I fully agree if the user is distributing the software, they should be nuked, but I'd love to see the AUP/ToS for any ISP that dictated what software you could or could not run on your own machine.
If anyone actually read the documents (and does anyone still read EULAs, AUPs, and other such cruft?), they'd run so fast the ISP wouldn't see them go.
ISPs are responsible for, and thus should worry about, what their customers do WITH THE SERVICE THEY PROVIDE. That does not apply in your pot smoking example, or in the example given in the parent article.
Microsoft also do this with Office for the Mac. In a corporate LAN, this means that cloning machines for swift deployment is not an easy option.
I personally (aside from the above caveat) have zero problem with this level of detection, as it leaves it up to the LAN manager or user to deal with licensing issues. I do, however, have a problem with having a phone-home algorithm built into software to send out proprietary information if some random case happens to be met.
Considering most software companies seem to have problems getting the core functions of their software to work, the assumption there can be a totally bug-free detection of legal use is laughable. This means that legal users of software are going to be spied upon. Would you spy on your legitimate users, or should they expect to be spied upon?
What happens if I typo when entering my registration details? What happens if [insert any number of things that can happen to an executable] happens and the CRC doesn't match?
Surely the 'intelligent' thing would be to tell the user 'Hey, something's not right, please fix it', and only if they click the 'fuck you, I don't care' button does it report them. Or just not start the program! After all, isn't the aim of 'protection' such as this to only allow legitimate use?
Think ones and zeros. They predate a whole bunch of things, and are the primary building blocks used by software engineers. :P
Engineering software is not the same as writing software. Software Engineering involves far more than just coding, in the same way that civil or structural engineers do more than just go out and build bridges.
Amazed not even one person has posted in response to this; normally there's loads of them.
For processors, motherboards and hard drives, I normally go to NewEgg, who have both a great track record on DOAs for me (4 or 5 in 2 years and several thousand dollars of gear), and they've handled those in a pretty competent manner.
They're not always the cheapest, but they're certainly in the top tier for processors/disks. They have pretty shitty pricing on memory unless they're having a special, and everything else is about average street-price.
Those commuting 150 miles a day pay a hell of a lot more in fuel tax than you do. That in theory is why they tax fuel (like any of it goes to roads...).
Why set up a brand new peering point in Minneapolis?
Get the university to join already established peering points (such as AADS in Chicago). Your traceroutes will look MUCH better when they don't go all the way out to the west coast first!
I've gone with an OnStream ADR50 drive. 50GB compressed per tape will set you back a couple hundred for the drive and about 150 or so for a three pack of tapes.
Bought mine on eBay and went for the ADR equipment, not the newer more expensive (but faster) ADR2, and ended up getting 250GB backup space for $300 or so.
4MB/s transfer speed isn't too shabby either for a cheap tape drive, and the system works perfectly under Linux with Arkeia, who have just released version 5 of a damn good enterprise-level backup system. Their current free-for-3-linux-server version (4.2) is not quite as good, but they've said version 5 free will be available soon.
If I want to make a backup copy of my music, I can buy a copy on CD since I'm not going to be able to make a copy of a SACD myself anytime soon.
SACDs supposedly play in regular CD players as a regular CD, and are only 'fully featured' in SACD players.
How long will it be I wonder before you can't buy a 'regular' CD?
If the only way to purchase a digital copy (can you even buy cassettes any more?) of an artist's work is on SACD, and to most consumers it's the same difference, I would venture not long.
Nope, the big delay wasn't that vendors didn't believe 'it' was real; they had no clue what 'it' was.
They were told to release an upgrade to a version that broke existing functionality, was largely untested, and were also told that it didn't directly fix the issue anyhow. They were told this without any details of what the vulnerability was, or even if it would affect them (and it turns out that nearly every distro will be unaffected).
I don't blame any distro for being a little wary and asking for more information. I believe Debian summed it up very well in their advisory.
The particular open relay listing service that the article mentioned is ORBZ. ORBZ required a mail to actually be received before it appeared on the blacklist.
Anyone using a blacklist that lists a server based on acceptance of a message (for passing to a virus scanner, for example) deserves not to get ANY mail, much less just your mail.
I'd contact the ISPs/organisations using the blacklist, not the blacklist itself. Educate the users of the crap lists that there are better alternatives (sadly, one of the finer ones just left town), and it's unlikely they'll continue to use it. After all, surely they want real mail to arrive, too?
Re:What about currently Blackholed domains (on ORBZ Shuts Down)
That's incorrect.
ORBZ is (was) a DNS-based system, which is about as close to real time as you can get. No DNS server, no lookup, no blacklisting.
ORBZ and ORDB are examples of how open relay lists SHOULD be run; fully automated, with no human 'opinions' causing the sort of grief that MAPS and ORBS generated.
You are 100% correct. However, I think that it's the responsibility of the sysadmin who subscribes to a blackhole list to keep the database current and to make sure that the list has a decent policy for removal from the list.
I'd say it's the responsibility of the sysadmin to analyse those factors way before they even started to use the list. I know we checked over a period of months that the two services we used were well maintained.
I'd like to counter a couple of the points you mentioned:
Mail is sent to an administrative account at the mail-server (or at least to common addresses like abuse@[mail-server], root@[mail-server]). Making admins manually subscribe does not satisfy this requirement.
Related to the above, such mail must contain a full itemized list of tests performed (or at least any and all items which were failed). The point of these lists is not to punish admins, but to educate them and make a better internet.
This was one of the stumbling blocks we came up against. We'd prefer the systems used a notification method like you described. However, the TXT on the lookup clearly points you to a web page detailing exactly what failed. Our reject message is also customised to suggest why the mail is being rejected.
I find ORBZ's reason for not emailing notifications somewhat amusing though.
There must be a period of sufficient length (24 hours sounds good to me) to allow the admin to fix the problem, before the host is added to the list.
I disagree. One of the bonuses of both systems is their automatic notification feature. I can submit a relay for checking on the first spam from a server, and have it reject future attempts that same day.
There must be a free means of checking the lists.
The current database of blocked addresses must be available for use and editing by myself.
If IP blocking is enabled, it must be possible to disengage, on a per-host basis.
Any server capable of limiting using RBLs is also capable of whitelisting IPs or IP ranges. We have many IPs in our whitelists, but it should be up to us to add to that whitelist. If you allow general access to the blacklists you will get moron spammers de-listing relays and then using them.
Any IP address which submits a list of open relays must be banned from submitting more relays for a reasonable period of time (3 years, maybe?) if one, when tested, is found to be adequate. Otherwise, these DBs are just DDOS attacks waiting to happen.
ORBZ will not retest within 24hrs unless requested from the IP of the blocked server.
ORDB does not have such a limit to my knowledge, but I agree it should have.
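The DNS-based lookup this thread describes (octets reversed under the list's zone, the TXT record pointing at the failed-test detail page, "no DNS server, no lookup, no blacklisting", and whitelisting done locally by the subscriber rather than by editing the list), as an added example. This is not code from the thread or from ORBZ/ORDB; the zone name, whitelist ranges and DNS answers are constructed.

```python
"""DNSBL (RBL) check as a receiving mail server would do it, with a local
whitelist and fail-open behaviour when the list's DNS is unreachable."""
import ipaddress
import socket
from typing import Callable, Optional

# Constructed zone name; a real deployment uses the zone the list operator publishes.
RBL_ZONE = "relays.example-rbl.test"

# Local whitelist (constructed sample ranges): whitelisting is the subscriber's
# job, not the list's, as the post above argues.
WHITELIST = [ipaddress.ip_network("192.0.2.0/24"),
             ipaddress.ip_network("198.51.100.7/32")]

# Resolver signature: (qname, rrtype) -> list of answer strings, empty for
# NXDOMAIN; raises OSError when the DNS server cannot be reached.
Resolver = Callable[[str, str], list]


def rbl_qname(ip: str, zone: str = RBL_ZONE) -> str:
    """DNSBL query name: IPv4 octets reversed, then the list's zone appended,
    e.g. 203.0.113.9 -> 9.113.0.203.relays.example-rbl.test"""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_relay(ip: str, resolve: Resolver, zone: str = RBL_ZONE) -> dict:
    """Return {'listed': bool, 'reason': str} following the thread's rules:
    whitelisted sources are never rejected; a listed host is rejected with the
    list's TXT record quoted (it points at the page detailing what failed);
    and if the list's DNS does not answer at all, mail is accepted."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in WHITELIST):
        return {"listed": False, "reason": "whitelisted locally"}
    qname = rbl_qname(ip, zone)
    try:
        a_records = resolve(qname, "A")
    except OSError:
        # Fail open: a dead list must not become a self-inflicted mail outage.
        return {"listed": False, "reason": "rbl lookup failed; accepting"}
    if not a_records:
        return {"listed": False, "reason": "not listed"}
    try:
        txt = resolve(qname, "TXT")
    except OSError:
        txt = []
    detail = txt[0] if txt else "no details published"
    return {"listed": True, "reason": f"listed in {zone}: {detail}"}


def smtp_reject_line(verdict: dict) -> Optional[str]:
    """The customised reject line the post mentions, or None to accept."""
    if not verdict["listed"]:
        return None
    return f"550 5.7.1 Mail refused - {verdict['reason']}"


# Constructed answers standing in for the list's DNS zone: one listed relay.
SAMPLE_ZONE = {
    ("9.113.0.203." + RBL_ZONE, "A"): ["127.0.0.2"],
    ("9.113.0.203." + RBL_ZONE, "TXT"):
        ["open relay, see http://example-rbl.test/lookup?ip=203.0.113.9"],
}


def sample_resolver(qname: str, rrtype: str) -> list:
    """Answers from the constructed zone; anything else is NXDOMAIN (empty)."""
    return SAMPLE_ZONE.get((qname, rrtype), [])


def dead_resolver(qname: str, rrtype: str) -> list:
    """Simulates the list's DNS server having gone away."""
    raise socket.gaierror("name server unreachable")


if __name__ == "__main__":
    for src in ("203.0.113.9", "203.0.113.10", "192.0.2.44"):
        print(src, smtp_reject_line(check_relay(src, sample_resolver)) or "accept")
    print("dead list:", check_relay("203.0.113.9", dead_resolver))
```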
Correct.
There are numerous ISPs out there; you are not required to use any one ISP.
If an ISP doesn't fulfil your specific needs, or has policies you disagree with, then there is nothing preventing you from using a different one.
Similarly, if you're an ISP, there's nothing/requiring/ you to use one transit provider. If you have an issue with RBL filtering, don't use that transit provider.
Nope, the usual way to do it is:
1. Filter the open relay checker's IP.
2. Click 'check me now'.
3. Spam as usual.
This is a retarded, but effective way of avoiding the automatic blacklist generators.
You'll still get on a lot of the automatic+human checkers like MAPS' open relay list.
You don't seem to understand how SMTP works. I would hope that the server connecting to me was listening on port 25, as that indicates it is an SMTP server itself.
If it's NOT listening on port 25, I'd be more likely to ignore it than if it were, as that might indicate a spammer sending mail direct-to-server.
Open and secure relays would both respond to port 25 connections. Correctly secured relays would reject any message you tried to send through their mail server to another destination, whilst still accepting mail for local users (if it's not just an outgoing relay).
It's possible to connect to the mail server for the address supplied and verify that the user exists, but in most cases, due to server configuration, that would require actually sending a message (thus putting you at risk of getting into a bizarre authentication loop).
It would also seriously add to the overhead of sending a message, something larger sites would not be able to cope with.
From the article: I could draw a bunch of analogies here, but isn't the bottom line that no one owns the internet e-mail system?
This is a fallacy that continues to be propagated. I own my own mail server. The company I work for owns its mail servers. We can both decide who we want to allow to send mail to our users.
At work, we use two open relay lists; ORDB and ORBZ. Nobody forces us to use them; it's our server cluster, and our choice.
The reason we use those two systems, however, is due to the reasons pointed out in the article. Some blacklists are far too easy to get onto, or hosts are arbitrarily added by humans. The only way to get onto either of those lists is to be an open relay. The only way off is to be automatically retested and found to not be an open relay.
Actually, the white space is what tends to get the cheaters caught.
If there's 6 extra spaces at the end of a few lines and there are exactly the same extra spaces on the same lines (variable names aside), then there's an extremely good chance it's the same code, or a cut and paste of that section at the very least.
In addition, you'd want to strip comments in your above example.
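The whitespace test this post describes, as an added example (not the poster's code): comments are stripped, identifier names are masked so renaming variables changes nothing, and corresponding lines are compared on shape plus the number of stray trailing spaces. Both submissions are constructed.

```python
"""Trailing-whitespace fingerprint comparison for spotting copied code."""
import re

COMMENT_RE = re.compile(r"//.*|/\*.*?\*/")
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
# Keywords are kept; any other name is masked to "ID" so that renaming
# variables does not change a line's shape.
KEYWORDS = {"int", "for", "if", "else", "while", "return", "char", "void"}


def fingerprint(src: str) -> list:
    """One (trailing_whitespace, shape) pair per non-blank, non-comment line."""
    sigs = []
    for raw in src.splitlines():
        trailing = len(raw) - len(raw.rstrip(" \t"))
        code = COMMENT_RE.sub("", raw).strip()
        if not code:
            continue  # blank or comment-only lines carry no signal
        shape = IDENT_RE.sub(
            lambda m: m.group(0) if m.group(0) in KEYWORDS else "ID", code)
        shape = re.sub(r"\s+", " ", shape)
        sigs.append((trailing, shape))
    return sigs


def compare(a: str, b: str) -> dict:
    """Count lines that match in shape alone, and lines that ALSO carry the same
    non-zero trailing whitespace; the latter is the tell-tale the post describes."""
    fa, fb = fingerprint(a), fingerprint(b)
    n = min(len(fa), len(fb))
    shape_matches = sum(1 for i in range(n) if fa[i][1] == fb[i][1])
    ws_matches = sum(1 for i in range(n) if fa[i] == fb[i] and fa[i][0] > 0)
    return {"compared": n, "shape": shape_matches, "shape_and_whitespace": ws_matches}


# Constructed submissions: B renamed the variables and rewrote the comments but
# kept the exact stray spaces at the end of lines 1 and 3 (built with " " * 6
# so they survive copy-and-paste).
SUBMISSION_A = "\n".join([
    "int total = 0;" + " " * 6,
    "for (int i = 0; i < n; i++) {  // sum them",
    "    total += values[i];" + " " * 6,
    "}",
    "return total;",
])
SUBMISSION_B = "\n".join([
    "int acc = 0;" + " " * 6,
    "for (int k = 0; k < count; k++) {  /* accumulate */",
    "    acc += data[k];" + " " * 6,
    "}",
    "return acc;",
])

if __name__ == "__main__":
    print(compare(SUBMISSION_A, SUBMISSION_B))
```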
The difference in size between a decent 15" LCD ($500-$600 currently) and your 15.9" viewable '17 inch' screen is not massive.
The problem with getting that lower price is that the manufacturers are seeing LCD as a cash cow, and a quick and easy method of getting their development costs back.
Disclaimer: I actually work for the above-mentioned company.
Something that a lot of potential customers have discovered is that getting a landlord to agree to a 'satellite dish' is easier than mentioning wireless Internet at all.
I used this approach for my own install, but they'd still only let me put the dish on my balcony which faces completely the opposite direction :(
The RIAA must be rubbing its proverbial hands with glee.
Gone are the legal defenses that music/file-sharing systems have used.
Gone are the methods of avoiding detection used to date.
Even if this detection has no way to discern between the original and a cover of the song, I can see the RIAA and major labels nailing a bunch of people, and using this system as proof.
SpamCop is a useful tool, both from a user's and from a system administrator's point of view.
Having used SpamCop from both sides (I work for a national ISP), I can't recommend it enough. The admin gets all of the pertinent information in a single mail, and the user can get feedback as to whether the issue has already been solved.
Julian (the guy who runs the service) is particularly helpful, and open to suggestions.
Use whichever language you feel comfortable with.
There's been a lot of comments in this thread suggesting you should use x for y job. Whilst this is true to an extent, if you can get something that works using C++, or spend an extra few hours (days?) doing the same thing in {other language}, use C++. It may be less elegant, but most PHBs don't give a crap about that.
Whether you use multiple languages or not, modular programming is essential if your project isn't a single one-off deal.
Incidentally, even if it is a one-off deal, it's often handy to modularise programs, as there's always the time someone from sales will wander in and say 'can I get a report kinda like that one I had yesterday, but in [blue|mauve|cyan]?',
Wish I still had mod points for this one.
Great if this is truly the case.
The problem is that by the time the copyright expires, finding a copy of the game is going to be tricky unless people copy the ROMs now...
This will be especially true if the Disney Senators keep extending copyrights.
Ah, but do their bootleg grandmas have those great Engrish subtitles?
Hope that helps.
You already do pay less.
Details on AADS at least available at AADS' site.
Ian, your service will be greatly missed.