https://mjg59.dreamwidth.org/69507.html
Account name: [ ] Password [ ] [Log in]
(OpenID?) (Forgot it?) [ ] Remember Me
You're viewing [personal profile] mjg59's journal
Create a Dreamwidth Account Learn More
[ ] [Interest ] [Go]
Reload page in style: site light
Matthew Garrett
Digital forgeries are hard
Digital forgeries are hard
Mar. 14th, 2024 12:30 am
[personal profile] mjg59
Closing arguments in the trial between various people and Craig
Wright over whether he's Satoshi Nakamoto are wrapping up today,
amongst a bewildering array of presented evidence. But one utterly
astonishing aspect of this lawsuit is that expert witnesses for both
sides agreed that much of the digital evidence provided by Craig
Wright was unreliable in one way or another, generally including
indications that it wasn't produced at the point in time it claimed
to be. And it's fascinating reading through the subtle (and, in some
cases, not so subtle) ways that that's revealed.
One of the pieces of evidence entered is screenshots of data from
Mind Your Own Business, a business management product that's been
around for some time. Craig Wright relied on screenshots of various
entries from this product to support his claims around having
controlled meaningful number of bitcoin before he was publicly linked
to being Satoshi. If these were authentic then they'd be strong
evidence linking him to the mining of coins before Bitcoin's public
availability. Unfortunately the screenshots themselves weren't
contemporary - the metadata shows them being created in 2020. This
wouldn't fundamentally be a problem (it's entirely reasonable to
create new screenshots of old material), as long as it's possible to
establish that the material shown in the screenshots was created at
that point. Sadly, well.
One part of the disclosed information was an email that contained a
zip file that contained a raw database in the format used by MYOB.
Importing that into the tool allowed an audit record to be extracted
- this record showed that the relevant entries had been added to the
database in 2020, shortly before the screenshots were created. This
was, obviously, not strong evidence that Craig had held Bitcoin in
2009. This evidence was reported, and was responded to with a couple
of additional databases that had an audit trail that was consistent
with the dates in the records in question. Well, partially. The audit
record included session data, showing an administrator logging into
the data base in 2011 and then, uh, logging out in 2023, which is
rather more consistent with someone changing their system clock to
2011 to create an entry, and switching it back to present day before
logging out. In addition, the audit log included fields that didn't
exist in versions of the product released before 2016, strongly
suggesting that the entries dated 2009-2011 were created in software
released after 2016. And even worse, the order of insertions into the
database didn't line up with calendar time - an entry dated before
another entry may appear in the database afterwards, indicating that
it was created later. But even more obvious? The database schema used
for these old entries corresponded to a version of the software
released in 2023.
This is all consistent with the idea that these records were created
after the fact and backdated to 2009-2011, and that after this
evidence was made available further evidence was created and
backdated to obfuscate that. In an unusual turn of events, during the
trial Craig Wright introduced further evidence in the form of a chain
of emails to his former lawyers that indicated he had provided them
with login details to his MYOB instance in 2019 - before the metadata
associated with the screenshots. The implication isn't entirely
clear, but it suggests that either they had an opportunity to examine
this data before the metadata suggests it was created, or that they
faked the data? So, well, the obvious thing happened, and his former
lawyers were asked whether they received these emails. The chain
consisted of three emails, two of which they confirmed they'd
received. And they received a third email in the chain, but it was
different to the one entered in evidence. And, uh, weirdly, they'd
received a copy of the email that was submitted - but they'd received
it a few days earlier. In 2024.
And again, the forensic evidence is helpful here! It turns out that
the email client used associates a timestamp with any attachments,
which in this case included an image in the email footer - and the
mysterious time travelling email had a timestamp in 2024, not 2019.
This was created by the client, so was consistent with the email
having been sent in 2024, not being sent in 2019 and somehow getting
stuck somewhere before delivery. The date header indicates 2019, as
do encoded timestamps in the MIME headers - consistent with the mail
being sent by a computer with the clock set to 2019.
But there's a very weird difference between the copy of the email
that was submitted in evidence and the copy that was located
afterwards! The first included a header inserted by gmail that
included a 2019 timestamp, while the latter had a 2024 timestamp. Is
there a way to determine which of these could be the truth? It turns
out there is! The format of that header changed in 2022, and the
version in the email is the new version. The version with the 2019
timestamp is anachronistic - the format simply doesn't match the
header that gmail would have introduced in 2019, suggesting that an
email sent in 2022 or later was modified to include a timestamp of
2019.
This is by no means the only indication that Craig Wright's evidence
may be misleading (there's the whole argument that the Bitcoin white
paper was written in LaTeX when general consensus is that it's
written in OpenOffice, given that's what the metadata claims), but
it's a lovely example of a more general issue.
Our technology chains are complicated. So many moving parts end up
influencing the content of the data we generate, and those parts
develop over time. It's fantastically difficult to generate an
artifact now that precisely corresponds to how it would look in the
past, even if we go to the effort of installing an old OS on an old
PC and setting the clock appropriately (are you sure you're going to
be able to mimic an entirely period appropriate patch level?). Even
the version of the font you use in a document may indicate it's
anachronistic. I'm pretty good at computers and I no longer have any
belief I could fake an old document.
(References: this Dropbox, under "Expert reports", "Patrick Madden".
Initial MYOB data is in "Appendix PM7", further analysis is in
"Appendix PM42", email analysis is "Sixth Expert Report of Mr Patrick
Madden")
Tags:
* advogato,
* fedora
* Previous Entry
* Add Memory
* Share This Entry
* Next Entry
---------------------------------------------------------------------
* 8 comments
* Reply
---------------------------------------------------------------------
Flat | Top-Level Comments Only
makingnold document
Date: 2024-03-14 01:36 pm (UTC)
From: (Anonymous)
I am over 40 and remember Word 97 and Star Office 5.2 pretty well.
Including all space intended, georgia-times new roman mixed, wordart
nonsense.
I think I could make some old looking .doc files for a coin.
* Link
* Reply
* Thread
* Hide 5 comments
* Show 5 comments
Re: makingnold document
Date: 2024-03-14 03:17 pm (UTC)
From: (Anonymous)
But could you be certain that you'd caught everything anyone might
check, when a lot of people are motivated to catch you out? It's
happened enough times that I have to say that although I'm also
fairly confident of being able to fool a lay-person, I'm not entirely
sure I'd be able to make a forgery that I couldn't detect, let alone
fool someone with experience in such things.
Are you sure that the copies of the fonts that you're using have the
same kerning as the originals? That no-one will use radiocarbon
dating to discover that your old printed copies aren't so old? That
your digital copies have enough metadata to be convincing, but none
that's anachronistic?
* Link
* Reply
* Thread from start
* Parent
* Thread
* Hide 4 comments
* Show 4 comments
Re: makingnold document
Date: 2024-03-14 06:45 pm (UTC)
From: (Anonymous)
Yeah. If the opposing party is just a dupe in a scam, and there are
many other fish in the sea to target, that's one thing. If the
opposing party has incentive to do a deep dive on authenticity...
that's a lot harder.
* Link
* Reply
* Thread from start
* Parent
Re: makingnold document
Date: 2024-03-14 06:51 pm (UTC)
From: (Anonymous)
Email may be tricky, since it is intrinsically networked, but for
documents it should be fairly easy to forge:
1. You go to a fleamarket, pick up an Intel 486 PC.
2. Set the date to what you want in BIOS. (The real-time clock's
battery will likely have died so it won't know the current date)
3. Install Windows 98. It will have original fonts etc. No networking
ofc.
4. Reproduce your document...
* Link
* Reply
* Thread from start
* Parent
* Thread
* Hide 2 comments
* Show 2 comments
Re: makingnold document
Date: 2024-03-14 09:41 pm (UTC)
From: (Anonymous)
I'm with you. With the (obectively delusional, of course) prospect of
billions of dollars on the line, it would certainly be /possible/ to
put in enough effort to create an at least /much more/ waterproof
forgery, even if it's hardly going to be a sufficiently convincing
argument to actually achieve his goal.
That's what I find so funny about Craig's clownish efforts, right
from the very start: in retrospective, all his supposed proofs are
kinda low-effort, consistent with him ofc being literate with
computers, but in the end just being a pathological liar that can't
help but /just never/ going all the way. Time and again he's
expecting everybody to be stupid enough to fall for his charades.
By now the sheer balls of it have become his legacy, and I expect one
day all of this will make for a great movie.
* Link
* Reply
* Thread from start
* Parent
Re: makingnold document
Date: 2024-03-14 09:46 pm (UTC)
From: [personal profile] mjg59
Whoops! You missed the bit where you forensically wipe the hard drive
to ensure that there's no data on there that contradicts your
timeline (such as timestamps that indicate the machine was booted
after your supposed install time), because in this sort of case
you're going to need to provide some sort of chain of explanations
for how you came into possession of this document and that's going to
include disclosing images of all your hard drives to the other side.
* Link
* Reply
* Thread from start
* Parent
there is only 1 source of truth.
Date: 2024-03-14 08:34 pm (UTC)
From: (Anonymous)
the earliest blocks > move coins. ;)
* Link
* Reply
no subject
Date: 2024-03-14 08:36 pm (UTC)
From: (Anonymous)
`Even the version of the font you use in a document may indicate it's
anachronistic.'
Quick link to one of the more prominent cases:
https://slate.com/technology/2017/07/
the-font-calibri-is-playing-a-surprising-role-in-a-pakistani-scandal.html
(https://slate.com/technology/2017/07/
the-font-calibri-is-playing-a-surprising-role-in-a-pakistani-scandal.html)
* Link
* Reply
* Previous Entry
* Add Memory
* Share This Entry
* Next Entry
* 8 comments
* Reply
Flat | Top-Level Comments Only
Profile
Matthew Garrett
About Matthew
Power management, mobile and firmware developer on Linux. Security
developer at Aurora. Ex-biologist. [personal profile] mjg59 on
Twitter. Content here should not be interpreted as the opinion of my
employer. Also on Mastodon.
Page Summary
* (Anonymous) - makingnold document
* (Anonymous) - there is only 1 source of truth.
* (Anonymous) - (no subject)
Expand Cut Tags
No cut tags
Top of page