
Friday, June 30, 2006

Check if NSA warrantless surveillance is looking at your IP traffic

AT&T technician Mark Klein learned of a secret room installed in the company's San Francisco internet switching center ... what he saw and learnt prompted him to call at the Electronic Frontier Foundation unannounced in late January 2005 with documents in hand. The EFF was already preparing a class-action lawsuit against AT&T for allegedly turning over customer phone-record data to the NSA -- relying on reporting from the Los Angeles Times about AT&T giving the NSA access to a phone-record database with 1.88 trillion entries. More here at Wired.

Now a heavily redacted 40-page document by internet expert J. Scott Marcus has been supplied and is available here (PDF alert: 40 pages).

Briefly, Marcus says, based on the Klein documents, his experience, his knowledge of AT&T and his understanding of what equipment is available, that:

The AT&T documents that Klein supplied are genuine.

There could be 35 - 40 such rooms throughout the US.

The internet surveillance program covers domestic traffic, not just international traffic. Most international traffic enters the US through only 3 points: Florida, New York and San Francisco. Marcus notes that the AT&T spy rooms are "in far more locations than would be required to catch the majority of international traffic".

The system is capable of looking at content, not just addresses. The configuration described in the Klein documents -- presumably the Narus software in particular -- "exists primarily to conduct sophisticated rule-based analysis of content", Marcus concludes.

The system looks at all traffic: not just AT&T's own, but also that transiting AT&T networks.

Want to check to see if your Internet packets are being "sniffed" by AT&T?

First. A little history.

Way back when Bill Gates was designing a BASIC instruction set, his BASIC (like everybody else's, until Microsoft introduced Compiled or CBasic) was interpretive. That means it took each line of code and processed it.

Troubleshooting was non-existent and debugging tools were primitive. The result was a utility called TRON / TROFF: slow and cumbersome, but it worked. It is best explained by the Commodore Basic handbook:

The TRON statement activates trace mode. When active, as each statement is executed, the line number of that statement is printed.

The TROFF statement turns off trace mode.

Of course most people will remember TRON as the 1982 (!) Disney movie with Jeff Bridges and Bruce Boxleitner, who played the young programmer TRON. This was the very first movie to use computer-generated graphics, which today appear unbelievably primitive.

As systems grew in complexity, multi-user tasking came along and TCP/IP emerged, it became necessary to test what was happening as a packet was sent. In 1987 a guy called Van Jacobson, from a suggestion by Steve Deering, came up with a Unix utility called TRACE ROUTE or tracert. This is how Microsoft explains its function and method.

How the TRACERT Command Works (Microsoft on line help)

The TRACERT diagnostic utility determines the route taken to a destination by sending Internet Control Message Protocol (ICMP) echo packets with varying IP Time-To-Live (TTL) values to the destination. Each router along the path is required to decrement the TTL on a packet by at least 1 before forwarding it, so the TTL is effectively a hop count. When the TTL on a packet reaches 0, the router should send an ICMP Time Exceeded message back to the source computer.

TRACERT determines the route by sending the first echo packet with a TTL of 1 and incrementing the TTL by 1 on each subsequent transmission until the target responds or the maximum TTL is reached. The route is determined by examining the ICMP Time Exceeded messages sent back by intermediate routers. Note that some routers silently drop packets with expired TTLs and are invisible to TRACERT.

TRACERT prints out an ordered list of the routers in the path that returned the ICMP Time Exceeded message. If the -d switch is used (telling TRACERT not to perform a DNS lookup on each IP address), the IP address of the near-side interface of the routers is reported.

In a sense it works in a step-wise mode, just the way TRON/TROFF did decades ago.
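The TTL mechanism quoted above, as a small offline simulation (an added example, not code from the original post or from Microsoft). All node names are constructed; the `decrements_ttl=False` node goes one step beyond the quoted text and stands for any device that forwards packets without acting as an IP router.

```python
from dataclasses import dataclass

@dataclass
class Node:
    name: str                         # constructed label, not a real device
    decrements_ttl: bool = True       # False: layer-2 or passive device, not an IP hop
    sends_time_exceeded: bool = True  # False: router drops expired probes silently

def send_probe(path, ttl):
    """Carry one probe with the given TTL along path; return (reply, name) or None."""
    *transit, destination = path
    for node in transit:
        if not node.decrements_ttl:
            continue                  # forwards the packet untouched
        ttl -= 1                      # each router decrements TTL before forwarding
        if ttl == 0:
            if node.sends_time_exceeded:
                return ("time-exceeded", node.name)
            return None               # expired probe is dropped with no reply
    return ("echo-reply", destination.name)

def traceroute(path, max_ttl=30):
    """Raise the TTL by 1 per probe until the target answers or max_ttl is reached."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = send_probe(path, ttl)
        hops.append((ttl, reply[1] if reply else "*"))
        if reply and reply[0] == "echo-reply":
            break
    return hops

# Constructed path for illustration only.
SAMPLE_PATH = [
    Node("home-gateway"),
    Node("isp-edge"),
    Node("inline-tap", decrements_ttl=False),
    Node("silent-core", sends_time_exceeded=False),
    Node("backbone-1"),
    Node("destination"),
]

if __name__ == "__main__":
    for ttl, name in traceroute(SAMPLE_PATH):
        print(f"{ttl:2d}  {name}")
```

The silent router shows up only as `*`, and the non-IP device does not occupy a hop at all, so the printed list is a lower bound on what the packet actually passed through.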

Now you are ready to test if your packets are finding their way through AT&T. There's the easy way:

Go to www.dnsstuff.com, where you will find a range of tests you can perform quickly and easily. On the right of the second row you will find a red box labeled Traceroute. Enter, say, the text nsa.gov, or even their IP address, 12.110.110.204, and press the button.

A list will be returned showing the times and route of the packet. You will see in the column labelled HOSTNAME that the signal travels through a switch labelled like this:

tbr1-p013901.wswdc.ip.att.net. or maybe
ar2-a3120s6.wswdc.ip.att.net.

or even

unknown.att.net

Now the att identifies the switch as AT&T. You can identify the town (the system uses geolocation, which is not very precise) by using the box in the centre of the fourth row, "Find the city", and entering the IP address from the IP column immediately left of the HOSTNAME column:

tbr2012701.phmaz.ip.att.net [12.123.206.30]
City: Morristown, New Jersey

tbr2-cl1592.dlstx.ip.att.net [12.122.10.81]
City: Morristown, New Jersey

tbr1-cl6.sl9mo.ip.att.net [12.122.10.89]
City: Fargo, North Dakota

tbr1-cl4.wswdc.ip.att.net [12.122.10.29]
City: Fargo, North Dakota

ar2-a3120s6.wswdc.ip.att.net [12.123.8.65]
City: Adrian, Michigan

Interestingly, if you do a "Whois" query using the IP address you will find all these IP addresses were registered on the 26th November 2003 at AT&T Worldnet Services, 200 South Laurel Ave., Middletown NJ, Zip 07748. There are also other curious similarities for you to ponder.

You can try the hard way and get the same results by calling up the MSDOS prompt and entering at the C:\Windows\ prompt:

tracert nsa.gov

This will return the same list as the DNS utility but without the helpful notes etc.

Now try this out with IP addresses other than nsa.gov. As Marcus calculates that 10% of all calls are passing through these rooms, don't expect every IP address to be picked up every time.

It would be neat if someone could co-ordinate a list of all the locations, which would give a precise number and location of the rooms. The list above is a start.

7 comments:

Anonymous said...

DNS: tbr2-cl11.cgcil.ip.att.net
IP Address: 12.122.10.61
City: Fargo, North Dakota

DNS: tbr1-cl22.cgcil.ip.att.net
IP Address: 12.122.9.133
City: Morristown, New Jersey

DNS: tbr1-cl14.n54ny.ip.att.net
IP Address: 12.122.10.1
City: Fargo, North Dakota

DNS: gbr5-p30.n54ny.ip.att.net
IP Address: 12.122.11.10
City: Morristown, New Jersey

DNS: tbr2033201.sffca.ip.att.net
IP Address: 12.123.12.126
City: Palo Alto, California

DNS: 12.119.199.21
IP Address: 12.119.199.21
City: Morristown, New Jersey

DNS: 12.127.6.46
IP Address: 12.127.6.46
City: Bellevue, Washington

DNS: 12.127.6.61
IP Address: 12.127.6.61
City: Bellevue, Washington

DNS: 12.118.177.49
IP Address: 12.118.177.49
City: Morristown, New Jersey

DNS: gr1-p350.st6wa.ip.att.net
IP Address: 12.123.44.126
City: Seattle, Washington

DNS: tbr1-p012601.st6wa.ip.att.net
IP Address: 12.122.12.161
City: Morristown, New Jersey

DNS: 12.127.6.57
IP Address: 12.127.6.57
City: Bellevue, Washington


The main domain listings of IP ranges are registered to the following addresses:

NetRange: 12.0.0.0 - 12.255.255.255
OrgName: AT&T WorldNet Services
OrgID: ATTW
Address: 200 S. Laurel AVE.
City: MIDDLETOWN
StateProv: NJ
PostalCode: 07748

NetRange: 12.127.0.0 - 12.127.255.255
CustName: AT&T Worldnet Services
Address: 412 Mount Kemble Ave.
Address: P.O. Box 1995
City: Morristown
StateProv: NJ
PostalCode: 07962

NetRange: 12.112.0.0 - 12.119.255.255
CustName: AT&T Worldnet Services
Address: 412 Mount Kemble Ave.
Address: P.O. Box 1995
City: Morristown
StateProv: NJ
PostalCode: 07962

NetRange: 12.122.0.0 - 12.123.255.255
CustName: AT&T Worldnet Services
Address: 200 South Laurel Ave.
City: Middletown
StateProv: NJ
PostalCode: 07748



Please keep in mind that although every tracert completed from my location did incur an AT&T IP address, you must also understand the history of my ISP, Comcast.

In 2001 Comcast made a move to buy internet provider AT&T Broadband.

Although some may believe this to be why they are seeing the AT&T IP ranges from at least the Comcast internet provision, please also keep in mind that these ranges were established in 2003, two full years after the acquisition by Comcast and the movement by AT&T to rebuild its Broadband network.

AT&T has also recently merged with SBC and the chart can be seen by going to the following URL: http://upload.wikimedia.org/wikipedia/en/e/ed/Newatt.gif

Anonymous said...

From my brief research, additional cities and addresses of spy rooms include the following (please corroborate):

Durham, NC
Washington, DC
San Mateo, CA
New York, NY
Coudersport, PA
Pembroke, Massachusetts
Vineyard Haven, Massachusetts

More details here:

OrgName: HopOne Internet Corporation
OrgID: HOPO
Address: 1010 Wisconsin Avenue N.W.
City: Washington
StateProv: DC
PostalCode: 20007-3603
Country: US

CustName: Adelphia
Address: 1 North Main Street
City: Coudersport
StateProv: PA
PostalCode: 16915
Country: US
RegDate: 2002-10-28
Updated: 2002-10-28
NetRange: 66.109.0.0 - 66.109.15.255
CIDR: 66.109.0.0/20
NetName: ADEL-NATION
NetHandle: NET-66-109-0-0-2
Parent: NET-66-109-0-0-1
NetType: Reassigned
Comment:
RegDate: 2002-10-28
Updated: 2002-10-28

Hope this helps.

Anon

Anonymous said...

Hope this begins to help all 35-40+ spy rooms around the US. Blessings in Christ Jesus, the conqueror of all tyrants!

Anonymous said...

I meant to say,

Hope this begins to help to identify/locate/expose all 35-40+ spy rooms around the US. Blessings in Christ Jesus, the conqueror of all tyrants!

Anonymous said...

love all that history of tron/troff.. used to sell radio shack's model 1 computers... keep up the good info .. everyone needs to be aware

live free / die free

Anonymous said...

My Traceroute listings included the following:

IP: 12.118.132.33
Hostname: unknown.att.net
City: Morristown, New Jersey

IP: 12.123.8.42
Hostname: tbr1-p013901.wswdc.ip.att.net
City: Adrian, Michigan

IP: 12.123.8.65
Hostname: ar2-a3120s6.wswdc.ip.att.net
City: Adrian, Michigan

IP: 12.127.209.214
Hostname: unknown.att.net
City: Marengo, Ohio

IP: 12.110.110.131
Hostname: unknown.att.net
City: Columbia, Maryland

IP: 12.110.110.141
Hostname: unknown.att.net
City: Columbia, Maryland

IP: 12.110.110.204
Hostname: unknown.att.net
City: Columbia, Maryland

Anonymous said...

let's backtrack here... what do we know?
We were told by a former agent that if you have sffca.ip.att.net there's something fishy going on, right? we have to assume this person is trustworthy. but is there actually any concrete proof of this domain watching people? (not att watching people, the domain.) no, there is no concrete proof that this domain is monitoring people.

"and so what about *.ip.att.net. shouldn't we be suspicious about that too?"

not really, if you know anything about the domain namespace. We know that '.' is the root domain. we also see that net is the top-level domain and att is the second-level domain, and ip the third. this is how att structures their domains. *.*.ip.att.net are just systems, most likely routers, part of the ip.att.net domain that is in control of routing your information through the internet.

"isn't it weird that they are all going through ip.att.net?"

no. analyze your traceroutes, you'll see most hops have the same domain structure.
what about ip.att.net? well, first of all i think we have all heard of att's global ip network, right? let's visit
http://ipnetwork.bgtmo.ip.att.net/pws/index.html
see the domain structure of the url? hostname.third-level domain.ip.att.net. ip.att.net is the domain of att's global ip network. and if you have seen the commercials, it's well....GLOBAL.

visit here:
http://ipnetwork.bgtmo.ip.att.net/pws/current_network_performance.shtml

here you will see the major back-bone nodes of att global ip network (ip.att.net domain). i haven't confirmed this due to lack of time, but these back-bone nodes are most likely the names in the third-level domain.
so, let's see what their domain namespace is structured like so far:

router.back-bone node.domain of the ip network.att.net.

tbr1-cl2. sffca . ip .att.net

"but att IS monitoring traffic!"

this may be the case. but att is HUGE and controls an enormous amount of internet traffic.
just because you have *.*.ip.att.net in your traceroute does not mean they are watching you. not even close. what that does mean is that your traffic is passing through a router which is a part of att's global ip network.

"ok fine, but what about everybody's traffic passing through the same wswdc.ip.att.net network?"

if you clicked the link to see a map of att's back-bone nodes you will see that .... there's only 17. how many internet users are there? don't try to answer. the point is, many many people will see their traffic passing through one of these back-bone nodes.

"ip tracerouted nsa.gov and i didn't get any ip.att.net but when i tracerouted aljazeera.net i got sffca.ip.att.net. I'M BEING WATCHED!"

slow down. you may not have passed through att's network going to nsa.gov because .... it's in the united states. a site out of the country will most likely pass through a common node that takes traffic out of the USA, while traffic in the US will not have to pass through this node.

" I did traceroute a site in japan and a site in the uk and none passed through the same back-bone node of sffca."

regardless, knowing this you can't come to any conclusion that you are being watched.
we are just passing through the sffca back-bone node, remember there's only 17 of these back-bone nodes in the united states. these control a ton of internet traffic. and because your traffic is traveling outside the US, it requires your packets to take a different path, plain and simple, and in taking a different path (way different path) you'll pass through a different node.
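An added example, not part of the original post or its comments: a parser for Windows tracert output that marks hops inside the 12.0.0.0 - 12.255.255.255 range quoted in the whois record above and splits `*.ip.att.net` hostnames using the router.node.ip.att.net structure described in the last comment. The trace itself is constructed from hostnames and addresses that appear on this page; the timings and the private addresses are made up.

```python
import ipaddress
import re

# NetRange 12.0.0.0 - 12.255.255.255, as quoted in the whois record on this page.
ATT_NET = ipaddress.ip_network("12.0.0.0/8")
# One tracert hop line: hop number, three RTT columns, then the responder.
HOP_RE = re.compile(
    r"^\s*(\d+)\s+(?:(?:<?\d+ ms|\*)\s+){3}"
    r"(?:(\S+) \[([\d.]+)\]|([\d.]+)|Request timed out\.)\s*$"
)

# Constructed sample output (hop order and timings are illustrative).
SAMPLE = """\
Tracing route to nsa.gov [12.110.110.204]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     9 ms     8 ms    10 ms  10.20.30.1
  3     *        *        *     Request timed out.
  4    21 ms    20 ms    22 ms  tbr1-cl4.wswdc.ip.att.net [12.122.10.29]
  5    23 ms    22 ms    23 ms  ar2-a3120s6.wswdc.ip.att.net [12.123.8.65]
  6    24 ms    23 ms    24 ms  unknown.att.net [12.110.110.204]

Trace complete.
"""

def parse_tracert(text):
    """Return one dict per hop line; header and footer lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, host, ip_named, ip_bare = m.groups()
        ip = ip_named or ip_bare      # None when the hop timed out
        entry = {"hop": int(hop), "host": host, "ip": ip, "att": False, "node": None}
        if ip:
            entry["att"] = ipaddress.ip_address(ip) in ATT_NET
        labels = host.split(".") if host else []
        if len(labels) == 5 and labels[2:] == ["ip", "att", "net"]:
            entry["node"] = labels[1]  # e.g. "wswdc" in tbr1-cl4.wswdc.ip.att.net
        hops.append(entry)
    return hops

def att_nodes(hops):
    """Backbone node labels seen in the trace, in path order without repeats."""
    return list(dict.fromkeys(h["node"] for h in hops if h["node"]))

if __name__ == "__main__":
    for h in parse_tracert(SAMPLE):
        print(h)
```

The `att` flag records only that a hop's address falls in AT&T-registered space, and the `node` label is taken from the hostname rather than from whois-based geolocation.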

(C) Very Seriously Disorganised Criminals 2002/3/4/5/6/7/8/9 - copy anything you wish