Interesting People mailing list archives
IP: U.S. DoD [seems to be djf] looking for pro-Sklyarov pages?
From: David Farber <dave () farber net>
Date: Wed, 29 Aug 2001 07:38:38 +1000
From: "mobythor" <mobythor () fuckmicrosoft com>
To: <farber () eff org>

U.S. DoD looking for pro-Sklyarov pages? (english)
by Mark Bialkowski 4:26pm Mon Aug 27 '01
mbialkowski () home com

For some reason, U.S. Department of Defense machines are searching the web for pages related to Dmitry Sklyarov, the latest victim of the DMCA. Webmasters: check your logs.

Early Sunday morning, long before dawn, I glanced through the results Webalizer pumped out for my Code Red-tainted web access logs. In the section on hits by region, there was a tiny chunk of hits from US military (.mil) hosts. Intrigued, I located the specific hostnames. Only two hosts accounted for the 47 recorded hits existing in my logs:

198.26.123.36 - BU-WCS1-KELLY.NIPR.MIL
198.26.123.37 - BU-WCS2-KELLY.NIPR.MIL

The best surprises were yet to come. Searching through my logs using the wonderful Unix tool grep for the aforementioned IPs produced the following results:

198.26.123.37 - - [02/Aug/2001:13:55:35 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"
198.26.123.37 - - [02/Aug/2001:13:55:35 -0400] "GET /adobe.html HTTP/1.0" 200 2121 "-" "Inktomi Search"
198.26.123.37 - - [02/Aug/2001:13:55:39 -0400] "GET /data/files/defcon.ppt HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [05/Aug/2001:14:27:19 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"
198.26.123.37 - - [05/Aug/2001:14:27:19 -0400] "GET /adobe.html HTTP/1.0" 200 2121 "-" "Inktomi Search"
198.26.123.37 - - [05/Aug/2001:14:47:36 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"
198.26.123.37 - - [05/Aug/2001:14:47:39 -0400] "GET /data/files/defcon.ppt HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [07/Aug/2001:15:25:47 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"
198.26.123.37 - - [07/Aug/2001:15:25:49 -0400] "GET /adobe.html HTTP/1.0" 200 2121 "-" "Inktomi Search"
198.26.123.37 - - [07/Aug/2001:16:16:32 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"
198.26.123.37 - - [07/Aug/2001:16:16:40 -0400] "GET /data/files/defcon.ppt HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [08/Aug/2001:15:57:56 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"
198.26.123.37 - - [08/Aug/2001:15:57:57 -0400] "GET /adobe.html HTTP/1.0" 200 2121 "-" "Inktomi Search"
198.26.123.36 - - [09/Aug/2001:16:33:12 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"
198.26.123.37 - - [09/Aug/2001:16:33:30 -0400] "GET /data/files/defcon.ppt HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.36 - - [09/Aug/2001:16:33:51 -0400] "GET /adobe.html HTTP/1.0" 200 2121 "-" "Inktomi Search"
198.26.123.37 - - [11/Aug/2001:20:34:28 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"
198.26.123.37 - - [11/Aug/2001:20:34:48 -0400] "GET /data/files/defcon.ppt HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [11/Aug/2001:20:35:11 -0400] "GET /adobe.html HTTP/1.0" 200 2121 "-" "Inktomi Search"
198.26.123.36 - - [11/Aug/2001:20:35:42 -0400] "GET /adobe.html HTTP/1.0" 200 2121 "-" "Inktomi Search"
198.26.123.37 - - [12/Aug/2001:20:55:59 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"
198.26.123.37 - - [12/Aug/2001:20:55:59 -0400] "GET /adobe.html HTTP/1.0" 200 2121 "-" "Inktomi Search"
198.26.123.37 - - [13/Aug/2001:20:35:36 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"
198.26.123.37 - - [13/Aug/2001:20:35:39 -0400] "GET /data/files/defcon.ppt HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [15/Aug/2001:23:11:59 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"
198.26.123.37 - - [15/Aug/2001:23:11:59 -0400] "GET /adobe.html HTTP/1.0" 200 2121 "-" "Inktomi Search"
198.26.123.37 - - [15/Aug/2001:23:12:04 -0400] "GET /data/files/defcon.ppt HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [15/Aug/2001:23:12:34 -0400] "GET /data/files/defcon.ppt HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [16/Aug/2001:23:27:13 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"
198.26.123.37 - - [16/Aug/2001:23:27:16 -0400] "GET /data/files/defcon.ppt HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [17/Aug/2001:23:41:10 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"
198.26.123.37 - - [17/Aug/2001:23:41:11 -0400] "GET /adobe.html HTTP/1.0" 200 2121 "-" "Inktomi Search"
198.26.123.37 - - [18/Aug/2001:23:47:39 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"
198.26.123.37 - - [18/Aug/2001:23:47:39 -0400] "GET /adobe.html HTTP/1.0" 200 2121 "-" "Inktomi Search"
198.26.123.37 - - [18/Aug/2001:23:47:42 -0400] "GET /data/files/defcon.ppt HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [18/Aug/2001:23:48:14 -0400] "GET /data/files/defcon.ppt HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [20/Aug/2001:00:03:21 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"
198.26.123.37 - - [20/Aug/2001:00:03:24 -0400] "GET /data/files/defcon.ppt HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [20/Aug/2001:23:56:37 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"
198.26.123.37 - - [20/Aug/2001:23:56:38 -0400] "GET /adobe.html HTTP/1.0" 200 2121 "-" "Inktomi Search"
198.26.123.37 - - [22/Aug/2001:00:11:04 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"
198.26.123.37 - - [22/Aug/2001:00:11:05 -0400] "GET /adobe.html HTTP/1.0" 200 2121 "-" "Inktomi Search"
198.26.123.37 - - [22/Aug/2001:00:11:10 -0400] "GET /data/files/defcon.ppt HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [24/Aug/2001:00:17:32 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"
198.26.123.37 - - [24/Aug/2001:00:17:33 -0400] "GET /adobe.html HTTP/1.0" 200 2128 "-" "Inktomi Search"
198.26.123.37 - - [24/Aug/2001:00:17:36 -0400] "GET /data/files/defcon.ppt HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [26/Aug/2001:00:19:19 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"

For the confused, each line above can be read as:

IP.address - - [Day/Month/Year:hour:minute:second -time zone] "File accessed" "-" "User agent"

NIPR.mil hosts weren't just spidering my site, they were specifically looking for three files:

  robots.txt, a file that, if it exists, tells web spiders what to avoid.
  adobe.html, my small page on the Dmitry Sklyarov arrest.
  defcon.ppt, my copy of Sklyarov's presentation on Adobe eBook "security"

The spiders completely ignored my copy of Adobe PDF Processor. I don't know why. For more info on Dmitry Sklyarov, see freesklyarov.org, and keep in mind the known players in that case; Adobe and the Department of Justice.

Further research through my four weeks of back logs showed those two machines to be the only ones with "Inktomi Search" user agents. Inktomi "develops and markets network infrastructure software essential for global enterprises and service providers." [1] Government organizations currently using Inktomi's products include "Argonne National Laboratory, Federal Communications Commission (FCC), Library of Congress, National Oceanic and Atmospheric Administration (NOAA), a division of the U.S. Department of Commerce, the U.S. Department of Energy, U.S. Department of Veterans Affairs, and the U.S Department of Agriculture [...] U.S. Department of State, U.S. Department of the Interior, U.S. Department of Commerce, U.S. Department of Transportation, U.S. Department of Education, U.S. Department of the Navy and the Executive Office of the President." [2]

NIPR belongs to none of the above groups. NIPR.mil is the Network Operations Center for the U.S. Department of Defense, a division of the Defense Information Systems Agency. [3] The particular machines that my spider hits came from are housed at Kelly AFB in Texas. [4]

All of this leads to a single question... why are Department of Defense computers being used to search for pages on the Sklyarov/Adobe case and Sklyarov's presentation?

I encourage webmasters hosting pages about Dmitry, and copies of the PowerPoint presentation, to check their logs for hits from the 198.25.0.0 - 198.26.255.255 netblock; this is the block controlled by NIPR. I'm specifically interested in hits from Inktomi Search spiders, looking for files related to Sklyarov. I want to find out how widespread this activity is, and I intend to find out for what purpose this searching is taking place.

-Mark Bialkowski

[1] Inktomi's front page
[2] Press release: "Inktomi Delivers Award-Winning Search Technology to Government Organizations," Aug. 20, 2001
[3] http://www.carnicom.com, "NIPR Activity Increases"
[4] Information from tin.nu WHOIS server gateway
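The log check the post asks webmasters to run, as an added example that is not part of the original message: it filters an Apache combined-format access log for requests from the 198.25.0.0 - 198.26.255.255 range that carry the "Inktomi Search" user agent, and counts them per client and path. The function names and the sample lines are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import Counter

# The post gives the range 198.25.0.0 - 198.26.255.255. It is not one CIDR
# block, so let ipaddress split it into the networks that cover it exactly.
NETS = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("198.25.0.0"),
    ipaddress.ip_address("198.26.255.255")))

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def in_block(host):
    """True if host is an IP literal inside the range named in the post."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # log written with resolved hostnames, not addresses
    return any(addr in net for net in NETS)

def spider_hits(lines, agent="Inktomi Search"):
    """Count (client, path) pairs for in-range requests sent with `agent`."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if m and m["agent"] == agent and in_block(m["host"]):
            hits[(m["host"], m["path"])] += 1
    return hits

# Constructed sample: three lines in the format shown in the post, an
# out-of-range spider, an in-range browser, and a malformed line.
SAMPLE = [
    '198.26.123.37 - - [02/Aug/2001:13:55:35 -0400] "GET /adobe.html HTTP/1.0" 200 2121 "-" "Inktomi Search"',
    '198.26.123.37 - - [05/Aug/2001:14:27:19 -0400] "GET /adobe.html HTTP/1.0" 200 2121 "-" "Inktomi Search"',
    '198.26.123.36 - - [09/Aug/2001:16:33:12 -0400] "GET /robots.txt HTTP/1.0" 404 337 "-" "Inktomi Search"',
    '192.0.2.10 - - [09/Aug/2001:17:00:00 -0400] "GET /adobe.html HTTP/1.0" 200 2121 "-" "Inktomi Search"',
    '198.25.4.4 - - [10/Aug/2001:09:00:00 -0400] "GET /adobe.html HTTP/1.0" 200 2121 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    'truncated or corrupt line',
]

if __name__ == "__main__":
    for (host, path), n in sorted(spider_hits(SAMPLE).items()):
        print(f"{n:3d}  {host}  {path}")
```

If the server logs resolved hostnames instead of addresses, `in_block` skips those lines, so run it against a log written with hostname lookups disabled.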
For archives see: http://www.interesting-people.org/