Slashdot Mirror


User: jeremyp

jeremyp's activity in the archive.

Stories: 0
Comments: 2,700

Comments · 2,700

  1. Re:Changing SMTP on IETF to Look at Spam · · Score: 1

    > Another option is to encrypt the mail with Bob's public key (assuming that spammers' scripts won't be clever enough to get your public key from your web page).

    How about all e-mail addresses have a public key associated with them? This causes some pain in that SMTP messages can no longer have multiple recipients (because the body for each recipient will be different) but infinite pain for spammers who have to send 10,000 individually encrypted messages instead of one message with 10,000 envelope recipients.

    Non-encrypted messages result in a response from the server behind the MX record which says "please resend your message using the attached public key" with the public key of the recipient as a MIME attachment.

    This means that unsolicited mail has to give a legit return address to obtain the public key and as stated before it has to be encrypted differently for each recipient. Furthermore, the solution is completely backward compatible with the existing e-mail infrastructure.

  2. Re:Well of course on What High End Unix Features are Missing from Linux? · · Score: 1

    What is the point of distributing a package if nobody can figure out how to use it?

  3. Re:Why does sendmail still in use? on Sendmail Bug Tests US Dept Homeland Security · · Score: 3, Informative

    > If you look closely, you'll find that there are quite a number of completely different programs now that are called "sendmail".

    No there aren't. There is one program called sendmail that you can obtain from sendmail.org. It's an open source program that has suffered from source code forks in the past. But there is pretty much only one source tree that counts now.

    > It has been widely understood that the original sendmail program was an overly-complex beast that tried to do everything for everyone, and was probably not fixable in any general sense.

    It hasn't been a serious security risk for at least five years. Yes it's a complex piece of software, but providing the full functionality required of a modern SMTP MTA is a complex task.

    > Because there has been so much software installed that knows how to talk to the original sendmail, it has been common to make new mailers present the same UI to the world. This way, a new mailer can just be dropped in as a replacement for sendmail, and everything works.

    Providing a sendmail compatible command line interface does not make an MTA sendmail. Do not call other MTAs "sendmail" or the sendmail consortium lawyers may sue you. In fact to be a true drop in replacement a program would have to understand the sendmail config file. Since most replacements have tried to get away from using the config file aka programming language used by sendmail, I'd be surprised if any of them could be described as a true drop in.

    > In effect, "sendmail" is now just a description of a set of command-line options used in the rc and cron scripts.

    No it isn't.

    > If a mail daemon implements these, it can be dropped in as a replacement for whatever "sendmail" is there, and it'll do the job required on your system.

    Do you even know what the job of sendmail (or another MTA) is?

    > On several systems, I've replaced sendmail with a small (100-200 lines) perl script that mimics all the functionality in use there. This has given me a large number of geek points among non-perl-hackers. I just grin and say something like "That's trivial for a true perl guru." They don't have to know that it doesn't take a perl guru to do such a job.

    I haven't seen your code, but I'm guessing you have just replaced the command line functionality that allows you to inject a text file as an SMTP message into port 25 of a real MTA. You probably haven't implemented proper queuing, background delivery, prioritisation, alias handling, masquerading, routing, TLS, SMTP AUTH, LDAP routing etc etc etc.

    > This does bring up a significant question about this news item. When they talk about a "sendmail flaw", which sendmail are they talking about? Presumably it only affects one of the N sendmails that are in use.

    They are talking about sendmail. It apparently affects several releases of that package, see sendmail.org for more details.

    > Of course, one interpretation of the push to install a "patch" is that this purported patch is merely a way of getting one specific sendmail clone installed as widely as possible. I'd guess that this "patch" is not, say, a set of source diffs, but is a binary. When you install it, you are replacing your current sendmail with a completely different program. Since the article refers to the Sendmail Consortium, this "patch" is probably a version of the original, sendmail. When you install it, you have reverted to a version of the old, bloated sendmail, which probably now has zillions of security holes waiting to be discovered.

    There are so many inaccurate statements in this paragraph, I almost don't know where to begin. The only true statement in it is: "Since the article refers to the Sendmail Consortium, this "patch" is probably a version of the original, sendmail". The article is only a news story about the way the flaw has been reported. If you want information on the patch go to sendmail.org where you will find a description of the problem and a patch in source diff format and sendmail 8.12.8 which is the new release with the patch applied. Note that they only distribute it in source code format.

    Please get a clue before your next post.

  4. Re:how did others do it? on How Much Does it Cost to Produce a Recording? · · Score: 1

    A few years ago George Martin (produced all the Beatles albums except Let It Be) did an interview on BBC radio to mark the release of the first Beatles albums on CD (mid 1980s as I recall). His remarks were that the early albums were recorded in mono because they did not have stereo recording equipment. When they did get stereo equipment at first they used it to effectively double the number of tracks that they could record (each stereo channel was treated like a separate track).

    Moving on, even when they got to Sergeant Pepper, the mono version was mixed differently to the stereo version with the mono version taking priority (they spent three weeks mixing it against three days for the stereo apparently). When you think about it, this makes complete sense - almost their entire target audience would have been using mono turntables.

    BTW the first album (Please Please Me) was recorded in 13 hours of studio time.

  5. Re:Build not buy on South African Gov't Declared An Open Source Zone · · Score: 1

    It's because proprietary (which is not quite the same as closed source) applications tend to work more or less out of the box.

    If you build your own app where an off the shelf solution already exists (be it closed or open source), you are letting yourself in for whole heaps of trouble. You have to fund the entire development yourself and let's be honest: bespoke software developments haven't exactly got a good reputation for being delivered on time, to budget and in reasonable working condition.

    With closed source solutions you may have to spend money on forced upgrades every couple of years and there is the risk of the company going bust or simply discontinuing the product (escrow agreements might help there). However, if you are rolling your own you have to pay the entire dev costs (i.e. the salaries of lots of developers and a PM), you have to pay for a team of people to maintain the code after it's finished and you're as vulnerable there with people getting bored and leaving as with companies deciding to stop supporting their products.

    Theoretically, open source off the shelf products are better in some respects than proprietary products. e.g. if the official maintenance team gets wound up, you still have the source code. But in reality, no end user is going to hire the staff to maintain an out-of-support product even if they do have the source code.

  6. Re:Screw bluetooth... on Garmin Palm Device With GPS · · Score: 4, Informative

    No, Palm OS is a lot smaller than the equivalent Pocket PC or whatever Microsoft is calling it now.

    32Mb is a lot for the average Palm device. Mine only has 8Mb and I've never got close to filling it.

    However, 32Mb is smallish for GPS mapping. I have a Garmin GPS receiver with 24Mb which is not enough to get the Garmin maps for the whole UK in.

  7. Re:Jamming GPS would not be effective on GPS Jamming for $50 · · Score: 1

    The reason GPS tracks are sometimes not on the roads is more likely due to poor reception of the satellite signal. There's nothing like a few tall buildings to mung your GPS receiver.

  8. Re:You've obviously never used SMS or IM on SMS Messaging Unreliable · · Score: 1

    > 2. Receiving an SMS is far less intrusive than receiving a phone call. So you don't need to think twice before messaging someone about something totally trivial. Its a great way to stay in touch with people.

    > Uh, so you consider the promotion of trivial relationships a selling point of SMS? I can do without, but if that's all you have to hold on to then enjoy (I guess).

    Why don't you try reading the comment? There is a difference between a trivial comment and a trivial relationship.

    > Yet another amusing line of reasoning. Allow me to translate: "My cellular provider ass rapes me for voice calls, so I don't feel so bad being charged somewhat less to type out in 5 minutes what I could have said in 5 seconds."

    You can make a five second international phone call that a) conveys any information whatsoever and b) only costs 2 cents. I'm impressed.

  9. Re:SMS is Monty Python humour on SMS Messaging Unreliable · · Score: 1

    SMS messages are asynchronous which means that the person at the other end does not have to answer the phone for the message to get through.

    In most of the World, SMS messages are much more reliable than 93%. It's just in the USA that the mobile phone infrastructure is a total abortion.

    In the UK most mobile phone contracts come with a certain number of free text messages per month. This means that I can send more messages than I actually do totally free of charge (I am not charged for receiving text messages). I am OTOH charged for accessing my voice mail.

    Agree with you about the bastardised spelling though.

  10. Re:The Mac is Sexy but so are some PCs on Mac vs. PC Digital Photography Comparison · · Score: 2

    New Powerbooks like the one I have on order have a 64Mb Radeon 9000 in them. The reason I have one on order is because my old 500MHz Powerbook is showing its age a bit (I dropped it and now the DVD-ROM and one screen hinge is broken). Other than that, it would still be a fine machine. It's easily fast enough for my purposes (office type work, development type work), so I'm looking forward to the new one.

    Even though it's two years old, people still comment on what a fab laptop it is. Looks count I guess :)

  11. Re:Image of the IT industry on Girls not Going into CS · · Score: 2

    The best software people I know are the ones that finish the job and don't leave the company with an incomplete solution.

  12. Re:common fault on Flaw Found In Ethernet Device Drivers · · Score: 3, Informative

    The Word problem is far worse than that. The "fast save" facility just tacks amendments onto the end of the original document. You can often find earlier drafts of documents (or even completely different documents) by doing strings on them.

    Nowadays I send all docs out in pdf format.

  13. Re:It needs to be done on Sendmail Performance Tuning · · Score: 2

    You have no idea what you are talking about.

    What you describe is sendmail as it existed about 5 years ago. Any reasonably intelligent sysadm could get a simple sendmail config downloaded from the distro site and running in a couple of hours.

    The security problems are largely a thing of the past too. Apart from a couple of minor obscure and possibly unexploitable problems (and that embarrassing trojan in the build process), there have been no security problems with sendmail for years.

    Sendmail might not be the fastest, but how fast does your mail server have to be? I was able to get eight messages / second out of my G4 powerbook without any tuning whatsoever. This is not really a lot, but otoh represents nearly 30,000 messages per hour. How many do you get every day?

  14. Re:Qmail! on Sendmail Performance Tuning · · Score: 2

    If your SMTP server has to route mails to different mail servers depending on the recipient address, LDAP support is very useful. You can also do things like move your alias tables into the LDAP server, use the LDAP server to authenticate people for routing (SMTP AUTH), use the LDAP server to masquerade senders etc etc etc.

    LDAP is supported out of the box with sendmail, no need to download extra patches and stuff.

  15. Re:not slow, but poor nonetheless on Linux Number Crunching: Languages and Tools · · Score: 2

    I think that the Java programmers should calm down and admit that the language is not very fast. The number of times I've seen them write "it's fast if you write your code carefully" and fail to see the irony of the statement is amazing. The whole point of Java is that you don't *have* to write things "carefully". C and C++ programs don't have issues with memory leaks and buffer overflows if you write them carefully.

    Anyway, hand optimisation is often a bad thing. Good compilers / interpreters are written by people with a much better understanding of the machine architecture than the average high level language application programmer and attempted hand optimisations can actually make performance worse. The other thing is that hand optimisation can increase the complexity of the code making it slower and harder to maintain.

    Java programmers should realise that outright run time speed is really not that important for most applications and point out that if their app is only half the speed that represents 18 months of computer development (according to Moore's Law) but on the other hand it took three weeks less dev, only costs 50% of the maintenance and has fewer security holes (I made the numbers up - I leave it to the Java zealots to provide some real figures). Some of the money saved can be used to buy the extra hardware needed.

    It doesn't matter if something is fast, only that it is fast *enough*.

  16. Re:Efficient how? on Secure, Efficient and Easy C programming · · Score: 2

    He doesn't really address all security either unless you say security equals avoiding buffer overflows and memory leaks.

  17. Re:X is fine on picoGUI: An X Alternative? · · Score: 2

    Repeat after me: X is a protocol. It doesn't use memory or anything unless you put the protocol definition into a PDF. You are complaining about a specific implementation of the protocol (XFree86 probably).

    It's obvious from your description above that XFree86 is not what is eating all the RAM ("X is using 82Mb, the system is using 452Mb"), so that's 370Mb in use that is *not* being used by XFree86. In fact, what it is is Linux grabbing all the free RAM for disk buffers etc. In my last job one of our customers was claiming our product was doing something similar. Their servers with 1 Gb physical RAM were running with about 900Mb usage. We were able to demonstrate that there was no real problem by writing a C program that malloced 800Mb, wrote data to every single page in that 800Mb and then exited. After the program exited, memory usage dropped to about 200Mb for a while.

    Also, it probably isn't XFree86 that makes it slow for you to get a login prompt. In my experience, it's the Gnome/KDE environment that takes most of the time in starting up the windowing environment. Gnome is not part of XFree86.

  18. Re:Securing OpenSSL on Due Diligence? · · Score: 2

    You could fix the MD5 thing if you are a distributor by maintaining copies of the MD5 sigs on a secure internal server and automatically comparing them to the ones on the distribution server every few minutes. If a compromise is detected, the distro server is shut down and somebody is paged to fix it. Meanwhile everybody who has downloaded the software since the last integrity check is informed by e-mail (anonymous ftp captures e-mail addresses).

    Haven't figured out what to do about mirrors yet.
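    The periodic comparison this comment proposes, written out as an added example (not the commenter's code, and not any distribution's actual tooling). It assumes the internal server keeps a known-good manifest in md5sum format plus the good file contents, and that a checker can fetch both the published manifest and the files from the distribution server; the package names and contents below are constructed for the example. It catches the two cases that matter: a swapped file whose published checksum was left alone, and a swapped file whose published checksum was rewritten to match it, which only the trusted copy can expose.

```python
import hashlib

# Constructed sample: what the secure internal server holds as known-good.
# Names and contents are made up for this example.
GOOD_FILES = {
    "pkg-1.0.tar.gz": b"constructed release tarball",
    "pkg-1.0.tar.gz.asc": b"constructed detached signature",
}


def md5_hex(data):
    """MD5 hex digest, the checksum format the comment's distribution server publishes."""
    return hashlib.md5(data).hexdigest()


def parse_manifest(text):
    """Parse md5sum-style lines ('<32 hex chars>  <filename>') into {filename: digest}.

    Blank lines and '#' comments are skipped; a leading '*' (md5sum binary
    mode marker) is stripped from the filename. Malformed lines raise, because
    a manifest that no longer parses is itself a sign something changed.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:
            raise ValueError("malformed manifest line: %r" % line)
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()
    return entries


def build_manifest(files):
    """Derive the trusted {filename: digest} map from known-good contents."""
    return {name: md5_hex(data) for name, data in files.items()}


def check_integrity(trusted, served_manifest, served_files):
    """Compare what the distribution server serves against the trusted copy.

    trusted:          {name: digest} kept on the internal server
    served_manifest:  {name: digest} as currently published on the distro server
    served_files:     {name: bytes} as currently downloadable
    Returns a report; 'ok' is True only when nothing deviates, and the caller
    (the cron job in the comment's scheme) would page someone on anything else.
    """
    report = {"manifest_mismatch": [], "file_mismatch": [], "missing": [], "unexpected": []}
    for name, good in trusted.items():
        # Published checksum differs from the trusted one: the manifest itself was edited.
        if served_manifest.get(name) != good:
            report["manifest_mismatch"].append(name)
        data = served_files.get(name)
        if data is None:
            report["missing"].append(name)
        # Served bytes differ from what the trusted checksum describes, regardless
        # of whether the published manifest was rewritten to match them.
        elif md5_hex(data) != good:
            report["file_mismatch"].append(name)
    # Files published that the trusted copy knows nothing about.
    report["unexpected"] = sorted(set(served_manifest) - set(trusted))
    report["ok"] = not any(report[k] for k in ("manifest_mismatch", "file_mismatch", "missing", "unexpected"))
    return report


if __name__ == "__main__":
    trusted = build_manifest(GOOD_FILES)
    # Simulate a distribution server where the tarball was swapped and the
    # published manifest rewritten so the two agree with each other.
    served_files = dict(GOOD_FILES)
    served_files["pkg-1.0.tar.gz"] = b"swapped tarball"
    served_manifest = dict(trusted)
    served_manifest["pkg-1.0.tar.gz"] = md5_hex(served_files["pkg-1.0.tar.gz"])
    print(check_integrity(trusted, served_manifest, served_files))
```

    The point of checking the files and not just the published manifest is that a downloader comparing the served tarball against the served checksum sees nothing wrong once both have been replaced together; only the copy held off the distribution server can tell the difference. The "since the last integrity check" window in the comment is just the cron interval, so shortening it shrinks the list of people who need the warning e-mail.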

  19. Re:I am quite looking forward to this... on Douglas Adams Written Dr. Who Episode Goes Into Production · · Score: 5, Informative

    Douglas Adams wrote lots of Dr Who episodes many of which were aired.

  20. Re:Changing from Windows to Linux... on Reducing the TCO of IT with Linux? · · Score: 2

    > Consider also, that people these days are much more bothered when email goes down than when the phones stop working.

    I really don't believe this. People might say that, but it's not true.

    For a start, your e-mail might be effectively down, but you won't even notice unless it's the server your PC talks to e.g. your local Exchange server or POP server. It'll just look like you haven't had any e-mails for a while.

    Secondly, phone systems just don't go down any more. In my entire working life (14 years) I can think of only one occasion when I had a degraded phone service from my office (not down, just degraded). People generally have no experience of the phone system being down and how bad that is.

  21. Re:Probably best to do your own math. on Reducing the TCO of IT with Linux? · · Score: 2

    The point is you don't run the GUI stuff on the server even if you use graphical tools. The graphical admin tools are just X clients and the really processor expensive stuff (i.e. the X server) runs on the admin's PC in his office.

    Sometimes I think all of Windows' problems wrt Linux are because the GUI is so tightly bound to the OS. e.g. performance: you can't disable the GUI, stability: it's the graphics driver for your network card that's crashing your system. Somebody once told me that the best way to get a stable NT system was to only install the standard VGA drivers.

  22. Re: It certainly is more evil than commercials on The Economics of Spam · · Score: 2

    No it isn't. Advertising pays for all free to air television except the BBC. It pays for a lot of very useful web sites. It reduces the price of magazines and newspapers. It pays for expensive sporting and arts events. Effective advertising leads to increased product sales directly benefiting the company's shareholders and sometimes its employees. For certain products such as software the price is related to the number of units sold so effective advertising can lead to cheaper prices for the consumer.

  23. Re:Extradition on US Busts Military Network Hacker · · Score: 2

    I don't know about the EU, but Britain will not extradite anybody for a crime where they'll get the death penalty if found guilty, which is probably why they wouldn't extradite terrorists to the US unless GWB asked Tony nicely (although I don't know what case you are referring to there). Quite a lot of Brits take the view that the death penalty is morally unacceptable.

    For the record the Government offered plenty of support to the plane spotters in Greece for writing down aircraft numbers. Unfortunately, they were arrested in Greece, so extradition didn't come into it and they were up on a charge of spying so if they had got back to the UK, they may have been extradited on the grounds that we expect our citizens to be responsible for their actions when abroad.

    Asylum seekers are another question altogether. People seek asylum here for two reasons a) they think they'll be richer, b) they might get killed if they stay in their own country. We can't send them back until we know that their reason for being here is definitely (a).

  24. Re:Extradition on US Busts Military Network Hacker · · Score: 2

    He meant the UK. Lots of people have trouble telling the difference (including many of us English).

  25. Re:Why must we persist in... on US Busts Military Network Hacker · · Score: 2

    Yes, a hacker is a person that breaks into computer systems or is simply good at programming. A cracker is a dry flat biscuit that goes nicely with cheese.

    Unfortunately, English is a living language which means that the meanings of words depends on a consensus of the people that use them. The word "hacker" means "person who breaks into computer systems".