Email and the Petraeus Affair

To be honest, I haven’t been following the Petraeus affair saga with a whole lot of interest. Sure, it’s interesting to some, but I would rather not separate the wheat from the chaff in terms of reporting. I simply don’t trust many news outlets to get the details right, and so I’d rather not get wrapped up in the nitty-gritty.

But I saw an interesting question on Twitter – how exactly DOES the FBI go about reading people’s email? And, by extension – how do *I* go about reading others’ email? Well, the cold reality is that I’m not really interested in reading your email. I sometimes have to do it (as part of my job) and believe me, it’s boring, and I think most people who work in IT feel the same way.

The first thing to remember is that if the FBI wants to read any email of yours that is beyond six months old, it’s easy! A federal prosecutor needs to approve a subpoena, and that’s it. No, I did not substitute “prosecutor” for “judge” – it’s really a federal prosecutor. It’s kinda like having your own prescription pad and writing out what you want, without the hassle of going to the doctor!

Second, if you’re accessing your email from behind a corporate firewall, you may already be subject to monitoring! At many large organizations, all traffic may be filtered through a web proxy – these are often used for filtering content (like blocking Facebook at work), and can also be leveraged to perform Man-In-The-Middle attacks on other sites you visit, including your personal email or bank information.

See, normally when you go to your webmail or banking site and enter your credentials, you’re “safe” because the certificate presented by the site was issued by an authority on your browser’s list of “approved” Trusted Certificate Issuers. While this is inherently insecure for many reasons (Google arbitrarily chooses whom to trust if you’re using Google Chrome, for example), the system can easily be manipulated by corporate IT departments by simply adding their own certificate to your browser’s Trusted Certificates list. This enables anyone holding that certificate’s private key who is sitting between you and Gmail (for example) to decrypt information travelling between your computer and the email server.
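One way to notice this from your own machine, as an added example that is not part of the original post: compare the issuer of the certificate you are actually served against the issuer you recorded on a network you trust. The issuer names and sample certificates below are constructed placeholders, and `fetch_peer_cert` assumes the added corporate root sits in the trust store Python's `ssl` module uses.

```python
import socket
import ssl


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect over TLS and return the leaf certificate as a getpeercert() dict."""
    # The default context trusts the local store, including any root IT has added,
    # so an intercepting proxy's certificate validates here just as in the browser.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_fields(cert):
    """Flatten getpeercert()'s nested issuer tuples into a plain dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def check_issuer(cert, expected_orgs):
    """Return (ok, description); ok is False if the issuer org was never recorded."""
    fields = issuer_fields(cert)
    org = fields.get("organizationName")
    cn = fields.get("commonName", "<no commonName>")
    return (org in expected_orgs, f"{org or '<no organizationName>'} / {cn}")


# Constructed placeholder: issuer org recorded earlier from a network you trust.
EXPECTED = {"Example Public CA"}

# Constructed samples in the shape getpeercert() returns.
DIRECT = {"issuer": ((("countryName", "US"),),
                     (("organizationName", "Example Public CA"),),
                     (("commonName", "Example Public CA R1"),))}
INTERCEPTED = {"issuer": ((("organizationName", "Example Corp IT"),),
                          (("commonName", "Example Corp Web Proxy CA"),))}

if __name__ == "__main__":
    for label, cert in (("direct", DIRECT), ("intercepted", INTERCEPTED)):
        ok, desc = check_issuer(cert, EXPECTED)
        print(f"{label}: {'expected issuer' if ok else 'UNEXPECTED issuer'} ({desc})")
    # On a live connection: check_issuer(fetch_peer_cert("mail.example.com"), EXPECTED)
```

A mismatch only means the issuer differs from what you recorded; sites do change certificate authorities, so re-check from a trusted network before drawing conclusions.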

Well, I was going to write more, but I’m kinda busy today. Suffice it to say, only check email on a device you can control and whose entry point to the internet is a gateway that you trust. But there’s not too much you can do about a subpoena (short of running your own mail server)…
