All this is notwithstanding your rather dubious set-theory math here.. can you actually prove that the people who post a la "MS is evil, protect the consumer" are the /exact/ same people as the "Big Brother" watchers? Yes, it's true (and probably a surprise to you), slashdot does contain a range of opinions from a range of people. As such, you may be referring to two relatively (obviously not totally) discrete sets of people here: those who hate MS or are big up on consumer advocacy, and those who hate the government and are big up on civil rights. On TOP of that, both goals are essentially designed to disempower a centralized point-of-abuse for the benefit of the population at large, so it's not all that hypocritical. At any rate, protecting consumers from MS is a goal that will ultimately protect and affect far more lives than any dent terrorism can make into the actual physical population (MS consumer base is the world, while the target of terrorism is confined to a relatively small set of symbolic geographical locations). You speak volumes about the ridiculously skewed perspective on the threat terrorism truly poses as opposed to those whose lives are influenced by the world economy and its communication and data infrastructure.
I ain't arguing for either side, but I just thought I should point out that your comment is pretty rich in rhetoric and glibness and short of supportive evidence.
Actually, if you read what I wrote (what a novel concept!), you'd understand that I wasn't commenting on the Ask Slashdot poster at all. I was only commenting that additional security actually /increases/ public fear, not decreases it, according to the parent post of my reply. But hey, your trolling is appreciated none of the less! :)
Since when is Apple concerned about market share? They do what capitalism was born to do. Cater to a small market, and do it the right way.
I don't have an OSX box, and consequently, no firewire and iTunes, but if I /did/ (and many do/will have OSX within the next year), this piece of gear was BORN for that market. All while keeping Apple gear at the front of the pack in terms of usability, transfer speed, and respectable battery life.
Apple has never been about selling the most number of units. Just look at the market leaders for cars, OSes, books, movies, CDs.. you'll understand why having a big market share essentially guarantees that you have to give up innovation. Heck, Intel shipped their latest chip with features /disabled/ .. so I, for one, am glad that Apple is content to own just a small slice of the pie, because it's the most /delicious/ slice.
And no, I don't own any Apple gear. I wish I could justify it tho; unfortunately, MS keeps underselling quality, thus keeping wk2 on the corporate desktop, and *nix just happens to serve the 'net industry better than anyone else.
> .. it helps to calm the fears of those who live in his community by demonstrating that the NIH is being extremely cautious
Um. People feel more scared when security is visibly higher. Any vigilance above and beyond what is necessary only propagates fear, not a feeling of security. Fear is only a perception.. an emotion, that has, at best, a tenuous connection with reality. Simply consider that hundreds of thousands die every year because of their drunk-driving neighbours, and only a handful have died from anthrax; and yet still people think drunk-driver checks along streets are major inconveniences, while everyone is willing to lay down and subject themselves to whatever is necessary in order to stop a few anthrax carrying letter senders.
I'm not arguing that these searches in particular are superfluous, but your claim that increased security, both visible via your own experience, and to a larger extent, as broadcast by the media, only serves to further entrench fear and mistrust in the public psyche at large.
Would you really argue that daily searches of employees, since the first bombing of the WTC up to Sept 10th would have made all the WTC workers feel more secure? Hardly.. I'd imagine the vast majority weren't even thinking about it very often, for the simple practical reason that fear is a perception, and not a defence against any actual possible event. Just don't forget that superfluous vigilance can only add to the fear. True, eventually the fear will subside into routine, but again, it only demonstrates the disconnection of the human mind with the reality of risk and gain.
Anyways, obviously, there is a line. Should we search every kindergarten student? The simple issue is that he and you are at odds over what constitutes reasonable and effective vigilance, and seeing as he works there and you don't, I'd imagine he has a clearer picture as to the possible or perceived threats against the government. In fact, he may know a lot more than you or I know that backs up his claim of the searches being superfluous.
Before you pack KY Jelly, make sure sodomy is not illegal in MD (I'm a Canadian, so I dunno). I know that sodomy is illegal in many states. Goat porn is also illegal. Try legal things.. blow up dolls, dog poo, old folx porn. You can check out the ACLU website in order to find out what states are sexually repressed.
This is fucking bullshit.. honestly, after the DMCA, and this.. well, I may find myself taking to the streets within my lifetime after all. It's getting clearer and clearer that Wells was only off by 8 or 9 years with respect to BigBrother.
My freedom includes being able to do whatever the fuck I want. (And for others to download and use what I make however the fuck /they/ want.) I can do this with music, art, wood, metal.. and I'm going to damn well keep doing it with code, too.
sirsonic.com labs has been able to develop a sexual organ one molecule in size! His doctor is retaining the research and details, in anticipation of patenting the discovery (in RF licencing of course). A joint venture with Decode Genetics (old?) will prove if SirSlud is Icelandic once and for all.
Reports have circulated suggesting SirSlud would love if he tested positive. Witnesses report SirSlud having muttered Bjork through a mouthful of drool before he was carried away by security.
the twice is just that, buddy :) I got a second mail after sending the authorization one, saying that my first mail was properly delivered.. ie, a 'thanks for authorizing' message.
Really, I did. I dunno, visit the TMDA page yourself, and try the whitelist message, and then 'authorize' the communication. You should get a second.
Please, I'm not baiting you, man.. I've taken courses that deal with the relation between technology and social behaviour. I was in electrical engineering. But I've always been a programmer at heart, and now I do that. The whole deal, C++/C/whatever/CORBA on FreeBSD. I'm no genius, but I'm still lightyears ahead of 99% of the population when it comes to computers. You learn where the make-and-break points are with technology, as relating to social adoption. I was just saying that it was too much of a pain to know that I had to go through some sort of confirmation process to initiate communication. Don't argue for your own values.. defeating spam is a universal problem that requires you to cater to the lowest common denominator. Windows wouldn't have such a dominant position in the market if it weren't for the sad fact that to penetrate your market (as standards must), your interface must cater to the lowest common denominator, mostly effort-wise, while not undermining the status-quo economically.
Really tho, TMDA provides exactly what I want, only at a level that only a few of us can use (unless those in a position of power take it upon themselves to offer the functionality to clients... which would require accepting additional responsibilities at a time that no service provider would even dream of). I want to see that as part of the general social perception of what email is. Only then does it truly become 'deployed' on a scale that is meaningful.
Anyhow, I wasn't dumping on the links you provided.. they were exactly what I wanted to see. Some push towards embedding the policy of your communication in the very contact information itself. That, in my opinion, is the holy grail of a form of communication that must, by design, exist within a logical set of well-formed rules. I think that sort of approach would lead to the best restriction of paths of communication. We wouldn't even need to rely on the government to strong-arm companies to comply. (And a fat chance of that, these days, in this plutocracy.)
well, the thing is, I am thinking purely from a 'I don't even want to think about the responsibility of maintaining multiple email addresses'.. that's where the encryption comes in, from both sides. You don't have to set anything up, server side... the 'rules' are already in the email address. if you want an email address to time out, send them the encrypted-with-the-timeout address your mail client generates for you (by talking to the mail server)
the problem with the x10 example assumes you own the domain, and if we want to defeat spam (ie, the desire to send it), we have to make rules and processes that work for EVERYBODY.. ie, down to the lowest common denominator of 'the moron user who is using the uncaring provider with the free mail client'. Otherwise, spammers will accept that they can't reach the geeks.. which is okay with the geeks anyhow, cause we don't reply to spam. Stupid people do, so you need a stupid solution. My solution proposes that your mail client simply asks your mail server: "Give me my address, but with a timeout of 2 weeks." The time you choose will depend on how much you trust who you're giving your email address to. You can never truly defeat spam (cause one man's spam is another man's treasure, etc, etc), so what you really need is a technology that allows you to specify the worst case. Ie, at the most, this person should not be able to contact me after X days, months, years. I subscribe to alotta porn.. I'm not worried bout x10, cause they have to honour their agreements to remain in business (they are visible enough, dontcha think?), but rather the unscrupulous advertisers. The problem is /collection/ .. any place, be it a web page, or a return address on USENET.. when your email is collected and sold, it has to time out. So, for these sorts of points of presence.. like a web page, or a USENET post, it's about making sure no one can contact you 10 weeks (or whatever length of time you want) after you post or show your email address.
All I want, is the ability to give my email address with what I judge is a worst case scenario.. I'm sure I'm getting email from spammers who robot'd my email addy from my webpage 3 years ago. I just want to specify the 'scope' of the use of my address for each medium in which I provide/publish it. I truly believe it is the best compromise between letting unknown sources contact you, and trying to stop your email from circulating via sales. Obviously, it has to be encrypted because you don't want the sender to be able to adjust that timeout value in your email, and if you make it well-formed, then you don't have to manage those timeout 'accounts' with your server, and your server doesn't have to store multiple 'accounts' for you, since it just de-encrypts against a local private key and checks whether that mail is still valid.
Really tho, there are tons of client side savvy ways to deal with spam, but the problem is those who are too newbie, or, in my case, too lazy to deal with actually specifying the various contact touch points. I want a well-formed way of specifying my timeout in an address that isn't tamperable by the sender, and doesn't require me to spend more time than I do now just scanning and deleting spam.
Actually, TMDA's whitelist confirmation method just resulted in my mailbox being 'spammed' twice. Obviously, it's not really spam because in entering communication with the email address I sent to, I was consenting to 2 way communication, but it's still two more messages in my mailbox that are empty of actual content. Not optimal, in my opinion. New technologies and processes are very rarely accepted by the masses if they contain more steps than the process they are meant to replace or provide a level of perceived social value that overcomes these additional steps.
Windows may be a dumb terminal.. the sad part is that the fat client might end up being 98%.. well, you know who. I'm talkin about .NOT, of course ;)
But I think if MS wants to survive for years on end instead of the fiery over-zealous commitment they are getting themselves into (and which, I think will end up in a crash-and-burn or at least people looking for another 'flavour' of band relationship after awhile), they should spin their empire off and keep their thin client free of vested-interest-relationships.. invariably, those sorts of things fail, because if one brick falls, it'll pull the wall down with it if only by the effects of brand-association.
this is a solution for idiots who don't want to even have to think about what's 'confirmed' and 'not confirmed'.. including me. I don't even want to 'confirm' mails; never mind that client side, non standardized filtering systems will result in at least some people/systems not following up on a confirmation who have an opportunity (or information of value) where you're the only one who has much to lose by the sender not following up.. I want to implicitly trust the first delivery if the email address is gathered from a place I publish it, all the while blocking the mail at the /mailserver/ level.
Most people don't have access to anything other than POP, so holding it server side until confirmation isn't a particularly viable solution for the masses, IMHO. (Unless my assumption that most POP clients do not support scanning your mail server-side before you actually apply filter logic to the message isn't true?) It also doesn't help if the person who has your email address rotates their from address just to prevent you from relying on the solution of whitelisting. You'd just be spammed with 'confirmation' mails.
I mean, if you really wanna tackle this in a large way, your method has to be fool-proof, totally controllable by most simple POP clients, and easy to understand. By embedding timeouts in addresses, and enabling the server to understand this, the user can publish an email address and just forget about it, instead of having to manage a 'valid sender' list. I think the idea of you specifying privs for senders most breaks the idea that email is a convenient single-step process to contact someone. Of course, maybe I'm just drunk on what I perceive to be an elegant simple solution to a complex problem, but I still maintain that having this sort of logic on the mail server would help lots of people out there who just want to apply 'trust' to a sender (be it a robot that trips of their page) only within the scope of a worst case scenario (ie, the timeout prevents unlimited abuse)... :)
I guess the general idea is that if the rules are written in stone, then it removes any power from people who collect/need your email address to leverage whatever they have against you based on your method of filtering?
I think there always exists a simple solution that cuts down on 90% of the noise; a solution that doesn't require any more work than you need now (which is essentially one of the principles of the adoption of technology by a society at large). In this case, you may want to memorize your 'one day' and 'one week' addresses for when you are in a bar, or away from a client capable of generating your timeout addresses, a negligible increase in responsibility that has to be assumed by the user of the technology.
TMDA looks yummy.. any reasons why it's not enforced at the mail server level (ie, not in an RFC?).. I am just thinking that it would be awesome if mail servers themselves supported knowing whether a 'username' an email is addressed to that was delivered to it was a timeout-able version of a legal local user name? I mean, does this sort of thinking stand a chance of getting into some future generation mail protocol?
I don't like white-list filtering, because email is used far too often to instigate legitimate communication from a source you were previously unaware of. (Musicians, artists, freelancers.. basically, anyone selling services who cannot hire someone to filter 'incoming mail') :) And the confirmation process, especially when time is of the essence, it's an awkward, unwieldy, and hopefully ultimately unnecessary process if you can come up with a good tagged address system.
Man, spam fighting sure is subjective tho. I am aware of the level of subjectivity when trying to formalize a suitably universal process by which to cut down noise-to-signal ratios when dealing with public means of contact info.
Anyhow, I'm still interested in knowing how much work is being done to put some of these facilities lower down in the trenches of the technology that drives mail across the net.
One more nice thing: your web page would always be a one day timeout value (most sites that get trawled by email collecting robots are dynamic content anyways?)
So anyone who trawls your site would only have a way of reaching you within the next, say, six hours.. or 2 days.. or whatever you like! If you approve of the communication, you'd have your regular email (or maybe you prefer a 30 day permission, it's up to you :) in your reply field on your mail client.
Also, this would force companies to be honest about the frequency of their communication with you.. they have no way of verifying or 'filtering' valid communication policies with you, so they would have to be honest if they actually wanted to, and expected to be able to reach you in 6 months. They can't verify that you are actually giving them a 6 month time out, so the responsibility of enabling communication falls into the hands of whom it should be in: you.
Requirements:
- mail servers would have to know if a message is being sent to many users, or [threshold]
- mail servers would have to be able to decrypt addresses against a local private key specific to your email account (not your pwd, for security considerations, I think)
So, now you give your email address out to organizations (basically, anyone who wishes to enter a dialog with you in a one-to-many fashion) as hr435sd45kfjd@sirsonic.com (your mail client would support the ability to encrypt your normal email user name against this private key)
Now, here's the kicker: /included/ in this encryption is a timeout value. So, you might trust futureshop.ca, and give them an email address with your user name and a timeout value of 2 years, but they can't modify that value, due to the encrypted username-timeout combo on the email address you give them. And you'd give www.hotbabes.com a one month timeout.. if you don't find yourself on a zillion other lists, maybe you give them another with a 2 year timeout. Otherwise, maybe you change to 4 months. Basically, it's about EMBEDDING a timeout communication privilege in your contact information, without giving the sender the ability to alter that timeout.
So, what has to be done? Does this work? I think once you wrap people's heads around the idea of a timeout on communication privs, people would love this.. basically, you could say to anyone, "If this relationship works out, I'll give you lots more time to talk to me, but for now, you have a month to sell to me the notion that you are responsible with my contact information."
'blackbox' solutions are dangerous.... average users will never be able to infer what goes on behind the scenes. Far more useful would be a 98% successful (my guesstimate at what an acceptable fail rate should be) intelligent, learning filtering system on the client end.. where you can just scan-the-spam topics and make sure you're not missing anything important.
It would be much easier to tackle this problem if a 'pseudolution' (spam is, by its very nature, not 100% solvable) is rolled out with the next generation mail protocol. To this end, does anyone know if there are any current undertakings addressing a next generation email protocol capable of more interaction/configuration from a client?
One VERY nice feature I'd like to see is email addresses with embedded timeout values in them.. ie, you can provide email addresses that somehow 'hide' your real email address and some timeout value, such that only email servers on your end could decrypt the address and figure out if that communication privilege has 'expired'. I think mail servers would have to know if a mailing was a 'bulk' or 'single' mailing.. single mailings could accept normal email addresses, but multiple mailings would require these encrypted addresses with built in time out values.
I haven't thought TOO deeply about it, as you can tell, and I'm not much of a privacy/encryption expert, but can anyone articulate a set of rules based on the above postulation that is technically feasible?
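The timeout-address rules proposed in this comment and in the "Requirements" comment above, sketched as an added example (not part of the original posts and not TMDA's code). It swaps the encryption the posts describe for an HMAC tag: the sender cannot alter the timeout and the server keeps no per-address state, but the user name stays visible. The address layout, the per-account key and the domain example.org are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

TAG_CHARS = 16  # 16 base32 characters = 80 bits of the HMAC-SHA256 output


def _tag(key: bytes, user: str, expiry: int, domain: str) -> str:
    """MAC binding user, expiry and domain; only the key holder can compute it."""
    msg = f"{user}\n{expiry}\n{domain}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.b32encode(digest).decode("ascii").lower()[:TAG_CHARS]


def make_address(key: bytes, user: str, domain: str, lifetime_s: int, now=None) -> str:
    """Client side: build user+<expiry hex>.<tag>@domain (hypothetical layout)."""
    now = int(time.time()) if now is None else int(now)
    user, domain = user.lower(), domain.lower()
    expiry = now + int(lifetime_s)
    return f"{user}+{expiry:x}.{_tag(key, user, expiry, domain)}@{domain}"


def check_address(keys: dict, address: str, now=None):
    """Server side: return (True, user) or (False, reason) for a recipient.

    keys maps each local user name to that account's secret key. Nothing else
    is stored: the expiry travels inside the address and the tag protects it.
    """
    now = int(time.time()) if now is None else int(now)
    # Senders and relays may change the case of an address, so compare lowercase.
    local, at, domain = address.lower().rpartition("@")
    user, plus, rest = local.rpartition("+")
    expiry_hex, dot, tag = rest.partition(".")
    if not (at and plus and dot and user and tag):
        return False, "malformed"
    try:
        expiry = int(expiry_hex, 16)
    except ValueError:
        return False, "malformed"
    if expiry_hex != f"{expiry:x}":  # reject non-canonical forms ("0x..", "+ff")
        return False, "malformed"
    key = keys.get(user)
    if key is None:
        return False, "unknown user"
    expected = _tag(key, user, expiry, domain)
    # Constant-time comparison on bytes; a tag from the network may be non-ASCII.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "bad tag"
    if now >= expiry:
        return False, "expired"
    return True, user


if __name__ == "__main__":
    # Constructed sample values, not taken from the posts.
    demo_key = b"constructed-demo-key"
    demo_keys = {"sirslud": demo_key}
    two_weeks = 14 * 24 * 3600
    addr = make_address(demo_key, "sirslud", "example.org", two_weeks, now=1_000_000)
    print(addr)
    print(check_address(demo_keys, addr, now=1_000_001))            # within the window
    print(check_address(demo_keys, addr, now=1_000_000 + two_weeks))  # timed out
    stretched = addr.replace("+21b740.", "+31b740.")                # sender edits expiry
    print(check_address(demo_keys, stretched, now=1_000_001))
```

Hiding the real user name as well, as the posts ask, would need authenticated encryption of the local part under the same per-account key instead of a bare tag.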
well, allow me to play devil's advocate here.. MS is a great thin-client, unfortunately. Non-comp people have a good case in wanting to use MS on their desktop (not overall design and organization, but their widget set is unfortunately as good as it gets outside of Mac), but I'd never want to have to use a windows box on anything outside facing...
basically, security on windows shouldn't even be an issue.. they should stop making OSes and just develop the GUI layer (again, not UI design, but the UI subsystem). That's the only thing they have going for them, IMHO.
> an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin
OH MY GOD... yeah, and doctors should only say 'you're sick, take this'. They shouldn't disclose how you actually got sick, cause then other people would just go around 'exploiting' and making more people sick! GET REAL... saying building X is vulnerable if you have a sledge hammer is a little different than building X is vulnerable if you have a nuclear weapon. It's called 'acceptable risk', and I refuse to live in a world where I can't be crystal clear on what that risk is, and how it can occur. Even if you don't give code examples but explain the details, some smart guy will turn it into a script-kiddie tool anyhow, so going the extra mile and providing the code is tantamount to knowing your level of risk and the most probable netographic that will attempt to exploit it.
HAHAHAHAHAHA... oh yeah, I can just see it.. this would allow their marketing/pr department to 'fix' each and every bug.
Actually, sample code is a very good way to illustrate the severity of a bug.
A bug might be the result of absolutely brutal programming, but require a programmer to jump through hoops to exploit it. In this sense, the bug isn't so bad, and users can assess the path to patching said holes. On the other hand, a bug could be the result of complex, innocent oversight which can be exploited with 3 lines of code.
I, for one, think knowing the code to exploit the bug can give admins a good sense of addressing patch priorities.
Yeah, the security pundits will tell me 'you should be patching 10 secs after the patch comes out regardless of severity', but if you really take that route, you're living in a vacuum. The rest of the world has to worry about priorities.. ie, that old limitation of 24 hrs in a day. Hell, with MS and a large enterprise network, you'd have to assign a full-time worker just to monitor and install patches.
And I'm of the opinion that trusting MS's stance on the 'severity' of a given bug is about as big a security hole as you can have.
(Please remember to flame me on both sides, for even cooking.... )
I'm in love!.. at least her invention will help me run my 'how the hell do lush/pothead programmer/musicians meet hot molecular physicists' algorithm. (Yeah, it sucks, UD turned down my application to turn the problem into a UD Job... )
Are the judges new each year? How do they not pick up on the 'style' of the computer AI. Even humans have personalities, so even if ALICE managed to fool you into thinking she was human, isn't it feasible that you'd recognize her the next year around, and thus know that it's a computer?
If the buying public continues to blindly lick the boots of MS, while governments move to *nix (for the desktop) solutions due to costs (and as well they should.. I prefer my taxes going to something like social programs rather than MS), they might just find themselves aligned with *nix geeks. Who else thinks governments would find themselves in a very good spot if they became a main source of employment for OS and *nix pundits? I don't want the tech infrastructure of my government to depend on MS's marketing strategies rather than actual need and opportunity for IS improvement.
>It's often used to aid insertion of catheters.
;) Heehee, seriously tho, I stand corrected .. me and my gutter mind.
Cool! Any chance we could use this as an argument for cannabis too?
SirSlud
Love, sirslud.
Since when is Apple concerned about market share? They do what capitalism was born to do. Cater to a small market, and do it the right way.
/did/ (and many do/will have OSX within the next year), this piece of gear was BORN for that market. All while keeping Apple gear at the front of the pack in terms of usability, transfer speed, and respectable battery life.
.. you'll understand why having a big market share essentially garauntees tha you you have to give up innovation. Heck, Intel shipped their latest chip with features /disabled/ .. so I, for one, am glad that apple is content to own just a small slice of the pie, because its the most /delicious/ slice.
I don't have an OSX box, and consequently, no firewire and iTunes, but if I
Apple has never been about selling the most number of units. Just look at the market leaders for cars, OSes, books, movies, CDs
And no, I dont own any Apple gear. I wish I could justify it tho; unfortunately, MS keeps underselling quality, thus keeping wk2 on the the corperate desktop, and *nix just happens to serve the 'net industry better than anyone else.
> .. it helps to calm the fears of those who live in his community by demonstrating that the NIH is being extremely cautious
.. an emotion, that has, at best, a tenuous connection with reality. Simply consider that hundres of thousands die every year because of their drunk-driving neighbours, and only a handful have died from anthrax; and yet still people think drunk-driver checks along streets are major inconveniences, while everyone is willing to lay down and subject themsleves to whatever is neccessary in order to stop a few anthrax carrying letter senders.
.. I'd imagine the vast magority wern't even thinking about it very often, for the simple practical reason that fear is a perception, and not a defence against any actual possible event. Just don't forget that superflous vigilence can only add to the fear. True, eventually the fear will subside into routine, but again, it only demonstrates the disconnection of the human mind with the reality of risk and gain.
Um. People feel more scared when security is visibly higher. Any vigilence above and beyond what is neccessary only propogates fear, not a feeling of security. Fear is only a perception
I'm not arguing that these searches in particular are superflous, but your claim that increased security, both visible via your own experience, and to a larger extent, as broadcast by the media, only serves to furthur entrench fear and mistrust in the public psyche at large.
Would you really argue that daily searches of employess, since the first bombing of the WTC up to Sept 10th would have made all the WTC workers feel more secure? Hardly
Anyways, obviously, there is a line. Should we search every kindergarten student? The simple issue is that he and you are at odds over what constitutes reasonable and effictive vigilence, and seeing as he works there and you don't, I'd imagine he has a clearer picture as to the possible or perceived threats against the government. In fact, he may know alot more that you nor I know that backs up his claim of the searches being superfluous.
Before you pack KY Jelly, make sure sodomy is not illegal in MD (I'm a Canadian, so I dunno). I know that sodomy is illegal in many states. Goat porn is also illegal. Try legal things .. blow up dolls, dog poo, old folx porn. You can check out the ACLU website in order to find out what states are sexually repressed.
This is fucking bullshit .. honestly, after the DMCA, and this .. well, I may find myself taking to the streets within my lifetime afterall. Its getting clearer and clearer that Wells was only off by 8 or 9 years with respect to BigBrother.
/they/ want.) I can do this with music, art, wood, metal .. and I'm going to damn well keep going it with code, too.
My freedom includes being able to do whatever the fuck I want. (And for others to download and use what I make however the fuck
sirsonic.com labs has been able to develop a sexual organ one molecule in size! His doctor is retaining the research and details, in anticipation of patenting the discovery (in RF licencing of course). A joint venture with Decode Genetics (old?) will proove if SirSlud is icelandic once and for all.
Reports have circulated suggeting SirSlud would love if he tested positive. Witness report SirSlud having mutter Bjork through a mouthfull of drool before he was carried away by security.
the twice is just that, buddy :) I got a second mail after sending the authorization one, saying that my first mail was properly delivered .. ie, a 'thanks for authorizing' message.
.. I've taken courses that deal with the relation between technology and social behviour. I was in electrical engineering. But I've alwats been a programmer at heart, and now I do that. Tthe whole deal, C++/C/whatever/CORBA on freeBSD. I'm no genius, but I'm still lightyears ahead of 99% of the population when it comes to computers. You learn where the make-and-break points are with technology, as relating to social adoption. I was just saying that it was too much of a pain to know that I had to go through some sort of confirmation process to initiate communication. Don't argue for your own values .. defeating spam is a universal problem that requires that you to cater to the lowest common denomiator. Windows wouldn't have such a dominant position in the market if it wernt for the sad fact that to penerate your market (as standards must), your interface must cater to the lowest common demoninator, mostly effort-wise, while not undermining the status-quo economically.
... which would require accepting additional responsibilities at a time that no service provider would even dream of). I want to see that as part of the general social perception of what email is. Only then does it truly become 'deployed' on a scale that is meaningful.
.. they were exactly what I wanted to see. Some push towards embedding the policy of your communication in the very contact information itself. That, in my opinion, is the holy grail of a form of communication that must, by design, exist within a logical set of well-formed rules. I think that sort of approach would lead to the best restriction of paths of communication. We wouldn't even need to rely on the government to strong-arm companies to comply. (And a fat chance of that, these days, in this plutocracy.)
Really, I did. I dunno, visit the TMDA page yourself, and try the whitelist message, and then 'authorize' the communication. You should get a second.
Please, I'm not baiting you, man
Really tho, TMDA provides exactly what I want, only at a level that only a few of us can use (unless those in a position of power take it upon themselves to offer the functionality to clients
Anyhow, I wasn't dumping on the links you provided
well, the thing is, I am thinking purely from a 'I don't even want to think about the responsibility of maintaining multiple email addresses' .. that's where the encryption comes in, from both sides. You don't have to set anything up, server side ... the 'rules' are already in the email address. If you want an email address to time out, send them the encrypted-with-the-timeout address your mail client generates for you (by talking to the mail server)
.. ie, down to the lowest common denominator of 'the moron user who is using the uncaring provider with the free mail client'. Otherwise, spammers will accept that they can't reach the geeks .. which is okay with the geeks anyhow, cause we don't reply to spam. Stupid people do, so you need a stupid solution. My solution proposes that your mail client simply asks your mail server: "Give me my address, but with a timeout of 2 weeks." The time you choose will depend on how much you trust who you're giving your email address to. You can never truly defeat spam (cause one man's spam is another man's treasure, etc, etc), so what you really need is a technology that allows you to specify the worst case. Ie, at the most, this person should not be able to contact me after X days, months, years. I subscribe to alotta porn .. I'm not worried bout x10, cause they have to honour their agreements to remain in business (they are visible enough, dontcha think?), but rather the unscrupulous advertisers. The problem is /collection/ .. any place, be it a web page, or a return address on USENET .. when your email is collected and sold, it has to time out. So, for these sorts of points of presence .. like a web page, or a USENET post, it's about making sure no one can contact you 10 weeks (or whatever length of time you want) after you post or show your email address.
.. I'm sure I'm getting email from spammers who robot'd my email addy from my webpage 3 years ago. I just want to specify the 'scope' of the use of my address for each medium in which I provide/publish it. I truly believe it is the best compromise between letting unknown sources contact you, and trying to stop your email from circulating via sales. Obviously, it has to be encrypted because you don't want the sender to be able to adjust that timeout value in your email, and if you make it well-formed, then you don't have to manage those timeout 'accounts' with your server, and your server doesn't have to store multiple 'accounts' for you, since it just de-encrypts against a local private key and checks whether that mail is still valid.
the problem with the x10 example assumes you own the domain, and if we want to defeat spam (ie, the desire to send it), we have to make rules and processes that work for EVERYBODY
All I want, is the ability to give my email address with what I judge is a worst case scenario
Really tho, there are tons of client side savvy ways to deal with spam, but the problem is those who are too newbie, or, in my case, too lazy to deal with actually specifying the various contact touch points. I want a well-formed way of specifying my timeout in an address that isn't tamperable by the sender, and doesn't require me to spend more time than I do now just scanning and deleting spam.
Actually, TMDA's whitelist confirmation method just resulted in my mailbox being 'spammed' twice. Obviously, it's not really spam because in entering communication with the email address I sent to, I was consenting to 2 way communication, but it's still two more messages in my mailbox that are empty of actual content. Not optimal, in my opinion. New technologies and processes are very rarely accepted by the masses if they contain more steps than the process they are meant to replace or provide a level of perceived social value that overcomes these additional steps.
Windows may be a dumb terminal .. the sad part is that the fat client might end up being 98% .. well, you know who. I'm talkin about .NOT, of course ;)
.. invariably, those sorts of things fail, because if one brick falls, it'll pull the wall down with it if only by the effects of brand-association.
But I think if MS wants to survive for years on end instead of the fiery over-zealous commitment they are getting themselves into (and which, I think will end up in a crash-and-burn or at least people looking for another 'flavour' of band relationship after awhile), they should spin their empire off and keep their thin client free of vested-interest-relationships
this is a solution for idiots who don't want to even have to think about what's 'confirmed' and 'not confirmed' .. including me. I don't even want to 'confirm' mails; never mind that client side, non standardized filtering systems will result in at least some people/systems not following up on a confirmation who have an opportunity (or information of value) where you're the only one who has much to lose by the sender not following up .. I want to implicitly trust the first delivery if the email address is gathered from a place I publish it, all the while blocking the mail at the /mailserver/ level.
... :)
Most people don't have access to anything other than POP, so holding it server side until confirmation isn't a particularly viable solution for the masses, IMHO. (Unless my assumption that most POP clients do not support scanning your mail server-side before you actually apply filter logic to the message isn't true?) It also doesn't help if the person who has your email address rotates their from address just to prevent you from relying on the solution of whitelisting. You'd just be spammed with 'confirmation' mails.
I mean, if you really wanna tackle this in a large way, your method has to be fool-proof, totally controllable by most simple POP clients, and easy to understand. By embedding timeouts in addresses, and enabling the server to understand this, the user can publish an email address and just forget about it, instead of having to manage a 'valid sender' list. I think the idea of you specifying privs for senders most breaks the idea that email is a convenient single-step process to contact someone. Of course, maybe I'm just drunk on what I perceive to be an elegant simple solution to a complex problem, but I still maintain that having this sort of logic on the mail server would help lots of people out there who just want to apply 'trust' to a sender (be it a robot that trips of their page) only within the scope of a worst case scenario (ie, the timeout prevents unlimited abuse)
I guess the general idea is that if the rules are written in stone, then it removes any power from people who collect/need your email address to leverage whatever they have against you based on your method of filtering?
I think there always exists a simple solution that cuts down on 90% of the noise; a solution that doesn't require any more work than you need now (which is essentially one of the principles of the adoption of technology by a society at large). In this case, you may want to memorize your 'one day' and 'one week' addresses for when you are in a bar, or away from a client capable of generating your timeout addresses, a negligible increase in responsibility that has to be assumed by the user of the technology.
TMDA looks yummy .. any reasons why it's not enforced at the mail server level (ie, not in an RFC?) .. I am just thinking that it would be awesome if mail servers themselves supported knowing whether a 'username' an email is addressed to that was delivered to it was a timeout-able version of a legal local user name? I mean, does this sort of thinking stand a chance of getting into some future generation mail protocol?
.. basically, anyone selling services who cannot hire someone to filter 'incoming mail') :) And the confirmation processes, especially when time is of the essence, it's an awkward, unwieldy, and hopefully ultimately unnecessary process if you can come up with a good tagged address system.
I don't like white-list filtering, because email is used far too often to instigate legitimate communication from a source you were previously unaware of. (Musicians, artists, freelancers
Man, spam fighting sure is subjective tho. I am aware of the level of subjectivity when trying to formalize a suitably universal process by which to cut down noise-to-signal ratios when dealing with public means of contact info.
Anyhow, I'm still interested in knowing how much work is being done to put some of these facilities lower down in the trenches of the technology that drives mail across the net.
One more nice thing: your web page would always be a one day timeout value (most sites that get trawled by email collecting robots are dynamic content anyways?)
.. or 2 days .. or whatever you like! If you approve of the communication, you'd have your regular email (or maybe you prefer a 30 day permission, its up to you :) in your reply field on your mail client.
So anyone who trawls your site would only have a way of reaching you within the next, say, six hours
Also, this would force companies to be honest about the frequency of their communication with you .. they have no way of verifying or 'filtering' valid communication policies with you, so they would have to be honest if they actually wanted to, and expected to be able to reach you in 6 months. They can't verify that you are actually giving them a 6 month time out, so the responsibility of enabling communication falls into the hands of whom it should be in: you.
So here's my idea:
/included/ in this encryption is a timeout value. So, you might trust futureshop.ca, and give them an email address with your user name and a timeout value of 2 years, but they can't modify that value, due to the encrypted username-timeout combo on the email address you give them. And you'd give www.hotbabes.com a one month timeout .. if you don't find yourself on a zillion other lists, maybe you give them another with a 2 year timeout. Otherwise, maybe you change to 4 months. Basically, it's about EMBEDDING a timeout communication privilege in your contact information, without giving the sender the ability to alter that timeout.
.. basically, you could say to anyone, "If this relationship works out, I'll give you lots more time to talk to me, but for now, you have a month to sell to me the notion that you are responsible with my contact information."
Requirements:
- mail servers would have to know if a message is being sent to many users, or [threshold]
- mail servers would have to be able to decrypt addresses against a local private key specific to your email account (not your pwd, for security considerations, I think)
So, now you give your email address out to organizations (basically, anyone who wishes to enter a dialog with you in a one-to-many fashion) as hr435sd45kfjd@sirsonic.com (your mail client would support the ability to encrypt your normal email user name against this private key)
Now, here's the kicker:
So, what has to be done? Does this work? I think once you wrap people's heads around the idea of a timeout on communication privs, people who love this
Am I on crack? I think its a good idea.
'blackbox' solutions are dangerous .... average users will never be able to infer what goes on behind the scenes. Far more useful would be a 98% successful (my guesstimate at what an acceptable fail rate should be) intelligent, learning filtering system on the client end .. where you can just scan-the-spam topics and make sure you're not missing anything important.
.. ie, you can provide email addresses that somehow 'hide' your real email address and some timeout value, such that only email servers on your end could decrypt the address and figure out if that communication privilege has 'expired'. I think mail servers would have to know if a mailing was a 'bulk' or 'single' mailing .. single mailings could accept normal email addresses, but multiple mailings would require these encrypted addresses with built in time out values.
It would be much easier to tackle this problem if a 'pseudolution' (spam is, by its very nature, not 100% solvable) is rolled out with the next generation mail protocol. To this end, does anyone know if there are any current undertakings addressing a next generation email protocol capable of more interaction/configuration from a client?
One VERY nice feature I'd like to see is email addresses with embedded timeout values in them
I haven't thought TOO deeply about it, as you can tell, and I'm not much of a privacy/encryption expert, but can anyone articulate a set of rules based on the above postulation that is technically feasible?
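The timeout-in-the-address idea from the comment above, sketched as an added example (not part of the original post and not TMDA's code). It swaps the encryption the post describes for an HMAC tag, so the expiry is readable but cannot be altered without the account's key; the `user+expiry.tag` layout, the function names, the key and the timestamps are all assumptions made for illustration.

```python
import hashlib
import hmac

TAG_LEN = 16  # hex characters kept from the HMAC-SHA256 digest (64 bits)


def _tag(user, expiry, key):
    """HMAC over user and expiry; changing either one invalidates the tag."""
    msg = f"{user.lower()}|{expiry}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:TAG_LEN]


def make_address(user, domain, expires_at, key):
    """Client side: build user+<unix expiry>.<tag>@domain for one recipient."""
    expiry = str(int(expires_at))
    return f"{user}+{expiry}.{_tag(user, expiry, key)}@{domain}"


def check_address(address, key, now):
    """Server side: return (verdict, user) without any per-address state.

    verdict is 'accept', 'expired', 'forged' or 'malformed'.
    """
    local, sep, _domain = address.rpartition("@")
    if not sep or "+" not in local:
        return "malformed", None
    user, _, rest = local.partition("+")
    expiry, dot, tag = rest.partition(".")
    if not dot or not (expiry.isascii() and expiry.isdigit()):
        return "malformed", None
    if len(tag) != TAG_LEN:
        return "malformed", None
    expected = _tag(user, expiry, key).encode()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag.lower().encode()):
        return "forged", None
    if now > int(expiry):
        return "expired", user
    return "accept", user


if __name__ == "__main__":
    key = b"constructed-per-account-key"   # constructed sample key
    issued = 1_000_000                      # constructed "now" in seconds
    addr = make_address("sirslud", "example.org", issued + 14 * 86400, key)
    print(addr)
    print(check_address(addr, key, issued + 86400))        # inside the window
    print(check_address(addr, key, issued + 15 * 86400))   # after the timeout
    stretched = addr.replace("+2209600.", "+9999999.")     # sender edits expiry
    print(check_address(stretched, key, issued + 15 * 86400))
```

Because the server recomputes the tag from the address itself, it stores nothing per issued address, which is the property the post asks for.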
well, allow me to play devil's advocate here .. MS is a great thin-client, unfortunately. Non-comp people have a good case in wanting to use MS on their desktop (not overall design and organization, but their widget set is unfortunately as good as it gets outside of Mac), but I'd never want to have to use a windows box on anything outside facing ...
.. they should stop making OSes and just develop the GUI layer (again, not UI design, but the UI subsystem). That's the only thing they have going for them, IMHO.
basically, security on windows shouldn't even be an issue
>an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin
... yeah, and doctors should only say 'you're sick, take this'. They shouldn't disclose how you actually got sick, cause then other people would just go around 'exploiting' and making more people sick! GET REAL ... saying building X is vulnerable if you have a sledge hammer is a little different than building X is vulnerable if you have a nuclear weapon. It's called 'acceptable risk', and I refuse to live in a world where I can't be crystal clear on what that risk is, and how it can occur. Even if you don't give code examples but explain the details, some smart guy will turn it into a script-kiddie tool anyhow, so going the extra mile and providing the code is tantamount to knowing your level of risk and the most probable netographic that will attempt to exploit it.
OH MY GOD
HAHAHAHAHAHA ... oh yeah, I can just see it .. this would allow their marketing/pr department to 'fix' each and every bug.
.. ie, that old limitation of 24 hrs in a day. Hell, with MS and a large enterprise network, you'd have to assign a full-time worker just to monitor and install patches.
.... )
Actually, sample code is a very good way to illustrate the severity of a bug.
A bug might be the result of absolutely brutal programming, but require a programmer to jump through hoops to exploit it. In this sense, the bug isn't so bad, and users can assess the path to patching said holes. On the other hand, a bug could be the result of complex, innocent oversight which can be exploited with 3 lines of code.
I, for one, think knowing the code to exploit the bug can give admins a good sense of addressing patch priorities.
Yeah, the security pundits will tell me 'you should be patching 10 secs after the patch comes out regardless of severity', but if you really take that route, you're living in a vacuum. The rest of the world has to worry about priorities
And I'm of the opinion that trusting MS's stance on the 'severity' of a given bug is about as big a security hole as you can have.
(Please remember to flame me on both sides, for even cooking
I'm in love! .. at least her invention will help me run my 'how the hell do lush/pothead programmer/musicians meet hot molecular physicists' algorithm. (Yeah, it sucks, UD turned down my application to turn the problem into a UD Job ... )
Are the judges new each year? How do they not pick up on the 'style' of the computer AI. Even humans have personalities, so even if ALICE managed to fool you into thinking she was human, isn't it feasible that you'd recognize her the next year around, and thus know that it's a computer?
If the buying public continues to blindly lick the boots of MS, while governments move to *nix (for the desktop) solutions due to costs (and as well they should .. I prefer my taxes going to something like social programs rather than MS), they might just find themselves aligned with *nix geeks. Who else thinks governments would find themselves in a very good spot if they became a main source of employment for OS and *nix pundits? I don't want the tech infrastructure of my government to depend on MS's marketing strategies rather than actual need and opportunity for IS improvement.