The two days of presentations can largely be boiled down to the following bullets:
Spam volumes continue to increase, driven by the growth of botnets, networks of hijacked computers run by hackers and rented out to spammers.
Spam is one of many high-tech tools being used by organized crime and international terrorist organizations, and can be expected to play a major role in future conflicts between nations.
Oh, and the spam wars are a lot less exciting than they used to be. Case in point: unlike last time, there were no fist-fights at this year's shindig.
As the federal government's premier consumer protection regulatory agency, the FTC has been keeping an eye on the issue of unsolicited commercial email since 1997, when they held the first-ever governmental hearings on the topic.
I was honored to have been invited as a participant on two of the spam discussion panels at that event in 1997, and as I look back across those ten years, it all seems so quaint.
On that first panel, my fellow panelists and I spent half the time explaining to the regulators and the audience what spam was, why it was bad, and why they should care about something that was so seemingly insignificant.
In those days, spam was a very novel concept, because email itself was still pretty novel for the average user. Several members of the FTC admitted to having email accounts, but given the number of blank stares, the experience of receiving any email, much less spam, was pretty daunting for most of that august assemblage.
The FTC revisited the issue of spam again in 2003, where things got so heated that then-Commissioner Orson Swindle (a former Marine and Hanoi Hilton survivor) had to physically separate two attendees who nearly came to blows.
The tensions that were so evident in 2003 were nowhere to be seen in 2007. Even the appearance of the notorious Scott Richter, who once famously described himself in an interview on The Daily Show with Jon Stewart as not a spammer but rather a "high volume email deployer," was met with yawns.
What became quite clear during the course of the two-day event was that not a lot of progress has been made in the intervening four years since the last spam event. Proposals for increasing the security of email against forgeries and phishing, some of which were first debuted in 2003 (and at a subsequent event devoted to email authentication issues in 2004), are still being hotly debated instead of deployed.
Indeed, if there was any point of tension and conflict at the event, it was that advocates for one particular method of email authentication have been lobbying hard to get lawmakers and regulators to urge its adoption over other competing solutions.
The pressure seems to be enough that one representative of a major Internet service provider felt compelled to note publicly that those pressures were actually getting in the way of progress on improving email security.
While it was good to see a lot of old friends, colleagues, and all the other usual suspects from these anti-spam community functions, I came away from Washington D.C. scratching my head and wondering what it would take to make another Spam Summit worthwhile.
The sad truth is that I just don't see the need for another high-level spam confab unless and until some major changes are made in how email is sent and received. As was made clear by many of the conference's presenters, if we are to see any major progress in the fight, it will come from changing the ways in which legitimate email senders will be able to meaningfully differentiate their messages from the ever-growing floods of fraudulent and deceptive junk.