Sunday, October 23, 2016

Politifact: Yes we can fact check Kaine's email

This Politifact post muddles over whether the Wikileaks leaked emails have been doctored, specifically the one about Tim Kaine being picked a year ago. The post is wrong -- we can verify this email and most of the rest.

In order to bloc spam, emails nowadays contain a form of digital signatures that verify their authenticity. This is automatic, it happens on most modern email systems, without users being aware of it.

This means we can indeed validate most of the Wikileaks leaked DNC/Clinton/Podesta emails. There are many ways to do this, but the easiest is to install the popular Thunderbird email app along with the DKIM Verifier addon. Then go to the Wikileaks site and download the raw source of the email https://wikileaks.org/podesta-emails/emailid/2986.

As you see in the screenshot below, the DKIM signature verifies as true.


If somebody doctored the email, such as changing the date, then the signature would not verify. I try this in the email below, changing the date from 2015 to 2016. This causes the signature to fail.




There are some ways to forge DKIM-signed emails, specifically if the sender uses short keys. When short keys are used, hackers can "crack" them, and sign fraudulent emails. This doesn't apply to GMail, which uses strong 2048 bit keys, as demonstrated in the following screenshot. (No, the average person isn't supposed to understand this screen shot, but experts can).



What this means is that the only way this email could've been doctored is if there has been an enormous, nation-state level hack of Google to steal their signing key. It's possible, of course, but extraordinarily improbable. It's conspiracy-theory level thinking. Google GMail has logs of which emails went through its systems -- if there was a nation-state attack able to forge them, Google would know, and they'd be telling us. (For one thing, they'd be forcing password resets on all our accounts).

Since DKIM verifies this email and most of the others, we conclude that Kaine is "pants on fire" lying about this specific email, and "mostly untrue" in his claim that the Wikileaks emails have been doctored.



On the other hand, Wikileaks only shows us some of the emails. We don't see context. We don't see other staffers certain it's going to be somebody else for VP. We don't see related email discusses that cast this one in a different light. So of course whether this (verified) email means they'd firmly chosen Kaine is "mostly unproven". The purpose of this document isn't diagnosing what the emails mean, only the claims by Hillary's people that these emails have been "doctored".



As a side note, I offer a 1-BTC (one bit coin, ~$600 at today's exchange rate) bounty to anybody who can prove me wrong. If you can doctor the above email, then you win the bounty. Some rules apply (i.e. it needs to be a real doctored email, not a trick). I offer this bounty because already people are trying to cast doubt on whether DKIM works, without offering any evidence. Put up or shut up. Lamers aren't welcome.


12 comments:

Kevin Christopher Henry said...

Your technical analysis is of course correct, but you're mischaracterizing Kaine's claim. According to the PolitiFact article you cited, he says: "I don't know whether it was doctored or whether the person sending it didn't know what they were talking about." He's not saying the email was forged, he's saying the information in the email is wrong, and he doesn't know why.

The article would certainly be improved by including the DKIM analysis, but they're right to say that there's not enough evidence to evaluate the actual claim that he made.

Rei said...

"What this means is that the only way this email could've been doctored is if there has been an enormous, nation-state level hack of Google to steal their signing key."

Yeah, if only some entity had been alleging that this was a nation-state conducted hacking spree. You know, some entity like the entire US federal government's intelligence services.

Unknown said...

Do you typically accept everything your government says without question? This is one of those times that it seems very stupid to do so. Especially since you just took their claim of hacking by Russia, and stretched it to assume that somehow they accomplished the insane task of hacking Google l

Dreamweaver5 said...

Might be worth adding that we can also authenticate e-mails that don't have DKIM keys if an e-mail later in the chain did include a DKIM key.

Rei said...

Right. Because Russia totally couldn't hack a server by virtue of the fact that it's owned by Google - and if they had, certainly wouldn't use the key if they thought they could flip a US election to a more favorable candidate, right? And Russia totally wouldn't have conducted research, same as the NSA, into finding weaknesses in common cryptographic algorithms to avoid the need for private keys in the first place. Because Russia is run by total morons who have no interest or skill in information warfare, right?

Josh R said...

@rei Yes, if somebody had access the the private keys they could forge some of the emails. They likely couldn't forge the forwards, replies etc that they may or may not even know about. If a massive foreign nation where to invest in trying to get such keys from all of the servers in all of the dialog, it would be a massive undertaking. There is very little way to know who forwarded what to whom, and what servers all over the planet might also be providing corroborating Dkim sigs.

Why would they expend the energy on something that may or may not work? The proportionality of likelihood of success to likelihood of failure is too small to make such an undertaking worth while. Like Framing Donna Brazile for leaking questions is going to make an ounce of difference?? It is all silly on the face of it unless you really want to believe what you really want to believe...

It's called Stockholm syndrome. "Our enemies stole our ability to lie to you, so please do the patriotic thing and keep believing our lies anyway."

Blaming Russia for altering emails in order to cover their own political butts shows a very ugly flavor of people who will by putting our son's and daughter's lives on the line... Based on everything I have seen the cryptography exonerates wikileaks and Russia of modifying the emails. (they may have stolen them, but that is another issue.) If a foreign power can ruin us with the truth, we where living a lie in the first place.


25thHOUND said...

Assange has a system of accuracy verification, which he says, shows his leaks at 100% correct. In 10 years no one has proven him wrong. Besides that, Hillary's just too stupid! And too vain. Also, to think Russia wouldn't jump at the chance, when the U S has never looked more inept, AT EVERYTHING, is ludicrous as well !

rchandan said...

Indian Super League
Indian Super League Live Stream
ISL 2016 Ranking
Advance Happy Diwali Images
happy diwali greeting cards
vdiwali images hd 2016
diwali sms messages in hindi tamil english punjabi

anon said...

Nice. So, after looking at the actually signed header fields, we see:

h=from:content-type:content-transfer-encoding:mime-version:subject:message-id:date:to;

This immediately yields the question:

1. Does gmail validate the "from:" header field against ecmullen's credentials used for SMTP? I'd guess so, because this is one of the main points of DKIM.

2. Does gmail check the SMTP "RCPT TO:" against the "to:" header field? Obviously not every recipicient needs to be part of the "to:" header, this is how bcc (blind carbon copy) works. I would guess that google does not attempt to verify anything here. Then, we could not disprove that ecmullen sent (RCPT TO:) the offending email to somebody else, and only put john.podesta into the "to:" field.

3. Most importantly, how does gmail validate the "date:" field against their own clock? Obviously, gmail must deal with user agents that have clock drift, or bad time zones, or generally bad config. Gmail's policy is important here. Otherwise we cannot exclude that ecmullen got hacked months later, and the hackers collected the dkim signature from gmail for a backdated email, and then invented all the (unsigned) "Received:" fields.

If gmail included the RECOMMENDED "t= Signature Timestamp" into their dkim, then the question of the date would be answered.

Thomas L. Knapp said...

"Yeah, if only some entity had been alleging that this was a nation-state conducted hacking spree. You know, some entity like the entire US federal government's intelligence services."

Well, yes, that would be interesting.

Unfortunately for the implied argument, Clinton CLAIMING that the entire US federal government's intelligence services said X isn't the same thing as the entire US federal government's intelligence services ACTUALLY saying X. The former has occurred. the latter has not.

Unknown said...

Hi. I downloaded Thuderbird and the DKIM add-on so I could check the signature of the below e-mail, and nothing is coming back. Not a positive or negative result. Can you help?

https://www.wikileaks.org/podesta-emails/emailid/4433

Jim said...

You seem to fail to understand the depth of impossibility here. So, as an expert (software engineer), let me explain to you, as technically dumbed down for the layman as possible.

Anything encrypted with that many bits would take literally CENTURIES for even a series of modern computer systems to decrypt, if they worked in tandem non-stop. So, theoretically possible, just that the Russians, if responsible, would still be waiting on results while our great grandkids were being buried by our great great grandkids.

The other possibility is that Google was hacked. Not saying that's impossible, because it's certainly not impossible. However, as the author states, if they were so, such a security breach would have been catastrophic, and Google would have already administered a public statement about it, warning everyone about the potential for the security of their emails being compromised. And by everyone, that means everyone who uses Gmail. I use Gmail. And I've not had any such warning, or have I seen it publicly announced. Therefore, it's pretty safe to say that the emails are authentic... Unless people want to tighten their tin foil hats even more and allege that Google is in kahoots with Russia, etc... And good luck with that. Lol.