Reality: Casual forgery is pretty easy. Forgery that will stand up to expert examination is very hard. And impossible if you're a bungling incompetent, as this guy seems to be.
A thing to keep in mind is that many of these forgeries Wright has successfully been using for a number of years. They fooled people! "If it's stupid but it works, it's not stupid".
One thing I've realized during the case is that the kind of scrutiny people apply when they get handed a document as "proof" is not the same as the scrutiny they'd apply if handed a document they know is fake and they simply need to find proof.
In the former case people just tend to confirmation bias themselves, they check a few things and say "yep checks out". While in the latter case, they'll much more quickly say "well if it's authentic, then all the version numbers should check out, lemme go check those".
The former kind of check is almost completely ineffective against an intentional forgery unless it was made by someone dramatically less competent that you. Validation for "proof" sake must use the second process of assuming it false and looking for the evidence of it.
There is nothing fundamentally wrong with accepting a document on its face, but you shouldn't deceive yourself that you've validated something. If someone is giving you a document to prove something then you have to accept a serious possibility that it was fake, otherwise why bother looking at the document at all?
IIRC the fishing link used for the hack pointed to a mainstream URL shortener; and the account that owned that shortened URL used in the fishing op was associated with other URLs dating years back used for fishing campaigns against russian journalists and dissidents.
Hence, pretty strong reasons to suspect Russian state involvment.
I was thinking about another case around the same time where a DNC member had his gmail account compromised by a spearfishing attack (which IIUC is also different from the "DNC leak"). The broad strokes are similar though.
I wonder why we don't have better (widely trusted and used) timestamping services. It has always been easy to prove that something happened after a certain time: take a photo of today's newspaper, mention stock prices, etc.
But proving that an event happened before a certain time, like in the article, is a lot harder. You can send someone an email through a trusted gateway, but people can only check by having access to that mailbox, or trusting the person who has access. And I know about PKI timestamping, but I've never seen them used for legal cases, maybe because the complexity erodes trust.
Are there any good solutions that would convince a non-technical judge?
Edit: I remember Twitter[1] being used for this purpose, but I don't know if today I'd trust a hash dropped there, given how much it's evolving and/or struggling.
Don’t know how convincing it’d be in court, but Open Timestamps[1], a free service that operates by publishing Merkle tree hashes to the Bitcoin ledger and can give you independently-verifiable proofs after a while, still exists even if it doesn’t seem to be under active development. (I think Keybase tried something like that some time ago as well, they already had most of the parts in place, but then they decided to use their own something-or-other-coin and I stopped paying attention.)
A good example of using bitcoin for something that was entirely possible with regular old public key cryptography. Matthew Richardson's Stamper has been running since 1995.
In the end both are just digital signatures, and so are "entirely possible with regular old public key cryptography" as you say. You can achieve a similar effect by sending a gmail message to yourself with an sha256 of the document in the subject. The subject and date are included in the gmail DKIM signature. The cryptographic primitives used by Stamper, gmail DKIM and bitcoin are equally secure as a first approximation.
That means the security ultimately rests on the security of the key used to sign it. So do you trust Matthew Richardson to keep is gpg key secure, or Google to keep their DKIM secure, or the difficulty imposed by a proof of work where the amount of work is equal to a nation states electricity supply? I know which I'd choose out of those three, and that's the key differentiator of bitcoin. It is not the cryptographic primitives used.
Stamper signs and automatically publishes hashes of its history. It is a "block chain" in that sense: If Richardson decided to use the keys to backdate something to two years ago, he would have to fake two years of history, and risk being exposed if even one person came forward with a hash he'd signed contradicting his new fake history.
That is presumably one of the reasons that hasn't happened in the roughly 30 years the service has been ticking along.
> Are there any good solutions that would convince a non-technical judge?
I feel like the best you can do is either to publish a cryptographically secure hash or to publish something encrypted and share the key/password when you want to reveal the secret.
- Immutable (or at least with edits marked as such).
- Widely trusted (or too big to be bribed in small cases, e.g., Google).
- And keep those features for many years.
Twitter was surprisingly good at that in the past, but no more. Blockchains, as mentioned in other comments, give excellent immutability; but the field is such a minefield that I'd struggle to find a trustworthy blockchain explorer.
Why would you trust only one Blockchain explorer? You'd trust the blockchain by using several explorers, and by confirming that they all agree on the same value, to assuage any fears you have about any one particular blockchain explorer lying to you. Write your own, even, if your level of confidence needs to be that high.
I'm repeating what I said above, but just send yourself an gmail with the hash in the Subject. Gmail will kindly timestamp it and provide a DKIM signature. Publish the mail headers gmail includes in the signature (which includes the timestamp and subject, but not the contents), the signature itself, and a link to hashed the document and you're done.
This is only true if Google never release old private keys for DKIM signatures, which various people have been campaigning for them to do in order to provide long-term deniability around DKIM-signed mails.
> This is only true if Google never release old private keys for DKIM signatures, which various people have been campaigning for them to do in order to provide long-term deniability around DKIM-signed mails.
> Are there any good solutions that would convince a non-technical judge?
Judges can be aided by expert reports.
And not all judges are non-technical.
The fact that you can defend your documents with timestamps is often enough: the other side won't challenge them knowing that they are likely to lose the challenge.
If you can prove the existence of the encrypted thing before some point in time than you could prove the existence of the unencrypted thing before some point in time.
There isn't any way to do this without one or more trusted third parties. Traditionally that would involve someone like a public notary or a lawyer.
I was amused to find that there is a service that cryptographically timestamps things over email via PGP that has been running since 1995:
For most purposes, mailing something to yourself for the postmark and keeping the envelope sealed would probably be adequate. It's possible to forge, but tricky enough.
You put postage on the letter, and the post office stamps the postage (to invalidate the postage). The stamp contains a date. You can't stamp something after having mailed it, that happens as part of the mail submission.
OK, I suppose this could be arranged. The seal has to be over the whole of the "back side" of the envelope, where the flap is. Then put the address and the postage over that, and the post office stamps it.
What confused me was how you would achieve post office stamping over a seal that's on the wrong side of the envelope, where the flap is.
There used to be a service that published your hashes in the New York Times. Satoshi must have known about it because it is mentioned in the Bitcoin paper.
> Are there any good solutions that would convince a non-technical judge?
The judge in this case is actually very technical so that's not a problem.
Regardless, the easiest and most direct way to timestamp something is to use the standard RFC 3161 timestamping servers. There are many, located in different countries and run by different people, and the format is straightforward and standardized. Support is built in to products like Acrobat. You can attach multiple timestamps from different sources to a single file. They are free. It can be explained to non-technical people in a not extreme amount of time, and courts / law firms in any country can easily find expert witnesses who can verify such timestamps and testify to the court as to their veracity.
For emails there's also DKIM, which signs email including the date header. Again, plenty of people who can verify those signatures, so emailing something to someone else and then getting a copy of the raw email will do it (don't email to yourself, that skips the signing process).
Disclosure: I took part in this trial as a witness and testified against Wright.
Note that DKIM does not necessarily sign the message contents. [1] DKIM is only really (in a general sense) intended to provide cryptographic proof that the originating server is permitted to send it. If you need a non-reputable, dated message, you really should use time stamping servers.
Yeah it's odd to see a bunch of people proposing ideas for cryptographic timestamps (on the blockchain!) when anyone who has worked with digital signatures should know about RFC3161.
Of course for verification it's important that the timestamp countersignature comes from a reputable CA and not some random server you set up.
We would need to admit no such thing. In fact, it's possible that it's simultaneously not a scam, not practically useful, and also suitable for this purpose.
Stuff on the block chain has a problem asserting anything that's not on the block chain, which is what a lot of people want to use it for. In this case, it's a bitcoin solution to a bitcoin problem. It's all in-universe so to speak.
I always wonder about people like Wright... how does such a brain work? Why would one invest so much of his life and reputation on brazen lies and forgeries? He's been caught so many times, surely nobody can take him seriously anymore, it's over, time to move on - but here he is, forging emails and logs, digging deeper and deeper, turning his life more and more into a farce. Why?
There's pretty broad consensus that Craig Wright is a pathological liar. And I'm not using that as an idiom for "dishonest person", I mean it in the psychiatric term of art sense [0]: he probably has an actual compulsion to lie stemming from some kind of psychological damage, which doesn't stop even when he's caught red-handed (he just invents new even more outrageous lies, even when that's nakedly against his own self-interest). This is confirmed not just by all his behavior re: Bitcoin, but his own mother said at one point he has been like this his whole life. It's. In earlier days of Bitcoin it was causing actual problems, but these days everyone treats him as a carnival amusement and nothing more.
A bunch of bitcoin developers are still facing lawsuits from him, and it still requires a ton of attention from them and is causing them anguish. He may not keep launching lawsuits against random community members, but one of them still has one appeal case and one separate lawsuit against him, for having been mean to him on Twitter.
It's true that most people consider Wright a silly clown these days, but the chilling effect against Bitcoin development is hard to quantify and, I think, wholly real. This is why his latest loss makes today a good day.
From watching the trial, it does seem to be an innate behavior for him, effortlessly spinning "plausible" stories to account for everything he's challenged on, that would sound convincing to somebody without the technical knowledge to understand what he's talking about.
I haven't watched it but surely, hopefully pathological lying in court can get someone in real trouble regarding perjury instead of just the case being lost
I've known a pathological liar. The thing is because people tend to default to trusting, especially because pathological liars will lie about things most reasonable people would not expect anyone to lie about, they will get away with it for a good amount of time (varying by how good they are at it). But their credibility in a given group quickly crumbles once one or two lies are exposed. Often they will then move on somewhere else where they repeat the progress.
The active steps to disguise the truth are hard to understand. Maybe some sort of brain damage? Or maybe a pathological disorder that I don't understand.
However, if I try to assume a good intent, here's what I come up with:
CW knows he is not Satoshi and his case is laughable. However, by chance he happens to be in a unique position (relative to everyone else) where as long as he pushes his case, he keeps attention on the mystery of Satoshi . Maybe that is his goal all along, and his calculations show that he increases the odds of the true creator being revealed by pushing his false claims.
I mean, the anonymity of Satoshi is puzzling. BitCoin is the only major modern invention with an anonymous creator, AFAIK. I guess the most bothering aspect of the whole thing is not that I don't know who Satoshi is, it's that I know there are people out there who do know (maybe in the dozens, hundreds, or low thousands). It's annoying that there are state secrets like that. So if that is CW's intent behind all his puzzling immature actions, then there's an interesting argument to consider that his actions might have a positive ends.
I am continually amazed when I see some large scam unravel and lo and behold the perpetrators were the same people from a previous scam of recent memory. They do it over and over because for a time it works. My current favorite and possibly all time best is the guys behind tether. Every single one of them with a dubious past linked to scams.
"He's been caught so many times, surely nobody can take him seriously anymore, it's over, time to move on..."
Ha, wouldn't it be funny if Wright actually had the last laugh and that his claim that he's Satoshi Nakamoto was meant to have holes so that he would be discredited.
The whole saga of Satoshi Nakamoto and Bitcoin is so odd and unbelievable and fraught with so many open-ended questions one has to wonder what's true and what's not. The only thing for certain is that Bitcoin is real and that someone actually invented it.
Why would Satoshi Nakamoto bother obfuscate facts and hide himself, what would be his motive and what would he achieve by so acting? Even if unlikely it's completely plausible that Wright is Satoshi Nakamoto and that his seemingly shoddy claims about being him is actually part two of some strange hoax that he's cooked up.
Unlikely for sure, but if he is Satoshi Nakamoto then his place in history will be assured for certain, he'll be remembered for a double whammy that'll never be forgotten: the genius of Bitcoin and block chain cryptocurrency, and the biggest king-sized hoax/con job of all time.
Clearly Wright is smart but he could be smarter than we give him credit for. Wright's ego may be such that he wants an assured high place in history, if so then what better way to achieve that than to act as he has done?
Eventually the true identity of Satoshi Nakamoto will be revealed and someone will have that last laugh.
He left court on a Friday, did the email forgery in the article over the weekend, and was back in court on Monday. Forging evidence is always bad, but doing it during the trial in response to something he was cross-examined on? That has to be particularly bad.
Wouldn't it be trivially easy to prove that oneself is Satoshi Nakamoto? Just signing arbitrary messages with one of the many wallet addresses from the first Bitcoins mined? Assuming of course, that those early keys didn't end up like so many: on a hard drive, in a land fill.
It's unfortunate that this is annoying to read with having to expand each entry and then the content popping back up to the top. Annoying enough that I lost interest in reading it. YMMV.
Thanks for the writeup by the way. I kept finding HN posts about the Sartre post and how the signature came from the blockchain, but nothing to explain why the Sartre file hashed the way it did. Thanks for reconstructing it, it really helped me understand the crux of the deception.
In my opinion, he's a conman, as in confidence man. His lies aren't high quality, but he tells them with great confidence, which sadly is appealing to many people. He can answer any accusation on the spot without hesitation. He's vague, so you kind of feel like what he just said contradicted something he said earlier, but most people's reaction is that they must have misunderstood him earlier. He's very good at technobabble; if you don't know that much about technical stuff, he can come off as highly knowledgeable. He will use emotion as necessary.
Over the eight years he's been at this, he has built up a cult following of people who worship the ground he walks on and will defend him ferociously at every opportunity.
Yes, he's a bad liar, but very few people can do what he does.
You likely haven't witnessed him in person. For subjects he is expecting his lies are delivered with perfect fluidity and almost messianic confidence. He easily slips into raw belligerence that absolutely shuts down most people.
He is an expert at statements that brim with sound and fury but which signify nothing, and so although they covey some impression their content leaves nothing to falsify.
He immediately deceives many people. Some of his approach is polarizing, particularly the technobabbling-- people either fall hard for him or see right through him-- but generally a conman only needs to fool some people, not everyone.
The technobabbling even sometimes works on technical people, particularly when they go in pre-awed by him, they assume that misunderstandings are errors on their part.
Like if you met Knuth and asked him a question and he replied with a bunch of jargon you've barely heard about but it doesn't really sound right... you're not going to suddenly start thinking he's a big fake, right? you're going to assume you're the clueless one.
This reminds me of a paper[0] whose thesis is "We enumerate the requirements that a censorship-resistant system must satisfy to successfully mimic another protocol and conclude that “unobservability by imitation” is a fundamentally flawed approach." It relates to censorship-resistant communication systems such as SkypeMorph, StegoTorus, and CensorSpoofer which aim to evade censors’ observations by imitating common protocols like Skype and HTTP.
This is essentially "digital forgery" at the protocol level. I wonder if the thesis could be shown to be generalizable to most digital forgery, or even forgery in general.
This is a great point that hasn't been aired enough. I'm thrilled to see outsiders reading the expert reports-- which are themselves fascinating reading.
I'm one of Wright's defendants and have spent the last several years of my life trapped in this involuntary puzzle hunt.
Often people read the conclusions on the documents and say "man this guy Wright is a total idiot"-- and while I don't disagree with the sentiment, it's the wrong conclusion to draw from the documents.
These debunks seem simple once they've been pointed out to you. But the problem that a forger has is that they must get EVERYTHING exactly right. The anti-forger, on the other hand, need only identify one solid flaw.
Wright's stupidity wasn't so much in any particular error (okay, well a couple were kinda dumb: like backdating documents by robotically replacing all past tense with future tense, turning him into nostradumbass.)-- but the scale meant that it was inevitable the he would make errors.
Unfortunately he's been learning and for the most part his later forgeries had a lot less metadata to go on. If he gets too many more tries he may be able to start producing unfalsifiable forgeries. I'm really homing the judgement is forceful enough to meaningfully shut him down.
Thanks! The quality of the expert witness statements is astonishing, and the sheer scale of the work carried out in a relatively short period of time is something I just can't imagine. Do you know if there's any likelihood of the opposition's expert witness statements (or Craig's remaining witness statements) being made public?
They'll be made public. They're also good, though I think you'll agree ours are more interesting-- as our side found close to a strict superset of issues.
I think in particular the Lynch (one of Wright's expert) report on the LaTeX files is interesting because it took a different approach than Rosendahl -- so it wasn't as duplicative: Rosendahl tried using legacy tools against the files, Lynch used current tools the combination was particularly fatal to Wright because if only one approach had been used Wright would have claimed that the other approach would have produced results that supported his case.
(Rosendahls' report itself is a great work in its own right, in spite of being a LaTeX user for >20 years I learned quite a few things from it).
I wish we'd gotten access to Wright's 22 million lines of chatgpt traffic since September, that might have been particularly interesting! -- the abuse of LLM's in the case is itself something of public interest that sadly wasn't adequately ventilated in the trial because we weren't able to get the relevant records. But there were pretty good indications that Wright used ChatGPT directly to create forgeries, aid in the construction of other forgeries, and to pad out his witness statements in a bit of a volumetric attack.
The Bitcoin legal defense fund has tried to get out most of what it could lawfully put out, -- skipping a few things with privacy issues-- but once the trial started the priority shifted to managing the case.
The default openness of the US courts may well have been the real hero in all this: documents and statements made public in the kleiman case boxed wright in from every angle. Its important that materials from this case are made public because it may not, unfortunately, be the last we hear from wright. Even where the US case didn't make some things public, it make their existence public which in some cases enabled us to obtain them: e.g. we were able to get all of Gavin's communications with Satoshi which had previously been provided to Wright and whose existence Wright tried desperately and ultimately unsuccessfully to deny.
The UK court openness is less by default, but the parties have a substantial ability to publish things-- allowing the parties to get things much closer to US practices.
Did you get to see any of Ramona's box of last-minute handwritten evidence? While I'm glad you didn't have to deal with it and drag things out further, I'd love to see more entertainingly obvious forgeries, like the notepad dated '07 that wasn't printed until 2012.
Yes. hehe. Mixed feelings on that. It's fun to dunk on his forgeries, but they all have risk.
I very much did not enjoy having to read a large amount of handwritten nonsense on a short fuse during the trial... and in some sense he was successful with them in that he wasted an enormous amount of time that could have been spent on something else, an they likely won't weigh against him substantially if at all since they didn't get used.
A more serious case of this took place in Turkey two decades ago, and involved the jailing of a significant fraction of the military leadership. So it amounted to a judicial coup against the military. The son-in-law of one of the generals (Cetin Dogan) analyzed a piece of the evidence, a Word document ostensibly dated 2003, and proved that it contained anachronisms dating it to at least 2007.
You'd think by now that everyone—especially those who'd intend forging documents—would be aware of the 'mismatched' font problem but it appears not because it's happened in significant numbers of high profile cases in the past. Simply, these forgers haven't done their necessary homework.
Even with homework done I'd never attempt it for the same reasons that Matthew Garrett outlined in his article.
However, assume a hypothetical case where I had to forge a document what would I do? My first thought would be to obtain a pensioned-off PC complete with operating system, user apps such as MS Office/Word and standard default fonts that was last used a little before the date of my intended forgery.
Obtaining such a PC may seem like a tall order but it might not be as difficult as it seems, but it certainly won't be easy. I say that it's possible by just looking at my own situation. In my shed I have a stack of old PCs gathering dust that haven't been switched on in several decades, no doubt there are many similar piles of junk out there in user-land that can be tapped for a suitable PC.
Next, I'd ensure the PC was not switched on until I'd removed the hard disk and forensically mirrored it to a backup on another PC. The mirrored disk image can then be examined to determine the exact date when it was last used, etc., etc.
Without reinstalling the hard disk and before switching it on I'd disconnect the PC's clock battery and or short out the clock operation so the clock was set to the factory default time (I.e. not set). I'd then switch on and set the date in the BIOS slightly ahead of the last date the PC was last switched on (that date I'll have already determined from my forensic analysis of the mirrored image).
After reinstalling the HD I'd switch on and hopefully I'd have functional PC whose date and time would indicate that it was switched on shortly after the actual time it was last used.
At this point and before proceeding further I'd take another mirror image of the HD and compare it with the original for any gotchas. Unless something goes awry I'll use this second mirror for all future installations and any necessary tweaks.
My next step would be to draft out the forged text by hand on paper. I'd study this text with great care to ensure that I've the precise wording and that there are no references to forward dates or events that could not have happened by the date of the forgery. I'll then sit on the text for 24 hours or more to think about it just to make sure that everything I've written is as 'faultless' as is possible.
Assuming all's well and only then will I switch on the PC and use the installed copy of MSO/Word with one of the common already-installed typefaces such as Ariel or Times New Roman to type my text.
Even then, with all that done, I'd still be shitting myself that I'd not fully covered my tracks!
Note: that's the short version, there are many other intermediate checks too detailed to mention here. Some of these steps may require minor tweaks to the second mirror (metadata changes, etc.) before it's mirrored back to the original HD. Any edits to the second mirror should only be done after it's been backed up.
Doing these checks and ensuring that one's covered one's tracks isn't for the feinthearted. Right, the stakes have to be extraordinarily high to even bother attempting such a job.
_
Edit: if the forgery is to appear in printed form then it should be printed on old stock paper with a printer of the same era, say a HP LaserJet III for instance. Even with expertise, artificially aging such a document is a complicated process and even then it's unlikely to pass muster with a basic forensic analysis.
Another approach is to do the above then photocopy the original then 'lose' it and only use the copy. Recopying the copy on multiple machines of different brands will make tracing the original photocopier more difficult as each machine will have optics with minor distortions that are different to one another. Faxing the document sans headers will further obfuscate where the copy originated as faxes are of low resolution and introduce artifacts noise, but keep in mind that the mechanics and optics of fax machines introduce the same type of distortions as photocopiers.
Again, don't bet your chances, if you use these methods then smart forensics are still likely to nab you.
>You'd think by now that everyone—especially those who'd intend forging documents—would be aware of the 'mismatched' font problem but it appears not because it's happened in significant numbers of high profile cases in the past.
I'm reminded of that scene in mindhunter where the detectives go to Kemper something like "this theory is unsupported by the data we've collected on serial killers." And kemper calmly responds "Seems to me all of the data you've gathered is from serial killers you're caught."
Kemper believes there are many serial killers undiscovered, and more importantly easily able to avoid detection (as he did) unless they turn themselves in. This is while the fbi is speculating profiles of an active serial killer.
Interesting article, but the headline seems dubious. What's the opposite of survivorship bias? Because it seems like the population of good forgeries would be hard to quantify.
I don't think the premise that digital forgeries are hard is invalidated by the possibility that there might be a good number of undetected forgeries out there. Things can be hard to do, but still done in decent quantities.
You do make a good general point, though! Good forgeries are by their nature not known to be forgeries.
Surprised that noone mentioned Barely Sociable video on Satoshi Nakamoto[1] (last of a 3-part series). Pretty strong arguments as to why Adam Back is Satoshi, the amount of coincidences is just way too many IMO.
Craig Wright is definitely not Satoshi, the guy has some issues and so keeps claiming that he is.
reply