Bah, I'm going to get in on this too.
----
[Arbcom-l] Admin Od Mishehu and serious BLP vandalism
Thatcher131 Wikipedia <thatcher131@gmail.com> Mon, Apr 14, 2008 at 2:30 PM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
In January, the Office received a complaint from [[Greg Ryan
(soccer)]] that his bio had been vandalized with a claim that he was
fired for being caught wearing women's underwear, and as a result he
had lost a job that he was interviewing for. At that time the vandal
edit was too old to checkuser. However it has just been reinstated:
http://en.wikipedia.org/w/index.php?title=...oldid=201216572Checkuser shows the IP is currently used by Admin:Od Mishehu and the
user agents are a spot-on match.
Thatcher
_______________________________________________
Arbcom-l mailing list
Arbcom-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/arbcom-lJosh Gordon <user.jpgordon@gmail.com> Mon, Apr 14, 2008 at 2:48 PM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
It might be a lot worse than that. A checkuser on the offending editor reveals what really seems to be two dozen throwaway accounts, some blocked already, some not -- and they're all carefully interleaved with [[User:Od Mishehu]]. (OM edits, then creates a new account, does a bit of stuff, and then starts working as OM again.)
Obviously Thatcher & I think something is up here; I'd venture it's real quick to deadmin first, ask questions later, but perhaps I'm missing some subtlety.
--
--jpgordon ∇∆∇∆
_______________________________________________
Arbcom-l mailing list
Arbcom-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/arbcom-lDavid Gerard <dgerard@gmail.com> Mon, Apr 14, 2008 at 2:53 PM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>, thatcher131@gmail.com
On 14/04/2008, Thatcher131 Wikipedia <thatcher131@gmail.com> wrote:
> In January, the Office received a complaint from [[Greg Ryan
> (soccer)]] that his bio had been vandalized with a claim that he was
> fired for being caught wearing women's underwear, and as a result he
> had lost a job that he was interviewing for. At that time the vandal
> edit was too old to checkuser. However it has just been reinstated:
>
>
http://en.wikipedia.org/w/index.php?title=...oldid=201216572>
> Checkuser shows the IP is currently used by Admin:Od Mishehu and the
> user agents are a spot-on match.
I just had a look as well. The user agent is the fairly distinctive:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061205
Iceweasel/2.0.0.1 (Debian-2.0.0.1+dfsg-2)
The editing times show fairly clearly (to me) that User:Drhhdxhfstru
was created and used for these edits in the middle of a User:Od
Mishehu editing session.
I think he's nailed. The question is then what the AC consider
appropriate - e.g. "we saw these edits from your IP in the middle of
one of your editing sessions. I hope you can have a word with whoever
did this and make sure it *never happens again*." Without revealing
the user agent aspect. Up to you.
- d.
Thatcher131 Wikipedia <thatcher131@gmail.com> Mon, Apr 14, 2008 at 2:55 PM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
There are 20+ vandal accounts on that IP, not just the Greg Ryan
business. It does not look shared; all the edits are the same unusual
user agent.
David Gerard <dgerard@gmail.com> Mon, Apr 14, 2008 at 2:55 PM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
On 14/04/2008, Josh Gordon <user.jpgordon@gmail.com> wrote:
> It might be a lot worse than that. A checkuser on the offending editor
> reveals what really seems to be two dozen throwaway accounts, some blocked
> already, some not -- and they're all carefully interleaved with [[User:Od
> Mishehu]]. (OM edits, then creates a new account, does a bit of stuff, and
> then starts working as OM again.)
eek - I looked again and you are of course quite correct. He's playing
silly buggers big time. (All on the same distinctive useragent too.)
- d.
Thatcher131 Wikipedia <thatcher131@gmail.com> Mon, Apr 14, 2008 at 2:57 PM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: David Gerard <dgerard@gmail.com>
Cc: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
I hope this is not overlooked. This is not like the admin I caught
making a one-off silly buggers vandalism to Newyorkbrad's talk page
(which could even have been a school chum or something). This is a
long-term problem, and unless he was trolling the histories of BLPs
looking for bad stuff to reinstate, he must have been the original
vandal as well.
T.
David Gerard <dgerard@gmail.com> Mon, Apr 14, 2008 at 2:57 PM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>, Thatcher131 Wikipedia <thatcher131@gmail.com>
On 14/04/2008, Thatcher131 Wikipedia <thatcher131@gmail.com> wrote:
> There are 20+ vandal accounts on that IP, not just the Greg Ryan
> business. It does not look shared; all the edits are the same unusual
> user agent.
Concur. He's playing silly buggers routinely.
To what extent is this of serious consequence? Certainly adding
dubious material to BLPs that he obviously doesn't stand by is pretty
serious.
- d.
Josh Gordon <user.jpgordon@gmail.com> Mon, Apr 14, 2008 at 3:15 PM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
I'm dropping him a polite note, just to be nice; I suspect we'll end up in an emergency deadmin situation.
--
--jpgordon ∇∆∇∆
_______________________________________________
Arbcom-l mailing list
Arbcom-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/arbcom-lThatcher131 Wikipedia <thatcher131@gmail.com> Mon, Apr 14, 2008 at 3:18 PM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: David Gerard <dgerard@gmail.com>
Cc: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
Mike_lifeguard ran an nmap scan (from #wikimedia-checkuser), the
results are here
http://pastey.net/85777It looks like port 80 and 8080 are open, but he could not actually connect.
This could be a parallel to a recent case I investigated where the
proxy replace the user agent of whomever connected with its own user
agent. However, that was a closed proxy that only the authorized
user(s) could access.
His time of day editing shows a very narrow window on
Sunday--Thursday. If this was a real proxy I would expect to see
edits at other times of day. I think this is a work IP address. I
wonder if he edits from home under a different account(s).
If it is a work IP it could be a shared IP or firewall but the user
agent would need to be explained, also the timing. Do any of the
vandal accounts occur on days when Od does not work, or at times when
he is not active at all?
T.
Josh Gordon <user.jpgordon@gmail.com> Mon, Apr 14, 2008 at 3:27 PM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
Cc: thatcher131@gmail.com
By the way, the name means something like "another one".
--
--jpgordon ∇∆∇∆
_______________________________________________
Arbcom-l mailing list
Arbcom-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/arbcom-lSam Blacketer <sam.blacketer@googlemail.com> Mon, Apr 14, 2008 at 3:30 PM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
On Mon, Apr 14, 2008 at 9:15 PM, Josh Gordon <user.jpgordon@gmail.com> wrote:
I'm dropping him a polite note, just to be nice; I suspect we'll end up in an emergency deadmin situation
I'm afraid it looks so, but let's hear from him first.
There's no doubt that the IP is him given that he edited his user talk page while logged out once:
http://en.wikipedia.org/w/index.php?title=...oldid=183208748Inspired by the odd wording of the vandal edit which drew attention to this in the first place (including the spelling mistake "bizzarre") I've been looking at some of his contributions. Very interested in Harry Potter, but one distinct thing is overuse of the letter 'z' - he invariably uses the '-ize' spelling even in words like 'advertise' for which it is not an accepted alternative to '-ise'.
--
Sam Blacketer
_______________________________________________
Arbcom-l mailing list
Arbcom-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/arbcom-ljayjg <jayjg99@gmail.com> Mon, Apr 14, 2008 at 4:14 PM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
On Mon, Apr 14, 2008 at 3:48 PM, Josh Gordon <user.jpgordon@gmail.com> wrote:
> It might be a lot worse than that. A checkuser on the offending editor
> reveals what really seems to be two dozen throwaway accounts, some blocked
> already, some not -- and they're all carefully interleaved with [[User:Od
> Mishehu]]. (OM edits, then creates a new account, does a bit of stuff, and
> then starts working as OM again.)
He's blocked some of them himself - "Ata tipesh", for example, one of
the earliest. Perhaps he was testing to see how a block of one of the
accounts would affect him.
FT2 <ft2.wiki@gmail.com> Mon, Apr 14, 2008 at 6:09 PM
Reply-To: FT2.wiki@gmail.com, Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
I've done a dump of the edits for the last 3 months, and a few points where
I find myself wondering what's up.
For example, 09 Mar 2008 13:44 has 3 edits, one by Od, one by a junk account
(also linux, different agent), then one by Od, all in the space of 60
seconds. Two separate computers on one LAN? One computer two browsers?
Ditto
09 Mar 2008 13:21-35 (same agent)
09 Mar 2008 09:13-16 (same agent)
25 Feb 2008 14:15-21 (same agent)
23 Jan 2008 06:57-07:03 (same agent)
23 Jan 2008 06:55-57 (same agent)
Etc
It's reasonable that a person or office with multiple computers often keeps
the same system and browser on each - I know I do. What do people read into
the sheer rapidity of change of account? Take a look at the login repeated
rapid changes between 23 Jan 2008 06:46-07:05.
My question is, is this Od, or is this someone else on his LAN? I don't know
how to answer that, but it's worth considering. Either way it's a problem.
One other thing:
Jayjg notes that Od blocked one of these other accounts on his own IP. I
looked into that a bit, because that's usually a big warning light.
Specifically, on Jan 15, Od blocked "Ata tipesh" for bad username (insulting
in Hebrew per block log). Interestingly, he disabled autoblock for it.
However further checking indicates that Od is a regular and heavy duty
username patroller, so he does a lot of these, and /all/ his username blocks
are autoblock-disabled, so this probably means little to nothing. Noted "in
case useful".
Paul.
On Behalf Of Sam Blacketer
Sent: Monday, April 14, 2008 9:31 PM
To: Arbitration Committee mailing list
Subject: Re: [Arbcom-l] Admin Od Mishehu and serious BLP vandalism
_______________________________________________
Arbcom-l mailing list
Arbcom-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/arbcom-l Od Mishehu.xls
1832K
Sam Blacketer <sam.blacketer@googlemail.com> Mon, Apr 14, 2008 at 6:22 PM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: FT2.wiki@gmail.com, Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
On Tue, Apr 15, 2008 at 12:09 AM, FT2 <ft2.wiki@gmail.com> wrote:
It's reasonable that a person or office with multiple computers often keeps
the same system and browser on each - I know I do. What do people read into
the sheer rapidity of change of account?
I'm wondering whether Od has work colleagues who have spotted him editing Wikipedia and like to wind him up.
--
Sam Blacketer
_______________________________________________
Arbcom-l mailing list
Arbcom-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/arbcom-lFloNight <sydney.poore@gmail.com> Mon, Apr 14, 2008 at 6:24 PM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
Rapidly changing accounts seems to link him to the accounts not the reverse.
Sydney
FT2 <ft2.wiki@gmail.com> Mon, Apr 14, 2008 at 6:31 PM
Reply-To: FT2.wiki@gmail.com, Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
Is there a point where such rapid change is less likely to be one person,
not more? 3 edits separated by 2 name changes, all within 60 seconds? I'm
wondering if that might sound more like 2 computers, in which case - who's
at the second one?
-----Original Message-----
On Behalf Of FloNight
Sent: Tuesday, April 15, 2008 12:25 AM
To: Arbitration Committee mailing list
Subject: Re: [Arbcom-l] Admin Od Mishehu and serious BLP vandalism
Jimmy Wales <jwales@wikia.com> Mon, Apr 14, 2008 at 9:03 PM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: FT2.wiki@gmail.com, Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
It is always *theoretically* possible that a case of what looks like
clear sockpuppeting is a roommate or office mate who is trying to "wind
someone up" by laying a trap taking months, matching an obscure browser
string, vandalizing at precise times to make it look like... blah blah blah.
But it is also quite unlikely.
One thing that would be nice: if checkuser could see "logout" actions.
In a case like the present case, that would be pretty conclusive.
--Jimbo
Stephen Bain <stephen.bain@gmail.com> Mon, Apr 14, 2008 at 10:04 PM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
On Tue, Apr 15, 2008 at 5:53 AM, David Gerard <dgerard@gmail.com> wrote:
>
> I just had a look as well. The user agent is the fairly distinctive:
>
> Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061205
> Iceweasel/2.0.0.1 (Debian-2.0.0.1+dfsg-2)
Iceweasel is the branded name for Firefox packaged with the Debian
distribution, if anyone didn't know, and using bundled software is not
terribly distinctive. However, we can also see that it's version
2.0.0.1 of Firefox, the December 2006 build. He's running Debian with
the X window system on a Pentium Pro computer.
As FT2 says, it's not uncommon for people in an office or on a home
LAN to run the same software setup, but each computer would have to be
using a Pentium Pro processor too, and all running that same old
version of Firefox, and I know that Firefox is constantly bugging me
to download the newest version.
--
Stephen Bain
stephen.bain@gmail.com
Theresa Knott <theresaknott@gmail.com> Tue, Apr 15, 2008 at 3:05 AM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
In the school where I work, only one person is authorised to add new
software, all computers run the same operating system and have the
same browser, most of the computers are exactly the same in every way
having been brought as a job lot and set up once and not updated much
at all (if ever).
Just playing devil's advocate.
Theresa
--
http://theresaknott.googlepages.com/homehttp://en.wikipedia.org/wiki/User:Theresa_knottStephen Bain <stephen.bain@gmail.com> Tue, Apr 15, 2008 at 4:08 AM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
On Tue, Apr 15, 2008 at 6:05 PM, Theresa Knott <theresaknott@gmail.com> wrote:
> In the school where I work, only one person is authorised to add new
> software, all computers run the same operating system and have the
> same browser, most of the computers are exactly the same in every way
> having been brought as a job lot and set up once and not updated much
> at all (if ever).
>
> Just playing devil's advocate.
Yes, an important point to observe. But how many businesses or schools
run Debian on all their machines? My guess would be not many.
--
FT2 <ft2.wiki@gmail.com> Tue, Apr 15, 2008 at 4:17 AM
Reply-To: FT2.wiki@gmail.com, Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
-----Original Message-----
On Behalf Of Stephen Bain
Sent: Tuesday, April 15, 2008 10:08 AM
To: Arbitration Committee mailing list
Subject: Re: [Arbcom-l] Admin Od Mishehu and serious BLP vandalism
On Tue, Apr 15, 2008 at 6:05 PM, Theresa Knott <theresaknott@gmail.com>
wrote:
> In the school where I work, only one person is authorised to add new
> software, all computers run the same operating system and have the
> same browser, most of the computers are exactly the same in every way
> having been brought as a job lot and set up once and not updated much
> at all (if ever).
>
> Just playing devil's advocate.
Yes, an important point to observe. But how many businesses or schools
run Debian on all their machines? My guess would be not many.
--
Stephen Bain
stephen.bain@gmail.com
If there's one knowledgable person running a LAN, they'll often set up all
systems as they see fit. Example, I do the "sysadmin" for my parents PC's at
their home, and I configure them all the same way, because basically, that's
the setup I think's best for them and I wouldn't set up two different kinds.
Likewise most homes with multiple PCs and one person managing them all.
If Od lives with others or at home (quite likely) then its quite likely he
(or some person) manages the different PCs -- his, his dads, his kid
brothers, whatever -- and they'll all have debian + firefox or whatever it
is.
Hence my question, given rapidity of change of user and edits, is it more
likely this is two computers on a LAN, or one? And if two, same person at
both, or two different people?
Paul.
Josh Gordon <user.jpgordon@gmail.com> Tue, Apr 15, 2008 at 4:00 PM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
He denies any knowledge of this, of course. He does say he's editing at his workplace and that he knows his IP has been used for vandalism.
On Mon, Apr 14, 2008 at 1:15 PM, Josh Gordon <user.jpgordon@gmail.com> wrote:
--
--jpgordon ∇∆∇∆
_______________________________________________
Arbcom-l mailing list
Arbcom-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/arbcom-lJosh Gordon <user.jpgordon@gmail.com> Tue, Apr 15, 2008 at 11:36 PM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
The more I look at the evidence the less confident am I that wrongdoing has occurred. The intervals are too short; either he's a totally bent admin, working with two computers side-by-side, or there's some other shit at the company and he's not involved at all.
I'd suggest anon-only, no account creation blocking of the IP, and see what happens next.
--
--jpgordon ∇∆∇∆
_______________________________________________
Arbcom-l mailing list
Arbcom-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/arbcom-lFT2 <ft2.wiki@gmail.com> Wed, Apr 16, 2008 at 5:01 AM
Reply-To: FT2.wiki@gmail.com, Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
On Behalf Of Josh Gordon
Sent: Wednesday, April 16, 2008 5:37 AM
To: Arbitration Committee mailing list
Subject: Re: [Arbcom-l] Admin Od Mishehu and serious BLP vandalism
The more I look at the evidence the less confident am I that wrongdoing has occurred. The intervals are too short; either he's a totally bent admin, working with two computers side-by-side, or there's some other shit at the company and he's not involved at all.
I'd suggest anon-only, no account creation blocking of the IP, and see what happens next.
I was thinking likewise. Given that as an admin he can edit through a hard IP block, I was thinking of hard-blocking the IP rather than soft-blocking. Same rationale though.
Thoughts?
Newyorkbrad (Wikipedia) <newyorkbrad@gmail.com> Wed, Apr 16, 2008 at 6:33 AM
Reply-To: Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
To: FT2.wiki@gmail.com, Arbitration Committee mailing list <arbcom-l@lists.wikimedia.org>
I will certainly trust Josh and FT2's recommendations on this, but
could one of you please give Thatcher an update and keep him in the
loop.
Newyorkbrad
Admin Od Mishehu and serious BLP vandalism
Wikileaker Admin Od Mishehu and serious BLP vandalism 
