But surely that's a legal interpretation? AFAICS it's not inherent in the bill of rights itself, and so it presumably doesn't have the same force? Yes, it is interpretation, but my understanding is that this is how the Supreme Court has interpreted the First Amendment. Until the Supreme Court reinterprets the law in a different way (which isn't likely), their interpretation has the full force of law.
Yes and no. It's not the "right" solution, but when all other available solutions have been exhausted, content filtering is better than the alternative. You're absolutely correct that it eats up resources - you can't just enable content filtering and walk away; you have to constantly keep writing new rules that will no longer work next week.
E-mail getting delayed 6 hours isn't strictly a problem with content filtering. Sure, if you eliminated content filtering, you'd probably also eliminate the 6 hour delay, but the right answer is fixing the system so that content filtering can be done without incurring a 6 hour delay. This is usually a problem of business management - the IT people want to fix the problem, but management doesn't want to pay for it, so the company loses bajillions of dollars (far more than the cost of the upgrades that IT wants) because of their unreliable e-mail service.
I personally do not use Bayesian filtering on my mail servers. Because Bayesian filtering is most effective with user participation (users have to train the filter by identifying both spam and non-spam messages, the contents of which will vary between users), I think this technology is best left to e-mail clients, not servers. Spammers have been actively fighting against Bayesian filtering for some time now, by including legitimate-sounding text at the bottom of their spam, which confuses Bayesian analysis by making the spam appear more legitimate, and legitimate messages appear more spammy (which makes false positives more likely, which make people spend more time digging through their spam folder looking for false positives, which makes people more likely to see spam that has been filtered out).
2. The Spam problem is mostly a law enforcement issue and not a technological issue.
This is absolutely 100% correct. However, since I can't actually enforce the law myself, and the government isn't (to the extent of making any noticeable difference), I have to fight it as if it were a technological issue. I will confess to not doing my part in writing my Congresscritters; one of these days I will get around to that (despite the criticism, CAN-SPAM is a very good start, because it clearly defines nearly all current spam as being illegal, so now it's just an enforcement problem, which Congress is responsible for funding).
3. Don't listen to the anti-virus/anti-spyware software companies.
Hopefully most people don't view Norton Anti-Spam et al as anything more than a Band-Aid on top of the problem, but when solving the problem is beyond your control, a Band-Aid isn't a bad idea. Of course I would point out that Mozilla Thunderbird comes with a free Band-Aid that works just as well, but most people can't be pried away from Outlook, so they have to buy something.
4. Most anti-spam methods do nothing to stop spam, except relay blacklisting.
I certainly agree that IP blacklisting should be the first defense against spam, but the term "relay blacklisting" doesn't quite cover what I assume you're referring to. For the sake of clarity, let me explain:
When an SMTP server accepts a message addressed to a local user on that system, the message will be delivered locally to that user's mailbox. However, if the server accepts a message addressed to someone else, the server will figure out where it's supposed to go, and attempt to send it there. This is called relaying. Normally, when you send a message from your e-mail client, you are sending it to a server (perhaps at your ISP) that will relay the message for you; this saves your e-mail client the trouble of having to deal with issues like figuring out where the destination server is and correctly dealing with situations like when the destination server is temporarily unavailable. Relay servers are good; they help make e-mail more reliable.
Note that a relay server uses exactly the same SMTP protocol to relay your me
Damn, I just replied to something else and lost my mod points. You've hit the nail on the head here. It's totally fine for the CIO to not know the details of the technology, and just manage the people (who in turn know the details of the technology). But it's not OK for the CIO who doesn't understand technology to make purchasing decisions without the input of the people who do understand the technology and will actually be directly working with the products and services being purchased.
It's amazing how quickly Slashdotters switch from quoting the Bill of Rights in order to defend freedom of speech that they want to ignoring the Bill of Rights in order to to condemn freedom of speech that they don't want. It's no wonder American lawyers earn so much! Commercial speech isn't protected the same way that non-commercial speech is. For example, advertisers are not legally allowed to lie about their products in television commercials, but I am legally allowed to lie about those same products all I want (as long as I'm not committing slander or libel). For example, without supporting evidence, I'm not allowed to say that drinking Coca-Cola causes cancer, but I am allowed to say that drinking Coca-Cola raises your IQ. The Coca-Cola Company is not allowed to say that.
But fraud is a form of speech that isn't protected at all. Fraud is illegal, and should be. Manipulating the stock market is also illegal, and should be. Those two categories of speech are not protected by the First Amendment, so if we could eliminate all spam in those categories, there's no First Amendment problem. And once you've eliminated all spam in those categories... really, what's left? Whatever it is, I'm sure we could find a good way to deal with it.
Customer calls up and says they want to set up DNS and web hosting. You check whois; the domain is registered, but the contact info is anonymous (most registrars offer this service now, and there are several proxy registration services). Of course your own DNS servers aren't listed as authoritative, because if the customer changes that before setting up their web site on your servers, things will break.
The customer says it's their domain. It's not cnn.com or slashdot.org or bankofamerica.com, it's something you've never heard of.
If you take the customer's word for it, it's possible it was somebody else's site and they're trying to phish personal data. But if you don't take the customer's word for it, you're making the customer jump through hoops that the customer doesn't see the need for, and which your competition won't make them jump through.
I agree that using different DNS servers for hosting and for ISP lookups is the right solution. To make sure there's no confusion, recursive queries should be disabled on the servers used for hosting.
Congratulations, morons. If I made a goof like that I'd lose my job. I wonder what it takes to get fired in politics. Being labeled by your opponent as "soft on child pornography".
WHY does this have to be so fucking complicated? In my opinion, it really doesn't have to be. If someone abused a child, whether or not he took pictures, he needs to be locked up. Same for attempting to do this. But at no point should LOOKING at a picture (especially one that may have been planted on your computer) be considered a precursor to rape. The thinking is, if you possess child porn (the kind involving actual children who were sexually abused), you must have obtained it somehow, and by doing so, you've increased the demand for child porn, and if demand goes up, the incentive to produce more child porn (by sexually abusing more children) also increases.
So, making possession (of that kind of child porn) illegal isn't completely insane. There's good reasoning behind it.
However, I completely agree with the rest of your post. Excellent point about the 1470-year-old demon. And hey, while we're at it, if we're going to ban fictional pictures, why not ban fictional stories? Shakespeare's Juliet was 13.
Unfortunately, as was indicated in the article, [downloadable] music is a very small part of the market. Small but growing, and the iTunes Store is the largest source by a wide margin. Since this is an article about the opinion of the CEO of company that owns the iTunes Store, I think that would be a good place to start.
And which market would that be? The "I'm not hurting anyone because I never would have bought it" market?* Or the present "iTunes is doing well" market? Obviously I'm talking about the millions of people who currently use the iTunes Store, who have purchased over two billion songs already. If some tracks are available with DRM, and some are available without DRM, iTunes Store customers may or may not consider that when making purchasing decisions. I am not talking about people who obtain music from other sources, because this is a story about the CEO of Apple, and Apple doesn't have any direct influence over the other ways people obtain music.
Apple needs to give record labels the choice of whether they want their music to be sold with or without DRM on the iTunes Store. Keep the same prices, keep the same format and bitrate (128kbps AAC), and keep embedding the user's ID in the file, but give the labels the choice, and indicate it to the customer before they buy (a small icon next to the "Buy" button should be enough).
Obviously most labels will continue to choose DRM. That's OK. Let them. And let the market sort it out.
Just yesterday it took a half an hour to get a mainstream quickcam out of the box and showing video. iSight? No longer than it takes to launch the app than needs it. Ah, but how long would it take you to get that same "mainstream quickcam" working on your Mac?
I did something dumb: I wanted to experiment with something (I don't remember what now) so I created a temporary user account, with the intention of deleting the account when I was done, maybe after a couple of hours. I used "temp" for the username and "temp123" for the password. Then I got distracted, and completely forgot about deleting the account.
Within a couple of weeks, an SSH worm had brute-forced the login, created a directory called "/tmp/. " (dot-space), downloaded and compiled a couple of programs, logged on to an IRC server, and started sending spam. It did not attempt to gain root access; there was no need.
So, the moral of the story is, don't assume that something like "temp123" is a complicated enough password, and if you have the option, only run sshd on a non-standard port (something other than 22). And don't assume that all malware only targets Windows.
If I was the Dictator of Internet, that's exactly what I would do until the Russian law enforcement community started thinking it'd be a swell idea to cut down on the abuse from their mobsters. Yes, well, this is part of why there is no such position.
That part isn't too unreasonable. We have considered doing just that, but more along the lines of dynamic IPs == blocked port 25, static IPs == open. The static IP customers tend to be businesses, some of which run their own legitimate mail servers (which we usually know about due to them requesting reverse DNS entries and such) That said, one of the spam complaints I got this month was a T1 customer with a couple infected PCs on their network, so nothing is foolproof. Yeah, that would be reasonable too, as long as you don't charge too much extra for a static IP and you give all your existing dynamic IP customers sufficient warning before making that kind of a change. Hopefully there aren't too many people running SMTP servers on dynamic IPs, but it will also break anyone with an MUA configured to relay through an external server on port 25, so you'll need to be prepared for that in advance.
That is a little more work, but doable. It could be problematic but you'd have better luck with looking at message rates than content. It'd be easier to pick out suspicious rates among your own customers. Grandma and Grandpa aren't going to be sending out 5 messages per minute let alone 100. Actually, that probably is a better idea (and would require significantly less processing power on your end).
The same problem with incoming scanning applies there too, maybe worse. If someone is sending out a new style of spam that filters don't know about yet, it doesn't help you anyway. If, as you suggest, you're looking at quantity rather than quality, then the style of spam doesn't matter.
We've found that just flat out turning it off is more effective than anything. Their PC could be so full of spyware and trojans that they can't even open IE let alone view a web page. It's also more effective for tech support. They may not even open up a browser, but when their mail check fails they're bound to call and if a support tech doesn't look at their account first, it'll be an interesting call.:) I've been on the receiving end of a lot of those calls, and a lot of users can be pretty unhappy with the idea that the service they're paying for has been turned off. It takes good training in your tech support department (something lacking at most ISPs I've worked for) to make sure the user comes away feeling like the ISP is on their side.
You might get a couple irate users, but once they figure out the situation (Even better if you have a fix/workaround for them) they're usually reasonable. What I was getting at was, if these ideas aren't technically problematic, why aren't more ISPs implementing them?
Think very, very early Internet. IRC access to all of Finland was cut off due to abuse. By one IRC network? That hardly constitutes cutting off all Internet access.
This is actually one of the features I like the most about Windows Vista so far.
Windows 9x had a well-deserved reputation for crashing all the time. Windows 2000 was barely usable when it first came out (because applications and drivers weren't written for NT), but once that got sorted out, it was pretty stable. Windows XP has that same level of stability, but it still crashes from time to time, not because of problems in the OS, but because of buggy drivers or third-party software - I've seen buggy drivers for a wireless NIC send a laptop into an endless BSOD loop, and video card drivers are notorious for causing problems.
Of course any OS will have trouble with bad hardware. I've killed a Linux box just by trying to read a scratched CD.
Anyway, in Windows Vista, whenever a program crashes, or you get a BSOD, Vista sends an error report to Microsoft, and a couple of days later, you get a little popup message that they've identified the problem. It tells you what caused the problem, and what to do to fix it. It actually works!
Please note that I am not a Windows fanboi - I'm typing this in Firefox on my iBook running Mac OS X, and there are three Slackware servers, an iMac, and an old laptop with Ubuntu in the next room. Also note that I wouldn't recommend Windows Vista to anyone for their primary computer until Service Pack 1 has been out for at least a month or so; not only is the OS currently rather broken, but third-party support is crap right now. By the time SP1 comes out, things should generally work (and the extra month is to account for problems and incompatibilities introduced in SP1).
In the "good old days" this problem would've been fixed in 10 seconds by cutting all of Eastern Europe off the net completely. Too bad it can't be done any more. Which "good old days" were those, exactly? When has anyone ever cut off Internet access to entire parts of the world due to network abuse? Sure, individual admins may choose to block access to their own networks from various places, but that's hardly the same thing.
They have antivirus software. It came with the computer when they bought it four years ago. Exactly, which is why they know they're safe and have nothing to worry about.
Now, if only they could get someone to fix this damn popup, something about a subscription. Oh well.
If I ran an ISP, I would set up a firewall that could allow or deny outgoing connections on port 25 on a per-customer basis, with the default being that all new customers would not be able to send out on port 25. Customers can configure their clients to relay through the ISP's mail server, or to relay through somebody else's server on port 587 (with proper authentication, hopefully), or they can call tech support and request that port 25 be opened for them (tech support would encourage them to try the first two options, but if they really want port 25 open, that's totally OK, as long as we aren't getting complaints about spam).
I would also run spam filtering software on all outgoing mail on the SMTP server, and have it quarantine (for admin review) anything above a ridiculous threshold. If you're sending spam, you get a phone call. If you don't answer the phone, you get an e-mail and we shut off your Internet access (redirecting port 80 to a web page explaining why service was shut off).
Is this ridiculous? Is it technically problematic? Does it create too much work for the ISP? Would users be pissed off enough to cancel their service?
Isn't there a way to develop a virus that can spread through these compromised computers, but instead of doing the damage, it fixes the leaks? These compromised computers have some sort of back-door left open right? Somebody suggests this every once in awhile. I think it's been attempted, but the implementation was buggy, and it ended up causing more problems than it solved.
So problem #1 is that what you're suggesting is, in fact, illegal. Breaking into someone's PC to install security patches and clean up viruses is just as illegal as breaking into someone's PC to set up a spambot.
Problem #2 is that a virus that spreads to exploitable PCs for the purpose of cleaning them up will cause just as much strain on the network as any other virus, and is just as problematic for IT departments and network administrators.
Problem #3 is that just silently cleaning up someone's PC doesn't do anything to educate the user about the problem, which is probably that they clicked an ad on a web site promising to give them another browser toolbar, or show the current weather in their taskbar, or add a million smiley faces to their e-mail, and then they clicked "I Agree" without reading the EULA that says the software will turn their PC into a spam zombie (but not in so many words).
Bots are basically just viruses and spyware, with a payload. Pretty much any time you hear about a new virus or worm, it turns your PC into a spam zombie, but nobody ever bothers to mention that detail.
Try AdAware, and your favorite antivirus software.
Slashdot Mirror
1. Content filtering is not a solution.
Yes and no. It's not the "right" solution, but when all other available solutions have been exhausted, content filtering is better than the alternative. You're absolutely correct that it eats up resources - you can't just enable content filtering and walk away; you have to constantly keep writing new rules that will no longer work next week.
E-mail getting delayed 6 hours isn't strictly a problem with content filtering. Sure, if you eliminated content filtering, you'd probably also eliminate the 6 hour delay, but the right answer is fixing the system so that content filtering can be done without incurring a 6 hour delay. This is usually a problem of business management - the IT people want to fix the problem, but management doesn't want to pay for it, so the company loses bajillions of dollars (far more than the cost of the upgrades that IT wants) because of their unreliable e-mail service.
I personally do not use Bayesian filtering on my mail servers. Because Bayesian filtering is most effective with user participation (users have to train the filter by identifying both spam and non-spam messages, the contents of which will vary between users), I think this technology is best left to e-mail clients, not servers. Spammers have been actively fighting against Bayesian filtering for some time now, by including legitimate-sounding text at the bottom of their spam, which confuses Bayesian analysis by making the spam appear more legitimate, and legitimate messages appear more spammy (which makes false positives more likely, which make people spend more time digging through their spam folder looking for false positives, which makes people more likely to see spam that has been filtered out).
2. The Spam problem is mostly a law enforcement issue and not a technological issue.
This is absolutely 100% correct. However, since I can't actually enforce the law myself, and the government isn't (to the extent of making any noticeable difference), I have to fight it as if it were a technological issue. I will confess to not doing my part in writing my Congresscritters; one of these days I will get around to that (despite the criticism, CAN-SPAM is a very good start, because it clearly defines nearly all current spam as being illegal, so now it's just an enforcement problem, which Congress is responsible for funding).
3. Don't listen to the anti-virus/anti-spyware software companies.
Hopefully most people don't view Norton Anti-Spam et al as anything more than a Band-Aid on top of the problem, but when solving the problem is beyond your control, a Band-Aid isn't a bad idea. Of course I would point out that Mozilla Thunderbird comes with a free Band-Aid that works just as well, but most people can't be pried away from Outlook, so they have to buy something.
4. Most anti-spam methods do nothing to stop spam, except relay blacklisting.
I certainly agree that IP blacklisting should be the first defense against spam, but the term "relay blacklisting" doesn't quite cover what I assume you're referring to. For the sake of clarity, let me explain:
When an SMTP server accepts a message addressed to a local user on that system, the message will be delivered locally to that user's mailbox. However, if the server accepts a message addressed to someone else, the server will figure out where it's supposed to go, and attempt to send it there. This is called relaying. Normally, when you send a message from your e-mail client, you are sending it to a server (perhaps at your ISP) that will relay the message for you; this saves your e-mail client the trouble of having to deal with issues like figuring out where the destination server is and correctly dealing with situations like when the destination server is temporarily unavailable. Relay servers are good; they help make e-mail more reliable.
Note that a relay server uses exactly the same SMTP protocol to relay your me
Damn, I just replied to something else and lost my mod points. You've hit the nail on the head here. It's totally fine for the CIO to not know the details of the technology, and just manage the people (who in turn know the details of the technology). But it's not OK for the CIO who doesn't understand technology to make purchasing decisions without the input of the people who do understand the technology and will actually be directly working with the products and services being purchased.
But fraud is a form of speech that isn't protected at all. Fraud is illegal, and should be. Manipulating the stock market is also illegal, and should be. Those two categories of speech are not protected by the First Amendment, so if we could eliminate all spam in those categories, there's no First Amendment problem. And once you've eliminated all spam in those categories... really, what's left? Whatever it is, I'm sure we could find a good way to deal with it.
It's not as simple as you think.
Customer calls up and says they want to set up DNS and web hosting. You check whois; the domain is registered, but the contact info is anonymous (most registrars offer this service now, and there are several proxy registration services). Of course your own DNS servers aren't listed as authoritative, because if the customer changes that before setting up their web site on your servers, things will break.
The customer says it's their domain. It's not cnn.com or slashdot.org or bankofamerica.com, it's something you've never heard of.
If you take the customer's word for it, it's possible it was somebody else's site and they're trying to phish personal data. But if you don't take the customer's word for it, you're making the customer jump through hoops that the customer doesn't see the need for, and which your competition won't make them jump through.
I agree that using different DNS servers for hosting and for ISP lookups is the right solution. To make sure there's no confusion, recursive queries should be disabled on the servers used for hosting.
So, making possession (of that kind of child porn) illegal isn't completely insane. There's good reasoning behind it.
However, I completely agree with the rest of your post. Excellent point about the 1470-year-old demon. And hey, while we're at it, if we're going to ban fictional pictures, why not ban fictional stories? Shakespeare's Juliet was 13.
Apple needs to give record labels the choice of whether they want their music to be sold with or without DRM on the iTunes Store. Keep the same prices, keep the same format and bitrate (128kbps AAC), and keep embedding the user's ID in the file, but give the labels the choice, and indicate it to the customer before they buy (a small icon next to the "Buy" button should be enough).
Obviously most labels will continue to choose DRM. That's OK. Let them. And let the market sort it out.
I did something dumb: I wanted to experiment with something (I don't remember what now) so I created a temporary user account, with the intention of deleting the account when I was done, maybe after a couple of hours. I used "temp" for the username and "temp123" for the password. Then I got distracted, and completely forgot about deleting the account.
Within a couple of weeks, an SSH worm had brute-forced the login, created a directory called "/tmp/. " (dot-space), downloaded and compiled a couple of programs, logged on to an IRC server, and started sending spam. It did not attempt to gain root access; there was no need.
So, the moral of the story is, don't assume that something like "temp123" is a complicated enough password, and if you have the option, only run sshd on a non-standard port (something other than 22). And don't assume that all malware only targets Windows.
Linux machines can participate in botnets too. I found this out when my ISP forwarded a complaint to me. Get off your high horse.
This is actually one of the features I like the most about Windows Vista so far.
Windows 9x had a well-deserved reputation for crashing all the time. Windows 2000 was barely usable when it first came out (because applications and drivers weren't written for NT), but once that got sorted out, it was pretty stable. Windows XP has that same level of stability, but it still crashes from time to time, not because of problems in the OS, but because of buggy drivers or third-party software - I've seen buggy drivers for a wireless NIC send a laptop into an endless BSOD loop, and video card drivers are notorious for causing problems.
Of course any OS will have trouble with bad hardware. I've killed a Linux box just by trying to read a scratched CD.
Anyway, in Windows Vista, whenever a program crashes, or you get a BSOD, Vista sends an error report to Microsoft, and a couple of days later, you get a little popup message that they've identified the problem. It tells you what caused the problem, and what to do to fix it. It actually works!
Please note that I am not a Windows fanboi - I'm typing this in Firefox on my iBook running Mac OS X, and there are three Slackware servers, an iMac, and an old laptop with Ubuntu in the next room. Also note that I wouldn't recommend Windows Vista to anyone for their primary computer until Service Pack 1 has been out for at least a month or so; not only is the OS currently rather broken, but third-party support is crap right now. By the time SP1 comes out, things should generally work (and the extra month is to account for problems and incompatibilities introduced in SP1).
Yeah, see, I wouldn't do that, because that sucks. I won't tolerate that kind of crap as a customer.
Now, if only they could get someone to fix this damn popup, something about a subscription. Oh well.
If I ran an ISP, I would set up a firewall that could allow or deny outgoing connections on port 25 on a per-customer basis, with the default being that all new customers would not be able to send out on port 25. Customers can configure their clients to relay through the ISP's mail server, or to relay through somebody else's server on port 587 (with proper authentication, hopefully), or they can call tech support and request that port 25 be opened for them (tech support would encourage them to try the first two options, but if they really want port 25 open, that's totally OK, as long as we aren't getting complaints about spam).
I would also run spam filtering software on all outgoing mail on the SMTP server, and have it quarantine (for admin review) anything above a ridiculous threshold. If you're sending spam, you get a phone call. If you don't answer the phone, you get an e-mail and we shut off your Internet access (redirecting port 80 to a web page explaining why service was shut off).
Is this ridiculous? Is it technically problematic? Does it create too much work for the ISP? Would users be pissed off enough to cancel their service?
So problem #1 is that what you're suggesting is, in fact, illegal. Breaking into someone's PC to install security patches and clean up viruses is just as illegal as breaking into someone's PC to set up a spambot.
Problem #2 is that a virus that spreads to exploitable PCs for the purpose of cleaning them up will cause just as much strain on the network as any other virus, and is just as problematic for IT departments and network administrators.
Problem #3 is that just silently cleaning up someone's PC doesn't do anything to educate the user about the problem, which is probably that they clicked an ad on a web site promising to give them another browser toolbar, or show the current weather in their taskbar, or add a million smiley faces to their e-mail, and then they clicked "I Agree" without reading the EULA that says the software will turn their PC into a spam zombie (but not in so many words).
Bots are basically just viruses and spyware, with a payload. Pretty much any time you hear about a new virus or worm, it turns your PC into a spam zombie, but nobody ever bothers to mention that detail.
Try AdAware, and your favorite antivirus software.
Yeah, hi.