Is Your Mac Reporting Back to the US Army?
December 4th, 2007 by David Bradley
Despite anecdotal claims to the contrary, Apple Mac computers are not invulnerable. As Sig Figs’ guest blogger Jenny Oliver has reported previously, there are many security issues for Mac users. She sent me an update recently in which she seems to have uncovered a very worrying conspiracy: a cluster of machines with an inbuilt trojan apparently reporting back to the US government.
“It is now almost two months since I have been unable to use my MacBook Pro online,” she says. “After various offers to allow anti-cybercrime persons access to my computer for information-gathering purposes in the interests of national and international security, I realized that my personal and business needs were obviously greater and did a total erase and reinstall this week. The unidentified Trojan (or equivalent) had zombified my laptop, and the agency involved had jammed open ssh (secure shell handling)… this meant that they had complete control over it. Indeed, if I had not used it in a while, it would hopefully switch itself on (even disconnected from the ‘net!), lid closed and all! Some programming skills there… note that the said ‘agency’ was waiting for a passing Mac-user to drop by.”
The panic begins when you do more digging than you should inside your machine. “When I first got my Mac, I did lots of exploring. I noticed that if I fired up Network Utility, under the Info tab it would report a network connection which looked quite alien,” she adds. “This would only be visible if examined when completely disconnected from the Net. ‘Odd!’ I thought, and supposed then that it must connect with Apple for some reason, and did not take the matter further. It was only after I accidentally clicked on the bogus, malicious link in Google in September that I did some more investigation. The ‘default’ IP address was there after the hack, but it was then I recalled seeing it from the first … and the reinstall established that. I looked up the address on www.arin.net – the American Registry of Internet Numbers. 144.3.8.0. The US Corps of Infrastructure and Engineers. This Corps is responsible for rebuilding in places such as Iraq and Afghanistan.”
I did a quick Google for that IP address and discovered a discussion forum talking rather haphazardly about the issue way back in November 2004, well before Jenny’s Mac purchase. Apparently the Apple FireWire TCP/IP interface defaults to a 144.x.x.x address on all Macs. What at first appears to be a US government conspiracy actually turns out to be nothing more than a legacy of the fact that the US government ran the first internet machines, and these 144.x.x.x addresses are just some of the earliest IPs handed out, early on, to organisations such as Apple.
Anders HiPhi, speaking on that forum, points out that, “The server is part of the European ORSN network – a 13 strong server array network – through which all European internet traffic passes. The ORSN say they need the US side servers as they don’t have enough resources.” However, he asks, “Even if this is the reason for the IP to be a default in the OS, Apple has its own ORSN servers, so why should they program US ARMY servers as their default? USACE are almost certainly responsible for Cyber Operations as part of their brief, so why have APPLE put US ARMY CyOps servers as a default when they could have used their own?”
What does Apple have to say on this subject? Apparently, just because the machine defaults to this IP when it doesn’t have a real address to hook into does not mean it is an active address being packet-sniffed by a US government employee. It’s an inactive address.
Who knows? Maybe Jenny is right and there is a conspiracy. I’m of a mind to assume that it’s nothing more than a pingback address to an ancient timeserver that is no longer used by Apple’s FireWire drives but that was hardwired in early in the design and is so low priority that there is no impetus to remove it now. Except that removing it would stop Mac users who dig too deep from worrying needlessly that the US Army is watching their every move. Indeed, I just spoke to Jenny Oliver again and she is relieved that I found this information but wonders why it is not more widely known and readily available to paranoid Mac users. Maybe there really is a conspiracy after all!
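The check the post walks through (take the address an idle interface reports, look up the block it sits in, and decide whether it is a live connection or a placeholder) as an added Python example; this is not code from the post or from Apple. The whois text is trimmed from the ARIN record quoted in the comments, and the interface table is constructed for the example.

```python
import ipaddress

# ARIN whois record for 144.3.8.0 as quoted in the comment thread,
# trimmed to the fields this example needs.
ARIN_RECORD = """\
OrgName: Headquarters, USAISC
NetRange: 144.3.0.0 - 144.3.255.255
CIDR: 144.3.0.0/16
NetName: CEEIS4
# ARIN WHOIS database, last updated 2008-09-11 19:10
"""
# Constructed interface table, as "ifconfig" on a Mac of that era might
# list it, with fw0 carrying the placeholder address the post is about.
SAMPLE_INTERFACES = {"lo0": "127.0.0.1", "en0": "192.168.1.5",
                     "en1": "169.254.10.20", "fw0": "144.3.8.0"}

def parse_arin_whois(text):
    """'Key: value' lines of an ARIN reply -> dict; '#' lines are skipped."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition(":")
            if sep:
                record[key.strip()] = value.strip()
    return record

def registered_networks(record):
    """Networks in the record's CIDR field (ARIN may list several)."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in record["CIDR"].split(",")]

def classify_address(addr, record):
    """Say what kind of address an interface is configured with."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:   # 169.254/16: self-assigned when no DHCP answers
        return "link-local"
    if ip.is_private:      # RFC 1918 space, e.g. a home router's LAN
        return "private"
    if any(ip in net for net in registered_networks(record)):
        return "public, registered to " + record["OrgName"]
    return "public, outside the looked-up block"

def audit_interfaces(interfaces, record):
    """Classify every interface; a public address from someone else's block
    on a port with no cable is the placeholder case, not a live connection."""
    return {n: classify_address(ip, record) for n, ip in interfaces.items()}
```

A placeholder like fw0's only matters if the interface actually has a link and sends traffic, which is the thing to confirm (with a packet capture on that interface) before assuming anyone is listening.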
David Bradley // Dec 4, 2007 at 10:55 am
Similarly, scary news emerged in November that Maxtor and Seagate external hard drives were pre-loaded with trojan horse software.
Andy // Dec 4, 2007 at 11:00 am
Macs look nice inside and out – granted.
They get the job done, but I just can’t drag myself away from Bill’s Monopoly.
Windows has got all the options, dials, switches and levers that I crave to set things up just how I want them.
It will suck up every virus in sight, slow to a crawl and cause my hair to fall out sometimes, but it’s become a habit – for better or worse – Bill’s got me right where he wants me.
I know that Macs have come forward a million miles and can run most Windows programs very well because of the Intel processors and the software available, but I just can’t do it.
As for anti-virus software – I can recommend Panda.
Jenny Oliver // Dec 4, 2007 at 12:19 pm
Thanks for publishing this, David. Well researched! I hope this reassures others like myself who perhaps did a little too much digging! However, given the current high state of alert re cyber-crime and terrorist activities, it is highly negligent of Apple not to explain this in a more public way. Their response to my attempts to communicate with them has been less than helpful until very recently… and no-one apart from you has given the above detailed answer, even now.
I hope the lack of information will be rectified very soon, as it has been the absence of any knowledgeable response which has intensified the concern.
With regard to Mac security, other users like myself might also like to keep an eye on a blog in the Washington Post by Brian Krebs, who reports on various computer security issues, including Macs.
The latest item, just this November, is here: http://blog.washingtonpost.com/securityfix/2007/11/apple_plugs_44_security_holes_1.html
All the best!
Jenny Oliver // Dec 4, 2007 at 4:16 pm
Hi, again.
On re-reading this I seem to come over as mildly paranoid! To set the record straight, although I did wonder initially about being linked to the US Army, my major concern was that there might have been a considerable abuse of trust by Chinese manufacturers (given the nature of the Google hacks in Sept 07). The principal worry was that it might have been an outside agency which was misusing Macs to hack the west, not so much the US authorities snooping on us (which I find mildly preferable!). This was reinforced by reading about the head of MI5 voicing concerns on 1/12/07 in The Times. http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article2980250.ece
A few things are also still a little disturbing. If the address is ‘not used’, why does it resolve? Why would ‘tracert’ try to find it? It gets as far as the Veterans Association and then bounces. This seems to suggest it is valid, even if the general public can’t reach it.
Now back to restoring everything to my poor depleted Mac….. :-[
David Bradley // Dec 4, 2007 at 5:15 pm
Yes Jenny, you maybe came across as slightly paranoid in my write-up…but as you know, just because you’re not paranoid doesn’t mean they aren’t out to get you. 144.x.x.x may yet turn out to be some secret window through which Pentagon spooks are watching Mac users…I’ll keep digging, there are lots of references to that IP address on the web.
Jenny Oliver // Dec 5, 2007 at 9:25 am
I know it’s unladylike, but !
OK, ‘business’. The matter has indeed been around for some time: snippet from an Apple Insider forum, from ‘John’:
‘I got curious about this, so I e-mailed the contact person for the IP address:
“This IP address is showing up on my Ethernet Interface (fw0) (Firewire or high-speed IEEE 1394 Serial Bus) on my Apple Computer. This is the contact e-mail given by whois for that IP address. Do you have any idea why your IP address is showing up my computer?
John”
Reply:
From: Gary.W.Decoff@us.army.mil
Date: January 3, 2005 4:36:02 AM PST
Subject: RE: IP Address 144.3.8.0
Cc: Gerald.G.Roy@erdc.usace.army.mil
“John,
Yes I do know why. Apple Computer is using my IP space as a default for some of their interfaces….
Please bring this to the attention of Apple Computer… If enough people tell them about this then just maybe they will stop doing it…
Thanks
Gary”
Go figure.
Edited: I sent it in as a bug report to Apple.’
Several years later and the message still hasn’t got through! Perhaps it will now?
mike // Sep 12, 2008 at 9:54 pm
Same thing here. First it was the IP of the Army Corps of Engineers, about 9 months ago; now it’s a different army base. Here are my whois results from the newest find of mine last week:
NetName: CEEIS4
NetHandle: NET-144-3-0-0-1
Parent: NET-144-0-0-0-0
NetType: Direct Assignment
NameServer: NS01.ARMY.MIL
NameServer: NS02.ARMY.MIL
NameServer: NS03.ARMY.MIL
Comment:
RegDate: 1990-10-30
Updated: 2008-02-26
OrgTechHandle: BETHA2-ARIN
OrgTechName: Egbert, Beth A
OrgTechPhone: +1-520-538-2038
OrgTechEmail: DOMAIN-REQUEST@aims7.army.mil
# ARIN WHOIS database, last updated 2008-09-11 19:10
# Enter ? for additional hints on searching ARIN’s WHOIS database.
I’ve been pinging this IP and doing a little research on that, and now it appears it’s not a good thing to ping the government? I don’t care, I have nothing to hide, I just feel that in America we should have the right to privacy from big brother.
Also, trace route pulled up some NSA and CIA known IPs I found in an article about this on the net. As well as MCI. Now a few years ago ATT kicked the NSA out of their headquarters for setting up a room inside their infrastructure at their building; this story is interesting and you should google it just so you don’t think I’m making stuff up. Like I said, I have nothing to hide but I didn’t buy a Mac to have my personal life exploited. What if the government doesn’t like the fact I listen to Pearl Jam? I’m in for it.
mike // Sep 12, 2008 at 9:59 pm
Sorry, I didn’t copy and paste the entire whois results from IP 144.3.8.0; here they are:
Whois has started …
OrgName: Headquarters, USAISC
OrgID: HEADQU-3
Address: NETC-ANC CONUS TNOSC
City: Fort Huachuca
StateProv: AZ
PostalCode: 85613-5000
Country: US
NetRange: 144.3.0.0 – 144.3.255.255
CIDR: 144.3.0.0/16
NetName: CEEIS4
NetHandle: NET-144-3-0-0-1
Parent: NET-144-0-0-0-0
NetType: Direct Assignment
NameServer: NS01.ARMY.MIL
NameServer: NS02.ARMY.MIL
NameServer: NS03.ARMY.MIL
Comment:
RegDate: 1990-10-30
Updated: 2008-02-26
OrgTechHandle: BETHA2-ARIN
OrgTechName: Egbert, Beth A
OrgTechPhone: +1-520-538-2038
OrgTechEmail: DOMAIN-REQUEST@aims7.army.mil
# ARIN WHOIS database, last updated 2008-09-11 19:10
# Enter ? for additional hints on searching ARIN’s WHOIS database.
Now, this Fort Huachuca, if you google it, has some interesting functions for the US government: head of Army computer intel, and interrogation training center. If more of us report stuff like this it gives it more validity; surely I didn’t make this IP addy up out of thin air.
Ike Garcia // Feb 21, 2009 at 2:28 am
It’s truly amazing to me that people actually believe that the government is actually competent enough to pull off this level of reconnaissance. After dumping god knows how much money and resources into finding Osama bin Laden, do you actually believe that they can spare the analytic effort to monitor Joe Citizen? Do you realize how much data would be accumulated if they spied on “every one”? You’d have an easier time trying to find the next prime number with an abacus.
David Bradley // Feb 21, 2009 at 9:24 am
Ike, it’s an interesting thought, but it’s not a case of spying on everyone at random…the British government is investigating tools that allow them to focus on trigger words, it’s irrelevant how much data is accumulated if red flags are raised at critical times. Incidentally, I think they recently used computational methods to narrow Bin Laden’s whereabouts to one of three locations, didn’t they?
mynameisntimportant // Apr 30, 2009 at 8:58 am
Interesting to read about some forward movement in regards to this subject.
I admire the curiosity that is typical of Mac users but marvel at how frequently perplexed users will overlook some of the simpler things.
For instance, there is one informal general rule followed by all. Talk about anything you want with anyone but don’t discuss product.
There is another saying that has been around way before the word technology.
Curiosity killed the cat.
I have another favorite.
Nothing to fear, nothing to worry about.
But for those who just have to know I would encourage them to consider the questions differently. Try substituting ‘why would someone be watching me?’ with ‘what advantage might be gained by keeping an eye on the type of experience your machine has during a lifetime of travels processing data that is never seen and has little or nothing to do with the user?’
Good luck.