Re: Earthlink to Test Caller ID for E-Mail
Eugen* Leitl <http://leitl.org> writes:

> The passphrase locking idear won't fly, but a biometrics-lockable wallet could. Isn't part of Pd envelope goal establishing a tamper-proof compartment? We know Pd is evil, but once hardware support is everywhere, one can as well use it for something positive, for a change.

Well, you're preaching to the choir now, son. Of course, it's a choir of one, but c'est la vie. The idea of finding good uses for Trusted Computing has not exactly been gushingly popular around here. In fact, you yourself have been one of the harshest critics of its pseudonymous proponent ("intelligent idiot" sound familiar?).

The problem with Palladium as a solution to spam is first, that it is many years away, being part of the Longhorn OS release. The latest official estimates are 2006, rumors are that 2007 is the internal date, and whispers of 2008 exist. Then, it will take years before such systems become widely enough used that spammers can no longer find pre-Palladium systems to serve as a basis for attacks. We're probably talking 2011 at the earliest. We'll need adequate solutions to spam long before then.

Secondly, you could use Palladium to arrange that it was impossible to send mail from your computer except via human interaction with your authorized email program. You'd have to set your outgoing mail server to require a password (such auth systems are already in widespread use) and you'd use Pd to lock up the password so that only the mail client could get at it (using the application-specific sealed storage feature). The user wouldn't have to type the password, in fact he wouldn't even have to know there was a password, but he'd have to click the send button himself. (Secure user I/O paths are a Palladium feature.)

However, in doing this you give up the ability for ANY other program to send email, at least without the user jumping through a lot of hoops to authorize it. Maybe that's an inherently necessary feature, but there are arguably some good programs which can usefully send email, and you'll be tossing out those babies with the spam bathwater. Bye bye MAPI.

Further, there's always the risk that the email program itself will be buggy and be able to be tricked into sending something without user authorization. Fortunately, the number of such bugs is likely to be few and confined to just one program, so those can probably be fixed relatively quickly.

In short, Trusted Computing could in theory make a computer much more resistant to being used to send spam. It could still be taken over, but the malware wouldn't be able to get to the password necessary for sending mail. You'd need some help from the ISP to require the password and possibly block attempts to use remote mail servers. Of course, if the ISP is this clueful and cooperative, you'd think maybe it could stop you from sending a zillion messages per hour in the first place.

The big problem is that TC is many years away. But now that you know how good it will be, I hope you will join me in my never ending battle to bring some perspective to the one-sided debate over this technology. There are good uses of TC, and maybe if people weren't so determined to oppose it with their last breath, we might see the technology becoming available a little sooner.
Re: Earthlink to Test Caller ID for E-Mail
On Mon, Mar 08, 2004 at 09:19:23AM, Ben Laurie wrote:

> And it doesn't even work in theory - once your PC is hacked, the passphrase would be known the first time you used it.

True, but in the current threat model passphrase snarfing is yet negligible (keyloggers look for credit card info, etc.). Also, the fraction of 0wn3d to pristine machines is low, and likely to become lower in future. So the egress points of spam remain few, and if they come with signatures, so much the better for us. If they don't come with signatures, or use variable signatures (if you disregard entropy pool issues, how many signatures/min can you churn out on a desktop PC?), ditto (if you compute spam score by signed, and know signed vs unsigned).

*BSD and Linux penetration rate (desktop, not server) is low, Redmondware is about to become similarly hardened at the network layer. Things are still a bit dismal at the userland executable level, but security has become a selling argument. So, sooner or later, they will have to start selling something palpably more secure, instead of just waffling about it.

The passphrase locking idear won't fly, but a biometrics-lockable wallet could. Isn't part of Pd envelope goal establishing a tamper-proof compartment? We know Pd is evil, but once hardware support is everywhere, one can as well use it for something positive, for a change.

-- 
Eugen* Leitl <http://leitl.org>
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net
Re: Earthlink to Test Caller ID for E-Mail
Peter Gutmann wrote:

> Eugen Leitl [EMAIL PROTECTED] writes:
>
>> A way that works would involve passphrase-locked keyrings, and forgetful MUAs (this mutt only caches the passphrase for a preset time).
>
> A way that works *in theory* would involve
>
> The chances of any vendor of mass-market software shipping an MUA where the user has to enter a password just to send mail are approximately... zero.

And it doesn't even work in theory - once your PC is hacked, the passphrase would be known the first time you used it.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: Earthlink to Test Caller ID for E-Mail
At 2:21 PM +0100 3/6/04, Eugen Leitl wrote:

> Facultative strong authentication doesn't nuke anonymity.

Perfect pseudonymity is functional anonymity, in my book...

Cheers,
RAH

-- 
-----------------
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: Earthlink to Test Caller ID for E-Mail
Eugen Leitl [EMAIL PROTECTED] writes:

> A way that works would involve passphrase-locked keyrings, and forgetful MUAs (this mutt only caches the passphrase for a preset time).

A way that works *in theory* would involve

The chances of any vendor of mass-market software shipping an MUA where the user has to enter a password just to send mail are approximately... zero.

> Filtering for signed/vs. unsigned mail doesn't make sense, authenticating and whitelisting known senders by digital signature makes very good sense.

In that case you can just filter by sender IP address or something (anything) that's simpler than requiring a PKI. Again though, that's just another variant of the "Build a big wall" dream. In order to have perimeter security you first need a perimeter. If the spammer you're trying to defend against is your own mother (because she clicked on an attachment you sent her, it says so in the From: address, that's actually a spam-bot), you don't have a perimeter. All you have is a big pile of Manchurian candidates waiting to bite you.

Peter.
Re: Earthlink to Test Caller ID for E-Mail
On Sun, Mar 07, 2004 at 01:26:47AM +1300, Peter Gutmann wrote:

> Eugen Leitl [EMAIL PROTECTED] writes:
>
>> A way that works would involve passphrase-locked keyrings, and forgetful MUAs (this mutt only caches the passphrase for a preset time).
>
> A way that works *in theory* would involve
>
> The chances of any vendor

No, that was a definition. I made no statement about how users take to passphrases, and vendors implementing this unwelcome feature. Works well for me, though.

> of mass-market software shipping an MUA where the user has to enter a password just to send mail are approximately... zero.

I agree. It doesn't mean signing (whether in MUA or MTA level) is useless. Only a tiny fraction of all systems is compromised, and if those systems use signed mail blocking them is actually easier (generating new keys on an 0wn3d machine introduces extra degrees of complication, and limits the rate of mail sent). If this is adopted on a large scale, nonsigned mail would automatically increase the spam scoring function, further speeding adoption.

>> Filtering for signed/vs. unsigned mail doesn't make sense, authenticating and whitelisting known senders by digital signature makes very good sense.
>
> In that case you can just filter by sender IP address or something (anything) that's simpler than requiring a PKI. Again though, that's just another

Parsing headers is problematic, and signatures work at user, not at IP level (there are public mail services which serve millions of users with just a few IPs). You can as well sign at MTA level, if users are authenticated, and each of them has a signature.

> variant of the "Build a big wall" dream. In order to have perimeter security

Every exploitable system will be exploited, if a sufficient incentive is present. You can't get around the fact that we need to modify the infrastructure. Specifically for spam, facultative strong authentication is a part of a solution (there is no single solution, because it's a complex, adaptive problem).

> you first need a perimeter. If the spammer you're trying to defend against is your own mother (because she clicked on an attachment you sent her, it says so in the From: address, that's actually a spam-bot), you don't have a perimeter. All you have is a big pile of Manchurian candidates waiting to bite you.

When I get virus mail from someone who has my email in my address book, it would be nice if that mail was signed, so I could contact her, and tell her she has a problem.

Facultative strong authentication doesn't nuke anonymity. It does shift it into darker, seedier corners of communication, though. Which is only natural: trolls thrive on anonymity, giving it a bad rap. Which is why we need a nym supporting infrastructure.

-- 
Eugen* Leitl <http://leitl.org>
Re: Earthlink to Test Caller ID for E-Mail
At 1:14 PM +0100 3/6/04, Eugen Leitl wrote:

> Filtering for signed/vs. unsigned mail doesn't make sense, authenticating and whitelisting known senders by digital signature makes very good sense.

Right. A whitelist for my friends. Of course, this doesn't help with people you don't yet know. All others pay cash.

Cheers,
RAH
Re: Earthlink to Test Caller ID for E-Mail
R. A. Hettinga [EMAIL PROTECTED] writes:

> If we really do get cryptographic signatures on email in a way that works, expect 80% of all spam to be blown away as a matter of course.

I think you mean: "If we really do get cryptographic signatures on email in a way that works, expect 80% of all spam to contain legit signatures from hacked PCs."

This is just another variation of the "To secure the Internet, build a big wall around it and only let the good guys in" idea.

Peter.
Re: Earthlink to Test Caller ID for E-Mail
At 8:56 AM -0800 3/7/04, Major Variola (ret) wrote:

> Sure you will, if the groceries are in front of you, and the purchase or possession of some of them you don't want associated with anything. In this case the reputation of the grocer and/or your ability to assay the groceries (in meatspace) suffice.

Right. More to the point, the only person you trust in a bearer transaction is the underwriter, who, of course, can be a persistent pseudonym.

Cheers,
RAH
Re: Earthlink to Test Caller ID for E-Mail
At 10:56 AM 3/6/04 -0500, Steve Furlong wrote:

> No, pseudonymity lets others identify messages on, say c-punks, as coming from a particular sender. Reputation can work here, even with no meat-space identity attached. Anonymity means reputation can't work, so each message has to be taken on its own, with no history to give clues as to bias or reliability.

Correct. Think of pseudonymity as a persistent endpoint of a communication, which thanks to (PK-verifiable) persistence can accrue reputation. An anonymous endpoint is necessarily ephemeral.

> I realize that your, RAH's, book mostly deals with financial transactions. In the very narrow domain of transactions which don't require any trust, anonymity should be as useful as pseudonymity. In the more general case, I'd think true anonymity would be a handicap. eg, I'm certainly not going to send my hard-earned e-money to the account of some untraceable joker in exchange for his promise to deliver me a week's worth of groceries.

Sure you will, if the groceries are in front of you, and the purchase or possession of some of them you don't want associated with anything. In this case the reputation of the grocer and/or your ability to assay the groceries (in meatspace) suffice.
Re: Earthlink to Test Caller ID for E-Mail
On Sat, 2004-03-06 at 10:32, R. A. Hettinga wrote:

> At 2:21 PM +0100 3/6/04, Eugen Leitl wrote:
>
>> Facultative strong authentication doesn't nuke anonymity.
>
> Perfect pseudonymity is functional anonymity, in my book...

No, pseudonymity lets others identify messages on, say c-punks, as coming from a particular sender. Reputation can work here, even with no meat-space identity attached. Anonymity means reputation can't work, so each message has to be taken on its own, with no history to give clues as to bias or reliability. I certainly wouldn't want to have to wade through all the traffic, wondering which from Eugen and which from the Australian-shithead-who-shall-not-be-named. Yah, it's easy enough to tell once you've read the message, but I'd rather filter it out on the From: level.

I realize that your, RAH's, book mostly deals with financial transactions. In the very narrow domain of transactions which don't require any trust, anonymity should be as useful as pseudonymity. In the more general case, I'd think true anonymity would be a handicap. eg, I'm certainly not going to send my hard-earned e-money to the account of some untraceable joker in exchange for his promise to deliver me a week's worth of groceries.
Earthlink to Test Caller ID for E-Mail
The "whitelist for my friends" part of "a whitelist for my friends, all others pay cash" seems to be underway...

If we really do get cryptographic signatures on email in a way that works, expect 80% of all spam to be blown away as a matter of course.

Cheers,
RAH

---

http://www.pcworld.com/resource/printable/article/0,aid,115094,00.asp

PCWorld.com

Earthlink to Test Caller ID for E-Mail
New systems could fight spam and Internet scams, company says.

Paul Roberts, IDG News Service
Friday, March 05, 2004

ISP Earthlink will soon begin testing new e-mail security technology, including Microsoft's recently released Caller ID technology, a company executive says.

Earthlink will be experimenting "very soon," with sender authentication technology including Caller ID and a similar plan called Sender Policy Framework (SPF). The Atlanta-based ISP will be evaluating other e-mail security proposals as well, but is not backing any specific technology, says Robert Sanders, chief architect at Earthlink.

Plans to secure e-mail by verifying the source of e-mail messages have garnered much attention in recent months, as the volume of spam has swelled and the number of Internet scams has increased. Spammers and Internet-based criminals often fake, or "spoof," the origin of e-mail messages to trick recipients into opening them and trusting their content. Sender authentication technologies attempt to stop spoofing by matching the source of e-mail messages with a specific user or an approved e-mail server for the Internet domain that the message purports to come from.

Different Strategies

So far, Earthlink has stayed out of the sender authentication fray while Web-based e-mail services, including Yahoo and Hotmail, and major ISP America Online, have all backed slightly different sender authentication proposals. Yahoo is promoting an internally developed technology called DomainKeys, that uses public key cryptography to sign e-mail messages.

AOL said in January that it is testing SPF for outgoing mail, publishing the IP (Internet protocol) addresses of its e-mail servers in an SPF record in the DNS (Domain Name System). Finally, Microsoft-owned Hotmail is publishing the addresses of its e-mail servers using that company's recently announced Caller ID standard.

Earthlink believes that sender authentication is necessary, and is prepared to support multiple sender authentication standards if necessary. However, the company hopes that one clear winner emerges from the field of competing proposals, Sanders says. "I don't think it's unlikely that we'll see two or three coexisting proposals go into production. We had hopes that they would be able to merge, but I think at this point each standard adds a different function, and we're unlikely to see a merger," he says.

Coming Soon?

For now, Caller ID and SPF will probably make it into production first, because neither require companies to deploy new software to participate in the sender authentication system, he says.

Earthlink is also interested in proposals like Yahoo's DomainKeys, which allows e-mail authors to cryptographically sign messages, enabling recipients to verify both the content of a message and its author. However, DomainKeys is more complicated to deploy than either Caller ID or SPF and requires software changes that will slow implementation, he says.

Earthlink is not backing any proposal but is interested in looking at the results of its trial deployments, and those of other organizations. "We have to get real world data from people who have deployed SPF or Caller ID," he says.

The company is also a member of the Anti-Spam Technical Alliance, an industry group that includes Microsoft, AOL, Yahoo, Comcast, and British Telecommunications, and continues to participate in meetings and initiatives through that organization, he says.

Microsoft's backing of Caller ID and its plans to use that technology for Hotmail tips the scales in favor of that technology, he says. "One factor that determines what you, as an e-mail sender, deploy is the important question of 'Who am I sending mail to?' What the larger [e-mail] receivers deploy is what you're going to support," he says.

-- 
R. A. Hettinga
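Added example, not part of the article or of any post in this thread: the receiver-side half of the SPF scheme the article describes (the sending domain publishes its mail servers' addresses in a DNS TXT record; the receiving MTA compares the connecting client's IP against that list). The zone data (FAKE_DNS), the domain names, and the helper names are constructed for this example; only the ip4, ip6 and all mechanisms are implemented, and mechanisms that need further DNS queries (include, a, mx, redirect, exists) are reported as unsupported rather than silently passed. The ACTIONS table is one illustrative receiver policy, not anything Earthlink stated.

```python
"""Minimal receiver-side SPF evaluation (hypothetical example code).

Implements only the ip4 / ip6 / all mechanisms with their +, -, ~, ? qualifiers.
A production checker also needs include, a, mx, redirect, exists and live DNS.
"""
import ipaddress

# Constructed, hypothetical zone data standing in for DNS TXT lookups.
FAKE_DNS = {
    "example.net": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.7 ~all",
    "nospf.example": None,                        # domain exists, publishes no SPF
    "broken.example": "v=spf1 ip4:not-an-ip -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS):
    """Return the domain's SPF record, or None if it publishes none."""
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(client_ip, mail_from_domain, dns=FAKE_DNS):
    """Evaluate the SMTP client's IP against the MAIL FROM domain's policy.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    record = lookup_spf(mail_from_domain, dns)
    if record is None:
        return "none"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "permerror"

    # Mechanisms are evaluated left to right; the first one that matches decides.
    for term in record.split()[1:]:
        qualifier = "+"                           # default qualifier is "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"                # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # include/a/mx/redirect/exists need more DNS queries: unsupported here.
        return "permerror"
    return "neutral"                              # ran off the end of the record


# One illustrative receiver policy; what to do per result is the operator's call.
ACTIONS = {
    "pass": "accept",
    "fail": "reject",
    "softfail": "accept and raise spam score",
    "neutral": "accept",
    "none": "accept",
    "permerror": "accept and raise spam score",
}


def spf_action(client_ip, mail_from_domain, dns=FAKE_DNS):
    """Map the SPF result for this connection to the receiver's action."""
    return ACTIONS[check_spf(client_ip, mail_from_domain, dns)]


if __name__ == "__main__":
    for ip, dom in [("192.0.2.25", "example.net"),
                    ("203.0.113.9", "example.net"),
                    ("2001:db8:1::5", "example.net"),
                    ("198.51.100.8", "softfail.example"),
                    ("192.0.2.1", "nospf.example"),
                    ("192.0.2.1", "broken.example")]:
        print(f"{ip:>16}  {dom:<18} {check_spf(ip, dom):<9} -> {spf_action(ip, dom)}")
```

Note what this check does and does not establish: a "pass" only says the connecting host is one the MAIL FROM domain authorised, which is exactly why Gutmann's point stands for SPF as much as for signatures: mail relayed through a large provider's authorised servers from a compromised customer machine passes cleanly. SPF is an anti-spoofing measure for the envelope sender's domain, not proof that the message was sent with the account holder's consent.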