This is my personal blog. Due to the fact that it’s a personal blog, I log all the IP addresses of every user that comes to this site, like almost every other site on the Internet. Occasionally, I’ll run analog against them on a box somewhere and see what the stats have. I wanted to know the following:
- How many people visited my site?
- What was the most popular download?
- Has the RCMP been here?
- If the RCMP has been here, what the hell are they doing?

So, after running Analog, I saw that the Anarchist List, which is a rather boring document that has my name on it, and a bunch of redacted pages is the number one most popular document still. Also that over the last month, I managed to use up 10 GB of bandwidth in HTTP requests. That's kind of impressive, except for the fact that the PDF scans are huge. I also know roughly what people's IP addresses were.

So, I decided to take a look and see what was happening with the logs, so because I was bored, I decided to use Google and I typed in RCMP IP address. This turned up an ugly webpage by some group called Fathers Canada that's barely legible. Anyway, they had an article about the RCMP being spied upon by a "cyber-stalker".

OK, I know what you're thinking. This looks like some crackpot conspiracy stuff and the average person is going to tune it out because it doesn't have rounded corners and fancy fonts. However, what it DOES have is an IP address. An IP address that I can grep for in my logs. For brevity, I'm going to only include the first line, which shows the link and the referrer:

188.8.131.52 - - [13/Feb/2011:18:02:56 +0000] "GET /2011/01/v2010isu/ HTTP/1.1" 200 28730 "http://www.google.ca/search?hl=en&q=el-azzi+olympics&aq=f&aqi=&aql=&oq=" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"

So, from this log alone, we can see that IP 184.108.40.206 is most likely running Windows XP and he's using IE7. Furthermore, the person searching was looking for information on George's El-Azzi and the Olympics. This could have been Cst. El-Azzi himself, his superior or anyone at the RCMP. This computer also has .NET installed as well. This was found on the 13th of February, and it's entirely possible that the person was just El-Azzi talking about that time he compiled that list of Anarchists, or whatever.

I'm not a fucking cop, so I don't know what the cops think, or what their technical capabilities are. I'm finding out a lot with this exercise, though. Let's keep looking through the log, here's an example of an earlier visit:

220.127.116.11 - - [19/Jan/2011:18:45:10 +0000] "GET / HTTP/1.1" 200 78282 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; INFOWEB-APPROVED; INFOWEB-APPROVED-IE6-EN; INFOWEB-APPROVED-IE6-FR; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

This is FAR more interesting than last time. Instead of the boring IE7 agent, we see that this is running IE6, and that it's INFOWEB-APPROVED! Unfortunately, I'm not certain what INFOWEB-APPROVED means exactly, but I suspect it's a hardened version of IE6 that can go on their Intranet. Anyway, they visited it twice, and they know the blog exists.

The thing with the RCMP is that they're not stealthy. Their User-Agent and their IP address scream out like a sore thumb. There's nothing covert about this and once I found out what the IP address of the Police was, it was trivial to see how often they visited my site.

Now, I've blocked the RCMP's static IP address. This should now force them to use something like Tor to visit this site if they wish to get information on me. I did this to be a pain in the ass to the police, since I have proof that they're still keeping tabs. It'd be good to get access to the logs of other community sites and to grep them for the RCMP IP. It also looks like I'm going to be submitting another Privacy Act request to get the information regarding the RCMP visiting my site during these periods. The watched are clearly who are supposed to be watching the watchers in this case.

BTW: If you operate a pr0n site, or a BitTorrent tracker, I would LOVE to hear from you how often the RCMP's IP address appears in your logs over the last 30 days. I have a feeling that many lulz are ahead!
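
The log reading done by hand in this post (filter by client address, pull the search terms out of the referrer, split the User-Agent into its tokens) can be scripted. The following is an added example, not code from the original post; the first two sample lines are the ones quoted above with their addresses exactly as printed, the third line is constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache/nginx "combined" log format, the format of the lines quoted in the post.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)
NT_VERSIONS = {"5.0": "Windows 2000", "5.1": "Windows XP",
               "6.0": "Windows Vista", "6.1": "Windows 7"}
# Token prefixes that stock IE sends; anything else was added by whoever built the image.
STOCK = ("compatible", "MSIE ", "Windows NT ", ".NET CLR", "SV1")

def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Tokens live inside the parenthesised part of the User-Agent, separated by ';'.
    inner = re.search(r"\(([^)]*)\)", rec["agent"])
    tokens = [t.strip() for t in inner.group(1).split(";")] if inner else []
    rec["browser"] = next((t for t in tokens if t.startswith("MSIE ")), None)
    nt = next((t for t in tokens if t.startswith("Windows NT ")), None)
    rec["os"] = NT_VERSIONS.get(nt.split()[-1], nt) if nt else None
    rec["dotnet"] = [t for t in tokens if t.startswith(".NET CLR")]
    rec["custom_tokens"] = [t for t in tokens if not t.startswith(STOCK)]
    # A search-engine referrer carries the visitor's query in its q= parameter.
    q = parse_qs(urlparse(rec["referrer"]).query).get("q")
    rec["search"] = q[0] if q else None
    return rec

def visits_from(lines, ip):
    """The 'grep' step: every parsed record whose client address equals ip."""
    return [r for r in map(parse_line, lines) if r and r["ip"] == ip]

SAMPLE = [  # lines 1-2 quoted from the post, line 3 constructed
    '188.8.131.52 - - [13/Feb/2011:18:02:56 +0000] "GET /2011/01/v2010isu/ HTTP/1.1" 200 28730 "http://www.google.ca/search?hl=en&q=el-azzi+olympics&aq=f&aqi=&aql=&oq=" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"',
    '220.127.116.11 - - [19/Jan/2011:18:45:10 +0000] "GET / HTTP/1.1" 200 78282 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; INFOWEB-APPROVED; INFOWEB-APPROVED-IE6-EN; INFOWEB-APPROVED-IE6-FR; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"',
    '203.0.113.5 - - [20/Jan/2011:09:00:00 +0000] "GET /feed/ HTTP/1.1" 200 512 "-" "ExampleReader/1.0"',
]

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE):
        print(rec["ip"], rec["os"], rec["browser"], rec["custom_tokens"], rec["search"])
```

The `custom_tokens` field is what makes the second visit stand out: a User-Agent carrying organisation-specific strings identifies the network it came from as reliably as the address does.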