Wednesday, November 14, 2012

the real lesson boys and girls, is, if you're sketchy, use Tor and PGP

slate | Using the dead-drop tactic can certainly reduce the chances that sweeping surveillance dragnets will gobble up your communications—but it is not exactly secure. The method was used by the planners of the Madrid train bombings in 2004, which killed 191 people, helping them to operate below the radar of Big Brother. However, law enforcement agencies over the years have grown accustomed to terrorists using the dead drop, and technologies have been developed to help counter it.

An interception tool developed by the networking company Zimbra, for instance, was specifically designed to help combat email dead drops. Zimbra’s “Legal Intercept” technology allows law enforcement agencies to obtain “copies of email messages that are sent, received, or saved as drafts from targeted accounts.” An account that is under surveillance, with the help of Zimbra’s technology, will secretly forward all of its messages, including drafts, to a “shadow account” used by law enforcement. This may have been how the FBI was able to keep track of all correspondence being exchanged between Petraeus and Broadwell.

(It’s also worth noting that archived draft emails stored alongside sent and received messages on Google’s servers can actually be obtained by law enforcement with very little effort. Due to the outdated Electronic Communications Privacy Act, any content stored in the cloud can be obtained by the government without a warrant if it’s older than six months, as Wired reported last year.)

What this means is that if Petraeus and Broadwell had been savvy enough to use encryption and anonymity tools, their affair would probably never have been exposed. If they had taken advantage of PGP encryption, the FBI would have been able to decipher their randy interactions only after deploying Trojan-style spyware onto Broadwell’s computer. Further still, if the lovers had only ever logged into their pseudonymous Gmail accounts using anonymity tools like Tor, their real IP addresses would have been masked and their identities extremely difficult to uncover.

But then it is unlikely that they ever expected to come under FBI surveillance. Their crime was a moral one, not a felony, so there was no real reason to take extra precautions. In any other adulterous relationship a pseudonym and a dead drop would be more than enough to keep it clandestine, as my Slate colleague Farhad Manjoo noted in an email.

Broadwell slipped up when she sent the harassing emails—as that, as far as we know, is what ended up exposing her and Petraeus to surveillance. Whether the harassment was serious enough to merit email monitoring is still to be established, as Emily Bazelon writes on “XX Factor.” It goes without saying, however, that the real error here was ultimately made by Petraeus. If he had stayed faithful to his wife of 38 years in the first place, he’d still be in charge at the CIA—and I wouldn’t be writing about how he could have kept his adultery secret more effectively by using encryption.

18 comments:

arnach said...

Why stop at TOR & PGP when you could cover all your bases?
https://silentcircle.com/

DD said...

I think Denninger has a more apt and less polite take:

http://market-ticker.org/akcs-www?post=213878

CNu said...

Methinkst the primary security vulnerabilities exploited to great good effect in all of this were of the seven deadly variety. http://2.bp.blogspot.com/-XVYKe1pI6NE/T7uWg9AH6oI/AAAAAAAABXI/Vx0rXcCOj7g/s1600/35-Seven-deadly-sins.jpg

Ed Dunn said...

Noticed they didn't explain how the "dead drop" was ineffective and provided a general statement. Dead drop is the most effective and more effective than both PGP and tor because all it takes is time to decrypt any digital message. In fact, I'm not going to say how ignorant the writer is thinking to believe someone sending an encrypted transmission over monitored networks is more secure than dead drops...incredible..

CNu said...

geolocation codes in gmail metadata is what doomed petraeus and his groupie. the moral of this story is DONT GO WITHIN A COUNTRY MILE OF A GOOGLE PRODUCT if you want to have any prayer of anonymity.

makheru bradley said...

This lady had classified files on her hard drive. What if she's telling the truth here?

http://dai.ly/UG9vEu

CNu said...

I'm on pins and needles Bro. Makheru, what.if.she.is?!?!

Ryan Crocker said this morning that foreign service officers must take big risks to be useful, it comes with the job - contrary to the notion of croissant eating dilettantes on the left bank in Paris. http://www.npr.org/2012/11/15/165186976/we-didnt-know-how-well-al-qaida-was-organized-in-libya

makheru bradley said...

If she is then "Mr. We Don't Do Rendition and Torture" has lied again. At some point the chinks in the armor will become cracks in the wall. Congress needs to call Broadwell to testify. Petraeus claims he did not leak classified info to her. Somebody did.

CNu said...

Preznitial plausible deniability seems rock solid and iron-clad at this juncture Bro. Makheru. That too, goes with the foreign service officer's job imoho..., bottomline in this case, tea and douchebaggery have so categorically overshadowed any other consideration that the Hon.Bro.Preznit ain't even have to flick a single ash off his shoulder.

arnach said...

What do you suggest that someone who is about to connect to Google at the curb should do? Besides "straight and narrow," of course.

makheru bradley said...

Plausible deniability--like Sgt. Schultz--LOL
http://www.youtube.com/watch?v=UgcxGFmYyPs

arnach said...

The Real Scandal Surrounding the Petraeus Resignation: the Utah Data Center

CNu said...

Here's the money shot http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all/

Getting at the stored encrypted data is key, i.e., decrypting decades worth of gathered - but here to date - indecipherable sigint.

Looking forward, why do you suppose that's important? What contingency is this behemoth being built for?

On a related note, have you ever examined the history of the global opium trade from its inception up through today?

CNu said...

The more I know about the Googleplex, the more I encourage others to embrace it, stare deeply, long, and lovingly into that abyss. Exploring the intimate details of how it works, its various and sundry EULA's, etc..., will have significant value a couple of years hence.

Big Don said...

BD feels safer already....

arnach said...

"Getting at the stored encrypted data..." is likely moot, particularly for data more than a few years old, given that particular 3-letter agency's penchant for operating beyond the state of the art. IOW, I'd bet there's plenty of liquid He already in B-dale.

As far as "Why?," well I think that there's already sufficient answer to that question, between what has been discussed on the interwebs and your fertile imagination. C3I, baby...C3I.

CNu said...

That would account for them calling it Stellar Wind http://en.wikipedia.org/wiki/Stellar_Wind_%28code_name%29

C4ISTAR is the British acronym used to represent the group of the military functions designated by C4 (command, control, communications, computers), I (military intelligence), and STAR (surveillance, target acquisition, and reconnaissance) in order to enable the coordination of operations.[1]

C4ISR is the similar term used by the U.S. military (command, control, communications, computers, intelligence, surveillance, and reconnaissance).[2]

C4ISTAR and its related terms can be used to refer to infrastructure, a role of military units or individuals, or procedures employed.

CNu said...

The General cops a misdemeanor plea and goes scot-free http://www.washingtonpost.com/world/national-security/petraeus-pleads-guilty-to-misdemeanor-but-will-likely-not-face-prison-time/2015/03/03/13824f2a-c1bc-11e4-9271-610273846239_story.html