E-Mail Leaves an Evidence Trail

If you're going to commit an illegal act, it's best not to discuss it in e-mail. It's also best to Google tech instructions rather than asking someone else to do it:

One new detail from the indictment, however, points to just how unsophisticated Manafort seems to have been. Here's the relevant passage from the indictment. I've bolded the most important bits:

Manafort and Gates made numerous false and fraudulent representations to secure the loans. For example, Manafort provided the bank with doctored [profit and loss statements] for [Davis Manafort Inc.] for both 2015 and 2016, overstating its income by millions of dollars. The doctored 2015 DMI P&L submitted to Lender D was the same false statement previously submitted to Lender C, which overstated DMI's income by more than $4 million. The doctored 2016 DMI P&L was inflated by Manafort by more than $3.5 million. To create the false 2016 P&L, on or about October 21, 2016, Manafort emailed Gates a .pdf version of the real 2016 DMI P&L, which showed a loss of more than $600,000. Gates converted that .pdf into a "Word" document so that it could be edited, which Gates sent back to Manafort. Manafort altered that "Word" document by adding more than $3.5 million in income. He then sent this falsified P&L to Gates and asked that the "Word" document be converted back to a .pdf, which Gates did and returned to Manafort. Manafort then sent the falsified 2016 DMI P&L .pdf to Lender D.

So here's the essence of what went wrong for Manafort and Gates, according to Mueller's investigation: Manafort allegedly wanted to falsify his company's income, but he couldn't figure out how to edit the PDF. He therefore had Gates turn it into a Microsoft Word document for him, which led the two to bounce the documents back-and-forth over email. As attorney and blogger Susan Simpson notes on Twitter, Manafort's inability to complete a basic task on his own seems to have effectively "created an incriminating paper trail."

If there's a lesson here, it's that the Internet constantly generates data about what people are doing on it, and that data is all potential evidence. The FBI is 100% wrong that they're going dark; it's really the golden age of surveillance, and the FBI's panic is really just its own lack of technical sophistication.

Posted on February 26, 2018 at 3:39 PM • 43 Comments

Comments

Ben HigginsFebruary 26, 2018 4:12 PM

Why did the bank get an easy access to private mails? Is it because it is a bank and the laws are thus different? Can anybody use another person's mail as evidence?

Because of the states meddling in privacy the digital signature is about ten years behind it's normal development. Unsigned and unencrypted mail is also in favor of Google's business.

It should have been normal procedure in the first place that the original producer of the document had signed it. -- And particularly pdf file is an easy one to sign.

jimFebruary 26, 2018 4:37 PM

I can't believe the FBI lacks sophistication. Their claims about "going dark" is just to muddy to waters and provide a lever for pet projects - like sabotaging strong encryption and maybe to provide a convenient excuse when they fail.

ShavedMyWhiskersFebruary 26, 2018 4:44 PM

The word is that Word keeps a history as well. That history can show edit history with time stamps and more. Yes it can be purged but that may be the dirty sock inside the next shoe to drop. PDF to word conversions and back are notorious in their quirks as well.

Ben Higgins (Yes. It's me!)February 26, 2018 4:46 PM

@ Ben Higgins

From the very moment when the banks start demanding signed documents from their clients it takes about 5 minutes until signing is the industry standard.

Why do the banks not even themselves sign their documents online, e.g. account balance sheet? Is it because they reserve the right to cancel their statement any time they prefer? If so, what is the value of such a document?

If the bank reserves the right to cancel any time any document they have issued, they could still sign digitally. In signature there is the field for this purpose: Reason for signing. They could write that the contents of the document is only binding the client but the bank can cancel any time. -- This document is anyhow better than completely unsigned one. It proves the origin.

If the automatic signing is such a difficult task, the [banks] could at least publish a list of checksums of all the documents they have issued.

Anonymous2cFebruary 26, 2018 4:59 PM

Good luck following the dots in the Joseph Mifsud Map
https://jonworth.eu/joseph-mifsud-professor-papadopoulos-manafort-revelations/
From the above article

"The original blog entry:

I’m not really into United States politics, but that a Maltese professor by the name of Joseph Mifsud was somehow connected to the Papadopoulos/Manafort revelations caught my eye.

So who is this Joseph Mifsud guy?

The New York Times tried to find out – and did not get very far.

He’s a Professor, right. So he must at least be on Wikipedia? No. Nothing about him on Wikipedia. Just a Josef Mifsud… a football player!... "

tfbFebruary 26, 2018 5:10 PM

The banks don't digitally sign things because, like almost everyone else, they are not technically competent enough to do that. What they are emphatically not doing is avoiding signing things for some conspiratorial reason: if they were up to that then they would not get caught out fixing rates so often.

hmmFebruary 26, 2018 5:33 PM

"Siri, how do I launder Russian mob money?"

Even the FBI couldn't get access to this stuff without a warrant based on existing evidence of a crime, which Paul Manfort is basically made of on a molecular basis. He's been doing shady stuff for decades. That he would be so brazenly discussing his plans in unsecured emails just shows how little he anticipated anyone looking at him hard.

This from the guy who uses bond007 as his password. Gotta love it.

http://people.com/politics/paul-manafort-email-password-bond007-daughter-text-messages/

https://www.themaven.net/theintellectualist/news/in-series-of-text-messages-paul-manafort-s-daughter-implicates-her-father-in-mass-murder-3QYf7RjMh0a8yRWFEc-LsA

Tip : You don't need to hide what you don't say in the first place, criminal masterminds.

BF SkinnerFebruary 26, 2018 6:34 PM

Rich people are better than any of the rest of us 'cause they'er just so much darn SMARTER.

Jim JeffriesFebruary 27, 2018 12:03 AM

I feel we should pause on the discussion and hand this over to an airforce professional for some solid answers - maybe a guest op ed piece, even

aFebruary 27, 2018 12:55 AM

"The FBI is 100% wrong that they're going dark"

The task of the encryption advocate is to make the FBI go dark. How else will we know we've won?

David RudlingFebruary 27, 2018 4:20 AM

@BRUCE
"The FBI is 100% wrong that they're going dark; it's really the golden age of surveillance, and the FBI's panic is really just its own lack of technical sophistication."
Gee, you must have just finished reading Susan Landau's excellent "Listening In" the same as I just have.

echoFebruary 27, 2018 5:57 AM

How did somebody so dumb get to be so rich?

I don't know about this "going dark" thing (or "deep state"). I just think people like to repeat the meme because it sounds cool and everyone else is saying it and it makes them sound like they are "on the edge" and "in the know". It's the modern equivalent of busting down doors and paranoia movies from the 1970s. "Stay frosty" is the new "Go! Go! Go!" which has dated as well as sideburns and big belt buckles.

Pretty much every dodgy politician or civil, servant I have met have kept critical issues verbal and used paper trails to make anyone else but themselves look guility if an investigation happens. Investigating this is a lot more difficult and needs investigators to ask different questions. From my side of the fence I prefer more effort is made with this than low hanging fruitbut power never investigates power?

wumpusFebruary 27, 2018 9:48 AM

@Shavedmywhiskers

The "format" for a Word document is a dump of the C++ object used to define the Word document. This came up in one of various Microsoft lawsuits, probably over how OpenOffice could read/write a Word document. Don't expect any sane operation from Word.

It comes in handy to make it difficult for other word processors to clone Word, but it also makes it difficult for Word to deal with older Word documents, saving to older Word documents, and generally remaining stable. Of course, once a new Word comes out, Microsoft expects everyone to drop the old copy of Word and buy the new one.

DPFs are developed by Adobe which should be more than enough warning for this crowd. No idea what can be hidden (automatically) in .pdf conversion, but .pdfs are not to be trusted (presumably some readers can handle them sanely. Disabling any execution would be a good start).

watFebruary 27, 2018 10:07 AM

So Googling technical instructions how to commit a crime doesn't leave a paper trail too? wat...

Look... EVERYTHING YOU DO online creates a paper trail... it's just a matter of how deep and how well it will be used against you... If you must commit crimes, it's best to not use any modern tech in any part of that. Lest you say, "just don't commit crimes then," I dare you to Google "three felonies a day"... read and weep.

djFebruary 27, 2018 12:02 PM

The FBI has traditionally resisted change. That is, unless it controls the changes and they are for it's advantage. FBI is still a bureaucracy and bureaucracies always resist changes not to their benefit.

COINTELPRO_LivesFebruary 27, 2018 12:09 PM

Hi Bruce, thanks as usual. I just fixed the typo in your last sentence:

"...The FBI is 100% wrong that they're going dark; it's really the golden age of surveillance, and the FBI's panic is really just SOPHISTICATED DISINFORMATION & PROPAGANDA."

:-)

Alyer Babtu February 27, 2018 12:34 PM

@Grauhut

For neutron’s SMTP mode, how does it determine whether the public key is available ? Is there a hack where access to the keys is prevented and so the emails are sent in clear ?

justina colmena February 27, 2018 1:56 PM

Manafort's inability to complete a basic task on his own seems to have effectively "created an incriminating paper trail."

This is interesting. There is a certain serious organized criminal mentality to all this which is difficult to put my finger on precisely.

"I didn't want to be the fall guy."

It's almost like a religious awakening in a sense: these guys know what they are doing is wrong, and they know they will get caught, but they do not fear exactly eternal destruction and hellfire, but more the prospect of a long sentence in a federal penitentiary.

Sancho_PFebruary 27, 2018 2:37 PM


@Bruce’s headline ”E-Mail Leaves an Evidence Trail” is a click bait, obviously.

Unfortunately it is wrong in both aspects of the statement:

a) Email does not leave a trail, it is the user. Very likely Manafort and Gates do not know, but there is a difference if you POP or IMAP your emails, and of course it is different whether you keep them for file or delete them from both, server and local storage(s). Backup?

b) The part with the evidence hurts me most.
- Is email evidence?
Susan Simpson’s “incriminating” is much better, but not fully correct.
Imagine I’m a murder.
I send an email to a friend with a denial. He replies with a quote of it, and we exchange a lot of mails containing my denial.
Are these emails evidence? The more the better? Incriminating or absolving? Is there a dead body? Who is guilty of what?
- Would an email ever be accepted as “evidence” for not guilty?

What if Manafort has faked the pdf but never used it?
Only if the faked (paper?) document was used fraudulently used at the bank it is both, incriminating and evidence.

But another point from the headline is worth mentioning, too:
“E-Mail Leaves …” is shooting the messenger.
- The bad thing here is not email, or that the fraud came to light.
It is the fraud that should make us angry.
But the fraud itself is not newsworthy because we expect the 1% of the 1% to be crooks, we would be surprised if they’d be clean.
That’s the sad part.
Crooks defraud crooks: That's the good one.

However, what would be interesting here:
Did they find the email on their seized devices or at the provider?
Or were the emails captured on the fly because of a warrant or broad surveillance?
No chance we’d ever learn the truth, not with our media / journalism.
Sensationalism:
Granted, we love it when other computer user know less than we do.
We should feel bad about that.

But we should never accept “evidence” when we know it’s only bytes,
there is no evidence until there is a secure PC.

hmmFebruary 27, 2018 6:36 PM

"but they do not fear exactly eternal destruction and hellfire, but more the prospect of a long sentence in a federal penitentiary."

Simply put, there is H-e-double hockey sticks, an imaginary place, and there's Federal Prison.

I don't care which one Trump ends up in but he'll see the latter for sure now. Non-partisan analysis.

NickFebruary 28, 2018 5:21 AM

Note that Manafort would have been convicted of fraud even without all the Word/pdf stuff and without the emails. Indeed, they were irrelevant to the fraud charge. They were relevant only to the "conspiracy" charge.

Sancho_PFebruary 28, 2018 7:32 AM

@Nick

In case your post was in reply to mine:
I don’t think so.
Very likely no one would have found the fraudulent claim at the bank if there was no trace found in the emails.
Probably someone would have checked the credit application but not challenged the falsified number in it.

I guess the hook was found in the email exchange.
And a “conspiracy” charge, while an important pillar in the US plea games, makes me smile here (in the EU).

hmmFebruary 28, 2018 1:49 PM

A conspiracy charge is basically direct intimate knowledge of a crime you don't report.
Smile! It's a real crime in most places regardless of what they call it.

If Trump's treason crew were smarter about things it might have been a lot more difficult to unravel, but they were monitored the entire time and are apparently morons generally.

The hilarious part is they thought they were being so sneaky about it, like they were competent gangsters.

D. BronderFebruary 28, 2018 3:46 PM

Speaking of going dark: "Black inside Black."

"Going dark" has two meanings: first, being unable to collect, and secondly, to go deeper underground so that no one can see what you are doing.

This is indeed the Golden Age of Surveillance--not only because of computer networking, cellular communications, and the Internet of Things. It is also because of 9-11.

Of course the FBI is going to go deeper and hide more. The Deep State is going to get a lot deeper after the revelations of Mr. Snowden. The DS is vendor driven, and the money is astronomical. No one wants to end the party except the people who are not invited and who are footing the bill.

If you look at how power functions once it becomes corrupt, in the U.S. too, you see that they do not want to talk, discuss, have a give-and-take. They want your data--it is all take. Then decisions can be based upon facts, like in a court case. That seems reasonable because Manafort is clearly a criminal. There is no need to talk. But what happens when the government collects evidence on every single person all the time? People do not seem to mind--Diane Feinstein is a good example. It is fine to collect evidence on my neighbor, but just don't do it to me.

hmmFebruary 28, 2018 6:28 PM

"They want your data--it is all take."

Correct. The mandate is total information awareness.

Feinstein didn't get an as-expected bs-stamped endorsement though, she faces a challenge.

Feinstein is both an hawk and pusher of surveillance growth - but odd that you'd single her out,
she's not even the only 80-ish female Democratic info-hawk with major committee and political power..

And then you've got the hawkish anti-privacy Republican men you didn't mention for some reason?
To speak of specific 800-Billion gorillas in the room?

RatioFebruary 28, 2018 7:48 PM

@Sanco_P,

And a “conspiracy” charge [...] makes me smile here (in the EU).

¿Qué tal un cargo de “asociación ilícita”?

WrongMarch 1, 2018 5:10 AM

@rino19ny
ProtonMail is not a silver bullet. Even if we don't consider remote JavaScript and remote system security to be a problem, there's still a giant pitfall: End-to-End Encryption only works (by default) IF BOTH SIDES are using ProtonMail, since ProtonMail (or any other people) simply doesn't have the knowledge of 3rd-party's public keys. As a result, all ordinary mails are visible in cleartext for ProtonMail's SMTP server before it is stored encrypted at rest. And there's no way to prove if ProtonMail is logging all the traffic on its SMTP server (ProtonMail has received a few warrants and they have to as cooperative as possible in terms of cryptography, so logging SMTP traffic should have been done I guess).

I'm nothing against ProtonMail and I consider it to be one of the best choices for an online mail service and I strongly recommend ProtonMail provide you understand its limitations.

But actually I think ProtonMail can actually make it more secure, for example, it should be able to develop an authentication scheme to allow other people to register their public key to ProtonMail and enables encryption-by-default between you and any ProtonMail users. I wonder if they can work on it.

sch313r187March 1, 2018 6:23 PM

Let's sum this up.

It is impossible to prove that the currently available hardware or software works according to provided manual. However, it is not that difficult to prove that it is actually otherwise (please refer to the Common Vulnerabilities and Exposures entries). Every single bit of information can be accidentally swapped or deliberately forged. Sometimes, it is possible to detect the change, sometimes not. Except for specifically designed protocols (which run on untrustworthy hardware anyway), there is no way to be able to successfully challenge the authorship of the information or validity of an associated contract (non-repudiation). E-mails, log records, spoofed traffic flow, fingerprinting of browsers, operating systems etc. are no exceptions, since they are just text information stored as files or in databases.

Having an e-mail in one's mailbox has never been proof what-so-ever that a particular person created it. Having an IP address logged has never been proof what-so-ever that a connection was made by a particular machine having this IP assigned (or even a person made that connection, LOL). Yet for "some" reason, masses are being "massaged" almost everyday to believe otherwise...

Clive RobinsonMarch 2, 2018 9:35 AM

@ sch313r187,

Yet for "some" reason, masses are being "massaged" almost everyday to believe otherwise...

Congratulations unlike a lot od security firms you not only understand the lack of end point security, you are prepared to talk about it.

For twenty bonus points do you want to think about communications security and how it to can be fritzed?

It's kind of why I go one about the attribution game and why it is so hard to do, but oh so easy to fake...

sch313r187March 3, 2018 5:03 PM

@Clive Robinson

Thanks for the feedback. Try to read it once again. Should it not help, I am sorry for you...

Clive RobinsonMarch 4, 2018 3:07 AM

@ sch313r187,

Thanks for the feedback.

That's alright it's what some of us older contributors are here for.

However as I said, it's not just Email and IP addresses that have little or nothing to do with individuals, it's the whole digital attribution game that is badly flawed and easy to "fritz" for the likes of "false flag" attacks.

You might have read --because the US burned their "methods and sources"-- about both the Israeli and Dutch efforts to go from digital attribution to limited "Human Intelligence" (HumInt) attribution by exploiting parts of the Human Computer Interface (HCI) on suspected end point computers of attackers?

Well the reason that the Israeli and Dutch SigInt agencies went to the HCI was that they know that attribution by anything other than "HumInt" is pointless for the reasons you indicate.

The fact that the US Politicos and their Appointees chose to flap their gums about this HCI method of getting HumInt to the press is realy quite unforgivable for various reasons.

Not least of which it will mean that not very skilled or thoughtful / introspective attackers will now up their game and disable various parts of the HCI on computers or will resort to older methods such as a server with old fashioned terminals and command line working with the serial lines "instrumented" to detect intrusion attempts.

This will include not just idiots playing at being state level attackers such as those the US Special Investigator indicted, but terrorists and criminals from the serious organised crime level downwards. Thus the important "HumInt" will be lost and the likes of the real state level attackers will be able to get back to their "false flag" activities knowing that the likes of the "Security Companies" will get back to their far from reliable digital attribution methods that are so easy to copy/forge.

Oh and we know the US IC gets up to digital false flag activities because some of the tools the CIA used for such activities got "outed". Thus it's fairly safe to assume that other SigInt or IC entities not just in the US but other countries do the same. In fact we have good reason to believe from the Ed Snowden trove that the UK's GCHQ etc do it and by inference the other Five-Eyes and presumably the second tier Europe and Pacific groups as well.

Anyway as I said have a further think in these areas and you will be way ahead of most of the supposed proffessionals.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.