Security Incidents mailing list archives

Re: Large quantity of traffic from amazon.com - source_port 3000


From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Wed, 19 Jan 2000 16:33:31 -0800


Um, PGP is essentially a self-signed certificate. Therefore, it can just as
easily be forged as the e-mail address. There is no more reason to trust a
signed message over an unsigned one. You only have cause to trust a signed
message if you can easily verify the signature. Right now, the easiest way
to do so would be to simply contact Amazon.com, which you could do anyway.

If a company wants to make an "official" statement, it really should be a
document on the website, or if you are going to sign something, point to
the public key info back on the website so that it can easily be checked.

Rob.

PS: Dominique is in a weird situation where his personal reputation is much
greater than Amazon's, and we could probably verify his signature simply by
comparing his public key with other e-mail he's posted.

PPS: In any event, I'm not quite sure if the original posting was
"official". Just because you fail to disguise your identity does not compel
you to prove your identity. It doesn't make sense that Amazon would hack
customers, and Dominique's explanation makes sense whether he is affiliated
with Amazon or not. An "official" pronouncement doesn't lend it increased
credibility because a company can also lie.

PPPS: "Increased comfort" is a dangerous concept because many security
products are more about increasing customer comfort rather than actual
security.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On
Behalf Of Dominique Brezinski
Sent: Tuesday, January 18, 2000 10:11 AM
To: INCIDENTS () securityfocus com
Subject: Re: Large quantity of traffic from amazon.com - source_port 3000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 09:36 AM 1/18/00 -0600, Andrew Steingruebl wrote:
Thanks for the good response.  I'm cc'ing the whole list on this message.

I've seen several people respond with explanations of strange behavior
coming from their sites.  It's nice to know that a good number of people
are reading this list.  At the same time, without knowing exactly how the
list is set up, and even if I did, it's pretty easy to forge email.  I'd
like to suggest that people, wherever possible, when making a
quasi-official response to an incident, PGP or S/MIME sign their email so
as to give other people at least some comfort or verifiable information
that the response is genuine.

Yes, you are right.  I ran in over the weekend to get a quick response out,
and I overlooked signing the mail.  Point well taken.
- ---
Dominique Brezinski             Amazon.com Security
office (206) 266-6900           pager (888) 916-2747
8312 ADAB C5B2 1916 CBD8  150E 37CE 044E F45F B5E4
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBOISsyjfOBE70X7XkEQItwACeIGXfBrobGao1Pw4S0AurgATwL5QAoO+f
HKont96tX7Wtdf0FqRj+5J8M
=Y851
-----END PGP SIGNATURE-----
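The trust argument above (a signature from a self-signed key means nothing until the key has been matched against a copy obtained out of band, such as a fingerprint published on the company's website or seen in earlier mail) can be made concrete. The following is an added example, not code from the thread or from any of its participants. It uses textbook RSA and a SHA-1 key fingerprint as a simplified stand-in for OpenPGP, and all keys, fingerprints and messages in it are constructed at run time; the `is_trustworthy` decision function and the pinned-fingerprint set are this example's own assumptions.

```python
"""Added example: a PGP-style "valid signature, but is the key trusted?" check.

A self-signed key proves nothing by itself. The signature only carries weight
once the signing key's fingerprint has been compared with a copy obtained
out of band (the company web site, earlier mail from the same person).
Textbook RSA and a SHA-1 fingerprint are a simplified stand-in for OpenPGP;
every key and message below is constructed for the demonstration.
"""
import hashlib
import secrets


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime of exactly `bits` bits (top bit forced on)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Textbook RSA keypair: returns ((n, e), (n, d)). Demo strength only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def fingerprint(pubkey) -> str:
    """SHA-1 over the serialized public key, laid out like a PGP fingerprint
    (OpenPGP v4 also hashes the public key packet with SHA-1; the packet
    layout here is simplified)."""
    n, e = pubkey
    blob = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")
    hexfp = hashlib.sha1(blob).hexdigest().upper()
    return " ".join(hexfp[i:i + 4] for i in range(0, 40, 4))


def sign(message: bytes, privkey) -> int:
    """Sign SHA-256(message) with the private exponent (no padding: demo only)."""
    n, d = privkey
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, d, n)


def signature_is_valid(message: bytes, signature: int, pubkey) -> bool:
    """Cryptographic check only: the holder of *this* key vouches for the message.
    It says nothing about who holds the key."""
    n, e = pubkey
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == digest


def is_trustworthy(message: bytes, signature: int, pubkey, pinned: set) -> bool:
    """The decision the thread argues for: a valid signature counts only when
    the signing key's fingerprint matches one obtained out of band."""
    return fingerprint(pubkey) in pinned and signature_is_valid(message, signature, pubkey)


def demo() -> dict:
    """Constructed scenario: one key whose fingerprint was copied from the
    company's web page, and an unrelated key whose owner merely claims the
    same identity in the From: line."""
    genuine_pub, genuine_priv = generate_keypair()
    other_pub, other_priv = generate_keypair()
    pinned = {fingerprint(genuine_pub)}   # fingerprint published out of band
    msg = b"Constructed sample statement about the port-3000 traffic."
    return {
        "genuine_pinned_key": is_trustworthy(msg, sign(msg, genuine_priv), genuine_pub, pinned),
        "unpinned_key": is_trustworthy(msg, sign(msg, other_priv), other_pub, pinned),
        "tampered_message": is_trustworthy(msg + b"!", sign(msg, genuine_priv), genuine_pub, pinned),
        # The unpinned key's signature is cryptographically fine; it just proves nothing.
        "unpinned_key_signature_valid": signature_is_valid(msg, sign(msg, other_priv), other_pub),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'trusted' if ok else 'rejected'}")
```

The point of the `unpinned_key` case is the one Rob makes: the signature verifies perfectly against the key that came with the message, so `signature_is_valid` returns True, yet `is_trustworthy` rejects it because nobody has matched that key's fingerprint against the website or earlier mail. Pinning is what turns a self-signed key into evidence.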

