tr@wind.bellcore.com (tom reingold) (04/17/88)
In article <21660@bu-cs.BU.EDU> bzs@bu-cs.BU.EDU (Barry Shein) writes:
$ [What would]
$ prevent trivial fraud, such as my listing myself as Ronald Reagan and
$ setting up an account rr@bu-cs.bu.edu (ok, that would be a little
$ blatant, but you get the idea.)
$
In article <2584@ihuxv.ATT.COM> tedk@ihuxv.UUCP (55624-Kekatos,T.G.) writes:
$ How does anyone know that your name really isn't Ronald Reagan?
$ There are hundreds of them in the US. If you listed your occupation
$ as "President, United States of America",
$ Then I would wonder if it was really you..

Ted, Barry said "you get the idea" but you don't. He used the most
blatant example of forgery but it's a good question.

Suppose I say I'm you because I want to misdirect any mail someone
wants to send to you. I can give your email address with a phony
machine or login name. I could even spell the machine or login name
really closely to yours so it looks right. Or I could attach someone
else's name and my email address in an entry. If it is NOT Ronald
Reagan, the registry people would not notice.

And suppose I am one of those hundreds of Americans named Ronald
Reagan. Are the Registry people going to take my registration
seriously? I called the Registry, registered myself, and don't
remember giving my occupation. And even if I gave it, I would not
expect it as a requirement for registration. And suppose ...

The problem is that the registration method is totally electronic,
making verification impossible. A signature and a photo ID held by
someone with a matching face are still good methods. No one has come
up with an analogous method that uses solely electronic media. Can
you think of one?

Here is a new question: Isn't this a little vulnerable? The
Government can now look me up since I'm such a sucker, already
signed up. Is this a new resource to build the Big Brother
phenomenon? Comments, Barry?

"Just say NO to empty, dogmatic slogans coined by Nancy Reagan!"
Tom Reingold                  PAPERNET:   |INTERNET: tr@bellcore.bellcore.com
Bell Communications Research              |UUCP-NET: bellcore!tr
445 South St room 2L350                   |SOUNDNET: (201) 829-4622 [work],
Morristown, NJ 07960-1910                 |          (201) 287-2345 [home]
bzs@bu-cs.BU.EDU (Barry Shein) (04/18/88)
>Here is a new question: Isn't this a little vulnerable? The
>Government can now look me up since I'm such a sucker, already
>signed up. Is this a new resource to build the Big Brother
>phenomenon? Comments, Barry?

First, here's an idea to help verification that is far from perfect
(I'll describe its worst problems) but is a lot better than nothing.

The original problem was someone changing your entry, say the e-mail
address, with malicious intent (e.g. to receive your mail.)

One possibility is to always e-mail a summary of changes (or the
entry itself) whenever it is changed. If the mail address is changed
you send to the old and new address.

Problems remaining:

This is, in OS parlance, known as detection (you'll know someone has
changed something) but is neither avoidance nor prevention of the
problem. For example, I could write a shell script changing your
address every 30 seconds and all you will have is the knowledge that
it is being done, there's still no mechanism to stop me or make it
difficult for me to do this (difficult could be you only get to make
2 changes in a day/week whatever, or a cookie is stored like a
password you must present to change the entry, even that has serious
problems given the insecurity of the mail networks and the just plain
nuisance of people forgetting their cookies over time.)

This also does not address the problem of someone initially creating
an entry with malicious intent, before you get a chance to create one
for yourself they do. In fact, you may not have the slightest
interest in using the service so don't even know I have created an
entry which is telling people to send mail destined for you to me.
Some of that is outside, but it could be quite a tool in the hands of
a specific malicious prank.

As to the "big brother" aspect, I don't know, is the telephone white
pages a big brother problem?

I think if anything I'd be more concerned with businesses using it to
create junk mail lists (if for no other reason than you might at that
point be interpreted, willingly or otherwise, as using the network to
compete with commercial junk mail list compilers, something I know
ARPA is very sensitive about, thou shalt not use govt subsidies to
compete with equivalent commercial services.) Like I said, intention
could be irrelevant if the harm exists anyhow.

Anyhow, as to the mere ability to look you up, that's probably
unavoidable, I would imagine it would take but a few hours to write a
program to filter all USENET traffic and store the FROM: fields to
create one's own list. You can't have it both ways.

	From: tr@wind.bellcore.com (tom reingold)

If you get my drift...

	-Barry Shein, Boston University
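
The three mechanisms raised in the post above (mailing a change summary to the old and new address, limiting changes per day, and a stored cookie) combined in one sketch. This is an added example, not part of the original thread; the Registry class, its in-memory outbox standing in for mail delivery, the two-changes-per-day limit and the hashed cookie are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

DAY = 86400        # seconds in the rate-limit window
MAX_CHANGES = 2    # assumed limit: two changes per day


class Registry:
    """Hypothetical directory; `outbox` stands in for a mail transport."""

    def __init__(self):
        self.entries = {}  # name -> {"email", "cookie_hash", "changes"}
        self.outbox = []   # (recipient, message) pairs that would be mailed

    @staticmethod
    def _digest(cookie):
        # Store only a hash so a leaked registry does not leak cookies.
        return hashlib.sha256(cookie.encode()).hexdigest()

    def register(self, name, email):
        if name in self.entries:
            raise ValueError("entry already exists")
        cookie = secrets.token_urlsafe(16)
        self.entries[name] = {"email": email,
                              "cookie_hash": self._digest(cookie),
                              "changes": []}
        self.outbox.append((email, f"entry created for {name}"))
        return cookie  # handed to the registrant once

    def change_email(self, name, new_email, cookie, now):
        entry = self.entries[name]
        # Prevention: the change must present the entry's cookie.
        if not hmac.compare_digest(self._digest(cookie), entry["cookie_hash"]):
            return False
        # Prevention: at most MAX_CHANGES per sliding 24-hour window.
        entry["changes"] = [t for t in entry["changes"] if now - t < DAY]
        if len(entry["changes"]) >= MAX_CHANGES:
            return False
        old_email, entry["email"] = entry["email"], new_email
        entry["changes"].append(now)
        # Detection: mail the summary to both the old and the new address.
        for rcpt in (old_email, new_email):
            self.outbox.append(
                (rcpt, f"{name}: address changed {old_email} -> {new_email}"))
        return True
```

As the post points out, none of this helps when someone else creates the entry first; the cookie then belongs to whoever registered.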