Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project
On Tue, 30 Dec 2003, Bill Stewart wrote:

> The reason it's partly a cryptographic problem is forgeries. Once everybody starts whitelisting, spammers are going to start forging headers to pretend to come from big mailing lists and popular machines and authors, so now you'll not only need to whitelist Dave Farber or Declan McCullough if you read their lists, or Bob Hettinga if you're Tim (:-), you'll need to verify the signature so that you can discard the forgeries that pretend to be from them.
>
> You'll also see spammers increasingly _joining_ large mailing lists, so that they can get around members-only features.

This has already happened: Krazy Kevin pulled this stunt 5 years ago on at least one list I was on, joining the list to harvest the most common posters, then spamming using them as sender envelopes after he'd been kicked off.

> At least one large mailing list farm on which I've joined a list used a Turing-test GIF to make automated list joining difficult,

...discrimination against blind users - this is legally actionable in several countries. There is a blind group in the UK taking action against a number of companies for this and the Australian Olympic committee ended up being fined several million AU$ for the same offence in 1999.

> and Yahoo limits the number of Yahoogroups you can join in a day, but that's the kind of job which you hire groups of Indians or other English-speaking third-world-wagers to do for you.

To underscore that point, I've _watched_ cybercafes full of SE asians(*) doing exactly this kind of thing for the princely sum of US$5/day - twice the average wage of the area, even after the cafe fees were deducted.

(*) Philippines and east Malaysia.

AB

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project
At 7:46 PM + 12/30/03, Richard Clayton wrote:

> where does our esteemed moderator get _his_ stamps from ?

A whitelist for my friends, etc...

Whitelist [EMAIL PROTECTED]

Cheers,
RAH

--
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project
At 07:46 PM 12/30/2003 +, Richard Clayton [EMAIL PROTECTED] wrote:

> [what about mailing lists]

Obviously you'd have to whitelist anybody's list you're joining if you don't want your spam filters to robo-discard it.

> <moan> I never understand why people think spam is a technical problem :( let alone a cryptographic one :-( </moan>

The reason it's partly a cryptographic problem is forgeries. Once everybody starts whitelisting, spammers are going to start forging headers to pretend to come from big mailing lists and popular machines and authors, so now you'll not only need to whitelist Dave Farber or Declan McCullough if you read their lists, or Bob Hettinga if you're Tim (:-), you'll need to verify the signature so that you can discard the forgeries that pretend to be from them.

You'll also see spammers increasingly _joining_ large mailing lists, so that they can get around members-only features. At least one large mailing list farm on which I've joined a list used a Turing-test GIF to make automated list joining difficult, and Yahoo limits the number of Yahoogroups you can join in a day, but that's the kind of job which you hire groups of Indians or other English-speaking third-world-wagers to do for you.
Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project
On Tue, 30 Dec 2003, Bill Stewart wrote:

> At 07:46 PM 12/30/2003 +, Richard Clayton [EMAIL PROTECTED] wrote:
> > [what about mailing lists]
>
> Obviously you'd have to whitelist anybody's list you're joining if you don't want your spam filters to robo-discard it.
>
> > <moan> I never understand why people think spam is a technical problem :( let alone a cryptographic one :-( </moan>

It has always been mostly a technical problem, and only partially a social problem.

> The reason it's partly a cryptographic problem is forgeries. Once everybody starts whitelisting, spammers are going to start forging headers to pretend to come from big mailing lists and popular machines and authors, so now you'll not only need to whitelist Dave Farber or Declan McCullough if you read their lists, or Bob Hettinga if you're Tim (:-), you'll need to verify the signature so that you can discard the forgeries that pretend to be from them.

I had to change my (admittedly simple) whitelisting recently, when spammers started using the same domain name we do business under, or the name of partners.

> You'll also see spammers increasingly _joining_ large mailing lists, so that they can get around members-only features. At least one large mailing list farm on which I've joined a list used a Turing-test GIF to make automated list joining difficult, and Yahoo limits the number of Yahoogroups you can join in a day, but that's the kind of job which you hire groups of Indians or other English-speaking third-world-wagers to do for you.

Yep. Spam rates have been creeping up on Debian lists, lately. Another list I'm on having to do with Oracle has been having similar problems.

Who is a meaningful member? That's a tough question, if you don't charge, and if you do, you miss quite a bit, thus lowering the value. Commons, tragedy, etc.

-j

--
Jamie Lawrence [EMAIL PROTECTED]
Those who make peaceful revolution impossible will make violent revolution inevitable. - John F. Kennedy
Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project
Richard Clayton wrote:

> and in these schemes, where does our esteemed moderator get _his_ stamps from ? remember that not all bulk email is spam by any means... or do we end up with whitelists all over the place and the focus of attacks moves to the ingress to the mailing lists :(

He uses the stamp that you generated. Each subscriber adds [EMAIL PROTECTED] as an address they receive mail at. Done. Trivial.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project
Scott Nelson wrote:

> > d*b / s
> >
> > where:
> > d = stamp delay in seconds
> > s = spam size in bytes
> > b = bandwidth in bytes per second
>
> I don't understand this equation at all. It's the rate limiting factor that counts, not a combination of stamp speed + bandwidth.

well, stamp speed is a method of rate limiting. This equation/formula gives you the ratio of performance degradation. So, given d=15, b=49152 (aka 384kbps) and s=1000 the slowdown ratio or factor is 737.28 times over what an unimpeded spammer can send. But as you increase spam size, the slowdown factor declines.

> Assuming 128Kbps up, without a stamp it takes about .6 seconds to send a typical 10K spam. If it takes 15 seconds to generate the stamp, then it will take 15 seconds to send a stamped spam. It won't even take 15.6 seconds, because the calculation can be done in parallel with the sending.

actually, it would take 15 but only because you can be sending one stamped piece of spam at the same time as you're generating the next stamp. But using your spam size, the slowdown factor becomes roughly 73 times. So they would need 73 machines running full tilt all the time to regain their old throughput. It's entirely possible that one evolutionary response to stamps would be to generate larger pieces of spam but that would also slow them down so we still win, kind of, sort of...

> > assuming unlimited bandwidth, if a stamp spammer compromises roughly the same number of PCs as were compromised during the last worm attack (350,000) at 15 seconds per stamp, you end up with 1.4 million stamps per minute or 2 billion stamps per day. When you compare that to the amount of spam generated per day (high hundred billion to low trillion),
>
> Not according to the best estimates I have. The average email address receives 20-30 spams a day (almost twice what it was last year) and there are only 200-400 million email addresses, which works out to less than 10 billion spams per day.

actually, I'm hearing that there are roughly one billion addresses but unfortunately have lost the source. The numbers for spam I'm hearing are on the order of 76 billion to 2 trillion:

  2 tril spams/day: http://www.pacificresearch.org/press/clip/2003/clip_03-05-08.html
  76 bil: http://www.marketinglaw.co.uk/open.asp?A=703

If you have a better source (and I am sure there are some), I would like to hear it.

> But there's a much easier way to do the math. If 1% of the machines on the internet are compromised, and a stamp takes 15 seconds to generate, then spammers can send 50-60 spams to each person. (86400 seconds per day / 15 seconds per stamp * 1% of everybody = 57.6)

unfortunately, I think you are making some assumptions that are not fully warranted. I will try to do some research and figure out the number of machines compromised. The best No. I had seen to date was about 350,000. You can reduce that by factoring in the average amount of time that a compromised machine is on per day.

> I fully expect that stamps will rise in price to several minutes, if camram actually gets any traction.

well, that might be the case but I must have a "who cares" attitude about that. For the most part I rarely send mail to strangers and the stamp generation process is in background. So if it takes several minutes to queue up and send a piece of mail a few times a month, what's the problem? (yes, I know I'm being cavalier)

> Custom hardware? I can buy a network ready PC at Fry's for $199. If it takes that machine 30 seconds to generate a stamp, and I leave it running 24/7, and replace it after 5 months, then the cost of a hashstamp is still less than 1/500 of a snail-mail stamp. Granted it's a significant increase in costs over current email, and therefore potentially a vast improvement, but it's still not expensive.

wrong unit of costs. The stamps still take 15 seconds (give or take) which means approximately 5760 stamps per day.

Hardware acceleration is an attack against stamps by using dedicated hardware to shrink the cost in time of a given size stamp. so, if an evil someone can build an ASIC to shrink the cost of a stamp by 100 times, then mercenary somebody else can build the same functionality and performance as well. Plop it onto a USB interface chip, sell for $15 and balance is restored

---eric

--
Speech recognition in use. Incorrect endings, words, and case is closer than it appears
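To make the stamp mechanics and the cost model concrete, here is an added worked example. It is my code, not code from this thread, from camram or from Penny Black. It mints and verifies a simplified hashcash-style stamp; the verifier accepts stamps addressed to any of the recipient's own addresses, which is Ben Laurie's point above that a subscriber adds the list address so the moderator relays the subscriber's own stamp; and it codes up the d*b/s slowdown ratio, stamps-per-day for a pool of machines, and the minting delay before and after a 100x hardware speed-up that Eric and Scott argue about. The stamp layout `recipient:date:counter`, SHA-256 as the hash, the `list@example.org` address, the date and the hash rates are my assumptions, not the thread's.

```python
# Added example, not code from the camram thread, camram or Penny Black.
# Stamp format, hash choice, addresses and hash rates below are assumptions.
import hashlib


def _leading_zero_bits(digest: bytes) -> int:
    """Leading zero bits of a digest: the proof-of-work measure."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def stamp_work(stamp: str) -> int:
    """Work embedded in a stamp string: leading zero bits of SHA-256(stamp)."""
    return _leading_zero_bits(hashlib.sha256(stamp.encode()).digest())


def mint_stamp(recipient: str, bits: int, date: str = "031230") -> str:
    """Sender side: try counters until the digest has `bits` leading zero
    bits. Expected cost is about 2**bits hashes; there is no shortcut, which
    is the 'stamp delay' d in the thread. Date field is a constructed value."""
    counter = 0
    while True:
        candidate = f"{recipient}:{date}:{counter}"
        if stamp_work(candidate) >= bits:
            return candidate
        counter += 1


class StampVerifier:
    """Recipient side. `addresses` is every address this recipient accepts
    stamps for; a list subscriber adds the list's address here, so mail the
    moderator relays carries a stamp minted by the original poster."""

    def __init__(self, addresses, bits: int):
        self.addresses = set(addresses)
        self.bits = bits
        self.seen = set()  # replay (double-spend) cache

    def verify(self, stamp: str) -> bool:
        parts = stamp.split(":")
        if len(parts) != 3:                    # malformed
            return False
        if parts[0] not in self.addresses:     # minted for someone else
            return False
        if stamp_work(stamp) < self.bits:      # not enough work
            return False
        if stamp in self.seen:                 # already spent
            return False
        self.seen.add(stamp)
        return True


# --- cost model as argued in the thread ------------------------------------

def slowdown_factor(d: float, b: float, s: float) -> float:
    """Eric's ratio d*b/s: stamp delay d (seconds), upstream bandwidth b
    (bytes/s), message size s (bytes). Unstamped over stamped send rate."""
    return d * b / s


def stamps_per_day(d: float, machines: float = 1, duty_cycle: float = 1.0) -> float:
    """Stamps a pool of machines can mint per day at one stamp per d seconds
    each, scaled by the fraction of the day the machines are actually on."""
    return 86400 / d * machines * duty_cycle


def delay_seconds(bits: int, hashes_per_second: float) -> float:
    """Expected minting time for a difficulty on given hardware; a 100x
    faster ASIC cuts it 100x, which is the hardware-acceleration attack."""
    return 2 ** bits / hashes_per_second


if __name__ == "__main__":
    LIST = "list@example.org"  # constructed address
    stamp = mint_stamp(LIST, 16)
    v = StampVerifier({"me@example.org", LIST}, bits=16)
    print(stamp, v.verify(stamp), v.verify(stamp))  # second verify is a replay
    print(slowdown_factor(15, 49152, 1000))          # 737.28
    print(slowdown_factor(15, 49152, 10_000))        # ~73.7
    print(stamps_per_day(15), stamps_per_day(15, 350_000))
    print(delay_seconds(24, 1e6), delay_seconds(24, 1e8))
```

The replay cache is what keeps a spammer from minting one stamp per list and reusing it; without it, the d*b/s model does not hold because one unit of work would buy unlimited sends. The hash-rate figures are made up to show the shape of the arithmetic, not a measurement of any hardware.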
Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project
On Tue, 30 Dec 2003, Eric S. Johansson wrote:

> But using your spam size, the slowdown factor becomes roughly 73 times. So they would need 73 machines running full tilt all the time to regain their old throughput.

Believe me, the professionals have enough 0wned machines that this is trivial. On the flipside, it means the machines are burned faster.

> unfortunately, I think you are making some assumptions that are not fully warranted. I will try to do some research and figure out the number of machines compromised. The best No. I had seen to date was about 350,000.

It's at least an order of magnitude higher than this, possibly 2 orders, thanks to rampaging worms with spamware installation payloads compromising cablemodem- and adsl-connected Windows machines worldwide.

AB
Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project
> (The use of memory speed leads to an interesting notion: Functions that are designed to be differentially expensive on different kinds of fielded hardware. On a theoretical basis, of course, all hardware is interchangeable; but in practice, something differentially expensive to calculate on an x86 will remain expensive for many years to come.)

In fact, such things are probably pretty easy to do - as was determined during arguments over the design of Java. The original Java specs pinned down floating point arithmetic exactly: A conforming implementation was required to use IEEE single- and double-precision arithmetic, and give answers identical at the bit level to a reference implementation. This is easy to do on a SPARC. It's extremely difficult to do on an x86, because x86 FP arithmetic is done to a higher precision. The hardware provides only one way to round an intermediate result to true IEEE single or double precision: Store to memory, then read back. This imposes a huge cost. No one could find any significantly better way to get the bit-for-bit same results on an x86. (The Java standards were ultimately loosened up.)

So one should be able to define a highly FP-intensive, highly numerically unstable calculation all of whose final bits were considered to be part of the answer. This would be extremely difficult to calculate rapidly on an x86. Conversely, one could define the answer - possibly to the same problem - as that produced using the higher intermediate precision of the x86. This would be very hard to compute quickly on machines whose FP hardware doesn't provide exactly the same length intermediate results as the x86.

One can probably find problems that are linked to other kinds of hardware. For example, the IBM PowerPC chip doesn't have generic extended precision values, but does have a fused multiply/add with extended intermediate values. Some machines provide fast transfers between FP and integer registers; others require you to go to memory. Vector-like processing - often of a specialized, limited sort intended for graphics - is available on some architectures and not others. Problems requiring more than 32 bits of address space will pick out the 64-bit machines. (Imagine requiring lookups in a table with 2^33 entries. 8 Gig of real memory isn't unreasonable today - a few thousand dollars - and is becoming cheaper all the time. But using it effectively on the 32-bit machines out there is very hard, typically requiring changes to the memory mapping or segment registers and such, at a cost equivalent to hundreds or even thousands of instructions.)

-- Jerry
Re: [camram-spam] Re: Microsoft publicly announces Penny Black PoW postage project
> On Tue, 30 Dec 2003, Eric S. Johansson wrote:
>
> > But using your spam size, the slowdown factor becomes roughly 73 times. So they would need 73 machines running full tilt all the time to regain their old throughput.
>
> Believe me, the professionals have enough 0wned machines that this is trivial. On the flipside, it means the machines are burned faster.

only if the professionals are dumb enough to use the machines that are making the stamps to actually send the email (since it is only the latter which are, in practice, traceable)

> > unfortunately, I think you are making some assumptions that are not fully warranted. I will try to do some research and figure out the number of machines compromised. The best No. I had seen to date was about 350,000.
>
> It's at least an order of magnitude higher than this, possibly 2 orders, thanks to rampaging worms with spamware installation payloads compromising cablemodem- and adsl-connected Windows machines worldwide.

the easynet.nl list (recently demised) listed nearly 700K machines that had been detected (allegedly) sending spam... so since their detection was not universal it would certainly be more than 700K :(

and in these schemes, where does our esteemed moderator get _his_ stamps from ? remember that not all bulk email is spam by any means... or do we end up with whitelists all over the place and the focus of attacks moves to the ingress to the mailing lists :(

<moan> I never understand why people think spam is a technical problem :( let alone a cryptographic one :-( </moan>

--
richard
Richard Clayton

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. Benjamin Franklin