OK, I said I wasn’t going to do any more blog posts, but this subject is so compelling that I had to write just one last post about it before I shut up. It’s about the recent meme which has taken hold of the world’s media, that Vladimir Putin hacked into Hillary Clinton’s email server and published her emails in an attempt to influence the course of the recent US presidential election. American intelligence agencies have concluded with “high confidence” that Putin was behind the attacks.
They have presented their conclusions, which they expect us to believe, but not the evidence, which is secret. In response, President Obama expelled 35 Russian diplomats from the US on 29 December. Putin denied any involvement in the security breach and has declined to respond by expelling a similar number of US diplomats from Russia. The mainstream media seem to have mostly swallowed the story without question. Everyone knows that Putin did it.
All righty then. Let’s put all that on one side for a few minutes and look at how the Internet really works. Here’s a personal anecdote of my own. In 2002 I was the victim of an attack by a spammer in which about 10 million emails were sent out by the spammer with my name and email address on them. I received about 10,000 “replies” from recipients of the emails asking to be unsubscribed from my (non-existent) mailing list, as a result of which my email inbox was swamped and I couldn’t receive my own genuine emails for a few days until it was sorted out. This was a type of denial-of-service (DoS) attack and I learned a few valuable lessons from it:
- It’s very easy to “spoof” an email (make it appear as though it came from somebody else).
- It’s very difficult to identify the perpetrator. This one was never identified, although I had my suspicions who it might have been.
- The general public are very naïve about the way the internet works. Did 10,000 people really believe that a spammer would put his own genuine return address on an email? Apparently, yes.
- Once 10 million people are convinced that you sent an email, it’s pointless to deny it because nobody believes you. After all, your name and email address are on the email so that proves it, right? Case closed.
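The From line on an email is just text supplied by whoever sent it, which is why the spoofing described above is so easy. As an added example (not part of the original post; all addresses and domains are constructed), this is how a receiving system can compare the visible From against the envelope sender and the SPF/DKIM/DMARC verdicts its own mail server recorded:

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From claims victim@example.org; envelope and checks disagree.
SPOOFED = """\
Return-Path: <bulk@mailer.invalid>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mailer.invalid; dkim=none; dmarc=fail header.from=example.org
From: "Victim Name" <victim@example.org>

Please reply to unsubscribe.
"""

# Constructed sample: same visible From, authenticated by the receiving server.
GENUINE = """\
Return-Path: <victim@example.org>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass header.from=example.org
From: "Victim Name" <victim@example.org>

Hello from the real sender.
"""

def domain_of(header_value):
    """Return the lowercase domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def auth_results(msg):
    """Parse method=result pairs; trust this header only if your own MX added it."""
    results = {}
    for part in (msg.get("Authentication-Results") or "").split(";")[1:]:
        tokens = part.split()
        if tokens and "=" in tokens[0]:
            method, _, verdict = tokens[0].partition("=")
            results[method.lower()] = verdict.lower()
    return results

def spoof_indicators(raw):
    """List the reasons the visible From address should not be trusted."""
    msg = message_from_string(raw)
    from_dom, env_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    res = auth_results(msg)
    reasons = []
    if env_dom and env_dom != from_dom:
        reasons.append(f"envelope domain {env_dom} != From domain {from_dom}")
    for method in ("spf", "dkim", "dmarc"):
        if res.get(method) != "pass":
            reasons.append(f"{method}={res.get(method, 'missing')}")
    return reasons
```

An empty list from `spoof_indicators` means the From domain matched the envelope and passed all three checks; any entries are grounds to distrust the name on the message.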
Next let’s look at the apparently unrelated topic of child pornography on the Internet. This is depressingly prevalent even on the Isle of Man, as this news item shows:
The way such people are normally prosecuted is as follows: The police set up a covert “sting” operation in which they pose online as people interested in downloading or distributing child pornography. When they have drawn a few suspects into the net, they monitor their activities online for a while, then perform a surprise dawn raid on their home, seize laptops and other electronic devices, and if these are found to contain child pornography, that’s enough evidence to secure a criminal conviction because it meets the legal standard of “beyond reasonable doubt.” That seems to have been what happened in the news item above.
Note, however, that the evidence gathered during the initial Internet surveillance is NOT the evidence which is used to convict, because it’s not strong or reliable enough. It is only used as a basis for forming a “reasonable suspicion” that the suspect may be engaging in criminal activity, which justifies further evidence gathering such as an arrest and questioning or dawn raid. That’s the main reason why the police are opposed to amateur internet paedophile vigilante groups: they may be able to entrap and “out” paedophiles and publish their details on social media, but by the time the police get involved, the suspect has destroyed the physical evidence so no conviction is possible.
Next let’s look at the phenomenon of “ransomware”:
This is where a criminal installs malware on your system which encrypts and locks all your files and you have to pay a “ransom” for the key to unlock the encryption. It is a billion-dollar-a-year crime in which 65 percent of end users pay the ransom. It is almost impossible to trace and prosecute the perpetrators because they are so good at covering their Internet tracks.
And finally, let me tell you about the Tor browser. I am using it to publish this blog post right now. It is available for free download from https://www.torproject.org/ and its purpose is to “spoof” your location so that you appear to be in a different place from where you really are. As I write this in the Isle of Man, the browser’s control panel is telling me that to any outside observer who is trying to track my location, I will appear to be in Norway (and the spoof location changes at random). Try this for yourselves if you don’t believe me.
The point of all these examples is to show you that things on the Internet are rarely what they seem: identities and locations are easily “spoofed” and information is unreliable. Therefore, for the US intelligence agencies to claim that they have concluded with “high confidence” that Putin was behind the recent security breaches is completely implausible. They can’t possibly know that without doing a dawn raid on Putin’s office and seizing his computer equipment, and as far as I am aware they haven’t done that. The most they can have is something less than “reasonable suspicion”, let’s say just “suspicion”, and that doesn’t seem enough to justify expelling 35 diplomats. There are numerous other suspects for the security breach, none of whom can be proven to have done it without physical evidence. I think it was more likely an inside job by one of Ms Clinton’s own staff, possibly with some help from outside, but my guess is as good as anyone else’s.
Repeatedly poking Mr Putin in the eye with a stick seems a dangerous game for the US to play, and I hope for all our sakes that Mr Trump is able to tone it down when he takes office.