At 01:43 PM 12/29/03 -0500, Eric S. Johansson wrote:
>Bill Stewart wrote:
>> At 09:37 PM 12/26/2003 -0500, Adam Back wrote:
>>> The 2nd memory [3] bound paper (by Dwork, Goldber and Naor) finds a
>>> flaw in in the first memory-bound function paper (by Adabi, Burrows,
>>> Manasse, and Wobber) which admits a time-space trade-off, proposes an
>>> improved memory-bound function and also in the conclusion suggests
>>> that memory bound functions may be more vulnerable to hardware attack
>>> than computationally bound functions.  Their argument on that latter
>>> point is that the hardware attack is an economic attack and it may be
>>> that memory-bound functions are more vulnerable to hardware attack
>>> because you could in their view build cheaper hardware more [....]
>> Once nice thing about memory-bound functions is that,
>> while spammers could build custom hardware farms in Florida or China,
>> a large amount of spam is delivered by hijacked PCs or abused 
>> relays/proxies,
>> which run on standard PC hardware, not custom, so it'll still be slow.

The Microsoft Penny Black system (not to be confused with the 
IBM Penny Black paper) is supposedly limited by memory /speed/ not 
memory size.  The only nice thing about that is that memory speed
doesn't vary as much between machines.  About 5 to 1 vs. 100 to 1.

>do the math.
>  s
>where: d = stamp delay in seconds
>        s = spam size in bytes
>        b = bandwidth in bytes per second

I don't understand this equation at all.

It's the rate limiting factor that counts, not a combination of
stamp speed + bandwidth.

Assuming 128Kbps up, without a stamp it takes about .6 seconds to
send a typical 10K spam.

If it takes 15 seconds to generate the stamp, then it will take
15 seconds to send a stamped spam.  It won't even take 15.6 seconds,
because the calculation can be done in parallel with the sending.

>assuming unlimited bandwidth, if a stamp spammer compromises roughly the 
>same number of PCs as were compromised during the last worm attack 
>(350,000) at 15 seconds per stamp, you end up with 1.4 million stamps 
>per minute or 2 billion stamps per day.  When you compare that to the 
>amount of spam generated per day (high hundred billion to low trillion), 

Not according to the best estimates I have.
The average email address receives 20-30 spams a day (almost twice 
what it was last year) and there are only 200-400 million 
email addresses, which works out to less than 10 billion spams per day.

But there's a much easier way to do the math.

If 1% of the machines on the internet are compromised,
and a stamp takes 15 seconds to generate, then spammers can send
50-60 spams to each person.

(86400 seconds per day / 15 seconds per stamp * 1% of everybody = 57.6)

You can reduce that by factoring in the average amount of time
that a compromised machine is on per day.

I fully expect that stamps will rise in "price" to several minutes,
if camram actually gets any traction.

>they are still a few machine short of what is necessary to totally 
>render stamps useless.  Yes, maybe one spammer could muster a few 
>machines to be a nuisance but that's the extent of it.
>When dealing with hardware acceleration, it becomes a hardware war.  If 
>they can make a custom hardware, Taiwan can make us USB stamp 
>generators, postage goes to a period of rapid inflation, and the world 
>goes back to where was before with no advantage to spammer's.

Custom hardware?
I can buy a network ready PC at Fry's for $199.

If it takes that machine 30 seconds to generate a stamp, and I leave
it running 24/7, and replace it after 5 months, then the cost
of a hashstamp is still less than 1/500 of a snail-mail stamp.
Granted it's a significant increase in costs over current email,
and therefore potentially a vast improvement, 
but it's still not expensive.

Scott Nelson <[EMAIL PROTECTED]>

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to