

How a Google Headhunter’s E-Mail Unraveled a Massive Net Security Hole - trendspotter
http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/
"Harris wasn’t interested in the job at Google, but he decided to crack the key and send an e-mail to Google founders Brin and Page, as each other, just to show them that he was onto their game."
======
Cogito
Full article: [http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-...](http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/all/)

------
wia
Sloppy work by affected companies since RFC was unambiguous. But why didn't
RFC keep it consistent by requiring verifiers to only work with the same
minimum key length?

RFC 4871 (sorry for formatting but ipad issue) " signers MUST use RSA keys of
at least 1024 bits for long-lived keys. Verifiers MUST be able to validate
signatures with keys ranging from 512 bits to 2048 bits, and they MAY be able
to validate signatures with larger keys. Verifier policies may use the length
of the signing key as one metric for determining whether a signature is
acceptable.

    
    
       Factors that should influence the key size choice include the
       following:
    
       o  The practical constraint that large (e.g., 4096 bit) keys may not
          fit within a 512-byte DNS UDP response packet
    
       o  The security constraint that keys smaller than 1024 bits are subject to offline attacks..."
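
A verifier-side policy of the kind the quoted RFC text permits (key length as one acceptance metric), as an added example that is not part of the thread or of any DKIM implementation. The 1024-bit threshold is taken from the quoted signer requirement; the function names are hypothetical, and the sample records are constructed from placeholder integers, not real RSA keys.

```python
import base64

MIN_BITS = 1024  # signer minimum for long-lived keys in the RFC 4871 text quoted above

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    _, spki, _ = _read_tlv(der, 0)            # outer SEQUENCE
    _, _, pos = _read_tlv(spki, 0)            # AlgorithmIdentifier, skipped
    tag, bitstr, _ = _read_tlv(spki, pos)     # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or not bitstr:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, rsa_key, _ = _read_tlv(bitstr[1:], 0)  # skip the unused-bits octet
    tag, modulus, _ = _read_tlv(rsa_key, 0)   # first INTEGER is the modulus n
    if tag != 0x02:
        raise ValueError("modulus INTEGER missing")
    return int.from_bytes(modulus, "big").bit_length()

def audit_dkim_record(txt):
    """Return (verdict, bits) for the TXT value of selector._domainkey.domain."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    tags = {k.strip(): "".join(v.split()) for k, v in pairs}
    if tags.get("k", "rsa") != "rsa":
        return ("not-rsa", 0)
    if not tags.get("p"):
        return ("revoked", 0)                 # an empty p= marks a revoked key
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return ("weak" if bits < MIN_BITS else "ok", bits)

def _tlv(tag, value):  # minimal DER encoder, used only to build the constructed samples
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_record(bits):
    """Constructed record: a placeholder odd integer of `bits` bits, not a real RSA modulus."""
    n = (1 << (bits - 1)) | 1
    ints = _tlv(0x02, b"\x00" + n.to_bytes(bits // 8, "big")) + _tlv(0x02, b"\x01\x00\x01")
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + _tlv(0x30, ints)))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    print([audit_dkim_record(sample_record(b)) for b in (512, 768, 1024, 2048)])
```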

------
seacond
Seems to be some conflation in this thread. Are DKIM and authentication (PGP)
really comparable in practice?

Here's my take: DKIM is an attempt by _third parties_ (i.e. "email providers",
not the author or the recipient of the message) to control who can send email
(but guess what? anyone can send email, go figure). On the other hand,
authentication (PGP) is an attempt to allow senders to sign messages and
receivers to verify signatures (no third parties needed).

Bob printed his PGP public key on a card and gave it to Alice when they had
lunch. He then signed an email message the following week using PGP and sent
it to Alice. But Bob's "email provider" decided to block Bob's message because
Bob didn't pay money to someone for the use of a "domain name" and Bob's
"email provider" thought his email was "spam" because he hadn't been
"authorized" (by paying money for use of a domain name) to send email.

------
meshko
I find it cute how clueless mathematicians and physicists are about how
clueless we (programmers) are. Weak crypto? Assume it is a puzzle!

------
eranation
Ok, this got me scared, checked with Sendgrid support, of course they use 1024,
back to breathing again.

------
tolos
What a happy ending, no threats of jail or lawsuits.

~~~
scotty79
It's still a bit of a letdown that they didn't contact him in any way. They
could at least track him and since he is a well meaning guy they could send
him something funny.

------
suyash
What is the Direct Link to this guy's website?

------
jere
> But the government of Iran probably could, or a large group with sufficient
> computing resources could pull it off.

Yes, I can see it now: _Iran endures crushing sanctions in order to pursue
spam email program._

~~~
jlgreco
The rule of thumb that I have heard, and seen played out, is that there are
basically 3 tiers of who can factor what: governments or government sized
companies (upper millions, or billions sized budgets), modestly sized
companies / research projects (millions), or hobbyists. Each can handle about
256 bits more than the next, and the time for one to reach the capabilities of
the other is somewhere between 5 to 10 years.

Hobbyists have been factoring 512-bit keys on a whim for a few years now,
so....

------
snowwrestler
DKIM is not the only tool for catching spoofed emails; to my knowledge SPF is
more widely used because it is much easier to set up. I'd be shocked if the
little Larry/Sergei joke email made it to their inbox since it would fail the
SPF lookup.

~~~
samuellb
Yes, lots of sites have SPF, but from what I've seen most sites set it to
soft-fail mode.

I think this is because SPF is still sometimes broken in practice. For
example, it can fail when there is misconfigured e-mail forwarding (e.g. mail
aliases) at _other_ people's servers[1]. Or with web forms that set the
envelope sender to the "From" field in a web page...

[1] [http://en.wikipedia.org/wiki/Email_forwarding#Forwarding_ver...](http://en.wikipedia.org/wiki/Email_forwarding#Forwarding_versus_remailing)

------
Evbn
Props to Wired for disclosing that their silly phony photo setups are phony. I
found that comforting.

Props to Google for fixing the problem instantly.

Weird that he thought the email was phony based on content. Who wouldn't want
a computer savvy math genius on their team? Google has lots.

~~~
meshko
Google very rarely hires pure mathematicians AFAIK.

------
pgsandstrom
Dangerous move, other companies would have set the police on him for that
stunt.

~~~
alexchamberlain
There are a lot of stories of people getting jobs by disclosing security holes
like this.

------
jgrahamc
Seriously old news... I attacked Facebook's 512 bit DKIM key back in 2010:
[http://blog.jgc.org/2010/06/facebooks-dkim-rsa-key-should-be...](http://blog.jgc.org/2010/06/facebooks-dkim-rsa-key-should-be.html)

~~~
tptacek
I'm curious to hear what you think about DKIM in general.

~~~
jgrahamc
At one time DKIM and SPF were good indicators that an email was spam because
spammers adopted it so that their mail looked more legit.

I never look at DKIM or SPF. If I really care about who a message comes from I
use PGP. It's a handy input for learning spam filters that use it as one piece
of information, but it has about a 10% failure rate (legit mail where the
signature fails to verify because of message manipulation in transit). It's
most useful if the domain it's matching against is also trusted in some way.
For example, a good signature against google.com is likely to mean the mail is
good; a good signature against frohfuwehfwo.biz is not very helpful unless we
know that that domain always sends spam.

Also, the most important piece of mail I ever received (from the Prime
Minister's office) came without SPF or DKIM and I authenticated it by calling
the office. In general, external authentication like that tends to reassure
me.

------
Kliment
I got one of those emails too once. I still can't figure out why. I did post
to LKML a couple times in the past, but I haven't done anything kernel in over
a decade. And a random Google recruiter emails me to congratulate me on my
experience and offer me an unspecified position as a SRE. Not only do I have
zero experience or interest in sysadmin and large server type stuff, they
don't even have any facilities within 400km of me. What the fuck, Google?

~~~
HerraBRE
In my experience (ex-Googler here), recruiters tend to be contractors who work
off a script and get bonuses proportionate to how many people end up in the
hiring pipeline. There are checks and balances to prevent outright spam, but
the motivations are aligned in such a way that a pretty wide net is cast.

Also, until you have interviewed, all positions are "unspecified". Many
positions need to be filled and they don't pick one for you until they know
what you can do.

Geography is not really considered to be an issue. Once SRE finds someone they
really want they will help with relocation.

~~~
cyber
Also an ex-Googler here, they cast the net far and wide trying to pick up SRE.
When I was there they were offering significant bounties for submitting
recommendations that only had to make it past the resume screen. Want a brand
new shiny PS3? Less than 10* that made it past the resume screen, and it was
yours.

I had additionally heard rumors that recruiters were so silo'ed that they
would actually just throw away a resume rather than route it. Reason being
that they were in a competition with all recruiters, and worst performers
(based strictly on a numbers game) didn't get their contracts renewed.

*May have been as low as less than 5, it's been a few years, and I never really took to memorize what was posted on the wall while I was at the urinal.

------
Sami_Lehtinen
Well, afaik key length isn't the problem. Weak algo is. I assume they use RSA,
they should use ECC. 512 bits is more than enough.

<https://www.nsa.gov/business/programs/elliptic_curve.shtml>

~~~
mikeash
That doesn't make much sense. There are key lengths for which RSA is strong,
and key lengths for which ECC is weak.

ECC keys may be stronger at shorter lengths, but that hardly means that key
length isn't the problem. After all, using a longer key would fix this
problem.

~~~
dfox
Using ECC would solve this particular problem, because in both DKIM and DNSSEC
usage of key lengths of 512 to 768 bits and not more are motivated by what can
fit into one UDP DNS reply packet. Also for RSA signature size is equal to key
length, and not some small multiple of security parameter and you don't want
to expand messages by including large signature that might well be larger than
actual payload.

~~~
mikeash
Right. Either expanding the key length or using ECC would fix it. So saying
the problem isn't one of those, but is only the other, doesn't make much sense
to me.

ECC may even be a better solution, as you say, but that doesn't mean that the
problem isn't also one of an insufficiently long key.

------
jfc
I hope this guy's inbox is full of job offers. That's a heck of a find.

~~~
clicks
<http://www.linkedin.com/in/drzacharyharris>

Wow, the guy's a monster. Fluent in classical (and Levantine) Arabic, Chinese,
Greek; Top Putnam score (twice), teacher, Christian missionary. Sounds like
he's got drive.

~~~
jnhnum1
Nit-picky corrections:

1\. Top Putnam score _in Colorado_. There's a pretty big difference between
that, and say, top Putnam score in Massachusetts (which is more likely the
same as top overall due to many Putnam Fellows coming from Harvard or MIT).

2\. _Elementary proficiency_ in Classical and Levantine Arabic, Mandarin
Chinese, and Koine Greek

~~~
jacquesm
Can you beat any of it?

~~~
jnhnum1
Sure, I may have actually done better on the Putnam than he has. I've gotten
top 100 and top 200 before... but that really wasn't the point I was trying to
make. I was just making the correction because the original claim is, at least
to me, much more impressive than what is actually stated on his resume.

------
DanBC
> _Harris thought there was no way Google would be so careless, so he
> concluded it must be a sly recruiting test to see if job applicants would
> spot the vulnerability. Perhaps the recruiter was in on the game; or perhaps
> it was set up by Google’s tech team behind the scenes, with recruiters as
> unwitting accomplices._

Ha! That's optimistic.

~~~
Xion
Or paranoid. Or naive. Or narcissistic.

It _might_ be somewhat feasible if they wanted him to be a security engineer,
not a devop. Still, he expected they had set up what is essentially an
elaborate prank just to send a cold-call email to just one of probably
numerous potential candidates.

How likely is this? What would be the risk-to-reward ratio for doing that,
considering that many unsolicited recruiting mails are not even read? Isn't
it more feasible for it to be a genuine mistake on their part? Google's not
an infallible, omnipotent being after all.

~~~
rachelbythebay
Back when I believed the hype, I made the same mistake with materials from
Google's recruiters. They gave me driving instructions from SJC which left me
in the wrong part of the valley on a Friday night during rush hour (this was
before smartphone navigation). I figured it was some kind of test. It wasn't.

I called it my "cleverness attribution error" and wrote about it this summer:
<http://rachelbythebay.com/w/2012/06/19/attrib/>

I've run into it in a few other places, too.

~~~
zwischenzug
The chess champion Capablanca said that he was protected from losing games due
to minor blunders because his opponents assumed he was so brilliant that he
saw something they didn't, so they played safe and avoided taking advantage.

~~~
binxbolling
I think I read an article recently (probably highlighted on HN) that talked
about how Deep Blue did exactly this versus Kasparov. A bug caused it to make
a sub-optimal move, and it's quite likely Garry misinterpreted it as genius
and psyched himself out going forward.

~~~
zwischenzug
Yeah I'd read that. Kasparov was pretty freaked out by Deep Blue. He wrote
this:

"I got my first glimpse of artificial intelligence on Feb. 10, 1996, at 4:45
p.m. EST, when in the first game of my match with Deep Blue, the computer
nudged a pawn forward to a square where it could easily be captured. It was a
wonderful and extremely human move. If I had been playing White, I might have
offered this pawn sacrifice. It fractured Black's pawn structure and opened up
the board. Although there did not appear to be a forced line of play that
would allow recovery of the pawn, my instincts told me that with so many
"loose" Black pawns and a somewhat exposed Black king, White could probably
recover the material, with a better overall position to boot."

about a move most computers of the time would find pretty quickly, and most
decent human players would intuitively have thought OK at first glance.

<http://www.azillionmonkeys.com/qed/chess.html>

My theory is that a significant part of his game was based around human
psychology, so he found it hard to grasp computers. He played computer-
friendly risky openings as if to taunt the machine, and heavily talked up the
influence of the programmers on Deep Blue to an almost paranoid extent.

The result was that he lost against Deep Blue when he should have won fairly
easily if he'd been more disciplined.

------
seanica
“A 384-bit key I can factor on my laptop in 24 hours,” he says. “The 512-bit
keys I can factor in about 72 hours using Amazon Web Services for $75. And I
did do a number of those. Then there are the 768-bit keys. Those are not
factorable by a normal person like me with my resources alone. But the
government of Iran probably could, or a large group with sufficient computing
resources could pull it off.”

"But the government of Iran probably could"...At this point I stopped reading,
as this article became propaganda.

Did you know this month is National Cyber Security Awareness Month, as
advertised by the DHS?

<http://www.dhs.gov/national-cyber-security-awareness-month>

~~~
philh
> At this point I stopped reading, as this article became propaganda.

Even if that was true (it's not), how could you know it without reading
further?

~~~
seanica
What's not true? (what's 'it' that you talk about)

~~~
philh
The article did not become propaganda.

~~~
seanica
The article up to that point was great.

However, that sentence "But the government of Iran probably could" made the
preceding paragraphs appear to be a vehicle to deliver a meme (like a shaggy-
dog story). The rest of the article could have been great, I just stopped
reading.

The journalist _could_ have made a neutral statement about what entities have
the resources to crack a 768-bit key. But they or their editor chose not to.

Instead, everyone that reads the article will go away with the meme "Iran, if
they wanted to, could crack 768-bit keys". Which is, by common definition,
propaganda.

It might be unintentional, i.e. the journalist is riding a wave of popular
opinion, which they should not do; or it might be an attempt to load the
article with link bait.

~~~
stanleydrew
I don't understand. That statement was part of a quote during the interview. A
single, continuous quote. Do you consider reporting what someone said to be
propaganda? Should the journalist have left out that part of the quote?

~~~
seanica
Good observation. I stand corrected. I wonder how Zachary Harris would defend
the lack of neutrality of that quote, if he was asked to do so.

------
tptacek
DKIM is an anti-spam mechanism. It does _not_ authenticate the sender of an
email message; to do that, use something like PGP. This is an interesting
story, but it's not a story about a "massive net security hole". Mail on the
Internet has always been spoofable.

~~~
Erwin
Gmail (possibly Hotmail) put a little lock icon next to DKIM authenticated
email from some senders, such as eBay & PayPal and outright reject
unauthenticated emails from such domains. They've flaunted this feature in the
past.

So if an authenticated PayPal email pops up in your Gmail inbox saying you
must do this and that to unlock your account, you may be more likely to do so
due to the legitimacy of DKIM.

~~~
tptacek
The reality is that people will act on "Paypal" mail that comes from
"Payapal.ng". Let's not pretend that DKIM has much to do with that decision. I
agree, though, that the little lock in the Gmail UI is misleading.

~~~
downandout
Just register serverX-paypal.com (where x is a number) ftw. People in general
are stupid. When asked what browser they use, the overwhelming majority
respond by saying "Google". That says all that needs to be said about the
general public.

~~~
onthedole
Quite a sad view of humanity. I don't think people are stupid, I think they
just don't care and shouldn't care about the browser. It's a tool used to get
access to the information they need.

I am reading HN on chrome, but unless I go looking for what browser I use, I
wouldn't know.

~~~
shinratdr
Decoupling the concept of "you don't intimately know what I have spent my
entire life playing with" from "stupidity" seems to be really difficult for
the tech crowd.

Always sad. People willing to discount countless hours of expertise and
knowledge because a user doesn't know what the name of their browser is. As if
that means anything.

For example, I really don't give a shit if my neurosurgeon is aware of what
his browser is named. Nor would I dream of calling him stupid if he didn't.
Chances are he knows leaps and bounds more about me on most topics, just not
casual desktop computing.

Likewise, discounting someone entirely because they're uncomfortable with or
uninterested in computers is one of the most ridiculous, ignorant, and self-
absorbed things you can do.

~~~
001sky
This is a useful consideration. It appears to be an affliction of many (if not
all "experts") of various stripes.

~~~
drivebyacct2
I'm immediately tempted to apply it to politics. I won't, or at least
certainly not here, but it's interesting to think about.

