Slashdot Mirror

So THAT explains why my connection always gets so laggy when there's construction on the roads!

http://www.faqs.org/rfcs/rfc1149.html

Using the soc.culture.thai transcription:

maai^ mai' mai" mai" - new wood doesn't burn.
maai^ mai' mai" mai+(often pronounced mai^) - does new wood burn?
mai+ mai' mai" mai" - new silk doesn't burn.
mai+ mai' mai" mai+(or mai^) - does new silk burn?

It does have an open port. The client connects, and gets 16 bytes (sizeof(md5 hash)) as a salt. It then hashes this using HMAC-MD5 with a secret password, and sends the result (16 bytes) back. Fixed-length data all the way, essentially zero chance of buffer overruns. Essentially impossible to crack, except for dictionary attacks. So low-resource it runs fine on my Mac SE/30 webserver.

I call it Ostiary (mirror here) and I think it's damn secure.

There'll be a Linux Gazette article about it this month (Feb) when it comes out.

That's annoying. Apparently you can't access their web site with ECN turned on. In case it's causing problems for anyone else who turned on ECN in their kernel config, you can turn it off with 'echo 0 > /proc/sys/net/ipv4/tcp_ecn'. And yes, that does mean they are violating RFC 793. Anyway, if you're getting a connection refused error, and are using ECN, that's probably why. You can, as always, send complaints to webmaster@rochester.edu.

My digital cable box doesn't have an upstream link? Care to explain how I can order pay per view, watch video on demand, and various other two way activities via my remote control?

Simple, RFC1149.

link

Actually, RFC 1738 has been superceded by RFC 2396, which does include the user:password construct (refer to section 3.2.2)

• This document defines the generic syntax of URI, including both absolute and relative forms, and guidelines for their use; it revises and replaces the generic definitions in RFC 1738 and RFC 1808.

RFC 2396, though I still doubt it's mandatory. They don't mention http specifically regarding user/passwords, and they can't mandate it across all URLs (eg. specifying a password in a finger://... URI wouldn't make much sense). Also, HTTP has multiple ways to specify a HTTP user/pass (eg. basic, digest, basic+SSL, method=get, method=post), so that further confuses the idea of a universal way to specify usernames in addresses.

Actually yes, It's RFC 2396.

Mozilla and I'm assuming Firebird do have this functionality.

It's not hip anymore, unless you work for a company that is still in the pre-dot-com-hype-cycle, but there used to be a time when putting an @ (at) sign in a name or a brand would create this e-internet feeling. corry even started the //dont abuse the at sign compaign somewhere in 2000.

During the rise of this @buse (atbuse?), a Dutch TV show for kids called z@ppelin started out. It's primary a TV show, but like any multi-channel-format thingy, they ought to have a website as well.

When they first aired their commercials with the URL in it, i felt sorry for all the kids. They url was z@ppelin.nl and I know most RFC's by heart so I //knew at-signs are not allowed in hostnames or domainnames. So typing in this URL would lead the kid towards a friendly IE page cannot be found. And even dad -who works as an IT consultant- couldnt solve it because they never teached him anything about open standards during his elite MCSE training of 4 days.

Or so I thought...

And then the commercial aired again. And again. And I started wondering, they are not that stupid at our national broadcast organisation. And then it hit me, the use the user:password@fullyqualifieddomainname trick; where the user is z, the password is empty which leads to user z @ host ppelin.nl.

So all usering logged in are the user Z and the domainname is ppelin.nl! Neat I thought, cool trick! (See for your self by going to //ppelin.nl)

Years passed... And then... Microsoft f*cked up again, a huge //hole -big enough to drive a truck through- showed up in Internet Exploiter. One can misuse the user:password@fqdn in a bad way. Microso~1 promissed there won't be any hotfixes during the month December 2003. So they ignored this bug. And they ignored... up to the point that banks took down their online service because of the risk of URL spoofing

So micoshaft //wrote an entry in their kbase, asking endusers ... to stop clicking on the blue underline things (we like to call them links) in the browser and type the full URL -including javascript!- in the browser. Well, that didnt do the trick Redmond!

Once their usability is a mousepointer department heared about this -days later- they decided there must be another way. Stop support of putting userid, password in a URL;

Microsoft will soon release a software update for IE that will end that browser's ability to accept Web URLs (Uniform Resource Locators) that hide the address of the Web page being displayed using the @ symbol. The update will remove a feature that is being exploited in scams that use spoof Web sites to harvest personal information from unsuspecting Internet users, Microsoft said in a note posted on its Web page Tuesday.

(source: //infoworld)

This will not only break the //HTTP standard (now that would be a primer) but also the hearts of thousends of young childeren trying to access http://www.z@ppelin.nl. And not seeing a cute site but a friendly IE page cannot be found error on a saterday morning. I can feel the pain..

It's not hip anymore, unless you work for a company that is still in the pre-dot-com-hype-cycle, but there used to be a time when putting an @ (at) sign in a name or a brand would create this e-internet feeling. corry even started the //dont abuse the at sign compaign somewhere in 2000.

During the rise of this @buse (atbuse?), a Dutch TV show for kids called z@ppelin started out. It's primary a TV show, but like any multi-channel-format thingy, they ought to have a website as well.

When they first aired their commercials with the URL in it, i felt sorry for all the kids. They url was z@ppelin.nl and I know most RFC's by heart so I //knew at-signs are not allowed in hostnames or domainnames. So typing in this URL would lead the kid towards a friendly IE page cannot be found. And even dad -who works as an IT consultant- couldnt solve it because they never teached him anything about open standards during his elite MCSE training of 4 days.

Or so I thought...

And then the commercial aired again. And again. And I started wondering, they are not that stupid at our national broadcast organisation. And then it hit me, the use the user:password@fullyqualifieddomainname trick; where the user is z, the password is empty which leads to user z @ host ppelin.nl.

So all usering logged in are the user Z and the domainname is ppelin.nl! Neat I thought, cool trick! (See for your self by going to //ppelin.nl)

Years passed... And then... Microsoft f*cked up again, a huge //hole -big enough to drive a truck through- showed up in Internet Exploiter. One can misuse the user:password@fqdn in a bad way. Microso~1 promissed there won't be any hotfixes during the month December 2003. So they ignored this bug. And they ignored... up to the point that banks took down their online service because of the risk of URL spoofing

So micoshaft //wrote an entry in their kbase, asking endusers ... to stop clicking on the blue underline things (we like to call them links) in the browser and type the full URL -including javascript!- in the browser. Well, that didnt do the trick Redmond!

Once their usability is a mousepointer department heared about this -days later- they decided there must be another way. Stop support of putting userid, password in a URL;

Microsoft will soon release a software update for IE that will end that browser's ability to accept Web URLs (Uniform Resource Locators) that hide the address of the Web page being displayed using the @ symbol. The update will remove a feature that is being exploited in scams that use spoof Web sites to harvest personal information from unsuspecting Internet users, Microsoft said in a note posted on its Web page Tuesday.

(source: //infoworld)

This will not only break the //HTTP standard (now that would be a primer) but also the hearts of thousends of young childeren trying to access http://www.z@ppelin.nl. And not seeing a cute site but a friendly IE page cannot be found error on a saterday morning. I can feel the pain..

Pigeons were used instead of email in India until 2002.

Avian carriers are used commercially even today to deliver digital photographs.

Pigeons were used instead of email in India until 2002.

Avian carriers are used commercially even today to deliver digital photographs.

On the other hand, NASA has developed a new space telescope with a better mirror that is scheduled to be launched in 2011.

It is very important for NASA to do valuable science, but why not do it cost effectively? The cost of a shuttle mission, estimated at about $400m - $500m, is almost half of the whole budget for the next generation space telescope ($825m).

Actually RFC 1738 is supersceded by RFC 2396 which specifically does away with that artificial limitation, however it DOES warn against doing so as it is a security concern. So they removed the limitation but told you not to do it becuase they knew from experience that it would lead to problems. Sounds like a much better standard to me, let you shoot yourself in the foot if you want to =)

Which would be correct, except that RFC1738 is obsoleted by RFC2396, which does allow for user names.

(There's an interesting "discussion" over on Mozilla's bug id 122445 - regarding this, too)

3.3. HTTP

The HTTP URL scheme is used to designate Internet resources accessible using HTTP (HyperText Transfer Protocol).

The HTTP protocol is specified elsewhere. This specification only describes the syntax of HTTP URLs.

An HTTP URL takes the form:

http://<host>:<port>/<path>?<searchpar t >

where and are as described in Section 3.1. If : is omitted, the port defaults to 80. No user name or password is allowed. is an HTTP selector, and is a query string. The is optional, as is the and its preceding "?". If neither nor is present, the "/" may also be omitted.

Within the and components, "/", ";", "?" are reserved. The "/" character may be used within HTTP to designate a hierarchical structure.

I declare the OS war over with all OS's being shit!

Also known as the Vulcan Nerve Pinch

in the absense of a standardized remote-access protocol for SMTP

Where did you get this idea? SMTP AUTH has been around for a long time. Go read rfc 2554.

Even outlook and outlook express have supported smtp auth for quite some time.

No, that's part of RFC 1738 (as linked to above). Look at section 3.1 for that exact scheme. This is a case where they are (soon: were) standards compliant.

-- MarkusQ

3.1. Common Internet Scheme Syntax While the syntax for the rest of the URL may vary depending on the particular scheme selected, URL schemes that involve the direct use of an IP-based protocol to a specified host on the Internet use a common syntax for the scheme-specific data:

//<user>:<password>@<host>:<port>/<url-path>

...and so on. The RFC seems to allow indicate this indeed is a valid URL contruction.

Here ya go:

rfc3271
rfc1607

Could be others...

Here ya go:

rfc3271
rfc1607

Could be others...

A large proportion of DNS traffic on the Internet could be eliminated if all resolvers implemented negative caching. With this in mind negative caching should no longer be seen as an optional part of a DNS resolver.

Be careful to follow the MS standard when sending UserAgents:
Name/#.# (xxx; xxx #.#; xxx)

At least one major webmail program insists on the semicolons. It returns a VB error if it cannot find a semicolon. (Yes, this has more to do with poor programming than the VB language.) This mail program is either used by many websites, or they all hired incompetent programmers.

I discovered this when testing a Java program that retrieves webpages. The UserAgent was originally "Java1.3.1", and kept returning error pages. I knew the error was not in my program since my code was not VB.

The RFC1945 section 3.7 says the product tokens should be "Name#.#". User-Agent is specifically detailed in section 10.15. RFC2068 is the update in sections 3.8 and 14.42. Neither mentions using semicolons, or even using parantheses for additional comments. Just that the product should be a name with an optional "/" and a version number.

NOTE: Java is missing the slash in its product name. Since the slash is to precede the version, "Java1.3.1" is just a product name, and there is no version number. Is this what Sun meant? (This also happened with the IBM JVM, so I assume it is in the specification.)

Since MS started it, most browsers add a paranthesized section to identify their true name, since they all claim to be Mozilla. At least one VB programmer thinks this is the true specification. I wonder what he thinks Mozilla is. (Oops, sexist. Any female want to argue that they can program that poorly too?)

---
If you want to see the error, send a UserAgent without semicolons to "webmail4.mail1.com".

Their homepage says:
Univeral Access: Use any software like Outlook

I wonder if they know there is no other software as bad as Outlook, or that Outlook is far from Universal. Or did they mean that using software like Outlook guarantees Universal Access, meaning everybody has access to your data?

Be careful to follow the MS standard when sending UserAgents:
Name/#.# (xxx; xxx #.#; xxx)

At least one major webmail program insists on the semicolons. It returns a VB error if it cannot find a semicolon. (Yes, this has more to do with poor programming than the VB language.) This mail program is either used by many websites, or they all hired incompetent programmers.

I discovered this when testing a Java program that retrieves webpages. The UserAgent was originally "Java1.3.1", and kept returning error pages. I knew the error was not in my program since my code was not VB.

The RFC1945 section 3.7 says the product tokens should be "Name#.#". User-Agent is specifically detailed in section 10.15. RFC2068 is the update in sections 3.8 and 14.42. Neither mentions using semicolons, or even using parantheses for additional comments. Just that the product should be a name with an optional "/" and a version number.

NOTE: Java is missing the slash in its product name. Since the slash is to precede the version, "Java1.3.1" is just a product name, and there is no version number. Is this what Sun meant? (This also happened with the IBM JVM, so I assume it is in the specification.)

Since MS started it, most browsers add a paranthesized section to identify their true name, since they all claim to be Mozilla. At least one VB programmer thinks this is the true specification. I wonder what he thinks Mozilla is. (Oops, sexist. Any female want to argue that they can program that poorly too?)

---
If you want to see the error, send a UserAgent without semicolons to "webmail4.mail1.com".

Their homepage says:
Univeral Access: Use any software like Outlook

I wonder if they know there is no other software as bad as Outlook, or that Outlook is far from Universal. Or did they mean that using software like Outlook guarantees Universal Access, meaning everybody has access to your data?

...IP over avian carrier!

...deleting all of the capitol letters...

Isn't the local-part of an email address case-sensitive? At least, that's how I read the spec.

I don't think you know what UTF-7 is. It's not a character set; it's an encoding of the Unicode character set. All Unicode characters can be represented in UTF-7; the copyright symbol is +AKk.

making bloated .config files that just take up more room.

And I bet parsing XML is a bit slower (at least) then just parsing these easy .config files

For all you that think MS coders are idiots, no, they're not. Look, from a programming standpoint, wouldn't you rather be calling an API from a controller environment that you *know* works that hoping a third-party library works the way it's "supposed to"? You'd better. One might nearly rightly complain I'm showing some of the "ferocious Not Invented Here complex", but there's some reasoning behind the madness. If you want your program to work right, you use what is, in your opinion, the most reliable means to make that happen.

But before you rightfully flame me out of existence, what MS has to understand is that they're not in a position to "do things right" here. There are cultural reasons -- not programming/techincal ones -- that they have to keep in mind. They've been, with reason, found to have leveraged their vast dominance over the desktop OS market into the Internet browser market as well. That's unfair. MS *has* to open up their apps to allow a user's choice or they're, once again, arguably illegally abusing monopoly status.

The lesson here, and it's what most everyone not calling MS hackers a bunch of idiots (which they obviously aren't. I've never seen a better set of ideas come from one company -- at least before they're run though the MS Profit Maximization Machine, (c) 198x) is arguing, whether they know it or not: These cultural lessons aren't being taught to their programmers. Here, MS is culpable, and the people responsible should be held accountable.

Actually, there's an even older RPC (dated August 13, 1982) which describes the e-mail address layout (in addition to lots of others), RFC 822 - Standard for the format of ARPA Internet text messages, which describes the layout of an e-mail address of the form 'local-part "@" domain', as well as a domain as 'sub-domain *("." sub-domain)'.

I think there's obvious prior art here.

From the patent documentation:

1. A method for assigning URL's and e-mail addresses to members of a group comprising the steps of:

assigning each member of said group a URL of the form "name.subdomain.domain"; and

assigning each member of said group an e-mail address of the form "name@subdomain.domain;"

wherein the "name" portion of said URL and said e-mail address is the same and unique for each particular one of said members such that an only difference between said URL and said e-mail address for said member is that in said URL the "@" symbol of the e-mail address is replaced with a "." and wherein said "subdomain" portion of said URL and said e-mail address is the same for all members of said group.

This is the precice format for e-mail addresses in DNS zone file, for the SOA record. See RFC 1034, section 3.3. Date of prior art, 1987.

I don't think this author understands the Internet architecture, nor IPv6's design goals. Perhaps he should before he critiques it.

Here are the essential URLs :

RFC 1958 - Architectural Principles of the Internet The end-to-end argument demands that all communicating devices each have a unique network layer address.

RFC 1752 - The Recommendation for the IP Next Generation Protocol The design goals of IPv6, including a critque of the proposals for it, including TUBA - TCP and UDP with Bigger Addresses.

He may also be interested in learning why NAT is not so "perfect" or even "good enough" solution :

RFC 2993 - Architectural Implications of NAT

Things that NATs break

Some people say there is nothing wrong with NAT. To them, I'd propose the following analogy.

Imagine you had only ever seen the world through empty toilet rolls - ie. without your peripheral vision. If that is all you knew, that is as good as you'd think the world was. IPv6, restoring full and unique device addressing, restores the Internet's "peripheral vision" - it removes the Internet's empty toilet rolls.

We may have already missed out on the next "killer app" after the WWW, as it required unique, end-to-end addressing, and the prevalance of NAT prevented it from being deployed.

I don't think this author understands the Internet architecture, nor IPv6's design goals. Perhaps he should before he critiques it.

Here are the essential URLs :

RFC 1958 - Architectural Principles of the Internet The end-to-end argument demands that all communicating devices each have a unique network layer address.

RFC 1752 - The Recommendation for the IP Next Generation Protocol The design goals of IPv6, including a critque of the proposals for it, including TUBA - TCP and UDP with Bigger Addresses.

He may also be interested in learning why NAT is not so "perfect" or even "good enough" solution :

RFC 2993 - Architectural Implications of NAT

Things that NATs break

Some people say there is nothing wrong with NAT. To them, I'd propose the following analogy.

Imagine you had only ever seen the world through empty toilet rolls - ie. without your peripheral vision. If that is all you knew, that is as good as you'd think the world was. IPv6, restoring full and unique device addressing, restores the Internet's "peripheral vision" - it removes the Internet's empty toilet rolls.

We may have already missed out on the next "killer app" after the WWW, as it required unique, end-to-end addressing, and the prevalance of NAT prevented it from being deployed.

I don't think this author understands the Internet architecture, nor IPv6's design goals. Perhaps he should before he critiques it.

Here are the essential URLs :

RFC 1958 - Architectural Principles of the Internet The end-to-end argument demands that all communicating devices each have a unique network layer address.

RFC 1752 - The Recommendation for the IP Next Generation Protocol The design goals of IPv6, including a critque of the proposals for it, including TUBA - TCP and UDP with Bigger Addresses.

He may also be interested in learning why NAT is not so "perfect" or even "good enough" solution :

RFC 2993 - Architectural Implications of NAT

Things that NATs break

Some people say there is nothing wrong with NAT. To them, I'd propose the following analogy.

Imagine you had only ever seen the world through empty toilet rolls - ie. without your peripheral vision. If that is all you knew, that is as good as you'd think the world was. IPv6, restoring full and unique device addressing, restores the Internet's "peripheral vision" - it removes the Internet's empty toilet rolls.

We may have already missed out on the next "killer app" after the WWW, as it required unique, end-to-end addressing, and the prevalance of NAT prevented it from being deployed.

My experience of SFU was that it was much more reliable than Hummingbird's implementation of NFS client.

Almost anything is more reliable than Hummingbird's NFS.

Viewing the file in hex and yelling it out across the room to somebody else who types it back in is more reliable than Hummingbird's NFS.

Because it doesn't need to query for an address like DHCP. It first of all makes up its own address using a defined prefix and a MAC address, and then asks the router (using a method in the protocol, not something bolted on like DHCP) what network it is in. Combines the network address and the MAC address to have a unique network address.

Explain this. Quote from the FAQ: 'Auto-configuration does not cover information about further services in the network.'. I still don't see how you'll get the same services than DHCP without using DHCPv6.

In some cases, the memory used will be less as the routing tables are smaller. You don't need to have nearly so many special cases cause in IPv4 due to a lack of address space (i.e. no routing entry for that little /28 network). All you need is the route to the larger network (/80 or larger), which is split up into parts at the appropriate place.

And what about the network at the top of everything ? Sorry, doesn't work like that you don't just 'need the route to the larger network'. For explanation read the RFCs (this one is a good beginning).

IPv6 is MUCH more complex than IPv4 in every aspect. Even routing.

Besides that, there were severe graphics issues, you had to have them in the arcane .wpg format.

Actually .wpg is a well-documented format.

About 14 years ago I remember writing a library for outputting charts in .wpg format. It wasn't too difficult because the docs were quite good. This was for vector graphics, though, which probably isn't what you want. There are free (as in beer) Windows programs which convert other formats to wpg; a quick Google turned up Paint Shop Pro, there must be others. On Linux there is ImageMagick which is also downloadable at no charge.

Me Too!

The best way to do this would have been to use anonymous remailers and a nym address. Then you are protected from ISPs subpoenaing logs, as well as the email being encrypted and bounced around the net before it ends up in your inbox.

Those interested in finding out more about anonymous remailers should take a look at the APAS FAQ

However, were he to have the final email arriving in his Outlook, and he decrypted it with the PGP plugin, then a web bug could well have taken effect.

More likely they used some unpublished vulnerability in Outlook, possibly even one that the FBI found themselves...?

It's not exactly C, IMHO, but it is C-plus-Unix. Since programmers make these sorts of "all-the-world's-a-VAX" assumptions depressingly often, hardware manufacturers are forced to cater to their idiocy, even if C itself doesn't technically require it, C-as-typically-programmed does.

Linux, BeOS, an Entertainment Center PC, etc. aren't exactly mainstream, ya know?

This product is for the uncles, parents and other people out there who had you install Ethernet for. Yes, it's spendy but it is still something to consider (or reverse engineer) because you can do the whole backup thing via "set it and forget it" applications (for Windows 2000/XP).

For those of us who just need (expandable) network storage, I'm buying one of these bad boys. It's cheaper, expandable and can be plugged into my server closet.

For those of you who have this thing about off-site storage, let me know if your ISP minds you using GBs of data on a regular basis and if it's worth the time to push that much data to an FTP site (like this). You might as well use RFC1149 if broadband isn't available to you!

In summary, buy an external HDD and a fire-proof safe. Backup your data regularly. And don't accept candy from strangers.

Zounds. Can we expand Godwin's law to Al Queda?

If you want to have two completely anonymous, very large systems talk to each other, SOAP isn't a bad way to go. But how many of us are working for giant firms that require building hooks into our system for a completely anonymous client?

Do note that you can also substitute "anonymous client" with "corporation with a heck of a lot of red tape".

As another post in this thread has already well put, SOAP is the compromise product of a number of these giant corporations. It doesn't do nearly so well when you've got two reasonably-sized *partners* (much less something in-house) working on a very specific product.

Because so many practical implementations don't need all the overhead of SOAP, you see tons of much easier implementations, like XML-RPC, that don't get the same press. This lack of press (so lack of manager buy-in) combined with the one-shot nature taken by so many coding projects, with a bit of the "Not Invented Here complex" thrown in, and I think we begin to see why so many people are scratching the same itch.

RPC causes untold security/authentication headaches and is often hard to program with besides.

See ESR

It's easily capable of representing objects, platform independent, encryptable (via SSL), compressable (via gzip [and probably SSL as well]), and textual.

The advantages of being textual in your protocols is well laid out in Eric Raymond's book The Art of Unix Programming. He even treats it as a case study.

It's easily capable of representing objects, platform independent, encryptable (via SSL), compressable (via gzip [and probably SSL as well]), and textual.

The advantages of being textual in your protocols is well laid out in Eric Raymond's book The Art of Unix Programming. He even treats it as a case study.