Stop Phishing - My Christmas Present & Simple Envelope Transfer Protocol Student Project Proposal

ceo@secureplay.com (SecurePlay) — Fri, 26 Dec 2008 08:00:44 -0800

I don't know about you, but I received a ton of Christmas spam and phishing attempts this year.

I'm tired of it.

An awful lot of spam and phishing attacks are based on a very simple form of email fraud - the crooks spoof email content & source addresses to convince readers to open, read, and act on email.

This actually works with "snail mail" as well:

I create a pretty envelope that looks official and "FROM" whomever I want, send it to you... you read it because it looks credible (my latest such junk mail has been a wave of "GE Warranty" offers for my appliances and car).

There are a lot of anti-phishing proposals out there. The key to almost all of the proposals is that they have a business model tied to them:

1. Charge people for "junk" email.
2. Digital certificates of some sort (see previous article on why PKI is worthless from a security perspective).

Now, I'm not going to stop all spam and phishing, but my goal is to raise the bar a good bit...

and (unfortunately), I'm not going to make a dime (I think there are a number of Internet security problems that are in this category which is why they are lingering)... at least not directly.

Basically, my proposal is to make the "return address" (the sender) meaningful by tying the mail message to the return address.

I do this by mailing an "envelope" rather than the mail body (or multiple body parts). The envelope includes the "From Line": sender@itglobalsecure.com.

I call it the Simple Envelope Transfer Protocol.

All of the message body (including any plaintext) is indicated by a Relative URL to that person:

http://itglobalsecure.com/sender/[uniquemessageID]/body.txt

which is included in the message envelope as:

../[uniquemessageID]/body.txt

for each message body part and attachment.

So, if you want to send a message and make it appear to be from me, you have to have access to my web/mail server or spoof DNS (hey, I didn't say I was solving every problem).

There are a large number of advantages to a mail system that sends envelopes and not messages (and some disadvantages)....

but it makes the "Stupid Spoofs" of email for spam and phishing a good bit more difficult.

.. and its free.

I wrote a white paper on this a while back, so check it out at IT GlobalSecure

Merry Christmas.

Any Angels? Web Sites or Services? Portable Online Identity Service to Protect Privacy and Outsource Identity and Access Control Coming Soon

ceo@secureplay.com (SecurePlay) — Mon, 14 Jan 2008 08:53:18 -0800

I have been writing more and more about identity issues lately. It is an important issue for online gaming, but it much, much more than that. First of all, I think it is a profoundly important issue online and something that has not been handled well. Numbers like $49 Billion in Identity Theft in the US in 2006 should be unacceptable to us all.

And I'm doing something about it.

Continue reading "Any Angels? Web Sites or Services? Portable Online Identity Service to Protect Privacy and Outsource Identity and Access Control Coming Soon"

Designers Notes - Boroco - Multi-Player Sudoku Variant

ceo@secureplay.com (SecurePlay) — Sun, 13 Jan 2008 08:13:03 -0800

I've been mulling over a multi-player Sudoku variant for quite a while. I've not been happy with the attempts that I've seen to take this amazingly popular puzzle and turn it into an online, multiplayer game.

Rather than whining about it, I've built my own version.
Continue reading "Designers Notes - Boroco - Multi-Player Sudoku Variant"

PlayNoEvil - Game Security, IT Security, and Secure Game Design Services - Contact Us at ceo@secureplay.com - Projects

Stop Phishing - My Christmas Present & Simple Envelope Transfer Protocol Student Project Proposal

Any Angels? Web Sites or Services? Portable Online Identity Service to Protect Privacy and Outsource Identity and Access Control Coming Soon

Designers Notes - Boroco - Multi-Player Sudoku Variant