"This image allows the user to sign up for a foobar.com e-mail account. If you see this image on another site please enter the word: fakeword"
Where fakeword is a random captcha style word, that the site recognizes as an attempt by a third party to get the user to solve the captcha.
The captcha site behaves as if it allowed the fakeword, except it doesn't actually create the account. Once a fakeword is used the site can take all sorts of measures like putting that IP address on a fakeword list. Thus it would not depend on every user of an image to enter the fakeword, just one honest user. One would need more than an IP list to deal with NAT, but you get the idea.
The user who entered the fakeword is rewarded, because the spammer site doesn't know that the fakeword is entered. They will need to attempt to login to the account to verify it. Sites could use either: 1) New accounts are not active for one hour. 2) Actually create fakeword accounts, but then delete them after an hour.
Just some rough ideas, but I am sure someone can come up with a solution to this spammer activity.
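One way a signup server could implement the fakeword idea above, as an added example that is not part of the original comment. The class and method names, the token format, and the choice to give every later signup from a flagged source a shadow account are assumptions of this example.

```python
import hmac
import secrets

ACTIVATION_DELAY = 3600  # seconds; the post's option 1: new accounts inactive for one hour


def _same(a, b):
    """Constant-time comparison on bytes, so non-ASCII input cannot raise."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class SignupGate:
    """Hypothetical signup backend; every name here is an assumption of this example."""

    def __init__(self):
        self.challenges = {}  # challenge id -> (real word, fakeword)
        self.accounts = {}    # username -> (created_at, genuine?)
        self.flagged = set()  # sources that submitted a fakeword (an IP alone is weak behind NAT)

    def issue(self):
        """Create a challenge: the real word is drawn in the image, the fakeword
        is printed in the 'if you see this image on another site' notice."""
        cid = secrets.token_hex(8)
        real = secrets.token_hex(3)
        fake = secrets.token_hex(3)
        while fake == real:
            fake = secrets.token_hex(3)
        self.challenges[cid] = (real, fake)
        return cid, real, fake

    def submit(self, cid, word, username, source, now):
        pair = self.challenges.pop(cid, None)  # each challenge is single-use
        if pair is None or username in self.accounts:
            return "rejected"
        real, fake = pair
        is_real, is_fake = _same(word, real), _same(word, fake)
        if is_fake:
            self.flagged.add(source)  # one honest user is enough to flag the relay
        if not (is_real or is_fake):
            return "rejected"
        # Assumption: once a source is flagged, even its correct answers
        # only ever produce shadow accounts.
        genuine = is_real and source not in self.flagged
        self.accounts[username] = (now, genuine)
        return "pending"  # identical reply for genuine and shadow accounts

    def can_login(self, username, now):
        created, genuine = self.accounts.get(username, (0, False))
        return genuine and now - created >= ACTIVATION_DELAY
```

Because both outcomes answer "pending" and nothing can log in for the first hour, the relaying site cannot tell at submission time whether its visitor typed the real word or the fakeword.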
First of all, make sure you are not "powered by" anyone. Earthlink and AOL resell the service and most people quickly want to get out of that situation. Earthlink and AOL have really bad support and slower download speeds than DirectWay directly.
It is 128kbps up and 400kbps down peak (For reference a T1 is 1540kbps up and down). It's expensive. I didn't realize it was $100/month for the first year and $60/month after that, but it is a two way Satellite system and those are still expensive. Most users seem to get better than 400kbps down, but somewhere around 30-80kbps up. With the one-way (dial-up systems) most users get 18-28kbps up due to the overhead in their protocol.
No phone line is required with the two-way system. There are one-way and two-way services offered.
This is something I wrote when I had the system and was using it over SSH:
"I am typing this e-mail over our new DirectWay system, and it is extremely painful. It is far worse than dial-up. Every character I type takes about one second to appear. I have to count the number of backspaces I want, number of arrow keys, etc.
C:\>ping [My ssh box hosted at Hurricane Electric]
Pinging [My ssh box] [1.2.3.4] with 32 bytes of data:
Reply from 1.2.3.4: bytes=32 time=1012ms TTL=242
Reply from 1.2.3.4: bytes=32 time=861ms TTL=242
Request timed out.
Request timed out.
Ping statistics for 1.2.3.4:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 861ms, Maximum = 1012ms, Average = 468ms
Ignore the average, Microsoft apparently counts dropped packets as 0ms.
I seem to be getting about 900ms ping times on average to most fast sites. We are getting about 750ms on average to the first hop.
The speeds vary a lot. When I did a speed test earlier I got 252kbps down/18kbps up. Right now I am getting a lot better:
CA server:
Test running.........
** Speed 827(down)/25(up) kbps **
(At least 16 times faster than a 56k modem)
LA server:
Test running.........
** Speed 653(down)/51(up) kbps **
(At least 13 times faster than a 56k modem)
(For comparison to what I got when I was on cable modem:
2002-03-05 23:03:40 Speed test (la) 780/124 kbps
2002-03-05 22:58:28 Speed test (wc) 772/109 kbps)
I also did the toast.net speed test and got a bit worse results, you can see them here: My toast results
I disabled their proxy server to speed up Web browsing, but their software comes up with annoying pop-ups that tell me that I am not using their proxy. I will set it back when I am done. Speed tests do not work through proxies, so that is the main reason I disabled it.
It took me about 20 minutes to write this e-mail and the connection dropped once during writing it."
I use SSH so much that I went back to dial-up before the trial period ended. I get about 150ms over a 56K connection so SSH is about 6 times slower. Web browsing wasn't improved enough to make the service worth it. Some sites seemed slower even. I believe any HTTPS sites, like checking my bank account, were terrible.
DSL reports has a FAQ available. It is a good site to check out when looking at new ISPs. DSL Reports Satellite FAQ
None of AOL's DNS servers are currently publishing TXT records.
% host -t txt aol.com dns-01.ns.aol.com
aol.com has no TXT record at dns-01.ns.aol.com (Authoritative answer)
% host -t txt aol.com dns-02.ns.aol.com
aol.com has no TXT record at dns-02.ns.aol.com (Authoritative answer)
% host -t txt aol.com dns-06.ns.aol.com
aol.com has no TXT record at dns-06.ns.aol.com (Authoritative answer)
% host -t txt aol.com dns-07.ns.aol.com
aol.com has no TXT record at dns-07.ns.aol.com (Authoritative answer)
So it isn't a matter of propagation. Either they put them out and decided to remove them or Slashdot failed to check that the article was correct -- but that would never happen.
Simple Authentication and Security Layer allows a user to identify themselves to a mail server. POBOX just needs to set up a mail server that uses SASL and then their users use that to send mail.
This is often referred to as SASL auth or sometimes SMTP auth.
They probably need to set it up on both port 25 and another port, generally 587, in case users' ISPs block connections to port 25.
Alternatively there are older solutions that may work for some mail services, like POP before send, where any IP address that has successfully logged into the POP server can send e-mail through the mail server for a certain period of time.
Basically once SPF catches on public mail services need to run their own mail servers. This makes sense, it's their e-mail and they should be responsible for sending it.
pobox.com seems to already be running SASL:
% host -t a sasl.smtp.pobox.com
sasl.smtp.pobox.com A 64.71.166.114
pobox.com is already publishing SPF records so it looks like they think it will work for them.
They are specifying the loose "? = unknown" for servers other than their own, but it is up to the receiving MTA to allow or deny "unknown".
They are following the SPF adoption strategy:
"Initially, domain owners can set ?all, which means "default unknown". They start educating their users to switch to SASL AUTH, and maybe set a local sunrise date.
When the vast majority of users are doing the right thing (sending mail out only through the domain's designated mailers) they change the default to -all, which means "default deny". That tells SPF-aware receiving servers that it's safe to reject SPF violations rather than classify them as spam."
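The switch from ?all to -all quoted above, seen from a receiving server, as an added example that is not pobox.com's record or any MTA's code. It handles only the ip4, ip6 and all mechanisms, uses constructed records on documentation addresses, and reports "?" as "neutral", the name later SPF specifications use for what the post calls "unknown"; the function names and the neutral_policy parameter are assumptions.

```python
import ipaddress

# Qualifier -> SPF result. "?" is the post's "unknown" (later specs: "neutral").
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate an SPF record against the connecting IP, left to right.
    Only ip4/ip6/all are supported; DNS-based mechanisms raise."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]  # first match wins; "all" always matches
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version != int(name[2]):
                return "permerror"  # e.g. an IPv6 range written after ip4:
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
            continue
        raise NotImplementedError("mechanism not handled in this example: " + term)
    return "neutral"  # nothing matched and the record has no "all"


def receiver_action(result, neutral_policy="accept"):
    """What a receiving MTA does with the result. The domain owner only
    publishes the qualifier; handling of "neutral" is the receiver's choice."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "flag"
    if result == "neutral":
        return neutral_policy
    return "accept"


# Constructed records for a hypothetical domain, before and after its sunrise date.
PHASE_1 = "v=spf1 ip4:192.0.2.0/24 ?all"
PHASE_2 = "v=spf1 ip4:192.0.2.0/24 -all"

if __name__ == "__main__":
    for record in (PHASE_1, PHASE_2):
        for sender in ("192.0.2.25", "198.51.100.7"):
            result = evaluate_spf(record, sender)
            print(record, sender, result, receiver_action(result))
```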
The biggest crap is their constant claim that they are providing a service.
If they wanted to provide a service they could set up public name servers that did recursive lookups and returned sitefinder for non-existent domains. Anyone who wanted the service could change their DNS server to use theirs. Then it would be a service and they wouldn't be forcing anyone to use it.
VeriSign could offer a patch or replacement DNS server to any ISP that wanted the service or allow them to forward all DNS lookups.
I'm sorry but forcing things upon everyone is not offering a service. I'm keeping my patched djbdns not only in case Verisign brings back sitefinder, but to continue to block the *.ac, *.cc, *.cx, *.museum, *.nu, *.ph, *.sh, *.tm, and *.ws wildcards, not that I really use those domains.
Wizard's First Rule: "People are Stupid. Given the proper motivation, people will believe anything because they either fear it is true, or because they want to believe it is true. People's heads are filled with knowledge, facts, and beliefs, and most of it is not true, but they think it is true. People can rarely tell the difference between the truth and a lie, yet they think they can, so they are fooled more easily. People want to believe, so they do."
I owned the 48G for about a year before getting the GX, which was a huge improvement. When I first got the 49G I kept going back to my 48GX for a while until I got used to the 49G. However, once I learned all the new features and got used to the new keyboard layout I really liked the 49G.
The 49G is faster than the 48GX, and its handling of some Calculus and higher level math is better. If I was buying a new calculator choosing between the 48GX and the 49G, I would go with the 49G.
That said the keys on the 48GX are definitely better, and the 49G has this annoying bug where it will just sit there every once in a while and do nothing for about a minute. This was really scary a few times when I was taking exams in College, is my calculator going to come back? From what I have read it has to do with a memory cleanup routine that runs every once in a while. I never noticed it on the 48G or 48GX.
The 49G+ is supposed to be coming out this or next month. If you aren't in a hurry I would see how that one turns out before spending the money.
But he isn't a bystander. The attacker is attempting to steal his passwords (and credit card numbers for those who don't notice and sending it unencrypted). I would consider myself under attack in such a situation.
That said I am not surprised by Charter's response. I had @Home for almost two years without technical issue (one double billing, which they resolved quickly), until they went under and I was switched to Charter's service. I spent over 40 hours on tech support with them trying to get them to finally find the missing entry in their database that was causing my service to be interrupted (I was down for 18 days). From my experience, I doubt one could find a more incompetent ISP.
A friend of mine posted this article to a private mailing list yesterday. I had the following to say.
Come on, don't buy into the media's interpretation of things. I am not
saying the research is bogus, just the article makes things sound
different than things are. If a physical wire operates at 1.5MHz serial,
there is no way to transmit more than 1.5Mbit/s over that link.
Obviously anyone who attempts to sell you software that does so is pulling
your chain. That said, Fast TCP is about four times faster than Linux's
TCP stack on a 1Gbit/s link (how many people do you know that have one of
those). That is because most existing TCP stacks do not perform well at
high speeds over long distances, because the demand hasn't been there yet.
Now with that said, different TCP's do make a big difference because of
TCP's built in congestion control. The basic idea of congestion control
is that a computer shouldn't send data faster than the routers along the
path can handle. There are formal proofs that also show that TCP's
congestion control guarantees that all TCP connections (using the same
implementation and equal round trip times) are given equal priority. The
basic idea is to pull back the transmit rate when a packet is dropped.
If all the Internet used UDP, which doesn't have congestion control, our
routers would be more overwhelmed than they currently are and everything
would slow down.
One can improve one's performance by pulling back less or by taking more
than one's fair share.
The statement that all the Internet uses the TCP developed in the 1970's
(called TCP Tahoe) is very much false. Most of the Internet runs TCP Reno
(1990) nowadays which includes Jacobson's modification of TCP Tahoe (1988)
and added fast recovery and fast retransmit. A number of improvements to
that have been discussed in TCP/IP Illustrated by Stevens (1994) and in
RFC 2581.
A newer version called TCP Vegas (1995) has been proposed which speeds up
performance dramatically and provides a more consistent transmission rate.
TCP Vegas hasn't really caught on yet. Fast TCP is a competitor to TCP
Vegas.
If you are still reading at this point I will give a more thorough
explanation. Whenever a recipient receives a packet it sends an ACK to
the sender with the packet it is expecting next.
When TCP starts out it starts in a mode called "slow start." It starts
off with a window size of 1, meaning it sends one packet and then waits
for the ACK. In slow start mode it increases the window size by one each
time an ACK is received until a packet is dropped. So next round it
transmits 2, then 4, then 8, until it hits the threshold (Stevens[1994]
suggests 65Kbytes). Once it hits the threshold it enters "collision
avoidance" mode and increases the window size by one each round (each ACK
by 1/window size).
If a sender transmits packets and does not receive any ACKs by the time
the timeout for the first packet occurs it pulls back all the way to a
window size of one and drops the threshold in half in both TCP Tahoe and
Reno. After going back to one, they start "slow start" again growing the
window size exponentially. The difference lies when one packet is dropped
but the next few packets are received in a timely manner. In this
situation the receiver will send back what is called a triple-ACK all
stating it is expecting the missing packet. When a triple-ACK is received
TCP Tahoe behaves the same as a timeout (window size to one, threshold in
half, slow start), while TCP Reno cuts both the window and the threshold
in half, then enters collision avoidance mode.
TCP Vegas works totally differently. It measures round trip time and
keeps track of the difference between expected and actual round trip time.
If the difference is more than a certain amount it adjusts the window size
in the appropriate direction. This method even detects router congestion
before the routers start dropping packets in some cases. TCP Vegas also
retransmits at a double-ACK
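The Tahoe and Reno reactions described above, as an added round-by-round window simulation that is not part of the original e-mail. The function name, the starting threshold of 16 packets, the floor of 2 on the threshold and the loss schedule are assumptions of this example; one list entry is one round trip.

```python
def simulate(variant, rounds, events, ssthresh=16):
    """Return the window size (in packets) used in each round.

    variant: "tahoe" or "reno"
    events:  {round_number: "timeout" | "triple_ack"} losses seen in that round
    """
    if variant not in ("tahoe", "reno"):
        raise ValueError("unknown variant: " + variant)
    cwnd = 1  # slow start begins with a window of one packet
    trace = []
    for rnd in range(rounds):
        trace.append(cwnd)
        event = events.get(rnd)
        if event is None:
            if cwnd < ssthresh:
                # Slow start: +1 per ACK doubles the window every round.
                cwnd = min(cwnd * 2, ssthresh)
            else:
                # Past the threshold: +1/window per ACK, i.e. +1 per round.
                cwnd += 1
        elif event in ("timeout", "triple_ack"):
            ssthresh = max(cwnd // 2, 2)  # both variants halve the threshold
            if event == "timeout" or variant == "tahoe":
                cwnd = 1          # back to one packet, then slow start again
            else:
                cwnd = ssthresh   # Reno on triple-ACK: halve and grow linearly
        else:
            raise ValueError("unknown event: " + event)
    return trace


if __name__ == "__main__":
    loss = {6: "triple_ack"}  # constructed schedule: one isolated drop in round 6
    for variant in ("tahoe", "reno"):
        trace = simulate(variant, 12, loss)
        print(variant, trace, "packets sent:", sum(trace))
```

With a single isolated drop the two variants differ only in the rounds after the loss, which is where Reno's extra throughput comes from; on a timeout the traces are identical.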
I'm not sure why the first post got a +4 informative as it was just a cut and paste of the CDN Web page.
JBoss (project page) is a Java Application Server for Enterprise Java Beans (EJBs). They are working on a free implementation of J2EE. It includes JBossServer which is the application server, JBossCX for JCA, JBossCMP for persistence, JBossMQ for JMS, JBossMail (obvious), JBossSX for JAAS, JBossTX for JTA/JTS, and more that you can see on the project page.
This is particularly true of programming, which I am beginning to suspect is never actually taught anywhere, because everyone has theories about programming, but no one has any science. All that exists in the programming world are fads and baseless dogmatic assertions.
May I suggest Introduction to Algorithms by Cormen, Leiserson, Rivest, and Stein? If you like the material, The Art of Computer Programming (three volumes) by Knuth is very detailed and very heavy on the math. If one does a thorough read of The Art of Computer Programming and takes the time to understand it, I don't see how one could not improve one's programming.
I was skimming over the responses to this article and the above is the first one I saw that addresses the real issues.
If we want reliable operating systems the above issues need to be solved.
Race conditions can be avoided using semaphores, but most modern operating systems and firmware are loaded with them. Most companies seem to feel that if it won't happen very often it is not worth the time and money to fix. Using semaphores then can create deadlocks.
I do not see a good way to solve the deadlocks problem. From Tanenbaum, there are four conditions that have to be met for a Deadlock to occur (I am rephrasing them here):
Mutual exclusion: Only one process may use a resource. Some resources can be spooled, but no solution to this exists for most resources.
Hold and wait: A process can request a resource while keeping a hold on another. We would need to develop a way to predict what resources a process will need. A lot of programs' resources depend on what input they receive. A program can't predict what will happen in the future.
No preemption condition: Resources may not be taken away from a process; the process must release them. There is no good way to take resources away.
Circular wait condition: More than one process, each waiting for a resource held by another process, where the order is such that they form a circular wait. One would have to come up with an order that programs have to request resources in to solve this issue, and because programs vary in functionality, no one order would work for all programs.
So unless someone can come up with a better way to manage resources, we will always have crashes.
As far as the application issues go, I believe that on a good operating system, no user level application should be able to crash the system. If it is possible, then the user is being given access they should not be given.
That leaves driver stability. One can standardize the driver API and provide templates. Microsoft takes the approach of driver certification. Open source operating systems take the approach that anyone with the skill can fix a broken driver.
Don't get me wrong, google is my favorite search engine. I just don't think they deserve any awards for Web page design.
The basic features of google are easy to access, but there are a whole bunch of google features that are not available from their main page. Google has their own features page (try getting to that from the front page), but there are all sorts of third party Web pages explaining some of the "hidden" features of google. Their "Advanced search" really does not offer many of their features. A better Web page design would have a link on the front page to all their other features. Some Web sites offer a site map, but I have not found one for Google.
A good user interface makes the basic functionality easy to use: google does this. But also makes the advanced functionality easy to find for those who want it: google does not do this.
First ISP created. Business is slow due to the fact that the Internet has no purpose, nobody knows about it, and more people own Betamax machines than computers.
Hobbes' lists:
1990:
The World comes on-line (world.std.com), becoming the first commercial provider of Internet dial-up access
The Internet wasn't officially cleared for commercial use until 1990 and I believe Software Tool & Die did some of the pushing and received some of the backlash for commercializing the Internet. But both UUNet and Netcom were around first, weren't they? When ARPAnet officially became the commercial "Internet", I believe UUNet changed their name to "Alternet." Netcom kept the same name.
As I recall I got my first Netcom shell account in 1990. I used e-mail, usenet, fsp, and ftp (and archie). Around 1991 or 1992 I think I started using irc. I recall using dipd(?) and later slirp(I think this link is to the same program, just a newer version) to turn my shell account into a slip/ppp account, but I didn't really start doing that until the Web came out as there wasn't much point prior.
Netcom was bought out by ICG, then Mindspring bought it from ICG, then Earthlink bought out Mindspring.
I lost my Netcom shell account around 1994, but some people still have their original 1988 @netcom.com e-mail address still maintained by Earthlink.
They reported it to their supervisor. Then the company has the ability to handle it how they like.
I don't see why anyone should get in trouble for reporting an illegal activity going on at work to their supervisor. I could understand if the employees directly went to the police or media and not giving the company the ability to handle it.
Maybe I've had the experience of working at better companies. A coworker and I had the wonderful experience of walking into work late one night and all the lights were off and one of the employees was sitting at a computer... well you get the idea. I reported it to my boss and the employee was fired the next day. There were logs that verified what was going on. Some things just aren't appropriate at work.
As a system administrator, I always make sure that there is a message drawn up by the legal department that we may discover things in the normal duties of our job. I have never poked around people's stuff. But I have had to go into people's home directories to fix things for them (my general policy is I don't touch your home directory unless you ask me to). However, I do go through system logs occasionally. If something turns up in system logs that shouldn't be there, I will report it to my boss.
One company I worked for had a policy that we were to ignore any porn found. That was fine with me, it's their decision. This was done after management decided to crack down on it, and it was found that the largest downloaders of porn were some of the vice presidents. After those results, the policy was quickly put in place.
Corporation A: "All employees must show up on election day when polls open (say 7:00am) and stay until polls close (say 8:00pm). Group A will go to vote at 10:00am, Group B will vote at 11:00am, etc. While waiting in line, if any member of your group requests fake cards, it shall be reported to management. A certain number of each group has been ordered to request fake ballots, we expect them to be reported. When returning to work, please return your ballot and report any suspicious behavior to your supervisor."
The solution:
The fake cards are available inside the voting booths themselves. No one other than the voter, knows if they took any, or how many. The only problem is that the staff would need to make sure that the booths did not run out of fake cards.
I realized that the fake cards still do allow auditing. Voters know which card is real and which isn't. If an organization wants to audit and can get enough people to give them the correct cards, it should match the election results. If the organization's audit fails, it could be due to two situations. 1) enough people gave the organization their fake cards instead of real cards, or 2) the election was tampered with. A court order for the real database will determine which is involved.
So any organization can still do a preliminary audit that will allow them to get the court order if the election fails the audit.
There is also another issue that needs to be addressed with fake cards. When the front desk is handed a card, "I messed up my ballot." They need to scan it and verify that it is a real card and not a fake card, before handing a new real card to the person.
This also creates the situation, where an employer could bribe to gain access to a poll booth during the election and gain access to the machine. The employer takes a certain percentage of their employees returned cards and scans them (which wipes the vote, but tells them if they were given real or fake cards). If the employer could threaten that a certain percentage of employees will be checked up on, it creates a problem.
The only solution to this I can see, is to remove the ability to request a new card and thus, remove the ability to scan for real vs. fake cards. Once the voter prints out their vote to the card, it is finished. If enough voters say their printout did not match what they voted for, they would have to push for an investigation.
There are many places where the vote could be corrupted at the polling place (such as handing voters fake cards instead of real cards in certain districts, or handing all non-caucasian voters fake cards) or inside the database. As far as I can tell, all of these would fail an organization audit.
The problem with two sets of votes on the same card is that there is more than one choice for a vote. To avoid coercion the fake vote would need to be what the voter was told to vote. But allowing the voter to choose the fake votes would not solve the problem. The coercing agent could tell the voter, "I want you to enter this for the real vote and this for the fake vote." If you prevented the real and fake votes from matching, the coercing agent could have the voter use their first and second choices. They would not know if they got their first or second choices, but they would get one of the two. Neither could be what the voter wanted.
So as I discussed in the other post, I think the only option is to allow the voter to come up with as many fake vote cards as they want. It does create problems with accounting as discussed in the other post.
If one counts enough of the printed cards and it does not add up to the results from the database, then the audit fails. It would be quite possible to determine that the database has been tampered with.
I don't think that votes should be changed. It is to verify that the system works. If we find that the system is not working, we should find out why it is not working, and it should be fixed.
You are right. I missed the coercion problem and that is at least as serious as the accountability problem. It is very hard to come up with an accountable system that is also immune to coercion.
How about this idea: make it possible to have fake votes entered into the system. The system knows they are fake votes, but when looked up after the fact they look like real votes. One can hand a card to one's boss that is a fake vote, they can look it up in the system and it shows them what they want to see. Only the voter knows which card is their real vote and which card is a fake vote.
This would also require either the ability to request a fake voter card at a polling place. This would most likely make the voter feel uncomfortable and what is stopping the polling place from handing out real voter cards when fake voter cards are requested. An alternative would be to allow the voter to print as many fake cards as they want after the vote, from home. One goes to a government Web site and you fill out a fake vote, it enters the vote into the system as a fake vote, and then allows the voter to print out the card. The cards would then have to be printable from standard printers. I don't see this as a real problem, because the serial numbers on the cards are the primary means to prevent people from bringing fake cards to the voting booths.
But then this makes the accountability much more difficult. Any organization trying to do accounting would have no way of telling fake votes from real votes. The system could also be corrupted into using the fake votes as real votes.
It would still be better than having no ability for any group that wanted to do some accounting of votes to be able to.
The only way I see of accomplishing this would be to have a way for the government to grant access to some organizations to do accounting and give them access to the real database. This then places trust on the government that I would rather not place. A corrupt government could then give access to the real database to large corporations who could monitor their employees.
The problem with not being able to bring the cards home, is it requires the government to cooperate with any accounting that is to be done. It requires that trust be placed on the government that the ballot boxes are not tampered with. In most districts most registered voters don't vote. What prevents the government from stuffing the ballot box? Even if the government did choose to allow an organization to count the ballot box after the vote, there is no way to know that it has not been tampered with. Right now the government only seems to grant access to the ballot boxes by court order. There is not much accountability on the ballot boxes themselves.
I think if there is some way that voters could bring home their vote without being coerced it would make voters feel more involved with the voting process. It would allow the voter to see that their vote was actually counted. It allows some accountability. The fake vote is one idea; do you have any better ideas?
I thought that preprinting the cards would make it more difficult to tie the cards to a particular voter. If the cards were printed after the voter signed in, the cards could be tied to a particular voter. I wanted it so that only the voter would know how they voted.
The problem I missed is the coercion problem. I will reply to one of those threads with a possible solution.
When one goes to the polls, you do the signup sheet thing. They hand you a card with a barcode on it. The barcode is not tied to the voter in any way. Only the voter knows their number.
Of course some algorithm would be used to generate the numbers and they would have large gaps. A good algorithm should prevent people bringing their own cards and hiding them in their pants, right? Smart chips could be used if people want to be paranoid (that would get expensive).
You go to a machine, insert the card. You place your votes on a touch screen. The software confirms your votes. Then it prints the results onto the card.
If you look at the card and see a mistake or for whatever reason, you go back to the main desk. They swipe the barcode, which cancels the vote and hand you a new card. If someone starts swiping invalid numbers the front desk is notified.
One can then bring the card home. After the election you can enter the barcode and check to make sure the database matches what is printed on the card.
This last one is important to me, because I feel it adds some accountability. If someone can get enough people to hand over their cards after an election an audit should be possible.
I've been up all night so this probably has holes in it, but what do you think of the overall process?
One could take the barcode thing a little farther and when the voter pamphlets are handed out there is a barcode printed on them that one can bring to the polls to make it easier for them to find the voter's name. One would still be required to sign (this isn't really any security, I assume it allows some legal protection). If the voter does not have the barcode they would be required to provide some form of identification. I don't flat out like requiring identification, but this provides a way out.
"This image allows the user to sign up for a foobar.com e-mail account. If you see this image on another site please enter the word: fakeword"
Where fakeword is a random captcha style word, that the site recognizes as an attempt by a third party to get the user to solve the captcha.
The captcha site behaves as if it allowed the fakeword, except it doesn't actually create the account. Once a fakeword is used the site can take all sorts of measures like putting that IP address on a fakeword list. Thus it would not depend on every user of an image to enter the fakeword, just one honest user. One would need more than an IP list to deal with NAT, but you get the idea.
The user who entered the fakeword is rewarded, because the spammer site doesn't know that the fakeword is entered. They will need to attempt to login to the account to verify it. Sites could use either: 1) New accounts are not active for one hour. 2) Actually create fakeword accounts, but then delete them after an hour.
Just some rough ideas, but I am sure someone can come up with a solution to this spammer activity.
First of all, make sure you are not "powered by" anyone. Earthlink and AOL resell the service and most people quickly want to get out of that situation. Earthlink and AOL have really bad support and slower downloads speeds then DirectWay directly.
It is 128kbps up and 400kbps down peak (For reference a T1 is 1540kbps up and down). It's expensive. I didn't realize it was $100/month for the first year and $60/month after that, but it is a two way Satellite system and those are still expensive. Most users seem to get better than 400kbps down, but somewhere around 30-80kbps up. With the one-way (dial-up systems) most users get 18-28kbps up due to the overhead in their protocol.
No phone line is required with the two-way system. There are one-way and two-way services offered.
This is something I wrote when I had the system and using it over SSH:
"I am typing this e-mail over our new DirectWay system, and it is extremely painful. It is far worse than dial-up. Every character I type takes
about one second to appear. I have to count the number of backspaces I want, number of arrow keys, etc.
C:\>ping [My ssh box hosted at Hurricane Electric]
Pinging [My ssh box] [1.2.3.4] with 32 bytes of data:
Reply from 1.2.3.4: bytes=32 time=1012ms TTL=242
Reply from 1.2.3.4: bytes=32 time=861ms TTL=242
Request timed out.
Request timed out.
Ping statistics for 1.2.3.4:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 861ms, Maximum = 1012ms, Average = 468ms
Ignore the average, Microsoft apparently counts dropped packets as 0ms.
I seem to be getting about 900ms ping times on average to most fast sites. We are getting about 750ms on average to the first hop.
The speeds vary a lot. When I did a speed test earlier I got 252kbps down/18kbps up. Right now I am getting a lot better:
CA server:
Test running.........
**Speed 827(down)/25(up) kbps **
(At least 16 times faster than a 56k modem)
LA server:
Test running.........
** Speed 653(down)/51(up) kbps **
(At least 13 times faster than a 56k modem)
(For comparison to what I got when I was on cable modem:
2002-03-05 23:03:40 Speed test (la) 780/124 kbps
2002-03-05 22:58:28 Speed test (wc) 772/109 kbps )
I also did the toast.net speed test and got a bit worse results, you can see them here: My toast results
I disabled their proxy server to speed up Web browsing, but their software comes up with annoying pop-ups that tell me that I am not using their proxy. I will set it back when I am done. Speed tests do not work through proxies, so that is the main reason I disabled it.
It took me about 20 minutes to write this e-mail and the connection dropped once during writing it."
I use SSH so much that I went back to dial-up before the trial period ended. I get about 150ms over a 56K connection so SSH is about 6 times slower. Web browsing wasn't improved enough to make the service worth it. Some sites seemed slower even. I believe any HTTPS sites, like checking my bank account, were terrible.
DSL reports has a FAQ available. It is a good site to check out when looking at new ISPs.
DSL Reports Satellite FAQ
None of AOL's DNS servers are currently publishing TXT records.
% host -t txt aol.com dns-01.ns.aol.com
aol.com has no TXT record at dns-01.ns.aol.com (Authoritative answer)
% host -t txt aol.com dns-02.ns.aol.com
aol.com has no TXT record at dns-02.ns.aol.com (Authoritative answer)
% host -t txt aol.com dns-06.ns.aol.com
aol.com has no TXT record at dns-06.ns.aol.com (Authoritative answer)
% host -t txt aol.com dns-07.ns.aol.com
aol.com has no TXT record at dns-07.ns.aol.com (Authoritative answer)
So it isn't a matter of propagation. Either they put them out and decided to remove them or Slashdot failed to check that the article was correct -- but that would never happen.
For example on my domain dszd0g.org the record looks like:
'dszd0g.org:v=spf1 include\072dragonpaw.org -all
The only pain is the need to use \072 for the : in the text record.
Simple Authentication and Security Layer allows a user to identify themselves to a mail server. POBOX just needs to set up a mail server that uses SASL and then their users use that to send mail.
This is often referred to as SASL auth or sometimes SMTP auth.
They probably need to set it up on both port 25 and another port, generally 587, in case users' ISPs block connections to port 25.
Alternatively there are older solutions that may work for some mail services, like POP before send, where any IP address that has successfully logged into the POP server can send e-mail through the mail server for a certain period of time.
Basically once SPF catches on public mail services need to run their own mail servers. This makes sense, it's their e-mail and they should be responsible for sending it.
In the case of pobox.com, they seem to already be running SASL:
% host -t a sasl.smtp.pobox.com
sasl.smtp.pobox.com A 64.71.166.114
pobox.com is already publishing SPF records so it looks like they think it will work for them.
% host -t txt pobox.com
pobox.com TXT "v=spf1 mx mx:fallback-relay.pobox.com a:emerald.pobox.com ?all"
They are specifying the loose "? = unknown" for servers other than their own, but it is up to the receiving MTA to allow or deny "unknown".
They are following the SPF adoption strategy:
"Initially, domain owners can set ?all, which means "default unknown". They start educating their users to switch to SASL AUTH, and maybe set a local sunrise date.
When the vast majority of users are doing the right thing (sending mail out only through the domain's designated mailers) they change the default to -all, which means "default deny". That tells SPF-aware receiving servers that it's safe to reject SPF violations rather than classify them as spam."
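The difference between `?all` and `-all` for a sender outside the listed hosts, as an added example that is not part of the original post: a small SPF evaluator run against the records quoted on this page. The `.example` host names, every address, and the `dragonpaw.org` record are constructed; only the `all`, `ip4`, `a`, `mx` and `include` mechanisms are handled (no CIDR suffixes on `a`/`mx`, no modifiers), and `tinydns_txt` reproduces the `\072` escaping of the tinydns line shown earlier on the page.

```python
import ipaddress

# "?" is what the post calls "unknown"; RFC 7208 names that result "neutral".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed resolver data so the example runs offline. The pobox.com and
# dszd0g.org TXT values are the ones quoted on the page; the rest is made up.
DNS = {
    "TXT": {
        "pobox.com": "v=spf1 mx mx:fallback-relay.pobox.com a:emerald.pobox.com ?all",
        "dszd0g.org": "v=spf1 include:dragonpaw.org -all",
        "dragonpaw.org": "v=spf1 ip4:198.51.100.0/24 -all",  # constructed
    },
    "MX": {
        "pobox.com": ["mx1.pobox.example"],
        "fallback-relay.pobox.com": ["relay.pobox.example"],
    },
    "A": {
        "mx1.pobox.example": ["192.0.2.10"],
        "relay.pobox.example": ["192.0.2.20"],
        "emerald.pobox.com": ["192.0.2.30"],
    },
}


def tinydns_txt(fqdn, text):
    """Render a tinydns-data TXT line; ':' separates fields there, so it is
    written as the octal escape \\072 (and a literal backslash as \\134)."""
    escaped = text.replace("\\", "\\134").replace(":", "\\072")
    return "'" + fqdn + ":" + escaped


def _hosts_match(ip, hosts):
    return any(ip == ipaddress.ip_address(addr)
               for host in hosts for addr in DNS["A"].get(host, []))


def check_host(ip, domain, txt=None, depth=0):
    """Evaluate sender address `ip` against the SPF record of `domain`.
    `txt` overrides the published record, for what-if comparisons."""
    if depth > 10:
        return "permerror"
    record = txt if txt is not None else DNS["TXT"].get(domain)
    if not record or record.split()[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = _hosts_match(ip, [arg or domain])
        elif name == "mx":
            matched = _hosts_match(ip, DNS["MX"].get(arg or domain, []))
        elif name == "include":
            # An include matches only if the included record says "pass".
            matched = check_host(str(ip), arg, depth=depth + 1) == "pass"
        else:
            return "permerror"  # mechanism or modifier this example does not handle
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"


def receiver_action(result, reject_neutral=False):
    """Local policy of the receiving MTA (hypothetical knob): fail is
    rejected; whether neutral is rejected is the receiver's choice."""
    if result == "fail" or (result == "neutral" and reject_neutral):
        return "reject"
    return "accept"


if __name__ == "__main__":
    outsider = "203.0.113.5"  # constructed address not listed by any record
    loose = DNS["TXT"]["pobox.com"]
    strict = loose.replace("?all", "-all")
    print(check_host(outsider, "pobox.com"), check_host(outsider, "pobox.com", txt=strict))
    print(tinydns_txt("dszd0g.org", DNS["TXT"]["dszd0g.org"]))
```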
The biggest crap is their constant claim that they are providing a service.
If they wanted to provide a service they could set up public name servers that did recursive lookups and returned sitefinder for non-existent domains. Anyone who wanted the service could change their DNS server to use theirs. Then it would be a service and they wouldn't be forcing anyone to use it.
VeriSign could offer a patch or replacement DNS server to any ISP that wanted the service or allow them to forward all DNS lookups.
I'm sorry but forcing things upon everyone is not offering a service. I'm keeping my patched djbdns not only in case Verisign brings back sitefinder, but to continue to block the *.ac, *.cc, *.cx, *.museum, *.nu, *.ph, *.sh, *.tm, and *.ws wildcards, not that I really use those domains.
Wizard's First Rule: "People are Stupid. Given the proper motivation, people will believe anything because they either fear it is true, or because they want to believe it is true. People's heads are filled with knowledge, facts, and beliefs, and most of it is not true, but they think it is true. People can rarely tell the difference between the truth and a lie, yet they think they can, so they are fooled more easily. People want to believe, so they do."
Terry Goodkind's Wizard's First Rule.
I owned the 48G for about a year before getting the GX, which was a huge improvement. When I first got the 49G I kept going back to my 48GX for a while until I got used to the 49G. However, once I learned all the new features and got used to the new keyboard layout I really liked the 49G.
The 49G is faster than the 48GX, and its handling of some Calculus and higher level math is better. If I was buying a new calculator choosing between the 48GX and the 49G, I would go with the 49G.
That said the keys on the 48GX are definitely better, and the 49G has this annoying bug where it will just sit there every once in a while and do nothing for about a minute. This was really scary a few times when I was taking exams in College, is my calculator going to come back? From what I have read it has to do with a memory cleanup routine that runs every once in a while. I never noticed it on the 48G or 48GX.
The 49G+ is supposed to be coming out this or next month. If you aren't in a hurry I would see how that one turns out before spending the money.
But he isn't a bystander. The attacker is attempting to steal his passwords (and credit card numbers, for those who don't notice and are sending them unencrypted). I would consider myself under attack in such a situation.
That said I am not surprised by Charter's response. I had @Home for almost two years without technical issue (one double billing, which they resolved quickly), until they went under and I was switched to Charter's service. I spent over 40 hours on tech support with them trying to get them to finally find the missing entry in their database that was causing my service to be interrupted (I was down for 18 days). From my experience, I doubt one could find a more incompetent ISP.
A friend of mine posted this article to a private mailing list yesterday. I had the following to say.
Come on, don't buy into the media's interpretation of things. I am not saying the research is bogus, just the article makes things sound different than things are. If a physical wire operates at 1.5MHz serial, there is no way to transmit more than 1.5Mbit/s over that link. Obviously anyone who attempts to sell you software that does so is pulling your chain. That said, Fast TCP is about four times faster than Linux's TCP stack on a 1Gbit/s link (how many people do you know that have one of those). That is because most existing TCP stacks do not perform well at high speeds over long distances, because the demand hasn't been there yet.
Now with that said, different TCP's do make a big difference because of TCP's built in congestion control. The basic idea of congestion control is that a computer shouldn't send data faster than the routers along the path can handle. There are formal proofs that also show that TCP's congestion control guarantees that all TCP connections (using the same implementation and equal round trip times) are given equal priority. The basic idea is to pull back the transmit rate when a packet is dropped.
If all the Internet used UDP, which doesn't have congestion control, our routers would be more overwhelmed than they currently are and everything would slow down.
One can improve one's performance by pulling back less or by taking more than one's fair share.
The statement that all the Internet uses the TCP developed in the 1970's (called TCP Tahoe) is very much false. Most of the Internet runs TCP Reno (1990) nowadays which includes Jacobson's modification of TCP Tahoe (1988) and added fast recovery and fast retransmit. A number of improvements to that have been discussed in TCP/IP Illustrated by Stevens (1994) and in RFC 2581.
A newer version called TCP Vegas (1995) has been proposed which speeds up performance dramatically and provides a more consistent transmission rate. TCP Vegas hasn't really caught on yet. Fast TCP is a competitor to TCP Vegas.
If you are still reading at this point I will give a more thorough explanation. Whenever a recipient receives a packet it sends an ACK to the sender with the packet it is expecting next.
When TCP starts out it starts in a mode called "slow start." It starts off with a window size of 1, meaning it sends one packet and then waits for the ACK. In slow start mode it increases the window size by one each time an ACK is received until a packet is dropped. So next round it transmits 2, then 4, then 8, until it hits the threshold (Stevens[1994] suggests 65Kbytes). Once it hits the threshold it enters "collision avoidance" mode and increases the window size by one each round (each ACK by 1/window size).
If a sender transmits packets and does not receive any ACKs by the time the timeout for the first packet occurs it pulls back all the way to a window size of one and drops the threshold in half in both TCP Tahoe and Reno. After going back to one, they start "slow start" again growing the window size exponentially. The difference lies when one packet is dropped but the next few packets are received in a timely manner. In this situation the receiver will send back what is called a triple-ACK all stating it is expecting the missing packet. When a triple-ACK is received TCP Tahoe behaves the same as a timeout (window size to one, threshold in half, slow start), while TCP Reno cuts both the window and the threshold in half, then enters collision avoidance mode.
TCP Vegas works totally differently. It measures round trip time and keeps track of the difference between expected and actual round trip time. If the difference is more than a certain amount it adjusts the window size in the appropriate direction. This method even detects router congestion before the routers start dropping packets in some cases. TCP Vegas also retransmits at a double-ACK
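The Tahoe and Reno reactions described above, as an added example that is not part of the original post: a round-by-round window simulation. It assumes whole-segment windows, an initial threshold of 16 segments, a constructed loss schedule, and RFC 2581's rule of setting the threshold to half the current window (minimum two segments) on a loss; the mode the post calls "collision avoidance" is the branch RFC 2581 names congestion avoidance.

```python
def simulate(variant, events, ssthresh=16):
    """Return the congestion window (in segments) used in each round.

    variant: "tahoe" or "reno"
    events:  one entry per round: None (all ACKed), "triple_ack" or "timeout"
    """
    if variant not in ("tahoe", "reno"):
        raise ValueError("variant must be 'tahoe' or 'reno'")
    cwnd = 1  # slow start begins with a window of one segment
    trace = []
    for event in events:
        trace.append(cwnd)
        if event == "timeout" or (event == "triple_ack" and variant == "tahoe"):
            # Timeout in both variants, and any loss signal in Tahoe:
            # halve the threshold, drop the window to one, slow start again.
            ssthresh = max(cwnd // 2, 2)
            cwnd = 1
        elif event == "triple_ack":
            # Reno: halve the threshold and continue from it, skipping
            # slow start and going straight to linear growth.
            ssthresh = max(cwnd // 2, 2)
            cwnd = ssthresh
        elif cwnd < ssthresh:
            # Slow start: the window doubles each round up to the threshold.
            cwnd = min(cwnd * 2, ssthresh)
        else:
            # Congestion avoidance: one more segment per round.
            cwnd += 1
    return trace


# Constructed loss schedule: six clean rounds, one isolated drop reported by
# a triple-ACK, five clean rounds, one timeout, three clean rounds.
SCHEDULE = [None] * 6 + ["triple_ack"] + [None] * 5 + ["timeout"] + [None] * 3


def compare(events=SCHEDULE):
    """Per-variant window trace and total segments sent over the schedule."""
    result = {}
    for variant in ("tahoe", "reno"):
        trace = simulate(variant, events)
        result[variant] = {"trace": trace, "segments": sum(trace)}
    return result


if __name__ == "__main__":
    for variant, data in compare().items():
        print(variant, data["segments"], data["trace"])
```

The two traces are identical up to the triple-ACK and after the timeout; the difference in total segments comes entirely from Reno not restarting slow start after the isolated drop.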
99,999 bogus patents on the wall, 99,999 bogus patents. If one of those patents should happen to fall, 99,998 bogus patents on the wall...
I'm not sure why the first post got a +4 informative as it was just a cut and paste of the CDN Web page.
JBoss (project page) is a Java Application Server for Enterprise Java Beans (EJB's). They are working on a free implementation of J2EE. It includes JBossServer which is the application server, JBossCX for JCA, JBossCMP for persistence, JBossMQ for JMS, JBossMail (obvious), JBossSX for JAAS, JBossTX for JTA/JTS, and more that you can see on the project page.
There is always the Google cache too.
This is particularly true of programming, which I am beginning to suspect is never actually taught anywhere, because everyone has theories about programming, but no one has any science. All that exists in the programming world are fads and baseless dogmatic assertions.
May I suggest Introduction to Algorithms by Cormen, Leiserson, Rivest, and Stein? If you like the material, The Art of Computer Programming (three volumes) by Knuth is very detailed and very heavy on the math. If one does a thorough read of The Art of Computer Programming and takes the time to understand it, I don't see how one could not improve one's programming.
Haven't you always wanted to know how loud your classmates snore during class? Or your coworkers during a meeting?
Seriously though, adjusting volume based on background noise is a nice feature.
I was skimming over the responses to this article and the above is the first one I saw that addresses the real issues.
If we want reliable operating systems the above issues need to be solved.
Race conditions can be avoided using semaphores, but most modern operating systems and firmware are loaded with them. Most companies seem to feel that if it won't happen very often it is not worth the time and money to fix. Using semaphores then can create deadlocks.
I do not see a good way to solve the deadlocks problem. From Tanenbaum, there are four conditions that have to be met for a Deadlock to occur (I am rephrasing them here):
Mutual exclusion: Only one process may use a resource. Some resources can be spooled, but no solution to this exists for most resources.
Hold and wait: A process can request a resource while keeping a hold on another. We would need to develop a way to predict what resources a process will need. A lot of programs' resources depend on what input they receive. A program can't predict what will happen in the future.
No preemption condition: Resources may not be taken away from a process; the process must release them. There is no good way to take resources away.
Circular wait condition: More than one process, each waiting for a resource held by another process, where the order is such that they form a circular wait. One would have to come up with an order that programs have to request resources in to solve this issue, and because programs vary in functionality, no one order would work for all programs.
So unless someone can come up with a better way to manage resources, we will always have crashes.
As far as the application issues go, I believe that on a good operating system, no user level application should be able to crash the system. If it is possible, then the user is being given access they should not be given.
That leaves driver stability. One can standardize the driver API and provide templates. Microsoft takes the approach of driver certification. Open source operating systems take the approach that anyone with the skill can fix a broken driver.
Don't get me wrong, google is my favorite search engine. I just don't think they deserve any awards for Web page design.
The basic features of google are easy to access, but there are a whole bunch of google features that are not available from their main page. Google has their own features page (try getting to that from the front page), but there are all sorts of third party Web pages explaining some of the "hidden" features of google. Their "Advanced search" really does not offer many of their features. A better Web page design would have a link on the front page to all their other features. Some Web sites offer a site map, but I have not found one for Google.
A good user interface makes the basic functionality easy to use: google does this. But also makes the advanced functionality easy to find for those who want it: google does not do this.
The Lemon lists in 1990:
First ISP created. Business is slow due to the fact that the Internet has no purpose, nobody knows about it, and more people own Betamax machines than computers.
Hobbes' lists:
1990:
The World comes on-line (world.std.com), becoming the first commercial provider of Internet dial-up access
UUnet started in 1987 and Netcom started in 1998.
The Internet wasn't officially cleared for commercial use until 1990 and I believe Software Tool & Die did some of the pushing and received some of the backlash for commercializing the Internet. But both UUNet and Netcom were around first weren't they? When ARPAnet officially became the commercial "Internet", I believe UUNet changed their name to "Alternet." Netcom kept the same name.
As I recall I got my first Netcom shell account in 1990. I used e-mail, usenet, fsp, and ftp (and archie). Around 1991 or 1992 I think I started using irc. I recall using dipd(?) and later slirp (I think this link is to the same program, just a newer version) to turn my shell account into a slip/ppp account, but I didn't really start doing that until the Web came out as there wasn't much point prior.
Netcom was bought out by ICG, then Mindspring bought it from ICG, then Earthlink bought out Mindspring.
I lost my Netcom shell account around 1994, but some people still have their original 1988 @netcom.com e-mail address still maintained by Earthlink.
They reported it to their supervisor. Then the company has the ability to handle it how they like.
I don't see why anyone should get in trouble for reporting an illegal activity going on at work to their supervisor. I could understand if the employees directly went to the police or media and did not give the company the ability to handle it.
Maybe I've had the experience of working at better companies. A coworker and I had the wonderful experience of walking into work late one night and all the lights were off and one of the employees was sitting at a computer... well you get the idea. I reported it to my boss and the employee was fired the next day. There were logs that verified what was going on. Some things just aren't appropriate at work.
As a system administrator, I always make sure that there is a message drawn up by the legal department that we may discover things in the normal duties of our job. I have never poked around people's stuff. But I have had to go into people's home directories to fix things for them (my general policy is I don't touch your home directory unless you ask me to). However, I do go through system logs occasionally. If something turns up in system logs that shouldn't be there, I will report it to my boss.
One company I worked for had a policy that we were to ignore any porn found. That was fine with me, it's their decision. This was done after management decided to crack down on it, and it was found that the largest downloaders of porn were some of the vice presidents. After those results, the policy was quickly put in place.
O.K., I found a flaw in this idea and a solution.
The flaw:
Corporation A: "All employees must show up on election day when polls open (say 7:00am) and stay until polls close (say 8:00pm). Group A will go to vote at 10:00am, Group B will vote at 11:00am, etc. While waiting in line, if any member of your group requests fake cards, it shall be reported to management. A certain number of each group has been ordered to request fake ballots, we expect them to be reported. When returning to work, please return your ballot and report any suspicious behavior to your supervisor."
The solution:
The fake cards are available inside the voting booths themselves. No one other than the voter, knows if they took any, or how many. The only problem is that the staff would need to make sure that the booths did not run out of fake cards.
I realized that the fake cards still do allow auditing. Voters know which card is real and which isn't. If an organization wants to audit and can get enough people to give them the correct cards, it should match the election results. If the organization's audit fails, it could be due to two situations. 1) enough people gave the organization their fake cards instead of real cards, or 2) the election was tampered with. A court order for the real database will determine which is involved.
So any organization can still do a preliminary audit that will allow them to get the court order if the election fails the audit.
There is also another issue that needs to be addressed with fake cards. When the front desk is handed a card, "I messed up my ballot." They need to scan it and verify that it is a real card and not a fake card, before handing a new real card to the person.
This also creates the situation, where an employer could bribe to gain access to a poll booth during the election and gain access to the machine. The employer takes a certain percentage of their employees returned cards and scans them (which wipes the vote, but tells them if they were given real or fake cards). If the employer could threaten that a certain percentage of employees will be checked up on, it creates a problem.
The only solution to this I can see, is to remove the ability to request a new card and thus, remove the ability to scan for real vs. fake cards. Once the voter prints out their vote to the card, it is finished. If enough voters say their printout did not match what they voted for, they would have to push for an investigation.
There are many places where the vote could be corrupted at the polling place (such as handing voters fake cards instead of real cards in certain districts, or handing all non-caucasian voters fake cards) or inside the database. As far as I can tell, all of these would fail an organization audit.
In Re:Your proposal is Dangerous I came up with a similar idea.
The problem with two sets of votes on the same card is that there is more than one choice for a vote. To avoid coercion the fake vote would need to be what the voter was told to vote. But allowing the voter to choose the fake votes would not solve the problem. The coercing agent could tell the voter, "I want you to enter this for the real vote and this for the fake vote." If you prevented the real and fake votes from matching, the coercing agent could have the voter use their first and second choices. They would not know if they got their first or second choices, but they would get one of the two. Neither could be what the voter wanted.
So as I discussed in the other post, I think the only option is to allow the voter to come up with as many fake vote cards as they want. It does create problems with accounting as discussed in the other post.
If one counts enough of the printed cards and it does not add up to the results from the database, then the audit fails. It would be quite possible to determine that the database has been tampered with.
I don't think that votes should be changed. It is to verify that the system works. If we find that the system is not working, we should find out why it is not working, and it should be fixed.
You are right. I missed the coercion problem and that is at least as serious as the accountability problem. This is very hard to come up with an accountable system that is also immune to coercion.
How about this idea: make it possible to have fake votes entered into the system. The system knows they are fake votes, but when looked up after the fact they look like real votes. One can hand a card to one's boss that is a fake vote, they can look it up in the system and it shows them what they want to see. Only the voter knows which card is their real vote and which card is a fake vote.
This would also require either the ability to request a fake voter card at a polling place. This would most likely make the voter feel uncomfortable and what is stopping the polling place from handing out real voter cards when fake voter cards are requested. An alternative would be to allow the voter to print as many fake cards as they want after the vote, from home. One goes to a government Web site and you fill out a fake vote, it enters the vote into the system as a fake vote, and then allows the voter to print out the card. The cards would then have to be printable from standard printers. I don't see this as a real problem, because the serial numbers on the cards are the primary means to prevent people from bringing fake cards to the voting booths.
But then this makes the accountability much more difficult. Any organization trying to do accounting would have no way of telling fake votes from real votes. The system could also be corrupted into using the fake votes as real votes.
It would still be better than having no ability for any group that wanted to do some accounting of votes to be able to.
The only way I see of accomplishing this would be to have a way for the government to grant access to some organizations to do accounting and give them access to the real database. This then places trust on the government that I would rather not place. A corrupt government could then give access to the real database to large corporations who could monitor their employees.
The problem with not being able to bring the cards home, is it requires the government to cooperate with any accounting that is to be done. It requires that trust be placed on the government that the ballot boxes are not tampered with. In most districts most registered voters don't vote. What prevents the government from stuffing the ballot box? Even if the government did choose to allow an organization to count the ballot box after the vote, there is no way to know that it has not been tampered with. Right now the government only seems to grant access to the ballot boxes by court order. There is not much accountability on the ballot boxes themselves.
I think if there is some way that voters could bring home their vote without being coerced it would make voters feel more involved with the voting process. It would allow the voter to see that their vote was actually counted. It allows some accountability. The fake vote is one idea; do you have any better ideas?
I thought that preprinting the cards would make it more difficult to tie the cards to a particular voter. If the cards were printed after the voter signed in, the cards could be tied to a particular voter. I wanted it so that only the voter would know how they voted.
The problem I missed is the coercion problem. I will reply to one of those threads with a possible solution.
Any opinions on the following:
When one goes to the polls, you do the signup sheet thing. They hand you a card with a barcode on it. The barcode is not tied to the voter in any way. Only the voter knows their number.
Of course some algorithm would be used to generate the numbers and they would have large gaps. A good algorithm should prevent people bringing their own cards and hiding them in their pants, right? Smart chips could be used if people want to be paranoid (that would get expensive).
You go to a machine, insert the card. You place your votes on a touch screen. The software confirms your votes. Then it prints the results onto the card.
If you look at the card and see a mistake or for whatever reason, you go back to the main desk. They swipe the barcode, which cancels the vote and hand you a new card. If someone starts swiping invalid numbers the front desk is notified.
One can then bring the card home. After the election you can enter the barcode and check to make sure the database matches what is printed on the card.
This last one is important to me, because I feel it adds some accountability. If someone can get enough people to hand over their cards after an election an audit should be possible.
I've been up all night so this probably has holes in it, but what do you think of the overall process?
One could take the barcode thing a little farther and when the voter pamphlets are handed out there is a barcode printed on them that one can bring to the polls to make it easier for them to find the voter's name. One would still be required to sign (this isn't really any security, I assume it allows some legal protection). If the voter does not have the barcode they would be required to provide some form of identification. I don't flat out like requiring identification, but this provides a way out.