Monday, June 27, 2011

.

Premier[e]

At Westchester County Airport (HPN), there are (among others) the following two ads:

Tranquility Spa
Westchester’s premiere day spa.

Dominican Sisters Family Health Service
New York’s premier visiting nurse service.

Never mind, for the moment, the pretentious use of premier — we’re talking about (mostly) affluent Westchester County, NY, after all. But note that the Dominican Sisters got it right, and the day-spa folks blew it:

Premier refers to the best of something, the leading example.

Premiere refers to the first, not the best. And even if premiere were what they meant, its use in this context would be odd. One might refer to a premiere offer for their opening day, but this just doesn’t work.

Someone obviously did not use the premier advertising agency.

Saturday, June 25, 2011

.

New York Allows Same-Sex Marriage, Becoming Largest State to Pass Law

Yesterday, the New York State Senate approved the bill, 33 to 29.

ALBANY — Lawmakers voted late Friday to legalize same-sex marriage, making New York the largest state where gay and lesbian couples will be able to wed and giving the national gay-rights movement new momentum from the state where it was born.

It’s about time!

Tuesday, June 21, 2011

.

Misconceptions about DKIM

I chair the DKIM working group in the IETF. The working group is finishing up its work, about ready to publish an update to the DKIM protocol, which moves DomainKeys Identified Mail up the standards track to Draft Standard.

DKIM is a protocol that uses digital signatures to attach a confirmed domain name to an email message (see part 7, in particular). DKIM started from a simple place, with a simple problem statement and a simple goal:

  • Email messages have many addresses associated with them, but none are authenticated, so none can be relied on.
  • Bad actors — spammers and phishers — take advantage of that to pretend they are sending mail from a place (a domain name) the recipient might trust, in an attempt to fool the recipient.
  • If we can provide an authenticated domain name, something that’s confirmed and that a sender can’t fake, then that information can be used as part of the delivery system, as part of deciding how to handle incoming mail.

It’s important to note that mail signed with DKIM isn’t necessarily good mail, nor even mail from a good place. All we know is that mail signed with DKIM was digitally signed by a specified domain. We can then use other information we have about that domain as part of the decision to deliver the message to the user’s inbox, to put it in junk mail, to subject it to further analysis or to skip that analysis, and so on.

Domain example.com signed this message, is just one of many pieces of information that might help decide what to do.

But some people — even some who have worked on the development of the DKIM protocol — miss the point, and put DKIM in a higher position than it should be. Or, perhaps more accurately, they give it a different place in the email delivery system than it should have.

Consider this severely flawed blog post from Trend Micro, a computer security company that should know better, but doesn’t:

In a recently concluded discussion by the [DKIM Working Group], some of those involved have decided to disregard phishing-related threats common in today’s effective social engineering attacks. Rather than validating DKIM’s input and not relying upon specialized handling of DKIM results, some members deemed it a protocol layer violation to examine elements that may result in highly deceptive messages when accepted on the basis of DKIM signatures.

The blog post describes an attack that takes a legitimately signed message, alters it in a way that does not invalidate the DKIM signature (taking advantage of some intentional flexibility in DKIM), and re-sends the message as spam or phishing. The attacker can add a second from address, and appear to the user to be from a trusted domain, though the DKIM signature is not.

The attack sounds bad, but it really isn’t, and the Trend Micro blog’s conclusion that failure to absolutely block this makes DKIM an EVIL protocol (their words) is not just overstated, but laughable and ridiculous. It completely undermines Trend Micro’s credibility.

Here’s why the attack is overstated:

  1. It relies on the sender’s ability to get a DKIM signature on a phishing message, and assumes the message will be treated as credible by the delivery system.
  2. It ignores the facts that delivery systems use other factors in deciding how to handle incoming messages and that they will downgrade the reputation score of a domain that’s seen to sign these sorts of things.
  3. It ignores the fact that high-value domains, with strong reputations, will not allow the attackers to use them for signing.
  4. The attack creates a message with two from lines, and such messages are not valid. It ignores the fact that delivery systems will take that into account as they score the message and make their decisions.

Apart from that, the blog insists that the right way to handle this attack would be to have DKIM go far beyond what it’s designed to do. Rather than just attaching a confirmed domain name to the message, DKIM would, Trend Micro says, now have to check the validity of messages during signature validation. Yes, that is a layer violation. Validity checking is an important part of the analysis of incoming email, but it is a separate function that’s not a part of DKIM. All messages, whether DKIM is in use or not, should be checked for being well-formed, and deviations from correct form should increase the spam score of a message. That has nothing to do with DKIM.

In fact, the updated DKIM specification does address this attack, and suggests things that delivery systems might do in light of it. But however good that advice might be, it’s not mandated by the DKIM protocol, because it belongs in a separate part of the analysis of the message.


Others have also posted rebuttals of the Trend Micro blog post. You can find one here, at CircleID, and look in the comments there for pointers to others.

Friday, June 03, 2011

.

Trusted identities

The U.S. Postal Service (USPS) now has a way to do a change of address online, on their web site. Nicely, it’s even all using https (SSL/TLS), keeping it encrypted, which is good.

On the first page, you select whether it’s a permanent change or a temporary one, and specify the dates.

On the second page, you select whether the change is for an individual or a whole family.

On the third page, you give the old and new addresses.

On the fourth page, you get this:

For your security, please verify your identity using a credit card or debit card. We’ll need to charge your card $1.00.
[? Help]

To prevent Fraud, we need to verify your identity by charging your card a $1.00 fee. The card’s billing address must match your current address or the address you’re moving to.

If you click the ? Help link, here’s what it tells you:

Identity Verification — Credit/Debit Card

In order to verify your identity, we process a $1 fee to your credit/debit card. The card’s billing address must match either the old or new address entered on the address entry page. This is to prevent fraudulent Change of Address requests.

Please note that the Internet Change of Address Service uses a high level of security on a secure server.

I have a few problems with this:

  1. They’re asking for credit card information in a transaction where no one expects it. They’re assuring you that it’s secure, but how does one know? This is a classic phishing tactic.
  2. They’re assuming you have a credit card to give them. Lots of people don’t have credit cards. I know some.
  3. They’re charging you a dollar to change your address online, a mechanism that’s surely cheaper for them than to have you walk into the post office to do it. That’s nuts.

To be sure, they do have to do something to make sure that people don’t change each other’s addresses as pranks, or worse. But do they really need to charge you a dollar for it? They could make a charge and then rescind it. They could give you an alternative to use a bank account, and verify it the way PayPal does, by making a withdrawal of a few cents and then depositing it back. That would also help for people who have no credit cards, but do have bank accounts — still not everyone, but it’s something.

Or you can just say, Eff this; I’m not giving the post office my credit-card information and paying them a dollar for what I can do for free, and then go into the office and waste a clerk’s time on it.

This is why there are proposals for secure identity verification. The U.S. National Institute of Standards and Technology (NIST) has an initiative called National Strategy for Trusted Identities in Cyberspace (NSTIC) that covers this sort of thing. Whether or not NSTIC is the right answer, we need to get to where we have this kind of verification available, without having to hack the credit-card system for it.

Thursday, June 02, 2011

.

What are people searching for?

I had a conversation with a friend the other day, a piece of which went like this:

Friend: Do you know who Contessa Brewer is?

Me: Is Contessa her name, or is she some kind of royalty?

Friend: She’s a news anchor on MSNBC.

Me: No, never heard of her.

I don’t watch MSNBC, you see. I don’t eschew it purposefully, but I just don’t happen to watch it. So later, when I had a chance, I did a Google image search to see what she looks like, and whether I might have seen her after all. I haven’t.

But here: Google image search shows me, at the top of the search results, some related searches to the one I made. I’d searched just for the name. Here were the related searches, which I presume are ordered by popularity:

contessa brewer legs
contessa brewer msnbc
contessa brewer cleavage
contessa brewer bikini
contessa brewer body

She’s a news anchor, but all most men want to do is see her legs and cleavage.

Men are such pigs. Damn, but it makes me embarrassed to be one.