Slashback: Spambots, Retroism, VoIPhooey

Slashback -- another round of updates and errata for your reading pleasure follows. So read on for more information on spambots, Flash memory for your slightly-outdated Apple systems, Linux (not quite) running on the GP32, publicity (including a security problem) from Mozilla, and more.

Let's find the spamsters and turn them over to Hormel. Neil Gunton writes: "Further to my previous article about stopping Spambots with Apache, Perl, MySQL and ipchains, it appears that the spambots have evolved somewhat. They seem to come in using a search engine to find promising pages, and then spoof the User-Agent field and generally try to behave as much like a real person as possible. Here is an update to my original article. This is something that anyone who runs a website and dislikes spambots should be aware of..."

If I ever have children I might let it go at that. jamie writes: "'If I ever have children,' says Rich Dreher, 'I would want them to see and touch one of the very first 'real' personal computers, not some simulation of an Apple in a window on a Pentium VIII running Windows 2012.' Over the last few months he's put together a CompactFlash/IDE adapter card for the Apple //e and IIgs, and now he's taking orders. The largest hard drive that ProDOS supports, as flash RAM, costs $14! Seeing the card really brought back memories..."

We mentioned this a while ago, before the pressing need of Apple ][ owners was quite so evident.

What's a little $80 million mistake among friends? Sinjun writes: "In what is believed to be one of the first prison sentences given to the creator of a virus, David L. Smith of the infamous Melissa plague recieves 20 months in federal lockup. I would have thought he would recieve more, seeing the massive amount of money lost by corporate America resulting from Melissa. Oh well, this is the precedent that has been set."

Smith should be grateful that his victims weren't allowed to each pluck one hair from his body per Melissa message received.

But what about the GBA? bobbydigitales writes: "A while back someone suggested porting linux to Samsungs GP32 handheld games console. As I own one, I did a bit of 'googling' and found a post from a guy at Samsung about a problem he was having with his linux port to the s3c2400x chip (this constitutes most of the GP32's hardware). It seems he finished his port as he sent me all the patches and instructions needed to compile the kernal for the s3c2400x.

As I dont have any experience porting linux i thought I'd share this information with the world and see if anyone could offer help and/or suggestions on how to proceed. Here are the files and info.

Samsung have completed the following drivers:

• LCD
• Serial
• USB Host (with mouse driver),
• Sound
• Keyboard
• Network (not actually on the GP32 chip)

Things that are missing:

• bootloader,
• SmartMedia Card driver"

I knew I should have ordered a few. Alex Law writes "Only days after Slashdot's article about Creative Labs great deal on VoIP Blasters, it appears that they are no longer in production or available from Creative's web site. Shame; mine arrived yesterday, and we were all quite impressed."

From the Mozilla front: Lots of good reports and an oops. The good stuff -- reaper20 writes "With 1.0 around the corner, it seems like the folks over at Mozilla.org have their hands full. Between interviews and last minute security bug fixes, it seems like the Mozilla is poised for the big push to 1.0. David Hyatt brings up the IE Advantage, and the death of user-experince based browsers. Mozilla.org itself has stood firm on some of these marketing driven issues - yet some changes have caused some interesting developments in the Mozilla community. The recent context menu revisions and personal toolbar recommendations by Netscape have caused a bit of controversy. (Bugzilla entries ommitted for obvious reasons)

Recently, the mozilla/browser and Chimera projects have been started to address certain usability problems and the desire for OS X native widgets. With Galeon and other Mozilla derivatives getting better and better, it seems that Mozilla 'proper' will serve as a platform for derivative browsers customized for the target platform. Lots of standards-compliant clients each tailored to user needs, sounds like what web was originally designed for."

And the oops -- An Anonymous Coward writes: "An Israeli software firm has discovered a flaw in Netscape and Mozilla software that allows code hidden in a Web page to read files from the user's PC. The bug is a more serious variant of one patched in Microsoft's Internet Explorer in February."

Re:Great ...

[WIAKywbfatw]

Silly boy, haven't you learnt yet that Microsoft software never contain bugs, only "undocumented features".

Re:Great ...

[Reality+Master+101]

So what does that make bugs in open source software, "documented features" since the source is open?

Mozilla bug

[falser]

The flaw doesn't affect Mozilla 1.0 release candidate 1 because XMLHttpRequest appears to be broken in that release

Hehe, I find that kinda funny ;)

Re:Mozilla bug

[psaltes]

It works for me in rc1. However, I'm not actually convinced that this bug really allows someone to read files remotely. Perhaps I'm misunderstanding, but how is this any different than just typing in the file's URL? Analysis with ethereal did not show any data going across the network other than filenames, as I looked around my filesystem using their demonstration.

Galeon is apparently a "better performing, less buggy browser", since it isn't affected by this :-).

Re:Mozilla bug

[rabidcow]

As I understand it, the bug allows local files to be read into JavaScript variables, which can then be sent to the server.

Also, it has been fixed so future builds will not have this problem. (#141061: added to bugzilla on the 29th, fixed on the 30th, marked as fixed on the 1st)

What's the Mozilla-Netscape flap?

[ewhac]

The recent context menu revisions and personal toolbar recommendations by Netscape have caused a bit of controversy.

Could someone summarize what the story is here? About the only thing that annoys me about the current crop of fresh Mozilla installs is that it keeps changing my default search engine away from Google and back to Netscape.

Schwab

Re:What's the Mozilla-Netscape flap?

[JanusFury]

Back and Forward were removed from most context menus, except the one for the page itself, slowing down navigation.

Of course, this was to simplify and shorten the menus, so there are valid arguments for both sides, but personally I like having Back and Forward on all the menus.

Re:What's the Mozilla-Netscape flap?

[Com2Kid]

Indeed, especialy when some dipshod webdesigner desides that you do not need a toolbar. . . .

Ugh, I hate that. . . .

I have neglected to visit any violating sites with Mozilla so I do not now if this is a IE only 'MS-HTML' command or what.

Either way it is annoying.

My mouse actualy supports back and forward with two side buttons, bound by default to, err, back and forward, in IE5.x+ in Windows2K+, no need for drivers.

Nifty that, I get to laugh at Opera users with their 'gesture' systems, hehe. Buttons kick gestures asses, and my 9 button mouse rocks. :)

Re:What's the Mozilla-Netscape flap?

[edrugtrader]

why would they do that? i wonder what the people who are financing the project feel about this....

Re:What's the Mozilla-Netscape flap?

[fanatic]

Back and Forward were removed from most context menus

This sounds idiotic. Hopefully, Galeon will fix this.

Re:Great ...

[zmooc]

No OSS dropped nothing; the bug was/will be fixed before Mozilla 1.0 will be released. So the OSS-idea worked quite well once again.

Collecting spam...

[killthiskid]

Why not pay users to collect e-mail addresses? Just create a 'plugin' (not unlike the google tool bar) so that where ever users go, the plugin automatically collects the e-mail addresses on the page. The user could get paid in some way (money? otherwise?), and there could even be a space in the tool bar to enter e-mail addresses obscured, as in an email addresses displayed as an image, as to avoid detection.

It would be almost perfectly undetectable.

Re:Collecting spam...

Why not pay users to collect e-mail addresses? Just create a 'plugin' (not unlike the google tool bar) so that where ever users go, the plugin automatically collects the e-mail addresses on the page. The user could get paid in some way (money? otherwise?), and there could even be a space in the tool bar to enter e-mail addresses obscured, as in an email addresses displayed as an image, as to avoid detection.

you should be drug out into the street and shot...

Re:Collecting spam...

[schnitzi]

I was going to rate this posting, but I couldn't find "Evil" in the dropdown.

Re:Collecting spam...

[JanusFury]

Further proof that Slashdot is the root of all evil. Well, maybe not the root, but at least a subfolder. :P

Re:Collecting spam...

[Oliver+Wendell+Jones]

Further proof that Slashdot is the root of all evil.

Wrong.

Money is root of all evil.

Send me $9.95 for additional information.

The thing with spambots..

[iONiUM]

is someone, from the human race mind you, creating these bloody things. I mean, how could you do that? Didn't they realize what they were doing, the annoying havoc that they were about to unleash upon the world? It's like setting off a nuke, only the nuke just sits there poking you incessantly until you click on their goddamn wares.

Re:The thing with spambots..

[NineNine]

It's real simple. If you know what you're doing with spam, you can make a fucking fortune. What would *you* do for $2K/day?

Re:The thing with spambots..

[The+Last+Post]

You are equating creating a spambot with detonating a nuclear weapon?

This, coming from someone posting on a site who's members frequently bitch about copyright infringement being called "piracy", because downloading an mp3 shouldn't be likened to raping and murdering on the high seas.

Sometimes, I think this site is filled with self-contradicting, self-righteous, narrow minded, socially inept individuals. Other times, I'm offered proof that it is. I'll leave it as an exercise to the reader to determine which of those times this is.

Re:The thing with spambots..

[JPriest]

I sense a disturbance in the force.

Re:The thing with spambots..

[NineNine]

Proof?

One thing that I learned about people who make real money. They don't talk about it.
Unfortunately, I can't point to the place where the big boys hang out. I'd be crucified.
So, I can't offer any proof other than I personally know people who make that much doing it.

Re:The thing with spambots..

[timster]

I swear, no matter how illogical it is, there will always be people who expect everyone on Slashdot to comment as if they were all the same person, just because they're all on the same website.

Repeat after me: "Slashdot comment posters are all different people... Slashdot comment posters are all different people..."

VoIP Blaster (and InfoAccel USB) Discontinued

[pbryan]

The VoIP Blaster had huge potential, IMHO, because it was easy for non-internet-telephony-experts to plug in their POTS telephones and place a call. I was preparing to buy more when I discovered there were no more available.

In a desperate effort to find out how to buy more VoIP Blasters, I called Creative Labs. Yes, it's official, they have discontinued sales of this product. That explains why they were blowing them out at $10 a pop. But, it goes deeper than this.

I discovered that Creative Labs didn't manufacturer the VoIP Blaster. They were value added resellers of the InnoMedia InfoAccel USB. I decided to send a message to InnoMedia to find out who else resold their units.

My Question to InnoMedia, made through their "contact us" page:

"Creative Labs has now officially discontinued the VoIP Blaster (the repackaged InfoAccel USB). Are there other OEM partners who are repackaging the InfoAccel USB I can purchase from? Is InnoMedia considering releasing a consumer version of the InfoAccel USB?"

Short yet concise response from Kelly Zhang, Director of Sales, InnoMedia:

"We do not intend to release any more version of InfoAccel USB."

Now that the VoIP Blaster party is officially over, what other inexpensive hardware platforms look promising to allow Grandma to pick up a phone and place a call without a Ph.D in Internet Telephony?

Re:VoIP Blaster (and InfoAccel USB) Discontinued

[vrmlguy]

How about Vonage DigitalVoice? They are selling a service for $39.99/month whereby you plug an ordinary analog phone into a "multimedia terminal adaptor", which in turn plugs into your cable/DSL modem (or a router plugged into same). Their service drops the call off at the local telco of the person you are calling, and gives you a phone number that people can use to call you.

The service is cheap and easy enough for Grandma to use. Or you might could buy the MTA directly (Cisco ATA-186) and start hacking.

Re:VoIP Blaster (and InfoAccel USB) Discontinued

[Polo]

I tried a couple of times to sign up, but their site always breaks...

sigh.

Re:VoIP Blaster (and InfoAccel USB) Discontinued

[smnolde]

That's a bummer. I ordered two yesterday for US$20 + shipping and handling.

For that price they were a steal and with fobbit software I might be able to have some real fun.

I think the product was discontinued because of one of two things: a) they were selling them at a loss and hoped to reap benefits from the call software, or, b) creative had better marketing to deplete the devices from inventory and make a few bucks on the service.

As far as I'm concerned, it's a neat toy to play with. And with tcp/ip tunneling, you can basically encapsulate the udp to tcp and run it over a openssh encrypted session, much like Speak Freely.

Re:VoIP Blaster (and InfoAccel USB) Discontinued

[gad_zuki!]

From what I've read about the VoIP Blaster, its demise is probably based on how horrible the internet to phone call resellers were. I'm too lazy to look up the company's name but according to some of their customers it was a real mickey mouse operation and the servers have been known to go out for an entire weekend until someone comes back on monday to reboot them.

Lesson to be learned here is do not pair up with a crappy company. The VoIP blaster is a nice product by any internet telephone standards but Creative really dropped the ball by going with these guys.

Imagine if someone could pair this product up with a cell-phone service like Sprint. Your PC's phone number can also be your Cell phone number and your minutes (for phone use) will be deducted from your cellular plan.

Re:VoIP Blaster (and InfoAccel USB) Discontinued

[kesuki]

Why should it deduct minutes? Why not just add VoIP service for an extra flat monthly charge?
The only cost to cellular carrier is network bandwith/server costs, and that is far cheaper than wireless spectrum. They already have the telephone side of the network in place. They can have your local phone ring at the same time as your cell phone, and you can just answer on whichever is easier for you.

Re:VoIP Blaster (and InfoAccel USB) Discontinued

[DragonWyatt]

I am in the process of moving, and for the potential of ditching HellSouth, considered Vonage. I had several issues with them:

1. Their notion of "regional" calling is fairly "interesting" (read: vague!)- it's not clear what constitutes a local call (except for their list of area codes, none of which seem to correspond to geographical locations...)
2. When people geographically near to me call me, do they pay long distance tolls? (it sure seems that way, since you are assigned a "Vonage" area code...)
3. They require a 12-month contract
4. No 911 service...

[3] wouldn't be so bad, except for [1] and [2]. I'm certainly willing to forgive [4] considering availability of my cell phone.

I would love to hear any reports from current customers...

Not exactly...

[Daniel+Wood]

I think by undocumented they mean code that some MSCE certified programmer wrote in a MS product that they strangely left uncommented. So in a sense, they both have undocumented features left by MSCE-ish programming professionals.

robots.txt?

[douglips]

For the latest evolution of spambots, Neil quoth:

[Spambots are now] Using Google to find pages.
...
[Spambots are now] Following no links within the target site.

One of the complaints about spambots was that they either ignored, or read and then flouted, robots.txt. But, Google is well behaved - so won't the new generation of spambots implicitly obey robots.txt?

Seems you could use robots.txt to keep Google out of your email address pages, and still keep your other spambot defenses.

Re:robots.txt?

[Arrgh]

Nope. The whole point of robots.txt is to ask search engines to refrain from spidering parts of your site that they normally would because they're linked to.

A non-robots.txt-respecting spider will simply follow all the links on every page. Once they somehow find some way onto your site (perhaps via Google), they can harvest whatever they want.

Re:robots.txt?

[douglips]

Dude, you totally agree with me.

Every other effort he's taken involves dealing with such ill-behaved spiders as you mention.

This Slashback has to do with new spiders which do not follow any links on your page, and which use google to find all of your pages.

Any robot that follows links on the site falls prey to his other spambot attacks, so he only has to worry about the new breed that comes through google.

Re:robots.txt?

[po_boy]

My understanding (and the way my bottrap works) is that because some spambots use robots.txt as a list of places to search and not ignore, you can use robots.txt to point them to a trap, allowing you to identify them and treat them differently. Since the new behavior is to not fall into this trap it makes it more difficult to discriminate them.

Not abiding by the rules of robots.txt was an identifying characteristic of old spambots which was used against them.

Re:robots.txt?

[Arrgh]

My post was in answer to someone's idea that to avoid being spidered by spambots, one could simply remove the pages on one's site which contain email addresses from the Google index by means of a robots.txt file.

My point (perhaps not articulated clearly enough) was that this wouldn't help if those pages were linked from any other part of your site, because the spambots, once they found their way to the "public" part of your site, would quickly spider the non-Googled part, and with it your email addresses.

The only reliable solution, aside from joining the email-address-spamproofing arms race, would be to completely exclude one's site from search engines.

Immensly Confusing

[unicron]

I really don't understand the levels spammers goe to. I'm an intelligent person, and if I want something, I know where to go to get it. I've been around on the net long enough to know where the best sites are, be they news, computer sales, money matters, or even porn. It's gotten[sic] so ridiculous that I often want to scream. On a technology forum I post on(very private, mostly real life friends, but still public THCNET)about once a week someone will come in a make a damn spam post on the board. This is utterly pathetic. For one, if I know you circumvented security features for your email to get through, I'm going to be so angry I would never, ever desire to give you one red cent. Most likely, I would find some way of retribution, be it legal avenues or guerilla tactics on your servers.

This has got to stop. It's been proven time and time again that if you want consumers money make the best product/offer the best service, and do it in a helpful, non-pushy way.

Mozilla not ready for ecommerce

A major problem with mozilla is their "improved" handling (i.e. hiding) of referers in certain new situations, like from one HTTPS page to another accross domains. This is preventing people from placing orders with websites that use at least one major credit card processing service. We've been getting lots of complaints because mozilla/netscape users cannot place orders and have to tell these customers to use IE, as much as we hate doing that!

And, yes, I know it's easy to fake referers, but it's just one of a variety of checks the credit card processing company uses and if any of them fail - no order!

I'm guessing that they feel that this is a browser security issue, but it is really a website security issue. Any website that has critical info in the URL is itself a security hazard...someone could just walk by the system to oggle that info directly. Hiding the referer isn't going to fix the site. For the browser to cripple its ecommerce applications for this is a truly bad decision.

Re:Mozilla not ready for ecommerce

For someone to rely on the completely optional (and forgeable) referer field is truly a bad decision, even if it is only one part of a check.

Re:Mozilla not ready for ecommerce

[cduffy]

Oh, bah. There are plenty of ways to pass data around securely. Here's one suggestion:

Both you and your CC handler agree on a shared secret and a shared PRNG seed. Every time you refer a customer to them, you pull a bunch of random data out of the PRNG, and create an address from which the CC provider (and nobody else -- use SSL client certificates to authenticate them, as well as IP address checks) can pull data. Every time a customer puts in their data, you make it available under /cc-handler-private/{OneWayHash($SHARED_SECR ET, $NEXT_RANDOM_VALUE)}, and put $NEXT_RANDOM_VALUE in the URL you give the customer. Wallah! You're now putting a handle to the info you need to pass out in plain sight -- but they can't do anything useful modifying it; and even someone who knows the requests customers are making (their pseudorandom values) and who can circumvent your authentication checks on the retrieval side *still* can't get to the customer data unless they know the shared secret.

And that's something I just made up on the spur of the moment. If your credit card handling service can't hire someone actually competant (read: better than me) to come up with a system for doing this, they shouldn't be in the business.

Re:Mozilla not ready for ecommerce

[poot_rootbeer]

The old joke about the manager in a hot air balloon and the technician on a mountaintop comes to mind, only in this case the manager is right.

Your solution does nothing to solve the immediate problem, which is that existing CC validation software is now broken because the Mozilla developers have pulled a Microsoft on the HTTPS protocol and extended it with a non-standard behavior.

Whether or not the the validation software is 'truly' secure or not is irrelevant to the point; the reason this particular system work with other browsers but not with Mozilla is because Mozilla's broken.

Re:Mozilla not ready for ecommerce

[cduffy]

Okay, yes, I'm not solving the immediate problem -- because the immediate problem isn't a problem, it's a symptom; the problem is that the existing CC validation software breaks with standards-compliant browsers (being that providing the referrer tag is explicitly optional behaviour). If Mozilla complies with the standard, and the validation software breaks with it, then it isn't Mozilla that's broken -- it's the validation software.

More jail time? uh..no....

[cdf12345]

What's a little $80 million mistake among friends? Sinjun writes: "In what is believed to be one of the first prison sentences given to the creator of a virus, David L. Smith of the infamous Melissa plague recieves 20 months in federal lockup. I would have thought he would recieve more, seeing the massive amount of money lost by corporate America resulting from Melissa. Oh well, this is the precedent that has been set."

The massive amount of money lost by corporate America?!?!

First of all, since when do we start supporting corporate america?

Second, were do "they" get damage figures from? Probably the same accountant that say software firms lose "billions and billions" to piracy although many people would never buy the software anyways.

Also, if corporate america didn't have their heads up their asses, they could have avoided all the "damage" the melissa virus did. In fact many companies who know what their doing were completely unaffected.

By the way, why not jail the programmers at Microsoft for writing an e-mail client that allows "billions and billions of damage"

simple fact is this, It's well known that outlook is not secure. If companies have not taken steps to protect themselfs, I can hardly agree with jailing someone who wrote a program (and I believe didn't distribute).

Re:More jail time? uh..no....

[fean]

The massive amount of money lost by corporate America?!?!

First of all, since when do we start supporting corporate america?

since when do you use plastic? oil? drive a car? eat something produced by Kraft (and subsidies)

I don't think you understand... these companies lost money due to this virus, the money figures come from when an email server goes down because it's been innundated with email, taking out the company's resources... imagine... an office full of salaried workers doing absolutely nothing because their email/file server is dead...

and who pays for it? we do... we pay $.02 more for a box of mac & cheese... $.05 more for a gallon of oil because Texaco's cross-country communications were taken down, and a couple freighters had to stop in the middle of the pacific.

We shouldn't blame the guy who wrote the virus, right? just like we shouldn't blame the script kiddies that DDoS our web sites...

Re:More jail time? uh..no....

[JanusFury]

By the way, why not jail the programmers at microsoft for writing an e-mail client that allows "billions and billions of damage"

Ooh! Let's jail Linus Torvalds for writing an OS that allows people to hack! And Bill Gates for creating an OS that allows viruses to be spread. And CmdrTaco for creating slashdot, because people can post flames and trolls, and links to illegal material.

Let's not be stupid, okay, buddy? The rest of your post is quite excellent, but stupid remarks like that one invalidate the whole thing.

Re:More jail time? uh..no....

[daniel2000]

I *think* that what cdf12345 is getting at by saying:

"By the way, why not jail the programmers at Microsoft for writing an e-mail client that allows "billions and billions of damage""

Is that money losses are being caused by Microsoft as they are also caused by the email virus, AND maybe just as intentially- just phrased better: It isn't cost effective to [make the computer crash less] [provide better secturity] [etc] so we wont do it, this sounds reasonable to everyone but it is just as intentially causing loss money as someone who writes the virus.

Re:More jail time? uh..no....

[nathanh]

By the way, why not jail the programmers at microsoft for writing an e-mail client that allows "billions and billions of damage"

Ooh! Let's jail Linus Torvalds for writing an OS that allows people to hack! And Bill Gates for creating an OS that allows viruses to be spread. And CmdrTaco for creating slashdot, because people can post flames and trolls, and links to illegal material.

Or fine Ford for not fixing the Pinto. Or fine Philip Morris for making people sick.

Let's not be stupid, okay, buddy? The rest of your post is quite excellent, but stupid remarks like that one invalidate the whole thing.

Sometimes companies are held responsible if their product causes damage. The situations where this is legal are beyond me but I know one of them is gross negligence. Whether Microsoft was negligent with Outlook isn't a question I can answer, but the original poster wasn't being stupid.

Re:More jail time? uh..no....

[cduffy]

Or fine Ford for not fixing the Pinto.

*ahem*. Even the early Pintos were much safer vehicles than average for their day, even when one only looks at deaths by fire. The entire scandal was (for the most part) manufactured by the irresponsible, scaremongering, muckraking anticorporate press -- noticed how Mother Jones's headline on their anniversary issue was "25 Years of Raising Hell"? [background: Mother Jones published the article "Pinto Madness", by Mark Doughie, which brought the Pinto's gas tank design into public view]. Even Doughie admits (based on more recent statistics from the NTSB) that the numbers he cited were severely inflated.

So... when you suggest that Ford should be taken to task for not modifying the Pinto, what you're really suggesting is that even a producer who makes a safer-than-average product should rightfully be watching their backs lest they be driven off the market by lying, scaremongering bastards looking to get some quick popularity. And remember: When a safer-than-average product gets driven off the market, what replaces it? A product only as safe as average! At least in the short term, the persecution of the Pinto harmed automotive safety, rather than helping it.

Okay, I'll admit: I went a bit over the top on this one -- but the main point of what I'm saying holds: The Pinto was a safer-than-average vehicle (with a gas tank design which was arguably safer than that which several safety "experts" proposed replacing it with), and was in no way deserving of what it got -- and if people like Mark Doughie actually cared about public safety, they'd have found worthier prey.

(And I wouldn't fine Phillip Morris for making people sick -- I'd fine them for lying about the safety of their products. If people know something might make them sick, it's their problem; if they're told by the manufacturer it's safe, then that's the manufacturer's problem).

Re:More jail time? uh..no....

[nathanh]

Choose your own examples. The point was that companies can be held responsible for their products.

Re:More jail time? uh..no....

[prizog]

But Ford knew about the specific problem before the Pinto was released. They did crash tests which all showed this problem. They could have fixed it, but they didn't. The part would have cost a buck per car. And it was installed in Canadian Pintos anyway (their stricter safety standards required it). Ford's behavior was clearly unethical.

And you couldn't even bother to read _Pinto Madness_, where you would have learned to spell Mark Dowie's name right.

Re:More jail time? uh..no....

[cduffy]

I not only read Pinto Madness, but did a paper analysing it -- but this was some time ago, and remembering names has never been my strong point.

Dowie contradicts himself repeatedly -- first claiming that Ford's production schedule shows how they "put profits ahead of safety" (and thus inferring that the vehicle could not have been made safe with such a short schedule) and quoting experts saying that the position of the gas tank is inherently unsafe (and that it could not have been made safe without retooling), and only when it supported the particular point he wished to make in saying that a much cheaper fix would work. He vastly overstates the risks involved in the Pinto (statistically speaking, it was much safer than other cars produced at the same time), and one of the major reasons it didn't get fixed before production was simply miscommunication. Remember, there's no one "Ford" entity; rather, there are a whole lot of separate people. The Ford engineers who did the later crash tests with additional safety measures installed clearly intended and expected to have their modifications produced -- but these expectations simply didn't make it up the line. (One of the good things to come out of the incident is a great deal of research with regard to the necessity of formal process in ensuring product safety, presently championed by a fellow who was the recall coordinator at Ford at the time and saw the incident from the inside; his view was that it was not any willful decisision on the part of upper management but rather a failure to have process for communicating and responding to such issues).

However... Any product has known bugs. In a product like a car, those bugs can kill. If the product is safer than average as a whole, however, it's still a safe product, and while taking measures to make it still safer is most certainly a Good Thing to do (so long as those measures are cost-effective), its producer should not be subject to such as Ford received for failing to do so.

Re:More jail time? uh..no....

[prizog]

If the product is safer than average as a whole, however, it's still a safe product, and while taking measures to make it still safer is most certainly a Good Thing to do (so long as those measures are cost-effective), its producer should not be subject to such as Ford received for failing to do so.

But if there is a deadly flaw, and a $1 part can fix the problem, and the fix is not applied, then the company in question *should* be in deep trouble. The engineers should have gone to management (Boisjoly did in the Challenger case, and that was only 7 lives on the line), and they shuold have gotten the problem fixed. The managers should have known about the crash tests, and should have refused to release.

Certainly, if Dowie is to be believed, the Ford execs are culpable -- they campaigned for years against safety standards. The NHTSB is culpable too -- despite the thousands of people a year killed in rear-end collisions (far less than side or front, but still lots), they still don't require rear-end crash tests.

Sure, not that many people died in Pinto rear-end crashes, but those deaths were trivially preventable. And there are no good stats on the number of injuries caused by these crashes.

Re:More jail time? uh..no....

[cduffy]

I'm not so sure. Let's say that "deadly flaw" kills only one person (who was aware that the product, like others of its type, had risks associated) of the millions of purchasers, and that adding that $1 part (which, IIRC, was closer to $6 or $12 -- much more in today's currency) would have required several million dollars worth of retooling -- is it worth the price? If not for one person, then how many? Where do you draw that line? (Seriously... give me a figure and I'll go see if I still have the statistics to compare it against). Asking several million people to pay $1 each to save someone else's life (or to make themselves 0.0001% safer when driving) isn't something I'm entirely comfortable doing.

Dowie attacks Ford for "putting a price tag on human life" -- but I don't think those who performed this analysis were wrong at all to do so; such cost/benefit analyses *do* need to be done -- I wouldn't agree with millions of tax dollars being spent to save one life, or even five or ten; why is it more imperitive that private spending occur with a similar cost/return (or, worse, without any regard at all to the same)?

Without considering the full price to be paid (by not only Ford but by their investors and the car-buying public) and finding accurate statistics on the number of deaths being considered, I don't think one can come to a conclusion regarding whether Ford was in the right or in the wrong.

Only 64MB? I don't think so...

[ncc74656]

Over the last few months he's put together a CompactFlash/IDE adapter card for the Apple //e and IIgs, and now he's taking orders. The largest hard drive that ProDOS supports, as flash RAM, costs $14!

I have a 1GB hard drive hooked up to my IIGS right now...and all the space can be used. ProDOS 8 only allows 32MB partitions, but RamFAST and Apple rev. D SCSI cards provide various methods for mapping more than two drives to a physical slot. (ProDOS 8 itself allows for four drives if the controller is in particular slots.) The number of slot/drive combinations limits you to somewhere around 300-350MB maximum online storage with ProDOS 8 (the RamFAST will let you mark partitions active or inactive). If you're using a IIGS and its GS/OS, though, you just create a couple of 32MB ProDOS partitions (to boot and to run your 8-bit apps) and one big HFS partition to use up the entire drive. (The only downside to HFS is that you'll need a Mac to fix the partition if it's corrupted.)

this flaw will crash Mozilla under Linux

[molo]

That web page linked to has a demo of their security flaw. It appears to be targeted at Windows users, trying to read from c:\.. but if you try to read this file under the Linux build, it crashes Mozilla.

Re:this flaw will crash Mozilla under Linux

[Resist148]

This bug was fixed yesterday, the day that it was known by the mozilla developers. The crash is fixed, the bug is fixed, it's all fixed. You can see the bugzilla entry here.

Re:this flaw will crash Mozilla under Linux

[moncyb]

Maybe that example will, but not others. I'm using Mozilla under Linux too, and their other example allows me to browse my harddrive and look at files (the full page one--link is near the bottom of their page). I would assume that this technique can be used to send the contents of files to some server...this is bad.

I don't know much about XMLHTTP. I suppose you still have to go to and evil site to be exploited, but still.

I just want a browser that supports the more basic stuff HTTP, SSL, HTML, images, CSS, cookies, and simple javascript. Maybe I should just go back to Lynx--no images or javascript which means some sites don't work, however I'd rather be inconvienced than hacked.

Re:this flaw will crash Mozilla under Linux

[autechre]

If you're thinking of going back to a text mode browser, you might try w3m. A few of the freshmeat.net staff use it for daily work (hey, there are only really a few of us anyway), and although I use mozilla most of the time, w3m is a fine browser that works great. SSL, frames, tables, and nice default key bindings (except under SuSE, who decided to change them. Bad! But I don't use SuSE, so...oh, well).

Melissa and David L. Smith

[hypnotik]

Interestingly enough, one of my former roommates went to college with David Smith, when he was at UNC. She said he was a quiet, but rather odd man. She was very adamant about her impression that he wasn't really a bad guy.

On a related note, how many people actually picked apart one of their copies of Melissa? The really nasty bit of code was only maybe 10 lines long. Doesn't seem like he had to go through all that much trouble to write the thing. For years I've been thinking that Microsoft should really be held accountable for building that capability into Outlook in the first place. Then just a couple weeks ago someone said that is like holding gun makers accountable for murders. Now I'm not so sure that MS is to blame - they had their reasons for building it in, dubious as they may be, and I'm sure people besides the virus writers have made use of this feature. Would calling for Microsoft to remove it be the same as calling for file sharing networks to be torn down just because people use them illegally?

It's funny that I didn't notice how much of a hypocrite I was until it was pointed out to me.

Re:Melissa and David L. Smith

[pete-classic]

You weren't a hypocrite. But you have allowed rotten (neo-liberal?) thinking to cause you to be ashamed of you opinion.

If a gun manufacture made a gun that could be caused to fire by someone who isn't even in the same room as the gun, AND the manufacture was aware of it, AND they did nothing (or touted it as a feature), AND consumers generally didn't understand the implications of this mis-feature THEN there would be a parallel here.

I'm not saying Smith isn't culpable (that's D. Smith, not Smith & W. ;-) , I'm just saying that there is a difference between holding a company accountable for a product that is dangerous (and obviously so) when misused for the misuse and holding a company accountable for knowingly creating a shoddy product.

Let's face it. Outlook is unsafe at any bitrate.

-Peter

Re:Melissa and David L. Smith

[ekidder]

Bah. I've been using Outlook for.. well.. a few years now and I've never had any problems with it. Even the viruses I've received have been nothing more than minor annoyances. Outlook never automatically started scripts, opened files, or killed JFK.

Re:Melissa and David L. Smith

[moncyb]

For years I've been thinking that Microsoft should really be held accountable for building that capability into Outlook in the first place. Then just a couple weeks ago someone said that is like holding gun makers accountable for murders. ... It's funny that I didn't notice how much of a hypocrite I was until it was pointed out to me.

No, that person was wrong. Let's say there is a popular gun manufacturer called Smallnlimp. This is like if smallnlimp put in a "feature" that caused the weapon to go off anytime it detected a certain audio pattern. Then some whacko discovers if a specific other signal is sent immediately after, the guns will repeat both signals loudly--thereby causing other guns to go off too. The result? Millions of Smallnlimp's guns fire unexpectedly injuring and killing people as this signal is spread over open air and through telephone lines. Is Smallnlimp responsible for the guns going off? Maybe not directly...

IIRC Microsoft patched this problem by not allowing Outlook Express to run executables directly, however IMO they have been very careless and irresponsible in how they've produced software--their whole objective seems to be to take over the world instead of producing quality software. The types of "viri" that require opening an attachment are only the tip of the iceburg. Code Red and Nimda are just two examples of real worms/viri that Microsoft has allowed to spawn. I dare someone to show me a security exploit in Apache/NFS/etc that would allow such a program to spread. In additon to bugs, their default settings and all the stuff they try to hide from the user (such as file extentions and the network settings) have allowed script kiddies to go freestyle on Winboxen. Between Microsoft and Redhat, more internet worms are probably on the way...

The moderators can mod this as flamebait all they want, however it doesn't change the fact that this is an honest assessment of the MS by a person who has used their software for at least a decade.

Re:Melissa and David L. Smith

[pete-classic]

$80,000,000 US. I don't believe this number, but holy shit.

Anyway, you are over-generalizing your personal experience.

Everyone has heard someone say something along the lines of "I don't wear seat belts, because my uncle was in a car accident and was thrown free. If he had his seat belt on he would have been killed in the fire." Even if we assume this anecdote to be true it in no way controverts the statistical fact that a seat belt is far more likely to save the life of an adult than to end it.

So, without regard to your personal experience cigarettes cause cancer, seat belts save lives, and Outlook is a security risk.

-Peter

Re:Less buggy browser?

[ragnarok]

Internet Explorer.

prodos

[seanadams.com]

I could well be wrong about this - it's been many years since I've used a ][... I seem to remember that very little of the early Apple software would work with ProDOS. All the little BASIC games were no problem, but most of the commercial titles would boot directly from the floppy (not the System Master disk with DOS 3.3 or whatever it was). I don't recall having a way to save them to my hard disk.

So anyway, if I get this card and put ProDos on the drive, is there some way I can just load all my floppies onto there as images, and run them after booting into ProDos?

Re:Less buggy browser?

[Servo5678]

Anyone want to tell me a less buggy browser?

I've heard good things about something called Internet Explorer. Why not give that a try?

Re:Great ...

[zCyl]

So what does that make bugs in open source software, "documented features" since the source is open?

I would say they are "obfuscated features", since yeah, it's there, but if anybody could read the source they would see the bug. :)

Creative VoIP

[cfreeze]

buy.com has them still, though not for the price listed on the creative.com website. buy.com

I'm just glad mine came in via fedex today.

Another idea for the Spambot trap

[Software]

IIRC, IE always looks for a "favicon.ico" file. If the browser has a User-Agent corresponding to IE, but doesn't request favicon.ico, it's a spambot. This is easy for the spambot to defeat, but it's one more step.

Re:Another idea for the Spambot trap

[wadetemp]

No, that's not true. IE6 only looks for favicon.ico when a user bookmarks or creates a shortcut to a URL, or uses a bookmark/shortcut. I just tested this to be sure. As far as I know this is also the case with IE5 and IE4.

Mozilla bug already fixed

[davie]

I won't post the bug number (bugzilla won't allow links from slashdot anyway), but it's already been fixed as of tonights builds, if I remember correctly.

Re:Mozilla bug already fixed

[davie]

mozilla is for developers, not "average users".

If you want hand-holding, use Netscape's release.

hm... yes... no...

[Error27]

I have to admit that I'm impressed with the little file browser that they wrote for mozilla. It's pretty intuitive, it looks nice and it simply worked.

On the other hand, I have to think the greymagic guys could have found more productive ways to spend their time. For example, it would have taken 5 minutes to emaile the mozilla secur... well...

Wait, what am I thinking? Writing a file browser is definately the most productive thing to do...

I hate when people criticize Opera

[inerte]

Opera and Omniweb are funded by smaller companies, companies that don't have deep pockets like AOL or Microsoft, so in some small way they can be forgiven for the steps that they take to make money to support themselves. These browsers at least offset their nagging with the ability to block popups and images.

Now, how about saving sets of opened page to continue browsing them anytime. I have several of them, one for each subject I commonly browse for. And continue to browse the last opened pages if your browser/operating system crashes. Import and Export bookmarks and email contacts. Browse offline content, delete every personal info left on your computer by your browser with two clicks (for the privacy freaks), multiple languages supported, pre defined texts to fills forms, 13 search engines available in a tab. Skins, layout customization, modify settings of html text and link tags, load your own css, zoom, block frames, load only cached images, report Javascript errors. Identify the browser as being another (right, "you must use IE to view this page" crap). Full control over cache and cookies. And password protection. Not to mention fully functionals email and newsgroup clients, low comsumption of computer resources, all in 3.2 megas.

And if everything here didn't catch your attention, two words:

"Mouse gestures".

That alone is worth a thousand dollars. Hover a link, right click and up+down with mouse. Page loads at the background. Open 25 links this way, hold mouse button, down+right, close current window. Do it for every page you have found. Hold mouse button and press another, back to pages you previously visited. Another way of buttons, forward the pages.

Opera was worth every cent I paid for. With it, my productivity raised so much I can't live without anymore. I do programming for living, and if having +20 windows opened at the same time, searching for information with Google, discussing at newsgroups, and reading mailing lists, weren't delivered so fast and nice over the last years that I am using Opera, I know a lot of work would not have been done.

VoIP

[JDizzy]

Nothing wrong with the linkage to the VoIP, it has not been removed from their production web site. I ordered my 4 units days after the initial /. post!

http://www.americas.creative.com/products/produc t. asp?maincategory=7&category=&product=203&nav=spec

So if you can see that link then it proves them wrong! Unless they have run out of stock, they seem to be still selling units.

Re:VoIP

[Jester998]

Going to that link,

"Our apologies...

The document you requested does not exist on this server or cannot be served.

It is possible you typed the address incorrectly, or that the page no longer exists.
"

- Jester

Re:VoIP

[pbryan]

Did you notice that the "Buy Now" button, which was on the page when they were selling it, and is present for virtually every other product on their site, is now gone?

Re:VoIP

[JDizzy]

actually... now that I take the time to spider their site.. I can find many things having issue, not just this product. It appears that the Creative web team must be messing with the image path, or system there in. It seems to mainly be the images.

For some reason the link I posted above doesn't work for me now, but when I click here I get to the site. But it doesn't have the "buy now" button, and the drop-down menu for the single or two-fer deal. However, many other pages don't have that image, and the ones that do have it all seem to have a different face to the image... like the price is $99, or $45 on others. So my guess is they ahve to recreate the button whent he price changes... however, that does't explain the other issues the site is having with the other images on the site.

Anyways, I'm glad that I got to purchase mine, and that I can confirm they are in transite. I did get mine after, like two days, the slashdot article. I got 2 kits of 2 each, 4 in all for under $40 USD.

A solution

Please note, this is intended as a joke. It has been done before, but it is intended as a joke.

If you get a spam from China, reply with a message (in Chinese if possible) stating :
Thank you for your continued support of the Falun Gong movement. It's great to see that people even in China understand the horrible oppression under which members of Falun Gong live. I look forward to your future e-mails on this issue.

A friend of a friend did this (and now if you tell the story, you can say it was a friend of a friend of an anonymous guy posting on a weblog :), after reporting the spam numerous times to abuse@domain. This was the only one to elicit a response, which followed the lines of "What are you trying to do? Get me killed?"

The spammer had to call his local government agency as soon as he received the e-mail to let them know that it did *not* reflect his opinion.

Bugzilla Bug 141061

[DVega]

Bug 141061 - XMLHttpRequest allows reading of local files

When an http server redirects the user to a local file, XMLHttpRequest gets tricked into thinking the page came from the http server.

Bug Reported on 2002-04-29 17:46
Bug Fixed on 2002-05-01 09:11

I can out-evil this.

[Wntrmute]

Think spyware which harvests every single email address that crosses your computer. Everything from web pages you visit to emails you send and recieve. Viruses have used this technique, why not spy/marketingware?

Of course, I do concider this evil, and would rather beat my head into a brick wall than code something like that.

My SPAMBOT defense

[toupsie]

Instead of an active SPAMBOT defense as mentioned in this post, I use a passive system. I might have mentioned this in the orginal story but I think it bears repeating.

What I do is include on every web page I produce an invisible 1x1 gif with a mailto: to a special e-mail address. My goal is not to prevent SPAMBOTS or even try to confuse them. I want them to scarf up the special e-mail address. When SPAM is sent to this address, I have scripts on my Mac OS X system that downloads the e-mail and scans it for headers, subject and body message. Once it collects this information, it sends a copy to SpamCop and then it sends the info to my postfix e-mail server to scan other accounts for the same message and then updates my postfix configuration to block further e-mails. I give my "special e-mail address" a name that will alphabetically sort before any other e-mail addresses in my domain. I have noticed SPAMMERS tend to send SPAMs out in alphabetical order to my domain so this works fairly well. I have never had a false positive with this method.

The great thing about this system is that 90% of the time I report SPAM to SpamCop, it says its a fresh SPAM. So not only am I helping to prevent SPAM to my users, I am hopefully helping others that are using SpamCop's RBL.

Re:My SPAMBOT defense

[pnatural]

The great thing about this system is that 90% of the time I report SPAM to SpamCop, it says its a fresh SPAM. So not only am I helping to prevent SPAM to my users, I am hopefully helping others that are using SpamCop's RBL.

How certain are you that they are unique spammers, and not just the same spammers with new tricks?

Re:My SPAMBOT defense

[toupsie]

How certain are you that they are unique spammers, and not just the same spammers with new tricks?

With my system, I am expecting to receive SPAM not stop it at the source. So I do not care if the SPAMMER is unique or not. What matters to me is the SPAM itself. With that, I can check out my users mailbox to see if it has gotten to them yet and update my mail server to block the SPAM based of its characteristics. I send the info over to SpamCop in hopes that it helps out others. Don't cost me nuttin' to do it.

Re:My SPAMBOT defense

[toupsie]

Please try! It only makes my system better. The more is sent, the better it gets at preventing it. Feed the "special e-mail address" with more SPAM!!!

Re:My SPAMBOT defense

[mblase]

You should publish this little trick as a script tool for Apache or other web servers, or encourage SpamCop to make it available for them -- it may not last, surely the popular SpamBots will figure a way around it eventually -- but it's clever and clearly effective.

Re:My SPAMBOT defense

[toupsie]

No need for Apache or web server scripts. Its as simple as this:

<A HREF="mailto:special.email@mydomain.com"> <IMG SRC="invisible.gif" width="1" height="1" border="0" alt="Don't Send E-Mail To This Address"> </A>

Re:My SPAMBOT defense

[Mike+Schiraldi]

Where is this image? I can't find it on your web site.

Re:My SPAMBOT defense

[mblase]

Yes, but I meant the server-scripts that capture the requests to that email address and send them to SpamCop auto-magically. 'Twould be nice to automate that all over the WWW.

Re:My SPAMBOT defense

[toupsie]

Sorry. You are going to have to buy a Mac and Microsoft Office v.X. That part runs under AppleScript. Entourage downloads the e-mail for the SPAM catching account which triggers a rule that activates the AppleScript which relays a copy of the SPAM to SpamCop before sending it over to my perl scripts for scanning the SPAM for my postfix servers.

Re:My SPAMBOT defense

[asackett]

I do a very similar thing, (local rbldns instead of postfix, ORDB instead of SpamCop, Debian instead of OS-X) and it works very well. I have also got a local address that I can bounce mail to for reporting and inclusion in my local (self-maintaining) blocklist. My system was more effective before ORBZ got Cindied, but it still catches 90% or more of the spam that would have been delivered here.

On average, I block 72 deliveries per day, and five or six spam messages get through; each of those five or six gets manually bounced to my local reporting address.

My slashdot@ address gets the stuffing spammed out of it -- it's a spamtrap address, also, feeding right into my local reporting system. Of all of my spamtrap addresses, it's the most effective. But of all of my in-house methods, the most effective, hands-down, is the blocking of all of Asia.

Re:My SPAMBOT defense

[toupsie]

On average, I block 72 deliveries per day, and five or six spam messages get through; each of those five or six gets manually bounced to my local reporting address.

That sounds very close to my success. As much as I try and no matter how I try, 5 to 6 slip through every day to my normal e-mail address. Those are usually one-off SPAMs generally selling SPAMMER CDs. :)

My slashdot@ address gets the stuffing spammed out of it -- it's a spamtrap address, also, feeding right into my local reporting system. Of all of my spamtrap addresses, it's the most effective.

Damn good idea. Time to post a fake e-mail address to Slashdot. Thanks!

But of all of my in-house methods, the most effective, hands-down, is the blocking of all of Asia.

Yep, same here. I hate doing it though but it is super effective.

Re:My SPAMBOT defense

[toupsie]

Thanks for the info. I will research this option and see if I can integrate it into my system.

Just curious. What is your e-mail plant to first SPAM timeframe? I average about 1 1/2 weeks before I receive SPAM on a seeded address.

An interesting side to planting e-mail addresses is the random Outlook based viruses that arrive in the mailbox. A part of my script is to segregate "SPAMs" w/ Windows executable attachments from those without once I discovered this side effect. I manually process SPAM with executables. Since I run Mac OS X, I don't fear dealing with these buggers. :) Have you seen the same thing with your SPAM plants?

Re:Less buggy browser?

[smartin]

Nope, sorry I tried that one it sucked. All I got was this: chdir /root/.wine : No such file or directory

Re:Less buggy browser?

[kableh]

Liar.

This got modded Insightful? What I wouldn't give for mod points right about now. IE is the slowest, buggiest browser I've used, second only to Netscape 4.x.

Mozilla RC1, on the other hand, renders pages almost as quick as Opera, starts up instantly if you enable QuickStart, and is more standards compliant than just about anything out there.

If you find browsing in anything than IE a pain, blame Microsoft for breaking the web.

Virus Writer Prison Precedent

[xee]

This does not just set the precedent that virus writers can be put in prison for their code, this sets precedent that writing software can land you in prison. This is a very bad thing no matter how you slice it. This precedent flies in the face of the "Software as Free Speech" argument favored by most slashdotters. I, as a long-time slashdot reader, am appalled at the support for this judgement. A man has been imprisoned for writing software. Not killing, raping, or even dealing drugs. No, just writing software. What will it come to next? Will I be imprisoned for describing a virus in public where anyone could put my ideas to code? Will they be imprisoned for putting my ideas to code?

SOFTWARE IS FREE SPEECH!!!

And what of a writer whose essay starts riots? Will we as slashdotters stand behind the writer voicing his opinion or will we say that his speech caused riots in which people died? Don't we, as slashdotters, support free speech in all its forms regardless of the harm it may cause? DeCSS could cause as much damage to the MPAA as Melissa did to the rest of the corporate world. Why do we stand behind DeCSS and its authors and not the poor MPAA victims? Because DeCSS is protected speech, that's why!

I'm not arguing that what the guy did was right or wrong. That's a matter of opinion. I am arguing that Melissa was free speech. It was exploit code demonstrating a security hole in Microsoft Outlook. Was it irresponsible of someone to spread it in the wild? Hell yes. But it was just plain old exploit code nonetheless.

Re:Virus Writer Prison Precedent

[Leeji]

Yes, I agree that software is free speech -- just as I agree that designing firearms is free (innovation / art / somethingorother.)

However, (releasing this software and causing damage) / (pulling the trigger and maiming somebody) is not.

Re:Virus Writer Prison Precedent

[sheldon]

Let me see if I understand you. Basically you are saying that writing words is free speech.

Ok, granted.

But if I spray paint a "LOVE THE WORLD!" on the side of your car is that protected by the 1st amendment?

Re:Virus Writer Prison Precedent

[commodoresloat]

To be fair, Schenck is only cited these days for its elaboration of the "clear and present danger" doctrine, which it really didn't follow (at least, to my knowledge, most constitutional scholars agree that the Court has implicitly acknowledged this). But you're right that national security has always (and will, at least for the foreseeable future, given the current Court) trumped the right to publish and the right to know. Even when the government has been blatantly wrong the Court has been wishy washy at best about protecting speech (see the Pentagon Papers case).

But that does not mean that writing viruses should be considered incitement
a priori, especially if there is a good spokesperson for open security models in front of the Court ... writing and distributing viruses in order to better understand them is likely to be considered protected speech, whereas distributing viruses in order to cause damage to computers you have no right to access is likely to be considered conduct outside the protection of the First Amendment. And I don't think it is that hard to draw the line, and while I think this Court has done some outrageous things, I think they are bright enough to draw such a line. At least I hope so.

By the way, the comment that "The Court has upheld several times since then (especially in obscenity cases) the idea that speech is only protected when it is meaningful" is not backed up by anything I have seen in obscenity law. Or any other First Amendment law. Who decides what is meaningful?

Re:Virus Writer Prison Precedent

[weave]

He not only wrote it, he also used a hacked AOL account to deliver it.

I think it's the difference between posession (of a firearm) and the use of one in a crime.

-- weave, Law and Order syndicated rerun graduate of 2002

Re:Virus Writer Prison Precedent

[Sloppy]

What he really did was more like writing, "WRITE THIS SENTENCE ON CARS!" on the side of a small number of cars. Now, that is a bad thing to do. (But jail? Depends on how many cars he vandalized, I guess.) The sick thing is that other people saw the vandalized cars, and did what they were told. If I write "WRITE THIS SENTENCE ON CARS!" and you obey, then you're responsible for the cars you spraypaint, not me.

Personal computers are agents of their owners or users. People will say that computers are too complicated and that it's not reasonable to hold people accountable for what their computers do. Yet if I were to harm someone else with a car or a gun and then blame it on the equipment, I would be laughing all the way to jail. And if I deploy such equipment in a manner where it acts independent of my control (let my cat Toonces drive my car, let my chimp play with my gun) the words "criminal negligence" would come up a lot at my trial.

But when we're talking about computers, suddenly all the rules are different?

People need to ask themselves when they deploy a certain products, "Am I taking reasonable precautions and due dilligence?" And unless they bury their head in the sand and put their hands over their ears childishly yelling, "la la la I am not listening" then they damned well know they are being negligent and irresponsible. This isn't 1977 anymore, and that certain company's reputation is well-established. I mean, when I say, "Dangerous Active Content" everybody knows who I'm talking about. And yet people still deploy this company's products. Fool me a hundred times, shame on me.

Anyway, that's why I think the responsibility, the blame, the fines, the jail time, the karma loss, should all be distributed -- not just dumped on this one guy who wrote "WRITE THIS SENTENCE ON CARS" on a few cars.

Re:Virus Writer Prison Precedent

[poot_rootbeer]

Oh shit! I forgot to click "Post Anonymously"...

You also forgot to click "Make sure I know what the hell I'm talking about".

It startles me that anyone would wave their flag and cry "freedom of speech!" without the very simple understanding that the right to freedom of speech is NOT unlimited.

You've heard of shouting "Fire!" in a crowded movie theater, right? If speech convinces people to behave unlawfully or with disregard for safety, it is not protected.

Re:Virus Writer Prison Precedent

[sheldon]

That's not entirely accurate, since the programmer also put a mechanism in there to force unsuspecting users into writing on the cars.

The point is, as far as the law is concerned, there was damage done, but more importantly there was intent to commit the damage. There was no accident here, he wrote the virus knowing the entire time what the impact would be.

Re:Virus Writer Prison Precedent

[xee]

Slashdot has some STUPID moderators. :D

Yeah, my post was bullshit, but it got a +4 Insightful. So i'm ROFLMFAO.

about time..

[Suppafly]

Its about time the mozilla mongers got put in there place.. On the plus side, I guess this means mozilla is getting popular enough now that people bother to find exploits.

That's a lot of hair...

[Craig+Ringer]

Smith should be grateful that his victims weren't allowed to each pluck one hair from his body per Melissa message received.

Heh. The guy would have to be a 500 foot tall gorilla covered with soft down if the number of copies we got is any indication...

your right to swing your fist (free speech)...

[metalhed77]

ends at my nose.

it roughly means that your right to free speech is allowed until it hurts someone else.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:$14 is for the flash, not the interface card

[zeno_2]

Here is a pic

Its a 64mb flash card

Re:Share!

[toupsie]

Have you considered making this script publicly available? If you're generating so many new records, just imagine the good it could do if it spread.

My system is very tuned to the systems I have available to me. Disclosing my rag-tag collection of Perl scripts, AppleScripts, postfix configurations and e-mail programs that I have cobbled together would compromise my security and most likely would never work on anyone else's setup.

However, take the concept and run with it. If I can do it, most sysadmins could figure it out -- I am a hack programmer. I find that Postfix is a great alternative to Sendmail and makes SPAM killing a snap.

I also cheat by blocking China, Korea and Taiwan off from my mail server. My company is USA focused and never does business with non-English speaking countries. No offense folks in Asia, I lived and worked there for 3 years and enjoyed my time. Its just an easy way to whack 1/2 the SPAM sent to my servers.

I know what ya mean...

[cduffy]

Mouse gestures do indeed kick ass, and sessions do indeed come in damn useful, and zooming is downright essential at some sites -- after using new releases of Galeon for a while (with mouse gestures and tabbed browsing turned on), I wouldn't ditch it for the world... well, at least not for Minnesota. If it were, say, northern California on the table, I'd have to think...

Opera's a nice browser -- but it's not the only one out there. And given the choice between using a nice browser that's commercial software or one I can put on every machine I own (and my work boxen, and my friend's boxen, &c) for free... well, let's say it ain't Opera I use.

You Say You Want Porn?

[krmt]

Now, I know that if you are looking at porn or whatever, IE is a very tightly integrated multimedia device.

Everyone uses IE not because it is easy to use, or easy to setup, but because it is the default in windows, and as stated above, is critical for viewing porn.

You must be new around here if you haven't heard about the mighty pornzilla. Check out the modifications section to improve both your porn and general websurfing experience.

Virus Actions and Warnings

[_Sprocket_]

A man has been imprisoned for writing software. Not killing, raping, or even dealing drugs. No, just writing software. What will it come to next? Will I be imprisoned for describing a virus in public where anyone could put my ideas to code? Will they be imprisoned for putting my ideas to code?

SOFTWARE IS FREE SPEECH!!!

I follow what you're saying here. And I generally agree. But in this case, the author is being imprisoned for not just writing code but using it.

This is a really important distinction. In most cases, potentially destructive tools are generally legal as long as they are not used for illegally destructive acts (your local laws my varry). Some examples include firearms, knives, hammers... and exploit code.

But, unless I am mistaken, Smith did not simply post the code on a site warning the world of the vulnerability he found. He released it. He used it. He put in motion the events that lead to infamy.

Because of this act, I can understand the conviction. Although, I don't find myself as thrilled as some here seem to be.

Virus writers seem to be, for the most part, an annoying messanger. A vandalistic Paul Revere. Damages accredited to these outbreaks seem to be mostly the man hours billed in detecting, stopping, and removing the malicious code. Yet these worms and virii ("viruses" my be correct, but its clumsy) could very well have done MUCH more damage if their writers were so inclined. Instead, they propogate and (again - for the most part) leave their host systems' valuable data intact.

Yea, its a pain in the butt to deal with these things. Especially when an outbreak blossoms within a client's or employer's environment. But the ugly truth is that these malicious agents take advantage of completely insecure environments organizations insist on using. And I have come to realize that many managers and IT reps will not pay attention to infosec issues unless they directly experience the consequences to these issues.

That's right. Virus writers are doing us a favor. Sofar. Its when an individual or organization with a much more malicious intent (damage, espionage, etc) begins to employ these methods that we should REALLY be worried.

One additional technique to defeat the spambots

Filling their database by hundreds of false email :
Just add an hidden link (for example a 1x1 image)
to a page where there is hundreds of random-generated emails. If many sites use this most of their database will be filled with noise, and may be unusable.

wanna know what spam companies say?

[4444444]

If your interested in what the scum that sell spam software have to say check this out

Umm, if you show this to kids...

[gosand]

jamie writes: "'If I ever have children,' says Rich Dreher, 'I would want them to see and touch one of the very first 'real' personal computers, not some simulation of an Apple in a window on a Pentium VIII running Windows 2012.'

And they would probably find that as interesting as a parent today showing their kid an old black and white TV with no remote control.

I am getting old. I find myself saying "I remember when there was no internet!" to people.

The exploit crashes my Mozilla 1.0RC1 build

[tdye]

Fun fun fun! I suppose you could call that 'fixed'...

Re:Share!

[toupsie]

When you are as good looking as me, it only looks like I am posing to you fugly anons.

Keyboard equivalents

[Fencepost]

Consider using Alt-LeftArrow and Alt-RightArrow instead.

The spammers' response ...

[Ungrounded+Lightning]

If you get a spam from China, reply with a message (in Chinese if possible) stating:

Thank you for your continued support of the Falun Gong movement. It's great to see that people even in China understand the horribleoppression under which members of Falun Gong live. I look forward to your future e-mails on this issue.

Of course the spammers' response will be to provide return addresses pointing to their enemies (such as chinese anti-spammers, sysadmins, etc.) or other innocent parties.

The Red Hat

[moncyb]

Well I suppose there are other bad Linux distros out there, but RedHat is quite popular and it is bad. Maybe you don't think so, however, from all that I've read and seen, their distro seems pretty bad--using releases of programs from the unstable branches, they used to have insecure default settings, apparently they even have their own people add patches and modify the kernel. (I believe the "pure" Torvalds kernel is the best choice)

I haven't ever used their distro just because by the time I may have considered trying it, I already knew about the stupid things they do (I only listed what relates to security above). I have read a lot about them and have helped some people that use their distro, so I do know about the subject. Yes, they fixed the default settings on their systems and I haven't been keeping track of them recently, however the way they do things in terms of software quality, security and "usability" seems to be exactly the same as Microsoft. Therefore I have zero confidence in RedHat.

I don't remember saying they're evil, however it does seem they are becoming the mark of the beast for Linux. Why else would everyone insist upon using their packaging format to distribute binaries (now official in the Linux Standard Base) when tar is good enough? It's fine that they use their own internal packaging system, however it's annoying to have that forced upon me when I don't use their distro.

Re:The Red Hat

[moncyb]

I said: I haven't ever used their distro

the response: So how could you possibly have a valid opinion on the subject?

More of what I said that you conveniently left off: I have read a lot about them and have helped some people that use their distro, so I do know about the subject.

If I read from countless sources that Ford Explorers with Firestone tires are dangerous to drive, hear countless stories about how accidents have been caused by such a combination, and know a friend who was in a car wreck because his Firestone tires fell apart on his Ford Explorer, then I think I would know a bit about the subject. I suppose according to you I should start driving Ford Explorers with Firestone tires just to see if I can get in an accident.

what insecurities are you talking about? I mean -- find me a Linux distro that has no exploits.

Obviously you are clueless. Read the SecurityFocus Vulns Stats note the table marked "Number of OS Vulnerabilities by Year". Now lets see you tell me that RedHat's distro is just as secure as other Linux distros. Compare the figures with MS NT/2000--they look close to me...

Qualify that. How do they do things the same way as Microsoft?

Geee...so many choices--where to begin. How about their "configurator" program. I only had to deal with it once--but it was a nasty experience. For one, everytime it was run it would reset the real settings (edited by me in the /etc directory) to whatever it's internal system said they should be--apparently from some other RedHat config file--they made it so that anyone who learned on a normal Linux system would have their settings clobbered as soon as RedHat's program started up.

How about the fact that they use a single script file for every service run at startup? This makes booting any RedHat system painfully-ass slow. That's just like when Microsoft uses single files per item for their "favorites" and cheap symbolic link substitutes.

What about the whole gcc 2.96 mess? Read about it here and here and here

Have you ever used Linux in a professional setting? Package management is essential.

Do you know anything? Slackware uses tar files for their packages--I've never seen any problem with Slackware's package management system.

It doesn't keep track of dependencies, however I usually have to do nodeps with rpms because the program only checks what it has installed--not anything compiled from source or installed through other packaging systems. However, tar could contain a package dependency file inside if it was necessary.

They don't have an apt-get, however that just checks dependencies and downloads files--it could be done using tar files if need be.

A really great packaging system would check the binaries to see what libraries they required and go from there. "This executable requires libuberssl.so.2--not present on system, but found in package ubernetlibs. Do you wish to download and install?" Unfortunately I haven't seen a packaging system like this, and I know the rpm program doesn't do this--it uses the files in /var/lib/rpm and complains if the dependencies aren't listed there.

Does this mean that you resent .debs too?

I would if nearly every Linux developer insisted on using .debs to distribute their binaries, therefore requiring me to install the packaging system on every Linux computer I use, just for the ability of installing binaries.

You can build and install tar'ed & gziped source just like with any other *nix.

Obviously you haven't tried to compile many programs from source. Not only does it take lots more time (try installing XFree86, Mozilla, or GIMP this way), there are also quite a few programs that take much time dicking around with them to even get them to compile. They'll be written for every OS under the sun and very tempormental. Or they'll have stupidly written makefiles. Or they'll have straight out errors in the makefiles/compile scripts/code that takes an hour to correct the problem. Etc. etc. etc... "./configure; make; make install" doesn't always work!

I can go on and on about how dumb your post is, and how unsubstantiated your opinion on RedHat seems to be, but its pretty clear that you're a troll and trying to get a rise out of me.

The same can be said about you. I could go on and on about how idiotic your ideas about what a decent distro is and how to run it. Like how it is bad to just add patches to the kernel for some newfangled gee-whiz buzzword and put it in a major distro. Those patches should only be added by people who really need them--everyone else can wait until the patch goes through the review process and is confirmed stable.