On Mon, Jan 2, 2023 at 12:20 AM Christian Huitema <huitema@xxxxxxxxxxx> wrote:
On 1/1/2023 7:11 PM, John R Levine wrote:
>> The exception to that in my current code is that there is one message, a
>> contact request message that is authorized by default. So, if I have your
>> contact address (john@xxxxxxxxxxx, @john_levine, whatever) and I don't
>> already have you in my contacts, the first message I send is a contact
>> exchange request saying 'Hi I am PHB, can I send you messages'.
>
> The introduction problem is very hard. Speaking as a spammer, I plan to
> buy lists of millions of addresses (which are widely and cheaply
> available) and send introduction requests to all of them. If they don't
> say yes, I'll do it over and over, maybe with slightly different
> identities and requests, and we've just moved the spam into the
> introductions. The only way I know of to prevent that is to add
> friction to limit the number of requests you can send, but now you have
> to figure out how to tell that requests from many different addresses go
> into the same friction bucket because they are from the same sender, for
> some version of "same".
Yes indeed. If the system can say "Joe Example wants to connect with
you", it can also say "Joe Example who has access to a pharmacy selling
cheap and exciting meds wants to connect to you". I saw exactly that
kind of scenario playing out on Skype. And then we also see the "attack
of the clones" on Facebook, "Your buddy Joe Example, same name, same
picture, wants to be your friend." Etc., etc.
-- Christian Huitema
True. But the rate of that spam isn't close to being a problem to me. I get less than one of those a year.
You are both falling into the perfection fallacy. A security control doesn't need to be perfect to be a major improvement. And again, instead of actually reading any of my documents and seeing that I have developed a completely different approach, you immediately assume that if you couldn't think of an answer, nobody can ever solve this problem.
Of course this is a hard problem, I wouldn't be working on it if it wasn't.
Going back to our original issue of the ability to run your own service, running your own SMTP service is no longer viable because every other service will assume you are a spammer. Separating out the hailing channel from the communication channel and limiting the spam to hailing is still a major win.
The way to defeat spam in the hailing channel is through social work factor, a concept I developed a decade back. This is basically an elaboration of the principles behind the WebPKI of incentive denial.
Social work factor is denominated in US dollars. The WebPKI was designed to make shopping online as safe (NOT COMPLETELY SAFE) as shopping in stores by addressing the fake merchant problem. If it costs the fake merchant $1000 to get a certificate and they can only use it for three days before it is revoked, they have to make a lot of money very quickly.
Of that $1000, only a small part was the CA fee. The bulk of the cost went into registering a company in a fashion that is repeatable but doesn't lead to the criminals being caught. Setting up one fake merchant and getting away with it was one thing, anyone trying to do it repeatedly would be caught pretty quickly.
These days of course, people have convinced themselves that all the original controls in the system are bogus and have dismantled them all and now complain that it doesn't work. Fortunately all the really bad guys are busy running ransomware attacks, selling NFTs, running BitCoin exchanges and supplying criminals with VC. The Internet crime spree probably won't hit till a couple of years after the criminal currencies have been shuttered just like spam hit in the wake of the dotcom crash.
OK so social work factor for introductions, how do we establish it? One way is to simply checkpoint the account in a notarized log. If I have someone asking to exchange contacts whose profile was notarized ten years ago, that is something a spammer cannot easily create in bulk. The social work factor for creating them by the billion post facto is infinite.
So my first control here is time. Next control is endorsement. Remember here that the only thing we are trying to do is to prevent pure spam notifications. Imagine if each time I attend an IETF meeting in person, I notarize my Mesh profile against the IETF notary service as part of the on-site enrollment. This would then automatically clear me to post to all IETF mailing lists as a proven actual person.
So we have just collected a $800+ social work factor for impersonating me as a person. Now imagine I do that for a dozen IETFs. Without me having to engage in any silly key ceremonies etc. I have built up a $10,000 social work factor. Same would work pretty well for any sort of professional.
[This is one of the reasons for charging $0.10 for registering Mesh Callsigns. While a criminal organization could in theory spend $100K registering a million callsigns to allow them to mature for a few years, most criminal organizations don't last long enough for that to work. Most criminal individuals would spend the money on drugs etc. rather than go for a long term investment.]
Now before folk start banging the keyboard accusing me of not understanding the privacy implications, yadda yadda (OK, you started replying several paragraphs ago,...) Yes, I totally get the need for translucent security and the ability to have limited proofs for limited purposes which is why I have built a completely new PKI and not tried to simply extend X.509 again. For the purposes of proving I am not a spammy spammer, I don't have to prove I am PHB, I just have to prove that I have a sufficiently high social work factor and that is a thing that a Trustworthy Third Party can provide.
So what we have done so far is to reduce the spam message problem to the spam contact request problem to the spam new account contact request problem. If that proves to be a problem, we can make use of accreditation. So as a person with a high social work factor value on my profile, I can endorse some number of newly created profiles per month. And that gives people a certain degree of confidence when accepting contact requests from those people while they build up their own social work factor.
Based on past experience, I think this approach should give us 20-30 years of service before people start deciding there is no need for any anti-spam security controls because it obviously isn't a problem.
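
The time and endorsement controls described in the message above, sketched as a recipient-side check on a contact request (an added example, not part of the original thread and not Mesh code). A simple hash chain stands in for the notarized log; the entry fields, sample profiles, amounts and thresholds are all assumptions.

```python
import hashlib
import json
GENESIS = "00" * 32
DAY = 86400

def chain_hash(prev, entry):
    """Bind one notarized entry to everything logged before it."""
    data = prev + json.dumps(entry, sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()

def log_head(log):
    head = GENESIS
    for entry in log:
        head = chain_hash(head, entry)
    return head

def work_factor(profile, log, trusted_head, now):
    """Return (cents, age_days) proven for profile, or None if the log fails to verify."""
    if log_head(log) != trusted_head:
        return None
    mine = [e for e in log if e["profile"] == profile]
    if not mine:
        return (0, 0)
    cents = sum(e["cents"] for e in mine)
    age_days = (now - min(e["time"] for e in mine)) // DAY
    return (cents, age_days)

def admit_hail(profile, log, trusted_head, now, min_cents=50_000, min_age_days=1095):
    """Assumed policy: require enough notarized spend or a long notarized history."""
    proven = work_factor(profile, log, trusted_head, now)
    if proven is None:
        return False
    cents, age_days = proven
    return cents >= min_cents or age_days >= min_age_days

# Constructed sample log; profile names, kinds and amounts are illustrative.
NOW = 1_700_000_000
LOG = [
    {"profile": "alice", "kind": "callsign", "cents": 10, "time": NOW - 3650 * DAY},
    {"profile": "alice", "kind": "meeting", "cents": 80_000, "time": NOW - 400 * DAY},
    {"profile": "bulk-0001", "kind": "callsign", "cents": 10, "time": NOW - 7 * DAY},
]
HEAD = log_head(LOG)  # in practice fetched from the notary, never from the sender

def backdated(log):
    """A sender's forged copy claiming bulk-0001 registered ten years ago."""
    forged = [dict(e) for e in log]
    forged[2]["time"] = NOW - 3650 * DAY
    return forged
```

The back-dated copy only fails because the recipient compares it against a head obtained independently of the sender; checked against a head computed from the forged copy itself, it would pass.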