Note that AT&T customers aren’t the only ones apparently being tapped. “Transit” traffic originating with one ISP and destined for another is also being sniffed if it crosses AT&T’s network. Ironically, because the taps are installed at the point at which that network connects to the rest of the world, the safest web surfers are AT&T subscribers visiting websites hosted on AT&T’s network. Their traffic doesn’t pass through the splitters.
With that in mind, here’s the 27B Stroke 6 guide to detecting whether your traffic is being funneled into the secret room on San Francisco’s Folsom Street.
If you’re a Windows user, fire up an MS-DOS command prompt. Now type tracert followed by the domain name of the website, e-mail host, VoIP switch, or whatever destination you’re interested in. Watch as the program spits out your route, line by line.
You are looking for traffic that is jumping from Level 3 Communications to AT&T’s network in San Francisco, presumably over the OC-48 circuit that AT&T tapped on February 20th, 2003, according to the Klein docs. In the above example, mine is not routed that way. The magic string you’re looking for is sffca.ip.att.net. If it’s present immediately above or below a non-att.net entry, then — by Klein’s allegations — your packets are being copied into room 641A, and from there, to the NSA. Of course, if Marcus, the AT&T whistleblower, is correct and AT&T has installed these secret rooms all around the country, then any att.net entry in your route is a bad sign.
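The check described above can be run over saved tracert output instead of by eye. The following is an added example, not part of the original guide: the sample route is constructed, with hypothetical hostnames and documentation-range addresses, and only the sffca.ip.att.net string comes from the article.

```python
import re

# One tracert hop line: hop number, three RTT columns ("<1 ms", "12 ms" or "*"), then the target.
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(?:<?\d+\s+ms|\*)\s+){3}(.+?)\s*$")
MARKER = "sffca.ip.att.net"  # the string the article says to look for

# Constructed tracert output (hypothetical hostnames, documentation-range addresses).
SAMPLE = """Tracing route to www.example.org [203.0.113.80]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     9 ms     8 ms     9 ms  gw.isp.example.net [198.51.100.1]
  3    11 ms     *       10 ms  core1.carrier.example.net [198.51.100.9]
  4    12 ms    12 ms    13 ms  r1.sffca.ip.att.net [192.0.2.10]
  5    13 ms    12 ms    12 ms  r2.sffca.ip.att.net [192.0.2.14]
  6     *        *        *     Request timed out.
  7    15 ms    14 ms    15 ms  www.example.org [203.0.113.80]
Trace complete."""

def parse_hops(text):
    """Return [(hop_number, name)]; name is the hostname, the bare IP, or None on timeout."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner lines and "Trace complete."
        target = m.group(2)
        timed_out = "timed out" in target.lower()
        hops.append((int(m.group(1)), None if timed_out else target.split()[0].lower()))
    return hops

def is_att(name):
    return name is not None and name.endswith(".att.net")

def check_route(text):
    """Flag marker hops that sit directly next to a non-att.net hop, and list all att.net hops."""
    hops = parse_hops(text)
    boundary = []
    for i, (n, name) in enumerate(hops):
        if name is None or not name.endswith(MARKER):
            continue
        neighbours = hops[max(i - 1, 0):i] + hops[i + 1:i + 2]
        # A timed-out neighbour is unknown, so it does not count as a non-att.net entry.
        if any(nb is not None and not is_att(nb) for _, nb in neighbours):
            boundary.append(n)
    return {"att_hops": [n for n, name in hops if is_att(name)], "sf_boundary_hops": boundary}

if __name__ == "__main__":
    print(check_route(SAMPLE))
```

A non-empty sf_boundary_hops list corresponds to the article's specific San Francisco case; att_hops covers the broader "any att.net entry" reading.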