nanog mailing list archives

Re: Problems sending mail to yahoo?


From: Greg Skinner <gds () gds best vwh net>
Date: Mon, 14 Apr 2008 05:11:17 +0000


On Sun, Apr 13, 2008 at 11:48:31PM -0400, Rich Kulawiec wrote:
> On Sun, Apr 13, 2008 at 08:04:12PM -0400, Barry Shein wrote:
> A number of things that are true, including:
>
> > I say the core problem in spam is the botnets capable of delivering
> > on the order of 100 billion msgs/day.
>
> But I say the core problem is deeper.  Spam is merely a symptom of an
> underlying problem.  (I'll admit that I often use the phrase "spam
> problem" but that's somewhat misleading.)
>
> The problem is pervasive poor security.  Those botnets would not exist
> were it not for nearly-ubiquitous deployment of an operating system that
> cannot be secured -- and we know this because we've seen its own vendor
> repeatedly try and repeatedly fail.  But a miserable excuse for an OS is
> just one of the causes; others have been covered by essays like Marcus
> Ranum's "Six Dumbest Ideas in Security", so I won't attempt to enumerate
> them all.

Is there a (nontrivial) OS that can be secured inexpensively, i.e. for
the price that is paid for by shoppers at your local big box outlet?
To me, that's as much the problem as anything else that's been written
so far.  The Internet is what it is largely because that is what the
users (collectively) will pay for.  Furthermore, it's not so much the
OS as it is the applications, which arguably might be more securable
if Joe and Jane User took the time to enable the security features
that are available for the OSes they buy.  But that doesn't happen.  I
don't blame Joe and Jane User; most nontechnical people do not view
their home or work systems as something more than an appliance for
getting work done or personal entertainment.

> A secondary point that actually might be more important:
>
> We (and I really do mean "we" because I've had a hand in this too)
> have compounded our problems by our collective response -- summed up
> beautifully on this very mailing list a while back thusly:
>
>       If you give people the means to hurt you, and they do it, and
>       you take no action except to continue giving them the means to
>       hurt you, and they take no action except to keep hurting you,
>       then one of the ways you can describe the situation is "it isn't
>       scaling well".
>               --- Paul Vixie on NANOG
>
> We need to hold ourselves accountable for the security problems in
> our own operations, and then we need to hold each other accountable.
> This is very different from our strategy to date -- which, I submit,
> has thoroughly proven itself to be a colossal failure.

One of the things I like about this list is that it consists of people
and organizations who DO hold themselves accountable.  But as long as
it's not the collective will of the Internet to operate securely, not
much will change.

--gregbo

