Re: An overview of cryptographic protocols to prevent spam
John Gilmore wrote: I wrote an overview of Cryptographic Protocols to Prevent Spam, I stopped reading on page V -- it was too painfully obvious that Amir has bought into the whole censorship-list based anti-spam mentality. John, I'm disappointed; I expected you to be more tolerant. You got mad at me at page V which is still just reviewing the basic e-mail architecture related to spam. In this part, I explained what open-relays are and why people may try to disconnect from them, and described port-25 blocking which is common practice and necessary to protect domains from being blacklisted. I discuss blacklisting techniques and their problems much later, in section 5.5 (page XXV). I discuss there, albeit briefly, false positives, abuse, and collateral damage. I agree about the importance of clarifying these concerns, and will try to improve this. Frankly, however, I think you were a bit trigger-happy to conclude that I `bought-into` the censorship, black list approach. May I recommend that you ask first, shoot later? We had some discussions on this and while we may have differences, I thought you know I care a lot about freedom of speech. And btw, yes, as users of some (legitimate!) mail services, both me and several family memebers (e.g. children) were blocked by domain blacklists... When this happened to my 7 year old child, I had to forward his answers to a magazine for him. I once almost lost a consulting engagement to blocked email. And Ross Anderson once had to resort to asking Adi to call me on the phone to deliver a message, since a crazy mail filter here (Bar Ilan Univ.) blocked his messages for weeks... And more incidents. So believe me I'm well aware of this problem. -- Best regards, Amir Herzberg Associate Professor Department of Computer Science Bar Ilan University http://AmirHerzberg.com Try TrustBar - improved browser security UI: http://AmirHerzberg.com/TrustBar Visit my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
German CA TrustCenter insolvent
Original article at http://www.heise.de/security/news/meldung/64224 It seems that the German TC TrustCenter GmbH (formerly TC TrustCenter AG) is now insolvent. TrustCenter was accredited to issue qualified signatures, which is what you need in Germany if you want your digital signature to be as binding as your handwritten one. It is as yet unclear why TrustCenter ran out of money, but the fact that German banks sold their TrustCenter stocks to BeTrusted (now part of Cybertrust) in 2004 shows that the banks had lost their confidence in PKI. An interesting question is of course what happens with TrustCenter's private keys. Are they being auctioned off to the highest bidder? Fun, Stephan begin:vcard fn:Stephan Neuhaus n:Neuhaus;Stephan org;quoted-printable:Universit=C3=A4t des Saarlandes;Department of Informatics adr;quoted-printable:;;Postfach 15 11 50;Saarbr=C3=BCcken;;66041;Germany email;internet:[EMAIL PROTECTED] title:Researcher tel;work:+49-681/302-64018 tel;fax:+49-681/302-64012 x-mozilla-html:FALSE url:http://www.st.cs.uni-sb.de/~neuhaus version:2.1 end:vcard
Re: An overview of cryptographic protocols to prevent spam
I wrote an overview of Cryptographic Protocols to Prevent Spam, I stopped reading on page V -- it was too painfully obvious that Amir has bought into the whole censorship-list based anti-spam mentality. It was hard to get from paragraph to paragraph without finding approving mentions of blacklists. I am a victim of many such blacklists. May Amir never appear on one, or his unthinking acceptance of blacklisting might change. His analysis made me think of clinical reviews of experiments done on human subjects in prison camps -- careful to focus on the facts while ignoring the obvious moral problems. Interspersed were discussions of various kinds of port blocking. The Internet is too good for people who'd censor other peoples' communications, whether by port number (application) or by IP address (person). It saddens me to see many of my friends among that lot. John Gilmore - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: An overview of cryptographic protocols to prevent spam
On Mon, Sep 26, 2005 at 09:28:19AM +0200, Amir Herzberg wrote: | John Gilmore wrote: | I wrote an overview of Cryptographic Protocols to Prevent Spam, | | I stopped reading on page V -- it was too painfully obvious that Amir | has bought into the whole censorship-list based anti-spam mentality. | John, I'm disappointed; I expected you to be more tolerant. You got mad | at me at page V which is still just reviewing the basic e-mail | architecture related to spam. In this part, I explained what open-relays | are and why people may try to disconnect from them, and described | port-25 blocking which is common practice and necessary to protect | domains from being blacklisted. necessary to protect domains from being blacklisted.? How about the more factual: Is used as a decision factor by many of the programmers who create blacklist-creation tools? Blacklists are not like blackholes, a natural result of laws of nature. They are the product of human action, and the people who made decisions around them ought to own up to the fact that they are making decisions. Adam - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: An overview of cryptographic protocols to prevent spam
One more comment note on spam... Perry E. Metzger [EMAIL PROTECTED] writes: I'm afraid that I use blacklists. My servers get about 30,000 spams and virii directed at me (that is me, Perry Metzger, personally) every night that are blocked by blacklists. I would be unable to write you this email if I didn't use blacklists, because I'd have no working email at all. (To be fair, the onslaught has diminished recently -- I'm now down to perhaps 20k a night. There is no functional difference.) My mother in law recently got rid of the email address she had been using for many years. Why? She was getting so much spam that the address was effectively useless. To find the one real message she had to wade through a metric ton of porn, medical fraud, bank fraud and ads for fake rolexes. Her anti-spam facilities in her mail reader were pretty good but kept putting real messages into the spam folder, so after a while it became obvious that they weren't helping since she had to parse all the spam by hand anyway. In short, she was forced to surrender. She abandoned the account. She's not the only person I know who's done things like this. Spam is not a harmless annoyance any more than insect bites are once you start getting enough. It threatens the ability to actually use email for communication. In a normal society, by now people would have email directories online where you could look up the email addresses of friends and loved ones. Why don't we have those? Spammers. People actually go through a whole lot of trouble NOT to have their email online. They do things like turning their email addresses into images on their web sites so automated harvesters can't read them. They post from throwaway accounts assuring that no one who wants to reply will ever be able to do so. They bend over backwards trying to avoid the spammers. ISPs have to spend vast amounts of money one extra bandwidth to carry this garbage -- it costs real money. Companies have large staffs of people who work full time to ameliorate (not eliminate) their spam problems. It costs them real money. People like my mother in law abandon email addresses (and make it impossible for old friends to find them) because they're scared that if too many people know their email address it will become flooded with garbage. By the way, the criminals now do stuff like using spyware to steal people's addresses so it is literally the case that you have to worry that too many people know your address. This is not a normal situation any longer. Spam has distorted people's behavior beyond all recognition. You can pretend that hasn't happened and that really all that is needed is heavier use of the d key or perhaps slightly better Bayesian filters, but in fact that's not the situation any more. We're beyond that. You can argue that we're wrecking the internet to save it, but what is, realistically, the alternative? If you say just ignore the spam then I'll have to politely ignore *you* -- I cannot try to find the 50 real messages inside of the 30,000 garbage ones addressed to me without the evil blacklists, and you wouldn't be able to either. We either make the internet somewhat less of what it was so that we can continue using it at all, or we keep it pure and cease to use it altogether. Given the choice, I'll compromise on purity. Perry - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: PKI too confusing to prevent phishing, part 28
At 8:53 AM +0200 9/26/05, Amir Herzberg wrote: Is PKI the cause of this? I think not. This is a usability problem. We try to fix this problem (and similar problems) with TrustBar. Indeed we even had incidents where people on the TrustBar team itself, and some security experts using TrustBar, thought there is a bug - why does TrustBar display `Bad Certificate` warning, when FireFox says the site is protected fine? But then we found out it was simply a self-signed site, or a site signed by a CA not in the list of the browser, or the most hard-for-users: a site with a certificate whose issuer is specified as Verisign (say), but with a wrong public key... this last one is really tricky; even expert users get confused in identifying this, even when using the certificate details dialogs (I checked for FireFox and IE). To me, the first paragraph contradicts the second paragraph. Actually, the third sentence of the first paragraph contradicts the first two sentences of that paragraph. A technology that cannot be made usable, but is widely used anyway, is the cause of its own problems. There are many problems with PKI, and certainly with its implementation in browsers. But secure usability problems are worse. I think our community should try to be constructive. I definitely try myself, hence TrustBar. Please help me: try it and give me feedback, if you are a good programmer, lend a hand improving it; or find other ideas and implement them. Looking at decades of experience with PC software, it seems unlikely that TrustBar or anything like it will be deployed and understood by typical users. It is fine to help increase the security for a small (possibly tiny) audience, but please do not conflate that with making the whole market more noticeably secure. --Paul Hoffman, Director --VPN Consortium - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]