Slashdot Mirror


Hacking Web Services

siduri writes "Udi Manber, chief scientist at Yahoo!, gave a great talk on the kinds of hacks that Yahoo sees at the IEEE's Symposium on Security and Privacy. I wrote an overview of his talk for Dr. Dobb's Journal. While some of the message is well-known stuff (like that people will spend a lot of time hacking the most trivial things), the details of what Yahoo has to deal with are really pretty interesting."

1 of 226 comments

  1. Re:The last quote interests me... by ChaosDiscordSimple · Score: 5, Interesting
    Solving the spam problem technically seems to be impossible though. People have been trying to do that forever.

    The solution exists, it's just that the transition to the solution will be painful, so we're desperately trying to avoid it.

    The solution is whitelists and "postage".

    Put all your friends in a whitelist. Mail from them is delivered instantly.

    Anyone else who emails you gets an autoresponse, "I don't know you. To ensure that you're a real human being, you'll need to run the postage program to get the result for the code ABAASDFFEFEF". The program needs to be open source and easily verifiable for security reasons. The program solves some problem that is hard to compute (say 60 seconds), but easy to verify. One example would be a brute force cypher break on a simple cypher. The sender's email client can handle this autoresponse automatically, shielding the sender from needing to deal with it (Gee, my computer gets slow for a bit when I email someone new). Spammers, on the other hand, would need to either limit their spamming so they have time to generate valid responses, or would need to invest in expensive hardware to generate the responses fast enough. End result: It's no longer cheap and easy spam.

    There are a few other details to make mailing lists feasible, but it's doable.

    However, this effort would require everyone to upgrade their mail clients or to use external programs to manage this. Given the extremely slow adaptation of other email security features, I'm not optimistic.