13 October 2001: Link to identification of the Safeweb proxy server:

http://cryptome.org/riaa-anongo.htm

12 October 2001: Add reader comments.

12 October 2001

This relates to allegations made about a secret RIAA meeting:

http://cryptome.org/riaa-secret.htm

Comments welcome. Send to: [email protected]


Based on some three dozen pings of Safeweb IP address 64.124.150.130 (- .144) from locations in the US and overseas, all pings conclude with variations on these 5 or 6 hops:

  lga1-lhr3-stm64.lga1.above.net (64.125.31.182)  (New York, NY)
  core2-lga1-oc192.lga2.above.net (208.184.232.198)  (New York, NY)
  main1colo45-core2-oc48.lga2.above.net (216.200.127.174)  (New York, NY)

About half the pings timed out before the last hop (or variation of):

  208.184.48.173.safeweb.com (San Jose, CA)

A few hit a "private" address after 208.184.48.173:

  10.100.0.2 (no location)

before ending at:

  64.124.150.130.safeweb.com (San Jose, CA)

(The station locations were provided by trace route program VisualRoute.)

Interpretation of the pings is needed for:

1. How much about the Safeweb stations is true and how much cloaking.

2. Why some pings timed out and others didn't.

3. Phantom station 10.100.0.2

4. Whether the San Jose hops actually go to San Jose or are spoofed.

5. Why go to New York then hop across the continent unless the last hops are just administrative not physical.

6. How is cloaking done on addresses and physical locations.

Is cloaking done by a Safeweb program, say by address spoofer or by phantom proxies, or is there a way to do this by special agreement with Network Central (whatever that is), say, as Intel Web and other classified systems do for cover use of the Web?

Recall that Safeweb was selected for financial support by the CIA so intel officers could use it to cloak their Net use. And other programs such as Onion make use of sub-Net features not easily available to the surface user.

Now, onto news of the RIAA leaker (not yet a proven hoaxer despite Declan McCullagh, RIAA and friends alleging that).

We received a third message yesterday from the alleged source of the RIAA allegations who was pissed at our attempts to trace the source. Use of Safeweb was admitted. Angry words were hurled at us. Allegations were made that parties have been punished for the leak though not the leaker who fears that information about the traces could be used for that. Here's Cryptome's response to the source (full messages and headers from the source will be published later if they are proven to be a hoax):

October 11, 2001

I very much appreciate your concern. I have stated publicly that I do not yet believe there has been a hoax and that the source of the messages will not be disclosed if the messages can be shown to be legitimate.  Not that I have any hard information on who you are. And don't need to know who you are so long as your information is reliable. Hell, it doesn't have to be reliable just provocative and unsettling.

Right now there is a push on by a host of people to promote that the messages are a hoax, and if they prevail RIAA will be the main beneficiary. And a great story becomes a bore.

It is to head off that win by RIAA, to avoid giving them improved protection against future abuses as a result of the alleged hoax, that I wish to get from you information that will demonstrate there was no hoax. Again without putting you in jeopardy.

In a tough fight like this RIAA and its supporters will do whatever they can to smear and deny your revelations. That's the way it is, so fighting back is the only answer to prevent an RIAA win by default as a result of your valiant effort.

Listen, this very thing happens every time we put up a controversial document, and your protection is paramount, but opponents of publication will fight like hell to deny the truth. But you surely know that. Now is when the going gets tough. You need to decide how to avoid losing this battle, losing your reputation and the whole shebang.

I say come forth with proof of the meeting and comments made, provide it through a secure channel to protect your identity. But don't let this story die a useless death.

Tony Smith ducked and ran. Not here, the story stays on Cryptome, along with the story of what happened after your account was published. Disinformation is as good as information, maybe better.

But if you want to abandon what you started, I'll understand and wait for the next opportunity to buck the fuckers.


Sample pings from Cryptome:

==================================================
=== VisualRoute report on 11-Oct-01 2:35:20 PM ===
==================================================

Real-time report for 64.124.150.130 [64.124.150.130.safeweb.com] (20% done)

Analysis: IP packets are being lost past network "Abovenet Communications, Inc." at hop 11. There is insufficient cached information to determine the next network at hop 12. 

-----------------------------------------------------------------------------------------------------------------------------------------------------------
| Hop | %Loss | IP Address      | Node Name                             | Location            | Tzone  | ms  | Graph      | Network                       |
-----------------------------------------------------------------------------------------------------------------------------------------------------------
| 1   |       | 206.115.154.5   | tnt5.nyc3.da.uu.net                   | New York, NY, USA   | -05:00 | 151 |     -x     | UUNET Dial-Up Networks        |
| 2   |       | 206.115.244.1   | -                                     | ?Fairfax, VA 22031  |        | 138 |     x      | UUNET Dial Access Network     |
| 3   |       | 152.63.23.178   | 229.at-2-0-0.HR1.NYC9.ALTER.NET       | New York, NY, USA   | -05:00 | 154 |     -x     | UUNET Technologies, Inc.      |
| 4   |       | 152.63.15.126   | 0.so-1-3-0.XL1.NYC9.ALTER.NET         | New York, NY, USA   | -05:00 | 143 |     x      | UUNET Technologies, Inc.      |
| 5   |       | 152.63.9.57     | 0.so-0-0-0.XR1.NYC9.ALTER.NET         | New York, NY, USA   | -05:00 | 138 |     x-     | UUNET Technologies, Inc.      |
| 6   |       | 152.63.18.193   | 181.at-2-0-0.XR1.NYC8.ALTER.NET       | New York, NY, USA   | -05:00 | 146 |     x-     | UUNET Technologies, Inc.      |
| 7   |       | 152.63.23.73    | 183.ATM4-0.BR1.NYC8.ALTER.NET         | New York, NY, USA   | -05:00 | 136 |     x      | UUNET Technologies, Inc.      |
| 8   |       | 208.184.231.245 | abovenet-uunet-OC12.lga2.above.net    | New York, NY, USA   | -05:00 | 145 |     x-     | Abovenet Communications, Inc. |
| 9   |       | 216.200.127.169 | core2-core3-oc48.lga2.above.net       | New York, NY, USA   | -05:00 | 187 |     --x    | Abovenet Communications, Inc. |
| 10  |       | 216.200.127.174 | main1colo45-core2-oc48.lga2.above.net | New York, NY, USA   | -05:00 | 239 |     ----x- | Abovenet Communications, Inc. |
| 11  |       | 208.184.48.189  | 208.184.48.189.safeweb.com            | ?San Jose, CA 95113 |        | 148 |     -x     | Abovenet Communications, Inc. |
| ... |       |                 |                                       |                     |        |     |            |                               |
| ?   |       | 64.124.150.130  | 64.124.150.130.safeweb.com            | ?San Jose, CA 95113 |        |     |            | Abovenet Communications, Inc. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Roundtrip time to 208.184.48.189, average = 148ms, min = 139ms, max = 152ms -- 11-Oct-01 2:35:20 PM

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

==================================================
=== VisualRoute report on 11-Oct-01 3:06:54 PM ===
==================================================

Real-time report for 64.124.150.144 [64.124.150.144.safeweb.com] (20% done)

Analysis: IP packets are being lost past network "(private use)" at hop 12. There is insufficient cached information to determine the next network at hop 13. 

-----------------------------------------------------------------------------------------------------------------------------------------------------------
| Hop | %Loss | IP Address      | Node Name                             | Location            | Tzone  | ms  | Graph      | Network                       |
-----------------------------------------------------------------------------------------------------------------------------------------------------------
| 1   |       | 206.115.154.5   | tnt5.nyc3.da.uu.net                   | New York, NY, USA   | -05:00 | 157 |     x      | UUNET Dial-Up Networks        |
| 2   |       | 206.115.244.1   | -                                     | ?Fairfax, VA 22031  |        | 141 |    -x      | UUNET Dial Access Network     |
| 3   |       | 152.63.23.178   | 229.at-2-0-0.HR1.NYC9.ALTER.NET       | New York, NY, USA   | -05:00 | 137 |    -x      | UUNET Technologies, Inc.      |
| 4   |       | 152.63.15.126   | 0.so-1-3-0.XL1.NYC9.ALTER.NET         | New York, NY, USA   | -05:00 | 134 |    -x-     | UUNET Technologies, Inc.      |
| 5   |       | 152.63.9.57     | 0.so-0-0-0.XR1.NYC9.ALTER.NET         | New York, NY, USA   | -05:00 | 141 |    -x-     | UUNET Technologies, Inc.      |
| 6   |       | 152.63.18.193   | 181.at-2-0-0.XR1.NYC8.ALTER.NET       | New York, NY, USA   | -05:00 | 135 |     x      | UUNET Technologies, Inc.      |
| 7   |       | 152.63.23.73    | 183.ATM4-0.BR1.NYC8.ALTER.NET         | New York, NY, USA   | -05:00 | 134 |     x      | UUNET Technologies, Inc.      |
| 8   |       | 208.184.231.245 | abovenet-uunet-OC12.lga2.above.net    | New York, NY, USA   | -05:00 | 133 |     x      | Abovenet Communications, Inc. |
| 9   |       | 216.200.127.169 | core2-core3-oc48.lga2.above.net       | New York, NY, USA   | -05:00 | 142 |     x      | Abovenet Communications, Inc. |
| 10  |       | 216.200.127.174 | main1colo45-core2-oc48.lga2.above.net | New York, NY, USA   | -05:00 | 138 |    -x      | Abovenet Communications, Inc. |
| 11  |       | 208.184.48.173  | 208.184.48.173.safeweb.com            | ?San Jose, CA 95113 |        | 217 |       x-   | Abovenet Communications, Inc. |
| 12  |       | 10.100.0.2      |                                       |                     |        | 283 |       --x- | (private use)                 |
| ... |       |                 |                                       |                     |        |     |            |                               |
| ?   |       | 64.124.150.144  | 64.124.150.144.safeweb.com            | ?San Jose, CA 95113 |        |     |            | Abovenet Communications, Inc. |
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Roundtrip time to 10.100.0.2, average = 283ms, min = 207ms, max = 299ms -- 11-Oct-01 3:06:54 PM

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

==================================================
=== VisualRoute report on 11-Oct-01 2:49:20 PM ===
==================================================

Report for www.riaa.org [208.225.90.120]

Analysis: 'www.riaa.org' was found in 12 hops (TTL=117). It is a HTTP server (running Microsoft-IIS/4.0). 

-----------------------------------------------------------------------------------------------------------------------------------------------------
| Hop | %Loss | IP Address     | Node Name                       | Location                 | Tzone  | ms  | Graph      | Network                   |
-----------------------------------------------------------------------------------------------------------------------------------------------------
| 1   |       | 206.115.154.5  | tnt5.nyc3.da.uu.net             | New York, NY, USA        | -05:00 | 198 | -x-----    | UUNET Dial-Up Networks    |
| 2   |       | 206.115.244.1  | -                               | ?Fairfax, VA 22031       |        | 193 | -x------   | UUNET Dial Access Network |
| 3   |       | 152.63.23.178  | 229.at-2-0-0.HR1.NYC9.ALTER.NET | New York, NY, USA        | -05:00 | 221 | -x-----    | UUNET Technologies, Inc.  |
| 4   |       | 152.63.15.150  | 0.so-1-3-0.XL2.NYC9.ALTER.NET   | New York, NY, USA        | -05:00 | 278 | -x-----    | UUNET Technologies, Inc.  |
| 5   |       | 152.63.23.142  | 0.so-7-0-0.XR2.NYC9.ALTER.NET   | New York, NY, USA        | -05:00 | 233 | -x-------  | UUNET Technologies, Inc.  |
| 6   |       | 152.63.15.182  | 0.so-4-0-0.TR2.NYC9.ALTER.NET   | New York, NY, USA        | -05:00 | 212 | -x------   | UUNET Technologies, Inc.  |
| 7   |       | 152.63.10.73   | 125.at-6-0-0.TR2.DCA8.ALTER.NET | Washington, DC, USA      | -05:00 | 230 | -x------   | UUNET Technologies, Inc.  |
| 8   |       | 152.63.35.250  | 0.so-5-0-0.XL2.DCA8.ALTER.NET   | Washington, DC, USA      | -05:00 | 252 |  x-------- | UUNET Technologies, Inc.  |
| 9   |       | 152.63.37.33   | POS7-0.GW3.DCA8.ALTER.NET       | Washington, DC, USA      | -05:00 | 207 | -x--       | UUNET Technologies, Inc.  |
| 10  |       | 157.130.58.61  | pos0-0.gw5.tco3.alter.net       | Tysons Corner, VA, USA   | -05:00 | 351 | --x--      | UUNET Technologies, Inc.  |
| 11  |       | 63.101.250.3   | -                               | ?Fairfax, Virginia 22031 |        | 220 |  x--       | UUNET Technologies, Inc.  |
| 12  |       | 208.225.90.120 | www.riaa.org                    | ?Fairfax, VA 22031       |        | 256 |  x---      | UUNET Technologies        |
-----------------------------------------------------------------------------------------------------------------------------------------------------
Roundtrip time to www.riaa.org, average = 256ms, min = 141ms, max = 563ms -- 11-Oct-01 2:49:20 PM

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

==================================================
=== VisualRoute report on 11-Oct-01 2:51:11 PM ===
==================================================

Report for www.weil.com [4.17.177.29]

Analysis: Connections to HTTP port 80 on host 'www.weil.com' are working, but ICMP packets are being blocked past network "GENUITY" at hop 12. It is a HTTP server (running Lotus-Domino/Release-4.6.7). Node 4.1.135.218 at hop 12 in network "GENUITY" reports "The destination network is unreachable".

-----------------------------------------------------------------------------------------------------------------------------------------------------
| Hop | %Loss | IP Address    | Node Name                            | Location             | Tzone  | ms  | Graph      | Network                   |
-----------------------------------------------------------------------------------------------------------------------------------------------------
| 1   |       | 206.115.154.5 | tnt5.nyc3.da.uu.net                  | New York, NY, USA    | -05:00 | 156 |     -x---- | UUNET Dial-Up Networks    |
| 2   |       | 206.115.244.1 | -                                    | ?Fairfax, VA 22031   |        | 156 |     -x---  | UUNET Dial Access Network |
| 3   |       | 152.63.23.178 | 229.at-2-0-0.HR1.NYC9.ALTER.NET      | New York, NY, USA    | -05:00 | 167 |     -x-    | UUNET Technologies, Inc.  |
| 4   |       | 152.63.15.126 | 0.so-1-3-0.XL1.NYC9.ALTER.NET        | New York, NY, USA    | -05:00 | 169 |     -x--   | UUNET Technologies, Inc.  |
| 5   |       | 152.63.18.225 | POS6-0.BR1.NYC9.ALTER.NET            | New York, NY, USA    | -05:00 | 139 |     x----  | UUNET Technologies, Inc.  |
| 6   |       | 4.0.6.141     | p7-2.nycmny1-cr10.bbnplanet.net      | New York, NY, USA    | -05:00 | 155 |     -x-    | GENUITY                   |
| 7   |       | 4.24.8.169    | p1-0.nycmny1-nbr2.bbnplanet.net      | New York, NY, USA    | -05:00 | 160 |     -x-    | GENUITY                   |
| 8   |       | 4.24.6.49     | so-4-0-0.bstnma1-nbr2.bbnplanet.net  | Boston, MA, USA      | -05:00 | 167 |     -x-    | GENUITY                   |
| 9   |       | 4.24.10.217   | so-7-0-0.bstnma1-nbr1.bbnplanet.net  | Boston, MA, USA      | -05:00 | 155 |     -x--   | GENUITY                   |
| 10  |       | 4.0.6.245     | p4-3.cambridge1-nbr1.bbnplanet.net   | Cambridge, MA, USA   | -05:00 | 150 |     x--    | GENUITY                   |
| 11  |       | 4.0.1.154     | p0-0-0.cambridge1-cr20.bbnplanet.net | Cambridge, MA, USA   | -05:00 | 148 |     x--    | ?4.0.1.0                  |
| 12  | 100   | 4.1.135.218   | s0.internoded.bbnplanet.net          | -                    |        | 174 |     -x-    | GENUITY                   |
| ... |       |               |                                      |                      |        |     |            |                           |
| ?   |       | 4.17.177.29   | www.weil.com                         | ?Cambridge, MA 02141 |        |     |            | InterNoded Inc            |
-----------------------------------------------------------------------------------------------------------------------------------------------------
Roundtrip time to 4.1.135.218, average = 174ms, min = 146ms, max = 187ms -- 11-Oct-01 2:51:11 PM

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

==================================================
=== VisualRoute report on 11-Oct-01 2:51:46 PM ===
==================================================

Real-time report for www.dvdcca.org [209.247.203.216] (60% done)

Analysis: Connections to HTTP port 80 on host 'www.dvdcca.org' [dsl-gte-11597-2.linkline.com] are working, but ICMP packets are being blocked past network "Level 3 Communications, Inc." at hop 10. It is a HTTP server (running Apache/1.3.12 (Unix)).

---------------------------------------------------------------------------------------------------------------------------------------------------------------------
| Hop | %Loss | IP Address      | Node Name                                      | Location              | Tzone  | ms  | Graph      | Network                      |
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
| 1   |       | 206.115.154.5   | tnt5.nyc3.da.uu.net                            | New York, NY, USA     | -05:00 | 197 |    --x-    | UUNET Dial-Up Networks       |
| 2   |       | 206.115.244.1   | -                                              | ?Fairfax, VA 22031    |        | 199 |    --x--   | UUNET Dial Access Network    |
| 3   |       | 152.63.23.178   | 229.at-2-0-0.HR1.NYC9.ALTER.NET                | New York, NY, USA     | -05:00 | 207 |    --x--   | UUNET Technologies, Inc.     |
| 4   |       | 152.63.15.150   | 0.so-1-3-0.XL2.NYC9.ALTER.NET                  | New York, NY, USA     | -05:00 | 210 |    --x--   | UUNET Technologies, Inc.     |
| 5   |       | 152.63.22.229   | POS7-0.BR2.NYC9.ALTER.NET                      | New York, NY, USA     | -05:00 | 212 |    --x--   | UUNET Technologies, Inc.     |
| 6   |       | 209.244.160.161 | atm4-0-1.core2.NewYork1.Level3.net             | New York, NY, USA     | -05:00 | 171 |    -x-     | Level 3 Communications, Inc. |
| 7   |       | 64.159.17.65    | unknown.Level3.net                             | -                     |        | 138 |    x-      | Level 3 Communications, Inc. |
| 8   |       | 64.159.0.218    | so-2-0-0.mp2.SanJose1.Level3.net               | San Jose, CA, USA     | -08:00 | 232 |       x    | Level 3 Communications, Inc. |
| 9   |       | 64.159.2.100    | gigabitethernet9-1.ipcolo2.SanJose1.Level3.net | San Jose, CA, USA     | -08:00 | 231 |      -x-   | Level 3 Communications, Inc. |
| 10  |       | 209.247.153.58  | unknown.Level3.net                             | -                     |        | 237 |       x--- | Level 3 Communications, Inc. |
| ... |       |                 |                                                |                       |        |     |            |                              |
| ?   |       | 209.247.203.216 | www.dvdcca.org                                 | ?Louisville, CO 80027 |        |     |            | Level 3 Communications, Inc. |
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Roundtrip time to 209.247.153.58, average = 237ms, min = 228ms, max = 328ms -- 11-Oct-01 2:51:46 PM

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

==================================================
=== VisualRoute report on 11-Oct-01 3:05:45 PM ===
==================================================

Report for www.mpaa.org [209.67.152.159]

Analysis: 'www.mpaa.org' was found in 15 hops (TTL=240). It is a HTTP server (running Microsoft-IIS/5.0). 

----------------------------------------------------------------------------------------------------------------------------------------------------
| Hop | %Loss | IP Address     | Node Name                       | Location               | Tzone  | ms  | Graph      | Network                    |
----------------------------------------------------------------------------------------------------------------------------------------------------
| 1   |       | 206.115.154.5  | tnt5.nyc3.da.uu.net             | New York, NY, USA      | -05:00 | 135 |   x-       | UUNET Dial-Up Networks     |
| 2   |       | 206.115.244.1  | -                               | ?Fairfax, VA 22031     |        | 145 |   x---     | UUNET Dial Access Network  |
| 3   |       | 152.63.23.178  | 229.at-2-0-0.HR1.NYC9.ALTER.NET | New York, NY, USA      | -05:00 | 142 |   x--      | UUNET Technologies, Inc.   |
| 4   |       | 152.63.15.126  | 0.so-1-3-0.XL1.NYC9.ALTER.NET   | New York, NY, USA      | -05:00 | 153 |   x----    | UUNET Technologies, Inc.   |
| 5   |       | 152.63.18.225  | POS6-0.BR1.NYC9.ALTER.NET       | New York, NY, USA      | -05:00 | 147 |   x---     | UUNET Technologies, Inc.   |
| 6   |       | 204.255.169.94 | -                               | ?Fairfax, VA 22031     |        | 142 |   x--      | UUNET Technologies, Inc.   |
| 7   |       | 12.122.11.213  | tbr1-p012402.n54ny.ip.att.net   | New York, NY, USA      | -05:00 | 179 |   -x-----  | ?12.122.11.0               |
| 8   |       | 12.122.11.205  | tbr1-p013902.cgcil.ip.att.net   | Chicago, IL, USA       | -06:00 | 209 |    x-----  | ?12.122.11.0               |
| 9   |       | 12.122.11.209  | tbr2-p012702.cgcil.ip.att.net   | Chicago, IL, USA       | -06:00 | 209 |    x-----  | ?12.122.11.0               |
| 10  |       | 12.122.10.10   | tbr2-p012501.sl9mo.ip.att.net   | St. Louis, MO, USA     | -06:00 | 230 |    -x---   | AT&T ITS                   |
| 11  |       | 12.122.11.221  | tbr2-p012402.la2ca.ip.att.net   | Los Angeles, CA, USA   | -08:00 | 244 |    -x-     | ?12.122.11.0               |
| 12  |       | 12.122.11.154  | gbr5-p40.la2ca.ip.att.net       | Los Angeles, CA, USA   | -08:00 | 203 |    x-      | ?12.122.11.0               |
| 13  |       | 12.123.222.1   | gar1-p361.irvca.ip.att.net      | -                      |        | 220 |    -x      | AT&T ITS                   |
| 14  |       | 216.148.4.18   | -                               | ?Santa Clara, CA 95054 |        | 312 |    --x---- | Exodus Communications      |
| 15  |       | 209.67.152.159 | www.mpaa.org                    | ?Santa Clara, CA 95054 |        | 205 |    x-      | Exodus Communications Inc. |
----------------------------------------------------------------------------------------------------------------------------------------------------
Roundtrip time to www.mpaa.org, average = 205ms, min = 201ms, max = 214ms -- 11-Oct-01 3:05:45 PM

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

==================================================
=== VisualRoute report on 11-Oct-01 3:03:29 PM ===
==================================================

Report for www.odci.gov [198.81.129.100]

Analysis: Connections to HTTP port 80 on host 'www.odci.gov' are working, but ICMP packets are being blocked past network "UUNET Technologies, Inc." at hop 10. It is a HTTP server (running Netscape-Enterprise/4.1).

----------------------------------------------------------------------------------------------------------------------------------------------------
| Hop | %Loss | IP Address     | Node Name                       | Location              | Tzone  | ms  | Graph      | Network                     |
----------------------------------------------------------------------------------------------------------------------------------------------------
| 1   |       | 206.115.154.5  | tnt5.nyc3.da.uu.net             | New York, NY, USA     | -05:00 | 133 |     x-     | UUNET Dial-Up Networks      |
| 2   |       | 206.115.244.1  | -                               | ?Fairfax, VA 22031    |        | 131 |     x---   | UUNET Dial Access Network   |
| 3   |       | 152.63.23.178  | 229.at-2-0-0.HR1.NYC9.ALTER.NET | New York, NY, USA     | -05:00 | 138 |     x----  | UUNET Technologies, Inc.    |
| 4   |       | 152.63.15.150  | 0.so-1-3-0.XL2.NYC9.ALTER.NET   | New York, NY, USA     | -05:00 | 147 |     -x---  | UUNET Technologies, Inc.    |
| 5   |       | 152.63.23.142  | 0.so-7-0-0.XR2.NYC9.ALTER.NET   | New York, NY, USA     | -05:00 | 154 |     -x---  | UUNET Technologies, Inc.    |
| 6   |       | 152.63.15.182  | 0.so-4-0-0.TR2.NYC9.ALTER.NET   | New York, NY, USA     | -05:00 | 159 |     -x---- | UUNET Technologies, Inc.    |
| 7   |       | 152.63.9.61    | 125.at-7-1-0.TR2.DCA6.ALTER.NET | Washington, DC, USA   | -05:00 | 144 |     -x-    | UUNET Technologies, Inc.    |
| 8   |       | 152.63.33.221  | 186.at-5-1-0.XR2.DCA1.ALTER.NET | Washington, DC, USA   | -05:00 | 166 |     -x--   | UUNET Technologies, Inc.    |
| 9   |       | 152.63.38.233  | 194.ATM7-0.GW6.RDU1.ALTER.NET   | Raleigh, NC, USA      | -05:00 | 164 |      x-    | UUNET Technologies, Inc.    |
| 10  |       | 157.130.85.234 | u41001-gw.customer.alter.net    | -                     |        | 184 |      -x--  | UUNET Technologies, Inc.    |
| ... |       |                |                                 |                       |        |     |            |                             |
| ?   |       | 198.81.129.100 | www.odci.gov                    | ?Washington, DC 20505 |        |     |            | Central Intelligence Agency |
----------------------------------------------------------------------------------------------------------------------------------------------------
Roundtrip time to 157.130.85.234, average = 184ms, min = 153ms, max = 233ms -- 11-Oct-01 3:03:29 PM

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------



From: mike
To: [email protected]
Cc: [email protected]
Subject: RIAA Safeweb Ping
Date: Fri, 12 Oct 2001 08:37:32 -0400

>   main1colo45-core2-oc48.lga2.above.net (216.200.127.174)  (New York, NY)

This last one above (216.200.127.174) is a colocated server at above.net in NYC.

From there, using a small piece of IP redirector software that they call "Triangle Boy", Safeweb just bounces packets around their network.

> About half the pings timed out before the last hop at:
> 
>   208.184.48.173.safeweb.com (San Jose, CA)
> 
> A few hit a "private" address after 208.184.48.173:
> 
>   10.100.0.2 (no location)

Likely just an internal Proxy-less netblock.... this is done often for private, non-routable IP addresses within a network. In other words, packets route ONLY in the internal network, routers are programmed to ignore any packets within such netblocks.

> before ending at:
> 
>   64.124.150.130.safeweb.com (San Jose, CA)
> 
> Interpretation is needed for:
> 
> 1. How much about the Safeweb stations is true and how much cloaking.

It's all true until you hit the colocated box. Then it's all cloaking.

> 2. Why some pings timed out and others didn't.

ICMP squelching is why.... you can selectively stop ICMP return packets from being sent.... often done to protect the "topography" of a network. If you can't hear the pings, you can count the servers or hops in a network path.

> 3. Phantom station 10.100.0.2

See above... not a phantom, just can't route.

> 4. Whether the San Jose hops actually go to San Jose or are spoofed.

It doesn't really matter..... even if the server is physically in San Jose, which I doubt, so what? The end user connecting to that specific server could have been anywhere -- in the Hindu Kush mountains, for instance :)

> 5. Why go to New York then hop across the continent unless the
> last hops are just administrative not physical.

They are probably not administrative... they exist to basically make the lives of anyone tracking a lone packet miserable :) Basically, it's just an inserted path to hide the origin of the packet.

> 6. How is cloaking done on addresses and physical locations

Email me offline.... I can answer some questions on this, but to really understand it you basically have to understand how TCP works. But this kind of "cloaking" isn't really cloaking, it's just one simple technique partnered with a network that has enough depth to make it look like you're bouncing around from one place to another.

I forget the specifics, but there's an old physics problem involving a black box and inputs and outputs. That's what you have here..... the black box isn't really so big, but because you can't see in it, you don't know EXACTLY how big, or more to the point, exactly what is in it. That's the idea behind ICMP squelching.

btw, this is really a simple defense; it is somewhat easy to overcome, although that doesn't mean that you could actually learn anything useful by overcoming it.

> Is cloaking done by a Safeweb program, say by address spoofer or by 
> phantom proxies, or is there a way to do this by special agreement 
> with Network Central (whatever that is), say, as Intel Web and other 
> classified systems covertly use the Web.

:) Nothing special at all..... any well-designed network implements this right off the bat, to stop the little scripties from following a trail of bread crumbs. Safeweb DOES do some (simplistic) IP spoofing and "cloaking", but what you see is NOT it....
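
Added example, not part of the original page or of the reader's message: a Python parser for the VisualRoute hop table that flags the properties discussed above (an RFC 1918 hop, reverse names that only echo the IP address, locations marked with a leading `?`). Reading the `?` as VisualRoute's marker for a location it inferred rather than confirmed is an assumption, and the flag names are made up for this example.

```python
import ipaddress

# Rows copied from the 3:06:54 PM VisualRoute report above
# (header, hops 8-12, the "..." gap row and the target row).
REPORT = """\
| Hop | %Loss | IP Address      | Node Name                             | Location            | Tzone  | ms  | Graph      | Network                       |
| 8   |       | 208.184.231.245 | abovenet-uunet-OC12.lga2.above.net    | New York, NY, USA   | -05:00 | 133 |     x      | Abovenet Communications, Inc. |
| 9   |       | 216.200.127.169 | core2-core3-oc48.lga2.above.net       | New York, NY, USA   | -05:00 | 142 |     x      | Abovenet Communications, Inc. |
| 10  |       | 216.200.127.174 | main1colo45-core2-oc48.lga2.above.net | New York, NY, USA   | -05:00 | 138 |    -x      | Abovenet Communications, Inc. |
| 11  |       | 208.184.48.173  | 208.184.48.173.safeweb.com            | ?San Jose, CA 95113 |        | 217 |       x-   | Abovenet Communications, Inc. |
| 12  |       | 10.100.0.2      |                                       |                     |        | 283 |       --x- | (private use)                 |
| ... |       |                 |                                       |                     |        |     |            |                               |
| ?   |       | 64.124.150.144  | 64.124.150.144.safeweb.com            | ?San Jose, CA 95113 |        |     |            | Abovenet Communications, Inc. |
"""

# Address blocks reserved for private use by RFC 1918; never routed on the public Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_rows(report):
    """Return one dict per hop row; skips rulers, the header and the '...' gap row."""
    rows = []
    for line in report.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 9 or cells[0] in ("Hop", "..."):
            continue
        hop, _loss, ip, name, location, _tz, ms, _graph, network = cells
        rows.append({
            "hop": int(hop) if hop.isdigit() else None,
            "answered": hop.isdigit(),      # a '?' row is the target that never replied
            "ip": ip,
            "name": name,
            "location": location,
            "ms": int(ms) if ms else None,
            "network": network,
        })
    return rows


def flag_hop(row):
    """Label what a hop row does and does not tell the reader (hypothetical flag names)."""
    flags = []
    addr = ipaddress.ip_address(row["ip"])
    if any(addr in net for net in RFC1918):
        flags.append("rfc1918-private")      # internal link address, not a "phantom"
    if row["name"] in ("", "-"):
        flags.append("no-ptr")
    elif row["name"].startswith(row["ip"] + "."):
        flags.append("ptr-echoes-ip")        # reverse name carries no site or role hint
    if row["location"].startswith("?"):
        flags.append("location-unverified")  # assumption: '?' = inferred, not measured
    return flags


def analyze(report):
    """Summarise a report: per-hop flags, last responder, and whether the target replied."""
    rows = parse_rows(report)
    answered = [r for r in rows if r["answered"]]
    silent = [r for r in rows if not r["answered"]]
    last = answered[-1]
    target = silent[-1] if silent else last
    return {
        "flags": {r["hop"]: flag_hop(r) for r in answered},
        "target_flags": flag_hop(target),
        "last_responder": last["ip"],
        "target": target["ip"],
        "target_reached": not silent,
    }


if __name__ == "__main__":
    result = analyze(REPORT)
    for hop, flags in result["flags"].items():
        print(hop, ", ".join(flags) or "-")
    print("last responder:", result["last_responder"],
          "| target reached:", result["target_reached"])
```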


Date: Fri, 12 Oct 2001 08:44:57 -0400 (EDT)
From: Thomas
To: [email protected]
Subject: DNS servers for safeweb.com

I don't know if you are still interested in the safeweb.com stuff but I note (see below enclosed in horizontal lines) that the DNS servers for their domain have very bad security as anyone can download their zone tables. Note the bottom of it lists 7 hosts on their domain. safeweb.com should probably complain to above.net for the bad BIND configuration. Also note that this is standard Internet stuff so my looking up the data could not possibly be considered illegal!

------------------------------------------------------------------------
Non-authoritative answer:
safeweb.com	nameserver = NS.ABOVE.NET
safeweb.com	nameserver = NS3.ABOVE.NET
safeweb.com	internet address = 216.104.228.139
safeweb.com	preference = 20, mail exchanger = norm.pooka.safeweb.com
safeweb.com	preference = 10, mail exchanger = cliff.pooka.safeweb.com

Authoritative answers can be found from:
safeweb.com	nameserver = NS.ABOVE.NET
safeweb.com	nameserver = NS3.ABOVE.NET
NS.ABOVE.NET	internet address = 207.126.96.162
NS3.ABOVE.NET	internet address = 207.126.105.146
norm.pooka.safeweb.com	internet address = 216.104.228.115
cliff.pooka.safeweb.com internet address = 65.107.16.34
> server ns3.above.net
Default Server:	ns3.above.net
Address:  207.126.105.146

> ls safeweb.com
[ns3.above.net]
$ORIGIN safeweb.com.
@			12H IN A	216.104.228.139
dns1.pooka		12H IN A	216.104.228.142
dns2.pooka		12H IN A	64.124.150.4
norm.pooka		12H IN A	216.104.228.115
redirect.pooka		12H IN A	65.107.16.45
mail.pooka		12H IN A	65.107.16.35
cliff.pooka		12H IN A	65.107.16.34
fugu			12H IN A	65.107.16.44

--------------------------------------------------------------------
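
Added example, not part of the original page or of the reader's message: the `ls safeweb.com` listing above succeeds because the name server answers zone-transfer requests from any host. This Python check audits a BIND `named.conf` for authoritative zones left open to transfer. The configuration text is constructed, and treating a missing `allow-transfer` as open is an assumption that matches older BIND defaults (set `default_open=False` otherwise).

```python
import re

# Constructed named.conf: three authoritative zones with different transfer settings.
SAMPLE_CONF = """
options {
    directory "/var/named";   // no global allow-transfer
};
zone "example.com" {
    type master;
    file "example.com.zone";
};
zone "example.net" {
    type master;
    file "example.net.zone";
    allow-transfer { 192.0.2.53; };   # the secondary only
};
zone "example.org" {
    type master;
    file "example.org.zone";
    allow-transfer { any; };
};
zone "." {
    type hint;
    file "root.hints";
};
"""

ACL_RE = re.compile(r"\ballow-transfer\s*\{([^}]*)\}")
ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"[^{;]*\{')
AUTH_RE = re.compile(r"\btype\s+(master|primary|slave|secondary)\s*;")


def _strip_comments(conf):
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def _block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in configuration")


def _acl(body):
    """Entries of a flat allow-transfer list, or None when the option is absent."""
    m = ACL_RE.search(body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def _status(acl, default_open):
    if acl is None:
        return "open-by-default" if default_open else "closed"
    if "any" in acl:
        return "open"
    if acl == ["none"]:
        return "closed"
    return "restricted"


def audit(conf, default_open=True):
    """Map each authoritative zone to its zone-transfer exposure."""
    conf = _strip_comments(conf)
    opt = re.search(r"\boptions\s*\{", conf)
    global_acl = _acl(_block_body(conf, opt.end() - 1)) if opt else None
    report = {}
    for m in ZONE_RE.finditer(conf):
        body = _block_body(conf, m.end() - 1)
        if not AUTH_RE.search(body):
            continue                      # hint/forward zones hold no transferable data
        acl = _acl(body)
        if acl is None:
            acl = global_acl              # a zone without its own list inherits options
        report[m.group(1)] = _status(acl, default_open)
    return report


def open_zones(conf, default_open=True):
    """Names of zones any host could download, sorted."""
    return sorted(z for z, s in audit(conf, default_open).items() if s.startswith("open"))


if __name__ == "__main__":
    for zone, status in audit(SAMPLE_CONF).items():
        print(f"{zone:12} {status}")
```

Adding `allow-transfer { none; };` to `options`, with a per-zone list naming only the secondaries, closes the zones this reports as open.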