Today I was looking at a post at cryptome.org that shows all the IP addresses controlled by or somehow affiliated with the NSA. I had seen previous versions of this post and at first glance it seemed like someone did a lot of work to gather all of that detailed info. So today I was browsing through the latest update of this list and started to get suspicious of the content.

Seeing the sheer number of addresses and that there was no apparent basis for selecting which IP addresses made the list, I set out to prove that this guy was either just some conspiracy nut or this whole list was nothing more than a hoax. I extracted all the IP address ranges from the document, sorted them, and compared them to the list of IANA’s IPv4 assignments. It turns out that NSA list includes most of the allocated IPv4 address space with the exception of 15 or so class A and a few dozen class B networks.

But what caught my interest were the first two class A networks that didn’t even appear on the list:

• 029/8 Jul 91 Defense Information Systems Agency
• 034/8 Mar 93 Halliburton Company

I thought it was very strange that someone would go through that much trouble to build this list and happen to miss the entire 29/8 block assigned to DISA. And if there was any conspiracy that a company was working for the NSA, I’d definitely choose Haliburton over some of the other companies–such as Apple Computer or Amazon.com–on the list.

So digging deeper, I checked out some of the other class A ranges that didn’t make it. It turns out that several of the ranges not on the list, while assigned to various registries, weren’t actually in use so I crossed those out. From the ranges that remained, I found some to be very interesting:

130/8 see ftp://ftp.arin.net/pub/zones/130-ARIN (pentagon.mil, navy.mil, af.mil, army.mil, and some .gov’s)
131/8 see ftp://ftp.arin.net/pub/zones/131-ARIN (many .mil and .gov’s)
132/8 see ftp://ftp.arin.net/pub/zones/132-ARIN (many .mil and .gov’s)
135/8 see ftp://ftp.arin.net/pub/zones/135-ARIN (Lucent, AT&T, see http://w2.eff.org/legal/cases/att/faq.php)
138/8 see ftp://ftp.arin.net/pub/zones/138-ARIN (many .mil and .gov’s)

I found it very interesting that of the class A networks not listed at cryptome, that most of them had some US military, government, or other corporate connection with the NSA.

So that leaves us with one of three possibilities here:

1. The author of the list compiled, and updates, a 300k document that lists most of the assigned IPv4 address space as NSA-controlled but failed to list something so obvious as IP addresses owned by pentagon.mil and DISA. I find that hard to believe. And if this was just a mistake, that means he needs to add these to his list and therefore the list is pretty much the whole Internet so why even bother with a list?

2. The author of the list compiled, and updates, a 300k document accusing most of the world (including Iran and China) of being involved with the NSA but purposely left off all the .mil and .gov networks as a hoax (and the post office wants to charge 5 cents for every e-mail you send).

3. The NSA itself published this list as an attempt, knowing us paranoid internet people, to provide misinformation by listing pretty much every IP address but their own. I doubt someone would claim that as a clever way for the NSA to hide their own IP addresses, but it could very well be a way to discredit cryptome. You know, the NSA also controls hushmail and Windows smartphones.

If the purpose here was to ambush the credibility of cryptome.org, it certainly is working. Now when I see amazing headlines but then I see they link to cryptome I get something like theonion effect (wow really? oh… its theonion). If they continue to post these absurd posts based on nothing but claims from an anonymous poster, they will lose credibility fast.

So was the author incompetent? Is it a hoax? Or is it some NSA counterintelligence ploy? I really couldn’t say. But I am getting tired of everyone linking to cryptome’s posts as a source of news.

Related posts

• No related posts.