ietf-asrg

Re: [Asrg] request for review for a non FUSSP proposal

2009-06-25 09:48:22
From: Rich Kulawiec <rsk(_at_)gsp(_dot_)org>

(a) How would your friends know?


They too get spam with my tokens, unless the spammer decided to just target the 
mailing list. Each of them will receive spam messages carrying the token they 
provided (just) to me.

and

(b) What stops an attacker who has compromised Fred *and* Barney's
computer from using Barney's tokens from Fred's computer?  Keep in
mind that since the attacker has full control over both systems,
he/she also has, or can have, all of Fred and Barney's email
credentials -- login names, passwords, etc.


Hmm, maybe I don't understand the scenario. If the spammer uses the tokens he 
found on Barney's computer, he will be able to send spam to Barney's contacts, 
no matter from which computer. And Barney's contacts will know that Barney's 
computer has been compromised, since they gave that token to Barney, no matter 
where the message comes from.

and

(c) I get the sense that this will scale as N^2, which doesn't bode well.


I considered this issue, but I think it doesn't apply. It would be a problem if 
some part of the system needed to deal with all of the tokens. However, 
each user will deal with N tokens, no matter if they are equal to or different from 
the tokens others use. To be clear: each will have N addresses of their 
correspondents, which scale with N. Each will have N (well, 2N) tokens for 
their correspondents, even if they are different for each couple and scale with 
N^2. They won't see the difference, nor will any part of the system.
 
So you want me to stop using the mail client I've used for years --
which I've deliberately chosen because of its simplicity, speed,
features, and most importantly, security?

Not a chance.

:) Each tool has some drawbacks. As we (almost) switched from telnet to ssh, 
people started to need keyrings, which are very similar in terms of usability. 
There was a good reason for this, which had to be evaluated by each person vs. 
the convenience of telnet. 
However, if you won't adopt the consent framework, you may still be required to 
insert tokens if your correspondents adopt the framework. But, if most (of your 
correspondents) agree with you and don't see a benefit from the framework, they 
won't adopt it either and you won't be required to put tokens in your messages.



Moreover, even if I had a mail client with an address book, why would
I want to put 11,500 people in it?  Especially since the overwhelming
majority of those communications are one-time?


If a communication is one-time, you don't need to add the address to an address 
book, since you won't need to keep any token for future contacts. BTW, this may 
increase the use of short text-only messages for fast email exchanges, instead 
of html or similar. This kind of message would fit the constraints of consent 
requests, and wouldn't require actually managing tokens.

I'm already way too busy to even try to answer most of my email; where
am I going to get all the extra time needed to do this task?

The goal is to have fewer useless messages to deal with. If you have a very low 
noise/signal in your messages, then the framework probably wouldn't fit your 
needs. I see it somewhat like publishing the cell number and spending the time 
answering the (few?) undesired calls, instead of spending time giving the 
number only to people you want to talk with. 
However, I would avoid any evaluation based on personal taste (mine or yours); 
that's why I asked if there are available statistics on how many correspondents 
people have.

Especially
given that there is no meaningful anti-spam value: if today I approve
a token from Fred, that doesn't help me at all if Fred's computer
is compromised tomorrow night and delivers 50 spam messages to me before
I wake up the next morning.  I could have done *nothing* and done just
as well.


So you don't think that being able to tell Fred that he, and not "the 
Internet", is the reason why you receive spam, would help convince Fred 
to keep his computer clean? I mean, if Fred cares about your opinion, which 
usually happens with at least some of our correspondents (and usually happens 
much less if the communication comes from some unknown person).

Do you feel that the same would be true if the communication were not an
automated communication but a communication from correspondents, not by
email, and maybe implying the (temporary) inability to communicate with
some of them? This would actually severely limit the usability of the
scheme.

Two points; first:

If it's not automated, it won't scale.


It will, in my opinion, since it is distributed among the same people that 
increase the number. Saying that anything that is not automated won't scale is 
a bit too generic.

Second: how am I going to communicate with correspondents "not by email"
when that's the only way I *have* to communicate with them?  You can't
seriously expect me or anyone else to spend our time IM'ing or phoning
or otherwise trying to convince people that their system is compromised.

Well, I do :) Either you are interested in communicating with them, or you're 
not. If you're not, just invalidate their token and avoid providing a new one. 
If you are interested, and you know that their system is compromised (don't 
think about the consent framework, it doesn't matter in this), wouldn't you search 
for a means to tell them? If someone I want to send mail to has some consistent 
delivery error, so that I cannot contact him by email, I usually manage to 
inform him through some other channel.
From what I understand and hear about social networks (actual social networks, 
not the services that support some), they are very effective in forcing people 
into a behaviour that is accepted by their peers. BTW, this is how the Internet 
managed to have a "netiquette" in the beginning. 
This interest in not having our peers as our main source of spam is the 
"social" base for the whole framework, be it because you tell them, or because 
you invalidate their token.

I see several thousand attempts per day on this address alone that
are obviously from compromised end-user systems.


These thousands of attempts are due to thousands of compromised systems, not to 
thousands of compromised correspondents of yours. The number of systems the 
spammer would use with the same token is not relevant, since they would all be 
blocked by invalidating that token.

 
 Yet there has been no mass migration
away from these insecure and insecurable systems -- just a little bit
of movement here and there.  Your approach won't get them to change either.

Why should they? People are used to these problems, which to them seem to be 
part of ICT. However, I don't agree that a properly configured Windows system 
is that undefendable these days.
 
(b) run some anti-malware tool
on their compromised system and believe what it says (c) get someone
else to do (b) or (d) in rare cases, get the system detoxed using
known-clean boot media or by starting over...but will then get it
re-infested a month later the same way they got it infested the first time.

Well, they will do what they can. Which, in my opinion, would take us anyway to 
a much cleaner Internet than it is now.


---
---
Claudio Telmon
claudio(_at_)telmon(_dot_)org
http://www.telmon.org
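The per-correspondent token mechanism argued over in this message (each user hands a distinct token to each correspondent, spam carrying a token points back at whoever was given it, and revoking that one token cuts off every machine the spammer used), modelled as a small added example; this is not code from the proposal or from either poster, and the names Fred, Barney and Wilma, the token format and all helper functions are assumptions made for illustration:

```python
"""Toy model of per-correspondent consent tokens (added example, not the
ASRG proposal's code). Mailbox names, token format and helpers are assumed."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Mailbox:
    name: str
    issued: dict = field(default_factory=dict)    # token I gave out -> correspondent
    received: dict = field(default_factory=dict)  # correspondent -> token they gave me
    revoked: set = field(default_factory=set)

    def issue_token(self, to: str) -> str:
        tok = secrets.token_hex(8)        # random, so it cannot be guessed or reused
        self.issued[tok] = to
        return tok


def pair(a: Mailbox, b: Mailbox) -> None:
    """Two correspondents exchange tokens; each ends up holding 2 per pairing."""
    b.received[a.name] = a.issue_token(b.name)
    a.received[b.name] = b.issue_token(a.name)


def deliver(recipient: Mailbox, token: str) -> str:
    """Classify an inbound message: who the token attributes it to, or why not."""
    who = recipient.issued.get(token)
    if who is None:
        return "no-consent"        # unknown token: treated like an unsolicited message
    if token in recipient.revoked:
        return "revoked"           # token already reported, sender blocked everywhere
    return who                     # attributed to the correspondent who holds it


def report_abuse(recipient: Mailbox, token: str) -> str:
    """Spam arrived with this token: revoke it and name whose machine leaked it."""
    recipient.revoked.add(token)
    return recipient.issued[token]


def scenario() -> dict:
    fred, barney, wilma = Mailbox("fred"), Mailbox("barney"), Mailbox("wilma")
    pair(fred, barney); pair(barney, wilma); pair(fred, wilma)   # N = 2 per user
    stolen = dict(barney.received)          # constructed: Barney's box was compromised
    first = deliver(wilma, stolen["wilma"])    # lands, but names Barney as the source
    leaker = report_abuse(wilma, stolen["wilma"])
    second = deliver(wilma, stolen["wilma"])   # same token from any machine: blocked
    forged = deliver(fred, stolen["fred"])     # sent "from Fred's computer": still Barney
    unknown = deliver(wilma, "deadbeef")       # no token at all: no attribution
    held = len(barney.issued) + len(barney.received)   # 2N, not N^2, per user
    return dict(first=first, leaker=leaker, second=second,
                forged=forged, unknown=unknown, held=held)
```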

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
