[dave at farber.net: [IP] The Newbie's Guide to Detecting the NSA]

Tyler Durden camera_lumina at hotmail.com
Thu Jul 6 12:18:09 PDT 2006


Yeah...WTF?

Those taps were optical, and at the OC-N level. Layer 3 wasn't involved and 
IP traffic not re-routed through the NSA panopticon. In other words, NSA got 
an OPTICAL copy of the optical signal and then sent that COPY into their 
own Intelligence Black Hole. Your packets never even knew that was going on.

-TD


>From: Eugen Leitl <eugen at leitl.org>
>To: cypherpunks at jfet.org
>Subject: [dave at farber.net: [IP] The Newbie's Guide to Detecting the NSA]
>Date: Fri, 30 Jun 2006 14:48:09 +0200
>
>Which idiot would assume his specific location is excluded? Especially,
>if it's a long-distance (transcontinental) link?
>
>----- Forwarded message from David Farber <dave at farber.net> -----
>
>From: David Farber <dave at farber.net>
>Date: Fri, 30 Jun 2006 08:40:08 -0400
>To: ip at v2.listbox.com
>Subject: [IP] The Newbie's Guide to Detecting the NSA
>X-Mailer: Apple Mail (2.752.2)
>Reply-To: dave at farber.net
>
>
>
>Begin forwarded message:
>
>From: John Bartas <jbartas at speakeasy.net>
>Date: June 30, 2006 3:38:22 AM EDT
>To: dave at farber.net
>Subject: The Newbie's Guide to Detecting the NSA
>
>Dave,
>
>     This entry from the blog at wired.com might be good for the IP
>list. The best part is at the end. Good old traceroute!
>--------------------------------------------------------
>The Newbie's Guide to Detecting the NSA
>http://blog.wired.com/27BStroke6/#1510938 ... "With that in mind,
>here's the 27B Stroke 6 guide to detecting if your traffic is being
>funneled into the secret room on San Francisco's Folsom street. If
>you're a Windows user, fire up an MS-DOS command prompt. Now type
>tracert followed by the domain name of the website, e-mail host, VoIP
>switch, or whatever destination you're interested in. Watch as the
>program spits out your route, line by line.
>
>C:\> tracert nsa.gov
> 1 2 ms 2 ms 2 ms 12.110.110.204
> [...]
> 7 11 ms 14 ms 10 ms as-0-0.bbr2.SanJose1.Level3.net [64.159.0.218]
> 8 13 12 19 ms ae-23-56.car3.SanJose1.Level3.net [4.68.123.173]
> 9 18 ms 16 ms 16 ms 192.205.33.17
>10 88 ms 92 ms 91 ms tbr2-p012201.sffca.ip.att.net [12.123.13.186]
>11 88 ms 90 ms 88 ms tbr1-cl2.sl9mo.ip.att.net [12.122.10.41]
>12 89 ms 97 ms 89 ms tbr1-cl4.wswdc.ip.att.net [12.122.10.29]
>13 89 ms 88 ms 88 ms ar2-a3120s6.wswdc.ip.att.net [12.123.8.65]
>14 102 ms 93 ms 112 ms 12.127.209.214
>15 94 ms 94 ms 93 ms 12.110.110.13
>16 * * *
>17 * * *
>18 * *
>
>In the above example, my
>traffic is jumping from Level 3 Communications to AT&T's network in
>San Francisco, presumably over the OC-48 circuit that AT&T tapped on
>February 20th, 2003, according to the Klein docs. The magic string
>you're looking for is sffca.ip.att.net. If it's present immediately
>above or below a non-att.net entry, then -- by Klein's allegations --
>your packets are being copied into room 641A, and from there,
>illegally, to the NSA. Of course, if Marcus is correct and AT&T has
>installed these secret rooms all around the country, then any att.net
>entry in your route is a bad sign.
>
>-------------------------------------
>You are subscribed as eugen at leitl.org
>To manage your subscription, go to
>  http://v2.listbox.com/member/?listname=ip
>
>Archives at: http://www.interesting-people.org/archives/interesting-people/
>
>----- End forwarded message -----
>--
>Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
>______________________________________________________________
>ICBM: 48.07100, 11.36820            http://www.ativel.com
>8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
>
>[demime 1.01d removed an attachment of type application/pgp-signature which 
>had a name of signature.asc]
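
The adjacency test the forwarded blog post describes, as an added example in Python (not code from the post or from anyone in the thread): it parses Windows tracert output and reports where a sffca.ip.att.net hop sits next to a responding hop outside att.net. A match describes the route only; as the reply at the top says, an optical copy is invisible at layer 3. The sample route is constructed from hops quoted above, and `parse_hops`, `in_domain` and `flag_handoffs` are names chosen here.

```python
import re

# Constructed sample in Windows tracert layout, reusing hops quoted in the post.
SAMPLE = """\
  7    11 ms    14 ms    10 ms  as-0-0.bbr2.SanJose1.Level3.net [64.159.0.218]
  9    18 ms    16 ms    16 ms  192.205.33.17
 10    88 ms    92 ms    91 ms  tbr2-p012201.sffca.ip.att.net [12.123.13.186]
 11    88 ms    90 ms    88 ms  tbr1-cl2.sl9mo.ip.att.net [12.122.10.41]
 16     *        *        *     Request timed out.
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def parse_hops(text):
    """Map hop number -> (hostname or None, ip or None); timeouts give (None, None)."""
    hops = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*\S)\s*$", line)
        if not m:
            continue  # banner, blank or "Trace complete." lines
        rest = m.group(2)
        named = re.search(r"(\S+)\s+\[(" + IPV4 + r")\]$", rest)
        bare = re.search(r"(?<![\w.])(" + IPV4 + r")$", rest)
        if named:
            hops[int(m.group(1))] = (named.group(1).lower(), named.group(2))
        elif bare:
            hops[int(m.group(1))] = (None, bare.group(1))
        else:
            hops[int(m.group(1))] = (None, None)
    return hops

def in_domain(host, domain):
    # Suffix match on a label boundary, so "att.net.example.org" does not count.
    return host is not None and (host == domain or host.endswith("." + domain))

def flag_handoffs(hops, marker="sffca.ip.att.net", carrier="att.net"):
    """Return (marker_hop, neighbour_hop) pairs where a responding neighbour
    is outside the carrier domain. A bare-IP neighbour counts as outside,
    as hop 9 does in the post; a timed-out neighbour is ignored (assumption)."""
    found = []
    for n in sorted(hops):
        if not in_domain(hops[n][0], marker):
            continue
        for nn in (n - 1, n + 1):
            host, ip = hops.get(nn, (None, None))
            if ip is not None and not in_domain(host, carrier):
                found.append((n, nn))
    return found

if __name__ == "__main__":
    print(flag_handoffs(parse_hops(SAMPLE)))
```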




