Date: 08 Mar 2008 16:51:25
From: Guy Macon
Subject: Revision two: Analysis of Mottershead / Jones / Ulevitch reports




For the record, here is my analysis. I have some degree
of expertise in this area; I estimate my own skills to
be roughly equal to those of Mottershead, and I estimate
both of us to have skills well below those of Robert
Jones and David Ulevitch, both of whom are well-known
experts.

(2nd revision reflects the possibility that someone else
had physical access to at least two of Truong's computers.)


My analysis:

I have based this analysis on the information found at
the following URLs:

http://rs235.rapidshare.com/files/62649719/mottershead.zip
http://craic.com/forensics/uscf_usenet_analysis/USCF_Usenet_Abuse_Report_20071206.pdf
http://chessusa.blogspot.com/2008/01/expert-opinion-mottershead-report.html


After examining the above, I conclude:

The mottershead.zip files show that when Truong moved
to Lubbock, the author of some or all of the fake posts
moved to Lubbock. When Truong visited Mexico City, the
author of some or all of the fake posts visited Mexico City.

The report from Robert Jones of Craic Computing concludes
that the data he examined shows that some or all of the
fake Usenet posts were sent from the same IP address as USCF
user "chesspromotion" (Truong), and that the IP addresses
moved together as Mottershead described.

The reports from David Ulevitch conclude that some or
all of the fake posts were posted from the same physical
locations that Truong was in at the time of the posts,
and that the posts to the USCF forums by chesspromotion
/ Truong were also made from those same physical locations.



Here are all of the explanations that I can think of,
some far more likely than others. My comments on each
follow:


Possible explanation #1:
Truong or someone living in his house generated those
particular fakes.

Possible explanation #2:
Mottershead fabricated the data that his report was based upon.

Possible explanation #3:
Someone else fabricated the logs Mottershead relied upon.

Possible explanation #4:
Someone controls Truong's PC remotely.

Possible explanation #5:
IP address spoofing

Possible explanation #6:
Identity theft.

Can anyone think of another possibility, no matter how remote?



Here is my analysis of each possible explanation, in reverse order:

Possible explanation #6:
Identity theft -- someone else was logging on to the USCF forums,
posting some or all of the fakes, going to Mexico, etc.

Not a reasonable explanation. Too many people saw Truong in the
cities mentioned, and he has never reported being the victim of
such a comprehensive identity theft.


Possible explanation #5:
IP address spoofing -- the IP addresses themselves are faked.

This is not possible from the user's location. See the Ulevitch
report for an explanation as to why this is true.

It *is* possible if the ISP itself is under control from someone
who can change logs, etc., but that is not a reasonable
explanation -- it would require compromising multiple servers
at multiple ISPs.


Possible explanation #4:
Someone controls Truong's PC remotely

Not a reasonable explanation. To produce the timing shown in
the logs, this controlling would pretty much have to happen
while Truong was at the keyboard. Also, the person doing the
controlling would have had to take control of Truong's new
computer (a PC running the Tablet PC version of Vista) as
soon as he got it.


Possible explanation #3:
Someone fabricated the logs Mottershead relied upon.

Not a reasonable explanation. This would require the USCF servers
to have been taken over remotely, the USCF sysadmins to be
incompetent, and no other crackers or botnet operators using
the same backdoor to take over and cause ill effects other than
a few logs being changed. It would also require evading all
malware scans since then.


Possible explanation #2:
Mottershead fabricated the data that his report was based upon.

I cannot evaluate whether this is a reasonable explanation.
Clearly, if the data that I and the two independent experts
examined was a clever fake, we would all come to the same wrong
conclusion. Is there any reason to believe that Mottershead
might have motive as well as opportunity? Has anyone else
examined the actual servers just in case such a fabrication
was done through post editing? Or checked the timestamps and
backups of the server data to see if the supposed fabrication
missed a backup or two? I personally don't buy this as an
explanation, yet I cannot say that it is impossible.


Possible explanation #1:
Truong or someone living in his house generated those
particular fakes.

We have not narrowed the author of these particular fakes
down to Paul Truong himself. It could be someone who
travels with him and uses his computer. We have, however,
narrowed it down to the physical location, a physical
location that moves whenever Paul Truong moves.

We also have not analysed all the fake posts, just a large
number of them. Some of the unexamined fake posts may have
come from some other source. Most of them, however, appear
to have come from Paul Truong's physical location.

Unless someone can show me another possible explanation or
convince me that one of the above possible explanations
holds water, I can only conclude that the evidence presented
so far points to Truong or someone living in his house
generating the fakes analysed by Mottershead.

Truong has repeatedly claimed to have evidence that he is
withholding that proves his innocence. I cannot evaluate
that claim without seeing that alleged evidence. Thus my
final conclusion is still open to revision based on new
evidence.

Again I invite those who think that Truong did not
generate any of the fake posts to please weigh in with
possible explanations I may have missed, rational
analysis of my comments below, or any other reasoned
discussion. I would very much welcome anyone blowing
holes in my reasoning.
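One way to test the "moved together" claim on logs, as an added example that is not code from this thread or from the Mottershead, Jones or Ulevitch reports: it parses two constructed log extracts (a web-server access log for the known forum account, and a one-line-per-article extract of Usenet Date and NNTP-Posting-Host headers in a format made up for this example), lists each stream's addresses in order of first use, times each anonymous post against the nearest known-account post from the same address, and records that an address match only places both streams on the same network at the same time. All addresses, account names and timestamps below are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Post:
    stream: str       # "forum" (known account) or "usenet" (anonymous posts)
    when: datetime    # timezone-aware
    ip: str


# Constructed web-server access log for the known forum account (not real data).
FORUM_LOG = """\
203.0.113.17 - chesspromotion [10/Jun/2007:14:02:11 -0500] "POST /forum/post HTTP/1.1" 200
203.0.113.17 - chesspromotion [12/Jun/2007:09:45:30 -0500] "POST /forum/post HTTP/1.1" 200
198.51.100.42 - chesspromotion [03/Sep/2007:20:10:05 -0500] "POST /forum/post HTTP/1.1" 200
198.51.100.42 - chesspromotion [05/Sep/2007:21:00:12 -0500] "POST /forum/post HTTP/1.1" 200
192.0.2.88 - chesspromotion [20/Nov/2007:22:15:40 -0600] "POST /forum/post HTTP/1.1" 200
"""

# Constructed extract of Usenet article headers (Date and NNTP-Posting-Host), one per line.
USENET_LOG = """\
Date: Sun, 10 Jun 2007 14:10:02 -0500 | NNTP-Posting-Host: 203.0.113.17
Date: Tue, 12 Jun 2007 10:02:44 -0500 | NNTP-Posting-Host: 203.0.113.17
Date: Mon, 03 Sep 2007 20:25:19 -0500 | NNTP-Posting-Host: 198.51.100.42
Date: Tue, 20 Nov 2007 22:40:01 -0600 | NNTP-Posting-Host: 192.0.2.88
Date: Thu, 22 Nov 2007 03:00:00 +0000 | NNTP-Posting-Host: 192.0.2.9
"""

FORUM_RE = re.compile(r'^(\S+) - (\S+) \[([^\]]+)\]')
USENET_RE = re.compile(r'^Date: (.+?) \| NNTP-Posting-Host: (\S+)$')


def parse_forum(log, account):
    """Posts by one account, from common-log-format lines, oldest first."""
    posts = []
    for line in log.splitlines():
        m = FORUM_RE.match(line)
        if m and m.group(2) == account:
            when = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
            posts.append(Post("forum", when, m.group(1)))
    return sorted(posts, key=lambda p: p.when)


def parse_usenet(log):
    """Anonymous posts, from the header extract, oldest first."""
    posts = []
    for line in log.splitlines():
        m = USENET_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%a, %d %b %Y %H:%M:%S %z")
            posts.append(Post("usenet", when, m.group(2)))
    return sorted(posts, key=lambda p: p.when)


def address_eras(posts):
    """Distinct source addresses in order of first use: how a stream 'moves'."""
    eras = []
    for p in posts:
        if not eras or eras[-1] != p.ip:
            eras.append(p.ip)
    return eras


def nearest_gap_seconds(forum, usenet):
    """For each anonymous post, seconds to the closest known-account post from the
    same address (None if that address never carried the account). Small gaps mean
    the account holder was active on that network at the time of the fake."""
    by_ip = defaultdict(list)
    for p in forum:
        by_ip[p.ip].append(p.when)
    out = []
    for u in usenet:
        times = by_ip.get(u.ip)
        gap = min(int(abs((u.when - t).total_seconds())) for t in times) if times else None
        out.append((u.ip, gap))
    return out


def summarize(forum, usenet, known_shared):
    """Correlation report. known_shared: addresses documented as NAT gateways shared
    by many users (a hotel, say); every other match is still only a location match,
    because a home router also hides everyone on its LAN behind one address."""
    f_eras, u_eras = address_eras(forum), address_eras(usenet)
    shared = [ip for ip in u_eras if ip in f_eras]
    return {
        "forum_eras": f_eras,
        "usenet_eras": u_eras,
        # Shared addresses appear in the same order in both streams.
        "moves_together": shared == [ip for ip in f_eras if ip in shared],
        "only_usenet": [ip for ip in u_eras if ip not in f_eras],  # possibly another author
        "only_forum": [ip for ip in f_eras if ip not in u_eras],
        "gap_seconds": nearest_gap_seconds(forum, usenet),
        "inference": {
            ip: ("same network: documented shared NAT address"
                 if ip in known_shared else
                 "same location: address alone cannot separate hosts behind the router")
            for ip in shared
        },
    }


if __name__ == "__main__":
    report = summarize(parse_forum(FORUM_LOG, "chesspromotion"),
                       parse_usenet(USENET_LOG), {"198.51.100.42"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed data the last anonymous post comes from an address the account never used, which is the "some of the unexamined fakes may have come from some other source" case; the matching ones are tied to the account's network and to its active times, not to a particular machine.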







 
Date: 11 Mar 2008 03:39:37
From: genuine expert unlike Mooterhead Ulevitch Jones
Subject: Re: Revision two: Analysis of Mottershead / Jones / Ulevitch reports
"Guy Macon" offered:
>Here are all of the explanations that I can think of,

>Can anyone think of another possibility, no matter how remote?

Of course anyone can, e.g.

Possible explanation 1a:
Someone living near but not in Truong's homes hacked into and
used his broadband wireless home network, which I know for a fact
was not secured with either WAP, WEP or better, and used just the
standard "admin" password (admin) password, and such person/s
generated those particular fakes.

This is not at all the same as your explanation 4, since Paul's
PC was not being remotely controlled (as via BOv3 or better).

Paul has since learned better and has secured his network. Note
the user-agent strings are trivial to spoof and also trivial to
legitimately duplicate by using a similar windoze and browser
environment.

Denzil

----- Original Message -----
From: "Guy Macon" <http://www.guymacon.com/ >
Newsgroups: rec.games.chess.politics,rec.games.chess.misc
Sent: Saturday, March 08, 2008 11:51 am
Subject: Revision two: Analysis of Mottershead / Jones / Ulevitch reports




  
Date: 13 Mar 2008 23:27:40
From: Ray Gordon, creator of the \pivot\
Subject: Re: Revision two: Analysis of Mottershead / Jones / Ulevitch reports
How would the anonymous poster "know" anything about the defendants?

Was the person living in a van? Any witnesses? Just a coincidence they had
a chess axe to grind?

Also, wouldn't this at least establish NEGLIGENCE?


--
Ray Gordon, The ORIGINAL Lifestyle Seduction Guru
http://www.cybersheet.com/library.html
Includes 29 Reasons Not To Be A Nice Guy

Ray's new "Project 5000" is here:
http://groups.yahoo.com/group/project-5000

Don't rely on overexposed, mass-marketed commercial seduction methods which
no longer work.

Thinking of taking a seduction "workshop?" Read THIS:
http://www.dirtyscottsdale.com/?p=1187

Beware! VH-1's "The Pickup Artist" was FRAUDULENT. Six of the eight
contestants were actors, and they used PAID TARGETS in the club. The paid
targets got mad when VH-1 said "there are no actors in this club" and ruined
their promised acting credit. What else has Mystery lied about?





  
Date: 11 Mar 2008 05:38:09
From: Bases
Subject: Re: Revision two: Analysis of Mottershead / Jones / Ulevitch reports
In article <[email protected] >
genuine expert unlike Mooterhead Ulevitch Jones <[email protected] > wrote:
>
> "Guy Macon" offered:
> >Here are all of the explanations that I can think of,
>
> >Can anyone think of another possibility, no matter how remote?
>
> Of course anyone can, e.g.
>
> Possible explanation 1a:
> Someone living near but not in Truong's homes hacked into and
> used his broadband wireless home network, which I know for a fact
> was not secured with either WAP, WEP or better, and used just the
> standard "admin" password (admin) password, and such person/s
> generated those particular fakes.
>
> This is not at all the same as your explanation 4, since Paul's
> PC was not being remotely controlled (as via BOv3 or better).
>
> Paul has since learned better and has secured his network. Note
> the user-agent strings are trivial to spoof and also trivial to
> legitimately duplicate by using a similar windoze and browser
> environment.
>
> Denzil
>

Boring.

  
Date: 11 Mar 2008 05:03:16
From: Guy Macon
Subject: Re: Revision two: Analysis of Mottershead / Jones / Ulevitch reports



genuine expert unlike Mooterhead Ulevitch Jones wrote:
>
>"Guy Macon" offered:
>
>>Here are all of the explanations that I can think of,
>
>>Can anyone think of another possibility, no matter how remote?
>
>Of course anyone can, e.g.
>
>Possible explanation 1a:
>Someone living near but not in Truong's homes hacked into and
>used his broadband wireless home network, which I know for a fact
>was not secured with either WAP, WEP or better, and used just the
>standard "admin" password (admin) password, and such person/s
>generated those particular fakes.
>
>This is not at all the same as your explanation 4, since Paul's
>PC was not being remotely controlled (as via BOv3 or better).
>
>Paul has since learned better and has secured his network. Note
>the user-agent strings are trivial to spoof and also trivial to
>legitimately duplicate by using a similar windoze and browser
>environment.
>
>Denzil

An *excellent* addition to the analysis, genuine! Makes me glad
I have supported anonymous remailers for all these years. This
is a great example of why such services are needed; the above
should be evaluated based on its own merits, not based on who
wrote it, and indeed it does stand on its own merits. Good work!

I will revise my analysis later, but before I do, a few questions:

Assuming that a determined adversary also checked into the same
hotel in Mexico City and tried to access that network, I would
assume he wouldn't be able to hack into that wireless system and
would have to get his own account, but if the hotel used NAT (very
likely to be true) the IP addresses would still match. Any flaws in
this reasoning?

Would any of his neighbors have a motive for posting fake posts
about various Chess personalities? Would any of them have a motive
strong enough to move to Texas when he moved to Texas and vacation
in Mexico City when he vacationed in Mexico City? Or are we
envisioning someone parked in a van outside night after night?

(I should have thought of this one myself, but it simply did not
occur to me. Thanks!)



   
Date: 14 Mar 2008 10:21:31
From: David Richerby
Subject: Re: Revision two: Analysis of Mottershead / Jones / Ulevitch reports
Guy Macon <http://www.guymacon.com/ > wrote:
> genuine expert unlike Mooterhead Ulevitch Jones wrote:
>> Possible explanation 1a:
>> Someone living near but not in Truong's homes hacked into and
>> used his broadband wireless home network, which I know for a fact
>> was not secured with either WAP, WEP or better, and used just the
>> standard "admin" password (admin) password, and such person/s
>> generated those particular fakes.
>
> An *excellent* addition to the analysis, genuine! Makes me glad
> I have supported anonymous remailers for all these years. This
> is a great example of why such services are needed; the above
> should be evaluated based on its own merits, not based on who
> wrote it, and indeed it does stand on its own merits. Good work!

No it doesn't. An unsubstantiated, anonymous claim that Truong's
wireless network was open for all means nothing.

Yes, it's a possibility that somebody gained access to Truong's
wireless network and followed him to Texas and the hotel in Mexico.
But nobody needs an anonymous remailer to point that out. Rather, the
anonymous remailer is needed in order to make scurrilous allegations
masquerading as fact, without revealing whose agenda is advanced by
introducing the idea that Truong was lax about network security.


Dave.

--
David Richerby          www.chiark.greenend.org.uk/~davidr/
Aquatic Erotic Chicken (TM): it's like a farm animal but it's
genuinely erotic and it lives in the sea!


    
Date: 14 Mar 2008 19:59:59
From: Guy Macon
Subject: Re: Revision two: Analysis of Mottershead / Jones / Ulevitch reports



David Richerby wrote:
>
>Guy Macon <http://www.guymacon.com/> wrote:

>> genuine expert unlike Mooterhead Ulevitch Jones wrote:
>>> Possible explanation 1a:
>>> Someone living near but not in Truong's homes hacked into and
>>> used his broadband wireless home network, which I know for a fact
>>> was not secured with either WAP, WEP or better, and used just the
>>> standard "admin" password (admin) password, and such person/s
>>> generated those particular fakes.
>>
>> An *excellent* addition to the analysis, genuine! Makes me glad
>> I have supported anonymous remailers for all these years. This
>> is a great example of why such services are needed; the above
>> should be evaluated based on its own merits, not based on who
>> wrote it, and indeed it does stand on its own merits. Good work!
>
>No it doesn't. An unsubstantiated, anonymous claim that Truong's
>wireless network was open for all means nothing.

I didn't ask for substantiated claims. I asked for all possible
explanations, no matter how unlikely.

>Yes, it's a possibility that somebody gained access to Truong's
>wireless network and followed him to Texas and the hotel in Mexico.

That's what I asked for. My analysis will give my opinion as
to how likely it is that one of Truong's immediate neighbors
faked a bunch of USCF posts, followed him to a hotel in Mexico
and somehow knew that he had changed operating systems. I will
then ask the reader to draw his own conclusions.

>But nobody needs an anonymous remailer to point that out. Rather, the
>anonymous remailer is needed in order to make scurrilous allegations
>masquerading as fact, without revealing whose agenda is advanced by
>introducing the idea that Truong was lax about network security.

I don't care whose agenda is advanced. I do technical analysis,
not politics. I don't want to know who wrote it. I asked for
possible explanations that I may have missed, and the anonymous
poster came up with one. (thanks, anon!)

I do not agree with your opinion about anonymous remailers.
There are many reasons why one might use one. What if a
celebrity wishes to weigh in on this issue? Imagine someone
tracing an IP address and finding that Britney Spears or
OJ Simpson answered my question. Unlikely, but would you
deny them the ability to answer my question if they wanted to?
What if it was someone who feared retribution or someone who
is hiding from a stalker, someone suing them, or the police?
Would you deny them the right to answer my question as well?

The United States was founded upon anonymous pamphlets that
made what many considered to be scurrilous allegations against
the King of England. The answer to falsehood is truth, not
suppression.



    
Date: 14 Mar 2008 07:26:54
From: Mike Murray
Subject: Re: Revision two: Analysis of Mottershead / Jones / Ulevitch reports
On 14 Mar 2008 10:21:31 +0000 (GMT), David Richerby
<[email protected] > wrote:

>Guy Macon <http://www.guymacon.com/> wrote:
>> genuine expert unlike Mooterhead Ulevitch Jones wrote:

>>> Someone living near but not in Truong's homes hacked into and
>>> used his broadband wireless home network, which I know for a fact
>>> was not secured with either WAP, WEP or better,

>No it doesn't. An unsubstantiated, anonymous claim that Truong's
>wireless network was open for all means nothing.

>Yes, it's a possibility that somebody gained access to Truong's
>wireless network and followed him to Texas and the hotel in Mexico.
>But nobody needs an anonymous remailer to point that out.

Exactly. While conceding that someone may have good reasons for
posting anonymously, claims of personal witness by an anonymouse
usually should be disregarded.


 
Date: 09 Mar 2008 04:17:49
From: Brian Lafferty
Subject: Re: Revision two: Analysis of Mottershead / Jones / Ulevitch reports
When will revision #3 be available? Thanks for sharing your "analysis"
with us.
