
Friday, July 28th, 9:22 PM,

“So, why are you in Vegas if you don’t gamble?”

Reuben had forgotten why most people came to Las Vegas, until the stranger (who called himself “Jack”) sitting next to him at the bar asked this. “Well, there’s this conference in town…two of them, actually. The first one is the ‘Black Hat Briefings,’ which are basically for computer security professionals, the good guys. The second one is a bit less cut-and-dried, and it’s going on right now. It’s called DefCon, and it’s attended by people on both sides of the equation. That’s why I’m here.”

Jack looked at Reuben warily now, but was clearly more drawn than repelled by the possibility that Reuben was a hacker of the bad type. “Whose side are you on?”

Reuben laughed a bit. “Don’t worry, I’m a good guy. I get asked that a lot though; the bad guys and good guys look a lot alike.” He always found it so funny how back at home, he was the only guy with long hair and a goatee that he knew…but at the Briefings and DefCon, he was practically a conformist. In any event, he was not unaccustomed to being treated like a scumbag by the Washington D.C. police, whose professionalism left something to be desired, in the same way that a total vacuum leaves something to be desired when breathing.

Jack relaxed, now apparently feeling unfettered to be intrigued without fear. “So you’re like a hacker, but a good one? That’s got to be so cool! What do you do, break into networks to see how safe they are? That sort of thing?”

“Yeah, that’s a part of it, but in truth there’s a much wider range of things that I do. How much do you know about computers and networking?”

“Not much. I can do e-mail and the web, but I don’t use the computer more than that. You should ask my kid if you want to meet the real techie in my family. At home I have AOL. Hey, do you know how to stop spam?”

Reuben inwardly cringed at the request for one of several holy grails of the industry. “Ah, spam. Everyone’s trying to find the solution, trust me, but nobody really has it yet. There are a few things that work OK, but the problem is that the better solutions require geeks to maintain them. The spammers keep changing the verbiage they use, so the means of identifying spam keeps changing also. Hell, even the geek community has a hard time coming up with an exact definition for ‘spam’. Think of it like this…you use AOL, and they have partnerships with other companies. Let’s say AOL decides to make your e-mail address available to them, but first they ask all their subscribers for permission. Only, what they do to go about it is tell everyone that the privacy policy has changed, and that if they want they can change their settings in this new web page that controls whether they can share your e-mail address with others. If you go to this web page, you see that the default answer for every question is ‘yes’. But if you don’t go looking for and check those settings, and start getting e-mails from all these legitimate companies that want to sell you things, is that spam? You weren’t expecting it, but in a legally-binding sense of the word, you gave permission for them to send it to you, basically. It bothers you just as much as the totally unsolicited e-mails pushing penis enlargement… whatever… but in legal terms it’s a completely different animal. Is it spam or not?”

Jack thought about that for a minute, clearly not expecting there to be a shade of gray in the world of technology. “I never thought about that, in fact I think I’m a bit confused now. I’d still call it spam, though.”

“Okay, but then what do you do when you consider that spam, but someone else actually wanted to get them, or at least some of them, because they did go to that web page and decided that they were interested in the ‘special offers’ in question? How do you write a program that knows what the user wants, when two people get the exact same e-mail but one welcomes it while the other hates it?”

Jack didn’t like this answer. Nobody liked finding out that technology wasn’t a magic wand that could make all their problems go away. Reuben never got over how many people who thought that geeks were some kind of hit men who could whack the difficulties of life for the right price, and how these same people expected that they could somehow remain at arm’s length from the dirty work that would be done on their behalf, wistfully as “ignorant” as a mafia Don. Technology didn’t change the facts of life, and it never would, but this was not a view of the world supported by the sales literature of many tech companies. Too bad people weren’t less willing to buy into the sales pitch. “There’s one thing more I should say; in reality, for the most part it’s been figured out how to define spam. It’s best-described in an acronym…‘UCE’…meaning ‘unsolicited commercial e-mail.’

“Basically, spam almost always contains those three characteristics, and the amount that doesn’t fit that definition is so small as to be inconsequential. But still, the problem exists that anti-spam software can’t tell if a person wants the e-mail or not.”

“I see your point. I never thought of that. So what do you do?” Now Jack was thinking right, starting to catch on and get the hang of it.

“Well, you have to think about it in terms of a threat model. It also helps to think in terms of the real world, which the Internet is part of, believe it or not. It used to be traveling salesmen, then it was telemarketers, and now it’s spam. Of course, each version is more annoying and less trustworthy than the one before, but that’s not important, the key is that it’s something that we know in multiple forms already. Traveling salesmen were less like spammers than telemarketers are, so let’s talk about telemarketing. The telemarketer needs a phone number to call you, and he also needs you to answer the phone, which is why they block caller ID and call when you’re sure to be home. Then, there’s the spammer, who wants to send you e-mail, and there’s you, who doesn’t want to get it. What’s the first thing he needs?”

“Uh. My e-mail address?”

“Right! But how do you think he gets it?”

“I dunno.”

“There are a few ways. Do you shop online?”

“Oh, no, I knew it! I told her that it wasn’t safe…”

Reuben wasn’t prepared for this reaction. “No, no, relax, it’s fine to shop online. That’s not what I was getting at. My point is, some of these places ask for your e-mail address. Some of them do share that with other people.”

“But don’t you need to give them that to buy from them?”

“Yes, but you can have more than one address, right? Create one for just that sort of purpose, and use it just for that. Any e-mail that goes to that address is suspect then, unless you’re expecting something like a receipt or a quote, right? And in the meanwhile, your normal e-mail is left clean from spam that would come from that method.”

Jack paused for a second, seemingly remembering what options he had that were underused. “Yes, I get you…makes sense. There’s more, yeah?”

“Yes, and good thinking to guess that. You’re getting the hang of this! Do you have a website?”

“No, why?”

“Because a lot of people who set up websites create a kind of link, called a ‘mailto’ link, that enables people to e-mail them. The problem is, spammers search through websites en masse, harvesting e-mail addresses from these links. It’s one more way to get your address out there where people can see it without you knowing it, and therefore spam you.”

“Got you so far, OK. But I don’t have a website. What else do they do to get e-mail names?”

“A lot of people are on mailing lists, which are kind of like e-mail turned into a common forum of communication. If you’re on one, you know what I mean, but it’s easier to demonstrate in use than it is to explain. Most of these are archived in some way, and those archives are available on the web. Spammers harvest e-mail addresses from these archives, or if the list has enough members, they’ll even join it just to be able to snag addresses if there’s no archive.”

“So what do you do about that?” Jack was really into this now, but seemed to feel like a lost babe in the woods.

“Well, it depends a bit. That’s a hard problem to deal with; my solution has been to create yet another e-mail address to use for lists like that. I participate in about, oh…I think six at the moment, and they’re all archived. But each of the lists has something unique about their traffic, whether it’s a special word that gets added to the subject line to demonstrate which list it’s from, or the address from which it originates. I have all e-mail that goes to that address pass through a set of rules…if the e-mail doesn’t turn out to be from one of the six lists, it gets treated as spam. The problem is that sometimes people respond directly to one another regarding list content, without going through the list, in which case I’ll get a legitimate e-mail that doesn’t match any of the rules. I don’t have a better solution for that one yet.”
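Reuben’s rules for the list-only address, written out as an added example that is not from the book: the list names, subject tags and addresses are constructed, and the last sample message is the off-list reply that the rules misclassify.

```python
import re

# Constructed rule set for a hypothetical list-only address. Each list is
# recognised by a subject-line tag or by the address the list server sends from.
KNOWN_LISTS = (
    ("firewalls", r"\[FW\]", None),
    ("pen-test", r"\[PEN-TEST\]", None),
    ("incidents", None, "incidents@lists.example.invalid"),
)

def sender_address(from_header: str) -> str:
    """Pull the bare address out of 'Name <addr>' or a bare 'addr'."""
    m = re.search(r"<([^>]+)>", from_header)
    return (m.group(1) if m else from_header).strip().lower()

def classify(msg: dict) -> str:
    """Return the name of the matching list, or 'spam' when no rule fires."""
    subject = msg.get("Subject", "")
    sender = sender_address(msg.get("From", ""))
    for name, tag_re, list_addr in KNOWN_LISTS:
        # The tag may sit after a 'Re:' prefix, so search the whole subject.
        if tag_re and re.search(tag_re, subject):
            return name
        if list_addr and sender == list_addr:
            return name
    return "spam"

# Constructed sample traffic to the list address.
SAMPLE = [
    {"From": "Alice <alice@example.invalid>", "Subject": "[FW] stateful rules for FTP"},
    {"From": "incidents@lists.example.invalid", "Subject": "Re: odd outbound traffic"},
    {"From": "offers@example.invalid", "Subject": "Special offer for you"},
    # Legitimate off-list reply to a list thread: matches no rule, so it is
    # treated as spam. This is the gap Reuben says he has no answer for yet.
    {"From": "Bob <bob@example.invalid>", "Subject": "about your FTP question"},
]

def run_rules(messages=SAMPLE):
    """Apply the rules to each message and return (subject, verdict) pairs."""
    return [(m["Subject"], classify(m)) for m in messages]

if __name__ == "__main__":
    for subject, verdict in run_rules():
        print(f"{verdict:10s} {subject}")
```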

“Alright, but I see your point. So you use one e-mail address that you tell only your friends about, yeah? And the rest of everyone gets something else because you don’t know if spammers will get it from them or not.”

“Exactly. You’ve got it! When you really think about it, what you’re looking to do is defend that primary e-mail address. And the first step in the whole chain of security is prevention. Unfortunately, with regard to spam, it’s also your best step, as you can’t get spammers to stop knowing the address when they get it, and there are still a lot of problems with the means to mitigate the impact when they start to spam you.”

“I have no idea what that last part was about, but OK!”

“Alright, I can put it another way then. Look at it like us versus them. We know who ‘us’ is, but who’s the enemy?”

“The spammers?”

“Right. What do they want?”

“Uh…for me to have a big dick?” Jack laughed.

Reuben smiled in response, “Basically, yeah…to spam you. And you can’t control the actions of other people directly; all you can do is make it infeasible for them to act on their intentions. The spammers need something first.”

“My e-mail address.”

“Right. So that’s something that you can control; it’s like an asset you can defend. Er…it’s like a prison in a certain sort of way.”

Jack was totally taken off guard by this. “What??”

Reuben laughed at the reaction, “Relax, it’s not like what you’re probably thinking, whatever that is. What I mean is, you’ve got all these prisoners, who obviously would do bad things if they could. If you’ve ever been inside a prison, or seen a scene like that on TV or in a movie, you notice how there are no guns inside the prison itself, even in the hands of many of the guards, right?”

“Yeah…so that the prisoners can’t use them if there’s an uprising.”

“Exactly. If there’s an uprising, you can’t control the prisoners, but you can still limit the harm they can do by keeping them from getting what they need to do that much harm. You can’t keep spammers from spamming, but you can prevent them from getting what they need to spam you. In every prison, there’s an armory I think, in case of an uprising, but it’s kept out of reach and well-protected. That way, if there is a prison break, the prisoners cannot become dangerous enough to actually leave the prison itself, and they are still contained.”

Jack seemed to get it now, “Ohhhh…so what you’re saying is that I need to think of spammers as like prisoners who are doing a prison break, and my e-mail address as the guns. Don’t let the prisoners get them, and they can’t do too much.”

“Right. The key here is like lots of other things in security. You figure out what your opponent is trying to get to, and keep them from getting it. The basic principle is old and universal, really…it applies to protecting servers on a network from hackers just as it applied to protecting the guns of Navarone from attack by commandos in World War II. Except, of course, we hope to do a better job of it than the Nazis did.” Reuben smiled.

“Got ya. But how do I do that? It’s not a thing, you can’t touch it. You can’t lock it up and keep the key!”

“Yes, that’s why things are a little different in my world. If someone steals a diamond or money, you can get it back. If someone steals information, you’re screwed; there is absolutely no way to put the genie back in the bottle with absolute certainty. That’s why spam only seems to get worse. When you start out, your e-mail address is known only to you. Eventually, though, a spammer gets it, and then he starts spamming. Then, another does, and he joins in. After time, more and more of them join in, and in the meanwhile very few of them ever stop. So, the number of spam e-mails you get only goes up as time passes. Unlike a diamond or a specific dollar bill, the same bit of information can be held by more than one person at one time.”

“Good point. But what do I do?”

“Start off with a new e-mail address. If you’re feeling brave, you can even get your own domain; that way you can basically keep the same address, even if you change ISPs.”

“I’m not that kind of brave.”

“Okay, that’s fine. But you need to start anew, anyways. Spammers trade e-mail lists. Then you start protecting that one address, the way I said. Use it only with people you know, and have other addresses for use when shopping online, or posting to websites or mailing lists. Oh yeah, if you use instant messaging, make sure the e-mail address isn’t in your profile either. Spammers look there too.”

“So that’s it, basically?”

“Yeah, that’s it. And use anti-spam software too. A lot of it isn’t too good yet, but it’s going to get better. Some very talented minds are working hard to make them better, and it’s only a matter of time.”

“After all that, the answer seems too simple. That’s it? Just kind of divide up the world and trust the pieces differently?”

“Well, yes. OK, think of it like this. What does the CIA do with their information?”

Jack finally got it. “Oh, I get it! So my main address is ‘Top Secret,’ and the other ones are less classified.”

“Exactly! And as for it being simple, any good solution is simple. Complexity always brings problems.”

“Sure, if you want. I’ll let you in on a secret. Beer is like currency with geeks. We all drink it, we all love it, and we all have good taste in it. You can usually tell how seasoned a geek is by how much of a beer snob they are. Me, my favorite kind of beer is something in the style of a Belgian ale, typically a Trappist ale,” he grinned.

“Uh…OK, you’ve lost me again. You guys must get out a lot more than I thought!”

Reuben laughed, “Not all of us, I like to think I’m a bit better about that than most. I live in the fun part of D.C…kind of like Greenwich Village, or at least as close to it as there could be in Washington. The city is kind of stiff.”

Jack’s eyes widened a bit. “Do you do anything for the CIA? Anything like that?”

Reuben waved his hand, “No, no…I only work in the commercial realm. I don’t have a clearance or anything like that, and I’ve never done work for the federal government. They don’t trust guys like me, usually. I don’t blame them; a lot of people who do what I do used to be hackers on the wrong side of the law, and some of them still have a foot in each