Friday, May 23, 2014

Experts Exchange - worst 'web' site in the world.


Ugh.  I signed up for Experts Exchange to ask a single question, then didn't cancel like I should have.  They require a PHONE CALL to cancel a web membership. Now they've gotten a good 6 months of dues out of me.

So I finally did it.  I called.  The following hilarity ensued:

MAY 22, 2014  |  10:34AM PDT
Charles Nickerson replied:

Hello Mr. Romero,
Thank you for your voice mail message. I apologize you were not able to reach a representative.
All cancellation requests must be handled by phone or live chat and processed by a live agent. I attempted to return your phone call message to make it as easy as possible, but was unable to get through and did not want to disrupt you at work, so I will make an exception in your case and help you cancel via email.
In order for me to process your cancellation, I will need some details regarding your experience. Can you tell me:
  • What led you to want to terminate your membership with Experts Exchange?
  • Was there anything about our service that didn’t meet or exceed your expectations?
  • Do you have any suggestions for what resources we could add to make Experts Exchange more valuable?
In addition, I’d like to tell you about some of our newest resources for networking with other IT professionals, and learning new skills on top of the great options we already provide for solving every day problems. I can also work with you on the price of your membership by adjusting your subscription plan to $9.95 or discounting your membership for 6 months to $5.95 if this would interest you to keep the resource available to you and keep Experts Exchange on retainer for your IT solution, Learning and Professional Networking needs.
Please email me back at your earliest convenience so that I may assist you further.
Regards,
Charles Nickerson
Customer Retention Specialist | Experts Exchange
Customer_Service@experts-exchange.com
p: (805) 787-0603 ext. 401 | f: (805) 593-0275
http://www.experts-exchange.com

This message was sent to rick@havokmon.com in reference to Case #: 195189.


So even though I called and cancelled, I can't cancel until I answer THEIR questions. Rather bemusing for a Q/A site.
Fine.

MAY 22, 2014  |  10:57AM PDT
Rick replied:
I asked a single question, and forgot to cancel - likely, the awful
requirement of calling customer service to be hassled to buy more products
is why I didn't call in the first place.

So now you can cancel, or I can submit a chargeback.

Rick


Now - I've clearly complained about the cancellation process, and the fact they've attempted to sell me, IMHO, 'additional product'.  It's additional because I'm cancelling, I don't want to continue.
I've also clearly told him to cancel the account.


MAY 22, 2014  |  11:30AM PDT
Charles Nickerson replied:
Hello Mr. Romero,
Thank you for your email,
I again apologize for the cancellation policy. It is not intended to sell you a product or more products, or even to frustrate you. We maintain a community of IT users, professionals and experts. We only wish an opportunity to get any feedback regarding using the service, providing assistance to get better solutions, or offering you a discount to get more value from your membership and to ease the cost while you get more familiar with the site. We sell a membership to implementing better technology solutions, learning new technologies, and building professional networks to advance your career.
If this does not interest you at all, I am happy to cancel your account and confirm the cancellation through email like I offered. If you are interested in trying the membership a little longer, I can offer you discounted renewals for the next 6 months at $5.95 to make the membership more affordable and give you more value.
Please respond to this email with your answer and I will honor your request. Or, you can call me at P#877-211-8911 ext#231 (my personal extension) and I can offer some assistance in getting better results from your questions with the “request attention” system, used when your question goes unanswered, or unresolved, for more than 24 hours, and many other features the membership already offers you that you might not be aware of.
Thank you for your membership, we do appreciate it very much.
Regards.
Charles Nickerson
Customer Retention Specialist | Experts Exchange
Customer_Service@experts-exchange.com
p: (805) 787-0603 ext. 401 | f: (805) 593-0275
http://www.experts-exchange.com


So he ignored my 2nd cancel request, and continued to try and sell more products.

MAY 22, 2014  |  11:44AM PDT
Rick replied:
CANCEL!!!!!




Maybe that'll do it.
 

MAY 22, 2014  |  01:22PM PDT
Charles Nickerson replied:
Hello Mr. Romero,
Thank you for taking the time to contact us with your cancellation request.
Your Experts Exchange subscription has been cancelled as you requested to prevent future billing. A cancellation confirmation email has been sent to your email address rick@havokmon.com. Your cancellation confirmation number is 787758. You will continue to have access to your account until the paid time runs out on 06/09/2014.
Thank you for your membership with Experts Exchange and have a great day!
Regards.
Charles Nickerson
Customer Retention Specialist | Experts Exchange
Customer_Service@experts-exchange.com
p: (805) 787-0603 ext. 401 | f: (805) 593-0275
http://www.experts-exchange.com
 
Avoid signing up at this place like the plague.

Monday, March 3, 2014

SSL certificates for Tor Hidden Services

I know I'm going to get hit by the security community for this, but there's no good reason for a CA to not sign certificates for Tor sites.

Why?  The premise of signing a certificate is that the browser manufacturer has verified CAs (Certificate Authorities) as 'noble'.  By doing so, they include these CAs so users can establish secure connections with websites which are 'known' to be the correct owners. This is, ultimately, nothing more than a UI enhancement - keeping ignorant end users from seeing a scary warning page.

Unfortunately this trust breaks down very quickly.  Many SSL certs are issued via email to an address on the domain's whois record, and then signed for up to FOUR years.  It's a one-time spot check, which has failed before and will fail again, and it does not ensure the validity of the site beyond that point in time.  In addition, the CAs have gone all out marketing the implied security of SSL certificates as ensuring the website is secure.

That's as far from the truth as you can get. SSL only encrypts the CONNECTION. Signing the certificate just says someone made an effort to ensure the person who requested the certificate is truly affiliated with that domain/host.  Using an unsigned certificate still encrypts the connection, but browsers will throw an error because the 'CA' (you) that signed it has not been verified as trustworthy.
When you are looking for a 'green bar' in your web browser, all it means is some big company dished out a ton of money to be personally contacted by the CA to ensure they (at that moment) own the domain/host the certificate is being signed for.  That's it.

So how does this apply to Tor?  How do you verify a site owner for a TLD that doesn't have any registration whatsoever? 
Tor hidden service names use PKI to ensure the clients are talking to the correct endpoint.  This is EXACTLY what CAs sign certificates for. The only difference is that Tor does it for EVERY CONNECTION, while a CA does it once every FOUR YEARS.
An enterprising CA would just need to modify their verification system to connect to a specific page on a .onion hidden service, verify a pre-shared key, and you'd be set.  There's no purpose to EV certificates.  There's no need for 'wildcard' certificates. What's needed is a realization and end to the false advertising that CA signed certificates 'secure' websites - rather than scaring end-users into thinking a site is not secure merely because some CA didn't sign that site's certificate.


Since users don't change their ways, I think we should send the following to CAs:
I want to put an SSL cert on a Tor .onion site. Apparently this goes against your method of verifying 'domain ownership' by using whois data. I disagree with your methods - they're flawed and inconsistent. SSL signing is to verify the owner of the HOST (hence your wildcard certs costing more) and not the domain name - yet it's the domain contact that is used to verify a hostname 'owner'.

Tor hostnames (TLDs, for want of a better name) appear random but are based on PKI.  In fact, the destination host (hidden service) name is verified using PKI for EVERY CONNECTION - as opposed to a CA who sends an email once every FOUR YEARS or so.

So I'm asking for a change.  An option.  I'd like my Tor users (who are more advanced, but may still be ignorant of SSL) to not get that pesky "This site is not secure" warning - when in reality it's more secure than a signed SSL cert.  Why do I use SSL if Tor is more secure?  The hidden service is an endpoint within my network, and doesn't REQUIRE SSL, but I would still like to use it. It's convenience.
Your process would simply allow the CSR submitter to also submit a domain name matching URL, where they would post your PSK - instead of emailing the PSK to them as part of a link to click on. At that point, the rest of your process is the same.
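As an added example, not from the original post, here is the verification step the letter proposes, in Python: the CA mints a PSK, derives the challenge URL from the host name in the CSR, fetches it and compares. The challenge path, the function names and the local HTTP server standing in for the hidden service are all assumptions; a real CA would reach the .onion through Tor's SOCKS proxy.

```python
import hmac
import secrets
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical challenge path; a real CA would publish its own convention.
CHALLENGE_PATH = "/.well-known/ca-challenge"

def issue_challenge(csr_name: str) -> tuple:
    """CA side: mint a fresh random PSK and derive, from the host name in the
    CSR, the URL where the requester must publish it (nothing is emailed)."""
    psk = secrets.token_urlsafe(32)
    return psk, f"http://{csr_name}{CHALLENGE_PATH}"

def verify_challenge(url: str, expected_psk: str) -> bool:
    """CA side: fetch the challenge URL and compare in constant time.
    For a .onion name this fetch would be routed through Tor's SOCKS proxy."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            body = resp.read(256).strip()
    except (OSError, ValueError):
        return False  # unreachable or non-2xx: validation fails closed
    return hmac.compare_digest(body, expected_psk.encode("ascii"))

class PskHandler(BaseHTTPRequestHandler):
    """Hidden-service side: serve the PSK at the agreed path, nothing else."""
    psk = ""

    def do_GET(self):
        if self.path != CHALLENGE_PATH:
            self.send_error(404)
            return
        data = self.psk.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence per-request logging
        pass

def run_demo(publish_correct_psk: bool = True) -> bool:
    """Drive both sides; a local HTTP server on 127.0.0.1 stands in for the
    .onion service so the example runs without Tor."""
    server = HTTPServer(("127.0.0.1", 0), PskHandler)
    host = "127.0.0.1:%d" % server.server_address[1]  # stand-in for x.onion
    psk, url = issue_challenge(host)
    PskHandler.psk = psk if publish_correct_psk else secrets.token_urlsafe(32)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return verify_challenge(url, psk)
    finally:
        server.shutdown()
        server.server_close()
```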

Why would you want to do this?  As we move to a more privacy-based infrastructure, I don't believe you will want to get cut out as Tor (and other alternate 'Internet' services) are integrated into browsers and the CAs' relevance begins to diminish - each participant is cryptographically doing your job - https is technically not necessary. The best solution for you to stay viable and grow your business is to participate and make it pointless to ignore your services.

Thanks,


Friday, January 24, 2014

Spam via Google? Apparently Google has been hacked by the Chinese for months now


So, much like at many other email providers, spammers try to abuse VFEmail servers by creating thousands of accounts to use for SMTP sending.  We set daily limits per account, which forces this 'many accounts' issue - but we also have other throttling in place that prevents the spam from actually leaving our systems.

What's odd is that Chinese spammers have lately been coming FROM GOOGLE.  Now, it's not uncommon for ASPs and other hosting environments to be the source of spam - just like any email provider, we have no idea what the account holder will do until they've done it. But in this case, the spam is coming from Google, using the VFEmail accounts for SMTP Auth.  That's really odd, because I wasn't aware of Google allowing that sort of hosting or sending with a remote site's credentials.

[edit 3/3/14] Upon closer inspection, the DKIM header shows a Gmail-hosted domain, 1e100.net, as the source.  Google, fix it already.

Here's the relevant line -
Received: from unknown (HELO mail-ie0-f178.google.com) (YXNkLmxva0B2ZmVtYWlsLm5ldA==@209.85.223.178)
  by mail.vfemail.net with ESMTPA; 24 Jan 2014 02:42:16 -0000


According to whois, 209.85.223.178 is a Google IP.  Unfortunately, I'm only getting automated replies to my abuse emails.  So we'll see if this info gets their attention.

Here are the full headers -

Received: (qmail 88632 invoked by uid 89); 24 Jan 2014 15:18:43 -0000
Received: from localhost (HELO freequeue.vfemail.net) (127.0.0.1)
  by localhost with SMTP; 24 Jan 2014 15:18:41 -0000
Received: (qmail 35975 invoked by uid 89); 24 Jan 2014 02:42:17 -0000
Received: by simscan 1.3.1 ppid: 35953, pid: 35972, t: 0.0210s
         scanners:none
Received: from unknown (HELO smtp102-2.vfemail.net) (172.16.100.62)
  by FreeQueue with SMTP; 24 Jan 2014 02:42:17 -0000
Received-SPF: softfail (FreeQueue: transitioning SPF record at vfemail.net does not designate 172.16.100.62 as permitted sender)
Received: (qmail 631 invoked by uid 89); 24 Jan 2014 02:42:16 -0000
Received: by simscan 1.4.0 ppid: 625, pid: 628, t: 0.0694s
         scanners:none
Received: from unknown (HELO mail-ie0-f178.google.com) (SMTPAuthName@209.85.223.178)
  by mail.vfemail.net with ESMTPA; 24 Jan 2014 02:42:16 -0000
Received: by mail-ie0-f178.google.com with SMTP id x13so2137073ief.23
        for ; Thu, 23 Jan 2014 18:42:16 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=f5GsZjfdse0Y8c+H8IzzmEM6HLaZXgOiXDMgsohQc54=;
        b=aR7dijI0xORpdCVjWz5/mWPYv4B7zAXZdZfhRqrvDU0NhN0x0if/xgms8NOKgwLBiS
         iaygwYd8yTE0RXg2TX0HMarSsNwpe1LtAJtETILK5dgdu+f9QhUsKEnfmph986EWNCja
         zah5hWJLOD59MzqyIL8xvRAaw7Yav473gnjn2/pVs+8MZfa5iMy+LxV15hgczNjQ/TbG
         ZeBKbydJVYFy6yRMA8+l2P5bcqk3S29oQMDD2Bt7M2h9Hynk8K+Qzy1W1SwO2qpMI8qS
         B+nb//gPGvGACtlCy3O2KZrmtJSLaS/2RwSdbtMmiKx6tHkycwY+XjQi4Hqk61lyhfcc
         +IcA==
MIME-Version: 1.0
X-Received: by 10.42.64.17 with SMTP id e17mr8876684ici.26.1390531336210; Thu,
23 Jan 2014 18:42:16 -0800 (PST)
Received: by 10.64.229.8 with HTTP; Thu, 23 Jan 2014 18:42:16 -0800 (PST)
Date: Fri, 24 Jan 2014 10:42:16 +0800
Message-ID:
Subject:
From: chang chun
To: uxnr@email.com.cn, v6@email.com.cn, vacancy@email.com.cn,
        vagabond@email.com.cn, vagrant@email.com.cn, vance@email.com.cn,
        vanquish@email.com.cn, variation@email.com.cn
Content-Type: multipart/alternative; boundary=90e6ba3fcdab58111304f0ae4e1c


Update 2/1/14 - still nothing from Google.  They're totally hacked.

 --------------
MESSAGE NUMBER 4875719
 --------------
Received: (qmail 80547 invoked by uid 89); 1 Feb 2014 16:41:32 -0000
Received: from localhost (HELO freequeue.vfemail.net) (127.0.0.1)
  by localhost with SMTP; 1 Feb 2014 16:41:32 -0000
Received: (qmail 80286 invoked by uid 89); 1 Feb 2014 16:41:15 -0000
Received: by simscan 1.3.1 ppid: 80273, pid: 80280, t: 0.0295s
         scanners:none
Received: from unknown (HELO smtp102-2.vfemail.net) (172.16.100.62)
  by FreeQueue with SMTP; 1 Feb 2014 16:41:15 -0000
Received-SPF: softfail (FreeQueue: transitioning SPF record at vfemail.net does not designate 172.16.100.62 as permitted sender)
Received: (qmail 6407 invoked by uid 89); 1 Feb 2014 16:41:15 -0000
Received: by simscan 1.4.0 ppid: 6398, pid: 6402, t: 0.0851s
         scanners:none
Received: from unknown (HELO mail-vb0-f43.google.com) (SMTPAuthName@209.85.212.43)
  by mail.vfemail.net with ESMTPA; 1 Feb 2014 16:41:15 -0000
Received: by mail-vb0-f43.google.com with SMTP id p5so3789171vbn.30
        for ; Sat, 01 Feb 2014 08:41:14 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=7u8pwYRxgVJr58KdRsQpYbJ+VS6xSKmQescj2zcM4WY=;
        b=QEfLb4w2QT9/jNotKqT7WDvrFCMzLQiM96WprG3LDnAULvMbg2R98yVzC8At9Pomf3
         3rNoWLNp+XOy358ul8IvQsloHDCCUvmMDNiNC8A/G6rlzUA63y2qWiKTs98ALoV0PTZv
         GmNW+xR9fowGnQE/q59J64OXH8JoTKBGe9SUyMyZGsK0qo3LJ7DJc2PHgucLIGDOV81s
         uRO57Jbv4BYlv0BeG6e2WNo0PxmIWqrJ65DwFXRqOotTVyn8QwIFeaqfcbCSjdu74nWm
         FLRgmDvSUVUYtIXPimp1LidLTCmeMulp/YqBxPb9XhibpitT7l4UI4nVJI+L+PEsnCCl
         xvQA==
MIME-Version: 1.0
X-Received: by 10.52.61.168 with SMTP id q8mr6816vdr.40.1391272874597; Sat, 01
 Feb 2014 08:41:14 -0800 (PST)
Received: by 10.58.65.69 with HTTP; Sat, 1 Feb 2014 08:41:14 -0800 (PST)
Date: Sun, 2 Feb 2014 00:41:14 +0800
Message-ID:
Subject:
From: chang chun
To: xiaoyaojian@email.com.cn, xiaoyaoke@email.com.cn, xiaoyaoxu@email.com.cn,
        xiaoyaoye@email.com.cn, xiaoyaozi@email.com.cn, xiaoye@email.com.cn
Content-Type: multipart/alternative; boundary=001a1136b37479e2f104f15af5fa

NetRange:       209.85.128.0 - 209.85.255.255
CIDR:           209.85.128.0/17
OriginAS:
NetName:        GOOGLE
 


Ok does this really mean Google is hacked?  No, it shows there's at least one system at Google that is a spam source, but it could just be a few botnet members. I understand this sort of thing happens to everyone, but frankly, I'm sick and tired of cleaning this shit up.


Update - 3/3/14.   After blocking the above CIDR for a month, the spammers are now using a new one -

Received: (qmail 76016 invoked by uid 89); 3 Mar 2014 03:02:15 -0000
Received: by simscan 1.3.1 ppid: 75998, pid: 76006, t: 0.2433s
         scanners:none
Received: from unknown (HELO smtp101-2.vfemail.net) (172.16.100.61)
  by FreeQueue with SMTP; 3 Mar 2014 03:02:15 -0000
Received: (qmail 26663 invoked by uid 89); 3 Mar 2014 03:02:15 -0000
Received: by simscan 1.4.0 ppid: 26615, pid: 26641, t: 0.1460s
         scanners:none
Received: from unknown (HELO mail-we0-f179.google.com) (aThqN2subWZndEB2ZmVtYWlsLm5ldA==@74.125.82.179)
  by mail.vfemail.net with ESMTPA; 3 Mar 2014 03:02:15 -0000
Received: by mail-we0-f179.google.com with SMTP id x48so2491161wes.38
        for <817@qq.com>; Sun, 02 Mar 2014 19:02:14 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=pEGGLF9NMqHn49abWF4r9h3T2oZ2p/fE63y4TvKB2o0=;
        b=F5wEnRP4ZwkQgcMtnxzyAGW6Xim0JmOhGBYLBbMVaL3IbmAqmmOjI3ibYcIb+duG7m
         PAq2uyFKKBUcgPTYb9cCLDbBw0pU7ShZsFrpHFm6PrMpfXgxN8CPsoXp2zu7T8Klm7MH
         QVAz+shWX1yHMRyxiIJEK3YHOZud+DrBqSYyRS5w4gLNFJM1VWg1ITu8sqirrvkiAkZL
         GR0VXgIOb0US6hmjW2HA32GaijeoReXpKwt1cm86ugc3F2MSDOYDNuV0G0B1w2ax/aW8
         GilCb0FUImZDKuW0mMr+DPFLLQgk6psYu8ZgRYBJA7A4V1pbq8PyvI9YJKqKo0O/6w/l
         qVdg==
MIME-Version: 1.0
X-Received: by 10.194.2.70 with SMTP id 6mr13500638wjs.25.1393815732134; Sun,
 02 Mar 2014 19:02:12 -0800 (PST)
Received: by 10.216.9.1 with HTTP; Sun, 2 Mar 2014 19:02:12 -0800 (PST)
Date: Mon, 3 Mar 2014 11:02:12 +0800
Message-ID:
Subject: =?GB2312?B?19TTycPFIM7evec=?=
From: tryu werd
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary=047d7b3a817498a7dd04f3ab0383
Bcc: 817@qq.com


NetRange:       74.125.0.0 - 74.125.255.255
CIDR:           74.125.0.0/16
OriginAS:
NetName:        GOOGLE

Apologies to users at Google.
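As an added example, not from the original post, here is a Python triage helper for headers like the ones quoted above: it pulls out the authenticated-submission hop (the `with ESMTPA` line that carries the SMTP AUTH login, base64-encoded in some of the dumps, and the client IP) and checks the source address against the two Google ranges from the whois output. The sample headers are constructed; the login, recipient and queue ids are made up.

```python
import base64
import binascii
import ipaddress
import re

# Ranges from the whois output above (NetName: GOOGLE); extend as needed.
BLOCKED = [ipaddress.ip_network(c) for c in ("209.85.128.0/17", "74.125.0.0/16")]
# Authenticated-submission hop as qmail records it: the SMTP AUTH login
# (sometimes base64-encoded) and the client IP, then "with ESMTPA".
HOP_RE = re.compile(
    r"^Received: from \S+ \(HELO (?P<helo>[^)]+)\) \(\s*(?P<auth>[^@\s)]+)@"
    r"(?P<ip>[\d.]+)\)\s+by \S+ with ESMTPA"
)
# Constructed sample modelled on the headers quoted above; the login,
# recipient and queue ids are made up.
_AUTH_B64 = base64.b64encode(b"bob@example.invalid").decode("ascii")
SAMPLE_HEADERS = f"""\
Received: from unknown (HELO smtp102-2.vfemail.net) (172.16.100.62)
  by FreeQueue with SMTP; 24 Jan 2014 02:42:17 -0000
Received: from unknown (HELO mail-ie0-f178.google.com) ({_AUTH_B64}@209.85.223.178)
  by mail.vfemail.net with ESMTPA; 24 Jan 2014 02:42:16 -0000
Received: by mail-ie0-f178.google.com with SMTP id x13so0000000abc.1
        for <someone@example.invalid>; Thu, 23 Jan 2014 18:42:16 -0800 (PST)
"""

def unfold(headers: str) -> list:
    """Join RFC 5322 folded continuation lines back onto their header."""
    lines = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines

def decode_auth_name(token: str) -> str:
    """Return the SMTP AUTH login in clear text; leave non-base64 tokens alone."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return token
    return text if text.isprintable() else token

def find_auth_hops(headers: str) -> list:
    """(login, source_ip, helo) for every hop where a client authenticated."""
    hops = []
    for line in unfold(headers):
        m = HOP_RE.match(line)
        if m:
            hops.append((decode_auth_name(m["auth"]), m["ip"], m["helo"]))
    return hops

def is_blocked(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in BLOCKED)

def triage(headers: str) -> list:
    """Authenticated hops from a blocked range: lock that login, report the IP."""
    return [h for h in find_auth_hops(headers) if is_blocked(h[1])]
```

The login in the flagged tuple is the compromised or abusive local account to lock; the IP and range are what goes in the abuse report.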