Is Your Mac Reporting Back to the US Army?

Despite anecdotal claims to the contrary, Apple Mac computers are not invulnerable. As Sig Figs’ guest blogger Jenny Oliver has reported previously, there are many security issues for Mac users. She sent me an update recently in which she seems to have uncovered a very worrying conspiracy surrounding a cluster of machines with an inbuilt trojan apparently reporting back to the US government.

“It is now almost two months since I have been unable to use my Macbook Pro online,” she says. “After various offers to allow anti-cybercrime persons access to my computer for information-gathering purposes in the interests of national and international security, I realized that my personal and business needs were obviously greater and did a total erase and reinstall this week. The unidentified Trojan (or equivalent) had zombified my laptop, and the agency involved had jammed open ssh (secure shell handling)… this meant that they had complete control over it. Indeed, if I had not used it in a while, it would hopefully switch itself on (even disconnected from the ‘net!), lid closed and all! Some programming skills there… note that the said ‘agency’ was waiting for a passing Mac-user to drop by.”

The panic begins when you do more digging than you should inside your machine. “When I first got my Mac, I did lots of exploring. I noticed that if I fired up Network Utility, under the Info tab it would report a network connection which looked quite alien,” she adds. “This would only be visible if examined when completely disconnected from the Net. ‘Odd!’ I thought, and supposed then that it must connect with Apple for some reason, and did not take the matter further. It was only after I accidentally clicked on the bogus, malicious link in Google in September that I did some more investigation. The ‘default’ IP address was there after the hack, but it was then I recalled seeing it from the first … and the reinstall established that. I looked up the address on – the American Registry of Internet Numbers. The US Corps of Infrastructure and Engineers. This Corps is responsible for rebuilding in places such as Iraq and Afghanistan.”

I did a quick Google for that IP address and discovered a discussion forum talking rather haphazardly about the issue way back in November 2004, well before Jenny’s Mac purchase. Apparently the Apple Firewire TCP/IP configuration defaults to a 144.x.x.x address on all Macs. What at first appears to be a US government conspiracy turns out to be nothing more than a legacy of the fact that the US government ran the first internet machines, and these 144.x.x.x addresses are among the earliest IP blocks handed out to organisations such as Apple.

Anders HiPhi, speaking on that forum, points out that, “The server is part of the European ORSN network – a 13 strong server array network – through which all European internet traffic passes. The ORSN say they need the US side servers as they don’t have enough resources.” However, he asks, “Even if this is the reason for the IP to be a default in the OS, Apple has its own ORSN servers, so why should they program US ARMY servers as their default? USACE are almost certainly responsible for Cyber Operations as part of their brief, so why have APPLE put US ARMY CyOps servers as a default when they could have used their own?”

What does Apple have to say on this subject? Apparently, the fact that the machine falls back to this IP when it doesn’t have a real address to hook into does not mean it is an active address being packet sniffed by a US government employee. It’s an inactive address: a configured default, not a live connection.
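The distinction Apple is drawing here, between an address that is merely configured on an interface and one that is actually carrying traffic, is something a worried user can check rather than guess at. The script below is an added example, not code from the original post or from Apple: it parses `ifconfig`-style output (the sample is constructed to resemble a fully disconnected Mac, and the `144.0.0.2` address is a placeholder standing in for the page’s unspecified 144.x.x.x default), classifies each address as loopback, link-local, private or public, and flags any public address that sits on an interface with no link. Such an entry is exactly the “inactive address” described above: worth noting, but not evidence that anything is talking to anyone.

```python
import ipaddress
import re

# Constructed sample modelled on `ifconfig` output from a Mac with no network
# connection. This is not real output from any machine; 144.0.0.2 is a
# placeholder for the unspecified 144.x.x.x FireWire default the post mentions.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    status: inactive
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 169.254.23.7 netmask 0xffff0000 broadcast 169.254.255.255
    status: inactive
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
    inet 144.0.0.2 netmask 0xff000000 broadcast 144.255.255.255
    status: inactive
"""


def parse_ifconfig(text):
    """Return {interface: {"inet": [addresses], "status": str | None}}."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"^(\S+): flags=", line)
        if header:
            current = header.group(1)
            interfaces[current] = {"inet": [], "status": None}
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("inet "):
            interfaces[current]["inet"].append(stripped.split()[1])
        elif stripped.startswith("status:"):
            interfaces[current]["status"] = stripped.split(":", 1)[1].strip()
    return interfaces


def classify_address(addr_str):
    """Bucket an IPv4/IPv6 address by the scope the standards assign to it."""
    addr = ipaddress.ip_address(addr_str)
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:          # 169.254/16: self-assigned, never routed
        return "link-local"
    if addr.is_private:             # RFC 1918 and friends
        return "private"
    if addr.is_global:              # registry-assigned, publicly routable
        return "public"
    return "reserved"


def audit(text):
    """List (interface, address, scope, link status) for every configured address."""
    rows = []
    for name, info in parse_ifconfig(text).items():
        for addr in info["inet"]:
            rows.append((name, addr, classify_address(addr), info["status"]))
    return rows


def stale_public_defaults(text):
    """Public addresses configured on interfaces that report no active link.

    These are configuration residue (a hard-coded default, a stale lease), not
    evidence of traffic: nothing can be sent or received on a link that is down.
    """
    return [(name, addr) for name, addr, scope, status in audit(text)
            if scope == "public" and status != "active"]


if __name__ == "__main__":
    for row in audit(SAMPLE_IFCONFIG):
        print("%-4s %-16s %-10s link=%s" % row)
    for name, addr in stale_public_defaults(SAMPLE_IFCONFIG):
        print("note: %s carries public address %s but has no link" % (name, addr))
```

Finding the registrant of a flagged address, the step Jenny took next, needs network access (a WHOIS query to the relevant registry) and is deliberately left outside this offline script. The useful lesson is the one the audit encodes: an address on an interface whose status is not `active` cannot be sending anything, whoever it is registered to.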

Who knows? Maybe Jenny is right and there is a conspiracy. I’m of a mind to assume that it’s nothing more than a pingback address to an ancient timeserver that is no longer used by Apple’s Firewire drives but that was hardwired in early in the design and is so low priority that there is no impetus to remove it now. Except that it would stop Mac users who dig too deep from worrying needlessly that the US Army is watching their every move. Indeed, I just spoke to Jenny Oliver again and she is relieved that I found this information but wonders why it is not more widely known and readily available to paranoid Mac users. Maybe there really is a conspiracy after all!