The Australian press have been trying to fill the news cycle in recent weeks with allegations of nefarious political machinations pertaining to a "fake email" in the OzCar affair (known by most as Utegate and, thanks to
![[info]](http://l-stat.livejournal.com/img/userinfo.gif)
lokicarbis, to some as Email Overboard). While there has been a great deal on the accusations made by various politicians against each other, there is very little on the nature of the email such as whether it was made out of whole cloth (i.e. something that looks like an email in an inbox, but was never sent) or whether it is a spoofed email (i.e. an email that was sent with a fraudulent From header).
Anyone familiar with installing or operating mail server knows how incredibly easy it is to spoof an email address. I could send an email to anyone which appears to come from president@whitehouse.gov, but I know that anyone looking at the headers would be able to determine the true source and that it never passed through any of the whitehouse.gov servers. While most of the rest of the online world is aware that spam is hardly ever from the email address it appears to come from. So spoofed email is not really a new concept to anyone these days.
As common and fairly easy as it is to spoof an email, it is also fairly easy to employ methods to counter this through the use of
digital signatures. While a digital signature does not prevent someone from spoofing an email which appears to come from another party, if that other party is using a digital signature it is easy to determined that an unsigned or badly signed message may be faked. Using myself as an example again, this is why I use an
OpenPGP compliant digital signature with my email.
The advantage of using an OpenPGP (usually
PGP or
GPG) key rather than the type of signature built into different email clients is the existing interoperability between operating systems and email clients. With plugins for Firefox it is also easy to use it with web based email systems. The other obvious advantage is that the same system includes encryption for those who want or need it.
When I first started using PGP in 1995, with version 2.3a for DOS, it was understandable that not everyone would have been happy to use it. In the intervening years there have been enough improvements with GUIs and alternate interfaces for the software that there is no real reason to prevent people from adopting it. Especially if there is any concern regarding email spoofing or identity theft in either their public or private communications.
Which brings me to my obvious question: why doesn't the Australian public service employ a method of digitally signing email?
If there were a policy of digitally signing messages sent by public servants and political staff it would not have been possible for this current issue to even occur. Well, a fake email could be created or sent, but it would be very simple to identify that it was fake.
I can see that there might be a reason for all email in the public service being sent in the clear or, if encrypted, always copied to a master key in addition to the recipient(s) for the sake of transparency of government - which is an important aspect of the democratic process. Aside from this issue, which is easily addressed, there is no reason why the public service and politicians can't adopt OpenPGP compliant software.
As it happens, some people at Parliament House have used OpenPGP, as
this list shows. No doubt most of them are public servants and staffers, but there are two Senators, one current MP and one former MP on that list, including the current Minister for Foreign Affairs.
I can, of course, guess at the probable answers to my question: ignorance and apathy.
Tags: comms, politics
Current Music: One Of These Days [Live]-Pink Floyd-Delicate Sound Of Thunder [Disc 2]
Previous 
