Valdis Kletnieks wrote:
<<snip good stuff>>
> As has been pointed out, there's around 100M compromised boxes with
> credentials waiting to be abused. Anything that fails to account for
> that is simply not worth the effort, as it's broken as designed.

...and, as this was all obvious _before_ the "solutions" we have been
talking about were designed, I'd argue that saying they were "broken as
designed" is a tad too polite to their designers.

Anyone who knew anything about the problem reputedly being addressed
should have been well aware of these limitations, so these things were
actually "broken _by_ design". Any of the "designers" of these reputed
solutions who says otherwise, or who allowed these suggested
"solutions" to progress to RFC stage, is admitting their lack of
expertise and knowledge of the actual problem set and therefore is
admitting to being _incompetent_ to have been involved in said
designing, etc...

If you agree at all with "der Mouse's" view of the sad state of the
separation of authority and responsibility in the "Internet governance"
sphere, the above result ("fixing the SMTP spam problem" was run by a
bunch of essential incompetents and/or had to progress through a
process that imposed incompetence on the results), you wouldn't be at
all surprised by the outcome.

Regards,
Nick FitzGerald
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.