There’s some interesting stuff out regarding the Heartland Institute document dump. Megan McArdle has a detailed analysis of one fake (obviously fake) document, but I want to emphasize something she kind of downplays: the security and forensic aspect here.
The original breach was a classic social engineering maneuver: convince the person on the other end that you’re someone else, and gain access or information that you would not otherwise be privileged to have. The general answer to this type of attack is to require some level of confirmation before acting on a request. In a small enough organization, you have the “everyone knows everybody else” advantage, but in a larger and potentially more disparate organization—particularly, an organization with board members who are not day-to-day participants in regular activities—you need something else. That something else could be a key phrase, an identification number, a driver’s license, or some other form of positive identification. People can still get around this (for example, by pretending to be Heartland and extracting the passphrase or identification number from a board member, or by making a false license), but the level of difficulty is a bit higher.
Finding out about the phony document took a bit of forensic investigation. McArdle did her own sleuthing, which provided rather strong circumstantial evidence in favor of the hypothesis that one particular document was a fake. Combine that with reading PDF metadata and you can see that the person who pulled this off was good enough to avoid leaving incriminating metadata, but not good enough to cover all of his tracks. McArdle ends her second post by thinking about who potentially could be the culprit, given what we know. She draws a number of quality inferences (being a reporter helps a lot in sleuthing), and other investigators could follow up on these clues to try to get to the bottom of the story.
Incidentally, the next day, Peter Gleick admitted to stealing documents (and thereby to fraud). He denies having created the forged document, however.
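The kind of PDF metadata comparison mentioned above looks like this in practice: pull the Info-dictionary entries from every file in a set and flag the file whose producing software or clock offset departs from the rest. This is an added example, not code from McArdle's analysis or from this post; it assumes uncompressed Info dictionaries with literal strings, and every file name, tool name and timestamp in it is constructed.

```python
import re
from collections import Counter

# PDF literal string "( ... )": allows escapes and one level of nested parentheses.
LITERAL = rb"\(((?:[^()\\]|\\.|\([^()]*\))*)\)"

def info_fields(pdf: bytes) -> dict:
    """Extract selected Info-dictionary entries (uncompressed, literal strings only)."""
    fields = {}
    for key in (b"Producer", b"Creator", b"CreationDate"):
        m = re.search(rb"/" + key + rb"\s*" + LITERAL, pdf, re.S)
        if m:
            fields[key.decode()] = m.group(1).decode("latin-1")
    return fields

def fingerprint(fields: dict) -> dict:
    """Reduce metadata to features that reflect the producing software and machine."""
    m = re.match(r"D:\d{14}(.*)$", fields.get("CreationDate", ""))
    return {
        "Producer": fields.get("Producer", "<missing>"),
        "Creator": fields.get("Creator", "<missing>"),
        "UTC offset": m.group(1) if m and m.group(1) else "<missing>",
    }

def outliers(docs: dict) -> dict:
    """Map each file name to the features where it departs from the set's majority."""
    prints = {name: fingerprint(info_fields(data)) for name, data in docs.items()}
    report = {}
    for feature in ("Producer", "Creator", "UTC offset"):
        common = Counter(p[feature] for p in prints.values()).most_common(1)[0][0]
        for name, p in prints.items():
            if p[feature] != common:
                report.setdefault(name, []).append(
                    f"{feature}: {p[feature]!r}, rest of set: {common!r}")
    return report

def sample_pdf(producer, creator, date):
    """Build a constructed, minimal PDF fragment holding only an Info dictionary."""
    entry = f"/Creator ({creator}) " if creator else ""
    body = f"<< /Producer ({producer}) {entry}/CreationDate ({date}) >>"
    return f"%PDF-1.4\n1 0 obj\n{body}\nendobj\n".encode("latin-1")

# Constructed sample set: names, tools and timestamps are invented for illustration.
OFFICE = ("ExampleOffice Export 1.0 (Build 7)", "ExampleOffice Writer")
SAMPLES = {
    "budget.pdf": sample_pdf(*OFFICE, "D:20200302101500+00'00'"),
    "agenda.pdf": sample_pdf(*OFFICE, "D:20200302111000+00'00'"),
    "minutes.pdf": sample_pdf(*OFFICE, "D:20200303093000+00'00'"),
    "memo.pdf": sample_pdf("ExampleScan Driver 2.3", None, "D:20200305174200+02'00'"),
}

if __name__ == "__main__":
    for name, findings in outliers(SAMPLES).items():
        print(name, *findings, sep="\n  ")
```

Real PDFs often keep metadata in XMP packets or compressed object streams, which this regex-based reader does not see; a divergent fingerprint is a lead for further investigation, not proof of forgery.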