Jargons of Info Tech industry


Roedy Green

HTML is a problem on *other* people's crappy software as well. It
wasn't designed to carry code content, but has been hacked up to do
that.

It seems to me it goes without saying that you cannot trust code from
strangers, especially anonymous strangers. You simply don't run code
sent in email except from highly trusted individuals. If you do, that
is YOUR fault for being such a silly ass not the mail system's ability
to deliver code. It is as stupid as running code that came as an
attachment.

One of the ideas I play with in my essay is that you could insist
your correspondents have digital id certificate signed by Thawte or
other CA attesting to their identity, thus giving you legal recourse
against them if they send you spam, Trojans etc.

This would slow them down with requests for permission to send. They
could send only one per certificate. The cost and hassle of getting
the certificate could deter them, and uniquely identify them for
blocking and public black lists.
 

axel

It seems to me it goes without saying that you cannot trust code from
strangers, especially anonymous strangers. You simply don't run code
sent in email except from highly trusted individuals. If you do, that
is YOUR fault for being such a silly ass not the mail system's ability
to deliver code. It is as stupid as running code that came as an
attachment.
One of the ideas I play with in my essay is that you could insist
your correspondents have digital id certificate signed by Thawte or
other CA attesting to their identity, thus giving you legal recourse
against them if they send you spam, Trojans etc.
This would slow them down with requests for permission to send. They
could send only one per certificate. The cost and hassle of getting
the certificate could deter them, and uniquely identify them for
blocking and public black lists.

Plus being a total pain for legitimate correspondents and also expensive.

I don't know how much spam other people receive but on one account I
hardly receive any as I reserve it for friends and business. On another
I had about 40 spam messages which took all of ten seconds to delete.
Hardly a serious matter.

Axel
 

Mike Meyer

I don't know how much spam other people receive but on one account I
hardly receive any as I reserve it for friends and business. On another
I had about 40 spam messages which took all of ten seconds to delete.
Hardly a serious matter.

You don't have a spam problem. I get a few thousand spams a day -
which get filtered down to a handful. I don't have a spam problem.

Jeff Poskanzer, now *he* has a spam problem. He gets a few million
spams a day: <URL: http://www.acme.com/mail_filtering/ >.

For anyone who runs an ISP, spam is chewing up an ever-growing
percentage of their bandwidth, and a significant fraction of their
staff time. They have a spam problem.

But me and you, we don't have a spam problem. At most it's an
annoyance.

<mike
 

Steven D'Aprano

I don't know how much spam other people receive but on one account I
hardly receive any as I reserve it for friends and business. On another
I had about 40 spam messages which took all of ten seconds to delete.
Hardly a serious matter.

Can I remind you that spam is approximately 70% of all email traffic these
days? Most of that is blocked by the ISPs, but even so you are obviously
one of the lucky few.

My home address, which I cunningly will not give you, used to get about
fifty spams a day until I changed ISPs and email addresses. That would
quadruple for a week or so whenever one of my Windows-using friends would
get infected by a virus. My current home address only gets about one a
month, which is what I consider acceptable.

My work email address, on the other hand, is another story. We run a two
layer defence: blocking blacklisted addresses at our mail server, and spam
assassin at the individual user level. Even with that, I get about 100
spams a day delivered into my inbox, although many of those are addressed
to generic email addresses which are automatically forwarded to me.

Four years ago, one of our sys admins accidentally turned off the
blacklisting at the mail server. In the ten minutes it took to get it
turned back on, the CEO of our company received eight hundred spams.
 

Roedy Green

Plus being a total pain for legitimate correspondents and also expensive.

First understand that you only have to get permission to send once.
That carries on until revoked. Permission gives me an encryption key
and permission to send mail to you.

Also I envision by the time this comes into being most people will be
24-7 attached.

So let's say I decide to send an email to Donald Knuth. I compose my
one line introduction. I compose my email and walk away. Without
further hassle on my part, either my mail will be delivered, or will
be rejected or it will sit in limbo until Dr. Knuth gets time to
decide. If he rejects my plea, my mail will never arrive at his site.

Presumably Dr. Knuth would configure his software to accept only pleas
from people with digital ids, and further to accept at most one plea
from them and to remember his no for at least a year.
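
The recipient-side policy described in the post above, sketched as an added example that is not part of the original post or of any real mail system. `PermissionGate` and its method names are hypothetical, `cert_id` stands for an identity already verified against a CA-signed certificate (verification is not shown), and treating a revocation like a refusal is an assumption.

```python
from dataclasses import dataclass, field

YEAR = 365 * 24 * 3600  # "remember his no for at least a year", in seconds


@dataclass
class PermissionGate:
    """Hypothetical model of one recipient's plea/permission state."""
    granted: set = field(default_factory=set)    # cert ids allowed to send
    refused: dict = field(default_factory=dict)  # cert id -> time of refusal
    pending: dict = field(default_factory=dict)  # cert id -> one-line introduction

    def plea(self, cert_id, intro, now):
        """Handle a request for permission; cert_id is None for anonymous senders."""
        if cert_id is None:
            return "rejected: no digital id"
        if cert_id in self.granted:
            return "already permitted"
        if cert_id in self.refused and now - self.refused[cert_id] < YEAR:
            return "rejected: refusal remembered"
        if cert_id in self.pending:
            return "rejected: one plea per certificate"
        self.refused.pop(cert_id, None)  # an old refusal has expired
        self.pending[cert_id] = intro    # waits until the recipient decides
        return "in limbo"

    def decide(self, cert_id, accept, now):
        """The recipient answers a pending plea."""
        self.pending.pop(cert_id)
        if accept:
            self.granted.add(cert_id)
        else:
            self.refused[cert_id] = now

    def revoke(self, cert_id, now):
        """Permission lasts until revoked (assumption: then handled as a refusal)."""
        self.granted.discard(cert_id)
        self.refused[cert_id] = now

    def deliver(self, cert_id):
        """Mail is transported only for senders holding permission."""
        return cert_id in self.granted
```
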
 

Paul Rubin

Roedy Green said:
So let's say I decide to send an email to Donald Knuth.

Good luck. Prof. Knuth stopped reading email years before there was a
big spam problem. He uses his own version of hashcash to cut down on
unimportant mail: if you want to write to him, you have to send him
snail mail, which means buying and using an actual postage stamp.

I do something like that, sort of. I no longer publish an email
address, including on business cards and so forth. I have a contact
url that I give out instead, which keeps me off mailing lists.
 

Casper H.S. Dik

Can I remind you that spam is approximately 70% of all email traffic these
days? Most of that is blocked by the ISPs, but even so you are obviously
one of the lucky few.

95% - 99% of all email, not 70% (just ask your ISP).

A large percentage of the cost of email is the cost of getting
rid of SPAM; and that cannot happen without collateral damage in the
form of lost valid email, not just because of improper filtering but
also because the more layers are there to touch the email the bigger
the chances that it does not arrive.

My work email address, on the other hand, is another story. We run a two
layer defence: blocking blacklisted addresses at our mail server, and spam
assassin at the individual user level. Even with that, I get about 100
spams a day delivered into my inbox, although many of those are addressed
to generic email addresses which are automatically forwarded to me.

Same here: Sun probably tosses 99% of the email directed at me, yet
I get well over 100 spams/day.

Casper
 

Mike Meyer

Casper H.S. Dik said:
95% - 99% of all email, not 70% (just ask your ISP).

A large percentage of the cost of email is the cost of getting
rid of SPAM; and that cannot happen without collateral damage in the
form of lost valid email, not just because of improper filtering but
also because the more layers are there to touch the email the bigger
the chances that it does not arrive.

I'd like to take this opportunity to correct myself. I said that I
(and another poster) "didn't have a spam problem". That's wrong. We
don't *appear* to have a spam problem, but that's just an
illusion. Our ISPs are spending money - as indicated by Mr. Dik - on
filtering spam. They're also spending money to deal with complaints
about spam from their customers - in both senses of the sentence, and
to pay for the bandwidth the spam is eating up. The bulk providers
they buy their bandwidth from also have higher costs to provide
bandwidth for spam.

These costs are passed on to us. So while we may not have an obvious
spam problem, we have one in the sense that spam takes money from our
pockets.

<mike
 

Roedy Green

Jeff Poskanzer, now *he* has a spam problem. He gets a few million
spams a day: <URL: http://www.acme.com/mail_filtering/ >.

It is a bit like termites. If we don't do something drastic to deal
with spam, the ruddy things will eventually make the entire Internet
unusable.

The three keys to me are:

1. flipping to a digital id based email system so that the sender of
any piece of mail can be legally identified and prosecuted.
If every piece of anonymous email disappeared that would go a long way
to clearing up spam. Let those sending ransom notes, death threats
and hate mail use snail mail. As a second best, correspondents are
identified by permission/identity/encryption keys given to them by
their recipients.

2. flipping to a sender pays system so that the Internet does not
subsidise spam.

3. Mail is not transported without prior permission. The receiver can
turn that permission on and off any time he chooses. This is
basically an automated version of what Zaep does where the sender is
not consciously aware of the permission-getting step.
 

Roedy Green

That's the worst of all. I certainly don't want my mail reader
opening network connections to arbitrary places when I read my mail.
I have no willingness at all to reveal my mail reading habits or IP
address to everyone who sends me email.

Obviously you can't trust anything code-like that arrives from
strangers. It is an extension of the law Mommy laid down not to take
candy from strangers.

However, formatted text is not code. Pictures are not code. It is
unfair to tar them with the brush of JavaScript or the goofy things
Outlook does with enclosures.
 

Tim Tyler

In comp.lang.java.programmer Mike Meyer said:
It's not confined to just people - software can do this as well. In
particular, you should expect that the user's mail agent will have to
have access to the key, so it can automatically send out the change of
address notice when the user changes their address (it actually needs
it to send any mail). Viruses regularly make users' mail agents do
things. "Change my address" becomes much more entertaining when that
triggers sending out change of address notices to everyone in the
address book. More likely, though, there'll be an API for getting the
key so that users can change mail agents without invalidating the
public key that everyone they correspond with has for them, and the
virus will just use that API.

Viruses can mail out change of address messages to everyone in the
compromised machine's address book today.

Of course, viruses don't bother doing that - since it's stupid and
pointless.

If you've compromised someone's machine there are typically lots more
rewarding things to do with it than spoof change-of-address notices.

Top of the cracker's list seems to be:

* Attack organisations;
* Relay spam;
* Attempt to compromise other machines;
 

Roedy Green

Don't think that that is true for everybody. For example not for people
that are behind central filters that already cope with common spam.

The variants of the Nigerian spam are getting cleverer and cleverer to
get through the filters. I can't always immediately recognise them. No
wonder the spam filter gets fooled too.

We victims of spam collectively are about the silliest of victims
imaginable. We provide a FREE service to the spammers to torment us
with. WE SUBSIDISE THEM. It costs them almost nothing to send a spam,
and even at the weakest response percentages they still make money.

It is almost like providing ladders and setting out cookies and milk
for the burglars.
 

Roedy Green

Sheesh Roedy, to listen to you go anyone would think that human
communication was impossible before HTML email was invented.

People got along fine wearing untanned moosehides too. I don't see
any advantage in wearing a hair shirt. That is an unnatural way to
talk.

I know hundreds of people who would have not the tiniest clue what
that email meant. You are indeed fortunate to have landed such a
wife.
 

Dave Hansen

On Wed, 12 Oct 2005 21:44:22 GMT, Roedy Green

[...]
Obviously you can't trust anything code-like that arrives from
strangers. It is an extension of the law Mommy laid down not to take
candy from strangers.

However, formatted text is not code. Pictures are not code. It is
unfair to tar them with the brush of JavaScript or the goofy things
Outlook does with enclosures.

http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

Summary: a buffer overflow problem in Microsoft's JPEG rendering
library, used by almost all Windoze email and web clients, would allow
an attacker to execute any arbitrary code he wished on your computer
simply by tricking you into viewing a doctored JPEG image. Since
solved (this problem is _so_ last year, dahling), but it belies your
assertion that "pictures are not code."

Regards,

-=Dave
 

Roedy Green

Oh gosh, pictures of a new house. Why didn't you say so??? If you're
sending pictures named "my_new_house1.jpg" etc then OF COURSE they have
to be imbedded in a HTML email, otherwise how could anyone know what they
were?

I suppose you subscribe to the shoebox theory of picture handling.
Just dump them in a box. It is OBVIOUS what they are. Go back to them
years later, and you would be surprised how baffling they can be, or
if the next generation wants to understand them.

You suggest there is something nefarious about wanting to caption and
share images by email. Why NOT?
 

Roedy Green

"I don't understand that attitude. Don't we want email that has dancing
bears, cute little videos, musical tunes, animated waving hands, sixty
fonts, and looks like it's been done with crayolas? Good grief, man,
think like a three year old!"

That excuse could also be used to explain why you have not cracked a
book since high school. The same tools that create dancing bears can
do a UML diagram.
 

Roedy Green

Nah, I've just known people who spend a lot of time - and money -
dealing with spam, and we've discussed these issues at great
length. You haven't proposed anything that hasn't been proposed
before, and rejected for various reasons.

As if what we are living with now were preferable to what I propose.
It is inertia. It is herd mentality that dare not leap out of the
current rut. It is not a particularly difficult technical problem. It
is figuring out how to get people to switch over.
 
