Domain: rfc-editor.org
Stories and comments across the archive that link to rfc-editor.org.
Comments · 398
-
Re:One of my favorite kernel comments....
Nope.
TCP: September 1981. Standard 7/RFC 793 (replaces RFC 761)
FTP: October 1985. Standard 9/RFC 959 (replaces RFC 765) -
Exploits on the rise is interesting......except that the links he gives are just to pages of reports, and I'm not sure which ones are worth reading.
But writing off all of Internet Explorer's problems to the "installed base" scale factor is extremely dangerous to his readers.
The problem being, since MSIE is embedded into the OS, a flaw in MSIE can be exploited from any program which uses an HTML viewer, not only the "iexplore.exe" application itself. Firefox, even when it's your default browser, still pops up in full "visiting the Web" paranoia.
Another problem, of course, relates to MSIE's very strange handling of text/plain and application/octet-stream data types. (It will actually reject the Content-type: header from the server and make up a new one based on filename suffix and/or file content... imagine sending a text/plain file from a CGI URL that has ".doc" in it and it turning into a Word file. Note that the ".doc" is in the URL, not in the downloaded file name....) I've got a CGI I just can't make work with MSIE properly because it rejects my server's claim that file "foo.log" with "inline" presentation is type "text/plain" and it can display it--it insists on saving to disk... only to find out that Notepad is the right application. To work around it, I'd have to change the extra path information fed to the CGI... and I can't do that--it means something, of course.
But that problem ("feature", if you read the MS knowledgebase) is one way how people are tricked into downloading seemingly "safe" content that turns dangerous.
Plus, he makes no assessment of the security problems. He doesn't mention ANY, from ANY browser, not even as illustration--he just leaves it to the reader to plow through pages of cryptic reports from Symantec and CERT.
And he's got no analysis of the "trouble reports" he provides for Firefox. Missing images? 99 times out of 100, that's because the Web page has backslashes in the IMG URLs--which are not part of the hierarchical URI syntax. (They work only in MSIE on Windows. MSIE for Macintosh will not process them the same way.)
Plus... how do we really know what security problems are fixed in MSIE? On my XP box at home, and the W2K boxes I have to use at work, the Windows Updates just say things like, "A security problem could allow an attacker access to your computer." How am I to know what that security problem is, what part of the system it affects? I don't even know if it is a function I use, or even have enabled--the update information is just too terse--and that's after clicking, "Show Details".
(My main systems are Linux and Mac, so there may be a way to get more information from Windows Update, but it isn't as obvious... unlike Mac OS X Software Update, where it lists the major components right there, and links that take you to the Apple web site for more information.)
-
Old RFC?
Does this new morality routing framework require or supersede the TCP/IP header evil bit?
Anm -
"Full" List of April Fools Jokes on the Web
Isn't April Fools Day just the best? =] For a 'full' list of sites pulling pranks today check out this list here
Here is a sample:
dotget.net - Microsoft to put P2P software .GET into next version of Windows
kylewenda.com - the government records your phone calls... scary
rfc-editor.org - RFC for "Requirements for Morality Sections in Routing Area Drafts"
waferbaby.com - amusing php error
planet.gentoo.org - Various things, CFLAGS, etc
fark.com - Many Jokes (keep reloading): BOOBIES!, Logged in as admin, North-Central Kentucky Bunghole-Discharge, page from 1999, BEER
2600.com - Formal Attire required for 2600 meetings today
forumsector.com - Changed the name to Nascar Sector
wikipedia.org - Britannica taking over Wikimedia
google.com - Google releases Google Gulp
kellyosbourne.org - Sanctuary records group shut us down
nukefreezone.net - Making fun of atrios.blogspot.com
weebl.jolt.co.uk - Replaced with Cats-By-Mail
telecom.co.nz - Click 2 Brick
ytmnd.com - (NSFW) hacked by teens for christ
wingus.ampedhost.com - Site converted into Mingus' Gently-Used Furniture store. Oh dear. Why won't he be kind?
homestarrunner.com - Now a pay service.
whirlpool.net.au - Australia's biggest Luddite to head Australia's largest telco
thinkgeek.com - Fake product listings.
theregister.co.uk - Bush twins to join Air Force tech unit in Iraq
creativebits.org - Site purchased by Microsoft -
Re:There are 10 kinds of people.
Heh, you are so on topic, if this would have been about the other rfc posted today...
-
April Fools Day is Great isn't it?
For a full list of sites that pulled April Fools Day Pranks this year check out this list here -
Here is a sampling:
dotget.net - Microsoft to put P2P software .GET into next version of Windows
kylewenda.com - the government records your phone calls... scary
rfc-editor.org - RFC for "Requirements for Morality Sections in Routing Area Drafts"
planet.gentoo.org - Various things, CFLAGS, etc
fark.com - Many Jokes (keep reloading): BOOBIES!, Logged in as admin, North-Central Kentucky Bunghole-Discharge, page from 1999, BEER
2600.com - Formal Attire required for 2600 meetings today
forumsector.com - Changed the name to Nascar Sector
wikipedia.org - Britannica taking over Wikimedia
google.com - Google releases Google Gulp
kellyosbourne.org - Sanctuary records group shut us down
nukefreezone.net - Making fun of atrios.blogspot.com
weebl.jolt.co.uk - Replaced with Cats-By-Mail
wingus.ampedhost.com - Site converted into Mingus' Gently-Used Furniture store. Oh dear. Why won't he be kind?
homestarrunner.com - Now a pay service.
whirlpool.net.au - Australia's biggest Luddite to head Australia's largest telco
theregister.co.uk - Bush twins to join Air Force tech unit in Iraq
creativebits.org - Site purchased by Microsoft
ocremix.org - Now partnered with EA (or something like that). Called EA ReMix.
spacedaily.com - Bush Cancels Space Shuttle Program
planet.gnome.org - Switched sites with planet.kde.org
planet.kde.org - Switched sites with planet.gnome.org
ietf.org - RFC: Efficient Transformation Formats of Unicode
beejaysworld.de - Gentoo dropping livecds for x86
nature.com - Apollo bacteria spur lunar erosion
antwrp.gsfc.nasa.gov - Water On Mars -
April Fools Day is Great isn't it?
For a full list of sites that pulled April Fools Day Pranks this year check out this list here
Here is a sampling:
dotget.net - Microsoft to put P2P software .GET into next version of Windows
kylewenda.com - the government records your phone calls... scary
rfc-editor.org - RFC for "Requirements for Morality Sections in Routing Area Drafts"
waferbaby.com - amusing php error
planet.gentoo.org - Various things, CFLAGS, etc
fark.com - Many Jokes (keep reloading): BOOBIES!, Logged in as admin, North-Central Kentucky Bunghole-Discharge, page from 1999, BEER
2600.com - Formal Attire required for 2600 meetings today
forumsector.com - Changed the name to Nascar Sector
wikipedia.org - Britannica taking over Wikimedia
google.com - Google releases Google Gulp
kellyosbourne.org - Sanctuary records group shut us down
nukefreezone.net - Making fun of atrios.blogspot.com
weebl.jolt.co.uk - Replaced with Cats-By-Mail
telecom.co.nz - Click 2 Brick
ytmnd.com - (NSFW) hacked by teens for christ
wingus.ampedhost.com - Site converted into Mingus' Gently-Used Furniture store. Oh dear. Why won't he be kind?
homestarrunner.com - Now a pay service.
whirlpool.net.au - Australia's biggest Luddite to head Australia's largest telco
thinkgeek.com - Fake product listings.
theregister.co.uk - Bush twins to join Air Force tech unit in Iraq
creativebits.org - Site purchased by Microsoft
ocremix.org - Now partnered with EA (or something like that). Called EA ReMix.
spacedaily.com - Bush Cancels Space Shuttle Program
planet.gnome.org - Switched sites with planet.kde.org
planet.kde.org - Switched sites with planet.gnome.org
ietf.org - RFC: Efficient Transformation Formats of Unicode
beejaysworld.de - Gentoo dropping livecds for x86
nature.com - Apollo bacteria spur lunar erosion
antwrp.gsfc.nasa.gov - Water On Mars -
RFC 3514
Since they are the ones providing the pipes, they could really give a boost to the RFC 3514 a.k.a. Evil Bit for filtering out the unwanted packets
... -
Re:There needs to be a penalty...
I think the reason why people are reading this as IPv6 work is that they are still talking about class-based addressing:
Structurally, the IP address is broken into a network identifying portion (also known as an IP network prefix), a host identifying portion, and some bits used to identify one of three different formats of the IP address.
Apparently, they missed the entire industry switching to classless inter-domain routing over 10 years ago. (Which is what freed up enough address space to let IPv4 survive as long as it has; the old class-based allocation was amazingly wasteful. Which 126 organizations really needed 16,777,214 hosts on the globally-routable network? More to the point, how many organizations needed 65,534 hosts globally-routable? Turned out, very few.)
-
Re:Network Connectivity
Maybe they'll print out punch cards and hang them on posts when they pass by like what was done on old trains. It would probably get better throughput than RFC 1149
-
Relevant Links - easier to read
-
karma thief
Neat List? If you are going to karma whore, at least do it right
-
Corrected Link List
-
Neat List of Relevant Links
-
Stop spreading FUD
SIP plays well enough with NAT as long as the user agent is NAT-aware. I've used several software and hardware ones that work just fine through NAT with no special configuration of either router or client.
It's completely false that VoIP using SIP can't be encrypted:
S/MIME Advanced Encryption Standard (AES)
Requirement for the Session Initiation Protocol (SIP)
http://www.rfc-editor.org/rfc/rfc3711.txt -
Re:It's surprising
Yes, it's surprising Jon Postel's name is still so rarely even mentioned.
In Vinton Cerf's words:
ftp://ftp.rfc-editor.org/in-notes/rfc2468.txt
http://www.usc.edu/dept/pubrel/trojan_family/spring99/Postel/postel.html -
One comment
Don't use "Domain.dom". There are well-known domains that are reserved explicitly for this purpose.
-
Re:Donations
That's a nice thing about the Internet, you can post links to support your argument or add additional information.
Just to be complete was this your article, I think that you will find the complete publication more informative than the story based on the Press Release. I did a quick read of the material, and while the publication is really slick they don't do any footnoting, nor do they seem to tell you specifically where they got the figures or what those figures include and exclude (I might have missed it, I'll read the rest later). I wonder if it includes personal giving, or is some kind of 'net' figure (eliminating say the amount paid to US farmers for grain). In fairness there is a list of unqualified references at the bottom of the report, which makes fact checking only marginally easier. Also, I find it interesting that they harp on the percentages, in the middle of the paper they say that the best way to improve the economy is an increase of the exports from the country (but that doesn't show up in the press report or the executive summary). Kinda like the old saying "give a man a fish...teach him to fish...". In that case you can consider our trade deficit as part of the aid!
All the whining aside, those poor people need our help today. Since you seem to be keeping track, right now, we (the U.S.) lead Japan by 5 million, Germany by more than $32 million, and that is just what the Feds are putting up.
-
Re:In-line SPAM filtering - never hits your server
I *think* it is 180 seconds... probably enough time
Actually it's longer. The minimum set in RFC 2821 (with strong wording (SHOULD) but not as a strict requirement) is 5 minutes per required command on the server side. The client side is also specified with strong wording and is set at a minimum of 30 minutes and optionally much longer in 3 minute increments while waiting for the completion of each TCP SEND call. RFC 2821 talks about this at 4.5.3.2. "SHOULD" is defined in section 2.3 as:
"SHOULD -- This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course."
In plain English it says don't mess with these values unless you have a damned good reason and know what you're doing. Sendmail's default will cause Sendmail to wait up to a minimum of 372 minutes.
180 seconds is nearly enough in many circumstances including when receiving a message from a large mailing list.
-
Individual DOS is still bad
What's with the OP saying the screensaver was "too successful"? Either DOS is OK, or it isn't. One dude trying to login to a military installation's server by trying random passwords over a 300-baud modem is still deliberately endangering national security. Spray-painting swear-words on the back wall of your neighbor's house is still vandalism even if he wears a Nazi uniform to work every day (or he wears a pink dress, or he stands on his front porch and reads the bible out loud, or he knocks on your door once a month to offer you discount Amway cleaning products, or he knocks on your door once a month to offer your son free pot...)
I have experience with doing something that was, in some sense, a DoS attack. Of course, I had forgotten to set the evil bit...
The professor of a class I'm taking recently told us to be careful about what screen-savers we download and run; apparently he'd seen some unusual ones in his lab, and he was worried about viruses. His advice might be relevant to the Lycos screensaver, too.
-
This is a serious problem for some networks
In particular, RFC-1149-compliant networks suffer from this problem, as do 747-based networks.
-
Mandatory quote...
With sufficient thrust, pigs fly just fine. However, this is not necessarily a
good idea. It is hard to be sure where they are going to land, and it could be
dangerous sitting under them as they fly overhead.
- Ross Callon, editor; RFC 1925 -
Re:It sounds like a crock
-
Re:It sounds like a crock
-
Great start!
This is great news! After years of being an Internet Draft, Jabber finally entered the Internet Standards Track. This is good news for end-users, as a standard IM protocol with a standard presence protocol is exactly what we need to integrate disparate messaging devices like cell phones, VOIP phones, and IM clients. I am totally thrilled about this.
Since XMPP has been in development for a while, hopefully it shouldn't take too much time for it to climb the Standards Track to full Internet Standard. Right now, XMPP is in the Proposed Standard category, which is the first step (look at the bottom of the list).
The next level up is Draft Standard. To become a Draft Standard, the RFC has to be a Proposed Standard for at least six months, have two independently developed interoperable implementations, and have had "sufficient" successful use. I think that Jabber is pretty much a shoo-in for this category. Several servers have been in operation for years from which a large amount of experience with the protocol has been gained, so there shouldn't be any contention about XMPP not being mature. There are many independent implementations, so that shouldn't be an issue either. I don't think there will be any problems getting to Draft Standard in six months.
The final step in the Standards Process is Internet Standard, where the RFC retains its RFC number, and gets the all important STD series number. A standard needs to be in the Draft Standard category at least four months (or until at least one IETF meeting has occurred, whichever comes later). On the technical side, there needs to be a significant implementation of the protocol and much more experience using it needs to be gained. The level of maturity for Standards is such that the protocol is believed to be beneficial to the community. Again, since XMPP has been in the works for over two years now and there are now commercial implementations, I don't think there is a problem with the usage requirements. Furthermore, as the only open messaging protocol, it has a large value to the Internet. Thus, I think getting Jabber to full standard easily is not out of the question.
In about a year, we'll have an Internet Standard for IM and presence (and an open one, at that)!
-
Re:Open source + Closed standard = Closed
Have you actually read the standard licensing information for RFCs? Once an RFC is published, it's pretty much set in stone. You need the permission of the author in order to reformat it, let alone make any substantial changes to it. The main difference between Java and RFCs is that people care about using the trademark "Java" for whatever they're doing, while "RFC 2068" isn't worth trademarking, let alone trying to apply to modified versions.
Really, standards should only be replaced and never modified. Now, it is true that the Java standards are set by a process inaccessible to just about anyone, but there's no reason that one has to affect the Java standard in order to develop software, any more than one has to be Linus in order to work on Linux. Sure, you can't affect the official version, but that only matters as far as users care what is official, which they clearly do not if they're using your patches.
What is more of a concern is whether Java will become fragmented due to Sun failing to include other people's good ideas. -
Was going so well
So it started with technological innovation, and saw rapid development through the cooperation of governments and universities. It was refined and improved thanks to the effort of a bunch of awfully dedicated academics to the point where it could merge with mainstream technologies (talking PPP over analog phone modems). The new worldwide resource gave us the ability to communicate like never before.
Things were going so well, until the marketers came on board and started flooding people with ads and junk whatever way they could find. Spam was funny at first; now it's a serious waste of bandwidth and resources, with business people resorting to purely criminal activities in order to flood their advertising and harm benevolent volunteer organizations. Thanks to dirty business the Internet has become a battle ground. Spyware and even viruses are directly linked to immoral advertising/spam.
Now, I don't hate marketing people (I run a business, and am a student in Management) but it's safe to say that immoral marketers are f*cking up the Internet.
-
Hacktivists?
How the heck do you jihad a router, anyway? Time to check for those evil bits.
1. Collect Underpants
2. ???
3. Jihad!! -
Fantastically, possibly impossibly difficult...
Many programs need to work on operating in a collaborative environment.
Do you have any idea how very nearly impossibly difficult this sort of thing is? It makes The Theory of Relativity look like a stroll on the beach.
Indeed, the sorts of problems encountered [when concepts like "TRUE" and "FALSE" cease to have meanings independent of their times and places] bear more than a passing resemblance to The Theory of Relativity.
Think I'm kidding? Try reading the RFC for the Network Time Protocol:
ftp://ftp.rfc-editor.org/in-notes/rfc1305.txt
All that NTP seeks to do is get two computers to engage in the most fundamental task of computing: Come to some reasonable agreement as to the time. And yet, the RFC requires just about a PhD in mathematics and about 1000 pages of background reading from old AT&T switching standards just to begin to get an idea of what the heck is going on.
ftp://ftp.rfc-editor.org/in-notes/rfc1305.pdf -
Re:No big problems here
Advice can not get any worse than this. Postmaster and Abuse are required mailboxes. They are not optional. RFC 2142 mandates their use. This isn't some new requirement either. That RFC was written in 1997. People who violate this RFC will find themselves in a blacklist at a very aptly-named website: RFC-Ignorant.Org. A very fitting name for a very ignorant group of people.
Moderators, please moderate the parent down for being a fool giving fool's advice.
-
Re:No big problems here
"You should start out by sending anything for 'sales@domain.com' or 'postmaster@domain.com' straight to bit bucket hell. I get plenty at those addresses, usually of the sort trying to sell me things to improve the visibility of my web business (I have no web business)."
You (and the others who advocate this) should be aware that you are violating several RFCs by breaking postmaster. See, in particular, RFC2142:
...if a given service is offerred, then the associated mailbox name(es) must be supported... -
IANA pissed!
I'll bet that IANA are not going to be happy about having example.com slashdotted!
See rfc 2606 for more info on example.com
(For those who missed it, after coming up from maintenance, all links off the slashdot front page went to example.com instead of slashdot.org - ie http://example.com/comments.pl?sid=114762&threshold=1&mode=thread&commentsort=0&op=Reply ) -
I know what one of the changes was!
Someone apparently forgot to remove an "example.com" placeholder! It's good to see that slashdot hires people so well versed in RFC 2606!
( Read More... | science.example.com )
( Read More... | 91 comments | yro.example.com )
And so on...
- JoeShmoe
. -
Re:This is what example.com is for
Indeed. Read RFC 2606
-
Re:isn't it obvious?
No, example.com is valid (or invalid, as it were). Review RFC 2606.
-
Use a reserved domain name
RFC 2606 reserves domain names like example.com, so you can safely use those without hitting existing email addresses.
-
Re:the diff is to handoff from net2net
Sorry, I was in a Software Eng class (still am) and trying to be brief. The professor was going in CLI commands to configure JBOSS, Apache's ANT, and J2SDK so I had to be paying more attention.
This is not light reading, but I spent a few weeks reading the 1000 page ( +/- 100 pages depending on version) of the RFC2002, which outlines Mobile IP. I've been out of this for a couple years since Sprint laid me off, moved me to a hell hole named Kansas, and decided to ignore my last 4 years of network data and put me back in data transport...troubleshooting DS1/3s WOO HOO! (you'll notice I continue your sarcasm). The new replacement is RFC3220 which I have not read. The only way I made it through the first was to load it on my laptop, and read about 20 pages a day during the 60 minute train ride to work. I don't have that commute or time luxury anymore.
If you have specific, technical questions, feel free to shoot them here or via email. John at SCHUBE dot COM I have an MBA, so I'm willing to speculate with ya on target markets too. The best applications I saw were for traveling salespeople. It's really a lightly tapped market, as most people aren't technologically savvy enough to realize they can run a light application on their Treo (or whatever) and use it with backend SQL servers (or whatever). Sprint tiers this service with dedicated VPNs for large business users. You can usually see very large companies (like IBM) trying out these services early on.
-
Re:Great
Yes, according to RFC 3251.
-
Re:Think that's bad, imagine the poor schmoes at a
I usually use example@example.com, because that domain is not available for registration .
-
Re:I love online regestration....
That's why I use:
@example.com
@example.net
@example.org
(see http://www.rfc-editor.org/rfc/rfc2606.txt )
me@example.com works fine on most web pages :)
brgnever -
VoCP
If you want great sound quality and can live with a little delay, try strapping a small HDD with your voice message to a carrier pigeon. It's wireless.
-
Re:my patent
It's an interesting idea--and I applaud your dedication to finding a solution here--but the flaw in your design is that it essentially requires voluntary compliance on the part of the pirates. And, frankly, there's no reason to expect them to comply.
In fact, it's rather like the evil bit in TCP/IP packets, which is almost never used by viruses and worms. Yes, it's a GREAT idea, and would make firewalls a lot easier to maintain, but the criminals have no incentive to actually USE it. -
How to Stop Spam
The answer is with SPF, or Sender Policy Framework. This is how it works:
SMTP has a security hole: any connecting client can assert any sender address. This flaw has been exploited by spammers to forge mail. The result: your mailbox fills up with bounces to messages that you didn't send. Close the hole, and we can easily block spammers by sender domain.
SPF closes the hole by using a DNS record that says which hosts can send email with a from address in the domain. The record is a simple TXT record that looks something like this:
<domain> IN TXT "v=spf1 ptr ip4:<address block> ~all"
What most of you don't know is that this is a Microsoft technology. Remember when Bill Gates said that he'd solve the spam problem in two years and you all laughed? Read this for all the technical details. As it is an internet draft, this is completely patent free and anybody can use it.
-
Carrier.....routing...
Am I the only one who immediately thought of RFC1149?
-
Re:OE read receipts
Or you could simply read the RFC. Seems a lot less trouble than packet sniffing and reverse engineering.