Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project

2004-01-02 Thread Alan Brown
On Tue, 30 Dec 2003, Bill Stewart wrote:

 The reason it's partly a cryptographic problem is forgeries.
 Once everybody starts whitelisting, spammers are going to
 start forging headers to pretend to come from big mailing lists
 and popular machines and authors, so now you'll not only
 need to whitelist Dave Farber or Declan McCullough if you read their lists,
 or Bob Hettinga if you're Tim (:-), you'll need to verify the
 signature so that you can discard the forgeries that
 pretend to be from them.

 You'll also see spammers increasingly _joining_ large mailing lists,
 so that they can get around members-only features.

This has already happened:

Krazy Kevin pulled this stunt 5 years ago on at least one list I was on,
joining the list to harvest the most common posters, then spamming using
them as sender envelopes after he'd been kicked off.

 At least one large mailing list farm on which I've joined a list
 used a Turing-test GIF to make automated list joining difficult,

...discrimination against blind users - this is legally actionable in
several countries. There is a blind group in the UK taking action
against a number of companies for this and the Australian Olympic
committee ended up being fined several million AU$ for the same offence
in 1999.

 and Yahoo limits the number of Yahoogroups you can join in a day,
 but that's the kind of job which you hire groups of Indians
 or other English-speaking third-world-wagers to do for you.

To underscore that point, I've _watched_ cybercafes full of SE Asians(*)
doing exactly this kind of thing for the princely sum of US$5/day -
twice the average wage of the area, even after the cafe fees were
deducted.

(*) Philippines and east Malaysia.

AB

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project

2003-12-31 Thread R. A. Hettinga
At 7:46 PM + 12/30/03, Richard Clayton wrote:
where does our esteemed moderator get _his_ stamps
from ?

A whitelist for my friends, etc...

Whitelist [EMAIL PROTECTED]

Cheers,
RAH

-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project

2003-12-31 Thread Bill Stewart
At 07:46 PM 12/30/2003 +, Richard Clayton [EMAIL PROTECTED] wrote:
 [what about mailing lists]
Obviously you'd have to whitelist anybody's list you're joining
if you don't want your spam filters to robo-discard it.
<moan>
I never understand why people think spam is a technical problem :( let
alone a cryptographic one :-(
</moan>
The reason it's partly a cryptographic problem is forgeries.
Once everybody starts whitelisting, spammers are going to
start forging headers to pretend to come from big mailing lists
and popular machines and authors, so now you'll not only
need to whitelist Dave Farber or Declan McCullough if you read their lists,
or Bob Hettinga if you're Tim (:-), you'll need to verify the
signature so that you can discard the forgeries that
pretend to be from them.
You'll also see spammers increasingly _joining_ large mailing lists,
so that they can get around members-only features.
At least one large mailing list farm on which I've joined a list
used a Turing-test GIF to make automated list joining difficult,
and Yahoo limits the number of Yahoogroups you can join in a day,
but that's the kind of job which you hire groups of Indians
or other English-speaking third-world-wagers to do for you.


Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project

2003-12-31 Thread jal
On Tue, 30 Dec 2003, Bill Stewart wrote:

 At 07:46 PM 12/30/2003 +, Richard Clayton [EMAIL PROTECTED] 
 wrote:
  [what about mailing lists]
 Obviously you'd have to whitelist anybody's list you're joining
 if you don't want your spam filters to robo-discard it.
 
 <moan>
 I never understand why people think spam is a technical problem :( let
 alone a cryptographic one :-(
 </moan>

It has always been mostly a technical problem, and only partially a
social problem. 

 The reason it's partly a cryptographic problem is forgeries.
 Once everybody starts whitelisting, spammers are going to
 start forging headers to pretend to come from big mailing lists
 and popular machines and authors, so now you'll not only
 need to whitelist Dave Farber or Declan McCullough if you read their lists,
 or Bob Hettinga if you're Tim (:-), you'll need to verify the
 signature so that you can discard the forgeries that
 pretend to be from them.

I had to change my (admittedly simple) whitelisting recently, when
spammers started using the same domain name we do business under, or the
name of partners.

 You'll also see spammers increasingly _joining_ large mailing lists,
 so that they can get around members-only features.
 At least one large mailing list farm on which I've joined a list
 used a Turing-test GIF to make automated list joining difficult,
 and Yahoo limits the number of Yahoogroups you can join in a day,
 but that's the kind of job which you hire groups of Indians
 or other English-speaking third-world-wagers to do for you.

Yep. Spam rates have been creeping up on Debian lists, lately.
Another list I'm on having to do with Oracle has been having similar
problems. 

Who is a meaningful member?

That's a tough question, if you don't charge, and if you do, you miss
quite a bit, thus lowering the value. Commons, tragedy, etc.

-j


-- 
Jamie Lawrence[EMAIL PROTECTED]
Those who make peaceful revolution impossible will make violent revolution
inevitable. 
   -John F. Kennedy




Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project

2003-12-31 Thread Ben Laurie
Richard Clayton wrote:
and in these schemes, where does our esteemed moderator get _his_ stamps
from ? remember that not all bulk email is spam by any means...  or do
we end up with whitelists all over the place and the focus of attacks
moves to the ingress to the mailing lists :(
He uses the stamp that you generated. Each subscriber adds 
[EMAIL PROTECTED] as an address they receive mail at. Done. Trivial.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/
There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff


Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project

2003-12-30 Thread Eric S. Johansson
Scott Nelson wrote:

d*b
---
s
where: d = stamp delay in seconds
  s = spam size in bytes
  b = bandwidth in bytes per second


I don't understand this equation at all.

It's the rate limiting factor that counts, not a combination of
stamp speed + bandwidth.
well, stamp speed is a method of rate limiting.  This equation/formula 
gives you the ratio of performance degradation.  So,

Given d=15, b=49152 (aka 384kbps) and s=1000

the slowdown ratio or factor is 737.28 times over what an unimpeded 
spammer can send.  But as you increase spam size, the slowdown factor 
declines.

Assuming 128Kbps up, without a stamp it takes about .6 seconds to
send a typical 10K spam.
If it takes 15 seconds to generate the stamp, then it will take
15 seconds to send a stamped spam.  It won't even take 15.6 seconds,
because the calculation can be done in parallel with the sending.
actually, it would take 15 but only because you can be sending one 
stamped piece of spam at the same time as you're generating the next 
stamp.  But using your spam size, the slowdown factor becomes roughly 
73 times.  So they would need 73 machines running full tilt all the time 
to regain their old throughput.  It's entirely possible that one 
evolutionary response to stamps would be to generate larger pieces of 
spam but that would also slow them down so we still win, kind of, sort of...


assuming unlimited bandwidth, if a stamp spammer compromises roughly the 
same number of PCs as were compromised during the last worm attack 
(350,000) at 15 seconds per stamp, you end up with 1.4 million stamps 
per minute or 2 billion stamps per day.  When you compare that to the 
amount of spam generated per day (high hundred billion to low trillion), 

Not according to the best estimates I have.
The average email address receives 20-30 spams a day (almost twice 
what it was last year) and there are only 200-400 million 
email addresses, which works out to less than 10 billion spams per day.
actually, I'm hearing that there are roughly one billion addresses but 
unfortunately have lost the source.  The numbers for spam I'm hearing 
are on the order of 76 billion to 2 trillion
(
2 tril spams /day 
http://www.pacificresearch.org/press/clip/2003/clip_03-05-08.html
76 bil http://www.marketinglaw.co.uk/open.asp?A=703
)

If you have a better source (and I am sure there are some), I would like 
to hear it.


But there's a much easier way to do the math.

If 1% of the machines on the internet are compromised,
and a stamp takes 15 seconds to generate, then spammers can send
50-60 spams to each person.
(86400 seconds per day / 15 seconds per stamp * 1% of everybody = 57.6)
unfortunately, I think you are making some assumptions that are not fully 
warranted.  I will try to do some research and figure out the number of 
machines compromised.  The best No. I had seen to date was about 350,000.

You can reduce that by factoring in the average amount of time
that a compromised machine is on per day.
I fully expect that stamps will rise in price to several minutes,
if camram actually gets any traction.
well, that might be the case but I must have a who cares attitude about 
that.  For the most part I rarely send mail to strangers and the stamp 
generation process is in background.  So if it takes several minutes to 
queue up and send a piece of mail a few times a month.  What's the 
problem? (yes, I know I'm being cavalier)

Custom hardware?
I can buy a network ready PC at Fry's for $199.
If it takes that machine 30 seconds to generate a stamp, and I leave
it running 24/7, and replace it after 5 months, then the cost
of a hashstamp is still less than 1/500 of a snail-mail stamp.
Granted it's a significant increase in costs over current email,
and therefore potentially a vast improvement, 
but it's still not expensive.
wrong unit of costs.  The stamps still take 15 seconds (give or take) 
which means approximately 5760 stamps per day.  Hardware acceleration is 
an attack against stamps by using dedicated hardware to shrink the cost 
in time of a given size stamp.  So, if an evil someone can build an 
ASIC to shrink the cost of a stamp by 100 times, then mercenary 
somebody else can build the same functionality and performance as well. 
Plop it onto a USB interface chip, sell for $15 and balance is restored.

---eric

--
Speech recognition in use.  Incorrect endings, words, and case is
closer than it appears

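The throughput arithmetic that Scott Nelson and Eric trade above (d*b/s, the 86400/15 * 1% shortcut, the 350,000-machine fleet, the ASIC speed-up and the $199 minting box), worked through in Python as an added example that is not part of the thread. The mint/verify pair is a generic hashcash-style proof of work in an assumed format; it is not camram's or Penny Black's actual stamp, and the recipient address, nonce and bit target are constructed for illustration.

```python
import hashlib
import secrets

SECONDS_PER_DAY = 86400

def slowdown_factor(stamp_delay_s, bandwidth_bps, spam_bytes):
    """d*b/s from the thread: how many times slower a stamping sender is than
    an unimpeded one on the same link. d = stamp delay (s), b = upstream
    bandwidth (bytes/s), s = message size (bytes). Below 1.0 the link, not
    the stamp, is the bottleneck, which is why bigger spam erodes the factor."""
    return stamp_delay_s * bandwidth_bps / spam_bytes

def stamps_per_day(stamp_delay_s, machines=1, uptime_fraction=1.0,
                   hardware_speedup=1.0):
    """Stamps a fleet can mint per day. hardware_speedup models the ASIC
    scenario from the thread (minting 100x faster than a commodity PC)."""
    return (SECONDS_PER_DAY / stamp_delay_s * hardware_speedup
            * machines * uptime_fraction)

def spams_per_recipient_per_day(compromised_fraction, stamp_delay_s,
                                uptime_fraction=1.0):
    """Scott Nelson's shortcut: if a fraction of all hosts is compromised and
    every host is both sender and recipient, each mailbox can receive this
    many stamped messages per day (86400 / d * fraction)."""
    return SECONDS_PER_DAY / stamp_delay_s * compromised_fraction * uptime_fraction

def cost_per_stamp_usd(machine_cost_usd, stamp_delay_s, lifetime_days):
    """Amortised hardware cost of one stamp from a dedicated minting box."""
    return machine_cost_usd / stamps_per_day(stamp_delay_s) / lifetime_days

def mint_stamp(recipient, bits, nonce=None):
    """Hashcash-style proof of work (an assumed format, not camram's or Penny
    Black's own): find a counter so that SHA-256("recipient:nonce:counter")
    starts with `bits` zero bits. Expected work is 2**bits hashes; a deployer
    picks `bits` so that this takes about d seconds on typical hardware."""
    nonce = nonce or secrets.token_hex(8)
    counter = 0
    while True:
        stamp = f"{recipient}:{nonce}:{counter}"
        if _leading_zero_bits(stamp) >= bits:
            return stamp
        counter += 1

def verify_stamp(stamp, recipient, bits):
    """Receiver-side check, cheap by design: bound to this recipient and meets
    the target. A real deployment would also reject replayed nonces."""
    return stamp.split(":")[0] == recipient and _leading_zero_bits(stamp) >= bits

def _leading_zero_bits(text):
    digest = int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")
    return 256 - digest.bit_length()
```

With d = 15 s and 350,000 machines the fleet mints the thread's 1.4 million stamps a minute; with hardware_speedup=100 a single box mints 576,000 a day, which is the gap Eric's $15 USB dongle is meant to close for legitimate senders.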

Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project

2003-12-30 Thread Alan Brown
On Tue, 30 Dec 2003, Eric S. Johansson wrote:

  But using your spam size, , the slowdown factor becomes roughly
 73 times.  So they would need 73 machines running full tilt all the time
 to regain their old throughput.

Believe me, the professionals have enough 0wned machines that this is
trivial.

On the flipside, it means the machines are burned faster.

 unfortunately, I think you making some assumptions that are not fully
 warranted.  I will try to do some research and figure out the number of
 machines compromised.  The best No. I had seen to date was about 350,000.

It's at least an order of magnitude higher than this, possibly 2 orders,
thanks to rampaging worms with spamware installation payloads
compromising cablemodem- and adsl- connected Windows machines worldwide.

AB


Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project

2003-12-30 Thread Jerrold Leichter
(The use of memory speed leads to an interesting notion:  Functions that are
designed to be differentially expensive on different kinds of fielded hardware.
On a theoretical basis, of course, all hardware is interchangeable; but in
practice, something differentially expensive to calculate on an x86 will remain
expensive for many years to come.)

In fact, such things are probably pretty easy to do - as was determined during
arguments over the design of Java.  The original Java specs pinned down
floating point arithmetic exactly:  A conforming implementation was required
to use IEEE single- and double-precision arithmetic, and give answers
identical at the bit level to a reference implementation.  This is easy to do
on a SPARC.  It's extremely difficult to do on an x86, because x86 FP
arithmetic is done to a higher precision.  The hardware provides only one way
to round an intermediate result to true IEEE single or double precision:
Store to memory, then read back.  This imposes a huge cost.  No one could find
any significantly better way to get the bit-for-bit same results on an x86.
(The Java standards were ultimately loosened up.)

So one should be able to define a highly FP-intensive, highly numerically
unstable, calculation all of whose final bits were considered to be part of
the answer.  This would be extremely difficult to calculate rapidly on an
x86.

Conversely, one could define the answer - possibly to the same problem - as
that produced using the higher intermediate precision of the x86.  This would
be very hard to compute quickly on machines whose FP hardware doesn't provide
exactly the same length intermediate results as the x86.

One can probably find problems that are linked to other kinds of hardware. For
example, the IBM PowerPC chip doesn't have generic extended precision values,
but does have a fused multiply/add with extended intermediate values.

Some machines provide fast transfers between FP and integer registers; others
require you to go to memory.  Vector-like processing - often of a specialized,
limited sort intended for graphics - is available on some architectures and
not others.  Problems requiring more than 32 bits of address space will pick
out the 64-bit machines.  (Imagine requiring lookups in a table with 2^33
entries.  8 Gig of real memory isn't unreasonable today - a few thousand
dollars - and is becoming cheaper all the time.  But using it effectively on
the 32-bit machines out there is very hard, typically requiring changes to
the memory mapping or segment registers and such, at a cost equivalent to
hundreds or even thousands of instructions.)

-- Jerry


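Jerry's point about x86 intermediate precision, illustrated by an added example that is not part of the thread: a pure-Python model of IEEE round-to-nearest-even shows one addition yielding different final bits when rounded once to 53 bits (SPARC-style strict double) versus rounded to the x87's 64-bit register significand and then stored to a double. The inputs are constructed to land just above a rounding midpoint; exponent range is ignored, which this case does not need.

```python
from fractions import Fraction

DOUBLE_BITS = 53  # IEEE 754 binary64 significand (SPARC-style strict double)
X87_BITS = 64     # x87 extended-precision register significand

def round_to_precision(x, mant_bits):
    """Round the exact rational x to the nearest binary float with `mant_bits`
    significant bits, ties to even (IEEE 754 default). Exponent range is
    ignored (no overflow, no subnormals), which is enough to show the effect."""
    x = Fraction(x)
    if x == 0:
        return x
    sign = -1 if x < 0 else 1
    x = abs(x)
    # exponent e with 2**e <= x < 2**(e+1); the bit-length estimate may be one too high
    e = x.numerator.bit_length() - x.denominator.bit_length()
    if Fraction(2) ** e > x:
        e -= 1
    ulp = Fraction(2) ** (e - mant_bits + 1)   # spacing of representable values near x
    q = x // ulp                                # int: whole ulps below x
    rem = x - q * ulp
    if rem > ulp / 2 or (rem == ulp / 2 and q % 2 == 1):
        q += 1
    return sign * q * ulp

def ieee_double_add(a, b):
    """One operation, one rounding straight to 53 bits."""
    return round_to_precision(Fraction(a) + Fraction(b), DOUBLE_BITS)

def x87_add_then_store(a, b):
    """The x87 path Jerry describes: the add lands in an 80-bit register
    (64-bit significand), then is rounded a second time when stored to a
    double in memory. The two roundings do not always compose to one."""
    wide = round_to_precision(Fraction(a) + Fraction(b), X87_BITS)
    return round_to_precision(wide, DOUBLE_BITS)

# Constructed inputs: the exact sum 1 + 2**-53 + 2**-70 sits just above the
# midpoint between the doubles 1 and 1 + 2**-52. Rounding to 64 bits first
# snaps it onto the midpoint, and the second rounding then goes to even (1.0).
A = 1.0
B = 2.0 ** -53 + 2.0 ** -70
```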

Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project

2003-12-30 Thread Richard Clayton
On Tue, 30 Dec 2003, Eric S. Johansson wrote:

  But using your spam size, , the slowdown factor becomes roughly
 73 times.  So they would need 73 machines running full tilt all the time
 to regain their old throughput.

Believe me, the professionals have enough 0wned machines that this is
trivial.

On the flipside, it means the machines are burned faster.

only if the professionals are dumb enough to use the machines that are
making the stamps to actually send the email (since it is only the
latter which are, in practice, traceable)

 unfortunately, I think you making some assumptions that are not fully
 warranted.  I will try to do some research and figure out the number of
 machines compromised.  The best No. I had seen to date was about 350,000.

It's at least an order of magnitude higher than this, possibly 2 orders,
thanks to rampaging worms with spamware installation payloads
compromising cablemodem- and adsl- connected Windows machines worldwide.

the easynet.nl list (recently demised) listed nearly 700K machines that
had been detected (allegedly) sending spam... so since their detection
was not universal it would certainly be more than 700K :(

and in these schemes, where does our esteemed moderator get _his_ stamps
from ? remember that not all bulk email is spam by any means...  or do
we end up with whitelists all over the place and the focus of attacks
moves to the ingress to the mailing lists :(

<moan>
I never understand why people think spam is a technical problem :( let
alone a cryptographic one :-(
</moan>

-- 
richard  Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin
