Running an e-mail system is trivial compared to all the other software used by a modern university. In fact it is so easy that it can be outsourced.to the lowest bidder. That way we (the IT-departement) can focus our attention on the difficult systems.
Would you go to a school that hires some other company to clean its toilets or to mow the lawn? Would eat at a university-restaurant that does not bake its own bread? Then why do you care who runs the e-mail front-end?
You got it wrong, it's not a matter of hardware. Our three year old mailservers handle the load without every blinking. They could probably handle ten times more without any noticable load.
No matter what user-interface you use, people still need support. Both software and users are getting better but we are still far away from an email-system that does not need support.The university is full of young and bright people but even that group needs a lot of support. The older part of our population would be lost without support. Moving only a small fraction of those calls to an external party saves a ton of time that can be spent on more important issues.
It's not my preferred solution either, but it's not as bad as it sounds. Not everything will be out-sourced, we continue to manage most of the mail ourselves. We decide how the mail is routed and we manage authentication (google/microsoft never sees our passwords). Every employee has at least one local mailbox.
The expensive part of running an e-mail service is not the backend, it's dealing with user-support. Why waste those intelligent and skilled people on something as simple as webmail? Each year we give out thousands of mailboxes to students that are only used to receive schedule updates and stuff like them. There's not much of a privacy issue their. Anyone has the possibility of getting a local mailbox and we encourage people to do so. It doesn't even have to be on our systems. If you ask for it we will happily route your mail to your own mailserver or anywhere else. Nobody is forced to use the outsourced mailboxes.
Besides, most of our students forward their mail to gmail anyway:/ By offering such mailboxes our selves we get at least some control.
My employer (a university) decided to outsource the e-mail-facilities for students. Microsoft and Google both made compelling offers, however Google could not promise that our data would never leave Europe. Microsoft did make that promise and was awarded the contract because of it. A few months later MS had to confess that they couldn't keep that promiss. As the migration was not going smooth at all we are now back talking with Google.
Oh, come on. The source code is not going to tell you a whole lot, it would be only comprehensible to experts and it says nothing about the little hardware bits.
Experst are for hire.
I'm not an architect. The blueprints of my house are useless to me, but I can hire an architect to read them for me. That architect can than tell me if the house I'm living in is well designed or not. He won't be able to tell if the building-materials are of sufficient quality, but if the design is not sound the materials used don't even matter.
I'm dissappointed in Slashdot. One would expect that over here people would see the value of having access to the source of the software that keeps you alive.
For every linked-list ever written in C there are a thousand JavaScript implementations of the Like+1-button. You don't need to be star-programmer to land yourself a good job as a website-developer.
But no end-user ever does. The only people that actually do this are the DNS-adminstrators themselves.
How is that a reason to ignore the problem?
DNS-administrators have direct access to their own DNS-servers and can work around the problem. In fact, many DNS-servers prohibit zone-tranfers. While I realize that it is a very usefull feature, it is not something that interferes with consumer-grade internet. We are talking about a DNS-block targeted at home-users, enforced at the leaves of the DNS-network. I do not like it, but I fail to see how consumers are effected other than not being able to resolve certain addresses.
As long as you don't ask for the broken records you will not be affected.
Nonsense.
Let's come back from this for a second and realize what DNSSEC is for. Let's suppose there is an attacker who compromises a webserver, say www2.example.com. It turns out that it's the failover backup for www.example.com, and nobody will use www2 as long as www.example.com is available. So in order to do some damage, the attacker has to divert people from www.example.com. DNS poisoning is a traditional way that attackers do this: If you make www not resolve, clients configured to automatically retry with www2 will do so. So the attacker compromises some upstream DNS server and either deletes the record for www.example.com or makes it point to the compromised server rather than the uncompromised one. DNSSEC prevents this, because the NXDOMAIN record won't be signed and so the next DNS server will detect the attempted fraud and retry against some alternative upstream DNS server or go direct to the authoritative server for that domain. If you mandate blocking by legislation, the DNS server can't do this anymore, because if it does, it will make the blocking ineffective, which the legislation prohibits. So the attacker diverts unsuspecting users to the compromised server, because the user's DNS server is prohibited from taking effective countermeasures against the DNSSEC failure.
All this is still possible if you provide a blacklist to the DNS-resolver of blocked domains that should not be worked around. It's not very nice from a technical point of view, but it's certainly feasible.
SOPA and DNSSEC are not mutually exclusive. They might lead to draconion rules that are hard to enforce, but when has that ever stopped anybody?
In what way does changing 1 record invalidate the entire zone? Nobody tranfers entire zones.
First of all, the capability for zone transfers exists, and some people do it.
But no end-user ever does. The only people that actually do this are the DNS-adminstrators themselves.
But what does that have to do with anything anyway? The problem exists just as much with even a single record.
As long as you don't ask for the broken records you will not be affected.
The problem is that the only secure response to a DNSSEC failure must be to raise hell: Warn the user that their DNS server is compromised and that they must change it immediately, take expensive countermeasures such as retrying against a published list of arbitrary alternative DNS servers or going straight to the root servers, etc. Effective countermeasures will be just as effective at defeating the block as at defeating fraudsters. For that reason the bill prohibits such countermeasures, which enables fraud.
End-users don't run DNS-servers, they use a server provided by their provider. If such a server detects a failed DNSSEC-request it will just ignore it completly. End-users do not validate DNSSEC. That could and should change, but will take many years to complete. Right now there is no usefull way to inform the user of a DNSSEC-problem.
Removing the domain would break DNSSEC, since the removal would not be signed and the signing entity may not be subject to US jurisdiction (or may refuse on first amendment grounds etc.)
More than that, the user can trivially work around the removal of the DNS entry merely by using a DNS server in another country. Effectively preventing the user from communicating with servers in other countries would severely break the internet, which is part of the problem that people are concerned about.
In what way does changing 1 record invalidate the entire zone? Nobody tranfers entire zones. You just query for the records that you need. If they are modified the DNSSEC will fail for those records, but I can't see how the rest of the zone would be affected.
The pharmaceutical claims that their 15% R&D gives them the right to all of the profits of a medicine and they use the law to sell it at a an inflated price. They even refuse to sell medicines to some countries because they can't afford these prices.
The remaining 85% of the R&D is done by universities who are paid for by public money. It stands to reason that 85% of the profits should go back to the public/state. Furthermore, there is pressure on universities to get external funding. This typically involves getting a share of the 15% from the industry. In turn the industry gets to influence the research done at universities. This is why so many researchers are working on 'luxury' diseases instead of the disease that decimate the third-world, even in universities that should do fundamental research.
From a strictly economical point of view: Way to much time and energy is spent on restricting the usage of culture. It does not make sense to spend money on protecting works for over a hundred years if most of them don't bring in any revenue.
Not being able to reuse once cultural heritage also raises the barrier for new artists to enter the market, especially in the world of electronic music. Most musicians don't have the resources to validate every sample. Furthermore, the artists that do enter the market will also have to pay for the protection of the old works, as those don't bring in any revenue themselves. Additionally, the only way of dealing with these restrictions is by joining a music label that takes care of it. Obviously they want a share of the revenue in return, lowering the overall profits of the budding artist.
From a social/cultural point of view: Once basic economic needs have been met the human spirit longs for social contact. Culture is an important way of sharing thoughts, feelings, knowledge and experiences. Culture lasts only as long as it's being used. Once a book is no longer read or a song no longer sung it will be forgotten. If we are not allowed to keep the culture from our childhood alive, our children will never learn about it and it will be gone by the time our grandchildren get the right to use it.
There is no such thing as a free phone, you will pay for it either way. The difference is that a subsidized phone hides the price. As consumers are not paying directly for the phone, there is far less competition on price. The network-operators will not pay the list price anyway. They'll get a massive discount and then use the inflated list price to justify their high prices.
A few weeks ago I asked a railway-technician why my train had not yet departed. As I suspected the engine had broken down. However, this being a real technician and not some kind of manager he did not just say "it's broken" but started explaining that the 2 out of 4 propulsion-units where below 50% of there optimal capacity, or something along that line. After a few seconds my mind blocked and I presume my eyes glazed over. I thanked the man and made myself scarce.
It took me a few minutes to realize what just had happened. I'm a nerd with a passion for technology. I'm usually fascinated with every machine I encounter. Yet this tiny bit of pressure (a late train) was enough to completely eradicate that and turn me into a "I don't care about your technology, just fix it" zombie.
From what I've read about it the work they did was not very hard (for an experienced scientist). It is a rather classic case of evolutionary improvement. Take a bunch of ferrets, infect them with the flu, take the most effective strain of the virus and feed it to the next group of ferrets. Repeat until you get a virus with the desired properties.
It takes some time and some experience but it is well within the reach of any sufficiently funded and properly motivated organisation.
When somebody in my organisation requires a new password the user is either required to walk to our office to collect it. When that happens we explain PGP-encryption to the user and help him/her to set up a key. The next time this user needs a password we offer to send it through PGP-encrypted mail, to any mail address under the users control.
If a user is unwilling/unable to come over to our office we suggest to find a few colleagues with PGP (we know people in most departements) and get a key into our web-of-trust.
You should try the Enigmail-plugin which does exactly that. If the recipients PGP-key is in its addressbook it will use that, otherwise it won't encrypt the mail (allthough it may still sign the mail).
For what it's worth, my first step was also to simplify * 75/25 to *3 . The second step was also 50 * 3. However, my third step was to look at the answers. Only one answer (141) was in the right ballpark. All the others were off by so much that they couldn't be right.
The 'guestimation' strategy fails at question 5 that has two answers that are very close to each other ($203.00 and $208.80). However, my mathematical instincts tell me that 203.00 is an unlikely outcome when multiplying with 29. I used a calculator to confirm my guess (as allowed by the test).
Do these users know that they are being monitored? Obviously they know that some piece of software is active, they've installed it themselves, but do they realize how intense this monitoring is? I would imagine that they think it's some kind of collaboration tool whilethe details are hidden in the fine print of the contract.
That is why they also monitor keyboard and mouse activity.
Of course that can be faked / simulated as well. A dedicated programmer will always be able to out-program such systems but at a certain point it becomes work to avoid surveillance than to just do the job at hand.
Slashdot Mirror
No other company responded that could meet all our requirements.
Google was honest, Microsoft made a promise that it couldn't keep and were incompetent to boot (what a surprise). We reward honesty.
Running an e-mail system is trivial compared to all the other software used by a modern university. In fact it is so easy that it can be outsourced.to the lowest bidder. That way we (the IT-departement) can focus our attention on the difficult systems.
Would you go to a school that hires some other company to clean its toilets or to mow the lawn? Would eat at a university-restaurant that does not bake its own bread? Then why do you care who runs the e-mail front-end?
You got it wrong, it's not a matter of hardware. Our three year old mailservers handle the load without every blinking. They could probably handle ten times more without any noticable load.
No matter what user-interface you use, people still need support. Both software and users are getting better but we are still far away from an email-system that does not need support.The university is full of young and bright people but even that group needs a lot of support. The older part of our population would be lost without support. Moving only a small fraction of those calls to an external party saves a ton of time that can be spent on more important issues.
It's not my preferred solution either, but it's not as bad as it sounds.
Not everything will be out-sourced, we continue to manage most of the mail ourselves. We decide how the mail is routed and we manage authentication (google/microsoft never sees our passwords). Every employee has at least one local mailbox.
The expensive part of running an e-mail service is not the backend, it's dealing with user-support. Why waste those intelligent and skilled people on something as simple as webmail? Each year we give out thousands of mailboxes to students that are only used to receive schedule updates and stuff like them. There's not much of a privacy issue their. Anyone has the possibility of getting a local mailbox and we encourage people to do so. It doesn't even have to be on our systems. If you ask for it we will happily route your mail to your own mailserver or anywhere else. Nobody is forced to use the outsourced mailboxes.
Besides, most of our students forward their mail to gmail anyway :/
By offering such mailboxes our selves we get at least some control.
Unless they are old and sick, sheep shouldn't worry about getting eaten by wolves.
Unfortunately the definition of 'terrorism' has been stretched in recent years. Once you are accused it's nearly impossible to clear your name.
My employer (a university) decided to outsource the e-mail-facilities for students. Microsoft and Google both made compelling offers, however Google could not promise that our data would never leave Europe. Microsoft did make that promise and was awarded the contract because of it.
A few months later MS had to confess that they couldn't keep that promiss. As the migration was not going smooth at all we are now back talking with Google.
I'll let you in on a little secret: "Earl Grey tea" is not some Sci-Fi invention but something you can buy in any supermarket right now!
Oh, come on. The source code is not going to tell you a whole lot, it would be only comprehensible to experts and it says nothing about the little hardware bits.
Experst are for hire.
I'm not an architect. The blueprints of my house are useless to me, but I can hire an architect to read them for me. That architect can than tell me if the house I'm living in is well designed or not. He won't be able to tell if the building-materials are of sufficient quality, but if the design is not sound the materials used don't even matter.
I'm dissappointed in Slashdot. One would expect that over here people would see the value of having access to the source of the software that keeps you alive.
For every linked-list ever written in C there are a thousand JavaScript implementations of the Like+1-button. You don't need to be star-programmer to land yourself a good job as a website-developer.
But no end-user ever does. The only people that actually do this are the DNS-adminstrators themselves.
How is that a reason to ignore the problem?
DNS-administrators have direct access to their own DNS-servers and can work around the problem. In fact, many DNS-servers prohibit zone-tranfers. While I realize that it is a very usefull feature, it is not something that interferes with consumer-grade internet.
We are talking about a DNS-block targeted at home-users, enforced at the leaves of the DNS-network.
I do not like it, but I fail to see how consumers are effected other than not being able to resolve certain addresses.
As long as you don't ask for the broken records you will not be affected.
Nonsense.
Let's come back from this for a second and realize what DNSSEC is for. Let's suppose there is an attacker who compromises a webserver, say www2.example.com. It turns out that it's the failover backup for www.example.com, and nobody will use www2 as long as www.example.com is available. So in order to do some damage, the attacker has to divert people from www.example.com. DNS poisoning is a traditional way that attackers do this: If you make www not resolve, clients configured to automatically retry with www2 will do so. So the attacker compromises some upstream DNS server and either deletes the record for www.example.com or makes it point to the compromised server rather than the uncompromised one. DNSSEC prevents this, because the NXDOMAIN record won't be signed and so the next DNS server will detect the attempted fraud and retry against some alternative upstream DNS server or go direct to the authoritative server for that domain. If you mandate blocking by legislation, the DNS server can't do this anymore, because if it does, it will make the blocking ineffective, which the legislation prohibits. So the attacker diverts unsuspecting users to the compromised server, because the user's DNS server is prohibited from taking effective countermeasures against the DNSSEC failure.
All this is still possible if you provide a blacklist to the DNS-resolver of blocked domains that should not be worked around. It's not very nice from a technical point of view, but it's certainly feasible.
SOPA and DNSSEC are not mutually exclusive. They might lead to draconion rules that are hard to enforce, but when has that ever stopped anybody?
In what way does changing 1 record invalidate the entire zone? Nobody tranfers entire zones.
First of all, the capability for zone transfers exists, and some people do it.
But no end-user ever does. The only people that actually do this are the DNS-adminstrators themselves.
But what does that have to do with anything anyway? The problem exists just as much with even a single record.
As long as you don't ask for the broken records you will not be affected.
The problem is that the only secure response to a DNSSEC failure must be to raise hell: Warn the user that their DNS server is compromised and that they must change it immediately, take expensive countermeasures such as retrying against a published list of arbitrary alternative DNS servers or going straight to the root servers, etc. Effective countermeasures will be just as effective at defeating the block as at defeating fraudsters. For that reason the bill prohibits such countermeasures, which enables fraud.
End-users don't run DNS-servers, they use a server provided by their provider. If such a server detects a failed DNSSEC-request it will just ignore it completly. End-users do not validate DNSSEC. That could and should change, but will take many years to complete. Right now there is no usefull way to inform the user of a DNSSEC-problem.
Removing the domain would break DNSSEC, since the removal would not be signed and the signing entity may not be subject to US jurisdiction (or may refuse on first amendment grounds etc.)
More than that, the user can trivially work around the removal of the DNS entry merely by using a DNS server in another country. Effectively preventing the user from communicating with servers in other countries would severely break the internet, which is part of the problem that people are concerned about.
In what way does changing 1 record invalidate the entire zone? Nobody tranfers entire zones. You just query for the records that you need. If they are modified the DNSSEC will fail for those records, but I can't see how the rest of the zone would be affected.
The pharmaceutical claims that their 15% R&D gives them the right to all of the profits of a medicine and they use the law to sell it at a an inflated price. They even refuse to sell medicines to some countries because they can't afford these prices.
The remaining 85% of the R&D is done by universities who are paid for by public money. It stands to reason that 85% of the profits should go back to the public/state. Furthermore, there is pressure on universities to get external funding. This typically involves getting a share of the 15% from the industry. In turn the industry gets to influence the research done at universities. This is why so many researchers are working on 'luxury' diseases instead of the disease that decimate the third-world, even in universities that should do fundamental research.
From a strictly economical point of view:
Way to much time and energy is spent on restricting the usage of culture. It does not make sense to spend money on protecting works for over a hundred years if most of them don't bring in any revenue.
Not being able to reuse once cultural heritage also raises the barrier for new artists to enter the market, especially in the world of electronic music. Most musicians don't have the resources to validate every sample.
Furthermore, the artists that do enter the market will also have to pay for the protection of the old works, as those don't bring in any revenue themselves.
Additionally, the only way of dealing with these restrictions is by joining a music label that takes care of it. Obviously they want a share of the revenue in return, lowering the overall profits of the budding artist.
From a social/cultural point of view:
Once basic economic needs have been met the human spirit longs for social contact. Culture is an important way of sharing thoughts, feelings, knowledge and experiences. Culture lasts only as long as it's being used. Once a book is no longer read or a song no longer sung it will be forgotten. If we are not allowed to keep the culture from our childhood alive, our children will never learn about it and it will be gone by the time our grandchildren get the right to use it.
There is no such thing as a free phone, you will pay for it either way. The difference is that a subsidized phone hides the price. As consumers are not paying directly for the phone, there is far less competition on price.
The network-operators will not pay the list price anyway. They'll get a massive discount and then use the inflated list price to justify their high prices.
A few weeks ago I asked a railway-technician why my train had not yet departed. As I suspected the engine had broken down. However, this being a real technician and not some kind of manager he did not just say "it's broken" but started explaining that the 2 out of 4 propulsion-units where below 50% of there optimal capacity, or something along that line.
After a few seconds my mind blocked and I presume my eyes glazed over. I thanked the man and made myself scarce.
It took me a few minutes to realize what just had happened. I'm a nerd with a passion for technology. I'm usually fascinated with every machine I encounter. Yet this tiny bit of pressure (a late train) was enough to completely eradicate that and turn me into a "I don't care about your technology, just fix it" zombie.
How many fingers are on a normal human hand? The answer is 1111111111.
On one (1) hand? You should see a doctor (or drink less).
From what I've read about it the work they did was not very hard (for an experienced scientist). It is a rather classic case of evolutionary improvement. Take a bunch of ferrets, infect them with the flu, take the most effective strain of the virus and feed it to the next group of ferrets. Repeat until you get a virus with the desired properties.
It takes some time and some experience but it is well within the reach of any sufficiently funded and properly motivated organisation.
When somebody in my organisation requires a new password the user is either required to walk to our office to collect it. When that happens we explain PGP-encryption to the user and help him/her to set up a key. The next time this user needs a password we offer to send it through PGP-encrypted mail, to any mail address under the users control.
If a user is unwilling/unable to come over to our office we suggest to find a few colleagues with PGP (we know people in most departements) and get a key into our web-of-trust.
You should try the Enigmail-plugin which does exactly that. If the recipients PGP-key is in its addressbook it will use that, otherwise it won't encrypt the mail (allthough it may still sign the mail).
For what it's worth, my first step was also to simplify * 75/25 to *3 .
The second step was also 50 * 3.
However, my third step was to look at the answers. Only one answer (141) was in the right ballpark. All the others were off by so much that they couldn't be right.
The 'guestimation' strategy fails at question 5 that has two answers that are very close to each other ($203.00 and $208.80). However, my mathematical instincts tell me that 203.00 is an unlikely outcome when multiplying with 29. I used a calculator to confirm my guess (as allowed by the test).
Do these users know that they are being monitored?
Obviously they know that some piece of software is active, they've installed it themselves, but do they realize how intense this monitoring is? I would imagine that they think it's some kind of collaboration tool whilethe details are hidden in the fine print of the contract.
That is why they also monitor keyboard and mouse activity.
Of course that can be faked / simulated as well. A dedicated programmer will always be able to out-program such systems but at a certain point it becomes work to avoid surveillance than to just do the job at hand.
DNSSEC is probably going to change that anyway.