97 Comments
- lane.montgomery, on 10/12/2007, -5/+76
The site is acting pretty slow so I'll just tell you what they did:
They just shared one online account and saved their emails as drafts on the account. Very clever (unfortunately).
- jonrad, on 10/12/2007, -0/+31
Thank you for this perfect example of hindsight bias
http://en.wikipedia.org/wiki/Hindsight_bias
- laelfrog, on 10/12/2007, -5/+30
Thank you for the short version, I thought that's what a short description was for...
- Hubris, on 10/12/2007, -0/+13
Because e-mails can be scanned by watching as they pass through a network. Draft e-mails are only characters sent back and forth, or else files stored on the server hosting the webmail. They could set up something to be constantly checking all e-mails saved as drafts, but they would need the support and assistance of Hotmail or other web services to help implement it.
Without knowing the IP of suspects, there is no feasible way to keylog all keys being entered at webmail sites.
- Otto, on 10/12/2007, -0/+10
Scanning emails requires that the emails be sent through your scanning system. Assuming they locate the scanning points at the central points of the internet (the backbones), then yeah, they can scan any email that crosses that point.
Problems with scanning draft emails like this are:
1. Email scanning relies on monitoring specific types of traffic, namely SMTP traffic. Easy to do. Saving drafts on webmail providers doesn't use SMTP, it's web traffic using different methods for each provider.
2. Lots of webmail providers use SSL (HTTPS) to encrypt the communications between your browser and the web server. These are basically unmonitorable. Yes, you could crack them. No, you can't crack them all. Too much power and time required to do it.
3. There's a LOT of webmail providers. While you might get some of them to let you stick scanners in their datacenters and thus get them at the source, a lot of them are going to give you the finger and there's not really anything that can be done about it.
In the end, more traditional intelligence gathering methods are going to work better than technical solutions, because technology has been working to prevent the governments of the world from doing exactly this sort of thing for decades.
- boinko, on 10/12/2007, -0/+10
The article calls this a 'virtual dead drop.' Interesting.
BTW -- all of this could have been summed up in the article blurb. No need to tease in these blurbs (or say something like 'title says it all' -- when it most always doesn't.)
- Prophasi, on 10/12/2007, -2/+10
"Since the governments scan emails, why can't they just start scanning draft emails?"
Please don't recommend any more ideas for what government can do. They can do anything they want to legislate, and each time all it'll cost is a little bit more in taxes and a lot more in freedom. And, of course, terrorists won't be using each method anymore, once the government is looking for it.
Government will always be three steps behind while thinking it's two ahead, using every tragedy as an example of its need for increased funds and more restrictions on citizens. The only thing worse than a terrorist attack is the government's ability to respond to it.
- Xopl, on 10/12/2007, -0/+8
The data is all decrypted on either end, it's only encrypted in transit. If the Government is listening on the Google Mail side of things, your secure connection does nothing for your privacy. And secure connections never do anything for your anonymity.
- utexaspunk, on 10/12/2007, -0/+8
what's crazy is that the yahoo mail account still works with the name/pw mentioned in the article. I just tried it. it's empty, though. i'm sure the CIA will be knocking at my door any minute now... :)
- wonklit, on 10/12/2007, -1/+9
Why not just create a 10 meg True Crypt (http://www.truecrypt.org/) file with a hidden partition encrypted with AES-Serpent-Twofish (yes, all 3 at once) and send it around?
Do you realize how damn near impossible it is to crack, let alone prove a hidden partition exists in the file?
- Otto, on 10/12/2007, -1/+9
It's not a completely foolproof solution. If the authorities happen to nab one of your conspirators and get the username and password out of him, then all your communications are 0wn3d. Nor can you change the password to prevent this without cutting off communications to your entire group.
Admittedly, it's super easy and anybody could therefore do it. No special software is required either. It's also free, there are absolutely no costs associated with it. But realistically, there's other ways of communication that are just as good and don't leave traces like this.
In the end, if the governments of the world are relying on email and other network traffic monitoring to catch terrorists, then we're all *****.
- wadelindsey, on 10/12/2007, -2/+9
critic, your tin foil hat is on crooked!
/i just browsed through your web history - does your mom know you're looking at those websites???
- Daychilde, on 10/12/2007, -0/+6
Because that would draw attention, whereas a simple solution like logging into a mail account and saving files locally (i.e. draft emails) would not even attract any attention.
It's the difference between a sniper firing off rounds from a distance (you know you're being fired on, but you can't see where) vs. a special forces operative knifing your men and dragging them off -- in the latter case, you only notice a problem when you go to do a roll call...
...okay, crappy analogy, but I hope the point is made.. :-)
- TheWalkingDude, on 10/12/2007, -0/+6
It's called a Dead Letter Box or a Dead Drop: http://en.wikipedia.org/wiki/Dead_drop
"The September 11, 2001 attackers used a Hotmail account as a dead drop. One person would save an email as a draft, and another would retrieve the draft later."
It's also a tactic of Chinese dissidents: http://www.rsf.org/article.php3?id_article=17180
Its usefulness has been compromised.
- Xopl, on 10/12/2007, -0/+6
The point is, there is always a way for somebody to communicate under the radar. Giving up all of our privacy rights and 4th Amendment rights and 14th Amendment rights (look it up) isn't going to make us safe from every attack.
- Prophasi, on 10/12/2007, -0/+6
I'd guess that's because you're simply reading words, rather than interpreting intent from human dialogue. There are two reasonable purposes for the question: either the author suspects/knows it's a technical problem, and is looking for a technical response as to why it can't be done; or the "why can't" is actually synonymous with "why don't."
The first possibility's technical problems include both technology and legality. Given that the author didn't provide any rationale for thinking there's a technical problem, and given that there's no clarification of the exact technical context s/he is speaking of, and given that it's a standalone sentence, it's not likely to be the first case. (Besides which, I doubt anyone thinks that if scanning SENT emails on a private email system is both technologically and legally feasible, scanning drafts would somehow be impossible.)
That leaves the second meaning, which is the one to which I responded.
- dtfinch, on 10/12/2007, -0/+5
Evidence that broad surveillance only invades the privacy of non-criminals, because criminals find ways around it.
- wadelindsey, on 10/12/2007, -1/+6
Bingo - this is exactly why these bombers chose this approach. Currently many governments in Europe scan email transmissions - actual email data sent from one host to another. In this approach, the bombers simply logged in to their email accounts and saved a "draft" of a message - as far as the webmail application was concerned, it was simply to be stored on its server for later revision and transmission. Therefore, the only place this email was sent was for storage on the webmail's server for later use. This is as common as filling out a private (and often encrypted) form and saving some preferences on a website.
So, no email was ever "transmitted" for anyone to eavesdrop on. Hence the ingenuity.
So, maybe your question is, why can't the government (or anyone else for that matter) intercept webmail archiving. Well, that too presents many challenges. First off, that would be a technically intensive task as many webmail services offer ssl (https:// webmail_account) security, meaning that the information sent from your computer to the webmail server (and back again) is all encrypted, unlike most *regular* email traffic. This is for protection from http eavesdropping. This encryption is very strong.
Couple that fact with the notion that with many webmail services (i.e. gmail), drafts are automatically submitted to the webmail server, not only for EVERY email, but many times while you're writing your email. So, if you take 5 minutes to write an email, that means that a draft has been sent as many as 10~15~20 times!
Now it becomes evident why the MILLIONS of encrypted web-based email drafts logistically can't be scanned. Unfortunately for security purposes, this is a relatively untraceable way to communicate if no one suspects you. But then again, as far as personal privacy is concerned, this situation makes perfect sense!
- mikebeauchamp, on 10/12/2007, -0/+5
Get ready for new laws to allow gov't and law enforcement to not just read email, but to read any saved contents on any server... if they don't do that already.
I mean, "The terrorists" could be dropping .txt files into a geocities website account or something.
- streetstealth, on 10/12/2007, -0/+5
Next up:
Terrorists use World of Warcraft /tells to exchange information!
The CIA needs to work in tandem with Blizzard to ensure the monitoring of these channels!
- osbjmg, on 10/12/2007, -4/+9
So if all saved drafts are scanned (which of course they will be now), then it's actually a good thing this story came to light. Other amateurs may try to use it and get caught.
- gaberowe, on 10/12/2007, -0/+5
This goes back to what people in the intel community who are worth their salt have been saying for years--human intelligence is the best kind of intelligence... getting one guy to betray another is way better intelligence than just eavesdropping.. smart and paranoid people will figure out ways to communicate without being tracked... like somebody already said, if you got one guy to give the password to authorities, they could just sit there and monitor them and watch every move... the key thing is to focus on how to get into an organization by using incentives to get people to betray each other.. the thought that law enforcement can just sit on their asses waiting for the bad guys to shoot emails to each other talking about bombing something is a pipe dream...
- Brigadier, on 10/12/2007, -0/+4
Great, then I can get investigated when I go from Detroit to Cali and check my hotmail. Obviously I'm a criminal.
- Brigadier, on 10/12/2007, -3/+7
And there should be someone looking in every window of my house. Someone did something wrong, therefore everyone should be spied on, good logic.
- dmorin74, on 10/12/2007, -1/+5
Wow... how low tech and smart at the same time.
- gohoos, on 10/12/2007, -0/+4
This is what the dissidents in China were doing before Yahoo turned them in.
http://www.boingboing.net/2006/04/19/report_yahoo_implica.html
I've heard of this being done with PO boxes as well, in the physical world.
- chicken101, on 10/12/2007, -1/+5
And all your mail should be sent through the NSA too right?
I love people's logic sometimes. Why don't we concentrate more on making people in the Middle East hate us less, instead of offering a half-assed solution for something that isn't the problem. For example, we could offer a treatment for people who get cervical cancer after they get it, yet we have nothing to prevent them from getting the virus that causes most cervical cancer.
- Beanlover, on 10/12/2007, -2/+6
Google's e-mail service is ripe for this as well since you can connect to it using https and remain secure the entire time.
- inactive, on 10/12/2007, -2/+6
Stop believing the propaganda and start researching for yourself.
The Madrid bombings were found linked to the Spanish Security Service,
which in turn follow the orders of the Spanish government.
Spain suspects 'were informants'
http://news.bbc.co.uk/1/hi/world/europe/3670627.stm
Madrid Bombers Linked to Spanish Security Service
http://avantgo.thetimes.co.uk/services/avantgo/article/0,,1150429,00.html
Madrid 3/11 train bombing suspects linked to Spanish Security Services
http://globalresearch.ca/articles/OWE406A.html
THAT was not what Aznar wanted people to know though...
Aznar 'purged all records in Madrid bombings cover-up'
http://news.independent.co.uk/europe/article24669.ece
(original article)
http://www.w3ar.com/a.php?k=1801
(copy)
Then enter the make-believe-squads...
- digitalgopher, on 10/12/2007, -1/+5
I heard about something similar on the last twit episode this past weekend - Leo was talking about how the feds are aware of this problem and i'm sure are looking for ways to get at this.
- Cronus6, on 10/12/2007, -0/+3
thewalkingdude: "Its usefulness has been compromised."
Even now this method still works, you just add another step or two.
1) Type message in notepad
2) Encrypt .txt doc using PGP (or some other encryption app)
3) Copy/Paste encrypted contents into the draft
Of course all people using the "dead drop" will have to know the user name/password AND encryption key.
- stan205, on 10/12/2007, -2/+5
Since the governments in Europe scan emails, why can't they just start scanning draft emails?
- wmtrader, on 10/12/2007, -0/+3
This is a very common technique and is why China wants/needs Yahoo and Google to assist them in arresting political dissidents.
If you force each and every mail service that is accessible in your country, with the threat of blocking them from your country’s network if they don’t cooperate, then you can have them search every mail account with various key words until they find what they are looking for or who they are looking for.
And I am sure that the various United States security agencies are doing this as well.
- szelij, on 10/12/2007, -2/+5
Well a bad thing is that when they connect to the account they can be traced...but given that the Spanish government doesn't know which email address it is in the first place, it's like hiding a needle in a haystack.
- loveandrockets, on 10/12/2007, -1/+4
They called it a "virtual dead drop". Pretty clever.
- JoshuaWood, on 10/12/2007, -0/+3
This just shows the importance of human intelligence gathering vs. reliance on technology. Humans are cunning, creative and learn from past mistakes. We spend millions infringing on the privacy of innocent people, monitoring our own citizens, but something as simple as save to draft can foil our attempts. If the account never sent a single email, it's likely to be impossible to know about that particular account in order to monitor it, and with the availability of unsecured wifi, and internet cafes, the whole idea that we can foil well thought out plans by scanning billions of email messages is suspect. This method of communication was pure genius, simple, straightforward and unfortunately very effective. Hopefully we can emerge from these times a better, brighter world, but it certainly doesn't feel that way.
- aliengoods, on 10/12/2007, -0/+3
Obviously the solution is cameras in our homes. That way the government can see what the terrorists are typing.
BTW, that was sarcasm.
- gyrfalcon, on 10/12/2007, -0/+3
Does anyone really think the government would have detected regular email communication between these terrorists? It's not like they would be dumb enough to say "attack whitehouse at 21:43:30 UTC Sun Apr 31 2006, coords 38.898648N 77.037692W" or whatever target they were going after.
- chicken101, on 10/12/2007, -3/+6
"Gotta love 'em terrorists."
Terrorists aren't like pokemon.
- groov, on 10/12/2007, -2/+5
shhhhh this is exactly how I hide my supersecret ex-girlfriend porn. Don't blow it :-(
- jinexile, on 10/12/2007, -1/+3
More like a needle in a giant stack of needles
- lnxaddct, on 10/12/2007, -0/+2
Let us not forget classic Man in the Middle (MITM) attacks. With setups like the one the NSA had at AT&T, the thought of them using mitm attacks against suspected internet connections isn't too far fetched. (Yes, I know that the specific setup written about at AT&T was supposedly for listening only, but that doesn't rule out the possibility)
-Steve
http://krenzel.info
- theoallardyce, on 10/12/2007, -0/+2
Not really a 'trick' it's really more the retarded leading the retarded.
- tzmguitarist, on 10/12/2007, -1/+3
sweet AJAX-y thing that the news site uses to flip pages in the article. i heard this same story on NPR about 2 weeks ago regarding the chinese dissident that yahoo helped turn over to the government. he was using the very same method to communicate outside and yahoo allowed the government access to his drafts. pretty scary stuff.
- ZenKai, on 10/12/2007, -1/+3
I'm totally using this trick the next time I need to set up international terrorist activities.
- inactive, on 10/12/2007, -1/+3
So I guess that way they never actually sent the mails across a wire, they were just using the web-mail's storage space as a means to drop messages that were accessible from anywhere.
- locojones, on 10/12/2007, -0/+2
Truer words were never spoken! Kudos Xopl!
Our government wants us to believe that "terrorists," (and I use that term loosely) are some cave-dwelling, third world rejects whose most advanced form of communication is chiseling stone tablets.
Once we realize that the people most intent on doing damage are technologically savvy people who aren't detailing their plans over plain e-mail, or unencrypted phone calls, then we can start taking steps to preventing further encroachments on the rights our forefathers put into the Constitution -- rights designed to safeguard exactly what is happening today.
- angusm, on 10/12/2007, -0/+2
Next up ... terrorists use Digg comment threads to exchange coded messages.
There are so many strategies that a spy or terrorist could use. The 'shared drafts' strategy would work with hosted blogs as well. If you are willing to use simple pre-agreed codewords, you could use any forum or website to carry your message. For bonus points, you could even code your message as 'hashbuster' text in a spam, then post it - with a distinctive subject line - to half the planet. The authorities would have an interesting time working out which of the twenty million recipients was actually your contact. In a more cunning version, the answer would be 'none of them': you'd make it egregious enough that some angry anti-spammer would copy it to 'news.admin.net-abuse.sightings', and your intended recipients would read it through Google Groups.
- Quarks, on 10/12/2007, -0/+2
I just send an email, check babana12002 account lol.
Edit: hmm already deleted, looks like they autodelete them.
The fact that it's still active isn't really interesting, i was really surprised to see the username and password in the article for thousands to see.
- crythias, on 10/12/2007, -0/+1
Actually, I'd hope they're like pokemon. Gotta catch 'em all!