NetWizard's OLD Blog
11/25/2003
 
RSS is great!
I recently took the plunge and tried out some RSS readers. I like the results - instead of checking websites for news, I can now work on things and have the headlines pop up in my systray or my phone. With a quick look I can see which headlines interest me, and which do not, saving on time and bandwidth.

I have tried out several RSS readers, and my current favorites are Nick Bradbury's FeedDemon for Windows (in beta), StandAlone's HandRSS for Palm OS and Sean Gallagher's News Spotter for Linux.

My current favorite feeds are: CNN, CNET News.com, GrokLaw, InfoWorld's top technology news, Kuro5hin.org, National Weather Service alerts, Microsoft Watch, Slashdot, The Register, Yahoo's Top Stories, and Wired News.
11/22/2003
 
Another Plan for Spam
There have been rumors for a few months about the secretive Microsoft / AOL alliance against spam. A recent story revealed some of those plans:

"One organization working on a sender-authentication mechanism is a commercial alliance comprising the biggest consumer e-mail providers: Microsoft, Yahoo, America Online and Earthlink."

"Under the proposal, ISPs and any other organization with their own domain name system (DNS) would use a private key in their mail servers to place an encrypted code in the header of each piece of outgoing mail. When the mail arrived at its destination, the receiving mail server would get the sender's public key from its DNS server to decrypt the header, thus verifying the message's origin.

If the message is spam, or even a legitimate marketing message the receiver doesn't want, then email from that DNS can be blacklisted, or automatically blocked. "Once you have identity, then you can establish reputation and trust," Libbey said. "Those are really important concepts in e-mail."

Yahoo has done some proof-of-concept testing of the idea internally, but the technology is still at the early stages of development and no timetable for general release has been set."
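The mechanism the article describes is a digital signature rather than "encryption": the sending server signs each message with a private key, and the receiver fetches the matching public key from the sender's DNS to check it. Below is an added Go sketch of that exchange, written for this page and not code from Microsoft, Yahoo, AOL or Earthlink (none of whom had published a protocol at the time). It assumes an Ed25519 key (the article names no algorithm), a hypothetical TXT record layout `<selector>._authkey.<domain>` and a hypothetical header carrying `d=`, `s=` and `sig=` tags; the "DNS" is an in-memory map so it runs offline. Beyond the article, it also shows the check a receiver cannot skip: a spammer with a valid key of its own still "verifies" unless the signing domain is compared against the From address.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Zone stands in for the sender's DNS: TXT record name -> base64 public key.
// A real receiver would query DNS; the in-memory map keeps the example offline.
type Zone map[string]string

// Message is a minimal mail plus the authentication header the sending server
// adds. The header layout (d=, s=, sig= tags) is this example's own, not a standard.
type Message struct {
	From, To, Subject, Body string
	AuthHeader              string
}

// recordName is the hypothetical TXT name under which a domain publishes its key.
func recordName(domain, selector string) string {
	return selector + "._authkey." + strings.ToLower(domain)
}

// canonical is the byte string both sides sign and verify. Header values are
// trimmed so relays that refold whitespace do not break the signature, and the
// key identity (d=, s=) is folded in so the header cannot be swapped.
func canonical(m Message, domain, selector string) []byte {
	var b strings.Builder
	for _, kv := range [][2]string{{"from", m.From}, {"to", m.To}, {"subject", m.Subject}} {
		b.WriteString(kv[0] + ":" + strings.TrimSpace(kv[1]) + "\n")
	}
	b.WriteString("d=" + domain + ";s=" + selector + "\n")
	b.WriteString(m.Body)
	return []byte(b.String())
}

// Sign is the sending server's step: sign with the domain's private key and
// record domain, selector and signature in the outgoing header.
func Sign(m *Message, domain, selector string, priv ed25519.PrivateKey) {
	sig := ed25519.Sign(priv, canonical(*m, domain, selector))
	m.AuthHeader = fmt.Sprintf("d=%s; s=%s; sig=%s", domain, selector,
		base64.StdEncoding.EncodeToString(sig))
}

// parseTags splits "d=...; s=...; sig=..." into a map.
func parseTags(h string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(h, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[kv[0]] = kv[1]
		}
	}
	return tags
}

// Verify is the receiving server's step: fetch the public key the header names,
// check the signature, then make sure the signing domain is the one the From
// address claims. Without that last check a spammer signs with a perfectly
// valid key of its own while forging someone else's From, and still "verifies".
func Verify(m Message, dns Zone) (string, error) {
	t := parseTags(m.AuthHeader)
	domain, selector := t["d"], t["s"]
	if domain == "" || selector == "" || t["sig"] == "" {
		return "", errors.New("no usable authentication header")
	}
	rec, ok := dns[recordName(domain, selector)]
	if !ok {
		return "", errors.New("no key published for " + domain)
	}
	pub, err := base64.StdEncoding.DecodeString(rec)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return "", errors.New("malformed public key record")
	}
	sig, err := base64.StdEncoding.DecodeString(t["sig"])
	if err != nil || !ed25519.Verify(ed25519.PublicKey(pub), canonical(m, domain, selector), sig) {
		return "", errors.New("signature does not verify")
	}
	if !strings.HasSuffix(strings.ToLower(strings.TrimSpace(m.From)), "@"+strings.ToLower(domain)) {
		return "", errors.New("signing domain " + domain + " does not match From")
	}
	return strings.ToLower(domain), nil // identity established; reputation lookups start here
}

// Setup generates a key pair for domain, publishes the public half in the zone
// under selector, and returns the private key for the sending mail server.
func Setup(dns Zone, domain, selector string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dns[recordName(domain, selector)] = base64.StdEncoding.EncodeToString(pub)
	return priv
}

func main() {
	dns := Zone{}
	priv := Setup(dns, "example.net", "nov2003")
	m := Message{From: "alice@example.net", To: "bob@example.org", Subject: "hi", Body: "lunch?"}
	Sign(&m, "example.net", "nov2003", priv)
	d, err := Verify(m, dns)
	fmt.Println("legitimate:", d, err)
	tampered := m
	tampered.Body = "BUY NOW" // altered in transit: signature no longer matches
	_, err = Verify(tampered, dns)
	fmt.Println("tampered in transit:", err)
	forged := Message{From: "ceo@bank.example", To: m.To, Subject: "urgent", Body: "wire money"}
	Sign(&forged, "example.net", "nov2003", priv) // spammer signs with its own valid key
	_, err = Verify(forged, dns)
	fmt.Println("forged From:", err)
}
```

Note that this only establishes which domain sent the mail; as Libbey says, reputation is a separate step, and the whole scheme is only as trustworthy as the DNS answer the receiver gets (a spoofed TXT record would let an attacker publish its own key for someone else's domain).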

11/18/2003
 
Comment on Mossberg's praise of C/R
This is written in response to a recent column by Walter Mossberg that was printed in the Wall Street Journal. In this column, Walter calls challenge/response technology "the only truly effective method for fighting spam". I sent the following response to Walter.

It is hardly possible to call C/R "the only truly effective method". A more accurate description would be "a rather effective method TODAY", as I am going to explain.

C/R systems take three different approaches [4]: (1) authenticating the sender, (2) making sure that the exact same message originated from the sender, and (3) making sure the sender is human by presenting a graphical puzzle (a reverse Turing test). There are numerous problems with all three approaches (see [4], section 2.2).

The first approach, in which the sender is authenticated by sending an email to his address, puts an additional burden on the sender. Many C/R systems are also not implemented properly [2][5] and end up challenging other machines or even each other [2]. Furthermore, nothing stops spammers from setting up automated systems that respond to such challenges [8]. Mailing lists are affected by C/R systems to such a degree that some list operators have refused to respond to C/R messages altogether because of the burden [8]. Additionally, given enough incentive, spammers can forge the return address of someone on the receiver's whitelist, which grants them access [2]. There are also numerous privacy issues [8].
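As an added example (not part of the original letter, and not the code of any C/R product it refers to), the following Go simulation models approach (1) and three of the weaknesses just listed: two C/R systems challenging each other's challenges until one of them applies a guard of the kind Templeton's principles call for (never challenge auto-generated mail, detected here through Auto-Submitted and Precedence headers, which is this model's assumption about how such mail is marked); a spammer forging a whitelisted return address; and the fact that nothing in the protocol tells a human answering the challenge from a script. Mailbox addresses, header names and the token derivation are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Mail is a minimal message for the simulation (constructed; no real mail parsing).
type Mail struct {
	From, To, Subject string
	Headers           map[string]string
}

// Verdict is what the C/R filter decided to do with an inbound message.
type Verdict string

const (
	Deliver   Verdict = "deliver"   // sender known, pass through
	Challenge Verdict = "challenge" // hold the mail, send a challenge back
	Drop      Verdict = "drop"      // automated mail that can never answer a challenge
)

// CRFilter is one mailbox protected by challenge/response.
type CRFilter struct {
	Owner     string
	LoopGuard bool              // if false, even auto-generated mail gets challenged
	Whitelist map[string]bool
	Pending   map[string][]Mail // held mail, keyed by lower-cased sender
}

func NewCRFilter(owner string, loopGuard bool) *CRFilter {
	return &CRFilter{Owner: owner, LoopGuard: loopGuard,
		Whitelist: map[string]bool{}, Pending: map[string][]Mail{}}
}

// Token is the secret the sender must echo back. A real system would derive it
// with a keyed hash; the fixed derivation keeps the example deterministic.
func (f *CRFilter) Token(from string) string { return "tok-" + f.Owner + "-" + from }

// isAutomated flags mail no human will ever answer: challenges, bounces, list
// and bulk mail. Challenging such mail is the classic C/R-versus-C/R loop bug.
func isAutomated(m Mail) bool {
	if as := m.Headers["Auto-Submitted"]; as != "" && as != "no" {
		return true
	}
	switch strings.ToLower(m.Headers["Precedence"]) {
	case "bulk", "list", "junk":
		return true
	}
	return strings.HasPrefix(strings.ToLower(m.From), "mailer-daemon@")
}

// Receive decides what to do with inbound mail. On Challenge it also returns
// the challenge message that goes back to the claimed sender.
func (f *CRFilter) Receive(m Mail) (Verdict, *Mail) {
	from := strings.ToLower(m.From)
	if f.Whitelist[from] { // the weak spot: the filter trusts the From header
		return Deliver, nil
	}
	if f.LoopGuard && isAutomated(m) {
		return Drop, nil
	}
	f.Pending[from] = append(f.Pending[from], m)
	ch := Mail{From: f.Owner, To: m.From, Subject: "Please confirm your message",
		Headers: map[string]string{"Auto-Submitted": "auto-replied", "X-Challenge-Token": f.Token(from)}}
	return Challenge, &ch
}

// Respond handles the sender's answer: a correct token whitelists the address
// and releases every held message. Nothing here can tell a human from a bot.
func (f *CRFilter) Respond(from, tok string) []Mail {
	from = strings.ToLower(from)
	if tok != f.Token(from) || len(f.Pending[from]) == 0 {
		return nil
	}
	f.Whitelist[from] = true
	held := f.Pending[from]
	delete(f.Pending, from)
	return held
}

// PingPong models two C/R users mailing each other for the first time and
// counts how many challenges fly before someone stops (capped at maxRounds).
func PingPong(a, b *CRFilter, maxRounds int) int {
	first := Mail{From: a.Owner, To: b.Owner, Subject: "hello", Headers: map[string]string{}}
	verdict, next := b.Receive(first)
	count := 0
	for verdict == Challenge && count < maxRounds {
		count++
		dst := a // the challenge lands in the other side's filter
		if next.To == b.Owner {
			dst = b
		}
		verdict, next = dst.Receive(*next)
	}
	return count
}

func main() {
	alice, bob := NewCRFilter("alice@example.org", true), NewCRFilter("bob@example.net", true)
	fmt.Println("challenges exchanged, loop guard on:", PingPong(alice, bob, 10))
	carol, dave := NewCRFilter("carol@example.org", false), NewCRFilter("dave@example.net", false)
	fmt.Println("challenges exchanged, loop guard off:", PingPong(carol, dave, 10))
	// a script that echoes the token is indistinguishable from alice herself
	fmt.Println("released by bot reply:", len(bob.Respond("alice@example.org", bob.Token("alice@example.org"))))
	v, _ := bob.Receive(Mail{From: "Alice@example.org", To: bob.Owner, Subject: "BUY NOW"})
	fmt.Println("forged whitelisted From:", v)
}
```

With the guard on, exactly one challenge is sent and the other side discards it; with the guard off, the two filters keep challenging each other until the cap. The last two lines of main show why identity matters more than the challenge itself: the token is answered by whoever holds the mailbox or a script that reads it, and once an address is on the whitelist, anything claiming that From address goes straight through.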

The second approach, in which the receiver asks the sender's server whether a specific message originated there, is not widely used today because no protocol exists to carry such a query [1] (the ASRG is currently considering one, called CRI [4]). The problems inherent in this approach are the lack of a standard protocol [1], the inability of travelling users to send email from a different server [1], and the need for the sender's server to keep copies of all sent messages, which raises significant privacy issues [1].

The third approach, the most popular today, includes in the challenge message an image (or a link to one) that presents the sender with a puzzle, usually some distorted letters or numbers, that cannot readily be recognized by a computer but can easily be read by a human being. These are called "reverse Turing tests" [4]. There are numerous problems with these tests. First, they cannot be used by disabled users [4], as the W3C recently pointed out in its draft on the issue [6]. Second, it has not been proven that these images cannot be recognized by a computer, and some approaches have already been broken by spammers. Third, given enough incentive, a spammer can hire people in developing countries to answer the challenges and still retain the cost advantage [8].

However, the best example of spammers' ability to innovate is the recent discovery of a spammer who set up a free porn site that serves a Turing test challenge every five or ten images. Visitors to the site answered the challenges, solving the spammer's problem for him [7]. Although this particular scheme targeted registration forms rather than C/R systems, the point is the same.

While challenge/response is an effective method of fighting spam today, with some anti-spam companies that deploy the technology reporting block rates above 99%, it is not the ultimate or the "only" solution to spam. Moreover, the percentage of deployed C/R systems is so low that spammers have no incentive to break them [8]. This is akin to a security product that has never been tested in public: until attackers actually start attacking it, one cannot claim that it is effective. The real test of C/R will come once a significant number of C/R systems are deployed and spammers try to break them. Only then will C/R technology either win or fall by the wayside like many others.

Therefore, challenge/response is only one of many tools used to fight spam, and cannot be called "the only truly effective method" by any stretch of the imagination. One thing to keep in mind is that C/R addresses the problem of forgery in email [1], which is a general authentication problem with many solutions. C/R is not the only solution to that problem; there are many others, which may or may not work better [1][2]. Putting things in perspective, the spam problem has many facets, and authentication against forgery is only one of them. An effective response to spam requires a combination of efforts on many fronts, including technical, legal, and social. Even within the technical realm, an effective solution requires an ongoing, adaptive effort, with stochastic rather than complete results, using multiple adaptive techniques [3].

References:
1. Leibzon, W.; "Email Path Verification", ASRG,
http://www.elan.net/~william/asrg-emailpathverification-presentation.pdf
2. Levine, J. R.; "Technical Responses to Spam", Taughannock Networks,
http://www.taugh.com/spamtech.pdf
3. Crocker, D., Levine, J., and Schryver, V.; "Technical Considerations for Spam Control Mechanisms", ASRG,
http://www.ietf.org/internet-drafts/draft-crocker-spam-techconsider-02.txt
4. Dean, E., and Shafranovich, Y.; "Challenge / Response Interworking (CRI) Framework for Challenge / Response Email Systems", ASRG,
http://www.ietf.org/internet-drafts/draft-irtf-asrg-cri-00.txt
5. Templeton, B.; "Proper principles for Challenge/Response anti-spam systems",
http://www.templetons.com/brad/spam/challengeresponse.html
6. May, M.; "Inaccessibility of Visually-Oriented Anti-Robot Tests: Problems and Alternatives", W3C,
http://www.w3.org/TR/turingtest/
7. Spice, B.; "CMU student taps brain's game skills", Pittsburgh Post-Gazette,
http://www.post-gazette.com/pg/03278/228349.stm
(see also: https://www1.ietf.org/mail-archive/working-groups/asrg/current/msg07899.html)
8. ASRG Mailing List,
https://www1.ietf.org/mail-archive/working-groups/asrg/current/maillist.html
http://news.gmane.org/gmane.ietf.asrg

11/14/2003
 
Added PGP key
I finally got around to installing GnuPG into my Mozilla client with EnigMail for Mozilla. Going over my ancient keys, I discovered one from back in 1995 when I used PGP 2.x. Well, I decided to get a new key, so here it is.
 
Changes at the ASRG
A leadership change took place today at the ASRG. My co-chair in the group, Dr. Paul Q. Judge of CipherTrust, stepped down and was replaced by Dr. John R. Levine of I.E.C.C. (in case you are wondering, it stands for "The Invincible Electric Calculator Company" according to the homepage :) ).

On a related note, my company's ISP suffered a DDoS attack. I wonder if this has any relevance to my work in the ASRG, especially considering the recent attacks on Spamhaus.

P.S. I got linked from someone else's webpage, thanks katie-and-rob.org.

11/06/2003
 
SPEWS and CAPTCHAS
Well, it seems that SPEWS is back, no explanation on what happened of course.

Also, today I ran across an article about how a spammer was able to defeat the visual Turing tests used by some C/R systems:
But at least one potential spammer managed to crack the CAPTCHA test. Someone designed a software robot that would fill out a registration form and, when confronted with a CAPTCHA test, would post it on a free porn site. Visitors to the porn site would be asked to complete the test before they could view more pornography, and the software robot would use their answer to complete the e-mail registration.

This was originally posted on Matt McCay's weblog. There is also a weblog entry by Liudvikas Bukys asking for specific examples such as this one.
11/05/2003
 
SPEWS.ORG domain name has been killed
According to WHOIS records at PIR, the domain name SPEWS.ORG has been deactivated:

Domain ID: D74783489-LROR
Domain Name: SPEWS.ORG
Created On: 07-Jul-2001 19:50:12 UTC
Last Updated On: 03-Nov-2003 15:44:43 UTC
Expiration Date: 07-Jul-2008 19:50:12 UTC
Sponsoring Registrar: CSL Computer Service Langenbach GmbH (R25-LROR)
Status: INACTIVE

The name server points to INVALID-ADDRESS.JOKER.COM. Looks like the spammers are at it again. For those who want to get to SPEWS, use SPEWS.US. There is also a Usenet thread on this.
11/03/2003
 
When Big Companies Send Spam - No one cares
Among the tons of spam that I usually receive, two particular pieces have caught my attention. One was an advertisement for some photo-mosaic thingy BUT it was sent to an email address at my domain that has only been used for one single company - Godiva Chocolate. Now their privacy policy OBVIOUSLY states that they WILL NEVER sell your information. Well guess what - they LIED!!!!! And to rub it in, they are even certified by the BBB. I have emailed them but so far - no response. If my second email does not get a response, it is time to go to the BBB and the FTC (yes, privacy policies can be enforced by the FTC).


Exhibit #2 is an email received today on behalf of Gartner, Inc. and sent by Exact Target, LLC of Indiana. OF COURSE they have a no-spam policy and a privacy policy TOO. Well guess what - the address they emailed is the one used for my cell phone, which I NEVER share with anyone since it sends messages DIRECTLY to my phone. Now surprise, surprise - so much for "opt-in" and "anti-spam policies".


To make things more interesting, Gartner is based in Connecticut and the company that actually sent the email in Indiana. BOTH states have anti-spam laws (see SpamLaws.com). The Indiana one requires "ADV" and an unsubscribe link, BOTH of which were absent. So I FAXED them a letter with the original spam message (all 16 pages of it, he he), and we'll see what happens.


The lesson of this is that even the big guys indulge in spam no matter how loudly they may scream that they don't. Perhaps the consent framework or a Federal law is the only thing that can stop them...


For interested parties, I saved copies of both spam emails; contact me if you want to see them.
11/02/2003
 
New Draft of the Consent Framework and Java Musings
Almost forgot to mention - a few days ago I posted a new draft of the consent framework. This draft (v0.03) has less insurance-policy language and more plain English, plus some pictures.


Another thought while I am at it: if you ever use Java Servlets and wonder why everything stops working after switching a form to multipart/form-data, it's not a bug but a feature (the servlet API does not parse multipart request bodies, so request.getParameter() comes back null). Pick up a copy of the Apache Commons FileUpload package to fix the problem.
 
Some housekeeping
It's been a while since I updated my homepage, so tonight I decided to do a little housekeeping: just some links added, and a copy (PDF / PPT) of my presentation from the Open Group meeting.

I recently got the new Handspring Treo 600 with a camera and am currently experimenting with a picture moblog. So far the only thing that has made it there is the cat but I am hoping to find some more novel pictures to post.

This month I also switched hosting from my company to a weird new provider called "1 and 1" - they are offering three years of FREE hosting, so I jumped at the deal. Considering that some of the stuff on my site might get Slashdotted due to the ASRG affiliation, I'd rather not take chances with my company's system but with someone else's - especially if it's free!

Unfortunately, in the process of switching, a rather weird thing happened - all email to my domain bounced for about two days. That is the longest either my personal or business email has been down, EVER. I had a very weird, disconnected feeling when that happened.

Powered by Blogger Visit my homepage @ [ShafTek.org]