Monday, March 31, 2008

66.185.84.204 and the promiscuity of Rogers' IPs (Summary thread)

Rogers IPs
Update. When I first posted this, I didn't realize that these were all Rogers' web-caching proxy servers. The shifting that I've documented is presumably a result of the practice of load-balancing (on which see here).

Over the last several weeks and in dozens of posts, we've seen how liquid some of Rogers' IPs were in the years 2003-2005. IPs in 66.185.84.xxx range seem to have changed without warming; in extreme cases a surfer might have several IPs in several minutes. (See, for example, here from 2004 where there are five IPs in half-a-day; or here from 2003, where there are three in 8 minutes; or some of the other listed under the label "quick change").

The shifts between these IPs are trackable, but the details are widely dispersed and the overall picture difficult to make out. Hence the graphic above. Each line connects two of the Rogers' IPs in our pool; I colour-coded them by year (see the key at the top right). The evidence for some of the equivalencies are more certain than for others, which can be checked via this index:
This list reflects, of course, only the tiniest fraction of the internet traffic. Every visit to any web-page is logged somewhere, but very few of those logs are ever published online and therefore become available to us, and only a tiny fraction of internet users edit wikipedia anonymously.

Who else used 66.185.84.204 in 2003?

The list of appearances of 66.185.84.204 in 2003 grew too lengthy for a single list, so I've divided its content into these shorter lists:

Sunday, March 30, 2008

rip-off (75 = 76 = 77 =78 =79 =81)

“There are three things in the world that deserve no mercy -- hypocrisy, fraud, and tyranny,” someone said. This is presumably why the internet is so merciless.

In this thread at Howard Forums, dating from March 2004, to judge from the Wayback machine, "drumming27" complains that he had agreed to sell an xbox to "Mr. Chow", but had never been paid, and now is unable to contact Chow. Drumming gives all the information that he has on "Chow", including the shipping address, all the IPs that in the communications. The list of IPs is again telling, since they are mostly Rogers:
    192.139.71.69 (torfw1.nesbittburns.com)
    209.161.243.29 (209.161.243.29) 24.102.71.218 (CPE00045ae17926-CM012069962605.cpe.net.cable.rogers.com)
    24.153.37.33 (CPE000c6efd4c43-CM000e5c6eb738.cpe.net.cable.rogers.com)
    24.156.41.95 (CPE000c6e83883a-CM014270033677.cpe.net.cable.rogers.com)
    63.230.237.230 (63-230-237-230.phnx.qwest.net)
    65.48.68.214 (65.48.68.214)
    65.50.50.102 (CPE000c6e806d9b-CM014310003972.cpe.net.cable.rogers.com)
    66.185.84.75 (wc08.wlfdle.rnc.net.cable.rogers.com)
    66.185.84.76 (wc09.wlfdle.rnc.net.cable.rogers.com)
    66.185.84.77 (wc10.wlfdle.rnc.net.cable.rogers.com)
    66.185.84.78 (wc11.wlfdle.rnc.net.cable.rogers.com)
    66.185.84.79 (wc12.wlfdle.rnc.net.cable.rogers.com)
    66.185.84.81 (wc14.wlfdle.rnc.net.cable.rogers.com)
    66.75.109.220 (cpe-66-75-109-220.socal.rr.com)
Some might have been struck by the number of IPs involved in such a simple transaction. But for those who have been following my recent posts, Rogers IPs within this group seem to do this a lot. Here it seems that Chow, too, had IP shifts from x.x.x.75 to x.x.x.76, etc., in early 2004.

another user of 66.185.84.204

The Armed Forces Institute of Pathology is part of the American Defense Department, it provides consultation, education and research. Its educational wing offers courses, and the registration logs for some of these can be seen on line. In January, 2004, someone registered in one of their on-line courses using the IP 66.185.84.204 (see here, here, and here).  You can see the name by clicking on the links and searching the IPs -- but it an Ottawa area physician who is listed among the authors of a paper on Calcified Colonic Mass.

How many different users used 66.185.84.204 to visit northern sites in 2002-2003?

ArcticCircle.ca is a web-host and central hub for a variety of northern communities. It has some great photo-albums and attracts a fair bit of traffic from across the country.

Included in its traffic are numerous visits from the mysterious Rogers IP, 66.185.84.204. Indeed, within its logs are 32 separate visits from that IP between January 2002 and April 2003. The logs preserve date, time, site visited, and details about the operating-system and browser of the visitor.

Here are the 32 visits by 66.185.84.204, in chronological order, together with the logged data.

no. date config log
1 20-Jan-02 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461) here
2 23-Jan-02 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461) here
3 31-Jan-02 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461) here
4 03-Feb-02 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461) here
5 28-Feb-02 Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461) here
6 03-Mar-02 Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) here
7 11-Apr-02 Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90; Hotbar 3.0) here
8 11-Apr-02 Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AtHome0107) here
9 25-Apr-02 Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)(R1 1.1) here
10 01-May-02 Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90) here
11 02-May-02 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461) here
12 23-May-02 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461) here
13 26-May-02 Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; AtHome0107) here
14 07-Jun-02 Mozilla/4.78 [en] (Win98; U) here
15 10-Jun-02 Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90; MSOCD; AtHome021SI) here
16 17-Jun-02 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705) here
17 20-Jun-02 Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; H010818; Rogers Hi-Speed Internet) here
18 24-Jun-02 Mozilla/4.0 (compatible; MSIE 5.5; Windows 98) here
19 13-Oct-02 Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Q312461; MSOCD; AtHome021SI; YComp 5.0.0.0; .NET CLR 1.0.3705) here
20 30-Oct-02 Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; AtHome0107) here
21 06-Jan-03 Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) here
22 06-Jan-03 Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) here
23 11-Jan-03 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) here
24 02-Feb-03 Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Rogers Hi-Speed Internet) here
25 16-Feb-03 Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; MSOCD; AtHome021SI; (R1 1.1)) here
26 26-Feb-03 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) here
27 01-Mar-03 Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461; YComp 5.0.2.5) here
28 05-Apr-03 Mozilla/4.0 (compatible; MSIE 5.16; Mac_PowerPC) here
29 18-Apr-03 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rogers Hi-Speed Internet) here
30 21-Apr-03 Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Rogers Hi-Speed Internet) here
These are obviously not all the same individual, though some of these are return visitors. Here are the easier identifications:
  • 1 =2 =3 =4 =11 =12
  • 5 = 29?
  • 6 = 21 =22
  • 7 = 15?
  • 8 (= 20?)
  • 9 = 13?
  • 10 = 17? = 19?
  • 14
  • 16 ?= 23 = 26 29
  • 18 = 20
  • 24 = 30
  • 25
  • 28
A few of these, too, might also be the same individual using a different computer via a wireless network, etc.

But one way or another it is difficult to avoid the conclusion that up to a dozen different individuals visited one of the sites at ArcticCircle.ca using the same IP address.

Quincy Library group (204 = 201)

In the guest log of the Quincy Library group are several examples of quick shifts between 66.185.84.204 and 66.185.84.201 in June 2002.
  • 66.185.84.201 - [06/16/02 02:18:18 PDT] - ERR: No Comments
  • 66.185.84.204 - [06/16/02 02:18:50 PDT] - ERR: No Comments
  • 66.185.84.201 - [06/17/02 22:33:33 PDT] - ERR: No Comments
  • 66.185.84.204 - [06/17/02 22:35:26 PDT] - ERR: No Comments
  • 66.185.84.201 - [06/19/02 19:28:07 PDT] - ERR: No Comments
  • 66.185.84.204 - [06/19/02 19:28:18 PDT] - ERR: No Comments

Kelly Inn Yellowstone (204 = 202; 209 = 202; 81 = 74; 73 = 74; 201=202)

Extracted here are the entries for the Rogers IPs in the 66.185.84.xxx-range from the Kelly Inn, in Wyoming.  These are probably all the same user, but especially to be noted are the coloured pairs, where we see IPs quickly shifting in the midst of a visit.  (I'll limit myself here to shifts of two minutes or less.)
907 Wed Mar 27 16:59:56 2002 66.185.84.204 http://www.wyellowstone.com/kellyinn/
908 Wed Mar 27 17:00:23 2002 66.185.84.202 http://www.wyellowstone.com/kellyinn/
2780 Mon Apr 15 15:16:59 2002 66.185.84.209 http://www.wyellowstone.com/kellyinn/
2781 Mon Apr 15 15:17:28 2002 66.185.84.209 http://www.wyellowstone.com/kellyinn/
2783 Mon Apr 15 15:18:20 2002 66.185.84.202 http://www.wyellowstone.com/kellyinn/
3353 Sat Apr 20 14:49:58 2002 66.185.84.209 http://www.wyellowstone.com/kellyinn/
3354 Sat Apr 20 14:56:01 2002 66.185.84.202 http://www.wyellowstone.com/kellyinn/
3355 Sat Apr 20 15:03:12 2002 66.185.84.209 http://www.wyellowstone.com/kellyinn/
3359 Sat Apr 20 15:13:15 2002 66.185.84.209 http://www.wyellowstone.com/kellyinn/
3360 Sat Apr 20 15:31:20 2002 66.185.84.202 http://www.wyellowstone.com/kellyinn/
3361 Sat Apr 20 15:31:23 2002 66.185.84.202 http://www.wyellowstone.com/kellyinn/
12891 Thu Jun 20 22:06:18 2002 66.185.84.81 http://www.wyellowstone.com/kellyinn/
12892 Thu Jun 20 22:06:42 2002 66.185.84.74 http://www.wyellowstone.com/kellyinn/
13360 Mon Jun 24 9:33:59 2002 66.185.84.209 http://www.wyellowstone.com/kellyinn/
13361 Mon Jun 24 9:35:34 2002 66.185.84.202 http://www.wyellowstone.com/kellyinn/
40173 Thu May 15 16:00:20 2003 66.185.84.201
40187 Thu May 15 18:37:25 2003 66.185.84.201
46977 Wed Jun 25 20:40:20 2003 66.185.84.201 http://www.wyellowstone.com/kellyinn/
47768 Mon Jun 30 22:22:23 2003 66.185.84.73 http://www.wyellowstone.com/kellyinn/
47769 Mon Jun 30 22:23:10 2003 66.185.84.74 http://www.wyellowstone.com/kellyinn/
54685 Tue Aug 5 19:49:34 2003 66.185.84.73 http://www.wyellowstone.com/kellyinn/
54686 Tue Aug 5 19:49:54 2003 66.185.84.74 http://www.wyellowstone.com/kellyinn/
54865 Wed Aug 6 20:00:26 2003 66.185.84.201
54866 Wed Aug 6 20:01:19 2003 66.185.84.202
62646 Sat Dec 20 9:18:34 2003 66.185.84.201 http://www.wyellowstone.com/kellyinn/
64440 Mon Feb 2 20:13:36 2004 66.185.84.73 http://www.wyellowstone.com/kellyinn/
64441 Mon Feb 2 20:15:25 2004 66.185.84.74 http://www.wyellowstone.com/kellyinn/
Again we see the fluidity of these IPs: one could not be sure that one's IP would be the same from the beginning of a session to the end.

Saturday, March 29, 2008

Visiting Huizhou (197 = 198 = 206 = 196)

Below is bit of a log from a site run by the Chinese government for the administrative district of Huizhou  is highly suggestive of how Rogers worked.  The links are all dead now, which is probably just as well since I don't read Chinese. Still, they give an idea of one surfer's progress.
时 间 IP 操作系统 浏览器 来 源 网 页
15 3/14/02 4:47:44 211.155.36.46 Win XP MSIE 6.x http://xiaogang.net/lb5000/forums.cgi?forum=6
14 3/14/02 4:46:39 211.155.36.46 Win XP MSIE 6.x http://xiaogang.net/lb5000/forums.cgi?forum=6
13 3/14/02 4:45:55 211.155.36.46 Win XP MSIE 6.x http://xiaogang.net/lb5000/forums.cgi?forum=5
12 3/14/02 4:45:55 211.155.36.46 Win XP MSIE 6.x http://xiaogang.net/lb5000/forums.cgi?forum=5
11 3/14/02 4:45:12 66.185.84.196 Win XP MSIE 6.x http://www.xiaogang.net/lb5000/forums.cgi?forum=15
10 3/14/02 4:44:55 66.185.84.197 Win XP MSIE 6.x http://www.xiaogang.net/lb5000/forums.cgi?forum=15
9 3/14/02 4:44:02 218.6.192.132 Win XP MSIE 6.x
8 3/14/02 4:43:34 66.185.84.206 Win XP MSIE 6.x http://www.xiaogang.net/lb5000/forums.cgi?forum=15
7 3/14/02 4:43:22 66.185.84.198 Win XP MSIE 6.x http://www.xiaogang.net/lb5000/forums.cgi?forum=15
6 3/14/02 4:42:14 211.155.36.46 Win XP MSIE 6.x http://xiaogang.net/lb5000/forums.cgi?forum=3&action=resetposts
5 3/14/02 4:42:08 66.185.84.198 Win XP MSIE 6.x http://www.xiaogang.net/lb5000/forums.cgi?forum=5&show=25
4 3/14/02 4:40:42 66.185.84.197 Win XP MSIE 6.x http://www.xiaogang.net/lb5000/forums.cgi?forum=5
3 3/14/02 4:40:13 66.185.84.197 Win XP MSIE 6.x http://www.xiaogang.net/lb5000/forums.cgi?forum=5
2 3/14/02 4:39:23 211.155.36.46 Win XP MSIE 6.x http://xiaogang.net/lb5000/forums.cgi?forum=3
1 3/14/02 4:38:39 66.185.84.198 Win XP MSIE 6.x http://www.xiaogang.net/lb5000/post.cgi?action=reply&forum=5&topic=81

There seem to be three people visiting the site at the same, one of them is from Beijing (211.155.36.46, nos. 2, 6, 12-15), another from Chengdu (218.6.192.132: no. 9), and the third a Rogers customer from Ontario, whose IP is shifting (nos. 1, 3-5, 7-8, 10-11).

Beginning at the bottom (no. 1), our Rogers' customer has posted something to forum 5 with x.x.x.198; a minute later, he looks at forum 5 (nos. 3-4), but now has x.x.x.197; he goes to read post (?) 25 of forum 5 (no. 5), but with x.x.x.198 again; then, still x.x.x.198, he looks at forum 15 (no. 7), but within seconds his IP becomes x.x.x.206 (no. 8), then x.x.x.197 (no. 10), then x.x.x.196 (no. 11).

Addendum.  From the same site, the log from Feb. 27, 2002, shows that x.x.x.204 = x.x.x.198.

Addendum 2.  From the same site, the log from March 11, 2002, shows that x.x.x.197 = x.x.x.198 = x.x.x.205.

Addendum 3.  From the same site, the logs from March 14, 2002, and March 21, 2002, show that x.x.x.198 = x.x.x.203


This post has 22 minutes (197 = 206)

Over the last five years, the wikipedia articles on subjects to do with Canadian television have been heavily reworked by the Rogers IPs that we have been following. If you look at the contribution histories of 66.185.84.208 (here) and 66.185.84.206 (here) you'll see many, many edits to articles such as Rick Mercer, the CBC, the List of English programs on the CBC, etc.  

A very popular show with these IPs is This Hour has 22 Minutes, which a handful of the Rogers IPs that we have been tracking have made hundreds of edits to.  

And so, December 5-6, 2003, the edit history shows a dozen or so edits by 66.185.84.206 (here), all reworking the same section.  Then we see this: 
    (diff) 20:53, 6 December 2003 66.185.84.206
    (diff) 20:52, 6 December 2003 66.185.84.197
    (diff) 20:51, 6 December 2003 66.185.84.206
The quick shift from x.x.x.203 to x.x.x.197 and back again all took place within a couple minutes, and again shows how fluid these IPs could be.

Lichen (78 = 80)

This pair of edits to the wikipedia article on Lichen probably shows another example of shifting Rogers IPs:
    (diff) 21:12, 4 August 2004 66.185.84.78
    (diff) 21:12, 4 August 2004 66.185.84.80
The two edits were made within the same minute.  The earlier edit (the second one listed here) was simple vandalism -- "Mark likes lichen" -- and the second edit deleted it, apparently after changing his mind.

Nisha on Tamil music (78 = 73 = 79 = 72 = 75)

We have been tracking a group of Rogers' IPs to see how they could shift in the years 2003-5.  One of the most useful sources of data have been message boards that post both a handle and an IP for each post.  Combining name, IP, and time has shown several interesting shifts.

Another case in point are the posts of a certain "Nisha" on a board concerning Tamil music (here).   Googling "Nisha" on this site gives 80 or 90 posts on a variety of subjects from July 2002 until December 2004. Almost all of these posts report her IP as 66.185.84.78 -- a Rogers IP that is part of the pool that we've been tracking.  At several points, however, Rogers seems to have shunted her off to another IP. The first is in the summer of 2003:
    Jul 18 2003 18:46:51 66.185.84.78
    Jul 31 2003 21:29:40 66.185.84.73
    Aug 5 2003 00:32:37 66.185.84.78
Something similar happened in February '04:
    Feb 5 2004 21:25:49 66.185.84.78
    Feb 6 2004 20:26:01 66.185.84.78
    Feb 6 2004 20:32:23 66.185.84.79
    Feb 11 2004 19:15:47 66.185.84.78
Nisha seems to have left the board for a few months beginning in Sept. '04, but returned with these edits:
    Nov 11 2004 17:01:35 66.185.84.68
    Nov 12 2004 18:33:37 66.185.84.68
    Dec 1 2004 15:23:25 66.185.84.72
    Dec 22 2004 12:31:48 66.185.84.75
In all three cases, the general picture is as we have seen previously.  Although almost all of her posting comes from x.x.x.78, Rogers can shift her to other numbers in the pool as needed.

Magic Adventures of Mumfie (208 = 206 = 79 =81)

Below is a screen-capture of the first dozen edits to the Magic Adventures of Mumfie (a children's show created by creator of Thomas the Tank Engine). In it we see the same pattern that we have seen elsewhere with Roger's IPs -- especially well illustrated with the Thomas the Tank Engine articles (see here, here, here, and here) -- that they can shift around.
Here we see some of the old equivalencies. On 27 December the article was created by someone using x.x.x.208; they immediately return to edit it, but with x.x.x.206.  A few days later, he returns to add material, and is again x.x.x.208.  Over the coming months, the article continues to grow.  After a few edits in March and May from a different range (although these also used to be Rogers), 66.185.84.xxx returns with x.x.x.81 and x.x.x.79 in late 2004 and early 2005, presumably the same editor as before.

plagiarizing the First Canadian Army (80 = 78)

One of wikipedia's on-going problems is copy-right violation -- well-meaning editors often copy and paste whole articles from elsewhere, thereby undermining the quality of the encyclopedia and, at least theoretically, exposing it to legal action. Wikipedia's policy on this can be seen here, and as you can see there (and here), copy-right violations are immediately deleted.

A Roger's editor breeched that policy in January 2004, copy-and-pasting eight paragraphs from Legion Magazine, as was pointed out when the page was deleted in November of that year.

In the meantime, there had been these 17 edits to the page (which wikipedia administrators can see here):
  • 20:02, 29 November 2004 . . Indefatigable (Talk | contribs | block) (Copyright violation)
  • 18:08, 19 November 2004 . . GJeffery (Talk | contribs | block) (fixed link)
  • 15:49, 4 September 2004 . . Bryan Derksen (Talk | contribs | block) (Category:World War II military units)
  • 03:53, 22 August 2004 . . 69.196.224.243 (Talk | block)
  • 01:53, 21 August 2004 . . 69.196.224.243 (Talk | block)
  • 20:55, 19 August 2004 . . Indefatigable (Talk | contribs | block) (Category:Canadian military formations)
  • 13:00, 2 June 2004 . . Topbanana (Talk | contribs | block) (Fix some broken links)
  • 00:58, 27 May 2004 . . Adam Bishop (Talk | contribs | block) (fixing links)
  • 05:15, 5 March 2004 . . Anthony (Talk | contribs | block)
  • 23:04, 11 February 2004 . . David Newton (Talk | contribs | block)
  • 02:59, 28 January 2004 . . Gsl (Talk | contribs | block) (copyedit, links)
  • 01:36, 15 January 2004 . . 66.185.84.78 (Talk | block)
  • 01:08, 15 January 2004 . . 66.185.84.78 (Talk | block)
  • 00:59, 15 January 2004 . . 66.185.84.78 (Talk | block)
  • 23:23, 14 January 2004 . . 66.185.84.78 (Talk | block)
  • 23:19, 14 January 2004 . . 66.185.84.78 (Talk | block)
  • 21:55, 14 January 2004 . . 66.185.84.80 (Talk | block)
The bottom half-dozen edits are interesting.  The article was created at 21:55 with a rule-breaking copy-and-paste (as I mentioned) by x.x.x.80.  Then, over the next few hours, the editor returns as x.x.x.78 and fixes some formatting issues that first cut-and-paste had created.

Clearly x.x.x.80 and x.x.x.78 are the same editor, whose IP was changed by Rogers in mid-stream: the article is less than two hours old when x.x.x.78 returns, and he clearly is picking up where he had left off as x.x.x.80.

Again, the fluidity of Rogers IPs is seen.

Addendum.  The same relation between IPs is probably demontrated by this edit in Nov. '03, where x.x.x.78 clears the messages off the talk-page of x.x.x.80.  When one goes to edit a wikipedia page, you receive a notice of new messages on your talk page.  Here it seems the wikimedia software detected this user's IP as x.x.x.80, but by the time he edited his talk-page, his IP had shifted to x.x.x.78.

Friday, March 28, 2008

fourmilab (202 = 74?)

This one I don't understand at all.  Fourmilab, founded by John Walker of AutoCAD fame, is an eclectic download site for a wide variety of computer utilities, articles on mathematics, nanotechnology, etc.  
You can see its access logs for January 2004, here, which is presented in descending order of the amount of traffic that was coming from an IP.  Here is a screen-cap of the top four 'heavy hitters':


This log suggests that two of the IPs that we've been tracking had hit this site 100,000 times over three months. Also present is 66.185.85.74 (not one of the IPs that we've been tracking).

Also puzzling is the fact that these three Rogers IPs, which began their visits to the site within a day or so of one another, and all begin with wc07. I think that we have to assume that they are somehow related, and that this reflects the kind of shifting back and forth that we've noticed elsewhere, but over a longer timescale for a massive amount of traffic.

Gato at Guanacos (77 = 205)

Another message board that publishes the IPs of its contributers is GuanacosEnLinea.com from El Salvador. In the fall of 2004, a certain "gato" posted several messages, logging these IPs:
The shift from x.x.x.77 to x.x.x.205 is typical of what we've seen of Rogers IPs in this period.

Pete C at e-filler.ca (77 = 209)

Another message board that shows both a poster's chosen handle and the underlying IP is E-Filler.ca, where users post comments on recent events.

The comments of a certain "Pete C" in late 2004 and early 2005 perhaps connect 77 and 209.

At this thread on Nov. 18, 2004 he posted from 66.185.84.209.

In a comment of Jan. 5, 2005, however, his IP was 66.185.84.77, which it was on Jan. 14 and Jan. 16, too.

Robbie McBride at RPM Factor (76 = 77)

Message boards that post both names and handles of visitors have provided interesting examples of the fluidity of Rogers' IPs in the 66.185.84.xxx-range.

Another example of this is the postings of a certain "Robbie McBride" on a message board called RPM Factor Babbler. Most of his postings from mid-2004 come from 66.185.84.76 and 66.185.84.77. Especially noteworthy are these:And this one, where McBride starts a thread on July 21 2004 at 5:35 PM with 66.185.84.77, and posts to it 30 minutes later (at 6:03 PM) from 66.185.84.76.


Jiya on Kkusum (70 = 77)

At a message board on the Indian telvision show Kkusum we have entries from a certain Jiya:
  • Sunday, September 19, 02:14:06am -- 66.185.84.70
  • Sunday, September 19, 02:14:43am -- 66.185.84.77
Unfortunately for our argument, no year is reported for the dates. But the quick shift from x.x.x.70 to x.x.x.77 is reminiscent of patterns we have seen elsewhere with this group of IPs.


Thursday, March 27, 2008

66.185.84.204 arranges for March break, 2004

On Nov. 12, 2003, an inquiry was sent to www.florida-discount-travel.com about the Sheraton Lucaya. The request was for March 11 - 13th of the following year:
    We have two parties. One party has 2 adults and 2 children under 12. the other party has 1 adults 1 child
The IP was logged, "66.185.84.204", together with browser and system details ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"). The date ("11/12/2003") and time ("11:54 AM") were also recorded, and the log is viewable here.

The log records the inquirer's name ("Marg *****"), email ("marg*****@rogers.com"), and phone number "905 ***-****". (I redact these out of respect for the privacy of the individual; if you go to the site, you can see it for yourself.)

The email address and phone number (which is a land line in Aurora, Ontario, according to www.411.ca) can be confirmed.

Googling the email shows that this woman is the president of an association of time-share owners in Maine; the email and phone number are the same as in the florida-discount-travel log. See the graphic on the right (again, out of respect for this person's privacy I obliterate the names and phone numbers -- but a quick google can confirm the details for any doubting Thomas.

The date, Nov. 12, 2003, is highly significant, for according to the testimony of Bernard Klatt, the same IP was used by Richard Warman to access the White Supremacist site, freedomsite.org, on November 11th (the day before Marg did), but before the 15th and 23rd.

Wednesday, March 26, 2008

waterloo student on treasurer traders (203 = 208 = 79)

Another interesting example of the impermanence of Rogers IPs is found in the posts of "fairplayer" at factnet.org, a discussion board dedicated to exposing various kinds of chicanery. Fairplayer was involved in some threads concerning Treasure Traders International, which is apparently a mail-order gemstone company.

Here are a list of his posts to that board in the last two months of 2004:
    November 04, 2004- 12:41 am: 66.185.84.203
    November 05, 2004 - 12:48 am: 66.185.84.203
    November 29, 2004 - 10:08 am: 129.97.83.155*
    November 29, 2004 - 12:04 pm: 66.185.84.208
    December 03, 2004 - 11:59 am: 129.97.22.32*
    December 07, 2004 - 11:38 pm: 66.185.84.79
    December 10, 2004- 8:29 pm: 129.97.83.240*
Fairplayer describes himself as a university student in one of his posts (here), and since the IPs 129.97.xxx.xxx resolve to the University of Waterloo, it seems safe to conclude that the Rogers IPs are from home, and the University addresses are from campus -- note that the two posts from November 29th are less than two hours apart.   Note, however, that in the six weeks, his "home" IP changes from x.x.x.203 to x.x.x.208 to x.x.x.79, a shift that is typical of those that we've been seeing elsewhere.

At Zodiackiller.com (208 = 203)

A handful of edits by a certain "Mike J. Doe" to a discussion board dedicated to the Zodiac Killer at www.zodiackiller.com again illustrate the fluidity of Rogers' IPs:
  • Wednesday, June 18, 2003 - 11:26 am: 66.185.84.208
  • Sunday, June 22, 2003 - 01:09 pm: 66.185.84.208
  • Wednesday, June 25, 2003 - 11:25 pm: 66.185.84.208
  • Friday, July 04, 2003 - 11:47 am: 66.185.84.203
  • Friday, July 04, 2003 - 11:37 pm: 66.185.84.208
Here it seems that Mr. Doe regularly has 66.185.84.208. For some reason, on July 4, 2003, he was shifted to x.x.x.203, and then back.

University of California dreaming (or 68=71=72=74=76=77=78=81=197=198=199=200=204)?

It will surprise no one that a site like that of Earth Sciences at the University of California at Irvine attracts a lot of traffic -- almost 70,000 different IPs visited there in the fall of 2003, and these are recorded in the logs linked to below.  Among them are some of the Rogers IPs that we have been tracking in other posts: that is, those with the numbers 66.185.84.xxx (see the summary thread, here).   
Extracting these IPs from the log of September 2003 yields the following list:
    hits files kbytes visits IP
    3 3 155 1 66.185.84.68
    73 70 1972 7 66.185.84.71
    44 44 584 4 66.185.84.72
    4 4 206 2 66.185.84.76
    1 1 24 0 66.185.84.196
    2 2 59 0 66.185.84.198
    86 80 1558 5 66.185.84.199
    43 43 841 5 66.185.84.200
    1 1 1 0 66.185.84.201
    1 1 54 1 66.185.84.204
    26 26 635 2 66.185.84.209
Now, given the specific data at hand, it is impossible to tell whether these IPs reflect ten different individuals or one, since we don't have dates and times for their visits.  Still, since the IPs listed here are the same ones that we see shifting elsewhere (see the summary here), and since some of the visits are fleeting (x.x.x.78 somehow registers as zero visits), we should probably incline towards a smaller number.

The logs for October 2003 provide a similar group of IPs:
    hits files kbytes visits IP
    1 1 54 1 66.185.84.68
    194 165 4526 17 66.185.84.71
    73 72 1773 6 66.185.84.72
    1 1 24 0 66.185.84.74
    19 19 3432 2 66.185.84.76
    1 1 12 1 66.185.84.77
    1 1 24 0 66.185.84.78
    22 13 156 3 66.185.84.81
    12 12 120 2 66.185.84.197
    2 2 107 1 66.185.84.198
    168 152 2265 12 66.185.84.199
    48 48 709 7 66.185.84.200
    6 6 80 1 66.185.84.204
As do the logs from November, 2003:
    hits files kbytes visits IP
    9 9 328 1 66.185.84.68
    2 2 180 1 66.185.84.69
    7 4 29 1 66.185.84.70
    193 167 3344 16 66.185.84.71
    69 68 1657 8 66.185.84.72
    14 6 130 5 66.185.84.76
    1 0 0 0 66.185.84.77
    1 0 0 0 66.185.84.78
    1 1 44 0 66.185.84.79
    11 11 290 0 66.185.84.80
    25 23 642 2 66.185.84.81
    247 230 4095 11 66.185.84.199
    22 22 441 3 66.185.84.200
    1 1 80 0 66.185.84.201
    1 1 80 0 66.185.84.202
    24 23 147 4 66.185.84.204
    1 1 24 0 66.185.84.208
    5 5 558 1 66.185.84.209
And December, 2003:
    hits files kbytes visits IP
    73 69 645 5 66.185.84.71
    12 12 228 0 66.185.84.72
    4 4 198 2 66.185.84.76
    1 1 24 0 66.185.84.78
    1 1 24 0 66.185.84.79
    1 0 0 1 66.185.84.81
    48 47 1774 7 66.185.84.199
    32 32 783 2 66.185.84.200
    14 14 509 1 66.185.84.204
    22 22 495 1 66.185.84.208
In all,  there are twenty-two IPs listed in these months.  How many users is this?  Less than 22, presumably -- especially given the number of singletons in the "hits" and zeros in "visits".


Monday, March 24, 2008

studying at Waterloo (202 = 204 = 206 = 208 = 209)

An interesting sample of how oddly Rogers IP address can sometimes operate comes from a log of an instruction site from the University of Waterloo, here. As you can see, the log covers 24 hours, beginning a few minutes after midnight on 29 April, 2004. There are 1420 entries from 138 IPs; 268 of the log entries come from some of the Rogers IPs that we have been following: 263 hits from 66.185.84.202; two from 66.185.84.204; and one each from 66.185.84.206, 66.185.84.208, and 66.185.84.209.

As I said, almost all the posts are from x.x.x.202. But the five instances where there is a handoff to other Rogers IPs are interesting. Here they are, extracted with their immediate context, and excluding all non-Rogers IPs:
    166.185.84.202 04/29/04 11:12 "POST /cgi-bin/iq/biology/272b/final04.iq HTTP/1.1" 200 8882
    66.185.84.209 04/29/04 11:13 "GET /cgi-bin/geniq/biology/272b/final04.iq HTTP/1.1" 200 11083
    66.185.84.202 04/29/04 11:16 "POST /cgi-bin/iq/biology/272b/final04.iq HTTP/1.1" 200 9458
    ---------------------
    266.185.84.202 04/29/04 16:01 "POST /cgi-bin/iq/biology/272b/final04.iq HTTP/1.1" 200 9471
    66.185.84.206 04/29/04 16:01 "GET /cgi-bin/geniq/biology/272b/final04.iq HTTP/1.1" 200 11069
    66.185.84.202 04/29/04 16:01 "POST /cgi-bin/iq/biology/272b/final04.iq HTTP/1.1" 200 9470
    ---------------------
    366.185.84.202 04/29/04 17:18 "POST /cgi-bin/iq/biology/272b/final04.iq HTTP/1.1" 200 9468
    66.185.84.208 04/29/04 18:00 "GET /cgi-bin/geniq/biology/272b/final04.iq HTTP/1.1" 200 11083
    66.185.84.202 04/29/04 18:02 "GET /cgi-bin/geniq/biology/272b/final04.iq HTTP/1.1" 200 11076
    ---------------------
    466.185.84.202 04/29/04 22:24 "POST /cgi-bin/iq/biology/272b/quiz1.iq HTTP/1.1" 200 7349
    66.185.84.204 04/29/04 22:25 "GET /cgi-bin/geniq/biology/272b/final04.iq HTTP/1.1" 200 11069
    66.185.84.202 04/29/04 22:25 "POST /cgi-bin/iq/biology/272b/final04.iq HTTP/1.1" 200 12661
    ---------------------
    566.185.84.202 04/29/04 22:49 "POST /cgi-bin/iq/biology/272b/final04.iq HTTP/1.1" 200 9463
    66.185.84.204 04/29/04 22:51 "GET /cgi-bin/geniq/biology/272b/final04.iq HTTP/1.1" 200 11076
    66.185.84.202 04/29/04 22:51 "POST /cgi-bin/iq/biology/272b/final04.iq HTTP/1.1" 200 4035
Over the course of the day, some student has been accessing the site more or less continuously, and (as I said) almost all his traffic shows up in the log as coming from x.x.x.202. Nonetheless, on five occasions (numbered 1-5), the stream of x.x.x.202 is interrupted by another IP. In all the cases, the switch comes too quickly from the preceding and following posts to allow us to suppose that these are two different users, as does the consistency of files accessed, which all seem to relate to Biology 272b, which is a course at Waterloo (see here).

The series again illustrates the fluid nature of Rogers IPs. Potentially more interesting, however, is to compare this log with the description here, where we again see shifting IPs between "getting" and "posting".

Hat-tip, Nbob in BCL's comments.

Sunday, March 23, 2008

Thomas the Tank Engine IV: or how 206 = 208

We have already noted the edits made by a Rogers customer to the wikipedia articles related to Thomas the Tank Engine (see here, here, here).  At about the same time, the same editor (one assumes) was responsible for a number of edits of the series' founder, Britt Allcroft. The first eight  edits of the article's history can be seen here:
    19:10, 31 December 2003 66.185.84.208 (Talk)
    21:42, 27 December 2003 66.185.84.208 (Talk)
    21:31, 27 December 2003 66.185.84.208 (Talk)
    (diff) 21:31, 11 November 2003 66.185.84.208 (Talk)
    (diff) 06:38, 11 November 2003 Jimfbleak (Talk | contribs) m (it's-->its)
    (diff) 00:46, 11 November 2003 66.185.84.208 (Talk)
    (diff) 00:45, 11 November 2003 Angela (Talk | contribs) m (fmt)
    (diff) 00:44, 11 November 2003 66.185.84.206 (Talk)
What we see here is similar what we've seen before. Wikipedia logs read from the bottom, so the very first edit to the article was made by x.x.x.206. Within a minute, a signed in user, Angela (presumably on what is now called new page patrol) noticed the new article and edited it to conform with the wikipedia
 manual of style. Within another minute, the original editor returns, but now as x.x.x.208, which he or she still had (or perhaps had again) when they returned to edit the article six weeks later. 

Ringo, Ringo, Ringo! (Or, 208 = 207 = 199)

We have been seeing that Rogers IPs could change unpredictably even while its customers were surfing. Consider the article of Ringo Starr. You can see part of its history from November 2003, here:

    (diff) 14:22, 16 November 2003 66.185.84.199
    (diff) 14:15, 16 November 2003 66.185.84.208
    (diff) 14:14, 16 November 2003 66.185.84.207
    (diff) 21:23, 14 November 2003 66.185.84.208
    (diff) 21:22, 14 November 2003 66.185.84.208
    (diff) 21:22, 14 November 2003 66.185.84.208
    (diff) 21:22, 14 November 2003 66.185.84.208
    (diff) 21:21, 14 November 2003 66.185.84.208
    (diff) 21:17, 14 November 2003 66.185.84.208
The changes are all minor -- click on diff if you want to see them -- the editor can't seem to make up his mind what image he wants to use and in the end decides on none.   The edits from the 14 November all come from one IP x.x.x.208.  The three edits (here red) from 16 November, however, again illustrate the tendency of these Rogers IPs to change even in the middle of a session.  Within a few minutes, our Beetles fan has shifted from x.x.x.207, to x.x.x.208, and then to x.x.x.199.

(In the next few months, however, this editor returns, but seems only to have been allocated x.x.x.208: see here.)

Wednesday, March 19, 2008

I don't, I don't, I don't: why same-sex marriage does not necessarily lead to legalized polygamy

Michael Coren has many virtues that I find admirable: he is intelligent, articulate, and--given his religious convictions--surprisingly independent in his thinking. Despite this he sometimes takes bizarre positions. Take, for example, his call to nuke Iran in 2006. One shakes one's head.

A few days ago, he again went a bit astray in a column that revisited same-sex marriage and argued that the decision will inevitably lead to the legalization of polygamy. Coren provided a convenient summary for his case:
And thus the inevitable. I predict that polygamy will be legal and accepted in this country within five years. Any Charter challenge in support of the custom would not only be backed by the revolutionary precedent of same-sex marriage redefinition but also by guaranteed freedom of religion clauses.
Coren's position has a superficial logic to it: if the rules can change for one group, they can for another, and at first glance the polygamists have two avenues by which they might make their argument.

But constitutional law is not a vending machine into which a coin is inserted, thereby guaranteeing a tasty snack. Nor do judges overthrow existing law on a whim. Any future change will require a test-case and a legal argument.

Such was the case with the constitutional challenge that led to marriage equality. The principle at question was the equal protection of the law: that if the state issues marriage licenses, it is unconstitutional to disallow someone a marriage license because she is a lesbian, just as it would be to disallow it for a Chinese, an octogenarian, or a Catholic. Not everyone likes the argument or is persuaded by it -- but the court was convinced, parliament ultimately agreed, and the matter was legally settled, if not politically.

How would this principle apply to polygamy? Essentially, the state limits the number of marriage licenses to one per customer. Do you want to marry someone else? First, your first marriage must be dissolved. At the moment the law is applied to all equally--Catholics, Muslims, Mormons, and atheists are all allowed only to have one spouse at a time. So, too, gays and lesbians. A polygamist can no more acquire a second wife under this principle than he could could have more than one SIN number. There is no avenue for a constitutional challenge here -- at least that I can see.

Coren supposes that the charter principle of freedom of religion might also be invoked. This is less than obvious, however. Freedom of religion prevents the state requiring someone to perform an action that their religion forbids, or forbidding someone from doing something that their religion requires.

As far as I know, however, polygamy is not, a requirement of any religion. Mormonism abandoned it long ago, and although conservative Islam allows men to take up to four wives, it does not require it and never has. (In fact, it is relatively rare even in those countries where it is legal, and Islam doesn't even encourage it: see here and here).

Now, even a superficial consideration of our legal system and various religions' moral systems shows that they operate in different registers. There are any behaviours that religions forbid but the state allows (consumption of alcohol, blood transfusions, divorce); there are behaviours that the state forbids or regulates that religions are silent about (speed limits, the structure of legal trusts, the filing deadline of one's taxes).

In light of this, a successful constitutional challenge to legalize polygamy seems unlikely to me -- there is no obvious legal avenue for a challenge. So, unlike Coren, I doubt whether multiple "I do"s are in any of our futures.

Sunday, March 16, 2008

Vampire Chronicles (72 = 81?)

Wikipedia attracts The wikipedia article on Ann Rice's series, The Vampire Chronicles.  Here are a few edits from its edit history:
    (diff) 20:28, 4 December 2004 66.185.84.81 (Talk) (→''Vittorio, the Vampire'') 
    (diff) 20:27, 4 December 2004 66.185.84.72 (Talk) (→''Blood and Gold'') 
    (diff) 20:26, 4 December 2004 66.185.84.81 (Talk) (→''Blood and Gold'') 
If you click on the diffs, you can see that the edits are vandalism, with x.x.x.81 "STEPHEN S IS A BIG POO FACE YOU EATS POO", x.x.x.72 erasing it, and then x.x.x.81 re-inserting it.

Given the fluidity of the IPs, it seems x.x.x.72 is erasing his own handiwork.  

The Inklings (or 78 = 81)

The article on theologian C.S. Lewis shows another interesting example of IP-shifting. Three edits were made to the external links section within a few minutes of one another.  (For the edit history, see here)
    (diff) 03:53, 21 November 2004 66.185.84.78
    (diff) 03:51, 21 November 2004 66.185.84.81
    (diff) 03:50, 21 November 2004 66.185.84.81
Again, this is the same user, whose IP seems to have changed while they were surfing.  Apparently, however, x.x.x.78 was only held for a few minutes., because a few minutes later x.x.x.81 reappears at the article on the writer Charles Williams, adding that C.S. Lewis was one of Williams friends.  The edit can be seen here:
    (diff) 03:50, 21 November 2004 66.185.84.81
(Williams, Lewis, and J.R.R. Tolkien were three members of the informal literary society called the 'Inklings', which met regularly in the famous Oxford pub, the Eagle and child.)

Saturday, March 08, 2008

Fluidity of Rogers IPs in 2003/4 (Summary thread)

Note.  More complete, more easily accessible version of this data can be seen in this later post.

In a series of earlier posts, we've seen how liquid the IPs of Rogers customers were in the years 2003 and 2004.  Customers who sometimes had IPs 66.185.84.204, which were involved in some controversial edits in the fall of 2003, might find themselves with one of these IPs:
These reflect, of course, only the tiniest fraction of what was really happening.  Every time anyone visits a webpage, the visit is logged somewhere, but very few of those logs are ever published; only a tiny fraction of internet users edit wikipedia, and only a fraction of them do so without signing in, thereby allowing us to see their IPs.

Still, the evidence that we do have makes it is fairly clear that having any one of these IPs--indeed, any Roger IP--at one moment doesn't guarantee that you have it at another.  The reason, of course, is that Rogers was using these IPs as proxies for all their traffic from a specific region. 

That Rogers used some of these IPs as proxies is something that we already knew. What we don't know is how large a number of Rogers subscribers was served by this pool of IPs. Dozens? Hundreds? Thousands? Tens of thousands?


Updated and expanded; re-edited to make dates clearer