To the left we see part of a malicious email. The author brags about how the From address is the same as the To address. This is supposed to mean that the author has broken into my email account.
I have been waiting patiently for someone to mail one of these to me. Now I can use it as an example. I’ll show you how to uncover it as a fraud.
I received an impressive email scam recently. My response was to forward it to the email provider’s abuse contact (abuse@outlook.com) and file a complaint with the Internet Crime Complaint Center (ic3.gov). I’ll include the whole email later. The bottom line: Scammer has my password and will humiliate me if I don’t pay $1900 in bitcoin.
The scammer’s email landed in my spam folder. I was given a deadline of July 11. I didn’t clean out my spam folder till today (July 15).
In fact, the scammer does have one of my passwords: a throwaway password I use with throwaway accounts. When a web site makes me “register for an account” to retrieve information I want, this is the type of password I used to use. Now that I use password manager software (Lastpass specifically) I choose passwords more randomly and let the manager remember them.
There is no way to verify an email’s contents except through cryptography. Until every email client includes encryption and reliable authentication, we should always doubt an email’s source.
We can increase our confidence in an email a little, though, by tracing its path through the mail system. I use this technique more-or-less daily to look at potential phishing emails. If the final Received header didn’t come from my bank, then I know it’s fake.
As I said in an earlier post, no crime is committed if the appropriate official leaks sensitive classified information. This applies to both Secretary Clinton’s email server and President Trump’s unfortunate meeting with Russian diplomats. Both carried the authority to disclose what they disclosed. One question remains: what damage might have ensued from each leak?
I would argue that in both cases the initial lapse of judgement did not explicitly damage the United States. In both cases, however, the subsequent brouhaha may have leaked classified information. I personally doubt that the country will suffer much from either leak, though that is based on my own assessment of national threats (a political opinion).
Emails are notoriously hard to validate. Emails are like typed, signed contracts with no section or page numbers: you can take out or add whatever pages you want as long as you keep the signatures.
Intelligence expert Malcom Nance has tweeted that Wikileaks’ recent collection of Podesta emails contain “obvious forgeries.” It is hard to detect emails forgeries in general, but easy to find obvious forgeries. For details, check out Chapter 15 of Elementary Information Security, my textbook.
I searched recent news reports highlighting specific Podesta emails. I looked at about a dozen of those emails, plus similar “unimportant” emails. I checked the email delivery data for tampering or forgery. The email headers look correct. Thus there are no “obvious forgeries.”
I’m not often a fan of conspiracy theories, except for entertainment value. This one is interesting because it combines international intrigue, the elections, and our world of notoriously poor email security.
The conspiracy arises from foreigners trying to influence the United States election. They spy on unprotected emails and leak the contents to influence US public opinion. This isn’t limited to attacks on the Democratic candidate Hillary Clinton. Some suggest that Fox News and the Trump campaign have also been attacked this way.
We could be blocking this threat, except that pressure groups within the government want to leave as much information unprotected as possible, notably law enforcement and intelligence agencies. I think we face a greater threat from foreign exploitation of our unprotected emails than we face from impeded investigations or even a few terrorist bombs.
Early last month, Edward Snowden criticized former Secretary of State Hillary Clinton for obviously and intentionally mishandling classified information by using a private email server. A recent Huffington post argues that, if true, Snowden’s comments could cost Clinton the Democratic Presidential nomination.
This rests on technical questions of security and classified information. Based on the information I have seen, Clinton committed no crime. Her security mistakes are typical of politicians of her (my) generation. She was exercising the authority and discretion (or lack thereof) belonging to her role as Secretary of State. I will explain why.
DISCLAIMER: I personally neither support nor oppose Hillary Clinton’s bid for a Presidential nomination.
UPDATE (March 22, 16): Richard Lempert, a professor of law and sociology, has posted a more detailed parsing of the laws and regulations to come to the same conclusion.
The text attached to this post was submitted as a web site comment. No doubt some spambot was supposed to select randomly from the text to produce a unique-looking spam message. I know I’ve received lots of spam comments that this script might have generated: personal-sounding messages that are content-free.
I’ve used similar scripts to show how one could generate several different texts that all mean the same thing but contain different digital content.
