ietf-asrg

Re: 2. Uselessness of C/R RE: [Asrg] It's all over for Challenge Response

2004-01-29 00:22:40
Hallam-Baker, Phillip wrote:

The report hit this morning. Until the exploit was announced in
slashdot it could be ignored. The whole Turing thing is a progressive
response strategy, you do not lay out your defense in full for the
attacker to analyze.

It is security through obscurity - just like a lot of real world security.

Which is precisely why real world security often is not as secure as it could and should be.

All of those can be defeated. The Referer field is not secured. It is also
spelt with a single r. I thought we could save some bandwidth. Actually
it's because I am dyslexic that I did not spot the mis-spelling. But neither
did Tim, come to that.

I beg to differ: http://dictionary.reference.com/search?q=referrer ;)

But alas, it's really a web authentication problem which makes it their problem, not ours. If they'd like to solicit advice from us I would tell them to invent something better than laying one insecure system (HTTP) on top of another (SMTP/POP3).

That is a viable attack, no question, do me a favor, don't mention
it on the front page of slashy.

The way Slashdot tends to regurgitate whatever comes their way without an ounce of journalistic integrity, I wouldn't send anything to that place with my name on it while I still value my reputation, however small it may be.

Nah, pay them $10 an hour, or get slave labour for $2/hr in India.

I thought about that, but based on some things I've seen a month or so ago, I get the feeling OCR is about to catch up and make this entire discussion irrelevant.

The C/R schemes are an abomination and should be killed; it's the signups
for Yahoo accounts that are the problem.

I'm not sure they have to be killed. As long as they all _basically_ do the same thing, no one will prevail over the other, and with no prevailing technology it will never take hold. Earthlink may be testing it, but as an Earthlink user I'm not being forced to use it and neither is anyone else, which makes it pretty flat.

I still believe that dancing around the existing system will only result in a system of spit and duct tape.

Spam is a psychological problem, people don't do it because it makes money,
they do it because they think it makes money. There is no point in spending
money persecuting the blighters if they think they are keeping the upper
hand.

Unless we find a few of them and torture them I doubt we'll ever get a solid estimate, but I have heard that a decent amount of them make a decent living.

This is a war, you win a war when the other side decides that they are
beaten.

I thought you won by killing everybody? :)

P.S. Sorry for sending the last one directly to you, I wasn't paying attention.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
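The point made above, that "the Referer field is not secured", is worth seeing concretely, because challenge/response and CAPTCHA front ends of the era commonly used a Referer check to "prove" the answer came from their own challenge page. The following is an added example written for this archive page, not code from the thread or from any C/R product. It stands up a toy local HTTP endpoint that accepts a form post only when the Referer header starts with a hypothetical expected origin (the origin name, the /verify path and the form field are all assumptions), then shows that a client which simply sets the header itself passes the check. The server, the client and the 403/200 outcome are all constructed inline, so it runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical origin the challenge form is supposed to be submitted from
# (an assumption for this example, not a real host).
EXPECTED_ORIGIN = "http://challenge.example.test"


class RefererCheckHandler(BaseHTTPRequestHandler):
    """Toy form handler 'protected' only by a Referer prefix check."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        self.rfile.read(length)  # consume and ignore the form body
        referer = self.headers.get("Referer", "")
        if referer.startswith(EXPECTED_ORIGIN + "/"):
            self.send_response(200)
            body = b"accepted"
        else:
            self.send_response(403)
            body = b"rejected: bad or missing Referer"
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Bind to an ephemeral loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), RefererCheckHandler)
    t = threading.Thread(target=server.serve_forever, daemon=True)
    t.start()
    return server


def submit(port, referer=None):
    """POST the (hypothetical) challenge answer; the client picks the Referer."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if referer is not None:
        headers["Referer"] = referer  # entirely under the client's control
    conn.request("POST", "/verify", body="answer=x", headers=headers)
    resp = conn.getresponse()
    status = resp.status
    resp.read()
    conn.close()
    return status


def demo():
    """Returns (status without Referer, status with a forged Referer)."""
    server = start_server()
    port = server.server_address[1]
    try:
        no_referer = submit(port)
        forged = submit(port, referer=EXPECTED_ORIGIN + "/challenge?id=123")
    finally:
        server.shutdown()
        server.server_close()
    return no_referer, forged


if __name__ == "__main__":
    print(demo())  # (403, 200)
```

The first request, with no Referer at all, is refused; the second, which never visited the challenge page but sets the header to whatever the server wants to see, is accepted. Nothing in HTTP binds that header to an actual prior page load, which is why a Referer check only stops browsers that volunteer the truth, never a script written to get past it.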



Current Thread: Re: 2. Uselessness of C/R RE: [Asrg] It's all over for Challenge Response, Paul Tenny