It's precisely the false positives that prevent spammers from harvesting valid e-mails by diff'ing. And no, it's not practical for OTHER uses. But in this case, there's only ONE use: Remove (at least) all the known entries in the e-mail list.
IMHO I'd boost the hash size to 40 or 48 bits to reduce the unintended false positives, but the false positives only affect the spammers, not us.
Blurry hash was developed by Blue Security to safeguard the content of the Registry from being jeopardized by malicious hackers. It is an evolution of traditional hashing methods that ensures that even brute force attacks are futile.
Traditional hashing solutions use one-way encryption methods that transform clear-text data into a pseudo-random bit sequence. For example, hashing each Do Not Intrude Registry entry transforms the e-mail address into a 128-bit string.
The idea behind Blue Security's blurry hash is simple. The process starts by using a standard hash function to calculate the 128-bit hash values of the e-mail addresses in the Registry. The output is then trimmed to a shorter sequence (e.g., 30 bits). A large number of random 30-bit values are then added to the list to create the Do Not Intrude Registry.
Blurry Hash mitigates the privacy risks associated with publishing the Registry:
* Using addresses removed from the spammer's original mailing list.
When a spammer notices that an e-mail address has been deleted from his list, he has no way of knowing if it was filtered because it was a legitimate user's e-mail address, a honeypot address or a random entry in the hashed Registry.
* Dictionary Attacks
A spammer may also attempt to uncover the registry's content using dictionary attacks. These attempts are worthless due to the random information in the Registry that ensures that some percentage of e-mail addresses enumerated by the spammer will match hashed registry entries, even though they are not actually listed in the Registry. Hence, a spammer will not be able to tell whether the matches are valid e-mail addresses.
I find this very interesting. If an e-mail has one (and only one) MD5 hash, it also has one and only one 30-bit prefix of an MD5 hash. For practical purposes, it's equivalent.
This Blurry Hashing was reviewed in the Spam Kings blog, and it appears to have a 1/1000 probability of false positives, but who cares? It works!:)
Regarding submitting the e-mail list, apparently the entire hashed list is downloaded (a few megs) and processed locally via software. I haven't checked if the "do not intrude" checking tool is published in the source code. But just knowing that Blue Frog is open source, is a relief.
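The scheme quoted above, as an added toy implementation (not Blue Security's or Blue Frog's code): MD5 each address, keep 30 bits, pad the registry with random 30-bit values, then scrub a mailing list against it. Which 30 bits the real registry kept, the lower-casing of addresses and the chaff count are assumptions; the sample addresses are constructed.

```python
import hashlib
import random

HASH_BITS = 30  # truncation width quoted in the thread


def blurry_hash(address: str, bits: int = HASH_BITS) -> int:
    """MD5 the normalised address and keep only its leading `bits` bits.

    Which 30 of the 128 bits the real registry kept is not stated in the
    thread; taking the leading bits (and lower-casing) is an assumption here.
    """
    digest = hashlib.md5(address.strip().lower().encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def build_registry(addresses, chaff_count, bits=HASH_BITS, seed=None):
    """Truncated hashes of the real entries plus `chaff_count` random values.

    The chaff is what makes the registry 'blurry': a hit may be a real
    subscriber, a honeypot or a random value, and nothing distinguishes them.
    """
    rng = random.Random(seed)
    registry = {blurry_hash(a, bits) for a in addresses}
    target = len(registry) + chaff_count
    while len(registry) < target:
        registry.add(rng.getrandbits(bits))
    return registry


def scrub_list(mailing_list, registry, bits=HASH_BITS):
    """What the cleaning tool does: drop every address whose hash is listed."""
    return [a for a in mailing_list if blurry_hash(a, bits) not in registry]


def false_positive_rate(registry_size, bits=HASH_BITS):
    """Chance that an address NOT in the registry is scrubbed anyway.

    At 30 bits, about 2**20 entries give roughly 1/1000 (the figure quoted
    in the thread); widening to 40 bits cuts that by a factor of 1024.
    """
    return registry_size / 2 ** bits


if __name__ == "__main__":
    # Constructed sample data, not real registry contents.
    registry = build_registry(["alice@example.org", "bob@example.org"], 1000, seed=7)
    spam_list = ["alice@example.org", "carol@example.org", "Bob@Example.org"]
    print(scrub_list(spam_list, registry))  # ['carol@example.org']
    print(false_positive_rate(2 ** 20), false_positive_rate(2 ** 20, bits=40))
```

`false_positive_rate` makes the trade-off in the thread explicit: the rate depends on registry size over 2^bits, so the 40- or 48-bit widening suggested above lowers accidental removals while the random chaff still hides which removals were real.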
Blue Security sends an ANONYMOUS request to the spammer and gives him instructions to download SOFTWARE that will clean up their e-mail lists. What it does is hash each e-mail and check the database.
This way, no e-mail address is being released to the spammers. They could as well diff the lists to see which addresses were removed, but they won't get NEW e-mail addresses that way.
One thing is safe to know: At least the spammers are now PAYING ATTENTION to us. A year ago they didn't even know we existed. Then they tried to give bad publicity to Blue Security in anti-spam websites (they said bluefrog was a botnet).
Later, SendSafe included an option to use bluefrog's list to NOT send spam to those addresses.
Finally, they're targeting us directly. You know what that means B-)
Also, I doubt the database's been compromised. I'm sure they only diffed the original and the filtered e-mail list. This means that only a small percentage of e-mail targets has been truly released.
If spammers begin writing to us, they'll only increase the form spam they receive.
PLUS! The blue security e-mail database contains a bogus honeypot address per each valid e-mail address.
If this rumour is true, it will be a fatal mistake for the spammers. Because the blue community are ALREADY fighting back. Not only with form complaints on the spammers' websites, but with FORMAL complaints to the FCC, geocities, Microsoft, the MPAA and the FDA about illegal offers.
I joined Blue Security because I already receive 100 spam mails PER DAY. Do you think it'll make a difference whether I receive 100 or 500 e-mails a day? (99.9% of it is sent to my junk-mail, where it's fed back automatically to Blue Frog)
I feel no mercy for spammers. That's right, you're messing with the wrong guys. The release of this list will only make us MORE POWERFUL.
Do you feel lucky? PUNKS?
P.S. Interesting - the captcha for this post was "predate". I like it. B-)
All I read about Web 2.0 is that it's a bubble, a new name for already working technologies... but with all this new publicity I ended up knowing nothing.
Can anybody tell me WTF Web 2.0 is (supposed to be)?
For whatever reason, most /.'ers seem to be under the impression that somehow, Intel is inexorably related to an evil scheme by Microsoft/SomeCorporation, Inc. to consistently screw over the consumer.
And artificially doubling the prices of their CPUs isn't?
Has anybody seen that movie? It's a classic. Passwords for data stored into your brain implants were pictures.
In the case of our hero, the password was the picture of a specific woman. Unfortunately the overload corrupted half of the image. With the help of a dolphin (whose intelligence was better than a genius') in a VR world, Johnny managed to get the missing half by mirroring the good half. After the password was obtained, the data could be released and they saved the world.
I loved this movie (despite the primitive graphics). It's a cyberpunk classic.
The way I see this working is having the micropump embedded INSIDE the chip so the surface can be attached to a heatsink and dissipate heat more efficiently.
Is this sad, but I consider that comment more insightful than funny. Actually I thought of my post weeks ago as a parody to the "freedom" that Linux zealots preach so much about. Why do they insist on KEEPING everything low-level and chaotic?
And they forget that it's the LACK OF STANDARDS that got us aberrations like ActiveX and ugly html.
"Thank you for trying out this free beta version of Microsoft Windows XP 0.91B (TM). Please register soon and get 1.0, with all the vulnerability bugs fixed!"
Bubble.
Apparently they're using MD5 hashes truncated to 30 bits.
From http://www.bluesecurity.com/technology/registry.a
Why not just sign spam@uce.gov up?
But they're ALREADY doing that! With fake e-mail addresses called honeypots.
then they laugh at you...
:D
then they fight you...
then you win
I think Parent was talking about Stallman, who wears sandals in his famous "St. Ignutius" picture.
Are they blessed? :P
I remember how SARS almost killed off the human race too.
Sorry, biology is WAY OFF TOPIC and doesn't apply here. Perhaps you'd like calling the people who DID die of SARS "just statistics".
Go find out for your fucking self
That'd be OK for me, if there wasn't a sea of DISINFORMATION around.
(BTW, thanks to the guy who provided the link to wikipedia)
Good point.
Is there a market out there full of people who want to use their portable devices in the least portable way possible?
The Castlevania: Aria of Sorrow for the GBA looked MUCH BETTER in a TV Set (or emulated in your PC) than in the GBA itself.
Yeah, you heard me right.
Yeah, but that other headline was so dull. "EA settles overtime lawsuit". Big deal.
How about this:
// You're putting all of us to shame
Stop_showing_off_your_geekness("This is a politics article, dammit");
Glad to see the doctors are finally putting away their butcher knives! :P
The coolant is supposed to be built in, doh.
Well, their webserver seems like it's been smoked
I really hope they have a backup handy.
XP is very stable.
:)
I agree, the botnet running on my cousin's PC hasn't crashed in months. Go, Microsoft!