On Feb 28, 2010, at 11:54 PM, Robert J. Hansen wrote:

> David and I apparently had a bit of a misunderstanding.  I thought he was 
> going to attempt to figure out information based solely on the key material: 
> he was using it as a springboard for other research.  I think that both of us 
> are correct, given the assumptions we were making.  If you have an email 
> address and a name for someone, OSINT ("open source intelligence") is a 
> hellishly powerful research tool -- especially when applied against people 
> who have a substantial presence on the net.  However, the keyserver material 
> *by itself, only referencing other keys* is not very useful and proves very 
> little.
> 
> David did not give confidence assessments for his statements.  I have no way 
> of knowing which ones he suspected, versus which ones he felt were proven.  
> Some of them would be quite easy to prove (or, at least, have very high 
> confidence).  Others would be much more difficult.
> 
> * My father's name
> * My father's military history (in broad strokes)
> * My father's current occupation
> * He was within 7 years of my father's age
> * My mother's name
> * My parents' location
> * My brother's name and relative age to me
> * The age of my parents' house
> * My age, accurate to several years
> * I was in Las Vegas in 2005
> * I was at a keysigning in Portland in July 2006
> * My educational background
> * My ham radio license, and that it was issued west of the Mississippi
> * That I'm a fairly advanced OpenPGP user
> * The color of a vehicle owned by my parents
> 
> Things that he was wrong about:
> * My religious upbringing
> * My religious affiliation
> * That I use GnuPG rather than PGP [1]
> * That I'm a fan of Bungie Software's "Halo" games
> 
> ... This may sound impressive, but most of it could have been more easily 
> developed via Google.
> 
> Googling for "Robert J. Hansen" (with quotes) gives you my homepage as the 
> first hit.  That tells you I graduated from Cornell College, gives you my 
> exact birthdate, that I have three nephews, an awful dot-bomb experience, and 
> that I maintain a software project called Djinni.
> 
> Googling for "Robert J. Hansen Cornell College" (without quotes) gives you 
> all kinds of information about my father, along with my mother's name and the 
> fact I have an older brother.  Once you have my father's name and the fact 
> he's a federal judge, you just have to visit Wikipedia in order to get Dad's 
> biography: his full name, his military history, his current position, his 
> age, and so forth.
> 
> When you Google for "Robert J. Hansen Cornell College", you'll discover the 
> third link down tells you I was in Las Vegas in 2005, delivering a talk to 
> Black Hat.
> 
> Googling for "Robert J. Hansen Djinni" tells you that I spoke at CodeCon 2006 
> (in San Francisco) and at OSCON 2006 (in Portland).  Given that I have a 
> cluster of signatures on one of my keys, all issued during the same time 
> CodeCon 2006 was going on, it's a pretty easy guess that I attended a 
> keysigning in Portland in July 2006.
> 
> The only things that I do not believe he could have discovered in a 
> five-minute Google search were (a) my ham radio license, (b) that I'm a 
> fairly advanced OpenPGP user, and (c) that I attended a keysigning in 
> Portland in 2006.  Everything else could have been found more easily with 
> basic Google searches.
> 
> So, the overall score: developing OSINT with Google, really cool.  Developing 
> OSINT by studying key material, not as productive.
> 
> I would like to thank David for taking the time to do this test.  The 
> conclusions that I've drawn are my own: I do not speak for him.  I'm certain 
> he'll give his own conclusions.

Thanks, Rob, for being such a good sport about this test.

If I had known I was being scored on number of 'hits', I'd have given more of 
them.  :)  There were more items I could have given, but they would have 
revealed the source I used, so I did not list them.  I found most of the hits 
in around 20 minutes, and then things dried up for another 10 (I was hunting 
for high school information and it went nowhere), so I stopped, as 30 minutes 
seemed like a good stopping point.  I never actually looked at your home page 
(it felt a bit like cheating, somehow).

In terms of confidence, I had fairly high confidence in most of the answers, 
except for (perhaps not surprisingly) the ones that turned out I was wrong 
about (i.e. in retrospect, I shouldn't have guessed).  Both the religion (not 
sure why this was counted as two 'misses') and Halo were guesses based on not 
much evidence.  I'd call the GnuPG/PGP one (high confidence) a draw - I said 
"GnuPG rather than PGP", but the answer was "GnuPG and PGP" (as the key was 
generated with one, but actually used with both).  I was only medium confident 
about the vehicle color (an educated guess), but ended up getting that one 
right.

In any event, I - partially - agree with your comments in that I'm quite sure 
that a private investigator, or someone with actual training in this sort of 
research, would have been able to find everything I found without looking at 
keys at all.  Without knowing the key information or even what OpenPGP was, 
most likely. What struck me was that I was able to find all that in around 
*20 minutes*, after being prompted by information on the keys.  It's not just 
about getting the data.  It's also about getting it as quickly and as easily as 
possible, and the key data made my job dramatically easier.  It means the 
attacker can attack more people, pay less for each attack, and be less trained. 
A piece of information that can be reached via multiple different paths is 
also more likely to be found than information that can only be reached via one.

I don't believe I would have been able to find out the vehicle color, age of 
the house, or one of the names without the hints provided by the key data, or 
at least not within the 30 minute window.  You mention a name above as 
something available from Google, but I actually found two different names from 
two different sources for this individual.  I listed them both in my mail to 
you, but the one that turned out to be right was not the one reachable from a 
Google search.

> Please be very careful when using this to support broad, general statements.  
> This is only one test, it was informal and very quick-and-dirty.

Perhaps I got lucky.  I do think it is safe to say that access to the key gave 
me more (in both quantity and speed) than I would have been able to get 
otherwise, which is what I was trying to show, so I'm content to leave it there.

I don't want to give the impression that OpenPGP keys, signatures, or 
keyservers are somehow evil here.  They're not.  It's just that, like any 
number of other things on the net, keys and their contents can serve as a 
channel for information leakage.  This shouldn't be news to anyone on this list.

David
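The thread's one concrete inference from key material (a cluster of third-party certifications made in the same few days pointing at a keysigning event) is something a key owner can check for themselves. The script below is an added example, not code from this thread, from either poster, or from GnuPG: it walks the packets of an exported OpenPGP public key using the RFC 4880 packet and subpacket encodings, pulls the issuer key ID and creation time out of each v4 signature, and groups certifications that fall within a short window so the owner can see which dates and signer associations the key itself publishes. The function names are mine, and the key bytes embedded at the bottom are constructed for the demo (valid packet framing, dummy signature values), not a real or verifiable key.

```python
"""Self-audit of the metadata an exported OpenPGP public key exposes (added example)."""
import struct
from datetime import datetime, timezone

SIG_PACKET = 2              # RFC 4880 packet tag: signature
SUBPKT_CREATION_TIME = 2    # signature subpacket: creation time (4-byte epoch)
SUBPKT_ISSUER = 16          # signature subpacket: issuer key ID (8 bytes)


def read_packets(data):
    """Yield (tag, body) for each packet in an OpenPGP binary stream.
    Handles old- and new-format headers (RFC 4880 4.2); partial-body and
    indeterminate lengths do not occur in a key export and raise."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]; pos += 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                      # new format: tag in low 6 bits
            tag = ctb & 0x3F
            first = data[pos]; pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192; pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]; pos += 4
            else:
                raise ValueError("partial body length not supported")
        else:                               # old format: tag in bits 2-5
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + size], "big"); pos += size
        yield tag, data[pos:pos + length]
        pos += length


def read_subpackets(area):
    """Yield (type, data) for each subpacket in a hashed or unhashed area."""
    pos = 0
    while pos < len(area):
        first = area[pos]; pos += 1
        if first < 192:
            length = first
        elif first < 255:
            length = ((first - 192) << 8) + area[pos] + 192; pos += 1
        else:
            length = struct.unpack(">I", area[pos:pos + 4])[0]; pos += 4
        sub_type = area[pos] & 0x7F         # drop the "critical" bit
        yield sub_type, area[pos + 1:pos + length]
        pos += length


def extract_signatures(key_bytes):
    """Return [(issuer_keyid_hex, creation_time)] for every v4 signature packet."""
    out = []
    for tag, body in read_packets(key_bytes):
        if tag != SIG_PACKET or body[0] != 4:
            continue
        hashed_len = struct.unpack(">H", body[4:6])[0]
        hashed = body[6:6 + hashed_len]
        unhashed_len = struct.unpack(">H", body[6 + hashed_len:8 + hashed_len])[0]
        unhashed = body[8 + hashed_len:8 + hashed_len + unhashed_len]
        issuer, created = None, None
        for sub_type, sub_data in list(read_subpackets(hashed)) + list(read_subpackets(unhashed)):
            if sub_type == SUBPKT_CREATION_TIME:
                created = datetime.fromtimestamp(struct.unpack(">I", sub_data)[0], timezone.utc)
            elif sub_type == SUBPKT_ISSUER:
                issuer = sub_data.hex().upper()
        if issuer and created:
            out.append((issuer, created))
    return out


def cluster_by_window(sigs, max_gap_days=3):
    """Group signatures whose creation time is within max_gap_days of the
    previous one; several distinct issuers in one group suggest an event."""
    clusters = []
    for issuer, created in sorted(sigs, key=lambda s: s[1]):
        if clusters and (created - clusters[-1][-1][1]).days <= max_gap_days:
            clusters[-1].append((issuer, created))
        else:
            clusters.append([(issuer, created)])
    return clusters


def audit(key_bytes, min_issuers=3):
    """Return (start_date, end_date, [issuers]) for each cluster with at least
    min_issuers distinct signers: the dates and associations the key reveals."""
    report = []
    for cluster in cluster_by_window(extract_signatures(key_bytes)):
        issuers = sorted({i for i, _ in cluster})
        if len(issuers) >= min_issuers:
            report.append((cluster[0][1].date().isoformat(),
                           cluster[-1][1].date().isoformat(), issuers))
    return report


# ---- constructed sample key (framing only, not a cryptographically valid key) ----
def _pkt(tag, body):
    """New-format packet with a one-octet length (body shorter than 192 bytes)."""
    return bytes([0xC0 | tag, len(body)]) + body

def _sig(issuer_keyid, ts):
    """Constructed v4 certification (type 0x10): hashed creation-time and issuer
    subpackets, empty unhashed area, dummy left-16 bits and dummy MPI."""
    hashed = (bytes([5, SUBPKT_CREATION_TIME]) + struct.pack(">I", ts)
              + bytes([9, SUBPKT_ISSUER]) + bytes.fromhex(issuer_keyid))
    body = (bytes([4, 0x10, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", 0) + b"\x00\x00" + b"\x00\x10\xAB\xCD")
    return _pkt(SIG_PACKET, body)

SAMPLE_KEY = (
    _pkt(6, b"\x04" + struct.pack(">I", 1100000000) + b"\x01\x00\x10\xAB\xCD\x00\x11\x01\x00\x01")
    + _pkt(13, b"Example User <user@example.invalid>")
    + _sig("0123456789ABCDEF", 1100000000)   # self-signature, years before the event
    + _sig("1111111111111111", 1153872000)   # 2006-07-26  } three strangers certify
    + _sig("2222222222222222", 1153958400)   # 2006-07-27  } the key within 48 hours
    + _sig("3333333333333333", 1154044800)   # 2006-07-28  }
    + _sig("4444444444444444", 1230000000)   # 2008-12, isolated certification
)

if __name__ == "__main__":
    for start, end, issuers in audit(SAMPLE_KEY):
        print(f"{start}..{end}: {len(issuers)} certifications from {', '.join(issuers)}")
```

Run against a real export (`gpg --export KEYID > key.gpg`, then `audit(open("key.gpg", "rb").read())`) the report lists only the clusters dense enough to look like an event; the isolated self-signature and the lone 2008 certification in the sample are dropped, while the three July 2006 certifications come back as one 2006-07-26..2006-07-28 cluster. The window and minimum-issuer thresholds are the knobs to tune for a key with many signers.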


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users