funsec mailing list archives

Re: Off Topic: When Did LinkedIn Start Sucking So Bad?


From: Rich Kulawiec <rsk () gsp org>
Date: Mon, 17 Mar 2008 10:56:57 -0400

On Wed, Mar 12, 2008 at 05:41:03PM -0400, cracker () gmail com wrote:
> seeing as we were talking about LinkedIn and all, I thought it appropriate
> to toss this conversational hand grenade...
>
> Six Degrees of E-Separation
> http://blog.washingtonpost.com/securityfix/2008/03/six_degrees_of_eseparation_1.html

This same effect shows up in other places as well.  Some of us suspect
that spammers have been quietly busy over the past decade building
databases encapsulating the same sort of relationship information.  Reason?
People are much more likely to accept and read messages from people
they know, so if it's possible to forge mail from a given sender to a
given recipient (or better yet, hijack their system or the mail server
they use so that it's undetectable as a forgery), then there's a high
probability the payload will reach its destination.  Analysis of mailing
list traffic, newsgroup traffic, blogs, and mailboxes/address books on
already-hijacked systems all yield data useful for such an exercise.

This would not only be handy for keeping pace with the myriad defenses
we've deployed, but when it comes to highly targeted phishing runs,
it'd be truly useful.

I have no proof of this, only circumstantial evidence, so this may simply
be so much drivel.  On the other hand: anyone with the expertise to code
this graph theory exercise and run it on a very large dataset may also
have the expertise to avoid being detected.  And we already know that
[some] spammers have expended considerable resources on a similar
exercise: list-washing/complainer avoidance/spamtrap identification.
So I don't think it's much of a leap of the imagination.

---Rsk

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

