
Tracking a troll..

BLITZKRIEG BOPP

http://evertb.wordpress.com/2012/09/26/tracking-a-troll/

Posted: September 26, 2012 in news, Uncategorized Tags: evert bopp, foursquare, Google Streetview, Internet service provider, IP address, Leo Traynor, Protocols, trolls 38

Like many people I have read Leo Traynor's latest blogpost (http://www.traynorseye.com/2012/09/meeting-troll.html) in which he tells about how online trolling led to actual death threats made against him and his family IRL (In Real Life) as well as shocking and insulting artefacts being left on his doorstep. It makes for frightening reading and fits right in to the ongoing debate about trolling (http://en.wikipedia.org/wiki/Troll_(Internet)). The story has gone viral and has been picked up by the international media. What's more, it has generated a spin-off debate on the method used by Leo to locate the troll in question. He did this by having a friend take the IP addresses associated with offensive comments on his blog and trace these IP addresses. A lot of ignorant comments are being made about how this would not be possible without access to ISP records which can only be accessed with a warrant. This is far from true.

An IP address, for those unfamiliar with it, is a numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol (http://en.wikipedia.org/wiki/Internet_Protocol) for communication. An IP address serves two principal functions: host or network interface identification and location addressing. This means that every device connected to the Internet, and hence used to troll people, has an assigned IP address.

It used to be that almost all IP addresses assigned by ISPs were assigned on a dynamic basis. This meant that a user was assigned a new IP address every time they connected to the Internet. This was done because an ISP's network assets could not handle all users at the same time, so they had to rotate IP addresses between users. However, ISPs have increased their assets and most people have been assigned semi-permanent IP addresses by their provider. This means that in the majority of cases an IP address will point to an individual or a specific location.

This information is used in lots of ways by popular web services. Take for instance Foursquare (http://www.foursquare.com/): this geo-location service will determine your location even if you use it on a device without built-in GPS. It does so simply by using your IP address and related information. Some websites also use your IP address to provide you with location specific information. Just think of the various online shops such as Amazon who determine your location solely by your IP address. But your IP address can be used to find out a lot more detailed information about you. Let me explain by using an example.

It is very easy to retrieve IP addresses. Every comment left on a blog is tagged with the originating IP address. This can only be seen by the blog administrator. See the below image for an example.

(http://evertb.files.wordpress.com/2012/09/blog_comments_ip1.jpg)

The above image shows you a number of comments on my blog. There is a range of information, but for now we're only going to take the IP address. Once you have this you can go to one of the many online IP tracker services such as IPTrackerOnline.com (http://www.iptrackeronline.com), type in the IP address in question and hit ENTER. Within seconds you will have a wealth of information. It will show you the user's Internet Provider, a fairly exact location, the map coordinates and a satellite view of their location. Plug the location into Google Streetview and it will give you the actual address. You can then put the address into Google to find out more details. (NOTE: this does not work in all cases but even a general location is a piece in the puzzle when tracking a troll).

The above method will give you a specific address or a general area of the person harassing you. Of course it is not foolproof and can be circumvented, but as Leo Traynor's example showed, not everyone is devious enough to do so. In fact the majority of Internet trolls are either too stupid or arrogant to completely hide their identity or location.

Another method is looking for IP addresses connected with discussion forum postings. A lot of forums will include the poster's IP address in their message, so with a bit of luck you will be able to find out more about the troll's online habits. In the past I have come across people posting trolling/harassment spam from the same IP address that they used when engaging in professional discussions online.

Every bit of information gathered using the above method can then be cross-referenced with other databases, leading to a wealth of information and quite often a very detailed profile of someone, including personal & professional information as well as relevant locations.

So by taking this simple set of numbers, which follows people online like a trail of breadcrumbs, you can not only find out their location but you can also trace their name as well as find a lot of personal details. Enough to give you some tools to work with when trying to shut a troll up. And all of this is public information that can be legally obtained and which does *not* require any warrants.

Note: I am not an IT security professional, blackhat hacker or anything like that. I do however have about 17 years of IT/networking experience and have on quite a few occasions helped people track down someone who was harassing them or someone close to them online. The above method is not 100% watertight but it works in most cases and is perfectly legal.

Related articles

The Story Of An Internet Troll With A Surprising Twist (http://techcrunch.com/2012/09/25/the-story-of-an-internet-troll-with-a-surprising-twist/)

When Porn Copyright Trolls Attack And Judges Fight Back (http://hothardware.com/News/When-Porn-Copyright-Trolls-Attack-And-Judges-Fight-Back/)

Leo Traynor: The day I confronted Twitter troll who stalked me for 3 years (http://www.dailymail.co.uk/news/article-2208835/Leo-Traynor-The-day-I-confronted-Twitter-troll-stalked-3-years.html?ITO=1490)

Comments

1. Bríd says: September 26, 2012 at 9:09 pm

I've just put my IP address into IPTrackerOnline.com and it tells me I'm beside Ballynahinch. It offers me a satellite picture of a bunch of trees. I'm not surprised. I'm in north Co. Dublin. These things are notoriously unreliable. Most of the time, when I was with Vodafone, IP Trackers put me in Limerick.


Accuracy rates on deriving a city from an IP address fluctuate between 50 and 80 percent, according to DNS Stuff, a Massachusetts-based DNS and networking tools firm. http://whatismyipaddress.com/geolocation-accuracy

Theodore M. Seeber says: September 28, 2012 at 5:59 pm

My IP address says I'm in the middle of the Atlantic Ocean. As I'm in Portland, Oregon, I think this isn't as useful as it first appears.

evertb says: September 28, 2012 at 6:09 pm

Theodore, It actually doesn't, as it locates your IP address in Portland Oregon. A 2 minute Google session shows me that you possibly live in Silverton or Beaverton, and your phone number possibly starts with 503-873, 503-882, 503-643 or 503-318. You work (or have worked) for the Oregon Institute of Technology in a software related role. Am I warm yet?

QuestionOfTruth says: September 28, 2012 at 6:17 pm

Yeah, and his name is Theodore M. Seeber. See, didn't even need an IP.

evertb says: September 28, 2012 at 6:22 pm

But the point is that I got that information *without* using your name.

2. evertb says: September 26, 2012 at 9:42 pm

Brid, I noticed that you're using a mobile broadband connection. These are indeed very unreliable when tracing. However in the majority of cases a combination of IP-tracing via databases, Google-ing and cross referencing will provide a rather accurate picture. But, as I said in the post, nothing is 100% accurate. I also didn't go into detail on other technologies which are more accurate.

royblumenthal says: September 28, 2012 at 6:39 am

I think the key here is that a troll leaves MANY posts, and the information accumulates over time. For instance, if the troll MAINLY uses mobile broadband (with a vague physical location), but SOMETIMES uses a fixed IP address, the combination reveals information. Firstly, the mobile broadband range reveals the service provider, and broad geographic location. Secondly, the fixed IP address gives more specific location info. Thirdly, the frequency of mobile and fixed reveals a pattern. As soon as there is enough data, it becomes obvious whether or not ALL of the data originates with one person. Add this to signature tics that all online types have, and you can easily narrow things down. Some people use commas and apostrophes incorrectly, for example. And they ALWAYS make the same signature mistakes. Some use quirky punctuation. Fourthly, this data isn't about making a bullet-proof positive identification. There are other tools for that. This is about investigating, chasing back the cat, getting a grip on who it MIGHT be.

3. Dia Positief says: September 26, 2012 at 10:04 pm

Reblogged this on Onder Zeeniveau and commented: Read an article about Leo Traynor

4. Bríd says: September 26, 2012 at 10:08 pm

"I noticed that you're using a mobile broadband connection" I am. But when I was with Vodafone, I was on DSL through my phoneline. Trackers still put me in Limerick!

5. Bríd says: September 26, 2012 at 10:14 pm

I should add: Mr Traynor's experience was horrific. And if it had been me, I'd have tried to track the little b*st*rd too. I'm just wondering if he's sure that what his IT friend did was above board.

6. evertb says: September 26, 2012 at 10:57 pm

Brid, I have discussed this with Leo and you can take my word that the methods used were completely above board.

7. Leo Traynor says: September 26, 2012 at 11:15 pm

Hi Bríd, I'd have asked exactly the same question. The methods I used were verified as legal & above board by an independent data protection specialist. My blog was read by a lawyer & by the youth's parents before I published it and I removed a lot of the specifics to protect the minor's identity.

8. QuestionOfTruth says: September 26, 2012 at 11:41 pm

I'm afraid that the method you've given won't resolve to the correct location for the vast majority of home internet users who will have DHCP assigned IPs from their ISP. As such it almost certainly can't be the method used. Assuming the real method used was actually above board then it's kind of puzzling that he's hesitant to release it. I wouldn't even care if he used more underhanded methods, I certainly would be willing to if faced with what he was faced with, but he has specifically said that they were above board while also maintaining the need to be vague.

9. evertb says: September 27, 2012 at 12:13 am

@QuestionOfTruth Yes & no. ISPs do indeed in the majority of cases assign IP addresses to users via DHCP. However the important point is how long the lease on the assigned IP address is. The trend has moved to longer & longer leases, resulting in a large enough time window to even track a dynamically assigned IP address. I actually mention that in the post already. Note: I also mention that no method is 100% foolproof.

QuestionOfTruth says: September 27, 2012 at 12:25 am

Okay, I concur that a router can keep the same IP for a very long time these days, particularly on some ISPs (and possibly even indefinitely), and also that there are other methods and that none are foolproof. However, I don't think that the length of time the IP stays on the same router is relevant in this case.
The only way for the IP to ever get tracked via legitimate means by one of these databases would be via something not based on the IP and requiring code to be run at the location or information to be freely given. For instance a page with html5 geolocation being run and the results being logged by IP. I don't know of any legitimate sites that actually do this though, the iptrackeronline site certainly makes no mention of it. And the site would have to be pretty ubiquitous to have any impact. Devices that do make anonymous geolocation reports to the databases of google etc are clear that they're anonymous - I haven't actually checked but I would have assumed that means they don't include IPs. Failing the above, the database is just going to have the same information it has always had, namely that the IP address comes from a pool of IPs owned by your ISP and thought to be handed out to users in city X.

evertb says: September 27, 2012 at 12:32 am

1) As I said this is not 100% foolproof but works in a lot of cases.
2) As I have done this before I can attest that it works. Even in cases where an exact address cannot be extracted you will get a fairly general location which will assist with further searches and cross referencing.

Tracing the IP address alone will more often than not be enough but it's the first step that will guide you in the right direction.

QuestionOfTruth says: September 27, 2012 at 12:51 am

Well, I have to say that I think it's not going to give you even street level accuracy on a home user 99% of the time, so really we're just talking about region of the country or city the vast majority of the time. This might be enough to get you going if you've already decided on a narrow pool of suspects (e.g., people you know) and there happens to be not too many candidates in the area, but not otherwise. I'm only currently seeing two legitimate reasons why he wouldn't just give the method:

1) It involved him trying to trap a lot of his friends (through tracking emails etc), who might be hurt by the fact they were under suspicion. I guess this could be extended to some other totally legal but slightly unethical methods.
2) It involves something that would only be applicable to the culprit. Such as the dad was running a business from home and had a DNS entry for his static IP address.

Of course, if either of those were true then the IP geolocation thing would be something of a red herring.
Obviously it could be a reason I haven't thought of. FWIW I'm just curious. I've realised my username is demanding truth for truth's sake but that's not actually what I'm going for. I'm just genuinely interested in how it went down.

10. evertb says: September 27, 2012 at 1:12 am

@QuestionOfTruth You're incorrect in your assumptions, both on the accuracy of linking an IP address to a geographical location with a satisfactory level of accuracy *and* in your reasoning on Leo Traynor's methods.

QuestionOfTruth says: September 27, 2012 at 1:23 am

Interesting. If you come up with an example of a DHCP home user's IP address resolving to something that's even claiming to be their street address (rather than location given to the pool that the address came from) then please post it, as I've never seen it. Any example will do. wrt my reasoning on his methods, I had definitely expected 2 to be correct. If the method doesn't reveal the culprit and is both ethical and legal then it seems odd that we're having this conversation.

evertb says: September 27, 2012 at 10:10 am

OK, I am not going to disclose anyone's personal details here but will give you a few IP addresses which you can simply run through the website referred to above. Again, this is only part of the process (as I have explained ad nauseam). However these IP addresses will trace back to locations in residential areas rather than some ISP's office.

62.8.228.24
79.97.248.75

Another good source for tracking details are the numerous websites listing IP address against user details. Crunchbase is one of them: http://www.crunchbase.com/edits?page=54820

QuestionOfTruth says: September 27, 2012 at 12:48 pm

You've given two examples:

62.8.228.24: A field in Germany that the surrounding IP addresses also map to.
79.97.248.75: A UPC address, tracking to the same place that all the other UPC addresses in Dublin track to, either the grand canal by Mespil Rd or Dame st, depending on which service you use to do the lookup (you can look at mine if you don't believe me).

Neither of these examples demonstrates the accuracy you are suggesting. I said that "we're talking about region of the country or city the vast majority of the time." and you said that I was incorrect, but you haven't given a reasonable example. Crunchbase!
Finally something new (previous to this you hadn't given anything that wasn't already in Leo's post, just a more detailed explanation of it). This is NOT ip geolocation, and you and Leo haven't this method before. The likes of wikipedia do the same. However, they generally do NOT map IP addresses to users as you say, but rather IP addresses to edits. If the person has logged in then their username will be shown rather than their IP address. It would definitely be possible that you could work out information about an IP using such methods, particularly if they're very active in the internet.

evertb says: September 27, 2012 at 12:59 pm

OK, I gave you the wrong set of IP addresses. (smacks head):

71.57.25.113
76.25.207.82

Anyway, I think you get my point by now.

DaveJ says: September 27, 2012 at 11:34 am

Nope, QoT is not incorrect in his assumptions. It is practically impossible to pinpoint to the degree you claim, by websites like these. The websites you mention do not have any other information than what is publicly available. Unless the ISP adds home address information to the routing mechanisms of their equipment, it is just not possible. The closest you could get (depending on the level of division of the ISP's network) is a cluster of houses, a street, a neighbourhood. Sometimes the end user IP has no DNS record against it, sometimes it does. If it does (the ISP does this for management reasons) then you might glean a little more information about the location. But an actual address? I think Mr. Traynor's IT friend was extremely lucky with his trace. You must not forget that Mr. Traynor has not divulged all information that was harvested from his pal's exercise, he could have been given more information that led him to the culprit. But a simple scan? Unlikely, very unlikely!

evertb says: September 27, 2012 at 12:43 pm

@Dave As I keep explaining over & over again; plugging the IP address into one of these trackers narrows down the location fairly significantly. Once you have this information you can then cross-reference it with other data which is readily available online to help you form a clearer picture of the person in question. If the IP address links to a name online you can then add this name to the search keywords to find out even more. It's all parts of the same puzzle. Basically it's nothing but good old fashioned research.
I fully agree that no IP address will give you an exact address and *that's all you need*. However my point is (and I seem to have failed in bringing this across) that nobody is as anonymous online as they think they are..

11. Andrew says: September 27, 2012 at 12:12 pm

I am interested in the methodology used. Funnily enough the people commenting on this at the Guardian in particular are really surprised at the easiest section of the process (tracing an IP to a physical address) but I'm pretty sure Twitter doesn't make IP addresses public in the tweet or message headers so I'm confused about how you'd get an IP to look up from those. Well, legally at least.

QuestionOfTruth says: September 27, 2012 at 12:51 pm

@Andrew, the twitter account was closed and the troll was lured to another place (like this blog for instance) where the owner can see the IP addresses of those posting. However, the "tracing an IP to a physical address" section has not yet been resolved.

Andrew says: September 27, 2012 at 1:02 pm

Oh I don't know, if his IP was static you can get a decent idea and if you have access to previous emails from the address it's easy enough to just take a look for a matching IP. If it's dynamic then it'll probably renew once every 24-72 hours so that puts a time constraint on it but it's still possible. I missed the bit about a private blog in the story so I assumed he'd got an IP from Twitter, that'd mean either a man-in-the-middle or someone breaking into Twitter's database for DMs and finding the entry for that message. Both very illegal but with that solved the rest of this is perfectly routine.

QuestionOfTruth says: September 27, 2012 at 1:52 pm

@Andrew, nah if the IP is dynamic it isn't going to renew at anything close to that rate. In any case, what you're talking about is matching the IP to somebody you're in contact with (via email or IM or whatever). This is not tracing an IP to a physical address, it's matching the IP to one of your contacts. That's definitely possible but it isn't what they're saying they did.

Andrew says: September 27, 2012 at 2:21 pm

The renew rate is actually variable by a huge margin but I've dealt with home connections that renewed at the far ends of that estimate.
As variable as that is the quality and precision of tracing an IP address to a physical location since it depends so heavily on the network topology, however I've routinely been able to track company addresses to physical buildings to roughly a street's accuracy, I think it depends a fair amount on what part of the country you're in. As for the precise method of tracking, all it says in the blog entry is that three IP addresses were retrieved, one of which belonged to his friend. If it were me and I was looking for a match I'd start by finding a rough area and working out which of my suspects lived inside that area rather than trying to use a single method. I'd guess that the IP address was roughly in the area of one of his friends and that the IT bloke had probably been given a "by any means necessary" license and had emails to check it against. Either that or he got given a rough area and decided to bluff the rest to try and elicit a confession. I really wouldn't say whether this is true or false but given that it's possible and that this isn't said to happen all that often it wouldn't surprise me if someone had finally got lucky.

QuestionOfTruth says: September 27, 2012 at 2:31 pm

I think we're in agreement here. A home DHCP address isn't going to be renewed every 24-72 hours unless the connection is flapping a lot. Company IPs are a totally different beast, as they'll often have DNS records or have the IPs registered to their name. I agree on it being possible to trace an IP if it belongs to a limited pool of suspects but I already suggested this and Evert said it didn't happen like that (i.e. even with a rough area they're still dealing with everybody who lives in that area rather than a select group).

12. Tim says: September 27, 2012 at 1:03 pm

I wonder if all people commenting have read both Mr. Traynor's blog and this one. He clearly states that he baited the troll on his blog and the bait was taken. His administrative rights to his blog provided the most accurate information.

Andrew says: September 27, 2012 at 1:08 pm

Well I wouldn't know about his blog but I read it on the Grauniad and on there it's only briefly alluded to, it says he redirected people to his g+, facebook and personal blog and two of those three have the same issue as Twitter, I just skipped over one word.

13. Tom says: September 27, 2012 at 2:14 pm

Speaking as one of the ignorant people who queried this (FYI I work in a major ISP and am partly responsible for the IP trace systems) it is *not* generally possible to take an IP and resolve *to an address*, as Leo Traynor's original post suggested, as that kind of thing requires IP lease records and customer account details which tend to be rather closely held. Of course, in many cases steps as suggested here will get you to the approximate area and if you have other data to cross-reference you might get closer than that but my very non-moving very geolocated cable public IP is commonly placed across about half of west London by online location services. I assumed that for the sake of brevity/legality/privacy that not all steps in the investigation were included, such as cross-referencing the IP, which is pretty much what Mr. Traynor's saying in the comments.

evertb says: September 27, 2012 at 2:19 pm

@Tom, you are absolutely correct. Both in pointing out that it needs to be cross-referenced (as I said before) and in assuming that for the sake of brevity/legality/privacy that not all steps in the investigation were included. Point is that Leo with some help was able to find the person behind all the abuse and that it did *not* require protected data only accessible with a warrant.

14. It was like a game thing, said the troll. The mind is an unexplored country. says: September 28, 2012 at 10:19 am

[...] Tracking a troll. [...]

15. How To Bait and Catch The Anonymous Person Harassing You On The Internet - Forbes says: September 28, 2012 at 4:08 pm

[...] to remain anonymous, but another IT professional, Evert Bopp, outlines the techniques involved on his blog. Here are the [...]

16. [REDACTED] says: September 30, 2012 at 1:43 am

These tactics are all interesting, but useless when dealing with a technically able USENET troll, that knows how to use a re-mailer service, Google Groups, and forged headers. Recently there's been a spate of trolls in the alt.support.shyness USENET newsgroup. Perhaps the maintainer of this blog can use his talents to ensure these trolls are unmasked and appropriate care given.

evertb says: September 30, 2012 at 8:33 am

I agree. If you are harassed by someone who has the skills you describe it will be almost impossible to trace them. However in most cases people who troll/stalk/harass other people online do not have such skills or eventually slip up in some way. We can discuss exceptions as much as we want but the methodology described in my blogpost works in the majority of cases.
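
The disagreement in the comments above about how precise a tracker result can be follows from how IP geolocation databases are generally organised: rows are keyed by address block, not by subscriber. The following is an added example, not code from the original post or from any tracker site; the three-row table, the RFC 5737 documentation ranges and the coordinates are all constructed. It shows that every address in an ISP pool resolves to the same point, and that only a separately registered block gets a tighter answer.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class GeoRecord:
    network: ipaddress.IPv4Network
    description: str
    lat: float
    lon: float
    radius_km: int  # accuracy radius this row claims


def rec(cidr, description, lat, lon, radius_km):
    """Build one database row from a CIDR string."""
    return GeoRecord(ipaddress.ip_network(cidr), description, lat, lon, radius_km)


# Constructed rows. The networks are RFC 5737 documentation ranges and the
# coordinates are invented; no real subscriber or ISP data is involved.
CONSTRUCTED_DB = [
    rec("198.51.100.0/24", "residential DHCP pool, 'city X'", 10.0, 20.0, 50),
    rec("203.0.113.0/24", "mobile broadband pool, country-wide", 11.0, 21.0, 200),
    rec("203.0.113.64/28", "static block registered to a business", 10.02, 20.03, 1),
]


def lookup(db: Iterable[GeoRecord], addr) -> Optional[GeoRecord]:
    """Longest-prefix match: the most specific block containing addr wins."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in db if ip in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def distinct_locations(db, addrs) -> set:
    """Set of (lat, lon) pairs that the given addresses resolve to."""
    found = (lookup(db, a) for a in addrs)
    return {(r.lat, r.lon) for r in found if r is not None}


def pool_summary(db, cidr):
    """Return (addresses in the pool, distinct coordinates they resolve to)."""
    hosts = list(ipaddress.ip_network(cidr))
    return len(hosts), len(distinct_locations(db, hosts))


if __name__ == "__main__":
    samples = ("198.51.100.7", "198.51.100.201", "203.0.113.70",
               "203.0.113.200", "192.0.2.1")
    for addr in samples:
        r = lookup(CONSTRUCTED_DB, addr)
        if r is None:
            print(f"{addr:16} no record")
        else:
            print(f"{addr:16} ({r.lat}, {r.lon}) +/-{r.radius_km} km  {r.description}")
    # Every address in the residential pool lands on one coordinate.
    print(pool_summary(CONSTRUCTED_DB, "198.51.100.0/24"))
```

A lookup result is therefore a statement about the block the address belongs to; the claimed radius, not the map pin, is the figure to read.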