Maybe steve should just start twittering with a verified account. Also, in my day we didn't get so mad at rumor sites for being right or wrong. If these guys want to be journalists rather than muckrakers thats fine. But if you're whole business is dealing with dirt, gotta get used to getting dirty (the readers and the writers).
Regardless of whether the exchange happened or not, the claim that "[the email headers] were legitimate, and that the entire thread would be extremely hard to fake, if not impossible" is an exaggeration. For reference, open up the headers of an email you've recently received from a Gmail address. Notice the DomainKey-Signature field?
That's there because Gmail (along with a few other providers such as Fastmail) implement what's called DomainKeys Identified Mail (http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail). It can provide cryptographic assurance that the domain name associated with an email is valid. So using the DNS records on the Gmail domain, I can pull the public key and verify the cyptographic signature.
If the signature is valid, I can be reasonably confident that the email is valid. (Note that some sort of DNS compromise or attack would allow an attacker to pass me a fake public key)
Now take a look back at the email headers in the article. There is no cryptographic signature that you can verify. Note that if these headers are made up, the forgery is quite good. There's even some nice SPF authentication going on in there. But it's not impossible to forge these headers. In a targeted attack, I could do just that. Depending on how much the guy got paid for the story, it might even be worth the time.
(If there's someone with domain knowledge/experience etc. in this area and has an addition or correction, I'd love to hear it)
There's a simple way around all of this, and it doesn't require a lot of in depth knowledge. Notice that DomainKeys says nothing about the content of the email. It's only a tool for preventing false relay (spam), not content forgery.
Let's say I email you with a simple question, you reply, and we trade emails three or four times. Gmail supports IMAP, which lets me move emails to and from my Gmail inbox without much trouble. So, all I need to do is move the mail to a server where I can alter the content (I can leave the headers intact), then copy the email back over to my Gmail inbox using an IMAP client.
I just did this using Mail.app on my Mac. It wasn't even all that time consuming. The hardest (maybe most time consuming) part would be getting a reply from Steve Jobs. I'm sure he doesn't reply to everyone.
The bottom line is that unless the mail was signed using something like PGP, it can be forged using trivial methods.
The email exchange was never that interesting to begin with. But if this is true then it means Apple PR lied on the record about the story, which would be significant.
The Burford guy starts out hysterical and continues hysterical.
I think it's bad policy for the CEO to respond personally to the most crazy and unreasonable of customers. Much better to just let them rant on the web rather than giving them a big platform and bringing yourself down to their level.
7 comments
[ 3.3 ms ] story [ 28.2 ms ] threadNow take a look back at the email headers in the article. There is no cryptographic signature that you can verify. Note that if these headers are made up, the forgery is quite good. There's even some nice SPF authentication going on in there. But it's not impossible to forge these headers. In a targeted attack, I could do just that. Depending on how much the guy got paid for the story, it might even be worth the time.
(If there's someone with domain knowledge/experience etc. in this area and has an addition or correction, I'd love to hear it)
Let's say I email you with a simple question, you reply, and we trade emails three or four times. Gmail supports IMAP, which lets me move emails to and from my Gmail inbox without much trouble. So, all I need to do is move the mail to a server where I can alter the content (I can leave the headers intact), then copy the email back over to my Gmail inbox using an IMAP client.
I just did this using Mail.app on my Mac. It wasn't even all that time consuming. The hardest (maybe most time consuming) part would be getting a reply from Steve Jobs. I'm sure he doesn't reply to everyone.
The bottom line is that unless the mail was signed using something like PGP, it can be forged using trivial methods.
I think it's bad policy for the CEO to respond personally to the most crazy and unreasonable of customers. Much better to just let them rant on the web rather than giving them a big platform and bringing yourself down to their level.