Identity Theft on the Job Market

Identity theft is getting more subtle: "My job application was withdrawn by someone pretending to be me":

When Mr Fearn applied for a job at the company he didn't hear back.

He said the recruitment team said they'd get back to him by Friday, but they never did.

At first, he assumed he was unsuccessful, but after emailing his contact there, it turned out someone had created a Gmail account in his name and asked the company to withdraw his application.

Mr Fearn said the talent assistant told him they were confused because he had apparently emailed them to withdraw his application on Wednesday.

"They forwarded the email, which was sent from an account using my name."

He said he felt "really shocked and violated" to find out that someone had created an email account in his name just to tarnish his chances of getting a role.

This is about as low-tech as it gets. It's trivially simple for me to open a new Gmail account using a random first and last name. But because people innately trust email, it works.

Posted on July 18, 2019 at 8:21 AM • 52 Comments

Comments

RealFakeNewsJuly 18, 2019 8:38 AM

I'm not sure which is worse: the procedures at the hiring company, or the actions of the attacker.

At the very least, they should have telephoned (different channel and using information already on file) to confirm.

Hugh SaundersJuly 18, 2019 8:53 AM

The real problem here is that the candidates could view each other's submissions. Without that, how would you know who to impersonate?

SlagJuly 18, 2019 9:03 AM

It was almost certainly someone known to him, who knew he had applied. Personally I'm going to be getting my name and common variations on my name in gmail and any other messaging service that becomes widely accepted.

Petre Peter July 18, 2019 9:39 AM

I wonder if one of the other candidates decided to increase his chance of getting hired by withdrawing other applications. Beware of the 'now accepting applications sign. They might in reality be a data harvesting company.

K.S.July 18, 2019 9:59 AM

It is likely an inside job, otherwise how would a potential attacker know that this person applied for that position?

dragonfrogJuly 18, 2019 10:02 AM

@Slag

You can't block someone from doing this attack by registering "slag@gmail.com". Someone else could register "scammer@gmail.com" and set the name in their profile to "Slag" - then their emails could present as being From: "Slag ".

Clive RobinsonJuly 18, 2019 10:06 AM

@ Bruce,

As you note the most simplistic or moronic of attacks worked,

... because people innately trust email...

Like most Internet protocols that started befor 1990/2000 the level of security in them is realisticaly to small to be of any real use.

Worse any attempt to add either Confidentiality, Integrity or Authentication almost always ends up being usless or again to little to be of any realistic use.

For some reason we get hung up on attacks that are at best some years in the furure (Quantum Computers) and fail miserably on those we use currently.

As I've mentioned before with messaging apps, we appear to laud some archaine new security feature and just ignore the fact it's entirely irrelevant to overall security and thus of no use to man nor beast. Simply because everything else is a compleate security fail in the design. Especially quite simple well understood security fundementals are very stupidly ignored, especially by the designers of such systems.

To mix up two jokes from last century and a parable[1], it appears we want to set up a strongroom door in the middle of nowhere and then have our secrets stored openly in a tent with the back flaps tied back and just ignore the two humped camel that has wandered in the back and is making free with everything inside the tent.

This sort of thing is going to continue to happen and eveb get worse a lot worse as long as we don't take security more seriously.

And yes before people ask I don't do social media, secure messaging or email. Because not only are they all hopelessly insecure, way to many idiots want to force others to use such totally insecure junk because they are either way to lazy, or have ulterior motives to make everybody insecure.

[1] (A) The strongroom door where the room is a tent with the back flapps open. (B) The fifty foot high security pole in the desert that anyone can walk around. (C) The curious camel and the tent flap.

Simon BrunningJuly 18, 2019 10:18 AM

@K.S.

how would a potential attacker know that this person applied for that position?

According to the article:

When Mr Fearn completed his written assessment, he said he had to save the Word document under his full name to a particular file. In that file, he could see the names and assessments of other candidates.

TatütataJuly 18, 2019 10:26 AM

I'm quite sure I could find comparable examples from snail mail days.

I'm more worried about the proliferation of "reputation" peddling internet middlemen (home improvement, dog walkers, real estate, etc.), which increasingly look to me like barnacles. Hotel and restaurant sites already led the way with fake reviews, and payola rackets.

Job recruiting sites with candidates pictures are an invitation to discrimination. And some of these "pre-select" candidates before presenting results to customers. How exactly? This is more worrying than the occasional impersonation.

Fifteen years ago I was looking for a more comfortable apartment. On a Sunday morning I responded to a new ad with an incomplete address, but from the photograph I could deduce which building that was, at a desirable price and location. During the day I stopped by and looked at the building from across the street, and eventually noticed a couple buzzing in each other's ear, and who were looking in the same direction as I. Hours later I got a reply that the flat had already been rented, even though it wasn't a working day. Weird.


Gunter KönigsmannJuly 18, 2019 10:33 AM

My question would be: Why would someone withdraw another person's job application? In order to go both Highlander and Mary Poppins and to be the only one?

Sheilagh WongJuly 18, 2019 11:42 AM

This is an old Nixonian dirty trick. I had a friend who had all of her medical school applications withdrawn by snail mail back in the early 90s. Someone, who had her address and student number, sent fake letters withdrawing her applications with a Microsoft Word letter template of the day. All of the institutions withdrew her applications without questioning the letter's authenticity. She only found out about it when she followed up because she never even got rejection letters. She did not get into medical school that year.

WaelJuly 18, 2019 12:00 PM

@Gunter Königsmann,

Why would someone withdraw another person's job application?

Few countable possibilities! Not too hard to enumerate possible adversaries and their motives. A current manager who's trying to curtail skillset attrition, a hiring manager who wants to tilt the balance, a competitor who aims to gain an advantage, a prankster,...

TheoJuly 18, 2019 12:09 PM

It would appear that this was caught by the normal social convention of following up when you don't hear from somebody as expected. (Assuming the employer followed the normal social convention of fixing errors when you learn of them.)

There is little need for elaborate technical countermeasures when the tried and true countermeasures work so well.

JonKnowsNothingJuly 18, 2019 12:13 PM

It doesn't have to have been an "outsider" or "anti-friend", it could have been "undisclosed policy".

Recently all the medical schools in Japan were caught downgrading the entrance exam results of all women applicants. This was to prevent them from being accepted by the medical schools themselves. It had been going on for decades.

Prejudice takes many forms and it is not beyond credibility that this applicant was targeted for such reasons. It's been done before and will be done again.

No Irish, No Blacks, No Women, there is a long list of No No No No No No....

ArclightJuly 18, 2019 12:52 PM

Major companies still get taken by scammers who send an official-looking letter to their accounting department asking for a vendor's automatic deposit account numbers to be updated.

All this requires is a bank account in a hostile jurisdiction and a FAX machine.

AdrianJuly 18, 2019 1:13 PM

I wonder if it was an independent recruiter who wanted the candidate out of the system so that they could submit them and earn a commission.

I've had my identity faked by such a recruiter in the past. In 1992ish, I got a call out of the blue from a hiring manager wanting to set up an interview. I was confused because I hadn't applied for a new job.

The hiring manager said he really liked my résumé. I asked how he had gotten my it since I hadn't sent one out in years. He said he got it from a recruiter with a name I'd never heard before.

I asked him what was on the résumé. It was about 50% correct and 50% pure fiction. I told him he'd been conned by an unscrupulous recruiter.

Minutes later, I got a call from the aforementioned unscrupulous recruiter who tried to chew me out for ratting him out. I threatened to contact a lawyer for fraudulently misrepresenting me to potential employers, which shut him up pretty quickly.

DanJuly 18, 2019 3:18 PM

This reminds me of a similar case of a less sophisticated attack which had big consequences for the victim and the attacker:

University student awarded $265,000 after his girlfriend deleted an email awarding him a scholarship

In 2013, a musician applied for and won a scholarship to study clarinet under a particular professor. His girlfriend allegedly deleted the award email from the school, impersonated him to decline the scholarship to the school, and created a Gmail account using the professor's name to send the boyfriend a rejection email. This was apparently possible because he had allowed her to use his laptop and had shared passwords with her. The musician discovered this 2 years later and never got to attend that school but did study under the same professor at a different school. This made headlines when the musician sued his (now-ex) girlfriend.

lurkerJuly 18, 2019 3:46 PM

But because people innately trust email, it works.

This is a large part of the problem. I've recently been dealing with the fallout of a case where someone used the name of an executive to forge invoices so money was sent to a different account. The fraud accounts weren't in the same country (or even within the EU), but the scam worked because people just assumed the emails and the attached invoices were legit - no one even thought to call (or make other out of channel communication) to verify that the emails were legitimate, because why wouldn't they be?

IsmarJuly 18, 2019 4:12 PM

Imagine what damage someone with unfettered access to all of your digital communications can do to you in this (and many other) regards.
I am thinking of hackers for hire as well as of any of the government agency rogue employee having a personal grudge against you or just doing something they consider to be fun.
It may destroy your life as you know it !

SevesteenJuly 18, 2019 4:53 PM

Another possibility is that Mr. Fearn got his email address wrong, and had applied using the address of a legitimate gmail user. I've got an address in the format of (first initial)(common last name)(2 digit birth year)@gmail.com. I've lost track of how many people with the same first initial and last name have used that address for job applications among other things. Had to tell a tax service to stop sending me someone else's tax return...two years in a row.

Clive RobinsonJuly 18, 2019 5:16 PM

@ Theo,

There is little need for elaborate technical countermeasures when the tried and true countermeasures work so well.

The problem is the "tried and true countermeasure" does not work in time sensitive cases as job hiring, course applications and even legal action.

Once a relatively small time window is closed there is often no going back, no reconsideration etc, you are the looser.

That's why a proper method of authentication should be used at all stages. That way such tricks either don't work, have way to high a risk of getting caught or need to be way more complicated than most people are capable of.

Lets say a simple all be it unreliable "call back" system was put in place. Then should a letter or email arive withdrawing an application the recipient of the letter/email phones the person back on their phone number. For the person doing the act would have to either provide a new probably tracable back to them phone number or somehow have to subvert the existing number. The latter is possible and is done but it also alerts the victim something is wrong fairly quickly.

However what is better is a proper form of Forward Authentication by Crypto Secure Algorithm or Present With Message Computer Secure Algorithm. Whilst the former is rare in normal communications (think banking TANs etc) the latter is quite common as a CS-MAC in many modern protocols.

As I noted earlier above it's the old Internet Protocols that fail as do the supposadly "tried and true countermeasures" due to the likes of not being included in the protocols automatically or by the laziness of those operating the system "tried and true" or not.

As our host @Bruce has noted in the past, most see "security protocols" as a hinderence to them getting their job done, so except for a few exceptions the majority won't follow them as the path of least resistance is not to do so. That's why the authentication needs to be not just very robust to avoid it being attacked, it needs to be built in as a fully automatic part of the process so it has to be in the path of least resistance for the operator. Nothing else will work to prevent somebody with sufficient technical skill.

Sadly the path of least resistance issue applies at both ends of the communications channel. Which means that if the victim is "sloppy" with their security an attacker can still find a way in. Such as through the victim via social engineering, the hardware because the victim leaves it unattended or due to faults in the victims OS and Applications. The latter being the biggest security fail of all "secure messaging Apps" etc, after all why attack the victim by social engineering or getting access to the computer even though they are "low tec" they are "high risk". Likewise why attack the crypto, if properly designed there will not be the time in our lifetimes to do it. No it's way easier to do an "end run attack" on the Human Computer Interface. This can be done by hacking into the computer from it's communications connection, or by the equivalent of "shoulder surfing" using telephoto lenses or shotgun microphones to determin paswwords or paraphrases.

Eventually people will learn to take security more seriously, the question in the mean time is, "How much pain will be inflicted before the learning process takes root?".

The Wrong ManJuly 18, 2019 6:20 PM

I'm having the opposite problem today. Someone entered my email address when completing a job application form. Now I'm getting the interview invitation that should be going to them. I feel bad for their missed opportunity, but I have no idea who would apply for a Club Med job in my name, so I can't contact them. I did inform the hiring person, but it seems they have only the email contact information. Sigh.

Signed,
The Wrong Man

Impossibly StupidJuly 18, 2019 7:00 PM

@RealFakeNews

I'm not sure which is worse: the procedures at the hiring company, or the actions of the attacker.

It's hardly the only kind of employment fraud someone in HR should be prepared for. They're paid to act in the best interests of the company, and they clearly didn't do that. The biggest problem is that things like this usually get swept under the rug, so we don't know how often it occurs, who the attackers are likely to be, or how many employees get hired under fraudulent circumstances. HR is usually a company's most vulnerable department/process.

@Clive Robinson

Like most Internet protocols that started befor 1990/2000 the level of security in them is realisticaly to small to be of any real use.

Nah, the fact that email is involved is a red herring. This was basic social engineering, plain and simple. There's just nothing new out there that does a universal job establishing identity/trust between two random online parties. If there were, we wouldn't have all these 2FA, security questions, and password reset procedures.

@Tatütata

Job recruiting sites with candidates pictures are an invitation to discrimination.

I've had one recruiting agency (Robert Half) insist on doing a video chat before they would even add me to their system. Most places these days just ask for a link to a social media account (that includes sites like LinkedIn and GitHub) where they can mine all sorts of discriminatory info without much fuss.

And some of these "pre-select" candidates before presenting results to customers. How exactly? This is more worrying than the occasional impersonation.

It seems to be based on trivial keyword matching. Even claims of machine learning by places like ZipRecruiter are essentially lies; they say they "find candidates", but I don't know anyone who has been proactively contacted by them. The modern HR process is so unscientific that it's surprising that companies are only as bad as they are these days.

@Theo

It would appear that this was caught by the normal social convention of following up when you don't hear from somebody as expected. (Assuming the employer followed the normal social convention of fixing errors when you learn of them.)

You clearly haven't dealt with the open hiring process in a long time. Companies regularly treat candidates poorly, and are downright unprofessional when that person is determined not to be a fit. This is even true for recruiters, who should realize that they might have a different job you're perfect for next week. Heck, I've even had experiences where I was getting jerked around when I tried to volunteer at a local organization. Don't underestimate how poorly people can behave when the "social convention" is based on their power to rule over a tiny kingdom.

TatütataJuly 18, 2019 7:16 PM

The modern HR process is so unscientific that it's surprising that companies are only as bad as they are these days.

Many French employers still demand a handwritten cover letter ("lettre de motivation manuscrite"), and employ graphologists...

Sheilagh WongJuly 18, 2019 9:40 PM

It seems plausible to me that it would be possible to find the computer that sent the bogus message and maybe even who was logged on. But perhaps law enforcement has better things to do than track down someone’s jilted job application.

NotWorriedJuly 18, 2019 11:39 PM

If the person whose job application was withdrawn by another person had applied, the application usually includes sufficient personal information such as
Full Name, Address, E-mail address, Telephone number(s) and more.
If someone writes from a different email address claiming to be an applicant, the company should at least question if this email is really from the applicant, or not, by at least using the applicant's phone number.

lurkerJuly 19, 2019 1:01 AM

email per se might not be wholly to blame here: victim was given a Word template, which had all candidates names, presumably some "feature" of the function File> Mail to…
I'm old enough to remember when Word didn't have that, and when it did appear it was obvious that here be dragons.

GeorgeJuly 19, 2019 1:23 AM

Could this be a victimless crime? When applying for jobs, always follow up with phone calls.

Clive RobinsonJuly 19, 2019 5:09 AM

@ Sancho_P,

Please don‘t blame email!

Why not?

Look at it this way, back in the early days of putting electrical wiring into property they put two or three bare metal conductors on porcelain insulators mounted on a hardwood board mounted on the wall.

Obviously this was quite effective at carrying electrical power to where it was needed, and adding new circuits was fairly easy. So it could be described as functional.

However what it did not do was protect people from harm, that required other things that in turn had their own failings which required other protection. The result is modern electricity cables that are "double insulated" in various ways including physical barriers such as steel or armoured conduits.

Email is those bare copper wires, it needs all sorts of extra protection mechanisms it currently does not have, but are essential for user safety...

So although the old power system was functional, it was very far from "fit for purpose". Email is just like that... So do you want functional without safety or fit for purpose where people don't get so easily hurt?

Peter A.July 19, 2019 5:35 AM

I see so many cases of 'wrong contact' because of flattening/limiting identifier space. This stupidity never ends. Be it usernames @gmail, Twitter handles, .com domains, large company logins, whatever. That's why hierarchical naming systems were invented. If you have a few thousands users it may not be a problem, but if you're striving to be a worldwide monopoly, it WILL.

For those annoyed by 'not my email' problems, stop using that johnsmith69@gmail.com address and register your own domain, so your email is much less likely to be mistaken for someone else's. If you want to keep using Gmail (which is quite good at protecting your account from unauthorized access and hacking, keeping spam levels low, helping your emails get delivered and not discarded etc.) you may connect your domain with your Gmail account.
Of course, Gmail will scan all your email to profile you for ads etc. but even if you opt out of Gmail, the people you exchange emails with won't - so most of your email will either originate from or end up in Gmail anyway, so there's (sadly) not much sense in getting out.

NateJuly 19, 2019 8:13 AM

As much as it pains me to admit, I did this once.

Someone from the other side of the Atlantic had an email address almost identical to mine (name@site), in a similar line of work. We were off by a couple of characters. Misspellings would land his email in my account.

I would politely forward them to him, and ask he have them correct the typo. The responses were angry replies and repeated attempts to hijack my account. After several months of this, I replied to a couple of emails instead. After turning down a job I hadn't applied for, the issue of misrouted email never occurred again for me.

You would think they'd at least confirm the email address matched the one on the CV. I guess this is one way to take out competition for a post.

Clive RobinsonJuly 19, 2019 8:56 AM

@ Peter A.,

That's why hierarchical naming systems were invented. If you have a few thousands users it may not be a problem, but if you're striving to be a worldwide monopoly, it WILL.

You are conflating two different authentication issues. In most cases hierarchical systems are prone to security failures, and they are frequently little more than "slapping a band aid on a broken bone". It's not just the concentrating of power at the top of the hierarchy that is problematic, they suffer from other problems as you traverse downwards.

However as an example, using your own email domain does not solve the authentication issue as it has no inherent security of authentication other than the very weak "name" that can be easily faked along a delivery path. So your MTA relies on the honesty of all preceading MTA's and the originators MUA, that is there is no securiry of authentication along the path. If people want to implement that level of security they use either another hierarchy or an end to end authentication protocol, both of which generaly rely on Certificate Authorities. But as repeated experience tells us security wise the CA hierarchy is a bit of a bust security wise due to "lazy humans" or worse "humans looking for a "competitive edge". The result is as I noted above security takes at best a back seat to the drivers motivating the humanbeings at either end of the communications link.

Which means in the case of CA's the worst of "Unregulated freemarket behaviours" which give rise to a "race to the bottom" on cost cutting to maintain some semblence of profit. Thus security gets cut out of the loop in oh so many ways and access to the signing keys becomes all to easy for an attacker to achieve. Thus as we have seen phoney certificates can be created thus security gets thrown out of the window.

So we need authentication methods not just in depth from different hierarchical structures that are properly verifiable to set up a secure communications channel, we also need one time type authentication for each effective transactional step in a communication channel. Importantly it all needs to be as automatic as possible so it gets used all the time to avoide the "lazy human" issue. With it also being as transparent as required so that users can understand when authentication fails, why it has failed, and thus determin which course of action to take for any particular failure.

At the end of the day, the authentication required on very high value financial transactions should be the minimum for all communications because the systems have no notion of the value of any communication. It's a leason the military had to learn the hard way with WWII and later, which is why we ended up with SigInt agencies. Unfortunatly security has a price and politicians would rather use tax dollars they have today for short term vote buying rather than longterm security. Thus security gets downgraded just as it does where short term profit is a motive.

As the old saying has it "You get what you pay for" which with the likes of Google and Co is a price that may well be to high with them feeding data into the likes of Palantir.

There is the old CIA triad of Confidentiality, Integrity and Availability Currently email offers nothing of note in any one of those three domains. All you ever realy hear is "it's too difficult to do" pushed by people that realy don't want you to have any real kind of privacy this the security required for a minimally functional society.

Look at it this way, I send an email from my PC to my colleagues PC a few yards away in the office, just how many people can get access to it and over what period of time, worse how an admin on the mail server can delay, deleate, edit or other wise change the email or in effect send a compleatly fake email to my colleague pretending it originated from me. So no confidentiality, no integrity and no availability. However if I keep my eye open to spot my colleague on the way to the coffee machine I can pop over and chat to them. That means I get a high level of authentication and integrity, and under normal circumstances if we keep our voices low and avoid others a reasonable level of confidentiality. Availability is the minor problem area but that can be mitigated with a little forward planning.

Importantly though is unlike email and most other electronic communications a chat at the coffee machine is usually ephemeral. That is what is said is not recorded thus available at a later date.

On of the reasons the SigInt agencies practice "collect it all" on electronic communications is it enables them to "wind back time" because all communications are recorded and are thus not ephemeral so they can in effect "wind back time" to see who you were talking to and about what at any point well into the distant future. Unless you or your colleague are already "persons of interest" under surveillance normally a quiet chat over the coffee stays quiet and lost to time so it can not come back to haunt you in the future days, months, years or decades.

VinnyGJuly 19, 2019 9:09 AM

@nate re: "You would think they'd at least confirm the email address matched the one on the CV."
That would require at least minimal competence and motivation. At the companies I worked for, HR was staffed largely by employees who lack one or both of those traits, but whom the officers wanted to keep on payroll for any of a variety of reasons unrelated to adequate discharge of position description responsibilities...

Peter A.July 19, 2019 10:27 AM

@Clive Robinson: thank you for the extensive and interesting (as usual) comment.

However I was only referring to a common nuisance of using someone else's identifier (email address etc.) by mistake because the identifier space is so densely packed and how to try to avoid it and the resulting misery for both the intended and not intended person. I wasn't considering authentication of a person using such an identifier at all.

TRXJuly 19, 2019 12:44 PM

> Wael • July 19, 2019 12:12 AM
> Made up my mind: story doesn't add up. Fictitious journalism

I'm more than halfway in agreement.

If someone uses wael@dreamhost.com to submit an application and puts it down as his return address, I would question a message from wael44@gmail.com amending or withdrawing the application.

Of course, the default action of HR departments is to deny applicants; they sort out all the undesirables and forward what's left to department managers for interviewing. For almost any position, there are so many applicants losing some is not seen as a problem.

Gerard van VoorenJuly 19, 2019 2:07 PM

"This is about as low-tech as it gets. It's trivially simple for me to open a new Gmail account using a random first and last name. But because people innately trust email, it works."

Which shows that the current infrastructure just isn't working correctly. And when things aren't working correctly then you get lots of people that are working on a solution that doesn't work, or maybe poorly.

What the proper solution is, I don't know, but it isn't designed by a GAFAM corp because then it has to be tied up.

Gerard van VoorenJuly 19, 2019 2:13 PM

continue

The problem however is that today GAFAM is so powerful and do so much that it's pretty hard to think of a solution that isn't GAFAM based, which is bad if you ask me.

WaelJuly 19, 2019 7:00 PM

someone created a Gmail account in his name, and withdrew his job application.

Like what? Nicholas.Fearn@gmail.com ?

was selected for a written assessment at its office.

So he took a test.

A screenshot of the email sent to the company

Seriously? There! An iron clad proof!

as the email I had apparently sent was so impersonal and from a completely different Gmail account.

A Gmail account, too. See what @TRX said about that.

They agreed to take a look at it and assess his work.

And the result is?

the company's recruitment team who said that they would be investigating the situation.

Get to it. Can't trace headers on a gmail account is the result?

he said he had to save the Word document under his full name to a particular file.

A file in a file? A folder perhaps?

In that file, he could see the names and assessments of other candidates.

Hmm. Folder? Saw names and assessments: Shakespeare, Keats, and George Bernard Shaw? And they suck? goddamn, I have no chance in hell! Better withdraw my pathetic peace of "work".

He also has a Twitter account and had tweeted the company to say he had applied for the role.

Big mistake!

Could it have been another candidate? Or was it someone else who saw Mr Fearn's tweet?

Ughhh

The company has agreed to take a look at my assessment.

What's the outcome? Now that they got the story and hadn't selected a candidate as of that time?

"They forwarded the email, which was sent from an account using my name."

They claim that an email was sent to them. Perhaps they forged it. Remarkable!

WaelJuly 19, 2019 7:24 PM

Amazing!

Made up my mind: story doesn't add up.

Was deleted! I guess the filter says my opinion is persona non grata.

justinacolmenaJuly 19, 2019 9:12 PM

No employer will seriously risk hiring a victim of identity theft or a relative or person with a similar name to someone with a questionable reputation.

Risk-on, risk-off, get off the property before you get arrested if you're looking for work in this day and age.

Fake wanted posters, false criminal charges, hackers SWATting your home and workplace, it goes on and on, and it will get much, much worse before it gets better.

Is there a wayJuly 19, 2019 10:22 PM

@ Clive

>And yes before people ask I don't do social media, secure messaging or email. Because not only are they all hopelessly insecure, way to many idiots want to force others to use such totally insecure junk because they are either way to lazy, or have ulterior motives to make everybody insecure.


What do you do, then, to communicate at a distance? Or is the only secure protocol silence?

Clive RobinsonJuly 20, 2019 1:50 AM

@ Wael,

Was deleted! I guess the filter says my opinion is persona non grata.

I remember reading it, but did not comment on it, however others did, so it existed for a while.

Can you remember what comments were either side of it? I'm just thinking the wrong one got cleaned up in a manual deleation of "unsolicited advertising".

WaelJuly 20, 2019 2:05 AM

@Clive Robinson,

It had nothing bad really. Just an embedded long like to a meter - a bovine excrement meter. That's probably the reason. Perhaps the rules changed a bit.

WaelJuly 20, 2019 2:23 AM

@Clive Robinson,

Can you remember what comments were either side of it?

There were a couple of spam pieces around it, I think. It didn't make it to archive.org

Clive RobinsonJuly 20, 2019 4:24 AM

@ Is there a way,

What do you do, then, to communicate at a distance?

Amongst other things I still use Snail Mail, and whilst I don't use email when the need arises I do use other insecure digital comms as a carrier for more secure communications protocols on top. If you look back on this blog I've explained non technical ways people can do the same.

But your question of,

Or is the only secure protocol silence?

Is one that if thought about in the right way does give rise to interesting thoughts about how to communicate in nonstandard and to many quite suprising ways. Which takes you into the more technical way to do covert / anonymous communications.

The first thing that many have trouble getting their heads around in this respect is that "not communicating" is also "sending a message" so can be communications. That is silence at a time information is expected is communicating information, at the very least that there is some kind of problem.

But noncommunication is also expected in any "reliable" communications protocol. To see why you have to understand that at the lowest level all communications are inherently "unreliable", so as engineers we add protocols to make them "reliable" and this adds extra normally considered 'redundant" communications.

To see why at the base level all communications systems are "unreliable" you need to know that all electronic inputs have noise on them, and it's dictated by the laws of physics as we currently know them. Likewise all transducers pick up what is sometimes called "random noise" at their inputs that then appears at their outputs for the same reasons. Thus you have two or more noise sources coexisting on those electronic inputs. For most purposes noise is considered "random and addative" over time (lookup AWGN "Additive white Gaussian noise"). The easy example to see this years ago was the old analog TV when not tuned into a signal giving "snow" on the screen, or older analog radios or audio amplifiers and the background hiss heard if the volume was turned up with no valid input signal.

Thus one of the major problems security wise with digital systems is the reliability protocols stop the user seeing signals other than the types they are specifically designed to work with. Which means they "blind the user" to all sorts of information with "silence". And where a system hides other signals a lot can be communicated without people being aware of it unless they are sufficiently suspicious.

Lets say I send you valid packets at the IP level of the protocol stack, then your computer will process them to a limited extent. What happens next depends on if those valid IP packets contain a payload that has a protocol that is recognised at the next level on the protocol stack be it UDP, TCP, or something else and so on up the stack as long as it is valid at the previous layer.

But ask yourself what happens when the packet reaches some point in the stack it is not recognised or fails for some reason. Clearly communications of some form has happened, but the user does not see it as such, all they see is silence.

Thinking along these lines has given rise to all sorts of malware attacks, but there is more, because such protocols are layered. That is when a packet is "dropped" an error protocol is usually carried out such that a "technician" can diagnose and fix the fault. Thus this error handeling becomes a further continuance of the communications, that can in various ways send a message through a system in the reverse direction to the normal communications direction.

But few actually think about the fact that exception and error handeling in such protocols is usually bidirectional. That is you can as a "third party" send a communication of errors and exceptions back up what is otherwise a TX channel from the "first party" transmitter whilst also communicating errors to the "second party" receiver. Nor do most people realise just how transparent computing systems are to exceptions and errors. Knowing this you can send signals back through the likes of Data Diodes, firewalls and other security mechanisms, right back to the application layer at either end as well as leaking information to other users on those systems...

If you want an example from the earliest days of computer networking look at the original Ethernet protocols and how packet collisions were handeled. Noise on the line could be seen back at the application layer as time delays on data transmission buffering[1]. If you've ever read "The Cuckoo's Egg" you will have read how Clifford Stoll used a bunch of keys to in effect send the German hacker a message of "no luck today" by making the "line noise" slow the connection down via the reliability protocols such that it was too slow to be usable.

Due to the use of more elaborate buffering we call "CPU Caching" various attacks were and still are possible this way, as the "Xmas gift that keeps giving" of Meltdown and Spector and other attacks they have spawned show.

As a simple rule anywhere you find redundancy in a communications system you find the potential for "covert communications in plain sight". Using the protocols required to make communications reliable as the transport mechanism, makes such covert communications always possible when "reliable" or "lossless" communications are required by the system designers. Programmers almost always go for "lossless" communications because it makes their task considerably easier. Thus the odds are very high that in non broadcast[2] or point to point communications "Eve" will have a covert communications channel to play with, and that provided care is taken the users Alice and Bob will not see it.

So whilst you see silence at one level others at different levels see what appears to be "noise" but without other knowledge they treat it as silence. Yet it can quite easily be information communicated if you have the right information to decode it...

[1] What people often don't realise is that the data buffering is also used to make multitasking operating systems "more efficient". That is "on an I/O block" rather than spin wasted CPU cycles, the OS kernel would task switch. Such switching can be seen by all users of the system by comparing their various in U / K space timings with "wall time" of the system clock. Whilst it is a quite low "signal to noise ratio" modern techniques from amongst other places astrophysics has given us protocols that will pull signals as much as one thousand times smaller than the noise level, out from that noise.

[2] Broadcast systems generally because they are for more than one user and often thousands if not millions can not use the "reliable" communications protocols used for two party communications, because that use "feed back" mechanisms. Instead they use "feed forward" mechanisms such as checksums and duplicated data, the normal example given is Reed-Solomon coding on CDs. Whilst forward error correction (FEC) does not alow Eve to attack Alice at that level, Eve can get communications through to some or all the Bobs. Which as I've mentioned before on this blog can be used to provide better anonymity systems than the likes of Tor (search for "Fleet Broadcast").

Clive RobinsonJuly 20, 2019 9:16 AM

@ Sancho_P,

Beauty lies in simplicity.

Whilst that is true and I've said both "beauty" and "simplicity" are essebtial to good design, we have to be cognizant that they are also both "relative points of view".

The problem with Privacy, and the security required to establish it in todays world is the level of complexity required. You have literally thousands of attack vector classes to consider, with unknown numbers of instances in each. You can not treat each class or instance as seperate entities there are to many. Further as they potentially have as many commonalities as they do differences, it makes sense to analyse them in a way whereby they interlock in a way that helps improve mutual protection.

This can not help but be complex, thus the question arises can "complexity" be both "simple" and "beautiful" as well?

And the answer from nature is yes, at each level from the atomic up. But we also know that below certain levels they can not protect themselves from risk. That is molecules can be attacked by other molecules to protect the simple molecules more complex molecules are required.

It is much the same with electronics, basic components can only protect against basic risks. That is a capacitor can block a high voltage DC signal, spark gaps can when used correctly can clamp high voltages down to earth. Thus you would use a spark gap directly to ground on a long wire antenna. You would then use a band pass filter to block all but frequencies of interest at the receiver front end with series parallel diodes to make a low voltage clamp on either side. But this leaves open other high energy sources such as charge build up from wind and rain. A high value resistor across the spark gap helps prevent slow charge build up, but faster charge build up that produces low frequency AC signals can be dealt with by a fairly high value of inductance across the spark gap. It is also desirable to galvanically issolate the antenna from the feed to the radio to reduce common mode effects thus two close coupled inductors in various configurations do this. Thus what started of as a simple risk that could be dealt with by a single component, quickly became much more complex. Whilst not as simple it still possess beauty if you draw the circuit correctly, and likrwise build it correctly. As most radio engineers will tell you if it looks right it probably is and likewise if it looks wrong it probably is.

Similarly a few lines of code is most likely vulnerable, but as you build up the complexity you remove the easy vulnerabilities as risks leaving the more complex risks to be managed by more complex code. Can code be written that looks right as both a functional/flow diagram and sequential code? Yes, but like simple components to deal with more complex risks you need more complex code.

The thing about email is it is basically a series of simple protocols runing under a simple state machine. It was never designed to deal with risk above simple faliures. It can be shown that the protocols are actually incompleate and not all states can be accounted for. Thus it is not proof against sinple risks that can be used as attack vectors.

Back some years ago quite a few people thought that designing with "Abstract Syntax Notation" (ASN.1) would solve the risk problem. It was later found that ASN.1 like all logics above a certain level had significant issues. One of the largest projects to be implimented in ASN.1 which needed security was the "SET" system. At well over a thousand pages of very tightly typed ASN.1 it was discovered that the design was not fit for purpose and it effectively went nowhere.

Our knowledge of security is far from what it could be and we know that the issues range from simple to highly complex as do the risks thus attack vectors.

Email is clearly not upto much with regards security, and probably will never be so in our current methods of use. Which are to be honest a process of piling more complex risk on by the bucket load rather than fix the basic risks. On the basic principle that breaks camels backs. Email is at best a fairly primitive protocol that sits on other primitive protocols, all of which have had and are expected to have more failures to what are simple to moderate risks that were not even thought of when those protocols were developed. Thus at best it should be viewed as a fairly basic component part that needs much more extensive work and components around it.

Perhaps think of it like the old single wire "phantom circuit" telegraph systems of a century or so ago. Email does after all fail to the same basic risks as the early telegraph networks did, and for almost the same reasons we still see used as a basic design methodology in software these days, of "Get basic function up, and think about fixing it's failing in the future maybe, but importantly don't stop piling on the features untill you break something...".

Clive RobinsonJuly 20, 2019 9:19 AM

@ Wael,

There were a couple of spam pieces around it,

Which is why I suspect it might be a manual process error.

Sancho_PJuly 21, 2019 5:26 AM

@Clive Robinson

„Thus at best [email] should be viewed as a fairly basic component part ...“
- Right, this is the beauty!

„... that needs much more extensive work and components around it.“

OK, just 2 points:

a)
Always use the right tool, fit for the particular job.
A spoon is great to eat soup, but not to repair SMD solder points.

b)
Outsourcing is good for profit, but not for security.
Whom can we trust? The authorities, the powers, big business, the Indians, the ...?

You have mentioned both points many times here in the past, but now you seem to to propose the swiss army knife for communication security?
One solution for all and everything would constitute a monopoly, a single point of failure.
To have security you‘d have to add a homebrew anyway on top of „their solution“.

A90210July 21, 2019 3:44 PM

@Gunter Königsmann, Wael, Sancho_P, TRX, Clive Robinson

TRX wrote:

"> Wael • July 19, 2019 12:12 AM
> Made up my mind: story doesn't add up. Fictitious journalism"

Late to the thread the above led to confusion, since I couldn't find the relevant Wael post.

I imagine that Bruce and the Moderator might have to put up with a lot running this blog (bots, random noise posts, whiners, opinionated individuals, voter suppression attempts, etc., and US, Israeli, Russian, etc., Internet Research Agency (IRA) type organizations, and so on).


Regarding this thread:

1) It seemed odd that submitting a resume, or whatever, the person could see other resumes.

2) It is good to be reminded that, in general, people trust email too much.


Finally, if posters don't push the security boundaries of this blog, including political security boundaries, perhaps we might end up with blended baby food or not be able to see "the forest for the trees."

https://idioms.thefreedictionary.com/not+see+the+forest+for+the+trees

https://grammarist.com/usage/cannot-see-the-forest-for-the-trees/

TRXJuly 22, 2019 4:14 PM

From memory, Wael's post was short and said he didn't believe the story. I don't remember anything contentious about it.

If it had been deleted due to content my reply would almost certainly have been deleted as well. So I'll go along with the "accidental" theory...


Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.