Not to mention almost all credit cards say on the back "NOT VALID UNLESS SIGNED" which means by putting that "check ID" crap (which does annoy anyone who works with credit cards BTW.. also not signing your card because you think it protects you) does NOTHING and I don't have to take your card since you are in violation of your credit card agreement.
Three counter points:
Signed means "to make a sign upon; to mark with a sign." ("kdict signed" for kde users.) Have I done that: yes. It may be different, but it is signed.
As I mentioned in my original post, I did check with Discover (the card I use 99% of the time) and they do not have a problem with this. If the card owner doesn't have a problem, why should you?
As for the annoying people part, I've yet to hear any negative comments, but I've heard many positive ones.
If there were an easy, simple, cheap way to make credit cards secure, it probably would have been done a long time ago. While it's true any merchant has the right to refuse any credit card for any reason, I have the right to take my business elsewhere.
...Fake ID's are much easier to obtain than signatures are to copy...
True. However, if fake ID's (such as driver's license) were sooo easy to get, they would be worthless as ID's. Yet, they are accepted as such almost everywhere. Strange. Hmmm...
Now, how many people are handwriting experts and would be able to make a meaningful comparison (assuming they even tried)? In any case, a handwriting sample is available to compare to (the "Please ask for ID" - ask me to write that if you want the same phrase.) And oh yes, my signature is on my driver's license, so there you have another thing to check against.
I've never seen anyone do this, although you are correct, it would help. Of course, no signature will match exactly, so comparison will be anything but an exact science.
...When it comes to secure computing, this is one industry that actually keeps it on the front burner...
I beg to differ. Credit card fraud runs in the billions of $ every year. One article claims the losses will be about (2002 figures) "$285 million over the holiday season in the United States." And that's just about 1 month's worth. Credit cards are anything but secure. Since consumers don't see the cost of the fraud directly, most are barely aware it exists. Of course, the cost is passed on in the form of higher fees and interest.
Merchants (and their employees) don't help matters any either. On all my cards, in the signature block, I put "Please ask for ID". (I've checked with Discover and they have no problems with that, BTW). Rarely do I get asked for ID.
Then there are merchants, such as the USPS, which won't accept the card without an actual signature. Don't need to show ID (I tested this), but it must have a signature or they won't accept it. It's an actual federal rule (I checked), so the clerk isn't doing anything wrong. Maybe it's just me, but I would trust a driver's license MORE than a signature with nothing to compare it to.
...People in corporations get FIRED if they sit around all day and do nothing.
Obviously you've never worked at a company where the department managers are sons-in-law of the company president, the office manager is blackmailing the company president (I don't know over what), and racism is rampant.
...Either result could have disastrous implications...
Actually, only if the court decides in Monsanto's favor will it be a disaster. This isn't some inanimate matter patented, but life. And life will find a way to spread. Once released, if it doesn't die out, it will spread. Look at various insects (killer bees, fire ants, mosquitos).
Static controls copied the comments in the program too from what I've read, not just the key. That isn't reverse engineering, but copyright infringement. Admittedly, I don't think the DMCA has any business being cited in this case.
...Lexmark are using DMCA against a company that sells chips that allow third-party cartridges to be used...
Those reporting on this case often leave an important detail out. Static Controls (the company Lexmark is suing) just copied the program on the chip, rather than reverse engineering it. I hate to say it, but that is copyright infringement.
In fact, the court found the problem was not Static Control's result, but its process. If a reverse engineering process produces the same result - the same kind of chip as the Smartek chip - that's fine from a legal standpoint.
5. In minutes, millions of DSL/Cable users running spammerSucker are downloading every byte out of their server, initiating millions of sockets per second.
Step 5 is probably easier than you would think. I worked briefly with a company that spammed intentionally (don't flame until you read paragraph 2!). Their servers were located in Tunisia and China, and I've got more bandwidth than those servers did (I'm on DSL). I was told they had to move them off shore due to the anti-spam people. (You ARE making a difference; I heard more than one impolite comment about you!) The people that set up the servers (i.e. physical access) did a very poor job. One server was rooted before I first SSH'd in. No updates applied at all either. They are easy targets for someone wanting to knock them off-line.
BTW, I didn't work there long because there were always problems with the systems. One delay after another under me. They couldn't launch any "marketing" campaigns. All accidental of course ;^) Since they never actually paid me anything (I don't believe they would have anyway, but it was interesting to see a spam operation from the inside), I don't feel too bad about it professionally.
Don't run attachments from mails if you don't trust the sender...
And don't run strange attachments from emails if you DO trust the sender. After all, unless you're both using gpg (I've got only one person I talk with that does), the email address could be faked. Then there are the trojans...
Actually, if 20% of the US population supported a view, and actually voted that way, a lot of elections would have very different results. Remember, maybe 40% of the eligible population does vote (in good years). Figure roughly half will vote each party. That's 20%. Now a third party, supported by the original 20% mentioned above, could definitely win some elections. And that would send a strong message to the 2 major parties.
Admittedly, it would probably take several election cycles of doing this to really drive the point home and teach the main parties we are serious, but it can be done. Remember, only about 1/3 of the original colonists favored independence. A minority, properly organized, can make a difference. Right now we geeks aren't organized enough, and the file sharing population at large (and it is large) isn't motivated to join us even if we were organized, but it's not impossible.
BTW, I've voted in every general election since I've been eligible, and I've never voted main party (nobody I've ever voted for in a national election has ever won either :( ). If enough joined me, reform would happen.
...laws like this ARE going to result in worse security...
My thoughts exactly (for quite some time now). The true criminals won't care it's illegal. They will get and USE the information anyway, leaving someone else to take the blame. (Honest officer, it wasn't me who swiped the card to break into the dorm and rob people.) And since the system is <sarcasm> so secure</sarcasm>, who's going to believe the victim? Of course, defending yourself without access to the information that shows how insecure the system really is is going to be a <sarcasm>cake walk</sarcasm>.
It's been my experience (and looking at history, I'm not alone) that trying to ignore a problem (bring in the lawyers!) only makes it worse and more expensive. Sadly, common sense seems so uncommon nowadays.
This reads like a troll. In case it wasn't meant like that...
...MySQL is such a half-assed database that it's embarrassing...
Then why do major sites use it? From the Mysql website (quickest reference I could find): "Customers such as Yahoo! Finance, MP3.com, Motorola, NASA, Silicon Graphics, and Texas Instruments use the MySQL server in mission-critical applications." I believe /. uses it too.
Is MySQL the perfect solution for every database need? No. There is certainly a place in the world for other databases such as PostgreSQL. The best tool for the job sort of thing. But, MySQL is still a serious player.
... Could you please give some examples of hosting companies that charge $1/gig or less?...
Sure, hostrocket. Their basic plan includes 20 gigs for $10/month (and right now they are running a special of 37 gigs for $10/month). They include php and 10 mysql db's (plus perl, ssh access [although it is not enabled by default], real unlimited pop3 email, and several other goodies at no additional cost).
I've been with them about a year now and have 2 other clients with them. Service is good. The only problem some of my clients have had is with AOL. AOL's new spam blocker seems to randomly block messages sent through hostrocket's servers. Sometimes the email gets through, sometimes it doesn't. However, this problem is not unique to hostrocket from what I know about AOL. BTW, AOL is doing the blocking, not hostrocket.
...It's also surprising that addresses harvested from the web fall into disuse rather quickly, and that the harvesting programs aren't clever enough to overcome very simple obfuscation...
It's also surprising they didn't mention something very simple to do so you don't have to obfuscate. Put the line <meta name="robots" content="noindex,nofollow"> on any webpage with the addresses. The spambots will ignore that page.
Of course, the search engines won't index it either, but that can be worked around. For instance, make a contact page with prominent links on the home page. Who cares if a contact page isn't indexed so long as the home page is? And any luser who's not bright enough to find that contact page probably wouldn't be able to figure out the obfuscation anyway.
I'm part of the harvester project (an anti-spambot group; google it to learn more), and my results compare with others in the group, and some of the webpoison users I've talked to. Since we've been feeding poison to the harvester bots, the bots have evolved to ignore any page with the above meta tag, since we always put that tag to keep the search engines out. My webstats have shown no looks at the second page in the tarpit since I've been a member (about a year, roughly 24-30K visitors).
We can't stop the spammers (yet), but can be a thorn in their side!
I'll agree on the brain dead part. From what I've learned from my host, AOL has put in a new system that automatically blocks based on complaints from AOL users. The more complaints, the longer the block stays in place. Apparently no human ever looks at it (until something goes wrong). This means AOL can be unreachable pretty much at random, and it can happen several times a day.
I remember one instance not too long ago where AOL even admitted that address had been forged and they were blocking incorrectly, but they couldn't figure out how to unblock manually. This was straight from an AOL representative's mouth.
...what if there was a national "do no email" list?...
There already is, of sorts. See http://www.dmaconsumers.org/optoutform_emps.shtml. As I understand it, the spammer sends their email list to the DMA, the DMA then returns the list with opt-out addresses removed.
Of course, this isn't too effective. How many spammers are members of the DMA? How many break current laws (think fraud), and therefore, wouldn't think twice about breaking other laws? And why should I have to opt-out in the first place?!?!
I think this is a great idea, especially if we can get more than a few ISPs to implement it. I think of perhaps a version of spamassassin on the sending SMTP server which will bounce any email back to the customer it detects as spam. The bounce would eliminate some of the collateral damage (which from my own experiences with spam-assassin, would be few).
If the customer objects, a dispute procedure could be set up. Say a $5 charge, up-front, to start the dispute procedure and if the email is not spam, the money is refunded (and maybe a bonus for all the trouble; few would collect).
Certainly a mechanism could be set up to whitelist any email coming from ISPs who use this filter (verification would be the tricky part). This would reduce the collateral damage.
A side benefit of such a system would be the spammers would be forced to adapt. They would find it difficult to impossible to use an ISP on the whitelist, and therefore either figure out a way to break through the filters (not likely, and the filters can be adapted to the new techniques), or move to an ISP that doesn't use egress spam filtering. This would tend to concentrate the spammers in a smaller ip space, making them easier to blacklist, again with less collateral damage.
What is a release candidate if it is not something that is considered possibly ready for release?
Something to see if they have all the bugs worked out (they don't, I've filed bug reports on rc1 personally) before they release it on non-testers. That said, a release candidate is something that should be fairly stable, so the more timid beta-testers can start helping with the QA.
To decode an IP address, say 3232236545, do the following:
1. Convert the number 3232236545 to binary. Using a program to do the conversion is easiest. The binary form of the number is 11000000101010000000010000000001
2. The number you got should be 32 digits long. If it isn't, add enough 0's at the beginning to make it 32 digits long. In our example, it is already 32 digits long.
3. Break the binary number up into 4 groups (or octets) of 8 digits each: 11000000.10101000.00000100.00000001
4. Now convert each octet into its decimal equivalent: 11000000 => 192; 10101000 => 168; 00000100 => 4; 00000001 => 1
5. The "mysterious" IP address is 192.168.4.1
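The decoding steps in the comment above, as an added example (not part of the original comment). It goes beyond the single decimal case to the other numeric host forms that classic inet_aton-style parsers accept (hex, octal, fewer than four parts) and flags URLs whose host is an IP address not written in plain dotted decimal; the function names and the sample text are constructed for illustration.

```python
import re
from urllib.parse import urlsplit


def dword_to_dotted(n: int) -> str:
    """Follow the comment's steps: 32-bit binary, four octets, decimal each."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    bits = format(n, "032b")                            # steps 1-2: binary, zero-padded to 32 digits
    octets = [bits[i:i + 8] for i in range(0, 32, 8)]   # step 3: four groups of 8 digits
    return ".".join(str(int(o, 2)) for o in octets)     # steps 4-5: decimal octets, joined


def _parse_part(part: str) -> int:
    """One inet_aton-style component: 0x.. is hex, a leading 0 is octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]*", part):
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part, 10)
    raise ValueError(f"not numeric: {part!r}")


def numeric_host_to_ip(host: str):
    """Return the dotted quad for a numeric host in any inet_aton form, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None                      # a real hostname, or malformed digits such as "08"
    # Leading parts are single bytes; the last part fills all remaining bytes.
    *head, last = values
    remaining_bits = 8 * (4 - len(head))
    if any(v > 0xFF for v in head) or last >= 1 << remaining_bits:
        return None
    n = last
    for i, v in enumerate(head):
        n |= v << (24 - 8 * i)
    return dword_to_dotted(n)


def find_obfuscated_ip_urls(text: str):
    """List (url, decoded_ip) for URLs whose host is an IP not in plain dotted decimal."""
    hits = []
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = urlsplit(url).hostname or ""
        ip = numeric_host_to_ip(host)
        if ip is not None and host != ip:
            hits.append((url, ip))
    return hits


# Constructed sample message body (not taken from the page).
SAMPLE = """Click http://3232236545/offer now
or http://0xC0A80401/a or http://0300.0250.04.01/b
plain http://192.168.4.1/c and http://example.com/d
"""

if __name__ == "__main__":
    for url, ip in find_obfuscated_ip_urls(SAMPLE):
        print(f"{url} -> {ip}")
```
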
I thought SMB run over TCP...
It can (and often does). However, there is only so much room for data inside each TCP packet, and, IMHO, SMB is very wasteful of that space. Therein lies the problem. Wasteful -> more packets -> slower speed.
Well, I found it valuable. I learned 2 new things I may not have found on my own (at least any time soon) from the comments, the fish protocol and LUFS. My web host recently disabled sftp, but not ssh (I have no idea why), so I was back to command line scp (I haven't found a good scp gui for Linux I like yet). Now, I can do GUI file work again. And if not for the article, the comments would have never been posted.
Sigh. So much to learn! If only I could break this addiction to sleep :)
Maybe it's just me, but I've tried this and gave up. Yes, it works, but performance was horrible, even for a WAN link. SMB was just never designed for WAN work. TCP, OTOH, is a different story.
The linux pre-built binary opens the preferences window just fine for me.
Well, there's some small hope in product liability laws, although I suspect the only ones to ever get any real compensation will be the lawyers.