Eliot Lear's Ramblings

WSJ: Let’s Differentiate!

As some may recall, I have had a love-hate relationship with the Wall Street Journal. Over the years they have had some great news, but their editorials have often been nothing short of ridiculous. I threatened some time ago to part ways with them, taking my money with me. Three changes make me think I should go ahead and cancel. First, there are videos now on the Journal home page. Here’s some news for the newspaper: if I wanted to watch the news, I could turn on CNN.

Today, however, the headline reads, “Dow Jones to Launch ‘Professional Edition’ of Wall Street Journal”. That’s right, for $45 per month, one can get news for professionals. To quote the article:

The targeted users are businesses and individuals who need more specialized information about energy or corporate bonds, for example, than is available from WSJ.com, but aren’t the large companies targeted for costlier services by Dow Jones Newswires or Bloomberg L.P.

That all sounds great, except isn’t that why I was already paying $149 per year? While the reporting on the Journal is good, it’s certainly not as good as it used to be. And indeed the New York Times has been doing a better job for all but financial news. I wonder where all the money to start up the new service is coming from? Might some of it be some of my subscription dues? Why should I believe this is anything other than a clumsy attempt to create differentiation? Sort of like when airlines added Business Class.

What’s your source for financial news? Maybe I should move my money.

Ole asks a great question

[not unusual for Ole, by the way.]

Why does security have to be so complicated?

Now knowing Ole as I do, this is of course rhetorical, but it does remind me of two conversations I’ve had. One was a long time ago. A friend of mine was part of a cable start-up team. Some of you will know who this was. He showed up at a conference with his big financial backer, and then told me, “Eliot, I’ve created the perfect parental control system.”

My response was simply, “Are you now – are you now or have you ever a child?” Nearly any child who is motivated enough will get around just about any parental block. Kids are smart.

The same is largely true with security. A former boss of mine once put it succinctly, that it’s either sex or money that motivate people, and that bad guys tend to use the former to get the latter. A great example are the miscreants who give away free porn by typing in CAPTCHA text, so they can get around some site’s security. I think it’s a little more than just those two motivations, but the point is that computers didn’t create crime. Crime has existed since Eve gave Adam the apple. The FaceBook scam occurs every day in the physical world without computers when eldery are taken advantage of in person. Computers simply provide a new attack vector for the same types of crimes.

Bad guys are as smart as good guys, but their best is probably no better than our best.

Paypal follow-up

Some people wonder whether the situation with PayPal is that bad. Well, at least the phishing part is. Today’s mail included this little gem from points unknown pretending to be PayPal:

Attention! Your PayPal account has been limited!

[…]

[Link to a phishing site]

This is the Last reminder to log in to PayPal as soon as possible. Once you log in, you will be provided with steps to restore your account access.

[…]

How did I know this was a forgery? Let’s take a look at the email headers:

Return-Path: <paypal@service.com>
Received: from mail.realinterface.com (mail.cecreal.com [66.101.212.157])
	by upstairs.ofcourseimright.com with ESMTP id n9GAJ9h3022332
	for <lear@ofcourseimright.com>; Fri, 16 Oct 2009 12:19:31 +0200
Received: from dynamic.casa1-15-233-12-196.wanamaroc.com ([196.12.233.14]) by
         mail.realinterface.com with Microsoft SMTPSVC(5.0.2195.6713);
	 Fri, 16 Oct 2009 06:32:45 -0400
From: "PayPal Services" <paypal@service.com>
To: "lear" <lear@ofcourseimright.com>
Subject: Your PayPal account has been Limited
Date: Fri, 16 Oct 2009 10:18:53 +0000
Organization: PayPal
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0000_01C6527E.AE8904D0"
Message-ID: <RI1BvDvIMYk5XYA4IyF00002a42@mail.realinterface.com>
X-OriginalArrivalTime: 16 Oct 2009 10:32:45.0859 (UTC) FILETIME=[00099730:01CA4E4C]

The first thing we note is the From: line. While this line can be easily forged, in this case, the miscreant forged not paypal’s domain but service.com‘s. Well, that’s not PayPal. This one was easy to establish as a fraud. But had we any doubts we would need look no further than the previous two lines (the last Received: header). If we look at the address 196.12.233.14, which is claimed to be dynamic.casa1-15-233-12-196.wanamaroc.com, we note that the name it has begins with “dynamic”. That name, and the numbers that follow in it, indicate that this is probably someone’s house or office PC, and not paypal’s email server. Note I’ve highlighted to “To” line, with the address lear@ofcourseimright.com. But that is not the address I’ve given PayPal.

What’s more, I happen to have an actual paypal.com set of headers to compare against. Here is what it looks like:

Return-Path: <payment@paypal.com>
Received: from mx1.phx.paypal.com (mx1.phx.paypal.com [66.211.168.231])
	by upstairs.ofcourseimright.com (8.14.3/8.14.3/Debian-6) with ESMTP id n9E8KIwI026171
	for <xxx@ofcourseimright.com>; Wed, 14 Oct 2009 10:20:39 +0200
Authentication-Results: upstairs.ofcourseimright.com; dkim=pass
	(1024-bit key; insecure key) header.i=service@paypal.ch;
	dkim-adsp=none (insecure policy)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=paypal.ch; i=service@paypal.ch; q=dns/txt; s=dkim;
  t=1255508439; x=1287044439;
  h=from:sender:reply-to:subject:date:message-id:to:cc:
   mime-version:content-transfer-encoding:content-id:
   content-description:resent-date:resent-from:resent-sender:
   resent-to:resent-cc:resent-message-id:in-reply-to:
   references:list-id:list-help:list-unsubscribe:
   list-subscribe:list-post:list-owner:list-archive;
  z=From:=20"service@paypal.ch"=20<service@paypal.ch>
   |Subject:=20Receipt=20for=20Your=20Payment=20to=XXX
   |Date:=20Wed,=2014=20Oct=202009=2001:20:17=20-0700|
   |Message-Id:=20<1255508417.22290@paypal.co
   m>|To:=20Eliot=20Lear=20<paypal@ofcourseimright.com>
   |MIME-Version:=201.0;
  bh=q82fwVBPBq26WHflKsNcdbCIf3Vcc5wRznZ9tfI8+8k=;
  b=OPyR7evc/VcnTZyDZSlYCh9oLm+vmKt8qsocqMrAr7y/kg3P5+DhO3mB
   UDbhkCvqu+owm45X1te+PxoREXR9aMEuuD20ltP2B5f5JWf/MjICk6zc6
   gYv6pY6ZRFKclXFGvtViJwv0LsW8N7uaoiZCAh5mxrjfuJaF+SmNyX23c
   I=;
Received: (qmail 22290 invoked by uid 99); 14 Oct 2009 08:20:17 -0000
Date: Wed, 14 Oct 2009 01:20:17 -0700
Message-Id: <1255508417.22290@paypal.com>
Subject: Receipt for Your Payment to XXXX
X-MaxCode-Template: email-receipt-xclick-payment
To: Eliot Lear <xxx@ofcourseimright.com>
From: "service@paypal.ch" <service@paypal.ch>
X-Email-Type-Id: PP120
X-XPT-XSL-Name: email_pimp/CH/en_US/xclick/ReceiptXClickPayment.xsl
Content-Type: multipart/alternative;
  boundary=--NextPart_048F8BC8A2197DE2036A
MIME-Version: 1.0

A few things to note: first, there my own mailer adds an Authentication-Results header, and in this case you see dkim=pass. It’s done that by looking at the DKIM-Signature header to determine if Paypal really did send the email. This is a strong authoritative check. Knowing that PayPal does this makes me feel comfortable to discard just about any email from paypal.com that lacks this header. Also, this email was addressed to the correct address (I’m not actually showing the address that I use). Not every site uses dkim and that’s a pity. One has to know in advance when to expect dkim=pass and one has to look at the headers to check.

Just by comparing email headers we can see that this is a poor forgery. And yet it takes time and effort for people to determine just that. And this is the risk that we consumers face. If one decides that any email one wasn’t expecting from PayPal is in fact a forgery, then should someone break into one’s account, one may not notice that there is a problem.

Summarizing, here are the things that I’ve done to limit the chances of something bad happening:

I use a single email address for PayPal that forgers are unlikely to know about.
I look for the Authentication-Results header.
Even if I think this is an authentic email, I will not click on links, but instead go to PayPal.com.

But it’s not all that easy for me. It certainly isn’t easy for those who haven’t been paying attention to all of this stuff as part of their job.

The Saudis would like some handouts, please.

Oil Here’s a rich idea reported by the New York Times: Pay oil producers for not producing oil. That’s right. Saudi Arabia wants “rich nations” to pay oil producers to help wean themselves from their dependency on oil. That is- oil exports. It’s just like paying farmers not to plant, right? Wrong. In this case, oil producers still sell what the market demands, it’s just that since the market will be demanding less, OPEC and the like will get less. According to the article, the Saudis have in the past gummed up the works on climate change protocols because of other nations’ refusal to accede to this sort of extortion.

Do the Saudis have a real problem? Yes. They and other large oil producers like Libya lack a sufficiently diversified economy, such that when oil prices dip, everyone suffers. This is known as Dutch Disease, and oil exports are right to be worried about it. Dutch disease happens because the demand of oil alone drives up national currencies, making all other industries in that country uncompetitive by price.

So here are a few questions:

Can oil producers wean themselves off of oil without economic assistance? After all, they’re taking in all of this money. Can’t they use some of it to develop other industries? It seems Dubai has been somewhat successful at this.
Would economic assistance actually help? If consuming countries gave them more money to compensate for losses of oil revenue, would producers just become dependent on the subsidy?
Isn’t there a broader picture here surrounding to the West’s relationship to the Middle East? Doesn’t good will count for anything? And don’t we need some of that good will in that part of the world?

Dutch Disease requires complex solutions. Simply providing a subsidy won’t do the job. In fact, providing a subsidy could in fact prop up the national currency and compound problems.

And then there’s the fact that most of us feel as though we’ve been held over a barrel by some of the countries in question, and would like to have done with entanglements in the middle east. Oil or no, however, the people in those countries are not going away. They and we need an equitable way to live together in the future.

Financial Institutions and Passwords

You would think that financial institutions would want individuals to choose really strong passwords that are difficult to guess. But in at least one very big case, you would be wrong. What makes a strong password? Several things:

A lot of characters. The more the merrier. The only limitation on this is that you have to remember All of That.
A lot of randomness. That is, words in a dictionary are bad, because attackers will often go through dictionaries to attempt to guess passwords.
Characters that are not letters or numbers. This increases the search space, given a certain sized password.

Now let’s review the actual guidance given by a very popular broker:

Your new password must:

Include 6-8 characters AND numbers

Include at least one number BETWEEN the first and last characters

Contain no symbols (!,%,# etc.)

Cannot match or be a subset of your Login ID

Examples of valid passwords: kev6in, 2be111, wil1iam

In other words, they’re violating two very big rules. The 6-8 character rule means that they are limiting the search space, and people cannot put together phrases, which are actually easier to remember than passwords. Removal of symbols from the search space makes it easier for attackers to perform a dictionary attack.

This site is not alone. Many sites have the same problem, and it is likely a problem with what their security professionals think is the industry standard. Well it’s a bad standard. Who takes on the risk? In the brokerage world, the chances are that you are assuming at least some risk.