From: mgraffam@mhv.net
Date: Sat, 9 May 1998 13:15:12 -0700 (PDT)
To: cypherpunks@toad.com
Subject: corvette.bxa.doc.gov followup
Message-ID: <Pine.LNX.3.96.980509160534.13731A-100000@localhost>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

This message describes a computer on the Internet, one
corvette.bxa.doc.gov (192.239.70.124) (hereafter corvette). This computer
is owned by the Bureau of Export Administration (hereafter BXA), which
itself is a branch of the Dept. of Commerce.

Here I am exploring the idea that corvette runs a bot that scans the
internet for materials regarding crypto export violation, and I
will raise a few questions in regards to this.

- From the BXA web page (www.bxa.doc.gov):

   The Bureau of Export Administration enhances the nation's security and
   its economic prosperity by controlling exports for national security,
   foreign policy, and short supply reasons. We administer the Export
   Administration Act by developing export control policies, issuing
   export licenses, and prosecuting violators. Additionally, BXA enforces
   the EAA's antiboycott provisions.    

A traceroute (timings excluded) from my computer system (a SLIP/PPP dialup
to MhvNet, located in Poughkeepsie NY) to corvette yields: 

 1  annex1 (199.0.0.10)
 2  router.mhv.net (199.0.0.1)
 3  sl-gw8-pen-3-4-T1.sprintlink.net (144.228.160.41)
 4  sl-bb1-pen-9-0-0.sprintlink.net (144.228.60.11)
 5  144.228.180.10 (144.228.180.10)
 6  nyc4-br2.bbnplanet.net (4.0.2.178)
 7  nyc4-nbr2.bbnplanet.net (4.0.5.29)
 8  vienna1-nbr2.bbnplanet.net (4.0.3.129)
 9  vienna1-nbr3.bbnplanet.net (4.0.5.46)
10  washdc1-br1.bbnplanet.net (4.0.1.89)
11  washdc1-cr1.bbnplanet.net (4.0.1.174)
12  docosesa.bbnplanet.net (192.221.253.3)
13  corvette.bxa.doc.gov (192.239.70.124)

It is especially useful to notice hops 10 and 11. The names of these two
hosts seem to indicate that the hops have tended towards Washington DC.
BBNPlanet is located in Washington, so it is probable that corvette
is too (though this is not necessarily true). 

On April 22nd 1998, an anonymous connection was made from corvette to my
personal computer, ismene. This connection is only possible through my
main web page which is located on spice.mhv.net, which then links to
my computer. This mechanism is needed because ismene gets a dynamic IP.

Spice's logs show: 

corvette.bxa.doc.gov - - [22/Apr/1998:14:05:49 -0400] "GET /~mgraffam 
	HTTP/1.0" 302 -
corvette.bxa.doc.gov - - [22/Apr/1998:14:05:50 -0400] "GET /~mgraffam/
	HTTP/1.0" 200 2019
corvette.bxa.doc.gov - - [22/Apr/1998:14:06:16 -0400] "GET
	/~mgraffam/misc/access.html HTTP/1.0" 200 629

The connector from corvette directly targeted my homepage, and then
immediately went to the page that accesses ismene. The connector bypassed
a page about crypto titled "Cryptotechnic Enlightenment". It is, perhaps,
this odd combination of words that escaped a bot's notice, but would have
surely been noticed by human. Instead the alleged bot picked up on
"access.html" and left links to my RSA and PGP public keys untouched. If
corvette is running a bot, it seems probable that they would ignore PGP
keys because they surely generate a large amount of noise when
exploring things of a cryptographic nature. This may account for the
behavior. 

The access.html on spice has links to my computer. HTTP, FTP and telnet
links are established, and direct links are made to copies of my public
keys. The first three links to my keys via FTP are bypassed, and a 
connection is made via HTTP to my computer (ismene). The portions from
ismene's httpd log follow:

corvette.bxa.doc.gov - - [22/Apr/1998:13:58:51 -0400] "GET / HTTP/1.0" 200 1858
corvette.bxa.doc.gov - - [22/Apr/1998:13:59:48 -0400] "GET /crypto_index.zip
	HTTP/1.0" 200 19570

Corvette picks up the crypto_index.zip file, and leaves links titled
"Index of unfinished works" and "Misc. projects". That corvette picked
up the crypto_index.zip file establishes that it is looking for crypto
related material. Why did it pass up the "Cryptotechnic Enlightenment"
page then? I submit that it is because the word "cryptotechnic" did not
trip the bot's sensor but the word "crypto" in the link title to
crypto_index.zip did. I also believe that a human would have followed the
"unfinished works" or "misc projects" links after getting a crypto
index file. A human would be intelligent enough to intuit the connection;
a spider is not.

At this point, I imagine the bot reaching the end of ismene's main page,
having picked up the file it thought was useful and returning back to
the access.html file on spice and traversing to the next link.

In this case, it is an ftp connection to my machine. A portion of my logs:

Apr 22 14:00:13 localhost opieftpd[1509]: connect from 
	firewall-user@192.239.70.124
Apr 22 14:00:14 localhost ftpd[1509]: connection from corvette.bxa.doc.gov
	at We d Apr 22 14:00:14 1998 
Apr 22 14:00:15 localhost ftpd[1509]: Anonymous FTP connection made from
	host corvette.bxa.doc.gov.
Apr 22 14:00:16 localhost ftpd[1509]: ANONYMOUS FTP login from
	corvette.bxa.doc.gov with ID mozilla@

After logging in corvette issues the following commands:

Apr 22 14:00:22 localhost ftpd[1509]: <--- 200 Type set to I.
Apr 22 14:00:23 localhost ftpd[1509]: command: SIZE /^M 
Apr 22 14:00:23 localhost ftpd[1509]: <--- 550 /: not a plain file.
Apr 22 14:00:25 localhost ftpd[1509]: command: CWD /^M 
Apr 22 14:00:25 localhost ftpd[1509]: <--- 250 CWD command successful.
Apr 22 14:00:28 localhost ftpd[1509]: command: LIST^M 
Apr 22 14:00:29 localhost ftpd[1509]: <--- 150 Opening BINARY mode data
	connection for /bin/ls.
Apr 22 14:00:29 localhost ftpd[1509]: <--- 226 Transfer complete.
Apr 22 14:00:35 localhost ftpd[1509]: command: PORT 192,239,70,124,7,228^M 
Apr 22 14:00:35 localhost ftpd[1509]: <--- 200 PORT command successful.
Apr 22 14:00:36 localhost ftpd[1509]: command: SIZE /pub/^M 
Apr 22 14:00:36 localhost ftpd[1509]: <--- 550 /pub/: not a plain file.
Apr 22 14:00:39 localhost ftpd[1509]: command: CWD /pub/^M 
Apr 22 14:00:39 localhost ftpd[1509]: <--- 250 CWD command successful.
Apr 22 14:00:40 localhost ftpd[1509]: command: LIST^M 
Apr 22 14:00:40 localhost ftpd[1509]: <--- 150 Opening BINARY mode data
	connection for /bin/ls.
Apr 22 14:00:40 localhost ftpd[1509]: <--- 226 Transfer complete.
Apr 22 14:00:47 localhost ftpd[1509]: command: PORT 192,239,70,124,7,235^M 
Apr 22 14:00:47 localhost ftpd[1509]: <--- 200 PORT command successful.
Apr 22 14:00:48 localhost ftpd[1509]: command: SIZE /pub/skey/^M 
Apr 22 14:00:48 localhost ftpd[1509]: <--- 550 /pub/skey/: not a plain file.
Apr 22 14:00:50 localhost ftpd[1509]: command: CWD /pub/skey/^M 
Apr 22 14:00:50 localhost ftpd[1509]: <--- 250 CWD command successful.
Apr 22 14:00:51 localhost ftpd[1509]: command: LIST^M 
Apr 22 14:00:51 localhost ftpd[1509]: <--- 150 Opening BINARY mode data
	connection for /bin/ls.
Apr 22 14:00:51 localhost ftpd[1509]: <--- 226 Transfer complete.
Apr 22 14:01:08 localhost ftpd[1509]: command: PORT 192,239,70,124,8,1^M 
Apr 22 14:01:08 localhost ftpd[1509]: <--- 200 PORT command successful.
Apr 22 14:01:08 localhost ftpd[1509]: command: SIZE /pub/skey/README^M 
Apr 22 14:01:08 localhost ftpd[1509]: <--- 213 1149
Apr 22 14:01:09 localhost ftpd[1509]: command: RETR /pub/skey/README^M 

This series of commands ignores a directory called "keys" at root level,
which is consistent with ignoring PGP keys above, and cd's to pub/skey.
It then retrieves the README file (which is just a copy of NRL's readme)
and leaves. The connection style itself (of SIZE'ing directory names)
is odd, but this can be recreated with older versions of Netscape
Navigator. 

I will assume that these connections are really from Netscape, and _not_
from a bot disguising itself as NS Navigator. 

Greg Broiles (gbroiles@netbox.com) forwarded portions of his logs on
parrhesia to me:

corvette.bxa.doc.gov - - [20/Mar/1998:10:18:07 -0800] "GET /wassenaar/
HTTP/1.0" 200 2253
"http://search.excite.com/search.gw?collection=web&display=html2,lb&search=w
assenaar+countries" "Mozilla/2.0 (compatible; MSIE 3.02; Windows 3.1)"

corvette.bxa.doc.gov - - [20/Mar/1998:10:18:46 -0800] "GET /wassenaar/
HTTP/1.0" 200 2253 "-" "Mozilla/2.0 (compatible; MSIE 3.02; Windows 3.1)"

These shows connections from MSIE, can anyone confirm that MSIE makes
FTP requests in the same manner as NS? 

Here I raise two questions that I would like to discuss, in private email
if needed because it is off-topic. First, could Navigator be made to
crawl the web? Could it be programmed via OLE, or Java? If it could, then
it could easily be used as the protocol frontend to a spider that could
easily crawl http, ftp, gopher, and news references looking for crypto
export violations.

If programming Navigator would entail pushing keystrokes into the keyboard
buffer and simulating mouse events, I do not believe it would be used as
tying up a machine's console in this manner would be vastly inefficient
and it would be better justified to pay a programmer to develop the
software to do it without NS.

Now I would like to focus on a different aspect of my logs: the
identification of a firewall-users@192.239.70.124. It seems as if
corvette is a proxy server for other machines.

A port probe of corvette yields the following services:

corvette.bxa.doc.gov           ftp                 21/tcp 
corvette.bxa.doc.gov           smtp                25/tcp mail
corvette.bxa.doc.gov           whois               43/tcp nicname
corvette.bxa.doc.gov           gopher              70/tcp
corvette.bxa.doc.gov           finger              79/tcp 
corvette.bxa.doc.gov           www                 80/tcp http

ismene:~$ finger @corvette.bxa.doc.gov
[corvette.bxa.doc.gov]
        Finger from your system is not permitted through the firewall.

ismene:~$ ftp corvette.bxa.doc.gov
Connected to corvette.bxa.doc.gov.
220-Proxy first requires authentication
220 corvette.bxa.doc.gov FTP proxy (Version 3.2) ready.

- From these two connections, we can see that corvette is indeed a
firewalling proxy. Because of this, we cannot be sure if all connections
out of corvette belong to the possible spider.

An altavista search for corvette.bxa.doc.gov turns up the web statistics
logs of several servers, including military and foreign servers. 
Such a bot may crawl foreign servers looking for links or files from the
U.S., and it may crawl military sites to see to it that regulated
materials are not being exported (like the pgp fiasco). On the other hand,
this is mere speculation, it is equally likely that humans at BXA are
putzing around the net, looking at different sites.

This latter fact can be established (or we must admit to an incredibly
wide reaching bot that is not limited to crypto) because spice.mhv.net
has logged connections from corvette to www.mhv.net/~donn/diet.html
which is the main page for a health/fitness related hierarchy. It is
apparently a popular site for that material and is linked to frequently
by other sites. It is possible that a bot crawled around this way, but
unlikely since from the evidence on my machine the bot (if it is one)
is fairly discriminating about the links it follows.

Humans use the corvette proxy.

It is hard to tell which links drew corvette's attention from those sites
that were hit up. Here is an attempt at a classification of sites that
get connections from corvette:

* Physics:
  nsi.net.kiae.su, a nuclear safety institute, keeps a log specifically of
  U.S. government computers that have connected to them. Corvette made 65
  requests to nsi.net.kiae.su. 

  University of Crete Physics Dept. (www.edu.physics.uch.gr) 21 times.

* Other Science and Technology:
  The Bioscan project at genome.cs.unc.edu was hit twice.
  
  The BCD (Biological Computing Division) of the Weizmann Institute in
  Israel was hit 9 times.

  CSIRO Minerals, www.csiro.au, was hit 1.

  The Texas Agricultural Extension Service was hit twice.

* Political:
  www.tbs-sct.gc.ca the Canadian Treasury Board was hit once. 

* Military:
  The U.S. Army's Signal Corps was hit 13 times.


Several universities were hit as well, presumably because of a student
pages. Other miscellaneous sites that were hit include a martial arts
page, a personal interests page and a porn page. 

The urls for the pages in question are included below.

If this sample of sites is representative of the connections made by 
corvette, then physics sites make up the bulk of those connections.

No verifiable connections were made to crypto related sites other than my
own. I do not know why the connections were made to the universities,
I figure that it is because of student interests.

Given the nature of BXA's mission, and the sort of material that I make
available on my homepage on spice I still find it strange that the 
"Cryptotechnic Enlightenment" page was passed by. This is underscored
by the fact that the "Misc." and "Unfinished" links were passed up,
even when corvette is obviously looking for crypto stuff (by getting
crypto_index.zip).

However, there is a general lack of relevent connections made to crypto
related sites by corvette on the internet as a whole. If corvette is
proxying a bot, I think that the bot may be targeted at individuals 
and is not a wide-spread intelligence gathering device. 

I would be interested in hearing if corvette has made connections to
crypto oriented sites. If those that run sites with crypto material could
post any connections they have had from corvette, I would appreciate it. 

Michael Graffam (mgraffam@mhv.net)

- -----------------------------------------------------------------------

URLS relating to corvette.bxa.doc.gov turned up by Altavista:

http://chip.mcl.ucsb.edu/lopaka/usage/weeks/hosts/www.mcl.ucsb.edu.13.total-hosts.html
http://www.tbs-sct.gc.ca/tbsstats/tbstats/N1997-06.TXT
http://nsi.net.kiae.su/w3perl/Pays/US-Government.html
http://www.tbs-sct.gc.ca/tbsstats/tbstats/N1997-03.TXT
http://genome.cs.unc.edu/wusage/week59.html
http://dapsas.weizmann.ac.il/reports/31Oct1997.hosts.html
http://www.minerals.csiro.au/wusage/new/log.ext/log1997/sites0896.html
http://www.gordon.army.mil/usage/H1997-01.TXT
http://www.amherst.edu/~erreich/visitors.html
http://www.ufl.edu/9607-14.html
http://data.gc.peachnet.edu/APPS/WWW/USAGE/1996/H1996-07.TXT
http://data.gc.peachnet.edu/APPS/WWW/USAGE/1996/H1996-09.TXT
http://www.edu.physics.uch.gr/usage/week89.html
http://www.edu.physics.uch.gr/usage/week56.html
http://www.gordon.army.mil/usage/H1996-09.TXT (2)
http://leviathan.tamu.edu:70/0/gnlog/1996/9612/9612.hosts
http://lfowler.afternet.com/logfiles/sites0298.html
http://www.chelt.ac.uk/usage/ws970622.htm
http://www.splosh.co.uk/usage/weeks/hosts/splosh.9.total-hosts.html
http://www.ufl.edu/9803-08.html
http://www.italcultusa.org/home/_private/mailing.txt
http://lfowler.afternet.com/logfiles/sites0198.html

Michael J. Graffam (mgraffam@mhv.net)
http://www.mhv.net/~mgraffam -- Philosophy, Religion, Computers, Crypto, etc
I think that we should be men first, and subjects afterward. It is not
desirable to cultivate a respect for the law, so much as for the right.
			Henry David Thoreau "Civil Disobedience"

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBNVS3VQKEiLNUxnAfAQFz2QP+Ow8vwjFYOM/tN4kcyOpxbxWbr4S6bkWv
5zBctIwWk9qWedLxHXMH67JV3AATou1aFUTXL2w4J56frkhgcPIcgjV1j7ME6y/r
qNBvysaXzTkIUu/Vj9TJeigbKWTa7YiVgLn97X/RnjfjapD62e3ejhCOurEeDSPr
6u2BFhOGAIk=
=fTJr
-----END PGP SIGNATURE-----