Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fighting Abuse with Trust: Enhancing the paradigm Dave Crocker Trusted Domain Project (trusteddomain.org) Brandenburg InternetWorking (bbiw.net) FCC ~

Published byTristan Harte Modified over 10 years ago

Similar presentations

Presentation on theme: "Fighting Abuse with Trust: Enhancing the paradigm Dave Crocker Trusted Domain Project (trusteddomain.org) Brandenburg InternetWorking (bbiw.net) FCC ~"— Presentation transcript:

1 Fighting Abuse with Trust: Enhancing the paradigm Dave Crocker Trusted Domain Project (trusteddomain.org) Brandenburg InternetWorking (bbiw.net) FCC ~ 2 Feb 12 Dave Crocker Trusted Domain Project (trusteddomain.org) Brandenburg InternetWorking (bbiw.net) FCC ~ 2 Feb 12

2 2 2 Abuse and TrustFCC / 2 Feb 12 Internet Abuse Advertising (spam) – Aggressive, legimitate companies – Deceptive, criminal-like organizations Fraud – Phishing – Illegal purchases Destruction (DDOS) – Extortion – Anger Well-organized – Extensive, hierarchical underground economy – Trans-national "The Net is too Open" – Or, "an error in Internet design is a failure to authenticate users" – Just like the real world... Abuse is a social problem – Social problems are not amenable to technical solutions

3 3 3 Abuse and TrustFCC / 2 Feb 12 It's Persistent and Spreading 20 years of: Look for bad actors, using IP Address of neighbor Looking for bad content Progress? Excellent filtering engines protect receivers No significant change across open Internet Victories are ephemeral This is an arms race and the enemy is well-funded, bright and aggressive Abuse will end on the Internet when it ends on the streets... Email Web IM Blogs VOIP mobile…

4 4 4 Abuse and TrustFCC / 2 Feb 12 Mistrust vs. Trust MistrustMistrust Receiver is on their own: Forced to make guesses Sender/Receiver collaboration TrustTrust MistrustMistrust

5 5 5 Abuse and TrustFCC / 2 Feb 12 Different and Complementary Mistrust Sender actively trying to trick receiver Content is usually spoofed Heuristics (Bayes, Blacklists, etc.) to distinguish valid from spoofed … Look for content to reject Trust Sender is collaborating, at least for identifier With valid identifier can be an assessment (reputation) not confused by noise of bad actors DKIM, SPF, DMARC, Whitelists, DNSSec, DANE, Repute, OpenDKIM … Look for content to accept

6 6 6 Abuse and TrustFCC / 2 Feb 12 Trust is Becoming Fashionable This week's announcement of DMARC: Google, Microsoft, PayPal, Facebook and other big names have announced a new anti-spam and phishing project, [that] will use 'a feedback loop between legitimate email senders and receivers to make impersonation more difficult' -- Slashgear 30jan12 Forthcoming Book: Liars and Outliers: Enabling the Trust that Society Needs to Thrive, Bruce Schneier

7 7 7 Abuse and TrustFCC / 2 Feb 12 Roles & Responsibilities, Tussles & Trust Actors People, organizations and processes that are responsible for sets of actions Examples: Author, Recipient, Mailing list, Operator Administrative [Management] Domains (ADMD) Components organized under an integrated span of control, with common, internal trust Example: Within organization, versus between

8 8 8 Abuse and TrustFCC / 2 Feb 12 A Negotiation View of Send/Receive or Pub/Sub Sending Operator Receiving Operator AuthorRecipient Publish Assurance ProtectUser

9 9 9 Abuse and TrustFCC / 2 Feb 12 Trust Begins with Authenticated Names Domain Name Organizational boundary Organizational boundary, not network topology More stable and reliable than IP Address Easier to manage than personal identifiers Sub-domain names permit added flexibility Personal name Necessary only when the trust is independent of a larger organization

10 10 Abuse and TrustFCC / 2 Feb 12 Identifying Content Streams Multiple types of content Corporate Transactions (purchase order, order confirmation...) Proposals Marketing mass mailings Customer Support Label them with subdomains sales.bbiw.net newsletter.bbiw.net personal.bbiw.net Allow different reputations to develop

11 11 Abuse and TrustFCC / 2 Feb 12 Warning: Naming is Confusing (Even Email From: Field is Complex) Dave Crocker "Display Name" never validated! Mailbox controlled by ADMD System or Organization (ADMD) Users only see the Display Name... Trust mechanisms are (mostly) for operators, not users! Human factors issues make end-users poor enforcers of security Saying that better security requires better user training is dereliction of duty...

12 12 Abuse and TrustFCC / 2 Feb 12 Naming and Other Applications Some are like email – IM, VOIP Some have no visible naming (Web) – But the structure of data permits adding attributes – So add one with a name Popular Web security – TLS s – TLS (https) channel object – Protects channel, not "object" – Really only privacy and a bit of server Active IETF efforts – SPF, DKIM – SPF, DKIM for mail – DANE – DANE for better channel (TLS) certification – Websec – Websec for better Web content (object) certification – OAuth – OAuth for Web authorization (login) – Repute – Repute to query reputation information – draft-dispatch-ono: – draft-dispatch-ono: Referencing and Validating User Attributes

13 13 Abuse and TrustFCC / 2 Feb 12 An Amateur's View of Security Ambiguous uses of terminology Security, authentication, validation, certification, privacy Very high barriers to entry Administration, operations, end-user usability For example: certificates... Authentication/Validation of... Actor – author vs. recipient vs. handler Content validity – content is truthful vs. accurate vs....? Compare precision and implications: XML Signatures provide integrity, message authentication, and/or signer authentication DKIM... permit[s] verification of the source and message contents DKIM permits a person, role, or organization to claim some responsibility for a message

14 14 Abuse and TrustFCC / 2 Feb 12 Trust Service Architecture AssessmentDatabase IdentifierValidatorIdentifierValidator Identifier Signer IdentityAssessorIdentityAssessor HandlingFilter ResponsibleIdentity RecipientRecipient Author TrustService DKIM Problem Reports (ARF) Auth-Results

15 15 Abuse and TrustFCC / 2 Feb 12 Authentication as a Part of… Identity Who does this purport to be? (IP Address or Domain Name) Authentication Is it really them? Authorization What are they allowed to do? Assessment (Reputation) What do I think of the agency giving them that permission? (eg, History or Accreditation) Scope of DKIM Certification Link identifier to identity

16 16 Abuse and TrustFCC / 2 Feb 12 Assessment History (statistical reputation) Past performance is indicator of future behavior But what if there is no history (eg, new name)? Affiliation (objective information) Membership in recognized group is a good sign eg, fcc.gov, "member FDIC", 501(3)(c) Vouching/Reputation service (opinion) Trust those who you trust say are trustworthy...

17 17 Abuse and TrustFCC / 2 Feb 12 Challenges Complexity and usability Additional layer of service and operations Requires excellent quality control Subjet to social engineering Funding Standalone reputation services have failed Reduced functionality Every packet is patted down when crossing administrative domain boundary? Functional fixedness bad Trust mechanisms primarily being considered for finding bad actors!

18 18 Abuse and TrustFCC / 2 Feb 12 Thank you...

Download ppt "Fighting Abuse with Trust: Enhancing the paradigm Dave Crocker Trusted Domain Project (trusteddomain.org) Brandenburg InternetWorking (bbiw.net) FCC ~"

Similar presentations

Yahoo! OpenID and OAuth 1 Allen Tom Yahoo! Membership Architect OpenID Foundation Board

Yahoo! OpenID and OAuth 1 Allen Tom Yahoo! Membership Architect OpenID Foundation Board
11/2/2013 2:02:38 AM 5864_ER_FED 1 Importing Certificates into Lotus Notes R6.

11/2/2013 2:02:38 AM 5864_ER_FED 1 Importing Certificates into Lotus Notes R6.
Unified Communications Bill Palmer ADNET Technologies, Inc.

Unified Communications Bill Palmer ADNET Technologies, Inc.
Chapter 14 Intranets & Extranets. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES Introduction Technical Infrastructure Planning an Intranet.

Chapter 14 Intranets & Extranets. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES Introduction Technical Infrastructure Planning an Intranet.
1 Eloqua Providing Industry-Leading Management Tools May 2009.

1 Eloqua Providing Industry-Leading Management Tools May 2009.
Email Deliverability @ Eloqua Providing Industry-Leading Email Management Tools.

Eloqua Providing Industry-Leading Management Tools.
1 An Update on Multihoming in IPv6 Report on IETF Activity IPv6 Technical SIG 1 Sept 2004 APNIC18, Nadi, Fiji Geoff Huston.

1 An Update on Multihoming in IPv6 Report on IETF Activity IPv6 Technical SIG 1 Sept 2004 APNIC18, Nadi, Fiji Geoff Huston.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
1 Network-Level Spam Detection Nick Feamster Georgia Tech.

1 Network-Level Spam Detection Nick Feamster Georgia Tech.
Cyber Defence Data Exchange and Collaboration Infrastructure (CDXI)

Cyber Defence Data Exchange and Collaboration Infrastructure (CDXI)
© 1998-2003 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.

© ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
0 - 0.

0 - 0.
B-CERB complete protection against phishing copyright 2008 by Wheel.

B-CERB complete protection against phishing copyright 2008 by Wheel.
Introduction Lesson 1 Microsoft Office 2010 and the Internet

Introduction Lesson 1 Microsoft Office 2010 and the Internet
Proposal for a Pilot Project: Using DKIM to Create a Email Trust Channel Dave Crocker Brandenburg InternetWorking bbiw.net Dave Crocker Brandenburg InternetWorking.

Proposal for a Pilot Project: Using DKIM to Create a Trust Channel Dave Crocker Brandenburg InternetWorking bbiw.net Dave Crocker Brandenburg InternetWorking.
Why Eve & Mallory Love Android

Why Eve & Mallory Love Android
1 Mailing list software in the war against spam May 2005 Serge Aumont serge.aumont cru.fr.

1 Mailing list software in the war against spam May 2005 Serge Aumont serge.aumont cru.fr.
Location Based Services and Privacy Issues

Location Based Services and Privacy Issues
© 2012 Eloqua, Inc. Confidential 1 Deliverability and IP Warming Overview and Implementation Using Eloqua.

© 2012 Eloqua, Inc. Confidential 1 Deliverability and IP Warming Overview and Implementation Using Eloqua.

Similar presentations

Ads by Google