The future of security
Steven M. Bellovin
smb at research.att.com
Wed May 26 17:33:36 EDT 2004
In message <40B512F0.4090405 at algroup.co.uk>, Ben Laurie writes:
>Steven M. Bellovin wrote:
>> In message <010501c44325$a6d62700$4900a8c0 at okiok.com>, "Anton Stiglic" writes:
>>>----- Original Message -----
>>>From: "Steven M. Bellovin" <smb at research.att.com>
>>>>>j. a cryptographic solution for spam and
>>>>>viruses won't be found.
>>>>This ties into the same thing: spam is *unwanted* email, but it's not
>>>>*unauthorized*. Crypto can help with the latter, but only if you can
>>>>define who is in the authorized set of senders. That's not feasible
>>>>for most people.
>>>Something like hashcash / client puzzles / Penny Black define a set
>>>of authorized email (emails that come with a proof-of-work), and then
>>>provide a cryptographic solution. This is not a foolproof solution (as
>>>described in the paper Proof-of-Work Proves Not to Work),
>>>but a good partial solution that is probably best used in combination
>>>with other techniques such as white-lists, Bayesian spam filters, etc...
>>>I think cryptography techniques can provide a partial solution to spam.
>> The spammers are playing with other people's money, cycles, etc. They
>> don't care.
>We took that into account in the paper. Perhaps you should read it?
We're saying something different. If I understood your paper
correctly, it says, more or less, that setting the cost high enough to
reduce spam will make the cost too high for legitimate users. My point
is that even if you do raise the cost high enough, they'll become more
aggressive at "0wning" machines so that they can throw more (stolen)
cycles or (stolen) zorkmids at the problem. The economic question,
then, is what is the cost of compromising enough new machines. Given
the code base and the user behavior that we see in the field, my answer
is "pretty low". The consequence, in your metric, would be an increase
in C, which would further inconvenience legitimate users, thus creating
a feedback loop.
--Steve Bellovin, http://www.research.att.com/~smb
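
Added example, not part of the original message or of the paper under discussion: a simplified hashcash-style stamp (SHA-256 over recipient:bits:counter, with no date or salt field, so not the real hashcash format) plus the arithmetic of the feedback loop argued in this thread. The hash rates, machine counts and volume cap used with it are constructed, and the model does not reproduce the paper's C metric.

```python
import hashlib
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def verify(stamp: str, recipient: str, bits: int) -> bool:
    """Receiver side: a single hash, however costly the stamp was to mint."""
    parts = stamp.split(":")
    if len(parts) != 3 or parts[0] != recipient or parts[1] != str(bits):
        return False
    digest = hashlib.sha256(stamp.encode()).digest()
    return leading_zero_bits(digest) >= bits

def mint(recipient: str, bits: int) -> tuple[str, int]:
    """Sender side: brute-force a counter. Returns (stamp, hashes tried)."""
    for n in count():
        stamp = f"{recipient}:{bits}:{n}"
        if verify(stamp, recipient, bits):
            return stamp, n + 1

def bits_to_cap_volume(machines: int, hashes_per_sec: int, max_mail_per_day: int) -> int:
    """Smallest difficulty that keeps a sender with `machines` hosts
    (owned or stolen) under the daily cap; a stamp costs ~2**bits hashes."""
    budget = machines * hashes_per_sec * 86_400   # hashes available per day
    bits = 0
    while budget / 2**bits > max_mail_per_day:
        bits += 1
    return bits

def legit_seconds_per_mail(bits: int, hashes_per_sec: int) -> float:
    """Expected wait for an honest sender with one machine."""
    return 2**bits / hashes_per_sec

if __name__ == "__main__":
    stamp, tried = mint("alice@example.org", 12)      # constructed recipient
    print(stamp, "after", tried, "hashes; valid:",
          verify(stamp, "alice@example.org", 12))
    # Constructed figures: 1e6 hashes/s per host, cap of 10,000 mails/day.
    for machines in (1, 1024, 1024**2):
        b = bits_to_cap_volume(machines, 1_000_000, 10_000)
        print(f"{machines:>8} hosts -> {b} bits, honest sender waits "
              f"{legit_seconds_per_mail(b, 1_000_000):,.0f} s per mail")
```

Each factor-of-two increase in stolen machines costs the defender one more bit of difficulty, and every added bit doubles the wait for the honest single-machine sender.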