Stereotypes do apply, but anti-stereotypes are plentiful as well. You will find the organized Greek, the warm German, the shy Italian, the Brazilian who does not like soccer and the American who knows world geography.
Gates is to be awarded an honorary knighthood for "services to global enterprise". It is believed the recommendation was made by Chancellor of the Exchequer, Gordon Brown.
Re:I'm sort of working on this same problem. (on RIAA Files 532 Lawsuits; Score: 2, Informative)
The big thing here is, you have to stop worrying about the students' and users' rights. They have NONE. The only holder of rights in your situation is the University. If the University chose to hand that information over to RIAA, and no binding agreement prohibited them from doing so, they can.
(3) a provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by paragraph (1) or (2)) to any governmental entity.
...
(c) Exceptions for Disclosure of Customer Records. -
A provider described in subsection (a) may divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by subsection (a)(1) or (a)(2)) -
(1) as otherwise authorized in section 2703;
(2) with the lawful consent of the customer or subscriber;
(3) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service;
(4) to a governmental entity, if the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information; or
(5) to any person other than a governmental entity
Sec. 2709. - Counterintelligence access to telephone toll and transactional records
(a) Duty to Provide. - A wire or electronic communication service provider shall comply with a request for subscriber information and toll billing records information, or electronic communication transactional records in its custody or possession made by the Director of the Federal Bureau of Investigation under subsection (b) of this section.
Re:This is one area the US could get left behind.. (on The State of IPv6; Score: 3, Interesting)
If we had been on IPv6, it would have taken the Code Red worm years, decades, or maybe even centuries to find the first vulnerable Microsoft IIS web server to infect.
Switching to IPv6 would just about halt any scanning of large blocks of IP addresses for vulnerable computers.
Lee's Marlborough, Mass., firm specializes in silica aerogels -- "puffed up sand," as he calls it. He calls aerogels the original nanotechnology because the hair-like structures are only a nanometer -- a billionth of a meter -- in diameter and separated by only 20 nanometers.
The spacing is so tight, Lee said, that air molecules don't have much room to vibrate. And if an air molecule can't vibrate, it has trouble exciting other air molecules. And that means, he concluded, that heat and sound are not transmitted readily through an aerogel.
Normally, the blankets are a pricey $45 per square foot.
... The price should drop to about $3 per square foot when a larger production plant is opened. The blankets already are being used in some high-end winter clothing and, if the price comes down, could find their way into hundreds of products, including building insulation, he added.
I thought .COM was for commercial, not corporation.
So are you saying that, for example, Lance Armstrong should not be allowed to have lancearmstrong.com?
We do it a bit different.
For any executable attachment or other problematic attachment, the entire e-mail is filtered out and saved so that, if it is something the user really wants, he can request it.
Users can request no filtering, but no one has done that. Only one user has requested that no executable attachments be removed for one particular sender, and the rest are as usual.
Our own employees are not allowed to request that for any account they may access from a company computer.
In the last two years, nobody using that e-mail server has acquired a virus/worm from e-mail.
Now if we could do something like that with spyware.
What I'd rather see is every e-mail transmitted be digitally signed.
When the e-mail client is set up, it could generate a GPG key set to use for signing the e-mail.
The recipient's computer, if verification is required, could send a standardized e-mail back to the sender's computer asking for the sender's public GPG key. If and when it arrives, check the digital signature and either deliver the e-mail or /dev/null it.
By caching the keys, you really wouldn't even have to have a white list. Or, more accurately, the white list would be by digital signature rather than the Reply-to or From address.
This could even be implemented on the server itself and with better results.
When adding the user, create a GPG key for that user on the server.
Require authorization for each incoming e-mail that is to be relayed. Digitally sign the e-mail with that key if its sender has not already done so on the client side.
The recipient's server or the recipient's client may then request the public key. If the public key used was the server's key used on behalf of the client, then return that. Otherwise, send the request on to the client for his public key.
Of course, this could be abused, but then the e-mail addresses have to be real and could then be used for blocking.
The traffic itself should be relatively small. The data portion of the request would just identify the public key desired based on what was used on the message (sender's key maintained by the server or the sender's key maintained by the client) and the data portion of the response would contain that id and the key.
For those who use multiple e-mail clients, allowing the server to handle the key would be preferable since the multiple clients would generally use different keys.
If the cached public key for that user failed, a request for the public key would be sent in case the public key had been changed. If the new key was different, the cached public key could be expired after a set period of time (in case there were any yet to be delivered e-mails from the old key around) and the new public key added to the cache.
You'd have the benefits of challenge-response systems without the users being annoyed.
One problem with challenge response systems is with mailing lists. With this method, there would be no problem since the mailing list's server would react to requests for the public key by providing it.
This would also take care of the automated e-mail case, say when you place an order and the sender sends an e-mail telling you the order has been fulfilled.
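The exchange described in the post above, as an added example that is not part of the original post: the recipient side keeps a cache of public keys per sender address, asks the sender's own domain for the key named in the message on a cache miss or a failed verification, expires a superseded key only after a grace period, drops mail whose From: address the claimed domain will not vouch for, and lets a mailing-list server answer key requests on behalf of a client-held key. A toy RSA over a SHA-256 digest with fixed Mersenne primes stands in for GPG so the script runs with only the Python standard library (it is not a secure signature scheme); every address, domain and key in it is constructed for the demo.

```python
import hashlib
from dataclasses import dataclass, field

# Toy RSA stand-in for GPG (constructed, NOT secure): fixed Mersenne primes keep it deterministic.
_PRIMES = [(1 << 61) - 1, (1 << 89) - 1, (1 << 107) - 1, (1 << 127) - 1]

def keypair(idx):
    """Deterministic toy keypair number idx in 0..3 -> (public, private)."""
    p, q = _PRIMES[idx], _PRIMES[(idx + 1) % 4]
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def _digest(data):
    # a 128-bit value is always below every modulus used here (all are >= 2^150)
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def sign(priv, data):
    return pow(_digest(data), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _digest(data)

def key_id(pub):
    """Fingerprint carried in the message so the recipient can ask for exactly this key."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[:16]

@dataclass
class Mail:
    sender: str        # From: address
    body: bytes
    key_id: str = ""   # fingerprint of the signing key; empty means unsigned
    sig: int = 0

@dataclass
class SenderDomain:
    """Sending side: a server-held key per user plus keys users generated on their own clients."""
    server_keys: dict = field(default_factory=dict)   # user -> (pub, priv)
    client_keys: dict = field(default_factory=dict)   # user -> pub of the client's own key
    lookups: int = 0                                   # key requests answered (for the demo)

    def relay(self, mail):
        """Outbound: sign with the user's server key unless the client already signed."""
        if not mail.key_id:
            pub, priv = self.server_keys[mail.sender.split("@")[0]]
            mail.key_id, mail.sig = key_id(pub), sign(priv, mail.body)
        return mail

    def lookup(self, user, kid):
        """Key request: our own key for that user if it matches, otherwise pass it on to the client."""
        self.lookups += 1
        for pub in (self.server_keys.get(user, (None,))[0], self.client_keys.get(user)):
            if pub is not None and key_id(pub) == kid:
                return pub
        return None

class RecipientServer:
    def __init__(self, resolver, grace=3600):
        self.resolver = resolver   # domain -> SenderDomain (stands in for finding the sender's server)
        self.grace = grace         # seconds an old key stays valid after a new one is seen
        self.cache = {}            # sender address -> list of [pub, expires_at or None]

    def receive(self, mail, now):
        """Deliver only mail whose signature verifies under a key the sender's own domain vouches for."""
        entries = self.cache.setdefault(mail.sender, [])
        entries[:] = [e for e in entries if e[1] is None or e[1] > now]   # drop expired keys
        if any(verify(pub, mail.body, mail.sig) for pub, _ in entries):
            return "delivered"                                           # whitelisted by signature
        user, _, domain = mail.sender.partition("@")
        origin = self.resolver.get(domain)
        pub = origin.lookup(user, mail.key_id) if origin and mail.key_id else None
        if pub is None or not verify(pub, mail.body, mail.sig):
            return "dropped"           # unsigned, forged From:, or unknown key -> /dev/null
        for e in entries:              # sender rotated keys: old ones live on for the grace period only
            if e[1] is None:
                e[1] = now + self.grace
        entries.append([pub, None])
        return "delivered"

def demo():
    """Run the cases from the post; returns (outcomes, total key requests made)."""
    example = SenderDomain(server_keys={"alice": keypair(0)})
    lists = SenderDomain(client_keys={"announce": keypair(1)[0]})
    bob = RecipientServer({"example.com": example, "lists.example.org": lists})
    out = []
    # first mail costs one key request, the second is answered from the cache
    out.append(bob.receive(example.relay(Mail("alice@example.com", b"hi")), now=0))
    out.append(bob.receive(example.relay(Mail("alice@example.com", b"again")), now=10))
    # alice's server rotates her key: the cached key fails, the new one is fetched and cached
    old_pub, old_priv = example.server_keys["alice"]
    example.server_keys["alice"] = keypair(2)
    out.append(bob.receive(example.relay(Mail("alice@example.com", b"new")), now=20))
    # mail still in transit under the old key: accepted inside the grace period, not after it
    late = Mail("alice@example.com", b"late", key_id(old_pub), sign(old_priv, b"late"))
    out.append(bob.receive(late, now=30))
    out.append(bob.receive(late, now=30 + 3600))
    # forged From: signed with a key alice's domain has never heard of
    bad_pub, bad_priv = keypair(3)
    forged = Mail("alice@example.com", b"spam", key_id(bad_pub), sign(bad_priv, b"spam"))
    out.append(bob.receive(forged, now=40))
    # mailing list whose key lives on the client side: the list server answers for it
    lpub, lpriv = keypair(1)
    note = Mail("announce@lists.example.org", b"digest", key_id(lpub), sign(lpriv, b"digest"))
    out.append(bob.receive(note, now=50))
    return out, example.lookups + lists.lookups
```

Running `demo()` gives seven outcomes and five key requests: only the first mail, the rotation, the late mail after the grace period and the forgery cause a request to example.com, the list mail causes one to lists.example.org, and the two cache hits cause none. Keying the cache on the sender address rather than on the key fingerprint is what makes the rotation rule from the post work: a failed verification against the cached entry is the trigger to ask for the key named in the message, and the old entry is kept just long enough for mail already in transit.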
I considered sending them e-mails congratulating them on not having them on there any more.
We used to run an entire company on a computer with 32K.
Check out the book:
Bothe, Samii, Eckmiller, Neurobionics - An Interdisciplinary Approach to Substitute Impaired Functions of the Human Nervous System, Amsterdam : Elsevier, 1993.
One of the relatively recent cases on this kind of issue involves an old friend of mine, Evan Brown.
Evan was already working on an idea on his own time when he went to work for DSC. When he had the idea ready to proceed further, DSC claimed it belonged to them, not to Evan.
That was in 1997. The case is still dragging on.
There's even been a Dilbert comic strip that referred to the case.
You can read more about it at "Who Owns Evan Brown's Brain?"
There is an article (pdf format) in a law journal about the case you can download from Evan's web site at: Lai, Jim C, Alcatel USA, Inc. v. Brown: Does Your Boss Own Your Brain?, The John Marshall Journal of Computer & Information Law, Vol XXI No 3, pp 295-324.
I sometimes can't find copies of invoices when I need them. I have some equipment to send back for warranty repairs, but the seller requires that a copy of the original invoice be included in the box with the shipment.
Yesterday, I handed her an invoice we received for $3,600 worth of equipment.
She didn't want the invoice. It was my responsibility to keep up with it, not hers.
When I asked her if that was why she couldn't find the invoices I needed to return the equipment, she replied that I never give her the invoices for her to file.
I've received several in the last couple of days telling me that an e-mail from me contained the recent Norvag/Mydoom virus.
At least two of those notifications included complete copies of the e-mail including the virus.
I was asked by the president of one company about whether the web was ever going to amount to anything.
I said no way. We already had gopher and ftp and that's all we'll ever need.
You sure got that right.
I was ordered by my boss once to install Front Page extensions on a Windows web server.
I absolutely refused to do it.
But I did write some software that inspects every single web request it receives and decides whether or not to permit it.
Three years later, I'm still stuck with that web server. It's run along the whole time without a hitch in spite of all the worms and attacks.
In retrospect, I think the boss was right. I should have installed the Front Page extensions and not written the filter.
Maybe we'd be running a *BSD web server instead, now.
Being right is sometimes its own punishment.
There's also a Japanese version of the joke.
In the best of all possible worlds, we live in American houses, eat Chinese food, and have Japanese wives.
In the worst of all possible worlds, we live in Japanese houses, eat British food, and have American wives.
What's the difference between heaven and hell?
In heaven, you have British cops, French chefs, German mechanics, Swiss organizers, and Italian lovers.
In hell, you have British chefs, French mechanics, German cops, Italian organizers, and Swiss lovers.
For what it's worth, the biggest laugh I've seen anyone get out of that joke (I think it was in The Economist years ago) was the president of Hasselblad Engineering. But I think that's the only European I've ever told the joke.
There is a web site called Long Bets where people can place long term bets that may not be settled until long after they are dead.
For example, the longest bet is Long Bet #7 - The universe will eventually stop expanding. I don't suppose any of us will be around to empirically determine the answer.
One candidate for a bet is/was Long Bet #26 - By the end of 2012, more than 50% of the root servers on the internet will be located outside the United States.
But no one accepted the bet.
Maybe we should learn a lesson from this.
For example, suppose you had a distributed computing project you wanted to do that needed lots of computing power.
Break the next level of RSA for example.
Set up a porn site and allow people to view the porn only after they downloaded and installed client software to aid in the factorization.
In another story on the issue, "Gates plans an end to spam in two years", is an interesting sentence:
Maybe I missed this earlier, maybe not. This is the first I heard about it.
Or, more to the point, who modded it as "Insightful"?
If you really wanted to hide it, disguise the building as a whore house next door to a police station.
The hookers and the johns could really be Verisign employees running the root server.
In case a real customer showed up and was unfazed by the police station next door, tell him that most of the girls are at the doctor's office for their tuberculosis test and the rest are being treated for various venereal diseases.
Or you could disguise it as a crack house. The neighbors would assume that everyone running around with machine guns were drug smugglers.
Or just disguise it as a police station. When someone comes in seeking assistance, tell them "We don't handle those kind of cases any more."
Forget silver paste.
Try the paste made from mithril mined by the local dwarves.
In short, NO.
From TITLE 18 > PART I > CHAPTER 121 > Sec. 2702. - Voluntary disclosure of customer communications or records:
I did read the entire sentence.
Here is a link to the Patriot Act ("To deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and for other purposes"), but what is not clear is whether that is a preliminary version or the final version.
In any event, I don't see anything in it mandating that ISPs keep any kind of records of their customer's activity. Section 212 does discuss the disclosure of customer records, but I don't see anything there that mandates that records be kept.
On a quick reading, the sections referred to don't seem to require any records be kept.
At TITLE 18 > PART I > CHAPTER 121 - STORED WIRE AND ELECTRONIC COMMUNICATIONS AND TRANSACTIONAL RECORDS ACCESS, you can find the sections referring to the records.
For example, from Section 2709,
So, if you are asked for records, you must provide those records in your custody or possession. I don't see anything there mandating that you keep any such records.
The other sections are pretty interesting, but they seem to be more interested in keeping ISPs from providing confidential records without proper authorization.
The real question is, "Just what records must be kept?"
My guess is that you don't have to keep any records unless ordered to keep such records by a court of law.
In summary, it is very clear that if you have such records, you may be required to provide them under some circumstances. But I don't see anything mandating that you keep such records at all. I suspect that a judge could order the ISP to keep particular records, but what if there is no such order?
What laws, for example?
I have yet to see any requirement to keep any logs. I've asked, but no one has ever had an answer.
From What's an aerogel?:
I was curious about the prices, too.
At What's an aerogel?, there is this: