Wednesday, November 4, 2015

Teenage script kiddies "Armada Collective" expose the problems with Privacy, Security, and openness.

So at VFEmail we've received this nice bit of extortion from some script kiddies:

Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on spam100.vfemail.net
X-Spam-Level: 
X-Spam-Status: No, score=0.4 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
 DKIM_VALID_AU,FROM_LOCAL_NOVOWEL,T_RP_MATCHES_RCVD,URIBL_BLOCKED
 autolearn=disabled version=3.3.2
Delivered-To: havokmon.com-rick@havokmon.com
Received: (qmail 28848 invoked by uid 89); 4 Nov 2015 01:02:28 -0000
Delivered-To: vfemail.net-postmaster@vfemail.net
Received: (qmail 28846 invoked by uid 89); 4 Nov 2015 01:02:28 -0000
Delivered-To: vfemail.net-admin@vfemail.net
Received: (qmail 28844 invoked by uid 89); 4 Nov 2015 01:02:28 -0000
Received: by simscan 1.4.0 ppid: 28791, pid: 28819, t: 1.0843s
         scanners: clamav: 0.95.2/m:51/d:9604
Received: from unknown (HELO mail.bitmessage.ch) (bmE=@172.16.100.34)
  by mx3.vfemail.net with SMTP; 4 Nov 2015 01:02:27 -0000
Received: from mail.bitmessage.ch ([146.228.112.252] helo=mail.bitmessage.ch)
 by assp102.vfemail.net with SMTPS(TLSv1_2 DHE-RSA-AES256-GCM-SHA384) (2.4.1); 3 Nov 2015 19:02:25 -0600
dkim-signature: v=1; a=rsa-sha256; d=bitmessage.ch; s=mail;
 c=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type:Content-Transfer-Encoding;
 bh=UjLFuJr9ZzE0RQuG7BJAwaVuMh0Nk6D70JnTVkYpBLo=;
 b=llMH7yYVuMqMr48O2/L9TU5QWYyNsKyHCIu6gLvj7u+PQ7HUY/9LhRIl/kLAADDT8B1hsSTTaA4qll5zwKWcNfzG/8uM08OH4bNgJQzVYbwT3VdU3TiJBB3+vcdeYKmHhUF+67175LkMWNVh+WC3FE3D/yv6CXCrqNkeRuQ7+NI=
Received: from www.bitmessage.ch (BITMESSAGE [127.0.0.1])
 by mail.bitmessage.ch with ESMTPA
 ; Wed, 4 Nov 2015 02:02:19 +0100
X-Squirrel-UserHash:
 BiRDVQY6MhhgXHsMACNYHlcqAGh+dGV2KlBbCgcKHW9Efl5HfCkMDhEDFl1DWVZQagoG
X-Squirrel-FromHash: cV1fVAcLRU8=
Message-ID: <7ca346ad05d1c5851004beb98d913125.squirrel@www.bitmessage.ch>
Date: Tue, 3 Nov 2015 17:02:19 -0800
Subject: Ransom request: DDOS ATTACK!
From: "Armada Collective" 
To: admin@vfemail.net
User-Agent: SquirrelMail/1.4.22
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Assp-ID: assp102.vfemail.net m1-98947-08027
X-Assp-Session: 8C5D5AD8 (mail 1)
X-Assp-Envelope-From: BM-2cTA6PdJ9DJ6y2DsFNLTCn95mbdnAtFor8@bitmessage.ch
X-Assp-Intended-For: admin@vfemail.net
X-Assp-Version: 2.4.1(14200) on assp102.vfemail.net
X-Assp-Client-TLS: yes
X-Assp-Message-Score: -10 (SSL-TLS-connection-OK)
X-Assp-IP-Score: -10 (SSL-TLS-connection-OK)
X-Assp-Delay: not delayed (auto accepted); 3 Nov 2015 19:02:27 -0600
X-Original-Authentication-Results: assp102.vfemail.net; dkim=pass spf=pass
X-Assp-Message-Score: -10 (SPF pass)
X-Assp-IP-Score: -10 (SPF pass)
X-Assp-Message-Score: 10 (Foreign Country CH (GREEN.CH AG))
X-Assp-Message-Score: 20 (Regex:BombRe 'PB 20: for cheap'  bombRe: 'cheap')
X-Assp-IP-Score: 20 (Regex:BombRe 'PB 20: for cheap'  bombRe: 'cheap')
X-Assp-Spam-Level: ***
X-Assp-DKIM: verified-OK

We are Armada Collective.

All your servers will be DDoS-ed starting Friday if you don't pay 5
Bitcoins @ 1C71QxTfzVVBJnkRg2cJpFXLALwDkfvNTz within 24 hours

When we say all, we mean all - users will not be able to access their
email at all.

Right now we will start 15 minutes attack on one of your IPs
(96.30.253.182). It will not be hard, we will not crash it at the moment
to try to minimize eventual damage, which we want to avoid at this moment.
It's just to prove that this is not a hoax. Check your logs!

If you don't pay by Friday , attack will start, price to stop will
increase to 410 BTC and will go up 5 BTC for every day of attack.
In addition, we will go publicly on social networks and recommend your
users to switch to more secure providers like Tutanota and ProtonMail.

If you report this to media and try to get some free publicity by using
our name, instead of paying, attack will start permanently and will last
for a long time.

This is not a joke.

Our attacks are extremely powerful - sometimes over 1 Tbps per second. So,
no cheap protection will help.

Prevent it all with just 5 BTC @ 1C71QxTfzVVBJnkRg2cJpFXLALwDkfvNTz

Do not reply, we will not read. Pay and we will know its you. AND YOU WILL
NEVER AGAIN HEAR FROM US!

Bitcoin is anonymous, nobody will ever know you cooperated.

So if you can't reach VFEmail - this is why.  Who are these little daisies?  It makes you wonder.  They tried to extort banks in Taiwan last month.  

Are they out for themselves, or working for Tutanota (who?) or Protonmail (I can't connect, maybe they're being DOSd)?   Why would they think we'd believe that they're honest enough to only perform illegal acts once or twice?  These can't be adults - maybe Nigerian scammers?  Though Tor and Bitmessage are a bit more advanced than the Nigerian scammers I've had to shut off.

Unfortunately this is the cost of privacy and security.  This is why the EU wants to ban 'strong encryption'.  Is your Gmail Calendar still down?  Who's running the botnet that is hampering your workday?
How do we infiltrate, and where do we begin?

Are you prepared to accept these costs?  The costs of downtime?  The costs of being 'disconnected'?
Personally,  I don't mind - I can live without this stuff for days.  But I've accepted responsibility for ensuring my users can get their mail - and frankly this is just out of my hands.

Much like main street, the Internet Tubes are filled with small businesses.  We can make laws in one country to help secure end-user systems (which are the likely source), but that doesn't cover other countries.  Non-first world countries where they are lucky to be online.

Who can see this bandwidth? Who can stop this?  I once had an argument with a nice German fellow - they have very strict privacy laws - about what the ISP can block.  You can't block anything in the EU.  In the US we're fighting for open access, and for good reason - but we still have to be responsible netizens. I think the ISP should have the flexibility to block potentially harmful traffic - whether it be email spam, fraud, or denial of service attacks.

This is the threat to the internet as we know it.  These DDOS extortionists.  Not only do they threaten the existence of your favorite online service, they threaten the Internet as a whole.  End users will want access.  Business will want reparations.  How can these guys be caught? Weak Encryption laws like those recently suggested in the EU.  Bandwidth throttling.  ISP service proxying and filtering.  We REALLY don't want these, but unless the black and grey hats put a stop to the worst offenders, we'll all suffer.

Any thoughts?  I'd love to hear them.  What's really bad is that they're not just affecting VFEmail and our silly little 10Mb line - I'm a local guy who supports a local ISP, not some global conglomerate buying from a Tier 1 provider with thousands of peers.  So when they attack, they're affecting a LOT of customers. Here's to hoping the Milwaukee FBI is a customer.

Friday, March 20, 2015

Why I think most 'email metadata privacy' issues are Sales FUD.

I run an email service. In fact I've run VFEmail.net since 2001 - that's before Gmail. There's been a lot of talk about privacy and re-writing SMTP to provide more encryption and 'mask' metadata.  Long articles about email headers and how correlation of To/From/Subject can lead to a 'highly accurate guess' without any actual content.  This is definitely a concern, especially because correlation only provides a guess. Let's take a look at what's really happening, from the ESP (Email Service Provider) side to the LEO (Law Enforcement Organization) side to better understand the problem.

So let's start with an email's structure. Emails are designed to be like letters. There is an envelope, and content. Take a closer look at this LaTeX Template for the content part:

As you can see - it has what's referred to as 'metadata'. There is 
To: "Prof. Jones".
From: "John Smith"
and various other address info.

Remember though - this is a letter.  It's enclosed inside an envelope.  This is the content of an email that you would see. The only way to retrieve the content or the metadata contained in this email, is to open the email itself.

The envelope, on the other hand, has similar data. It has a 'To', a 'From', and a 'Date' in the form of a Postmark. This is also metadata.

So what is the difference?  It's all the same you say?

IMHO, LEGALLY, there is a world of difference.
In addition, you can leave out the From address on the envelope - so keep that in mind. Also keep in mind - LEO are building a case.
An ESP isn't required by law to provide Inbox content because the target looked at a cop funny. To get that, an investigator must investigate. There must be evidence first, and a judge must sign off on that warrant. That's the point of checks and balances in our system (Of course, in regards to NSA vacuuming up data - we're no longer talking about legal activity).

Here's the confusion - As an email provider, I receive legal requests for metadata. That metadata is gathered from the SMTP logs - not the email contents. Those logs, in my opinion, likely also exist at the Post Office. I find it highly unlikely that all the automation in the USPS (including automated scanning of hand-written envelopes), doesn't get logged somewhere. In any case, if the investigator wanted INBOX CONTENT, they MUST request INBOX content.  Therefore, if the warrant does not include mailbox contents, I can only provide log data.

This is a VFEmail log:
2015-03-24 07:58:43.155818500 CHKUSER accepted rcpt: from [win-lotto dabspalsy.com::] remote [kit.dabspalsy.com:unknown:antispamip] rcpt [rick@havokmon.com] : found existing recipient

That log data comes from two places - the knowledge of the connection (Remote IP address, local time) and two commands - MAIL FROM and RCPT TO.  Those are pretty obvious.  Technically there is also HELO, which is a text identifier of the remote server.

As you can see - the recipient is there, me, and the sender is win-lotto@dabspalsy.com. Obviously Spam.  That's the envelope data.

Another point of confusion - Unlike USPS mail, Emails are processed in their entirety as they're passed through the system. That is, all the 'header' info (on the left, everything above 'deekayen,') is visible to the SMTP server during transmission. This is true everywhere, no matter what Lavabit claims.

What does that mean? It means that we can help stop Spam by checking the IPs of all the previous servers in the header to look for points of abuse. It means we can find delivery delays by checking the timestamps of each server in the header.  It does also mean that sometimes the Subject may be added to a log file - or any of the other header info. BUT, doing so is ENTIRELY up to the ESP.
Technically, during this processing, an ESP could easily write out an entire copy of this email for nefarious or legal purposes. This is also true everywhere, no matter what Lavabit claims - but in this post we're concentrating on the Metadata scare.
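The header walk the paragraph above describes (checking each relay's IP for points of abuse, and each relay's timestamp for delays) as an added Python example; this is not code from the post or from VFEmail. It uses only the standard library, takes as its sample the Received: lines of the extortion mail quoted in the November 2015 post above, and its function names are the example's own.

```python
"""Walk a message's Received: chain: which hosts handled it, from which IPs,
and how long each hop took (added example, not VFEmail's code)."""
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Sample input: the Received: headers of the extortion mail quoted in the
# November 2015 post, reduced to the hop lines plus a Subject (constructed here).
SAMPLE = """\
Received: (qmail 28848 invoked by uid 89); 4 Nov 2015 01:02:28 -0000
Received: (qmail 28846 invoked by uid 89); 4 Nov 2015 01:02:28 -0000
Received: (qmail 28844 invoked by uid 89); 4 Nov 2015 01:02:28 -0000
Received: by simscan 1.4.0 ppid: 28791, pid: 28819, t: 1.0843s
         scanners: clamav: 0.95.2/m:51/d:9604
Received: from unknown (HELO mail.bitmessage.ch) (bmE=@172.16.100.34)
  by mx3.vfemail.net with SMTP; 4 Nov 2015 01:02:27 -0000
Received: from mail.bitmessage.ch ([146.228.112.252] helo=mail.bitmessage.ch)
 by assp102.vfemail.net with SMTPS(TLSv1_2 DHE-RSA-AES256-GCM-SHA384) (2.4.1); 3 Nov 2015 19:02:25 -0600
Received: from www.bitmessage.ch (BITMESSAGE [127.0.0.1])
 by mail.bitmessage.ch with ESMTPA
 ; Wed, 4 Nov 2015 02:02:19 +0100
Subject: Ransom request: DDOS ATTACK!

body
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO = re.compile(r"\bhelo[= ]([^\s)\]]+)", re.IGNORECASE)
# "by <host>" only counts when <host> looks like a hostname (contains a dot), so
# the qmail "invoked by uid 89" hand-offs do not yield a bogus relay name.
BY_HOST = re.compile(r"\bby\s+([\w-]+(?:\.[\w-]+)+)", re.IGNORECASE)


def parse_received(value: str) -> dict:
    """Break one Received: value into relay, HELO, IP literals and timestamp."""
    text = " ".join(value.split())            # undo header folding
    clause, sep, date_part = text.rpartition(";")
    if not sep:                               # no ';' means no date (the simscan line)
        clause, date_part = text, ""
    stamp = None
    if date_part.strip():
        try:
            stamp = parsedate_to_datetime(date_part.strip())
        except (TypeError, ValueError):       # unparsable date: keep the hop, drop the time
            stamp = None
    # parsedate_to_datetime returns a *naive* datetime for a "-0000" zone;
    # treat that as UTC so hop times can be subtracted from each other.
    if stamp is not None and stamp.tzinfo is None:
        stamp = stamp.replace(tzinfo=timezone.utc)
    helo = HELO.search(clause)
    by = BY_HOST.search(clause)
    return {
        "by": by.group(1) if by else None,
        "helo": helo.group(1) if helo else None,
        "ips": IPV4.findall(clause),
        "time": stamp,
    }


def trace(raw_message: str) -> list:
    """Hops oldest-first, each with the delay in seconds since the previous timed hop."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()                            # the bottom-most header was added first
    previous = None
    for hop in hops:
        hop["delay_s"] = None
        if hop["time"] is not None:
            if previous is not None:
                hop["delay_s"] = (hop["time"] - previous).total_seconds()
            previous = hop["time"]
    return hops


def total_transit_seconds(hops: list):
    """Elapsed time between the first and the last hop that carries a timestamp."""
    times = [h["time"] for h in hops if h["time"] is not None]
    return (times[-1] - times[0]).total_seconds() if len(times) > 1 else None


def public_ips(hops: list) -> list:
    """Internet-routable IP literals in the chain, oldest hop first.

    Private and loopback hand-offs (172.16.x.x, 127.0.0.1) are the receiving
    site's own infrastructure and say nothing about where the mail came from."""
    seen = []
    for hop in hops:
        for ip in hop["ips"]:
            try:
                if ipaddress.ip_address(ip).is_global and ip not in seen:
                    seen.append(ip)
            except ValueError:                # regex matched something like 999.1.1.1
                continue
    return seen


if __name__ == "__main__":
    chain = trace(SAMPLE)
    for hop in chain:
        print(f"by={hop['by']!s:22} helo={hop['helo']!s:20} ips={hop['ips']} delay={hop['delay_s']}")
    print("public IPs:", public_ips(chain))
    print("transit:", total_transit_seconds(chain), "s")
```

Run stand-alone it lists seven hops: the bitmessage.ch webmail hand-off, the TLS delivery into assp102 six seconds later, the internal hop to mx3, the simscan scan (no timestamp) and the three local qmail deliveries, nine seconds end to end, with 146.228.112.252 as the only public address in the chain.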

Any provider, unless requested to examine full email contents, should only be providing the ENVELOPE data. That's it.

"I just read half this post, I don't want my emails correlated and a profile built of me, and you haven't told me anything yet!", you say. Not true, we've whittled down perception to reality. Unless the government is requesting a wiretap, they'll simply get MAIL FROM, RCPT TO, and REMOTE IP (at least from an ESP who is privacy conscious).

So let's look at the envelope again. Just like USPS mail, the MAIL FROM can be forged. But, if you forge the From on an envelope - returned mail won't be able to reach you.  At least not directly.

VFEmail provides what we call the 'Metadata Mitigator'.  It re-writes the MAIL FROM so both the local logs and the recipient server's logs show a unique MAIL FROM address. This address is parsed at VFEmail (if the email is returned), so a bounce doesn't get lost. Most importantly though, the log data on the recipient's server only shows that an email was delivered to 'Prof Jones' from 'Random account at VFEmail'.  This method has existed for decades and is known as VERP.  Though historically it's been used for managing mailing list member bounces, not for privacy.

Wait - what?  Yes, simply mask the MAIL FROM - and there will be nothing to correlate.  The recipient's log metadata, even if they only receive email from YOU - will simply show a single email from 'anyone and everyone' - no duplicates.  The recipient would need to be specifically monitored via a wiretap order to see that you had sent them more than one email.
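The rewrite described above, as an added Python sketch rather than VFEmail's own code: the domain example.net, the mm- prefix, the in-memory registry and the function names are assumptions of this example. Classic VERP puts the recipient address in the local part, which is what mailing lists need for bounce handling; for the privacy use here the local part is a random token that names nothing but a registry entry.

```python
"""Per-message MAIL FROM rewriting in the spirit of VERP, so a recipient's SMTP
log never shows the same sender twice while bounces still reach the real sender.
Added example: domain, prefix and registry are assumptions, not VFEmail's code."""
import re
import secrets
import time

DOMAIN = "example.net"       # hypothetical sending domain
PREFIX = "mm"                # hypothetical local-part prefix for rewritten senders
_registry: dict = {}         # token -> (original MAIL FROM, original RCPT TO, issued-at epoch)

TOKEN_RE = re.compile(rf"^{PREFIX}-([0-9a-f]{{32}})@{re.escape(DOMAIN)}$", re.IGNORECASE)


def rewrite_mail_from(original_sender: str, rcpt_to: str, issued_at: float = None) -> str:
    """Hand out a fresh, random MAIL FROM for one outgoing message.

    The local part is 128 random bits, so two messages from the same user carry
    unrelated envelope senders and the far side's log has nothing to correlate."""
    token = secrets.token_hex(16)
    _registry[token] = (original_sender, rcpt_to, time.time() if issued_at is None else issued_at)
    return f"{PREFIX}-{token}@{DOMAIN}"


def resolve_bounce(bounce_rcpt_to: str):
    """Map the RCPT TO of an incoming bounce back to (sender, original recipient).

    Unknown or malformed tokens return None, so a bounce to a guessed or
    expired address is simply dropped instead of reaching anyone."""
    match = TOKEN_RE.match(bounce_rcpt_to)
    if not match:
        return None
    entry = _registry.get(match.group(1).lower())
    return None if entry is None else (entry[0], entry[1])


def purge_expired(max_age_s: float, now: float = None) -> int:
    """Forget tokens older than max_age_s seconds (bounces do not arrive weeks
    later); returns how many entries were dropped."""
    now = time.time() if now is None else now
    stale = [t for t, (_, _, issued) in _registry.items() if now - issued > max_age_s]
    for t in stale:
        del _registry[t]
    return len(stale)


if __name__ == "__main__":
    # Three messages from the same user to the same professor: the recipient's
    # log shows three unrelated MAIL FROMs, each of which still bounces home.
    for _ in range(3):
        mf = rewrite_mail_from("john.smith@example.net", "prof.jones@example.edu")
        print(f"MAIL FROM:<{mf}>  ->  bounce resolves to {resolve_bounce(mf)}")
```

The recipient's chkuser-style log would record mm-<token>@example.net as the sender, so even a mailbox that only ever hears from one VFEmail user sees no duplicates; only a wiretap on the sending side ties the tokens together. A production version would keep the registry in a database rather than a dict, and purge_expired bounds how long a token stays resolvable.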

So why would we want to re-write the entire Email ecosystem?
We don't. It's a pointless exercise. It would remove many features we take for granted (Spam blocking, forwarding, queuing), and make things more difficult for users (No debugging info available ANYWHERE).

"But a rewrite fixes other issues too!" - so do the hundreds of alternate ways to handle email in its current form:  
- By using PGP (see above full email example), the 'user viewable' content of an email, everything under 'Date', is encrypted at rest and in transit.
- Using TLS will encrypt everything including the MAIL FROM and RCPT TO during transit - to prevent snooping, assuming you're not rewriting your MAIL FROM. Sure, the headers are available at rest, while the email is sitting in your INBOX. But no respectable mail system uses headers for log data. And again, in order to read those headers, the ESP should have a subpoena for full mailbox content.
- Worried about the ESP reading the mail headers in your INBOX? POP and delete your mail.
- Don't trust that a provider follows their policies? They claim they can't read your INBOX, but copy its contents to the FBI anyway? Run your own server - with SMTP being an open standard, you can choose from any number of packages and personally remove the last link in the metadata debate.

Done. You've just created 'DarkMail'.

Sunday, March 15, 2015

Why I will no longer use Chase bank

Once upon a time I had awesome credit - not anymore. Mostly due to Chase.
Sometime in 2006 Chase sent me a credit card offer - $20,000 credit, 0% until paid off. I should have saved the document. There was no '0% for 24 months' or 18 months or whatever. It was just straight up '0% until paid off'. I even called them to confirm. I should have recorded the call. I already had 3 other credit cards with them - totaling at least $15,000.
Looking back, I believe they intended it to be used for debt consolidation - I bought a motorcycle on it. A 'cash' purchase made negotiation easy, and with it being a credit card, if something were to occur I wouldn't need to meet potentially high monthly payments. I paid off about $10,000 before Chase revoked their offer and started charging me 12% interest.
That was problem #1 - and while it's MOST DEFINITELY their fault for straight up lying about their offer, I should have kept the offer and recorded the verification call.
Problem #2 came when they called me about fraud on a credit card. At this point I was no longer using Chase credit cards, and what I did have was kept in my safe. There was about $50 in iTunes charges. I asked the rep for all the info she could give me in regards to the charges (basically nothing, just 'iTunes' and the dates, no IP Address) - but I scoured my devices and accounts for an indication that possibly I left a credit card active on an account and one of my kid's used it. Nothing. I found no receipts, no purchases, no additional software or music anywhere.
This rep practically accused me of committing fraud. She didn't believe I didn't spend $50 on iTunes. I don't buy music online. I don't buy anything through iTunes because of previous DRM issues. Fortunately it didn't matter - Visa regulations say the customer is always right if there is no receipt.
That's when Chase exacted their revenge. They took all 4 of my Credit Card accounts and 'reviewed' them. They decided my $20,000 credit limit was a 'threat' to them, and dropped it down to $6000. They made similar claims and changes on each of my credit cards. They knocked at least $30,000 from my available credit.
Not a big deal, as I don't use it - right? Wrong. Your debt/credit ratio has a huge impact on your credit rating. These changes knocked 25 points off my credit rating. They got their revenge.
In addition - this 'review' is now a yearly occurrence. Every year, as I pay off credit cards that I used to be 'responsible for myself' (rather than file for bankruptcy) they drop my available credit to just above the current balance.  Lesson learned.

Don't use Chase bank. Go with a local bank/lender that doesn't have a record of lying and crashing the economy.

Wednesday, February 11, 2015

How Wyndham double dips and fucks over their 'owners'


So I'm a 'vacation owner'.  Yeah, I was stupid and bought this almost 15 years ago.  I fell for the lines and the empty promises.

They tell you things like "It's a real-estate investment", and "You get priority booking at your 'home base'".  It's all bullshit.  After dropping something like $6k on it, I now spend $30/month on Maintenance.  I get 120k points to 'spend' every other year.  So those cost me $720.
Common complaints:
  • That the timeshare interest purchased would appreciate and increase resale price and value over time.
  • That the timeshare interest purchased could be freely exchanged, transferred and sold.
  • That the timeshare interest purchased was a financial investment.
  • That the timeshare interest purchased would result in the purchaser receiving booking priority over non-purchasing vacationers wishing to stay at one or more of the properties owned and/or maintained by the defendant. 

What can I get for $720 every two years?  Well, I knowingly bought a single room for 5 days.  But it's a nice place, and I supposedly have priority booking.  In addition, those points can be used anywhere.

Using them is the problem. I tried to book my wife a weekend, and what did I find?
No Vacancy.  (Now this is after bitching to them after 2 weeks of their website not reporting inventory correctly).

So I started looking at Expedia for alternatives and came across the Wyndham Grand Desert, and what do I see?  Availability.
Not only that, but it's cheaper than WHAT I'VE ALREADY PAID.  Fuckers.
So I call Wyndham.  I knew I should have hit record on my phone.  The lady actually told me that it was a 3RD PARTY that was reselling their inventory.  Like I don't know what Sabre is.  Worse, after asking to speak with a manager, she put me on forever hold.
Now, they'll argue they don't use Sabre, that's fine - you can find the Grand Desert GDS codes here:
http://www.travelweekly.com/Hotels/Las-Vegas/Wyndham-Grand-Desert-Resort-p3630422
You'll note their 'WorldSpan' GDS number - Expedia will get their inventory via WorldSpan:
http://www.expedia.com/daily/home/vendor/gds.asp

Just for fun, I decided to also check out Hotels.com.  Yep - Inventory:

Still cheaper than what I paid, and I chose the 'free to cancel' option.  Hotels.com uses Sabre.
http://www.myeres.com/GDS.php

This is the norm.  I haven't used this timeshare in years because of awful availability and shitty customer service.