Reports of new security holes that rip Windows wide open have become a weekly, even sometimes daily, occurrence. Don't you think it's only a matter of time before the Department of Homeland Security gets it through their thick skulls that any data stored on a Microsoft Windows system is simply not secure at all, and takes action to make Windows less relevant?
I thought people would learn their lesson after Melissa. I thought they would learn after ILoveYou, and Blaster, and Bugbear, and Sobig, and Swen. It's only a matter of time. One of these days people will get wise to the pattern.
When will you people stop acting indignantly shocked by everything Microsoft does? We already KNOW it throws its lawyers at anyone who threatens its bottom line.
Slashdot's 'Microsoft is Evil' stories are like someone who posts every time his cat does something cute. Yes, we KNOW it behaves that way, we know it will *continue* to behave that way, we don't need headlines about it any more.
And Microsoft itself is like a T.Rex at the end of the Mesozoic era: it's big, it's powerful, but its world is changing and its days are numbered. It isn't worth our attention any more. Let's please get back to stuff that matters?
Fifty million people submitted their phone numbers for the national do-not-call list. Telemarketers were required to download a copy of this list so they could make sure they didn't call any numbers on it.
But now the law has been put on hold, and there's a possibility that telemarketers will be allowed to continue phonecalling people.
Meanwhile, the telemarketers have this new list of fifty million people who submitted their phone numbers!
My guess is that if this law doesn't hold up in the courts, then the people who signed up for the do-not-call list are going to be getting a lot more telemarketing calls, for the same reason that you're never supposed to email spammers to ask to be taken off their lists.
The names 'Thunderbird' and 'Firebird' have nothing whatsoever to do with the software's functionality, and can only help make less-technical users out there even more hopelessly confused. Even I still can't remember sometimes which is which. Who chose these names, and why were they chosen instead of something maybe a little more descriptive like 'Thundermail' or 'Fireweb'?
No, I'm not trolling. I know why people should test pre-release kernels. What I *don't* know is why people should have to compile them on their own.
How hard is it to automatically, each night, roll the latest test kernel into a Debian package and a Redhat RPM? That way, people don't have to go to the trouble of compiling their own copy of it -- and, more importantly, they don't run the risk of screwing up the compile and making their system unbootable and/or introducing problems which might be mistaken for bugs.
Lots of people test nightly builds of Mozilla; what's so different between Mozilla and the kernel which prevents kernel binaries from being downloadable?
The Tao says: the perfect piece of paper is unmarked by pen; the perfect flower is unpruned by shears; the perfect operating system is untouched from its default installation.
I've had to support, debug, fix, and otherwise un-screw-up many computers in my time. Inevitably, the closer a system is to what everybody else is using, the more likely it is that any problems with it will have been seen and solved countless times before.
That's why the idea of countless legions of users out there each recompiling his own kernel just makes my blood run cold. This is the twenty-first century, peoples! Why is it necessary for anyone other than a kernel developer to compile the kernel sources? Why haven't all the optional pieces been broken out into modules yet?
They need to be shown, without any doubt, that they are indeed breaking the law.
And then they'll stop, just like all those people who used to download music, right?
Legal action can help curb spammers, *if* it's pursued aggressively -- but technology still has a lot more it can do. For example:
- Why do mail servers accept email whose sender address is invalid (malformed) or gives a domain which isn't resolvable?
- Why do mail servers accept email which is sent in violation of the SMTP protocol -- for example, 'spam blasters' which dump a whole lot of commands on the receiving server then disconnect without waiting for a response?
- Why don't mail servers automatically check services such as Razor? If an incoming message happens to have the same checksum as a message which has been reported to Razor several thousand times within the past half-hour, why accept the message for delivery?
- Why don't mail servers have a built-in 'tarpit' feature? In other words: if there's an incoming message, and if system resources aren't tight, the mail server could sit on it for sixty seconds before accepting it. If the sender disconnects before sixty seconds, the mail will be rejected. This obeys the SMTP protocol, and it will be unnoticed by anyone except people who want to blast tens of thousands of emails in one shot -- suddenly it becomes more time-consuming to spam, and the spammer can be stopped before he can get very far.
I do not want my ISP deciding what is and what isn't spam for me.
Why not?
If you get an email whose checksum matches the checksum of a message which has recently gotten multiple reports on several spam-tracking services -- or an email delivered from a server which violates the SMTP protocol by blasting all its commands then dropping the connection -- or an email with a sender domain which doesn't even exist -- why would you want to receive it?
I don't see what the problem is. I don't get spam any more.
Now, granted, I run my own mail server: Exim, attached to SpamAssassin via SA-Exim. And this combination is highly effective. I have it set up to be more aggressive than most people would want their spam filter to be; if an incoming message even *smells* like spam, my server refuses to accept it and instead gives a failure message with an alternate non-filtered address to use if the email wasn't actually spam. In a year of running it, it's rejected 100 spams per day on average, with only one known false positive in the entire year (it was someone forwarding a spam to me). And if a spam is sent to one of the addresses which I haven't used for years, then I perform the added courtesy of tarpitting the spammer.
But there are a lot of tactics that an ISP's mail server can use to cut down on a huge amount of spam without risking false positives. Check the mail against Razor and the other services which keep track of mass-mailings which have been reported as spam, for example. Refuse mail from a server which pipelines its SMTP commands then drops its connection without waiting for a response. Verify that the sending mail server's address actually can be resolved.
ISP's could go a long way towards making spam much less of an annoyance if they'd just use software to filter out the obvious spams. Hook the mail server up to SpamAssassin, set the threshold high enough to avoid false positives.
I'm sick and tired of software companies saying that such-and-such product will be "released when it's done" or "done when it's finished."
Since when has any software product ever been FINISHED when it's released? Usually -- and *especially* with PC games -- the release is full of bugs and requires a couple of quick patch cycles to bring up to par, followed by a few more patch cycles over the following months to make it solid.
Aie... leaving DNS/Mail/routers/firewalls/etc. running 'forever' is an extremely bad idea. Exploits are found, security patches are released, these patches must be installed. And if they break existing functionality, someone needs to troubleshoot them.
It's the 'deploy and forget' mentality which is responsible for old worms living on far beyond when the bugs they exploit have been fixed...
I'm a libertarian, and I'd fight for J.K. Rowling's right to defend her intellectual property.
What happens when Disney World opens up a new Russian exhibit featuring Tanya Grotter, complete with a flying broomstick ride and a line of plastic toy wand souvenirs, and Rowling never sees one cent of the profits?
Agreed. And what's anybody gonna go about it? Ooooh, Microsoft broke the law again, now in three or four years the DOJ might bring legal action against 'em and in another eight or ten years they might get slapped with another settlement to ignore. Ooooooooohhh. Like, they're really scared.
'm content, however, with a directory structure that has been used with little variation on any number of flavours of Unix systems for 30-odd years, because it works.
It doesn't work that well any more. I'm frustrated with KDE because I have to keep all of my applications in the K menu in order to know they're on my system -- the actual binaries live in/usr/bin and have crypticly short names. I'd love to have a directory where all of my KDE applications live with properly descriptive names, just like/Applications on my Mac.
LCD displays don't get burn-in, but if you leave a static high-contrast image up on the display for a long period of time, then that image can become a 'ghost' which is visible even when it's gone. A good example is the menu bar at the top of a Mac desktop; if you reboot your Mac, you can see a ghost of the menu bar during the boot-up sequence.
This ghost isn't a permanent thing. Leaving the display off for as long as the image was there will get rid of the ghost.
I think Apple has a tech note on this, but I wasn't able to find it just now.
Related question: what's a good cheap progressive-scan component-output DVD player these days? I've seen some for under $100; are any of these at all decent?
Re:But 1 false positive is unacceptable
on
WLANs As Spam Conduit
·
· Score: 2, Informative
I have my mail server set up to automatically recognize incoming spam and reject it with an error message which says 'this is being rejected because it looks like spam; if it's not, please resend it to notspam@mydomain.com.' That's an address which I've set up to completely bypass my spam filters and come directly to my inbox.
In the past six months I have never received even a single piece of spam at my 'notspam' address, which is only advertised through this error messages. And even if any spammers did get hold of it, I could just change the address to something else.
I've had one or two people who sent me a message which was bounced (in both cases it was an email greeting card), and they saw this error message and re-sent to my 'notspam' address. I see this as a MUCH better approach than making me review my spam-bucket email every day.
Actually, as I've posted here on Slashdot before, tarpits are VERY useful.
Run an Exim mail server, and link it to SpamAssassin via the SA-Exim software. Set the tarpit timeout to a couple of days. Make sure your mail server's process limit is bumped up to a couple hundred; don't worry, tarpit processes use shared memory and consume very little of their own.
Then sit back and let the spammers tarpit themselves. Stupid spammers will have their connections held open for long periods of time, eating up resources on their servers (or on the open relays they hijacked); once they hit enough tarpits, they'll be dead in the water.
Smart spammers will recognize you as a tarpit and drop your address from their lists. Hooray!
Once email takes as much time as calling someone, and requires me to check back periodically to make sure it's actually been sent, ALONG with assumptions about how I'm viewing my email (pictures enabled, html enable, or perhaps javascript enabled) it just gets as bad as spam.
It's already this bad, because of all the varied and not-always-reliable methods being used in an attempt to distinguish spam from legitimate email. Already my email is taking a long time to get through due to mail servers being choked by spam, so that I often have to check and make sure my mail actually got through.
If I could whitelist myself with a recipient and have the assurance that my email WILL get to him, that'd be worth the slight trouble.
Is it possible to install Mandrake over the network, bootstrapping it with a floppy then downloading the packages from an ftp or http site like Debian can do? I looked on the Mandrake site but all I see are CD images. The laptop I want to try Mandrake on has a busted CD drive.
Also, doing a floppy-based network install (if possible), how good is Mandrake at autodetecting and autoconfiguring hardware? My biggest problem with Debian was that I had to configure video, audio, network, PCMCIA, etc. all by hand. I still haven't gotten audio to work properly with KDE.
E-mail addresses harvested from the public Web appear to have a relatively short "shelf life." When e-mail addresses we posted on the public Web were removed, there was a pronounced drop in the amount of spam they received each day. The change was not absolute -- on a given day, an address might receive a few spam messages even months after it had been removed from the public Web. But such spam was on the order of 2 or 3 messages per day, compared to the thirty or more messages received by addresses still on the public Web.
Is this just referring to recently-posted email addresses which don't exist on the web for more than a couple of weeks? Do the address harveters focus their attention on web sites which change often?
Or are those of us who have been on the Internet for many years and have our email addresses all over the place just screwed, even if our addresses aren't appearing in any new places?
My email address shows up most frequently in discussions on web sites, and on Google's newsgroup archive. I don't want to have to go asking them to delete all of my old news postings...
The latest version of SpamAssassin also has a Bayesian junk mail filter in it. Tie this together with Exim and SA-Exim, and you've got a tarpit which can learn from the kind of spam which it receives.
Tarpits rule. Why just reject spam, when you can hold the spammer's connection open and continue to suck up resources on his mail server for days? And when the spammer hits enough tarpits, he'll be dead in the water... even quicker if he's stupid enough to try a dictionary attack. If you run a mail server, stick a tarpit on it, and you'll be doing a lot to help stop spammers.
Slashdot Mirror
Reports of new security holes that rip Windows wide open have become a weekly, even sometimes daily, occurrence. Don't you think it's only a matter of time before the Department of Homeland Security gets it through their thick skulls that any data stored on a Microsoft Windows system is simply not secure at all, and takes action to make Windows less relevant?
I thought people would learn their lesson after Melissa. I thought they would learn after ILoveYou, and Blaster, and Bugbear, and Sobig, and Swen. It's only a matter of time. One of these days people will get wise to the pattern.
When will you people stop acting indignantly shocked by everything Microsoft does? We already KNOW it throws its lawyers at anyone who threatens its bottom line.
Slashdot's 'Microsoft is Evil' stories are like someone who posts every time his cat does something cute. Yes, we KNOW it behaves that way, we know it will *continue* to behave that way, we don't need headlines about it any more.
And Microsoft itself is like a T.Rex at the end of the Mesozoic era: it's big, it's powerful, but its world is changing and its days are numbered. It isn't worth our attention any more. Let's please get back to stuff that matters?
Something just occurred to me.
Fifty million people submitted their phone numbers for the national do-not-call list. Telemarketers were required to download a copy of this list so they could make sure they didn't call any numbers on it.
But now the law has been put on hold, and there's a possibility that telemarketers will be allowed to continue phonecalling people.
Meanwhile, the telemarketers have this new list of fifty million people who submitted their phone numbers!
My guess is that if this law doesn't hold up in the courts, then the people who signed up for the do-not-call list are going to be getting a lot more telemarketing calls, for the same reason that you're never supposed to email spammers to ask to be taken off their lists.
The names 'Thunderbird' and 'Firebird' have nothing whatsoever to do with the software's functionality, and can only help make less-technical users out there even more hopelessly confused. Even I still can't remember sometimes which is which. Who chose these names, and why were they chosen instead of something maybe a little more descriptive like 'Thundermail' or 'Fireweb'?
Speaking of Debian, where's the Debian package version of Thunderbird, and when will it appear in Debian-unstable?
Yes, but you don't have to reassemble water from its hydrogen and oxygen atoms before you can use it...
No, I'm not trolling. I know why people should test pre-release kernels. What I *don't* know is why people should have to compile them on their own.
How hard is it to automatically, each night, roll the latest test kernel into a Debian package and a Redhat RPM? That way, people don't have to go to the trouble of compiling their own copy of it -- and, more importantly, they don't run the risk of screwing up the compile and making their system unbootable and/or introducing problems which might be mistaken for bugs.
Lots of people test nightly builds of Mozilla; what's so different between Mozilla and the kernel which prevents kernel binaries from being downloadable?
The Tao says: the perfect piece of paper is unmarked by pen; the perfect flower is unpruned by shears; the perfect operating system is untouched from its default installation.
I've had to support, debug, fix, and otherwise un-screw-up many computers in my time. Inevitably, the closer a system is to what everybody else is using, the more likely it is that any problems with it will have been seen and solved countless times before.
That's why the idea of countless legions of users out there each recompiling his own kernel just makes my blood run cold. This is the twenty-first century, peoples! Why is it necessary for anyone other than a kernel developer to compile the kernel sources? Why haven't all the optional pieces been broken out into modules yet?
They need to be shown, without any doubt, that they are indeed breaking the law.
And then they'll stop, just like all those people who used to download music, right?
Legal action can help curb spammers, *if* it's pursued aggressively -- but technology still has a lot more it can do. For example:
- Why do mail servers accept email whose sender address is invalid (malformed) or gives a domain which isn't resolvable?
- Why do mail servers accept email which is sent in violation of the SMTP protocol -- for example, 'spam blasters' which dump a whole lot of commands on the receiving server then disconnect without waiting for a response?
- Why don't mail servers automatically check services such as Razor? If an incoming message happens to have the same checksum as a message which has been reported to Razor several thousand times within the past half-hour, why accept the message for delivery?
- Why don't mail servers have a built-in 'tarpit' feature? In other words: if there's an incoming message, and if system resources aren't tight, the mail server could sit on it for sixty seconds before accepting it. If the sender disconnects before sixty seconds, the mail will be rejected. This obeys the SMTP protocol, and it will be unnoticed by anyone except people who want to blast tens of thousands of emails in one shot -- suddenly it becomes more time-consuming to spam, and the spammer can be stopped before he can get very far.
I do not want my ISP deciding what is and what isn't spam for me.
Why not?
If you get an email whose checksum matches the checksum of a message which has recently gotten multiple reports on several spam-tracking services -- or an email delivered from a server which violates the SMTP protocol by blasting all its commands then dropping the connection -- or an email with a sender domain which doesn't even exist -- why would you want to receive it?
I don't see what the problem is. I don't get spam any more.
Now, granted, I run my own mail server: Exim, attached to SpamAssassin via SA-Exim. And this combination is highly effective. I have it set up to be more aggressive than most people would want their spam filter to be; if an incoming message even *smells* like spam, my server refuses to accept it and instead gives a failure message with an alternate non-filtered address to use if the email wasn't actually spam. In a year of running it, it's rejected 100 spams per day on average, with only one known false positive in the entire year (it was someone forwarding a spam to me). And if a spam is sent to one of the addresses which I haven't used for years, then I perform the added courtesy of tarpitting the spammer.
But there are a lot of tactics that an ISP's mail server can use to cut down on a huge amount of spam without risking false positives. Check the mail against Razor and the other services which keep track of mass-mailings which have been reported as spam, for example. Refuse mail from a server which pipelines its SMTP commands then drops its connection without waiting for a response. Verify that the sending mail server's address actually can be resolved.
ISP's could go a long way towards making spam much less of an annoyance if they'd just use software to filter out the obvious spams. Hook the mail server up to SpamAssassin, set the threshold high enough to avoid false positives.
I'm sick and tired of software companies saying that such-and-such product will be "released when it's done" or "done when it's finished."
Since when has any software product ever been FINISHED when it's released? Usually -- and *especially* with PC games -- the release is full of bugs and requires a couple of quick patch cycles to bring up to par, followed by a few more patch cycles over the following months to make it solid.
Aie... leaving DNS/Mail/routers/firewalls/etc. running 'forever' is an extremely bad idea. Exploits are found, security patches are released, these patches must be installed. And if they break existing functionality, someone needs to troubleshoot them.
It's the 'deploy and forget' mentality which is responsible for old worms living on far beyond when the bugs they exploit have been fixed...
I'm a libertarian, and I'd fight for J.K. Rowling's right to defend her intellectual property.
What happens when Disney World opens up a new Russian exhibit featuring Tanya Grotter, complete with a flying broomstick ride and a line of plastic toy wand souvenirs, and Rowling never sees one cent of the profits?
Never needing support?
With Linux?
Sure, maybe if you're Linus...
Agreed. And what's anybody gonna go about it? Ooooh, Microsoft broke the law again, now in three or four years the DOJ might bring legal action against 'em and in another eight or ten years they might get slapped with another settlement to ignore. Ooooooooohhh. Like, they're really scared.
'm content, however, with a directory structure that has been used with little variation on any number of flavours of Unix systems for 30-odd years, because it works.
/usr/bin and have crypticly short names. I'd love to have a directory where all of my KDE applications live with properly descriptive names, just like /Applications on my Mac.
It doesn't work that well any more. I'm frustrated with KDE because I have to keep all of my applications in the K menu in order to know they're on my system -- the actual binaries live in
LCD displays don't get burn-in, but if you leave a static high-contrast image up on the display for a long period of time, then that image can become a 'ghost' which is visible even when it's gone. A good example is the menu bar at the top of a Mac desktop; if you reboot your Mac, you can see a ghost of the menu bar during the boot-up sequence.
This ghost isn't a permanent thing. Leaving the display off for as long as the image was there will get rid of the ghost.
I think Apple has a tech note on this, but I wasn't able to find it just now.
Related question: what's a good cheap progressive-scan component-output DVD player these days? I've seen some for under $100; are any of these at all decent?
I have my mail server set up to automatically recognize incoming spam and reject it with an error message which says 'this is being rejected because it looks like spam; if it's not, please resend it to notspam@mydomain.com.' That's an address which I've set up to completely bypass my spam filters and come directly to my inbox.
In the past six months I have never received even a single piece of spam at my 'notspam' address, which is only advertised through this error messages. And even if any spammers did get hold of it, I could just change the address to something else.
I've had one or two people who sent me a message which was bounced (in both cases it was an email greeting card), and they saw this error message and re-sent to my 'notspam' address. I see this as a MUCH better approach than making me review my spam-bucket email every day.
Actually, as I've posted here on Slashdot before, tarpits are VERY useful.
Run an Exim mail server, and link it to SpamAssassin via the SA-Exim software. Set the tarpit timeout to a couple of days. Make sure your mail server's process limit is bumped up to a couple hundred; don't worry, tarpit processes use shared memory and consume very little of their own.
Then sit back and let the spammers tarpit themselves. Stupid spammers will have their connections held open for long periods of time, eating up resources on their servers (or on the open relays they hijacked); once they hit enough tarpits, they'll be dead in the water.
Smart spammers will recognize you as a tarpit and drop your address from their lists. Hooray!
Once email takes as much time as calling someone, and requires me to check back periodically to make sure it's actually been sent, ALONG with assumptions about how I'm viewing my email (pictures enabled, html enable, or perhaps javascript enabled) it just gets as bad as spam.
It's already this bad, because of all the varied and not-always-reliable methods being used in an attempt to distinguish spam from legitimate email. Already my email is taking a long time to get through due to mail servers being choked by spam, so that I often have to check and make sure my mail actually got through.
If I could whitelist myself with a recipient and have the assurance that my email WILL get to him, that'd be worth the slight trouble.
Is it possible to install Mandrake over the network, bootstrapping it with a floppy then downloading the packages from an ftp or http site like Debian can do? I looked on the Mandrake site but all I see are CD images. The laptop I want to try Mandrake on has a busted CD drive.
Also, doing a floppy-based network install (if possible), how good is Mandrake at autodetecting and autoconfiguring hardware? My biggest problem with Debian was that I had to configure video, audio, network, PCMCIA, etc. all by hand. I still haven't gotten audio to work properly with KDE.
Here's a question. The report says:
E-mail addresses harvested from the public Web appear to have a relatively short "shelf life." When e-mail addresses we posted on the public Web were removed, there was a pronounced drop in the amount of spam they received each day. The change was not absolute -- on a given day, an address might receive a few spam messages even months after it had been removed from the public Web. But such spam was on the order of 2 or 3 messages per day, compared to the thirty or more messages received by addresses still on the public Web.
Is this just referring to recently-posted email addresses which don't exist on the web for more than a couple of weeks? Do the address harveters focus their attention on web sites which change often?
Or are those of us who have been on the Internet for many years and have our email addresses all over the place just screwed, even if our addresses aren't appearing in any new places?
My email address shows up most frequently in discussions on web sites, and on Google's newsgroup archive. I don't want to have to go asking them to delete all of my old news postings...
The latest version of SpamAssassin also has a Bayesian junk mail filter in it. Tie this together with Exim and SA-Exim, and you've got a tarpit which can learn from the kind of spam which it receives.
Tarpits rule. Why just reject spam, when you can hold the spammer's connection open and continue to suck up resources on his mail server for days? And when the spammer hits enough tarpits, he'll be dead in the water... even quicker if he's stupid enough to try a dictionary attack. If you run a mail server, stick a tarpit on it, and you'll be doing a lot to help stop spammers.