Friday, March 21, 2008

Rogers IP Addresses, Circa 2003

The blogging nerdosphere is atremble with anticipation at the thought of an upcoming confrontation between Richard Warman and the CHRC vs. Macleans Magazine, Mark Steyn, and the Nazis, which will take place in an Ottawa courtroom on March 25th. Some of the folks at FreeD are positively giddy at the thought of crashing the proceedings, breaking the camera ban (if one is in place), and blasting images of CHRC investigators all over the Internet:

They should go for the lifting of the camera ban, and if that is refused, video it in secret and post the proceedings everywhere possible all over the world. Let the whole world see what a Fascist State Canada has become.


Meanwhile, online investigator extraordinaire "Buckets" has been quietly chipping away at an answer to the most interesting question that will be raised during the course of this hearing: did Richard Warman post racist remarks using the pseud "90sAREover" to Freedomsite (a Nazi forum) in 2003?

There is more detail in my previous posts on the topic, but in short: the claim that Warman did make such a posting is based entirely on the fact that, later in 2003, he messaged Freedomsite under the name of Lucy from the same Rogers IP address (66.185.84.204) previously assigned to 90sAREover.

And, in short, Buckets' research challenges the reasoning behind this claim (which is, essentially, that once you get a Rogers address assigned to you, you are stuck with it for months or years at a time).

Buckets' rather ingenious method was to examine, painstakingly and at length, Wikipedia edits (and other sources) from the time period in question, looking for this particular IP address and other Rogers IP addresses, and to track what happened to them, sometimes on a minute-by-minute basis. His general conclusion? They're fluid, baby, real fluid! Anyone assigned the IP in question might also have been assigned one of at least 16 other IP addresses, and anyone assigned one of these other IP addresses might also have been assigned, during their very next on-line session, or even during the course of the same on-line session, the IP 66.185.84.204.

Here's the money quote from his summary thread:

These [IP addresses] reflect, of course, only the tiniest fraction of what was really happening. Every time anyone visits a webpage, the visit is logged somewhere, but very few of those logs are ever published; only a tiny fraction of internet users edit wikipedia, and only a fraction of them do so without signing in, thereby allowing us to see their IPs.

Still, the evidence that we do have makes it fairly clear that having any one of these IPs--indeed, any Rogers IP--at one moment doesn't guarantee that you have it at another. The reason, of course, is that Rogers was using these IPs as proxies for all their traffic from a specific region.

Have a good Easter everyone, and happy hunting Buckets! And everyone beware them Nazis!

32 comments:

Reality Bites said...

I notice Buckets' post is dated "Sunday, August 03, 2008."

Any chance he could tell us who won the Stanley Cup and if we've had an election yet?

Ti-Guy said...

video it in secret and post the proceedings everywhere possible all over the world. Let the whole world see what a Fascist State Canada has become.

Indeed. Whenever the "free speech warriors" and their network of proto-fascists get a hold of personal information, we all get to see, with the inarguably actionable dissemination of this information, the outings, the naming, the shaming, the vilification, the public humiliation and the campaigns of cyber- and real-life stalking and harassment just how very fascist the state of Canada has become.

The irony of all the libel that comes out of this is about the only thing I find interesting.

buckets said...

RB. Date fixed. (Thanks.)

Mark Richard Francis said...

Is there no doubt as to the veracity of the evidence itself? IP logs are hardly tamper-proof.

bigcitylib said...

Mark, there is doubt about that as well. The original records from Rogers are gone.

http://bigcitylib.blogspot.com/2008/02/records-are-gone.html#links

Anonymous said...

That IP was passed around more than a 2 bit hooker during fleet week.

In addition to the fine work buckets has done there's the university of waterloo library that has 35 different users visiting with that IP from September 03 to January 04. That's an avg. of 7 people per month just at that one web site.

bigcitylib said...

Nbob,

where did you turn up that little bit?

Anonymous said...

was bored one night so I googled and yahooed the IP

http://www.lib.uwaterloo.ca/webreports/etd/etd-2003-4.htm

That's what I found.

Note: they use visitor ID cookies so it's not one person visiting 35 times. Also the number of "users" does not equal the number of "visits" which would be the same if they were all the same person.

buckets said...

nbob. Nice find, but I suspect that those 35 visitors are the same person.

The log, I assume, is for http://etd.uwaterloo.ca/etd, which contains pdfs of Waterloo PhD and Masters theses. Is it even remotely possible that 35 different people found their way here? I would be more inclined to suppose that someone found their way to these theses and downloaded three dozen.

buckets said...

More on Waterloo. Look at 61.175.228.135, which resolves to Zhejiang Teachers College in China. According to the log, there were 226 'hits', for 153 'visitors', who accounted for bandwidth of 173.94 megabytes. Can we really suppose that these are 153 different users?

Anonymous said...

buckets-

I thought that too. But then I noticed a stat that said "each user has visited approx. 1.78 times" so I went to the FastStats tech support page.

Somewhere in the FAQ and or manual it sez (paraphrase) "if you do not use cookies each time an IP visits they will be recorded as a "user". Because IPs are often reassigned this will not give you an accurate reading of actual individual users. To get an accurate number of users cookies should be used."

If you have visited the site you'll see you now have a visitor cookie installed.

buckets said...

Somehow I'm not getting a cookie. Did you? What is its name?

lance said...

Buckets, the only post of yours which is relevant is the first link. All the rest are 2004 or later. (I may have missed one, so I'll wait to be corrected.)

The first post links to a data set which shows a post from the 65.185.84 netblock on October 2nd, 2003 then a post on a completely different netblock of 63.139.3 during the 19th and 20th. (Sun/Mon and Thanksgiving that year was the 13th). Then the poster resumes on Nov. 30th from the *.84 netblock.

I do not find this proof of Rogers IP movement.

1) Firstly, anything after 2003 constitutes a new year and a new policy therefore anything after 2003 is trashed.

2) Three posts where the difference is over a weekend doesn't eliminate Occam's razor. The guy probably went home for the weekend and stayed on Monday.

In all your Wiki probing, nothing changes the fact that Wiki never logged anything from the IP address in question until the new year, as per here.

I do _not_ have a dog in this hunt, but the validity of my statements and posts previously have been questioned by BCL and others. I simply defend what I posted and commented previously.

Cheers,
lance

Anonymous said...

buckets-

There could well be 153 different users if the school is using an internal network and that is its gateway IP - no? ( see one of the FAQs below)

The cookie I have is:
website: .imprint.uwaterloo.ca
name: __utma
expires: January 17,2038

Do you have that?

Here's what else makes me think they're unique-

If you look at the general stats at the top of the page it sez there are 10,207 "Unique IP Addresses" however the list of "Visiting Domain Names" further down only comes to slightly more than 1000 IPs.

If you add up "Users" associated with each domain on that list it is the 10,207 they count as "unique"
( I was really bored that night and counted - I came up with 9,000 and something but that's probably due to input error on my part as there were more than 1000 entries and I wasn't being that careful)

Now if "users" was tracking the number of visits from each domain- as opposed to actual browsers- then one would expect there would be no difference between "unique IP" ( 10,207) and "Total Visiting Users" ( 18,215) but as you can see there's a difference of about 8000.

Keep in mind we're talking 2003 when high speed cable was still very much in its infancy ( I was still on dial up back then). ISPs did not have the bandwidth they have now to assign each household a semi-permanent IP.

Likely they had a pool of "n" amount of IPs for a given area. If your browser was inactive for a set period of time you would lose your connection so it could be reassigned to another user- then if you clicked on a link a new connection would be established and you would be assigned the next free IP in the pool - that seems to be consistent with your findings.

Here are some of the relevant FAQs for the stats:

http://www.mach5.com/support/analyzer/manual/html/General/AboutSessions.htm


http://www.mach5.com/support/analyzer/manual/html/General/AboutIPAddress.htm


http://www.mach5.com/support/analyzer/manual/html/General/Cookies.htm

Anonymous said...

http://www.mach5.com/support/analyzer/manual/html/General/AboutSessions.htm

http://www.mach5.com/support/analyzer/manual/html/General/AboutIPAddress.htm


http://www.mach5.com/support/analyzer/manual/html/General/Cookies.htm

Let's see if those work?

Anonymous said...

Hmm that's strange it's cutting off the last bit of each link-

Here's what they say:
About IP Addresses

Each user on the Internet is generally assigned a unique 32-bit number, called an IP address. IP addresses look like this: 206.102.200.1. Internet Service Providers (ISPs) who provide dial-up connections generally dynamically assign IP addresses to their users, so individuals coming to your site will not each have a unique IP address.

This is why FastStats Analyzer uses the I/PRO algorithm when calculating the number of visiting users.

To improve the ability of Analyzer to recognize separate users and track separate sessions, you can make sure your site sets an appropriate Visitor ID cookie, or at least that it sets a session cookie for a Session ID.

-----

About IP Addresses

Each user on the Internet is generally assigned a unique 32-bit number, called an IP address. IP addresses look like this: 206.102.200.1. Internet Service Providers (ISPs) who provide dial-up connections generally dynamically assign IP addresses to their users, so individuals coming to your site will not each have a unique IP address.

This is why FastStats Analyzer uses the I/PRO algorithm when calculating the number of visiting users.

To improve the ability of Analyzer to recognize separate users and track separate sessions, you can make sure your site sets an appropriate Visitor ID cookie, or at least that it sets a session cookie for a Session ID

-----

Visitor Tracking

During setup, Analyzer asks for the name of a Visitor ID cookie. If you are placing a visitor ID cookie on your visitors' browser, you can enter in the name of that cookie variable. Doing so will enable accurate session statistics for your reports. For most session-based reports, and especially for repeat visitor reports, Analyzer needs to be able to delineate clearly when a session starts and when one stops. Analyzer constructs a session identifier out of the IP address and the Visitor ID cookie value. If there is no Visitor ID value, Analyzer simply uses the IP address. But many users can share the same IP address, particularly from large ISPs like AOL that have internal networks. In either case, Analyzer uses the time between accesses with the same session identifier to determine sessions.

Anonymous said...

Arghh - sorry about the repeat above here's what it should have said

About Sessions

The concept of a user is hard to define. FastStats Analyzer uses the widely accepted I/PRO method of calculating the number of users who have visited. Each unique IP address visiting your web site is considered a user, and a request from that same IP address over 30 minutes after the last request also adds to the user count.

If your site uses a session cookie, you can set up Analyzer to read this cookie value, in which case Analyzer will incorporate the value into the session identifier along with the IP address. You will get a much more accurate breakdown of sessions this way.

The best solution is to use a visitor ID cookie, so that your site can assign an unique identifier to each visitor
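
The counting rule quoted in this thread (each new IP is a "user", and a request more than 30 minutes after that IP's last request adds another) can be compared with cookie-based counting on a small log. This is an added example, not part of the original comments and not FastStats code; the hit times and cookie values are constructed, and the function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TIMEOUT = timedelta(minutes=30)  # idle gap after which the quoted rule adds a "user"

# Constructed hits: (timestamp, client IP, visitor-ID cookie). The IPs are ones
# named on this page; the times and cookie values are invented for illustration.
HITS = [
    # One browser returning three times, an hour apart, from the same IP.
    ("2003-11-12 09:00", "66.185.84.204", "v-a"),
    ("2003-11-12 10:00", "66.185.84.204", "v-a"),
    ("2003-11-12 11:00", "66.185.84.204", "v-a"),
    # Three browsers behind one shared proxy IP within ten minutes.
    ("2003-11-12 14:00", "66.185.84.202", "v-b"),
    ("2003-11-12 14:05", "66.185.84.202", "v-c"),
    ("2003-11-12 14:10", "66.185.84.202", "v-d"),
]

def _parsed(hits):
    rows = [(datetime.strptime(t, "%Y-%m-%d %H:%M"), ip, c) for t, ip, c in hits]
    return sorted(rows, key=lambda r: r[0])  # process in time order

def ipro_users_by_ip(hits):
    """IP-only rule: first sight of an IP, or a gap > TIMEOUT, adds one 'user'."""
    last_seen, users = {}, defaultdict(int)
    for ts, ip, _ in _parsed(hits):
        if ip not in last_seen or ts - last_seen[ip] > TIMEOUT:
            users[ip] += 1
        last_seen[ip] = ts
    return dict(users)

def sessions_by_ip(hits):
    """Session identifier = (IP, visitor cookie), still split on the idle gap."""
    last_seen, sessions = {}, defaultdict(int)
    for ts, ip, cookie in _parsed(hits):
        key = (ip, cookie)
        if key not in last_seen or ts - last_seen[key] > TIMEOUT:
            sessions[ip] += 1
        last_seen[key] = ts
    return dict(sessions)

def visitors_by_ip(hits):
    """Distinct visitor-ID cookies observed behind each IP."""
    seen = defaultdict(set)
    for _, ip, cookie in hits:
        if cookie:
            seen[ip].add(cookie)
    return {ip: len(cookies) for ip, cookies in seen.items()}

if __name__ == "__main__":
    users, visitors = ipro_users_by_ip(HITS), visitors_by_ip(HITS)
    for ip in sorted(users):
        print(f"{ip}: IP-only 'users'={users[ip]}, distinct cookies={visitors[ip]}")
```

On this sample the IP-only count overstates one address (3 "users", 1 browser) and understates the other (1 "user", 3 browsers), so a per-IP "users" figure in such a report supports neither reading on its own.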

buckets said...

Lance. Whether or not these are 'relevant' depends on the question being pursued. If your question is 'can we show that someone else had this IP' between the two posts in question, you're correct, they don't do that. I'm pursuing a slightly different series of points: first, that the IPs should be regarded as proxying 'pools', and second that these 'pools' might be serving a lot of customers (still to come). Some of this, I think, will undermine the calculations that assume one customer per IP, but it will also undermine the arguments made by some (including me) that once an IP is seen in someone else's control, it is not likely to find its way back to an earlier user. Or, to put it differently, if we have a better idea how Rogers' IPs worked in this period, we'll have a better basis for judgment. That's what I'm working towards.

buckets said...

Thanks for that nbob. But again, I think it's best to seize hold of the first paragraph in your last post that two visits from the same IP that are 30 minutes apart count as two users. It strikes me as likeliest that the 66.185.86.204 users are one multiple visitor.

bigcitylib said...

Lance wrote:

"1) Firstly, anything after 2003 constitutes a new year and a new policy therefore anything after 2003 is trashed."

Sorry, but why would policy changes be linked to calendar years? That it would requires some argument.

lance said...

Buckets, my mistake. You are correct in that I read BCL's post and your investigations as an attempt to answer rather than simply data-gathering.

Obviously, given that the DHCP logs are toast and that we haven't heard from the admin or know what Rogers' DHCP policy was in 2003 then the more stats gathering the better in light of the questions.

Having said that, I think it's disingenuous to super-impose 2004 data to explain events in 2003.

BCL, re: policy change, yes, totally out of my hat. Buckets' investigation shows no IP movement in 2003 and movement in 2004. The SysAdmin in me says, "Hmm, someone changed the DHCP confs."

I found reading RFC 2131 for the definitive description of how DHCP works regarding assigning numbers to be very informative. 3.1, 3.2, and 4.4.5 specifically helpful.

Cheers,
lance

bigcitylib said...

"BCL, re: policy change, yes, totally out of my hat. Bucket's investigation shows no IP movement in 2003 and movement in 2004."

This particular bit of research maybe, but

http://bigcitylib.blogspot.com/2008/01/warmans-ip-address-again.html#links

...shows there was probably somebody not R. Warman using that IP from early '03 (I posted, but Buckets actually did the work).

buckets said...

Hi Lance. Obviously 2003 is better, but if we want to see how these Rogers IPs were handled, we should probably cast our net a little wider. Still, your wish is my command: if you look at Ringo, Ringo, Ringo, I think you'll see the same phenomenon in 2003 that I've been noting in 2004, a phenomenon that is in any case implicit in Klatt's testimony, where x.x.x.204 and x.x.x.200 are both mentioned.

As to where this goes, I'm not quite sure yet. I'm just enjoying trying to figure it out.

Anyway, I don't think that these shifting IPs are about DHCP, which if I understand governs how the host (Rogers) and client (its customer) interact--the H and C of DHCP. Rather, the issue is how Rogers proxy-servers were used.

Anonymous said...

CASE CLOSED!!!

So we know RW had the IP on Nov. 11/15/23 2003

So folks say he must have made the "Cools" post on Sept. 5 2003

Therefore it's safe to assume that he posted as "cdnenya" to a dog grooming site on Sept. 23,2003 18 days after the Cools post and about a month before the "known" posts

http://www.groomers.net/discus/messages/91/17395.html

How fascist and rule of law avoiding of him to fake the profile of cdnenya and use the name Carolyn Brown with a picture of a nice looking woman !

But it gets better !!!

On November 20,2003 - between two of his "known" posts he attempts to pass himself off as a simple sport fisher by signing the Leisure Island Guestbook as Nelson Gross !!

http://pdrenth.www2.onlink.net/guestbook/guestbook.html

Like I said the IP gets around-

Jan. 15, 2004 - someone named Jess has it
Jan. 18, 2004 - someone named Hathim has it
Jan. 26, 2004 - someone named Matt has it
Jan. 28, 2004 - someone named Nathalie has it

4 different people posting to 4 very different sites within 14 days

buckets- you'll like these:
same day, one post right after the other Shane goes from 66.185.84.196 to 66.185.84.204

and here at 22:25 and again at 22:51 someone seems to be doing some biology homework - in seconds they go from 66.185.84.204 to 66.185.84.202

http://instruct.uwo.ca/Usage/IQ/Apr-2004

Anonymous said...

xbox365.com/news/news.cgi/article/EpVpykyVFEFpZcGYqu6531


Shane's post

also looks like you have to add html at the end of some of the above links

Anonymous said...

Oh and I also missed this one -also posted between the "known" dates of Nov.11/15/23

On Nov. 12, 2003 Ethan ( aka cafe ) posts some pictures of his watch:

http://www.larrybiggs.net/scwf/index.php?mod=103&action=0&id=1068684743

So that's 3 different people with the same IP in 12 days ( one the very next day after the other)

bigcitylib said...

Nbob,

You googled all this? Makes me wonder about google, because I've gone through the same exercise a number of times and missed a bunch of the stuff you found (although I knew about the dog groomer one, and a bunch of visits to an Italian website)

Anonymous said...

Google, Yahoo and Lycos

buckets said...

nbob. Thanks for all those details, which approach the question from a different angle than I was: these details show that many people had this IP, I was trying to show that those who used this IP often had different ones. It seems to me, however, that all this does not prove Warman innocent. What it shows, I think, is that these IPs were proxies that were serving a number of Rogers' customers, and that there were other people in the same pool that Warman was.

bigcitylib said...

Buckets,

Makes the odds it's him longer though. The other thing is the geographic distribution of the computers using this IP. I thought there was some evidence for a few of the posts coming from outside of Ottawa. If that's the case, it means the pool is potentially quite large.

Anonymous said...

And the pool gets even larger-

On Nov.11 2003 - one of the days RW is known to have posted -someone going by caper ( mel w ) posts to the dog grooming site:

http://www.groomers.net/discus/messages/91/3156.html?1120598190

About 1 1/2 months later someone named tahnie (Donna) posts to the groomers (Jan 1 04)

I also found 3 others that had posted to boards on 9/24/03 , 12/10/03 and 12/31/03

So add them up and in the 4 months between Sept/03 and Jan 28/04 there are 13 different people with that IP - and that's only the ones who used it and left a name at a site which was also logged by a search engine. How many more might have had it without posting something and/or been logged by yahoo/google/lycos?

As for geographic location - from the groomer site -one was from Barrie, another seems to be from London, one just sez Ontario and the 4th doesn't say.

As for the " what are the odds two different people would visit the same obscure site with the same IP within 3 months" so called "proof"- well:

From April 3/03 to Jan 1/04 ( 9 months) 4 different people visit the grooming site - as noted 2 within a month and a half.

Also there's a music board (tfmpe.com) where 4 different people post in one month ( 2/09/03 to 3/9/03).

Anonymous said...

And-

Ethan posts his pics to some obscure watch lovers site then 7 months later John Drake writes about his watch from the same IP