Calling all DU computer wizards! Re: Rove e-mail to Hadley

Hey Wizards!

Is it possible to gin up an email with a date, and if investigated, also assign it a fake cookie to "document" the validity of that email?

I find it sooooooo hard to believe that at this juncture in the Plame investigation that there is a "convenient" email from Rove to Hadley that serves to validate and paint Rove as "upright, forthcoming person who acted properly".
(End quote is me being facetious and completely disbelieving of anything Rove says or comes up with, documented or not.)

on edit: Want to add the Yahoo story re: Rove/Hadley email
http://news.yahoo.com/s/ap/20050715/ap_on_go_pr_wh/cia_leak_rove

Message removed by moderator. Click here to review the message board rules.

...common email system knowlege doesn't apply here.

Personally I think that the email is more an indication that Rove was acting out part of a detailed plan to keep his ass clean while he, in cahoots with others in the WH, betrayed our country's security interests, more than anything else.

He knew what he was doing was wrong, and he was walking the tightrope with great finesse to put as many technicalities and misdirections between him and the evidence as possible.

Yet, I still find it too damn convenient that NOW there's "email proof". The WH has sat on so much re: Plame for so long...many denials, much flaming/discrediting of anyone who counters their doublespeak.

So, I still have to wonder that should this particular "email" be introduced as evidence in an attempt to exonerate Rove et al., would it be possible to create such a fake email that has "validity" through attachment of a fake cookie?

That when we the public get it, is not necessarily when Fitz and the GJ got it. The convenient timing is easily explained... the email existed, Fitz and the GJ knew about it, and when Rove needed help in the media, he arranged for the information about the email to get leaked to the press.

email from.... ANYWHERE... we sent each other emails from.... the Whitehouse.... true that.

...I bet you couldn't use that old trick from a Whitehouse desktop.

them already compromised.

but my husband thinks it is possible. He said, that even though he wouldn't know exactly how to do it right now; given enough time, he could figure it out.

This comes from a guy who use to work for Ross Perot's company, EDS, and also Diebold. By the way, he says the theory of Diebold helping fix the election is not only possible, but most likely impossible to prove, since you can program a computer to "forget".

Am impressed with your husband's input on this :) Thanks!
...and am still in a PO'd political mental state coupled with the usual WASFBF (We Are So Far Beyond Fucked) feeling that has been in my life ever since December 2000.

My personal aside note in trying to find daily humor, no matter how small, when it comes to current political climate:
(LOL Test taste saying WASFBF aloud. It comes out as something * would say in stumbling to say any word beyond two syllables.)

just like the dead... even after the particular part of the hard drive has been written to repeatedly. If they wanted to know... they would find out... and the mystery would be over.

http://www.ontrack.com/

Ontrack News and Information

6/28/2005 – EasyRecovery 6.10 Now Available - Ontrack Data Recovery has launched a new version of its EasyRecovery™ family of “do-it-yourself” data recovery and file repair software. Ontrack® EasyRecovery version 6.10 enhances support to include the latest file types and improves functionality for newer hardware configurations, helping users find the recovery solution most suitable for their specific needs. Buy Now

6/14/2005 – Ontrack Launches VeriFile - Establishing a new standard for data recovery evaluations, Ontrack Data Recovery™ introduces VeriFile™ Online Data Reports, part of the fastest, most comprehensive pre-service evaluation package in the industry. VeriFile allows customers to view a complete listing of their recoverable and non-recoverable files in an organized, easily searchable format before committing to additional charges and proceeding with an actual recovery. Press Release

self-deleting malicious routines. Nice, huh?

The e-mail will inevitably touch servers in between source and destination. All this is recorded in the e-mail's header as "Received" records. The logs of those servers, and they could be anywhere along the path, would have to be consistent with the headers on the e-mail as received.

But if the WH is using a virtual private network as an e-mail infrastructure, it could go point-to-point, in which case there would be no logs on intervening servers. I would think they have something like that for security.

If that is the case, and am thinking it may well be, how would validity of the date and source of that email be proved?

The e-mail system (should) log all transactions separately. These must be consistent with the entries on the headers of the e-mail. Even if the e-mail went point-to-point on a VPN, the e-mail server will record the receipt in both its log and in the e-mail header. It's possible to spoof headers, SPAMMERs do it every day. But the spoofed headers are not consistent with log entries.

The SP will have his experts analyze these things. When they subpoena the e-mails they will have also subpoenaed the logs at both ends.

The easiest way would be to use a real message and alter the content.
Then all the logs would be correct.

If they control the mail servers (which they obviously do), they can
also edit the log files.

means that the email should not be used as "documented evidence" in front of the GJ as it can be shown that true validity of same can be comepletely discredited. However, the argument can be raised that ANYTHING from the WH is "absolutely true and without prejudice", and must be assumed to be so as the WH is the ultimate custodian of our laws.

WASFBF!

Except if the e-mail touched an independent server, which is highly unlikely.

Maybe he outed his own WH system.

...it would be so riduculously easy a child could do it. The White House would have it's own email servers that pull incoming mail from the internet - the White House would have full control to hack away on the servers and get the right fake. And let's not forget that classified email systems (given the WH lack of concern with classified materials, I have no way of knowing if the system they used was classified) are totally separate from any other email servers, and the White House could do just about anything to them without anyone being the wiser. Heck, I could probably hoke the email date by having the wrong date on my computer (depending on what email appy I use).

One of the things I used to get called about endlessly as a network admin was emails with the wrong date and time because it would screw up calendar synchronization and appointment setting. We had to synchronize the server with atomic clocks. Gives you an idea of how easy it is for the date to get screwed up, doesn't it?

An email date isn't as good as the paper it's written on. Any techie worth their salt could fake an email to the point of total indetectability in about an hour, given access to the equipment and an admin account.

It's what hackers do, too.

I figured as much. The spin from the Rove/Hadley email is more smoke and mirrors. WASFBF!

If you were investigating the email date, there would of course be a few things to check with to verify whether the date was correct and if settings had been messed with on the dates by analyzing server logs..and depending on how the email is generated, whether the logs on the email server would jive with the investigated email and its date.

I'd check the logs and any backup programs first before verifying the email date.

If Rove decided to change the date on his computer and then send an email, the email server he was sending to would have a log that could be checked. I'm sure the White House uses servers that are redundant and have logs outside the White House net admins.

Make sense?

been syncronized onto the network. Send and receive times are set on the
(time syncronized) mail server with exchange 2000 and higher. The stuff you are talking about sounds like 10 to 15 years ago, Mr. Expert.

These are all plain files (mail folders, mail logs, system logs), if you have proper access you can edit them to your hearts content, and you can also reset the file properties to make it impossible to detect that you did that. It is possible that one could compare with archival copies, assuming such existed and cover the requisite dates, but archives dates spread out rapidly as one recedes into the past, and given sufficient motivation one can go "fix" the archival copies too,
in some ways that's less hassle because you can do it offline.

that a Special Prosecutor was going to be appointed? This would have given WH staff the opportunity to clean files of damaging info or salt them with exculpatory material before subpoenas could be issued.

Granted, as people have mentioned, the White House could mess with the email server logs that Rove's computer send an email after he and they change the date/time the email is sent.

The email could be sent from the White House with the altered date (and no one else could send emails at the time) and have the altered email logs show the receipt of the email sent. Surely, the log would have to be pretty surgically changed and emails within that period of time would have to jive with the other emails sent. You could grab the logs and see if Mary Q. sent an email about the subject line by cracking her computer and verifying that it happened.

Then, the logs from the email server sent to Hadley (and any other server bounces to its path) would have to jive with the White House email server logs.

Those logs would have to have the same date/time/size/header info that was on the Rove email.

It would take a lot of work to cover their tracks. And if there is any backup system that can be viewed, the email transaction and log would have to be tampered wth as well.

Rove email ------> WH email server -----> Logs =====> Hadley's Email server ----> Logs--->Hadley

for sure obviously, but the creep would have been very aware that he just made a mistake ... and would start running the 'alibi' that second. Remember Rove not only has to convince the public that he is not breaking the law, he also had to convince Rice & Bush.

And you can fix the mail transfer agent to say anything you like.

.... needs to be made.

Yes, it is easy to fake "headers" on an email to change the date or the sender or whatever.

But, and this is a BIG but, if you are going to do something like that you need one of these two things to be true:

1) the investigators are rubes who are simply going to take your email at face value

or

2) you've covered every base - which means that if there are backup tapes/media of servers involved ANYWHERE you have eliminated them, backup tapes/media of sending/receiving computers ANYWHERE you have elminiated them, you have cleaned up all server logs, etc, etc, etc/.

When you send an email it leaves an electronic trail all over the place. It really is not easy to clean that trail up if an investigator is suspicious of the email evidence.

Not really. How much logging is done is a setting, and by default the answer is not much, certainly not every email. Most Sysadmins will leave it that way, the last thing they want to do is be in the position of groveling over huge mail logs. For most emails the only traceback is in the incorporated headers.

... would be that that depends on whether the email is delivered internally on an "intranet", or goes out over the "internet".

If it goes out over the internet, I stand by everything I have said.

It is not even possible (in general) to trace the route of an email, or to specify that it travelled any single route, out there in the big wide world, and no sysadmin in his right mind would try to log all the packets and how they were re-assembled.

No offense, that's how IP works.

In terms of traceablity and archival and so on.
But you also then have the complete sort of control to do really effective fake emails.
This is not to say it might not be a bit of work.

I'm not going to use DU to help Rove slither away, though. I'll just say that, if (BIG if) properly investigated, such fakeries can be exposed. Or at the very least thrown out as no evidence at all.

this would be child's play, or in some way a trivial thing to do, are talking out your asses.

If the criteria is to fake an email such that it would be difficult to detect by an expert then, in my view, this would be non-trivial. It seems to me that it would require the collusion of Cooper, and it would require unfettered access to all systems involved in sending the email---both the government's systems, and Time Magazine's systems---and would probably require collusion on the part of persons that are in charge of those systems.

Even if such conditions could be arranged, there is still a major problem with this scenario: it all would've had to have been arranged two years ago, because that's when Rove's email was seized by the FBI.

I make no claims WRT being an "expert."

I got so fired up I forgot we weren't talking about Rove <--> Cooper!

The gist of what I said still holds, I think. It would certainly be easier, though, to fake something like this if the system requirements didn't involve another organization. Nonetheless, I think this is a very unlikely scenario.

We know just how easy it is to fake that kind of thing.

Keep in mind that most admins turn logging off because it takes up too much drive space and slows the server down. Email runs much better when there's no logging going on.

Intra-Whitehouse email could even be sent on a dummy setup. 2 computers and a server on it's own small network is all it would take. The server mirrored to the 'real' White House system, then broken off into it's own network to do the dirty deal, then wiped after the fact to conceal it. It doesn't have to include the 'real' White House email system. Network Admins have these kinds of set ups all the time to investigate network problems in system software before they roll them out to everybody else. They often have a hot server set up mirrored to the live one, as well.

Faking an email when you have the resources of the White House and boatloads of lock-stepping zombies is a walk in the park.

by Karl Rove and Hadley while they were under orders not to mess with evidence, and the FBI was investigating. Again, the FBI seized WH records and email two years ago. Either the "deed" was done back then, or it would be quite obviously not part of the records originally confiscated by the FBI; a bit of a red flag, yes?

As far as system administration goes, I don't claim to be an expert on that, but I did program email software for a number of years with a major corporation. I've no idea if this company turned off logging or not, but the email servers were mirrored and the mirrors were archived. That way when someone calls IT and says, "Help me, I lost all the messages on my laptop," the IT guy says "No problem, how far back do you want to go?", as opposed to "Sorry boss, you're completely fucked."

I have no way of knowing what WH IT policy is regarding this stuff, and, I'm assuming, neither do you. But, one thing I am fairly certain of: the scenario you detail above is not something that children are typically capable of doing; it falls under my admittedly very general category of "non-trivial." Nonetheless, since this email didn't go between two organizations as I assumed (erroneously) in my original post, it is perhaps somewhat more plausible that it could be faked.

Anyway, this conversation is following what I find to be the typical course. Some tech-savvy person makes a hyperbolic statement about how anybody could hack this thing, even a child could do it---or other such declarations. Then, when you call 'em on it, they tell you how all you have to do is... inventing a scenario which usually turns out to be nothing even remotely like child's-play. In this case it would require a high degree of technical expertise, access to the email servers, and the willingness to commit a crime in order to help Rove fake an email.

I still consider this idea to be highly unlikely, and really not worth the trouble in any case.