Slashdot Mirror


User: aqua

aqua's activity in the archive.

Stories: 0
Comments: 151

Comments · 151

  1. Re:It's ironic... on News from ApacheCon US 2002 · Score: 3
    Because Vegas is a cheap airline flight from most anywhere in the continental US, and the hotel hosting apachecon was five minutes by shuttle away from the airport. Your typical indian reservation would also feature three hours in a rental car to get to a hotel with no convention facilities.

    Secondarily, apachecon is hosted at a hotel with no casino -- definitely helpful, since the hotel is thus focused more on the needs of the convention and basic hospitality than steering you into a gambling pit at every opportunity.

  2. Re:Monopoly Abuse? on Microsoft takes on PDF · Score: 2, Interesting

    Remember that the DOJ is an executive-branch body; it doesn't include the judiciary. In the current system of US government, the purpose of executive agencies is to carry out those laws which correspond to the particular preferences of the administration then in power. At the moment, that's a Republican administration more friendly to (read: owned by) big business than any in recent memory.

  3. Surpasses the commercial Z distro on Openzaurus 3.0 Released · Score: 2

    I'm typing this on a Zaurus running OZ3 and konq/embedded;
    while still not as polished or featureful as it might be, and with some usability problems here and there,
    it's definitely better than sharp's attempt. Some nice UI tweaks, APT-style ipkg repository fetching, lots more packages. Very nice.

  4. Re:no legitimate use on Freenet 0.5 Released · Score: 3, Informative
    Silkwood died in a car accident on her way to meet with a New York Times reporter; she was carrying documents incriminating the plutonium plant at which she worked for criminal negligence. Various aspects of the accident suggest that it was likely caused by another driver deliberately running her off the road. The alleged documents then vanished from her wrecked car before the police investigation began. IOW, foul play is strongly suspected. Had Freenet-like technologies existed at the time, she could have published those documents, and even had she then been murdered on the way to talk to a reporter, some evidence would have survived.

    Source: Ken Smith's _Raw Deal_, "Whistleblower"; Blast Books, 1998. Definitely a book with some axes to grind, but good nonetheless.

  5. Re:no legitimate use on Freenet 0.5 Released · Score: 1
    What's wrong with usenet for anonymous publication? Posting is over SMTP, so you can put whatever you want in the from block, and you can post through any public SMTP server you want. Once you post, the document is rapidly spread throughout the world's news servers and is permanently cached by several servers.

    It's NNTP, not SMTP, but the same technical issues apply. Every non-borked SMTP server tags on a Received: header indicating the IP of origin. Most NNTP servers add an X-Trace header to the same effect. Even if they don't, the Path will point right back to the NNTP server you used, whose logs will most likely be able to show your IP connecting at such and such a time, submitting an article with that Message-Id, etc.

    That said, Usenet frequently is used for anonymous publication, and it works passably so long as you can conceal the first hop by using a public host or something. Okay for "casual" anonymity, but not something I'd rely on if I needed to post something anonymously from a heavily surveilled location or when the forensic resources of a major government were going to be called in.


    BTW, usenet is great for piracy as well. They'll never shut down alt.binaries.sounds.mp3.*, alt.binaries.multimedia, alt.binaries.warez.*, and alt.binaries.pictures.erotica.*. They're hosted by the ISPs, and the ISPs can use the phone company defence (ie, "We provide a medium for legitimate communication. Not our fault if people abuse it").


    That ISP defense is eroding. I suspect the only reason Usenet hasn't been attacked by the US copyright marauders is that its popularity is minuscule compared to the web and its volume of illicit traffic is small (mere tens of gigabytes per day) compared to the P2P systems. It has demonstrable legitimate purposes (everything outside a.b.*). It's also much cheaper in terms of bandwidth, since the content can be transmitted approximately once along each feed, vs. once per request in the P2P systems, so ISPs and universities have less of a motive to drop the a.b.* hierarchy.

    Usenet is great, sure -- it's easily the most effective, survivable conferencing system ever built. Being ignored by 99% of Internet users is actually to its benefit. :)

  6. Re:no legitimate use on Freenet 0.5 Released · Score: 1
    The first which comes to mind is whistle blowing.

    Hmm. If Karen Silkwood had had Freenet, she might have lived, or at worst found asleep on her keyboard the next morning.

    They use it as an excuse to pass sweeping anti-encryption (etc) laws.

    Probably not anti-crypto, at least not in the US; that fight has already been had, and the government lost. A likelier tack would be for legislation to prohibit technology that could be used for anonymous piracy-with-impunity. Such legislation would inevitably be overbroad, but it would merely require some creative judicial interpretation (which wouldn't be difficult to arrange, if the 2600/DMCA case is indicative) to make it stick.

  7. Re:no legitimate use on Freenet 0.5 Released · Score: 5, Insightful
    Anonymous publication and retrieval are tools for the politically oppressed. Freenet could, in theory, make any information of value unsuppressible. F'rinstance, an outlawed political group publishing a manifesto, someone reporting the actions of a corrupt government, that sort of thing. Suppose that during the demonstrations in Tiananmen Square, there had been only one camera in private hands; getting that video out would be a perfect job for Freenet.

    For which reason, tools like Freenet are banned in China and a number of other nations.

    There does exist a tricky bit of how to deliver such technologies to the people in need of them; possession of crypto is still a crime in much of the world, much less crypto intended to do that which oppressive regimes cannot allow.

  8. Re:Why I don't use it on Freenet 0.5 Released · Score: 5, Informative
    1) I cannot control what is in my datastore. Free speech or not, I'm not going to cache your kiddieporn for you. So if I know that there's a file I don't want, give me a way to blacklist it. If it's encrypted then it's another story.

    It is. The store is cryptographically opaque; you don't know what you're hosting. Whether it's possible to identify whether a particular item is in the store when you know its key, I'm not sure.

    2) My files aren't shared permanently. If nobody requests the files I injected, they are thrown out after a while, even if my node is online 24/7. That's just plain stupid.

    It's necessary for a distributed-storage system where the injection point needs to be distanced from the storage points. Data flows to where it's being requested, so you could keep an item in your own store by requesting it automatically every so often. It won't go anywhere else, but it will stay in the keyspace should it ever be requested later on. You could do much the same thing to prolong the longevity of someone else's data that you valued -- but again, it would tend to live only on your own node if no other nodes were requesting it.

  9. Re:shocking! on Microsoft Tries a "Switch" Campaign · Score: 1

    That hardly stopped them airing The Brady Bunch. I'd have thought use of drugs and Apple products hardly disjoint. They could do passably running targets specifically intended to appeal to recreational drug users.

  10. Mommy, I don't wanna be a slashdot cliche (but) on Laser Vision Surgery for Developers? · Score: 1

    When I took a Software Engineering class in college about 2 years ago, one of the LASIK developers came to give a presentation about the development process. Towards the end, asked about the implementation environment, he conceded that (as of early 2000) a LASIK system is built around a windows 3.1 machine ("but we're planning to migrate to windows 95.")

    Now, he had already explained their general system of hardware interlocks which abort the treatment in the event of component failure, so this doesn't really mean much. A source of amusement.

  11. Re:Correction on WiFi freq on Wireless Congestion · Score: 1
    That's because adjacent channels interfere with each other. They are not completely isolated channels as would seem logical.

    The three in common use you will notice are the lowest, middlemost, and highest channels. Lots of space in between.

    Hmm, okay, that makes sense. However, as transmitter density increases, that concentration ceases to be ideal.

    Devices DO indicate if they are having problems.. they give you indications of signal strength.

    Insufficient specificity. It doesn't discriminate between poor signal propagation and emissive noise on the channel, which are cured in different ways.

    Another approach would be for devices to make channel recommendations by checking each for round-trip signal strength and passively-sampled noise on the channel. Or simply to pick one automatically.

  12. Re:Correction on WiFi freq on Wireless Congestion · Score: 3, Interesting
    I might be mistaken about the significance of it, but while 802.11b at least is capable of a dozen or so channels, most 802.11 networks are using one of only three (1, 6, 11; 2.412, 2.437 and 2.462GHz respectively) of them. So there might be some overuse there.

    It'd be interesting to see some mobile spectrum analysis of frequency usage over geographic areas, to see if that pans out -- map spectrum emissions and see if there's an aberrant concentration in spots. Might not be terrifically useful, but cool data.

    Aside from broad deployment of spread spectrum for future RF-emitting gadgets (the ones not using it already), it'd be helpful if devices like 802.11b access points could indicate when they're having interference problems, so as to distinguish these problems from those of topography, incorrectly installed antennas, hordes of evil lurking microwave ovens, etc.

  13. Re:So it's going to cost me even more money? on Walling off Asian E-mail to Prevent Spam · Score: 2

    Most MTA vendors don't go out of their way to provide up-front relay-control instructions in English, much less in a selection of languages.

    Though I don't buy the language barrier excuse from chronic spammers (china telecom, e.g.), the open-relay db services could help smaller ones by translating their own instructions for fixing an open relay into the languages spoken in problem areas. Though in Wanadoo's particular case, that language would probably need to be the language of stuffing their MTA manual down their throat sideways.

    Dorkslayers, who don't run an open-relay database per se, do come right out and say "If your IP address is in the APNIC CIDR Block or APNIC CIDR Block2 (for instance) and it's running a SMTP service that has been demonstrated to allow third-party email relay ... well ... you may be a dork. Nothing personal. It's just business."

  14. Re:Just a question... on Consumer Hydrogen Fuel Cells · Score: 3, Interesting
    The big three automakers all made claims of that nature while trying to fight off alternative fuels legislation (which included a phased plan from LEV to ULEV to ZEV) in the 1990s -- they claimed the technology wasn't ready even for second-car usage (the car someone would use when they knew they were going on a short trip around town).

    Arguably it wasn't, but GM used one of its own prototype electric cars as a political lever on the technological readiness issue -- claiming it couldn't manage even a hundred miles on a charge, etc. They'd contracted Ballard to build the cells; Ballard built a battery pack that could manage more than twice what GM was claiming to Congress (around 200mi), but GM's contract allowed GM to suppress the information, ultimately forcing California to roll back state legislation on ZEVs (10% of all sales by the early 2000s, IIRC).

    Source: Taken for a Ride, by Jack Doyle. Sorry if I've misremembered the details, but that's the general picture.

  15. Re:ways around this crap? on Aussie ISP Scans Downloads For Copyright Violation · Score: 1
    Freenet. Not perfect, but it would cover this scenario. You can't tell what anyone else downloads, you can't tell what data on your own node is, and no one who can get your network traffic can see inside it. Send 'em a dollar and a bug report.

    Drawbacks: it's not a wide open touchy-feely instantly responsive searchable distributed repository like the current file-sharing offerings. Individual nodes might be susceptible to legal attack "on suspicion." But it's also much less likely to get you incarcerated in places where crypto is legal.

  16. Re:Corporate weenie arguments. on Telocity Wants Its Gateways Back · Score: 2

    One of the good bits in that service agreement is the HTML comment near the top by (I infer) the chap whose job it was to take the lawyer-generated Word document and turn it into HTML sufficiently terse as not to waste great gobs-o-flash with the wretched HTML conversion Word does. Not that it's terribly clever, but it's amusing to see something of that sort flashed into DSL routers everywhere atop a lengthy wodge of legalese.

    (the same comment was in the service agreement on my telocity modem; I came across it while looking for the proper URL to avoid actually clicking an "I Agree" button)

    Goes thusly:

    <!--
    This document was cleaned by hand, with much tender loving care, by MojoFreem.
    I would like to thank the following, for giving me the courage to clean this dirty HTML,
    wrongfully generated with numerous style "issues" using \/\/0r|) by the Evil Empire.

    * hairless cats
    * midgets
    * Lorne Greene (he rocks!)
    * Everyone named Corky
    * Short Yellow Bus drivers
    * The beings of Omicron Persiai VIII
    * All those fat people on "Sweatin to the oldies"
    * That guy who does that thing in that place
    * People who smell like cabbage
    * Donkeys

    "I'm amazed that you managed to write so legibly on your own butt." - Lisa, Simpsons
    "That's my Smith & Wesson. If you're gonna play with it, be careful, 'cuz it's loaded." - Grandpa, Simpsons
    "Where am I now?" - Professor, Futurama
    "Rectum? Damn near killed em!" - MojoFreem, Telocity
    -->

  17. Re:What else besides fsck? on ResierFS In Latest 2.4.1 Prepatches · Score: 3
    fsck: No, you just replay the journal (whatever metadata writes were pending) on mount. Takes a few seconds, then the fs is ready for use. If the tree gets damaged somehow, reiserfsck can help, though it's in its infancy and nowhere near as reliable or robust as e2fsck.

    features: well, it's fast, especially in edge cases like many thousands of files in a directory, where ext2 has trouble. Transaction support is coming too, which could be pretty neat. The speed used to be better than ext2, and is now slightly worse (pretty good for journalling), and will probably improve once a stable point is reached and some energy is spent reoptimizing.

    32k subdirs: no, I don't believe that limitation exists. Most every limit of that sort has been pushed out to 2**32 or 2**64. I'm not sure I'm remembering properly, though.

  18. Re:Spammers have evolved on Spambot Poisoner · Score: 2

    FWIW, there are patches available for qmail such that after a configurable number of RCPTs, the smtpd turns into a tarpit (starts deliberately slowing down the connection unto unusability). It wouldn't be difficult to adapt that to count only bad RCPTs, or similar. That, or issue transient failures after a smallish number of RCPTs, so legitimate MTAs will try again in a bit. Stateful comparisons would help quite a bit too (if >75% of usernames requested are in /usr/dict/words, you're probably the target of a dict attack).
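
The per-connection policy described in comment 18, as an added example that is not part of the comment and is not the qmail patch: it counts only bad RCPTs, escalates a tarpit delay, issues transient failures past a total, and applies the dictionary-ratio check. Every name, threshold and sample address here is an assumption.

```python
from dataclasses import dataclass, field

# Constructed stand-ins: a real MTA would consult its user table and a word
# list such as /usr/dict/words instead of these two small sets.
VALID_USERS = {"alice", "bob", "postmaster"}
DICTIONARY = {"apple", "banana", "cherry", "delta", "eagle", "alice"}


@dataclass
class SessionPolicy:
    """State for one SMTP connection (hypothetical class, assumed thresholds)."""
    max_bad_rcpts: int = 3      # unknown recipients tolerated before tarpitting
    tempfail_after: int = 20    # total RCPTs before answering 451
    dict_ratio: float = 0.75    # share of dictionary-word local parts
    min_sample: int = 4         # do not judge the ratio on tiny samples
    base_delay: float = 2.0     # seconds; doubles with each further bad RCPT
    max_delay: float = 60.0
    seen: list = field(default_factory=list)
    bad: int = 0

    def dictionary_attack(self) -> bool:
        """Stateful comparison: are most requested names plain dictionary words?"""
        if len(self.seen) < self.min_sample:
            return False
        hits = sum(1 for local in self.seen if local in DICTIONARY)
        return hits / len(self.seen) > self.dict_ratio

    def on_rcpt(self, address: str):
        """Return (smtp_code, delay_seconds) for one RCPT TO."""
        local = address.split("@", 1)[0].lower()
        self.seen.append(local)
        known = local in VALID_USERS
        if not known:
            self.bad += 1
        over = self.bad - self.max_bad_rcpts
        delay = 0.0
        if over > 0 or self.dictionary_attack():
            # Tarpit: stall the reply, growing exponentially up to a cap.
            delay = min(self.base_delay * 2 ** max(over - 1, 0), self.max_delay)
        if len(self.seen) > self.tempfail_after:
            # Transient failure: a legitimate MTA queues and retries later.
            return 451, delay
        return (250 if known else 550), delay


def replay(addresses, **thresholds):
    """Run a list of RCPT TO addresses through a fresh session."""
    session = SessionPolicy(**thresholds)
    return [session.on_rcpt(a) for a in addresses]
```

The caller is expected to sleep for `delay_seconds` before writing the SMTP reply; the policy itself never blocks.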

  19. Re:Mirror Please... on Spambot Poisoner · Score: 3
    http://www.svn.net/~aqua/atlantic/sugarplum/

    Thanks for the attention, all. The freshmeat posting was quite manageable, but slashdot's is more than the 128kbit outbound can handle. Asymmetric DSL sucks in a substantial number of ways.

    aqua
    (sugarplum's slashdotted author)

  20. Re:On a similar note: Email "Cloaking Device" on Spambot Poisoner · Score: 2
    A nice idea -- maybe Apache2.0's filters will lend themselves to something similar. However, of the spambots whose behavior I've observed, they are entirely free to provide a bogus User-Agent, or a U-A that changes on every HTTP request. The latter is easy to detect if URLs are serviced in the same spot (as with sugarplum grafted into a document tree with mod_rewrite), but an agent that merely lies about itself is harder to detect. Remote OS fingerprinting, comparing a stated platform with the perceived one, might help, but the reliability factor would be low. AFAIK, all spammers use windoze machines, and one M$ tcp stack looks much the same as another from the outside.

    A marginally better approach is to have pages with email addresses generated by php3/perl/etc, with mailto: links encoded for all requests -- s/(.)/'&#'.ord($1)/ge in document content, the same for URI-encoding in mailto: links. Still not impossible to decode, but the more spammers try to decode the content they harvest, the more bad data they get on their own. Moreover, most spammers aren't by reputation all that bright, and no self-respecting ethical programmer will work for a spammer, so their ability to adapt technologically isn't as good as ours.

    aqua
    (sugarplum's slashdotted author)
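
The address encoding described in comment 20, as an added example that is not part of the comment and is not sugarplum's code: visible addresses become numeric character references, mailto: targets are percent-encoded, and a plain address regex run over the served page then finds nothing. Function names and the sample page are assumptions; the references here carry their terminating semicolon.

```python
import html
import re
from urllib.parse import unquote

# The kind of pattern a simple harvester runs over fetched HTML.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAILTO = re.compile(r'href="mailto:([^"]+)"')

# Constructed sample page.
SAMPLE = '<p>Contact <a href="mailto:webmaster@example.org">webmaster@example.org</a></p>'


def entity_encode(text: str) -> str:
    """Every character as a decimal numeric character reference."""
    return "".join(f"&#{ord(c)};" for c in text)


def percent_encode(text: str) -> str:
    """Every byte as %XX, including characters that would not need escaping."""
    return "".join(f"%{b:02X}" for b in text.encode("utf-8"))


def cloak(page: str) -> str:
    """Encode mailto: targets first, then any address left in the document text."""
    page = MAILTO.sub(
        lambda m: f'href="mailto:{percent_encode(m.group(1))}"', page)
    return EMAIL.sub(lambda m: entity_encode(m.group(0)), page)


def naive_harvest(page: str) -> list:
    """What a pattern-matching harvester extracts from the raw bytes."""
    return EMAIL.findall(page)


def decode_like_browser(page: str) -> str:
    """Approximate what a browser does: resolve entities, then the mailto URI."""
    return unquote(html.unescape(page))
```

`decode_like_browser(cloak(SAMPLE))` returns the original page, which is the comment's own caveat: the encoding defeats pattern matching on raw HTML, not a client that decodes it.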

  21. Re:Hello, OpenNap. on Napster Going to Subscriptions · Score: 3
    I suspect we'll see a pattern resembling what's become of IRC -- quite a few networks, run well or run badly, with roughly similar characteristics. Any given piece of music can probably be found on any one of them. This especially applies since opennap includes an IRC-like chat system, which gives a slight nudge of particular appeal beyond merely trading files. Which will probably be healthy, as irritating as chat systems tend to be.

    The good part being, here, that the music industry probably can't go after a mercurial system like this -- you can't clean up mercury with a flyswatter, as they've discovered here and there in the past (decss, et al).

  22. Re:Budget on WB on Linux Screenshots on Level 9 · Score: 1

    Now I wonder if we can claim that some of the icons on that screen were released under the GPL, and that therefore that particular episode became forcibly opensource. :)

  23. Re:A User's Perspective on Exploits on CERT And Vulnerability Disclosure · Score: 2
    Consumers will not latch onto Linux if it's this hard to keep secure.

    Consumers have latched onto a series of OSes in the past which are virtually impossible to keep secure. Lamentably, security ranks a long way down the list of priorities in purchasing decisions. Even when it ranks highly, most people lack the expertise to make a judgement about what comprises security -- WinNT says "world class security" on the box -- and that's the level of depth many people are prepared to explore.

    DO NOT post exploits to the general public; insist that securityfocus, bugtraq, and others only allow legitimate developers to view them. Exploits are the equivalent of guns and ammo, and there is a great need for background checks!

    I highly doubt this one will ever work -- recent piracy and weak-crypto issues have demonstrated how difficult it is to restrict the flow of information. There are legions of "my leet hax0r expl01t-4rch1v3 hou5e o p4in" sites, and it only takes a single leaking "legitimate developer" before every one of them has a 0-day exploit.

    It's probably more feasible when free information flow is used as an advantage -- ready availability of information and the fix, e.g. "Information wants to be free," whether right or not, is a difficult force to fight.

    We need to express leadership in the open-source community to make the distros have secure default configurations, and automatically alert users of security problems, and allow them to choose to install patches. This could be integrated with policies at security sites.

    No argument with this one -- most vendors are pretty bad about this, because a shiny new installation sells best when it appears to be just bursting with new functionality, and "Install Everything" is still one of the more popular options in your typical installation. Linux distros have an elevated problem with that option because they ship with a ton of software, rather than a skeletal OS-and-GUI-shell which lets you choose whether you want to play Solitaire or not. Though I look forward to the announcement of a vulnerability in Win32 Solitaire.

    So, maybe: the installer offers a cronjob to check the updates site every night, or offers to subscribe you to the vendor's security-announce list. The updater (autorpm, update agent, etc) lets the user pick a notify-only, fully-automatic or run-on-request mode. To gain any acceptance, such an updater must provide anonymity (e.g. autorpm against ftp, debian's apt-get, etc), cryptographic security (e.g. autorpm's use of a gpg keyring with the vendor key) and optionality (see above).

  24. Re:Is that it? on DMCA Study Reply Comments Posted · Score: 5

    These aren't all the comments. Leastways mine isn't there, and I endeavoured to be as calm, polite and rational as possible. Most of the comments appear similar to the ones submitted back when slashdot ran the original article on this specific issue. I'd be interested to know what portion of the comments submitted by both sides were published; the big-money media companies seem fairly well represented. Is this even the right page?

  25. Re:FLAME RADIOSHACK on Linux Drivers For Free Barcode Scanner Cease-And-D... · Score: 1

    Be polite. There are secretaries on the other end of that phone number who are not to blame for the decisions their companies make, but whose job it is to do public-interface on behalf of their superiors. Same goes for digitalcreations.