Monday, November 19, 2012

ePillow talk: clandestine communications

General David Petraeus and Paula Broadwell exchanged their secret love-letters in the following way.

They set up an email account, for example a hotmail account in the name of Paula David, and wrote notes to each other which they saved in a 'drafts' folder. Only the two of them had password access to the account.

A security commentator was openly contemptuous - he's the head of the CIA and he's using a method commonly exercised by teenagers.

Actually, the problem of secret communication with your mistress is harder than you might think. It is not sufficient to be secret; the fact of communication itself must also be kept secret.

This second condition pretty much rules out keeping encrypted letters on the General's or Paula's hard drive for emailing as an attachment: it will be picked up in a minute by the forensic team .. "What's this then? Can we take a look? Why not?"

This could suggest that everything should be in the cloud. A hosted, web-based email account isn't bad although using it leaves cookies and browser history lying around - difficult to get rid of. The necessary cleansing is tedious and error-prone, and once the secret is out communications are not secure, as the couple discovered.

I once had a senior executive job with Cable & Wireless and retained a Yahoo mail account. C&W security gave me print-outs of my private emails within the week: a little social-engineering had got them the password.

I would recommend the General to have used a Cloud-based storage account (e.g. Amazon's facility) and upload TrueCrypt containers with a hidden partition, which allow deniable encryption*.

But it's cumbersome.
---
* Here's how it works. TrueCrypt has a facility to create a special partitioned volume. The volume looks like a normal encrypted folder, which under protest you can show to the FBI and which contains innocuous stuff. The General could have  kept a daily diary to 'share securely with his biographer'.

But there is a hidden second level of encryption hiding in the randomised spare space of the volume. That's where the true secrets reside.