Tracking IP addresses and Usenet posts?

Discussion in 'Computer Security' started by RayLopez99, Jan 3, 2011.

  1. RayLopez99

    ZnU Guest

    There are some characteristics of language use that can be very hard to
    deliberately alter -- particularly with the (generally low) amount of
    effort someone is likely to put into writing Usenet posts. Things like
    the frequency with which specific words are used over a statistically
    significant text sample, for instance.

    I don't know about off-the-shelf software for doing this sort of
    analysis, but techniques like these have been use to help determine
    whether to ascribe particular writings to particular historical authors,
    e.g. the "Were all of Shakespeare's plays really written by one man?"
    ZnU, Jan 4, 2011
    1. Advertisements

  2. RayLopez99

    Snit Guest

    FromTheRafters stated in post ifu205$vst$ on
    1/3/11 7:51 PM:
    While there are tools to try to determine if one set of text is written by
    the same author as another set, the tools are far from perfect and require a
    fairly long sample. I was working with a professor who had access to (and
    was improving) such tools. I used it to confirm my suspicions with Steve
    Carroll and some of his socks, but *alone* I would not have considered it
    enough evidence to be certain (though after I used about 100 of his posts
    and about 50 of his socks, the confidence level reported by the software was
    over 90%).

    Steve also has tried to mimic my style with other socks of his - and the
    best I found he could do was about a 60-65% level of confidence by the
    software, and much lower when his exact quotes of mine were removed (around
    40%). Still, the fact he was able to get above the baseline 5% or so was
    telling - it indicated that he could "capture" some of my style. I suspect
    others could do better.

    I also assume there might be better software out there to do this task, but
    I do not know of any.
    Snit, Jan 4, 2011
    1. Advertisements

  3. Yes, but if they continually misspell a certain set of words, that can
    be enough for a non-authority "fingerprint". Also, use of a certain
    phrase can be a clue. I recall a poster using "quiet" for "quite" among
    other things and some thrown in 'as it were' that convinced me it was a
    person already known to me under another nym - i didn't need an IP.
    FromTheRafters, Jan 4, 2011
  4. RayLopez99

    RayLopez99 Guest

    Yes, good point. The authorities are concerned with finding the
    contactable person, whereas non-authorities are concerned with 'nym-
    shifting' and finding what nyms a poster is using. As to the program,
    I'm pretty sure it was a custom written program and not commercially
    available. Remember reading about it around 7 years ago in a major

    RayLopez99, Jan 4, 2011
  5. RayLopez99

    RayLopez99 Guest

    [On software that can detect a person's writing style]

    Really? I am cross-posting this to
    humanities.lit.authors.shakespeare in the hope that they can tell us
    what the name of this software is, or whether they've heard of it.

    RayLopez99, Jan 4, 2011
  6. RayLopez99

    Snit Guest

    RayLopez99 stated in post
    on 1/4/11
    2:01 AM:
    I had access to a version of it a while back... and found it to be only
    moderately useful unless you had a fairly large sample. Even then it was not
    Snit, Jan 4, 2011
  7. RayLopez99

    Snit Guest

    An Old Friend stated in post on
    1/4/11 9:15 AM:
    Agreed. Esp. when used with Usenet, a medium it was not designed for. At
    least the tool I used was meant for longer pieces of text - mostly to see
    which parts of the bible were written by the same person (though with all
    the edits that was seen as unlikely to be of much use) and of some
    historical works which are assumed to not be (or be) from the claimed
    authors - such as the example of Shakespeare talked about before. There was
    also quit a bit of focus on Dickens and Twain. But, again, these were
    novels or at least short stories being looked at - not the type text
    generally seen in Usenet. Still, looking at large numbers of posts with the
    assumption that headers were enough to tell if they were at least from the
    same person was enough to give evidence of who's sock was who's. But, no,
    not strong enough where it could (or should!) be used in court.

    I no longer have access to the program. Was fun to play with when I did.
    Snit, Jan 4, 2011
  8. That's not the point, I labeled no-one, but I "knew" that posters with
    different nyms were the same because of an inability to change ingrained
    habits. Your 'if things were different, they wouldn't be the same'
    approach doesn't give me much faith in your competence either. I said
    "among other things" so can't be offended by your lame attempt at an ad
    hom remark.
    FromTheRafters, Jan 5, 2011
  9. I would guess it would be absolutely useless - in fact, prejudicial.

    It seems to me that even so, it can be a good investigative tool.
    FromTheRafters, Jan 5, 2011
  10. RayLopez99

    za kAT Guest

    That was a lame attempt at an ad hom remark. Who am I? You?
    za kAT, Jan 5, 2011
  11. Don't mix websites with email with Usnet. They are different protocols
    with different characteristics.

    Every modern NNTP server, or Usenet server if you wish, supports the
    use of the "NNTP-Posting-Host" header, described in RFC 2980 and other
    RFC's. This was finally implemented widely because of the history of
    forged cancellation messages by the cult of scientology. (No, I'm not
    kidding, loolk up the history of alt.religion.scientology and forged
    cancel messages and Usenet spew by cult members trying to bury a

    This is *NOT* the IP address of the sender. It is the IP address of
    the NNTP posting hosting host, which may be connected by any client by
    any means that server accepts and may display no record whatsoever of
    the connecting client. But it is the host that first submitted it to
    Usenet, accoriding to the handling by all other NNTP servers. But it
    is enough to do a lot of backtracking to the site that is hosting the
    abusing spammer or canceller or troll, and it's been helpful
    You can't backtrack material, even with voodoo tools, if the
    intervening hosts didn't record the data in the message or in their
    own system logs where you can access it. Few sites bother to keep such
    logs, or react kindly to requests for such information, especially
    without a warrant. Of course, if you're the NSA, you can just place
    illegal but federally forgiven taps on the nation's fiber-optic
    backbones. (Look up the AT&T fiber-optic tapping case: it was nasty.)
    Bulletin boards are not NNTP. Like Wiki's, they typically have logs of
    the incoming connections and their IP addresses which can be read, or
    if necessaary their traffic can be sniffed. Once a Usenet message
    message gets to you, though, those connections have been broken and
    may be very awkard to track.

    NNTP does suffer from header forgery, but the NNTP-Posting-Host has
    been very helpful in reducing abuse: it allows tracking back to the
    host that accepted the message, or at which the header was forged,
    pretty effectively.
    Getting such a subpoena is pretty awkard: I've tried, and was told not
    to wast the time of the otherwise friendly law enforcement if I was
    not the person suffering demonstrable monetary loss over a pretty
    generous limit. (It was $30,000 over 10 years ago, I'm sure it's
    increased since then.) They wouldn't be able to justify the manpower
    and the subpoena.
    Nico Kadel-Garcia, Jan 5, 2011
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.