[3294] in WWW Security List Archive

Longish tangent to Re: you creeps

daemon@ATHENA.MIT.EDU (Ray Kaplan)
Fri Oct 18 12:19:09 1996

Date: Fri, 18 Oct 1996 08:44:25 -0500
From: Ray Kaplan <ray@rayk.com>
In-reply-to: <9610161812.AA8611@moe.iris.com>
To: Www-Security@ns2.rutgers.edu
Cc: Charlie_Kaufman/Iris.IRIS@iris.com, jms@Opus1.COM, sales@innosoft.com
Errors-To: owner-www-security@ns2.rutgers.edu

On Wed, 16 Oct 1996 10:46:07 -0400 (EDT),
Charlie_Kaufman/Iris.IRIS@iris.com writes:

>>Is there *anything* that can be done about this? This list has been
>>helpful for me and I'd hate to have to unsub, but I'm real tired of
>>wasting time and bandwidth on this infantile nonsense.
>
>In the long run, the solution is an intelligent mailbox and mail
>signing (ala PGP). If signed mail became nearly universal, you
>could instruct your mailbox to silently discard unsigned mail, and
>even figure out ways to choose to screen advertising and perhaps
>dirty words. Hopefully, this could be integrated in a way that makes
>filtering take place upstream so as not to waste expensive
>bandwidth.

Yep - using the tools and disciplines of security and meeting business goals
as guidance.  While I have never seen a commercial mail system with all of
these bells and whistles, I do know people who survive several hundred
mailing lists by using a fairly simple set of programs / scripts to do this
work in lieu of a robust, commercial product.  My fav example is a friend
who used the API to VMS mail to build a configurable set of tools that ran
against received mail - sorting everything as needed...  Imagine a context
sensitive, content filter...  In my experience, a traditional CEO (from the
old guard) is a perfect example.  Some of them wouldn't touch a keyboard
if their life depended on it.  Instead, their "executive secretary" reads
their mail and filters it.

Maybe we could marry mail, news, web stuff, some programs, and a script or
two in a way that could be an "executive secretary."  Sophisticated user
mail agents / mailers (such as PMDF by Innosoft @ http://www.innosoft.com/)
have mechanisms to build most everything you need if you have a mail host
that can offer the flexibility of appropriate support mechanisms.  I keep
hope'n and dream'n, but it looks like this will only get solved if someone
takes some "solve the security and business problems" into the mail space
in a serious way.

As a for instance, consider that http://www.opus1.com has the seeds of such
a capability in their anti-mail spam tool.  When I asked them about the
ability to make it a whoop-te-do "executive secretary", the response was:
"please bring a customer with money, as we are busy paying the bills..."
On the "ultimate tool" edge, if you give me a reasonable system, some AI
tools, a good relational DB, a competent team, and some money... - I could
even get something built ;)

As always, we (as computer nerds) don't seem to have much influence on what
products are built by our companies - else, we'd 'a had this "executive
secretary" a long time ago -- just so we could keep our own sanity.  If top
management would just stop pretending that they are "having a nice day in
the neighborhood" (a la the Mr. Rogers' Neighborhood TV show) here in
global villageland, this would have already happened.  As it is, we have a
real mess.  They are not paying attention to the costs associated with
things like the serious business and security issues -- never mind the ugly
stuff that clutters our lives (as their techies.)  Someone needs to tell
them "HEY!  You want the wonders of the global village - you gotta pay to
build the support for it so your business / security needs are met - end of
story."

>In the short run, partial solutions include hunting down the
>perpetrators (who often aren't clever enough to hide their
>tracks even though it isn't hard).

Indeed, but only the pedestrians get stopped - not that anyone can *really*
hide, it's just that this is only a partial solution as you said.

For those who don't know, Charlie is quite a famous fellow in the land
where attention to serious business and security is the rule.  For a look
at the security side of this mail mess (and its peripheral issues /
tangents / underlying principles), consider adding his book to your shelf:

Network Security - Private Communication in a Public World.  Charlie
Kaufman, Radia Perlman, Mike Speciner - Prentice Hall, 1995, ISBN
0-13-061466-1.

While not an easy read (due to the detail they painstakingly present), it
is one of the more witty, fun, accurate, complete, detailed treatments out
there.

>A painful partial solution is
>to have a moderated list so such messages only annoy
>the moderator.

I think that I could even build something that identified and dealt with
flame wars - consider a configurable filter that identified the thread and
kept it out of your way unless you wanted to read it.  Might not even want
to throw it away since such threads often (although not as often as might
be the case with good tools) contain kernels of golden stuff.  I think the
hard part is codifying the mail / news / www cultures in a configurable
way -- NOT the actual building or implementation of it all.  Adding the
reality that mailing lists need to be added to this mess somehow, makes it
an interesting problem - eh? Yep.

As an example, try writing even a little pseudo code to detect and handle
the spoofing thread and the other noise on this list.  Ugly.

>It's a partial solution because the spammer
>can always assemble his own list.

Indeed - however, as a mailing list reader, I'd like the option to go
somewhere and look at the stuff that the moderator (or a filter) did not
send to the list at large.  Wouldn't you like to see the pile of "letters
to the editor" that were rejected for publication by your local newspaper?
At least, I'd like the option to see "rejected posts" as I was interested,
from time to time.

Also, consider the ugly problems in the directory world.  I've lost the
battle for access control in that arena many times. In my perfect world,
posters even have the option of anonymity while being formally held to the
rules that the list's "owner" (moderator...) dictates.  That way, even a
spammer who wants to build their own list has an onerous task = defeat the
controls on an anonymity mechanism that is properly designed and implemented.

Finally, I think that browser and tool suppliers (such as MS, Netscape...)
are on the right track with their global architecture for the "browser as
the desk top."  In my perfect world, they sell me a $100 browser that
offers built-in capabilities to accommodate any tools you want to plug in.
Yes, between MS and Netscape - there are the seeds of this.  However, no
one (that I know of) has taken this back up into an over-all architecture
for dealing with the information age -- although the low-level stuff does
exist in spades.  However, it's ugly.  Consider that while idioms such as
DCE, SESAME... have the required, basic architectural framework - their
implementation and deployment make even the most disciplined business and
security goal directed people pull their hair out and give up to save their
sanity / cash... Mind expanding reads are found in the depths of the rich
collection of many threads (objects, the original SESAME stuff...) I can't
find it on my shelf, but some of the SESAME work even includes a
multi-volume set of small books that show you how to reengineer a business
so that you have the business and security basics needed to build and
support something like an electronic "executive secretary."

>Personally, I'd happily put up with a few infantile messages if I
>could figure out a way to screen out the much larger earnest well
>meaning discussion that inevitably follows

'Zackly - but, as an option, right?

>(like this message
>-- sorry).

This message fits in that category as well - however, your apology is not
accepted ;)

... Now, where exactly IS the top of my desk....  We now return you to your
regularly scheduled programming ;)

RayK
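An added example (not part of Ray Kaplan's post, nor code from PMDF, Opus1 or any other product named in it) of the "executive secretary" filter the thread keeps circling: unsigned mail is set aside as the quoted reply proposes, a configured flame-war thread is diverted into a "held" pile the reader can still open later, and the rest reaches the inbox. The muted thread name, the signature check and the three sample messages are all constructed for the illustration.

```python
"""Constructed 'executive secretary' mail sorter (added example, not the list's code)."""
import re
from email import message_from_string

# Constructed configuration: thread subjects the reader wants kept out of the way.
MUTED_THREADS = {"you creeps"}

def normalize_subject(subject):
    """Drop Re:/Fwd: prefixes and case so every reply maps to one thread key."""
    s = subject or ""
    s = re.sub(r"^\s*((re|fwd?)\s*:\s*)+", "", s, flags=re.I)
    return s.strip().lower()

def is_signed(msg):
    """Assumption for the example: a multipart/signed body or an inline PGP
    clearsign header counts as 'signed'.  No signature is verified here."""
    if msg.get_content_type() == "multipart/signed":
        return True
    body = msg.get_payload() if not msg.is_multipart() else ""
    return "-----BEGIN PGP SIGNED MESSAGE-----" in body

def classify(raw):
    """Return 'unsigned', 'held' (muted thread) or 'inbox' for one raw message."""
    msg = message_from_string(raw)
    if not is_signed(msg):
        return "unsigned"          # set aside rather than silently discarded
    if normalize_subject(msg["Subject"]) in MUTED_THREADS:
        return "held"              # still readable on demand, never thrown away
    return "inbox"

# Constructed sample traffic; signature blocks are placeholders, not real PGP output.
PGP = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n%s\n"
       "-----BEGIN PGP SIGNATURE-----\nplaceholder\n-----END PGP SIGNATURE-----\n")
SAMPLES = {
    "flame": "From: a@example.com\nSubject: Re: Re: you creeps\n\n" + PGP % "still mad",
    "spam": "From: b@example.com\nSubject: MAKE MONEY FAST\n\nbuy now\n",
    "real": "From: c@example.com\nSubject: Re: cookie expiry\n\n" + PGP % "a question",
}

def sort_mail(samples):
    """Map each pile name to the ids of the messages that landed in it."""
    piles = {"inbox": [], "held": [], "unsigned": []}
    for name, raw in samples.items():
        piles[classify(raw)].append(name)
    return piles

if __name__ == "__main__":
    for pile, names in sort_mail(SAMPLES).items():
        print(pile, names)
```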
