Slashdot Mirror


User: spottedkangaroo

spottedkangaroo's activity in the archive.

Stories: 0 · Comments: 501

Comments · 501

  1. SPF is only the first half, choose to use SRS also on Gmail, SPF, and Broken Email Forwarding? · · Score: 0

    If you're forwarding mails from SPF tagged domains you should also be using SRS... it's kinda your own fault for forwarding without re-writing return path.

  2. directx was a mistake on Google Lively Review · · Score: 1

    I didn't really even try it out. Why on earth would they choose DirectX over SDL (or VRML or something) if they planned to release this for more than the one crappy platform that supports DirectX (by design)?

    From google, I was really expecting an open product or protocol. If it's just another closed directx app I'll just go play guild wars or something.

  3. Re:The end of ctrl+enter days? on ICANN Board Approves Wide Expansion of TLDs · · Score: 1

    wtf is a home page?

  4. Re:Always. on When Is a Self-Signed SSL Certificate Acceptable? · · Score: 1

    For casual uses, you can get a really basic cert at godaddy for $10. I fail to see why that's so bad. The CAs really do check your identity for the $100 certs and that takes personnel and resources. I fail to see why that's so bad.

  5. Re:Always. on When Is a Self-Signed SSL Certificate Acceptable? · · Score: 1

    I disagree 50%. In practice, this is correct, but in theory it is not.

    Theoretically, the CA is actually checking the identity of the orgs they sell certs to. Most actually do this to a limited extent.

    Also, each of the CAs keeps a revocation list for certificates that got out of reach. In order for someone to use the certificate illegitimately, they have to gain control of the domain name *and* the certificate -- or simply the web-server I suppose.

    If no major security breach is *currently* in progress, but one happened in the past, theoretically, you could simply revoke the certificate and get a new one.

    The revocation works, but the problem is that nobody actually checks the revocation lists. I was going to link to it, but presently I can't even find the CRL for verisign...

    CRL (knowledge)

    Perhaps I'm just wrong and the CRL is built into my browser... I don't think so. I seem to recall actually clicking on a bunch of them to tell firefox to go check them nightly.

    Yeah, in ff3 it's prefs->advanced->encryption->[revocation lists] -- mine is empty. Heh. Fat lotta good that does.

  6. reliability on Twitter As a Campaigning Tool · · Score: 1

    seems to be down too much to use for much of anything

  7. Re:How about selling what you have? on Sandvine CEO Says Internet Monitoring a Necessity · · Score: 1

    No... try setting up a bit torrent that maxes out your 1mb for a month or so. They'll talk to you about it. That 1meg they're allotting to you is concentrated too. The real cost of bandwidth is much higher, but in most situations servers and people don't really use it all. If it wasn't for that we'd all have our own crappy 360k for the money.

  8. Re:How about selling what you have? on Sandvine CEO Says Internet Monitoring a Necessity · · Score: 3, Insightful

    So you can't provide those fantastillion megabits per sec for 40 bucks. Ok, I can see that. How about ... I dunno... selling what you can sell?

    The problem is, that a megabit still costs $300/mo or $700/mo. There's no way around that.

    You can get un-fucked-with bandwidth for that price, or you can live with the fact that you're concentrated. You can't have it both ways.

    The more you buy, the cheaper it gets, so you could order a T3 or something for like $5000/mo and then sell it to your neighbors for like $200/mo... (not including the cost of the routers).

    ... but one thing you couldn't do is sell unfiltered unconcentrated bandwidth to your neighbors for $40/mo.

    I don't know about you, but I'm happy to have 3megs part of the day for $30/mo instead of my old ISDN line for $145/mo. Or maybe dialup? No thanks. I'll take the concentrated 3megs for $40.

    It's just not realistic to expect to get more for your $40 than they get for their $300.

  9. Re:And it's only taken 2.9 decades on McCain Backs Nuclear Power · · Score: 1

    I always put "nuclear waste" in quotes, since it should really be fuel for fast breeder reactors...

    There's still waste after that, but much less.

    But if you think there's resistance to nuclear power now, just wait until you try to build a 70ft tower full of liquid sodium.

  10. yeah, but did they study ... on Road Rage Linked To Automobile Bumper Stickers · · Score: 4, Insightful

    Did they study the effects of going 45 in a 55?

    Did they study the effects of drifting along and not passing while in the passing lane on a limited access highway (a 2 point ticket, called disrupting the flow of traffic, in most states)?

    I mean, really, if you did these things on foot you'd get, "Um, excuse me" and "right behindja," and "sorry there, ah, commin through."

    The real source of road rage is not being able to say, "excuse me." It frustrates humans because we need to be able to express ourselves. We're pack animals and the cars isolate us.

    My hunch is that inconsiderate behavior is a better predictor than bumper stickers. I haven't done a study though. Could be wrong. (Ignore my sig it's a joke.)

  11. resenting the sexist comments on Do Women Write Better Code? · · Score: 1

    I resent the sexist comments from the Ingres leaders.

    How would it be any different if I said women aren't as good at math as men?

    This is plain old sexism and I resent it.

  12. Re:If I were to donate to any tech foundation on EFF Wins Promo CD Resale Case · · Score: 1

    I have donated many times.

    One time they sent me a bumper sticker I was really proud to wear (on my car); but the last time I donated, they did not.

    I need a new bumper sticker for my new (well, used) car.

  13. Re:Thing is, Vista sells more in a day than linux on Windows XP Lives, Thanks to Linux · · Score: 2, Insightful

    Yeah, seriously. Who compiles it anymore? Gentoo is pretty hardcore. I think regular people can install ubuntu in an hour or so, probably much faster than vista.

  14. SQLite on F/OSS Flat-File Database? · · Score: 1

    SQLite works from most languages and on most platforms (even embedded ones). It's perfect for most single user things -- although, it's ... er ... skewed toward SQL.

  15. charter - u-verse on Charter Is Latest ISP To Plan Wiretapping Via DPI · · Score: 1

    I just jumped ship this morning because of their prices. I would certainly pay more for a service that doesn't do this, although I don't have to.

    ... how do they do the actual inserting? Do they use a transparent web proxy setup? How do they see the cookie? I have so many technical questions I almost wish I hadn't canceled their service yet.

  16. Re:SPF + !SRS! on 100 Email Bouncebacks - Welcome to Backscattering · · Score: 1

    See, I thought this was incoming bounces, not outgoing ones. Not sending bounces won't stop incoming ones, which is why I suggested SRS. That way you can definitely tell which ones are fake.

  17. Re:SPF + !SRS! on 100 Email Bouncebacks - Welcome to Backscattering · · Score: 1

    I don't think they'd be false positives. If the SPF record is wrong, they're just regular old delivery errors.

  18. Re:SPF + !SRS! on 100 Email Bouncebacks - Welcome to Backscattering · · Score: 1

    SRS isn't about dropping incorrect addresses. It's about dropping fake bounce messages (DSN) that aren't signed/generated by the server that's supposed to accept them.

  19. Re:SPF + !SRS! on 100 Email Bouncebacks - Welcome to Backscattering · · Score: 1

    I don't think it lies about who you are. It certainly shouldn't break any anti-spam measures.

    It makes the return path verifiable to the sender and if you decode it the original return path is there (with exactly the same reliability as before: 0).

    So I guess I don't understand your argument at all.

  20. SPF + !SRS! on 100 Email Bouncebacks - Welcome to Backscattering · · Score: 3, Interesting

    It seems like the solution to "backscatter" has been around for quite a few years (SRS). I'm surprised how few of the commercially available anti-spam solutions use or interpret it.

    At my company, we just looked at Barracuda (PoS), Pineapp, St. Bernards ePrism, MX Force, Postini, and some other things. None of them understand SRS and only a few of the tech contacts had even heard of it. Sad Sad. But they all seem to have hand-rolled "backscatter" protection that partially works.

    It seems like everyone has an SPF record these days. But it feels like relatively few actually check them and almost nobody goes the full distance and uses SRS.

  21. Re:hmm on FSF-Approved gNewSense 2.0 Released · · Score: 1

    They're talking about the freedom to use your computer however you like, not the freedom to distribute other people's work however you like.

  22. Re:Whoo boy on Wikileaks Sidesteps Publishing Public PGP Key · · Score: 1

    The only problem I have with what you said is that it's either false or willfully ignorant. It's otherwise ok.

    You can use a private key to create a signature that was verifiably created with that private key using the public key that's paired with it. If that public key was signed by other private keys and those are signed by other private keys, then using that web of trust you can confirm the sender is who they claim to be.

    That is the other purpose of asymmetric crypto. You can use it to encrypt and you can use it to authenticate. Those are two totally separate things and neither requires you give up your private key. It's private.

    More, SSL is used for encryption, yes, but that's a smallish way to look at it. It has several parts. It's also used to verify identity.

    There's a Diffie-Hellman key exchange that gives you a shared secret you can use to encrypt the traffic. If anyone hears it, it doesn't matter! DH is magic, look it up. The problem is that it's subject to man in the middle attacks. Enter the X.509 certificates.

    They are used to prove the sender is who they claim to be and not someone in the middle maintaining two separate encryption sessions.

    You use your keyring of public keys to prove that the sender's public key is from the person it's supposed to be.

    You don't get to see the sender's private key or the private key of any of the signers. You do not need to encrypt things using X.509 or pgp... you can use it purely for authentication purposes without revealing any private keys.

    Cheers.

  23. Re:would eBay sell craigslist on eBay or craigslis on eBay Sues Craigslist · · Score: 1

    I suspect the justice department or the SEC would have something to say about that particular maneuver.

    I very much doubt it's legal. It can't be.

    At the very least, wouldn't that count as malicious prosecution?

  24. Re:Whoo boy on Wikileaks Sidesteps Publishing Public PGP Key · · Score: 2, Insightful

    That's silly, you don't have to distribute the private key, that's the whole point.

    Take the Wikileaks SSL key. How do you know that's their private key and it's not a MiM attack? You know that because verisign (or someone) signed the public key. They did that with a private key -- and Wikileaks doesn't have it!! Oh nos!!!

    There's always a private key you don't have. That's the whole point of asymmetric cryptography. PGP is no different.

    So this argument is all very silly.

  25. Re:Whoo boy on Wikileaks Sidesteps Publishing Public PGP Key · · Score: 1

    why should that be an issue?

    This is all about the web of trust and authenticating data. Why does it matter that the sender keeps their private key private?

    Pretty sure their SSL setup will have a private key too. I suspect they'll have to conceal that too...