Posted by: GoRight | July 15, 2010

You’re not paranoid …

when they really ARE out to get you!

The IP that edited my talk page yields the following reverse DNS information:

A few hours earlier a message was left on Hipocrite’s talk page.  The IP that left that message yields the following reverse DNS information:

A coincidence?  I doubt it.  These were the same person, identity unknown.  These do not appear to be open proxies as far as I can tell.  Nothing in the reverse DNS names would indicate a TOR exit node, but then again there is no requirement that TOR exit nodes self-identify as such.

So, on the one hand it is entirely possible that these edits were made by someone who simply has access to the Research in Motion Limited network.

On the other hand, I have already pointed out the stupid and clumsy way TOR exit nodes have been used recently (i.e. by using nodes that self-identify as being TOR nodes in their reverse DNS data), so it is by no means surprising that the person who had made that error would now be more careful in the selection of which nodes to edit from.

Notice that the nodes we are examining today, like the TOR nodes identified earlier, all geolocate to Ontario, Canada.  This is reasonably good evidence that while these nodes don’t self-identify as being TOR nodes they may still be part of a TOR network that is being hosted in Ontario, Canada.

Someone is likely using a TOR network and for whatever reason they are selecting nodes which originate from Ontario, Canada.  This by no means suggests that the individual or individuals in question actually reside or have any real affiliation with Ontario; they could be anywhere in the world.

Personally I find Hipocrite’s response to the message left on his talk page to be quite enlightening under the current circumstances, but YMMV.  I’m suspecting a rather transparent attempt at obfuscation.  Remember, this was left by an IP that is likely a TOR exit and the same person that left the message on my user page a few hours later.

Note to you check users out there: Any existing Wikipedia accounts which have been using IPs that directly or indirectly suggest they are part of a TOR network being hosted in Ontario, Canada are prime candidates for being the perpetrators behind these IP socks.

Special thanks go out to ChrisO for looking after my talk page in this case.


Responses

  1. There may not be as much to this as you think. Every privately-owned (as opposed to corporate) blackberry handheld will appear to come from blackberry.net, resolving to Waterloo, ON, no matter who the user is or where they are in the world. Since there have been at least 50 million blackberries sold, it’s quite possibly just a coincidence.

  2. If true then I certainly agree it may be just a coincidence. It may also be just another attempt to evade detection using an alternate editing path. I think the list of likely suspects is still rather low, but that may be my own biases talking.

  3. […] first two (68.171.231.17/19) track back to the Blackberry network, which we have run into previously.  The last one (32.174.180.52) maps back to an old Cingular mobile account that was bought up by […]

