There is a glitch in the timing on two of the scans. I noted this in my email to CalPoly (which is on Paul's site). Most of the entries are offset by 8 hours. i.e. the BlackICE event viewer shows the correct time which is calculated from the log time. I'm assuming it's GMT but, being rather lazy, I haven't checked this out. Two entries, however, appear to off by much more than 8 hours. This could be the result of having two instances of the event viewer running and/or an incorrect clock setting on one of my other machines (I occasionally run the viewer on other machines on the network). Here's a breakdown of the times after subtracting 8 hours. I've put an asterisk by the times that I believe are incorrect in the log. log date/time adjusted date/time 2000-02-02 01:25:58 2-1 17:25:58 2000-02-02 01:25:58 2-1 17:25:58 2000-02-03 04:14:11 2-2 20:14:11* 2000-02-03 04:17:26 2-2 20:17:26* 2000-02-03 04:30:11 2-2 20:30:11 2000-02-03 06:08:37 2-2 22:08:37 2000-02-03 09:08:37 2-3 01:08:37 2000-02-03 09:27:08 2-3 01:27:08 2000-02-03 09:40:31 2-3 01:40:31 *These two scans had already taken place when I first sent a message to abuse@calpoly.edu. There had been a total of four scans at that time. I received an automated response from abuse@calpoly.edu at 11:10pm on 2-1 and, as you can see by the copy of my complaint on Paul's website, the fourth scan actually took place at around 19:05 on 2-1. The rest of the times in the event log appear to correspond with what happened. When I remembered to send the log on 2-2, I saw that the network had been scanned again which made a total of five scans (two simultaneous). There was another scan just minutes after I'd sent the log to CalPoly and, the next morning, I saw that several more scans had been made. I did not officially report the last four scans because I did not see any additional activity after the morning of 2-3 and I considered the matter closed. As for calling it four scans, it is _my_ theory that Paul tailored his story to match the original log that I sent. It had 5 scans but two were simultaneous, thereby making it a total of 4 scanning events. After sending him the log, he still claims that it is 4 events and claims that his math (subtracting 8 hours from each log entry) only shows activity during 2-3 and 2-4. His math doesn't work. Every time he tries to explain what he was doing, there are new holes. Also, my original complaint was clearly sent on 2-1. You can see this on his website at http://www.freepaul.org/evidence.shtml (search for "Date: Tue, 01 Feb 2000 23:09:29 -0800"). Is he now saying I'm psychic and sent advance notice of his scan to CalPoly? That'd be a neat trick. Too many things don't add up and each of his explanations just brings up more questions. When all is said and done, I've got no hard feelings. Paul and I have exchanged several messages during the last week and he has appolgised profusely for any trouble he has caused in every one of his messages. I just want to make sure people know he's not being falsely accused. He definately did something that was unethical and I don't believe that his explanation tells the whole story. Jamie ------------------ Here's the log from the beginning to end of Paul's activity. There are two other scans in there as well which are, obviously, unrelated. 59, 2000-02-02 01:25:58, 2000314, NMAP OS fingerprint, 207.62.153.112, p100-26-w.shasta.reshall.calpoly.edu, 24.216.193.171, , port=34257|38010|44227|44441, 4 59, 2000-02-02 01:25:58, 2000313, TCP OS fingerprint, 207.62.153.112, p100-26-w.shasta.reshall.calpoly.edu, 24.216.193.171, , port=34257|38010|44227|44441&flags=41, 4 59, 2000-02-02 06:56:09, 2003102, TCP port probe, 194.251.242.34, ftp.inet.fi, 24.216.193.171, , port=43916, 1 59, 2000-02-03 04:14:11, 2000310, TCP ACK ping, 207.62.153.112, p100-26-w.shasta.reshall.calpoly.edu, 24.216.193.171, , port=80|34257|38010|44227|44441, 15 59, 2000-02-03 04:17:26, 2000301, TCP port scan, 207.62.153.112, p100-26-w.shasta.reshall.calpoly.edu, 24.216.193.171, , port=22|80|34257|38010|44441, 46 59, 2000-02-03 04:30:11, 2000310, TCP ACK ping, 207.62.153.112, p100-26-w.shasta.reshall.calpoly.edu, 24.216.193.171, , port=80, 1 59, 2000-02-03 06:08:37, 2000310, TCP ACK ping, 207.62.153.112, p100-26-w.shasta.reshall.calpoly.edu, 24.216.193.171, , port=80, 1 59, 2000-02-03 06:11:42, 2000301, TCP port scan, 207.71.92.221, shieldsup.grc.com, 24.216.193.171, , port=21|23|25|79-80|139|161|443, 9 39, 2000-02-03 09:08:37, 2003006, TELNET port probe, 207.62.153.112, p100-26-w.shasta.reshall.calpoly.edu, 24.216.193.171, , port=23, 6 59, 2000-02-03 09:27:08, 2000310, TCP ACK ping, 207.62.153.112, p100-26-w.shasta.reshall.calpoly.edu, 24.216.193.171, , port=80, 4 59, 2000-02-03 09:40:31, 2003102, TCP port probe, 207.62.153.112, p100-26-w.shasta.reshall.calpoly.edu, 24.216.193.171, , port=22, 12