I think if you spent that much effort on getting a better paying job instead of stealing other people's work products you could afford to buy all the music you'd ever want or need and still have time left over to listen to it.
Actually.. I have never yet downloaded a single mp3 or music file that I haven't had direct permission from the band directly (and I've helped quite a few bands promote themselves by helping them get .mp3/.ogg files online for their sites; Kerry Lauder Band, Seryn, etc.). I don't support the RIAA, and I don't purchase albums in the store that are backed by the RIAA.
"Encryption" is not always about hiding anything, it's about retaining privacy, or in some cases, verifying the identity or source (ala gpg signing an email or a gpg key for a released tarball).
I'm not sure who your response was targeted to, but it certainly was not me. I don't need to "circumvent" any mp3/illegal sharing methods, because I don't personally use them.. that being said, I think a solid network predicated upon the basis of privacy, is an important thing, and this is precisely why I came up with this solution back 4-5 years ago, well before the whole p2p/RIAA madness was even a speck on the radar.
One thing that's unique to your proposal, though, is the idea of sending every block to every node - creating a system that cannot possibly scale beyond a trivial number of nodes.
Actually... that shouldn't have been what I said. The point is that for any node's blocks, you can't possibly assemble the entire file, because:
You don't have the key to decode the blocks (assuming a one-way encoding)
You don't know where the next 'n' blocks are, or even how many blocks comprise the entire file
You don't know what order the blocks belong in
No node has all the blocks, and that part of the design is critical, and must be enforced by the protocol
The whole benefit of the system is that someone out there has the next block (or blocks) you'll need, and only they know how to get the next block beyond the block(s) that they carry for you.
Think of it like "Odo" from DS9. He lives in a "collective", where his entire race lives on a planet, which is entirely "water". Parts of everyone float and coalesce among all the other parts.
Ideally, the "file" (series of blocks) would be moved around all the time, dispersed across the nodes, so that there is never the same number of blocks, or files, or ordering on any one node... like liquid.
I proposed this solution about 4 years ago to one of the gnome-vfs guys at a Helixcode party in San Francisco "back in the day".
Basically you have a section of your local storage that is specifically set aside for this purpose, say a 5gb slice of your partition. This storage area is strongly encrypted with hashes that only you know (Blowfish, AES, whatever), via your own passphrase or private key.
When you send a file "to the network", that file is split into blocks, and encrypted with your public key, and those blocks are dispersed to everyone else on the network, in that encrypted fashion, and the "map" to reassemble them is dispersed likewise.
Every node with block #1, has a map which tells them how to get block #2, but not block #3. System with block #2 (which knows that block as block #1 to itself), knows how to get block #3, and so on. Sort of like the "Triad" mob system in Japan.
Your system requests a file, which is dispersed as a series of encrypted blocks, across hundreds, thousands, millions of other systems, and those blocks are reassembled, using those systems to find "The Next Block", and send it to you. You could also arrange it so that each "node" could know about the next 5 or 10 or 20 blocks, etc.
It is sort of a mesh between PKI + BitTorrent (which didn't exist when I came up with the idea), and the methodologies of common peer-to-peer networks.
You could further strengthen the network by only accepting blocks from nodes you "trust" (via your own public keyring). Facilities to "swap blocks" across systems on a regular (or irregular) schedule, to keep the network "self-healing" would also be a good idea.. or keeping duplicate blocks in different parts of the "storage slice" for redundancy, etc. Storage is cheap.
In the end, this means that nobody can be accused of having "the full file", nor can anyone figure out what is in those encrypted blocks. Even if they had 1 block, there is no way to get all of them, or to accuse someone of distributing the material, since it would be moved around at irregular intervals.
What do you think?
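A toy simulation of the "next block" dispersal sketched in the comments above (an added example, not the poster's code): each node record carries one encrypted block plus the location of the next block only, and the protocol-level rule that no node holds all the blocks is enforced at placement time. It assumes a throwaway SHA-256 keystream in place of the real cipher, made-up node names, and a 16-byte block size.

```python
"""Toy simulation of the 'next block' dispersal sketched above.

Added example, not the poster's code. Assumptions: a throwaway SHA-256
keystream XOR stands in for the real cipher (it is NOT Blowfish/AES and
not safe for use), node names and the 16-byte block size are made up.
"""
import hashlib
import os
import random

BLOCK_SIZE = 16


def keystream_xor(key: bytes, block_no: int, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block_no || counter)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(
            key + block_no.to_bytes(4, "big") + counter.to_bytes(4, "big")
        ).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def disperse(payload: bytes, key: bytes, nodes, max_per_node: int, rng):
    """Split payload into encrypted blocks and scatter them over nodes.

    Every stored record holds one ciphertext block plus the (node, slot)
    of the NEXT block only; the block number, the total count and the
    rest of the map never reach the holder. The rule from the comment,
    'no node has all the blocks', is enforced here by max_per_node.
    Returns (storage, entry) where entry locates block #1.
    """
    blocks = [payload[i:i + BLOCK_SIZE] for i in range(0, len(payload), BLOCK_SIZE)]
    if len(blocks) > len(nodes) * max_per_node:
        raise ValueError("too few nodes to keep every node below max_per_node")
    load = {n: 0 for n in nodes}
    holders = []
    for _ in blocks:
        holder = rng.choice([n for n in nodes if load[n] < max_per_node])
        load[holder] += 1
        holders.append(holder)
    slots = [os.urandom(8).hex() for _ in blocks]  # opaque handles, no ordering leaks
    storage = {n: {} for n in nodes}
    for i, block in enumerate(blocks):
        nxt = (holders[i + 1], slots[i + 1]) if i + 1 < len(blocks) else None
        storage[holders[i]][slots[i]] = {"data": keystream_xor(key, i, block), "next": nxt}
    return storage, (holders[0], slots[0])


def reassemble(storage, entry, key: bytes) -> bytes:
    """Requester's view: start at block #1 and hop one 'next' pointer at a time."""
    out = bytearray()
    node, slot = entry
    block_no = 0
    while True:
        record = storage[node][slot]
        out += keystream_xor(key, block_no, record["data"])
        if record["next"] is None:
            return bytes(out)
        node, slot = record["next"]
        block_no += 1


def blocks_held(storage, node) -> int:
    """How many blocks a single node carries (never the whole file)."""
    return len(storage[node])


def demo():
    """Constructed run: a 768-byte payload (48 blocks) over 8 nodes, 8 max each."""
    rng = random.Random(7)
    nodes = [f"node{i}" for i in range(8)]
    key = b"demo key, not secret"
    payload = bytes(range(256)) * 3
    storage, entry = disperse(payload, key, nodes, 8, rng)
    try:
        disperse(payload, key, nodes[:2], 8, rng)  # only 16 slots for 48 blocks
        too_few_rejected = False
    except ValueError:
        too_few_rejected = True
    return {
        "roundtrip": reassemble(storage, entry, key) == payload,
        "wrong_key_roundtrip": reassemble(storage, entry, b"guess") == payload,
        "max_held": max(blocks_held(storage, n) for n in nodes),
        "total_blocks": sum(blocks_held(storage, n) for n in nodes),
        "too_few_rejected": too_few_rejected,
    }
```

Note that the "next" pointers are stored in the clear, so a holder can always find the following hop; only the block contents and the overall count stay hidden from it.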
There are plenty of GPL violations going on.. (on Injunction to Enforce GPL, Score: 3, Interesting)
Back in January, I "accidentally" stumbled upon a company in Germany who was using some of our LGPL'd code in their proprietary Windows products. I contacted them, and contacted the FSF, and started asking questions. They claimed they didn't use any of our code in their products (despite the fact that strings and other tools reveal exact function names being copied, etc.), but claimed that they DID use our code as a basis for an API, where they decided to "rewrite" their own version of it, for Windows. A fishy description from the start. Paraphrasing code to write an identical copy in another language, is still a copyright violation.
Fast-forward 3 months...
I let it lie for awhile (honestly, I was busy with other things, like trying to bring in paid work), until I read a story on Slashdot about the iptables/ipfilter team getting an injunction in Germany.
I decided to revisit our old friends, to see what they've been up to. I caught up with a friend on ICQ who lives in France, and he tells me that he knows a guy in Germany who wrote $APPLICATION entirely from scratch, and that it competed with his own product. Curiously, the guy he knows, is the same one that claims he didn't take any of our code (small world, huh?).
So I mentioned my issues with the "guy", and his company, and as I'm talking on ICQ, I start digging through the code again, and I find our functions littered through their codebase again. I also find an SDK that they've "written" to allow other developers to write "modules" that plug into their proprietary product (questionably using our code).
As I look through their SDK, I have this eerie feeling of deja-vu. I've seen this code before. I start grepping my source tree, and sure enough, the functions in their SDK are byte-for-byte identical to our own, including the comments. Of course, this portion of their code claims to be covered by the LGPL, but the copyright header has the author marked as this "guy", not the original authors who actually wrote the functions he's ripped off from us.
Needless to say, I reopened the issue with the FSF, and gave them the additional information they needed to have to make sure this incident does not get dropped this time.
Not only did this developer ("guy") in Germany lie to us about the nature of his code, he lied to my friend in France by telling him he wrote it all from scratch, and he is openly, and knowingly ripping off the hard work of others, by removing their copyright notice from their code (OUR code), and replacing it with his own name and company name, and is shipping it in an SDK, that they claim as their own. I wonder how many other companies and developers have downloaded this SDK, and are unknowingly also in violation of copyright?
Now I'm pissed. This is the third violation of our code, OUR code, by commercial companies in the last 6 months, without even a single "Thank you for all you've done" from any of them.
You'll also start to see things like "Javascript decryption" and other techniques to prevent machines from figuring out which URL, exactly, it is that is being advertised, rather than random noise.
This is precisely why my milter contains the following little filter, which strips anything inside Javascript and style blocks, including the tags themselves:
# Strip <script [..]>..</script> and <style>..</style>
$content =~ s!<(s(?:cript|tyle))[^>]*>.*?</\1>!!gis;
If you want to go one step further, you can strip out all HTML, and convert it to plain, human-readable text, using the following:
use File::Slurp;
use HTML::Parse;
use HTML::FormatText;
# Read the message body, build a parse tree, and render it as plain text
my $tree = parse_html(read_file($ARGV[0]));
print HTML::FormatText->new(leftmargin => 0, rightmargin => 72)->format($tree);
$tree->delete;
At least 80% of our incoming spam, brute-force attacks, and other SMTP violations are coming from behind legitimate hosts like AOL, Verizon, Blueyonder, RoadRunner, and so on. Not forged IPs that pretend to be those hosts, but actual IPs that return to those MXs.
Every single one of these lists gets collected and reported, per day, per provider, and to date, not a single one of them has done anything to stop the abuse. In fact, it keeps increasing every day. The more we block, the faster they come at us.
I'm selling my SuperServer 6010H on eBay... feel free to make me an offer.
The award-winning SuperServer 6010H is Supermicro's best-selling server product. Its robust and sleek ultra-thin 1U design is critically acclaimed within the industry. It provides build-as-you-grow scalability for Internet, ISP, and application computing needs.
Featuring dual 1.0GHz with 256K cache Pentium III Flip/Chip processors (FCPGA) and up to 4GB of 133MHz ECC registered SDRAM memory (Note: no processors, drives, or memory are included in this auction), SuperServer 6010H promises satisfaction for companies of any size.
Known for superior performance and product quality, Supermicro offers a comprehensive set of density-optimized solutions that are proven to solve any challenges that customers encounter when they deploy servers in a racked environment.
This server is in mint-condition, unracked from a production facility and treated with the utmost care during its use and operation.
I wonder how this will fare against Knoppix STD? Knoppix, as the world knows, is an awesome LiveCD distro of Linux that comes with an assortment of tools.
If you haven't already downloaded and burned/mounted this, this IS KNOPPIX with some slightly different branding. It still boots up and says KNOPPIX all over it.
Move along now, the Linuxcare BBC did more than this, and was much more integrated and tested.
I don't want to get any bullsh*t spam, but I *do* want to get all the bits that person X or company Y, whom I trust, wants to - or has to - send to me.
That is what whitelists are for. Learn to use them.
I'm not saying that you should use this exclusively, but it should be part of your antispam arsenal. I have never lost an email that I expected to receive.
With 7 RBLs being used on our networks, we are blocking 95% of the incoming spam with just that alone.
If anything gets beyond that, SpamAssassin catches and files 99% of those.
Anything else that gets through that, and is formatted with HTML content, and not in the whitelists, gets the HTML stripped. If that is unintended, then we can whitelist the sender, and it doesn't happen again.
Anything that gets filed into the SPAM folder, and is honestly spam, gets reported to abuse@domain.tld. Any site that rejects that email, gets their domain blocked on port 25.
So far, out of 5k emails a day, we haven't lost a single email in years, and 1 or 2 "legit" spam emails sneak their way through to user mailboxes. We deal with those on a case-by-case basis.
Just strip HTML out at the milter/MTA side (on Hidden Messages in Spam, Score: 2, Interesting)
If you don't want to get any of these annoying webbug/spam/trojans buried in HTML emails, simply strip them out at the MTA level, with procmail or your milter or whatever else you trigger them in.
Safe for you, safe for your users, and brings email back the way it ought to be, 7-bit ascii text.
use File::Slurp;
use HTML::Parse;
use HTML::FormatText;
# Read the message body, build a parse tree, and render it as plain text
my $tree = parse_html(read_file($ARGV[0]));
print HTML::FormatText->new(leftmargin => 0, rightmargin => 72)->format($tree);
$tree->delete;
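The same two steps the milter comments describe (drop script/style, then flatten HTML to text), as an added standard-library Python example rather than the poster's Perl: it shows the regex form beside a parser-based form that also drops an unterminated <script> block and records remote images (web bugs) instead of loading them. The sample message is constructed.

```python
"""Added example, not the poster's milter: convert an HTML e-mail body to
plain text the way the comments describe, dropping <script>/<style>
bodies and recording remote images (web bugs) instead of rendering them.
Standard library only; the sample message below is constructed."""
import re
from html.parser import HTMLParser

# Python spelling of the Perl substitution in the comment (flags g, i, s).
SCRIPT_STYLE_RE = re.compile(r"<(s(?:cript|tyle))[^>]*>.*?</\1>", re.I | re.S)


def strip_script_style_regex(html: str) -> str:
    """The one-liner approach: only fires when a matching close tag exists."""
    return SCRIPT_STYLE_RE.sub("", html)


class MailTextExtractor(HTMLParser):
    """Keep visible text; drop script/style content; collect remote img URLs."""

    DROP = {"script", "style"}
    BLOCK = {"p", "div", "br", "tr", "li", "h1", "h2", "h3", "table", "hr"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.skip_depth = 0
        self.remote_images = []

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP:
            self.skip_depth += 1
        elif tag == "img":
            src = dict(attrs).get("src") or ""
            if src.lower().startswith(("http://", "https://")):
                # fetching this would confirm the mailbox to the sender
                self.remote_images.append(src)
        elif tag in self.BLOCK:
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in self.DROP:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in self.BLOCK:
            self.parts.append("\n")

    def handle_data(self, data):
        # text inside an open <script>/<style> never reaches the output,
        # even when the close tag is missing
        if self.skip_depth == 0:
            self.parts.append(data)

    def text(self) -> str:
        lines = (" ".join(l.split()) for l in "".join(self.parts).splitlines())
        return "\n".join(l for l in lines if l)


def html_to_text(html: str):
    """Return (plain_text, remote_image_urls) for one HTML body."""
    p = MailTextExtractor()
    p.feed(html)
    p.close()
    return p.text(), p.remote_images


# Constructed sample message (hostnames in the reserved .invalid TLD).
SAMPLE_MAIL = """<html><head><style>.hide{display:none}</style>
<script type="text/javascript">document.write(decode("..."))</script></head>
<body><p>Hello <b>friend</b>,</p>
<img src="http://tracker.example.invalid/open.gif" width="1" height="1">
<div>Special &amp; limited <SCRIPT>noise()</SCRIPT> offer</div>
</body></html>"""
```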
(b) more money is spent on Viagra and plastic surgery than research into Alzheimers, so when we're old and clunky, the women will have superb breasts, the men iron-hard equipment, but no-one will remember what it's all for.
Actually, Viagra (sildenafil citrate) was originally an arrhythmia treatment (i.e. heart medicine, to help people with strokes and frequent heart attacks). ALL of the money that went into the research of (what is now called) Viagra was there to support a drug for cardiac patients.
Only when some of the clinical trials had less-than-optimal results as a cardiac treatment, and an additional "side effect" of erectile sustainment, was it recast as an erectile dysfunction treatment. They weren't going to pour the millions they spent on researching the cardiac drug, down the drain, so they recast it as Viagra, and that is what you know today.
I know this, because I used to work with the group responsible for doing the purity/potency testing of this specific compound within $PHARMA.
Also, contrary to popular belief, Viagra does not produce erections. It increases blood flow (hence the original cardiac target). The increased bloodflow helps you sustain an existing erection longer than you normally could. It does not give you an erection.
As you no-doubt already know, many of the kernel maintainers are electively omitting the details from their log entries, due to DMCA pressure. Publishing fixes that close exploitable holes, or describe security measures that were worked around or closed, is a potential violation.
I did a talk at Linuxworld back in the beginning of last year (one of several I did that week at LWE), that focused on the business savings of using Free Software on Windows instead of the more-expensive Microsoft alternatives. The room was jam-packed, and every spare bit of space was taken up by standees. Most of these people were IT managers and upper-management people.
The cost savings are enormous. Think about the current Microsoft Office paradigm; $450/desktop at retail rates (slightly lower for volume purchases). Now, compare that to OpenOffice.org on the same Windows desktop at a cost of $0.00/desktop. Multiply that out over say... 3,000 desktops, for a medium-sized installation. Let's say that you have a volume price of $200/copy of Microsoft Office in this case. You just saved yourself $600,000 in just licensing costs, and just for one application. Multiply that out across many more Free Software applications that run on Windows natively. Do you think you could use a spare $600k to improve your business, or hire some more staff, or upgrade the existing computers, or buy new applications for your core business process? I bet you could.
That's just for a small-to-medium sized business. Take a Pfizer Pharmaceutical for example... 70,000 desktops, most of them running Microsoft Office. If they get a nice cheap volume price of $100/copy of Microsoft Office vs. the $0.00/copy of Oo.org, they just saved $7,000,000 (yes, million) dollars by moving to Free Software on their existing Microsoft Windows desktops. $7 million dollars saved, in just licensing costs! Yes, there are some advanced things that Oo.org doesn't do yet, but it will fit the needs of 90% or more of "office users".
But wait, that's not all (insert catchy As-Seen-On-TV jingle). If you ever decide to switch your users to a Linux desktop, they can continue to use the same exact applications that they were used to on the Microsoft Windows desktop; i.e. OpenOffice.org in this example. There is zero training curve, downtime, or lack of productivity.
Also, Oo.org provides MUCH more functionality, in terms of file formats, usability, interoperability, than the current Microsoft Office suite, and Oo.org is improving every single day in leaps and bounds. Is Microsoft Office improving this fast? Unlikely.
The switch is a no-brainer, and you don't even have to run Linux to reap the benefits.
(Note: I don't work for or endorse OpenOffice.org in any way, I just believe in Free Software very strongly, both as an author of Free Software, and an evangelist in the community)
"I'm trying to picture someone juggling a modern-day cell phone on their shoulder while using both hands to enter something on a PDA. Maybe if you're agile enough it would work, but I'd bet you'd flip your cell phone to speaker mode or hook up a headset anyway."
That's exactly what I'm trying to avoid by staying away from converged devices.
I'd rather have my cellphone (ANY cellphone, or multiple cellphones) on my hip, wireless bluetooth headset, and my PDA, linked to the phone(s) over Bluetooth, so I can initiate calls from the PDA (I do this now, with my Tungsten T2 and my Nokia 3600), talk on the headset, and continue typing into the PDA from a bluetooth keyboard, wirelessly.
Converge any of those, and I am severely reduced in functionality, and you cripple all of the devices, and you end up restricting it to one device, which is going to be sub-par in ALL areas that it tries to converge.
Speakerphone is not an option, especially for confidential things like voice mail, company-specific conversations (think, on a train or in a public area), nor is having to juggle between phone functionality and PDA functionality, specifically for my time/project tracking, logging, browsing, and so on.
Re:And this is why device convergence is bad... (on Toshiba's Wristwatch PDA, Score: 2, Insightful)
"Ooops, technical standards improve next year? What! Just buy a new gadget every year or so."
Don't fall into this trap. This is exactly what these vendors want you to do.
Remember when CDs used to last 50-100 years? Do you know why they don't last that long now? Because vendors decided to reduce their production costs by not adding the additional layer of plastic on the CD, preventing oxidation. Now CDs last 5-10 years, and cost 1/2 as much. Hence, you just go out and buy a new CD, rip your old one to the new one, and throw away the old one. You're caught in the "leasing" model of technology, which is exactly where the vendors want you to be. If they made products that lasted, they'd put themselves out of business. It happens with CDs, DVDs, players, cars, and lots of other technology.
What about all of the other technology which is engineered to "degrade" in a very specific timeframe? You simply go out and repurchase a replacement, and move on. People don't seem to have a problem with this. But I do. Technology shouldn't "expire". It is happening all over the place.
Just because it is cheaper, doesn't mean you should have to go out and buy a new one every 2 years. After 10 replacements at 49.95, you've purchased the equivalent of that $499.95 device that should have lasted just that long in the first place.
"Now if you were carrying both a separate cellphone and a PDA, their sum would be much larger than the 7135."
Now show me how you can use the PDA, say to type some notes into a document or memo, while you're actively talking on the phone, or checking your voice mail at the same time.
And this is why device convergence is bad... (on Toshiba's Wristwatch PDA, Score: 2, Insightful)
And this, my dear friends, is why device convergence is, and has always been, a bad idea.
Not only do you get coupled to one device, vendor, or service (think Treo600 + Sprint cell service), but you can't decouple parts of the hardware to improve it as technology advances.
Built-in 802.11b WiFi. Oops, now 802.11g is the standard, and your device is no longer current.
USB 1.1 capable. Oops, now USB 2.0 and later is the standard, and your device is no longer current.
Want to get another Bluetooth headset to use with your PDA? Sorry, this one is built-in, and you can't connect any others. You can buy a new device though...
Device convergence is a bad, bad bad idea. The technology (Bluetooth for example) was originally proposed to "connect devices together". It does nothing of the sort, when your devices are converged.
I'd love to see a PDA, with a Bluetooth attachment, talking to a cellphone (bluetooth enabled, either internally or via attachment), talking to a bluetooth-enabled laptop/desktop, and so on. If you decide to upgrade your phone, the rest of the devices still keep working perfectly. It is the Unix philosophy. Replace one small part, and the process keeps working. You don't have to rip everything out and replace it all, because one small part merits an upgrade.
What do you do when you want to upgrade a portion of this watch's capabilities? Throw it out and get a new one? Unacceptable.
This goes for PDAs with phones, or phones with PDAs built into them. Either you get:
A "big" phone, capable of holding a useful PDA screen and keyboard, which can no longer be comfortably worn on a belt or in a pocket, or..
A "tiny" PDA, with an equally "tiny" keyboard to tap on to type in messages, with a screen you have to squint at to read.
Building a PDA into a wristwatch, while at first seems "cool", in the real world of practical devices and people who use this technology, is an incredibly bad idea.. especially at this size.
...and I hope most of the technology in it is built around some sort of updatable firmware, so you can update the OS, apps, and other software bits to help it remain compatible with other technology.
I want my existing, bought-this-year devices to work with current technology. I don't want to have to throw them all away and replace every part, just to get a new connectivity option.
I bid on an auction for a Thinkpad T23 from a buyer calling himself "electro_depot" on eBay. After several emails to the seller asking for details, I "won" the bid.
Basically the scam was that this seller puts a laptop model for sale on eBay, dozens of times. Dozens of people bid on the item and he picks the 'n' number of highest bidders to "win" the auction. At no time does he own these laptop models he is selling. He requires that all payment be sent to him within 5 days of the auction close.
After 4-6 weeks of delays, people start sending emails, getting pissed, and mad. "Brian Silverman" emails them back, with excuses about delays at the "warehouse" and other excuses.
Meanwhile, 2-2.5 months later, he purchases the laptop model, at quite a discounted price from the vendor (not being the "newest" model on the market anymore).
So he keeps hundreds of thousands of dollars in auction buyers' money in his account, accruing interest, and then he purchases the laptops, at roughly 30-40% less than his original auction price.
But wait, it gets better... Brian decided that the whole "send the item to the buyer" part of the scam was eating into his profits too much, so he decided to just not send any laptops to anyone.
I was the last person he ever sent a laptop to. I actually tracked him down, and called him at home one night to demand my laptop, or the FBI would be at his door in 30 minutes. He claimed he would send it out that night, and double the RAM "for my troubles". A week later, I did indeed receive the laptop.
But I posted all of the details in my Advogato diary entries. Hundreds of other people who were being scammed by Brian Silverman googled for his "electro_depot" name, and my diary entry was the only one to come up. They would email me directly asking for more details.
I then received a call from the NY Cyber Crime division, asking me if I had any details on the "scam" with Brian Silverman, and if anyone else had contacted me, because they had a "few calls".
I said I had 141 separate people who had emailed me to complain. 141 people!!!
The end result, was that Mr. Silverman was tracked down out of the country, and the FTC caught and nailed him. I even received a nice little letter from the FTC praising me for my efforts in catching him.
My diary entry was THE reason people were brought together, and the FTC and NYPD took notice in the matter.
Vigilante justice does definitely work, but you have to be very careful about how you go about it. After people found my diary entry, they created all of those other websites to track and report on Mr. Silverman's scams.
(And that T23 that I "won" is currently at IBM repair, for the 6th time in 2 years, so it wasn't exactly a "win" in my case).
"Now we use about 8 RBL checks at the gateway, this helps block about 90-95% of the incoming connections but still the spam gets past that, if we open the floodgates the users go nuts on us."
What are the RBLs you use? I'd love to add more RBLs here to reduce the number of firewall-based blocks I need to implement.
This is from the last 6 days of mail logs here, and filtered for only one domain we host. Multiply that by about 20 for the domains we host, and then multiply that by the number of hacked providers (comcast.net, cox.com, verizon.net, etc.) and you begin to see an enormous amount of abuse and bandwidth being consumed by these hosts.
Report it to Carl Hutzler (cdhutzler at aol dot com) and let him know your concerns. He is the director of AOL's anti-spam measures.
I've emailed the requisite 'abuse@aol.com' address hundreds of times, with copies of the spam emails, log entries, dates, times, and so on. Has anything changed? No.
I even emailed Carl Hutzler, Director of Anti-spam at AOL, and he hasn't returned my emails or my calls. The same goes for the hundreds of thousands of spams we get from *.verizon.net, comcast.net, voyager.net, compaq.com, and others. Clearly people inside the business infrastructure have infected systems propagating spam on the weekends, using the corporate bandwidth to do it.
At this point, this is what I do:
Sendmail as my MTA, blocks a significant amount of spam, before receiving it, with some custom antispam rulesets I've cooked up.
blackholes.us is set to block known spammers from Argentina, Brazil, China, Hong Kong, Japan, Korea, Russia and Taiwan.
virtusertable in the MTA chain blocks attempts at some common internal system accounts.
SpamAssassin is tuned down to 3.5, and catches a significant portion of the emails that make it past the above measures.
AV is done through procmailrc, with some custom heuristics in the recipes (contact me if you want these)
Anything that SA catches, is tagged and put into /var/spool/mail/SPAM
I manually go through that SPAM folder, and report every entry there to the 'abuse@address' for the resolved provider (not the forged provider in the From: line, of course)
For hosts that do not resolve, they are permanently blocked at the firewall.
For providers that do not support the 'abuse@address' address, they are permanently blocked at the firewall.
I then go through the mail logs themselves, and catch the brute-force attempts at sending mail to the dozen-or-so domains I host, and block them at the firewall.
So far, the more I block, the faster the spam comes in, and the more I block, ad nauseam.
Here are today's counts. At 5:30am, this was 164 hosts, and now it is 109 more than that.
iptables-save | grep "dport 25" | wc -l
273
Spam is definitely getting worse, as more and more machines are hijacked for the purposes of propagating it, with these trojans.
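The manual steps in the list above (report rejections to the resolved provider's abuse address, firewall relays that do not resolve) as an added Python example, not the poster's scripts: it parses sendmail-style rejection lines, counts per relay, and splits the result into per-provider abuse reports and a firewall list. The log lines and hostnames are constructed and the IPs are RFC 5737 documentation addresses; relays that sendmail marks "(may be forged)" are treated as unresolved.

```python
"""Added example, not the poster's setup: triage sendmail rejection log
lines into (a) abuse reports per resolved provider and (b) relays that
do not resolve, which the comment blocks at the firewall.
Log lines and hostnames are constructed; IPs are RFC 5737 addresses."""
import re
from collections import Counter, defaultdict

# sendmail logs the relay as "name [ip]" when the PTR resolves, "[ip]" when
# it does not, and appends "(may be forged)" when forward/reverse disagree.
RELAY_RE = re.compile(
    r"relay=(?:(?P<host>[\w.-]+) )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r"(?P<forged> \(may be forged\))?.*\breject=(?P<code>\d{3})"
)


def _line(relay, rcpt="user@hosted.invalid"):
    """Build one constructed sendmail check_rcpt rejection line."""
    return ("Apr 12 17:40:01 mx sendmail[2101]: i3CLe1Aa002101: ruleset=check_rcpt, "
            f"arg1=<{rcpt}>, relay={relay}, reject=550 5.7.1 <{rcpt}>... Relaying denied")


SAMPLE_LOG = (
    [_line("pool-10.isp-a.invalid [192.0.2.10]")] * 4
    + [_line("dsl-11.isp-a.invalid [192.0.2.11]")] * 3
    + [_line("[198.51.100.7]")] * 3                      # no reverse DNS
    + [_line("mail.isp-b.invalid [203.0.113.5]")]          # one-off, below threshold
    + [_line("spoof.isp-c.invalid [203.0.113.77] (may be forged)")] * 3
    + ["Apr 12 17:41:09 mx sendmail[2102]: i3CLf9Ab002102: to=<user@hosted.invalid>, "
       "delay=00:00:01, mailer=local, stat=Sent"]           # not a rejection
)


def provider_of(host: str) -> str:
    """Reporting domain: the last two labels of the resolved relay name."""
    return ".".join(host.lower().split(".")[-2:])


def parse_rejections(lines):
    """Yield (ip, provider_or_None) for every rejected SMTP transaction.

    The provider comes from the name sendmail resolved for the connecting
    IP, never from the forgeable From: header. Forged or missing PTRs
    give None.
    """
    for line in lines:
        m = RELAY_RE.search(line)
        if not m:
            continue  # deliveries, queue messages, etc. are not rejections
        host = m.group("host")
        resolved = host is not None and m.group("forged") is None
        yield m.group("ip"), (provider_of(host) if resolved else None)


def triage(lines, threshold=3):
    """Return ({abuse_address: [(ip, count), ...]}, [ips_to_firewall])."""
    per_ip = Counter()
    provider = {}
    for ip, prov in parse_rejections(lines):
        per_ip[ip] += 1
        provider[ip] = prov
    reports, firewall = defaultdict(list), []
    for ip, n in per_ip.items():
        if n < threshold:
            continue
        if provider[ip] is None:
            firewall.append(ip)
        else:
            reports["abuse@" + provider[ip]].append((ip, n))
    return {k: sorted(v) for k, v in reports.items()}, sorted(firewall)
```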
"Whoah! So they will terminate your friend if they have a mobile phone with a camera...that's pretty severe!"
No, YOU are terminated if your onsite visitor or friend is found using a cameraphone (or camera or other recording device, audio or video) onsite.
It is pretty harsh, and these cellphone vendors are making it harder and harder to get a useful phone, without having all kinds of battery-draining cruft on it (camera, big color screen, etc.)
I'm aware of the difference between encryption and encoding, but thank you for pointing it out for the others who may not know the difference...
I proposed this solution about 4 years ago to one of the gnome-vfs guys at a Helixcode party in San Francisco "back in the day".
Basically you have a section of your local storage that is specifically set aside for this purpose, say a 5gb slice of your partition. This storage area is strongly encrypted with hashes that only you know (Blowfish, AES, whatever), via your own passphrase or private key.
When you send a file "to the network", that file is split into blocks, and encrypted with your public key, and those blocks are dispersed to everyone else on the network, in that encrypted fashion, and the "map" to reassemble them is dispersed likewise.
Every node with block #1, has a map which tells them how to get block #2, but not block #3. System with block #2 (which knows that block as block #1 to itself), knows how to get block #3, and so on. Sort of like the "Triad" mob system in Japan.
Your system requests a file, which is dispersed as a series of encrypted blocks, across hundreds, thousands, millions of other systems, and those blocks are reassembled, using those systems to find "The Next Block", and send it to you. You could also arrange it so that each "node" could know about the next 5 or 10 or 20 blocks, etc.
It is sort of a mesh between PKI + BitTorrent (which didn't exist when I came up with the idea), and the methodologies of common peer-to-peer networks.
You could further strenghthen the network by only accepting blocks from nodes you "trust" (via your own public keyring). Facilities to "swap blocks" across systems on a regular (or irregular) schedule, to keep the network "self-healing" would also be a good idea.. or keeping duplicate blocks in different parts of the "storage slice" for redundancy, etc. Storage is cheap.
In the end, this means that nobody can be accused of having "the full file", nor can anyone figure out what is in those encrypted blocks. Even if they had 1 block, there is no way to get all of them, or to accuse someone of distributing the material, since it would be moved around at irregular intervals.
What do you think?
Fast-forward 3 months...
I let it lie for awhile (honestly, I was busy with other things, like trying to bring in paid work), until I read a story on Slashdot about the iptables/ipfilter team getting an injunction in Germany.
I decided to revisit our old friends, to see what they've been up to. I caught up with a friend on ICQ who lives in France, and he tells me that he knows a guy in Germany who wrote $APPLICATION entirely from scratch, and that it competed with his own product. Curiously, the guy he knows, is the same one that claims he didn't take any of our code (small world, huh?).
So I mentioned my issues with the "guy", and his company, and as I'm talking on ICQ, I start digging through the code again, and I find our functions littered through their codebase again. I also find an SDK that they've "written" to allow other developers to write "modules" that plug into their proprietary product (questionably using our code).
As I look through their SDK, I have this eerie feeling of deja-vu. I've seen this code before. I start grepping my source tree, and sure enough, the functions in their SDK are byte-for-byte identical to our own, including the comments. Of course, this portion of their code claims to be covered by the LGPL, but the copyright header has the author marked as this "guy", not the original authors who actually wrote the functions he's ripped off from us.
Needless to say, I reopened the issue with the FSF, and gave them the additional information they needed to have to make sure this incident does not get dropped this time.
Not only did this developer ("guy") in Germany lie to us about the nature of his code, he lied to my friend in France by telling him he wrote it all from scratch, and he is openly and knowingly ripping off the hard work of others, by removing their copyright notice from their code (OUR code), replacing it with his own name and company name, and shipping it in an SDK that they claim as their own. I wonder how many other companies and developers have downloaded this SDK, and are unknowingly also in violation of copyright?
Now I'm pissed. This is the third violation of our code, OUR code, by commercial companies in the last 6 months, without even a single "Thank you for all you've done" from any of them.
This is precisely why my milter contains the following little filter, which strips anything inside Javascript and style blocks, including the tags themselves:
If you want to go one step further, you can strip out all HTML, and convert it to plain, human-readable text, using the following:
Problem solved.
At least 80% of our incoming spam, brute-force attacks, and other SMTP violations are coming from behind legitimate hosts like AOL, Verizon, Blueyonder, RoadRunner, and so on. Not forged IPs that pretend to be those hosts, but actual IPs that return to those MXs.
Look at today's list of brute-force attacks so far.. (as of Mon Apr 12 17:55:53 EDT 2004)
Every single one of these lists gets collected and reported, per day, per provider, and to date, not a single one of them has done anything to stop the abuse. In fact, it keeps increasing every day. The more we block, the faster they come at us.
If you haven't already downloaded and burned/mounted this, this IS KNOPPIX with some slightly different branding. It still boots up and says KNOPPIX all over it.
Move along now, the Linuxcare BBC did more than this, and was much more integrated and tested.
That is what whitelists are for. Learn to use them.
I'm not saying that you should use this exclusively, but it should be part of your antispam arsenal. I have never lost an email that I expected to receive.
With 7 RBLs being used on our networks, we are blocking 95% of the incoming spam with just that alone.
If anything gets beyond that, SpamAssassin catches and files 99% of those.
Anything else that gets through that, and is formatted with HTML content, and not in the whitelists, gets the HTML stripped. If that is unintended, then we can whitelist the sender, and it doesn't happen again.
Anything that gets filed into the SPAM folder, and is honestly spam, gets reported to abuse@domain.tld. Any site that rejects that email, gets their domain blocked on port 25.
So far, out of 5k emails a day, we haven't lost a single email in years, and 1 or 2 "legit" spam emails sneak their way through to user mailboxes. We deal with those on a case-by-case basis.
Safe for you, safe for your users, and brings email back the way it ought to be, 7-bit ASCII text.
I'll continue to take my webpages on port 80, and my mail on port 25, thank you very much.
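The two milter filters described earlier on this page (strip script and style blocks with their tags; reduce HTML to plain text) and the layered order just described (whitelist, RBLs, SpamAssassin, HTML stripping for whatever is left), as one added example. This is not the poster's milter and the page does not show its code; the RBL answers, whitelist, sample message and sender names are constructed here, and treating a whitelisted sender as bypassing every stage is an assumption. The SpamAssassin threshold of 5.0 is that tool's default required_score.

```python
"""
Added example, not the poster's milter: the two HTML filters the milter post
describes and the stage order from the antispam post. RBL_LISTED, WHITELIST,
SAMPLE_HTML and the addresses are constructed for the example.
"""
import html
from html.parser import HTMLParser

RBL_LISTED = {"203.0.113.7", "198.51.100.23"}   # stand-in for DNSBL answers (TEST-NET addresses)
WHITELIST = {"friend@example.org"}               # senders whose mail is never touched (assumption)
SPAM_THRESHOLD = 5.0                             # SpamAssassin's default required_score


class _Filter(HTMLParser):
    """Drops <script>/<style> elements and their content; optionally drops all other tags."""

    def __init__(self, keep_tags: bool):
        super().__init__(convert_charrefs=False)  # re-emit entities untouched
        self.keep_tags, self.depth, self.out = keep_tags, 0, []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.depth += 1
        elif self.depth == 0:
            if self.keep_tags:
                self.out.append(self.get_starttag_text())
            elif tag in ("br", "p", "div", "li", "tr"):
                self.out.append("\n")  # keep line structure in the text version

    def handle_startendtag(self, tag, attrs):
        if tag not in ("script", "style"):
            self.handle_starttag(tag, attrs)  # <br/> and friends

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.depth = max(0, self.depth - 1)
        elif self.depth == 0 and self.keep_tags:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.depth == 0:
            self.out.append(data)

    def handle_entityref(self, name):
        if self.depth == 0:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if self.depth == 0:
            self.out.append(f"&#{name};")
    # comments and <!DOCTYPE> fall through to the defaults and are dropped


def strip_script_and_style(src: str) -> str:
    """Filter one: remove <script>/<style> blocks, tags included, keep the rest of the HTML."""
    f = _Filter(keep_tags=True)
    f.feed(src)
    f.close()
    return "".join(f.out)


def html_to_text(src: str) -> str:
    """Filter two: remove all HTML and return plain, human-readable text."""
    f = _Filter(keep_tags=False)
    f.feed(src)
    f.close()
    text = html.unescape("".join(f.out))
    return "\n".join(line.strip() for line in text.splitlines() if line.strip())


def classify(sender: str, client_ip: str, spam_score: float, body: str, is_html: bool):
    """Apply the stages in the order the post lists them; returns (action, body to deliver)."""
    if sender in WHITELIST:                 # assumption: a whitelisted sender bypasses every stage
        return "deliver", body
    if client_ip in RBL_LISTED:             # rejected at SMTP time, before content is seen
        return "reject-rbl", ""
    if spam_score >= SPAM_THRESHOLD:        # SpamAssassin verdict: file it in the SPAM folder
        return "file-spam", body
    if is_html:                             # survived everything else: deliver as plain text
        return "deliver-stripped", html_to_text(body)
    return "deliver", body


SAMPLE_HTML = (  # constructed message body
    "<html><head><style>body{color:red}</style>"
    "<script>document.location='http://example.test/'</script></head>"
    "<body><p>Hello &amp; welcome<br/>Click <a href='http://example.test'>here</a></p></body></html>"
)

if __name__ == "__main__":
    print(strip_script_and_style(SAMPLE_HTML))
    print(html_to_text(SAMPLE_HTML))
    print(classify("someone@example.net", "192.0.2.5", 1.1, SAMPLE_HTML, True))
```

The parser-based approach matters more than it looks: a regex that deletes `<script>...</script>` is easy to slip past with a stray `<` inside the block or an unbalanced tag, whereas html.parser already tracks script and style as raw-text elements, so everything up to the real closing tag is dropped.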
Actually, Viagra (sildenafil citrate) was originally an arrhythmia treatment (i.e. heart medicine, to help people with strokes and frequent heart attacks). ALL of the money that went into the research of (what is now called) Viagra was there to support a drug for cardiac patients.
Only when some of the clinical trials had less-than-optimal results as a cardiac treatment, and an additional "side effect" of erectile sustainment, was it recast as an erectile dysfunction treatment. They weren't going to pour the millions they spent on researching the cardiac drug down the drain, so they recast it as Viagra, and that is what you know today.
I know this, because I used to work with the group responsible for doing the purity/potency testing of this specific compound within $PHARMA.
Also, contrary to popular belief, Viagra does not produce erections. It increases blood flow (hence the original cardiac target). The increased bloodflow helps you sustain an existing erection longer than you normally could. It does not give you an erection.
The lack of detail, is intentional.
The cost savings are enormous. Think about the current Microsoft Office paradigm; $450/desktop at retail rates (slightly lower for volume purchases). Now, compare that to OpenOffice.org on the same Windows desktop at a cost of $0.00/desktop. Multiply that out over say... 3,000 desktops, for a medium-sized installation. Let's say that you have a volume price of $200/copy of Microsoft Office in this case. You just saved yourself $600,000 in just licensing costs, and just for one application. Multiply that out across many more Free Software applications that run on Windows natively. Do you think you could use a spare $600k to improve your business, or hire some more staff, or upgrade the existing computers, or buy new applications for your core business process? I bet you could.
That's just for a small-to-medium sized business. Take a Pfizer Pharmaceutical for example... 70,000 desktops, most of them running Microsoft Office. If they get a nice cheap volume price of $100/copy of Microsoft Office vs. the $0.00/copy of Oo.org, they just saved $7,000,000 (yes, million) dollars by moving to Free Software on their existing Microsoft Windows desktops. $7 million dollars saved, in just licensing costs! Yes, there are some advanced things that Oo.org doesn't do yet, but it will fit the needs of 90% or more of "office users".
But wait, that's not all (insert catchy As-Seen-On-TV jingle). If you ever decide to switch your users to a Linux desktop, they can continue to use the same exact applications that they were used to on the Microsoft Windows desktop; i.e. OpenOffice.org in this example. There is zero training curve, downtime, or lack of productivity.
Also, Oo.org provides MUCH more functionality, in terms of file formats, usability, interoperability, than the current Microsoft Office suite, and Oo.org is improving every single day in leaps and bounds. Is Microsoft Office improving this fast? Unlikely.
The switch is a no-brainer, and you don't even have to run Linux to reap the benefits.
(Note: I don't work for or endorse OpenOffice.org in any way, I just believe in Free Software very strongly, both as an author of Free Software, and an evangelist in the community)
That's exactly what I'm trying to avoid by staying away from converged devices.
I'd rather have my cellphone (ANY cellphone, or multiple cellphones) on my hip, wireless bluetooth headset, and my PDA, linked to the phone(s) over Bluetooth, so I can initiate calls from the PDA (I do this now, with my Tungsten T2 and my Nokia 3600), talk on the headset, and continue typing into the PDA from a bluetooth keyboard, wirelessly.
Converge any of those, and I am severely reduced in functionality, and you cripple all of the devices, and you end up restricting it to one device, which is going to be sub-par in ALL areas that it tries to converge.
Speakerphone is not an option, especially for confidential things like voice mail, company-specific conversations (think, on a train or in a public area), nor is having to juggle between phone functionality and PDA functionality, specifically for my time/project tracking, logging, browsing, and so on.
Don't fall into this trap. This is exactly what these vendors want you to do.
Remember when CDs used to last 50-100 years? Do you know why they don't last that long now? Because vendors decided to reduce their production costs by not adding the additional layer of plastic on the CD, preventing oxidation. Now CDs last 5-10 years, and cost 1/2 as much. Hence, you just go out and buy a new CD, rip your old one to the new one, and throw away the old one. You're caught in the "leasing" model of technology, which is exactly where the vendors want you to be. If they made products that lasted, they'd put themselves out of business. It happens with CDs, DVDs, players, cars, and lots of other technology.
What about all of the other technology which is engineered to "degrade" in a very specific timeframe? You simply go out and repurchase a replacement, and move on. People don't seem to have a problem with this. But I do. Technology shouldn't "expire". It is happening all over the place.
Just because it is cheaper, doesn't mean you should have to go out and buy a new one every 2 years. After 10 replacements at 49.95, you've purchased the equivalent of that $499.95 device that should have lasted just that long in the first place.
Now show me how you can use the PDA, say to type some notes into a document or memo, while you're actively talking on the phone, or checking your voice mail at the same time.
Not only do you get coupled to one device, vendor, or service (think Treo600 + Sprint cell service), but you can't decouple parts of the hardware to improve it as technology advances.
Device convergence is a bad, bad bad idea. The technology (Bluetooth for example) was originally proposed to "connect devices together". It does nothing of the sort, when your devices are converged.
I'd love to see a PDA, with a Bluetooth attachment, talking to a cellphone (bluetooth enabled, either internally or via attachment), talking to a bluetooth-enabled laptop/desktop, and so on. If you decide to upgrade your phone, the rest of the devices still keep working perfectly. It is the Unix philosophy. Replace one small part, and the process keeps working. You don't have to rip everything out and replace it all, because one small part merits an upgrade.
What do you do when you want to upgrade a portion of this watch's capabilities? Throw it out and get a new one? Unacceptable.
This goes for PDAs with phones, or phones with PDAs built into them. Either you get:
Building a PDA into a wristwatch, while at first seems "cool", in the real world of practical devices and people who use this technology, is an incredibly bad idea.. especially at this size.
...and I hope most of the technology in it is built around some sort of updatable firmware, so you can update the OS, apps, and other software bits to help it remain compatible with other technology.
I want my existing, bought-this-year devices to work with current technology. I don't want to have to throw them all away and replace every part, just to get a new connectivity option.
Hrmph!
Brian Silverman lived in New York. He ran out of the country to try to evade prosecution.
Full details on the event are in my advogato diary.
Basically the scam was that this seller puts a laptop model for sale on eBay, dozens of times. Dozens of people bid on the item and he picks the 'n' number of highest bidders to "win" the auction. At no time does he own these laptop models he is selling. He requires that all payment be sent to him within 5 days of the auction close.
After 4-6 weeks of delays, people start sending emails, getting pissed, and mad. "Brian Silverman" emails them back, with excuses about delays at the "warehouse" and other excuses.
Meanwhile, 2-2.5 months later, he purchases the laptop model, at quite a discounted price from the vendor (not being the "newest" model on the market anymore).
So he keeps hundreds of thousands of dollars in auction buyers' money in his account, accruing interest, and then he purchases the laptops, at roughly 30-40% less than his original auction price.
But wait, it gets better... Brian decided that the whole "send the item to the buyer" part of the scam was eating into his profits too much, so he decided to just not send any laptops to anyone.
I was the last person he ever sent a laptop to. I actually tracked him down, and called him at home one night to demand my laptop, or the FBI would be at his door in 30 minutes. He claimed he would send it out that night, and double the RAM "for my troubles". A week later, I did indeed receive the laptop.
But I posted all of the details in my Advogato diary entries. Hundreds of other people who were being scammed by Brian Silverman googled for his "electro_depot" name, and my diary entry was the only one to come up. They would email me directly asking for more details.
I then received a call from the NY Cyber Crime division, asking me if I had any details on the "scam" with Brian Silverman, and if anyone else had contacted me, because they had a "few calls".
I said I had 141 separate people who had emailed me to complain. 141 people!!!
The end result, was that Mr. Silverman was tracked down out of the country, and the FTC caught and nailed him. I even received a nice little letter from the FTC praising me for my efforts in catching him.
My diary entry was THE reason people were brought together, and the FTC and NYPD took notice in the matter.
Vigilante justice does definitely work, but you have to be very careful about how you go about it. After people found my diary entry, they created all of those other websites to track and report on Mr. Silverman's scams.
(And that T23 that I "won" is currently at IBM repair, for the 6th time in 2 years, so it wasn't exactly a "win" in my case).
What are the RBLs you use? I'd love to add more RBLs here to reduce the number of firewall-based blocks I need to implement.
This is from the last 6 days of mail logs here, and filtered for only one domain we host. Multiply that by about 20 for the domains we host, and then multiply that by the number of hacked providers (comcast.net, cox.com, verizon.net, etc.) and you begin to see an enormous amount of abuse and bandwidth being consumed by these hosts.
Report it to Carl Hutzler (cdhutzler at aol dot com) and let him know your concerns. He is the director of AOL's anti-spam measures.
I even emailed Carl Hutzler, Director of Anti-spam at AOL, and he hasn't returned my emails or my calls. The same goes for the hundreds of thousands of spams we get from *.verizon.net, comcast.net, voyager.net, compaq.com, and others. Clearly people inside the business infrastructure have infected systems propagating spam on the weekends, using the corporate bandwidth to do it.
At this point, this is what I do:
So far, the more I block, the faster the spam comes in, and the more I block, ad nauseum.
Here is today's counts. At 5:30am, this was 164 hosts, and now it is 109 more than that.
Spam is definitely getting worse, as more and more machines are hijacked for the purposes of propagating it, with these trojans.
The more I block, the more incoming spam we get.
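The posts above describe collecting the day's brute-force attempts from the mail logs, rolling them up per provider, reporting them to each provider's abuse desk, and feeding the worst offenders to the firewall. The page does not show the script that does this, so here is an added example of that aggregation, not the poster's own code. The log lines are constructed in Postfix's SASL-failure format (the posts do not say which MTA is in use), and the provider table stands in for the reverse-DNS/WHOIS lookup that would normally map an address to its owner.

```python
"""
Added example, not the poster's script: count SMTP authentication failures
per source host and roll them up per provider for abuse reporting and
firewall blocking. SAMPLE_LOG and PROVIDERS are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed log lines in Postfix's "SASL ... authentication failed" format (TEST-NET addresses).
SAMPLE_LOG = """\
Apr 12 17:40:01 mx postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Apr 12 17:40:03 mx postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Apr 12 17:41:10 mx postfix/smtpd[2213]: warning: pool-198-51-100-23.dsl.example.net[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Apr 12 17:42:00 mx postfix/smtpd[2214]: connect from mail.example.org[192.0.2.10]
Apr 12 17:43:15 mx postfix/smtpd[2215]: warning: unknown[203.0.113.8]: SASL LOGIN authentication failed: authentication failure
Apr 12 17:44:02 mx postfix/smtpd[2216]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
"""

FAIL_RE = re.compile(
    r"warning: (?P<host>[^\s\[]+)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: SASL \w+ authentication failed"
)

# Constructed stand-in for reverse DNS / WHOIS: netblock -> (provider, abuse mailbox).
PROVIDERS = [
    (ipaddress.ip_network("203.0.113.0/24"), "ExampleCable", "abuse@examplecable.test"),
    (ipaddress.ip_network("198.51.100.0/24"), "ExampleDSL", "abuse@exampledsl.test"),
]


def count_failures(log_text: str) -> Counter:
    """Map source IP -> number of failed SASL authentications; other lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def provider_for(ip: str):
    """Longest-match is unnecessary here because the constructed netblocks do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, name, abuse in PROVIDERS:
        if addr in net:
            return name, abuse
    return "unknown", None


def per_provider(counts: Counter) -> dict:
    """Roll up per provider: {name: {"abuse": ..., "hosts": {ip: n}, "total": n}}."""
    report = defaultdict(lambda: {"abuse": None, "hosts": {}, "total": 0})
    for ip, n in counts.items():
        name, abuse = provider_for(ip)
        entry = report[name]
        entry["abuse"] = abuse
        entry["hosts"][ip] = n
        entry["total"] += n
    return dict(report)


def hosts_to_block(counts: Counter, threshold: int = 2) -> list:
    """IPs at or above the threshold, worst first; these are what go to the firewall."""
    return sorted((ip for ip, n in counts.items() if n >= threshold), key=lambda ip: -counts[ip])


def format_report(report: dict) -> str:
    """One section per provider, worst first, in the shape you would mail to its abuse desk."""
    lines = []
    for name, entry in sorted(report.items(), key=lambda kv: -kv[1]["total"]):
        lines.append(f"{name} ({entry['abuse'] or 'no abuse contact'}): {entry['total']} failures")
        for ip, n in sorted(entry["hosts"].items(), key=lambda kv: -kv[1]):
            lines.append(f"  {ip}  {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    c = count_failures(SAMPLE_LOG)
    print(format_report(per_provider(c)))
    print("block:", hosts_to_block(c))
```

Keying the roll-up on the netblock rather than on the hostname is deliberate: the posts note the attacking addresses really do resolve back to the big providers, so the owner of the address, not the (often "unknown") PTR record, is who the report has to go to.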
Heh, you said 'pr0n' and 'trojans' in the same sentence. -Beavis
(..for those who grok the condom reference)
No, YOU are terminated if your onsite visitor or friend is found using a cameraphone (or camera or other recording device, audio or video) onsite.
It is pretty harsh, and these cellphone vendors are making it harder and harder to get a useful phone, without having all kinds of battery-draining cruft on it (camera, big color screen, etc.)