I am so happy Microsoft got a taste of the problems that their own buggy software has...I wonder how many times this will have to happen to them until they get the picture.
You don't suppose this will convince them to finally switch to OSS, do you? I haven't seen my MySQL boxes taking down the Internet lately!
I don't know about your boss, but mine would be pissed if I told him I blew the budget to buy 10 extra $10.000 servers (Not including software licences) for a testbench, and then started to use 15 extra hours each week to keep every running server up to date.
Wow. It's great how you can respond while ignoring the parts of my postings you don't like. First of all, I specifically stated that there was no need to upgrade the servers every week. Second of all, I never said there was a need to mirror every server hardware combination. Thirdly, it's pretty poor IT management if all of your servers are so diametrically different that you would need to mirror each and every one of them for a testbed. Fourth, I'm pretty sure your softare vendor won't try to ram the law down your throat for using their product on a test server. Phone them and ask - they might just be reasonable about it. Remember that we are talking about a Linux distribution here; 95% of the underlying software licenses are probably GPL-based; work with the spirit of open source licensing and test your software.
I doubt that you know what you're talking about, in an ideal world your case would be true, but in the real world, it is not.
Oh, I'm perfectly aware that incompetent sysadmins run rampant in the 'real world'. BTW - thanks to all of you for disrupting the Internet over the weekend. The rest of us really appreciate you guys justifying our existance on a regular basis!
Man, I wish I had some of last week's mod points left. If you are correct (and it appears you are), this whole article/thread is a waste of time. It's almost a case of Slashdot trolling itself!
The No Electronic Theft law and the supposed "Internet Privacy Act" are two separate laws. Moreover, one was referenced in an article submission quoted from a reputable (subjective, I know) news source, and the other was an off-hand comment by one of the half-million or so Slashdot subscribers.
You've listed vulnerabilities in applications, not in the OS. No one's denying that buggy applications can (and should) be upgraded straight away.
Linux distributions are a collection of three primary factors, and a number of secondary. The primary factors are;
The Linux kernel
A Linux-based (typically GNU) userland
An installation/package management interface
Emphasis on #2. Like most other distributions, RedHat maintains their own custom packages for their software applications. That's why each distribution will in-turn address security updates on the likes of BUGTRAQ; each of them is distributing their own RPMs/DEBs/TGZz/etc. to fix the problem. That's what RedHat is ceasing; support for their custom software RPMs.
IMO, even if the kernel needed a bugfix, RH could supply a service pack, just like MS does.
You'll always be able to download/install the latest kernel, be it via RPM, SRPM, or sources from kernel.org; I don't believe that's an issue in the slightest.
What's being discussed here is why the OS should have such a short lifespan
Once you've upgraded all the packages to their current level, all that's left are the few packages (Base layout, package management interface, etc.) that comprise the "OS". If you require support but RedHat declines it on this basis, simply apply the updates and call them back.
Yes, there are testbed systems in large companies, but testing a new OS (and more importantly testing your applications work well on the new OS) is hard work and this costs the company time and money that could be applied elsewhere.
The high school I worked for had testbed systems. They're just common-sense. When you're deploying mission-critical, or even just important updates to a system, it's always adviseable to test it first. Be it a server upgrade or a workstation image, it's just good business practise to test it before you put it live.
The advantages to spending the money preemptively and having a solid software update policy in effect will save the company countless dollars, man-hours and heartache when and if that policy would have helped the most - in the case of an intrustion or major software meltdown.
BTW - Even when RedHat christens a newly released RPM that upgrades an existing package, it should be standard policy to test this upgrade on a testbed before putting it live, so the extended product life cycle won't do you any good anyways; damage done is money lost.
A testbed server doesn't have to be some kind of elaborate, highly-involved process. Essentially, you keep a 'good' image of the install base, else simply a mirror of the production server. Install this on a similar hardware platform (ideally a machine with the same hardware configuration), apply the upgrade(s), and test the robustness of the new system. Re-boot it and ensure sofware comes up. Watch for panics. Put some load on it and make sure the services don't fall over. (This, of course, will be done on a case-by-case basis, as all servers face different load scenarios). That done, migrate the changes to the production server, monitor it closely for a few days (even if you just watch Big Brother or a couple of log tails on your desktop), and call it a day.
I maintained upwards of ten separate workstation images and five servers using this methodology and virtually never had problems with any production setups as a result. We continued to stun the IBM tech reps (with whom we had a support contract, but that's a story for another day) when they'd come to the school and find themselves with absolutely nothing to do. They'd start to ask us about a problem they'd seen at other schools and we'd stop them with "Fixed that three weeks ago before it became a problem."
You're assuming that every computer on the planet is a web server. I can guarantee that web servers for most companies are less important that most secretaries' machines,
"Guarantee" is a pretty strong word, especially in a day in age where web-based software solutions are becomming very prevalent in the industry. Everything from trouble ticket systems to company Intranets to developer networks and more are hosted on web servers.
Moreover, all the vulnerabilities I referenced were not web server related. libbind affects any and all DNS resolution, for example. zlib is used in a lot of system applications, and we all know that CVS is often used for distributed software development projects.
For someone making accusations of assumptions, you're assuming a lot yourself.
BTW - I'd like to see you somehow support the notion that corporate web servers are such unimportant space-wasters, especially considering the mass hysteria of corporate tales of woe after the likes of Code Red / Nimda pummelled them. How many billions of dollars was it purported to have cost the U.S. economy again?
In the future, you may wish to substitute unquantifiable terms with less specific generalizations like "a lot of", and shy away from making far-fetched guarantees you can't possibly hope to support. And please, don't quote me figures from your last three employers, or from companies your friends work at. I'd like some real hard-line data on why corporate web servers are worthless. You can stick to the United States if it'll make your task easier.
and I can guarantee you further that there are many, many critical machines that are not on the Net.
Now there's a claim that's nice and easy to support. I can also guarantee that there are a lot of nice cars not on the road. So? We're talking maybe one in ten thousand server systems out there that fit this bill. Systems most likely owned by corporations who a) will already be paying for higher level technical support, and b) can afford an additional layer of support above and beyond that.
I highly doubt any mission-critical, non-networked machines of such import will pay any mind to a consumer-level product support document.
But, in the real world, you just don't upgrade each week. First of all, you don't have the time to do it, second many of your services are so complicated they might break seriously if a patch is applied, and ofc. all of this has to be done on a working live system in a very narrow timeframe, which leaves you very little time for errors.
Perhaps in the real world of beanie-wearing community college graduates, yes. But in the real corporate world, there are testbed servers on which to test upgrades, patches, etc. before rolling them onto the production servers. Often times there are also redundant servers which can be taken down, upgraded, tested, and put live one at a time.
Further - there's no requirement to upgrade once/week, but at the very least keep packages less than one year stale. The Internet as a whole got a kick in the goodies this past weekend by sysadmins who wouldn't patch a software vulnerability that was more than 7 months old (and by the network admins who allowed access to the servers via the public Internet, but I digress).
If you haven't upgraded your Linux systems in 6-12 months, I'd love for you to send me your IP address(es), because I'd like to send you a few packets pertaining to;
Double-Free Bug in CVS Server
ISC DHCPD Buffer Overflow
Multiple Vulnerabilities in ISC BIND
Apache/mod_ssl Worm
Multiple Vulnerabilities in OpenSSL
Vulnerability in PHP
libbind DNS Resolver Library Vulnerability
OpenSSH Challenge Response Vulnerability
Apache Web Server Chunk Handling Vulnerability
Multiple Vulnerabilities in PHP Upload
Multiple Vulnerabilities in zlib compression library
SNMP Vulnerability
etc.
Out in the "real world", systems administrators apply patches, fixes, and upgrades to their software regularly to avoid being used as a staging ground for one of our recent many DDoS attacks, or having their corporate data stolen.
It's the lazy, incompetent, certifications-are-king sysadmins out there who give us a bad name. They're the ones who adopt the theory that applying updates is "too hard", and claim that "things could break" which they use to justify their ignorance of best-practises security.
If your company's assets are riding on IT software and you're having trouble keeping up-to-date, talk to your vendor and ask for help. Have them justify the money you fork over to them every year and do something for you. If RedHat is your vendor, ask them for assistance in migrating your server farm from 6.0 to 8.0. If they won't give it to you, inform them that you'll find another vendor, and that you won't be spending $30k on another support contract. If you've already spent it, contact your lawyer.
"Real World" does not, nor should it ever be confused with or used to justify laziness, ignorance, or apathy. It's thinking like that that got us into our present state of dissaray.
Cos I hate football! (thus I'm not busy watching the game)
Do you hate football, or televised pro football?
I've been reading a lot of generalized anti-sports comments, much of which comes from people who are badmouthing/bandishing stereotypes about. What is this, thw Twilight Zone? Nerds hating sports IS a stereotype, people!
Myself, I love "football" (the American variety) and football (the "world" variety). I used to be a mean linebacker in school; took out guys twice my weight all the time ("Was that a legal tackle?" they'd mumble through the blood on their faces.. Heh..) and could kick the ball into the stratosphere. Later, I developed an affinity for football (Americans will recognize it as "soccer"); played for a former world cup champion, no less!
I was a goal tender until my eyesight became prohibitive. I also used to love getting down and dirty. I ran fast like a mo'fucker, and I could slide tackle a guy at ten yards and walk away with the ball.
Eyesight failing, I took up smoking, and running fast was no longer an option. But while I was in shape, I had a bloody ball - and I had my own home LAN at the same time. An XT and a 286 joined with a null-modem cable (paralell, for the extra speed) comprised my BBS and file server. A 286 laptop with a mono screen for reading mail and scripting the BBS.
Sure, I had a shitty time in elementary school; so did a lot of people. I got through it and found my passion in life. A lot of people can't make that claim; including a lot of the popular kids, the jocks, and any number of other stereotypes. Periodically I'll revisit my old classmates while they're serving me fries (with gravy, please).
So if you people are scorned over being called a "nerd" or a "geek" (titles I wear proudly today, because they allow me to demand a high rate of pay and respect from clients and co-workers alike), get over it. Life's a bitch. Being young can, and often does suck. That's what growing up is about - learning how to deal with things, including society.
As for the game, no, I won't be watching it. The baseball strike was the last straw for me as far as pro sports are concerned (I did love the Jays going it two years in a row, and Brazillia over Italy in the World Cup was beyond amazing). But you won't find me sitting here bitching about it.
Maybe some of you couch-potato whiners should get to a world cup, gray cup, stanley cup, world series or superbowl party some time and see what a blast social interaction can be. Then knock it, but wait until the hangover's gone first. (If you don't have one, you weren't at the right party)
I guess out big misunderstanding is the whole Win98 license. I
haven't seen used computers with OS licenses.
Schools tend to have several Win'95 and Win'98 licenses on hand. Also, there is a little-advertised educational licensing package for schools that costs about 10 of shelf-price for all Microsoft software.
A new machine with XP is ~$400
Firstly, schools don't tend to buy "eMachines" (low-quality, pre-fab machines that are good for a year or two), they buy complete systems with hardware support contracts. Simply packing up the machine and trundling it back to Future Shop or Best Buy isn't an acceptable solution. Secondly, schools can't go to a local electronics shop and buy computers by the handful. There are several layers of beaurocracy to go through, and often times schools will be tied to a hardware contract with one OEM or another. Computer equipment is purchased through the board office and delivered by internal courier; rarely ever bought directly by the school itself.
an old machine will require almost $400 in software and will be 1/10 the speed
When schools purchase software licenses they purchase them in numbers, they don't tie them to a physical workstation. Since license packages usually sell in round numbers, schools will almost always have additional licenses to allow room for growth (better to buy too many than not enough). The exception is licenses like AutoCAD which cost hundreds of dollars per machine per year, and requires hardware dongles (plural; multiple components each require their own dongle) which are the real money-eaters at several hundred dollars a piece.
Often times, new machines will be added to the network, imaged, and the software image adapted (drivers, etc.) to suit the specific needs of the machine and it'll be up and running inside of an afternoon.
As for the speed, again, schools have zero need for top of the line equipment. Realistically, 90% of consumers haev zero need for top of the line equipment. Schools don't license, or allow, modern video games to be played on their computers, and web browsers and word processing packages, though buliker by the day, still require little more than a couple hundred MHz and a few hundred megabytes of HDD space.
The long and short of it is this; if a machine can load a web browser, surf the 'net, compose a report in another (word processor) window and print said report - it's powerful enough for a school, church, or charitable organization. These places don't need to run Windows XP (in fact, I don't know that XP is being deployed en-masse yet. Win2k or Win'98 are the platforms being standardized around at present), they don't need to run Office XP or 2k - they can run Office 97, or even Word Perfect Office 8. Most of the software being sold for such markets are aimed at P133s with 32/64MB RAM.
WHAT IS A SCHOOL OR CHURCH GOING TO DO WITH AN OLD MACHINE?
... A school isn't going to teach word processing on anything less than a 500 Mh PIII.
If it will run Windows 98, they'll thank you for it and give you a receipt so you can write the donation off on your taxes.
High schools in developed countries, like those of us in North America, are hurting. A "computer in every classroom" has been met in some (many?) schools in highly developed urban areas, but they're P75s at best in a lot of cases. English labs still get stuck with 'the leftovers' which means, in a lot of cases, 486s. (Not MHz; processor type 80486. Remember those?)
Elementary schools tend to be even worse off. The high schools tend to get first crack, and if high school English departments are running 486s - can you imagine what elementary schools are running? Since the computers can't even remotely compare to what the educators are used to, many of them sit and gather dust. The potential use for computers lost on another generation of children who have to play around the desk(s) with the antique dust-collectors on them. Many of them don't even work anymore.
I can tell from your posting that you don't have much experience in high schools. That's alright, but please don't speak as if you understand the situation. High schools do, in fact, teach word processing on P133s running a server-side copy of Windows 3.1 because the computers often don't even have hard drives. They use WordPerfect/DOS 5.1.
What is net access if it doesn't include a current graphical browser and anything less than a PIII/500 isn't going to run much of a browser.
That's a wonderful idea, in theory, but in reality the students sit patiently and wait for Netscape Navigator Gold to load so they may browse to the referenced research pages. On the plus side, a lot of research oriented sites don't use ActiveX controls or Flash/Java navigation systems, so it's an acceptable trade-off. The Internet isn't in schools for student enjoyment; in fact, the students who glom onto the modern machines and pillage the bandwidth are causing many teachers to give up completely on trying to use the Internet for their studies, opting instead to make the Internet components of the course an after-school activity, or completely optional. Things are getting better in some areas, but 'better' is, of course, subjective. Now instead of 1000 warm bodies sharing a 128Kbit ISDN line, those 1000 bodies share a 1.5MBit HDSL line. Since I can saturate it by myself, imagine how an entire school must feel.
This still doesn't address the long term problem. What do we do with the old PCs in 5 more years (when all the schools have old PCs)?
Schools don't throw out five year old computers. Schools hang on to and cherish those computers for fear that if they sit too long, they may be re-allocated to another school in great need of them. Schools don't typically dispose of computers due to age, they'll often keep them in active use until they're too decrepid to power on, and all efforts have been made to salvage them.
I was personally responsible for taking three labs' worth of computers in varying states of functionality and creating two full, working labs worth of machines. I barely acheived the task, throwing out the remainder in completely dead parts.
For another two labs, we had to supplement the short supply of 1.2GB hard drives with brand-new 10GB drives; the smallest we could buy at the time. It was a shame, installing them into P120s that couldn't even enable DMA, letalone their supported level of UDMA, but atleast they were there, and they worked. Then the budget was exhausted (two months into the five-month semester) and the remainder of the machines sat, sullen, adorned with their "Out Of Order" signs. It worked out, however, since we were also in short supply of 15" SVGA monitors.
Public schools are very efficient when it comes to maximizing the return on their computer investment. They stretch every last nickel's worth out of every piece of equipment they purchase, so they're really not a terribly good target to look at when discussing PC waste management.
If you think public elementary and secondary schools are the only ones, ask me about colleges.
You know I do not know if Open Office needs to go further. I like it already now. And to be frank I am not simple user. I am a technical book author. As an experiment for this book I decided to switch and it worked out well.
In that case, would you mind sharing the secret to printing spreadsheets in landscape format? Try and try again, but it always prints in portrait (thankfully I was printing to PDF for testing, so no trees were harmed during this excersize) and as a result a two-page spreadsheet requires four pages - the last two containing two columns (the important ones - the ones with the totals).
Update: I've just been informed that there is a second, atypical way to make OpenOffice print in landscape format. I've always used the print / page setup dialog to print in landscape mode, which is non-functional. So what we have is broken duplication of code. No wonder the codebase is 136MB compressed and requires over 1GB of space to compile.
In the meantime, I solved the problem by exporting to Word 97/2k/XP, booting Win2k, and printing from MS Office.
I'd also love to be able to decrease the load time without having to keep dozens of MB worth of libs in memory. On my (respectable) Celeron 800 laptop with 256MB RAM, any of the OpenOffice components (Write, Calc, Impress,... ) take atlest 30-45 seconds to open, whereas Office 97, 2000, or XP will open any of their components in approximately 2 seconds. (I've removed the "Office Startup" from the "startup" folder; I don't believe in pre-loading all my applications to account for programmer inefficiency on any platform)
It's the work of 2 minutes to swap plates with a similar-appearing car in some parking lot... but a bit harder to swap out tires; most people keep the same set for years
A problem, however with identifying "me" by my tires; if I want new tires, I'll go to Sears and buy a couple pairs, or go to my (small) mechanic and have him install a few tires. Now, he can either install new or used tires at my behest (depending on how long I intend to keep the vehicle, and drive it in the meantime). So where's the association? I can assure you that I'm not going to let some minimum wage Sears schmuck follow me to my car and record my VIN. Hell, for all he knows I'm using my friend's van to pick up the tires. The logistics just aren't reailstic.
License plates are, by nature, assigned to a VIN. Tires are not associated, and are only slightly more difficult to interchange (give me a jack and ten minutes and I'll do it on the side of a road).
Yes, I'm sure there's value to adding tracking devices to everything worth more than $50 that we may purchase in our lifetimes, but there are also drawbacks. If the "good guys" (subjective) can track my tires, so can the "bad guys" (also subjective). What I don't like, however, is the ability of anybody to easily track me. Atleast it takes some minimal effort to track my license plate - a person has to look at every car matching my description (if I threw a rock from my driveway, it'd probably bounce off atleast four other J-Body cavaliers, so YMMV.;) )
I, personally, can't see the advantages of this outweighing the disadvantages and costs associated. Somewhere, I'm sure somebody has a great plan. Nevertheless, I think I'll stick to Goodyear
Unique IDs in the tires and a network of readers might not give up-to-the-second velocity and position data, but they might be good enough...
Yeah, but then readers would be required nation-wide which is costly to say the least. The resaon 'automated roads' have been back-burnered is the astronomical expense of implementing it in any large scale. I don't see RFID readers being implemented in a nation-wide net any time soon. All you'd have to do to escape 'the man' is to hit a concession or a country road.
That's my strategy too. I would take it one further however. Pick apart the email headers that you get bounced back to you and alert the ISPs. Many ISPs (not all) have policies against mass emails. If the email links to a website, find the domain admin and technical contacts and let their ISP know..
I've found that in my experience, ISPs aren't as responsive to SPAM-type abuse issues as are webmasters.
My homepage (vanity domain) has a "Webserver Stats" section that logs, among other things, referrers to my site. Some unscrupulous types found this out and decided to take advantage of this public advertising medium. What resulted were literally hundreds of requests per night for each of about 30 domains (almost all of them pornographic in nature) for non-existant files (I suppose they figured my 404 page was the smallest thing on my site). With their URLs in the referrer field, Webalizer dutifully added them up and created a referrers graph that, not surprisingly, was filled with the top ten of these porn sites.
These attacks (which also flooded my ADSL line's bandwidth, I might add) were carried out from two major U.S. ISPs. E-mail to the ISPs got me little more than an automated "Thanks for the heads-up" responses, so I decided to go after the websites themselves. A little whois work on the domains and I found that they were all hosted at the same hosting company who responded immediately requesting more information, and who then acted on the complaint in short order and the problem went away.
A little bit of dilligence and these people can be nailed down. Many of them don't seem to host their own websites, so use their webhosting companies against them. Track them down and have them ousted. The transition time to a new company will be real bite in the keester and should make their job a little less worthwhile. At the very worst, they'll give up on third party hosting companies and have to shoulder the cost of hosting the sites themselves.
Hmmm...This sounds a lot like X-Windows when you set your desktop to be bigger than your monitor's resolution, or when you use virtual screens. Not a particularly revolutionary idea, but could be useful if intuitively applied...
Alright then, smartguy - pick up your monitor and make X scroll sideways.:)
So what I'm hearing is that for $500 dollars ANYONE could get into a new market distributing television over the internet... interesting that. So there's a whole market out there of eyeballs that can be reached on the cheap and the geniuses at the major networks are wasting their time influencing government instead of doing their due diligence and capitalist duty by exploiting that market. They should all be shot.
I'm afraid you've missed my point.
I was speaking strictly of re-broadcasting pre-assembled signals. Vis; the major networks pay for casting, crew, locations, scripts (writers), makeup, wardrobe, lighting, equipment, and broadcast. Afterwards, I take this signal and, using comodity hardware/software combination I encode it and re-transmit the signal.
That has the effect of stealing their work without any due compensation. Even in the case where someone might re-broadcast with the comercials intact, this isn't a valid form of compensation. Sponsors don't pay to merely have their comercial shown; they pay for a timeslot in a particular broadcast at a particular date and time, aimed towards a specific demographic. Re-broadcasting a primetime show's commercials at three o'clock in the morning to a global audience may benefeit the sponsors, but it doesn't benefeit the network.
This has nothing to do with due dilligence and everything to do with people overstepping their bounds. Much as television content isn't terribly stellar nowadays, I'd hate to see networks remove the ability for people to receive that content without a subscription system.
I don't understand why this is such a shock. I mean, did you really expect that it would be LEGAL to rebroadcast television over the internet without proper permission? Do you think that would be "right"?
That was the first thing that crossed my mind when I read this story. The fact that it's combined with the blank recording media levy is disingenuous on the part of the submitter/editor responsible for posting it.
The media levy sucks, but quite honestly I can't find sympathy for companies who want to earn a living on the backs of the work of major networks. For commodity hardware at an expense of no more than $500, I could re-broadcast network television to the Internet. That's just not right.
If you don't want the public to spot your releases until they are officially announced, then you should keep them hidden. Upload your files with restricted access to the master ftp and all mirrors, issue the press release, THEN make the files public.
Thank you for that.
I just have one thing to add here;
I've been reading all these comments from the BSD crowd here in awe. I mean, all this hostility over... what? An announcement that linked to a PGP-signed release announcement. The ISOs are on the servers. The time to rejoice is nigh! But no rejoicing from this crowd. No "Awesome new features... I can't wait to test this on my home rig... " postings; just adolescent whining.
Seriously folks; you respect the FreeBSD development team, right? You respect their programming talents and their combined decades of computer, operating system, and networking experience, right? Do you really take them to be this naive? Would you really have us believe that they would roll release-grade, Version 5.0 (no RC-*) CD images and make them public when they weren't ready? Do you really think they'll be at all SURPRISED when people start to notice, download, and tell all their friends about this release? Don't you think they have a solid, stable (FreeBSD) FTP server pumping out these requests, properly configured with reasonable user/transfer limits in place, and QoS on their upstream bandwidth? If you're that unsure of FreeBSD's ability to handle high loads - why are you downloading it?
It was inevietable that this would find its way to Slashdot. That's how Slashdot works. It's been seen time and time again. KDE, GNOME, Linux Kernel, XFree86, [Open|Star]Office, or any other project of significant magnitude (and interest) - the release files are made publically available, someone notices and the Slashdot editors respond to the influx of "It's here! It's here!" submissions. As a result, Slashdot is very often the first place to find out about new software updates. Is this really 'news' to anyone?
Sure, they could link to the mirrors, but not doing so isn't by any means a conspiracy, it may be poor taste, but it's the same taste that links directly to kernel.org when a new Linux kernel is released. It's been pointed out to me more times than I can count that Slashdot readers are "IT professionals" - so stop talking about being professional and act like it. Download reaponsibly; use a mirror.
I'll download a mini-ISO later, when the tide has ebbed, and install it at my leisure.
I look at it this way... How much spam am I willing to put up with in order to prevent friends from having to (gasp) send one extra message when they switch email addresses? Answer: none.
But it's not one friend, or one e-mail message; if everybody implemented whitelists you'd have to send dozens, possibly hundreds of messages every time you changed your address. This would most likely drive people insane to the point where software would be written to automate this task, and lo and behold, the SPAMmers now have tools with which to defeat whitelists.
Whitelists may work for some people as a small, niche tool for defeating SPAM, but it's not scalable. Bayesian filters are 100% scalable, and are as-yet all but impossible to defeat, once trained.
Bayesian filtering comes with all the advantages of a whitelist without any of the inherrant disadvantages.
Re:Playing Games you don't understand.
on
Spammers Busted
·
· Score: 1
I hope you'll keep that perspective in mind if an aged parent of yours is fooled by a get rich quick scheme like this and blows half your inheritance.
I don't buy the old age as an excuse for naivette line of thining.
My paternal grandparents are 80 years old. My maternal grandmother (widowed) is 76 years old. None of the three of them have been hustled out of their money, so my 'inheritance' remains intact. Why is this, you ask? Because they don't fall for get-rich-quick schemes, they don't respond to telemarketters ("If I desire your services, I'll contact you."), they don't open, letalone respond to mailed investment "opportunities", and before making a financial investment they weigh it against their financial situation, they weigh the risks they're aware of and contrast it to the possible rewards, and for that which they aren't sure of they contact their financial advisor.
The fact of the matter is, anybody has the potential to be hustled/swindled out of their money; young or old. It takes logic and reason (often referred to as 'common sense', though I know it to be quite uncommon indeed) to avoid becomming a victim in this case. As usual, the addage "If it sounds too good to be true, it probably is." comes into play.
If you need me, I'll be firmly entrenched in the "Stupid people deserve to get screwed." camp, toasting marshmallows and hugging my wallet.:)
Mailing lists. Improperly configured whitelists can (and very often do) wreak havok on even low-traffic lists. (Infinite loops of whitelist responses to whitelist messages in response to... )
Potential employment / other avenues of potential gain. Often times, these people will be annoyed by having to confirm their identity in order to inform you of what could be a once in a lifetime opportunity.
Updates / notes from friends who aren't terribly computer-savvy. Such lists can not only confuse them, but can result in lost e-mails if they send them from, say, a web-based account they don't check regularly.
Personal taste. I greatly dislike having to essentially request permission to correspond with someone. I have upwards of a dozen e-mail addresses which I'll use at any given time depending on the hat I'm wearing, and this would require my requesting posting privileges for each of them.
As has been pointed out already, Bayesian filtering is the way of the future. You put up with SPAM for a limited amount of time and then it learns your routines and filters it for you. You don't inconvenience anybody save for yourself (initially, and the cost of downloading the SPAM, a cost incurred by the use of whitelists anyways), and they're not prone to causing public nuissance.
Also as you've alluded to, it wouldn't be terribly difficult to forge the From: identity of someone already in your whitelist; something that happens quite frequently. A popular SPAM harvesting technique is to harvest mailing lists and use the names found in this list as the From: and To: address, effectively sending people SPAM 'from' themselves, or 'from' people with whom they correspond on a regular basis.
As to digitally signed e-mails; that's fine and good for the 2% of Internet users who are remotely capable of even understanding such a concept, but I have to say, for most of the people with whom I correspond (many of them clients) this is simply not an option.
That said I am letting them know I'm unhappy and will be avoiding PCI whenever possible.
I've written a similar letter to the people referenced at this page at the time of writing (which I now understand may be slightly errant, but atleast the lawyer will receive a copy, which is the important part. I may send a follow-up to a proper leading member of the PCI-SIG group should I find a valid address to do so).
Music and Computer Companies Agree on Antipiracy Plan
By AMY HARMON
I was going to moderate this as 'Redundant' (yes, folks, watch out - I'm armed again!) but decided instead to respond.
Copyright issues aside (you didn't give credit for the source - The New York Times online edition); their servers are not likely to be Slashdotted any time soon. Granted, Joe DSL will probably be Slashdotted within his first five minutes on the front page, but the NYT have big pipes - like Adonis big pipes.
Slashdot Mirror
You don't suppose this will convince them to finally switch to OSS, do you? I haven't seen my MySQL boxes taking down the Internet lately!
(Ok, ok, that was low.. ;) )
Wow. It's great how you can respond while ignoring the parts of my postings you don't like. First of all, I specifically stated that there was no need to upgrade the servers every week. Second of all, I never said there was a need to mirror every server hardware combination. Thirdly, it's pretty poor IT management if all of your servers are so diametrically different that you would need to mirror each and every one of them for a testbed. Fourth, I'm pretty sure your softare vendor won't try to ram the law down your throat for using their product on a test server. Phone them and ask - they might just be reasonable about it. Remember that we are talking about a Linux distribution here; 95% of the underlying software licenses are probably GPL-based; work with the spirit of open source licensing and test your software.
Oh, I'm perfectly aware that incompetent sysadmins run rampant in the 'real world'. BTW - thanks to all of you for disrupting the Internet over the weekend. The rest of us really appreciate you guys justifying our existance on a regular basis!
The No Electronic Theft law and the supposed "Internet Privacy Act" are two separate laws. Moreover, one was referenced in an article submission quoted from a reputable (subjective, I know) news source, and the other was an off-hand comment by one of the half-million or so Slashdot subscribers.
Trolling about trolling. Yeesh.
For your sake, I hope none of your hardware dies on you. With no apparent DRP you'd be dead in the water.
Now you'll have to pardon me while I don't feel sorry for you. ;)
Linux distributions are a collection of three primary factors, and a number of secondary. The primary factors are;
Emphasis on #2. Like most other distributions, RedHat maintains their own custom packages for their software applications. That's why each distribution will in-turn address security updates on the likes of BUGTRAQ; each of them is distributing their own RPMs/DEBs/TGZz/etc. to fix the problem. That's what RedHat is ceasing; support for their custom software RPMs.
You'll always be able to download/install the latest kernel, be it via RPM, SRPM, or sources from kernel.org; I don't believe that's an issue in the slightest.
Once you've upgraded all the packages to their current level, all that's left are the few packages (Base layout, package management interface, etc.) that comprise the "OS". If you require support but RedHat declines it on this basis, simply apply the updates and call them back.
The high school I worked for had testbed systems. They're just common-sense. When you're deploying mission-critical, or even just important updates to a system, it's always adviseable to test it first. Be it a server upgrade or a workstation image, it's just good business practise to test it before you put it live.
The advantages to spending the money preemptively and having a solid software update policy in effect will save the company countless dollars, man-hours and heartache when and if that policy would have helped the most - in the case of an intrustion or major software meltdown.
BTW - Even when RedHat christens a newly released RPM that upgrades an existing package, it should be standard policy to test this upgrade on a testbed before putting it live, so the extended product life cycle won't do you any good anyways; damage done is money lost.
A testbed server doesn't have to be some kind of elaborate, highly-involved process. Essentially, you keep a 'good' image of the install base, else simply a mirror of the production server. Install this on a similar hardware platform (ideally a machine with the same hardware configuration), apply the upgrade(s), and test the robustness of the new system. Re-boot it and ensure sofware comes up. Watch for panics. Put some load on it and make sure the services don't fall over. (This, of course, will be done on a case-by-case basis, as all servers face different load scenarios). That done, migrate the changes to the production server, monitor it closely for a few days (even if you just watch Big Brother or a couple of log tails on your desktop), and call it a day.
I maintained upwards of ten separate workstation images and five servers using this methodology and virtually never had problems with any production setups as a result. We continued to stun the IBM tech reps (with whom we had a support contract, but that's a story for another day) when they'd come to the school and find themselves with absolutely nothing to do. They'd start to ask us about a problem they'd seen at other schools and we'd stop them with "Fixed that three weeks ago before it became a problem."
"Guarantee" is a pretty strong word, especially in a day in age where web-based software solutions are becomming very prevalent in the industry. Everything from trouble ticket systems to company Intranets to developer networks and more are hosted on web servers.
Moreover, all the vulnerabilities I referenced were not web server related. libbind affects any and all DNS resolution, for example. zlib is used in a lot of system applications, and we all know that CVS is often used for distributed software development projects.
For someone making accusations of assumptions, you're assuming a lot yourself.
BTW - I'd like to see you somehow support the notion that corporate web servers are such unimportant space-wasters, especially considering the mass hysteria of corporate tales of woe after the likes of Code Red / Nimda pummelled them. How many billions of dollars was it purported to have cost the U.S. economy again?
In the future, you may wish to substitute unquantifiable terms with less specific generalizations like "a lot of", and shy away from making far-fetched guarantees you can't possibly hope to support. And please, don't quote me figures from your last three employers, or from companies your friends work at. I'd like some real hard-line data on why corporate web servers are worthless. You can stick to the United States if it'll make your task easier.
Now there's a claim that's nice and easy to support. I can also guarantee that there are a lot of nice cars not on the road. So? We're talking maybe one in ten thousand server systems out there that fit this bill. Systems most likely owned by corporations who a) will already be paying for higher level technical support, and b) can afford an additional layer of support above and beyond that.
I highly doubt any mission-critical, non-networked machines of such import will pay any mind to a consumer-level product support document.
Perhaps in the real world of beanie-wearing community college graduates, yes. But in the real corporate world, there are testbed servers on which to test upgrades, patches, etc. before rolling them onto the production servers. Often times there are also redundant servers which can be taken down, upgraded, tested, and put live one at a time.
Further - there's no requirement to upgrade once/week, but at the very least keep packages less than one year stale. The Internet as a whole got a kick in the goodies this past weekend by sysadmins who wouldn't patch a software vulnerability that was more than 7 months old (and by the network admins who allowed access to the servers via the public Internet, but I digress).
If you haven't upgraded your Linux systems in 6-12 months, I'd love for you to send me your IP address(es), because I'd like to send you a few packets pertaining to;
Out in the "real world", systems administrators apply patches, fixes, and upgrades to their software regularly to avoid being used as a staging ground for one of our recent many DDoS attacks, or having their corporate data stolen.
It's the lazy, incompetent, certifications-are-king sysadmins out there who give us a bad name. They're the ones who adopt the theory that applying updates is "too hard", and claim that "things could break" which they use to justify their ignorance of best-practises security.
If your company's assets are riding on IT software and you're having trouble keeping up-to-date, talk to your vendor and ask for help. Have them justify the money you fork over to them every year and do something for you. If RedHat is your vendor, ask them for assistance in migrating your server farm from 6.0 to 8.0. If they won't give it to you, inform them that you'll find another vendor, and that you won't be spending $30k on another support contract. If you've already spent it, contact your lawyer.
"Real World" does not, nor should it ever be confused with or used to justify laziness, ignorance, or apathy. It's thinking like that that got us into our present state of dissaray.
Do you hate football, or televised pro football?
I've been reading a lot of generalized anti-sports comments, much of which comes from people who are badmouthing/bandishing stereotypes about. What is this, thw Twilight Zone? Nerds hating sports IS a stereotype, people!
Myself, I love "football" (the American variety) and football (the "world" variety). I used to be a mean linebacker in school; took out guys twice my weight all the time ("Was that a legal tackle?" they'd mumble through the blood on their faces.. Heh..) and could kick the ball into the stratosphere. Later, I developed an affinity for football (Americans will recognize it as "soccer"); played for a former world cup champion, no less!
I was a goal tender until my eyesight became prohibitive. I also used to love getting down and dirty. I ran fast like a mo'fucker, and I could slide tackle a guy at ten yards and walk away with the ball.
Eyesight failing, I took up smoking, and running fast was no longer an option. But while I was in shape, I had a bloody ball - and I had my own home LAN at the same time. An XT and a 286 joined with a null-modem cable (paralell, for the extra speed) comprised my BBS and file server. A 286 laptop with a mono screen for reading mail and scripting the BBS.
Sure, I had a shitty time in elementary school; so did a lot of people. I got through it and found my passion in life. A lot of people can't make that claim; including a lot of the popular kids, the jocks, and any number of other stereotypes. Periodically I'll revisit my old classmates while they're serving me fries (with gravy, please).
So if you people are scorned over being called a "nerd" or a "geek" (titles I wear proudly today, because they allow me to demand a high rate of pay and respect from clients and co-workers alike), get over it. Life's a bitch. Being young can, and often does suck. That's what growing up is about - learning how to deal with things, including society.
As for the game, no, I won't be watching it. The baseball strike was the last straw for me as far as pro sports are concerned (I did love the Jays going it two years in a row, and Brazillia over Italy in the World Cup was beyond amazing). But you won't find me sitting here bitching about it.
Maybe some of you couch-potato whiners should get to a world cup, gray cup, stanley cup, world series or superbowl party some time and see what a blast social interaction can be. Then knock it, but wait until the hangover's gone first. (If you don't have one, you weren't at the right party)
Schools tend to have several Win'95 and Win'98 licenses on hand. Also, there is a little-advertised educational licensing package for schools that costs about 10 of shelf-price for all Microsoft software.
Firstly, schools don't tend to buy "eMachines" (low-quality, pre-fab machines that are good for a year or two), they buy complete systems with hardware support contracts. Simply packing up the machine and trundling it back to Future Shop or Best Buy isn't an acceptable solution. Secondly, schools can't go to a local electronics shop and buy computers by the handful. There are several layers of beaurocracy to go through, and often times schools will be tied to a hardware contract with one OEM or another. Computer equipment is purchased through the board office and delivered by internal courier; rarely ever bought directly by the school itself.
When schools purchase software licenses they purchase them in numbers, they don't tie them to a physical workstation. Since license packages usually sell in round numbers, schools will almost always have additional licenses to allow room for growth (better to buy too many than not enough). The exception is licenses like AutoCAD which cost hundreds of dollars per machine per year, and requires hardware dongles (plural; multiple components each require their own dongle) which are the real money-eaters at several hundred dollars a piece.
Often times, new machines will be added to the network, imaged, and the software image adapted (drivers, etc.) to suit the specific needs of the machine and it'll be up and running inside of an afternoon.
As for the speed, again, schools have zero need for top of the line equipment. Realistically, 90% of consumers haev zero need for top of the line equipment. Schools don't license, or allow, modern video games to be played on their computers, and web browsers and word processing packages, though buliker by the day, still require little more than a couple hundred MHz and a few hundred megabytes of HDD space.
The long and short of it is this; if a machine can load a web browser, surf the 'net, compose a report in another (word processor) window and print said report - it's powerful enough for a school, church, or charitable organization. These places don't need to run Windows XP (in fact, I don't know that XP is being deployed en-masse yet. Win2k or Win'98 are the platforms being standardized around at present), they don't need to run Office XP or 2k - they can run Office 97, or even Word Perfect Office 8. Most of the software being sold for such markets are aimed at P133s with 32/64MB RAM.
If it will run Windows 98, they'll thank you for it and give you a receipt so you can write the donation off on your taxes.
High schools in developed countries, like those of us in North America, are hurting. A "computer in every classroom" has been met in some (many?) schools in highly developed urban areas, but they're P75s at best in a lot of cases. English labs still get stuck with 'the leftovers' which means, in a lot of cases, 486s. (Not MHz; processor type 80486. Remember those?)
Elementary schools tend to be even worse off. The high schools tend to get first crack, and if high school English departments are running 486s - can you imagine what elementary schools are running? Since the computers can't even remotely compare to what the educators are used to, many of them sit and gather dust. The potential use for computers lost on another generation of children who have to play around the desk(s) with the antique dust-collectors on them. Many of them don't even work anymore.
I can tell from your posting that you don't have much experience in high schools. That's alright, but please don't speak as if you understand the situation. High schools do, in fact, teach word processing on P133s running a server-side copy of Windows 3.1 because the computers often don't even have hard drives. They use WordPerfect/DOS 5.1.
That's a wonderful idea, in theory, but in reality the students sit patiently and wait for Netscape Navigator Gold to load so they may browse to the referenced research pages. On the plus side, a lot of research oriented sites don't use ActiveX controls or Flash/Java navigation systems, so it's an acceptable trade-off. The Internet isn't in schools for student enjoyment; in fact, the students who glom onto the modern machines and pillage the bandwidth are causing many teachers to give up completely on trying to use the Internet for their studies, opting instead to make the Internet components of the course an after-school activity, or completely optional. Things are getting better in some areas, but 'better' is, of course, subjective. Now instead of 1000 warm bodies sharing a 128Kbit ISDN line, those 1000 bodies share a 1.5MBit HDSL line. Since I can saturate it by myself, imagine how an entire school must feel.
Schools don't throw out five year old computers. Schools hang on to and cherish those computers for fear that if they sit too long, they may be re-allocated to another school in great need of them. Schools don't typically dispose of computers due to age, they'll often keep them in active use until they're too decrepid to power on, and all efforts have been made to salvage them.
I was personally responsible for taking three labs' worth of computers in varying states of functionality and creating two full, working labs worth of machines. I barely acheived the task, throwing out the remainder in completely dead parts.
For another two labs, we had to supplement the short supply of 1.2GB hard drives with brand-new 10GB drives; the smallest we could buy at the time. It was a shame, installing them into P120s that couldn't even enable DMA, letalone their supported level of UDMA, but atleast they were there, and they worked. Then the budget was exhausted (two months into the five-month semester) and the remainder of the machines sat, sullen, adorned with their "Out Of Order" signs. It worked out, however, since we were also in short supply of 15" SVGA monitors.
Public schools are very efficient when it comes to maximizing the return on their computer investment. They stretch every last nickel's worth out of every piece of equipment they purchase, so they're really not a terribly good target to look at when discussing PC waste management.
If you think public elementary and secondary schools are the only ones, ask me about colleges.
In that case, would you mind sharing the secret to printing spreadsheets in landscape format? Try and try again, but it always prints in portrait (thankfully I was printing to PDF for testing, so no trees were harmed during this excersize) and as a result a two-page spreadsheet requires four pages - the last two containing two columns (the important ones - the ones with the totals).
Update: I've just been informed that there is a second, atypical way to make OpenOffice print in landscape format. I've always used the print / page setup dialog to print in landscape mode, which is non-functional. So what we have is broken duplication of code. No wonder the codebase is 136MB compressed and requires over 1GB of space to compile.
In the meantime, I solved the problem by exporting to Word 97/2k/XP, booting Win2k, and printing from MS Office.
I'd also love to be able to decrease the load time without having to keep dozens of MB worth of libs in memory. On my (respectable) Celeron 800 laptop with 256MB RAM, any of the OpenOffice components (Write, Calc, Impress, ... ) take atlest 30-45 seconds to open, whereas Office 97, 2000, or XP will open any of their components in approximately 2 seconds. (I've removed the "Office Startup" from the "startup" folder; I don't believe in pre-loading all my applications to account for programmer inefficiency on any platform)
A problem, however with identifying "me" by my tires; if I want new tires, I'll go to Sears and buy a couple pairs, or go to my (small) mechanic and have him install a few tires. Now, he can either install new or used tires at my behest (depending on how long I intend to keep the vehicle, and drive it in the meantime). So where's the association? I can assure you that I'm not going to let some minimum wage Sears schmuck follow me to my car and record my VIN. Hell, for all he knows I'm using my friend's van to pick up the tires. The logistics just aren't reailstic.
License plates are, by nature, assigned to a VIN. Tires are not associated, and are only slightly more difficult to interchange (give me a jack and ten minutes and I'll do it on the side of a road).
Yes, I'm sure there's value to adding tracking devices to everything worth more than $50 that we may purchase in our lifetimes, but there are also drawbacks. If the "good guys" (subjective) can track my tires, so can the "bad guys" (also subjective). What I don't like, however, is the ability of anybody to easily track me. Atleast it takes some minimal effort to track my license plate - a person has to look at every car matching my description (if I threw a rock from my driveway, it'd probably bounce off atleast four other J-Body cavaliers, so YMMV. ;) )
I, personally, can't see the advantages of this outweighing the disadvantages and costs associated. Somewhere, I'm sure somebody has a great plan. Nevertheless, I think I'll stick to Goodyear
Yeah, but then readers would be required nation-wide which is costly to say the least. The resaon 'automated roads' have been back-burnered is the astronomical expense of implementing it in any large scale. I don't see RFID readers being implemented in a nation-wide net any time soon. All you'd have to do to escape 'the man' is to hit a concession or a country road.
I've found that in my experience, ISPs aren't as responsive to SPAM-type abuse issues as are webmasters.
My homepage (vanity domain) has a "Webserver Stats" section that logs, among other things, referrers to my site. Some unscrupulous types found this out and decided to take advantage of this public advertising medium. What resulted were literally hundreds of requests per night for each of about 30 domains (almost all of them pornographic in nature) for non-existant files (I suppose they figured my 404 page was the smallest thing on my site). With their URLs in the referrer field, Webalizer dutifully added them up and created a referrers graph that, not surprisingly, was filled with the top ten of these porn sites.
These attacks (which also flooded my ADSL line's bandwidth, I might add) were carried out from two major U.S. ISPs. E-mail to the ISPs got me little more than an automated "Thanks for the heads-up" responses, so I decided to go after the websites themselves. A little whois work on the domains and I found that they were all hosted at the same hosting company who responded immediately requesting more information, and who then acted on the complaint in short order and the problem went away.
A little bit of dilligence and these people can be nailed down. Many of them don't seem to host their own websites, so use their webhosting companies against them. Track them down and have them ousted. The transition time to a new company will be real bite in the keester and should make their job a little less worthwhile. At the very worst, they'll give up on third party hosting companies and have to shoulder the cost of hosting the sites themselves.
Alright then, smartguy - pick up your monitor and make X scroll sideways. :)
12:00:00 EST, the website is toast. "Document Not Found".
Somewhere, a webmaster is laughing ...
I'm afraid you've missed my point.
I was speaking strictly of re-broadcasting pre-assembled signals. Vis; the major networks pay for casting, crew, locations, scripts (writers), makeup, wardrobe, lighting, equipment, and broadcast. Afterwards, I take this signal and, using comodity hardware/software combination I encode it and re-transmit the signal.
That has the effect of stealing their work without any due compensation. Even in the case where someone might re-broadcast with the comercials intact, this isn't a valid form of compensation. Sponsors don't pay to merely have their comercial shown; they pay for a timeslot in a particular broadcast at a particular date and time, aimed towards a specific demographic. Re-broadcasting a primetime show's commercials at three o'clock in the morning to a global audience may benefeit the sponsors, but it doesn't benefeit the network.
This has nothing to do with due dilligence and everything to do with people overstepping their bounds. Much as television content isn't terribly stellar nowadays, I'd hate to see networks remove the ability for people to receive that content without a subscription system.
That was the first thing that crossed my mind when I read this story. The fact that it's combined with the blank recording media levy is disingenuous on the part of the submitter/editor responsible for posting it.
The media levy sucks, but quite honestly I can't find sympathy for companies who want to earn a living on the backs of the work of major networks. For commodity hardware at an expense of no more than $500, I could re-broadcast network television to the Internet. That's just not right.
Thank you for that.
I just have one thing to add here;
I've been reading all these comments from the BSD crowd here in awe. I mean, all this hostility over... what? An announcement that linked to a PGP-signed release announcement. The ISOs are on the servers. The time to rejoice is nigh! But no rejoicing from this crowd. No "Awesome new features ... I can't wait to test this on my home rig ... " postings; just adolescent whining.
Seriously folks; you respect the FreeBSD development team, right? You respect their programming talents and their combined decades of computer, operating system, and networking experience, right? Do you really take them to be this naive? Would you really have us believe that they would roll release-grade, Version 5.0 (no RC-*) CD images and make them public when they weren't ready? Do you really think they'll be at all SURPRISED when people start to notice, download, and tell all their friends about this release? Don't you think they have a solid, stable (FreeBSD) FTP server pumping out these requests, properly configured with reasonable user/transfer limits in place, and QoS on their upstream bandwidth? If you're that unsure of FreeBSD's ability to handle high loads - why are you downloading it?
It was inevietable that this would find its way to Slashdot. That's how Slashdot works. It's been seen time and time again. KDE, GNOME, Linux Kernel, XFree86, [Open|Star]Office, or any other project of significant magnitude (and interest) - the release files are made publically available, someone notices and the Slashdot editors respond to the influx of "It's here! It's here!" submissions. As a result, Slashdot is very often the first place to find out about new software updates. Is this really 'news' to anyone?
Sure, they could link to the mirrors, but not doing so isn't by any means a conspiracy, it may be poor taste, but it's the same taste that links directly to kernel.org when a new Linux kernel is released. It's been pointed out to me more times than I can count that Slashdot readers are "IT professionals" - so stop talking about being professional and act like it. Download reaponsibly; use a mirror.
I'll download a mini-ISO later, when the tide has ebbed, and install it at my leisure.
</RANT>
But it's not one friend, or one e-mail message; if everybody implemented whitelists you'd have to send dozens, possibly hundreds of messages every time you changed your address. This would most likely drive people insane to the point where software would be written to automate this task, and lo and behold, the SPAMmers now have tools with which to defeat whitelists.
Whitelists may work for some people as a small, niche tool for defeating SPAM, but it's not scalable. Bayesian filters are 100% scalable, and are as-yet all but impossible to defeat, once trained.
Bayesian filtering comes with all the advantages of a whitelist without any of the inherrant disadvantages.
I don't buy the old age as an excuse for naivette line of thining.
My paternal grandparents are 80 years old. My maternal grandmother (widowed) is 76 years old. None of the three of them have been hustled out of their money, so my 'inheritance' remains intact. Why is this, you ask? Because they don't fall for get-rich-quick schemes, they don't respond to telemarketters ("If I desire your services, I'll contact you."), they don't open, letalone respond to mailed investment "opportunities", and before making a financial investment they weigh it against their financial situation, they weigh the risks they're aware of and contrast it to the possible rewards, and for that which they aren't sure of they contact their financial advisor.
The fact of the matter is, anybody has the potential to be hustled/swindled out of their money; young or old. It takes logic and reason (often referred to as 'common sense', though I know it to be quite uncommon indeed) to avoid becomming a victim in this case. As usual, the addage "If it sounds too good to be true, it probably is." comes into play.
If you need me, I'll be firmly entrenched in the "Stupid people deserve to get screwed." camp, toasting marshmallows and hugging my wallet. :)
I dislike whitelists for several reasons;
As has been pointed out already, Bayesian filtering is the way of the future. You put up with SPAM for a limited amount of time and then it learns your routines and filters it for you. You don't inconvenience anybody save for yourself (initially, and the cost of downloading the SPAM, a cost incurred by the use of whitelists anyways), and they're not prone to causing public nuissance.
Also as you've alluded to, it wouldn't be terribly difficult to forge the From: identity of someone already in your whitelist; something that happens quite frequently. A popular SPAM harvesting technique is to harvest mailing lists and use the names found in this list as the From: and To: address, effectively sending people SPAM 'from' themselves, or 'from' people with whom they correspond on a regular basis.
As to digitally signed e-mails; that's fine and good for the 2% of Internet users who are remotely capable of even understanding such a concept, but I have to say, for most of the people with whom I correspond (many of them clients) this is simply not an option.
Yes, as a matter of fact it does.
More to the point; why not use SVGALib or a machine with a GUI? Otherwise, why are you even concerned with video clips on the Internet?
Why don't you download a media player and find out for yourself?
I've written a similar letter to the people referenced at this page at the time of writing (which I now understand may be slightly errant, but atleast the lawyer will receive a copy, which is the important part. I may send a follow-up to a proper leading member of the PCI-SIG group should I find a valid address to do so).
I was going to moderate this as 'Redundant' (yes, folks, watch out - I'm armed again!) but decided instead to respond.
Copyright issues aside (you didn't give credit for the source - The New York Times online edition); their servers are not likely to be Slashdotted any time soon. Granted, Joe DSL will probably be Slashdotted within his first five minutes on the front page, but the NYT have big pipes - like Adonis big pipes.
Please, people, stop aiding blatant Karma-whoring.