| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 2 Nov 2007 11:03:18 -0400 From: "Aaron Katz" <atkatz@...il.com> To: stuart@...erdelix.net Cc: full-disclosure@...ts.grok.org.uk Subject: Re: spammer wades into US Presidential race On 11/2/07, lsi <stuart@...erdelix.net> wrote: > > > Actually, it would hurt my wallet, and waste my time, compounding the > > > loss > > > already incurred by receiving the spam in the first place. > > > > But it's worth your time to forward spam to everyone on the > > Simply put, it's evidence of a crime. The mail was forwarded in its > entirety to provide the group with the fullest amount of evidence > possible. But, as you analyzed it, yourself, it's not much in the way of evidence. You are correct in that it's wrong to send spam, and that whoever did it (candidate, candidate's employee, other candidate, other candidate's employee, supporter of candidate, supporter of other candidate, spammer who happens to support candidate, spammer who happens to support other candidate, etc) should be punished. > 1. The public interest is served in debating whether it's appropriate > that presidential campaigns are spamvertised. Spam is unethical, is > it appropriate that potential presidents are potentially unethical? 1a) I don't expect that anyone on this list believes that spam is good, as evidenced by the fact that nobody has argued such, during this discussion. 1b) It's often believed that politicians are corrupt. It seems to me that forwarding the spam may have been an attempt (if not by you, then (as you point out) by the original spammer) to discredit Ron Paul. > 2. The public interest is served in locating the source of the spam. As you pointed out in your analysis, the source of the spam will not be located by this message. How, exactly, does your sending the message help to locate the source of the spammer? > 3. Focusing the group mind on the case and thus maximising possible > lines of inquiry. I can accept this argument, as answer to my question for (2). > 4. Analysis of spam for the benefit of the group. You have made a logical leap that I do not follow. How does it benefit the group? > 5. Opportunity to forward an anti-war message globally. That statement reads, to me, as, "the spam says something I like, so I'll forward it to everyone (thereby engaging in spamming, myself)." Please correct me if I misinterpret. > 6. Scooping wired.com by a whole 3 days. Again, big difference between sending an uncorroborated email with no analysis and no investigation, and Wired's story. At least Wired tired to investigate. > > I'd rather wait for some form of evidence. Right now all that is > > available is gossip. > I forwarded all the evidence I had, the fulltext as well, with > headers, much better than the snippet in wired. Yes, but you already analyzed your evidence and showed that it's really nothing. It's proof that someone sent spam (once corroborated with wired, that is - before it was corroborated, for all anyone on this list knew, that someone could easily have been you). Crimes happen all the time. Spam happens all the time. In the grand scheme of things, it just seems so minor to announce, "Hey world! Look at this! I got spam!". It seems to me that, if you really wanted to have a positive effect, it would have been better for you to contact your upstream provider, and ask them to perform an investigation, such as monitoring their network for the source of the spam (who knows, maybe they were capturing logs when it happened, and can identify the machine that sent it to them). And then help follow that investigation back to whoever really sent the message. You mentioned before that it would have been a waste of your money, but you're perfectly happy to debate the issue with me, which means that you're spending the same money reading my responses and sending yours as you would have spent to contact someone who can actually do some real investigation. And, if the investigation turned out to be fruitless, you would have looked more like someone who tries to have a positive effect on an issue, rather than just someone who can raise an alarm. > > If you read the article from Wired, *they* contacted Paul's campaign, > > and performed some basic investigation. That's rather different from > > forwarding a spam message on to a mailing list. > They are a news service, that's what they do. My role, as a > recipient of the mail, is to report it, that's what I did. But, spam is a crime. You reported the issue to a semi-anonymous list of people on the internet. You didn't report it to anyone who will actually do anything to stop the crime, and you didn't report it to a news service. How is this an appropriate avenue to report a crime? > Repeat, > it is not just spam, it is evidence that, in all likelihood, one of > the presidential campaigns... In your opinion. There is no evidence in that regard, and it is illogical and inappropriate to make such a leap. The Wired article indicates that it is unlikely that Paul's campaign is the one behind it, and didn't implicate anyone else. It is just as possible that: a) Paul's campaign sent it with Paul's consent b) Paul's campaign sent it without Paul's consent c) Paul's opponent's campaign sent it with the candidate's consent d) Paul's opponent's campaign sent it without the candidate's consent e) A supporter of Paul sent it (including the possibility that the originator of the spam is a supporter of Paul) f) A supporter of Paul's opponent sent it (including the possibility that the originator of the spam is a supporter of Paul's opponent) g) An overseas agent, interested in US politics sent it h) An overseas agent, uninterested in US politics, but who thinks this is a good way to accomplish some goal, sent it. > ...the guilty party is unlikely to admit their guilt, > so there is no point asking them. Unless the party truly didn't believe that there was anything immoral or unethical about their actions. > I also doubt his voting record is > much use. It would at least indicate if he seemed to understand the concept. If Paul always voted against making spamming illegal, then he might not understand the problem. If he always voted for making it illegal, then he might understand the problem. It goes towards the likelihood of him, personally, being involved, and is, therefore, appropriate in a conversation that implicates him in spamming. > By your logic, I should never have received the mail in the first place. Please identify exactly what logic I provided that indicates you should never have received the email in the first place? Where did I ever say such a thing? Where did I ever indicate that spamming doesn't happen? Where did I ever make such a leap? I have consistently argued toward a single point: your forwarding this to full-disclosure is at best of minimal benefit to the community. I have yet to see you perform any significant investigation, or to state anything that either isn't obvious, or that isn't an assumption. > Finally, I have no idea who you are, asking me to run down blind > alleys is a good way to get me to think you are working for the same > people I am complaining about. I ask for proof, and you complain about it. Isn't that a mark of a troll? > I have no intention of doing any further research. That is a job for > the police and the appropriate federal electoral authorities. So, I again ask, why mail full-disclosure if it's a job for the police? What job did you think that full-disclosure would perform? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists