Slashdot Mirror
The Case for Rebuilding The Internet From Scratch
dotnothing writes "I just caught a column on a security site advocating for a total start from scratch as far as certain internet protocols like SMTP. It's an interesting idea and there are some ideas on how to conduct the transition... if everyone would agree on something like this it would definitely reduce the spam (among other things)."
We can't even roll out IPV6. Even Internet2 has some basis in existing standards.
There are some very powerful entities that have a vested interest in keeping things they way they are today. I agree that many of these protocols are being used in ways and volumes never intended by their creators, and a redesign would be highly desirable. But with so many interests involved, how would such an endeavor ever get off the ground???
Stop by my site where I write about ERP systems & more
IPv6, replacement for SMTP, Slashdot style moderation on USENET, default encryption on all data transfers, DHCP configures EVERYTHING (like mail server, news server, etc), and more naked women. That would be perfect.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Will they make use of the new 'Evil' IP bit?
Sometimes I doubt your commitment to Sparkle Motion.
Alright, we can do this, but this time around I've got dibs on "business.com."
You could have a new version of SMTP, maybe called SMTP2 that would refuse connections from an SMTP1 server. That would cause most people to change rather quickly, and might even be workable.
Something like IP, otoh, would be best if the new version could coexist with the old version.
If I have nothing to hide, don't search me
spam can not be stopped. period. if you believe otherwise you are misguided. the protocol does its jobs, and the verification of the headers and contect are to be done on the end systems. a challenge system at the backbone level is ignorant.
the only update the internet needs is more IP space and faster connections and Internet2 is already doing that.
MARIJUANA, SHROOMS, X: ONLINE?! - E
redesigning the internet would take away everything that makes it good.
A redesign would be forceed to the best interests of conducting business, not sharing information.
It would not cut down spam, only change the form it takes. SPAM can only be slowed via eduacation. People must learn that SPAM is not the way to buy things.
If business don't like the way the internet works, then they can get together and build there own, down to, and including, laying there own backbone.
The Kruger Dunning explains most post on
... sorry, not happening. Hell, we can't even push out v6, let alone start from scratch. Sure, these organic growths (i'm talking bout the internet) may seem inefficient and disorderly, but anyone in theorectical math knows that such systems have an awkard effecientcy. Similar to the buses in Mexico (they don't have a single entity controling them, like the US does), the internet grows from several competing interests, and often seems chaotic and ineffective. Yet, studies show that the buses in mexico are several fold more effecient than the regulated from the start ones here in the states. Just some food for thought.
(someday, i will make FP)
YOU SUCK BALLS!
not to tell AOL? Lets just not mention anything to them, and suddently we have two seperate networks...
The old network only consisting of AOlers.
The new network consisting of everyone else.
If this isn't acceptable, could we try just not telling Microsoft?
You can't get 3 people to agree on where to eat. How does anyone expect to reach a worldwide agreement on how to redesign something that's become such a huge part of our lives.
The only way we ended up with something as good as we have was due to the fact that it was created by a small group of very intelligent men with much foresight.
With that in mind I suggest we form a task force to look into this matter. That way we can sleep soundly at night knowing nothing will ever actually happen.
"If you limited normal users to 100 messages per second and major companies to 10,000 messages a second it would be hard for legitimate users to complain, but spamming would be much harder."
Hm... At a limit of 100 per second that only means I can send out 100x60x60x24 = 8,640,000 e-mails per day. How am I going to be able to talk to all of my friends now?
Sticks and Stones may break my bones, but copyright will always protect me.
A subjective summary of the column:
- Scrapping the Internet is a good idea because spammers have used email to annoy everyone.
- Under this new, hypothetical email system, Verisign would require everyone to buy a secure ID to ensure they are who their messages say they are.
- The columnist is willing to spend more money and lose his privacy in exchange for these conveniences, so we should be, too.
Please. The problem with spammers isn't because SMTP is so weak. The primary cause of the modern deluge of spam is unsecured email servers around the world, allowing senders to spoof their identity and auto-email anyone they happen to have an address for. And no new system, no matter how rigidly secured, will make up for admins who don't do their job; if it did, it would be prohibitively expensive or complicated and thus be impossible to implement as widely as email is now.
The writer, Larry Seltzer, complains about spammers abusing his account, and yet his online publisher sticks a link to his email address right at the bottom of everything he writes. I would suggest that if he wants to reduce the flow of junk to his inbox, he start with his own managers.
This happens to all projects, irregardless of size. Developers will eventually believe that a total restart is the only way to fix problems. It's kinda sad, but I'm as guilty of it as anyone. I don't know how many times I've rewritten a project cuz I didn't like how it turned out, or couldn't fix a bug in the system quite right.
Same thing here.
The fallacy comes in the notion that something can be perfectly engineered. Nature teaches us that a vulnerability will be found, the weakest link will break, and that the internet will have problems in it.
Just cuz you don't like SMTP doesn't mean you should try to take it away from everybody.
And to test your IPv6 connectivity - http://ipv6.umtstrial.co.uk/
Get your own free personal location tracker
I can understand the author's frusteration with the current infrastructure, and it might be nice if we could chuck all of the bad at once.
BUT, this is completely impractical and would never happen. The current installed base and backwards compatibility always have and always will act as insurmountable intertia to sudden and drastic changes. The innovators will keep on innovating while the rest of user base slowly upgrades their most woefully inadequate equipment/software to the new standards.
Let's face it: once the internet moved out of the realm of hobbyists and academia and into the commercial sphere it lost the willingness to accept drastic changes. While it continually evolves (the emergence of ipv6, internet2, etc), I don't think we will be seeing a real, identifiable revolution anytime soon.
-bcollier06
Try SMTP AUTH. Any respectable MTA implements it.
This would take a centralized authority -- without one, enforcement is left to the commons, and we all know what happens then.
I'm sure we'd have no trouble finding a decent, well-respected, centralized authority to control all of the world's email. After all, no one has any cause to complain about the Internet's existing centralized authorities!
Seems like every implementation I've seen first hand of "let's rebuild this super humoungous system from scratch" never goes as planned. Inevitably, there are many unforseen problems with the new system. Some of these problems are due to poor planning. Some are not. Some of these problems will be a tremendous pain to fix. Some will be discovered immediately while others will be discovered months or years down the road. In the end, you may wind up with more problems than the old system and you wonder if it was really worth it. Just my $0.02.
Seriously, we could talk about what if's all day long, whether about the internet, global politics, the SARS virus, or even the DH rule (I'm against it) but it won't change a damn thing.
Last time I checked, actions speak louder than words.
I'd love to see some action to seriously combat spam because, frankly, I think it's going to do some serious damage over the next few years if the current situation is allowed to continue unchecked.
When people stop checking their inboxes because finding genuine messages is like finding a needle in a haystack, and when 25 or even 50 percent of all internet traffic becomes spam, thus slowing down the entire system for everyone and (more importantly) costing infrastructure providers, ISPs and ultimately the end-user serious money, it'll be a bit late to address the problem.
Better that it's done today - I'd rather deal with the disease now rather than treat the symptoms later.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
"The Internet was designed to be secure from nuclear attack, not its own users."
The problem is, it's very difficult to protect all of a technology's users from harming themselves with the technology or destroying it all together. Just look at virtually all of our inventions and discoveries: nuclear reactions, cars, CFCs, weapons...you can't generally save people from a technology if a substantial proportion of its users are hellbent on using it to annoy everybody else. I think even an "Internet2" would be unsuccessful unless it was so advanced it could somehow protect itself from its own administrators. But even that has its problems. (Insert Terminator reference here.)
Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".
I can see IPv6 being phased in in the next couple of years as the IP problem becomes more intense and NAT becomes even more of a royal pain in the backside. What I don't see happening is twenty years of maturity (in some form) being tossed out the window. It would be a shame to see existing protocols being dumped because they arn't secure - most of the time it is the IMPLEMENTATION that doesnt work or has flaws. Many software packages should be scrapped altogether and rewritten and designed from the top - sendmail is the example that comes straight to mind. So many flaws have come out over time it is silly. I'm not saying SMTP itself isn't flawed though, it most certainly is.
The people at PlanetJailbreak have designed, from scratch, on paper, the UT2003 version and the work has appeared to have paid off - an incredibly low number of bugs from their alpha testers have been reported. Where there have been many flaws in a package based on a fundamentally old codebase it should be rewritten totally, regardless of it being server or client software. The problem would be getting people to adopt - many people never patch a thing.
This is an interesting mental game but nothing more. Pick any complex system that has evolved like the Internet and you will find valiant efforts going into total redesign. Off the top of my head, look at how long Microsoft has been carrying along legacy code, or look at how Intel is trying to make a clean break from x86. In the non-computer realm, our legal system is so snarled sometimes the police just stop enforcing certain laws. How about gridlock in a developing city? Would sure be nice to just start over with new roads where and how we would like them to be, but fat chance.
I would even go far to say that even if you COULD rebuild the Internet from scratch, the effort would be useless. The Internet has been an evolutionary system, adapting to the demands users place on it with ever changing requirements. The changes you would make would be accurate for 0.001 seconds, then would start on its own road to obsolesence. You would see this very same article posted on Slashdot about Re-Redesigning the Internet in 2008.
So have fun with the mental exercise, but this beast will always grow on its own.
I've been arguing for years that the only way to fix the spam problem is with some kind of certified-user infrastructure. And I doubt that I'm the first person to see this. Filtering simply does not work, as the current volume of spam (60% of all mail traffic, I'm told) indicates. The only question is, how do you make everybody switch over?
Seltzer's idea of SMTP gateways is ridiculous. Its just another filtering solution. Nor does it make sense to wait for Internet2 to roll out -- that technology will probably exist side-by-side with the current Internet for decades.
Not that I have any better ideas. Perhaps users who go to the new protocol could bounce SMTP email with the appropriate "please change" message. Whatever.
In any case, I don't think the answer will come from the standards wonks. More likely the major ISPs will get together and invent something.
I don't think the problem is with your system. :-)
Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".
Yet rejoice ye not, rather saddend be
for 'tis Windows running, on every damned PC
It seems that while the web was down
MS finished buying off Washing-town.
Sigs are bad for your health.
here's my list:
.com, .org, maybe even .edu and .net. use the ccTLD with other localizations below that.
1) let's clean up ftp. real security options, performance options, etc.
2) smtp. as in the article, smtp needs work, at the protocol level and implementation of mail programs and their handing of information. i really believe that a little key management at the isp level (if enough isp participated) could really make a difference.
3) dns. i would drop
4) more ip addresses. ip6 would be nice, but if i'm starting over from scratch, just increasing the ip address from 32 to 48 or to 64 would help.
5) the ability to do a number of things in a slow, throttled-back fashion to run nicely in the background.
6) better printing protocols. lpd is a mess and the other printing protocols seem to problematic.
7) snmp. this seems to be getting better via v3. the real problem seems to be the software, not the protocol.
just my $0.02
eric
The author isn't very knowledgable. Quota's for email can be implemented without breaking existng email clients. SMTP allows Authentication via certificates to be layered on top or, most email clients allow SMTP send with authentication.
asked a few people involved in solving the problems of e-mail what would be involved in fixing it. This put them in an awkward position of conflict; after all, spam-filtering vendors and other security companies make their living because these problems exist
Bollocks - the mail guru's who maintain this stuff are mostly volunteers and are not interested in making money off spam/protection. Thats an insult to them.
Nice article. I've had similar thoughts, but it's possible to do what this guy suggests using existing, off-the-shelf, technology (and it can all be done open source too).
The argument in a nutshell is that if everybody were using authentication (and encryption would be nice), then everybody could filter spam at the gateway by simply saying, "I don't want to see any un-authenticated mail".
Ok, fine then. Let's all authenticate our email. There are loads of PKI based SMTP gateways. If you're an MS shop, you could even implement this on a per-user basis. There's a lot of security technology out there that isn't being used.
Ask your favourite Win2K network admin this: do they use L2TP and IPSec on all connections between all machines on their network? Probably not. It's kinda crazy that nobody does since this has got to be one of the most sure fire way to improve your security posture because it prevents all passive network scanning from seeing any data of importance.
Similarly, why aren't we all using PKI to sign and encrypt our email. It's nuts that confidential legal and personal messages are sent around the 'net everyday with no encryption whatsoever. When was the last time your mailclient had to use it's S/MIME capability to decrypt a message from anyone? Would your lawyer send you those important documents on the back of a postcard? How about that multi-million dollar deal your company is working on? Would your CEO be happy mailing the paperwork in a clear-plastic envelope that anyone could see?
Seems to me that we need to be smarter and more consistent in using the technology that we have today before we rush out and architect a new solution that will no doubt be full of holes that we can't forsee at the moment. The open standards of the Internet make it both strong and weak. But as they say, "guns don't kill people, I kill people."
Yet another call to hand off the net to some mythical central authority which'll be able to monitor everything we say and do, then use it against us should we ever complain about what the powers that be are up to.
I'll take a pass on this 'solution', thanks. I'd rather deal with spam than make it any easier for anyone to track every single thing I do on the net. Hell, it's too easy as it is, hence the development of things like Freenet....
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
Before running off to change everything how about just getting people to follow the rules we have.
For example one requirement of the SMTP RFCs is that everywhere a domain appears in an SMTP conversation it must be fully qualified AND it must resolve. Unfortunately that requirement is rather widely ignored. Just set your mailserver to reject EHLO/HELO greetings that don't conform and you will bounce lots of spam as well as tons of legit email.
Like the cockroaches they are, spammers rely on hiding in shadows. If legit mail-server operators stuck to the RFCs detecting, filtering and tracking the shady ones out would be easier.
No, it's not perfect, but at least I could do things like check the EHLO against the connecting IP to see if the other server is lying.
I would be absolutely delighted if AOL, Earthlink, Hotmail, Yahoo, MSN and other large mail handlers started being very RFC picky in what they allow. This would force a mass cleanup of non-compliant servers and would make my job a lot easier.
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
The internet is as flexible and free today as it is simply because it grew up before it was on the radar of the marketing and legal arms of corporate America, and the legislators they send campaign donations to. We're very fortunate about this; an open architecture is what the Internet is "stuck" with, and it's proving difficult for those who would replace it with a closed arcitecture to work against that history.
You had better believe that if we rebuilt the information superhighway from scratch, it would have in place all the controls and restrictions that the various entertainment industry wants, and would be run on standards and protocols which are closed and proprietary. (Many likely from Microsoft, but they would probably be "magnanimous" and licence other proprietary protocols from other companies who have influence with legislators from other states.) In the end, you would not have nearly the flexible and open Internet we have today, but rather something much closer to the one-way "content delivery" system that the entertainment first thought the Internet was, and is now trying to legislate the Internet to be (once they realized that it wasn't naturally that).
-Rob
I've already written my own protocol to replace SMTP. I set up three servers to send mail to each other. They've been busy at it all weekend testing it out. It looks like a great success. There's been no spam at all :-)
now we need to go OSS in diesel cars
Of course, copyright proponents would love to inspect the contents of Internet traffic as well, and they would put huge money into getting these provisions into the specs.
Unfortunately the things I mention are not the stuff of crappy science fiction, but rather what has been going on so far wherever certain interests can have an influence. Thanks but no thanks. I'd rather keep hitting the delete key more than a hundred times a day and keep my spam and my privacy wherever I can.
Of course, it was never really supposed to be anonymous, and real e-mail anonymity is only possible if you forge headers and if your mail-server admin doesn't care. Speaking of not caring, I don't care about the anonymity problem.
Sure, your IP address may be in the headers, but to resolve it to an identity still takes the cooperation of your ISP. People use webmail accounts all the time with the expectation of anonymity. People use email to leak rumors and expose secrets, like with the Halloween documents. A friend of mine uses her Hotmail account on a mailing list for domestic abuse victims. There's lots of good reasons to hide your identity online, and I won't give them up just as a quick fix to the spam problem.
SMTP means "*Simple* Mail Transfer Protocol". It's the equivalence of a letterbox - simple and efficient. Of course it can be abused for spamming, but so is any successor of SMTP and any different messaging service. As long as it is possible for anyone to send email, it will be possible for anyone to send spam.
The main problem does not consist in trying to stop spam in general (that would be impossible), but in making *anonymous* spamming *very* difficult. Standards are there - but many legitimate operators don't care about a standards-compliant infrastructure, stifling security efforts that would be good enough to keep a lot of spam out.
For example, each IP address should have a DNS reverse record pointing to a valid hostname, which resolves to the same IP address. HELO strings and message ID domainparts should be FQDN and not only "office" or "workstation", the sender's host should be an official Mail Exchange (MX) for the envelope-from domainpart, and so on. This way you could easily - using *existing* standards - make sure that the sender is authentic. Anonymous spamming via open proxies or open relays would be impossible, and spammers using their own infrastructure can be RBLd.
So why invent new standards with millions of people having to switch on, which would take 10 or 20 years? Why not use and push existing standards not only as "nice option" for email communication, but as requirements?
Register your own domain or get an address like blah.ath.cx. Then host an SMTP server. You will get email addressed to anything under that domain.
If you need to give a site your email addy, leave in a reference to that site. eg slashdot@myname.ath.cx. That way if someone sells your address, an address leaks, or whatver, you know EXACTLY who is responsible, and you can block junk mail without affecting legitimate email.
Ive been using this technique for quite a while. I can check my email and be confident I have no spam whatsoever. At times when I got spam, it always turned out it was a single site that leaked my addy, and I easilly identified and blocked it.
Yes, just like what Verisign would want: $100/year from anybody who wants to send or receive mail. Thanks, but I'll stick with unauthenticated mail and spam.
If that's the sort of thing you want, you can already run SMTP over SSL--you don't need a new protocol for that. Operating systems terminally incapable of building services out of modular building blocks can hard-code SSL into their mail servers. Reasonable operating systems can use something like stunnel for wrapping SMTP. Either way, you get authentication. There doesn't even need to be any complex interaction between the SSL authentication and the SMTP server because SSL can simply verify the identity of the connecting host, and SMTP can continue to use its regular host-based identification.
The other important requirement, according to Yu, is a system for tracking resource usage per sender. Basically this means that profiles should be established for normal amounts of mail sending from different types of users. If you limited normal users to 100 messages per second and major companies to 10,000 messages a second it would be hard for legitimate users to complain, but spamming would be much harder.
We don't need a new protocol for this. Per-user throttling of outgoing SMTP connections could be implemented by ISPs at the TCP level, and per-user throttling of incoming SMTP connections can be implemented by the SMTP server. The reason why this isn't done is because it's largely ineffective: many spammers are beyond such controls for outgoing connections anyway, and limits on incoming connections can be circumvented simply by posing as hundreds of different users.
Solutions to the spam problem are things like CAPTCHAs, intelligent text analysis, and communications pattern analysis. Restrictions on who can send what to whom at the ISP level, or the imposition of authentication fees by ISPs or companies like Verisign, however, are thinly disguised attempts at squeezing money out of users. In addition to being ineffective and increasing the cost of E-mail, they also just threaten the openness of the Internet that has made it so successful in the first place.
SMTP being replace, that's a possibility. But with "trusted authorities" such as Verisign? Never. Those of us already having to deal with Verisign (or Microsoft or whoever) do NOT want something as important as email to be completely in someone else's hands.
SMTP should be replaced by a protocol that requires authentication. That's the biggest probley (open relays) really. Going any further than that will be more of a pain than its worth.
As for everything else (including IPv4), there are too many old clients out there (old meaning unsupported by the vendor). There are enough Windows 95 clients out there, not to mention other systems where upgrades are simply unnecessary otherwise, to where changing the underlying protocol simply won't happen.
Incremental upgrates, sure. We'll probably end up replacing SMTP -- or updating it -- to support, or even require, authentication. In a few years. We may even supplant FTP with SFTP or some other more secure variant.
But to try and simply replace a major, established protocol -- with no backward compatibility -- simply will not happen. There will be enough resistance and reluctance to make it infeasible; then the upgraders will have to begin supporting both "legacy" and new protocols, and we'll be in a bigger mess than before.
So, my opinion is this: we'll slowly, with full backward compatibility, supplant older protocols with updated ones -- perhaps via adding extensions to them (like SMTP Authentication), allowing slow upgraders to catch up as needed. No revolutionary changes will happen, no forced upgrades...
NGWave - Fast Sound Editor for Windows
-
In order to send mail as "foo@bar.com" and get it delivered, there must be a mail agent for "bar.com" that knows enough about you to answer an SMTP VRFY.
-
Each message sent contains some random ID or digital signature, chosen by the sender.
-
Any mail agent wishing to verify the source of a message can query the senders's mail agent with SMTP and a VRFY, and obtain a reply that verifies the message, using a challenge/response or digital signature system.
-
Ultimately, mail messages that cannot be verified are bounced. During a transition period, some manual authentication scheme involving replying to a message is used.
This is backwards-compatible, easy to implement, and implementable in stages. It would be implemeted primarily in ISP mail transfer agents, so deployment doesn't require end user software.Spammers can still spam, but at least they have to have a real domain name to send from.
Every time I watch the news, I see another story about all the wonderful things NASA is doing in outer space. I know, I know, it's all supposed to be very impressive and exciting. But to be honest, it just boils my blood. I mean, the federal government can put a man on the moon, but it can't build a killer robot police force to hunt down and execute all the spammers? What kind of priorities do we have in this country?
Just the other day, there was a big article on the Security Supersite about how the internet might have to be rebuilt to save our children from pornographic spam. And then I read in USA Today how the government is spending $40 billion on outer-space surveillance satellites. Couldn't they put some of that satellite money to better use by constructing space-based laser cannons in geocentric orbit above all the ISPs to make sure our children are safe?
And for a fraction of what NASA spends on all that Mars rover monkey business, I could have a radio-wave-controlled stun gun that would finally stop anyone I thought might be spamming from ever thinking about looking at me wrong again.
It is painfully obvious that the government has the money and resources to build a high-energy force field around every single American, yet it doesn't. I mean, when I'm chasing after spammers with my stun gun it's darn near impossible to ensure my personal safety. Are a few measly cameras in the corners of the Foodland really going to deter an angry man who looks sort of like Alan Ralsky? What about my laptop? The pictures on my screen saver of little Kevin and Annie are irreplaceable! (I'm only going to be a grandmother once, you know! Unless, of course, the government finally gets on the ball with those cryogenic pods.)
And that Hubble telescope, there's a real beaut. Who needs to know if there's life out in space trillions of light years away, anyway? As long as the spacemen don't start sending me special business deals, making me wonder when they will deposit the gold bars in my savings account like that nice man Chavez from Boca Raton, I don't care who they are! If only NASA had aimed that telescope at Boca Raton instead of Pluto, you can bet I'd know what Chavez had for breakfast this morning.
It's shameful the way the internet has been allowed to degenerate, what with unsecure servers and protocols strewn everywhere. Just thinking about all the millions spent on that Mir station gets me in a dither when I check my e-mail and see donkey porn everywhere, with no donkey-porn-sensitive sunglasses to save my poor eyes.
And it sure would cut down on those ill-mannered spammers who keep on spamming despite the ISP's strict anti-spam terms of service if their computers were destroyed by spam-sensitive cybernetic space bees. I only have time to write so many complaints, you know!
If I can't demand killer robot police, then the least I can expect is a laser-powered servo-motored patrol-bot for my yard. How else will I know if it's a that Ralsky look-alike's lawyer trying to serve me court documents or just a raccoon rustling around out there late at night? I understand that in Sweden, every citizen is guaranteed a patrol-bot. But here in the world's richest nation, we go without! The sheer wastefulness of our government makes me sick!