Thoughts on the Posterous hack (dustincurtis.com)
38 points by prabodh on June 18, 2010 | hide | past | favorite | 60 comments


Hey guys. I'm the cofounder of Posterous.

Yes, someone did figure out how to post to Dustin's site today. This security hole is now fixed.

We had a specific problem with the way we dealt with SPF records. Dustin didn't set any up, and there was a specific way that Robin Duckett's email server responded that caused us to flag it as a false negative for spoofing.

For the vast majority of users who use gmail, hotmail or other services, this was never an issue.

Since our launch on day one, we have taken email spoof detection very seriously. It's one of our core differentiators: to be able to securely post to your blog by emailing a single, easy to remember address. We don't want to do secret addresses or secret words.

Over the past 2 years, we've developed robust spoof detection ip and spend a ton of time trying to stay a step ahead of hackers. Fortunately, we've only had a few very specific, isolated cases where one of our sites was spoofed and each time we have improved our system.

Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!
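The failure the cofounder describes above, a domain with no SPF record being treated as "not spoofed", is the main thing an SPF check can get wrong. The following evaluator is an added example, not Posterous's code; it works offline against a constructed table of TXT records (the domains, addresses and the `FAKE_TXT_RECORDS` table are assumptions) and shows why a result of `none`, `neutral` or `softfail` must never be read as a pass. It covers `ip4`, `ip6`, `include` and the `*all` terms only; `a`, `mx`, `exists` and `redirect=` are left out. Note also that SPF is evaluated on the envelope sender, so a pass says the connecting server may send for that domain; it does not by itself bind the `From:` header a blog-by-email service keys on.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups. The domains and
# addresses are assumptions for this example, not Posterous's or Dustin's.
FAKE_TXT_RECORDS = {
    "example-sender.test": ["v=spf1 ip4:198.51.100.0/24 include:_spf.mail.test -all"],
    "_spf.mail.test": ["v=spf1 ip4:203.0.113.10 ~all"],
    "softfail-only.test": ["v=spf1 ip4:192.0.2.1 ~all"],
    "no-spf.test": [],        # the "didn't set any up" case from the thread
    "loop-a.test": ["v=spf1 include:loop-b.test -all"],
    "loop-b.test": ["v=spf1 include:loop-a.test -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 4408 caps DNS-querying mechanisms at 10


def lookup_txt(domain, records=FAKE_TXT_RECORDS):
    """Stand-in for a DNS TXT query (offline, constructed data)."""
    return records.get(domain.lower(), [])


def check_spf(ip, domain, records=FAKE_TXT_RECORDS, _depth=0):
    """Simplified SPF evaluation of connecting IP `ip` for sender domain `domain`.
    Returns pass / fail / softfail / neutral / none / permerror.
    Handles ip4, ip6, include and *all; a, mx, exists and redirect= are omitted."""
    if _depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    spf = [r for r in lookup_txt(domain, records) if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "none"          # no policy published: says nothing about the sender
    if len(spf) > 1:
        return "permerror"     # more than one record is a publishing error
    addr = ipaddress.ip_address(ip)
    for term in spf[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif mech == "include":
            sub = check_spf(ip, arg, records, _depth + 1)
            if sub == "pass":
                return QUALIFIERS[qual]
            if sub in ("none", "permerror"):
                return "permerror"   # including a missing or bad record is an error
        # other mechanisms are ignored in this simplified evaluator
    return "neutral"               # record ended without an *all term


def may_autopost(ip, domain, records=FAKE_TXT_RECORDS):
    """Gate for a post-by-email service: only an explicit SPF pass is evidence
    that the connecting server may send for this domain. 'none', 'neutral' and
    'softfail' are not passes and must not be treated as 'not spoofed'."""
    return check_spf(ip, domain, records) == "pass"


if __name__ == "__main__":
    for ip, dom in [("198.51.100.7", "example-sender.test"),
                    ("203.0.113.10", "example-sender.test"),
                    ("192.0.2.50", "example-sender.test"),
                    ("192.0.2.50", "no-spf.test"),
                    ("192.0.2.50", "loop-a.test")]:
        print(f"{ip:>14} {dom:<22} {check_spf(ip, dom):<9} autopost={may_autopost(ip, dom)}")
```

The deliberate design choice is in `may_autopost`: the check is `== "pass"`, not `!= "fail"`. A sender domain with no record returns `none`, and a service that treated anything other than `fail` as genuine would auto-publish exactly the messages it cannot vouch for.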


Great that you responded to the issue.

>We had a specific problem....

Most of the people here work in technology. Your response sounds a bit hand-wavy, as if you're alluding to some great complexity when the described "hack" is so incredibly rudimentary it would be the first thought of anyone making such a solution. The parts in this mechanism are trivial.

We've all done the "well...the packets they..uh...confluence of...ECC..."

>trying to stay a step ahead of hackers

Be wary of false confidence. I would wager that you've stayed a step ahead simply because you haven't gotten their attention yet. It's a classic "low security", non-scalable start-up approach. A "we'll deal with that once we're big enough that people notice it" approach.

>Over the past 2 years, we've developed robust spoof detection ip

Beyond using SPF and DomainKeys, I would be surprised if you have anything that could accurately get called "IP" in the realm of email. It's a long, long trodden ground.


Posterous actually has a nasty security hole which allows you to get the email address for any posterous which the user has not claimed.

Here's a posterous I just created: http://john-tfk88.posterous.com/ that I have not claimed.

The 'Claim this site' link goes to http://posterous.com/main/register?hash=Bu5fX3lRT2rYPURl7axZ...

If you view the source you'll find that my email address is 'hidden' in the page:

  <input id="user_mail" name="user[mail]" type="hidden" value="jgc@jgc.org" /> 
So, for any unclaimed posterous you can programmatically get the owner's email address. A nice hack would be to grab the email address of newly created posterous accounts, wait for them to be claimed (or not) and then start spamming them. Yay!

Oh look: http://www.google.co.uk/search?hl=en&q=%22claim+this+sit...


Hey guys. I'm the cofounder of Posterous.

We have looked into this issue and have confirmed this is not a security hole. No personal information is revealed to users other than through obscure links that are only available to the true site owner.

This url is only available:

1. In the emails we send to users to claim their site. So only the true owner receives these.
2. On the Posterous site itself, but only when we know it's the site owner (based on cookies and other tests).

That Google search does include a bunch of unclaimed sites. However, none of those sites will include the secret hash, and therefore none will expose the email address.

The fact that we include the email address in the form is definitely odd, and we're removing that now. But nonetheless, it's only visible to the person who created that site, behind obscure URLs.

We're very confident in the system we have built. While making things super simple for the common user, we never forget that our users care a lot about keeping their information secure.

Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!


Ah. I should have double checked that. What's the emoticon for 'red face'/ashamed?

I'll leave my original post intact as an example of what happens when you get 3 hours sleep and then shoot your mouth off.


We're investigating this. We'll update asap.


Yikes. One of the top hits is for (what appears to be) Jamie Cullum's posterous. Can't tell if it's actually his or just a fan site. But your trick doesn't seem to work for it.

http://en.wikipedia.org/wiki/Jamie_Cullum


Perhaps I'm mistaken then and should have spent more than 5 minutes on it. How I wish this iPhone had View Page Source.


You can install a bookmarklet to view source

http://fettig.net/weblog/2007/07/02/view-source-for-safari-o...


"As a user, I fully accept it. http://blog.dustincurtis.com has received almost a million pageviews in the past year, and this is the first time this has ever happened. And It happened because I provoked it in an extremely popular article was posted to a community of hackers. To be honest, I expected someone to try this."

as an EDUCATED user YOU accept it, I'm not sure most of the posterous users understand and would make the same decision to use posterous if they did.

this is like saying car companies could sell shitty locks on their cars because they mostly won't be tested anyway, and the driver will have an easier time getting into the car. it's VERY unlikely my mother's car will be broken into just statistically speaking, but hey even if it happens it's just one person. not a big deal.

I'm pretty sure if posterous made it clear how easy this is many users would stay away, just like many people would not buy toyotas if they came with shitty locks, no matter how little they expected to be broken into.


If someone steals your car, you're out many thousands of dollars and extremely inconvenienced.

If some random idiot posts a link to a Nigerian scam on your blog, you just delete it and get on with your life.


Unless you're one of several companies or high profile individuals that uses the service (YCombinator, Alex Bogusky, etc.)

Edit — More extensive list here: http://posterous.com/explore/moreblogs


Assuming that there's a trust being built between users, far more dangerous results can happen than 'nigerian scam' posts.

That's the problem with minimizing security: you're making it so that there can't (or shouldn't) be trust between users because there's no reliable way to know who is making the post.

"Hey, just a quick note to let you know I tried <apple app link> and I love it! Grab it now!"

Or, more dangerously, someone could post a phishing link and because the context is different, people's trained safeguards ("BE WARY OF E-MAIL!") aren't as wary to blog links.

So yes, there are sometimes tradeoffs between security and ease of use. But I think trust is more important to posterous than you credit.


maybe to you it doesn't matter, but these things can be intensely personal to people. it's still an issue of violating your space (to the layman end user, i know the technical definitions of "your space" are nebulous, I'm talking about the emotional ones that i think posterous is kind of violating).

and what happens when the idiot who posts the nigerian scam on your blog scams your mother who is reading your blog and assumes it's from you? no big deal? move on with your life? try and be a little imaginative with the things that could be done here...

if it's not a big deal, posterous should make it clear to users what they give up for convenience. again, i really don't think users would make the same choice they are to use posterous if they understood the implication. whether or not it matters to you.

and more importantly, there are a ton of people suggesting pretty viable alternatives that wouldn't make it harder to post and would still allow a lot more security.


Appreciate the concern, and we hear you. We're still investigating this particular case. Normally we'll catch these types of spoofed emails. What we need to do is refine our system.

To be honest, we haven't had many complaints about spam emails or spoofs -- it literally never happens, otherwise we would hear about it all the time. We answer every help email we get -- so we have a decent idea of what our users care about and what pains they really see.

If trust is an issue, we will fix it.


>To be honest, we haven't had many complaints about spam emails or spoofs

Because you're below most people's radar. Compared to blogger or anything similar, you barely measure.

So essentially you are practicing security through obscurity.

Of course we know that is foolhardy.


I wonder if your users feel the same way.


Actually, since the internet never forgets, a hacked blog might cause much more severe damage than a stolen car. There are also other sorts of crimes besides Nigerian scams.


This is a pretty weak argument. Windows is notoriously insecure, but many people choose to use it everyday. Making decisions about tradeoffs between insecurity and convenience is part of life, and it's not for us to assume what most people would do.

Further, I think if you made the downsides of everything abundantly clear to people then they would just be really scared. Everything, including posting to hackernews, has horrific potential consequences. But generally as long as bad things don't happen, people don't pay much attention to them. Where there's no smoke, there's no fire.


Of course somebody is interested in spamming his mother's blog. A script doesn't care whose blog it spams. Now that the word is out, I expect it will only be a matter of time until such scripts emerge.

It's the typical false assumption non-technical users have about security: who would be interested in hacking me anyway? Automated scripts, that is who.

Also, how are the email posts interpreted by posterous - is it possible to post custom html snippets and javascripts via email? This would be scammer's heaven, as they could probably even hide that a blog has been spammed.


He says there is no interest to post to his mom's posterous, but is that really true?

I can imagine quite a lot of spammers who would love to have a blog-post on an otherwise reputable blog. If spammers manage to abuse this system they could get their blogposts, filled with links and instructions to buy medication, all over all posterous blogs.


Ah yes, the sole exception to this security sacrifice is spammers. You have to keep them out, no matter the cost.

Posterous does a good job of keeping them out, I think, because I've never seen a spam post.


This seems mostly security by obscurity.

If spammers already have a list of "valid" email addresses, how long before they start randomly hitting post@postereous.com with spoofed headers on a regular basis?


That's a war we will fight when we have to. And we will fight it with relish and aplomb.


I remember reading somewhere about the abysmal conversion rates that spammers get (it was something like 1 in 12 million or something like that).

So, you'd need some 12 million blog posts that look real enough to fool a user's reader to get one conversion.

And it's not like Posterous isn't aware of the insecure nature of email. As some have suggested, they can just turn on pre-approval of submissions and this whole thing would be moot.

Put it another way: if you were to compete against them, would you create a blog-by-email service that focuses on being secure? Or ease of use? I imagine the latter has a lot more value to users. As Schneier always says, security is all about trade-offs, and choosing to handle "what-if" scenarios tends to be less nice than handling "this-is-what-is-going-on-for-real" scenarios.


Regarding conversion rates, people have been trained to distrust email, but the same isn't necessarily true for blogs. If a spammer put together a well-worded "spam" message — especially if it's something people write about all of the time, like electronics, music or book reviews, etc. — it's not unreasonable to expect conversion rates would be much higher.


FWIW, anyone who hangs around blogs knows a spam comment when they see one. I'd imagine that it's even harder to make a fake blog post believable, since it's easier to wing something like: "yeah I agree [link to fishy site]" than it is to make a well-written post (especially if it needs to be generic enough to pass as legitimate in 12 million different blogs...)


NB, scam != spam.

E-mail spammers might need to send out millions of messages to get a conversion, but a more carefully crafted scam on a popular blog might be profitable with significantly less views.


How's it easier to make 12 million carefully crafted scams without raising anyone's suspicion that the posts aren't legitimate? I could see the scam working on a Viagra blog, but how is it useful to anyone to have copies of what clearly look like a fishy post all over the place, possibly followed up by the real authors calling you out and telling people NOT to buy from you?

Besides, if you're scamming, why not just create a free blog? There are tons of get-rich-quick schemes out there doing just that...


Simple. Create an email alias (spacemuffinftw) just for Posterous and post with that, making it your password in a way.

Edit: Seen in other comments -- cool thing would be for Posterous to support SPF. Definitely techie oriented and not for general folks, but in a system like Posterous, it should be baked in from day one. It would protect quite a bit of folks while majority of them not even realizing or even knowing what SPF is.


SPF is already baked in. You can't set up an email account without understanding the ins and outs of that stuff. It is one part of an arsenal.


Nice to know Posterous checks SPF records amongst other checks! Do you also check IN SPF records or just IN TXT? From my experience, the actual SPF record type is seldom used. For my personal domain, I only use SPF and do not publish TXT at all -- dnscog.com thinks I don't have SPF record published, oh the irony of them (Dyn Inc) being the DNS force and all.


Here's the deal - as soon as your blog reaches any level of popularity, people are going to want to deface it / hack it any way they can just because it's that much bigger of a prize. If Posterous is this easy to hack, once you have a decent sized blog you're going to have a constant field day until they implement something better.

If you want to keep security simple enough that it doesn't strangle the service then hand out a unique email like post-45h231sxax23s1@posterous.com and have the user add that to their address book - voila, you've managed to add a layer of obscurity to posterous' posting mechanism at least, even though it's still not really a strong one.


Apparently not, because his blog had "any level of popularity" long before it was hacked. Since this is the first I've ever heard of a Posterous hack, clearly it's not true that all decent sized blogs are being hacked constantly.

On the surface, what you say makes sense, but the real life data doesn't back it up.

Compare to: http://www.schneier.com/blog/archives/2010/05/why_arent_ther...


Way to totally put up a strawman argument. I did not argue that all popular blogs are ALWAYS being hacked constantly - I just said that it's that much bigger of a prize and people are going to give it a shot, and if the blog system is this easy to hack, you're going to have to regularly (perhaps I should have used regularly instead of constantly, given that a lot of people on this board, like you I suspect, have a bad habit of taking things too literally) deal with hacks.


I think his argument comes off as too utopian for me to accept. Like everyone else has said, of course people will want to exploit an easy loophole on someone who has a bit of exposure.

I think Posterous hasn't grown to a point where they have to worry about it yet, but look at the exploits on Wordpress. They're much more advanced and hackers continually attempt to break in for fun or for abusive reasons. It's naive to assume that you can simply keep this convenience as a security trade off as the product gains the attention of the world.


That's the thing -- it's not an "easy" loophole. Like any arms race, every website is in competition with its foils -- scammers, phishers, spammers and their ilk.

I disagree that it's not possible to stay ahead of them. That's our job.


1) Why can I not comment on the actual post? That's a little disconcerting.

2) I don't understand the need to post by e-mail. What does that gain me? Is there any use in that other than gimmick? Wouldn't a nice site offer me more chances for formatting, etc? What is the difference between typing info into a site and into an e-mail? What is the benefit? Can't a site be easier to use than e-mail?

3) Security is not a concern? I hope you are happy with the size of your company since it can not grow, because once you become any kind of force in the market, you will have to deal with things that you may not have to deal with now.

If you can't think of any scenarios in which this is a problem, let me enlighten you:

- Lawsuits because an angry ex/employee/anyone posts items on a blog. (Yes, this can happen with other systems, but a lack of security is different from being hacked/people stealing passwords, etc.)
- Competitors who want to cause you problems.
- Unhappy customers who find their site "hacked", including support time and money.

Now that the "hack" is discovered, expect more. Security through ignorance is gone once the ignorance is gone.

When you ignore warning signs because nothing bad has happened YET, get ready. Look at BP. Over 700 violations they shrugged off because it didn't affect them. Now it does and their stock, company name, and the well-being of many they affected is in the toilet.

This is your wake up call. Listen to it: don't ignore it. Security matters.


We hear you. Listen, security is a super important piece of our product. And we wake up in the morning and go to sleep at night thinking about product.


Posterous could offer a really simple, and optional, security option by disabling auto-posting unless your email includes a secret key. E.g. you would have to write 'passkey=tomato' somewhere in your email.

If the email doesn't include the passkey, the user would receive a "click link to publish" email.

Simple.


The real danger here isn't spam, it's false flag attacks.

If something offensive appears on your posterous under your name, will anyone believe you when you claim it's a hack?

On the other hand, maybe it provides a convenient excuse if you post something dumb and want to disown it . . .


A picture of Mohammed perhaps...


http://news.ycombinator.com/item?id=1442163

The compromise I suggested here addresses both concerns (ease of use and security)


My email address is of the form firstname@lastname.com, and I got around this issue by creating an alias for sending in Gmail that's firstname+randomstring@lastname.com. As a security measure it's not perfect, but it's not something someone's just going to be able to guess.

That solves the issue for me, but not for most (less tech-savvy) people. I think what Posterous needs is the ability to require confirmation by email when a post is made by email. I get that you can do this by setting your blog to 'anyone can post', but that seems counterintuitive, and most people don't understand how easy it is to spoof emails. As long as the confirmation can be done by email, I don't think it'd be much of an inconvenience.


I care about my reputation, therefore I would not use Posterous.

There's nothing stopping Posterous keeping it working exactly the same way, but providing an additional layer of protection for users who want to lock down their blog.

1.) Don't publish emails unless they passed DKIM

2.) Don't publish emails unless they passed SPF

3.) Don't publish emails unless they contain a secret password

4.) Don't publish emails unless they're signed with my PGP key.

Any of the above would be enough. It's all about choice.
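The passkey proposal a few comments up ("write 'passkey=tomato' somewhere in your email, otherwise you get a click-to-publish mail"), the plus-addressed alias trick, and the menu of proofs in the comment above all reduce to the same gate: an incoming message earns auto-publication only by presenting a proof the site owner opted into, and everything else is queued behind a confirmation link. The code below is an added example, not Posterous's implementation; the `SITE` record, `SERVER_SECRET`, the field names and both sample messages are constructed for illustration. DKIM and SPF results are taken as already computed by the receiving MTA (and assumed aligned with the `From:` domain), since that is where they are verified in practice; the example's own work is the passkey handling, the decision, and the confirmation token.

```python
import email
import hashlib
import hmac
import re
from email import policy

# Constructed per-site settings standing in for a user record; the field names
# are assumptions for this example, not Posterous's data model.
SITE = {
    "owner": "alice+k3vq9@example.test",    # plus-addressed alias used as a weak secret
    "passkey": "tomato",                     # body passkey, as proposed in the thread
    "auto_publish_if": ["dkim", "passkey"],  # any listed proof lets a post skip confirmation
}
SERVER_SECRET = b"constructed-server-secret"  # assumption: per-deployment HMAC key

# A 'passkey=...' line anywhere in the body; the whole line is removed before publishing.
PASSKEY_RE = re.compile(r"^[ \t]*passkey[ \t]*=[ \t]*(\S+)[ \t]*(?:\r?\n|$)",
                        re.IGNORECASE | re.MULTILINE)


def extract_passkey(body):
    """Return (passkey or None, body with the passkey line removed)."""
    m = PASSKEY_RE.search(body)
    if not m:
        return None, body
    return m.group(1), body[:m.start()] + body[m.end():]


def confirmation_token(post_id, sender):
    """Token for the 'click this link to publish' mail; unforgeable without SERVER_SECRET."""
    msg = f"{post_id}:{sender.lower()}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def decide(raw_message, site=SITE, auth_results=None):
    """Classify an incoming post-by-email message.

    Returns (action, body, token): action is 'reject' (not from the owner's
    address), 'publish' (enough proof to auto-post) or 'confirm' (queue it and
    mail a confirmation link). auth_results is what the receiving MTA recorded,
    e.g. {'spf': 'pass', 'dkim': 'pass'}, assumed aligned with the From: domain.
    A From: header alone costs nothing to forge, so it never authorizes by itself.
    """
    auth_results = auth_results or {}
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_hdr = msg["From"]
    sender = from_hdr.addresses[0].addr_spec.lower() if from_hdr and from_hdr.addresses else ""
    if sender != site["owner"].lower():
        return "reject", "", None

    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    key, body = extract_passkey(body)

    proofs = set()
    if auth_results.get("dkim") == "pass":
        proofs.add("dkim")
    if auth_results.get("spf") == "pass":
        proofs.add("spf")
    if key is not None and hmac.compare_digest(key.encode(), site["passkey"].encode()):
        proofs.add("passkey")

    if proofs & set(site["auto_publish_if"]):
        return "publish", body, None
    post_id = str(msg.get("Message-ID", "")).strip("<>") or "no-id"
    return "confirm", body, confirmation_token(post_id, sender)


# Constructed sample messages (not real mail).
LEGIT = """From: Alice <alice+k3vq9@example.test>
To: post@example-blog.test
Subject: Hello
Message-ID: <legit-1@example.test>
Content-Type: text/plain; charset=utf-8

Hi this is an example blog post
I'm gonna see if this works
passkey=tomato
"""

SPOOFED = """From: alice+k3vq9@example.test
To: post@example-blog.test
Subject: Great offer
Message-ID: <spoof-1@attacker.test>
Content-Type: text/plain; charset=utf-8

Cheap pills at http://example.invalid/
"""

if __name__ == "__main__":
    print(decide(LEGIT, auth_results={"spf": "pass"})[0])     # publish
    print(decide(SPOOFED, auth_results={"spf": "none"})[0])   # confirm
```

Two choices worth noting. `SITE["auto_publish_if"]` deliberately omits `spf` here: SPF breaks under mail forwarding, so a site that lists it risks locking its owner out of auto-posting, while DKIM survives forwarding and a body passkey needs no mail infrastructure at all. And the spoofed message is not rejected outright: the owner's alias is public knowledge in this model, so a message from it without proof is merely held for confirmation, which is the mail the real owner would receive and could decline.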


We do a mix of these things. In this specific case, it failed. We're investigating.


Cool. Would it be possible for me as a user to specify that only PGP signed emails should be auto-posted, and everything else should be subject to a confirmation email?

That would be the ideal scenario for me personally...


That's a good idea. What I want is some end-user-friendly PGP-like solution. If it existed in a form that we knew millions of users already were used to using, or that we could roll out -- we would do it in a heartbeat.

Have to think about normals on it though. It's not good enough to think about tech savvy people like us.

But for those who care, it might be the best way. Thanks.


An interesting thing posterous could do is send the user a (daily? weekly?) email "reminding" him of the blog, and making it so that just replies to that email count as posts. This lets them even change the GUID for each user if they think it has been compromised.


Sounds like a security issue to me.


couldn't they do something like the email address is yourusernameatyourdomain.comandanextrabityoutset@posterous.com which would be an id you could remember?


or just a random noun@posterous.com? Or make it user-configurable?


or both... assign a random GUID, and then allow the user to set it something they want if they choose. That's probably the simplest way, and of course the simpler the better for both development and security.


Surely the easiest way would be to require you put your password somewhere in the body of the email.

eg:

  Hi this is an example blog post
  I'm gonna see if this works
  ys8uc99p


I think that putting a password inside the post field (the email body) could lead to some issues. :)


Uhm you don't have to have an epic GUID e-mail address. Just pair it with your e-mail. So let the user set it to whatever they can remember (their name backwards and ROT13'd, whatever, so long as it's unique) and only accept posts to that address from their verified e-mail. That would at least curb some of the danger of this setup.


Or you could make high-security posting optional, for users who get a lot of traffic; much like how E-trade will give you a two-factor authentication fob if you've got enough money invested with them.


they could allow for configurable security, like allowing users to specify a gpg public key. Doesn't have to be the default.


There's an even easier solution... require confirmation via email. You send the post as an email, you get an email back immediately asking for post confirmation.

edit:

It looks like this is already standard functionality (if turned on, and even if not there is still an email sent with a delete link).

I don't think dustin does a good job explaining why "It is OK" in this blog post, but I think I agree with his conclusion, this doesn't seem like a big deal if a user has opted for the more optimistic workflow rather than the more precautionary one.


I see this argument all the time. "Oh, Joe Schmo won't know how to do this! It'll frighten them!".

And this happens absolutely everywhere. And it's true. But this problem won't go away until we start FORCING people to adapt, by adopting stricter measures everywhere.



