The main evidence for my story is as follows:
0) I've been involved with Wikipedia for over two years and been involved
with many other Wikimedia projects. The idea that I would risk this sort of
thing is a bit absurd.
1) The sockpuppeting if it had been done would have been grotesquely stupid;
no attempt was made to hide the IP addresses at all. It would be easy to use
a different browser along with AOL, or dual boot and use a distinct machine
or something like that.
2) The accounts in question did not edit the Seth Finkelstein DRV despite
editing almost every BLP DRV I was involved in. By all accounts there are
two
articles that I think we really screwed up on and should be restored;
Finkelstein and Brandt. Now, if I we're going to sock, why wouldn't I edit
the Seth article? Especially in contrast to the Barbara Schwartz article
where in my comment I explicitly said that I thought that this might be one
where deletion wouldn't be unreasonable and only called for overturning
weakly. On that article, not one but both the accounts in question -Gothnic
and Miles Naismith voted to overturn. However, if there was a rootkit on my
machine then there's a good explanation for what happened: I was away from
home at the time of the most recent Finkelstein DRV. Although I brought my
laptop with me, I had minimal internet access at the time and when I did
have access I generally edited using other computers. So whoever was running
the rootkit did not have the opportunity to edit from my machine there.
(Checkuser confirms that I was away during that DRV).
3) I've been told that none of these accounts edited from a Yale IP address
as far back as the checkuser data goes. Now, given that I frequently edit
from Yale IP addresses why wouldn't these accounts do so as well if they
edited from all other locations that I edit from? There's a simple answer to
this and I'm glad that whoever was doing this overlooked this issue; my
laptop hasn't connected to the Yale network for over a semester. [He
provided a good, extremely plausible reason for this] This detail should be confirmable both by checkuser data looking at user-agent strings.
4) Checkuser has confirmed that all the edits made by these two accounts appear to be coming from a single machine (unfortunately they haven't given me the user-agent data other than to say it was consistent with a single machine using firefox that updated more or less regularly. However, given the times of some of these edits and some of the overlapping IP addresses the only possible machine these could have come from is my laptop.
5) Checkuser has confirmed (I think. They still aren't be very cooperative
in letting me know what they know which hasn't helped in trying to figure
out what happened) that at some of these locations that overlap I've used
other computers as well. The socks haven't.
2,3,4 and 5 are the really important points. They are only reasonably
explainable by the hypothesis that we're dealing with a rootkit on the
laptop, not by sockpuppetry. 2 in particular has a very good explanation
consistent with the rootkit hypothesis and with checkuser data (and if
necessary, credit cards and other receipts that I could supply demonstrating
that I was away). 2 is not easily explainable by the sockpuppetry
hypothesis.
6) Some of the edits made by the alledged socks don't fit my editing
patterns. For example see
http://en.wikipedia.org/w/index.php?title=...ldid=183006529Ialways make edits adding in refs to in two steps first adding
<ref>http//whatever. </ref> and then adding a template (this can be easily
verified by looking at my history of edits).
Some fairly private info that confirms point no. 3 has been removed... make of it what you will.