The link, however, looks like it is an image file:
I wrote a small Windows program called popURL that lets you quickly get info on a URL such as the file size, MIME type (important obviously), even software running on web server (IIS etc.)
Most companies are already archiving those as Portable Document Format (pdf) files
Yup, PDF is storage/archival/transfer de facto. If you're going to email someone a document and you want it to look like the original, you send them a PDF. The best part is, OpenOffice conveniently can save documents as PDF. Just do File | Export as PDF and you're done. I've been using this for technical reports and academic papers, even submitting for final publishing.
The SPF/SenderID group understands exactly what it is doing. It is not making the claims you are asserting
I was an SPF supporter (had TXT records for my domains, even) until I took a look at their objections page. Take a look at it yourself.
"Second, to handle bounces, I propose a rewriting scheme as follows" -- as Vernon points out, this scheme is terribly broken. It is not a generic solution, and is definitely not going to work globally.
"Domains that refuse to publish SPF or publish global-allow SPF out of political principle, malice, or incompetence will simply have to accept the penalty of a higher spam score." -- but many domains are simply unsuitable for using with SPF! What about a provider who provides a mail forwarding service, even universities, etc. They want their addresses to be used as return paths outside their own systems. The SPF people are saying that these domains must be punished for their unwillingness to adopt SPF. Internet email is a flexible thing, and there are a zillion instances in which SPF is unworkable.
"What do the customers want? They want to communicate with their friends and family; and they want to not get spam. They do not particularly care if a few eggs are broken along the way." -- this shows a severe misunderstanding of their own system. SPF does not prevent spam, but rather provides a domain owner with the power to prevent their return paths from being forged. This is very different from addressing a spam issue. It's not a bad goal, but it's not addressing spam.
Those quotes are directly taken from the SPF proponents at pobox.com; you can see the major flaws in their thinking. Especially unfortunate is their expectation that everyone must adopt SPF. There is no way SPF will be adopted by all domains, and penalizing domains for refusing to participate in the scheme is senseless. This is why I have lost faith in SPF.
SPF (http://spf.pobox.com) is the current email authentication protocol that is dominating the world.
SPF is dominating nothing. It's a neat idea, but the way the SPF people are pushing it is purely ludicrous. The email experts of the world are not onside, I'm sorry to say. Reasons? SPF champions are making fools of themselves by saying that everyone should adopt SPF, and non-adopters are also the kinds of people who support spam and open relays. Totally wrong. The SPF people are also pushing a crazy solution to envelope path rewriting, that will never work due to overcomplexity. The SPF community has to understand that SPF is (1) not a solution to spam, (2) can offer limited protection of domain use but only if it is purely optional - not pushed on everyone. SPF just won't work with some domains.
to vote with your wallets? I'm suggesting, not buying DVDs of MPAA products. If the industry thinks it's losing money because of chips that are too feature-rich, wait til they lose money due to lack of sales period.
Java is slow - This is a myth. A long-running Java app running under HotSpot will over time grow to be faster than nearly any similar C or C++ app.
I certainly believe what you are saying here, but my problem with Java is that for servers, we typically use small units of software that execute, do their jobs, and terminate. Java programs are just unsuitable for that model; the initial overhead is high (loading or configuring VM) and the programs don't run long enough to make it worthwhile. Sure, you could convert every program to a 'daemon' style but this truly is unnecessary and flies in the face of simplicity most of the time.
Earlier this summer I posted this article on USENET describing why ReiserFS is an incredible file system. That was version 3, so I'm curious how version 4 improves on this. Stability is key and v3 has reached stability. We can expect v4 to take longer, so be ready for growing pains -- but I'm very optimistic about ReiserFS in general. I think Hans has the right idea about what a filesystem 'should' do!
no hole in IE can cause the privilege escalation you describe.
This is just not true. There has been more than one instance of an ActiveX vulnerability allowing an unscrupulous software developer access to privileged execution. These types of intrusions can be made through Internet Explorer; it's perfectly possible that a spyware vendor use such a mechanism to install their software deeper into the OS than should be allowed by normal privileges.
I volunteered to look after a student computer lab at university. We did a fresh install of Windows 2000 on all the workstations, set up NTFS, applied all security patches and turned on the auto updater. The lab is firewalled and NATed through a Linux server that's running Samba as a primary domain control for an NT domain. All users have low priv accounts, authorized through the PDC on the local network.
In other words, this is a pretty secure setup, except for the local machines (everyone has physical access). But regular users don't have admin privileges.
There was something I found quite odd. After running for a year or so, I discovered that when I launched IE from my own account, it came up with the Yahoo bar installed. That's weird, I thought, since I'm the only admin and regular users don't have that kind of privileges.
I double checked the patches and hotfixes, yup, we're still up to date...
Fast forward... things started to fall apart after 1.5 years. Somehow, spyware entering via IE from one account was able to 'infect' other accounts. Launching IE would immediately pop up ads - even in accounts that were never used before. Whole system-wide applications and spyware seemed to be installed by low privilege users. It's a bloody mess, I don't want to touch it any more.
I'm not sure whether Windows or IE is to blame (my guess is: both) but if they want me to volunteer my efforts to admin the lab next year, a bunch of 1st year students are going to walk in and find a bunch of dumb consoles running stripped down X interfaces to a FreeBSD server.
Civil liberties people prepare to be shocked. Not only are RFID chips in your shoes, but according to the July 2004 IEEE Spectrum, they're also in:
All Dockers khaki pants
All Colgate Shave Cream packages
All Trojan Ultra Ribbed condom boxes
Some Gillette razors
While I'm sure that nobody is tracking you right now, RFID tags can be read from several meters away and contain unique identifiers. If you thought the Pentium chip unique IDs were bad, this should (rightly so) worry you considerably more.
As a first measure, running Windows with non-admin privileges would go a long way to limiting the power of viruses to infect and spread. From the description of the worm,
When first run, W32/Rbot-GR copies itself to the Windows system folder as SYSTEMC32.EXE and runs this copy of the worm . . . will set the following registry entries: HKLM\Software\Microsoft\Windows\CurrentVersion\Run \ . ..
All impossible to do without admin privileges on an NT-style system. Do yourself a favour, create a low privilege account for yourself :) This measure is obviously not a substitute for a brain, but it's pretty basic and helps immensely.
Apache impressed people with its English-style configuration directives that have influenced other developers to switch to such logical formats. Another example: the Postfix MTA is becoming more popular and many users say they enjoy using it because of the straightforward configuration, compared to the m4 mess of sendmail. "It has to be complicated to be powerful" is no longer an excuse.
It's safe to say that Google is an internet search used by everyone. This means they have some of the most valuable information for a consumer world. They could easily make billions packaging this data properly and selling it to marketing firms.
Following up to my own post... what's interesting about this business direction, should Google decide to go that route, is that they won't have to litter their search engine with ads. They could keep it running exactly as it currently is, with the efficiency and simplicity we enjoy. After all, it's the information obtained via regular searches that is valuable, not any direct actions (ad-clicking) by the users themselves.
Information about consumer habits and desires drives product development. Knowledge is power, and many companies are driven by marketing initiatives. In other words, marketers determine the need and direct product development.
Credit cards provide a useful way to track consumers and build files on their habits. Other electronic cards (club card memberships, air miles, etc.) provide similar ways to gather consumer information. The companies that gather this information then sell it out to other marketing firms.
It's safe to say that Google is an internet search used by everyone. This means they have some of the most valuable information for a consumer world. They could easily make billions packaging this data properly and selling it to marketing firms.
With respect to the media industries, remember that we definitely don't have a free market. The industrial lobby has been pressuring governments around the world to enforce via law what they can't possibly enforce in a free market economy (I'm talking DMCA here, and its EU equivalent).
In other words, the media and content distribution industries are genuinely screwed without government being there to "make the scary things go away". I don't want to see the government holding the RIAA and MPAA's hand, I say let these companies 'battle it out' and survive if they're meant to.
The first step is obviously to check the headers of an email you receive. Just see who sent you the damn thing (from Received headers). Was it actually an IP belonging to .paypal.com? This is easy to check using 'whois'. If the whois lookup shows the IP delivering you the email is from the company you expect (VISA, Paypal, Ebay) then it's fine.
OK, how about an example. Take this US Bank phishing scam, here are the Received headers:
Received: by mail.pc9.org (Postfix, from userid 82)
    id 2E7E6AC1B; Tue, 17 Aug 2004 07:13:50 -0700 (PDT)
Received: from usbank.com (unknown [211.209.208.87])
    by mail.pc9.org (Postfix) with SMTP id BCF24AC03
    for <bigberk@users.pc9.org>; Tue, 17 Aug 2004 07:13:47 -0700 (PDT)
Received: from 0.212.252.18 by 211.209.208.87;
    Tue, 17 Aug 2004 09:08:18 -0600
The first Received hop is my ISP. The second Received hop is the only important one; it describes the connecting host. Note that the host here pretended to be usbank.com but that name is a sender-supplied ID; it's worthless. What you're looking for is the IP address between square brackets, which can not be forged. Now just check 211.209.208.87 using whois
$ whois 211.209.208.87
...
[ Organization Information ]
Organization ID : ORG3930
Org Name : Hanaro Telecom Inc.
State : SEOUL
Address : Shindongah Bldg., 43 Taepyeongno2-Ga Jung-Gu
Zip Code : 100-733
...
See, easy. This email came from Korea, not US Bank. It's a scam!
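The header check described in the comment above, as an added Python example (not code from the original post): it walks the Received chain from the top, stops at the hop stamped by your own mail server, and returns the bracketed connecting IP next to the sender-supplied HELO name. The Postfix-style header layout, the `connecting_hop` function name and the constructed Subject line are assumptions of this sketch.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the three Received headers quoted in the post,
# newest first, plus a made-up Subject line and body.
RAW_SAMPLE = """\
Received: by mail.pc9.org (Postfix, from userid 82)
\tid 2E7E6AC1B; Tue, 17 Aug 2004 07:13:50 -0700 (PDT)
Received: from usbank.com (unknown [211.209.208.87])
\tby mail.pc9.org (Postfix) with SMTP id BCF24AC03
\tfor <bigberk@users.pc9.org>; Tue, 17 Aug 2004 07:13:47 -0700 (PDT)
Received: from 0.212.252.18 by 211.209.208.87; Tue, 17 Aug 2004 09:08:18 -0600
Subject: constructed sample

body
"""

# Postfix layout: from <HELO name> (<reverse DNS> [<peer IP>]) by <our host>
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def connecting_hop(raw_message, trusted_mta):
    """Return the hop where an outside host connected to trusted_mta.

    Headers are prepended, so the list is newest first. Everything below
    the returned hop was written before the message reached us and is
    counted as untrusted.
    """
    hops = message_from_string(raw_message).get_all("Received") or []
    for index, header in enumerate(hops):
        unfolded = " ".join(header.split())   # undo header line folding
        match = HOP_RE.match(unfolded)
        if not match:
            continue                          # local hand-off or other format
        if match["by"].lower() != trusted_mta.lower():
            continue                          # not stamped by our server
        peer = match["ip"]
        if peer.lower().startswith("ipv6:"):  # Postfix prefixes IPv6 peers
            peer = peer[5:]
        try:
            ip = str(ipaddress.ip_address(peer))
        except ValueError:
            continue                          # malformed address, skip
        helo, rdns = match["helo"], match["rdns"]
        return {
            "helo": helo,                     # sender-supplied name
            "rdns": rdns,                     # what our server resolved
            "ip": ip,                         # address to look up in whois
            "helo_matches_rdns": rdns.lower() != "unknown"
            and helo.lower() == rdns.lower(),
            "untrusted_below": len(hops) - index - 1,
        }
    return None


if __name__ == "__main__":
    print(connecting_hop(RAW_SAMPLE, "mail.pc9.org"))
```
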
When used properly, One Time Pad is impossible to break. Of course, carrying around enough truly random characters/bytes for all of your encrypting needs without getting caught is another story
Yes, the OTP is the way to go -- sequence of random bytes, which you simply XOR with your message. Dump out /dev/random to a CD-R or DVD-R, make a copy for your friend, and you've both got nice one-time-pads that will probably last you quite some time.
What's interesting is that quantum physics offers several new things that will help implement excellent OTP systems... over existing fiberoptic telecom systems, no less! This is really exciting stuff.
First, quantum physics offers us a new way to generate truly random numbers for your OTP. Your rand() function sucks, I guarantee you. /dev/random is very good, but slow... /dev/urandom uses hash mixing so isn't nearly as random. Both rely on physical events, time intervals, and possibly thermal noise. In comparison, a quantum random number generator in theory gives you random bits that are totally un-influencable.
So now you've got your random bitstream... what do you do with it? Well, you hook up the OTP stream to a laser-based system that sends essentially single photons down an optical fiber. The idea being that single photons are either received by your friend or intercepted (absorbed) by your enemy. They can't be copied. Anyway several factors complicate this process but the basic idea remains. It's for real.
So your computer can generate a random OTP, securely send it to your friend (without fear of interception), and now you can both exchange classical data encrypted with your OTP. Repeat as necessary. If the physics behind this is sound, we shouldn't have to worry about algorithmic attacks in the future. Here's a rather complete article describing everything.
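The XOR pad exchange from the comment above, as an added Python example (not code from the original post): two parties hold the same pad, the sender consumes it strictly forward, and the code refuses to wrap around or replay a segment. The class names are hypothetical, and `secrets.token_bytes` stands in for whatever source actually filled the pad.

```python
import secrets


class PadExhausted(Exception):
    """Raised instead of wrapping around and reusing pad bytes."""


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class PadSender:
    """Encrypts by consuming the shared pad strictly forward."""

    def __init__(self, pad):
        self._pad = pad
        self.offset = 0          # next unused pad byte

    def encrypt(self, message):
        end = self.offset + len(message)
        if end > len(self._pad):
            raise PadExhausted("not enough unused pad left")
        start = self.offset
        ciphertext = xor_bytes(message, self._pad[start:end])
        self.offset = end        # these pad bytes are never used again
        return start, ciphertext


class PadReceiver:
    """Decrypts with the same pad and rejects any offset already consumed."""

    def __init__(self, pad):
        self._pad = pad
        self._high_water = 0

    def decrypt(self, start, ciphertext):
        if start < self._high_water:
            raise ValueError("pad segment already used")
        end = start + len(ciphertext)
        if end > len(self._pad):
            raise PadExhausted("ciphertext runs past the end of the pad")
        self._high_water = end
        return xor_bytes(ciphertext, self._pad[start:end])


def reuse_leak(c1, c2):
    """XOR of two ciphertexts made with the SAME pad bytes.

    The pad cancels out, leaving plaintext1 XOR plaintext2, which is why
    each pad byte may be used exactly once.
    """
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


if __name__ == "__main__":
    pad = secrets.token_bytes(32)            # constructed 32-byte pad
    sender, receiver = PadSender(pad), PadReceiver(pad)
    offset, ct = sender.encrypt(b"meet at noon")
    print(offset, ct.hex(), receiver.decrypt(offset, ct))
```
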
First of all, the technology used in a product like this is not radically different from existing flash solutions. The big problems are cost and limited use -- flash memory (transistors with high voltage-forced states) can only be toggled a limited number of times. So there is a limited number of write cycles for the faster types of non-volatile solid state memories.
That problem can be reduced by padding devices with large amounts of RAM (write caching). But the breakthrough is coming soon, with new flash technologies that are better designed for continual writes (without compromising speed). From what I've read in IEEE Spectrum, the better technologies suited for mass storage are in research labs right now, meaning maybe 5 or 10 years til market.
Although I think it's a good thing that the US is willing to work with an international effort, I am becoming more skeptical as time passes about the need to pursue new power sources. The assumption being that Fusion power won't so much replace oil, coal, and nuclear but rather just become a new way to generate power.
We already generate enough power world-wide. The reason we worry about power needs is because, (1) development perpetually accelerates industry's demands, and (2) we don't take energy conservation seriously.
The clue that something is wrong is in the words "perpetually accelerates". How can one earth, a closed system, sustain ever-increasing amounts of wastes produced by industrial throughputs? This is obviously not a sustainable practice. In other words it's not the lack of energy that's going to kill us, but rather the byproducts of what we process using that energy.
If we could just replace all 'dirtier' power sources with newer cleaner technologies, that would be great but I suspect that the more practical direction will be to just add new power facilities on top of existing ones. More power for the world means quicker resource consumption. This is not something we should be happy about, because it compromises our ability to live on earth in the long term.
FWIW, the built in firewall is better than the firewall in my router, in that it can open ports based on program, instead of statically keeping them open
I still prefer keeping the firewall to an independent, stripped down system (definitely not on the same host I'm trying to protect). Linux 2.4 and later, with netfilter (iptables) do support opening up ports dynamically based on program access.
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Simply, default action is to drop packets. But if the packet is part of an established or related connection (i.e. ftp, irc) then the packet is permitted. With iptables you should never just "open up" a range of userland ports, this is an improper firewalling method.
Because of the extensive use of Linux in shell hosting environments Linux is fairly robust against local exploits. Windows is still terribly weak to local privilege escalation.
You're really wrong about this. Linux has a terrible record for local root exploits, due to flaws in the kernel itself. In order to keep your systems secure you had better be upgrading your kernel on average about every 2 months. Many of the root privilege escalations are trivial to carry out... this is an embarrassment to Linux. Now, Linux is popular in web hosting packages but that's because people like to see the word Linux, not necessarily because it's secure.
Web hosting companies could easily lag for a day or two when new exploits are published, leaving plenty of time to get root. I'd venture to guess that you would have a couple of easy root opportunities a year.
Linux is still a more secure kernel than Microsoft's NT, but not significantly. For security I trust FreeBSD or OpenBSD.
Mod parent up. Turn out your science caps, people and think of isolated systems. Think of the world as a civilization under a sealed glass dome. Sunlight inputs radiant energy; water mass is a constant, etc. We really have to learn to make do with what's in the dome, because wastes remain in the dome too.
Pumping oil from the ground means that we're adding things from outside the primary cycle into our sealed dome (because of the considerable time required to renew fossil fuels, oil should be considered outside the cycle). It's the wastes from consumption that can upset the balances.
Also helps, as a mental exercise, to consider the impact of commercialization and exploitation of all our natural resources. You're trapped in the goddam bubble. Trust me, there's no easy way out. We all have to deal with the wastes! They don't "disappear"!
Of, well, slashdotting the solution to slashdotting? Really cool idea though. Nice!
True story.
- wuftpd
- sunrpc, portmapper
- imapd
- sendmail!!
- bind!!!
- openssh
- openssl
- apache
- php
- samba
I'm sure I forgot a dozen other common packages, but you get the idea. Any outdated, Internet-connected system is a disaster waiting to happen.