I've already run into several situations where email delivery was compromised due to spam / graylist filtering. IMO: it's a no-win arms race that can only lead to further dissolution of the communications channel. Attempting to filter out the noise only leads to filtering out some of the signal in the process.
Can you think up an RFC that could solve the problem without some physical mechanism to track messages and owners of systems? I can't. This is not a purely technical problem, it is a problem of human behavior. For thousands of years laws and legal enforcement have been the only meaningful check against antisocial behavior. Can you write code (or propose an RFC protocol) that would do the same?
Yes, that would be another solution. If a public/private keypair were automatically generated from the OS authentication system, and then the email client automatically handled say an X509 exchange, one could certify that a specific human being sent a specific message. However, that would still be open to abuse for those with root privs. Such a system would require implementation everywhere - though I suppose so would a DRM like hardware standard as well.
I agree with everything you wrote, other than the value judgment on whether a hardware or OS level encryption system is a necessity. Whatever happens, the current system is broken and cannot be fixed without some enforcement mechanism. Also, I would argue that encryption is just one piece of the solution, legal enforcement has to come next. IOW: throw the assholes in the slammer. --M
That's a value question. Do you value anonymity more than security from criminals? Each person must make their own choice, I suppose. There are many who would argue that the destruction of anonymity will badly impact the right of political dissent. Just as there are others who argue that the right of dissent is of less importance than a functional email channel. It's a thorny issue. At the moment I fall in with the law and order crowd, if only because email is so dysfunctional now that it is straining under the load from SPAM. Why worry about the right to dissent when the very functionality of the system is under threat?
Who verifies the validity of that signature?
on
Spam Gets Personal
·
· Score: 1
That's really the question at the heart of all these smtp-auth schemes. At the hardware level you have an individual computer tied to a serial number and sales receipt. Once one can verify who owns the computer and that a message was sent from *that* computer and not some other computer, it then becomes possible for law enforcement to track down and stop specific systems from sending SPAM. It also becomes possible to track a variety of other illegal activities. Plus many legal ones.
Like I said, choose one: anonymity or protection from criminals. You can't have both.
yeah, those standards are badly broken
on
Spam Gets Personal
·
· Score: 1
That's the point. They don't deal with policing bad behavior during envelope exchange. And the only way to do this is to verify hostIDs in order to track the system to its owner. In the end, the only system that can possibly work will be one that forces people to be legally responsible for the traffic sent from their systems, with an enforcement mechanism.
My only problem with smtp-auth is that it represent a key validation mechanism and not a host validation mechanism. That is, one can assert that a sysadmin built a version of sendmail and generated a key for smtp-auth, but one cannot assert that a particular host *used* that key - only that a specific key was used in generating the authentication header. That's why I think it needs to be tied into a hardware level DRM or hostID mechanism.
As for delivery authentication, that's a another kettle of fish. Two systems point to point using host authentication could allow for a delivery authentication system though. It would simply be a matter of using each system's public keys to generate and exchange cryptographic signatures during envelope exchange. That is - one can verify delivery to a host using such a system, but not delivery to a user.
"The Inducement to Read Act" because I know they have already exceeded my threshold for expropriating money from my wallet. One could also try writing congress, but I've yet to receive a reply when doing so, even from a staff flack.
It's interesting that illegal immigrants have better organizational skills than US citizens. Actually, it's more pathetic than interesting. We have lost our republic.
to keep buying congresspeople off. If they keep trying one day they will win.
When dealing in huge volumes of humans
on
Spam Gets Personal
·
· Score: 2, Interesting
there will always be a relatively small percentage of people who show maladaptive behavior. Just as there is a much larger percentage of people willing to take advantage of those unable to control themselves. It's criminals and their victims vs. everyone else.
The solution is not to be found in expecting *everyone* to change their behavior, because such an expectation is bound to fail. The solution is to be found in tightening up the mechanism behind data authentication and transport, both with technology and laws. Just like as was one with snail mail in the past. At one point the government realized that mail needed to be stamped, tracked from post office to post office, and then hand delivered by someone responsible. Well, we needn't charge to stamp email - but we certainly need to stamp it with an immutable ID, track its movements from host to host with immutable ID stamps, and then authenticate delivery at a specific host.
This can only be done with cryptographic hardware installed on every machine, and a new SMTP protocol. Sucks, doesn't it. Bye bye anonymity, but at least it would get rid of spam. Pick your poison.
1) I'm talking about a work server which managed email for many hundreds of users, not my personal vanity domain.
2) It shouldn't matter. Though I do ask slashdot to bogusfy my email addy and right now they aren't doing a very good job of it.
USian snail mail: return receipt requested
on
Spam Gets Personal
·
· Score: 2, Insightful
I can't speak for UKian snail mail, but here in the US critically important mail -- usually legal mail -- is sent return receipt requested. Meaning that someone has to sign for the mail, and if no one is available to sign one must go to the post office to sign and pick up the letter.
There is nothing analogous to that in email. Primarily because there is no mechanism to first ensure authenticity and then ensure delivery. A public-key cryptographic system that used hardware level keys (or key generation) could at least ensure authenticity point to point during envelope exchange. Knowing for certain exactly which host sent a message would mean being able to track down hosts sending spam. It would also mean being able to reject mail from specific hosts, rather than ever shifting IP addresses.
I'm ready to give up on email because of the spam load. At this point I'm seeing mail servers with significant load simply for spamchecking, graylisting, and hanging up on bogus inbound connections. Face it, smtp doesn't work. It's a tragedy of the commons happening right in front of all of us.
We need something different that focuses on point to point authentication of hosts and users. Frankly, hardware DRM or immutable hostids build-on to motherboards might offer at least a host authentication solution. Not a popular suggestion, I know...
'cause I was led to believe you were a spiteful God, beholden to your followers, yet willing to wipe everything from the face of the earth when the Wickedness of Man triumphs. Could you, perhaps, square the Wickedness of Man stuff with that whole Internet Quality of Service regulatatory proposal crap?
just asking, God (please don't stike me down with a bolt of lightning!)
with the marketing of the 360? Curious, because based on the way I read your words you appear to have been privy to the actual decision-making within MS. Were you?
Why not just price the system dynamically. Shift prices once a week or once a month as the market demands? There's no hard and fast rule that MS (or anyone else) need to establish an MSRP and hold it for six months to a year.
Yeah. Mistake? Had they upped the price by $200, they probably could have gained several hundred million over that span of time. They could also have shifted the entire Japanese supply to the US, which would have alleviated the supply shortage here. What one could say is that they did not make best use of their supply and pricing potential. *shrug*
See this article which quotes Ebay CEO Meg Whitman, who claimed that as of Dec-12-05 of the 400,000 units sold at that time 10% had been resold though ebay. Pretty significant numbers, I'd say. If ebay is good for anything, it is to track current market rates for just about anything. The average pre-xmas price for a 360 was $718.00. That's several hundred dollars lost to MS per unit (or gained by the reseller, if you prefer).
Re:I think that's what they wanted
on
The 360 Is Too Cheap?
·
· Score: 3, Insightful
There was a fixed number of consoles manufactured prior to the Xmas season. By increasing price to the level of demand they would have upped their margin, which they might have liked. Or, perhaps unlike every other for-profit company, the simply don't care about such business-wonk stuff.
The original author claimed MS could have raised prices. The top-level comment poster disagreed. I argued back that high ebay prices showed what the market was willing to bear at that time. Your reply to me that they needed 'to get more consoles out there' is both true and irrelevant given what was available in the channel at that time. Are you arguing that MS could not have lowered the price once production increased to the point where the supply shortage ended?
Slashdot Mirror
was just fucking with him - trolling a hacker for laughs. Then it hits the press and NASA has a public relations problem on its hands. whoops.
D'OH!
Perhaps he should fix that by demanding CPU producers remove the NOOP instruction. That'll fix things!
I heard Katz is off writing about dogs and dog ownership these days. What a fall, eh?
Wasn't Dvorak predicting Apple would use Itanic and not X86? Was Dvorak really correct? Only insofar as that Apple chose the same supplier.
1) my points are baseless
2) flamebait!
3) hey, I might not be right but at least I'm fun to read...
4) M$ $uck3rz!!1!!
5) Hey, I own a Mac too!
6) Did I mention my employers advertisements? Could you buy something please?
7) I'm too old to find a real tech job. Thanks for the "work"!
8) Hey, Slashdot linked to me! Again and again and again! I must be doing something right!!!
I've already run into several situations where email delivery was compromised due to spam / graylist filtering. IMO: it's a no-win arms race that can only lead to further dissolution of the communications channel. Attempting to filter out the noise only leads to filtering out some of the signal in the process.
Can you think up an RFC that could solve the problem without some physical mechanism to track messages and owners of systems? I can't. This is not a purely technical problem, it is a problem of human behavior. For thousands of years laws and legal enforcement have been the only meaningful check against antisocial behavior. Can you write code (or propose an RFC protocol) that would do the same?
Yes, that would be another solution. If a public/private keypair were automatically generated from the OS authentication system, and then the email client automatically handled say an X509 exchange, one could certify that a specific human being sent a specific message. However, that would still be open to abuse for those with root privs. Such a system would require implementation everywhere - though I suppose so would a DRM like hardware standard as well.
I agree with everything you wrote, other than the value judgment on whether a hardware or OS level encryption system is a necessity. Whatever happens, the current system is broken and cannot be fixed without some enforcement mechanism. Also, I would argue that encryption is just one piece of the solution, legal enforcement has to come next. IOW: throw the assholes in the slammer. --M
That's a value question. Do you value anonymity more than security from criminals? Each person must make their own choice, I suppose. There are many who would argue that the destruction of anonymity will badly impact the right of political dissent. Just as there are others who argue that the right of dissent is of less importance than a functional email channel. It's a thorny issue. At the moment I fall in with the law and order crowd, if only because email is so dysfunctional now that it is straining under the load from SPAM. Why worry about the right to dissent when the very functionality of the system is under threat?
That's really the question at the heart of all these smtp-auth schemes. At the hardware level you have an individual computer tied to a serial number and sales receipt. Once one can verify who owns the computer and that a message was sent from *that* computer and not some other computer, it then becomes possible for law enforcement to track down and stop specific systems from sending SPAM. It also becomes possible to track a variety of other illegal activities. Plus many legal ones.
Like I said, choose one: anonymity or protection from criminals. You can't have both.
That's the point. They don't deal with policing bad behavior during envelope exchange. And the only way to do this is to verify hostIDs in order to track the system to its owner. In the end, the only system that can possibly work will be one that forces people to be legally responsible for the traffic sent from their systems, with an enforcement mechanism.
My only problem with smtp-auth is that it represent a key validation mechanism and not a host validation mechanism. That is, one can assert that a sysadmin built a version of sendmail and generated a key for smtp-auth, but one cannot assert that a particular host *used* that key - only that a specific key was used in generating the authentication header. That's why I think it needs to be tied into a hardware level DRM or hostID mechanism.
As for delivery authentication, that's a another kettle of fish. Two systems point to point using host authentication could allow for a delivery authentication system though. It would simply be a matter of using each system's public keys to generate and exchange cryptographic signatures during envelope exchange. That is - one can verify delivery to a host using such a system, but not delivery to a user.
Excellent reply, BTW. Thanks a bunch,
--M
"The Inducement to Read Act" because I know they have already exceeded my threshold for expropriating money from my wallet. One could also try writing congress, but I've yet to receive a reply when doing so, even from a staff flack.
It's interesting that illegal immigrants have better organizational skills than US citizens. Actually, it's more pathetic than interesting. We have lost our republic.
to keep buying congresspeople off. If they keep trying one day they will win.
there will always be a relatively small percentage of people who show maladaptive behavior. Just as there is a much larger percentage of people willing to take advantage of those unable to control themselves. It's criminals and their victims vs. everyone else.
The solution is not to be found in expecting *everyone* to change their behavior, because such an expectation is bound to fail. The solution is to be found in tightening up the mechanism behind data authentication and transport, both with technology and laws. Just like as was one with snail mail in the past. At one point the government realized that mail needed to be stamped, tracked from post office to post office, and then hand delivered by someone responsible. Well, we needn't charge to stamp email - but we certainly need to stamp it with an immutable ID, track its movements from host to host with immutable ID stamps, and then authenticate delivery at a specific host.
This can only be done with cryptographic hardware installed on every machine, and a new SMTP protocol. Sucks, doesn't it. Bye bye anonymity, but at least it would get rid of spam. Pick your poison.
Two reasons why that isn't a relevant point
1) I'm talking about a work server which managed email for many hundreds of users, not my personal vanity domain.
2) It shouldn't matter. Though I do ask slashdot to bogusfy my email addy and right now they aren't doing a very good job of it.
I can't speak for UKian snail mail, but here in the US critically important mail -- usually legal mail -- is sent return receipt requested. Meaning that someone has to sign for the mail, and if no one is available to sign one must go to the post office to sign and pick up the letter.
There is nothing analogous to that in email. Primarily because there is no mechanism to first ensure authenticity and then ensure delivery. A public-key cryptographic system that used hardware level keys (or key generation) could at least ensure authenticity point to point during envelope exchange. Knowing for certain exactly which host sent a message would mean being able to track down hosts sending spam. It would also mean being able to reject mail from specific hosts, rather than ever shifting IP addresses.
I'm ready to give up on email because of the spam load. At this point I'm seeing mail servers with significant load simply for spamchecking, graylisting, and hanging up on bogus inbound connections. Face it, smtp doesn't work. It's a tragedy of the commons happening right in front of all of us.
We need something different that focuses on point to point authentication of hosts and users. Frankly, hardware DRM or immutable hostids build-on to motherboards might offer at least a host authentication solution. Not a popular suggestion, I know...
'cause I was led to believe you were a spiteful God, beholden to your followers, yet willing to wipe everything from the face of the earth when the Wickedness of Man triumphs. Could you, perhaps, square the Wickedness of Man stuff with that whole Internet Quality of Service regulatatory proposal crap?
just asking, God (please don't stike me down with a bolt of lightning!)
with the marketing of the 360? Curious, because based on the way I read your words you appear to have been privy to the actual decision-making within MS. Were you?
Why not just price the system dynamically. Shift prices once a week or once a month as the market demands? There's no hard and fast rule that MS (or anyone else) need to establish an MSRP and hold it for six months to a year.
Yeah. Mistake? Had they upped the price by $200, they probably could have gained several hundred million over that span of time. They could also have shifted the entire Japanese supply to the US, which would have alleviated the supply shortage here. What one could say is that they did not make best use of their supply and pricing potential. *shrug*
See this article which quotes Ebay CEO Meg Whitman, who claimed that as of Dec-12-05 of the 400,000 units sold at that time 10% had been resold though ebay. Pretty significant numbers, I'd say. If ebay is good for anything, it is to track current market rates for just about anything. The average pre-xmas price for a 360 was $718.00. That's several hundred dollars lost to MS per unit (or gained by the reseller, if you prefer).
There was a fixed number of consoles manufactured prior to the Xmas season. By increasing price to the level of demand they would have upped their margin, which they might have liked. Or, perhaps unlike every other for-profit company, the simply don't care about such business-wonk stuff.
The original author claimed MS could have raised prices. The top-level comment poster disagreed. I argued back that high ebay prices showed what the market was willing to bear at that time. Your reply to me that they needed 'to get more consoles out there' is both true and irrelevant given what was available in the channel at that time. Are you arguing that MS could not have lowered the price once production increased to the point where the supply shortage ended?