Jun 29

Wired has an article showing traceroute output that, it claims, reveals the NSA wiretap in San Francisco. I did the same traceroute to nsa.gov from New York City and have a strangely similar line in my output.

From the Wired post:

If you’re a Windows user, fire up an MS-DOS command prompt. Now type tracert followed by the domain name of the website, e-mail host, VoIP switch, or whatever destination you’re interested in. Watch as the program spits out your route, line by line.

C:\> tracert nsa.gov

1 2 ms 2 ms 2 ms [12.110.110.204]
[...]
7 11 ms 14 ms 10 ms as-0-0.bbr2.SanJose1.Level3.net [64.159.0.218]
8 13 12 19 ms ae-23-56.car3.SanJose1.Level3.net [4.68.123.173]
9 18 ms 16 ms 16 ms [192.205.33.17]
10 88 ms 92 ms 91 ms tbr2-p012201.sffca.ip.att.net [12.123.13.186]
11 88 ms 90 ms 88 ms tbr1-cl2.sl9mo.ip.att.net [12.122.10.41]
12 89 ms 97 ms 89 ms tbr1-cl4.wswdc.ip.att.net [12.122.10.29]
13 89 ms 88 ms 88 ms ar2-a3120s6.wswdc.ip.att.net [12.123.8.65]
14 102 ms 93 ms 112 ms [12.127.209.214]
15 94 ms 94 ms 93 ms [12.110.110.13]
16 * * *
17 * * *
18 * *

In the above example, my traffic is jumping from Level 3 Communications to AT&T’s network in San Francisco, presumably over the OC-48 circuit that AT&T tapped on February 20th, 2003, according to the Klein docs.

The magic string you’re looking for is sffca.ip.att.net. If it’s present immediately above or below a non-att.net entry, then — by Klein’s allegations — your packets are being copied into room 641A, and from there, illegally, to the NSA.

Now here is MY output from NYC:


PB-G4-17:~ patrick$ sudo traceroute whitehouse.gov
traceroute to nsa.gov (63.161.169.137), 64 hops max, 40 byte packets

1 * * *
[...]
5 pos3-0.nycmnyg-rtr1.nyc.rr.com (24.29.101.201)
6 pos0 (24.29.98.5)
7 24.29.97.25 (24.29.97.25)
8 so-7-1.car2.weehawken1.level3.net (63.208.104.41)
9 ge-7-0-0.mp1.weehawken1.level3.net (4.68.125.137)
10 so-4-2-0.bbr1.newyork1.level3.net (64.159.1.65)
11 ae-13-55.car3.newyork1.level3.net (4.68.97.146)
12 192.205.33.93 (192.205.33.93)
13 tbr2-p032301.n54ny.ip.att.net (12.123.3.110)
14 gbr5-p40.n54ny.ip.att.net (12.122.11.26)
15 12.123.214.57 (12.123.214.57)
16 12.126.221.90 (12.126.221.90)
17 12.110.110.132 (12.110.110.132)
18 * * *
19 * * *
20 * * *

Is this actually evidence of the NSA tapping the internet?

I guess it really comes down to the fact that these are traceroutes to nsa.gov and we may just be seeing the routing to that network. I don’t see this node when I traceroute any other address.
Here is my traceroute to whitehouse.gov:


PB-G4-17:~ patrick$ sudo traceroute whitehouse.gov
traceroute to whitehouse.gov (63.161.169.137), 64 hops max, 40 byte packets

1 * * *
[...]
5 pos3-0.nycmnyg-rtr1.nyc.rr.com (24.29.101.201)
6 pos0 (24.29.98.5)
7 24.29.97.25 (24.29.97.25)
8 so-7-1.car2.weehawken1.level3.net (63.208.104.41)
9 ge-7-0-0.mp1.weehawken1.level3.net (4.68.125.137)
10 so-4-2-0.bbr1.newyork1.level3.net (64.159.1.65)
11 ge-6-0-0-55.gar3.newyork1.level3.net (4.68.97.132)
12 4.68.110.70 (4.68.110.70)
13 sl-bb23-pen-4-0-0.sprintlink.net (144.232.20.123)
14 sl-bb22-pen-14-0.sprintlink.net (144.232.8.178)
15 sl-bb21-pen-15-0.sprintlink.net (144.232.16.29)
16 sl-bb23-rly-0-0.sprintlink.net (144.232.20.32)
17 sl-gw19-rly-10-0.sprintlink.net (144.232.14.42)
18 sl-fema-1-0.sprintlink.net (144.232.184.78)
19 205.160.212.222 (205.160.212.222)

I certainly don’t profess to be an internet routing guru so you’ll have to decide for yourself.
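As an added example (not code from this post or from the Wired article), the following Python script parses traceroute output in both formats shown above (Windows tracert with `name [ip]` and the macOS/BSD traceroute with `name (ip)`), applies the Wired heuristic exactly as quoted (a hop whose name contains `sffca.ip.att.net` sitting immediately above or below a hop that is not under att.net), and does the comparison I did by hand above: which networks a route crosses that another route to a different destination does not. The sample hops are constructed from the output in this post; a hop with no reverse DNS is treated as "not att.net", since the heuristic only looks at the name, and the script is an assumption about how one would mechanise the check, not a way to tell whether any splitter exists on the path.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed samples, taken from the hops shown in this post.
WIRED_TRACERT = """\
 7 11 ms 14 ms 10 ms as-0-0.bbr2.SanJose1.Level3.net [64.159.0.218]
 8 13 12 19 ms ae-23-56.car3.SanJose1.Level3.net [4.68.123.173]
 9 18 ms 16 ms 16 ms [192.205.33.17]
10 88 ms 92 ms 91 ms tbr2-p012201.sffca.ip.att.net [12.123.13.186]
11 88 ms 90 ms 88 ms tbr1-cl2.sl9mo.ip.att.net [12.122.10.41]
16 * * *
"""
NYC_NSA = """\
traceroute to nsa.gov (63.161.169.137), 64 hops max, 40 byte packets
 5 pos3-0.nycmnyg-rtr1.nyc.rr.com (24.29.101.201)
11 ae-13-55.car3.newyork1.level3.net (4.68.97.146)
12 192.205.33.93 (192.205.33.93)
13 tbr2-p032301.n54ny.ip.att.net (12.123.3.110)
14 gbr5-p40.n54ny.ip.att.net (12.122.11.26)
15 12.123.214.57 (12.123.214.57)
18 * * *
"""
NYC_WHITEHOUSE = """\
 5 pos3-0.nycmnyg-rtr1.nyc.rr.com (24.29.101.201)
11 ge-6-0-0-55.gar3.newyork1.level3.net (4.68.97.132)
12 4.68.110.70 (4.68.110.70)
13 sl-bb23-pen-4-0-0.sprintlink.net (144.232.20.123)
18 sl-fema-1-0.sprintlink.net (144.232.184.78)
19 205.160.212.222 (205.160.212.222)
"""

# Matches "[1.2.3.4]" (tracert) or "(1.2.3.4)" (traceroute).
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


@dataclass
class Hop:
    number: int
    host: Optional[str]   # None when the hop has no reverse DNS or timed out
    ip: Optional[str]     # None when the hop timed out ("* * *")

    def network(self) -> str:
        """Coarse owner label: the last two DNS labels, or '?' when unknown."""
        if not self.host or "." not in self.host:
            return "?"
        return ".".join(self.host.lower().split(".")[-2:])


def parse_traceroute(text: str) -> List[Hop]:
    """Parse tracert/traceroute output; header and blank lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s", line)
        if not m:
            continue
        number = int(m.group(1))
        ipm = IP_RE.search(line)
        if not ipm:
            hops.append(Hop(number, None, None))   # timeout row
            continue
        ip = ipm.group(1)
        before = line[:ipm.start()].split()
        host = before[-1] if before else None
        # The token before the address is the name only if it is not an RTT
        # unit, the hop counter, or the bare address repeated.
        if host is None or host == "ms" or host == ip or host.isdigit():
            host = None
        hops.append(Hop(number, host, ip))
    return hops


def wired_hits(hops: List[Hop], marker: str = "sffca.ip.att.net") -> List[Tuple[int, int]]:
    """The Wired heuristic: marker hop adjacent to a hop not under att.net.
    Returns (marker hop, neighbouring hop) pairs."""
    hits = []
    for i, hop in enumerate(hops):
        if not hop.host or marker not in hop.host.lower():
            continue
        for j in (i - 1, i + 1):
            if 0 <= j < len(hops):
                nb = hops[j]
                if not (nb.host and nb.host.lower().endswith("att.net")):
                    hits.append((hop.number, nb.number))
    return hits


def transit_networks(hops: List[Hop]) -> List[str]:
    """Ordered, de-duplicated list of named networks the route crosses."""
    return list(dict.fromkeys(h.network() for h in hops if h.network() != "?"))


def networks_only_in(a: List[Hop], b: List[Hop]) -> List[str]:
    """Networks crossed by route a that route b never touches."""
    return [n for n in transit_networks(a) if n not in transit_networks(b)]


if __name__ == "__main__":
    print("Wired hits:", wired_hits(parse_traceroute(WIRED_TRACERT)))
    nsa, wh = parse_traceroute(NYC_NSA), parse_traceroute(NYC_WHITEHOUSE)
    print("NYC nsa.gov hits:", wired_hits(nsa))
    print("only on nsa.gov route:", networks_only_in(nsa, wh))
    print("only on whitehouse.gov route:", networks_only_in(wh, nsa))
```

Run against the samples, the Wired route produces one hit (hop 10 next to the unnamed hop 9), the NYC route to nsa.gov produces none because its AT&T hops are in the n54ny POP rather than sffca, and the route comparison shows att.net only on the nsa.gov path and sprintlink.net only on the whitehouse.gov path, which is what the two outputs above show by eye. All the check can establish is which carrier's router a path crossed; the hop name says nothing about what is attached to the fibre behind it.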


patrick.ainge.com