Re: Name-Shifting ?

 
 
VanguardLH
      05-17-2009
Judith Smith wrote:

> Please can anyone advise on the likelihood of these posts being from
> the same machine/person - and what are the things to check on in order
> to ascertain?


> Path: ...!z5g2000vba.googlegroups.com!not-for-mail
> From: Lou Knee <(E-Mail Removed)>
> Date: Sat, 16 May 2009 09:34:18 -0700 (PDT)
> NNTP-Posting-Host: 80.254.146.36


> Path: ...!t11g2000vbc.googlegroups.com!not-for-mail
> From: "Just zis Guy, you know?" <(E-Mail Removed)>
> Date: Fri, 15 May 2009 09:27:38 -0700 (PDT)
> NNTP-Posting-Host: 80.254.146.36


Timezone in the datestamp is the same for both posts (-0700). Posted in
less than 7 minutes apart. It is unlikely the poster had their IP
expired AND then they unbind from it (expiration only makes the IP
eligible for reassignment but the host hangs onto it until it unbinds
from it).

Same IP address for both posts (80.254.146.36). A reverse DNS lookup on
it returns 50ob.scansafe.net which doesn't look like it's a dial-up user
(that gets a different IP every time they establish a session). That
means the poster is likely using a broadband connection which means
their IP address sticks with them for a long time. Although this domain
does not include a ccTLD (country-code top-level domain), like .uk, this
domain's registrant says they are in the UK (Scansafe Ops, 198 High
Holborn, WC1V 7BD, London, United Kingdom). That the poster uses an ISP
in the UK doesn't mean that is where the poster is physically located --
although the poster is posting to a UK newsgroup their timezone puts
them on the west coast of the USA.
 
Just zis Guy, you know?
      05-17-2009
On Sun, 17 May 2009 16:23:18 -0500, VanguardLH <(E-Mail Removed)> wrote:

>Timezone in the datestamp is the same for both posts (-0700). Posted in
>less than 7 minutes apart.


The timezone is GMT+1 (BST), not unexpected for posts to a UK specific
newsgroup, and you're wrong, the posts are a day apart. Everything
except the IP is different, including the OS version.

50ob.scansafe.net is an outbound node of ScanSafe. See
<http://openrbl.org/query?50ob.scansafe.net>.

Guy
--
http://www.chapmancentral.co.uk/urc | http://www.nohelmetlaw.org.uk/

"To every complex problem there is a solution which is
simple, neat and wrong" - HL Mencken

Newsgroup may contain nuts.
 
VanguardLH
      05-18-2009
Just zis Guy, you know? wrote:

> VanguardLH wrote:
>
>> Timezone in the datestamp is the same for both posts (-0700). Posted
>> in less than 7 minutes apart.

>
> The timezone is GMT+1 (BST), not unexpected for posts to a UK
> specific newsgroup, and you're wrong, the posts are a day apart.


My bad. I didn't notice the day of the month was different by one.

ALL posts through Google Groups are biased to GMT. Don't go by the
NNTP-Posting-Date X-Trace headers added by Google. I went by the Date
header that the poster's newsreader added. It is unlikely the poster
is changing their timezone before they post and then change it back.
Changing the timezone on one's host is doable but trolls just used
identities to nymshift.

Poster -> Date: Sun, 17 May 2009 12:38:51 -0700 (PDT)
Google -> X-Trace: ... (17 May 2009 19:38:52 GMT)
Google -> NNTP-Posting-Date: Sun, 17 May 2009 19:38:52 +0000 (UTC)

Since Google biases their timestamps to GMT, you can't use their headers
to figure out where is the poster. I used the Date header that the
poster's client added.

> Everything except the IP is different, including the OS version.


Where is the OS information specified in those headers in the example
posts?

> 50ob.scansafe.net is an outbound node of ScanSafe. See
> <http://openrbl.org/query?50ob.scansafe.net>.


See my other reply to you. I haven't trusted anything reported by
OpenRBL for years.

That multiple companies using ScanSafe for filtering so their web
traffic may all appear to come from the same host at ScanSafe does not
make their host an *open* proxy. It just means those posters are
coming from downstream customers of ScanSafe. If Level3 masked out
whomever used their service, all their customers (and their users)
would look like they were coming from Level3, too.
 
VanguardLH
      05-18-2009
VanguardLH wrote:

> Just zis Guy, you know? wrote:
>
>> VanguardLH wrote:
>>
>>> Timezone in the datestamp is the same for both posts (-0700). Posted
>>> in less than 7 minutes apart.

>>
>> The timezone is GMT+1 (BST), not unexpected for posts to a UK
>> specific newsgroup, and you're wrong, the posts are a day apart.

>
> My bad. I didn't notice the day of the month was different by one.
>
> ALL posts through Google Groups are biased to GMT. Don't go by the
> NNTP-Posting-Date X-Trace headers added by Google. I went by the Date
> header that the poster's newsreader added. It is unlikely the poster
> is changing their timezone before they post and then change it back.
> Changing the timezone on one's host is doable but trolls just used
> identities to nymshift.
>
> Poster -> Date: Sun, 17 May 2009 12:38:51 -0700 (PDT)
> Google -> X-Trace: ... (17 May 2009 19:38:52 GMT)
> Google -> NNTP-Posting-Date: Sun, 17 May 2009 19:38:52 +0000 (UTC)
>
> Since Google biases their timestamps to GMT, you can't use their headers
> to figure out where is the poster. I used the Date header that the
> poster's client added.
>
>> Everything except the IP is different, including the OS version.

>
> Where is the OS information specified in those headers in the example
> posts?


In another subthread, Beauregard showed me where folks were looking to
identify the OS.

X-HTTP-UserAgent: Mozilla/4.0 (... Windows NT 5.1; ...)
X-HTTP-UserAgent: Mozilla/5.0 (... Windows NT 6.0; ...)

Since the user-agent string can be whatever you want, I haven't used it
to do much identifying of a troll or nymshifter. An add-on utility
(http://www.ieaddons.com/en/details/o...gent_Switcher/)
lets me pick whatever UA string that I want. I've used it at some sites
to make it look like I'm using a different web browser (because they
coded okay for something other than the one that I use). It comes with
22 templates of different web browsers for different operating systems,
all of which can be edited once selected. I'm so used to being able to
change the UA string that I never bother even looking at it to identify
the web browser or OS for the poster since it can be easily changed. I
suppose the nymshifter might not be as clever as for what I gave them
credit. I figure if I knew someone was lying to me about who they are
that I wouldn't trust the Lamborghini parked outside was theirs.
 
Nuxx Bar
      05-18-2009
Oh just admit it will you? This is the kind of thing which makes you
*so* despised: you don't just do the deed, you then lie about it, and
sneeringly call anyone who dares to challenge you a "troll". It's
pathetic. You're pathetic.
 
Just zis Guy, you know?
      05-18-2009
On Mon, 18 May 2009 00:06:34 -0500, VanguardLH <(E-Mail Removed)> wrote:

<snip hypothetical stuff>

Never heard of Occam's Razor, have you?

Guy
--
http://www.chapmancentral.co.uk/urc | http://www.nohelmetlaw.org.uk/

"To every complex problem there is a solution which is
simple, neat and wrong" - HL Mencken

Newsgroup may contain nuts.
 
Mike Easter
      05-18-2009
posted to 24hshd only

VanguardLH wrote:

> ALL posts through Google Groups are biased to GMT. Don't go by the
> NNTP-Posting-Date X-Trace headers added by Google. I went by the Date
> header that the poster's newsreader added.


GG stamps time/date in several places and they are identical adjusting for
tz. These are excerpts from a normal GG header:

Date: Thu, 14 May 2009 05:41:56 -0700 (PDT)

That line is always expressed in PDT regardless of source.

X-Trace: posting.google.com 1242304916 788 127.0.0.1 (14 May 2009 12:41:56
GMT)

That line is GMT and identical adjusted for tz offset.

NNTP-Posting-Date: Thu, 14 May 2009 12:41:56 +0000 (UTC)

That line is expressed as UTC; also identical.



--
Mike Easter


 
VanguardLH
      05-18-2009
Just zis Guy, you know? wrote:

> On Mon, 18 May 2009 00:06:34 -0500, VanguardLH <(E-Mail Removed)> wrote:
>
> <snip hypothetical stuff>
>
> Never heard of Occam's Razor, have you?
>
> Guy


Depends on your personal experience. In the newsgroups that I visit and
where trolls and nymshifters are truly a problem, they ARE smart enough
to know how to alter almost all the headers. There's a few that they
are stuck with if they don't operate their own NNTP server and peer it
to other NNTP servers.

I assumed the nymshifter was smart enough to know about UA strings. You
ASSUMED the nymshifter was uneducated on changing their UA string.
Those assumptions *do* have a significant effect on the hypothesis derived
as a cause of those assumptions, so Occam's Razor does not apply.
 
VanguardLH
      05-18-2009
Mike Easter wrote:

> posted to 24hshd only
>
> VanguardLH wrote:
>
>> ALL posts through Google Groups are biased to GMT. Don't go by the
>> NNTP-Posting-Date X-Trace headers added by Google. I went by the Date
>> header that the poster's newsreader added.

>
> GG stamps time/date in several places and they are identical adjusting for
> tz. These are excerpts from a normal GG header:
>
> Date: Thu, 14 May 2009 05:41:56 -0700 (PDT)
>
> That line is always expressed in PDT regardless of source.
>
> X-Trace: posting.google.com 1242304916 788 127.0.0.1 (14 May 2009 12:41:56
> GMT)
>
> That line is GMT and identical adjusted for tz offset.
>
> NNTP-Posting-Date: Thu, 14 May 2009 12:41:56 +0000 (UTC)
>
> That line is expressed as UTC; also identical.


Which means that nothing of the poster's location can be deciphered from
the timestamps.

So we're back to just the NNTP-Posting-Host header. Yet that IP address
is just whatever host was seen by the Google server and may not be the
physical location of the poster. Considering that ScanSafe provides
proxy service to do web filtering for several customers, those customers
could be somewhere else geographically than the data centers operated by
ScanSafe, and the users of those customers could be even more
geographically diverse.

So we can't tell where is the Google Grouper.
 
Mike Easter
      05-18-2009
VanguardLH wrote:
> Mike Easter wrote:


>> Date: Thu, 14 May 2009 05:41:56 -0700 (PDT)
>>
>> That line is always expressed in PDT regardless of source.


> Which means that nothing of the poster's location can be deciphered from
> the timestamps.


Correct. GG timestamps are only good for the time.

> So we're back to just the NNTP-Posting-Host header. Yet that IP address
> is just whatever host was seen by the Google server and may not be the
> physical location of the poster.


Correct.

> Considering that ScanSafe provides
> proxy service to do web filtering


I'm not crystal clear on exactly what scansafe does. I've read their
website and I've read what Guy Chapman said. I presume/accept that they
provide something that results in the effect of a proxy IP.

> for several customers, those customers
> could be somewhere else geographically than the data centers operated by
> ScanSafe, and the users of those customers could be even more
> geographically diverse.


That is what I'm thinking/believing/accepting.

> So we can't tell where is the Google Grouper.


Well, the original question is somewhat different from that.

If I (or Judith Smith) were trying to derive/sleuth the persona of Lou Knee,
I would consider the 'gestalt' -- the total body of information consisting
of a posting history of 3 posts, 2 of which were made after the persona
Judith Smith attempting to out the persona as Guy Chapman. So, some
deception may have been afoot after the JS outing post.

I would consider what I call the 'handwriting' of Lou Knee, which
handwriting is also not 'consistent' between the 3 posts, but I also assume
that LK is being deceptive.

IMO the deception did not extend to any effort at header modification,
because GG posting doesn't lend itself to that. The deception efforts were
to post via 2 different IP routes, 1 looks like a claranet dialup while 2
were the scansafe IP.

The useragent was also different between the 3; all were XP, one browser
was IE8, the other two IE7.

The business of trying to 'pin' those posts on Guy Chapman would be
inconclusive, but I don't think that the scansafe route is 'open' -- so not
very many people in the world are going to be accessing it.

GC is a windows user. He has posted GG via the scansafe, his chapmancentral
IP, and via individual net. His usual nntp agent is exactly the same as v
as JS Forte Agent 5.00/32.1171.

He has an extensive posting history and a website to judge his handwriting.
He has posted to GG with a Vista running FF3 and from the scansafe IP.
Maybe that is work related.

Given that the nymshift isn't really very important except to JS, I would be
inclined to let it slide and not try to sleuth it out, except for the
hobbyist aspect of id sleuthing.


--
Mike Easter

 