Letters to the Editor

Letters posted here are associated with the following Salon Premium Member:

Christopher Michael Neill

Published Letters: 679     Editor's Choice: 9

  • So, I'm an "expert"

    [Read the article: The case of the angry colonel]

    I've been reading this whole sordid affair with some bemusement, having both faked and investigated fake messages quite extensively over the last 10 years in various roles related to providing internet service.

    It is not a trivial matter to, using normal methods, mask or obfuscate the Received: lines in an email, but it is not impossible, and it does not require that the apparent sender be compromised in any way. But there are a variety of methods at your disposal to create or inject a convincing-looking header to a mail system, and it is far easier to do this on an unprotected client computer, which we have to assume Glenn Greenwald has.

    For instance, one method would be to inject fake DNS somewhere between centcom and salon.com's mail, or between the internet at large and Greenwald's computer (there are literally dozens of hacks that do this currently, often with the goal of phishing passwords by redirecting the victim's computer to a fake site using bogus DNS). Another still would be to simply gain access to either Greenwald's computer or salon's mail servers and place the mail into the queue manually. Many, many, many MTAs (Mail Transport Agents) are configured with what would be considered loose or promiscuous permissions for clients connecting from what the server considers to be a trusted host -- a machine on the VPN or LAN local to the mailer, with reverse-DNS credentials (*.in-addr.arpa) that can be, as stated above, faked.

    Finally, and I certainly doubt this, but there is nothing stopping Greenwald from simply constructing a fake email, headers and all, based on headers he received earlier.

    For example, if I received a message with headers like:

    From blah de blah () date, message ID
    Received: from internal-1.mta.local. (internal-1 [192.168.1.7])
    Received: from big-mta.external. (big-mta [24.1.1.89])
    Received: from mail.salon.com (mail [10.27.27.69])
    Sender: sldgjahsfg
    X-UID: lkjashfgsalfjg
    Message-ID: 20985324t5lksadglkasfg094
    Date: Dec 25, 1973, 13:45 PDT (-0800)
    From: user
    To: Glenn Greenwald (ggreenwald@salon.com)
    Subject: boo

    [body.. ]

    You can just change the timestamps and the message ID and have a convincing-looking letter that matches the headers previously received. The only way to truly tell is to match the Message-IDs and various other identifying strings on the server that sent the mail (the most common, as I implied, being the message-ID, but there are also various fingerprinting headers that can get injected either by the sender's client, or the MTA).

    There are endless other ways to fake messages, but these are the three that came immediately to mind that no one seemed to acknowledge.

    The way to end this debacle once and for all is to insist that the Army match up any message IDs and timestamps with their internal server logs (if they have not ended up in the e-shredder, so to speak) and verify that the message was or wasn't sent within centcom.

    I do want to add, finally, that anyone on the planet is free to use the addresses 10.70.20.whateveritwas, or anything else in 10. The netblocks are reserved for internal-only use and are not routable (normally). These blocks are:

    10/8, 10.0.0.0/255.0.0.0

    172.12/12 172.16.0.0/172.31.255.255

    192.168/16 192.168.0.0/192.168.255.255

    A vast majority of off-the-shelf wireless hubs, for instance, come preconfigured with the internal address of 192.168.1.1 or 192.168.0.1.

    -Christopher
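As an added illustration (not part of Christopher's letters) of the verification step he describes: walk the Received: chain, note which hops claim RFC1918 addresses that anyone could have used, and match the Message-ID against the sending server's own log. The message, hostnames, log line and Message-ID suffix are all constructed for this example.

```python
import email
import ipaddress
import re

# Constructed sample message, modelled on the header sketch in the letter
# (top Received: line is the most recent hop, as real MTAs write them).
RAW_MESSAGE = b"""Received: from mail.salon.com (mail [10.27.27.69]) by mailbox.example.invalid; Wed, 31 Oct 2007 10:00:00 -0700
Received: from big-mta.external (big-mta [24.1.1.89]) by mail.salon.com; Wed, 31 Oct 2007 09:59:00 -0700
Received: from internal-1.mta.local (internal-1 [192.168.1.7]) by big-mta.external; Wed, 31 Oct 2007 09:58:00 -0700
Message-ID: <20985324t5lksadglkasfg094@internal-1.mta.local>
From: user@example.invalid
To: ggreenwald@salon.com
Subject: boo

[body..]
"""

# Constructed log from the alleged sending MTA: one line per accepted message.
# This log does NOT contain our Message-ID, so the match below must fail.
SENDER_MTA_LOG = [
    "Oct 31 09:58:00 internal-1 postfix/cleanup[123]: message-id=<abc123@internal-1.mta.local>",
]

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Return the Received: chain, oldest hop first, as (ip, is_private) pairs.

    is_private is True for RFC1918 space (10/8, 172.16/12, 192.168/16), which
    carries no evidence about who actually sent the message.
    """
    msg = email.message_from_bytes(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = _IP_RE.search(str(hdr))
        if m:
            ip = ipaddress.ip_address(m.group(1))
            hops.append((str(ip), ip.is_private))
    return hops


def message_id_in_log(raw, log_lines):
    """True only if the sending server's log records this exact Message-ID."""
    msg = email.message_from_bytes(raw)
    mid = (msg.get("Message-ID") or "").strip()
    return bool(mid) and any(mid in line for line in log_lines)
```

Only the middle hop above sits in routable space; the two private hops are exactly the kind of detail that can be typed in by hand, which is why the log match is the check that actually settles the question.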

  • @semiodd

    [Read the article: The case of the angry colonel]

    No, Semo-english-as-a-second-language, I am not suggesting that he did, I am simply suggesting it is possible.

    It is my opinion (albeit unscientific) that the good Colonel had a few too many Jim Beams on the rocks and fired off the letter as other comments have suggested. I also happen to agree with Greenwald's (albeit unscientific) forensic assessment of the Colonel's writing style and grammatical tics.

    However, the only people who have the ability to put this issue to rest are the very ones who have the most at stake if, indeed, there was wrongdoing on the part of the military -- the US Army. The chances of that ever happening are slim, so we will never know.

  • @RMP

    [Read the article: The case of the angry colonel]

    I should say, "the guy(s) that run CENTCOM's mail server(s)". E.g., postmaster@centcom.mil, as it were.

  • On Email Forgery, and RFC1918..

    [Read the article: Col. Boylan's implosion accelerates]

    I made a comment here:

    http://letters.salon.com/news/feature/2007/10/31/boylan/permalink/64847d110102b42b1dea648d6c2a2d85.html

    And there are a couple of clarifications later. Basically, I put forth three ways the letter could have been forged.

    I do not, as I later stated, think that the letter was forged; I think it was probably a case of "drunk emailing."

    But none of the experts Glenn quoted seemed to go into those kinds of details, which to me were glaringly obvious, about how someone can at once forge an email and not have penetrated the sender's network (forgery, OTOH, is a serious issue that I think the DoD would be particularly interested in -- again, agreeing with everything Glenn pointed out).

    $0.02, tally-ho!