Sunday, July 02, 2006

Spooked

I'm still not sure what to make of the "tracert nsa.gov" business discussed below. I asked for the services of a geek, and got a reply from someone named Doug who seemed to know what he was talking about. His message: "Not to worry." Alas, Doug turned out to be one of those unnecessarily combative types who accused me of making a pronouncement when I was asking a question. I had to wonder: Was I dealing with one of those net-nuts who love vituperation for its own sake (and lord knows there are plenty of those), or was something more sinister going on?

The second possibility now has some evidence to back it.

My piece originally derived from this post on the Wired site. Doug, the insulting geek commentator, claimed that Wired had pulled this piece due to inaccuracy. But they didn't. Click and see. I don't know if the claims on the 27B Stroke 6 blog are accurate or not, but that post definitely remains in view. And I have yet to find a retraction anywhere on the Wired site.

Sloppy work, my spooky friend. Sloppy.

6 comments:

Anonymous said...

First of all, it strikes me that you're unfair to Doug (or, at least, to his tone) -- he's a little impatient maybe, but hardly "hostile". And why a spook would bother to enter this discussion here is hard to fathom. What could it possibly accomplish? Throwing a few people off the scent on cannonfire isn't likely to end the debate, or put an end to interest in this question, including the legal questions raised by warrantless government surveillance.

And it's already widely accepted that no one should expect a high level of confidentiality or privacy from anything typed on the internet, even if the NSA isn't monitoring the connection. Doug himself points this out: it's always best to assume someone is listening, for the simple reason that it's easy enough to do so.

Lastly, it's possible EVERYONE'S email traffic is going through these rooms, for computer analysis. But we're talking about the same people who don't have the time or resources to translate KNOWN terrorist intercepts. Their incapacity hardly excuses the spying (if it's going on), but reading "everything" is the same as reading "nothing". If the set of data is the universe of internet traffic, they're hopelessly lost....

Anonymous said...

This is getting out of hand. All we need to know is, does "tracert nsa.gov" actually reveal whether any given internet connection is being spied upon by the government?

We've had one seemingly credible technical opinion on the subject, source unknown. But there must be a million computer science professionals able to settle this matter instantly. It's too rudimentary to lie about, even assuming all computer geeks were Republicans and Rovers (which ain't so!).

So do what journalists do, or are supposed to do: call an expert in the field. Live near a university? Try the computer science department. Also the hackers' publication, 2600.

Anonymous said...

I agree, Joseph, that Doug was both spooky and sloppy. But these days, aren't they all getting sloppy?

Fellas? Your boys are done. If you want to do something useful in response to that, start updating your c.v.s instead of making attempts to mess up the lives of blog writers.

I guess I also agree with Anon 10:19's post, though, that we shouldn't let Doug get us too riled up, especially considering how amateur he looked to be, and just refocus on the original question that started this mess. I wish I could help, but I am only a dork, not a geek. And many of the geeks I used to know went underground (some literally) after 2003 or so. Sucks.

Anonymous said...

anon from SF

Joseph,

I don't think Doug is being sinister, just another obnoxious IT Geek who talks down to his "end-users" and you have succeeded in getting him riled up because you don't understand tcp/ip routing and limitations of simple tracert commands. Obviously Doug is wrong about Wired's source article being pulled but that doesn't make him sinister or a rightwingnut troll. All he is trying to say, but is saying it in an impolite and insulting way, is that you can't prove much regarding whether or not the feds are intercepting all your internet traffic by doing a simple tracert DOS command. I have suffered from working with super geeks like Doug who talk down to me because I wasn't "one of them" and they considered me too technically ignorant to bother explaining what they were doing on the server/computer/network. Doug was trying to explain the limits of what can be done using a tracert and what can be identified and I agree with him, he has a point and he got insulting because you weren't getting it. Please don't take offense for me stating this. I am on your side.

So, Joseph, I have spent time this morning and evening going through the original Wired articles posted on May 23rd/May 22nd regarding former AT&T employee Mark Klein's allegation about the alleged "secret room" and all of the nine pages of the comments posted to the Wired blog you posted. One reason why it is virtually impossible to figure out if your internet traffic is being intercepted by the feds is that any router can be set up by ATT, Verizon, Sprint, MCI such that all traffic is "split" off and there is no way to figure out if our data is being "split" by the ISP's router. "Split" means that a copy of all the packets is being made from a circuit at the router level, per Mark Klein's source documents he got from AT&T which document this "splitting"; I have posted the link below. From the original May 22nd Wired article, you can even download the .pdf file that contains the AT&T info about "splitting".

As a public service, I have copied and pasted the best of those comments from the 9 pages and also excerpted the original Wired article in the hope of providing some other explanations coming from other techs why the tracert provides limited info and why it is virtually impossible to figure out if the feds are datamining all the internet traffic:

http://www.wired.com/news/technology/0,70944-0.html

Whistle-Blower's Evidence, Uncut

"In order to monitor such communications, one has to physically cut into the fiber somehow and divert a portion of the light signal to see the information.
This problem is solved with "splitters" which literally split off a percentage of the light signal so it can be examined. This is the purpose of the special cabinet referred to above: Circuits are connected into it, the light signal is split into two signals, one of which is diverted to the "secret room." The cabinet is totally unnecessary for the circuit to perform -- in fact it introduces problems since the signal level is reduced by the splitter -- its only purpose is to enable a third party to examine the data flowing between sender and recipient on the internet."

Here are the best of the nine pages of posts to the Wired blog site; I have taken the time to copy and paste each comment and the URL from which it came:

http://blog.wired.com/27BStroke6/?entry_id=1510938&page=3


Ok, people, stop...
You are trying to read WAY too much into a traceroute and ping.
It just so happens that AT&T owns a lot of damn fiber in this country, so there is a good chance that you will be routed through them one time or another.
A packet will attempt to find the shortest route possible when traversing the net. One time it might be AT&T another time it might be Sprint.
If you are concerned that you might be watched, then the least you can do is download and use TOR. It uses what they call Onion proxy servers. Your IP actually becomes the one attached to the server running at someone's house. The novel thing of it is that the person running that server has no way of telling where your original IP is coming from. Rather than babble on about it, I suggest you read about it.
Google for TOR. Trust me, you will like it. If you don't like the IP you are connected to, just close the app and connect again to another one.

http://blog.wired.com/27BStroke6/?entry_id=1510938&page=1

There are a number of different commercial products to sniff data directly off of the fiber without a hop even appearing. It doesn't matter who the provider is, the feds are set up with all the major players to allow them to sniff their traffic and pull all the info they need. Generally br is border router and ar is access router, so is sonet link. The router and interface IPs don't really have to map to the exact city/state because they are probably registered through a locality and then broken into pieces. They're not trying to trick you by misleading the dns naming, it really is easy to sniff that traffic; how to sort and manage all that data coming off the pipe is another story altogether.

http://blog.wired.com/27BStroke6/?entry_id=1510938&page=4

Gents, plz calm down:
it is VERY easy to tap any communication without traces as long as you get physical access to the wire:
- bridges
- high-level encap
- prism in case of fiber
Many of these technologies are discussed around IDS-technology and are widely known - or, at least, should be.

You should really suspect, that ALL communication CAN be monitored without leaving ANY trace.
How to datamine this avalanche is quite a different kettle of fish.

A router showing up in traceroute is either a sign of very, very bad craftsmanship or a misleading lead - though, in fact it may be sniffing data.

http://blog.wired.com/27BStroke6/?entry_id=1510938&page=8

It looks like ATT / NSA has shut down reverse DNS / enabled "no-ip" routing on all associated nodes to cover it up; the nodes in the original post no longer resolve:
tracert tbr2-p012201.sffca.ip.att.net
Unable to resolve target system name tbr2-p012201.sffca.ip.att.net.

tracert tbr1-cl2.sl9mo.ip.att.net
Unable to resolve target system name tbr1-cl2.sl9mo.ip.att.net.

tracert tbr1-cl4.wswdc.ip.att.net
Unable to resolve target system name tbr1-cl4.wswdc.ip.att.net.

tracert ar2-a3120s6.wswdc.ip.att.net
Unable to resolve target system name ar2-a3120s6.wswdc.ip.att.net.

tracert ae-23-56.car3.SanJose1.Level3.net

Tracing route to ae-23-56.car3.SanJose1.Level3.net <4.68.123.173>
over a maximum of 30 hops: (this one still works but it is non-ATT)

end of anon from SF comment

Anonymous said...

I founded one of the first public ISPs back in the early 90s and continue with web businesses. Doug is essentially right in his analysis, and I didn't think he was at all obnoxious, just a little frustrated with the comments and he missed the original meaning of the article. I think you over-reacted a little, Joseph.

Now, reading the wired analysis and pdfs, there were two "claims". First was that if your data went via sffca.ip.att.net then it was being sniffed by the NSA. Presumably because the NSA equipment was linked to that IP.

Technically, this is perfectly plausible.

The second was that *any* att.net address was potentially a problem because there is more than one sniffing "room".

Also perfectly plausible.

Now, one reason Doug got upset was purely the choice of tracing to nsa.gov. It looks like the nsa.gov website is connected via ATT - so no matter where you are in the world, you *must* go via ATT to reach their website. In my case I'm outside the US, but if I do a trace to nsa.gov I go via ATT (as I would expect, since the nsa.gov computer is apparently connected to the internet via ATT). But I did not see the sffca.ip.att.net address. So I'm apparently not being sniffed by the "room" where there is "evidence" of NSA activity.

Try some tracerts to other destinations, e.g. tracert microsoft.com or tracert bbc.co.uk. If every time you trace then sffca.ip.att.net appears - well, wait for the knock at the door :-). If you personally or your ISP is not connected directly to ATT, but sometimes ATT addresses appear, but not sffca.ip.att.net, and sometimes not - I wouldn't worry about it, you're just being routed around the internet normally. Some of your packets may be being intercepted in some ATT room somewhere, so either encrypt or GOTV so overwhelmingly that even Diebold can't help and change your government. :-)
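The check the comment above describes (trace to several unrelated destinations and see which hops show up every single time), written out as an added example that is not part of the original thread: it parses Windows tracert output and separates hop sites common to every trace from those seen only for some destinations. The router names are the att.net and Level3 ones quoted in the comments; the IP addresses, RTTs and the two traces themselves are constructed.

```python
import re
from typing import Dict, List

# One hop line of Windows `tracert` output; timed-out hops ("* * * Request
# timed out.") do not match and are skipped.
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?:(?:<?\d+ ms|\*)\s+){3}"
                    r"(?P<name>[^\s\[]+)(?:\s+\[(?P<ip>[\d.]+)\])?\s*$")

def parse_tracert(output: str) -> List[str]:
    """Named (or bare-IP) hops in the order tracert printed them."""
    return [m.group("name").lower()
            for m in map(HOP_RE.match, output.splitlines()) if m]

def hop_site(hop: str, labels: int = 4) -> str:
    """Last `labels` DNS labels, so two routers at one site compare equal
    (tbr2-p012201.sffca.ip.att.net -> sffca.ip.att.net); a bare IP is unchanged."""
    return ".".join(hop.split(".")[-labels:])

def site_coverage(traces: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each hop site to the destinations whose trace passed through it."""
    cov: Dict[str, set] = {}
    for dest, out in traces.items():
        for site in {hop_site(h) for h in parse_tracert(out)}:
            cov.setdefault(site, set()).add(dest)
    return {site: sorted(dests) for site, dests in cov.items()}

def common_hops(traces: Dict[str, str]) -> List[str]:
    """Sites present in every trace: they sit on your own upstream path no
    matter where packets go. A site seen only for some destinations is
    ordinary transit routing, which is the distinction the comment draws."""
    return sorted(s for s, d in site_coverage(traces).items() if len(d) == len(traces))

# Constructed sample output (IPs from the 192.0.2.0/24 documentation range;
# the router names are the ones quoted in the comments above). Not real captures.
TRACES = {
    "nsa.gov": """Tracing route to nsa.gov [192.0.2.200]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.0.2.1
  2    10 ms    11 ms    10 ms  tbr2-p012201.sffca.ip.att.net [192.0.2.10]
  3    25 ms    24 ms    25 ms  tbr1-cl4.wswdc.ip.att.net [192.0.2.20]
  4     *        *        *     Request timed out.
  5    30 ms    31 ms    30 ms  192.0.2.200""",
    "bbc.co.uk": """  1    <1 ms    <1 ms    <1 ms  192.0.2.1
  2    10 ms    10 ms    11 ms  tbr2-p012201.sffca.ip.att.net [192.0.2.10]
  3    40 ms    41 ms    40 ms  ae-23-56.car3.SanJose1.Level3.net [192.0.2.30]
  4    95 ms    94 ms    96 ms  192.0.2.201""",
}

if __name__ == "__main__":
    print("on every path:", common_hops(TRACES))
    print("by destination:", site_coverage(TRACES))
```

This only ever sees routers that answer traceroute probes; a passive optical splitter of the kind the Wired excerpt describes adds no hop and is invisible to it, which is the limit the comments keep returning to.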

Anonymous said...

I think Doug's just pissed that you busted him on his collection of LOTR action figures, not that there's anything wrong with that. ;)