13 October 2001: Link to identification of the Safeweb proxy server:
http://cryptome.org/riaa-anongo.htm
12 October 2001: Add reader comments.
12 October 2001
This relates to allegations made about a secret RIAA meeting:
http://cryptome.org/riaa-secret.htm
Comments welcome. Send to: jya@pipeline.com
Based some three dozen pings of Safeweb IP address 64.124.150.130 (- .144) from locations in the US and overseas, all pings conclude with variations on these 5 or 6 hops:
lga1-lhr3-stm64.lga1.above.net (64.125.31.182) (New York, NY) core2-lga1-oc192.lga2.above.net (208.184.232.198) (New York, NY) main1colo45-core2-oc48.lga2.above.net (216.200.127.174) (New York, NY)
About half the pings timed out before the last hop (or variation of):
208.184.48.173.safeweb.com (San Jose, CA)
A few hit a "private" address after 208.184.48.173:
10.100.0.2 (no location)
before ending at:
64.124.150.130.safeweb.com (San Jose, CA)
(The station locations were provided by trace route program VisualRoute.)
Interpretation of the pings is needed for:
1. How much about the Safeweb stations is true and how much cloaking.2. Why some pings timed out and others didn't.
3. Phantom station 10.100.0.2
4. Whether the San Jose hops actually go to San Jose or are spoofed.
5. Why go to New York then hop across the continent unless the last hops are just administrative not physical.
6. How is cloaking done on addresses and physical locations.
Is cloaking done by a Safeweb program, say by address spoofer or by phantom proxies, or is there a way to do this by special agreement with Network Central (whatever that is), say, as Intel Web and other classified systems do for cover use of the Web.
Recall that Safeweb was selected for financial support by the CIA so intel officers could use it to cloak their Net use. And other programs such as Onion make use of sub-Net features not easily available to the surface user.
Now, onto news of the RIAA leaker (not yet a proven hoaxer despite Declan McCullagh, RIAA and friends alleging that).
We received a third message yesterday from the alleged source of the RIAA allegations who was pissed at our attempts to trace the source. Use of Safeweb was admitted. Angry words were hurled at us. Allegations were made that parties have been punished for the leak though not the leaker who fears that information about the traces could be used for that. Here's Cryptome's response to the source (full messages and headers from the source will be published later if they are proven to be a hoax):
October 11, 2001I very much appreciate your concern. I have stated publicly that I do not yet believe there has been a hoax and that the source of the messages will not be disclosed if the messages can be shown to be legitimate. Not that I have any hard information on who you are. And don't need to know who you are so long as your information is reliable. Hell, it doesn't have to be reliable just provocative and unsettling.
Right now there is a push on by a host of people to promote that the messages are a hoax, and if they prevail RIAA will be the main beneficiary. And a great story becomes a bore.
It is to head off that win by RIAA, to avoid giving them improved protection against future abuses as a result of the alleged hoax, that I wish to get from you information that will demonstrate there was no hoax. Again without putting you in jeopardy.
In a tough fight like this RIAA and its supporters will do whatever they can to smear and deny your revelations. That's the way it is, so fighting back is the only answer to prevent an RIAA win by default as result of your valiant effort.
Listen, this very thing happens every time we put up a controversial document, and your protection is paramount, but opponents of publication will fight like hell to deny the truth. But you surely know that. Now is when the going gets tough. You need to decide how to avoid losing this battle, losing your reputation and the whole shebang.
I say come forth with proof of the meeting and comments made, provide it through a secure channel to protect your identity. But don't let this story die a useless death.
Tony Smith ducked and ran. Not here, the story stays on Cryptome, along with the story of what happened after your account was published. Disinformation is as good as information, maybe better.
But if you want to abandon what you started, I'll understand and wait for the next opportunity to buck the fuckers.
Sample pings from Cryptome:
================================================== === VisualRoute report on 11-Oct-01 2:35:20 PM === ================================================== Real-time report for 64.124.150.130 [64.124.150.130.safeweb.com] (20% done) Analysis: IP packets are being lost past network "Abovenet Communications, Inc." at hop 11. There is insufficient cached information to determine the next network at hop 12. ----------------------------------------------------------------------------------------------------------------------------------------------------------- | Hop | %Loss | IP Address | Node Name | Location | Tzone | ms | Graph | Network | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | 1 | | 206.115.154.5 | tnt5.nyc3.da.uu.net | New York, NY, USA | -05:00 | 151 | -x | UUNET Dial-Up Networks | | 2 | | 206.115.244.1 | - | ?Fairfax, VA 22031 | | 138 | x | UUNET Dial Access Network | | 3 | | 152.63.23.178 | 229.at-2-0-0.HR1.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 154 | -x | UUNET Technologies, Inc. | | 4 | | 152.63.15.126 | 0.so-1-3-0.XL1.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 143 | x | UUNET Technologies, Inc. | | 5 | | 152.63.9.57 | 0.so-0-0-0.XR1.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 138 | x- | UUNET Technologies, Inc. | | 6 | | 152.63.18.193 | 181.at-2-0-0.XR1.NYC8.ALTER.NET | New York, NY, USA | -05:00 | 146 | x- | UUNET Technologies, Inc. | | 7 | | 152.63.23.73 | 183.ATM4-0.BR1.NYC8.ALTER.NET | New York, NY, USA | -05:00 | 136 | x | UUNET Technologies, Inc. | | 8 | | 208.184.231.245 | abovenet-uunet-OC12.lga2.above.net | New York, NY, USA | -05:00 | 145 | x- | Abovenet Communications, Inc. | | 9 | | 216.200.127.169 | core2-core3-oc48.lga2.above.net | New York, NY, USA | -05:00 | 187 | --x | Abovenet Communications, Inc. | | 10 | | 216.200.127.174 | main1colo45-core2-oc48.lga2.above.net | New York, NY, USA | -05:00 | 239 | ----x- | Abovenet Communications, Inc. | | 11 | | 208.184.48.189 | 208.184.48.189.safeweb.com | ?San Jose, CA 95113 | | 148 | -x | Abovenet Communications, Inc. | | ... | | | | | | | | | | ? | | 64.124.150.130 | 64.124.150.130.safeweb.com | ?San Jose, CA 95113 | | | | Abovenet Communications, Inc. | ----------------------------------------------------------------------------------------------------------------------------------------------------------- Roundtrip time to 208.184.48.189, average = 148ms, min = 139ms, max = 152ms -- 11-Oct-01 2:35:20 PM ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ================================================== === VisualRoute report on 11-Oct-01 3:06:54 PM === ================================================== Real-time report for 64.124.150.144 [64.124.150.144.safeweb.com] (20% done) Analysis: IP packets are being lost past network "(private use)" at hop 12. There is insufficient cached information to determine the next network at hop 13. ----------------------------------------------------------------------------------------------------------------------------------------------------------- | Hop | %Loss | IP Address | Node Name | Location | Tzone | ms | Graph | Network | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | 1 | | 206.115.154.5 | tnt5.nyc3.da.uu.net | New York, NY, USA | -05:00 | 157 | x | UUNET Dial-Up Networks | | 2 | | 206.115.244.1 | - | ?Fairfax, VA 22031 | | 141 | -x | UUNET Dial Access Network | | 3 | | 152.63.23.178 | 229.at-2-0-0.HR1.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 137 | -x | UUNET Technologies, Inc. | | 4 | | 152.63.15.126 | 0.so-1-3-0.XL1.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 134 | -x- | UUNET Technologies, Inc. | | 5 | | 152.63.9.57 | 0.so-0-0-0.XR1.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 141 | -x- | UUNET Technologies, Inc. | | 6 | | 152.63.18.193 | 181.at-2-0-0.XR1.NYC8.ALTER.NET | New York, NY, USA | -05:00 | 135 | x | UUNET Technologies, Inc. | | 7 | | 152.63.23.73 | 183.ATM4-0.BR1.NYC8.ALTER.NET | New York, NY, USA | -05:00 | 134 | x | UUNET Technologies, Inc. | | 8 | | 208.184.231.245 | abovenet-uunet-OC12.lga2.above.net | New York, NY, USA | -05:00 | 133 | x | Abovenet Communications, Inc. | | 9 | | 216.200.127.169 | core2-core3-oc48.lga2.above.net | New York, NY, USA | -05:00 | 142 | x | Abovenet Communications, Inc. | | 10 | | 216.200.127.174 | main1colo45-core2-oc48.lga2.above.net | New York, NY, USA | -05:00 | 138 | -x | Abovenet Communications, Inc. | | 11 | | 208.184.48.173 | 208.184.48.173.safeweb.com | ?San Jose, CA 95113 | | 217 | x- | Abovenet Communications, Inc. | | 12 | | 10.100.0.2 | | | | 283 | --x- | (private use) | | ... | | | | | | | | | | ? | | 64.124.150.144 | 64.124.150.144.safeweb.com | ?San Jose, CA 95113 | | | | Abovenet Communications, Inc. | ----------------------------------------------------------------------------------------------------------------------------------------------------------- Roundtrip time to 10.100.0.2, average = 283ms, min = 207ms, max = 299ms -- 11-Oct-01 3:06:54 PM ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ================================================== === VisualRoute report on 11-Oct-01 2:49:20 PM === ================================================== Report for www.riaa.org [208.225.90.120] Analysis: 'www.riaa.org' was found in 12 hops (TTL=117). It is a HTTP server (running Microsoft-IIS/4.0). ----------------------------------------------------------------------------------------------------------------------------------------------------- | Hop | %Loss | IP Address | Node Name | Location | Tzone | ms | Graph | Network | ----------------------------------------------------------------------------------------------------------------------------------------------------- | 1 | | 206.115.154.5 | tnt5.nyc3.da.uu.net | New York, NY, USA | -05:00 | 198 | -x----- | UUNET Dial-Up Networks | | 2 | | 206.115.244.1 | - | ?Fairfax, VA 22031 | | 193 | -x------ | UUNET Dial Access Network | | 3 | | 152.63.23.178 | 229.at-2-0-0.HR1.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 221 | -x----- | UUNET Technologies, Inc. | | 4 | | 152.63.15.150 | 0.so-1-3-0.XL2.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 278 | -x----- | UUNET Technologies, Inc. | | 5 | | 152.63.23.142 | 0.so-7-0-0.XR2.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 233 | -x------- | UUNET Technologies, Inc. | | 6 | | 152.63.15.182 | 0.so-4-0-0.TR2.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 212 | -x------ | UUNET Technologies, Inc. | | 7 | | 152.63.10.73 | 125.at-6-0-0.TR2.DCA8.ALTER.NET | Washington, DC, USA | -05:00 | 230 | -x------ | UUNET Technologies, Inc. | | 8 | | 152.63.35.250 | 0.so-5-0-0.XL2.DCA8.ALTER.NET | Washington, DC, USA | -05:00 | 252 | x-------- | UUNET Technologies, Inc. | | 9 | | 152.63.37.33 | POS7-0.GW3.DCA8.ALTER.NET | Washington, DC, USA | -05:00 | 207 | -x-- | UUNET Technologies, Inc. | | 10 | | 157.130.58.61 | pos0-0.gw5.tco3.alter.net | Tysons Corner, VA, USA | -05:00 | 351 | --x-- | UUNET Technologies, Inc. | | 11 | | 63.101.250.3 | - | ?Fairfax, Virginia 22031 | | 220 | x-- | UUNET Technologies, Inc. | | 12 | | 208.225.90.120 | www.riaa.org | ?Fairfax, VA 22031 | | 256 | x--- | UUNET Technologies | ----------------------------------------------------------------------------------------------------------------------------------------------------- Roundtrip time to www.riaa.org, average = 256ms, min = 141ms, max = 563ms -- 11-Oct-01 2:49:20 PM ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ================================================== === VisualRoute report on 11-Oct-01 2:51:11 PM === ================================================== Report for www.weil.com [4.17.177.29] Analysis: Connections to HTTP port 80 on host 'www.weil.com' are working, but ICMP packets are being blocked past network "GENUITY" at hop 12. It is a HTTP server (running Lotus-Domino/Release-4.6.7). Node 4.1.135.218 at hop 12 in network "GENUITY" reports "The destination network is unreachable". ----------------------------------------------------------------------------------------------------------------------------------------------------- | Hop | %Loss | IP Address | Node Name | Location | Tzone | ms | Graph | Network | ----------------------------------------------------------------------------------------------------------------------------------------------------- | 1 | | 206.115.154.5 | tnt5.nyc3.da.uu.net | New York, NY, USA | -05:00 | 156 | -x---- | UUNET Dial-Up Networks | | 2 | | 206.115.244.1 | - | ?Fairfax, VA 22031 | | 156 | -x--- | UUNET Dial Access Network | | 3 | | 152.63.23.178 | 229.at-2-0-0.HR1.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 167 | -x- | UUNET Technologies, Inc. | | 4 | | 152.63.15.126 | 0.so-1-3-0.XL1.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 169 | -x-- | UUNET Technologies, Inc. | | 5 | | 152.63.18.225 | POS6-0.BR1.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 139 | x---- | UUNET Technologies, Inc. | | 6 | | 4.0.6.141 | p7-2.nycmny1-cr10.bbnplanet.net | New York, NY, USA | -05:00 | 155 | -x- | GENUITY | | 7 | | 4.24.8.169 | p1-0.nycmny1-nbr2.bbnplanet.net | New York, NY, USA | -05:00 | 160 | -x- | GENUITY | | 8 | | 4.24.6.49 | so-4-0-0.bstnma1-nbr2.bbnplanet.net | Boston, MA, USA | -05:00 | 167 | -x- | GENUITY | | 9 | | 4.24.10.217 | so-7-0-0.bstnma1-nbr1.bbnplanet.net | Boston, MA, USA | -05:00 | 155 | -x-- | GENUITY | | 10 | | 4.0.6.245 | p4-3.cambridge1-nbr1.bbnplanet.net | Cambridge, MA, USA | -05:00 | 150 | x-- | GENUITY | | 11 | | 4.0.1.154 | p0-0-0.cambridge1-cr20.bbnplanet.net | Cambridge, MA, USA | -05:00 | 148 | x-- | ?4.0.1.0 | | 12 | 100 | 4.1.135.218 | s0.internoded.bbnplanet.net | - | | 174 | -x- | GENUITY | | ... | | | | | | | | | | ? | | 4.17.177.29 | www.weil.com | ?Cambridge, MA 02141 | | | | InterNoded Inc | ----------------------------------------------------------------------------------------------------------------------------------------------------- Roundtrip time to 4.1.135.218, average = 174ms, min = 146ms, max = 187ms -- 11-Oct-01 2:51:11 PM ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ================================================== === VisualRoute report on 11-Oct-01 2:51:46 PM === ================================================== Real-time report for www.dvdcca.org [209.247.203.216] (60% done) Analysis: Connections to HTTP port 80 on host 'www.dvdcca.org' [dsl-gte-11597-2.linkline.com] are working, but ICMP packets are being blocked past network "Level 3 Communications, Inc." at hop 10. It is a HTTP server (running Apache/1.3.12 (Unix)). --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | Hop | %Loss | IP Address | Node Name | Location | Tzone | ms | Graph | Network | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 1 | | 206.115.154.5 | tnt5.nyc3.da.uu.net | New York, NY, USA | -05:00 | 197 | --x- | UUNET Dial-Up Networks | | 2 | | 206.115.244.1 | - | ?Fairfax, VA 22031 | | 199 | --x-- | UUNET Dial Access Network | | 3 | | 152.63.23.178 | 229.at-2-0-0.HR1.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 207 | --x-- | UUNET Technologies, Inc. | | 4 | | 152.63.15.150 | 0.so-1-3-0.XL2.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 210 | --x-- | UUNET Technologies, Inc. | | 5 | | 152.63.22.229 | POS7-0.BR2.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 212 | --x-- | UUNET Technologies, Inc. | | 6 | | 209.244.160.161 | atm4-0-1.core2.NewYork1.Level3.net | New York, NY, USA | -05:00 | 171 | -x- | Level 3 Communications, Inc. | | 7 | | 64.159.17.65 | unknown.Level3.net | - | | 138 | x- | Level 3 Communications, Inc. | | 8 | | 64.159.0.218 | so-2-0-0.mp2.SanJose1.Level3.net | San Jose, CA, USA | -08:00 | 232 | x | Level 3 Communications, Inc. | | 9 | | 64.159.2.100 | gigabitethernet9-1.ipcolo2.SanJose1.Level3.net | San Jose, CA, USA | -08:00 | 231 | -x- | Level 3 Communications, Inc. | | 10 | | 209.247.153.58 | unknown.Level3.net | - | | 237 | x--- | Level 3 Communications, Inc. | | ... | | | | | | | | | | ? | | 209.247.203.216 | www.dvdcca.org | ?Louisville, CO 80027 | | | | Level 3 Communications, Inc. | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- Roundtrip time to 209.247.153.58, average = 237ms, min = 228ms, max = 328ms -- 11-Oct-01 2:51:46 PM ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ================================================== === VisualRoute report on 11-Oct-01 3:05:45 PM === ================================================== Report for www.mpaa.org [209.67.152.159] Analysis: 'www.mpaa.org' was found in 15 hops (TTL=240). It is a HTTP server (running Microsoft-IIS/5.0). ---------------------------------------------------------------------------------------------------------------------------------------------------- | Hop | %Loss | IP Address | Node Name | Location | Tzone | ms | Graph | Network | ---------------------------------------------------------------------------------------------------------------------------------------------------- | 1 | | 206.115.154.5 | tnt5.nyc3.da.uu.net | New York, NY, USA | -05:00 | 135 | x- | UUNET Dial-Up Networks | | 2 | | 206.115.244.1 | - | ?Fairfax, VA 22031 | | 145 | x--- | UUNET Dial Access Network | | 3 | | 152.63.23.178 | 229.at-2-0-0.HR1.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 142 | x-- | UUNET Technologies, Inc. | | 4 | | 152.63.15.126 | 0.so-1-3-0.XL1.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 153 | x---- | UUNET Technologies, Inc. | | 5 | | 152.63.18.225 | POS6-0.BR1.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 147 | x--- | UUNET Technologies, Inc. | | 6 | | 204.255.169.94 | - | ?Fairfax, VA 22031 | | 142 | x-- | UUNET Technologies, Inc. | | 7 | | 12.122.11.213 | tbr1-p012402.n54ny.ip.att.net | New York, NY, USA | -05:00 | 179 | -x----- | ?12.122.11.0 | | 8 | | 12.122.11.205 | tbr1-p013902.cgcil.ip.att.net | Chicago, IL, USA | -06:00 | 209 | x----- | ?12.122.11.0 | | 9 | | 12.122.11.209 | tbr2-p012702.cgcil.ip.att.net | Chicago, IL, USA | -06:00 | 209 | x----- | ?12.122.11.0 | | 10 | | 12.122.10.10 | tbr2-p012501.sl9mo.ip.att.net | St. Louis, MO, USA | -06:00 | 230 | -x--- | AT&T ITS | | 11 | | 12.122.11.221 | tbr2-p012402.la2ca.ip.att.net | Los Angeles, CA, USA | -08:00 | 244 | -x- | ?12.122.11.0 | | 12 | | 12.122.11.154 | gbr5-p40.la2ca.ip.att.net | Los Angeles, CA, USA | -08:00 | 203 | x- | ?12.122.11.0 | | 13 | | 12.123.222.1 | gar1-p361.irvca.ip.att.net | - | | 220 | -x | AT&T ITS | | 14 | | 216.148.4.18 | - | ?Santa Clara, CA 95054 | | 312 | --x---- | Exodus Communications | | 15 | | 209.67.152.159 | www.mpaa.org | ?Santa Clara, CA 95054 | | 205 | x- | Exodus Communications Inc. | ---------------------------------------------------------------------------------------------------------------------------------------------------- Roundtrip time to www.mpaa.org, average = 205ms, min = 201ms, max = 214ms -- 11-Oct-01 3:05:45 PM ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ================================================== === VisualRoute report on 11-Oct-01 3:03:29 PM === ================================================== Report for www.odci.gov [198.81.129.100] Analysis: Connections to HTTP port 80 on host 'www.odci.gov' are working, but ICMP packets are being blocked past network "UUNET Technologies, Inc." at hop 10. It is a HTTP server (running Netscape-Enterprise/4.1). ---------------------------------------------------------------------------------------------------------------------------------------------------- | Hop | %Loss | IP Address | Node Name | Location | Tzone | ms | Graph | Network | ---------------------------------------------------------------------------------------------------------------------------------------------------- | 1 | | 206.115.154.5 | tnt5.nyc3.da.uu.net | New York, NY, USA | -05:00 | 133 | x- | UUNET Dial-Up Networks | | 2 | | 206.115.244.1 | - | ?Fairfax, VA 22031 | | 131 | x--- | UUNET Dial Access Network | | 3 | | 152.63.23.178 | 229.at-2-0-0.HR1.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 138 | x---- | UUNET Technologies, Inc. | | 4 | | 152.63.15.150 | 0.so-1-3-0.XL2.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 147 | -x--- | UUNET Technologies, Inc. | | 5 | | 152.63.23.142 | 0.so-7-0-0.XR2.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 154 | -x--- | UUNET Technologies, Inc. | | 6 | | 152.63.15.182 | 0.so-4-0-0.TR2.NYC9.ALTER.NET | New York, NY, USA | -05:00 | 159 | -x---- | UUNET Technologies, Inc. | | 7 | | 152.63.9.61 | 125.at-7-1-0.TR2.DCA6.ALTER.NET | Washington, DC, USA | -05:00 | 144 | -x- | UUNET Technologies, Inc. | | 8 | | 152.63.33.221 | 186.at-5-1-0.XR2.DCA1.ALTER.NET | Washington, DC, USA | -05:00 | 166 | -x-- | UUNET Technologies, Inc. | | 9 | | 152.63.38.233 | 194.ATM7-0.GW6.RDU1.ALTER.NET | Raleigh, NC, USA | -05:00 | 164 | x- | UUNET Technologies, Inc. | | 10 | | 157.130.85.234 | u41001-gw.customer.alter.net | - | | 184 | -x-- | UUNET Technologies, Inc. | | ... | | | | | | | | | | ? | | 198.81.129.100 | www.odci.gov | ?Washington, DC 20505 | | | | Central Intelligence Agency | ---------------------------------------------------------------------------------------------------------------------------------------------------- Roundtrip time to 157.130.85.234, average = 184ms, min = 153ms, max = 233ms -- 11-Oct-01 3:03:29 PM -------------------------------------------------------------------------------------------------------------------------------------------------------------------------
From: mike
To: jya@pipeline.com
Cc: cypherpunks@EINSTEIN.ssz.com
Subject: RIAA Safeweb Ping
Date: Fri, 12 Oct 2001 08:37:32 -0400
> main1colo45-core2-oc48.lga2.above.net (216.200.127.174) (New York, NY)
This last one above (216.200.127.174) is a colocated server at above.net in NYC.
From there, using a small piece of IP redirector software that they call "Triangle Boy", Safeweb just bounces packets around their network.
> About half the pings timed out before the last hop at: > > 208.184.48.173.safeweb.com (San Jose, CA) > > A few hit a "private" address after 208.184.48.173: > > 10.100.0.2 (no location)
Likely just an internal Proxy-less netblock.... this is done often for private, non-routable IP addresses within a network. In other words, packets route ONLY in the internal network, routers are programmed to ignore any packets within such netblocks.
> before ending at: > > 64.124.150.130.safeweb.com (San Jose, CA) > > Interpretation is needed for: > > 1. How much about the Safeweb stations is true and how much cloaking.
It's all true until you hit the colocated box. Then it's all cloaking.
> 2. Why some pings timed out and others didn't.
ICMP squelching is why.... you can selectively top ICMP return packets from being sent.... often done to protect the "topography" of a network. If you can't hear the pings, you can count the servers or hops in a network path.
> 3. Phantom station 10.100.0.2
See above... not a phantom, just can't route.
> 4. Whether the San Jose hops actually go to San Jose or are spoofed.
It doesn't really matter..... even if the server is physically in San Jose, which I doubt, so what? The end user connecting to that specific server could have been anywhere -- in the Hindu Kush mountains, for instance :)
> 5. Why go to New York then hop across the continent unless the > last hops are just administrative not physical.
They are probably not administrative... they exist to basically make the lives of anyone tracking a lone packet miserable :) Basically, it's just inserted path to hide the origin of the packet.
> 6. How is cloaking done on addresses and physical locations
Email me offline.... I can answer some questions on this, but to really understand it you basically have to understand how TCP works. But this kind of "cloaking" isn't really cloaking, it's just one simple technique partnered with a network that has enough depth to make it look like you're bouncing around from one place to another.
I forget the specifics, but there's an old physics problem involving a black box and inputs and outputs. That's what you have here..... the black box isn't really so big, but because you can't see in it, you don't know EXACTLY how big, or more to the point, exactly what is in it. That's the idea behind ICMP squelching.
btw, this is really a simple defense; it is somewhat easy to overcome, although that doesn't mean that you could actually learn anything useful by overcoming it.
> Is cloaking done by a Safeweb program, say by address spoofer or by > phantom proxies, or is there a way to do this by special agreement > with Network Central (whatever that is), say, as Intel Web and other > classified systems covertly use the Web.
:) Nothing special at all..... any well-designed network implements this right off the bat, to stop the little scripties from following a trail of bread crumbs. Safeweb DOES do some (simplistic) IP spoofing and "cloaking", but what you see is NOT it....
Date: Fri, 12 Oct 2001 08:44:57 -0400 (EDT)
From: Thomas
To: jya@pipeline.com
Subject: DNS servers for safeweb.com
I don't know if you are still interested in the safeweb.com stuff but I note (see below enclosed in horizontal lines) that the DNS servers for their domain have very bad security as anyone can download their zone tables. Note the bottom of it lists 7 hosts on their domain. safeweb.com should probably complain to above.net for the bad BIND configuration. Also note that this is standard Internet stuff so my looking up the data could not possibly be considered illegal!
------------------------------------------------------------------------ Non-authoritative answer: safeweb.com nameserver = NS.ABOVE.NET safeweb.com nameserver = NS3.ABOVE.NET safeweb.com internet address = 216.104.228.139 safeweb.com preference = 20, mail exchanger = norm.pooka.safeweb.com safeweb.com preference = 10, mail exchanger = cliff.pooka.safeweb.com Authoritative answers can be found from: safeweb.com nameserver = NS.ABOVE.NET safeweb.com nameserver = NS3.ABOVE.NET NS.ABOVE.NET internet address = 207.126.96.162 NS3.ABOVE.NET internet address = 207.126.105.146 norm.pooka.safeweb.com internet address = 216.104.228.115 cliff.pooka.safeweb.com internet address = 65.107.16.34 > server ns3.above.net Default Server: ns3.above.net Address: 207.126.105.146 > ls safeweb.com [ns3.above.net] $ORIGIN safeweb.com. @ 12H IN A 216.104.228.139 dns1.pooka 12H IN A 216.104.228.142 dns2.pooka 12H IN A 64.124.150.4 norm.pooka 12H IN A 216.104.228.115 redirect.pooka 12H IN A 65.107.16.45 mail.pooka 12H IN A 65.107.16.35 cliff.pooka 12H IN A 65.107.16.34 fugu 12H IN A 65.107.16.44 --------------------------------------------------------------------