Thursday, February 05, 2004
Spam Conference
I wasn't able to attend the Spam Conference over at MIT, but I did catch the webcast. I found most of it quite interesting. It was great to hear from Yahoo, Microsoft and Brightmail about the scaling issues (and opportunities) that come with having billions of attacks/day. They're all beginning to leverage Cloudmark's collaborative filtering to some degree, but all hit the same issue: what people consider spam varies quite a bit. The Microsoftie also noted that 60% of spam offers require a domestic presence (i.e. financial services). These cannot be off-shored and are therefore vulnerable to legal remedies. The rest is software, porn, Nigerian 411, etc.
The first lawyer to present, last year's "Hi, I'm Jon Praed, and I sue spammers", made these points:
Spam laws _could be_ a good start
Identity and jurisdiction are required to pursue legal cases
An important provision of CAN-SPAM attaches liability to businesses profiting from spam. He thinks this is greatly under-appreciated.
The Tar Proxy talk wasn't all that interesting, but clearly making them pay (in CPU time at least) was gratifying to the author.
The Brightmail speaker mentioned that they're implementing Paul Graham's filters that fight back, sort of. He didn't use that phrase, but his company is following links in email to see what is on the other side, and using factors from that to determine spaminess. They can leverage this inspection over a huge user base, so they don't risk slashdotting innocent joe-job victims. One challenge to identifying spammer URLs just by domain is the number of open redirect scripts web-wide (rd.yahoo.com being the most often abused) that are used to disguise the ultimate destination of a spam offer. I winced when I realized that I've probably contributed two or three to the pool spammers can use. Also, I had the thought "Boy, it'd be great if they shared the list of spam URLs", and shortly after he mentioned that they were considering some way of sharing.
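To make the redirect problem concrete, here is an added example (my own illustration, not code from Brightmail or the conference) of the destination-inspection idea done offline: it pulls URLs out of a message body, unwraps redirect-style URLs that carry their real target either in a query parameter or appended to the path, and scores the message against a local blocklist of landing hosts rather than the redirector's host. The domains, message text and blocklist are constructed for the example; a production filter would follow the links over the network and score what it finds there.

```python
import re
from urllib.parse import urlparse, parse_qsl, unquote

# Crude URL extractor; trailing punctuation is trimmed by the caller.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def unwrap_redirect(url, max_depth=5):
    """Resolve redirect-style wrappers without touching the network.

    Two constructed redirector shapes are recognised:
      1. the target is a query parameter value  (?target=http%3A%2F%2F...)
      2. the target is appended to the path     (/rd/http://...)
    Wrappers may nest, so iterate; max_depth stops self-referencing loops.
    """
    current = url
    for _ in range(max_depth):
        parsed = urlparse(current)
        embedded = None
        for _, value in parse_qsl(parsed.query, keep_blank_values=True):
            value = unquote(value)
            if value.lower().startswith(("http://", "https://")):
                embedded = value
                break
        if embedded is None:
            m = re.search(r"/(https?://.+)$", parsed.path, re.IGNORECASE)
            if m:
                embedded = m.group(1)
        if embedded is None:
            return current  # nothing wrapped: this is the landing URL
        current = embedded
    return current


def destination_hosts(body):
    """Unique landing hosts referenced by a message, in order of appearance."""
    hosts = []
    for url in URL_RE.findall(body):
        final = unwrap_redirect(url.rstrip(".,)"))
        host = urlparse(final).hostname
        if host and host.lower() not in hosts:
            hosts.append(host.lower())
    return hosts


def score_message(body, blocklist):
    """Count landing hosts that are on (or under) a blocklisted domain."""
    hits = [
        h for h in destination_hosts(body)
        if h in blocklist or any(h.endswith("." + b) for b in blocklist)
    ]
    return len(hits), hits


# Constructed sample message: two redirector-wrapped links to the same offer
# plus one honest link. None of these domains exist.
SAMPLE = (
    "Dear friend, click http://redirector.example/cgi-bin/redirect?"
    "target=http%3A%2F%2Fpills.example%2Foffer\n"
    "or http://other.example/rd/http://www.pills.example/buy.\n"
    "Unsubscribe: http://legit.example/unsub"
)
BLOCKLIST = {"pills.example"}

if __name__ == "__main__":
    print(destination_hosts(SAMPLE))
    print(score_message(SAMPLE, BLOCKLIST))
```

Scoring on the unwrapped host is what stops the redirector's own reputation (a large, legitimate site) from laundering the offer; the same unwrapping also tells you which redirect scripts are being abused, which is the list worth sharing.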
Eric Kidd spoke on real-world experience with sender-pays/e-postage from the camram project. Although folks like me (and Matts) often dismiss the sender-pays idea because of either joe-jobs launched from virus-compromised computers, or the fact that you typically have to upgrade the whole internet at once to make them work, none of these concerns was news to Eric and his presentation did not sidestep these issues. His points were:
Sender-pays works great if you redesign the entire internet. Obviously not practical.
Hybrid sender-pays works well, with filtering s/w accommodating the metric for postage
What can be used as a stamp? This is a big issue.
Money stamps don't work (centralization, theft, regulation)
Hash collision is very popular now, but memory-based problems are probably more appropriate than anything CPU-based because of Moore's law.
Whitelist someone who sends you stamped mail so future correspondence can be verified w/ signatures. "Strangers cost, friends fly free."
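An added example of the last three points together, written by me rather than taken from camram or Eric's slides: a hashcash-style stamp that costs the sender 2^bits hash operations to mint and the recipient one hash to verify, a double-spend ledger so each stamp buys exactly one delivery, and the "strangers cost, friends fly free" rule, where the first paid message earns the sender a per-address friend token that later mail can present instead of a stamp. Assumptions: the stamp layout follows hashcash v1 (`1:bits:YYMMDD:recipient::rand:counter`), the friend token is an HMAC standing in for the signature-based verification Eric described, and the secret, addresses and bit counts are constructed. The work function here is CPU-bound SHA-1; the memory-bound alternative he argued for would replace the `leading_zero_bits` search with a memory-hard puzzle, and the rest of the flow would stay the same.

```python
import calendar
import hashlib
import hmac
import secrets
import time

# Constructed example of sender-pays e-postage. Stamp layout assumed to follow
# hashcash v1:  "1:<bits>:<YYMMDD>:<recipient>::<rand>:<counter>"


def leading_zero_bits(digest):
    """Count leading zero bits of a digest: the 'work' a stamp proves."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint_stamp(recipient, bits, date=""):
    """Sender side: search for a counter whose SHA-1 has `bits` leading zeros.
    Expected cost is 2**bits hashes; verification is a single hash."""
    date = date or time.strftime("%y%m%d", time.gmtime())
    rand = secrets.token_hex(8)
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{recipient}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


class StampVerifier:
    """Recipient side: validates stamps, refuses double spends, and issues a
    friend token so a sender who has paid once need not pay again."""

    def __init__(self, my_address, min_bits, secret, max_age_days=28):
        self.my_address = my_address
        self.min_bits = min_bits
        self.secret = secret          # HMAC key standing in for a signing key (assumption)
        self.max_age = max_age_days * 86400
        self.spent = set()            # double-spend ledger: one stamp, one delivery

    def friend_token(self, sender):
        # Bound to the sender's address, so a token leaked by one friend is useless to another.
        return hmac.new(self.secret, sender.lower().encode(), hashlib.sha256).hexdigest()

    def check(self, sender, stamp="", token=""):
        """Return (verdict, token); the token is non-empty only when a stamp was just accepted."""
        if token and hmac.compare_digest(token, self.friend_token(sender)):
            return "friend", ""
        if not stamp:
            return "reject: no stamp", ""
        parts = stamp.split(":")   # recipient addresses with ':' are out of scope here
        if len(parts) != 7 or parts[0] != "1" or parts[4] != "":
            return "reject: malformed stamp", ""
        try:
            bits = int(parts[1])
            minted = calendar.timegm(time.strptime(parts[2], "%y%m%d"))
        except ValueError:
            return "reject: malformed stamp", ""
        if bits < self.min_bits:
            return "reject: too few bits", ""
        if parts[3] != self.my_address:
            return "reject: stamp minted for another address", ""
        if time.time() - minted > self.max_age:
            return "reject: stamp expired", ""
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
            return "reject: hash does not match claimed work", ""
        if stamp in self.spent:
            return "reject: stamp already spent", ""
        self.spent.add(stamp)
        return "paid", self.friend_token(sender)


if __name__ == "__main__":
    v = StampVerifier("john@example.net", min_bits=12, secret=b"constructed-secret")
    s = mint_stamp("john@example.net", 12)
    print(v.check("alice@example.org", stamp=s))   # ('paid', <token>)
    print(v.check("alice@example.org", stamp=s))   # reject: stamp already spent
```

The date field plus the spent-stamp ledger is what keeps the ledger bounded: a recipient only has to remember stamps younger than `max_age`. Binding the stamp to the recipient address is what stops one minted stamp from being replayed against many mailboxes.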
The best presentation was on Titan Key - http://titankey.com/mit/ . The technology was an elegant combination of simple concepts, but I liked it most because the speaker (a Chicago-born Hawaiian transplant) was by far the most dynamic. Though admittedly this isn't saying too much for a spam conference.
He described his company's product called KeyMail. Instead of disposable email addresses (accountimostlyignore@hotmail.com), you have programmable addresses -- ones that auto-whitelist in various ways (based on domain, exact email address, etc.). So you give out the address 'johnseq-UNIQUEID@mymail.com' to each person, company or mailing list that you want to correspond with. One typical rule would be that the email address or domain that first responds to the address is whitelisted for it. All subsequent use of that address by other senders would be put in a challenge-response queue.
One key differentiator for KeyMail is that it's implemented at the SMTP level. The whitelisting rules that it implements are simple enough that you can reject spam before it is delivered, saving a lot of CPU and disk space.
Titan Key's Peter Kay mentioned that there's always a need for a general purpose email address (like addresses put on a web site), so filters don't really go away.
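Here is an added sketch of the programmable-address idea as I understood it from the talk; it is my own example and not KeyMail's code. A mailbox issues keyed addresses of the form `user-KEY@domain`, each with a binding rule (exact address or whole domain). The decision is made at RCPT TO time from the envelope alone, which is the SMTP-level point above: mail to a key that was never issued (or has been revoked) is refused with a 550 before any body is transferred, the first sender to use a key binds its whitelist, later whitelisted senders are accepted, everyone else is deferred into a challenge-response queue. The one general-purpose address is accepted and left to a content filter, per Peter Kay's remark. Address layout, reply strings and the `revoke` operation are assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from enum import Enum

# Constructed example of KeyMail-style programmable addresses, decided at
# RCPT TO from the envelope (MAIL FROM / RCPT TO) before DATA is accepted.


class Bind(Enum):
    EXACT = "exact"     # whitelist the exact address that first uses the key
    DOMAIN = "domain"   # whitelist the whole domain of the first user


@dataclass
class KeyedAddress:
    key: str
    bind: Bind
    whitelist: set = field(default_factory=set)
    revoked: bool = False


class KeyMailbox:
    # Local part is "<user>-<key>": hypothetical layout taken from the post's example.
    KEYED = re.compile(r"^(?P<user>[^@-]+)-(?P<key>[^@]+)@(?P<domain>[^@]+)$")

    def __init__(self, user, domain, general_address=""):
        self.user = user.lower()
        self.domain = domain.lower()
        self.general_address = general_address.lower()  # public address that still needs a filter
        self.keys = {}
        self.challenges = []  # (sender, recipient) pairs awaiting a challenge-response round trip

    def issue(self, key, bind=Bind.EXACT):
        """Create a fresh keyed address to hand to one correspondent or list."""
        self.keys[key] = KeyedAddress(key, bind)
        return f"{self.user}-{key}@{self.domain}"

    def revoke(self, key):
        """Switch off a key whose address has leaked; mail to it is refused at SMTP time."""
        self.keys[key].revoked = True

    @staticmethod
    def _sender_token(mail_from, bind):
        mail_from = mail_from.lower()
        return mail_from if bind is Bind.EXACT else mail_from.rsplit("@", 1)[-1]

    def rcpt_decision(self, mail_from, rcpt_to):
        """SMTP reply for RCPT TO, using nothing but the envelope."""
        rcpt_to = rcpt_to.lower()
        if rcpt_to == self.general_address:
            return "250 accepted (general address, content filter applies)"
        m = self.KEYED.match(rcpt_to)
        if not m or m["user"] != self.user or m["domain"] != self.domain:
            return "550 no such user"
        addr = self.keys.get(m["key"])
        if addr is None or addr.revoked:
            return "550 no such user"  # never issued or switched off: rejected before DATA
        token = self._sender_token(mail_from, addr.bind)
        if not addr.whitelist:
            addr.whitelist.add(token)  # first responder binds the key
            return f"250 accepted (whitelist bound to {token})"
        if token in addr.whitelist:
            return "250 accepted"
        self.challenges.append((mail_from.lower(), rcpt_to))
        return "450 sender not on whitelist, challenge queued"


if __name__ == "__main__":
    mb = KeyMailbox("johnseq", "mymail.com", general_address="info@mymail.com")
    shop = mb.issue("shop7", Bind.DOMAIN)
    print(mb.rcpt_decision("orders@shop.example", shop))
    print(mb.rcpt_decision("bulk@spam.example", shop))
    print(mb.rcpt_decision("anyone@x.example", "johnseq-never@mymail.com"))
```

Because every decision uses only MAIL FROM and RCPT TO, the rules could be enforced by any MTA that can run a lookup at RCPT time, which is also why they look portable in the way mail filtering rules are.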
I see user retraining issues (having to pre-generate an email address for folks you meet on the street seems a drag) and ISP lock-in as the two biggest problems with KeyMail. For the latter, there are a couple of solutions. The rules seem simple enough that they could be as portable as mail filtering rules (http://www.cyrusoft.com/sieve/). Also, the IETF is working on making challenge/response interactions automated, so that you never feel that particular pain. Of course, if you had interoperable C/R, KeyMail's raison d'être might largely disappear.
[Aside: I would love it if my email forwarding service pobox.com implemented this. I'm pretty locked into them anyway, and it doesn't bind me to an ISP.]
In summary, from the KeyMail talk and the spam conference in general I think two themes came through: any spam solution needs to painlessly interoperate with the situation we have today (duh), and no single solution will really solve the problem. The 'drug cocktail' metaphor was used more than once, and I think it is appropriate on more than one level.
[update: I see that Zoemail et al. have launched a PR blitz over their patented clone of KeyMail.]
4:59:29 PM
coLinux
As seen on slashdot, and all over the blogosphere, coLinux, which is something like User-Mode Linux for Windows, looks very cool. There are many ways to do the same thing, but it's the first I'm aware of that both performs well and is free.
I would like to suggest that instead of the current LiveCD trend for trying out free software, someone
work on a coLinux instance containing all the fun desktop software a typical computer user could want,
build an installer that sets up this coLinux instance to run as a headless Windows service, and
configure some type of remote access so that applications running on coLinux are launched as though they were native applications (rdp, x, vnc etc.)
resolve drive mounting and single-sign-on issues at install time.
The free Linux desktop apps are so much more approachable if you subtract hardware configuration and system administration from the learning curve. One way to think of this is like running a Linux Terminal Server Project (LTSP) client and server on the same box. It's definitely not a thin client, but it's the next best thing in simple home environments where running a server is not really an option (and securing and maintaining it is not possible).
Virtualization + Faceted Wiki = ?
Also, I set up a wiki for virtualization software/projects (Viki?) because I wanted to play with Kim Burchett's cool and subversive diamond wiki. Be sure to click the "diamond logo" to test drive the facet-based navigation. It's more than just a bunch of bookmarks. Really.
12:48:59 PM
© Copyright 2005 John Sequeira.