David's findings

[David Shaw]

On Feb 28, 2010, at 11:54 PM, Robert J. Hansen wrote:

> David and I apparently had a bit of a misunderstanding.  I thought he was going to attempt to figure out information based solely on the key material: he was using it as a springboard for other research.  I think that both of us are correct, given the assumptions we were making.  If you have an email address and a name for someone, OSINT ("open source intelligence) is a hellishly powerful research tool -- especially when applied against people who have a substantial presence on the net.  However, the keyserver material *by itself, only referencing other keys* is not very useful and proves very little.
> 
> David did not give confidence assessments for his statements.  I have no way of knowing which ones he suspected, versus which ones he felt were proven.  Some of them would be quite easy to prove (or, at least, have very high confidence).  Others would be much more difficult.
> 
> * My father's name
> * My father's military history (in broad strokes)
> * My father's current occupation
> * He was within 7 years of my father's age
> * My mother's name
> * My parents' location
> * My brother's name and relative age to me
> * The age of my parents' house
> * My age, accurate to several years
> * I was in Las Vegas in 2005
> * I was at a keysigning in Portland in July 2006
> * My educational background
> * My ham radio license, and that it was issued west of the Mississippi
> * That I'm a fairly advanced OpenPGP user
> * The color of a vehicle owned by my parents
> 
> Things that he was wrong about:
> * My religious upbringing
> * My religious affiliation
> * That I use GnuPG rather than PGP [1]
> * That I'm a fan of Bungie Software's "Halo" games
> 
> 
> 
> ... This may sound impressive, but most of it could have been more easily developed via Google.
> 
> Googling for "Robert J. Hansen" (with quotes) gives you my homepage as the first hit.  That tells you I graduated from Cornell College, gives you my exact birthdate, that I have three nephews, an awful dot-bomb experience, and that I maintain a software project called Djinni.
> 
> Googling for "Robert J. Hansen Cornell College" (without quotes) gives you all kinds of information about my father, along with my mother's name and the fact I have an older brother.  Once you have my father's name and the fact he's a federal judge, you just have to visit Wikipedia in order to get Dad's biography: his full name, his military history, his current position, his age, and so forth.
> 
> When you Google for "Robert J. Hansen Cornell College", you'll discover the third link down tells you I was in Las Vegas in 2005, delivering a talk to Black Hat.
> 
> Googling for "Robert J. Hansen Djinni" tells you that I spoke at CodeCon 2006 (in San Francisco) and at OSCON 2006 (in Portland).  Given that I have a cluster of signatures on one of my keys, all issued during the same time CodeCon 2006 was going on, it's a pretty easy guess that I attended a keysigning in Portland in July 2006.
> 
> The only things that I do not believe he could have discovered in a five-minute Google search were (a) my ham radio license, (b) that I'm a fairly advanced OpenPGP user, and (c) that I attended a keysigning in Portland in 2006.  Everything else could have been found more easily with basic Google searches.
> 
> So, the overall score: developing OSINT with Google, really cool.  Developing OSINT by studying key material, not as productive.
> 
> I would like to thank David for taking the time to do this test.  The conclusions that I've drawn are my own: I do not speak for him.  I'm certain he'll give his own conclusions.

Thanks, Rob, for being such a good sport about this test.

If I had known I was being scored on number of 'hits', I'd have given more of them.  :)  There were more items I could have given, but they would have revealed the source I used, so I did not list them.  I found most of the hits in around 20 minutes, and then things dried up for another 10 (I was hunting for high school information and it went nowhere), so I stopped, as 30 minutes seemed like a good stopping point.  I never actually looked at your home page (it felt a bit like cheating, somehow).

In terms of confidence, I had fairly high confidence in most of the answers, except for (perhaps not surprisingly) the ones that turned out I was wrong about (i.e. in retrospect, I shouldn't have guessed).  Both the religion (not sure why this was counted as two 'misses') and Halo were guesses based on not much evidence.  I'd call the GnuPG/PGP one (high confidence) a draw - I said "GnuPG rather than PGP", but the answer was "GnuPG and PGP" (as the key was generated with one, but actually used with both).  I was only medium confident about the vehicle color (an educated guess), but ended up getting that one right.

In any event, I - partially - agree with your comments in that I'm quite sure that a private investigator, or someone with actual training in this sort of research, would have been able to find everything I found without looking at keys at all.  Without knowing the key information or even what OpenPGP was, most likely.   What struck me was that I was able to find all that in around *20 minutes*, after being prompted by information on the keys.  It's not just about getting the data.  It's also about getting it as quickly and as easily as possible, and the key data made my job dramatically easier.  It means the attacker can attack more people, pay less for each attack, and be less trained.  A piece of information that can be reached via multiple different paths is also more likely to be found than information that can only be reached via one.

I don't believe I would have been able to find out the vehicle color, age of the house, or one of the names without the hints provided by the key data, or at least not within the 30 minute window.  You mention a name above as something available from Google, but I actually found two different names from two different sources for this individual.  I listed them both in my mail to you, but the one that turned out to be right was not the one reachable from a Google search.

> Please be very careful when using this to support broad, general statements.  This is only one test, it was informal and very quick-and-dirty.

Perhaps I got lucky.  I do think it is safe to say that access to the key gave me more (in both quantity and speed) than I would have been able to get otherwise, which is what I was trying to show, so I'm content to leave it there.

I don't want to give the impression that OpenPGP keys, signatures, or keyservers are somehow evil here.  They're not.  It's just that, like any number of other things on the net, keys and their contents can serve as a channel for information leakage.  This shouldn't be news to anyone on this list.

David