S.U.: Email messages sent from a single machine can be identified?

habilis

Ministry of Re-Education
Security Update states a vulnerability within Apple Mail:

Component: Mail
Available for: Mac OS X v10.3.7 Client, Mac OS X Server v10.3.7
CVE-ID: CAN-2005-0127
Impact: Email messages sent from a single machine can be identified
Description: A GUUID containing an identifier associated with the Ethernet networking hardware was used in the construction of an RFC-822 required Message-ID header. Mail now hides this information by computing the Message-ID using a cryptographic hash of the GUUID concatenated with data from /dev/random. Credit to Carl Purvis for reporting this issue.


How can this be used against me? Just wondering since I send and receive roughly 1,000 emails a month through my online business.
 
my guess is that this gives out your ip. at which point i guess the evils have an address and can go knocking on your system's front door.
 
that makes sense, but they won't be coming anywhere near my knocker even if they tried.

cryptographic hash - nice lingo.
 
It also provides a unique ID for your machine. Now anonymity may not be important to you but people tend to get cranky if they have it surreptitiously usurped. Using a cryptographic hash they are able to guarantee the unique identifier property while preventing the leakage of any personal info.
 
Are you suggesting you're a spammer of some kind and you don't want 'them' (whatever kind of police) to reach you? If so, _should_ we help you identifying the problem and what exactly you can do against it...? If your business is nothing illegal, I don't see how identifying your person/computer could be any problem at all... :/
 
A GUUID containing an identifier associated with the Ethernet networking hardware was used in the construction of an RFC-822 required Message-ID header.
That sounds to me like your MAC address (http://www.webopedia.com/TERM/M/MAC_address.html -- not Macintosh -- all network-ready machines have 'em) could be identified through some kind of header. Since the MAC address of the machine never changes and is unique for every computer, you could potentially track a single computer on a network despite changing IP addresses.
 
Yeah, this is the MAC address (the physical device address of the ethernet port). You can *potentially* identify the machine the mail was sent from, but you would have to be on the same physical network as that machine is to get the MAC address from it (that would include nodes in cable and DSL networks, if you aren't behind a router).
 
fryke said:
Are you suggesting you're a spammer of some kind and you don't want 'them' (whatever kind of police) to reach you? If so, _should_ we help you identifying the problem and what exactly you can do against it...? If your business is nothing illegal, I don't see how identifying your person/computer could be any problem at all... :/

Nope, I have nothing to hide and live in a country that is decent to its citizens most of the time. I am not worried about being identified myself but that does not mean that I should not worry about information leakage. In the context of email this is somewhat of a silly argument in that I will have signed the email so any extra information will be of little benefit. The real issue is that this is an instance of a greater problem of globally unique identifiers.

Now there are lots of tinfoil hat scenarios where "the man" is able to track you down and do nasty things to you but there are other more mundane issues. For instance, when I worked at HP one thing that struck me as odd was that the phone list and company hierarchy were very protected. In retrospect it makes sense because that information can be used to reconstruct the manpower allotments in the company. A smart competitor could use that information to figure out lots of things that they would not like to be public until after the products are announced. Something as simple as looking at how many different people reviewed various public documents can reveal this sort of info. This kind of information is easily captured by globally unique identifiers that are imbedded in those documents.

I can go on but it is not really the place, my point is that this is not just a paranoid raving like you insinuated. It is a real concern in the business world, with governments, and for dissidents (people with real fears). It also has a trivial fix, which Apple has applied, of always running the guid through a cryptographic hash.
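An added example, not part of the thread and not Apple's code: a check that reports whether a Message-ID embeds a version-1 UUID carrying a hardware address, next to a Message-ID built the way the advisory describes (hash of the GUID concatenated with random data). The `<UUID@domain>` header layout, the SHA-256 choice, the function names and the sample address (from the RFC 7042 documentation range) are assumptions.

```python
import hashlib
import os
import re
import uuid

UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)

def leaked_hardware_address(message_id):
    """Return the hardware address exposed by a Message-ID, or None."""
    match = UUID_RE.search(message_id)
    if match is None:
        return None
    guid = uuid.UUID(match.group(0))
    if guid.version != 1:
        return None  # only time-based (version 1) UUIDs carry a node field
    if (guid.node >> 40) & 0x01:
        return None  # multicast bit set: RFC 4122 random node, not real hardware
    return ":".join(f"{(guid.node >> s) & 0xFF:02x}" for s in range(40, -8, -8))

def hashed_message_id(guid, domain, rand=None):
    """Build a Message-ID from hash(GUID || random bytes), as the advisory describes.

    SHA-256 and the 16-byte random length are assumptions; the advisory names neither.
    """
    rand = os.urandom(16) if rand is None else rand  # OS CSPRNG
    digest = hashlib.sha256(guid.bytes + rand).hexdigest()
    return f"<{digest[:32]}@{domain}>"

# Constructed sample: a version-1 UUID whose node is a documentation-range address.
SAMPLE_GUID = uuid.uuid1(node=0x00005E00532A, clock_seq=0x1234)
OLD_STYLE_ID = f"<{SAMPLE_GUID}@example.com>"

if __name__ == "__main__":
    print("old:", OLD_STYLE_ID, "->", leaked_hardware_address(OLD_STYLE_ID))
    fixed = hashed_message_id(SAMPLE_GUID, "example.com")
    print("new:", fixed, "->", leaked_hardware_address(fixed))
```

Because fresh random bytes go into every hash, two messages from the same machine no longer share any stable value, while each ID stays unique.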
 
lurk, I think fryke's post was addressed not to you but to habilis.

On a brighter note, this last Security Update actually resolved an issue for me wherein CandyBar was failing to replace the toolbar icons I had set it to in Mail. Much more important to have nice icons than to be free from eavesdroppers, don't you think? ;)
 
fryke, I can understand where you gather that I'm a spammer but I'm an importer of eastern religious items from Southeast Asia and thereabouts, on Ebay as a powerseller and I also sell from catalog and have a very large customer email database that gets sent email newsletters, etc. http://www.stores.ebay.com/incense-asia-imports/

Between the newsletters, online invoices, Ebay mails to customers, etc. it's upwards of 1,500 emails a month.

I'm behind a very secure system so I'm not worried about getting hacked but I do use Apple Mail to manage my emails. Good to know they fixed this one.
 