Email Certification?

sunder sunder at sunder.net
Mon May 2 12:09:45 PDT 2005


Suggestion - you can do what advertisers do - encode a web bug image as 
part of some jucy html emails on a web server that you own and check 
your logs.  (not sure if hotmail or whatever allows this, as I don't use 
their cruft.)

Make sure that unlike a web bug you don't set the name so it looks like 
a web bug (i.e. don't call it 1x1.gif) and don't set the image size 
attributes on the IMG SRC tag to say 1x1.  Instead make the file name 
into something that looks like it came from a digital camera and put it 
in a path that matches that cover story.
ie: 
http://127.53.22.7/phightklub_files/2004-xmas-party-pix/JoeShmoeDrunkAndHigh/Kodak/DSC03284345.JPG


No guarantee that someone won't read the email as source and thus not 
grab the image too, but you can make it look like the content of the 
image is important to the message's content and jucy enough to make 
whomever you believe is spying on you want to fetch it.  i.e. "Here's a 
picture of the party, you can clearly see he's got a crack pipe in his 
hand and his eyes are dialated.  I'm thinkin' of reporting him to deh 
fedz, what do u think?"    (I'm assuming that the feds are your threat 
model here, but you can vary this up with whatever threat model you 
think is appropriate.  i.e. if you think your woman is spying on you, 
make it a fake email from your supposed mistress, something she'd want 
to open - i.e. subject "I'm gonna tell ur wife about us if you don't do X".)

I'd also make sure that nothing on the webserver itself points to the 
directory where this lives so it can't be picked up by the search 
spiders/bots accidentally, and make sure that you don't allow the 
directory it lives in to have an auto-index.

Then, watch the server logs like a paranoid hawk with a caffeine 
addiction problem and hope they bite, when they do, you know they've 
read the other emails.  You also have to make sure that you don't 
accidentally open these emails yourself, or leave an open web browser 
with your account where someone can randomly snoop.)

But of course, since you are using hotmail and you're about to receive 
this email, if your account is watched, guess what, you can no longer 
use this method.  Oh well.


Tyler Durden wrote:

>  Yes, but this almost misses the point.
>
>  Is it possible to detect ('for certain', within previously mentioned 
boundary conditions) that some has read it? This is a different problem 
from merely trying to retain secrecy.
>
>  Remember, my brain is a little punch-drunk from all the Fight Club 
fighting.
>  BUT, I believe that the fact that deeper TLAs desire to hide 
themselves from more run-of-the-mill operations might be exploited in an 
interesting way. Or at least force them to "commit" to officially 
surveiling you, thereby (one hopes) subjecting them to whatever frail 
tatters of the law still exist.
>
>  A better example may be home security systems. If they're going to 
tempest you, I'd bet they'd prefer not to inform your local security 
company. They'd rather just shut down your alarm system and I bet this 
is easy for them.
>
>  BUT, this fact may enable one to detect (with little doubt) such an 
intrusion, and about this I shall say no more...





More information about the cypherpunks-legacy mailing list