October 06, 2003
Using Identity to Fight Spam
An article in today's NY Times (free registration required) discussed the use of identity in fighting spam. It seems that companies that send out lots of legitimate email are increasingly getting caught in SPAM filters and the mail is not getting delivered. I can sympathize with that. This last month, I did not receive a prescription renewal notification from MedCo Health because their reminder was filtered out. I also nearly missed an invitation to speak (part of my livelihood) because the email seemed like SPAM, even though it was legitimate. I control my own SPAM filter, so fixing these was easy, but what about the person who's at the mercy of their ISP?
The basic idea is that it might be easier to identify legitimate emails than the SPAM. This is something like Caller-ID for email. What's required is a way to identify the sender of the email. There are several ways to do this:
- Use some kind of email client certificate that has been identity proofed. I wrote about such a scheme in August.
- The second is to create a registry for email servers themselves and only identify the email servers.
The choice is between comprehensive and quick. The second choice would increase the burden on people who operate their own mail servers (like me), but it wouldn't be such a big deal, I suppose. Having certificates for every email user would be a bigger cost and more difficult to implement, but would allow finer-grained control.
DNSSEC is a related solution. Knowing the domain with a degree of assurance cuts down on the effectiveness of worms, viruses, and so on. It also makes it easier to hold SPAMmers accountable.
Accountability is a more effective means to deal with SPAM than enforcement. Ultimately, what makes society work is that we're free to do what we want, but when we screw up, someone finds us and holds us accountable. Enforcement requires larger infrastructure than accountability does. As Dan Geer says, "accountability is a log processing problem."
That raises an important issue: trust. From the Times article:
There is also a growing agreement that it is not enough for an e-mail sender to identify itself. The sender must also earn the trust of e-mail recipients, by promising to follow certain standards and having violations tallied and published. That would let people choose to discard mail from senders with high complaint rates. "Just because we can verify your identity doesn't mean you send good email," said Miles Libbey, the manager for antispam products at Yahoo. "You absolutely need identity and you also need reputation."
The problem with reputation is that it can be unfairly sullied. There's a system like this already called SPEWS (recently shut down) that keeps a blacklist of mail servers that have been used for SPAM. I host at Verio and someone on the same virtual server I use apparently did something to get on the SPEWS list. This meant that my mail server was on the list as well (since virtual servers share IP addresses). A number of emails I sent got bounced before the problem was resolved. Any system that does this needs to be based on identity as well as reputation. The problem with SPEWS is no identity. I can't uniquely identify my server from the problem server. There's no one to vouch for me in the SPEWS world.
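The difference between reputation keyed on IP address and reputation keyed on sender identity can be shown with a small tally. This is an added example, not code from the post or from SPEWS; the domains, addresses, complaint threshold and minimum sample size are constructed, and each sender identity is assumed to have already been verified by one of the schemes listed above.

```python
from collections import defaultdict

# Constructed sample: (source_ip, verified_sender_identity, recipient_complained)
# Two tenants share one virtual-server IP (documentation range 192.0.2.0/24).
DELIVERIES = (
    [("192.0.2.10", "bulk.example", True)] * 40
    + [("192.0.2.10", "bulk.example", False)] * 60
    + [("192.0.2.10", "smallblog.example", False)] * 25
    + [("198.51.100.7", "pharmacy.example", True)] * 1
    + [("198.51.100.7", "pharmacy.example", False)] * 199
)

COMPLAINT_THRESHOLD = 0.10  # assumed policy: discard above 10% complaints
MIN_SAMPLES = 20            # assumed: do not judge a sender on too little mail


def complaint_rates(deliveries, key_index):
    """Tally complaints per key (0 = IP, 1 = verified identity)."""
    sent = defaultdict(int)
    complaints = defaultdict(int)
    for record in deliveries:
        key = record[key_index]
        sent[key] += 1
        complaints[key] += record[2]
    return {k: complaints[k] / sent[k] for k in sent if sent[k] >= MIN_SAMPLES}


def blocked(deliveries, key_index):
    """Return the set of keys whose complaint rate exceeds the threshold."""
    rates = complaint_rates(deliveries, key_index)
    return {k for k, rate in rates.items() if rate > COMPLAINT_THRESHOLD}


def collateral(deliveries):
    """Identities that are clean on their own record but sit on a blocked IP."""
    bad_ips = blocked(deliveries, 0)
    bad_ids = blocked(deliveries, 1)
    on_bad_ip = {ident for ip, ident, _ in deliveries if ip in bad_ips}
    return on_bad_ip - bad_ids


if __name__ == "__main__":
    print("blocked by IP:      ", sorted(blocked(DELIVERIES, 0)))
    print("blocked by identity:", sorted(blocked(DELIVERIES, 1)))
    print("collateral damage:  ", sorted(collateral(DELIVERIES)))
```

Keyed on IP, the clean tenant on the shared address is discarded along with the bulk sender; keyed on identity, only the sender with the high complaint rate is.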
02:33 PM
ICANN Calls Verisign on the Carpet
Numerous people reacted with outrage over Verisign's DNS wildcard scheme. Apparently ICANN did too. Friday, Verisign announced that it will suspend the service so both sides can discuss it. From the InfoWorld story:
The controversial Site Finder service unveiled on the Internet last month by VeriSign Inc. was temporarily suspended by the company late Friday after the Internet Corporation for Assigned Names and Numbers (ICANN) demanded that the feature be halted immediately due to concerns about its effects on the Internet. In an announcement late Friday afternoon, Mountain View, Calif.-based VeriSign, which oversees the main Internet database of .com and .net domain names, said it will suspend the service to provide time for both sides to discuss and resolve the matter.
When no one's in charge, this sort of thing is bound to be a problem. Mind you, I'm not advocating that someone should be in charge, but it's interesting that even though there was general outrage within the tech community about this, there was little anyone could do. ICANN is well positioned to force a change. I'm glad they stepped in.
01:50 PM
Share Documents Safely
Information security has traditionally been handled at the network perimeter, its focus on defending the edge of the organization with firewalls and hardened servers. Cyber-Ark's Inter-Business Vault takes an alternative approach, storing sensitive data in digital vaults that -- by limiting data access channels and encrypting data on disk and in transit -- provide extraordinary security.
A bank, for example, could use Inter-Business Vault to share lock-box, automated clearing house, and account reconcilement processing records with its commercial customers. These processes have traditionally been done using homegrown applications that integrate FTP with encryption, couriers, faxes, VPNs, and leased lines. Not only are such solutions difficult to deploy and hard to automate, but they're also difficult to analyze and, hence, to trust. [Full story at InfoWorld...]
This is not the usual kind of product I review. Wayne Rash asked me to do it and it sounded interesting. What I got was an education in Windows security and that was well worth the price of admission. The first part of the installation, and indeed the part that consumes 90% of getting the product running, consists of updating Windows, uninstalling things from Windows, turning off services, and making registry changes. When you're done, you've got a very locked-down box. Installing the Inter-Business Vault adds just those services that the vault controls.
A word of warning: this product takes a dedicated machine. Nothing else runs and any network communication with the machine other than that supplied by the vault is verboten. Even the CD is disabled. In a production environment, this is exactly what you want, but it had some unintended consequences for me. First, I started working on this review in July and then got interrupted by some other things. As a result, the laptop I used for the testing was completely unavailable to me for the better part of six weeks. The other problem I had to solve was getting the screen shots off the machine. I had to stick the JPEGs in the vault and use the vault's Web interface to transfer them to my Ti-book.
Of course, security comes through process, not products:
With so many ways to access and modify files in the Vault, and the ability to delegate authorizations, Inter-Business Vault makes file sharing much easier. In fact, the hardest part of using Inter-Business Vault isn't deploying and operating the product -- it's creating an identity management strategy that correctly accounts for documents and other resources in need of protection, for the people who will access them, and for the authorizations that each person has with respect to the resources. Installing the Vault will only make data more secure if the right data is kept in the vault and users are permitted access only to the data they need. If an enterprise understands how it will manage resources and users, and puts useful policies in place, Inter-Business Vault can be a critical piece of infrastructure for securely sharing files with employees, customers, and partners.



