Slashdot Mirror

nazgul@somewhere.com asks: "There are a number of proposed instant messaging standards under development, but I haven't seen any articles discussing how these standards plan to avoid spam. AOL's IM protocol actually has what I consider to be a pretty useful feature. You can 'warn' anybody who sends you a message, once per message they send you. The more warnings they get, the slower their messages get sent, until they can't send anything at all. What are the new IM proposals planning to do about SPAM? Because if we switch to a standard that doesn't have builtin SPAM protection, that standard will be useless." What kinds of privacy features do you think should be built into chatting protocols and programs of tomorrow? What chatting services and programs suffer from a lack of protection from Messaging SPAM?

"On AIM, everyone can see somebody's warning level, and warnings gradually wear off. Of course the warning mechanism depends on several assumptions.

1. There are no rogue message servers.
2. Creating an account requires a valid mail address.

The latter could be fairly easily defeated by building a large enough cache of accounts, and then rotating through them, but it would be difficult. The former can be defeated if we move to a multi-server instant messaging network."

Most chat services have built in protections for annoying users. Chat programs also may have some way of dropping traffic from unwanted users. For example, most IRC clients can use the /IGNORE command to drop what traffic they don't want from specific users. I'm sure that such functionality will be built into future chatting systems.

An anonymous reader sends: "Here's an archived copy of an anonymously remailed report on a demonstration of two versions of Carnivore by an FBI agent, at the recent NANOG 20 meeting."

michael : People are really interested in the "inner workings" of Carnivore, as shown by the many submissions. I never thought it was anything special - from the start, when I first knew that the FBI had an Internet interception box, I just assumed that it would neatly sort and deliver all Internet traffic of a particular target. I can spec out how I would design such a box; and the FBI isn't stupid; so I assume they would do it in a similar fashion. I think there's still a lot of disbelief out there, though - "You mean the FBI can really track both Web access AND email? And IRC? And Usenet? ...." People just don't believe it, because they're used to thinking of Internet traffic in different terms than phone or whatever.

The only important design aspects of the carnivore box are things like "Can the FBI set it to snoop on traffic it isn't supposed to? Can I dial into the box and snoop on my neighbors?" and other questions like that, which we'll *never* find out from any powerpoint presentation.

So get used to it, people. Assume that Carnivore neatly captures, sorts, and delivers all traffic that passes through it, and that the FBI can just type in your name and plug it in. Assume that there's a user-friendly, point-and-click interface. Assume that it will pretty-print reports, ready for filing with the court if/when you are prosecuted. Assume that there's essentially no oversight of the FBI's use of this device - after all, judges exercise almost no oversight over wiretaps, there's no reason to believe that Internet-tapping will be overseen any more diligently. The FBI and police approach wiretapping requests in the same way that conniving children approach their parents - it only takes one judge to approve a request, and the FBI can approach as many different ones as needed until they find the one that just doesn't care and rubber-stamps everything.

Get used to it. Want more data about how Carnivore works? Push for the source code to be opened. Nothing else will provide any more information about the system. You can't tell how secure it is (against the FBI, or against anyone else) from a presentation.

As for me, I'm steadily moving toward encrypting as much of my traffic as possible. I set up ssh for my home network recently. I'm setting up SSL. I'm reading up on IPSEC. I guess I just don't have a very trusting nature. The way I figure it, the time to set up countermeasures is before you expect to need them.

Here's a really interesting story on The New Science of Character Assassination which lists a bunch of things gore said that the media has used regularly to misrepresent him. Very worthwhile reading to help remember how the press skews things (no, I'm not an exception to the rule: but at least you guys can disagree with me below). Its not exactly about the election, but Does the US Electoral College Still Work?. Lastly for now, the presidential debate commision is looking for feedback. I just personally wanted to note that the submissions are extremely lopsided; virtually nil for any 3rd party candidates (except a few Nader) and only a little more for Bush. We're trying to give the major candidates linkage, so if you find good sources on the net (or want to write one!) submit it!