Slashdot Mirror


User: 0x0d0a

0x0d0a's activity in the archive.

Stories
0
Comments
6,986
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 6,986

  1. Re:It's not a matter of A or B on Yahoo and Unilateral Anti-Spam Technology? · · Score: 1

    How?

    Argh. I've been posting these in the SPF discussions multiple times earlier. Okay, here goes again.

    SMTP uses TCP, which requires a round trip packet exchange to simply establish the connection before any data is exchanged. So the receiving MTA definitely knows the sender's IP number.

    There's little point in spoofing the SMTP connection. Spammers don't bother today. The authentication, which is what's important, takes place over DNS, with *no anti-spoofing features* beyond base DNS.

    DNS can be spoofed, but that is a difficult and risky attack for spammers.

    DNS spoofing is not difficult. It's done with an automated tool, just like other attacks. It's difficult in the sense that running an automated tool is difficult, which is to say not at all.

    I have no idea what you mean by "risky".

    It's pretty safe to assume that 99% of DNS lookups performed to obtain SPF records will receive the information published by the domain name owner, and not a spoofed response from the spammer.

    *confusion* So? If 99% of HTTP queries to an IIS server are not buffer overflow attacks that compromise the thing, how is this any kind of testimonial as to the security of that IIS server?

    If the IP matches one that the domain's DNS says is authorized to send, then it's a pretty strong indication that the email is not forged.

    No, not if people deploy SPF. Then spammers will simply always work around SPF.

    Remember that SPF (and other authentication proposals) stops forgery, not spam directly. It only hurts spammers by making forgery much more difficult.

    SPF is roughly on the level of the evil bit. It means that if someone is not interested in lying to any systems involved, it works fairly well. If someone is interested in attacking it, however, it quickly breaks down.

    Fill out the web-based SPF Publisher Wizard, and then copy the result into your DNS zone file. No new server software to install or update, no changes to email clients, no email server configuration changes, nothing to download. Looks pretty trivial to me (I did it for my site in just a few minutes).

    Not at the "providing SPF" end, at the usage end, where you have patching servers and writing something to handle non-SPF domains.

    Yes, please explain?

    Instead of repeating the list of problems with SPF, I'm just going to provide a link pointing to the last discussion.

    Thousands of sites don't seem to share your view, including AOL:

    Thousands of sites use unpatched servers for various security vulnerabilities. Furthermore, AOL is not what I would call a paragon of technical virtue. I will grant that AOL is desperate for some way of reducing spam. However, they're going for what is, at best, a very short term hack to reduce spam -- it's a hell of a lot easier to get past SPF than it is to, say, defeat Bayesian filtering, and spammers are pretty busily chewing up Bayesian filtering.
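    The exchange above turns on a single mechanical fact: the receiving MTA knows the TCP peer address, and SPF reduces to checking that address against a record fetched over plain DNS. The following is an added illustration, not code from the comment or from any SPF implementation. It evaluates the common SPF mechanisms (ip4, a, mx, include, all) against a constructed in-memory zone table standing in for DNS lookups; the domain names, addresses and records are made up for the example. The last function shows the receiver-side consequence the comment is making: the verdict for one and the same connecting IP is entirely a function of whatever TXT answer the resolver handed back, which is why an SPF "pass" is only as strong as the resolver's ability to validate that answer (e.g. with DNSSEC) and should be weighted accordingly in a filtering policy.

```python
import ipaddress

# Constructed zone data standing in for real DNS answers (example values only).
DNS = {
    "example.org": {
        "TXT": "v=spf1 ip4:192.0.2.0/24 a mx include:mail.example.net -all",
        "A": ["203.0.113.10"],
        "MX": ["mx1.example.org"],
    },
    "mx1.example.org": {"A": ["203.0.113.20"]},
    "mail.example.net": {"TXT": "v=spf1 ip4:198.51.100.0/26 ~all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(dns, name, rtype):
    """Stand-in for a resolver query: return the records of one type or None."""
    return dns.get(name, {}).get(rtype)


def evaluate_spf(dns, domain, client_ip, depth=0):
    """Evaluate the SPF record of `domain` for the TCP peer `client_ip`.

    Returns one of pass, fail, softfail, neutral, none, permerror.
    Simplified relative to RFC 7208 (no exp/redirect/ptr/exists, and an
    include only matches when the included domain yields "pass").
    """
    if depth > 10:                      # guard against include loops
        return "permerror"
    record = lookup(dns, domain, "TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"                   # domain publishes nothing usable
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in (lookup(dns, arg or domain, "A") or [])
        elif name == "mx":
            for mx in lookup(dns, arg or domain, "MX") or []:
                if str(ip) in (lookup(dns, mx, "A") or []):
                    matched = True
        elif name == "include":
            matched = evaluate_spf(dns, arg, client_ip, depth + 1) == "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # record exhausted without a match


def verdict_under_answer(record, client_ip, domain="example.org"):
    """Verdict for the same client IP if the resolver returned `record`.

    Everything else is held fixed; only the TXT answer differs. This is the
    trust boundary: the receiver cannot tell a genuine answer from a forged
    one without validating the DNS response itself.
    """
    dns = {name: dict(data) for name, data in DNS.items()}
    dns.setdefault(domain, {})["TXT"] = record
    return evaluate_spf(dns, domain, client_ip)
```

    Running `evaluate_spf(DNS, "example.org", "10.0.0.1")` yields "fail", while `verdict_under_answer("v=spf1 ip4:10.0.0.0/8 -all", "10.0.0.1")` yields "pass" for the identical peer: nothing about the SMTP session changed, only the DNS answer.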

  2. Re:Signed Email on Yahoo and Unilateral Anti-Spam Technology? · · Score: 1

    It doesn't, at least as things are. My guess is that they're going to add "premium" services at some point.

    They don't do everything that eBay does, though.

  3. Re:police will be happy on Yahoo and Unilateral Anti-Spam Technology? · · Score: 1

    I need to read up on Yahoo's system, but I do not believe that it is usable as a tracking system (or, at least, I am certain it is possible to build a system that provides the benefits that Yahoo is claiming that is *not* usable as a tracking system, and I would expect Yahoo to be implementing the system in such a way).

    Frankly, it's already more than easy for three-letter agencies to obtain email. Yes, you have an extremely weak defense now that would be weakened by mandatory signing -- you can *claim* that someone happened to forge three years of email (just as you can claim that someone forged all the snail mail sent from your mailbox), but it'd be a tough time unless you had incredibly tight informational separation between your emails and the rest of your life.

  4. Re:Signed Email on Yahoo and Unilateral Anti-Spam Technology? · · Score: 1

    B. CRLs don't scale. Period. There's a reason why PKIs hardly ever get past 100K users

    Force cert expiry, which lets you also purge obsolete CRLs. Use a distributed, caching mechanism to distribute CRLs.

    D. Sure, but most users are unlikely to get savvy enough to understand the distinction. The proposed scheme takes that decision out of the user's hand.

    I don't understand the water distribution system that services my house. I do know that it's reasonably well put together, provides clean water reliably, and that it fills a wide number of needs without too much expense.

    Folks may not understand all the benefits of signed email. That's no justification for not implementing this in a manner that requires essentially no user involvement (Hell, does your average user understand Windows Metafile Format? How about the signal processing involved in Ethernet chipsets? He uses both!).

    Sure, for that .001% of transactions where conventional forms of contract aren't good enough. Most people wouldn't sign a binding contract without legal advice, at which point they have access to a notary, etc., and the signature feature on email has no value.

    That's not the point. Congress, desperate for a solution to allow companies to deal with licenses and contracts over the web, allowed e-signatures to be legally binding a few years back. Unfortunately, an e-signature does not entail a cryptographic signature, a standard method of presenting to the user or logging signed contracts. It even allows a software agent to sign legally binding documents. The only thing that is required is intent on the signer's part to produce a legally binding document. Currently, I am theoretically bound by clicking an "I Agree" button in a web browser. This is, frankly, idiotic. Email signing is no more than a mechanism saying that it's unlikely that someone forged a document. It's not an e-signature mechanism in itself, since you want to make it clear to people that *this* particular email is a legally binding document (that happens to be authenticated), and *this* email is not legally binding (and also happens to be authenticated).

    Email signing is a good thing, almost without caveat.

  5. Re:It's not a matter of A or B on Yahoo and Unilateral Anti-Spam Technology? · · Score: 1

    Actually Eric has been supporting the SPF spec which is public, has an open discussion group and is currently in pole position wrt other schemes.

    If SPF is really "in pole position", the spammers are going to have a field day. SPF is easy to defeat. Plus, it has non-trivial deployment issues and a set of drawbacks associated with it.

  6. Because it has security issues on Yahoo and Unilateral Anti-Spam Technology? · · Score: 1

    This approach has already been proposed in the form of SPF. While theoretically, with some additional infrastructure (modifications to both DNS and more significant modifications to mail servers), it's probably possible to do this in a secure manner, the approach SPF advocates is easily defeated. It also introduces reliability and performance issues.

  7. SPF is broken on Yahoo and Unilateral Anti-Spam Technology? · · Score: 1

    I can't agree that SPF is particularly useful here.

    So in order for a spammer to spam someone using your actual e-mail address they have to:

    1) hack into your domain's outbound mail server and send e-mail from there (nothing new in this risk)
    Okay, fair enough.

    2) hijack/trojan your machine or a machine in your organization and then route e-mails through the official SMTP server (same as what happens now, except that the mail admin is more likely to notice that customer 32432's account is sending gobs of e-mail)

    Note that the only way a spammer would be forced to go through the local SMTP server is if *everyone* is properly implementing SPF everywhere. It only takes a single misconfigured server. Frankly, the problem of making SPF work Internet-wide is a superset of solving the open relay problem (i.e. ensuring that all mail servers that can send you mail are properly configured not to allow non-customers to dump mail through them). Solving the open relay problem provides all the benefits that SPF does. SPF hides the actual costs of its implementation with a lot of discussion of interesting features, but ultimately, it's not a particularly useful proposal.

    3) poison the DNS SPF information (tough attack to pull off, can be combatted and might lead to new security in the DNS system)

    This may be used in a positive (authorizing additional servers) or negative (deauthorizing authorized servers) manner. In the negative manner, it takes the form of a DoS. It is only hard to pull off for heavily-used mail routes (since only one lookup in a bazillion will actually generate a DNS query). It's still possible, and difficult and expensive to defend against, and a single success can have catastrophic results. It may also be used in a positive manner, to falsify SPF information. This is not particularly tough to pull off, as tools to automate the procedure will inevitably pop up shortly after folks start using SPF.

    spammer goes in search of a domain that doesn't have reverse-MX info and forges that domain onto their e-mails

    Another flaw in SPF. Much like the open relay problem, it requires *correct implementation Internet-wide* to work without holes. Every time someone's proposed a security system based on this, it has failed.

    5) spammer starts to use throw-away domains at $X each

    Trivial issue to bypass. Spammers frequently lose their accounts after a spam incident, which means they have to pay for a throwaway account. That's $20-$40. A throwaway domain adds only $10 to that cost. It just isn't significant -- spammers make more money than that per spam run.

  8. This is called SPF and is broken on Yahoo and Unilateral Anti-Spam Technology? · · Score: 1

    This is called SPF. It has a number of security flaws and shortcomings. You can find my comments on it during the last few Slashdot SPF stories. During the last Slashdot discussion, someone brought up a new DoS attack that could be executed using it.

    I would *strongly* advise against implementing SPF. I consider the system fundamentally flawed, but even if someone can deal with that, at least some of the more glaring problems, like using DNS as a transport mechanism, should be fixed before anyone considers using it.

    The Yahoo approach (apparently PKI, need to read up on it) is probably more work to implement, but also probably fixes the problem properly.

    At the best, SPF is another hack that will grant a decrease in spam for a few months (and then leave cruft and mucked-up mailservers around for years and years to come).

  9. Yahoo might be doing us a big favor on Yahoo and Unilateral Anti-Spam Technology? · · Score: 4, Insightful

    I don't believe this is proprietary. Yahoo is releasing a patch for Sendmail. AFAI can tell, while they're funding the dev work (because the spam rate is killing them), they aren't trying to milk this for more money.

    One major problem with standards groups is that people like Verisign are on most security standards groups. Verisign has extremely strong motivations to ensure that email uses a Web-like interface, where one purchases an (expiring) Verisign cert for each email server one runs. They have strong incentive to block competing solutions. If you want to come out with a good system that prevents existing folks from milking a market, both industry consortiums and standards groups are pretty much useless. You need to do what happened with PNG -- have a bunch of talented, aggravated engineers sit down, write up a technically good spec, and put out reference code. Later on, let standards committees follow what's in place.

    I can't figure out why replay attacks are an issue. I, personally, would suggest, off the cuff, including any To: or CC: lines in the message body (just for signing purposes, not actually sending either header in the body). This way, a replay attack would only allow resending the same email to the same destination from the same source. It's also pretty easy to include a timestamp, if folks are *really* concerned about replays.

    Yahoo is pretty much doing what ESR and RMS have been hoping for for years -- contributing to open source systems because there's an itch that needs scratching.

    Paul Vixie (disclaimer -- I don't move in his circles, and what I know about him is entirely secondhand) seems to be involved a great deal in politics, rather than technology. He leaves a bit of the same bitter tang in the mouth that Verisign does. He is, apparently, the source of at least some of the IETF objections. Vixie has also made a number of antispam statements that I tend to disagree with, including advocating mass blocking of mail servers on home email connections by netblock.
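    The replay suggestion in the comment (sign over the To: and Cc: lines and a timestamp, without actually moving those headers into the body) is worth seeing in code. The block below is an added example written for this page; it is not the comment author's code and not Yahoo's Sendmail patch, whose signing scheme the page does not describe. It uses a stdlib HMAC with a constructed shared key as a stand-in for whatever public-key signature the real system would apply; the canonicalization and verification logic is the part that matters. The receiver rejects a message whose addressing was changed after signing, and treats a valid but old signature as stale, so a captured message cannot be re-sent to a new recipient or indefinitely later.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Headers bound into the signature, in fixed order. To/Cc/Date are exactly the
# fields the replay argument needs covered; From ties the message to a sender.
SIGNED_HEADERS = ("from", "to", "cc", "date")


def canonicalize(headers, body):
    """Build the exact byte string that is signed and later verified.

    Header names are lowercased, values have whitespace collapsed, absent
    headers contribute an empty value, and trailing newlines on the body are
    dropped, so benign relay rewrites do not break the signature while any
    change to recipients or date does.
    """
    h = {k.lower(): v for k, v in headers.items()}
    lines = [f"{name}:{' '.join((h.get(name) or '').split())}" for name in SIGNED_HEADERS]
    lines.append(body.replace("\r\n", "\n").rstrip("\n"))
    return "\n".join(lines).encode("utf-8")


def sign(key, headers, body):
    """Stand-in signer: HMAC-SHA256 over the canonical form (a real deployment
    would use a public-key signature here; the canonicalization is unchanged)."""
    return hmac.new(key, canonicalize(headers, body), hashlib.sha256).hexdigest()


def verify(key, headers, body, signature, now, max_age=timedelta(days=7),
           clock_skew=timedelta(minutes=5)):
    """Return "pass", "fail" (bad or missing signature) or "stale" (too old).

    `now` is passed in explicitly so the freshness rule is testable; a server
    would pass datetime.now(timezone.utc).
    """
    expected = sign(key, headers, body)
    if not hmac.compare_digest(expected, signature):
        return "fail"
    h = {k.lower(): v for k, v in headers.items()}
    try:
        sent = parsedate_to_datetime(h.get("date", ""))
    except (TypeError, ValueError):
        return "fail"                       # unparseable Date is not acceptable
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)
    age = now - sent
    if age > max_age or age < -clock_skew:
        return "stale"
    return "pass"


# Constructed demo key and message (not real credentials or traffic).
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
DEMO_HEADERS = {
    "From": "alice@example.org",
    "To": "bob@example.net",
    "Date": "Mon, 29 Dec 2003 10:00:00 +0000",
}
DEMO_BODY = "Meeting moved to 3pm.\n"


def demo():
    """Sign once, then verify the original, a re-addressed copy and a late copy."""
    sig = sign(DEMO_KEY, DEMO_HEADERS, DEMO_BODY)
    shortly_after = datetime(2003, 12, 29, 12, 0, tzinfo=timezone.utc)
    months_later = datetime(2004, 3, 1, tzinfo=timezone.utc)
    readdressed = dict(DEMO_HEADERS, To="carol@example.net")
    return {
        "original": verify(DEMO_KEY, DEMO_HEADERS, DEMO_BODY, sig, shortly_after),
        "readdressed": verify(DEMO_KEY, readdressed, DEMO_BODY, sig, shortly_after),
        "late": verify(DEMO_KEY, DEMO_HEADERS, DEMO_BODY, sig, months_later),
    }
```

    `demo()` returns pass for the original, fail for the copy whose To: was rewritten, and stale for the copy presented months later. The freshness window and skew allowance are policy knobs; the point of the comment is that once recipients and date are inside the signed content, the only replay left is the same message to the same recipient within that window.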

  10. Re:Piracy on PC RPGs - Time To Man The Lifeboats? · · Score: 1

    And do more than 50% of the PC game players you know use pirated software?

  11. Re:it's not East vs West on PC RPGs - Time To Man The Lifeboats? · · Score: 1

    I'm sure that this doesn't appeal to most folks -- there are far fewer graphics and sound effects than mainstream commercial, but the Mac has enjoyed some of the best independently-produced open-ended RPGs in existence, thanks to the prolific efforts of Jeff Vogel at Spiderweb Software. He writes all the game text himself, in addition to doing the coding and game design. I doubt this post will convert many folks that haven't already played Spiderweb games, but particularly among Mac gamers, Vogel games (the Exile, Avernum, Nethergate, and Geneforge series) enjoy a pretty large list of fans.

    There's a quite distinctive dry humor in his writing, and at least one of his games, Exile 3, has been ported to Linux. I was never too impressed with the porting company's work, but kudos to Jeff for going for the port anyway.

  12. Re:Piracy on PC RPGs - Time To Man The Lifeboats? · · Score: 2, Interesting

    Sure -- and you're absolutely right, I should correct what I said. If fewer sales were lost due to piracy, publishers might be more interested in PC releases. :-) There's also some degree of correlation. There's a potential market of some size. Some portion of the people pirating a given game would have purchased that game had they not pirated the game, and some portion of those people would have not purchased that game had they not pirated the game.

    The problem for publishers is that the first group is non-zero in magnitude, and based on things like Ambrosia Software's study of piracy, one notices that sales are much, much better when software can't be easily bypassed. (And Ambrosia had an *extremely* positive situation, where they had few competitors, a good deal of loyalty, a generally affluent market...)

    Take Counterstrike. Counterstrike *was* popular. Very popular. However, a major reason it sold well is that it used a proxied auth method. Yes, you could crack it and play only on cracked servers, or play single-player-only, but it was enough of an impediment that an awful lot of folks just handed over the money to Valve -- it wasn't worth their time or effort.

    Note that this is also a factor in the surprising success of MMORPGs. Sure, folks play MMORPGs, but not *that* huge a chunk of the gaming world. More than currently play MUDs, perhaps, but I'd be very surprised (based on the folks I know) if the number of folks playing, say, Everquest even begins to approach the number of folks that played Quake. However, since it's difficult and unpleasant to bypass Everquest protection (one might manage it, I suppose, through credit card fraud and having one character "help out" other new characters), Everquest enjoys a much larger purchasing rate.

    This is not a post coming from someone who's trying to argue against piracy on some kind of ethical grounds or adopt a holier-than-thou attitude. I've probably cracked more software than most people use on their computers (though I don't distribute my cracks), and have certainly pirated software myself. However, I do want to point out that piracy certainly does have a decidedly negative impact -- many folks don't realize quite how much -- on software publishers, which ends up in fewer games getting funded.

    There are a few times that piracy can be beneficial. In the case of Quake, multiplayer had a network effect, increasing value of the game. It's likely that id actually gained sales due to widespread piracy, though obviously nobody can say for sure. There were lots of good players out there playing it and producing more material for it, increasing the game's value. However, the same does not apply very well to PC RPGs. Due to the nature of the games, these are generally played by single players, and generally aren't particularly player-moddable. They receive little sales benefit from being spread around. Furthermore, I would like to point out that attention span for games tends to shorten when one gets into adult years. Many hours of gameplay is less of a big deal if you aren't trying to maximize bang for your buck. If you're a kid, dropping $40 and getting a game that you beat in two days is disappointing. An adult with a job has fewer worries about costs, and more interest in maximizing the enjoyment they get in their free time. I would venture to guess that RPGs, as a genre, are probably more likely played by a group of folks who have a lower median income than the group that plays, say, Max Payne 2, and hence has a greater financial incentive to pirate a given game.

    When one adds this to the fact that RPGs do not sell particularly well in the comparatively PC-centric United States, and *do* sell well in the comparatively console-centric Japan, and the fact that most modern RPGs require a *lot* of expensive content creation to produce, you have some compelling answers to the question of why there aren't a lot of PC-based RPGs released.

  13. Re:Piracy on PC RPGs - Time To Man The Lifeboats? · · Score: 1

    I said "as heavily pirated", not "not pirated".

    The ratio of pirated to legitimate console games is a lot lower than the ratio of pirated to legitimate PC games.

  14. Re:Why you ask? on NASA Scientists Get Custom 24h39m-per-day Watches · · Score: 1

    I'll tell you why they got mechanical watches and didn't hack up a Linux watch:

    Because mechanical watches are traditionally expensive and hence a status symbol.

    Generally speaking digital watches are fugly. There's no Movado Digital Watch for a reason.

    I suppose I spend time with the wrong crowd. I wouldn't think twice about wearing my watch -- my one, ordinary, beat-it-up-until-it-dies-and-get-another digital watch -- anywhere. Heck, I've never even heard of a Movado.

    2. Commitment. This watch will ALWAYS run ~24h39m.

    Okay, now that's silly. A digital watch could do the same.

    You can give it to your grandkids.

    The reason watches are heirlooms at all is because they used to be phenomenally expensive to make. It took a huge amount of human labor to produce a mechanical watch. Now, you can have a machine churn them out, or an even more accurate entirely solid-state digital watch.

    Your crap-ass programmable digital watch won't make it that far.

    Well, it probably won't, because I tend to beat the bajeezus out of watches from smacking them into things. However, I don't really see any reason that it *couldn't* last that long.

  15. Piracy on PC RPGs - Time To Man The Lifeboats? · · Score: 0, Flamebait

    If PC games weren't as heavily pirated, publishers might be more interested in the PC.

  16. Novell isn't hurting us on Novell Offers Linux Users Legal Indemnity · · Score: 2, Insightful

    Look, there are two categories of companies. Those that think that SCO is completely full of it (and I suspect that Novell is among this group) and those that think that there is some actual chance that SCO might be right.

    The first group of companies doesn't give a damn about Novell's indemnification, and will happily use whatever Linux distro they want.

    The second group of companies has been avoiding Linux because they're unsure. As it happens, they're probably just uninformed, but Novell will happily take their money and welcome them to the Linux fold. That means more Linux users, which is probably a good thing.

  17. Re:Are you people happy with nothing? on Novell Offers Linux Users Legal Indemnity · · Score: 1

    Because you aren't liable for infringing on the Swallowzak's copyright. Spitzak is.

    Now, technically, you can sue for anything. You can make ridiculous claims. I can sue you for damaging my property by rolling a giant tomato into my house. But judges can also throw ridiculous claims out.

    Now, on the other hand, you *would* lose the right to use the software, and would have to stop using it. However, Novell isn't offering a guarantee that would fix this issue -- just the first.

  18. Re:Red Hat on Microsoft Extends Win98/SE Support · · Score: 1

    Well, let's see.

    With Windows, I get free service packs for a couple of years. These include bug fixes, and relatively minor new features.

    With Red Hat Linux, I get the distribution free (unless I want pressed CDs and a nice manual). I also get future updates free. My computer is Red Hat Linux 5.2. With free updates (Microsoft calls them "Service Packs") to RHL 6.0, RHL 6.1, RHL 6.2, RHL 7.0, RHL 7.1, RHL 7.2, RHL 7.3, RHL 8.0, RHL 9, and Fedora Core 1. I'm expecting to get my free update to Fedora Core 2 shortly. Of course, you could say that I pay for this -- I help mirror the CD image using my broadband connection. I also submit patches to a number of open source projects. However, my experience using Red Hat's products is far more pleasant than with Microsoft's products.

  19. Re:OEM support in other industries. on Microsoft Extends Win98/SE Support · · Score: 1

    Important difference that you may be ignoring -- you probably spent, oh, I don't know, $25k on the car as that lump sum. You spent $100 on the piece of software. It's a lot easier to be able to include support fees in $25k than in $100.

  20. Re:One story per week on this is enough on Lego Goes Back to the Basics: Building Blocks · · Score: 1

    Believe it or not there are people on this site who care about Lego but don't want the site stuffed full of information about Lego's latest business plans. This is not "Slashdot-News only about Lego. Stuff that only matters to Lego shareholders".

    Given the number of people criticizing Lego's first move, and happy about the fact that Lego is going "back to basics", I would say that this thread is, in fact, worthwhile.

    Look at the comment count -- it's up there, higher than a typical story. People are clearly interested in it.

  21. Re:Call me blasphemous, perhaps on Lego Goes Back to the Basics: Building Blocks · · Score: 1

    Actually, assuming friction isn't too much of an issue, the things could be geared down to spin an 18 foot blade. Then you not only have a tip zipping around at some ungodly speed, but a hell of a lot of inertia trying to keep it going that way, finger in the way or not.

  22. Re:what about the girls? on Lego Goes Back to the Basics: Building Blocks · · Score: 1

    Speaking of Babbage, Lady Ada, the mother of all of us programmers, wasn't exactly averse to engineering.

  23. The myth of gender neutrality on Lego Goes Back to the Basics: Building Blocks · · Score: 2, Interesting

    The reason your sons migrate to "boy" toys and your daughter migrates to "girl" toys is most likely because of the advertising of the toys, how they're perceived in society, and the role they play in social interaction.

    At *less than two*? No, I don't buy it. I agree that social things in school have a phenomenal impact on how girls and guys interact, but before that...no.

    Perhaps. Of course, this rhetoric is also fairly recent feminist stuff, probably around the 1700s or so or later.

    There *are* plausible biological justifications for girls and guys being different at mental levels. Almost anyone says "awww...cute" when looking at a baby. I cannot believe that this is entirely propagated via memes through society. The same thing is true of sexual attractiveness -- there clearly is a possibility for genes to pattern-match and attach to mental thought fairly high-level concepts.

    Now, that being said, women get pregnant. It's damned hard to run and hunt, say, a deer if you're pregnant. I'm not a woman, but I'd also suspect that it's a bit of a pain to be running when one has breasts heavy from lactating. Plus, a mother needs to be around to feed a kid milk for his infancy. This means that it's not exactly unreasonable to expect women to evolve traits beneficial to being around babies. Since there's clearly a benefit to having *someone* able to run out and get meat, and the only free person in a two-person-pairing is the male, it makes sense to expect men to evolve traits beneficial to hunting (and perhaps even to making war). Hunting can involve being away from a baby for a long time, and at least later forms of war, the same. There are clearly physical differences -- men are decidedly larger and more muscular.

    Now, that doesn't mean that there isn't a positive feedback loop, where someone might be *slightly* inclined towards some set of interests and society tends to shove him (or her) faster and faster down a path. That doesn't mean that a girl must inevitably have "girlish" interests or a guy must have "guy" interests. However, it *does* mean that it's quite reasonable to treat claims that roles and interests derive *entirely* from society with skepticism.

  24. Re:I'm 30, in my office, and... on Lego Goes Back to the Basics: Building Blocks · · Score: 1

    Houses (well, properly cared for) are pretty tough. I suppose you could burn one down, and might manage to flood one badly enough that it has to be destroyed, but the house-building industry is always there, always making money...

  25. Re:I don't get the Slashdot fascination with Legos on Lego Goes Back to the Basics: Building Blocks · · Score: 1

    Seriously, come on. Get some circuit boards, some metal, and an arc welder. You're ADULTS now.

    Couldn't resist an ad hominem -- you sound *exactly* like the kids I remember trying to prove themselves superior in middle school by insulting others. Ah, yes, criticizing the shoe choices of others.

    I don't happen to have Legos around at the moment, and open source projects tend to eat free time these days. However, they really are neat -- they let you construct all sorts of interesting things very quickly. Sure, you can't make very tough, heavy things. However, you can't make tough, heavy things out of glass either, and glass sculpting is hardly a child's task. Industrial modularization and improvements in interchangeability have been going on for centuries -- "adult" things are mirroring Legos *more*, not less.

    Building things with Legos is certainly a better use of your free time than drinking beer in front of CNN or playing a video game.