"Call her the Mata Hari of cyberspace," Shaun Waterman reported in his July 18, 2010 Washington Times article "Fictitious femme fatale fooled cybersecurity."
"Robin Sage, according to her profiles on Facebook and other social-networking websites, was an attractive, flirtatious 25-year-old woman working as a 'cyber threat analyst' at the U.S. Navy's Network Warfare Command. Within less than a month, she amassed nearly 300 social-network connections among security specialists, military personnel and staff at intelligence agencies and defense contractors.
A handful of pictures on her Facebook page included one of her at a party posing in thigh-high knee socks and a skull-and-crossbones bikini captioned, 'doing what I do best.'"
"'Sorry to say, I’m not a Green Beret! Just a cute girl stopping by to say hey!' she rhymingly proclaimed on her Twitter page, concluding, 'My life is about info sec [information security] all the way!'
And so it apparently was. She was an avid user of LinkedIn - a social-networking site for professionals sometimes described as 'Facebook for grown-ups.' Her connections on it included men working for the nation’s most senior military officer, the chairman of the Joint Chiefs of Staff, and for one of the most secret government agencies of all, the National Reconnaissance Office (NRO), which builds, launches and runs U.S. spy satellites. Others included a senior intelligence official in the U.S. Marine Corps, the chief of staff for a U.S. congressman, and several senior executives at defense contractors, including Lockheed Martin Corp. and Northrop Grumman Corp. Almost all were seasoned security professionals.
But Robin Sage did not exist.
Her profile was a ruse set up by security consultant Thomas Ryan as part of an effort to expose weaknesses in the nation’s defense and intelligence communities - what Mr. Ryan calls 'an independent ‘red team’ exercise'."
At DEFCON's Black Hat Technical Security Conference - held in Las Vegas during July of 2010 - Ryan gave a presentation called "Getting in bed with Robin Sage."
His bio at the Black Hat website claims,
"Thomas Ryan: A 20-year security veteran, Thomas Ryan is the co-founder and Managing Partner of Cyber Operations and Threat Intelligence for Provide Security. The company was formed with the concept of the convergence of both physical and cyber techniques for Executive Protection, Advanced Red Teaming, Crisis Management, Threat Profiling, Threat Assessments and Penetration Testing. In his role, Mr. Ryan leads a team called Black Cell, a team of the most-highly trained and capable physical, threat and cyber security professionals in the world. Prior to founding Provide Security, Mr. Ryan had functioned as a security instructor for US Army INSCOM, USNORTHCOM, USSOUTHCOM and several other military and government agencies. His corporate experience has evolved from working at numerous security consulting companies. Mr. Ryan's passion for information security had him elected as the Chapter Vice President for OWASP NY in 2004, Board Member for NJ Chapter in 2005, then merging the two chapters in 2007 while still retaining his Board Member role in 2010. His contributions include participating as a co-author of the OWASP Test Guide v2, and speaking at several industry events including the OWASP, INFRAGARD, ICCS, and ISSA."
The briefing for Ryan's July presentation states,
Given the vast number of security breaches via the internet, the experiment seeks to exploit the fundamental levels of information leakage—the outflow of information as a result of people’s haphazard and unquestioned trust. The experiment was conducted by creating a blatantly false identity and enrolling on various social networking websites. By joining networks, registering on mailing lists, and listing false credentials, the conditions were then set to research people’s decisions to trust and share information with the false identity. The main factors observed were: the exploitation of trust based on gender, occupation, education/credentials, and friends (connections).
By the end of this Experiment, Robin finished the month having accumulated 100’s connections through various social networking sites. Contacts included executives at government entities such as the NSA, DOD and Military Intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and options to speak at a variety of security conferences.
Through this 28 day experiment, it became evident that the propagation of a false identity via social networking websites is rampant and viral. Much of the information revealed to Robin Sage violated OPSEC procedures. The deliberate choice of an attractive young female exposed the role that sex and appearance plays in trust and people’s eagerness to connect with someone. In conjunction with her look, Robin Sage’s credentials listed on her profile resulted in selection perception; people’s tendency to draw unwarranted conclusions in their attempt to make a quick decision. By acquiring a large number of connections, Robin had the ability to identify the individual who was positioned to provide the most intelligence based on their involvement in multiple government agencies. The false identity combined with carefully chosen false credentials led to a false trust that could have resulted in the breach of multiple security protocols.
Video of the hour-long presentation:
In July of 2010, Kelly Jackson Higgins reported at Dark Reading,
"Meanwhile, the real woman in the Robin Sage LinkedIn, Facebook, and Twitter profile photos has agreed to show up at Black Hat USA later this month to introduce Ryan for his presentation. Ryan says he confirmed that using her photo for the social network accounts was legal, as long as none of her personally identifiable information was used, and it was not. The woman apparently posed for photo shoots for a pornographic site, according to Ryan. He found the woman's photo by searching 'emo chick' via Google, a reference to the punk/indie style and music."
Ryan told a slightly different version of how he found the photos to Forbes reporter Kashmir Hill, who reported in November of 2011 that he "grabbed photos of a Lisbeth Salander-type from a pornography site after a Google image search for 'Goth girl.'"
In another article for Dark Reading - "Would 'Robin Sage' Have Made So Many Friends Without The Hot Pics?" - Higgins wrote, "In reality, the pictures were actually of a woman who posed on pornographic websites (but those who fell for her didn't know that part)."
Highlights [or high lowlights] from Old ReaperSec log /w Tom Ryan Lulz Nov 2011, posted on pastebin by former or still-current Project Vigilant "volunteer"/"hypertroll" Neal Rauhauser:
Ryan posted a link to a profile of "Katya" at an alt porn site called Gods Girls. The @robinsage avatar can be found on her Personal Photos page.
Nov 21 21:01 Only drug I have ever done was Ecstacy when going to raves
Nov 21 21:03 X is the shit !! A Few lady Gs , hot russian girls, some Deadmau5 or Armin Van Buuren
Nov 21 21:03 end up in numerous 3somes and 4somes
Nov 30 22:22 chif I feel like I need some drugs of somesort
Nov 30 22:24 we need them at a BlackHat Party
Nov 30 22:28 sleep 14 hours
Nov 30 22:28 I ended up in several 3somes and 4somes on MDMA
Nov 30 22:30 it's weird cause it takes like an hour to blow your load
Nov 30 22:31 One year at the DEFCON CDC Ninja Strike Force party they had nude hookers going around and these geeks paid them $20 to eat out hookers
Nov 30 22:32 I almost puked"
I tried contacting the real "Robin Sage" on her real social media accounts, but she didn't respond. This is a more current photo of what she looks like today:
"Can you email me so I can ask you questions about Tom Ryan from Provide Security and your portrayal of Robin Sage for article that I'm working on?" I wrote the real Robin Sage, who never responded after I tried contacting her via Facebook and Twitter. "It's strange that no one seems to have actually reported on the woman whose photos were used to allegedly hoax Dept. of Defense and NSA employees...and I was surprised to see you protested Prop. 8 and would love to hear more about you."
In July of 2010, the pornographic model was asked, "[H]ow does it feel to be Robin Sage's alter-ego?"
"[T]otally kick ass! :)", Kat Karver aka "meeeowkat" responded in the July 7, 2010 formspring chat which linked to a myspace account called teez_bunny.
Kat Karver's real name is Katharine Cole, and her Facebook account claims she was born in Chiang Mai, Thailand. The infamous Robin Sage avatar can also be seen on her Facebook account [Editor's Note: I removed the link because my blog post was mysteriously scrubbed. Mike Stack tweeted that Tom Ryan "reported" me. I also removed a picture taken from a public site of Jen Emick, since she might have "reported" me, too] and Cole wrote that it was from her "dready days...", and one of her friends implies it was taken when she attended the Fashion Institute of Design & Merchandising. Cole's resume indicates that - when she's not posing - she currently works in retail, and volunteers at a homeless shelter.
A few weeks ago, Ryan "disappeared" from Twitter @tomryanblog, but his @providesecurity and @robinsage accounts - which are mostly automated - are still active.
"@LeidermanDevine sometimes I think a witch cast a drama spell on me @backtracesec," was Ryan's penultimate tweet which was sent to a law firm known for representing hackers and a sketchy security firm that Jennifer Emick @AsherahResearch worked with to out Anonymous hacktivists. Emick is an aficionado on Paganism and calls herself an "occultist." Ryan, Emick and a woman known as Mi-chelle - who used to tweet @ZAPEM - all appear to be "working" together to "social engineer" and chase Anonymous activists, but they spread "convolution" and many Twitterers believe they engage in fake feuds.
In August of 2012, Emick sent a tweet to blogger Seth Allen aka "Socrates" @Prepostericity claiming she had filed a personal protection order against Ryan, but then deleted it. She has referred to the PPO on other occasions, but gave strange reasons, at the time, for why she scrubbed it, and then she made her public @asherahresearch Twitter account private for a few months. Emick was with Anonymous in the early Scientology battles before seemingly turning against them; Ryan "infiltrated" an Occupy Wall Street mail archive, but now is friendly with many OWS activists; Mi-chelle allegedly told Andrew Breitbart in an email dated February 29, 2012 hours after his fatal collapse that she wanted to infiltrate Anonymous and "cause a rift" by "provid[ing] them with enough information to ultimately attack the left," and may be a source for the emails and phone calls regarding InfraGard leaked to http://par-anoia.net.
A few days before his last tweets, @TomRyanBlog cryptically tweeted, "I wonder what the record is for the most amount of people and most amount of women trying to SE a person at one time."
Avatar for alleged Provide Security Senior Research Analyst was taken from porn site
According to her LinkedIn profile - which was just recently scrubbed but can still be viewed at this cache link - "Senior Research Analyst" Anna Ferreira began working at Tom Ryan's Provide Security in June of 2012.
Ferreira's profile claims she was a Crypto Tech - short for Cryptologic Technician - in the US Navy for 6 years and 1 month from May of 2006 to May of 2012, and attended the American Public University System. According to its website, APUS is a private online university, which "consists of two online universities: American Public University (APU) and American Military University (AMU)."
"APUS’ origins reach back to 1991, when James P. Etter, a Marine Corps officer who taught at Marine Corps Base Quantico, retired from active service and launched one of the first 100% online universities, American Military University. AMU was designed to meet the unique educational needs of the military – transient, working adults needing a range of program offerings from traditional courses such as criminal justice to unique courses such as counterterrorism and military intelligence, which are not readily available at most institutions.
In 2002, after ten years of growth and service to thousands of students and hundreds of graduates, AMU expanded into the American Public University System, adding American Public University. APU is designed to extend the system’s outreach to better meet the needs of those interested in public service related programs, such as criminal justice, public safety, national security and other adult learners seeking to advance their education through a robust, online curriculum."
Ferreira's LinkedIn profile also claimed that Anna spoke four other languages: Spanish, Portuguese, Persian and Russian.
According to a January 2008 European Union brochure, Anna Ferreira was a member of the Portuguese Permanent Representation or Portuguese Presidency, but it most probably is not the same Anna Ferreira, provided the one at Tom Ryan's security firm even exists.
"Cryptologic Technician (CT) is a United States Navy enlisted rating or job specialty," an article at Wikipedia notes. "The CT community performs a wide range of tasks in support of the national intelligence effort, with an emphasis on cryptology and signal intelligence related products."
"Most CT personnel are required to obtain and maintain security clearances. Due to the highly classified work environment, it is not always possible to share resources with other commands, leading to their shipboard nickname, 'spooks'. Almost every detail surrounding the CT world from administration to operations to repair requires dedicated technicians with appropriate security clearances"
The LinkedIn profile also claimed that Anna Ferreira resided in McLean, Virginia, and a search on Google turned up a document posted under that name and location called "The Queen v. Julian Paul Assange," which was posted on July 7, 2012. Assange is the founder and editor-in-chief for the whistleblower website WikiLeaks, and Ryan frequently bashed both at his Twitter account.
The document is the transcript of a December of 1996 Melbourne, Australia hearing where Assange pleaded guilty to 24 computer-related hacking charges. "Justice Ross said he was satisfied Mr Assange had not used his skills for personal gain and so he would not hand down a jail sentence, instead ordering him to pay a reparation order of $2100," the Herald Sun reported in January of 2011.
A Google image search on the avatar on Ferreira's scrubbed LinkedIn profile reveals that it belongs to another porn model who calls herself "Bashful Brittany."
The photo was a crop of this picture of "Bashful Brittany" taken from the adult website hottystop.com or from her eponymous website:
The short bio for "Bashful Brittany" says nothing about working for Provide Security or serving as a Crypto Tech in the US Navy:
"Hey guys, glad you found me! Let me tell you a little about myself. I turned 18 six months ago, i'm only 5 feet tall and weigh 97 pounds!! I'm a true socal girl who loves the sun, shopping, hiking, and partying with my friends whenever I get the chance. I also LOVE modeling, it's fun to get dressed up, dressed down, and as you can see not dressed at all!"
More risque photos of "Bashful Brittany" can be viewed at her website - where she claims to be 19 years old - provided you become a member and trust her security enough to pay with a credit card.
at this link. This "Anna Ferreira" also appears to be wearing the same top, same earrings and posing in front of the same colored background.
The second "Anna Ferreira" LinkedIn page claims she currently works as a recruiter at Express Employment Professionals in the London, Canada area, and that she was formerly the Website and Social Media Manager for London Therapeutic Massage Clinic, but the only language she speaks is English. This profile is more detailed than the scrubbed one for Provide Security, and doesn't include anything that matches it.
Perhaps if Tom Ryan returns to Twitter under his name, he can provide a reasonable explanation for why the "Senior Research Analyst" for his security firm filched her photo from a pornographic website.