Copyright © 2010 What The Hell? Security
San Francisco, Calif. — A man who spent the last 9 years in a phishing-induced coma awoke today — only to relapse minutes later upon learning that absolutely no progress had been made on the anti-phishing scene since 2001.
In an exclusive interview held at Sanford Wallace Memorial Hospital, Dr. Hormel Aspic told this reporter that his patient, whose family wishes anonymity, first collapsed during the 2001 RSA Conference, apparently while observing a panel discussion on phishing. Witnesses independently confirmed that the man lost consciousness “as if choreographed” after a unanimous agreement by panel members that authenticated email would stop phishing.
“Our secure hospital records (© 2001-2010 Google) indicate that upon the patient’s admittance to our emergency room, the physician in charge undertook our standard procedure of comparing the man’s vitals against every entry in Black’s List of Universally Recognized iLlnesses,” a.k.a. Black’s List of URLs, said Aspic. “Unfortunately this procedure dramatically slowed rendering of his EKG monitor. So the physician abandoned it in favor of a detailed examination of the markup.” The results were stunning: The patient had contracted a new strain of the Hepatitis virus, since dubbed Hepatitis P, most likely from a nearby cyber cafe known to serve contaminated shellscript.
Aspic says that nine uneventful years passed for the patient (and anti-phishing solutions), until he was making this morning’s rounds. “The patient’s eyes suddenly snapped open. After affirming his right to anonymity, and verifying that he knew his name was Henry Limpett, I explained that he’d been comatose for 9 years. I then urged him to try to recall the events immediately preceding his blackout. He appeared to recount the phishing panel discussion with such clarity that I felt moved to hand my HIPAA-compliant laptop to an outsourced orderly wearing a DEFCON t-shirt, asking him to locate some quotes from the 2001 panel. After kindly upgrading my browser to IE 2.0, he found some [here], and sure enough, the patient had nailed every one of them verbatim.”
What happened next is a matter for debate, but the end result is not: Ninety seconds later the patient relapsed into coma. Aspic asserts that the injection he administered of Canadian Imported Career Advancing Acai-flavored Vi@gra 80% OFF re-triggered the Hepatitis P virus. But the patient’s celebrated shift nurse, speaking under condition of anonymity, claims otherwise. “The patient asked if he could borrow Aspic’s laptop to altavista how phishing had eventually been eliminated during his nine years in coma. After clarifying his request by conjugating ‘to altavista’, the patient glanced at the still open story [here]. The last thing he said before his head thudded on the pillow was ‘What the hell? This story is dated 2010 not 2001!’”
Editor’s Note: Since ALL of the links in this story are phishing links, do not click on any of them until applying this important anti-phishing procedure:
1. copy-and-paste this story into an email message
2. digitally sign the message
3. send it to yourself
4. locate the message in your inbox
5. verify its digital signature
The links in THAT copy of the story, being contained within an authenticated email message, will no longer be phishing links. Click here for more details.
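The Editor’s Note procedure, carried out literally, as an added example that is not part of the original post. It signs the story with an HMAC keyed by a secret only the signer holds (a fair stand-in for a real signature when the sender and the recipient are the same person), serialises the message as it would leave the machine, parses the copy that “arrives”, and verifies the signature. The secret key, the story text, the .invalid hostname that plays the phishing link, and the X-Demo-Signature header are all constructed for this example; the body canonicalization is a simplified version of what DKIM’s relaxed mode does.

```python
import base64
import hashlib
import hmac
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default as DEFAULT_POLICY

# Constructed for this example: the signer's secret. Sending to yourself is the
# one case where a shared-secret MAC is an honest stand-in for a signature.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed story text. The hostname uses the reserved .invalid TLD, so it
# resolves nowhere; it only plays the part of "a phishing link".
STORY = (
    "A man who spent nine years in a phishing-induced coma awoke today.\n"
    "Click here for more details:\n"
    "http://secure-login.example-bank.invalid/verify\n"
)

SIGNATURE_HEADER = "X-Demo-Signature"   # hypothetical header name for the demo
URL_RE = re.compile(r"https?://[^\s<>\"]+")


def canonicalize(body):
    """Simplified body canonicalization (in the spirit of DKIM 'relaxed'):
    drop trailing whitespace on each line and trailing blank lines, so the
    signature survives the line-ending changes a mail hop may introduce."""
    lines = [line.rstrip() for line in body.rstrip("\r\n").splitlines()]
    return "\n".join(lines) + "\n"


def mac(body, key):
    """HMAC-SHA256 over the canonical body, base64 so it fits one header line."""
    digest = hmac.new(key, canonicalize(body).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_message(body, address="me@example.invalid"):
    """Step 1: copy the story into an email message addressed to yourself."""
    msg = EmailMessage()
    msg["From"] = address
    msg["To"] = address
    msg["Subject"] = "Phishing story (copied)"
    msg.set_content(body)
    return msg


def sign(msg, key):
    """Step 2: 'digitally sign' the message by attaching a MAC over its body."""
    msg[SIGNATURE_HEADER] = mac(msg.get_content(), key)
    return msg


def send(msg):
    """Step 3: what actually leaves your machine is the serialized message."""
    return msg.as_string()


def verify(raw, key):
    """Steps 4-5: parse the copy found in the inbox and check its signature.
    Returns (verified, body)."""
    msg = message_from_string(raw, policy=DEFAULT_POLICY)
    body = msg.get_content()
    presented = str(msg[SIGNATURE_HEADER] or "").strip()
    return hmac.compare_digest(mac(body, key), presented), body


def extract_links(text):
    return URL_RE.findall(text)


def run_procedure(story=STORY, key=SECRET_KEY):
    """Carry out the Editor's Note procedure and report what it established."""
    raw = send(sign(build_message(story), key))
    verified, body = verify(raw, key)
    return {
        "verified": verified,
        "links_before": extract_links(story),
        "links_after": extract_links(body),
    }


def run_tampered(story=STORY, key=SECRET_KEY):
    """Same procedure, but something rewrites the link in transit. This is the
    one thing the signature does catch."""
    raw = send(sign(build_message(story), key))
    raw = raw.replace("secure-login.example-bank.invalid", "other-host.invalid")
    verified, _ = verify(raw, key)
    return verified


if __name__ == "__main__":
    result = run_procedure()
    print("signature verified:", result["verified"])
    print("links before signing:", result["links_before"])
    print("links in the signed, verified copy:", result["links_after"])
    print("tampered copy verifies:", run_tampered())
```

The signature verifies, and the links in the verified copy are exactly the links that were in the story before it was signed. What the signature establishes is that the message came from the key holder and was not altered on the way (the tampered run fails verification); it says nothing about where the links go, which is the whole joke.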
Filed under: phishing, security, security humor, security sense

I like your sense of dark humor and mockery here, but isn’t the real lesson here that if you have an insecure protocol without authentication, it is difficult or impossible to use it to communicate in an authoritative and dependable way?
Solutions to the whole email issue have come and gone without success.
Whitelisting hasn’t worked.
Signatures haven’t worked.
Blacklisting hasn’t worked.
Greylisting has had some success, but not much.
All that these have accomplished is increasing the amount of bandwidth consumed in the sending of mail and gains in abusing related systems and infrastructure to keep the low % of success revenue stream to scammers churning.
Sure. You can blame the ease of credit card fraud and abuse of SSNs and other identity numbers. Those should be fixed as well.
The practice of building infrastructure on frameworks, languages, and systems that are inherently insecure and stopgap measures that are highly complex are doomed to fail even before they are birthed. SPF is the kind of thing that Vixie, I believe, was talking about in his last manifesto.
It would be nice, as email continues to collapse into the Google/Hotmail/Yahoo clouds, if one of them would pick a solution for MTAs and make it mandatory to play. Implement something like the concept of Twitter Verified or some other rigorous human approval process (a couple of years ago X.509 might have been mentioned here). Remove the direct revenue stream from it, build in a web of trust if you want to distribute it, and it will be done.
Until then, it’s still a scammers’ paradise, as you have to be an information security expert to go on the internet with any degree of safety.
Even World of Warcraft found a decent way to authenticate their users with greater success. Why? Because when Blizzard has a loss of assets and pisses off their userbase, they can’t pass the losses on to someone else.
So unless everyone wants to go to a secure platform with limited ability to run only vetted and pre-approved software (Android and iPhone/iPad seem to be closing in, but are not there yet), we’ll have to have a plan for improving the whole threat landscape and not just passing the buck.
No one wants to stop passing the buck, thus phishing will be around and healthy until they do.
Doesn’t it make you sad? :(