And to continue the brain fart, I completely missed that we should generate the header's "key" entry using a private key and some data in the header, like the SMTP id or similar ilk.
Browsers should make this distinction. You never want to enter a credit card number into a site that only has a class 3 cert. You have no idea where your money is going.
Perish the thought. You realize how much that would run up the operational costs of fly-by-night hosting services? They might just switch to self-signed certificates (those drive me nuts).
I believe that helps to illustrate one of my points, that the creation of the "instant SSL" certificates and subsequent proliferation did dilute the value of an SSL certificate as an implement of secure identification. And lumping the second category in with the third then would definitely push the higher-end EV SSL agenda.
Yeah, that is about right. For the most part your server's Received header is the most trustworthy. In fact, some automatic blocking systems which scan through the Received headers to extract lists of "bad" servers could be tricked into blocking legit servers by way of forged headers. Nasty affair. I am waiting until we see the advent of a header verification system which would use something like domain keys to validate Received headers.
Something along the line of
Received: from user (isp-user-dynamic-ip.isp.com [224.167.1.89])
by outbound.isp.com (8.14.1/8.14.1) key=BBehiuo18aXo with SMTP id...
or similar. A quick check of the TXT record for outbound.isp.com returns the complement key so the header validates.
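The signed Received header sketched above, worked through as an added example that is not the poster's code: the relay signs the by-host, SMTP id and from-clause with an Ed25519 private key and carries the signature in the key= token; the receiver verifies it against a public key that stands in for the TXT record lookup. The key= syntax, the TXT record name, and every host, address and message id are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// receivedHeader holds the Received: fields the relay signs (constructed for this example).
type receivedHeader struct {
	FromHost string // connecting client as the relay saw it
	ByHost   string // relay that added the header, e.g. outbound.isp.com
	SMTPID   string // the relay's message id
	Key      string // base64 signature carried in the hypothetical key= token
}

// canonical is the signed string: by-host binds it to the signer, the SMTP id makes it per-message.
func (h receivedHeader) canonical() []byte {
	return []byte(strings.Join([]string{h.ByHost, h.SMTPID, h.FromHost}, "\n"))
}

// format renders the header the way the post sketches it.
func (h receivedHeader) format() string {
	return fmt.Sprintf("Received: from %s by %s (8.14.1/8.14.1) key=%s with SMTP id %s", h.FromHost, h.ByHost, h.Key, h.SMTPID)
}

var receivedRe = regexp.MustCompile(`^Received: from (.+) by (\S+) \([^)]*\) key=(\S+) with SMTP id (\S+)$`)

// parseReceived extracts the four fields from header text.
func parseReceived(line string) (receivedHeader, error) {
	m := receivedRe.FindStringSubmatch(line)
	if m == nil {
		return receivedHeader{}, errors.New("header carries no key= token")
	}
	return receivedHeader{FromHost: m[1], ByHost: m[2], Key: m[3], SMTPID: m[4]}, nil
}

// signReceived is the relay's side: sign the canonical fields with its private key.
func signReceived(h receivedHeader, priv ed25519.PrivateKey) receivedHeader {
	h.Key = base64.RawStdEncoding.EncodeToString(ed25519.Sign(priv, h.canonical()))
	return h
}

// txtRecords stands in for DNS: relay host -> base64 public key in a TXT record (record name hypothetical).
type txtRecords map[string]string

// verifyReceived is the receiver's side: fetch the by-host's published key and check the signature.
func verifyReceived(line string, dns txtRecords) error {
	h, err := parseReceived(line)
	if err != nil {
		return err
	}
	pubB64, ok := dns[h.ByHost]
	if !ok {
		return fmt.Errorf("no TXT key for %s: header unverifiable", h.ByHost)
	}
	pub, err := base64.RawStdEncoding.DecodeString(pubB64)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("malformed TXT key for %s", h.ByHost)
	}
	sig, err := base64.RawStdEncoding.DecodeString(h.Key)
	if err != nil {
		return errors.New("malformed key= token")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), h.canonical(), sig) {
		return fmt.Errorf("signature by %s does not match the header: forged or altered", h.ByHost)
	}
	return nil
}

// demo verifies a genuine header, one with a rewritten from-clause, and one naming a relay with no key.
func demo() (genuine, tampered, unknown error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand, whose Reader does not fail
	dns := txtRecords{"outbound.isp.com": base64.RawStdEncoding.EncodeToString(pub)}
	h := signReceived(receivedHeader{
		FromHost: "user (isp-user-dynamic-ip.isp.com [224.167.1.89])",
		ByHost:   "outbound.isp.com", SMTPID: "m7Hq2ABC123"}, priv)
	genuine = verifyReceived(h.format(), dns)
	forged := h
	forged.FromHost = "user (legit-mail.example [192.0.2.10])" // blame shifted to an innocent host
	tampered = verifyReceived(forged.format(), dns)
	rogue := h
	rogue.ByHost = "relay.nowhere.example" // claims a relay that publishes no key
	unknown = verifyReceived(rogue.format(), dns)
	return
}

func main() {
	g, t, u := demo()
	fmt.Printf("genuine: %v\ntampered: %v\nunknown relay: %v\n", g, t, u)
}
```

A blocklist builder would treat only the first case as trustworthy; the other two are rejected or left unscored rather than acted on, which is what stops a forged from-clause from getting a legit server blocked.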
So, in the end the end user's IP address from his or her email headers is as useless as the IP address given by whatismyip.com. My point was just one less step to confuse the potential victim, because then all you get is emails asking for help going to whatismyip?.com and you waste your time supporting rather than scamming.
I see your point, and I disagree with the basis of the argument.
Before any of what you mention there was the telephone, mail, fax machines, and more. Fraud schemes abounded long before phishing as we know it today, but the principles were the same: find some way to extract enough useful information from the mark. Phishing is the technological evolution of social engineering, and on a grand scale.
Additionally, in the past when scam spam was rampant, the thought of a botnet was just barely formulated. Such emails were blasted out via open relay mail servers, poorly programmed web forms, free email services, off-shore hosting, and the like. I will not argue that the botnets have not made sending the emails exceptionally easy and avoiding them exceptionally difficult, not for a second, and will cede that without the botnets the flood would be a lot more shallow. I simply cannot subscribe to the notion that Windows botnets are completely to blame for Internet fraud.
Until I see reliable data which breaks down phishing victims based on operating system and browser, I reject the notion that any one group is responsible for the existence of the phishing problem. Except for the criminals who have mastered and continue to develop its attacks.
And thusly, we purchase a service from PayPal MegaCorp and expect it to take the measures it deems necessary to protect the service it provides. The bottom line is simple: this is PayPal's business, it is PayPal's right to choose how to operate it, and we can take our ball and go home. And considering how many people think PayPal is evil, anyway, this should come as neither a surprise nor a disappointment.
But I still stand firm that people are to blame for the lack of security on the Internet. The telephone, the radio, the television, the tabloids, the newspapers, books, and so on were all considered at one time a method of mass disinformation, and some still are to a lesser extent. Why else would we have phrases in our lexicon like "you can't believe everything you read/see on TV/hear on the radio"? Because people are willing to throw caution to the wind. We are more apt to scrutinize and discriminate against information people may throw at us in person, face-to-face, but as soon as the information is put into some form of communication medium, we lose our senses.
We know the guy on the street corner in New York is not selling real Rolex watches; we know the fella that chats you up on the bus is not legitimately selling prescription medications. Even so, we are more apt to believe that these things are available on web sites, because we have it drilled into us that the world is at our fingertips, everything can be found on the Internet.
If you want to get down to brass tacks and point fingers, WE are to blame for the folly of those who surround us. Yes, WE are to blame. Because WE chose to learn and understand and ignore the plight of those who have not. WE are the shop class instructors letting the uninformed use the table saw without proper instruction and then blaming them when they lose fingers. It is our responsibility to educate and inform others why what they are doing is wrong -- and in many cases we even get paid for doing so.
And I do not mean that using Windows is wrong, but that clicking on email links without thorough scrutiny -- or even at all -- is wrong; that blast-forwarding unconfirmed rumors is wrong; that not understanding that the bank will never send an email and tell you to go to a site and enter all of your vital statistics (and if it does, then you should run like hell anyway); that the use of semicolons is ill-advised.
I find it amusing that some of us will take the "duty" to throw out Mom and Dad's Windows PC and replace it with a Linux or Mac box, then walk away pleased with ourselves over the "service" we have just done. When, in fact, the "service" we should be providing is education. It does not matter in front of what box Mom and Dad sit, without the proper knowledge, they are still vulnerable to phishing schemes and exploits.
Really, these so-called idiots out there are mostly just uninformed. Some non-BOFH-type PFY handed them a computer at the WorstBuy, CompUSELESS, or Radio Shanty, without taking the short amount of time it takes to instill a small bit of cynicism over unsolicited or unexpected information and requests. There were no pamphlets at the store explaining how email can be as dangerous as a phone call from "your phone company" or "your bank." Most of these people CAN be taught and guided.
And the ones that cannot will be eliminated one way or another, but of course not before making complete and utter asses of themselves.
No more than we walked away from the telephone, fax machine, and postal mail. I simply found folly in your statement that the whole phishing thing was Microsoft's fault. Put blame where responsibility falls, on people who manage important data.
If you want to try a new conspiracy on for size, maybe this is also a chance to try to push the use of EV SSL certificates.
I have attended several of the webinars and read a number of the white papers on EV SSL certificates, and I am not completely sold on the usefulness.
Sure, thorough validation of a requester's right to purchase an SSL certificate is a good idea. That should be done already for any SSL purchase, but it is and will not be done because it makes the process too difficult, time consuming, and expensive. Well, too expensive for GoDaddy to sell a $20 certificate and thoroughly validate it, but for the $350+ Verisign certificates? Please...
More to the point, older browsers showed a lock icon which indicated the site was secure. With the ease of SSL certificate purchases that quickly became less important because even phishing sites can have valid certificates. The EV SSL scheme is to put up a BIG GREEN BAR with the issued company's name in it. Why not just do that anyway? Those notification bars that come up when a pop-up is blocked, or an ActiveX control wants to install, or a file wants to download; how about using that to show critical information in the certificate, like the CN?
Sure, the URL says www.paypal.com, but the certificate CN says "www.phishingurinfoz.ru".
But then, I suppose a little Java and no protection of that particular window element could lead to a phalse display.
Windows is not to blame for the phishing problem, PEOPLE are. Phishing has been around a lot longer than Windows and Internet Explorer, it was just a lot lower-tech and could not be perpetrated quite as fast.
That *is* funny. Though I have never had this experience with Exchange 2003 at any site I've managed over the past five plus years. In fact, our Exchange 2003 installations have remained rock-solid and stable. These installations range from five people to over 50. Very happy with the performance and stability.
That is not to say that I have not seen Exchange 2003 tank. It happened recently to a colleague running on Windows 2000 Server. Lost his mail store.
But there are arguments on both ways of doing things: separate databases or files for mailboxes, or one monolithic mail store. I have seen uw-imap and QPopper eat mailboxes -- stuff happens sometimes. ::shrugs::
But that is why we are administrators, because the technology is not flawless.
You are a lot of fun. I appreciate you pulling out the quarter words. I really feel more inferior than before, and now have a touch of intimidated as well.
How do you expect to educate others to properly sway them to your side and to understand your perspective? Crack-pots like you are the most harmful to your cause because all you do is scream and froth at the mouth. But thanks anyway.
Can you tell me exactly of which wrongs you speak? Please, you present an interesting argument but have not provided any examples or facts to support it. If not, then please go troll somewhere else.
Frankly I've never used a "search" I just fire up my Intarweb close out a couple of advertisements and today's news then a couple more advertisements then another then spend some time changing my passwords on my bank accounts because my bank says they had to lock my account (thank goodness they're looking out for me because I didn't even remember about my account with the National Bank of Zimbabwe and I know its really secure because they ask for so much of my personal information to prove its me) and I am also lucky enough to get most of the shopping I need done from the mail in my Inbox (I haven't had to go to the store for medicine or vitamins or butt paste in ages) then type something into the "keyword" box and I get what I need but if it doesn't show anything then I figure it doesn't exist or I really didn't need it anyway.
It could be that, but none-the-less she is not going to have sex with you for one of two reasons: either you called her out and now she is angry because she was so easily outed and it makes her seem like a whore, or that she was trying to leverage sex against you somehow and you called her bluff.
Either way, you go home alone.
Of course, that is assuming that she was trying to conceal intent. We know there are plenty of women out there who mince absolutely no words on their intent to drag you back to their lairs, hang you upside down, and deposit eggs in your abdomen. (Where is that from, anybody?)
This will be very satisfying. I've had so many people tell me they absolutely HATE Vista, but they're stuck with it when they bought their new computer. They frequently ask me to put XP on, no matter what it takes (buy it, hack it, put their mothers key on). This is a very good point, and I am sacrificing my mod points by commenting here:(
Anyway, I see this happen with Windows 98SE quite a bit. Some old machines run perfectly well; for example, a 233MMX system with 128MB RAM with plenty of longevity cannot run Vista, let alone XP SP2. When this machine is relegated to nothing more than print server, POS, or work which would not take it onto the Internet, I will see Windows 98SE installed with a hacked or "borrowed" key, and it runs perfectly and does everything the user needs. And nobody gives it a second look because Windows 98SE is perceived as perfectly functional in the context of what the user wants out of it. More staunch security advocates would prefer to pirate Windows 2000 on such a box, and again the perception of the situation is dead-on. But whichever gets used, updates are no problem since the unofficial Windows 98SE Service Pack is available, as well as several similar post-SP4 Roll-up cluster updates for 2000.
Just a thought, my first Windows XP machine back at release was a 233MMX with 192MB RAM, and it ran surprisingly well. Those specs would not cut it today.
The same will happen with Windows XP once it leaves the marketplace. Although then it will not be as easy to "borrow" a Windows XP key since it requires online activation. Then an installer will have to hack the activation but, from what I understand, this is a trivial process. SP3 might change the game a little, but negligibly.
And talking about old operating systems, I took a moment this weekend to have a laugh while I was working on my internal network server upgrading the tape drive. It is an AMD K6-III/400 with 128MB RAM and 20GB IDE drive, and provides DNS, DHCP, and outbound SMTP for my home network. I built this as a study in small network management and it became permanent after I just could not kill the bugger, even with the now defunct experimentation installs of Apache and MySQL. Here is the startup banner:
Sun Microsystems Inc. SunOS 5.8 Generic February 2000
Eight years later and still rockin' strong. And I can still get cluster patches from Sun. Had I invested money in this box, I would definitely feel I saw a return on the investment over the past eight years, and I certainly would not feel like I am getting monkey-fondled to have to retire the hardware in favor of a new operating system (I drool over Solaris 10 x64.)
Not like a machine which is only two to three years old and has to be massively over-hauled or replaced just to run Vista.
I think I have said this before on /., and I feel compelled to say it again. With Windows XP and Windows Server 2003, there was more of a cozy, fuzzy feeling with Microsoft. It was like they listened to us. Server 2003 was touted as being more legacy capable to appease those not yet ready to lose on hardware investments, and I proved this by running it on a customer's 200MHz Pentium Pro with 128MB to support a five workstation office. Windows XP initially was very similar in its legacy machine support, driver issues aside.
Vista feels like Microsoft just told us to go phuq ourselves.
I am in the process of completing my migration to Windows XP x64 now that I have a 64-bit capable dual-core machine. I love it. Every piece of hardware has a driver and it is peppy and responsive, seemingly more so than XP 32-bit. I believe we should have been at 64-bit computing a decade ago, but Intel has kept beating the 25 year-old 32-bit horse well beyond death. Given both, I take a moment to ponder on how Vista x64 performance compares to Vista 32-bit, and think that perhaps I can give it a try sometime.
Of course, all things considered, Vista is still the desktop equivalent of the phone tree, and still frustrating to navigate and get things done. I hope for better from Windows 7.
Ugh, more painful thinking.
Rise up machines, because humans are the weakest link! heheheh
No, good point. And the idea would need to be refined even more.
You know, maybe we can sue the font-setters who made Courier New's l look like 1.
Now I have to think of a better way, and I have a headache already. Thanks!
Just a quick brain-fart.
Excellent point. Keep collecting mod points...
Obviously IQ tests are not required to use the Internet, nor have children, nor drive, etc.
Or just send a reply email and we can dig it out of your headers.
Official Doc Ruby Comment Response Generator(tm). Pick one from below and press Submit:
() I know you are, but what am I?
() I'm rubber and you're glue...
() Your mom!
[SUBMIT]
I have no blood on my hands.
I'm fine with oil companies making big margins. A good bit of my retirement is invested in them.
And you are?
LOLZ
Bah. In the words of Bill the Cat, thppppppppppptd.
That was a good episode, BTW.