Re: Good work by FBI and SEC on Emulex fraud case

2000-09-07 Thread Tom Vogt

Tim May wrote:
> At 11:44 AM -0700 9/6/00, Bill Stewart wrote:
> > How often do people check signatures?
> > If they check them, and they pass, how often do they check keys?

doesn't matter. it's POSSIBLE, that's what is important. the first time
you lose a million bucks at the exchange because you didn't check the
sig and someone else did, you'll start doing it.


> Sounds fair to me. Sounds like evolution in action.

definitely. I already suggested that my company sign PRs.




Re: Good work by FBI and SEC on Emulex fraud case

2000-09-06 Thread Bill Stewart

> At 1:12 PM -0700 8/31/00, Eric Murray wrote:
> > A small note: IW digitally-signing the releases would not
> > have made a difference in this case--  the guy used his knowledge
> > of IW's procedures to social-engineer IW into accepting the
> > fake release without doing their usual checking procedures.

At 01:22 PM 8/31/00 -0700, Tim May wrote:
> The system I envision would mean each chunk of text ("press release")
> would carry a digital sig, which could be checked multiple times.
> Hard for social engineering to get past the fact that Emulex, say,
> had not digitally signed their own alleged press release.

How often do people check signatures?  
If they check them, and they pass, how often do they check keys?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Subject: Microsoft Press Release On Digital Signatures
Date: September 6, 2001

Microsoft announced today that all future press releases will
be signed with PGP digital signatures so that readers can verify
that they're reading genuine Microsoft press releases,
not forgeries from hackers trying to manipulate the stock price.
Microsoft's corporate PGP key 0xB9C8B513 is on the Network Associates 
keyservers, and you can verify the signatures there.

Microsoft's public relations department also announced that
plans for World Domination 2.0 are ahead of schedule,
and declined to comment on Bill Gates's muttered reference to the
antitrust prosecutors as a major-league %^%*@.


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com

iQA/AwUBObaOltwjGL65yLUTEQIfNACgrmbcIwqX+u3wWmDRAShF+ydjpiYAoLwS
WZoHfvvlHEd2/0rCVSrXL60G
=g+G7
-----END PGP SIGNATURE-----





Re: Good work by FBI and SEC on Emulex fraud case

2000-09-06 Thread Tim May

At 11:44 AM -0700 9/6/00, Bill Stewart wrote:
> > At 1:12 PM -0700 8/31/00, Eric Murray wrote:
> > > A small note: IW digitally-signing the releases would not
> > > have made a difference in this case--  the guy used his knowledge
> > > of IW's procedures to social-engineer IW into accepting the
> > > fake release without doing their usual checking procedures.
>
> At 01:22 PM 8/31/00 -0700, Tim May wrote:
> > The system I envision would mean each chunk of text ("press release")
> > would carry a digital sig, which could be checked multiple times.
> > Hard for social engineering to get past the fact that Emulex, say,
> > had not digitally signed their own alleged press release.
>
> How often do people check signatures?
> If they check them, and they pass, how often do they check keys?



Don't know. But not the problem of those issuing press releases. That 
_some_ people check signatures, whether electronic or inked, and 
_other_ people _don't_ doesn't lessen the significance of signing.

Those who bother to check a putative press release and find the 
attached signature doesn't match what they have seen from Web sites 
(and related "widely witnessed events," including hashes published in 
the company's financial documents, etc.) will have competitive 
advantages over those who don't bother to check and just hit the 
panic button.

Sounds fair to me. Sounds like evolution in action.


--Tim May

-- 
-:-:-:-:-:-:-:
Timothy C. May  | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
"Cyphernomicon" | black markets, collapse of governments.




Re: Good work by FBI and SEC on Emulex fraud case

2000-09-01 Thread Sampo A Syreeni

On Thu, 31 Aug 2000, Eric Murray wrote:

> A small note: IW digitally-signing the releases would not
> have made a difference in this case--  the guy used his knowledge
> of IW's procedures to social-engineer IW into accepting the
> fake release without doing their usual checking procedures.

So essentially what you are saying is that this was not computer crime. We
do not need a Big Brotherish society to thwart computer crime, especially if
it's not computer crime in the first place.

> When/if we do ever have the common use of digitally-signed PR, documents
> etc, I wonder how much people will be fooled into thinking that the
> contents must be correct, because after all, they're signed?

Well at least in that case, assuming those holding the authentication keys
know what they're doing and guard their bits, the source of the information
is attributable to someone, which enormously facilitates plain old police
work.

Sampo Syreeni [EMAIL PROTECTED], aka decoy, student/math/Helsinki university




Re: Good work by FBI and SEC on Emulex fraud case

2000-09-01 Thread petro

Mr. May said:

> (News services still have some role, of course.)

Of course, one of their roles could be "verification" of the 
press release, i.e. Emulex signs it, and rather than having to have 
985,234,003 keys on my key ring to verify every press release I read, 
the News Service can sign the whole thing saying "we witness that 
this press release was signed with the proper key."
-- 
A quote from Petro's Archives:   ***
Today good taste is often erroneously rejected as old-fashioned
because ordinary man, seeking approval of his so-called personality,
prefers to follow the dictates of his own peculiar style rather than
submit to any objective criterion of taste.--Jan Tschichold
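One way to implement the countersignature scheme petro describes, together with the key check Bill Stewart asks about, as an added Go example that is not code from the thread: the issuer signs the release, the news service accepts it only if the signing key matches a fingerprint it pinned earlier, and then signs an attestation so a reader needs only the service's key. The SHA-256 fingerprint, the attestation format and all names are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Fingerprint is SHA-256 of the raw Ed25519 public key: the value a reader pins
// after seeing it on the issuer's web site or in a filing (an assumed scheme).
func Fingerprint(pub ed25519.PublicKey) [32]byte { return sha256.Sum256(pub) }

// VerifyRelease checks the signature AND that the key is the pinned one, so a
// valid signature made with a forger's own key is rejected.
func VerifyRelease(pub ed25519.PublicKey, release, sig []byte, pinned [32]byte) bool {
	return Fingerprint(pub) == pinned && ed25519.Verify(pub, release, sig)
}

// attestation binds release text and issuer signature into the digest the news
// service signs, so a reader needs only the service's key on the ring.
func attestation(release, issuerSig []byte) []byte {
	msg := append([]byte("witnessed-release/v1\n"), release...) // domain separation
	sum := sha256.Sum256(append(msg, issuerSig...))
	return sum[:]
}

// Countersign is the news service's step: verify against its pinned copy of the
// issuer key, then sign. It attests who signed, not whether the text is true.
func Countersign(servicePriv ed25519.PrivateKey, issuerPub ed25519.PublicKey,
	release, issuerSig []byte, pinned [32]byte) ([]byte, bool) {
	if !VerifyRelease(issuerPub, release, issuerSig, pinned) {
		return nil, false
	}
	return ed25519.Sign(servicePriv, attestation(release, issuerSig)), true
}

// VerifyCountersigned is the reader's check using only the service key.
func VerifyCountersigned(servicePub ed25519.PublicKey, release, issuerSig, attSig []byte) bool {
	return ed25519.Verify(servicePub, attestation(release, issuerSig), attSig)
}

func main() { // constructed demo: keys and text are made up, not a real issuer
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	servicePub, servicePriv, _ := ed25519.GenerateKey(rand.Reader)
	release := []byte("Sample release: quarterly results as expected.")
	sig := ed25519.Sign(issuerPriv, release)
	att, ok := Countersign(servicePriv, issuerPub, release, sig, Fingerprint(issuerPub))
	fmt.Println(ok, VerifyCountersigned(servicePub, release, sig, att)) // true true
}
```

A signature made with a key that is not the pinned one verifies as a signature yet fails VerifyRelease, which is the point of checking keys and not just signatures.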




Good work by FBI and SEC on Emulex fraud case

2000-08-31 Thread Tim May


I just watched the live press conference by the FBI, District 
Attorney's Office, and SEC folks. The full story should be on Yahoo 
and other news sites. The gist is that an arrest was made this 
morning.

A former Internet Wire employee, who left in early August, was the 
arrestee. Internet Wire was of course the service which passed on the 
false press release.

The e-mail was traced back to a public access computer at El Camino 
Community College, in the LA area. The arrestee was enrolled during 
the summer at this college, was known to use these computers, and in 
fact was seen last Thursday night using the public computers, at the 
time when the e-mail was sent from one of these computers (in a media 
lab of some sort).

The cops apparently correlated former and current Internet Wire (and 
probably other companies, like Emulex, Bloomberg, PR Newswire, etc.) 
with employees and students at El Camino.

The FBI/SEC obtained his stock trading records, determined that he 
had shorted Emulex at around $70, had then lost a lot of money as 
Emulex went up above $100, and then had bought stock in Emulex as the 
stock fell to $45 after the hoax. (There may have been various put 
and call trades...consult the detailed stories.)

In short, this was classic FBI and law enforcement legwork: 
correlations, subpoenas, and, as appropriate and with warrants, 
searches and arrests.

Kudos.

I mention this here on Cypherpunks because this is an example of how 
law enforcement should work.

By contrast, imagine the enforcement protocol in a Big Brotherish 
world of intercepts, escrow, bans on encryption, etc.

There _was_ some rhetoric at the press conference about "hiding 
behind the Internet." Of course, this message was not "strongly 
untraceable." It was almost trivially traceable. And traced to a 
former employee (probably disgruntled, but I am only speculating) of 
Internet Wire who had specific knowledge of how press releases were 
handled, how the authentication could be spoofed, etc.

Now, what if the perp had used "Cypherpunks technologies"? Aside from 
the likely subpoenas of Anonymizer, Inc., and various remailers, the 
cops could have sought search warrants of the employees who departed, 
obtained records of their stock trades, etc.

Someday, truly strong methods will be more widespread. Along with 
trading accounts unlinkable to meatspace names.

Will this thwart such efforts to catch fraudsters? To some extent, yes.

However, such a world will produce other changes which work in the 
other direction. Digitally-signed press releases, for example, are 
easy to do. (And I expect them to start happening Real Soon Now. 
Possibly with the strong urging of the SEC and others.)

So, kudos to the FBI and SEC for their detective work. And let it be 
a lesson that we don't need a Big Brother world to stop computer 
crime.

--Tim May
-- 
-:-:-:-:-:-:-:
Timothy C. May  | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
"Cyphernomicon" | black markets, collapse of governments.




Re: Good work by FBI and SEC on Emulex fraud case

2000-08-31 Thread Eric Murray

On Thu, Aug 31, 2000 at 12:50:58PM -0700, Tim May wrote:
>
> I just watched the live press conference by the FBI, District 
> Attorney's Office, and SEC folks. The full story should be on Yahoo 
> and other news sites. The gist is that an arrest was made this 
> morning.
>
> A former Internet Wire employee, who left in early August, was the 
> arrestee. Internet Wire was of course the service which passed on the 
> false press release.

[...]

> However, such a world will produce other changes which work in the 
> other direction. Digitally-signed press releases, for example, are 
> easy to do. (And I expect them to start happening Real Soon Now. 
> Possibly with the strong urging of the SEC and others.)

A small note: IW digitally-signing the releases would not
have made a difference in this case--  the guy used his knowledge
of IW's procedures to social-engineer IW into accepting the
fake release without doing their usual checking procedures.
The story last Saturday in the Merc about this said something
to the effect that he'd fooled the "day staff" into believing
that the "night staff" had already approved the release, and thus
the "day staff" didn't need to do any fact checking.

If they did digitally sign the releases, this one would have been
so signed.  Of course that doesn't make it any less untrue.  The
signature just protects it from detectable modification _after_
it's been sent.

When/if we do ever have the common use of digitally-signed PR, documents
etc, I wonder how much people will be fooled into thinking that the
contents must be correct, because after all, they're signed?


-- 
  Eric Murray http://www.lne.com/ericm  ericm at lne.com  PGP keyid:E03F65E5
 Consulting Security Architect