You don't need to send 32GB of emails, you only need to send 32GB of traffic. Setting up a TLS connection and sending EHLOs ad infinitum can generate traffic without hitting any "message size < 8MiB" filters.
What's the threat model here? A scenario where the attacker controls the plaintext being sent but doesn't know what the plaintext is seems quite unlikely.
Search for 'sweet32 attack'. It's pretty much this technique - I think.
The CVE mentions that attack type at least, and it has its own .info site to explain what it is...
The message type jeroenhd mentioned is useful here, as it generates a predictable response from the server, without having to send actual email over it or authenticate against it. (So an external attacker can generate the needed encrypted traffic, with predictable / known plaintext.) They don't know the emails being sent, but they do know the response to EHLO. Once the attack is achieved, they have a key, and can also decrypt other traffic sent by the service if you manage to capture it.
I'd say the threat model or whatever is thus: someone who can sniff your email traffic and can speak to your SMTP server. (If they can do the first, certainly they can do the second.)
It's much harder to get to the email traffic outside of your network, but not impossible. (An ISP for example can grab it easily.... - so in certain regions this might be a big risk - nasty governments etc..)
In your example, the attacker already has the session key for the TLS connection, so they don't need to run this attack to decrypt the traffic on that connection. And running the attack does not help them decrypt any other connections.
Sweet32 depended on the attacker being able to send an arbitrary amount of traffic over a connection where they did not control either of the endpoints, and with that connection also carrying the data they wanted to steal. That doesn't map at all to the proposed "infinite stream of EHLOs" attack.
The suggested attack was the attacker writing an infinite stream of EHLOs on a connection. What's the scenario where an attacker has full control of the SMTP control framing, but doesn't have access to the payloads?
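To make the "32GB of traffic" figure in this thread concrete, here is an added example (not posted by any commenter) that evaluates the Sweet32 birthday bound for a 64-bit block cipher such as 3DES in CBC mode versus a 128-bit block cipher, and flags OpenSSL-style cipher suite names that rely on a 64-bit block so a defender can check what a server still offers. It assumes the standard approximation p = 1 - exp(-n^2 / 2N) and a hand-picked list of name markers.

```python
import math

def collision_probability(traffic_bytes: int, block_bits: int) -> float:
    """Probability that at least two ciphertext blocks collide (birthday bound)
    after encrypting traffic_bytes under one key with a block_bits-bit block
    cipher in CBC mode. Uses p = 1 - exp(-n^2 / 2N) with n blocks, N = 2^bits."""
    n_blocks = traffic_bytes // (block_bits // 8)
    space = 2 ** block_bits
    # expm1 keeps precision when the exponent is tiny (the 128-bit case)
    return -math.expm1(-(n_blocks ** 2) / (2 * space))

def traffic_for_probability(p: float, block_bits: int) -> int:
    """Bytes that must be sent under one key before a block collision
    occurs with probability p (inverse of the approximation above)."""
    space = 2 ** block_bits
    n_blocks = math.sqrt(2 * space * math.log(1 / (1 - p)))
    return int(n_blocks) * (block_bits // 8)

# Assumed markers for 64-bit block ciphers in OpenSSL cipher suite names
SIXTY_FOUR_BIT_BLOCK_MARKERS = ("3DES", "DES-CBC", "IDEA", "RC2", "BF-")

def uses_64bit_block(cipher_suite: str) -> bool:
    """True if the suite name indicates a 64-bit block cipher (Sweet32-relevant)."""
    name = cipher_suite.upper()
    return any(marker in name for marker in SIXTY_FOUR_BIT_BLOCK_MARKERS)

if __name__ == "__main__":
    gib32 = 32 * 2 ** 30
    print(f"3DES after 32 GiB: {collision_probability(gib32, 64):.3f}")   # ~0.393
    print(f"AES  after 32 GiB: {collision_probability(gib32, 128):.3e}")  # negligible
    print(f"3DES bytes for 50% collision: {traffic_for_probability(0.5, 64) / 1e9:.1f} GB")
    print(uses_64bit_block("ECDHE-RSA-DES-CBC3-SHA"), uses_64bit_block("ECDHE-RSA-AES128-GCM-SHA256"))
```

The 32 GiB figure is 2^32 blocks of 8 bytes, which lands right at the 39% mark; the same volume under a 128-bit block is nowhere near the bound.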
This pearl clutching is ridiculous.
The harm caused by this is not even at the level of harm regular advertising causes on a daily basis.
We blast people with ads for "food" that we know causes obesity and diabetes. As others have mentioned, the horse had well and truly bolted on psyops on internet boards. All this does is bring it into the open.
I ran labs in my university in Europe, in the early 2000s, and I'd like to think this would not have happened. We were selected as tutors due to our proficiency and dedication to the subject. Maybe it was a fluke, I've heard similar stories recently about local Unis.
Been using it for a year or two, but recently I've been making heavy use of LLM results using the ? character. I actually discovered this by accident while searching. Even though I have a ChatGPT subscription, the Kagi interface is faster to use for simple questions and I have web results underneath as a backup if the LLM answer isn't good enough. I agree with another poster that being able to test ultimate would be nice before I shell out more money.
Far more serious is that these disposable vapes are easily accessible to kids as young as 12. Literally one third of the kids in my child's secondary school are vaping in the toilets between classes. It would be much harder to do this if they had to pay for and use a large permanent vape. It's an epidemic and that is not hyperbole. The environmental gains of this ban are just icing on the cake.
Yes I enjoyed and used the ads in print computer magazines in the 90s.
I think having highly relevant, content based static inline first party ads is tolerable and occasionally useful. Especially for specialist hardware / software. 3rd party ads that track you across the Internet are just evil and I will block them forever. As others have said, I would probably pay €50 per month for news, but not to a handful of mainstream sites. I need broad diverse coverage. Some micro transaction system is needed.
People advocate for micro-transactions as an alternative to the current system of funding content with invasive, data-collecting advertising. I just don't see it working the way proponents say it would, even if micropayments were technically feasible, which they are not.
I wrote a short post on the topic[0] but to save you a click here is the main point: We all complain about advertising that tracks users now. Imagine how valuable the data would be for paying customers. Now consider which micropayment provider you would trust with that information.
+1 on this. Number one source of bugs at a recent job was a homebrew TLS / HTTP load balancer. First chance I got I replaced it with nginx and bugs shot down immediately. With tools like apache, nginx, haproxy and caddy available, it was pure madness to reinvent that wheel... But the dev wanted open source CV padding...
I have no affiliation.