Reduced spam and increased security infrastructure? [Telecom]

It occurs to me that while my junk email headers may not reliably indicate their country of origin, the telecommunications infrastructure must know where the equipment is that's connected to the other end of their pipes. Does that equipment tag geographic (or more practically, political country) packet origin to be used (or not) by equipment further down the line?

Surely the various parts of the government charged with security and safety want to be able to shut off traffic coming from selected inlets in times of crisis. On a more personal level, I sure wouldn't mind dropping packets on the floor from various spam-producing countries (or even better, specific ISPs). Of the infrastructure needed to allow this, how much is in place and is [it] reliable?

***** Moderator's Note *****

Of course, anything that can be done to block email can be done to block VoIP, so I declare this post "relevant".

Seriously, while the Digest isn't a spam-fighting venue, I'm allowing this post because traffic is low right now, and I'm curious how much this subject resonates with the readership.

Bill Horne Temporary Moderator

Please put [Telecom] at the end of your subject line, or I may never see your post! Thanks!

We have a new address for email submissions: telecomdigestmoderator atsign telecom-digest.org. This is only for those who submit posts via email: if you use a newsreader or a web interface to contribute to the digest, you don't need to change anything.

Reply to
greg1

[Moderator snip]

The only way to stop or slow the spam is to get the countries that these come from to take action against the spammers. Teeth have to be put in the law, like loss of all the property of the spammer, long prison time, like 50 years or more for just one violation and 1000 years for more than one.

Reply to
Steven Lichter

I have been around since the early days of the net, with the old address naming, [and] I'm not sure if they could be forged. I have also seen the Next generation: many companies are using it [only] as their intranet. I know GTE was updating before the merger [with] Verizon, [and] I believe they continued the upgrade, and from my understanding on how it worked, if the sending ID did not match it would never make it through the system. That is what has to be done here, [and] I'm sure there would be [little or no] disruption.

Reply to
Steven Lichter

The email comes across a TCP connection, so the IP addresses of the end points need to be accessible, and not spoofed.

So - [the answer is] "yes", the end point is known, but that may well be a "zombie" remote controlled PC acting as a relay. Since the [TCP] connection doesn't go thru the relay, the ability to directly trace the email traffic flow for the actual spam message you get stops at that point.

In turn, those PCs are unlikely to be controlled directly, and the control connections may only occur occasionally so you would have to trace a chain of devices and connections.

[One] thing to remember is [that] the Internet was designed to be resilient.

There is a famous quote that it treats censorship as damage and reroutes around it. And unfortunately "good" censorship is just the same as any other from this perspective.

VoIP can be harder because the signalling and sound streams don't have to go between the same [two] devices (and you can receive voice from a completely different address [than that] to [which] you send your output).

This makes for a whole new class of weird faults in VoIP - but also suggests some denial of service attacks that conventional voice systems don't need to worry about.

Reply to
Stephen
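Added example, not part of the original thread or any poster's code: the post above says the TCP endpoint that delivered a message is known even when nothing else about the mail is. In practice the only `Received` header a recipient can rely on is the one its own mail server wrote; the Python below walks the chain from the top, stops at the first peer outside the recipient's own network, and treats every header below that as sender-supplied. The hostnames, the `TRUSTED_MTAS` and `INTERNAL_NETS` values and the sample message are assumptions constructed for illustration.

```python
import email
import ipaddress
import re

# Assumptions for this example: our own mail servers and internal address space.
TRUSTED_MTAS = {"mx1.recipient.example"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample message. Only the top Received header was written by our
# MX; the two below it arrived as part of the message and could be forged.
SAMPLE = """\
Received: from mail.example.net (unknown [203.0.113.45])
\tby mx1.recipient.example (Postfix) with ESMTP id 4ABCD1234
\tfor <user@recipient.example>; Wed, 17 Dec 2008 22:05:15 -0500 (EST)
Received: from bank.example (bank.example [198.51.100.7])
\tby mail.example.net with SMTP; Wed, 17 Dec 2008 21:59:01 -0500
Received: from [192.0.2.10] by bank.example; Wed, 17 Dec 2008 21:58:40 -0500
From: "Customer Service" <service@bank.example>
To: user@recipient.example
Subject: Account notice

Body text.
"""

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def parse_hop(value):
    """Extract the recording server ('by') and the peer IP from one header."""
    flat = " ".join(value.split())  # unfold continuation lines
    by = BY_RE.search(flat)
    # The peer address lives in the 'from' clause, i.e. before the 'by' clause.
    from_clause = flat[: by.start()] if by else flat
    ip = None
    match = IP_RE.search(from_clause)
    if match:
        try:
            ip = str(ipaddress.ip_address(match.group(1)))
        except ValueError:
            ip = None  # bracketed text that is not a valid address
    return {
        "by": by.group(1).lower().rstrip(".") if by else None,
        "ip": ip,
        "raw": flat,
    }


def last_verified_peer(raw_message, trusted=TRUSTED_MTAS, internal=INTERNAL_NETS):
    """Return the external peer our own servers saw, plus the unverified hops.

    Headers are listed newest first. A hop counts as verified only while it was
    recorded by one of our servers; the walk continues downward only through
    hand-offs from internal addresses. It stops at the first external peer, so
    a forged header that merely names our server further down is never trusted.
    """
    msg = email.message_from_string(raw_message)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    peer_ip, boundary = None, 0
    for index, hop in enumerate(hops):
        if hop["by"] not in trusted or hop["ip"] is None:
            break
        boundary = index + 1
        addr = ipaddress.ip_address(hop["ip"])
        if any(addr in net for net in internal):
            continue  # hand-off between our own servers; keep walking down
        peer_ip = hop["ip"]
        break
    return {"peer_ip": peer_ip, "unverified": hops[boundary:]}


if __name__ == "__main__":
    result = last_verified_peer(SAMPLE)
    print("Peer seen by our MX:", result["peer_ip"])
    for hop in result["unverified"]:
        print("Sender-supplied, unverified:", hop["raw"])
```

The address this returns is the machine that opened the TCP connection, which, as the post notes, may be a compromised relay rather than the originator.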

My ATT Yahoo e-mail will not allow me to send private e-mail without it being verified. I can still post with it, [but] it really makes me mad. Once in a while I'll get a scammer and I used to load a couple thousand e-mails and mail it to him, [but] now I can't do that since he will know who sent it. Now if other [victims] used the same method that would slow down the spam a bit. I agree with you, with all the bot nets from infected computers it is hard to stop. I use a Mac so as of now I have not had any problems, but I have been poked at from the outside a few times, [and] my Firewall keeps me clean.

Reply to
Steven Lichter

Actually, a moderate penalty but strictly enforced with certainty, will be more effective than a big threat with little risk of enforcement.

Unfortunately, this is true. Petty corruption flourishes in such places, which would make enforcement difficult.

One contributing factor to this fraud, and other frauds as well, is the ease of acceptance of credit cards overseas. This is vital for global trade. But perhaps the credit card service bureaus need to be more restrictive on this type of thing, even if there is a slight inconvenience to legitimate Internet purchases.

However, I get the impression that plenty of spam comes from right here but only the worst of the worst spammers get prosecuted or sued, and it's a very difficult process. That is, the spammers are able to fight off legal attacks.

***** Moderator's Note *****

The Credit Card issuers are bankers, not cops, and so long as losses are within their insurance underwriters' limits, they don't care about fraud. The root of the problem is the gullibility of the average internet user, and that's not something that governments can change. As my brother is fond of saying, "The job of The State is to protect you from your neighbors' folly, not your own".

BTW, I agree that the vast majority of spam comes from "right here": I had to pull the plug on one of my customer's machines yesterday. It was a Windows 2003 Basic Server box, which had a rootkit in it, and was spewing "419 scam" come-ons via Advanced Mass Sender, which is one of the better known pieces of vileware. The spammers are doing the same thing rumrunners did during prohibition: they're offloading their wares from larger, more easily traced sites, onto botnets that distribute the traffic enough that it's not effective to stop any single machine.

Bill Horne Temporary Moderator

Reply to
hancock4

Indeed.

But what happened subsequently was avoidable. As the Internet expanded beyond the controlled academic world into the hands of the general public, many advocates were extremely emphatic about retaining the 'open' policy; they didn't want any rules or restrictive structures (beyond technical needs). (Go back to early issues of "Wired" or BBS magazines.) When the first spam and abuses came out they had the attitude "the answer to free speech is more free speech"; that "good" posters would outdo the "bad" posters. But what happened was "bad money drives good money out of circulation".

Agreed.

Reply to
hancock4

On Wed, 17 Dec 2008 22:05:15 -0500, hancock4 wrote: .......

....... These days too many people expect "someone" to protect them from their own folly or pay them compensation for it - and that "someone" is usually "someone else" like government.

Outsourcing responsibility in the Western world has reached the level where the whole planet will be half-dead in a century and it will always be the responsibility of "someone else" to do anything about it.

Reply to
David Clayton

Warning! Long post! :-)

Ah, this is the (short answer) I was looking for.

Thank you for posting my OP. It occurs to me that I didn't originally draw a distinction between VOIP and internet data, since my (unstated) interest was in the copper/fiber lines between countries, and I assumed that when it comes to these wires, it's "all the same," anyway.

I also agree that the basic protocols need to be redesigned to eliminate all of the (many) kinds of illegal traffic possible right now. My OP was the beginning of me trying to self-educate about what the current technical and political condition is in moving toward a new set of protocols.

It is interesting that there is such a strong pro-anonymity movement (euphemistically called an "open Internet"). I doubt many law-abiding citizens are in favor of terrorists having the same access to our "open Internet" as we do, but that is currently the case. The anarchic design of the Internet is untenable in the long-term due to the need we have already seen in enacting laws to control human behavior in the real world. We won't be able to sustain the double standard of "it's OK to do xxx" in a virtual world, but not in real life.

I read in the news that people in China are attacking United States computer systems, something that would be an act of war if we actually were able to trace the attacker back to a Chinese citizen that works for their government. As it stands, the public tends to assume such attacks are by kids or people who aren't really trying to do harm, or at worst, are people spamming for economic benefit. My thought is that in time of war, the U.S. Defense Department would like to be able to throw a switch to halt all incoming traffic from the offending country. In fact, I find it hard to believe that they can't currently do this somehow.

The overly simplistic design I am imagining for the purpose of studying the subject right now is that the telecom hardware in the U.S. that is connected to the international pipes should have a switch on it. We set that switch to "yes" if we believe the political entity at the other end will only send "yes"-marked data down the pipe from identifiable people, otherwise we set the switch to "no." The "yes"/"no" status is added to the header packet to be used as ISPs/ people inside the country see fit. If my ISP was one that wants to be "open" and passes both kinds of traffic on, this would allow _me_ to reject all data carrying a "no" if I want to. This overall design would be encouragement around the world to tighten up Internet accountability. It would be to every country's advantage to be validated as a "yes" country, otherwise their influence of the Internet world outside their country would be limited (less and less over time).

This leaves the responsibility of accountability with the countries from which the data originates as well as the countries through which the data passes. If one is realistic about the long-term, the power must be in the hands of the countries, because that is where the political lines are drawn, where the elected leaders are, and where laws are enacted.

Reply to
greg1

The underlying mantra of the Internet is really "backward compatibility".

Now if you invent a secure email scheme where you can authenticate sources and make it interwork with all the old stuff then great.

But it still will not prevent your authenticated end point having a trojan program take over and generate lots of email from that "authentic" source - and in a sense this would be worse because of the implied trust from your new better protocol.

The old telecomms joke is "God could not have made the world in 7 days if he had an installed base".

Reply to
Stephen

First off, the people's expectation to be protected from fraud dates back 100 years, it is certainly not something new from "these days". Thanks to expanded travel and communication available back then, products and services were coming from distant manufacturers vendors, not the historical local town craftsman or homemade. Laws like the pure food and drug act were passed back then to protect the public from things they had no control over or could reasonably check out for themselves.

Secondly, the Internet has brought far more anonymity to the business transaction. In the past, usually there was a hard source address associated with every vendor that could provide accountability. Most goods were bought in a store, and the storekeeper acted as a middleman to protect the public. Good reliable merchants prospered and grew. (Yes, the system wasn't perfect and there was some fraud, but it generally worked well.)

But with the Internet there is no store or human shopkeeper. There is no hard actual mailing address. There is merely a very easily developed web page, with no guarantee of anything real behind it. The Internet also encouraged unsigned credit card acceptance-- there is no hardprinted signed credit slip of the transaction. So the result is that there are far more opportunities for easy fraud than there were in the past. Today's technology allows for easy fraud and identity theft and doesn't have the necessary protections in it. For example, we have "Phishing" where thieves copy a legitimate company's logo and create a fake website to steal information and money.

It is very difficult for an individual citizen to know what is true and what is fraud. Those of us who work with computers or used old BBS's have some inkling of suspicious activity. But many lay people have no idea of those things and respond to Phishing because they simply have no way of knowing what's real and what's not. It's no different than a consumer depending on the FDA to evaluate whether a drug is safe to take and effective against a disease, or their state medical and law boards to kick out unethical or incompetent professionals. (Again, yes, the system isn't perfect, but it's there.)

So, yes, the government certainly does have a role to play in protecting consumers from fraud, including both education and enforcement of the new Internet world of commerce. It is perfectly reasonable for people to expect this role.

Reply to
hancock4

.........

You are correct in outlining what the current state of things is, but I don't think it is healthy for people in the "Developed" world to be so dependent on others for making life safe for them.

The Internet is just another environment, and if it is a new environment to some people then there is still some personal responsibility into finding out what this environment actually is before becoming involved with it.

If people travel outside of their own familiar, comfortable environment they (usually) do a bit of research to ensure their own safety and learn what they are likely to expect once they get to where they are going, the Internet should be no different.

There comes a point where individuals are so disconnected and insulated from anything undesirable that they lose the skills to handle any sort of unexpected situation, and that does not bode well for the survival of the individual (or the species, eventually). Let some learn a lesson in this area by being stung while using the Internet, it should end up being a nett benefit to their life.

Reply to
David Clayton

Basically you're correct, but the Internet is different and creates different problems. More below.

This is where I disagree. The Internet is vastly different in that it's a "soft non physical" environment. It's like going to the movies, a movie may be intense, but we're not _physically_ in the scene shown on the screen. With the Internet, we explore from the comfort--and security--of our living room. This leads to a totally different mindset.

With the Internet, people of all ages are much more free to share personal information about themselves, often when they shouldn't. The very same people (again of all ages) in real life would never share such info if a stranger engaged them in conversation on a park bench, bus, or in a store.

Another issue is that anyone, of any age, is free to get onto the Internet without any restrictions or training whatsoever. Further once on, there are no warnings or restrictions. In contrast, one cannot buy an automobile without a driver's license, which is issued only after passing a test and meeting other criteria. While driving there are speed limit signs and cops along the way to enforce them, something we all know about. If one drives their car recklessly, they have the unusual feeling of high speed and risk. (Yes, I know the system isn't perfect and we have crashes). But on the net, one can do harm to themselves without realizing it, there are no warning signs, no sensation of dangerous speed or loss of control.

Many other things of potential physical harm in society are restricted. One can't walk into a store and buy heroin or high explosives. If someone seeks liquor, they must be of a certain age and not already drunk.

Another problem is that the Internet is so new that parents and schools are weak in teaching the dangers and responsibilities of using it. Indeed, some efforts at safety run into barriers when schoolkids do harm outside of the school on their own computers; is that an area schools can touch? Further, as the Internet and computers evolve, new problems come up not seen ten years ago, and it takes time for new frauds to become known and dealt with.

In contrast, widespread use of automobiles has existed for 50 years and the dangers of a car haven't changed since then. All parents and schools know about them and teach them to their kids at a young age.

When it comes to children this is a very debatable issue. Do we let our children be physically scarred from burning themselves on the stove so they learn not to do it in the future? To break their arm from climbing a tree irresponsibly? Maybe so, but other risks are simply intolerable because their injury is too severe.

Likewise with adults. Perhaps accidentally sending out a risque photo along with a business email would result in some teasing and embarrassment. But losing a job or even getting unexpectedly criminally prosecuted sounds like a lesson that is too severe to be a "benefit to life".

Reply to
hancock4

On Sat, 20 Dec 2008 17:24:08 -0500, hancock4 wrote: ........

It is always going to be a balance between protecting those who are unable to protect themselves versus those who *should* take the responsibility for protecting themselves. It is my opinion that the way things are going that too many don't want to educate themselves so they are able to protect themselves rather they expect the proverbial "someone else" to protect them and the Internet seems a perfect example of this.

The federal government in my country is currently determined to implement compulsory web filtering despite every single technical expert saying that it won't achieve its aims (of "protecting" families) and civil libertarians up in arms about the ambiguous "undesirable content" definition in the legislation.

If it goes ahead the end result will probably be some people believing that the Internet is "safe", where that couldn't be further from the truth. Education would probably provide a better outcome, but that isn't the current fashion.....

Reply to
David Clayton

I disagree most strongly.

How is a lay Internet user supposed to "educate" himself?

As I explained before, you buy a car, you gotta learn how to drive and pass a test to drive it. Other dangers of life are taught to us by our parents. But the Internet is so new--and constantly changing-- that the traditional ways of "education" simply don't work or don't even exist.

Let's remember that the general public is not using the Internet as a toy or an end to itself. Techies enjoy reading technical magazines, trading information, tinkering with software, frequently upgrading, etc. The public is using the Internet as a means to an end--to order airline tickets, get movie reviews, emails, etc. The computer industry automated the Internet interface to make it as easy as possible for lay people to use it, without needing any special training. (I am no expert, but when I help friends I see how little they know.)

My point is that a great many lay users out there are not even AWARE of the risks and dangers they face. Today's users get a bottled generic virus package and think they're safe. How are they supposed to find out about phishing?

Indeed, none of us are even aware since saboteurs are busy dreaming up new scams and malicious attacks all the time. Many organizations, despite having first-rate virus protection, still lose their computer networks to a virus attack that slipped through. If an organization with a computer staff can't protect itself, how is a lay person supposed to protect themselves?

Several years ago, one parent thought it was wonderful that her son spent so much time on the computer, she figured her son was 'learning'. A perfectly reasonable and understandable position--hey, after all, the kid wasn't hanging on the street corner or running around with bad kids, coming home late at night, smelling of booze or drugs, etc. But sadly it turned out her son was involved in some really nasty stuff on-line. As a result of that publicized bad experience many parents are more aware, but that mother had no idea, nor could've been expected to as a lay person.

There was no 'education' available to her. If she had been fortunate enough to know a computer geek, he might have taken a look and raised a red flag.

Unfortunately, in some places merely accessing certain sites will result in harsh criminal prosecution. Other sites will wreak havoc on your machine. Under this reality the web filtering is a necessity. Keep in mind many malicious sites purposely have a name that is a common misspelling of a legitimate site so as to sucker in access.

In highways, there are the three E's: education, enforcement, and engineering. They realize driver education simply isn't enough for traffic safety. Enforcement and engineering are also necessary.

I suggest that is the same for the Internet. Right now we have no education at all. But enforcement (going after malicious sites) and engineering (protection from malicious sites) are important as well.

Reply to
hancock4

The test I took before I was allowed to drive was intended to protect other drivers, not me. Of course, cars are inherently dangerous when driven by untrained or impaired drivers, so The State has an interest in taking steps to reduce that risk to a reasonable level. As my brother has said, "The State's job is to protect you from your neighbors' folly, not your own".

The Internet is a different issue: let's face it, someone who loses their life savings trying to expedite the transfer of US 6.47 Billion dollars for the daughter of the late President of Zaire is nonetheless still alive and able to conduct their affairs. "419" scams are painful, especially when they involve people we know personally, but they do not endanger life or limb.

The "General Public" is, IMNSHO, using the Internet as an entertainment venue. Users purchase machines with the same intent as they buy a television: they expect to use it so that someone else can provide them entertainment. While blogs and social networking sites have showed _some_ of the net's potential, it will take a generation or two before their users stop trying to look like a pale imitation of Hollywood and start creating original works that reflect individual capabilities and talents, but I digress.

Users are not aware of the risks they face because they're incapable of seeing the net as a two-way medium; because they're locked in a mindset that "someone else" always decides what they see and hear. A bottled AV package is not the solution: what's needed is the habit of critical thought.

Reply to
Bill Horne

Read a book, newspaper, ask someone who knows about the subject, the usual things people should do to find out about things they are unfamiliar with - the Internet is no different from most other things in life.

Yep, that's how it is.

If you are referring to being conned into giving away information by going to bogus websites, I have seen that addressed by legitimate banks as they try to educate their customers to *never* use these bogus e-mails to go to websites.

Banning/shutting down these sites is always a dog chasing its tail situation, as new ones pop-up as soon as one is found, so relying on that sort of solution just doesn't work.

......... Well, virtually *all* of the attacks that I am aware of relate to one specific family of operating systems and applications, so to any lay person I basically tell them "DON'T USE WINDOWS".

It's not a total answer, but it's a good start for those who want to get out of the firing line of most threats out there.

My point is that the current situation is not good enough, and people relying on "someone else" to always fix things/make the (current) Internet safe is not just unrealistic but an abject failure of personal responsibility.

Reply to
David Clayton

No, you don't digress, but raise a critical point.

Correct.

For 75 years people have been entertained by radios and movies, and TV for the last 50. Aside from some programs that may be very frightening or disturbing, it has always been a one-way interaction.

People take in Internet delivered entertainment with the same mindset, that it is one way. But the Internet is different. Undesirable behavior on the Internet, such as falsely claiming to be something, shifting to other sites, etc., would not be tolerated in the movies. (That is, if a movie theatre promised a popular film to attract viewers and showed a long series of commercials instead would invoke a customer outrage ending the practice.)

Sure someone can send me a fraudulent fake letter demanding back taxes or advertising a legitimate department store sale. But it takes considerable work and effort to set up such a scam, and the risks of capture are high. One must print up quality documents (expensive), mail them out en masse (expensive), set up a real physical address, then be around long enough to get return letters. With the Internet NONE of that is necessary.

Part of the danger of the Internet is that electronic fraud is so easy to do, and I'm not talking about Nigerian oil princes. It's very easy for someone to spoof a legitimate site to collect info, or sneak in a snooping virus on your machine to trap your keystrokes, or just some malicious virus just for the heck of it. If a pickpocket was working a theatre to steal wallets when the show was on, the theatre mgmt would quickly take steps to block it or that theatre would be out of business. But the online world has no such police or controls, the laws are vague, the enforcement even less, and technology more advanced than people can keep up with.

This is why I disagree with the concept that people are solely responsible to protect themselves. Sure, the old rules of fraud still apply and people have to use common sense, but on the Internet it's much much easier to perpetrate a fraud so more of it goes on. This could be fraud to steal money or attack someone.

The old ways of thinking are not enough anymore.

Reply to
hancock4

But parts of the Internet are so new and evolving so rapidly that there is no easy "book or newspaper" that can explain the latest craze or risks thereof. As noted, even professional organizations get hit with destructive virus sabotage that catches them off guard. If professionals can't protect themselves, how are individuals?

People see the Internet as an entertainment medium. Most of us, when we watch movies, do not keep up with the technical advances made in filming, sound recording, finances, lighting, special effects, or other aspects of the movie we watch. We watch the movie and are content to let the director work his 'magic' to take us to the place he wants for his film.

Since the Internet, and its hazards, are constantly changing, it would require lay users to keep up with a continuing education program. It would be as if we movie viewers had to learn about the newest cameras, etc. It would be as if we had to be careful since that new film could physically jump off the screen and grab us, so we must be careful.

. . .

I agree that individuals have a responsibility to protect themselves. But I also feel that individuals can only do so much. We're not living on an isolated rural farm totally self sufficient, our lives today are dependent on things we as individuals have very little control over and we need external protection.

When I get a prescription, I try to learn about it in advance. But still I've relied on "someone else" (the govt) to have tested the medicine to ensure its safety; that is something I simply cannot do for myself, no matter how much I educate myself.

When I get on the road I watch for bad drivers to steer clear of them. But I still rely on the govt to enforce highway laws in the hopes people won't run red lights or drive drunk. I am glad the govt has determined and mandated safety devices for my car to protect me in case of a crash. No matter how careful I drive, I can't check every other driver on the road for drunk driving; the govt's laws keep many of them off the road.

[As an aside, while I don't care for certain kinds of DWI law enforcement, I do know the fear of arrest has made many people either not drink or designate a safe driver, so it has kept some drunks off the road.]
Reply to
hancock4

........ I think we are just debating where the line is, I am saying that people should do *some* research rather than (as it seems) totally relying on the proverbial "someone else" to keep them safe on the Internet (or in any unfamiliar environment).

Yes, you can make some assumption in a lot of cases that indeed "someone else" has tried to make things that much safer, but no one should ever make the assumption that it applies to places that they are not familiar with - because the world keeps teaching us that it isn't so.

The modern capitalist world would love everybody to just be dependent, unassuming consumers who don't ask questions and just accept what "someone else" has told them to do, but as recent financial events (should now) have taught us, sometimes a little questioning and research is necessary for personal survival.

Just because the Internet allows age-old scams to reach millions of more people along with the new technology based scams threatening all and sundry, the lack of any really effective technological or regulatory solutions means that education may be the most effective counter-measure - however imperfect.

Reply to
David Clayton
