Summary: EPO surveillance explained by another source, revealing a connection to Blue Coat, the notorious firm that performs surveillance on behalf of private clients

YESTERDAY we published an unconfirmed report about how the EPO conducts surveillance on staff, which has increasingly turned against the corrupt management. We have since been contacted by more sources, some of which reinforce what we wrote but some refute it. In the interest of accuracy, here is another explanation of how the EPO conducts its notorious surveillance. It has been no secret that the EPO spies on its staff, but some allege that it happens even outside of the workplace.

"The EPO monitors all electronic communications," said one source, "but the suggestion that traffic may be routed through Moscow is rather fanciful, as they wouldn't need Putin's help at all.

"The EPOrg acquired a large B-address block in the 1990s, at the time when IP address were cheap and plentiful, with 65536 endpoints of the form 145.64.xx.xx. These are normally routed either to The Hague or Munich. EPO users are thus rather easy to spot in server log files. (Many EPO online services such as Espacenet now use Amazon web services as a front end, but that's another story).

"Since a few years, web access from within the EPO is preceded in a flash by another one from 8.28.16.254 (US Pennsylvania), which belongs to an infamous US company called Blue Coat." See the RSF report for more information. The EPO is acting not much more ethically than the BND or the NSA now. To quote RSF, "American Company Blue Coat, specialized in online security, is best known for its Internet censorship equipment. This equipment also allows for the supervision of journalists, netizens and their sources. Its censorship devices use Deep Packet Inspection, a technology employed by many western Internet Service Providers to manage network traffic and suppress unwanted connections."

"I have a server with some documents occasionally accessed from the EPO," said our source, "and I started seeing these weird accessions in my log files. A telltale signature of BlueCoat is the dated browser signature, which is "Mozilla 4.0", usually followed by garbage or obsolete browser IDs.

"It has been no secret that the EPO spies on its staff, but some allege that it happens even outside of the workplace.""I have also seen strange accesses to the same documents from other continents which seem to correlate with BlueCoat probes, but even though the coincidences are troubling I can't quite see the connection or the use of these transfers.

"Try giving a look at your own Techrights.org or schestowitz.com log files.

"You can also perform traceroute to an EPO address, and see where it goes through. My own test do not show anything suspicious, but I don't live in Russia."

Curiously enough, one source of DDOS against Techrights.org has been looking like this (from less than one minute ago):

10.0.2.11 - - [19/Mar/2015:02:47:01 -0700] "GET /2011/12/ HTTP/1.1" 200 148164 "-" "Mozilla/4.0 (compatible;)" 10.0.2.11 - - [19/Mar/2015:02:47:00 -0700] "GET /2013/11/ HTTP/1.1" 200 136439 "-" "Mozilla/4.0 (compatible;)"

These requests basically hit the site almost every second, demanding about 8 aggregated articles (very greedy) at an alarmingly high pace, thus inducing very high load on the server. In addition to that, there are many cracking attempts (several per second, with increase at times of important releases about EPO). As every systems administrator ought to know (I do this also for a living, as part of my daytime job), determining the source of a DDOS attacks of cracking is very hard, especially if one pursues 100% certainty and has no privileged access to routers (like governments have). Let's leave it all an open question. ⬆