Mark Seiden:
> i think we are having a misunderstanding here.
>
> any sort of opt-in or opt out doesn't work in the account takeover scenario, which is very common these days.
>
> the bad guy will always have a relationship through the buddy list, which is exactly why they are using taken over accounts.
>
> the situation you are "imagining" is the way it was prior to the rash of account takeovers, and the way it might be if accounts could not be taken over easily (e.g. if they used 2 factor or some other way of knowing the customer was authentic).
Indeed. It also depends entirely on the end user software. Often it is possible that there are two users with the same name but with different identifiers. This also doesn't stop people from registering domains that look alike, I might add. We already see this kind of behavior with phishing and we have continued to see it for the better part of a decade.

There are obviously smart heuristics for ways to flag a message - however, if I was pwning such a system, I would just own the content inspection system at a different level - say, by fingerprinting the first request and not returning malware. Only when the user, who is easy to distinguish from Microsoft, visits the site will they get the actual targeted malware. This is also what we see with web pages that provide browser-specific exploits on a per user basis.

The other reason to get the buddy list is that the social graph is almost as important as the content, if not more important for some groups.

All the best,
Jacob

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
