From: email@hidden
Subject: Re: xgrid and john the ripper
Date: July 27, 2004 9:15:15 PM CDT
To: email@hidden
On Jul 27, 2004, at 7:52 PM, james woodyatt wrote:
On 27 Jul 2004, at 4:39 PM, Don Thompson wrote:
The address looks good. What more would you suggest checking? The headers on the message will indicate that it came through the xgrid users list.
The address is easily forged. The "Received" headers are *much* harder to tickle. This is kinda off-topic, but I think I can finish it up with some Xgrid-related content. Scroll down if you want.
So here's something useful to know about the FBI that I just discovered looking into this. It turns out they *DON'T* have their own mail servers (or even DNS servers) for the fbi.gov domain. They rent access to the mail servers of AT&T Global Network Services. You can find them in the DNS the same way your mail server finds them: by querying for the MX records.
I'm not sure that makes me feel warm and fuzzy about the security of the FBI's mail transfer systems. Is this new? I don't remember this being the case the last time I had reason to correspond with an FBI agent.
Last login: Tue Jul 27 16:33:34 on console
Welcome to Darwin!
woodjam:~ jhw$ dig mx fbi.gov

; <<>> DiG 9.2.2 <<>> mx fbi.gov
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26709
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;fbi.gov.                       IN      MX

;; ANSWER SECTION:
fbi.gov.                300     IN      MX      0 mx2.prserv.net.
fbi.gov.                300     IN      MX      0 mx1.prserv.net.

;; AUTHORITY SECTION:
fbi.gov.                300     IN      NS      dns.sprintip.com.
fbi.gov.                300     IN      NS      dns2.sprintip.com.

;; Query time: 103 msec
;; SERVER: 17.206.12.12#53(17.206.12.12)
;; WHEN: Tue Jul 27 16:40:29 2004
;; MSG SIZE  rcvd: 131
The prserv.net domain is registered to AT&T Global Network Services.
Now, have a look at the raw source of the message from Eric Chapman, claiming to originate at the FBI. Specifically, check the "Received:" header fields which show a hop-by-hop record of the mail servers the message passes through...
[...]
Received: from lists.apple.com (lists.apple.com [17.254.0.151])
by mail-in5.apple.com (8.12.11/8.12.11) with ESMTP id i6RKgDYW023979 for
<email@hidden>; Tue, 27 Jul 2004 13:42:14 -0700 (PDT)
Received: from lists.apple.com (localhost [127.0.0.1])
by lists.apple.com (8.12.9/8.12.9) with ESMTP id i6RKbMWJ019859; Tue,
27 Jul 2004 13:37:22 -0700 (PDT)
Received: from prserv.net (asmtp1.prserv.net [32.97.166.51])
by lists.apple.com (8.12.9/8.12.9) with ESMTP id i6RKZc1D019800 for
<email@hidden>; Tue, 27 Jul 2004 13:35:39 -0700 (PDT)
Received: from [10.248.52.9] (<unknown.domain>[63.167.71.254])
by prserv.net (asmtp1) with SMTP id <2004072720355625100h8273e>
(Authid: wbt3p3t); Tue, 27 Jul 2004 20:35:57 +0000
[...]
The fields are prepended at each transfer agent, so the last one in the list is where the SMTP agent used by "Eric Chapman" announced that it was forwarding the message. It says that it was received from some user agent named (with a domain literal) [10.248.52.9] which connected from an address without any reverse DNS records, which probably corresponds to a NAT device with the address 63.167.71.254. This is an address currently allocated to Sprintlink (Sprint) according to the ARIN WHOIS database. The mail server is operated by AT&T Global Network Services, and the authoritative name server is a SprintLink server. I think AT&T may have purchased SprintLink assets and they haven't renamed. Furthermore, the address appears to be allocated to the block of SprintLink addresses used in Reston, VA so this message actually may have originated at the FBI.
It's annoying that the FBI is outsourcing its IT services like this, because it makes it harder to build confidence in the authenticity of their messages (among other good reasons to be annoyed). I think if the FBI has an ongoing investigation and would like to consult with Apple technical staff about potentially criminal applications for Xgrid, then a teleconference would be the appropriate thing to arrange.
-----
ObXGrid: issues related to message header forgery, user authentication and application-layer security on the global Internet are difficult to work. Xgrid isn't currently suitable for use on public networks for these reasons, but the good news is that its foundation in the BEEP protocol means that extending the application protocol so that it can be safely and securely used on the public Internet should be *possible* in the long term without having to make revolutionary changes to the session-layer protocol. BEEP was designed to be suitable for use on public networks with untrusted links and nodes. I'm not on the Xgrid team, though, and I have no idea what their plans might be in this direction.
(Okay, I may be reaching to stay on topic, but don't say I didn't try.)
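The hop-by-hop reading of the "Received:" chain described in the message above, as an added worked example that is not part of the original post or of any Apple or Xgrid code. It parses the quoted header chain (embedded here as a constructed sample, with the recipient address replaced by a placeholder), puts the hops back into chronological order (each transfer agent prepends, so the bottom-most header is the first hop), pulls out the connecting IP, the reverse-DNS result and whether the relay recorded an authenticated submission, and then compares the first relay's domain against the MX hosts from the dig output. The MX list, the "registered domain" heuristic (last two labels) and the function names are all assumptions made for this example.

```python
import email
import re

# Constructed sample: the Received chain quoted in the message above, top of
# message first, with the recipient address replaced by a placeholder.
SAMPLE_MESSAGE = """\
Received: from lists.apple.com (lists.apple.com [17.254.0.151])
\tby mail-in5.apple.com (8.12.11/8.12.11) with ESMTP id i6RKgDYW023979 for
\t<recipient@example.invalid>; Tue, 27 Jul 2004 13:42:14 -0700 (PDT)
Received: from lists.apple.com (localhost [127.0.0.1])
\tby lists.apple.com (8.12.9/8.12.9) with ESMTP id i6RKbMWJ019859; Tue,
\t27 Jul 2004 13:37:22 -0700 (PDT)
Received: from prserv.net (asmtp1.prserv.net [32.97.166.51])
\tby lists.apple.com (8.12.9/8.12.9) with ESMTP id i6RKZc1D019800 for
\t<recipient@example.invalid>; Tue, 27 Jul 2004 13:35:39 -0700 (PDT)
Received: from [10.248.52.9] (<unknown.domain>[63.167.71.254])
\tby prserv.net (asmtp1) with SMTP id <2004072720355625100h8273e>
\t(Authid: wbt3p3t); Tue, 27 Jul 2004 20:35:57 +0000
Subject: constructed sample

body
"""

# MX hosts for the sender's domain, taken from the dig output in the message
# (assumed to be current for the purpose of the example).
SENDER_MX_HOSTS = ["mx1.prserv.net", "mx2.prserv.net"]

# "from <helo-name> (<reverse-dns> [<ip>]) by <relay>" as written by sendmail.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw_message):
    """Return the Received hops in chronological order (first relay first)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue  # not a "from ... by ..." clause; skip rather than guess
        comment = m.group("comment") or ""
        ip = IP_RE.search(comment)
        rdns = comment.split("[")[0].strip()
        # sendmail writes "<unknown.domain>" or "unknown" when the PTR lookup fails
        if not rdns or rdns.startswith("<") or rdns.lower() == "unknown":
            rdns = None
        hops.append({
            "helo": m.group("helo"),          # name the client announced (untrusted)
            "ip": ip.group(1) if ip else None,  # address the relay actually saw
            "reverse_dns": rdns,
            "by": m.group("by"),              # relay that wrote this header
            "authenticated": "authid:" in flat.lower(),
        })
    hops.reverse()  # each MTA prepends its header, so the last one is the first hop
    return hops


def registered_domain(host):
    """Crude 'last two labels' heuristic, e.g. asmtp1.prserv.net -> prserv.net."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def assess_origin(hops, mx_hosts):
    """Compare the first relay in the chain with the sender domain's MX hosts.

    Only headers added by relays you trust are reliable; anything below the
    first trusted relay could have been written by the sender. Here the check
    is whether the first relay shares a domain with the sender's MX hosts,
    which is the argument made in the message above.
    """
    if not hops:
        return {"submission_matches_mx": False, "reason": "no Received headers"}
    first = hops[0]
    mx_domains = {registered_domain(h) for h in mx_hosts}
    return {
        "submission_host": first["by"],
        "origin_ip": first["ip"],
        "origin_reverse_dns": first["reverse_dns"],
        "authenticated_submission": first["authenticated"],
        "submission_matches_mx": registered_domain(first["by"]) in mx_domains,
    }


if __name__ == "__main__":
    chain = parse_hops(SAMPLE_MESSAGE)
    for i, hop in enumerate(chain, 1):
        print(f"hop {i}: {hop['ip']} ({hop['reverse_dns']}) -> {hop['by']}"
              f"{' [authenticated]' if hop['authenticated'] else ''}")
    print(assess_origin(chain, SENDER_MX_HOSTS))
```

The report for the sample chain shows the first relay as prserv.net, the connecting address 63.167.71.254 with no reverse DNS, and an authenticated submission, which is the same reading the message gives. The check is deliberately narrow: it does not verify the MX records itself (use dig or a resolver for that), and it takes the bottom header at face value, so the trust boundary is really the first relay you control, not the first header in the chain.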
References:
  xgrid and john the ripper (From: Eric Chapman <email@hidden>)
  Re: xgrid and john the ripper (From: "Pierce T.Wetter III" <email@hidden>)
  Re: xgrid and john the ripper (From: james woodyatt <email@hidden>)
  Re: xgrid and john the ripper (From: "Pierce T.Wetter III" <email@hidden>)
  Re: xgrid and john the ripper (From: james woodyatt <email@hidden>)