Monday, January 28, 2008

Warman's IP Address Again

Ezra is out there this morning being potentially defamatory again. So here's another bit of information to throw on the fire. Some background can be found in this earlier post.

Sunncity is the website of a Thai-based software development company. Truehits monitors traffic to Thai-based websites.

Three times in early 2003, Truehits tracked visits from a computer assigned the IP Address 66.185.84.204, the IP address from which Richard Warman apparently made at least one post to the Nazi website Freedomsite.

The record of these visits can be found, here, here, and here.

Now, the interesting thing is that Truehits classifies 66.185.84.204 as a "proxy server". That is, the kind of computer you might use to, oh I don't know, post anonymously to Nazi forums and in general keep your real IP address hidden for one reason or another. Perhaps you're hunting Nazis, like Mr. Warman, or perhaps you're a Nazi yourself and don't want to be found.

Now, this does not prove that the computer Mark LeMire et al identify as Warman's was in fact merely a proxy server, as the Truehits records come from earlier in 2003. But if it was, then this would explain the large number of users associated with 66.185.84.204 when you run a Google Search on it (people interested in dog grooming, people visiting Italian sites in 2004, and so on). It would also answer the question: How likely would it be for two people to post to the same Nazi forum from the same IP address a couple of months apart?

Well, if the whole purpose of 66.185.84.204 at the time was to render the user's real IP untraceable, not unlikely at all.

(At the very least, I think it shows that a computer not belonging to Warman had the IP in question sometime during 2003)

h/t Buckets and thanks Mike for the technical assistance.

24 comments:

agent orange said...

BCL: If I understand your post correctly, we know that Warman has hidden behind this proxy server at least once to post on a nazi web site. Are you suggesting that it is unlikely that he would have done so again (i.e. hiding behind the same IP server to post on the same nazi web site)?

My own intuition would lead me to believe that it is more likely that Warman would reuse the same proxy server more than once to post on that web site. In fact I would find it highly unlikely that by chance a random genuine nazi used the same proxy server as Warman did to post on the same site as Warman.

I mean, I'm assuming proxy servers are a dime a dozen online, but maybe this is just the proxy server of choice for nazis/fake nazis to post vile racist cr@p.

I don't even know how you go on a proxy server to fake your IP so maybe you can shed some light on this.

bigcitylib said...

AO,

You type in "list of proxy servers" on google and pick one from the long lists of them that Google returns. There are lots of them, but the point is, if you are a young Nazi posting to a Nazi website from someplace where it might get you into trouble, you might well choose an anonymizing proxy server.

agent orange said...

There are lots of them, but the point is, if you are a young Nazi posting to a Nazi website from someplace where it might get you into trouble, you might well choose an anonymizing proxy server.

That's true, but my point is, if the previous assumption (going back to your previous posts on this topic) was that Warman's IP was a Rogers IP which he could have held for only 2 weeks - a scenario which basically proved Warman had not posted the second post on Ann Cools - then the news that the IP in question is that of a proxy server makes it more likely, not less, that Warman is in fact the second poster.

Either way, nothing is certain, but there are 2 possible scenarios:

1st scenario: Warman posts on a nazi website using a proxy server. Months later, an unrelated, random, actual nazi posts on that same web site using the exact same proxy server Warman did a few months back.

2nd scenario: Warman posts on a nazi website using a proxy server. Months later, he does the same thing.

Unless I am mistaken in the 2 scenarios, I think Warman's chances to win a libel suit, where evidence is judged "on the balance of probabilities" are very slim.

In other words, here I think the balance of probabilities indicate that in fact Warman posted both posts on that nazi site, if only because of how unlikely scenario 1 is.

Obviously, some evidence might shed further light on this, if for example it is found that most posts on that nazi site use proxy servers, that would make it more likely that scenario 1 is true.

Ti-Guy said...

If I understand your post correctly, we know that Warman has hidden behind this proxy server at least once to post on a nazi web site.

How did you come to that conclusion?

I'm not even sure the two IPs Lemire documented to associate two usernames (one of which Warman admitted to using) with one device is irrefutable. So far as I know, that information only comes from Lemire's records, the authenticity of which hasn't been determined and shouldn't be assumed, especially since Lemire's a nazi.

Scott Tribe said...

BCL: you got a direct link to Levant's new posts you're mentioning might be defamatory?

bigcitylib said...

First link now goes directly to post, Scott.

Scott Tribe said...

AO;

I've noticed there sure are a lot of wanna-be law experts from the right-wing claiming Warman won't win his suit; sounds to me as if the general idea is trying to scare him into not filing suit.

Mark Francis said...

Is this a public proxy server? That is, a server one can voluntarily use to mask one's assigned IP? I don't think so. It appears to be a Rogers address, assigned to Rogers since at least 2001-11-01. See http://ws.arin.net/whois/?queryinput=66.185.84.204 for details.

That being said, Ti-Guy above is saying what I've been warning about all along: IP records are not tamper-proof.

I make no allegations. I'm simply saying that none of these records are carved in stone and if a person with access wanted to change them, he or she could without leaving a trace.

Be careful out there.

Ti-Guy said...

If Warman did go after Levant or Steyn, I would gladly cut him a cheque for at least $20.

I wouldn't. I'd become an embarrassing Steyn/Levant groupie, staking out space in front of the courthouse, decked out in nazi regalia and screaming about Islamozionist conspiracies to marginalise white christians.

Jeeze...that all doesn't sound that outrageous, does it?

agent orange said...

I've noticed there sure are a lot of wanna-be law experts from the right-wing claiming Warman won't win his suit; sounds to me as if the general idea is trying to scare him into not filing suit.

Scott Tribe: I'm just trying to discuss whether the evidence available so far points to Warman having posted at the site in question under "Lucy" and "90sAreOver".

I am not pretending to be an expert in libel law. I just know that if you can prove a statement is true, then you cannot be held liable for it, and I also know that in these cases, truth is determined on the balance of probabilities.

The post by BCL seemed to imply that the fact that the IP used by Warman is a proxy server makes it more likely that 90sAreOver was some other nazi using the same proxy server as Warman had used. I was merely discussing that point.

Mike said...

Mark,

Just because it was a Rogers IP doesn't mean it wasn't a proxy of some sort at one time - with or without the actual computer owner's knowledge. You used to be able to go to all kinds of hacker-cracker sites and download lists of all kinds of PCs that had been compromised and turned into proxies. Today that list might have become zombies in a botnet.

But it still backs up the point that some on the right seem not willing to hear or understand - that the IP OS Browser information from a forum's web logs is not enough to determine the identity of a pseudo-anonymous poster with enough certainty and accuracy to make the kinds of charges or accusations currently facing Warman. Especially if it is a DHCP IP and the records come from a questionable source with an ongoing grudge against the accused.

agent orange said...

IP OS Browser information from a forum's web logs is not enough to determine the identity of a pseudo-anonymous poster with enough certainty and accuracy to make the kinds of charges or accusations currently facing Warman

OK, sure enough. I'll be expecting the kind of restraint advocated above when accusations fly around a right-winger's anonymous postings.

But at the very least, the evidence currently available certainly points that further investigation is warranted. Warman has admitted to postings like that under the name "Lucy". Those postings have been traced to an IP address and so have the postings of "90sAreOver". This may not be proof beyond a reasonable doubt, but it certainly points to the possibility that Warman is also "90sAreOver".

I suspect, and I hope, that more evidence will surface one way or the other but in any event this topic is not settled.

passer-by said...

Agent Orange. This may not be proof beyond a reasonable doubt, but it certainly points to the possibility that Warman is also "90sAreOver".

But once this lands in court -- and we have no idea whether it will or not -- "the possibility" is not enough, especially if it can be shown that the defamatory postings did not characterize the identification as possible or probable, but certain.

Mike said...

Warman has admitted to postings like that under the name "Lucy". Those postings have been traced to an IP address and so have the postings of "90sAreOver". This may not be proof beyond a reasonable doubt, but it certainly points to the possibility that Warman is also "90sAreOver".

No, that points only to the fact that the posts came from the same IP address. It says nothing of the machine to which the address was assigned in a DHCP network. They seem to have logged the IP but not corresponding host names. They have also failed to show, if they exist, any other posts from that same IP on their forums. They have failed to show with any reasonable certainty that the IP was assigned to the same machine for both posts (for that would need a MAC address, not something found in most web access logs).

What is reasonable is that someone who has been running more than one web forum for at least the last 5 years (and longer) should have known that this information was not enough to make the serious accusation they made in their zeal to get a political enemy, which they represented as fact. It may have been enough to investigate further, but not to make the accusation. And now Warman can (and likely will) sue them for libel. And though it has been about 15 years since I studied private law, I would say that they had better hope by some miracle they are right about Warman, otherwise they have no defense - Warman could literally own them. Kathy Shaidle probably has a defense, but Connie and Mark are screwed unless the information they get (and most certainly do not currently have - IP records from Rogers, for instance) shows them to be correct.

And since we are pointing out multiple instances where literally hundreds of other people had or used this IP, including the time between the posts in question, I'll wager they are wrong. Mistaken, but wrong.

As unlikely as it is that Warman and a Nazi posted from the same IP months apart, it is equally (or more) as unlikely that Warman himself would get the same IP back after demonstrably having lost it months apart.

I do security work for a living and I would never use the scant evidence these guys did to accuse anyone of anything, especially in public. Investigate further yes, but that isn't the question here.
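An added example, not part of the comment above or of anyone's posts in this thread: a small log check of the kind the comment describes, run over constructed Apache combined-format lines. The usernames `alpha` and `bravo`, the paths, the documentation-range IP addresses and the 14-day lease threshold (taken from the two-week figure mentioned earlier in the thread) are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample log. IPs are RFC 5737 documentation addresses;
# usernames and paths are invented for illustration.
SAMPLE_LOG = '''\
203.0.113.7 - - [03/Sep/2003:10:15:02 -0400] "POST /forum/post?user=alpha HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [19/Sep/2003:22:41:10 -0400] "GET /forum/index HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X) Safari/85"
203.0.113.7 - - [11/Nov/2003:08:03:55 -0500] "POST /forum/post?user=bravo HTTP/1.1" 200 498 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.20 - - [11/Nov/2003:08:05:00 -0500] "GET /forum/index HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
'''

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" \d{3} \S+ "[^"]*" "([^"]*)"')
LEASE_DAYS = 14  # assumption: the two-week DHCP hold time mentioned in the thread

def parse(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, req, ua = m.groups()
        user = re.search(r"[?&]user=(\w+)", req)
        out.append({"ip": ip, "ua": ua, "user": user.group(1) if user else None,
                    "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")})
    return out

def compare_posts(records, user_a, user_b):
    """Summarise what the log supports about two usernames, and what it does not."""
    a = next(r for r in records if r["user"] == user_a)
    b = next(r for r in records if r["user"] == user_b)
    first, last = sorted((a, b), key=lambda r: r["ts"])
    # Traffic on the first post's address strictly between the two posts.
    between = [r for r in records
               if r["ip"] == first["ip"] and first["ts"] < r["ts"] < last["ts"]]
    other_agents = {r["ua"] for r in between} - {a["ua"], b["ua"]}
    gap = (last["ts"] - first["ts"]).days
    caveats = []
    if a["ip"] == b["ip"] and gap > LEASE_DAYS:
        caveats.append("gap exceeds assumed lease time; address may have been reassigned")
    if other_agents:
        caveats.append("different client seen on the address between the posts")
    return {"same_ip": a["ip"] == b["ip"], "same_agent": a["ua"] == b["ua"],
            "gap_days": gap, "other_agents_between": len(other_agents),
            "caveats": caveats}

if __name__ == "__main__":
    print(compare_posts(parse(SAMPLE_LOG), "alpha", "bravo"))
```

A matching IP and user agent still come back with two caveats here, because a web access log carries no MAC address or lease record that would tie both posts to one machine.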

bigcitylib said...

Since Rogers records are long gone (LeMire's "trechie" says so in his testimony), I'm not sure what there is left to investigate.

agent orange said...

Haha, I see you guys are quick to admonish wannabe law experts from the right, but obviously you guys are all experts in libel law. That's hilarious. (See Scott Tribe at 1:07 and passer-by at 3:08.)

And Mike, you start your post by saying my statement to the effect that there is a possibility that Warman is in fact the same poster is wrong, and then end up saying that the situation warrants further investigation. Guess what: that's exactly my point. Nice plug on the fact that you work in "security" though.

And besides, the new evidence discussed in BCL's original post shows that one can go and "grab" that IP whenever they want to not be traced. If that is true, and I don't know if it is other than from BCL, that was obviously part of Warman's MO in the past - get an untraceable IP to post racist comments - why you guys consider it so unlikely that he would do it again I can't figure out.

Again, before Ti-Guy pops a vein in his head, I'm not saying the allegations against Warman are necessarily true, but why is it so unlikely that this guy would get a proxy server IP to post when he has done so in the past?

Also, please explain to me why you guys are all in a knot defending this guy from these allegations when Warman himself has admitted to doing it at least once?

Mike said...

AO,

Don't get me wrong, I think it needs investigation to see who may have made those posts. I also think it requires investigation because I think it may show that there was a tampering with the logs in a ham-fisted attempt to frame Warman for this. The whole thing stinks.

But that doesn't change the fact that in my opinion, Connie and Mark at the very least jumped the gun. They had what seemed to be evidence, but it was inconclusive and required further investigation. There were (and still are in my opinion) too many holes in it. Indeed, BCL, Buckets and myself perhaps used what, 1 person day total to find all of the stuff we did about that IP. That information should have been enough to prevent someone from making the allegation they did, because the facts do not bear it out. But they didn't invest the time and now are rightly paying for it.

I mean the point of an untraceable IP is that it means these accusations can't be proven (BTW IP can be traced, to a point, but it requires a great deal more time and effort and a lot more data than 4 year old web access logs - try reading "Takedown" for an idea of what is involved).

"Also, please explain to me why you guys are all in a knot defending this guy from these allegations when Warman himself has admitted to doing it at least once?"

I think Warman is a dick for pulling this nonsense that he has admitted to. I am a free speech absolutist, personally - say whatever you want so long as it causes no harm to anyone. I don't like HRC and libel laws are a bit too easily used to actually chill free speech. That being said, neo-Nazis are putrid scum that should be shot and pissed on at every chance. And I think if you are going to make an allegation against someone, you better have damn good evidence no matter who you are.

agent orange said...

mike: you make some very good points. I agree that it was foolish to make accusations like they did.

One reasonable course of action would have been to show people the evidence they had and let people draw their own conclusions.

Steyn has some interesting posts on this subject. He does not seem to fear a libel suit from Warman at all, and even seems to be taunting him. He also includes a link to a guy trying to make a case that Warman is more likely than not the actual poster.
Check it out:
www.steynonline.com/content/blogsection/14/128/

bigcitylib said...

AO,

The problem with Lance's post is that, no matter what he seems to know, a lot of the posts from the IP we're talking about seem to have come from Toronto, Oshawa, etc. He says they have to have come from within a couple of miles from Warman's house. That's the way IPS work. But in this case that just seems false.

Blazing Cat Fur said...

Very good post on the subject.

http://tinyurl.com/2vvbbt

bigcitylib said...

BCF,

That's the post I'm talking about.

beagles get hit by trucks said...

Didn't Warman live in Ottawa in 2003?

Mike said...

Lance makes some good points and runs the numbers well. He does, in my opinion, make a few errors in his calculations of the odds so they come out in favour of Warman being the poster.

I think it is still 1 in 4047 not 1 in 341, since he makes some erroneous extrapolation.

I think, however, the issue remains that no evidence is forthcoming that the IP was ever assigned to Warman. They are connecting him to the IP because it is connected to 'lucy', an alias Warman apparently admits to using once (but not in the post in question). From that they say that Warman is the author of an early post because it shares the IP with 'lucy' even if it is from a different user name.

No evidence that Warman was assigned that IP and that he held it in both September and November of 2003.

It's a pretty weak case, no matter what Lance's post says. It's not about 'odds' but about showing for certain.