From a couple of events over the weekend it seems that one of Guido’s hangers-on has sunk to a new fucking low.
Here’s the story.
On Saturday - a comment was posted here that ‘appeared’ to have come from Rachel North but which actually linked, instead, to a spoofed blogger site full of uberChristian fundie crap, the url for which was ‘rachAelnorthlondon.blogspot.com’.
That site has now, unsurprisingly, vanished into the electronic aether - but more on that in a moment.
My response to this, as ever, was to put out an alert that ID’d the spammer, including their IP address, to ensure that they didn’t succeed in leeching hits off the back of both spamming blogs and climbing on the back of Rachel’s excellent reputation.
I also e-mailed Rachel - just in case the fake url turned out to be nothing more than a typo - and posted an update to the effect that the IP address cited should be taken under advisement until Rachel has replied to me after receiving two further comments about the spam comment - both of which were picked up by Spam Karma, both came from obviously spoofed IP addresses and both claimed that the spam comment had used Rachel’s real IP address.
Later on Saturday, a reply came in from Rachel, indicating that she was visiting family over the weekend and hadn’t posted here.
At this point I was harbouring a particular suspicion, the nature of which will become clear in a moment, but on the information I had at the time, I had to go with the alert and leave the IP address in situ - as Rachel was away from home, she couldn’t confirm whether the IP address cited belonged to her or not and without that confirmation the call was between the possibility of other bloggers getting hit with the same spam or going with the IP address I had in the knowledge that if it did turn out to be Rachel’s it could be quickly removed and a correction posted.
Today - a number of things have happened. Rachel has posted a comment here and between that comment and a private e-mail conversation it’s been established that the scabby cunt who posted the comment on Saturday did use an IP spoofing tool to make it appear that the comment had been posted by Rachel.
What they obviously didn’t count on, was that I’d check things out with Rachel by e-mail and keep her apprised of developments.
A few quick checks also demonstrated that not only has the spoof blogger site miraculously vanished into thin air, but also that it wasn’t around long enough for Google to either cache or index the site. In other words, it had been specifically set up to try and pull off this spoofing stunt.
NOW, what does this tell us?
First, whoever the cunt behind this is, they’re packing a reasonable amount of technical knowledge - enough to know what an IP spoofer is, where to get one and how to use it.
Second, whoever it was knows Rachel’s real IP address… and that’s not the easiest piece of information to come by unless the scumbag in question is a blogger or has been fed the information by a blogger, one on whose website Rachel has previously posted a comment, which would leave behind a record of her IP address in the blog’s stats.
In other words, this is ‘one of our own’ trying to pull off this skanky piece of fuckery, and given the events of this week and the fact that the only real common ground between myself and Rachel of late is that we’ve both, to very different degrees, come down on Tim Ireland’s side in his spat with Guido and his sock puppets, this is a clear indication that the cunt behind all this is in some way connected with Guido - probably not Guido himself, as if he’s having to appeal for help in tarting up the HTML on his site then it’s unlikely he has the technical nous to pull off a spoofing attack, but almost certainly one of his personal coterie of sock puppets, intellectual malingerers and general hangers-on.
Now, where does this take us?
Well, from a personal standpoint, if one of Guido’s sock puppets wants to play tech wars with me, then bring it on, fuckwit.
I’m no novice at this game, nor is ‘Unity’ the only online name I’ve ever run by; it’s the one I’ve stuck with for a good few years and represents what could be called my ‘white hat’ persona - there’s also a ‘black hat’ persona of mine that’s been in ‘retirement’ for quite some time and if needs be I’ve no problem with them making a comeback, if this shit carries on.
(If all that means nothing to you, btw, don’t worry about it - you don’t need to know, but any techies out there will know what I’m talking about and what I mean).
No, what really fucks me off here is that this particular cunt chose to drag Rachel into it, and Rachel, by her own admission, is a long way from being a techie.
That, in no uncertain terms, is completely fucking out of order and the behaviour of a little cunt of a script-kiddie, not a genuine techie or even a halfway decent ‘netizen’.
It’s not unknown, on occasions, for a couple of techies to go at it and to make full use of their technical knowledge in the process, but even these rare confrontations have their unspoken rules, one of which is that you leave the non-techs out of it - call it ‘honour amongst thieves’ if you like but unless you’re a complete and utter cunt, you don’t use your superior technical knowledge to fuck over newbies, no matter who they are or how much you might think they’re asking for it.
This is where Paul Linford has made the wrong call in thinking that the ‘split’ over Tim’s spat with Guido is simply a matter of people dividing down political lines - it isn’t, because if Tim had made the wrong call and was out of order in taking a shot at Guido, I’d be amongst the first to tell him, and tell him up front.
This isn’t about politics, it’s about basic standards of behaviour and what’s long been called netiquette. Tim’s standing up for that, Guido couldn’t give a fuck and at least one of his shithead hangers-on wouldn’t know what it was if you engraved the word into a baseball bat and fucked them round the head with it until you could read it in the welts on their forehead.
So, to make it absolutely clear, I’ve removed Rachel’s IP address from my post about the spammer - and if you did add it to your blog’s spam blacklist, then please remove it… and if you’ve added it and then forgotten what it is then email me at talkpoliticsukATgmailDOTcom and I’ll refresh your memory.
Beyond that, all I’m going to do is ask that you reflect on the information I’ve laid out above and what that has to say both about what Tim’s been doing in calling out Guido, and what it says about the character of at least one of his scutters, the cunt behind this spoofing attack.
Let’s be honest here. I think most of us know Rachel from her blog, know what she’s been through and especially how she’s one of those bloggers whose writing brings real credit to the British blogosphere - so even if someone does want to take a shot at me, what possible fucking justification can they have for trying to bring her into it and stitch her up at the same fucking time?
Absolutely fucking none - so just ask yourself just exactly what kind of scumbag cunt would even try.
License
This work is published under a Creative Commons Attribution-NonCommercial-ShareAlike 2.0 England & Wales License.
19 Comments so far
Unity, that doesn’t sound like a “spoof” to me. Spoofing techniques are used for Denial of Service and/or SYN flood scanning. It can’t be used to anonymously browse the Internet. It simply wouldn’t work. If you spoof the IP header with a fake address (in this case you say Rachel’s) then by definition when that connection is made, the SYN ACK will revert backwards to the original spoofed source i.e. Rachel. At which point it would fail because she had not initiated the first SYN.
By implication, if what you say really did happen (and I have no reason to doubt your ability to read logs), then it is far more likely that Rachel herself has been compromised and rather than the attack happening from somewhere else and being spoofed (which as I say wouldn’t work), it’s more likely the incident did come from Rachel’s machine, it just wasn’t her that did it (this assumes of course that Rachel pays for a static address from her ISP rather than having one dynamically allocated from a CIDR pool).
Comment by dizzy 01.22.07 @ 3:52 pm
I’ve already advised Rachel to give her PC a full once over for trojans in case it has been compromised, but if she has that only makes matters even worse, as someone has then relayed off her PC, using her IP address with a specifically targeted attack using a spoof on her blog URL and directed here.
That’s a lot of work just to drop a dodgy url on my blog and a few too many coincidences for my tastes.
I don’t want to go into details, but there are ways of spoofing an IP address either by using a proxy or by altering the contents of the HTTP header variable from which WP picks up the IP address, and there was an exploit related to this in WP 2.02 which was thought to be closed but which I may need to investigate further.
One piece of information would settle this - Rachel was away from home on the day the comment was posted and if she switches her PC off while she’s away then it’s impossible for anyone to have gated in to here by bouncing off it.
As for static v dynamic, with blueyonder, the point is moot as long as you don’t turn off the cable modem for any length of time, as although they claim to cycle their dynamic addresses every 24 hours, they also use lease allocations that run until 2038, so unless you specifically relinquish your current lease (for which you need to open a command line) or switch off for long enough to be noticed and your existing lease returned to the pool, your IP address won’t change.
Comment by Unity 01.22.07 @ 4:32 pm
There are OpenID plugins for Wordpress that seem fairly reliable by the way, in case you were wondering about a technical solution. OpenID seems a fairly reliable system; Livejournal have had it as an option for signing comments for some time, though only one person’s ever used it with me.
Comment by fridgemagnet 01.22.07 @ 4:34 pm
Fair enough Unity, I didn’t know she was on cable. 2038 is stupid though, someone should contact their NOC about that.
As for what you said about HTTP header contents, that is not really IP spoofing. IP spoofing is where you inject a different source address into the IP header of a packet, and as I said, it’s only useful for syn flood attacks or scanning large networks in order to create a cloud of confusion about the source.
Usually when it’s done you find yourself hit from literally hundreds (sometimes thousands) of addresses of which one of them is real, but you have no way of knowing which. The attack usually ends before you get to that point. I’ve spent many an evening dealing with DDOS attacks in ISPs
The days following can be quite interesting when you’re poking around Cisco kit. Rare that one ever actually catches the f*ckers tho.
Unity, if it was just the HTTP header where it was spoofed you may - if you have access to the server and have some stateful packet inspection running - be able to match its timing up with the real IP that’s in the IP header. Just a thought.
Comment by dizzy 01.22.07 @ 5:01 pm
It has crossed my mind, and as the comment was posted at breakfast time on Saturday, which is fairly quiet, it may not be such a reach to drag the info out of the server logs.
Whether that takes me anywhere is another matter, it depends on what’s being used to run the header spoof and whether it’s running on a local machine or gated via another anonymous proxy.
Then again, that alone should tell me something about the culprit as a script kiddie is likely to go direct, while a pro would bounce off an anonymous proxy, in which case the trail will end somewhere like the Sudan or Vietnam.
As I said, if someone wants to take a shot at me, then fair enough, but dragging a non-tech into things is completely off beam.
Comment by Unity 01.22.07 @ 5:06 pm
Agreed on bringing her into it if you were the target. Very odd. Anonymous proxies are not a total lost cause though, a lot of providers for them can be quite helpful if requests come through the abuse teams in ISPs. It’s quite a friendly small industry in that respect. Having said that, it may be more hassle than it’s worth to them as well. I know in some roles in the past for a big tier one player we rarely went after anyone unless they caused serious damage e.g. DDOS’d a datacentre, so a post on a website prolly wouldn’t get much attention sadly.
It’s a bit weird for someone to post to a uber christian fundamentalist site though and pretend to be someone else isn’t it? Very odd.
Comment by dizzy 01.22.07 @ 5:11 pm
I can’t actually understand what you lot are talking about re. above comments as I am a total tech muppet, but I can confirm that I was away all weekend and I left the PC on all weekend. Well, my other half did, and he only went on it in the morning to look up the times of the footy match he was meant to be going to later, and to get cheats for Grand Theft Auto where he was stuck on a mission. Later on he came down to join me at my family’s house. He doesn’t ‘do’ blogs. So whoever it was and I have no idea who, didn’t do it from my flat, but must have pretended to be me from elsewhere. Or something.
I run Norton Antivirus all the time, I obviously need to do a Trojan horse search or something and will be getting advice on what to do to clean up the PC, which has been very slow recently even though I defragged.
Thanks everyone
Rach
Comment by Rachel 01.22.07 @ 8:22 pm
It may well be my stalker. I am not going to say who the stalker is, as the matter is with police, and I don’t want to compromise the trial, however, if it WAS the stalker, they won’t do it again, as they are now in custody as of Sunday morning. And that is all I am able to say on THAT subject.
Comment by Rachel 01.23.07 @ 12:51 am
What with Unity being a self professed l33t h4x0R an all I guess it’s time to take up the tinfoil helmet and start using Tor
Comment by countdrunkula 01.23.07 @ 2:09 am
Count:
We’re still working to establish precisely what happened and whether this is a matter of a nutjob stalker wandering into the middle of the current blog war at an inopportune time or not - and the nutjob is a blogger, I should add.
As I’ve said in an earlier post, I’ve no probs with people staying anonymous as long as they don’t abuse that anonymity, and spoofing is just such an abuse, but if someone just trolls here anonymously, they’ll be told to fuck off and that’s about it.
As for Tor, a few days network testing is all it needs to ID and block its ‘onion-skin servers’ so use it if you like, but the first time it’s used to fuck about I’ll block the network.
Comment by Unity 01.23.07 @ 7:52 am
Re “making the wrong call,” I realise my rather flippant comment about people dividing on political lines was open to misinterpretation.
What I was trying to do was make the purely factual observation that, with one or two exceptions, the left-wing bloggers were supporting Tim while the right-wing ones were supporting Guido. I did not mean to suggest that personal politics was the reason that they were dividing thus, merely that, as a matter of observable fact, they were dividing along those lines.
When you think about it, though, isn’t it overwhelmingly the case that a campaign based around the (collectivist) idea of “netiquette” and “codes of honour” in which bloggers have mutual obligations to each other, is going to appeal more to those of a left-wing bent, while Guido’s proprietorial “this is my website and I’ll do what I want with it” approach is more in tune with a right-wing worldview?
Comment by Paul Linford 01.23.07 @ 9:46 am
When you think about it, though, isn’t it overwhelmingly the case that a campaign based around the (collectivist) idea of “netiquette” and “codes of honour” in which bloggers have mutual obligations to each other, is going to appeal more to those of a left-wing bent, while Guido’s proprietorial “this is my website and I’ll do what I want with it” approach is more in tune with a right-wing worldview?
Oddly enough, Paul, that’s not how it works in practice.
I cut my online debating ‘teeth’ largely on US-based newsgroups and discussion forums, and to be honest there were no stronger or fiercer advocates of netiquette in that environment than the right-wing libertarian crowd, most of whom would loathe the way Guido operates.
Netiquette pretty much is, as you suggest, a code of honour and a key part of the underpinnings of its communal responsibilities is a respect for others’ right to express themselves freely - as I’ve pointed out in another piece, netiquette was ‘born’ firmly in the US First Amendment culture of free expression and that very much informs its ethical code.
This is where the ‘generation gap’ thing comes into play - amongst my own *older* generation of netheads, Guido’s antics would get him hosed from all sides of the political divide, because netiquette doesn’t run on political lines. If you have a beef with someone, you settle things out in the open and in plain sight.
It’s only with the internet going mass-market and bringing new bloggers into the frame who haven’t come up in that culture that the kind of political tribalism that ignores and blows off breaches of netiquette has started to emerge.
That’s not to say that the older crowd of netheads aren’t politically tribal in their views - just pop onto a US political forum with a mixed crowd and chuck in the right ‘lightning rod’ post on abortion rights or gun control (a classic troll ‘hand grenade’ is to suggest that the reference to ‘militia’ in the US Second Amendment - the right to bear arms - means that Jefferson was referring only to the National Guard) and you’ll quickly see how tribal (and vicious) it gets out there, but the ‘rules’ of netiquette still apply - start deleting or stealth editing posts and you’ll get called on it and get dogpiled from all sides, left and right.
Comment by Unity 01.23.07 @ 10:08 am
Unity: I wasn’t being entirely serious, although I have been looking at tor of late out of interest. Of course there are legitimate reasons why such software should continue to exist, and anonymous sniping on a blog is not high up on the list. Blocking it may prove harder as it’s fairly trivial to set up a server as well as a client, which means you could theoretically be taking on the internet. Back in the real world, there are probably only a thousand odd servers available at any given time (guesstimate). I am not proxied at present, but my email address isn’t real cos, as any fule kno, giving away your real address in this day and age is just daft. TTFN and thanks for the posts.
Comment by countdrunkula 01.23.07 @ 10:17 am
My favourite hand grenade is to say George Washington was a traitorous terrorist scumbag. Always works
Interestingly, the rachel who has posted 2 comments at 8.22pm yesterday and 12.51 am today has a link from her name to www.rachelnorthlondon.blogPSot.com, which is that christian fundie crap that you were talking about Unity.
what’s the deal with that?
…and oddly enough, clicking the link from my post takes you to an error page, but clicking the rachel takes you to the mega bible studies site. how strange.
Comment by tom p 01.23.07 @ 2:25 pm
Ah, yes - I can see what’s happening here.
The two posts in question are both the real Rachel, unless our spammer has compromised her Gmail box, as both comments relate directly to e-mail conversations that were taking place behind the scenes shortly before the posts were made.
This link - http://www.blogpi.net/blogpsotcom - however explains the fundie crap - the guy behind it, whose WHOIS info I posted the other day, has registered the domain blogpsot.com with a wildcard DNS entry, so any mistyped link to anynameyoulike.blogpsot.com will lead you there, and transposing two letters in a URL is an easy mistake to make, but that’s not quite the same as the url used in the first spam and, more importantly, Rachel has indicated that she wasn’t home at the time that the first post was made.
Comment by Unity 01.23.07 @ 2:45 pm
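
The check suggested in the thread above, matching a comment's timing against the address of the real connection, as an added example that is not part of the original post or its comments. The log layout (combined format with the client-supplied X-Forwarded-For header appended), the `/wp-comments-post.php` path and every address and timestamp are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data. Assumed log layout: combined log format with the
# client-supplied X-Forwarded-For header appended as a final quoted field.
ACCESS_LOG = """\
198.51.100.23 - - [20/Jan/2007:08:14:02 +0000] "GET /a-post/ HTTP/1.1" 200 18422 "-" "Mozilla/5.0" "-"
198.51.100.23 - - [20/Jan/2007:08:14:41 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "192.0.2.77"
203.0.113.9 - - [20/Jan/2007:08:31:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
"""

# Constructed comment records: the address the blog stored, and when (UTC).
COMMENTS = [
    {"id": 101, "stored_ip": "192.0.2.77", "time": "2007-01-20 08:14:41"},
    {"id": 102, "stored_ip": "203.0.113.9", "time": "2007-01-20 08:31:12"},
    {"id": 103, "stored_ip": "192.0.2.50", "time": "2007-01-20 11:00:00"},
]

LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)

def parse_comment_posts(log_text, path="/wp-comments-post.php"):
    """Return POSTs to the comment handler with the socket peer and header value."""
    posts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        posts.append({
            "peer": m["peer"],  # address of the completed TCP connection
            "xff": None if m["xff"] == "-" else m["xff"],  # client-controlled
            "ts": ts.astimezone(timezone.utc).replace(tzinfo=None),
        })
    return posts

def correlate(comments, posts, window_seconds=5):
    """Compare each stored comment IP with the peer(s) that posted at that time."""
    window = timedelta(seconds=window_seconds)
    findings = []
    for c in comments:
        when = datetime.strptime(c["time"], "%Y-%m-%d %H:%M:%S")
        near = [p for p in posts if abs(p["ts"] - when) <= window]
        peers = sorted({p["peer"] for p in near})
        if not near:
            verdict = "no-matching-request"
        elif c["stored_ip"] in peers:
            verdict = "matches-peer"
        elif any(p["xff"] == c["stored_ip"] for p in near):
            verdict = "taken-from-header"  # stored value came from the request header
        else:
            verdict = "unexplained-mismatch"
        findings.append({"id": c["id"], "stored_ip": c["stored_ip"],
                         "peers": peers, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in correlate(COMMENTS, parse_comment_posts(ACCESS_LOG)):
        print(f)
```

Where the site sits behind its own reverse proxy, the peer field is the proxy's address, so the same comparison has to be run against the proxy's logs instead.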
About as low as it gets……
IP addresses have played a role in recent outings, and we’ve also seen a few people playing fast and loose with issues of identity… so it does not surprise me at all that we now have an IP Spoofer in……
Trackback by Bloggerheads 01.22.07 @ 3:13 pm