William Waites on Fri, 25 Feb 2022 22:10:15 +0100 (CET)



<nettime> 418 I'm a teapot


Yesterday, as Russia began its invasion of Ukraine, some people on the Internet
noticed a strange thing. I'm not going to comment on the big picture except to say
that the situation is terrible, the invasion criminal and the failure of other
countries to do anything meaningful to stop it, reprehensible. Nor will I attempt
to expound on how the conditions for this to happen came to exist; there are 
plenty of people who know more about that than I do. Instead, I will examine this
strange detail that will surely be just a minor footnote in this terrible conflict,
try to explain what it means, and, at the end, indulge in some hopeful speculation
into how it got there.

The web site of the Russian Ministry of Defence looks like it's "down" from the
perspective of nearly everyone outside of Russia and a small number of other
countries. If you point a web browser at it right now, you'll get a blank page.
But the _way_ that it is down is interesting. If you look closely, you'll see
that it is producing an error code 418. This can be reproduced more clearly
with a tool like [curl(1)]:

```
% curl -I https://mil.ru/
HTTP/1.1 418 
Date: Fri, 25 Feb 2022 19:23:07 GMT
Content-Length: 0
Connection: keep-alive
Server: Ministry of Defence of the Russian Federation
```

All successful conversations between your web browser and a web server include
a [status code]. A status code is a three digit number, and it has meaning. If it
starts with a 2, like 200, that means everything is ok, and you'll get a web
page along with it to look at. If it starts with a 3, that means whatever you're
looking for has moved somewhere else and you'll be redirected there. If it starts
with a 4, it means you've done something wrong. Maybe you've asked for something
that's not there and you'll get 404 which means "Not Found".

So far so good. The Russian MoD is telling us we're not allowed to look
at their web site, right? If that were the case, the natural choice would be 403
which means "Forbidden" or perhaps 410 which means "Gone". But 418 is a strange
one. It means "I'm a teapot". It comes from April Fools' Day 1998, when the 
IETF published their traditional joke standard ([RFC2324]), in that case about
connecting coffee pots to the Internet. As the joke goes, if you've connected
a teapot instead, you should get an error: *418 I'm a teapot*.
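
The status line in the capture above, `HTTP/1.1 418 `, ends in a space with no reason phrase after it, which trips up parsers that expect three fields. The following is an added example, not part of the original post: it parses that captured head and names the class of the code from its first digit. The function names are this example's own.

```python
import re

# Response head as captured with `curl -I` in the post above.
CAPTURED = (
    "HTTP/1.1 418 \r\n"
    "Date: Fri, 25 Feb 2022 19:23:07 GMT\r\n"
    "Content-Length: 0\r\n"
    "Connection: keep-alive\r\n"
    "Server: Ministry of Defence of the Russian Federation\r\n"
    "\r\n"
)

# Meaning of the first digit of a status code (RFC 7231, section 6).
CLASSES = {1: "informational", 2: "success", 3: "redirection",
           4: "client error", 5: "server error"}

# The reason phrase may be empty, so it is optional in the pattern.
STATUS_LINE = re.compile(r"^HTTP/(\d(?:\.\d)?) (\d{3})(?: (.*))?$")


def parse_head(raw):
    """Split a raw response head into (version, code, reason, headers)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = STATUS_LINE.match(lines[0])
    if m is None:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line:  # a blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), int(m.group(2)), (m.group(3) or "").strip(), headers


def summarize_head(raw):
    """Report the facts the post reads off the response."""
    version, code, reason, headers = parse_head(raw)
    return {
        "code": code,
        "class": CLASSES.get(code // 100, "unknown"),
        "has_reason": bool(reason),
        "body_bytes": int(headers.get("content-length", "0")),
        "server": headers.get("server"),
    }
```
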

But there's another layer. In colloquial Russian, to be a teapot ([чайник]) 
means, approximately, to be computer illiterate. The connotation is slightly
different than the English term though it unambiguously suggests ignorance of
how a computer system works. So is the Russian Ministry of Defense claiming to
the outside world that they are computer illiterate? Do they have a geeky,
impish, self-effacing sense of humour? That seems a little implausible...

## Who is a teapot?

We can find out a little more about what's going on with some simple tools.
This teapot message either originates on the Ministry of Defense's web server
itself, or somewhere fairly close by since, by all accounts, nearly everyone
sees the same thing. To find this out, we can find out what actually answers
a TCP connection on the HTTPS port using [tcptraceroute(1)]:

```
# tcptraceroute mil.ru 443
Tracing the path to mil.ru (82.202.190.92) on TCP port 443 (https), 30 hops max
 [...]
 8  uk-lon03a-ri2-ae-2-0.aorta.net (84.116.135.46)  28.784 ms  19.933 ms  24.521 ms
 9  ae16-209.RT.TC2.LON.UK.retn.net (87.245.245.22)  26.014 ms  24.460 ms  47.426 ms
10  ae1-3.RT.OK.MSK.RU.retn.net (87.245.232.7)  66.608 ms  67.573 ms  67.430 ms
11  GW-Indrik.retn.net (87.245.253.219)  69.701 ms  67.521 ms  68.754 ms
12  * * *
13  82.202.190.92 [open]  66.221 ms  -9016.769 ms [closed]  -8215.307 ms
```

Without belabouring the details of how to read a traceroute, and eliding the
parts closest to my computer, the path goes clearly over a major backbone provider,
RETN, from London to Moscow and then to something called the Indrik gateway.
Nice bit of mythology there. [Indrik] is a kind of chimeric
bull-deer-horse-unicorn beast from Russian folklore. There's another hop not responding after
that, and then an answer. The round trip time to the last hop, which has the
same address as what we asked for, 82.202.190.92, the address of mil.ru, is
plausible. So whatever response we're getting, it's coming from Moscow, and
it's coming from the place that whoever operates mil.ru intends.

That address, 82.202.190.92, however, is not owned by the Russian Ministry
of Defense. It is part of a [network] that belongs to Kaspersky Labs. I did not
realise before looking into it just now, but Kaspersky appears to operate a
substantial amount of network infrastructure. They're not just a software
company. If an intruder had done this to embarrass the Russian Ministry of
Defense, I would have expected it to be noticed and fixed by now.
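
The reading of the trace above can be reproduced mechanically. The following is an added example, not part of the original post: it parses the quoted tcptraceroute output and checks that the final hop is the target itself with the port open, how its round-trip time compares with the last timed hop before it, and whether the address falls in the prefix named in the linked RIPE query. The function names are this example's own, and it assumes the final hop answered.

```python
import ipaddress
import re

# Header and last four hops as quoted in the post above.
TRACE = """\
Tracing the path to mil.ru (82.202.190.92) on TCP port 443 (https), 30 hops max
10  ae1-3.RT.OK.MSK.RU.retn.net (87.245.232.7)  66.608 ms  67.573 ms  67.430 ms
11  GW-Indrik.retn.net (87.245.253.219)  69.701 ms  67.521 ms  68.754 ms
12  * * *
13  82.202.190.92 [open]  66.221 ms  -9016.769 ms [closed]  -8215.307 ms
"""
PREFIX = ipaddress.ip_network("82.202.190.0/24")  # from the linked RIPE query

HEADER = re.compile(r"Tracing the path to \S+ \(([\d.]+)\) on TCP port \d+")
HOP = re.compile(r"^[ \t]*\d+[ \t]+(.*)$", re.M)
ADDR = re.compile(r"\(([\d.]+)\)|^([\d.]+)\s")
RTT = re.compile(r"(-?\d+\.\d+) ms")


def parse_trace(text):
    """Return (target address, list of hop dicts) from tcptraceroute output."""
    head = HEADER.match(text)
    if head is None:
        raise ValueError("missing tcptraceroute header line")
    hops = []
    for m in HOP.finditer(text):
        rest = m.group(1)
        a = ADDR.search(rest)
        # A negative time cannot be a round trip, so it is dropped.
        rtts = [float(t) for t in RTT.findall(rest) if float(t) >= 0]
        hops.append({
            "addr": ipaddress.ip_address(a.group(1) or a.group(2)) if a else None,
            "open": "[open]" in rest,
            "min_rtt": min(rtts) if rtts else None,
        })
    return ipaddress.ip_address(head.group(1)), hops


def summarize(text, prefix=PREFIX):
    """Apply the post's checks to the final hop of a trace."""
    target, hops = parse_trace(text)
    last = hops[-1]
    timed = [h for h in hops[:-1] if h["min_rtt"] is not None]
    return {
        "answered_by_target": last["addr"] == target and last["open"],
        "rtt_gap_ms": round(last["min_rtt"] - timed[-1]["min_rtt"], 3),
        "in_prefix": target in prefix,
    }
```
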

So we're left with two possibilities that I can think of. Either the MoD
is in on the joke or they are not. It's hard to believe that they are in
on the joke. Perhaps it could have happened like this. The MoD said to
Kaspersky, "make it so that outsiders cannot see our web site",
and Kaspersky responded, "da, tovarishch, right away", leaving this easter
egg for us to find.

If this is true, it gives us some hope. It shows that there are people in
Russia, well-placed and with privileged access to infrastructure, that 
are against this war and think the Russian Military is illiterate and
incompetent. More importantly, they have bravely found a way, from the
very heart of the beast, to telegraph this to the world.

[status code]: https://datatracker.ietf.org/doc/html/rfc7231
[RFC2324]: https://datatracker.ietf.org/doc/html/rfc2324
[curl(1)]: https://linux.die.net/man/1/curl
[tcptraceroute(1)]: https://linux.die.net/man/1/tcptraceroute
[чайник]: https://en.wikipedia.org/wiki/Chainik
[Indrik]: https://en.wikipedia.org/wiki/Indrik
[network]: https://apps.db.ripe.net/db-web-ui/query?searchtext=82.202.190.0%2F24&rflag=true&source=RIPE&bflag=false
#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime@kein.org
#  @nettime_bot tweets mail w/ sender unless #ANON is in Subject: