|
[Asrg] Re: Asrg digest, Vol 1 #296 - 37 msgs
2003-07-02 19:56:39
Thankyou for your comments. My responses are in the body of the message
below. This post related to the 'GIEIS' system currently at Version 0.002.
Another update is coming soon adding financial justifications, and
statistics. Also, details of the new 'Common Authentication Architecture'
(CAA) will be released to. The 'CAA' will be designed for businesses and
developing online credibility.
'GIEIS' - 'Global ISP Email Identity System' may be viewed here:
http://homepage.ntlworld.com/giza.necropolis
Mark McCarron.
Message: 1
From: "Hondin de Goot" <hondin(_dot_)degoot(_at_)programmer(_dot_)net>
To: asrg(_at_)ietf(_dot_)org
Date: Wed, 02 Jul 2003 15:02:19 -0500
Subject: [Asrg] As requested
Mark Carron wrote:
> Why not actually join the debate on 'GIEIS' instead of posting
> subject matters that have nothing to do with this group?
OK:
Mark's Response:
Thankyou.
The only reason why "spam" is a TECHNICAL NETWORKING
problem is because it is almost cost-free to the SENDER.
Mark's Response:
This is not entirely accurate. Spam is the direct result in failures of
design in the SMTP protocol. The SMTP protocol has very little ability to
confirm any details other than packet checks. All filtration there must be
done at a higher level. People have demonstrated concerns about 'GIEIS'
using heuristics to analyse email, however, I would like to point out, how
do they think it is currently done?
Also, a protocol is only a set of rules for transmission. No protocol on
its own could ever ever secure SMTP or SMTP like communications. Such a
system would always have to based on good will. In an ideal world that
would be nice, as we can see on the internet with 40% of emails being spam
and a further 20% being virus', trojans, etc. goodwill has limits.
In order to secure communications, an additional layer must be the added to
the internet that establishes a coherent architecture for all communication
protocols (examples would be SMTP, NNTP, and chat protocols). This coherent
architecture prevents those flooding the internet with terrabytes of
unsolicited emails and 'bot spam' from being able to do so.
(1) In the short to medium term
Devise a method of reasonably reliably identifying bulk spam,
UCE or UBE and levying a charge on the senders (via any of their
upstream carriers, financial pain having the properties that it
does) which approaches that of any other method of commercial
or non-private bulk message delivery and most of the TECHNICAL
NETWORKING problems associated with spam - which are almost
entirely due intractable volumes of traffic - would rapidly
disappear.
Mark's Response:
The problem with this suggestion is that spammers are difficult to trace and
even when traced there lacks the proper legal frameworks to do much about
it. A typical spammer will connect a chain of up to 20 proxies before
launching an email flood. By altering the IP addresses of the the proxies
at a random based on a large list (of possibly tens of thousands) he can
make it appear that these machines are the offenders and not him. Also, a
lot of spammers use HTTP tunneling across socks proxies which leaves an
anonymous connection. Spam is a direct result of a basic topology flaw of
the internet.
Furthermore, the relatively small community subsumed under the
identity "upstream carriers" and its heavy dependence on an even
smaller number of common interconnects and transit agreements
essential to maintaining the quality/marketability of its product
(not excluding the attractiveness of its product to spammers)
would greatly reduce the difficulty of reaching, the task of
implementing and the central cost of policing any agreement:
most dispute resolution would tend to move towards end users and
"leaf AS"s on the one hand, less towards established *IX or their
fora on the other. The politically difficult part - arriving at
basic definitions and a workable system of collections - which
would be simplified by being largely effected at industry rather
than governmental level, though some arm twisting by legislators
might well be required, would best be progressed through those
fora or some especially constituted offshoots of them, while
the technically difficult part, appropriate for discussion here,
would lie in the automation of identification and settlements.
(2) In the longer term
Reformulate the basics of the mail transport protocol. That,
however, is a MUCH longer term project than is evident to any
but a few of those who do not have to wrestle daily with keeping
even reasonably loaded current systems financed and running, let
alone implementing and installing major upgrades, or those who
have little idea of the vast amount of installed infrastructure
that would have to be replaced or accommodated. Furthermore, it
is an extremely rigorous field only peripherally amenable to inputs
from here. SMTP may be unequal to the UNRESTRAINED stresses of
a primarily commercial Internet, but it is by no means a simple
minded mail transport protocol and it is not at all obvious that
it would so urgently need significant overhaul in an environment
where some reasonable degree of financial regulation replaced
the original institutional regulation. In fact, like many of
the basic Internet services, not excluding post-CIDR IPv4, it
has scaled extraordinarily well.
Mark's Response:
A reformulation of the SMTP protocol and implementation to the market place
could be completed within 3 years. The industry is losing to much money as
it stands and this is only set to increase. If they bite-the-bullet now, it
will save them hundreds of billions in the long term and generate twice as
much in new business. Once the main architecture is designed, moving to a
real world platform is a relatively easy process. You practically have a
step by step guide with 'GIEIS'.
That's it.
ANY concern with content or personal identification of the
senders of email that is not, outside of the envelope, a
TECHNICAL problem is no part of an appropriate TECHNICAL
solution to the NETWORKING problems of bulk spam/UCE/UBE.
With a sheet of paper, a pen, a postage stamp, an envelope
and a public mail box it is possible to send an anonymous
letter, lawful or otherwise, on any subject, to any person,
institution or business behind a physical mail box. Any
solution to the TECHNICAL NETWORKING problems of spam, etc,
which renders Internet email - already inherently much more
traceable than most postal mail - even less able to handle
securely the communications of whistle blowers, or political
or social dissidents in Western or other jurisdictions, or
criminals, or little old grannies sending unattributed uplift
to psychiatric outpatients, whatever, as well as the mundane,
everyday drivel of normal communication, is a solution which
injects political and social considerations to the relative
detriment of electronic mail vis-a-vis the traditional mail
it is rapidly supplanting. And is therefore unacceptable.
Mark's Response:
I think you are forgeting another aspect of email, that is, it can be
encrypted. Just because they can identfy which account the information came
from, does not mean they can read its contents. Also, the costs involved in
trying to break something like a Twofish ciper would far outway the value of
the message and with a decent alphanumeric passphrase, it is unlikely they
would access it within your life-time. People's privacy would be
unaffected.
And any solution which involves analysis of message headers
or bodies beyond that required by legislation enacted in the
specific originating, transit or destination jurisdictions
involved represents a gross invasion of personal privacy or
commercial confidence (and I'm doubtful of granting authority
to mere transit jurisdictions). The proper place to impose
political, social or commercial control on the contents of
either postal mail or electronic mail is not from within
some demented center of globalized electronic surveillance.
Mark's Response:
This is how current anti-spam systems work and I do not see any mass public
outcry about it. Also, as I have pointed out before, governments across the
world have super-computers dedicated to surveillance. They also have
billion dallar budgets to support dedicated infrastructures for surveillance
and follow-up surveillance. 'GIEIS' would be redundant in such a role.
It is not worth addressing any even more bizarrely ignorant
proposals which put forward tecnhical abuse of the network,
from port scanning on up, as some kind valid control system.
Mark's Response:
It is worth addressing. A port scan only tests for basic security and
access to a system. It is hardly a physical assault, also, coming from a
trusted domain everyone would be quite aware it was not a breach attempt on
their systems. Since these scans would be sent clear text across the web
anyone with a little knowledge could analyse them. If there was anything
suspisious it would be repoted instantly all over the world.
Although Usenet is now largely (but, even yet, by any means
entirely) transported via NNTP, it is no part of the remit
of a TECHNICAL NETWORKING group, only loosely associated with
only one of its transmission protocols, to attempt to control
its content in any way other than from within Usenet's own
already well-established and effective control structures.
It is not encumbent on any ISP/IAP to provide a full (or any)
net news feed to its subscribers, and UDP is readily available
to any subset of news administrators who wish to apply it as
an ultimate remedy for the perceived transgressions of others.
Mark's Response:
It is part of this remit. The remit of this group relates to spam, not
specific protocols. Spam is an issue that affects the NNTP protocol s well.
NNTP has the same flaws in security as SMTP. The GSMTP protocol behind
'GIEIS' will be a hybrid protocol that will standardize a single
transmission protocol between all internet based communication systems.
Newsgroups are flooded with spam, Usenet's current procedures have proved
ineffective. Also, we are only eliminating fraudulent emails.
.
The only politically mandated form of legal tender is currency
and while numerous commercial enterprises, each with their own
private, non-social agendas, offer alternatives - often, and
probably not without some foundation in fact, rumoured to have
significant to massive internal problems with security, fraud
and identity theft - in view of their fundamental opacity in
those regards they comprise no valid basis of any sort for any
mandatory access system within the public Internet at any level.
Mark's Response:
I disagree with this point. 'GIEIS' would only assist with companies
establsihing credibility on the internet. All companys would have to be
'GIEIS' registered and that requires being a legitimate registered company.
'GIEIS' under the 'CAA' system (details will be released in the next few
days) would be able to retrieve company information, past complaints, and a
complaints procedure system. Another feature of the system, is that it
would be able to confirm emails were sent by employees from any company.
'CAA' will be part of the 'Internet Better Business Guild' that will be lead
by 'GIEIS'. All companies that pass 'GIEIS' checks will be awarded a
reference number. This will also take the form of a link that will appear
in a small graphic on their website. This will lead directly to 'GIEIS'
online reporting system and list extensive details on the company including
previous complaints and resolutions with customers.
This would virtually eliminate fraudulent business on the Internet.
I am not a fully-combined brain surgeon+architect, accountant
registered in the British Isles (sic) + renowned egyptologist,
theoretical physicist, etc, and, although I have forgotten more
about networking than - I am sorry to say - it is obvious that
some of those poncing^h^h^h^htificating about in this list have
yet learned, or probably ever will learn, neither do I have,
anymore, the energy to input the sort of technical diligence
and effort that most technical networking problems, not least
this one, require. However, that is no great loss as many
absolutely better technical brains that could, hopefully will,
find viable TECHNICAL solutions to the TECHNICAL components of
the problem at hand, without imposing spurious limitations or
introducing intrusive socio-political constraints, also subscribe
here and in other equally competent mileau. Which is why I have
left it to them both until now and from now on.
Mark's Response:
That's ok, you can't all be like me, then everything would work and there
would be nothing to do. :) Only 'GIEIS' or one based on it could secure the
Internet. A protocol alone cannot secure the Internet. A protocol only
tells data how to transmit itself, not if it should be transmitted or not.
No constraints are being introduced other than that which to protect
networks, children, etc. Uncensored access will still remain and will be
one of the mandates behind 'GIEIS'. The instrusion that 'GIEIS' would make
would mostly be of the automated variety. Nothing more than is currently
being done.
As an aside, some of the more mouthily ignorant reading here
undoubtedly already knew, in an a priori kind of way associated
with a prescient understanding of all technologies unto all
(wo)men, that an SMTP server is that process in an SMTP
transaction which receives mail and an SMTP client is that
process which sends it. And that POP3/IMAP mail queues are,
for the most part, fed with messages received by SMTP servers
acting in their usual role of MTAs. They just briefly forgot it.
Finally, although I'm not a polymathic genius, even of the
psychiatric recidivist sort, nevertheless I do know a vapid
wannabe-Mr-Big timewaster trying to pass off a lazy streak of
intellectual self indulgence with an unjustifiable illusion
of superiority under the cover of a fraudulent facility with
undigested concepts when I see one, and I also know how subtly
but basically destructive of constructive group effort -
particularly the inputs of the socially naive, which are
thereby wasted beyond measure and excuse - such posturing
almost inevitably is, however beneficent it appears to be
en passant. And, even for a dog, it's a relatively trivial
exercise in network forensics to establish with near certainty
that the previous deranged postings of a technical incompetent
did indeed originate with the same, in exactly the form they
currently have, thus casting (to use a technical term) denials
as self serving lies, aimed at asserting unquestioned "authority"
in a field where it has not earned, through the sheer, hard work
of researching the systems involved, the right to be asserted.
Nothing wrong with learning on the job, provided it is from
an attitude of supplication.
Now, where's that unsubscribe button? Ah, here i
Mark's Response:
That is one way of putting it, but I don't see anything here that
demonstrates that you are able to bypass my system.
Mark McCarron.
_________________________________________________________________
Tired of 56k? Get a FREE BT Broadband connection
http://www.msn.co.uk/specials/btbroadband
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
| <Prev in Thread] |
Current Thread |
[Next in Thread> |
- [Asrg] Re: Asrg digest, Vol 1 #296 - 37 msgs,
Mark McCarron <=
|
|
|