Slashdot Mirror
US Military Looks For Massive Spam Solution
Several users have pointed out a recent request to technology companies from the Defense Information System Agency for ideas on how to build an e-mail defense system to catch spam. The solution would have to scan about 50 million inbound messages a day across some 700 unclassified network domains. "Defense currently scans e-mails for viruses and spam coming into systems serving the military services, commands or units. DISA wants to extend the protection to the interface between the Internet and its unclassified network, the Non-classified Internet Protocol Router Network. The agency also wants the ability to scan all outbound e-mails from the 5 million users. [...] DISA's request ties in with recommendations that the Defense Science Board issued in April that said Defense is more vulnerable to cyberattacks because of its decentralized networks and systems. The board envisioned a major role for DISA in developing the architecture for enterprise-wide systems."
Nuke spammers from orbit.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Seriously, it's less than two dozen guys pumping out 90% of the spam in the world. I would guess that the law enforcements and militaries of the world should just do their jobs and apprehend these criminals.
I'd certainly appreciate real action like getting rid of spam than for the CIA/US Military to spend time chasing down far fetched terrorist plots. I'm constantly stunned that given the damage spam creates, special branches aren't more active in tracking and _eliminating_ the sources of these things.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
That's because you want a router to do something it doesn't care about. That would require full layer 7 visibility on the router - then it wouldn't be nearly as good at doing what its supposed to: routing.
Most routers rarely look above layer 3. Occasionally they'll do some layer 4 stuff, but that is best left to firewalls or load balancers.
Also, routers aren't programmed to ignore DOS attacks. They're programmed to ignore very specific types of DOS attacks, sometimes.
.
For this rare instance I would certainly condone a few black ops. Find the people who are responsible, capture them, torture them and if they are bad enough, kill them. When there is money involved, it should be trivial to follow that money back to the people who collect it.
This also gives me a great idea for a movie sequel to "Taken." '...I have a very special set of skills... I will find you and I will kill you.' '//good luck//'
Yeah, I would totally watch that...
The Defense Information Systems Agency advocates a
(X) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. The idea will not work. Here is why it won't work. (One or more of the following may apply to this particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(X) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
(X) Susceptibility of protocols other than SMTP to attack
(X) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(X) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(X) Ideas similar to this are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(X) Blacklists suck
( ) Whitelists suck
(X) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(X) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(X) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(X) I don't want the government reading my email
(X) Killing them that way is not slow and painful enough
Furthermore, this is what I think about them:
( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and they're stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
I am officially gone from
Change the word table from:
"Bomb", "Terrorist", etc...
to
"Penis", "Pen1s", etc...
then
Give Chuck Norris a call.
The only solution is to make a system that uses a whitelist. But whitelists suck. So we need a whitelist that doesn't suck.
The first step is to have all the email clients start digitally signing emails. It is trivially easy to forge the headers on an email, so it would be stupid to trust them for identity information.
The second step is to have email servers check the identity against the whitelist. If the digital signature is invalid, or the credentials are forged (message was digitally signed, but the announced public key of the sender doesn't match) the message is trashed, with no error message sent. If the signature checks out, but the sender was not on the whitelist, the message bounces back to the sender, with an explanation ("you weren't on the whitelist, sorry").
Okay, but whitelists suck. If my best friend from college wants to track me down and send me an email, I want him to be able to do that; but I don't know his email so he's not on my whitelist. So, we need a solution to this problem.
My proposed solution is that your email server should advertise a list of ways that you will accept to bypass your whitelist for a message. One possible way: attach a micropayment of five cents. Another way: attach a certificate showing that your computer worked for an hour on some worthy problem like protein folding at home or something. Another way: here's a URL of a web page; it contains some riddle... attach the answer to your email. I'm sure you can think of other schemes to make it possible for a friend to bypass your whitelist while not enabling zombie Windows clusters to spray spam into your inbox.
There are other refinements possible. Your whitelist can accept, not just individual signatures, but "badges" from some organization. So, anyone from Mozilla.org can attach a Mozilla.org badge to their emails, and I can allow all Mozilla.org emails through. IEEE member badge, SourceForge.net badge, Apple.com badge, go nuts. Even an organization of "I Swear I Will Never Send Out Spam". The key with the badges is that, if you get kicked out of an organization, you have to lose access to the badge. One simple way would be for the check to be live: if you attach a Mozilla.org badge, the Mozilla.org server had better agree that your identity is one known to it.
The current email system is a "Default Permit" system (the #1 dumbest idea on this list). It has to change.
This system would run on the infrastructure we already have, with a few additions. You could have one account with the whitelist, and another account without... but the one with the whitelist is the only one that pages you, or whatever. The important thing is that this doesn't require everyone in the whole world to adopt it before it starts to become useful. Mailing lists would still work, because when you sign up for a mailing list you would add that mailing list identity to your whitelist (probably a badge, such that members of the mailing list are then cleared to email you directly, through the badge).
Someone may claim that validating public key signatures is computationally expensive. No, not compared to running complicated heuristics over the content of a message, trying to guess whether it's spam or not (SpamAssassin and other systems). With this system, the server doesn't attempt to classify a message. Either it passes the whitelist, it's bounced back to the sender, or it's deleted. Done.
Now, if you have found a hole in this idea, you will score bonus points by explaining how to fix it, not merely pointing out that I am an idiot.
steveha
lf(1): it's like ls(1) but sorts filenames by extension, tersely
9 servers. 50 million messages a week. Those 9 servers cost maybe $3,000 each. We have 9 servers because we want some redundancy. So let say you multiply that by 7. So you get ~50 machines to handle the army's volume. $150,000. Plus all the extras, so multiply that by 6. That's about a million dollars.
Seriously? From the article they say it would cost $100 million. Do you really think that is going to cost $100 million dollars? Seriously?
WTF. I need to become a DoD contractor.