Limited Email Surveillance Approved

MrNougat writes "CNet reports that some surveillance of your email has been permitted by U.S. District Judge Thomas Hogan in Washington, D.C., without first requiring any evidence of wrongdoing. Curiously: 'instead of asking to eavesdrop on the contents of the e-mail messages, which would require some evidence of wrongdoing, prosecutors [of the US Justice Dept.] instead requested the identities of the correspondents. Also included in the request was header information like date and time and Internet address--but not subject lines.'"

Re:So use encryption!

[forgotten_my_nick]

TBH the whole system is pointless. Lets say Joe Terrorist wants to pass a message to another cell.

Does he fire up his hotmail account and send an email to durkadurka@hotmail.com?

Of course he doesn't. TBH the easiest way would be to post on a webboard that has a lot of innocent traffic, or on the USENET. Heck even just play an online game (MMORPG) and say something like your looking for +3 Orc slaying knife for two gold pieces.

This method of scanning email headers doesn't solve the issue. All combatants must realise they are being spied on.

Re:So use encryption!

[DavidTC]

There are actually Usenet groups for posting unlabeled encrypted messages in. People receive messages by merely downloading each article and trying to decrypt it. While you can figure out who is communicating using that method, you can't figure out who they are comunicating with, except it has to be someone else in that group.

Thanks to spammers, you can buy lists of 'open proxies' that will let you hide your IP and access the person with the owned computer's ISP's usenet server, which you really only need to do when sending messages. Thus rendering any sort of traffic analysis of the group completely useless.

But the best method of sending data on the internet is hiding it in, say, a GIF. You don't even need to use stenography, you can just take an encrypted binary file, put a GIF header at the start of it, and put it in a 1x1 image link somewhere on a web page between two specific times, and have any receipient 'innocently' surf past your page, and then go get it out of their cache. Bonus points if you manage to write bad HTML so that only one specific browser will go and get the 'image', like IE 4 or Firefox 0.7, although you shouldn't make that obvious or people might get curious. Be sure to put a real image up there the rest of the time, and reset the date back whenever you make changes.

And you can trivially think of a way to have two people do this to each other so they can talk back and forth. They just each have pages on somewhat related things, and browse a bunch of pages on that topic, always making sure to go past each other's.

The great thing about this is that the receiving end can defeat a keylogger. Just make sure the 'check the cache for encrypted files' is a program that they won't notice when installing the keylogger, for example a solitaire game, and it pops up the decoded message when you start it between exactly 32 minutes and 37 minutes after adding the image to your cache, or something. Most software keyloggers do not include any sort of screen capturing, because that would require a lot of space, and hardware ones cannot do it at all, or at least not reasonably. (And see Cryptonomicron for how to defeat this, although note the method of communication in that can be logged also.)

Although obviously if you send messages, a keylogger will catch them. In theory, you could click on the letter via your mouse, but a lot of software keyloggers are including mouse clicks exactly because of that. Although the message can be hidden via moving buttons around and renaming them, that is incredibly annoying for any message over two sentences, and it doesn't hide the fact you were doing something very suspicious, which, if they've bugged your machine, they were already pretty sure of.