Hacking Web Services 228
siduri writes "Udi Manber, chief scientist at Yahoo!, gave a great talk on the kinds of hacks that Yahoo sees at the IEEE's Symposium on Security and Privacy. I wrote an overview of his talk for Dr. Dobb's Journal. While some of the message is well-known stuff (like that people will spend a lot of time hacking the most trivial things), the details of what Yahoo has to deal with are really pretty interesting."
Google Hackers (Score:5, Funny)
Re:Google Hackers (Score:2, Funny)
Google Hacked by Dilbert! [google.com]. They've upped their attacks to daily!
Re:Google Hackers (Score:2)
sounds like.... (Score:3, Funny)
hmm. sounds like they're describing karma whores
Terminology (Score:3, Insightful)
Re:Terminology (Score:3, Informative)
Because it's so much easier than actually fixing anything.
i am a penny-stealer (Score:3, Insightful)
my personal site (which is [pbump.net]) grabs headlines and quotes from yahoo for my personal use using a perl script. solution? simple.
yahoo (like the record companies) should provide a resource for me to get this text cheaply (and quickly), and i'll pay them for it. the demand is there. basic economics dictates that people provide a supply.
now, i understand they are talking about thieves, on the whole, but it seems easy enough to track massive hits from another server and then to block it. i mean, it's 2002. let's fix these problems.
Re:i am a penny-stealer (Score:2)
No you're not (Score:2)
Yes (Score:2)
Re:i am a penny-stealer (Score:1)
The example he used was screen scraping a map of yahoo.
It's nice to see google embrace this concept [google.com].
Re:i am a penny-stealer (Score:5, Insightful)
Often, it's not a matter of restricting access. The description of the E-Bay situation where other people would generate bad logins as a competitor to lock them out is a good example. You need to provide this functionality, to keep from having your client's accounts broken into. Yet, that very policy can be used effectively as a denial of service against your clients.
I run into sysadmins who assume that issues are binary--something is bad, cut it off; something is good, allow it. Usually more complex applications require much more of an understanding of a balance between business functionality and security. In the case of E-Bay and user lockout, there is no exact solution--you need to satisfy two opposing interests--so you make a compromise between the two and try to forge a workable solution.
I think the biggest challenge for the security community will be how to modify their practices (and others') to be able to quantify risk in applications so that businesses can make good functional decisions. Security teams have largely focused on perimeter security and things like web parameter checking, but they don't usually stray into the gray area of functional requirements--or if they do, usually only to, as some have put it, cut the wings off flies.
So, to get back to the original point of the post--it's not so easy to solve as just blocking traffic. Nope, sorry, it's a lot more work than that.
Re:i am a penny-stealer (Score:2)
but that negates my whole argument! be compassionate!
Re:i am a penny-stealer (Score:4, Informative)
In the case of E-Bay and user lockout, there is no exact solution
In this case, a lockout that is specific to remote address or address block might be useful. Add in some checks for stuff like AOL (different IP each connect and a pile of users) and dialup blocks (lockout a class C network for that login to frustrate redial attempts) and keep stats on where a user comes from (repeated attempts from a commonly used net block may be treated more leniently and trigger an email to the user's registered address, whereas an unusual address generates a longer lockout and no email to the user).
Re:i am a penny-stealer (Score:2)
However, that means that anyone can lock the account after n tries
Anyone can lock an account from their source IP block. You can make things more interesting by trying to block their IP block maliciously, but this works only if you know where they live and they use some national ISP (unless you want to spend $20 to lock them out for 30 minutes). It won't work at all for me unless you manage to hack my home box.
The point being, if you lock based on the source IP of failed attempts, you will pay more in resources to handle logins, but you will gain more ability to shut out malicious people while not affecting the legitimate users.
Re:i am a penny-stealer (Score:2, Interesting)
Re:i am a penny-stealer (Score:1)
I'll provide you access to my yahoo headline-grabbing service for $10/day... what a deal!
Access To Manber's Paper...And More (Score:4, Informative)
Yahoo's problems... (Score:5, Informative)
After all, if you chat with Yahoo's service, you're eventually going to be booted off by another user. Some of the methods users use to exploit the system and kick off other users are clever, some are not so clever.
One method involves running a program easily downloaded off of the internet and typing in the desired victims name. It's your basic "Punter". Some of the programs available are effective at removing users of Yahoo's Messenger, while a few of the more recent ones do a good job taking out users who use 3rd party Yahoo clients, or even Yahoo's web-based Java client.
These methods of exploitation are half-way understandable, though I don't see why Yahoo hasn't worked to block the attacks in the same way that AOL has with AIM.
The other method, plain old boot-text, is simply unacceptable.
If I were chatting with someone using Yahoo Messenger and they annoyed me, all I would have to do is send them a single URL with an unrealistically long domain name in it, and their Yahoo Messenger will crash. A URL such as www.xxxxx.com with about 400 to 500 X's in the name will work nicely.
It's a relatively simple matter for the end user to set up a personal word-filter on their messenger and block out all occurences of "www." which effectively makes them invulnerable to this attack, but that is not the issue. The issue is, that if Yahoo has such easily exploitable end-user software, I'm very worried about the quality of their security as a whole.
Think about it.
Read the article (was: Re:Yahoo's problems...) (Score:2, Informative)
The article is not about (security related to) instant messaging, but e.g. bots signing up for a dozen Yahoo E-mail accounts, which use them for spam, people grabbing their stock quotes every fifth minute and re-publish them on their own site, people who do password attacks on auction accounts to trigger a lock-out, so that the bidder can't place any new bids during the last hour of the action etc.
Cyberspace will never be secure...EVER (Score:3, Insightful)
"Oh! somebody stole your credit card number from our database...Sorry...we've been trying to fix that. In the meantime, here's a coupon for a free CD."
The only way to secure a transaction/service is to use physical ID/presense. So go shopping at the mall, and share ideas online. Simple solution to a complex problem.
"Make it by hand, break it by hand"
Re:Cyberspace will never be secure...EVER (Score:2, Insightful)
Re:Cyberspace will never be secure...EVER (Score:2)
Without doors, they get in real easy, almost as easy as broken windows;)
Re:Cyberspace will never be secure...EVER (Score:2)
You had a great post up until you started advocating shopping at the mall. That doesn't solve anything. It just makes your credit card number a tiny bit harder to steal.
Why should I really care if someone steals my credit card number anyways? It's not my problem. It's the credit card company's problem. If someone charges hundreds of dollars of merchandise on my card without my authorization, I call the credit card company and the police, report it to both of them, then go on my merry way without another thought. Yes, this did happen to me. Yes, this is exactly what I did. No, I wasn't lucky. Yes, it really is this simple, and, no, there is no such thing as "identity theft".
I never even understood where this whole "identity theft" thing came from. I don't lose anything. I still have my identity, regardless of how many other people have fake ID's that share my name. For a bunch of people who cry foul at the word "piracy", I'd expect the same outcry over "identity theft".
Oh well. The real problem here is that people are cheating. They cheat at games, they cheat at auctions, they cheat at score rankings, and they cheat on their taxes. The solution is get people to stop cheating. Good luck... it's not a technological problem; it's a problem with society.
I don't believe in a person with a problem
If there's a problem, it's a problem with society
- KMFDM
Re:Cyberspace will never be secure...EVER (Score:2)
and, no, there is no such thing as "identity theft".
From that ignorant statement right there, I can tell you have no idea what "identity theft" is.
Tell me what you call it then, when somebody very expertly gains illegal access to every important piece of personal information that you have, and then make enormous fraudlent loans, purchases, and applications for credit cards whilst assuming your identity.
This exact thing happened to a very close friend of mine and it turned her life into a living hell. She has paid thousands of dollars in lawyers fees trying to get her financial status back on track and it's looking like it will never return to 100% normal.
A stolen credit card number is not identify theft. Identity theft occurs when a criminal assumes your whole identity: social security number, credit background, you name it. With that kind of information, they can apply for loans and open various types of accounts. It's not a simple matter of calling the credit card company and having them do all the work for you while you sit on your couch and sip lemonade as you apparently did.
And you can't just call up each company where the criminal did his business under your identity... First off, you have no idea which companies were involved until (for example) you get a bill collector calling you asking why you haven't yet paid the full balance for that $80,000 sports car.
You have absolutely no idea how well-connected businesses are when it comes to money... The aforementioned friend is still getting refusals from businesses and the occasional bank because of the identity theft. It's a lot easier for companies to mark a particular name and SSN down as an abuser of finances than it is to remove them from the same files.
My friend is not the only one. While there is all kinds of advice out there on the prevention of identity theft, there are no organizations that will help you recover after the damage has been done.
Trying to equate identity theft with piracy is almost the most absurd, stupid, and asinine things I've ever read on this website. Piracy (almost always) hurts no one whereas identity theft is impossible to totally recover from.
Re:Identity Theft (Score:2)
There is pretty much nothing stopping me from getting cards in her name, if I had her SSN and mother's maiden name. I could put any phone number and address I wanted on the app, and she'd never hear anything about it until I ran up the super-platinum card to 40 grand or so and split.
They wouldn't go calling her house or mailing anything there, they'd only have the info I gave them.
This doesn't raise red flags, for a while, I had two sets of contact info I used for my own cards, and my creditors never questioned it. They didn't know that I had other cards with a different address.
Re:Identity Theft (Score:2)
I'm really just not that impressed with any argument I've heard for the existence of "identity theft". I think it's amusing that I get moderated down as a troll or for flamebaiting, really. It just goes to show that most people on Slashdot can't formulate an argument or rebuttal -- they resort to moderating you down when they disagree.
Re:Identity Theft (Score:2)
Maybe you'd like a testimonial [privacyrights.org]
Re:Cyberspace will never be secure...EVER (Score:3, Funny)
Re:Cyberspace will never be secure...EVER (Score:2)
The only way to secure a transaction/service is to use physical ID/presense. So go shopping at the mall, and share ideas online. Simple solution to a complex problem.
Sorry, but I trust 128-bit SSL encryption about 1000 times more than I trust the Pimply-Faced Human Sales Proxy at Babbages or Sam Goody. I absolutely hate using my credit card at physical stores because I know how easy it is for them to jot down the number & expiration date or take home copies of the reciepts and trade the numbers online. (Hint: I know, because I once knew a person who did this several times. No, he didn't get caught because he wisely decided not to make a living out of it.)
Yes, even the most wired online store has humans somewhere behind it, but many online stores never keep a copy of your credit card number anywhere... Once the number is validated and your account charged, the purchasing server forgets about it. This is the way it should be for physical stores as well, but I have yet to see one operate in this manner.
I only use my credit card at retail locations if the bill is going to be over $60. 90% of the time I know what I'm going to be buying and how much it will cost before I go into a store. It's a trivial excercise to stop by the ATM and get whatever I need before doing my shopping.
What really pisses me off is restaurants that print your friggen credit card number right on the damned receipt! Reason #1 that I pay cash at all restaurants now too.
distributed computing (Score:2)
people are still registering for massive numbers of accounts. "As far as I can tell, they're just doing it by hand. They're sitting there all day doing it by hand," he said. So he's considering changing the registration test to a simple arithmetic problem. It won't stop the mass registrations, but he might be able to get the abusers to perform distributed computing tasks for him.
HAH! That is really clever. Of course there isn't much computing power there, and if Yahoo! did harness it they would resell it and/or generally become sleazy about it, but at first blush, that's pretty funny. He should patent it (ha ha).
Better (distributed) idea (Score:2, Interesting)
A simple "Tell me about this picture" and an associated image and a text box would do. If the text submitted does not match a previously stored description well enough, no deal.
Every one in five or so, put out a new, previously un-cataloged, image and log the description...That would also be an easy way to beef up their image search engine.
Re:distributed computing (Score:2)
There are a lot of tasks that humans can do quicker and more accurately than computers. Image and voice recognition is one of those things.
For example: let's imagine a situation where you're signing up for an account and I flash 9 images on the screen with an empty text box beneath each. The user identifies each image with one word and then the server checks the text against a word list. If the response is not a valid word, the user is prompted for a word..
The trick would be verifying that the responses are not automated. This might not work very well, but it's an example of a distributed task that would work well..
Re:distributed computing (Score:2)
Sort of the net equivalent of generating electricity by damming a large river, with the added bonus of improving the environment!
hm (Score:1)
The last quote interests me... (Score:4, Insightful)
I am unsure if here he is saying that anti-spam legislation will be ineffective, or if the "right to spam" should not be outlawed by lawmakers. I would imagine the former is what he meant, since obviously, having the U.S. outlaw spam will do nothing to stop spammers in other countries, and probably do little to stop spammers here in the states either....
Solving the spam problem technically seems to be impossible though. People have been trying to do that forever. I find it very poignant that in the same passage he says that spam could kill off services if it continues to be unstoppable.
---------------rhad
Re:The last quote interests me... (Score:2, Insightful)
Let's count them:
1 spam from the US, 9 spams from taiwan, 1 real email. 1 spam from the US, 9 spams from china, 1 real email. 1 spam from the US, 9 spams from korea, 2 real emails.
Banning US spam is not going to help much
Re:The last quote interests me... (Score:2)
Re:The last quote interests me... (Score:5, Interesting)
The solution exists, it's just that the transition to the solution will be painful, so we're desperately trying to avoid it.
The solution is whitelists and "postage".
Put all your friends in a whitelist. Main from them is delivered instantly.
Anyone else who emails you gets an autoreponse, "I don't know you. To ensure that you're a real human being, you'll to need to run the postage program to get the result for the code ABAASDFFEFEF". The program needs to be open source and easily verifyable for security reasons. The program solves some problems that is hard to compute (say 60 seconds), but easy to verify. One example would be a brute for cypher break on a simple cypher. The senders email client can handle this autoreponse automatically, shielding the sender from needing to deal with it (Gee, my computer gets slow for a bit when I email someone new). Spammers, on the other hand, would need to either limit their spamming so they have time to generate valid responses, or would need to invest in expensive hardware to generate the responses fast enough. End result: It's no longer cheap and easy spam.
There are a few other details to make mailing lists feasible, but it's doable.
However, this effort would require everyone to upgrade their mail clients or to use external programs to manage this. Given that extremely slow adaptation of other email security features, I'm not optimistic.[B
Re:The last quote interests me... (Score:2)
Yes, this is what I was getting at in my original post. The transition could have been done years ago, but getting a switch to take place is not easy to do. Another post addressed this as well.
Or we could just nuke all the spammers :)
----------rhad
Re:The last quote interests me... (Score:2)
Re:The last quote interests me... (Score:2, Interesting)
I was a bit hand-wavy. (Ooh, look at me, I'm a futurist!)
The key is to just add a very small cost. The advantage using CPU time as the cost is that it's easy to automate. However you have a good point.
If we don't change anything else, yes, mail from slower machines will take longer to be delivered. A problem that takes my computer a minute might take a lesser machine ten minutes. However, it's not that terrible, you should be adding friends, coworkers and other people you want to get email from to your whitelist, so they'll be paying the penalty only once. In fact, this can be automated as well: anyone who answers the question one can either be added to your whitelist (and if you later decide you change your mind, moved to a blacklist). Or your mail reader could return a ticket to avoid the answer after answering the question once. Again, you could revoke a ticket if you determined someone was harassing you.
The other solution is to skip computers and force human interaction. Each user would generate a simple puzzle that is hard for computers to parse. The sender will get the puzzle back and his email won't go though until he answers it. You would only need one puzzle, the key is that it needs to be hard to parse with a computer. For example "What is 6 times seven? Add one to the result. Subtract three. Repeat the second step with a tenfold larger number."
Re:The last quote interests me... (Score:3, Informative)
Yesterday I was on the wrong end of such a bot myself. I emailed the owner of some linux-related site, and got back an autoresponse that informed me I had to reply with a certain string in the subject to get past the spam killer. So I did -- and got an automated "rejection" message. Will I try again? No. If the guy is that friggin' paranoid, to hell with his product.
Re:The last quote interests me... (Score:2)
I usually come to the same conclusion myself when it comes to various barriers to web-shopping (e.g. excessive registration/requirement to use java(script)/doesn't work with any browser I use on Linux/etc.)
However, depending on the product, you could look at it this way: if the guy is that careful about his email, perhaps that reflects well on how careful he is with his product. I know it works the other way - when I see a site that looks shoddily constructed or where the mailto links are to aol/hotmail/whatever domains, I get leery.
Re:The last quote interests me... (Score:2)
As to individuals, I've had enough firsthand experience with that sort of paranoia (particularly among coders) that I've learned it means the person is going to be too much hassle to deal with, no matter how wonderful his product.
(Gotta run, the Edison guy is here to fix the power pole..)
Re:The last quote interests me... (Score:2)
I have a rather loud "STOP! This is only for subscribing, not for inquiries!!" page that comes up before people can sign up for my mailing list, yet I still get otherwise-intelligent people trying to email me by way of the list signup. Shows you the value of instructions.
Personally, I am not so sure that spam ever *will* get bad enough (barring ISP-sponsored spam like we now get at Hotmail -- BTW I assure you, you'll get it from M$'s partners even if your "options" boxes remained unchecked after their latest changes). I've had my main ISP account 5.5 years and I get less spam here today than I did when it was new -- even tho my email address has been plastered all over my website for almost 4 years (and has occasionally seen a newsgroup or two), and I use no filtering whatsoever. What am I doing wrong?
Seriously, I would rather spend 15 seconds a day hitting the DEL key than potentially miss a $600 sale. Your economics may vary.
maybe the problem is the business model? (Score:5, Insightful)
Yahoo!'s problems are no different from those brick-and-mortar retailers have with loss leaders and promotions: if you give something away at a loss, there is a good chance that others will find it profitable to get lots of it and resell it. It's not a security problem, it's a problem with the business model. Welcome to the real world.
Yahoo! may want to continue to bask in the glory of having many millions of users, but if they want stop these problems, all they have to do is charge for all of their services. The choice is really theirs.
Don't get me wrong: I like Yahoo! services and I think it would be great if they continue to be free. But I really worry when Manber uses terms like "theft" and "security" for a problem that has very little to do with "theft" and "security". Fortunately, Manber himself isn't calling for a legal solution, but management and lawmakers may be less understanding of the issues involved.
Re:maybe the problem is the business model? (Score:3, Interesting)
As for "theft," whether you like it or not, taking my data and selling it without permission is theft. Yes, spyware is theft; reposting NYT articles on
Re:maybe the problem is the business model? (Score:2)
Your definition if "theft" is lacking, at least under TX law. In particular, Penal Code 31.04 and 31.05 represent cases where the "theft" is not of chattels, but of nontangibles.
Lockout of accounts... (Score:5, Insightful)
During hotly contested auctions, some users will mount password attacks on other bidder's accounts an hour before the end of the auction -- not to actually gain access, but merely to trigger a security lockout, thereby ensuring that the legitimate user cannot place last-minute bids.
I realize how ridiculously easy it is to get a new IP address on a dialup system or in a facility where someone has access to many addresses but wouldn't a simple IP block after so many attempts help discourage the casual DoS but still allow the legitimate user access when they come to make their last minute bid?
If not this then what about using a login name which is different then the displayed account name? This way the login name is not available to people viewing a particular account's public details for their use in a DoS. I know this is an added step of complication but may be necessary to eliminate bad side effects.
Lockout of accounts... (Score:1)
Re:Lockout of accounts... (Score:2)
Sniping software is part of the problem (of why web auctions suck), not part of the solution.
Re:Lockout of accounts... (Score:4, Insightful)
There are a lot of solutions that seem great at first, but encounter difficulties once you try to execute them. In this instance, you're totally forgetting about a couple of factors.
1) Scalability - how do keep this IP list? How do you search it quickly? How do store the data? Expire it? Compute your run time for values of N > 100,000,000. Does it still work?
2) Proxy servers & routers/ip masquerading. While a lot of slashdotter's don't live behind them, a lot of Internet users, including those using very popular providers, such as AOL, do. If you block based upon IP, you still allow AOL users to block one other. A step up from nothing, perhaps, but far from a complete solution.
There's probably more, but those are two off the top of my head.
-Bill
Re:Lockout of accounts... (Score:2)
I would imagine if you're dealing with an authentication system the size of Yahoo's that you're already dealing with large data sets that need searched quickly. IP address and number of failures from taht address could simply be an additional token checked when the authentication occurs.
You're right tho, even the simplest solutions would require an elaborate implementation, both in terms of coding it in efficiently and equipment to supply the data quickly.
2) Proxy servers & routers/ip masquerading. While a lot of slashdotter's don't live behind them, a lot of Internet users, including those using very popular providers, such as AOL, do. If you block based upon IP, you still allow AOL users to block one other. A step up from nothing, perhaps, but far from a complete solution.
This is a complicated problem... Does the proxy include some sort of unique identifier in its request? Filtering based on that, however, would introduce the same type of horsepower problems you mention... I am split, however, on simply saying that the losers should get a better ISP but at the same time I like proxies because they typically make a network more efficient. AGH!
I have a solution (Score:1, Funny)
I only use the account for testing mail from the *outside* world. If they shutoff that account, I will get one from somewhere else. God, I may even break down and open an account on Hotmail...
Quick, help, I may be slipping into the clutches of the M$ beast....
And now for something completely different...
Re:I have a solution (Score:2)
I sometimes wonder whether some people get spam on such services because their username is easily "guessable" by a spambot. I mean something like dude666 is going to be much easier to guess than hwklnmd!
This story has shown (Score:2, Funny)
Sleezy Yahoo Business Practices (Score:2, Interesting)
The two most important techniques were what we called the "Visual Turing Test" and a reapplication of a cypherpunk scheme called HashCash.
The Visual Turing Test is widely used today, it's the image generated with a code that you have to type in. Our technique started with that, but went much further to defeat OCRs by including AI-level questions, such as displaying an image with a dog, a cat, and a horse, with instructions in the image that say "click on the one that is not a house hold pet."
Back then, we ran a free webmail service for people, without adds, using these techniques to stop email spam.
We were a very poor start up, working over a year with no pay. We went to Yahoo and had a meeting with their engineers and biz-dev people, under a *nondisclosure agreement*, we demoed all this anti-spam, anti-fraud technology. We were looking to sell them the scalable image generation server software we wrote, statistical analysis software, and our services, and potentially our patent on these techniques.
Yahoo basically said "not interested" after several meetings, and one yahoo engineer basically said "We could implement this all myself, why do we need you?" We never heard from yahoo again, didn't get any more meetings. But magically, about a year later, we noticed yahoo using our techniques.
Our company was eventually bought by one of those "pay to watch ads" companies, because they had massive fraud of people installing fake clients, and signing up for hundreds of accounts. Unlike Yahoo's fraud problem, these companies were paying out tens of millions of dollars in cash to people who were signing up bogus accounts.
But it still doesn't take away from the fact that Yahoo is a dishonest shark. If it wasn't for the fact that I am morally opposed to using software patents against people (only had one to make our biz plan look good for investors), I would have sued them.
Word to the wise. Don't present your ideas to yahoo as a small startup and expect they will abide by an NDA.
Re:Sleezy Yahoo Business Practices (Score:4, Informative)
For one, it looks like Yahoo did not even implement their own system. If you look right below the word prompt, you can see they're basically using Captcha [captcha.net] developed at Carnegie Mellon [cmu.edu].
Are you saying CMU stole for you as well?
Is it possible that others came up with similar, if not better, systems, and they used them instead?
Re:Sleezy Yahoo Business Practices (Score:2)
You need to have filed a patent application before you talk to Yahoo. That's what patents are for. But I forgot, you people understand patents very well, and hate them.
Reverse authentication (Score:4, Informative)
So it would be a great boon to web services if there were a way to somehow have a way of confirming that a person hasn't already signed up for a service. It'd allow many boards to weed-out their troll population while maintaining an open sign-up. On one forum I was on, the problem was so bad that registration was completely closed then later moved to a pay-only model.
The problem is that I can't see any way to do it without compromising the identities of the people. For example, I don't see a problem with Slashdot knowing that 'Erasmus Darwin' is my only Slashdot account, but I don't want to create a system where they could theoretically share records with another entity and use that to determine my identity there. Perhaps the identity token I provide to Slashdot could be some sort of one-way hash of my identity combined with '@slashdot.org', thereby limiting it to a single area.
One downside of this system is that a government-type institution with a search warrant could use my secret identity information to reproduce my Slashdot token and verify my identity. I don't see any way to prevent the identification from somehow serving to find-out who I am. Still, that theoretically pushes the identification process off to a similar level of difficulty to tracing the user's IP (i.e. Slashdot couldn't do it on its own). Thus, if we pretend that no one uses anonymizing web proxies, it's the same level of anonymity.
Also, there'd be a problem of issuing the secret identity keys. Presumably, this would be handled by the companies that already do encryption/security certificates. That means there'd be a cost associated with such keys, which would turn away a number of people. If only a small percentage of people fork over the $XX/year for a personal identity certificate, most sites won't be able to require their use for signup. Furthermore, it'd be difficult for the issuing agency to verify the uniqueness of each request, especially when we consider that this would have an international audience. I also wouldn't be surprised if some of the countries that have whored out their ccTLDs decided to also start selling their equivilent of SSNs to people interested in extra identities.
Finally, there'd be the issue of identity theft. Having a single, computer-based identity key would be a very tempting target for various malicious programs. If I were an evil spammer type and such an identity system were in place, I'd definitely try and steal as many identities as possible for sign up use.
... you ain't never caught a rabbit... (Score:1)
I wouldn't get my hopes up. If the calculation he needs is really complex, he should get himself a pocket calculator. I suspect that would be one hell of a lot faster.
Besides, I wouldn't want a bunch of pr0n hounds working out the reentry trajectory of the next-gen space shuttle.
obfustacated code (Score:2, Interesting)
Obfuscated code makes this type of activity less useful. The trouble is that most of the services are tied to an archaic, and annoying advertising based model. Sherlock gets around this problem by actually parsing the ads and displaying them to a mac user. But most clients are built not to avoid ads so much as increasing the usability of the data. For some things, web browser interfaces leave a lot to be desired.
Why are you doing this? (Score:2, Informative)
If Dr Dobbs was slashdotted, it might be understandable. As it is, you're just being an asshole.
Re:Why are you doing this? (Score:1, Funny)
Re: (Score:1)
Re:Why are you doing this? (Score:1)
Re:Why are you doing this? (Score:1)
See the bottom of the page:
"Comments are owned by the Poster"
Ah, the Irony! (Score:4, Interesting)
Congratulations for illustrating his points so directly.
--Mid
Re:Ah, the Irony! (Score:2)
For those of you who didn't see it, my original post here was a response to someone who had copied & pasted the article verbatim here.
--Mid
Re:Full Text (Score:4, Interesting)
If anonymity disappeared from the web, "a lot of the problems would go away," he said.
That's especially true if you equate users with problems ;-)
But he dismissed legal solutions altogether, saying that measures like anti-spam legislation are completely ineffective. "This has to be solved technically, not legally," he warned. "If we can't solve these problems, we'll see less and less services."
That's a point that is occasionally debated in anti-spam circles. The problem there is that the Internet mail delivery system was designed for the kinds of users we had 25 years ago. Heck, it wasn't until somewhat over 5 years ago that all the MTAs [that mattered] would ship with relaying turned off by default. Looked at from that perspective, it seems like a technical problem... change the delivery system and you make the abuse irrelevant. The problem is, how do you implement such a change? It's not so much a question of designing a new system... I've seen a number of proposals that looked fine. The problem is, how do you get all the mail servers on the net to switch over?
At that point in the debate is where the division usually comes in. Some folks will propose various systems for gradual adoption of new systems (essentially having two delivery systems in place until the new one is widely adopted enough to drop the old), while others pull back at that point. They'll say that spam is a social problem and, as a result, it can't be solved technically. Usually those folks will go on to pursue legislative attempts at a solution. The problem is, the track record of using legislation to solve social problems is nothing to write home about.
If he can come up with a technical solution for Yahoo!, of course, then he is all set. The problem, as he said, was that you only have so much identification information available to you at the server end. That makes it nontrivial to reliably separate the valid users from the rest. The thing is, just how much personal identification information are you comfortable giving to Yahoo! to get a mailbox...?
Technical Solution to Spam (Score:1)
And of course a legal solution can work...to the extent that other laws work and are enforceable. Many forms of mail fraud are illegal, but that doesn't mean you won't get mail scams and such sent to you. However it severely reduces the amount that you receive and also determines a path for you or the goverment to prosecute offenders.
Re:Technical Solution to Spam (Score:2, Informative)
I think it's pretty silly to imagine that the solution to spam will be through technology. It would be very hard to differentiate spam and legitimate mailing lists.
The point of redesigning the delivery system is to make that question irrelevant. For instance, some proposals try to add a concept of trust between mail servers. Under the current model, every mail server trusts every other mail server by default. Admins at sites will occasionally block mail from certain sites, or from all dialups, or from all dynamic IP addresses. That is a very crude form of a trust system. In the first case, the lack of trust is based on some evidence of abuse. In the latter two cases it isn't based on actual abuse so much as a history of abuse. Some have proposed more precise trust mechanisms that would be used between mail servers (using signatures, etc. for the identification). The default case could either be trust or no trust (depending on whether the solution uses whitelists or blacklists)... the point is that abuse from a site that isn't dealt with would cost you the status of a trusted server. That essentially moves you away from the whole per-message differentiation problem. The end user, after all, can tell the difference between spam and legitimate mailing lists. The devil in the details in this case is who maintains the lists and what sort of mechanism is involved in getting on and off them. Presumably there would be many (much like the choice you have in NoCeM lists for Usenet) and, if so, that might make the question less critical.
And of course a legal solution can work...to the extent that other laws work and are enforceable. Many forms of mail fraud are illegal, but that doesn't mean you won't get mail scams and such sent to you. However it severely reduces the amount that you receive and also determines a path for you or the goverment to prosecute offenders.
Unfortunately, the legal approach has it's own pitfalls. For one thing, there is a big question of jurisdiction. We sort of wink at the question when it is used to go after spammers because we don't like spam, but do we really want to establish the idea that a local gov't can impose it's particular laws and mores on the net? There are also technical problems. It's easy to identify the relay that the spam was sent through. If they provide contact information in the spam (kind of useless without it, unless it's one of those advocacy spams) you have that, as well. But that, in just about every case, doesn't identify an individual. Let's say they used a throwaway Yahoo! account. Well, we just read that Yahoo! doesn't have any way of identifying who the account holder is. As for the relay, I don't know how common my case is, but most of the spam I get is relayed from foreign countries.
So does the actual payoff of a legislative solution in terms of spam reduction make up for the precedence it establishes for local gov'ts to legislate net activities? FWIW, I get more spam than ever now (although, thanks to SpamAssassin [spamassassin.org], I don't see as much of it as I used to).
What should they do? (Score:2)
It's easy to raise complaints (though I'm not sure I agree with you on 1 & 2). Unless we can come up with better solutions, we will have to live with the solutions you complain about...
Re:The guy sounds like a world-class sleazeball. (Score:3, Insightful)
Passwords are "security through obscurity" (Score:2)
And it's one I'll bet most systems use somewhere in the process. If you have a password, the security is based on the assumption that only you know it. Once it is publicized -- no longer "obscure" -- it is no longer effective. As long as the obscurity you're relying on is sufficiently difficult to guess, it's effective.
Re:The guy sounds like a world-class sleazeball. (Score:2, Insightful)
As for point 2, I'm quite certain that his quip about distributed computing was in jest.
Finally, regarding your third point, why shouldn't he attempt to protect Yahoo's content? I'm certainly not going to give you root access to my server; does this mean I'm attempting to "Balkanize the web"?
Re:The guy sounds like a world-class sleazeball. (Score:1)
Re:The guy sounds like a world-class sleazeball. (Score:3, Funny)
1. He said that he knows "security through obscurity" isn't the answer, but that his methods are so weak that he *knows* they won't stand under scrutiny; they just happen to be the best he's got at the moment. That's called good judgement.
2. You have no sense of humor.
3. His concerns are legitamite; Yahoo! is trying to provide services on the web, and people are *stealing* them. Yahoo! isn't screwing artists out of money, or exploiting third-world children, or screwing their customers; they just want people to engage in reputable transactions. That's how businesses make their money, and why you can spew crap from your personal computer.
Sheesh.
Re:The guy sounds like a world-class sleazeball. (Score:3, Insightful)
1) Yes, this is a form of security through obscurity. However, the methods they use to counter attacks are not intended to make the system more secure, but hopefully to identify those that are abusing it. The actual problems are much more fundamental in nature. You have to weigh the user friendliness of a free and open network, with the fact that a significant number of people would destroy the network if they had a chance. The alternatives were stated in the article. Require actual names and credit card #'s from everyone. However, they don't want to take it to that extreme, so they're forced to use clever tricks to counter the malicious actions of those who only seek to abuse.
2) The distributed computing comment was a joke. The point of asking a user to compute a simple math problem is to trump the bots, not to accomplish any task of economic significance.
3) Obfuscated HTML is possible now, and not too difficult to implement. He could do it if he wanted to, and it would at least slow down the bots. Why not do it? Well, it slows down the connections, and it will break some browsers. So they continue in the name of greater compatibility rather than some locked down browser specific html coding nightmare that creates more problems than it solves. And no, he's not suggesting packetflooding the offender, even if he jokingly implied it. He's looking for a defense that does not involve governmental regulation and does not involve decreasing the openness of the internet.
-Restil
Re:The guy sounds like a world-class sleazeball. (Score:5, Insightful)
he talked about countermeasures instituted against hackers, but doesn't want them openly published (security through obscurity, anyone?)
I'm quite tired of hearing statements like 'company X won't reveal Y; this demonstrates security though obscurity which everyone knows is bad.' Well, it's not! Your statement demonstates that you can echo the slogans but don't understand what security really means. I strongly encourage you to read a recent Crypto-gram [counterpane.com] by Bruce Schneier. You cannot apply the principles used for analyzing a mathematical system to all real world security issues.
Re:The guy sounds like a world-class sleazeball. (Score:2)
I don't get it. Exactly what are we protecting here?
In order to get the full story, you have to hang out with the people who commit the crimes, hack the servers, or whatever else people are trying to hide from you. They are very free with their information, unlike the supposed "good guys", who want to make it all proprietary.
Sometimes I truly do wonder who the "black hats" are.
Re:The guy sounds like a world-class sleazeball. (Score:3, Insightful)
First, security through obscurity is only dangerous if it is the main line of security. Obscurity can be an important and necessary part of security. For instance, it not wise to publish the exact configuration of every computer on a network, even though, conceivable, such information might allow some help in keeping the computers secure.
Second, I think the registration procedure for Yahoo! is quite clever. I am much more likely to get crap from a Hotmail account than a Yahoo! account. The use of people to do distributed computing(as was done 200 years ago) is clearly so unreliable that such a statement must be a joke. However, the intent to increase the time necessary to create an account is valid.
The third point is of concern for all of us who wish to have free and unrestricted flow of imformation. On the ohter hand, the balkanization of the web is already here, with the help of Microsoft and Macromedia. For instance, bus schedules in houston are provided on the web with flash introductions and PDF only formats. Why is this neccesary for someone who just want to catch a bus? Yahoo would likely add just a few more useless plugins and extensions to a web already rampant with useless plugins and extensions. To Yahoo's credit, it is one the few sites that reliable, effectively, and quickly works with all the browsers I have tried(Netscape, opera, mozilla, and IE.
Re:The guy sounds like a world-class sleazeball. (Score:1)
As for being part of the problem: would he have publicly spoken about security measures that they are taking, sharing and collaborating with the community if he was not trying to be part of the solution? Yes he asked that those in attendance not repeat in open forums these solutions, as that would make them obsolete.
The more we involve the courts in settling our problems, the less individual freedom we have.
Re:Hrm (Score:1)
Re:Hrm (Score:2)
Spammers are evil, and lie whenever they can. Esp. in the client-provided "From:" header.
Re:Ph.D. level cleverness? (Score:3, Interesting)
For what it's worth, however, I totally failed his class. Way over my head.
Re:Ph.D. level cleverness? (Score:3, Insightful)
Re:Ph.D. level cleverness? (Score:1, Interesting)
Why stop there? (Score:2)
So why not include non-degreed individuals in your rankings as well? If the primary difference between B.S. and Ph.D. computer science people is some combination of time, money and determination acting independently of intelligence and/or cleverness, then those same differences would apply to non-degreed and B.S people as well, right? It would then similarly apply between B.S. and B.A. folks, or those having an M.S and an B.F.A.
I don't mean to be obtuse (or a troll), but I have to ask: Is a Bachelor's the point at which you begin ranking intelligence? Why not start at a high school diploma? Why not eighth grade (US)? Kindergarten? At which level can one finally claim the title of a "superior being"? Should society be a meritocracy? Can I be a Webelo without all my badges? If not, am I as smart as a Boy Scout or doomed to be labeled simple for all time?
Not that it matters much to anyone, but I never made it out of Cub Scouts and it's far too late in the game to start caring what everyone else in the den thinks...
-B
I think merit should be earned, like anything else (Score:2)
Subject pretty much says it all. I don't think any wise person would disagree if you were to say that the most heinous intellectual crime is one of unfulfilled potential. Whether fulfilling that potential necessarily means a degree or just living a fruitful life is the sticky bit. I know a lot of people that have the societal measure of success yet haven't stretched themselves mentally in the slightest. I know a lot of people that have the piece (or pieces, in at least one case) of paper, but had to work very hard at it because they aren't that bright. I know some who excelled at rote learning, but failed awfully when asked to integrate two concepts into a novel whole. And I know a lot of very bright, certifiably genius-level people who have decided to do and make stuff instead of spend time learning about other stuff that was done and made. If one is lucky, one gets the choice which road to take.
Sad part is, hard economic times bring out the great equalizer: management knows that individuals who have graduated from a certain institution at a certain level have demonstrably performed to a level which guarantees they themselves cannot be faulted for "taking a chance" on a new hire. It's the way things are always going to be, unless you know people. You either have a degree and hotjobs/monster/dice, or no degree but people who you and know you've done excellent work in the past. Official references don't count, either. I'm talking about people that know you and will hire you because they know what you can do. If you don't fit into neither camp, you stand a hard chance of finding a decent job in today's economy.
And BTW, I was agreeing with your earlier post. I currently work at a university. Before that I worked at a high-dollar startup, before that a Fortune 100 company, and before that a university. I don't have a degree, and that is by choice. I've faced a lot of discrimination because of it. However, I've never had trouble finding a good job at any time in the past 13 years largely because I know people who know me and know what I can do. I know I'm smart, because I'm smart enough to recognize where I fit in what I can do. I'm also smart enough not to care about the ArsDigitia's [fuckedcompany.com] of the world. I guess I have a self-worth that doesn't depend on other people. Which is probably not healthy....
-B
It does if you think it does... (Score:1)
Re:Ph.D. level cleverness? (Score:3, Funny)
Re:Ph.D. level cleverness? (Score:2)
The sad thing is that it isn't babble. All the words were real.
The sadder thing is that I understood it.
I didn't take enough complex analysis to verify that it's accurate though.
Re:My yahoo account is great! (Score:2)
You must really lucky. I get like 40 spams a week. No joke.
Re:My yahoo account is great! (Score:2)
YMMV, but most of my yahoo spam came from 2 allegedly opt-in email promotion companies. following the links at the bottom of the messages stopped the spam.
Re:Is your trash still being emptied? (Score:1)
I wondered if it was a push for the paid extra space because it increases the likelyhood of someone seeing the 'Your mailbox is almost full' message.
In general, I think the Yahoo free stuff is a pretty good service.
Re:Is your trash still being emptied? (Score:2)
Re:more hacks (Score:1)
I almost went to the site (not because I have any interest in hacking Hotmail) until I saw this post.
dalamcd
Re:We steal more than pennies (Score:2, Interesting)
you lying sack of shit how can you track your competitors shipments. you need tracking numbers.