http://mysite.verizon.net/frautsch/conundrum.txt
http://www.bfndevelopment.com/cgi-bin/home/Members/fMail/Contacts/134/

Abstract for these working notes

The broad adoption of electronic mail affords the informal exchange of incidental information through loose social networks. Typically, a node in the social network is an individual with access to the Internet, a computer, a list of e-mail addresses and an e-mail client. These networks are self-organized and self-managed. Mechanisms of social normalization and control presently lag the adoption of the technology. E-mail clients have long since matured to the point where the user needs no technical understanding of how e-mail is delivered. Similarly, the behavioral dimensions of information security practice are largely absent, unconscious, ignored or misunderstood, since this knowledge is generally unnecessary for participation and there are few, if any, behavioral norms available to be passed down from previous generations. As a result, loose social networks offer virus writers, Spam (unsolicited bulk commercial e-mail) mailers and identity thieves a rich source of fresh e-mail addresses, each of which a member of the network has individually verified as syntactically valid and actively attended. Unless there is an increase in awareness of the vulnerabilities loose social networks create, and a collective shift in behavior, loose social networks will become an increasingly important source of freshly validated e-mail addresses for thieves as other avenues of theft are curtailed through technology, regulation and economics. This social problem will have a social solution in the form of new normative behaviors, whereby early adopters of security-rational behavior offer feedback, raise awareness and alter the behavior of the late adopters with whom they network.
One form of this social control will be the emergence of a communication style, employed by early adopters, that raises the awareness and alters the behavior of late adopters while preserving and strengthening relationships through a shared sense of empowerment.

Notes. In no particular order.

The group of interest is "Internet Dilettantes Interacting Online Transacting Socially".

This is a letter I wrote to Randy Cohen, the New York Times/NPR ethicist, seeking help with my conundrum.

mailto:ethicist@nytimes.com
mailto:watc@npr.org

Subject: Ethics and Internet SPAM - how do we address the human factors with respect and dignity?

14 March 2004

Dear Randy Cohen,

I have seen many changes come to e-mail since I sent my first message in the late 1970s. Among my favorites are all the myriad ways for staying connected and reconnecting, sometimes after decades. The worst has been Internet Spam. I have already lost my previous primary e-mail address to the Spammers, despite taking all available precautions, and endured the transition to a new address. Recovering from this digital identity theft is an ongoing process I would prefer never to repeat. I look at Spam as an autoimmune disease of the Internet, much as one might view terrorism as an autoimmune disease of global society. As we make progress fighting Spam on technological, economic and now legislative fronts, I believe that the war will be won or lost on the social front. Today I am losing this battle, one friendship at a time.

Several times a month I face a conundrum. With the best of intentions, one of my friends will forward something to me as a member of a list of their contacts, often the entire contents of their address book. The message could be almost anything - from a hoax "virus warning" for an operating system I rarely use, to the poetry of Rumi, or the latest joke. Often they are re-forwarding content they appreciated receiving through one of their friends' lists, material one would only naturally want to share.
Usually, the e-mail addresses of everyone on my friend's list are fully disclosed to everyone else on the list - to no advantage that I can see. My sense is that my friends' intentions are always of the highest nature and that their awareness of any risks associated with this practice is low.

I usually respond to the entire list, with a polite request to be removed from all future mailings of forwarded material not written by my friend the sender. (If the forwarded material is a hoax, I identify it and provide links to authoritative material.) I make this request to reduce the risk that my e-mail address will, again, be lost to the spammers who can harvest the addresses from these lists. Since I know that none of my friends intend this to happen, I provide some background information about the link between these forwardings and spam. It goes something like this: spammers, cyberterrorists and virus writers can follow and/or generate mass forwardings in order to flood the public Internet with searchable material attached to lists of validated e-mail addresses. The sender has, in effect, personally vouched for these addresses - both in terms of their validity and that they are regularly read by a human. This is the spammer's primary audience. Further, by sending the e-mail addresses to everyone on the list, these e-mail addresses may - in some cases automatically - be added to the address books of everyone on that list. When a virus or worm infects just one person's computer, every address - including any added through mass forwardings - is attacked. The larger the list, the greater the likelihood that someone on the list will not have kept current on their antivirus definitions, spyware removal and security patches; after all, this is not what most of us use our computers for. Whether we like it or not, by openly sharing these addresses we have all, in effect, become our brother's and sister's keeper.
I switched to writing more detailed messages after my first, polite "Thanks for thinking of me; please just take me off your list." attempts simply had no discernible result. My friends would continue to forward material to me. So, I added more technical detail and reference links. Unfortunately, these more evolved messages are hardly much better. About two thirds of my responses are ineffective. By that I mean that I seem to produce only embarrassment, shame, hurt or anger, without raising much awareness. While there is little objection to my content, my tone is another matter. I am told that I come across as arrogant, hypocritical, patronizing, disrespectful and mean spirited, as if I had attacked a beautiful poetry reading as a suicide bomber.

Since all of us value dignity and respect and relatively few of us pay attention to cybersecurity, this is an understandable conundrum. Is it an avoidable one? I feel an enormous loss when I harm a single friendship, and yet I seem to be doing damage with some regularity. Yet, I find it difficult to remain passive on this issue since it threatens my electronic connection to my friends. I would welcome any advice you may have, from ethics and other perspectives. In particular, if you have any suggestions for designing a better communication than I have managed thus far, a communication that places dignity, respect and the preciousness of the relationship first, without losing my request to opt out, they would be greatly appreciated: How can I nurture my friendships and protect my e-mail box from the Spammers?

Sincerely,

Mark Frautschi, Ph.D. (Pronounced "Frau-chee")
213 Highland Avenue
Rockville, MD 20850
301-294-4072
http://mysite.verizon.NOSPAMnet/frautsch/
NPR Station: WETA http://www.weta.org/

P.S. WHAT YOU CAN DO: I am experimenting with appending a request as an e-mail signature file. The signature file will appear at the bottom of every message you send.
It may appear in a special format, depending on the program you use to send e-mail, and how you have chosen to configure it. It could look something like the following, with a link providing somewhat greater depth in the request.

I value being in contact with you, and, to guard against identity theft, I respectfully request...
1. That you send only content that you write for me. Please do not include or forward other content.
2. That you not add me to any electronic list or give my e-mail address to others.
If you would like more information about the social and technical reasons behind my requests or about identity protection, please click on http://mysite.verizon.net/frautsch/e-mail_request.html .

Notes: DO NOT COPY THIS TEXT AND USE IT IN YOUR OWN E-MAILS. YOU ARE HARMING YOURSELF AND THOSE WITH WHOM YOU COMMUNICATE IF YOU DO. Instead, write your own message, in your own words:
1.) You will be heard in your own voice, which is always more effective.
2.) You will reduce the likelihood that this text, itself, will become a "key" identity thieves use to track messages in flight or stored on hard drives and harvest fresh e-mail addresses. If a thief chooses my words for the key, his searches will not find messages with your words in them.

Having a diversity of expression of this message is the key to its effectiveness. If you simply copy it and use it, you are actually working against yourself and the communities with whom you communicate. We are dealing with an adaptive enemy. Once the spammers realize that a social response, a collective defense, is rising, they will change their tactics. Diversity of expression is one of the most powerful defenses against such an enemy. If we make our requests of each other each in our own voices, we present no single clear target for the spammers to key in on. I caution you against using any URLs (web addresses) in your messages, since these are also simply text that spammers can track.
The fact that the solutions can make the problem worse is evidence that this is a "Wicked Problem": http://en.wikipedia.org/wiki/Wicked_problem Beware of unintended consequences with every solution you try.

===========================================================================

To protect your own system as well as your own digital identity, including your e-mail address(es) and those of your friends and associates, I recommend that you consult a professional source and exercise your own good common sense. You may wish to consider the following, largely rhetorical, questions:

o Are you willing to abandon the idea that, because there is nothing particularly important or private about your message, you are entitled to remain unconscious of the security and privacy of those you e-mail?

o Does the fact that you have the power to place information, in the form of e-mail messages, in large numbers of e-mail boxes without permission entitle you to do so based solely on your own considerations and not on the recipients'?

o Do you really need to send this content, especially content which you did not write, to a list of people who did not ask you for it? What would be lost if you waited one day, and thought it over, instead of forwarding it the moment you received it? Will it seem so urgent tomorrow? If not, why bother at all?

o Does everyone on this list need to have the e-mail addresses of everyone else on this list placed on their computer's hard drive, in their e-mail software or their address book? Ask yourself "What is the advantage in doing this?" "For whom is this an advantage?" "For whom might this cause problems?" "Who might want to steal these addresses, and how might I be helping them?"

o Did you ask anyone on the list for permission to do this?

o Did anyone on the list ask you to distribute their e-mail address to that list?
o Did you ensure that everyone on your list is, and will always remain, current on their spyware removal (http://security.kolla.de/), antivirus, and vulnerability patches for all of their applications and operating system(s)? If you can imagine that for whatever reason someone on your list might not have kept up, and could therefore be highly vulnerable to attack by viruses, trojan horses, worms and spyware, why would you place the e-mail addresses of everyone on your list on that person's computer, where they could similarly be exploited, allowing the same risks to be directed at everyone on your list?

o Did you receive the content that you wish to forward from a friend or associate whom you trust? Do you know whether that person actually sent the message, perhaps from the details of the message or the mention of all or part of your name not discernible from your e-mail address, or could the message have been sent by an automatic agent, virus or worm that has hijacked their computer?

o If you are positive that someone you trust, not some automatic agent, sent the material that you, in turn, would like to forward to others, do you know whether the message itself is legitimate? If, for example, it is a virus warning, does it contain recent dates and deep links to authoritative sources? If not, what steps have you taken to ensure the legitimacy of the message? Have you searched any of the online hoax databases maintained by antivirus service providers, for example?

o Do you think it's better to issue a false warning than to fail to issue a legitimate one? How much work would be involved to actually determine the legitimacy of a warning someone forwarded to you?

o Have you considered any of the risks that are associated with forwarding hoax messages? Do you assume that these risks are low or negligible?

o Has anyone you know asked you to send antivirus and security warnings to them? If not, how did you come to this role?
o Do you honestly consider yourself to be an expert in cybersecurity on any of the wide variety of operating systems available today (Windows, Unix, BeOS, Linux, Lindows, MacOS ...)? What makes it your business to forward a security warning you have received to people whose e-mail addresses you have? What makes it urgent?

o Why would you send an antivirus warning for one operating system, for example Windows, to users of other operating systems?

o You may wish to use simple ways to avoid the risk of abusing others in this way. Use a listserv service and invite your group to "opt in" to it. That way, everyone who participates does so by their own choice, openly or anonymously, again by their own choice. You may wish to investigate hiring a listserv from your Internet Service Provider or using an advertising-based but otherwise free service such as http://groups.yahoo.com/

P.P.S. 1 April 2004

Selected technical details for one mode of attack:

Sendmail is the mail transfer agent (MTA) that historically carried the bulk of Internet e-mail on UNIX, Linux and BSD systems. It has a long record of security vulnerabilities, which has driven the expert open source community toward replacements designed with security in mind, such as Postfix. A compromised MTA is ideally placed to harvest addresses, and it does not need to "sniff" anything: every message it relays passes through it in the clear, headers, body and SMTP envelope alike. A modified MTA can buffer the messages it handles and search them for a string of known text, much as one would use a search engine to look something up on the Internet. Spammers choose content that unsuspecting victims would like to forward to their friends, and take the search text from the body of that forwarded message. Once the search text is matched, the message is kept and the text around it, the headers and the quoted copies of earlier forwards in the body, is scanned for strings that follow the formatting rules for an e-mail address.

This yields the list of addresses: every To: and Cc: address, and the Bcc: addresses as well, because although Bcc: never appears in the delivered headers, the envelope recipient list (the SMTP RCPT TO commands) names every recipient to the server handling the message. Often this is the forwarder's entire address book. The sender has, in effect, vouched to the spammer that each of these addresses is both valid and attended by a person. There is no higher quality e-mail address from the spammer's perspective. This method also avoids wasteful re-acquisition of addresses the spammers already hold. This is important to the spammers since over three quarters of all Internet e-mail traffic is now Spam (http://www.gcn.com/vol1_no1/daily-updates/25510-1.html, http://www.gcn.com/vol1_no1/daily-updates/26459-1.html) and their schemes have adapted accordingly. Not only is the purity of the addresses gathered improved, the efficiency of the harvesting process gains as well. Reducing the computing resources required to gather the addresses helps the spammer in several ways. First, he can gather more e-mail messages in less time, before the altered program is eventually detected. Second, the less extra work the compromised MTA does per message, the better it keeps up with forwarding mail, its main job, and thus the less likely it is to attract the attention of an administrator who will replace it with an uncorrupted version. Spammers can also mount distributed, replicating, multi-tiered attacks that compromise thousands of mail servers in a short time, reusing the distributed attack tooling analyzed in http://staff.washington.edu/dittrich/misc/stacheldraht.analysis (stacheldraht is a distributed denial-of-service tool; the same command-and-control structure serves any mass compromise).

DISCLAIMER: Nothing in this postscript is news to spammers. It is intended to illustrate, in broad terms, only two from an ensemble of scenarios through which the social use of mass forwarding of e-mails may be exploited by spammers. It is not a technical recipe. No new tools are being provided to spammers. Further, "security through obscurity", i.e. "let's not talk about this" in the hope that adversaries will not think of it themselves and that it will therefore "just go away", has never been shown to be an effective basis for a security policy. Indeed, just the opposite: openly and cooperatively sharing information, for example the detection of new viruses in the wild, security vulnerabilities and exploits, has been shown to be highly effective.

Any references to persons, organizations, web pages, etc., made here are for reference purposes only and do not confer any statement of suitability or other endorsement. To protect your own systems, identity and privacy, as well as that of your friends and associates, I recommend that you consult professional sources and exercise common sense. http://www.eff.org//Privacy/eff_privacy_top_12.html

ABSOLUTELY NO PERMISSION IS GRANTED TO COPY, EDIT OR FORWARD THIS DOCUMENT IN WHOLE OR IN PART. With the author's written permission, brief passages may be quoted for journalistic and academic purposes, according to the doctrine of fair use. FORWARDING OF THIS MATERIAL USING E-MAIL OR OTHER DISTRIBUTION MECHANISMS IS STRICTLY PROHIBITED. This prohibition is intended to prevent this document, in whole or in part, from becoming the basis for the social collection of e-mail addresses by spammers encouraging its dissemination, using techniques similar to or different from those described in its body. If after reading this document you have a desire to forward it to others, please consider that you may have utterly missed its major points. IF YOU HAVE BEEN FORWARDED THIS MESSAGE, inform the forwarder (not this author) that it has been sent illegitimately and against the express instructions of its author and in all likelihood has been exploited by spammers for harvesting e-mail addresses or by hoaxers pretending the same. PERMISSION IS GRANTED to link to this site's URL.
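The following is an added example, not part of these notes and not any tool they mention. It takes a constructed second-generation forward (every address is invented, in the reserved example.* domains) and shows with Python's standard email package what the scenario in the postscript describes: every address in the headers and in the quoted earlier forward is recoverable with a trivial pattern match, and the Bcc: alternative to an open To: list, like the listserv suggestion above, hides the list from the other recipients but not from the SMTP envelope, so a compromised mail server still receives it. The sample message and the function names are this example's own assumptions.

```python
"""Added example, not part of Frautschi's notes: what a mass-forwarded message
hands to anyone who holds a copy of it, and what moving recipients to Bcc
does and does not fix. Every address and message below is constructed."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample: a second-generation forward. The outer headers carry the
# current sender's whole contact list; the quoted body still carries the
# previous hop's headers, so that hop's recipients leak as well.
SAMPLE_FORWARD = """\
From: Alice Example <alice@example.org>
To: bob@example.net, carol@example.com, "Dan Q." <dan@example.edu>
Cc: erin@example.org
Subject: Fwd: Fwd: Virus warning - please read!!
Content-Type: text/plain; charset="us-ascii"

Thought you should all see this.

-----Original Message-----
From: Frank <frank@example.com>
To: alice@example.org; grace@example.net; heidi@example.org
Subject: Fwd: Virus warning - please read!!

Forwarding, just in case...
"""

# Deliberately loose address pattern: enough to pull addresses out of quoted
# headers and running text, which is all a harvester needs.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _header_addresses(msg: EmailMessage, headers) -> set[str]:
    """Lower-cased addr-spec of every mailbox in the named headers."""
    values = []
    for name in headers:
        values.extend(str(v) for v in msg.get_all(name, []))
    return {addr.lower() for _n, addr in getaddresses(values) if addr}


def visible_addresses(msg: EmailMessage) -> set[str]:
    """Everything a recipient (or malware on a recipient's machine) can
    harvest from the message as delivered: header addresses plus any address
    quoted in the body. Bcc is excluded because it is stripped before
    delivery. To a harvester, headers and quoted text are just text."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return _header_addresses(msg, ("From", "To", "Cc", "Reply-To")) | {
        a.lower() for a in ADDR_RE.findall(text)}


def envelope_recipients(msg: EmailMessage) -> set[str]:
    """What the submitting server, and any relay that handles more than one
    of the recipients, sees in the SMTP envelope (RCPT TO): To, Cc and Bcc
    alike. This is why Bcc does not hide the list from a compromised MTA."""
    return _header_addresses(msg, ("To", "Cc", "Bcc"))


def harvest(raw: str) -> set[str]:
    """Parse a raw message and return every address visible to a recipient."""
    return visible_addresses(message_from_string(raw, policy=policy.default))


def bcc_forward(raw: str, sender: str, recipients: list[str]) -> EmailMessage:
    """Rebuild a forward so recipients cannot see each other: the list goes
    in Bcc, To: names only the sender, and addresses quoted in the body are
    removed. The envelope still carries the full list (see
    envelope_recipients); only separate messages or an opt-in list server
    avoid giving one server the whole list in a single message."""
    original = message_from_string(raw, policy=policy.default)
    body = original.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    out = EmailMessage()
    out["From"] = sender
    out["To"] = sender
    out["Bcc"] = ", ".join(recipients)
    out["Subject"] = str(original["Subject"])
    out.set_content(ADDR_RE.sub("[address removed]", text))
    return out


if __name__ == "__main__":
    print("exposed by the original forward:", sorted(harvest(SAMPLE_FORWARD)))
    safer = bcc_forward(SAMPLE_FORWARD, "alice@example.org",
                        ["bob@example.net", "carol@example.com",
                         "dan@example.edu", "erin@example.org"])
    print("visible to each recipient:", sorted(visible_addresses(safer)))
    print("still in the envelope:", sorted(envelope_recipients(safer)))
```

Run directly, the script prints eight addresses recovered from the original forward (five from the headers, three more from the quoted earlier hop), a single address visible to each recipient of the rebuilt message, and five addresses still present in its envelope. That last set is the caveat to keep in mind with the listserv suggestion above: Bcc protects recipients from each other, not from the server carrying the message; an opt-in list server at least confines the list to a system whose operator has agreed to hold it.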
I answer questions and welcome corrections and other improvements and feedback from friends, clients, associates, information technology professionals, journalists, academics, etc.; however, I do not in general dispense computer advice and consultation to the public. This is simply a matter of economic necessity and time management discipline.

Copyright 2004 by Mark A. Frautschi

Reference:

http://www.templetons.com/brad/spamreact.html (1st SPAM from 1978)
http://www.dwheeler.com/essays/stopspam.html (general)
http://www.gcn.com/vol1_no1/daily-updates/25510-1.html (% of SPAM)
http://www.gcn.com/vol1_no1/daily-updates/26459-1.html (% of SPAM)
http://www.gcn.com/vol1_no1/daily-updates/26069-1.html (Opt-outs)
http://www.gcn.com/vol1_no1/daily-updates/26907-1.html (FTC defines SPAM)
http://www.gcn.com/vol1_no1/daily-updates/26967-1.html (Mean time between attacks)
http://www.gcn.com/vol1_no1/daily-updates/27124-1.html (SPF, Caller-ID)
http://www.gcn.com/23_27/tech-report/27224-1.html (Anti-Spyware legislation)
http://www.gcn.com/23_29/tech-report/27397-1.html (Steganography)
http://www.gcn.com/vol1_no1/daily-updates/27777-1.html (worm attacks increase)
http://www.gcn.com/vol1_no1/daily-updates/34815-1.html (pharming & phishing)
http://www.gcn.com/vol1_no1/daily-updates/35067-1.html (Microsoft's Anti-Spyware)
http://www.gcn.com/vol1_no1/daily-updates/36234-1.html (Trojan horses)
http://www.gcn.com/online/vol1_no1/40943-1.html (stealthier spyware)
http://www.gcn.com/print/26_2/42957-1.html (botnets light footprints)
http://www.gcn.com/print/26_2/42969-1.html (increases, botnets)
http://www.gcn.com/print/26_2/42983-1.html (NY tests employees)
http://www.businessweek.com/bwdaily/dnflash/jun2005/nf20050610_8382_db008.htm?
http://www.businessweek.com/magazine/content/06_29/b3993001.htm (Direct Revenue)
http://www.securityfocus.com/news/11222 (Trojan Horse Attacks)
http://en.wikipedia.org/wiki/Direct_Revenue
http://news.com.com/Online+scammers+go+spear-phishin/2100-1029_3-5981917.html
http://news.bbc.co.uk/1/hi/technology/5399534.stm (Vista security monoculture)
http://www.spamdailynews.com/publish/Spam_zombies_from_outer_space.asp (next gen spam)

Resources:

http://labs.zarate.org/passwd_new/ (Javascript password generator)
http://law.spamcon.org/
http://tor.eff.org/ (Privacy & anonymity enhancement)
http://www.aerotags.com/ (protect web pages from e-mail extractors)
http://www.antispam.org/
http://www.antispywarecoalition.org/
http://www.benedelman.org/
http://www.bfndevelopment.com/cgi-bin/home/Members/fMail/Contacts/134/
http://www.cauce.org/
http://www.cdt.org/privacy/spyware/ (Center for Democracy and Technology)
http://www.cert.org/
http://www.ciddac.org/
http://www.cj.msu.edu/~outreach/identity/prevent_id_theft_page.pd
http://csrc.nist.gov/index.html
http://www.eff.org/
http://www.mailutilities.com/aee/ (Advanced E-mail extractor)
http://www.ftc.gov/bcp/conline/edcams/spam/report.html (to report SPAM)
http://www.ftc.gov/idtheft
http://www.getnetwise.org/
http://www.identitytheft911.org/
http://www.idtheft.gov/
http://www.infotoday.com/searcher/jul00/duberman&beaudet.htm (Privacy, circa 2000)
http://www.lavasoft.de/news/20050712.shtml (Antispyware Coalition)
http://www.osvdb.org/
http://www.megaproxy.com/ (commercial proxy server for privacy protection)
http://www.mi2g.com/
http://cve.mitre.org/
http://www.packet-level.com/
http://www.privacyrights.org/ar/ChronDataBreaches.htm (Clearinghouse of breaches)
http://www.privoxy.org/ (web proxy privacy protection)
http://www.projecthoneypot.org/
http://www.spamdailynews.com
http://www.toastedspam.com
http://www.us-cert.gov/
http://www.vmyths.com/
http://www.sans.org/
http://www.safer-networking.org/
http://www.spamhaus.org/rokso/ (Register of Known Spam Organizations)
http://www.spamlaws.com/
http://spam.abuse.net/ (fight spam)
http://www.spamsaver.com/index.asp/
http://securityresponse.symantec.com/
http://intranet.uml.edu/IT/itsecurity/Spam_Info_Main.htm (U. Mass Lowell SPAM prevention)
http://us.mcafee.com/fightspam/
http://us.mcafee.com/virusInfo/
http://www.willempen.org/spam-preventie/ (In Dutch)