spf-discuss

Re: SPF is not usable as legal measure against spammers.

2004-07-19 13:07:52

On Friday 16 July 2004 02:56 pm, Nico Kadel-Garcia wrote:
Jonathan, I'm afraid that your understanding of both the difficulty of
properly securing a DNS server and of the consequences is not that of
harsh experience. In a modest environment, with only a few cycles
available to the admins in the face of the rest of their workload, truly
robust securing of the DNS servers is simply not a high enough priority
over convenience of administration or limitation of hardware resources
and the need to keep such a core service stable to justify itself. Sad,
but true.


I said nothing of what it takes to properly secure your services. That isn't 
what is important. What is important is that you take responsibility in 
securing your services. You get a level of security that you are 
comfortable with.

Second, the odds of your average script kiddie or spam-zombie-vendor
being visited by police authorities is about the chance of kittens
floating out of their ears due to quantum tunneling. The federal
authorities refuse to get involved in small cases, the local authorities
defer to the federal authorities and are generally unwilling to go across
state lines or other jurisdictional lines on their own, getting the
subpoenas to trace the cracker's dialup records is legally difficult and
quite expensive in court costs and lawyer time, etc.


The recent international crackdowns on the 419 scammers have shown that the 
authorities are able to bite back now. Very shortly now, script kiddies 
will get caught just like vandals, shoplifters, and drug dealers get 
caught.

I think this is coming sooner rather than later.

I suggest you take a look at the actual results of raids on crackers: The
Steven LaMacchia case at MIT where a student was running a pirate
bulletin board and the Robert Morris worm of the late 1980's are
instructive, and typical, of law enforcement screwing up.


And 20 years out of date. We might as well be citing law enforcement 
practices from the 1200's. They have just as much relevance.

Last: I've dealt with a few physical attacks in my time, including
weapons. Your enthusiasm and confidence and "everybody should just carry
a gun" approach to security hints that you've never actually faced a
deadly weapon and had to deal with the repercussions.


I am not saying that you have to carry a gun to be secure. I am saying that 
you have to be responsible for your own security.

After you were physically attacked, what was your response? Did you see a 
doctor? Did you take classes on self-defense? Did you carry a personal 
weapon? Did you change your daily routine? I am sure you realized that the 
only one who could make you more secure was you, and you acted 
accordingly.

Not just security, but also the prosecution is your responsibility. Did you 
cooperate with police? Did you testify in court? Again, if you don't take 
responsibility for the bad guy getting punished, you have no one but 
yourself to blame for not getting him punished.

If the hacker can get a hold of one of
those routers, we have bigger problems than spam.

Well, yes. And they already have repeatedly demonstrated such power. In
this case, with some money involved, it becomes even more likely.


So if we can't even secure our email servers, why are we even discussing 
SPF? Isn't priority 1 personal security?

I think you are overestimating the threat, or you are still using a 
network-facing Windows OS. Bottom line: Machines are securable. If yours 
aren't, it's your fault.


There have been plenty of large scale attacks: I suggest you take a look
at the recent Akamai/Google/Hotmail failures and what little has gotten
into the news about them.


That Akamai could suffer these effects from attackers is still enlightening, 
but irrelevant.

Akamai took responsibility. They had already prepared for this kind of 
thing. When it hit, it wasn't that bad. They quickly recovered. It was 
barely a blip in the news because it wasn't newsworthy.

-- 
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard(_at_)amazon(_dot_)com