21 October 2001: See also "Safeweb Bandwidth Splitting":

http://cryptome.org/safeweb-split.htm

21 October 2001: Add reader comments.
17 October 2001: Add reader comments.

16 October 2001

This is a Safeweb response about a file on Anongo.com: http://cryptome.org/riaa-anongo.htm

A rather astonishing policy by a privacy protection service for storing users' surfing data and responding to subpoenas which should be posted on the SafeWeb page. But see response below by Stephen Hsu, SafeWeb CEO, pointing to privacy policies at SafeWeb.


Date: Tue, 16 Oct 2001 19:42:17 +0000
From: Zach White <zwhite@safeweb.com>
To: jya@pipeline.com
Subject: SafeWeb, DoD, and other nonsense

Heya. Thought you might like some real information on what we do at safeweb,
so you can stop guessing. We're fairly open about things.

First, we have no ties to the DoD. That address was a typo, and I've just
emailed abovenet to have them fix it. It should be in DNS in an hour or
two (Give or take a few hours for propagation). If you'll notice,
215.104.228.144 is just one digit from 216.104.228.144. We hadn't noticed
that until now as the anongo name was abandoned a while ago, and is only
kept around because we still have it.

Secondly, what do we do with the logs? Every night we tar them up, ship them
to a central machine, compile stats on how many clients we served and how
many ads we served, gpg the logs, and store them for 7 days. After that they
get deleted, unless someone manages to subpoena them. In which case we pull
out only the entries associated with the subpoena, and keep them around until
we're actually served with said subpoena.

Anything else you want to know? I can probably tell you so you don't have
to speculate.

If you want to verify my pgp key, and voice is sufficient, you can feel free
to phone me. If you want to actually be able to co-sign keys, and you happen
to be in the bay area, I'd be glad to meet up with you so we can trade
credentials.

--
    |       Zach White <zwhite@safeweb.com>  (510) 601-8855 ext. 115
    |       Sr. System Administrator - SafeWeb - http://www.safeweb.com
----+----   PGP key available from the pgp.net keyring
    |       
   -+-      Standard Disclaimer:
    |          The opinions above are not necessarily those of my employer,
  --+--        my significant other, or my cat.
   /|      
 \/ |       -><-


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: oSYqQAqA/tQvOsOBEDjQtsq9m//JvBk0

iQA/AwUBO8yNmG0+egmb1oMnEQIU8ACgraiYIc+pNJkWKxvcaDk3nQe6DFAAoPEr
9YdAYKijKW3kgkxTaAqA6HjK
=sU6I
-----END PGP SIGNATURE-----
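
The retention rule described in the message above, modelled as an added example (not SafeWeb's code): logs expire after 7 days, and a subpoena preserves only the named client's entries that still exist when it arrives. `LogStore`, its methods, the in-memory storage and the sample addresses are assumptions made for illustration.

```python
from datetime import date, timedelta

RETENTION_DAYS = 7  # retention period stated in the message


class LogStore:
    """In-memory model of the nightly job (hypothetical; real logs are archives on disk)."""

    def __init__(self):
        self.live = []      # (log_date, client, line) inside the retention window
        self.held = []      # entries pulled out because a subpoena names the client
        self.holds = set()  # client identifiers named in a pending subpoena

    def ingest(self, log_date, client, line):
        self.live.append((log_date, client, line))

    def add_hold(self, client):
        self.holds.add(client)  # can only ever preserve entries that still exist

    def nightly(self, today):
        """Expire entries RETENTION_DAYS old or older; return how many were deleted."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        keep, deleted = [], 0
        for rec in self.live:
            if rec[0] > cutoff:
                keep.append(rec)
            elif rec[1] in self.holds:
                self.held.append(rec)  # only the named client's entries survive
            else:
                deleted += 1
        self.live = keep
        return deleted


def demo():
    """Constructed sample data: two clients, holds arriving at different times."""
    day0 = date(2001, 10, 1)
    store = LogStore()
    store.ingest(day0, "192.0.2.10", "GET /a")
    store.ingest(day0, "192.0.2.20", "GET /b")
    store.ingest(day0 + timedelta(days=3), "192.0.2.20", "GET /c")
    store.add_hold("192.0.2.10")                         # arrives inside the window
    deleted = store.nightly(day0 + timedelta(days=7))    # /a held, /b deleted
    store.add_hold("192.0.2.20")                         # arrives too late for /b
    deleted += store.nightly(day0 + timedelta(days=10))  # /c expires into the hold
    return deleted, [line for _, _, line in store.held], store.live


if __name__ == "__main__":
    print(demo())
```

The run shows the practical meaning of the window: an entry is reachable by legal process for as long as it is retained, and not after.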


From SC, 17 October 2001:

Here is some stuff I came across re: anongo which didn't seem like anything but a little joke. I didn't include it in my original message because anongo.com had been established as an originating point-of-presence for safeweb by my header-mailer program. You might find it interesting.

I read with interest that Safeweb diligently preserves its logs for anyone with a subpoena, as I'm sure the rest of the net did. Mr. White's take on the 215/216 ip confusion seems irrelevant to me; they have names registered in DNS, they do their business on the addresses they secure from their ISP, answering DNS resolved browser requests from those addresses.

In my opinion, the 215.104.228.114 Arlington VA anongo.com machine is doing exactly the same thing as the 216.104.228.114 anongo.com machine, as well as the 65.107.16.45 safeweb machine which I have investigated below. These machines are all firewalled and are offering services on similar port numbers. They're proxy boxes. Anongo.com can most certainly point to two IPs - you own the domain name, you point it to machines with valid IPs; there's not necessarily a "typo" here. Domain names can point to multiple IPs; happens all the time.

Running nslookup on safeweb.com and anongo.com tells us that the two ip addresses are in the same subnet, as we already know. [xxxxxx by Cryptome.]

mrstef@ /home/xxxxxx># nslookup safeweb.com
Server:  nsprime.xxxxxx.on.ca
Address:  xxx.xxx.xxx.xxx
Non-authoritative answer:
Name:    safeweb.com
Address:  216.104.228.139
mrstef@ /home/xxxxxx># nslookup anongo.com
Server:  nsprime.xxxxxx.on.ca
Address:  xxx.xxx.xxx.xxx
Name:    anongo.com
Address:  216.104.228.144

If I do an nslookup on the standard alias for a mail server, mail.something.com for safeweb, I get this output:

mrstef@ /home/xxxxxx># nslookup mail.safeweb.com
Server:  nsprime.xxxxxx.on.ca
Address:  xxx.xxx.xxx.xxx
Non-authoritative answer:
Name:    redirect.pooka.safeweb.com
Address:  65.107.16.45
Aliases:  mail.safeweb.com

The 65 net address machines do proxying work for safeweb, as we saw in the safeweb header output from before.

This machine does not run any mail service on the standard mail ports 25, 110 or 143. Pooka seems to be a java based email client. Whatever.

If I type http://65.107.16.45 in my browser, I am redirected to https://www.safeweb.com ; this would explain the redirect part of this machine's name at any rate.

I am probably sent by a server redirect to the safeweb site; the only way for me to see any page at http://redirect.pooka.safeweb.com is to spoof a browser via telnet and look at the source the server sends to me.

Following is the output from a telnet request on port 80, the www port, for the default index.html page of this machine.

mrstef@ /home/xxxxxx># telnet redirect.pooka.safeweb.com 80
Trying 65.107.16.45...
Connected to redirect.pooka.safeweb.com.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 15 Oct 2001 00:51:28 GMT
Server: Apache/1.3.12 (Unix) mod_ssl/2.6.4 OpenSSL/0.9.5a
Content-Type: text/html
Connection: close

<!-- <META HTTP-EQUIV="Refresh"
CONTENT="0;URL=https://www.safeweb.com"> -->
<!-- safeweb.com -- WARNING REGEXP HARDCODE -->

<html>
<head>

<title>Safeweb</title>

<meta name="description" content="Safeweb provides the first free,
completely private and secure way to surf the Web anywhere, anytime">

<meta name="keywords" content="Anonymity, Anonymous Dialup, Anonymous
Email, Anonymous Mailer, Anonymous Web Browsing, Anonymous Web Surfing,
Anonymous, Carnivore Killer, Carnivore, Cookie Filter, Cookie Manager, 
Encryption, Encrypted Dialup, Encrypted Email, Encrypted Mailer, 
Encrypted Web Surfing, Encrypted Web Browsing, Firewall, Internet 
Privacy, Internet Security, Online Privacy, Online Security, Personal 
Firewall, Pop-up Window Manager, Privacy Service, Privacy, Private 
Bookmarks, Proxy, SSH, Secure Access Proxy, Secure Dialup, Secure
Proxy, Secure, Security, Spawn Suppression">

</head>
<body>
<font size=-20>
<!--Pooka says Anongo rocks!-->
</font>
</body>
</html>
Connection closed by foreign host.

Buried in this page, which cannot be seen by any browser because of the server programmed redirect which immediately sends you to the main safeweb page, is an html comment referring to Anongo! It's even font-coded to not render for display, and is the only element in the body section of the page! I have generated a screenshot to confirm this output, attached as an ms word document [screenshot matches telnet output above].

Servers on the internet all get crawled and indexed. The "pooka" machine is simply doing some of their proxying work, maybe while they try to set it up for mail service, and since it's on the net and could get crawled, safeweb put an index page with lots of keywords for the search engines, and programmed a redirect to their main page to get maximum traffic out of their internet assets. But "Pooka says Anongo rocks"...??! Are they just goofing around, or thumbing their nose at us thinking no one would see their little secret?

Regards

SC
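
What the response captured in the telnet session above discloses, as an added example that is not part of SC's message: it parses the headers and body (trimmed here to the lines examined) and separates live markup from commented-out markup. `PageAudit` and `audit` are illustrative names.

```python
from html.parser import HTMLParser

# Copied from the telnet capture above, trimmed to the lines examined.
RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/1.3.12 (Unix) mod_ssl/2.6.4 OpenSSL/0.9.5a

<!-- <META HTTP-EQUIV="Refresh"
CONTENT="0;URL=https://www.safeweb.com"> -->
<!-- safeweb.com -- WARNING REGEXP HARDCODE -->
<title>Safeweb</title>
<body>
<font size=-20>
<!--Pooka says Anongo rocks!-->
</font>
</body>
"""


class PageAudit(HTMLParser):
    """Collects HTML comments and any meta refresh that is live markup."""

    def __init__(self):
        super().__init__()
        self.comments, self.live_refresh = [], []

    def handle_comment(self, data):
        self.comments.append(" ".join(data.split()))  # collapse line breaks

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            self.live_refresh.append(attrs.get("content"))


def audit(response):
    head, _, body = response.partition("\n\n")
    status, *lines = head.splitlines()
    headers = dict(line.split(": ", 1) for line in lines)
    page = PageAudit()
    page.feed(body)
    page.close()
    return {
        "status": status.split()[1],
        # name/version tokens the Server banner hands to anyone who asks
        "versions": [t for t in headers.get("Server", "").split() if "/" in t],
        "comments": page.comments,
        "live_refresh": page.live_refresh,
        "commented_refresh": [c for c in page.comments if "http-equiv" in c.lower()],
    }


if __name__ == "__main__":
    print(audit(RESPONSE))
```

On this capture `live_refresh` is empty and the Refresh tag appears only under `commented_refresh`: the tag sits inside an HTML comment, so it is not active markup in the 200 response that was captured.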


From: Anonymous
To: jya@pipeline.com
Date: 16 October 2001

You remarked:

"A rather astonishing policy by a privacy protection service for storing
users' surfing data and responding to subpoenas which should be posted
on the SafeWeb page."

If Zach's mail is legit -- and he seems to be willing to make efforts to authenticate it -- I wouldn't be "astonished" by such a statement.

In my experience, system administrators -- especially ones with ethics -- are kept on a really short leash by suits. Now, I know nothing about who runs safeweb, and I have no reason to trust them, but if they're structured like most other companies, even the most senior sysadmin is perceived as only a tool by corporate management. Who knows, this guy may get smacked down for saying as much as he did to you.

Just my way of saying that not expecting a cultural disconnect between sysadmins and management -- in any organization -- is unrealistic IMO.

Or maybe you were being sarcastic and it just went over my head? :)

_______________________

To: Anonymous
From: jya@pipeline.com
Date: 17 October 2001

I also think Zach is a straight-shooter. What bothers me is the failure of Safeweb to tell its users about how it handles their data -- that's what an honest privacy policy is all about, in particular for an anonymizing service.

For telling about Safeweb's policy Zach is most definitely commended.

Zach did not answer other questions about Anongo others have raised. What remains concealed about how Safeweb and Anongo fully work is in need of study and reporting to the public -- that investigation continues and we'll post it as it comes in [see SC above].

Without discovery and publication of the Anongo stuff by an eagle-eye no one would be wiser about Safeweb's snooping on its users. Though we know sysadmins do that all the time under rationale of needing to monitor their systems. Where shit happens is when unscrupulous, or harried, or coerced, or unwary sysadmins reveal what they know about customers to suits who see a marketing opportunity in betrayal of trust, not least that caused by fear of the authorities. That betrayal appears underway at Safeweb. I believe Zach knows that and is sending a signal loud and clear -- for only a part of what he knows and suggests there is more to be told, that is, users of anonymizing services should keep the pressure up so that full-bore competition for trustworthy privacy services will keep providers honest.

Sysadmins are indeed sending these signals of warning publicly all around the Web and via anonymous messages. We need to pay close attention to what they cannot say without getting fired, and to be wary of misleading sysadmin revelations being made under duress or deliberate deception -- healthy privacy and security skepticism in these days of wildfire disinformation, scare tactics and false assurance.


From: "Stephen Hsu" <stephen.hsu@safeweb.com>
To: <jya@pipeline.com>
Subject: SafeWeb clarifications
Date: Wed, 17 Oct 2001 11:39:25 -0700

Dear Cryptome,

As much as I am enjoying all of the black helicopter speculations of your readers, I thought I might try to clarify a few things:

1) Anongo and DOD. Anongo was a name we originally thought of launching the service under (as in "Go Anonymous!"). We even have a start page with a funky Anongo logo that we never used. When we launched we were primarily hosted at Exodus, although we had a smaller test-bed colo at an ISP in VA. The DOD IP address was a typo, nothing more. The www.anongo.com URL was never in use except during some beta testing. "Pooka" is the nickname of one of our developers.

2) Logging and subpoenas: Zach White (our sysadmin; see previous messages) didn't reveal anything that isn't prominently discussed in the privacy policy (https://fugu.safeweb.com/sjws/priv_policy.html) on our site. As a U.S. corporation, we have no choice but to comply with lawful orders such as subpoenas. The 7 day retention of logs is a compromise: for security reasons we have to keep logs to see who is trying to hack or probe us (this happens with some frequency). For business reasons it would actually be advantageous to destroy logs on a shorter timescale, to reassure users and to minimize the amount of work we have to do to comply with law enforcement. We compromised at 7 days, and I think you will find that other services have similar policies.

3) Our relationship with the CIA (through its venture fund In-Q-Tel) is well documented (see, e.g., http://fugu.safeweb.com/sjws/company/investors.html), and we have no relationship with the Department of Defense.

I hope this answers your questions. Sorry the world is not as interesting as some conspiracy theorists would like it to be.

Best regards,

Stephen Hsu
CEO and Chairman, SafeWeb, Inc. (www.safewebinc.com)
Professor of theoretical physics, University of Oregon (on leave of absence)


From: S
Date: 17 October 2001

What Zach White told you about SafeWeb's log retention is consistent with what their CEO, Stephen Hsu, said at DEF CON.

It's also in line with what's published in their privacy policy:

https://fugu.safeweb.com/sjws/priv_policy.html

https://fugu.safeweb.com/sjws/safeguard.html

https://fugu.safeweb.com/sjws/third_party.html

Everyone _did_ read their privacy policy before using their service, right?


From: SC
To: <jya@pipeline.com>
Date: Sun, 21 Oct 2001 00:47:53 -0400
Subject: I assume he meant that Safeweb was devoid of fact and technical merit.

I note with some satisfaction that the average internet user appears to accept the Safeweb brass' explanations of the questions that have been raised about their service. There are examples on Cryptome of this; several followed this post to kuro5hin.org.

Safeweb is a Fed Front (Internet)

By Crusader
Tue Oct 16th, 2001 at 07:28:46 AM EST

An enterprising Cryptome reader has discovered that the vaunted web privacy provider (already known to have CIA funding) Safeweb utilizes a Department of Defense server(s?) (anongo.com) as a proxy for user requests.

The whois record for anongo.com shows that it's owned by Safeweb's CEO, Jon Chun (who made a big deal out of the fact that he's Chinese-American, and hopes that his service would be used by Chinese nationals with censored web service in the PRC). The netblock for anongo.com belongs to the Network Information Center of the Department of Defense (215.*.*.*); a simple traceroute to anongo.com and nic.mil confirms that packets travel through the same routerspace to get to both destinations.

So what is Safeweb? A honey trap for people believing their web surfing can be carried out without prying eyes ("if you have nothing to hide, you shouldn't be worrying about us watching you")? A mini-Carnivore for users considered to be worth watching by the Federal government?

This fellow is then blasted by the next 20 posts by credulous surfers who believe the "215 was a typo" and "we have to keep our logs" responses.

Believe what you want: the data speak for themselves.

Anyone who feels that this investigation is "devoid of fact or technical merit" is simply slinging mud, and I will not dignify that comment with further engagement. Read the data. It's there for any and all to see, and to draw conclusions.

The "DNS typo" thing is what I find most bothersome. Their position on logs should raise eyebrows, but why will people not believe their eyes on the DOD relationship? Why does this not add up for more people?

To recap:

1.    We clearly have a traceroute from Oct. 13, 2001 showing anongo.com resolving to 215.104.228.114.

2.    We know that Safeweb had this removed from DNS on Oct. 16, 2001.

3.    We know that the 215.104.228.114 machine was advertising very similar services as the 216.104.228.114 machine on its ports up to and including Oct. 17, 2001.

4.    We know that the 215.104.228.114 machine is no longer offering any services on its ports as of Oct. 20, 2001.

But people are choosing to believe the "DNS typo" cover instead of looking at this data. Perhaps the article was too long... Perhaps a snappy "net bite" accusation is needed.

It looks very much to me that some traffic was being directed or redirected to VIENNA 215 to analyze the capabilities of a Squid proxy system to track and trace users; I think a time-striped playback system of log-correlation to server-cached files as an alternative to Carnivore is a very real possibility. Given the terror panic we currently see, Carnivore's packet capture by court order seems an inconvenient method when a mirror of user activity can be recorded with a modified Squid proxy build. All that would be required is a clocking routine to synchronize a log read with a display of cached pages. Carnivore captures packets; Squid actually caches all pages from all browser requests.

It also looks to me that the test phase of the design is over, and that traffic from Safeweb is not being assigned or split off to the VIENNA 215 box anymore. Cover is blown on this one, so shut it down. And this is not just a function of the record being wiped from DNS; that box was doing a bunch of stuff a few days ago, and someone stopped it. DNS has nothing to do with that. As I have mentioned, multiple IPs can answer a browser request for a page from domain.com. Five IPs answer microsoft.com. Those IPs are all load-balancing routers that transparently split requests to dozens of different machines, all providing the same home page and website. Two or more IPs could certainly have answered anongo.com requests, and may well be right now, redirecting those requests to any number of mirrored boxes at any number of locations providing the same page and providing ostensibly the same services, subject to undetectable modification. If anyone is really looking for something "devoid of fact and technical merit" they should reread the Safeweb explanations. This kind of glib, "here's what we do, now run along and go back to your Windows" condescension should really make us all suspicious. Whenever I am told, "We know, you don't" by IT people, I know what they mean is "We don't want you to know, so don't ask". I think for myself, and when it comes to this kind of stuff, I'm usually right.