Re: Stopping (https) phishing from Dave Crocker on 2018-07-13 (public-web-security@w3.org from July 2018)

From: Dave Crocker <dcrocker@gmail.com>
Date: Thu, 12 Jul 2018 18:54:44 -0700
To: Henry Story <henry.story@bblfish.net>
Cc: public-web-security@w3.org
Message-ID: <cdde4b10-2454-482b-2e7c-0c333465597c@gmail.com>

On 7/12/2018 11:09 AM, Henry Story wrote:
> I just said I have kicked the tires a bit, not that it has gone
> through a full review. The Spamsolution questionnaire would make
> sense as a first mail to send someone who had not thought about the
> problem at all, as an incentive to get them to kick the tires. Dave
> Crocker does not know me, nor if  I did some initial work on the
> topic, so I am ok that he sent it out. It's quite funny actually.

Henry,

The feedback I gave you was based on the topic you are pursuing and the 
tone with which you introduced it.  It doesn't much matter who you are 
or who I am.  What matters is the substance of the material you are 
presenting and the tone with which you are presenting it.

Online abuse has a long and painful history.  Spam is one aspect. 
Phishing another.  Email and the web are merely conduits.

When someone introduces yet-another purportedly-new proposal for 
'stopping' or 'preventing' abuse in general -- or abuse in specific -- 
they are typically ignoring a very long history of failing to achieve 
that goal.  By very long, I am measuring in millenia.  And if that seems 
too grandiose -- though I intend it quite seriously -- then consider 
decades.  Of extensive efforts.  By very bright, very dedicated people. 
Lots of them.

Those efforts achieved no reduction in abuse attempts.  And systems are 
constantly continuing to be compromised.  The successes there have been 
have mostly been with spam filtering, which is a barbarians-at-the-gates 
filtering of what users see, not what is showing up at those gates.

Added to this is that all indications -- and there are many -- are that 
typical end users are never going to be an essential component in 
preventing or detecting abuse.

It's fine to do research to try to develop schemes that prove such 
assessments wrong, but it is not fine to make claims prior to 
demonstrating efficacy.  And by demonstrating I mean in the field, with 
a representative sampling of real end users.

Rather than look for ways to casually discount critical feedback that 
you are getting, I encourage you to take it all far more seriouslyand 
thoughtfully and then to approach this topic far more modestly.

d/
-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net

Received on Friday, 13 July 2018 01:55:12 UTC