Security Basics mailing list archives

Re: Verifying E-Mail Addresses


From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
Date: Thu, 16 Nov 2006 22:32:16 -0500

Isaac Van Name wrote:

> Actually, that's a very good point, and one that I missed myself when
> replying to this thread.  You can't check your email without internet
> access... duh.  :-)  I'm a bit daft sometimes... bear with me.

Sometimes the most obvious things are the easiest to overlook. ;)

> Another approach might be to disallow email addresses that are of the
> "free and anonymous" nature like Yahoo, Hotmail, Gmail, etc. and
> require an email address that is actually tied to some type of
> verifiable personal information.  The chess server I play on does
> this, believe it or not... they require a "real" email address to

You talking about FICS? I have an account there too. I set one up for a
customer last week whose only usable email was a Yahoo account (they'd
long since forgotten their ISP account password *sigh*). It's not the
first time I've had this problem either. I usually solve it by finding
a web based account the service doesn't know about. There's a ton of
them out there, but this person was adamant about not having to use
another account. So this time I just set up a forward from an account on
my own personal server. This "customer" happened to be a next door
neighbor and a friend. ;)

The point is, these methods don't work. The only one you're blocking is
the innocent person who lacks some pretty basic skills and knowledge. A
gear head like me or some kid looking to play adolescent games with
impunity will find a way through or around any challenge/response setup
like this on their worst day. It simply doesn't address the problem,
and hurts your legitimate customers.

> create an account.  By "real", it could be a person's work email,
> their AO_Hell account, etc.  ... Of course, this wouldn't really work
> if the person worked at Yahoo... :-)

There are so many free, disposable, or insecure web/email providers out
there who don't validate their users that it would be impossible to know
them all.

> Or you could try catching the MAC address when the person connects
> successfully and track their activity.  Of course, anyone that's smart
> enough to do anything REALLY bad is going to know how to change their
> MAC address.  Hopefully, your IDS would pick up the activity and
> alert you in time for something to be done.

MAC addresses are trivial to spoof. Some hardware allows them to be
configured, and there exist dozens of software solutions from special
"drivers" to live CD distributions that do it by default. Again, you're
really only keeping out innocent users who don't know how to jump
through your hoops. Anyone with a modicum of experience or
determination will find a way, be they good guys or bad.

> Really, all it boils down to is what I saw someone else say, and I'm
> going to have to agree:  Maybe the question should be why your
> company wants/needs such a resource, instead of how to secure it.  If

I agree too. This really shouldn't be an issue because it's an
essentially unsolvable problem. If you're losing sleep over keeping
the bad guys off your public access network, you really need to take a
long, hard look at whether you should be running one or not.

> your company doesn't need that resource, then you're looking at
> investing a lot of time and work for nothing.
>
> I would like to see more ideas on how this could be secured, though
> it seems impractical.  This is turning into an interesting thread.

There are only two sides to the issue. You're either running a secure
network, or you're running an open one. If you're running an open one
it's not secure. Simple math. You'll never secure it without making it
a closed network. You can do this in a "public access" scenario by
personally validating each user in some way that has nothing to do with
the network. Like photo ID. A quick Driver's license check or what not.
Physically secure it this way, and deal with the abuse problems you'll
*still* have quickly and decisively. Your keen eye and reputation will
serve you better than any "challenge/response" gimmick you'll ever
devise.

-- 
Hand crafted on 16 November, 2006 at 22:06:11 EST using
only the finest domestic and imported ASCII.

Please don't make me angry, I'm running out 
of places to hide the bodies.

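The MAC-tracking idea floated above, and Jeffrey's objection that a MAC address is trivial to change, can be made concrete with a small worked example. This is an added illustration, not code from either poster or from any tool they mention. It assumes nothing beyond the Python standard library; the vendor prefix 00:1b:21 and the session list are constructed sample values, and the "random MAC" routine mirrors what MAC-changing tools commonly do by default (random bytes with the locally-administered bit set), while the "cloned OUI" routine shows the slightly more careful spoof that keeps a real-looking vendor prefix.

```python
"""MAC spoofing versus MAC-based tracking: a worked illustration.

Added example for the mailing-list discussion above; not code from the
original post. Every MAC address below is a constructed sample value.
"""
import random
import re

# Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabbccddeeff.
MAC_RE = re.compile(
    r"^([0-9A-Fa-f]{2})[:-]?" + r"([0-9A-Fa-f]{2})[:-]?" * 4 + r"([0-9A-Fa-f]{2})$"
)


def parse_mac(text: str) -> bytes:
    """Normalize a textual MAC address to its six raw bytes."""
    m = MAC_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(g, 16) for g in m.groups())


def fmt_mac(raw: bytes) -> str:
    """Canonical lower-case colon-separated form, used as a tracking key."""
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered(raw: bytes) -> bool:
    """U/L bit (bit 1 of the first octet). Set means the address was chosen
    by software rather than burned in by the NIC vendor."""
    return bool(raw[0] & 0x02)


def is_multicast(raw: bytes) -> bool:
    """I/G bit (bit 0 of the first octet); a unicast source must have it clear."""
    return bool(raw[0] & 0x01)


def random_local_mac(seed=None) -> bytes:
    """Default-style random spoof: random bytes, locally-administered bit set,
    multicast bit cleared. This is what a defender can still spot."""
    rng = random.Random(seed)
    b = bytearray(rng.getrandbits(8) for _ in range(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return bytes(b)


def clone_oui_mac(vendor_mac: bytes, seed=None) -> bytes:
    """Careful spoof: keep a genuine-looking OUI (first three bytes) so the
    address passes as burned-in, and randomise only the device-specific half."""
    rng = random.Random(seed)
    return vendor_mac[:3] + bytes(rng.getrandbits(8) for _ in range(3))


# Constructed sample log of (source MAC, what the visitor did). 00:1b:21 is
# used here as a stand-in for a burned-in vendor prefix, nothing more.
ORIGINAL = "00:1b:21:aa:bb:cc"
SESSIONS = [
    (ORIGINAL, "signed up, posted spam"),
    (ORIGINAL, "banned by MAC"),
    (fmt_mac(random_local_mac(seed=1)), "back with a random MAC"),
    (fmt_mac(clone_oui_mac(parse_mac(ORIGINAL), seed=2)), "back again with a cloned OUI"),
]


def link_sessions_by_mac(sessions):
    """The naive 'track by MAC' scheme: group observed activity by address.
    Each spoof shows up as a brand-new device, so the ban never sticks."""
    by_mac = {}
    for mac, note in sessions:
        by_mac.setdefault(fmt_mac(parse_mac(mac)), []).append(note)
    return by_mac


def suspicious_macs(sessions):
    """The one cheap signal an IDS gets: flag source addresses with the U/L
    bit set. It catches the lazy random spoof and misses the OUI clone."""
    return sorted(
        {fmt_mac(parse_mac(m)) for m, _ in sessions
         if is_locally_administered(parse_mac(m))}
    )


if __name__ == "__main__":
    for mac, notes in link_sessions_by_mac(SESSIONS).items():
        print(mac, "->", notes)
    print("flagged as locally administered:", suspicious_macs(SESSIONS))
```

Running it prints three distinct "devices" for what is one visitor, and only the random-MAC session gets flagged; the cloned-OUI session is indistinguishable from a real card. On a Linux client the whole spoof is a single privileged command (`ip link set dev eth0 address <new-mac>` after bringing the interface down), which is the practical content of "trivial to spoof".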