Skip to content

Justin's Linklog Posts

Control your life support via the Internet!

Published October 20, 2003

Romania Emerges As Nexus of Cybercrime (AP). Contains this glorious nightmare scenario:

BUCHAREST, Romania – It was nearly 70 degrees below zero outside, but the e-mail on a computer at the South Pole Research Center sent a different kind of chill through the scientists inside.

‘I’ve hacked into the server. Pay me off or I’ll sell the station’s data to another country and tell the world how vulnerable you are,’ the message warned.

Proving it was no hoax, the message included scientific data showing the extortionist had roamed freely around the server, which controlled the 50 researchers’ life-support systems.

One question: why was an internet-connected computer controlling the life support systems? eeek.

‘Don’t eat slugs’

Published October 20, 2003

Funny: The Medical Journal of Australia has issued a warning: Australians, don’t eat slugs. ‘The warning came after a Sydney student contracted a potentially deadly form of meningitis after eating a slug for a $20 bet.’

Secsed-up

Published October 20, 2003

Humour: Data::Secs2 — canoncial string for nested data. A format for representing nested data structures in accordance with SEMI E5-94, Semiconductor Equipment Communications Standard 2 (SECS-II), apparently pronounced “‘sex two’ with gusto and a perverted smile.”

Using a Web of Trust to stop spam

Published October 20, 2003

Been thinking about a distributed ‘web of trust’ approach to fighting spam.

Combine those with another key point — that we do not need PKI, crypto, or any other changes to identify senders in current SMTP — and it could be done today, I think.

Why we don’t need crypto to identify an SMTP sender

Every email message delivered via SMTP across the internet will contain these headers:

  • the From line
  • one or more Received headers

Traditionally, whitelisting uses just the From line, which is vulnerable to spoofing. SpamAssassin used this up to version 2.3x. Spammers started spoofing mails where ‘From’ was the same as ‘To’, and since most people had themselves in the whitelist, that worked. boo.

In 2.3x or 2.4x, we added code to extract the IP addresses from the Received headers, and use a combined token — ( from_address, ip_address ) — as the sender’s address.

(In fact, we use just the top 24 bits of each IP to deal with situations like DHCP or dialup pools, where a relay may get a different IP every now and again. That’s close enough, at least.)

This is much harder to forge without doing a full-scale TCP spoofing attack; which is why the SpamAssassin auto-whitelist generally works well.

So basically, to identify someone strongly enough to provide a spam fix in plain old vanilla current SMTP, gen up a string containing their ‘From’ address, along with all the /24 masks of the IP addresses found in the ‘Received’ headers.

Remove your relays’ IP addresses, and you have an unspoofable ID for that person’s SMTP traffic. Any spammer who wants to spoof that, will have to compromise their mail server (or a server in the same /24). That’s not cost-effective for spamming.

Note that whitelisting based on that is effectively what the SpamAssassin auto-whitelist does. But for that to be more useful than the AWL, it has to extend over the internet to those people your friends haven’t corresponded with yet; ie. it’s got to be distributed.

(If you would like to comment on this scheme, I’d prefer if you could post comments at this QuickTopic forum.)

MS on Choice

Published October 18, 2003

Music: This is great. Microsoft’s general manager for the Windows Digital Media division, Dave Fester, on iTunes for Windows:

AdvogatoDay

Published October 17, 2003

Tech: So, I just looked at NTK; it has a brief bit about Bram Cohen ‘having solved content distribution, (announcing) he was now tackling other simple problems: reputation systems, version control and perhaps after lunch the NP-complete set.’

Spamcop and ‘Al-Quada’, sitting in a tree

Published October 17, 2003

The null device reports a spam entitled, ‘julian haight funds terrorists b alqoswmw l lgng’.

Julian haight spamcops CEO is rumoured to have conections with Al-Quada, one of the most disruptive terrorist orginisations on earth. hes specialty is cyber terrorism. which disperses highly needed homeland security funds by rendering multi million dollar industrys unprofitable.

haights main motive is the perversion of American free enterprise.

Oh, the poor spammers! One comment quotes Samuel Johnson: ‘patriotism is the last refuge of a scoundrel’.

Also present is some lovely pictures of Carlton, with trams, greenery, grey skies, and that distinctive turn-of-the-century Aussie architectural style. A couple of years ago, I lived just around the corner in North Melbourne; looking at those photos, it seems like I could just pop out the front door and walk through it all on the way down to the Vic market. They thoroughly evoke day-to-day just-outside-the-CBD Melbourne.

The Bin Tax

Published October 15, 2003

Over the past few months, Dublin has seen increasing resistance to newly-introduced rubbish-removal charges, or as they’re being called, ‘the bin tax’.

Snippets

Published October 15, 2003

Bits: BarbieOS, a cutdown version of Debian from Mattel. Really. ‘BarbieOS 1.0 is the result of almost a year’s worth of marketing research into what pre-adolescent girls want in a mobile Linux solution aimed at being a desktop replacement.’ (via Ben)

The Funniest Thing I’ve Read

Published October 15, 2003

Guardian Talk: The Barefoot Doctor, live online. This is the funniest thing I’ve read in months — thanks Tom!

(Background: ‘The Barefoot Doctor’ is the ‘healer’ who writes for The Observer Magazine on ‘wellbeing, alternative therapies and medicines and ways to cope with modern life’. Everything can apparently be healed through kidney massage and a few essential oils.)

Q: A case study, Mr Barefoot: my bus has crashed – I’ve got a compound fracture in my right leg, the bone is sticking out from under the skin and is wedged into the ‘Used Tickets’ receptacle, my skull has had a good old thump against the seat in front and is impersonating a boiled egg after the first thump with the teaspoon, and my ribs have been broken into bits like a packet of smokey bacon crisps someone has stood on.

What herbs and aromatic oils would you recommend?

Doc: you may jest – however, aromatic oils or potions can be extremely effective in speeding the healing process eg – manuka honey,lavender, marigold etc – thanks for bringing it up

Q: oooh good answer. yes i’m going out to buy some manuka honey right away. what do you do with it, is it nice on toast?

lavender, marigolds? is he opening a kitchen department?

Q: My unfortunate friend received a quite severe beating in the street a few days ago and has since been passing blood in his urine, in copius amounts.

Can recomend any effective massage oils for my friend? Its quite urgent because he’s beginning to talk incoherently about bright lights, can’t move and fainting.

Thank you, 3000

(… snip several hundred similar hilariously bitchy ‘questions’… Barefoot Doctor disappears for a while…)

Q: Where is he? Maybe the Barefoot Cab Driver who learnt to drive by karmic chanting has driven into a tree — or can’t find first gear?

(BTW the real ‘barefoot doctors’ were a different kettle of fish entirely; ‘part-peasant, part-doctor’ commune-level health workers in revolutionary China.)

For Reference: Why Greylisting Sucks

Published October 14, 2003

I’ve been meaning to collate a page about why I don’t like greylisting. My previous posting is relatively useful, but it needs an update, so here it is:

First off, every single message is delayed until a database match is found for the combination of sending IP, envelope-from and envelope-to. As Alan Leghart pointed out, ‘So…we punish everyone in the world, and hope that a delay of one or more hours is considered ‘acceptable’? Maybe some people already expect a mail to take several hours to reach a recipient. In that case, you need to fix your mail server.’

Secondly, large mailing lists that use VERP (generating keyed From addresses for each mail for good bounce-handling) will require manual whitelisting for each list, or each host.

Yahoo! Groups, for example,
uses VERP for all its lists, and also will not retry delivery if the first attempt fails.

There’s even buggy SMTP servers that do not support retrying, believe it or not.

(Once again, as for many spamfilter designs, the unusual SMTP clients are the ‘edge cases’ that cause the most trouble.)

Manual whitelisting == work == what spam filtering is trying to reduce == bad.

Thirdly, and most seriously, it assumes spammers would never introduce retries into their spam-tools if it took off. Tempfailing, what this is based on, is effective right now because spamtools don’t retry. But every proposed spam solution has to consider what would happen if every server admin in the world implements it, and spammers then want to subvert it.

For a spamtool to retry, it just needs to track 4xx responses, and if it encounters one, save these items of data:

  • From, To addrs and HELO string used
  • proxy IP used (btw proxies are almost never shut down successfully, so the spammer can generally assume this can be reused next time)
  • random seed used to generate random hashbuster tokens etc., so the body text matches

That’s really not a lot of data — 64 bytes per address that requires a retry. Then, an hour or more later, do the retry.

So, IMO, ‘greylisting‘ will work fine in the short term, until it becomes reasonably common — then the spamtool developers will start adding retry code.

Then we’re back to square one — except some legit mail takes much longer to get delivered, and the bandwidth wasted by spam has doubled, due to all those retrying spams. That’s not really progress.

KDE patch, and my cat

Published October 14, 2003

Linux: So, I like being able to move windows around using the keyboard very quickly. In particular, one nifty feature of Sawfish was corner.jl, a Sawfish lisp snippet which ‘provides functions to move a window into a screen corner.’

Getting Postfix to use an SSH tunnel for outgoing SMTP

Published October 14, 2003

Given all the fuss over blocking dynamic IPs due to spam, I’ve long sent outgoing SMTP via my server (which lives on a static IP). I download my mail from that using fetchmail over an SSH tunnel, and have done for a while. It’s very reliable, and that way it really doesn’t matter where I download from — quite neat. Also means I don’t have to futz with SMTP AUTH, IMAP/SSL, Certifying Authorities, or any of the other hand-configured complex PKI machinery required to use SSL for authentication.

SPF again

Published October 13, 2003

Spam: Craig is publishing SPF records. Worth noting that I’ve been publishing SPF records for jmason.org for a month or two, even though the protocol hasn’t even stabilised yet — working on the ‘if you build it, they will come’ approach ;)

‘It will solve starvation among shareholders, but not the developing world’

Published October 13, 2003

EU broadside at GM firms’ ‘lies’ (Ananova):

‘They tried to lie to people, they tried to force it upon people … it is the wrong approach and we simply have not accepted that and European citizens have not accepted it. You simply cannot force it upon Europe.

‘So I hope they have definitely learned a lesson from it and especially when they now try to argue that this will try to solve the problems of starvation in the world. After all, why didn’t they start with such products, so they could prove to the world that this was exactly what they were interested in doing?

‘It will solve starvation among shareholders, but not the developing world unfortunately.

That’s the EU Environment Commissioner, Margot Wallstrom, launching a broadside against ‘US biotech companies’, accusing them of ‘forcing’ unsuitable GM technology onto Europe.

Ouch.

It’s interesting to note that much of their biotech companies’ tactics seem to work well in the US, but overseas, the tactics play out predominantly as blatant strong-arming, astroturfing support, and being ‘economical with the truth’, as the phrase goes.

Some rethinking of their strategy might be helpful — although really, IMO, some thought as to how to make their products relevant to consumers, instead of money-spinning for their shareholders, might work best of all. Making some moves towards the much-vaunted ‘solving starvation in the developing world’ might just be the best way to that.

BitTorrent and Google’s IP

Published October 13, 2003

Tech: Sam Ruby on Foo Camp. Foo camp sounds cool; a little bit circle-jerky, but still interesting. But that’s not what I wanted to write about — the thing I wanted to mention was BitTorrent; it just struck me recently — one key thing about BT that makes it great is that it’s designed by the UNIX philosophy — make one tool that does one thing very well, and make it pluggable, so it can be used by other things easily.

SMTP Sender Authentication

Published October 10, 2003

SMTP Sender Authentication, by David Jeske of Y! Groups (pointer from Jeremy.

Schemes similar to this — calling back to a sending server to verify that a mail was really sent via that host — have been proposed before in several venues, the most high-profile and public being the ASRG list. Here is a message I sent to that list in April 2003 discussing a few of those schemes:

  • J C Lawrence’s ‘forward chained digital signatures’ on Received headers
  • William at elan.net’s ‘complex callback verification requirying full message tracking server functionality with dns extensions’
  • Russ Nelson’s Q249
  • Our own ‘porkhash’

I still like this style of system, I think, but in terms of deployability and simplicity, I’m supporting Sender-Permitted From for now — which similarly forces senders to use registered relays for a given SPF-supporting domain, but using DNS as the protocol and IP addresses as the hard-to-forge identity component.

Another bonus of SPF is that it’s simple, easy to implement, has *running code* out there now, and is being pushed strongly by a pragmatic and sane driving person (in the form of Meng Weng Wong). It’s not always easy in the anti-spam field to find a solution like that ;)

BTW, SPF also, similarly, breaks envelope sender forging. However, I agree, this is one egg that has to be broken to help stop spam (or at least force spammers to use their own domains and IPs.)

Iraq: guerrilla tactics planned from the start?

Published October 10, 2003

Parallels with Vietnam becoming ominous for US commanders (Irish Times, subscriber-only). An interesting view on the situation Iraq:

US commanders in Iraq now believe that during the invasion, lower-echelon Iraqi troops mounted a token defence against US armour and air power while thousands of Republican Guard members went to ground in order to wage a prolonged guerrilla war during the subsequent occupation.

As the current attacks evolve in sophistication and momentum, US troops believe that the current phase of the war is not an ad-hoc development, but part of a pre-planned strategy designed to frustrate US plans to rebuild Iraq.

Further indicators as to the source of the insurgency lie in the weaponry and tactics employed. US convoys and patrols are repeatedly attacked with IEDs configured as roadside bombs along with RPG strikes. … It is believed that the plastic explosives and RPGs were released from military stores in the run-up to the invasion and pre-deployed among the population for a war of attrition.

Wounding rather than killing the enemy is a classic feature of this type of war of attrition. By wounding as many enemy troops as possible, the guerrilla army ties up the resources of the occupying force as it seeks to evacuate and treat its personnel.

The architects of the current attacks recognise that it is far more expensive for the US to medically evacuate and treat injured soldiers than to simply process them for burial. For the insurgents, the psychological effect of their attacks is greatly enhanced with families and politicians in the US confronted with mutilated and disfigured soldiers returning from Iraq.

It would appear that the war in Iraq did not end on May 1st. It simply entered a new phase designed to render Iraq ungovernable.

No ‘US commanders’ are named, so it’s all off-the-record.

Humour: on a lighter note, BBC Radio 4’s Loose Ends, recorded in the Spiegeltent in Dublin last weekend, featuring ‘writers Anne Enright and John Arden, Desmond Guinness of the Irish Georgian Society, comedian Dara O’Briain, Chieftain Paddy Moloney and Loose Ends regular Emma Freud.’

Happiness measured

Published October 9, 2003

Science: Fantastic article in New Scientist volume 180 (4 Oct 2003), covering how science is beginning to identify the keys to a happy life, and perform studies measuring people’s happiness.

EMusic is dead

Published October 9, 2003

Music: All good things must come to an end. EMusic has been bought out by some bunch called ‘Dimensional Associates’, and will no longer offer its excellent download service; instead you’re limited to a measly 40 MP3s per month. (For context — last time I downloaded some listening material was on Monday, and I picked up about 80 MP3s in a single sitting.)

Whoops

Published October 9, 2003

Funny: So, I guess this is the Korean equivalent of Dublin’s Mao restaurant? Hitler Bar. (thx Eoin)