Internet providers test ways to outsmart spam

2004-07-25 Thread R. A. Hettinga 
"A whitelist for my friends..."

..which, in the meantime, will probably suffice for the time being, at
least as far as Mr. Pareto is concerned.


Cheers,
RAH
"...all others pay cash."
When that 20% becomes 80% again, anyway...







Internet providers test ways to outsmart spam

Sunday, July 25, 2004
 By Chris Gaither, Los Angeles Times


 Be liberal in what you accept and conservative in what you send.

 That was the philosophy when computer scientists sent the first
electronic-mail messages over the Internet more than 30 years ago.

 At the time, the Internet was in its infancy, used by a few hundred
researchers at universities, government labs and high-tech companies.

 Today, hundreds of millions of people have e-mail addresses, and junk
e-mailers send out billions of messages every day. And Internet service
providers are racing to figure out how to force spammers to abide by that
old golden rule.

 Microsoft Corp., Yahoo Inc. and other companies are taking different
approaches, but they all have the same objective: finding a way to verify
that people who send e-mail are who they say they are.

 That would plug the biggest hole in Simple Mail Transfer Protocol, the
system that has been shuttling messages around the Net since 1983.

 The designers of SMTP knew their protocol didn't have a built-in
authentication system. But they saw no reason to worry.

 "There was very little attention paid to nasty people because we all knew
and trusted each other," said David Farber, an Internet pioneer who is now
a Carnegie Mellon University professor of computer science and public
policy. "It was understood that it was easy to forge mail, but who would
forge mail among your friends?"

 Spammers have taken full advantage of that oversight. They falsify their
names and reply-to addresses to bypass junk e-mail filters and trick
recipients into opening messages. They copy corporate logos to send fake
messages purporting to be from companies such as eBay and Citibank to fool
people into handing over their credit card numbers and other personal
information in so-called "phishing" attacks.

 "Accountability is really the missing link for many of the problems we
have on the Internet," said Phillip Hallam-Baker, principal scientist for
VeriSign Inc., the company that maintains the master list of commercial
Internet addresses.

 The Federal Trade Commission last month cited the lack of authentication
standards when it declined to create a "do-not-e-mail" registry modeled
after the "do-not-call" list for telemarketers. Without knowing for sure
who is sending a message, the FTC said, Internet service providers and
other spam fighters wouldn't be able to punish violators.

 The big Internet service providers don't agree on how to best fix the
authentication problem. Two systems being tested now are Yahoo's DomainKeys
standard and Sender ID, which is backed by Microsoft and the Pobox.com
e-mail service.

 Sender ID has attracted the most interest. It counts on the fact that
although e-mail headers are easy to forge, IP addresses -- the unique set
of numbers attached to every Internet domain -- are not.

 Here's how it works: A company like Amazon.com Inc. publishes its IP
address in a public database. When a message arrives that claims to be from
the online retailer, the recipient's e-mail program automatically checks
the information in the header and compares it with the information in the
database. If it matches, the message goes through. If it doesn't match, the
message is quarantined or blocked.

 ISPs including EarthLink Inc. and Time Warner Inc.'s America Online are
testing a component of Sender ID called SPF, or Sender Policy Framework.
AOL has started publishing the list of IP addresses from which it sends its
members' e-mail, so that other e-mail service providers can block messages
from spoofed AOL addresses.

 By the end of the summer, the country's biggest ISP hopes to begin
blocking e-mail that purports to come from companies often impersonated in
phishing attacks -- such as eBay's PayPal division -- but that can't be
verified as legitimate.

 Authenticating e-mail "is the single most important thing we can do to
enhance the SMTP," said Carl Hutzler, AOL's director of anti-spam
operations.

 DomainKeys takes an approach that is based on public-private key cryptography.

 Sent messages include an encrypted digital signature created by the e-mail
provider's private key. When the message arrives at the recipient's e-mail
server, the server checks a database for the sender's public key. If the
public and private keys match up, the signature can be decrypted, and the
sender's identity validated. If not, the message can be blocked by spam
filters.

 Yahoo began testing DomainKeys in March. The company said it planned to
implement it for outbound messages from its Yahoo Mail customers and at
least some incoming messages by the end of the year.

 If the ISPs succ

Re: Email tapping by ISPs, forwarder addresses, and crypto proxies

2004-07-25 Thread J.A. Terranson 

On Sun, 25 Jul 2004, Declan McCullagh wrote:

> On Sun, Jul 18, 2004 at 10:35:19PM -0700, Major Variola (ret) wrote:
> > You don't know about tape robots, or offline indexing, eh?
>
> FYI from a recent trip to the NSA crypto museum:
> http://www.mccullagh.org/image/10d-15/storagetek-automated-cartridge-system.html
> http://www.mccullagh.org/image/10d-15/robot-arm-tape-cartridge.html
>
> I think that was circa 1994 (I'd have to look at the high-res image
> to see the date on the brass plaque to be sure).
>
> -Declan

I've actually worked with slightly more recent tech from the same company.
Note the limited size of the library (300tb), and also note that seek time
to any one sector on any one tape is *incredibly* long.  This is strictly
a near-line bulk solution - useless for anything but permanent archives
with an occasional pull.

-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF

  "...justice is a duty towards those whom you love and those whom you do
  not.  And people's rights will not be harmed if the opponent speaks out
  about them."  Osama Bin Laden
- - -

  "There aught to be limits to freedom!"George Bush
- - -

Which one scares you more?

Re: Email tapping by ISPs, forwarder addresses, and crypto proxies

2004-07-25 Thread Declan McCullagh 
On Sun, Jul 18, 2004 at 10:35:19PM -0700, Major Variola (ret) wrote:
> You don't know about tape robots, or offline indexing, eh?

FYI from a recent trip to the NSA crypto museum:
http://www.mccullagh.org/image/10d-15/storagetek-automated-cartridge-system.html
http://www.mccullagh.org/image/10d-15/robot-arm-tape-cartridge.html

I think that was circa 1994 (I'd have to look at the high-res image
to see the date on the brass plaque to be sure).

-Declan

Re: Email tapping by ISPs, forwarder addresses, and crypto proxies

2004-07-25 Thread Declan McCullagh 
On Wed, Jul 07, 2004 at 01:11:58AM -0700, Bill Stewart wrote:
> Google's Gmail is an interesting case.
> Unlike Councilman's ISP, who were sneaky greedy wiretapping bums,
> Google tells you that they'll grep your mail for advertising material,
> and tells you how much of that they'll leak to the advertisers
> and makes you some promises not to leak more.
> The data's just sitting there waiting for a subpoena,
> and there's not much point in having it all encrypted because
> the cool features of Gmail aren't much use on cyphertext.

FYI here's something I wrote in April... --Declan



http://news.com.com/Is+Google+the+future+of+e-mail%3F/2010-1032_3-5187543.html

If Google wanted to veer in a more privacy-protective direction, it
could look to the intriguing model of Vancouver, Canada-based Hush
Communications, which runs the Hushmail Web mail system. Unlike
rivals, Hush encrypts mail sent between Hush users. It uses a
Java-based technique that allows for only its intended recipient--and
not Hush employees--to decrypt a scrambled e-mail message. If a
subpoena arrives, or if a security breach ever happens, disclosure
would be limited.

Hush offers 2-megabyte-limit free accounts and pay accounts, and it
said 900,000 accounts have been created since its May 1999 launch. The
company also lets users store files in an encrypted volume and this
week plans to announce a feature that permits encrypted volumes to be
shared among multiple users.

Hush's patent No. 6,154,543 covers some aspects of encrypted
e-mail. The company said it'd happy to license it to
Google. Originally, Hush Chief Technology Officer Brian Smith said,
the patent was quite broad, but "we have narrowed the patent to apply
only to e-mail and messaging systems. The modifications were accepted
but don't yet appear" on the U.S. Patent and Trademark Office's Web
site.

True, if the archived e-mail is encrypted, Gmail won't be able to
search message bodies very efficiently, but users might be willing to
give up that feature and even pay a monthly charge in exchange for
additional security.

"We'll think about it," said Google's Rosing. "We don't have any
explicit plans right now...If someone really needs to encrypt a lot of
e-mail, maybe they should be putting that on their laptop. We're
trying to provide a service that offers some utility to our users. If
you change the service to take away all the value of the service,
you're back where you started."

Maybe. But until that happens, would-be users of Gmail or any similar
service should recognize that their so-called free e-mail comes at a
price.

Re: Mexico Atty. General gets microchipped (fwd)

2004-07-25 Thread Declan McCullagh 
On Tue, Jul 13, 2004 at 10:20:44PM -0700, Major Variola (ret) wrote:
> "No, I don't know that Atheists should be considered as
> citizens, nor should they be considered patriots. This is one nation
> under
> God." -GW Bush

Do you have a good cite for that? One source attributes it to George
Bush I, not Bush II.

http://www.calpundit.com/archives/001626.html

-Declan

Feds and Yahoo Muzzle DNC Security Whistleblower

2004-07-25 Thread John Young 
It appears that the Feds and LEA at the DNC Convention
have ordered Yahoo to axe the mail list TSCM-L run by James
Atkinson for his blistering attack on security at the convention.

  http://cryptome.org/dncsec-yahoo.htm

Jim's reports on the inferior security:

  http://cryptome.org/dnc-insec.htm

  http://cryptome.org/dnc-dauphine.htm

The mail list had nothing to do with these reports, and the
gag appears to be spite against Atkinson for whistleblowing.

However, the mail list purpose is likely to have scared them 
more than his insecurity reports:


http://finance.groups.yahoo.com/group/TSCM-L/

TSCM-L Technical Security Mailing List

Dedicated to TSCM specialists engaging in expert technical 
and analytical research for the detection, nullification, and 
isolation of eavesdropping devices, wiretaps, bugging devices, 
technical surveillance penetrations, technical surveillance 
hazards, and physical security weaknesses. This also includes 
bug detection, bug sweep, and wiretap detection services.

Special emphasis is given to detecting and countering 
espionage and other threats and activities directed by foreign 
intelligence services against the United States Government, 
United States corporations, establishments, and citizens.

The list includes technical discussion regarding the design and 
construction of SCIF facilities, Black Chambers, and Screen 
Rooms. This list is also for discussing DIAM 50-3, NSA-65, 
and DCID 1/21, 1/22 compliance.

The primary goal and mission of this list is to "raise the bar" 
and increase the level of professionalism present within the 
TSCM business.

The secondary goal of this list is and increase the quality and 
effectiveness of our efforts so that we give spies and 
eavesdroppers no quarter, and to neutralize all of their espionage 
efforts.

This mailing list is moderated by James M. Atkinson and 
sponsored by Granite Island Group as a public service to the 
TSCM, Counter Intelligence, and technical security community.

--

Re: Email tapping by ISPs, forwarder addresses, and crypto proxies

2004-07-25 Thread James A. Donald 
--
On 23 Jul 2004 at 12:40, Thomas Shaddack wrote:
> Depends on whom. Often the money are the main motivation. Of
> course, your own country won't pay you as well as the other
> one, and will try to appeal to your "patriotism" like a bunch
> of cheapskates - it's better to be a contractor.

The Soviet Union was notorious for absurdly low pay, yet had no
difficulty getting lots of servants.

It cultivated a sense of identification.   The CIA would give
you a crate of money, a crate of guns, and some say a crate of
cocaine.   but the KGB would ask about your dental problems and
arrange for a free dental appointment.  If you were a key
scientist or something, rather than just some regular guy, they
would discover your sexual tastes or your tastes in art and
send around a girl or boy to suite, or some art that probably
could not be obtained by mere money, or perhaps a boy carrying
some art.  To the best of my knowledge no one EVER got any
decent sized cash payment from the Soviet Union for any act of
treason, no matter how crucial. 

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 TKc9QQNccF421kjpfih8YdB96RpYw17p3sjofelQ
 4yBG3NNFrBGZu5Zy/GwjHsjbhkfnJhmOU2OYDAyFn

Re: Texas oil refineries, a White Van, and Al Qaeda

2004-07-25 Thread Declan McCullagh 
On Tue, Jul 20, 2004 at 05:10:12PM -0500, J.A. Terranson wrote:
> The "parking lot" (read: makeout spot/planespotter parking, etc.) abut a
> half mile from the end of the main runways at Lambert are now permanently
> closed, and trying to pull over is an open invite for immediate attention.

A similar parking lot about the same distance north of the runway
of Washington Reagan National (and very close to the Pentagon) along
the Potomac River off the parkway is sitll open.

It's also used for a boat launch by politically influential
Washingtonians, which might explain why it hasn't been closed. No
double standards here, of course...

-Declan

More American vigilantes may be in Afghanistan, U.S. military says

2004-07-25 Thread R. A. Hettinga 

BillingsGazette.com printable article


More American vigilantes may be in Afghanistan, U.S. military says

 Associated Press


KABUL, Afghanistan - The U.S. military said Saturday there could be more
vigilantes hunting terror suspects here after a group of Americans were
arrested for allegedly abusing Afghans in a private jail.




The U.S. government is offering big rewards for the capture of top
terrorist suspects, including a US$50 million bounty on al-Qaida leader
Osama bin Laden.




It remains unclear if the three Americans who went on trial in the Afghan
capital on Wednesday charged with hostage-taking and torture were hoping to
cash in _ or if they were the only such group in the country.




"It is entirely possible that there are others acting independently,"
military spokesman Maj. Jon Siepmann said.




Afghanistan is awash with shadowy foreign security operatives. Some work
for private contractors protecting reconstruction workers, others
apparently with the military or secret services.




The U.S. military has tried to distance itself from the three detained
Americans, led by a former U.S. soldier on a self-appointed
counter-terrorism mission.




But both the Americans and NATO peacekeepers acknowledge contact with the
group, which dressed in army fatigues and wore the beards and dark glasses
favored by special forces soldiers.




NATO troops helped the trio with three raids in the capital last month,
while the U.S. military gratefully accepted a detainee at Bagram Air Field,
north of Kabul, in May.




Afghan authorities, who also mistook the men for U.S. special forces,
arrested them only in July after NATO troops and the U.S. military
denounced them as impostors and raised the alarm.




Siepmann didn't say whether the military knew of any other freelancers or
bounty-hunters in Afghanistan.




"However, I think the issue of Mr. Idema has brought a heightened awareness
to everyone involved ... to be on the lookout for this kind of behavior,"
Siepmann said.




"I think Mr. Idema's arrest and current judicial process will serve as a
warning to others who will attempt to do this in Afghanistan," he said.




The three face up to 20 years in jail if convicted.




Afghan security forces freed eight prisoners from the group's makeshift
jail in a house in downtown Kabul. Firearms were also seized in the house.




Idema, who claims to have fought with Afghan forces against the Taliban in
2001-2002, says the men were arrested to avert an al-Qaida plot to attack
foreign troops and assassinate a string of Afghan political leaders.




He told reporters in court on Wednesday that he had support from within the
U.S. Department of Defense and that he could produce evidence to prove it _
a claim Pentagon officials dispute.




The trial is expected to resume early next month.


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'