Harris thought there was no way Google would be so careless, so he concluded it must be a sly recruiting test to see if job applicants would spot the vulnerability. But Google was using a 512-bit key – which could be easily cracked with a little cloud-computing help. When e-mail arrives at its destination, the receiving server can look up the public key through the sender’s DNS records and verify the validity of the signature.įor security reasons, the DKIM standard calls for using keys that are at least 1,024 bits in length. DKIM involves a cryptographic key that domains use to sign e-mail originating from them – or passing through them – to validate to a recipient that the domain in the header information on an e-mail is correct and that the correspondence indeed came from the stated domain.
The problem lay with the DKIM key ( DomainKeys Identified Mail) Google used for its e-mails. Anyone who cracked the key could use it to impersonate an e-mail sender from Google, including Google founders Sergey Brin and Larry Page.
Google was using a weak cryptographic key to certify to recipients that its correspondence came from a legitimate Google corporate domain. But when Harris examined the e-mail’s header information, it all seemed legitimate. So he wondered if the e-mail might have been spoofed – something sent from a scammer to appear to come from the search giant. The e-mail had come to him last December completely out of the blue, and as a mathematician, he didn’t seem the likeliest candidate for the job Google was pitching.
“I wanted to see if you are open to confidentially exploring opportunities with Google?” “You obviously have a passion for Linux and programming,” the e-mail from the Google recruiter read. It was a strange e-mail, coming from a job recruiter at Google, asking Zachary Harris if he was interested in a position as a site-reliability engineer. Mathematician Zach Harris, 35, of Jupiter, Fl., poses for a portrait on Tuesday.
0 kommentar(er)
