looking at the new DKIM draft

The combined DKIM standard, mixing Yahoo!’s DomainKeys and Cisco’s IIM, has been submitted to the IETF as a candidate spec by the MASS ‘pre-working group effort’. I like the idea behind both (a few years back, I, a few other SpamAssassin developers, and several others came up with the roots of a message-signature anti-forgery scheme we called ‘porkhash’, but never really went anywhere with it), so I’m glad to see this one progressing nicely.

Seeing as I never seem to write much about anti-spam here any more, I might as well remedy that now with some comments on the new DKIM draft. ;)

It’s a very good synthesis of the two previous drafts, DomainKeys and IIM, more DK-ish, but taking the nice features from IIM.

The ‘h=’ tag is now listed as REQUIRED. It specifies the list of headers that are signed. If I recall correctly, this was added in IIM, modifies the behaviour of DK, and is a good feature: it protects against in-transit corruption by (a) fixing the order of the headers, to protect against MTAs that reorder them; and (b) allowing sites to protect the ‘important’ headers (From, To, Subject etc.) and ignore possible additions by MTAs down the line (scanner additions, mailing-list munging and additions, and so on).

A list of recommended headers to sign is included, with From as a MUST and Subject, Date, Content-Type and Content-Transfer-Encoding as a SHOULD.

Forwarding is, of course, just fine. This one doesn’t suffer from the SPF failure mode, whereby a forwarder will break a signature if it doesn’t rewrite the SMTP MAIL FROM sender address. (Of course, it now has its own new failure modes — the message must be forwarded in a nearly-pristine state.)

The message length to sign can be specified with ‘l=’. This may be useful to protect against the issue where mailing list managers add a footer to a signed message. The draft recommends that verifiers remove any text after the ‘l=’ length, since unsigned trailing text offers a way for spammers to reuse existing signatures. I still have to think about this, but I suspect SpamAssassin could give points for additional text beyond the ‘l=’ point that doesn’t match mailing list footer profiles.

The IIM HTTP-based public-key infrastructure is gone; it’s all DNS, as it was in DK.

The ‘z=’ field, which contains copies of the original headers, is a great feature for filters — we can now pragmatically detect ‘acceptable’ header rewriting if necessary, and handle recovery at the receiver end.
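As an added illustration of the three tags discussed above (‘h=’, ‘l=’ and ‘z=’), here is a small Python sketch; it is not code from the draft, from SpamAssassin, or from the DKIM-Milter/libdkim projects. It pulls the signed-header list out of a DKIM-Signature value, hashes only the first ‘l=’ bytes of a ‘simple’-canonicalised body, and compares the ‘z=’ copies against the headers actually on the message. It is not a verifier: there is no key lookup or signature check, the sample message and signature header are constructed, the tag set is abridged, and SHA-256 is an assumed hash chosen for illustration. What it shows is the ‘l=’ caveat: a footer appended after the ‘l=’ point leaves the body hash, and so the signature, unchanged, which is why a filter wants to know how much unsigned text trails it, and why ‘z=’ lets it spot which headers were rewritten in transit.

```python
import hashlib
import re

# Constructed sample message, not a real DKIM-signed mail.  The signature
# header is abridged (no key, empty b=) and the values are chosen to show
# the h=, l= and z= tags.  Tag names follow the draft; everything else is
# an assumption for illustration.
HEADERS = [
    ("From", "alice@example.com"),
    ("To", "bob@example.org"),
    ("Subject", "[list] demo run"),        # a list manager prepended "[list] "
    ("Date", "Thu, 21 Jul 2005 10:00:00 +0100"),
    ("X-Spam-Checker", "added by a downstream scanner"),  # not in h=, ignored
]
BODY = "Hello Bob,\r\nSee you at the meeting.\r\n"          # 37 bytes, signed
FOOTER = "-- \r\nlist mailing list\r\nhttp://lists.example.com/\r\n"  # appended later
DKIM_SIG = (
    "c=simple; d=example.com; s=mail; l=37;\r\n"
    " h=From:To:Subject:Date;\r\n"
    " z=From:alice@example.com|To:bob@example.org|Subject:demo=20run|"
    "Date:Thu,=2021=20Jul=202005=2010:00:00=20+0100;\r\n"
    " b="
)


def parse_tags(sig_value):
    """Split a tag=value list into a dict.  Folding whitespace is dropped;
    z= encodes real spaces as =20, so this is safe for every tag."""
    tags = {}
    for field in sig_value.split(";"):
        if "=" in field:
            name, value = field.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signed_headers(tags, headers):
    """Return the header fields covered by h=, in h= order.  Fields not named
    in h= (scanner additions, list tags) never enter the signature, and the
    order comes from h= rather than from the message, so an MTA that reorders
    headers does not break it.  Repeated names are consumed bottom-up."""
    remaining = {}
    for name, value in headers:
        remaining.setdefault(name.lower(), []).append(value)
    covered = []
    for name in tags["h"].split(":"):
        values = remaining.get(name.lower())
        if values:
            covered.append((name, values.pop()))
    return covered


def body_hash(body, tags, digest=hashlib.sha256):
    """'simple' body canonicalisation (trailing empty lines collapse to one
    CRLF), then hash only the first l= bytes.  SHA-256 is an assumption.
    Returns (hex digest, the bytes beyond l= that the signature ignores)."""
    canonical = (body.rstrip("\r\n") + "\r\n") if body.strip("\r\n") else "\r\n"
    data = canonical.encode("utf-8")
    if "l" in tags:
        limit = int(tags["l"])
        data, unsigned_tail = data[:limit], data[limit:]
    else:
        unsigned_tail = b""
    return digest(data).hexdigest(), unsigned_tail


def header_changes(tags, headers):
    """Compare the z= copies of the original headers with the headers now on
    the message.  Returns the names whose values were rewritten in transit.
    z= values use =XX escapes for '|', ';' and whitespace."""
    current = {}
    for name, value in headers:
        current[name.lower()] = value          # last occurrence wins
    changed = []
    for item in tags.get("z", "").split("|"):
        if ":" not in item:
            continue
        name, original = item.split(":", 1)
        original = re.sub(r"=([0-9A-Fa-f]{2})",
                          lambda m: chr(int(m.group(1), 16)), original)
        if current.get(name.lower()) != original:
            changed.append(name)
    return changed


def filter_view(sig_value, headers, body):
    """The facts a filter such as SpamAssassin could score on."""
    tags = parse_tags(sig_value)
    digest, tail = body_hash(body, tags)
    return {
        "covered": [name for name, _ in signed_headers(tags, headers)],
        "rewritten": header_changes(tags, headers),
        "unsigned_tail": tail.decode("utf-8", "replace"),
        "body_hash": digest,
    }


if __name__ == "__main__":
    as_sent = filter_view(DKIM_SIG, HEADERS, BODY)
    with_footer = filter_view(DKIM_SIG, HEADERS, BODY + FOOTER)
    # l= truncation makes the body hash identical with or without the
    # footer; the footer shows up only as unsigned trailing text.
    print("same body hash:", as_sent["body_hash"] == with_footer["body_hash"])
    print("unsigned tail: %r" % with_footer["unsigned_tail"])
    print("covered:", with_footer["covered"], "rewritten:", with_footer["rewritten"])
```

The ‘unsigned_tail’ and ‘rewritten’ fields are the two things a scoring rule would key on: trailing text that does not look like a list footer, and rewritten headers outside the set a site considers acceptable.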

Multiple signatures, unfortunately, couldn’t be supported. I can see why, though; it’s a very hard problem.

The ‘Security Considerations’ section is excellent — 9.1.2 uses a very clever HTML attack.

Looks like development of DKIM-Milter, and an associated library, libdkim, are underway.

Given all that, it looks good. It’s not clear how much we can do with DK, and now DKIM, in SpamAssassin, however. It’s very important in these schemes that the message be entirely unmunged, and in most SpamAssassin installs the filter doesn’t get to see the message until after the delivering MTA, or the MDA (Message Delivery Agent), has performed some rewriting. This would cause false positives if we’re not very, very careful.

I hope though, that we can find a useful way to trust DKIM results. It appears likely that they’d make an excellent way to provide trustworthy whitelisting — ‘whitelist_from_dkim’ rules, similarly to our new whitelist_from_spf support. (In fact, we could probably just merge both into some new ‘whitelist_from_authenticated’ setting.)

Massive US bank breaches, and Europe

Security: Adam Shostack has been tracking the immense volume of recent bank disclosures of compromised customer data. Bruce Schneier has also commented, and an interesting question arose in his posting’s comments — why are there seemingly no similar problems with European banks?

One responder points to a WSJ article which broadly misses the point. It discusses the additional layers of security imposed by European banks above the usual username/password combo. This is true; Eurobanks generally have higher security at the ‘front gate’ (I recall Bank of Ireland even issued SecurID-type tokens in its earliest online banking system). However, that does nothing against the ‘insider’ attack, as in the most recent case of these 676,000 accounts, and that is where the article goes wrong.

Bruce Schneier’s take:

Personal data is 1) not collected as widely, and 2) much less valuable as a tool to commit fraud. The second reason is far more important.

I think he’s partially right. Opening new accounts or accessing existing ones in the US often requires little more than an SSN or similar trivial, easily discoverable data that is shared across multiple institutions, and it can be done online; whereas in Europe one needs documentary proof of address and ID, and the act must be performed in person at a bank branch. (This is often exceedingly annoying, of course. ;) In general, identity theft seems to be at a greater level in the US, and I’d guess this is one reason why.

Adam Shostack has another take: these disclosures have all arrived on the heels of California’s SB 1386. It’s very unlikely that these kinds of breaches never occurred before this and suddenly began recently; it’s more likely that they’ve always gone on, but are unreported in Europe (and of course were unreported in the US, pre-SB 1386).

I’d add another point: the US has a large population of targets, with banks sharing financial systems across the entire country. Europe, by contrast, has many individual countries which each have their own set of banks and banking systems, and less interoperability and cross-border data flow. The potential return from ID theft fraud is increased by the larger pool of candidate victims in the US, compared to what an attacker could achieve in each individual European country. This means both that (a) an attack will affect a smaller number of victims in Europe than in the US, and (b) widening the scale of an attack becomes significantly harder when the attacker must deal with new systems. It’s the ‘security monoculture’ issue again, applied to banking instead of operating systems.

Lara Doody Smith

Life: Luke writes:

Lean and I were joined by Lara at 6.10pm on Saturday 28th September. Lara is a little (8lb 7oz, so not _that_ little) girl. And she is gorgeous. Of course.

Congrats! I’ll be dropping in on the three of them next week, looking forward to it…

BBCtorrents and some bits

Television: Tony Bowden: BBCtorrent? ‘Later this month, the BBC will launch a pilot project that could lead to all television programmes being made available on the internet.’ I have my fingers firmly crossed here. This could be really excellent news. Of course, not being located in the UK could make it not-so-easy to actually watch them from here, but the underlying thinking is really cool.

Tech: LayerOne. Weekend conf in LA, with Danny O’Brien — think I might just tag along!

Patents: Posting this here so I can find it in future. Here’s a /. comment saying ‘if it becomes impossible to safely develop software in the US and EU due to patents, innovation will move to India and China’. This isn’t quite true anymore — my response, noting the Brazil/Glaxo/AZT case.

Referrers from IAEA.org

Spam: Ever seen this in referrer logs, and wondered if the International Atomic Energy Agency really had linked to your site? Sourcefrog has.

Of course, it isn’t them. In reality, it’s a spambot called Atomic Harvester 2000. This is how spammers get ‘targeted lists of email addresses’; they throw a couple of search terms into this, it hits Google, and scrapes all email addresses from the pages found. More info:

Google Sets

Web: Google Labs has a nifty toy called Google Sets; name a few items, and it’ll tell you what other items have been seen in conjunction with it.

Of course, the only use I know for it is this search for Blonde and Brunette, which says more about the modern web than we really need to know.

The national ‘Do Not Call’ list

(of the phone variety). I’ve been driven mad by telemarketers, one of the more irritating local innovations (thankfully ‘sales cold calls’ are pretty hard to operate under European privacy laws, so it wasn’t a problem back home).

Well, Congress over here recently passed a ‘do not call’ list, so you could ring up the maintainers and ask for your number to be added, and hey presto, no more phone spam. Well, CalPundit writes:

The federal law doesn’t cover banks, airlines or phone companies or calls made within a state.

Wow. That’s like saying ‘the law doesn’t cover calls made on a day ending in ‘y’.’ In my experience, those companies make 95% of the calls. Great.

Think I’ll stick with the tried-and-trusted ‘ring through to answerphone during the afternoon and early evening’ filter…

DMCA: IP: Using treaties to lock in DMCA enforcement:

On May 6, President Bush and Prime Minister Goh of Singapore signed the U.S.-Singapore Free Trade Agreement (the ‘FTA’). President Bush has termed the FTA ‘the first of its kind’ - apparently meaning that it is the first free trade agreement between the United States and an Asian nation.

But the FTA is also the first of its kind in another sense, as well. It is the first international trade agreement to demand that the signatories implement anti-circumvention provisions similar to those of the hotly controversial Digital Millennium Copyright Act (‘DMCA’).

It’s Naomi Klein meets Slashdot ;) Hopefully it’ll be blocked though, since it has serious domestic results too:

This step will have international, as well as domestic consequences: If Congress approves the FTA, it will not be able to alter the DMCA without violating its obligations to Singapore.

Of course, according to some correspondents, Ireland’s copyright regime (reformed in 2000) quietly inserted its own DMCA provisions. Of course, nobody noticed, except for the legal lobbyists who were hoping this would happen. Doh. Is nowhere safe for freedom-to-tinker these days?

The latest new new thing

the blogs near me. This will, of course, change once I get to the US ;)

DSL can’t be rolled out because of… the weather?

A bit of black humour for you, from the IrelandOffline forums. This is a true story.

“This chap explained to my Dad that one of the main reasons for the slowness of technologies like ADSL getting rolled out in Ireland was because of (hindrances) like the weather … My dad went on to tell him about Canada. …”

“Yer man of course had no answer to this and eventually he gave in and admitted that Eircom are failing in so many areas that he’s actively seeking employment elsewhere. He’s had his fill of being managed by so many different managers and being told different things from different people every day and (every) time he’s tried to be helpful to a customer by bringing the matter up with someone senior he gets fobbed off to some other manager and so on and so forth until in the end he has no option but to give up and just tell the customer there is nothing he can do even though he can do it but not without permission and this permission is impossible to get.”

There’s plenty more like this. “The bad weather in Ireland prevents Eircom from rolling out DSL”. You can only laugh. The best bit is, of course, that DSL is basically a modem and a few DSLAMs installed in the exchange.

Maybe that’s why it’s a problem? Could be Eircom forgot to install a roof on their exchanges, and telco equipment typically is not at its best when fully exposed to the elements. Sounds likely enough to me…

greenish foul-smelling gravy

While trekking in Nepal, I had a copy of the Lonely Planet Guide to Trekking in the Himalayas, borrowed from our mates Caolan and Barbara. It was especially notable for its incredible medical section, which contained lots of info on what drugs to use to treat various diseases, described symptomatically (of course, in most of the world, most of the common illnesses boast symptoms similar to “I have greenish foul-smelling gravy squirting from both ends of my body”. But it’s good to be able to tell them apart).

It was also notable because anyone who had a copy knew all about altitude sickness, and was indescribably paranoid. The ones who were charging up the trails as fast as they could generally did not have a copy, and no doubt half of them came back down again in slightly nasty circumstances.

Anyway, it was the best medical info I’ve ever read. Reading the paper today, I came across a reference to e-med.co.uk, which claims to be medical info, including treatment details, for people who might be far away from a doctor. The perfect resource for a know-it-all who doesn’t want to spend money and time on a doctor, just to be told to go home and take an aspirin! Unfortunately it seems to be a “consultation by email” service, rather than “look it all up” one. Ah well.

Caolan and Barbara should be somewhere around Oz by now. I must see if I can dig up the URL of their travelogue site, it’s great fun.

FormMail && !NMS == bad

Looks like some spammer has read the FormMail advisory I co-wrote with Ronald F. Guilmette; expect to see more spam where the spam message appears before the “Below are the results of your feedback form” line.

Of course, SpamAssassin catches this anyway. ;)

(Untitled)

Checking out the logs and stats for this site, I notice that a google search for “jennifer aniston nipples” is one of the main referrers. It is, of course, a hit to this page, the fake-nipples story. Sex (or nipples, at least) brings hits!
