Many of you might be aware, but my academic background and passion have always been in Computing and I have a Bachelor of Sciences degree in the field that is almost two decades old. While I might not have worked extensively in the field after graduating I have kept up to date in the field as a hobby especially as IT has grown exponentially during that time both in scope and its influence in everyday life.
As such, when I saw the release put out by the Police Service regarding their investigation into the bomb threats at fifty schools last week, the language that was used in communicating their findings stood out as perplexing to me in a way that it might not to an average individual. And here’s the thing, from the very beginning of this investigation, it was obvious that using the tools available to everyone on the internet if the perpetrator used even the most basic measures to keep their identity secret it would have been difficult for the police to identify the person responsible. Honestly, there are too many avenues available to mischief makers on the internet that allows them to keep their personal identity hidden from law-enforcement personnel across the globe. This is to say that I don’t think that anyone was really expecting the police to be successful in identifying the person who sent out the emails unless they were a rank amateur in using a computer and the internet. And by that I mean, the culprits would have had to have sent the emails from an account that is either known or registered to their legal identity in order to be caught immediately.
So my issue isn’t with the lack of results by the police in this matter, but rather with the way in which the Police Service reported on those results, as the language used either suggests that they have absolutely no idea what they’re talking about, or they are being dishonest to hide said incompetence.
The thing that first alerted me to this fact, because I was initially just skimming the information, was towards the end of the press release where they mention the use of “Dark web tools.” Now, if you consume a lot of American media through tv shows and movies, if you encounter a character who identifies as a “hacker” at some point you can be sure that they will mention the “dark web” and it is almost always followed by complete fantasy.
Yes, the dark web exists, and yes it is a part of the internet that deals in a lot of shady business, however, it really is the equivalent of a back alley where individuals meet to share and exchange information and services. That is to say that, if you need to buy or sell someone’s private data, hire a hitman, or hack into someone’s computer, you can go onto the dark web and find someone willing to assist you in accomplishing those tasks.
Sending an anonymous email though… really doesn’t require all the trouble and hassle.
But this is what made me take a deeper look at the information being presented by the Police Service and where I came about the most egregious errors. Because the key findings of the investigations were presented as follows:
“The TTPS was able to identify that the server used is based in Germany and the ‘resolve host’ of the email is situated in Cyprus. Additionally, two Virtual Private Networks (VPN), located in Switzerland and Panama were used to further mask the identity of the origin of the email.
Investigations also indicate that the email came from an anonymous mail service provider.
Locating the anonymous email service provider is key to this investigation. However, this is a complex process and the anonymous email and anonymous email server can remain hidden by utilizing a number of Dark web tools.”
Now while this string of words might appear to make sense to the uninitiated, I can guarantee you that with the highest level of expert analysis, this is complete and utter gibberish.
First of all, the one that is most obvious, is that if “the email came from an anonymous mail service provider” as stated, how are you “able to identify that the server used is based in Germany”? Either the email server is hidden behind a proxy which bounces around its IP address to maintain its anonymity or you were able to identify the actual IP address of the server, in which case you actually found the service provider and they are no longer anonymous.
Second, it states that “two Virtual Private Networks (VPN), located in Switzerland and Panama were used to further mask the identity of the origin of the email” which isn’t as absurd as the rest, as it could merely be poor wording, but I think what they were trying to say is that the person who sent the email routed their IP through a VPN and when the investigation team tried to ping it they were directed to two locations, one in Panama and the other in Switzerland. But this is just my interpretation of what would otherwise be nonsense.
But it is the final error that caused me to pen this because it is inexcusable and it is so utterly atrocious that it caused me to wonder if either the investigator or the investigation as a whole was a complete and utter fake. And that is not hyperbole, because absolutely nobody with an understanding of IT language would ever script the following words in this order: “the ‘resolve host’ of the email is situated in Cyprus.” That means nothing… absolutely nothing.
More specifically, the words in a single apostrophe ‘resolve host’ means nothing. There is no such thing as a resolve host. In networking, ‘resolution’ is a process which enables a host to be recognized by either its hostname or IP address, which in layman’s terms is the equivalent of attaching a physical address to your name so when someone wants to mail you a letter they send it to the address and the mail courier knows where to deliver it. Resolving a host is a process within networking of attaching a username to an IP address and nothing more, however, when you are trying to conduct a DNS search for an email server the term might appear if the host cannot be reached or identified. And this is where the person “investigating” the matter might have encountered the words and chosen to include them in their report to make it sound more legitimate.
As such, if someone says to you that they have found a ‘resolve host’ for an email, either they are being deceitful in the information they are presenting or in their own qualifications to conduct the task at hand. Because by including this term in their findings, it demonstrates that they have absolutely no understanding of the language they are using.
Having no insight into the details of the investigation, I can tell you that if someone wanted to send an anonymous email, as I alluded to earlier, the process is quite easy for even the most novice of internet users. A simple Google search for an anonymous email would provide results simple enough for a child to use, such as can be found here: https://nordvpn.com/blog/free-anonymous-email-account/ (No dark web tools required).
This being said the only best and most efficient way to trace the individual account would be to identify the mail service provider and get a subpoena to force them to provide any information they might have on the owner of the email address used. If that is impossible, however, then any further investigation into the matter would not even be feasible as they would not be able to gather any digital evidence to file an effective prosecution.
Of course, with this new understanding that the Police Service is completely unequipped to deal with these types of cyber crimes the real question is why they were ever put in charge of this investigation to begin with. Because if criminals are recorded committing crimes on camera and haven’t been caught, what makes anyone think that the Police would be able to capture an anonymous criminal online?
Ravi Balgobin Maharaj
Mob: +1 868 476-6181