RE: [Asrg] seeking comments on new RMX article

"Eric D. Williams" <eric@infobro.com> Wed, 07 May 2003 01:19 UTC

Message-ID: <01C31414.E0DB0F60.eric@infobro.com>
From: "Eric D. Williams" <eric@infobro.com>
To: 'J C Lawrence' <claw@kanga.nu>, Michael Rubel <asrg@mikerubel.org>
Cc: "asrg@ietf.org" <asrg@ietf.org>
Subject: RE: [Asrg] seeking comments on new RMX article
Organization: Information Brokers, Inc.
Date: Tue, 06 May 2003 20:50:50 -0400

On Tuesday, May 06, 2003 7:50 PM, J C Lawrence [SMTP:claw@kanga.nu] wrote:
> On Tue, 6 May 2003 12:10:21 -0700 (PDT)
> Michael Rubel <asrg@mikerubel.org> wrote:
>
> >> BoxA is compromised.
>
> >> The zombie code sucks in a spamming engine (SE).
>
> >> The SE determines the mail configuration of BoxA in terms of
> >> appropriate SMTP envelope etc from the registry.
>
> >> BoxA spams away using the stolen credentials from its registry.
>
> > Thank you--you've raised a reasonable, cogent objection.
>
> Nope, there's nothing in there specific to RMX, RMX just prompted some
> mental noodling which ended up with me doing some arm waving at future
> attack vectors.  RMX is broken for simpler reasons, which have been well
> covered without my help.

Please explain.  I do not think that your example has shown a flaw in RMX.  As
I stated in my message on this point, the attack scenario you describe is a
security concern primarily and a spam issue secondarily.  In fact, if a system
is compromised, spamming would be a minimal concern as compared to eliminating
the vulnerability.  Please give an example of how RMX is fundamentally broken.
I have heard that opinion several times today; could you provide an example
(especially since it is so trivial - I have not been able to come up with one)?

> > As you note, RMX would not help against this kind of attack, and
> > frankly neither would any other proposal I'm aware of.  If I can trick
> > your machine into thinking I'm you, then I can do bad things in your
> > name and thus make you look bad.
>
> Quite.  As I noted at the time, this is a core problem with edge
> authentication schema, and isn't necessarily resolvable.

I am not sure of what you are saying; are you referring to systems commonly
known as user desktops?  I did not recognize the attack vector in your example
or a description of what part of RMX introduced a flaw/vulnerability into the
compromised system.

> > I submit that RMX gives a significant improvement, and it's just
> > simple/easy enough that people might start using it!
>
> Deployment expenses with RMX are a significant problem, as are the ROI
> curves related to percentage deployments and fundamental email use
> costs.  You can arm-wave technical solutions at them, but they merely
> increase the deployment, support, and maintenance costs for a negative
> ROI on the part of the deployer.  You are attempting to recreate
> top-down authority structures when the natural (and proper?) tendency of
> the field in normal legitimate use is for
> self-authenticating/identifying nodes, not external nomination systems.

From where does this analysis stem?  Please cite examples of how you determined
the deployment costs and ROI on RMX.  I am interested in reproducing your
results for validation.

> <shrug>
>
> Now, can we move on to digging out a proposal which has a chance of
> being useful instead of beating dead horses?

I think it's still twitching.

-e
