You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
Now, the fun thing is they are using Horde IMP, a webmail program. And it records the browser's IP address as a Received header. So the e-mail was sent from 80.38.105.203. That's a typical static IP address range for Spain's largest (ex-national) ISP, Telefonica. Think AT&T.
At the time, Googling this IP address yielded a web forum with public poster IPs... and a user posted from that IP to sell firearms. Yes, really. I neglected to screenshot it at the time and the forum is gone, but that was pretty hilarious. Remember, that was a static IP.
So now let's look at software versions. The e-mail is from 2012. Surely a CERT agency would be running up to date server software, right? Horde 4.1.4, was released on 2007-03-14. Exim 4.63 was released on 2006-07-31. That's 5 year old software.
So now, onto the message itself. They used PGP and I guess pulled my public key from my website or keyservers. However, instead of using in-line PGP, or PGP/MIME, they just attached a separately encrypted message as an attachment. That's... odd.
The message itself decrypted properly, but just asked for an interview with only the vaguest of hints of what this was about. The message was unsigned. No public key was provided to reply, none existed in the keyservers for this address, nor on their website.
They also sent it to my old 1024-bit ELG public key, which by then was superseded and obsoleted, and I was using a new 4096-bit RSA key which had been published to the keyservers and my website in 2011.
So I had no way to send an encrypted reply, and no way to verify that the message really came from them (in particular, given the horrible SMTP server config, this is literally indistinguishable from a spoofed e-mail anyone could send).
So I replied in cleartext, asking for a key, *explicitly* asked for a signed message and a verbatim public key for me to use. They replied in the same style, just with the public key pasted into the encrypted message, but no signature.
But now I have their key, in ASCII armored format, and it starts like this. Yes, they were using a non-commercial freeware version of PGP Desktop for commercial purposes. Version 9.10.0 has a code exec CVE from 2010. https://nvd.nist.gov/vuln/detail/CVE-2010-3397/ …pic.twitter.com/ghfwxEHBjN
So let's recap: 5 year old webmail, 6 year old e-mail server, >2 year old PGP with an arbitrary code exec CVE. The key itself? The userid was "CCN-CERT.PublicKey <CCN-CERT.PublicKey.Depart@CCN.es>", which does not match the sender of the e-mail either.
Not that this was going to go anywhere by now, but I replied with inline PGP, and sent them my phone number to see what their story was. I didn't hear back for two weeks. Apparently they had gone on vacation.
At least they managed to sign their message when they finally replied? Still using attachments though. I figured this wasn't worth wasting any more of my time on by then, didn't reply and never heard back.
So there you go, that was my recruiting experience from a branch of Spain's NSA. Not exactly a shining example of competence.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.
