Slashdot Mirror


User: theCoder

theCoder's activity in the archive.

Stories: 0
Comments: 700

Comments · 700

  1. Re:CERIAS on Interview with Eugene Spafford · · Score: 1

    One of the PhD students is teaching our cs426 class right now...

    Heh, I had CS426 taught by Spaf himself :P

    Do they still have the lab where you get to play around with a UNIX shell script
    virus?

  2. Re:Still doesn't work well for me on Mozilla 1.7 to Become New Long-Lived Branch · · Score: 1

    At least your bug may be fixed. I don't think anyone is working on the two bugs that bug (heh) me the most:

    http://bugzilla.mozilla.org/show_bug.cgi?id=188706 left and right arrow keys in a textarea don't move cursor properly on very long lines
    http://bugzilla.mozilla.org/show_bug.cgi?id=238112 Focus is not set correctly when closing tabs

    The first bug can be a real problem when using Thunderbird (or posting to slashdot). The second one no one has even acknowledged :(

  3. FBI Task Force on Gnome.org Compromised? · · Score: 5, Insightful

    So, when is the FBI going to announce their special task force to track down these dangerous hackers? After all, isn't that what they did when the Microsoft code was leaked? Something tells me this won't even make the FBI's radar, though...

  4. Re:fix mail on Broadband Access Leading to Internet Breakdown? · · Score: 1

    I use Enigmail on Mozilla Thunderbird. Enigmail uses GNU Privacy Guard (GPG) to do the actual PGP related stuff (which means that other applications that also use GPG have access to the same keyring and trust rules). GPG is a little hard to use, but I don't typically interact with it except when I need to set up something. Enigmail takes care of all the signing, verifying, encrypting, and decrypting for me. When it needs my passphrase, it asks me. When it can't find a key to verify, it prompts to download it from the keyserver. The only thing it doesn't do is help manage trust relationships.

    It takes a little to set up and understand, but once it's working, it is just as efficient as regular email, and certainly doesn't triple the amount of time I spend working on email. I'm sure there are other solutions for other mail clients, and if not then you should lean on the vendor to provide them.

    I don't know why people are so averse to using security technologies when it comes to email. They don't have any problem accepting SSL to secure HTTP or using ssh over telnet (well, most people don't). But all I can say is that the solution begins with you. Only you can prevent spam, lophophore. Hmm... maybe that would make a good public service announcement :)

  5. Re:Wrongheaded policy on Astronauts, Robots to Save Hubble · · Score: 3, Interesting

    I'm really hoping the decision to not save Hubble was really a brilliant diversionary tactic to get more money for NASA. If NASA had originally committed to servicing Hubble, then they probably would have had to cut somewhere else, where probably very few people would have cared. But if they decide to scrap it, and everyone (including Congress, with all the money) rallies to save it, then NASA gets to keep the other projects and Hubble.

    The other possibility is that they just decided to dump it and didn't think people would react like this. I guess it depends on whether O'Keefe is really smart or really stupid.

  6. Re:fix mail on Broadband Access Leading to Internet Breakdown? · · Score: 1

    When email gets fixed (through authenticated access)...

    Email has been fixed for quite some time -- people just refuse to use the solution. I'm speaking of course of PGP email signatures (and also encryption). If everyone signed their emails, then worms like this could simply not propagate through email (unless people were negligent with their private keys). And spam would be easily authenticatable (and then dropped to /dev/null), or (worst case) filterable (if it wasn't signed). Plus the signing of email will slow down the spammers, much like things like hashcash do. But no, people won't accept that. Instead they complain that SMTP needs to be replaced, or some other silliness. Instead of doing something themselves to improve the situation, they demand others change to fit them.

    *sigh* sorry for the rant... I don't mean to single out you in particular. Just whenever someone says something like that, I feel obliged to point out that fixing the problem is up to you and not everyone else.

  7. Re:The meaning of "Trojan" on PhatBot Trojan Spreading Rapidly On Windows PCs · · Score: 1

    I'd like to point out that this is a worm, not a virus.

    That's probably true.

    If it needs human help to spread (between machines), it's a virus. If it spreads itself, it's a worm.

    ARGH! Look at your own link! Page 1, slide 6, "Worm vs Virus" [emphasis added]:
    • A worm is a program
      • can run independently
      • consume the resources of its host
      • can propagate a complete working version of itself to other machines

    • A virus is a piece of code
      • inserts itself into a host program
      • cannot run independently
      • requires that host program be run to activate it


  8. Re:You should also be able to see it here... on I, Robot Trailer Available · · Score: 1

    Or, you could go for the actual, direct link to the trailer.

  9. Re:Virus versus Worm? on Microsoft Mail Worms Gang War? · · Score: 1

    Please see my previous post on this topic.

    The difference between a worm and a virus is not user interaction, but whether the malware is an executable by itself. Code that infects a word document (or winword.exe itself), but can only be run by Word is a virus. Code that is a complete program is a worm (like these latest email worms). Viruses and worms by definition spread themselves.

    If user interaction is required to spread, then the malware is a trojan (like the horse). Since these emails both spread and require user interaction, they are trojan worms. A trojan that didn't spread (say, it just deleted all your files) would just be a trojan.

    HTH!

  10. Re:Ugh, these aren't viruses... on The Virus Squad · · Score: 2, Informative

    Interesting point about viruses being a type of parasite. I'm not a biologist myself (any more than high school Biology), but I can see why you would say that. I was referring to larger, multi-celled parasites in my example.

    However, you didn't take issue with my assertion that a biological virus is barely alive, and is essentially a bunch of specific DNA in a container. This is much like a computer virus and the biggest distinction between a virus and a worm (though at some point, this analogy becomes stretched). A worm is a piece of malware that is a complete program that is run by the startup scripts (or registry keys) of a system and generally spreads from one machine to another across a network. A virus is a piece of malware that "infects" other programs and gets *them* to run the virus code whenever the program is run. A computer virus cannot run by itself and generally spreads from program to program (possibly over a network). Of course, a specific piece of malware could exhibit qualities of both (such as a worm that exploits a hole in a server is somewhat like a virus), so the lines can become blurry.

    Email "worms" come in two variants -- worms and trojans. Email worms exploit a flaw in the mail handler or mail reader to propagate without user interaction (your brain-dead mail client example). They could be considered true viruses if the exploit was run entirely inside the process space of the exploited program (and didn't download the actual worm code and run that). The second type (MyDoom fits into this category) is a trojan. Much like the Trojan Horse, a trojan program is a program that looks like it should be one thing, but is in fact another. The user is the exploit in this case, and should possibly be beaten with a LART. Trojans are by far the easiest to write, and there is no real defense at the system level against them, since the system must assume that when the user says to run this program, they really want to run this program (though poor interfaces may make it easier to run a trojan).

    To get to your question, worms and especially trojans are more independent in computer terms because they execute as separate processes. You say that yourself when you state that the computer virus is only active when you run the infected program. A worm or trojan is active from when it is started. It may use an exploit to get to that point, but that is the crucial difference. This also means that the original program isn't "infected", and thus won't run the malware code if you run the program later (i.e., Outlook won't run MyDoom every time you start Outlook).

    HTH!

  11. Re:Ugh, these aren't viruses... on The Virus Squad · · Score: 3, Informative

    Who modded this up as *insightful*? Translate this to biology: "parasites are exactly the same thing as biological viruses except at a bigger scale -- instead of merely infecting cells in one body, it (sic) infects bodies in a group (or city/colony/ecosystem, etc)".

    Worms and viruses are both forms of malware, but they are not the same! They may have similar qualities, but they are not "exactly the same". Here's the critical difference -- a virus is not executable by itself. It is just some executable code that knows how to spread itself by infecting other executables (or in some cases, documents that contain executable code, like Word macro viruses). This is analogous to the biological world, where biological viruses are not full (as in independent) life forms (as I understand at least), but just a small amount of DNA in a container cell that knows how to infect a cell and replicate itself. A worm, like a parasite, is a distinct executable (organism) that just happens to need a host in order to run and spread. They are both bad, but they are distinctly different.

    And the original poster is right -- there hasn't been a large scale outbreak of a real virus in quite some time (probably a combination of malware authors getting lazy, virus scanners getting better, and viruses being more difficult to transmit over the Internet).

  12. Re:Its because they trusted Linux!!!!!! on Microsoft Source Follow-Up · · Score: 4, Insightful

    I don't think this situation is good for anyone.

    You're wrong -- it's good for Microsoft.

    No competitor to MS can look at the code and expect to survive a lawsuit (at least if they compete well enough with MS). So, MS isn't going to lose any money like that.

    Piracy isn't an issue -- Windows is already pirated enough, and MS probably profits from it in the end anyway.

    As far as new vulnerabilities being discovered, well, MS already gets a mostly free ride from 90% of the population (who think they're computer viruses, not Outlook worms), so it doesn't matter that much, and probably won't hurt their bottom line (all they really care about in the end).

    In the end, MS gets lots of free publicity as the victim. I don't see a downside for them.

  13. Re:TMTA, IBM research, and gcc/binutils on Transmeta TMS5xxx Reverse Engineered · · Score: 1

    Isn't failure to release modifications to GPLed code against the license, or am I missing something?

    Not in this case because Transmeta isn't distributing their hacked up version of gcc. Sure, if they started distributing that version of gcc, they'd have to make the code available. The GPL only requires that you give code (actually just offer to give code) to the people you distribute the binary to. Just because a tool (like gcc) is GPL doesn't mean the output of that tool must be GPL. Otherwise, no one could use gcc to compile proprietary code, and as much as we all like Free software, that would be bad in the end.

  14. Re:Oh, please on The World of Virus Writers · · Score: 2, Insightful

    I agree in part, but disagree in part as well. Certainly, if Linux had 98% of the market, there would be more worms (especially stupid user worms like MyDoom) targeting Linux. However, there is a substantial design difference between Linux (and other UNIX variants) and Windows. Linux only executes files whose execute bit is set. Windows only executes files with the right extension. Basically, what this means is that it is harder on Linux to accidentally execute a file sent to you. And any mail client that automatically set the execute bit would be considered insecure. Thus it would be harder, especially for stupid users, to propagate these worms.

    At least this would force worm writers to exploit actual vulnerabilities in software, which can be fixed. It's much harder to fix stupid (or careless) users.

  15. Re:More like... on Microsoft, Yahoo Investigate Spam Solution · · Score: 1

    Oh, it'll reduce the amount of mail sent, just not the amount of spam mail. That's not strictly true, since the amount of spam sent would go down as well, but not as much as the amount of legitimate mail.

    But I'll continue running my SMTP server as long as I'm able. Maybe I'll just start telling people about my "freemail" address that doesn't require a payment to send to.

  16. Re:No more dangerous than normal. on Another Serious MSIE Hole · · Score: 1

    It's not exactly a flaw in Outlook, per se. When the user double clicks on the attachment (in this case a zip file), it's opened by the zip handler (probably a pirated copy of winzip). Then, the user can double click on the worm in Winzip to run it. The problem doesn't really exist in Outlook, the problem exists between the keyboard and the chair :)

    I wonder how long it will be until some of these worms contain EULAs that make them perfectly legal. As other people have said, stupid users would probably still happily propagate it. Or maybe they would have to pop up ads and spy on the user's actions to be legal?

  17. Re:Choice quotes on One Company's Response to SCO · · Score: 4, Funny

    I personally like this one near the start:

    That's Darl McBride, president and CEO of the SCO Group, a perennial loser at selling UNIX and, until recently, Linux operating systems.


    [emphasis added]

  18. Re:It's about time! on The State of IPv6 · · Score: 1

    Care to offer any real facts and not just hyperbole? I'm not sure why you think that the central infrastructure of the Internet is broken. It's not broken for me and the hundreds of millions of other people who use it daily. What security problems are caused by the infrastructure of the Internet? At most, things like DDoS attacks, but IPv6 won't really solve those.

    IPv6 may be a good thing for the Internet, but to think that just because IPv4 is older it is therefore not working, is just plain wrong. In fact, because it's older, it's inherently better because it's had more time to flush out problems, both in design and implementation. You sound just like the idiots who call for the replacement of SMTP (because, you know, it's old, and like delivers spam and stuff), though at least you have a solution to your perceived problem.

  19. Re:What amazes me... on Pop-Up Ads Lead to Consumer Revolt, Ad-Blocking · · Score: 1

    ...or WeatherBug...

    My family has this on (at least) one of their computers. I'm suspicious of it, but I've never found anything for certain saying it was bad. It has a banner ad in it, but it doesn't seem to pop up anything. So, is it malware, or just ad-supported software (like Opera)?

    At least they do use Mozilla :)

  20. OT: It's not that hard on Scientists Invent Scientist · · Score: 1

    First of all, there is no "its'". Second, it is extremely easy to know which to use: whenever you're writing and you don't know which to use, think "could I use 'it is' instead?" If so, then use "it's". If not, then use "its". A little thought now and again when you're writing is not a bad thing, and grammar rules do play an important part in conveying your message. If you do not follow them, then others will tend to discount what you're saying (less so on the Internet, but more so in formal coursework -- even by engineering professors).

  21. Re:one more thing on Spammers Not Complying With CAN-SPAM · · Score: 1

    option 1: just a signature.
    that's the same problem as an email address. easy for a spammer to use someone else's.


    If someone's that careless with their private key and spammers get a hold of it, then they deserve to be joe-jobbed.

    option 2: what i think you intended: pr-key signed message digest.
    who checks the signature before dropping it in the bit bucket? each end-user? could work, but how does the proggy know where to get the public key?


    The end user for now, though as it gets more and more accepted, it could be even automated at the SMTP server level. It could also be used as another rule in a spamassassin type system. Also, some people (not me) want a whitelist email system, so they might deny all emails not signed by those on the list.

    keygen for each spam doesn't really matter if you are a spammer. who cares if someone fakes your fake signature? make fake key pairs that aren't really sets of primes. or just gen 1415 real primes and use each x,y combo to generate 1,000,405 key pairs. sure, that would be cryptographic suicide, but again, why would a spammer care if they are just going to ignore the existing laws?

    That's an interesting point. It does still raise the spammers' cost of doing business. If this becomes a problem, then perhaps filters could be written smarter to deal with poorly constructed keys.

    okay, so maybe you then slow down the servers that register pks so that people can't register keys so quickly. but just one "rogue" signature server and you are SOL. don't have all the signature servers in your list--well, then you start dropping legitimate mail. and, you create a chokepoint like DNS for people to start holding you up for charges.

    That was actually another thought I had that I didn't put into my post. Delaying the appearance of public keys on the keyservers would slow down spammers without significantly hurting everyone else (in theory, people wouldn't need to register new keys all that often). I think right now, the keyservers do have a built in time delay like that, just because of how they replicate the keys across the various servers (though I could be wrong). You're right, however, about what to do with mail that doesn't pass verification. Do you just kill it, or drop it in a folder to look at later, or send an automated reply to the sender (can be bad when we're dealing with spam)? That sort of policy decision will probably be best left up to each individual. I'd probably err on the side of caution, and glance at those emails. Others may just toss them.

    what's wrong with SPF? that seems like an idea that can work.

    SPF is a neat idea, but it's not something I can easily do. It may be another weapon in the fight against spam, but it's not one I can wield. It also makes it harder to send email (you have to send from the right IP, or relay through that right IP). I almost mentioned it in my original post as well (as another tool), but decided not to.

  22. Re:Not me on Spammers Not Complying With CAN-SPAM · · Score: 1

    tech-based solutions (like verifying the sender, etc)

    I fear this will never happen either, unfortunately. I say this because there is already (and has been around for years) a way to do this, but very few people use it. The very simple solution is to sign all your messages. No changes to SMTP or DNS or other mail infrastructure are required, so all it takes is for individuals to start doing it. If everyone starts signing their email, then Spammers will have to as well, or risk getting sent to the bit bucket. Just the act of signing will increase their costs (CPU time to compute the sign), but it also causes them to be easily identified. It wouldn't take long for people to start a list of known spamming keys (signed, of course, so the spammers couldn't mess that up). In theory, spammers could generate a key for each spam (or groups of spam), but that would still increase their costs.

    As an added bonus, people would have an easy way to start encrypting messages sent to one another. I'm still waiting to hear why this wouldn't work (and it's too hard doesn't count -- the existing anti-spam methods already make my life too hard).

    I sign all my outgoing email messages. If you do as well, that's great! If not, why not?

  23. Re:Compare with Europe on Identity Theft and Social Networks · · Score: 2, Insightful

    If I want to store money in some bank under whatever name I want, why shouldn't I be able to do it?

    Well, if it's an interest bearing account, then the IRS may want to know about it, since IIRC, dividends are taxable income (though with current rates, it's not very much).

    Also, the bank wants to know it's you, so that when you come back later for your money, they can still verify it's you :)

    Finally, there's the crime issue. Criminals would love to be able to just store their money under any name, as that would make it much harder for the authorities to find it.

  24. Re:Longhorn to be Linux Standards Compliant ? on More Linux Predictions for 2004 · · Score: 1

    drive letters are primarily provided for backwards compat. They're slowly going away.

    Really? That must be why you still have a %HOMEDRIVE% environment variable (the $ syntax doesn't work in MS shells).

    NT is unix compatible enough that you can clean compile many userland unix things from source...

    Yes, that must be why I never have to curse NT when it doesn't do even basic things correctly. I work on a large (10000+ file) software baseline that was written for UNIX but does compile on win32. We have a great many workarounds for Windows oddities (everything from backslashes instead of slashes to threading issues). You're right, it does mostly work, but it's that 10% of the time that basic things are broken that just make me want to scream (one of our unit tests fails because Windows refuses to delete a file, no matter how many times we call unlink() on it).

    Please let me know when you find something where NT differs from unix where the unix design is "obviously better to everyone".
    • Symlinks. They aren't hard to implement. But Windows doesn't support them (shortcuts don't count because they don't work transparently or at a filesystem level). Cygwin helps with this (fairly well, actually), but only for cygwin applications.
    • Spaces in file names. Sure, most unixes support them, but no one really thinks they're that great of an idea. And going out of your way to add spaces to common directories is just ridiculous. "Program Files" is redundant -- "Programs" would have sufficed. What else (besides directories, which are in there) am I going to put there? It just makes Windows hard to use from the command line. "My Documents" is another example. Of course they're my documents -- they wouldn't be on my computer if they weren't! Added to that, if I do store someone else's documents, I can't very well put them under "My Documents" and have it appropriate, now can I? And while I'm on the topic, is "home" just too short for MS? Why "Documents and Settings"? /home/theCoder is much easier than /Documents\ and\ Settings/theCoder.
    • Backslashes. Everyone else uses forward slashes for directory separators. Can't MS get with the program? Backslashes are used to escape characters. Though here it's not obviously better, just the convention.
    • Semicolons as path separators. Semicolons separate statements on the command line -- not paths in your PATH environment variable (colons separate paths). Again, not better or worse as a matter of course, just the convention of every other system!
    • Console applications popping up message boxes. I have over 400 automated unit tests in my project at work. If something fails to compile in the development workspace, chances are the unit test isn't going to be able to be run (missing DLL). But when the unit test is run, instead of writing an error to the error stream (and thus to the output file), I get a message box telling me it can't find the DLL. Which is really nice when I come back and find that test 82 can't find the required DLL and testing is stopped. On UNIX, I just get a report of which tests failed (missing libraries can be one of those failures). And if one test fails like this on Windows, chances are more will (missing libraries cause lots of tests to fail). So, I either have to sit there pressing return a lot, or lock the screen and leave a stapler on the "Enter" key (which will press return for me). Annoying though.
    • Signals are apparently just plain broken on win32. I have yet to figure out the definitive reason why the unit test that deals with signals in our baseline breaks on win32, other than that signals (especially catching signals) are just plain broken on win32.
    • How about a /proc filesystem? Granted, not every UNIX is the same here, but 'cat /proc/cpuinfo' or 'cat /proc/meminfo' on
  25. Re:Answers? Maybe I'm missing something on Microsoft Sends Linux Survey · · Score: 1

    I don't know about gaming, but (un)installing software on Linux is so much easier and better than Windows it's not even funny. Everyone always complains about different package managers in Linux being difficult to use, but they forget that Windows has no package management system to speak of at all! Sure, there are some uninstallation registry keys that can be set, but there's no dependency management, and (un)installation consists of running some 3rd party binary.

    That's not to say that Linux package management is perfect, but when compared to Windows (which has practically nothing), it's much better, and it (portage in my case) is one of the big benefits to using Linux.