<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://ideas.4brad.com" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>Brad Ideas - Spam - Comments</title>
 <link>http://ideas.4brad.com/archives/cat_spam.html</link>
 <description>Comments for &quot;Spam&quot;</description>
 <language>en</language>
<item>
 <title>Repurposing Sigint</title>
 <link>http://ideas.4brad.com/are-botnets-run-spy-agencies#comment-5345</link>
 <description>&lt;p&gt;I guess, this revolves around whether you&#039;re really interested in economic, social, or military issues. Former Home Secretary David Blunkett observed that corporate collections of personal data were bigger and less well regulated than the governments. Private companies are fuzzier and less lethal than terrorists but they still have a potential to damage people and society. Sometimes, you could argue, big transnational companies are the cause of terrorism. I&#039;ll admit that&#039;s going way off topic but it sparked another thought. Instead of sending a cruise missile through someone&#039;s letterbox, how might the same intelligence be used to flag people and places where better or more sensitive trade and industry could take off?&lt;/p&gt;
</description>
 <pubDate>Fri, 16 May 2008 14:05:12 -0700</pubDate>
 <dc:creator>Anonymous</dc:creator>
 <guid isPermaLink="false">comment 5345 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>Pharm</title>
 <link>http://ideas.4brad.com/are-botnets-run-spy-agencies#comment-5339</link>
 <description>&lt;p&gt;Oh, I don&amp;#8217;t need to go beyond commercial motives to find a reason for Pharm.  But more to the point, Pharm is domestic.&lt;/p&gt;

&lt;p&gt;The hallmark of a signals intelligence espionage program would be intrusion into foreign computers, ideally non-allied computers or targeted computers, which is within the bailiwick of most of these organizations.&lt;/p&gt;

&lt;p&gt;Indeed, there might be a desire to simply scan lots of hard drives in rural Pakistan and Afghanistan.    And North Korea (the few that are on the internet) and other places, staying away from spying on computers belonging to allies and domestic parties.   They could write code to examine machines and determine if they are domestic, or owned by domestic companies.   Or even code to say, &amp;#8220;Does this computer look like it might be owned by a jihadi?&amp;#8221; &amp;#8212; and then start spying on just those computers.&lt;/p&gt;

&lt;p&gt;The recent trend in intelligence has been to look for ways to do blanket basic surveillance and then isolate the few actual targets they want to put human beings on.  Of course, in the domestic case, such as AT&amp;amp;T, the law says they can&amp;#8217;t do this.  But they want to do it, and in fact we allege in our lawsuit that they did do this &amp;#8212; put in a splitter to divert all data into NSA systems.   If they are doing that in the domestic arena, seems likely they are doing it overseas where there is less control.&lt;/p&gt;
</description>
 <pubDate>Thu, 15 May 2008 17:57:00 -0700</pubDate>
 <dc:creator>brad</dc:creator>
 <guid isPermaLink="false">comment 5339 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>Targeted Advertisers?</title>
 <link>http://ideas.4brad.com/are-botnets-run-spy-agencies#comment-5337</link>
 <description>&lt;p&gt;Who is behind the so-called targeted advertising systems companies like Phorm are trying to get installed on ISP internal networks? Being able to snoop 70% of the UK&#039;s clickstream is an intelligence tool worth billions. Putting aside the fact that Phorm&#039;s system breaks a dozen laws, who quality assures or positive vets companies like this? I would&#039;ve thought allowing a known spyware company that games the legal system and employs foreign nationals to code its software would be a red flag for someone.&lt;/p&gt;
</description>
 <pubDate>Thu, 15 May 2008 17:08:01 -0700</pubDate>
 <dc:creator>Anonymous</dc:creator>
 <guid isPermaLink="false">comment 5337 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>It gets worse, what if it</title>
 <link>http://ideas.4brad.com/are-botnets-run-spy-agencies#comment-5334</link>
 <description>&lt;p&gt;It gets worse, what if it was organized crime, instead of or in addition to spy agencies, engaging in such activities, which of course they are. Spy agencies are normally engaged in criminal activity too, so that&#039;s not what makes it worse.&lt;/p&gt;
&lt;p&gt;What makes it worse is that ICANN has allowed itself on various levels including registrars and the DNS itself to be increasingly co-opted by organized crime. ICANN&#039;s insatiable hunger for money is largely to blame, and criminals have long known how to exploit such a weakness. Read &lt;a href=&quot;http://www.icannwatch.org/article.pl?sid=08/05/14/053230&amp;amp;mode=nested&quot; rel=&quot;nofollow&quot;&gt;this&lt;/a&gt; current article on ICANNWatch.org and follow the link in Fergie&#039;s subsequent comment, or my more accurate link to RBNBlog which follows. &lt;/p&gt;
&lt;p&gt;The US Government has always been ICANN&#039;s overseer, have they just been asleep at the switch? Isn&#039;t it ironic that the organized crime Russian Business Network, with likely ties to the Russian government (and they have recently moved some of their activities to mainland China), is co-opting various critical levels of the internet? This is going to turn out badly. -g&lt;/p&gt;
</description>
 <pubDate>Thu, 15 May 2008 02:26:16 -0700</pubDate>
 <dc:creator>fnord</dc:creator>
 <guid isPermaLink="false">comment 5334 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>The three lies</title>
 <link>http://ideas.4brad.com/spam-turns-30-echeck-email#comment-5332</link>
 <description>&lt;p&gt;The three lies is a well known joke.   You start with 2 standard lies and the 3rd is a punchline lie like the ones you name above.&lt;/p&gt;

&lt;p&gt;The main two are usually &amp;#8220;The cheque is in the mail&amp;#8221; and &amp;#8220;I&amp;#8217;m from the Government, I&amp;#8217;m here to help you.&amp;#8221;&lt;/p&gt;
</description>
 <pubDate>Wed, 14 May 2008 11:13:25 -0700</pubDate>
 <dc:creator>brad</dc:creator>
 <guid isPermaLink="false">comment 5332 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>What are the other two?</title>
 <link>http://ideas.4brad.com/spam-turns-30-echeck-email#comment-5330</link>
 <description>&lt;p&gt;“The Cheque is in the Mail” became known as one of the 3 great lies.&lt;/p&gt;
&lt;p&gt;OK, what are the other two.  I seem to recall a documentary about a&lt;br /&gt;
hard-rock or heavy-metal group, perhaps Krokus, which mentioned the&lt;br /&gt;
other two being &quot;We&#039;ll fix it in the mix&quot; and &quot;I won&#039;t come in your&lt;br /&gt;
mouth&quot;.  At least in the rock&#039;n&#039;roll world, I guess those are the&lt;br /&gt;
other two.&lt;/p&gt;
</description>
 <pubDate>Wed, 14 May 2008 04:28:38 -0700</pubDate>
 <dc:creator>Phillip Helbig</dc:creator>
 <guid isPermaLink="false">comment 5330 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>data can go both ways</title>
 <link>http://ideas.4brad.com/are-botnets-run-spy-agencies#comment-5329</link>
 <description>&lt;p&gt;First, I think it&#039;s much more likely the NSA has already&lt;br /&gt;
compromised one or more existing botnets, as opposed to&lt;br /&gt;
screwing up Windows.  That&#039;s Microsoft&#039;s job!&lt;/p&gt;
&lt;p&gt;Try this on for size.  Everybody&#039;s heard about the&lt;br /&gt;
secret room(s) at AT&amp;amp;T et al. run by the NSA and supposedly&lt;br /&gt;
designed to slurp up all the internet packets, telco phone&lt;br /&gt;
meta-data, etc.  Perhaps they are covertly working with&lt;br /&gt;
the backbone operators to provide peering points where&lt;br /&gt;
they can *inject* massive amounts of traffic generated&lt;br /&gt;
by their own custom dedicated servers.  It&#039;s more reliable&lt;br /&gt;
if you have your own botnet.&lt;/p&gt;
</description>
 <pubDate>Tue, 13 May 2008 23:48:44 -0700</pubDate>
 <dc:creator>Anon Y. Mouse</dc:creator>
 <guid isPermaLink="false">comment 5329 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>This is possible</title>
 <link>http://ideas.4brad.com/are-botnets-run-spy-agencies#comment-5328</link>
 <description>&lt;p&gt;But in fact it might be simpler to just assure there are security flaws, and then build the botnets, or have them built by your front organizations, which are of course not in the USA.  Or just exploiting those that are already there.&lt;/p&gt;

&lt;p&gt;Directly compromising Windows is a dangerous thing for the NSA to do.   Aside from the fact it is still not supposed to operate inside the USA at all, this could hurt the security of Americans against foreign spies.   In fact, the NSA is supposed to be helping to make U.S. computers more secure, it is part of their mission.    To go directly against that mission is not beyond them but scandalous if discovered.&lt;/p&gt;

&lt;p&gt;Of course this does not apply to foreign spy agencies, they could compromise Windows without breaking their rules.  But since Windows is run in so many countries, again this has the risk of scandal.&lt;/p&gt;

&lt;p&gt;On the other hand, paying botnet rings to run secret code on non-domestic computers to spy on the owners of those computers would not be the same sort of major scandal.  (Creation of the botnets directly would be a scandal, but one they can hide much more easily.)   They would mostly get an &amp;#8220;attaboy&amp;#8221; for spying on foreign computers.   They might create a problem with allies if they spied on the computers of allied governments if they were caught, but frankly everybody knows that each spy agency spies on its allies.  It&amp;#8217;s part of the game, though still not something to be caught at.&lt;/p&gt;

&lt;p&gt;To do this, they would want to build a system that can identify honeypots and make sure never to put spy code into them.  That&amp;#8217;s hard to do for a criminal hacker ring but easily within the abilities of a big spy agency.   Ideally they would use other methods to determine the IP blocks  or other attributes of &amp;#8220;computers of interest&amp;#8221; they wish to spy on, confirm that they really have these computers, and then briefly load spy code in them to rootkit the systems and look for interesting files.&lt;/p&gt;

&lt;p&gt;Detection of this would require a very clever honeypot that knows how to look like a &amp;#8220;computer of interest&amp;#8221; &amp;#8212; once we define what a computer of interest is.   I would bet that computers in rural Pakistan, for example, and Iraq, are commonly computers of interest.&lt;/p&gt;
</description>
 <pubDate>Tue, 13 May 2008 21:02:42 -0700</pubDate>
 <dc:creator>brad</dc:creator>
 <guid isPermaLink="false">comment 5328 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>Spy agencies &amp; software</title>
 <link>http://ideas.4brad.com/are-botnets-run-spy-agencies#comment-5327</link>
 <description>&lt;p&gt;There is one other thing that would be too easy for a spy agency to buy off that it is hard to fathom that it hasn&#039;t happened:  adding some kind of hook to popular closed-source operating systems to leak confidential information into covert channels.  The effort required to modify kernel source code so that e.g., passwords or something are encoded into the output of some pseudorandom number generator used for picking e.g., TCP sequence numbers is low enough that a competent coder involved in the process between when the source code is checked out to do the production build and executing the makefile could slip it in with very low probability of detection and nobody would be any the wiser.  If spy agencies can spend billions on covert spy satellite programs, surely they can spend a couple million to buy off a programmer involved in production builds to slip in carefully chosen patches.  The presence of spy agencies in the world today with these kind of budgets almost guarantees that closed source products (and pre-built open source products) have backdoors.  They would be stupid not to.&lt;/p&gt;
&lt;p&gt;It follows that if you don&#039;t compile your own stuff, your stuff is probably backdoored.  On the positive side, keeping this stuff secret is almost certainly enough of a priority that the spy agencies will probably be keeping your secrets (unless you are doing something they are directly interested in) and third party crackers will probably not be any the wiser.&lt;/p&gt;
</description>
 <pubDate>Tue, 13 May 2008 19:58:11 -0700</pubDate>
 <dc:creator>Anonymous</dc:creator>
 <guid isPermaLink="false">comment 5327 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>SPAM&#039;s birthday</title>
 <link>http://ideas.4brad.com/spam-turns-30-echeck-email#comment-5284</link>
 <description>&lt;p&gt;Was unaware of the pending birthday. Worked many years ago on The Clipper Chip lobbying Capitol Hill on releasing DoD encryption technology. &lt;/p&gt;
&lt;p&gt;Who termed the coin SPAM? I know I should know this. It just feels like one of those terms that&#039;s been out there forever and falsely maligning the food product, cannot even type that with a straight face, but you know what I mean....&lt;/p&gt;
&lt;p&gt;Plan to publish an article next week on the big event. Keep up the good work!&lt;/p&gt;
&lt;p&gt;Denis Campbell&lt;br /&gt;
Managing Editor&lt;br /&gt;
&lt;a href=&quot;http://www.vadimuspost.com&quot; title=&quot;http://www.vadimuspost.com&quot;&gt;http://www.vadimuspost.com&lt;/a&gt;&lt;/p&gt;
</description>
 <pubDate>Sun, 04 May 2008 15:04:06 -0700</pubDate>
 <dc:creator>Denis Campbell</dc:creator>
 <guid isPermaLink="false">comment 5284 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>bizarre</title>
 <link>http://ideas.4brad.com/node/377#comment-4399</link>
 <description>&lt;p&gt;I was tempted to respond with my own satire:&lt;/p&gt;
&lt;p&gt;&quot;As president of Murder, Incorporated, the largest murder for hire organization in the world, I agree that business must be protected from unwarranted government regulation. If someone really wants to live, all they need do is buy a firearm, give up sleep, stay in a safe location, and protect himself.&quot;&lt;/p&gt;
&lt;p&gt;It would go on in that vein.&lt;/p&gt;
&lt;p&gt;The typical burdensome regulation that is invariably considered intolerable to business is something like:&lt;/p&gt;
&lt;p&gt;- don&#039;t kill your employees, which is right out of the ten commandments which shows that God is anti-business&lt;br /&gt;
- compete with the Japanese, which is why Detroit is still making cars despite their 1970s suicide attempts&lt;br /&gt;
- keep track of where the money is coming from and going to, which is the outrageous demand of Sarbanes Oxley&lt;/p&gt;
&lt;p&gt;No one whines like a business man. No one demands bigger handouts with fewer strings.&lt;/p&gt;
&lt;p&gt;The railroads did not have network neutrality until after World War II. It was cheaper to ship raw materials east and north than south or west, and it was cheaper to ship manufactured goods west and south than north and east. When the government told the railroads to stop peeking into packets, in this case rail cars, the south and west finally started to develop industrially. The interstate highways copied this model. The New York Thruway could have had differential tolls based on cargo and direction, but they didn&#039;t, nor did any other interstate highway, and we have more rational industrial distribution nowadays.&lt;/p&gt;
&lt;p&gt;Whenever you hear talk about the new south or rising west, remember, that was nasty, evil government regulation of good, honest, benevolent private industry.&lt;/p&gt;
</description>
 <pubDate>Mon, 10 Sep 2007 09:06:58 -0700</pubDate>
 <dc:creator>Kaleberg</dc:creator>
 <guid isPermaLink="false">comment 4399 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>AOL has horrible practices</title>
 <link>http://ideas.4brad.com/node/508#comment-4021</link>
 <description>&lt;p&gt;AOL has horrible practices for E-Mail.&lt;/p&gt;
&lt;p&gt;Not only have we been blocked for people who were forwarding E-Mail to their AOL E-Mail accounts from their hosted E-Mail Addresses but we have also been blocked by AOL for bouncing messages back to them!&lt;/p&gt;
&lt;p&gt;To fix both we filled out and had ourselves added to AOL&#039;s White List.&lt;/p&gt;
&lt;p&gt;But now there&#039;s another problem from AOL. Not only must the IP Address of the server the E-Mail is coming from match the IP Address shown in the DNS for the same server name, but now that reverse address must map to the server name shown from the E-Mail Server as well! Not only that but there was NO WARNING that they would be making such a major change.&lt;/p&gt;
</description>
 <pubDate>Mon, 21 May 2007 10:06:27 -0700</pubDate>
 <dc:creator>Anonymous</dc:creator>
 <guid isPermaLink="false">comment 4021 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>Main reason</title>
 <link>http://ideas.4brad.com/node/510#comment-3733</link>
 <description>&lt;p&gt;I don&#039;t do that is I want to keep the blog posting rate to just a few a week.  Many people think a good blog has many postings a day, but I prefer lower volumes.&lt;/p&gt;
</description>
 <pubDate>Mon, 26 Feb 2007 11:05:21 -0800</pubDate>
 <dc:creator>brad</dc:creator>
 <guid isPermaLink="false">comment 3733 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>Ask Brad?!</title>
 <link>http://ideas.4brad.com/node/510#comment-3727</link>
 <description>&lt;p&gt;Why don&#039;t you set up an &quot;Ask Brad&quot; feature, either here or elsewhere.&lt;br /&gt;
The idea would be that instead of only you initiating threads in your&lt;br /&gt;
blog, i.e. blog entry, comments and responses, readers could ask for&lt;br /&gt;
your advice, and your answer could be handled like a normal blog entry,&lt;br /&gt;
i.e. spawn comments and responses etc.&lt;/p&gt;
&lt;p&gt;Of course, you could screen the entries before posting the questions and/or&lt;br /&gt;
your responses, require registration for those asking questions etc.&lt;/p&gt;
&lt;p&gt;The idea is that many readers of your blog have common interests and often&lt;br /&gt;
readers ask questions in the comments to your blog entries.  The only difference&lt;br /&gt;
is that the readers (with your screening and approval) could start a new blog&lt;br /&gt;
thread.&lt;/p&gt;
&lt;p&gt;Let me start (in this thread since it has to do with spam):  Most people don&#039;t&lt;br /&gt;
have time to manually screen their spam.  What do you recommend: using SpamAssassin&lt;br /&gt;
or something similar to mark messages as potential spam, so that the user can then&lt;br /&gt;
take whatever action he wants (delete them all, screen all by hand, apply additional&lt;br /&gt;
processing (semi)automatically (perhaps dependent on the score) but otherwise ACCEPTING&lt;br /&gt;
all spam messages, or, on the other hand, rejecting spam messages above a certain&lt;br /&gt;
spam threshold?&lt;/p&gt;
&lt;p&gt;With some sort of automatic rejection (which I would like to implement for spams with&lt;br /&gt;
a score so high that I can be sure that I am not rejecting any non-spam messages), do&lt;br /&gt;
you recommend sending an email to the (perhaps forged) sender, saying that the message&lt;br /&gt;
could not be delivered because it is suspected of being spam?  The reason I ask is that&lt;br /&gt;
my provider can let me have all incoming mail scanned by SpamAssassin before it is&lt;br /&gt;
delivered to me.  (More precisely, all mail using a particular set of MX records.  My port&lt;br /&gt;
25 is still open so that other email addresses are possible which can be delivered bypassing&lt;br /&gt;
the spam screening.)  Above a certain score set by him (5 SpamAssassin points at the moment),&lt;br /&gt;
it is tagged as spam.  If I want, I can reject mail above a certain threshold.  If this happens,&lt;br /&gt;
the (perhaps forged) sender will get an email saying that the mail couldn&#039;t be delivered because&lt;br /&gt;
it is suspected of being spam.  I have no control over this.&lt;/p&gt;
&lt;p&gt;I see two potential problems.  One is backscatter spam.  A spammer uses the addresses he wants&lt;br /&gt;
to spam to as the forged senders, sends to an address known to be screened for spam, and thus&lt;br /&gt;
has the spam assassin forward the message to his recipients.  My provider doesn&#039;t seem worried&lt;br /&gt;
by this.  Should I be worried, since my address might appear in the spam?  That is, a spammer&lt;br /&gt;
sends me an email with your address as the sender.  My provider sends a message to you (perhaps&lt;br /&gt;
including the original message) saying it is spam, and you see me as the original recipient and&lt;br /&gt;
suspect I might have something to do with the spam.)  (If you do similar spam screening, then&lt;br /&gt;
one email might start a vicious circle and multiply until the systems are overloaded!)  In other&lt;br /&gt;
words, is sending an email to the apparent sender a good idea (maybe the message was mistakenly&lt;br /&gt;
tagged etc)?  (My provider should perhaps be concerned with all these informational emails and/or&lt;br /&gt;
with being tagged as a spam relay because of backscatter himself.)&lt;/p&gt;
&lt;p&gt;The other problem would occur if, instead of sending information emails, the provider would send&lt;br /&gt;
some sort of error code during the SMTP dialog.  This is OK for real spammers, but might be a problem&lt;br /&gt;
for people who forward email to me---they shouldn&#039;t get any error codes which indicate that they&lt;br /&gt;
might be sending spam.  (For example, I moderate a newsgroup, and posts to the newsgroup go to another&lt;br /&gt;
site which emails them to the active moderators.  If spam comes in, the relay site should not experience&lt;br /&gt;
any problems.)&lt;/p&gt;
</description>
 <pubDate>Mon, 26 Feb 2007 02:41:05 -0800</pubDate>
 <dc:creator>Anonymous</dc:creator>
 <guid isPermaLink="false">comment 3727 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>I apologize</title>
 <link>http://ideas.4brad.com/node/508#comment-3311</link>
 <description>&lt;p&gt;You can have more than one PTR record.   As noted, PTR records must be re-verified with a lookup.   However, they actually serve no purpose.  When you get your HELO/EHLO, you should just look up that address and see if it gives you the same IP you&#039;re receiving the connection from.  No need to look at the reverse DNS.&lt;/p&gt;
</description>
 <pubDate>Wed, 14 Feb 2007 16:42:55 -0800</pubDate>
 <dc:creator>brad</dc:creator>
 <guid isPermaLink="false">comment 3311 at http://ideas.4brad.com</guid>
</item>
</channel>
</rss>
