posted 11-14-2005 07:35 PM            

I think there might be a security problem.

After posting to this forum the login and pwd to the CM index on my site, my secure directory had several page requests from IP addresses in the Netherlands (Amsterdam).

So far, all I can tell is that there were page requests.

Someone else tried to ftp my site, which does not allow anonymous ftp - and the posted login is not ftp authorized.

I'm unable to determine yet if those requests are failed.

It could be some examiner is travelling. Or, it could be that someone is attempting a ftp directory list (which would be unsuccessful without an authorized login. Or, an authorized user of this forum. may have forwarded the login to a person in the Netherlands.

Ralph indicated through email that he is initially unaware of any authorized user in that area.

So, if anyone wants to access the confirmed CM index on my site just email me and convince me of your credentials, and I'll send you the new login.

Here are two IPs if anyone knows how to check them it would help.

82.94.251.206

82.156.33.125 - resolves to c529c217d.cable.wanadoo.nl

posted 11-14-2005 08:22 PM            

I can't answer your question, but I can tell you that georgie is a VERY smart boy and has a command of the electronic web and internet that would embarrassment any of us practitioners and more so than any programmer. How do you think he traverses the IP address as he does and identifies and traces posters on his site to expose them as polygraph examiners (or interrelated to each other) and therefore exposes them as non-credible on his site...? He is a smart boy!

While I can not speak to the security Ralph has on this site (which I would assume is pretty darn good), it would not surprise me if george had a back door into it (or through another), just to see what we talk about and what we're up to...

Remember, he has an idea about what we do, but anything he can use to improve his web site in CM detection would be priceless to him for credibility sake...

Be carefull, all!

posted 11-14-2005 11:22 PM            

I agree GM appears to be smart and resourceful.

So far I can tell 52 page requests from NL, and 3 page downloads. It may be difficult to detmine which pages, it might only be stuff from the unsecured area of the site.

No one has contacted me to advise that any legitimate examiner from the Netherlands has any authorized entry with this forum.

So there seem to be two concern. what is that person doing, and how did he learn of the secured area? There are no links or references to it outside this forum.

posted 11-14-2005 11:33 PM            

I agree GM appears to be smart and resourceful.

However finding IPs isn't difficult.
http://www.geobytes.com/

So far I can tell 52 page requests from NL, and 3 page downloads. It may be difficult to detmine which pages, it might only be stuff from the unsecured area of the site.

No one has contacted me to advise that any legitimate examiner from the Netherlands has any authorized entry with this forum.

So I have two concerns. What is that person doing, and how did he learn of the secured area? There are no links or references to it outside this forum.

Micro$oft Front Page Extensions is the same directory security that this site uses - its very common, and seems to be pretty good.

I don't know of a

posted 11-14-2005 11:34 PM            

I agree GM appears to be smart and resourceful.

However finding IPs isn't difficult.
http://www.geobytes.com/

So far I can tell 52 page requests from NL, and 3 page downloads. It may be difficult to detmine which pages, it might only be stuff from the unsecured area of the site.

No one has contacted me to advise that any legitimate examiner from the Netherlands has any authorized entry with this forum.

So I have two concerns. What is that person doing, and how did he learn of the secured area? There are no links or references to it outside this forum.

Micro$oft Front Page Extensions is the same directory security that this site uses - its very common, and seems to be pretty good.

Without anonymous access, people shouldn't be able to generate ftp directory lists.

posted 11-15-2005 01:26 AM         

I sent you an email regarding your post. I was not sure how to post the graphic here.

posted 11-15-2005 08:47 AM            

The little tag on the left of the (rediculously small) editing window indicates that Ralph does not allow [img] code in this forum.

I've posted it to the secured area of my site.
http://www.raymondnelson.us/c/82.156.33.125.jpg

Google searching IPs - whodathunkit.

So far I've determined that one of the IPs

- 82.156.33.125 -

belongs to a block of IPs owned by the RIPE network which assigns IPs to customers in the Netherlands. It resolves to Amsterdam (but my IP resolves to Aurora - and I'm 30 miles from there). It is probably a dynamic IP.

Your search reveals that the IP appears to have been assigned to a user from the anti site at one time.

That does it for me. It was most likely georgie-boy.

There were 25 page requests on Saturday and 27 on Sunday - 2 pages were served on Saturday, and 1 on Sunday. My domain host assures me that the Front Page Extensions is considered fairly secure - but it is M$oft.

Its possible those served pages were the default redirect to the index or some other unsecured pages.

I don't think anyone could ftp directory list my secured directory very easily. So, he'd be limited to page views of the unsecured area.

My site doesn't appear on Google, and that's fine with me. But its not that hard to find it.

I check the anti site about weekly - somtimes more. I've never posted, and georgie (and most others require registration to post). However, georgie is thorough, and straightforward, about his ability to log IPs. I don't know if he reviews IPs of non-registered users, but if he did he'd see a few of ours regularly. It wouldn't be hard to guess who the examiners are.

The material on my site, is not revolutionary - mostly just shameless self-promotion - and I've presented much of the material in trainings to therapists, POs, caseworkers, judges, attorneys (and today a victim's advocacy conference.)

Does anyone know about IE's page caching features? Is there a way to be notified in advance about changes to offline content? I don't think Firefox does this.

It seems like I heard about this feature, and if I'm correct it would alert the user or download a new page whenever changes are made to a site. I've made a few changes lately.

A while back georgie hadn't disabled anonymous ftp to his site... I found only the usual boring personal photos along with the material for the site.

posted 11-15-2005 08:58 AM            

82.94.251.206

Blacklist Status: Clear - Last blocked 2005-06-07 (history)
Cached Whois: Cached today
Whois History: 64 records stored
Oldest: 2005-01-20
Newest: 2005-11-15
Record Type: IP Address
IP Location: Netherlands - Noord-holland - Amsterdam - Colonah
Reverse IP: No websites hosted using this IP address
Reverse DNS: not set

--------------------------------------------------------------------------------
% Information related to '82.94.251.192 - 82.94.251.207'

inetnum: 82.94.251.192 - 82.94.251.207
netname: colonah6
descr: NAH6 BV
country: NL
admin-c: RG2248-RIPE
tech-c: RG2248-RIPE
tech-c: XS42-RIPE
status: ASSIGNED PA
mnt-by: XS4ALL-MNT
source: RIPE # Filtered

role: XS4ALL Internet NOC
address: XS4ALL Internet BV
address: Postbus 1848
address: 1000BV Amsterdam
address: The Netherlands
phone: +31 20 3987654
fax-no: +31 20 3987604
abuse-mailbox:
admin-c: CB127
tech-c: CB127
tech-c: OD45
tech-c: EB76-RIPE
tech-c: RZ2757-RIPE
tech-c: KAI11-RIPE
nic-hdl: XS42-RIPE
mnt-by: XS4ALL-MNT
source: RIPE # Filtered

person: R Gonggrijp
address: NAH6 BV
address: Linnaeusparkweg 98
address: 1098 EJ Amsterdam
address: The Netherlands
phone: +31 20 6638558
fax-no: +31 20 6638511
nic-hdl: RG2248-RIPE
source: RIPE # Filtered

% Information related to '82.92.0.0/14AS3265'

posted 11-15-2005 04:13 PM            

There is virtually no way for George to access this part of the forum unless someone gave it to him...and the truth is...that could happen.

My standard for allowing someone here was pretty much that they could convince me they were a practicing polygraph examiner with some piece of info I could verify. I did not discriminate on if they were a FOG or not, so it is possible that some examiner in here believes in what he is doing and is willing to share his login.

The only way I can think of to curtail this...and even that is not an absolute guarantee...would be to start with a few hand picked people who I personally know and then only allow people in through invites to examiners they 'personally' know. We could rebuild the membership here that way. In fact I could start it as an entirely different forum area.

I open to your suggestions, but of course realize the solutions need to be low or no cost...after all this is a free service.

------------------
Ralph Hilliard
PolygraphPlace Owner & Operator
http://www.polygraphplace.com

posted 11-15-2005 10:38 PM            

Thanks for the info.

I wouldn't suggest doing anything yet. I'm reasonably convinced that GM or some FOG was snooping my site, with 52 page requests and 3 fulfilled page serves. Its not yet clear whether those pages were from the secured area.

Its concerning to me that these requests occurred right after I put up the secured area.

However, I've been advised it is possible that someone could be notified automatically of site changes.
http://www.changedetection.com/monitor.html
http://www.timelyweb.com/

I think what might make sense is to start an introduction thread, in which forum users can introduce themselves. Then you, the forum owner, or moderators, could verify the credentials of others. Or perhaps the profiles section could be used or reviewed to do a quick review of credentials and then follow up on others.

That doesn't solve the problem of a leak to some FOG, so for now I won't post the login to the CM images.

Since I changed the login, there have been no page requests from NL yesterday or today - though I'm not sure if that's a weekday/weekend thing or what.

posted 11-16-2005 08:45 PM            

He also talks considerably about counter-countermeasures, most of which we talk about here. For example, time barring the neutrals and introducing neutrals as "controls" are some things he says to be aware we're doing.

posted 11-18-2005 09:29 AM            

Drew Richardson never actually gave any polygraph exams for the FBI. That's a myth he's trying to keep alive.

Lou

------------------
Louis Rovner, Ph.D.
Rovner & Associates
LouRovner@sbcglobal.net

posted 11-18-2005 01:02 PM            

I have personally spoken with Drew Richardson on more than one occasion and he advised me that he had in fact conducted a "handful" of field test for the FBI, some of which were screening exams.

I think the only myth is a play on words that George is using, "Dr. Richardson also worked in the FBI's polygraph research unit and conducted a modest number of polygraph examinations in criminal investigations." This does not actually give you a number but one might infer that he has run a modest number in comparison to an average polygraph examiner’s caseload (e.g. 100-300 exams annually).

posted 11-19-2005 12:37 AM         

You wrote that your site isn't listed in Google, but it turns out actually is. Do a search and you'll see. So it is possible that Georgie or some FOG found it that way.

------------------
John 8:32

posted 11-19-2005 01:17 AM            

After numerous private emails, and after reviewing numerous access logs, and learning more than I should have to know about computers and the Internet, I'm reasonably convinced that no serious security breach has occurred. There has been no page requests from the Netherlands since this past weekend. As I indicated previously, only three page requests appear to have been filled, though numerous requests were received. I'm a little unclear about this, but I think that the number of requests may be a reflection of the graphic items on the pages requested. I made a minor change to my index page over the weekend. As I indicated previously, automatic notification services would have allerted anyone interested, and they would have then requested the changed page/s. It was the timing of the the NL requests that got my attention, but I hadn't considered the index changes.

My 'pologies for the panic-button experience, but I'm sure you can imagine my concern at posting polygraph data demonstrating detected countermeasures and then learning that George had may have somehow accessed the data. So far, George seems to believe that we cannot reliably detect countermeasures, and I would hate to educate him about the fact that two of those cases (111105 and 040305) have confessed to reading his book and website extensively.

So, for now I'll re-authorize access to the Countermeasure data using the previous login

user: polybabble
password: exam

As for the ASTM criteria. See the footnote on page 146 of George's book.

Additionally, note on page 150, that he still thinks anal sphincter contractions cannot be detected even though data 090905 on my secured site clearly shows we can. Georgie also thinks that other techniques can't be detected - lets let him think so.

r

11-19-05 edit:

I neglected to include a link to the index of confirmed countermeasure cases. I'll put up some more cases when I have time.
http://www.raymondnelson.us/c/c_index.html

r

posted 11-20-2005 12:36 PM         

Also, a good friend, who presented at the APA in Orlando also mentioned to me about a 'strange' critque he received following his CM presentation. He knows of my interest in this regard and he sent me the comments which appeared to be negative regarding the subject matter...calling the presentation "more polygraph voodoo."

The 'leaks', if they are that, may not be from an examiner but a friend or acquaintance of an examiner who asks questions or inquires about technical issues. One poster on George's site, Fair Chance, intrigues me. This person is clearly a member of the FBI with friends who are polygraphers and whjo appears to be in at least mid-level management. Of course, that is if his postings are true.