Saturday, August 18, 2007

Why do you need PGP?

Let's answer a more basic question first: why do you need any security constructs like antivirus, a firewall, an IDS etc.? Maybe because:

  • You have secret/vital information to protect.
  • The exploit/attack is so easy that any casual user can do it.. for fun.

On my laptop running Linux I don't have an antivirus, firewall or IDS.. I don't have any critical information on my laptop (the critical information is encrypted using my DNA sequence, scrambled using my iris pattern as seed, divided into blocks and stored on NSA servers :P), nor does it run continuously to give the attacker any time to conduct the attack... It's a different story altogether for workstations running 24x7. That said, why do I need PGP to encrypt/authenticate my mails then? It's not that I need to protect my mails from the public eye or even a passive listener.. come on, what can a person get by reading the emails I write to my friends and family!!.. The problem arises when he can write emails to my friends and family using my email ID.. and stay undetected. The point of concern is how easy it is to do so.. let me show you how:

PLEASE NOTE: Doing this is illegal in the US and EU unless you own the email addresses you are using. Posing as a third party is considered identity theft and is a criminal offense. I am using an email address that belongs to me and this demonstration is only for educational purposes. I am not responsible for anything you might do with the information provided here.

  • Cover your tracks: What better way to do that than tor+privoxy!! Since I will be using telnet for this exploit, I need a way to torify telnet. The torify command does that, but I was too lazy to figure out the syntax. I grabbed tor_aliases to do that. It's a small script that you add to your .bashrc, which automatically torifies various net tools like telnet, scp etc. (Thanks t3rmin4t0r for pointing it out to me on #linux-india).
  • Find the SMTP server of the victim: I am going to send a mail to testingusage@gmail.com (again, the ID belongs to me and I use it for testing purposes). Let's figure out which SMTP server gmail uses..

    sridhar@pico:~$ dig mx gmail.com
    ; <<>> DiG 9.3.4 <<>> mx gmail.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8033
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 7

    ;; QUESTION SECTION:
    ;gmail.com. IN MX

    ;; ANSWER SECTION:
    gmail.com. 3534 IN MX 50 gsmtp183.google.com.
    gmail.com. 3534 IN MX 5 gmail-smtp-in.l.google.com.
    gmail.com. 3534 IN MX 10 alt1.gmail-smtp-in.l.google.com.
    gmail.com. 3534 IN MX 10 alt2.gmail-smtp-in.l.google.com.
    gmail.com. 3534 IN MX 50 gsmtp163.google.com.

    ;; ADDITIONAL SECTION:
    gmail-smtp-in.l.google.com. 214 IN A 209.85.199.114
    gmail-smtp-in.l.google.com. 214 IN A 209.85.199.27
    alt1.gmail-smtp-in.l.google.com. 237 IN A 64.233.167.114
    alt1.gmail-smtp-in.l.google.com. 237 IN A 64.233.167.27
    alt2.gmail-smtp-in.l.google.com. 285 IN A 66.249.91.27
    gsmtp163.google.com. 5883 IN A 64.233.163.27
    gsmtp183.google.com. 4017 IN A 64.233.183.27

    ;; Query time: 64 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Sun Jul 29 14:05:57 2007
    ;; MSG SIZE rcvd: 270


    MX records point to the servers that receive email for the domain. The numbers 50, 5, 10, 10, 50 you see are preference values: the lower the number, the higher the preference. For us it means a higher probability of a successful delivery, which implies that we will be using gmail-smtp-in.l.google.com.

  • Speaking SMTP: The last step is to speak SMTP to make the server accept the mail. I am not going to teach you SMTP here. Check out RFC 821 for the details.
    sridhar@pico:~/blog$ telnet gmail-smtp-in.l.google.com. 25
    Resolving gmail-smtp-in.l.google.com. through tor... 209.85.129.27
    Trying 209.85.129.27...
    Connected to 209.85.129.27.
    Escape character is '^]'.
    220 mx.google.com ESMTP o11si2850482fkf
    502 5.5.1 Unrecognized command o11si2850482fkf
    helo
    250 mx.google.com at your service
    mail from: <testingusage@gmail.com>
    250 2.1.0 OK
    rcpt to: <testingusage@gmail.com>
    250 2.1.5 OK
    data
    354 Go ahead
    From: Someone <someone@someone.com>
    Subject: Testing

    I see the light!!

    .
    250 2.0.0 OK 1187318464 o11si2850482fkf
    quit

Please do note that testingusage@gmail.com is my own ID, so no harm done. What have I just done? Sent an email to testingusage@gmail.com as someone@someone.com... I could have used any email address there and nothing would be traceable back to me. The following screenshot shows you the result:


As you can see, the message was marked as spam. That is because I did not craft the mail properly and someone.com may be on its blacklist. It's fairly easy to fool those spam filters.

In fact the method just demonstrated is used a lot by spammers.. just a bit more refined and automated. Nothing is stopping your mortal enemy from impersonating you and wreaking havoc in your life. Yes, there are ways to detect a fake mail.. IP analysis, the route it takes etc. etc., but it all requires the receiver to be a paranoid geek. How many mails do you receive daily and how many times have you stopped to check the authenticity of a mail?
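The two checks described in this post, as an added example that is not part of the original: reading the MX preferences out of the dig output above (lowest number wins), and the "paranoid geek" checks a receiver can run on a delivered message, i.e. whether the envelope sender (which the receiving MTA writes into Return-Path) matches the From: header, and whether the connecting host named in Received: belongs to the From: domain. The Received: line and its IP address in the sample are constructed; the rest mirrors the telnet session.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The ANSWER SECTION from the dig output in the post, trimmed to the MX lines.
DIG_ANSWER = """\
gmail.com. 3534 IN MX 50 gsmtp183.google.com.
gmail.com. 3534 IN MX 5 gmail-smtp-in.l.google.com.
gmail.com. 3534 IN MX 10 alt1.gmail-smtp-in.l.google.com.
gmail.com. 3534 IN MX 10 alt2.gmail-smtp-in.l.google.com.
gmail.com. 3534 IN MX 50 gsmtp163.google.com.
"""

def mx_by_preference(dig_answer):
    """Parse 'name ttl IN MX pref host' lines and return the hosts ordered by
    preference, lowest number first: the one a sending MTA tries first."""
    records = []
    for line in dig_answer.splitlines():
        m = re.match(r"\S+\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+?)\.?$", line)
        if m:
            records.append((int(m.group(1)), m.group(2)))
    return [host for _, host in sorted(records)]

# Constructed sample of how the spoofed message arrives: Return-Path carries the
# MAIL FROM address, Received: the connecting host (IP is a documentation address).
SPOOFED = """\
Return-Path: <testingusage@gmail.com>
Received: from localhost (unknown [198.51.100.7]) by mx.google.com with SMTP
From: Someone <someone@someone.com>
Subject: Testing

I see the light!!
"""

def _domain(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def spoof_indicators(raw_message):
    """Return a list of findings; an empty list means the headers are consistent."""
    msg = message_from_string(raw_message)
    env_dom, from_dom = _domain(msg.get("Return-Path", "")), _domain(msg.get("From", ""))
    findings = []
    if env_dom != from_dom:
        findings.append("envelope sender domain %s != From: domain %s" % (env_dom, from_dom))
    # Reverse DNS of the connecting host as the receiving MTA wrote it: 'from helo (rdns [ip])'.
    m = re.search(r"\((\S+)\s+\[", msg.get("Received", ""))
    if m and not (m.group(1) == from_dom or m.group(1).endswith("." + from_dom)):
        findings.append("connecting host %s is not in %s" % (m.group(1), from_dom))
    return findings
```

Both checks are heuristics: forwarded mail and mailing lists legitimately trip the first one, which is exactly why the post ends up recommending a signature instead.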

So what is the solution?.. PGP or its free, open source implementation GPG (GNU Privacy Guard). There are millions of tutorials on the web so I am not going to write another one here.

In a nutshell, it attaches a signed hash of your mail. Since it uses DSA, only you possess the private key needed to create that signature. All other users can only verify your signature using your public key (which has to be published on key servers, e.g. http://pgp.mit.edu). The email client takes care of the whole process so you don't have to do anything except the initial setup.

Is it foolproof? NO.. This will only stop casual attacks. The attacker may spoof your identity, create a public key with your credentials and ask the receiver to download his public key, so the receiver might consider your emails fake and the attacker's emails real, but of course this is not something your friend would do for fun.

Bottom line: if you are breaking up with someone over email, proposing to someone or making a million dollar deal, use GPG to tell the receiver that it's really you :)
BTW my pgp key is this. That said, I can always deny sending a mail which doesn't have my signature... which I might use to satisfy my evil ends.. Mwahahahaha.

PS: There is a chance that the attack shown above might not work. This would happen if your IP is blacklisted.

Sunday, August 12, 2007

Software piracy.. we need to re-evaluate our definition.

Let me throw away my "Ms Universe" stance and admit that I am a hypocrite. I want to get stuff for free but I want others to pay for the things/software I create/produce. Apparently there are a lot of people who think like me, and a lot of them do not produce/create anything.. they basically want stuff for free.. which leads to piracy.

First of all, we need to assert the true meaning of the word pirate: basically a thief/burglar working mostly off-shore. What do you need to do to be a pirate? umm... kill a few people, take their belongings and perhaps wear an eye patch (Arrrrr..). Now how the word piracy came to mean a guy sharing his music/software while still retaining the original copy of the music/software, I'll never know. The word, coined by the likes of the MPAA and RIAA (perhaps one of them, but I am not sure), totally defaces the norms required for the existence of a society.

By this time most of you anti-piracy advocates would be yelling: THERE SHOULD BE A REWARD FOR INNOVATION. Sure.. there should be one, but creating something does not justify being greedy. Apple developed the iPod in 6 months and as of April 2007 has sold 100 million units.. isn't that a big enough reward? Harry Potter and the Deathly Hallows was the most preordered book in history and J.K. Rowling is a millionaire.. isn't that a big enough reward? Yes, they are losing a couple of million dollars.. I am sorry that they won't be able to buy the unicorn and a gold coated private jet.

Software pirates are not kleptomaniacs who just download anything off the internet... just the stuff they don't want to pay for. E.g. I will never download 300 or watch it on television.. but I won't pay $10 to watch You, Me and Dupree in a theater. Being a movie junkie, I can't resist seeing the movie either.

Digital piracy is here to stay. Why? Because reverse engineering is always easier than engineering, and the people who crack the DRMs and torrent the files are much smarter than the people who put the DRM there in the first place. It's a cold war that's going on between the software geeks and the stuffy corporate marketing managers on a turf where the geeks have spent their whole life... it's not too difficult to predict the outcome, with most of the major players shunning DRM and the MPAA/RIAA. Also, American law forbids the export/import of any strongly encrypted software (i.e. software that can't be cracked by the NSA).. which means that the technology is always going to be crackable.

Let's do the math now.
US population: 301,139,947
Broadband access: 40,876,000
Let's restrict our calculation to movies. Percentage of illegal movie downloads = 20%
Note that I am only considering broadband users, so I have accordingly bumped up the percentage by a conservative estimate of 2% (the source mentions 18% total).
=> Total number of Americans downloading movies = 8,175,200 (the real number is actually 25 million).
Number of cases filed = 87
Probability of getting caught = 87/8,175,200 = .000001

Need I say more!!

Tuesday, August 07, 2007

He became a legend..

Dr Per Brinch Hansen, my compiler design professor, chief architect of the RC4000 minicomputer (which had the first real OS), inventor of monitors, author of the first concurrent programming language, Concurrent Pascal, author of the first book on OS, a voracious reader and a drop dead geek (in a good way.. although he always said that the word was coined by stupid Americans to pick on smart people, including Americans.. so don't take it personally guys :), because it's difficult for a dumb guy to rise up to the level of a smart person) died on July 31, 2007. He was 68 and had been diagnosed with cancer in June.

This was his last email to me that I'll cherish forever:

Dear Sridhar,
Thanks for your kind email of June 1. I am still recuperating after my hip surgery.
I am happy to hear that you found an interesting job in Santa Clara. Everybody should live in California while they are young.
Keep in touch!

Per Brinch Hansen


It's hard to imagine him gone, partly because I never considered him a mortal being. Although he was suffering from senile decay, he had a really overpowering personality and you could really see the halo of knowledge. Frankly, he was seen as a really eccentric person by many of my friends, but since I tend to be eccentric at times, I was totally comfortable with him (probably for the same reason I chose the supposedly most difficult professors as my advisors in undergrad).

May his soul rest in peace. I wouldn't say that he died.. he became a legend. His legend will inspire many future generations of computer scientists/engineers.