Thursday, 16 November 2006

PC World's Steve Bass Repents?

Last week, I wrote about how PC World's Steve Bass was promoting those evil, evil challenge/response spam-bouncing products. I pointed out in my blog post, and also in private email to Steve, that these things can get their users blacklisted, because misdirected challenges are as bad as the spam itself.

Today, Steve has a new post up, calling me a "Polite ... self-proclaimed spam expert." Errr, well, those who know me may not agree with the first bit. And I'm not sure the second bit is quite my choice of words, but my clients seem to think so. Never mind. Onwards...

Fortunately, Steve has first-hand experience of the problem:

I get a half-dozen or so of these misguided challenge/response e-mails every day

Unfortunately, Steve links to a Wikipedia explanation of something with a similar name but which has nothing to do with spam. Presumably he meant to link to Challenge-response spam filtering. Oopsy.

In fact, reading his explanation of C/R, I'm not sure he actually understands the problem. See if you agree:

You can set some programs to bounce messages back to spammers and make them think your address is no longer working. Quite often a message from a challenge/response system will get treated as spam and bounced back with the rest of the junk e-mail. And quite often these messages float around the Net when someone using challenge/response also has a computer virus.
...
The spamming part comes into play when the person sending the e-mail receives a reply from the challenge/response program, challenging the sender to prove he or she isn't a spambot.

Well I'd have put it a bit differently. How about this:

Q: You can set some programs to reply to spammers; great idea, right?
A: No. The replies hardly ever reach a spammer, because spammers forge the message's sender address, so the reply goes wherever the forgery points. They simply don't work.

Q: But it's only spam, and nobody cares what happens to those messages, so it's OK... right?
A: No, because the forged senders are often real email addresses, with real people at the end of them. You're causing unwanted email to be sent to those people, and a mail server that keeps doing that ends up on blacklists.

In other words, Challenge/Response makes you a spammer.
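As an added example (not from the original post, and not code from any of the products discussed), here is the problem seen from the other end: the mailbox that the forged challenges land in. If a challenge carries the Message-ID of the mail it claims you sent, you can check that ID against your own outbound log; a challenge for a message you never sent was triggered by spam that forged your address, and the domain sending it is a backscatter source. The headers, addresses and sent log below are constructed for the example, and the assumption that challenges name the original Message-ID in an In-Reply-To or References header is mine, not something the post states.

```python
"""Audit a mailbox for misdirected challenge/response mail (backscatter).

Added example, not code from the original post or from any C/R product.
Assumptions (constructed for the example): a challenge names the message it
is challenging via In-Reply-To or References, and our own MTA logs the
Message-ID of every mail it really sent.
"""
import re
from collections import Counter
from email import message_from_string, policy
from email.utils import parseaddr

# Phrases typical of C/R challenge mail (heuristic; tune for your own inbox).
CHALLENGE_MARKERS = re.compile(
    r"confirm your (?:e-?mail|message)|verify (?:that )?you are|"
    r"sender verification|unknown sender",
    re.IGNORECASE,
)

# Message-IDs our outbound MTA really emitted (constructed sample).
SENT_LOG = {"<20061115.1234@example.net>", "<20061116.5678@example.net>"}


def _raw(headers, body):
    """Assemble an RFC 2822 message from (name, value) pairs and a body."""
    return "".join(f"{name}: {value}\n" for name, value in headers) + "\n" + body


# Constructed inbox: one real challenge, two misdirected ones, one that
# cannot be checked, and one ordinary message.
MAILBOX = [
    _raw([("From", "cr-bot@crfilter.example"), ("To", "me@example.net"),
          ("Subject", "Please confirm your e-mail"),
          ("In-Reply-To", "<20061115.1234@example.net>"),
          ("Content-Type", "text/plain")],
         "Click the link to confirm you are a real person.\n"),
    _raw([("From", "verify@othercr.example"), ("To", "me@example.net"),
          ("Subject", "Confirm your message"),
          ("In-Reply-To", "<8f3a91@bulkmailer.invalid>"),
          ("Content-Type", "text/plain")],
         "Your message to j.doe is held until you verify you are human.\n"),
    _raw([("From", "verify@othercr.example"), ("To", "me@example.net"),
          ("Subject", "Sender verification required"),
          ("Content-Type", "text/plain")],
         "Reply to this mail to release your message.\n"),
    _raw([("From", "reader@example.org"), ("To", "me@example.net"),
          ("Subject", "Question about your column"),
          ("Content-Type", "text/plain")],
         "I enjoyed last week's piece and have a follow-up question.\n"),
    _raw([("From", "noreply@othercr.example"), ("To", "me@example.net"),
          ("Subject", "Confirm your message"),
          ("References", "<c0ffee@bulkmailer.invalid> <deadbeef@bulkmailer.invalid>"),
          ("Content-Type", "text/plain")],
         "Unknown sender: please confirm your message.\n"),
]


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def looks_like_challenge(msg):
    """True if the subject or body reads like a C/R challenge."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return bool(CHALLENGE_MARKERS.search(str(msg.get("Subject", "")) + "\n" + text))


def referenced_ids(msg):
    """Message-IDs the challenge claims to be answering."""
    values = msg.get_all("In-Reply-To", []) + msg.get_all("References", [])
    return {token for value in values for token in str(value).split()}


def classify(msg, sent_log):
    """One of: not-a-challenge, legit-challenge, misdirected, unverifiable."""
    if not looks_like_challenge(msg):
        return "not-a-challenge"
    ids = referenced_ids(msg)
    if not ids:
        return "unverifiable"     # nothing ties it to mail we sent
    if ids & sent_log:
        return "legit-challenge"  # we really did write to a C/R user
    return "misdirected"          # spam forged our address: backscatter


def audit(mailbox, sent_log):
    """Return (per-message verdicts, misdirected challenges per sending domain)."""
    verdicts = []
    backscatter_by_domain = Counter()
    for raw in mailbox:
        msg = parse(raw)
        sender = parseaddr(str(msg.get("From", "")))[1]
        verdict = classify(msg, sent_log)
        verdicts.append((sender, verdict))
        if verdict == "misdirected":
            backscatter_by_domain[sender.rpartition("@")[2]] += 1
    return verdicts, backscatter_by_domain


if __name__ == "__main__":
    verdicts, by_domain = audit(MAILBOX, SENT_LOG)
    for sender, verdict in verdicts:
        print(f"{verdict:16} {sender}")
    print("misdirected challenges by domain:", dict(by_domain))
```

The per-domain count is the interesting output: every domain in it is sending mail to people who never wrote to it, which is exactly the behaviour that gets C/R deployments blacklisted. A challenge with no reference to the original message is logged as unverifiable rather than misdirected; it may still be backscatter, but the headers alone cannot prove it.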

Update: Steve posted more on this topic. Steve's right on when he says:

Challenge/response ... doesn't work. I'll give you an example. A PC World reader sends me an e-mail and I take a couple of minutes to respond. Then I get an e-mail challenging me, asking me to take an extra step -- click here, go to a Web site, or maybe stand in the corner and whistle a show tune.

Nope, not me, Pal. I've already been a good Netizen and responded to the reader's e-mail; and I'm not about to spend more time on this. If the person sending me the e-mail had a spark or two, they'd have added me to their whitelist before sending me a message. So I watched how I responded to getting a challenge e-mail, figured everyone else would do the same thing, and decided not to bother with it.

And if you're looking for the debate between me and Jeff Hendrickson, it's right here.

Thursday, 9 November 2006

Monday, 6 November 2006

PC World Offers Dangerous Spam Advice

Meet Steve Bass. Steve blogs at pcworld.com. Watch Steve blog. Blog, Steve, blog. Steve just blogged a bunch of spam filtering resources. Unfortunately, his list is heavy on the challenge/response FUSSP ("Final Ultimate Solution to the Spam Problem") meme. Ooops!

For the record, Choicemail's "unknown-sender registration" and the "bounce" features of MailSnoop and MailWasher are really terrible ideas. Both send mail back to the spam's "sender", and the sender of spam is almost always forged, so the bounce or registration request lands on an innocent third party.

I do wish consumer-focused journalists like Steve wouldn't promote these features -- he'll get his readers blacklisted, causing their email not to go through.

Update: Steve has responded. (If you're looking for the debate between me and Jeff Hendrickson, click here to read the latest discussion and follow the link at the end.)

For more background, see:

Thursday, 2 November 2006

IP over DAB Digital Radio

Speaking of DAB digital radio, Symantec's Ollie Whitehouse alerts us to the standard for tunneling IP over DAB, ETSI ES 201 735 [PDF]. This sounds extremely cool for broadcast or multicast data to inexpensive devices.

Looks like the HTC Monet uses this, not DVB-H (handheld DVB), to show TV. Virgin Mobile UK is branding it as the Lobster. El Reg has an interesting review.

Ollie is worried about the security aspects though:

Looking at this from a 30,000 ft viewpoint, a number of different and obvious attack surfaces appear to exist:
• The DAB protocol stack
• The IP stack
• Media codecs

Then, your mind starts to work:
• I wonder if they firewall the DAB connection on the device?
• Can I spoof content? If so, how hard is it to attack the media codec with this spoofed content?
• Is it possible to leverage that old IP stack DoS and take out every DAB-IP enabled mobile/cell phone in a 10-mile radius?

You end up with a situation where you could conceivably "broadcast" exploits to a geographic area if you were able to successfully attack any of the attack surfaces outlined above. It makes you think, doesn't it?

Update: also noted at...

Monday, 30 October 2006

Woo and Yay for the BBC and the TV "Tax"

Snigger: UNEASYsilence discovers that the UK has a TV licensing regime. Way to go with the up-to-the-minute news, Dan.

Considering the quality of the programming on BBC TV and radio is consistently amongst the best available, if not the best (IMHO), I’m really happy to contribute to the BBC this way. The moment “Aunty Beeb” stops giving value for money, that money’s going to be taken away from them. They know it, and the system works.

Also — “because of the unique way the BBC is funded” — the BBC has helped bring us technical leaps such as:

  • PAL colour (when the US had the awful NTSC standard)
  • 576 line TV (when the US had 480)
  • Digital stereo TV sound (when the US was doing analog)
  • RDS data over FM radio (which the US grudgingly picked up in a half-hearted way recently)
  • An open DAB digital radio standard (when the US was doing closed, incompatible digital radio)
  • DVB-T digital television at no extra charge, using robust COFDM (while the US mess about with the quite dreadful 8-VSB)
  • 16:9 widescreen TV broadcasts (when the US was still bickering about HD)
The regulatory regime means that the majority of the population have access to 20-30 TV channels, free of charge, from a relatively small antenna, which doesn’t need to be rotated when you change channels. Meanwhile in the US, TV antennae are butt-ugly and often need to be pointed at several different transmitters, hence the popularity of expensive cable TV.

Detector vans are rare anyway — they’re only used to gather evidence for prosecution. If your household doesn’t have a license, you’ll be “invited” to buy one. If you don’t get one, it’s up to TV Licensing to prove that you’re breaking the law.