Saturday, July 01, 2006

Spying on the spies

A few posts below, we discussed how you can use a simple tool on your computer to see if the NSA is peeking at your computer activity. Just go to your DOS prompt and type in "tracert nsa.gov" (without the quotes).

Many people reported that the number 12.110.110.131 showed up at the end of the trace. This number belongs to LinguaListek, a mysterious firm which seems to be a branch of dNovus, whose president is an ex-NSA guy. dNovus may have a connection of some sort to Lockheed.

As my readers discovered, if you want to do this sort of work properly, you need a good tool to look up who is at the other end of an IP address. I recommend this one, called IP Lookup. It's freeware. Before unpacking the file, I hit it with a good anti-virus scanner (AntiVir) and with a decent anti-trojan/anti-spyware scanner (a-squared); both scanners pronounced the program clean. Works real nice, too.

Turns out LinguaListek owns IP numbers in the range 12.110.110.128 through 12.110.110.135. Their head tech guy appears to be someone named Montas Louis, phone number 1-410-953-0300, address mlouis@lingualistek.com.

(I tried to look up this person's home address -- fair is fair, right? -- and found a couple of listings for an "M. Louis" in Maryland. It occurs to me that the real name might be Louis Montas. There are a few people listed by that surname in Maryland, but none of them are a Louis.)

You can visit the good folks of LinguaListek at 9861 Broken Land Parkway, Suite 300, Columbia, MD, 21046. Tell 'em Uncle Joe says "Yo!"

Why am I giving all this info? Because as long as we are being spied upon, we might as well be properly introduced.
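
An added example, not part of the original post: the address range above expressed as a CIDR block, with the addresses quoted in the post and its comments tested against it. It assumes the range starts at 12.110.110.128; the function names are illustrative.

```python
import ipaddress

# Range as reported in the post, taking its start as 12.110.110.128 (assumption).
FIRST = ipaddress.ip_address("12.110.110.128")
LAST = ipaddress.ip_address("12.110.110.135")

# Addresses quoted on this page and where each one appears.
OBSERVED = {
    "12.110.110.131": "end of the trace, per the post",
    "12.110.110.132": "end of the trace, per a comment",
    "12.110.110.204": "address debated in the comments",
    "64.29.145.73": "A record in the dig output for lingualistek.com",
}


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that covers first..last exactly."""
    return list(ipaddress.summarize_address_range(first, last))


def distance_from_range(addr, first=FIRST, last=LAST):
    """Addresses between addr and the nearest edge of the range (0 = inside)."""
    ip = int(ipaddress.ip_address(addr))
    if ip < int(first):
        return int(first) - ip
    if ip > int(last):
        return ip - int(last)
    return 0


def classify(observed=OBSERVED):
    """Return {address: (inside_block, distance, same_slash24)}."""
    blocks = range_to_cidrs(FIRST, LAST)
    slash24 = ipaddress.ip_network(f"{FIRST}/24", strict=False)
    result = {}
    for addr in observed:
        ip = ipaddress.ip_address(addr)
        inside = any(ip in block for block in blocks)
        result[addr] = (inside, distance_from_range(addr), ip in slash24)
    return result


if __name__ == "__main__":
    print("range as CIDR:", [str(b) for b in range_to_cidrs(FIRST, LAST)])
    for addr, (inside, dist, near) in classify().items():
        print(f"{addr:15} inside={inside!s:5} distance={dist:<10} "
              f"same /24={near!s:5} ({OBSERVED[addr]})")
```

The range collapses to a single /29 of eight addresses; 12.110.110.204 lies 69 addresses past its end, and the lingualistek.com A record sits in a different network altogether. Numeric closeness inside a /24 does not show who an address is registered to; that takes a whois lookup on each address.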

14 comments:

Anonymous said...

Any suggestions for Mac users?

Anonymous said...

Here is the actual dig output for lingualistek.com:

; <<>> DiG 9.2.2 <<>> lingualistek.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57013
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;lingualistek.com. IN A

;; ANSWER SECTION:
lingualistek.com. 86400 IN A 64.29.145.73

;; AUTHORITY SECTION:
lingualistek.com. 31301 IN NS ns3.carrierzone.com.
lingualistek.com. 31301 IN NS ns4.carrierzone.com.
lingualistek.com. 31301 IN NS ns1.carrierzone.com.
lingualistek.com. 31301 IN NS ns2.carrierzone.com.

;; ADDITIONAL SECTION:
ns1.carrierzone.com. 8665 IN A 64.29.144.67
ns2.carrierzone.com. 8665 IN A 64.29.154.67
ns3.carrierzone.com. 8665 IN A 216.251.32.106
ns4.carrierzone.com. 8665 IN A 69.49.105.100

;; Query time: 86 msec
;; SERVER: 207.69.188.185#53(207.69.188.185)
;; WHEN: Sat Jul 1 13:22:36 2006
;; MSG SIZE rcvd: 198

Based on this, the IP addresses of 12.110.110.13x don't seem to be associated with this domain.

A traceroute to lingualistek.com ends at:

miamfl6lcx1-pos6-0.wcg.net (64.200.119.102) 103.612 ms 102.810 ms 100.195 ms

A border router of wcg.net in Miami Florida. Again, this may be a hosting company.

Eleanore, your Mac is a Unix computer. All of the standard network analysis tools, like 'dig', 'host', 'traceroute' and others are all already on there, accessible via the command line. Alternately, you can use the "Network Utility" application that is in the "Utilities" folder of the "Applications" folder. All of the network analysis I have posted on this blog today I've done on a PowerBook G4.

Anonymous said...

Fascinating and vaguely ominous, Joseph. I tried this trace last night and ended up with the .132 code, after three or four intervening ISPs in NYC and DC (I live in Maine). My web use is entirely innocuous, if VERY "sinister" (as in left-oriented).

I know some ultra-conservatives with computers. I wonder if they would show the same traces...

Anonymous said...

Notice the owner of LinguaListek is Elizabeth Rendon. I don't recall there being a direct link between Elizabeth Rendon and John Rendon, of the infamous Rendon Group, who devised much of the Iraq War propaganda...

I don't know there's any connection, but it's a curious coincidence...

Anonymous said...

dqueue, from the link you provided, this is Elizabeth Rendon talking:
(snip)
"After supporting various programs throughout my years at Booz-Allen & Hamilton, I knew I had a good foundation to start and manage my own business. I started on a small scale and have grown the business to include 160 professionals. We provide localization of software programs, language services, and IT support for the Department of Defense.
I've had a few (mentors) including my dad, Victor Rendón who had his own business. Also others include Mike Noonberg and Marty Leshin at Booz-Allen & Hamilton."
(snip)

Booz-Allen is a highly connected law firm. Joe, got any immediate background on them?

Anonymous said...

Also, if that block of IP addresses is really "owned" by linguaListek, and 12.110.110.204 is the NSA, can't we conjecture that linguaListek got that block from the NSA?

I mean, really, what are the odds that linguaListek just happened to draw a number series so close to the NSA's home IP address? The NSA (or the Feds, anyway) probably own ALL of 12.110.110...

So, did the NSA "loan" the IP address block to linguaListek, or give it to them? Can linguaListek be listed as owner if the IPs really belong to the government? There's something dirty going on...

Anonymous said...

Doug, if you are out there...

Your knowledge and grasp of routing, etc., is amazing. However, and please don't jump all over me for explaining...

I have known the NSA is listening in to me (at least by keywords) since 1999, when they tried to draw me out. What I am interested in HERE is the relationship between the private companies of dNovus and linguaListek, and the NSA/DIA/DoD for whom they contract to do Sigint collection and analysis. This isn't just an idle curiosity; it is possible, if not outright likely, that this cozy relationship is corrupt, in the same way as Wilkes/Foggo and the bribing of Cunningham was corrupt.

It seems to me that the more we know about NSA surveillance, how it is done and who does it for the NSA, the better.

Your suggestion about the donation to the EFF is an excellent one.

Please, though, temper your harsh tone. We are all on the same side here.

DrewL said...

Unirealist...Booz, Allen & Hamilton is not a "highly connected law firm", as you state. It is a very well-regarded management consulting firm, along the lines of McKinsey & Co. or Boston Consulting Group. BAH tends to be involved in engagements that include an engineering or process orientation vs. strictly management-oriented projects. One of my best friends from grad school worked for BAH for several years. They're one of the "biggies" of the consulting world.

Anonymous said...

Oh, come on, DrewL.

Booz, Allen has 10,00 employees and is headquartered in McLean, Virginia. Ring a bell?

Booz, Allen has been awarded the contract for enterprise support at DHS.

Booz, Allen is a leader in RFID technology (including for DoD).

Booz, Allen is the auditor for the NSA in its latest intrusion--surveillance of global financial transactions.

Booz, Allen was just awarded a ten million dollar modification on a previously awarded contract with the Navy/DoD, for "special communications requirements."

Booz, Allen does the verification of subpoenas for wiretapping for the Bush Administration, when it wants to sidestep the courts.

Booz, Allen did the administrative work for DHS in the decisions to cut funds to NYC and DC because they had so few terrorist targets.

If these guys aren't well-connected, who is?

Anonymous said...

I don't think the NSA owns any netblocks. Consistent with our private industry driven military/govt agencies, they contract for net access, and LinguaLISTek is their provider.

This site provides a little more analysis: http://www.lastcallpdx.com/node/3

Their analysis suggests to me that LinguaLISTek is less a private company and more a means for the NSA to deploy software for collecting e-mail and internet traffic. That's fine as long as court warrants are involved.

Other than warrantless domestic spying, the real scandal as far as I'm concerned is that LinguaLISTek may have a free ride from the NSA with no-bid contracts and that laws were broken to make that happen.

Anonymous said...

Here's another wrinkle--while Netcraft shows LinguaLISTek as the owner of 12.110.110.204, ARIN says UUNET Technologies owns that netblock.

So what's the relationship between LinguaLISTek and UUNET or its owner MCI? And of course, what kind of working relationship does the NSA have with MCI?

Anonymous said...

Ahh, so the .204 is not NSA, but rather linguaListek? Perhaps MCI previously owned that IP block, and gave/loaned it to linguaListek for an NSA contract?

You guys figure this out. I'll be on vacation for a week. When I'm back, I'm going to want some answers!

And don't let Bushco start any more wars while I'm gone.

Anonymous said...

Again for Mac users, download freeware "WhatRoute" from versiontracker.com.

Works on MacOS 9 and 10. Has trace, search, ping, and whois identity.

Anonymous said...

Doug is essentially correct if impolite.

I am a Network Engineer for a major corporation, so here is the deal from a geek translated to non-geek.

The trace routes in this situation will tell you nothing useful unless the people who run the NSA spying program are as incompetent as the Neocons are with politics.

There is no need to “route” or redirect traffic through the NSA or any other place to eavesdrop on it. One need merely install a “tap” at any place along the way. Major backbone links such as those possessed by AT&T, SBC, L3, etc. would be ideal. At the tap point the data is copied and that copy is sent off to wherever desired. The original data is sent along its way unchanged in any way.

Also, in many instances IP (source or destination) is not a reliable method of determining physical location. Say that corporation XYZ owns network address of 126.x.x.x. They may have locations all over the world that use sub-network addresses of this address.
In other cases the IP may be helpful in getting a physical location. ISP ABC uses addresses 12.123.x.x for one town and 12.124.x.x for another town and so forth, but this all requires a little investigation that you would be unlikely to do as you are “grabbing” data from a tap. More likely you just:

Grab it all if you can store that much data.
Search in the data for things you care about. Keywords, IP addresses of foreign govs, companies and people you don’t like, etc.

If I had to take a guess I’d say they grab based on keywords or website addresses and store it all for later analyses. And my $$ says this place is on the list.