…and around it goes

May 24, 2010

Verizon hit my new truck today

Filed under: Personal, Cotse Related — steve @ 9:08 pm

One of their drivers hit it while it was parked in my deeded parking space.  Destroyed the front bumper cover and right headlight.  They did leave a note and phone number to call.  Verizon’s insurance will also pick up the damages.  Unfortunately, only the factory can make paint stick to a plastic bumper cover for any amount of time.  Once replaced and repainted, it will be flaking within two years.

Anyway, I don’t mention this solely because my truck was hit, I mention this mainly for our long term customers who are aware of our repeated issues with Verizon.  For those unaware, they cut our lines once and ripped out all the copper to our building another time (just to mention two issues, there have been more).  We are not even a Verizon customer.  Verizon seems to cross my path every spring.  It’s getting comical.  At least this time it wasn’t the service.  Too bad for my truck, though.

February 9, 2010

PPTP vs OpenVPN

Filed under: Cotse Related — steve @ 12:11 am

This is covered completely on our VPN pages, but I want to stress clearly that PPTP should only be used as a last resort.  Even then, it should be used in conjunction with SSH tunneling as additional protection.

PPTP has major flaws.  Its encryption uses the password as the key and its datastream carries a retrievable password hash.  To make that perfectly clear, someone can take your password out of the datastream and decrypt your traffic.

Granted, there is more to it than that.  They must somehow intercept your traffic, but while complicated, it is not impossible (we have seen and stopped attempts at ARP poisoning attacks).  They also must be able to crack the encrypted password hash.

There are tools to crack this.  However, a very complex password will take eons to brute force.  A common word, even if you replace vowels with numbers (this is too common, people), may be cracked in minutes.
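The point about vowel-for-number passwords can be checked before a password is ever used with PPTP. The script below is an added example, not code from the Cotse blog or service: it undoes the usual substitutions and tests the result against a wordlist (a small constructed stand-in here for a real cracking dictionary), and estimates exhaustive-search time for a random password of the same shape at an assumed guess rate.

```python
"""Check a VPN password the way a PPTP attacker's cracker would see it.

Added example, not code from the Cotse blog or service. The wordlist is a
small constructed stand-in for a real cracking dictionary; the substitution
table and the guess rate are assumptions for illustration.
"""
import itertools

# Constructed stand-in for a real dictionary of common words.
WORDLIST = {"password", "welcome", "secret", "letmein", "monkey", "dragon"}

# Common "vowels to numbers" substitutions, reversed. Each key maps to the
# letters it usually stands for; the character itself is kept as an option
# too, so decoration such as a trailing "!" is not forced into a letter.
UNLEET = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
}
DECORATION = "0123456789!@#$%^&*()-_=+.,?"


def unleet_candidates(password: str):
    """Yield every plain-letter reading of a substituted password.

    The number of readings grows with each substituted character, which is
    fine for passwords of normal length."""
    choices = [UNLEET.get(ch, "") + ch for ch in password.lower()]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def is_dictionary_based(password: str, wordlist=WORDLIST) -> bool:
    """True if undoing substitutions and stripping decoration yields a wordlist entry."""
    return any(cand.strip(DECORATION) in wordlist for cand in unleet_candidates(password))


def charset_size(password: str) -> int:
    """Size of the smallest set of standard character classes covering the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case exhaustive search time for a random password of this shape.

    The guess rate is an assumed figure for an offline hash cracker."""
    return charset_size(password) ** len(password) / guesses_per_second


def password_verdict(password: str, wordlist=WORDLIST, guesses_per_second: float = 1e9) -> str:
    """Classify a password the way a PPTP user should before relying on it."""
    if is_dictionary_based(password, wordlist):
        return "weak: dictionary word with substitutions"
    if brute_force_seconds(password, guesses_per_second) < 365 * 24 * 3600:
        return "weak: brute-forceable in under a year"
    return "ok"


if __name__ == "__main__":
    for pw in ("p4$$w0rd", "l3tm31n!", "Dr4g0n99", "xq9!Lz#r2Wv~"):
        print(f"{pw:14} {password_verdict(pw)}")
```

The dictionary check runs first on purpose: `Dr4g0n99` has a respectable character-class mix and a length that looks fine to the brute-force estimate, yet it is a wordlist entry with two substitutions and a numeric suffix, which is exactly the class of password the post says falls in minutes.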

OpenVPN is subject to none of these weaknesses.  It uses very strong certificate-based encryption (Blowfish).  Even if someone does intercept your traffic, they can gain nothing from it.  Use OpenVPN over PPTP.

December 24, 2009

The web really needs to forget some idiots.

Filed under: Personal, Cotse Related, Privacy — steve @ 3:13 am

By Stephen K. Gielda (sorry search engine seeding)

The web never forgets, however the big problem with this lies in the fact that everyone gets to record their voice on it.  I suppose it was inevitable, my daughter running a web search on my name. She quickly stumbled upon some of the pages and posts made by a few of the more unstable individuals whose path I crossed.

I hear my mother even fell for some forgeries pretending to be me.  Anyway, such is life in my chosen field.  I seem to have a small (very small) celebrity status in certain circles, and as with any (very small) celebrity I have my detractors as well.  The yang must balance the yin, I guess.  Unfortunately, the yang can be very loud.

A little history may be required. Back in 1998 through 2001 Cotse ran a free web interface that posted directly through the then replay, now dizum, mail2news gateway. It wasn’t anonymous, but it was private.  In addition we provided some cypherpunk resources.

In order to be responsible and address any real abuse that happened, we included our contact information in the headers of messages posted through our interface, so as to handle our own abuse issues so they would not be a load on alex (who ran replay/dizum in the NL). This was my introduction into the deep bowels of a thing called Usenet.

Usenet is a discussion forum. Many today think of it as Google Groups, because Google bought the Deja News archives, but Usenet is its own entity. Google is merely displaying an archive, making it searchable, and providing an NNTP web interface, allowing the masses to post through pretty web forms instead of a Usenet client.  Kind of like what we did on a much smaller scale (ours, not theirs).

Usenet is full of sociopaths. Forum kings and queens. If you have ever seen a craigslist rants and raves forum for any city, you know how it gets when you add a little anonymity. People are vulgar, scathing, insipid, beasts when they can hide. So it is inevitable that egos will clash and insults fly.

The name of the game is to seriously muddy your opponent’s name and if possible win your argument by account termination.  It includes forgeries and then complaining about the forgeries as if their opponent posted them.  The game is still being played across many forums on the Internet today.  It was one of the original reasons I began Cotse (Cotse’s privacy side began as a free web to news interface).

People were and are still losing their Internet access based upon exaggerated lies from someone they crossed online who knows how to play the game.   They are also ending up with their name returning 72,000+ hits due to some lunatic.  It still happens.  If the claims sound real, the forged headers look real, the forged “evidence” looks real enough…

So I created a web to news poster, to add a shield between them and their ISP and their identity.  Naturally this was going to place me (Stephen K. Gielda (more search engine seeding)) at odds with some of the most unstable of individuals when they had no one to attack personally but me.

In addition, that abuse info in the headers along with replay info also caused another problem.  It made some people assume that everything that came out of the mixmaster and cypherpunk remailers came from us.  There was no convincing them this was not the case.  It was also easy to forge (anyone could post directly to replay mail2news just like my form did).

When some did not get their way they came after me personally and my service.  There were many, but there were a few that really brought that little bit extra to the party. One example was an individual who contacted me demanding that I terminate the account of a user of ours who called him a liar.

He claimed that this was criminal libel and I was aiding and abetting a known criminal if I did not act and remove the account (there were no accounts at this stage). That his notice was enough to prove that I was complicit if I did not remove the account. He had entire volumes full of why it was my responsibility to silence my user.  I investigated, our user was not abusing our service in any way, it was a standard forum flamefest with both posters arguing heatedly.

So I (Stephen K. Gielda) informed him that we were not a court of law and could not determine if him being called a liar was libel and that he would need to file suit against our user if he believed it to be. That once we were notified of a subpoena for information, we would comply. Well, he went off the deep end.

The emails became more demanding, more threatening, more vulgarity laced.  He was going to make sure the entire Internet knew how evil a person I was if I did not terminate this account. He followed me wherever I went, attacking everything I posted anywhere.  He started forging me and my service.

Now here is where I made a mistake, being new to all this, I got fed up with him and his threats and said “Yes, I think it is perfectly ok that he called you a liar, I can certainly think of far more apt things to call you.  Now ___ off with all the threats and sue us if you have a case.  We are accepting no more email from you.”  And I blocked his mail.

He really went ballistic.  He started posting web pages dedicated to me. He called me every name in the book. He appeared in other forums and posted pretending to be different people making allegations about me. He posted that my business was a scam in many different web forums.  He started small, but rapidly moved to more serious allegations. He seeded search engines to make good on his promise that all would know.  He even found my address and called my local police and my neighbors.  I even received a visit from the FBI.

This continued for years.  Sometimes he’d taper off for a little, then come back from a different angle.  I finally had enough and shut down the web2news interface in favor of just mixmaster (because they can’t be traced back to us).

He eventually peaked in a flurry of anonymous posts asking for a contract killing for me (Stephen K. Gielda) (see the links here).  In fact one of those was printed out and stuck under my windshield wiper by someone who must have seen me and opted for the flyer instead.  Funny how he thought he should be able to post that all against me and keep his account, but I need to silence anyone using our web form for calling him a liar.

Yet the damage he did to my name (Stephen K. Gielda, sorry, I know it’s annoying) still remains; some of his pages return high in searches because of his search engine seeding.  Some of his forgeries do as well.  I never paid it much heed, because I figured anyone reading it all would see it was the work of someone unstable and easily see through it, but every once in a while I find myself explaining.  Something out of context appears in a search.

Unfortunately, the screams of the insane echo for quite some time on the Internet.  Perhaps this post will appear equally high in the search now and I won’t have to explain so many times.  I think he was committed somewhere.

Thanks,
Stephen K. Gielda

April 18, 2009

Tor vs Privacy Service

Filed under: Cotse Related, Privacy — steve @ 5:43 pm

I frequently receive questions similar to the following:

“I came across this link (http://cryptogon.com/?p=877), and was wondering if you folks were aware of this type of activity; also, can your Proxy/Tunnel service help to mitigate my exposure.”

Some questions also mention Tor and ask which is better protection.  I recently answered another of these and thought the (now slightly edited) answer was a good entry for this blog.

The answer:

No proxy service can guarantee to hide you from governments or guarantee flawless anonymity; there are too many areas of potential compromise in every one of them.  The closest to anonymity out there is Tor, due to its design, but because it still has to be as real-time as possible to be functional it is subject to traffic analysis: an entity who sees both sides can time your packets going in and match them to packets coming out by factoring in the delay it takes to pass through.  In an overly simplistic analogy, if cars maintaining the same steady rate of speed enter a tunnel staggered, and you know that they will slow down in the tunnel and by how much, you can calculate when each one of those cars will exit that tunnel even if they change lanes inside.
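The tunnel analogy can be run as a toy model, which makes the dependence on a steady delay visible. This is an added example, not part of the original answer: the flows, the assumed 250 ms tunnel delay and the jitter figures are all constructed, and the observer sees only entry times and unlabeled exit times.

```python
"""Toy timing-correlation model of the "cars in a tunnel" analogy above.

Added example, not part of the original post. The flows are constructed:
each packet enters the tunnel at a recorded time and leaves after the
tunnel's typical delay plus some jitter. An observer who sees both ends
matches every exit to the entry whose time plus the expected delay is
closest. The delay and jitter figures are assumed, not measured.
"""
import random

TUNNEL_DELAY = 0.250  # assumed typical transit time through the tunnel, seconds


def make_flows(num_flows: int, jitter: float, seed: int = 1):
    """Constructed sample: staggered entries, then shuffled exits with true labels."""
    rng = random.Random(seed)
    t = 0.0
    entries = []
    for flow_id in range(num_flows):
        t += rng.uniform(0.05, 0.15)  # entries arrive 50-150 ms apart
        entries.append((flow_id, t))
    exits = [(flow_id, t_in + TUNNEL_DELAY + rng.uniform(-jitter, jitter))
             for flow_id, t_in in entries]
    rng.shuffle(exits)  # the observer does not get the labels, only the times
    return entries, exits


def correlate(entries, exit_times, delay: float = TUNNEL_DELAY):
    """Observer's matching: each exit time -> id of the entry that best explains it."""
    matches = {}
    for t_out in exit_times:
        flow_id, _ = min(entries, key=lambda e: abs(e[1] + delay - t_out))
        matches[t_out] = flow_id
    return matches


def matching_accuracy(num_flows: int = 20, jitter: float = 0.010, seed: int = 1) -> float:
    """Fraction of exits the observer attributes to the right entry."""
    entries, exits = make_flows(num_flows, jitter, seed)
    guesses = correlate(entries, [t for _, t in exits])
    correct = sum(1 for flow_id, t in exits if guesses[t] == flow_id)
    return correct / len(exits)


if __name__ == "__main__":
    # A steady tunnel (small jitter) gives the observer near-perfect matches;
    # a tunnel that delays packets by widely varying amounts does not.
    for jitter in (0.010, 0.200):
        print(f"jitter +/-{jitter:.3f}s: accuracy {matching_accuracy(jitter=jitter):.2f}")
```

With jitter well below the spacing between entries the observer is right every time; once the per-packet delay varies by more than that spacing the matches fall apart. That is the trade-off the answer goes on to describe: the faster and steadier a service is, the less the observer has to work with to tell one user's packets from the next.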

One must also assume a large number of hostile exits with Tor (a researcher recently set up Tor exit nodes and published captured passwords and usernames (PDF); I have to believe that he’s not the only one who ever thought of this).  Yet even given these pitfalls, Tor is still the closest you can get to anonymity because of its decentralized approach and onion encryption.  That makes it the best protection from an entity who can only see the exit, which is most.  Unfortunately, given the nature of its setup (untrusted and potentially hostile end users running servers), it’s going to be slow and you should probably never use it to log into bank accounts, etc.  Even though many of those are end-to-end encrypted, you place yourself at a greater risk of man-in-the-middle attacks.  Your safest bet with those types of accounts is direct access; you lose little, as theoretically they already have your personal information.

Paid services and single hop proxies are even more vulnerable to traffic analysis because they are more centralized, strive for as little delay as possible (speed is everything to them), and pass through fewer hops.  It’s much easier to match the packets going in to those coming out (the faster the proxy the easier the traffic analysis).  They suffer somewhat like Tor in that you must trust that the service you are using is not capturing your logins and passwords or compromising you itself (i.e. maliciously being a man-in-the-middle), though you can trust most well known paid services in this regard (I would not easily trust free single hop proxies; I have to wonder what they get in return for the cost).  Where paid services really fall behind Tor is back tracing from an entity that can only see the exit.  Tor is going to provide you with better anonymity there.

Both Tor and paid services/single hop proxies can protect you from the unwashed masses as well as snooping ISPs.  Both can also provide you ways of accessing data you might not otherwise be able to access.  Tor will provide you with better anonymity than a paid service/single hop proxy will for an entity that only sees the exit, at the cost of speed.  But neither can protect you from a government that wants to get you.  To be honest, they likely wouldn’t even need traffic analysis in either case.  Their preferred mode of intercept for proxy users appears to be to trojan their machine via a vulnerability in either the browser software and/or plugins and through email or messaging client vulnerabilities (see: http://blog.wired.com/27bstroke6/2009/04/fbi-spyware-pro.html).

It all means that if you want to hide from a government focused on catching you, it’s going to take a lot more than just a proxy.

April 17, 2009

Recent reports about CIPAV illustrate a point

Filed under: Cotse Related, Privacy — steve @ 4:18 pm

For those unaware of CIPAV, you can get details here and here.  It’s really not a new concept but it does bring up a point I’d like to make again for the novices.  If the FBI can do it, malicious people or oppressive governments can do it too (and actually have been for some time).

It’s extremely important that you choose the software you use carefully and that you stay current with patches.  Many of your favorite applications have had serious vulnerabilities in the past and may so again in the future.  Only you can protect yourself from what is allowed to run on your machine.

Things running on your machine are your greatest risk.  They can get any information that is available to them and send it anywhere, negating any proxy or VPN, even Tor.  There is nothing automated that will secure everything for you and keep it all updated properly.  You will need to learn about your system and its configuration, pay attention to what runs on it, watch for reported vulnerabilities, and patch them.

Each system is different so I won’t try to go into details, but favor peer reviewed open source to closed source whenever possible and get it from jurisdictions that have no issues with how you intend to use it (helps minimize prospect of source tampering).  In other words, don’t download from any entity software you may be using to report abuses by that entity (this should be common sense).

Those of you in serious situations should lose the “cool things” on the net, like video, flash, java, and other plugins, or at least run something that makes them unavailable to untrusted sites.  Participation in Facebook, Myspace, and other large social networks should probably be avoided where possible in favor of a blog you fully control (users may request our web hosting, which allows even a novice to easily install and run things like this blog).

Try to remain as text based as possible on the Net.  Run antispyware, antitrojan, and antivirus software and frequently scan.  Don’t open unknown attachments and don’t follow unknown links sent by mail or message.  Don’t leave your computer on or able to be woken up when you are not at it.  And as always, stay up to date with security patches (not enough of you do this).

Google and ask what you do not know and investigate anomalies.  Everything mentioned is especially important for those of you reporting on abuses or accessing forbidden information from behind a wall of information blackout.

April 12, 2009

Fighting Zombies…and other things

Filed under: Personal, Cotse Related — steve @ 11:07 pm

I’ve been fighting spam zombies most of the winter.  We are currently hosting over 25,000 mail domains.  Some of these domains come from hosts that simply could not handle the volume of zombies and backscatter, or just dumped it all at the end user, some being hit with 30k bounces an hour of backscatter.  Others are our own domains, some of which spammers seem to love.  All of which need some protection where turning off the catchall just won’t do, and that’s where my milter comes into play.

This milter was started when sendmail first started featuring milters (we’ve been seeing zombies hit us hard for years and without the protection it would be nearly impossible to offer our service).  Since then it has evolved quite a bit.   The idea behind it is to dynamically identify infected end user machines spewing spam and block those while allowing all validly sent mail, including valid mail servers spewing spam, to still get through (the milter, anyway, then it’s user filters that will block).

It accomplishes this by evaluating a number of items: the HELO, the host and the number of other related hosts that hit and were identified as a zombie (i.e. how many other 123-123-123-123.example.coms have attacked), how it hit the server (i.e. slamming, number of concurrent attempted deliveries, etc.), number of unknown users it attempted to mail, spamtraps of ours it hit, and more.  Using all of these variables it creates a profile and matches against it.

At first it just dynamically managed a blocklist.  This got cumbersome fast as we grew.  The blocklist had to move to a db and I had to learn to be a better and more efficient programmer.  It now utilizes a few databases, incorporates dynamic blocking, backscatter protection per account or domain, and more.  It also creates a profile of valid mail servers and matches against those as well so that they don’t get caught even if they match the rest of the zombie profile (i.e. the server got infected).  The target is only zombies.  We’ve slowed on the number of zombies added, but still pump in a fair amount of new ones every day.  I do expect this to slow again, but I’ve zeroed the dynamic db a couple of times both to redesign it and to test its autolearning as I tweaked, so it’s still a rather large amount.
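The profile described in the last two paragraphs (HELO, related hosts already blocked, slamming, concurrency, unknown users, spamtrap hits, plus the exemption for hosts profiled as real mail servers) can be written down as a scorer. What follows is an added example and not the Cotse milter: the connection fields, the known-server list, the weights and the block threshold are constructed for illustration, where the real filter learns them from traffic.

```python
"""Score an inbound SMTP connection against a "spam zombie" profile.

Added example, not the Cotse milter described above. The connection
fields, the known-server list, the weights and the block threshold are
all constructed for illustration; a production filter would learn them
from traffic as the post describes.
"""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass
class Connection:
    ip: str
    rdns: str            # reverse DNS name of the connecting host ("" if none)
    helo: str            # what the client said in HELO/EHLO
    concurrent: int      # simultaneous delivery attempts from this ip
    unknown_rcpts: int   # RCPT TO addresses that do not exist here
    spamtrap_hits: int   # deliveries aimed at our trap addresses
    slammed: bool        # started talking before our banner was finished


# Constructed: hosts profiled as real mail servers. Spam from these still
# gets past the milter and is left to the per-user content filters.
KNOWN_MAIL_SERVERS = {"mx1.example-partner.net", "smtp.example.org"}

# Constructed: names only our own servers may use in HELO.
OUR_NAMES = {"mail.example.com"}

# Heuristic for end-user address space: dotted/dashed numbers or ISP pool words.
DYNAMIC_LOOKING = re.compile(r"(\d{1,3}[-.]){3}\d{1,3}|dsl|dyn|pool|cable|ppp", re.I)


def rdns_family(rdns: str) -> str:
    """203-0-113-45.dsl.example-isp.net -> dsl.example-isp.net.

    Zombies on the same ISP block share this suffix, so blocks from one
    host raise suspicion of its neighbours."""
    parts = rdns.split(".")
    return ".".join(parts[1:]) if len(parts) > 2 else rdns


def helo_suspicious(c: Connection) -> bool:
    """Empty, dotless, our own name, or a bare IP: none is a real mail server's HELO."""
    h = c.helo.lower()
    return not h or "." not in h or h in OUR_NAMES or h == c.ip


class ZombieProfiler:
    def __init__(self, block_threshold: int = 7):
        self.block_threshold = block_threshold
        self.blocked_per_family = defaultdict(int)

    def score(self, c: Connection):
        """Return (score, reasons) for one connection."""
        if c.rdns in KNOWN_MAIL_SERVERS:
            return 0, ["matches known mail server profile"]
        score, reasons = 0, []
        checks = [
            (bool(DYNAMIC_LOOKING.search(c.rdns)), 2, "dynamic-looking rDNS"),
            (helo_suspicious(c), 2, "bogus HELO"),
            (c.slammed, 2, "slammed the banner"),
            (c.concurrent > 3, 1, "many concurrent deliveries"),
            (c.unknown_rcpts >= 5, 2, "probing unknown users"),
            (c.spamtrap_hits > 0, 3, "hit a spamtrap"),
        ]
        for hit, weight, why in checks:
            if hit:
                score += weight
                reasons.append(why)
        siblings = min(self.blocked_per_family[rdns_family(c.rdns)], 3)
        if siblings:
            score += siblings
            reasons.append(f"{siblings} blocked sibling host(s)")
        return score, reasons

    def decide(self, c: Connection) -> str:
        """'block' or 'accept'; each block feeds back into the family counter."""
        score, _ = self.score(c)
        if score >= self.block_threshold:
            self.blocked_per_family[rdns_family(c.rdns)] += 1
            return "block"
        return "accept"


if __name__ == "__main__":
    # Constructed connections: an obvious zombie, a quieter neighbour on the
    # same ISP pool, and a known mail server that happened to hit a trap.
    p = ZombieProfiler()
    for c in (
        Connection("203.0.113.45", "203-0-113-45.dsl.example-isp.net", "mail.example.com", 8, 12, 1, True),
        Connection("203.0.113.99", "203-0-113-99.dsl.example-isp.net", "PC-OFFICE", 1, 5, 0, False),
        Connection("198.51.100.7", "mx1.example-partner.net", "mx1.example-partner.net", 2, 0, 2, False),
    ):
        print(c.ip, p.decide(c), p.score(c))
```

The quieter neighbour is the interesting case: on its own it scores just under the threshold, but once a sibling on the same pool has been blocked it tips over, which is the "how many other related hosts have attacked" input in action. The known mail server scores zero regardless of its spamtrap hits, leaving its spam to the user filters exactly as the post describes.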

Perhaps one day I’ll write a web interface to the db.  Its contents paint a very interesting map of infected end user machines, or spam zombies.  I’ve also been able to identify individual botnets by things as simple as the way they HELO (type server40.welcometelecom.ru into Google and see what I mean, you’ll see it show up as the HELO for a lot of spam with hostnames around the globe). Others are slightly more complex, being fed a list of HELO values along with the standard list of from addresses to use or using the machine name, but they form a pattern in other ways over time and become identifiable as well.

My mind is already running with ways to query this data and provide live statistics (number of zombies per botnet, domain, etc) that can be drilled down all the way to the list of machines and date last seen.  Unfortunately that is side work, which takes a back seat to the day to day running of the service so I have no idea when, or really even if, it will end up searchable like that.  Right now I have perl scripts that do it and I use the results to further tweak the milter.

BTW: Greylisting is dead.  I declare so now.  Nearly all zombies I have identified return, even after getting 550 returns to their delivery attempts (I’d say all but don’t yet have positive proof of all, but I do have positive proof that those which return within a typical greylist period are well above 90%.  What I don’t know is if they are resending or sending a new blast).  So those 4xx errors you greylisters return will also have the same zombie return.  If you are greylisting you are likely now accomplishing little but delaying your mail.

Other Battles:

Been battling a rather serious (but not fatally serious) health issue this winter (stomach/bowel).  It’s had me bedridden a lot.  This put a delay in some new features that were planned (they are still planned, just delayed).  I did get a chance to improve a number of backbone things.  Added bandwidth and server power to the mail network, further improved automatic failover (finally addressing the issue of “what if Verizon comes and rips out all the copper to the building again?”), redesigned our DNS, and fixed a number of bugs, but nothing that can really be identified by users as “hey, here’s something new”.

November 11, 2008

Winter Again

Filed under: Cotse Related — steve @ 12:08 am

It’s that time of season.  The time my family hates most.  The time I can go days without seeing the outside.  Life is boring for all who surround me as I bury myself in work.  It’s nearly winter.  Those of you who have been Cotse customers for some time have probably seen the pattern, summers we coast with only bug fixes, winters we buckle down for new development.  It’s a pattern that so far has worked well.

So far we have a few ideas for this winter, but no idea if any are the “one” you have been awaiting.  A new release to the webmail interface will happen and clean up some bugs as well as implement a few new features, but most of you use your own mail clients anyway.  There will probably be a redesign and consolidation of some milters, but that will be invisible to you (we hope), with the exception of some better filtering options.

We may offer an OpenVPN solution, perhaps in conjunction with a PPTP VPN option for those who cannot get OpenVPN working.  Not yet sure on pricing, but probably $14.95 a mo.  This will oust Socks Plus as our new top service (Socks Plus will still be an available service) and will include all services below it in that price.  There has been some interest expressed in this.

We’ll also upgrade some hardware, both system and network (hopefully this will be invisible to you).  Other than that we’re not set, so if you have any suggestions feel free to offer them to suggestions (at) cotse.net.  Please understand that you will not receive any feedback and we do not guarantee that all suggestions will be implemented.

I do apologize for not providing feedback, but we have found that some people get very upset if we don’t see things their way and do exactly what they told us to do, so we avoid that whole situation by not responding on any, but we do implement many.

June 3, 2008

My first umpc

Filed under: Personal, Cotse Related — steve @ 3:39 am

Until now I have been working with an ipaq hx4705 when away from my desk. I’ve loved it, but it has had its limitations. It’s ok for GPS, ebooks, music, contacts, a calculator, and basic PIM, but for remote work it’s not much good for anything beyond tethering to my phone for an emergency SSH session, which is doable, but really only for emergency use.

To work comfortably I need a little more than the ipaq can provide. So when traveling for any length of time I’ve carried an old 700 MHz Celeron Thinkpad that I bought back when I first started Cotse. It’s been long due for an upgrade but it has been enough to do what I need to do, so I have not been able to justify the expense of an upgrade (you save a lot of money not upgrading just because something newer and better is out). To be honest, I don’t know if I can actually justify it now, but when I saw the latest umpcs, it made sense.

I splurged and bought an OQO. The OQO is a umpc, this was a new term for me. It means Ultra Mobile PC, the goal being a pc in your pocket. I have always called my ipaq my pocketpc. After all, Microsoft calls it that. But the OQO really is a pocket pc. The one I bought is 1.6 GHz, 1 Gig RAM, 120 Gig drive with Sprint EVDO (I got Sprint to have access to both EVDO networks, Verizon via tethering to my cell if needed) with a 5″ LCD that runs at 800×480 and can zoom to 1,200×720 interpolated (which looks surprisingly good for interpolated).

I chose the OQO over the field of umpcs, some faster (read Sony UX), because of a few things. One was the integrated EVDO rev A, having that built in frees me quite a bit. The OQO also had the best fit and feel. It feels solid, it looks sleek, it is in outside design, near perfect. Nice screen, vivid, bright, and clear. It’s also an active digitiser, so inking is far better on it. The keyboard is very nice, far more usable than the others and it also has a few other desirable features, like hardware based crypto that I have yet to dig into.

I tried to take some pictures, but my camera seems to be having some difficulty, so no pictures. So far I love the OQO. I realize I’m taking a slight risk with a young upstart company (a group of Apple techs formed OQO in 2000. Apple Computer apparently wasn’t interested in developing the world’s smallest computer at that time so they struck out with their own company. Full story), but it’s a calculated risk.

OQO is US based, growing well, and seems to be getting rave reviews for their service, at least US based (foreign is a different story, very young and small, not many partnerships yet). I bought the accidental damage 3 year extended coverage because I know full well that being the smallest and so new a design/product means I’ll be using the coverage at some point.

I’ll try to keep this blog updated with my experiences. So far it’s an awesome device that gives me a fully functional, always with me, PC with broadband access (seeing 1 MBit plus speeds in all my tests so far) that I can keep in my pocket and whip out and use wherever I am. This is a first for me and I’m finding it very useful and freeing in using it to manage Packetderm/Cotse.

March 14, 2008

Holy Bounces Batman!

Filed under: Cotse Related — steve @ 3:21 pm

We are nearing three days of a massive bounce flood. During peaks we are seeing upwards of 1000 bounces a second in addition to our normal mail volume. Needless to say, we’re used to less and the new total of bounces plus normal traffic is three times our normal volume and choking the server periodically. Right now it occasionally stops accepting connections and sometimes it faults. It has to be babysat to keep going. To create the perfect storm for a bounce flood two things must be in place, complete idiots administering mail servers and one or more asshole spammers.

The idiot admin’s role is one of configuring their mail server to accept a message then reject it later for whatever reason. I’m going to say this only once, reject only at the connection, if you accept the message you keep it. Period. You do not accept then send a bounce. This is very poor etiquette and demonstrates a complete lack of knowledge about your subject. If you are running a mail server that you cannot configure in any other way, delete it. Don’t use it. It is broken. I don’t care if it has features you like, stop using it! Messages should either be rejected at the connection or accepted and if accepted you own them.

The asshole spammer’s role is simpler. He just configures his spamware to generate random names at some domain for the from line of his spam (because the from must contain a valid domain name to be delivered) and sends out 100 million messages utilizing some botnet. The end result is the forged domain gets hit with millions of connections from mail servers around the world delivering bounces to tens of thousands of non-existent accounts. A veritable flood of connections. This should be classified as a deliberate attack. The spammer has to know the result. This means he/she is doing it deliberately. Both the spammer and the product he is advertising should be held responsible for loss of business and damages. I also think the mail servers that accept then reject should also be financially responsible for the damages as their negligence played a big role.

Bounce floods suck. There is no way to stop them short of retiring the domain from e-mail by setting the MX to localhost. You can reject the bounces, but you are still getting pounded with connections, both to SMTP and DNS (all those millions of machines have to look up the MX record to deliver the bounce). It’s flat out a denial of service attack. Meanwhile all I can do is continue fighting to keep the server up, and hope it runs its course soon.
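The two roles in the "perfect storm" above, and the forged domain's limited options, can be modelled in a few dozen lines. This is an added example and not Cotse's milter or mail setup: the victim domain, its mailboxes, its outbound message-id log and the spam batch are all constructed. It shows a third-party server handling the same spam in the two ways the post contrasts, counts what reaches the forged domain, and then applies the forged domain's own RCPT-time and DATA-time checks.

```python
"""Why "accept then bounce" turns forged spam into a bounce flood, and what
the forged domain can and cannot do about it at its own SMTP front door.

Added example, not Cotse's milter or mail setup. The domains, mailboxes,
outbound message-id log and spam batch are all constructed.
"""
from dataclasses import dataclass
import random

VICTIM_DOMAIN = "example.net"                  # constructed: domain the spammer forges
LOCAL_USERS = {"steve", "support"}             # constructed: real mailboxes there
SENT_MESSAGE_IDS = {"<abc123@example.net>"}    # constructed: ids of mail we really sent


@dataclass
class Message:
    mail_from: str    # envelope sender; "<>" is the null sender bounces must use
    rcpt_to: str
    message_id: str   # for a bounce, the id of the message it claims to return
    is_spam: bool = False


def spam_batch(n: int, seed: int = 7):
    """Constructed spam run: every message forges a random sender at the victim."""
    rng = random.Random(seed)
    return [Message(mail_from=f"{rng.randrange(10**6)}@{VICTIM_DOMAIN}",
                    rcpt_to=f"user{i}@somewhere.example",
                    message_id=f"<spam{i}@bot.example>", is_spam=True)
            for i in range(n)]


def receiving_server(msg: Message, mode: str):
    """Model a third-party server that decides the message is spam.

    reject_at_rcpt:     refuse inside the SMTP transaction; only the bot
                        sees the 5xx and nobody else is contacted.
    accept_then_bounce: take the message, decide later, and mail a
                        delivery failure to the forged sender: backscatter.
    Returns the bounce the server emits, or None."""
    if not msg.is_spam or mode == "reject_at_rcpt":
        return None
    if mode == "accept_then_bounce":
        return Message(mail_from="<>", rcpt_to=msg.mail_from, message_id=msg.message_id)
    raise ValueError(f"unknown mode {mode!r}")


def bounces_hitting_victim(batch, mode: str):
    """Bounces from the batch that are addressed to the forged domain."""
    return [b for b in (receiving_server(m, mode) for m in batch)
            if b is not None and b.rcpt_to.endswith("@" + VICTIM_DOMAIN)]


def victim_rcpt_decision(mail_from: str, rcpt_to: str) -> str:
    """Victim's RCPT TO policy: envelope only, nothing has been accepted yet."""
    local_part, _, domain = rcpt_to.partition("@")
    if domain != VICTIM_DOMAIN:
        return "554 relay denied"
    if local_part not in LOCAL_USERS:
        return "550 no such user"
    return "250 ok"


def victim_data_decision(msg: Message) -> str:
    """After DATA: a null-sender bounce for a message we never sent is backscatter."""
    if msg.mail_from == "<>" and msg.message_id not in SENT_MESSAGE_IDS:
        return "550 backscatter: we never sent that message"
    return "250 ok"


def flood_summary(n: int = 1000, mode: str = "accept_then_bounce"):
    """Connections the victim must answer vs. how many it can refuse at RCPT."""
    bounces = bounces_hitting_victim(spam_batch(n), mode)
    refused = sum(1 for b in bounces
                  if victim_rcpt_decision(b.mail_from, b.rcpt_to).startswith("5"))
    return {"connections": len(bounces), "refused_at_rcpt": refused}


if __name__ == "__main__":
    for mode in ("reject_at_rcpt", "accept_then_bounce"):
        print(mode, flood_summary(1000, mode))
```

The summary is the post's point in numbers: with every third-party server rejecting at RCPT nothing reaches the forged domain at all, while accept-then-bounce turns every spam into one inbound connection there. The victim can refuse each of those at RCPT (the forged local parts do not exist), and can refuse the rest after DATA because the bounced message-id is not in its outbound log, but it still has to answer every connection, and every sending server has already done an MX lookup to find it.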

Oh, and don’t get me started on this Sender Address Verification (SAV) bullshit so many run. Besides the fact that it is impossible to tell the difference between you and a bounce, your servers are also slamming me and contributing to the connection flood. Also of notable mention are the morons running Challenge/Response (C/R), I’m getting hit with thousands of challenges too. You both control your spam by making it my problem.

So to those running SAV, C/R, or a poorly configured mail server I say: Very poor etiquette, you fail basic admin 101.  I don’t care if you justify it by thinking “mine only sent one”, fifty million other idiots just like you thought the same thing and now I’m dealing with fifty million of those “it’s only one” connections. You are all equally culpable. Get off the Internet until you learn how to properly behave in a cooperative society!

PS: I realize I haven’t written here in nearly a year, I have no excuses. I’ll try to update more regularly but make no promises.

June 6, 2007

E-Gold

Filed under: Personal, Cotse Related — steve @ 12:36 am

The press is having a field day with this e-gold trouble. As you may be aware e-gold has been targeted by the US government because many child pornographers, stock scammers, and other fraudsters used it. As a result every article I have read makes it sound like everyone who used or accepted e-gold is a scammer. This is wrong.

E-Gold is a payment method we once accepted. We are definitely not a scam service, a child porn service, nor any of what the press is making out everyone who used or accepted e-gold to be. We are an advanced e-mail and web hosting service. To us it was just another method of online payment to accept, like credit cards and paypal. A way to pay online.  For years the press was favorable about e-gold.  We started accepting it as a payment method because the press was raving about it as the new digital currency.

E-Gold is not new, we’ve accepted it ever since we opened. We opened the account under our legitimate business name. We operated it just as we do paypal and our merchant account for credit cards. But now seven years later apparently everyone who used it is some type of scammer. That is an unfair characterization. Many legitimate businesses accepted e-gold for the same reasons we did.

Now because scammers liked that service it’s got a bad taint to it. Our account there has not been frozen but it may as well have been frozen. There is now no way to get at any of the payments our users made to us through e-gold because there are no longer any out exchanges as everyone runs from e-gold. The lost money isn’t the big deal here, it’s the broad labeling from the press.

Not everyone who used or accepted e-gold is a crook and I wish they’d stop alluding such. We are not the only legitimate business who accepted it as a payment method. Now I find myself worrying that paypal is next and wonder if we should stop accepting that ahead of time before all the headlines start saying “everyone who uses paypal is a child pornographer and crook”.
