The Time Has Come to Ditch Email?
Krishna Dagli writes to mention an article at The Register claiming that it's time we stop using email to communicate. From the article: "The problem is, email is now integral to the lives of perhaps a billion people, businesses, and critical applications around the world. It's a victim of its own success. It's a giant ship on a dangerous collision course. All sorts of brilliant, talented people today put far more work into fixing SMTP in various ways (with anti-virus, anti-phishing technologies, anti-spam, anti-spoofing cumbersome encryption technologies, and much more) than could have ever been foreseen in 1981. But it's all for naught."
Short version of story:
E-mail shouldn't really go away, we need to recreate it from scratch with builtin security, authentication, encryption, etc, and those mechanisms need to be as transparent as today's e-mail.
EOF
E-mail will probably go that way, but I don't see it being recreated from scratch. Postfix evolved out of perceived difficulties with sendmail (still one of my favorite packages... obtuse, obtuse, obtuse, but lots of fun.) while in-flight.
The fixes for e-mail likely will also occur in-flight... there's too much momentum, and too many transactions dependent on e-mail for it to stop, then go.
The single most important step for me would be transparent authentication, via certs, whatever. As phishing becomes more insidious and the stakes go up, someday someone (or a bunch of someones) will be phished severely, escalating the urgency of authentication. It may start out clunky (ever tried to get friends and family to do PGP handshakes?), but as with other technology I think it can be done with transparency.
E-mail stays... (btw, if you want to send e-mail feedback to the author, this is the link.)
They can take my email when they pry it from my cold dead hands!
Philosophy.
Yeah, right.
http://slashdot.org/~ellem/journal/104280
Mail really is broken. It does not work as expected or as wanted by users.
This
It's time to ditch reality. It's fundamentally broken and inherently insecure. We should have predicted that 13 billion years ago.
Whatever works!
In conclusion, bite me, it's friday.
This article has recently been linked from Slashdot. Please keep an eye on the page history for errors or vandalism.
"Imminent death of the Net predicted. Film at 11."
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
FTP Dead? Riiight. Just like BSD.
It is not a god that would do evil biddings, but only a mortal and its limited knowledge would let such atrocities exist
Sorry, but to be taken seriously, you'd at least have to have a basic framework already thought out. Just claiming that it's broken and maybe one of these TLA's that you've heard of might be used to fix it
Go back, think about it and then write a real article.
I realize basic language skills are a difficult thing for a slashdot editor to grasp, but come on! Rather than taking the title of the Register article and slapping a question mark on it, it makes a whole lot more sense to actually rearrange the words into the form of a question: "Has the Time Come to Ditch Email?" or even "Is it Time to Ditch Email?"
This guy's the limit!
From TFA: "Use existing, proven technologies and a few new and novel ideas - starting with the latest encoding mechanisms, a reliable hashing algorithm, fast compression, strong encryption and signatures. "
So in 25 years time today's technology will stop 90% of communication being spam? Spam exists in the spite of the best efforts to stamp it out. Whatever we do it'll be the same. Writing an article full of buzzwords and hypothesis doesn't really help a lot.
It looks like the author of the article should look at getting his friends to use PGP and then filter out all messages that aren't signed with known signatures.
Unless your friends are terrorists that's going to be easier said than done.
thank God the internet isn't a human right.
Heard of that cool new thing Segway?
The author of the article isn't planning on ditching the e-mail anytime soon. A fact.
At best he might not subscribe to any new pop3 accounts or actually read them, but he WILL be writing email.
It doesn't take a genius to notice that there is a lot of spam moving around, if this is news I got some news of my own to report: water is most of the time wet.
Wow news flash email is dead, but wasn't the news also saying that they think they found Jimmy Hoffa, oh wait they've been searching for him for years....So I guess email is dead but will live on for at least another 30 years.....
...you've got a better option. If we get rid of e-mail, what will take its place? What protocol will be written? What standards will be created? What specs should be mandatory and what bells-and-whistles are desired? Like we've all heard from our bosses, "thanks for pointing out this problem, now give me a solution by next week." Otherwise, we're just whining about what is without substituting what should be.
This kind of finger-pointing happens every day: think about the problems with current automobile technology. Pollution, energy problems, petroleum issues, prohibitive costs. And we hear about all the evils of the internal combustion gasoline engine every day. But people who show us all the problems without giving us the solution(s) are *gasp* politicians. TFA offers precious little in the way of solutions, and has a very political air about it.
The better question is: if we wrote the standards for the new e-mail today, what would it be? The sky's the limit, but we need engineers to actually make it happen.
I'm sorry, but that's an inane premise. That's like saying that cars are broken because there's so much traffic.
Don't forget computers, they're on the way out, antiquated beasts.
I recently had an opportunity to meet Eric Allman. He had people in his office, so I did not get to say hi. Afterward, I thought if I met him, what would I even say? I figured there would be an equal number of praises and complaints.
For the record: smtp rules.
Click here or here.
I express myself verbally when "talking" to the other developers:
FIX YOUR FUCKING CRAPPY CODE!
I also use sign language, but I don't have much of a grasp of it and stick to the usual middle digit up in the air.
Summation 2
Put another way, if you run your own mailserver and still get spam and viruses, it's because you haven't chosen to address the problem. If you use someone else's mailserver and still get spam and viruses, it's because they haven't chosen to address the problem. Nothing stands between you and a clean inbox but motivation, whether your own or your ISP's.
And no, broken hacks like DJB's "Internet Mail 2000" will never get real-world acceptance as they make it as difficult for legitimate bulk senders to broadcast as for spammers. SMTP is here to stay as the standard method for (somewhat) reliably routing messages between people on unaffiliated networks. Replacing it with a similar system with new pitfalls isn't the answer we're looking for.
Dewey, what part of this looks like authorities should be involved?
The solution to most phishing scams is to use a text-based e-mail client. No click-thru links means you can see the end URL and disbelieve it if it isn't the actual bank site. If it *is* the actual bank site, the bank has got bigger problems than you :(. Actually, HTML e-mail is generally annoying - e-mail should be restricted to straight ASCII or Unicode text whenever possible.
Large attachments would actually be better off being replaced with a Web-based system (i.e. paste this text into your browser and enter this password), since that would minimize transfer time of the e-mail itself.
-b.
The only "extra" layer on SMTP is anti-spam technologies.
Fixing the e-mail protocol does little if anything for anti-virus, anti-phishing, anti-spoofing cumbersome encryption technologies, etc as they are not solely e-mail targets. For example, there's nothing specific to e-mail which invented viruses. Thus, there's nothing to fix in e-mail for viruses.
On a computer or under a hood.
In this time of hackers and coders there is only one real solution to any mass communications system that is based via the net. Security issues in communications systems are basically at the discretion of the user. If you have an email, IM, or anything of that manner that you seem to be suspicious, don't read it, don't download attachments, don't follow the damn link. I mean really, it's not like email is secure, but it's not like someone can give you a virus in the email without you ever opening it. It's a plan line, and people just can't get it through their head that the internet is no different from the world when it comes to the users. Also on a side note, maybe if the whole damn world wasn't reliant on one single security flawed OS this wouldn't happen, as I always say Windows based malicious code most likely won't ever affect me, I use FreeBSD. Long live UNIX and all things good that come from it. "Some people think these questions are hard, I don't... ... These questions all have answers."
"Some people think these questions are hard...
"ever tried to get friends and family to do PGP handshakes?"
Yes, I've tried... and I've been and am quite successful with it. Using GPG to send/receive encrypted mail and check signatures with a good plugin isn't rocket science.
Agreed, setting up keys and such is hard, but with friends and family we geeks can help. We do that with E-Mail, Games, Wordprocessors, why not with PGP?
My experiences with PGP with friends and family: Do You Use PGP? - Encryption is not just for techies any more.
And replaced it with Slashdot! Anonymous Cowards of the world rejoice!
Kind of like telling the world we need to ditch cars as our primary mode of transportation because of the evils of pollution...
Well, one surefire way to lock it down would be to make it a closed system... (waits for incoming fire)
End of Line.
...in that email is terribly insecure and easy to fake, it's all too easy to forget that there is no such thing as a perfect system. Someone will always find a way around no matter what you do.
I think fundamentally, the biggest problem is how easy it is to fake - you just put false headers in the message and most people will believe it's from who it claims to be from. I'm no security expert - anybody care to suggest how this could be done?
Don't you just hate it when people reply to your signature?
Who's the first one who wants to actually do it?! Go ahead, ditch e-mail! Yeah sure, I'm sure that will happen! I wish I could go back to the eighties when doing IT jobs was still fun. We had no e-mail back then. No cell phones either. You could read the newspaper and smoke a cigar on your lunch break. We used to go to the restaurant in downtown and eat lunch there. There was no hurry and we fucking knew every single piece of our systems we administrated back then. Now it's impossible to know everything and now it's constant fucking rush every single moment!
As much as I hate to admit it, copyright treaties have been extremely successful in perpetuating the DMCA.
why not use it for something beneficial for a change, and introduce treaties to the UN for the harsh enforcement of anti-spam measures.
Once the international safe havens are removed or severely curtailed, there will be less of it, and everyone but the ad nazis and the "big data" industry which has arisen to serve them will be better off.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
And of course, the NEW system won't be vulnerable to ANYTHING - right?
No, wait, let's think that through. Let's take video games as the paradigm. Every year companies spend upwards of 20 million per video game. Every year, they come out with the newest, latest, greatest in copy protection. This copy protection is only limited by their imaginations (and the hardware). And yet days after release, and sometimes prior to release, their code is hacked, cracked, and distributed.
This author somehow thinks that going back and redoing everything will fix it. The author is naive.
Call my analogy a bad one if you will, but the SECOND you put ANY type of system into the hands of the criminals / spammers, they will find ways to exploit it. This is proven time and again.
How exactly does this new email system stop phishing? Oh, right, it can't. Have a link, go to a malicious website, etc. How exactly does this new email system stop users from clicking executables thinking that they are going to see nudie pictures of Katie Holmes? They don't. How does this new email stop virii? It won't.
Encrypt your email if you want security. Password protect your account. Use filtering to dump spam before you read it.
OH, and I forgot to mention - I'll be sending you a snail mail letter that looks completely official. It's about a man I met in Nigeria, who has some money he'd like to give you.
Since we're thinking about ditching email, when are we going to ditch snail mail?
Anyways, these suggestions for improving email are full of fancy features (hashing and compression!) but all they really serve to do is complicate the protocol. Right now, SMTP is so simple that it can be implemented by the tiniest of embedded systems. Take that away and whatever protocol you come up with probably will never be as popular as SMTP.
Besides, most of these proposed changes don't do too much to prevent spam without any of the questionable side-effects encountered with the current proposals to counter spam (ex., loss of anonymity, cost, proving identity a la SSL certs)...
I'm Trappped at Berkeley.
Most of the "problems" associated with email either aren't really problems, or are easily avoided.
When it comes to spyware, viruses, etc., the easiest way to eliminate such problems is to not use Windows. Between Solaris, Linux, BSD, Mac OS X, and any number of alternative systems, one can surely have a system that isn't vulnerable to such problems (and likely never will be).
Of course, there is much in the way of filtering systems that will eliminate the vast majority of such malicious software.
To prevent phishing and obscene images, use mutt or pine, or disable HTML and the loading of images in your graphical email client. With some added care (ie. looking at URLs before blindly clicking) and thinking twice before giving over sensitive data, an issue such as phishing is rendered irrelevant.
As for spam, it's easily combatted using one of the many (and often open-source) filtering systems out there. You can even chain several filters to ensure the quality of the mail you receive.
Email works great. With some care and understanding, anyone can have a great email experience. You just have to make sure you use a decent client, proper filtering, and suitable behavior.
It's really not much different from driving; use some simple, sensible precautions, and you'll avoid basically all problems. And remember, almost everyone can drive.
> but perhaps yEnc, MD5, AES, H.264, and GPG are some potential technologies that could be used together.
> So, he doesn't know how to fix email, but here is a list of acronyms to get you excited about it.
It's quite blatant he doesn't know what he is talking about when you know H.264 is a video codec.
Oh, and yEnc is a binary to text encoder, like uuencode, so it hasn't its place here either.
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
ya know, In Korea, only old people use email.
Don't Tread on Me
Agreed, setting up keys and such is hard, but with friends and family we geeks can help. We do that with E-Mail, Games, Wordprocessors, why not with PGP?
Because we're looking for a long term, widespread, permanent solution. There aren't enough of us geeks to hold the hand of every user in the world.
"The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.
If I'm to apply the same logic to regular mail, well, regular mail is doomed too; it's full of phishing, spam, and spoofing. I guess I'm not sending anything by mail from now on!! Duh!
If you get a letter from a car dealer stating that you won $3000 in credit if you buy one of his cars, do you automatically go and buy one? NO. Same thing goes for email, you don't open all emails and follow all links blindly.
The problem is with educating people how to use email and the Internet as a whole. When enough people stop being click-happy... spammers will lose interest as no one will be paying for such a service, and phishers/spoofers won't find enough people to fall for their tricks.
Simply, educate people about this powerful tool before you throw them in! This is not only for email, it goes for anything to do with the internet and any form of communication as a whole.
Just my $0.02.
I find that the people who gripe loudest about the problems with e-mail are the ones who have poor or no spam filtering.
I guess I'm lucky that I have an ISP who takes spam blocking seriously, using a combination of Brightmail and a user configurable Spam-Assassin install that seems to block 98% of spam and which has virtually no false positives. On the weeks when I monitor it, they may mis-label one in several tens of thousands of messages, usually from a mailing list or other source that just barely triggers the filter.
Most people assume that the lousy, error prone spam blocking offered by many ISPs is the best that can be accomplished. That's simply not true.
Unlike the article author, I still find e-mail a reliable and essential tool, and can't see a need to make significant changes at this time.
Three Squirrels
The article says that email is a problem because you can't take an insecure, open form of communication and use it for secure, private stuff. How insightful.
I must have 6 email accounts. What's wrong with adding a secure, whitelist-only account that I use for all communication involving banking, law, etc? Secure mail protocols already exist. This could be a value-add service for ISPs to do the hard parts. All it needs is an extra step when I want to allow a new sender, that they provide their mail server. SPF could be used to automate that.
Intron: the portion of DNA which expresses nothing useful.
...about the US Mail and look how well it... never mind...
Seriously, this is old news. Very old news. What is everyone waiting for? If someone were to lob a few million USD my way I'd put together a legion of highly-talented programmers and we'd go out, write some new, more secure protocol and be done with it. Anyone got some venture capital lying around they're not using? It's all fine to argue that there are more secure email systems and talk about signing emails to make them more trustworthy, but it's all basically an outgrowth of the current system. Email needs to take that next leap, like computers did when they went from being the size of rooms to fitting on your desktop.
GetOuttaMySpace - The Anti-Social Network
It's funny how many of these problems would be at least partially solved by proper DNS.
Postfix, for example, can be configured to be varyingly anal about how closely the reverse lookup matches HELO, the MAIL FROM domain, etc. SPF extends the concept.
Please help metamoderate.
They spread because of e-mail clients that are designed by people who shouldn't even be designing a Big Mac behind the counter of McDonald's. Attachments shouldn't be automatically decoded/downloaded/executed/read. Period. End of story.
And people who execute attachments from people whom they don't know or trust, or which are obviously automated get what they deserve, I guess. They'll probably learn the second time 'round, anyway.
Anyway, there are far more efficient mechanisms to spread viruses and worms, like for example using known, unrepaired vulnerabilities in services running on ports exposed to the Internet. (Cue story of unpatched SBS 2003 box getting Sassered within 2 min of being plugged in.)
-b.
The author speaks about the staggering amount of criminal activity to which email (synonymously linked to the SMTP protocol) is susceptible. Rather, I'd say, those perpetrating the criminal activity are using the means of email. Sadly (or maybe hopefully!), those that wish to do a thing can always find a way. Seep in through the cracks, right? Go ahead, find a way to create a thing with no gaps, with no discontinuities to exploit, and then find me. I have a wonderful job for you.
A peak of ~75 messages a minute?
Methinks you need several zeros on the end of that to get to a medium to large installation....
And email is a terrible mess. It's dangerous, insecure, unreliable, mostly unwanted, and out-of-control.
How the hell does he come to this conclusion?
According to http://email.about.com/od/emailtrivia/f/how_many_email.htm there are an estimated 1.1 BILLION email users world-wide. That's an average of 1 out of every 6 people.
Cruising the internet on my TI-99/4A @ a whopping 300 baud!
Perhaps there are enough of us geeks to code up the proper secure behavior for the various email clients that people use, make it the default behavior, and make it easy enough to use that people won't bother to try and disable it?
Then it's just a matter of waiting for everybody to update their email client (i.e. 5-10 years, but that's better than never), and we're done
I don't care if it's 90,000 hectares. That lake was not my doing.
... all the people who have no experience with programming are going to jump into this saying how they would do it much better. "SMTP needs to be rewritten!!", is the rallying cry. I've seen it before when spam first started making an appearance and now we're going to see it with a vengeance. The worst thing is that most users think of e-mail as JUST e-mail. They have no idea that their inboxes are held on a POP3, IMAP or possibly other proprietary server. So when they start crying out about spam they want it taken care of at their inboxes and that's what we're going to hear about here on /. This is quite typical. The truth is that there is NO answer to this problem any more than there was an answer to telemarketing. Short of getting a private number, you can't keep telemarketers from calling you without getting into legislation (the Do Not Call list). So you could get an "unlisted" e-mail address concept going so that only your family and friends would mail you... but that STILL wouldn't work. Want to know why? Because e-mail addresses are NOT telephone numbers. When was the last time you wanted to let a bunch of people know about something by phone? You called all of them and told them what you wanted them to hear and THEN you gave them a list of everyone else's phone numbers you were going to call or had already called. Did you ever do that? I'm guessing the answer is no. Well, with e-mail that's what a lot of people do each day when they forward on those jokes, or interesting blog links, or news articles. And all it takes is for one of those people to get their machine infected with something that harvests their address book. Bam! Your private e-mail address is no longer private. Short of running your own e-mail service on your own darknet via VPN that only your relatives and friends have access to, there is NO solution to this problem. Only a set of workarounds that have a fair amount of success. I'm not kidding.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
...and postfix checks, blah blah. The reason these CAN'T be enabled, and I have tried on a volunteer site I help run- is because many major internet service providers don't have proper forward and reverse DNS set up for their mail clusters. A certain major cable company in Florida comes to mind; a list member spent 2 hours trying to explain to the tech support grunts that the problem was that a machine in their outgoing mail server cluster didn't have a reverse IP address. They kept trying to troubleshoot DNS on HIS computer, despite his pleas for them to just forward his report to the infrastructure guys- that they would understand. We kept running across these bozo internet service providers, and had to give up.
Aside from that...when I enabled just "HELO domain must match the domain of the hostname found by reverse lookup", spam volume dropped by over half. Enabling "MAIL FROM must match" cut it even further, since almost all spam claims to be from something else.
Please help metamoderate.
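An added example (not part of any comment in this thread and not Postfix's own code): the reverse-lookup checks described in the comment above, written out in Python and run against constructed DNS data. The forward-confirmation step goes beyond what the comment describes, and the two-label `org_domain` heuristic, the `strict_mail_from` switch and every name and address here are assumptions of the example.

```python
from dataclasses import dataclass

# Constructed DNS data: documentation address ranges and example domains.
PTR = {
    "192.0.2.10": "mx1.example.org",
    "198.51.100.7": "host7.dialup.example.net",
    "203.0.113.5": "mail.example.com",  # PTR exists, forward lookup disagrees
}
A = {
    "mx1.example.org": {"192.0.2.10"},
    "host7.dialup.example.net": {"198.51.100.7"},
    "mail.example.com": {"203.0.113.99"},
}


@dataclass
class Session:
    client_ip: str   # address of the connecting SMTP client
    helo: str        # name given in HELO/EHLO
    mail_from: str   # envelope sender as sent, e.g. "<alice@example.org>"


def org_domain(name: str) -> str:
    """Naive registered domain: the last two labels.
    Assumption: a real deployment would use the Public Suffix List."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def sender_domain(mail_from: str) -> str:
    """Domain part of the envelope sender; empty for the null sender <>."""
    addr = mail_from.strip().strip("<>")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def evaluate(s: Session, ptr=PTR, a=A, strict_mail_from=False):
    """Return (verdict, reason) for one SMTP session."""
    host = ptr.get(s.client_ip)
    if host is None:
        # Also hits legitimate providers whose mail cluster lacks reverse
        # DNS, which is the failure mode the comment complains about.
        return ("reject", "no PTR record")
    if s.client_ip not in a.get(host, set()):
        # Added step: anyone controlling a reverse zone can claim any name,
        # so the name must resolve back to the connecting address.
        return ("reject", "PTR not forward-confirmed")
    if org_domain(s.helo) != org_domain(host):
        return ("reject", "HELO does not match reverse lookup")
    dom = sender_domain(s.mail_from)
    # Bounces use the null sender and must not be rejected by this check.
    if strict_mail_from and dom and org_domain(dom) != org_domain(host):
        return ("reject", "MAIL FROM does not match reverse lookup")
    return ("accept", "ok")


# Constructed sessions covering each branch.
SESSIONS = [
    Session("192.0.2.10", "mx1.example.org", "<alice@example.org>"),
    Session("192.0.2.77", "mail.example.org", "<bob@example.org>"),
    Session("198.51.100.7", "mail.bank.example", "<support@bank.example>"),
    Session("203.0.113.5", "mail.example.com", "<carol@example.com>"),
    Session("192.0.2.10", "mx1.example.org", "<news@lists.example.com>"),
    Session("192.0.2.10", "mx1.example.org", "<>"),
]


def run_samples(strict_mail_from=True):
    return [evaluate(s, strict_mail_from=strict_mail_from) for s in SESSIONS]


if __name__ == "__main__":
    for session, result in zip(SESSIONS, run_samples()):
        print(session.client_ip, session.helo, session.mail_from, result)
```

With `strict_mail_from=False` the fifth session, a list hosted on a different domain than its sending server, is accepted, which shows how much legitimate mail the strictest setting costs.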
The number one issue I have at work with e-mail is spam. You can easily knock out 75% of it by simply requiring the remote SMTP server to have a PTR record. You can eliminate the remainder by collecting samples of spam messages, and doing a domain record look-up on the IP of the last relay. If it belongs to a spam company (come on, their names just stand out), then block their whole allocation range with your firewall. Filters are silicon snake-oil, and they result in a lot of frustration from my staff.
The problems I see with e-mail are that people treat it like a formal communication, equivalent to a written memo, for example. Bzzzt! Wrong! It fits in the same category as a phone call. I can see why people misuse it, since sometimes it makes a better fax than a fax. Also, a mail spool is also NOT a permanent document archive.
I've given a lot of thought to e-mail issues this past year, since spam volume went up about 3000%. (It tapered off? Yeah right!) My experience with other users' "spam filters" has led me to believe that an open system is the only one that's going to work. The combination of lookups and firewall rules has helped tremendously, and if things somehow get worse, I can always split usage between an internal-only and external-only server.
Maybe a separate email system could be phased in over 10 years that does not connect to the original, where participants are certified and heavily fined for not controlling spam. I would make space on the business card for this second address. This would prevent gateways but I bet our company would switch over if the cost was right.
However, I can see from the PKI movement that changing email is a very slow process and friction is easily dismissed and disregarded. I am a PKI user/nut myself and the mailers and standards are still a bit of a problem.
Magic Eight Ball: Outlook not so good., Hmmm, how about Excel and Word?
Time has come to stop using automobiles... Gosh.. so many accidents happen every day.. so many criminals use cars... so many people are run over by speeding cars... man we should ditch automobiles now... yeah right.
I've had people get pissed at me when I don't respond to their email. Reason I didn't respond is that it was sitting in a queue somewhere and I hadn't gotten it yet. Plenty of other examples I can think of but that'll do for now.
What we need is a locked out system. Something that doesn't interact with SMTP at all. True, people using that system could only email people in that system, but that wouldn't be a problem once it caught on. If you could guarantee delivery and zero spam, people would flock to it. Google could adapt Gmail to be that system inside of a half a year if they wanted to.
I know people would initially say "No way! How will I communicate with everyone I normally have to email?" Well...it'd be like when my friends discovered ICQ back in the late 90's. Everyone said "Hey...download ICQ and we can talk in real time." And eventually I did. And for a few years, I didn't do email at all (until ICQ died from bloat anyways). This new email system would be adopted just like that. "Hey, I know a messaging system that'll give you something like email, but zero spam and a guaranteed delivery time. Just download the client and make an account. It's great."
Wouldn't be hard to make, either. Just fix things so that you have to log in to send a message, and put something in your TOS that you cannot spam people. Also have an active admin system. Someone does something against the TOS, you yank their account. Maybe have a "report abuse" function built in to the client, or some such. Maybe something like Slashdot Karma. Enough complaints and your account gets locked for admin review.
And ditch relays - they're too hackable. Make each server isolated. We don't need to do the relay thing anymore. It was important "way back then" when you could only send email by queueing them up to transmit at 3am when the grad students finally get off the mainframe, but it's not like that anymore. Make the new system isolated. If you want to send email to someone@someserver.com, you have to have an account on someserver.com. And if you spam someone@someserver.com, they report you and you get locked out.
You could implement all sorts of good ideas into a system like this. Don't allow people to send more than 1 email every minute or two. Don't let people automatically get an account on the system - let them apply and then wait for verification to stop bots from making accounts.
It'd take more thinking and planning than what I've got here, but the point is that something more safe and secure could easily be made. I'd love to see it.
Weaselmancer
ridiculous.
What somebody needs to do is curb the fucking spammers!
And I don't mean "curb" as in curtail their activity, I mean "curb" as in stick their fucking heads on a curb and stomp on them!
You're using her as bait, Master!
Your sig shows well why e-mail is dead: it tried to mess with Chuck Norris.
So it'd be quite hard to avoid spam, phishing and other nasty stuff.
Because it's not supposed to be based on invitations or similar constraints.
Better protocols and implementations are welcome, of course.
But changing the email system is quite likely to kill it.
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
I mean, someone with the right knowledge can break into your car and steal it before you even know it's gone! And then we have drunk drivers, car accidents, and loads of other problems. Never mind that not everyone can take public transportation, AWAY WITH CARS.
Not to mention that the majority of so-called "noobs" use Webmail services, who could use GPG/PGP 'wizards' that would automagically set up signed e-mail.
Setting up GPG/PGP e-mail is not a technical or knowledge problem, it's an implementation problem, in terms of e-mail client design.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
Suggestion:
Create an easily configurable mail password system, where you click on a menu item in your mail client to enter a new antispam password, and your client sends the change transparently to everyone in your addressbook. Also there could be a password server running somewhere on the net, maybe at the user's ISP. Messages from friends would include a "Password:" header. Anyone attempting to mail you without using your current password might have a Dialog Box appear that asks if the sender wants the passwd to be looked up on a server. The server could add a several second delay before its answer to thwart spammers.
As spam does begin to appear, you would just click on "Change Password" again.
Your ISP could either return messages that don't contain the user's current passwd, or allow the user to delete unwanted messages before downloading the entire message, by downloading the header (or parts of it).
Everyone get on Myspace and we shall communicate through funny comments and posting videos from YouTube. Business can dump the emails and just create Myspace.com/businessname and communicate with employees and clients that way. ;)
Can I bum a sig?
FTP is not dead. Usenet is not dead. Nothing is dead, it just falls out of common use. AFAIK, you can still use Gopher if you want to.
Fact is, as different protocols fall out of favor, they can be used with more impunity by people who would avoid the eye of law enforcement and morality enforcement.
Example: When you hear about "crackdowns on child porn" in the media, the agencies doing the crackdowns are invariably described as "going after websites." Never is there any mention of Usenet, IRC. Just "websites," because that's what the general public thinks the internet consists wholly of.
Maybe those agencies are also tracking down offenders on Usenet, IRC, P2P, etc., and just not telling the media because reporters and consumers of mass media wouldn't understand.
Somehow I doubt it. If law enforcement reported that they were going after Usenet and IRC, the people who pay taxes would think, "Huh? What? What are we paying for?" Gotta keep those customers happy by focusing primarily on the things they understand.
Tangentially, this is the same reason many small businesses have such sloppy security. It costs money to implement security, and they don't understand it, so they don't want to spend any money on it, so it doesn't get done.
Web 2.0 == Giant Blogspam Circle Jerk
As a systems administrator working on a few large scale mail servers, the 'investment' required to cut spam and virus emails is very low if the system has been designed properly. I use open source tools on a system with in excess of 150,000 active users and it costs nothing in licenses and it's on four servers and a central NetApp filer for the mailstore. Realistically if we distribute the total cost over the user count and support issues are very low. It's simple: design the system. Our email service uses the following:
- Qmail, vpopmail, simscan, spamassassin and clamav. On a userbase with the amount of users we have it's very easy to distribute, it's easy to scale and the performance is great.
This is pretty ridiculous, to say the least. G-mail won't disappear, it will evolve. Gmail is a great example of how great the convergence of e-mail and instant messaging can be. I'll be the first to admit that the combination of Gmail and Gtalk has changed how I communicate on a daily basis with friends and family.
Wise men say, "Forgiveness is divine, but never pay full price for late pizza."
Seriously. We need to ditch email instead for MySpace style blogs and instant messages for our communication. For reals.
The main reason we will never win the email war against the spammers-phishers-scammers-botnets and their assorted ilk is we're bound by legal standards that limit the ways we can combat email abuse...
Legal, shmegal! Nuke the bastards! Ya, replace e-mail and the bad guys will just "stay away". Oooo, security measures like compression (huh?), encryption and signatures, will save the day - please. A new transport protocol will befuddle them for sure!
Oh ya, make it simple and transparent to use as well.
If there's money or havoc to be made, people will find a way to scam any system -- especially if they believe they won't get caught, or the penalties are naught.
It must have been something you assimilated. . . .
Spam, viruses, all that aside, I think email needs to be revamped. Here's why: I write out an email to my coworkers about a certain topic, let's say a bug in my code and an escalation to get support from Microsoft (which in itself raises issues, but that's another story). I send that to 5 people. 5 people receive it. 5 people then comment on what they think is the problem and reply to all. I get 5 emails back, and 5 other people get 5 emails back. The one conversation is broken into 5 different emails now. Take it further? I make some comments inline to one of the emails I get back, and hit reply all. 2 other people do this. 2 of us make the same comment on the same issue, and not one of us is wasting our time and not being productive because we are duplicating efforts. The 3 of us hit reply all. Now 5 people have duplicate info in their emails by 2 different people and are wasting their time. Can someone do the math and figure out with these 2 replies by 5 people on one email, exactly how many threads are going on? Convoluted mess. I can deal with spam, I can deal with viruses, I can deal with Exchange server madness (well, our Exchange guy can anyway) but this convolution of important information is the exact reason why we've been working on a real time collaboration application to replace email for uses like this. I saw this coming, I've been bitching about it for a while now. Yes, email needs a serious revamp.
At work we use SMS and IM increasingly to communicate. For larger objects we point people to places to pick or leave large files. We increasingly use webconferences/netmeetings where the material is shared but not sent at all. Because I for one am sick of being on the receiving end of a threaded series of emails that consist of "Read This!" or "Me Too!!!" and at the bottom is giant 10Mb blob of something. I really don't need 10 copies of that, thanks.
At home, most email is garbage anyway. Moreover most of the younger people I know (under 25, say) don't read their email often or often enough to be useful. It's like voicemail to them - but less so. (Yes, young people don't use voicemail, don't bother leaving a message, they never check it.) So already the next generation is abandoning email. They use it because it's the de facto ID of the internet - please give us your email address so we can confirm our transaction... etc. - but for the most part email is unimportant to them. If you sent confirmations to SMS it would do as much.
FTFA: "Kelly Martin has been working with networks and security since 1986, and he's editor for SecurityFocus, Symantec's online magazine."
This is someone who is a supposed security expert, and all they can do is throw out acronym soup, in the hopes that when someone with an actual working brain comes up with something, they can say, "See?! I thought of that way back in 2006! I'm teh genius, gimme a raise."
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
The problem with E-mail is the store and forward model of the servers, which allows people to inject spam, remain unaccountable, and impose the costs on others. That design made sense 20 years ago, but it doesn't today.
The solution is fairly simple: change to a different E-mail protocol; one simple approach is to have a protocol in which the sender stores the message until delivery and the only thing that gets delivered to the recipient is a small notification.
On a related note, it really is pretty silly as well that there is SMTP in addition to IMAP; in the future, the client-to-server protocol might well just be simple IMAP (with an "outgoing" folder), and there can be a separate server-to-server protocol like the one described above.
From the blurb: "All sorts of brilliant, talented people today put far more work into fixing SMTP in various ways (with anti-virus, anti-phishing technologies, anti-spam, anti-spoofing cumbersome encryption technologies, and much more) than could have ever been foreseen in 1981. But it's all for naught"
I think that the problem is user education instead of new technology. E-mail is a fine medium for what it does and the "failings" of e-mail, for the most part, lie squarely on the shoulders of the users, not the e-mail itself.
We need to get out of this trend of "The user can't use the technology thus it's broken" into the concept of "Give a man a fish and feed him for a day, teach him to fish and he'll feed himself for a lifetime".
That attitude of constantly making things more user friendly is probably a bigger black hole to development funding than what training is. An educated user is your best bet when it comes to being a productive (and safe) user.
Dedicated Cthulhu Cultist since 4523 BC.
I can see everything moving to P2P or something similar. FTP, by nature, has flaws. I believe it was originally written so the longer you are on a connection, the slower it gets, to prevent bandwidth hogging.
Right, using PGP the way it's traditionally done would be no good. But if PGP were built into popular e-mail clients instead of having to be slapped on after the fact with some sort of third-party tool, it wouldn't take nearly so much hand-holding. I don't see any reason why managing PGP keys should be any more complicated than managing an address book, and everyone I know already does that.
I'll put it on the list- right after my loved ones master numlock and capitalization. I'm not making any timeline promises though, as my familial help desk still responds to users mired in to-click or double-click conundrums. Or the old quick launch vs. task list quagmire. Outlook isn't the most stable piece of s/w to begin with but it really gets cranky when you open 8 copies of it by double clicking the quick launch instead of single clicking the active windows region of the task bar.
XMPP does a lot better than SMTP! Sooner or later it'll be the winner. It supports DNS authentication for _BOTH_ parties, and certs can be added easily too.
...is that there are enough people out there who actually do buy from spam emails that don't even spell "valium" correctly.
Who are these people? Why do they do it? Who would trust an "online pharmacy" that has to mis-spell every word to get it into your mailbox? Don't they know that if nobody gave money to spammers, they'd eventually go away?
Do any of you know someone who actually buys from spam? Seriously, I'd like to know who these people are.
One of the many things I hate. thingsihate.org
You can prevent forgery now with SPF (v1, "classic" - forget that stupid broken patent-encumbered Microsoft SenderID that claims to be SPF v2). There's obviously a problem with sites that refuse to participate still being easily forged, but since the biggies (Gmail, AOL, etc.) are using it already the number of forgeable sites is shrinking.
DKIM (successor to Yahoo's DomainKeys) will do even better when it gets more traction in the MTA and MUA segment, but for right now do SPFv1 and get the issues with forwarding worked out (if you have any - many sites won't) before DKIM arrives.
Anti-forgery is only part of the solution, though - it just forces the spammers to register real domains (throwaway domains, granted) or use exclusively cracked hosts and botnets. The other parts of the solution are 1) heavy punishments for crackbot spammers (yay AOL and Microsoft for pushing this!) instead of law enforcement looking the other way as they have in the past and 2) consumer reaction against domain registrars that knowingly support spam gangs.
The key thing to understand about anti-forgery measures is they allow other techniques (like blackholing and legal prosecution) to work. If your mail administrator isn't implementing at least the publishing side of SPFv1, that person is not doing his or her job properly.
Geez, I said "Yay AOL and Microsoft". You don't see that on Slashdot much!
All you people who think we need to build better clients are crazy. It is the mail servers that need to do the job.
Every mailserver should require authentication to send. It should then do the correct encryption, sending, etc. The receiving mail server should do the correct decrypting, etc. All of this should happen WITHOUT the dumb user having to know about it (but let the geeks at it if they like).
Sigh.
If we just used authenticated SMTP we wouldn't have the problems we have now.
First set it up so that users on your network can only send via your SMTP host. Any other SMTP mail outbound would be blocked at the periphery of your network.
Then make each user authenticate with the SMTP server to send email.
As far as I know, these features have been built into firewalls and SMTP daemons for quite some time. I realize that rogue hosts out there would exploit that because you need a mechanism to pass mail from domain to domain. But if ISPs really gave a crap that wouldn't be a problem because they'd be AUTHENTICATING their own users.
Email isn't dead yet. It just needs a sanity check.
Why not, that is pretty much how it is today?
The phrase "more better" is acceptable English. suck it grammar Nazis
Today I plugged BBDB into Gnus (yes, I use Gnus for my emails) and I also started to use emails as my TODO list. I used Emacs' todoo-mode before but it sucks. Now, I just love emails even more than before. When I receive an email that requires action, I copy or move it to my "todo" folder. When I can't proceed with action because the ball is in someone else's hands, I move it to the "waiting" folder. I also have a simple rule to move all the mails with TODO in the subject to the todo folder.
With Gnus I can assign score to mark priority but a simple scheme like making the tasks that I want to perform today as unread is really efficient.
I loved emails before but now I love them even more. The fact that I can use emails for plenty of stuff that the original creators did not plan but didn't restrict either (remote backups anyone?) is what makes email so great.
The spam isn't a problem either, I plugged SpamOracle into Gnus and it lets really few ones go in and I haven't seen a false positive in months.
A really big thanks to the creators of emails, I love it!
Instead of throwing out unrelated acronyms, why not start where all such projects are supposed to start?
... the only thing you can really verify is the IP address of both machines (if you have pipelining turned off). Everything else can be faked (although faking the RCPT is kind of silly).
Step #1. Define the requirements.
What do you want to transmit?
How do you want to transmit it?
Do you need guaranteed delivery?
Do you need authentication?
Do you need encryption?
Do you need anonymity?
Do you need X?
Do you need Y?
Do you need Z?
Right now, SMTP over port 25
So, most of the spam defenses right now are based around IP addresses. Other than that, it's some sort of content check.
If we're looking at the next-gen email system, do we even need it to be tied to specific outbound email servers? Would a requirement be that I could send email from any server, anywhere and the verification would be my public/private key or some such? Would we want to have the server check a public key server before accepting email that it would then deliver to another server?
THAT is how to go about this discussion. Not spewing random terms in the hopes that something you've said accidentally gets incorporated into whatever the new model is.
There's a reason I use E-mail, and not IM, or voice chat, or video chat, or message boards, or Skype, or whatever to communicate with customers & vendors. It works. It's reliable. It's battle tested.
Spam is a nuisance, but it is manageable with the right tools.
E-mail lets me be about five times as productive as I would be if I just relied on phone calls & voicemail.
It will probably evolve to be more secure, yes, but it'll never get the rip&replace treatment. It's like the power grid.
1) Automatic and very secure encryption.
2) You should be able to set the date and time for every transmission.
3) Much better accessibility over multiple devices (i e, the death of POP).
4) File transfers by way of attachments should preferably be avoided.
5) Mechanisms to effectively kill spam and the spread of computer virii for good.
Beauty is in the beholder of the eye.
All the good tricks are basically conjuring tricks or confidence tricks. E-mail and webpages ought to be safe. You should have to actually click on something to get something nasty to happen. The art is to get the mail to look like something friendly; to make the attachment look like an image file; to stick a transparent border on the window so what looks like the X button on a pop-up is part of the window. I remember someone back in the seventies logging on to a terminal, only to have it give him a rude message and make off with his password: the terminal had been left with a running program that looked like the login. Easy when you see it done, surprising when you have never met it. I remember last year someone clicking on a .jpg file only to have it do something because the name had a lot of spaces followed by .exe in the name, and you didn't see it in the window. They are basically the same trick, thirty years apart. If you want to stop the tricks, you get in a scam expert, not a programmer. Or maybe a scam expert and a programmer.
You can get a long way with an old school mail reader. You can peek at the headers if you know. You can look at the attachments and see whether the file names look okay. You can turn off the HTML. If you add all sorts of automatic checks and filters, then this just adds extra levels of complexity in which you can hide scams, exploit programming errors, hide stuff where it might get clicked on by accident.
We have McAfee filtering our computer. Somehow, one of the games manages to turn it off when the kids use it. This ought not to be possible. I am sure something is somehow suckering us into turning it off, or has somehow suckered us into giving something the privileges to do this. Can we fix it? Nope. What do we do? We take the plug from the hub when we are not wanting an outside connection. Don't get me wrong - I am not saying we do not need security systems. I know some clown in China is trying to find a port on my computer every 30 seconds or so, day and night, rot him/her. However, to continue the automotive parallel of other posts, the faulty component is still the well-oiled nut behind the wheel nine times out of ten.
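The ".jpg followed by a lot of spaces and then .exe" trick described in the comment above can be checked for mechanically. The following is an added example (not part of any comment in this thread) that walks a message's MIME parts and flags attachment names hiding an executable extension behind whitespace padding; it also generalizes slightly to unpadded double extensions such as `.pdf.scr`. The extension lists, the padding threshold, the display width and the sample message are all constructed assumptions.

```python
import email
import re

# Representative subset of extensions Windows runs on double-click (assumption).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a reader takes for a harmless picture or document (assumption).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".doc"}
PADDING = re.compile(r"\s{3,}")  # a run of three or more whitespace characters


def filename_findings(name):
    """Return the reasons a name hides an executable extension ([] if none)."""
    stem, dot, ext = name.strip().rpartition(".")
    if not dot or (dot + ext).lower() not in EXECUTABLE_EXTS:
        return []
    findings = []
    if PADDING.search(stem):
        findings.append("whitespace padding hides the real extension")
    if stem.rstrip().lower().endswith(tuple(DECOY_EXTS)):
        findings.append("decoy extension before the real one")
    return findings


def as_displayed(name, width=20):
    """What a fixed-width attachment column shows: the name cut at `width`."""
    return name[:width]


def scan_message(raw):
    """Map each deceptive attachment name in a raw message to its findings."""
    flagged = {}
    for part in email.message_from_string(raw).walk():
        name = part.get_filename()
        if name:
            findings = filename_findings(name)
            if findings:
                flagged[name] = findings
    return flagged


# Constructed sample message: one padded name, one ordinary image.
PADDED_NAME = "holiday.jpg" + " " * 40 + ".exe"
SAMPLE = "\n".join([
    "From: sender@example.test",
    "To: user@example.test",
    "Subject: holiday pictures",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="BOUND"',
    "",
    "--BOUND",
    "Content-Type: text/plain",
    "",
    "See attached.",
    "--BOUND",
    "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="%s"' % PADDED_NAME,
    "Content-Transfer-Encoding: base64",
    "",
    "AAAA",
    "--BOUND",
    "Content-Type: image/png",
    'Content-Disposition: attachment; filename="logo.png"',
    "Content-Transfer-Encoding: base64",
    "",
    "AAAA",
    "--BOUND--",
    "",
])

if __name__ == "__main__":
    for name, findings in scan_message(SAMPLE).items():
        print(repr(as_displayed(name)), "->", "; ".join(findings))
```

`as_displayed` shows why the user never saw the `.exe`: at 20 columns the padded name renders as `holiday.jpg` followed by blanks.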
Not to sound pedantic, but "on a collision course" with what?
Perhaps the computer literate of the world should regress back to text only email. That would solve a lot of the world's email problems.
Most of these problems could be fixed with a simple nationally maintained LDAP system where email users can set up who is allowed to send email to them. We could put an end to spam and sending of viruses very quickly.
Yep. Talking. Face-to-Face. Or Phone-to-Phone. It's ancient. Obsolete. And talking is a terrible mess. It's dangerous, insecure, unreliable, mostly unwanted, and out-of-control. It's the starting point for a myriad of criminal activity, banking scams, virus outbreaks (colds, flu), identity theft (my name's Clint Eastwood), extortion, stock promotion scams, and of course, the giant iceberg of unsolicited sales-pitches.
The problem is, talking is now integral to the lives of several billion people, businesses, and critical discussions around the world. It's a victim of its own success. It's a giant ship on a dangerous collision course. All sorts of brilliant, talented people today put far more work into fixing talking in various ways - with anti-virus (cold medicines), anti-fish-breath technologies, anti-spam (gives me stinky burps), anti-schmoozing cumbersome bull-shit detection technologies, and much more - than could have ever been foreseen in 1981 BC. But it's all for naught.
All the work spent fixing talking is like rearranging the deck chairs on the Titanic. Talking is a sinking ship - she'll never listen to you and you'll never listen to her. The trash will never get taken out because you decided not to hear the request to take out the trash. Bush actually said "Saddam, you have 48 hours to open your birthday present or the cake will go flat" but what did we hear? I think I heard "Saddam, you have 48 seconds to leave the room because I have really stinky gas!", but you never know - it is talking after all.
I suggest that we ditch talking altogether and recreate it from scratch. Perhaps we can use that hole on the other end of our body to talk out of...
Hey, check out the ironically apropos fortune at the bottom of the page...
:)
inbox, n.: A catch basin for everything you don't want to deal with, but are afraid to throw away.
*That's* why email is here to stay...
Shameless plug for my photos on Flickr
Each of the items I listed are too large and complex, and are beyond repair, but in the same respect could NEVER be recreated in a reasonable time frame.
Two questions:
1) By suggesting email "could NEVER be recreated in a reasonable timeframe" you are inferring that a reinvented email system must be complex. Why would that be? We don't have to re-invent security, authentication, encryption from scratch for use especially for email--we already have the technology and use it extensively (HTTP(S), LDAP, Kerberos, SSH, etc). What is missing in email is an elegant integration of these technologies.
2) Even if architecting a next-generation email system would take a long time, why would that be a problem? What would be a "reasonable" timeframe? Personally I don't think that a W3C-like standards body would take more than 5 years to craft a usable standard, and by the time it hit 1.0 there would already be a lot of early implementations. Sure it would take a long time to adopt, but there could be email gateways like there was between the internet and old-school nets like Fidonet, and those gateways can handle the spam and other crap before they hit any "new and improved" email servers.
When something gets as broken as email people are more motivated to fix it. There are already some interesting ideas out there that could catch on...
http://freshmeat.net/projects/fortune-discworld/
my password really is 'stinkypants'
> There aren't enough of us geeks to hold the hand of every user in the world.
:)
Who exactly wrote all the software we have now that the non-technical users rely on every day? Geeks. There are plenty of us around
My other car is first.
I don't give my phone number just because someone/somebody/something asks me to... :)
There, simple solution. And it works. Never had spam in my "real" e-mail account.
E-mail's fine.
(Yeah, gotta have one just for those nice websites requiring an e-mail for registration...
"integral to the lives of a billion people" != naught
--
make install -not war
They've got this wonderful new technology; it's called a PHONE!
Yeah! You can actually HEAR the other person and talk to them in realtime!
Wow!
Forget e-mail!
But the zombies are vulnerable. The lamest Windows OSs, the DOS/Win95/98/ME family, are slowly dying off. XP is at least potentially fixable, and Vista is much tighter.
We've made real progress. It's tough to send spam today without committing a felony. Spammers are routinely going to jail. Spam as a means of even vaguely legitimate marketing is dead. Spam-friendly hosting is getting harder to find. Ironport gave up selling its "spam cannon" rackmount spam sender. Spam filtering is better than ever. Spammers have been reduced to using zombies because anything more direct gets them hammered.
Now that I think about it, Zonk may actually be an AIM bot....
Zonk: Zonk may actually be an AIM bot?
All you need to do is create a world standard that enjoys massive popularity and works on all platforms and doesn't get clobbered by some submarine patent owned by a bunch of land sharks.
Easy really.
E-mail is as likely to go away as package shipping and breathing. Yes, e-mail as it exists now has problems, but the concept of e-mail, is far too valuable to "go away." Of course, with a title like "E-mail problems need to be fixed" everyone would respond "No shit, Sherlock" and not read the article because it will tell us nothing we didn't already know.
Problem is that everyone I know uses webmail (either gmail or *shudder* yahoo). I could imagine gmail putting some kind of PGP feature in, but not Yahoo.
Your company advocates a
(X) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(X) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(X) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Extreme stupidity on the part of people who do business with Microsoft
( ) Extreme stupidity on the part of people who do business with Yahoo
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(X) Outlook
and the following philosophical objections may also apply:
(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(X) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid company for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
If I were going to throw something out because marketers found a way to exploit it, my phone and irl mailbox would be gone long before my email box. Email is free (after any ISP charges incurred), allows you to filter out certain parties without jumping through hoops (spam filters), is sortable, allows you to easily identify whitelist folks, can be sent to multiple parties (group distributions), and maintains a record of its sending (proof of sending, and read receipts if you use them).
Yet both of these technologies are still around (the phone and mailbox).
Email has many, many, many years of life left.
You can get 15 minutes of fame, but you can go down in history for infamy.
Oh, and if they did put the feature in, would you want to store such a sensitive thing on their server?
Plain text. There's really nothing in Rich Text or HTML emails that cannot be communicated in plain text. Documents currently being attached to emails can be sent via web services or through online file-sharing sites now popping up.
Take away attachments, bye bye viruses. Take away Rich Text and HTML, bye bye more viruses and most phishing schemes.
It will not get rid of spam, unfortunately. People not responding to it will.
It's a very dark ride.
[T]here are enough of us geeks to code up the proper secure behavior ... Then it's just a matter of waiting for everybody to update their email client (i.e. 5-10 years, ...)
;-)
Actually, some of us geeks did a lot of it 15 or 20 years ago. Lotta good it did us all. Most of the email users are using Microsoft email software, and clearly will never upgrade to anything without the MS imprimatur, so our work was pretty much in vain.
So how about some of the geeks here mention the more-secure email packages you've worked on, and when. This should give us a good idea of just how hopeless it is to expect everybody to adopt it.
(Either that or nobody will ever notice this message or reply to it.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
grossout factor, for example, say you have an individual who needs some help setting up their next gen email, and this geek runs up to help, his mouth still dripping blood from the chickenhead he just bit off, the poor email using individual is going to just freak out and run away.
Everyone needs an End-Times Apocalyptic scenario, even techies.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
The article starts out detailing the alleged history of RFC822 and how it "laid the foundation of SMTP". Problem is, 822 doesn't have anything to do with SMTP. That's covered in RFC821. It's downhill from there. Pseudo-technical details that lack even the most basic understanding of fundamental technologies. Please take away these people's word processors (and their MUAs too, I bet they do most of their damage via email)... maybe they can still be trusted with crayons (though in Dvorak's case, I don't think he should be given that either).
Buy Text Processing in Python
This is probably the most rational explanation I've seen for his behavior. : p
This guy's the limit!
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." - Rick Cook, The Wizardry Compiled --- This says it all, to be blunt. Spammers and phishers are programmers, however, who RELY on the idiots out there clicking on anything that SEEMS interesting enough for them to bite on. Bait the hook and wait for the fish to bite - and let's face it, most users don't WANT to be educated, they want the software to do everything FOR them --- DUH! Lee Darrow, C.H.
What makes Spam and Malware unmanageable is the sheer number of vulnerable and hacked systems. When vulnerable boxes disappear, the bad guys would have little ammunition. My guess is that over time, as computing matures and our OSes stabilize, security holes will be plugged faster than they are created. When that happens, vulnerable boxen will become rare, and the bad guys will find it harder and harder to send Spam and Malware with impunity.
And then the rainbows will soar and unicorns will return.
Is something similar going to happen to today's email? Hey, why not?
Breakfast served all day!
Yah, the most amazing part is the attitudes of the humans involved.
Listen up, peeps, if anybody calls you up or emails you and says "your DNS is not set up properly in accordance with the RFCs governing such-and-such could you please fix it" and you don't thank the person politely and IMMEDIATELY get to work on figuring out what you need to do, YOU ARE A DICKHEAD.
If somebody calls or emails you and says "You are my ISP and I need such and such type of DNS records associated with my domain in order to do business" and you don't IMMEDIATELY get to work on satisfying the customer, YOU ARE A DICKHEAD.
If somebody calls or emails you and says "Your DNS records break the requirements of RFCs such-and-such and require people to accept spam in order to get mail from your users" and you reply "it works fine for me, so there's no need to change anything" then YOU ARE A SUPER ULTRA SANTORUM-ENCRUSTED DICKHEAD!!!
Bad DNS can hose things up worse than any other major protocol. The Intarnets run on DNS! Yet horribly incompetent DNS admins (aka DICKHEADS) are a commonplace.
I love it when I get fake e-mails from people who pretend to need me to take their money for them. It's fun to play with their minds and make them think I believe them. It's also fun to e-mail them back a crazy mess to make it look like I'm insane.
I usually answer their questions about my name and address and the like, by making up things. Then, at the bottom of the e-mail, I sign it with "Elvis G. Presley".
I'm just waiting for someone to reply thinking that I really am the King.
"In a world that exists without walls and fences, who needs Windows and Gates?"
So every couple of months I donate $100 or so in buying products being spammed just to piss off all those anti spam activists. It's my way of making the world just a little bit better.
..but email could be made WAY closer to perfect than it is now.
> Let's take video games as the paradigm.
Let's not. Email communication is not in any way like some new PC or console game. The videogames of which you speak are like DVDs--they are published and distributed using archaic methods (boxing and shipping silver plastic discs to stores and homes all over the place) by companies that are propping up an obsolete business model with artificial barriers like copy protection and overzealous copyright laws. Email communication is about electronic distribution and the content is not what is being sold. In a sense, if the videogame industry was email then business would be trying to make money by selling email messages themselves rather than email accounts/mailbox space/connectivity. The two aren't really comparable.
> And yet days after release, and sometimes prior to release, their code is hacked, cracked, and distributed.
Perhaps you should compare with ecommerce or banking sites instead of videogames. SSL/TLS encrypted and authenticated communication has been used on secure sites for ages, and it has NEVER been completely compromised. Yes, people have demonstrated that it is crackable with massive computing power, and in response all we had to do was use a larger key. Sure we hear about how people had their credit card numbers stolen from some ecommerce or web banking site, but it has NEVER been because someone defeated the security technology--it has ALWAYS been human error or incompetence (like using real card info as "test data" or storing the info unencrypted on a database server exposed to the 'net, all the way to banks leaving unshredded sensitive documents in dumpsters or hackers putting keyloggers on cruddy Windows boxes to transmit the info in the clear to their own servers).
> How exactly does this new email system stop phishing? Oh, right, it can't.
Well, make sure the certificate is legitimate--those are much harder to spoof than the URL or "from" address. With smart design of the email client (i.e. an alert written in plain English for the "severely normal" user) we can drastically reduce the problem. Right now people have to fiddle with PGP or GPG and add-on plugins and crap. A new system could have encryption and authentication built into the standard such that every single email could have a signature.
> How exactly does this new email system stop users from clicking executables thinking that they are going to see nudie pictures of Katie Holmes?
Ultimately it can't, but it CAN use mimetypes more effectively/be smarter about analysing file content/have integrated support for digitally signed attachments. If someone is such a jello-head that they would get an attachment marked "Executable program, no digital signature" in an email marked as "message not signed, origin unknown" and STILL think they're going to see Katie's titties then they are too f*cking stupid to be online.
> How does this new email stop virii?
The problem with *viruses* (people, please stop referring to more than one virus as virii, that's a made up word) is at a lower level than email. The problem is that the most predominant operating system is severely flawed architecturally. There are more viruses discovered in a day for Windows than have been for Linux in the entire history of Linux, and Linux people send and receive plenty of email. Even factoring in the big difference in market share the difference is staggering.
Email can be made virtually virus proof--the problem is that there is no officially standardised way of verifying/signing/managing security of attachments in today's email. Any tools that exist are one-off bolt-ons and are not seamless. An email message is not an executable and any data in the body of a message should not be executable binary code. If an executable is attached it should not be executable until it is decoded and detached, and there should be safeguards to alert the user to fake "katie'
...make email a pull instead of a push system.
If you make it a pull system:
1) there is no spoofing issue (you always have the real IP address of the sender, because you have to connect to get the message contents).
2) spam costs move from the receiver to the sender, because the spam sender now has to bear the brunt of the bandwidth traffic hit.
3) finally, recalling a mail message would work.
There are more benefits to that "small" switch, but I'm far too lazy to lay them all out here.
Tom Caudron
http://tom.digitalelite.com/
-Tom
I once used the CERT stuff part of Apple Mail (signed and/or encrypted), but to my surprise, MS Outlook had problems displaying the email. I think that it was an error message, or something strange in the body. I actually think that MS makes it hard on everyone to use security. So after all the complaints from my MS friends and co-workers, I removed the CERT. I even tried to get co-workers to install PGP, but even if it was installed they wouldn't use it.
It needs to be transparent!
The above is not worth reading.
I call dibs on writing next month's "The Death of Email" article that doesn't say, do, or suggest anything new. Dibs dibs dibs!
The problem is, you need a new system that does all the things that he says, but at the same time, the new system needs to be compatible with the old, at least the client does. People aren't going to run two completely incompatible mail programs if they can help it, and that poses a block to adoption of a new system. On the other hand, by allowing compatibility, you're simply allowing the old problems through (spam, phishing, etc).
One way I've considered this is the whitelist system. Someone who's never sent me an e-mail before, sends me an e-mail. The e-mail gets held on my server for X days. The sender then gets a reply from the e-mail server saying something along the lines of: "This person has never received mail from you. Reply to this message with the word 'authorize' in the subject to confirm sending." Upon doing so, the mail would then be sent to me.
This accomplishes a few things: First of all, a spammer can't send me spam unless they're using a valid e-mail address that can be contacted back. Otherwise, the spam will eventually be flushed off the server after X days. As an additional feature, if I decide the mail that did get sent through was SPAM, I can permanently block that address (or site) by adding it to a block-list.
This makes sending 10 million spams a real problem because you then have to have all 10 million come back to you and then send an authorize reply, before your spam will go through. Since the spammer has to be contactable, it then makes them MUCH more vulnerable to being tracked.
Once an initial authorization has been done, the user would then receive a second mail from the server. This would contain a unique key for that sender to continue communicating, that would be attached to each e-mail. With new e-mail clients and servers, this part could be automated.
This makes initial communication with someone a bit more trouble, but I think (unless I'm missing something) that this might go a long way towards handling spam. And of course, there'd always be the ability to pre-authorize someone if you know their e-mail address.
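The hold, authorize and per-sender key flow from the comment above, as an added example (not code from the thread). The class and method names, the 7-day hold standing in for "X days", and the HMAC-derived sender key are assumptions made for illustration.

```python
"""Added example: challenge-response whitelisting with a per-sender key."""
import hashlib
import hmac
import secrets
import time

HOLD_SECONDS = 7 * 24 * 3600  # stands in for the comment's "X days" (assumed value)


class ChallengeResponseGate:
    def __init__(self, secret=None, now=time.time):
        self.secret = secret or secrets.token_bytes(32)
        self.now = now          # injectable clock so expiry can be tested
        self.held = {}          # challenge id -> (sender, message, deadline)
        self.allowed = set()    # senders that have answered a challenge
        self.blocked = set()    # senders the user marked as spam
        self.inbox = []         # delivered (sender, message) pairs

    def sender_key(self, sender):
        """Key mailed to an authorized sender; only this server can mint it."""
        return hmac.new(self.secret, sender.lower().encode(), hashlib.sha256).hexdigest()

    def expire(self):
        """Flush held mail whose challenge was never answered."""
        now = self.now()
        for cid in [c for c, (_, _, deadline) in self.held.items() if deadline < now]:
            del self.held[cid]

    def receive(self, sender, message, key=None):
        sender = sender.lower()
        self.expire()
        if sender in self.blocked:
            return ("rejected", None)
        if sender in self.allowed and key and hmac.compare_digest(
                key.encode(), self.sender_key(sender).encode()):
            self.inbox.append((sender, message))
            return ("delivered", None)
        # Unknown sender, or a known address without its key: the From line is
        # forgeable, so the message is held and a challenge id is issued.
        cid = secrets.token_urlsafe(16)
        self.held[cid] = (sender, message, self.now() + HOLD_SECONDS)
        return ("held", cid)

    def authorize(self, sender, cid):
        """Handle the 'authorize' reply; returns the sender's key or None."""
        self.expire()
        entry = self.held.get(cid)
        if entry is None or entry[0] != sender.lower():
            return None
        del self.held[cid]
        self.allowed.add(entry[0])
        self.inbox.append((entry[0], entry[1]))
        return self.sender_key(entry[0])

    def preauthorize(self, sender):
        """Whitelist an address the user already knows."""
        self.allowed.add(sender.lower())
        return self.sender_key(sender)

    def block(self, sender):
        sender = sender.lower()
        self.allowed.discard(sender)
        self.blocked.add(sender)
```

The challenge is sent to whatever address the message claims, so a forged sender address means the challenge lands in a third party's mailbox; the sketch does not address that.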
And you can be sure Microsoft wouldn't be one of them, or, if they did, they'd do it all wrong.
.net FrontPage and ASP development tools spewed out atrocious, non-compliant code and ActiveX has been a scourge on the Web. In the early days of Vista development MS boldly declared the web browser as a distinct application obsolete and abandoned new IE development. Microsoft has, as a result, suffered the consequences (buggy, insecure software, backlash from users and web developers for its inconsistent rendering behaviour, resurgence of Mozilla browsers, etc).
Well, we have lived through this with the WWW and we still have standards. Yes, Microsoft was involved. Yes, Microsoft did it all wrong and yes, many IE quirks became de facto standards. However, there is still a standard and at a fundamental level it is still adhered to by all important players. And guess what? Microsoft is being forced to step in line, albeit slowly. Pre
Now, MS has had to admit they still need a browser and are readying a long-overdue major release of IE and with every version of Visual Studio.Net the HTML generated by ASP.Net apps is more compliant and cross-browser compatible. Standards DO have an effect and given the climate MS is now in (with extra regulatory scrutiny and a slowly but surely growing competition) they may still botch the implementation, but they wouldn't blatantly flout standards like they have in years past.
"Reality is that which, when you stop believing in it, doesn't go away." - Philip K. Dick
"Reality is what you can get away with." - Robert Anton Wilson
It doesn't mean much now, it's built for the future.
On a more serious note, as an admin I'd like to be able to legally pursue anybody misusing or attempting to misuse our MTAs to route spam to company employees. I'd also like to be able to lighten our IP filtering rules because y'know... somebody may want to email us from China sometime. Spammers are sociopaths and they need to be dealt with.
Email has existed since before the Internet. That's nearly 40 years. There is no other protocol in existence that is so hard to use in an effective manner, because in these decades tons of features have been bolted on left, right and center. It could've been done right, but effectively in the end Outlook killed off all hope of getting Email to become something halfway useful at hand.
... Absolutely unbelievable.
Transfer sucks, I18n sucks big time, separation of content and metadata sucks, attachments suck, the somewhere between 5 and 10 encryption standards suck, hashing, threading and signatures suck. User Agents suck. Quoting is so silly it's beyond bizarre. Even Crosspoint and the Fidonet was better at that, and that's about 15 years ago. MTAs and Mailservers are so crappy that experts in the field actually consider setups with Exim and Postfix the more useful ones. Think about that for a minute and tell me how sick is that?
Apache is only about a decade old and its quirkiness is easily dealt with with a little patience. I've done a lot of things in IT in the last 20 years, including setting up an entire Typo3 environment yesterday - and that's a real PITA for a PHP CMS. Yet nothing is on par with the suckiness of setting up an email environment.
The simple truth is that, for the better of humanity, email has to die. Quickly.
A complete redo is what we need. Compulsive hashing with recipient-keys with asymmetric encryption that takes up to half a minute per mail to zero out spam. XML all the way through. Zero hassle standardised encryption. Total separation of metadata, content and optional design. ONE transfer protocol. ONE encryption standard. ONE full-blown OSS MTA and a fitting OSS recipient-hashkey standard that's easily transferable over the web and human-readable. Non-user-level unique identification of content for indestructible threading and commenting - could be combined with IP6 or something. Merciless enforcement of standards at MTA level. An x-platform client that makes use of all the goodies in the new standard.
If that would be done - and if it were 'just' by an open source group of enthusiasts - the difference would be so extreme the people would start using it *fast*. And the world would be a measurably better place.
Until then Email will remain so crappy that - believe it or not - a thing like Mutt is considered one of the better ways of using it.
My 2 cents.
We suffer more in our imagination than in reality. - Seneca
What we really need is a widely-accepted system for micropayments. Then we could impose a small (say $.0001 per email) charge for sending messages. This would be small enough so that it would be of no consequence to legitimate users and big enough to stop spammers dead in their tracks. The revenue could go to support the Internet.
It could be made compatible with the existing system by allowing a header to indicate that the postage had been paid. Then all you'd have to do is to filter out the junk (unpaid) messages.
for an open solution. Let's face it, it'd be better if we start now. SMTP is unusable now.
I may have gotten this wrong, but to me it seems simple to secure E-mail without changing the current method drastically.
... Well, tough luck, unless you are of category 1 through 4, of course.
... well, if you want new customers, you should probably expect a certain amount of spam, shouldn't you?
First I must look at the types of E-mail I receive (more precisely, who I receive E-mail from):
1. Friends and family
2. Friends of friends and family
3. Businesses I know
4. Mailing lists
5. Spammers
For businesses there are another two categories:
6. Customers
7. Potential customers
It must be possible to find a simple way to create a digital signature without making it rocket science, which is an underlying assumption of my suggestion.
Similarly, it must be possible to disseminate a digital signature to potential recipients in an easy way, a scheme like tinyurl springs to mind -- or any of the other publicly available, free "certificate authorities" (CAs). I submit the public part of my signature to tinysig or whatever it is called and tell my friends and family about it.
Businesses would probably register their signatures with the "official" CAs (but could use tinysig as well) and display proper links to them on their websites -- as could plain people with homepages. I would suggest something on the form of pubsig://tinysig.com/al1ga2r and pubsig://thawte.com/BigCorporation/12437265190. Those links would return a public signature id, which would go directly to the E-mail program for storage, much like the mailto: does for automatically opening a new E-mail.
1. Friends and family would give you their tinysig signature, which you quickly incorporated into your E-mail program. The E-mail program disseminates it to whatever server(s) it collects mail from.
2. Friends of friends and family would ask your common connection to forward their tinysig signature.
3. Businesses I know would either provide me with links directly (i.e. by phone or mail) or through their websites.
4. Mailing lists would provide their signature ID when you subscribe to the list.
5. Spammers
6. Customers of businesses should probably provide their public signature ID to the business if they want them to receive their mail, but otherwise the business could open for specific E-mail addresses like current whitelists in current spam filters.
7. Potential customers
This suggestion could easily be grafted on to current, prevalent E-mail protocols, i.e. SMTP/ESMTP, POP and IMAP, and I am sure it would reduce the problem quite substantially and (provided the signatures are properly generated) be rather safe from crackers/hackers and spammers.
Big E-mail providers like Yahoo, Hotmail, G-mail and the like, would certainly have to incorporate it into their systems for this to work properly, but again, it is not too difficult.
Please bear with me if this is not thought through properly, but I have a plane to catch.
when we adopt DVORAK keyboards and Microsoft has less than 80% market share. It's called lock-in. Academically, it's called path dependency. Optimistically it's network effects. Sigh deeply and continue on.
Returned Peace Corps IT Volunteer
Your post advocates a
(*) technical ( ) legislative (*) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(*) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(*) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(*) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(*) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(*) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
(*) This is a stupid idea, and you're a stupid person for suggesting it. (Again!)
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Wouldn't it make sense to start using some kind of public key infrastructure to keep spam zombies at bay? For example, if I have a business email server, I likely already have SSL certificates on it for SMTPS and IMAPS, next I would add a policy to accept emails from servers signed by Verisign, et al, and quarantine those emails that came from unverified signers. It doesn't cost much to create an SSL certificate and anyone who's got a secure website has already been thru the process.
This also extends to multiple levels of authentication:
- Residential customers could purchase a certificate if they wanted to operate email from their own residential gateway.
- Residential customers using their ISP's gateway would be sending thru the ISP's certificate, and possibly their own GPG key|MIME cert as well.
- Compromised certificates have revocation certificates published promptly by ISPs or Customers that get rooted.
- Abused certificates that don't get revocations published can get blacklisted with existing blacklist infrastructure
If ISPs start blocking emails that aren't signed or don't come from a signed server, then people will start getting their servers signed.
Of course, the same amount of security precautions you'd take with your existing digital identities would have to be put towards your email certificates. If someone steals your website's SSL certificate, or your GPG keys, or your SSH keys, you better hope that they've been password protected!
You may argue this doesn't make sense for grandma and grandpa, but for a business setting, maybe it should be SOP. Many businesses already manage public keys for employees, and the number is growing.
You may flame now....
# for x in `find '.' -name "*.c" -print`; # do perl -pie "s/==/=/ig" $x; done
What about simply using IM instead of Email? It supports just about everything we need (i.e. file transfers), and follows more of a "telephone" model, with an answering machine if you are not there. The telephone system seems to work rather well.
"You cannot find out which view is the right one by science in the ordinary sense." - C.S. Lewis on Intelligent Design
> No technological solution will ever fix the problem so long as it remains profitable ..
There is a great deal of truth in your position. But it does miss the part tech can play. Current email on all platforms is as spammer friendly as Windows is zombie/virus friendly. Almost every MUA has features explicitly enabled by default that make the spammer's job easier than it should be. Making a better breed of user would certainly solve the spam problem, but short of a harsh program of forced eugenics over several generations and the destruction of every government school, a user smart enough to be a total solution is as mythical as 'honest politicians'. So let's look first at what we can actually do.
Change the default behaviour of MUAs so that external content is NOT retrieved without explicit action from the user. This eliminates the webbugs that allow the spammers to blast out a billion pieces of mail to randomly generated mail addresses and see which ones are live. It also stops them from keeping track of which spams make it through the filters on various sites. So called 'rich media' could still be easily sent via email but it would all have to be inlined via the magic of MIME.
Forbid ANY 'active' content in email. Yes this might stifle the 'creativity' of a few lame ad agencies but the security implications of email are totally different from web pages. You GO to webpages, email comes TO you. Accepting executable content from random strangers is a recipe for infection. This means NO Javascript, JAVA, Flash, etc. And just to be safe you should probably stop DOM and all the other shiny new Web 2.0 things that blur the line between static HTML or plain text and executable content. At a bare minimum a new email should be presented as a static page and if it contains 'dynamic content' add a bar at the top stating "This email wants to use dynamic content that is dangerous. Allow [Yes] [No] [Always for this sender]?"
The current practice of embedding IE or Gecko to render html in email must be stopped. A reduced rendering engine capable of only the most simple static html needs to be created, preferably in a safe language like Python, Java or C#. If the user opts to rerender in full html unmap the window with the simple html and THEN embed Gecko or IE for that one email.
It of course goes without stating that ActiveX should NEVER be permitted anywhere for any reason.
Mail clients need to be simplified to the point their operation can be VERIFIED to be safe.
Crypto could be as ubiquitous for email as it is currently for the web. I suspect the only reason it isn't is fear of the US Government. Even with the relaxation of the ITAR regs everybody seems to be acting under an unwritten agreement that crypto can only be used to secure ecommerce, not the private communications of individuals. I can see MS/Outlook making some under the table deal to ease the paperwork but why hasn't Thunderbird or Eudora stepped up to the plate and built in seamless GPG support? For that matter why not Evolution, Pine or Mutt? Or why isn't it commonplace for emails from major corp senders to be cryptographically signed and major mail clients already verifying them? Sure would stop almost all phishing attacks now wouldn't it? A big red banner atop that mail purporting to be from Paypal saying "WARNING, the signature on this mail doesn't match previous mail from paypal.com" instead of a green one saying "Signature verified: paypal.com" would put a fast stop to those scams now wouldn't it? Since I can't be the only one to see such an obvious solution I have to ask "Who is stopping it?"
Or how about programming some very simple sanity checks on the mail path and adding a warning banner when one comes via a strange path along with some whitelisting based on previous history. I'm not talking full Bayesian filtering here, but something a wet behind the ears incompetent asshat at Microsoft could even manage to implement right in only a few years.
If
Democrat delenda est
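A sketch of the reduced static-HTML renderer the comment above asks for, as an added example (not code from the thread or from any mail client). It keeps a small tag allowlist, drops active content and remote images, and reports what it removed so a client can show the "Allow?" bar; the tag lists, the `render_static` name and the sample message are assumptions constructed for illustration.

```python
"""Added example: render HTML mail as static markup and report what was blocked."""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "a", "ul", "ol", "li",
                "blockquote", "pre", "h1", "h2", "h3", "img", "div", "span",
                "table", "tr", "td", "th"}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style", "object", "iframe", "applet"}
ACTIVE_VOID = {"embed", "link", "meta", "base"}      # dropped and reported
SAFE_LINK_SCHEMES = ("http:", "https:", "mailto:")   # followed only on a user click


class StaticMailRenderer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized markup fragments
        self.blocked = []    # what was removed, for the warning bar
        self.skip = 0        # depth inside a dropped container such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            self.blocked.append("active:" + tag)
            return
        if self.skip:
            return
        if tag not in ALLOWED_TAGS:
            if tag in ACTIVE_VOID:
                self.blocked.append("active:" + tag)
            return           # unknown tag dropped; its text children are kept
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):                    # onclick, onload, ...
                self.blocked.append("active:" + name)
            elif tag == "a" and name == "href":
                if value.lower().startswith(SAFE_LINK_SCHEMES):
                    kept.append((name, value))
                else:                                    # javascript:, data:, ...
                    self.blocked.append("active:href")
            elif tag == "img" and name == "src":
                if value.lower().startswith("cid:"):     # inline MIME part only
                    kept.append((name, value))
                else:                                    # remote fetch = web bug
                    self.blocked.append("remote:" + value)
                    return
            elif tag == "img" and name == "alt":
                kept.append((name, value))
            # every other attribute (style, class, background, ...) is dropped
        attr_text = "".join(' %s="%s"' % (n, escape(v, quote=True)) for n, v in kept)
        self.out.append("<%s%s>" % (tag, attr_text))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.skip:
                self.skip -= 1
            return
        if not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))


def render_static(html_body):
    """Return (static_html, blocked); a non-empty blocked list means show the bar."""
    renderer = StaticMailRenderer()
    renderer.feed(html_body)
    renderer.close()
    return "".join(renderer.out), renderer.blocked


# Constructed sample message body, not taken from any real mail.
SAMPLE = ('<p onclick="steal()">Hello <b>there</b></p>'
          '<img src="http://tracker.example/bug.gif?id=42">'
          '<img src="cid:logo1" alt="logo">'
          '<script>document.location="http://x.example"</script>'
          '<a href="javascript:alert(1)">click</a> <a href="https://example.org/">site</a>')
```

An unclosed `<object>` or `<iframe>` makes the renderer drop the rest of the message, which fails closed.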
Spoofing is simply a result of people not demanding openpgp signatures. Phishing and viruses are a combination of that problem, plus people using poorly-designed client software that tries to render content too richly (e.g. rendering html as web pages, with clickable links and everything). The solution to viruses and phishing is absolutely trivial (don't use bad software; people who use good software simply never have these problems, because they can't) and the solution to spoofing is to remember that if your client doesn't say it's authenticated, then it's not authenticated. (And remember that an email client is something you run on your machine. You can't trust someone else's computer (at Google or Yahoo or wherever) to authenticate for you.)
On the client side, spam is fixed by demanding authentication -- automatically rejecting stuff that you don't know is from someone accountable. That is a drastic step right now, since so few people authenticate, but if you work on the spoofing problem, then you'll be setting yourself up for the day you can solve spam too.
The time has come to ditch crappy client software, which is responsible for almost all of these problems (even partially responsible for the retardation of the adoption of encryption and signatures).
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
say, what else do we have?
- most instant messengers are as insecure as email (no encryption, maybe unknown security holes)
- many of them (MSN, ICQ, Yahoo) have at least a term in their EULA that gives them the rights to use your personal data and chatlogs in ANY WAY THAT THEY WANT! that's right! they are allowed to sell your cyber-sex with your girlfriend including your names to TV stations or porn sites... AOL doesn't even tell you how they handle this... they just say "we follow the local laws in your country..." (at least in the german EULA)
- advertisements
- spam & phishing is also an issue in ICQ today - in yahoo maybe (I don't know, I don't use yahoo) spam is a bigger issue since yahoo was at least planning some weeks ago, just like AOL, to sell rights to send spam to their users which won't be filtered by their spamfilter
- several services (MSN, iirc Yahoo) don't allow you to connect to their servers with any other client than the one they give you
or shall we start using VoIP? why do you think SMS is so successful? because people don't WANT to talk to each other... writing an SMS or any other form of text message doesn't show your emotions as much... it's more anonymous and that seems to be what people want
the only real alternative to me is jabber... you can use PGP/GPG keys, but tell people how to get it to use PGP/GPG key or how to create a PGP/GPG key in the first place... it's open source and there are many personal servers already, but this also means servers can go off service... besides that - the jabber server I use is kinda instable... although I WOULDN'T SAY ICQ servers were MUCH more reliable...
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
I'm all with you about needing a secure alternative, but then I hear stuff about mandatory ID, etc.
Corporate whistleblowers, Chinese democracy activists, union organizers, etc. all have a legitimate reason to want to be able to send an email without it being traced back to them. How do we support that without opening the floodgates for spam/phishing/etc?
Essentially, I should be able to somehow generate an ID, where I am the only one that can connect the ID to my person. At the same time, if I send an email, my recipient will receive it - they will be aware of the fact that the email is from someone who is hiding their personal identity, but some other form of information will be connected with that ID that shows that the email can be trusted more than some bulk-mailed viagra ad. Ideally the system would not require human intervention to screen. For example, maybe the ID is such that it requires 1 week of CPU-time to generate, and the encryption method has a secure method for storing the total number of emails sent using the ID.
This way, a spammer would have to have access to a million machines for a week to be able to send 10 million emails with an ID that has a count of less than 10.
On the receiver end, they would get the email, and it would be flagged as unsolicited and anonymous, but they would know that I've only sent 5 other emails with the same ID and that the ID was difficult to obtain.
The basic idea is that with each email you receive, there would be a set of information that you are guaranteed to know about the sender, with some of it optional. The email reader would only accept mass emails from trusted known IDs, but non-mass emails could come from anonymous IDs.
Another possibility would be some form of trusted anonymous emails. Without further external knowledge, a single message from that ID would not be trusted, but it would be possible for an ID to create some form of trust structure. For example, imagine you anonymously donate $100 to some charity, using the ID. Then you send an email using that ID to people who respect that charity. The message header would include information that would allow automatic verification that the same ID was used for the donation and the email. The receiver would then be fairly certain that the message was not spam, but they couldn't trust it enough to give out their credit card number or other info.
Anyway, this is the sort of thing I'm thinking of - decentralized, and secure in the sense that the sender and receiver can in some secure way communicate a level of trust to each other without outside interference or exposure.
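The costly-to-mint anonymous ID from the comment above, and the per-mail "compulsive hashing with recipient-keys" idea from the earlier "complete redo" comment, both reduce to a hashcash-style proof of work; this added example (not code from the thread) shows the pattern. The stamp format, the demo difficulties and the receiver-local mail counter are assumptions; the globally trusted send counter the comment wishes for is not implemented here.

```python
"""Added example: hashcash-style proof of work for an anonymous ID and per-mail stamps."""
import hashlib
from itertools import count

ID_BITS = 16     # demo difficulty; "a week of CPU time" would need far more bits
MAIL_BITS = 12   # demo difficulty for a stamp bound to one recipient and message


def leading_zero_bits(digest):
    """Number of zero bits at the front of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def stamp_digest(resource, nonce):
    return hashlib.sha256(("%s|%d" % (resource, nonce)).encode()).digest()


def mint(resource, bits):
    """Sender side: brute-force a nonce; expected cost is 2**bits hashes."""
    for nonce in count():
        if leading_zero_bits(stamp_digest(resource, nonce)) >= bits:
            return nonce


def verify(resource, nonce, bits):
    """Receiver side: a single hash, whatever the difficulty."""
    return leading_zero_bits(stamp_digest(resource, nonce)) >= bits


class Receiver:
    """Accepts anonymous mail only from costly IDs that stay under a local budget."""

    def __init__(self, address, max_per_id=10):
        self.address = address
        self.max_per_id = max_per_id
        self.per_id = {}     # anonymous ID -> mails accepted from it at this receiver
        self.spent = set()   # (ID, message id) pairs already used, to stop replays

    def accept(self, anon_id, id_nonce, message_id, mail_nonce):
        if not verify("id|" + anon_id, id_nonce, ID_BITS):
            return "reject: ID carries no proof of work"
        mail_resource = "mail|%s|%s" % (self.address, message_id)
        if not verify(mail_resource, mail_nonce, MAIL_BITS):
            return "reject: stamp not minted for this recipient and message"
        if (anon_id, message_id) in self.spent:
            return "reject: stamp replayed"
        if self.per_id.get(anon_id, 0) >= self.max_per_id:
            return "reject: ID over its mail budget"
        self.spent.add((anon_id, message_id))
        self.per_id[anon_id] = self.per_id.get(anon_id, 0) + 1
        return "accept: anonymous, mail #%d from this ID" % self.per_id[anon_id]
```

Each extra difficulty bit doubles the sender's expected work while verification stays at one hash, which is the asymmetry both comments rely on.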
Dude, your web page is so bad, I uninstalled my browser.
[To moderators: before modding me down, please visit it first]
> Phishing and viruses are a combination of that problem, plus people using poorly-designed client software that tries to render content too richly (e.g. rendering html as web pages, with clickable links and everything).
You cannot control the world by saying things like that. We all know that ActiveX is a stupid idea, but that did not keep Microsoft from creating it and showing the advantages (and not the disadvantages) to their corporate customers.
We know that sending an executable via mail and having it run when the user clicks on the attachment icon is dumb, but Microsoft created a mailer that did this, users loved it (because they could send programs that displayed a nice Christmas tree to each other) and other companies copied it because they did not want to release software that could not do things the customer liked and the competitor had.
Similarly, people liked the idea of having nice wallpapers and background sounds with their mail, and even accept the fact that they get spyware and spam on their system as a side-effect of installing something like smileycentral or incredimail.
Just restricting the client to do things that are wise will not keep the competition from releasing software that includes options that are dumb.
Not much after I became an antispam activist and joined the Okopipi project, I've realized that the SPAM problem is a symptom of a much worse problem: Botnets.
Let's suppose we kill spam for good. The botnets, hidden with rootkit techniques, can still spy on you, keylog on you and transmit your information to the crime syndicates. They'll wait, and when they have enough information about everybody, they'll steal your money, blackmail you for your cheating, etc.
If you thought the US government was Big Brother, you haven't seen the dark side of it.
SPAM needs an integral solution. Cutting spammers' income via spamvertised websites is one part. But we can't ignore the botnet problem. Whatever means you have to communicate with your friends, the botnets will learn, and use them to spam on them.
If the US passes a law that makes ISPs responsible for bots running on their clients' machines, you'd see tech support helping users and cleaning/patching their machines for FREE.
I think the way to get PKI going would be to have various makers of email software integrate it and include it in the account settings by default. A key pair could be created as the email account is created. At a minimal level of security, this could be made very easy to use. You could even make it completely transparent if you reuse the same password as for authentication to the email server.
I realize that this isn't the most robust PKI setup but it would be a lot better than nothing and it could be made tighter as time goes along. Anyone who would go to the extent of downloading the source code for GPG, checksumming it and compiling a clean copy could still do so.
I really wonder why this hasn't been done yet. Why haven't email software makers bundled in GPG or something like it, even if it's turned off by default.
just use instant messaging. just take jabber, and add the ability of the server to store messages till the user logs back in. bam email replaced. now everyone should just use it.
I think it's going to be considerably less costly to rework email a little in order to stop spammers, than it is going to be to throw out the whole kit and kaboodle and start over.
I am very nervous when someone starts talking about reimplementing something that's one of the core parts of the Internet. To me that sounds like a golden opportunity for privatization and control of the network. We would give up more than we would receive in that scenario.
Your right to not believe: Americans United for Separation of Church and
It seems we all agree that we'll never outright abandon SMTP, but that doesn't mean we can't replace it incrementally.
How about this:
* We draft a replacement for SMTP that includes authentication, public key encryption, whatever. Make it an RFC standard.
* We write BSD-licensed server and client programs (or plugins to existing clients) to process it. (Nothing against the GPL, but we -want- this to be ripped off by businesses to make the idea spread.)
* The server program (or a concurrent program also run by the mail exchanger) manages the public keys of its users. User keys are tied to the domain, meaning that you cannot send an email with no domain name or only a subdomain. This should prevent spam from bot nets, and slow spam from spam domains (since they have to pay a new $10 every time people block their domain for spamming).
* The new protocol will use a different port than SMTP. Whenever someone using the new protocol sends an email, the destination server is polled on the new port. If it's running a server capable of receiving email through the new protocol, it gets sent that way. Otherwise it sends it via old SMTP (possibly warning the sender that encryption and authentication are not available for this recipient).
* The benefit to the sender is that the recipient knows they are who they say they are, that their message won't have to go through a big anti-spam filter and possibly be mis-marked as spam, and that nobody can eavesdrop on them.
* The benefit to the receiver is less spam, fewer legit messages mis-marked spam, and authentication/encryption.
* The benefit to the sysadmin is that they please their users (ha) and after a few years may be able to turn off SMTP and process less spam.
* Mail to or from ISPs that have not upgraded degrades gracefully, and people don't have to change all at once.
Bored With ProgressQuest?
There are always different markets. There's a market for email client software that deliberately sucks, and yes, there's a market for email client software that tries to not suck. The producers of the sucky software can confuse things, but they can't actually destroy the creators in the other market, because they don't compete. No matter how many people use MS Outlook, the Sylpheed team will never be threatened.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
"Who exactly wrote all the software we have now that the non-technical users rely on every day? Geeks. There are plenty of us around :)"
And some of them are even alive.
Let's just rewrite all our operating systems to prevent any possible viruses from affecting the system. SPAM is an arms race, so every time an anti-SPAM solution is created, it is circumvented. You have to remember that spammers make a lot of money from their "profession" and they are going to find a way to keep that money coming in. Remember, email is not the only way we are bombarded with unwanted advertising. TV (commercials, infomercial scams), Snail Mail (junk mail), Phones (Salesmen). If there is a way to communicate to a large audience quickly and easily, people are always going to find ways to abuse it. My question is this: What can we really do to make sure that spammers are unable to send their email? Although current mail protocols were not built with security in mind, they have been built upon with mail server applications that handle spam filtering, blocking, etc... And every one of these features can be bypassed. I'm not saying that we should just give up. I've been researching anti-spam solutions for over a year now, but we have to understand that people are smart, no matter what side they are on (spammer or anti-spammer) and they will find a way around one another.
No it's not, it's like rearranging the chairs on the Hindenburg. Thanks to Colbert for that one.
"I don't need drugs to enjoy this, just to enhance it" - Otto
You forget that the vast majority of the users does not have enough clue to realize why the client they use sucks, and thus will not switch to an alternative unless a miracle happens. Look at MSIE, Outlook Express. They have the vast majority of the market because people cannot really be explained that switching to another client is better for them. A couple of months ago a lot of noise was made about Firefox and some people reluctantly tried to install and use it, but when looking at a non-techie website at work the wave is mostly over and nearly everyone is back to MSIE.
Even while you can keep a development team that maintains a better client and gets a couple of thousand users to install it and be very happy, that does not mean you have done something "for email", when 99.99% of the users is mailing using other clients, that suck.
Viewed this way, there really is competition. Only clients that have a respectable market share have the possibility of changing anything to "email". When I mail using mutt or pine, I can flame people sending me HTML messages whatever I like, that won't change the fact that the world mails in HTML, even when I would want to see this changed.
Well, yes, that's the point. The solution needs to be integrated into the software so that the users need no hand holding. I was replying to a post asking why third-party, after-the-fact solutions that require extra configuring wouldn't work.
"The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.
Two protocols which have grown beyond their initial specifications. SMTP was never meant to be any of the following:
1) Secure
2) Secure
3) Secure
HTTP was never meant to do anything but display documents. Look at the both of them today. To try to implement security into a technology that was never meant to secure transmitted data and defeat spoofing is the same problem with implementing executable script and code-behind technologies into documents. Both were ideas which predate their abuses, when the 'net was more populated with people who benefitted from a general white-hat attitude and at the time had no need for rigorous secure technologies. That's no longer the case, and any technology which assumes it is technically out-of-date.
The first part of the solution is that the legacy Email isn't thrown out, just upgraded. The Pop server should be able to receive both Email and EmailVersion2 (EV2), and post them into the same box. The SMTP server for EV2 could be built from scratch, and probably should be.
Guts for EV2 system
The pop server could request server message authentication, in multiple forms, it could request a work unit (ugly math function) to be completed of a specific size that should have a solid expected run time. The acceptable function types could be administered at the pop server (as some functions get cracked or too easy). The SMTP server could reject the request for work as too hard, allowing the email to fall into the "unconfirmed" bin. The pop server could also request other types of authentication, to allow inter office email to move without extra costs. This would allow user keys to be used instead of "proof of work" for some EV2's.
The pop admin or possibly the user could place a threshold for deliverability, allowing them to turn the threshold above what spammers are willing to send to. So the idea is to have a negotiator whitelist emails, and drop the other emails into the greylist. Allowing the greylist to gradually become the spam folder of the next generation.
Storm P.S. By all means if I haven't thought this idea through enough, please knock it down....
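The negotiation proposed in the EV2 comment above, sketched as an added example that is not part of the original post: the receiver issues a single-use challenge with a difficulty threshold, the sender either solves it, declines it as too hard, or authenticates with a pre-shared user key instead. The hashcash-style SHA-256 work function, the HMAC key check and every name here (`Receiver`, `solve`, `sign`, the sample addresses) are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from itertools import count


def leading_zero_bits(digest: bytes) -> int:
    """Zero bits at the front of a hash: the 'size' of the completed work unit."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits


def work_digest(nonce, sender, recipient, body, counter):
    """Hash that binds a proof to one challenge, one envelope and one body."""
    material = b"\0".join([nonce, sender.encode(), recipient.encode(),
                           hashlib.sha256(body).digest(), str(counter).encode()])
    return hashlib.sha256(material).digest()


def sign(key, recipient, body):
    """User-key alternative to proof of work (assumed: a pre-shared HMAC key)."""
    return hmac.new(key, recipient.encode() + b"\0" + body, hashlib.sha256).digest()


def solve(challenge, sender, recipient, body, max_bits):
    """Sending side: return a counter meeting the challenge, or None to decline."""
    if challenge["bits"] > max_bits:
        return None  # "reject the request for work as too hard"
    for counter in count():
        digest = work_digest(challenge["nonce"], sender, recipient, body, counter)
        if leading_zero_bits(digest) >= challenge["bits"]:
            return counter


class Receiver:
    """Receiving side: whitelists proven mail, drops the rest into the greylist."""

    def __init__(self, threshold_bits, trusted_keys=None):
        self.threshold_bits = threshold_bits      # admin/user deliverability threshold
        self.trusted_keys = trusted_keys or {}    # sender -> key, e.g. inter-office mail
        self._open = {}                           # outstanding single-use challenges

    def challenge(self, sender, recipient):
        nonce = os.urandom(16)
        self._open[nonce] = (sender, recipient)
        return {"nonce": nonce, "bits": self.threshold_bits}

    def deliver(self, sender, recipient, body, nonce=None, counter=None, tag=None):
        key = self.trusted_keys.get(sender)
        if key is not None and tag is not None:
            if hmac.compare_digest(sign(key, recipient, body), tag):
                return "inbox"
        if nonce is not None and counter is not None:
            # pop() consumes the challenge, so a proof cannot be replayed
            if self._open.pop(nonce, None) == (sender, recipient):
                digest = work_digest(nonce, sender, recipient, body, counter)
                if leading_zero_bits(digest) >= self.threshold_bits:
                    return "inbox"
        return "greylist"


if __name__ == "__main__":
    # Constructed sample exchange; addresses and body are made up.
    rx = Receiver(threshold_bits=12)
    ch = rx.challenge("stranger@example.net", "me@example.org")
    proof = solve(ch, "stranger@example.net", "me@example.org", b"hello", max_bits=20)
    print(rx.deliver("stranger@example.net", "me@example.org", b"hello",
                     nonce=ch["nonce"], counter=proof))
```

Each extra bit of `threshold_bits` doubles the sender's expected hashing work, while verification stays a single hash on the receiving side.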
IM seems a likely possibility. If the IM networks simply saved messages received while people were offline and delivered them later when the people came online, probably 90% of the legitimate email I receive could go away. I get a huge amount of email that says "Can you send me file X?", which could be done in an IM, and I would make the same response. But if your IM simply doesn't arrive when I'm offline, you get the pattern I actually see (and use) everyday: send the IM, get told the person is not online, and go write the same message in an email.
We would, of course, need to resolve the problem of file attachments.
Microsoft cheerleader, blue flag waving, you got a problem with that?
He probably already applied for a so called patent on this new technology. He posts it, then waits for some sucker to do the R&D then sue that poor shmoe for all they are worth!
I need to start writing these columns then I could walk away with millions!
MS, and a great number of others, embraced S/MIME over PGP for email encryption many years ago. And you know what? S/MIME just works in Outlook, and certificate management is about as easy as it can get with a PKI.
Now, why did Microsoft (and Netscape, Lotus, Novell, etc.) pick S/MIME over PGP?
Likely because the PGP web-of-trust model is impossible for non-technical users to understand. The WoT is still quite disconnected after all these years of PGP use. While in theory it scales infinitely, in practice it doesn't work out so well. S/MIME works just like SSL, meaning the user doesn't have to worry too much about trust, the computer handles the PKI work.
Also, at the time S/MIME was integrated into Outlook, PGP was text-only, while S/MIME offered HTML and attachment support. Very few programs supported PGP/MIME in any reasonable fashion back in the late 90s, and from what I can see the majority of PGP email use still seems to be text-only to this day.
I think it's been done. If you look at Off The Record encryption, it's almost as good as PGP and Just Works. I've gotten most of my Mac-using contacts to use it since it's bundled inside Adium. (I myself use gaim on Linux.)
PGP is a huge pain, but it does really neat stuff. Off The Record is easy to use, but not quite as powerful. (No web-of-trust, no "key generation", etc.)
My other car is first.
All you people who think we need to build better clients are crazy. It is the mail servers that need to do the job.
Making the mailservers enforce authentication of messages has its appeal but
I disagree, I don't want the mailservers restricting in that way what I can send.
What is needed is for mail clients to authenticate sent mail, and filter out
unauthenticated incoming mail BY DEFAULT.
Provide a traceable starter key with every operating system installation,
allow the user to opt out of using it if they wish, or change it.
There are free traceable keys available from several reputable sources,
and it would be difficult for spammers to obtain them in bulk.
Online databases could easily list spam source keys, and one could choose
a database to use depending upon what you want treated as spam.
A key would rapidly become useless as it is listed in such databases.
It would certainly still be possible to send spam, but it would become much less
economic to do it. The volume would collapse.
This can all be done within the current state of technology, and with minimum
pain to Joe Public. People are getting used to false positives in their email
filtering, and they would soon be telling their friends 'Sign the thing and
it will get through'.
Regular as clockwork, every couple of years, it seems someone has to wail "this can't keep going on!", as far back as the 80's when it was "USENET's saturating my modem link!" Then they'd double or quadruple the speed of the modems.
Humans adapt. That's why we're here. However they don't like to throw things out and start from scratch. Email's evolved considerably since the first messages were typed over arpanet, and it will keep evolving. That's the way things work.
(strongly resisting the urge to insert a creationism comment. Sit on your hands... Sit on your hands...)
The proponents of evolution must obey the laws of physics, while the proponents of intelligent design are not so constrained. You can't blame email for the crazy ideas, scams, belief systems foisted by one party upon another. It seems to be endemic wherever humans gather to communicate.
Email has no end of faults that could have been mitigated in some measure by a superior design. All the same, the battle has hardly been lost. Email bears no responsibility for the emergence of botfarms, it's just the unlucky target. If the argument is that we'll never eliminate botfarms, that the botfarms will always be with us, then I think we have far bigger fish to fry.
After we win the battle against the botfarms, perhaps our problems with email will no longer appear quite so dire.
Cities of significance emerged three or four thousand years ago. It wasn't until circa 1850 that sanitation and clean water were fully addressed, and even that victory has many loose ends remaining.
I was wondering why email could not sit on the sending party's server until I respond to a set of headers telling me I have a message to be picked up....
An incoming message to me would be a small set of headers telling me who sent the message and what the subject is, along with size, the location of the server, and authorization code so my client can grab the message if I tell it to do so. There would be settings in my client to always download from certain people so I really only need to review the unknown stuff.
This should cut down on traffic as I'm never going to pick up the body of a message I don't want, and that's 80% of the junk I get. A rejection function would make a nice option (for when you care enough to say "Bite Me") but for spam just let it sit on their server till they do something about it.
It should cut down on spam because the spammer becomes a sitting target with a ton of headers all pointing to the location of the offending server.
Same for phishing, send out the headers and hope someone bites all while you are sitting exposed at a known address? I don't think they would like that.
Very easy to report offending accounts or servers, if the message is to get through then the path pointing to it has to be valid.
For those doing legit mass mailing this should save bandwidth, one message on the server, many small headers sent. Only those truly interested pick up the message.
For legit mail providers the outgoing message could have an expiration time/date and that should save on the amount of "undeliverable" messages that ping pong around from spam and auto responders interacting. The user's client can clean up expired messages and inform the sender of the failure to deliver, more saved bandwidth.
Are there details to work out? Yup, tons of them. But I for one would love the fact that I don't have to download what I don't want... Kinda like having a trashcan next to my mailbox at home.
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
Nice. You get major props for use of the word "santorum-encrusted." Bravo.
You can't fight spam with heuristic filters. The only way to go is to use collaborative filtering, where millions of users participate in the filtering process and the outbreaks of spam, virus or phishing are detected and caught in a matter of minutes. Companies like Cloudmark provide this solution for free to end users, and several open source efforts are available as well.
it's called v-mail for short. you use this high tech device called a "phone". with the "phone" you call a number which represents an "address" for another "phone". if the person operating the other "phone" doesn't answer, you can leave a message called a "voice mail" or "v-mail" for short.
The unique part of this new technology is, anyone can use the "phone" device and many types of "phone" devices can be used because they all follow the same standards.
If that isn't enough please note that "phone" devices can be installed in other devices. Cars, computers, businesses, and even homes can have "phones" installed in them.
Having to work for a living is the root of all evil.
I believe that Jabber is the alternative. It is much like email in how messages are routed and it is not only presence and chat, you can also send messages much like email, the fact that the big majority of Jabber clients don't offer that feature is just a problem with those clients; not the protocol.
This idea grew in my mind when I saw an outlook-like jabber client.
Pupeno
But I think there are better things to do. For instance, setting up an international task force that does nothing but go after these bastards. Sort of a Jack Bauer / CTU kind of organization that tracks the sales these sites make and goes after them.
I agree with those who suggest that as long as there's email, there will be spam. Therefore, the only real option here is to make it not so profitable.
"...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
Software adjustments can be made, but with so many million domains run by so many admins, there's no-one who CAN keep tabs on abusers and do much about them. Back when the internet was mostly .edu .gov and .mil, each sysadmin would be responsible for his local users and abuse could be dealt with. Nowadays the worst an ISP does is close down an account that can quickly be replaced by another one for $25 or so.
.com = "on the internet" reflects a shift in the way DNS is managed?
The telephone comparison is interesting, as there are far fewer telephone carriers than email hosts. Phones are still subject to cold-callers, but where there are laws and do-not-call lists at least abusers can be traced.
Some have come to hate DNS Blacklist operators because it's often hard to get removed from a list, but if we really want secure email it will require a smallish network of trusted authorities with the power and willingness to investigate abuse and punish or restrict their clients. They also need to know that THEY will become untrusted if they don't.
Obtaining addresses and domains is too quick and too easy for DNS to be the key.
A certificate hierarchy can be superimposed and could be effective, but only if abuse is detectable, traceable, and known to be punished.
That is very different to what the Internet is today, but is not so different from where it started. Ever wonder why DNS is a hierarchy? Do you think the way everyone assumes
-- All your bass are below two Hz
Texting is replacing email for a lot of people, they already have cell phones and it is quick and easy and much less spam and works about the same way *and* das authorities will lay the hammer down hard if the actual phone service starts to become a corrupt anarchists playground like email has become. Phone service is just too important to the suits now, and texting runs off the phone services. More laws, more interest, and unlike email where any fool can have a thousand throw away email addresses (which is the main problem with email by far), a phone number costs real money to maintain. If an email addy cost you ten bucks an addy a year to hold and use, you wouldn't be so tempted to ignore it and treat it as a throw away. If emails addys had to be registered like a domain name in other words, we wouldn't have near as much trouble with them, as no spammer in the world would be able to come up with ten dollars an address to use for spam, and the addresses to be sent to would only be sent to a ten dollar a year address, no more dictionary crap addys sent out at random or created at random. this is what is wrong with email it is too cheap and easy to get addresses. I know around three years or so I just stopped using email as much as possible, because it had gotten so wretchedly bogus, it is limited now to sites that demand "email verification" for registration, such as this site, and that's about it. I use chat to gab with friends online, no need for slow email there. I do my netshopping over the phone after making my selections online, I don't email it in, because email sucks so why should I keep justifying it? If it is more than chump change, I still use postal mail, with a postal money order, because they have real federal cops who get real annoyed with any fraud action going on through the mails, much moreso than with the other shippers or scamsters like paypal.
Same reason I don't use web forms either unless forced to, no need, too insecure, I don't care if it has the letter s next to the http part, there's no cops or laws associated with it near as good as the old fashioned snail mail. I don't do casual conversations with people over email, I use my extremely cheap cell minutes or the chat.
Chat is morphing into the "phone call", with the ability to speak, see and be seen, and transfer files easily. Those two above technologies will be replacing conventional email and the traditional audio only phone call. Texting for quick and fast and cheap, the other because it is all encompassing in functionality.
I know this (well, I am confident in predicting it) because I study current/recent history and trends, a general rule of thumb is, what the young people adopt eventually becomes mainstream, because THEY become the accepted mainstream due to getting older. That's why I knew several years ago that linux would eventually supplant windows and mac, because the younger thinkers and doers were going to it, and the main reason I switched myself. I learned my lesson before, and can see from history that this is true more than not, abandon buggywhips at the first sign of the horseless carriage.
No one in 1986, before, during, or after has given much thought to, not only email, but the web and the internet as a whole. I'm sure many of you mishmash web sites together with the "help" of a dozen different and differing languages, methods, procedures and magic charms.
What a godawful mess it is to get anything to another user's computer in the same shape and form that you intended when you sent it to them. I'm talking either directly or through a server.
In reference to the web, there should be only one language needed. Instead we've got to use three or four crap-filled "languages" that all differ in syntax, keywords and grammar.
Puh-leez.
Programming under QNX has led me to consider writing a utility called "god.exe". It will do anything you want as long as you can remember the parameters to pass to it on the command line.
Fata viam invenient.
Nobody can h4x0r carrier pigeons so we should use them!
I am OUTRAGED by the FILTH I find on your webpage! This is NOT a good site for CHRIST it is EVIL and you should NOT HIJACK OUR RELIGON because YOU PROBABLY LOVE FAGS AND BLACKS!!! A GOOD CHRISTIAN is NOT OBSESSED with SEX and HORRIBLE SEX PRACTICES!!!!!
There are some brilliant tools available -- My way of thinking is, that there will be better tools available for use to cover those burning issues of clutter, speed and security. Small business has yet to really come to grips with the full array of IT opportunity available to them, such as the ability to use email as a valuable communication tool with clients and suppliers without massive attachments that really upset recipients, I have come across a very good and very inexpensive PDF suite of programs that will not only allow the obvious reduction in attached file size but completely outstrips Acrobat at all levels. It is worth a look the link is www.pdfaction.com I forgot to mention their creator program has a password security feature as well. I hope this is of some help Tony
The only acceptable number of false positives when filtering spam is zero. Email is a reliable protocol.
Unsolicited email can be avoided by establishing addressability on a per-relationship basis, with each party given a unique address to reach you. Any relationship that becomes abused can be easily identified and destroyed without affecting future correspondence from others. New relationships can replace old relationships. As long as unknown addresses remain free of spam, this continues to work.
We have all these various spam filters, right? Ones that are run by large providers (hotmail, gmail, yahoo), ones that are run by ISPs that do filtering, and ones run at the client level (the spam filtration on my Outlook). Now, if I am not mistaken, these all use some sort of probabilistic AI that "learns" over time how to recognize spam. The idea is that the more data you feed them, the more they fine-tune their filter until they become "well-trained" to recognize spam.
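One way the per-relationship addressing in the comment above could be implemented, as an added example that is not part of the original post: each correspondent gets a plus-tagged address carrying a keyed MAC, so an address cannot be guessed, a leaked one names the relationship that leaked it, and revoking it leaves the others working. The `user+party.tag@domain` layout, the class and method names, and the rule that untagged mail is refused are assumptions.

```python
import base64
import hashlib
import hmac


class RelationshipAddresses:
    """Mints and checks one unguessable address per correspondent."""

    def __init__(self, secret: bytes, user: str, domain: str):
        self.secret = secret          # known only to the receiving mail system
        self.user = user.lower()
        self.domain = domain.lower()
        self.revoked = set()          # relationships that have been destroyed

    def _tag(self, party: str) -> str:
        mac = hmac.new(self.secret, party.encode(), hashlib.sha256).digest()
        # 5 bytes of MAC -> exactly 8 base32 characters, no padding
        return base64.b32encode(mac[:5]).decode().lower()

    def issue(self, party: str) -> str:
        """Address to hand to exactly one party, e.g. at sign-up time."""
        party = party.lower()
        if not party.replace(".", "").replace("-", "").isalnum():
            raise ValueError("party label must be letters, digits, '.' or '-'")
        return f"{self.user}+{party}.{self._tag(party)}@{self.domain}"

    def revoke(self, party: str) -> None:
        """Destroy one abused relationship; other addresses are unaffected."""
        self.revoked.add(party.lower())

    def route(self, rcpt: str):
        """Classify an incoming recipient address as (status, party)."""
        local, _, domain = rcpt.lower().rpartition("@")
        user, plus, rest = local.partition("+")
        if domain != self.domain or user != self.user or not plus:
            return ("invalid", None)
        party, dot, tag = rest.rpartition(".")
        if not dot or not hmac.compare_digest(tag.encode(), self._tag(party).encode()):
            return ("invalid", None)      # forged or guessed tag
        if party in self.revoked:
            return ("revoked", party)     # this relationship leaked the address
        return ("deliver", party)


if __name__ == "__main__":
    # Constructed sample values: secret, user, domain and party labels are made up.
    book = RelationshipAddresses(b"constructed-secret", "me", "example.org")
    shop = book.issue("bookshop")
    print(shop, book.route(shop))
    book.revoke("bookshop")
    print(book.route(shop), book.route(book.issue("bank")))
```

Because the tag is recomputed from the secret, the receiver stores nothing per address except the revocation set.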
How about we get all of these individual filters to work together? They can feed their "observations" about how to recognize spam to some sort of Big MotherBrain AI. The MotherBrain will then update all the little clients periodically with its meta-observations.
I'm sure someone's thought of it before.
Are you on Windows and want email spam relief now?...
Start reading here.
I get no 'standard' spam now at iamcf13@hotpop.com, just an occasional 'bozo spam' (3-4 at the time of this post).
Kelly Martin, the article writer, 'gave up' on attacking the email spam problem at a fundamental level without having to change/overhaul the current email system.
I solved my spam problem with my program and offer my program free of charge to anyone else on the internet who wants to use it.
There are problems with email so we should stop using it? Isn't that like saying scrap all cars because there are potholes?
I'm a SYSADMIN and I'll tell you like I tell my users. 1 more time for the retarded:
DO NOT GIVE YOUR EMAIL ADDRESS TO PORN SITES ADVERTISING FREE ACCESS FOR YOUR EMAIL. IF YOU DO, THEN DON'T YOU F-ing DARE ACT SURPRISED WHEN YOU GET SPAMMED YOU WANKER.
DO NOT DOWNLOAD "FREE" SOFTWARE! IT IS SPYWARE, IT IS ALWAYS SPYWARE AND IT WILL ALWAYS BE SPYWARE- UNLESS ITS FROM SOURCEFORGE.
DO NOT DO THESE THINGS AND CRY TO YOUR SYSADMIN! I'm SORRY BUT I JUST CAN'T FIX IDIOCY. BOTHER ME ABOUT IT ONE MORE TIME AND I'LL SEND YOUR ADULT-BABY PORNO COLLECTION TO OUR COMPANY, BOARD AND PARTNERS MAILing LISTS.
Users really shouldn't be allowed to use my bandwidth. Hump!
Obnoxious sysadmin Bastard from hell
Is that a SCSI connector or are you just glad to see me?
>When enough people stop being click-happy... spammers will lose interest as no one will be paying for such a service, and phishers/spoofers won't find enough people to fall for their tricks.
That "enough" is a very large number. Spam is *cheap* to send. Spammers who rent botnets aren't even paying for the CPU and bandwidth. Until their average return per victim drops into thousandths of a cent (millicents?) they'll keep going. Then, once the economics don't work, we'll be treated to spam from political advocates and religious proselytizers who aren't in it for the money.
>Simply, educate people about this powerful tool before you throw them in!
Insightful. Why is that true of every powerful tool?
I was just curious: do you know where exactly that Thomas Jefferson quote comes from? A specific letter he wrote, or an essay, etc.? Thanks!
The reason that nobody has come up with a viable solution to SPAM (and on a derivative, viruses) is well summed up here: http://www.rhyolite.com/anti-spam/you-might-be.html
The main problem is that NO ONE wants to replace email with something closed, that will necessarily require putting power in the hands of either governments (X.509 certificates need to be associated to identities, meaning passport / ID card validation, etc...) or private companies (I'm sure verisign would love to do this. Or Microsoft with Passport, etc...). Secondly it's hell: managing large trust hierarchies (PKIs for example) are difficult and cumbersome: they are administrative burdens that will need to be regulated. Otherwise, yes, it's easy to start from scratch. Everyone will have to go to their local town hall / post office / verisign representant / Microsoft Identity Office, present a valid passport, and voila, you've got a certificate (valid 1 year!) allowing you to send mail. Email systems won't receive anything else than known senders (validated through a hierarchical directory system -- maybe LDAP if we're lucky, or the DNS), and only if the signature on your cert. says you've agreed to the terms and conditions of using the Great World Email system (you wish, there will never be that level of cooperation).
So yes, it will be a process run by the private sector. And we all know that spammers will never be able to buy valid certificates, right ?
BULLSHIT.
From the article:
The only solution is to start from scratch. Develop a new email system and make it secure. Use existing, proven technologies and a few new and novel ideas - starting with the latest encoding mechanisms, a reliable hashing algorithm, fast compression, strong encryption and signatures. Build an electronic identity. Encode, hash, encrypt, compress, sign, and provide a novel way to share keys when needed, for example. I don't know how this will all turn out, but perhaps yEnc, MD5, AES, H.264, and GPG are some potential technologies that could be used together
Well, just for the record, the PGP was used years and years ago. When it first came out.
I think that the Apple mail uses S/MIME, but I'm not sure. I had to buy a cert for it, just like I do with SSL on web sites. Outlook users had a hell of a time reading my email, and encryption didn't work at all for them. This was just last year.
The above is not worth reading.