
(Krebs On Security) With all due respect to world-renowned security expert, Brian Krebs, submitter is pretty sure that spit is not the bodily fluid that holds the internet together (krebsonsecurity.com)
    More: Interesting, IP address, E-mail, Fraud, Internet addresses, phone call, 38-year-old Amir Golestan, following message, security researcher  

910 clicks; posted to STEM » on 28 Nov 2021 at 7:53 PM (25 weeks ago)



Voting Results (Smartest)

 
2021-11-28 9:43:59 PM  
15 votes:
[imgs.xkcd.com image]
 
2021-11-28 9:14:21 PM  
10 votes:
Maybe he meant 'Spite'.  The Internet is held together by spite.
 
2021-11-28 11:28:36 PM  
8 votes:
I'm reminded of an old Usenet meme about trying to fix email. It has always been known it was never going to be practically fixed:

--

Your post advocates a 

( X ) technical ( ) legislative ( ) market-based ( ) vigilante 

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.) 

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected 
( ) No one will be able to find the guy or collect the money 
( ) It is defenseless against brute force attacks 
( X ) It will stop spam for two weeks and then we'll be stuck with it 
( ) Users of email will not put up with it 
( ) Microsoft will not put up with it 
( ) The police will not put up with it 
( ) Requires too much cooperation from spammers 
( ) Requires immediate total cooperation from everybody at once 
( ) Many email users cannot afford to lose business or alienate potential employers 
( ) Spammers don't care about invalid addresses in their lists 
( ) Anyone could anonymously destroy anyone else's career or business 

Specifically, your plan fails to account for 

( ) Laws expressly prohibiting it 
( ) Lack of centrally controlling authority for email 
( ) Open relays in foreign countries 
( ) Ease of searching tiny alphanumeric address space of all email addresses 
( X ) Asshats 
( ) Jurisdictional problems 
( ) Unpopularity of weird new taxes 
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP 
( ) Susceptibility of protocols other than SMTP to attack 
( ) Willingness of users to install OS patches received by email 
( ) Armies of worm riddled broadband-connected Windows boxes 
( X ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam 
( ) Joe jobs and/or identity theft 
( ) Technically illiterate politicians 
( ) Extreme stupidity on the part of people who do business with spammers 
( X ) Dishonesty on the part of spammers themselves 
( ) Bandwidth costs that are unaffected by client filtering 
( ) Outlook 

and the following philosophical objections may also apply: 

( X ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical 
( ) Any scheme based on opt-out is unacceptable 
( ) SMTP headers should not be the subject of legislation 
( ) Blacklists suck 
( ) Whitelists suck 
( ) We should be able to talk about Viagra without being censored 
( ) Countermeasures should not involve wire fraud or credit card fraud 
( ) Countermeasures should not involve sabotage of public networks 
( ) Countermeasures must work if phased in gradually 
( ) Sending email should be free 
( ) Why should we have to trust you and your servers? 
( ) Incompatibility with open source or open source licenses 
( ) Feel-good measures do nothing to solve the problem 
( ) Temporary/one-time email addresses are cumbersome 
( ) I don't want the government reading my email 
( X ) Killing them that way is not slow and painful enough 

Furthermore, this is what I think about you: 

( X ) Sorry dude, but I don't think it would work. 
( ) This is a stupid idea, and you're a stupid person for suggesting it. 
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
 
2021-11-28 8:57:13 PM  
7 votes:
 
2021-11-28 8:41:43 PM  
4 votes:
No, I think he nailed it.  What the hell is wrong with Level 3?  Wait, I don't think I have enough time to listen to the full explanation.
 
2021-11-28 8:57:55 PM  
4 votes:

HeadbangerSmurf: No, I think he nailed it.  What the hell is wrong with Level 3?  Wait, I don't think I have enough time to listen to the full explanation.


Why the fark are we still using SMTP? We've known it's an insecure piece of filth for at least 30 years.

This isn't on Lumen so much as the entire industry still using standards developed in a time when developers assumed everyone would be a good actor, and everyone would be using the net in a collaborative utopia.

We need to replace some of the oldest, foundational technologies that make up the internet. Email should have been revamped decades ago. Can we finally do something about it?
 
2021-11-28 9:51:23 PM  
4 votes:

FormlessOne: [imgs.xkcd.com image 385x489]


This is Pure Quill Truth except for one thing. There are dozens of those critical pieces, any one of which could bring it all crashing down.
 
2021-11-28 9:34:57 PM  
3 votes:

Quantumbunny: HeadbangerSmurf: No, I think he nailed it.  What the hell is wrong with Level 3?  Wait, I don't think I have enough time to listen to the full explanation.

Why the fark are we still using SMTP? We've known it's an insecure piece of filth for at least 30 years.

This isn't on Lumen so much as the entire industry still using standards developed in a time when developers assumed everyone would be a good actor, and everyone would be using the net in a collaborative utopia.

We need to replace some of the oldest, foundational technologies that make up the internet. Email should have been revamped decades ago. Can we finally do something about it?


Isn't the whole point of SPF - which I hope everyone is using by this point -  to prevent mail-from spoofing? It certainly means you can't spoof the domain name. Theoretically another employee could spoof the user portion, but that would be preventable with proper configuration of the mail server itself.
 
2021-11-29 4:09:08 AM  
2 votes:

mononymous: spit is not the bodily fluid that holds the internet together

[Youtube-video https://www.youtube.com/embed/zBDCq6Q8k2E]


Done in one.  Turn off the lights and lock up.
This was my first thought as well.
 
2021-11-29 6:38:56 AM  
2 votes:

trialpha: Quantumbunny: HeadbangerSmurf: No, I think he nailed it.  What the hell is wrong with Level 3?  Wait, I don't think I have enough time to listen to the full explanation.

Why the fark are we still using SMTP? We've known it's an insecure piece of filth for at least 30 years.

This isn't on Lumen so much as the entire industry still using standards developed in a time when developers assumed everyone would be a good actor, and everyone would be using the net in a collaborative utopia.

We need to replace some of the oldest, foundational technologies that make up the internet. Email should have been revamped decades ago. Can we finally do something about it?

Isn't the whole point of SPF - which I hope everyone is using by this point -  to prevent mail-from spoofing? It certainly means you can't spoof the domain name. Theoretically another employee could spoof the user portion, but that would be preventable with proper configuration of the mail server itself.


SPF just requires you to spoof DNS before you spoof the SMTP.

So the question becomes how easy it is to corrupt / spoof Level3's DNS before you send the mail with the BGP update

/the spit is in the chewing gum holding it all together
//where 'chewing gum' is a euphemism for shell scripts
 
2021-11-29 9:10:18 AM  
2 votes:

Oneiros: SPF just requires you to spoof DNS before you spoof the SMTP.

So the question becomes how easy it is to corrupt / spoof Level3's DNS before you send the mail with the BGP update


This would be the DNS that Level3's email server was using. Which would presumably be Level3's own DNS cache, inside Level3's network, connecting to the root servers/etc. Spoofing that would require either breaking into Level3's network, or the DNS server that's responsible for the network you're trying to screw with. That's several orders of magnitude harder than spoofing email. If you're capable of that, you probably wouldn't even need to bother with spoofing and could just edit things directly.
 
2021-11-28 9:41:02 PM  
1 vote:

HeadbangerSmurf: No, I think he nailed it.  What the hell is wrong with Level 3?  Wait, I don't think I have enough time to listen to the full explanation.


You really really don't.
 
2021-11-28 9:43:06 PM  
1 vote:
Contracting with my old employer, spit ABSOLUTELY holds its software together.

As a result, on a summer day it dries and breaks, on a winter day it freezes and breaks. And during spring and autumn days it just breaks because spit isn't very good at holding software together.
 
2021-11-29 10:34:58 AM  
1 vote:

trialpha: Oneiros: SPF just requires you to spoof DNS before you spoof the SMTP.

So the question becomes how easy it is to corrupt / spoof Level3's DNS before you send the mail with the BGP update

This would be the DNS that Level3's email server was using. Which would presumably be Level3's own DNS cache, inside Level3's network, connecting to the root servers/etc. Spoofing that would require either breaking into Level3's network, or the DNS server that's responsible for the network you're trying to screw with. That's several orders of magnitude harder than spoofing email. If you're capable of that, you probably wouldn't even need to bother with spoofing and could just edit things directly.


Correct.  If Level3 had assigned the email addresses in use, so it's a domain that's under their control, it's likely near impossible.

If it's in a domain that was since bought by a larger party who forgot to renew it and got snatched up by a third party, it's going to be a bit easier.

But that would never happen to a large company after Microsoft screwed up with Hotmail, right?  It's not like Microsoft screwed up again with CheckPoint or anything like that.

I'm not saying it's going to be easy... just don't trust third parties and you'll have fewer security incidents
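
The SPF exchange in the comments above, as an added example that is not part of the thread or of any poster's comment: a minimal Python evaluator for a subset of SPF (ip4, ip6, include, all) run against constructed TXT records, showing that the verdict for one sending address depends entirely on the DNS answer the receiving server sees. The domain example.com, the documentation address ranges and the `check_spf` helper are assumptions made for illustration.

```python
import ipaddress

# Constructed TXT data standing in for DNS; example.com and the
# documentation address ranges are placeholders, not real senders.
HONEST_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.16/28 ~all",
}
# The same zone as seen through a resolver that returns a tampered answer.
TAMPERED_DNS = {**HONEST_DNS, "example.com": "v=spf1 ip4:203.0.113.0/24 -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(sender_ip, mail_from, dns, depth=0):
    """Evaluate a subset of SPF (ip4, ip6, include, all) for the envelope sender."""
    if depth > 10:                       # simplified guard against include loops
        return "permerror"
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:      # skip the version tag
        qualifier = "+"                  # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the nested check returns pass
            if check_spf(sender_ip, arg, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"                     # no mechanism matched

if __name__ == "__main__":
    for view, dns in (("honest", HONEST_DNS), ("tampered", TAMPERED_DNS)):
        for ip in ("192.0.2.10", "203.0.113.5"):
            print(view, ip, check_spf(ip, "billing@example.com", dns))
```

The check is keyed on the envelope MAIL FROM domain only, so it says nothing about the user portion of the address or about the From: header a reader sees.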
 
Displayed 14 of 14 comments


This thread is closed to new comments.
