lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <21bcc0400711020803s5a42a5afjcbb8f328f3fcfbaa@mail.gmail.com>
Date: Fri, 2 Nov 2007 11:03:18 -0400
From: "Aaron Katz" <atkatz@...il.com>
To: stuart@...erdelix.net
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: spammer wades into US Presidential race

On 11/2/07, lsi <stuart@...erdelix.net> wrote:
> > > Actually, it would hurt my wallet, and waste my time, compounding the
> > > loss
> > > already incurred by receiving the spam in the first place.
> >
> > But it's worth your time to forward spam to everyone on the
>
> Simply put, it's evidence of a crime. The mail was forwarded in its
> entirety to provide the group with the fullest amount of evidence
> possible.

But, as you analyzed it, yourself, it's not much in the way of
evidence.  You are correct in that it's wrong to send spam, and that
whoever did it (candidate, candidate's employee, other candidate,
other candidate's employee, supporter of candidate, supporter of other
candidate, spammer who happens to support candidate, spammer who
happens to support other candidate, etc) should be punished.


> 1. The public interest is served in debating whether it's appropriate
> that presidential campaigns are spamvertised.  Spam is unethical, is
> it appropriate that potential presidents are potentially unethical?


1a) I don't expect that anyone on this list believes that spam is
good, as evidenced by the fact that nobody has argued such, during
this discussion.

1b) It's often believed that politicians are corrupt.  It seems to me
that forwarding the spam may have been an attempt (if not by you, then
(as you point out) by the original spammer) to discredit Ron Paul.


> 2. The public interest is served in locating the source of the spam.

As you pointed out in your analysis, the source of the spam will not
be located by this message.  How, exactly, does your sending the
message help to locate the source of the spammer?


> 3. Focusing the group mind on the case and thus maximising possible
> lines of inquiry.

I can accept this argument, as answer to my question for (2).


> 4. Analysis of spam for the benefit of the group.

You have made a logical leap that I do not follow.  How does it
benefit the group?


> 5. Opportunity to forward an anti-war message globally.

That statement reads, to me, as, "the spam says something I like, so
I'll forward it to everyone (thereby engaging in spamming, myself)."
Please correct me if I misinterpret.


> 6. Scooping wired.com by a whole 3 days.

Again, big difference between sending an uncorroborated email with no
analysis and no investigation, and Wired's story.  At least Wired
tired to investigate.

> > I'd rather wait for some form of evidence.  Right now all that is
> > available is gossip.
> I forwarded all the evidence I had, the fulltext as well, with
> headers, much better than the snippet in wired.

Yes, but you already analyzed your evidence and showed that it's
really nothing.  It's proof that someone sent spam (once corroborated
with wired, that is - before it was corroborated, for all anyone on
this list knew, that someone could easily have been you).

Crimes happen all the time.  Spam happens all the time.  In the grand
scheme of things, it just seems so minor to announce, "Hey world!
Look at this!  I got spam!".  It seems to me that, if you really
wanted to have a positive effect, it would have been better for you to
contact your upstream provider, and ask them to perform an
investigation, such as monitoring their network for the source of the
spam (who knows, maybe they were capturing logs when it happened, and
can identify the machine that sent it to them).  And then help follow
that investigation back to whoever really sent the message.

You mentioned before that it would have been a waste of your money,
but you're perfectly happy to debate the issue with me, which means
that you're spending the same money reading my responses and sending
yours as you would have spent to contact someone who can actually do
some real investigation.

And, if the investigation turned out to be fruitless, you would have
looked more like someone who tries to have a positive effect on an
issue, rather than just someone who can raise an alarm.


> > If you read the article from Wired, *they* contacted Paul's campaign,
> > and performed some basic investigation.  That's rather different from
> > forwarding a spam message on to a mailing list.
> They are a news service, that's what they do.  My role, as a
> recipient of the mail, is to report it, that's what I did.

But, spam is a crime.  You reported the issue to a semi-anonymous list
of people on the internet.  You didn't report it to anyone who will
actually do anything to stop the crime, and you didn't report it to a
news service.  How is this an appropriate avenue to report a crime?

> Repeat,
> it is not just spam, it is evidence that, in all likelihood, one of
> the presidential campaigns...

In your opinion.  There is no evidence in that regard, and it is
illogical and inappropriate to make such a leap.  The Wired article
indicates that it is unlikely that Paul's campaign is the one behind
it, and didn't implicate anyone else.  It is just as possible that:
a) Paul's campaign sent it with Paul's consent
b) Paul's campaign sent it without Paul's consent
c) Paul's opponent's campaign sent it with the candidate's consent
d) Paul's opponent's campaign sent it without the candidate's consent
e) A supporter of Paul sent it (including the possibility that the
originator of the spam is a supporter of Paul)
f) A supporter of Paul's opponent sent it (including the possibility
that the originator of the spam is a supporter of Paul's opponent)
g) An overseas agent, interested in US politics sent it
h) An overseas agent, uninterested in US politics, but who thinks this
is a good way to accomplish some goal, sent it.

> ...the guilty party is unlikely to admit their guilt,
> so there is no point asking them.

Unless the party truly didn't believe that there was anything immoral
or unethical about their actions.

> I also doubt his voting record is
> much use.

It would at least indicate if he seemed to understand the concept.  If
Paul always voted against making spamming illegal, then he might not
understand the problem.  If he always voted for making it illegal,
then he might understand the problem.  It goes towards the likelihood
of him, personally, being involved, and is, therefore, appropriate in
a conversation that implicates him in spamming.



> By your logic, I should never have received the mail in the first place.
Please identify exactly what logic I provided that indicates you
should never have received the email in the first place?  Where did I
ever say such a thing?  Where did I ever indicate that spamming
doesn't happen?  Where did I ever make such a leap?

I have consistently argued toward a single point: your forwarding this
to full-disclosure is at best of minimal benefit to the community.  I
have yet to see you perform any significant investigation, or to state
anything that either isn't obvious, or that isn't an assumption.

> Finally, I have no idea who you are, asking me to run down blind
> alleys is a good way to get me to think you are working for the same
> people I am complaining about.

I ask for proof, and you complain about it.  Isn't that a mark of a troll?

> I have no intention of doing any further research.  That is a job for
> the police and the appropriate federal electoral authorities.

So, I again ask, why mail full-disclosure if it's a job for the
police?  What job did you think that full-disclosure would perform?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ