
    Thursday, July 10, 2008

    A Classic Man-in-the-Middle Attack Saved 15 Colombian Hostages

    Wired Magazine's Bruce Schneier has posted on how a classic man-in-the-middle attack saved Colombian hostages this week, and discusses how the Colombian military successfully used the same basic strategy that online identity thieves and hackers rely on.

    A man-in-the-middle attack (MITM) is one where the attacker inserts himself into the middle of a conversation without being recognized by either of the communicating parties. Both believe and trust that they are talking to each other, but the attacker in the middle can read, delete or alter the communication without their knowledge.

    This is a common attack against online financial institutions: the attacker sets up a site that mimics the bank, lures the user to it, and relays traffic between the two. When the bank demands authentication (typically a login and password), the attacker passes that demand on to the user; when the user responds, the attacker forwards the credentials to the bank, so the session completes just as the user expects. The attacker now holds a real login and password and can return to the bank later, impersonating the user to gain access to the account.

    The Wall Street Journal reported how this gambit played out in Colombia.

    "The plan had a chance of working because, for months, in an operation one army officer likened to a "broken telephone," military intelligence had been able to convince Ms. Betancourt's captor, Gerardo Aguilar, a guerrilla known as "Cesar," that he was communicating with his top bosses in the guerrillas' seven-man secretariat. Army intelligence convinced top guerrilla leaders that they were talking to Cesar. In reality, both were talking to army intelligence."
    In this case the man-in-the-middle attack worked because the FARC guerrillas didn't know each other well enough to recognize that the party on the other end of the line was not who it claimed to be.

    As Bruce Schneier says, "Man-in-the-middle is defeated by context, and the FARC guerrillas didn't have any...

    In the real world, you can easily tell a branch of your bank from a money changer on a streetcorner. But on the internet, a phishing site can be easily made to look like your bank's legitimate website. Any method of telling the two apart takes work. And that's the first step to fooling you with a MITM attack. Man-in-the-middle isn't new, and it doesn't have to be technological. But the internet makes the attacks easier and more powerful, and that's not going to change anytime soon."

    Bruce is right, of course: context is the only real way to thwart man-in-the-middle attacks, which means identity-based systems are needed. Unfortunately, this is exactly where email can't work. It was designed to be address-based, not identity-based: nothing in the protocol verifies that the party behind an address is who it claims to be, and it is that anonymity of the communication stream that makes man-in-the-middle attacks through email so effective.
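    The relay described in the banking paragraph above, and the point that context defeats it, can both be shown in a small simulation. This is an added example and is not Sendside's code or anything from Schneier's post; the bank, the phishing host names, the user and the password are all constructed. It compares two login schemes: a bare password, which a relay forwards and then keeps, and a challenge-response tag that the user's client binds to the identity of the site it believes it is talking to (the same idea FIDO/WebAuthn applies by binding a signature to the site's origin). The relay forwards the bound tag just as faithfully, but the bank checks it against its own identity, so the tag the user computed for the look-alike host is rejected.

```python
"""Simulated man-in-the-middle relay against two login schemes.

Constructed example: the bank, the user, the phishing relay, the user name,
the password and the host names below are all made up for illustration.
"""
import hashlib
import hmac
import secrets

BANK_HOST = "bank.example"          # hypothetical identity of the real bank
PHISH_HOST = "bank-login.example"   # hypothetical look-alike the attacker relays through
USERS = {"alice": "correct horse battery staple"}   # constructed credentials


def bound_tag(password, nonce, peer_host):
    """What the user's client computes: an HMAC under the password over the
    bank's nonce AND the identity of the site the user believes it is
    talking to, so the credential carries context with it."""
    msg = f"{nonce}|{peer_host}".encode()
    return hmac.new(password.encode(), msg, hashlib.sha256).hexdigest()


class Bank:
    """The real bank. Verifies either a bare password or a context-bound tag."""

    def __init__(self, host, users):
        self.host = host
        self.users = users
        self.issued = set()     # nonces handed out and not yet used

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def login_password(self, username, password):
        # Scheme 1: the password is just a secret; whoever holds it is "the user".
        return self.users.get(username) == password

    def login_bound(self, username, nonce, tag):
        # Scheme 2: the tag must be an HMAC over (nonce, OUR host name).
        # Each nonce is accepted once; a tag bound to another host never matches.
        password = self.users.get(username)
        if password is None or nonce not in self.issued:
            return False
        self.issued.discard(nonce)
        expected = bound_tag(password, nonce, self.host)
        return hmac.compare_digest(expected, tag)


class Relay:
    """The attacker's phishing site: it sits between user and bank, forwards
    every message in both directions, and keeps a copy of what it sees."""

    def __init__(self, bank):
        self.bank = bank
        self.captured = {}

    def challenge(self):
        return self.bank.challenge()     # pass the real bank's nonce through

    def login_password(self, username, password):
        self.captured[username] = password   # the attacker now owns the credential
        return self.bank.login_password(username, password)

    def login_bound(self, username, nonce, tag):
        self.captured[username] = tag        # a copy, but bound to PHISH_HOST
        return self.bank.login_bound(username, nonce, tag)


def user_password_login(site, username, password):
    return site.login_password(username, password)


def user_bound_login(site, site_host, username, password):
    """The user binds the tag to site_host, the name they typed or clicked."""
    nonce = site.challenge()
    return site.login_bound(username, nonce, bound_tag(password, nonce, site_host))


def run_scenarios():
    bank = Bank(BANK_HOST, USERS)
    relay = Relay(bank)
    results = {}

    # 1. Password through the relay: the login succeeds for the user, and the
    #    attacker can come back alone later with the captured password.
    results["password_via_relay"] = user_password_login(relay, "alice", USERS["alice"])
    results["attacker_replays_password"] = bank.login_password("alice", relay.captured["alice"])

    # 2. Context-bound login straight to the bank: succeeds.
    results["bound_direct"] = user_bound_login(bank, BANK_HOST, "alice", USERS["alice"])

    # 3. Context-bound login through the relay: the user binds the tag to the
    #    host they see (PHISH_HOST), the bank checks against BANK_HOST, so it fails.
    results["bound_via_relay"] = user_bound_login(relay, PHISH_HOST, "alice", USERS["alice"])

    # 4. The attacker replays the captured tag with a fresh nonce: it was
    #    bound to an old nonce and the wrong host, so it fails too.
    nonce = bank.challenge()
    results["attacker_replays_tag"] = bank.login_bound("alice", nonce, relay.captured["alice"])
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:28s} {'accepted' if ok else 'rejected'}")
```

    The simulation trusts that the user's client knows which host it is talking to; on the web that knowledge comes from the browser, not from the user's eyes, which is why binding the credential to what the software sees beats binding it to what the page looks like.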

    The identity-based nature of Sendside is one of the many reasons it would be very difficult for an attacker to use this strategy against Sendside: because the communication is direct between identified parties, there is no opening for an attacker to insinuate themselves into the conversation stream.
