-----BEGIN PGP SIGNED MESSAGE----- This message describes a computer on the Internet, one corvette.bxa.doc.gov (192.239.70.124) (hereafter corvette). This computer is owned by the Bureau of Export Administration (hereafter BXA), which itself is a branch of the Dept. of Commerce. Here I am exploring the idea that corvette runs a bot that scans the internet for materials regarding crypto export violation, and I will raise a few questions in regards to this. - From the BXA web page (www.bxa.doc.gov): The Bureau of Export Administration enhances the nation's security and its economic prosperity by controlling exports for national security, foreign policy, and short supply reasons. We administer the Export Administration Act by developing export control policies, issuing export licenses, and prosecuting violators. Additionally, BXA enforces the EAA's antiboycott provisions. A traceroute (timings excluded) from my computer system (a SLIP/PPP dialup to MhvNet, located in Poughkeepsie NY) to corvette yields: 1 annex1 (199.0.0.10) 2 router.mhv.net (199.0.0.1) 3 sl-gw8-pen-3-4-T1.sprintlink.net (144.228.160.41) 4 sl-bb1-pen-9-0-0.sprintlink.net (144.228.60.11) 5 144.228.180.10 (144.228.180.10) 6 nyc4-br2.bbnplanet.net (4.0.2.178) 7 nyc4-nbr2.bbnplanet.net (4.0.5.29) 8 vienna1-nbr2.bbnplanet.net (4.0.3.129) 9 vienna1-nbr3.bbnplanet.net (4.0.5.46) 10 washdc1-br1.bbnplanet.net (4.0.1.89) 11 washdc1-cr1.bbnplanet.net (4.0.1.174) 12 docosesa.bbnplanet.net (192.221.253.3) 13 corvette.bxa.doc.gov (192.239.70.124) It is especially useful to notice hops 10 and 11. The names of these two hosts seem to indicate that the hops have tended towards Washington DC. BBNPlanet is located in Washington, so it is probable that corvette is too (though this is not necessarily true). On April 22nd 1998, an anonymous connection was made from corvette to my personal computer, ismene. This connection is only possible through my main web page which is located on spice.mhv.net, which then links to my computer. This mechanism is needed because ismene gets a dynamic IP. Spice's logs show: corvette.bxa.doc.gov - - [22/Apr/1998:14:05:49 -0400] "GET /~mgraffam HTTP/1.0" 302 - corvette.bxa.doc.gov - - [22/Apr/1998:14:05:50 -0400] "GET /~mgraffam/ HTTP/1.0" 200 2019 corvette.bxa.doc.gov - - [22/Apr/1998:14:06:16 -0400] "GET /~mgraffam/misc/access.html HTTP/1.0" 200 629 The connector from corvette directly targeted my homepage, and then immediately went to the page that accesses ismene. The connector bypassed a page about crypto titled "Cryptotechnic Enlightenment". It is, perhaps, this odd combination of words that escaped a bot's notice, but would have surely been noticed by human. Instead the alleged bot picked up on "access.html" and left links to my RSA and PGP public keys untouched. If corvette is running a bot, it seems probable that they would ignore PGP keys because they surely generate a large amount of noise when exploring things of a cryptographic nature. This may account for the behavior. The access.html on spice has links to my computer. HTTP, FTP and telnet links are established, and direct links are made to copies of my public keys. The first three links to my keys via FTP are bypassed, and a connection is made via HTTP to my computer (ismene). The portions from ismene's httpd log follow: corvette.bxa.doc.gov - - [22/Apr/1998:13:58:51 -0400] "GET / HTTP/1.0" 200 1858 corvette.bxa.doc.gov - - [22/Apr/1998:13:59:48 -0400] "GET /crypto_index.zip HTTP/1.0" 200 19570 Corvette picks up the crypto_index.zip file, and leaves links titled "Index of unfinished works" and "Misc. projects". That corvette picked up the crypto_index.zip file establishes that it is looking for crypto related material. Why did it pass up the "Cryptotechnic Enlightenment" page then? I submit that it is because the word "cryptotechnic" did not trip the bot's sensor but the word "crypto" in the link title to crypto_index.zip did. I also believe that a human would have followed the "unfinished works" or "misc projects" links after getting a crypto index file. A human would be intelligent enough to intuit the connection; a spider is not. At this point, I imagine the bot reaching the end of ismene's main page, having picked up the file it thought was useful and returning back to the access.html file on spice and traversing to the next link. In this case, it is an ftp connection to my machine. A portion of my logs: Apr 22 14:00:13 localhost opieftpd[1509]: connect from firewall-user@192.239.70.124 Apr 22 14:00:14 localhost ftpd[1509]: connection from corvette.bxa.doc.gov at We d Apr 22 14:00:14 1998 Apr 22 14:00:15 localhost ftpd[1509]: Anonymous FTP connection made from host corvette.bxa.doc.gov. Apr 22 14:00:16 localhost ftpd[1509]: ANONYMOUS FTP login from corvette.bxa.doc.gov with ID mozilla@ After logging in corvette issues the following commands: Apr 22 14:00:22 localhost ftpd[1509]: <--- 200 Type set to I. Apr 22 14:00:23 localhost ftpd[1509]: command: SIZE /^M Apr 22 14:00:23 localhost ftpd[1509]: <--- 550 /: not a plain file. Apr 22 14:00:25 localhost ftpd[1509]: command: CWD /^M Apr 22 14:00:25 localhost ftpd[1509]: <--- 250 CWD command successful. Apr 22 14:00:28 localhost ftpd[1509]: command: LIST^M Apr 22 14:00:29 localhost ftpd[1509]: <--- 150 Opening BINARY mode data connection for /bin/ls. Apr 22 14:00:29 localhost ftpd[1509]: <--- 226 Transfer complete. Apr 22 14:00:35 localhost ftpd[1509]: command: PORT 192,239,70,124,7,228^M Apr 22 14:00:35 localhost ftpd[1509]: <--- 200 PORT command successful. Apr 22 14:00:36 localhost ftpd[1509]: command: SIZE /pub/^M Apr 22 14:00:36 localhost ftpd[1509]: <--- 550 /pub/: not a plain file. Apr 22 14:00:39 localhost ftpd[1509]: command: CWD /pub/^M Apr 22 14:00:39 localhost ftpd[1509]: <--- 250 CWD command successful. Apr 22 14:00:40 localhost ftpd[1509]: command: LIST^M Apr 22 14:00:40 localhost ftpd[1509]: <--- 150 Opening BINARY mode data connection for /bin/ls. Apr 22 14:00:40 localhost ftpd[1509]: <--- 226 Transfer complete. Apr 22 14:00:47 localhost ftpd[1509]: command: PORT 192,239,70,124,7,235^M Apr 22 14:00:47 localhost ftpd[1509]: <--- 200 PORT command successful. Apr 22 14:00:48 localhost ftpd[1509]: command: SIZE /pub/skey/^M Apr 22 14:00:48 localhost ftpd[1509]: <--- 550 /pub/skey/: not a plain file. Apr 22 14:00:50 localhost ftpd[1509]: command: CWD /pub/skey/^M Apr 22 14:00:50 localhost ftpd[1509]: <--- 250 CWD command successful. Apr 22 14:00:51 localhost ftpd[1509]: command: LIST^M Apr 22 14:00:51 localhost ftpd[1509]: <--- 150 Opening BINARY mode data connection for /bin/ls. Apr 22 14:00:51 localhost ftpd[1509]: <--- 226 Transfer complete. Apr 22 14:01:08 localhost ftpd[1509]: command: PORT 192,239,70,124,8,1^M Apr 22 14:01:08 localhost ftpd[1509]: <--- 200 PORT command successful. Apr 22 14:01:08 localhost ftpd[1509]: command: SIZE /pub/skey/README^M Apr 22 14:01:08 localhost ftpd[1509]: <--- 213 1149 Apr 22 14:01:09 localhost ftpd[1509]: command: RETR /pub/skey/README^M This series of commands ignores a directory called "keys" at root level, which is consistent with ignoring PGP keys above, and cd's to pub/skey. It then retrieves the README file (which is just a copy of NRL's readme) and leaves. The connection style itself (of SIZE'ing directory names) is odd, but this can be recreated with older versions of Netscape Navigator. I will assume that these connections are really from Netscape, and _not_ from a bot disguising itself as NS Navigator. Greg Broiles (gbroiles@netbox.com) forwarded portions of his logs on parrhesia to me: corvette.bxa.doc.gov - - [20/Mar/1998:10:18:07 -0800] "GET /wassenaar/ HTTP/1.0" 200 2253 "http://search.excite.com/search.gw?collection=web&display=html2,lb&search=w assenaar+countries" "Mozilla/2.0 (compatible; MSIE 3.02; Windows 3.1)" corvette.bxa.doc.gov - - [20/Mar/1998:10:18:46 -0800] "GET /wassenaar/ HTTP/1.0" 200 2253 "-" "Mozilla/2.0 (compatible; MSIE 3.02; Windows 3.1)" These shows connections from MSIE, can anyone confirm that MSIE makes FTP requests in the same manner as NS? Here I raise two questions that I would like to discuss, in private email if needed because it is off-topic. First, could Navigator be made to crawl the web? Could it be programmed via OLE, or Java? If it could, then it could easily be used as the protocol frontend to a spider that could easily crawl http, ftp, gopher, and news references looking for crypto export violations. If programming Navigator would entail pushing keystrokes into the keyboard buffer and simulating mouse events, I do not believe it would be used as tying up a machine's console in this manner would be vastly inefficient and it would be better justified to pay a programmer to develop the software to do it without NS. Now I would like to focus on a different aspect of my logs: the identification of a firewall-users@192.239.70.124. It seems as if corvette is a proxy server for other machines. A port probe of corvette yields the following services: corvette.bxa.doc.gov ftp 21/tcp corvette.bxa.doc.gov smtp 25/tcp mail corvette.bxa.doc.gov whois 43/tcp nicname corvette.bxa.doc.gov gopher 70/tcp corvette.bxa.doc.gov finger 79/tcp corvette.bxa.doc.gov www 80/tcp http ismene:~$ finger @corvette.bxa.doc.gov [corvette.bxa.doc.gov] Finger from your system is not permitted through the firewall. ismene:~$ ftp corvette.bxa.doc.gov Connected to corvette.bxa.doc.gov. 220-Proxy first requires authentication 220 corvette.bxa.doc.gov FTP proxy (Version 3.2) ready. - From these two connections, we can see that corvette is indeed a firewalling proxy. Because of this, we cannot be sure if all connections out of corvette belong to the possible spider. An altavista search for corvette.bxa.doc.gov turns up the web statistics logs of several servers, including military and foreign servers. Such a bot may crawl foreign servers looking for links or files from the U.S., and it may crawl military sites to see to it that regulated materials are not being exported (like the pgp fiasco). On the other hand, this is mere speculation, it is equally likely that humans at BXA are putzing around the net, looking at different sites. This latter fact can be established (or we must admit to an incredibly wide reaching bot that is not limited to crypto) because spice.mhv.net has logged connections from corvette to www.mhv.net/~donn/diet.html which is the main page for a health/fitness related hierarchy. It is apparently a popular site for that material and is linked to frequently by other sites. It is possible that a bot crawled around this way, but unlikely since from the evidence on my machine the bot (if it is one) is fairly discriminating about the links it follows. Humans use the corvette proxy. It is hard to tell which links drew corvette's attention from those sites that were hit up. Here is an attempt at a classification of sites that get connections from corvette: * Physics: nsi.net.kiae.su, a nuclear safety institute, keeps a log specifically of U.S. government computers that have connected to them. Corvette made 65 requests to nsi.net.kiae.su. University of Crete Physics Dept. (www.edu.physics.uch.gr) 21 times. * Other Science and Technology: The Bioscan project at genome.cs.unc.edu was hit twice. The BCD (Biological Computing Division) of the Weizmann Institute in Israel was hit 9 times. CSIRO Minerals, www.csiro.au, was hit 1. The Texas Agricultural Extension Service was hit twice. * Political: www.tbs-sct.gc.ca the Canadian Treasury Board was hit once. * Military: The U.S. Army's Signal Corps was hit 13 times. Several universities were hit as well, presumably because of a student pages. Other miscellaneous sites that were hit include a martial arts page, a personal interests page and a porn page. The urls for the pages in question are included below. If this sample of sites is representative of the connections made by corvette, then physics sites make up the bulk of those connections. No verifiable connections were made to crypto related sites other than my own. I do not know why the connections were made to the universities, I figure that it is because of student interests. Given the nature of BXA's mission, and the sort of material that I make available on my homepage on spice I still find it strange that the "Cryptotechnic Enlightenment" page was passed by. This is underscored by the fact that the "Misc." and "Unfinished" links were passed up, even when corvette is obviously looking for crypto stuff (by getting crypto_index.zip). However, there is a general lack of relevent connections made to crypto related sites by corvette on the internet as a whole. If corvette is proxying a bot, I think that the bot may be targeted at individuals and is not a wide-spread intelligence gathering device. I would be interested in hearing if corvette has made connections to crypto oriented sites. If those that run sites with crypto material could post any connections they have had from corvette, I would appreciate it. Michael Graffam (mgraffam@mhv.net) - ----------------------------------------------------------------------- URLS relating to corvette.bxa.doc.gov turned up by Altavista: http://chip.mcl.ucsb.edu/lopaka/usage/weeks/hosts/www.mcl.ucsb.edu.13.total-... http://www.tbs-sct.gc.ca/tbsstats/tbstats/N1997-06.TXT http://nsi.net.kiae.su/w3perl/Pays/US-Government.html http://www.tbs-sct.gc.ca/tbsstats/tbstats/N1997-03.TXT http://genome.cs.unc.edu/wusage/week59.html http://dapsas.weizmann.ac.il/reports/31Oct1997.hosts.html http://www.minerals.csiro.au/wusage/new/log.ext/log1997/sites0896.html http://www.gordon.army.mil/usage/H1997-01.TXT http://www.amherst.edu/~erreich/visitors.html http://www.ufl.edu/9607-14.html http://data.gc.peachnet.edu/APPS/WWW/USAGE/1996/H1996-07.TXT http://data.gc.peachnet.edu/APPS/WWW/USAGE/1996/H1996-09.TXT http://www.edu.physics.uch.gr/usage/week89.html http://www.edu.physics.uch.gr/usage/week56.html http://www.gordon.army.mil/usage/H1996-09.TXT (2) http://leviathan.tamu.edu:70/0/gnlog/1996/9612/9612.hosts http://lfowler.afternet.com/logfiles/sites0298.html http://www.chelt.ac.uk/usage/ws970622.htm http://www.splosh.co.uk/usage/weeks/hosts/splosh.9.total-hosts.html http://www.ufl.edu/9803-08.html http://www.italcultusa.org/home/_private/mailing.txt http://lfowler.afternet.com/logfiles/sites0198.html Michael J. Graffam (mgraffam@mhv.net) http://www.mhv.net/~mgraffam -- Philosophy, Religion, Computers, Crypto, etc I think that we should be men first, and subjects afterward. It is not desirable to cultivate a respect for the law, so much as for the right. Henry David Thoreau "Civil Disobedience" -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBNVS3VQKEiLNUxnAfAQFz2QP+Ow8vwjFYOM/tN4kcyOpxbxWbr4S6bkWv 5zBctIwWk9qWedLxHXMH67JV3AATou1aFUTXL2w4J56frkhgcPIcgjV1j7ME6y/r qNBvysaXzTkIUu/Vj9TJeigbKWTa7YiVgLn97X/RnjfjapD62e3ejhCOurEeDSPr 6u2BFhOGAIk= =fTJr -----END PGP SIGNATURE-----