Just because you’re Paranoid doesn’t mean…..Well, you know the rest

Hey, all you Area 51 fans! Yeah you with the binoculars and lawnchair, sneaking around out in the desert, thinking you’re putting something over on the Feds. Let me tell you a little story which you may or may not choose to use as a life lesson. The names have not even been changed to protect the innocent (which is pretty much moi).

Let’s go back to July 13, 2003.  It was a dark and stormy night. No, wait…..It was a friggin’ hot Summer day, but that’s not as dramatic.

That morning I was doing some downloading, walked away from the PC for a while, came back and found the computer completely locked up. This had been happening with increasing occurrence and required a messy “power off” to fix (pull the damn plug). I really hate doing that, as it’s a bad way to shut down a computer. Some sort of software conflict, I suspected.  It did it two more times, shortly after rebooting and re-initiating the download. One glitch coincided with a ZoneAlarm burp (firewall software I was running at the time), so I thought that might be where the conflict was. I knew ZoneAlarm could be cranky, so I sighed and dived into more computer nonsense than I really wanted.

I went into the directories and looked for the logs ZoneAlarm kept on its activity, thinking I might be able to use those to debug the problem. Curiously, I found a number of repeated flags going back to June 1 (when this particularly logging sequence began). It seemed ZoneAlarm was blocking my computer’s attempt to connect to Port 137 of an IP address of 7.47.61.47. I also noted blocked attempts around the times of the lockups this morning.

Not what I expected, but interesting.

The next thing I did was run a whois on 7.47.61.47. My, my, my…..It seems that address is (or was at the time) owned by DISA, better known as the Defense Information Systems Agency of the DoD. Um,….Can you say “What the fuck??!”  I knew you could.

I extracted all of the blocked attempts out of the log, and found they occurred almost daily (Here’s a pdf of that log for your amusement). A little thought and I realized the blocked attempts happened shortly after I fired up the computer for the day (I usually turned the computer on when I get home in the evenings or in the morning on weekends).  They also occurred after each cold reboot that morning of July 13th.

My first thought was I had a weird virus, which was trying to make my system mess with the Feds. I didn’t really want to play in that particular sandbox, so I downloaded the latest virus profiles and did a thorough scan. Not a thing….Nada…..Zip…..Perfectly clean. This was now getting to be disturbingly interesting.

I cranked up the security level on my ZoneAlarm to extreme levels, rebooted the computer, and sat and glared at the little bastard. Nothing at first, but about 5 minutes later, there was another blocked attempt! My computer was trying to contact good ol’ 7.47.61.47 again.

I continued my downloading with the much higher security and monitored the system. A while later, I got another notification of blocking. But this was a little different. There were two. The first one was FROM 7.47.61.47, Port 47147 to Port 14576 of my computer. Two seconds later, ZoneAlarm blocked my computer from sending an outgoing message TO Port 137 of the same IP address. This was very disturbing, because if the incoming item was blocked, why and how did my machine want to talk back to Daddy DISA?

I checked what programs and processes I had running, and there was nothing out of the ordinary. Of course I wasn’t as computer savvy then as now. I looked through various newsgroups and websites and couldn’t find anything about some new, sneaky DoD programs.  All I knew for sure is that the Feds were pinging my computer with something, and that made it want to phone home.  It’s nice to feel wanted!

Now that I knew what was going on, it was easy to take some additional measures to kill that particular conversation. I watched for a few months more as the DISA IP sent out occasional pings as if to say, “Hey, we haven’t talked in forever! What have you been up to?”, but my PC remained silent, the blabby little cretin.

A year or so later, I found myself on the IT committee where I worked, and was attending a seminar on computer security. It was being given by some fairly high muckety-mucks from ACP, and they really knew their stuff. After the seminar was over and everyone else found better places to be, I wandered up to the two guys and told my tale of “PC, phone home”. I can’t be certain, but I thought their eyes got a little bit wide when I mentioned the part about DISA. They avowed as they had never heard of anything like that, and perhaps took a step or two backwards from me.

After the initial creepiness subsided, it was replaced by amusement. If the Feds were interested in knowing of quality porn sites or LolCats then it made sense to have a look at my PC.  And while I may be a goofball, I’m not stupid. Any sensitive discussions way back then regarding our favorite secret base (and there may have been one or two, I ain’t sayin’….) were done either in person or via snail mail. Oh yeah, and the snail mail envelopes? Special security envelopes sealed rather aggressively, with the internal contents wrapped in aluminum foil.

So remember all you Area 51 enthusiasts, it’s 1 AM…..Do you know who your computer is talking to?

 

Return to the Area 51 page