Slashdot Mirror


User: wkcole

wkcole's activity in the archive.

Stories: 0
Comments: 247

Comments · 247

  1. Re:AFS server issue is a remote root vulnerability on Security Updates, Notices for Mac OS X · · Score: 4, Informative
    The actual firewall backend - ipfw, inbuilt and inherited from FreeBSD - is sufficiently sophisticated to enable per interface rules, but to access this functionality you need to completely disable the GUI firewall front-end and configure ipfw yourself using the command line.

    Actually, it's slightly simpler than this. You can add rules via the command line interface or via other tools and the Apple firewall config panel simply becomes non-functional with a note added that other firewall software is in use. IOW: no need to explicitly turn the Apple GUI off.

  2. Re:Obligatory spam solution rejection form on .mail Domain To Eliminate Spam? · · Score: 2, Informative

    I think you need to read the proposal more carefully and to look at the less formally worded materials at Spamhaus regarding the plan for use of the TLD. It is inaccurate to look at this as a means of fighting spam, much less a FUSSP because it is in fact a way to address the issues of legitimate mail getting caught by various imperfect approaches to spam detection.

    Because it is designed to provide a sort of 'bus lane' for mail servers whose operators are willing to meet the rather stringent conditions and the hefty price of a domain in the TLD to get their mail servers into the TLD, it does not require universal acceptance. It also has literally NOTHING to do with SMTP headers, is designed to be useless as a pure whitelist (eliminating the related objections,) does not depend on spammer honesty, is totally unrelated to the lack of a central controlling authority for email, and is significantly resistant to 'joe jobs' and identity theft for the entities with .mail domains because any mail not coming from their .mail machines would be readily repudiable.

    In short, your comment might have deserved the 'funny' moderation if you were the first person to come up with a checklist response, but all you have really shown is that you did not bother to dig any deeper than the rather misleading /. blurb.

  3. Re:Recognition does not increase likelihood on How We Knew AL00667 Would Miss Earth · · Score: 1

    It would definitely be 'different with planets' (or at least with the one we are primarily concerned with) because of the existing natural defense: atmosphere. An astounding number of tiny objects complete a collision course with Earth per day, and nearly all of them never come within a mile of the ground. The smaller objects have more aerodynamic cross-section (the precise term used is escaping me...) relative to total mass, so they are subject to relatively more drag and a relatively faster rate of burn-off as they enter the atmosphere.

    In addition to the burn-off, objects of identical density (i.e. a BIG rock vs. the same one shattered into tiny rocks) will have very different terminal velocities because (again) they have more aerodynamic cross-section relative to their mass. They experience more drag from the air relative to their mass and so end up striking at a slower speed.

    Finally, the rifle vs. shotgun analogy is generally inapt because you are talking there of the effects of penetrating impacts on the human body which is made up of many highly specialized discrete systems, any one of which would be severely threatened by a penetrating impact of any kind. Put a random 2-mm hole in a human and you are pretty certain to do significant damage to something that human needs. Obliterate the surface features of a random half-acre of the Earth's surface and you will probably not notice in a few minutes (because the waves move anyway) and if you do (i.e. if the piece hits land) it is very likely that nothing more important to the Earth than a few rodents, insects, and plants will suffer. There are meteorite strikes every day in which fist-size rocks manage to make it to the surface of the Earth, and no one ever notices most of them.

    The gun analogy also has a problem of comparing effects of shots with radically different total kinetic energies, where the single vs. fragmented asteroid strike would be a comparison of taking a hit from the same total energy in one place vs. taking it split into millions of constituent strikes. A punch vs. a slap.

  4. Re:Thanks, but no thanks on Would you Warranty Your Email? · · Score: 1
    Unnecessary. Sender's mail-client places an "e-stamp" in the mail. It can then travel over ordinary SMTP. Addressee's mail-client first checks sender against whitelist, if not then it tries to verify the stamp (if any) against the stamp-verification server (clearing house). If it fails both tests then the mail-client can choose to discard it.
    Ah, I see... You are completely ignorant of the article referenced or the system it describes and are just talking about Something Else Altogether.

    whatever.

  5. Re:Thanks, but no thanks on Would you Warranty Your Email? · · Score: 1

    This also points up a deeper problem with the entire model: knowing who a sender really is.

    Not a problem, cryptographic signature.

    forge well-known senders

    You can't forge the signature unless you have that person's key.

    Yes, of course. But that's a solution that exists in your head, and not one that is widely deployed in any way useful to the proposed system. The invention of concrete does not equate to the building of the Coliseum. To be useful, sender authentication (which would OF COURSE involve cryptographic signatures) has to happen synchronously in the mail transport conversation, because the rest of the model involving the hopeless idea of micropayments depends on having a positive ID before the micropayment is accepted. It has to reliably be done at every mail-accepting site in something less than 30 seconds (i.e. while the sender is waiting for the final ACK to DATA) even at peak times. Consider that even today there are some qmail users who insist that they cannot even validate the existence of a machine-local user synchronously in SMTP, and many sites where the complexity behind the external mail accepting machine is so complex that it is impossible even on paper to come up with a way to confirm or deny the existence of an internal user during SMTP. Now mail systems will be asked to check a signature on every message and compare the sender against an internal user's whitelist? What are the security and logistical problems there?

    (Hint: they are kinda big)

    It depends on a financial clearinghouse to which all senders and all receivers have access... Will a million people like me sign up with a central micropayment clearinghouse?

    Yes, that is an issue. First, there can be any number of clearing houses, no need to all sign up with the same one. Second, the vast majority of this could be handled by the ISP's. Sign up for ISP service and they add a few dollars deposit if you want e-stamps included. ISP's can pre-create accounts with a clearing house and simply hand you a key.

    That ignores the reality of most bidirectional SMTP participants (i.e. "mail servers") today. Most of them are run by non-ISP businesses who buy nothing but IP connectivity from their ISP's. Being dependent on an ISP for anything more is simply not acceptable for many businesses, and ISP's generally do a lousy job with email. Being dependent on an ISP for 'e-postage' isn't a workable solution.

    Could any existing financial service provider build a system capable of handling millions of users with the speed needed to make this system deployable? I doubt it.

    Challenging, but I think doable.

    You then go on to talk about the crypto verification system, which was not what I meant.

    Any micropayment FUSSP depends on a financial clearinghouse system akin to the one used to clear paper bank checks. That system is the product of systemic evolution over centuries of growth and efficiency improvements to the point where there are now scores of thousands of direct participants and the median time to finally complete a transaction is on the order of a day. A clearinghouse system for micropayments to every mail server operator today would require about the same number of transactions from day one, but would have to directly serve an order of magnitude more direct users (i.e. mail server operators) and operate about 3 orders of magnitude faster.

    And incidentally, the existing check clearinghouse system only works at all because of the regulatory oversight and core systems provided by governments, such as the Fedwire settlements system. Everywhere that checks have to cross regulatory jurisdictions they are slowed or excised, and in

  6. Re:Thanks, but no thanks on Would you Warranty Your Email? · · Score: 1
    IMHO this means the end of mailing lists - what would prevent me from signing up (automatically, of course) to thousands of mailing lists and collecting all the bonds placed for messages posted through these lists ?

    The theory is that for known senders (i.e. anything you ASKED for) there would be no payment. The result is that mailing lists would have to all send with predictable and constant identities, which is not now the case. (see VERP)

    This also points up a deeper problem with the entire model: knowing who a sender really is. Currently the biggest senders of unwanted email on the net are not people like Alan Ralsky (who forges all sender addresses) or Scott Richter (who sometimes sends identifiably) but rather Swen and Mydoom: worms. Swen uses the email address configured in the infected machine's mailer for the SMTP envelope sender and a bogus Microsoft address in the From header. Mydoom takes any addresses it can find on the infected machine or put together from a list of names and any domains it finds, and uses them at random. Some of us with usernames that match the mydoom list have more bounces of Mydoom mail than actual worm messages. Thousands in the past week. The whitelisting model presented in this paper would pass all the Mydoom messages claiming to be from me through to people who 'know' my address. For worms like Swen that send from a real address to names pulled from an address book and elsewhere, the mail would frequently sail through as well. Beyond the issue of worm mail, this points out to spammers how to get through the system: forge well-known senders. With mailing lists being forced to abandon tools like VERP and publish their senders as part of the initial signup process, a wealth of widely-whitelisted senders would be available to spammers.

    The only solution to that would be an authentication mechanism for all mail that operates at SMTP time. People have been playing with that idea for years, but none yet exists in anything like wide use. Creating such a system is a must before any anti-spam tactic based on whitelisting can be successful in wide use. The continued failure of the IRTF ASRG to come up with anything in that realm is a sign of just how hard that really is.

    Even after someone waves a magic wand to invent and universally deploy a sender authentication system, this model has problems. It depends on a financial clearinghouse to which all senders and all receivers have access. While it is true that a few hundred commercial entities (AOL, MSN, Earthlink, Demon, Wanadoo, etc...) collectively handle both ends of the overwhelming majority of non-spam email transactions, it is also true that there are hundreds of thousands, possibly millions, of other legitimate participants in cross-domain SMTP transactions. For example, I run my own mail server, handling mail for less than a dozen people and accepting about 300 messages per day (and rejecting thousands of pieces of spam...) Will a million people like me sign up with a central micropayment clearinghouse? I don't think so. Could any existing financial service provider build a system capable of handling millions of users with the speed needed to make this system deployable? I doubt it.

  7. Re:Lock out on A Look Back at Apple's 2003 · · Score: 1
    too many non-technical people (e.g. CTOs and CIOs)
    you know, phrases like that are a worrying sign of modern business. does it strike anyone else as odd that a chief *technical* officer should have no technical background?

    Being 'non-technical' in 2003 and 'having no technical background' are rather different things. CIO/CTO jobs in older companies are likely to be filled with people who were technical stars of some IT department in the 80's. The relevance of that technical background to current technical issues varies, but it is useful for people toiling in the trenches (and for companies like Apple trying to retain headshare and regain a foothold in business environments) to remember that today's IT decisionmakers are more likely to think in terms of being a "$VENDORNAME shop" than they are to consider issues of interop at all, because interop anywhere above the lower network layers is still something of a novelty in large environments. Fortunately (for the folks in the trenches and for non-MS platform vendors) people who have some hands-on with *x systems as *x systems (i.e. Unix-ish systems working smoothly with each other) are starting to make it to the upper layers of IT management, replacing the retirees whose last technical experience was pre-PC.

  8. Re:Let the games begin! on New York Spam Ring Lawsuits · · Score: 1

    For the record on AlRal, he has just been in 'shady business dealings' but is a felon: convicted of insurance fraud, served time, had his license to sell insurance pulled.

  9. Re:Let the games begin! on New York Spam Ring Lawsuits · · Score: 1

    They are already there, whether you mean acting like a business while engaged in complex criminal endeavors like organizing platoons of zombied machines to send spam and DDoS-attack places like Spamhaus OR if you mean working with the less online-focused organized criminal operations. Gambling, porn, drugs, and money-lending are the biggest backends for spam: do you really think the traditional Mafia-like organizations are NOT involved???

    Until recently, private small-time enforcement of private property rights against these slimeballs has been a very rough battle because the government and the really big private property owners like MS have chosen to ignore the issue. We have had solid legal grounds for the principle that spam is 'trespass to chattel' since Cyberpromo lost their cases in the mid-90's, but the scum who think that everyone else's mailservers and mailboxes are some sort of public property despite those cases have enough friends in 'respectable' organizations like the DMA and Congress that they've kept the big boys in business and government from acting. Until now.

    The analogy to Prohibition is cliched, simplistic, and just plain wrong. It might be at least a little less so if the overwhelming majority of people occasionally enjoyed a little spamming in moderation, but that's simply not the case. Prohibition of theft and murder does a fairly decent job of keeping those behaviors minimized, and a real Prohibition on spamming could too, if any such law were ever passed or even if law enforcement had the guts to enforce existing laws against unauthorized computer use.

  10. Re:A testament to crypt() on The Death Throes of crypt() · · Score: 1
    "As today's demonstration shows, we are quickly reaching the time when anyone with a standard desktop PC can potentially pose a real threat to systems relying on such vulnerable security," said Jim Bidzos, president of RSA Data Security, Inc.

    It is wise to note that Mr. Bidzos had very strong personal financial incentives in making everyone believe that the above statement was true when he said it, well before the expiration of the RSA patent. He likely believed it sincerely, but he was by no measure an unbiased source. The more free encryption seemed to be weak, the more his company could milk from their patents. It is no accident that the record for brute-forcing a DES key is still the one set 4 years ago before the RSA patent expiration or that there has been a slowing of the pace of new decryption feats since then.

    A fact that is often ignored (in what seems like an endemic cryptography fetish) is that the 'weak' encryptions like DES are in fact strong enough for many uses simply because the information they protect is far less valuable than the resources needed to break the encryption. It is also commonly the case for situations where crypt() is the only protection that positive social engineering presents a far higher hurdle than the technical ones: if the people who can ypcat passwd know that running crack against what they get will run a strong risk of rendering them jobless, unemployable, and fighting a lawsuit which will destitute them and their heirs, they tend to not do it.

  11. Re:10.3.1 corrects it on Apple Responds to Exploit · · Score: 1

    No, it does not. I am still able to get the password past the screen saver/login window with 10.3.1

  12. Re:Oh give it a rest on Apple Responds to Exploit · · Score: 1
    You asinine troll. Windows is quite simply broken. Want proof? If something is f*cked up on your Windows system, and you reboot it, it frequently fixes the problem. Try that with another operating system. A reboot shouldn't fix anything, it's a symptom of the operating system breaking itself.

    Ever seen a badly hung automount on Solaris?

    Not that you are wrong in that general sense: any OS should have the means to reinitialize nearly any subsystem into a 'pristine' state without bringing down the running kernel and reloading the whole thing, but in practice Windows is not the only system that fails to meet that ideal.

  13. Re:The possible long term consquences on Anti-Spammers Win Major Court Battle · · Score: 1
    on the other hand, I'm afraid that down the line, some gov't or corp will use these rulings to stifle legitimate email/free speech/ or whatever - DMCA anyone? I'm just concerned about the long-term legal ramifications of these actions. That's all.

    Not really possible. The only precedent that is set here is that "EMarketersAmerica" and probably any set of spammers who look like they might be the ones behind that false front cannot revive that suit in that court. NOTHING of the merits of the case was decided in any way, since the spammers sued, ran into a harder fight than they expected, and managed to get the judge to allow them to drop the case before anything real got done. In the end, the suit served no long-term purpose other than to cost the defendants (operators and supporters of various anti-spam blacklists) money and hopefully to make spammers think twice about such silly suits in the future.

    By luck of getting the right judge (and filing in a state where costs are rarely awarded) the spammers involved escaped this with nothing but embarrassment. The defendants COULD have gotten costs had the judge chosen to award them, and they WOULD have had the right to dig pretty deeply into how the spammers behind the suit operated and what sorts of ISP deals they had and so forth had the case gone forward, but they escaped because the judge granted the spammers' request to simply drop the case.

  14. Re:vigilantes on Bob Barr Weighs In On Trusted Computing Group · · Score: 1

    I don't know about government 'sanction' but anyone running XP has given up their right to control their own computer to MS. The EULA includes language that essentially surrenders computer owners' rights to decide for themselves whether and when to update their system.

    When DHS sends some guys in cheap suits and sunglasses to Redmond, to discuss updating every XP machine with their special patches, what do you think Gates would say?

  15. Re:Verisign would look nice in gasoline and flame on Resolving Everything: VeriSign Adds Wildcards · · Score: 1
    All .com domains are resolving with an authoritative section of Verisign's server.. and .net's with the list of root servers. It would seem that no domain should ever resolve with either of those as an authority.. The real dns server for the domain should. Hopefully BIND and other DNS packages will start blocking domains that have a root server or a verisign server as the authoritative dns server.

    Look more carefully. The response is an A record for the queried name plus a bunch of additional records for the net zone itself, pointing at the gtld-servers.net machines. The gtld-servers.net domain belongs to Verisign. Those ARE the authorities for *.net names, and it is reasonable for a query of a *.net name to return them as additional records.

    The reason Verisign can do this (in the 'technically capable of' sense) is that they ARE the authority for everything under com and net. If your resolver starts shunning the gtld-servers.net machines, it will simply cease to resolve *.com or *.net names at all.

  16. Re:How can we undo this? on Resolving Everything: VeriSign Adds Wildcards · · Score: 1

    ICANN and DoJ

    More like DoC where C=Commerce. ICANN is pretty much a useless talking shop with an unhealthy affection for NSI/Verisign. ICANN masquerades as a global community entity, but in fact it is a creature of the USDoC and it seems extremely unlikely that ICANN will do anything useful to curb Verislime without a threat of death.

    Not that I really think that will happen... The alternative to the current system of registries for profit is to return them to the status of public trusts contracted out purely for rote service, and that's where the incompetent, surly, and plodding quality of service notable at NSI comes from: they built it up over years of being The InterNIC and not having anyone competing with them. If the Clinton Administration could not bring itself to proclaim the DNS root and existing gTLD's as a public trust, Halliburton East ^W^WThe Bush Administration surely won't.

    I don't see a likely solution. The best case would be for ICANN to stand up to the incompetent amoral liars at Verisign and reassign the .com and .net registries to a new operator with a tougher contract. ICANN has yet to show themselves capable of saying NO to Verisign in regards to those registries and I doubt they ever will.

  17. Re:Shorting Microsoft (prepare for battle) on Resolving Everything: VeriSign Adds Wildcards · · Score: 5, Interesting

    The IE redirect to the MSN search mess is configurable: you can turn it off AND turn off the stupid useless 'all errors are one thing' error page and make IE actually give you something useful, at least with IE 5.5 and 6.

    HOWEVER, you can bet that MS and AOL and everyone else who does something interesting and useful with HTTP queries that look for bad domain names (like some ISP's that have proxies for users and some companies that have proxies for employers) will be pissed off. Different people like to do different things with their NXDOMAIN responses, and Verisign has just made sure that a lot of those responses never happen and that only Verisign gets to choose what the user sees instead.

    There essentially are no more unregistered .(com|net) domains. Verisign has just in effect registered all unregistered domains in those TLD's and pointed them at their own little cash-spinner.

  18. Re:What about engineering on Ford To Move To Linux · · Score: 2, Insightful

    FWIW, I know from professional acquaintances here in Detroit that Ford also has Solaris machines. In the end, there is no such thing as a one-platform company of the Fortune 100 scale. Even MS has people who use Macs and they probably have at least experimental machines running just about every other OS.

    For an 'old economy' business, switching 'primary' platforms isn't something that CAN be done in less than a few years and is something that is not usually done without a lot of planning and in very small steps. I would expect their engineering software to switch platforms on the sort of timeframe that engineering jobs turn over at Ford (i.e. not terribly fast.)

  19. Very significant if true... on Ford To Move To Linux · · Score: 1

    I have to admit that I'm skeptical of the sourcing of this (El Reg and The Scotsman???) but it is a significant shift when you consider that Ford is one of the largest corporate entities in the world AND that they have a significant history of being visibly cozy to MS. For example, they were apparently happy to be used by MS (for example, here) as a marketing tool.

    In addition, as recently as 1999 Ford IT was promoting a "Microsoft-centric strategy" to the extent that using Microsoft technology was more important than using functional technology for new projects.

  20. Re:The usual glib criticisms of SPEWS on Osirusoft Blacklists The World · · Score: 1

    "Please tell me more about these ISP-critical machines that don't affect innocent users. But then why are they critical?"

    These would be the sorts of machines that Spamhaus targets when it does its (rare) escalations: corporate mail servers and the IP space around them. The machines that the ISP needs to conduct business, not the machines of their customers.

    You will note that the SBL escalations tend to last only a matter of hours before ISP's have a change of heart about ejecting their spammers.

  21. Re:Well, fine, but... on Osirusoft Blacklists The World · · Score: 2, Informative

    "He did, several weeks ago." Can you cite something public to support that? I can't find a post from Joe in any of the public fora focused on spam for months. I suppose one could consider the increasingly poor availability of DNS under osirusoft.com a message of some sort, but it surely wasn't a very clear one. (Note that I do not use Joe's DNSBL and have not and would argue that Joe Jared has been making DNSBL's look bad for a long time.)

  22. Re:Mac: False Sense of Security on Mac's Immunity To Recent Virus Attacks · · Score: 5, Informative

    For both points, you are referring to problems that have to be opened up explicitly. By default, all those excellent remote user capabilities are turned off, and the one place that uses fb_realpath() (the FTP server) is off by default.

    The situation on X is not as good as it was with, for example, 7.0, where getting anything remotely exploitable up demanded a multi-digit number of clues, but it is still many steps back from the default Windows situation. After all, who outside of Redmond is conscious of the fact that every Windows machine is running a DCOM RPC endpoint mapper?