Showing posts with label user agents. Show all posts

Friday, May 02, 2008

Friday, April 25, 2008

One of these things is not like the others: why Warman is innocent

Much of Canada's right-wing blogosphere is aflutter with the idea that human rights lawyer Richard Warman might have posted a racist comment about Canadian senator Anne Cools on freedomsite.com, a white-rights forum. The evidence? Freedomsite's logs preserve data from some visits of "lucy" (a handle Warman is known to have used) and from 90sAREover, who had posted a hasty racist screed against black senator Anne Cools. According to freedomsite's expert witness Bernard Klatt, both the IP and the user-agent data were identical for "lucy" and for "90sAREover". Until now we have had to take Klatt's word on this.

Recently these logs have become available for scrutiny (they were included in Klatt's affidavit, which I've recently posted here). The logs make it clear, however, that there are two important differences between the computer used during Warman's visits and those of 90sAREover (the Cools poster); both of these differences are exculpatory of Warman. Here is the evidence in reverse chronological order (compare what is underlined in red).

The log of Warman's visit from Nov. 23, 2003 (p. 33 of Klatt's affidavit): Richard Warman, lucy, 90sAREover
The log of Warman's visit from Nov. 15, 2003 (p. 30 of Klatt's affidavit, here):
Richard Warman, Lucy, 90sAREover
The log of Warman's visit from Nov. 11, 2003 (p. 29 of Klatt's affidavit, here):
Richard Warman, lucy, 90sAREover
The log of Warman's visit from Oct. 15, 2003 (widely cited, e.g. here):
All of Warman's visits from Oct. 15 — Nov. 23, 2003, show the same IP (66.185.84.204 = wc09.mtnk.rnc.net.cable.rogers.com; see the blue underline) and the same operating system and browser (MSIE 6.0; Windows 98 — see the red underline — which points to a generic version of Explorer 6.0 and Windows 98).

Here is the log of 90sAREover of Sept. 5, 2003 (p. 34 of Klatt's affidavit, here). Here the browser details are different (again underlined in red):
Although both Warman and 90sAREover have the same IP and operating system, 90sAREover's user agent string has two key differences from Warman's computer-setup. First, 90sAREover had a customized version of Explorer 6.0 installed, which had been supplied by Rogers (as is signaled by the phrase "Rogers Hi-Speed Internet"); second, he did not actually use IE 6.0 to post, but instead was using RealOne Player version 2 (hence "R1 1.3": see here). None of Warman's log entries, by contrast, show any sign of RealOne, and for all four of his visits his browser was recorded as a generic version of Explorer, not a Rogers one.

These differences are important and exculpatory, and they overthrow the technical argument for identifying Warman as "90sAREover", which (given that the IP used, 66.185.84.204, could have been any one of millions of Rogers customers) has now collapsed. The computer that posted the Cools post was set up differently than the one Warman was using three months later.

    (Re-written for clarity and context.)

Sunday, April 20, 2008

experimenting with RealOne and Explorer's customization options

When RealPlayer is used as a browser, the user-agent string left behind reveals not only the version that is used to visit a site, but also some details about the version of Internet Explorer that is resident on the surfer's computer.

We have already seen (here) that Microsoft allows customization of user-agent strings. I customized a version of Explorer by inserting "Buckets", surfed over to useragentstring.com, and took this screen shot:


Then I exited Explorer, rebooted, and visited the same site using the RealOne Player.  Here is the screen shot:
Note that the change to the user agent string that I had made for Explorer (inserting 'Buckets') is still there, even though I'm using RealOne, not Explorer.

The presence of "Rogers Hi-speed Internet" in the user agent of 90sAREover, therefore, requires that his browser was one of those customized by Rogers, even if he wasn't using it to directly visit freedomsite.org.

Sunday, April 13, 2008

Why Warman is probably innocent

Whenever you visit an internet site, you leave certain details behind about your computer, including what browser you use. These details are called your user agent string; the widget to the right (produced by danasoft) uses your user agent string to give you your own private message. (To learn more, see here.)

We have seen (here) that the notorious Cools post was made on Sept. 5, 2003, by a computer with a user agent that will have looked like this:
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Rogers Hi-Speed Internet; (R1 1.3))"
As we saw in the last post, the details in red here show that the Cools poster had a computer running Windows 98 and had a version of Microsoft Explorer 6 that had been supplied by Rogers cable (hence the "Rogers" part of what is in red). The computer also had Real Player (version 1.3) installed and used it to visit the site.

We also know that Warman visited freedomsite.org on October 15, 2003, leaving behind this log entry:
    LemireLogOct
The user agent is underlined in blue. There is an important difference from the Cools poster. What is red in the Cools poster's user agent data is missing from Warman's. Warman, like many Rogers' customers, has no "Rogers Hi-Speed Internet" in his user agent (the version of Explorer on this machine was a generic one, not one supplied by Rogers: see here). Moreover, he did not use Real Player to visit the site (thus no "R1 1.3").*

But this means the user agent data is not identical. So, what do we have to prove Warman wrote the Cools post? An IP shared by almost a million people, and a computer that is differently configured. One might begin to manufacture scenarios in which Warman made both posts, but they're getting into lottery-like odds. At the very least, the forensics require that the posts were made from different machines.

*Note. Commenter "freemarkets" points out (surely correctly) that the Real Player had to be both installed and playing in order for it to register in the user string. See now here.

Edited and revised for clarity and accuracy.

For more commentary see this more recent post.

What does "R1 1.3" mean in a user agent?

In the last post (here), we saw that Bernard Klatt, Lemire's expert witness in his ongoing CHRC hearing, revealed 90sAREover's user agent data to be this:
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Rogers Hi-Speed Internet; (R1 1.3))"
Now, Klatt successfully identified the browser (Internet Explorer version 6.0) and Operating System (Windows 98). He was less successful in explaining the latter two items "Rogers Hi-Speed Internet; (R1 1.3))".

Apparently he didn't know User Agent String, a handy-dandy site that takes any user-agent and breaks it up into nice understandable parts. Entering our string yields the following table:
    Internet Explorer 6.0
    Mozilla                    It's a Mozilla based browser
    4.0                        Mozilla Version
    compatible                 Compatibility flag. Indicates that this browser is compatible with a common set of features
    MSIE 6.0                   Name: MSIE 6.0; Version = 6.0
    Windows 98                 OS-or-CPU: Windows 98
    Rogers Hi-Speed Internet   Rogers Communications. Internet provider. Partnered with Yahoo! to offer Rogers-Yahoo! Hi-Speed Internet.
    R1 1.3                     Using Real Player as a browser

Now, especially to be noted is how wide of the mark is Klatt's explanation of R1 1.3. His explanation (p. 1634):

This is clearly wrong, as the useragent.com search shows. "R1 1.3" does not refer to Cisco firmware, but to the fact that the user of this computer had a Real Player installed.

The "Rogers Hi-Speed Internet" is less clear. Not all Rogers' users have it. In the thirty visits from a dozen or so users of 66.185.84.204 here, only a couple have it. (To judge from this, the Rogers-tag here means that the version of Explorer being used was one supplied by Rogers, not a generic version.)
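
The token breakdown above, and the comparison of the two log entries made in the later posts, as an added Python example (not code from these posts or from the User Agent String site): it splits an MSIE-style agent on top-level semicolons, reports which tokens one string has that the other lacks, and counts distinct configurations seen behind one IP. `UA_VISITOR` and `SAMPLE` are constructed from the page's description of the October-November entries, and the function names are illustrative.

```python
import re

# Agent string quoted on the page for the Sept. 5, 2003 post.
UA_POSTER = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; "
             "Rogers Hi-Speed Internet; (R1 1.3))")
# Constructed: the page describes the Oct.-Nov. visits only as generic
# "MSIE 6.0; Windows 98", so this exact string is an assumption.
UA_VISITOR = "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
# Constructed (IP, user agent) pairs standing in for parsed log entries.
SAMPLE = [("66.185.84.204", UA_POSTER), ("66.185.84.204", UA_VISITOR),
          ("66.185.84.204", UA_VISITOR)]


def parse_ua(ua):
    """Split an MSIE-style agent into (product, [comment tokens])."""
    m = re.match(r'\s*"?([^\s(]+)\s*\((.*)\)\s*"?\s*$', ua)
    if not m:
        return ua.strip(), []
    product, body = m.groups()
    tokens, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "(") - (ch == ")")
        if ch == ";" and depth == 0:  # only a top-level ';' ends a token
            tokens.append(cur)
            cur = ""
        else:
            cur += ch
    tokens.append(cur)
    # Add-ons such as "(R1 1.3)" wrap their token in parentheses; unwrap it.
    cleaned = [t.strip().strip("()").strip() for t in tokens]
    return product, [t for t in cleaned if t]


def diff_ua(a, b):
    """Tokens shared by both agents, and tokens unique to each."""
    (pa, ta), (pb, tb) = parse_ua(a), parse_ua(b)
    return {"same_product": pa == pb,
            "shared": [t for t in ta if t in tb],
            "only_a": [t for t in ta if t not in tb],
            "only_b": [t for t in tb if t not in ta]}


def configs_by_ip(entries):
    """Map each IP to the distinct token sets seen behind it."""
    seen = {}
    for ip, ua in entries:
        seen.setdefault(ip, set()).add(tuple(parse_ua(ua)[1]))
    return seen
```
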

More shortly.

Update. Commenter "freemarkets" points out that the Real Player only shows up in the string if it is being used, not installed.

Clarifications to Rogers Hi-Speed made; quote from Klatt on R113 added.

Klatt on 90sAREover's user agent

Here are pages 1633-5 of Richard Warman and the Canadian Human Rights Tribunal v. Marc Lemire (T1073/5405 vol. 9) of Feb. 8, 2007. In it, Lemire's expert witness, Bernard Klatt, is testifying about the logs of Lemire's site, and trying to make the case that "90sAREover" was identical to "lucy" (a username of Richard Warman). 

In the following passage, Klatt describes a few of the log-entries.  He has already pointed out that "90sAREover" and "lucy" share the same IP: 66.185.84.204, but as we've seen elsewhere, this does not prove they were identical: that IP is a proxy shared by hundreds of thousands of Rogers' customers.  Below Klatt describes other facts found in the entry:

p. 1633

Klatt1634(Useragent)
p. 1634
Klatt1635(Useragent)

p. 1635
Klatt1636(Useragent)
Now, to judge from Klatt's remarks here, the log entry, which will have ended with user-agent data, must have looked something like this:
     "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Rogers Hi-Speed Internet; (R1 1.3))"
This is something that we have paralleled in weblogs elsewhere.  This exact same configuration can be found in this log of June 4, 2004, of the Engineering School at the University of Illinois.  The date of that log rather spoils Klatt's theory that this is a firmware update from Cisco.  There is a better explanation that we'll return to in the next post.


Update. As you can see from the actual logs (which can be perused in my post on the Klatt affidavit in Warman v. Lemire), the conclusion reached above is correct and 90sAREover's user agent string was as follows: "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Rogers Hi-Speed Internet; (R1 1.3))". Since this is different from the set-up used by Warman in October and November, the posts were made from different computers.