Patented Spam Fighting? Hands Off the Infrastructure, Please
Network News Break: We love SPF and believe it will do a lot to push back the spam tide, but we don't love Microsoft's patent-encumbered contributions to it. Also: Checkpoint patches a critical VPN bug, DES is on the way out, Microsoft fixes some bugs in IE ahead of schedule, and now might be the time to push for security upgrades with the boss.
|Main||Elsewhere||The Week in CrossNodes|
In keeping with our recent tradition of making blanket assertions then pulling back after having a week to think about them, we should revisit last week's break, wherein we opined that if Microsoft was behind Sender Policy Framework (SPF), everyone else probably ought to go ahead and get behind it, too. Not, mind you, because Microsoft's behind it so much as "Microsoft's a heavyweight that's finally joined many other heavyweights," (like Google, Earthlink, and AOL).
A lot of our enthusiasm for SPF comes from the fact that there are freely available tools that will allow developers to adapt popular MTAs like sendmail, exim, postfix, and others to the technology: It's a protocol that's not without its problems, but it's widely adopted and there's room for everyone.
What we didn't stop to think about was what, exactly, SPF has become since Microsoft embraced and extended it with its own "Caller ID for E-Mail." The new dual specification introduced technologies from Microsoft that are encumbered by a license agreement that would harm the ability of Open Source and Free Software developers to implement the new dual specification. Those developers write software that drives a lot of organizations using Linux and other Unix variants for infrastructure. The net result of endorsing a loaded standard like that would be to disenfranchise a prominent proportion of the software that drives e-mail infrastructure where an important new spam-fighting technology is concerned.
Fortunately, the IETF working group dealing with the matter is currently engaged with Microsoft in the process of coming up with a more palatable license. A resolution is due in the next week or so. But on the chance Microsoft fails to come through with something that lets everyone sit at the table, our enthusiasm for the dual specification will wane considerably.
What's the solution?
For one, the specification Microsoft is endorsing has two components: SPF was created independently of Microsoft, is an open specification, and has freely available, unencumbered tools to develop apps that can utilize it. It is widely adopted and it is relatively trivial to implement. "Caller ID for E-Mail," Microsoft's patented contribution, is less benign, but it's not necessary to make SPF work. It can be safely set aside, as we're sure it will be by many developers if Microsoft doesn't back down from its unfortunate restrictiveness, and its absence won't harm SPF's ability to verify the legitimacy of e-mail claiming to originate from a particular domain.
Two weeks ago we argued that standards are what holds the commons that is the 'net together, and that honoring them when possible is a key responsibility to administering a network or a piece of Internet infrastructure. Like the Internet itself, the standards that drive it are a commons, too: They shouldn't be manipulated to the exclusion of legitimate and vital projects that don't happen to be Microsoft, epsecially something as critical as e-mail. The Internet grew up on open standards, and it will continue to thrive well after short-term business considerations are forgotten (or lost with the companies that held them) provided we stick to that spirit of openness.
We've seen the way customers are poorly served by protocol balkanization in the instant messaging world, we should stay away from it by voting with our implementations elsewhere.
» We're always relieved when we hear about people pushing technology over legislation to solve spam problems. From a recent anti-spam conference:
"The best anti-spam legislation can stop no more than 5 percent of spam, while the worst spam-blocking technology stops at least 80 percent."
» Strike at the pointy haired boss while the iron is hot: Security has overtaken cost cutting as the top concern of IT managers with more than 75 percent of those polled in a new IDC study rating security as a very or extremely significant challenge."
» A buffer overflow vulnerability in Check Point's virtual private network (VPN) products could put users at risk of network takeover. Patches are available.
» If you've spent much time worrying about encrypting traffic, you've probably been in contact with DES. You might be interested to note that the National Institute of Standards and Technology says the encryption standard is old and needs to be retired. The net result of such a retirement? Potential mass-obsolescence of apps that depend on it.
» Microsoft has released a massive out-of-cycle patch to numerous Internet Explorer vulnerabilities.
» And if the whole "must switch from Internet Explorer" moment stayed with your organization, it appears Netscape will be releasing a new version of its adaptation of the Mozilla browser. Netscape 7.2, which is Mozilla with some AOL-driven additions and a lot of marketing goop will be available in August. We'd recommend figuring out if Mozilla or Firefox aren't best for your users: They tend to have a faster development cycle, and bugs get patched more quickly.
Transition to next generation protocol may be slowed by reluctance to part with network address translation devices.
Its name might be 'ethereal,' but you'll find this tool a solid performer when it comes to monitoring network traffic. It'll probably teach you a little about TCP/IP along the way, too.
The third time around promises to be the charm for DNSSEC: An enhancement to the Internet name service protocols that blocks spoofing attacks, and promises to help clean up the spam problem, too.
Network News Break is CrossNodes' weekly summary of networking news and opinion. Please send your comments and suggestions to the editor.