RIAA Safeweb Proxy ID

mikecabot at fastcircle.com mikecabot at fastcircle.com
Sat Oct 13 06:14:13 PDT 2001 

For anyone interested, Squid is basically just an HTTP/FTP cache.... 
similar to what AOL uses, for instance, and many satellite-based Net 
ISPs (Starband, DirecPC) use to maximize bandwidth utlization.

Black Helicopter alert: Squid is based on an ARPA-funded project 
called "Harvest".... a project that investigated "harversting" of 
data across large, presumably public, networks, for archiving 
and "study" :)

Squid itself is opensource.... if you're interested, check out
http://www.squid-cache.org

This is totally off-topic, but consider this: the way that a Proxy 
cache works (not just Squid, any cache) is that it stores all of the 
requested objects (web pages and files, in this case) on a series of 
local servers. Then, when a user requests them, it serves them off of 
ITS pages -- that way, it doesn't have to fetch them from 
the "public" Internet.

Now, what do you have? Yep... a complete archive on SafeWeb's local 
servers of all pages requested by their users.

Not being a conspiracy nut, I won't connect the last dot.... but you 
see the value of this to someone like the CIA -- besides an 
opportunity to create a voyeur-google, you can also control selected 
pages' contents (be replacing them with your own contents and 
disabling HTTP refresh of the page through the cache). 

To get back to the RIAA point, though:

What you're looking at are HTTP headers (what you'd see if you 
Telnet'ed to port 80 on Safeweb's web servers). Again, this won't get 
you any closer to identifying the path that someone took to get to 
Safeweb, and therefore, you cannot identify a target via this type of 
information.

(The more interesting point would be: can Safeweb do so? The answer 
is "you bet." The only thing they would have to do is classic 
log/connection-time synchronization analysis, and that would tell 
them the connection details of the user in question. But this can 
only be done by Safeweb or someone with access to Safeweb logs.)

Mike

> Original Message from Sat, 13 Oct 2001 05:32:03 -0700:> 
> Thanks to SC:
> 
> [SC's IP address replaced by xxx.xxx.xxx.xxx]
> 
> -----
> 
> I've tuned in late to the riaa/safeweb thing, but I'm chiming in 
> with my bit.
> 
> Tracing from safeweb is an interesting exercise; the geography is
> very typical of the internet backbone and the router hops packets
> take.
> 
> I wrote a script to mail all possible headers from a connecting
> browser to myself. I installed it on my server
> 
>   http://xxx.xxx.xxx.xxx:8140, 
> 
> and then connected from Safeweb. 
> 
> This anonymizer uses a caching proxy server, listening for
> connections on several IPs; it preserves client headers while
> obviously changing the IP of the originating connection; it 
preserves
> many of the originating headers; it adds some new headers. 
> 
> Here's the output:
> 
> GATEWAY_INTERFACE..........CGI/1.1
> 
> REMOTE_ADDR..........64.124.150.136
> 
> DATE_LOCAL..........Saturday, 13-Oct-2001 01:22:45 EDT
> 
> REQUEST_METHOD..........GET
> 
> QUERY_STRING..........
> 
> DOCUMENT_URI........../index.html
> 
> HTTP_ACCEPT..........image/gif, image/x-xbitmap, image/jpeg,
> image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-
excel,
> application/msword, */*
> 
> REMOTE_PORT..........2513
> 
> SERVER_ADDR..........142.204.119.75
> 
> HTTP_ACCEPT_LANGUAGE..........en-us
> 
> HTTP_CACHE_CONTROL..........max-age=259200
> 
> REDIRECT_STATUS..........200
> 
> HTTP_ACCEPT_ENCODING..........gzip
> 
> SERVER_NAME..........xxx.xxx.xxx.xxx
> 
> HTTP_X_FORWARDED_FOR..........127.0.0.1
> 
> SERVER_PORT..........8140
> 
> DOCUMENT_NAME..........index.html
> 
> HTTP_IF_MODIFIED_SINCE..........Sat, 13 Oct 2001 05:15:44 GMT;
> length=853
> 
> REDIRECT_URL........../
> 
> DATE_GMT..........Saturday, 13-Oct-2001 05:22:45 GMT
> 
> SERVER_PROTOCOL..........INCLUDED
> 
> HTTP_REFERER..........http://xxx.xxx.xxx.xxx
> 
> HTTP_USER_AGENT..........Mozilla/4.0 (compatible; MSIE 6.0; Windows
> NT 5.0)
> 
> HTTP_CONNECTION..........keep-alive
> 
> REQUEST_URI........../
> 
> HTTP_HOST..........xxx.xxx.xxx.xxx:8140
> 
> HTTP_VIA..........1.0 anongo.com:3128 (Squid/2.3.STABLE3)
> 
> The last one in the list is the flavour of proxy they use:
> 
>   Squid/2.3.stable3
> 
> And the DNS name of the source box for the HTTP request
> is anongo.com, which I don't believe showed up in your trace 
> logs. 
> 
> Basically a caching proxy server's header set.
> 
> The authoritative name servers for anongo.com are 
> 
>   ns3.above.net
> 
> 
> www.anongo.com redirects to Safeweb. The boxes are standard
> unix/apache with ssl. They have written scripts to replace the
> originating address header and keep track of the connection, receive
> requested files to their cache, and then serve from that cache to
> your browser.
> 
> The machines would absolutely be configured to do sophisticated
> logging; there is no free lunch on the net. While they appear to do 
a
> nice job, their server logs would be a goldmine. Everyone who uses a
> commercial web browser agrees to have their information gathered the
> first time they use that browser - do you want to continue? When you
> say yes, you mean it!
> 
> -----
> 
> 
> 
> 

_______________________________________________________________________________
WANT YOUR OWN FREE AND SECURE WEB EMAIL ADDRESS?

Visit http://www.fastcircle.com

More information about the cypherpunks-legacy mailing list