Chess Forum / General Topics / March 2008

Revision two: Analysis of Mottershead / Jones / Ulevitch reports

Guy Macon - 08 Mar 2008 16:51 GMT
For the record, here is my analysis.  I have some degree
of expertise in this area; I estimate my own skills to
be roughly equal to those of Mottershead, and I estimate
both of us to have skills well below those of Robert
Jones and David Ulevitch, both of whom are well-known
experts.

(2nd revision reflects the possibility that someone else
had physical access to at least two of Truong's computers.)

My analysis:

I have based this analysis on the information found at
the following URLs:

http://rs235.rapidshare.com/files/62649719/mottershead.zip
http://craic.com/forensics/uscf_usenet_analysis/USCF_Usenet_Abuse_Report_20071206.pdf
http://chessusa.blogspot.com/2008/01/expert-opinion-mottershead-report.html

After examining the above, I conclude:

The mottershead.zip files show that when Truong moved
to Lubbock, the author of some or all of the fake posts
moved to Lubbock.  When Truong visited Mexico City, the
author of some or all of the fake posts visited Mexico City.

The report from Robert Jones of Craic Computing concludes
that the data he examined shows that some or all of the
fake Usenet posts were sent from the same IP address as USCF
user "chesspromotion" (Truong), and that the IP addresses
moved together as Mottershead described.

The reports from David Ulevitch conclude that some or
all of the fake posts were posted from the same physical
locations that Truong was in at the time of the posts,
and that the posts to the USCF forums by chesspromotion
/ Truong were also made from those same physical locations.

Here are all of the explanations that I can think of,
some far more likely than others. My comments on each
follow:

Possible explanation #1:
Truong or someone living in his house generated those
particular fakes.

Possible explanation #2:
Mottershead fabricated the data that his report was based upon.

Possible explanation #3:
Someone else fabricated the logs Mottershead relied upon.

Possible explanation #4:
Someone controls Truong's PC remotely.

Possible explanation #5:
IP address spoofing

Possible explanation #6:
Identity theft.

Can anyone think of another possibility, no matter how remote?

Here is my analysis of each possible explanation, in reverse order:

Possible explanation #6:
Identity theft -- someone else was logging on to the USCF forums,
posting some or all of the fakes, going to Mexico, etc.

Not a reasonable explanation.  Too many people saw Truong in the
cities mentioned, and he has never reported being the victim of
such a comprehensive identity theft.

Possible explanation #5:
IP address spoofing -- the IP addresses themselves are faked.

This is not possible from the user's location.  See the Ulevitch
report for an explanation as to why this is true.

It *is* possible if the ISP itself is under control from someone
who can change logs, etc., but that is not a reasonable
explanation -- it would require compromising multiple servers
at multiple ISPs.

Possible explanation #4:
Someone controls Truong's PC remotely

Not a reasonable explanation.  To produce the timing shown in
the logs, this controlling would pretty much have to happen
while Truong was at the keyboard.  Also, the person doing the
controlling would have had to take control of Truong's new
computer (a PC running the Tablet PC version of Vista) as
soon as he got it.

Possible explanation #3:
Someone fabricated the logs Mottershead relied upon.

Not a reasonable explanation. This would require the USCF servers
to have been taken over remotely, the USCF sysadmins to be
incompetent, and no other crackers or botnet operators using
the same backdoor to take over and cause ill effects other than
a few logs being changed. It would also require evading all
malware scans since then.

Possible explanation #2:
Mottershead fabricated the data that his report was based upon.

I cannot evaluate whether this is a reasonable explanation.
Clearly, if the data that I and the two independent experts
examined was a clever fake, we would all come to the same wrong
conclusion. Is there any reason to believe that Mottershead
might have motive as well as opportunity?  Has anyone else
examined the actual servers just in case such a fabrication
was done through post editing? Or checked the timestamps and
backups of the server data to see if the supposed fabrication
missed a backup or two?   I personally don't buy this as an
explanation, yet I cannot say that it is impossible.

Possible explanation #1:
Truong or someone living in his house generated those
particular fakes.

We have not narrowed the author of these particular fakes
down to Paul Truong himself.  It could be someone who
travels with him and uses his computer.  We have, however,
narrowed it down to the physical location, a physical
location that moves whenever Paul Truong moves.

We also have not analysed all the fake posts, just a large
number of them.  Some of the unexamined fake posts may have
come from some other source.  Most of them, however, appear
to have come from Paul Truong's physical location.

Unless someone can show me another possible explanation or
convince me that one of the above possible explanations
holds water, I can only conclude that the evidence presented
so far points to Truong or someone living in his house
generating the fakes analysed by Mottershead.

Truong has repeatedly claimed to have evidence that he is
withholding that proves his innocence.  I cannot evaluate
that claim without seeing that alleged evidence.  Thus my
final conclusion is still open to revision based on new
evidence.

Again I invite those who think that Truong did not
generate any of the fake posts to please weigh in with
possible explanations I may have missed, rational
analysis of my comments below, or any other reasoned
discussion. I would very much welcome anyone blowing
holes in my reasoning.

Brian Lafferty - 09 Mar 2008 05:17 GMT
When will revision #3 be available?  Thanks for sharing your "analysis"
with us.

> For the record, here is my analysis.  I have some degree
> of expertise in this area; I estimate my own skills to
[quoted text clipped - 147 lines]
> discussion. I would very much welcome anyone blowing
> holes in my reasoning.
genuine expert unlike Mooterhead Ulevitch Jones - 11 Mar 2008 04:39 GMT
"Guy Macon" offered:
>Here are all of the explanations that I can think of,

>Can anyone think of another possibility, no matter how remote?

Of course anyone can, e.g.

Possible explanation 1a:
Someone living near but not in Truong's homes hacked into and
used his broadband wireless home network, which I know for a fact
was not secured with either WAP, WEP or better, and used just the
standard "admin" password (admin), and such person/s
generated those particular fakes.

This is not at all the same as your explanation 4, since Paul's
PC was not being remotely controlled (as via BOv3 or better).

Paul has since learned better and has secured his network. Note
the user-agent strings are trivial to spoof and also trivial to
legitimately duplicate by using a similar windoze and browser
environment.

Denzil

----- Original Message -----
From: "Guy Macon" <http://www.guymacon.com/>
Newsgroups: rec.games.chess.politics,rec.games.chess.misc
Sent: Saturday, March 08, 2008 11:51 am
Subject: Revision two: Analysis of Mottershead / Jones / Ulevitch reports

Guy Macon - 11 Mar 2008 06:03 GMT
>"Guy Macon" offered:
>
[quoted text clipped - 20 lines]
>
>Denzil

An *excellent* addition to the analysis, genuine!  Makes me glad
I have supported anonymous remailers for all these years.  This
is a great example of why such services are needed; the above
should be evaluated based on its own merits, not based on who
wrote it, and indeed it does stand on its own merits.  Good work!

I will revise my analysis later, but before I do, a few questions:

Assuming that a determined adversary also checked into the same
hotel in Mexico City and tried to access that network, I would
assume he wouldn't be able to hack into that wireless system and
would have to get his own account, but if the hotel used NAT (very
likely to be true) the IP addresses would still match.  Any flaws in
this reasoning?

Would any of his neighbors have a motive for posting fake posts
about various Chess personalities?  Would any of them have a motive
strong enough to move to Texas when he moved to Texas and vacation
in Mexico City when he vacationed in Mexico City?  Or are we
envisioning someone parked in a van outside night after night?

(I should have thought of this one myself, but it simply did not
occur to me.  Thanks!)

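As an added example, constructed here and not taken from the Mottershead, Jones or Ulevitch reports or from any poster, the following Python shows the kind of IP-and-time correlation the thread argues about, together with the NAT caveat raised in the post above: every log record is constructed, and a match is flagged as "shared address" whenever other forum users were also seen behind the same IP.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not drawn from any report cited in the thread.
# Forum access log: (user, timestamp, client IP)
FORUM_POSTS = [
    ("chesspromotion", "2007-03-01 14:02", "203.0.113.10"),
    ("chesspromotion", "2007-03-09 21:15", "203.0.113.10"),
    ("chesspromotion", "2007-06-12 09:40", "198.51.100.77"),  # new address after a move
    ("othermember",    "2007-06-12 10:05", "198.51.100.77"),  # someone else on that address
    ("chesspromotion", "2007-09-03 18:20", "192.0.2.55"),     # hotel network behind NAT
    ("traveler2",      "2007-09-03 19:00", "192.0.2.55"),
]
# Usenet articles: (Message-ID, timestamp, NNTP-Posting-Host)
USENET_POSTS = [
    ("<a1@example.invalid>", "2007-03-01 14:30", "203.0.113.10"),
    ("<a2@example.invalid>", "2007-06-12 09:55", "198.51.100.77"),
    ("<a3@example.invalid>", "2007-09-03 18:45", "192.0.2.55"),
    ("<a4@example.invalid>", "2007-10-20 11:00", "203.0.113.99"),  # no forum match
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def correlate(forum, usenet, user, window=timedelta(hours=2)):
    """For each Usenet article, report whether `user` posted to the forum from
    the same IP within `window`, and how many *other* forum users were seen
    on that IP. A non-zero count means the address was shared (NAT, open
    wireless), so an IP match alone does not single out one person."""
    posts_by_ip = defaultdict(list)
    users_by_ip = defaultdict(set)
    for u, ts, ip in forum:
        posts_by_ip[ip].append((u, parse_ts(ts)))
        users_by_ip[ip].add(u)
    results = []
    for msg_id, ts, host in usenet:
        t = parse_ts(ts)
        same_user = any(u == user and abs(ft - t) <= window
                        for u, ft in posts_by_ip.get(host, []))
        results.append({
            "message_id": msg_id,
            "ip_matches_user": same_user,
            "other_users_on_ip": len(users_by_ip.get(host, set()) - {user}),
        })
    return results


def summarize(results):
    """Split matches into 'sole user on address' vs 'address shared'."""
    sole = [r["message_id"] for r in results
            if r["ip_matches_user"] and r["other_users_on_ip"] == 0]
    shared = [r["message_id"] for r in results
              if r["ip_matches_user"] and r["other_users_on_ip"] > 0]
    return sole, shared
```

Articles in the "shared" list match the user's address but, as the NAT question above points out, could equally have come from anyone else behind that address; the sole-user list is the only part of the match that narrows things to a single account.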
David Richerby - 14 Mar 2008 11:21 GMT
>> Possible explanation 1a:
>> Someone living near but not in Truong's homes hacked into and
[quoted text clipped - 8 lines]
> should be evaluated based on its own merits, not based on who
> wrote it, and indeed it does stand on its own merits.  Good work!

No it doesn't.  An unsubstantiated, anonymous claim that Truong's
wireless network was open for all means nothing.

Yes, it's a possibility that somebody gained access to Truong's
wireless network and followed him to Texas and the hotel in Mexico.
But nobody needs an anonymous remailer to point that out.  Rather, the
anonymous remailer is needed in order to make scurrilous allegations
masquerading as fact, without revealing whose agenda is advanced by
introducing the idea that Truong was lax about network security.

Dave.


David Richerby                           Aquatic Erotic Chicken (TM): it's
www.chiark.greenend.org.uk/~davidr/      like a farm animal but it's genuinely
                                        erotic and it lives in the sea!

Mike Murray - 14 Mar 2008 15:26 GMT
>>> Someone living near but not in Truong's homes hacked into and
>>> used his broadband wireless home network, which I know for a fact
>>> was not secured with either WAP, WEP or better,

>No it doesn't.  An unsubstantiated, anonymous claim that Truong's
>wireless network was open for all means nothing.

>Yes, it's a possibility that somebody gained access to Truong's
>wireless network and followed him to Texas and the hotel in Mexico.
>But nobody needs an anonymous remailer to point that out.  

Exactly.  While conceding that someone may have good reasons for
posting anonymously, claims of personal witness by an anonymouse
usually should be disregarded.

Guy Macon - 14 Mar 2008 20:59 GMT
>>> Possible explanation 1a:
>>> Someone living near but not in Truong's homes hacked into and
[quoted text clipped - 11 lines]
>No it doesn't.  An unsubstantiated, anonymous claim that Truong's
>wireless network was open for all means nothing.

I didn't ask for substantiated claims.  I asked for all possible
explanations, no matter how unlikely.

>Yes, it's a possibility that somebody gained access to Truong's
>wireless network and followed him to Texas and the hotel in Mexico.

That's what I asked for.  My analysis will give my opinion as
to how likely it is that one of Truong's immediate neighbors
faked a bunch of USCF posts, followed him to a hotel in Mexico
and somehow knew that he had changed operating systems.  I will
then ask the reader to draw his own conclusions.

>But nobody needs an anonymous remailer to point that out.  Rather, the
>anonymous remailer is needed in order to make scurrilous allegations
>masquerading as fact, without revealing whose agenda is advanced by
>introducing the idea that Truong was lax about network security.

I don't care whose agenda is advanced.  I do technical analysis,
not politics.  I don't want to know who wrote it.  I asked for
possible explanations that I may have missed, and the anonymous
poster came up with one. (thanks, anon!)

I do not agree with your opinion about anonymous remailers.
There are many reasons why one might use one.  What if a
celebrity wishes to weigh in on this issue?  Imagine someone
tracing an IP address and finding that Britney Spears or
OJ Simpson answered my question.  Unlikely, but would you
deny them the ability to answer my question if they wanted to?
What if it was someone who feared retribution or someone who
is hiding from a stalker, someone suing them, or the police?
Would you deny them the right to answer my question as well?

The United States was founded upon anonymous pamphlets that
made what many considered to be scurrilous allegations against
the King of England.  The answer to falsehood is truth, not
suppression.

Bases - 11 Mar 2008 06:38 GMT
> "Guy Macon" offered:
> >Here are all of the explanations that I can think of,
[quoted text clipped - 178 lines]
> discussion. I would very much welcome anyone blowing
> holes in my reasoning.

Boring.

Ray Gordon, creator of the "pivot" - 14 Mar 2008 04:27 GMT
How would the anonymous poster "know" anything about the defendants?

Was the person living in a van?  Any witnesses?  Just a coincidence they had
a chess axe to grind?

Also, wouldn't this at least establish NEGLIGENCE?


Ray Gordon, The ORIGINAL Lifestyle Seduction Guru
http://www.cybersheet.com/library.html
Includes 29 Reasons Not To Be A Nice Guy

Ray's new "Project 5000" is here:
http://groups.yahoo.com/group/project-5000

Don't rely on overexposed, mass-marketed commercial seduction methods which
no longer work.

Thinking of taking a seduction "workshop?" Read THIS:
http://www.dirtyscottsdale.com/?p=1187

Beware!  VH-1's "The Pickup Artist" was FRAUDULENT.  Six of the eight
contestants were actors, and they used PAID TARGETS in the club.  The paid
targets got mad when VH-1 said "there are no actors in this club" and ruined
their promised acting credit.  What else has Mystery lied about?
