A week or two ago, a new Snowden was released that shows information about a visitor to Cryptome. James Atkinson looked at the slide and concluded that it was proof of a man in the middle (MITM) attack against Cryptome. He sent his concerns to John and Deborah who then posted them on Cryptome.org - https://cryptome.org/2015/09/gchq-illegal-spying-us.htm I'm doing a little bit of research on the slide and decided to compare notes with what had already been written about it, including Mr. Atkinson's post. While examining his remarks about the alleged MITM attack, I noticed that he seemed to be missing a piece of information that led him to a faulty conclusion. I've copied and pasted the relevant bits below. But here is the thing -- and this is crucial -- the address for Cryptome is
listed to be the location of a fiber optic cable junction in Sterling, VA (next to an Amusement Machine company)... which is quite some distance away from your location in NYC, and a considerable distance from your ISP who hosts your file, and it is located away from any signal switching systems use in the area, but it is virtually next door to fiber that goes to a large NSA listening post nearby.
The reason it is notable, is that someone at or near the location in
Sterling, VA is performing a MITM attack on Cryptome visitors, and this image out of the slidedeck with the two GPS coordinates is the U.S. Government performing a MITM attack against Cryptome and sharing the collected intelligence with the Brits, or the U.S. Government giving the British government backdoor access into the U.S. (illegal) collection systems.
This isn't a sign of a MITM attack, but rather of a misunderstanding. The Cryptome servers aren't located in New York at the address listed for Cryptome as a business. The servers are hosted by Network Solutions, which is who the IP address appears to belong to, as shown below. NetRange: 205.178.128.0 - 205.178.191.255 CIDR: 205.178.128.0/18 NetName: NTSL-01 NetHandle: NET-205-178-128-0-1 Parent: NET205 (NET-205-0-0-0-0) NetType: Direct Allocation OriginAS: AS14441, AS19871, AS6245 Organization: Network Solutions, LLC (NETWO-59) RegDate: 1999-02-09 Updated: 2012-03-02 Ref: http://whois.arin.net/rest/net/NET-205-178-128-0-1 A reverse DNS search shows that the IP address is used to host over 1,100 domains. I've attached two PDFs that include more detailed information showing that there is no indication of a MITM attack against Cryptome. Live versions of the PDFs can be found at http://www.iptodomain.com/ip-205-178-146-236.php and http://www.tcpiputils.com/browse/ip-address/205.178.146.236 I hope this will help soothe some fears and paranoia about this particular alleged MITM attack. Monitoring, almost certainly. Other MITM attacks at other times, perhaps. The GCHQ slide just isn't any sort of proof that there was a MITM attack on Cryptome.org during the times referenced by the slide.