18 comments

[ 2.4 ms ] story [ 37.6 ms ] thread
Sounds like there's pretty clear evidence present on the RightSignature site, but they really need to provide a way to verify a document without the site being up and intact. That certification page is basically worthless otherwise.
I so wish there was a conclusion on what happened with the leasing agency
It feels like you need to sue them for scamming you with fake documents. Their attempts didn't work on you, but it might've scammed many others.
Funny, I remember Gwern asking why people don't do this more often: https://gwern.net/blog/2022/pdf-forgery
I think OP is an instance that proves the point

this is a lazy, clumsy editing attempt, done through a document registration service which exists to prevent exactly this and yet, you have to be an experienced nerd (eg https://en.wikipedia.org/wiki/Matthew_Garrett has a doctorate and decades of software development experience) who will jump through a bunch of hoops to even begin to build a case beyond he-said-she-said. And he still doesn't have a settlement or criminal conviction in hand, so he's not even half done... Or look at the extensive forensics in the Craig Wright case just to establish simple things like that they were edited or backdated to a legally acceptable level.

Meanwhile, the original PDF edit in question took maybe 5 minutes with entry-level PDF tools.

> Because there’s no Photoshop for PDFs, maybe?

Xournal++

Please refer this to California's High Technology Theft Apprehension and Prosecution Program [1] and the FBI's Internet Crime Complaint Center [2]. San Francisco's Financial Crimes Unit [3] may also take interest. (Given RightSignature is owned by Citrix [4], I'd also consider flagging this to their GC [5].)

The facts of the case are also so plainly in your favour that you should be able to get a lawyer on contingency to go after the agency and potentially also landlord for damages.

[1] https://oag.ca.gov/ecrime/httap

[2] https://www.ic3.gov

[3] https://www.sanfranciscopolice.org/stay-safe/crime-preventio...

[4] https://www.zdnet.com/article/citrix-acquires-rightsignature...

[5] https://www.bu.edu/alumni/profile/antonio-g-gomes-esq tony.gomes@citrix.com

Wouldn't a sha256 collision be impractical? Like wouldn't it be more compute than the couple grand a security deposit would be? SHAttered was in 2017 with SHA-1 and took 110 years of GPU equivalent compute.

It feels like just a mistake or an error with RightSignature? Like they uploaded the wrong doc, clicked the wrong button, and were confused on their side because the version they meant to send was at the top of the page?

It's notable PDF has built-in mechanism for certified signing and signatures.

Yes it's very convoluted, as everything with PDFs, but it's there.

At this stage, agency must either:

Option A: Return the deposit themselves immediately (since they claim to be mere intermediaries, surely they can recoup from their client)

Option B: Provide full landlord details AND actively facilitate the return by compelling their client to comply with the law

The pdf-forgery and the back and forth with the agency is huge shaming fun, but the deposit is the goal.

Something similar happened to me recently. I was in Portugal for a year and a guy from the agency gave me fake electricity and water bills (he modified the bill PDFs). I found it out by using the pdf metadata too, but didn't go any further tha n that. We were able to make him pay back our money, but we didn't sue him.

I also found out that metadata can be overwritten. What is the best possible way to save yourself from these kinds of problems I wonder?

That's why important stuff is done in three copies -- one to each party and the third to a notary. Here the document signing service acts as such third party and it's the rare case where they have to show up and say which copy is legit.

It's also very rare -- I worked in a similar company for years and only heard of one case of disputed signing and none of disputed contents.

I would not count on a judge to read through technical mumbo-jumbo even if it's completely obvious to you how hashes work, it's probably not for them, so the company has to put a statement.

This is exactly why RightSignature is an expensive SaaS contract and not just something you can self host for cheap: providing somebody credible to testify which document was actually signed.
Finally an explanation for the three copies. Always wondered about this, but somehow was too busy to look it up.
does printing to PDF solve this problem, i wonder?
The problem of getting two contracts with different content and identically claimed hashes? Not sure I follow.
im wondering if printing to PDF basically just makes a PDF that is a screenshot of the original, and removes any sort of existing meta data or formatting