7 comments

[ 3.3 ms ] story [ 28.2 ms ] thread
Maybe steve should just start twittering with a verified account. Also, in my day we didn't get so mad at rumor sites for being right or wrong. If these guys want to be journalists rather than muckrakers thats fine. But if you're whole business is dealing with dirt, gotta get used to getting dirty (the readers and the writers).
tl;dr: Some email was sent by Steve Jobs, but the "It's just a phone...Retire" comment was incorrectly attributed to SJ.
Regardless of whether the exchange happened or not, the claim that "[the email headers] were legitimate, and that the entire thread would be extremely hard to fake, if not impossible" is an exaggeration. For reference, open up the headers of an email you've recently received from a Gmail address. Notice the DomainKey-Signature field?

  DomainKey-Signature: a=rsa-sha1; c=nofws;
          d=gmail.com; s=gamma;
          h=mime-version:in-reply-to:references:date:message-id:subject:from:to
           :content-type;
          b=IBLt9oYlFSwflVBrLP4Rq64gpUeIHJMkvAjbVoYin9vugJBa4E4hxqfKeFLp/Gw3XT
         2V/PR4M4M/Kz9CU8n7poGJ+JUBcxyT4LZc4SYNHTV1TD6nmk77Pvl7E7f8uY1sAMrR9c
         F+2HiY9MMKgb0SlPdRVqUUF0QX9XoQRzA3jFs=
That's there because Gmail (along with a few other providers such as Fastmail) implement what's called DomainKeys Identified Mail (http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail). It can provide cryptographic assurance that the domain name associated with an email is valid. So using the DNS records on the Gmail domain, I can pull the public key and verify the cyptographic signature.

  mil:~ tim$ host -t txt gamma._domainkey.gmail.com
  gamma._domainkey.gmail.com descriptive text "k=rsa\; t=y\;   

  p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIhyR3oItOy22ZOaBrIVe9m/iME3RqOJeasANSpg2YTHTYV+Xtp4xwf5gTjCmHQEMOs0qYu0FYiNQPQo
  gJ2t0Mfx9zNu06rfRBDjiIU9tpx2T+NGlWZ8qhbiLo5By8apJavLyqTLavyP  
  Srvsx0B3YzC63T4Age2CDqZYA+OwSMWQIDAQAB"
If the signature is valid, I can be reasonably confident that the email is valid. (Note that some sort of DNS compromise or attack would allow an attacker to pass me a fake public key)

Now take a look back at the email headers in the article. There is no cryptographic signature that you can verify. Note that if these headers are made up, the forgery is quite good. There's even some nice SPF authentication going on in there. But it's not impossible to forge these headers. In a targeted attack, I could do just that. Depending on how much the guy got paid for the story, it might even be worth the time.

(If there's someone with domain knowledge/experience etc. in this area and has an addition or correction, I'd love to hear it)

There's a simple way around all of this, and it doesn't require a lot of in depth knowledge. Notice that DomainKeys says nothing about the content of the email. It's only a tool for preventing false relay (spam), not content forgery.

Let's say I email you with a simple question, you reply, and we trade emails three or four times. Gmail supports IMAP, which lets me move emails to and from my Gmail inbox without much trouble. So, all I need to do is move the mail to a server where I can alter the content (I can leave the headers intact), then copy the email back over to my Gmail inbox using an IMAP client.

I just did this using Mail.app on my Mac. It wasn't even all that time consuming. The hardest (maybe most time consuming) part would be getting a reply from Steve Jobs. I'm sure he doesn't reply to everyone.

The bottom line is that unless the mail was signed using something like PGP, it can be forged using trivial methods.

The email exchange was never that interesting to begin with. But if this is true then it means Apple PR lied on the record about the story, which would be significant.
Is this content really within HN's bailiwick?
The Burford guy starts out hysterical and continues hysterical.

I think it's bad policy for the CEO to respond personally to the most crazy and unreasonable of customers. Much better to just let them rant on the web rather than giving them a big platform and bringing yourself down to their level.