Slashdot Mirror


User: fredklein

fredklein's activity in the archive.

Stories: 0
Comments: 801

Comments · 801

  1. Re:I hope you don't pile on to those on What Can You Do to Stop Junk Faxes? · · Score: 2, Insightful

    Intention means nothing when the actions are the same.


    Bullshit.

    Let's take a simple situation: Man 'A' pulls out a gun and shoots man 'B'.

    You mean to tell me there is no difference between the following scenarios:

    1) Man 'A' is mentally disturbed, and not taking his medication. He thinks man 'B' is an alien. Man 'A' pulls out a gun and shoots man 'B'.

    2) Man 'A' is a cop. He sees a punk (man 'B') beating up an old lady. He tells 'B' to stop. 'B' reaches into his pocket and yells "I'll kill you, pig!" Man 'A' pulls out a gun and shoots man 'B'.

    3) Man 'A' is a punk. He's beating a little old lady when a cop (man 'B') shows up. Man 'A' pulls out a gun and shoots man 'B'.

  2. Re:This could majorly backfire on John McCain's MySpace Page "Pranked" · · Score: 1

    You cannot put 180 degree coffee in your mouth without getting burned.

    I do all the time. It's called SIPPING.

    The NCAUSA is at best an authority on flavor.

    They are an authority on how to PROPERLY prepare their product.

    They put the quality of their coffee over the safety of their patrons. If they wanted to serve dangerously hot coffee, they needed to take appropriate steps to keep it off their customers.

    They did- they poured it into a cup. After that, it's the customer's responsibility.

    You can fire a rifle a thousand times out your car window as you drive down the street and not hit anyone. If on the 1001st shot you plug someone between the eyes, you just try arguing that it wasn't unreasonably dangerous because those first 1000 rounds didn't hit anyone.


    Worst analogy evar.

    McDonalds was not performing criminal acts like 'shooting out their window'. They were properly preparing and serving a beverage. A beverage that virtually no one had a problem with. If you insist on a gun analogy:

    If you sell rifle ammunition, and 23,999,999 rounds fire perfectly, but the 24,000,000th round misfires, causing injury, should you have to shut down your production line because of that one bad round? (And that's ignoring the point that it was the customer's own mishandling of the ammo that caused her injury, not some sort of in-built flaw.)

    Stella Liebeck sat in a car, pinched the cup of HOT coffee between her knees, and pulled the lid. This caused the cup to pivot and spill the coffee on her crotch. All these things were HER doing, not McDonalds. She chose to not use a cup holder. She chose to hold the cup between her knees. She chose to pull the lid.

    Yes, the coffee was hot. It was advertised and sold as hot coffee. There was a warning on the cup saying it was hot.* Common sense says coffee (unless purchased iced) is hot. Common sense also says that you need to treat hot liquids carefully. Which she failed to do.

    It's not McDonald's fault she's clumsy.

  3. Re:This could majorly backfire on John McCain's MySpace Page "Pranked" · · Score: 1

    Not just hot coffee. Undrinkably hot coffee capable of causing 3rd degree burns.

    Coffee is supposed to be served in the range of 185 degrees! The National Coffee Association recommends coffee be brewed at "between 195-205 degrees Fahrenheit for optimal extraction" and drunk "immediately". If not drunk immediately, it should be "maintained at 180-185 degrees Fahrenheit." (Source: NCAUSA.) Exactly what, then, did McDonald's do wrong?

    The plaintiffs were apparently able to document 700 cases of burns from McDonald's coffee over 10 years, or 70 burns per year. But that doesn't take into account how many cups are sold without incident. A McDonald's consultant pointed out the 700 cases in 10 years represents just 1 injury per 24 million cups sold! For every injury, no matter how severe, 23,999,999 people managed to drink their coffee without any injury whatever. Isn't that proof that the coffee is not "unreasonably dangerous"?

  4. Re:Why not? on New Vote on .xxx Internet Address Nears · · Score: 1

    Thus the porn sites will now have 2 addresses: [pornsitehere].com and [pornsitehere].xxx.

    And the .com will redirect to .xxx. At which point it would be blocked by those who block .xxx sites.

    What's the problem?

    the bad rap that, say, Microsoft would get from microsoft.xxx being a porn site.

    Imagine the lawsuit for using their name without their permission.

  5. Re:So? on RIAA Has to Disclose Attorneys Fees In Foster Case · · Score: 1

    That is absolutely frightening. That means that if I have a legitimate legal beef with a government or commercial entity that spends tens of thousands of dollars per day on an army of powerful lawyers for months on end and the judge or jury eventually rules in their favor that I'm going to be bankrupt and my entire life will be ruined from that point forward.


    Simple solution:
    The loser pays the winner what they (the loser) paid for legal representation.

    If BigCompany spends $100000 on lawyers, while LittleGuy spends $1000, then if LittleGuy wins, he gets $100000. If BigCompany wins, they get $1000.

  6. Re:It was on her computer. on Don't Google "How To Commit Murder" Before Killing · · Score: 1

    http://www.microsuck.com/content/ms-hidden-files.shtml

    "There are folders on your computer that Microsoft has tried hard to keep secret. Within these folders you will find two major things: Microsoft Internet Explorer has not been clearing your browsing history after you have instructed it to do so, and Microsoft's Outlook Express has not been deleting your e-mail correspondence after you've erased them from your Deleted Items bin. (This also includes all incoming and outgoing file attachments.) And believe me, that's not even the half of it. "

  7. Re:Pfft - yeah right. on Stephen Hawking Says Universe Created from Nothing · · Score: 1

    "All the way down... to WHAT?"

  8. Re:Flight to nowhere on Remote Control To Prevent Aircraft Hijacking · · Score: 1
    the plane will be flown by a live person on the ground.

    Fine. From where? It'll have to be relatively nearby, or the communications delay would cause problems. That means, at least one East Coast and one West Coast center. These centers would have to be in (gasp) airports, most likely in or near the tower.

    So, now all a turrist needs to do is jump the fence at an airport with a few of his buddies, shoot the door guard, and walk into the Remote Control center. Where they can now crash ALL the planes in the sky.

    Okay, okay, that's exaggerated. After all, it's not possible to get past perimeter security

    http://transcripts.cnn.com/TRANSCRIPTS/0308/12/se.09.html
    "Three boaters got caught in rough water and washed ashore on airport property. For an hour, they wandered across one mile of JFK, past a runway where taxiing jets were just several hundred feet away. "


    And it's certainly not possible for anyone to gain access to the Control tower....:

    http://www.lcnclosers.com/whats_new_10_10_03.asp
    ...a door leading to the control tower was not adjusted properly, preventing the magnetic lock from engaging. Instead of adjusting it, someone simply put a sign that read "Be Sure to Pull This Door Shut So the Alarm Doesn't Go Off."

    or to the jetway...

    In one case, the magnetic locks that controlled access to jet bridges were routinely turned off ....During one... TSA inspection, a lock was turned off and then accidentally left unattended most of the time for 48 hours.


    And it's not like an Air Traffic Controller is EASY to bribe. Nope, no discontented personnel here:

    http://www.denverpost.com/colleges/ci_4604717
    If air traffic controllers at Denver International Airport want to leave the tower for a lunch or dinner break, they have to go on vacation.
    Or they can use accumulated personal time.
    Otherwise, they have to stay in the 327-foot tower ... Just like airline passengers, controllers can't bring liquids or semi solid food items through security checkpoints.... ...controllers can't leave the tower during their shift unless they use vacation or other personal time.
    In some cases, controllers who want to bring a lunch or dinner of say, beef stew, can ask their manager ... to drive a government vehicle across the airfield to pick up a controller's Thanksgiving leftovers of mashed potatoes and gravy and cranberry sauce.


    And don't even get me started on the TSA...
  9. Re:Not just US planes and already happened. on Remote Control To Prevent Aircraft Hijacking · · Score: 2, Informative
  10. Re:Flight to nowhere on Remote Control To Prevent Aircraft Hijacking · · Score: 1

    Modern navigation systems are amazingly advanced things. I can, with the press of a button, have the $250 handheld GPS unit in my car direct me to the nearest gas station. I don't have to program a list of them in and then decide which one will be "closest" for this road trip.

    Because, after all, Nav systems are foolproof. They never try to take you the wrong way down a one-way street, or tell you to 'turn left' where there is no street.

    I personally have seen a (quite popular and well-used) online mapping system that was so f'd up it told people to make hundreds of U-turns on a simple trip. Reverse the source and destination, and the trip is shown normally.

    So, don't even suggest that 1) Automated systems are foolproof and 2) Automated systems can't be hacked. (What if they simply add a '100% available', 'best choice' landing site that's in the middle of a city?)

  11. Re:EULA? on Software Deletes Files to Defend Against Piracy · · Score: 1

    Is "Eye for an Eye, Tooth for a Tooth" the kind of society we're going for here?

    Sounds good to me.

    The victims end up blind and toothless, *just like they would anyway*.

    The attackers end up blind and toothless, as well, *teaching them a lesson*.

    Of course, with "Eye for an Eye, Tooth for a Tooth" in place, I believe there would be fewer attackers, because people would think twice before attacking. Which means there would be fewer victims. Which is a good thing.

  12. Re:Waits for it.. on Ex-judge Gets 27 Months on Evidence From Hacked PC · · Score: 1

    As long as the police can show that they in no way requested or encouraged this private individual to make these searches on their behalf, then the hacker is not an agent of the police and the evidence is admissible.

    But, if the police make a habit of accepting evidence in such a manner, then does it not "encourage" people to offer evidence? If you stand there with arms open, is it not a form of 'request' for someone to hug you?

  13. Re:Who would have thought? on RIAA Hires Artists, Then Sends In the SWAT team · · Score: 2, Insightful

    Folks, this is an organized bootleg operation that got shut down

    From TFA:

    "Mixtapes also feature unreleased songs, often "leaked" to the D.J. by a record label that wants to test an artist's popularity or build hype for a coming album release. Record labels regularly hire mixtape D.J.'s to produce CDs featuring a specific artist."

    "...when label employees send [mix DJs] tracks to include on his mixtapes, they request a copy of the mixtape so that they can show their bosses the track is "getting spin from the street." He also said record-label promoters want sales figures for his mixtapes so they can chart sales patterns, which they use in marketing their own releases. "

    "But even in the days immediately following the raid, ... and major labels continued to e-mail them new tracks."

    So, the tracks are provided BY THE MAJOR RECORD LABELS (aka the RIAA members), and they get a copy of the resulting mix and sales figures for it, AND they keep sending stuff to the DJs, even after the bust.

    Doesn't sound like bootlegging to me.

  14. Re:The wise customer on Amazon Adjusts Prices After Sales Error · · Score: 0, Offtopic

    walking into a store, taking something to the cashier, having the cashier just put it in a bag and leaving without paying. Even if the cashier says "just go ahead and take it", that doesn't make it right.


    Sure it does. I am a Regular at the local Starbucks. Once every week or two, they make my drink and don't charge me for it. And I happily accept.

  15. Re:No on Cartoon Network CEO Resigns Over Aqua Teen Scare · · Score: 2, Insightful

    A powered device has been mounted in a public place. It is big enough to contain an explosive charge and projectiles

    No, it's not. The only 'container' it had was just big enuf for 4 D batteries. And with the 4 D batteries in it, there was no other room for your "explosive charge and projectiles".

    Your answer is to have someone mess with it as people walk by. If you're wrong and it explodes, the person messing with it definitely dies.

    By all means, if you really think it suspicious, have the bomb squad clear the area and check it out. Personally, I think it's an over-reaction, but....

    The problem came after the bomb squad checked out the first one, confirmed it WAS NOT a bomb, and they continued to freak out about the others. That's why everyone thinks Boston (Officials, not the entire city) is stupid- they continued to over-react to things that had already been proven harmless.

    Put yourself in the position where if it is a bomb, but it gets anyone, you're on the rack. If it isn't, but you've inconvenienced people, you're on the rack.

    I'll choose "It's not a bomb, but I have it checked out. Once it's determined to be safe, I STOP FREAKING OUT."

  16. Re:According to courtroom reporters... on Woman Wins Right to Criticize Surgeon on Website · · Score: 1

    The maker of the bus, who failed to put in a meteorite-proof roof.
    The maker of the bus, who failed to put in dead-man switch for cases like this where the driver is killed.
    The maker of the bus, who failed to put in supplemental restraint systems to keep the passengers safe when the bus goes over a cliff.

  17. Re:The approach is wrong on Spam is Back With A Vengence · · Score: 1

    2) The money comes from people who either want to read the spam because they want cheap rolex knockoffs, larger genitalia, penny stock tips, etc. and/or people who are technologically ignorant and are easily defrauded.

    And, with certification, the people who want to read the spam can filter it into a separate folder, and read all they want!

    Unfortunately, there is no cure for stupidity.

    Spammers don't care about getting spam through to you and me. We don't buy anything.

    But, they do. Why the emphasis on beating Bayesian filters (like SpamAssassin uses?) Why the 'real' sounding subject lines designed to fool a HUMAN into opening the email?

    My point is that the users the spammer is interested in (#2 above) WILL NOT understand certified/uncertified email (particularly not when 95% of valid mail is still uncertified), will not install client filters, will not upgrade their email client unless MS does it for them, etc

    Like I said- there is no cure for stupidity. Let the idiots get the spam, but I don't want it anymore.

    What do you propose Microsoft do, while 95% of legitimate email is uncertified?

    Well, a 'safe' default would be to sort the email by cert status. That way, the user can clearly see that the 'certified inbox' contains no spam, while the 'uncertified inbox' has lots. No emails are lost, and the user, IF THEY WANT, has reason to convince others to certify.

    Umm, a Big Red Button in their email client labeled "Report this uncertified email as spam"??
    Right, so -- what would that button do, again? Exactly? How would you code this function?


    I'm no programmer. Ask one.

    Investment needs some hope of return. Flagging 95% of all email as uncertified != return.


    You seem stuck in the early stages. What about later, when it's 50%, or 25%?

    What about putting out an Open Source project that implements this, and letting us 'nonspam targets' use it? Then, as we start bragging to friends about how we get no spam, it can spread to the rest of the people?
    Or, how about getting Microsoft behind it, so the next update to Outlook/Exchange includes it by default? That'll push it well past the 5% mark.

    Look, you don't think the idea will work? Fine. But, why not help make it better, instead of bitching about all the perceived problems?

  18. Re:The approach is wrong on Spam is Back With A Vengence · · Score: 1

    they cannot turn on any such filter by default until certification saturation, because Grandma won't see Junior's valid (but uncertified) messages, and she won't know why.

    You seem to think that the uncertified emails will automatically be deleted. I specifically made the point that the email client would handle the 'certified/uncertified' flag on its own. UNcertified email can be handled ANY WAY THE USER WANTS. It can be deleted, dropped into a 'spam' folder, flagged, or have nothing done to it.

    In the above case, the third option mentioned, flagging the email as 'uncertified', would be the best option. Outlook already flags emails as 'important', 'read/unread', etc. This would be one more flag.

    I obviously don't want spam, but I couldn't filter on this added field when 95% of my valid email is uncertified. Or when 50% of my valid email is uncertified.

    Why not? Why not flag the email, as mentioned above?
    Or subject the uncertified emails to extra-strong spam detection?
    Or filter them into a separate 'uncertified inbox' folder?
    Or use the uncertified status to fire back an automated message explaining that they are uncertified, and explaining what to do to get certified (or to get on your white-list).

    You DON'T have to just delete the emails. Duh.

    So... the spam targets (who all have certification UNaware clients) continue to receive spam.

    Yup. And when they complain about spam to their friends, their friends will tell them about certification, and they will update to a certification-aware client. What's the problem?

    And the pressure to upgrade email servers for some benefit still isn't there, particularly when you look at overly-busy server admins PLUS servers that don't even *have* proper admins, etc. etc..

    If a server does not have a "proper admin", then it probably does not deserve certification.

    Your system ... must be automated, but also because you're expecting abuse attempts it will need human supervision.

    Kinda like a lot of other systems out there. ie.: Traffic lights are automated, but (in large cities), they have human supervision.

    Walk through the process of certificate application, and see what that requires for the server admin

    Client wants to set up their own certified email server.
    Client goes to the ISP's home page and clicks the right links, ends up at the application page.
    Client fills in the required info, which includes his name/address/phone, the company name/address/phone, credit card info, etc. A captcha can be used to eliminate automated signups.
    ISP's system charges the client a nominal fee (verification #1: it's a real CC#)
    ISP's system prints up a letter (or postcard) that gets mailed to the client's address. It contains a login/password that the client needs to use to access the Key Generation page on the ISP site. (verification #2: it's a real street address)
    Optional step: The ISP calls the client at the given phone number to verify (verification #3: it's a real phone number)
    Client logs in, creates a public/private key pair and finishes setup.

    See? Completely automated. Nothing required of the ISP personnel, except dropping the postcards in the mail after they are printed, and possibly making one phone call.

    As for what the 'server admin' needs to do- he needs to install the software. Nothing more than he does for every other software upgrade.

    We're talking end users here, so we cannot expect them to know to only report certified-but-unsolicited email, and to copy the source code and headers of the offending email into the regular ISPs ticketing system. How will they even know the certification system exists, and how to file a report?

    Umm, a Big Red Button in their email client labeled "Report this uncertified email as spam"??

    Also assume that spammers, if they start to be affected as saturation arrives, will do everything they can to subvert the system, and file fa

  19. Re:The solution on Spam is Back With A Vengence · · Score: 1

    Now by your system the ISP should lose its certification, which means that any legitimate users of the system also lose their certification, which means they can't send certified e-mail to anyone.

    Exactly. I don't see the problem. If it is an inconvenience to use an ISP that is not certified, then that will spur people into either changing ISPs, or changing the ISP.

    This system is also expensive, not so much in bandwidth, but in human time. Verifying someone's identity and intentions is expensive and time consuming,

    Not really. A callback, or letter (that needs to be replied to) sent to the address of the applicant will verify the person adequately.

    hotmail or gmail, which people use for perfectly legitimate reasons, it's be pretty much impossible

    You get what you pay for. In this case, you pay nothing for these free webmail services, so you get nothing back. Hotmail/gmail would be uncertified (unless the company decided their advertising revenue was enough to fund the certification). Again, I don't see a problem.

  20. Re:The solution on Spam is Back With A Vengence · · Score: 1
    People who DO have a compatible client will not enjoy the spam blocking until they can unilaterally reject anything that is not certified. That won't happen until the servers that typically send them email switch over to your protocol.

    Not true. A simple combination of white-listing, black-listing, and certification would work fine. In other words, what people need to do NOW. Eventually, the white- and black-listing would become unnecessary.

    That's exactly my point. Of course they won't have your personal info on file. That's what you give them when you first call them up.

    They won't have your info, because you gave it to them??

    Also, you don't call the ISP. In this case it's the spammer that wants to be an ISP. So they either certify themselves (how ridiculous is that?) or they call up a centralized certification authority like Verisign to get certified.

    No- they call up the company that gives them internet access- in other words, their ISP. Like I said.

    Do you have any idea how easy it is to present fake information--even with a credit card? You can go down to Walgreen's, pick up a Visa gift card, log onto a web site and enter any personal info you want.

    So the ISP will have to, you know, VERIFY the data before certifying you. Like, spend a minute calling you back at your supposed phone number. Or sending you a letter at your supposed address (not a PO box) that you need to respond to. These things are trivial procedural issues.

    Regardless of that, large key-signing authorities (eg Verisign) have a reputation for not checking up on any of the information presented to them.

    Procedural issue. Besides, if an ISP gets a reputation of not checking their clients, and their clients are spammers, they risk getting their certification pulled by their upstream provider. Or possibly their internet connection itself pulled.

    By the time your key can be revoked (and note that key revocation is still a huge problem in PKI) you can send more than enough spam to make up for the cost of the certificate.

    The certifying servers can set time limits on when the certifications expire, and need to be re-downloaded (kind of like DHCP leases). A 'new' company that just applied for certification might have its certificate set to expire almost instantly. This way, every email they send requires a download of the certificate. This allows the certificate to be pulled rapidly if they start spamming. After a month or two, it could be set to expire weekly or monthly.

    To be plain, when I say 'the key is revoked', I mean "the certifying server is set to NOT hand out the public key anymore". Joe receives an email, his client/server connects to the certifying server, the certifying server says "Nope, I don't know that sender", and the email is marked 'uncertified', and trashed (Or whatever).

    Anyway, if you set up blacklists like this, identity theft will become a common means of retribution where someone gets certified with your name, then sends some spam and gets you blacklisted. Spammers will do it for no other reason than to introduce noise into the system.

    1) Identity theft is illegal.
    2) It's not possible if the ISPs perform even basic confirmation of the user.

    And you accuse me of not reading your post! This matter is not disputed, just the issue of how quickly the zombie machine can be shut down and how quickly new zombies can come into play.

    12:00 1000000 Spams Sent from a zombie machine owned by 'SomeIdiot@someplace.net'
    12:01 Spam received by JoeBlow@whatever.com
    12:01:05 Joe clicks the 'Report Spam' button
    12:02 whatever.com (Joe's ISP) runs the spam thru automatic verification. It matches a known spam pattern.
    12:03 whatever.com sends a report to the someplace.net (the sender's ISP) (cc: the certifier)
    12:04 someplace.net automatically re-verifies the reported email is spam. It is.
    12:05 someplace

  21. Re:The approach is wrong on Spam is Back With A Vengence · · Score: 1
    Spam filtering at the client level doesn't affect spam -- the suckers who the spam targets are NOT configuring filters at home.

    They will, if the setup wizard for the email software makes it a required step. So... all we have to do is get Microsoft behind the idea, and poof, the next version of Outlook will include it.

    So -- can you imagine an ISP filtering out email at the server level based on certification? No -- because all grandma cares about is getting Junior's emails, and when they stop coming (because his ISP's servers are in the 95% still uncertified) she gets on the phone and starts costing them money...

    Read what I wrote:
    When email arrives at the recipients server (or this could be done at the client level, as well), the server sees the certification, and connects to the certifying server to get your public key. It attempts to decrypt the header line. If it does it marks the email as 'certified', if it cannot, it marks the email as 'uncertified', and the email client can be programmed to filter messages based on that.


    See? If you have a certification-UNaware email client, it receives email completely normally. If you have a certification-aware client, it can (not 'must') filter incoming emails by certification status.

    The last link is the upstream access provider. They would need to implement the system and hire the staff for accepting complaints (online? via phone?), filtering out the sabotage from the real complaints, collecting evidence of abuse, dealing with angry ISPs on the phone, establishing/expiring/revoking certification, etc..

    You're right, it'll never work. The ISP would need a bunch of people sitting there, in some sort of center, at some sort of desk where they can help people, waiting for calls to come in. The people would have to answer the phone, take information from the customer, start some sort of record of the incident (a 'help desk ticket', if you will), and take certain actions based upon the data they collect.

    It'd never happen. Nope. No such 'call center' could ever exist. Stupid idea.

    Seriously, the reporting scheme can be almost completely automated. Simply use the current spam-recognition technology to scan the incoming complaints, and kick out any non-spam or questionable reports. Those get reviewed and classified. Real complaints launch an automated email to the certifying ISP. The ISP can automatically receive those reports, double-check them for spam, and take a variety of actions, from auto-emailing the sender with a warning, to turning off the sender's email capability.

  22. Re:The solution on Spam is Back With A Vengence · · Score: 1

    And how do you stop spammers from just using everybody elses key?

    Um, the whole point of Private Key Encryption is that there are 2 keys: a Public key which everyone knows, and a private key only you know. In this case, only your certifier's email server has your private key. Therefore, only your certifier's email server can use it.

    Now, I suppose the spammers can all become hackers too, and crack into an email server and use the keys stored there....

  23. Re:The solution on Spam is Back With A Vengence · · Score: 1

    People on mailing lists would have to set up whitelists to participate. Also, it doesn't address the issue of spam from mailing lists

    Yes, people from mailing lists that post from UN-certified servers would have to set up a whitelist. This is trivial, and a tiny price to pay for no more spam.

    Spam from mailing lists is handled like any other spam is.

    There are holes in the approach which will allow spam to continue and we would still be stuck with this annoying protocol.

    Again, as I said at the end of my post, why not try to work out the bugs in the idea, instead of just dismissing it out-of-hand?

    And the protocol is not 'annoying'. It's invisible to the end user, with the possible exception of creating the key pair.

    This plan will be totally useless unless everyone switches over.

    No, No, NO! Now I know you didn't even bother to actually read the idea. This idea does NOT need to be universally adopted, nor does it need to be adopted by everyone all at once. People who do not have a compatible client will simply not enjoy the spam blocking. They can still send and receive email.

    Somebody has to perform the certification. It must be possible to certify quickly and cheaply. Yet those two requirements mean it is fairly easy for spammers to commit fraud and get themselves certified.

    "Hello, ISP. Joe Speaking. How may I help you?"
    "You want to get certified to send emails? No problem. We have your personal info (name, address and phone number) on file, as well as your Credit Card. If this is for a business, we just need the name/address/phone of the Business. Otherwise, please log onto our home page and upload your private key. Someone will contact you by phone tomorrow to confirm you are set up."
    "Thank you for calling ISP"

    Not that tough, is it?? (Heck, the whole thing could be done online!) And with that information (name/address/phone), the ISP knows exactly who you are. If you send spam, they pull your certification, and blacklist you. (The old-fashioned blacklist, where they place you on a list that other ISPs have access to, as a warning that you broke your agreement with them.)

    Spammers will circumvent the rules for certification, take over end-user machines, or take action to get legitimate mail servers decertified.

    If a spam complaint comes in to an ISP, they can check their own email server logs and find out who sent the spam. They then have several choices:
    1) Do nothing, which means they might shortly lose their certification, depending on their agreement with their upstream.
    2) Stop accepting mail from the user, contact them (remember, they have contact info!) and find out what is going on.
    3) Pull the user's certification.

    Here is the Achilles heel of your proposal. Spammers will take over end-user machines and send out tons of spam (as they already do). This is already the biggest problem in blocking spam. We can already go upstream and tell the ISP about the problem. The ISP can already tell the client about the problem. Nevertheless, spammers take over machines faster than they can be fixed.

    This is a policy matter to discuss with the ISPs, not with me.
    If the zombies are sending spam thru the ISPs email server, then the ISPs need to BLOCK these zombie users from sending email. Then contact the users and inform them that, since they have violated the TOS, they cannot send email until their machine is un-zombified.
    On the other hand, if the zombies are sending email directly (ie, NOT thru the ISP email server), then they are already uncertified, and no one is receiving the spam anyway. :-)

    Spammers will get themselves certified...

    And the minute they send spam, they will get their certification pulled, and their names on a blacklist. Which means no other (legitimate) ISP will certify them in the future (and the illegitimate ISPs should already be un-certified and/or blocked).

    To participate in a maili

  24. Re:The solution on Spam is Back With A Vengence · · Score: 1

    Anyone can generate the key pair and set up a server if they own a domain.

    And anyone can have their email client filter out self-certifying senders. This can be done by tracing the chain of certification to the top (or at least up a few levels).

    For instance, let's assume "Fred Klein Inc" has an email server. I get my Internet service from "Local ISP Inc", they get theirs from "Regional ISP Inc", who gets it from UUNET. Email I send would have an encrypted header and a header that points to 'Local ISP'. An email client would connect to the 'Local' ISP server and get my public key. It then successfully unencrypts the header, which contains a link to the 'Regional' ISP. Etc. A client recurses up the chain until it reaches the top, or a known-good certifier.
    If someone tried to self-certify, the links will never actually go anywhere 'proven', and the email can be flagged as bad.

    the script will just need to search for the public key.

    The PRIVATE key (held only on the sending server) is used to encrypt a header. Knowing the Public key will not help a spammer.
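
The chain walk described in the comment above, combined with the lease-style key expiry from comment 20, as an added example that is not part of the original comments or of any real mail system. `Certifier`, `Client`, the `subject|certifier` link format and all host names are assumptions, and textbook RSA on Mersenne primes stands in for real signatures so the sketch runs on the standard library alone.

```python
import hashlib

E = 65537
# Mersenne primes: enough for a stdlib-only demo, useless as real key material.
PRIMES = [2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1]


def make_key(i, j):
    """Toy textbook-RSA key from two of PRIMES: (modulus n, private exponent d)."""
    p, q = PRIMES[i], PRIMES[j]
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def _digest(text, n):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % n


def sign(text, n, d):
    return pow(_digest(text, n), d, n)


def verify(text, sig, n):
    return pow(sig, E, n) == _digest(text, n)


class Certifier:
    """Certifying server: hands out public keys for the senders it vouches for."""

    def __init__(self):
        self.keys = {}  # subject -> (public modulus, lease in seconds)

    def certify(self, subject, n, lease):
        self.keys[subject] = (n, lease)

    def revoke(self, subject):
        self.keys.pop(subject, None)  # revoked == key is no longer handed out

    def lookup(self, subject):
        return self.keys.get(subject)  # None == "I don't know that sender"


class Client:
    def __init__(self, network, links, trusted):
        self.network = network  # certifier name -> Certifier
        self.links = links      # subject -> (certifier name, signature over link)
        self.trusted = trusted  # known-good certifiers where the walk may stop
        self.cache = {}         # (certifier, subject) -> (modulus, lease expiry)

    def _key(self, certifier, subject, now):
        hit = self.cache.get((certifier, subject))
        if hit and now < hit[1]:
            return hit[0]       # lease still valid: no download
        server = self.network.get(certifier)
        answer = server.lookup(subject) if server else None
        if answer is None:
            self.cache.pop((certifier, subject), None)
            return None
        self.cache[(certifier, subject)] = (answer[0], now + answer[1])
        return answer[0]

    def check(self, sender, now, max_depth=8):
        """Walk sender -> certifier -> ... until a trusted name or a failure."""
        subject, seen = sender, set()
        for _ in range(max_depth):
            if subject in self.trusted:
                return "certified"
            if subject in seen or subject not in self.links:
                return "uncertified: chain never reaches a known-good certifier"
            seen.add(subject)
            certifier, sig = self.links[subject]
            n = self._key(certifier, subject, now)
            if n is None:
                return "uncertified: %s does not vouch for %s" % (certifier, subject)
            if not verify(subject + "|" + certifier, sig, n):
                return "uncertified: bad signature from " + subject
            subject = certifier
        return "uncertified: chain too long"


def build_demo():
    """Constructed network: fredklein-inc -> local-isp -> regional-isp -> uunet."""
    pairs = {"fredklein-inc": (0, 1), "local-isp": (0, 2), "regional-isp": (0, 3),
             "new-co": (1, 2), "spam-co": (1, 3), "spam-ca": (2, 3)}
    keys = {name: make_key(*pair) for name, pair in pairs.items()}
    network = {c: Certifier() for c in ("local-isp", "regional-isp", "uunet", "spam-ca")}
    links = {}

    def enroll(subject, certifier, lease):
        n, d = keys[subject]
        network[certifier].certify(subject, n, lease)
        links[subject] = (certifier, sign(subject + "|" + certifier, n, d))

    enroll("fredklein-inc", "local-isp", 3600)  # established sender: hourly lease
    enroll("new-co", "local-isp", 0)            # new sender: key fetched per email
    enroll("local-isp", "regional-isp", 3600)
    enroll("regional-isp", "uunet", 3600)
    enroll("spam-co", "spam-ca", 0)             # self-certification: spam-ca only
    enroll("spam-ca", "spam-ca", 0)             # ever points back at itself
    return network, Client(network, links, trusted={"uunet"})
```

With a one-hour lease, a revoked `fredklein-inc` key keeps verifying from the client's cache until the lease lapses; the zero-lease setting for new senders closes that window at the cost of one key download per message.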

  25. Re:The solution on Spam is Back With A Vengence · · Score: 1

    If implemented well, this scheme drives up the cost of sending spam for all spammers regardless of whether they respect the law, are in a legal jurisdiction that would cooperate with the recipient's jurisdiction, etc., because their messages simply won't get through if they don't front the money, and any recipients who they targeted may choose to keep the fronted money to compensate for their wasted time and annoyance.

    ...and so, spammers will turn to Identity Theft and using other people's credit cards to pay for their spam.