This smells bad. Sun have been forcing the monopoly thing down Microsoft's throat for so long, and now there they are victim of themselves again.
The note is certain to be used by Microsoft in their appeal against the Java injunction.
In particular the points about Java code being tied to a particular runtime completely negate Sun's claims about the need to distribute in the O/S base. Clearly that is not going to help much since Sun have no clue about dependency management.
Consider the following thought experiment. Microsoft distribute 30Mb of Java 1.3 with XP. Then Sun upgrade to 1.4, what does Microsoft do? Do they distribute 1.4 on the new O/S versions only, add it to the current release of XP or put it on instant update? None of these work. The instant update option will break existing Java applets on the system. Mixed versions of Java will mean that consumers buying a Java based program will not be able to rely on the release number of XP to decide whether the program works on their machine. Waiting till the next O/S version is released will result in a lawsuit from Sun.
The note shows clear similarities to the early articles on C# explaining the difference in approach between Java and dotNet. If the Java lobby was not so convinced that Java was the end of program language design they would have realised their significance.
To give one example, the version incompatibility problem is known to Windows developers as 'DLLHell'.
My company uses Java for a lot of projects. I would not be surprised however if we didn't end up on .NET server with the applications compiled down to native code through J# and IL.
Unfortunately Sun don't have a level 5 leader in charge. They have an egotistical idiot who is concentrated like a laser on another company's business instead of his own. Antics like those of McNealy and Ellison play well in the press but, measured by the success of the company's stock price, leaders like Jack Welch or Lee Iacocca don't do as well as their PR would have it. Iacocca may have saved Chrysler (it might also have been the government loans) but once he started concentrating his energies on being a folk hero Chrysler's performance went back down the tubes. Similarly Jack Welch's performance does not look that hot if you look at the growth in GE earnings rather than the stock price - which is certain to shrink as GE returns to its old P/E multiple.
One of the things a level 5 leader does is to encourage comment. The memo only says what others outside Sun have been saying for eight years.
My take on the Sun/Microsoft Java war is based on a lot of time working in standards groups with both groups of engineers. I think that the Microsoft engineers thought they could improve Java and got frustrated because the Sun engineers behaved - well like Microsoft engineers sometimes do.
Of course this will all be rationalised away. Of course it was all the fault of the Redmond club's evil schemes. Nobody outside Sun has any ideas of any value and Sun's JCM is genuinely open and not a proprietary farce.
Actually the opt-out list approach is being pushed by the DMA as a way to try to avoid other measures.
The first problem is whether the list will be used as a source of email addresses to spam. This can be avoided if Phill Hallam-Baker's proposal of a one way encrypted opt-out list was used. The proposal was made 6-8 years ago and I don't think he applied for a patent. He has been hawking the idea around policy circles from time to time.
Another issue is the tripwire offense effect. The fact is that the vast bulk of spam is sent with criminal intent or close to it. The Nigerian letters and multi-level marketing schemes are fraud pure and simple. That leaves the quack medicines whose sales pitches are rarely FDA compliant.
One justification for legislation would be if email spam provided a clear cut case for prosecuting these scam artists. Instead of a costly to the taxpayers jury trial on the question of whether the FDA rules were broken, a quick and cheap bench ruling that the scum don't have any case.
Another more pragmatic point is that it is a good plan to give legislators something to do that is OK rather than leave them to invent something really clueless.
Your recent email to me re: $subject was identified as spam and has been deleted unread. If this message was important please make it less spam-like and then resend it.
That is not an appropriate response. You are effectively telling the sender to censor what they write because you have a stupid filter.
It is pretty easy to set up a system that allows you to attach a password to the post so that they can resend it with the password and get through.
For example to take the simplest approach take a secret password "flobalobadob", take the sha1 hash of the password and store it as the key K.
When a suspicious message arrives from alice@bongo.org use a standard crypto library to calculate HMAC-SHA1 of ("alice@bongo.org", K). Encode the result as Base32 or hexadecimal, truncate to a manageable length if you wish, that is the password for that user.
The user can simply resend the message with the passphrase and your filter can check the passphrase by recalculating it against the sender address.
Telling people to avoid HTML because you have a broken scheme is bush league. We should not allow these spam sending bastards to reduce the quality of our environment. That is giving in to them.
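The per-sender passphrase scheme sketched in this post, written out as an added example (this is not code from the original thread). It follows the post exactly where the post is specific: K = SHA-1 of the password "flobalobadob", the token is HMAC-SHA1 keyed with K over the sender address, Base32 encoded and truncated. The truncation length of 12 characters, the `[pass:...]` marker in the Subject line, the address normalisation and the sample addresses are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional

# The password is the one the post uses; the token length and the "[pass:...]"
# Subject marker are assumptions made for this example.
SECRET_PASSWORD = "flobalobadob"
TOKEN_LENGTH = 12


def derive_key(password: str) -> bytes:
    """K = SHA-1(password), as the post describes (20 bytes)."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def normalise_address(addr: str) -> str:
    """Fold case and strip whitespace so a resend from 'Alice@Bongo.org' still verifies."""
    return addr.strip().lower()


def sender_token(addr: str, key: bytes, length: int = TOKEN_LENGTH) -> str:
    """Per-sender passphrase: Base32(HMAC-SHA1(K, sender address)), truncated.

    HMAC-SHA1 is what the post names; collision attacks on SHA-1 do not affect
    HMAC, though a new deployment would more likely pick SHA-256.
    """
    mac = hmac.new(key, normalise_address(addr).encode("utf-8"), hashlib.sha1).digest()
    return base64.b32encode(mac).decode("ascii").rstrip("=")[:length]


def challenge_text(addr: str, key: bytes) -> str:
    """Body of the bounce sent only for messages the filter flagged as suspicious."""
    return (
        "Your message was held by a spam filter. To get it through, resend it with\n"
        f"[pass:{sender_token(addr, key)}] anywhere in the Subject line."
    )


TOKEN_RE = re.compile(r"\[pass:([A-Z2-7]+)\]")  # Base32 alphabet


def extract_token(subject: str) -> Optional[str]:
    """Pull the presented token out of a resent message's Subject, if any."""
    m = TOKEN_RE.search(subject)
    return m.group(1) if m else None


def passes_filter(sender: str, subject: str, key: bytes) -> bool:
    """Recompute the token for the envelope sender and compare in constant time.

    Because the token is keyed to the address, a token lifted from one sender's
    challenge is useless on a forged message claiming any other address.
    """
    presented = extract_token(subject)
    if presented is None:
        return False
    return hmac.compare_digest(presented, sender_token(sender, key))


if __name__ == "__main__":
    K = derive_key(SECRET_PASSWORD)
    print(challenge_text("alice@bongo.org", K))
```

Nothing about the token has to be stored per sender: the filter only keeps K and recomputes on every resend, which is what makes the scheme cheap. The constant-time comparison matters because the token is short enough that a prefix-matching timing leak would make guessing it practical.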
The idea is that you send out an email confirmation, similar to tmda, for only that email which is considered spam (by SpamAssassin). This means that most of your regular communications would go unhindered.
I was actually just proposing the exact same idea, but in combination with authentication.
I think that the idea of indiscriminate callback loop requests is pretty rude and insulting. It is basically saying that you are too important to bother to read just any mail sent to. Folk who do this on a repeat offender basis are just psychopaths.
However I like it as an alternative to just putting the email into the bit bucket unread. Essentially what you are doing is adding a last ditch attempt to salvage the email.
I would however suggest some slight tweakage. First I would suggest that you support sender authentication mechanisms as a whitelist mechanism in addition to filtering. The problem with filtering is that lots of useful content like newsletters also gets filtered even if specifically requested by the user.
Second I think there is a need to make sure that there is a mechanism that allows someone who did not send the original message to automatically identify your challenge message as such and deep six it without having to view it. There are techniques that could be used in the construction of the password that would facilitate this.
Clearly these types of measures require modification to some of the Internet infrastructure, but getting that to happen is my job.
If the message is signed then you know that it came from that individual. You should not require further authentication, you might however decide to use authorization.
So by that logic, if a spammer sends me mail that is signed, I am obliged to accept it. I don't think so.
Seems you don't bother to read what other people write either.
Your callback loop is performing authentication. What you are talking about is authorization.
If spammers start signing their messages an appropriate response would be to have a whitelist of people who you have authorized to send you email. If you have a strong authentication mechanism you can include or exclude people on the basis of their domains, for example allow mail from anyone in mit.edu, exclude anything from goatse.cx etc.
It makes you look like an asshole to make assumptions about people. Despite your rude presentation
I happen to consider your callback hack rude so now you know.
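The domain-based whitelist this reply describes, as an added example that is not code from the original thread. It assumes the sender identity has already been verified by something like an S/MIME signature check, represented here by a boolean, and then applies authorization on top: an entry is either a full address or a domain, a domain covers its subdomains on a label boundary only, deny wins over allow, and an authenticated but unknown sender is handed on to the statistical filter rather than accepted. Apart from mit.edu, which the reply names, every list entry and address is a constructed placeholder.

```python
from typing import Iterable

# Constructed policy for the example: mit.edu is the domain the reply names,
# everything else is a placeholder.
ALLOW = ["mit.edu", "carol@example.org"]
DENY = ["spam.example", "badlab.mit.edu", "mallory@example.net"]


def address_domain(addr: str) -> str:
    """Domain part of an address, lower-cased; rejects anything that is not user@domain."""
    local, sep, domain = addr.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox address: {addr!r}")
    return domain


def matches_entry(addr: str, entry: str) -> bool:
    """An entry is a full address or a domain.

    A domain entry covers its subdomains on a label boundary, so 'mit.edu'
    covers 'csail.mit.edu' but not 'evilmit.edu' (a plain suffix match would).
    """
    addr = addr.strip().lower()
    entry = entry.strip().lower()
    if "@" in entry:
        return addr == entry
    domain = address_domain(addr)
    return domain == entry or domain.endswith("." + entry)


def authorize(sender: str, authenticated: bool,
              allow: Iterable[str] = ALLOW, deny: Iterable[str] = DENY) -> str:
    """Decision for one message: 'allow', 'deny' or 'filter'.

    Only an authenticated identity can earn 'allow' or 'deny'. Without that
    step a forged From: header matching a whitelist entry would bypass the
    filter, which is the reason authentication has to come first.
    """
    if not authenticated:
        return "filter"
    if any(matches_entry(sender, e) for e in deny):
        return "deny"      # deny takes precedence over allow
    if any(matches_entry(sender, e) for e in allow):
        return "allow"
    return "filter"        # genuine but unknown sender: statistical filter decides


if __name__ == "__main__":
    for who in ["bob@mit.edu", "x@badlab.mit.edu", "bob@evilmit.edu", "anon@spam.example"]:
        print(who, "->", authorize(who, authenticated=True))
```

The label-boundary check is the detail most often got wrong in lists like this: `endswith("mit.edu")` alone would let anyone who registers a look-alike domain ending in those letters onto the whitelist.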
I use a similar method as a filter, and could care less whether or not an email is signed
Read, could care less how much aggravation you cause others.
If the message is signed then you know that it came from that individual. You should not require further authentication, you might however decide to use authorization.
I have had lots of people use this over the last couple of years. I have only received positive feedback about it,
Duuhhh, hardly surprising since you filter out any negative responses.
The point is that this type of scheme is only going to be socially acceptable if few people use them. As soon as lots of people do so they will rapidly become an annoyance. In effect you are reducing your spam by .
It looks like you are also one of the major assholes who sends a callback message every time they get a message from someone you consider insufficiently important. Most people would think that responding to one callback should be enough to be whitelisted by default.
Regarding the mailing list archives.. I have been a member of mailing lists for years and never received spam masquerading as one. That is not to say that it can't or won't happen though.
It probably just means that you have been lucky. This behavior has been happening for quite some time. Of course, since you claim to have an email hack to stop spam the problem would be hitting everyone else.
It's the union's fault that I have to pay a 4 man crew a minimum of 4 hours pay each to unload 3 cases from my personal vehicle. It's the union's fault I have to pay a separate 4 man crew to carry the cases to my booth. (
And you pay the crew directly? No didn't think so.
What you are saying is that the conference organizers gouge you for a minimum of 4 hours on the unload and then gouge you again for carrying it.
Don't blame the workers for being better at bargaining than you appear to be.
It seems that Spam Interceptor [si20.com] has a solution for this stated here [si20.com] where you replace a mailto link with a link to the authorization
Hardly, had you read my post rather than being a rather obvious shill for the product you mention you would have seen that I don't think that bombarding everyone with callback messages is an acceptable solution. There are better forms of authentication available than email callback loops that do not require end user intervention.
If everyone used this method the spam senders would simply extend a technique they are already using, taking email archives from the internet and forging messages purporting to come from one of the people on the list to the other list members. The person whose address was stolen would then get a massive attack of loopback messages.
If you want to authenticate senders the solution is S/MIME, an IETF specification that is designed to do email authentication without user intervention.
As stated lower in this thread, if you have to manually check your spam folder for "false positives", the filter is utterly useless since you are still checking for spam
I attended the conference on spam at MIT. The conference would have been more accurately labelled a 'solving spam with the hammer we know about' conference since no other solutions were accepted - although several people besides myself submitted authentication based papers.
The big problem with the Bayes approach is false positives. Lots of great statistics were quoted but the claims were simply not credible. I don't believe that Spam is such a simple problem that the performance of naive Bayesian techniques is several orders of magnitude better on that problem than any other.
So really the trick is to swing the problem around. START from the problem of making sure that anyone with a legitimate reason to contact me can do so without interference from statistical filtering techniques. The proper place to apply those is on the mail I cannot authenticate in that way.
I dislike the bounce-back loop as a filter for personal correspondence. I think it is great for the purpose of a lightweight authentication mechanism for mailing list subscriptions. I get very irritated when people use it to filter email, particularly since all my email is signed. People should not substitute their ad hoc authentication mechanisms without first supporting deployed standards.
The other problem with call back loops is that if they are used widely they will become a bigger problem than the spam, this is why I have been urging Microsoft et. al. NOT to support them. The trick that the spammers have developed to get round the callback loop is to steal addresses off mailing list archives and send forged messages to the other members of the list. So work out the effect that deployment of the naive bounceback hack would have.
As an IT professional for the past 10 years, I can tell you that my employer has stopped expensing people's trips to Comdex.
We had a similar but opposite problem. Basically the sales people who would normally go to Comdex en masse were not going because they were not going to meet enough customers to make it worthwhile. So as a result the field marketing people were finding that their booth roster which would normally be oversubscribed was actually short of people.
I think that Comdex have just discovered that they are in a cyclic business - which in part explains the ludicrously high margins that they could make in the good times.
Another area that saw the same sort of effect was training. I used to wonder just how the training companies could charge such huge amounts. Then when the crash came the reason became obvious, training budgets were the first to go. So a training company with 50 people making gross margins of 50% would see their revenue cut by 75% overnight, suddenly they are making a huge loss.
So basically the training companies and the conference companies work in the same type of mode. The companies that succeed do so because they hit exactly the right spot in the business cycle. The market never matures sufficiently to become a commodity business because the market leaders get chopped back or go bankrupt every 10 years or so with the business cycle.
Preach it, brother. And in a few years when trade shows in general are decimated, I bet we'll see these same unions whine about the unfairness of it all and demanding a taxpayer handout in the billions,
That is utter crap. It isn't Union labor that is responsible for the conference hall charging $20/day for an $8 chair. The conference hall charges have nothing at all to do with what they pay their employees, they are simply gouging on the part of the conference hall operators.
If you have a meeting in a hotel the hotel will charge you $20 a piece for an 'executive meeting maker', that is a 5"x7" pad of 10 sheets of cheap paper with the hotel logo crudely printed on it and a cheap pen which together cost perhaps 5 cents. Add in another 5 cents worth of hard boiled sweets and that's it.
Of course it is much easier to blather on about evil unions. Prejudice is sooo much easier than thinking for yourself.
But it should have, because it clearly gave the user more access (command line equivalence) to a (presumably) privileged account.
I was stating the facts and leaving the reader to draw normative conclusions.
The problem was that 'security' was seen as applying cryptography to the HTTP protocol. The idea that security might mean not implementing braindamaged features never occurred...
CGI was one of those quick and dirty hacks that just stuck. The problem was that at the time the implementation of shared libraries on UNIX was very new and on many platforms did not really work. So creating server plug-ins meant you had to relink the server each time which was painfully slow.
It sounds like (at the press conference today) they are getting a lot of military involved in the investigation panels. Why military?
That is not too surprising since NASA is a quasi-military outfit. All the early astronauts were test pilots, all the shuttle commanders and pilots are military officers.
The shuttles are built by military contractors and much of the design is classified as military secrets. Basically if you understand how to build those booster rockets you understand a good deal that would help you build an ICBM.
Basically the military is the main place outside of NASA you would find the expertise to examine the issues. The other place would be the elite engineering universities like MIT.
However expertise is not everything. Feynman did not find out about the rubber O rings himself, he just knew how to ask the right questions to get to the bottom of things. He was actually tipped off about the O rings. However the panel could dismiss the peons who were suggesting an O ring failure but there was no way they could dismiss Dick Feynman.
It will be interesting to see how 'independent' the investigation ends up being. If it's like the 9/11 investigation we will know there is something they need to hide.
My top pick to head the committee would be Ted Postol of MIT. I doubt he is the administrations pick. Although the Democrats in Congress might possibly get a clue and select him as one of their picks.
Baird invented the television, blah blah blah, Turing invented the computer, blah blah blah, Lukas invented shitty car parts, blah blah blah...
Actually Baird was a poseur.
The first real TV system was assembled by the engineering dept of the BBC in a bake off that was set up essentially to shut Baird up.
They used a bunch of ideas that had been developed by others, in particular the cathode ray tube. They get the claim to invent TV because they were the first to do it over radio signals at a distance (as in Tele...)
When Rob and ARI hacked up CGI it was done as an overnight hack in about 18 hours total. It was not a protocol change so it got no security review.
My first response was 'you what?'
Over the next few years we saw countless exploits of the form 'add this to the command line arguments, execute an arbitrary command'.
This is one reason why I so hate 'its only like what we do before' type security arguments. What you are already doing may be braindamaged.
People like to complain about IIS security but they fail to acknowledge that the single architectural issue that has led to those exploits is structurally similar to CGI. The game is to persuade a script to execute an arbitrary command.
Apache has had fewer exploits simply because the bugs are attributed to the braindamaged scripts written by the users.
If you want to run a secure Web server the thing to do is to turn off all scripting. Compiling the scripts and linking them into the server as a plug in is a lot more satisfactory as an architectural approach, especially if you have ways to reduce the privileges of that module to least priv.
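The exploit shape this post describes ("add this to the command line arguments, execute an arbitrary command") comes from splicing a request parameter into a string that a shell then re-parses. As an added example that is not code from the original post, the vulnerable pattern is shown next to its hardened form: an allow-list on the value plus an argv list executed without a shell. The `finger` lookup, the username format and the use of `echo` as a stand-in binary are assumptions made so the example runs anywhere; the vulnerable builder only returns the string and never executes it.

```python
import re
import subprocess

# Allow-list for the one value this hypothetical lookup script accepts (assumed format).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")
# Characters a POSIX shell would interpret rather than pass along as argument text.
SHELL_META = re.compile(r"[;&|`$()<>\\\"'\n]")


def vulnerable_command_line(username: str) -> str:
    """The CGI-era pattern: splice the query-string value into a command line that
    is then handed to a shell via os.system()/popen(). Returned here, never run."""
    return "finger " + username


def shell_would_reparse(cmdline: str) -> bool:
    """True if a shell would treat part of this line as more than plain arguments.
    This is the check a code reviewer applies, not a runtime defence."""
    return SHELL_META.search(cmdline) is not None


def is_acceptable_username(username: str) -> bool:
    """Allow-list validation: the value must look like a username, nothing else."""
    return USERNAME_RE.fullmatch(username) is not None


def hardened_lookup(username: str) -> str:
    """Validate, then exec an argv list with no shell in the loop.
    'echo' stands in for the real lookup binary so the example runs anywhere."""
    if not is_acceptable_username(username):
        raise ValueError(f"rejected: {username!r} is not a plausible username")
    done = subprocess.run(["echo", username], capture_output=True, text=True, check=True)
    return done.stdout.rstrip("\n")


def argv_is_data(value: str) -> str:
    """Second line of defence shown on its own: without a shell, one argv element is
    inert, so metacharacters reach the program verbatim instead of being executed."""
    done = subprocess.run(["echo", value], capture_output=True, text=True, check=True)
    return done.stdout.rstrip("\n")


if __name__ == "__main__":
    hostile = "alice; id"
    print("shell would see:", repr(vulnerable_command_line(hostile)),
          "reparsed:", shell_would_reparse(vulnerable_command_line(hostile)))
    print("argv element echoed back verbatim:", repr(argv_is_data(hostile)))
    print("hardened lookup:", hardened_lookup("alice"))
```

The two defences are independent: the allow-list stops anything that is not a username from reaching the lookup at all, and the argv list means that even a value which slipped through validation is data to the child process rather than syntax for a shell. The post's closing point about linking the handler into the server applies on top of both, since it removes the process spawn entirely.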
Like Sun makes a profit from selling their workstation line... They offer inexpensive workstations to drum up support for the bigger fish. Sun's bread and butter is from the mid-range on up to the E10k/12k/15k.
That market is owned by Symbolics
oops... make that, that market is owned by DEC
oops... make that, that market is owned by SGI
oops...
There is no high end. Companies in that bracket tend to die. Universities don't teach their students on Sun boxes any more. Well not unless they are given away.
You're not likely to see 128- or 512-bit general-purpose computers in your lifetime, I'm afraid. The increase from 32-bits to 64-bits isn't for performance reasons, it's for memory addressing.
Actually Very Long Instruction Word machines were in vogue about ten years ago. Yale built a 512-bit machine. The compiler technology ended up being the most interesting stuff however, it was bought by Cray and resold to various companies ending up in the Intel compilers.
DNS is not supposed to be a "lookup service for http transfers". Assuming that every lookup will be because of web browsing (by IE no less) is stupid. It's not even a good hack. As someone else who has replied to this article has pointed out it may not even cover the majority of users. What about all those email servers bouncing email all over the place? What about all the peer-to-peer users? VeriSign would end up getting an enormous amount of non-web related connections hitting their "default IP".
First off email is going to be affected very little because there won't be MX records in the zone and port 25 won't answer. So the end user will get back an error message. Life will go on without bad things happening. Peer to peer will be much the same.
Secondly, in the real world IE won the browser wars, live with it. The end users voted with their mice.
Ad hoc configurations to ease in infrastructure transitions have always taken place in the real world and the old farts of the IAB have mostly resisted them. They stuck their heads in the sand on the 32 bit address problem issuing notices about how dreadful NAT is. Fact is that without NAT the Internet would already be out of addresses. But don't expect the IAB to pro-actively investigate ways of making NAT really work well. They have decided not to bother with that until IPv6.
Bruce Schneier for Security Chief!!!!
Bruce would be a lousy choice, there is no way he would toe the administration line. He would say politically incorrect things like John Ashcroft stinks as AG. He might even believe in that quaint document called the constitution or due process. He also has quaint ideas about counting the votes in elections.
Oh you mean Bruce might be good at securing things rather than being a shill for whatever line Karl Rove thinks will play in the opinion polls?
I understand that having non-ascii characters in host/domain names would be desirable, however if they can't do it without breaking the DNS protocol, then they should get their ass right back to the R&D lab and try harder.
If the IAB were not almost exclusively American academics this whole spec would have been finished four years ago. Instead they are happy to discuss any issue for years so long as there is no danger of a resolution.
It is particularly ironic that they are waffling about DNSSEC since it is the timidity and ineffectiveness of the IAB and IESG that has caused that spec to be delayed so long. It has taken three years for them to accept that the original DNSSEC spec was broken.
Internationalization and DNSSEC have been going on for ten years. The IAB seem quite content for them to go on for another ten years.
So don't get too excited by IPV6. It does not look likely that anyone is going to kick the IAB and IESG into action.
So now the only meaning for name resolving is to use IE, no other browsers, nor other protocols (i.e. mail).
The I18N specification has been published by the IETF for a long time.
The point is to drive deployment of I18N through the existing root infrastructure. The IE plug in means that 90% of the browsers in use can use the international names today.
There is not much point in doing a Mozilla plug in. The Mozilla user base tends to upgrade pretty regularly and will pick up the internationalization code soon enough. That is meant to be the whole point of open source.
I can't wait to see the next O'Reilly book: "Verisign DNS vs BIND"
BIND also supports the international names.
The real story here is people who actually want to deploy stuff versus the foot draggers in ICANN and the IETF. The IETF has been dicking around for at least six years on this issue and no closer to a resolution.
I know it's present in some legacy systems, and supported by Compaq for that reason. But why would we want VMS on new hardware? What new stuff runs on VMS these days?
Pretty much anyone serious about process control or mission critical stuff uses VMS. UNIX simply cannot compete with the levels of reliability those systems routinely achieved. Uptime measured in years is normal. Unscheduled downtime is due to hardware failure - PERIOD.
No. I am not. It is my opinion that there were a lot of good systems before (you know who) starts to create unmanageable from the security point of view systems like
Fortunately it does not appear that anyone takes much notice of your opinion.
VMS had very tight isolation between the processes, each of which ran in a completely separate address space.
When people start holding up VM as an example of how to structure an O/S for anything you know they are blowing smoke. VM was so dysfunctional that users could not even share files without major aggravation. This led to account sharing on a massive scale at CERN.
The note is certain to be used by Microsoft in their appeal against the Java injunction.
In particular the points about Java code being tied to a particular runtime completely negates Sun's claims about the need to distribute in the O/S base. Clearly that is not going to help much since Sun have no clue about dependency management.
Consider the following thought experiment. Microsoft distribute 30Mb of Java 1.3 with XP. Then Sun upgrade to 1.4, what does Microsoft do? Do they distribute 1.4 on the new O/S versions only, add it to the current release of XP or put it on instant update. None of these work. The instant update option will break existing java applets on the system. Mixed versions of java will mean that consumers buying a Java based progam will not be able to rely on the release number of XP to decide whether the program works on their machine. Waiting till the next O/S version is released will result in a lawsuit from sun.
The note shows clear similarities to the early articles on C# explaining the difference in approach between Java and dotNet. If the Java lobby was not so convinced that Java was the end of program language design they would have realised their significance.
To give one example, the version incompatibility problem is known to Windows developers as 'DLLHell'.
My company uses Java for a lot of projects. I would not be suprised however if we didn't end up on .NET server with the applications compiled down to native code through J# and IL.
Unfortunately Sun don't have a level 5 leader in charge. They have an egotistical idiot who is concentrated like a laser on another companies business instead of his own.Antics like those of McNeally and Ellison play well in the press but measured by the success of the companies stock price leaders like Jack Welch or Lee Iaccoca don't do as well as their PR would have it. Iaccoca may have saved Chrysler (it might also have been the government loans) but once he started concentrating his energies on being a folk hero Chrysler's performance went back down the tubes. Similarly Jack Welch's performance does not look that hot if you look at the growth in GE earnings rather than the stock price - which is certain to shrink as GE returns to its old P/E multiple.
One of the things a level 5 leader does is to encourage comment. The memo only says what others outside Sun have been saying for eight years.
My take on the Sun/Microsoft Java war is based on a lot of time working in standards groups with both groups of engineers. I think that the Microsoft engineers thought they could improve Java and got frustrated because the Sun engineers behaved - well like Microsoft engineers sometimes do.
Of course this will all be rationalised away. Of course it was all the fault of the Redmond club's evil schemes. Nobody outside Sun has any ideas of any value and Sun's JCM is genuinely open and not a proprietary farce.
The first problem is whether the list will be used as a source of email addresses to spam. This can be avoided if Phill Hallam-Baker's proposal of a one way encrypted opt-out list was used. The proposal was made 6-8 years ago and I don't think he applied for a patent. He has been hawking the idea arroud policy circles from time to time.
Another issue is the tripwire offense effect. The fact is that the vast bulk of spam is sent with criminal intent or close to it. The Nigerian letters and multi-level marketing schemes are fraud pure and simple. That leaves the quack medicines whose sales pitches are rarely FDA compliant.
One justification for legislation would be if email spam provided a clear cut case for prosecuting these scam artists. Instead of a costly to the taxpayers jury trial on the question of whether the FDA rules were broken a quick and cheap bench rulling that the scum don't have any case.
Another more pragmatic point is that it is a good plan to give legislators something to do that is OK raqther than leave them to invent something really clueless.
That is not an appropriate response. You are effectively telling the sender to censor what they write because you have a stupid filter.
It is pretty easy to set up a system that allows you to attach a password to the post so that they can resend it with the password and get through.
For example to take the simplest approach take a secret password "flobalobadob", take the sha1 hash of the password and store it as the key K.
When a suspicious message arrives from alice@bongo.org use a standard crypto library to calculate HMAC-SHA1 of ("alice@bongo.org", K). Encode the result as Base32 or hexadecimal, truncate to a manageable length if you wish, that is the password for that user.
The user can simply resend the message with the passphrase and your filter can check the passphrase by recalculating it against the sender address.
Telling people to avoid HTML because you have a broken scheme is bush league. We should not allow these spam sending bastards to reduce the quality of our environment. That is giving in to them.
I was actually just proposing the exact same idea, but in combination with authentication.
I think that the idea of indescriminate callback loop requests is pretty rude and insulting. It is basically saying that you are too important to bother to read just any mail sent to. Folk who do this on a repeat offender basis are just psychopaths.
However I like it as an alternative to just putting the email into the bit bucket unread. Essentially what you are doing is adding a last ditch attempt to salvage the email.
I would however suggest some slight tweakage. First I would suggest that you support sender authentication mechanisms as a whitelist mechanism in addition to filtering. The problem with filtering is that lots of useful content like newsletters also gets filtered even if specifically requested by the user.
Second I think there is a need to make sure that there is a mechanism that allows someone who did not send the original message to automatically identify your challenge message as such and deep six it without having to view it. There are techniques that could be used in the construction of the password that would facilitate this.
Clearly these types of measures require modification to some of the Internet infrastructure, but getting that to happen is my job.
So by that logic, if a spammer sends me mail that is signed, I am obliged to accept it. I don't think so.
Seems you don't bother to read what other people write either.
Your callback loop is performing authentication. What you are talking about is authorization.
If spamers start signing their messages an appropriate response would be to have a whitelist of people who you have authorized to send you email. If you have a strong authentication mechanism you can include or exclude people on the basis of their domains, for example allow mail from anyone in mit.edu, exclude anything from goatse.cx etc.
It makes you look like an asshole to make assumptions about people. Despite your rude presentation
I happen to consider your callback hack rude so now you know.
Read, could care less how much aggravation you cause others.
If the message is signed then you know that it came from that individual. You should not require further authentication, you might however decide to use authorization.
I have had lots of people use this over the last couple of years. I have only recieved positive feedback about it,
Duuhhh, hardly suprising since you filter out any negative responses.
The point is that this type of scheme is only going to be socially acceptable if few people use them. As soon as lots of people do so they will rapidly become an annoyance. In effect you are reducing your spam by .
It looks like you are also one of the major assholes who sends a callback message every time they get a message from someone you consider insufficiently important. Most people would think that responding to one callback should be enough to be whitelisted by default.
Regarding the mailing list archives.. I have been a member of mailing lists for years and never received spam masquerading as one. That is not to say that it can't or won't happen though.
It probably just means that you have been lucky. This behavior has been happening for quite some time. Of course, since you claim to have an email hack to stop spam the problem would be hitting everyone else.
And you pay the crew directly? No didn't think so.
What you are saying is that the conference organizers gouge you for a minimum of 4 hours on the unload and then gouge you again for carrying it.
Don't blame the workers for being better at bargaining than you appear to be.
Hardly, had you read my post rather than being a rather obvious shill for the product you mention you would have seen that I don't think that bombarding everyone with callback messages is an acceptable solution. There are better forms of authentication available than email callback loops that do not require end user intervention.
If everyone used this method the spam senders would simply extend a technique they are already using, taking email archives from the internet and forging messages purporting to come from one of the people on the list to the other list members. The person whose address was stolen would then get a massive attack of loopback messages.
If you want to authenticate senders the solution is S/MIME, an IETF specification that is designed to do email authentication without user intervention.
I attended the conference on spam at MIT. The conference would have been more accurately labelled a 'solving spam with the hammer we know about' conference since no other solutions were accepted - although several people besides myself submitted authentication based papers.
The big problem with the Bayes approach is false positives. Lots of great statistics were quoted but the claims were simply not credible. I don't believe that Spam is such a simple problem that the performance of naive Bayesian techniques is several orders of magnitude better on that problem than any other.
So really the trick is to swing the problem around. START from the problem of making sure that anyone with a legitimate reason to contact me can do so without interference from statistical filtering techniques. The proper place to apply those is on the mail I cannot authenticate in that way.
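An added example, not from any of the posts above, of the ordering argued for in this thread: authenticate the sender first, make an authorization decision (domain whitelist and blacklist, individual whitelist entries) only about senders who did authenticate, and apply the statistical filter solely to mail that could not be authenticated. It serves both the "authentication versus authorization" exchange and the "swing the problem around" post. Because the standard library has no S/MIME verifier, an HMAC over a per-correspondent shared key stands in for signature verification; the addresses, keys, spam tokens and messages are constructed, and the signature header name `X-Auth-Sig` is hypothetical.

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.message import EmailMessage
from typing import Optional

# Constructed per-correspondent shared secrets. HMAC over a shared key stands in
# here for S/MIME signature verification; the policy below only needs to know
# whether the From address was cryptographically verified, not how.
SENDER_KEYS = {
    "alice@mit.edu": b"constructed-key-alice",
    "bob@partner.example": b"constructed-key-bob",
    "mallory@spam.example": b"constructed-key-mallory",  # a spammer who signs
}

# Authorization policy: who an already-authenticated sender is allowed to be.
ALLOW_DOMAINS = {"mit.edu"}                 # anyone in the domain is welcome
DENY_DOMAINS = {"spam.example"}             # refused even when authenticated
ALLOW_SENDERS = {"bob@partner.example"}     # individual whitelist entries

# Crude stand-in for the statistical filter: a constructed token list.
SPAM_TOKENS = {"viagra", "winner", "free", "unsubscribe"}


def sign(sender: str, body: str, key: bytes) -> str:
    """HMAC-SHA256 over the From address and the body (constructed scheme)."""
    return hmac.new(key, (sender + "\n" + body).encode(), hashlib.sha256).hexdigest()


def make_message(sender: str, body: str, key: Optional[bytes] = None) -> str:
    """Build a raw RFC 5322 message; sign it only when a key is supplied."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "me@example.org"
    msg["Subject"] = "constructed test message"
    msg.set_content(body)
    if key is not None:
        msg["X-Auth-Sig"] = sign(sender, msg.get_payload(), key)
    return msg.as_string()


def authenticate(msg) -> Optional[str]:
    """Authentication: return the From address only if its signature verifies."""
    sender = msg["From"]
    sig = msg.get("X-Auth-Sig")
    key = SENDER_KEYS.get(sender)
    if sender is None or sig is None or key is None:
        return None
    expected = sign(sender, msg.get_payload(), key)
    return sender if hmac.compare_digest(sig, expected) else None


def authorize(sender: str) -> str:
    """Authorization: a policy decision about a sender known to be genuine."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in DENY_DOMAINS:
        return "reject"
    if domain in ALLOW_DOMAINS or sender.lower() in ALLOW_SENDERS:
        return "inbox"
    return "filter"


def content_filter(body: str) -> str:
    """Placeholder for Bayesian scoring: two or more spam tokens means spam."""
    tokens = set(re.findall(r"[a-z]+", body.lower()))
    return "spam" if len(tokens & SPAM_TOKENS) >= 2 else "inbox"


def classify(raw: str) -> str:
    """Authenticate first; authorize what authenticates; filter only the rest."""
    msg = message_from_string(raw)
    sender = authenticate(msg)
    if sender is not None:
        decision = authorize(sender)
        if decision != "filter":
            return decision
    return content_filter(msg.get_payload())


if __name__ == "__main__":
    spammy = "Free viagra for the winner"
    print(classify(make_message("alice@mit.edu", spammy, SENDER_KEYS["alice@mit.edu"])))
    print(classify(make_message("alice@mit.edu", spammy)))  # forged From, no signature
    print(classify(make_message("mallory@spam.example", "hello", SENDER_KEYS["mallory@spam.example"])))
```

Two properties fall out of the ordering. A genuinely signed message from a whitelisted domain reaches the inbox even when its body would trip the statistical filter, which is the "no interference" requirement. A signed message from a blacklisted domain is rejected by the authorization step, which is the answer to "if a spammer signs it I am obliged to accept it": a valid signature establishes who sent it, not that you want it.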
I dislike the bounce-back loop as a filter for personal correspondence. I think it is great for the purpose of a lightweight authentication mechanism for mailing list subscriptions. I get very irritated when people use it to filter email, particularly since all my email is signed. People should not substitute their ad hoc authentication mechanisms without first supporting deployed standards.
The other problem with call back loops is that if they are used widely they will become a bigger problem than the spam, this is why I have been urging Microsoft et al. NOT to support them. The trick that the spammers have developed to get round the callback loop is to steal addresses off mailing list archives and send forged messages to the other members of the list. So work out the effect that deployment of the naive bounceback hack would have.
We had a similar but opposite problem. Basically the sales people who would normally go to Comdex en masse were not going because they were not going to meet enough customers to make it worthwhile. So as a result the field marketing people were finding that their booth roster which would normally be oversubscribed was actually short of people.
I think that Comdex have just discovered that they are in a cyclic business - which in part explains the ludicrously high margins that they could make in the good times.
Another area that saw the same sort of effect was training. I used to wonder just how the training companies could charge such huge amounts. Then when the crash came the reason became obvious: training budgets were the first to go. So a training company with 50 people making gross margins of 50% would see their revenue cut by 75% overnight; suddenly they are making a huge loss.
So basically the training companies and the conference companies work in the same type of mode. The companies that succeed do so because they hit exactly the right spot in the business cycle. The market never matures sufficiently to become a commodity business because the market leaders get chopped back or go bankrupt every 10 years or so with the business cycle.
That is utter crap. It isn't Union labor that is responsible for the conference hall charging $20/day for an $8 chair. The conference hall charges have nothing at all to do with what they pay their employees, they are simply gouging on the part of the conference hall operators.
If you have a meeting in a hotel the hotel will charge you $20 apiece for an 'executive meeting maker', that is a 5"x7" pad of 10 sheets of cheap paper with the hotel logo crudely printed on it and a cheap pen which together cost perhaps 5 cents. Add in another 5 cents worth of hard boiled sweets and that's it.
Of course it is much easier to blather on about evil unions. Prejudice is sooo much easier than thinking for yourself.
I was stating the facts and leaving the reader to draw normative conclusions.
The problem was that 'security' was seen as applying cryptography to the HTTP protocol. The idea that security might mean not implementing braindamaged features never occurred...
CGI was one of those quick and dirty hacks that just stuck. The problem was that at the time the implementation of shared libraries on UNIX was very new and on many platforms did not really work. So creating server plug-ins meant you had to relink the server each time which was painfully slow.
That is not too surprising since NASA is a quasi-military outfit. All the early astronauts were test pilots, all the shuttle commanders and pilots are military officers.
The shuttles are built by military contractors and much of the design is classified as military secrets. Basically if you understand how to build those booster rockets you understand a good deal that would help you build an ICBM.
Basically the military is the main place outside of NASA you would find the expertise to examine the issues. The other place would be the elite engineering universities like MIT.
However expertise is not everything. Feynman did not find out about the rubber O rings himself, he just knew how to ask the right questions to get to the bottom of things. He was actually tipped off about the O rings. However the panel could dismiss the peons who were suggesting an O ring failure but there was no way they could dismiss Dick Feynman.
It will be interesting to see how 'independent' the investigation ends up being. If it's like the 9/11 investigation we will know there is something they need to hide.
My top pick to head the committee would be Ted Postol of MIT. I doubt he is the administration's pick. Although the Democrats in Congress might possibly get a clue and select him as one of their picks.
Actually Baird was a poseur.
The first real TV system was assembled by the engineering dept of the BBC in a bake off that was set up essentially to shut Baird up.
They used a bunch of ideas that had been developed by others, in particular the cathode ray tube. They get the claim to invent TV because they were the first to do it over radio signals at a distance (as in Tele...)
My first response was 'you what?'
Over the next few years we saw countless exploits of the form 'add this to the command line arguments, execute an arbitrary command'.
This is one reason why I so hate 'it's only like what we do before' type security arguments. What you are already doing may be braindamaged.
People like to complain about IIS security but they fail to acknowledge that the single architectural issue that has led to those exploits is structurally similar to CGI. The game is to persuade a script to execute an arbitrary command.
Apache has had fewer exploits simply because the bugs are attributed to the braindamaged scripts written by the users.
If you want to run a secure Web server the thing to do is to turn off all scripting. Compiling the scripts and linking them into the server as a plug-in is a lot more satisfactory as an architectural approach, especially if you have ways to reduce the privileges of that module to least priv.
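An added example, not from the post, of the single pattern behind the exploits described above ("add this to the command line arguments, execute an arbitrary command") and its hardened form. The hypothetical CGI takes a username from the query string and hands it to a `finger`-style lookup program. The 'before' version builds a string for `/bin/sh`; the hardened version validates against an allowlist and execs with an argv list and no shell. Nothing is executed from the unsafe string; a small tokenizer shows how many commands the shell would have seen. The Python interpreter printing its own argv stands in for the lookup program so the example runs anywhere.

```python
import re
import shlex
import subprocess
import sys

# Allowlist for a username (hypothetical policy). The first character may not
# be '-', so a value can never be parsed as an option by the program we exec,
# which is the argument-injection cousin of the shell-injection bug.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,31}")


def is_valid_username(query: str) -> bool:
    return USERNAME_RE.fullmatch(query) is not None


def unsafe_command_line(query: str) -> str:
    """The 'before' pattern: query text concatenated into a string for /bin/sh.
    Returned rather than executed so the shell's view of it can be inspected."""
    return "finger " + query


def shell_command_count(cmdline: str) -> int:
    """How many simple commands a POSIX shell would run for cmdline.
    Splits on the ; | & && || separators only; backticks and $(...) also run
    commands and are not counted here, so this is a lower bound."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    separators = {";", "|", "||", "&", "&&"}
    return 1 + sum(1 for tok in lexer if tok in separators)


def safe_lookup(query: str) -> str:
    """Hardened form: validate against the allowlist, then exec with an argv
    list and shell=False. The query reaches the program as one argument and
    is never parsed by a shell, whatever characters it contains."""
    if not is_valid_username(query):
        raise ValueError("rejected: not a valid username")
    # sys.executable printing its own argv stands in for the lookup program.
    argv = [sys.executable, "-c", "import sys; print('lookup:', *sys.argv[1:])", query]
    result = subprocess.run(argv, capture_output=True, text=True, check=True, timeout=10)
    return result.stdout.strip()


if __name__ == "__main__":
    for q in ("alice", "alice; id"):
        print(repr(q), "-> shell would run", shell_command_count(unsafe_command_line(q)), "command(s)")
    print(safe_lookup("alice"))
```

The allowlist does the work that a server-side module with reduced privileges would otherwise have to absorb: by the time the program is exec'd, the only thing the request controls is the content of one argument, and that content has already been constrained to the character set the lookup actually needs.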
That market is owned by Symbolics
oops... make that, that market is owned by DEC
oops... make that, that market is owned by SGI
oops...
There is no high end. Companies in that bracket tend to die. Universities don't teach their students on Sun boxes any more. Well not unless they are given away.
Methinks that the reason McNealy spends all his time bitching about Microsoft is that he knows the ship is sinking and wants to prepare his alibi.
Actually Very Long Instruction Word machines were in vogue about ten years ago. Yale built a 512-bit machine. The compiler technology ended up being the most interesting stuff however, it was bought by Cray and resold to various companies ending up in the Intel compilers.
First off email is going to be affected very little because there won't be MX records in the zone and port 25 won't answer. So the end user will get back an error message. Life will go on without bad things happening. Peer to peer will be much the same.
Secondly, in the real world IE won the browser wars, live with it. The end users voted with their mice.
Ad hoc configurations to ease in infrastructure transitions have always taken place in the real world and the old farts of the IAB have mostly resisted them. They stuck their heads in the sand on the 32 bit address problem issuing notices about how dreadful NAT is. Fact is that without NAT the Internet would already be out of addresses. But don't expect the IAB to pro-actively investigate ways of making NAT really work well. They have decided not to bother with that until IPv6.
Oh you mean Bruce might be good at securing things rather than being a shill for whatever line Karl Rove thinks will play in the opinion polls?
The DNS protocol has been extended to support non-ASCII characters years ago. There is no real disagreement over the general approach, you simply use an approach similar to Base64 encoding on the domain name with a prefix of '--' which is safe because leading dashes are not permitted in DNS names, although the servers are required to resolve them.
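An added example, not from the post, of the encoding it describes in the form that was eventually deployed: each non-ASCII label is converted with Punycode (RFC 3492) and carries the ACE prefix `xn--` (RFC 3490), so the '--' sits at positions 3 and 4 of the label and the result is an ordinary letters-digits-hyphen name that any existing DNS server stores and resolves unchanged. The code uses Python's standard-library `idna` codec; the domain names are constructed, and the LDH validity check is the usual hostname rule (RFC 1123 label syntax, 63-octet labels) written out here rather than taken from any library.

```python
import re

ACE_PREFIX = "xn--"

# LDH rule: letters, digits and hyphen only, no leading or trailing hyphen,
# at most 63 octets per label.
LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def to_ascii(name: str) -> str:
    """Unicode domain name -> ACE form: Punycode labels prefixed with xn--.
    Pure-ASCII labels are passed through unchanged."""
    return name.encode("idna").decode("ascii")


def to_unicode(name: str) -> str:
    """ACE form -> Unicode domain name (the inverse of to_ascii)."""
    return name.encode("ascii").decode("idna")


def ace_labels(ascii_name: str) -> list:
    """The labels of an encoded name that carry the internationalized prefix."""
    return [label for label in ascii_name.split(".") if label.lower().startswith(ACE_PREFIX)]


def is_valid_hostname(ascii_name: str) -> bool:
    """True if every label is LDH-only and within the DNS length limits, i.e.
    the name is something the existing root and resolver infrastructure will
    carry without modification. A raw Unicode name fails this check; its ACE
    form passes it."""
    stripped = ascii_name.rstrip(".")
    if not stripped or len(stripped) > 253:
        return False
    return all(LDH_LABEL.fullmatch(label) is not None for label in stripped.split("."))


if __name__ == "__main__":
    for unicode_name in ("bücher.example", "münchen.example", "example.com"):
        ace = to_ascii(unicode_name)
        print(f"{unicode_name!r} -> {ace!r}  valid-LDH={is_valid_hostname(ace)}  "
              f"round-trip={to_unicode(ace) == unicode_name}")
```

The check at the end is the one a resolver-side validator wants: after encoding, the name must look like any other hostname. The codec applies IDNA2003 nameprep (case folding and normalization) before encoding, so the round trip is only exact for names that are already in that normalized form.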
If the IAB were not almost exclusively American academics this whole spec would have been finished four years ago. Instead they are happy to discuss any issue for years so long as there is no danger of a resolution.
It is particularly ironic that they are waffling about DNSSEC since it is the timidity and ineffectiveness of the IAB and IESG that has caused that spec to be delayed so long. It has taken three years for them to accept that the original DNSSEC spec was broken.
Internationalization and DNSSEC have been going on for ten years. The IAB seem quite content for them to go on for another ten years.
So don't get too excited by IPv6. It does not look likely that anyone is going to kick the IAB and IESG into action.
The I18N specification has been published by the IETF for a long time.
The point is to drive deployment of I18N through the existing root infrastructure. The IE plug-in means that 90% of the browsers in use can use the international names today.
There is not much point in doing a Mozilla plug-in. The Mozilla user base tends to upgrade pretty regularly and will pick up the internationalization code soon enough. That is meant to be the whole point of open source.
I can't wait to see the next O'Reilly book: "Verisign DNS vs BIND"
BIND also supports the international names.
The real story here is people who actually want to deploy stuff versus the foot draggers in ICANN and the IETF. The IETF has been dicking around for at least six years on this issue and is no closer to a resolution.
Pretty much anyone serious about process control or mission critical stuff uses VMS. UNIX simply cannot compete with the levels of reliability those systems routinely achieved. Uptime measured in years is normal. Unscheduled downtime is due to hardware failure - PERIOD.
Fortunately it does not appear that anyone takes much notice of your opinion.
VMS had very tight isolation between the processes, each of which ran in a completely separate address space.
When people start holding up VM as an example of how to structure an O/S for anything you know they are blowing smoke. VM was so dysfunctional that users could not even share files without major aggravation. This led to account sharing on a massive scale at CERN.