On Wed, 31 Dec 2003, Arnold G. Reinhold wrote:

> Legitimate stamp generation would have to be distinguished, perhaps
> by code signing or some Turing test.  A sufficiently clever virus
> writer with root access might be able to commandeer the legitimate stamp
> generator. If this happens, periodic required updates of the hashcash
> software can be issued that thwart viruses in the field. Also a large
> number of countermeasure variants can be generated, making it hard
> for the virus to recognize them all. This reverses the tactical
> advantage normally enjoyed by virus writers. Illegitimate stamp
> generators are forced to present a fixed target while legitimate
> programs and countermeasures can continuously morph.

Wildly unrealistic IMHO. I would predict that email transmission *will*
remain essentially free.  Spam detection software will be deployed more
broadly, and spammers who use trojaned machines will at some point in the
not too distant future (when the DAs wake up to this widespread criminal
activity) be successfully prosecuted.

Of the ~750000 inbound message recipients a day on the gateways I
manage, 40% are rejected by RBL lists and private blacklists/content
checks. 5% of the remainder is caught as spam by a commercial anti-spam
content filter. The filter's detection rate against this RBL pre-screened
sample is ~90%, the false positive rate is less than 0.01%. So we get rid
of ~99.5% of spam with no hash-cash. This is good enough. I am not about
to implement any CPU burning stamp generators any time soon.

The recent Microsoft and Yahoo announcements get a lot of publicity, but I
am skeptical that they will ever be widely adopted.

It is reasonable to note that Microsoft sells a lot of the clients
(Outlook & OE), so they have a better chance of getting their technology
adopted, but even Microsoft has a hard time getting users to upgrade from
Windows 98/Office 97 which continue to perform well enough for most users
(security flaws and all).

        Victor Duchovni
        IT Security,
        Morgan Stanley
