ietf-asrg

RE: [Asrg] RE:ASGR 8a Use of certificates

2003-04-08 12:00:43
From: "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com>

...
Have you never received a junk fax with a bogus banner, without
a knowable source telephone number, and advertising a web page?
I have.  How would I trace the junk faxer?

You get a court order. All the information is kept for a
minimum of 30 days under CALEA by the telco.

...
The issue is cost. It costs $350 retail to get your identity 
authenticated. An investigation costs thousands. Just pulling
the telco records costs thousands, Internet investigations 
cost dramatically more.

VeriSign demonstrated the low value of affordable authentication when
it sold the identity "Microsoft Corporation" for about $350 to an
individual who fraudulently claimed to be a Microsoft employee.  
( http://www.cert.org/advisories/CA-2001-04.html ) On the other hand,
$350 can rent a little space and a phone line on which you can install
a PC with software to send junk faxes or make pre-recorded calls and
collect the numbers of interested consumers.  It is easy for the bad
guys to disappear in either case.  In both cases, court orders, credit
card trails, other standard tools can often find the bad guys.


...
 - it is as easy to identify spammers as it is to identify junk faxers
      and pre-recorded phone callers

Actually this is empirically not the case. There is no analogue 
of CALEA and the spam senders have the ability to hide behind
offshore machines. Junk fax senders typically do not have that
type of option on the telco network which is highly regulated.

Empirically that's not the case.  America Blastfax's Denver satellite
could have been as anonymous and slippery as any spam amplifier.  ABF
evidently rented local space to plaster the local calling area with
junk faxes from their Texas offices.  They could have paid cash for
the space and the phone lines and moved to new space and phone lines
once a month or before things got hot.

The importance of the TCPA, junk faxes, and junk pre-recorded phone
calls is not that dealing with them is easy.  That world illuminates
the nature of the unsolicited, objectionable advertising problem, and
shows that finding spammers is not now and never will be either
impossible or trivial.


...
My vendetta against authentication snake oil is my main point.  

Good to see you admit that is what you are up to. I think your 
main point is that you really can't stand all the people who 
have come late to the net and don't give the old timers the
respect and privileges they feel their seniority is due.

You make idiotic statements like 80% of spam comes from free 
email providers yet you never answer the point that free email
providers will in almost all circumstances have rate restrictions
in place so what you are really up against is spam that attributes
itself to free providers.

This has a simple answer, authentication. So why are you against
the idea? I suspect it is because you don't want a solution, you
really want to be able to turn back the clock to the 1980s before
all the unworthy unwashed hordes came to the Internet and there
were businesses and such.

As Phillip Hallam-Baker knows, I have never said "80% of spam comes
from free email providers," because we both know that is not true.
We both know that rate limiting by free providers is irrelevant.

If certs were required for mail, then free providers would issue certs
along with usernames and passwords, and for the same price and with
the same due diligence in checking that the applicant is not really
Alan Ralsky that they now exercise.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com