October 18, 2006

Tracking email - the disappearing myth, the #1 threat, versus ultra rare sighting of eavesdropping attack

Shades of OTR -- off-the-record -- a protocol that claims to provide plausible deniability.

A START-UP communications outfit is flogging a web-based email system that destroys the message after it has been read.

VaporStream system from Void Communications, which apparently is not a euphemism for VapourWare, works from an encrypted webpage. A punter visits the site, lists the person they want to talk to and chats away.

The names of the parties, or their messages, are not stored anywhere and details can't be cut and pasted. Instead, it is held on a temporary memory segment in a VaporStream server. When it is delivered, the server forgets that it ever existed.

The big problem is that both approaches, deniability protocols and self-destructing messages alike, completely fail to address the real threat models for real people, and arguably make matters worse by creating a false sense of security, and by encouraging people to deny truths that can be proved in other ways.

The non-sexy #1 threat to email is breach of the node, and that threat defeats both of those approaches. Here's a reminder:

Last fall, agents on the FBI's public corruption squad faced a problem: They couldn't read encrypted e-mail seized from State Sen. Vincent J. Fumo's offices.

On Oct. 18, they got a break. Donald Wilson, a state Senate computer technician who had been granted immunity, suddenly remembered something, according to a newly unsealed FBI affidavit. He still had two portable data cards - with all the passwords to open the e-mail.

Wilson's lawyer called authorities and turned over the passwords. The feds were in.

With that breakthrough, the affidavit said, agents were able to read more Fumo office e-mails talking about destroying records and fretting about the FBI - a trail that helped lead to obstruction-of-justice charges against two other Fumo computer technicians, Leonard Luchko and Mark Eister.

An actual eavesdropping attack on "aircraft email" spotted by Steve Bellovin:

... ACARS is like an automated email system used by aircraft and ground control. An ACARS-enabled plane will transmit all kinds of information about what the plane is doing: where it is and where it's going, how much fuel it has, what the weather is like, and so on. These automated "emails" between aircraft and their ground controllers are encoded into radio signals clustered around the 131 megahertz and 136 megahertz frequencies.

A good scanner can receive these radio signals. To the ear, the transmissions sound like noise, but when filtered through a computer equipped with a software-based decoder the information contained in the airplanes' messages becomes comprehensible. Like notebooks filled with tail numbers and landing times, ACARS monitoring produces an endless stream of ridiculously detailed information, which ACARS enthusiasts from around the world dutifully post online.

The "open source" attack (cf. John Robb) on the CIA's illegal renditions -- known as the torture taxi -- makes for fascinating reading. How relevant is such a threat model to general financial cryptography (FC)? In the past I would have said not relevant due to the context, but the recent open source work on the AOL privacy breach makes me think it is a valid threat, and the article is therefore valid case material.

It is curious to see how they would solve the ACARS problem. The only way that I can see is to use open source techniques of opportunistic cryptography, something that obviously has been fought against by the CIA and others. So the eavesdropping attack on plane traffic can be considered to be yet another example of how the USG's policy of low Internet security bites back. Chalk up another "Own Goal" like the Israeli "Defence" Force (IDF) results of last month (1, 2).

Posted by iang at October 18, 2006 03:31 PM

Vapourstream sounds like they're just doing what ZixMail did in 1999.

What rank would you give the discovery process in civil lawsuits? If it's not #1, surely it's near the top. All cases of it put the email into the hands of someone hostile. It's an easy attack to mount, though by no means a cheap one. It's a common attack, which has put much damaging email into the press. Vapourstream offers a measure of lawyer-proofing.

Posted by: Fred Wamsley at October 18, 2006 10:38 AM

Discovery is a big issue. Yes, this is an attempt to limit discovery, and on the face of it, it might have some effect. But it fails to address several consequences.

1. the usage people put on email -- most people want to keep their emails around for longer simply because they might have to refer to them again. A large proportion of users keep all their chat for ever, belying the very term!

2. if you encourage your partner to use this system, you are already signalling something suspicious ... so it won't be much use for business negotiations, and ordinary users don't like to pay for security of this or any other nature.

3. if it is really important, the temptation is there for your partner to take screen shots ... So in the event of discovery, you may actually be setting yourself up for trouble down the track.

Certainly the need is there. However I think a more likely direction is to use contract provisions between consenting parties to *not* use discovery on certain conversations. E.g., signal in advance that this is OTR in writing in the message. That won't stop criminal investigations, but that's a different area again.

Posted by: Iang at October 18, 2006 11:41 AM