
Re: [Asrg] request for review for a non FUSSP proposal

2009-06-25 07:40:08
On Wed, Jun 24, 2009 at 09:36:14AM +0200, Claudio Telmon wrote:
> I don't think that much action would be needed. If my system is
> compromised, the tokens I have were compromised. My friends would
> complain (the "local" blame that works), and the spammer would have a
> token for the mailing list, the one I use, so it would be able to send
> spam to the list.

(a) How would your friends know?

and

(b) What stops an attacker who has compromised Fred *and* Barney's
computer from using Barney's tokens from Fred's computer?  Keep in
mind that since the attacker has full control over both systems,
he/she also has, or can have, all of Fred and Barney's email
credentials -- login names, passwords, etc.

and

(c) I get the sense that this will scale as N^2, which doesn't bode well.

> Dealing with the framework without an address book would be actually
> impossible.

So you want me to stop using the mail client I've used for years --
which I've deliberately chosen because of its simplicity, speed,
features, and most importantly, security?

Not a chance.

Moreover, even if I had a mail client with an address book, why would
I want to put 11,500 people in it?  Especially since the overwhelming
majority of those communications are one-time?

> With respect to numbers, I cannot answer. People and
> software explicitly dealing with large lists of addresses/subscribers
> would usually need to deal with an equal (well, double) number of
> tokens. People like you, dealing, if I understand correctly, with a
> large number of occasional correspondents, would need to do the same.

I'm already way too busy to even try to answer most of my email; where
am I going to get all the extra time needed to do this task?  Especially
given that there is no meaningful anti-spam value: if today I approve
a token from Fred, that doesn't help me at all if Fred's computer
is compromised tomorrow night and delivers 50 spam messages to me before
I wake up the next morning.  I could have done *nothing* and done just
as well.

> > Moreover, "informing the owners" has already proven to be a badly-losing
> > strategy.  *If* the owners actually receive such communication
> > (telling them their system is probably compromised), they tend to
> > either disbelieve it, ignore it, classify it as a phish--often correct,
> > deny it, or act ineffectively to remedy the situation.

> Do you feel that the same would be true if the communication were not an
> automated communication but a communication from correspondents, not by
> email, and maybe implying the (temporary) inability to communicate with
> some of them? This would actually severely limit the usability of the
> scheme.

Two points; first:

If it's not automated, it won't scale.

If it's automated, then it will be faked billions of times and people
will quickly learn not to pay any attention to it.

Second: how am I going to communicate with correspondents "not by email"
when that's the only way I *have* to communicate with them?  You can't
seriously expect me or anyone else to spend our time IM'ing or phoning
or otherwise trying to convince people that their system is compromised.
I see several thousand attempts per day on this address alone that
are obviously from compromised end-user systems.

> > No anti-spam
> > scheme which requires effective, clueful participation by end-users has
> > any chance of working: if they existed (in very large numbers) then we
> > wouldn't have such a large spam problem because (a) their systems would
> > be compromised in huge numbers and (b) they would have learned by
> > now to never respond to any spam.

> I don't know. Me, as probably each of us, I'm often asked by friends to
> "reinstall" their systems because they are full of garbage. [...]
> Should I receive spam using their token, I could be much more aggressive
> than I've been until now, and maybe others would do the same. This kind
> of blame usually works with other communication channels (again, people
> disseminating phone numbers), why shouldn't it work with email? People
> usually don't care about ineffective blame, but don't like to be considered
> stupid by their friends.

We're now 6-7 years into the period when Windows systems are compromised
at will by attackers and used not just for spam, but for DoS attacks
and all kinds of other mischief.   Yet there has been no mass migration
away from these insecure and insecurable systems -- just a little bit
of movement here and there.  Your approach won't get them to change either.
They'll either (a) deny there's a problem (b) run some anti-malware tool
on their compromised system and believe what it says (c) get someone
else to do (b) or (d) in rare cases, get the system detoxed using
known-clean boot media or by starting over...but will then get it
re-infested a month later the same way they got it infested the first time.

---Rsk
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
