12 posts • joined 9 Apr 2012
It's good for people to realize what is actually happening with their mail. Most don't and tech companies abuse this by giving us half solutions. Anyway, in my opinion, using TLS on all connections will at least make it much harder to do wholesale mass surveillance. It's pretty cheap to implement and pretty expensive to crack.
Anyway, meanwhile, people think of new alternatives such as Mailpile. Check it out.
SMTP connections are (often) still unencrypted
Lately I have been trying to figure out whether the connection between Yahoo's mail servers and the recipient's mail server is encrypted. It seems that in most cases it is not using TLS, thus unencrypted, a.k.a. plain text. I'm not quite sure what causes it to sometimes use TLS and sometimes not. It might be that no common cipher can be negotiated. Or that Yahoo has many servers which are not all configured in the same way.
You can test yourself by sending email to/from your Yahoo mail with another email account and then check the mail headers. How to view those depends on your mail client. In Yahoo mail you can do it by clicking on "More" below the email and then choose "View Full Header". In Outlook view the Message Options box. In Thunderbird press ctrl-U. Google for others.
You will see several "Received:" headers which will show the path of the nodes your email passed by (in reverse order). Now look for the top most (usually) "Received:" header where the mail is handed over from the Yahoo mail server to your ISP's mail server (or vice versa). There will be something like "with ESMTPS" or "with SMTP". The second S stands for secure. So ESMTPS is good, SMTP is bad.
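As an added example (not part of the post above, and not anyone's published tool), here is a small Python script that does the check the post describes for every hop at once: it unfolds a pasted "full header" block, walks the "Received:" headers top-down and classifies each hop by its RFC 3848 "with" keyword (ESMTPS / ESMTPSA mean TLS, ESMTP / SMTP / ESMTPA do not). The header block, hostnames and IP addresses are constructed for the example.

```python
import re

# Constructed sample: a raw header block as shown by "View Full Header".
# Hostnames and addresses are made up; the middle hop is a plaintext handover.
SAMPLE_HEADERS = """\
Received: from mta7.example-isp.net (mta7.example-isp.net [192.0.2.10])
\tby inbox.example.org (Postfix) with ESMTPS id 4F3C2A1
\tfor <alice@example.org>; Mon, 14 Oct 2013 10:12:01 +0000
Received: from nm12.bullet.mail.example-yahoo.invalid (nm12.bullet.mail.example-yahoo.invalid [198.51.100.7])
\tby mta7.example-isp.net (8.14.4) with SMTP id r9EAC0xx
\tfor <alice@example.org>; Mon, 14 Oct 2013 10:11:58 +0000
Received: from [10.0.0.5] by web120501.mail.example-yahoo.invalid via HTTP; Mon, 14 Oct 2013 10:11:55 +0000
From: bob@example-yahoo.invalid
To: alice@example.org
Subject: test
"""


def unfold_headers(raw):
    """Join folded continuation lines (RFC 5322 section 2.2.3) into one line per header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


FROM_RE = re.compile(r"^Received:\s*from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)")
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")


def classify_with(keyword):
    """Map an RFC 3848 'with' keyword to 'tls', 'plaintext' or 'unknown'.

    Registered values are SMTP, ESMTP, ESMTPA, ESMTPS, ESMTPSA (plus UTF8SMTP
    variants): an 'S' after the protocol name marks a TLS-protected hop,
    an 'A' only marks an authenticated one.
    """
    k = keyword.upper()
    for prefix in ("UTF8SMTP", "UTF8LMTP", "ESMTP", "LMTP", "SMTP"):
        if k.startswith(prefix):
            return "tls" if "S" in k[len(prefix):] else "plaintext"
    return "unknown"


def received_hops(raw):
    """Return one dict per Received header, most recent hop first."""
    hops = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        m_from, m_by, m_with = FROM_RE.search(line), BY_RE.search(line), WITH_RE.search(line)
        keyword = m_with.group(1) if m_with else None
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "with": keyword,
            "transport": classify_with(keyword) if keyword else "unknown",
        })
    return hops


def plaintext_hops(raw):
    """The hops on which the message travelled without TLS."""
    return [h for h in received_hops(raw) if h["transport"] == "plaintext"]


if __name__ == "__main__":
    for i, hop in enumerate(received_hops(SAMPLE_HEADERS)):
        print(i, hop["from"], "->", hop["by"], hop["with"], hop["transport"])
```

Paste your own header block in place of the sample; a hop whose Received header carries no "with" keyword at all (webmail submission over HTTP, for instance) is reported as unknown rather than guessed.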
First he wanted to double the number of sysadmins to make it more secure. Now he wants to get rid of 90% of them. I guess someone whispered in his ear that it would be cheaper.
Well, I have an even better solution: why don't you decrease your world-wide data vacuuming by 90% (and actually do what your agency is supposed to do). This has several advantages:
- cuts costs
- you don't break the law
- 90% less chance of leaks
- you don't piss everyone on Earth off so much
It's beyond me why companies involved in top secret research and military don't update software that is used throughout all of their offices and has vulnerabilities that are rated "critical" or "severe" and contain words like "remote code execution".
So yeah, let's continue building multi-billion dollar/euro cyber armies and buy multi billion dollar/euro cyber security products, while all we need to do is:
- right click blinking icon in bottom right corner
- press Update Now
- press Next
- press Finish.
These 20 controls are common sense and obvious and should be required for ANY company or government to implement that is in any way connected to the internet. It worries me these telcos can't or won't implement it. Most likely it was just the legal department talking, to prevent litigation by customers for not implementing it. Anyway, they suck.
Re: super-phishing emails threatens biz
All the scary security news of the last few years comes from marketing departments of security firms. Firms like Symantec and McAfee pump out these things on a daily basis. I think news sites should start to filter this kind of "news".
Doesn't spear-phishing imply it's a very targeted attack with personalised emails? Sending so many messages to so many companies sounds more like regular phishing.
Since we will never solve the problem of users being misled and tricked to click a link, when will there be software that doesn't cause your computer to be p0wned only by clicking on a link?
More critical reading is needed
The evidence linking hackers to a government or to a certain group is very thin or non-existent. What seems to be happening is that all of the thousands of hacks that happen every day are grouped into categories, then labeled as being from a common source.
All this is being done by governments with political agendas, soon-to-be-unemployed army generals looking for the next war and security vendors with gear/services to sell.
I take all this with a grain of salt. Meanwhile, all these companies moaning about being attacked are wise to teach their employees not to get caught in phishing attempts, install the latest patches on *all* of their equipment and start using encryption a little bit more (anyone using S/MIME or PGP?).
Not hard evidence
I have read the report and I don't see much hard evidence. There are a lot of facts in the report, but how they are linked together or where the facts come from stays a mystery. Not much substance and some dubious assumptions, in my humble opinion.
For example, how do they link the attacks to PLA's Unit 61398?
- They found that all attacks come from 4 /16 IPv4 net blocks (a total of 262k addresses), all owned by China Unicom. China Unicom is the 3rd largest telco in the world, with 273 million (!) customers in 2008.
- Then they link the netblocks to a city, Shanghai (the largest city in China, population of 23 million).
- Next they conclude that because the office of the Unicom engineer listed as contact person for the netblock is in the Pudong area
- The PLA Unit 61398 is also in the Pudong area
- Hence the IP addresses must belong to the PLA and are the source of the attack
Let me translate this into English:
- Suspect IP address belongs to a netblock owned by BT and is used in greater London area
- The BT engineer's office is in the centre of London according to whois
- MI6 is in the centre of London
- Hence the attack came from MI6.
I had the same question
I have often wondered why there aren't any big sites using DNSSEC. Sure, it's a little complicated for the average Joe. But it must be a piece of cake for big banks and e-tailers that already have large IT departments and millions worth of infrastructure. They have the resources to have a guy or 2 or 3 devote themselves to DNSSEC and just implement it.
Why don't we just take Iran's IPv4 addresses?
An American lobby group, United Against Nuclear Iran (UANI), is seriously pressuring RIPE (and ICANN) into cutting Iran off the internet. That's also a way to get some more IPv4 addresses...
P.S. Cutting a whole country off the internet because their government supposedly does naughty things is a very bad idea in my humble opinion.
The End Of Owning
This UV is the mother of all DRM. It's meant to be the end of piracy once and for all. You will have no more freedom. Want to watch a movie? Want to listen to music? Want to watch a TV show? Come to the content companies who thought of this and be their slave. You will never own any content again. You will rent rent rent, even though they make it sound otherwise. This is bad and must be stopped.