[free-sklyarov] U.S. DoD [seems to be djf] looking for pro-Sklyarov pages?

Rick Moen rick at linuxmafia.com
Tue Aug 28 15:06:38 PDT 2001 

Maybe I should ask the DoD if they have a recent cached copy of my
http://linuxmafia.com/~rick/dmitry-lnks textfile, since the best I
could find in recovering from my 35GB HD meltdown was Google's cached
copy from early July.  ;->

Seriously, if anyone happens to have a more-recent copy, I'd appreciate
getting it back.



(Subsequent forwards snipped; text cleaned up a bit.)

From: "mobythor" <mobythor at fuckmicrosoft.com>
To: <farber at eff.org>

U.S. DoD looking for pro-Sklyarov pages? 
(english)
by Mark Bialkowski
4:26pm Mon Aug 27 '01
<mailto:mbialkowski at home.com>mbialkowski at home.com

For some reason, U.S. Department of Defense machines are searching the web 
for pages related to Dmitry Sklyarov, the latest victim of the 
DMCA.  Webmasters: check your logs.

Early Sunday morning, long before dawn, I glanced through the results 
Webalizer pumped out for my Code Red-tainted Web access logs. In the 
section on hits by region, there was a tiny chunk of hits from US military 
(.mil) hosts.  Intrigued, I located the specific hostnames. Only two hosts 
accounted for the 47 recorded hits existing in my logs:


198.26.123.36 - BU-WCS1-KELLY.NIPR.MIL

198.26.123.37 - BU-WCS2-KELLY.NIPR.MIL
The best surprises were yet to come.  Searching through my logs using the 
wonderful Unix tool grep for the aforementioned IPs produced the following 
results:

198.26.123.37 - - [02/Aug/2001:13:55:35 -0400] "GET /robots.txt HTTP/1.0" 
404 337 "-" "Inktomi Search"
198.26.123.37 - - [02/Aug/2001:13:55:35 -0400] "GET /adobe.html HTTP/1.0" 
200 2121 "-" "Inktomi Search"
198.26.123.37 - - [02/Aug/2001:13:55:39 -0400] "GET /data/files/defcon.ppt 
HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [05/Aug/2001:14:27:19 -0400] "GET /robots.txt HTTP/1.0" 
404 337 "-" "Inktomi Search"
198.26.123.37 - - [05/Aug/2001:14:27:19 -0400] "GET /adobe.html HTTP/1.0" 
200 2121 "-" "Inktomi Search"
198.26.123.37 - - [05/Aug/2001:14:47:36 -0400] "GET /robots.txt HTTP/1.0" 
404 337 "-" "Inktomi Search"
198.26.123.37 - - [05/Aug/2001:14:47:39 -0400] "GET /data/files/defcon.ppt 
HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [07/Aug/2001:15:25:47 -0400] "GET /robots.txt HTTP/1.0" 
404 337 "-" "Inktomi Search"
198.26.123.37 - - [07/Aug/2001:15:25:49 -0400] "GET /adobe.html HTTP/1.0" 
200 2121 "-" "Inktomi Search"
198.26.123.37 - - [07/Aug/2001:16:16:32 -0400] "GET /robots.txt HTTP/1.0" 
404 337 "-" "Inktomi Search"
198.26.123.37 - - [07/Aug/2001:16:16:40 -0400] "GET /data/files/defcon.ppt 
HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [08/Aug/2001:15:57:56 -0400] "GET /robots.txt HTTP/1.0" 
404 337 "-" "Inktomi Search"
198.26.123.37 - - [08/Aug/2001:15:57:57 -0400] "GET /adobe.html HTTP/1.0" 
200 2121 "-" "Inktomi Search"
198.26.123.36 - - [09/Aug/2001:16:33:12 -0400] "GET /robots.txt HTTP/1.0" 
404 337 "-" "Inktomi Search"
198.26.123.37 - - [09/Aug/2001:16:33:30 -0400] "GET /data/files/defcon.ppt 
HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.36 - - [09/Aug/2001:16:33:51 -0400] "GET /adobe.html HTTP/1.0" 
200 2121 "-" "Inktomi Search"
198.26.123.37 - - [11/Aug/2001:20:34:28 -0400] "GET /robots.txt HTTP/1.0" 
404 337 "-" "Inktomi Search"
198.26.123.37 - - [11/Aug/2001:20:34:48 -0400] "GET /data/files/defcon.ppt 
HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [11/Aug/2001:20:35:11 -0400] "GET /adobe.html HTTP/1.0" 
200 2121 "-" "Inktomi Search"
198.26.123.36 - - [11/Aug/2001:20:35:42 -0400] "GET /adobe.html HTTP/1.0" 
200 2121 "-" "Inktomi Search"
198.26.123.37 - - [12/Aug/2001:20:55:59 -0400] "GET /robots.txt HTTP/1.0" 
404 337 "-" "Inktomi Search"
198.26.123.37 - - [12/Aug/2001:20:55:59 -0400] "GET /adobe.html HTTP/1.0" 
200 2121 "-" "Inktomi Search"
198.26.123.37 - - [13/Aug/2001:20:35:36 -0400] "GET /robots.txt HTTP/1.0" 
404 337 "-" "Inktomi Search"
198.26.123.37 - - [13/Aug/2001:20:35:39 -0400] "GET /data/files/defcon.ppt 
HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [15/Aug/2001:23:11:59 -0400] "GET /robots.txt HTTP/1.0" 
404 337 "-" "Inktomi Search"
198.26.123.37 - - [15/Aug/2001:23:11:59 -0400] "GET /adobe.html HTTP/1.0" 
200 2121 "-" "Inktomi Search"
198.26.123.37 - - [15/Aug/2001:23:12:04 -0400] "GET /data/files/defcon.ppt 
HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [15/Aug/2001:23:12:34 -0400] "GET /data/files/defcon.ppt 
HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [16/Aug/2001:23:27:13 -0400] "GET /robots.txt HTTP/1.0" 
404 337 "-" "Inktomi Search"
198.26.123.37 - - [16/Aug/2001:23:27:16 -0400] "GET /data/files/defcon.ppt 
HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [17/Aug/2001:23:41:10 -0400] "GET /robots.txt HTTP/1.0" 
404 337 "-" "Inktomi Search"
198.26.123.37 - - [17/Aug/2001:23:41:11 -0400] "GET /adobe.html HTTP/1.0" 
200 2121 "-" "Inktomi Search"
198.26.123.37 - - [18/Aug/2001:23:47:39 -0400] "GET /robots.txt HTTP/1.0" 
404 337 "-" "Inktomi Search"
198.26.123.37 - - [18/Aug/2001:23:47:39 -0400] "GET /adobe.html HTTP/1.0" 
200 2121 "-" "Inktomi Search"
198.26.123.37 - - [18/Aug/2001:23:47:42 -0400] "GET /data/files/defcon.ppt 
HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [18/Aug/2001:23:48:14 -0400] "GET /data/files/defcon.ppt 
HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [20/Aug/2001:00:03:21 -0400] "GET /robots.txt HTTP/1.0" 
404 337 "-" "Inktomi Search"
198.26.123.37 - - [20/Aug/2001:00:03:24 -0400] "GET /data/files/defcon.ppt 
HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [20/Aug/2001:23:56:37 -0400] "GET /robots.txt HTTP/1.0" 
404 337 "-" "Inktomi Search"
198.26.123.37 - - [20/Aug/2001:23:56:38 -0400] "GET /adobe.html HTTP/1.0" 
200 2121 "-" "Inktomi Search"
198.26.123.37 - - [22/Aug/2001:00:11:04 -0400] "GET /robots.txt HTTP/1.0" 
404 337 "-" "Inktomi Search"
198.26.123.37 - - [22/Aug/2001:00:11:05 -0400] "GET /adobe.html HTTP/1.0" 
200 2121 "-" "Inktomi Search"
198.26.123.37 - - [22/Aug/2001:00:11:10 -0400] "GET /data/files/defcon.ppt 
HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [24/Aug/2001:00:17:32 -0400] "GET /robots.txt HTTP/1.0" 
404 337 "-" "Inktomi Search"
198.26.123.37 - - [24/Aug/2001:00:17:33 -0400] "GET /adobe.html HTTP/1.0" 
200 2128 "-" "Inktomi Search"
198.26.123.37 - - [24/Aug/2001:00:17:36 -0400] "GET /data/files/defcon.ppt 
HTTP/1.0" 200 139776 "-" "Inktomi Search"
198.26.123.37 - - [26/Aug/2001:00:19:19 -0400] "GET /robots.txt HTTP/1.0" 
404 337 "-" "Inktomi Search"

For the confused, each line above can be read as:
IP.address - - [Day/Month/Year:hour:minute:second -time zone] "File 
accessed" "-" "User agent"

NIPR.mil hosts weren't just spidering my site, they were specifically 
looking for three files:

  robots.txt, a file that, if it exists, tells Web spiders what to avoid.
  adobe.html, my small page on the Dmitry Sklyarov arrest.
  defcon.ppt, my copy of Sklyarov's presentation on Adobe eBook "security"

The spiders completely ignored my copy of Adobe PDF Processor.  I don't 
know why.

For more info on Dmitry Sklyarov, see freesklyarov.org, and keep in mind 
the known players in that case; Adobe and the Department of Justice.

Further research through my four weeks of back logs showed those two 
machines to be the only ones with "Inktomi Search" user agents. Inktomi 
"develops and markets network infrastructure software essential for global 
enterprises and service providers." [1]  Government organizations 
currently using Inktomi's products include "Argonne National Laboratory, 
Federal Communications Commission (FCC), Library of Congress, National 
Oceanic and Atmospheric Administration (NOAA), a division of the U.S. 
Department of Commerce, the U.S. Department of Energy, U.S. Department of 
Veterans Affairs, and the U.S Department of Agriculture [...] U.S. 
Department of State, U.S. Department of the Interior, U.S. Department of 
Commerce, U.S. Department of Transportation, U.S. Department of Education, 
U.S. Department of the Navy and the Executive Office of the President." [2]

NIPR belongs to none of the above groups.  NIPR.mil is the Network 
Operations Center for the U.S. Department of Defense, a division of the 
Defense Information Systems Agency. [3]  The particular machines that my 
spider hits came from are housed at Kelly AFB in Texas. [4]

All of this leads to a single question... why are Department of Defense 
computers being used to search for pages on the Sklyarov/Adobe case and 
Sklyarov's presentation?

I encourage webmasters hosting pages about Dmitry, and copies of the 
PowerPoint presentation, to check their logs for hits from the 198.25.0.0 
- 198.26.255.255 netblock; this is the block controlled by NIPR.  I'm 
specifically interested in hits from Inktomi Search spiders, looking for 
files related to Sklyarov.  I want to find out how widespread this 
activity is, and I intend to find out for what purpose this searching is 
taking place.

-Mark Bialkowski


[1] Inktomi's front page
[2] Press release: "Inktomi Delivers Award-Winning Search Technology to 
    Government Organizations," Aug. 20, 2001
[3] <http://www.carnicom.com>www.carnicom.com, "NIPR Activity Increases"
[4] Information from tin.nu WHOIS server gateway

For archives see: http://www.interesting-people.org/

More information about the Free-sklyarov mailing list