Slashdot Mirror


User: Animats

Animats's activity in the archive.

Stories
0
Comments
14,273
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 14,273

  1. Offshoring CAPTCHA solving on Fallout From the Fall of CAPTCHAs · · Score: 5, Informative

    The spammers have a new solution to CAPTCHAs in place - offshore outsourcing. This has become a sizable operation. System status earlier today:

    Current Status: Volumes are exceedingly high. -- Automatically dispatching more labor
    Queued Captchas: 91
    Total outsourced volume: 4564301

    This service is integrated with Craigslist auto posting tools, allowing high-speed spamming of Craigslist. It's also used for other services, like obtaining GMail accounts.

    Even Craigslist's callback-by-phone system is starting to crack. Temporary phone numbers for Craiglist verification, provided by marginal telephony providers, have dropped to $1.50 in bulk.

    The overall effect of Craigslist's new protections is that the cost of spamming has gone up, enough to slow down the low-rent operators but not by enough to stop it.

    As I've pointed out previously, Google plays a central role in this. Google's services provide a facade of anonymity for scammers to hide behind. GMail for anonymous mail, YouTube for anonymous infomercials, AdWords for anonymous advertising, Checkout for anonymous money transfer, and Blogger/Blogspot for anonymous redirectors to zombie machines are all valuable services for scammers and spammers. All those services are used heavily by Craigslist spammers.

    Others have provided some of the same services, but the competing services had bad reputations. Anybody trying to do business via Hotmail just had to be phony. Many mail agents just block all Hotmail mail. Anyone running a business off of "freewebpage.org" probably wasn't someone you'd want to deal with. So you had some strong indications of lack of legitimacy there.

    Google, though, still has a good reputation. The combination of Google's reputation and low customer standards offers a great opportunity for scammers, and they're taking it.

  2. Not going to happen on NASA Engineers Work On Alternative Moon Rocket · · Score: 3, Insightful

    The US can't afford a manned space program any more. The Iraq war has cost $3 trillion, we're headed into a recession, and it's going to take years to unwind the housing bubble. The next administration is going to have to focus on digging out of the hole left by the Bush administration.

    And, face it, sending a few more people to the Moon on chemical rockets doesn't really get us anywhere. Been there, done that, know what the Lunar surface is like.

    If fusion power ever works, space is worth revisiting, but with chemical rockets, we hit the limits a long time ago.

  3. The central role of Google on Cybercrime Organizational Structures Evolve · · Score: 3, Insightful

    Google is an integral part of today's online scams. Google provides material support to scammers, and helps collect the money.

    Google's proliferation of low-security services makes it easier for scammers to operate, and to hide. If they had to buy those services from a hosting company, there'd be a money trail to follow back to the source. Using Google's free, unauthenticated services makes it easier for the operator to conceal their identity.

    It's full-service evil.

  4. 10 things Microsoft should take out on 20 Features Windows 7 Should Include · · Score: 1

    10 Things Microsoft should take out of Windows 7

    • The 16-bit subsystem. It's time. Ten years ago you could run NT 3.51 without loading the 16 bit subsystem, and it worked fine. Some legacy apps wouldn't run. Any of those left?
    • Trusted drivers other than ones that need to do DMA directly. Drivers for USB devices should be running as user level services, without the ability to crash the machine. Printer "drivers" have no need for privileges; they're just filters. Only drivers that need to do DMA should have any special memory access privileges.
    • Non-USB mouse and keyboard port support. Again, it's time.
    • Codecs running in kernel mode. No, the codecs and the DRM do not need to run in kernel mode.
    • Frantic polling for hardware and software tampering. Vista got carried away. If you have to do it more than once a minute, the system is too vulnerable. None of this 60Hz tamper testing.
    • Silverlight It solves a problem nobody has.
    • Implicit Internet Explorer invocation. The user's browser of choice is invoked when necessary, not IE.
    • Multiple ways to start programs at startup. There should be exactly one list of stuff that starts at startup, it should be entirely visible to the user, and every entry in the list must be tied to something in Add/Remove Programs.
    • Hidden files. More of a headache than a feature, and too popular with attackers.
    • Autorun for media. No running stuff from an inserted disk until a dialog has asked the user if they want to run it.
  5. Now there's someone that doesn't get it. on Data Harvesting From a Developer's Perspective · · Score: 3, Insightful

    That game developer has no clue about privacy.

    First, if the game has online registration, that's the one time to collect, with the user's permission and knowledge, basic system configuration info. That's useful to have if they call for support. It doesn't require a continuous connection to a server.

    Second, if more data is required for game tuning, that's what play testers are for. Or free beta users. It's reasonable to have a free beta that sends back play data, if the developer is up front about it. It's not reasonable to have it in a paid product.

    Third, if you can't meet basic EU privacy regulations, your market is much smaller.

  6. 1000 lines of good code on How To Show Code Samples? · · Score: 5, Funny

    I used to ask applicants for 1000 lines of C++ they were proud of. Sometimes you get something really beautiful. Something that's at least decently designed and looks reliable is essential.

    I've been known to send such samples back with "Your first buffer overflow is on line 42. Thank you for your interest." I couldn't afford to deal with sloppy coders in a hard real time environment.

  7. It's a relaunch of an old API with a new TOS on Yahoo's Build Your Own Search Service · · Score: 5, Informative

    BOSS is not really new. Yahoo already had the Yahoo Search API, which does essentially the same thing. BOSS is essentially the Yahoo Search API with different terms of service. In particular, BOSS will, in future, allow "monetization". BOSS also allows users to intersperse their own search results with Yahoo's and run ads.

    Google used to have a SOAP-based API, but they stopped allowing new users in 2006. It didn't force the caller to display ads. There's still a Google search API, but it's tied to their widgets and has restrictive terms of service.

    We support both with SiteTruth. Yahoo search API version Google AJAX search version. The interface code is quite different but the end results are similar.

    It's not about technology. It's about what you're allowed to do with the data:

    • The Yahoo search API terms of service have a rate limit, don't allow you to add ads, but do allow reordering of results.
    • The Google AJAX API terms of service don't have a rate limit, restrict presentation to Google's format, and don't allow reordering of results.
    • The first rule of the BOSS Terms of Use is that you don't talk about the BOSS terms of use. "You shall not issue a press release or other written public statement regarding this TOU without Yahoo!'s written approval."
  8. Re:Paper still vague, but sounds like TDM on Photonic Switching to Boost Internet Speeds · · Score: 1

    By developing a photon based switch they hope to reduce or eliminate the switching as the bottleneck.

    They don't seem to be developing a true photon-based switch, just a dumb multiplexer. A real photonic router would be much more complicated. Luxcore made claims in that direction, but their web site is now a parking page. There are some "photonic switches", but they're mostly either reconfigurable circuit switches using MEMS mirrors, or fan-out devices that don't have any packet storage. There are pure optical storage devices (mostly delay lines, but some RAM-like devices), so we're getting closer.

  9. Paper still vague, but sounds like TDM on Photonic Switching to Boost Internet Speeds · · Score: 1

    It sounds like they're is bit-interleaving multiple data streams onto one faster data stream. It's bit-level time-division multiplexing, like the 16 voice channels on a T1 line. That's useful for pumping more data through expensive long-haul fibers like undersea cables, and thus a good project for Australia. It's a better way to make a big pipe, but it doesn't do anything for switching and routing.

    There's interest in building a pure photonic router, but this isn't it. Not yet.

  10. 20% wind is about right. on Pickens Plans On Wind Power · · Score: 5, Insightful

    20% wind is about right. More than that, and there are problems during periods of no wind. There's a study on wide area wind averaging (need source) which has a table of percent of installed wind capacity vs. percentage of time available. Even averaging over the entire midwestern US only gets something like 80-90% uptime.

    Base load should be nuclear, since that's all fixed cost. Peak air conditioning load should be solar. In between, whatever works.

    California needs a major effort to install enough solar panels to power the Southern California air conditioning load. The numbers actually work for this. The nice thing about solar is that you get the power during peak hours. You're guaranteed that bright sun and peak air conditioning load come at the same time. Wind is somewhat random on an hourly scale, and hydro is somewhat random on a seasonal scale.

  11. ASN.1 encoded with BER/DER just needs tools on Google Open Sources Its Data Interchange Format · · Score: 3, Informative

    ASN.1, from 1985, really is very similar. Here's a message defined in ASN.1 form:

    Order ::= SEQUENCE {
    header Order-header,
    items SEQUENCE OF Order-line}

    Order-header ::= SEQUENCE {
    number Order-number,
    date Date,
    client Client,payment Payment-method }

    Order-number ::= NumericString (SIZE (12))
    Date ::= NumericString (SIZE (8)) -- MMDDYYYY

    Client ::= SEQUENCE {
    name PrintableString (SIZE (1..20)),
    street PrintableString (SIZE (1..50)) OPTIONAL,postcode NumericString (SIZE (5)),
    town PrintableString (SIZE (1..30)),
    country PrintableString (SIZE (1..20))
    DEFAULT default-country }
    default-country PrintableString ::= "France"

    Payment-method ::= CHOICE {
    check NumericString (SIZE (15)),
    credit-card Credit-card,
    cash NULL }

    Credit-card ::= SEQUENCE {
    type Card-type,
    number NumericString (SIZE (20)),
    expiry-date NumericString (SIZE (6)) -- MMYYYY -- }

    Card-type ::= ENUMERATED { cb(0), visa(1), eurocard(2),
    diners(3), american-express(4) }

    Note that this has almost exactly the same feature set as Google's representation. There are named, typed field which can be optional or repeated. It just looks more like Pascal, while Google's syntax looks more like C.

  12. Nature of the attack on Massive, Coordinated Patch To the DNS Released · · Score: 5, Informative

    It's reasonably obvious from the CERT advisory how an attack would work. The CERT advisory tells us that the vulnerable systems are ones where the 16-bit DNS transaction ID and the 16-bit port number for a transaction are not randomly chosen. The CERT advisory also tells us that the attacker must be able to spoof IP addresses, that is, they must not be behind some ISP with egress filtering. CERT also tells us that it's a DNS poisoning attack.

    So it looks like a form of this attack documented in 2003 at "Cache Poisoning using DNS Transaction ID Prediction". Back in 2003, it took a large number of packets to make this attack work, and even then it wasn't reliable. But there may be a more cost-effective attack strategy if you know how the DNS server assigns transaction numbers and ports.

    The fundamental problem comes from 1) the fact that source IP addresses can be forged, and 2) the DNS transaction ID, at 16 bits, is far too short to be considered a useful random key. Any key with security implications should be at least 64 bits and be generated by a crypto-grade random number generator.

  13. How does memory access work? on Larrabee Based On a Bundle of Old Pentium Chips · · Score: 1

    So how does memory access work? Does each little CPU have its own memory, like the Cell? Do they all work through interlocked caches, as a symmetrical shared-memory multiprocessor? Or is there some partially-shared scheme?

    What do you run as an OS on this thing? Something like VXworks? Real time Linux? Windows CE? You're going to need some kind of OS to manage resource allocation, even if the OS isn't exposed to the customer.

    And the real question: is this a useful mainstream graphics architecture? This sounds like one of Intel's "build it and they will come" architectures, like the Itanic and the IXP series of network processors.

  14. But is it secure? on The Next Browser Scripting Language Is — C? · · Score: 4, Informative

    If the "byte array mapped to RAM" installed in Tamarin allows the code to store anywhere in the interpreter's space, that's a huge security hole. It can do anything the user process can do. If you're going to allow that, you may as well just load executable machine code directly, as with Active-X.

    Anyway, the article is a blog post that rehashes an interview from last year. The info in that article is better.

  15. Another recipe book on Head First C# · · Score: 3, Interesting

    These 700+ page books on programming languages have too much bloat. Usually because they're full of recipes, plus a rehash of introductory programming material.

    A really well written 50 page book on C# would be more useful. Especially if it came with a little summary card with the syntax. Code examples should be on an associated web site.

    Of course, it's a Microsoft product, so it has "strategic complexity", not minimalism.

  16. Let's see what we can do about JLove on How to Fight Name Scraping Scammers? · · Score: 1

    OK, the site has an "about" page with a Toronto address, and an address for a US office:

    269 S. Beverly Drive, #1070
    Beverly Hills, CA 90212

    This turns out to be Beverly Hills Postal Place, a mail drop. It's in California, so they're subject to California law.

    California has a right of publicity law: (a) Any person who knowingly uses another's name, voice, signature, photograph, or likeness, in any manner on or in products, merchandise, or goods, or for purposes of advertising or selling, or soliciting purchases of products, merchandise, goods or services, without such person's prior consent, ... shall be liable for any damages sustained by the person or persons injured as a result thereof. In addition, in any action brought under this section, the person who violated the section shall be liable to the injured party or parties in an amount equal to the greater of seven hundred fifty dollars ($750) or the actual damages suffered by him or her as a result of the unauthorized use, and any profits from the unauthorized use that are attributable to the use and are not taken into account in computing the actual damages.... Punitive damages may also be awarded to the injured party or parties. The prevailing party in any action under this section shall also be entitled to attorney's fees and costs.

    That seems to apply here.

    Small claims court would seem to be appropriate. Once you file a suit, you can send a subpoena to the mail drop company to get the actual name and address of the box owner.

    "JLove" is supposedly a unit of "Only Media Group LLC" in Toronto, but neither JLove nor Only Media are listed with California corporation search or Dun and Bradstreet for the US or Canada. But a contact page for JLove affiliates leads to "Billing Provided By: Only Media UK LTD, 7 Petworth Road, Haslemere, Surrey, GU272JB". That doesn't match the address filed with Companies House (UK), but that address is an accountant and is also the contact for other companies. The address in Surrey leads to a secondhand furniture shop.

  17. Who let Roland the Plogger in again? on Giant Snake-Shaped Generators Could Capture Wave Power · · Score: 1

    Another Roland the Plogger low-end story.

    There's not much solid info on this. They've done some experiments in a wave tank, but nothing in the open sea yet. The Checkmate Group, which does specialty flexible devices, is doing the hose design, so at least they have competent engineering support. It's certainly a more promising idea than the various mechanical nightmares of floats and levers proposed by some other wave energy proponents. It's all underwater, which is good. ("Remember that the free surface is neither ocean nor air and man cannot walk upon it nor will equipments remain stable in its presence. So design your equipments so that they tarry not long and that they need neither servicing nor repair at this unseemly interface." - John Craven, U.S. Navy ocean engineering expert.)

    But it's vaporware until someone puts a reasonable-sized prototype in a real ocean and gets some power out. In particular, cost and power output estimates should be viewed with extreme skepticism at this stage.

  18. Re:Intercourse the penguins on Giant Snake-Shaped Generators Could Capture Wave Power · · Score: 4, Informative

    Windmills smack birds out of the air. ... The "smacking birds out of the air" is due to birds flying into the windmills as if they were a stationary object. The blades don't spin nearly fast enough to do any "smacking."

    Actually, they do. Blade tip speeds for big wind machines are upwards of 100 MPH.

    The Altamont Pass wind farm is especially bad, because it's in a narrow valley on a major bird migration route, a valley full of row after row of relatively small windmills close to the ground. It's a meat-grinder for birds.

    Reasonably accurate bird death numbers for the larger birds are available for Altamont Pass. Currently about a thousand big raptors a year, including over 100 golden eagles, are lost to the blades.

  19. Blackstart capability on Keeping an Eye Out When Sites Go Down · · Score: 4, Interesting

    What with the "software as a service" and "outsourcing system administration" fads, more sites are relying on other sites being up when they power up. This could become a problem in bringing a site back up after an outage. It's important to know which sites have "black start" capability; they can start up without any resources from the outside.

    You can save money by outsourcing Linux system administration to Tomsk, Russia, or Lotus system administration to India. "Remote System Administration for your Lotus Notes/Domino Servers, Infrastructure". But can you then restart your data center from a cold start, when the offshore admin people can't yet get in?

  20. The Iraqi nuclear program in the 1980s. on 550 Metric Tons of Uranium Removed From Iraq · · Score: 5, Informative

    Yes, Iraq did have a nuclear program, back in the 1970s and 1980s. It didn't go well. They couldn't get any of the separation processes to work. A mid-level physicist in the program defected to the US and wrote a book about it, which gives a view of the strange world of working for Saddam Hussein. If he was annoyed at a manager, he sent them to a torture camp to be tortured for a while, then put them back to work. If they did well, he gave them one of his ex-mistresses.

    Iraq tried to build calutrons, which do isotope separation in one or two steps but can process only tiny amounts of material. So it's necessary to build a large number of them to enrich enough uranium for a weapon. The US built some sizable calutron plants during WWII, but they were too slow to be useful when fed with natural uranium. They were used as a final upgrade step for uranium partially enriched in the gaseous diffusion plants. None of the other nuclear powers ever bothered much with calutrons, except little research-sized units. Iraq never actually built enough calutron capacity to accomplish much.

    Iraq's yellowcake (uranium oxide, unenriched) is left over from that era. Extraction of yellowcake from raw ore is an ordinary chemical process, usually performed somewhere near the mine. It's the first and easiest step of the process, and that's as far as Iraq got.

  21. "Cloud computing" is an Xmas artifact on Scaling Large Projects With Erlang · · Score: 4, Interesting

    The enthusiasm for "cloud computing" may evaporate when Xmas rolls around.

    I went to a talk at Stanford by the architect of Amazon's web services. It came out in questioning that the real motivation between Amazon's low-priced web services is that their load in the Xmas shopping season is about 4x the load for the rest of the year. Their infrastructure is sized for the November-December peak, so for ten months of the year they have vast excess capacity. That's why Amazon's web services are so cheap.

    Don't expect good response time during the shopping season. Although this Xmas might be OK, due to the recession.

  22. Dasani concentrate on There's a Sucker Converted Every Minute · · Score: 2, Interesting

    There really is "Dasani concentrate". "Dasani" is purified tap water to which some minerals have been added. The mineral mix is sold to bottlers by the Coca-Cola Company in Atlanta. This is the standard Coca-Cola business model; Coke works the same way.

  23. It's going to take a lot of cleanup. on Lost Footage of "Metropolis" Found · · Score: 4, Informative

    There are a few stills on line. The film is badly streaked. It's going to take a lot of cleanup.

    Worse, when you run bad old film through modern video compression, the results are awful, as vast amounts of the bandwidth are sucked up following the artifacts.

  24. Stupid phony alarm signs on Irrigation Controller Stolen, Wirelessly Rescues Itself · · Score: 2, Informative

    Phony alarm signs are just stupid. A few years back, I was walking by a house near me and saw water coming out of the garage, down the driveway, and into the gutter. Nobody answered the door. They had a big sign for an alarm company, so I called the number on the sign. The alarm company told me they'd never had service there. One window had a sticker for a different alarm company. That, too, was phony. They even had a "Protected by ELECTRONIC alarm system" sticker, the one you can buy at Radio Shack.

    I called the water utility emergency service number; they cut off all water to the house and left a note on the door.

  25. Remember Java applets? on Is Today's Web Still 'the Web'? · · Score: 1

    Bogus article. Adobe must have made a big PR push to get so much attention paid to their indexing tool for Flash. Google has been indexing .swf files for most of a year.

    As for "Web 2.0" adding execution capability, Java applets have been doing that for years. They work pretty well, and most browsers can run them. Most of the unpopularity of Java applets seems to stem from the fact that most of them look ugly, but that's not an inherent problem with applets. (Sun just has no clue about fonts.)

    The big win with Flash is that it standardized video formats. There's a lot less of "download our annoying proprietary player to play this video." That's really YouTube's doing. Real has taken a big hit over this, and it's cutting into Microsoft's player. Today, if something starts downloading a codec, you probably hit "Cancel".