January 15, 2006

Is the NSA snooping your email? Wanna find out?

Have you ever wanted to know if the NSA is spying on your email? How about a co-worker? I learned an interesting technique from Richard M. Smith on how you can easily find out.

If you have access to a website's server logs, and can create new content, then it is rather simple to do.

  • Create a UNIQUE URL that is not linked from ANYWHERE that only you know. Or better yet, DON'T create it and let a 404 be generated. (That's what I do)
  • Place it in an email, making it interesting enough that a person may go look at it.
  • Write a quick script or filter that will search the access and/or error logs for this unique URL and schedule it to run every hour/day etc. In a worst case scenario just do a grep against the log for the URL.
  • Have the script email you if it ever finds a match, including the SourceIP of the connection so you can backtrace it to see WHO is snooping YOU.
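One way to write the log filter from the steps above, as an added example that is not the author's own script. It assumes the Apache/nginx "combined" access-log layout; the token path, the sample log lines, and the names `find_canary_hits` and `alert_body` are constructed for illustration.

```python
import re
from collections import namedtuple

# Hypothetical token path, constructed for this example; it exists nowhere on the site.
CANARY_PATH = "/notes/q3-draft-7f3a9c1e5b.html"

# Apache/nginx "combined" access-log layout (assumed); the quoted tail is optional.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<agent>[^"]*)")?'
)

Hit = namedtuple("Hit", "ip ts status agent")

def find_canary_hits(lines, canary_path=CANARY_PATH, ignore_ips=()):
    """Return a Hit for every request whose path is exactly the canary URL."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line
        path = m["target"].split("?", 1)[0]  # an appended query string still counts
        if path == canary_path and m["ip"] not in ignore_ips:
            hits.append(Hit(m["ip"], m["ts"], int(m["status"]), m["agent"] or ""))
    return hits

def alert_body(hits):
    """Plain-text body for the notification mail, one line per request."""
    return "\n".join(f"{h.ts}  {h.ip}  {h.status}  {h.agent}" for h in hits)

# Constructed sample log (documentation-range IPs); 192.0.2.10 stands in for your own address.
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Jan/2006:09:12:44 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.25 - - [15/Jan/2006:10:03:01 -0800] "GET /notes/q3-draft-7f3a9c1e5b.html HTTP/1.1" 404 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.10 - - [15/Jan/2006:10:05:30 -0800] "GET /notes/q3-draft-7f3a9c1e5b.html HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    '203.0.113.25 - - [15/Jan/2006:10:07:12 -0800] "GET /notes/q3-draft-7f3a9c1e5b.html?x=1 HTTP/1.1" 404 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.99 - - [15/Jan/2006:11:40:00 -0800] "GET /notes/q3-draft-7f3a9c1e5b.html.bak HTTP/1.1" 404 312 "-" "curl/7.15"',
]

if __name__ == "__main__":
    print(alert_body(find_canary_hits(SAMPLE_LOG, ignore_ips={"192.0.2.10"})))
```

Matching the parsed request path exactly, rather than grepping the whole line, keeps a Referer field or a longer path that merely contains the token from raising an alert, and `ignore_ips` filters out your own test clicks.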

Now that you know your wife is reading your email, you can worry about black helicopters and the suppression of freedoms in your country. The NSA has billions of dollars of computers searching through transmissions looking for key words, patterns etc. through their old Echelon systems. If you want to see if you can trigger it, take the above steps but add a few before that:

  • Create a web account with Microsoft Hotmail or Google Gmail. (Or some other US-based server)
  • Set up a second account with an email server with a non-USA provider. Richard recommended Rediffmail.com.
  • Have your email include some various terrorist triggers (keywords) or content that may seem harmful to the USA. You can google for "NSA Echelon keywords" for some examples of keywords the NSA has used in the past. Use your imagination to think about what would interest the NSA these days. You know... phrases like "Bin Laden wants to kill the imperialist pig-dog George W. Bush with a dirty bomb of VX gas". (p.s. Hello NSA op who has been forced to read my blog entry today. Nice to see you too.)

Now, in case you don't realize this, you may be playing with fire. I HIGHLY suggest you don't use your own production servers for these tests, unless you would like men in black suits with sunglasses and Glock specials knocking on your door. But you can have some fun with this. A few of us have been running a little contest since the beginning of the New Year. I am currently in second place with 3 hits so far. I have an unfair advantage though. The NSA servers have spiders that have been going through my blog, rss feeds and personal servers for years :)

YMMV. Have fun with it.

Posted by SilverStr at January 15, 2006 07:57 AM

Nice one :)
Anyway, isn't there a possibility that web crawlers/spiders/bots access this unique URL/404 page randomly during their passes? In this scenario, many false positives are possible...

Posted by: Anonymous at January 15, 2006 11:08 AM

Crawlers, spiders and bots won't go LOOKING for weird URLs that aren't linked to anything. And if there is no URL actually linkable (in my case I wrote emails with a complex URL that doesn't exist) it is EXTREMELY unlikely to have false positives.

Posted by: Dana Epp at January 15, 2006 12:29 PM

It might be easier to get on the terrorist watch list than to get off it. Though even if you do get hits on the web server, there's a big chance that it isn't the NSA who's reading the mails; it could just be a bored mail/ISP admin.

Dan Brown (the author of The Da Vinci Code) based his book Digital Fortress on an event like this; you can read about it here: http://www.danbrown.com/novels/digital_fortress/interview.html

Posted by: Patrick Ogenstad at January 16, 2006 11:22 AM