Sunday, 13 April, 2003

Hiding in plain sight: using spam as an encryption tool

When most people think of wiretaps or other means of surveillance (what people in the business like to call signals intelligence), they think of intercepting encrypted messages and decoding them to figure out what people are saying to each other.  Often, though, just learning who is talking to whom is sufficient to glean a lot of useful information.  Many a police investigation has been helped along by examining telephone records.

Every electronic mail message contains header information that says who sent it and who the intended recipient is.  It's easy enough to spoof the sender information and route the message through an anonymous relay, but the recipient has to be known.  And if you want two-way communication, then the sender has to be known as well.  With traditional email, it's child's play for somebody to figure out who you're talking to.  Or at least who's talking to you, which is almost as good.  How do you prevent that?

Imagine using spam as a method of passing short encoded messages while hiding the identity of both sender and receiver.  The sender spoofs the headers and uses an anonymous relay.  The message body is your typical spam and is sent to millions of people, most of whom utter a few choice words before consigning it to the bit bucket.  But in reality, the message is an encoded communication.  Perhaps those apparent garbage characters on the subject line are the message, or a one-time pad key.  Maybe the message contains certain key words or phrases.  The point is that it'd be very difficult to track the sender, and completely impossible to identify the intended recipient.  I don't know that it'd be possible even to identify suspect messages.