You are back on whitelisting again. And with authentication certs you can whitelist, but the more important thing is you can also be somewhat assured that whoever sent the email is who they say they are. You can then sue those people for theft of services, which one of the speakers (a lawyer) has made a career out of. Spam is illegal (in some states in the US directly, but indirectly via chattels or common law), especially if you request to not receive it.
Who did the abusing is irrelevant. Where the mail came from is irrelevant. All of that can be spoofed, forged,
Not with a valid cert you can't. And that is the point. If you know who it is who is sending you the crap, you can stop them without making those who are sending you unsolicited, but nonetheless worthy, messages jump through hoops. Keep in mind that more than half of the spam out there is being sent by just a small number of people. They can't go and get good certs from a bad certifying agent since we (the good guys) can simply refuse to honor any cert from that certifying agent, effectively destroying their business. No certifying agent is going to risk that to let a few spammers get certs.
...and I chose to go the route of a stand alone GPS unit (Magellan Sportrak GPS) that did not have the mapping capabilities but could track routes and dl back to my PC. I then use Delorme XMap and Topo to read in the routes to make trail maps, etc. Delorme's software does not load onto a GPS unit but it does on Palm and CE, connects to the GPS from the Palm providing all of the functionality and it is far more detailed than Magellan's Mapsend.
It also has routing capabilities (ie; MapQuest directions) and will route on both the PC and the PDA. Also, with this configuration I am not limited by the PDA's low battery capacity and only go to it when I need to look at the map (ie; I set up waypoints in advance in the GPS). I do a lot of outdoor activities mtn bike/camp etc; and this scenario, although not as elegant as an all-in-one, works for what I need it for.
And that is a valid argument (and some variation or another on it was mentioned by a few speakers), but the mechanisms to make this happen from a technical standpoint are not very mature. The prevailing choices are authentication, whitelisting, micropayments and fees between ISPs (an offshoot of micropayments, AKA macropayments). Each of these has associated costs and benefits. Without rehashing each argument, the aspect of each of these that I do not like is an unnecessary financial burden on small users such as myself. I run my own mailserver for five domains plus customer domains and I can tell you the big ISPs, Verisign, et al. will try to bury people like me if given the chance to do micropayments, just like the big banks did to little ones with ATM fees. Yeah, you probably hate those as much as I do.
Authentication may be the best way to go but there has to be a lower cost solution since a cert is going to be needed for each domain. Also, you would then need to manage trust relationships and that is not an easy thing. A model of it is in Kerberos but it is overly simplified and is only one level deep. Just to give you an idea why Verisign is pushing that option: they own a large number of the providers out there. Thawte and others are all Verisign owned.
The only one not covered by the financial argument is whitelisting and I do not believe it is an elegant solution and I think it is more easily defeated than people think it is. However, it may come down to that as being the next step after filters.
Does that mean that I now have to pay for a cert for each domain that goes through my mail server? Keep in mind that the SMTP spec does not have a "sending_mail_for" pragma in it. When I send mail it goes out as coming from the primary domain on the machine, not necessarily the domain on the from address, which in the case of my alumni accounts, I do not have control over.
I was actually at the conference (unlike the troll who wrote the lead piece suggesting blocking port 25...) and this was suggested by, of all people, Verisign. Hmm... I wonder why, because they know that a cert for every domain name out there would be required. Contrary to the lead story's assertion, there was a lot of discussion about how filters are only one part of a larger arsenal of spam fighting tools. In fact the discussion resembled many of the comments posted on this discussion. ie; do filters work (yes, no, arms race...), auth SMTP, ISP filtering v. personal filtering, etc.
There were a lot of smart people there and the discussion was solid and it gave people more than a chance to vent and regroup for the future. Some consensus was that 99.5% of all users needed to have filters to make the economics of spam work in our favor. Another consensus was that spam was, at its core, an economic problem with (as you put it) a technical symptom. Another one, that was not as clearly stated, was that the community needs to come together as a whole and fight the problem at its source. On that note, a lawyer was there who has made a rather successful, although probably not all that lucrative, career of suing spammers into oblivion.
In conclusion, there were technical solutions and legal solutions, and each one by itself will be insufficient, but all told it is a start to eliminating the problem.
Parents!
Just like it is up to them to check what their kids are watching and for them to know where their kid is going when they leave the house. It is not my job, nor do I need to be inconvenienced.
You are assuming a random sampling. Do those who do not vote adequately represent the population? Or conversely do those who vote adequately... That is the hole in your argument because they do not, in either case, represent the population as a whole. Also, you are discounting the issue of perception. If a politician wins by garnering 55% of the votes, these politicians then say they have a mandate. There are other issues that, instead of rehashing myself, I will point you to http://xocxoc.home.att.net/math/polling.htm where a much more detailed analysis of election systems is presented.
You are assuming those jackasses above the age of 18 actually voted. Don't, because they didn't. Less than 60% of the nation's eligible voters turned out to vote. Of that most were your granny and her granny friends who could not care less about that new fangled thing called the internet (or the freedoms it used to provide) and, despite being 5 and 9/10th feet in the grave, are more worried about dying in a terrorist attack than from the cancer riddling their bodies from years of breathing toxic fumes and drinking bad water.
If there is one thing that you can take from this rant, it will be that no matter who you vote for, VOTE! Even if it is a write-in for your favorite comic book character. Only when the politicians win by simple majorities and most votes go to write-ins will they begin to listen.
IANAL but I do not believe prior art is limited to things from the US. The basics of prior art is that the product (prior art) has to be released publicly (ie; not a trade secret) and the date of that release has to be verifiable. It is pretty straightforward really.
From Bounty Quest->
Excluded information:
Unpublished or secret information, e.g., trade secrets or internal company memos (even if they describe the invention and are before the relevant date).
Information published after the "Prior Date" listed above.
The fact that they (Macromedia) are not talking to the media is one indication and if you had read the story they are hurting financially (due to their own greed and mismanagement IMHO) and are ripe for a takeover. One that the shareholders would benefit from immensely.
At that part of the Hudson there is so much water moving with so much force that if there was a plane that went down, it would be out over the side of the Georges Bank by now. I was out there last year in a boat that has a top speed of 40 MPH and we had the thing gunned and were only doing 22. There is a lot of current there and anything that went down in the lower Hudson is likely gone if it was not heavy enough to sink into the mud.
...are most spammers intelligent enough to harvest email addys this way...
I would not rest on those laurels. In a crappy job market with lots of talent wasting away on unemployment rolls there will always be a smart person willing to give it up for a steady cash flow again. They may even be trolling around on /....
Re:Does this seem bass-ackward to anyone else? (on Googling For Dates?; Score: 2, Insightful)
Dude, chicks do it too. The last girl I dated did it to me before we even went out.
She determined I was a bit geeky. I then proceeded to ask her what she supposed someone who googled potential dates was...
Unfortunately, satellite radio is already dead.
You forgot the BMW and the dishwasher... ;-)
<rant>
I grew up in NY and was still there during the first few years of Spitzer as AG. He is way too much of an activist to be a SCJ. Although he is doing wonderful things for the folks of NY (and across the nation), he is not someone I think is even capable of taking dispassionate views of law to make unbiased judgments, a trait which I believe is essential in a judge to keep justice blind. Now, maybe he should run for governor and NYers could dump Wacky Pataki. That would be a campaign I could stand behind.
</rant>
Here is the source code attached to the original posting on Bugtraq. Due to lameness filter you will need to dl it from here.
Gobbles Security has posted crap like this before to security sites and this is in keeping with their other posts. (http://www.google.com/search?q=gobbles%20security&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8)
It seems to be an obvious prank.
See below for text of latest post.
[snip for lameness filter]
"Putting the honey in honeynet since '98."
Introduction:
Several months ago, GOBBLES Security was recruited by the RIAA (riaa.org) to invent, create, and finally deploy the future of antipiracy tools. We focused on creating virii/worm hybrids to infect and spread over p2p nets.
Until we became RIAA contractors, the best they could do was to passively monitor traffic. Our contributions to the RIAA have given them the power to actively control the majority of hosts using these networks.
We focused our research on vulnerabilities in audio and video players.
The idea was to come up with holes in various programs, so that we could spread malicious media through the p2p networks, and gain access to the host when the media was viewed.
During our research, we audited and developed our hydra for the following media tools:
mplayer (www.mplayerhq.org)
WinAMP (www.winamp.com)
Windows Media Player (www.microsoft.com)
xine (xine.sourceforge.net)
mpg123 (www.mpg123.de)
xmms (www.xmms.org)
After developing robust exploits for each, we presented this first part of our research to the RIAA. They were pleased, and approved us to continue to phase two of the project -- development of the mechanism by which the infection will spread.
It took us about a month to develop the complex hydra, and another month to bring it up to the standards of excellence that the RIAA demanded of us. In the end, we submitted them what is perhaps the most sophisticated tool for compromising millions of computers in moments.
Our system works by first infecting a single host. It then fingerprints a connecting host on the p2p network via passive traffic analysis, and determines what the best possible method of infection for that host would be. Then, the proper search results are sent back to the "victim" (not the hard-working artists who p2p technology rapes, and the RIAA protects). The user will then (hopefully) download the infected media file off the RIAA server, and later play it on their own machine.
When the player is exploited, a few things happen. First, all p2p-serving software on the machine is infected, which will allow it to infect other hosts on the p2p network. Next, all media on the machine is cataloged, and the full list is sent back to the RIAA headquarters (through specially crafted requests over the p2p networks), where it is added to their records and stored until a later time, when it can be used as evidence in criminal proceedings against those criminals who think it's OK to break the law.
Our software worked better than even we hoped, and current reports indicate that nearly 95% of all p2p-participating hosts are now infected with the software that we developed for the RIAA.
Things to keep in mind:
1) If you participate in illegal file-sharing networks, your computer now belongs to the RIAA.
2) Your BlackIce Defender(tm) firewall will not help you.
3) Snort, RealSecure, Dragon, NFR, and all that other crap cannot detect this attack, or this type of attack.
4) Don't fuck with the RIAA again, scriptkids.
5) We have our own private version of this hydra actively infecting p2p users, and building one giant ddosnet.
Due to our NDA with the RIAA, we are unable to give out any other details concerning the technology that we developed for them, or the details on any of the bugs that are exploited in our hydra.
However, as a demonstration of how this system works, we're providing the academic security community with a single example exploit, for a mpg123 bug that was found independently of our work for the RIAA, and is not covered under our agreement with the establishment.
Affected Software:
mpg123 (pre0.59s)
http://www.mpg123.de
Problem Type:
Local && Remote
Vendor Notification Status:
The professional staff of GOBBLES Security believe that releasing our advisories without vendor notification of any sort is cute and humorous, so this is also the first time the vendor has been made aware of this problem.
We hope that you're as amused with our maturity as we are.
Exploit Available:
Yes, attached below.
Technical Description of Problem:
Read the source.
Credits:
Special thanks to stran9er@openwall.com for the ethnic-cleansing shellcode.
Actually, there is apparently still very much of a market for whips...
...Gates Brothers Rocketry is back up finally.
Yeah, but eventually they are going to need to do something to pay back that "generosity". Not that there is a quid pro quo in politics.
Sure, just as Access was replaced by FoxPro or any of the other better packages from competitors MS bought out over the years. Keep dreaming.
Sure, just ask the RIAA. Apparently they can turn 151 CD burners into the equivalent of 436 CD burners...
-A RH-Lokkit-0-50-INPUT -i eth0 -p tcp -m tcp -s 198.116.142.34 --dport 21 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -i eth0 -p udp -m udp -j REJECT
6 months later...
Uh, guys. Did we forget something? I am able to connect but data is not coming through...
Yeah, you'd think CmdrTaco was posting from his honeymoon hideaway...