Domain: pan-am.ca
Stories and comments across the archive that link to pan-am.ca.
Comments · 19
-
The Sims (2) was Badly Designed and Not Tested.
That's not Microsoft's fault that EA Games decided to use a broken copy protection scheme.
It took me two weeks off and on to fix an old Windows game (Quake II) to work as a limited user in XP. http://www.pan-am.ca/testing.html And I'm not a full time games programmer. What's EA's excuse? -
Limited Users in WinXP and Games That Need Admin2004 saw the release of many popular games that required the user to use Windows XP or Windows 2000 as an administrator user. The reasons for this vary wildly from "bad design" (laziness, lack of testing) to "bad design" (copy protection) to "bad design" (anti-cheat software) and "bad design" (everything in between). We're talking as recent as The Sims 2 released only this year, or Jedi Knight: Jedi Academy.
I'm a professional security consultant and my clients (including home clients) use their computers as limited users to protect against spyware and viruses before the fact. It pains me to explain to a client that they can't play the latest games they want to play without turning off all of the safety features their operating system provides for free. And it isn't hard to design for security either; I modified Quake II in two weeks off-and-on to work.
After four years of Windows 2000 and two years of Windows XP, why are we not seeing games that support the safety features included in these modern operating systems? Does City of Heroes even work properly with them turned on?
-
About other IT admins asking for help...
I've read a few posts saying they face similar problems. I'm going to brag, boast and strut some more but only to the extent that I can help you, the IT department in your company, stop these things before the fact.
Please read my journal for theory (limited users, current and patched versions of MS Office, etc). Please ask me directly for experience in this (making misbehaving apps work, recommending alternative apps, etc). I get paid to do this for a living, but I can help you keep your costs down by teaching you what I know. Do consider it. The website is http://www.pan-am.ca/ and you'll find a phone number and a contact address there. -
But Windows already HAS anti-spyware capability!
It's called "The Limited User."
At least current and supported versions of Windows have this. Even home users with XP Home can use this powerful safety guard built into Windows since Win2K effortlessly. It's all the other software vendors, who write apps not designed for current versions of Windows, I'm worried about!
http://www.pan-am.ca/newsletter/ -
Best Mod Ever: Make UT work as a Limited UserWindows game authors are the laziest when it comes to designing for security... ok, they're second only to travel software companies.
My vote for Best Mod would be the one that lets me play UT without requiring Power User or Administrator access on XP or Win2K. That way I could set up an internet cafe / LAN party place without having to worry if the customers wreck the machines.
I mean come on. If I can fix Quake II, then the makers of UT can fix UT. Or a talented mod author can.
-
No, this is a fault of Developers (Microsoft too!)
No, this is a fault of Windows.
No, this is a fault of the game authors. Windows supports gaming technologies for Limited Users just fine. See Pan-Am's testing page for an example.
One thing common of all those Microsoft games, was that Microsoft didn't develop them - they contracted a third party to do it. Check the credits and splash screens to see for yourself. OK, with the exception of Flight Simulator, and even that was done by someone else at one point. Fault Microsoft for not enforcing their own rules on their contractors, but fault the contractors too!
-
Homeland Security Threat? Mod this up +1 Funny!
So, what do you think will happen if it can be proven that the copy-protection methods the Content lobbies (RIAA/MPAA/BSA) are using are a threat to Homeland Security?
heh, beautiful. I've been looking for a good excuse to tell clients not to use Intuit Quickbooks - that thing requires Power User access just for its copy protection scheme. "It's a terrorist threat by Intuit to force you to compute insecurely!"
Their competition, Simply Accounting, works just fine as a limited user.
And DirectX, OpenGL work fine as a Restricted User. See Pan-Am's testing page for an example.
-
Games can run without Admin - Example hereQuake II XP? You better believe it.
All I did was change where Q2 stored its saved games, downloads and configs. The result not only works just fine as a non-admin, but supports different settings for each user.
Game developers, in fact all developers, have no excuses.
-
Political Filibuster. Move Along...Nothing's Changed since Seoul, I see... Nice to see everyone with their own Final Ultimate Solution to Spam come out of the woodwork fourteen months after the fact.
SEOUL - CRUCIAL TALKS here this week on Meng Weng Wong's SPF ambitions made modest progress but failed to bridge the divide on major issues concerning the 11-month tension.
Wrapping up their two hour negotiations Thursday, Wong, Danisch, Fecyk, Brand, Hardie and Fältström adopted a chairman's statement in which they agreed to set up a working group for detailed discussions and hold the next talks in August, at San Diego...
-
Political Filibuster. Move Along...Nothing's Changed since Seoul, I see... Nice to see everyone with their own Final Ultimate Solution to Spam come out of the woodwork fourteen months after the fact.
SEOUL - CRUCIAL TALKS here this week on Meng Weng Wong's SPF ambitions made modest progress but failed to bridge the divide on major issues concerning the 11-month tension.
Wrapping up their two hour negotiations Thursday, Wong, Danisch, Fecyk, Brand, Hardie and Fältström adopted a chairman's statement in which they agreed to set up a working group for detailed discussions and hold the next talks in August, at San Diego...
-
Blocking dynamic/dialup ranges is a solution
But could make a bit more sense to block dynamic IP ranges, or ip ranges where is not supposed to be mail servers (if IPs are fixed and source of spam, could be blocked individually or reported to their ISP).
Sure blocking dynamic IP blocks is a solution (I use the Pan-Am Dyanmic List (PDL) for this, but blocking an entire country?If they are blocking the entire Telefonica range, including their mail server or other "official" mail servers that are there, their users could lose not only mails with individuals there, but also more "automated" things like mailing lists, announcements from web sites, or things like that.
It should be interesting to see how this plays out -- I predict that the AHBL will discover that the number of sites using their block list drops precipitously... -
Worms seed proxy/relay farms
The worm/virus explosion is because RBLs are WORKING, and spammers are finding less IP space they can operate from. Their only alternative is to infect client PCs and turn them into proxies.
Most of the malware I run across, and many worms, include payloads to turn infected hosts into either an open proxy or more commonly a "bot" (IRC zombie).One (unfortunate) solution to spam from compromised workstations is for mail servers to refuse to accept SMTP messages from hosts in dialup and DHCP address ranges.
For this I use the Pan-Am Dynamic List (PDL).
-
Filters beaten because we accept spam by default
We accept everything by default. Important capabilities like mail forwarding rely on it. It's time to change that.
-
Re:How to stop SPAM at the source
I think that Sender Permitted From (SPF) and friends look to give us significant mileage on this.
Basically this means that when you set up a domain, you specify what the IP addresses are for the authorised mail-servers. Something like SpamAssassin can then add a "+2" it came from SPF listed address, or "-2" if it didn't.
Put that in the box with all the other heuristic techniques going on and it will make a suprisingly large difference to catching spam.
I, for one, really look forward to it's implementation for some very good reasons:
- It will completely stop "Joe Jobs".
- A domain with SPF can't usefully specify "every trojaned box on the internet"
- Software can look at the age of a domain
- It all becomes grist for heuristic systems like SpamAssassin
I've been joe-jobbed plenty of times. It is &^$%*& annoying, especially for a domain that's been in use for a long time.
-
Re:Back up a second, here....
No, dipshit, I'm not making this up. Here's a mental experiment, since you're obviously in denial. If you run a web site, and you accept sign-ups for a mailing list, then anyone can enter any email address. If you do not confirm that that person is in control of that email address and wants to receive your mailings, then you are sending UNSOLICITED BULK EMAIL to that person, which by anyone's definition is spam. If I enter your email address and the website doesn't confirm it, then they are spamming you. That is by definition, there is no wiggle room. If you did not ask for it, it's spam. And the question is not "Could this happen?" but "When will this happen?" If you do not practise confirmed-opt-in then you WILL have email addresses on your lists that did not want your mailings which means by definition you are a spammer.
Your complaint about "having to sign up multiple times" is complete bullshit. There is nothing about the process that would require you to sign up more than once. You enter your email, the site sends a confirmation email, you hit reply, and you are on the list. ANYTHING ELSE MAKES THAT SITE A SPAMMER.
http://www.pan-am.ca/spammyths/rants/27jul2002.htm l
http://www.cluelessmailers.org/glossary.html
http://www.spamfaq.net/spam-evils.shtml#opt_in
http://www.monkeys.com/spam-defined/
http://www.euro.cauce.org/en/optinvsoptout.html#do uble
http://www.spamresource.com/nadine/default.htm -
Spam throttling with Qmail: qmail-spamthrottle.
To protect both the ISP and the innocent, they could implement a feature where after 20 mails in 10 minutes, mails would only be processed at the speed of, say, one mail per 30 seconds, and maybe slowing progressively after each 100 mails. When the mail pipe has been silent for a given amout of time, say ten minutes, the "mail slower" would be reset.
See Spam throttling for qmail. The software is written specifically for qmail, but could be ported to Milter. Supports configurable rates based on source IP address and network ranges, and aggregation of multiple sources within a subnet (VLSM).By default, hosts exceeding permitted rates temporarily see answers to SMTP commands delayed. Mail gets through, but very slowly.
What happens when one ISP sends legit email to another ISP? It's very likely to have a sustained rate of 1 email per second. If you throttle the connection, email will take several days/weeks to arrrive.
Clearly the default rate needs to be somewhat higher than 1 recipient/second, and some sort of whitelist for legitimate ISP mail gateways would be appropriate.What I do is reformat the list of network blocks found on the PDL into the spamthrottle configuration file format.
For example, my mailserver is willing to accept no more than one message per second from the DSL dynamic
/17 address block used by Ameritech to serve all dynamic DSL customers in downtown Chicago.That works fine for the one or two DSL users who run their own mail servers and who need to send me mail, but stops bulk scan runs and dictionary attacks.
The same code can be used on an ISP "smarthost" to slow down relayed mail acceptance from their average end user.
-
Re:Adding info to DNS servers
There are quite a number of such proposals. For instance...
- Designated Senders Protocol: A Way to Identify Hosts Authorized to Send SMTP Traffic
- A DNS RR for simple SMTP sender authentication
- Repudiating MAIL FROM
...among others. The Internet Research Task Force Anti-Spam Research Group (IRTF ASRG) currently has a sub-group specifically dedicated to the unification of these proposals. This is a relatively recent initiative (only about a month old). You can find archives of the discussion at gmane.org.
-
Just because...you whitelist some servers does not have to mean that you have to blacklist all the others. If AT&T really means to do this, they will learn the hard way when their business suffers.
There are several initiatives underway to use DNS to authenticate SMTP transactions: this seems like a good way to avoid the nastiness described by the parent poster...
- http://spf.pobox.com/draft-mengwong-spf-01.txt
- http://www.pan-am.ca/draft-ietf-asrg-dsprotocol-0
0 .txt - http://www.ietf.org/internet-drafts/draft-danisch
- dns-rr-smtp-03.txt
Pixie
- http://spf.pobox.com/draft-mengwong-spf-01.txt
-
The "Designated Senders Protocol" augments SMTPThere is an Internet Draft protocol by G. Fecyk called the Designated Senders Protocol.
From the draft document:
Abstract
Big advantages of this proposal are
This document describes a proposed standard for identifying host computer systems designated as Simple Mail Transfer Protocol (SMTP) clients for an Internet domain or host through Domain Name System (DNS). This identification allows SMTP servers to verify if a connecting client is allowed to make outgoing SMTP connections on behalf of the client's domain.- the sender is authenticated by the owner of the "From:" domain name
- it can be implemented without changing any existing SMTP hosts and then phased in over time
- nobody will be forced to implement this protocol to receive mail but some SMTP hosts may (at their discretion) reject mail if the sending host doesn't have a "designated sender" DNS record