[hashcash] Re: zombie calculator, messaging without SMTP using identity brokers (Re: response to "proof of work proves not to work"?)

  • From: "Eric S. Johansson" <esj@xxxxxxxxxx>
  • To: hashcash@xxxxxxxxxxxxx
  • Date: Tue, 18 Jul 2006 10:44:27 -0400

Simon Bohlin wrote:

Thank you Eric for the compliment :).
I've now completed a version 2.2 with some economics and an option to calculate with the same numbers as those "anti-hashcash researchers" used, see attachment.

good. I like. I might change the wording slightly on the economic calculations. Something like:


for a given spam campaign, assume a [ ] response rate. Using the pass-through traffic volume calculated above ([ ]), there will be [ ] responses. if the profit from each response is [ ] dollars (or any currency unit), the [[spammer revenue]] will be [ ]

if I can get a long overdue project done today, I will take a stab at making the changes.

I must say I disagree with a bunch of points. But operating on the principle that you never kill someone on your own side, I will be as kind as I possibly can. :-)

Eric S. Johansson wrote:
The _only_ difference to current SMTP is the _traceability_ of all messages.
the problem here is similar to that of money stamps. Anytime you have any "currency" that requires a broker, you have a system that can be overwhelmed or corrupted. Centralized authority
(aha, identity brokerS provide a multitude of authorities -- easing but not eliminating your mentioned problem points)

I am confused by this assertion. If you have multiple identity brokers/authorities, you do or can reduce the overwhelm factor. But what if a spammer is able to launch a denial of service attack against an identity broker to either give them a reputation for bad service or somehow sully their identity? I mean, if you have 3 million machines, what kind of mischief can you do to an identity broker? If you have enough money, can you corrupt an employee to reveal internal secrets or somehow help them gain access to certain keys internally?


Never forget that organized crime has far more money than it knows what to do with and they are always looking for "interesting business opportunities" as a laundering vehicle. After all, if it wasn't for money laundering, where would places like ADM, Nestlé, and other major multinationals be?

but more seriously, there is a problem with "transient" identity brokers. Spammers can own identity houses and they have a dirty identity stream which reduces the value of the reputation and they can "appear" to cooperate but just turn around a new identity to the spammer. Also, what's to stop a spammer from buying lots of identities and then liberally trashing the reputation of an identity broker?

I can think of more scenarios some more probable than others on how to ruin reputation independent of the number of brokers around.

Based on what we have all seen in the certificate business, identity brokerage business will quickly become owned by VeriSign and shrink down from hundreds or thousands of brokers to maybe 10 worldwide. Reason being is only very large identity brokers can handle the liability issues associated with issuing identity.

means you need to have an evidentiary process for proving someone is a spammer, the judicial process to evaluate the evidence and make a decision whether or not they are a spammer, and you need an authority to enforce the devaluing of a currency or currency source. You also have issues of fundability and reach of an authority.

Each one of the stages are corruptible. Some very poor countries may be tempted to sell their ID issuers to an external source for management. if ID issuers can be private rather than publicly managed authorities, then nothing will stop spammers from owning their own ID issuer, selling a bunch to the real public and then slipping in their own spammer IDs.

From what I understood of my email contact with Netmesh, the difference to current SMTP is only the _traceability_ of all messages. This can bring many brokers with different levels of connection person -- internet identity, and according levels of reputation, with free+anonymous brokers at the low end, just like what we have today! Those people are very into the "social software" ideas and it seems trust will be linked with friend and friend-of-a-friend relations to regulate the value of one's trust "currency". Spammers will surely hi-jack more zombies and owners of zombie-computers will complain to their ISP about their messages being bounced.

Hm, so where's the news, what difference from the current situation? Ah, _traceability_! (Which also cuts down on phishing for login accounts to Paypal and banks) (And maybe ISPs and end-users will get stronger incentives to clear up the _traced_ and thus proved-to-be-infected zombies.)

okay, this is one aspect that is good. we also can provide similar zombie tracing through a human mediated feedback mechanism. Also, I wouldn't be surprised if spam that is "clearly spam" through the content filter could also be used to trace zombie sources.


Surely many will send all email with their government-granted identity out of habit because it works best, and ignore if the government profiles your probable voting preferences. Real identity + end-to-end encryption (_without_ key escrow, if you are a privacy activist or a dissident) would serve most users well, but it would be nice to also have anonymity.

And also consider what could happen if a government wanted to silence dissenters inside or outside of the country. Either they could tie up the IDs in court or just get them revoked without question depending on the process.
The usage of a broker adds one more layer (on top of DNS on top of IP-addresses) where legal regulations and (color)-listing can be applied, so let's assume legal attacks will also go for the lower layers, to cover all types of messaging at once. As long as you can publish on some URL, that URL can be your identity and if you can run software on the server, you can be your own broker. Otherwise dissenters would go for the free+anonymous servers + stamp their messages! :-)

I'm having two problems with this. The first is the assumption that anonymity means you'll be heard. It's entirely possible for people to structure the network so that if the message is "anonymous" it will be rejected with or without stamp. It's not like the legally protected anonymous pamphlet distribution on political issues here in the states. I can see people rejecting anonymous communications. After all, I frequently do not answer the phone if caller ID doesn't reveal who it's from.


the second problem is reliability. For me, DNS fails about 10% of the time (thank you Comcast). what guarantee do I have that I will be able to reach my identity broker in order to resolve an identity? If I can't reach the identity broker, or they can't resolve the ID, what do I do?

this is a small but significant advantage the stamps have over any centralized infrastructure. They are completely independent of any resources except those you provide it. No servers, no certificates, just a simple calculation.



so this is why we like stamps. Nondiscriminatory, decentralized, and annoyingly flexible.

I only dislike the waste of electrical power and that it discriminates mobile devices. I think stamps are excellently used in Camram, since as I understand one stamp (low power waste :-)) gets you on the white list, and one user-report of spam gets you from the white to the black list. This gives the majority of legitimate email users a strong factor advantage against spammers, and I think it should be more widely adopted.

on the power issue, most machines start using about 30% more power when generating stamps so it's not a huge differential. If on the other hand people start getting smarter about power and are able to cycle the power down to 10% of maximum, then it's a bigger issue. :-)


as for making it more widely adopted, well, I could use some help. darcs archive can be made readily available at any time. it's relatively close to being ready to stuff into a VMware bubble which means deployment would be a snap for most people.

Trying to remember some situations when someone would need to send email to large amounts of previously unknown recipients, I only come up with NGOs who collect emails for a new mailing list, or researchers who send coupons or other feedback to many of their interviewees. Since this is opt-in situations, simplest (but still not simple enough) solution is that you must remember to white-list them before they start mailing.

this is a royal pain in the ass. When I get to putting the audio track to my presentation, you will see that there are a few scenarios where Web 2.0 type applications with proof of work stamps can be used to reduce the value of an attack by a spammer. one thought was to use the captive zombie to generate such a stamp. But the same server could send a note to the local machine (how?) indicating that the stamp generator really wants them to respond to this message to get on their mailing list. Maybe do a pop up with mail to URL or something.


Yes, it's an ugly hack, it's just an initial thought so feel free to abuse me for it.


(Spammers could gather intelligence on current events to figure out white-listed senders to impersonate (Paypal scammers comes to mind...) but both researchers and list servers would have nothing against using a proven identity (either issued by government, ISP, or some group of officially known members of the NGO/research lab). Maybe the only argument against verified/guaranteed identity of sender is the loss of anonymity (where, as I suggested in my previous mail, hashcash-type stamps should be an excellent way to get your messages stick up above the seas of spam).

you still haven't convinced me that if I say "the King is a fink" that King George couldn't call in his buddies and have them stomp on my identity broker and make my electronic identity and therefore my ability to speak, go away.


if I switch to another identity broker, then I need to reestablish bona fides with all the other people I deal with and there's still no guarantee that my identity still won't go away. And if it goes away enough times, I self censor which is what the First-Amendment-over-everything folks call the chilling effect.

I still haven't been convinced that there isn't a chilling effect property with IDs. unfortunately, it will take arguments from the ACLU to make me most comfortable. I know altogether too well how the government can make your life a living hell once they know how you identify yourself to the world.


About "good zombies" -- isn't it quite impossible to prevent spammers from (ab)using the "good zombies" or the ISPs stamp minting resources, since legitimate ISP-customers can be converted to bad zombies (traceable or not!)? (And ISPs are scared of losing customers so they don't shut off zombies.) I think it still boils down to _tracing_ the senders, (color)-listing them, and debating when to list or unlist.

it depends. If you use an authenticated zombie or a poorly authenticating zombie, then yes, spammers can take over and make our lives not very pleasant. On the other hand, if you use something like your authentication system (which is used infrequently enough that network reliability issues is not as much of a problem) then the zombie should be relatively secure. But that's why I'm raising it to this group. Can we come up with a good authentication system (existing or invented) which will allow a zombie engine to be used by any service provider or Web 2.0 application supplier to generate stamps on behalf of the user?


maybe the answer is we need to use proxies and look at slightly modified protocols to signal "I need a stamp" and then the local host generates the stamp based on that interaction. Again, we are a bunch of smart people, we can come up with something good.

In conclusion, I believe we will soon enough get to think more about how and where hashcash fits into a system of traceable messaging.

could be. But you know, I think camram could deploy faster than the traceable messaging system and would be overall more reliable because of its near-endpoint distributed nature. But I am willing to be convinced, it just may take more work than the list can tolerate.


I will ask for help to finish up camram and get it into a vmware bubble. Nothing says that we can't add the traceable messaging system to camram at a later point if it should prove worthwhile. After all, camram is proving itself to be a rather flexible framework for experimenting with anti-spam techniques.

---eric
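
The receiver-side stamp check and the one-stamp white-list / one-report black-list policy discussed in this thread, as an added example that is not part of the original post and is not camram's code. It assumes the hashcash version 1 stamp layout (`1:bits:date:resource:ext:rand:counter`, SHA-1, leading zero bits); the addresses, the 12-bit threshold, the 28-day window and the `SenderLists` class are constructed for illustration.

```python
import hashlib
from datetime import datetime

def zero_bits(digest):  # count leading zero bits of a digest
    n = 0
    for b in digest:
        if b:
            return n + 8 - b.bit_length()
        n += 8
    return n

def mint(resource, bits, day, rand="constructedRand"):
    """Sender side: brute-force a counter until SHA-1 has `bits` leading zeros."""
    counter = 0
    while True:
        stamp = f"1:{bits}:{day}:{resource}::{rand}:{counter:x}"
        if zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1

def verify(stamp, resource, min_bits, today, spent, max_age_days=28):
    """Receiver side: one hash plus local checks, no server or certificate."""
    f = stamp.split(":")
    try:
        ok = len(f) == 7 and f[0] == "1" and f[3] == resource and int(f[1]) >= min_bits
        age = abs((today - datetime.strptime(f[2][:6], "%y%m%d").date()).days)
    except (ValueError, IndexError):
        return False
    if not ok or age > max_age_days or stamp in spent:
        return False            # wrong recipient, too cheap, stale, or replayed
    if zero_bits(hashlib.sha1(stamp.encode()).digest()) < int(f[1]):
        return False            # claimed work was not actually done
    spent.add(stamp)            # local double-spend record
    return True

class SenderLists:
    """Hypothetical white/black list driven by stamps and user spam reports."""
    def __init__(self, me, min_bits=12):
        self.me, self.min_bits = me, min_bits
        self.white, self.black, self.spent = set(), set(), set()
    def receive(self, sender, stamp, today):
        if sender in self.black or sender in self.white:
            return "reject" if sender in self.black else "accept"
        if stamp and verify(stamp, self.me, self.min_bits, today, self.spent):
            self.white.add(sender)   # one valid stamp earns white-list status
            return "accept"
        return "hold"
    def report_spam(self, sender):
        self.white.discard(sender)   # one user report moves white -> black
        self.black.add(sender)
```

Everything `verify` needs (the stamp, the recipient address, a clock and the local set of spent stamps) is held by the receiver, so the check still works when DNS or any external service is unreachable.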
