Original Message from Sat, 13 Oct 2001 05:32:03 -0700:> Thanks to SC:
[SC's IP address replaced by xxx.xxx.xxx.xxx]
-----
I've tuned in late to the riaa/safeweb thing, but I'm chiming in with my bit.
Tracing from safeweb is an interesting exercise; the geography is very typical of the internet backbone and the router hops packets take.
I wrote a script to mail all possible headers from a connecting browser to myself. I installed it on my server
and then connected from Safeweb.
This anonymizer uses a caching proxy server, listening for connections on several IPs; it preserves client headers while obviously changing the IP of the originating connection; it
For anyone interested, Squid is basically just an HTTP/FTP cache.... similar to what AOL uses, for instance, and many satellite-based Net ISPs (Starband, DirecPC) use to maximize bandwidth utlization. Black Helicopter alert: Squid is based on an ARPA-funded project called "Harvest".... a project that investigated "harversting" of data across large, presumably public, networks, for archiving and "study" :) Squid itself is opensource.... if you're interested, check out http://www.squid-cache.org This is totally off-topic, but consider this: the way that a Proxy cache works (not just Squid, any cache) is that it stores all of the requested objects (web pages and files, in this case) on a series of local servers. Then, when a user requests them, it serves them off of ITS pages -- that way, it doesn't have to fetch them from the "public" Internet. Now, what do you have? Yep... a complete archive on SafeWeb's local servers of all pages requested by their users. Not being a conspiracy nut, I won't connect the last dot.... but you see the value of this to someone like the CIA -- besides an opportunity to create a voyeur-google, you can also control selected pages' contents (be replacing them with your own contents and disabling HTTP refresh of the page through the cache). To get back to the RIAA point, though: What you're looking at are HTTP headers (what you'd see if you Telnet'ed to port 80 on Safeweb's web servers). Again, this won't get you any closer to identifying the path that someone took to get to Safeweb, and therefore, you cannot identify a target via this type of information. (The more interesting point would be: can Safeweb do so? The answer is "you bet." The only thing they would have to do is classic log/connection-time synchronization analysis, and that would tell them the connection details of the user in question. But this can only be done by Safeweb or someone with access to Safeweb logs.) Mike preserves
many of the originating headers; it adds some new headers.
Here's the output:
GATEWAY_INTERFACE..........CGI/1.1
REMOTE_ADDR..........64.124.150.136
DATE_LOCAL..........Saturday, 13-Oct-2001 01:22:45 EDT
REQUEST_METHOD..........GET
QUERY_STRING..........
DOCUMENT_URI........../index.html
HTTP_ACCEPT..........image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms- excel, application/msword, */*
REMOTE_PORT..........2513
SERVER_ADDR..........142.204.119.75
HTTP_ACCEPT_LANGUAGE..........en-us
HTTP_CACHE_CONTROL..........max-age=259200
REDIRECT_STATUS..........200
HTTP_ACCEPT_ENCODING..........gzip
SERVER_NAME..........xxx.xxx.xxx.xxx
HTTP_X_FORWARDED_FOR..........127.0.0.1
SERVER_PORT..........8140
DOCUMENT_NAME..........index.html
HTTP_IF_MODIFIED_SINCE..........Sat, 13 Oct 2001 05:15:44 GMT; length=853
REDIRECT_URL........../
DATE_GMT..........Saturday, 13-Oct-2001 05:22:45 GMT
SERVER_PROTOCOL..........INCLUDED
HTTP_REFERER..........http://xxx.xxx.xxx.xxx
HTTP_USER_AGENT..........Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP_CONNECTION..........keep-alive
REQUEST_URI........../
HTTP_HOST..........xxx.xxx.xxx.xxx:8140
HTTP_VIA..........1.0 anongo.com:3128 (Squid/2.3.STABLE3)
The last one in the list is the flavour of proxy they use:
Squid/2.3.stable3
And the DNS name of the source box for the HTTP request is anongo.com, which I don't believe showed up in your trace logs.
Basically a caching proxy server's header set.
The authoritative name servers for anongo.com are
ns3.above.net
www.anongo.com redirects to Safeweb. The boxes are standard unix/apache with ssl. They have written scripts to replace the originating address header and keep track of the connection, receive requested files to their cache, and then serve from that cache to your browser.
The machines would absolutely be configured to do sophisticated logging; there is no free lunch on the net. While they appear to do a nice job, their server logs would be a goldmine. Everyone who uses a commercial web browser agrees to have their information gathered the first time they use that browser - do you want to continue? When you say yes, you mean it!
-----
_______________________________________________________________________________ WANT YOUR OWN FREE AND SECURE WEB EMAIL ADDRESS? Visit http://www.fastcircle.com
On Sat, Oct 13, 2001 at 09:14:13AM -0400, mikecabot@fastcircle.com wrote:
To get back to the RIAA point, though:
What you're looking at are HTTP headers (what you'd see if you Telnet'ed to port 80 on Safeweb's web servers). Again, this won't get you any closer to identifying the path that someone took to get to Safeweb, and therefore, you cannot identify a target via this type of information.
(The more interesting point would be: can Safeweb do so? The answer is "you bet." The only thing they would have to do is classic log/connection-time synchronization analysis, and that would tell them the connection details of the user in question. But this can only be done by Safeweb or someone with access to Safeweb logs.)
A carnivore box at Safewb would work also for tying browsing habits to users. Think Safeweb with their CIA ties would balk at installing one? Do they already have one installed? Adam
It is certainly a strong possibility that the DoD domain listing for Anongo.com is a CIA cover. 215.104.228.144 | anongo.com | ?Vienna, VA 22183 | DoD Network Information Center | Adam Back wrote:
A carnivore box at Safewb would work also for tying browsing habits to users. Think Safeweb with their CIA ties would balk at installing one? Do they already have one installed?
This is totally off-topic, but consider this: the way that a Proxy cache works (not just Squid, any cache) is that it stores all of the requested objects (web pages and files, in this case) on a series of local servers. Then, when a user requests them, it serves them off of
It boggles one's mind - the idea that data will _not_ be collected just because someone says so. Using any concentration point to "anonymize" http access is like frequenting the facility marked "SAFE PLACE FOR DRUG DEALING" in huge red letters to cater for one's need for untaxed molecules. At best it can shield from naive end users - unless they get pissed like JYA. The only way to anonymize is, of course, visiting the cameraless internet cafe in the neighbouring city or 802.11-ing into some idiot's AP with the default settings. ===== end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: Make a great connection at Yahoo! Personals. http://personals.yahoo.com
participants (4)
-
Adam Back -
John Young -
mikecabot@fastcircle.com -
Morlock Elloi