I haven't used Firefox or IE's anti-phishing stuff, and I may have a different view of how whitelisting should work than others do, but I'll try to explain how I would approach it. You have a trusted 3rd party compile a list of domains (or IP addresses) that are known to be phishing sites, as is currently being done by Google and used in Firefox. Similarly, you compile a list of known good banking sites (e.g. use yellow pages and call management at established companies to find out what domain names they use, or require banking sites to fax a copy of their articles of incorporation with a list of domains). When a user goes to a site on the known-good list, the browser indicates that it is a legit business in some way, perhaps a green location bar or a green edge around the browser window. If the user goes to a known-bad site, things turn red. If the site isn't on either list, maybe it is yellow. You don't have to "know the intent of the user" -- you aren't prohibiting them from doing anything, you are just giving them a warning that something might be wrong if they get something other than the green light they expect.
Maintaining the whitelist would certainly require some work, but I think it's doable. You don't need to track ALL of the good sites -- people won't fear using slashdot.org if it has yellow instead of green. But if their bank has always had green, and one day they get an email professing to be from their bank, but they see yellow or red when they click the link, they will hopefully realize something is wrong. If the whitelist was only banks, it would be a fairly small, nearly-static list. If it included all companies accepting credit cards, it would be significantly bigger. The study found 1040 phishing sites over 2 weeks, and most were probably only up for a few days. So your blacklist adds about 500 sites per week. I doubt there are 500 new banks incorporated every week. While adding a domain to the whitelist may take much more effort for verification than adding a domain to the blacklist, it should be a more rare event.
Finally, let me note that the whitelist could have a significant impact even if the list is very small. Suppose the list only contains the 100 largest banks, and suppose those banks have 80% of the customers (I have no idea what the actual percentage is). If we have whitelisting, 80% of the Internet users (assuming each user only has one bank) are unphishable if they heed their browser's warning because the phishing sites will NEVER have the green light they expect. The other 20% of Internet users will expect a yellow light from their browser, and will have some risk of being phished by the phishing sites that aren't red-lighted by the filter (with current browsers that's 20-30% of phishing sites, according to the article). If we have only blacklisting, all Internet users have a risk of being phished, not just the 20% that use small banks. The whitelist makes things much harder for phishers, since they have to target smaller banks, which means each email they send has a much smaller chance of being received by someone with an account at the bank they are targeting.
The problem, as always, is trusting the data. If you request it from a known source via a secure channel you're good. Once you save it you expose it to other attacks.
If you have a virus on your computer, what keeps it from routing all TCP/IP traffic through a proxy to intercept the transmissions to the secure channel? What keeps it from modifying the browser executable to cut out the phishing check? What keeps it from keylogging your password when you visit a legitimate banking site? If you've got a virus on your computer, you can't trust anything that is going on on it -- local files aren't the only problem.
First, it would be a list of domain names rather than webpages, so millions instead of billions. Second, it is only really important to whitelist sites where sensitive information is entered (banks, sites taking credit cards, etc.), so even fewer sites. Finally, the browser could cache the lookup results for the sites you've visited in the past, so it would only need to do a lookup when you visit a site you haven't been to before, like when you accidentally go to mybanc.com when you should be at mybank.com. Not really worse than the lookups your browser does to translate domain names into IP addresses.
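As an added example (not code from these comments, nor from Firefox, IE or Google's actual anti-phishing implementations), here is a small Python model of the three-colour scheme the comments describe: a constructed whitelist and blacklist stand in for the trusted third party's data, a blacklist hit wins over a whitelist hit, parent-domain matching is done on label boundaries so look-alike hosts such as mybanc.com or mybank.com.evil.net never match the bank's entry, and lookup results are cached per host so a repeat visit costs no lookup, as the comment above suggests. Every domain name in it is constructed, and the `DomainLists` and `SiteClassifier` names are my own.

```python
"""Three-state (green / yellow / red) site classification with a per-host
lookup cache. Illustrative code written for this page; the lists below are
constructed stand-ins for the trusted third party's data."""

from typing import Callable, Dict, Iterable, Tuple

GREEN, YELLOW, RED = "green", "yellow", "red"


def normalize_host(host: str) -> str:
    """Lower-case the host and strip whitespace, a trailing dot and any port,
    so 'MyBank.com:443' and 'mybank.com' share one list entry and one cache slot."""
    host = host.strip().lower().rstrip(".")
    if ":" in host:
        host = host.split(":", 1)[0]
    return host


def candidate_suffixes(host: str) -> Iterable[str]:
    """Yield the host and each parent domain on label boundaries.
    'online.mybank.com' yields 'online.mybank.com', 'mybank.com', 'com', so it
    matches a listed 'mybank.com'; 'mybank.com.evil.net' and 'evilmybank.com'
    never yield 'mybank.com' and so cannot borrow the bank's green light."""
    labels = host.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


class DomainLists:
    """Constructed stand-in for the third party's whitelist and blacklist.
    Each call to lookup() counts as one remote query."""

    def __init__(self, whitelist: Iterable[str], blacklist: Iterable[str]) -> None:
        self.whitelist = {normalize_host(h) for h in whitelist}
        self.blacklist = {normalize_host(h) for h in blacklist}
        self.queries = 0

    def lookup(self, host: str) -> Tuple[bool, bool]:
        """Return (on_whitelist, on_blacklist) for the host or any parent domain."""
        self.queries += 1
        suffixes = list(candidate_suffixes(host))
        good = any(s in self.whitelist for s in suffixes)
        bad = any(s in self.blacklist for s in suffixes)
        return good, bad


class SiteClassifier:
    """Turns a list lookup into the colour the location bar would show,
    caching the raw lookup result per normalized host."""

    def __init__(self, lookup: Callable[[str], Tuple[bool, bool]]) -> None:
        self._lookup = lookup
        self._cache: Dict[str, Tuple[bool, bool]] = {}

    def classify(self, host: str) -> str:
        host = normalize_host(host)
        if host not in self._cache:  # only unseen hosts cost a lookup
            self._cache[host] = self._lookup(host)
        on_whitelist, on_blacklist = self._cache[host]
        # A blacklist hit takes precedence: if a listed-good domain is later
        # reported as hosting phishing pages, red must win over green.
        if on_blacklist:
            return RED
        if on_whitelist:
            return GREEN
        return YELLOW  # unknown: neither the bank's green nor a known-bad red


def demo() -> Dict[str, str]:
    """Classify a handful of constructed hosts; returns host -> colour."""
    lists = DomainLists(
        whitelist=["mybank.com", "cards.example-payments.net"],
        blacklist=["evil.net", "mybank-login.example.org"],
    )
    clf = SiteClassifier(lists.lookup)
    hosts = [
        "www.mybank.com",          # the real bank's subdomain -> green
        "MyBank.com:443",          # same entry after normalization -> green
        "mybanc.com",              # the typo from the comment -> yellow
        "slashdot.org",            # not tracked, and need not be -> yellow
        "mybank.com.evil.net",     # look-alike hosted under a listed-bad domain -> red
        "evilmybank.com",          # not a label-boundary match for mybank.com -> yellow
        "mybank-login.example.org",  # known phishing host -> red
    ]
    return {h: clf.classify(h) for h in hosts}


if __name__ == "__main__":
    for host, colour in demo().items():
        print(f"{colour:6s} {host}")
```

Because the cache never expires here, a host that moves from yellow to red after the first visit would keep its cached verdict; a real browser would give cached entries a lifetime, much as a DNS resolver honours a record's TTL, so that blacklist additions for short-lived phishing sites reach the user.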
My apologies to example.com, which is now in the process of getting heavily spammed.
No need to worry. example.com is a special domain that was reserved specifically for stuff like this.
Have you tried the latest GParted? This article says a new version was released on July 9.
Looks like a great piece of work. One important note from the article:
Problem: Why doesn't the driver work on 64-bit and bigendian systems?
Answer: We have no resource for that. Neither hardware, nor workforce.
Status: Low priority.
We have been using INetU for 6 years and have been very happy with them. We are hosted on FreeBSD/Apache, but INetU offers Windows/IIS too. Tech support has always been very responsive (usually can get someone on the phone immediately) for FreeBSD, and the machines have been very reliable.
The table of contents has an entry Stable Power Supply: 400 Watts Is Plenty, but the page says "...which is why we chose a 550-Watt unit." Huh?
You can calculate with strings -- it treats them as 0 instead of giving an error.
Correction - I should have said that it ignores them (not treats as 0) instead of giving an error. To see that that is the case, try using a function like var(), where a 0 generally has a different impact than a missing value would.
I think OO.o does the RIGHT thing: "Text is Text, and you can't calculate with text. So the bug is not on our side, it's Excel's."
Except that that isn't what happens. You can calculate with strings -- it treats them as 0 instead of giving an error. As some people pointed out in the bug report, if it gave an error people would know that something needs to be fixed. As it is, they get a "wrong" answer with no indication that there was a problem.
I agree. This is the second time in two days that I've come across a site with some custom scrolling thing that worked terribly. I just want to hit the "page down" key to scroll, like I've been doing for years. Is that asking too much?
If I actually wanted to run an ad with this service, I would go to adcenter.msn.com, click the "Sign up today" link and get "Microsoft adCenter does not currently support the web browser you are using. Please sign in using Internet Explorer 6+." If I then click the "More about system requirements" link nothing happens. I guess I'll just keep my money.
I may buy/build a workstation soon that will need the capability of holding a large amount of RAM (say 32GB - calculations requiring a lot of memory but not a huge amount of CPU) at some point down the road (I can probably put off fully populating the memory for a while). I came across this post, which seems to say that motherboards for DDR2 will allow more DIMMs (16 2GB sticks is a lot cheaper than 8 4GB sticks right now, at least for DDR). It is talking about DDR2 with Opterons. Is there a launch date for DDR2 on Opteron? Is the capacity actually greater with DDR2? Is DDR likely to become scarce down the road, causing DDR2 to be a cheaper option for future expansion? Any opinions are appreciated (I haven't had an excuse to buy hardware in a long time, so I haven't kept up on such things).
Sidenote: Yes, I am aware of the iWill DK88 (16 DIMMs DDR) - anybody have any experience with it (especially with Linux)?
I was looking at wanted posters, and each one had an SS number on it.
Yeah, but were you really tempted to steal the identity of someone the police were looking for?
But doesn't the fact that they were discussing it within earshot make it seem pretty sleazy?
Sleazy? Not in my opinion. Insensitive, perhaps. I would be more concerned about something sleazy (like trying to buy from the heirs at an unfair price or diluting the shares) going on if Allen was kept in the dark about it. Smart people usually keep their mouths shut when they are picking your pockets.
How would Ballmer and Gates have "gotten them back"?
Buy them. If you have a company with a small number of owners (Microsoft didn't IPO until 1986), you don't want to have 36% of the voting rights suddenly go to someone that knows nothing about the company (or technology in general) -- they could wreck the place. It's pretty common for companies to have rules spelled out for handling such situations (e.g. terms for other owners to buy out) when a key person leaves/dies. Cringely seems to be making a mountain out of a molehill (and I'm not a MS fanboy).
There is more info about the legislation proposed to stop this sort of thing in the article Congress mulls Internet-freedom bill.
For what it's worth, here are the statistics for MagPortal.com (excluding search engine spiders and other browsers) for December 2005 compared to December 2004:
MSIE 6.0: 81.35% (down from 83.39% in Dec 2004)
Mozilla/5.0: 15.17% (up from 8.82% in Dec 2004)
MSIE 5.0 + 5.01 + 5.5: 2.75% (down from 7.22% in Dec 2004)
Mozilla/4.0: 0.75% (up from 0.56% in Dec 2004)
Seriously, how many times have we heard this before?
It might actually be different this time. A few years ago AMD's advantage over Intel was just price, so Intel could always cut Dell a good deal on price and get exclusivity. If AMD manages to maintain a lead in performance (with less power consumption), Intel simply can't offer Dell anything that is going to please Dell customers looking for the best server performance. Add to that the antitrust lawsuit against Intel and maybe it is AMD's time to get a foot in the door at Dell.
Have you ever seen a "refund" on your AdWords account due to some AdSense advertiser generating "invalid clicks" for your ad?
Yes, I have. As per Google's documentation, you can click on the "My Account" tab and look for "Service Adjustment" in your billing summary. I have received some small refunds.
Shouldn't the cost of maintaining each domain name decline as they add more domains? Sure, they have some variable costs like salaries for staff, but the cost of server equipment is plummeting and their fixed costs should be diluted across an increasing number of domain names.
To top it off, wedding photographers are ranked #10 on the list of most overpaid professions.
I'll second that. I don't know how it compares to the other options, but kalarm does the job for me.
You forgot "all websites that only work with Internet Explorer."