Anonymous Ready To Dump More HBGary E-mails, Launch AnonLeaks

One of the technical issues that seems to be consistently
overlooked in the HBGary saga is important because it confirms
the authenticity of the emails acquired by Anonymous. After
the hack by Anonymous, the HBGary website contained the
following notice: 



[div class="excerpt"] "Meanwhile, please be
aware that any information currently in the public domain is
not reliable because the perpetrators of this offense, or
people working closely with them, have intentionally falsified
certain data...." 

http://dagblog.com/reader-blogs/hb-gary-federal-anonymous-and-wikileaks-8912

[/div]  


HBGary's statement regarding the intentional falsification of
data is what appears to have resulted in the decision to
release an additional 27,000-odd messages belonging to Greg
Hoglund, founder of HBGary, Inc. 

Now, despite Mr. Hoglund's statement, if you download and
examine the emails, specifically those authored by Aaron Barr,
you will notice that many of them are digitally-signed with a
VeriSign Class 1 Individual Subscriber certificate. (Details
of which can be seen below). 

The majority of Aaron's emails (except those sent from his
IPad) sport a cryptographically-secure digital signature and
can thus be demonstrated to be untampered with. Each such
signed email has an icon that resembles an envelope with a
little red wax seal on it. When you click on this icon, a
pop-up comes up which reads as follows: 

Message Security
Message is Signed
This message includes a valid digital signature. The message
has not been altered since it was sent.

Signed by: Aaron Barr
Email address: aaron@hbgary.com
Certificate issued by: VeriSign Class 1 Individual Subscriber
CA - G2
[View Signature Certificate] (button)

Message Not Encrypted
This message was not encrypted before it was sent, information
sent over the Internet without encryption can be seen by other
people while in transit. 

If you click on the [View Signature Certificate] button you
can see the following: 

This certificate has been verified for the following uses: 
Email Signer Certificate
Email Recipient Certificate

Issued To
Common Name (CN):           Aaron Barr
Organization (O):           VeriSign, Inc.
Organizational Unit (OU):   VeriSign Trust Network

Issued By
Common Name (CN):           VeriSign Class 1 Individual
Subscriber CA - G2
Organization (O):           VeriSign, Inc.
Organizational Unit (OU):   VeriSign Trust Network

Validity
Issued On:                  4/28/2010
Expires On:                 4/28/2011

Fingerprints
SHA1 Fingerprint
32:54:31:25:F6:4D:8C:E4:9E:90:2E:A7:E4:51:CF:A5:F2:7E:C3:11
MD5 Fingerprint 
E3:63:31:3B:AE:20:61:59:C5:0F:A8:54:F1:5D:66:38

Whats is particularly important about these digital signatures
is that they are not only proof of authenticity, they also are
non-repudiable, meaning they cannot later be disavowed as
forgeries.  (I suspect that, right about now, Mr. Barr may be
kicking himself for ever purchasing that VeriSign signing
certificate.) 

Digital signatures are every bit as valid as the signature on
a contract. 

If memory serves, I believe it was President Clinton who first
used a digital signature on the text of a bill to sign it into
law. In other words, these digital signatures would stand-up
in a court of law as valid. 

The upshot here is that neither HBGary nor Mr. Barr simply
CANNOT  disavow these email by dismissing them as forgeries. 

Snagglepuss2