OT: mailbox generator
Oleg Goldshmidt
pub at goldshmidt.org
Thu Apr 25 19:47:42 IDT 2013
On 04/25/2013 04:23 PM, Tzafrir Cohen wrote:
> Off topic, but may be interesting:
I'll re-order the quoted excerpts to put the technical/on-topic part of
the response first. The non-technical/off-topic considerations may be
skipped, unless you are interested in my opinions.
> Any existing software to automatically (and periodically) generate email
> on a mailbox which will appear to be used, so if anybody wants a casual
> look at my mailbox, I don't have to provide any real email
> credentials?
Since this is not endemic to Israel (see the OT part below), even if the
media think it is (all that happened was that the Attorney General
confirmed that the security services are not prevented by law from
asking to access your email, and may even have the option written in
their procedures), generating a fake email account is a valid idea.
Many years ago, when communication was a lot more difficult than now (no
mobile phones or Skype, very expensive long distance land line calls,
etc.), a friend of mine - American, observant - faced a problem of
reporting daily (well, frequently...) on the well-being of his 4
daughters to his parents. He created an awk script that generated an
email describing numerous routine occurrences such as success at school
in one subject or another, a new best friend, a minor illness,
whatever. The script randomly rotated his daughters' names so different
sentences referred to a different child each time. The phrases and the
vocabulary also varied slightly. The script ran through cron. From time
to time he wrote real emails, of course.
One can set up several mail accounts, devise such a script (my friend's
story proves it is possible), generate a random delay and run it off
at(1) [rather than cron, to avoid regularity], rotating sender addresses
in the process. Then fetchmail from a designated account, procmail to a
script that sometimes generates a reply...
In particular, I have just verified that when I use mail(1) to send an
email to one of my web accounts with a Bcc to another one (the latter is
on GMail, and I have the appropriate MASQUERADE_AS in sendmail.mc), the
email properly appears under the Sent label in GMail. If your GMail is
set up to "archive" certain emails (maybe all) then it will not appear
in the Inbox, removing the tell-tale sign. If the security agent knows
what to look for he/she will notice that the mail does not have a
"mailed-by" header. This may look suspicious if the security personnel
assume that you use GMail from the web. If, however, you first show them
your local mailbox and explain that you POP/IMAP and don't use the web
interface, this will reduce suspicion. If they hunt down your procmailrc
or other scripts they'll find out you are up to no good, but that
requires a different level of sophistication. You can camouflage your
deviousness pretty thoroughly, if not perfectly. You will have a good
chance to fool an interactive and not very technically adept observer.
If you are caught you are on your own though... ;-)
> I heard recently that it is now legal for the security checks in the Ben
> Gurion airport to require that I show my mail account.
When I read about it I tried to think it over (I consider myself
very privacy-conscious). IANAL and OT disclaimers apply to what
follows.
a) Your computer may be accessed, impounded, whatever at any border in
the world. Large (non-Israeli) companies whose employees travel, and
who have policies for everything, usually have a policy that instructs
employees to always allow border/security/customs authorities to
access the work laptop, provide passwords, surrender the laptop on
demand, etc. This is with full realization that classified corporate
secrets may be accessed, and even in cases where reasonable
suspicion a priori exists that (business/technological) intelligence
may be gathered (obvious examples: China, Russia, etc.). IBM had such
a policy when I worked there.
Access to a laptop is, strictly speaking, different from access to
(presumably cloudy) email, which often requires separate
credentials. Not sure if there is much difference really, given that
a business laptop has several levels of security: bootloader
password, disk encryption, login, etc. The policies I mentioned above
said, give up everything, just don't get into trouble.
b) None of us Israelis will be denied entry if we refuse, and I very
much doubt any of us will ever be asked for access to our mailbox
(unless some foundations of our society change very significantly, in
which case we'll have bigger problems). We face, in principle, the
same situation when we travel to other countries, even thoroughly
democratic ones. Besides, how is it different from invasive search
of your personal belongings or a body search which are routine in
every airport everywhere? And some countries actually have laws
against search and seizure, while denying reasonable expectation of
privacy for internet communications.
Having said that, I'd be very troubled indeed if this were applied
more frequently than in very rare cases where serious suspicion
exists. I'd want it to be a tool to maybe reconsider an almost-made
decision to deny entry. The recent "flytilla" would be fair game in
my mind, maybe.
c) This may look troubling. However, it does not violate anyone's
privacy by itself. Before raising a "human rights" ruckus one should
remember that this does not give the security services a right to
access your email. It is not that there is a law that mandates that
you give up your email password on demand. The issue is that there is
no law that explicitly forbids the security services to ask for
permission to access a suspect's email. In my mind, it's quite a
different kettle of fish.
They may ask you to let them into your mailbox, and you may
refuse. You may or may not be denied entry then. However, if you are
not a citizen of a sovereign country X, in general country X can deny
you entry without reasons or explanations - there is no "right" to
travel to X, anywhere in the world. The argument that you will gladly
provide an email password because you are under duress since you've
paid for the ticket is bull***t. You may even be refused boarding by
the airline (the recent "racism" case that Air France recently lost
notwithstanding) if they have a reasonable expectation that you would
be denied entry - this is because they will have to fly you back at
their expense. This is why airlines verify at check-in that you have
a visa, when applicable.
Shachar Shemesh <shachar at shemesh.biz> writes:
> While I am the first to admit that there is a propaganda war going on
> against Israel, I feel this is the wrong method (and the wrong agents)
> to collect intelligence.
I actually thought that if this is applied to persons who are already
under a serious suspicion then it is a perfectly valid method to *try*
to obtain intelligence. I assume that web mail may be accessed from a
security service computer rather than from the traveller's
laptop/tablet/phone, and an unseen program may slurp quite a bit of
information from the suspect's account, e.g., whom he/she communicates
with. Consider the "flytilla" again.
Yes, it would lack any judicial supervision or sanction, but if the
account owner gives permission...
As for "wrong agents", I suspect that this is carried out by security
services rather than by El Al "selectors", and at this stage
well-trained personnel may well be involved. I do not know though.
--
Oleg Goldshmidt | pub at goldshmidt.org