A report penned by two current and one former University of Cape Town students illustrates the alleged involvement of a current UCT student in the publishing of the now infamous UCT Exposed blog and Facebook page.
UCT Exposed made a name for itself over the course of the last month by publishing the private correspondence and data of UCT students, including grades. The blog has caused severe emotional stress to a number of its targets.
The report was researched and compiled by Kieran Duggan, David Horscroft, and Ben Steenhuisen. Duggan and Horscroft are current students of UCT, while Steenhuisen is a former employee of the Department of Computer Science at UCT.
The report (which you can read below) details the methodology employed by Duggan, Horscroft and Steenhuisen to determine that someone accessed private links provided to the UCT Exposed administrator via UCT student Qamran ‘Pabie’ Tabo’s UCT login profile.
Duggan, Horscroft and Steenhuisen contacted the anonymous administrator of UCT Exposed, and shared a link hosted on a server of their own. This allowed the authors to capture the geographical IP data of the computer on which the link was accessed. The authors traced the accessing of the link back to a computer in UCT’s Computer Sciences building. They noted that during the time of access, the UCT profile of student Qamran Tabo was logged in on the computer.
Tabo alleges that a third party accessed her UCT login profile, and denies any association with UCT Exposed.
It will be relatively easy for UCT investigators to confirm or deny whether or not it was Tabo who accessed her UCT profile from the computer lab in question by reviewing security camera footage.
UCT, Tabo and the three authors have been contacted for comment. We will update the story as more information comes to light.
THE FULL REPORT
Prelude
UCT student secrets are the new hot thing on Facebook. It started with personal revelations — UCT Confessions is a Facebook page that allows UCT students (or for that matter, anyone) to anonymously submit their secret stories. The page’s administrators do some mild editorial on the submissions and post them, anonymized, on their page. Of course, they don’t publish hate-speech, or personal information. This page has been very popular. At the time of writing, UCT Confessions has 26,379 followers.
UCT Confessions: https://www.facebook.com/express.uct
More recently, another, far more extreme page has appeared — UCT Exposed. Its Facebook “About Us” reads “Who wants to read silly confessions about getting friendzoned when you can get real hardcore and saucy scandal?”. The Facebook Page linked to a blog, which went on to publicly name and shame people based on their marks or dress sense; accused UCT members of racism, and sexually objectified other UCT students.
UCT Exposed: https://www.facebook.com/pages/UCT-Exposed/545828072138572
(https://i.imgur.com/3Wb66Adh.png, https://i.imgur.com/jnbhydvh.jpg)
The UCT Exposed blog: https://uctexposed.blogspot.com/
As reasonable people (students and alumni), we were appalled by UCT Exposed’s behaviour and took it upon ourselves to investigate who was behind these malicious character assassinations.
All information gathered is from publicly available information.
Preliminary Search
To find some background on UCT Exposed, the obvious starting point was the blog. We saw that the blog administrator’s username was “John Smith” (presumably a pseudonym) (https://i.imgur.com/UbsMOZyh.png). We then found a Facebook “John Smith”, whose Facebook username is registered as “uctconfessionssux” (https://i.imgur.com/DDwPHQkh.png, https://i.imgur.com/R0oc88Wh.png). The profile photo is the UCT Exposed logo. It is just a shell of an account, with only one friend, and not much to see in the timeline. This user also likes both UCT Exposed and UCT Confessions Facebook Pages, and links to the UCT Exposed website in the Facebook “About me” section. We can see that this link was created around the time that UCT Exposed started blogging.
It seems reasonable to assume that the person controlling this Facebook account is the same “John Smith” writing the blog posts, and that this account is used to post to the UCT Confessions Facebook Page. But there isn’t anything personally identifying about the account.
https://www.facebook.com/uctconfessionssux/info
https://www.facebook.com/pages/UCT-Exposed/545828072138572
https://plus.google.com/104176887273157583348
Honeypot
Given that the Facebook account said almost nothing about its owner, our best shot at finding out more about the people behind it was to have them accidentally tell us. We can’t see which person or computer is accessing a Facebook account — Facebook is a 3rd party service run outside of UCT. But we can see which computer is communicating with our own servers; the trick is to have them interact with a honeypot on a server we control.
https://en.wikipedia.org/wiki/Honeypot_(computing)
“A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems …”
In this case, we gave them a unique and private link (that nobody else would ever stumble upon) to one of our servers. To make it easier to link this with a person on campus, this server would always reply with the following message:
This site is only accessible from within the Computer Science building, UCT. last updated 2011;
We hoped that they’d follow the hint, and access it from UCT campus, where we can fairly easily link computers with students.
So, we sent “John Smith” a private message on Facebook, that said:
“hey dude, ignore the haters. thank fucking god you exposed that fucking racist vianello. seen him posting in src, disgusting shit
anyway, if you want more juice, i know the guy who used to run DC++ at uct kept a page full of links to all the homemade porn people accidentally shared. it’s at[LINK REDACTED]. enjoy! ”
(https://i.imgur.com/7nBPrLbh.png)
When someone clicked on this link, their web browser would send our server a request for the page. From this request, we can determine the IP address (a computer), and the version of the web browser (https://en.wikipedia.org/wiki/User_agent). The server would record this in a log, together with a timestamp.
We saw a hit on the honeypot at 09:01:45 pm Thursday, September 12, 2013 (local time, 07:01:45 UTC). This user-agent string suggests that it was accessed using a 32-bit version of the Google Chrome browser on a 64-bit Windows 7 machine (which matches the screenshots released by UCT Exposed). We traced this IP address back to 197.229.91.109, which is an 8ta account. Without a court order we can’t legally find out the identity of the user.
More details on this IP: https://whois.net/ip-address-lookup/197.229.91.109
Initial hit
ip : 197.229.91.109 — time : 1379012505 — user agent :Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36
At approximately the same time, we received a reply on Facebook from “John Smith” saying
9:01pm
John Smith
Thank you your support is greatly appreciated and your anonymity is guaranteed.
This was followed soon afterwards with:
9:26pm
John Smith
Question: the site can only be accessed from the CS Building, are login details required?
If they are, is it possible for you to send us a link to where they can be accessed without having to use one of the university’s computers?
(https://i.imgur.com/7nBPrLbh.png)
We didn’t reply to this message, leaving them curious about the supposed ‘juicy’ content. The following day, we received another hit on the honeypot, this time from within the Computer Science Building.
Secondary hit
ip : 137.158.63.52 — time : 1379055798 — user agent :Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0
This IP address belongs to a machine in the Shuttleworth Lab in the CS building. (Confusingly, from DNS entry, pc22.tsl.uct.ac.za, it appears to be machine 22, but it is actually machine 7. This is normal for the Shuttleworth Lab, machines change IP address occasionally. We have verified that the machine we examined is the same machine that had this IP address at that time.)
https://www.dnswatch.info/dns/dnslookup?host=137.158.63.52
Linking the Honeypot
So, we now know that the link was accessed by someone related to UCT Exposed, at 9:03:18 am, Friday, September 13, 2013, on a specific PC, in a specific lab. We were able to cross-reference the time of the user-logins of the machine with the access time of the honeypot. This is outlined in the technical appendage (command #3 & #4). We now have a timeline of a user logging in, accessing the honeypot, and then logging out. We further verified our information by confirming that the user-agent (that hit the honeypot) matched the IP address, the Operating System family as well as the browser version.
All of this information points to a single user – TBXPAB001, one Pabie Tabo, also known as Qamran Tabo (https://www.facebook.com/pqtabo, https://i.imgur.com/6iXLZQPh.jpg)
Corroborating Evidence
Facebook privacy
Stuart Hadfield, one of the first mentioned people on the UCT Exposed Blog has “Friends only” privacy settings on his photos, indicating that whoever posted them is one of his Facebook friends. Qamran is (at the time of writing) one of the few people to have liked more than one of the three photos.
https://i.imgur.com/sSR21vXh.png, https://i.imgur.com/2zBZtzih.png
Writing history
Qamran has a history of creating unrest through her writing. In her article ‘Is love colour-blind?’ (https://varsitynewspaper.co.za/opinions/1468-is-love-colour-blind) she created a huge amount of controversy.
Further Evidence
ICTS are able to provide even more corroborating evidence if they should feel so inclined. They merely have to check their web proxy logs for a user on the TSL IP address stated above, at the time the honeypot was accessed. Users have to log into the proxy to access the Internet (such as Facebook).
Release of Information
We’ve approached Pabie Tabo for comment. This article is also linked on Facebook:
https://www.facebook.com/notes/david-horscroft/uct-exposed-exposed/10151886514077847.
Her comment:
“I deny the allegations until I see this supposed evidence.”
She released further comment after release. (This section will be updated as information comes in)
I let someone use my PC in the lab on friday
It was after a Maths test and I even have an alibi
She then went on to allege that “John Smith” had sent her a message on Thursday, with the following content:
Hey, we want a writer for a new post
It’s for our section slet appiel
[HONEYPOT URL HERE]
Full image gallery: https://imgur.com/a/UoH8I
We’ve released this information to a variety of newspapers, as well as UCT administration.
We are contactable at uctexposedexposed@gmail.com.
Summary and Thanks
We don’t condone hate-speech, public shaming and libel; especially not when from behind the facade of anonymity.
A special thanks to everyone who helped throughout the investigation, especially the editorial and technical team. Crowdsourcing justice.
Technical appendage:
pc07:~# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 38:60:77:a3:97:e6 brd ff:ff:ff:ff:ff:ff
inet 137.158.63.52/27 brd 137.158.63.63 scope global eth0
inet6 fe80::3a60:77ff:fea3:97e6/64 scope link
valid_lft forever preferred_lft forever
pc07:~# dpkg -l firefox
Desired=Unknown/Install/Remove/Purge/Hold| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-=============================-=============================-==========================================================================
ii firefox 11.0+build1-0ubuntu1 Safe and easy web browser from Mozilla
pc07:~# zegrep -h '(dhclient|ntp)' /var/log/syslog.3.gz /var/log/syslog.2.gz > pc07-dhclient.log
Snippet:
/var/log/syslog.3.gz:Sep 13 09:31:40 localhost dhclient: bound to 137.158.63.52 -- renewal in 762 seconds.
/var/log/syslog.3.gz:Sep 13 09:31:41 localhost ntpd[1320]: ntp engine ready
/var/log/syslog.3.gz:Sep 13 07:31:49 localhost ntpdate[1032]: step time server 137.158.128.4 offset -7200.112606 sec
pc07:~# egrep 'session (opened|closed)' /var/log/auth.log.1 | grep -v cron.session > pc07-logins.log
Snippet:
Sep 13 08:50:55 localhost lightdm: pam_unix(lightdm:session): session opened for user tbxpab001 by (uid=0)
Sep 13 09:27:49 localhost lightdm: pam_unix(lightdm:session): session closed for user tbxpab001
pc07:~# grep -A10 sshd /var/log/auth.log.1 > pc07-auth-time-discontinuity.log
pc07:~# getent passwd tbxpab001
tbxpab001:*:8673:8673:Pabie Tabo:/home/t/bx/t/bxpab001:/bin/bash
Non-technical Commentary:
The full logs aren’t included, nor are all the sections selected with grep, but the important entries are. No lines (of grep output) were removed between the first and last line of each snippet above.
TSL pc07 runs ntpdate during bootup, which results in the clock going back 2 hours (presumably the BIOS time is local, rather than UTC). This happens before anyone has logged in, but just after the DHCP lease was taken. So add 2 hours to the timestamp of the DHCP lease acquisition.
At 08:50:55 (UTC+2), we see tbxpab001 log in. The user logs out at 09:27:49. Nobody else logs in during that time.
The access to [LINK REDACTED] occurs between login and logout. The installed version of Firefox matches the User-Agent we saw on the server. The referrer is Facebook, as we expect (the message was sent via Facebook).
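As an added illustration, not part of the authors’ report, the cross-referencing described under “Linking the Honeypot” and in the technical appendage done as a script: the honeypot’s epoch timestamp is placed on the lab’s clock and checked against the pam_unix session intervals, and the Firefox version in the user-agent is checked against the dpkg version. The auth.log lines and the extra “someone1” user are constructed; the UTC+2 timezone is an assumption, and the ntpdate clock step described in the commentary is assumed to have happened before the auth.log entries, so no offset is applied.

```python
import re
from datetime import datetime, timedelta, timezone

SAST = timezone(timedelta(hours=2))  # assumed lab timezone (UTC+2)
# Honeypot record (ip, epoch seconds, user-agent), in the shape the report shows.
HONEYPOT_HIT = (
    "137.158.63.52",
    1379055798,
    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0",
)

# Constructed auth.log excerpt (same line shape as the report's pam_unix entries;
# the 'someone1' session is invented so the check has another user to reject).
AUTH_LOG = """\
Sep 13 07:40:02 localhost lightdm: pam_unix(lightdm:session): session opened for user someone1 by (uid=0)
Sep 13 08:45:10 localhost lightdm: pam_unix(lightdm:session): session closed for user someone1
Sep 13 08:50:55 localhost lightdm: pam_unix(lightdm:session): session opened for user tbxpab001 by (uid=0)
Sep 13 09:27:49 localhost lightdm: pam_unix(lightdm:session): session closed for user tbxpab001
"""

SESSION_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ lightdm: pam_unix\(lightdm:session\): "
    r"session (?P<event>opened|closed) for user (?P<user>\S+)"
)

def sessions(auth_log, year, tz):
    """Yield (user, opened, closed) intervals from pam_unix session lines.
    Syslog timestamps carry neither year nor zone, so both are supplied."""
    open_at = {}
    for line in auth_log.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        if m["event"] == "opened":
            open_at[m["user"]] = when
        elif m["user"] in open_at:          # closed: pair with the matching open
            yield m["user"], open_at.pop(m["user"]), when

def users_logged_in_at(auth_log, epoch, year=2013, tz=SAST):
    """Users whose login interval covers the honeypot hit (an epoch timestamp)."""
    hit = datetime.fromtimestamp(epoch, tz)
    return sorted(u for u, a, b in sessions(auth_log, year, tz) if a <= hit <= b)

def ua_matches_package(user_agent, dpkg_version):
    """Compare Firefox/NN.N in the user-agent with the upstream part of a dpkg
    version such as 11.0+build1-0ubuntu1 (the part before '+')."""
    m = re.search(r"Firefox/(\d+(?:\.\d+)*)", user_agent)
    return m is not None and dpkg_version.split("+")[0] == m.group(1)
```

The same logic applies to the ICTS proxy-log check the report suggests: a proxy record carries its own timestamp and source IP, and the question is again which session interval on that IP contains it.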
Check out this link for the technical data of the investigation, and running updates by the authors to their report.