User talk:Hflw27

Blocking of IP addresses from the University of South Florida
Thanks very much for your message! Unfortunately, I'm not particularly sure how to answer you in a helpful manner — while I implemented the block that you've read about, I did it purely on the recommendations of others. I don't know much about networking or IP ranges (I couldn't even implement the block until other people explained how to do it!), and other than the discussion that led to this block (you can find it under the title "DragoLink08 Returns; Request for range blocks" at this page), I know nothing about the behavior of the person whose actions prompted this block. Accordingly, I've found several people who appear to be more familiar than I with the situation, and I've asked them to work with you by leaving messages here at your talk page. Nyttend (talk) 02:27, 7 February 2013 (UTC)

Listed IPs linked to disruption

 * 131.204.254.72
 * 131.247.24.12
 * 131.247.25.132
 * 131.247.25.193
 * 131.247.26.27
 * 131.247.26.178
 * 131.247.27.197
 * 131.247.37.75
 * 131.247.38.231
 * 131.247.102.208
 * 131.247.224.56
 * 131.247.229.72
 * 131.247.231.99
 * 131.247.231.135
 * 131.247.244.20
 * 131.247.244.21
 * 131.247.244.22
 * 131.247.244.23

The above IPs, among others I assume, were all linked to the USF student or faculty member who has been disrupting this project for a number of years. Clicking on each of the above links will take you to a list of the contributions along with the times they were made. What information would be most helpful to you? If you have the means to find the specific troublemaker, I'm happy to provide what information I can. -- auburn pilot  talk  02:54, 7 February 2013 (UTC)
 * Check out Administrators' noticeboard/IncidentArchive783; based on the IPs there, I'm not sure exactly if you made a typo in your comment; you say that (at least some part of) 131.247.0.0/16 is insecure, and then you say it isn't. Looks to me like at least 131.247.{2,3}* and 131.247.2[2-4]* are randomly assigned; there's also a 131.247.102.208 not in that set though. What exactly are the ranges (preferably in CIDR) so that we can more finely tune the block? We don't mind too much if a few bad edits slip through (see WP:PC etc), but it's kind of a pain to sift through hundreds or even, in some cases (not sure in this case), thousands of edits to figure out which ones need to be reverted. ⁓ Hello  71  02:56, 7 February 2013 (UTC)
 * (Commenting per Nyttend's invite) Hflw27 remarked that 131.247.2.* and 131.247.3.0–64 (maybe meaning –63 or "and 64") are static. These are not addresses involved in the disruption. It looks like the ranges that would cover most of the undesired activity are:
 * 131.247.24.0/21 (131.247.24.0–131.247.31.255)
 * 131.247.32.0/21 (131.247.32.0–131.247.39.255)
 * 131.247.224.0/19 (131.247.224.0–131.247.255.255)
 * This is a total of 48 class-C blocks – certainly preferable to blocking the entire 256 blocks represented by 131.247.0.0/16.
 * These ranges do not cover the addresses:
 * 131.204.254.72
 * 131.247.102.208
 * Perhaps Hflw27 can comment on which ranges are used for what. If the latter two are static, and logged, perhaps they can be used to track down the culprit and "correct" them, which would be ideal. If there are other addresses used by DragoLink08 and sock accounts (when logged in) that are not in these ranges, perhaps an admin can comment (I don't have access to this info as a non-admin). —&#91;  Alan M 1  (talk) &#93;— 07:28, 7 February 2013 (UTC)
 * Need to confirm: What time zone is used for the IP Log timestamps?Hflw27 (talk) 19:22, 7 February 2013 (UTC)
 * Timestamps are in UTC. -- auburn pilot  talk  19:25, 7 February 2013 (UTC)
 * How can we tell if a listed contribution from an IP link above is vandalism or a legitimate change? Or are they pretty much all vandalism? We're trying to narrow it down. Hflw27 (talk) 19:28, 7 February 2013 (UTC)
 * That's a bit tricky. While most of the edits do not meet Wikipedia's definition of vandalism, they are part of a larger disruptive pattern. As an example, made an edit at 20:46, 14 January 2013 that is part of the person's pattern but is not vandalism. -- auburn pilot   talk  19:32, 7 February 2013 (UTC)

I think the other editors have done a good job of identifying the IP addresses in question, and I have nothing to offer from a technical standpoint. I have previously reviewed every edit made from the listed IP addresses, and the overwhelming majority (if not every last one of them) fit the pattern of demonstrated interests of DragoLink08 and his various sock puppets. For purposes of identifying the individual responsible, I would use every edit to see if a pattern of use can be established to identify the individual who was logged in at a particular time at a particular terminal. If, as I suspect, a single individual is identified as being responsible for the overwhelming majority of these edits, I will gladly review all of the edits again, and identify those that constitute vandalism, disruptive changes contrary to established consensus, or were made by sock puppets of a previously blocked user. As you know, all of these behaviors are blockable, and actual vandalism is not required, even otherwise constructive edits that were made by a blocked/banned user. Dirtlawyer1 (talk) 19:43, 7 February 2013 (UTC)
 * Thanks for the help! We are looking into the activity now. I'll keep this page updated as I get new information. Hflw27 (talk) 20:55, 7 February 2013 (UTC)
 * Our network admins are aware of the situation and are investigating the user, but I do not know any more than that at the moment. From what I have been told, our network gurus are looking to "correct" the problem at the source. I'm pretty sure it violates our access policy, since bypassing an implemented block is considered "unauthorized access." But, not being a network guru myself, I'm not kept in the loop. I pointed them here though, so they might give an update (assuming they're registered...)
 * To clarify: all of the 131.247.0.0/16 network is secured, I just worded it poorly - I meant to indicate that there are various levels of authentication requirements. We have a few layers of security on all parts of our network. (Again, networking isn't my department, so I don't have first-hand knowledge of the network structure or security - this is just what I have observed as a user.) The wired network is restricted to authorized machines only, and access to those machines requires network authentication. Our wireless networks are all secure, they just use different types of security. One is an encrypted network that requires active credentials to connect to at all, and the credentials are actively enforced. These are (or used to be, at least) assigned IP addresses from the public range. No unauthorized computer can gain access. There is also an open wifi network, without encryption - a "general use" network, if you will. It uses NAT to translate to a handful of the IP addresses in the public range. Most of the wireless traffic on campus uses this network, and it does not require authentication to connect to. The first time a computer connects, it is put into quarantine, isolating it from the network until it is registered by a user. This registration requires active credentials, and associates the hardware with the user. The dorm rooms have wired connections that use the same NAT network, with the same authentication requirements. The entire network actively monitored for intrusion or unauthorized access. So any traffic originating from a USF IP is from an active, registered user.
 * I have no idea what is logged, or how long any logs are kept, but I have a feeling that they pretty much just log everything and keep it forever. It's just easier and safer that way. I also do not know the exact distribution of our public addresses, but only a small range covers general-use addresses. Again not a network expert, but here's what I can deduce from experience and 'ping -a':


 * 131.247.24.0/21 - Various labs and classrooms
 * 131.247.32.0/21 - Direct (non-NAT) wifi (via encrypted network)
 * 131.247.224.0/19 - From what I can tell, covers all student-accessible "general use" NAT networks
 * 131.247.102.208 - I don't have a clue, it might have been a temporary 'placeholder' IP used for something?
 * 131.204.254.72 - Isn't one of ours
 * Hopefully this will allow you to refine the block while we look into it. Traffic from a USF IP not in the above ranges require access to secured systems, and that access is logged and directly traceable. Hflw27 (talk) 03:08, 9 February 2013 (UTC)


 * Hflw27, thank you very much for your assistance. The technical stuff is over my head but as an admin, I can tell you that no one relishes a range block, especially not involving IPs from a large public university; there's just so much collateral damage. Unfortunately, DragoLink08's disruption has risen to a level that it's more or less necessary. Please keep us posted and we'll adjust accordingly.--Cúchullain t/ c 05:54, 9 February 2013 (UTC)
 * I'd also like to add to what Auburn and Dirtlawyer have said about the problematic edits. Specifically, DragoLink's MO is to mess with formatting that changes how certain things appear. they do this not only to articles, but also to templates used across several articles, thereby spreading their disruption. Taken all together, these undiscussed and unwanted changes have been very disruptive. Basically, if you examine these IPs' edits and they just look like a bunch of code, and the account hasn't made any edits to that article or template's Talk page explaining what they're doing and why, it can be assumed the edits are disruptive.--Cúchullain t/ c 06:07, 9 February 2013 (UTC)


 * Perhaps someone can point to a specific list of IP edits that are disruptive and/or vandalism and thought to be from the user in question. Some from each of the IP subnets mentioned above would be good. —&#91;  Alan M 1  (talk) &#93;— 02:02, 15 February 2013 (UTC)

Contact
We have made a bit of progress. I'm not sure I can go into detail, but suffice it to say that it is being handled by the top men. Our network guys were wondering if there were some (non-public) channel of communication with the admins - Email or phone. We should have a resolution for this in the near future. Hflw27 (talk) 15:19, 21 February 2013 (UTC)


 * BTW, the efforts of this individual to edit Wikipedia are on-going. A registered user account (User:Djangoruled) and a non-USF IP address (User:108.33.96.224) have been blocked in the last two weeks.  No doubt there are others that we have not detected yet.  Dirtlawyer1 (talk) 15:53, 21 February 2013 (UTC)


 * Hflw27, any editor or admin who has an email saved in his/her preferences can be contacted using Special:Emailuser. Simply enter the username of the person you wish to contact on that page. You can also create and click a direct link such as Special:Emailuser/AuburnPilot. Keep in mind that usernames are case sensitive. -- auburn pilot  talk  22:28, 21 February 2013 (UTC)

Another USF IP address to be blocked
AuburnPilot & Cucchullain, here's another USF IP address from which Drago continues to edit: User:2607:FE50:0:8104:9A0C:82FF:FE6E:57C4. He edited one of the templates for which he is famous in the past 24 hours, one which was previously edited by one of his several blocked socks. Hflw, you may want to add this your list of USF IP addresses to be checked by the "best minds." Dirtlawyer1 (talk) 07:28, 22 February 2013 (UTC)


 * Blocked. I note that IP gives the orgname as "University of South Florida Board of Trustees" rather than simply "University of South Florida" like all of the rest. No idea if that's relevant for the search. -- auburn pilot  talk  22:04, 22 February 2013 (UTC)


 * Newly registered User:Louis-B Oh The U is reinstating the previously deleted/reverted edits of the last banned DragoLink08 sock at Florida Gators football. Looks like another probable DragoLink sock -- unless you believe that there is a random, newly registered account searching the article diffs page for old edits to revert.  Not bloody likely.


 * Hflw, how is the internal USF computer services investigation going? This guy is not going away.  Dirtlawyer1 (talk) 17:58, 26 February 2013 (UTC)


 * At the moment, I'm just waiting to hear back from a Wikipedia Admin via Email before progressing. Hflw27 (talk) 16:48, 5 March 2013 (UTC)


 * Hflw, I just wanted to make sure we're all on the same page here . . . are you waiting to hear from a particular admin? Or from any admin generally?  Have you already contacted particular admins through their email links under "toolbox" on the lefthand side of their talk pages?  Having progressed this far, I would hate for this to fall through the cracks because of miscommunication or lack of follow-up.  Dirtlawyer1 (talk) 22:13, 5 March 2013 (UTC)


 * Yes, sorry. Should have probably made that more clear. I am waiting to hear back from an admin that I initiated contact with. I don't intend to let it fall through the cracks. Once I can establish a dialog, I expect that we can finally wrap this up. Hflw27 (talk) 23:50, 5 March 2013 (UTC)


 * Good deal, Hflw. I will fade back into the woodwork and wait for the results.  Dirtlawyer1 (talk) 00:12, 6 March 2013 (UTC)

Yet another Drago sock
Here's another comfirmed sock of DragoLink08: User:NetRoot7. Check out the reopened SPI for details. Dirtlawyer1 (talk) 07:37, 2 April 2013 (UTC)