Web www.williambowles.info
Spy on the Spies - The Newbie’s Guide to Detecting the NSA

Tuesday, 27 June 2006

It’s not surprising that an expert hired by EFF should produce an analysis that supports the group’s case against AT&T. But last week’s public court filing of a redacted statement by J. Scott Marcus is still worth reading for the obvious expertise of its author, and the cunning insights he draws from the AT&T spy documents.

An internet pioneer and former FCC advisor who held a Top Secret security clearance, Marcus applies a Sherlock Holmes level of reasoning to his dissection of the evidence in the case: 120-pages of AT&T manuals that EFF filed under seal, and whistleblower Mark Klein’s observations inside the company’s San Francisco switching center.

If you’ve been following Wired News’ coverage of the EFF case, you won’t find many new hard revelations in Marcus’ analysis — at least, not in the censored version made public. But he connects the dots to draw some interesting conclusions:

  • The AT&T documents are authentic. That AT&T insists they remain under seal is evidence enough of this, but Marcus points out that the writing style is pure Bell System, with the “meticulous attention to detail that is typical of AT&T operations.”
  • There may be dozens of surveillance rooms in AT&T offices around the country. Among other things, Marcus finds that portions of the documents are written to cover a number of different equipment rack configurations, “consistent with a deployment to 15 to 20" secret rooms.
  • The internet surveillance program covers domestic traffic, not just international traffic. Marcus notes that the AT&T spy rooms are “in far more locations than would be required to catch the majority of international traffic”; the configuration in the San Francisco office promiscuously sends all data into the secret room; and there’s no reliable way an analysis could infer a user’s physical location from their IP address. This, of course, directly contradicts President Bush’s description of the “Terrorist Surveillance Program.”
  • The system is capable of looking at content, not just addresses. The configuration described in the Klein documents — presumably the Narus software in particular — “exists primarily to conduct sophisticated rule-based analysis of content”, Marcus concludes.

My bullet points don’t come close to conveying the painstaking reasoning he lays out to back each of his conclusions.

Perhaps the most interesting — and, in retrospect, obvious — point Marcus makes is that AT&T customers aren’t the only ones apparently being tapped. “Transit” traffic originating with one ISP and destined for another is also being sniffed if it crosses AT&T’s network. Ironically, because the taps are installed at the point at which that network connects to the rest of the world, the safest web surfers are AT&T subscribers visiting websites hosted on AT&T’s network. Their traffic doesn’t pass through the splitters.

With that in mind, here’s the 27B Stroke 6 guide to detecting if your traffic is being funneled into the secret room on San Francisco’s Folsom street.

If you’re a Windows user, fire up an MS-DOS command prompt. Now type tracert followed by the domain name of the website, e-mail host, VoIP switch, or whatever destination you’re interested in. Watch as the program spits out your route, line by line.

[Macintosh users can either run Network Utility or for a more detailed analysis run Terminal and at the prompt enter traceroute nsa.gov. For help with UNIX commands type help at the prompt.

A good site for checking out what's what is http://www.dnsstuff.com/]

C:\> tracert nsa.gov

1 2 ms 2 ms 2 ms
7 11 ms 14 ms 10 ms as-0-0.bbr2.SanJose1.Level3.net []
8 13 12 19 ms ae-23-56.car3.SanJose1.Level3.net []
9 18 ms 16 ms 16 ms
10 88 ms 92 ms 91 ms tbr2-p012201.sffca.ip.att.net []
11 88 ms 90 ms 88 ms tbr1-cl2.sl9mo.ip.att.net []
12 89 ms 97 ms 89 ms tbr1-cl4.wswdc.ip.att.net []
13 89 ms 88 ms 88 ms ar2-a3120s6.wswdc.ip.att.net []
14 102 ms 93 ms 112 ms
15 94 ms 94 ms 93 ms
16 * * *
17 * * *
18 * *

In the above example, my traffic is jumping from Level 3 Communications to AT&T’s network in San Francisco, presumably over the OC-48 circuit that AT&T tapped on February 20th, 2003, according to the Klein docs.

The magic string you’re looking for is sffca.ip.att.net. If it’s present immediately above or below a non-att.net entry, then — by Klein’s allegations — your packets are being copied into room 641A, and from there, illegally, to the NSA.

Of course, if Marcus is correct and AT&T has installed these secret rooms all around the country, then any att.net entry in your route is a bad sign.

more …

Friday, June 30

Check is NSA warrantless surveillance is looking at your IP traffic

AT&T technician Mark Klein learned of a secret room installed in the company’s San Francisco internet switching center … what he saw and learnt prompted him to call at the Electronic Frontier Foundation unannounced in late January 2005 with documents in hand. The EFF was already preparing a class-action lawsuit against AT&T for allegedly turning over customer phone-record data to the NSA — relying on reporting from the Los Angeles Times about AT&T giving the NSA access to a phone-record database with 1.88 trillion entries.More here at Wired.

Now a heavily redacted 40 page document document by internet expert J. Scott Marcus has been supplied and is available here. PDF Alert !! 40 pages.

Briefly Marcus says, based on the Klein documents, his experience, knowledge of AT&T and understanding of what equipment is available that ..

The AT&T documents that Klein supplied are genuine.

There could be 35 – 40 such rooms throughout the US.

The internet surveillance program covers domestic traffic not only just international traffic.Most International traffic enters the US through only 3 points Florida New York and San Francisco. Marcus notes that the AT&T spy rooms are “in far more locations than would be required to catch the majority of international traffic”

The system is capable of looking at content, not just addresses. The configuration described in the Klein documents — presumably the Narus software in particular — “exists primarily to conduct sophisticated rule-based analysis of content”, Marcus concludes.

The system looks at all traffic not just AT&T but those transiting AT&T networks.

Want to check to see of your Internet packets are being “sniffed” by AT&T.

First. A little history.

Way back when Bill Gates was designing a BASIC instruction set he (along with everybody else until Microsoft introduced Compiled or CBasic) which was interpretive. That means it took each line of code and processed it.

Troubleshooting was non -existent and de-bugging tools primitive. A utility resulted called TRON / TROFF was used , slow, cumbersome, but it worked and is best explained by the Commodore Basic handbook;

The TRON statement activates trace mode. When active, as each statement is executed, the line number of that statement is printed.

The TROFF statement turns off trace mode.

Of course most people will remember TRON as the 1982 (!) Disney movie, with Jeff Bridges and Bruce Boxleitner who played the young programmwer TRON – this was the very first movie to use computer generated graphics – which appear today to be unbeleivably primitive.

As systems, grew in complexity and multi-user tasking came along, and TCP/IP emerged, it became necessary to test what was happening as a packet was sent.A guy called Van Jacobson in 1987 from a suggestion by Steve Deering came up with a Unix utility called TRACE ROUTE or tracert.This is how Microsoft explain its function and method.

How the TRACERT Command Works (Microsoft on line help)

The TRACERT diagnostic utility determines the route taken to a destination by sending Internet Control Message Protocol (ICMP) echo packets with varying IP Time-To-Live (TTL) values to the destination. Each router along the path is required to decrement the TTL on a packet by at least 1 before forwarding it, so the TTL is effectively a hop count. When the TTL on a packet reaches 0, the router should send an ICMP Time Exceeded message back to the source computer.

TRACERT determines the route by sending the first echo packet with a TTL of 1 and incrementing the TTL by 1 on each subsequent transmission until the target responds or the maximum TTL is reached. The route is determined by examining the ICMP Time Exceeded messages sent back by intermediate routers. Note that some routers silently drop packets with expired TTLs and are invisible to TRACERT.

TRACERT prints out an ordered list of the routers in the path that returned the ICMP Time Exceeded message. If the -d switch is used (telling TRACERT not to perform a DNS lookup on each IP address), the IP address of the near- side interface of the routers is reported.

In a sense it works in a set wise mode just the way TRON/TROFF did decades ago.

Now you are ready to test if your packets are finding their way through AT&T , there’s the easy way ;

Go to www.dnsstuff.com you will find a range of tests you can perform, quickly and easily, on the right of the second row you will find a red box labeled Traceroute. Let us enter then , say the text … nsa.gov … or even their IP address… and press the button.

A list will be returned showing the times and route of the packet – you will in the column labelled HOSTNAME that the signal will travel through a switch labelled like this

tbr1-p013901.wswdc.ip.att.net. or maybe

or even


Now the att identifies the switch as AT&T ,you can identify the town (the system uses geolocation which is not very precise) by using the box in the centre of the fourth row “Find the city” by entering the IP address in the IP column immediately left of the HOSTNAME column

tbr2012701.phmaz.ip.att.net []
City: Morristown, New Jersey

tbr2-cl1592.dlstx.ip.att.net []
City: Morristown, New Jersey

tbr1-cl6.sl9mo.ip.att.net []
City: Fargo, North Dakota

tbr1-cl4.wswdc.ip.att.net []
City: Fargo, North Dakota

ar2-a3120s6.wswdc.ip.att.net []
City: Adrian, Michigan

Interestingly if you do a “Whois” query using the IP address you will find all these IP addresses were Registered on the 26th November 2003,at AT&T Worldnet Services,200 South Laurel Ave.Middletown NJ Zip 07748 there are also other curious similarities for you to ponder.

You can try the hard way and get the same results by calling up the MSDOS prompt and entering at the C:\Windows\ pompt

tracert nsa.gov

This will return the same list as the DNS utility but without the helpful notes etc.,

Now try this out with other IP addresses other than nsa.gov – as Marcus calculates 10% of all calls are passing through these rooms, don’t expect every IP adress to be picked up every time.

It would be neat if someone could co-ordinate the location of all the locations – which would give a precise number and location of the rooms. The list above is a start.

Back to Main Index | Spies R Us