Is it spam if I keep saying it?
By davebirch posted May 10 2007 at 6:23 AM

[Dave Birch] I was in a conversation about spam yesterday and it made me reflect on my friend Peter Cochrane's observations about the economics of spam. These are sophisticated: as Peter points out, there are already wholesalers of botnets. You can actually buy the capability to become a total pain in the bum to millions of people. The spammers have realised they can get through even multiple filters through sheer volume. If your filter is 97 per cent efficient, then the volume that gets through is still huge enough to fill your inbox with tripe. And it is that volume that is a problem - it is jamming the net and as a result we are all losing efficiency. Filters, no matter how good, cannot be the answer because they can always be defeated by volume.
Spam and the related problem of phishing seem to me to be an example of low-hanging fruit that digital identity ought to be able to grab easily. I hate to say it yet again, but there is no reason that communications between two virtual identities (in this case, virtual me and virtual my bank) should not be encrypted and signed. It's impossible to find a web browser that doesn't implement SSL just as most mail packages implement S/MIME.
One of the ironies of the current situation is that people who ought to be part of the solution -- banks -- are actually part of the problem. The phishers are so sophisticated that it is very difficult for customers to distinguish real from fake e-mails: so while the security department advises that a bank tell customers it will never ever send them an e-mail, the marketing department always wins and the e-mails continue. At the same time, I read things like "I am optimistic that email can still be effective if financial institutions clearly personalise their message". No! This is not the solution: it's not about personalising messages, it's about signing them and making clients e-mail services that will discard all unsigned e-mail by default. And if a bank can do this for its customers, then it can do it for other service providers as well so that the provision and management of digital identities become a line of business instead of a cost of being in business.
My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.
The problem is well stated, email turns to spam because anyone can send to anyone and it is free. Change one of those assumptions and spam dies, but so does email.
Identity cannot really solve spam in the sense of One True Identity, because that form of identity is too expensive. Unfortunately, it carries too much baggage, too high costs, all wrapped up in too low security. We've already seen how True Identity doesn't scale in S/MIME.
Nymous identity on the other hand scales nicely. It doesn't have the costs, nor the baggage, so people are willing to risk the loss of a nym to a spammer in ways they would never risk their "one true identity."
The solution is fairly well established: create the nym on the fly and email the public key to all recipients automatically. Encrypt to those you can, and add digsig message authentication as well if anti-spam is desired.
(Disclosure: I audit a CA, independently...)
Posted by: Iang | 27/05/2007 at 11:42 AM
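
The receiving-side policy discussed on this page (discard unsigned mail by default, and treat a sender's automatically mailed public key as a nym) can be sketched as follows. This is an added example, not code from the post or the comment: it uses bare Ed25519 signatures in place of S/MIME, pins the first key seen for an address, and the names `Message`, `Inbox`, `Sign`, `Accept` and the address `bank@example.test` are all hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Message is a constructed stand-in for an e-mail carrying the sender's nym key and a signature.
type Message struct {
	From string
	Body []byte
	Key  ed25519.PublicKey
	Sig  []byte
}

// Inbox pins the first key seen for each sender address (trust on first use).
type Inbox struct{ pinned map[string]ed25519.PublicKey }

func NewInbox() *Inbox { return &Inbox{pinned: map[string]ed25519.PublicKey{}} }

// Sign builds a message signed over "From\nBody" with the nym's private key.
func Sign(from string, body []byte, priv ed25519.PrivateKey) Message {
	data := append([]byte(from+"\n"), body...)
	return Message{from, body, priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, data)}
}

// Accept returns "accept" or a discard reason; unsigned mail is dropped by default.
func (in *Inbox) Accept(m Message) string {
	if len(m.Sig) == 0 || len(m.Key) != ed25519.PublicKeySize {
		return "discard: unsigned"
	}
	if !ed25519.Verify(m.Key, append([]byte(m.From+"\n"), m.Body...), m.Sig) {
		return "discard: bad signature"
	}
	if k, ok := in.pinned[m.From]; ok && !k.Equal(m.Key) {
		return "discard: key differs from pinned nym key"
	}
	in.pinned[m.From] = m.Key // pin only after the signature has verified
	return "accept"
}

func main() {
	_, bank, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	_, other, _ := ed25519.GenerateKey(nil)
	in := NewInbox()
	fmt.Println(in.Accept(Sign("bank@example.test", []byte("statement ready"), bank)))
	fmt.Println(in.Accept(Message{From: "bank@example.test", Body: []byte("click here")}))
	fmt.Println(in.Accept(Sign("bank@example.test", []byte("verify account"), other)))
}
```

Pinning on first use means the first message seen for an address is taken on trust, so a bank adopting this policy would want its key delivered to the client through an existing channel before any mail arrives.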