Hack To The Future
July 10, 2012 10:02 AM
Hackerfilter: How difficult would it be for a government agency to forge a data trail that goes back several years? Specific (fictional) example inside.
Remember when Julian Assange's OkCupid profile turned up? I've been curious whether a third party could fake something like that. I assume getting into OkCupid's system would be easy enough if one had the resources, but what about creating a convincing data trail that goes back several years?
Think of all the data that OkCupid collects: a user's login, IP address, his quiz answers, his likes/dislikes, his conversations with other members.
Could a fabricated version of that data be placed on OkCupid's servers in such a way that a forensic investigator checking it out would believe that it had been there for several years?
This is purely speculative. I don't have any reason to believe the Assange profile was faked.
I don't know.
However, I am reminded of a remark I saw in a forum once. Someone discovered they knew a forum member in person through work. Their job was really conservative. On the forum, they were fairly open about their alternative sexual life. The coworker said something stupid, suggesting they could out this at work. A moderator stepped in and said if they did that, he could and would dummy up multiple posts under said offender's account id that would smear their reputation.
I later saw that technical ability actually used, though not for nefarious purposes. I was given attribution under my account for doing something I had no actual ability (technically) to do in order to give me due credit for something. So, yes, the moderators could, in fact, create posts under any user profile they so chose.
posted by Michele in California at 10:29 AM on July 10, 2012 [2 favorites]
It's possible, but would be less efficient than other means.
posted by corb at 10:39 AM on July 10, 2012
Hacking an on-line database is often doable, and altering a database for which you have admin rights is usually entirely doable.
Where you may run into trouble is when someone checks the system log files, or someone compares your 'rewritten history' to what's in off-line back-up copies of the database and figures out that something unusual is going on.
(I don't have any specific information about OKCupid.)
posted by rjs at 10:50 AM on July 10, 2012 [1 favorite]
Best answer: If a forensic investigator had carte blanche to subpoena any system involved? This is really difficult if you have a high quality forensic investigator. Any forensic investigator is going to place limited value on logs in this situation because they may have been tampered with.
If I was investigating this, I'd be much more interested in things like backups -- is Assange's profile in that production extract that Developer Dave has had sitting on his desktop from 2 years ago? How about that backup tape in the bottom of the filing cabinet containing old software? Was the profile indexed by search engines? Does Assange's mailserver have records of receiving notifications from the site?
There are a ton of gotchas like this in the case of fabricating 4 years. I'm an amateur compared to a lot of the practitioners in the field, and I'm reasonably certain, given what I know of Stuxnet, that I could shoot holes in a government attempt to fabricate something like this.
Personally, I think people both outside and inside information security underestimate the amount of digital residue created by even the most minuscule action. A talented forensic analyst would tear this apart very quickly.
posted by bfranklin at 11:13 AM on July 10, 2012 [2 favorites]
Best answer: It would be somewhere between really, really difficult and actively impossible, depending on how the site takes and stores backups. If any long-term backups are maintained offline and thus unhackable, totally impossible, because comparing the live data and the backups would make it clear that the live data had been tampered with.
Assuming no backups, you'd still have to not only fake the actual data in the tables, but also the data in all of the access logs, the update logs maintained by the database software, etc. For example, say it's possible to see how long someone has been a member of the site, based on when their profile was created.
There's probably a field that stores the information that's displayed publicly. But it's probably not the same field that stores the full time stamp for when the record was first inserted and when it was last updated, and that field may not be admin editable. Plus, there's probably another place that logs the fact that the record was inserted into the database at a given time and again, not normally editable. And a place that logs the fact that the user was logged in at the time and did an action on the site. The latter logs may be harder to match to the former logs, since they may not include something as simple as a username to do the match with, as well as to match the real world user -- a plausible IP address, for the time and place the real world person was in at the time, for example. And I'm probably wildly underestimating the sheer number of event logs that are kept by a major software stack -- pretty much every level is going to track each event and they'd all need to match.
And you'd have to make all the changes in such a way that any system logs of edits done to the log files themselves would not reflect the wrong edit dates/times.
So: making a profile show up on the public site as created in 2007? Fairly easy database update, could be done by anyone with admin access to the database, employee or hacker.
Making the actual private records appear to have been created in 2007 to someone with access to everything? Tremendously difficult.
posted by jacquilynne at 11:18 AM on July 10, 2012 [1 favorite]
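As an added example (not code from the thread, from OkCupid or from any poster), here is a small consistency check in the spirit of the two "best answers" above: each independent source (the internal insert timestamp, an offline backup, the database audit log, the web access log) is compared against the public "member since" claim, and every mismatch becomes a finding. All records are constructed sample data, and the field names and log layouts are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample evidence (not OkCupid data): a live profile row whose
# public "member since" field claims 2007, next to the independent sources
# the answers above say an investigator would compare it against.
FORGED_PROFILE = {"user_id": 4711, "member_since": "2007-03-14",
                  "created_at": "2012-07-01T03:12:09"}   # internal insert time
GENUINE_PROFILE = {"user_id": 2345, "member_since": "2007-03-14",
                   "created_at": "2007-03-14T10:00:00"}
BACKUP_DATE = datetime(2010, 1, 1)          # offline backup taken in 2010
BACKUP_USER_IDS = {1001, 2345, 3999}        # user ids present in that backup
AUDIT_LOG = [                               # (timestamp, action, user_id)
    ("2007-03-14T10:00:00", "INSERT users", 2345),
    ("2012-07-01T03:12:09", "INSERT users", 4711),
    ("2012-07-01T03:12:15", "UPDATE users.member_since", 4711),
]
ACCESS_LOG = [                              # (timestamp, client ip, path)
    ("2007-03-15T08:02:11", "198.51.100.7", "/profile/2345"),
    ("2012-07-01T03:14:00", "203.0.113.42", "/profile/4711"),
]

def check_profile(profile, backup_ids, backup_date, audit_log, access_log):
    """Return a list of inconsistencies; an empty list means the trail holds up."""
    findings = []
    uid = profile["user_id"]
    claimed = datetime.fromisoformat(profile["member_since"])
    created = datetime.fromisoformat(profile["created_at"])
    # 1. The editable public field must not predate the internal insert timestamp.
    if created.date() > claimed.date():
        findings.append("member_since predates internal created_at")
    # 2. A user claimed to exist before the offline backup must appear in it.
    if claimed < backup_date and uid not in backup_ids:
        findings.append(f"missing from offline backup of {backup_date.date()}")
    # 3. The database audit log should record the insert near the claimed date.
    inserts = [datetime.fromisoformat(t) for t, act, u in audit_log
               if u == uid and act.startswith("INSERT")]
    if not inserts or abs(inserts[0] - claimed) > timedelta(days=1):
        findings.append("no INSERT audit event near member_since")
    # 4. Web access logs should show some activity in the first year of membership.
    first_year = [t for t, _ip, path in access_log
                  if path.endswith(f"/{uid}")
                  and timedelta(0) <= datetime.fromisoformat(t) - claimed < timedelta(days=365)]
    if not first_year:
        findings.append("no access-log activity in first year of claimed membership")
    return findings

if __name__ == "__main__":
    for p in (FORGED_PROFILE, GENUINE_PROFILE):
        print(p["user_id"], check_profile(p, BACKUP_USER_IDS, BACKUP_DATE, AUDIT_LOG, ACCESS_LOG))
```

The forged row trips all four checks even though its public field looks right, which is the point the answers make: the display field is easy to edit, the independent sources are not.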
Faking it to what standard? One issue is that what is stored now may be different than what was stored two years ago, and one would have to have a level of unusually detailed, historical knowledge, possibly beyond that of any current employee, to fake things 100%.
But then, what forensic investigator would put months into verifying things at that level of detail? They would have to be particularly motivated and suspicious and observant, as well as have the time to do real digital archaeology, a deep understanding of the particular site-specific processes being analyzed.
posted by zippy at 11:28 AM on July 10, 2012
It depends on the intent of the forgery.
For something like a smear campaign, I agree with the other posters, that it would be hard to fool an investigator with complete access. However, often the mere suggestion of certain activities can tarnish a public figure’s image. The reporters who follow up on a story aren’t going to have this deep level of access and so might believe the fabrication and continue to propagate the story. If the smear was in any way close to the truth additional data will surface from other sources and the target will be so buried that they won’t have a chance to try to clear their name.
On the other hand, if you were building profiles to back up the story for undercover agents you would probably have multiple long-time active profiles developed and maintained over time. These profiles could be assigned, with minor changes, to agents as needed. These sorts of profiles would probably not be detectable even by a complete access forensic examination.
posted by TeknoKid at 1:29 PM on July 10, 2012 [1 favorite]
I think people who work outside of this industry (I don't work for OKCupid, but do work for another company that is in many ways comparable), both over- and underestimate what logs are kept. For instance, we have HTTP access logs going back forever that include the URL you accessed and the IP address and user-agent from which you accessed it, but not your *username*, so these are pretty useless for trying to identify which user might have accessed what, when.
We have other bits of information stored in other places that may or may not include your IP address next to your username, and may or may not include a date stamp along with it. Access to user data is also *very* tightly controlled. I once asked for a representative list of "tags" (the sort of tags you'd use to tag a metafilter post or flickr image, but ours are private) to use to determine how much space to allocate in a UI for a tag (I wanted to know how long people generally made them), and could not get the list, because people might have used their bank account number as a tag (or whatever).
Could the NSA get that list of tags? Maybe, but I honestly doubt it. The easiest way would be to subpoena us for it.
posted by tylerkaraszewski at 10:23 AM on July 10, 2012 [1 favorite]