While older versions of Real's media players (RealPlayer 8, older RealOne players, RealJukebox) were notorious for nagging you with content you didn't want, tracking your usage information, and making it hard to disable the above "features", the latest incarnation of RealOne Player is actually...
<are you sitting down?>
...much politer and less slimy than previous versions!
Well, OK, maybe not right out of the box. But at least you don't have to resort to modifying registry entries, deleting executable helper apps, or deciphering ambiguously-worded menu items to make it behave.
This sounds like a good thing, but I heard that they're going to replace the regular buttons with chiclet buttons, and you'll have to attach bulky sidecars to it if you want any kind of expansion capability. Plus the headphones will only communicate with the main unit via a poorly designed IR port.
On the plus side, I heard they'll have some great games for it, like "Jumpman", "Zyll" and "King's Quest" by some company called "Sierra On-Line".
It's interesting that Verizon won more or less on a single point. ISPs who discover that people are storing pirated content on their (the ISP's) servers can avoid getting in trouble by "respond[ing] expeditiously to remove, or disable access to, the material that is claimed to be infringing." That part of the law hasn't changed.
However, Verizon successfully argued that the responsibility to "remove or disable access to the material" does not apply to ISPs that do not store the data, but instead act as mere conduits through which the pirated files travel. And that's exactly what's going on in the case of P2P file sharing - the illegal file is stored on the pirate's computer, not the ISP's servers.
Verizon argued that under the DMCA, in order for a subpoena to be valid, it has to contain information about infringing material "to be removed or access to which is to be disabled". Verizon argued that it can't remove the material or disable access to it. And since that requirement for issuing a subpoena cannot be met, the subpoena process does not apply to Verizon. The court agreed.
The RIAA unsuccessfully argued that Verizon could remove access to the infringing material by simply cutting off access to the pirate, but the judge disagreed that that's what the DMCA was talking about when it uses the phrase "disable access".
From the ruling...
No matter what information the copyright owner may provide, the ISP can neither "remove" nor "disable access to" the infringing material because that material is not stored on the ISP's servers. Verizon can not remove or disable one user's access to infringing material resident on another user's computer because Verizon does not control the content on its subscribers' computers.
The ruling concludes with some sympathy by the judges for what the RIAA is trying to do, but a refusal to extend the DMCA to technology like P2P that didn't even exist when the DMCA was written. The court said that if the RIAA wants to subpoena ISPs for information about P2P file traders, it will need to get that additional authority from Congress. A good demonstration of judicial restraint, IMHO.
Ok, that's it. I will award my mod points to the next insightful comment on any topic that uses the phrase "pot calling the kettle black" without resorting to cutesiness like "Pot, this is kettle - just thought I'd give you a call!"
(Fine, mod me down, offtopic, whatever; I'm just tired of oh-so-clever phrases that... well, aren't.)
> If they're going to do it right, they should allow entire domains to be added to the list.
As nice as that might be, it would put the bill on very shaky legal ground. Who has the right to put, say, earthlink.net on the do-not-spam list? What if some of Earthlink's customers want to get spam? They won't be able to, because Earthlink Corp. will have decided that none of their customers are allowed to receive spam. In fact that's why most ISPs (including the one I work for) only *tag* suspected spam, instead of deleting it. Unilaterally deciding that a customer isn't going to get a certain type of e-mail makes the lawyers nervous, and rightly so. Ditto for if we put our entire domain onto the Do-Not-Spam list.
> I think I've shown that an encrypted Do-Not-Spam list is just as useful as an unencrypted one.
Actually, you've shown that with a bit of work, you can write a program that will generate a list of common dictionary words mapped to common domain names and run it against the Do-Not-Spam list. That's great. Now let's go a step further - after all, you won't find the word "fred" in a dictionary. So we'll have to add a list of common first names (maybe English-only, maybe not).
Next, you'll have to deal with double names like "PeggySue@example.com". Or is that "peggy_sue@example.com"? Or maybe "peggysue@example.com"? (after all, upper- and lower-case variations on a name will produce a different hash). Could even be Peggy-Sue@example.com, or Peggy.Sue@example.com. Or maybe PSue@example.com. Or something like my address: g_adams27@example.com.
Maybe we'd better generate all possible addresses. Let's just pretend all e-mail addresses are 10 characters long (ignoring for the moment the countless millions of other addresses of different lengths). And let's assume they can contain any of the characters A-Z, a-z, 0-9, underscore, dash, and period. That's 65 characters.
So we have 65^10 = 1,346,274,334,462,890,625 possible combinations of 10-character e-mail addresses to try.
> I handle 450,000,000,000 combinations in less than 3 days.
Now you're up to 8,975,162 days. And that's just for the "name" part of the address. Don't forget to multiply that by the number of domains you're trying.
Or you could try a shortcut and assume that an e-mail address will be based on the person's name. So you'll want to generate as many possible email addresses from, say "George Adams" as you can. You'll need to try all possible combinations of every common first name with every common last name (GeorgeAdams, georgeadams, George.Adams, George-Adams, George_Adams, g_adams, george_a), and don't forget to tack on digits at the end of each combo you come up with.
And while you're considering whether it's worth the effort, keep in mind that you can buy a CD of "millions of e-mail addresses!" from countless other spammers. Sure, a lot of them will be junk, but the ratio of valid-addresses to amount-of-work is much higher with the CD.
And don't forget what I said earlier - a brute-force decrypted FTC list will give you a list of the least desirable people to market to. Not much of a Holy Grail for spammers.
> Or they can use the match as confirmation that the address is valid.
Perhaps, but if you're an evil spammer and you have g_adams27@example.com on your spam list already, chances are you're just going to fire off an email anyway and let the dead ones bounce, rather than go to the work of verifying it.
> Ever hear of a dictionary attack?
> Now how many email addresses do you think are random strings of characters, and how many do you think are names or words, possibly with a number or two at the end?
Probably a lot. Now let me try a thought-experiment of my own:
Let's say I'm an evil spammer and I want to create an evil spamming list out of the FTC's list (of, let's just say, 1,000,000 encrypted addresses). So I decide I'm going to brute force attack it.
I'll need a list of common words to attack with. My /usr/dict/words has about 45,000 words in it, so I'll use that. Now I need a list of common domains to add to the end of each list (msn.com, yahoo.com, hotmail.com, earthlink.net). Let's just say I pick the 10 top domains. So now I have 45000*10 = 450,000 made-up addresses that I want to try to verify by brute-force attacking the FTC's list.
Now all I have to do is encrypt each of my 450,000 made-up addresses. Once I've done that, all I need to do is compare each of those 450,000 addresses to the FTC's 1,000,000 addresses and look for a match. That's 450,000,000,000 different combinations that I'm going to have to try.
Might want to get a pizza or something while you wait... and wait... and wait.
Sure, you can do some other things to optimize it (maybe take your encrypted list and the FTC's list and do some diff(1) tricks with it)... but the bottom line is, it's gonna be a whole lot harder for spammers to get any usable info from an encrypted FTC Do-Not-Spam list than it will be to either just 1) buy a list from another spammer or 2) just make stuff up and fire e-mail messages to your list scatter-shot fashion, ignoring any bounced messages.
Add to that the further disincentive that spending countless hours decrypting the FTC list would give you a list of people least likely to buy your product... and you can see why I still don't think spammers will gain any advantage from having an encrypted Do-Not-Spam list.
> Putting your address will give foreign spammers a list of lots of active US email addresses.
It doesn't have to. Consider the Unix/Linux password system. When your account is created, your password is encrypted and stored in /etc/shadow. When you login, the password you enter is encrypted and compared with the password stored on disk. If they match, then the system knows you typed in the right password and lets you in. At no point does your stored password have to be decrypted.
Applying that concept to the FTC's Do-Not-Spam list is left as (an easy) exercise for the reader. (hint: it should be obvious that the spammer need never decrypt the Do-Not-Spam list in order to be able to use it.)
> Also what about security for these Don't-emails-lists (if they are created)?
> what are they going to do, give the spammer a list of email address he shouldn't email?
> yeah right. I bet the spammers would support this bill.
That part's easy enough to handle. The FTC takes their list of addresses and encrypts it using a one-way hash, of which there are many good choices. Then it gives the encrypted list to the spammer, who then takes each of his addresses, encrypts it with the same hash, and compares it to the list to see if that encrypted address is on the list. If it is, then that's a match and the spammer must remove that address from their spam-list. The spammer never needs to see the plaintext list.
You know, just like any Unix/Linux password encryption scheme?
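As an added illustration of the hashed-list scheme described in the comments above, and of the dictionary guessing the other poster raises, here is example code that is not from any of the posters. It assumes SHA-256 as the one-way hash (the thread names none), a set for the published list, and constructed sample addresses:

```python
import hashlib
import itertools


# The thread names no specific algorithm; SHA-256 is an assumption here.
def hash_address(address: str) -> str:
    return hashlib.sha256(address.encode("utf-8")).hexdigest()


def build_hashed_list(addresses):
    """The FTC side: publish only the hashes of registered addresses."""
    return {hash_address(a) for a in addresses}


def scrub(mailing_list, hashed_list):
    """The sender side: hash each own address and drop it if listed.

    Returns (kept, removed). The published list is never decrypted; with a
    set, each address costs one hash plus one membership test.
    """
    kept, removed = [], []
    for addr in mailing_list:
        (removed if hash_address(addr) in hashed_list else kept).append(addr)
    return kept, removed


def dictionary_guess(words, domains, hashed_list):
    """The weakness debated above: guess word@domain, hash, compare.

    Only the exact string matches, so 'PeggySue@...' and 'peggysue@...'
    hash differently; every case/punctuation variant is a separate guess.
    """
    hits = []
    for word, domain in itertools.product(words, domains):
        guess = f"{word}@{domain}"
        if hash_address(guess) in hashed_list:
            hits.append(guess)
    return hits


def brute_force_days(alphabet_size=65, length=10,
                     combos_per_run=450_000_000_000, days_per_run=3):
    """The thread's arithmetic: 65^10 candidates at 450e9 per 3 days.

    Returns (candidate_count, days_needed).
    """
    candidates = alphabet_size ** length
    per_day = combos_per_run / days_per_run
    return candidates, candidates / per_day


# Constructed sample data; these are not real registrations.
REGISTERED = ["fred@example.com", "g_adams27@example.com", "PeggySue@example.com"]
SPAMMER_LIST = ["fred@example.com", "bob@example.org", "peggysue@example.com"]

if __name__ == "__main__":
    published = build_hashed_list(REGISTERED)
    kept, removed = scrub(SPAMMER_LIST, published)
    print("removed:", removed)   # only the exact match is scrubbed
    print("kept:", kept)         # the case-variant peggysue@... slips through
    words = ["alice", "bob", "fred", "peggysue", "peggy_sue"]
    print("dictionary hits:",
          dictionary_guess(words, ["example.com", "example.org"], published))
    n, days = brute_force_days()
    print(f"{n:,} candidates, about {days:,.0f} days")
```

The mismatch on the case variant is the practical catch for such a list: both sides would have to agree on a canonical form (for example lowercasing) before hashing, or registrations silently fail to match.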
> But isn't this really indicative of a societal problem? You have grown up in a culture that has ingrained
> upon you that there are no consequences to your actions, and as a result, you prefer games that reflect this.
I don't think so - I mean, I was in my early teens and mom/dad certainly made sure I was painfully aware of the consequences when I did something wrong in real life. I think it was more an issue of deciding, "do I want to play a game that includes at least one way of dying on every screen, or a game where you're encouraged to try even the craziest possible solutions, without fear of dying for no good reason."
You could have a middle ground, and I think later games (even Sierra games) finally found it - kill players for doing something really dumb or ignoring an obvious bit of information they should have noticed earlier, but don't kill/penalize them just for climbing a tree, walking too far off the "edge" of the world (desert, swamp, etc.), or picking up a piece of glass. ("OUCH! That glass was sharp! Roger Wilco has bled to death!")
> I remember games like Starflight, where there was no "Save As"; you had to copy the entire game
> to another directory if you wanted to branch off and try something. Now THAT was a hardcore game.
Oh man, you ain't kidding! I'd like to think that they would have had a different save-game method if our computers had had, say, hard drives back then. (I'm sure my two 5.25" SF1 Saved Game discs are still somewhere in my parents' attic :-) ) But yes, it did make you very hesitant to do anything too wild and crazy (or to put it less pejoratively, anything too exotic and adventuresome). That was a good thing sometimes, but it could make you overly cautious too.
I remember the exact scene the author describes, with Guybrush Threepwood falling off a cliff, the dreaded "YOU HAVE DIED! Restore/Restart/Quit?" box appearing briefly, only to disappear as Guybrush boooiiings back onto the cliff ("Rubber Tree"). And even though I was only 14 or so, I knew exactly what it was - a satire of Sierra On-Line's games.
I know exactly when I started hating the programmers at Sierra On-Line. It was Space Quest 2. You crash onto a planet and begin looking around for a way to escape. Only problem is that every single thing on that planet is trying to kill you. Let's see, I think I'll walk over here... oops! Didn't see those faint dotted lines that marked a trap door over a spike pit! Here's a maze of vines I have to carefully maneuver, pixel by pixel with the keyboard arrows... whooops! I touched a vine, and now the plant is eating me! Hmmmmm, I wonder if I should take some of these berries to eat. Nope! I guess my convulsing, and now dead body indicates I shouldn't have!
But here's the worst puzzle on that planet - every single tree is too slippery to climb except for one which has a slightly different description, indicating you can probably climb it. So you type "climb tree" and guess what? Roger Wilco gets his hands and feet stuck on the tree, critters descend from the tree limbs, and eat him.
GAAAAHHHHHHH!! Not only did Sierra On-line games kill you for making a wrong move - they killed you for doing something entirely logical! End result? You creep through the game with a trembling hand, expecting death at every step, stabbing the "Save" key every 30 seconds or so.
LucasArts was a breath of fresh air. In "The Secret of Monkey Island" there was only one way to die. One! You had to be foolish enough to stay underwater for more than twenty minutes. And in "Monkey Island 2" you couldn't die at all!
And even better, you couldn't do anything in either game to permanently ruin your chances of winning. What's that, you forgot to read the combination at the beginning of the game in Space Quest? Too bad for you, when you need it 10 hours later! Hope you saved that game! But what's that, you insulted Governor Elaine Marley so much that she threw you out of her room in the mansion of "Monkey Island 2"? No problem! Go back in and she'll sigh and give you another chance! Try all the funny conversation choices! It's OK, you can always do the right thing later!
Of course certain LucasArts games had elements of risk (you could kill Indy in "Indiana Jones and the Last Crusade" if you weren't a good fighter), but for the most part their philosophy was "Explore - solve - have fun! Don't worry about trying different things - you can't mess anything up permanently."
Which, IMHO, made for a much more fun adventuring experience than wondering if you'll die the very second you step onto the next screen because you wandered out into the desert one screen too far. Thank you so much, Sierra On-Line.
Another problem, IMHO, is that there are no great "edutainment" games anymore that can help pique interest in programming in younger children. I'm a professional programmer today and I trace a good part of my interest in programming back to the excellent Rocky's Boots and Robot Odyssey games, in which you build machines and circuits out of AND, OR, XOR, and NOT gates (and other components) to solve problems. They were truly fantastic games.
Sure, I can fire up an Apple II emulator and give those games to my kids today, but can blocky graphics and minimal sounds really sustain their interest in this day and age? And yet there's nothing equivalent to those games today... at least not that I know of.
> The email you sent to Sen. Starr (and I hope all of the committee
> members) helped to stop this dangerous legislation. Good job!
Wow! I guess maybe one guy writing his congressman can make a difference! I'm glad that there are some sponsors of bills like this who don't support super-DMCA-type bills because they're eeeeeeeeevil, but because they simply don't recognize the consequences of their legislation and are willing to change when they realize what they're actually sponsoring. I'm also glad this senator apparently had a legislative aide with some sense to oppose the bill!
Barebones laptop without a display? (on "Barebones Notebook"; Score: 5, Funny)
I'm all for bare-bones, but I at least want all the bones!
Could it possibly be that maybe the RIAA has over-extended themselves this time? Up till now, they've mostly gone after individuals and small, poor companies. And geeks on their own haven't had much success in getting DMCA-restricting laws passed. DMCA abuses have probably been largely under-the-radar for most congressmen, and for those who have noticed them, there's probably been plenty of RIAA lobbyists (and cash!) to convince them that these really aren't abuses.
But now, with this one-two punch aimed at ISPs (see http://yro.slashdot.org/article.pl?sid=03/01/18/2116255&mode=thread&tid=141) they've started annoying the big boys - corporations with real money. No ISP in their right mind wants to have to give up their user's personal info without a fight - it makes them look bad and generates a lot of bad will with their customers.
So might it be that Verizon, AT&T, BellSouth, Earthlink, etc. will start some counter-lobbying on the Hill to get the DMCA limited? Sure, they're not really doing it for the best reasons... but you know what they say about "the enemy of my enemy."
> This is not a "huge legal win" by any stretch of the word
I disagree. Take another look at the last paragraph of the article:
The judge told jurors...[that] merely offering a product that could violate copyrights was not enough to warrant a conviction
That's a huge statement! One of the big, big sticks wielded by the RIAA/MPAA and others against software makers is that they can be held liable if their programs merely have the capability of being used to violate copyrights, even if the programmer had the best of intentions and never intended that it be used for that purpose. This guidance from the judge significantly reduces the ability of RIAA/MPAA to swing that stick.
It's made by the same guys who made those lovely clicking IBM keyboards, and one of their models is (apparently) designed to give you a similar tactile feel but with less noise. (IIRC from my e-mails to/from one of their sales guys a few years back, they accomplished it by putting a noise-dampening shim into the spring).
Bret, you use the word "vigilante" so much when talking about blackhole list operators, but I really don't see much difference between those groups maintaining lists of people with open relays and, say, other groups like Cybersitter maintaining lists of offensive sites.
Both groups maintain lists that are optional for subscribers. Are you willing to trust Cybersitter's judgement in what is offensive or not? Fine, buy their software and use it. Want to tweak the definition of what's "offensive"? Cybersitter lets you do that too. The most important word here is "optional" - you don't have to use Cybersitter if you don't agree that their list is fair, accurate, or otherwise useful.
Similarly, you and/or your ISP don't have to subscribe to blackhole lists if you/they don't want. You ask what would happen if someone (say, the Chinese government) starts making a blackhole list of sites that deal with something they consider offensive? (say, western media, Falun Gong, etc.) The answer is that you and most ISPs probably won't subscribe to such a list. They can blackhole as many sites as they want... but most of the world won't care, or even notice.
Open-relay blackhole lists thrive not because "vigilantes" are cramming their brand of justice down our throat, but because enough people agree with their philosophies that they're freely willing to make use of the product they're offering.
Both groups contain ways to get off the list. Was your site mistakenly identified by CyberSitter or some other filter software? Most of them have ways to get in touch with the list maintainers and have your site re-evaluated. Similarly, most blackhole list operators feature prominent instructions on how to get yourself removed from their list.
You didn't mention the rest of the story in your New Architect followup, but what happened after you updated your mail software? Did you contact the blackhole list operator again? Did they test your server again and find it secure? Did they remove you from their list?
If not, then you may still have a legitimate complaint. But if they did, then I think the system worked the way it was supposed to.
You said that your "software and your definition are now upgraded". The opportunity for you to upgrade both your software and your understanding of what an open relay is have been around for a very long time now. I think that by running your own mail server, you raise yourself to a higher level of Internet citizen. No longer just a casual web user, you have to take the responsibility of maintaining your server, keeping up with security patches and issues, and just generally being a good Net citizen. Blackhole lists are something of a last resort for people who won't/can't take care of the problem in any other way. Now that you've solved the problem and your site has emerged from the blackhole, I would take it as a lesson learned and go on from there - not spend 1/3 of a magazine column trying to figure out what the best way to sue a Danish company is.
P.S. Here's a quick, automated way for anyone to check and see if their mail server is an open relay:
As others have pointed out, the author not only had an out-of-date definition of "open relay" - he also had a very out-of-date mail server. His short reply appears in the latest issue of New Architect, underneath all the letters that point out the inaccuracies of his article. He says:
When it comes to mail administration, it appears I've been several years behind the curve. My mail server software, circa 1996, was purring along quietly, so I never upgraded it to a version capable of a higher degree of authentication. I'm also old enough to remember when an "open relay" was a relay intentionally left open, not one merely susceptible to misuse. Thanks to all of the readers who wrote to bring me into the new millennium. Both my software and my definition are now upgraded.
At the same time, I labeled the blackhole list operators "vigilantes" for good reason. It was always my understanding that if you lie about your identity to gain access to something that would be closed to you if you told the truth, you've done something wrong. That's true whether you intend to send spam or prevent it. As vile as spam is, the ends don't justify the means. Regardless of whether my mail server used to be "open" or not, I stand by my analysis that placed legal responsibility on the blackhole operators who forged their identity.
(emphasis mine)
I still think the author is confused. Yes, it's possible he might be able to make a legal case that they're blacklisting him because his server is an unintentional open relay, but just because he doesn't know it's easily-exploited doesn't mean he doesn't have to take some responsibility. Consider this fable:
Homeowner: Why have you put my phone number on a list of unsecured phones!?!?
Locksmith: Well, there's a criminal running around in the neighborhood - he's sneaking into open houses and using their phones to make obscene phone calls. We can't stop him, so some of us in the neighborhood are trying to make a list of all the phones in houses that aren't protected, so people can avoid receiving calls from those phones if they want.
Homeowner: But that's not fair! And you're wrong, too! My house is always locked.
Locksmith: Well, it is a voluntary list - people don't have to block incoming calls from phones on the list if they don't want. But I'll take a look at your house anyway, to see if it's secure. If it is, I'll take your number off the list.
Homeowner: See!? The door is locked tight. No robbers are getting into my house!
Locksmith: Uh... how old is this front door?
Homeowner: Well, it was probably installed in the 1920's or so.
Locksmith: Oh, well that's the problem. See, old door latches like this can be pretty easily opened... like this. See how I can just slide a credit card here and the latch pops open? Now modern doors don't have this problem - the latches have a locking mechanism that...
Homeowner: You swine!
Locksmith: Pardon?
Homeowner: You filthy crook! I can't believe you just trespassed on my house like that!
Locksmith: Uh... but, I was just showing you how a criminal could...
Homeowner: What kind of vigilante justice are you running here? Breaking into my house and blaming me for the problem! And blocking my phone calls as well! You'll be hearing from me soon - I'm filing a lawsuit this week!
p.s.
Star Wars III: An Old Hope
Even better, a senior RealNetworks engineer has taken the time to provide a step-by-step guide detailing how to turn of all the annoying RealOne features!
> This is unworkable
Please see my previous posting on why this is actually very workable.
There's no reason you can't give a spammer an encrypted list of addresses. All they have to do is take one of their addresses, encrypt it, and compare the encrypted address with each address on the Do-Not-Spam list. If they match, then the address must be removed.
No decryption of the Do-Not-Spam list required.
It doesn't have to. Consider the Unix/Linux password system. When your account is created, your password is encrypted and stored in /etc/shadow. When you login, the password you enter is encrypted and compared with the password stored on disk. If they match, then the system knows you typed in the right password and lets you in. At no point does your stored password have to be decrypted.
Applying that concept to the FTC's Do-Not-Spam list is left as (an easy) exercise for the reader. (hint: it should be obvious that the spammer need never decrypt the Do-Not-Spam list in order to be able to use it.)
> what are they going to do give the spammer a list of email address he shouldn't email?
> yeah right. I bet the spammers would support this bill.
That part's easy enough to handle. The FTC takes their list of addresses and encrypts it using a one-way hash, of which there are many good choices. Then it gives the encrypted list to the spammer, who then takes each of his addresses, encrypts it with the same hash, and compares it to the list to see if that encrypted address is on the list. If it is, then that's a match and the spammer must remove that address from their spam-list. The spammer never needs to see the plaintext list.
You know, just like any Unix/Linux password encryption scheme?
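The hashed-list scheme described in the two posts above (hash the registry, hand out only the hashes, have the sender hash its own addresses and test for membership), written out as an added example; this is illustrative code, not anything from the FTC or from the posts, and the registry and mailing-list addresses in it are constructed sample data. SHA-256 stands in for whatever one-way hash would actually be chosen.

```python
import hashlib

# Constructed sample data (not from the page): the registry as the FTC would hold it,
# and a sender's own mailing list that has to be scrubbed against it.
DO_NOT_SPAM_PLAINTEXT = ["alice@example.com", "Bob@Example.org", "carol@example.net"]
MAILING_LIST = ["bob@example.org", "dave@example.com", "carol@example.net"]


def normalize(addr):
    # A hash is an exact-match test: "Bob@Example.org" and "bob@example.org" hash to
    # unrelated values, so both sides must canonicalize identically before hashing.
    return addr.strip().lower()


def digest(addr):
    # One-way hash of the canonical address; SHA-256 is an assumption here.
    return hashlib.sha256(normalize(addr).encode("utf-8")).hexdigest()


def publish_registry(plaintext_addresses):
    # Registry side: what gets handed out is a set of hashes, no plaintext at all.
    return {digest(a) for a in plaintext_addresses}


def scrub(mailing_list, registry):
    # Sender side: hash each own address and drop it if the hash is in the registry.
    # Membership is a set lookup, so the cost is one hash per address on the
    # sender's list, independent of the registry size.
    kept, removed = [], []
    for addr in mailing_list:
        (removed if digest(addr) in registry else kept).append(addr)
    return kept, removed


if __name__ == "__main__":
    registry = publish_registry(DO_NOT_SPAM_PLAINTEXT)
    kept, removed = scrub(MAILING_LIST, registry)
    print("removed (on the do-not-spam list):", removed)
    print("kept:", kept)
```

The registry never leaves the publisher in plaintext, and nothing on the sender's side decrypts anything; the case difference between "Bob@Example.org" and "bob@example.org" is why the normalization step is not optional. Because the hash is unkeyed, the same membership test also works for any address someone merely guesses, which is the trade-off the earlier posts in this thread argue about.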
> upon you that there are no consequences to your actions, and as a result, you prefer games that reflect this.
I don't think so - I mean, I was in my early teens and mom/dad certainly made sure I was painfully aware of the consequences when I did something wrong in real life. I think it was more an issue of deciding, "do I want to play a game that includes at least one way of dying on every screen, or a game where you're encouraged to try even the craziest possible solutions, without fear of dying for no good reason."
You could have a middle ground, and I think later games (even Sierra games) finally found it - kill players for doing something really dumb or ignoring an obvious bit of information they should have noticed earlier, but don't kill/penalize them just for climbing a tree, walking too far off the "edge" of the world (desert, swamp, etc.), or picking up a piece of glass. ("OUCH! That glass was sharp! Roger Wilco has bled to death!")
> I remember games like Starflight, where there was no "Save As"; you had to copy the entire game
> to another directory if you wanted to branch off and try something. Now THAT was a hardcore game.
Oh man, you ain't kidding! I'd like to think that they would have had a different save-game method if our computers had had, say, hard drives back then. (I'm sure my two 5.25" SF1 Saved Game discs are still somewhere in my parents' attic :-) ) But yes, it did make you very hesitant to do anything too wild and crazy (or to put it less pejoratively, anything too exotic and adventuresome). That was a good thing sometimes, but it could make you overly cautious too.
What a great game, though. Hurry up, Starflight III !
I know exactly when I started hating the programmers at Sierra On-Line. It was Space Quest 2. You crash onto a planet and begin looking around for a way to escape. Only problem is that every single thing on that planet is trying to kill you. Let's see, I think I'll walk over here... oops! Didn't see those faint dotted lines that marked a trap door over a spike pit! Here's a maze of vines I have to carefully maneuver, pixel by pixel with the keyboard arrows... whooops! I touched a vine, and now the plant is eating me! Hmmmmm, I wonder if I should take some of these berries to eat. Nope! I guess my convulsing, and now dead body indicates I shouldn't have!
But here's the worst puzzle on that planet - every single tree is too slippery to climb except for one which has a slightly different description, indicating you can probably climb it. So you type "climb tree" and guess what? Roger Wilco gets his hands and feet stuck on the tree, critters descend from the tree limbs, and eat him.
GAAAAHHHHHHH!! Not only did Sierra On-line games kill you for making a wrong move - they killed you for doing something entirely logical! End result? You creep through the game with a trembling hand, expecting death at every step, stabbing the "Save" key every 30 seconds or so.
LucasArts was a breath of fresh air. In "The Secret of Monkey Island" there was only one way to die. One! You had to be foolish enough to stay underwater for more than twenty minutes. And in "Monkey Island 2" you couldn't die at all!
And even better, you couldn't do anything in either game to permanently ruin your chances of winning. What's that, you forgot to read the combination at the beginning of the game in Space Quest? Too bad for you, when you need it 10 hours later! Hope you saved that game! But what's that, you insulted Governor Elaine Marley so much that she threw you out of her room in the mansion of "Monkey Island 2"? No problem! Go back in and she'll sigh and give you another chance! Try all the funny conversation choices! It's OK, you can always do the right thing later!
Of course certain LucasArts games had elements of risk (you could kill Indy in "Indiana Jones and the Last Crusade" if you weren't a good fighter), but for the most part their philosophy was "Explore - solve - have fun! Don't worry about trying different things - you can't mess anything up permanently."
Which, IMHO, made for a much more fun adventuring experience than wondering if you'll die the very second you step onto the next screen because you wandered out into the desert one screen too far. Thank you so much, Sierra On-Line.
I think it's much more important to have a source of deterministic non-random numbers. And fortunately someone has stepped up to the plate with a solution!
Sure, I can fire up an Apple II emulator and give those games to my kids today, but can blocky graphics and minimal sounds really sustain their interest in this day and age? And yet there's nothing equivalent to those games today... at least not that I know of.
> members) helped to stop this dangerous legislation. Good job!
Wow! I guess maybe one guy writing his congressman can make a difference! I'm glad that there are some sponsors of bills like this who don't support super-DMCA-type bills because they're eeeeeeeeevil, but because they simply don't recognize the consequences of their legislation and are willing to change when they realize what they're actually sponsoring. I'm also glad this senator apparently had a legislative aide with some sense to oppose the bill!
I'm all for bare-bones, but I at least want all the bones!
But now, with this one-two punch aimed at ISPs (see http://yro.slashdot.org/article.pl?sid=03/01/18/2116255&mode=thread&tid=141) they've started annoying the big boys - corporations with real money. No ISP in their right mind wants to have to give up their users' personal info without a fight - it makes them look bad and generates a lot of bad will with their customers.
So might it be that Verizon, AT&T, BellSouth, Earthlink, etc. will start some counter-lobbying on the Hill to get the DMCA limited? Sure, they're not really doing it for the best reasons... but you know what they say about "the enemy of my enemy."
Dissenting opinion (Stevens): http://cyberlaw.stanford.edu/lessig/blog/archives/01-618d.pdf
Dissenting opinion (Breyer): http://cyberlaw.stanford.edu/lessig/blog/archives/01-618d1.pdf
I disagree. Take another look at the last paragraph of the article:
The judge told jurors...[that] merely offering a product that could violate copyrights was not enough to warrant a conviction
That's a huge statement! One of the big, big sticks wielded by the RIAA/MPAA and others against software makers is that they can be held liable if their programs merely have the capability of being used to violate copyrights, even if the programmer had the best of intentions and never intended that it be used for that purpose. This guidance from the judge significantly reduces the ability of RIAA/MPAA to swing that stick.
...for the US Copyright Office to consider.
The Customizer
It's made by the same guys who made those lovely clicking IBM keyboards, and one of their models is (apparently) designed to give you a similar tactile feel but with less noise. (IIRC from my e-mails to/from one of their sales guys a few years back, they accomplished it by putting a noise-dampening shim into the spring).
- Both groups maintain lists that are optional for subscribers. Are you willing to trust Cybersitter's judgement in what is offensive or not? Fine, buy their software and use it. Want to tweak the definition of what's "offensive"? Cybersitter lets you do that too. The most important word here is "optional" - you don't have to use Cybersitter if you don't agree that their list is fair, accurate, or otherwise useful.
- Both groups contain ways to get off the list. Was your site mistakenly identified by CyberSitter or some other filter software? Most of them have ways to get in touch with the list maintainers and have your site re-evaluated. Similarly, most blackhole list operators feature prominent instructions on how to get yourself removed from their list.
You didn't mention the rest of the story in your New Architect followup, but what happened after you updated your mail software? Did you contact the blackhole list operator again? Did they test your server again and find it secure? Did they remove you from their list?
Similarly, you and/or your ISP don't have to subscribe to blackhole lists if you/they don't want. You ask what would happen if someone (say, the Chinese government) starts making a blackhole list of sites that deal with something they consider offensive? (say, western media, Falun Gong, etc.) The answer is that you and most ISPs probably won't subscribe to such a list. They can blackhole as many sites as they want... but most of the world won't care, or even notice.
Open-relay blackhole lists thrive not because "vigilantes" are cramming their brand of justice down our throat, but because enough people agree with their philosophies that they're freely willing to make use of the product they're offering.
If not, then you may still have a legitimate complaint. But if they did, then I think the system worked the way it was supposed to.
You said that your "software and your definition are now upgraded". The opportunity for you to upgrade both your software and your understanding of what an open relay is have been around for a very long time now. I think that by running your own mail server, you raise yourself to a higher level of Internet citizen. No longer just a casual web user, you have to take the responsibility of maintaining your server, keeping up with security patches and issues, and just generally being a good Net citizen. Blackhole lists are something of a last resort for people who won't/can't take care of the problem in any other way. Now that you've solved the problem and your site has emerged from the blackhole, I would take it as a lesson learned and go on from there - not spend 1/3 of a magazine column trying to figure out what the best way to sue a Danish company is.
P.S. Here's a quick, automated way for anyone to check and see if their mail server is an open relay:
> telnet relay-test.mail-abuse.net
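The same self-check the P.S. above points at, done directly against your own server instead of through an outside test service, as an added example that is not part of the original post. The idea is the one a relay tester uses: open an SMTP session, give a MAIL FROM and a RCPT TO that are both foreign to the server, and see whether the RCPT TO is accepted. The probe addresses and the `FakeSMTP` stand-in (which lets the logic run offline against a constructed "open" and a constructed "denying" server) are assumptions of this example; `smtplib` is the standard library.

```python
import smtplib
import sys

# Constructed probe identities (not from the page). Neither domain is local to the
# server under test, so accepting this RCPT TO means accepting third-party relay.
PROBE_SENDER = "relaytest@sender-not-local.example"
PROBE_RCPT = "relaytest@rcpt-not-local.example"


def probe_relay(smtp, sender=PROBE_SENDER, rcpt=PROBE_RCPT):
    """Return True if the server accepts a recipient it is not responsible for.

    `smtp` is an smtplib.SMTP object or anything with the same ehlo()/mail()/
    rcpt()/rset() methods returning (code, message) tuples.
    """
    code, _ = smtp.ehlo()
    if code != 250:
        raise RuntimeError("EHLO rejected with %d" % code)
    code, _ = smtp.mail(sender)
    if code != 250:
        return False  # envelope sender refused outright: nothing is being relayed
    code, _ = smtp.rcpt(rcpt)
    smtp.rset()  # abandon the envelope; no message is ever sent
    return code in (250, 251)


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP so the check can run offline."""

    def __init__(self, relays_anything, local_domains=("mail.example.org",)):
        self.relays_anything = relays_anything
        self.local_domains = local_domains

    def ehlo(self, name=""):
        return 250, b"fake.example Hello"

    def mail(self, sender, options=()):
        return 250, b"OK"

    def rcpt(self, recip, options=()):
        domain = recip.rsplit("@", 1)[-1]
        if self.relays_anything or domain in self.local_domains:
            return 250, b"OK"
        return 550, b"Relaying denied"

    def rset(self):
        return 250, b"OK"


def main(host):
    # Real check against a server you administer.
    with smtplib.SMTP(host, 25, timeout=15) as s:
        print("%s: %s" % (host, "OPEN RELAY" if probe_relay(s) else "relaying denied"))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv[1])
    else:
        print("offline demo, open server:", probe_relay(FakeSMTP(relays_anything=True)))
        print("offline demo, secured server:", probe_relay(FakeSMTP(relays_anything=False)))
```

Two caveats for reading the result: the recipient must be a domain the server does not handle, otherwise a normal local delivery looks like relaying; and some servers accept at RCPT TO and only refuse at DATA, so a "denied" answer here is conclusive but an "accepted" answer is worth confirming with a full test message to an address you control.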
When it comes to mail administration, it appears I've been several years behind the curve. My mail server software, circa 1996, was purring along quietly, so I never upgraded it to a version capable of a higher degree of authentication. I'm also old enough to remember when an "open relay" was a relay intentionally left open, not one merely susceptible to misuse. Thanks to all of the readers who wrote to bring me into the new millennium. Both my software and my definition are now upgraded.
At the same time, I labeled the blackhole list operators "vigilantes" for good reason. It was always my understanding that if you lie about your identity to gain access to something that would be closed to you if you told the truth, you've done something wrong. That's true whether you intend to send spam or prevent it. As vile as spam is, the ends don't justify the means. Regardless of whether my mail server used to be "open" or not, I stand by my analysis that placed legal responsibility on the blackhole operators who forged their identity.
(emphasis mine)
I still think the author is confused. Yes, it's possible he might be able to make a legal case that they're blacklisting him because his server is an unintentional open relay, but just because he doesn't know it's easily-exploited doesn't mean he doesn't have to take some responsibility. Consider this fable:
Homeowner: Why have you put my phone number on a list of unsecured phones!?!?
Locksmith: Well, there's a criminal running around in the neighborhood - he's sneaking into open houses and using their phones to make obscene phone calls. We can't stop him, so some of us in the neighborhood are trying to make a list of all the phones in houses that aren't protected, so people can avoid receiving calls from those phones if they want.
Homeowner: But that's not fair! And you're wrong, too! My house is always locked.
Locksmith: Well, it is a voluntary list - people don't have to block incoming calls from phones on the list if they don't want. But I'll take a look at your house anyway, to see if it's secure. If it is, I'll take your number off the list.
Homeowner: See!? The door is locked tight. No robbers are getting into my house!
Locksmith: Uh... how old is this front door?
Homeowner: Well, it was probably installed in the 1920's or so.
Locksmith: Oh, well that's the problem. See, old door latches like this can be pretty easily opened... like this. See how I can just slide a credit card here and the latch pops open? Now modern doors don't have this problem - the latches have a locking mechanism that...
Homeowner: You swine!
Locksmith: Pardon?
Homeowner: You filthy crook! I can't believe you just trespassed on my house like that!
Locksmith: Uh... but, I was just showing you how a criminal could...
Homeowner: What kind of vigilante justice are you running here? Breaking into my house and blaming me for the problem! And blocking my phone calls as well! You'll be hearing from me soon - I'm filing a lawsuit this week!
Locksmith: [stunned silence]