Computer security veteran Dr Alan Solomon shares his reflections on the NSA electronic snooping debacle that has been dominating the headlines.
Hey, hey, NSA, did you read my blog today?
I don’t think so. Not because it’s encrypted, it isn’t. Not because they can’t, because they could read it as easily as you can. But …
It’s like this.
During World War II, the British set up a huge organisation at Bletchley Park to read the German Enigma traffic. It was worth doing, because all of the communications were between military units, and many of the communications had valuable intelligence. It was even more worthwhile to crack Tunny, because that carried the most secret communications between OKW (armed forces HQ) and the generals in the field. Hence Colossus; indeed, hence ten Colossuses.
You can see one of them in action at the National Computer Museum in Bletchley Park – recommended.
The point is, a large percentage of what was intercepted, was useful.
Now consider the internet. Quigglebytes of information every day, mostly pictures of kittens doing cute things and teenagers sending each other pictures of what they did at the party. Millions of bloggers blurting unconfirmed guesses to each other, endless Facebook posts about outings to Disneyworld and a flood of tweets about what I just had for breakfast.
Somewhere in that lot, there’s maybe a few people plotting to do something bad.
The problem is, there’s only going to be a few such things. And some of them will be in an unbreakable code.
Many people think that there’s no such thing as an unbreakable code. To them, I have the following message:
You can subject the “G” above to as powerful a computer as you like, and you won’t be able to decide whether the cleartext is “Buy another cabbage” or “Please send me two dollars” or any other of an unlimited number of possible messages. That’s just one example of an unbreakable code. There’s lots of others.
If you were, for example, wanting to discuss the planning of something very naughty, you’d talk about a “stag party”. Or a barmitzvah. Or lunch. And the recipient would know what you were actually meaning.
Bad guys probably know this already. And so that reduces even more the number of messages that you might intercept that lead to bad things for bad guys. Oh, and the other thing that most bad guys probably know is that if you use the internet, or the phone system, for plotting to do bad things, you’re barmy.
So, we’re looking for a needle in a very large haystack. That’s bad enough, but one of the big rules for searching for a needle in a haystack is, “don’t start off by making the haystack a lot bigger”.
So that’s why I don’t believe the stories that are going round about the NSA reading and analysing all internet communications. It fails a test that is commonly not applied – “does this actually make sense?”
If I were the NSA, which thank the lord I’m not, sir, then what I’d do is analyse email headers. Email headers tell you who the email came from, and who it’s destined for. And those cannot be encrypted, because email works by being stored and forwarded from server to server, and that can only work if each server in the chain knows where the email is trying to get to.
Here’s a typical chain of servers that handled one of the emails I received recently:
internal.ip.redacted (the IP is 18.104.22.168 which actually turns out to be telstraclear.net, which is Vodafone New Zealand, which fits in with what I already knew about where my correspondent lives)
That’s a list of the servers that handled the email as an email. So from this, I know who sent the email (my pal Nick), and who it was for (me). And all the servers in between also know this. But there’s more servers in the chain, those that just store-and-forward packets, not caring whether it’s an email or a web access. So I did a traceroute to virus-l.demon.co.uk, and here’s a list of the servers that it passed through:
cw.net is Cable and Wireless, a very big noise in the internet packet transit business. So if you can persuade them to give you a copy of all their traffic, you have a copy of my emails to
And you could do the same with the other big packet transiters, there’s not a great many that you’d have to talk to. And the info in that header isn’t encrypted (it can’t be if you want your email to arrive) and it’s public, in the sense that it’s read by every server in the chain.
So, given that information, what I’d do is make a map of who is communicating with who.
And if I had someone who I knew was a major bad person (because some reliable source gave me that info) I’d be able to easily see who he was communicating with, and who they were communicating with, and so on, and maybe match that up with other known-bad-people. So you could build a map of bad-guy clusters.
And to do that wouldn’t be an awfully big job; it wouldn’t need the ridiculous amount of storage and processing power that you’d need if you tried to embrace the full haystack.
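To make concrete how much the unencrypted header fields give away, here is an added example (not from the original post) that builds the who-talks-to-whom map from From/To/Received headers alone and walks outward from one known address. All addresses, relay names and messages are constructed, and the function names are this example's own; the message bodies are opaque and never read.

```python
from collections import defaultdict, deque
from email import message_from_string
from email.utils import getaddresses

def sample(sender, rcpts, relays):
    """Build one constructed RFC 5322 message; the body is an opaque blob."""
    received = "".join(f"Received: from {a} by {b}; Mon, 1 Jul 2013 10:00:00 +0000\n"
                       for a, b in relays)
    return (f"{received}From: {sender}\nTo: {', '.join(rcpts)}\n"
            "Subject: lunch\n\n<encrypted body, never read below>\n")

# Constructed traffic: every address and relay name here is invented.
HOP = [("mx1.example.net", "mx2.example.org")]
RAW_MESSAGES = [
    sample("seed@example.org", ["bob@example.net"], HOP * 2),
    sample("Bob <bob@example.net>", ["carol@example.com", "dave@example.net"], HOP),
    sample("dave@example.net", ["gina@example.com"], HOP),
    sample("erin@example.com", ["frank@example.org"], HOP),  # unrelated pair
]

def envelope(raw):
    """Return (sender, recipients, relay_count) from header fields only."""
    msg = message_from_string(raw)
    sender = getaddresses(msg.get_all("From", []))[0][1].lower()
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sender, [addr.lower() for _, addr in rcpts], len(msg.get_all("Received", []))

def contact_graph(raws):
    """Undirected who-talks-to-whom map built from sender/recipient pairs."""
    graph = defaultdict(set)
    for raw in raws:
        sender, rcpts, _ = envelope(raw)
        for rcpt in rcpts:
            graph[sender].add(rcpt)
            graph[rcpt].add(sender)
    return graph

def hops_from(graph, seed, max_hops=2):
    """Breadth-first search: addresses within max_hops of the seed, with distance."""
    dist, queue = {seed: 0}, deque([seed])
    while queue:
        node = queue.popleft()
        if dist[node] < max_hops:
            for peer in sorted(graph.get(node, ())):
                if peer not in dist:
                    dist[peer] = dist[node] + 1
                    queue.append(peer)
    return dist
```

The storage cost is one small record per message, which is the point of the argument above: encrypting the body changes nothing in this map.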
But, given the email address, how do you get the street address? Because the email is delivered to a particular IP address, and with a suitable court order, you can get an ISP to give you the real-world details of who was using that IP address at that time. Tough luck if that turns out to be an internet cafe, or a public Wi-Fi access point, but you could always do a stake-out and hope to scoop them up later.
So I don’t think that the NSA, or GCHQ are reading the unconfirmed guesses in this blog, even though I used the word “lunch”.