Webmail as Dead Drop

I noticed this amongst the details of the Petraeus scandal:

Petraeus and Broadwell apparently used a trick, known to terrorists and teenagers alike, to conceal their email traffic, one of the law enforcement officials said.

Rather than transmitting emails to the other's inbox, they composed at least some messages and instead of transmitting them, left them in a draft folder or in an electronic "dropbox," the official said. Then the other person could log onto the same account and read the draft emails there. This avoids creating an email trail that is easier to trace.

I remember that the 9/11 terrorists did this.

Posted on November 14, 2012 at 12:28 PM • 68 Comments


BryanNovember 14, 2012 12:52 PM

email is one thing... if a recipient complains, you can trace to the sender's account, and with a "writ", see all other msgs sent/received if it's a public email service like gmail. From there, you can go further, perhaps, but...

I'm curious about the dead drop. How was it discovered if the protagonists didn't disclose it? If no email was ever sent or received from the dead drop, how was it discovered?

Does google have a gmail team that monitors for dead drops and reports them to the FBI?

wiredogNovember 14, 2012 12:55 PM

The Gmail interface has a "Drafts" folder. So I imagine it's fairly easy to find them.

Anonymous CowardNovember 14, 2012 1:04 PM

Calling it a dead drop is giving the poor tradecraft these two practiced way too much credit. You'd think the head of the CIA would at least use TOR.

LenNovember 14, 2012 1:06 PM

I use DeadDropbox.

Seriously, it avoids traffic analysis of SMTP, which we can safely assume the Feds have complete information on--but it replaces that attack with traffic analysis of http(s), which we should assume they have equally complete knowledge of.

Somehow it seems on par with locking the back door (with a crappy hardware-store lock), and going in and out of the window instead. Or something.

charlieNovember 14, 2012 1:08 PM

I think the point Bryan is making is absent a court order, Google shouldn't be giving out passwords to emails accounts.

The 180 day rule (and that drafts/sent) mails are protected is probably the key factor here.

Which also means it is very possible they haven't found all the emails/communications -- just the easy ones. Given the nature of their relationship, I hope we have some good pictures coming up.

ShialNovember 14, 2012 1:10 PM

Gmail records the IPs used for access.

In the very bottom of the inbox it shows last activity and a details link in small text that shows from where the account was accessed along with the IP address used.

AlanSNovember 14, 2012 1:32 PM

Politico on the Deaddrop:
"Petraeus sends Broadwell sexually explicit messages through his Gmail account, messages so explicit that they leave no doubt in the minds of FBI investigators that the two are having an affair. Got that? The head of the Central Intelligence Agency thinks Gmail accounts are secure and untraceable. What, he couldn’t have checked with a tech-savvy 12-year-old first? (Which is about every 12-year-old in America.)"

InfoWorld on the real scandal:
"The irony, says Greenwald [in the Guardian], is that in this instance the spy state managed to bring down the world's No. 1 spook. Surveillance run amok is the real scandal. But you're not likely to see much coverage of that amongst the flowcharts, the snarky headlines, and the sex."

Guardian commentary on having a friend in the FBI (who also, as it happens, needs to think twice before using e-mail):
"So all based on a handful of rather unremarkable emails sent to a woman fortunate enough to have a friend at the FBI, the FBI traced all of Broadwell's physical locations, learned of all the accounts she uses, ended up reading all of her emails, investigated the identity of her anonymous lover (who turned out to be Petraeus), and then possibly read his emails as well. They dug around in all of this without any evidence of any real crime - at most, they had a case of "cyber-harassment" more benign than what regularly appears in my email inbox and that of countless of other people - and, in large part, without the need for any warrant from a court."

BrettNovember 14, 2012 1:35 PM


I think the main thing to take away from this is that the FBI will launch an investigation, get a list of IPs that have accessed an address, read all emails that those IPs have ever sent/received, and investigate other people they've contacted, all without a court order. And all based on a few vaguely (but not really) threatening emails sent to a friend of an agent, too.

Atanas EntchevNovember 14, 2012 1:43 PM

The "Webmail as Dead Drop" method is repeatedly discussed on the British TV series MI-5 (known in the UK as "Spooks", running since 2002), and thus known to its millions of users worldwide. It can hardly be considered "secret".

Rather embarrassing that this is the best the CIA director could come up with.

Rob GravesNovember 14, 2012 2:04 PM

Without having read much detail, it seems to me that what Pertraeus was trying to hide was an affair and not major espionage activity. I doubt he thought he was hiding it from the FBI, just his wife.

FigureitoutNovember 14, 2012 2:57 PM

I remember the 9/11 terrorists did this
--Maybe the FBI has one of those "lists of suspicious behavior". Demand records from google on gmail acct's that get log-ins and store but never send.

@Brett and @Atanas Entchev pretty much sum up my take aways. He's a general too. Got caught up w/ the thrill of risky sex and chances of being caught (been there done that); just like the teens in a car right outside my home who got to meet Mr. Policeman.

And the age-old spy tactic of "sexual agents" remains. And I guess I can air my joke about social engineers having "physical access" to a machine and you're "screwed".

Clive RobinsonNovember 14, 2012 3:07 PM

@ David Cooke,

This is the same trick that the recently-convicted Canadian Navy spy used

Hmm Navy spies are thick on the ground at the moment...

In the UK a Navy Petty Officer on Nuc Subs was broadcasting all sorts of secrets via his almost continual tweeting...

Sadly he's pleeded guilty yesterday so the interesting bits will probably not get out...


zNovember 14, 2012 3:09 PM

For years people have been saying your steganographic messages (in never-seen photos) should come with a mildly awkward cover story.

But I still lean toward the simple and stupid explanation.

BenNovember 14, 2012 3:17 PM

It strikes me as odd that they were paranoid enough to want to cover up a potential email trail and not paranoid enough to do it properly. If they'd used basic encryption and deleted the things after reading, they wouldn't be in this pickle.

Brandioch ConnerNovember 14, 2012 3:18 PM

@Rob Graves
"I doubt he thought he was hiding it from the FBI, just his wife."

The problem is that he WAS hiding it from his wife.

Which means that it could, potentially, be used to blackmail him. Him being the head of the CIA.

karrdeNovember 14, 2012 3:20 PM


from my meandering wander through the news stories, it appears that Ms. Broadwell used the 'secret' gmail account as a source for a threatening message to another woman.

That other woman happened to have a friend who was in FBI agent.

Once the FBI agent got the investigation rolling, the FBI discovered that Petraeus was involved.

yunoencrypt?November 14, 2012 3:26 PM

Google uses IMAP, which automatically stores drafts. If there's a newspaper story about convicted spies and disgraced DCIs using the exact same stupid method, that's the definition of amateur hour. (@Bryan @wiredog @David Cooke @Figureitout)

Petraeus wasn't even using SMIME, PGP, VPN, Tor, VPN over Tor, or even a separate IM account. Any of these would have stopped the FBI investigation cold or at least severely hampered it.

Is this the event that causes a shitstorm over the lack of privacy in the cloud? If this doesn't make people^H^H^H^H sheeple wake up, nothing will.

phil-62November 14, 2012 3:38 PM

Our country's top spy apparently is too clueless to use encryption. That alone should cost him his job.

DavidNovember 14, 2012 4:21 PM

For those suggesting that Petraeus use some kind of encryption think about the ****-storm that would have been kicked up if someone found TOR on his computer, or found that he was sending PGP encrypted emails to another individual.

Much better that he wasn't using encryption so that we know he was only sending dirty picture and not nuclear secrets.

iNovember 14, 2012 4:36 PM

At first I thought the FBI investigating based on a few emails was overreaching, but then I heard a news report that did change my mind.

The anonymous threatening emails apparently had some references to places or events that Petraeus had been at particular times ... now consider you're an agent looking at these emails and you validate those references.

You've got an anonymous person who doesn't seem to be fully stable sending threatening emails and who seems to have very specific details about the movements of the director of the CIA -- you can't just brush that off.

That it turns out to be a jealous lover is no surprise, of course, but I think it is too far to go to say that it should not have been investigated to find the source of the emails.

Legitimate questions can be asked about how the whole thing became so public and if it renders him unfit to serve. But in this case, I would not really blame the investigation

RobertTNovember 14, 2012 4:42 PM

what disturbs me about this is that there is no reference to them having used a sanitized access PC and untraceable IP.
Are they really that clueless?
We are talking about the head of the CIA here. Surely every 15 yearold knows that Google logs the MAC address and IP address of ALL accesses to ALL gmail accounts. It is a very simple step for Google, or anyone with access to the data base, to determine which gmail accounts are "Drop boxes". And furthermore they know exactly who the parties are that communicate through these "drop-boxes" by just listing the other gmail accounts accessed with this MAC address.

It's just really poor trade craft. Think of it this way, if the FBI can discover this communication then so can every other state security organization in the world.

GodelNovember 14, 2012 4:51 PM


But if he'd been using Tor properly (in a secret volume within a Truecrypt disk) then maybe they wouldn't have found out.

It still amazes me that highly intelligent, high achievers with lots to lose can still get caught up in this stuff. Makes me feel better about myself. :)

And it's just as often the women who are the crazies; remember the female astronaut with the pepper spray, the restraints and the adult diapers who went on that field trip?

Clive RobinsonNovember 14, 2012 4:51 PM


As a mater of interest has any one here actualy tried to use TOR with GMail?

The last time I looked into it GMail was not playing nicely with known TOR exit nodes and back in 2006 they appeared to be bugging the users webbrowser in various ways...

SVLNovember 14, 2012 4:57 PM

Rob Graves on the money.

Do you suppose the FBI has now caught every U.S. official with security clearance that is having an affair?

If this guy had used real security it would have made things far worse. He made no attempt to seriously conceal his activities from his government, and rightly so.

They don't need to care if he is having an affair, and rightly so. That's a matter between him and his wife, not a matter of national security.

And because he was sensible enough to not seriously conceal his correspondence, they didn't need to worry about national security.

BenNovember 14, 2012 5:58 PM

For those suggesting that Petraeus use some kind of encryption think about the ****-storm that would have been kicked up if someone found TOR on his computer, or found that he was sending PGP encrypted emails to another individual.

I think it'd just have been dropped. If they'd kicked up a storm about it, then they'd have had to admit to what they were doing, and the rather shaky grounds for it, before they had any blackmail material.

I don't think they'd get authorisation to push the issue to get to read the files just on the pretext that they can't. Too many people in power who stand to lose if there's a precedent for some random FBI tech reading their emails on little more than a whim and a dare.

MichaelNovember 14, 2012 6:02 PM

Petreus is notoriously detail-oriented and cares deeply about his image.

Yet in this case he was careless.


Possible cause of security failure: Arrogance. Or shame.

AlanSNovember 14, 2012 6:10 PM

EFF has posted an "An Email Privacy Primer in Light of the Petraeus Saga" that covers the legal aspects:

@SVL "Do you suppose the FBI has now caught every U.S. official with security clearance that is having an affair?

Don't know but it is amusing that the surveillance state is now catching the people who are in charge of running it.

EFF's hope is that the scandal will prompt Congress to get serious about updating privacy law as it did after Bork etc. Wishful thinking?

AlanSNovember 14, 2012 6:19 PM

EFF also has interesting details on the 'harassing' e-mails:

"While Paula Broadwell reportedly created a new, pseudonymous account for the allegedly harassing emails to Jill Kelley, she apparently did not take steps to disguise the IP number her messages were coming from. The FBI could have obtained this information with just a subpoena to the service provider. But obtaining the account's IP address alone does not establish the identity of the emails' sender. Broadwell apparently accessed the emails from hotels and other locations, not her home. So the FBI cross-referenced the IP addresses of these Wi-Fi hotspots “against guest lists from other cities and hotels, looking for common names.”"

Dirk PraetNovember 14, 2012 6:46 PM

Even if Petraeus knew how to use encryption, anonymous remailers, OTR chat or darknets, surely he must have realised that this would have drawn someone's attention at some point, especially in a country where terrorist paranoia has been ruling supreme for the last decade.

This thing could probably have gone on for years if it wouldn't have been for the email threats sent to the third party, who happened to know someone at the FBI. What I'm having a bit of an issue with is who in the bureau authorised an agent to pursue something as ordinary as email threats, and for what particular reason ? I've got a relative in law enforcement too, but I can tell you that he would be sacked on the spot if anyone found out he had violated a citizen's mail privacy without the proper authorisations, whatever came out of it.

The most hypocrit side to this story to me however is that US authorities and general public alike seem to be more concerned about a former general's private life than about the countless casualties their wars on foreign soil are making on a daily basis. If indeed all the FBI investigation found was proof of an extramarital affair, they could just have well have kept this behind closed doors as it is nobody's business other than that of the parties directly involved anyway. Petraeus could then have stepped down for "health reasons", end of story. From a national security angle, the only thing that could have been held against him is exposing himself to possible blackmail by state or other actors.

As usual, I suspect there's more to this story than what we are being told. I find it hard to believe that a person with such a distinguished career as Petraeus is being publicly crucified instead of being granted an honourable way out over something as ridiculous than this. Then again, I found the same thing about the Clinton/Lewinsky affair, which almost had a president impeached.

TorstenNovember 14, 2012 7:13 PM

As a mater of interest has any one here actualy tried to use TOR with GMail?

Yes. It works fine unless Google has blocked that particular exit node. But then you just have to click a new identity. And more often than not it works.

Better that Tor alone, as Lulzsec discovered, is VPN over Tor. Even if compromised, the VPN server cannot identify you, there is no leakage over Tor, and no issues with Tor exit nodes.

And the idea that Petraeus cannot have private encrypted communications is absurd. Everyone, including CIA staff, gets secure comms (almost) every time we hit a https link.

Shawn SmithNovember 14, 2012 7:16 PM

Dirk Praet,

... Then again, I found the same thing about the Clinton/Lewinsky affair, which almost had a president impeached.

Ummm, Clinton was impeached (indicted and tried) just not convicted. Andrew Johnson was impeached (indicted and tried) and missed conviction by one vote. Nixon was probably about to get impeached, but he resigned before the articles could be finished and the Ford pardon prevented it from happening later.

Peter MaxwellNovember 14, 2012 8:01 PM

As folk have mentioned, if he used "proper" tools then it would have been quickly noticed. Most mid-sized companies notice/stop unapproved software. Langley would surely notice a rouge tool on one of their systems/devices very quickly.

Again, email traffic to strange people starts becoming obvious after a while. So the idea of using the account itself to send messages is probably the best of a bad bunch.

Although quite why the US government have hung him out to dry is the real question. If marital infidelity is running at around 25%, surely the common practice will be to carefully look the other way; if it weren't, there would be far, far more influential figures resigning. This sounds more like a hatchet-job.

Nick PNovember 14, 2012 10:41 PM

I thought the email drop thing was a bit clever when I first heard of it. I regretted that I hadn't thought of it first. Later on, I decided differently. My covert communications schemes assumed any overt messages via untrusted third parties would be intercepted. This proved to be true over time. My designs worked around that, sometimes through it.

Out of band, old school methods are still the best for spies. There's still too many ways for a digital system to be subverted for it to be trusted if physical security fails. That said, my favorite communication method is sending encrypted info over covert storage channels that are themselves random-looking. This can be peer to peer over innocent-looking communications or through a seemingly neutral third party service. Clients on each end extract the info piece by piece, apply error correcting codes, & decrypt the result.

A carefully subverted server in between both parties can help TREMENDOUSLY by (1) allowing use of standard, high volume protocols like HTTP/TCP & (2) moving the information between sessions. Like most good subversions, it should be hidden away from common forensic methods & only activate upon receiving a trigger.

A good out of band method is having a separate network. Years ago, some locals into darknets wanted a dedicated network for us. I settled on a WiFi network with directional routers. I wanted one of the Free Space Optics links (ideal) or WiMax, but they were beyond out of budget. The group often used LiveCD's for private comms & strangers would be noticed in their area. So, directional antennas + secure tunneling made for a very private network.

So, this leads me to think a private network is a possible solution to covert comms for some people. The idea just needs to be improved upon. A TSCM team will find bugs. However, many basic checks look for common spectrum. So, it seems that point-to-point comms with infrared or 10GHz spectrum might have advantages. That CodedTCP scheme might even help on the low bandwidth versions. I've also suggested running TEMPEST in reverse: intentionally leaking information in a highly recoverable way to a Receiver nearby. Doubt most TSCM guys look for that. Anyone with any other ideas that might evade govt nets & audits?

Tyler ThompsonNovember 14, 2012 11:50 PM

You do have to realize that this evolved rather quickly from a cyber crime investigation to a counterintelligence investigation. They are treated substantially differently by the FBI, both in terms of priority and scope.

Reports show the harassing emails came from 5 different accounts, and the agents discovered potentially classified details of D/CIA's travel schedule in making the connection from "fake accounts" to "real account" - at which point it would be perfectly reasonable to expand the scope to CI. Obviously the integrity (I know, I know) of D/CIA's operations would indicate a much higher national security priority for the bureau to look into.

Also, because both individuals had SECRET or higher clearances, they likely consented at some point to possible CI investigations, making the 4th amendment argument less applicable.

VlesNovember 15, 2012 1:32 AM

I always like to compare the American Empire with the Roman and am surprised she wasn't smuggled in, "dead-dropped"-rolled up-in-a-carpet like Cleopatra ;)

EncryptionAin'tEasyNovember 15, 2012 6:21 AM

People make fun of Petraeus for being careless, but you have to understand that the DCIA has his hand held when it comes to electronic security. All that stuff is done by others for him at the CIA. He just points and clicks since there's no need for him to understand the low-level details of it. And even if he was technical, it isn't easy teaching someone else (Broadwell) how to use encryption.

But I don't think the FBI should have been investigating this in the first place. Harassing e-mail is *not* something they would waste time on. If this is the real story of how the FBI got involved, then the agent "friend" of Jill Kelley should be fired immediately.

j4m3s b0ndNovember 15, 2012 6:44 AM

"A TSCM team will find bugs"

maybe, maybe not. but you can bet these few well known, on the web anyway, teams have ties to LE/TLA and if you dont have a bug now, you might soon enough!!!!!!!

OnionNovember 15, 2012 8:29 AM

the DCIA has his hand held when it comes to electronic security

At work sure, but not in private. It's doubly bad if Petraeus was using government computers to conduct personal affair. But you can't simultaneously argue that DCIA has a right to privacy and that he can't use encryption in private. That he didn't is really dumb. It's not that fricken' hard.


RookieNovember 15, 2012 8:58 AM

@ Dirk Praet - While having Europeans voice their disdain at American social mores, morals, politics, and viewpoints is always refreshing, enlightening, and so very welcome, the fact that the married and respected head of the CIA was in an illicit extramarital affair is not a benign event. There are many careers that allow your professional life and your personal proclivities to remain separate, but running the CIA is not one of them.

The intersection of sex and spying has a long and illustrious history that goes back a lot farther than Mati Hari.

TualhaNovember 15, 2012 9:24 AM

I remember a character in a Spider Robinson novel describing this method, and her interlocutor being totally amazed at the brilliant idea - because no data moves between computers, so it's foolproof! DUH! Spider's a good writer but he is SO clueless about computers.

derpNovember 15, 2012 9:28 AM

SVL said:

They don't need to care if he is having an affair, and rightly so. That's a matter between him and his wife, not a matter of national security.

Anything that can lead to you being blackmailed will put your security clearance in jeopardy. The government does not smile upon risky behavior.

Rathernot todayNovember 15, 2012 9:54 AM

From a military secret viewpoint, I would be very concerned about Jill Kelley and her sister. Both of them solicited high ranking army officers, used their influence to get access to the normally restricted areas of the military base as well as the officers, and both seem to like living well over their income. If I was looking for a source of military information, the sisters had access and could be bought off.

AdamNovember 15, 2012 10:19 AM

I don't think it would be hard for Google in cooperation with the CIA to develop tools that monitor for suspicious activity in a webmail app - users who appear to ping pong between IP addresses, or who appear to have a disproportionately high amount of activity in that folder.

Any wannbe spy should probably pick out somewhere else to do their business, preferably a host in another country for starts.

vasiliy pupkinNovember 15, 2012 12:13 PM

'Don't know but it is amusing that the surveillance state is now catching the people who are in charge of running it.'
In surveilance state everyone is object and subject of surveilance at the same time. The latter applies to those who conduct surveilance as well. They are subjects of legitimate surveilance within their own structure (horizontally), by other agencies (xref: horizontally - same level of the government, vertically - higher level of the government). That is how separation of powers working in alphabetic soup environment. Usaully they provide consent upfront for such surveilance as the condition of employment including personal time or just aware of such possibility as common knowledge .

DilbertNovember 15, 2012 1:10 PM


I ping-pong between IP addresses all day long on my gmail. I'm on my laptop/desktop either at home or work, and my phone is constantly switching IP addresses among various cell towers and open wifi hotspots (McDonalds, Starbucks, etc).

cluelessNovember 15, 2012 2:24 PM

could the reason that Petraeus used such an amateur-hour method (jointly-accessed draft email) be that he's a military man and not a spook?

RSaundersNovember 15, 2012 2:28 PM

Yes, it troubles me that the DCIA didn't encrypt his drop box. At least he was practicing a minimum of routine OPSEC in his daily life. I'm sure she saw it as paranoia, a side effect of him being in too many meetings discussing other gentlemen's email.

Suppose he gives her a Droid with a burn phone SIM in it and starts explaining how to use Droid Crypt to encrypt messages before putting them in the shared Google Drive dead drop. Maybe it's a turn on because she feels like she's in a spy thriller. More likely she thinks he's a paranoid nut.

Can you imagine the heat generated by the headline "CIA Head Encrypting Messages to Paramour"? It would be like a blast back to the cold war.

Anybody else think there is a tie into the debut of the new 007 movie Skyfall?

Nacnud NosmohtNovember 15, 2012 2:36 PM

RobertT wrote: "Surely every 15 yearold knows that Google logs the MAC address and IP address of ALL accesses to ALL gmail accounts."

Well, maybe every 15 year old knows it, but that doesn't mean it's true. :-) Yes, I'm sure they do log IP addresses. But the MAC address is gone after the first IP router hop, isn't it? (The source MAC address is carried in the ethernet (or other link layer) header, not in the IP header.) So there's no way for Google to log it, because they only see the MAC address of the last device that forwarded them the IP packet. The only way Google would see your MAC address is if you were on the same LAN as the Google server. (If I'm wrong about that, could someone please explain how Google gets the source MAC address?)

Regarding the questions about "why didn't he use tor" or other solutions that would have been more effective:

- I agree with the point others have made that, as a director, he wouldn't necessarily have had any real hands-on expertise. (I wouldn't expect the CEO of an auto manufacturer to know how to fix my car.)

- Also agree partly that he was just trying to keep this a secret from his wife, not trying to keep it secret from the govt., so strong security measures were not called for. But obviously it's more complicated than that. Because if others in the government know, it's going to create a scandal, and then his wife is going to find out, so he's forced to try to keep it a secret from his employer (the CIA) and the counterintelligence folks (the FBI). So, should he have really tried hard to do that? Probably a very bad idea.

So, he cheated on his wife, tried (but not very hard) to hide it, and got caught. I feel bad for his wife, and think he has to answer to her and, unless she had agreed to an open marriage, he has to answer to his own conscience for cheating on her. In my personal opinion, I don't think this should be grounds for his resignation, as long as he didn't do anything illegal and there was no release of classified information. But... as a practical matter, given the world we live in, this was bound to end his career.

He had an affair, tried to keep it secret, it came out, he resigned. End of story, really.

Doug CoulterNovember 15, 2012 2:50 PM

Anytime something like this happens, my other BS alarm goes off. Knowing how things work, a little, this looks to me more like "hey, look at this shiny thing" just like a magician does to distract you while the real trick takes place.

What is this the cover distraction for? That should be the real question. Yes, we know a ton of bad news was "postponed" till after the election - politics as usual. But that's done now, so why this?

And yes, the FBI agent who used gov resources to check on something for his "girlfriend" should be brought up on charges - and stop charging me for his salary. It was only luck he found something "interesting" after all - he was guilty malfeasance in his duty to stick to his real job - and last I heard, it's a crime to use government resources for private use, at least if you're a little guy.

ZaphodNovember 15, 2012 3:43 PM

@Doug Coulter. -- word on the street, at least in the UK, is that it was done to prevent the General appearing before and providing testimony to the congressional hearing into the unfortunate events in Benghazi.


chris lNovember 15, 2012 4:24 PM

What Tyler Thompson pointed out in his last sentence:

"because both individuals had SECRET or higher clearances, they likely consented at some point to possible CI investigations, making the 4th amendment argument less applicable."

is true for virtually any government employee or contractor these days, whether they have a clearance or handle sensitive information or not. In order to get a PIV-II badge you have to sign an essentially unlimited release authorizing third parties (regardless of any prior privacy agreement) to provide any information about you or that they hold on your behalf. It likely won't get them medical records (due to HIPAA) but when you sign, they also tell you that they can come back and demand a HIPAA release and if you don't agree to it, you're out.

SpiesOhNozNovember 15, 2012 4:44 PM

Pretty sure this kind of insecure behaviour is par for all spy orgs worldwide. Remember the Russian spies that were caught embedding msgs in images and then wirelessly transmitting to each other at cafes? Feds simply intercepted the open wifi and decoded it easily. Nobody seems to be using real encryption unless its already set up for them foolproof like how the NSA secures phones.

The Cdn col that turned out to be a serial killer didn't encrypt his drive either. The Israeili spies who assassinated that guy in Dubai just reused other peoples passports and the quality was slipshod, your amateur cyber criminal peddling fake IDs on darkmarkets does a better job.

A Chinese spy they nabbed in Canada was just plain text emailing the embassy stolen corporate intellectual property from an internet cafe.

Seems the military and intel agencies are useless at security if it weren't for agencies like the NSA or FBI handing them easy to use comsec

BongPatrolNovember 15, 2012 7:31 PM

You'll never know. The fact that insecure behaviour exposes some spies doesn't imply that many, many other spies don't properly use security to remain hidden. ie. We only hear about the failures and cannot infer how many are successful.

Nick PNovember 15, 2012 10:31 PM

@ BongPatrol

"You'll never know. The fact that insecure behaviour exposes some spies doesn't imply that many, many other spies don't properly use security to remain hidden. ie. We only hear about the failures and cannot infer how many are successful."

I agree. You already see examples in surveys & observational studies on bad behavior. From lying to stealing, people successfully do it way more often than they're caught or punished. You see this with the hackers too. How many people reading this blog or attending DEFCON have hacked into a system they didn't own? Or supplied false information to companies or web sites? And how many were even investigated? I rest my case.

Certain obscurity techniques work pretty well until they look at you closely. Then, fewer such techniques work. Then, as you're put under a microscope, security by obscurity starts to fail & whatever you're using better be well-thought out. I like to combine sound security engineering techniques with obfuscation & a bit of creativity. Comes with risk if the best are after you, but stops most of the rest.

FigureitoutNovember 16, 2012 12:27 AM

The most hypocrit side to this story to me however is...
@Dirk Praet
--Have you ever had basically all your networks probed and all your rights violated? Do you understand what we in the 'States are dealing with? Merely speak out, see what happens; I know. The world should know that we Americans aren't as "dumb" as we are made out to be; that is quite the false stereotype, the smart ones you won't hear about and they may be working in your country. I give 2 sh*ts about what this guy does with his...or him to be honest.

AutolykosNovember 16, 2012 5:19 AM

@Dirk Praet: I can't see how using OTR messaging makes him look especially suspicious. People use it all the time, and he above all has good reason to keep private conversations private (risk of blackmail, kidnapping and whatnot).
Any other kludges (like his one, or using Tor, VPN-Tunnels, etc) are a lot more suspicious, and not even designed for what he did with them (and this is why he fails).

Clive RobinsonNovember 16, 2012 7:13 AM

@ SpiesOhNoz,

Pretty sure this kind of insecure behaviour is par for all spy orgs worldwide.

Close but no cigar as they say, you should have left out the word "spy".

Communications confidentiality in it's many guises is "hard" and getting harder on an almost daily basis.

Whilst we may have moderately secure encryption algorithms we still cannot build them into systems that are even remotely secure on commodity equipment such as PC's and have them be usable in any way that most people would regard as usable and still be secure.

For instance take AES, whilst the algorithm is secure in theory... in practice actually building a system around it, that does not open up side channels whilst it is being used is very very hard.

It requires specialised hardware if it is to be used in any kind of "online" mode [1], and most people have no idea of how to use electronic equipment such as a PC in what is in effect an "offline" mode iin a way that would be secure [2].

Then there is the issue of having such equipment in your possession is a dead give away that you have the desire or need to hide information. In some countries possession of such equipment is illegal and operating it could well involve the user in a whole world of pain.

In times past this problem was solved by not using crypto equipment and instead relying on the user being able to carry out a series of steps with pencil and paper in a reliable manner. Almost invariably this gave rise to problems with either the process being of a complexity where mistakes almost always happened or the user had to carry around a large amount of Key Material (KeyMat) which would if found on the user or amongst their possessions be as daming as having cipher equipment. In the case of some Russian Spies their One Time Pad KeyMat was printed up on cigarette paper soaked in potash or other oxidizing solution such that once lit it would burn beyond ash in just a second or less.

So the problem with using encryption is the ordinary human one of poor memory and other human failings limiting or compramising security.

One such human failing is using pencil and paper on an "impresionable surface" which most people have seen demonstrated by lightly rubing a pencil across the next blank sheet of paper in a pad to reveal what had been written on the sheet above. What most people don't realise is few surfaces are sufficiently hard, wood and many metals will hold an impression. Even some sufficiently hard surfaces such as glass will hold disturbances in a thin layer of grease or cigarette smoke or other deposit on them so need to be properly cleaned before and after use.

Thus the chance a person under stress or other emotion will make a mistake that can be picked up is quite high.

Some while ago I posted a link on this blog (for @ Nick P's and others ammusment) to a story from a journalist on a major UK newspaper that had reason to set up secure(ish) communications, and they failed miserably. Now I know journos are often considered in a poor light, but in general they are reasonably intelligent people who have to take security precautions on a regular basis to protect themselves and their sources. If they cann't get secure comms right what hope for the rest of us mortal humans?

I can tell you from practical experiance with having to set up and maintain secure comms across open channels and generate and maintain KeyMat for organisations with a need for very high levels of confidentiality even with the best of training and high calibre operators mistakes are made more often than I or the organisations would like. Generaly most people get the hang of operating encryption systems be they devices or pencil and paper and OTPs, what they usually fail misserably on is the use and handeling of KeyMat especialy it's secure destruction.

[1] The meaning of "online" and "offline" modes in communications confidentiality has a defined meaning that predates WWII let alone the Internet. It dates back to the times of teleprinter trafic and punched paper tape. The number of symbols that could be sent down a telex line pair (physically the same as a telephone) was measured in baud (not bits because one baud could represent multiple bits) and it was easily greater than most typists could manage, thus several typists would type messages "offline" to punch tape which would then be sent by a reader that was attached to the line in "online" mode.

[2] Even when equipment is used "offline" it uses energy some of which will unless suitable precautions are taken will be radiated from the equipment via any available channel. To be secure in TEMPEST usage it basicaly means that "no compromising eminations are detectable whilst the equipment is in use". This does not mean that energy is not radiated, jusst that which is radiated does not convey any information other than the equipment is on. In more modern EmSec usage it additionally means "whilst the equipment is in use it is not susceptible to radiation that would cause a compromise of function or security". In both cases the transfer of energy to (susceptibility) and from (eminations) the equipment means all energy that is measurable so not just electromagnetic but acoustic, mechanical etc and in all channels.

Dirk PraetNovember 16, 2012 7:19 AM

@ Rookie

There are many careers that allow your professional life and your personal proclivities to remain separate, but running the CIA is not one of them.

There are plenty of cases where folks got away with much worse than Petraeus. From the top of my head, the private life of one J. Edgar Hoover comes to mind ( recommended reading: "Official and Confidential" by Anthony Summers)

I appreciate (many) Americans having a different view on certain moral issues than us Europeans, but what keeps surprising me is the double morale that often goes with it. The best way I've ever heard anyone sum it up is that for an alien it would be kinda mindboggling that you can get millions to cheer in extacy when two men are beating the crap out of each other in a boxing ring, but that the same audience would be utterly disgusted if they were to make out. Not to say that this is an American thing only.

@ Figureitout

No one is implying that all Americans are dumb. Quite to the contrary, I'd say. Many Europeans just don't understand what all the fuss is about and why people are getting so worked up about it. I remember former French president Mitterand's famous reply "Et alors ?" (So what ?) when some idiot journalist at the time tried to grill him over a daugher born out of wedlock. If I were Petraeus, I wouldn't have stepped down and instead have told everybody to go *bleep* themselves. Then order an investigation on who saw fit to violate my privacy in absence of any indication I was doing something wrong like compromising national security.

@ Autolykos

I can't see how using OTR messaging makes him look especially suspicious

If you're not doing anything wrong, you've got nothing to hide, right ? Another fine example of double standards, where this is the attitude that is being expected of every good citizen, while governments and their minions are going to great lengths to do exactly the opposite where what they're doing is concerned.

JasonNovember 16, 2012 5:31 PM

I've always felt that IF they can crack RSA1024, they may go for it and let it out. If they can go higher than that, they'd probably let simple murder charges go even if they have to admit they can. Needless to say, AES goes with that too. Not saying they can, but if there's some quantum breakthrough out there that can do it they won't make it public over anything less than a major WMD issue. That's how I'd do it at least.

RobertTNovember 16, 2012 7:53 PM

@Nacnud Nosmoht

"The only way Google would see your MAC address is if you were on the same LAN as the Google server. (If I'm wrong about that, could someone please explain how Google gets the source MAC address?)"

I'm not sure about the mechanics of obtaining the source MAC address BUT I'd suggest you go and read the details of a very unusual extortion case that occurred in Sydney about a year ago.

The perp setup the gmail account using a publicly accessible computer a Chicago airport. This was done about 3 months before the email address was used as part of a blackmail scheme.

The case was very unusual because the perp put what he claimed to be a collar bomb around the neck of an 18 year old girl.

Well to cut a long story short the Australian police identified the perp quickly (presumably with the help of the FBI). The technical details of how the police linked this fake Gmail account to the perp VERY quickly were published in the days following the event. I've searched for the link but so far I'm unable to find it, I believe it was a report in "Sydney Morning Herald" probably between Aug 4th and 16th 2011. Now I could be wrong about the MAC address portion but I concluded that there was definitely a lot of PC specific information being stored with every gmail account access.

Here is another link unfortunately with no details as to how the email accounts were linked directly to the perp.


The story that I'm looking for, was a detailed how they linked this email account to other accounts that were clearly associated with the perp.

fireflyNovember 16, 2012 11:21 PM

"The only way Google would see your MAC address is if you were on the same LAN as the Google server. (If I'm wrong about that, could someone please explain how Google gets the source MAC address?)"

Windows and Mac users blindly download install and trust proprietary software all of the time, and it all starts with their Operating System! Any of these programs could report MAC addresses back to the mother ship, whether the data in transit is encrypted or not. Hell, your ISP could have shipped and/or installed proprietary software on your LAN, firmware on your modem and/or router (did you buy your modem/router from your ISP?).

Maybe they have a 'special deal' on an Antivirus product they want you to install, or some type of monitoring software under the guise of benevolence.

Do you really know what's in all of those Windows Updates, which, most of them claim to be fixing one remote exploit after another? (Read the descriptions of the patches - most of them are for exploits which could lead to a SYSTEM WIDE TAKE OVER OF THE SYSTEM! How long have they been in the wild prior to patching?)

Various proprietary and free bug/crash report programs send back information, often without informing you or by doing so in a way which resembles an annoying TOS agreement click through on most Windows Programs Installations. Why read through it when you can get rid of the window by clicking OK, SEND, or what not? Besides, you may be helping someone! More often than not, you aren't, but you're sending a lot of private information about your system, programs, memory, etc. to people you'll probably never meet and never know how your information is being used.

Some software for multi player games [may] record hardware information per user, per install - indie developed MODs they call them, or the game itself may have issues. Google for Blizzard WoW and trojan or rootkit for example.

Have we forgotten the Sony BMG Rootkit, which, at the time, only one experimental program detected and was bought out by Microsoft and is included, though dated, in the SysInternals Suite? None of the antivirus and other malware programs detected it at that time. And that lovely payload rode in on Audio CDs!

And what else is floating around on our proprietary systems and proprietary hardware, some of the malware being shadowy TLA or rogue cracker teams in origin?

There are many hot - in the moment - must apply/install Alpha/Beta games installed which are proprietary and because they're in sensitive testing phases, often automatically report back to the mother ship with your system's information.

Using a testing version of software which will quickly fade away without much security auditing and be replaced by a stable version? Avoid testing versions.

So, fellas, proprietary software and MAC address snitching? Not a stretch by anyone's imagination.

But chances are if you run on proprietary OS, your head is already so far up your ass or in the sand you'll close your eyes tight and bite the pillow - taking it all in trade for the sweet bliss of ignorance.

Linux/BSD users aren't always exempt, either, how many of them install crap like proprietary Flash and proprietary drivers for ATI/NVidia?

Never follow the white rabbit.

omglolNovember 18, 2012 6:31 PM


And the idea that Petraeus cannot have private encrypted communications is absurd. Everyone, including CIA staff, gets secure comms (almost) every time we hit a https link.

Unless someone has the private key of the SSL provider :)

If it really comes down to it, aside from the obvious US-based businesses such as Verisign, I'm sure NSA have "discovered" PKs for the rest of them (or can do so if really needed)

Mark JDecember 3, 2012 2:17 PM

Actually as a dead drop for casual infidelity, this wouldn't bee to bad. The problem is that Paula Broadwell sent harassing emails from that account which got the FBI's interest. It was the illegal activity that tipped them off. But it's good that Petraeus is gone. Anybody that poor at hiding his tracks sucks as head of US intelligence.

mlibloverDecember 7, 2012 7:38 PM

I don't buy it. Petraeus should not, and would not be using Gmail at all. I do not believe he would use it for any form of communication benign or private. This is not messaging hidden in plain sight, this just nonsense. It seems much more likely that this was manufactured as some kind of distraction. What next a "rouge" army ranger captured in theater after checking in with Foursquare? Pfffft.

Ron HinchleyJanuary 6, 2013 4:53 PM

Is there no chain of command? Isn't there something seriously wrong when the FBI investigates and outs an affair involving the head of the CIA? Especially when the women had a security clearance.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..