The next instalment in this exciting saga of family feuds and cyberwarfare. Tybalt has sent an invitation email to Romeo, impersonating Juliet in order to tempt Romeo to reveal himself.

Romeo opens his mail and finds this message waiting for him:

From: “Juliet” juliet@capulet.net
To: “Romeo” romeo@montague.net
Subject: secret meeting

Come to the town square at midnight, behind the clock.
Come alone and make sure you’re not followed.

J. xxx

If he takes the bait and travels to meet his love, who knows what terrible fate will befall him?

Luckily, we don’t have to worry, because Romeo and Juliet have been smart. They’ve taken precautions.

( Click to read more... )

Forging an email is the easiest thing in the world. Once you see how easy it is then I think you’ll understand why you should never trust the From header in an email.

A while ago I used the Montagues and Capulets to explain how the domain name system worked. I’ll do the same again to show how easy it is for anyone to spoof your email address.

The plot thickens!

As per the story, Romeo and Juliet are separated after the party. Tybalt wants to kill Romeo and knows he can use the lure of Juliet to trap him. Tybalt’s email address is tybalt@capulet.net but he wants to email romeo@montague.net as Juliet.

Ordinary email programs don‘t allow you to pretend to be someone else (though they could if they wanted). But when a program sends an email it is just having a very simple conversation with a mail server using a predefined protocol. So all Tybalt needs to do is have that same ’conversation’ with the mail server.

A program called telnet lets you get down to the gritty details. You can pretend you’re an email program, a web browser or anything else, as long as you give the correct response to the questions you receive from the other computer.

Tybalt gets started

First, he has to log in to the Capulet family mail server using telnet. The line with the dollar sign is where he runs it from the command line. You can easily try this at home if you know the name of your mail server.

$ telnet mail.capulet.net 25
Trying 192.168.2.14...
Connected to mail.capulet.net (192.168.2.14).
Escape character is '^]'.

The mail server sends messages prefixed with a number. This is the status code which your email program would recognise and respond to. The words on the rest of the line are put there for the benefit of people who want to test the system at this low level (or subvert it). Any line which doesn’t begin with a number is written by Tybalt.

First, the mail server identifies itself and then Tybalt does likewise—and pretends to be Juliet’s laptop.

220 mail.capulet.net ESMTP
HELO julietslaptop

The mail server then shows that it’s ready to take commands. This is where Tybalt pretends the email is coming from Juliet’s address and going to Romeo:

235 Nice to meet you julietslaptop
MAIL from: juliet@capulet.net
250 OK ... Sender accepted.
RCPT to: romeo@montague.net
250 OK ... Recipient accepted.

Then Tybalt has to tell the mail server to receive the content of the email, using the DATA command. Notice that he puts To and From information in this part of the message too. If he omitted these then Romeo would still get the message but the To and From headers in his email program would appear blank. This is like putting ‘Dear Romeo’ and ‘from Juliet’ inside the letter—the bit above is just the address on the envelope.

DATA
354 Ready for message. Enter "." on its own line to finish.
From: "Juliet" juliet@capulet.net
To: "Romeo" romeo@montague.net
Subject: secret meeting

Come to the town square at midnight, behind the clock.
Come alone and make sure you're not followed.

J. xxx
.
250 OK Message transmitted ID 82679401

The dirty deed is done. Tybalt can log off and head out to capture Romeo unawares.

Or will he?! Find out next time…

All software of sufficient complexity to do something useful (and even some that don’t do anything interesting at all) will contain bugs. This is a fact of life.

It’s the job of the programmer to find and remove these bugs. There are many ways of going about this but the most interesting, I think, is using a tool called a debugger.

If you’re a doctor, probably the best diagnostic tool you could imagine is to take a patient and cut them open and watch their innards move around, undisturbed, as they go about their daily lives. Imagine you could puncture a huge hole in someone’s chest to examine their heart and lungs while they sit there in the consulting room, chatting away amiably.

Unfortunately for the medical profession, people tend to cry out in great torment, flop on the floor and bleed everywhere if you do all that. (Though something very similar does come up in Use of Weapons by Iain M Banks, where it’s used as a party gimmick!) But programmers can get away with it.

A debugger is a tool that lets us run programs with their innards on display to the world. If something bad happens we can rewind to see what conditions caused it. We can see the last actions of the program before it did something stupid. Why did the user’s high score suddenly change to -2147483648? Why does it crash every time I click Save?

The debugger will even let you ‘run’ the program in discrete steps, like advancing a frame at a time. Or you can pause the program whenever you need — on every autosave, or every new wave of aliens, or just as the whim takes you.

If you see a problem you can tinker with the program as it runs. It would be like your doctor reaching in to ‘fix’ up your plaque-hardened arteries while you are in suspended animation, then releasing you to see how you feel. Pretty neat.

Debuggers are not much use outside the programming field. In fact, they’re one of these specialised tools that people can’t even imagine until they’ve seen one. But they’re also extremely cool, which is what counts.

Computers in the movies are always capable of the most absurd things. They all seem to be connected to everything. The strategic defence computer in War Games was connected to the public telephone service, for no readily explained reason.

It’s apparently undisputed that shop ordering systems, airline booking databases and school grades are all directly accessible from the outside. So I’d like to dispute this. No They’re Not.

Now that I’ve got that off my chest we can move onto something less obvious.

( Silly passwords and cryptography in movies )

I'm looking for advice here. I want access to a proper web host with enough space and reliability to do whatever comes to mind. I find the idea of a virtual server quite appealing. That would give me significant freedom in setting up my system or choosing the specific server configuration I want.

What do other people recommend? Ideally I would like:

• Space to store big files (movies, music) should I want to transfer them elsewhere.
• The bandwidth/transfer quota to do that if I need to. I don't want to pay through the nose for thousands of gigabytes transfer that I'm not using, but if I want to boost it for particular occasions that would be good.
• Remote login for multiple users, so I can give limited accounts to family members for their own use.
• Nippy access. I would prefer something local (to me) so Scotland-based, or UK-based, would be better than California.
• Ability to install what I want: so my own IRC or jabber daemon, Darcs, and so on. Whatever takes my fancy, rather than something from a limited set of 'approved' programs.

What have you used in the past, and who do you find to be reliable? I'm not going to rush in to this but I'm getting pretty fed up of consumer-broadband upload and consumer-grade routers. Something with the flexibility of my own machine but the reliability of a hosting service. For the price of a small bag of chips and an Irn Bru, if possible. ;-)