A monthly column of technology rambling, rumination and reality By: Jud Early, Corporate Vice President, Research, [TC]²
Slam, Spam, No Thank You Ma'm

Coming out of the store into the mall, Aunt Minnie was met by a handsome young man, accompanied by an attractive woman of about the same age. It seemed OK to stop and visit for a minute; they both seemed so nice and clean-cut. After the usual pleasantries, Aunt Minnie was asked if she would like to register for a chance drawing on a new car. Just answer a few questions, fill out the entry form and she would be on her way. Oh, and by the way, since she had been so nice to stop and speak with them and had answered the poll questions so well, would she like to submit entries for her closest family members and friends? After all, if they won the car, she would have been responsible, and surely would never be refused a ride if one were needed.

The following month, Aunt Minnie received a strange long distance bill in the mail. In addition, her usual telephone bill arrived a couple of days late, with a notation that the long distance service had been prorated to the date of termination. Soon, Aunt Minnie's friends and family members whom she had so wanted to help win the new car, received similar bills from the same carrier, and now had two bills with which to deal.

Aunt Minnie had just been slammed. Slamming is the practice of unauthorized transfer of long distance services from one carrier to another. Aunt Minnie's innocent looking contest entry forms had some very small print on the back that told one of the conditions for entry into the contest was to change long distance carrier. All perfectly legal – then. Slamming is now against the law. Federal regulators can levy fines against the long distance companies that employ such tactics.

Everywhere you look today, someone is asking for your e-mail address.
In a manner similar to the form used for phone service slamming, the chance to obtain something of value in exchange for your e-mail address is now commonplace, and even the most vigilant technologist is tempted by some offer or another to supply that precious e-mail address.

Newsletters, such as the Techexchange newsletter, live or die on the number of readers, and without addresses to which e-mail can be sent, newsletters will wither with loss of readership. That's why it's important to gather the e-mail addresses of those who really want to have the content of a publication pushed out to them on a regular basis. If the content has value, the reader will continue to accept, read, and act on the information. If the reader's interests change, or if the publication has changed focus, the reader may wish to opt out. That's why the Techexchange newsletter provides the chance to opt out with a link at the bottom of the page. Conversely, the ability for a first time reader to opt in, and to receive regular postings, is just as easy. All we need is your e-mail address, and your permission to send the e-mailing to you.

So far, so good, right? Yes, if all publishers of information operated like we in the reputable sector do. It is the publishers of UBE that are causing heartburn now. Unsolicited Bulk E-mail, otherwise known as Spam, is clogging the in-boxes of the business and personal user, and consuming massive amounts of bandwidth of the public Internet. The Internet is used to transport more than 95% of electronic mail today, with private networks making up the balance.

Aunt Minnie is safe from slamming now, except from those willing to risk steep fines and discipline from the FCC. With the new anti-spam law that just took effect, our e-mail should now be protected from spammers too, right? Sorry, but not so fast. On December 16, 2003, President Bush signed into law the CAN-SPAM Act. The law provides for both civil and criminal penalties for those who send UBE.
So, when can we see those fines levied, and when will all this spam end? Not soon, I'm afraid. There are two major sources of spam: spammers who are outside the international boundaries of the United States, and those who send spam from their homes and offices every day, and who may not even know that they are doing so.

As you might imagine, those who are outside the US, and thus outside the arm of the law, will continue to bombard the in-boxes of those to whom they mail daily, or even several times a day. Ads to improve your manhood, lose weight, increase libido, or attract members of the opposite sex abound in spam. Then there is the old spam staple, pornography. It seems the pornographers all have superior means to send spam.

In previous newsletters I have written about the need to secure your computers if they are connected to a persistent connection. This means that if you have a cable modem, a DSL line of any type, or a local area network connection, you are susceptible to being hacked unless you have a firewall and security monitoring software installed to prevent someone with malicious intent from taking over your machine. Unless you have your guard up, someone can probe for open ports on unprotected machines, find your machine on the web, and install a “back-door” through which your e-mail account can be used to send hundreds of thousands of e-mails daily, and you will be none the wiser. Much spam is sent at night. People sleep at night, so it is less likely that any slowdown of the computer will be noticed while the spammer's application runs in the background. After you sign off and go to bed, your machine can be fully utilized by the malevolent cretins.

This is not intended to be a scare piece. I want everyone to fully understand the potential for participating as an unknowing member of the spamming community.
I also want you to understand that it is socially responsible to protect your machine, and any machines used by others in your home or business that are connected to the Internet. Can you imagine the dismay and personal stress when innocent people are arrested and charged with spamming? The CAN-SPAM law will do little to slow down the determined spammers, but may result in unexpected visits from Federal officers seeking the spammer at your house.

What then, can be done? First, close up all security holes: from operating system and application patches to hardware and software firewalls, use the tools that are available to you to secure your own machines. Then proactively apply anti-spam tools to deflect the spam that will continue to flow to your e-mail address. Your ISP can only do so much. The level of spam blocking by Internet Service Providers must tread a fine line. If they are too aggressive, good e-mails will be quarantined, along with the spam. If they are relaxed enough to allow some of the questionable mail through, parents and responsible adults will register complaints in regard to either too much or too little spam filtering. My suggestion is that you do it yourself. Only you know what your tolerance is for false positives, as the tossing of good e-mails is called. Likewise, only you know how much spam you are willing to accept to be sure that good e-mails are not lost.

The future look and feel of e-mail is very uncertain. Yes, we will have e-mail. It may have a small fee attached for every e-mail sent. The thought is to make it economically unviable for a spammer to send out millions of e-mails, even if the cost is only a fraction of a cent. The basic flaw that I see in this approach is that legitimate ISPs must pass the mail through their servers, and collect the postage, but with spammers operating from outside the country, and from within the US through open mail relay servers, the ability to bypass the toll-taker is more than just a possibility.
Another means to deflect spam and other UBE is to install a challenge/response system on e-mail clients. To see what a challenge looks like, click on this link, www.networksolutions.com, and when the page loads, click on “whois”. Under “Search all whois records”, enter your web site address or that of someone you know. The next page to appear will show a whois code. The code is readable by a human, and is on a background that makes optical recognition more difficult. You are required to enter the code in the blank box below the code shown.
You have been challenged, and after entering the code, you have responded. This challenge/response is to limit access by robots to information contained in the whois database. The future e-mail client will have a similar mode to identify and connect the legitimate sender with the receiver of e-mail.

You may ask “Am I going to have to do this for every e-mail that I send?” At this time, the design of challenge/response mail clients is not sufficiently developed to know exactly how each will work. The conventional thought regarding challenge/response is that when you send an e-mail to a recipient for the first time, they will have to enter a code. At the same time, a flag is set in the recipient's machine that will recognize e-mail from you the next time, and will allow it into the in-box without challenge. You may fear someone obtaining the code or other element that provides the handshake with the intended recipient. This will likely be a single use code, so that the sending and receiving e-mail clients will be able to recognize each other, but the spammer will not be able to guess the “secret handshake” that has been agreed on for use the next time.

The challenge/response that you experienced at Network Solutions is on a public web site. The reason that this type of filter is more likely to be successful is that the processing time required by the spammer's mail server to optically recognize and enter the characters into the entry field would require so much more time to get each e-mail through the filter that the computer time at the server farm would be prohibitively costly. The code above, while adequate for the purpose, could be enhanced by altering the characters, sub or superscripting and font or italics on individual characters. Each level of complexity would add to the time it would take to capture the image, recognize it and enter it. There will be a tipping point that will break the backs of the spammers if this technique is used.
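
The first-contact challenge, the remembered sender and the single-use handshake described above, sketched as an added example (not part of the original column or of any shipping mail client). It assumes the sender is the one who answers the challenge and that the challenge reaches only the real owner of the sending address; the class, method and address names are hypothetical.

```python
import hmac
import secrets

class ChallengeResponseInbox:
    """Recipient-side filter: unknown senders are held until they answer a one-time code."""

    def __init__(self, max_attempts=3):
        self.inbox = []        # delivered (sender, body) pairs
        self.quarantine = {}   # sender -> bodies held pending a correct answer
        self.pending = {}      # sender -> [one-time code, wrong guesses left]
        self.handshake = {}    # sender -> token expected with the next message (the "flag")
        self.max_attempts = max_attempts

    def receive(self, sender, body, token=None):
        """Return ('delivered', next_token) or ('challenged', code_to_mail_back)."""
        expected = self.handshake.get(sender)
        if expected and token and hmac.compare_digest(expected.encode(), token.encode()):
            # Known sender presenting the agreed token: deliver, then rotate the
            # token so a captured value is useless for the following message.
            self.inbox.append((sender, body))
            self.handshake[sender] = secrets.token_hex(16)
            return "delivered", self.handshake[sender]
        # Unknown sender, or a forged From address without the token: hold the mail.
        self.quarantine.setdefault(sender, []).append(body)
        if sender not in self.pending:
            self.pending[sender] = [secrets.token_hex(4), self.max_attempts]
        return "challenged", self.pending[sender][0]

    def respond(self, sender, code):
        """Check a challenge answer; on success release held mail and return the first token."""
        entry = self.pending.get(sender)
        if entry is None:
            return None
        if not hmac.compare_digest(entry[0].encode(), code.encode()):
            entry[1] -= 1
            if entry[1] <= 0:              # guessing is bounded: drop the held mail
                del self.pending[sender]
                self.quarantine.pop(sender, None)
            return None
        del self.pending[sender]           # single use: the code cannot be replayed
        for body in self.quarantine.pop(sender, []):
            self.inbox.append((sender, body))
        self.handshake[sender] = secrets.token_hex(16)
        return self.handshake[sender]
```

Because the token rotates on every delivery, a message that forges a known sender's address but replays an old token is challenged again rather than delivered.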
Just how much inconvenience we as users of e-mail are willing to accept is an open question. I have heard dire predictions that e-mail will die and will be another technical flash in the pan. I do not endorse such thought, and am convinced that we will, within the next two years, have commercial solutions to the e-mail spamming problem that exists today.

In my January column, I mentioned that I would keep you abreast of our fight to end spam at [TC]². The following is to describe our efforts, and is not a commercial endorsement for any product that is mentioned. It is intended to be informative, and to allow our readers to avoid some of the pitfalls of a quick solution.

As an organization that has the highest standards for service to members and visitors, our web site had for years listed the e-mail address of each person. That was not seen to be a mistake at the time, but as robots began to harvest e-mail addresses for sale to bulk e-mailers, it was too late. Until recently, we would receive e-mail addressed to or from someone who had not worked at the company for years.

By the middle of 2003, the amount of spam entering our network had risen to an unacceptable level. In addition to the network bandwidth that was being consumed, and the distraction that can be caused by e-mail subject lines that contain interesting matter, the single biggest reason to eradicate spam is to proactively avoid the incidence of a hostile work environment. A spam message, despite warnings never to open one, can be opened by someone who is curious, at just the time that a co-worker comes into the cubicle or office where a totally objectionable image is displayed. This not only creates an environment where colleagues are embarrassed or put off by the viewing tastes of another, but in an extreme situation, can result in legal action. We wanted to eliminate this possibility and at the same time, allow everyone with an e-mail account to be secure in getting only legitimate e-mail.
Coincidentally, at about that time, Amazon.com ran a special on the anti-spam application “I Hate Spam”. It sold for about $20, and had a mail-in rebate for $19.99. For the cost of a postage stamp, and a little patience, each person could have his or her own anti-spam application running on the local machine, and could control the spam, but still allow newsletters and desired e-mail to get through. The price was right, just what a not-for-profit company needed to be fiscally responsible, and morally responsible too! Or, so we thought.

As the software boxes began to arrive, each user's machine in turn was installed with a licensed copy of the anti-spam application. At first, the decline in spam was dramatic, and it appeared that this was going to be a good solution. It didn't have the stamp of Big Brother all over it, but allowed each person to manage his or her own spam. As more machines had the application installed, small things began to occur. In some instances, but not all, multiple tool bars would load into the Outlook toolbar area, sometimes as many as four or five. Sometimes the mail client would hang, and have to be closed and re-started. These were nuisances but, with such an improvement, nothing that couldn't be lived with.

Within the next few months, as the spammers became more sophisticated, the application seemed to let more and more undesired content through. Some of the senior executives decided that it was better to have a switch that could turn the application on or off, and just manage the spam by deleting it in blocks. It was time for an enterprise solution.

Reviews of anti-spam tools were in all the IT journals and public technology magazines, and one that had high marks was Brightmail. Previously available only for large organizations, it was too big (read costly) to fit our needs. When a small business version was offered, we jumped at the chance to install a thirty day trial for all network users. The difference was immediate and dramatic.
False positives were not even found, and the amount of e-mail traffic was reduced by 92%. Still, there was the fear that a rogue virus or worm could ride into the network in an unrecognized e-mail, so a means to stop undesirable mail outside our network was needed. An appliance for handling e-mail which also had a resident version of Brightmail seemed to be the best solution. The Mxtreme appliance will stop rogue e-mail before it can get past our firewall, and with Brightmail, will shield us from spam to the extent that such an application can. With Kaspersky Anti-virus running on the appliance, and Symantec Anti-virus on the network servers and each user's desk, we have redundant virus and worm protection too.

This solution was not inexpensive, but we believe we have created an environment of low tolerance to objectionable material entering our systems, and the ability to prevent wasted time by not having to deal with undesirable content or situations that might arise from the uncontrolled entry of same. Stay tuned, I'll be reporting on any good or not-so-good things that occur. So far, it's great!

NTC Forum

Before signing off, I want to report on the National Textile Center Forum that was held at Hilton Head, South Carolina. Each year in February (not a great time for the beach), the Forum is held to showcase the research work of students and graduate students at eight NTC member universities, and a number of collaborating universities that have needed expertise in specific fields. This year is the first Forum for new Director Marty Jacobs. The event went off flawlessly, and everyone who attended seemed to enjoy the collegial environment and the opportunity to see large informative posters describing the current projects. In addition, “Corner Speakers” presented topics on research and science that drew good crowds. These “corner” events are informal and allow for interaction with the distinguished presenters.
The presenters are selected for scientific topics, or research that has relevance to the NTC mission, but are not connected with NTC sponsored projects.

The final morning of the Forum is devoted to presentations from one student at each of the participating schools. As is the usual case, each student delivered a strong presentation on the subject of his or her research. I'm convinced that the textile and apparel industry will be well staffed with bright graduates, many with Master's or PhD degrees, assisted in part by research sponsored by the NTC.

For descriptions of projects current and past, visit www.ntcresearch.org. The projects are grouped into four major competency areas: Chemical Systems, Fabrication, Intelligent Systems and Material Science. The first letter of the project name is the competency area, and the first letter following the hyphen is the school that has primary responsibility for the research. Clicking on one of the project descriptions will display a .pdf file that lists the names of the principal investigator and collaborators, often from other schools. The range of projects is broad, and the students all have a passion for the research subject.

Joe Cunning, who has served as Director for the past twelve years, remains involved as an advisor. The technical and support team that has been assembled over the years does a great job of keeping the Forum on track and all attendees well fed. Preparing packages for the review teams for each competency area, the technical support people make the work of the reviewers less daunting. The project review and evaluation process that precedes the funding ensures that the projects all embrace good science, and the industry involvement provides a connection to the end user's world.

If you are not familiar with the NTC, I suggest that you review the web site, and contact Marty Jacobs to see how you can get involved.

Next month: No clue! Search engines and ethics…