Archive for the ‘Computer Security’ Category
I have no idea why Diallo Mamadou Oury, who lives in Dakar, Senegal, insists on using my email address to sign up for services and web sites all over the Internet (previous postings). But since he apparently feels entitled to share my personal information without my consent, I have no compunctions about sharing his. Here’s an email message that landed today in my inbox:
For some inexplicable reason, some guy who identifies himself as Mamadou Diallo, a.k.a. Bouba Diallo, has been creating accounts all over the internet using my email address for over two years now. I’ve written about this several times before.
It’s still going on… I just got email indicating that he created a Yahoo! account (“m.diallo76”) on May 6 using my email address. Needless to say, as has been my practice, I took over the account and closed it.
I wish I knew what the hell was going on here or what the perpetrator hopes to gain by doing this. I’ve wracked my brain but haven’t been able to come up with any ideas for how this might benefit him. Someone purporting to be him posted a comment on my blog in November 2012, but it just made things weirder, without shedding any light on what’s going on. That comment probably really was posted by him, since the IP address it came from shows up as Dakar, Senegal in GeoIP lookups, and that’s where he claims to live in the accounts that he creates.
If anybody has any ideas about what might be going on here, I’m all ears.
The privacy of our email is protected by the Electronic Communications Privacy Act (ECPA), passed in 1986, which requires law-enforcement officials to obtain a warrant before they may intercept and read private email.
However, the law has a critical flaw. The Stored Communications Act portion of ECPA (18 U.S.C. § 2703) extends full warrant protection only to email that has been in storage with a provider for 180 days or less; email “left on servers” longer than that can be obtained with a mere subpoena or court order, with no warrant and no showing of probable cause. That distinction made sense in 1986, when people downloaded their email and deleted it from the server, but it is completely obsolete in an era when email is deliberately left on servers so that people can read it from anywhere on any device.
A coalition of email service providers is seeking a revision of the law to treat email stored on servers the same as email stored on home computers. This revision should be written into law and signed by President Obama as quickly as possible to protect the privacy of American citizens’ email.
Please sign and pass on this petition to help convince President Obama and Congress to fix the ECPA!
For a while now, the web browser vendors and major purveyors of targeted internet advertising have been working on a proposal for allowing users to prevent web sites from tracking their online activity and using it to “customize their web browsing experience,” a.k.a., displaying targeted advertisements which are, theoretically, tailored to the person viewing them.
Web tracking and targeted advertising is big business. In fact, some would say that without it, most of the free web sites you visit every day simply couldn’t exist. Facebook, HuffPo, Reddit, Gawker, etc. all pay the bills by selling advertising that is carefully targeted to individual users based on their past web browsing activity.
“Do Not Track” advocates say that users should have the right to preserve their privacy. Opponents, on the other hand, say that it improves everyone’s web experience by making it more likely that the content and ads they see will be interesting to them, and that (as noted above) without targeted advertising, many web sites simply could not afford to continue offering free content. Advocates respond by saying that whether someone’s web experience is targeted should be their choice, and that if targeted advertising becomes less profitable, web sites will be able to find other successful monetization strategies.
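The proposal the two camps are arguing about is, at the wire level, very small: the browser sends a single request header, “DNT: 1”, when the user has opted out of tracking, “DNT: 0” when the user has explicitly consented, and nothing when no preference has been expressed. The following is an added example, not code from the original post or from any browser or ad vendor, of what a site that honors the header has to decide on each request. The request dictionaries, the cookie value and the site names are constructed; the Tk response header values follow the W3C Tracking Preference Expression draft.

```python
"""Added example (not from the original post or any browser vendor):
the Do Not Track mechanism as a server sees it.

The browser sends "DNT: 1" when the user has opted out of tracking and
"DNT: 0" when they have explicitly consented; no header means no preference
was expressed.  The request dictionaries at the bottom are constructed.
"""
from typing import Mapping, Optional


def dnt_preference(headers: Mapping[str, str]) -> Optional[bool]:
    """Return True if the user consents to tracking, False if they opted out,
    None if no preference was expressed (header absent or malformed)."""
    for name, value in headers.items():
        if name.lower() == "dnt":            # header names are case-insensitive
            value = value.strip()
            if value == "1":
                return False                 # user asked not to be tracked
            if value == "0":
                return True                  # user explicitly granted consent
            return None                      # unknown value: treat as unspecified
    return None


def tracking_allowed(headers: Mapping[str, str], site_default: bool) -> bool:
    """An explicit DNT preference always wins.  Only when none was sent does
    the site's own default apply, which is exactly the opt-out-by-default vs.
    opt-in question the two camps in the text disagree about."""
    pref = dnt_preference(headers)
    return site_default if pref is None else pref


def build_response_headers(request_headers: Mapping[str, str],
                           site_default: bool = True) -> dict:
    """Set a cross-site tracking identifier only when allowed, and report the
    decision in the Tk response header from the W3C Tracking Preference
    Expression draft ("N" = not tracking, "T" = tracking)."""
    response = {"Content-Type": "text/html"}
    if tracking_allowed(request_headers, site_default):
        response["Set-Cookie"] = "trk=0123abcd; Path=/; HttpOnly"  # constructed id
        response["Tk"] = "T"
    else:
        response["Tk"] = "N"
    return response


# Constructed sample requests.
OPT_OUT = {"Host": "news.example", "dnt": "1"}     # lower-case name is still honoured
CONSENT = {"Host": "news.example", "DNT": "0"}
SILENT = {"Host": "news.example"}

if __name__ == "__main__":
    for label, req in (("opt-out", OPT_OUT), ("consent", CONSENT), ("silent", SILENT)):
        print(label, build_response_headers(req, site_default=True))
```

Note that the header only expresses a preference; nothing in the protocol forces the server to act on it, which is why the argument in the text is about policy rather than mechanism. The site_default parameter is where that argument lands in code.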
A recent security breach exposed the plaintext usernames and passwords of almost 100,000 members of IEEE, the Institute of Electrical and Electronics Engineers. A researcher discovered them in 100 GB of log files inadvertently left open to the public on an IEEE FTP server.
Leave aside for the moment how incredible it is that the IEEE would employ someone so incompetent as to think it’s OK to put passwords in a log file. (Well-known industry best practice is not only to never log passwords, but to avoid logging even the usernames submitted on login forms, because people so frequently type their password into the username field by accident.) I want instead to comment on this graph that ArsTechnica published in their story about the breach:
(The graph was apparently published by Radu Dragusin, the researcher who discovered the breach.)
More accurately, I want to comment not on the graph itself, but rather on the caption which ArsTechnica published beneath it: “A breakdown of the 18 most common passwords exposed by IEEE suggest [sic] that engineers aren’t much better than lay people at choosing secure passcodes.”
In December 2010, the Wall Street Journal published a similar graph in an article about the breach of passwords for 188,279 users at Gawker. “123456” was the most common password there as well. That graph showed that approximately 3,077, or 1.6% of the 188,279 Gawker users chose the password “123456”. In contrast, only 271 of the 99,979 IEEE users, or 0.3%, chose that password.
Contrary to ArsTechnica’s caption, it would seem that IEEE users are “much better than lay people at choosing secure passcodes.”
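The logging point above is worth making concrete. Here is an added example, not IEEE’s code or the original post’s, of the anti-pattern that produced the leak next to a login logger that follows the practice described: secrets are never copied into the record at all, and the username is logged only as a keyed hash so that a password mistyped into the username box cannot end up in a log file either. The submitted form, client address and HMAC key are constructed.

```python
"""Added example (not IEEE's code or the original post's): what a login
handler should and should not write to its log.  The submitted form, the
client address and the log pepper below are constructed.
"""
import hashlib
import hmac
import json

# Fields whose values must never reach a log, in any form.
SECRET_FIELDS = {"password", "passwd", "pwd", "new_password",
                 "confirm_password", "otp", "token"}
# Identity fields: logged only as a keyed tag, because people routinely
# type their password into the username box.
IDENTITY_FIELDS = {"username", "user", "login", "email"}

# In production this comes from a secret store and is rotated; constructed here.
LOG_PEPPER = b"constructed-log-pepper-not-a-real-key"


def log_login_unsafe(form: dict, client_ip: str) -> str:
    """The anti-pattern behind the IEEE leak: serialise the whole form.
    The moment the log file is exposed, so is every password in it."""
    return f"login from {client_ip}: {json.dumps(form, sort_keys=True)}"


def account_tag(value: str) -> str:
    """Keyed, truncated HMAC of an identity field.  An analyst can still see
    that twenty failures hit the same account, but the log never contains
    the value itself, so a password mistyped into the username box cannot
    leak, and without the pepper the tag cannot be brute-forced offline."""
    return hmac.new(LOG_PEPPER, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def log_login_safe(form: dict, client_ip: str, success: bool) -> str:
    """Hardened record: secrets are dropped outright rather than masked (a
    masking bug cannot leak what was never copied), identity fields are
    replaced by account_tag, and only the *names* of other fields are kept."""
    record = {
        "event": "login",
        "ip": client_ip,
        "result": "ok" if success else "fail",
        "account": account_tag(form.get("username", "")),
        "other_fields": sorted(k for k in form
                               if k.lower() not in SECRET_FIELDS | IDENTITY_FIELDS),
    }
    return json.dumps(record, sort_keys=True)


def leaks_submitted_value(log_line: str, form: dict) -> bool:
    """Audit check: does any secret or identity value appear verbatim in the line?"""
    return any(str(v) in log_line for k, v in form.items()
               if k.lower() in SECRET_FIELDS | IDENTITY_FIELDS)


# Constructed sample: the user typed the password into both boxes.
SAMPLE_FORM = {"username": "Tr0ub4dor&3", "password": "Tr0ub4dor&3", "remember": "on"}
SAMPLE_IP = "203.0.113.17"

if __name__ == "__main__":
    print(log_login_unsafe(SAMPLE_FORM, SAMPLE_IP))
    print(log_login_safe(SAMPLE_FORM, SAMPLE_IP, success=False))
```

Dropping rather than masking is deliberate: a redaction routine that keeps the first few characters, or that misses a field with an unexpected name, still leaks, whereas a record built only from an allow-list of safe fields cannot. The leaks_submitted_value check is the kind of assertion worth keeping in a test suite so the property survives later changes to the handler.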
UPDATE [2013-02-13]: According to this article on Craigslist, as of February 10, 2013, they have implemented and are testing the idea I described below for fixing the problem described in this posting.
I recently placed a for-sale ad on Craigslist. I anonymized my email address in the ad, which means that the published email address was a random one at craigslist.org, and any responses sent to that address would be forwarded on to me.
Within 24 hours of placing the ad, someone responded to it, but the response contained nothing but the standard Craigslist boilerplate and a copy of the first line of the ad.
I thought perhaps the sender had made a mistake, or perhaps Craigslist’s mail gateway had corrupted the response, so I sent back a reply: “Are you interested in the [item]? You don’t seem to have said so in your email.”
Within 24 hours of sending my reply, I started to receive supposed responses to my ad, sent directly to my real email address, not through the anonymous address at craigslist.org. Some of these responses even used my real name in them. I received six such emails in three days. Yikes!
In the past, securing SSH on the public internet has been pretty much as easy as (a) keep your OS patched, (b) don’t let root log in with a password, and (c) run fail2ban, which blocks an address once it has racked up too many failed logins, to stop brute-force attacks.
Unfortunately, it looks like the bad guys have finally figured out how to put their bots to work running distributed SSH brute-force attacks. If so, then fail2ban, which only ever bans one address at a time after that address alone has failed repeatedly, is no longer going to be good enough, and more sophisticated (and inconvenient) measures are going to be needed.
Prior to December 1, the five machines I maintain with publicly accessible SSH servers had been probed by an average of 13 different IP addresses per day. On December 1, they were probed by 109 different IP addresses, a 738% increase over the prior average. On December 2 and 3, they were probed by 79 and 72 different IP addresses respectively. Not as high as the first day, but still quite a jump!
I saw this increase across the board on five different machines on four distinct networks run by four different network service providers. I’ve been in correspondence with someone at the SANS Internet Storm Center who says he’s seen a similar spike on machines he maintains.
It seems clear to me that someone is engaging in a distributed brute-force attack trying to break into servers as root via ssh.
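The following is an added example, not code from the original post or from fail2ban, showing why the per-address threshold in (c) above goes quiet during exactly the kind of attack described, and what does light up instead: the count of distinct source addresses per day across the fleet, compared against the days before. The sshd log lines are constructed in the usual syslog/OpenSSH “Failed password” format using documentation address ranges, and the fail2ban simulation assumes every attempt falls inside one findtime window, which only flatters fail2ban.

```python
"""Added example (not the original post's or fail2ban's code): why a
per-IP ban threshold misses a distributed SSH brute-force attack, and the
fleet-wide signal that does catch it.  The sshd log lines are constructed
in the standard syslog/OpenSSH format using documentation address ranges.
"""
import re
import statistics
from collections import Counter, defaultdict

FAILED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines):
    """Return (day, user, ip) for each failed-password line; ignore everything else."""
    records = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            records.append((f"{m['mon']} {int(m['day'])}", m["user"], m["ip"]))
    return records


def distinct_ips_per_day(records):
    seen = defaultdict(set)
    for day, _, ip in records:
        seen[day].add(ip)
    return {day: len(ips) for day, ips in seen.items()}


def fail2ban_bans(records, maxretry=5):
    """Addresses a fail2ban sshd jail would ban.  Simplification: every
    attempt is assumed to fall inside one findtime window, which only makes
    fail2ban look *more* effective than it really is."""
    per_ip = Counter(ip for _, _, ip in records)
    return {ip for ip, n in per_ip.items() if n >= maxretry}


def flag_distributed_days(records, baseline_days, ratio=3.0):
    """Days on which the number of distinct probing addresses is at least
    `ratio` times the mean over `baseline_days`.  This is the fleet-wide
    metric that spiked in the post even though no single address was noisy."""
    per_day = distinct_ips_per_day(records)
    baseline = statistics.mean(per_day.get(d, 0) for d in baseline_days)
    return {d: n for d, n in per_day.items()
            if d not in baseline_days and n >= ratio * baseline}


def _line(day, hhmm, ip, who="root"):
    return f"{day} {hhmm}:00 srv1 sshd[4242]: Failed password for {who} from {ip} port 51000 ssh2"


# Constructed log.  Ordinary days: three noisy sources, eight tries each,
# so each source crosses maxretry and fail2ban handles it.
BASELINE_DAYS = ["Nov 28", "Nov 29", "Nov 30"]
SAMPLE_LOG = []
for i, day in enumerate(BASELINE_DAYS):
    for k in range(3):
        for n in range(8):
            SAMPLE_LOG.append(_line(day, f"02:{n:02d}", f"203.0.113.{10 * i + k + 1}"))
# Attack day: twenty distinct sources, two tries each, so no source reaches maxretry.
for k in range(20):
    who = "root" if k % 2 == 0 else "invalid user admin"
    for n in range(2):
        SAMPLE_LOG.append(_line("Dec  1", f"03:{k:02d}", f"198.51.100.{k + 1}", who))
# Noise that must not be counted.
SAMPLE_LOG.append("Dec  1 04:00:00 srv1 sshd[4243]: Accepted publickey for deploy from 192.0.2.5 port 50000 ssh2")

if __name__ == "__main__":
    recs = parse_failures(SAMPLE_LOG)
    print("distinct IPs per day:", distinct_ips_per_day(recs))
    print("fail2ban would ban:", sorted(fail2ban_bans(recs)))
    print("distributed-attack days:", flag_distributed_days(recs, BASELINE_DAYS))
```

On the constructed data fail2ban bans all nine of the ordinary-day sources and none of the twenty attack-day sources, while the distinct-address count jumps from 3 to 20. In practice the same per-day count should be pooled across every host you run, as the post does, since a single host sees only a slice of a distributed campaign.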
On the afternoon of September 15, I started getting some strange email messages from cron on my Linux server, which hosts my email, blog, DNS, and several web sites for various non-profit organizations I’m involved with.
(Background: One of the web sites, an old Drupal installation, handles scheduled tasks through a cron job that periodically fetches the URL /cron.php on the site. Each time /cron.php is fetched, Drupal checks if any scheduled tasks came due since the last time it was fetched, and executes the PHP code for those tasks. The scheduled tasks aren’t actually supposed to generate any output, so the cron job that fetches /cron.php shouldn’t generate any output and therefore shouldn’t cause cron to send email.)
I’ve reset the password on the account to prevent him from using it, but I can’t log into the account to see what profile information he specified or what he did on the site, because the site provides no way to recover a lost username. I’ve contacted email@example.com and asked them to provide me with the username as well as information from their logs about who created this account.
They’re a bit more likely to be willing to help than Skype, given that (a) they’re a collaborative, open-source organization and (b) I have an ongoing relationship with Mozilla, having submitted several core and Thunderbird patches and been nominated as a “Friend of the Tree”.
I’ve asked them at the very least, if they’re unwilling or unable to provide me with the username, to delete the account, since I don’t want accounts created by other people using my email address on sites all over the internet.
I wrote several days ago about spam I received from Nation of Change at an email address which had previously only been shared with Brave New Foundation. Earlier today, I wrote about Nation of Change apparently attempting to cover their tracks after their unauthorized use of email addresses was discovered and reported by me.
I have been in conversation about this with a high-level employee at Brave New Foundation, and I am now able to report the following important information:
- Brave New Foundation does not sell, share or rent their email lists.
- There is a Brave New Foundation employee with access to their lists who has a relative who works for Nation of Change.
- Brave New Foundation believes that this Nation of Change employee made unauthorized use of his/her relative’s access to copy an as yet undetermined subset of Brave New Foundation’s email lists for Nation of Change’s use.
- Brave New Foundation does not believe its employee was complicit in this unauthorized access. In fact, s/he was unaware that it had occurred until I brought it to Brave New Foundation’s attention.
- Brave New Foundation considers this breach of their data to be extremely serious, and they are actively investigating it.
- Brave New Foundation is considering legal action against Nation of Change both to prevent any further use of the copied email addresses and to obtain financial compensation for the damage to Brave New Foundation’s reputation and the time and resources spent investigating this incident.
All of this information, as well as some additional off-the-record supporting information that I cannot report here, was provided to me directly by an employee of Brave New Foundation. I have no reason to believe that employee is lying, and what s/he told me is consistent with my suspicions and impressions about Nation of Change. However, in the spirit of full disclosure, I want to be clear that I have not seen any hard evidence supporting any of Brave New Foundation’s allegations against Nation of Change.
When you combine these new allegations against Nation of Change with all the other issues I raised in my first posting about them, it seems doubtful that this is an organization which deserves anyone’s support.