Security Incidents mailing list archives
Re: Large quantity of traffic from amazon.com - source_port 3000
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Wed, 19 Jan 2000 16:33:31 -0800
Um, PGP is essentially a self-signed certificate. Therefore, it can just as easily be forged as the e-mail address. There is no more reason to trust a signed message over an unsigned one. You only have cause to trust a signed message if you can easily verify the signature. Right now, the easiest way to do so would be to simply contact Amazon.com, which you could do anyway. If a company wants to make an "official" statement, it really should be a document on the website, or if you are going to sign something, point to the public key info back on the website so that it can easily be checked.

Rob.

PS: Dominique is in a weird situation where his personal reputation is much greater than Amazon's, and we could probably verify his signature simply by comparing his public key with other e-mail he's posted.

PPS: In any event, I'm not quite sure if the original posting was "official". Just because you fail to disguise your identity does not compel you to prove your identity. It doesn't make sense that Amazon would hack customers, and Dominique's explanation makes sense whether he is affiliated with Amazon or not. An "official" pronouncement doesn't lend it increased credibility because a company can also lie.

PPPS: "Increased comfort" is a dangerous concept because many security products are more about increasing customer comfort rather than actual security.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com] On Behalf Of Dominique Brezinski
Sent: Tuesday, January 18, 2000 10:11 AM
To: INCIDENTS () securityfocus com
Subject: Re: Large quantity of traffic from amazon.com - source_port 3000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 09:36 AM 1/18/00 -0600, Andrew Steingruebl wrote:
Thanks for the good response. I'm cc'ing the whole list on this message. I've seen several people respond with explanations of strange behavior coming from their sites. It's nice to know that a good number of people are reading this list. At the same time, without knowing exactly how the list is set up, and even if I did, it's pretty easy to forge email. I'd like to suggest that people, wherever possible, when making a quasi-official response to an incident, PGP or S/MIME sign their email so as to give other people at least some comfort or verifiable information that the response is genuine.
Yes, you are right. I ran in over the weekend to get a quick response out, and I overlooked signing the mail. Point well taken.

- ---
Dominique Brezinski
Amazon.com Security office
(206) 266-6900 pager (888) 916-2747
8312 ADAB C5B2 1916 CBD8 150E 37CE 044E F45F B5E4

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBOISsyjfOBE70X7XkEQItwACeIGXfBrobGao1Pw4S0AurgATwL5QAoO+f
HKont96tX7Wtdf0FqRj+5J8M
=Y851
-----END PGP SIGNATURE-----
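Robert's point is that a signature only carries trust when the key behind it is checked against something obtained out of band (the company's website, or the same sender's earlier mail), because anyone can generate a key and sign with it. The following Go program is an added illustration of that trust model, not code from this thread or from any of its participants. It assumes Ed25519 in place of PGP, a SHA-256-over-raw-key fingerprint convention that is not PGP's, and a constructed sender address and message body.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedMessage models a mail that ships its own public key next to the
// signature: the "self-signed certificate" case from the thread. Ed25519
// stands in for PGP here (assumption for the example).
type SignedMessage struct {
	From      string
	Body      []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// Fingerprint derives a hex fingerprint from a public key. SHA-256 over the
// raw key bytes is a constructed convention for this example, not PGP's format.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Sign builds a message whose signature verifies under the attached key.
func Sign(from string, body []byte, priv ed25519.PrivateKey) SignedMessage {
	return SignedMessage{
		From:      from,
		Body:      body,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, body),
	}
}

// VerifyAttached checks the signature only against the key that came with
// the message. Any freshly generated key passes this check, so on its own it
// says nothing about who sent the mail.
func VerifyAttached(m SignedMessage) bool {
	return ed25519.Verify(m.PublicKey, m.Body, m.Signature)
}

// VerifyPinned first requires the attached key to match a fingerprint obtained
// out of band (published on the website, or seen in the sender's earlier mail),
// and only then checks the signature. This is the check that carries trust.
func VerifyPinned(m SignedMessage, pinned map[string]string) bool {
	want, ok := pinned[m.From]
	if !ok || want != Fingerprint(m.PublicKey) {
		return false // unknown sender, or key differs from the published one
	}
	return VerifyAttached(m)
}

// Scenario plays out the thread: a genuine sender whose fingerprint has been
// published, and a second party who signs the same text with a key of their
// own while reusing the From line. It returns whether the second message
// passes the attached-key check, whether it passes the pinned check, and
// whether the genuine message passes the pinned check.
func Scenario() (otherAttached, otherPinned, genuinePinned bool) {
	const sender = "security@example.com"                                   // constructed address
	body := []byte("The port-3000 traffic you saw was a legitimate crawler.") // constructed text

	genuinePub, genuinePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// The published fingerprint stands in for key info posted on the website.
	pinned := map[string]string{sender: Fingerprint(genuinePub)}
	genuine := Sign(sender, body, genuinePriv)

	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	other := Sign(sender, body, otherPriv) // same From line, different key

	return VerifyAttached(other), VerifyPinned(other, pinned), VerifyPinned(genuine, pinned)
}

// TamperCheck shows that the pinned check still catches a modified body:
// it returns the verdict before and after one byte of the body is changed.
func TamperCheck() (before, after bool) {
	const sender = "security@example.com" // constructed address
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pinned := map[string]string{sender: Fingerprint(pub)}
	m := Sign(sender, []byte("original text"), priv)
	before = VerifyPinned(m, pinned)
	m.Body = []byte("original texT")
	after = VerifyPinned(m, pinned)
	return before, after
}

func main() {
	a, b, c := Scenario()
	fmt.Printf("other key, attached-key check only: valid=%v\n", a)
	fmt.Printf("other key, pinned-fingerprint check: valid=%v\n", b)
	fmt.Printf("genuine key, pinned-fingerprint check: valid=%v\n", c)
	before, after := TamperCheck()
	fmt.Printf("pinned check before/after tampering: %v/%v\n", before, after)
}
```

The first verdict is the trap Robert describes: the attached-key check reports "valid" for a message signed with a key nobody has ever seen before. Only the pinned check, which compares the key to a fingerprint learned through a channel the sender does not control, separates the two messages.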