I still don't understand why people fall for these scams. As far as I'm concerned, it's a litmus test for stupidity. Anyone foolish enough to ship $30k worth of equipment to a person they don't know in a foreign country without checking the integrity of the transaction deserves to lose their money and learn from the experience.
One of the sites on my server is a classified ad site, and we've had several reports of people getting fleeced with the Nigerian forged-cashiers check overpayment scam. Again, why someone selling something would accept overpayment and then wire the difference back to the party or their agent is beyond stupidity. Ironically the best thing that could happen to these people is for them to get ripped off so some of that naivety will be summarily stripped from their barnacle-encrusted brains.
I'm not saying the scammers should be allowed to operate, but any action taken by "authorities" should be considered more of a favor for stupid people, than a responsibility. No amount of enforcement or technology will ultimately keep a fool and his money from being separated.
From C to PHP & Admin Responsibilities (on "PHP and SQL Security", Score: 3, Informative)
Being a low-level programmer, and specifically working on advanced CGI, awhile back I bowed to pressure to offer some of my web clients scripting abilities on their servers. I went with PHP/MySQL and started the process of learning about the language and its caveats.
The first thing that completely freaked me out was the register_globals setting in PHP. I invited a PHP programming friend to come hang out and give me a little intro-tutorial into how he developed so that I could understand where these guys were coming from when developing apps. He proceeded to show me this "neat feature" called register_globals that makes it super easy to access passed parameters from the outside world. Of course it also makes it super easy for anyone on the planet to overload internal variables that could be used just about anywhere in the scripts. I've never seen such a dangerous "feature" [in a non-Microsoft product].
And this all ties into the number one rule of programming. When you're coming from C/C++, 80% of your job involves data/input validation, so it's second nature to cover your ass. I found myself very confused at first over the dozens of different functions available to escape, unescape, tokenize and otherwise mangle input from/to various forms. No wonder developers are confused.
But above all, there are basic tenets that the server admin should enforce that have the most impact on security. First off, NOBODY should be enabling register_globals - it's just a crutch for crappy programmers IMO. Second, safe_mode is a must. If you have an app that needs safe_mode to be disabled, then you are better off isolating that app to its own private server. Third, every application should have its own private database work area. I am amazed at developers who run multiple applications in a single database space. Fourth, the configuration of the web server needs to be such that PHP code is properly protected, with .htaccess restrictions in code lib directories and careful consideration over other virtualhosts that might have php disabled in a higher-level directory.
Safe_mode is a good tool. It also creates annoyances for the customers, especially those who are writing apps that create files in their work area... this requires the admin's intervention to set up the proper permissions (and gives them a chance to give the client code a once-over for glaring errors).
One thing I haven't quite figured out, and maybe I just need the proper Apache mod, but when a PHP app creates a file, it's owned by the web process and not the script user process, so in safe_mode, to get things working you either have to change permissions or give liberal directory permissions in order for things to work with user-uploaded code.
Ultimately, the server admin should bite the bullet and refuse to give users access to certain dangerous "features" such as register_globals or non-safe_mode. It's just too easy to open a Pandora's box.
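The register_globals hazard the comment describes, as an added example that is not code from the original post. The first function simulates what register_globals did (every request parameter arrived as a ready-made variable) by calling extract() on a request array, so a request that happens to carry an `authorized` parameter satisfies a check whose code only ever sets that variable on success. The second function initialises the variable before use and never treats request input as a bare name, so the same request is refused. The request arrays and the is_admin_session() helper are constructed for the demo and are not part of the original page.

```php
<?php
// Added example, not code from the original post. It reproduces the
// register_globals problem by simulating the setting (request parameters
// become local variables via extract()) and shows the same access check
// written without depending on it. The request arrays and the
// is_admin_session() helper below are constructed for this demo.

declare(strict_types=1);

// Stand-in for a real session/authentication lookup (assumption).
function is_admin_session(array $session): bool
{
    return isset($session['user']) && $session['user'] === 'admin';
}

// "Before": written the way register_globals tempted people to write it.
// $authorized is only ever assigned on success, so the author assumes it is
// otherwise empty. With register_globals on, a query string such as
// ?authorized=1 pre-populates it before this code runs.
function checkAccessRegisterGlobals(array $request, array $session): bool
{
    // Simulate register_globals: every request parameter becomes a variable.
    extract($request, EXTR_OVERWRITE);
    if (is_admin_session($session)) {
        $authorized = true;
    }
    return !empty($authorized);
}

// "After": initialise every decision variable explicitly and never consult
// request input as a bare variable name. $request['authorized'] is ignored,
// so the caller cannot inject the outcome of the check.
function checkAccessHardened(array $request, array $session): bool
{
    $authorized = false;               // explicit initial state
    if (is_admin_session($session)) {
        $authorized = true;
    }
    return $authorized;
}

$anonymous = [];                       // no logged-in user (constructed)
$tampered  = ['authorized' => '1'];    // request carrying an extra parameter (constructed)

// The simulated register_globals check accepts the tampered request;
// the hardened check refuses it and still admits a genuine admin session.
var_dump(checkAccessRegisterGlobals($tampered, $anonymous));
var_dump(checkAccessHardened($tampered, $anonymous));
var_dump(checkAccessHardened([], ['user' => 'admin']));
```

The same fix applies to every variable a script reads before writing: initialise it, and take request data only from the explicit request arrays, which is also what makes the code behave identically whether or not register_globals is on.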
Interesting topic, but I don't think the problem lies with PHP or MySQL. You can create insecure apps in any development environment. Yes, some are more problem-prone than others, but I'd rank Perl much higher than PHP/MySQL in terms of being conducive to allowing vulnerabilities.
I attribute much of this problem to something I call "fuzzy developing". It's the latest trend. The crux of this problem involves Web designers, who know very little about programming who are deploying more and more complicated applications in a cut-and-paste manner. These fuzzy developers have no concept of proper programming skills. Many of them can't program at all, but they can snarf someone else's "free" code online, change a few config parameters, whine to an admin for access, and compromise entire servers.
This new breed of developer relies on existing code, following the fallacy that if it's on the net, it must work. They use sites like experts-exchange to get other people to code for them when they get in a snag, and don't contemplate the priorities involved when you put something on a public system.
If you really don't care about classifying thousands of sites as spammers when they are not, you should add your server to the list; otherwise your opinion is just a pose.
You don't understand. This is about DUL IP space, which shouldn't be running SMTP servers. It's much easier to blacklist 65,000 addresses and let the 3-4 people contact you and prove their legitimacy than it is to do it the other way around.
The latest problem I've been having with local lists is that there has been a small but significant migration of certain ISPs, particularly HOTMAIL/MSN, YAHOO, COMCAST, RoadRunner and SBC, who are putting up legitimate mail servers in what has previously been dial-up space.
I haven't heard of this happening, but if they're foolish enough to do that, they'll have to deal with the wrath of their customers.
When I get reports of legitimate mail blocked, I will often remove the rule, but I emphasize that the problem is with the ISP the person is using and urge them to complain. In the case of hotmail or comcast, they can jump off a cliff. I am not going to cater to those spam havens.
What I do as a work around is direct those who were rejected to a web page with a form mailing script. And I urge all my web hosting clients to use (secure) web-based e-mail forms as a primary if not at least optional method of contact in cases such as this.
From my experience as an ISP sysadmin, I think blacklisting is a stupid way to fight spam. It's like raiding all the houses in a town because you don't know which house the criminal lives in.
I'm sorry you're caught in the RBL, but I'm not that sorry. What you fail to leave out is the fact that the blocks were blacklisted only after an untold number of complaints were summarily ignored. TDE brought it upon themselves and this is the only way to get them to act responsibly.
As an ISP, you also have a responsibility, just like as a person, to be aware that who you choose to associate yourself with may have consequences. If there's a guy in your neighborhood that's a criminal and you know it, and you don't do anything about it, you won't get much sympathy when your house is raided.
It's a bad situation for people like you. Sorry about that. But you're in the wrong [IP] block. You might want to move to a different neighborhood or clean up your own.
A better analogy would be: I live in a nice neighborhood that is clean, but the nearby town trucks all their garbage over to my town. I'm sure there are some fine people in that neighboring town that have nothing to do with it, but repeated complaints have gone on deaf ears. So now we're going to build a big wall around that town so they can stop dumping their trash elsewhere.
The Internet is a revolutionary communications medium. It is, as we speak, reshaping the way the entire human world interacts. It is unethical and immoral to deny anyone, anywhere, the opportunity to access the Internet.
So is it immoral to be denied the opportunity to watch television if you don't have a TV? Is it unethical to deny someone the right to use a telephone if they don't have the change for the pay phone?
You're obviously living in IdealWorld(tm). And it's a nice place. I've talked about it many times myself. The problem is I can't find it anywhere. Please tell me where it is if you'd be so kind.
We do not ban people from public spaces simply because they are rude.
Be rude to a police officer in most areas of the world and see how welcome you are to stay in that public space. See how many rights you have and how much the authorities care about your idealistic sense of morality and access.
We do not limit the freedom of people to express themselves as they wish. Be that messages of peace or Nazi hate propaganda.
Maybe not in IdealWorld(tm). But in America, you have to have permits in many cases to assemble and exercise your right to express yourself. You may be protected by the First Amendment in many cases, but that won't protect you from a plethora of other substantive disciplinary actions that would undoubtedly be exercised against your freedom should you employ questionable judgement in your use of those "rights."
Spam wastes bandwidth, yes. But to cut it off at the mouthpiece, to censor entire nations (be that censorship lawfully ordained or not), goes against all the principles of free speech and individual freedom we uphold in the USA and which also exist in many other countries.
That seems analogous to respecting the right of a person with an infectious disease to mingle with non-infected people where he chooses because the alternative of sanctioning his behavior by limiting exposure is otherwise immoral. Again, another interesting difference between here and IdealWorld(tm).
Wanadoo.fr is the worst, followed by TDE, Comcast, SWBell and PacBell. I don't even list the Korean and Chinese IP blocks because it was too easy to wholesale block them at every level.
Another problem we're running into are probes apparently trying to hammer the ftp server into giving them access:
Apr 26 08:15:01 inetd[1513]: ftp from 213.254.69.237 exceeded counts/min (limit 2/min)
Apr 26 08:15:28 last message repeated 190 times
You gotta love 190+ connection attempts in 27 seconds. And lookie where it's coming from! We have no customers in Spain needing to ftp into this server.
As a result, we've implemented a wider policy of refusing connections from most of the foreign IP space. Then we allow connections on a request basis. Here's the hosts.allow:
ALL:61.0.0.0/255.0.0.0:deny
ALL:80.0.0.0/255.0.0.0:deny
ALL:81.0.0.0/255.0.0.0:deny
ALL:82.0.0.0/255.0.0.0:deny
ALL:83.0.0.0/255.0.0.0:deny
ALL:142.0.0.0/255.0.0.0:deny
ALL:164.0.0.0/255.0.0.0:deny
ALL:193.0.0.0/255.0.0.0:deny
ALL:194.0.0.0/255.0.0.0:deny
ALL:195.0.0.0/255.0.0.0:deny
ALL:196.0.0.0/255.0.0.0:deny
ALL:200.0.0.0/255.0.0.0:deny
ALL:201.0.0.0/255.0.0.0:deny
ALL:202.0.0.0/255.0.0.0:deny
ALL:210.0.0.0/255.0.0.0:deny
ALL:211.0.0.0/255.0.0.0:deny
ALL:213.0.0.0/255.0.0.0:deny
ALL:217.0.0.0/255.0.0.0:deny
ALL:218.0.0.0/255.0.0.0:deny
ALL:219.0.0.0/255.0.0.0:deny
ALL:220.0.0.0/255.0.0.0:deny
ALL:221.0.0.0/255.0.0.0:deny
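The two steps the comment does by eye, as an added example that is not code from the original post: tallying inetd's rate-limit messages per source address from syslog, where the "last message repeated N times" line carries the real count, and checking each source against address/netmask deny entries of the kind shown in the hosts.allow above using the same (address AND mask) == network comparison that tcp_wrappers applies. The log lines and the short rule list are constructed for the demo; the 213.254.69.237 line mirrors the one quoted in the comment, and 10.20.30.40 is a made-up second source.

```php
<?php
// Added example, not code from the original post. Reads inetd rate-limit
// events out of syslog text (folding "last message repeated N times" into
// the preceding source's count) and reports which sources are already
// covered by address/netmask deny rules. Log lines and rules below are
// constructed for the demo.

declare(strict_types=1);

// Turn syslog text into [ip => number of rate-limit events], most active first.
function tallyInetdLimits(string $log): array
{
    $counts = [];
    $lastIp = null;
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (preg_match('/inetd\[\d+\]: \S+ from (\d{1,3}(?:\.\d{1,3}){3}) exceeded counts\/min/', $line, $m)) {
            $lastIp = $m[1];
            $counts[$lastIp] = ($counts[$lastIp] ?? 0) + 1;
        } elseif ($lastIp !== null && preg_match('/last message repeated (\d+) times/', $line, $m)) {
            // syslog collapsed repeats of the previous message; add them back.
            $counts[$lastIp] += (int) $m[1];
        }
    }
    arsort($counts);
    return $counts;
}

// Parse "ALL:61.0.0.0/255.0.0.0:deny" entries into [network, mask] integer pairs.
function parseDenyRules(string $rules): array
{
    $out = [];
    foreach (preg_split('/\s+/', trim($rules)) as $entry) {
        if (preg_match('#^ALL:(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+):deny$#', $entry, $m)) {
            $out[] = [ip2long($m[1]), ip2long($m[2])];
        }
    }
    return $out;
}

// Does any rule cover this address? tcp_wrappers matches net/mask entries
// by testing (address & mask) == network.
function isDenied(string $ip, array $rules): bool
{
    $addr = ip2long($ip);
    foreach ($rules as [$net, $mask]) {
        if (($addr & $mask) === ($net & $mask)) {
            return true;
        }
    }
    return false;
}

// Constructed sample log: the first two lines mirror the comment's quote.
$log = <<<'LOG'
Apr 26 08:15:01 inetd[1513]: ftp from 213.254.69.237 exceeded counts/min (limit 2/min)
Apr 26 08:15:28 last message repeated 190 times
Apr 26 08:20:10 inetd[1513]: ftp from 10.20.30.40 exceeded counts/min (limit 2/min)
LOG;

// Constructed subset of the deny rules; the real file lists many more /8s.
$rules = parseDenyRules("ALL:61.0.0.0/255.0.0.0:deny ALL:213.0.0.0/255.0.0.0:deny");

foreach (tallyInetdLimits($log) as $ip => $n) {
    printf("%-16s %4d events  %s\n", $ip, $n,
        isDenied($ip, $rules) ? 'covered by hosts.allow' : 'NOT covered');
}
```

Running this shows the 213.254.69.237 source with its repeats summed and already covered by the 213.0.0.0/8 entry, while the made-up 10.20.30.40 source is flagged as uncovered. Note that the real daemon evaluates hosts.allow before hosts.deny and stops at the first matching line, so the order of entries in the file matters in a way this standalone check does not model.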
configure your mail servers to drop mails from ip addresses that do not have associated valid MX records.
Bellsouth started implementing this technique about a week ago. It wreaked havoc with local server-generated e-mails from us which were stamped with 127.0.0.1 as the source system, so I had to reconfigure some things on my end to work around it. At first I was pretty annoyed because their system should have looked at the gateway address instead, but now I can see why it's effective.
However, I believe it's more productive to maintain a large RBL of IP space that is designated "no SMTP source" - it's faster and less resource-intensive. Bellsouth's entire mail system has slowed down even more due to them checking the MX record of every inbound communique.
I do like the idea however, that you shouldn't be allowed to run SMTP services unless you also control the reverse and forward DNS for the block you're operating under, but I suspect a lot of Slashdotters don't have that level of access and would protest.
See my journal for a portion of my sendmail blocklist.
We too have been compiling a pretty substantive internal RBL and it works very well. It stops as much mail as Spamcop's RBL.
I think non-essential nets should start creating wider nets, blocking all of 218.*, 24.* 61.* 219.* and others. Eventually the ISPs will stop the spam when their legit customers can't send mail. It's a crappy approach if you're caught in the blocked IP space, but it's the only method that has proven effective thus far.
This is what happens when you don't control your users.
I've been blocking most of this out-of-control ISP's address space for more than a year and I and my clients are the better for it.
The funny thing is that many of these broadband ISPs, especially the ones that spam, have their legitimate SMTP relays on completely different IP blocks so large-scale blocking generally tends to stop their DUL l^Husers from running their own SMTP relay. Too bad. My heart bleeds for these people.
Block them all. Watch how fast they start controlling their spamming. It's the ONLY WAY!
IPO signals more World Poker Tour participants (on "How does Google do it?", Score: 2, Interesting)
I can understand how in some cases an IPO can help generate revenue necessary to operate and break into new markets, but does this apply to Google? I really don't think so. They have market share; they have resources. Any infusion of funds to the company is more likely to give them the ability to further diversify and enter different markets, which history has shown is more often than not, a bad business idea.
So one has to assume the IPO is the first phase of the principals "cashing out". The press will probably signal this as a sign of the next dot com boom, and a bunch of nerds within the company will suddenly become millionaires, and subsequently quit their job and open up a Bed & Breakfast in some obscure town or join the World Poker Tour. There goes the talent.
I'm wondering why all the hoopla about this, especially after steps were taken to deal with it before publicizing it... unless at the same time, systems were put in place to ID attempts to exploit the vulnerability.
That would make a lot more sense. Protect against the exploit, publicize it, then watch what happens to determine which groups are most adept at quickly exploiting published vulnerabilities and raid their location. Neat idea for a large-scale honeypot.
Although, most of us know that the majority of exploits are now being deployed by spammers. They don't have any incentive to take major backbones down so this effort might just reveal a few more script kiddies that aren't really the problem.
just for reference: if I weren't planning to stay home in protest of the weak presidential slate
If you don't vote, then you have no right to talk about politics! With all due respect, that type of attitude totally disgusts me. The notion that any person's vote doesn't count (despite the most recent zupreme kort installation) is a bunch of propagandist drivel barfed out by those with insidious agendas. It's because of that type of mentality we're in this mess.
It doesn't matter if we're talking about politics or business, the meek aren't going to inherit anything, or if they do, it won't be in any condition to have value. Maybe you've had your idealism beaten into submission but that's no excuse to spread your disease of apathy to others.
Oh, and it wasn't the "right wingers" that got anybody canceled, it was the audience who didn't want to hear that shrill crap, made it unsellable to advertisers, and therefore killed it.
Yea, right. That explains why Maher's show is a huge hit on HBO.
I know better than to get into a pointless circular argument on this issue. I'm sorry I brought it up.
I'm really less interested in generalizing about political ideologies than I am in pointing out larger-scale sociological patterns which IMO create these closed-minded groups. I generally think all politicians have 90% of the same modus operandi regardless of their affiliation so I don't want to continue the partisan babble.
The problem is that an RBL that aims for too much collateral damage isn't going to be used enough that the damage will matter.
This is why you choose the RBLs you use carefully. Some are more responsible than others. I love RBLs but there are some that I would never use because they're run by BOFH's that have little rhyme or reason to their listing/de-listing procedures, but others are different.
First, what have YOU done to stand up for what you believe in? It's amazingly hypocritical how armchair pundits are so quick to condemn everyone else, yet only in a benign virtual forum will they even speak up. Weak.
If Moore gave away every penny he made to charity, his opponents would still find some reason to trash him.
The fact that he's rich has no bearing on his integrity, even though it's a relatively safe assumption that MOST people (with the exception of Moore) would rather sell out and cash in than stand up for what they believe in.
There's a difference between the right wingers and the left wingers. The left don't go out of their way to destroy the livelihood of their ideological opponents; they don't seek to shunt opposing opinion - merely enlist a debate. The right on the other hand, are boycott-happy, and not merely content with being "superior" but seek to sew the mouth shut and destroy anybody's ability to even publicly disagree with them.
There is a difference.
Rush Limbaugh. Drug-addicted, pill-popping hypocrite is still on the air. Bill Maher says he doesn't like the "war with Iraq" on his show, "Politically Incorrect" and *WHAM* the right wingers push a few buttons and get his show cancelled.
If Michael Moore's documentaries are such BS, why are you so afraid of people watching them?
It never ceases to amuse me how the right-wingers laud "freedom", yet brew up so much hatred, contempt and hostility towards anyone who stands up for what they believe in when it doesn't jive with their self-righteous agenda.
This guy exercised his right to stand up for what he believes in. He exercised his influence as head of LUG to get attention. His reasoning may be called into question, but I'd call him more of a patriot than an ignorant-generalization-spewing AC.
Obviously the guy is a very intelligent Linux coder. But socially he is unable to realize that the wider world doesn't even know his LUG EXISTS.
They do now.
His quitting will have no effect whatsoever on the Military's use of linux.
I'd venture to guess despite what he might have said on the record, his intent probably wasn't to dissuade the Military's use of Linux. Personally, as much as I'm against the war, I'd rather have our troops running Linux than Windows - especially if they have an occasion to actually act in their role of protecting our country.
Ultimately, this was a brilliant ploy on his part to get publicity. With the mainstream media being historically apprehensive about calling attention to the larger-than-reported numbers of those who opposed the Iraqi invasion, his effort is just another technique to counter that. I'd say Linux is just a tool he used to get the word out that there are more people who aren't happy with the middle east situation than one might gather after watching network TV. Nowadays, there are many more voices of dissent than there used to be and it's getting harder for the mainstream media to ignore, but if you want to call attention to something you think is wrong, it's always more effective to find a gimmick to deploy. That's what this guy did.
Let's be honest. If you're an articulate, intelligent opponent of any cause which isn't in mega-corporate-america or the media's best interest, your chances of getting attention are slim. If you hold up a sign in front of a political rally, it will not make the news. If you strip naked and run across the field at the world series with a message on your ass, you just might. As dumb as his "cause" seems to be, I think it's secondary to his very effective and successful attempt to call attention to something he feels is wrong, and from that perspective, it worked perfectly.
While a lot of people are flaming the guy thinking that politics and technology shouldn't intermingle, I disagree.
Nowhere is the necessity of this more obvious than when you examine the problem with spam on the Internet.
The tech community continues to explore science-related "solutions" to the spam problem when it's really become a political problem. Maybe back in the day when open relays were exploited, it was a tech problem, but now it's clearly a political issue. The authorities have de-prioritized the enforcement of numerous existing laws which spammers are breaking. Tech people are finding they have to compensate to an excessive degree for the inadequacy of responsibility on the part of large corporations, government, regulatory agencies, and the judicial/enforcement system.
Lack of political action on the part of the tech community has allowed numerous issues to become much more destructive to this industry, not the least of which is the awarding of ridiculous, vague patents and IP restrictions.
While the issue of the army using Linux is probably more of a shallow and symbolic cause, and I'd put that somewhere around #87 on my list of political-technical gripes, I'm pleased to see any tech people taking a stand on politics. We need more of this, and not just in the form of fringe web sites.
There are some good tech-centric lobbying groups out there, such as the EFF, but I'd like to see more people become proactive. Every tech person should be a member of the EFF - their commitment to those causes should be not unlike how every SCUBA diver understands the necessity of being a member of DAN (an organization that helps educate and provide medical services for divers).
4. A tight, clean system that isn't bloated with crap that is superfluous to its main objective.
5. A package that doesn't morph into a different product every six months with a new, catchy name, or divided into umpteen modules scientifically designed to require you to get every possible option in order to finish your application.
6. A software package that isn't so ridiculously complicated to install and use that companies make more money selling training and support than they do implementing applications.
I hate to say this, but being an ass gets things done. You can't "reason" with a big, money-grubbing, faceless corporate entity.
Case in point: I had an ISP today (HOSTWAY.COM - lame-ass scam-artist ISP) hold a client's domain hostage and refuse a registrar transfer. After more than a month of trying to get their slimy, grimy hands off the client's domain, we had to request an investigation with ICANN and e-mail half the corporate directory bitching about how BAD THEY SUCK before I got an e-mail from the bigwigs after which they finally released the domain they were holding hostage.
Being nice doesn't make things happen. Companies like PacBell and Comcast are banking on the fact that corporate clientele are sharing IP space with DULs and won't be block blacklisted. Well, they're about to find out that scheme won't work.
With all due respect, fuck Hostway, fuck the dumbass ISPs that shit on their customers and pollute the Internet. WE OWN THE NET. Not the companies. I'm tired of yapping about "worst case scenarios". It's time to create "worst case scenarios" for these companies that are polluting this resource. Discussion is over. Action is at hand.
If that's the case, then being blacklisted isn't a disincentive any more either. RBLs that list DSL systems are good to use in filters; they're no good at all for putting pressure on ISPs. To do that, you need to harass the ISP in some other way, but that's hard, and frankly, not worth the trouble.
Which emphasizes the effectiveness of blacklisting large blocks so the paying corporate customers suffer because their ISP SUCKS DICK.
I still don't understand why people fall for these scams. As far as I'm concerned, it's a litmus test for stupidity. Anyone foolish enough to ship $30k worth of equipment to a person they don't know in a foreign country without checking the integrity of the transaction deserves to lose their money and learn from the experience.
One of the sites on my server is a classified ad site, and we've had several reports of people getting fleeced with the Nigerian forged-cashiers check overpayment scam. Again, why someone selling something would accept overpayment and then wire the difference back to the party or their agent is beyond stupidity. Ironically the best thing that could happen to these people is for them to get ripped off so some of that naivety will be summarily stripped from their barnacle-encrusted brains.
I'm not saying the scammers should be allowed to operate, but any action taken by "authorities" should be considered more of a favor for stupid people, than a responsibility. No amount of enforcement or technology will ultimately keep a fool and his money from being separated.
Being a low-level programmer, and specifically working on advanced CGI, awhile back I bowed to pressure to offer some of my web clients scripting abilities on their servers. I went with PHP/MySQL and started the process of learning about the language and its caveats.
.htaccess restrictions in code lib directories and careful consideration over other virtualhosts that might have php disabled in a higher-level directory.
The first thing that completely freaked me out was the register_globals setting in PHP. I invited a PHP programming friend to come hang out and give me a little intro-tutorial into how he developed so that I could understand where these guys were coming from when developing apps. He proceeded to show me this "neat feature" called register_globals that makes it super easy to access passed parameters from the outside world. Of course it also makes it super easy for anyone on the planet to overload internal variables that could be used just about anywhere in the scripts. I've never seen such a dangerous "feature" [in a non-Microsoft product].
And this all ties into the number one rule of programming. When you're coming from C/C++, 80% of your job involves data/input validation, so it's second nature to cover your ass. I found myself very confused at first over the dozens of different functions available to escape, unescape, tokenize and otherwise mangle input from/to various forms. No wonder developers are confused.
But above all, there are basic tenets that the server admin should enforce that have the most impact on security. First off, NOBODY should be enabling register_globals - it's just a crutch for crappy programmers IMO. Second, safe_mode is a must. If you have an app that needs safe_mode to be disabled, then you are better off isolating that app to its own private server. Third, every application should have its own private database work area. I am amazed at developers who run multiple applications in a single database space. Fourth, the configuration of the web server needs to be such that PHP code is properly protected, with
Safe_mode is a good tool. It also creates annoyances for the customers, especially those who are writing apps that create files in their work area... this requires the admin's intervention to set up the proper permissions (and gives them a chance to give the client code a once-over for glaring errors).
One thing I haven't quite figured out, and maybe I just need the proper Apache mod, but when a PHP app creates a file, it's owned by the web process and not the script user process, so in safe_mode, to get things working you either have to change permissions or give liberal directory permissions in order for things to work with user-uploaded code.
Ultimately, the server admin should bit the bullet and refuse to give users access to certain dangerous "features" such as register_globals or non-safe_mode. It's just too easy to open a Pandora's box.
Interesting topic, but I don't think the problem lies with PHP or MySQL. You can create insecure apps in any development environment. Yes, some are more problem-prone than others, but I'd rank Perl much higher than PHP/MySQL in terms of being conducive to allowing vulnerabilities.
I attribute much of this problem to something I call "fuzzy developing". It's the latest trend. The crux of this problem involves Web designers, who know very little about programming who are deploying more and more complicated applications in a cut-and-paste manner. These fuzzy developers have no concept of proper programming skills. Many of them can't program at all, but they can snarf someone else's "free" code online, change a few config parameters, whine to an admin for access, and compromise entire servers.
This new breed of developer relies on existing code, following the fallacy that if it's on the net, it must work. They use sites like experts-exchange to get other people to code for them when they get in a snag, and don't contemplate the priorities involved when you put something on a public system.
If you really don't care about califiyng thousands of sites as spammers when they are not, you should add your server to the list, otherwise your opinion is just a pose.
You don't understand. This is about DUL IP space, which shouldn't be running SMTP servers. It's much easier to blacklist 65,000 address and let the 3-4 people contact you and prove their legitimacy than it is to do it the other way around.
The latest problem I've been having with local lists is that there have been a small, but significant migration of certain ISPs, particularly HOTMAIL/MSN, YAHOO, COMCAST, RoadRunner and SBC, who are putting up legitimate mail servers in what has previously been dial-up space.
I haven't heard of this happening, but if they're foolish enough to do that, they'll have to deal with the wrath of their customers.
When I get reports of legitimate mail blocked, I will often remove the rule, but I emphasize that the problem is with the ISP the person is using and urge them to complain. In the case of hotmail or comcast, they can jump off a cliff. I am not going to cater to those spam havens.
What I do as a work around is direct those who were rejected to a web page with a form mailing script. And I urge all my web hosting clients to use (secure) web-based e-mail forms as a primary if not at least optional method of contact in cases such as this.
From my experience as ISP sysadmin, I thing blacklisting is a stupid way to fight spam. Is like raiding all the houses of a town because you don't know in house lives the criminal.
I'm sorry you're caught in the RBL, but I'm not that sorry. What you fail to leave out is the fact that the blocks were blacklisted only after an untold number of complaints were summarily ignored. TDE brought it upon themselves and this is the only way to get them to act responsibly.
As an ISP, you also have a responsibility, just like as a person, to be aware that who you choose to associate yourself with may have consequences. If there's a guy in your neighborhood that's a criminal and you know it, and you don't do anything about it, you won't get much sympathy when your house is raided.
It's a bad situation for people like you. Sorry about that. But you're in the wrong [IP] block. You might want to move to a different neighborhood or clean up your own.
A better analogy would be: I live in a nice neighborhood that is clean, but the nearby town trucks all their garbage over to my town. I'm sure there are some fine people in that neighboring town that have nothing to do with it, but repeated complaints have gone on deaf ears. So now we're going to build a big wall around that town so they can stop dumping their trash elsewhere.
The Internet is a revolutionary communications medium. It is, as we speak, reshaping the way the entire human world interacts. It is unethical and immoral to deny anyone, anywhere, the opportunity to access the Internet.
So is it immoral to be denied the opportunity to watch television if you don't have a TV? Is it unethical to deny someone the right to use a telephone if they don't have the change for the pay phone?
You're obviously living in IdealWorld(tm). And it's a nice place. I've talked about it many times myself. The problem is I can't find it anywhere. Please tell me where it is if you'd be so kind.
We do not ban people from public spaces simply because they are rude.
Be rude to a police officer in most areas of the world and see how welcome you are to stay in that public space. See how many rights you have and how much the authorities care about your idealistic sense of morality and access.
We do not limit the freedom of people to express themselves as they wish. Be that messages of peace or Nazi hate propaganda.
Maybe not in IdealWorld(tm). But in America, you have to have permits in many cases to assemble and exercise your right to express yourself. You may be protected by the First Amendment in many cases, but that won't protect you from a plethora of other substantive disciplinary actions that would undoubtedly be exercised against your freedom should you employ questionable judgement in your use of those "rights."
Spam wastes bandwidth, yes. But to cut it off at the mouthpiece, to censor entire nations (be that censorship lawfully ordained or not), goes against all the principles of free speech and individual freedom we uphold in the USA and which also exist in many other countries.
That seems analogous to respecting the right of a person with an infectious disease to mingle with non-infected people where he chooses because the alternative of sanctioning his behavior by limiting exposure is otherwise immoral. Again, another interesting difference between here and IdealWorld(tm).
Wanadoo.fr is the worst, followed by TDE, Comcast, SWBell and PacBell. I don't even list the Korean and Chinese IP blocks because it was too easy to wholesale block them at every level.
ALL:194.0.0.0/255.0.0.0:deny
ALL:202.0.0.0/255.0.0.0:deny
ALL:218.0.0.0/255.0.0.0:deny
Another problem we're running into are probes apparently trying to hammer the ftp server into giving them access:
Apr 26 08:15:01 inetd[1513]: ftp from 213.254.69.237 exceeded counts/min (limit 2/min)
Apr 26 08:15:28 last message repeated 190 times
You gotta love 190+ connection attempts in 27 seconds. And lookie where it's coming from! We have no customers in Spain needing to ftp into this server.
As a result, we've implemented a wider policy of refusing connections from most of the foreign IP space. Then we allow connections on a request basis. Here's the hosts.allow:
ALL:61.0.0.0/255.0.0.0:deny
ALL:80.0.0.0/255.0.0.0:deny
ALL:81.0.0.0/255.0.0.0:deny
ALL:82.0.0.0/255.0.0.0:deny
ALL:83.0.0.0/255.0.0.0:deny
ALL:142.0.0.0/255.0.0.0:deny
ALL:164.0.0.0/255.0.0.0:deny
ALL:193.0.0.0/255.0.0.0:deny
ALL:195.0.0.0/255.0.0.0:deny
ALL:196.0.0.0/255.0.0.0:deny
ALL:200.0.0.0/255.0.0.0:deny
ALL:201.0.0.0/255.0.0.0:deny
ALL:210.0.0.0/255.0.0.0:deny
ALL:211.0.0.0/255.0.0.0:deny
ALL:213.0.0.0/255.0.0.0:deny
ALL:217.0.0.0/255.0.0.0:deny
ALL:219.0.0.0/255.0.0.0:deny
ALL:220.0.0.0/255.0.0.0:deny
ALL:221.0.0.0/255.0.0.0:deny
This covers a ton of the most-abused IP space.
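The hosts.allow deny rules and the inetd probe log above can be checked against each other offline. This added example (not code from the original post) parses rules in the `ALL:net/mask:deny` form shown, folds the syslog "last message repeated N times" count into the preceding source, and reports whether each probing address would be refused; the rule excerpt and log lines inside it are constructed in the post's formats.

```python
"""Added example (not from the original post): evaluate tcp_wrappers-style hosts.allow
':deny' rules against client addresses seen in inetd log lines. Sample data is constructed."""
import ipaddress
import re

# Constructed excerpt in the post's hosts.allow style: daemon:client/mask:option
HOSTS_ALLOW = """\
ALL:61.0.0.0/255.0.0.0:deny
ALL:213.0.0.0/255.0.0.0:deny
ALL:217.0.0.0/255.0.0.0:deny
"""

# Constructed log lines in the inetd/syslog format quoted in the post
INETD_LOG = """\
Apr 26 08:15:01 inetd[1513]: ftp from 213.254.69.237 exceeded counts/min (limit 2/min)
Apr 26 08:15:28 last message repeated 190 times
Apr 26 09:02:11 inetd[1513]: ftp from 192.0.2.44 exceeded counts/min (limit 2/min)
"""

LOG_RE = re.compile(r"inetd\[\d+\]: (\S+) from (\d+\.\d+\.\d+\.\d+) exceeded counts/min")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")

def parse_deny_rules(text):
    """Return (daemon, network) pairs for every ':deny' rule; skip comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        daemon, client, option = line.split(":")
        if option == "deny":
            net, mask = client.split("/")
            rules.append((daemon, ipaddress.IPv4Network((net, mask))))
    return rules

def is_denied(daemon, ip, rules):
    """True if the client falls inside a denied network for this daemon or for ALL."""
    addr = ipaddress.IPv4Address(ip)
    return any(d in ("ALL", daemon) and addr in net for d, net in rules)

def flagged_sources(log, rules):
    """Map each probing source IP to (attempt count, refused?), folding the syslog
    'last message repeated N times' count into the preceding source."""
    result, last_ip = {}, None
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            service, last_ip = m.groups()
            result.setdefault(last_ip, [0, is_denied(service, last_ip, rules)])[0] += 1
        else:
            r = REPEAT_RE.search(line)
            if r and last_ip:
                result[last_ip][0] += int(r.group(1))
    return {ip: tuple(v) for ip, v in result.items()}
```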
configure your mail servers to drop mails from ip addresses that do not have associated valid MX records.
Bellsouth started implementing this technique about a week ago. It wreaked havoc with local server-generated e-mails from us which were stamped with 127.0.0.1 as the source system, so I had to reconfigure some things on my end to work around it. At first I was pretty annoyed because their system should have looked at the gateway address instead, but now I can see why it's effective.
However, I believe it's more productive to maintain a large RBL of IP space that is designated "no SMTP source" - it's faster and less resource-intensive. Bellsouth's entire mail system has slowed down even more due to them checking the MX record of every inbound communique.
I do like the idea however, that you shouldn't be allowed to run SMTP services unless you also control the reverse and forward DNS for the block you're operating under, but I suspect a lot of Slashdotters don't have that level of access and would protest.
See my journal for a portion of my sendmail blocklist.
We too have been compiling a pretty substantive internal RBL and it works very well. It stops as much mail as Spamcop's RBL.
I think non-essential nets should start creating wider nets, blocking all of 218.*, 24.* 61.* 219.* and others. Eventually the ISPs will stop the spam when their legit customers can't send mail. It's a crappy approach if you're caught in the blocked IP space, but it's the only method that has proven effective thus far.
This is what happens when you don't control your users.
I've been blocking most of this out-of-control ISP's address space for more than a year and I and my clients are the better for it.
The funny thing is that many of these broadband ISPs, especially the ones that spam, have their legitimate SMTP relays on completely different IP blocks so large-scale blocking generally tends to stop their DUL l^Husers from running their own SMTP relay. Too bad. My heart bleeds for these people.
Block them all. Watch how fast they start controlling their spamming. It's the ONLY WAY!
I can understand how in some cases an IPO can help generate revenue necessary to operate and break into new markets, but does this apply to Google? I really don't think so. They have market share; they have resources. Any infusion of funds to the company is more likely to give them the ability to further diversify and enter different markets, which history has shown is more often than not, a bad business idea.
So one has to assume the IPO is the first phase of the principals "cashing out". The press will probably signal this as a sign of the next dot com boom, and a bunch of nerds within the company will suddenly become millionaires, and subsequently quit their job and open up a Bed & Breakfast in some obscure town or join the World Poker Tour. There goes the talent.
I'm wondering why all the hoopla about this, especially after steps were taken to deal with it before publicizing it... unless at the same time, systems were put in place to ID attempts to exploit the vulnerability.
That would make a lot more sense. Protect against the exploit, publicize it, then watch what happens to determine which groups are most adept at quickly exploiting published vulnerabilities and raid their location. Neat idea for a large-scale honeypot.
Although, most of us know that the majority of exploits are now being deployed by spammers. They don't have any incentive to take major backbones down so this effort might just reveal a few more script kiddies that aren't really the problem.
just for reference: if I weren't planning to stay home in protest of the weak presidential slate
If you don't vote, then you have no right to talk about politics! With all due respect, that type of attitude totally disgusts me. The notion that any person's vote doesn't count (despite the most recent zupreme kort installation) is a bunch of propagandist drivel barfed out by those with insidious agendas. It's because of that type of mentality we're in this mess.
It doesn't matter if we're talking about politics or business, the meek aren't going to inherit anything, or if they do, it won't be in any condition to have value. Maybe you've had your idealism beaten into submission but that's no excuse to spread your disease of apathy to others.
Oh, and it wasn't the "right wingers" that got anybody canceled, it was the audience who didn't want to hear that shrill crap, made it unsellable to advertisers, and therefore killed it.
Yeah, right. That explains why Maher's show is a huge hit on HBO.
I know better than to get into a pointless circular argument on this issue. I'm sorry I brought it up.
I'm really less interested in generalizing about political ideologies than I am in pointing out larger-scale sociological patterns which IMO create these closed-minded groups. I generally think all politicians have 90% of the same modus operandi regardless of their affiliation so I don't want to continue the partisan babble.
The problem is that an RBL that aims for too much collateral damage isn't going to be used enough that the damage will matter.
This is why you choose the RBLs you use carefully. Some are more responsible than others. I love RBLs but there are some that I would never use because they're run by BOFHs that have little rhyme or reason to their listing/de-listing procedures, but others are different.
The same tired old arguments. Booooring.
First, what have YOU done to stand up for what you believe in? It's amazingly hypocritical how armchair pundits are so quick to condemn everyone else, yet only in a benign virtual forum will they even speak up. Weak.
If Moore gave away every penny he made to charity, his opponents would still find some reason to trash him.
The fact that he's rich has no bearing on his integrity, even though it's a relatively safe assumption that MOST people (with the exception of Moore) would rather sell out and cash in than stand up for what they believe in.
There's a difference between the right wingers and the left wingers. The left don't go out of their way to destroy the livelihood of their ideological opponents; they don't seek to shunt opposing opinion - merely enlist a debate. The right on the other hand, are boycott-happy, and not merely content with being "superior" but seek to sew the mouth shut and destroy anybody's ability to even publicly disagree with them.
There is a difference.
Rush Limbaugh. Drug-addicted, pill-popping hypocrite is still on the air. Bill Maher says he doesn't like the "war with Iraq" on his show, "Politically Incorrect" and *WHAM* the right wingers push a few buttons and get his show cancelled.
There is a difference.
Will the server be taken offline on Saturdays?
If Michael Moore's documentaries are such BS, why are you so afraid of people watching them?
It never ceases to amuse me how the right-wingers laud "freedom", yet brew up so much hatred, contempt and hostility towards anyone who stands up for what they believe in when it doesn't jive with their self-righteous agenda.
This guy exercised his right to stand up for what he believes in. He exercised his influence as head of LUG to get attention. His reasoning may be called into question, but I'd call him more of a patriot than an ignorant-generalization-spewing AC.
Obviously the guy is a very intelligent Linux coder. But socially he is unable to realize that the wider world doesn't even know his LUG EXISTS.
They do now.
His quitting will have no effect whatsoever on the Military's use of linux.
I'd venture to guess despite what he might have said on the record, his intent probably wasn't to dissuade the Military's use of Linux. Personally, as much as I'm against the war, I'd rather have our troops running Linux than Windows - especially if they have an occasion to actually act in their role of protecting our country.
Ultimately, this was a brilliant ploy on his part to get publicity. With the mainstream media being historically apprehensive about calling attention to the larger-than-reported numbers of those who opposed the Iraqi invasion, his effort is just another technique to counter that. I'd say Linux is just a tool he used to get the word out that there are more people who aren't happy with the middle east situation than one might gather after watching network TV. Nowadays, there are many more voices of dissent than there used to be and it's getting harder for the mainstream media to ignore, but if you want to call attention to something you think is wrong, it's always more effective to find a gimmick to deploy. That's what this guy did.
Let's be honest. If you're an articulate, intelligent opponent of any cause which isn't in mega-corporate-america or the media's best interest, your chances of getting attention are slim. If you hold up a sign in front of a political rally, it will not make the news. If you strip naked and run across the field at the world series with a message on your ass, you just might. As dumb as his "cause" seems to be, I think it's secondary to his very effective and successful attempt to call attention to something he feels is wrong, and from that perspective, it worked perfectly.
While a lot of people are flaming the guy thinking that politics and technology shouldn't intermingle, I disagree.
Nowhere is the necessity of this more obvious than when you examine the problem with spam on the Internet.
The tech community continues to explore science-related "solutions" to the spam problem when it's really become a political problem. Maybe back in the day when open relays were exploited, it was a tech problem, but now it's clearly a political issue. The authorities have de-prioritized the enforcement of numerous existing laws which spammers are breaking. Tech people are finding they have to compensate to an excessive degree for the inadequacy of responsibility on the part of large corporations, government, regulatory agencies, and the judicial/enforcement system.
Lack of political action on the part of the tech community has allowed numerous issues to become much more destructive to this industry, not the least of which is the awarding of ridiculous, vague patents and IP restrictions.
While the issue of the army using Linux is probably more of a shallow and symbolic cause, and I'd put that somewhere around #87 on my list of political-technical gripes, I'm pleased to see any tech people taking a stand on politics. We need more of this, and not just in the form of fringe web sites.
There are some good tech-centric lobbying groups out there, such as the EFF, but I'd like to see more people become proactive. Every tech person should be a member of the EFF - their commitment to those causes should be not unlike how every SCUBA diver understands the necessity of being a member of DAN (an organization that helps educate and provide medical services for divers).
4. A tight, clean system that isn't bloated with crap that is superfluous to its main objective.
5. A package that doesn't morph into a different product every six months with a new, catchy name, or divided into umpteen modules scientifically designed to require you to get every possible option in order to finish your application.
6. A software package that isn't so ridiculously complicated to install and use that companies make more money selling training and support than they do implementing applications.
As opposed to what? Oracle? ROFL!
I hate to say this, but being an ass gets things done. You can't "reason" with a big, money-grubbing, faceless corporate entity.
Case in point: I had an ISP today (HOSTWAY.COM - lame-ass scam-artist ISP) hold a client's domain hostage and refuse a registrar transfer. After more than a month of trying to get their slimy, grimy hands off the client's domain, we had to request an investigation with ICANN and e-mail half the corporate directory bitching about how BAD THEY SUCK before I got an e-mail from the bigwigs after which they finally released the domain they were holding hostage.
Being nice doesn't make things happen. Companies like PacBell and Comcast are banking on the fact that corporate clientele are sharing IP space with DULs and won't be block blacklisted. Well, they're about to find out that scheme won't work.
With all due respect, fuck Hostway, fuck the dumbass ISPs that shit on their customers and pollute the Internet. WE OWN THE NET. Not the companies. I'm tired of yapping about "worst case scenarios". It's time to create "worst case scenarios" for these companies that are polluting this resource. Discussion is over. Action is at hand.
If that's the case, then being blacklisted isn't a disincentive any more either. RBLs that list DSL systems are good to use in filters; they're no good at all for putting pressure on ISPs. To do that, you need to harass the ISP in some other way, but that's hard, and frankly, not worth the trouble.
Which emphasizes the effectiveness of blacklisting large blocks so the paying corporate customers suffer because their ISP SUCKS DICK.