No MITM attack on Cryptome
Michael Best
themikebest at gmail.com
Fri Oct 2 15:38:17 PDT 2015
A week or two ago, a new Snowden was released that shows information about
a visitor to Cryptome. James Atkinson looked at the slide and concluded
that it was proof of a man in the middle (MITM) attack against Cryptome. He
sent his concerns to John and Deborah who then posted them on Cryptome.org
- https://cryptome.org/2015/09/gchq-illegal-spying-us.htm
I'm doing a little bit of research on the slide and decided to compare
notes with what had already been written about it, including Mr. Atkinson's
post. While examining his remarks about the alleged MITM attack, I noticed
that he seemed to be missing a piece of information that led him to a
faulty conclusion. I've copied and pasted the relevant bits below.
But here is the thing -- and this is crucial -- the address for Cryptome is
> listed to be the location of a fiber optic cable junction in Sterling, VA
> (next to an Amusement Machine company)... which is quite some distance away
> from your location in NYC, and a considerable distance from your ISP who
> hosts your file, and it is located away from any signal switching systems
> use in the area, but it is virtually next door to fiber that goes to a
> large NSA listening post nearby.
The reason it is notable, is that someone at or near the location in
> Sterling, VA is performing a MITM attack on Cryptome visitors, and this
> image out of the slidedeck with the two GPS coordinates is the U.S.
> Government performing a MITM attack against Cryptome and sharing the
> collected intelligence with the Brits, or the U.S. Government giving the
> British government backdoor access into the U.S. (illegal) collection
> systems.
This isn't a sign of a MITM attack, but rather of a misunderstanding. The
Cryptome servers aren't located in New York at the address listed for
Cryptome as a business. The servers are hosted by Network Solutions, which
is who the IP address appears to belong to, as shown below.
NetRange: 205.178.128.0 - 205.178.191.255
CIDR: 205.178.128.0/18
NetName: NTSL-01
NetHandle: NET-205-178-128-0-1
Parent: NET205 (NET-205-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS14441, AS19871, AS6245
Organization: Network Solutions, LLC (NETWO-59)
RegDate: 1999-02-09
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-205-178-128-0-1
A reverse DNS search shows that the IP address is used to host over 1,100
domains. I've attached two PDFs that include more detailed information
showing that there is no indication of a MITM attack against Cryptome.
Live versions of the PDFs can be found at
http://www.iptodomain.com/ip-205-178-146-236.php
and
http://www.tcpiputils.com/browse/ip-address/205.178.146.236
I hope this will help soothe some fears and paranoia about this particular
alleged MITM attack. Monitoring, almost certainly. Other MITM attacks at
other times, perhaps. The GCHQ slide just isn't any sort of proof that
there was a MITM attack on Cryptome.org during the times referenced by the
slide.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 7439 bytes
Desc: not available
URL: <http://lists.cpunks.org/pipermail/cypherpunks/attachments/20151002/d1caa6ed/attachment-0002.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IP reverse of 205.178.146.pdf
Type: application/pdf
Size: 129136 bytes
Desc: not available
URL: <http://lists.cpunks.org/pipermail/cypherpunks/attachments/20151002/d1caa6ed/attachment-0004.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 205.178.146.pdf
Type: application/pdf
Size: 413476 bytes
Desc: not available
URL: <http://lists.cpunks.org/pipermail/cypherpunks/attachments/20151002/d1caa6ed/attachment-0005.pdf>
More information about the cypherpunks
mailing list