ietf-dkim

Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion

2010-05-27 09:45:55
On 05/27/2010 07:05 AM, Barry Leiba wrote:
>> do you believe John, who never believed in ADSP and has repeatedly said
>> that he hopes it fails, and who has a microscopic amount of deployment
>> experience if any at all. Or do we believe Brett/paypal that ADSP is
>> providing benefit *today* in the form of 100's of millions of thwarted
>> phishes, and that ADSP is the only way he can get things to scale
>> beyond handshakes in the Valley.
>
> Indeed.  Only, I think it's a little more complicated than that.
>
> PayPal has good experience with independent arrangements that behave
> like ADSP, and they expect it to translate to good and broader
> experience with ADSP.  On the other hand, they have some bad
> experience with ADSP, which they expect to meliorate with a change
> that Brett hasn't described yet.
>
> On the other hand, John and Steve expect that the benefits PayPal is
> seeing in thwarted phishing messages will be short-lived, as phishers
> just change domain names, and send out just as many messages as
> before, fooling just as many recipients into thinking they're from
> PayPal.
>
> We will certainly need data collected over time to determine whether
> there's any long-term reduction in unblocked phishing messages as a
> result of ADSP.  I'm eager to get that data.  We'll also need some
> analysis of whether (and why) PayPal sees some real value in ensuring
> that successful "PayPal" phishing messages do not actually have
> "paypal.com" in the "from" field.  I'm eager to see that, too.

The problem with the cross examination that John and Steve are trying
to perform is that the witnesses are under no obligation to respond. And,
quite reasonably, they don't. I have absolutely no doubt in my mind that
paypal, for example, has a huge amount of infrastructure and practical
knowledge about the lookalike domain problem. I'm also completely unsurprised
that they aren't leaping out into the fray in a public forum to tell us how
they deal with it, and how exactly ADSP fits into their plans. I am happy
that they have told us that ADSP is instrumental to their plans even if
out of necessity they need to leave it at face value. I'm sorry that John
and Steve aren't satisfied with a company keeping their secret sauce... secret,
but that's just how these things work. Especially for security procedures.

Mike
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
