I don't think any blacklist group is worthy of such trust.
Do we really know that isn't being run by some group of spammers bent on making sure only their spam gets through? It might operate reliably for a while, then start to get compromize itself slowly...
Those who are operating real blocklists need to do something to earn trust besides putting a blocklist forward, that's the suspicious package we're trying to investigate the contents of.
Oh, TDE addressing the Spam issues would be great... but the collateral damage of blocking e-mail you want to get is not something you should be taking chances with.
If you have a large number of customers in Spain, and you're configured to use this blacklist... you're screwed. It'll take several hours before you realize why you stopped getting customer e-mails.
Using these blocklists in an automated mode is a very dangerous thing. You never know what collateral group of non-spammers will be blocked next.
Blackholes.us does not list spammers, spam supporters or vulnerable hosts at the present time. These lists are meant to contain all known networks assigned or allocated to the respective provider or organizations within the respective country. Lists are created for research purposes, primarily, and are made public for any use others see fit.
Really, all they're giving you is a list of IPs assosicated with the named nation or company. If you were to use all of those blacklists at once, you will have blocked out nearly every major hosting firm in the USA, and a good chunk of the world. Not just the spammers, but everything within those ranges. This is definitely a "We can't find the criminals, so we're nuking the town!" defense plan.
These lists are valuable if you want to lock out an entire provider... but realize that you're going to throw out a lot of legitimate servers in your quest to block a few Spammers. Unless you're sure you're never going to have customers in Mexico, don't throw out all of Mexico's IP space in one swipe.
Also, beware that these lists don't sort datacenters from customers. EV1's IP space for example is mostly servers, but they do operate a regional ISP as well. Block that whole range, and some dial-up customers might try to reach you and fail.
It seems to me like this whole concept of Spam blacklisting is a matter of the blind leading the blind.
If you trust your mailservers to automatically block whoever's on a blacklist, you've basically handed control of your mailserver's main function over to somebody else... but those somebody else's are just self-appointed dimwits who eventually get drunk with power and do something crazy like blocking a whole country worth of IP space.
Sorry. This ain't the solution to Spam. It's a band-aid on a system that's much too wounded, but we use it anyway...
A good example of how Gibson entirely missed the point. Raw Sockets are restricted to Administrator users. The real issue is that XP gives users Admin access by default, not that it has raw sockets.
If he had flamed MS for their poor out-of-box user configuration, he would have had 100% of the techie world behind him.
He is constantly harping on Microsoft's poor-out-of-the-box configuration, it's just the way he goes about it that seems a bit Tabloid-ish.
For example, his tool called "Shoot The Messenger" simply turns the Messenger Service off, which should be its default setting on XP Home since the average user doesn't need it and it only gets used to annoy. By comparison, TechTV hosts just regularly remind people how to turn off the service by going through the Control Panel. Same net result, the same flags in the registry get changed no matter what way you attack it in the GUI.
Instead of calling on Microsoft to make changes, he writes assembly-coded programs to do the changes and convinces people that there's such a gaping hole in their systems that need to be fixed by his magic bullets. For him, security is a side interest... his real business is built around SpinRite, the definitive hard-drive testing tool.
So, really, he's in line with the main stream community in his beliefs on security, it's just that he has an unusual way to promote them which is more aimed at the "dumb public" than the secuirity elite.
Tim O'Reilly and friends have yet to publish a book about OpenOffice.org, so the indullable assignment of an animal from that method remains yet to be determined.
You don't have to provide the file. You'd just have to be civilally disobediant and accept your punishment for not providing the file when duly ordered to. It might be a good deal, the punishment for that could be well less than the punishment of the other crime that you're covering up.
However, to compensate for that, the rules of hearsay have a nice gaping hole for admissions against interest. They can't ask you what you said, but they can ask what other people heard you say if the expected answer is something incriminating.
Your hard disk isn't your testimony. It's physical evidence. There's far too many cases where the defendant's own words found on a computer have been used against him.
The point is that if a defendant refuses to hand over the encryption key, they're not automatically guilty of the crime they were being investigated for, but they become guilty of complying with an investigation.
It's the same principle in drunk driving cases. They can't make you blow into the breathalizer if you don't want to. They can, however, give you the same punishment as drunk driving if you refuse to take the test when when you are suspected of drunk driving. You wouldn't be guilty of drunk driving, you'd be guilty of refusing to take a test of your blood's alcohol content when asked after driving.
If you think about it, giving them our encryption keys is kind of like guilty until proven innocent isn't it, if they assume we are all criminals and ask us to prove we are not (by showing them our cards). I don't really understand how any country can justify this...
You only have to give your encryption keys if they've managed to get a warrant for them. That means you're not "guilty" yet, but they've gotten enough on you to prove you're a "suspect".
What does Illegal Interception mean? Does that mean if I'm running ethereal on a network I admin, I can be put in jail for illegally intercepting packets?
Well, according to the proposed treaty.... "when committed intentionally, the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data. A Party may require that the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system."
So, if you're the owner of the network, and you haven't promised your users privacy, then you're perfectly in the clear. It clearly applies only to situations where you've gotten your admin status without permission to have it, or you've promised your users that you weren't going to use it that way.
1. a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Article 2 - 5;
2. a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed with intent that it be used for the purpose of committing any of the offences established in Articles 2 - 5; and
Hmm... that doesn't say "Hacking"... "the offences established in Articles 2 - 5". What are those?
Article 2 - Illegal access Article 3 - Illegal interception Article 4 - Data interference Article 5 - System interference
Those are four nicely defined crimes that should be criminal. That's not quite all of hacking...
However, being forced to turn over your encryption key is not forcing you to confess to a crime. And any data you have on your hard drive is evidence rather than testimony so the 5th Amendment already doesn't apply to that.
However, a treaty cannot create a US law. It can create a promise to pass a law... but most of these treaties say nothing about what happens if we break the treaty and don't pass the law as promised.
So, a treaty-promised law would still need to go though House just like anything else. It'd be presume that the President and Senate are going to approve the law, otherwise they'd be inconsistant with themselves, but well, the Senate does have the authority to do inconsistant things...
Why should the government have access to my files without any suspiscion nor complaint of wrongdoing on my part.
They shouldn't and they don't. They still would need a search warrant to demand your decryption key. The treaty is clear in saying that all local standards for judicial review must be applied to any searches.
That amounts to being asked to incriminate oneself. They'd only *need* to ask for that if they didn't have enough evidence against you to convict you.
However, they can only ask for that if they have enough evidence to get the warrant. And no, it's not self incrimination to force somebody to turn over their own records... because that's evidence. The only thing the protection against self-incrimination is good for is allowing you to refuse to be called to the stand at your own trial if you don't want to be.
if I'm standing across the mexican border, and you are on the US side, and I take you out with a high-powered rifle... and then I head on over to disneyland....
I have broken no US laws, right? Because I wasn't in the US at the time?
Right. You would have broken Mexican laws. The American authorities would arrest you and return you to Mexico for trial.
Why should they cooperate for something that's not a crime in America? Should they cooperate if, say, the Saudi police were investigating you for putting pictures of your girlfriend in a bikini on your web site, for example?
If you did so from within Saudi Arabia, sure. In order to break the laws of a another land, you have to be there at the time. Otherwise, their laws don't apply to you.
This really doesn't sound like that bad of a bad thing...
- If you're selling Nazi-era items on eBay, you might as well just put "Offer void in Germany and where prohibited by law, bids from such places will be disqualified." in your description. You just can't sell that kind of stuff to Germany, so don't even try. - The encryption keys issue sounds fair to me. If you have the keys to an encrypted file and you refuse to decode it and a judge issues a warrant for that data, you have to turn it over or pay the penality for obstructing an investigation. - The NMAP issue seems like one of FUD to me. The word "hacking" is nowhere in the actual text of the document. Of course, Slashdot would run a story that debates a treaty with a link to the treaty language itself because we reject all government actions without even needing to read what they're proposing.:)
Police can't tell a newspaper that they cannot publish information, but they can tell them that they shouldn't and they can also threaten to deny any media-access rights that they don't have to give the paper but only do so out of courtesy.
And really, that's what a DMCA Takedown notice equates to... "We swear that we own the copyright to this and we want it taken down right away." The ISP doesn't have to comply, but they have to serve that notice to the user, or be liable for contributing to the infringment. They also have to put it back if the user swears back that they do have the right to put that piece of work up, which will also shield the ISP for being responsible and put all the responsiblity on the user, who has now steped forward and identified themselves for easy suing...
Slashdot Mirror
I don't think any blacklist group is worthy of such trust.
Do we really know that isn't being run by some group of spammers bent on making sure only their spam gets through? It might operate reliably for a while, then start to get compromize itself slowly...
Those who are operating real blocklists need to do something to earn trust besides putting a blocklist forward, that's the suspicious package we're trying to investigate the contents of.
Oh, TDE addressing the Spam issues would be great... but the collateral damage of blocking e-mail you want to get is not something you should be taking chances with.
If you have a large number of customers in Spain, and you're configured to use this blacklist... you're screwed. It'll take several hours before you realize why you stopped getting customer e-mails.
Using these blocklists in an automated mode is a very dangerous thing. You never know what collateral group of non-spammers will be blocked next.
Uh... the site says:
Blackholes.us does not list spammers, spam supporters or vulnerable hosts at the present time. These lists are meant to contain all known networks assigned or allocated to the respective provider or organizations within the respective country. Lists are created for research purposes, primarily, and are made public for any use others see fit.
Really, all they're giving you is a list of IPs assosicated with the named nation or company. If you were to use all of those blacklists at once, you will have blocked out nearly every major hosting firm in the USA, and a good chunk of the world. Not just the spammers, but everything within those ranges. This is definitely a "We can't find the criminals, so we're nuking the town!" defense plan.
These lists are valuable if you want to lock out an entire provider... but realize that you're going to throw out a lot of legitimate servers in your quest to block a few Spammers. Unless you're sure you're never going to have customers in Mexico, don't throw out all of Mexico's IP space in one swipe.
Also, beware that these lists don't sort datacenters from customers. EV1's IP space for example is mostly servers, but they do operate a regional ISP as well. Block that whole range, and some dial-up customers might try to reach you and fail.
Think before you block...
It seems to me like this whole concept of Spam blacklisting is a matter of the blind leading the blind.
If you trust your mailservers to automatically block whoever's on a blacklist, you've basically handed control of your mailserver's main function over to somebody else... but those somebody else's are just self-appointed dimwits who eventually get drunk with power and do something crazy like blocking a whole country worth of IP space.
Sorry. This ain't the solution to Spam. It's a band-aid on a system that's much too wounded, but we use it anyway...
A good example of how Gibson entirely missed the point. Raw Sockets are restricted to Administrator users. The real issue is that XP gives users Admin access by default, not that it has raw sockets.
If he had flamed MS for their poor out-of-box user configuration, he would have had 100% of the techie world behind him.
He is constantly harping on Microsoft's poor-out-of-the-box configuration, it's just the way he goes about it that seems a bit Tabloid-ish.
For example, his tool called "Shoot The Messenger" simply turns the Messenger Service off, which should be its default setting on XP Home since the average user doesn't need it and it only gets used to annoy. By comparison, TechTV hosts just regularly remind people how to turn off the service by going through the Control Panel. Same net result, the same flags in the registry get changed no matter what way you attack it in the GUI.
Instead of calling on Microsoft to make changes, he writes assembly-coded programs to do the changes and convinces people that there's such a gaping hole in their systems that need to be fixed by his magic bullets. For him, security is a side interest... his real business is built around SpinRite, the definitive hard-drive testing tool.
So, really, he's in line with the main stream community in his beliefs on security, it's just that he has an unusual way to promote them which is more aimed at the "dumb public" than the secuirity elite.
Tim O'Reilly and friends have yet to publish a book about OpenOffice.org, so the indullable assignment of an animal from that method remains yet to be determined.
You don't have to provide the file. You'd just have to be civilally disobediant and accept your punishment for not providing the file when duly ordered to. It might be a good deal, the punishment for that could be well less than the punishment of the other crime that you're covering up.
However, to compensate for that, the rules of hearsay have a nice gaping hole for admissions against interest. They can't ask you what you said, but they can ask what other people heard you say if the expected answer is something incriminating.
Your hard disk isn't your testimony. It's physical evidence. There's far too many cases where the defendant's own words found on a computer have been used against him.
The point is that if a defendant refuses to hand over the encryption key, they're not automatically guilty of the crime they were being investigated for, but they become guilty of complying with an investigation.
It's the same principle in drunk driving cases. They can't make you blow into the breathalizer if you don't want to. They can, however, give you the same punishment as drunk driving if you refuse to take the test when when you are suspected of drunk driving. You wouldn't be guilty of drunk driving, you'd be guilty of refusing to take a test of your blood's alcohol content when asked after driving.
If you think about it, giving them our encryption keys is kind of like guilty until proven innocent isn't it, if they assume we are all criminals and ask us to prove we are not (by showing them our cards). I don't really understand how any country can justify this...
You only have to give your encryption keys if they've managed to get a warrant for them. That means you're not "guilty" yet, but they've gotten enough on you to prove you're a "suspect".
What does Illegal Interception mean? Does that mean if I'm running ethereal on a network I admin, I can be put in jail for illegally intercepting packets?
Well, according to the proposed treaty....
"when committed intentionally, the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data. A Party may require that the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system."
So, if you're the owner of the network, and you haven't promised your users privacy, then you're perfectly in the clear. It clearly applies only to situations where you've gotten your admin status without permission to have it, or you've promised your users that you weren't going to use it that way.
Guess I underestimated the number of /. readers who comment without reading the original story.
/. readers who comment without reading the original story.
Never underestimate the number of
1. a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Article 2 - 5;
2. a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed with intent that it be used for the purpose of committing any of the offences established in Articles 2 - 5; and
Hmm... that doesn't say "Hacking"... "the offences established in Articles 2 - 5". What are those?
Article 2 - Illegal access
Article 3 - Illegal interception
Article 4 - Data interference
Article 5 - System interference
Those are four nicely defined crimes that should be criminal. That's not quite all of hacking...
However, being forced to turn over your encryption key is not forcing you to confess to a crime. And any data you have on your hard drive is evidence rather than testimony so the 5th Amendment already doesn't apply to that.
However, a treaty cannot create a US law. It can create a promise to pass a law... but most of these treaties say nothing about what happens if we break the treaty and don't pass the law as promised.
So, a treaty-promised law would still need to go though House just like anything else. It'd be presume that the President and Senate are going to approve the law, otherwise they'd be inconsistant with themselves, but well, the Senate does have the authority to do inconsistant things...
Why should the government have access to my files without any suspiscion nor complaint of wrongdoing on my part.
They shouldn't and they don't. They still would need a search warrant to demand your decryption key. The treaty is clear in saying that all local standards for judicial review must be applied to any searches.
That amounts to being asked to incriminate oneself. They'd only *need* to ask for that if they didn't have enough evidence against you to convict you.
However, they can only ask for that if they have enough evidence to get the warrant. And no, it's not self incrimination to force somebody to turn over their own records... because that's evidence. The only thing the protection against self-incrimination is good for is allowing you to refuse to be called to the stand at your own trial if you don't want to be.
That's because murder is already against the law in Mexico, asshat. Suppose it weren't.
Then the USA would finally get around to building that wall we need between us and Mexico...
Here's the text of the treaty.
Please cite the section that makes it criminal to posess a "hacking device".
if I'm standing across the mexican border, and you are on the US side, and I take you out with a high-powered rifle... and then I head on over to disneyland....
I have broken no US laws, right? Because I wasn't in the US at the time?
Right. You would have broken Mexican laws. The American authorities would arrest you and return you to Mexico for trial.
This breaks democracy in so many ways!
Could you be more specific on at least a few of those reasons?
Why should they cooperate for something that's not a crime in America? Should they cooperate if, say, the Saudi police were investigating you for putting pictures of your girlfriend in a bikini on your web site, for example?
If you did so from within Saudi Arabia, sure. In order to break the laws of a another land, you have to be there at the time. Otherwise, their laws don't apply to you.
This really doesn't sound like that bad of a bad thing...
:)
- If you're selling Nazi-era items on eBay, you might as well just put "Offer void in Germany and where prohibited by law, bids from such places will be disqualified." in your description. You just can't sell that kind of stuff to Germany, so don't even try.
- The encryption keys issue sounds fair to me. If you have the keys to an encrypted file and you refuse to decode it and a judge issues a warrant for that data, you have to turn it over or pay the penality for obstructing an investigation.
- The NMAP issue seems like one of FUD to me. The word "hacking" is nowhere in the actual text of the document. Of course, Slashdot would run a story that debates a treaty with a link to the treaty language itself because we reject all government actions without even needing to read what they're proposing.
None.
United Media is a Scripps Ventures company, part of the E.W. Scripps empire.
Scripps operates some Newspapers, TV stations, and cable networks, and a well-known spelling bee. They trade under ticker SSP on the NYSE, and no major media companies show up on their major holders list on Yahoo.
Is this the utility that reverses changes made by RMS-Lint?
Doubtful... seeing that project was an April Fool's Joke.
Police can't tell a newspaper that they cannot publish information, but they can tell them that they shouldn't and they can also threaten to deny any media-access rights that they don't have to give the paper but only do so out of courtesy.
And really, that's what a DMCA Takedown notice equates to... "We swear that we own the copyright to this and we want it taken down right away." The ISP doesn't have to comply, but they have to serve that notice to the user, or be liable for contributing to the infringment. They also have to put it back if the user swears back that they do have the right to put that piece of work up, which will also shield the ISP for being responsible and put all the responsiblity on the user, who has now steped forward and identified themselves for easy suing...