Archive for the ‘security’ Category

Yet another CalMail phishing attempt

February 20th, 2010

Still fairly obvious, but it looks like phishers are getting better. Below is the email with full headers (headers revealing my secret email server setup redacted):

Return-path: xxxx...@berkeley.edu
Envelope-to: xxx...@xxxxxx.xxx
Delivery-date: Sat, 20 Feb 2010 21:19:26 -0800
Received: from xxxxxxxx.berkeley.edu ([128.32.xxx.xxx])
        by xxxxx.xxxxxxxxxxxx.xxx with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
        (Exim 4.69)
        (envelope-from <xxxx...@berkeley.edu>)
        id 1Nj4E2-0003HR-Mg
        for xxx...@xxxxxx.xxx; Sat, 20 Feb 2010 21:19:26 -0800
Received: from xxxxxxx by xxxxxxxx.Berkeley.EDU with local (Exim 4.69)
        (envelope-from <xxxx...@berkeley.edu>)
        id 1Nj4E2-0004s1-Bl
        for xxx...@xxxxxx.xxx; Sat, 20 Feb 2010 21:19:26 -0800
Received: from cm03fe.ist.berkeley.edu ([169.229.218.144])
        by xxxxxxxxx.Berkeley.EDU with esmtp (Exim 4.69)
        (envelope-from <webm...@berkeley.edu>)
        id 1Nj4E2-0004rv-9i
        for xxx...@xxxxxxxxxxxx.xxx; Sat, 20 Feb 2010 21:19:26 -0800
Received: from cm09be.ist.berkeley.edu ([169.229.218.182])
        by cm03fe.ist.berkeley.edu with esmtps (TLSv1:AES256-SHA:256)
        (Exim 4.69)
        (envelope-from <webm...@berkeley.edu>)
        id 1Nj4E1-0005NQ-Cn
        for xxx...@xxxxxxxxxxxx.xxx; Sat, 20 Feb 2010 21:19:25 -0800
Received: from cyrus by cm09be.ist.berkeley.edu with local (Exim 4.69)
        (envelope-from <webm...@berkeley.edu>)
        id 1Nj4E1-0002WX-Ra
        for xxx...@xxxxxxxxxxxx.xxx; Sat, 20 Feb 2010 21:19:25 -0800
Received: from cm01fe.ist.berkeley.edu (cm01fe.IST.Berkeley.EDU [169.229.218.142])
        by cm09ms.ist.berkeley.edu (Cyrus v2.3.13-CalMail-v2.3) with LMTPA;
        Sat, 20 Feb 2010 21:19:25 -0800
X-Sieve: CMU Sieve 2.3
Received: from persius.rz.uni-potsdam.de ([141.89.68.1])
        by cm01fe.ist.berkeley.edu with esmtp (Exim 4.69)
        (envelope-from <webm...@berkeley.edu>)
        id 1Nj4Dy-0007hK-52; Sat, 20 Feb 2010 21:19:24 -0800
Received: from arnim.rz.uni-potsdam.de (arnim.rz.uni-potsdam.de [141.89.68.11])
        by persius.rz.uni-potsdam.de (8.12.11/8.12.11) with ESMTP id o1L50smS001879;
        Sun, 21 Feb 2010 06:00:54 +0100 (CET)
Received: from uni-potsdam.de (localhost.localdomain [127.0.0.1])
        by arnim.rz.uni-potsdam.de (8.13.8/8.13.8) with ESMTP id o1L50qp1025812;
        Sun, 21 Feb 2010 06:00:52 +0100
Received: from 41.138.182.176 ([41.138.182.176]) by webmail.uni-potsdam.de
        (Horde MIME library) with HTTP; Sun, 21 Feb 2010 06:00:52 +0100
Message-ID: <2010...@webmail.uni-potsdam.de>
Date: Sun, 21 Feb 2010 06:00:52 +0100
From: "Berkeley.edu Web-Administration" <webm...@berkeley.edu>
Reply-to: supp...@live.com
To: undisclosed-recipients: ;
Subject: Alert: Update your CalMail  account
MIME-Version: 1.0
Content-Type: text/plain;
        charset=ISO-8859-1;
        DelSp="Yes";
        format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Internet Messaging Program (IMP) H3 (4.1.6)
X-Virus-Scanned: clamav-milter 0.95.3 at arnim.rz.uni-potsdam.de
X-Virus-Status: Clean
X-j-chkmail-Score: MSGID : 4B80BE06.000 on persius : j-chkmail score : X : 5/50 0
X-Miltered: at persius with ID 4B80BE06.000 by Joe's j-chkmail (http://j-chkmail.ensmp.fr)!
X-Ucb-Scan-Signature: 606d01dea56a423fb13a5c3f55ff5ffa3eae29a5
X-Ucb-Spam: Gauge=IIIIIII, Probability=7%, Report=''
X-Ucb-Notice: This message has been processed by a spam tagging system.
        See http://mailinfo.berkeley.edu/ for more information.

--

Dear CalMail User,

Your email account needs to be upgraded with our new F-Secure® HTK4S
anti-virus/anti-spam 2010 version.
Fill the columns below and click reply to send back or your account will be
suspended temporary from our services.

CalNet ID:
Passphrase:
Phone Number:

Berkeley.edu Web-Administration
Greg Silva

https://calmail.berkeley.edu/

----©2010, University Of California.

Note the fairly convincing From: address. Most email clients hide the suspicious routing information, but the Reply-to: header (which routes replies to supp...@live.com, and which the phishing relies on) is displayed, or can be made visible, in most email clients. So, yet again, people who pay attention to details shouldn’t be taken in by this rather amateurish phishing attempt.

Not to mention one should never send passphrases over email—even if you know the recipient; email is transmitted in clear text between servers and is inherently insecure.

Author: bkpark Categories: security

Conspiracy theory: Obama to declare martial law or something?

December 7th, 2009

A post at LewRockwell.com is worrying whether U.S. army will have a new enemy: American citizens:

Members of all branches of the United States Military will soon be facing a most critical decision. The European Union Times is reporting here that Obama is using the deployment of additional troops to Afghanistan to cover for the movement of some 200,000 troops, presently on duty in countries other than Iraq and Afghanistan, to USNORTHCOM to prepare for the “expected outbreak of Civil War within the United States before the end of winter.”

The claim is just so out there, I don’t know how to take it. Is this one of those truther or birther type conspiracy theories (or, say, DHS report on right-wing domestic terrorism) that have no legs to stand on? Or does this have some basis in fact?

In the end, even if the worst fears (about the ruling elite’s intentions) of Mr. Gaddy come true, I wouldn’t worry about it. Men and women of the American military have been among the fiercest defenders of individual freedom—including the individual right to own and carry firearms—I have ever known. If orders were to come down for these patriotic men and women to trample on the constitutionally protected individual rights of Americans, I have every confidence that they will mutiny before following those orders—after all, the Nuremberg tribunals proved that “just following orders” wasn’t an excuse for ignoring one’s conscience, and if I had to put my trust in anyone else’s conscience, I would put it in the conscience of the American volunteer army.

If I am betrayed by this trust, well, the world as I know it has come to an end and my most deeply held beliefs might as well break.

Calmail leaks IP addresses!

November 29th, 2009

For regular visitors of my blog from UCB, here’s an early holiday Christmas present to you: Calmail leaks IP addresses! Here’s a quick demonstration (I’ve seen similar headers on emails from friends and colleagues, but I didn’t want to expose their info; I’ve redacted some info here as I didn’t want to expose my … secret email server scheme, or my real username for Calmail):

Return-path: xxxx...@visitor3.berkeley.edu
Envelope-to: bkp...@xxxxxx.xxx
Delivery-date: Sun, 29 Nov 2009 01:32:12 -0800
Received: from visitor3.berkeley.edu ([128.32.124.159])
        by helen.byungkyupark.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
        (Exim 4.69)
        (envelope-from <xxxx...@visitor3.berkeley.edu>)
        id 1NEg8a-0000jX-J7
        for bkp...@xxxxxx.xxx; Sun, 29 Nov 2009 01:32:12 -0800
Received: from xxxxxxx by visitor3.Berkeley.EDU with local (Exim 4.69)
        (envelope-from <xxxx...@visitor3.berkeley.edu>)
        id 1NEg8a-0001rk-4v
        for bkp...@xxxxxx.xxx; Sun, 29 Nov 2009 01:32:12 -0800
Received: from smtp-out1.berkeley.edu ([128.32.61.106])
        by visitor3.Berkeley.EDU with esmtp (Exim 4.69)
        (envelope-from <xxxx...@berkeley.edu>)
        id 1NEg8a-0001rW-2q
        for bkp...@byungkyupark.com; Sun, 29 Nov 2009 01:32:12 -0800
Received: from arsenic.calmail ([192.168.1.2] helo=calmail.berkeley.edu)
        by fe2.calmail with esmtpsa (TLSv1:AES256-SHA:256)
        (Exim 4.69)
        (auth plain:xxxx...@berkeley.edu)
        (envelope-from <xxxx...@berkeley.edu>)
        id 1NEg8T-0000qs-8R
        for bkp...@byungkyupark.com; Sun, 29 Nov 2009 01:32:06 -0800
MIME-Version: 1.0
Received: from visitor3.Berkeley.EDU [128.32.124.159]
        with HTTP/1.1 (POST); Sun, 29 Nov 2009 01:32:05 -0800
Date: Sun, 29 Nov 2009 01:32:05 -0800
From: "Byung Kyu Park, BA" <xxxx...@berkeley.edu>
To: bkp...@byungkyupark.com
Subject: This will demonstrate how Calmail leaks IP addresses
Message-ID: <7272...@berkeley.edu>
X-Sender: xxxx...@berkeley.edu
User-Agent: RoundCube Webmail/0.3-RC1.UCB3
Content-Type: multipart/alternative;
        boundary="=_ad4b95d1d25a334cada12ae4c3335783"

Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

And this email was composed on the RoundCube webmail client.

Andrew

You will see that the detailed email header (which most email clients hide, but there is always an option to show full headers) reveals the IP address from which I was accessing Calmail’s webmail interface (no, I’m not in the lab right now; I am proxying through one of my servers, because I consider my current IP address confidential, personal, private information). Similar headers appear if you use the SMTP protocol or if you use the other webmail client.

I am not entirely sure if this is a feature or bug—embedding IP information in headers will help with legitimate activities of law enforcement authorities, as well as illegitimate (is there any other kind?) squelching of dissenting voices—so I haven’t reported it to abu...@berkeley.edu or, I don’t know, h...@berkeley.edu? secu...@berkeley.edu?

In any case, now that you know, you can avoid using Calmail—if you value your privacy.

Ironically, GMail may be one of the most secure email systems to use, as far as privacy goes, because headers from GMail are fairly clean of any private information. Or, I guess if you are like me, you run a computer server at work, on which you run a bunch of things like websites and email servers, whose IP address isn’t exactly a state secret. You can proxy everything through that server (like I did here) or run your mail clients and what-not on that server.

No matter what you do, just remember: when you send an email through Calmail, you announce to your recipient what your IP address is at that moment. Don’t send that email if you are not comfortable with that.
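Both this post and the CalMail phishing post above read the same two things out of a raw header block: the originating hop of the Received: chain (the sender's IP address) and, in the phishing case, a Reply-to: domain that differs from the From: domain. The following Python script is added here as an example and is not code from either post. Its two inputs are constructed by trimming the headers quoted in the two posts (host names and IPs are the ones printed there; the redacted addresses are left redacted), and the function names `triage`, `received_hops` and `address_domain` are my own.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample 1: trimmed from the phishing message's headers quoted above.
PHISH_HEADERS = """\
Received: from persius.rz.uni-potsdam.de ([141.89.68.1])
        by cm01fe.ist.berkeley.edu with esmtp (Exim 4.69)
        (envelope-from <webm...@berkeley.edu>)
        id 1Nj4Dy-0007hK-52; Sat, 20 Feb 2010 21:19:24 -0800
Received: from arnim.rz.uni-potsdam.de (arnim.rz.uni-potsdam.de [141.89.68.11])
        by persius.rz.uni-potsdam.de (8.12.11/8.12.11) with ESMTP id o1L50smS001879;
        Sun, 21 Feb 2010 06:00:54 +0100 (CET)
Received: from 41.138.182.176 ([41.138.182.176]) by webmail.uni-potsdam.de
        (Horde MIME library) with HTTP; Sun, 21 Feb 2010 06:00:52 +0100
From: "Berkeley.edu Web-Administration" <webm...@berkeley.edu>
Reply-to: supp...@live.com
Subject: Alert: Update your CalMail  account

"""

# Constructed sample 2: trimmed from the Calmail demonstration message above.
CALMAIL_HEADERS = """\
Received: from smtp-out1.berkeley.edu ([128.32.61.106])
        by visitor3.Berkeley.EDU with esmtp (Exim 4.69)
        (envelope-from <xxxx...@berkeley.edu>)
        id 1NEg8a-0001rW-2q
        for bkp...@byungkyupark.com; Sun, 29 Nov 2009 01:32:12 -0800
Received: from arsenic.calmail ([192.168.1.2] helo=calmail.berkeley.edu)
        by fe2.calmail with esmtpsa (TLSv1:AES256-SHA:256)
        (Exim 4.69)
        (auth plain:xxxx...@berkeley.edu)
        (envelope-from <xxxx...@berkeley.edu>)
        id 1NEg8T-0000qs-8R
        for bkp...@byungkyupark.com; Sun, 29 Nov 2009 01:32:06 -0800
MIME-Version: 1.0
Received: from visitor3.Berkeley.EDU [128.32.124.159]
        with HTTP/1.1 (POST); Sun, 29 Nov 2009 01:32:05 -0800
From: "Byung Kyu Park, BA" <xxxx...@berkeley.edu>
To: bkp...@byungkyupark.com
Subject: This will demonstrate how Calmail leaks IP addresses

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # first bracketed IPv4 literal
FROM_RE = re.compile(r"\s*from\s+(\S+)")                # host the relay says it got it from


def address_domain(value):
    """Domain part of a From:/Reply-To: header value; None if the header is absent."""
    if value is None:
        return None
    m = re.search(r"<([^>]+)>", value)
    addr = m.group(1) if m else value.strip()
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def received_hops(msg):
    """Received: chain in delivery order (oldest hop first).

    Each relay prepends its own Received: header, so the oldest hop, the one
    closest to the sender, is the last Received: header in the message.
    Each hop is (claimed host, IP literal or None, IP is RFC 1918 private).
    """
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        host = FROM_RE.match(header)
        ip = IP_RE.search(header)
        addr = ip.group(1) if ip else None
        private = ipaddress.ip_address(addr).is_private if addr else False
        hops.append((host.group(1) if host else None, addr, private))
    return hops


def triage(raw_headers):
    """Summarise what a careful reader would look at in the full headers."""
    msg = message_from_string(raw_headers)
    hops = received_hops(msg)
    from_dom = address_domain(msg.get("From"))
    reply_dom = address_domain(msg.get("Reply-To"))   # header lookup is case-insensitive
    origin_host, origin_ip, _ = hops[0] if hops else (None, None, False)
    return {
        "origin_host": origin_host,
        "origin_ip": origin_ip,
        "hops": hops,
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        # Replies going to a different domain than the one the mail claims to be from
        "reply_to_mismatch": reply_dom is not None and reply_dom != from_dom,
    }


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_HEADERS), ("calmail", CALMAIL_HEADERS)):
        r = triage(raw)
        print(name, "origin:", r["origin_host"], r["origin_ip"],
              "| reply-to mismatch:", r["reply_to_mismatch"])
        for host, ip, private in r["hops"]:
            print("   hop:", host, ip, "(internal)" if private else "")
```

One caveat when reading the chain this way: only the Received: headers added by servers you trust (your own, or a relay you know) are reliable; everything below the first trusted relay was supplied by the sending side and can be forged. In the phishing sample the Berkeley relay's own header still pins the mail to persius.rz.uni-potsdam.de, which is already enough to see that it did not come from CalMail. The `192.168.1.2` hop in the Calmail sample is flagged as internal so that the reader does not mistake CalMail's back-end address for the sender's.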

Author: bkpark Categories: security, tech

Why I want to learn to use a gun (and carry it too)

November 6th, 2009

This is why I am determined and resolved to learn how to use a gun (and get a carry permit):

That is a good lesson to remember. The attacker in this case gave little consideration to his personal security, by all accounts, and was not going to stop until someone stopped him. Munley understood this and went against every human survival instinct to pursue a confrontation with a murderous lunatic — and nearly got killed for her efforts. Her heroism saved lives at Fort Hood.

I refuse to be a victim. Because we do not live in an ideal world, there will always be those who want to victimize us, be it a madman or the government (but I repeat myself), and I need to make sure that I can win—if it ever comes down to the contest of brute force.

Update (12/26, h/t: Elliott): my point exactly. Americans are not born victims—that’s why the Founders enshrined the right to defend oneself in the Second Amendment. Absent a statist drive for power, I don’t see why anyone would strive to make any place (airports, airplanes, etc.) a constitution-free zone and designate everyone in that area a victim. Regulations—after all, for something as potentially dangerous as guns and cars, we do want to make sure that people using them are properly trained and do not intend to harm others—I can understand. Blanket bans, I cannot.

TSA improvement: I’ll take what I can get

August 28th, 2009

There is a slight improvement to TSA’s search and seizure of electronic devices:

“The US Government has updated its policy on the search and seizure of laptops at border crossing. ‘The long-criticized practice of searching travelers’ electronic devices will continue, but a supervisor now would need to approve holding a device for more than five days. Any copies of information taken from travelers’ machines would be destroyed within days if there were no legal reason to hold the information.’”

If I take this at face value (so many things promised by this administration didn’t come to be, so I don’t know if I can), then it means if they search and seize my laptop (after finding the encrypted data, if they do), they will have to return the laptop to me in less than one week. I don’t really care if they destroy their copy of my encrypted data (because, barring breakthroughs in attacks against the encryption algorithms in use today, they won’t be able to do anything with it; and for at least 5 years or so I can sleep soundly).

This is a small “improvement”, if that at all, but I will take what I can get. Ideally, I want TSA and its … ineffectual, draconian security theater gone, but some among us do like the pretension of security better than actual security, which I don’t think the government (or maybe even private enterprises) can achieve at all.

Author: bkpark Categories: security

When I'm dead, how will my loved ones break my password? (and not the government)

July 2nd, 2009

Cory Doctorow writes for Guardian,

More specifically, what about the secrets that protect our data? Like an increasing number of people who care about the security and integrity of their data, I have encrypted all my hard-drives – the ones in my laptops and the backup drives, using 128-bit AES – the Advanced Encryption Standard. Without the passphrase that unlocks my key, the data on those drives is unrecoverable, barring major, seismic advances in quantum computing, or a fundamental revolution in computing.

After considering a few options that most people who think about this particular problem would, including an option I might have considered adequate, a safebox containing the passphrase (or an unencrypted private key which can be used to similar effect), and rejecting them, he concludes,

Finally, I hit on a simple solution: I’d split the passphrase in two, and give half of it to my wife, and the other half to my parents’ lawyer in Toronto. The lawyer is out of reach of a British court order, and my wife’s half of the passphrase is useless without the lawyer’s half (and she’s out of reach of a Canadian court order).

Obviously this makes an attack on the passphrase slightly easier: if it was originally 10 characters long, an attacker who gets control of one half only needs to consider a 5-character passphrase. But it’s probably easy enough to make your passphrase long enough to minimize this problem, i.e. make your passphrases 40 characters long instead of the recommended 20 (for my full hard drive encryption, I use a 26-character password, and it probably wouldn’t be too difficult for me to memorize one that’s twice as long).

And if you don’t mind a little bit of technical complexity, you can split the key mathematically rather than as a string: for each character, take its ASCII code and split it, randomly, into two numbers (running both positively and negatively, say from -255 to 255) so that adding them together gives the correct character code back, and store the two sets of numbers separately. (It wouldn’t be possible to split each character into two other printable ASCII characters, since the lowest 32 codes aren’t printable, so you may as well just turn each character into numbers.) Either of the two sets by itself is literally nothing but a random set of numbers, betraying no information about the actual passphrase.
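The additive split described above, worked out in Python as an added example (not code from the post or from Doctorow’s column). It differs from the text in one detail: the sum is taken modulo 256 rather than over the range -255 to 255, so that each share is a uniformly random byte string and the claim that a single share betrays nothing but the passphrase’s length holds exactly. The function names, the hex rendering for writing a share on paper, and the sample passphrase are my own.

```python
import secrets


def split_passphrase(passphrase):
    """Split a passphrase into two shares (2-of-2 additive sharing modulo 256).

    share_a is drawn uniformly at random from a CSPRNG; share_b is chosen so
    that, byte by byte, (share_a + share_b) mod 256 gives the passphrase back.
    Each share on its own is indistinguishable from random bytes.
    """
    data = passphrase.encode("utf-8")
    share_a = bytes(secrets.randbelow(256) for _ in data)
    share_b = bytes((c - a) % 256 for c, a in zip(data, share_a))
    return share_a, share_b


def combine(share_a, share_b):
    """Recover the passphrase from both shares."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must have the same length")
    return bytes((a + b) % 256 for a, b in zip(share_a, share_b)).decode("utf-8")


def share_for_candidate(share_a, candidate):
    """Given one share, return the other share that would decode to `candidate`.

    Such a share exists for every candidate of the same byte length, which is
    why whoever holds a single share (or compels its holder) learns nothing
    about the real passphrase beyond its length.
    """
    data = candidate.encode("utf-8")
    if len(data) != len(share_a):
        raise ValueError("candidate must encode to the same number of bytes")
    return bytes((c - a) % 256 for c, a in zip(data, share_a))


def to_paper(share):
    """Hex rendering, grouped in fours, for writing a share down or handing it over."""
    h = share.hex()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def from_paper(text):
    """Inverse of to_paper(); tolerates the spacing and line breaks of a transcript."""
    return bytes.fromhex("".join(text.split()))


if __name__ == "__main__":
    # Sample passphrase constructed for the demonstration.
    a, b = split_passphrase("correct horse battery staple")
    print("share for the wife:  ", to_paper(a))
    print("share for the lawyer:", to_paper(b))
    print("recovered:", combine(from_paper(to_paper(a)), from_paper(to_paper(b))))
```

The trade-off against splitting the string in half is the one the post hints at: with the string split, losing one half costs the attacker half the search space, whereas with the additive split the halves are worthless on their own, and the only way to lose the passphrase is to lose either share (there is no redundancy; a 2-of-3 threshold scheme such as Shamir’s would add that, at the cost of more arithmetic).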

Overall, I think this is a good scheme, except, well, it only works for people with connections in two countries (and if the liberals have their way, we will have the One World Government pretty soon, so splitting jurisdiction may not be an option soon).

It seems like, at least in any scenario I can think of, if you want to share a secret with someone else and want to keep it secret (between the two of you), then the only way to do it is under some subterfuge—either regarding the fact that you have a secret, or that the other person shares it (so that you can prevent the person from getting subpoenaed).

Author: bkpark Categories: security

Write evaluations in BLOCK LETTERS

June 2nd, 2008

Professor griping about RateMyProfessor.com says:

This is the time of year when Lucy the Dog must decide whether to dip her paws back into the world of academia.

For two years, I’ve spent September through December teaching Intro to College Writing to incoming freshmen who are none too interested in my thoughts on E.B. White’s “Once More to the Lake” or the differences between there, their, and they’re.

And responding to one of the comments …

And yet one student who was in attendance for those statements turned in a stack of unstapled pages. I did not fail her, but I made her take the paper back and get it stapled. I also told her it was ridiculous that she didn’t follow such a basic, clearly-stated instruction.

In her course evaluation, she complained that I’d threatened to fail her just because she didn’t staple a paper.

This is why you write your evaluations in nice, nondescript block letters, preferably with your nondominant hand (though you usually don’t get enough time to use your nondominant hand unless you are quite ambidextrous; in that case, just use block letters, and in the months before, make sure never to use block-letter writing in any of your class work).

Even though your evaluations are supposed to be anonymous, the instructors can recognize each student’s handwriting.

Also, leave out any personal details. I’ve been a TA and a tutor, and believe me, when the evaluation gets into enough details, I can guess very easily who wrote it.