Slashdot Mirror


'Robin Sage' Social Hoax Duped Military, Security Pros

ancientribe writes "A social networking experiment of a phony female military security professional known as 'Robin Sage' (named after a US Army Special Forces training exercise) worked way too well, fooling even the most security-savvy professionals on LinkedIn, Facebook, and Twitter. It also led to the leakage of sensitive military information after an Army Ranger accepted 'Robin's' friend request on Facebook and his photos from Afghanistan exposed geolocation information accessible to 'Robin.' The researcher who conducted the experiment will show off his findings at the upcoming Black Hat USA conference in Las Vegas, where the real woman pictured in the profiles is scheduled to introduce him for his presentation."

44 of 191 comments

  1. Only link that matters by Spazztastic · · Score: 4, Informative

    Is the fake facebook profile: http://www.facebook.com/robin.sage.641a

    --
    Posts not to be taken literally. Almost everything is sarcasm.
    1. Re:Only link that matters by RollingThunder · · Score: 4, Insightful

      Sadly, for a lot of the targets, that picture was probably all the social engineering that was needed.

    2. Re:Only link that matters by MBGMorden · · Score: 4, Insightful

      I actually find it rather odd that they chose that picture. I know pretty much instantly that if I get a friend request from a girl in a bikini - unless I know her instantly I know it's just spam and ignore it. The harder ones are the ones showing people in regular everyday clothing (and a pic that doesn't look like it's a professional modeling pic). For that, you have to start thinking whether or not you met this persona casually at a party or something once, or if you know them from a class or something.

      Just IMHO, I think it would make a lot more sense if they had simply used an attractive girl wearing a t-shirt/jeans or a sweater or something in a regular candid shot - maybe even doing the typical "myspace I'm taking a picture of myself" pose.

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    3. Re:Only link that matters by xant · · Score: 3, Insightful

      > For that, you have to start thinking whether or not you met this persona casually at a party or something once, or if you know them from a class or something.

      No, you don't. They're called Facebook friends. The only people in my list are people who are really my friends (or close relatives). Even if I know exactly who they are, I don't accept friend requests from anyone I don't have a strong personal relationship with.

      And I know who all of those people are. No hard thinking required.

      --
      It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
    4. Re:Only link that matters by trentblase · · Score: 4, Insightful

      They may be called Facebook "friends", but that is just Facebook's nomenclature for "a person with whom you want to share at least a subset of your Facebook information". News flash: Windows' "folders" aren't real folders, Twitter's "tweets" do not come from little birds, and you are not in physical contact with your LinkedIn "connections."

    5. Re:Only link that matters by Tsunayoshi · · Score: 3, Insightful

      > Just IMHO, I think it would make a lot more sense if they had simply used an attractive girl wearing a t-shirt/jeans or a sweater or something in a regular candid shot - maybe even doing the typical "myspace I'm taking a picture of myself" pose.

      Based on who friended 'her' and the kind of information 'she' was able to obtain, I'd say the choice of photo worked pretty damn well.

      --
      "Get a bicycle. You will not regret it, if you live." - Mark Twain, "Taming the Bicycle"
    6. Re:Only link that matters by Halo- · · Score: 2, Informative

      > I actually find it rather odd that they chose that picture. I know pretty much instantly that if I get a friend request from a girl in a bikini - unless I know her instantly I know it's just spam and ignore it.

      If you read the article, you'll see the picture was intentionally chosen to throw up some red flags. FTFA:

      > He purposely left several clues that Robin was a fake, including choosing a woman who appeared to be Eastern European and a potential spy, he says.

    7. Re:Only link that matters by gregrah · · Score: 2, Insightful

      It appears that her profile pic up until June 27th was much less provocative.

      That makes the people who accepted her friend invites a little less shameful in my opinion.

      I was able to discover this tidbit of information by clicking on the racy profile picture in an attempt to see more. Given that I already knew at that point that she was a security researcher posing as a Russian spy posing as a Defense Dept. employee - I am inclined to judge myself much more harshly than the folks named in the parent article.

    8. Re:Only link that matters by gstoddart · · Score: 3, Funny

      > I actually find it rather odd that they chose that picture. I know pretty much instantly that if I get a friend request from a girl in a bikini - unless I know her instantly I know it's just spam and ignore it.

      Dude, TFS says he's a friggin' Army Ranger.

      With that much testosterone, those guys aren't going to immediately assume it's spam. They're just going to assume they don't remember her. These guys walk with swagger because they know they're carrying an Army issued Big Pair (TM), which likely clouds their judgement sometimes.

      I'd say more about TFA, but Firefox is telling me that the URL is redirecting in a way that can never resolve, so I have no idea of what it actually says. :-P

      --
      Lost at C:>. Found at C.
    9. Re:Only link that matters by hannson · · Score: 3, Funny

      > News flash: Windows' "folders" aren't real folders, Twitter's "tweets" do not come from little birds, and you are not in physical contact with your LinkedIn "connections."

      But cybersex still counts, right?

    10. Re:Only link that matters by trentblase · · Score: 2, Funny

      I encourage you to also take "Facebook" literally.

  2. Did he get to talk to a real girl? by Anonymous Coward · · Score: 3, Funny

    Cool!

  3. duped some military.... by gandhi_2 · · Score: 4, Informative

    ...but anyone who has ever thought about going for the long tab would catch that name. Robin Sage, really? Come on!

  4. I'm pretty sure by jim_v2000 · · Score: 4, Insightful

    that anyone in Iraq and Afghanistan could tell you where the soldiers are. It's not like they're hiding or something. The "geolocation" stuff is just silly.

    --
    Don't take life so seriously. No one makes it out alive.
    1. Re:I'm pretty sure by Mushdot · · Score: 2, Insightful

      They probably could, but it is still sheer stupidity to post things like that on Facebook or any other site for that matter: Loose lips sink ships!

    2. Re:I'm pretty sure by twidarkling · · Score: 4, Funny

      Portage. It's not just for birchbark canoes.

      --
      Canada: The US's more awesome sibling.
    3. Re:I'm pretty sure by oiron · · Score: 4, Funny

      They're compiling ships from source now?

      Fascinating!

    4. Re:I'm pretty sure by blair1q · · Score: 2, Insightful

      When they are in the shit, they are not likely to be hitting on chicks on facebook.

      Anyone who has internet connectivity is probably at a base that can be found on the Jane's website or Wikipedia, and Google Mapped to get recent satellite pictures.

      Which is pretty pointless, since the "insurgents" already know where the bases are, and what they look like, and way more about their vulnerabilities than a satellite picture is going to reveal.

      There's nothing more costly to security than security based on false fears.

    5. Re:I'm pretty sure by Gabrosin · · Score: 2, Insightful

      What the hell else would you compile them from??

    6. Re:I'm pretty sure by Red+Flayer · · Score: 2, Funny

      > There's nothing more costly to security than security based on false fears.

      Except overwhelming force.

      And the Spanish Inquisition.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  5. This is silly by Darkman,+Walkin+Dude · · Score: 4, Insightful

    If there is sensitive military information on twitter, facebook, or linkedin, it's already compromised, and badly. I mean come on, this is a non-story.

    1. Re:This is silly by Haffner · · Score: 2, Insightful

      I don't understand why facebook, twitter, and social media in general aren't explicitly banned by the army. Given access to the average person's facebook page (even as a non-friend, and especially with the "suggested" privacy settings) any slightly skilled user can quickly discern who their good friends are, what they do, where they work, where they live, and most importantly, what they look like.

      Think of how easy it would be to get the intel to kidnap the good friend/significant other of important military personnel, and think of what the ramifications are.

      --
      "Going to war without the French is like going deer hunting without your accordion." ~General Norman Schwarzkopf
  6. Re:the army is obsolete by couchslug · · Score: 4, Insightful

    "And we will see this pattern occur again, and again, and again, until we learn that the most effective form of military action is motivated people defending their own land against a foreign invader."

    Your military illiteracy is showing. That stuff only works against "foreign invaders" who follow the post-Nuremberg laws that outlaw effective war methods against unconventional opponents. It may help, in concert with other means, tire out an opponent in a non-existential police action, but an opponent who is powerful and free of restraint can make a desolation and call it peace.

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  7. Re:the army is obsolete by bsDaemon · · Score: 5, Informative

    I have no idea how this is relevant, and you're probably trolling, but seriously... the 2006 Lebanon war was NOT the first time a guerrilla army turned back regular forces. Look at the Anglo-Irish war from 1918-1921 for an example, or friggin' Vietnam. Or Afghanistan... every time anyone has ever tried to invade Afghanistan (the British twice, the Soviets, Alexander the Great, even). As to the rest of your post, your UID is low enough that you should be old enough to know better. Quit being 16, it's not becoming.

  8. Leaked? You mean 'exposed' ? by quietwalker · · Score: 3, Insightful

    If someone is putting up classified information in a publicly accessible location (even if it's restricted by the user giving explicit permission), isn't that the source of the information leak? Hasn't it already escaped the secure environment? Jeremiah Grossman even points this out. (I do like how they indicate he was duped, when he indicates that it's an automatic facebook bot that runs on his behalf that accepts all requests automatically - that isn't 'his' account.)

    Of course, this assumes that the information was considered secure in the first place. I'm not sure you'd call it a security leak if the policy is to allow that information to be accessible to the public.

    That aside, isn't this just an online-only update of the standard telephony scam that the military actually sponsored and publicized back in the late 60's/early 70's? To show how social engineering worked, they sat a woman down in a room with a phonebook and a phone, and asked her to get some general's schedule or something, and it took about 40 minutes?

    We are already aware of the fact that organizations have social structures which allow for manipulation. Was there anything constructive about this, like a 'policies to avoid this' list? Or was this just another fluff piece, reiterating what was already well established?

  9. Re:Which emo chick is it by garcia · · Score: 2, Insightful

    An apparently gorgeous, six-pack stomached, bikini wearing, beauty queen interested in bi-sexual encounters.

    Fuck, I knew what this was and I almost clicked "Add as Friend" too.

  10. Geolocation? by pgn674 · · Score: 2, Interesting

    I thought Facebook sanitized uploaded photos of their metadata in the process of resizing them for display on the internet?

    I just checked an uploaded JPG against an original, and yes indeed Facebook does sanitize the metadata. I wonder where the geolocation info came from?

  11. Re:the army is obsolete by bsDaemon · · Score: 3, Informative

    We were actually not doing too very well before regular military discipline was brought in by von Steuben and some other European career officers who came over to help their Freemason brothers further the Enlightenment. The French naval blockade of the Chesapeake Bay and some bad weather up the York River didn't hurt either.

  12. Re:Leaked? You mean 'exposed' ? by idontgno · · Score: 4, Insightful

    Most people are aware that high explosives generate powerful and destructive shockwaves, and can fling shrapnel for startling distances at frightening velocities. However, they'll still watch Mythbusters, because actually seeing high explosives demonstrated is cool.

    Anyone who doesn't find a real-world demonstration of social engineering fascinating and instructive is either waaaay too jaded, or is trying waaaay too hard to pose as being jaded because of a mistaken association between cynicism and cool.

    Besides, a reminder of the ongoing effectiveness of social engineering is always good, especially in light of all the interesting vectors now available.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  13. Re:the army is obsolete by bsDaemon · · Score: 2, Informative

    There could definitely be a reorganization of forces that the country could benefit from, but as attractive as the proposition of some sort of Libertarian Socialist (aka Anarchist) society devoid of central authority is, the chances of that being able to function for any length of time before faltering itself is pretty low. Catalonia when held by FAI/CNT in the Spanish Revolution (concurrent with the Spanish Civil War) is a prime example.

  14. Re:what kind of geolocation information? by sadness203 · · Score: 2, Interesting

    Well obviously, they are keeping it. It's a lot of good information to target you with specific ads, or sell it to other people. They can extrapolate a lot of information from exif meta-data; geolocation is one of them, but there's a lot more to it.
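    The check pgn674 describes above (comparing an uploaded JPG against the original for metadata) and the EXIF geolocation sadness203 mentions can both be done with a short walk of the JPEG segment structure. The following is an added example, not code from the thread or from any linked article: a stdlib-only Python parser that reports the GPS tags in a JPEG's EXIF block and a sanitiser that drops the APP1 segment the way a stripping upload pipeline would. `build_sample_jpeg`, its byte offsets and the coordinates in it are constructed for the demonstration.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-IFD
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

def ifd_entries(tiff, offset, e):
    """Yield (tag, type, count, raw 4 value/offset bytes) for each entry of one TIFF IFD."""
    (n,) = struct.unpack_from(e + "H", tiff, offset)
    for pos in range(offset + 2, offset + 2 + 12 * n, 12):
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, pos)
        yield tag, typ, count, tiff[pos + 8:pos + 12]

def entry_value(tiff, e, typ, count, raw):
    """Resolve an entry payload; values wider than 4 bytes are stored at an offset."""
    size = TYPE_SIZE.get(typ, 1) * count
    if size > 4:
        raw = tiff[struct.unpack_from(e + "I", raw)[0]:][:size]
    if typ == 2:  # ASCII, e.g. the "N"/"S"/"E"/"W" reference letters
        return raw[:size].rstrip(b"\0").decode("ascii", "replace")
    if typ == 5:  # unsigned RATIONAL triples: degrees, minutes, seconds
        return [n / d if d else 0.0 for n, d in struct.iter_unpack(e + "II", raw[:size])]
    return raw[:size]

def jpeg_segments(data):
    """Yield (marker, start, end) for each JPEG marker segment before the scan data."""
    pos = 2  # skip SOI
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: metadata segments are over
            return
        (length,) = struct.unpack_from(">H", data, pos + 2)
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def gps_coordinates(data):
    """Return (lat, lon) in signed decimal degrees from EXIF GPS tags, or None."""
    for marker, start, end in jpeg_segments(data):
        if marker != 0xE1 or data[start + 4:start + 10] != b"Exif\0\0":
            continue
        tiff = data[start + 10:end]
        e = "<" if tiff[:2] == b"II" else ">"  # TIFF byte-order mark
        (ifd0,) = struct.unpack_from(e + "I", tiff, 4)
        for tag, _typ, _count, raw in ifd_entries(tiff, ifd0, e):
            if tag == GPS_IFD_TAG:
                gps_ifd = struct.unpack_from(e + "I", raw)[0]
                gps = {t: entry_value(tiff, e, ty, c, r) for t, ty, c, r in ifd_entries(tiff, gps_ifd, e)}
                if 2 in gps and 4 in gps:  # GPSLatitude and GPSLongitude present
                    lat = sum(v / 60 ** i for i, v in enumerate(gps[2]))
                    lon = sum(v / 60 ** i for i, v in enumerate(gps[4]))
                    return (-lat if gps.get(1) == "S" else lat, -lon if gps.get(3) == "W" else lon)
    return None

def strip_app1(data):
    """Drop every APP1 (EXIF/XMP) segment, as a sanitising upload pipeline would."""
    out, pos = bytearray(data[:2]), 2
    for marker, start, end in jpeg_segments(data):
        if marker != 0xE1:
            out += data[start:end]
        pos = end
    return bytes(out + data[pos:])

def build_sample_jpeg():
    """Constructed input: SOI, one little-endian EXIF APP1 holding a GPS IFD, EOI; no pixels."""
    e, ifd0, gps_ifd, rat = "<", 8, 26, 80  # byte offsets inside the TIFF block
    tiff = b"II*\0" + struct.pack(e + "I", ifd0)
    tiff += struct.pack(e + "H", 1) + struct.pack(e + "HHII", GPS_IFD_TAG, 4, 1, gps_ifd) + b"\0" * 4
    tiff += struct.pack(e + "H", 4)                                 # GPS IFD with 4 entries
    tiff += struct.pack(e + "HHI", 1, 2, 2) + b"N\0\0\0"            # GPSLatitudeRef (inline)
    tiff += struct.pack(e + "HHII", 2, 5, 3, rat)                   # GPSLatitude -> rationals
    tiff += struct.pack(e + "HHI", 3, 2, 2) + b"W\0\0\0"            # GPSLongitudeRef (inline)
    tiff += struct.pack(e + "HHII", 4, 5, 3, rat + 24) + b"\0" * 4  # GPSLongitude; next IFD = 0
    tiff += struct.pack(e + "6I", 12, 1, 30, 1, 0, 1)               # 12 deg 30' 0" (arbitrary)
    tiff += struct.pack(e + "6I", 45, 1, 15, 1, 0, 1)               # 45 deg 15' 0" (arbitrary)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Running `gps_coordinates` on a real photo before and after `strip_app1` is the same comparison pgn674 made; a file whose uploaded copy still yields coordinates has not been sanitised.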

  15. Re:the army is obsolete by jfoobaz · · Score: 5, Funny

    > The French naval blockade of the Chesapeake Bay and some bad weather up the York River didn't hurt either.

    Yeah, if it weren't for the French, Americans would be speaking English today.

  16. Re:Savvy? by spazdor · · Score: 4, Insightful

    I have to take issue with this. Just because you play loose with your "personal" life does not mean you play loose with your security or your privacy. Perhaps you only happen to value privacy in a more limited sphere.

    --
    DRM: Terminator crops for your mind!
  17. I simply do not believe any of this by FuckingNickName · · Score: 4, Interesting

    Not Fucking Up 101 incorporates not believing some random person on the Internet (or in real life) who says they have a particular position. It would also encompass not posting pictures of your location to the Internet.

    So the question we really need to ask is not, "How could the military/government be so dumb?" but, "What connections do these researchers have with the government, and what are they actually trying to achieve with this theatre?"

    It would be so enticing for the "hacker community" to believe the story because it inflates their already unwarrantedly large egos: we're just so much smarter than the average person at solving puzzles, right? The government surely only employs easily duped idiots - even in significant security positions - whereas we are geniuses operating from our basements.

    Bullshit.

    All we've learnt from this is that Robin isn't what Robin's page initially claimed she is. As for what's actually going on, independent evidence is appropriately lacking.

    1. Re:I simply do not believe any of this by John+Hasler · · Score: 2, Interesting

      > "How could the military/government be so dumb?"

      By consisting of normal human beings.

      > It would be so enticing for the "hacker community" to believe the story
      > because it inflates their already unwarrantedly large egos: we're just so
      > much smarter than the average person at solving puzzles, right?

      The "hacker community" also consists of normal human beings. People outsmart each other all the time. It's what they do.

      > The government surely only employs easily duped idiots - even in
      > significant security positions...

      No, the government employs people. People are often gullible. Especially when they have led each other to believe that they are not.

      > ...whereas we are geniuses operating from our basements.

      No, you are also people. The fact that you tolerate and even support the government (any government) in its "security" operations is proof that you are also gullible.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  18. How to win the war.... by 3seas · · Score: 2, Funny

    Use the hormone appeal weapon of mass population. Works really well with isolated soldiers.

  19. Overhyped Social Engineering by adosch · · Score: 2, Interesting

    This isn't really surprising, nor do I think it's worthy of time at Black Hat, IMHO. The U.S. Military set themselves up for failure already a couple months back by allowing soldiers to openly use Twit-Face-book and any other blogging/social-network internet-enabled apparatus on their NIPRNET network and not enforcing any, for lack of a better term, real punishment for being stupid and giving away whatever the military defines as OPSEC-level information.

    I was surprised myself, being an Iraqi war veteran, when I got back home that all the time I was told to be very elusive when talking about where you are located overseas was a joke. Giving up that information, like geo-location, really isn't something to piss your pants over considering all the local middle easterners already know where the hell all our camps/FOBs/bases are at and the fact that it's online already. Just another case of a lonely horn-dog Army bush-wacker, flexing his muscles and telling his war stories online, looking to get some 'tang.

    Keep your troll comments to yourself, I did my time in the military (and was deployed to Iraq), I know, as well as anyone with any amount of common sense, that this is plausible truth.

  20. Final score in today's game by Blue6 · · Score: 2, Informative

    Security Nerds 0 Fake Pussy 1

    --
    EGOTIST, n. A person of low taste, more interested in himself than in me.
  21. Re:the army is obsolete by jfoobaz · · Score: 2, Funny

    I can't imagine why you would find humans from one longitude to be preferable to humans from another longitude.

    I think you have to allow him some latitude to form his own opinions.

  22. Re:the army is obsolete by bsDaemon · · Score: 5, Insightful

    Yes, and for that I'm eternally grateful, in much the same way my mother once got free dental work in France because her father had fought in the war (though mainly in Belgium and the Netherlands, then into Germany) and the dentist thought it was the least he could do to repay the debt he felt he owed to America. I know it's fashionable to make fun of France and whatnot, but they're not bad people, and they are America's oldest friend.

  23. Re:the army is obsolete by bsDaemon · · Score: 3, Informative

    No, Libertarian Socialism is the technical term for Anarchism. One of the founding intellectuals of the movement, Mikhail Bakunin, was an outspoken opponent of Marx in the First International, saying that Marxist Communism would lead to a "Red Bureaucracy" and was a betrayal of Socialist principles.

    Basically, the idea in Libertarian Socialism is for free individuals to group themselves on direct democratic principles along lines of free association, rather than submitting to a State that is purely an exercise of force. The Libertarian party in the US was infested by Randism and combines the anti-authoritarian aspect of libertarianism with unfettered capitalistic greed. Libertarian Socialism/Anarchism requires that people act in the group interest for the common good, but getting people to do that isn't exactly easy, which is why it wouldn't work on large scale.

    Modern Left-Center type of "Social Democrats" were always viewed by both Anarchists and Communists as "counter-revolutionary," but that's the model that won out in most of Europe and which the US Democratic Party tends to lean as well. It's relatively benign, but seems to scare people on the economic right and let down people on the economic and social left quite often for not going "too far enough".

  24. I take anything from the haxs0r types with salt by Sycraft-fu · · Score: 4, Interesting

    Back when I used to work for the central network operations group on campus, we had a couple of guys on our newly formed security team (this was like 2000, network security was still something we were coming to terms with) who loved to go to all the conferences like Blackhat. Well any time they came back it was with stories of doom and gloom. They talk about the presentations by these people who could do these truly amazing hacks. When this was investigated further, said people turned out to be full of shit.

    The one I remember best was a "security company" who talked about their amazing exploit tool for Windows. They could break in to any Windows domain just with a click. It was all they used anymore when clients needed access to something and had forgotten the password. They couldn't release it because MS would sue them, etc, etc. I questioned them more about this and got some sketchy details relating to NT4 and so on. I then went and asked the guy who headed up operations (one of the smartest people I've ever known) if he'd heard about this. He said "Oh ya, it is this old NT4 exploit that only works in certain situations. I've got the tool right here." The security guys were just floored because, indeed it was what had been talked about and it wasn't nearly so cool (more or less you had to have an NT4 domain and not have fixed a problem with it, wouldn't work in our 2k domain).

    As a more publicly known example, take Joanna Rutkowska who claimed to have invented amazing undetectable malware using virtualization. Slashdot and so on were all a tizzy about it, and people who are actually VM professionals like VMware said "No, this won't work like you think it will and could be detected even if you could make it work." Here we are years later and what do you know, there are not all sorts of undetectable VM based malwares running around. She vastly oversold the whole thing.

    Shit like this happened all the time, near as I could tell from the stories (I didn't go to the conferences). The haxs0r types going up and crowing about how l33t they are to others and drastically overselling what they were capable of doing. So I am very skeptical. I need to see proof, and not some half-assed presentation where details are kept secret, I mean real proof.

    Generally it is not forthcoming.

  25. Re:Savvy? by Securityemo · · Score: 3, Interesting

    In what way would mere "drunk photos" be a threat to my job security? And, if something was a direct threat to my job security why on earth would I put it on facebook? The greater risk would be that "friends" uploaded embarrassing photos, but it would take something like me dual-swilling crack and vodka while fucking a pig for it to affect me so much as to be blackmail material. Lastly, do you really think that I would be so inane as to use passwords that could be reasonably predicted from knowing such things? Even more lastly, how do you know that I don't use subtly false information on social networks in order to both defend and keep track of if someone tries to use that information against me in an attack?

    --
    Emotions! In your brain!
  26. Yo, Abdullah... by zogger · · Score: 2, Funny

    ...yes, Mohammed?

    "I am sitting here in my mud hut and checking facebook, and son of a pig! Did you know we have infidels sneaking around our territory?"

    "No way!"

    "Way! Praise be Allah we have facebook to tell us these things, else, we would not know!"