Xref: utzoo misc.consumers:4584 soc.misc:688 misc.misc:2670 comp.mail.misc:966 news.misc:1347 soc.net-people:714
Path: utzoo!mnetor!uunet!yale!husc6!bu-cs!bzs
From: bzs@bu-cs.BU.EDU (Barry Shein)
Newsgroups: misc.consumers,soc.misc,misc.misc,comp.mail.misc,news.misc,soc.net-people
Subject: Re: On-line Email Registry Service
Message-ID: <21746@bu-cs.BU.EDU>
Date: 17 Apr 88 17:39:52 GMT
References: <2575@ihuxv.ATT.COM> <21660@bu-cs.BU.EDU> <2584@ihuxv.ATT.COM> <6793@bellcore.bellcore.com>
Distribution: na
Organization: Boston U. Comp. Sci.
Lines: 55
In-reply-to: tr@wind.bellcore.com's message of 17 Apr 88 10:06:19 GMT

>Here is a new question: Isn't this a little vulnerable? The
>Government can now look me up since I'm such a sucker, already
>signed up. Is this a new resource to build the Big Brother
>phenomenon? Comments, Barry?

First, here's an idea to help verification that is far from perfect
(I'll describe its worst problems) but is a lot better than nothing.

The original problem was someone changing your entry, say the e-mail
address, with malicious intent (e.g. to receive your mail.)

One possibility is to always e-mail a summary of changes (or the entry
itself) whenever it is changed. If the mail address is changed you
send to the old and new address.

Problems remaining:

This is, in OS parlance, known as detection (you'll know someone has
changed something) but is neither avoidance nor prevention of the
problem. For example, I could write a shell script changing your
address every 30 seconds and all you will have is the knowledge that
it is being done, there's still no mechanism to stop me or make it
difficult for me to do this (difficult could be you only get to make 2
changes in a day/week whatever, or a cookie is stored like a password
you must present to change the entry, even that has serious problems
given the insecurity of the mail networks and the just plain nuisance
of people forgetting their cookies over time.)

This also does not address the problem of someone initially creating
an entry with malicious intent, before you get a chance to create one
for yourself they do. In fact, you may not have the slightest interest
in using the service so don't even know I have created an entry which
is telling people to send mail destined for you to me. Some of that is
outside, but it could be quite a tool in the hands of a specific
malicious prank.

As to the "big brother" aspect, I don't know, is the telephone white
pages a big brother problem? I think if anything I'd be more concerned
with businesses using it to create junk mail lists (if for no other
reason than you might at that point be interpreted, willingly or
otherwise, as using the network to compete with commercial junk mail
list compilers, something I know ARPA is very sensitive about, thou
shalt not use govt subsidies to compete with equivalent commercial
services.) Like I said, intention could be irrelevant if the harm
exists anyhow.

Anyhow, as to the mere ability to look you up, that's probably
unavoidable, I would imagine it would take but a few hours to write a
program to filter all USENET traffic and store the FROM: fields to
create one's own list. You can't have it both ways.

From: tr@wind.bellcore.com (tom reingold)

If you get my drift...

	-Barry Shein, Boston University
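
The safeguards discussed in the post above (a change notice mailed to both the old and the new address, a limit of 2 changes per day, and a cookie that must be presented to change an entry), sketched as an added example that is not part of the original post. The Registry class, its method names, the one-day window and the send_mail callback are assumptions made for illustration; the sketch does not cover the case of someone creating your entry before you do.

```python
import hmac
import secrets
import time

MAX_CHANGES = 2       # assumed limit: 2 successful changes per window
WINDOW = 24 * 3600    # assumed window: one day, in seconds


class Registry:
    """Hypothetical e-mail registry (illustration only)."""

    def __init__(self, send_mail):
        self.entries = {}           # name -> {"addr", "cookie", "changes"}
        self.send_mail = send_mail  # callable(to_addr, body), supplied by caller

    def create(self, name, addr):
        if name in self.entries:
            raise KeyError("entry already exists")
        cookie = secrets.token_urlsafe(16)  # returned once to the creator
        self.entries[name] = {"addr": addr, "cookie": cookie, "changes": []}
        self.send_mail(addr, f"registry entry created for {name}")
        return cookie

    def change_address(self, name, new_addr, cookie, now=None):
        now = time.time() if now is None else now
        entry = self.entries[name]
        # Prevention: the cookie must match (constant-time comparison).
        if not hmac.compare_digest(cookie.encode(), entry["cookie"].encode()):
            return "denied: bad cookie"
        # Prevention: rate limit. Only successful changes are counted, so a
        # caller without the cookie cannot use up the owner's quota.
        recent = [t for t in entry["changes"] if now - t < WINDOW]
        if len(recent) >= MAX_CHANGES:
            return "denied: rate limit"
        old_addr = entry["addr"]
        entry["addr"] = new_addr
        entry["changes"] = recent + [now]
        # Detection: the notice goes to the old AND the new address, so the
        # previous owner of the entry always learns of the change.
        for to in (old_addr, new_addr):
            self.send_mail(to, f"{name}: address changed {old_addr} -> {new_addr}")
        return "ok"
```
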