Re: Yahoo breaks every mailing list in the world including the IETF's

Eric Dynamic <ecsd@transbay.net> Tue, 20 May 2014 01:42 UTC

Return-Path: <ecsd@transbay.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FD7F1A0239 for <ietf@ietfa.amsl.com>; Mon, 19 May 2014 18:42:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.326
X-Spam-Level:
X-Spam-Status: No, score=0.326 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, US_DOLLARS_3=1.754] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KMcjMoFvIABO for <ietf@ietfa.amsl.com>; Mon, 19 May 2014 18:42:45 -0700 (PDT)
Received: from transbay.net (transbay.net [208.184.217.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A8F41A0229 for <ietf@ietf.org>; Mon, 19 May 2014 18:42:45 -0700 (PDT)
Received: from [10.10.10.176] (ecsd.transbay.net [208.76.28.94]) (authenticated bits=0) by transbay.net (8.14.7/8.14.7) with ESMTP id s4K1SW9U029730 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 19 May 2014 18:28:37 -0700 (PDT)
Message-ID: <537AAB5A.10504@transbay.net>
Date: Mon, 19 May 2014 18:09:46 -0700
From: Eric Dynamic <ecsd@transbay.net>
User-Agent: Thunderbird 2.0.0.24 (X11/20100623)
MIME-Version: 1.0
To: Yoav Nir <ynir.ietf@gmail.com>, ietf@ietf.org
Subject: Re: Yahoo breaks every mailing list in the world including the IETF's
References: <53752DAC.4090305@transbay.net> <6.2.5.6.2.20140516234651.0b808458@resistor.net> <CAMm+Lwi=eKby_7erZ6=MrwfSAJwt7HewALKHz38dWGp7gvGv+A@mail.gmail.com> <6.2.5.6.2.20140517225044.0bb15010@elandnews.com> <53799704.9070002@transbay.net> <54B6E91E-C033-4B1C-8A3F-0DAAD85D6FC0@gmail.com>
In-Reply-To: <54B6E91E-C033-4B1C-8A3F-0DAAD85D6FC0@gmail.com>
Content-Type: text/html; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
X-UCTC: processed through sdmilter
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/9BZvcmqQS8YoqOyK_jIagAJ3AxY
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 May 2014 01:42:46 -0000

Yoav Nir wrote:
There are billions of hosts connected to the Internet and they’re running whatever they feel like,
being //totally familiar with the alternatives//, of course ...
People use Windows because it works for them.
People used to believe the Earth was flat and that worked for them then, too.
Unix and Linux don’t unless you layer a huge layer of GUI makeup to hide the ugliness away, as in Mac OS, iOS and Android.
You have apparently not used Ubuntu Linux, which is similar enough to Apple to overcome your objections.
I’ve been using Unix with makeup since 2000 BTW, but Windows bashing is so 2006.
  
I see. Windows sucks dead turkey buzzards because 13-year-old Bulgarian hackers can crack it, but
objecting to it is "out of style", so the objections no longer hold water and suddenly, all is now good
and Windows is now secure.

Or something like that. Akin to "Polio is no longer infectious" and "Lead is now safe to drink", as long
as someone can make the right fun of the people who keep warning us about those things.
Your argument does not hold water. Spam existed long before botnets.
Yeah, and it came from criminals using identifiable sources (call them ISPs) that stomped the
spammers once the ISPs were notified. We ISPs had spam on a //definite retreat// in early 1998(*);
and //then// the bot-nets arrived to rescue it (mid-1998 and after.) After that, the "senders" of spam
became millions of innocent people across the world, and the work to track down the originator
became too great to pursue.

(*) I personally chased the infamous Robert Soloway off five consecutive //Chinese// (PRC) servers
by showing them what the guy was all about. That was when the PRC still gave a damn (they no longer
seem to.) Soloway owes me $37,500 and Robert Braverman of Oklahoma $10,050,000, not that either
of us will collect. The DOJ contacted me for feedback on Soloway's sentence and I told them to throw
the book at him, especially considering he continued to spam after losing to Braverman and being
enjoined by the court from ever spamming again. I hope they gave him the full five years; and we
haven't heard from him again, so his jail time seems to have convinced him to do something else
for a living.
It’s the anti-spam measures that those IT professionals have been using that have forced spammers to seek other means of distribution such as botnets.
No. It was //enforcement and accountability//. Virus authors saw a use for invading machines
more lucrative than putting up messages on the user's screen saying "F4 says it's groovie."
Anti-spam tools came AFTER that.
If they didn’t use that, they’d use something else,
Prove it. Show me. Show us what that would be. Because it would already exist, if "it" were so easy
to come up with. There is no next step (see "prove otherwise" above.) Once the bot-nets are gone,
we (ISPs) will once again be able to track down the original source of spam. Whether we can put our
legal fingers on them is another matter, but if it is widely recognized that country X refuses to deal
with its spammers and the worldwide ISP community begins en masse to quit accepting mail from
country X, country X will get the message. This is how it used to work (in respect to ISPs more so
than countries) up til early 1998. There was a worldwide informal community of ISPs at that time
and that community was AGGRESSIVELY anti-spam.

Japan used to be awful. By 1998 I blocked all of 210/8 because they were so bad. They being
presentation-sensitive and otherwise upright people, appear to have issued a national policy
statement that things needed to be cleaned up, because they are now some of the most
proactive people on the net, combating spam. One rarely gets a spam from a Japanese network.
So very, very good for them and they are no longer persona non-grata on my networks.
or else we’d see more things like Flashback or that Java botnet that runs everywhere.
distributed = bot
bots die, distributed dies.
media-company subpoenas to ISPs concerning "shared" pirated media content show
what can be done when there is //a will to act//.
I get tons of span because my email address is posted in a lot of places on the Internet: IETF mailing lists, I-Ds and RFCs.
You get lots of spam because the US Government doesn't take the problem seriously enough.
It is a lot more concerned with protecting gray-mail spammers making money, than it is in
protecting the general public. The proof is the 2003 "CAN-SPAM" law which means what it says -
because there was No Accountability for the fact that the politicians did not complete the
homework they gave themselves, which was to define how unsolicited commercial email
was to be legally required to label to itself as such. That law needs to be repealed so suing
spammers becomes self-financing again. BushCo passed CAN-SPAM in an emergency to head
off California's aggressive anti-span laws due to take effect 1 January 2004.

And you get lots of spam because 95% of people still use Microsoft's swiss-cheese software -
one new exploit every 15 days - and don't use unix / linux / mac osx = mach + bsd unix,
for one new exploit every 7.5 years. BushCo also let Microsoft of the hook for having LOST
a major antitrust suit and facing what could have been a useful dismemberment: the applications
company would have written for Linux and the OS side would have failed and gone out of business,
as was warranted. Now it all gets to go down the tubes at once.

I did say that the "everything is pervious" argument is just silly, when the question is
how EASILY can a system be hacked to suborn its use and the answer is that
unix is orders (plural) of magnitude harder to get into than Windows.
It makes economic sense to send spam to people like me (some of us take the bait), so the spammers will do it one way or another.
Yes, we understand WHY they do it. The sad fact is that 1/7 of the human population has an IQ
that subjects them to tests that they fail (like "you won the UK lottery that you never entered,
so send me (a person you never heard of) money to get hold of your winnings.")
Unpatched Windows systems are an easy target for them,
If Windows needed a patch, then it was broken. If it needs 24 patches per year, it is very seriously
broken. So thank you for admitting my claims about the defects of Microsoft's software to be valid.

Curiously, patched Windows systems are an easy target too. You patched against a virus that was
detected because it already got out into the public (causing damage) and was picked up by e.g.
Symantec and McAfee to write a patch for. But what about the next virus concerning the very same
otherwise unpatched-as-yet code? Microsoft simply doesn't know how to fix the issue - or does know
and simply doesn't want to bite the bullet. Same outcome: using Microsoft software on the open Internet
is a manifest threat to the user and all victims of that user's will-one-day-inevitably-be-broken-into PC.

MTBRNI (mean time before risk of next infection) = 15 days. Sorry, but that gets a deserved frowny face :(
I usually say that unix is four orders of magnitude more secure than Windows, but if we compare the
MTBRNI we get log10(2700/15) ~= 2.26 orders of magnitude; so I apologize for my exaggeration.
I'll keep 2.25 orders of magnitude in mind.
but eliminating those will not solve the spam problem.
  
I'll take the 98% worldwide cleanup my solution offers - gladly.

And you're right: I don't control what people may do. I can say "please don't step in that hole and risk
serious injury to yourself and others", and they're entitled to ignore my advice, step in the hole, incur
serious injury to themselves and others and then even go so far as to say that they should be excused
because they were only doing what everyone like them does blindly, fecklessly and unconsciously.

I'm banking on virality: the more people who migrate to something Unix-based - e.g. Ubuntu (free of charge),
and never suffer viruses or spyware again, the more people will have "free of worry" solutions to offer
those around them, and we may get (one can always hope) a hysteresis curve of adoption of Open Source
systems and rejection of the pervious Microsoft world - and another epochal computer revolution worth
writing up in the History books. Believing Copernicus and Galileo only took having open eyes and an open mind
to accomplish in a relatively short time despite the desperate and bitter opposition of the Church -- here used
as a symbol for "Received Wisdom", such as "people use what they want to." People use what they were
taught to use and what other people use. People can always learn to use better software when the //institutions
they depend on for knowledge of these things// abandon beliefs of former centuries - perhaps "Windows" itself
is "so 1990s" that we'll begin en-masse asking ourselves why we still use it.