Wednesday, October 14, 2020

Yes, we can validate leaked emails

When emails leak, we can know whether they are authenticate or forged. It's the first question we should ask of today's leak of emails of Hunter Biden. It has a definitive answer.

Today's emails have "cryptographic signatures" inside the metadata. Such signatures have been common for the past decade as one way of controlling spam, to verify the sender is who they claim to be. These signatures verify not only the sender, but also that the contents have not been altered. In other words, it authenticates the document, who sent it, and when it was sent.

Crypto works. The only way to bypass these signatures is to hack into the servers. In other words, when we see a 6 year old message with a valid Gmail signature, we know either (a) it's valid or (b) they hacked into Gmail to steal the signing key. Since (b) is extremely unlikely, and if they could hack Google, they could a ton more important stuff with the information, we have to assume (a).

Your email client normally hides this metadata from you, because it's boring and humans rarely want to see it. But it's still there in the original email document. An email message is simply a text document consisting of metadata followed by the message contents.

It takes no special skills to see metadata. If the person has enough skill to export the email to a PDF document, they have enough skill to export the email source. If they can upload the PDF to Scribd (as in the story), they can upload the email source. I show how to below.

To show how this works, I send an email using Gmail to my private email server (from gmail.com to robertgraham.com).

The NYPost story shows the email printed as a PDF document. Thus, I do the same thing when the email arrives on my MacBook, using the Apple "Mail" app. It looks like the following:

The "raw" form originally sent from my Gmail account is simply a text document that looked like the following:

This is rather simple. Client's insert details like a "Message-ID" that humans don't care about. There's also internal formatting details, like the fact that this is a "plain text" message rather than an "HTML" email.

But this raw document was the one sent by the Gmail web client. It then passed through Gmail's servers, then was passed across the Internet to my private server, where I finally retrieved it using my MacBook.

As email messages pass through servers, the servers add their own metadata.

When it arrived, the "raw" document looked like the following. None of the important bits changed, but a lot more metadata was added:
The bit you care about here is the "DKIM-Signature:" metadata.
This is added by Gmail's servers, for anything sent from gmail.com. It "authenticates" or "verifies" that this email actually did come from those servers, and that the essential content hasn't been altered. The long strings of random-looking characters are the "cryptographic signature". That's what all crypto is based upon -- long chunks of random-looking data.

To extract this document, I used Apple's "Mail" client program and selected "Save As..." from the "File" menu, saving as "Raw Message Source".




I uploaded this this document to Scrib so that anybody can download and play with it, such as verifying the signature.

To verify the email signature, I simply open the email document using Thunderbird (Firefox's email client) with the "DKIM Verifier" extension, which validates that the signature is indeed correct. Thus we see it's a valid email sent by Gmail and that the key headers have not been changed:
The same could be done with those emails from the purported Hunter Biden laptop. If they can be printed as a PDF (as in the news story) then they can also be saved in raw form and have their DKIM signatures verified.

This sort of thing is extraordinarily easy, something anybody with minimal computer expertise can accomplish. It would go a long way to establishing the credibility of the story, proving that the emails were not forged. The lack leads me to believe that nobody with minimal computer expertise was involved in the story.

The story contains the following paragraph about one of the emails recovered from the drive (the smoking gun claiming Pozharskyi met Joe Biden), claiming how it was "allegedly sent". Who alleges this? If they have the email with a verifiable DKIM signature, no "alleging" is needed -- it's confirmed. Since Pozharskyi used Gmail, we know the original would have had a valid signature.


The lack of unconfirmed allegations that could be confirmed seems odd for a story of this magnitude.

Note that the NYPost claims to have a copy of the original, so they should be able to do this sort of verification:

However, while they could in theory, it appears they didn't in practice. The PDF displayed in the story is up on Scribd, allowing anybody to download it. PDF's, like email, also have metadata, which most PDF viewers will show you. It appears this PDF was not created after Sunday when the NYPost got the hard drive, but back in September when Trump's allies got the hard drive.





Conclusion

It takes no special skills to do any of this. If the person has enough skill to export the email to a PDF document, they have enough skill to export the email source. Instead of "Export to PDF", select "Save As ... Raw Message Source". Instead of uploading the .pdf file, upload the resulting .txt to Scribd.

At this point, a journalist wouldn't need to verify DKIM, or consult an expert: anybody could verify it. There a ton of tools out there that can simply load that raw source email and verify it, such as the Thunderbird example I did above.










32 comments:

Robert Earl said...

HAVE YOU LOST YOUR HARD EARNED FUNDS TO THE WRONG HANDS?
MEET THE PROFESSIONAL HACKERS FOR HIRE TODAY.
⏱️ 3min Read
�� Hiring a professional hacker has been one of the world's most technical valued navigating information.
Regarding:
•Recovery Of Lost Funds,
•Mobile Phone Hack.(Catching A Cheating Spouse).
•Credit Score Upgrade,
VARIOUS HACKTIVITIES via the encrypted mail at
leroysteckler@gmail.com
High prolific information and Priviledges comes rare as it's been understood that what people do not see, they will never know. The affirmative ability to convey a profitable information Systematically is the majoy factor to success.
Welcome to the Global KOS hacking agency where every request on hacking related issues are fixed within a short period of time.
When you wonder “which hacking company should I hire, the first aspect that should concern you is Sincerity. Secondly, Rapid response. Clearly, you want to embark for services that povides swift response, With our astonishing Hackers, you will be glad to find out that our services Implies precision and action.
This post is definitely for those who are willing to turn their lives around for the better, either financial-wise, relationship-wise or businesses.
The manual Operation of this hackers is to potentially deploy a distinguished hacking techniques to penetrating computers.
If your shoe fits in any of the services below, you will be assigned to a designated professional hacker who is systematically known for operating on a dark web V-link protocol.
Providing value added services to clients as a hacker has been our sustaining goal.
Are you faced with cyber challenges like
��Recovery of lost funds:✅(BITCOIN INVESTMENTS, BINARY OPTIONS, LOAN AND TRADING FOREX WITH FORGERY BROKERS.) ��️I would try my possible best to shortly explain this in particular.
This shocking study points to one harsh reality we all face today. It saddens our mind when client expresses annoyance or dissatisfaction of unethical behaviours of scammers. We have striven to make tenacious efforts to help those who are victims of this flees get off their traumatic feeling of loss. The cyber security technique used to retrieving back the victims stolen funds is the application of a diverse intercall XX breacher software enables you track the data location of a scammer. Extracting every informations on the con database. Every information required by the Global KOS would be used to tracking every transaction, time and location of the scammer. This is acheived using the systematic courier tracking base method•
However, there are secret cyber infiltrators called brokers and doom. The particular system used by this scammers permeates them to manupulate targets digital trading system or monetary fund based accounts. Strictly using a dark web rob to diverting successful trades into a negative outcome. This process bends to thier advantage while investors results to losing massive amount of money. An act of gaining access to an organization or databased system to cause damages. We have worked so hard to ensure our services gives you a 100% trading success to recover all your losses•
�� HACKING A MOBILE PHONE:.✅ Do you think you are being cheated on? Curious to know what your lover is up to online? This type of hack helps you track every movement of your cheater as we are bent on helping you gain full remote access into the cheater's mobile phone using a Trojan breach cracking system to penetrate their social media platforms like Facebook, whatsapp, snapchat etc.
The company is large enough to provide comprehensive range of services such as•
• Email hacks��
• Hacking of websites.��
• Uber free payment hacks.��
Our strength is based on the ability to help fix cyber problems by bringing together active cyber hacking professionals in the GlobalkOS to work with.
Contact:
✉️Email: theglobalkos@gmail.com
Leroysteckler@gmail.com
®Global KOS™
2020.

Nicholai said...

I don't really like the fact that they didn't release the email as like an eml file or the raw source in general, shouldn't they bone up on more technology oriented stuff in Jschool

MGren said...

So the timeline here is:
April 2019: Hunter Biden allegedly drops off unsecured, unencrypted laptop full of personal info to strip mall Mac store
July 2019: Hunter Biden doesn’t pick up alleged laptop
September 2019: John Paul Mac Isaac goes through files, searches through HBiden’s emails, screenshots emails
JPMI makes copy of hard drive because he fears for his life
December 2019: FBI seizes laptop
Sometime in 2020: JPMI gets hard drive to Costello/Ghouliani
October 2020: Despite access to actual files, Giuliano/NYP uses Sept. 2019 screenshots

???

MGren said...

Looks like the PDF was created in September 2019? So more than a year ago? Months before the laptop was seized by the FBI and a year before the hard drive was supposedly given to Costello/Giuliani. If they have the harder/emails, why are they using a September 2019 screenshot?

MGren said...

Looks like the PDF was created in September 2019? So more than a year ago? Months before the laptop was seized by the FBI and a year before the hard drive was supposedly given to Costello/Giuliani. If they have the harder/emails, why are they using a September 2019 screenshot?

Unknown said...

Do you have the meta? No? I thought not. You make a lot of assumption here that cannot be proven or disproven.

I agree with one thing, without the full meta data and routing within these emails it cannot be proven that they are authentic. That is what everyone should be asking for.

I have yet to see anyone on the left take issue with the NYT for publishing a story about the Presidents taxes without providing the supporting documentation and evidence as to how they were obtained.

Unknown said...

I have a computing degree and could easily follow the reasoning in this article.
Apart from accepting that the metadata would be useful you have said nothing that addresses the arguments laid out here.
Of course they don't have the meta - it hasn't been released - and that in itself is suspicious.
And easily rectified if the email is koshe.

And - yes - my politics is to the left and I freely admit that I wouldn't p.ss on Trump if he was on fire.

That doesn't stop me from putting forward a coherent argument

Yoyoyo said...

How do you explain that a recipient of the email verified its authenticity? One so far.

Unknown said...

If they are using webmail how can they see the DKIM data? I can't find the option in gmail or outlook to do so.

Life With said...

> If they are using webmail how can they see the DKIM data?
> I can't find the option in gmail or outlook to do so.

Here you go, my slow witted friend https://is.gd/jjt9Br

Asore Corp said...

HAVE YOU BEEN IN SEARCH FOR GENUINE HACKER'S ONLINE?. HAVE YOU LOST YOUR MONEY TO BINARY OPTION SCAM OR ANY ONLINE SCAM WHATSOEVER?. WELL, YOU HAVE FOUND REDEMPTION IN ASORE CORP.
asorehackcorp@gmail.com

Asore Corp is a Russian based group of multinational Hacker's, an affiliate of Evil Corp. We have mutual interests obliged to fight online scam and scammers in general. In doing this, we make sure by all means necessary that our clients get the best of services on a🔐PAYMENT AFTER JOB IS DONE BASIS✔️. Rather than send money and trust a criminal to fulfill your deal, you can make sure the job is done before WORKMANSHIP is paid for. You'll get excellent customer service.
That's a 100% guarantee.

⚠️ BEWARE OF FRAUDSTARS
if you have been a VICTIM, contact :
✅ mercurycrimewatch@gmail.com for directives.
Here, it's always a win for you.

Having been on various headlines since 2004 hitherto, Asore Corp hosted a conference in August 2006 tagged "The Hacker's profile", which was anchored by Morgan Marquis Boire a then Hacker at Microsoft. Also, Asore Corp have acquired a hall of fame well deserved for solving tedious puzzles shocking the internet countless times. We possess highly qualified hackers recruited and registered under the right agencies. 
Without any reasonable doubts, it is no news that Asore Corp offer one of the best Hacking services world wide. 
Amongst others, services we offer are listed 📌as follows :
[ ] BinaryOption funds recovery
[ ] Social media hack
[ ] Recovery of loan scam
[ ] Recovery of dating scam
[ ] E mail hack
[ ] College score upgrade
[ ] Android & iPhone Hack
[ ] Website design
[ ] Website hack
etc.

CONTACT:
🤳asorehackcorp@gmail.com
▪︎︎ WHATSAPP: +1 (512) 601-0445

Copyright ©️
Asore Cyber Corp 2020.
All rights reserved.

Attila Mate said...
This comment has been removed by the author.
Attila Mate said...

My understanding is that the email in question was sent from a gmail account, and gmail does indeed use DKIM signatures.

My previous comment that I deleted said: "Not all email servers use DKIM signatures." The reason I deleted it was that on its own it was misleading, and I was not able to edit it.

Unknown said...

WELCOME TO THE GREAT TEMPLE OF RICHES,FAME AND POWERS.
Have you been longing for power, fame, riches and lot more?, then you don't have to because the BROTHERHOOD offers it all be it business success, political positions, fame, power to be untouchable, and lot more you can think of, you can achieve your dreams by being a member of the Great BROTHERHOOD. With this all your dreams and heart desire can be fully accomplish, if you really want to be a member of the great BROTHERHOOD, Note: new members are entitled to 600,000 US Dollars, brotherhood ring for protection and recognition, opportunity to meet to celebrity and other members of the brotherhood, and a free holiday to any country of your choice and lot more, sacrifice required both not human , for those who might be interested in changing his/her life should kindly Email on: the666brotherhood@gmail.com or WhatsApp us on +1(319)246-2035.....

efren said...

Do you need to hack into any, databaseserver spy on Facebook,Emails, Whatsapp, Viber, Snapchat, Instagram and many more.
I urge you to get in touch with the best people for the job, i have confirm the service when i need to spy on my spouse phone. They are good at Phone Cloning and Bitcoin/binary minning and any other hack job.
Thanks guys for the team work HACKINTECHNOLOGYATGMAILDOTCOM

+12132951376(WHATSAPP)

WENDY CUTRONA said...
This comment has been removed by a blog administrator.
Unknown said...

Hi Rob,

You were quoted as verifying one email's DKIM signature. Have you verified multiple emails or just this one?
https://dailycaller.com/2020/10/29/cybersecurity-expert-authenticates-hunter-biden-burisma-email/

Unknown said...

Hi Rob,

You were cited as verifying a DKIM signature from an email sent to Hunter Biden. Have you verified just one or multiple?
https://dailycaller.com/2020/10/29/cybersecurity-expert-authenticates-hunter-biden-burisma-email/

PROF.LUCIOUS HAWARD said...
This comment has been removed by a blog administrator.
PROF.LUCIOUS HAWARD said...
This comment has been removed by a blog administrator.
asda services said...
This comment has been removed by a blog administrator.
asda services said...
This comment has been removed by a blog administrator.
Ross said...

Just want to let you know that an idiot Trumpist lawyer is claiming you have in fact validated the emails

https://www.youtube.com/watch?v=K_iD_Z6qt0Q

You may want to address this propaganda.

Rubbertoe said...
This comment has been removed by a blog administrator.
doron said...
This comment has been removed by a blog administrator.
UplayOnline said...
This comment has been removed by a blog administrator.
UplayOnline said...
This comment has been removed by a blog administrator.
WENDY CUTRONA said...
This comment has been removed by a blog administrator.
UplayOnline said...
This comment has been removed by a blog administrator.
KYLE said...
This comment has been removed by a blog administrator.
Asore Corp said...
This comment has been removed by a blog administrator.
UplayOnline said...
This comment has been removed by a blog administrator.