[Spooks] Thank you from the Project Evil team

Jeff Wilson jeff.wilson at gmail.com
Tue Aug 8 02:53:00 EDT 2006


Wow. I got pwned by a 2600 guy. Hats off, sir!

As far as the shared login to a Hotmail-type account, I think I
remember reading that al Qaeda or the like have used that method to
coordinate and communicate. I thought it was safer since there's no
SMTP server involved; it's just data stored on a hard drive on a
server somewhere, transmitted over HTTP to the viewer's screen. The
user simply pulls up the draft message from the other guy.

It's all become way more complicated. The NSA guys must be going nuts,
especially with the rise of Craigslist, MySpace, forums, YouTube, and
other Web 2.0 apps that allow virtually anything to be posted.

On 8/7/06, J. Random Entity <jrandomentity at gmail.com> wrote:
> Visit http://mailman.qth.net/mailman/listinfo/spooks to unsubscribe from this list
>
> > Well, while it may be easy to DF a shortwave signal if you have
> > adequate resources (like the government's), it's nearly impossible to
> > tell who is receiving that transmission.
>
> Point taken, but DFing a signal doesn't require government-level
> resources.  I've participated in a few DF events before, none of them
> using anything much more complex than a directional antenna for the
> band we're working and the signal meter built into the radio.
> Granted, there's much better hardware out there to do it with - but
> remember that it was a couple of hams who found Yosemite Sam, not the
> FCC (although that's likely another story in and of itself).
>
> > In the web world- however, there's a log for everything.
>
> Yes and no.  Things get logged, assuming that:
>
> a) Logging is enabled.
> b) There's space to store the logs.
> c) The logs aren't rotated and written over.
>
> > Every person
> > who visited that Craigslist link is logged.
>
> We can't say that for certain because we don't know Craigslist's
> logging policies.  More:
>
> > The poster himself was
> > logged.
>
> While this is likely the case, again, we don't know their policies on
> logging.  And, of course, that doesn't cover the logs the VoIP
> providers have, or any of the other websites that were following the
> experiment.  Further, just because logs exist doesn't mean that access
> to them by third parties (such as law enforcement, or the intelligence
> community) is automatic.
>
> Following on from that, though, we can probably *assume* (note the
> emphasis) that people from the original poster on down were logged.
> However, it's important to remember that there are any number of ways
> to obfuscate an IP address: use a public access terminal such as in an
> Internet cafe or library; use a proxy or similar anonymizing service;
> route your traffic through compromised machines.  There are others,
> but that should serve to demonstrate the less-than-useful nature of
> relying on an IP address when attempting to physically locate someone.
>
> Also, there's one other thing that's probably worth pointing out: in a
> real-world scenario, this likely would've been an overly-complex way
> of communicating with an agent.  There are two sides to the
> communication - one on Craigslist telling the agent to call a
> particular number, then the actual communication to the agent recorded
> on the VoIP station.  Using Craigslist alone probably would've
> sufficed; the messages could've been encrypted steganographically
> within posts to, say, the rants & raves section.  I'm specifically
> picking rants & raves here because it's a) not uncommon to see long
> messages posted there, allowing for a longer encrypted message to be
> hidden, and b) there are literally hundreds of posts there on any
> given day for any given city, which would again have made finding the
> intended recipient extremely difficult.
>
> With respect to the VoIP station, it worked fine as a transmission
> medium both from the standpoints of availability and obfuscation:
> people recorded it and made it available in many formats from MP3 to
> text to radio broadcasts, so knowing the intended recipient .
> However, the downfall is that it provides a second level of logging
> and if you're trying to avoid leaving an audit trail, multiple levels
> of logging can either work in your favour or against you - they can
> either serve to baffle an investigator by overwhelming them with data,
> or enable correlation of events allowing a list of suspects to be
> drawn up and chased down.
>
> > And thanks to a powerful search engine like Google, one could
> > search a large chunk of the internet for places where "MEIN FREULEIN"
> > exists.
>
> Sure.  But remember that we were never intending from the get-go for
> this to be clandestine; the idea was to put a high level of
> signal-to-noise around the stations by having their content spread for
> us by unwitting third parties.  In a sense, this is some of the best
> obfuscation you could hope for.  People already listen to shortwave
> transmissions and discuss them openly; that doesn't necessarily mean
> that their intended recipients are any more or less secure in their
> comings and goings than if nobody had heard them in the first place.
> As long as the message itself remains uncrackable and can't be tied to
> a particular individual, then all it is is a bit of spurious - but
> nonetheless interesting - data.
>
> > From there, it's just a matter of filtering the data, then a
> > quick subpoena of the telco's records for users from a certain area.
>
> Believe me, this is nowhere near as easy as it sounds.
>
> > Posting at an internet cafe with an anonymous account isn't safe
> > either, due to the prevalence of cameras in such places.
>
> Sure.  But, as mentioned earlier, that's not the only option.  And
> even if one were posting from a location such as an Internet cafe,
> there are steps that can be taken to very effectively make it appear
> as though this is not the case.
>
> > No, the best way to covertly communicate online is to open an anonymous
> > email account with Gmail or Hotmail or something, then share the
> > login/password with the person you intend to communicate with.
>
> No.  Absolutely not.  This would be about the *worst* way you could do
> it.  Gmail archives *everything* and is highly searchable; ditto
> Hotmail.  Even if you're emailing encrypted content between two
> parties, you've still got an established link between them, and the
> email itself is in plaintext - so it's trivial to look at a message,
> say, 'yup, that's encrypted traffic', and then start watching for
> communication between the sender and recipient.  Decrypting the
> transmitted content would be an entirely more complex matter, but at
> least it'd be possible to infer that a channel of communication exists
> between the two parties.  Further, working in the shared-login
> scenario that you suggest, that effectively compromises the login and
> exponentially widens the chances of it falling into the wrong hands.
>
> > Simply
> > leave messages for each other from within the same account; voila, you
> > avoid a lot of the risk online. You could even rot13 your one-time
> > number pad :)
>
> I just want to know why nobody's done rot26 yet - I mean, it should be
> twice as secure, right? ;)
>
> - skroo.
> ______________________________________________________________
> Spooks mailing list
> Home: http://mailman.qth.net/mailman/listinfo/spooks
> Help: http://mailman.qth.net/faq.htm
> Post: mailto:Spooks at mailman.qth.net
> -
> Visit http://www.spynumbers.com/ for complete information about Spy Numbers Stations
>


-- 
-------------------------
Jeff Wilson
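The quoted point about a second level of logging cutting both ways (it can drown an investigator in data, or it can let events be joined into a short suspect list) is easy to see with a small join across two logs. The following is an added example, not code from anyone on this thread; the Craigslist-style access log and the VoIP call-detail records are constructed sample data with documentation-range addresses and made-up numbers, and the posting path, the called number and the 30-minute window are assumptions chosen for the illustration. Each source on its own yields a long list; only the correlation across them shrinks it.

```python
"""Correlating two independent log sources to narrow a suspect list.

Constructed sample data (not real logs): an NCSA-style web access log for a
Craigslist-style posting and a VoIP provider's call-detail records.  The
correlation key is the client IP address; a caller only counts if the call
followed a view of the posting within a time window.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

WebEntry = Tuple[datetime, str, str]    # (timestamp, client_ip, path)
CallRecord = Tuple[datetime, str, str]  # (timestamp, caller_ip, called_number)

# Constructed web access log (hypothetical posting path and addresses).
WEB_ACCESS_LOG = """\
203.0.113.10 - - [07/Aug/2006:14:01:12 -0400] "GET /rnr/123456.html HTTP/1.1" 200 4211
198.51.100.7 - - [07/Aug/2006:14:02:45 -0400] "GET /rnr/123456.html HTTP/1.1" 200 4211
203.0.113.22 - - [07/Aug/2006:14:05:03 -0400] "GET /rnr/123456.html HTTP/1.1" 200 4211
192.0.2.44 - - [07/Aug/2006:14:09:30 -0400] "GET /rnr/123456.html HTTP/1.1" 200 4211
198.51.100.7 - - [07/Aug/2006:15:40:01 -0400] "GET /rnr/index.html HTTP/1.1" 200 9021
203.0.113.99 - - [07/Aug/2006:16:12:50 -0400] "GET /rnr/123456.html HTTP/1.1" 200 4211
"""

# Constructed VoIP call-detail records: timestamp,caller_ip,called_number,duration_s
VOIP_CALL_LOG = """\
2006-08-07T14:03:10-0400,198.51.100.7,5550100,95
2006-08-07T14:20:55-0400,203.0.113.22,5550100,88
2006-08-07T14:21:40-0400,192.0.2.200,5550100,90
2006-08-07T18:30:00-0400,203.0.113.99,5550100,91
2006-08-07T14:10:05-0400,192.0.2.44,5550123,30
"""

_WEB_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')


def parse_web_log(text: str) -> List[WebEntry]:
    """Parse NCSA-style access-log lines; non-matching or non-200 lines are skipped."""
    entries: List[WebEntry] = []
    for line in text.splitlines():
        m = _WEB_LINE.match(line)
        if not m or m.group(4) != "200":
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        entries.append((ts, m.group(1), m.group(3)))
    return entries


def parse_voip_log(text: str) -> List[CallRecord]:
    """Parse the constructed CSV call-detail format."""
    records: List[CallRecord] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, ip, number, _duration = line.split(",")
        records.append((datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%S%z"), ip, number))
    return records


def viewers_of(entries: List[WebEntry], path: str) -> Set[str]:
    """Every client IP that fetched the posting: the web log on its own."""
    return {ip for _, ip, p in entries if p == path}


def callers_to(records: List[CallRecord], number: str) -> Set[str]:
    """Every caller IP that dialled the station: the VoIP log on its own."""
    return {ip for _, ip, n in records if n == number}


def correlate(entries: List[WebEntry], records: List[CallRecord], path: str,
              number: str, window: timedelta = timedelta(minutes=30)
              ) -> Dict[str, List[Tuple[datetime, datetime]]]:
    """Join the two logs: IPs that viewed `path` and then called `number`
    within `window`.  Returns {ip: [(view_time, call_time), ...]}."""
    calls_by_ip: Dict[str, List[datetime]] = {}
    for ts, ip, n in records:
        if n == number:
            calls_by_ip.setdefault(ip, []).append(ts)
    hits: Dict[str, List[Tuple[datetime, datetime]]] = {}
    for view_ts, ip, p in entries:
        if p != path:
            continue
        for call_ts in calls_by_ip.get(ip, []):
            # Only a call that follows the view, and not too long after it.
            if timedelta(0) <= call_ts - view_ts <= window:
                hits.setdefault(ip, []).append((view_ts, call_ts))
    return hits


if __name__ == "__main__":
    web = parse_web_log(WEB_ACCESS_LOG)
    voip = parse_voip_log(VOIP_CALL_LOG)
    print("viewers of the posting:", sorted(viewers_of(web, "/rnr/123456.html")))
    print("callers to the station:", sorted(callers_to(voip, "5550100")))
    print("viewed then called within 30 min:",
          sorted(correlate(web, voip, "/rnr/123456.html", "5550100")))
```

On the sample data the web log alone names five viewers and the call log alone four callers; joining them on IP and time leaves two. Note what the join misses as well as what it finds: 192.0.2.200 called the station without ever appearing in the web log, which is exactly what an agent who viewed the posting through a proxy or public terminal and called from elsewhere would look like, so the correlated list is a starting point for investigation, not a conviction.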