debora111 | 60 points | Nov 20 2016 22:29:51

How Could a Pizzagate Hacker Prove She's Not Full of Shit? (and actually convince us she found evidence)

I'm posting this as future reference, in case we get new cases like this one. http://archive.is/917qa (2GB hacker OP).

Edit: context, the original 2Gb hacker OP posted child porn as evidence and many fell for it, including moderators who thought that verified the hacker's claims.

Digital forensics is my profession; there's no way I can prove it without proving my identity, but hopefully the following speaks for itself and you can disregard the author. If redditors think this post is useful, I'd be happy to expand on the topic or try to answer questions. English is not my mother tongue but I'll do my best.

TLDR: It would be nearly impossible for a hacker having discovered evidence to prove she's the real deal, that she's sharing genuine evidence of what she claims (esp. the origin of the data). Unless the data speaks for itself (and its provenance is thus less relevant), the only way to do it in a satisfactory enough (albeit non-absolute) manner would be to publish all the logs (and config data) on the server itself and if possible elsewhere on the LAN in addition to whatever actually incriminating material was uncovered. Said logs/config files would likely reference the data being presented, and forging the logs would be very difficult (we would be very likely to find some incoherence somewhere if they were fake).

The quickest way to look at this is through a set of Claims / Counter-Claims :


CLAIM : Here is the data I found on this server

CC : There's no proof you found that data where you say you found it


CLAIM : Here is a screenshot of the directory listing on the server, with the data I'm providing being listed on it

CC : You could've faked the screenshot, and if it's real, there's no proof the files you gave us are the same ones as in the screenshot (file names/sizes/timestamps don't prove anything)


CLAIM : Here is an uncut video of me displaying/signing the material directly on the server I hacked

CC : There's no proof in the video you're actually on the server you say you hacked


CLAIM : Here is an uncut video of me connecting to the server and displaying/signing the material from there

CC : There's no proof in the video you're connecting to the server you said you hacked, you could have tampered with your resolv.conf to connect to your own server somewhere, or if you used an IP you could have tampered with your routing, or redirected the connection with iptables; or the whole thing could be fake, the remote shell video could just be a trivial script, just replace the ssh binary with a bash script that displays whatever you want it to display; your hashing of the ssh binary could similarly be a bash script outputting whatever you told it to.


CLAIM : Here is an uncut video of me hacking into the server and displaying/signing the material from there

CC : See above, there's no proof you're hacking into the server you say you hacked


CLAIM : Here is an uncut video of me hacking into the server, changing the Web page for you to see (or the banner of whatever service, or pinging many trusted witnesses from that server, or whatever other proof of intrusion), and displaying/signing the material from there

CC : You could have hacked into the server, found nothing, uploaded the material, changed its timestamp, shot the video and proved your intrusion


You see the problem? Digital forensics is a very tricky issue if the data is not seized by a "trustworthy" source (e.g. the police). No computer is trustworthy, i.e. data in itself usually means nothing if it cannot be corroborated by a digital signature or by other circumstances/evidence/context. Furthermore no software can ever vouch for its own integrity (as the portion of it doing that vouching can similarly be tampered with). (Don't nag me with Trusted Computing and hardware-based roots of trust - that's not what we're dealing with here - and even with trusted hardware if you get trusted/signed software to execute your own code e.g. through a heap/stack overflow your shellcode is by definition trusted too, that's how you jailbreak a playstation without opening it up btw).

Remember, the authenticity of the Guccifer/Guccifer2/Wikileaks/DNCLeaks data is mostly proven by digital signatures, or context, or because the hacked party doesn't deny it. In the case of our Pizzagate investigation, unless you've got CP with clearly visible perpetrator faces or explicit (and signed) correspondence between culprits (in which case the data speaks for itself), it'd be hard to prove anything. If you're a legitimate hacker and find CP somewhere and wish to bust the pedophiles hosting/making that content, your work would be unlikely to bring about a formal conviction (by reddit or otherwise) if you don't do it right (and a trusted party can't corroborate your findings, which is likely the case if you share them publicly with us beforehand, which you should do (disclaimer: don't share anything illegal) as we need to follow the leads and bust as many of those criminals as possible and can't fully trust the authorities).

So there are two solutions: either the data speaks for itself (i.e. it can be corroborated / verified through other means), meaning its origin loses relevance, OR you provide so much data that the forgery would have been too expensive to be realistic. In that case, you should provide as much directly incriminating material as possible AND as many logs (and config files) as possible (on the system and if possible the LAN). The more we have of the latter, the better we can corroborate the former.

The best (if you're root) is to mirror the full hard drives sector by sector (we'd be able to look at the whole partitions, not merely the addressed/allocated part); if you're an unprivileged user and found the mother lode, parse the filesystem for any file you can read (and that isn't obviously useless, such as common dependencies/binaries) and copy that. Then by all means try to escalate your privileges and do what was said before.

Explanation in a nutshell: a computer can be told to record virtually any action it takes. Some computers/servers by default log more than others. On a *nix server, chances are there are A LOT of logs (and archives of logs) - from system/kernel actions to services solicited, from failed logins to detailed incoming http requests. Furthermore, the incriminating data (or the directory/tree in which it's located, etc.) typically needs to be made accessible somehow through the config files.

For example, the incriminating data would have had to be uploaded onto the server at some point (we'd have a trace of that e.g. in the FTP logs); or renamed, moved, searched for, etc. (e.g. .bash_history); or downloaded (e.g. http logs); or archived (e.g. backup logs); or periodically processed for some reason (e.g. /etc/crontab). Indeed the presence/absence of that data would very likely be recorded at many places in the logs and config files. And that stuff is pretty difficult to forge, especially if you have lots (all) of it, because it is very expensive to make sure you haven't forgotten a trace/incoherence somewhere (and you can never be 100% sure even if you wrote the fucking kernel).

Next time there is such a hoax/honeypot expect it to be less blatantly weak. Keep in mind that whoever did this went through the trouble of procuring not only CP but child snuff pictures (torture). This suggests a very determined OP.

This experience needs to make our investigation stronger, more resilient to disinformation.

That's it for now, thank you for your attention, I hope this helps.

permalink
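The cross-referencing the post describes (FTP log, HTTP log, .bash_history, crontab), as an added worked example that is not part of the original post or any thread participant's code: given the name and size of a file a hacker claims to have found, it looks for independent traces of that file in each source and checks that the traces agree with each other (an FTP upload must precede any HTTP download of the same file, and the byte counts logged by vsftpd and Apache must match the file being presented). All log lines are constructed for the demo; the IPs, paths and the file name ledger.zip are invented, and the server is assumed to log in UTC.

```python
"""Cross-reference a leaked file against the server's own logs and config.

Added example, not from the original post: given the name and size of a file a
hacker claims to have pulled from a server, look for independent traces of it
in the sources the post lists (vsftpd upload log, Apache access log,
.bash_history, /etc/crontab) and check that those traces agree with each
other. All sample lines are constructed for this demo; the IPs, paths and the
file name are invented, and the server is assumed to log in UTC.
"""
import re
from datetime import datetime, timezone

# --- constructed sample sources (fake data, one artefact: ledger.zip) -------
VSFTPD_LOG = """\
Sun Nov 13 03:12:40 2016 [pid 2231] [uploader] OK LOGIN: Client "203.0.113.7"
Sun Nov 13 03:13:02 2016 [pid 2233] [uploader] OK UPLOAD: Client "203.0.113.7", "/srv/ftp/incoming/ledger.zip", 1893214 bytes, 410.22Kbyte/sec
"""
ACCESS_LOG = """\
198.51.100.9 - - [14/Nov/2016:09:41:17 +0000] "GET /private/ledger.zip HTTP/1.1" 200 1893214 "-" "curl/7.47.0"
198.51.100.9 - - [14/Nov/2016:09:41:18 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "curl/7.47.0"
"""
BASH_HISTORY = """\
ls -la /srv/ftp/incoming
mv /srv/ftp/incoming/ledger.zip /var/www/html/private/
chmod 640 /var/www/html/private/ledger.zip
"""
CRONTAB = """\
# m h dom mon dow user command
30 2 * * * root tar czf /backup/private.tgz /var/www/html/private
"""

# vsftpd "OK UPLOAD"/"OK DOWNLOAD" lines and Apache combined-format request lines.
VSFTPD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[\w+\] '
    r'OK (?P<op>UPLOAD|DOWNLOAD): Client "(?P<ip>[^"]+)", "(?P<path>[^"]+)", (?P<size>\d+) bytes'
)
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_events(vsftpd_log, access_log):
    """Turn the two timestamped logs into records (time, source, op, path, size), oldest first."""
    events = []
    for line in vsftpd_log.splitlines():
        m = VSFTPD_RE.match(line)
        if m:
            # vsftpd writes local time without an offset; assumed UTC here.
            t = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
            events.append({"time": t, "source": "vsftpd", "op": m["op"].lower(),
                           "path": m["path"], "size": int(m["size"])})
    for line in access_log.splitlines():
        m = APACHE_RE.match(line)
        if m and m["status"] == "200":  # only successful transfers corroborate anything
            t = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            t = t.astimezone(timezone.utc).replace(tzinfo=None)
            size = int(m["size"]) if m["size"] != "-" else None
            events.append({"time": t, "source": "http", "op": m["method"].lower(),
                           "path": m["path"], "size": size})
    return sorted(events, key=lambda e: e["time"])


def corroborate(basename, claimed_size, vsftpd_log, access_log, bash_history, crontab):
    """Report which independent sources reference `basename` and any incoherences among them."""
    events = [e for e in parse_events(vsftpd_log, access_log) if e["path"].endswith("/" + basename)]
    sources = {e["source"] for e in events}

    history_hits = [l for l in bash_history.splitlines() if basename in l]
    if history_hits:
        sources.add("bash_history")
    # A cron job counts if it names the file or a directory the history shows it was moved into.
    dirs_seen = {l.split()[-1].rstrip("/") for l in history_hits if l.startswith("mv ")}
    cron_hits = [l for l in crontab.splitlines()
                 if not l.startswith("#") and (basename in l or any(d in l for d in dirs_seen))]
    if cron_hits:
        sources.add("crontab")

    incoherences = []
    uploads = [e for e in events if e["source"] == "vsftpd" and e["op"] == "upload"]
    downloads = [e for e in events if e["source"] == "http" and e["op"] == "get"]
    if uploads and downloads and min(d["time"] for d in downloads) < min(u["time"] for u in uploads):
        incoherences.append("file served over HTTP before any logged FTP upload")
    for e in events:
        if e["size"] is not None and e["size"] != claimed_size:
            incoherences.append(f"{e['source']} logged {e['size']} bytes, claimed file is {claimed_size}")
    return {"sources": sources, "events": events, "incoherences": incoherences}


if __name__ == "__main__":
    report = corroborate("ledger.zip", 1893214, VSFTPD_LOG, ACCESS_LOG, BASH_HISTORY, CRONTAB)
    print("corroborated by:", sorted(report["sources"]))
    print("incoherences:", report["incoherences"] or "none")
```

On the constructed data the file is referenced by all four sources with no contradiction; swapping in a file of a different size, or an access log dated before the upload, produces an incoherence, which is the kind of slip a forger who did not fabricate every log consistently would leave behind.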

Xenepa | 19 points | Nov 20 2016 22:34:21

For starters, someone who can hack a server surely knows how gpg works. The poster doesn't.

permalink

debora111 | 3 points | Nov 20 2016 22:46:54

~~Explain yourself otherwise your comment is useless~~

permalink

Xenepa | 11 points | Nov 20 2016 22:49:09

By poster I meant the guy who pasted the gpg message, not you obviously. I hope I didn't come across the other way.

In the other topic she demonstrated complete lack of any sort of knowledge about how gpg works, and then claimed she managed to decrypt the key after all. This is bullshit on so many levels.

permalink

debora111 | 11 points | Nov 20 2016 23:00:22

Yeah, that 2Gb OP was full of shit, I could smell it from the start (although later I found it weird WePizza changed its homepage). The tell for me was her purpose, i.e. "help me figure out how to leak it".

So we can better address these scenarios in the future (which I'm sure we will have to, because of trolls or criminal agents alike), it's good we have a reference, that we know having a "video of the hacking" doesn't prove the hacking in any way.

permalink
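Why a recorded terminal session proves nothing about where the material came from, as an added example that is not part of the original post or any thread participant's code: the shell resolves `ssh` and `sha256sum` through PATH, so a directory put in front of the system binaries can replace both with scripts that print whatever the person recording wants, which is exactly the substitution the post's counter-claim describes. Everything runs locally; the canned listing, the canned digest and the "victim" hostname are invented, and no network connection is made.

```python
"""Why an "uncut video" of a shell session proves nothing.

Added example, not from the original post: a directory placed at the front of
PATH shadows the real `ssh` and `sha256sum` with scripts that print canned
text. A viewer of the recording sees a plausible remote listing and a
plausible hash of the ssh binary, neither of which came from any server.
The hostname and all output strings are invented.
"""
import os
import shutil
import subprocess
import tempfile

FAKE_LISTING = (
    "total 2\n"
    "-rw-r----- 1 www-data www-data 1893214 Nov 13  2016 ledger.zip\n"
)
FAKE_HASH = "deadbeef" * 8 + "  /usr/bin/ssh\n"


def write_fake(dirpath, name, output):
    """Drop an executable shell script `name` into dirpath that ignores its arguments and prints output."""
    path = os.path.join(dirpath, name)
    with open(path, "w") as f:
        f.write("#!/bin/sh\n# fake %s: ignores its arguments and prints canned text\n" % name)
        f.write("cat <<'EOF'\n%sEOF\n" % output)
    os.chmod(path, 0o755)
    return path


def make_shadow_dir():
    """Create the directory that will be prepended to PATH, with fake ssh and sha256sum inside."""
    d = tempfile.mkdtemp(prefix="shadow-")
    write_fake(d, "ssh", FAKE_LISTING)
    write_fake(d, "sha256sum", FAKE_HASH)
    return d


def run_as_in_video(cmd, shadow_dir):
    """Resolve cmd[0] through a PATH starting with shadow_dir, as an interactive shell would, and run it."""
    path = shadow_dir + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin")
    exe = shutil.which(cmd[0], path=path)
    out = subprocess.run([exe] + cmd[1:], capture_output=True, text=True, check=True).stdout
    return exe, out


def demo():
    """Replay the two commands a viewer would see typed and return what actually ran and what it printed."""
    shadow = make_shadow_dir()
    try:
        ssh_exe, listing = run_as_in_video(
            ["ssh", "root@victim.example", "ls -l /var/www/html/private"], shadow)
        sum_exe, digest = run_as_in_video(["sha256sum", "/usr/bin/ssh"], shadow)
        return {"ssh_path": ssh_exe, "listing": listing,
                "sha256sum_path": sum_exe, "digest": digest}
    finally:
        shutil.rmtree(shadow)


if __name__ == "__main__":
    r = demo()
    print("'ssh' actually ran:", r["ssh_path"])
    print(r["listing"], end="")
    print("'sha256sum' actually ran:", r["sha256sum_path"])
    print(r["digest"], end="")
```

The same trick covers `dig`, `ping`, `curl` and any other tool the recording might show; the only thing the viewer can verify is pixels, not which binary produced them.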

digera | 2 points | Nov 21 2016 13:43:22

I think the WeThePizza site going down kinda proves this to be a honeypot/falseflag... Incredibly weak evidence of the hack, with the site going down being the only real evidence... Slightly possible that the webserver was used to store/distribute sick shit, but more likely that it wasn't and this was all a big red herring, planned and executed by the cabals involved, which would include the WTP guys (who are totally free and clear of implication at this point, so long as they put a stop to the investigations, which is where this whole mess comes in)

also: distribution of incredibly gross shit (I knew not to click since even if it were the real deal, I knew it wouldn't prove anything) and then distributing some sketchy executable... It just stinks... "Here's some really dirty shit, and here's a trojan that will help us find you and end your investigation."

This whole thing may have worked to build a list of weaker contributors to the investigation... I'm such a non-issue to these people, I hope that I've kept off their radar... I'm just an observer, not an autist.

permalink

PraiseBeKEK | 2 points | Nov 20 2016 23:00:09

Thank you. Have an upvote. This sub is just getting filled with nonsense now.

permalink

sheik_yerbouti_jr | 1 points | Nov 21 2016 00:51:04

Moreover, what does the website (its server being physically in Texas) displaying "coming soon" have to do with the hacking of an xp machine in DC?

permalink

_PizzaGate_ | 9 points | Nov 20 2016 22:40:36

I agree. If the videos show recognized politicians with naked children, there's no need to be sure they got them from the wethepizza site... who cares where they found them? But this is only if recognizable people are there... if it's just a bunch of naked children or masked people raping them... then... yeah... she can be accused of making those videos in the first place :(

permalink

irufema | 8 points | Nov 20 2016 22:43:44

Just stop with this "I will be uploading this and that within x hours" bullshit and show everything you have right now. If you don't have it, don't fucking say "I'm sure it's this or that." No, you know nothing and you're obviously trolling. Encryption my ass. Nothing to do here.

permalink

PraiseBeKEK | 2 points | Nov 20 2016 23:01:43

They can encrypt 2GB and release it. How long would that take us to brute force or any other method. These mods are pushing this bullshit.

permalink

Duderino732 | 3 points | Nov 20 2016 22:35:54

How about just post the information. I don't get the need for the encryption or whatever they're doing.

permalink

debora111 | 5 points | Nov 20 2016 22:50:40

Still one could say "this is fake because ..." or "this doesn't come from where you say it comes because ...". I try to describe the best way for the data's origin to be as irrefutable as possible. I thought it may be useful in the future given how many "just shoot a video of your hacking to prove you're not full of shit" comments happened in the original 2Gb hacker thread.

permalink

Duderino732 | 3 points | Nov 20 2016 23:06:44

nvm I got you. A list of names would at least allow an investigation though.

permalink

debora111 | 4 points | Nov 20 2016 23:10:38

Yep. I must admit when I saw the "verified" tag i got very very excited. Even archived it before reading it, for posterity. https://archive.is/CPTqp

permalink