
Ph'nglui mglw'nafh Cthulhu R'lyeh wagn'nagl fhtagn ("In his house at R'lyeh dead Cthulhu waits dreaming."). --HP Lovecraft, The Call of Cthulhu

The stars hath turned in the heavens once more: Mighty Cthulhu stirs. His dreams reacheth forth, communing with those with ears to hear. Iä! Shub-Niggurath! His thoughts trample down along the pathways of thy mind; thou knowest His footprints, each of which is a wound...

Friday, May 28, 2004



Are These People Supposed to be Protecting US?

A funny thing happened in my traffic log: I saw a visit from CIFA.mil. Now those of you who pay attention to these things know that a visit from nipr.mil is something to raise an eyebrow over. But what is this CIFA thingy?

Well, after a quick Google search, I found this site:

The Defense Counterintelligence Field Activity (CIFA) is a transformation initiative created to lead the development of a “to-the-edge” counterintelligence system for the Department of Defense...with the ultimate goal of detecting and neutralizing the many different forms of espionage regularly conducted against the United States by terrorists, foreign intelligence services and other covert and clandestine groups


Interesting...but not to worry. After all, there's nothing on this blog that the DoD should be concerned over (although individual members may not like what I say about ShrubCo™). Still, I was more curious about CIFA than they were about me, and looky what I found:



Now there's three interesting things here:
1) The visitor wasn't on for more than a second--just long enough to figure out that they weren't where they wanted to be.
2) They were doing a Google search for "individual ready reserves" chat, and
3) They were sloppy enough to leave both a domain name and an IP address.


The problem with seeking information is that you often give away information at the same time, and usually without even realizing it. For instance, in back-tracking this, I've revealed that I know a little bit about the internet.
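An added example, not part of the original post: the three observations above (visit length, search terms, host name or address) can all be read out of an ordinary access log. The log lines, host names and addresses below are constructed, and the code assumes Apache "combined" format with hostname lookups enabled.

```python
import re
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache "combined" format (not the post's real log).
# The first field is the resolved hostname, or the bare IP when it did not resolve.
SAMPLE_LOG = '''\
gw1.example.org - - [28/May/2004:09:14:07 -0400] "GET /2004/05/irr.html HTTP/1.1" 200 5120 "http://www.google.com/search?q=%22individual+ready+reserves%22+chat&start=20" "Mozilla/4.0"
gw1.example.org - - [28/May/2004:09:14:08 -0400] "GET /style.css HTTP/1.1" 200 812 "http://blog.example.net/2004/05/irr.html" "Mozilla/4.0"
192.0.2.44 - - [28/May/2004:10:02:30 -0400] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/4.0"
'''

LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def search_terms(referrer):
    """Return the q= value carried in a referrer URL, or None if there is none."""
    url = urlparse(referrer)
    if not url.netloc:          # "-" or an empty referrer
        return None
    q = parse_qs(url.query).get("q")
    return q[0] if q else None

def summarize(log_text):
    """Group hits by client; report visit length and any search terms leaked."""
    visits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # skip malformed lines rather than guessing
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        v = visits.setdefault(m["host"], {"first": ts, "last": ts, "searches": []})
        v["first"], v["last"] = min(v["first"], ts), max(v["last"], ts)
        terms = search_terms(m["ref"])
        if terms:
            v["searches"].append(terms)
    return {
        host: {"seconds": int((v["last"] - v["first"]).total_seconds()),
               "searches": v["searches"]}
        for host, v in visits.items()
    }

if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOG).items():
        print(host, info)
```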

And what did my (brief) visitor reveal?

First, they're interested in "chats" involving the "individual ready reserve". It was prolly this post that google tripped over. It's the place on the Clark blog on which I sometimes mirror articles. The original is just below. It's the 24th entry on Google, so this visitor was doing a bit of searching for their "chat".

The second thing I was able to deduce from this was that they were looking for something pretty specific. If they wanted to see what us "dirty librul" bloggers were writing about the IRR, they would've stayed longer. (Of course, I can't track stats on the Clark blog, so perhaps they read their fill there--but I think that if they were that interested, they would have vetted the rest of my blog just in case.)

The third thing I found was the funnest part of all. Look what happens when you do a "whois" on the IP pool:



Oh...why...hellooooo...Look, everyone: It's our old friends at nipr! Wave hello, everyone!

For those of you who are wondering, nipr.mil is the server domain that is supposed to act as a proxy for various gov't intel services when they access the internet. As Bhopal.net says:

"Nipr.mil is not a single domain but a hush-hush web proxy that acts as a gateway for hundreds of U.S. military domains in order to hide their identities. It was established by the Defense Information Systems Agency (DISA) in response to a memorandum (CM-5 1099, INFOCOM) issued in March 1999 by the Chairman of the Joint Chiefs of Staff, calling for "actions to be taken to increase the readiness posture for Information Warfare." "Uncontrolled Internet connections," the document says, "pose a significant and unacceptable threat to all Department of Defense information systems and operations."


There is also this entry at Not Bored:

The "NIPRNET," the Unclassified but Sensitive Internet Protocol Router Network (formerly called the Non-secure Internet Protocol Router Net), is a network of Internet protocol routers owned by the Department of Defense (DOD). Created by the Defense Information Systems Agency (DISA), NIPRNET is used to exchange unclassified but sensitive information between "internal" users. It can thus be distinguished from the Secret Internet Protocol Router Network (SIPRNET), which is used by the DOD to exchange classified information in a totally secure environment. NIPRNET is also increasingly used by the DOD to allow its personnel to gain access to the Internet without leaving their own computers open to "reverse entry" by hackers, foreign militaries, terrorists, etc etc.


Without donning my tinfoil hat, I think it's safe to say that some DoD employee, one of the only 400 working for CIFA, was curious about current events with the IRR, and that's about it.

But what bothers me is that CIFA shows up when it's supposed to be hidden behind nipr.mil, and that nipr shows up when it's supposed to be a proxy. Haven't these people heard of public proxy servers? It's not as if the domain nipr.mil couldn't be hidden from casual view. If I wanted to deal with the lag-times, I could make this site look like it was hosted on a box in Japan, and that I was online via a server in Sweden. A quick Google search for "public proxy servers" is the hardest part of that misdirection.

So how is it that I can find out so much information about various intelligence networks--both conventional and virtual--with nothing more than a glance at my logs and a quick Google search? I'd never heard of CIFA before this morning, and had only heard of nipr a few days ago. Hmmm...

If the people who are running this tax-funded network can't do better than this, then I don't feel too safe. It's like a CIA operative running around with a neon sign that reads "I am a spy!" (And I don't even want to get into what a hacker can do when they have the name of a server on your farm).

Somewhere in Vienna, VA, is a NetAdmin who needs a smack upside the head. Sheesh.

Update 061504
Am told that nipr.mil is not supposed to be invisible, but is supposed to act as a front. Therefore, it should have been seen on my logs, although it should still have acted as a proxy for CIFA.mil. So maybe not a smack for the NetAdmin; perhaps a scathing memo? Then again, maybe the folks at CIFA don't care that they're broadcasting to the world (they dropped by again this morning, btw).