Archive for the ‘Vulcan Mind Probes’ Category

Final Post

October 2, 2009

No – I’m not dead yet!!

This is a final post at Tigerstail.wordpress.com because I am tired of seeking knowledge and bitching about that which is. It is time to use my skills to develope the solutions to all of the problems I have discovered.

Join Me at jimmicap.wordpress.com

The FBI and Akamai

July 19, 2009

My friendly sales rep from my ISP reminded me that the FBI is on Akami and showed me a tracert from his office which described a perfectly normal Akamai connection. For those who don’t know, I have discussed this technology before and am very uncomfortable connecting to a services which delivers content to/from? multiple ports and from multiple different IP’s and servers.

I tried to explain to him how this intrastate connection was dramatically different from any I had ever seen or discussed.

I mean the following is a tracert to Whitehouse.gov which you would expect to be well protected and I really don’t want to believe the FBI protects themselves better than they protect our President.

C:\Documents and Settings\Compaq_Owner>tracert whitehouse.gov

Tracing route to whitehouse.gov [96.16.226.135]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.0.1
2 27 ms 36 ms 36 ms nn-gw.viaccess.net [66.185.42.1]
3 30 ms 28 ms 21 ms auto-66.185.32.49.choice.vi [66.185.32.49]
4 164 ms 50 ms 35 ms 12.124.80.161
5 90 ms 86 ms 326 ms gbr2.ormfl.ip.att.net [12.123.32.78]
6 84 ms 86 ms 86 ms cr2.ormfl.ip.att.net [12.122.1.62]
7 101 ms 137 ms 137 ms cr1.attga.ip.att.net [12.122.5.142]
8 94 ms 94 ms 122 ms cr2.wswdc.ip.att.net [12.122.1.174]
9 109 ms 86 ms 101 ms 12.122.134.97
10 * * 87 ms 192.205.35.114
11 168 ms 86 ms 87 ms po-3.r04.asbnva01.us.bb.gin.ntt.net [129.250.6.4
5]
12 94 ms 93 ms 94 ms 168.143.97.2
13 106 ms 152 ms 93 ms a96-16-226-135.deploy.akamaitechnologies.com [96
.16.226.135]

In fact, the tracert he presented to me was extremely similar but then he was a supervisor on the system with the FBI server and perhaps not yet a target.

Now my tracert for http://www.fbi.gov was simplicity itself.

C:\Documents and Settings\Compaq_Owner>tracert http://www.fbi.gov

Tracing route to a33.g.akamai.net [66.185.33.88]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.0.1
2 32 ms 36 ms 57 ms nn-gw.viaccess.net [66.185.42.1]
3 24 ms 28 ms 43 ms auto-66.185.33.88.wirelessworld.vi [66.185.33.88
]

Akamai technology is supposed to maximize the utilization of Internet recourses by having cache memory for popular sites at many locations with many different routes to minimize delivery time. Putting the FBI on every ISP in America as independent system server is a logistic nightmare and with less than 6000 customers for very small ISP’s like mine, this becomes a horribly inept way to accomplish the goal of maximizing resource utilization.
.
As noted by others in the literature back to 2001, many commercial product updates come from exactly the same IP number as the FBI, including many antivirus products, Java, Macromedia, Adobe and Microsoft. It’s also bothersome to me that while my computer is being updated on parallel paths, some of the connections are from the IP which is owned by the software company, and some are the same IP as used by the FBI. Linux users should not be smug as the same FBI IP’s can be found continuously connected to my Linux machines. It’s also bothersome that when I switch antivirus and antispyware systems the infections discovered which are incompatible with the new product will have the same names as minor files used by Adaware, Trend Micro, Nortan, Micrrosoft, Sun Java and Adobe.

In a dark sort of way, I have come to accept being spied upon because, it seems to keep me free from outside infections. Now when I bother to check, my spyware, adware or antivirus shows that my machine is perfectly clean although a change of products will always bring new discoveries of infected minor files from major vendors.

Searching for the FBI

July 17, 2009

During the course of the trial I lost three computers to shut down Trojans while researching the source of the shutdown Trojan for the contraband computer held in evidence. I also lost another computer when challenged by the prosecution to visit a particular page at Cert. Prior to this, the prosecution had me identified for the record even though my position was a researcher and not a witness. To say the Department of Justice was interacting with my computers during the course of the trial is an understatement.

Over the past two years ago, I discovered my computer constantly interacting with IP numbers which were owned by my ISP. Since Carnivore was known to be stationed at a local ISP, I made the incorrect assumption that I was being monitored by that program. As time passed, I noticed extremely aggressive behavior and if I went to a suspected Federal Honeypot, as many as 60-100 ports would be opened with connections to my ISP. This reproducible behavior occurred with Linux and both current versions of Windows. (XP and Vista). When using a live Linux cd , there were no connections on start-up and the connections occurred only after I went to a suspicious site.

While I assumed that these connections were the FBI, I had no way to prove it until I stumbled on it last week. Since, I assume I am already a person of interest, I run a periodic search for the location of internet spy rooms to find out who is being watched. It should be obvious that if they can monitor my internet traffic, they can also monitor web sites offering seditious material using the same splitter technology. The perfect tool to track my signal is of course Neotrace which unfortunately has security issues so I install a new copy daily and repeat my work and use different ISP connections to verify the results.

One thing I never checked was the path to http://www.FBI.gov until last week when I ran Neotrace. I was shocked to find I was only 3 jumps from The FBI which had the same ISP as the constant connections to my machine. I double checked it with the DOS traceroute command and find that this is part of akamai technology, but the loop never leaves the United States Virgin Islands unlike any other akamai served connections I’ve traced.

Moreover, the constant connections are through parallel iexplore.exe connections which are usually spyware and the same block of IP’s have been in use for two years. (The iexplore.exe connection exists even when using Firefox) The supporting experiment of using the DOS command, “netstat –ano” allows you to observe that a browser call for http://www.fbi.gov increases the number of connections to my machine but no other new IP numbers connect to deliver content or probe my machine (aside from possibly Google.)

Interestingly enough, since this connection is being made intrastate, it may not be clearly illegal. First, most people would not dwell on the connection or try to block it as it is part of their ISP service so most would never notice or complain. Next, the site is clearly an FBI location and delivers the FBI homepage locally which is not exactly a clandestine operation. Next, Federal laws governing wiretaps, Keystroke loggers, and Trojans regulate interstate traffic and Neotrace finds no link to anything beyond the United States Virgin Islands.

As an aside, I asked a friend to do a tracert to the FBI in New York City and consistent with my suspicions, the IP she got was 204.2.199.25 which Neotrace places in New York City. I would expect that most connections to the FBI are intrastate connections.

If this is the so called Magic Lantern or the euphemism beyond that, it has a lot more power than previously described and is not simply a key stroke logger. It has the power to shut down by altering video settings, by altering the window’s registry settings so windows appear counterfeit, or by destroying the motherboard. It can also interfere with posting on a blog, and sending emails and temporarily freezing the system at an inopportune time.

Check it out yourself.

In DOS use “tracert http://www.fbi.gov&#8221; or in Linux Counsol use “traceroute http://www.fbi.gov&#8221; to find the IP of the FBI server which would deliver content to you. (It’s the last IP listed.) Give me the IP you got for http://www.fbi.gov in the comment section and I’ll let you know where it is located.

Vista OOBE Sucks!

November 26, 2007

As an old marketing practitioner, OOBE is an acronym for Out Of Box Experience

Forget that Microsoft has hijacked the term to mean their start up programming that bores you to tears while describing all the new bells and whistles and telling you how great they are and how much you will love them. To me OOBE includes all those factory preset conditions that make your computer act the way it does. I Know that there has been much written about how to turn off or correct many of the nasty conditions I’ll describe but that’s not the point. The average user does not know how to change the registry or turn off processes and shouldn’t have to learn.

All my complaints deal with the fact that this operating system is a total mismatch for current equipment. The worst manifestation is that it is slow, slow, so very slow. When I wake up and go to my hibernating machine I don’t know what to expect when I tap the enter key. It might spring to life in a minute it might take five minutes, only the Vista Gods may have a clue. I have programmed my human self to tap a key to wake it up before I start my morning tea and go to the bathroom, then my trusty Vista machine will probably wake up before I’m finished my morning ritual.

Now when my XP machine takes more than 2-7 seconds to come to life the first thing I do is run “netstat -ano” to see who’s connected to my machine and what they are doing. Running “netstat -bv” identifies the processes and the executables involved in each process by the connection name (This doesn’t work as well in Vista).

When I try to quickly run the netstat command on Vista DOS, Vista plays a silly game of Simon Says where it asks me if I am truly the person who clicked to open DOS and it will not open it until I click yes. I mean I am operating as administrator with administrative privileges, what’s above that? When you get to your answer for your request, you have no way of knowing how many connections were made and broken while you were playing Simon Says or waiting for your machine to come out of hibernation.

My next task is to identify the processes which the IP’s are connected to and when I run Task Manager, it plays that silly game of Simon Says again invoking my administrative privilege to proceed and then the first answer is not complete. You have to click on a box that asks if you want to see the processes for all users. I mean, I’m supposed to be the administrator with full administrative privileges and there are no other users on the machine yet more processes are identified as being operated by “system”.

By the time you get full administrative privileges there is no way to get full knowledge. All this crap slows you down so much it is impossible to know what wasn’t captured.

There are ways to work around this unnecessary crap but then why should I have to?

VMP’s or Vile Machine Probes!

October 10, 2007

Over the past several blogs, I’ve been reporting on netstat as a tool to find out who is connecting to my machine. I assumed up until yesterday that all of the Microsoft connections were beneficial updates and not data mining excursions. Now I know different. I was using both netstat and X-netstat 5.1 and in addition to (198.65.147.194) which I reported on in three different posts (1, 2, 3), I decided to check the rest of the connections from some sites.

First, I went to fatsavage.wordpress.com and found the ever present carnivore which you really can’t do much about. In addition there was the wordpress-Akamai services, the Snap tool, Google statistics and ltdomains.com which is also related to WordPress. In addition, there were connections from unknown.level3.net and Panther Express which is a direct competitor of Akamai and certainly wasn’t invited by ether them or I

When I went to this site (Tigerstail.wordpress.com), there were two connections from unknown.level 3 and Panther Express was gone. I went to a fairly non confrontational site and nobody bothered to monitor me except Google stats which is everywhere. I than went to fatsavage.com, home of the Fatsavage Shitlist of Law Enforcement Honeypots, and netstat lit up like a meteorite self destructing over Tunguska.

There were the normal connections by my blog host and Amazon and most of them used multiple connections to speed up the content feed but nothing like Carnivore from my local ISP. It tapped into my machine on 63 different ports at the same time. This is like the previously described hitbot on speed and I’m sure it was looking for hashed kiddie porn pictures which would identify the visitor as a pedophile instead of a libertarian protesting domestic spying.

This is not the first time I’ve witnessed VMP. I caught one site connecting on over 100 ports but was so stunned that I wasn’t quick enough to catch it on a hard copy.

VMP stands for Vile Machine Probes but is a direct tribute to Dr. Spock and the technical capabilities of the Vulcan Mind Probe. Of course the original VMP’s were dangerous because there was always a sharing of information and also a chance of physical damage to the weaker species. The same is true today.

By the way, I use a Firefox Browser on a Windows XP machine with updated PCcillin anti-virus and firewall. Once your using a Windows operating system, it’s splitting hairs to argue about who has the best antivirus.