A good mail scanner will block ANY executable content - not just those that have a viral signature.
Configuring your mail server to either drop mails that contain executables or running something like MimeDefang to change the type of such items so that they are no longer executable (by converting an executable into a ZIP archive, for example) will stop such programs.
As for stupid users who mindlessly follow directions in UCE - all you can do about these geniuses is catch them after the fact (with the above solutions). Unfortunately, the real solution to this problem (involving about US$0.02 worth of.22LR to the back of the head) is not allowed. Pity.
They do not use my servers, they are not my users, but still we get black-listed. What's the point on securing my users then?
"Hmm. I've severed an artery. Oh well, I was going to die someday anyway, what's the point of trying to stop the bleeding now?"
True, you are suffering because of something not your fault, and that sucks. However, most GOOD blacklists will look at where the REAL sender is, not the faked headers - those blacklists won't list you because of these faked emails, but WILL list you if your users spam.
The problem of email propagating viruses is SO easy to correct:
JUST RUN A DAMN VIRUS SCANNER ON THE FREAKING EMAIL SERVER!
The mathematics of the spread of viruses is the same as the mathematics of the spread of disease or the mathematics of a nuclear fission chain reaction - if the expected value of the number of hosts any given infected host can infect is greater than one, the reaction will go supercritical. If the expected value is one, the reaction will be critical and will continue. If the expected value is less than one, the reaction will damp out.
Filtering viruses at the servers is like lacing a reactor with cadmium - the servers with scanners absorb the "neutrons" (infected emails) and prevent hosts from being infected.
However, too damn many sites refuse to deploy virus scanners on their email servers. I have been receiving a constant stream of viruses from Israel's main ISP, Netvision (netvision.net.il) as well as the University of Durban-Westville in South Africa. I have repeatly contacted both sites. Neither has done anything about this - they don't want to install virus scanners because it will cost THEM cycles on their mail server (ignoring the cycles that handling a flood of viruses costs).
And of course, when you try to go to their upstream providers, the upstreams do a fine Sgt. Schultz impression - they see nothing, NOTHING! And since usually the upstreams are Bastard Backbone Baboons, there is little you can do about it.
Were ISPs to be held accountable for taking action - were continuing to allow infected mails to be sent grounds for getting port 25 blocked at their upstream, and IF failing to institute such a block were legally actionable (since that is the only way to force a BBB to take action), then the rate at which these infections would drop to close to zero. And with there being no egobo to writing this crap, the trolls^Wvirus writers would get bored and go find some other way to increase the entropy of the universe.
Does either of your providers use SMTPS (SMTP over SSL - port 465)? This would solve the authentiction problem quite handily.
Do either of them use SMTP-AUTH?
If not, then perhaps rather than not paying attention to posts on Slashdot (had you BEEN paying attention you would have seen that I explicitly stated that the ISP should allow port 25 through IF THE CUSTOMER ASKS FOR IT) your time would be better spent trying to get your mail providers to adopt more recent means of preventing abuse.
To be accurate, WRS Never "supported" BSD - their OS is completely different.
They bought Walnut Creek, a distributor of, among other things, BSD.
As to why not support Linux - simple. The WRS mindset is "Screw them for the money, screw them for more money, then screw them for money again." Supplying a product that others can get in on would be a violation of that model.
Keep this in mind: WRS aims to be the Microsoft of the embedded realm.
Sorry, but I have the misfortune of using Wind Rivers' VxWorks real time OS. I've have very little luck getting support from them (usually I have figured out the problem myself long before they can respond). Their hardware support is poor, their disk I/O layer is abysmal, their compilers out of date, and they are way too expensive for what you get. They don't have USB drivers (unless you want to be a printer, not a controller), they don't have SMB drivers, they killed their embedded X server (guess what I needed!), their board support packages don't (imaging a BSP for a Strongarm that does not even enable the cache!)
If I had it all to do over again, I would have used an embedded Linux rather than VxWorks. Granted, I work on some pretty large and complex systems that are just too much for VxWorks.
If you are doing a smaller system, use something like eCOS or RTXC. If you are doing a larger system or a system that must be networked, use QNX , BSD or Linux.
There are pyramids in my head There's one underneath my bed And my lady's getting cranky Every possible location Has a simple explanation And it isn't hanky-panky
I had read Somewhere in a book, they improve all your food and your wine It said, that everything you grow in your garden would taste pretty fine Instead, all I ever get is a pain in the neck and a Yap yap yap yap yap yap yap
I've consulted all the sages I could find in the yellow pages But there aren't many of them And the myan panoramas On my pyramid pajamas Haven't helped my little problem
I've been told Someone in the know can be sure that his luck is as Good as gold, money in the bank and you don't even pay for it If you fold, a dollar bill in the shape of the pyramid that's printed on the back It's no lie You can keep the edge of a razor as sharp as an Eagle's eye, you can grow a hedge that is vertically straight over Ten feet high, all you really need is a pyramid and just a little luck I had read, somewhere in a book, they improve all your food and wine I'd been told, someone in the know can be sure of his good luck It's no lie, all you need is a little bit of pyramidic help
Pay especial attention to the bold faced section....
It sounds like you've done an admirable job securing YOUR system. What about your USERS?
There are far too many morons who run what I call "Spammer@Home" (a play upon Seti@Home) - software that downloads a list of addresses from a spammer, then uses direct-to-MX from the luser's machine to send spam. Thus spammers get around blacklists.
So the luser on your system pisses off the world, and gets your netblock blacklisted. If you catch them, you can terminate them (or at least their account) and maybe get back, but....
Now, I know this is an unpopular suggestion with many SlashTrollBots, but have you considered blocking outbound SMTP from your customers? You can always allow the customers with a real need out (they just have to let you know), but by default block SMTP to anyplace other than your server (or better still, redirect it to your server).
The average user will not notice if they cannot send directly to other servers. If you redirect to your server, programs that do direct-to-MX will still work - you will just have a chance to check the mail (or at least log it). And anybody too 31337 to use your mail server can call you and ask you to change the settings to allow them out.
(Sits back to watch the morons bitch about this...)
It is a shame they won't do this for the DirecTivo sat receiver.
However, since that would allow you to in effect grab the high-grade MPEG data stream the sat service puts out without any degradation, it is roughly as probable they release a DTivo with DVD (a DVDDTivo?) as Bill Gates giving RMS a big French^WFreedom Kiss.
(and you cannot easily use TivoNET to extract the video from a DTivo - it is stored in an encrypted form on the HD and is decrypted by hardware upon playback, and as far as I know nobody has created a module that will play the video back through the crypto chip then stream it to your computer. Additionally, while hacking the stand-alone Tivo's isn't much of a problem, the DTivos will overwrite any changes you make on the next reboot.)
So I just grab the video using my Firewire capture device, then encode it. One step of analog loss (and I can go throught SVideo if needed). Fair use lives (though is on life support).
It's due to the complexity of the operations done by a video card.
Consider what must happen every frame of your frag-fest in UT2003:
1) The game must hand a list of polygons to the card. This poly-list contains the position of the poly in 3 dimensional space and what texture map to use. 2) The game must also tell the card where the camera is looking, how wide the field of view is, and the rate at which depth changes effect the view. 3) The card must then transform the 3D polys into a list of 2D poly. 4) The card must then try to eliminate as many of the polys as possible - the ones that won't be seen. This gets more complicated because some polys are translucent, so you CANNOT eliminate what's behind them. 5) The card must then fill in the texture, applying any bump mapping and other alterations.
There are several places "magic" happens. For example, the triangle setup (step 3) - that requires multiplying a 5x5 matrix against a 5 vector (if my memory serves - it's been awhile since I've written a transform routine like this). If you try to do this in floating point, it makes the work rather more difficult (read: a LOT more transistors). So, many venders use a simpler fixed-point representation here - and the details of that representation give a lot away about how the card works.
Then there is hidden surface removal - that is VERY complicated, and is usually done by the CPU in the driver rather than the card. More magic.
Sure, one day it may be possible to embed all those things into the card, so that all the hardware driver sees is a GLX interface, but that day is unto todays graphics cards what a modern DSP based sound card is unto a Soundblaster 8-bit.
(and yes, I've skipped a few steps in the graphics pipeline - this post is long enough as it is!)
It wasn't that long ago that the machine you've described would have been as powerful as the machine running Slashdot.
Perhaps one of the/crew would care to give an exact date, but hell, I could run a web server written in TCL that would meet your usage specs given the hardware you've spec'ed.
I don't think you can draw parallels between an audio processing card and a video card:
In an audio processing card, the "magic" is in the DSP firmware loaded onto the card, which a GPL driver will simply treat as a binary blob of data stuffed in by a user space program when the driver module is loaded.
Once that "blob" is loaded, the audio streams are fairly simple, and the "magic" of the DSP is not reveiled by feeding the audio streams in - you feed in 44.1kS/s 16x2 audio, you get an MPEG stream - that operation reveils nothing about how the MPEG algorithm is implemented. Additionally, the MPEG algorithm is well documented and public knowledge (NOT public DOMAIN - public KNOWLEDGE!)
In a video card, the "magic" is in the chip's hardware design - in that respect it is simillar to the audio card.
With one significant exception: the way you "feed" the data into the card reveils MUCH about the implementation of the underlying algorithms, many of which are trade secrets.
So while I applaud AudioScience for this move, and while this move provides a good example to the video card makers, their situation is sufficiently different from AudioScience that, at this time, I doubt this will make much difference to them.
Now, if things progress to the point where Linux is a significant fraction of the video card manufacturer's market....
Personally, I am glad to hear of web site designers who understand that the best person to decide upon the formatting of their site upon my screen is ME!.
I can understand this being put into a cellphone, and I can see the utility of it.
However, what I want is a nice 10 Mpixel camera with this in it - record when the shot was taken, where, and what the bearing was.
Add that and perhaps a short, low-rate voice note, and maintaining my photo collection would become a great deal easier.
OT: If you have a photo collection, do those who come after you a favor and LABEL your pictures - date, names of the people in them, event, and why you felt this was important enough to take a picture of. I had to go through both my mother and my grandmother's estates, and it was sad to see the number of pictures of somebody somewhere at sometime - I'm sure some of them had some meaning to the family, but what has been lost to time....
The Atari I/O chip (POKEY, for POrts and KEYboard), was fed a row/column matrix from the keyboard, and then read directly by the CPU.
In order to make the keyboard compatible with a PC, you would need a microcontroller that scanned the row/column matrix and then generated the serial data stream that a PC's 8042 keyboard controller wanted to see.
Not really a very difficult task for a hardware guy - a PIC would probably do quite nicely.
I wonder if the guy was able to use the interior potmetal shield of the Atari - the 800 was designed back when "Class B computing device" MEANT something - Atari took no chance that the computer would fail to pass FCC regulations. The 800 was the quietest (in the RF sense of the word) computer I'd ever seen - ANYTHING that could generate RF was on the inside of a eight-of-an-inch thick metal box.
But using a Star Raiders cart as a mouse?!?!
BLASPHEMER! SINNER! YOU SHALL BURN IN HELLFIRE ETERNAL!
Not quite - the IF out on most ham rigs is 10.7 MHz. You are going to have a problem sampling that with your soundcard, as your soundcard's inputs will filter that right out.
You'd need to bring that down with another mixer to below about 20 kHz so that the filters on the soundcard won't trash it, or you would have to bypass the filters on your soundcard and subsample it.
Obviously, you will need special gear to receive this - they are using COFDM so your normal shortwave rig is unlikely to give you anything meaningful.
I suppose IF you had a single-sideband rig with a wide enough filter set, and IF you then used your computer, you COULD decode this, but the usual means is going to be a dedicated receiver.
(Hmmm. Have to see if I can get the spec, and see if I can write a decoder for it....)
"Alright, who loaded a prepatch kernel on the penguins?!"
Seriously, consider this strange behavior observed in certain primates: They spend hours swimming back and forth in pools of water, lifting heavy weights only to put them down again, until muscular exhaustion, running for hours in place, and pulling clumps of hair from their bodies with resinous substances. Obviously, they must be deranged.
Or health fanatics.
Consider: the penguins would normally spend all day swimming to catch fish. Now, they don't have to - fish are provided with no effort. But some part of the penguin's brain is telling it to swim, so swim they do.
Have you ever watched any other captive animal? Horses will gallop across the field for no visible reason, dogs will run around the back yard, cats will suddenly run full tilt from room to room.
Slashdot Mirror
A good mail scanner will block ANY executable content - not just those that have a viral signature.
.22LR to the back of the head) is not allowed. Pity.
Configuring your mail server to either drop mails that contain executables or running something like MimeDefang to change the type of such items so that they are no longer executable (by converting an executable into a ZIP archive, for example) will stop such programs.
As for stupid users who mindlessly follow directions in UCE - all you can do about these geniuses is catch them after the fact (with the above solutions). Unfortunately, the real solution to this problem (involving about US$0.02 worth of
"Hmm. I've severed an artery. Oh well, I was going to die someday anyway, what's the point of trying to stop the bleeding now?"
True, you are suffering because of something not your fault, and that sucks. However, most GOOD blacklists will look at where the REAL sender is, not the faked headers - those blacklists won't list you because of these faked emails, but WILL list you if your users spam.
The mathematics of the spread of viruses is the same as the mathematics of the spread of disease or the mathematics of a nuclear fission chain reaction - if the expected value of the number of hosts any given infected host can infect is greater than one, the reaction will go supercritical. If the expected value is one, the reaction will be critical and will continue. If the expected value is less than one, the reaction will damp out.
Filtering viruses at the servers is like lacing a reactor with cadmium - the servers with scanners absorb the "neutrons" (infected emails) and prevent hosts from being infected.
However, too damn many sites refuse to deploy virus scanners on their email servers. I have been receiving a constant stream of viruses from Israel's main ISP, Netvision (netvision.net.il) as well as the University of Durban-Westville in South Africa. I have repeatly contacted both sites. Neither has done anything about this - they don't want to install virus scanners because it will cost THEM cycles on their mail server (ignoring the cycles that handling a flood of viruses costs).
And of course, when you try to go to their upstream providers, the upstreams do a fine Sgt. Schultz impression - they see nothing, NOTHING! And since usually the upstreams are Bastard Backbone Baboons, there is little you can do about it.
Were ISPs to be held accountable for taking action - were continuing to allow infected mails to be sent grounds for getting port 25 blocked at their upstream, and IF failing to institute such a block were legally actionable (since that is the only way to force a BBB to take action), then the rate at which these infections would drop to close to zero. And with there being no egobo to writing this crap, the trolls^Wvirus writers would get bored and go find some other way to increase the entropy of the universe.
Does either of your providers use SMTPS (SMTP over SSL - port 465)? This would solve the authentiction problem quite handily.
Do either of them use SMTP-AUTH?
If not, then perhaps rather than not paying attention to posts on Slashdot (had you BEEN paying attention you would have seen that I explicitly stated that the ISP should allow port 25 through IF THE CUSTOMER ASKS FOR IT) your time would be better spent trying to get your mail providers to adopt more recent means of preventing abuse.
To be accurate, WRS Never "supported" BSD - their OS is completely different.
They bought Walnut Creek, a distributor of, among other things, BSD.
As to why not support Linux - simple. The WRS mindset is "Screw them for the money, screw them for more money, then screw them for money again." Supplying a product that others can get in on would be a violation of that model.
Keep this in mind: WRS aims to be the Microsoft of the embedded realm.
Sorry, but I have the misfortune of using Wind Rivers' VxWorks real time OS. I've have very little luck getting support from them (usually I have figured out the problem myself long before they can respond). Their hardware support is poor, their disk I/O layer is abysmal, their compilers out of date, and they are way too expensive for what you get. They don't have USB drivers (unless you want to be a printer, not a controller), they don't have SMB drivers, they killed their embedded X server (guess what I needed!), their board support packages don't (imaging a BSP for a Strongarm that does not even enable the cache!)
If I had it all to do over again, I would have used an embedded Linux rather than VxWorks. Granted, I work on some pretty large and complex systems that are just too much for VxWorks.
If you are doing a smaller system, use something like eCOS or RTXC. If you are doing a larger system or a system that must be networked, use QNX , BSD or Linux.
Pay especial attention to the bold faced section....
But that is exactly what the hardware venders DON'T want to do, and that is why they don't open their drivers.
It sounds like you've done an admirable job securing YOUR system. What about your USERS?
There are far too many morons who run what I call "Spammer@Home" (a play upon Seti@Home) - software that downloads a list of addresses from a spammer, then uses direct-to-MX from the luser's machine to send spam. Thus spammers get around blacklists.
So the luser on your system pisses off the world, and gets your netblock blacklisted. If you catch them, you can terminate them (or at least their account) and maybe get back, but....
Now, I know this is an unpopular suggestion with many SlashTrollBots, but have you considered blocking outbound SMTP from your customers? You can always allow the customers with a real need out (they just have to let you know), but by default block SMTP to anyplace other than your server (or better still, redirect it to your server).
The average user will not notice if they cannot send directly to other servers. If you redirect to your server, programs that do direct-to-MX will still work - you will just have a chance to check the mail (or at least log it). And anybody too 31337 to use your mail server can call you and ask you to change the settings to allow them out.
(Sits back to watch the morons bitch about this...)
It is a shame they won't do this for the DirecTivo sat receiver.
However, since that would allow you to in effect grab the high-grade MPEG data stream the sat service puts out without any degradation, it is roughly as probable they release a DTivo with DVD (a DVDDTivo?) as Bill Gates giving RMS a big French^WFreedom Kiss.
(and you cannot easily use TivoNET to extract the video from a DTivo - it is stored in an encrypted form on the HD and is decrypted by hardware upon playback, and as far as I know nobody has created a module that will play the video back through the crypto chip then stream it to your computer. Additionally, while hacking the stand-alone Tivo's isn't much of a problem, the DTivos will overwrite any changes you make on the next reboot.)
So I just grab the video using my Firewire capture device, then encode it. One step of analog loss (and I can go throught SVideo if needed). Fair use lives (though is on life support).
It's due to the complexity of the operations done by a video card.
Consider what must happen every frame of your frag-fest in UT2003:
1) The game must hand a list of polygons to the card. This poly-list contains the position of the poly in 3 dimensional space and what texture map to use.
2) The game must also tell the card where the camera is looking, how wide the field of view is, and the rate at which depth changes effect the view.
3) The card must then transform the 3D polys into a list of 2D poly.
4) The card must then try to eliminate as many of the polys as possible - the ones that won't be seen. This gets more complicated because some polys are translucent, so you CANNOT eliminate what's behind them.
5) The card must then fill in the texture, applying any bump mapping and other alterations.
There are several places "magic" happens. For example, the triangle setup (step 3) - that requires multiplying a 5x5 matrix against a 5 vector (if my memory serves - it's been awhile since I've written a transform routine like this). If you try to do this in floating point, it makes the work rather more difficult (read: a LOT more transistors). So, many venders use a simpler fixed-point representation here - and the details of that representation give a lot away about how the card works.
Then there is hidden surface removal - that is VERY complicated, and is usually done by the CPU in the driver rather than the card. More magic.
Sure, one day it may be possible to embed all those things into the card, so that all the hardware driver sees is a GLX interface, but that day is unto todays graphics cards what a modern DSP based sound card is unto a Soundblaster 8-bit.
(and yes, I've skipped a few steps in the graphics pipeline - this post is long enough as it is!)
Also, they will probably lose half the cameras....
It wasn't that long ago that the machine you've described would have been as powerful as the machine running Slashdot.
/crew would care to give an exact date, but hell, I could run a web server written in TCL that would meet your usage specs given the hardware you've spec'ed.
Perhaps one of the
I don't think you can draw parallels between an audio processing card and a video card:
In an audio processing card, the "magic" is in the DSP firmware loaded onto the card, which a GPL driver will simply treat as a binary blob of data stuffed in by a user space program when the driver module is loaded.
Once that "blob" is loaded, the audio streams are fairly simple, and the "magic" of the DSP is not reveiled by feeding the audio streams in - you feed in 44.1kS/s 16x2 audio, you get an MPEG stream - that operation reveils nothing about how the MPEG algorithm is implemented. Additionally, the MPEG algorithm is well documented and public knowledge (NOT public DOMAIN - public KNOWLEDGE!)
In a video card, the "magic" is in the chip's hardware design - in that respect it is simillar to the audio card.
With one significant exception: the way you "feed" the data into the card reveils MUCH about the implementation of the underlying algorithms, many of which are trade secrets.
So while I applaud AudioScience for this move, and while this move provides a good example to the video card makers, their situation is sufficiently different from AudioScience that, at this time, I doubt this will make much difference to them.
Now, if things progress to the point where Linux is a significant fraction of the video card manufacturer's market....
So, the probe will go to Mecury, circle 'round it, inspect it, and start to leave.
Then it will turn around, and say,
"There's just one thing that puzzles me, sir..."
Personally, I am glad to hear of web site designers who understand that the best person to decide upon the formatting of their site upon my screen is ME!.
I can understand this being put into a cellphone, and I can see the utility of it.
However, what I want is a nice 10 Mpixel camera with this in it - record when the shot was taken, where, and what the bearing was.
Add that and perhaps a short, low-rate voice note, and maintaining my photo collection would become a great deal easier.
OT: If you have a photo collection, do those who come after you a favor and LABEL your pictures - date, names of the people in them, event, and why you felt this was important enough to take a picture of. I had to go through both my mother and my grandmother's estates, and it was sad to see the number of pictures of somebody somewhere at sometime - I'm sure some of them had some meaning to the family, but what has been lost to time....
The Atari I/O chip (POKEY, for POrts and KEYboard), was fed a row/column matrix from the keyboard, and then read directly by the CPU.
In order to make the keyboard compatible with a PC, you would need a microcontroller that scanned the row/column matrix and then generated the serial data stream that a PC's 8042 keyboard controller wanted to see.
Not really a very difficult task for a hardware guy - a PIC would probably do quite nicely.
I wonder if the guy was able to use the interior potmetal shield of the Atari - the 800 was designed back when "Class B computing device" MEANT something - Atari took no chance that the computer would fail to pass FCC regulations. The 800 was the quietest (in the RF sense of the word) computer I'd ever seen - ANYTHING that could generate RF was on the inside of a eight-of-an-inch thick metal box.
But using a Star Raiders cart as a mouse?!?!
BLASPHEMER! SINNER! YOU SHALL BURN IN HELLFIRE ETERNAL!
Wally has so much caffine in his system that he can "coast" for a few minutes.
However, look at it like this: the Pointy Haired Boss is also down, so there may be good to come out of this....
I am well aware of GnuRadio - in fact, if you look at the FAQ, you will see I am quoted in it.
Also, I do Software Defined Radio for a living.
However, the point of my previous message is that the average person with the average receiver is not going to be able to receive this signal.
Not quite - the IF out on most ham rigs is 10.7 MHz. You are going to have a problem sampling that with your soundcard, as your soundcard's inputs will filter that right out.
You'd need to bring that down with another mixer to below about 20 kHz so that the filters on the soundcard won't trash it, or you would have to bypass the filters on your soundcard and subsample it.
Obviously, you will need special gear to receive this - they are using COFDM so your normal shortwave rig is unlikely to give you anything meaningful.
I suppose IF you had a single-sideband rig with a wide enough filter set, and IF you then used your computer, you COULD decode this, but the usual means is going to be a dedicated receiver.
(Hmmm. Have to see if I can get the spec, and see if I can write a decoder for it....)
In other words, the planes will be flying cubical farms!
Excuse me, but what do you think cross-breeding is?
Crossbreeding IS genetic engineering - just because no gene splicing is involved does not change that.
"Alright, who loaded a prepatch kernel on the penguins?!"
Seriously, consider this strange behavior observed in certain primates: They spend hours swimming back and forth in pools of water, lifting heavy weights only to put them down again, until muscular exhaustion, running for hours in place, and pulling clumps of hair from their bodies with resinous substances. Obviously, they must be deranged.
Or health fanatics.
Consider: the penguins would normally spend all day swimming to catch fish. Now, they don't have to - fish are provided with no effort. But some part of the penguin's brain is telling it to swim, so swim they do.
Have you ever watched any other captive animal? Horses will gallop across the field for no visible reason, dogs will run around the back yard, cats will suddenly run full tilt from room to room.
Boredom can make animals do strange things.
Want more proof??