On Mon, 2021-12-27 at 02:44 +0100, Ángel via mailop wrote: > On 2021-12-23 at 21:02 -0700, Dave Warren via mailop wrote: > > Even just verifying a phone number adds a real world cost to > > switching identities which makes blocking far more effective. > > There is certainly a cost for casual users wishing to switch > identities.
[...] > I wonder however if that's still the case for "professional" > spammers, Barriers to entry are indeed one of the weaknesses of internet email when compared to closed systems like the single-entity controlled messaging tools (iMessage, Telegram, Whatsapp, and their likes). Desirable: a clearly defined perimeter that is easy to protect. Any entry-level military strategist can tell you that the lines of defense of internet email are a nightmare. In traditional warfare, strategists seek to establish a perimeter: what is inside is friendly, what is outside is not. The longer and more convoluted the line of the perimeter, the more difficult it is to defend. In the physical world, strategists try to make use of natural barriers such as rivers and mountains to make perimeter defense easier. And in the world of email? There is no clearly delineated perimeter. The telcos are happy to give a subscriber line and an IP address to anyone with a modem. On that free for all infrastructure, spammers can operate domains and SMTP servers with impunity. They can prey on legitimate SMTP businessess and create accounts to abuse them, circumventing all forms of often ridiculous abuse prevention. As is too often the case, the industry gets it wrong (from an efficiency perspective. of course it gets it right from a revenue generation perspective) and its solutions leave programmatic malware indifferent while making it more nightmarish to the human user. Typical example: requiring passwords with upper/lower case and all sorts of special characters and numbers, instead of using much longer passphrases that achieve the same entropy in a form that is easier for humans to process. The verification via text messages (SMS) is one of those ultra-stupid solutions whose real benefit is, arguably, to the surveillance economy only. Garden varieties of SIM swap scams abounds and trusting the telecoms with identification and authorization when they are not even able to filter bad packets at the IP level is questionable. Any authorization system that depend on a token transmitted at the time and place of authorization is faulty by design and ready to be hacked. It is inferior to TOTP or other designs where communication/synchronisation has happened in a distant past. In advanced economies, banks are now forbidden from using SMS as 2FA token. Here in Canada, they are just introducing it (sigh). Speaking of the requirement of a phone number: Google has been particularly insistent, even on my existing account. Possibly because I do not let any requests to Google server's out unless vetted, because the webbugs on so many websites. I don't care if there is a Google Analytics opt-out extension. My opt-out of Google Analytics and its other data-syphons is not to allow for a communication from my network to them. The worse requirements I have seen so far, however, was Instagram. Network effects have it that my child is the only kid in the classroom without an Instagram account. I tried the process of opening one, using a burner phone / pre-paid SIM card, and Instagram comes back at me with the requirement for a picture of me, my face and my hands clearly visible, holding an handwritten note with an authorization code. Seriously? handwriting recognition, facial recognition? How about fingerprints? And the conspiracy theorist still believe that it is government that is after us? No way that a corporation whose sole purpose is to spew evil and misinformation in the world will get anything but anonymous access from my end. Or no access at all. The day that proper safeguards will be in place, that I will be able to control my information the same way Hollywood or Netflix can control theirs, I may consider lowering the defences a bit. Internet email could learn a page or two from the Swift manual. Swift moves $200 billions / day. What works for banks and their customers can surely work for internet email operators and their users, especially those parts that are pure protocol, pure IT, no physical cost. The first thing to make internet email viable for the future is to establish a defensible perimeter and keep bad actors out. Easier said than done. The problem does not affect email only. It affects anything internet. Lacking a proper perimeter, my network is my perimeter and the default rule at my router is nothing in, nothing out, until an exception is added. I am not there yet, but nearly. Maintaining lists of allowed IP addresses is not as difficult as it sounds. There will be pain along the way, but if service providers are not able to federate around clear rules to establish a defensible perimeter and keep out the bad actors, I have no other choices. Enough is enough. It is time to make operators liable for what emanates from their IP addresses, and until that liability is in place, filter them out, cost what it cost. Enjoy the holidays break (kiddo was too tired for the ski slopes, which is why you had to suffer my rant). -- Yuval Levy, JD, MBA, CFA Ontario-licensed lawyer _______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop