Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Giant Octopus |
| The Topology of Covert Conflict »
February 4, 2006
Cartoon on Spamming
User Friendly on the topic.
Posted on February 4, 2006 at 10:04 AM
• 11 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
When my customers ask me how to keep viruses/ spyware/ spam from messing up their machine, they look at me funny when I tell them it's because of the loose nut behind the keyboard.
yes, but some people say it's our job to make the systems nut-proof. But of course that mostly includes a one-for-all care-free package, which usually doesn't work without a smart userbase (and sometimes even doesn't work with)...
PS: User Friendly got on the topic earlier... (and, its a one-for-all care-free solution to spam :) )
I always thought spam was a problem to do with anonymity. Give all people the electronic signature so that we can all block all email at the pop server level that is not signed by at least a class 2 certificate.
Security technick is not with the Web log particularly importantly only most Shop owner (where data are exchanged) to take that so seriously "unfortunately!" I have data with my Shop where to be exchanged a SSL line. The remainder is normal. Which is however new is a barrier-free Web entrance for blind humans. beautiful greets from Austria Manuel
We can, of course, already do this quite easily (except for the fact that the stupid CA industry has made certificates unaffordable for most people .)
The question is, will this achieve much? Most spam is already being sent from compromised home PCs with permanent connections. In that case, the cert might help you identify the victim PC a little quicker, but the problem is not finding infected machines, it's keeping up with new infections!
Further, obtaining a class 2 certificate on-line requires only matching submitted data against commercial databases. We already know how easy it is for an attacker to get information that will match that commercial database; that's how he got the credit card data he's using to pay for the cert! Some individual CAs have slightly stricter requirements, but not much stricter, and many don't do anything else at all; the attacker will go for the "lowest common denominator", which means that class 2 certificates in practice are not reliable.
Finally, it stops me from sending my PGP signed email to a friend with an efficient client based filter, a _more_ secure process but one which doesn't give any money to Verisign....
1. I just finished reading a proposal for Australian banks to issue digital certificates to their customers. The analysis comes up with $100 as a reasonable price to charge for this service -- but almost every step of the calculation is wildly exaggerated, from the ridiculous arguments for valuing a bank clerk's time at $100/hr ex profits (a more realistic rate is about $40/hr, including wages, office rental, power etc.), through to charging $2.50/ea. for a floppy disk (about 5 times the retail price for small quantities) or $5/page for laser printer printouts (about 50 times the real cost, including printer depreciation).
Banks are about the last place to look for the provision of services to customers at a good value for their money. More fundamentally, however, what business does a bank (or a CA, for that matter) have issuing identification documents? None.
The private sector really has no more business providing electronic ID than it has business providing physical identity documents. Just as it's the government's job to issue birth certificates, passports, identity cards, and driver's licences, it should be the government's responsibility to issue certificates. This is especially true given that certificates are increasingly used in online transactions that have the same degree of gravitas that identity documents are used in the physical world.
> Give all people the electronic signature so that we can all block all email
> at the pop server level that is not signed by at least a class 2 certificate.
This is not necessarily a bad idea (email, on the whole, needs a serious redesign given the changes in use case over the last 30 years), but the solution isn't that simple. Are you talking about issuing a cert to just mail servers (only signed SMTP servers can send mail) or issuing certs to all accounts (only email signed by a user can be accepted)?
If you're talking about signing at the user level, you basically lose all anonymous email (and yahoo, gmail, hotmail, etc. will all fight to keep their market presence). If you can't get everyone to adopt it, then nobody can send you mail, and that sort of defeats the purpose of having a mail service. You become the one early adopter of the fax machine.
Even for legitimate mail... can you imagine the logistics of certificate management in your average 1,000 plus member organization? Out of 1000 users, you're going to have a percentage who at any given time have forgotten the passphrase to their key. You need to have a procedure in place to revoke their old certificate (and unfortunately most client software has little or no ability to check for revoked certificates) and issue them a new certificate, and that procedure has to be essentially instantaneous. If it's not, the first time a salesman loses a big client because they can't send mail for approval to the CEO your certificate plan is going to die beneath the wheels of business pressure.
It's really easy to issue certificates, but it's a giant pain to revoke/reissue them.
If you're talking about signing at the server level, any organization with enough mail servers (and this again includes all of the free mail services) is going to have problems with their certificate management.
We once tried to force FQDN name checking during the HELO exchange on our mail cluster, since 99.99% of spam comes from machines that aren't listed as an MX somewhere. It was effective (our mail cluster immediately starting rejecting over 90% of our incoming mail, 99.999% of which was spam), but crippling in other ways. First, Outlook won't provide a FQDN during HELO - it gives the NetBIOS name of the host (so some users couldn't send mail). Second most Exchange servers aren't configured properly to give a FQDN in the HELO (another NetBIOS naming issue), so a lot of people sending legitimate mail were denied. Finally, large mail clusters (like yahoo's free mail) occasionally had a server with a bad DNS entry, so they were denied.
It only took a few instances of users not getting mail they were expecting for the word to come down that the check had to be removed.
Pat Cahalan made good points about why certificates won't necessarily eliminate spam. I'll add one other factor: compromised machines or users with valid certificates.
Yes, emails senders could be made to authenticate themselves each time they send a message. Pins, passphrases, biometrics, etc. and each one of these could be co-opted.
Moving onto something else about spam, there are interesting economic factors. Most spam exists because the profits are there. The costs to the spammers are relatively low and even if a tiny percentage or recipients buy, a profit can be made. Part of this is the sender pays little but the recipients, at least in the aggregate, pay more. (e.g;.; dial-up fees, value of time, etc.)
Remind me of the British postal system in the earlier parts of the 19th Century where the sender paid nothing and the recipient paid for the postage. One could go broke by being popular.
(Historian Paul Johnson described this in one section of "The Birth of the Modern".)
> It only took a few instances of users not getting mail they were expecting
> for the word to come down that the check had to be removed.
It's a shame you had to remove the check, and not just the denial. I've worked many a place where checks of this nature are applied, but mail isn't rejected -- rather, a header or two are added with a representation of which checks fail. These messages are then delivered to the users' SPAM folders in IMAP. When an expected mail isn't found in a user's inbox, they are instructed to look throug the SPAM folder.
The SPAM folder expunges messages over a few days old (15 in the last place I worked that did this).
This makes sure users can always get mail they need, with two bonuses:
1. Users have a better idea of the rarity of false positives,
2. and a better idea of how much spam they don't have to deal with because of the filtering.
After my previous comment about economic factors, especially "recipient pays", for email and spam, I found this BBC news item:
E-mail charging plan to beat spam
Big net firms are trying to stop spammers by charging to deliver e-mail messages.
AOL and Yahoo plan to charge fees of up to one cent (US) per message to those that sign up for the service.
Paying the fees means that messages will not go through spam filters, are guaranteed to arrive and will bear a stamp of authenticity.
Both AOL and Yahoo said they would start offering the service within the next few months.
"Stamp of authenticity"? No, no, I won't venture into comments on that.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.