What you have to do is migrate in a series of stages. First you configure your desktop Outlook clients to listen to a POP3 server. Then you set up a new mail server with something like exim and qpopper. Then you reconfigure Outlook to send via SMTP. Then you turn off the Exchange server altogether. Then you migrate your desktops from Outlook on Windows to Thunderbird on Windows. Then to Thunderbird on GNU/Linux.
That displays a profound ignorance of real Exchange/Outlook captive environments. Your gaps:
Unified mail-integrated scheduling. If I want to set up a meeting with 6 people in a conference room near me using Outlook talking to Exchange, I can toss them all into a new meeting request and hunt down shared free time, even if I can't see the details of what they are doing when busy or out. When I find a time, I save it and they all get mail with accept/decline/tentative buttons. This is NOT a MS invention and in fact in some ways they do it worse than Notes or PROFS/OfficeVision, but it is simply Not There in your migration suggestion. People really use this and rely on it.
Server-based mail storage and organization. POP3 can't do this. IMAP can, and Outlook is not a hopeless IMAP client. Unfortunately, IMAP servers are painful to set up and manage.
Server-based rules and auto-responses. These suck terribly in Exchange compared to what you can do with open source tools, but they are in a sense cheaper: Exchange comes with the crap all put together in one big shit sandwich, no assembly required. Handing users the functional equivalent in open source tools takes serious work. Users won't learn regex for procmail. They probably won't learn sieve. They might not even learn how to set up vacation. This means that duplicating Exchange functionality is a lot of really crappy work, even if you're only functionally recreating crap.
Auto-archive. This is a highly useful and widely used feature that MS has actually implemented reasonably well. Why this isn't a standard feature in every mail client in existence, I don't understand. For corporate systems, it is indispensable.
I should note that I'm no fan of Microsoft and use no Microsoft software unless someone pays me to do so, on their machines. I particularly despise Microsoft's mail software. Maybe a peek at a rant of mine will help back that up. Unfortunately, knowing that overall Exchange, Outlook, and Outlook Express are responsible for a large slice of the mess that has been made of mail does not make eliminating these toxic bits of software easy. The Exchange/Outlook combination might have gotten into many places based on deception, monopoly abuse, and bullying, but it has stayed in place long enough and evolved far enough that at this point many users and organizations have let themselves become dependent on a set of integrated features that are very hard to replicate with any other set of software, free or commercial.
I'm guessing you didn't bother with reading the article.
There was no premature report of anything. There was a peer-reviewed article published in Cell Thursday, 7 months after it was submitted. Human trials are likely to start in about a year. The Slashdot headline seems to be a complete invention of some idiot at Slashdot: nothing in the referenced National Post article or the actual Cell article says anything about human treatment (or any other milestone) in two years. If you think a Slashdot headline is anything more than loosely connected to the meat of the referenced story, you have not been paying much attention.
Publishing in peer-reviewed journals like Cell is how communication between scientists about current work is done. We didn't hear about this work 7 months ago (when the paper was submitted); we heard about it now. Scientists do sometimes make premature announcements (see Cold Fusion) but this is not such a case.
As for venture capital, that's not a huge issue in this case as there's no new drug and no particularly special mode of administration. Nothing to be hoarded by "intellectual property" trolls.
Yes, from a legal standpoint they have just 'opened' up the flood waters. If you censor even one message/data/item/etc passing through a system under your control, you lose common carrier/neutral party status and are held liable for everything that now occurs.
WRONG!
That legal urban legend has been wandering around the net for many years, but it has never actually been true, at least under US law. ISP's have never been common carriers as ISP's (which is part of why the ISP/ILEC wall exists in ILEC-owned ISP's) but they are generally treated as non-publishers of material even when they pick and choose what they allow quite severely.
There is a surviving piece of the CDA and a clause in CAN-SPAM that quite explicitly give ISP's the power to filter content as they please without liability.
Verizon is a "common carrier" only in the businesses that the FCC says they are, and the FCC has repeatedly refused to regulate Internet service OF ANY SORT as a "common carrier" service. The implication in the article title that Verizon has "common carrier status" for their Internet services that could be lost is a lie.
Some shred of relevance to the post you are responding to would help too.
The relevance of the article's topic to the current situation is that CO2 as the mediator for precipitous global warming has a precedent. The explanation of how the planet got from Snowball Earth to the Cambrian steambath is based in the same science as the predominant modern theories about the effect of humans turning large quantities of sequestered carbon back into CO2. The theories look a lot more plausible with a very long timescale map that is consistent with the models developed from basic physical facts (like CO2 thermal opacity, the albedo of ice, etc.) and much shorter-time sets of evidence. Snowball Earth looks like an inevitable path to a very dead end except for the fact that it effectively shuts down CO2 sequestration, allowing volcanic release to build levels high enough to counter the self-reinforcing deep freeze with the Greenhouse Effect.
Of course, the problem with this seems to be related to Clarke's Law, that sufficiently advanced technology is indistinguishable from magic (by those who don't understand it.) If you don't understand the science behind modern theories of human-driven global warming, it looks like so much religious bullshit, and more science you don't understand confirming past precipitous warming just looks like more reason to see the whole thing as mystical and beyond understanding. Beyond yours? Apparently so. That's not true for people who do understand the science that is behind both the explanation for why Snowball Earth melted and for why we are now seeing warming that has no precedent in the brief period of civilized history and which runs counter to where natural cycles should be taking the climate.
In all seriousness though, how can the Earth being an axial dipole (2 magnetic poles along a single axis) hundreds of millions of years ago suggest an Earth that was covered by up to a kilometer of ice?
You missed the other parts.
There is a pattern of evaporite and carbonate rocks that implies rather cold conditions.
The magnetic alignments in the various trace minerals (i.e. ferrites etc.) in that rock imply that it was formed at the magnetic equator, i.e. the rotational and climatic equator IFF the Earth's magnetic field was much like it is now in relationship to rotation and solar orientation.
The new data is that during the relevant period the orientation of the magnetic and rotational axes were close and aligned to roughly the orbital (i.e. heating relevant) axis. Like now. Like most of the time in the past 4 billion years, but not really all of the time. Combined with the prior data, it nails down the hypothesis that the hottest latitudes on Earth for a score or so of centuries was transitioning from the balmy clime of today's Northern Greenland to today's torrid Newfoundland. At the equator. Brrr.
I use -all and I stuck it in there on purpose. SPF's page says: -all No other servers are allowed to send mail from xxxxxx.com. This is a good default for sites particularly concerned about forgery.
The promoters of SPF are not always up-front and clear about the risks. They do mean well.
What in your opinion is wrong with using -all?
It is not necessarily wrong, but it does carry risks. The traditional (and still by far most common) mechanisms for email forwarding, such as the use of sendmail alias entries and .forward files, do not modify the SMTP envelope or headers when passing along messages. The result is mail that fails an SPF check. The "Sender Rewriting" scheme that was proposed with SPF is implemented by approximately one forwarder (pobox.com, whose boss is the most prominent SPF cheerleader) while all of the professional organizations (e.g. acm.org) forwarding for members and colleges (e.g. Cornell, UMich, UCBerkeley) forwarding for alumni basically have ignored that bad idea as they have ignored SPF. If you mail to a forwarded address from a -all domain, your correspondent's final delivery system needs to be ignoring SPF altogether or specially for the forwarding site, or the mail will seem bogus to them.
I see a bunch of domains using ~all which I view as fudging on their part.
It's an admission of reality. Aside from the forwarder issue, there are a number of other edge cases where for some domains it is impossible to say with certainty where non-forged mail may be coming from. A lot of people with freemail accounts regularly send their mail via relay systems of convenience (i.e. access provider mail relays) but with SMTP envelope senders and From headers that use their Yahoo or Hotmail or GMail addresses. Using a -all default in SPF implies a policy that all of your users must exclusively use your defined outbound relays at all times for all of their mail, no matter where in the world they may be sitting. That's not a bad policy per se, and is quite suitable for many domains, but it is a nightmare to make possible for many others. There is also a widespread and chronic bit of minor misbehavior (not universally recognized as such...) practiced by various service providers (including resume services, clipping services, and news services) where the service provider sends mail to their user or to arbitrary third parties using the address provided by their user as the SMTP sender and the From header. The most common places a recreational user would see that would be in the "mail a friend this story" gadgets at many online news sites and "electronic greeting card" systems, but modern businesses use a surprising collection of other online outsourcing services that use similar approaches.
As an example... One mail system I run serves a few thousand business users for one company with multiple brand identities and hence about a dozen email domains. For a year I tried to keep track of the places we legitimately received mail from using one or more of those domain names as senders, essentially building an address list serving the same function as an SPF record. It never stopped changing and growing, and at the end of that year it was dozens of distinct address ranges for dozens of business partners and between new partners and network flux of existing partners the list was never stable for more than a week and was not slowing its rate of change at the end of that year. Publishing that list as an SPF record would have published to the world some relationships that are not suitable for such universal announcement, and would have required ongoing maintenance with no hope of ever stabilizing. We can't publish an SPF record for the world at large with *any* derogatory default (even ?all, which some sites will interpret as derogatory in the context of positive entries) without keeping track of which relationships are fully public and which are relevant to whi
I run mail systems professionally for others and I have my own little domains. I use SPF, and for my personal domains use -all defaults. I played a minor role in a precursor idea to SPF (the "Designated Sender" protocol.) I have tried to investigate whether that claim (or ANY positive claim about SPF) is fact both directly with systems I manage and by seeking out all of the data I can find, and have been looking for such evidence for a couple years now with little success. I have never been able to find any convincing evidence that what you claim is true, although many people have claimed it based on hypotheticals. If you have any hard data, I would sincerely love to see it.
1) Fewer mail systems produce bounces. Not none, but fewer.
Here's a short version of the message you are replying to, since you clearly missed the point of my long-winded version:
Systems that generate bogus bounces are obsolete by design. They are extremely unlikely to be looking at SPF and are unlikely to do so in the future except as part of redesigns that would eliminate the bogus bounces without SPF. SPF provides nothing in the area of reducing bogus bounces that can have a significant effect in a wisely designed modern mail system.
Rather than having fewer systems generate bogus bounces, SPF can be used in a marginal way to identify situations where a bounce should not be sent vs. those where the message at least seems to not have a forged sender. In other words: to assure bounce quality rather than trying to re-architect a system to reduce them. That's more a matter of theory than practice, but it COULD be done. I've not seen any sign that a detectable number of mail systems ARE doing it.
2) An increasing number of mail systems reject or at least flag mail from domains with mismatching SPF records as spam. Therefore spammers try to avoid sending from domains with strict SPF records.
The first sentence is demonstrably true, although that number remains very small. The second claim is not supported by my own testing (I have some very heavily forged domains that I have used to test the hypothesis) but I am always eager to see hard evidence of something actually working to drive away forgery.
So? The important thing is that I can use SPF to protect myself from thousands of bounces when a spammer uses one of my email addresses in the From: header.
That's a false hope. I know from very direct experience that it does not work today, and logically it is unlikely to ever work.
The underlying reason that "blowback" from forged spam is a problem is that a lot of people are still running mail systems that are designed (to whatever degree they are designed rather than thrown together) with mid-90's assumptions that are no longer true:
Most mail is legitimate
An insignificant fraction of junk mail uses SMTP envelope or From header sender addresses that exist but don't belong to anyone associated with the sending of the crap
Enough legit mail is innocently mis-addressed that having a few percent of address-typo'd mail silently dropped is unacceptable damage.
Exposing the (in)validity of recipient addresses at your external border at RCPT time in SMTP is a significant information leak.
The system complexity and fragility added by making as much rejection as possible happen synchronously at the SMTP border is too high a cost for its benefits
The result is mail systems that accept mail rather promiscuously, storing and queueing it up for steps like filtering or forwarding to other internal systems for delivery. Those later steps can result in failure, and the mid-90's assumptions about mail lead to the decision to follow the traditional rules and generate a bounce for any failed message. SPF (or any other sender authentication scheme) can only help if those systems that are living in the past implement its use in deciding whether to accept mail and/or whether to generate a bounce for mail. Many blowback-generating mail systems can eliminate blowback completely (or for less cost: 5-nines complete) simply by rearchitecting for modern realities, without bringing SPF into the picture.
Being in the position of running largish mail systems, I can see quite starkly that SPF alone as a blowback control would do more harm than it is worth. Real mail systems get legitimate mail from domains run by fools who can't get their SPF records right and use "-all" as a trailing default. Real mail systems get mail transparently forwarded to them through sites that do not modify the SMTP sender, no matter how much the SPF cheerleaders would like them to. Real mail systems can't absolutely trust SPF when it is derogatory unless they are willing to accept occasional loss of otherwise perfectly legitimate mail.
From the point of view of the banks or the customers as a whole its not a big enough problem to put a lot of effort into. The small fraction of people who are impacted can be devastated, but they aren't a big enough voice to encourage banks to take actions that would minimize fraud.
The market is moving a lot of financial institutions towards better security and a few even towards harder lines with bozo customers (as the article points out....) More of that would be better. Making all customers pay for the very few who fall for phishes is not exactly fair. Ideally, financial institutions would have serious security requirements for their customer-facing systems, but that's a bit unrealistic to ask for in the US for the foreseeable future. It is more likely that banks will be allowed to screw the customers who earn their screwing. You can bet that they will do so more as they make it harder for customers to blame the banks after they hand authentication information to phishers.
For that matter, customers as a whole probably aren't the best people to decide how to minimize fraud. The banks or the experts they hire would be the ones with the expertise, so let them do it.
Customers don't need to know how to make systems phish-resistant to make up an informed market. They only need to recognize the expert judgment of the phishers about what systems are or are not attractive targets. Anyone doing business with a chronically heavily-phished bank should be looking for a new bank. (or maybe a credit union instead, but that's a different rant... ) Not all financial institutions get targeted, and not all of those who have been heavily targeted in the past remain so.
You just need to give them an incentive, and paying for fraud is it.
It's good to read more than the headline... The point of the article, mentioned in the /. summary, is that a bank almost made phishees pay for their own mistakes. That's somewhat novel.
For the most part, financial institutions do cover consumer fraud losses and have done so for a long time. In the US they are required to cover most consumer account fraud (even that which is due to customer carelessness) and many cover the last $50 that they could make phished fools pay. Often banks even extend that consumer protection to cover small businesses, although not always. Similar laws and practices exist elsewhere. Years of that approach have kept phishing healthy, because it allows the banking institutions to paper over their part of the root causes and it fails to make stupid carelessness a costly problem for the phishees. If you could make the bank managers and directors and shareholders pay out of their personal pockets, maybe that would have an incentive effect to make phishing harder, but that's not the way corporate capitalism works.
A useful incentive to better security would be to establish security standards that would allow them to flip the presumption of responsibility for phishes back on the idiots falling for them. Not a likely change in the US given that the current bozos in power reflexively oppose telling businesses what to do in any way, and both major parties cater to the careless fool vote.
The customer is incapable of forcing the bank to make even the most basic and obvious gestures to security.
Individual customers can't, particularly if they don't speak up, but large numbers of customers being vocal and moving on send a message banks will listen to.
Putting the financial burden of fraud on the consumer gives the banks every incentive to ignore the problem.
Where do you think the 'burden' will fall for banks that are for-profit companies? The shareholders? Management? Are you high?
There are really just two options for recovering phishing costs that can't be recovered from the phisher: spread the cost among all of a bank's customers or make each phishing "victim" bear the cost of their stupidity. Unless you're an imbecile, the latter is probably better for you.
And don't point to market forces because no one bank is going to be able to single-handedly shoulder the burden of handling fraud and pushing the other banks to do so, especially when they don't have to.
The bottom line is that corporations don't protect consumers unless they're forced to by financial incentives or legal disincentives against wrongdoing.
I think you don't understand how the market forces can work here. Having phish-resistant online systems attracts smarter customers and reduces phishing successes even with the idiots. Banks don't all have to do the right things at once and they don't have to do globally effective things 'single-handedly' to fix their own individual situations. Clueful customers and those who fear that they themselves might fall for phishes both have reasons to pick banks that are hard to phish, and phishing costs inevitably include some that start with the bank and cannot be pushed back on the victim. Smart bank managers make their systems phish-resistant because it is good business for competitive reasons, not because it is the 'right thing.' They have financial incentives to be phish-resistant.
I should probably add that there are phish-resistant financial institutions. No level of diligence can completely protect a system from gullible customers, but with the market being rich with idiotic organizations that aim for the heavy side of Sturgeon's Law as a customer base, it is not terribly hard for a financial institution to avoid being the low-hanging fruit for phishers.
The article clearly mentions a partnership with "Mazda, Ford, and GM."
They're 3 different companies. (Though Mazda is 1/3 owned by Ford.)
Of course Ford and GM are quite distinct, but Mazda is virtually a Ford division. Ford's ownership is a 33% plurality, not a majority, but Ford effectively controls Mazda, and product development cooperation between the Ford brands these days is very tight. Ford considers Mazda one of their brands. (see www.ford.com)
So, the proper headline would be about Apple making deals with both Ford and GM. I expect Slashdot's amateur editors to screw up headlines and blurbs badly, but it's rather remarkable that BusinessWeek buried the strategic significance of this 3 paragraphs down. Apple has now done iPod deals with all of the big German automakers, all of the big US automakers, and all of the big Japanese automakers. There will be *iPod* connectors available in most cars for the 2007 model year, and they are on the same path we've seen for power windows, CD players, and air conditioning. Unlike those features, the iPod connector is a proprietary tie-in to a single manufacturer's specific product.
No I don't mean about Vista, I mean about what Thurrott has to say. I've RTFA about a half-dozen times this year to his articles, and have become convinced that he's just not very bright. I don't get why his stuff gets linked to at all.
Example from this time: the whine about IE7 and his employer's use of ActiveX. This is a problem of Microsoft's? I'm all for punishing them for their past sins, and ActiveX qualifies, but to use them doing the right thing to kill off dangerous controls in IE7 (which is what his description sounds like) as ammo in talking about Vista being broken is unfair, and worse: it's shallow. A deeper thinker might note that their choice to DTRT in IE7 will cause pain, but it really isn't part of a case for whether Vista is or is not ready.
So is this guy capable of writing anything that isn't a waste of the reading time, or are the things /. links to indicative, and if so, what keeps him visible? Is he buying off editors? (j/k)
I personally use Fink (and love it, for all of its flaws), but it's sad to me to see a good alternative source for OSS on OS X bite the dust.
That points out why it is shutting down. Not much of anyone outside of a handful of core developers ever cared to understand what OpenDarwin was intended to be. DarwinPorts (e.g. the Fink alternative) was not it.
Apple doesn't really want an independent developer community hacking on Darwin and defining what Darwin is. So now, they won't even have anyone trying to do that.
That ignores a decade of specific facts about Apple and the norms of the industry.
Everyone in the industry reports units shipped. The way independent retailers work, a manufacturer selling through them can't nail down a 'sold to end user' number for months with any solidity.
Jobs' big concrete business contribution when he returned to Apple was to smash the old tempting retail pipeline that could get stuffed and which Apple *had* stuffed to their own delusion and eventual distress a few times in the early to mid 90's. Apple no longer has independent Apple dealers worth speaking of, and their own stores are kept very thin on inventory. They also sell a large fraction of their systems directly through the online store, where 'shipped' is identical to 'sold'.
The original comparison to Sony stuffing the pipeline with PSP's points up a key reason that Apple can't play that trick any more: Apple's product cycle on the Mac side is too fast for a stuffing event to wind out before the stuffed hardware is discontinued.
Think about this more carefully. The story says "load WGA or you will be shut off."
Q: How does that work, exactly?
A: Obviously, Microsoft has shipped the killswitch in some other part of the base OS (XP and maybe 2000) and it knows to look for WGA approval in Fall 2006.
Q: What was the original target ship date for the next major revision of Windows (then called Longhorn?)
A: For about 2 years, the date was "2 years from now" and that included a lot of time before Fall 2006 for people to be running Longhorn/Vista.
If this story is true (and I have my doubts, even though I am not a fan or even a customer of MS and do not think that any sort of misbehavior is beneath them) then the killswitch clearly went into the OS (not WGA, WGA is the anti-killswitch) before the phrase "Longhorn Release Date" became a bad joke and "Vista Release Date" a worse one.
EETimes did a fact-rich article in March. The first paragraph of the second page is most illuminating. It seems the "startup" that owns the secret encryption mechanism lacks any visible means of support, and it is a "spinoff" of a government body.
IMHO there is far too much polite gentility and benefit of the doubt shown in the media, and ISO, and WTO and even /. to the thugs who run China. There's no moral or technical equivalency involved here. The Chinese government presented WAPI late accompanied by protectionist threats and has been whining disingenuously about the world mistreating it in the process ever since. WAPI has received over 2 years of special treatment because the rest of the world relies on Chinese de facto slave labor to build its electronic goods. If the ISO process was being run honestly with a legitimate goal of defining a trustworthy secure standard that can be widely implemented in interoperable and competitive ways, WAPI would have been dismissed when first proposed.
It was only about 20 years ago that Z-D tasked Dvorak with trolling Mac users as the inside back cover columnist for the old MacUser, where he openly admitted to writing things to inflame Mac users enough that they'd have to buy the magazine just to have reference for their 10-page crayon screeds to the editors against him. And if ancient history and paper is too hard, he has said what he said to Winer on at least a half-dozen TWiT podcasts over the past year. This is not news, it is Dvorak stating an obvious truth for the umpteenth time. He is apparently still getting a chuckle from the fact that some people who take everything too seriously (e.g. Dave Winer) still don't get the joke after having it explained to them repeatedly over decades. If Winer really thinks this is some great revelation of sin, he's got his head further inserted than ever.
It is the job of anyone who writes for ad-supported media to attract eyeballs, and Dvorak has never been ashamed of doing that job. Being scandalized by his honesty says a lot more about the intelligence (or maybe integrity) of those who are scandalized than it says about Dvorak.
There's no way Apple could have had any real quality determination yet. They had hired 5% of their 1-year headcount and had not fully trained managers yet.
It is clear that you're speaking of Canada, maybe. Not the US. Aside from the tiny minority of US workers represented by unions, most of us could only dream to have the sort of generous treatment Apple provided to its Indian workers. 2 months severance? Sweet. When I was part of a "reduction in force" in 2001 there was absolutely nothing illegal about the fact that we had no notice and no severance. Most US workers are "at will" and our tenure of employment is not covered by any law at all.
Why do you say that? All I could see in the article was: Representatives of Microsoft and Adobe were not immediately reachable for comment. - that's not refusing to comment.
Given El Reg's usual journalistic and editorial standards (nearly as high in quality as /.) that statement could easily mean nothing more than that there were no Adobe or MS representatives sharing the restroom stall from whose wall this rumor was read.
of course not, silly.
It's the thought that counts.
WRONG!
That legal urban legend has been wandering around the net for many years, but it has never actually been true, at least under US law. ISP's have never been common carriers as ISP's (which is part of why the ISP/ILEC wall exists in ILEC-owned ISP's) but they are generally treated as non-publishers of material even when they pick and choose what they allow quite severely.
There is a surviving piece of the CDA and a clause in CAN-SPAM that quite explicitly give ISP's the power to filter content as they please without liability.
Verizon is a "common carrier" only in the businesses that the FCC says they are, and the FCC has repeatedly refused to regulate Internet service OF ANY SORT as a "common carrier" service. The implication in the article title that Verizon has "common carrier status" for their Internet services that could be lost is a lie.
Some shred of relevance to the post you are responding to would help too.
The relevance of the article's topic to the current situation is that CO2 as the mediator for precipitous global warming has a precedent. The explanation of how the planet got from Snowball Earth to the Cambrian steambath is based in the same science as the predominant modern theories about the effect of humans turning large quantities of sequestered carbon back into CO2. The theories look a lot more plausible with a very long timescale map that is consistent with the models developed from basic physical facts (like CO2 thermal opacity, the albedo of ice, etc.) and much shorter-time sets of evidence. Snowball Earth looks like an inevitable path to a very dead end except for the fact that it effectively shuts down CO2 sequestration, allowing volcanic release to build levels high enough to counter the self-reinforcing deep freeze with the Greenhouse Effect.
Of course, the problem with this seems to be related to Clarke's Law, that sufficiently advanced technology is indistinguishable from magic (by those who don't understand it.) If you don't understand the science behind modern theories of human-driven global warming, it looks like so much religious bullshit, and more science you don't understand confirming past precipitous warming just looks like more reason to see the whole thing as mystical and beyond understanding. Beyond yours? Apparently so. That's not true for people who do understand the science that is behind both the explanation for why Snowball Earth melted and for why we are now seeing warming that has no precedent in the brief period of civilized history and which runs counter to where natural cycles should be taking the climate.
You missed the other parts.
The new data is that during the relevant period the orientation of the magnetic and rotational axes were close and aligned to roughly the orbital (i.e. heating relevant) axis. Like now. Like most of the time in the past 4 billion years, but not really all of the time. Combined with the prior data, it nails down the hypothesis that the hottest latitudes on Earth for a score or so of centuries were transitioning from the balmy clime of today's Northern Greenland to today's torrid Newfoundland. At the equator. Brrr.
The promoters of SPF are not always up-front and clear about the risks. They do mean well.
It is not necessarily wrong, but it does carry risks. The traditional (and still by far most common) mechanisms for email forwarding, such as the use of sendmail alias entries and .forward files, do not modify the SMTP envelope or headers when passing along messages. The result is mail that fails an SPF check. The "Sender Rewriting" scheme that was proposed with SPF is implemented by approximately one forwarder (pobox.com, whose boss is the most prominent SPF cheerleader) while all of the professional organizations (e.g. acm.org) forwarding for members and colleges (e.g. Cornell, UMich, UC Berkeley) forwarding for alumni basically have ignored that bad idea as they have ignored SPF. If you mail to a forwarded address from a -all domain, your correspondent's final delivery system needs to be ignoring SPF altogether or specially for the forwarding site, or the mail will seem bogus to them.
It's an admission of reality. Aside from the forwarder issue, there are a number of other edge cases where for some domains it is impossible to say with certainty where non-forged mail may be coming from. A lot of people with freemail accounts regularly send their mail via relay systems of convenience (i.e. access provider mail relays) but with SMTP envelope senders and From headers that use their Yahoo or Hotmail or GMail addresses. Using a -all default in SPF implies a policy that all of your users must exclusively use your defined outbound relays at all times for all of their mail, no matter where in the world they may be sitting. That's not a bad policy per se, and is quite suitable for many domains, but it is a nightmare to make possible for many others. There is also a widespread and chronic bit of minor misbehavior (not universally recognized as such...) practiced by various service providers (including resume services, clipping services, and news services) where the service provider sends mail to their user or to arbitrary third parties using the address provided by their user as the SMTP sender and the From header. The most common places a recreational user would see that would be in the "mail a friend this story" gadgets at many online news sites and "electronic greeting card" systems, but modern businesses use a surprising collection of other online outsourcing services that use similar approaches.
As an example... One mail system I run serves a few thousand business users for one company with multiple brand identities and hence about a dozen email domains. For a year I tried to keep track of the places we legitimately received mail from using one or more of those domain names as senders, essentially building an address list serving the same function as an SPF record. It never stopped changing and growing, and at the end of that year it was dozens of distinct address ranges for dozens of business partners and between new partners and network flux of existing partners the list was never stable for more than a week and was not slowing its rate of change at the end of that year. Publishing that list as an SPF record would have published to the world some relationships that are not suitable for such universal announcement, and would have required ongoing maintenance with no hope of ever stabilizing. We can't publish an SPF record for the world at large with *any* derogatory default (even ?all, which some sites will interpret as derogatory in the context of positive entries) without keeping track of which relationships are fully public and which are relevant to whi
I run mail systems professionally for others and I have my own little domains. I use SPF, and for my personal domains use -all defaults. I played a minor role in a precursor idea to SPF (the "Designated Sender" protocol.) I have tried to investigate whether that claim (or ANY positive claim about SPF) is fact both directly with systems I manage and by seeking out all of the data I can find, and have been looking for such evidence for a couple years now with little success. I have never been able to find any convincing evidence that what you claim is true, although many people have claimed it based on hypotheticals. If you have any hard data, I would sincerely love to see it.
Here's a short version of the message you are replying to, since you clearly missed the point of my long-winded version:
Systems that generate bogus bounces are obsolete by design. They are extremely unlikely to be looking at SPF and are unlikely to do so in the future except as part of redesigns that would eliminate the bogus bounces without SPF. SPF provides nothing in the area of reducing bogus bounces that can have a significant effect in a wisely designed modern mail system.
Rather than having fewer systems generate bogus bounces, SPF can be used in a marginal way to identify situations where a bounce should not be sent vs. those where the message at least seems to not have a forged sender. In other words: to assure bounce quality rather than trying to re-architect a system to reduce them. That's more a matter of theory than practice, but it COULD be done. I've not seen any sign that a detectable number of mail systems ARE doing it.
The first sentence is demonstrably true, although that number remains very small. The second claim is not supported by my own testing (I have some very heavily forged domains that I have used to test the hypothesis) but I am always eager to see hard evidence of something actually working to drive away forgery.
That's a false hope. I know from very direct experience that it does not work today, and logically it is unlikely to ever work.
The underlying reason that "blowback" from forged spam is a problem is that a lot of people are still running mail systems that are designed (to whatever degree they are designed rather than thrown together) with mid-90's assumptions that are no longer true:
The result is mail systems that accept mail rather promiscuously, storing and queueing it up for steps like filtering or forwarding to other internal systems for delivery. Those later steps can result in failure, and the mid-90's assumptions about mail lead to the decision to follow the traditional rules and generate a bounce for any failed message. SPF (or any other sender authentication scheme) can only help if those systems that are living in the past implement its use in deciding whether to accept mail and/or whether to generate a bounce for mail. Many blowback-generating mail systems can eliminate blowback completely (or for less cost: 5-nines complete) simply by rearchitecting for modern realities, without bringing SPF into the picture.
Being in the position of running largish mail systems, I can see quite starkly that SPF alone as a blowback control would do more harm than it is worth. Real mail systems get legitimate mail from domains run by fools who can't get their SPF records right and use "-all" as a trailing default. Real mail systems get mail transparently forwarded to them through sites that do not modify the SMTP sender, no matter how much the SPF cheerleaders would like them to. Real mail systems can't absolutely trust SPF when it is derogatory unless they are willing to accept occasional loss of otherwise perfectly legitimate mail.
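The forwarding failure described in the SPF comments above can be reproduced with a small evaluator. This is an added example, not code from the original comments: the domains, addresses and records are constructed (documentation ranges), only the `ip4` and `all` mechanisms are handled, and `receiver_verdict` with its `trusted_forwarders` parameter is a hypothetical receiver policy.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (assumed values).
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, envelope_sender, records=SPF_RECORDS):
    """Evaluate the ip4 and all mechanisms for the envelope sender's domain."""
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def receiver_verdict(client_ip, envelope_sender, trusted_forwarders=()):
    """Hypothetical final-delivery policy: reject on SPF fail unless the
    connecting host is a forwarder this site has chosen to exempt."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in trusted_forwarders):
        return "accept (SPF skipped for known forwarder)"
    result = check_spf(client_ip, envelope_sender)
    return "reject" if result == "fail" else f"accept (spf={result})"


def scenarios():
    """The same message from alice@sender.example, delivered four ways."""
    return {
        # Sent straight from the domain's own outbound relay.
        "direct": receiver_verdict("192.0.2.10", "alice@sender.example"),
        # Alias or .forward at forwarder.example: envelope sender unchanged,
        # but the connecting IP is now the forwarder's.
        "plain_forward": receiver_verdict("198.51.100.25", "alice@sender.example"),
        # Forwarder rewrites the envelope sender into its own domain.
        "rewritten_sender": receiver_verdict(
            "198.51.100.25", "fwd-alice@forwarder.example"),
        # Receiver exempts the forwarding site from SPF checks.
        "forwarder_exempted": receiver_verdict(
            "198.51.100.25", "alice@sender.example",
            trusted_forwarders=["198.51.100.0/24"]),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:20} {verdict}")
```

Only the plain forward is rejected: the message is unmodified and legitimate, but the `-all` record no longer matches the host that hands it to the final delivery system.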
The market is moving a lot of financial institutions towards better security and a few even towards harder lines with bozo customers (as the article points out. ...) More of that would be better. Making all customers pay for the very few who fall for phishes is not exactly fair. Ideally, financial institutions would have serious security requirements for their customer-facing systems, but that's a bit unrealistic to ask for in the US for the foreseeable future. It is more likely that banks will be allowed to screw the customers who earn their screwing. You can bet that they will do so more as they make it harder for customers to blame the banks after they hand authentication information to phishers.
Customers don't need to know how to make systems phish-resistant to make up an informed market. They only need to recognize the expert judgment of the phishers about what systems are or are not attractive targets. Anyone doing business with a chronically heavily-phished bank should be looking for a new bank. (or maybe a credit union instead, but that's a different rant... ) Not all financial institutions get targeted, and not all of those who have been heavily targeted in the past remain so.
It's good to read more than the headline... The point of the article, mentioned in the /. summary, is that a bank almost made phishees pay for their own mistakes. That's somewhat novel.
For the most part, financial institutions do cover consumer fraud losses and have done so for a long time. In the US they are required to cover most consumer account fraud (even that which is due to customer carelessness) and many cover the last $50 that they could make phished fools pay. Often banks even extend that consumer protection to cover small businesses, although not always. Similar laws and practices exist elsewhere. Years of that approach have kept phishing healthy, because it allows the banks to paper over their part of the root causes and it fails to make stupid carelessness a costly problem for the phishees. If you could make the bank managers and directors and shareholders pay out of their personal pockets, maybe that would have an incentive effect to make phishing harder, but that's not the way corporate capitalism works.
A useful incentive to better security would be to establish security standards that would allow them to flip the presumption of responsibility for phishes back on the idiots falling for them. Not a likely change in the US given that the current bozos in power reflexively oppose telling businesses what to do in any way, and both major parties cater to the careless fool vote.
Individual customers can't, particularly if they don't speak up, but large numbers of customers being vocal and moving on send a message banks will listen to.
Where do you think the 'burden' will fall for banks that are for-profit companies? The shareholders? Management? Are you high?
There are really just two options for recovering phishing costs that can't be recovered from the phisher: spread the cost among all of a bank's customers or make each phishing "victim" bear the cost of their stupidity. Unless you're an imbecile, the latter is probably better for you.
I think you don't understand how the market forces can work here. Having phish-resistant online systems attracts smarter customers and reduces phishing successes even with the idiots. Banks don't all have to do the right things at once and they don't have to do globally effective things 'single-handedly' to fix their own individual situations. Clueful customers and those who fear that they themselves might fall for phishes both have reasons to pick banks that are hard to phish, and phishing costs inevitably include some that start with the bank and cannot be pushed back on the victim. Smart bank managers make their systems phish-resistant because it is good business for competitive reasons, not because it is the 'right thing.' They have financial incentives to be phish-resistant.
I should probably add that there are phish-resistant financial institutions. No level of diligence can completely protect a system from gullible customers, but with the market being rich with idiotic organizations that aim for the heavy side of Sturgeon's Law as a customer base, it is not terribly hard for a financial institution to avoid being the low-hanging fruit for phishers.
Of course Ford and GM are quite distinct, but Mazda is virtually a Ford division. Ford's ownership is a 33% plurality, not a majority, but Ford effectively controls Mazda, and product development cooperation between the Ford brands these days is very tight. Ford considers Mazda one of their brands. (see www.ford.com)
So, the proper headline would be about Apple making deals with both Ford and GM. I expect Slashdot's amateur editors to screw up headlines and blurbs badly, but it's rather remarkable that BusinessWeek buried the strategic significance of this 3 paragraphs down. Apple has now done iPod deals with all of the big German automakers, all of the big US automakers, and all of the big Japanese automakers. There will be *iPod* connectors available in most cars for the 2007 model year, and they are on the same path we've seen for power windows, CD players, and air conditioning. Unlike those features, the iPod connector is a proprietary tie-in to a single manufacturer's specific product.
No I don't mean about Vista, I mean about what Thurrott has to say. I've RTFA about a half-dozen times this year to his articles, and have become convinced that he's just not very bright. I don't get why his stuff gets linked to at all.
/. links to indicative, and if so, what keeps him visible? Is he buying off editors? (j/k)
Example from this time: the whine about IE7 and his employer's use of ActiveX. This is a problem of Microsoft's? I'm all for punishing them for their past sins, and ActiveX qualifies, but to use them doing the right thing to kill off dangerous controls in IE7 (which is what his description sounds like) as ammo in talking about Vista being broken is unfair, and worse: it's shallow. A deeper thinker might note that their choice to DTRT in IE7 will cause pain, but it really isn't part of a case for whether Vista is or is not ready.
So is this guy capable of writing anything that isn't a waste of the reading time, or are the things
That points out why it is shutting down. Not much of anyone outside of a handful of core developers ever cared to understand what OpenDarwin was intended to be. DarwinPorts (e.g. the Fink alternative) was not it. Apple doesn't really want an independent developer community hacking on Darwin and defining what Darwin is. So now, they won't even have anyone trying to do that.
That ignores a decade of specific facts about Apple and the norms of the industry.
Everyone in the industry reports units shipped. The way independent retailers work, a manufacturer selling through them can't nail down a 'sold to end user' number for months with any solidity.
Jobs' big concrete business contribution when he returned to Apple was to smash the old tempting retail pipeline that could get stuffed and which Apple *had* stuffed to their own delusion and eventual distress a few times in the early to mid 90's. Apple no longer has independent Apple dealers worth speaking of, and their own stores are kept very thin on inventory. They also sell a large fraction of their systems directly through the online store, where 'shipped' is identical to 'sold'.
The original comparison to Sony stuffing the pipeline with PSP's points up a key reason that Apple can't play that trick any more: Apple's product cycle on the Mac side is too fast for a stuffing event to wind out before the stuffed hardware is discontinued.
Think about this more carefully. The story says "load WGA or you will be shut off."
Q: How does that work, exactly?
A: Obviously, Microsoft has shipped the killswitch in some other part of the base OS (XP and maybe 2000) and it knows to look for WGA approval in Fall 2006.
Q: What was the original target ship date for the next major revision of Windows (then called Longhorn?)
A: For about 2 years, the date was "2 years from now" and that included a lot of time before Fall 2006 for people to be running Longhorn/Vista.
If this story is true (and I have my doubts, even though I am not a fan or even a customer of MS and do not think that any sort of misbehavior is beneath them) then the killswitch clearly went into the OS (not WGA, WGA is the anti-killswitch) before the phrase "Longhorn Release Date" became a bad joke and "Vista Release Date" a worse one.
EETimes did a fact-rich article in March. The first paragraph of the second page is most illuminating. It seems the "startup" that owns the secret encryption mechanism lacks any visible means of support, and it is a "spinoff" of a government body.
IMHO there is far too much polite gentility and benefit of the doubt shown in the media, and ISO, and WTO and even /. to the thugs who run China. There's no moral or technical equivalency involved here. The Chinese government presented WAPI late accompanied by protectionist threats and has been whining disingenuously about the world mistreating it in the process ever since. WAPI has received over 2 years of special treatment because the rest of the world relies on Chinese de facto slave labor to build its electronic goods. If the ISO process was being run honestly with a legitimate goal of defining a trustworthy secure standard that can be widely implemented in interoperable and competitive ways, WAPI would have been dismissed when first proposed.
It was only about 20 years ago that Z-D tasked Dvorak with trolling Mac users as the inside back cover columnist for the old MacUser, where he openly admitted to writing things to inflame Mac users enough that they'd have to buy the magazine just to have reference for their 10-page crayon screeds to the editors against him. And if ancient history and paper is too hard, he has said what he said to Winer on at least a half-dozen TWiT podcasts over the past year. This is not news, it is Dvorak stating an obvious truth for the umpteenth time. He is apparently still getting a chuckle from the fact that some people who take everything too seriously (e.g. Dave Winer) still don't get the joke after having it explained to them repeatedly over decades. If Winer really thinks this is some great revelation of sin, he's got his head further inserted than ever.
It is the job of anyone who writes for ad-supported media to attract eyeballs, and Dvorak has never been ashamed of doing that job. Being scandalized by his honesty says a lot more about the intelligence (or maybe integrity) of those who are scandalized than it says about Dvorak.
Ms. Rosen is apparently unaware of what the phrase "intellectual property" means.
There's no way Apple could have had any real quality determination yet. They had hired 5% of their 1-year headcount and had not fully trained managers yet.
It is clear that you're speaking of Canada, maybe. Not the US. Aside from the tiny minority of US workers represented by unions, most of us could only dream to have the sort of generous treatment Apple provided to its Indian workers. 2 months severance? Sweet. When I was part of a "reduction in force" in 2001 there was absolutely nothing illegal about the fact that we had no notice and no severance. Most US workers are "at will" and our tenure of employment is not covered by any law at all.
Can you cite any instance where Adobe has done so?
xpdf? no. MacOS X? no. OpenOffice? no.
Have you read the PDF license?
How I saw eWeek citing the WSJ and thought Register, I can't imagine. Just stpid, I guess...
Given El Reg's usual journalistic and editorial standards (nearly as high in quality as /.) that statement could easily mean nothing more than that there were no Adobe or MS representatives sharing the restroom stall from whose wall this rumor was read.