David's findings

Robert J. Hansen rjh at sixdemonbag.org
Mon Mar 1 05:54:46 CET 2010


David and I apparently had a bit of a misunderstanding.  I thought he was going to attempt to figure out information based solely on the key material: he was using it as a springboard for other research.  I think that both of us are correct, given the assumptions we were making.  If you have an email address and a name for someone, OSINT ("open source intelligence) is a hellishly powerful research tool -- especially when applied against people who have a substantial presence on the net.  However, the keyserver material *by itself, only referencing other keys* is not very useful and proves very little.

David did not give confidence assessments for his statements.  I have no way of knowing which ones he suspected, versus which ones he felt were proven.  Some of them would be quite easy to prove (or, at least, have very high confidence).  Others would be much more difficult.

* My father's name
* My father's military history (in broad strokes)
* My father's current occupation
* He was within 7 years of my father's age
* My mother's name
* My parents' location
* My brother's name and relative age to me
* The age of my parents' house
* My age, accurate to several years
* I was in Las Vegas in 2005
* I was at a keysigning in Portland in July 2006
* My educational background
* My ham radio license, and that it was issued west of the Mississippi
* That I'm a fairly advanced OpenPGP user
* The color of a vehicle owned by my parents

Things that he was wrong about:
* My religious upbringing
* My religious affiliation
* That I use GnuPG rather than PGP [1]
* That I'm a fan of Bungie Software's "Halo" games



... This may sound impressive, but most of it could have been more easily developed via Google.

Googling for "Robert J. Hansen" (with quotes) gives you my homepage as the first hit.  That tells you I graduated from Cornell College, gives you my exact birthdate, that I have three nephews, an awful dot-bomb experience, and that I maintain a software project called Djinni.

Googling for "Robert J. Hansen Cornell College" (without quotes) gives you all kinds of information about my father, along with my mother's name and the fact I have an older brother.  Once you have my father's name and the fact he's a federal judge, you just have to visit Wikipedia in order to get Dad's biography: his full name, his military history, his current position, his age, and so forth.

When you Google for "Robert J. Hansen Cornell College", you'll discover the third link down tells you I was in Las Vegas in 2005, delivering a talk to Black Hat.

Googling for "Robert J. Hansen Djinni" tells you that I spoke at CodeCon 2006 (in San Francisco) and at OSCON 2006 (in Portland).  Given that I have a cluster of signatures on one of my keys, all issued during the same time CodeCon 2006 was going on, it's a pretty easy guess that I attended a keysigning in Portland in July 2006.

The only things that I do not believe he could have discovered in a five-minute Google search were (a) my ham radio license, (b) that I'm a fairly advanced OpenPGP user, and (c) that I attended a keysigning in Portland in 2006.  Everything else could have been found more easily with basic Google searches.

So, the overall score: developing OSINT with Google, really cool.  Developing OSINT by studying key material, not as productive.

I would like to thank David for taking the time to do this test.  The conclusions that I've drawn are my own: I do not speak for him.  I'm certain he'll give his own conclusions.

Please be very careful when using this to support broad, general statements.  This is only one test, it was informal and very quick-and-dirty.



[1] I use both PGP and GnuPG.  I'm ecumenical.  Most of my emails are sent via Enigmail+GnuPG, but I've paid for PGP releases ever since 5.0.  The only major version I've skipped was 9.




More information about the Gnupg-users mailing list