[This is just a repository for comments to other blogs, as described here.]

Tuesday, December 7, 2010

Barackryphal - commentary regarding Techdude

[This comment is responding to this post and thread.]
Thought it might be good to provide a bit more info.

When Neal Krawetz discovered Adam Fink's claimed credentials matched those of Techdude, and posted this online (August 4, 2008), Fink contacted him claiming libel and that this was a case of identity theft – that he wasn't Techdude.  Neal gave him benefit of the doubt and posted an update to this effect on August 6.

Shortly thereafter (August 9) Koyaan posted updates to a post, noting comments by TexasDarlin in which TexasDarlin effectively appeared to be claiming that Techdude indeed was Adam Fink.

It seems that immediately thereafter both "Techdude" and Adam Fink went silent – Fink stopped responding to phone calls and e-mails about this matter (i.e. I know of two bloggers who were attempting to communicate with him about this – in one of these cases, he stopped in mid-correspondence at this point, though just prior to this he had been loquacious in denying the identity and had been corresponding in a "friendly" tone). Thereafter, TexasDarlin and Polarik both distanced from the Techdude material (with TexasDarlin pulling the Techdude posts).

Meanwhile, I’d been digging around for weeks, and (by late July) had come up with other material. This included an import company using a webmaster who I thought was probably Adam Fink and who used the e-mail address Techdude@yahoo.com. There were also a series of postings from 2006-2007 under the handle techdude at Computer Forensics World: Forums.

The material in these posts (e.g. "Digital Forensics Examiner" in mid-Missouri location, etc.) provided sufficient information to identify the poster as Adam Fink. There was also a false lead – someone posting under the handle Techdude at Stormfront (this ultimately turned out to be a different person). There were also a few others using this handle online, but they all could be readily excluded based on information in their posts and obvious linguistic differences.

I contacted the owners of the import company and was told that Techdude@yahoo.com was indeed Adam Fink. I was also corresponding with someone else who asked me to keep certain information confidential. I was also conducting linguistic analysis (I have a stats background and some experience with machine learning, but prior to this had not worked on authorship attribution).

I'd also been corresponding with blogger Joseph Cannon. On August 31, he posted the information directly tying the handle "Techdude" to Adam Fink (via the Yahoo e-mail account).

This posting occurred a bit earlier than I would have liked (though it's understandable, since interest in Techdude had begun to wane – and it’s preferable for a blogger to strike while the iron is hot). I'd wanted to complete the linguistic analysis I was performing, and I was still hoping to resolve things with the person who had provided me with confidential information (i.e. so that everything could be made public).

I subsequently completed the linguistic analysis, and posted a brief comment on the outcome - see penultimate comment in this thread.

The upshot was that the analysis confirmed that Adam Fink was the author of the TexasDarlin Techdude postings (and also clearly showed that the person at Stormfront was someone else).

To provide a bit more detail – there were three relevant bodies of textual information: 1. the Techdude postings regarding the COLB, 2. material I’d obtained from various sources that had definitively been written by Adam Fink, and 3. postings under the techdude handle at the computer forensics forum, where information in the postings appeared to identify the author as Adam Fink.

[Brief tangent: There's a lot of information within the computer forum posts that indicate the poster to be Adam Fink. For example, the poster identifies himself to be a "Digital Forensic Investigator" who runs a private computer forensics business in the mid-Missouri area. Adam Fink’s company advertised as "The only privately run Computer Forensic Science Laboratory in the Mid-Missouri area". In addition there are many matching details. E.g.
From a posting by techdude at the computer forum:  "I am all too familiar with the bug you picked up. To make a long story short you can not remove it except by wiping out and reformatting the drive....A few months ago I was hired to clean an entire office infected with this malware – after a week of searching the entire NTFS structure, logs, cookies, and trial and error....You will most likely see a new application called something like Spyware Sheriff (I forget the exact name) which pretends to be an anti-malware application."
From a posting by Adam Fink in an online chat:
"Comment From Biggs: The worst virus I've ever come across is the one that looks like it's spyware ...it pretends to be a 'virus scanner' but it will screw up your life
Adam Fink, CrLI CCE: Biggs - I know that one well. I spent 2 weeks trying to fix a client's entire office network with that one. Sadly there is no fix..just a reformat/reinstall. They should find the guy who wrote that one and have them force fed hot sauce."]

I analyzed the three bodies of text mentioned above, along with many other sources of online text, as noted in the Cannonfire comment I linked. After a lot of experimentation (using material of known authorship), I concluded that the most reliable method for correctly concluding authorship (in my hands) was to use a very large set of random alternative authors, to extract appropriate linguistic features (e.g. these can be function words, parts of speech, so called "unstable words" that have many synonyms, etc.), then to use statistical or machine learning methods (on the feature set) to do the ascription. So there's information on textual features from documents known to be produced by each of the authors, and there's information for these same features for the document or corpus of unknown authorship. Basically, which known author is the document (of unknown authorship) closest to.  If a particular person is suspected to be the author, and the document ends up being ascribed to the suspected author rather than any of a large set (e.g. 100) of random alternative authors, then there’s pretty strong evidence that the suspected author is indeed the actual author.

Insofar as possible, it’s preferable to keep the genre similar (to exclude genre effects). I ended up finding that the statistical authorship attribution tool JGAAP was a quite useful. There are different statistical or machine learning approaches for doing the ascription, but I found that in this case they basically all gave the same result. As an aside, I’ll mention that after posting the Cannonfire comment, and having done a lot of experimentation on other cases,  I’ve concluded that Support Vector Machine (available within JGAAP) seems to have the highest accuracy – and in this case (i.e. Techdude), the results of SVM match those using other methods (e.g. cross-entropy, etc.).

Basically, the Techdude COLB material, the computer forensics techdude comments, and the Adam Fink documents were found to have the same author (i.e. Adam Fink).

As another aside, I'll mention that the same approach also further confirmed the identity of Polarik and Polland (though his style tends to drift more over time and genre than Fink's does), and it also verified that Obama was clearly the author of Dreams (and Ayers was not). Indeed, with Dreams it even excludes Ayers as the author of the specific short segments that Cashill claimed were most likely to have been authored by Ayers. It also identified "Spengler" as David P. Goldman (prior to his inadvertent self-outting).

Aside from the formal analysis (which I put the most faith in), there are a lot of unique matching word strings tying together the three bodies of material by Fink. For example:
COLB Techdude: It does not generally take a fully equipped computer forensics lab to
Computer forensics forum Techdude (Adam Fink): nor a fully equipped computer forensics lab so

A few other examples:
COLB Techdude: call the good folks over at Vital Records
Adam Fink: We are looking forward to see what the good folks over at DC3
COLB Techdude: I enjoy forensic challenges such as the Department of Defense's DC3 Forensic Challenge which this year (and last) just so happen to
Adam Fink: The results of the 2007 Department of Defense's Cyber Crime Center (DC3) Digital Forensics Challenge are in.
COLB Techdude: Just more food for thought.
Computer forensics forum Techdude (Adam Fink): Just some food for thought.

There are many many more such matched phrases.

Also, the corpora share the same "jokey" language in places (e.g. from the postings at the computer forum: "At least with your minor in possession charge you know how the court system works – just kidding.";"All I can say is YIKES!";etc.), both COLB Techdude and Computer Forensics Techdude (Adam Fink) ridicule PhD's, etc.

Also, at the computer forensics forum, Techdude (Adam Fink) comments: "finding embedded graphics that were steganographicly hidden" (i.e. this refers to finding a hidden message within an image - the word "steganographic" specifically means "concealed writing"). This was in essence what he was claiming to do with the COLB and Maya’s "hidden" name.

I'll also mention that there are questions of exaggeration and competence that arise with Fink (separate from the COLB case). Adam Fink's claim to have worked on 7000 forensic cases appears unrealistic and inflated.

Also, in the afore noted KRCG sponsored "Chat with forensic computer expert Adam Fink"
In response to someone saying "The worst virus I've ever come across is the one that looks like it's spyware ...it pretends to be a 'virus scanner' but it will screw up your life"
Fink replies "I know that one well. I spent 2 weeks trying to fix a client's entire office network with that one. Sadly there is no fix..just a reformat/reinstall. They should find the guy who wrote that one and have them force fed hot sauce."

"I know that one well"??? There isn't "one" such type of malware – there are hundreds of different malware programs that masquerade as anti-malware "virus scanners". The "Sadly there is no fix..just a reformat/reinstall." (which is what he apparently actually did when hired to deal with malware problems at an office – he reformatted all their computers) also indicates ignorance.  I’ve removed fake "virus scanner" malware (multiple different forms) from many computers – a reformat is essentially never required if you know what you’re doing.

This past year, a client who hired him to deal with cyberstalking was murdered, apparently by her ex-husband. Fink told the local newspaper that he had communicated information about the cyberstalking to the DA's office, which set off a bit of a brouhaha when the DA's office noted that he had never actually communicated such information to them (and they also noted that if he actually had such information to report at the time, he should have contacted the police rather than the DA's office).

A Scratchpad


This is not an actual blog. It’s simply a scratchpad – a repository for my comments on other blogs. I’ve occasionally found myself frustrated by technical problems in adding a comment to a blog post – some sequence of characters in the comment, or the length of the comment, or the presence of too many hyperlinks, or some other feature interferes with publication.  The cause of the problem is often unclear and not readily resolved. This “blog” is a kludge – an inelegant workaround.  I can place the actual content of the comment here, and merely submit a hyperlink at the blog to which I am commenting.

Since this is simply a repository for my comments on other blogs, I’ve disabled commenting at this site. Comments responding to anything posted here should be published on the primary blog to which my comment was originally directed.