The techniques discussed in this article are widely-known in security circles, and have been public for years. I talked about something similar in my 2014 article, Troll Hunter.
In Part 1, I mentioned that I had uncovered someone with a forum name of “julio schwartz” (as far as I know not a real name) with 100 other sock puppets at Birther Report. Birthers make claims about sock puppets but usually they don’t know what they are talking about. I do.
Birther Report is a Blogger blog with the Intense Debate commenting plug-in. If I recall correctly, when a comment goes into moderation, the site administrator is informed in an email of the email and IP address of the commenter in moderation and in this case there is a chance the admin might see an email address initially (but can’t go back and look at historical information). The Intense Debate admin information is not a general solution to identifying sock puppets, and its use is restricted to site administrators.
The typical post of “julio schwartz” is a short comment under a name one has never seen before. Here’s an example:
At first glance, there’s not much here. The avatar is generic, but looks can be deceiving. A right-click on the avatar using the Chrome browser gives a “Copy image location” option, a link to a generic avatar image, only it’s not a generic URL:
The interesting bit is “00b80594cd9c492a6af64b238119fea9.” Let’s examine another BR sock puppet candidate:
The URL for that avatar is identical to the one before. What’s going on?
Intense Debate and a lot of other web sites, including this one, manage avatars through a service called Gravatar. The blog or forum creates an encrypted hash (or digest) that it embeds in its comment pages. The URL goes to Gravatar and Gravatar sends the image to the web browser.
If you have an email address registered with Gravatar, as I do, then the avatar returned is one selected by the email owner. In other cases Gravatar makes one up or sometimes the “mystery man” image is returned.
What we are seeing in these URLs is an encrypted hash of the email address that “julio schwartz” gave Birther Report when posting comments, an address constant across all of the hundred or more sock puppets. Not only is the cryptographic hash constant across comments at Birther Report; it is constant across all web sites where the same avatar system and email address is used. (Not all avatars at Birther Report have MD5 hashes, in particular not those using Facebook logins.)
The hashing algorithm is called MD5. Because the email address is encrypted, you can’t see the actual email address itself, but you do know when two are the same.
In the end, after removing “julio schwartz,” I had 225 forum names with internal matches. It looks like the vast majority of those are just people using parts of their real name and switching to an alias later. I have since deleted my “julio schwartz” sock puppet list, and I had to scramble to find the examples for this article, but at one time I spent quite a lot of time right-clicking on avatars at Birther Report.
Our Dr. Conspiracy is certainly a much better investigator than Mike Zullo.
Thumbs up on that!
Yeah but “much better” than “not much” isn’t really saying very much. 🙂
More seriously, thanks Doc for the explanation. I had no idea that was possible.
That’s like saying Sandy Koufax was a better baseball pitcher than Howie Koplitz.
I have a big advantage over Zullo–Zullo is trying to prove a false proposition.
While I believed that I took care to see all pages of the Orly Taitz Super PAC stored in the Web Archive, a few pages were not. One of the pages that didn’t get saved was the one showing photos of cars sporting the Orly Taitz Super PAC bumper sticker. One of those images appeared on this blog:
http://www.obamaconspiracy.org/2014/05/image-without-comment-from-the-orly-taitz-super-pac/
Some folks thought that photo was Photoshopped, but the person I got it from says those are real bumper stickers on his truck (photographed and then removed).
There’s more.
You possess great curiosity , to you not?
I have though of investigating the avatars, or even the names of the posters on any site.
Irrationality has always fascinated me.
And it was really ingenious. 😉
Just nitpicking here, but hashing is not an encryption as it’s a strictly one-way function.
MD5 hashes can be reversed using rainbow tables (huge lists of known hashes) if no salt is used (i.e. if the algorithm simply uses md5(string) instead of md5(‘a_very_long_random_almalgamation_of_characters’ || string)).
So with a huge list of email addresses, it would be possible to reverse the process.
Or, alternatively, with a lucky combination of guesswork (assume the part after the “@” is from a list of the dozen biggest email providers) and brute force (assume the part before the “@” is not overly long). This would identify addresses like “jones73@hotmail.xy”.
Why so it would! See part 3 of the Confession of Dr. Conspiracy.