Slashdot Mirror


User: oglueck

oglueck's activity in the archive.

Stories: 0
Comments: 171

Comments · 171

  1. and you even consider buying it? on Killer Apartment Vs. Persistent Microwave Exposure? · · Score: 1

    When you are already in doubt that this radiation could be a serious health risk, why do you still consider buying it? When in 10 years the radiation is known to cause long-term damage, it will be too late.

  2. autoconf on Google Android — a Universe of Incompatible Devices · · Score: 1

    We need something like autoconf for Android:

    if (hasCompass() && compassProbablyWorks() && !compassIsKnownBroken() && compass.type != COMPASS_GPS /* && a myriad of other creative stuff */) {
        doCompassStuff();
    }

  3. SPF on Fake "Bill Gates" Message Dupes Top Tools · · Score: 1

    linkedin.com text = "v=spf1 ip4:70.42.142.0/24 ip4:208.111.172.0/24 ip4:64.74.220.0/24 ip4:64.74.221.0/26 ip4:64.71.153.211 ip4:64.74.221.30 ip4:69.28.149.0/24 ip4:208.111.169.128/26 ip4:64.74.98.128/26 ip4:64.74.98.16/29 mx ~all"

    That is ~all and not -all. So linkedin is happy with any IP sending mail in their name. It will only cause a soft fail and no MTA should reject the message as fake. It's hardly the fault of mail clients here.

  4. Except... on Adobe Security Chief Defends JavaScript Support · · Score: 1

    ...that nobody uses these "I am an electronic form" features anyway. All we want is to view and print documents. But then, PostScript did exactly that. Oh wait, PDF is based on PostScript. I never understood why it had to be Adobe and PDF that the world uses today. It could have been (a nice version of) Ghostview and PostScript. Hm, but then nobody could have sold PDF-Creation Add-Ons to MS Word, because you could have used a PS printer driver.

  5. Re:Why? on Microsoft Expands exFAT Multimedia Licensing · · Score: 2, Interesting

    Well, the CD-ROM standard they support is "Joliet". Which is their own extension.... I wonder how long until they are going with patents after others implementing it.

  6. Flash? on X11 Chrome Reportedly Outperforms Windows and Mac Versions · · Score: 1

    Who cares, when a Youtube Flash video is eating almost 100% of your CPU because of its idiotic use of X11? Playing a plain MPG video in mplayer uses almost no CPU.

  7. Re:What I don't get... on Examining Chrome's Source Code · · Score: 1

    I totally agree. It's hard to believe that they even started without going cross-platform from the very beginning. Porting is so much harder! I haven't looked at the source but are they actually using at least something like a portable runtime? I know at least 2 to choose from: Apache (apr), Netscape (nspr). Did I mention Java? :-)

  8. Re:T-Shirt on Mozilla SSL Policy Considered Bad For the Web · · Score: 1

    Actually, at work we are using a private CA (not self-signed certs) which all communicating parties trust. Also the certificates from this private CA can be issued with longer lifetimes, which eliminates the renewal pain. That's possible because the secured services are not available to the general public, but just a number of well-known clients. So we can distribute the private CA cert among the clients easily. And save a lot of money and maintenance overhead (cert renewal).

  9. Re:T-Shirt on Mozilla SSL Policy Considered Bad For the Web · · Score: 1

    You are mixing up two different things:
    - self-signed cert: there is no CA. The public key is just signed with the private key.
    - private CA: there is a CA, but the CA cert is not part of the browser's repository.

    Yes, DNS vulns do pose a great risk here. Because the man in the middle can easily create (forge) any new self-signed cert for the destination site from an arbitrary private key. Only if the user verifies the fingerprint of the key, can he detect the forgery. I have never seen anyone publishing the fingerprints of their SSL self-signed certificates. Actually, CAs were designed to eliminate the need for fingerprint verification.

    For another "nice" example see this post. With a self-signed certificate the user would be completely unable to detect what's going on.

  10. T-Shirt on Mozilla SSL Policy Considered Bad For the Web · · Score: 3, Insightful

    You buy a purple T-Shirt and 6 months later purple is out of fashion. Clearly the manufacturer's fault, right?

    Yes, SSL Certificates from a CA *are* expensive. Yes, you can encrypt with a self-signed cert. But that encryption is worth nothing at all. Because anyone (latest DNS vulnerabilities for instance) can easily forge these certificates, you don't know who you are communicating with in the first place. Of what use is point-to-point encryption if the man in the middle is undetectable?

    Yes, 4 clicks to define an exception rule are a pain in the ass. But because it's that painful it will cause people (like the author) to think twice before they use a self-signed cert next time. So making the web safer in the end. Don't make it too painful (will hurt adoption of product), but painful enough so that decision makers get worried. I think FF3 behaves perfectly in that respect.

  11. ACK on Why BitTorrent Causes Latency and How To Fix It · · Score: 1

    Even just prioritizing ACK packets in your upload channel can make a tremendous difference to your ping!

  12. Re:Barracuda SPAM filter on Spam Filtering For Small/Medium Business? · · Score: 2, Funny

    Thanks for this post. I didn't even know what Barracuda is until today. But I know that I have had the following header check in my postfix for a long time:
    /^From: Barracuda Spam Firewall/ REJECT Stop bouncing spam to faked sender addresses, you idiots

  13. Re:"legitimate?" on 100 Email Bouncebacks - Welcome to Backscattering · · Score: 1

    Well... what happens if the account runs out of quota? Or any other reason that the final delivery to the mailbox fails. What do you do with the message? You can't just delete it, can you?

  14. Re:ROKSO on Spammers Hijacking IP Space · · Score: 1

    Yes, that's the actual list of networks that I was referring to erroneously by the term ROKSO. Cheers.

  15. Re:By George he's got something there on Spammers Hijacking IP Space · · Score: 1

    Even cooler. You own the whole 127.0.0.0/8 subnet! That's frikin 16581375 addresses!

  16. ROKSO on Spammers Hijacking IP Space · · Score: 1

    Just add them to the ROKSO list and most ISPs won't route their traffic any more. Additionally this could be listed in the bogon zone at completewhois.

  17. One time passwords on Best Way To Avoid Keyloggers On Public Terminals? · · Score: 1

    If you have control over the email server you can configure one-time passwords.

  18. How's that a botnet on Recruiting Friendly Botnets To Counter Bad Botnets · · Score: 1

    So you make a cluster and a load balancer and call it a bot net? A bit tacky.

  19. What about other compilers? on GCC 4.3.0 Exposes a Kernel Bug · · Score: 1

    That means that all other compilers behave like the old GCCs in this case. Otherwise they would have exposed this bug already. So GCC's new behaviour could be seen as either non-standard or "innovative".

  20. Re:Oblig on Domain Key Identified Mail vs Phishing · · Score: 2, Informative

    I still want to know why challenge response e-mail never caught on.
    Because it causes backscatter. And backscatter is a Bad Thing (tm). Spammers use valid email addresses as their sender address. So that poor guy is swamped by challenge emails. This has happened to me. As a result my MTA no longer accepts ANY email from that c-r service. See where that leads to?

  21. Re:DKIM is useless and unused anyway on Domain Key Identified Mail vs Phishing · · Score: 1

    Surely forged mail (where the policy says -all) is summarily bounced
    I hope not. Forged mail should be /dev/null'ed and not bounced to (the forged) sender address.

  22. Re:Write once, run everywhere? Not always :( on You Used Perl to Write WHAT?! · · Score: 1

    pretty easy to install things from CPAN

    Then you have never tried to install an Oracle DBD from CPAN. When I did that last time (3 years ago maybe) it took me two days of cursing.

  23. Re:My favorite example on You Used Perl to Write WHAT?! · · Score: 1

    You wrote a perl script that reads the manual and generates the code?

    Actually quite an interesting approach. This way, nobody can claim that the documentation was outdated :-)

  24. not impressed on Linux Firewalls · · Score: 1

    I would say the book isn't extremely detailed about iptables. It does quite a good job explaining different kinds of attacks, but then doesn't really tell you how to prevent them. The second half (!) of the book discusses that log analyzer, which I personally find not very interesting.

  25. It probably comes down to Philosophy not being popular knowledge. I always notice that I know absolutely nothing about Philosophy when I speak to my brother, who has a bachelor's degree in Philosophy...