Slashdot Mirror


User: ectoraige

ectoraige's activity in the archive.

Stories: 0
Comments: 198

Comments · 198

  1. Funny, I was just thinking about this yesterday. on Yahoo and Unilateral Anti-Spam Technology? · Score: 1
    The main problem with this is the private key being delivered in the email header. Given the effort of spammers to create spam-engine trojans, without the emails themselves also being encrypted, this is a serious concern. Admittedly I've only read a few low-tech articles on the subject, so maybe I'm reading the situation incorrectly.

    Anyway, I was just thinking of a scheme last night to verify the origin of emails.

    The idea is that a domain holder runs a server which maintains an index of valid emails for that domain, which receiving servers may verify a message against.

    In summary, this is how it would work:
    1. The domain holder adds a DNS record which identifies his index server(s). Let's call it a MI (Mail Index) record for now.
    2. When a user sends an email, his client creates a checksum of some sort, and uploads that checksum to the index server. The user must authenticate himself to the index server, either with username+password, certs, or whatever.
    3. When the recipient mailserver receives the message, it checks to see if there is a MI record for the sender's domain. If so, it creates a checksum of the message, and queries the index server to see if such a message exists, and rejects it if it does not.

    Now to expand on the above points.

    1. The MI record: In reality, this would be a TXT record of some sort, no need to rewrite DNS. If a domain holder does not run this service, it does not interfere with SMTP delivery of his emails. It does allow the recipient to discriminate against them, but that is the recipient's prerogative.
    2. The user authentication: The manner in which the checksum gets added to the index is by and large irrelevant, and may not actually be done by the client at all. If, for example, the outgoing mailserver already authenticates the sender, then it would be the mailserver itself which adds the checksum to the index. Also, given that corporate networks often add disclaimers to the message, it would be impossible for the client to create a checksum for the message body. The key thing is that once the email leaves the control of the domain holder, its checksum will reside on the index server. This allows maximum flexibility, as users whose ISP restricts port 25 can still participate. This is the main weakness in the method of publishing 'authorised' server lists.

      It is, of course, vital that the checksum be added to the index *before* the mail is sent.
      The checksum should be held on the index server for a certain amount of time, maybe 5+1 days, or whatever the RFCs say about max delivery attempts.
    3. The verification: Ideally this would be carried out by the recipient's mailserver. This verification need not be done during the SMTP transmission, again, this is really up to the policy of the recipient, and might be left to spam scanners. The important thing though is to try to validate it as soon as possible, before the checksum expires on the index server.

      The end-user *could* carry out the authentication himself, should his ISP not support it for example, but this would not be ideal.

      When verifying, the index server would be queried with the checksum, and optionally the current datetime.

      The option to include the current datetime is to allow end-users' email clients/spam filters to carry out the check. Since somebody may have been on holiday for a week, the checksum will have expired before the client checks it.

      For this reason, the client should only check those emails which have a date less than the expiry time. Should the local clock be slow however, this would lead to expired mails being checked. By including the current datetime, the index server can detect an offset, and respond with a positive should the client be too far behind. It is of course imperative that the index server have the correct time.

      Mailservers would normally have no need to worry about this, so the datetime would not be included in their request.
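The scheme sketched in the comment above, worked through as an added example (not the commenter's code, and nothing beyond the post's own design). The post leaves several details open, so the following are assumptions: the checksum is SHA-256 over the raw message bytes as the outgoing mailserver hands them to the network (so an appended corporate disclaimer is already covered); the MI record is a TXT record of the form `v=mi1 idx=<hostname>`; retention is 6 days (the "5+1 days" above); the DNS zone and index servers are in-process dictionaries standing in for the network; and the "client too far behind" case is answered with a distinct `indeterminate` result rather than a bare positive, so the recipient's policy can decide what to do with it.

```python
"""Simulation of the Mail Index (MI) e-mail origin scheme (added example).

Assumptions, none fixed by the original post: SHA-256 over the wire bytes as
the checksum; MI record = TXT "v=mi1 idx=<host>"; 6-day retention; DNS and
index servers are in-process dictionaries; a client clock too far behind the
index server gets "indeterminate" instead of a plain positive.
"""
import hashlib
from datetime import datetime, timedelta, timezone
from email import message_from_bytes
from email.utils import parseaddr

RETENTION = timedelta(days=6)          # the post's "5+1 days"
MAX_CLIENT_SKEW = timedelta(hours=1)   # assumption: beyond this, "expired" is unreliable

# Constructed DNS zone data and index-server registry (not real records).
ZONE_TXT = {
    "example.org": ["v=spf1 -all", "v=mi1 idx=mi.example.org"],
    "example.net": ["v=spf1 -all"],    # publishes no MI record at all
}
INDEX_SERVERS = {}                     # hostname -> IndexServer


class FakeClock:
    """Injectable clock so expiry can be exercised without sleeping."""
    def __init__(self, start):
        self._now = start
    def now(self):
        return self._now
    def advance(self, delta):
        self._now += delta


class IndexServer:
    """Holds checksums of mail the domain actually sent, for RETENTION."""
    def __init__(self, clock):
        self._clock = clock            # callable returning an aware datetime
        self._entries = {}             # checksum -> time registered

    def register(self, authenticated_user, digest):
        # The post requires the uploader to be authenticated; how is out of scope.
        if not authenticated_user:
            raise PermissionError("index uploads require authentication")
        self._entries[digest] = self._clock()

    def query(self, digest, client_now=None):
        now = self._clock()
        self._entries = {d: t for d, t in self._entries.items() if now - t <= RETENTION}
        if digest in self._entries:
            return "known"
        # Optional client datetime: a querier whose clock is far behind ours may
        # be checking mail whose entry expired legitimately, so don't call it forged.
        if client_now is not None and now - client_now > MAX_CLIENT_SKEW:
            return "indeterminate"
        return "unknown"


def checksum(raw_message):
    return hashlib.sha256(raw_message).hexdigest()

def sender_domain(raw_message):
    msg = message_from_bytes(raw_message)
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def lookup_mi(domain):
    """Return the index server named in the domain's MI TXT record, or None."""
    for txt in ZONE_TXT.get(domain, []):
        if txt.startswith("v=mi1 "):
            fields = dict(f.partition("=")[::2] for f in txt.split()[1:])
            return fields.get("idx")
    return None

def outgoing_mta_send(raw_message, authenticated_user, disclaimer=b""):
    """Outgoing MTA: append the disclaimer, register the checksum, THEN hand off."""
    wire = raw_message + disclaimer
    INDEX_SERVERS[lookup_mi(sender_domain(wire))].register(authenticated_user, checksum(wire))
    return wire

def verify_incoming(raw_message, client_now=None):
    """Receiving side: no MI record means no check; otherwise ask the index."""
    host = lookup_mi(sender_domain(raw_message))
    if host is None:
        return "no-mi-record"
    return INDEX_SERVERS[host].query(checksum(raw_message), client_now)


def demo():
    clock = FakeClock(datetime(2003, 10, 1, tzinfo=timezone.utc))
    INDEX_SERVERS["mi.example.org"] = IndexServer(clock.now)
    msg = b"From: alice@example.org\r\nTo: bob@example.com\r\nSubject: hi\r\n\r\nhello\r\n"
    wire = outgoing_mta_send(msg, "alice", disclaimer=b"-- \r\nConfidential.\r\n")
    forged = b"From: alice@example.org\r\nTo: bob@example.com\r\nSubject: buy now\r\n\r\nspam\r\n"
    no_record = b"From: carol@example.net\r\nTo: bob@example.com\r\n\r\nhi\r\n"
    results = {
        "legit": verify_incoming(wire),
        "forged": verify_incoming(forged),                            # never registered
        "tampered": verify_incoming(wire.replace(b"hello", b"hell0")),  # altered in transit
        "no_record": verify_incoming(no_record),                      # domain opted out
    }
    clock.advance(timedelta(days=7))                                  # past RETENTION
    results["expired"] = verify_incoming(wire)                        # MTA: no datetime
    results["skewed_client"] = verify_incoming(wire, clock.now() - timedelta(days=3))
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

Two things worth noticing when running it. First, any change to the bytes after the checksum is registered (the `tampered` case) is indistinguishable from a forgery, which is why the post has the outgoing mailserver register the message only after disclaimers are appended. Second, the `indeterminate` path is an accept-by-default channel: a querier can claim any `client_now` it likes, so a recipient that treats it as a positive should at least rate-limit or log it rather than silently whitelist.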
  2. Re:Heh. on Verisign Certificate Expiration Causes Multiple Problems · Score: 1

    You know, for a news site, you'd expect them to do a little sleuthing *the whole damn time*...

  3. Made difficult due to large number of comments?? on US Treasury to Post Previously Private Email Addresses Online · Score: 1

    Forget perl scripts and so on... surely people are *reading* the comments, and thus could edit them at the same time? They received both emails (cut + paste), and faxes (photocopy + magic marker).

    Unless, of course, they only actually read a sample of the submissions...

  4. Re:For a real opensource NOC on Build Your Own NOC · Score: 1

    You didn't cite any open-source helpdesk software, so I'll just mention RT.

  5. Re:What's the big deal? on Microsoft: Patches, Patches Everywhere! · Score: 1

    The company is still investigating why and how the patch was reissued.

    That is why it's slashdot news.

    From the looks of it, a patch made its way onto the update service without correct approval.

    When you're issuing patches that affect millions of users, your procedures must be watertight to avoid broken/malicious patches screwing with your customers' systems.

    On another matter, I don't understand the pressure from some admins which apparently forced Microsoft to adopt the monthly release rule. It's explained that the admins wanted to be able to schedule when they are going to patch their systems.

    Surely, if the adminions can't deal with an unexpected patch, they should just reserve every 3rd Monday (or whatever) for applying whatever patches have been newly released.

    It seems to me that it's purely to reflect blame when they become compromised. They can now blame MS for not issuing the patch, instead of themselves for not getting around to patching the system. In reality though, they are just as vulnerable as they were before, and don't give me that crap about reverse-engineering patches to create exploits.

    The fire services don't expect people's houses to ignite on schedule, admins should learn to put the fire out when it appears.

  6. what if my hard password has an easy equivalent? on The Death Throes of crypt() · Score: 1

    I just had a thought.
    Given the nature of hashes, where it is possible for more than one input to result in the same hash, wouldn't it be really annoying if my password of
    'Th!$,1sA]T0&gh(Pa^S$WoRd~9' came to the same hash as 'secret'.

    Are there any statistical or other methods which can be employed to determine the likelihood of your strong password matching a simple one?

  7. Re:Fed up reading such non-working stuff on Spamholes Fighting Spammers · Score: 1

    More importantly, make it illegal to advertise through spam, and kill the market.

  8. Re:Forking creates evolution on "Forking" Greatest Danger of Adopting Open Source? · Score: 1

    My sentiments exactly. I would say more, but you've said all that needs to be said on the matter.

    And I'm not even karma-whoring :)

  9. Re:PVP said it best... on 2000 Year Old Roman d20 Up For Auction · Score: 1

    Sadly, I caught it too.

  10. aired before its time on Fox Considering a Return of "Family Guy" · Score: 1

    Fox Television Entertainment Group chairman Sandy Grushow said a decision is expected soon and called the series a late-blooming phenomenon that may have aired before its time.

    And after its time, but never aired *at* its scheduled time...

  11. Good ol' NYT journalism on Google Considering Merger With Microsoft · Score: 2, Insightful

    "Netscape once threatened Microsoft with a software browser that promised to be an alternative to its overwhelmingly dominant computer operating system."

    Need I say more?

  12. Re:Um... on Should Hackers Get Their Own Logo? · Score: 1

    But if you do that, so will everyone else, and that would be sad.

    Doh!

  13. Cutting edge. on What's the Oldest Hardware You are Still Using? · Score: 1

    I'm still on FreeBSD 4.9 prerelease on my laptop, even though the 5.x alpha releases have been out for almost a year!

    And it does what I need just fine!

    Seriously though, a hosting company I used to work for had an old 486 providing web, email, and database services for about 500 domains.
    I think the main reason they got rid of it was it didn't fit in the co-lo's rack too well...

  14. Another vote for RT on How Do You Manage Requests in Your Organization? · Score: 1

    We've been using Request Tracker since it came about, both for ourselves for tech support and for a number of clients, including a car dealer who use it both in their sales department, and their services department.

  15. one good thing about Sobig on Lousy E-mail Filters Complicating Outlook Worms · Score: 1

    The one good thing about SoBig is the fact that it runs its own SMTP engine, and has predictable subjects. This let sendmail check the subject and reject it during the SMTP session, resulting in zero bounces.

    It is infinitely dumb on the part of the virus vendors to send out bounces when they *know* the virus fakes the from address.
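The point the comment above makes about *where* the check happens, as an added example written in Python rather than sendmail rules (it is not the commenter's configuration). Rejecting with a 5xx at the end of DATA means the worm's own SMTP engine receives the error and no bounce is ever generated; accepting and scanning afterwards forces the scanner to address its notice to the forged `From:`. The subject list is constructed for illustration and is not claimed to be any worm's exact strings; the sample messages are constructed too.

```python
"""Session-time rejection by subject vs. accept-then-bounce (added example).

The subject list and messages below are constructed for illustration.
"""
import re
from email import message_from_bytes

# Constructed stand-in for a worm's small set of fixed subject lines.
WORM_SUBJECTS = {
    "re: details", "your details", "thank you!", "re: thank you!",
    "re: approved", "re: that movie", "re: wicked screensaver",
    "re: your application", "re: re: my details",
}

def normalised_subject(raw_message):
    """Subject with header folding and case collapsed, so 'Re:\\r\\n Thank you!'
    matches 're: thank you!'. The compat32 parser keeps the fold whitespace,
    hence the explicit re.sub."""
    subj = message_from_bytes(raw_message).get("Subject", "")
    return re.sub(r"\s+", " ", subj).strip().lower()

def data_phase_verdict(raw_message):
    """Reply the receiving MTA sends after the DATA terminator. A 5xx here goes
    straight back to the sending engine: nothing was accepted, so nothing
    bounces."""
    if normalised_subject(raw_message) in WORM_SUBJECTS:
        return "550 5.7.1 Message rejected: known worm subject"
    return "250 2.0.0 Message accepted"

def accept_then_bounce(raw_message):
    """The behaviour the comment criticises: accept at DATA, detect later, and
    send a 'virus found' notice to the From: header, which the worm forged.
    Returns the SMTP reply plus who would receive the backscatter."""
    msg = message_from_bytes(raw_message)
    bounce_to = msg.get("From") if normalised_subject(raw_message) in WORM_SUBJECTS else None
    return {"reply": "250 2.0.0 Message accepted", "bounce_to": bounce_to}

# Constructed sample traffic.
WORM_MAIL = (b"From: innocent@example.org\r\nTo: victim@example.com\r\n"
             b"Subject: Re:\r\n Thank you!\r\n\r\nPlease see the attached file.\r\n")
NORMAL_MAIL = (b"From: friend@example.org\r\nTo: victim@example.com\r\n"
               b"Subject: Re: lunch?\r\n\r\nStill on for 12:30?\r\n")

if __name__ == "__main__":
    for label, mail in (("worm", WORM_MAIL), ("normal", NORMAL_MAIL)):
        print(label, "| at DATA:", data_phase_verdict(mail),
              "| accept-then-scan bounces to:", accept_then_bounce(mail)["bounce_to"])
```

The folded-subject sample is deliberate: a filter that compares the raw header line would miss `Re:` on one line and `Thank you!` on the next, while the worm's recipient MTA would still render it as the expected subject.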

  16. Re:Posting without reading on Microsoft Worms Crash Ohio Nuke Plant, MD Trains · Score: 1

    Wow! You didn't even read the slashdot story!

    Michael lumped two submissions into the one story - first the submission from stieglmant about the nuclear plant, then the submission from Russell about the trains. The comments about the firewall are part of Russell's submission, not Michael's.

    In case you're new here, editors' one-liners are in normal font, users' submissions are in italics. And stylewise, it would probably be better if editors stuck a <br> between each submission.

    I'm just amazed that two moderators thought this informative. Two points for overrated methinks :)

  17. Re:rumours? on Deregulation and Niagara Mohawk - Is There a Story? · Score: 1

    Yes lets...

    The Canadian PM is reported to be blaming lightning in Niagara as the primary cause.

    Maybe they can generate some power off the blushes of the engineers...

  18. Re:Standards? Ok. Compulsory standards? Not ok. on W3C Web Accessibility Standards 2.0 · Score: 1

    First off, accessibility is not just an issue for blind people. There are many disabilities which the WCAG guidelines try to cater for.

    Second, the web is not a visual medium, it is a mechanism to interconnect information. Markup languages structure this information which makes it easier to present in non-standard, but sensible, manners. That is why we should take on the web this way.

    Finally, most of the recommendations are common sense pointers, the fact that you found them highly frustrating indicates that you did not design the site well in the first place.
    Just having correct markup, and doing sensible things like filling in the alt tags on images, pretty much ensures level 1 compliance.

  19. Some devices advise against using rechargeables. on Rechargeable Batteries - Yes or No? · Score: 1

    Check the devices' manuals to see if they have any advice over which batteries to use.

    I bought a battery powered alarm clock a few months back, and the leaflet supplied with it explicitly warned against using any type of rechargeable batteries, although no reason was provided.

    Also, I'm pretty sure the manual for my MP3 player advised against using alkaline batteries.

    What are the valid reasons for not using rechargeable batteries with certain devices? Or do the manufacturers in question just happen to hold shares in a battery making company..?

  20. Re:Australian LUG,,, on Australian Linux User Group Fights Back Against SCO · Score: 1

    You forgot to apologise to anybody reading it...

  21. The /. effect en Deutsche on Build Your Own Computer · Score: 1

    You don't have by mission ton of ACCESS/mycpu g.htm on this servers.

    Unfortunately, Google's cache is empty, and it hasn't made it onto the wayback machine either...

    Anybody grab a copy?

  22. Generally known? on Memory Timings Analysis · Score: 1

    It's generally known that smaller and more aggressive memory timings combined with higher clock speeds leads to higher performance

    Inventive use of the term "generally known"...

  23. Re:Does anybody actually know how to read? on Verisign Granted DNS Lookup Patent · Score: 1

    the patent specifically says that the output is formatted into HTML

    Unfortunately not, to quote:

    For example, a domain name search may be implemented by a command line instruction.

    and

    The foregoing description of an implementation of the invention has been presented for purposes of illustration and description. It is not exhaustive and does not limit the invention to the precise form disclosed.

    So it doesn't matter how the results are presented, it's the fact that the results were gathered in the described manner that counts.
    Which is a shame, if they did specify HTML formatted output, I could throw in an unclosed <b> tag at the end, and it wouldn't be valid HTML :)

  24. Collectors Edition? on The Two Towers DVD Release Dates · Score: 1

    What I want to know, is when the 'Collectors Edition' will be released, and what'll come with it.
    The Fellowship came with two daff Argonath bookends, I'm wondering if the Two Towers will have Orthanc and Isengard bookends...

  25. Forbes checks in with the people in charge? on Slashback: Security, Telephony, Solicitude · Score: 1

    Funny thing, I thought Forbes was part of the people in charge...
    Steve Forbes, President, CEO and Editor-in-Chief of Forbes, happens to be one of the people behind the 'Project for the New American Century', being a co-signee of its Statement of Principles along with, among others, Donald Rumsfeld, Dick Cheney, and Jeb Bush.