Slashdot Mirror


User: chaoskitty

chaoskitty's activity in the archive.

Stories: 0
Comments: 96

Comments · 96

  1. This isn't Linux... on Intel Develops Linux 'Software GPU' That's ~29-51x Faster (phoronix.com) · · Score: 1

    Come on - people here should know better. It's 2015 and the "Oooh! Linux sounds cool, so let's use that word for everything!" fad should be over now.

    Everything open source is NOT Linux. Linux is a friggin' kernel. This is open source software. It coincidentally gets used with GNU/Linux often. BUT IT'S OPEN SOURCE SOFTWARE.

    Repeat after me: open source does not mean Linux. Linux does not mean open source.

  2. You can only reduce likelihood. on Ask Slashdot: Best Country For Secure Online Hosting? · · Score: 1

    Assume that everything MIGHT be insecure. Your Internet connection is wide open. Your upstream routers may be controlled by governments. Hard drives might have malicious firmware payloads. Typical PC hardware might have a BIOS that does nefarious things and may have intentional back doors. Your OS and the software you run might have had backdoors introduced.

    I personally don't trust anything with the word "cloud". It just means that a ton of people are responsible for it, so if anything goes wrong, there's no specific person to blame. The NSA could and probably does have people working at any given "cloud" provider.

    Virtual server hosting is also completely insecure. Hypervisors can be manipulated without you knowing, so even if your OS is 100% secure (obviously nothing is, but for argument's sake), people can read your OS' memory and access your data without you knowing.

    If you want to try to keep your data secure, you need your own hardware. Using something completely different helps - a hard drive infected with some form of firmware Trojan won't do any harm to an UltraSPARC or PowerPC machine, for instance. Next, you need to use a minimal OS without the proverbial kitchen sink, which rules out most GNU/Linux distros since they want to include everything. Try a nice BSD where you can compile the entire OS yourself from a local copy of the source tree. Then, compile the OS itself again on the newly compiled and running OS. This reduces the chance that any given toolchain has been compromised. Make sure it's stable and colocate it somewhere that has excellent privacy laws.

    Encrypt everything.

    While someone could pull a drive (or drives) from your machine and can image them, it's hard to fake uptime on non-mainstream machines, so you'll definitely notice if someone is playing with the hardware.

    Don't log in to it from a Windows machine or from any machines you don't control.

    If some state actor wanted to spend virtually limitless resources, there's nothing they can't fake, but you can feel pretty secure knowing that your data is most likely safe unless someone cares so much about your data that they're willing to spend a heck of a lot of money and resources.

  3. Don't be a jerk on Ask Slashdot: Suggestions For Taking a Business Out Into the Forest? · · Score: 5, Insightful

    "I want to do this thing. Please help."

    "Don't do that thing because I wouldn't."

    Not very helpful, and it also isn't in the spirit of Ask Slashdot.

  4. Thanks a lot! on The Real NASA Technologies In 'The Martian' · · Score: 1

    Perhaps some people here wanted to see the movie without knowing what it's about ahead of time. We're not all Americans with zero attention span, after all.

    Next time, DON'T put a major plot point in the introductory paragraph, please.

  5. An image for dedicated use would be nice... on Ask Slashdot: How To Safely Use Older Android Phones? · · Score: 2

    It would be nice if phone vendors didn't treat old phones as if only good for landfills. I know I'll never go back to Android because there's no assurance that even a brand new phone will be upgradable to the latest software even a month later (it's already happened to me). So the idea of just installing the latest OS and installing some specific apps doesn't seem doable.

    The inability to upgrade Android phones is a HUGE problem.

    Perhaps some enterprising people will create dedicated OS images for various hardware that remove all the cruft and just run specific things. For instance, I'd love to use an old phone as just a navigation system for my car - nothing else. I'd pay for that software if it existed.

    Now only if Android vendors and developers knew about software portability...

  6. It's like they're not even trying on Hacker Set To Demonstrate 60 Second Brinks Safe Hack At DEFCON · · Score: 1

    This seems to be a big problem - large companies seem to be completely unaware of how to hire people to do technical work. Instead, some dumb admin who's been doing Windows for ages said, "Hey! Let's use Windows in our new iSafe!", and this is why they have the worst example of problematic code running in something that's supposed to keep belongings safe.

    I don't care how many people claim Windows can be made secure. It simply should not be used for anything sensitive.

  7. Keep your friends close and your IT closer... on The Mexican Drug Cartels' Involuntary IT Guy · · Score: 1

    I get it - when someone knows some of your secrets and many of your weaknesses, you "keep" that someone indefinitely.

    But Geek Squad? That's the most ridiculous comparison ever - no organization would keep around a bumbling wanna-be IT person who could just barely install Windows and would be lucky to finish a new installation without also installing a Trojan. No, if this guy were like the Geek Squad for a cartel, they'd have killed him pretty quickly when they realized he was completely useless.

  8. Uber planning an amphibious assault? on Uber Discloses Database Breach, Targets GitHub With Subpoena · · Score: 4, Funny

    Uber has got to have a LOT of drivers if 50,000 of them are also licensed DIVERS. What're they going to do - launch an amphibious assault with 50,000 divers?

    Seriously, people have got to start proofreading their posts. Come on - it's not that hard.

  9. How about none? on Ask Slashdot: Most Useful Browser Extensions? · · Score: 1

    How about no extra browser extensions? Or even an extension or two which limits the other browser extensions?

    Browser plugins have the WORST security surface. If you want to do something, do it outside of a browser so that you're not giving every and any site you visit the opportunity to exploit something you only run once in a great while.

    Netflix no longer requires Silverlight, so we can remove that. Once Hulu moves away from the crapstorm which is Adobe Flash, it'll be more realistic to completely trash that forever (I will have a party when that happens!) Don't get me started on Adobe Acrobat and PDFs in browsers... Java - shit - what a MESS! Who the hell wants to run Java in a browser anyway? There has to be a better way. Keep around an old Windows machine if you want to feel dirty by trolling around for the latest disease and let Java die.

    It'd be nice if something like ClickToPlugin were available for all the browsers (it's for Safari), but I learned from The Register how to make plugins click-to-play on Firefox and Chrome. See the bottom of this article:

    http://www.theregister.co.uk/2...

  10. Any BSD is good on Ask Slashdot: Migrating a Router From Linux To *BSD? · · Score: 1

    Ignore the idiots who are dismissive. Just because someone is highly technical in one area doesn't mean there's something wrong if they're not very technical in others.

    I personally use NetBSD because I use different hardware in different places for NAT / IPv6 routing / DNS / all that. In homes I use a PogoPlug or Seagate Dockstar with a USB flash or SD card and a USB-ethernet and / or USB-wireless. In businesses I use amd64, sparc64 and powerpc systems. NetBSD uses the same configurations regardless of the architecture.

    OpenBSD and FreeBSD are just as good, and, as I'm sure you're realizing while you learn BSD, all three BSDs are much cleaner and better organized, generally speaking, than GNU/Linux distros. The other thing that keeps me using them is that they don't try to be like Windows, so there aren't a zillion extra packages and gratuitous changes from one version to the next.

    A BSD NAT router / firewall / IPv6 router / DNS / Samba / web / whatever server can be set up pretty quickly and easily, and keeping track of the configuration files and reproducing a running system is very straightforward.

  11. Re:Prospects were grim when I check earlier this y on Ask Slashdot: Best Software To Revive PocketPCs With Windows Mobile 5-6? · · Score: 1

    That's not true. The sources for hpcarm (the port for ARM-based handheld PCs) compile and run just fine. Every version of NetBSD has hpcarm binaries (6.1.5, NetBSD-7_BETA, sources compiled from -current). I think you just don't understand how NetBSD works.

  12. Simple: portability on How Relevant is C in 2014? · · Score: 1

    It's simple. C is self hosting and extremely portable, and the amount of extra stuff needed to run C can be none (in the case of kernels, everything can come with the binary), little (shared libraries) or lots (a whole OS). There aren't many other languages which can self-host and can create binaries which can run on bare metal.

    Other supposedly portable languages like Java, Perl and PHP require an OS and environment to do anything, which makes them unsuitable for running on small embedded systems, for high performance applications, or for talking intimately to hardware.

    The languages also change too much over time. You can't just take old code and run it in a new interpreter. If Java wasn't in the hands of a megacompany, it MIGHT be more portable and less bug-ridden, but right now it's write once, run only in certain places, deal with a zillion security issues. Many companies I support have to keep around a VM or an older machine to run an older JVM because new Java is not compatible with old Java.

    C has changed, but not so much that K&R C is unrecognizable to someone learning C now. A program written in the 1970s can be compiled by a CS student today without much more than, perhaps, changing a few #includes. This is what makes it lasting and worth learning.

  13. It's hard to believe these people are educated on Multi-National Crew Reaches Space Station · · Score: 1

    Like Columbus? Does that mean they're planning genocide and exploitation of a race of people as slave labor?

  14. Accessing email on the server on Ask Slashdot: What Old Technology Can't You Give Up? · · Score: 1

    I don't cling to the old because I'm unafraid of change - I keep using it because nothing better has come along.

    Shell-based email is still the quickest and easiest way to keep email in one place and have it be accessible even if I'm on a connection the speed of dialup. No matter how many times I try email clients, nothing works as quickly and as seamlessly. The same goes for ytalk instead of IM programs (luckily, many of the people with whom I want to chat have shell accounts, too).

    Until someone comes up with something better, like a protocol which allows for downloading just the text of what I want to see, I'll happily ssh and do email on the server, like I've been doing for twenty years.

  15. Anyone remember, "Write once, run anywhere"? on If Java Wasn't Cool 10 Years Ago, What About Now? · · Score: 1, Insightful

    Sun's slogan for Java used to be, "Write once, run anywhere." Remember that? Sun didn't make JVMs for many platforms, and didn't even have an official JVM for GNU/Linux for ages. Add to that the fact that each major version of the JVM deprecated features and introduced incompatible ways to do things previously done other ways, and it's no wonder it has become the case that we (meaning IT folks) have to keep around an older (perhaps virtual) machine which has an older and certainly insecure JVM to talk to some hardware device or application which requires older Java. Qlogic switches come to mind.

    Since the JVM isn't portable, Java isn't portable. Since software written for one JVM version can't necessarily run on another version, it's not very backwards compatible. Since it has so many security issues, you either have to hope that whoever makes your JVM keeps it up to date or that you're very careful about how it's deployed.

    I can't personally think of anything more precarious than trying to deploy real software using Java.

  16. They used to call me paranoid... on Ask Slashdot: Life Beyond the WRT54G Series? · · Score: 5, Informative

    I have long advocated for separating everything - the cable modem / DSL modem should JUST be an interface to the upstream provider, with no NAT and DEFINITELY with no wireless. See the issues with Xfinity and other providers who are now piggybacking their "free" Wifi on customers' connections - I bet it'll be shown in the near future that the already existing NAT table size issues, which already cause many consumer devices to be problematic, are being exacerbated by trying to maintain state entries for the "free" wireless, too.

    So you have a cable / DSL modem which is in bridge mode. Then you have some sort of NAT device. If you like running your own OS, a Raspberry Pi or some other tiny StrongARM device is cheap and can run whatever GNU/Linux or BSD you like. Heck, you can even still use your WRT54GL if the CPU in it isn't limiting the speed of your upstream connection.

    Then, you have your wireless device. Again, I strongly recommend something that just does bridging - you have the simplest setup because you're not using the wireless device for NAT or any other "features". With all the stories about consumer devices having poor security and intentional back doors, the less exposure, the better. Personally, I pay extra for Apple because the 802.11ac Airport Extreme does wonders with existing 802.11n clients.

    The great thing about this is that you can have as many segments as you want without needing a switch which does VLANs. You can plug two USB-ethernets into a Raspberry Pi, for instance, and keep your wireless and wired networks on completely different segments. Or three, and you can have your old device provide a completely separate guest network.

    The best thing about this setup is that if one device fails or is shown to be insecure and the manufacturers won't fix it, you can just replace that one device.

  17. Always plan for nefarious behavior on Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common? · · Score: 1

    It's much better to assume that a server may be or is exposed to malicious traffic than it is to assume not. Even if there's only ever a direct ethernet connection between two machines, assume someone may compromise one of the machines and protect the other. Using a username and password is one thing; if you can filter based on IP address, use software firewall rules to only allow connections on certain interfaces and from certain addresses (or, better yet, localhost), et cetera, you're always better off.

    Hope for the best, plan for the worst.

  18. Re:Bios code? on Ask Slashdot: What's the Most Often-Run Piece of Code -- Ever? · · Score: 2

    No. BIOS code only gets run at boot time.

  19. Exaggerated reports of death, blah, blah... on Ask Slashdot: Dealing With a Fear of Technological Change? · · Score: 1

    People have been predicting the death of Unix and the command line for ages. Most people don't care about long term because they're accustomed to a constant cycle of upgrades to make money for large corporations - it's what they're conditioned to do. If we don't want to run browsers that can get infected, email clients that render whatever they're told to render and systems that have poorly written third party software (I'm talking about you, Flash and Java), then who's the smart one?

    I keep wondering if I'm doing old school things just because, but every time I try something new, I find that there aren't enough compelling reasons to modernize and at the same time there are enough good reasons to use what works well.

  20. I call bullshit... on Why We'll Never Meet Aliens · · Score: 1

    If there's one thing we can generalize about truly intelligent people, it's that they are always curious. The geniuses can come up with questions nobody else can.

  21. Virtualize as bare metal on Ask Slashdot: Finding Legacy UnixWare Installation Media? · · Score: 4, Insightful

    How about doing a dd of the entire drive from the current system to a virtual disk and trying to make that work? Is the Unisys hardware that special? If not, you might be able to get it working by manipulating the virtual hardware of your VM.

  22. Simple: Firefox is NOT platform agnostic on Why We Love Firefox, and Why We Hate It · · Score: 1

    I don't like Firefox because they try to take Windows-isms and force them on Mac users. My user experience is one thing in 99% of the programs on my computer - why should how I select text be different for Firefox? Or why can't I launch Firefox normally by holding command-option and hitting the down arrow like I do for every other program but which sends Firefox into some special "safe" mode?

    Firefox shouldn't proselytize specific OS behavior.

  23. Oh, the irony... on With Push for OS X Focus, CUPS Printing May Suffer On Other Platforms · · Score: 1

    Isn't this exactly what happens elsewhere, but in the other direction? After all, many people think that KDE, GNOME and other large programs are written for GNU/Linux and just happen to be ported elsewhere. Try to Google something about setting up Apache or bash and you'll find Linux this, Linux that even though neither is exclusive to GNU/Linux in the least.

  24. Expecting rDNS is pretty common on Ask Slashdot: Is Reverse DNS a Worthy Standard For Fighting Spam? · · Score: 1

    Expecting rDNS is pretty common. Expecting PROPER rDNS, on the other hand, is another thing altogether.

    If a machine doesn't have rDNS, then it can't send email to anyone at AOL, for instance. It'd be quite disingenuous to say that people who send email through a machine without rDNS would be surprised if they couldn't contact you.

    On the other hand, there are too many ISPs who have rDNS, but broken rDNS (doesn't resolve in the forward direction, uses names which don't belong to them, et cetera). I block email from all connecting machines which have rDNS (or HELO/EHLO strings) which say yahoo.com, hotmail.com, gmail.com, or google.com, which cuts down on a LOT of spam. The real services always have blahblah.something.yahoo.com, for instance.

    I also block HELO/EHLO names which don't resolve in DNS, and on my backup MX I also block when the HELO/EHLO doesn't resolve back to the connecting IP. This, IMHO, is much more effective than only rDNS checking. People don't always control their own rDNS, but they damned well better control whether their mail server is lying or not.

    The bottom line is this: are you expecting email from just anyone? If so, you can't block it but you can increase its spam score. If you generally correspond with the same people and occasionally start corresponding with someone new, you could take the time when someone new has a broken mail server. This is what I've done for years (with HELO/EHLO) and most people thank me once I explain why it's in their best interest to fix it.
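
Added example, not part of chaoskitty's comment: the HELO/EHLO and rDNS checks described in comment 24, sketched in Python. The function name `check_client`, the reason strings and the DNS tables are assumptions made here, and reading "say yahoo.com" as an exact match on the bare provider name is an interpretation of the comment.

```python
"""HELO/EHLO and rDNS sanity checks for an inbound SMTP client.
DNS answers come from constructed tables so the example runs offline."""
import ipaddress

# Bare provider names that real provider hosts do not announce as-is.
BARE_PROVIDER_NAMES = {"yahoo.com", "hotmail.com", "gmail.com", "google.com"}

# Constructed sample DNS data (documentation address ranges, example names).
FORWARD = {  # name -> set of addresses (A records)
    "mail.example.org": {"192.0.2.10"},
    "mx1.example.net": {"198.51.100.7"},
}
REVERSE = {  # address -> PTR name
    "192.0.2.10": "mail.example.org",
    "198.51.100.7": "mx1.example.net",
    "203.0.113.50": "gmail.com",               # rDNS claims a bare provider name
    "203.0.113.99": "host99.example.invalid",  # PTR with no matching forward record
}


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def check_client(ip, helo, backup_mx=False, forward=FORWARD, reverse=REVERSE):
    """Return the list of policy violations; an empty list means accept."""
    ip = str(ipaddress.ip_address(ip))  # raises ValueError on a malformed address
    helo = normalize(helo)
    ptr = normalize(reverse[ip]) if ip in reverse else None
    problems = []

    # 1. HELO or rDNS that is exactly a bare provider domain.
    if helo in BARE_PROVIDER_NAMES or ptr in BARE_PROVIDER_NAMES:
        problems.append("bare-provider-name")

    # 2. HELO must resolve; 3. on the backup MX it must resolve to the peer.
    helo_addrs = forward.get(helo, set())
    if not helo_addrs:
        problems.append("helo-unresolvable")
    elif backup_mx and ip not in helo_addrs:
        problems.append("helo-ip-mismatch")

    # 4. rDNS must exist and resolve forward to the connecting address.
    if ptr is None:
        problems.append("no-rdns")
    elif ip not in forward.get(ptr, set()):
        problems.append("rdns-not-forward-confirmed")
    return problems
```

The returned reasons can drive an outright reject or, for a server that accepts mail from anyone, an increase in spam score, which is the distinction the comment's last paragraph draws.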

  25. Re:GeekISP solves some of your problems on Ask Slashdot: Self-Hosted Gmail Alternatives? · · Score: 1

    How does one get Linux shell access on BSD servers? ;)