Sunday, April 13, 2008

Why Warman is probably innocent

Whenever you visit an internet site, you leave certain details behind about your computer, including what browser you use. These details are called your user agent string; the widget to the right (produced by danasoft) uses your user agent string to give you your own private message. (To learn more, see here.)

We have seen (here),that the notorious Cools post was made on Sept. 5, 2003, by a computer with a user agent that will have looked like this:
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Rogers Hi-Speed Internet; (R1 1.3))"
As we saw in the last post the details in red here show that the Cools poster, had a computer running Windows 98 and had a version of Microsoft Exporer 6 that had been supplied by Rogers cable (hence the "Rogers"-part of what is in red). The computer also had Real Player (version 1.3) installed and used it to visit the site.

We also know that Warman visited freedomsite.org on October 15, 2003, leaving behind this log entry:
    LemireLogOct
The user agent is underlined in blue. There is an important difference from the Cools poster. What is red in the Cools poster's user agent data is missing from Warman's. Warman, like many Rogers' customers, has no "Rogers Hi-Speed Internet" in his user agent (the version of Explorer on this machine was a generic one, not one supplied by Rogers: see here). Moreover, he did not use Real Player to visit the site (thus no "R1 1.3").*

But this means the user agent data is not identical. So, what do we have to prove Warman wrote the Cools post? An IP shared by almost a million people, and a computer that is differently configured. One might begin to manufacture scenarios in which Warman made both posts, but they're getting into lottery-like odds. At the very least, the forensics require that the posts were made from different machines.

*Note. Commenter "freemarkets" points out (surely correctly) that the Real Player had to be both installed and playing in order for it to register in the user string. See now here.

Edited  and revised for clarity and accuracy.

For more commentary see this more recent post.

8 comments:

Mark Richard Francis said...

Buckets,

Are you a deity?

Good work!

Dr.Dawg said...

Well, Buckets, I think that about wraps it up. Congratulations!

freemarkets said...

To check the accuracy of this post I ran a few tests of my own.

The RealPlayer identification (R1 1.3) only showed up in my logs while browsing using RealPlayer itself (I had installed RealPlayer 1.6 so my user-agent differed somewhat). When browsing using IE, the User-Agent remained unchanged after I installed RealPlayer. To doublecheck this, I used IE to browse to a site to load a RealPlayer movie, browsed back to my test page and nothing happened. Still no (R1 1.6) in my user-agent string while using IE even though RealPlayer was installed on my computer.

The absence of the (R1 1.3) in Warman's user-agent string does not prove that RealPlayer was absent from his computer. It only shows that he wasn't using the RealPlayer browser at that time. In fact, using the RealPlayer browser is tedious so it is entirely possible (and plausible) that someone would have another browser for everyday use.

This isn't to say that Warman did indeed make the Cools post. It only shows that the "lottery-like odds" you mention are not as improbable as you would lead your readers to believe.

buckets said...

Thanks to Mark and Dawg for their kind words.

Freemarkets, thanks for checking that -- intuitively I'm sure that you're correct. One might have different browsers, and the user agent details will reflect not what you have installed, but what you're actually using. There is still the "Rogers" tag, which I'll post about soon.

buckets said...

Freemarket. I don't suppose you can say whether the same thing happens if the Real Player plug-in is installed? (That would, I think, make more sense--if you google Mozilla and R1, you'll find a lot of these user agents in various logs -- but the kinds of logs that are searchable on the net are not going to have much video.)

freemarkets said...

I just tried a variety of scenarios under both Firefox and Internet Explorer. Now I am using different versions for my tests, so I'm making an assumption that nothing was changed with respect to User-Agent behaviour for the applications involved.

I believe that when you install RealPlayer it also installs the plug-in for your browser. With both Firefox and IE, I'd browse to a page that utilized realplayer (in this case I went to the music section at realplayer.com). I then tried two different scenarios. I opened a new tab (so that realplayer was still running in another tab) and browsed to my test page. No (R1 1.6) in my logs.

I also tried staying within the same tab and browsing to my test page. Again, no (R1 1.6) in my logs.

The only time I could get the R1 1.6 to show up is when I used the browser within RealPlayer. I suspect that RealPlayer just uses a customized version of IE because the User-Agent is identical with the exception of the (R1 1.6).

If I am correct that RealPlayer (the application itself and not the plugin) uses one's currently installed IE (and then customizes it) then the user-agent would probably contain the Rogers Hi-Speed Internet if the Roger's Internet Explorer was installed.

For reference, my current system runs Windows Vista, I have IE 7.0.6000.16643 installed (but not default) and Firefox 2.0.0.14 is set as my default browser. The version of RealPlayer I installed is 11.0.2. Also, my tests are being performed locally using the Apache 2.2 web server.


What does all this mean? Well if the user-agent behaviour hasn't changed or if I'm not missing something (both are big "if"s) then the Cools post had to have been made using the RealPlayer application's browser. Simply loading the plugin didn't change the user-agent for me.

buckets said...

Thanks for the update, Freemarkets, and for your efforts in this matter. It would be worth knowing whether or not that was the case with earlier versions of real-player.

Your conclusion that the Cools poster was using the Real Player's browser is kind of weird: who would use the real player browser to go to Freedomsite.org, or indeed any of the other sites where we find it buried in the logs?

Also, the "Rogers Hi-Speed" item in the user-agent string refers (as I note in the next post) to a customized version of Explorer. How would this relate to using the Real Player browser?

I, too, have been trying to figure this all out, but with a slightly different methodology: I've looking at logs where we find "R1 1.3" (or different versions) to see if I could find cases where the same IP is showing user-agent strings that differ only with regard to the Real Player item. No luck so far -- though I have plenty of cases of return visitors whose Real-Player status remains unchanged.

One thing you mention is that you've been doing this all on your own site and your own logs. If you get a chance to do other experiments, it might be simpler to use useragentstring.com, which spits out your user agent when you visit.

buckets said...

Update. I've been experimenting with various downloads of RealPlayer available at oldversion.com and can get "R1 1.3" in a user agent string by using RealOne Player 2.0. Like Freemarkets, however, I can only get this to show up in the userstring by using the browser within RealOne. (There is, apparently, an Explorer buried within it.) I will start a new post with a screencap right away. Let us take further commentary there. (I will close comments to this post.)