

The entire Steve Jobs email story... It's real - glhaynes
http://www.boygeniusreport.com/2010/07/03/the-entire-steve-jobs-email-story-its-real/

======
tsally
Regardless of whether the exchange happened or not, the claim that "[the email
headers] were legitimate, and that the entire thread would be extremely hard
to fake, if not impossible" is an exaggeration. For reference, open up the
headers of an email you've recently received from a Gmail address. Notice the
DomainKey-Signature field?

      DomainKey-Signature: a=rsa-sha1; c=nofws;
              d=gmail.com; s=gamma;
              h=mime-version:in-reply-to:references:date:message-id:subject:from:to
               :content-type;
              b=IBLt9oYlFSwflVBrLP4Rq64gpUeIHJMkvAjbVoYin9vugJBa4E4hxqfKeFLp/Gw3XT
               2V/PR4M4M/Kz9CU8n7poGJ+JUBcxyT4LZc4SYNHTV1TD6nmk77Pvl7E7f8uY1sAMrR9c
               F+2HiY9MMKgb0SlPdRVqUUF0QX9XoQRzA3jFs=

That's there because Gmail (along with a few other providers such as Fastmail)
implements what's called DomainKeys Identified Mail
(<http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail>). It can provide
cryptographic assurance that the domain name associated with an email is
valid. So using the DNS records on the Gmail domain, I can pull the public key
and verify the cryptographic signature.

      mil:~ tim$ host -t txt gamma._domainkey.gmail.com
      gamma._domainkey.gmail.com descriptive text "k=rsa\; t=y\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIhyR3oItOy22ZOaBrIVe9m/iME3RqOJeasANSpg2YTHTYV+Xtp4xwf5gTjCmHQEMOs0qYu0FYiNQPQogJ2t0Mfx9zNu06rfRBDjiIU9tpx2T+NGlWZ8qhbiLo5By8apJavLyqTLavyPSrvsx0B3YzC63T4Age2CDqZYA+OwSMWQIDAQAB"

If the signature is valid, I can be reasonably confident that the email is
valid. (Note that some sort of DNS compromise or attack would allow an
attacker to pass me a fake public key)

Now take a look back at the email headers in the article. There is no
cryptographic signature that you can verify. Note that if these headers are
made up, the forgery is quite good. There's even some nice SPF authentication
going on in there. But it's not impossible to forge these headers. In a
targeted attack, I could do just that. Depending on how much the guy got paid
for the story, it might even be worth the time.

(If there's someone with domain knowledge/experience etc. in this area and has
an addition or correction, I'd love to hear it)
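The check described in the comment above, written out as an added example (editor's code, not part of the original thread): it parses the DomainKey-Signature header quoted above, builds the selector name that `host -t txt` is asked for, decodes the RSA modulus and exponent from the p= value of the pasted TXT record (the DNS query itself is replaced by the pasted record so this runs offline), and then signs and verifies a constructed message in the same RSA-SHA1 PKCS#1 v1.5 scheme. DomainKeys signs the headers listed in h= together with the message body; the canonicalization below is a simplified stand-in for c=nofws (an assumption, not the RFC 4870 rules), and the toy key, the sample message and all function names are constructed for the example.

```python
"""Added example (not code from the original post): the DomainKeys check the
post describes, run on the header and TXT record quoted above, plus a
constructed toy key for the signing half.  Needs Python 3.8+ (pow(e, -1, m))."""
import base64, hashlib, hmac, re

# Header and `host` output pasted in the post above (the TXT string joined into one line).
PAGE_HEADER = """a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        b=IBLt9oYlFSwflVBrLP4Rq64gpUeIHJMkvAjbVoYin9vugJBa4E4hxqfKeFLp/Gw3XT
       2V/PR4M4M/Kz9CU8n7poGJ+JUBcxyT4LZc4SYNHTV1TD6nmk77Pvl7E7f8uY1sAMrR9c
       F+2HiY9MMKgb0SlPdRVqUUF0QX9XoQRzA3jFs="""
PAGE_TXT = ("k=rsa\\; t=y\\; "
            "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIhyR3oItOy22ZOaBrIVe9m/iME3RqOJeasANSpg2YTHTYV+Xtp4xwf5gTjCmHQEMOs0qYu0FYiNQPQo"
            "gJ2t0Mfx9zNu06rfRBDjiIU9tpx2T+NGlWZ8qhbiLo5By8apJavLyqTLavyP"
            "Srvsx0B3YzC63T4Age2CDqZYA+OwSMWQIDAQAB")
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # DER DigestInfo prefix for SHA-1

def parse_tags(value):
    """tag=value list of a DomainKey-/DKIM-Signature header or a selector TXT record."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)   # folding whitespace carries no meaning
    return tags

def selector_record_name(tags):
    return "%s._domainkey.%s" % (tags["s"], tags["d"])   # the name to query for the key

def der_read(buf, pos):
    """One DER TLV: returns (tag, value, next_pos); handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_public_key_from_txt(txt):
    """(n, e) out of the p= SubjectPublicKeyInfo; `host` prints ';' escaped as '\\;'."""
    spki = base64.b64decode(parse_tags(txt.replace("\\;", ";"))["p"])
    _, seq, _ = der_read(spki, 0)            # SubjectPublicKeyInfo SEQUENCE
    _, _alg, p = der_read(seq, 0)            # AlgorithmIdentifier (rsaEncryption)
    _, bits, _ = der_read(seq, p)            # BIT STRING, first byte = unused-bit count
    _, key, _ = der_read(bits[1:], 0)        # RSAPublicKey ::= SEQUENCE { n, e }
    _, n, p = der_read(key, 0)
    _, e, _ = der_read(key, p)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def pkcs1_sha1_encode(data, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-1(data) into k bytes (what a=rsa-sha1 means)."""
    t = SHA1_DIGESTINFO + hashlib.sha1(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sha1_sign(n, d, data):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_sha1_encode(data, k), "big"), d, n).to_bytes(k, "big")

def rsa_sha1_verify(n, e, data, sig):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, pkcs1_sha1_encode(data, k))

def signed_input(headers, h_list, body):
    """Stand-in for c=nofws canonicalization (an assumption, not the RFC 4870 rules):
    the headers named in h=, in that order, then the body, with all whitespace dropped."""
    text = "\n".join("%s:%s" % (h, headers[h]) for h in h_list) + "\n" + body
    return re.sub(r"\s+", "", text).encode()

def toy_rsa_keypair():
    """Constructed toy key from two Mersenne primes (2^521-1 and 2^607-1): trivially
    factorable, used only so the example needs no key generator or crypto library."""
    p, q, e = (1 << 521) - 1, (1 << 607) - 1, 65537
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def demo():
    """Sign a constructed message, verify it, then verify again after the body is edited."""
    n, e, d = toy_rsa_keypair()
    headers = {"from": "alice@example.com", "to": "bob@example.com", "subject": "constructed"}
    h_list, body = ["from", "to", "subject"], "Original body text.\n"
    sig = rsa_sha1_sign(n, d, signed_input(headers, h_list, body))
    genuine = rsa_sha1_verify(n, e, signed_input(headers, h_list, body), sig)
    edited = rsa_sha1_verify(n, e, signed_input(headers, h_list, "Edited body text.\n"), sig)
    return genuine, edited   # (True, False)

if __name__ == "__main__":
    tags = parse_tags(PAGE_HEADER)
    n, e = rsa_public_key_from_txt(PAGE_TXT)
    print(selector_record_name(tags), "->", n.bit_length(), "bit modulus, e =", e)
    print("toy key: genuine =", demo()[0], "body edited =", demo()[1])
```

The one step the offline version cannot reproduce is checking the pasted b= value against the pasted key, since the signed headers and body of that message are not on the page; with a real message in hand, `rsa_sha1_verify` takes the decoded b= and the canonicalized input. The demo half shows the property the verifier is relying on: the same key and signature that check out for the original body fail once the body is changed.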

~~~
bradleyland
There's a simple way around all of this, and it doesn't require a lot of
in-depth knowledge. Notice that DomainKeys says nothing about the content of
the email. It's only a tool for preventing false relay (spam), not content
forgery.

Let's say I email you with a simple question, you reply, and we trade emails
three or four times. Gmail supports IMAP, which lets me move emails to and
from my Gmail inbox without much trouble. So, all I need to do is move the
mail to a server where I can alter the content (I can leave the headers
intact), then copy the email back over to my Gmail inbox using an IMAP client.

I just did this using Mail.app on my Mac. It wasn't even all that time
consuming. The hardest (maybe most time consuming) part would be getting a
reply from Steve Jobs. I'm sure he doesn't reply to everyone.

The bottom line is that unless the mail was signed using something like PGP,
it can be forged using trivial methods.

------
ziadbc
Maybe Steve should just start twittering with a verified account. Also, in my
day we didn't get so mad at rumor sites for being right or wrong. If these
guys want to be journalists rather than muckrakers, that's fine. But if your
whole business is dealing with dirt, you've got to get used to getting dirty
(the readers and the writers).

------
ghshephard
tl;dr: Some email was sent by Steve Jobs, but the "It's just a phone...Retire"
comment was incorrectly attributed to SJ.

------
jkincaid
The email exchange was never that interesting to begin with. But if this is
true then it means Apple PR lied on the record about the story, which would be
significant.

------
temphn
The Burford guy starts out hysterical and continues hysterical.

I think it's bad policy for the CEO to respond personally to the most crazy
and unreasonable of customers. Much better to just let them rant on the web
rather than giving them a big platform and bringing yourself down to their
level.

------
bonsaitree
Is this content really within HN's bailiwick?

