RIAA Safeweb Proxy ID
mikecabot at fastcircle.com
mikecabot at fastcircle.com
Sat Oct 13 06:14:13 PDT 2001
For anyone interested, Squid is basically just an HTTP/FTP cache....
similar to what AOL uses, for instance, and many satellite-based Net
ISPs (Starband, DirecPC) use to maximize bandwidth utlization.
Black Helicopter alert: Squid is based on an ARPA-funded project
called "Harvest".... a project that investigated "harversting" of
data across large, presumably public, networks, for archiving
and "study" :)
Squid itself is opensource.... if you're interested, check out
http://www.squid-cache.org
This is totally off-topic, but consider this: the way that a Proxy
cache works (not just Squid, any cache) is that it stores all of the
requested objects (web pages and files, in this case) on a series of
local servers. Then, when a user requests them, it serves them off of
ITS pages -- that way, it doesn't have to fetch them from
the "public" Internet.
Now, what do you have? Yep... a complete archive on SafeWeb's local
servers of all pages requested by their users.
Not being a conspiracy nut, I won't connect the last dot.... but you
see the value of this to someone like the CIA -- besides an
opportunity to create a voyeur-google, you can also control selected
pages' contents (be replacing them with your own contents and
disabling HTTP refresh of the page through the cache).
To get back to the RIAA point, though:
What you're looking at are HTTP headers (what you'd see if you
Telnet'ed to port 80 on Safeweb's web servers). Again, this won't get
you any closer to identifying the path that someone took to get to
Safeweb, and therefore, you cannot identify a target via this type of
information.
(The more interesting point would be: can Safeweb do so? The answer
is "you bet." The only thing they would have to do is classic
log/connection-time synchronization analysis, and that would tell
them the connection details of the user in question. But this can
only be done by Safeweb or someone with access to Safeweb logs.)
Mike
> Original Message from Sat, 13 Oct 2001 05:32:03 -0700:>
> Thanks to SC:
>
> [SC's IP address replaced by xxx.xxx.xxx.xxx]
>
> -----
>
> I've tuned in late to the riaa/safeweb thing, but I'm chiming in
> with my bit.
>
> Tracing from safeweb is an interesting exercise; the geography is
> very typical of the internet backbone and the router hops packets
> take.
>
> I wrote a script to mail all possible headers from a connecting
> browser to myself. I installed it on my server
>
> http://xxx.xxx.xxx.xxx:8140,
>
> and then connected from Safeweb.
>
> This anonymizer uses a caching proxy server, listening for
> connections on several IPs; it preserves client headers while
> obviously changing the IP of the originating connection; it
preserves
> many of the originating headers; it adds some new headers.
>
> Here's the output:
>
> GATEWAY_INTERFACE..........CGI/1.1
>
> REMOTE_ADDR..........64.124.150.136
>
> DATE_LOCAL..........Saturday, 13-Oct-2001 01:22:45 EDT
>
> REQUEST_METHOD..........GET
>
> QUERY_STRING..........
>
> DOCUMENT_URI........../index.html
>
> HTTP_ACCEPT..........image/gif, image/x-xbitmap, image/jpeg,
> image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-
excel,
> application/msword, */*
>
> REMOTE_PORT..........2513
>
> SERVER_ADDR..........142.204.119.75
>
> HTTP_ACCEPT_LANGUAGE..........en-us
>
> HTTP_CACHE_CONTROL..........max-age=259200
>
> REDIRECT_STATUS..........200
>
> HTTP_ACCEPT_ENCODING..........gzip
>
> SERVER_NAME..........xxx.xxx.xxx.xxx
>
> HTTP_X_FORWARDED_FOR..........127.0.0.1
>
> SERVER_PORT..........8140
>
> DOCUMENT_NAME..........index.html
>
> HTTP_IF_MODIFIED_SINCE..........Sat, 13 Oct 2001 05:15:44 GMT;
> length=853
>
> REDIRECT_URL........../
>
> DATE_GMT..........Saturday, 13-Oct-2001 05:22:45 GMT
>
> SERVER_PROTOCOL..........INCLUDED
>
> HTTP_REFERER..........http://xxx.xxx.xxx.xxx
>
> HTTP_USER_AGENT..........Mozilla/4.0 (compatible; MSIE 6.0; Windows
> NT 5.0)
>
> HTTP_CONNECTION..........keep-alive
>
> REQUEST_URI........../
>
> HTTP_HOST..........xxx.xxx.xxx.xxx:8140
>
> HTTP_VIA..........1.0 anongo.com:3128 (Squid/2.3.STABLE3)
>
> The last one in the list is the flavour of proxy they use:
>
> Squid/2.3.stable3
>
> And the DNS name of the source box for the HTTP request
> is anongo.com, which I don't believe showed up in your trace
> logs.
>
> Basically a caching proxy server's header set.
>
> The authoritative name servers for anongo.com are
>
> ns3.above.net
>
>
> www.anongo.com redirects to Safeweb. The boxes are standard
> unix/apache with ssl. They have written scripts to replace the
> originating address header and keep track of the connection, receive
> requested files to their cache, and then serve from that cache to
> your browser.
>
> The machines would absolutely be configured to do sophisticated
> logging; there is no free lunch on the net. While they appear to do
a
> nice job, their server logs would be a goldmine. Everyone who uses a
> commercial web browser agrees to have their information gathered the
> first time they use that browser - do you want to continue? When you
> say yes, you mean it!
>
> -----
>
>
>
>
_______________________________________________________________________________
WANT YOUR OWN FREE AND SECURE WEB EMAIL ADDRESS?
Visit http://www.fastcircle.com
More information about the cypherpunks-legacy
mailing list