US-CERT warns DKIM email open to spoofing

US-CERT has issued a warning that DomainKeys Identified Mail (DKIM) verifiers that use low-grade encryption are open to being spoofed and need to be upgraded to combat attackers wielding contemporary quantities of computing power. You might think this is no big deal – after all the value of strong cryptography has been …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    So...

    Did he get the job?

    1. Anonymous Coward

      Re: So...

      No, but as a consolation prize, he can look forward to a subpoena.

      1. Dave 126 Silver badge

        Re: So...

        Peter Sellers got his first BBC job by impersonating one senior producer on a telephone call to another:

        "I've heard of the great young man called Peter... he could be jolly good in our new line of programmes..."

        1. Robert Helpmann??
          Childcatcher

          Re: So...

          "Peter Sellers got his first BBC job by impersonating one senior producer on a telephone call to another..."

          Pointing to the vulnerability least likely to be patched: the end user.

          Thinking on that, how could one patch an entire user base? Boot to the head?

      2. Anonymous Coward

        A subpoena for what?

        It's not against the law to spoof an e-mail

        ...and it's not like he was linking them to a site hosting exploit code designed to compromise their machines.

        1. NumptyScrub

          Re: A subpoena for what?

          quote: "It's not against the law to spoof an e-mail"

          Arguably fraud? Also, I am unsure where the various computer misuse type legislation stands regarding deliberately factoring Google's 512-bit key, when the content is "just" an email, but the intent is to enable spoofing of a "secured" email domain.

          I can see an unlucky person facing criminal charges, given just how far-reaching some of the computer misuse legislation can be :(

          1. Tom 13

            Re: A subpoena for what?

            Fraud subpoena maybe, court trial doubtful.

            Given his field, his reasons, and his actions, I don't think it rises to the level of "meant to deceive" required by fraud. He does appear to have been wrong in his initial assumption that it was a creative recruiting technique, but given that assumption, his response seems reasonable if unorthodox. Of course his biggest protection is that he performed other research and reported it to CERT.

            Absent those, yeah, subpoena and time in the pokey would likely be in order.

            DMCA angle is a tough call. It would certainly be easy enough to file the charges. But in this case because of the way the fraud charges would work, I think there would be as much risk to DMCA as there is to him. Oh, the initial trial might be a slam dunk for the prosecution, but the inevitable appeal might get DMCA declared unconstitutional.

            1. Anonymous Coward

              Re: A subpoena for what?

              Fraud - in the US at least - is an intentional deception made for gain or to damage someone else. Self promotion could, on a stretch, be seen as an attempt for gain but that argument is, IMHO, a stretch. According to the Wikipedia definition I think this would be categorized as a hoax.

              DMCA *should* be limited to DRM cryptography used to protect copyrighted material. I'm not sure I can see any copyright angle here, and I am not aware of any cases where DMCA has been used with no copyright angle whatsoever... which would make this, IMHO, also a stretch.

              I do seem to recall a case of Facebook impersonation (person X logged in as person Y and did bad things) being pursued as ID Theft... and I'm not sure how it ended up. Maybe that one?

  2. ratfox
    Pint

    Sickest job interview I heard of

    Congrats to the man!

  3. mhenriday
    Big Brother

    « "... But the government of Iran probably could,

    or a large group with sufficient computing resources could pull it off," he warned.» Not to mention the government of the country in which Mr (Dr ?) Harris resides....

    Henri
