
'Robin Sage' Social Hoax Duped Military, Security Pros

ancientribe writes "A social networking experiment of a phony female military security professional known as 'Robin Sage' (named after a US Army Special Forces training exercise) worked way too well, fooling even the most security-savvy professionals on LinkedIn, Facebook, and Twitter. It also led to the leakage of sensitive military information after an Army Ranger accepted 'Robin's' friend request on Facebook and his photos from Afghanistan exposed geolocation information accessible to 'Robin.' The researcher who conducted the experiment will show off his findings at the upcoming Black Hat USA conference in Las Vegas, where the real woman pictured in the profiles is scheduled to introduce him for his presentation."
  • by Michael Kristopeit ( 1751814 ) on Wednesday July 07, 2010 @12:14PM (#32827564)
    I thought that Facebook resized all uploaded photos... I don't have a Facebook account to test... is Facebook purposefully copying over the geolocation information from camera-phones into the resized images, or was location determined by surrounding land features?
  • Geolocation? (Score:3, Interesting)

    by pgn674 ( 995941 ) on Wednesday July 07, 2010 @12:39PM (#32827946) Homepage
    I thought Facebook sanitized uploaded photos of their metadata in the process of resizing them for display on the internet?

    I just checked an uploaded JPG against an original, and yes indeed Facebook does sanitize the metadata. I wonder where the geolocation info came from?
  • by sadness203 ( 1539377 ) on Wednesday July 07, 2010 @12:48PM (#32828084)
    Well obviously, they are keeping it. It's a lot of good information to target you with specific ads, or sell it to other people. They can extrapolate a lot of information from EXIF metadata; geolocation is one of them, but there's a lot more to it.
  • by FuckingNickName ( 1362625 ) on Wednesday July 07, 2010 @12:52PM (#32828136) Journal

    Not Fucking Up 101 incorporates not believing some random person on the Internet (or in real life) who says they have a particular position. It would also encompass not posting pictures of your location to the Internet.

    So the question we really need to ask is not, "How could the military/government be so dumb?" but, "What connections do these researchers have with the government, and what are they actually trying to achieve with this theatre?"

    It would be so enticing for the "hacker community" to believe the story because it inflates their already unwarrantedly large egos: we're just so much smarter than the average person at solving puzzles, right? The government surely only employs easily duped idiots - even in significant security positions - whereas we are geniuses operating from our basements.

    Bullshit.

    All we've learnt from this is that Robin isn't what Robin's page initially claimed she is. As for what's actually going on, independent evidence is appropriately lacking.

  • by John Hasler ( 414242 ) on Wednesday July 07, 2010 @01:36PM (#32828640) Homepage

    > "How could the military/government be so dumb?"

    By consisting of normal human beings.

    > It would be so enticing for the "hacker community" to believe the story
    > because it inflates their already unwarrantedly large egos: we're just so
    > much smarter than the average person at solving puzzles, right?

    The "hacker community" also consists of normal human beings. People outsmart each other all the time. It's what they do.

    > The government surely only employs easily duped idiots - even in
    > significant security positions...

    No, the government employs people. People are often gullible. Especially when they have led each other to believe that they are not.

    > ...whereas we are geniuses operating from our basements.

    No, you are also people. The fact that you tolerate and even support the government (any government) in its "security" operations is proof that you are also gullible.

  • by Sycraft-fu ( 314770 ) on Wednesday July 07, 2010 @01:47PM (#32828752)

    Back when I used to work for the central network operations group on campus, we had a couple of guys on our newly formed security team (this was like 2000, network security was still something we were coming to terms with) who loved to go to all the conferences like Blackhat. Well any time they came back it was with stories of doom and gloom. They talk about the presentations by these people who could do these truly amazing hacks. When this was investigated further, said people turned out to be full of shit.

    The one I remember best was a "security company" who talked about their amazing exploit tool for Windows. They could break in to any Windows domain just with a click. It was all they used anymore when clients needed access to something and had forgotten the password. They couldn't release it because MS would sue them, etc, etc. I questioned them more about this and got some sketchy details relating to NT4 and so on. I then went and asked the guy who headed up operations (one of the smartest people I've ever known) if he'd heard about this. He said "Oh ya, it is this old NT4 exploit that only works in certain situations. I've got the tool right here." The security guys were just floored because, indeed, it was what had been talked about and it wasn't nearly so cool (more or less you had to have an NT4 domain and not have fixed a problem with it, wouldn't work in our 2k domain).

    As a more publicly known example, take Joanna Rutkowska who claimed to have invented amazing undetectable malware using virtualization. Slashdot and so on were all a tizzy about it, and people who are actually VM professionals like VMware said "No, this won't work like you think it will and could be detected even if you could make it work." Here we are years later and what do you know, there are not all sorts of undetectable VM-based malware running around. She vastly oversold the whole thing.

    Shit like this happened all the time, near as I could tell from the stories (I didn't go to the conferences). The haxs0r types going up and crowing about how l33t they are to others and drastically overselling what they were capable of doing. So I am very skeptical. I need to see proof, and not some half-assed presentation where details are kept secret, I mean real proof.

    Generally it is not forthcoming.

  • by Anonymous Coward on Wednesday July 07, 2010 @02:12PM (#32829076)

    If I only added my close friends to Facebook, I wouldn't use it. I call my close friends personally if I want to talk and I can't see them. Or if I'm just bored.
    Facebook is useful when meeting new people, you can meet up with people you might never have seen again. In fact a few of my now-close friends I might not have continued seeing if it wasn't for Facebook.

  • by easterberry ( 1826250 ) on Wednesday July 07, 2010 @03:22PM (#32830100)

    Wow. So ignoring the attempt to start a political flame war...

    It's not laziness at all. If someone says they want "a well regulated free market" I'm not going to run to Google. I'm going to point out that, by definition, a free market lacks regulation. Same as if they say "a communist class structure". Through my understanding of the terms, "libertarian socialist" was an intrinsic contradiction, so the logical conclusion was that either (A) the OP did not understand one of the terms (B) the OP wrote the wrong word (i.e. libertarian instead of liberal or some such) or (C) the OP had no idea what he was talking about or (D) the OP was wording his argument poorly. Therefore I asked my question in such a way to cover these options.

  • Re:Savvy? (Score:4, Interesting)

    by Securityemo ( 1407943 ) on Wednesday July 07, 2010 @06:09PM (#32832790) Journal
    In what way would mere "drunk photos" be a threat to my job security? And, if something was a direct threat to my job security why on earth would I put it on Facebook? The greater risk would be that "friends" uploaded embarrassing photos, but it would take something like me dual-swilling crack and vodka while fucking a pig for it to affect me so much as to be blackmail material. Lastly, do you really think that I would be so inane as to use passwords that could be reasonably predicted from knowing such things? Even more lastly, how do you know that I don't use subtly false information on social networks in order to both defend and keep track of if someone tries to use that information against me in an attack?
