Sunday, October 28, 2007

Lt Col. Claims he is victim of spoof email

Glenn Greenwald reports receiving a bizare email message Col. Steven A. Boylan, the Public Affairs Officer and personal spokesman for Gen. David G. Petraeus.

The email message is the sort of thing you might expect Stephen Colbert to send if he was the press officer. Accusing a journalist of being 'lazy', 'providing purposeful misinformation', 'not a journalist' is exactly the wrong thing to do in that type of position.

So now the story gets intersting. When I pinged Boylan to ask him about this suprising email he responded claiming that he did not send it and that he is a victim of identity theft.

It must be pointed out at this point that Greenwald does not accept the claim and there is no inconsistency in the email headers that would conclusively demonstrate that it is a forgery. Unfortunately this proves only that the message was not forged by an incompetent.

Assuming that neither Greenwald or Boylan is lying, the only explanation is that someone forged the email. It is certainly not impossible that the email is a forgery, what is impossible at this stage is providing convincing proof that it is a forgery. The army can produce the server logs, but these could have been modified. We are back at accepting someone's word.

The worst case here is that the message is a forgery. Getting inside the communications loop of the enemy is something any intelligence service would like to achieve. Spreading fear and distrust between the military and reporters that cover them would certainly be counted as a major achievement by some.

We know that email is insecure, we know that we rely on email for sensitive communications. We have the technology to fix it. Why do we continue to allow this vulnerability to remain?

The military should sign all their email. They have certainly spent enough on email security infrastructure. Using S/MIME on every message creates compatibility issues but DKIM can certainly be used.

No comments: