Re: Stopping (https) phishing

> On 13 Jul 2018, at 03:54, Dave Crocker <dcrocker@gmail.com> wrote:
> 
> On 7/12/2018 11:09 AM, Henry Story wrote:
>> I just said I have kicked the tires a bit, not that it has gone
>> through a full review. The Spamsolution questionnaire would make
>> sense as a first mail to send someone who had not thought about the
>> problem at all, as an incentive to get them to kick the tires. Dave
>> Crocker does not know me, nor if I did some initial work on the
>> topic, so I am ok that he sent it out. It's quite funny actually.
> 
> 
> Henry,
> 
> The feedback I gave you was based on the topic you are pursuing and the tone with which you introduced it.  It doesn't much matter who you are or who I am.  What matters is the substance of the material you are presenting and the tone with which you are presenting it.

Ah well, on the blog I have a funny picture of a Phish to go with the post, which I hoped would give a lighter
tone to the post. It's difficult to choose the right title. Here is the picture of a Phish tempted by https.




I was looking to make the worms more real, but can't find an LD-Wormy font that works on OSX.
Most of the font repositories have one that OSX refuses to install. (It is corrupted somehow. Is it a virus?)
https://www.fontyukle.net/en/LD+Wormy.ttf

> 
> Online abuse has a long and painful history.  Spam is one aspect. Phishing another.  Email and the web are merely conduits.
> 
> When someone introduces yet-another purportedly-new proposal for 'stopping' or 'preventing' abuse in general -- or abuse in specific -- they are typically ignoring a very long history of failing to achieve that goal.  By very long, I am measuring in millennia.  And if that seems too grandiose -- though I intend it quite seriously -- then consider decades.  Of extensive efforts.  By very bright, very dedicated people. Lots of them.

Yes, and I have been in contact with a few very knowledgeable people on this. For example 

• Prof David Chadwick left a couple of questions on the blog directly relevant to the proposal
   https://medium.com/@d.w.chadwick/hi-henry-using-official-company-registration-schemes-such-as-uk-companies-house-is-only-a-partial-8a3b10551b17
• And I answered to him, and to a point made by Ben Laurie too
  https://medium.com/@bblfish/prof-david-chadwick-who-has-written-a-considerable-amount-on-x509-access-control-and-security-ffd5e5b1f228

Both of them are very knowledgeable people.

E-mail is different enough that it would take some effort to see how an institutional web of trust based on 
a web of nations would be of use there. I can see some ways it would be, but that would take me 
in a very different research direction. But I'll think about it.

> 
> Those efforts achieved no reduction in abuse attempts.  And systems are constantly continuing to be compromised.  The successes there have been have mostly been with spam filtering, which is a barbarians-at-the-gates filtering of what users see, not what is showing up at those gates.
> 
> Added to this is that all indications -- and there are many -- are that typical end users are never going to be an essential component in preventing or detecting abuse.

But they have to be a component. It's a socio-technical system. I actually have a socio-technical
stack diagram showing that in a paper I presented at The Web Conf called 

"Epistemology in the Cloud: On Fake News and Digital Sovereignty"
https://bblfish.net/blog/2018/04/21/

I start there with a mathematical, logical, philosophical analysis of knowledge
(a concept closely related to security), using counterfactual modal logic. It can be 
shown that certainty is impossible to achieve, and so, as you point out, is full security. 
We will always be open to new attacks. But that does not mean we cannot know 
anything, nor that we cannot protect ourselves. To think so is the skeptical fallacy. 
But many have fallen on that logical spot. I show how to avoid the Gorgon's snaky
stare.

> 
> It's fine to do research to try to develop schemes that prove such assessments wrong, but it is not fine to make claims prior to demonstrating efficacy.  And by demonstrating I mean in the field, with a representative sampling of real end users.

Yes. I need to work out how to prove that this extra information about the web sites can solve 
problems that have beset us. This means that I will need to study some UX theory.

> Rather than look for ways to casually discount critical feedback that you are getting, I encourage you to take it all far more seriously and thoughtfully and then to approach this topic far more modestly.

Thanks. I will present this email to my PhD supervisors as proof that I need to prove what I am saying.
I started with an attempt to give a mathematical description of the web last year, but could not get round
in the space allotted to me to the reason why I needed that proof. Now I have the reason (phishing) and
I need to get back to the proof. :-)


> 
> d/
> -- 
> Dave Crocker
> Brandenburg InternetWorking
> bbiw.net

Received on Friday, 13 July 2018 08:50:02 UTC