[Spooks] Thank you from the Project Evil team

J. Random Entity jrandomentity at gmail.com
Tue Aug 8 12:35:47 EDT 2006 

> Wow. I got pwned by a 2600 guy. hat's off sir!

Sort of... :)  I just organise the L.A. meeting, and the other folks
who worked on this are regular attendees.  It's probably worth
mentioning that we've got no direct connection with the magazine or
its other outlets beyond that.

> As far as the shared login to a hotmail type account- I think I
> remember reading that al queda or the like have used that method to
> coordinate and communicate. I thought it was safer since there's no
> SMTP server involved, it's just data stored on a hard drive on a
> server somewhere transmitted through http to the viewer's screen. The
> user simply pulls up the draft message from the other guy.

Sure, but there are two problems with that: 1) the communications
channel is known, and 2) the data in transit between <insert webmail
service here> and the sender or recipient isn't encrypted, at least
for the services we've been talking about.  With respect to 1), it was
probably relatively easy to passively monitor and investigate once the
channel was discovered; with respect to 2), they only encrypt the
session while you log in - not while you're actually reading, sending,
or composing email, so the data in transit (bear in mind that even if
you're not sending or receiving email, there's still a connection
between the browser and the service) would be trivial to monitor
assuming it's not already being watched directly on the servers.  In
fact, I wouldn't be at all surprised to learn that 2) was responsible
for 1).

> It's all become way more complicated. The NSA guys must be going nuts,
> especially with the rise of Craigslist, MySpace, forums, you tube, and
> other web 2.0 apps that allow virtually anything to be posted.

Selectivity is one of the biggest problems in monitoring, that's for
sure.  My day job is as a network security engineer, and I can tell
you that sorting the wheat from the chaff in situations where you only
have a vague idea of what you're looking for but don't know who's
responsible for it is almost an even bigger PITA than figuring out
what that data represents once you've got it.

- skroo.

More information about the Spooks mailing list