Slashdot Mirror


User: AnotherBlackHat

AnotherBlackHat's activity in the archive.

Stories
0
Comments
1,115

Comments · 1,115

  1. Re:Not just games, banner ads and other stuff too on All Encompassing Patents · · Score: 1

    why didn't they go after the pop-up spammers first?


    Opus' rule of lawsuits: Never sue poor people.

  2. What SPF won't do. on AOL Tests Sender Permitted From / E-mail Caller ID · · Score: 1

    SPF won't work as a forgery prevention system.

    SPF identifies servers that are "proper" senders for a domain.
    If you get an email that claims to be from a domain, and it's sent from one of those servers,
    then you can be very confident that the email was actually from that domain.
    But if you get an email and it's not from one of those servers,
    you can't really be sure it's bogus.

    It's like comparing the return address on an envelope with the postmark.
    If Alice lives in Anchorage, when you get a letter with her return address postmarked Anchorage,
    it's a reasonable bet it's really from Alice.
    But if you get a letter with Alice's return address that's postmarked Hawaii,
    would you conclude that the letter was a forgery?

    You might conclude that SPF would at least reduce the number of false positives,
    but that assumes that we don't implement something better.
    Digital signatures, for example.

    -- this is not a .sig
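
    A small evaluator for the check described above, added here as an example and not part of the original comment. It handles only the ip4/ip6/all mechanisms (so it needs no DNS; include, a, mx and redirect are reported as unsupported), and the records and addresses are constructed. Note that "not from an authorised server" only becomes a definite "fail" if the domain's own policy ends in -all; with ~all or ?all the receiver learns nothing conclusive, which is the commenter's point.

```python
"""Minimal SPF evaluator over the ip4/ip6/all mechanisms (no DNS needed).

Added example for this page, not from the original post. Records and IPs
below are constructed; 'include', 'a', 'mx', 'exists' and 'redirect' are
deliberately unsupported because they need live DNS lookups.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record: str, sender_ip: str) -> str:
    """Return the SPF result for sender_ip under record.

    Mechanisms are evaluated left to right and the first match decides
    (RFC 7208 semantics). A record with no matching mechanism is 'neutral',
    a record that is not SPF at all is 'none'.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # include/a/mx/exists/redirect need DNS: unsupported in this example
        return "permerror"
    return "neutral"


def conclusion(record: str, sender_ip: str) -> str:
    """What a receiver may actually conclude from the result."""
    result = spf_check(record, sender_ip)
    if result == "pass":
        return "really relayed by a server the domain authorises"
    if result == "fail":
        return "domain itself says this is bogus"
    return "no conclusion"


if __name__ == "__main__":
    strict = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"   # constructed
    lenient = "v=spf1 ip4:192.0.2.0/24 ~all"                    # constructed
    for rec in (strict, lenient):
        for ip in ("192.0.2.10", "198.51.100.7"):
            print(rec, ip, spf_check(rec, ip), "->", conclusion(rec, ip))
```

    Running it shows the asymmetry: 192.0.2.10 passes under both records, but 198.51.100.7 is a hard fail only under the -all record and a softfail under ~all, where the receiver cannot call the mail a forgery.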

  3. Re:Suck it up. on SPEWS Adds DSL Reports to Block List · · Score: 1

    Your internet supports spammers. Get another one, or live with the spam.

  4. Re:Hashes aren't unique on Can P2P Filter Copyrighted Content? · · Score: 1

    First do you think they will use a secure hash?

    Yes I do. In fact, I think they will use SHA1.


    Second I am referring to any collision, not that of a particular file.


    Yes, that's known as the birthday attack, and it means that instead of needing to produce 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976 files to get a collision, you only need to produce
    1,208,925,819,614,629,174,706,176

    Ok, that's smaller than the number of molecules in a can of soda, but it's still a lot more than you're going to hack out over the weekend.

    -- this is not a .sig
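
    The two figures above are 2^160 and 2^80. The following script, added here as an example rather than taken from the comment, makes the birthday bound concrete by running the same search against SHA-1 truncated to n bits: a collision in a 32-bit space turns up after roughly sqrt(pi/2 * 2^32), about 82,000 random inputs, where hitting one specific value would take about 2^32. The scaling to 2^80 for the full 160-bit digest is the point; the inputs are random bytes generated on the spot.

```python
"""Birthday-bound collision search against a truncated SHA-1.

Added example for this page, not from the original post. Truncating the
digest to `bits` bits stands in for the full 160-bit hash so the search
finishes in well under a second; the same arithmetic gives ~2^80 for SHA-1.
"""
import hashlib
import math
import os


def truncated_sha1(data: bytes, bits: int) -> int:
    """SHA-1 of data, keeping only the top `bits` bits of the digest."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def brute_force_trials(bits: int) -> int:
    """Average trials to hit one *specific* target value: 2^bits."""
    return 2 ** bits


def expected_trials(bits: int) -> float:
    """Expected random draws before *any* two collide in a space of 2^bits
    values: sqrt(pi/2 * 2^bits), i.e. roughly 2^(bits/2)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, max_trials: int = 1 << 22):
    """Draw random 16-byte inputs until two share a truncated digest.

    Returns (m1, m2, trials). Memory is the cost of the attack: every digest
    seen so far is kept, which is why 2^80 is 'a lot' even though it is far
    smaller than 2^160.
    """
    seen = {}
    for trial in range(1, max_trials + 1):
        m = os.urandom(16)
        h = truncated_sha1(m, bits)
        if h in seen and seen[h] != m:
            return seen[h], m, trial
        seen[h] = m
    raise RuntimeError("no collision within max_trials")


if __name__ == "__main__":
    bits = 32
    m1, m2, trials = find_collision(bits)
    print(f"{bits}-bit collision after {trials} trials "
          f"(expected ~{expected_trials(bits):.0f}, brute force ~{brute_force_trials(bits)})")
    print(f"full SHA-1: brute force 2^160, birthday ~{expected_trials(160):.3g} ~= 2^80")
```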
  5. Re:Is /. always anarchic/libertarian? on Web Ad Trademark Law To Be Retested · · Score: 1

    I suppose the instant reaction for a geek should be "anarchy! no laws!". So let's add trademarks to the copyright and patent laws that need repealing.


    I don't think trademark law needs to be repealed, but I do think it should be modified.
    In particular, you shouldn't be allowed to get a trademark on any term or image that was in usage (by someone else) prior to your filing for a trademark.
    Coca Cola - ok.
    Xerox - ok.
    Microsoft Windows - ok.
    Windows - not ok.
    Apple - not ok.

    Because we (stupidly IMO) allow common words and phrases to become trademarks, we end up with confusion.

    The first judge ruled that "playboy" and "playmate" are words, and that they were being used as words, not trademarks.
    The Ninth Circuit ruled that they were trademarks, and being used as trademarks not words.
    The result is, we need a judge (and an appeal, and possibly a second appeal) before we can decide if using words is ok or not.
    I'd much prefer a world where use of a word had a clear legal standing,
    even if it meant I could never use that word without the trademark holder's explicit permission.

    -- this is not a .sig

  6. Re:Please, read the patent... on URLs Patented, Domain Registrars Sued · · Score: 4, Interesting

    I think there ought to be penalties for the use of these nuisance patents. A judge then could not only strike down the patent's validity (which will obviously happen here), but could also impose a heavy fine to deter this kind of litigious crap from happening.


    How 'bout requiring a bond which is given to the first person to invalidate the patent.

    -- this is not a .sig
  7. Re:The author has a point... as far as it goes on Embedded Linux Tools Market a Myth? · · Score: 1
    ... the author highlights a problem not only for the embedded linux market but for the entire linux market.


    DYT?

    This isn't just a problem with Linux, it's a problem with the all platforms.

    Bad support? Poor/buggy software? High prices and low quality?
    I've heard that about everything.

    Of course, not everyone says that, but the ones that don't are trying to sell you something.

    -- this is not a .sig
  8. Re:Utah Judge on Did SCO Actually Buy What it Thought? · · Score: 1

    The judge made the statement on December 5, but it wasn't filed until December 12.

    They aren't really past the deadline until January 12th.


    The relevant groklaw link

  9. Good. on 8th Grader Suspended for Using 'net send' Command · · Score: 1

    "The Fort Worth Star-Telegram has an article detailing how a middle school student was suspended for three days for 'hacking.' His hack? Sending a popup message to the other computers in the school...from within the school."


    The school is teaching this student a valuable lesson, and I feel certain he'll never get caught doing this sort of thing again.

    -- this is not a .sig

  10. Re:No surprises here on What You Get When You Buy a Spam CD · · Score: 1
    Is anyone surprised that the 10 million promised addresses boils down to less than 7 million after removing duplicates?


    I'm surprised that they aren't even attempting to maintain the pretense of quality.

    I could generate 10 million addresses in a day that would withstand all but the most detailed inspection.
    There are plenty of domains that accept, or appear to accept email to anything in the LHS of an address (a.mailsiphon.com for example).

    You could also pad the list with domains that are more restrictive in what they accept.
    random_firstname+randomlastname@restrictive_domain won't work,
    but it would be very difficult to determine that.

    Even this minimal level of effort was apparently too much.

    -- this is not a .sig

  11. Re:Electrons in universe on Finding MD5 Collisions With Chinese Lottery · · Score: 1

    My standard reply to this is that there are 2^128 possible hash sums which is many magnitudes more than the number of electrons in the universe!

    According to my 66th edition of the handbook of chemistry and physics,
    the earth is 5.979 * 10^24 Kilograms, which is about 5.3 * 10^25 molecular weights of iron.
    An Iron molecule (Fe2) is 55.847*2 or 111.694.
    Avogadro's number is 6.022 * 10^23, so the number of molecules in 5.979 * 10^24 Kilograms of iron is
    (6.022e23 * 5.979 * 10^24 * 1000 / 111.694) ~= 3.2 * 10^49, or roughly 2^164.

    So approximately 2^164 molecules in the earth alone.

    2^128 is more than you're going to store in your house (around 2^100 molecules),
    but it's nowhere near the number of electrons in the universe.

    -- this is not a .sig
  12. About time. on New Intermediate Language Proposed · · Score: 2, Interesting

    I was beginning to wonder if the p-code concept was ever going to catch on - it's what, 35 years old now?

    -- this is not a .sig

  13. Re:Scrap SMTP? on Microsoft Researching Anti-Spam Technique · · Score: 1

    Before you chuck the entire protocol, do you have a solution for a better one?

    Until you know how you're going to repair the problem, let's not get too excited about scrapping a protocol that still has a lot of flexibility. I've learned a lot about SMTP in the last few months, if there was universal agreement as to WHAT to do, we could probably accomplish it in place.


    As a matter of fact, I do have a design that's much better, and solves many of the problems in SMTP, not just spam.
    (Forged senders, delivery acknowledgement, errors when multiple recipients are involved, date confusion, and DNS hacking to list a few.)

    But that's still not a good enough reason to chuck SMTP.
    If a protocol is superior, it should be able to displace the inferior one simply by existing.
    You just try sending using the better protocol, and if that fails, fall back to SMTP.

    We didn't chuck gopher when http became available, people just stopped caring about it after a while.
    Hopefully, the same thing will happen to SMTP.

    -- this is not a .sig

  14. Scam who? on Nigerian Scammers Claim Another Victim · · Score: 4, Insightful

    He borrowed hundreds of thousands of dollars, gave it to some one in a foreign country, and now he may go bankrupt.

    Why do I feel like the real idiots in this story were the people willing to lend him the money?

    -- this is not a .sig

  15. Re:We already have a standard for eBooks. on Open eBook Forum Courts Controversy Over Formats · · Score: 1

    ASCII isn't even good enough for most text only paper back books published today.
    There are too many imported French words that require accents, like canapés, or Spanish words that have ~ in them somewhere.

    -- this is not a .sig

  16. So don't ship blank hard drives. on Canadians [Will] Pay Levy on MP3 Players - Updated · · Score: 2, Interesting

    An oldie but a goodie -
    The "levy" is only for blank media.

    So put a recording on the hard drive.

    Not only would you avoid the tax, you also can claim to be a music distributor, and collect a portion of the tax paid by your less savvy competition.

    Make the recording an advertising jingle, and you can get someone to pay you to install it.

    And maybe you can get a spot on the top ten best sellers list - after all, how many recording artists sell albums for the price of a hard drive?

    -- this is not a .sig

  17. Re:Missing text in article on SCO Investor Changing the Deal · · Score: 5, Funny
    Unix, an older operating system from which [something is missing here] Linux was derived.


    "nothing in"

  18. Re:MRI on Detoxing With Magnets for Fun and Profit · · Score: 1
    As I understand it, hospitals are reluctant to give some construction workers MRI's as the average worker is sure to have accumulated tiny metal shards in his or her eyes, shards that go unnoticed until someone turns on the juice.


    Couldn't they use a sensitive metal detector to check for this sort of thing?

    -- this is not a .sig
  19. Re:Change of Methods Needed? on The Death Throes of crypt() · · Score: 4, Insightful

    is this a message that we need more secure forms of encryption than we already have?


    No, it's a message that if you're still using stuff that was developed in the 1970s, you should consider upgrading to the stuff from two years ago.

    -- this is not a .sig
  20. How is this illegal? on Linux: the GPL and Binary Modules · · Score: 1


    I thought the GPL was a license that allowed someone, under certain circumstances and provided they do certain things, to legally make copies of something that normally copyright law would prevent.

    That could stop someone from distributing Linux,
    but how could that possibly prevent them from releasing their own work?

    -- this is not a .sig

  21. Re:I think my form of encryption is better on RSA-576 Factored · · Score: 2, Informative

    Sort by extension;
    ls -l | rev | sort | rev

    Sort by domain;
    rev address_list | sort | rev

  22. Re:This is a large, stinking pile of bullshit. on Yahoo! Develops Anti-Spam Architecture · · Score: 1

    This is the classic confusion of authentication with security. Authentication does not protect against spammers. The spammers will simply authenticate and keep right on spamming, and now they won't have to do tricks to circumvent the filters because the cert makes them "trusted". (One other example of this is the illusion of security caused by cryptographic authentication on the web. That hasn't stopped spyware sleazebags such as Gator/Claria; they just get their own certs.)


    I agree that digitally signed email (or any other authentication system) isn't going to stop spam,
    but spammers are currently hiding their identities for a reason.
    This promises (no matter how empty that promise might turn out to be) to raise the bar on spamming.
    It may remove only one tool in the spammer's box of tricks, the ability to claim to be someone you trust,
    but that is one of the most damaging tricks that spammers pull.
    It also makes systems that rely on authentication, like whitelisting, easier to implement.

    Even if all it did was prevent bounces from going to the wrong people, it would be useful.

    -- this is not a .sig

  23. Re:One solution on Yahoo! Develops Anti-Spam Architecture · · Score: 1

    Why would you need special tools? What's wrong with Gnupg and PGP?


    Several things, but I'll just mention one of the more glaring problems;

    PGP and OpenPGP do not sign the Subject: line of an email.
    This means a spammer could take an email that joe@example.com sent to a public mailing list,
    change the subject to "Hot sexy coed transvestite midgets: http://10.1.2.3/hsctm.html"
    and spam the world, joe-jobbing poor joe.

    -- this is not a .sig
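
    A demonstration of the joe-job above, added here as an example and not part of the original comment. It signs a constructed message two ways: once over the body alone (the OpenPGP situation the commenter describes) and once over the body plus a declared list of header fields (the approach DKIM later took with its h= tag). HMAC-SHA256 under an assumed shared key stands in for the sender's signature; what matters is what the signature covers, not the primitive, and a real deployment would use a public-key signature in its place.

```python
"""Why a body-only signature does not stop a 'joe job' via header rewriting.

Added example for this page, not from the original post. The message is
constructed, and HMAC-SHA256 under an assumed key stands in for joe's
signature; a real scheme uses a public-key signature, but the coverage
argument is identical.
"""
import hashlib
import hmac

KEY = b"joe-example-com-signing-key"   # assumed placeholder for joe's signing key


def parse_message(raw: str):
    """Split an RFC 822-style message into (headers dict, body)."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.split("\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def sign_body_only(raw: str) -> str:
    """OpenPGP-style: the signature covers the body text and nothing else."""
    _, body = parse_message(raw)
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()


def sign_with_headers(raw: str, covered=("from", "to", "date", "subject")) -> str:
    """DKIM-style: the signature also covers a declared list of header
    fields, canonicalised as lower-cased 'name:value' lines in a fixed order."""
    headers, body = parse_message(raw)
    material = "".join(f"{h}:{headers.get(h, '')}\n" for h in covered) + body
    return hmac.new(KEY, material.encode(), hashlib.sha256).hexdigest()


def verify(signature: str, raw: str, signer) -> bool:
    """Recompute under the same scheme and compare in constant time."""
    return hmac.compare_digest(signature, signer(raw))


def replace_subject(raw: str, new_subject: str) -> str:
    """What the spammer does: swap the Subject: line, leave the body alone."""
    head, sep, body = raw.partition("\n\n")
    lines = [l for l in head.split("\n") if not l.lower().startswith("subject:")]
    lines.append("Subject: " + new_subject)
    return "\n".join(lines) + sep + body


ORIGINAL = (   # constructed message joe sent to a public list
    "From: joe@example.com\n"
    "To: list@example.org\n"
    "Date: Mon, 1 Dec 2003 10:00:00 +0000\n"
    "Subject: Re: patch for the parser\n"
    "\n"
    "Looks good to me, applied.\n"
)
FORGED = replace_subject(ORIGINAL, "Hot offer: http://10.1.2.3/hsctm.html")


def body_only_still_verifies() -> bool:
    """True: joe's body-only signature is valid on the forged message."""
    return verify(sign_body_only(ORIGINAL), FORGED, sign_body_only)


def header_signature_still_verifies() -> bool:
    """False: a signature that covers Subject: breaks when it is rewritten."""
    return verify(sign_with_headers(ORIGINAL), FORGED, sign_with_headers)


if __name__ == "__main__":
    print("body-only signature survives subject swap:", body_only_still_verifies())
    print("header-covering signature survives swap:  ", header_signature_still_verifies())
```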
  24. Re:Too resource intensive, and broken anyway on Yahoo! Develops Anti-Spam Architecture · · Score: 1

    For every message, I have to check and unpack the header, go out to some PK server, and validate the keys, before I decide to accept/reject? That introduces a big latency into SMTP.


    You'd only have to fetch the key for strangers.
    Most (non-spam) email comes from people who have sent you email in the past,
    and you'd presumably cache their public keys.

    The overhead's not all that big for strangers either.
    It probably takes about as long to do a reverse IP lookup, and lots of servers do those.

    Hell - greylisting forces strangers to retry the entire SMTP transaction.
    It can introduce delays of hours, and I've gotten far more compliments than complaints since implementing greylisting.

    -- this is not a .sig
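
    The greylisting the commenter mentions, as an added example rather than anything from the comment: a receiving MTA keys on the (client IP, envelope sender, recipient) triplet, answers 451 the first time it sees one, and accepts only when the same triplet comes back after a minimum delay. Real MTAs retry; most spam cannons do not. The delay, expiry and the event stream below are assumed and constructed.

```python
"""Greylisting: temp-fail unseen (client IP, sender, recipient) triplets and
accept once the client retries after a delay.

Added example for this page, not from the original post. The delay and
expiry values are assumed, and the SMTP events are constructed.
"""
from dataclasses import dataclass, field

GREYLIST_DELAY = 5 * 60        # seconds a new triplet must wait before a retry counts (assumed)
TRIPLET_TTL = 36 * 60 * 60     # forget pending triplets that were never retried (assumed)


@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)   # triplet -> first-seen time
    known: dict = field(default_factory=dict)     # triplet -> accepted deliveries

    def decide(self, client_ip: str, sender: str, rcpt: str, now: float) -> int:
        """Return the SMTP reply code: 250 accept, 451 temporary failure."""
        triplet = (client_ip, sender.lower(), rcpt.lower())
        if triplet in self.known:                   # seen a successful retry before
            self.known[triplet] += 1
            return 250
        first = self.pending.get(triplet)
        if first is None or now - first > TRIPLET_TTL:
            self.pending[triplet] = now             # new (or stale) triplet: make it wait
            return 451
        if now - first < GREYLIST_DELAY:            # retried too soon: keep waiting
            return 451
        del self.pending[triplet]                   # proper retry: accept from now on
        self.known[triplet] = 1
        return 250


# constructed event stream: (seconds, client IP, envelope sender, recipient)
EVENTS = [
    (0,    "198.51.100.5", "alice@example.com", "bob@example.org"),  # real MTA, first try
    (0,    "203.0.113.9",  "spam@example.net",  "bob@example.org"),  # spam cannon, never retries
    (900,  "198.51.100.5", "alice@example.com", "bob@example.org"),  # real MTA retries 15 min later
    (1000, "198.51.100.5", "alice@example.com", "bob@example.org"),  # next message, no delay
]


def simulate(events=EVENTS, gl=None):
    """Run the events through one Greylist and return the reply codes in order."""
    gl = gl or Greylist()
    return [gl.decide(ip, s, r, t) for (t, ip, s, r) in events]


if __name__ == "__main__":
    for (t, ip, s, r), code in zip(EVENTS, simulate()):
        print(f"t={t:5d}s {ip:14s} {s:18s} -> {code}")
```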

  25. Re:One solution on Yahoo! Develops Anti-Spam Architecture · · Score: 1

    when you think about it, BUT this should come from IETF or some other body not from a company.


    IETF doesn't have a monopoly on internet standards, they're just one of many standards bodies.

    IETF is perhaps less likely to release some proprietary piece of crap than a for-profit company,
    but the article claims this will be open.


    A few important points:
    1) Who will issue the keys?

    There's no reason the keys need to be "issued" at all - pgp keys aren't.
    But since they haven't released any details, who knows?


    2) Is anonymous mail possible if the receiver allows it?


    Anything is possible, if the receiver allows it.


    Furthermore spamming is a social problem emerging from our commercial world and technical solutions can never be 100%.

    Prove it.

    What if:
    a) I send spam from a "secure" domain?

    Then you didn't forge it.

    b) forge certificates?

    A cute trick if you can manage it.
    Maybe it's possible, but there are no known ways to do so.

    c) the certificates are too expensive? (like SSL, I think it should be included with a domain)

    Then it will die on the vine.
    I'm willing to wait until they actually propose something concrete before I say it's broken though.

    -- this is not a .sig