From: Stainless Steel Rat
Newsgroups: gmane.emacs.gnus.general
Subject: Re: [ANNOUNCE] contrib/hashcash.el spam fighter
Date: Fri, 28 Jun 2002 17:30:03 -0400
Organization: The Happy Fun Ball Brigade
Message-ID: <02Jun28.172137edt.119392@gateway.intersystems.com>
References: <02Jun24.115740edt.119250@gateway.intersystems.com>
 <02Jun24.151839edt.119751@gateway.intersystems.com>
 <02Jun25.104630edt.119271@gateway.intersystems.com>
 <02Jun28.122222edt.119118@gateway.intersystems.com>
In-Reply-To: ("Patrick J. LoPresti"'s message of "28 Jun 2002 16:25:49 -0400")
User-Agent: Gnus/5.090006 (Oort Gnus v0.06) XEmacs/21.1 (Cuyahoga Valley, i686-pc-linux)

* "Patrick J. LoPresti" on Fri, 28 Jun 2002
| Right, so you have to try them all.  Checking the validity of a coin
| is "fast", so this is OK, in theory.

Not even in theory.  It is a linear problem, and linear problems do not
scale.

[...]

| Then again, it is not disastrous if you miss a message.

And if that lost message is the job offer I am expecting?  -Anything-
that causes loss of legitimate mail is BAD.  Really bad.  Unacceptably
bad, in my opinion and that of the 350 employees in my company who
expect mail not to be lost.

[...]

| Well, you get to decide how many bits you require the sender to match,
| so you can make it one out of however many you like.

| Or am I misunderstanding what you mean?

You are misunderstanding.  Say that you (not necessarily "you"
personally, but anyone or thing that relies on X-Hashcash headers) want
20 bits collision (that is a 1:2^20 probability of any two hashes of the
same total length meeting the criteria, or approximately 1 in 1 million,
just so you know).  And say that I use something like Sub7 to distribute
my X-Hashcash DoS system to a mere five thousand machines, which can
calculate hashes at a rate of 1 every 10 seconds, just to pull some
numbers out of my behind (10 seconds is rather slow by today's
standards, anyway).  That is 1.8 million hashes per hour.  All those
hashes being dumped into your spent coin database.  And five thousand
Sub7 variant infections is a very conservative number.

Do you begin to see the vulnerabilities in X-Hashcash?

| I think X-hashcash is a creative attempt at a technological solution
| to spam.
It is an attempt at blocking or preventing spam from being sent to
mail2news gateways.  It has a -very- narrow focus.

| And for some applications, like a public mailing list, it might even be
| practical.  Who cares whether you can BCC ding@gnus.org, for instance?

Ask the spammers whose mail has recently been sent here. :)

BCC has legitimate uses for legitimate mail.  Today I used it to inform
a number of people who were using excessive amounts of disk space on one
of my machines without embarrassing them by revealing their identities.

| It seems unlikely to catch on as a user-to-user filtering scheme;
| digital signatures are probably a better approach for that.

Or a real hashcash system.

-- 
Rat                                \ When not in use, Happy Fun Ball should be
Minion of Nathan - Nathan says Hi! \ returned to its special container and
PGP Key: at a key server near you! \ kept under refrigeration.
That and five bucks will get you a small coffee at Starbucks.
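As an added illustration, not part of this thread and not the code of contrib/hashcash.el: a small Python model of the receiver-side check that Patrick calls "fast" and of the spent-coin database Rat is worried about. The stamp layout (modelled on the later hashcash v1 header format, not on what hashcash.el emitted in 2002), the SHA-1 leading-zero-bits criterion, the resource name ding@gnus.org, the two-day acceptance window and the 12-bit difficulty are all assumptions made for this example. It shows that validating one stamp costs one hash plus one set lookup, that a replayed stamp is caught by the spent set, and that a date window bounds how long any stamp, wanted or not, has to be kept in that set; the window is what keeps the "linear" spent-coin store from growing without limit.

```python
import hashlib
from datetime import date, datetime, timedelta


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
        else:
            bits += 8 - byte.bit_length()
            break
    return bits


def stamp_bits(stamp: str) -> int:
    """Bits of partial SHA-1 collision (leading zero bits) the stamp carries."""
    return leading_zero_bits(hashlib.sha1(stamp.encode("ascii")).digest())


def mint(resource: str, bits: int, day: str, rand: str = "r4nd0m") -> str:
    """Sender side: brute-force a counter until SHA-1 of the stamp has `bits`
    leading zero bits.  Expected work is about 2**bits hash evaluations.
    Stamp layout (assumed, modelled on hashcash v1):
    version:bits:YYMMDD:resource:ext:rand:counter"""
    counter = 0
    while True:
        stamp = f"1:{bits}:{day}:{resource}::{rand}:{counter}"
        if stamp_bits(stamp) >= bits:
            return stamp
        counter += 1


class SpentCoinDB:
    """Receiver side: validate stamps and remember spent ones only for as
    long as they could still be presented (the acceptance window)."""

    def __init__(self, required_bits: int, window_days: int = 2):
        self.required_bits = required_bits
        self.window = timedelta(days=window_days)
        self.spent = {}  # stamp -> date it claims to have been minted

    def verify(self, stamp: str, resource: str, today: date):
        """Return (accepted, reason).  Cheap checks run before the hash."""
        fields = stamp.split(":")
        if len(fields) != 7 or fields[0] != "1":
            return False, "malformed"
        try:
            claimed_bits = int(fields[1])
            minted = datetime.strptime(fields[2], "%y%m%d").date()
        except ValueError:
            return False, "malformed"
        if fields[3] != resource:
            return False, "wrong resource"
        if claimed_bits < self.required_bits:
            return False, "too few bits claimed"
        # Stamps outside the window are rejected outright, so they never
        # need to be stored: the spent set only covers `window` days.
        if minted > today or today - minted > self.window:
            return False, "outside date window"
        if stamp_bits(stamp) < self.required_bits:
            return False, "hash does not match claimed bits"
        if stamp in self.spent:
            return False, "already spent"
        self.spent[stamp] = minted
        return True, "ok"

    def expire(self, today: date) -> int:
        """Drop spent stamps that can no longer pass the date check."""
        stale = [s for s, d in self.spent.items() if today - d > self.window]
        for s in stale:
            del self.spent[s]
        return len(stale)


def demo():
    """Constructed scenario: one fresh stamp, its replay, and a stale one."""
    resource = "ding@gnus.org"  # assumed resource name for the list
    db = SpentCoinDB(required_bits=12)
    today = date(2002, 6, 28)
    fresh = mint(resource, 12, "020628")
    first = db.verify(fresh, resource, today)      # (True, "ok")
    replay = db.verify(fresh, resource, today)     # (False, "already spent")
    stale = mint(resource, 12, "020601")
    old = db.verify(stale, resource, today)        # (False, "outside date window")
    stored = len(db.spent)                         # 1
    pruned = db.expire(date(2002, 7, 5))           # 1, and the set is empty again
    return first, replay, old, stored, pruned, len(db.spent)


if __name__ == "__main__":
    print(demo())
```

The replay check is a dictionary lookup, so per-stamp cost is constant; what Rat's scenario attacks is the size of that dictionary, and `expire` together with the date window is the knob that caps it at however many distinct stamps can arrive within `window_days`.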