Re: Remailers an unsolveable paradox?
This is a Type III anonymous message, sent to you by the Mixminion server at mercurio.mixmaster.it. If you do not want to receive anonymous messages, please contact [EMAIL PROTECTED]

-BEGIN TYPE III ANONYMOUS MESSAGE-
Message-type: plaintext

Nomen Nescio [EMAIL PROTECTED] wrote:

The ratio of remailer use to abuse is painfully low because there's no way to actually communicate. You can broadcast but not receive, because no system exists to receive mail pseudonymously. This is not communication.

Mixminion (http://www.mixminion.net) supports secure two-way communication. The current release uses an insecure mix algorithm which facilitates debugging. This will change.

-END TYPE III ANONYMOUS MESSAGE-
Re: Remailers an unsolveable paradox?
Tyler Durden wrote:

The hashcash idea is OK, and obviously will work (as of now...the dividing line between human and machine is clearly not static, and smarter spam operations will start doing some segmentation analysis and then find it worthwhile to pay up). But the kind of person that may have legitimate need of a remailer may not understand and/or trust what would probably be necessary to use hashcash. And OK that's their tough luck, but then I always feel there's safety in numbers.

Since you already have to use a special client to inject email to the remailer network, they would have no need to understand hashcash. It would just happen.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff
Re: Vote for nobody
Justin wrote:

On 2004-09-06T06:22:29-0700, Sarad AV wrote:

the election commission of india had a proposal to the govt. that the voter should be able to vote for 'none of the above'. Though one can predict that such a proposal will never be approved by the government, it makes a lot of sense. Is any other democratic country seriously thinking of implementing such an option?

If someone would vote for none of the above rather than write in his/her ideal candidate, that someone is a lazy oaf. Everyone who writes in a candidate is voting none of the above. The 50% of the U.S. population which doesn't vote is also voting none of the above in a way. There's a difference in that some non-voters may slightly prefer one candidate over another, but _assuming that everyone has an ideal candidate_ they'd be willing to go to the polls for, not voting is the same as saying all the candidates are significantly less than the ideal.

The difference being that in a system such as Sarad describes, if 'None of the above' gets more votes than any candidate, the election is declared void and a re-election is called (possibly excluding any of the candidates from the first round, depending on the details); hence, the 50% of the population who think 'they're all fvckers' have a reason to go to the polls.

I've experienced such a system in action (within a student body) and it works well, provided you like your democracy to be loud and participatory. For this reason it's unlikely to be implemented by an incumbent government, though I guess it's possible an uber-populist like Chavez or Lula might consider it.

W
Vote for nobody
Hello,

the election commission of india had a proposal to the govt. that the voter should be able to vote for 'none of the above'. Though one can predict that such a proposal will never be approved by the government, it makes a lot of sense. Is any other democratic country seriously thinking of implementing such an option?

Sarath.
Maths holy grail could bring disaster for internet
http://www.guardian.co.uk/print/0,3858,5009766-103690,00.html

The Guardian

Maths holy grail could bring disaster for internet

Two of the seven million dollar challenges that have baffled for more than a century may be close to being solved

Tim Radford, science editor
Tuesday September 7, 2004
The Guardian

Mathematicians could be on the verge of solving two separate million dollar problems. If they are right - still a big if - and somebody really has cracked the so-called Riemann hypothesis, financial disaster might follow. Suddenly all cryptic codes could be breakable. No internet transaction would be safe. On the other hand, if somebody has already sorted out the so-called Poincaré conjecture, then scientists will understand something profound about the nature of spacetime, experts told the British Association science festival in Exeter yesterday.

Both problems have stood for a century or more. Each is almost dizzyingly arcane: the problems themselves are beyond simple explanation, and the candidate answers published on the internet are so intractable that they could baffle the biggest brains in the business for many months. They are two of the seven millennium problems and four years ago the Clay Mathematics Institute in the US offered $1m (£563,000) to anyone who could solve even one of these seven.

The hypothesis formulated by Georg Friedrich Bernhard Riemann in 1859, according to Marcus du Sautoy of Oxford University, is the holy grail of mathematics. Most mathematicians would trade their soul with Mephistopheles for a proof, he said. The Riemann hypothesis would explain the apparently random pattern of prime numbers - numbers such as 3, 17 and 31, for instance, are all prime numbers: they are divisible only by themselves and one. Prime numbers are the atoms of arithmetic. They are also the key to internet cryptography: in effect they keep banks safe and credit cards secure.
This year Louis de Branges, a French-born mathematician now at Purdue University in the US, claimed a proof of the Riemann hypothesis. So far, his colleagues are not convinced. They were not convinced, years ago, when de Branges produced an answer to another famous mathematical challenge, but in time they accepted his reasoning. This time, the mathematical community remains even more sceptical. The proof he has announced is rather incomprehensible. Now mathematicians are less sure that the million has been won, Prof du Sautoy said. The whole of e-commerce depends on prime numbers. I have described the primes as atoms: what mathematicians are missing is a kind of mathematical prime spectrometer. Chemists have a machine that, if you give it a molecule, will tell you the atoms that it is built from. Mathematicians haven't invented a mathematical version of this. That is what we are after. If the Riemann hypothesis is true, it won't produce a prime number spectrometer. But the proof should give us more understanding of how the primes work, and therefore the proof might be translated into something that might produce this prime spectrometer. If it does, it will bring the whole of e-commerce to its knees, overnight. So there are very big implications. The Poincaré conjecture depends on the almost mind-numbing problem of understanding the shapes of spaces: mathematicians call it topology. Bernhard Riemann and other 19th century scholars wrapped up the mathematical problems of two-dimensional surfaces of three dimensional objects - the leather around a football, for instance, or the distortions of a rubber sheet. But Henri Poincaré raised the awkward question of objects with three dimensions, existing in the fourth dimension of time. He had already done groundbreaking work in optics, thermodynamics, celestial mechanics, quantum theory and even special relativity and he almost anticipated Einstein. 
And then in 1904 he asked the most fundamental question of all: what is the shape of the space in which we live? It turned out to be possible to prove the Poincaré conjecture in unimaginable worlds, where objects have four or five or more dimensions, but not with three. The one case that is really of interest because it connects with physics, is the one case where the Poincaré conjecture hasn't been solved, said Keith Devlin, of Stanford University in California. In 2002 a Russian mathematician called Grigori Perelman posted the first of a series of internet papers. He had worked in the US, and was known to American mathematicians before he returned to St Petersburg. His proof - he called it only a sketch of a proof - was very similar in some ways to that of Fermat's last theorem, cracked by the Briton Andrew Wiles in the last decade. Like Wiles, Perelman is claiming to have proved a much more complicated general problem and in the course of it may have solved a special one that has tantalised mathematicians for a century. But his papers made not a single reference to Poincaré or his conjecture. Even so, mathematicians
Re: Vote for nobody
I think the US state of Nevada has None of the above as an option, though I'm not sure of the implementation of it. The Libertarian Party in the US always has NOTA as a candidate in internal elections, and sometimes NOTA wins and the job goes unfilled until either there's a new election with new candidates or some executive committee appoints somebody.

At 09:57 AM 9/6/2004, Justin wrote:

If someone would vote for none of the above rather than write in his/her ideal candidate, that someone is a lazy oaf. Everyone who writes in a candidate is voting none of the above.

NOTA's a bit different - there may be a large plurality of voters who don't like the major candidates, even if they don't agree on who else they want. In an election where you're voting for a party, like most parliamentary governments use, voting NOTA is telling the parties to run different candidates, so for instance you might want the Labour Party to win but you don't like Tony Blair so you vote NOTA in his home district. In candidate-based elections, you're telling the individual candidates that you don't like them.

Bill Stewart [EMAIL PROTECTED]
Re: Spam Spotlight on Reputation
On Mon, Sep 06, 2004 at 11:52:03AM -0600, R. A. Hettinga wrote:

E-mail security company MX Logic Inc. will report this week that 10 percent of all spam includes such SPF records,

I have mentioned this problem more than a year ago in context of my RMX draft (SPF, CallerID and SenderID are based on RMX). Interestingly, nobody really cared about this major security problem.

All RMX-derivatives block forged messages (more or less). But what happens if the attacker doesn't forge? That's a hard problem. And a problem known from the very beginning of the sender verification discussion.

The last 17 months of work in ASRG (Anti Spam Research Group, IRTF) and MARID (Mail authorization records in DNS, IETF) are an excellent example of how to not design security protocols. This was all about marketing, commercial interests, patent claims, giving interviews, spreading wrong information, undermining development, propaganda. It completely lacked proper protocol design, a precise specification of the attack to defend against, engineering of security mechanisms. It was a kind of religious war.

And while people were busy with religious wars, spammers silently realized that this is not a real threat to spam. Actually, it sometimes was quite the opposite: I was told of some cases where MTAs were configured to run every mail through spam assassin. Spam assassin assigns a message a higher score if the sender had a valid SPF record. Since most senders with valid records were the spammers, spam received a higher score than plain mail, which is obviously the opposite of security.

People spent more time in marketing and public relations than in problem analysis and verification of the solution. That's the result.

What can we learn from this? Designing security protocols requires a certain level of security skills and discipline in what you want to achieve.

Although RMX/SPF/CallerID/SenderID does not make use of cryptography, similar problems can be sometimes found in context of cryptography. Knowing security primitives is not enough, you need to know how to assemble them to a security mechanism. Good lectures are given about the mathematical aspects of cryptography. But are there lectures about designing security protocols? I don't know of any yet.

And there is a new kind of attack: Security protocols themselves can be hijacked and raped by patent claims.

regards
Hadmut
Spam Spotlight on Reputation
http://www.eweek.com/print_article/0,1761,a=134748,00.asp

EWeek

Spam Spotlight on Reputation

September 6, 2004
By Dennis Callaghan

As enterprises continue to register Sender Protection Framework records, hoping to thwart spam and phishing attacks, spammers are upping the ante in the war on spam and registering their own SPF records. E-mail security company MX Logic Inc. will report this week that 10 percent of all spam includes such SPF records, which are used to authenticate IP addresses of e-mail senders and stop spammers from forging return e-mail addresses. As a result, enterprises will need to increase their reliance on a form of white-listing called reputation analysis as a chief method of blocking spam.

E-mail security appliance developer CipherTrust Inc., of Alpharetta, Ga., also last week released a study indicating that spammers are supporting SPF faster than legitimate e-mail senders, with 38 percent more spam messages registering SPF records than legitimate e-mail. The embrace of SPF by spammers means enterprises' adoption of the framework alone will not stop spam, which developers of the framework have long maintained.

Enter reputation analysis. With the technology, authenticated spammers whose messages get through content filters would have reputation scores assigned to them based on the messages they send. Only senders with established reputations would be allowed to send mail to a user's in-box. Many anti-spam software developers already provide such automated reputation analysis services. MX Logic announced last week support for such services.

There's no question SPF is being deployed by spammers, said Dave Anderson, CEO of messaging technology developer Sendmail Inc., in Emeryville, Calif. Companies have to stop making decisions about what to filter out and start making decisions about what to filter in based on who sent it, Anderson said.
The success of reputation lists in organizations will ultimately depend on end users' reporting senders as spammers, Anderson said. In the system we're building, the end user has the ultimate control, he said.

Scott Chasin, chief technology officer of MX Logic, cautioned that authentication combined with reputation analysis services still won't be enough to stop spam. Chasin said anti-spam software vendors need to work together to form a reputation clearinghouse of good sending IP addresses, including those that have paid to be accredited as such. There is no central clearinghouse at this point to pull all the data that anti-spam vendors have together, said Chasin in Denver. We're moving toward this central clearinghouse but have to get through authentication first.

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA

... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
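An added example, not part of either post or of any vendor's product: it shows why an SPF pass only binds a message to a domain (a sender who publishes its own record and does not forge passes too) and how a filter-in decision keyed on the authenticated domain differs. The domains, addresses, score weights, threshold and function names are constructed assumptions, and only the `ip4`/`ip6`/`all` mechanisms are evaluated so the code runs offline.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, client_ip):
    """Evaluate only the ip4/ip6 and 'all' mechanisms of an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return RESULT[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return RESULT[qualifier]
        # include/a/mx/... need DNS lookups and are skipped in this offline subset
    return "neutral"

class Reputation:
    """Filter-in list keyed by the SPF-authenticated domain (weights are assumed)."""
    def __init__(self, threshold=3):
        self.score, self.threshold = {}, threshold

    def record(self, domain, reported_as_spam):
        # An end-user spam report outweighs several unreported deliveries.
        self.score[domain] = self.score.get(domain, 0) + (-5 if reported_as_spam else 1)

    def trusted(self, domain):
        return self.score.get(domain, 0) >= self.threshold

def naive_accept(domain, client_ip, dns_txt):
    """Treats 'SPF pass' as 'not spam': the mistake described in the thread."""
    ok = spf_check(dns_txt.get(domain, ""), client_ip) == "pass"
    return "inbox" if ok else "quarantine"

def accept(domain, client_ip, dns_txt, rep):
    """SPF answers 'is this really that domain?'; reputation answers 'do we want it?'."""
    if spf_check(dns_txt.get(domain, ""), client_ip) != "pass":
        return "reject-unauthenticated"
    return "inbox" if rep.trusted(domain) else "quarantine"

# Constructed DNS TXT data: one established sender, one bulk mailer with its own record.
DNS_TXT = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "cheap-pills.example": "v=spf1 ip4:198.51.100.7 -all",
}
```
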
Re: Remailers an unsolvable paradox?
There are several different types of problem messages, and some are easier to avoid than others.

- Spam
- Harassing messages sent to remailer users
- Harassing messages sent to mundanes to annoy the mundane
- Harassing messages sent to mundanes to get the remailer in trouble
- Harassing messages sent to third-parties (e.g. sending Bob slander about Alice.)
- Forged messages
- Usenet flamebait

Two of the things I never built back when I was running a remailer could have helped this problem

- Encrypted-sending only. Sure, you want to only accept encrypted messages to preserve privacy, but if you require outgoing messages to be encrypted, you not only protect privacy, you eliminate most of the spam, except for spam that's sent to people with easily-located public keys. Sadly, that's a small set of people, but it's also tougher for harvester programs, and it's a set of people less likely to buy from spammers. This also significantly reduces harassment potential. Most crypto users are more likely to understand remailers, or at least to read the "this is a remailer" headers. It's possible for harassers to work around this, if you're verifying encryption just by syntax, but it's a good start:

    - BEGIN PGP ENCRYPTED STUFF
    Alice - your mother was a hamster and your father smells of elderberries. And your hovercraft is full of eels. Bob
    - END PGP ENCRYPTED STUFF ---

- Recipient permission for outbound remailers - have the remailer ask for permission before sending somebody mail, and optionally store addresses (or hashes of addresses) of people who want to accept remailed messages in the future (obviously including other remailers in that list.) So instead of sending the message directly, you send

    Subject: You've received an anonymous message #1234567

    You've received an anonymous message at (foo-remailer)
    It may be from someone you know, or may be a forgery or spam (explain remailers blah blah blah)
    If you'd like to pick up the message, reply to this message.
    If you don't want it, just ignore this message.
    If you'd like us to never bother you again, reply with Subject: BLOCK
    If you'd like to automatically receive all remailer messages in the future, reply with Subject: SUBSCRIBE

  (and/or provide web URL interfaces for these functions.)

Even if the remailed mail is spam or harassment, it starts out with getting permission from the recipient and building a positive relationship and some understanding of what's going on. It also means that if somebody who doesn't care about remailers gets spam or harassing mail, they don't have to get it more than once.

Bill Stewart [EMAIL PROTECTED]
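An added sketch of the two mechanisms proposed in the post above, not code from the post or from any remailer. The outbound gate checks that the body is OpenPGP-armored and opens with an encryption packet, which rejects plaintext wrapped in armor lines, and it keeps the permission list as keyed hashes of addresses. The class and function names, the HMAC choice and the sample bodies are assumptions.

```python
import base64, hashlib, hmac, re

ARMOR = re.compile(r"-----BEGIN PGP MESSAGE-----\r?\n(.*?)-----END PGP MESSAGE-----", re.S)
ENCRYPTED_TAGS = {1, 3, 9, 18}  # OpenPGP PKESK, SKESK, encrypted data, encrypted+MDC

def looks_encrypted(text):
    """Structural check: the armor must decode and open with an encryption packet."""
    m = ARMOR.search(text)
    if not m:
        return False
    lines = [ln.strip() for ln in m.group(1).splitlines()]
    if "" in lines:
        lines = lines[lines.index("") + 1:]               # skip armor headers
    data = "".join(ln for ln in lines if not ln.startswith("="))  # drop CRC line
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:
        return False
    if not raw or not raw[0] & 0x80:                      # bit 7 marks a packet header
        return False
    tag = raw[0] & 0x3F if raw[0] & 0x40 else (raw[0] >> 2) & 0x0F
    return tag in ENCRYPTED_TAGS

class ConsentGate:
    """Recipient-permission list keyed by HMAC of the address (assumed design)."""
    def __init__(self, key):
        self.key, self.state, self.held = key, {}, {}

    def _h(self, addr):
        return hmac.new(self.key, addr.strip().lower().encode(), hashlib.sha256).hexdigest()

    def outbound(self, rcpt, msg_id, body):
        if not looks_encrypted(body):
            return "reject"
        h = self._h(rcpt)
        if self.state.get(h) in ("blocked", "subscribed"):
            return "drop" if self.state[h] == "blocked" else "deliver"
        self.held[(h, msg_id)] = body                     # hold until the recipient replies
        return "notify"

    def reply(self, rcpt, subject, msg_id=None):
        h, cmd = self._h(rcpt), subject.strip().upper()
        if cmd == "BLOCK":
            self.state[h] = "blocked"
            self.held = {k: v for k, v in self.held.items() if k[0] != h}
            return None
        if cmd == "SUBSCRIBE":
            self.state[h] = "subscribed"
        return self.held.pop((h, msg_id), None)           # release the held message, if any

# Constructed samples: plaintext inside armor lines, and a PKESK header plus filler.
WRAP = "-----BEGIN PGP MESSAGE-----\n\n%s\n-----END PGP MESSAGE-----\n"
FAKE = WRAP % "Alice - your mother was a hamster."
SHAPED = WRAP % "hQEMAAAAAAAAAAAAAAAA"
```

The packet check raises the bar over matching armor lines but cannot prove the payload decrypts for the recipient, and the sketch does not authenticate replies, so the message number would have to be unguessable in practice.
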