No, it wasn't in the public domain. It had a license, and they retained the copyright. To be in the public domain, you can't have any copyright over it.
It was put under an original BSD style license (BSD w/ advertising), which is incompatible with the GPL. Thus no, no code from there could be used in Linux. However, it was shown that the code was pulled in from *BSD under the current BSD license.
Technically speaking, that's not true. The license that Caldera released it under was the original BSD license (the BSD license w/ the advertising clause). That license is incompatible with the GPL, thus no code from the Caldera release of "Ancient UNIX" can be in the kernel.
Given that a lot of that exact same code was released with the new BSD license way back in the day (or had the license retroactively applied to it). There was a legitimate way of getting a copy, just not from "Ancient UNIX". I am not sure what the origin of the copy is, I'm pretty sure it isn't "Ancient UNIX". My guess is it came from a proprietary UNIX, or a *BSD.
I've written C++ for a living for about 5 years, and I'm reasonable well read about the subject.... I didn't consider that it was all templated code (I was thinking about cutting down the binary size, I rarely use templates). I use g++ for a living, every day of the week. It might be pretty smart about it, but I all I know is that it takes about 5 times as long to compile the code using 2.96 as when you leave things in the header. The binaries are twice the size, and if you do it while leaving optimization on, you'll really, really regret it. Compiling will become a get up and go get lunch on a rebuild of a decent sized project. I optimize my code for development time, not for run time. I'm pretty expensive, computers are cheap....:-) I found that my reference counting base class was the only thing that was important enough to leave in the headers. Everything else was a waste of compile time.
As a general rule, I've found that if you are using that many templates, you are doing it "wrong". I very rarely use templates for anything but storage classes (which means I almost always use the STL ones). Templates are pretty useful, but in a lot of cases, you can design templates as inheritance, and make your stuff more OO like (Bjarne even mentions that most people don't use inheritance with their templates, as a tool they work well hand in hand). Heck, I could even implement most of the STL as something you have to inherit from and no templates (it'd be awkward to use, but it'd work).
Oh, I'd love to upgrade compilers, but I've got several problems. One of which is, I'll have to rework a lot of my code base (the std namespace gave me fits last time I tried). Oh, and my release platform is RH6.2, so until I upgrade my production machine, I'm using a 2.91 compiler to deploy. So it's not terrible source compatible with g++ 3.2.
Uhhh, use your favorite scripting language. Doing the demangle might be a bit tricky, but nm or obj dump should do either of those for you. Then just parse the class names.
Use a map or a hash. Oh, and lastly, move all the code in headers out into the.cxx/.cpp file, your code will compile faster, and probably run nearly as fast, with the exception of a handful of performance critical classes (finding them is important).
I'm not sure if that's true or not. I'm sure your more into the legalease them I am. I thought copyright was a by default thing. I know that started sometime after the Berne Convention (sometime in the 70's). I didn't know if that was retro-active or not.
I figured it might be that the sound quality was lower, but I still thought that the way MP3 compression worked, you'd still lose quality (it's my rough understanding that it compresses by removing certain sounds that are hard to hear).
Just get it in writing. If they ever sell their soul to the devil, never know what the devils lawyers will do to you...:-)
Just how many records do you own from prior to 1923? Isn't that the magic year copyright stops? I'm reasonable close I think, its some time in the early part of this century. I was unaware that they had that many that are a) worth owning, and b) still exist in a playable format.
I'm kinda surprised that somebody who collects old albums doesn't insist on CD quality audio for the digital masters. I'd figure your a serious audiophile if you collect old/rare albums. Personally, I'd turn each album into a CD (full CD quality), and turn the CD's into MP3's. Maybe use FLAC or whatever it is that the Ogg guys put out as a lossless audio compression, and then convert them to Ogg. That's just me though.
If the script kiddies are on your network and take down their own network connection, probably not a bad idea. If they are external script kiddies who are spoofing all the way to your internal dorm switches... Probably a good idea to shutdown the network.
Yeah, I just got my first set of Gigabit cards a while back... You are way out of my realm of experience. Linux can easily route a T1, probably could do a T3. It can route simple situations pretty darn fast. Two network cards, anything that comes in on one gets passed to the other, modulo a spoof filter.
I really meant it could do BGP/OSPF and get you real redundant backup links. It can easily do the Multi-homing. It can easily do all the filtering. It can easily do stateful firewalling (with 2.4 at least). It can do pretty sophisticated IP configuration (local/global IP's/Links, the same IP on several cards). It can do policy routing. It can do bandwidth shaping. It can do channel bonding. It can do redundant failover (vrrpd). It can do VLAN's. It can do VPN. It can do IPv6. I can do IPSec (with patches). It can do tunneling. It can do virtually anything you want it to, that involves relatively low bandwidth. If you are talking about slower then T3 speeds, and you trust the Linux drivers for your hardware, there is very little need for Cisco equipment. I wonder when someone will finally build out the hardware and put Linux on it, and leverate Linux as the software and give Cisco a run for their money.
Well, I know that there have been ATM drivers in the kernel since 1.2 series at least (when I started using Linux). I believe that there are any number of comercial routers based on linux which do ATM. The old LRP (Linux Router Project), always talked about how you could use it to do anything from ATM to dialup banks, to firewalling. That it could handle a T1, or ATM if you had the proper card.
LRP died a while ago (at least thats the impression I get), and some guys followed it up with LEAF. I'd check that out. I believe it's leaf.sourceforge.net.
I have no idea where you would get cards for it, but I'd buy 3 or 4 of them (to have redundant cards, and a one in a failover machine). I'd imagine the leadtime on a part like that could be a bit brutal (it's not like you just go pick one up down at the local CompUSA). So it's at least a day out, possibly two at the soonest.
If the driver is good, Linux is easily up to the task of doing nearly anything you want it to in terms of routing. Other then the proprietary Cisco protocols, it does nearly everything other good routers can on similar hardware.
Well, geez, if the US gov't didn't want us to see it, they'd just get the site shut down. Iran can't pull that off, so instead they just block all access.
Oh, and I'm not sure that the US gov't doesn't get access to the anonymozier logs. I think Anonymizer is supposedly pretty miltant about logs. I know there are several others out there that are pretty up front with the facts that they don't keep logs, and if you don't have a court order don't even ask to bother asking if you can look for the logs that don't exist.
Oh, and your still assuming, that everyone has perfect security. That just isn't a fact. I might be willing to tolerate a system where when my security is broken, I have to deal with spam. I'm unwilling to accept a spam solution where I have to trust the security of the internet at large. I've been around that block before, as a general rule people will in fact have piss poor security. I accept this fact. I want to account for it in a spam solution.
The only solution to spam is to make it economically infeasible for the spammer to do untargetted messages. You won't every stop them by making hoops they have to jump thru, they will find a way to defeat the defense. Make it so they can't make a living doing it any more, and it should stop.
First, CC info is pretty hard to steal via e-mail. It's hard to know when someone types it into an e-mail (In my 8 years online, I've never put CC info into an e-mail ever). I've seen or heard of a number of scams that try and get you to enter in passwords to your bank at a false front site, by using a confusing link or by DNS posioning. I've seen ones that try and get you buy from Amazon look alikes. It's not that hard. When you take away the money supply from spammers some of them are going to get desperate. They'll do crazy stuff, clearly they lack anything that resembles ethics or morals that are in line with mine.
Second, Mailing lists are a problem. Mailing lists alter the message (they alter important headers that you want authenticated, and they normally change the subject line and/or alter the header/footer to tell you how to unsubscribe from them. That won't just pass thru a signature check. Otherwise as a spammer, I just take a known good message signed message I received then put my spam before or after it like a header or footer. So the mailing list will in fact have to sign it for me to authenticate it.
Hmmm, curious. I always thought the most effective way of stopping spam was to make it a money losing proposition....
Blocking mail might do that, but there are any number of ways to stop spam, every last one of them involves making the price of spam a price no one is willing to pay.
Using Baysian filtering to build a set of IP's which have a threashold (say 90% of e-mail) is spam, then it gets added to your black list (Mailserver or router blacklist).
I didn't both to read the article. Go read the Appendix that Richard Feynman essentially demanded be added to the Challenger report. He says that part of the fundamental flaws the the Shuttle design, hinge on the fact that we don't understand each individual piece. Instead we understand the whole.
He says that each piece should be tested seperately, then put the pieces in small subsystems, and test them. Then put the small subsystems together and test them. Putting larger, and larger pieces together.
Turns out, we were in such a hurry when building the Apollo and Space Shuttle, that we didn't have time to do the proper individual testing. So we don't necessarily have all of the basic data about how each individual piece would handle a given situation.
This sounds like what you are saying Carmack is subscribing to. Makes some sense, and has the backing of on the the finest scientific minds the world has ever known (Feynman).
It's easy to penetrate as a spammer. Having secrets will create a black market, end of story. Look at identity theft. Look at Credit card fraud. Look at any number of computer security problems. The next worm that comes along will hook into your Mom's e-mail client, wait until she sends an e-mail so her private key is decrypted, then the worm forwards that home. Lets say they get 1000 of them out of a worm. The worm phones home, and removes itself everytime that happens, and stops spreading. Now they have a worm they can release anytime they want to send 1000 spams. They spam until the key gets revoked.
Your Mom is now officially classified as a spammer. Congratulations.
Insert my Mom, if that makes the story less offensive. In your situation, you assume that there is perfect security, and that everyone you trust (via your key ring), and all of theISP's they use perfect security. That's simply not the case. I don't want to have to trust them. Things I sign with my private key, get signed after being sneaker net'ed to a machine that has never been connected to a network. Not even an internal only network. Then I can be very, very sure my private key has never been compromised.
Plus how many people will get tricked out of their public key. Just send mail your e-mail address, and this file off of your machine, and I'll send you $500? Getting into the web of trust isn't that hard. Just go to public key signing events. Everyone will sign your key, and your on the web of trust. Everytime your key gets broken, find another set of people to sign them. Wow, there you are back on the web of trust. Goodie...
Plus your system requires work on behalf of the mail client, and the mail user. Technically, mine could easily be implemented in the SMTP protocol, and my ISP does it for me. (You could also do at the client if your client supported). If you wanted to prove you aren't spam friendly, don't allow non-signed e-mail off your network.
In my system, I don't need to trust anybody. I don't need to secure anything. I can leave the public key in the clear, with no passphrase. Technically speaking it doesn't need to be private at all. I could post both keys to the world, and I couldn't care less (obviously, I wouldn't use that key as my sigature to prove I wrote it then, I'd only use it to verify that you did the work I requested to read the e-mail).
Sorry if I wasn't clear. You aren't using your private key to send me e-mail. You are using my public key to sign the e-mail. In the system I describe, there are no secrets. Anything that is a secret, that gets you onto the "in" list will just create a black market.
I'd like to get to a point in life, where SPAM is economically infeasible. Right now, spam costs money, time and effort. Right now, paying a person to follow me around telling me about your wonderful products all day is economically infeasible. I'd like SPAM to be roughly in that same category. I want to stop SPAM, because it's incredibly inefficient waste of my time for the benefit of the spammer. I'd like to encourage them to come up with a different way to make a living.
That is my proposed filter. I'll still accept e-mail that isn't signed, but it'll get dumped in my high probability spam folder. You'll white list straight to my Inbox if you sign it with a key on a list of keys I trust in my procmailrc/e-mail client. The first time you send an unsigned e-mail, I'll personally write you an e-mail explaining the situation if getting email from you in a timely manner is important (no I won't use a crappy auto-repsonder).
Eventually, the hope is to bootstrap to a point where all legitimate e-mail clients automatically sign with a public key I make available on the MIT PGP server (or via the SMTP protocol on the other end). Heck that the sending SMTP server automatically signs it for you at the server (so that legit ISP's could just do it for you, if your client doesn't).
Mailing list software could just auto-sign with a private key that cooresponds to the public key they distribute to add to your trusted key list.
It'll take years of time to get into full use, but early adopters who communicate with other early adopters, and a couple of ISP's who offer mail service that will do this, would have a great deal of appeal. Once the software is available, I'd easily pay $10 a month to an ISP that would do the auto-signatures of e-mails. Even if it was an e-mail only account (not IP connectivity, just mail service). I'd happily pay for it, knowing that it was an investment in creating a final solution for e-mail.
If that e-mail provider also added Baysian filtering, and offered the CPU power to do the signatures with off the shelf clients. I'd be up for it.
That will make e-mail still be an option for targetted marketing (which I've got a lot fewer problems with then SPAM). Eventually, just black listing e-mail servers that allow non-signed, or mis-signed messages will solve the problem and have it expire in 48 hours. No bandwidth wasted (other then once every 48 hours), and no more of my time playing games categorizing mail, as spam or not. It's completely automated, it leverages economics to ensure that nobody wastes my time because wasting my time is a cheap thing for them to do.
I care mainly because I subscribe a lot of mailings lists that aren't funded by major money holders. In a perfect world, I can subscribe to a list that has 200 Million people on it, that isn't funded by a fortune 500 company, or a world gov't.
A lot of lists could then use this as a reason to charge for a subscription. Say BugTracker, or the LKML, or any number of other high volume lists, that have an huge number of subscribers who merely lurk. merely lurk on a number of lists to read interesting material periodically. I try and read the lists from a lot of different projects I am interested in.
I suppose this could re-invigorate the Email to Usenet Gateways (where the group is moderated only things that are sent on e-mail are allowed to post).
In the end, I'd like a solution that means running a large mailing list is cheap, but running a spam house is expensive. Essentially a large mailing list is a very small spammer. A lot of lists are run out the goodness of someones heart. However, nearly all mailing lists opt in, not opt out.
I'd like to create a way for it to be cheap for companies to send lots of e-mail. If I want their e-mail, I want it to be cheap to get it to me. Then the cost won't be passed onto me as a consumer. E-mail is a very efficient way to get the word out, and is a cheap way to do business. I think lower the cost of business is good. (In that sense spammers have the right idea).
Aren't you clever enough to consider the fact that the virus would wait until you have decrypted the key, and steal it? That it would hook into the prompt that requests your passphrase?
How would you run a mailing list? That mailing list would have to have a trusted private key that is decrypted in memory at all times.
If I want your private key, I'll get it if the computer is on the internet. (Okay, I can't do it, but I know the proper techniques, and know that people with the proper skills exist).
The only network that can secure a private key, is sneaker net, and that's unacceptable for something I use for e-mail.
NO, THEIR KEY, is useless. Unless there is a finite number of them, I am screwed. I've signed up for public keys before. All I had to do was run a couple of PGP commands, then submit it to MIT, now I have a PGP key.
I can't track down who it is, if they use bogus e-mail addresses and create a new key every couple of days. Then just throw away the private key. Now how do I track them down? They had a bogus e-mail address, and a private key that they don't have any more. Plus, I really want to make damn sure they have to re-encrypt it every single time the mail leaves the server. Otherwise some the CPU power will be trivial. Well, encrypt this 1, send it 5 Million times. It's just another hoop to make a spammer jump thru.
Beyond all that, that will just create a black market for private keys of known trusted users.
If you create a system where there are a limited number of private keys (not sure how you accomplish that), then they will just compromise a large enough percentage of them, that it's useless. It'll just create identity theft with e-mail.
If you want my trust, you'll have to use an object I have control of. Namely my public key. It will ensure, you wanted me to have it, and that you had to expend CPU time to get that mail accepted by me. I'll read all of the e-mail that gets signed by my public key. I won't bother if you sign it with a key I've never heard of.
Now, possibly, we can say you have both, but if I wanted to stop spam to my Inbox, I'd require anything that didn't originate off my e-mail server to be signed with my public key (and I'd white list in some e-mail addresses, mostly mailing lists, and my non-technical friends). Possibly I would include other people's keys as e-mails I'm willing to accept signatures for.
Remember identifing the spammer, and proving he sent the e-mail will not stop spam. Making spam a money losing operation, will cause spam to stop. The spammers are pretty well known (it's my understanding). We know who they are, and what spams they send. Still it hasn't stopped.
Make it computationally infeasible to have no targetting involved in your e-mail, and it'll be all spams will at the very least be more targetted, if you make it incredibly expensive, they will stop. The collateral damage is that people will stop using e-mail for a lot of things.
I know we just paid ~$800 for a 2 year certificate from Verisign a couple of years ago. Not sure why ours is special, but it's not impossible to pay extra for it. Ours was for a secure site.
Yeah, and spammers will be in the business of using trusted keys. Verisign will sell a key to anybody, and everybody who wants one. A big spammer, could easily afford to sign new keys. If you think Verisign will turn away their money, you are nuts.
If that doesn't work, spammers will start stealing keys and ruining them, thus making it easy to expediate the process of getting a new key. So the spammers will have an easy time a new key by claiming a spammer broke in and stole the key. If you tie it to IP, you'll wreak havoc on a number of load balancing mail solutions.
This isn't if counting the fact stopping a spammer involves making sending mail to other people expensive. If you don't do that, you can't make money. Period. SMTP-SSL will have to be computationally very, very expensive in order to stop spammers, which will make running a good sized mailing list pretty expensive.
The trick is making unknown users expensive, and making known users cheap. Keys and signatures are a good way to do it, but they will just be come tokens to be stolen, just like Credit Card numbers are now.
Hell, at some point, spammers will over to buy the tokens from stupid users. For $100, I'll by your bits, just send this file as an attachment please. They'll be something people steal off of old computers, or buy old mail servers at chapter 11 auctions. Users will send it right off. Alternatively, they will use a clever hack, like construction a virus that will latch onto your system after the key is decoded, and encrypt a set of known texts with your private key making it easy to decrypt, or to just send your private key if it can manage to get enough privledge.
Somewhat that is true. However, what constitutes trust of the origin of e-mail? One of the replys says to use PGP or S/MIME.
That only works if I require them to sign mail they send to me, with my public key.
Possibly having a key system of public keys and private keys. You put your own private key out there, saying you'll accept mail with anything that signs their mail with the public key. You add any mailing lists you want public key, they sign all outgoing messages with their private key. Thus you'll accep their mail.
You can white list on anybody else you're willing, using a Web of Trust from PGP if they are considered "trusted" enough. However, that will lead to problems.
However, public and private keys will suddenly become tokens of value to spammers. Suddenly people will start creating worms, and scripted attacks to pull peoples keys. They will start trying to break into machines. It'll create a black market for trusted keys the world over. They'll just be new attacks, and new problems. Creating a large scale web of trust, won't work. A worm can easily go steal the tokens of trust, and then start using them to spam with. It'll just be another arms race.
Now letting forcing people to sign with your key is probably the most doable, but it also means that running mailing list software is a real, real CPU intensive application. I'm not particularly thrilled with that.
The only way to stop spam is to make it stop being cost effective, that involves causing e-mail to be an expensive operation if it involves untrusted e-mail servers.
You are incorrect. Under absolutely no circumstances did you "have" to give up your intellectual property rights. It was well within your power to keep your property rights, however, you willfully chose that employer.
My employer tried to get me to assign them IP rights to all kinds of stuff. I just refused, and refused to sign it. They never fired me. We finally came to an agreement where they own everything I do if it is, during company time, or was created on company property (computers, or in their offices). Everything else is mine. I made it really clear, I wasn't signing the IP agreement until that was crystal clear.
I would have quit before signing the agreement. There are other jobs, and if their aren't, you can always be a contractor. You CHOSE to give up your property rights in exchange for your employment. You made that choice, and you are getting the compensation you are for it. If you aren't happy about it, either re-negociate or quit.
If you went and became a High School Janitor for years while you created your master work of programming, hats off to you, you've earned your IP rights. If you chose to sit in a cubical all day, and make good money, and you exchanged your IP rights for that, don't bitch about it. It's the choice you made. That's like complaining because you can't make as much money as your buddies because you dropped out of High School, and they finished college.
In my opinion, this should be an Ask Slashdot story, and that as such, you should ask google. Ironically, I really mean, you should read up on the environment that Google has setup. I know that it's part of their corporate culture to have a pretty relaxed environment, with a lot of perks. My guess is that they have a very good gaming/recreactional computer room in their offices.
Oh, and also look for stories about the height of the dot.com.
My personal opinion, is that it should be as relaxed a room as you can manage. Someplace that is relatively sound proofed from where people would be doing "real" work. So don't put it right next to where a call center is. That'd sorta destroy moral for that department if they didn't get to use it regularly.
Get very comfortable chairs, good lighting. The desks or tables don't need to be anything more then flat, and avoid sharp edges that cut into your arms. I'd arrange it in a circular fashion around the outside (that's where I'd put computers), also having a "strategy" table in the middle for meetings. White board walls everywhere. If you are going whole hog, have a video splitter on each computer, and allow for any given computer to be projected on a wall, so you could have spectators without crowding the individual players. Possible with a video demuxer so you could project everyones screen onto the wall. If you want competitive play, obviously, you might need two rooms, or a way to divide into two different relatively private sessions. So possibly have enclosed spaces adjoining them (hmmm, conference rooms that are used for other meetings adjoining it might work).
Have a supply of food there, possibly a refrigarator.
Slashdot Mirror
It was put under an original BSD style license (BSD w/ advertising), which is incompatible with the GPL. Thus no, no code from there could be used in Linux. However, it was shown that the code was pulled in from *BSD under the current BSD license.
Kirby
Given that a lot of that exact same code was released with the new BSD license way back in the day (or had the license retroactively applied to it). There was a legitimate way of getting a copy, just not from "Ancient UNIX". I am not sure what the origin of the copy is, I'm pretty sure it isn't "Ancient UNIX". My guess is it came from a proprietary UNIX, or a *BSD.
Kirby
As a general rule, I've found that if you are using that many templates, you are doing it "wrong". I very rarely use templates for anything but storage classes (which means I almost always use the STL ones). Templates are pretty useful, but in a lot of cases, you can design templates as inheritance, and make your stuff more OO like (Bjarne even mentions that most people don't use inheritance with their templates, as a tool they work well hand in hand). Heck, I could even implement most of the STL as something you have to inherit from and no templates (it'd be awkward to use, but it'd work).
Oh, I'd love to upgrade compilers, but I've got several problems. One of which is, I'll have to rework a lot of my code base (the std namespace gave me fits last time I tried). Oh, and my release platform is RH6.2, so until I upgrade my production machine, I'm using a 2.91 compiler to deploy. So it's not terrible source compatible with g++ 3.2.
Kirby
Use a map or a hash. Oh, and lastly, move all the code in headers out into the .cxx/.cpp file, your code will compile faster, and probably run nearly as fast, with the exception of a handful of performance critical classes (finding them is important).
Kirby
I figured it might be that the sound quality was lower, but I still thought that the way MP3 compression worked, you'd still lose quality (it's my rough understanding that it compresses by removing certain sounds that are hard to hear).
Just get it in writing. If they ever sell their soul to the devil, never know what the devils lawyers will do to you... :-)
Kirby
I'm kinda surprised that somebody who collects old albums doesn't insist on CD quality audio for the digital masters. I'd figure your a serious audiophile if you collect old/rare albums. Personally, I'd turn each album into a CD (full CD quality), and turn the CD's into MP3's. Maybe use FLAC or whatever it is that the Ogg guys put out as a lossless audio compression, and then convert them to Ogg. That's just me though.
Kirby
Kirby
I really meant it could do BGP/OSPF and get you real redundant backup links. It can easily do the Multi-homing. It can easily do all the filtering. It can easily do stateful firewalling (with 2.4 at least). It can do pretty sophisticated IP configuration (local/global IP's/Links, the same IP on several cards). It can do policy routing. It can do bandwidth shaping. It can do channel bonding. It can do redundant failover (vrrpd). It can do VLAN's. It can do VPN. It can do IPv6. I can do IPSec (with patches). It can do tunneling. It can do virtually anything you want it to, that involves relatively low bandwidth. If you are talking about slower then T3 speeds, and you trust the Linux drivers for your hardware, there is very little need for Cisco equipment. I wonder when someone will finally build out the hardware and put Linux on it, and leverate Linux as the software and give Cisco a run for their money.
Kirby
LRP died a while ago (at least thats the impression I get), and some guys followed it up with LEAF. I'd check that out. I believe it's leaf.sourceforge.net.
I have no idea where you would get cards for it, but I'd buy 3 or 4 of them (to have redundant cards, and a one in a failover machine). I'd imagine the leadtime on a part like that could be a bit brutal (it's not like you just go pick one up down at the local CompUSA). So it's at least a day out, possibly two at the soonest.
If the driver is good, Linux is easily up to the task of doing nearly anything you want it to in terms of routing. Other then the proprietary Cisco protocols, it does nearly everything other good routers can on similar hardware.
Kirby
Oh, and I'm not sure that the US gov't doesn't get access to the anonymozier logs. I think Anonymizer is supposedly pretty miltant about logs. I know there are several others out there that are pretty up front with the facts that they don't keep logs, and if you don't have a court order don't even ask to bother asking if you can look for the logs that don't exist.
Kirby
The only solution to spam is to make it economically infeasible for the spammer to do untargetted messages. You won't every stop them by making hoops they have to jump thru, they will find a way to defeat the defense. Make it so they can't make a living doing it any more, and it should stop.
Kirby
Second, Mailing lists are a problem. Mailing lists alter the message (they alter important headers that you want authenticated, and they normally change the subject line and/or alter the header/footer to tell you how to unsubscribe from them. That won't just pass thru a signature check. Otherwise as a spammer, I just take a known good message signed message I received then put my spam before or after it like a header or footer. So the mailing list will in fact have to sign it for me to authenticate it.
Kirby
Blocking mail might do that, but there are any number of ways to stop spam, every last one of them involves making the price of spam a price no one is willing to pay.
Using Baysian filtering to build a set of IP's which have a threashold (say 90% of e-mail) is spam, then it gets added to your black list (Mailserver or router blacklist).
Kirby
He says that each piece should be tested seperately, then put the pieces in small subsystems, and test them. Then put the small subsystems together and test them. Putting larger, and larger pieces together.
Turns out, we were in such a hurry when building the Apollo and Space Shuttle, that we didn't have time to do the proper individual testing. So we don't necessarily have all of the basic data about how each individual piece would handle a given situation.
This sounds like what you are saying Carmack is subscribing to. Makes some sense, and has the backing of on the the finest scientific minds the world has ever known (Feynman).
Kirby
Your Mom is now officially classified as a spammer. Congratulations.
Insert my Mom, if that makes the story less offensive. In your situation, you assume that there is perfect security, and that everyone you trust (via your key ring), and all of theISP's they use perfect security. That's simply not the case. I don't want to have to trust them. Things I sign with my private key, get signed after being sneaker net'ed to a machine that has never been connected to a network. Not even an internal only network. Then I can be very, very sure my private key has never been compromised.
Plus how many people will get tricked out of their public key. Just send mail your e-mail address, and this file off of your machine, and I'll send you $500? Getting into the web of trust isn't that hard. Just go to public key signing events. Everyone will sign your key, and your on the web of trust. Everytime your key gets broken, find another set of people to sign them. Wow, there you are back on the web of trust. Goodie...
Plus your system requires work on behalf of the mail client, and the mail user. Technically, mine could easily be implemented in the SMTP protocol, and my ISP does it for me. (You could also do at the client if your client supported). If you wanted to prove you aren't spam friendly, don't allow non-signed e-mail off your network.
In my system, I don't need to trust anybody. I don't need to secure anything. I can leave the public key in the clear, with no passphrase. Technically speaking it doesn't need to be private at all. I could post both keys to the world, and I couldn't care less (obviously, I wouldn't use that key as my sigature to prove I wrote it then, I'd only use it to verify that you did the work I requested to read the e-mail).
Kirby
Make it part of the e-mail servers job, if the mail isn't signed, then sign it. If it is signed, whoopie, just send it.
I'd like to get to a point in life, where SPAM is economically infeasible. Right now, spam costs money, time and effort. Right now, paying a person to follow me around telling me about your wonderful products all day is economically infeasible. I'd like SPAM to be roughly in that same category. I want to stop SPAM, because it's incredibly inefficient waste of my time for the benefit of the spammer. I'd like to encourage them to come up with a different way to make a living.
That is my proposed filter. I'll still accept e-mail that isn't signed, but it'll get dumped in my high probability spam folder. You'll white list straight to my Inbox if you sign it with a key on a list of keys I trust in my procmailrc/e-mail client. The first time you send an unsigned e-mail, I'll personally write you an e-mail explaining the situation if getting email from you in a timely manner is important (no I won't use a crappy auto-repsonder).
Eventually, the hope is to bootstrap to a point where all legitimate e-mail clients automatically sign with a public key I make available on the MIT PGP server (or via the SMTP protocol on the other end). Heck that the sending SMTP server automatically signs it for you at the server (so that legit ISP's could just do it for you, if your client doesn't).
Mailing list software could just auto-sign with a private key that cooresponds to the public key they distribute to add to your trusted key list.
It'll take years of time to get into full use, but early adopters who communicate with other early adopters, and a couple of ISP's who offer mail service that will do this, would have a great deal of appeal. Once the software is available, I'd easily pay $10 a month to an ISP that would do the auto-signatures of e-mails. Even if it was an e-mail only account (not IP connectivity, just mail service). I'd happily pay for it, knowing that it was an investment in creating a final solution for e-mail.
If that e-mail provider also added Baysian filtering, and offered the CPU power to do the signatures with off the shelf clients. I'd be up for it.
That will make e-mail still be an option for targetted marketing (which I've got a lot fewer problems with then SPAM). Eventually, just black listing e-mail servers that allow non-signed, or mis-signed messages will solve the problem and have it expire in 48 hours. No bandwidth wasted (other then once every 48 hours), and no more of my time playing games categorizing mail, as spam or not. It's completely automated, it leverages economics to ensure that nobody wastes my time because wasting my time is a cheap thing for them to do.
Kirby
A lot of lists could then use this as a reason to charge for a subscription. Say BugTracker, or the LKML, or any number of other high volume lists, that have an huge number of subscribers who merely lurk. merely lurk on a number of lists to read interesting material periodically. I try and read the lists from a lot of different projects I am interested in.
I suppose this could re-invigorate the Email to Usenet Gateways (where the group is moderated only things that are sent on e-mail are allowed to post).
In the end, I'd like a solution that means running a large mailing list is cheap, but running a spam house is expensive. Essentially a large mailing list is a very small spammer. A lot of lists are run out the goodness of someones heart. However, nearly all mailing lists opt in, not opt out.
I'd like to create a way for it to be cheap for companies to send lots of e-mail. If I want their e-mail, I want it to be cheap to get it to me. Then the cost won't be passed onto me as a consumer. E-mail is a very efficient way to get the word out, and is a cheap way to do business. I think lower the cost of business is good. (In that sense spammers have the right idea).
Kirby
How would you run a mailing list? That mailing list would have to have a trusted private key that is decrypted in memory at all times.
If I want your private key, I'll get it if the computer is on the internet. (Okay, I can't do it, but I know the proper techniques, and know that people with the proper skills exist).
The only network that can secure a private key, is sneaker net, and that's unacceptable for something I use for e-mail.
Kirby
I can't track down who it is, if they use bogus e-mail addresses and create a new key every couple of days. Then just throw away the private key. Now how do I track them down? They had a bogus e-mail address, and a private key that they don't have any more. Plus, I really want to make damn sure they have to re-encrypt it every single time the mail leaves the server. Otherwise some the CPU power will be trivial. Well, encrypt this 1, send it 5 Million times. It's just another hoop to make a spammer jump thru.
Beyond all that, that will just create a black market for private keys of known trusted users.
If you create a system where there are a limited number of private keys (not sure how you accomplish that), then they will just compromise a large enough percentage of them, that it's useless. It'll just create identity theft with e-mail.
If you want my trust, you'll have to use an object I have control of. Namely my public key. It will ensure, you wanted me to have it, and that you had to expend CPU time to get that mail accepted by me. I'll read all of the e-mail that gets signed by my public key. I won't bother if you sign it with a key I've never heard of.
Now, possibly, we can say you have both, but if I wanted to stop spam to my Inbox, I'd require anything that didn't originate off my e-mail server to be signed with my public key (and I'd white list in some e-mail addresses, mostly mailing lists, and my non-technical friends). Possibly I would include other people's keys as e-mails I'm willing to accept signatures for.
Remember identifing the spammer, and proving he sent the e-mail will not stop spam. Making spam a money losing operation, will cause spam to stop. The spammers are pretty well known (it's my understanding). We know who they are, and what spams they send. Still it hasn't stopped.
Make it computationally infeasible to have no targetting involved in your e-mail, and it'll be all spams will at the very least be more targetted, if you make it incredibly expensive, they will stop. The collateral damage is that people will stop using e-mail for a lot of things.
Kirby
Kirby
If that doesn't work, spammers will start stealing keys and ruining them, thus making it easy to expediate the process of getting a new key. So the spammers will have an easy time a new key by claiming a spammer broke in and stole the key. If you tie it to IP, you'll wreak havoc on a number of load balancing mail solutions.
This isn't if counting the fact stopping a spammer involves making sending mail to other people expensive. If you don't do that, you can't make money. Period. SMTP-SSL will have to be computationally very, very expensive in order to stop spammers, which will make running a good sized mailing list pretty expensive.
The trick is making unknown users expensive, and making known users cheap. Keys and signatures are a good way to do it, but they will just be come tokens to be stolen, just like Credit Card numbers are now.
Hell, at some point, spammers will over to buy the tokens from stupid users. For $100, I'll by your bits, just send this file as an attachment please. They'll be something people steal off of old computers, or buy old mail servers at chapter 11 auctions. Users will send it right off. Alternatively, they will use a clever hack, like construction a virus that will latch onto your system after the key is decoded, and encrypt a set of known texts with your private key making it easy to decrypt, or to just send your private key if it can manage to get enough privledge.
Kirby
That only works if I require them to sign mail they send to me, with my public key.
Possibly having a key system of public keys and private keys. You put your own private key out there, saying you'll accept mail with anything that signs their mail with the public key. You add any mailing lists you want public key, they sign all outgoing messages with their private key. Thus you'll accep their mail.
You can white list on anybody else you're willing, using a Web of Trust from PGP if they are considered "trusted" enough. However, that will lead to problems.
However, public and private keys will suddenly become tokens of value to spammers. Suddenly people will start creating worms, and scripted attacks to pull peoples keys. They will start trying to break into machines. It'll create a black market for trusted keys the world over. They'll just be new attacks, and new problems. Creating a large scale web of trust, won't work. A worm can easily go steal the tokens of trust, and then start using them to spam with. It'll just be another arms race.
Now letting forcing people to sign with your key is probably the most doable, but it also means that running mailing list software is a real, real CPU intensive application. I'm not particularly thrilled with that.
The only way to stop spam is to make it stop being cost effective, that involves causing e-mail to be an expensive operation if it involves untrusted e-mail servers.
Kirby
My employer tried to get me to assign them IP rights to all kinds of stuff. I just refused, and refused to sign it. They never fired me. We finally came to an agreement where they own everything I do if it is, during company time, or was created on company property (computers, or in their offices). Everything else is mine. I made it really clear, I wasn't signing the IP agreement until that was crystal clear.
I would have quit before signing the agreement. There are other jobs, and if their aren't, you can always be a contractor. You CHOSE to give up your property rights in exchange for your employment. You made that choice, and you are getting the compensation you are for it. If you aren't happy about it, either re-negociate or quit.
If you went and became a High School Janitor for years while you created your master work of programming, hats off to you, you've earned your IP rights. If you chose to sit in a cubical all day, and make good money, and you exchanged your IP rights for that, don't bitch about it. It's the choice you made. That's like complaining because you can't make as much money as your buddies because you dropped out of High School, and they finished college.
Kirby
Oh, and also look for stories about the height of the dot.com.
My personal opinion, is that it should be as relaxed a room as you can manage. Someplace that is relatively sound proofed from where people would be doing "real" work. So don't put it right next to where a call center is. That'd sorta destroy moral for that department if they didn't get to use it regularly.
Get very comfortable chairs, good lighting. The desks or tables don't need to be anything more then flat, and avoid sharp edges that cut into your arms. I'd arrange it in a circular fashion around the outside (that's where I'd put computers), also having a "strategy" table in the middle for meetings. White board walls everywhere. If you are going whole hog, have a video splitter on each computer, and allow for any given computer to be projected on a wall, so you could have spectators without crowding the individual players. Possible with a video demuxer so you could project everyones screen onto the wall. If you want competitive play, obviously, you might need two rooms, or a way to divide into two different relatively private sessions. So possibly have enclosed spaces adjoining them (hmmm, conference rooms that are used for other meetings adjoining it might work).
Have a supply of food there, possibly a refrigarator.
Kirby