
31 August 2013. More on this topic: http://cpunks.org/pipermail/cypherpunks/

30 August 2013

Jon Callas: NSA Exploit Isn't Crypto, It's SMTP


Subject: Re: Who bought off Zimmermann?
From: Jon Callas <jon[at]callas.org>
Date: Fri, 30 Aug 2013 16:12:41 -0700
To: John Young <jya[at]pipeline.com>
Cc: cpunks <cypherpunks[at]cpunks.org>

On Aug 25, 2013, at 5:36 PM, John Young <jya[at]pipeline.com> wrote:

> Phil probably means the infrastructure of email is the vul not the
> crypto. Crypto alone is sterile, a boy in a bubble which requires
> life support which can be assaulted.

That's precisely what we mean.

The crypto is the easy part. The hard part is the traffic analysis, of which the worst part is the Received headers. Everyone should look at their own headers -- especially people on this list and at least comprehend that your email geotracks you forever, as it's all in the Mailman archive.

There are plenty of other leaks like Message-ID, Mime-Version, X-Mailer, the actual separators in MIME part breaks, and so on.

It's absolutely correct that some combination of VPNs, Tor, remailers of whatever stripe, and so on can help with this, but we're all lazy and we don't do it all the time.

What we're learning from Snowden is that they're doing traffic analysis -- analyzing movements, social graphs, and so on and so forth. The irony here is that this tells us that the crypto works. That's where I've been thinking for quite some time.

Imagine that you're a SIGINT group trying to deal with the inevitability of crypto that works being deployed everywhere. What do you do? You just be patient and start filling in scatter plots of traffic analysis.

The problem isn't the crypto, it's SMTP.

Jon


Cryptome: For example, the email headers of Jon Callas's message to Cypherpunks subscriber <jya[at]cryptome.net>:

Status:  U
Return-Path: <cypherpunks-bounces[at]cpunks.org>
Received: from samuel.mail.atl.earthlink.net ([207.69.200.65]) by mdl-absent.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1vfxTG78i3Nl36W0; Fri, 30 Aug 2013 19:14:32 -0400 (EDT)
Received: from fbr04.mfg.siteprotect.com ([64.26.60.139]) by samuel.mail.atl.earthlink.net (EarthLink SMTP Server) with ESMTP id 1vfxTG24C3Nl3pv0 for <jya[at]pipeline.com>; Fri, 30 Aug 2013 19:14:32 -0400 (EDT)
Received: from mf23.mfg.siteprotect.com (mf23-mf.mfg.chicago.hostway [192.168.33.170]) by fbr04.mfg.siteprotect.com (Postfix) with ESMTP id DB00A9C452 for <jya[at]pipeline.com>; Fri, 30 Aug 2013 18:14:31 -0500 (CDT)
Received: from mx.siteprotect.com (unknown [192.168.33.225]) by mf23.mfg.siteprotect.com (Postfix) with ESMTP id 5878E980009 for <jya[at]cryptome.net>; Fri, 30 Aug 2013 18:14:31 -0500 (CDT)
Received: from antiproton.jfet.org (antiproton.jfet.org [209.141.47.85]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.siteprotect.com (Postfix) with ESMTPS id 3859A20B4054 for <jya[at]cryptome.net>; Fri, 30 Aug 2013 18:14:31 -0500 (CDT)
Received: from antiproton.jfet.org (localhost.localdomain [127.0.0.1]) by antiproton.jfet.org (8.14.4/8.14.4/Debian-4) with ESMTP id r7UND0xV010572; Fri, 30 Aug 2013 19:13:07 -0400
Received: from mail.merrymeet.com (merrymeet.com [173.164.244.100]) by antiproton.jfet.org (8.14.4/8.14.4/Debian-4) with ESMTP id r7UNCvLm010568 for <cypherpunks[at]cpunks.org>; Fri, 30 Aug 2013 19:12:58 -0400
Received: from localhost (localhost [127.0.0.1]) by mail.merrymeet.com (Postfix) with ESMTP id 520BF3FD8A75; Fri, 30 Aug 2013 16:12:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at merrymeet.com
Received: from mail.merrymeet.com ([127.0.0.1]) by localhost (merrymeet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FH-djjRD4cSn; Fri, 30 Aug 2013 16:12:46 -0700 (PDT)
Received: from keys.merrymeet.com (keys.merrymeet.com [173.164.244.97]) by mail.merrymeet.com (Postfix) with ESMTPSA id 0C9213FD8A54; Fri, 30 Aug 2013 16:12:46 -0700 (PDT)
Received: from [10.119.8.3] ([69.46.78.148]) by keys.merrymeet.com (PGP Universal service); Fri, 30 Aug 2013 16:12:46 -0700
X-PGP-Universal: processed; by keys.merrymeet.com on Fri, 30 Aug 2013 16:12:46 -0700
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
Subject: Re: Who bought off Zimmermann?
From: Jon Callas <jon[at]callas.org>
In-Reply-To: <E1VDkki-00033w-Hj@elasmtp-curtail.atl.sa.earthlink.net>
Date: Fri, 30 Aug 2013 16:12:41 -0700
Message-Id: <B17A972C-221C-46D6-826E-2C1EC92F8160[at]callas.org>
References: <20130825235403.BDDC4EAABC@snorky.mixmin.net> <E1VDkki-00033w-Hj@elasmtp-curtail.atl.sa.earthlink.net>
To: John Young <jya[at]pipeline.com>
X-Mailer: Apple Mail (2.1508)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by antiproton.jfet.org id r7UNCvLm010568
Cc: cpunks <cypherpunks[at]cpunks.org>
X-BeenThere: cypherpunks[at]cpunks.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: The Cypherpunks Mailing List <cypherpunks.cpunks.org>
List-Unsubscribe: <https://cpunks.org/mailman/options/cypherpunks>, <mailto:cypherpunks-request[at]cpunks.org?subject=unsubscribe>
List-Archive: <http://cpunks.org/pipermail/cypherpunks/>
List-Post: <mailto:cypherpunks[at]cpunks.org>
List-Help: <mailto:cypherpunks-request[at]cpunks.org?subject=help>
List-Subscribe: <https://cpunks.org/mailman/listinfo/cypherpunks>, <mailto:cypherpunks-request[at]cpunks.org?subject=subscribe>
Errors-To: cypherpunks-bounces[at]cpunks.org
Sender: "cypherpunks" <cypherpunks-bounces[at]cpunks.org>
X-CTCH-RefID: str=0001.0A020202.52212757.0090,ss=1,re=0.000,fgs=0
X-Mail-Filter-Gateway-ID: 5878E980009.A8CB1
Mail-Filter-Gateway: Scanned OK
X-Mail-Filter-Gateway-SpamDetectionEngine: NOT SPAM, MailFilterGateway Engine (score=-1, required 3, autolearn=disabled, CTASD_SPAM_UNKNOWN -1.00)
X-Mail-Filter-Gateway-From: cypherpunks-bounces[at]cpunks.org
X-Mail-Filter-Gateway-To: jya[at]cryptome.net
X-Spam-Status: No
X-ELNK-Received-Info: spv=0;
X-ELNK-AV: 0
X-ELNK-Info: sbv=0; sbrc=.0; sbf=bb; sbw=000;
X-Brightmail-Tracker: AAAAAA==
X-Brightmail-Tracker: AAAAAA==


Cryptome: And the headers of the same message encrypted with PGP to <jya[at]pipeline.com>:

Status:  U
Return-Path: <jon[at]callas.org>
Received: from pickering.mail.mindspring.net ([207.69.200.36]) by mdl-absent.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1vfxS96VO3Nl36W0; Fri, 30 Aug 2013 19:12:57 -0400 (EDT)
Received: from mail.merrymeet.com ([173.164.244.100]) by pickering.mail.mindspring.net (EarthLink SMTP Server) with ESMTP id 1vfxS83B3Nl3p20 for <jya[at]pipeline.com>; Fri, 30 Aug 2013 19:12:56 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by mail.merrymeet.com (Postfix) with ESMTP id 305C73FD8A72 for <jya[at]pipeline.com>; Fri, 30 Aug 2013 16:12:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at merrymeet.com
Received: from mail.merrymeet.com ([127.0.0.1]) by localhost (merrymeet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ezghF13obMY4 for <jya[at]pipeline.com>; Fri, 30 Aug 2013 16:12:46 -0700 (PDT)
Received: from keys.merrymeet.com (keys.merrymeet.com [173.164.244.97]) by mail.merrymeet.com (Postfix) with ESMTPSA id 0B41D3FD8A53 for <jya[at]pipeline.com>; Fri, 30 Aug 2013 16:12:46 -0700 (PDT)
Received: from [10.119.8.3] ([69.46.78.148]) by keys.merrymeet.com (PGP Universal service); Fri, 30 Aug 2013 16:12:46 -0700
X-PGP-Universal: processed; by keys.merrymeet.com on Fri, 30 Aug 2013 16:12:46 -0700
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
Subject: Re: Who bought off Zimmermann?
From: Jon Callas <jon[at]callas.org>
In-Reply-To: <E1VDkki-00033w-Hj@elasmtp-curtail.atl.sa.earthlink.net>
Date: Fri, 30 Aug 2013 16:12:41 -0700
Cc: Jon Callas <jon[at]callas.org>, cpunks <cypherpunks[at]cpunks.org>
Message-Id: <B17A972C-221C-46D6-826E-2C1EC92F8160[at]callas.org>
References: <20130825235403.BDDC4EAABC@snorky.mixmin.net> <E1VDkki-00033w-Hj@elasmtp-curtail.atl.sa.earthlink.net>
To: John Young <jya[at]pipeline.com>
X-Mailer: Apple Mail (2.1508)
X-PGP-Encoding-Format: MIME
X-PGP-Encoding-Version: 2.0.2
Content-Type: multipart/encrypted; boundary="PGP_Universal_0C124B82_4D8D1EBC_DD87EC6F_EE65876D"; protocol="application/pgp-encrypted"
X-ELNK-Received-Info: spv=0;
X-ELNK-AV: 0
X-ELNK-Info: sbv=0; sbrc=.0; sbf=bb; sbw=000;
X-Brightmail-Tracker: AAAAAR5IRSw=
X-Brightmail-Tracker: AAAAAA==
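Callas's point, that the Received chain and the client fingerprint headers leak the same facts whether or not the body is encrypted, can be checked mechanically against the two header sets above. The script below is an added example, not code from the page, from Jon Callas or from Cryptome: it feeds both header sets (trimmed to the lines it reads, with "[at]" kept as Cryptome wrote it) through Python's standard email parser, walks the Received headers in the order the message actually travelled, and reports the sender's public IP, the private LAN addresses exposed along the way, which hops used TLS, the end-to-end transit time, and the client-fingerprint headers. The classification of addresses as public, private or loopback is the standard ipaddress module's; the choice of which headers count as a fingerprint is this example's own.

```python
# Added example (not code from the page, Jon Callas or Cryptome): walk the
# Received: chain of a message and list what it gives away.  The two header
# sets are the ones reproduced on this page, trimmed to the lines the script
# reads, with "[at]" kept as Cryptome wrote it.
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Plaintext copy, as it arrived at jya[at]cryptome.net via the Mailman list.
PLAINTEXT_COPY = r"""Received: from samuel.mail.atl.earthlink.net ([207.69.200.65]) by mdl-absent.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1vfxTG78i3Nl36W0; Fri, 30 Aug 2013 19:14:32 -0400 (EDT)
Received: from fbr04.mfg.siteprotect.com ([64.26.60.139]) by samuel.mail.atl.earthlink.net (EarthLink SMTP Server) with ESMTP id 1vfxTG24C3Nl3pv0 for <jya[at]pipeline.com>; Fri, 30 Aug 2013 19:14:32 -0400 (EDT)
Received: from mf23.mfg.siteprotect.com (mf23-mf.mfg.chicago.hostway [192.168.33.170]) by fbr04.mfg.siteprotect.com (Postfix) with ESMTP id DB00A9C452 for <jya[at]pipeline.com>; Fri, 30 Aug 2013 18:14:31 -0500 (CDT)
Received: from mx.siteprotect.com (unknown [192.168.33.225]) by mf23.mfg.siteprotect.com (Postfix) with ESMTP id 5878E980009 for <jya[at]cryptome.net>; Fri, 30 Aug 2013 18:14:31 -0500 (CDT)
Received: from antiproton.jfet.org (antiproton.jfet.org [209.141.47.85]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.siteprotect.com (Postfix) with ESMTPS id 3859A20B4054 for <jya[at]cryptome.net>; Fri, 30 Aug 2013 18:14:31 -0500 (CDT)
Received: from antiproton.jfet.org (localhost.localdomain [127.0.0.1]) by antiproton.jfet.org (8.14.4/8.14.4/Debian-4) with ESMTP id r7UND0xV010572; Fri, 30 Aug 2013 19:13:07 -0400
Received: from mail.merrymeet.com (merrymeet.com [173.164.244.100]) by antiproton.jfet.org (8.14.4/8.14.4/Debian-4) with ESMTP id r7UNCvLm010568 for <cypherpunks[at]cpunks.org>; Fri, 30 Aug 2013 19:12:58 -0400
Received: from localhost (localhost [127.0.0.1]) by mail.merrymeet.com (Postfix) with ESMTP id 520BF3FD8A75; Fri, 30 Aug 2013 16:12:55 -0700 (PDT)
Received: from mail.merrymeet.com ([127.0.0.1]) by localhost (merrymeet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FH-djjRD4cSn; Fri, 30 Aug 2013 16:12:46 -0700 (PDT)
Received: from keys.merrymeet.com (keys.merrymeet.com [173.164.244.97]) by mail.merrymeet.com (Postfix) with ESMTPSA id 0C9213FD8A54; Fri, 30 Aug 2013 16:12:46 -0700 (PDT)
Received: from [10.119.8.3] ([69.46.78.148]) by keys.merrymeet.com (PGP Universal service); Fri, 30 Aug 2013 16:12:46 -0700
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
Message-Id: <B17A972C-221C-46D6-826E-2C1EC92F8160[at]callas.org>
X-Mailer: Apple Mail (2.1508)
Content-Type: text/plain; charset=us-ascii
"""

# PGP-encrypted copy of the same message, sent direct to jya[at]pipeline.com.
ENCRYPTED_COPY = r"""Received: from pickering.mail.mindspring.net ([207.69.200.36]) by mdl-absent.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1vfxS96VO3Nl36W0; Fri, 30 Aug 2013 19:12:57 -0400 (EDT)
Received: from mail.merrymeet.com ([173.164.244.100]) by pickering.mail.mindspring.net (EarthLink SMTP Server) with ESMTP id 1vfxS83B3Nl3p20 for <jya[at]pipeline.com>; Fri, 30 Aug 2013 19:12:56 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by mail.merrymeet.com (Postfix) with ESMTP id 305C73FD8A72 for <jya[at]pipeline.com>; Fri, 30 Aug 2013 16:12:55 -0700 (PDT)
Received: from mail.merrymeet.com ([127.0.0.1]) by localhost (merrymeet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ezghF13obMY4 for <jya[at]pipeline.com>; Fri, 30 Aug 2013 16:12:46 -0700 (PDT)
Received: from keys.merrymeet.com (keys.merrymeet.com [173.164.244.97]) by mail.merrymeet.com (Postfix) with ESMTPSA id 0B41D3FD8A53 for <jya[at]pipeline.com>; Fri, 30 Aug 2013 16:12:46 -0700 (PDT)
Received: from [10.119.8.3] ([69.46.78.148]) by keys.merrymeet.com (PGP Universal service); Fri, 30 Aug 2013 16:12:46 -0700
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
Message-Id: <B17A972C-221C-46D6-826E-2C1EC92F8160[at]callas.org>
X-Mailer: Apple Mail (2.1508)
Content-Type: multipart/encrypted; boundary="PGP_Universal_0C124B82_4D8D1EBC_DD87EC6F_EE65876D"; protocol="application/pgp-encrypted"
"""

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# RFC 3848 'with' keywords that imply STARTTLS, plus Postfix's "(using TLSv1 ...)" clause.
TLS_HOP = re.compile(r"\bwith (?:ESMTPS|ESMTPSA|SMTPS)\b|\bTLS")


def parse_received(value):
    """One Received: header -> dict.  Only the 'from' clause is mined for
    addresses: that is where NAT'd LAN addresses and the submitting
    client's IP end up; the 'by' side just names the receiving MTA."""
    head, _, tail = value.partition(" by ")
    return {
        "from": head.split()[1],                       # token after 'from'
        "from_ips": IPV4.findall(head),
        "by": tail.split()[0] if tail else "?",
        "tls": bool(TLS_HOP.search(value)),
        "time": parsedate_to_datetime(value.rsplit(";", 1)[1].strip()),
    }


def classify(ip):
    a = ipaddress.ip_address(ip)
    return "loopback" if a.is_loopback else "private" if a.is_private else "public"


def analyze(raw_headers):
    msg = message_from_string(raw_headers)
    # Each MTA prepends its Received: line, so the top one is the last hop;
    # reverse to read the route in the order the message actually travelled.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received"))]
    origin = hops[0]
    return {
        "hops": hops,
        "origin_public_ip": next((ip for ip in origin["from_ips"]
                                  if classify(ip) == "public"), None),
        "internal_ips": sorted({ip for h in hops for ip in h["from_ips"]
                                if classify(ip) == "private"}),
        "tls_hops": sum(h["tls"] for h in hops),
        "transit_seconds": int((hops[-1]["time"] - hops[0]["time"]).total_seconds()),
        # Client/software fingerprint that survives body encryption untouched.
        "fingerprint": {
            "Message-Id": msg["Message-Id"],
            "Mime-Version": msg["Mime-Version"],
            "X-Mailer": msg["X-Mailer"],
            "boundary": msg.get_param("boundary"),   # None unless multipart
        },
    }


def report(label, raw_headers):
    r = analyze(raw_headers)
    print(f"== {label}: {len(r['hops'])} hops, {r['tls_hops']} over TLS, "
          f"{r['transit_seconds']} s end to end")
    for h in r["hops"]:
        print(f"  {h['time']:%H:%M:%S%z}  {h['from']:<26} -> {h['by']}"
              + ("  [TLS]" if h["tls"] else ""))
    print("  sender's public IP:", r["origin_public_ip"])
    print("  internal addresses exposed:", ", ".join(r["internal_ips"]))
    print("  client fingerprint:", r["fingerprint"])


if __name__ == "__main__":
    report("plaintext copy via the list", PLAINTEXT_COPY)
    report("PGP-encrypted copy sent direct", ENCRYPTED_COPY)
```

Run on the page's own headers, both copies resolve to the same submitting client (public address 69.46.78.148 behind LAN address 10.119.8.3), the same Message-Id and the same X-Mailer string; the encrypted copy additionally carries a MIME boundary that names the PGP Universal gateway, and only two of the eleven hops on the list path spoke TLS at all. One caveat when doing this on mail you did not send yourself: Received lines are trusted only from the point where your own MTAs added them, since any hop earlier in the chain can be written by the sender.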