Because people assume that caramel coloring and caffeine are inseparable, and do things like give Mountain Dew to kids without realizing it's going to keep them up all night.
It's kind of a peculiar way to legislate it; I'd've required prominent labelling instead. At least one root beer does that (Barqs?) - they say "NO CAFFEINE" above the name. (That's because the diet is non-caffeinated and the non-diet is caffeinated (IIRC), rather than any legislative requirement, though.)
my quiet and kinda creepy fantasies of eloping with you are ruined.... ruined....;-)
Based on the number of Slashdotters who visited the Phoenyx homepage as a result of my comment, it sounds like you're not alone.
I suppose, in the interests of not getting anyone's hopes up, I should be changing my sig to something like "Yes, I'm a female geek. I'm also married, and a mommy, and probably too old for you. Sorry."
Most slashdotters will have to go with the smoking thing, though.
Re:Ads will HAVE to become better very soon
on
10 Ads The US Won't See
·
· Score: 2, Insightful
So much of the other advertisements are bland and uninteresting. They're just not trying.
It's not just that, either. It's that the same commercial gets shown every break, and occasionally twice in the same break. We have a commercial-skipping VCR, so on those rare occasions when we actually watch something non-timeshifted, we're boggled that anyone would voluntarily watch TV that way. Even when it's a decent commercial, by the fourth time in fifteen minutes it's just unwatchable.
it will stop spammers from forging mail that looks like it's from MY domain
Yea verily. And will (hopefully) stop rejections from people who complain that mail can't possibly be legitimate if it comes from a secondary domain on the same IP address.
most effective when combined with something like SPF
True, but if the spammers have a hijacked machine, and is already using the address book, they might as well use the domain the hijackee's allowed to use (if there's another user from the same ISP in the address book, forging their name will slow down discovery).
You'd have to combine it with ISPs throttling individual users' sending permissions to have a hope of doing any good.
Domains are so throwaway that I'm not sure SPF will help all that much, though. I'm for it (or something like it), though.
Well, maybe. There still could be a white list for cases like this.
I think that high volume mailing lists should probably actually be newsgroups anyway. But what it does do is put a crimp in people who host a lot of low volume mailing lists.
As somebody who hosts low-volume mailing lists, I have to agree.
Whitelists are nifty (we use them extensively), but what worries me on that score is that if they become frequent, I suspect we'll just see spammers hijacking address books along with machines, and forging "trusted" From lines.
Am I understanding this correctly? That you have to pay a fee for every Pentium class PC you have, even if it doesn't have Microsoft crap on it?!
Seems to be a pretty common sort of contract. If you're a Microsoft-only shop, there's really no reason not to sign that sort of contract; it makes paperwork easier (just count boxen) and I assume MS gives a discount for it.
It got moderated funny, but I'm the parent of a toddler and: that's exactly right. It was a lame tacking-together of a bunch of older footage that didn't even hold my three-year-old's interest.
On the other hand, he likes Kiki's Delivery Service a whole lot (but that wasn't 2003, so it doesn't count).
Outlook already has encryption and signatures, just no one uses them.
True, but they're not aggressively pushed. Until a lot of people use something, *anything*, it doesn't accomplish anything. And that's the problem... until everybody buys into it, it doesn't really work at all. If you reject all unsigned/unencrypted mail, you still have the false-positive problem. In particular, businesses don't want to risk missing customer mail, so nobody wants to use that method, or challenge/response, or basically *anything* that makes it the least bit difficult for prospective customers to send mail. Everybody wants to be the *last* to switch. Round and round it goes.
Automated messages and personal messages shouldn't be carried on the same system.
I didn't mean automated *messages*, I meant automation within the delivery. For instance, instead of me wasting my time presenting credentials in a challenge/response, your system queries my computer, which provides a computationally expensive response.
Sure, but then it's not really email any more.
Why wouldn't it be email anymore? You mean it wouldn't be SMTP-flavored email? Maybe not. But that's not a big deal.
AOL users represent a tiny fraction of email users.
There's no majority anywhere, but some minorities are larger than others, and probably have the largest collection of nontechnical sorts in one place.
Getting MS to put the magic feature in Outlook would be another solution. I mean, as long as I'm talking hypothetical situations anyway.
What is something which isn't "onerous" which AOL could do and still gain from this?
Good question. I suspect entire Slashdot discussions have been devoted to it. I lean toward the "these IPs/domain names are authorized to send mail on behalf of this domain name" scheme, myself.
AOL's gain, in theory, would be the reduction in unwanted traffic. I know for me as a mailing-list provider, it's darned expensive running SpamAssassin on every message. I'm down to essentially a whitelist situation... if you're not a subscriber, I silently discard the mail. This is still a problem for people who're hopping mailing lists all the time, and have forgotten to update their subscribed address before posting, but given that they can add unlimited "alternate" address (so they can post from multiple accounts without having to receive dupes), that's a loss we're pretty much forced to accept anymore.
(I'm probably not the first one to predict it, but: pretty soon spammers will start hijacking address books so they can send spam "from" your friends. It's something we've considered in the mailing list software, which is presently nearly immune to spam because not only do you have to be a subscriber, your first message has to be manually approved. But if spammers forge mail "from" approved members, we have no way of identifying it, so we'd be back to scanning everything. But I digress.)
Perhaps that's part of the problem, because you've got to get the vast majority of the world to agree on a single one of those solutions.
Quite right. Back to that "If Microsoft would implement a solution in Outlook and thereby impose a de facto standard" situation again. But Microsoft has less to gain than an ISP from doing so. Other than geek goodwill, if they did it *right*. But I don't think that's worth much to them...
I doubt it, but if so then I guess I won't get any spam, cause I'll use different software.
It's *always* possible to eliminate spam by destandardizing everything. But that eliminates any chance of automation for legitimate users.
This is much easier than an email challenge/response system.
Not in the slightest... email CR systems can be automated. Make it the least bit computationally expensive to do so, and it eliminates bulk mail's efficiency. I'm not sure that's the solution, mind, but it's got possibilities.
The people I know who use AOL are a very small percentage of my friends.
Yes, but you represent a very small percentage of the world. Like I said, it just has to get a foothold.
It'll be quite obvious that "authenticated" means the same thing as "AOL User".
Getting past that bit would be the hard part, yes. But throw AOL, Earthlink, and a couple other popular-with-nontechies services together and you might have something. I don't think it's insurmountable.
Yeah, but as long as you're not imposing onerous requirements, it's useless.
Depends on the value of "onerous." If it means "you have to buy an authentication service from AOL" it's probably too onerous for legit sites, not onerous enough for spammers. I'm not sure what you *would* use as a requirement (if I was, I'd be writing the RFCs already).
Not quite, but there are still a lot of them out there. Try keying a few spam sites into Google; eventually you'll find one that's been form-spamming. You'll get hundreds of hits that, you can tell from the URLs, all use the same guestbook or blog software.
If web forms become the standard for receiving "mail," you'll see the vast majority of people using the same software, and this'll be just as frequent.
You can use CAPTCHA to ensure that the person sending the message is a human.
And this'll be about as popular as any other manual challenge-response system, which is to say "not at all."
I'm also looking at a permanent solution. Maybe you need to better define the problem, and then tell me what your solution is.
Heh. If I had a solution, we wouldn't have any more spam.
I doubt the grandmother would mention it at all, since 90-99% of her email would similarly be marked "unauthenticated."
Not at all... all her other AOL friends would be authenticated, for starters. Grandma's going to be asking why, if her AOL is such a lousy service, *your* service can't authenticate you. And as long as they're not imposing onerous requirements to get authenticated, your service probably could.
Even to the extent that their costs would go down, so would everyone elses, so prices would have to fall accordingly.
Just like the price of CDs fell as duplicating became cheaper?
I don't see how the incentive is any different than it is now.
Right now spam email is cheap and easy, and people read email. If everyone abandons email for web forms, so will spammers.
I think we're approaching it from two different perspectives: you're looking at a personal solution, and I'm looking at a permanent, works-for-everyone-on-the-net solution.
You only asked for an example (and I gave you two).
Actually, I didn't ask for any examples at all.
Even building authentication on top of email, and getting the damn websites (Slashdot, eBay, Citibank, etc.) to use it would solve the problem.
Agreed.
I'm somewhat amused by, say, AOL's "inability" to solve the problem this way. They're big enough, and (perhaps most importantly) have the biggest subscribership of nontechnical users, to ramrod an authenticated email "standard" through. They've got a captive audience software-wise, so they could have a client that handles standard email and authenticated email simultaneously (and transparently, for outbound stuff). And all of a sudden if everybody's grandmother started saying "Why is your mail always marked 'Unauthenticated'?" then non-AOL clients might start supporting it.
On the other hand, maybe AOL (etc.) has a disincentive to actually fix the problem, however much noise they might make about it.
Duplo might be more structurally sound internally, but the bricks don't stick together particularly well. On the one hand, this makes sense, since it's for younger kids. My three-year-old wouldn't be able to take apart some of the Lego bricks. On the other hand, it means that anything non-simple collapses because the bricks won't hold together under their own weight, so it's a bit *more* frustrating than standard Legos would be.
I like the little graphics next to the guidelines that show how well each suggestion is supported by research, and the graphical examples they show of most concepts.
I like the little graphical links at the top of each section, one of which advises you to avoid using graphics for links.
The only place software goes through a formal process which includes full auditing is in a text book on software engineering.
Or in the banking industry, or certain portions of the aircraft industry. And those are just ones I've worked in.
Of course, that was strictly security, not checking to make sure none of the code was violating someone's IP. As has been pointed out here before, that's *more* likely in closed-source since nobody outside the company is likely to see the source and say "Hey, that's mine!"
In this country, even the clearest mildest foreign accent elicits reactions of "he doesn't even speek English."
My college roommate was from Sri Lanka. At one point, she called relatives in California, collect. Just getting the phone number verified was an extensive process, involving much repeating on her part.
After the conversation, she asked me if I thought her accent was really that bad. No, I explained, the problem was, she was in Oklahoma, and she was speaking far too *clearly*.
Slashdot Mirror
FYI, it's NOT Barq's that doesn't have caffeine -- quite the opposite,
Ah, but reread what I said:
(That's because the diet is non-caffeinated and the non-diet is caffeinated
And then check caffeine content listings... Barq's has 22 mg, diet Barq's has 0.
Lots of diet drinks have less caffeine than their non-diet counterparts, probably so that they require less sweetening.
As for WHY it is against the law, I have no idea.
Because people assume that caramel coloring and caffeine are inseparable, and do things like give Mountain Dew to kids without realizing it's going to keep them up all night.
It's kind of a peculiar way to legislate it; I'd've required prominent labelling instead. At least one root beer does that (Barqs?) - they say "NO CAFFEINE" above the name. (That's because the diet is non-caffeinated and the non-diet is caffeinated (IIRC), rather than any legislative requirement, though.)
you're preggers?
;-)
Well, no, that was four years ago.
my quiet and kinda creepy fantasies of eloping with you are ruined.... ruined....
Based on the number of Slashdotters who visited the Phoenyx homepage as a result of my comment, it sounds like you're not alone.
I suppose, in the interests of not getting anyone's hopes up, I should be changing my sig to something like "Yes, I'm a female geek. I'm also married, and a mommy, and probably too old for you. Sorry."
Start smoking.
Getting pregnant worked for me.
Most slashdotters will have to go with the smoking thing, though.
So much of the other advertisements are bland and uninteresting. They're just not trying.
It's not just that, either. It's that the same commercial gets shown every break, and occasionally twice in the same break. We have a commercial-skipping VCR, so on those rare occasions when we actually watch something non-timeshifted, we're boggled that anyone would voluntarily watch TV that way. Even when it's a decent commercial, by the fourth time in fifteen minutes it's just unwatchable.
I'm always going to Wikipedia -- you can't really avoid them, not if you use Google at all.
Hmm. Google's cool people, right? With a lot of hardware?
it will stop spammers from forging mail that looks like it's from MY domain
Yea verily. And will (hopefully) stop rejections from people who complain that mail can't possibly be legitimate if it comes from a secondary domain on the same IP address.
most effective when combined with something like SPF
True, but if the spammers have a hijacked machine, and is already using the address book, they might as well use the domain the hijackee's allowed to use (if there's another user from the same ISP in the address book, forging their name will slow down discovery).
You'd have to combine it with ISPs throttling individual users' sending permissions to have a hope of doing any good.
Domains are so throwaway that I'm not sure SPF will help all that much, though. I'm for it (or something like it), though.
Well, maybe. There still could be a white list for cases like this.
I think that high volume mailing lists should probably actually be newsgroups anyway. But what it does do is put a crimp in people who host a lot of low volume mailing lists.
As somebody who hosts low-volume mailing lists, I have to agree.
Whitelists are nifty (we use them extensively), but what worries me on that score is that if they become frequent, I suspect we'll just see spammers hijacking address books along with machines, and forging "trusted" From lines.
Am I understanding this correctly? That you have to pay a fee for every Pentium class PC you have, even if it doesn't have Microsoft crap on it?!
Seems to be a pretty common sort of contract. If you're a Microsoft-only shop, there's really no reason not to sign that sort of contract; it makes paperwork easier (just count boxen) and I assume MS gives a discount for it.
Should we also tell anyone with the name Nygard that they need to change it, or at least shouldn't utter it?
I wasn't sure whether to be amused or saddened that some birdseed sellers have taken to spelling "Niger" (black thistle seed) as "Nyjer."
It got moderated funny, but I'm the parent of a toddler and: that's exactly right. It was a lame tacking-together of a bunch of older footage that didn't even hold my three-year-old's interest.
On the other hand, he likes Kiki's Delivery Service a whole lot (but that wasn't 2003, so it doesn't count).
really, there's ABSOLUTELY NOTHING to bring this type of "tourism" to the state of ohio.
Two words: Cedar Point.
Outlook already has encryption and signatures, just no one uses them.
True, but they're not aggressively pushed. Until a lot of people use something, *anything*, it doesn't accomplish anything. And that's the problem... until everybody buys into it, it doesn't really work at all. If you reject all unsigned/unencrypted mail, you still have the false-positive problem. In particular, businesses don't want to risk missing customer mail, so nobody wants to use that method, or challenge/response, or basically *anything* that makes it the least bit difficult for prospective customers to send mail. Everybody wants to be the *last* to switch. Round and round it goes.
Nice talking to you.
Likewise.
Automated messages and personal messages shouldn't be carried on the same system.
I didn't mean automated *messages*, I meant automation within the delivery. For instance, instead of me wasting my time presenting credentials in a challenge/response, your system queries my computer, which provides a computationally expensive response.
Sure, but then it's not really email any more.
Why wouldn't it be email anymore? You mean it wouldn't be SMTP-flavored email? Maybe not. But that's not a big deal.
AOL users represent a tiny fraction of email users.
There's no majority anywhere, but some minorities are larger than others, and probably have the largest collection of nontechnical sorts in one place.
Getting MS to put the magic feature in Outlook would be another solution. I mean, as long as I'm talking hypothetical situations anyway.
What is something which isn't "onerous" which AOL could do and still gain from this?
Good question. I suspect entire Slashdot discussions have been devoted to it. I lean toward the "these IPs/domain names are authorized to send mail on behalf of this domain name" scheme, myself.
AOL's gain, in theory, would be the reduction in unwanted traffic. I know for me as a mailing-list provider, it's darned expensive running SpamAssassin on every message. I'm down to essentially a whitelist situation... if you're not a subscriber, I silently discard the mail. This is still a problem for people who're hopping mailing lists all the time, and have forgotten to update their subscribed address before posting, but given that they can add unlimited "alternate" address (so they can post from multiple accounts without having to receive dupes), that's a loss we're pretty much forced to accept anymore.
(I'm probably not the first one to predict it, but: pretty soon spammers will start hijacking address books so they can send spam "from" your friends. It's something we've considered in the mailing list software, which is presently nearly immune to spam because not only do you have to be a subscriber, your first message has to be manually approved. But if spammers forge mail "from" approved members, we have no way of identifying it, so we'd be back to scanning everything. But I digress.)
Perhaps that's part of the problem, because you've got to get the vast majority of the world to agree on a single one of those solutions.
Quite right. Back to that "If Microsoft would implement a solution in Outlook and thereby impose a de facto standard" situation again. But Microsoft has less to gain than an ISP from doing so. Other than geek goodwill, if they did it *right*. But I don't think that's worth much to them...
I doubt it, but if so then I guess I won't get any spam, cause I'll use different software.
It's *always* possible to eliminate spam by destandardizing everything. But that eliminates any chance of automation for legitimate users.
This is much easier than an email challenge/response system.
Not in the slightest... email CR systems can be automated. Make it the least bit computationally expensive to do so, and it eliminates bulk mail's efficiency. I'm not sure that's the solution, mind, but it's got possibilities.
The people I know who use AOL are a very small percentage of my friends.
Yes, but you represent a very small percentage of the world. Like I said, it just has to get a foothold.
It'll be quite obvious that "authenticated" means the same thing as "AOL User".
Getting past that bit would be the hard part, yes. But throw AOL, Earthlink, and a couple other popular-with-nontechies services together and you might have something. I don't think it's insurmountable.
Yeah, but as long as you're not imposing onerous requirements, it's useless.
Depends on the value of "onerous." If it means "you have to buy an authentication service from AOL" it's probably too onerous for legit sites, not onerous enough for spammers. I'm not sure what you *would* use as a requirement (if I was, I'd be writing the RFCs already).
But web forms aren't standardized like email is.
Not quite, but there are still a lot of them out there. Try keying a few spam sites into Google; eventually you'll find one that's been form-spamming. You'll get hundreds of hits that, you can tell from the URLs, all use the same guestbook or blog software.
If web forms become the standard for receiving "mail," you'll see the vast majority of people using the same software, and this'll be just as frequent.
You can use CAPTCHA to ensure that the person sending the message is a human.
And this'll be about as popular as any other manual challenge-response system, which is to say "not at all."
I'm also looking at a permanent solution. Maybe you need to better define the problem, and then tell me what your solution is.
Heh. If I had a solution, we wouldn't have any more spam.
I doubt the grandmother would mention it at all, since 90-99% of her email would similarly be marked "unauthenticated."
Not at all... all her other AOL friends would be authenticated, for starters. Grandma's going to be asking why, if her AOL is such a lousy service, *your* service can't authenticate you. And as long as they're not imposing onerous requirements to get authenticated, your service probably could.
Even to the extent that their costs would go down, so would everyone elses, so prices would have to fall accordingly.
Just like the price of CDs fell as duplicating became cheaper?
I don't see how the incentive is any different than it is now.
Right now spam email is cheap and easy, and people read email. If everyone abandons email for web forms, so will spammers.
I think we're approaching it from two different perspectives: you're looking at a personal solution, and I'm looking at a permanent, works-for-everyone-on-the-net solution.
You only asked for an example (and I gave you two).
Actually, I didn't ask for any examples at all.
Even building authentication on top of email, and getting the damn websites (Slashdot, eBay, Citibank, etc.) to use it would solve the problem.
Agreed.
I'm somewhat amused by, say, AOL's "inability" to solve the problem this way. They're big enough, and (perhaps most importantly) have the biggest subscribership of nontechnical users, to ramrod an authenticated email "standard" through. They've got a captive audience software-wise, so they could have a client that handles standard email and authenticated email simultaneously (and transparently, for outbound stuff). And all of a sudden if everybody's grandmother started saying "Why is your mail always marked 'Unauthenticated'?" then non-AOL clients might start supporting it.
On the other hand, maybe AOL (etc.) has a disincentive to actually fix the problem, however much noise they might make about it.
That's also without any major incentive for the spammers to try to get in. If web forms become the standard, that's where the spammers will hit.
In other words, it's a way for a few people to avoid getting spam, but once everybody starts it, it won't work.
Really?
There's an astonishing amount of spam anytime anyone's got an open guestbook or blog comment system. I can't imagine it's all being entered manually.
Duplo might be more structurally sound internally, but the bricks don't stick together particularly well. On the one hand, this makes sense, since it's for younger kids. My three-year-old wouldn't be able to take apart some of the Lego bricks. On the other hand, it means that anything non-simple collapses because the bricks won't hold together under their own weight, so it's a bit *more* frustrating than standard Legos would be.
I like the little graphics next to the guidelines that show how well each suggestion is supported by research, and the graphical examples they show of most concepts.
I like the little graphical links at the top of each section, one of which advises you to avoid using graphics for links.
The only place software goes through a formal process which includes full auditing is in a text book on software engineering.
Or in the banking industry, or certain portions of the aircraft industry. And those are just ones I've worked in.
Of course, that was strictly security, not checking to make sure none of the code was violating someone's IP. As has been pointed out here before, that's *more* likely in closed-source since nobody outside the company is likely to see the source and say "Hey, that's mine!"
Now that you've quoted me, I'm a little embarassed about the "speek" business. Oops.
I thought you did it for humorous effect.
In this country, even the clearest mildest foreign accent elicits reactions of "he doesn't even speek English."
My college roommate was from Sri Lanka. At one point, she called relatives in California, collect. Just getting the phone number verified was an extensive process, involving much repeating on her part.
After the conversation, she asked me if I thought her accent was really that bad. No, I explained, the problem was, she was in Oklahoma, and she was speaking far too *clearly*.