For appearances of Anongo.com (Squid/2.3.STABLE[x]) in log files (from Google):

http://akasatanaha.virtualave.net/cgi-bin/proxy/log.txt
0001 [07/28/2001 23:13:56] - 216.104.228.152 - 216.104.228.152 - 127.0.0.1 - 1.0 anongo.com:3128 (Squid/2.3.STABLE3) - Mozilla/4.73 [ja] (Windows NT 5.0; U)
0001 [03/04/2001 14:20:22] - 216.104.228.157 - 216.104.228.157 - 127.0.0.1 - 1.0 anongo.com:3128 (Squid/2.3.STABLE3) - Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)
0001 [03/04/2001 14:19:08] - 216.104.228.157 - 216.104.228.157 - 127.0.0.1 - 1.0 anongo.com:3128 (Squid/2.3.STABLE3) - Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)
0001 [03/04/2001 14:16:17] - 216.104.228.125 - 216.104.228.125 - 127.0.0.1 - 1.0 anongo.com:3128 (Squid/2.3.STABLE3) - Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)

The following URL is listed by Google for anongo.com, but the file no longer downloads from the site itself:

http://narya.phy.qub.ac.uk/~mjl/local/apache_1.2.4/cgi-bin/core

But the Google cache of the file provided a single entry for

anongo.com:3128 (Squid/2.3.STABLE4) 
HTTP_X_FORWARDED_FOR=127.0.0.1 
HTTP_HOST=narya.phy.qub.ac.uk 
HTTP_CACHE_CONTROL=max-age=259200 
HTTP_CONNECTION=keep-alive 
PATH=/sbin:/usr/sbin:/usr/bin:/usr/bin/X11 
SERVER_SOFTWARE=Apache/1.2.4 
SERVER_NAME=narya.phy.qub.ac.uk 
SERVER_PORT=80 
REMOTE_HOST=216.104.228.114 
REMOTE_ADDR=216.104.228.114 
DOCUMENT_ROOT=/usr/local/etc/httpd/htdocs 
[email protected] 
SCRIPT_FILENAME=/usr/local/etc/httpd/cgi-bin/w3-msql 
REMOTE_PORT=2878 
GATEWAY_INTERFACE=CGI/1.1 
SERVER_PROTOCOL=HTTP/1.0 
REQUEST_METHOD=GET 
QUERY_STRING= 
REQUEST_URI=/cgi-bin/w3-msql/quds/*.* 
SCRIPT_NAME=/cgi-bin/w3-msql 
PATH_INFO=/quds/*.* 
PATH_TRANSLATED=
 /usr/local/etc/httpd/htdocs/quds/*.* 
 /usr/local/etc/httpd/cgi-bin/w3-msql 
 /sbin/loader

Note that the remote addresses in the two log sources fall in the same block: the virtualave.net log shows 216.104.228.125, .152 and .157, and the core file shows

216.104.228.114

which resolves to Exodus Communications, a giant ISP.

Cryptome would like to receive other log file entries of Anongo.com. Delete information which would disclose the user of Safeweb or Anongo.com. Send to: [email protected]
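The two sources above (the virtualave.net proxy log and the qub.ac.uk core file) are matched by hand: same Via host, neighbouring remote addresses. The following is an added example, not Cryptome's or SC's code, that does the same correlation mechanically: it parses the log lines quoted above, adds the REMOTE_ADDR recovered from the core file, keeps only records whose Via names the proxy of interest, and clusters the source addresses by /24. One control line from an unrelated cache is constructed and not on the page; the Via for the core file is reconstructed with the "1.0 " prefix, which the cached copy had lost.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# The four lines quoted above from the virtualave.net proxy log, plus one
# constructed control line from a different cache (not on the page) to show
# that unrelated proxies are filtered out.
LOG_LINES = [
    "0001 [07/28/2001 23:13:56] - 216.104.228.152 - 216.104.228.152 - 127.0.0.1 - 1.0 anongo.com:3128 (Squid/2.3.STABLE3) - Mozilla/4.73 [ja] (Windows NT 5.0; U)",
    "0001 [03/04/2001 14:20:22] - 216.104.228.157 - 216.104.228.157 - 127.0.0.1 - 1.0 anongo.com:3128 (Squid/2.3.STABLE3) - Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)",
    "0001 [03/04/2001 14:19:08] - 216.104.228.157 - 216.104.228.157 - 127.0.0.1 - 1.0 anongo.com:3128 (Squid/2.3.STABLE3) - Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)",
    "0001 [03/04/2001 14:16:17] - 216.104.228.125 - 216.104.228.125 - 127.0.0.1 - 1.0 anongo.com:3128 (Squid/2.3.STABLE3) - Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)",
    "0001 [03/04/2001 14:10:00] - 198.51.100.23 - 198.51.100.23 - unknown - 1.0 cache.example.net:3128 (Squid/2.4.STABLE1) - Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)",
]

# CGI variables recovered from the qub.ac.uk core file quoted above; the
# "1.0 " received-protocol prefix of the Via value is assumed.
CORE_FILE_ENV = {
    "REMOTE_ADDR": "216.104.228.114",
    "HTTP_VIA": "1.0 anongo.com:3128 (Squid/2.3.STABLE4)",
}

SOFTWARE = re.compile(r"\(([^)]*)\)")  # the comment part of a Via entry


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Fields are separated by ' - ': sequence+timestamp, REMOTE_ADDR,
    REMOTE_HOST, X-Forwarded-For, Via, User-Agent."""
    parts = [p.strip() for p in line.split(" - ")]
    if len(parts) != 6:
        return None
    stamp, remote_addr, _remote_host, xff, via, ua = parts
    return {"stamp": stamp, "remote_addr": remote_addr, "xff": xff,
            "via": via, "user_agent": ua}


def via_hosts(via: str) -> List[str]:
    """Received-by hosts of every hop in a Via value, lower-cased, port dropped."""
    hosts = []
    for entry in via.split(","):
        toks = entry.split()
        if len(toks) >= 2:
            hosts.append(toks[1].split(":")[0].lower())
    return hosts


def correlate(log_lines: Iterable[str], cgi_envs: Iterable[Dict[str, str]],
              proxy_host: str = "anongo.com", prefixlen: int = 24) -> Dict[str, object]:
    """Merge log lines and CGI environments, keep sightings of proxy_host,
    and cluster the addresses the proxy connected from by network prefix."""
    records = [r for r in map(parse_log_line, log_lines) if r]
    records += [{"remote_addr": e["REMOTE_ADDR"], "via": e.get("HTTP_VIA", ""),
                 "user_agent": e.get("HTTP_USER_AGENT", "")} for e in cgi_envs]
    hits = [r for r in records if proxy_host in via_hosts(r["via"])]

    networks: Dict[str, set] = defaultdict(set)
    for r in hits:
        net = ipaddress.ip_network(f"{r['remote_addr']}/{prefixlen}", strict=False)
        networks[str(net)].add(r["remote_addr"])

    versions = {m.group(1) for m in map(SOFTWARE.search, (r["via"] for r in hits)) if m}
    return {
        "proxy": proxy_host,
        "sightings": len(hits),
        "excluded": len(records) - len(hits),
        "networks": {n: sorted(a, key=ipaddress.ip_address) for n, a in sorted(networks.items())},
        "squid_versions": sorted(versions),
        # several browsers behind the same handful of addresses: a shared
        # proxy pool, not one user
        "distinct_user_agents": len({r["user_agent"] for r in hits if r["user_agent"]}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(correlate(LOG_LINES, [CORE_FILE_ENV]), indent=2))
```

On the page's data this reports a single cluster, 216.104.228.0/24, holding all four anongo.com source addresses, two Squid builds (2.3.STABLE3 and 2.3.STABLE4) and two different browsers, which is what one expects of a proxy farm rather than of a single machine.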


From: mike
To: [email protected]
Cc: [email protected]
Subject: Re: RIAA Safeweb Proxy ID
Date: Sat, 13 Oct 2001 09:14:13 -0400

For anyone interested, Squid is basically just an HTTP/FTP cache.... similar to what AOL uses, for instance, and many satellite-based Net ISPs (Starband, DirecPC) use to maximize bandwidth utilization.

Black Helicopter alert: Squid is based on an ARPA-funded project called "Harvest".... a project that investigated "harvesting" of data across large, presumably public, networks, for archiving and "study" :)

Squid itself is opensource.... if you're interested, check out

http://www.squid-cache.org

This is totally off-topic, but consider this: the way that a Proxy cache works (not just Squid, any cache) is that it stores all of the requested objects (web pages and files, in this case) on a series of local servers. Then, when a user requests them, it serves them off of ITS pages -- that way, it doesn't have to fetch them from the "public" Internet.

Now, what do you have? Yep... a complete archive on Safeweb's local servers of all pages requested by their users.

Not being a conspiracy nut, I won't connect the last dot.... but you see the value of this to someone like the CIA -- besides an opportunity to create a voyeur-google, you can also control selected pages' contents (by replacing them with your own contents and disabling HTTP refresh of the page through the cache).

To get back to the RIAA point, though:

What you're looking at are HTTP headers (what you'd see if you Telnet'ed to port 80 on Safeweb's web servers). Again, this won't get you any closer to identifying the path that someone took to get to Safeweb, and therefore, you cannot identify a target via this type of information.

(The more interesting point would be: can Safeweb do so? The answer is "you bet." The only thing they would have to do is classic log/connection-time synchronization analysis, and that would tell them the connection details of the user in question. But this can only be done by Safeweb or someone with access to Safeweb logs.)
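Mike's closing point is that the headers seen by a target site cannot name the user, but the operator can, by "classic log/connection-time synchronization analysis". The following added example (not mike's code, and not anything Safeweb is known to run) shows what that analysis amounts to: a target site's access line, which carries only the proxy's egress address, is matched against the proxy operator's own front-end log by egress address, requested path and a time window, with an allowance for clock skew. Both logs are constructed; the proxy log format, the client addresses and the window are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Sequence, Tuple
from urllib.parse import urlsplit

# Constructed target-site access log (common log format). The site sees only
# the anonymizer's egress address, here the REMOTE_ADDR from the header dump
# earlier on this page.
TARGET_LOG = [
    '64.124.150.136 - - [13/Oct/2001:05:22:45 +0000] "GET /index.html HTTP/1.0" 200 853',
]

# Constructed anonymizer front-end log, something only the operator holds:
# (UTC time, client address, egress address used for the fetch, URL fetched).
PROXY_LOG: List[Tuple[str, str, str, str]] = [
    ("2001-10-13T05:22:44", "203.0.113.45", "64.124.150.136", "http://192.0.2.10:8140/index.html"),
    ("2001-10-13T05:22:44", "203.0.113.80", "64.124.150.136", "http://example.org/news"),
    ("2001-10-13T05:30:01", "203.0.113.12", "64.124.150.136", "http://192.0.2.10:8140/index.html"),
]

CLF = re.compile(r'^(?P<addr>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"')


def parse_clf(line: str) -> Dict[str, object]:
    """Parse one common-log-format line into address, aware timestamp, path."""
    m = CLF.match(line)
    if not m:
        raise ValueError(f"not a CLF line: {line!r}")
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"addr": m.group("addr"), "time": ts, "path": m.group("path")}


def parse_proxy(entry: Tuple[str, str, str, str]) -> Dict[str, object]:
    ts, client, egress, url = entry
    return {"time": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
            "client": client, "egress": egress,
            "path": urlsplit(url).path or "/"}


def attribute(target_line: str, proxy_log: Sequence[Tuple[str, str, str, str]],
              window_s: float = 5.0, skew_s: float = 0.0) -> List[Dict[str, object]]:
    """Return every proxy-side client whose fetch could have produced the
    target-side line: same egress address, same path, and a proxy timestamp
    (corrected by skew_s) within window_s seconds of the target timestamp."""
    target = parse_clf(target_line)
    matches = []
    for e in map(parse_proxy, proxy_log):
        proxy_time = e["time"] + timedelta(seconds=skew_s)
        delta = (target["time"] - proxy_time).total_seconds()
        if (e["egress"] == target["addr"] and e["path"] == target["path"]
                and abs(delta) <= window_s):
            matches.append({"client": e["client"], "offset_s": delta})
    return matches


def attribution_status(matches: List[Dict[str, object]]) -> str:
    """'unique' is the only outcome that names a user; two clients fetching
    the same path inside the window leave the question open."""
    if not matches:
        return "none"
    return "unique" if len({m["client"] for m in matches}) == 1 else "ambiguous"


if __name__ == "__main__":
    found = attribute(TARGET_LOG[0], PROXY_LOG)
    print(attribution_status(found), found)
```

With the constructed logs the target line is pinned to one client one second earlier; with no proxy-side log there is nothing to match, which is the situation of anyone outside Safeweb; and a second client fetching the same path inside the window turns the answer into "ambiguous", the limit of timing correlation on a busy cache.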


Trace route and DNS by Cryptome.

Note that the log entries above place the anongo.com Squid boxes at 216.104.228.x (the block containing 216.104.228.114, which resolves to Exodus Communications), whereas VisualRoute resolved anongo.com to 215.104.228.144. The two differ only in the first octet, and 215.0.0.0/8 is registered to the DoD Network Information Center (look-up below). Safeweb's explanation of the DoD address is referenced in the 16 October note at the top of this page.

The DoD domain could be a cover for the Central Intelligence Agency, an acknowledged Safeweb supporter.

==================================================
=== VisualRoute report on 13-Oct-01 9:39:35 AM ===
==================================================

Real-time report for anongo.com [215.104.228.144] (80% done)

Analysis: IP packets are being lost past network "Qwest Communications" at hop 13. There is insufficient cached information to determine the next network at hop 14. 

-------------------------------------------------------------------------------------------------------------------------------------------------------
| Hop | %Loss | IP Address      | Node Name                       | Location             | Tzone  | ms  | Graph      | Network                        |
-------------------------------------------------------------------------------------------------------------------------------------------------------
| 1   |       | 206.115.154.10  | tnt10.nyc3.da.uu.net            | New York, NY, USA    | -05:00 | 164 |    --x--   | UUNET Dial-Up Networks         |
| 2   |       | 206.115.245.2   | -                               | ?Fairfax, VA 22031   |        | 152 |    -x--    | UUNET Dial Access Network      |
| 3   |       | 152.63.23.190   | 230.at-2-1-0.HR2.NYC9.ALTER.NET | New York, NY, USA    | -05:00 | 156 |    -x--    | UUNET Technologies, Inc.       |
| 4   |       | 152.63.15.198   | 0.so-2-3-0.XL2.NYC9.ALTER.NET   | New York, NY, USA    | -05:00 | 168 |    --x--   | UUNET Technologies, Inc.       |
| 5   |       | 152.63.23.142   | 0.so-7-0-0.XR2.NYC9.ALTER.NET   | New York, NY, USA    | -05:00 | 173 |    --x---- | UUNET Technologies, Inc.       |
| 6   |       | 152.63.18.205   | 280.at-1-0-0.XR2.NYC8.ALTER.NET | New York, NY, USA    | -05:00 | 159 |    -x--    | UUNET Technologies, Inc.       |
| 7   |       | 152.63.23.173   | 182.ATM6-0.BR1.NYC8.ALTER.NET   | New York, NY, USA    | -05:00 | 128 |    x-----  | UUNET Technologies, Inc.       |
| 8   |       | 205.171.4.9     | jfk-brdr-02.inet.qwest.net      | New York, NY, USA    | -05:00 | 129 |    x----   | Colorado Supernet, Inc.        |
| 9   |       | 205.171.230.26  | jfk-core-03.inet.qwest.net      | New York, NY, USA    | -05:00 | 125 |    x--     | Colorado Supernet, Inc.        |
| 10  |       | 205.171.230.5   | jfk-core-01.inet.qwest.net      | New York, NY, USA    | -05:00 | 123 |    x--     | Colorado Supernet, Inc.        |
| 11  |       | 205.171.5.236   | wdc-core-01.inet.qwest.net      | Washington, DC, USA  | -05:00 | 129 |    x--     | Colorado Supernet, Inc.        |
| 12  |       | 205.171.24.82   | wdc-edge-05.inet.qwest.net      | Washington, DC, USA  | -05:00 | 127 |    x--     | Colorado Supernet, Inc.        |
| 13  |       | 63.148.66.222   | -                               | ?Arlington, VA 22203 |        | 133 |    -x---   | Qwest Communications           |
| ... |       |                 |                                 |                      |        |     |            |                                |
| ?   |       | 215.104.228.144 | anongo.com                      | ?Vienna, VA 22183    |        |     |            | DoD Network Information Center |
-------------------------------------------------------------------------------------------------------------------------------------------------------
Roundtrip time to 63.148.66.222, average = 133ms, min = 112ms, max = 234ms -- 13-Oct-01 9:39:35 AM

--------------

Look-up 215.104.228.144:

DoD Network Information Center (NETBLK-DDN-NIC16)
        7990 Boeing Court M/S CV-50
        Vienna, VA 22183
        US

        Netname: DDN-NIC16
        Netblock: 215.0.0.0 - 215.255.255.255
        Maintainer: DNIC

        Coordinator:
           DoD, Network  (MIL-HSTMST-ARIN)  [email protected]
           (703) 676-1051 (800) 365-3642 (FAX) (703) 676-1749

        Domain System inverse mapping provided by:

        AAA-VIENNA.NIPR.MIL          207.132.116.60
        AAA-KELLY.NIPR.MIL           199.252.162.251
        AAA-WHEELER.NIPR.MIL         199.252.180.251
        AAA-VAIHINGEN.NIPR.MIL       199.252.154.251

        Record last updated on 09-Jun-1998.
        Database last updated on 12-Oct-2001 23:25:26 EDT.