Slashdot Mirror


User: Arrogant-Bastard

Arrogant-Bastard's activity in the archive.

Stories: 0 · Comments: 209

Comments · 209

  1. Re:Seems silly on Jason Scott of Textfiles.com Is Trying To Save a Huge Storage Room of Manuals · · Score: 5, Insightful

    Perhaps it would have also seemed silly to try to save many of the scrolls from the destruction of the Library of Alexandria. No doubt many of those covered mundane details of ordinary life -- land transactions, farming methods, political deals. Certainly it would not be apparent to those who lived at that time that such trivia would hold any interest even a few years later, let alone centuries hence. But it does. And there is no way for us to know, in 2015, whether or not the manual for a Tektronix 545 oscilloscope (circa 1955) will be of interest to anyone in 2055. But we should know that if we let all the copies disappear, that the question will be moot: we'll have removed the possibility...and thus the possibility of whatever insight could be gained.

    I stood in that room and held that manual in my hands yesterday. Then I put it in one of the many (many!) boxes headed for storage, against the day when it can be pulled out and scanned. Perhaps I'll be the last person to ever glance through it; or perhaps, sometime in the future, someone else will come across it and say a silent thank-you to those responsible for preserving it from oblivion.

    This is part of our history -- encapsulated in voltage meters and PROM programmers, broadcast amplifiers and 68000 development boards. It is not disposable. It is not expendable. And so if you'll excuse me, I'm going to head over there and get back to work.

  2. LinkedIn: vicious, unrepentant, prolific spammers on LinkedIn Spam Lawsuit Can Continue · · Score: 1

    If you support LinkedIn or have an account there, then YOU are part of the problem. You're not only implicitly endorsing spam, you're generating it, supporting it, and funding it.

    If you don't support LinkedIn and have blacklisted or firewalled them: good. That's the correct professional response to any abuser/attacker.

    If you haven't blacklisted/firewalled them, then you'll want this:


    Remember to block all IP traffic bidirectionally so that LinkedIn can't reach your network and so that anyone on your network can't reach them. This is especially important if you run mailing lists, since LinkedIn will spam those too. I also recommend checking to see any of the spammers who work for LinkedIn have managed to get on your mailing lists: if so, unsubscribe and ban them.

  3. Re:Stunning. on Snowden Used Software Scraper, Say NSA Officials · · Score: 5, Insightful

    There's zero reason to believe the NSA's version of this and every reason to believe Snowden's

    Why?

    Because, so far, every single thing that Snowden has said has turned out to be true when cross-checked. And, so far, every NSA official spokesperson has been caught repeatedly lying.

  4. Re:Seriously? on Is Whitelisting the Answer To the Rise In Data Breaches? · · Score: 4, Insightful

    The inferior people at Dice -- you know, the same ones trying to shove their shitty Beta site down our throats -- are actually not clueful enough to realize that this is a very old idea. Whitelisting OS resources, applications, networks, IP addresses, etc. has long been an effective security measure, and I've deployed it everywhere I've been for the past 15 years or so.

    It appears that the Dicedroids think everyone is as stupid and clueless as they are.

  5. Re:There is a lesson here for slashdot on How Adobe Got Rid of Traditional Stack-Ranking Performance Reviews · · Score: 1

    This. One hundred times this.

    The teachable moment for Dice is RIGHT NOW. They can either admit what everyone knows (that Beta is a horrible downgrade and should be killed immediately) or they can let their massive out-of-control egos continue to drive their decision making...and drive Slashdot right off a cliff.

    The question that remains is whether they're smart enough to realize that, or whether they will persist on the path they've chosen -- which leads inexorably to a future where people talk about Slashdot in the past tense and catalog its downfall alongside that of other sites whose operators failed to listen to their masters: US.

    My money is on the latter. Every response I've seen so far from them is full of PR happytalk and bullshit. I think they truly believe that they can pull this off if they lie about it long enough and consistently enough. After all, that's how business is done these days, for the most part.

  6. Re:No. on Slashdot Tries Something New; Audience Responds! · · Score: 1

    The solution is simple: can Beta as a failure. Be grown-up enough to admit that it did not work [...]

    They are either too stupid to realize that (despite the overwhelming evidence) or too afraid to admit it.

    So take your pick: idiots or cowards. Maybe both.

  7. Re:And that's exactly what I asked for. on Slashdot Tries Something New; Audience Responds! · · Score: 1

    No one comes to /. to read the stories.

    That's absolutely true. The editors here are young, inexperienced, naive, and largely clueless. Which is to be expected, we were all that once upon a time. However, the commenters include a good number of older people with significant experience and knowledge, and THEY are clearly a thousand times more important than any of the interchangeable, expendable editors.

    The most important thing that this fucked-up Beta teaches us is that Dice does not understand that previous paragraph. It proves to us that they're arrogant, self-important, egotistical assholes who think we're sheep to be herded as they see fit. It's probably going to be necessary to teach them a lesson, and I suspect that the form the lesson will take is the rotting carcass of Slashdot nailed to the wall, because they are clearly LYING when they claim to be listening.

    Which is not surprising: MBAs are stupid people, that's why they don't have real degrees. But It is disappointing to see how spineless Timothy and the others are. If they actually had any backbone at all, the editors would side with the users and resign en masse in protest.

  8. Re:Why? on Slashdot Tries Something New; Audience Responds! · · Score: 1

    That's an excellent point. This is clearly management happytalk bullshit being fed to Timothy, who is obediently regurgitating it to us and hoping that we're naive and stupid enough to believe that they're "listening".

    They're not listening. If they were listening, Beta would already be completely abandoned and we would be reading a full public apology from the people responsible.

    The ONLY acceptable response is the instant and permanent removal of the Beta. Period. All other responses are lies.

  9. How much did they pay you to lie, Timothy? on Slashdot Tries Something New; Audience Responds! · · Score: 1

    I hope it was enough to make being an obedient little corporate toady worth it.

    The ONLY acceptable response from Slashdot is the immediate and permanent abandonment of the Beta project. Everything and anything else is just happytalk bullshit from cowards and liars.

  10. Re:Beta sucks on The Standards Wars and the Sausage Factory · · Score: 2

    As a long-time (VERY long-time) veteran of Usenet, I'd like to point out that it's quite viable. The anti-spam methods now in place are quite a bit better than what we had just a few years ago. There are a number of newsgroups that are doing very well (including a lot of technical ones), some that are languishing, and some that are on hold.

    Usenet has a lot of architectural features that make it very good for these kinds of discussions: it is privacy-friendly. It's text-based. It's easily gatewayed to and from email. It's easily archived. (I have many, many years of certain newsgroups.) It requires modest resources. It's resilient in the face of broken sites and broken network links. It's bandwidth-friendly. It runs on relatively lightweight hardware. The software is mature. And so on.

    Not that it's perfect: of course it's not, and I can probably enumerate its flaws better than all but a handful of other people. But it works, and it works well even when other allegedly more sophisticated mechanisms fail. I've long said that Usenet proficiency is one of the basic qualifications for system and network administrators: they don't need to know the ins/outs of NNTP nor do they need to admin a node, but they do need to know how to use it.

    Since /. appears to be intent on committing public suicide via this idiotic Beta, supported exclusively by the imbeciles and morons at Dice, perhaps it's time to start migrating back to Usenet, where corporations can't exert the kind of control they can here.

  11. Re:Boycott on How Edward Snowden's Actions Have Impacted Defense Contractors · · Score: 4, Interesting

    As one of the first users of this site (yes, I know my UID number, it's not my original one), I fully support this.

    Moreover, IF the people running this site are so obstinate, stupid, and ignorant that they persist anyway: then the boycott needs to be permanent. We ALL need to leave. We need to teach a lesson, and if the only way that lesson can be communicated is over the bleak, abandoned corpse of slashdot, then that's how it has to be.

    "I could warn you of course, but you would not listen. I could kill you, but someone would take your place. So I do the only thing I can. I go."

  12. Re:Maximum penalty... on New Zealand Spy Agency Deleted Evidence About Its Illegal Spying On Kim Dotcom · · Score: 5, Insightful

    You're correct but it's not obvious that the law will actually be applied in this case. Clearly, the NZ and US both really, REALLY want to crucify Dot Com and are willing to break the law, cheat, lie, steal, defraud and everything else in order to do it.

    Meanwhile, Slashdot Beta is absolute crap, and if the morons, idiots, and assholes pushing it persist in this stupidity, then they should expect a boycott.

  13. This is just another round of the scam on First New Generic Top Level Domains Opening · · Score: 4, Insightful

    As everyone knows, there was and is no actual need for these TLDs. Just like there was no need for .xxx. Just like there was no need for .mobi. Just like there was no need for .info. The entire process is driven NOT by the communal needs of the Internet, but by ICANN, which is now completely controlled by registrars -- registrars who are always looking for new/expanded revenue streams.

    There WAS a time, as I'm sure some folks will remember, that "one entity-one domain" was the rule. That time is long gone, as it drastically restricts registrar profits. Now? It's not uncommon for single entities to control hundreds to hundreds of thousands of domains. I've been researching this issue, and have looked at about 60M domains so far: EASILY 90% of them are crap. They're owned by speculators, typosquatters, "landing page" operators, clickthrough scammers, and on and on and on. I suspect that as I expand my work, that percentage won't change much. In other words: we could delete 90% of the domains out there with no appreciable effect on the Internet.

    This latest expansion is merely an attempt to continue the same game -- but with outrageous prices and profits.

    Here is my recommendation: learn how to use DNS RPZ. As each one of these TLDs is introduced, add it to the list so that you effectively make it disappear from your view of the Internet. Encourage others to do the same. After all, you aren't required to resolve any domain or group of domains -- so don't. If enough of us do this, we will make these domains essentially worthless. (Why? Because without DNS resolution in place, end users won't be able to reach them with web browsers. MTAs that check for domain existence -- which they should -- will reject all mail to/from them. And so on.)

    The Internet doesn't need this junk. YOU don't need this junk. So make it vanish.

  14. Captchas are dead, dead, dead on Snapchat Account Registration CAPTCHA Defeated · · Score: 1

    I've been saying this for years -- here and elsewhere. Yet their foolish supporters continue to insist on using them, despite the steady parade of demonstration proofs showing that they're easily defeated. (I'm not going to bother with the catalog of links this time. Use a search engine. Read the items that show up on the first two pages of results -- that should be enough.)

    Either you're defending an important resource or you're not. If you're not, then you don't need captchas and shouldn't use them. If you are, then the first person who decides that your resource is worth the trouble will break your captchas, either by code, by brute force, by co-opted masses or by some combination of those. You have no shot. NONE. (If you think so, then you didn't perform the exercise I suggest in the last paragraph.)

    A defense that is known-broken is not a defense at all.

  15. A modest proposal on Creationism In Texas Public Schools · · Score: 1

    In one of the great ironies of our time, those arguing for or supporting creationism are actually providing clinching proof that they themselves have failed to evolve into human beings: they're not members of homo sapiens, as they have clearly failed part of the qualifying intelligence test.

    Given that they are -- at best -- inferior primates, why should those of us who are clearly superior grant them human rights -- which, as the label indicates, are exclusive to humans? I certainly see no reason why we should be so generous.

    Instead, I think, we should strip them of the franchise, of the right to own property, of their financial assets, and of their citizenship. They should be treated decently, of course, for the same reasons that we should treat horses or dogs decently. But certainly they don't merit consideration as peers, as by their own actions, they've shown they aren't. I envision vast farms where they're lovingly tended until it is time to harvest their organs -- painlessly, of course, but inevitably. Their meat is the only value that they have to the human race, and it would be a pity to waste or damage it.

  16. Re:no way the biggest hosts on Amazon and GoDaddy Are the Biggest Malware Hosters · · Score: 4, Insightful

    There are a large number of reasonably well-understood methods for dealing with this.

    First, you have a working RFC 2142 role account address: abuse@ your domain. You pay attention to what shows up there. You reply promptly. You engage. After all, if someone is doing your job for you and doing it on THEIR dime, the least you can do is take advantage of it. Moreover, if you manage to do this reasonably well, word will get out, you'll earn the respect of your peers, and they will reward you with more reports -- again, doing your work for you for free.

    Worth noting is that Amazon makes it nearly impossible to communicate with their abuse desk and fails to respond to reports in any way, let alone a timely one. And it's well known that GoDaddy frequently forwards them to the abusers.

    Second, you pay attention to netflows. If a virtual host instance is opening up TCP connections on port 25 to a kazillion hosts/hour, then it's spamming. Any kind of perfunctory monitoring will spot this and a hundred other similar things in real time.

    Third, you pay attention to who's behind the incidents. If you don't, then they'll just sign up over and over and over again. So you work to avoid that, by looking at the who, what, where, when patterns -- and you ban repeat offenders. This isn't watertight, of course -- but it doesn't need to be. If you raise the bar high enough, they'll just go somewhere else, which reduces your workload and lets you focus more tightly on what's left.

    Fourth, you look at usage patterns. Most web sites do NOT display global usage patterns, particularly those which are connected to a domain registered yesterday. (Think about it.) If you observe that, then something's up: it might be legitimate. It's almost certainly not. The same thing applies to other services and other protocols.

    Fifth, if you're Amazon, you have a highly paid legal staff. Use them. Smack the crap out of a few particularly egregious offenders in court. Make it noisy so that everyone else knows you're doing it. Again, this doesn't have to be watertight; it just has to discourage miscreants.

    Finally (and I'm stopping here for brevity, there's a lot more), do all this publicly. Encourage your peers to do the same. Challenge them. Raise the collective bar, not just your own. Cooperate with your competitors.

    All of this costs money. Not a stupid amount of money, but it does cost. Which is why it almost never gets done (see previous post).
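
The second point above (watch netflows for an instance fanning out on port 25), worked as detection logic over constructed flow records. This is an added example, not the commenter's code; the CSV record layout, the one-hour bucketing and the threshold of five distinct peers are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed flow records (timestamp,src,dst,proto,dport).  192.0.2.10 is a tenant
# instance fanning out to many distinct mail servers inside one hour; 192.0.2.20 is a
# normal host that only talks to its two usual relays.
SAMPLE_FLOWS = """\
2014-02-01T10:00:01Z,192.0.2.10,203.0.113.5,tcp,25
2014-02-01T10:00:02Z,192.0.2.10,203.0.113.5,tcp,25
2014-02-01T10:03:10Z,192.0.2.10,203.0.113.17,tcp,25
2014-02-01T10:07:44Z,192.0.2.10,198.51.100.8,tcp,25
2014-02-01T10:12:09Z,192.0.2.10,198.51.100.9,tcp,25
2014-02-01T10:31:55Z,192.0.2.10,198.51.100.44,tcp,25
2014-02-01T10:58:30Z,192.0.2.10,203.0.113.200,tcp,25
2014-02-01T11:02:00Z,192.0.2.10,203.0.113.201,tcp,25
2014-02-01T10:05:00Z,192.0.2.20,203.0.113.5,tcp,25
2014-02-01T10:06:00Z,192.0.2.20,203.0.113.5,tcp,25
2014-02-01T10:09:00Z,192.0.2.20,198.51.100.8,tcp,25
2014-02-01T10:10:00Z,192.0.2.20,198.51.100.70,tcp,443
2014-02-01T10:11:00Z,192.0.2.20,198.51.100.71,udp,53
"""


def parse_flow(line):
    """Parse one CSV flow record; return None for a malformed line instead of crashing."""
    fields = line.strip().split(",")
    if len(fields) != 5:
        return None
    ts, src, dst, proto, dport = fields
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        port = int(dport)
    except ValueError:
        return None
    return {"when": when, "src": src, "dst": dst, "proto": proto.lower(), "dport": port}


def smtp_fanout_by_hour(lines):
    """Map (source IP, UTC hour) -> set of distinct hosts it opened tcp/25 connections to."""
    fanout = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != 25:
            continue
        bucket = rec["when"].strftime("%Y-%m-%dT%H")
        fanout[(rec["src"], bucket)].add(rec["dst"])
    return fanout


def detect_smtp_fanout(lines, threshold):
    """Sources that reached at least `threshold` distinct SMTP peers within one hour.

    Distinct peers, not connection count: a legitimate MTA can open many connections
    to a few relays, while a spam cannon contacts a new MX for almost every message.
    """
    hits = [(src, hour, len(dsts))
            for (src, hour), dsts in smtp_fanout_by_hour(lines).items()
            if len(dsts) >= threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


if __name__ == "__main__":
    for src, hour, n in detect_smtp_fanout(SAMPLE_FLOWS.splitlines(), threshold=5):
        print(f"{src} contacted {n} distinct SMTP peers during {hour}:00Z")
```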

  17. Re:no way the biggest hosts on Amazon and GoDaddy Are the Biggest Malware Hosters · · Score: 5, Insightful

    Your comment is funny, but misses the point about economics of scale.

    Amazon, with its immense resources, should be one of the cleanest hosts on the planet. They can afford, using their spare change, to staff a 24x7 abuse desk with very senior people. The budgetary impact wouldn't even be a blip. And with the right people, suitably empowered, they could keep their operation nearly free of malware, phishing, spam, and other forms of abuse. They're far better positioned to do this than many smaller operations, who couldn't possibly afford it.

    But they haven't. Why not? Is it because they don't know? Unlikely. Of course they know. Is it because they don't know how to address it? Equally unlikely. Of course they do. They have some smart people on staff. No, they know what the problem is AND they know how to fix it.

    They just don't want to.

    Because even as (relatively) small as those costs would be, it's still cheaper for them to externalize them to the entire rest of the Internet, and let all of us deal with it. So rather than taking professional responsibility for their own operation, they've decided to just blow it off. After all: who's going to make them?

    I would say the same about GoDaddy, but it's not true. They actively support, encourage, and endorse spam, malware, phishing and every other form of abuse. They have from the beginning, only their method of lying about it has changed. (And don't forget GoDaddy's own history of self-promoting spam.) But once again: who's going to make them do anything differently?

    Until operations are held accountable for their actions -- which is something that we USED to do on this network, a long time ago -- most won't bother. And that is, in large part, why problems like spam and phishing and malware are epidemic.

  18. Unity, Mir, etc. are hardly the problem on The Burning Bridges of Ubuntu · · Score: 0

    That's not to say that they aren't problems: Unity is shit. Mir's design displays profound ignorance of X's design, including both its features and its liabilities. And so on. It's obvious that Canonical is ramming these down users' throats because they have to, as only the ignorant newbies who don't know any better would actually choose them.

    But the real problem is that Canonical has now clearly demonstrated its commitment to embedding spyware in the distribution. (YES, I know that there's putatively an "off" switch for it. That is an unimportant and irrelevant distraction undeserving of discussion.) By doing so, Shuttleworth has clearly signalled that he's willing to sell out the security and privacy of Ubuntu users for revenue. And now that the user base is declining, expect an escalation of this strategy to compensate for it.

    THAT is why the community is no longer relevant to Canonical. The community is standing in the way of their pursuit of profit, and profit (along with ego gratification) is Shuttleworth's priority. Wait and watch: this is only the beginning.

  19. Welcome to the disposable workforce on Ask Slashdot: Are We Older Experts Being Retired Too Early? · · Score: 1

    I'm one of those older people being shoved aside because I'm (pick one) too old, too expensive, too inflexible, too whatever.

    Never mind my degrees, my experience, my continuing education, my track record of success, my ability to adapt, or my insight. None of that matters, because someone 30 years my junior can (putatively) do the same job -- they'll cost half as much and work twice as many hours, until, of course, their time comes and they're replaced just like I've been.

    The fact that I bring incredible value to the table doesn't matter: in a position I recently held, I was asked to evaluate a project that had already sucked down $1.8M. I studied it carefully for several months, and concluded that it was so badly and fundamentally flawed that it had no chance of success -- the best course of action was to dump it and start over. Management didn't want to hear that, so they discarded my careful analysis and eliminated my position. Four years later, after spending $12M, they finally axed the project -- after achieving nothing. It would have been more cost-effective for them to (a) take my advice and (b) pay me $100K/year for those four years to do nothing: they'd have saved $11.6M.

    My point being that those of us who are older sometimes have very finely-tuned instincts about failure: we've experienced it enough to know what it looks like when it's still a long way off. Simply listening to us when we say "ummm...no, that's a bad idea" EVEN IF WE DO NOTHING ELSE is likely to result in an enormous payoff, since it'll help avoid wasted effort and budgets. But of course it rarely works out this way: it's easier to hire 20-somethings, underpay them, work them to death, and enjoy the chorus of "yes" "yes" and "YES" that they generate because they don't yet realize that's the wrong answer.

  20. Webmail is for idiots; Outlook is for morons on Only 25% of Yahoo Staff "Eat Their Own Dog Food" · · Score: -1, Troll

    Webmail is a trendy, attractive idea: it's also truly stupid. Every single implementation to date -- and yes, I've tried them all -- sucks. I could spend the next three hours typing in a litany of reasons why, from UI to standards compliance, security to features, but I presume that everyone with even a passing familiarity with email already knows this. So Yahoo's feeble attempts to coerce its employees into using their particular brand of suckage, while no doubt driven by an edict from above, run against the best interests of their own staff.

    Which brings me to Outlook, the mail client of choice for the ignorant, the incompetent and the inferior. Nobody, and I do mean, NOBODY, of any worth would even consider lowering their professional standards this far. It speaks volumes about the very low quality of the personnel at Yahoo that they actually prefer this client over the many superior alternatives. That, in turn, explains in part why Yahoo's mail system is riddled with security holes and overrun by spammers, phishers, and abusers of all descriptions: there is nobody there intelligent enough to stop them.

    So what this really comes down to is whether Yahoo personnel are using M$ or Yahoo garbage; I wonder if there are any whose feeble intelligence is sufficient to allow them to figure out that the only correct answer is "neither". There DO exist mail clients that -- while not perfect by any means -- are clearly, markedly better than either of these.

  21. This wasn't a mistake on EFF Says Mark Shuttleworth Is Wrong About Trademark · · Score: 4, Insightful

    Shuttleworth/Canonical are just using the Facebook playbook:

    1. Engage in an outrageous overreach.

    2a. If there's no reaction: proceed.

    2b. If there's a negative reaction, then walk it back just far enough to quell the outrage. Use weasel words. Pretend that you were just kidding. Call it an unfortunate oversight, a lapse, a mistake -- but be sure not to admit that it was deliberate and calculated.

    3. Wait for outrage to die down.

    4. Return to step 1.

    This works beautifully on an audience that isn't paying attention, that can't generalize from specifics, that doesn't remember what happened yesterday, let alone last year or last decade.

  22. My god...it's full of fail on IE 11 Breaks Rendering For Google Products, and Outlook Too · · Score: 1

    It really doesn't matter if IE does or doesn't render anything, as using it exposes one to the gaping security-hole-of-the-day. I'm not talking about the ones that make it to slashdot or even full-disclosure; I'm talking about the ones that show up on blackhat sites with pricetags attached. I'd call it a "parade", but it's more like an angry mob rushing through the streets: it's constant and pervasive.

    Second, the Outlook service is an enormous source of spam. (Citation? Run a major email site, one with at least a million users. Pay attention to what arrives on port 25 from Outlook.) One of the things we've learned over the past couple of decades is that outbound abuse is a surface indicator of underlying security issues, thus the inference is that Outlook has been launched (in Microsoft's usual fashion) without a rigorous security audit.

    Third, the entire concept of webmail is wrong, stupid, and broken. Every attempt to date, and I do mean EVERY attempt, to shoehorn SMTP/POP/IMAP into something that works in a browser, has failed miserably. That includes the freemail services and the open-source projects, the commercial offerings, and the homegrown ones. One would think that given the landscape of uninterrupted failure that stretches all the way to the horizon that people would stop long enough to realize that the problem isn't the implementation: it's the concept. But no, web sites and mailing lists are filled with endless debate over how to "improve webmail". The required improvement is to abandon it entirely.

    Finally, "using Google products" is an increasingly bad idea, as it's obvious that they've been thoroughly backdoored at least once -- which means that it won't be long until they've been backdoored again. And again. Yes, for many lazy and inferior people, "using Google products" is a fast answer -- but it's the wrong one.

  23. Shuttleworth really doesn't have standing to speak on Mark Shuttleworth Complains About the 'Open Source Tea Party' · · Score: 1

    Not since he sold out to the spammers at Marketo and turned Ubuntu into spyware.

    Both of which are a pity, as it was a distribution that many people, including me, found quite useful for deployment in environments where we were trying to ease people away from their addictions to Microsoft and Apple products. But given our requirements (among which security and privacy are paramount) we simply couldn't justify using a distribution that was known to be compromised.

    Yes, yes, I know we could turn off the malware features, but that's hardly the point: once a distribution maintainer is known to be inserting spyware, they can never be trusted again. Nothing at all stops them from silently including the same thing (or something similar) in a routine update. Shuttleworth and Canonical have provided an existence proof that they cannot and must not be trusted: they should be ostracized from the Linux and open-source world, as they are clearly unfit to be any part of it.

  24. The destruction of trust on Schneier: The US Government Has Betrayed the Internet, We Need To Take It Back · · Score: 5, Insightful

    The worst part of the damage done by this isn't technical. It's human.

    The reporting on this latest disclosure reveals that the NSA has systematically inserted itself into the standard-crafting process, in order to deliberately weaken those standards. It also reveals that the NSA has bypassed the management of communications providers and recruited technical staff directly. In both cases it's reasonable to assume that the people involved have been through a security clearance process and are thus barred for life from disclosing what they know.

    I must now ask myself how many people I've worked with weren't doing so in good faith. When they argued that such-and-such a fine point of a network protocol standard didn't need improvement or that it should be changed in a certain way, were they doing so because it was their principled engineering opinion, or because it served some other purpose? Or when they were recommending that one of the many operations I've run move its colocation point or change its router hardware, was that good customer service, or was it to facilitate easier traffic capture?

    Will anyone be asking themselves the same questions about me? (They probably should.)

    The Internet was built on, and runs on, trust. Every postmaster, every network engineer, every webmaster, every system admin, every hostmaster, everyone crafting standards, everyone writing code, trusts that everyone else -- no matter how vehemently they disagree on a technical point -- is acting in good faith. The NSA, in its enormous arrogance, has single-handedly destroyed much of that trust overnight.

  25. Procmail is a fine tool -- but the wrong tool on Ask Slashdot: Speeding Up Personal Anti-Spam Filters? · · Score: 5, Informative

    If spam has made it far enough that it's actually reached your personal instance of procmail, then there's been a problem earlier in the chain. Procmail rulesets should be a last resort, and they should only be asked to deal with minor issues that aren't dealt with via earlier rulesets.

    The first line of defense is your perimeter routers. They should implement BCP 38, they should block bogons, and they should bidirectionally deny all traffic to/from the Spamhaus DROP list. In addition, they should block inbound port 25 traffic from everywhere on the planet that you don't need email from. In other words: the fact that someone in country X wants to email you is unimportant unless you actually wish to receive mail from them. Yes, this is a reversal of default-permit, for a simple reason: default-permit for SMTP stopped being reasonable around 2000. Use http://www.ipdeny.com/ to pick up the ranges per-country and only permit what you need. (Obviously a major research university can't do this. But Joe's Furniture, which does not have customers in Peru or Pakistan or Greece, can.)

    Then use blacklists, the best defense against spam we've ever developed. (Source: 30+ years of email experience) Spamhaus's Zen blacklist is a good one with a low FP rate and a tolerable FN rate. Augment these with local blacklists based on domains and network allocations. Augment those with as much blocking of generic hostnames and dynamic IP space as possible: real mail servers have real hostnames and are on static addresses.

    Then enforce RFC requirements: sending host must have rDNS, that PTR must resolve, what it resolves to should be the sending host's IP. Sending host must HELO as FQDN or bracketed dotted-quad; if FQDN, must resolve. Sending host must not send traffic pre-greeting. And so on. Enforcing these DOES mean occasionally you block mail sent by non-spamming entities: but since they are incompetent non-spamming entities, why would you want mail from them?

    Add greylisting. It'll handle a lot of annoying hosts that haven't learned to retry yet.

    Rate-limit based on normative values for your site. For example: if analysis of a year's worth of mail logs shows that during that time you never received more than 10 messages a day from ANY host, then rate-limit at 30 or 40. You'll never hit in normal practice; but if you get hammered by a fast-sending host, you'll blunt the attack. Note that these don't have to be perfect to work: provided you send deferrals (SMTP response codes 4xx) instead of refusals (5xx) the worst that happens is that you will mistakenly impose a delay.

    There's more -- it's possible to get quite crafty about this. But note that NONE of these measures pay any attention to content. There's a reason for that: spammers can defeat content-based measures at will. They won't have it so easy with these.

    Deployed in production in various setups ranging from a dozen to eight million users, these steps yield a FP rate of about 10e-6 to 10e-7 and a FN rate around 10e-5 to 10e-6. Tuning helps, of course: initial rates can be higher but log analysis (which all sensible postmasters do) readily brings them down. If you have the luxury of running your own mail server just for yourself, then you can REALLY tune this setup: you should be able to get the FN rate down to 10e-7 after a few months.
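
The connection-time checks the comment describes (forward-confirmed rDNS, a HELO that is an FQDN or bracketed dotted-quad, no traffic before the greeting, and a rate limit that defers with 4xx rather than refusing with 5xx), worked as policy code. This is an added example, not the commenter's setup; the PTR/A tables are constructed so it runs offline, and the reply texts, the check order and the per-day cap of three are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed PTR and A tables standing in for real DNS lookups (an assumption of this example).
PTR = {"198.51.100.10": "mail.example.net", "203.0.113.7": "mx.forged.example"}
A = {"mail.example.net": ["198.51.100.10"], "mx.forged.example": ["203.0.113.99"]}
# A HELO hostname must be a dotted FQDN: two or more labels of letters, digits and hyphens.
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$", re.I)


def lookup_a(name):
    """Forward lookup against the constructed table; a real MTA would query the DNS."""
    return A.get(name.lower().rstrip("."), [])


def check_fcrdns(ip):
    """Forward-confirmed rDNS: PTR exists, resolves, and points back at the client."""
    name = PTR.get(ip)
    if not name:
        return False, "client has no rDNS"
    addrs = lookup_a(name)
    if not addrs:
        return False, "rDNS name does not resolve"
    if ip not in addrs:
        return False, "rDNS name does not resolve back to client address"
    return True, name


def check_helo(helo):
    """HELO must be a bracketed dotted-quad literal or a resolvable FQDN."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            ipaddress.IPv4Address(helo[1:-1])
            return True, "address literal"
        except ValueError:
            return False, "malformed address literal"
    if not FQDN_RE.match(helo):
        return False, "HELO is not a fully qualified hostname"
    if not lookup_a(helo):
        return False, "HELO hostname does not resolve"
    return True, "hostname resolves"


class DailyRateLimiter:
    """Counts accepted connections per (client, day); above the cap we defer, never reject."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, ip, day):
        self.counts[(ip, day)] += 1
        return self.counts[(ip, day)] <= self.limit


def smtp_policy(ip, helo, spoke_before_banner, day, limiter):
    """Reply (code, text) for one inbound connection: 4xx defers, 5xx rejects."""
    if spoke_before_banner:
        return 554, "5.7.1 client sent data before the greeting"
    ok, why = check_fcrdns(ip)
    if not ok:
        return 550, "5.7.1 " + why
    ok, why = check_helo(helo)
    if not ok:
        return 550, "5.7.1 " + why
    if not limiter.allow(ip, day):
        return 450, "4.7.1 connection rate exceeded, try again later"
    return 250, "ok"


# Constructed sessions: 198.51.100.10 is a well-run MTA, 203.0.113.7 has a PTR that
# points at a different address, and 192.0.2.55 has no PTR at all.
SESSIONS = [  # (client IP, HELO argument, spoke before the banner)
    ("198.51.100.10", "mail.example.net", False),     # compliant sender
    ("198.51.100.10", "[198.51.100.10]", False),      # address literal is acceptable
    ("192.0.2.55", "mail.example.net", False),        # no rDNS
    ("203.0.113.7", "mx.forged.example", False),      # rDNS does not confirm
    ("198.51.100.10", "localhost", False),            # HELO is not an FQDN
    ("198.51.100.10", "nonexistent.example", False),  # HELO does not resolve
    ("198.51.100.10", "mail.example.net", True),      # talked before the greeting
    ("198.51.100.10", "mail.example.net", False),     # third accepted connection today
    ("198.51.100.10", "mail.example.net", False),     # fourth: deferred with 4xx, not rejected
]


def run_sessions(sessions=SESSIONS, limit=3, day="2014-02-01"):
    """Run the sample sessions through the policy in order; return the reply codes."""
    limiter = DailyRateLimiter(limit)
    return [smtp_policy(ip, helo, pre, day, limiter)[0] for ip, helo, pre in sessions]


if __name__ == "__main__":
    for (ip, helo, pre), code in zip(SESSIONS, run_sessions()):
        print(f"{ip:14} HELO {helo:20} -> {code}")
```

Only connections that pass the rDNS and HELO checks count against the rate limit, so the deferral in the last session is the fourth accepted connection from that host, not the fourth attempt.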