>> The big problem with this approach is that every system that originates email has to cooperate.
And to point out the problem even more, most of the virus out there (maybe all of them now?) use their own SMTP internal server. They don't send through a big host like AOL or Yahoo.
So when you can get the virus writers to throttle their output the rest of world can follow along.
I thinnk Compuware uses a public rbl, and it is probably your ip address that is listed somewhere. So a new sub-domain on the same ip address probably won't help much.
What does Windows have to do with the string my OSS email server uses for HELO? Is MS watching the network packets and changing it?
I can see complaining about the DNS problems though. You are right in that MS should be running the entire DNS system to make sure that forward and reverse lookups work. That is what you want right?
>>How long would it take for a spam bot to cultivate through the database, pick-up all the numbers and spam them?
Why bother go through the database? Why not just spend a message to every number possible? It doesn't cost them anything to send the message, so they don't care if it is really in use or not.
Are you implying that my neighbor does not have free speach becuase of what might happen to me?
I guess that might be true in some parts of the world, I didn't take that into account. I am in the US and we are not restricted or threatened by what our neighbors say/do.
I provide anyone a blank check to to use their own backbone, and I give them nothing if they don't have one (no matter what the excuse).
>> Free speech cannot exist without a degree of anonymity
Why is that? I don't see how they are tied together.
Not wishing to be help accountable for your speech might make you want to be anonymous. Not wanting to be held responsible for what you say might make you want to be anonymous.
But neither of those are infringing on your right to free speech. You are given the right to speak freely, you are not given the backbone to do it.
At most he managed to take a fix to the buffer overflow and figure out where it was and how to exploit it.
Or he took the proof-of-concept that was released and used it for a guide.
Why do you think he couldn't do this before the patch was released? All he did was show people don't patch their computer fast enough, he didn't show any skill or new knowledge of holes.
But they don't care about bandwidth. Their problem is being able to send to real people. Those are the ones that might complain and force them to get another provider.
But the bad addresses that no one gets, those are free to send to.
There is no reason to care if an address is good or bad, the cost to send is the same flat rate. No incremental costs.
In fact it will take them time or effort to remove bad addresses, and there is no gain in it. So leave them there and someday someone else might get that email address.
>>fairly complex machine but it's certainly more resistant to tampering then software
Do you really believe this? Could you tell if the machine had been tampered with to skip a vote every 100 or 1000? Could you tell if the counter always incremented the correct way?
Not saying that eletronic voting is the answer, but it is no easier to fix an election with it then with mechanical or any other voting means.
And, remember, dead people still vote. And they can do it just as easy with any method.
>>I know, this is against the old rule "never respond to spam, Spamers will pick it up and use it for spamming"
I hear this a lot, like people saying the 'remove' link is to just verify your email address.
I don't think I buy it. I don't think they care or have a reason to care if the address is good or not.
What happens if they don't get a response? They just send more. They don't care if the address is valid or not.
It doesn't cost them any more to send to them, in fact once they have a connection to send spam they don't have any reason to purge the bad addresses. Why spend time doing something that won't save you money?
I really think the 'remove' hits are just ignored, doesn't make any difference if they are valid or not. And, they can always claim they have the 'un-subscribe' that many laws require.
The cable company pays for more then just delivering the content to you. They also have to pay for the content to deliver. And some channels cost more then others, that is up to who has the channels.
And we are also assuming that the cable company can get just the channels they want, and not have to buy the content in batches the same way we do.
If they want to provide ESPN, what else to also have to buy to provide it?
Or I might have a wreck and just happen to driving over the skid marks from someone else. And without the box the police officier uses them to calculate how fast I was going.
Which would you rather trust? The black box or some officier with a pencil and paper figuring out how fast you were going?
I don't think they can tell if you have been speeding or not. It might say that you drove 50 this amount of time and 100 some other amount, but they won't know what the speed limit was during those times.
>>The human factor should be ignore in most cases and >>We can safetly assume both hypothetical environments are managed by knowledgeable professionals.
I think this is the problem, it can not be ignored.
As it becomes easier to use, the less knowledgeable people will be using it.
Administrators who administrate other computers probably do pretty well. These are "professional" administrators on the whole. They believe a command line is usable.
Administrators who adminstrate only their own computer (Joe Blow Six Pack), do not do as well. They want something more then a command line. These are your home users who don't even know that Windows is just one of many OS's.
So, as things become more usable (or easier to use) the more users without the knowledge will be using it. And that leads to poorer administration.
And we all know that leads to less secure systems.
The only gotcha I see in the answer would be that the original question was asking if you could write a virus that would run on any (or multiple) OS's. That takes the requirement of a executable file out of it.
If somehow you could get a buffer overflow or something that jumped to your code (which would be OS specific I guess) you could then execute any "pure" x86 code you wanted. I just don't see it being able to do a whole lot. Best/Worst case would be directly talk to an IDE interface and corupt drive 0. That would probably take the original exploit to be in the kernal of the infected OS otherwise I think pretty much all OS block user code from that low level access.
But you are right, there is probably going to have to be some OS dependant code in there somewhere to get it started. And it would be some pretty nasty code.
Slashdot Mirror
Try this site, enter your ip and see if any of them have you listed.
http://rbls.org/
Getting off the list is different for each list, you will have to read their site to see.
Just that in itself would cut my spam by about 75%. Seems like a worth while investment to me.
>> The big problem with this approach is that every system that originates email has to cooperate.
And to point out the problem even more, most of the virus out there (maybe all of them now?) use their own SMTP internal server. They don't send through a big host like AOL or Yahoo.
So when you can get the virus writers to throttle their output the rest of world can follow along.
I thinnk Compuware uses a public rbl, and it is probably your ip address that is listed somewhere. So a new sub-domain on the same ip address probably won't help much.
You lost me.
What does Windows have to do with the string my OSS email server uses for HELO? Is MS watching the network packets and changing it?
I can see complaining about the DNS problems though. You are right in that MS should be running the entire DNS system to make sure that forward and reverse lookups work. That is what you want right?
>>How long would it take for a spam bot to cultivate through the database, pick-up all the numbers and spam them?
Why bother go through the database? Why not just spend a message to every number possible? It doesn't cost them anything to send the message, so they don't care if it is really in use or not.
Are you implying that my neighbor does not have free speach becuase of what might happen to me?
I guess that might be true in some parts of the world, I didn't take that into account. I am in the US and we are not restricted or threatened by what our neighbors say/do.
I provide anyone a blank check to to use their own backbone, and I give them nothing if they don't have one (no matter what the excuse).
>> Free speech cannot exist without a degree of anonymity
Why is that? I don't see how they are tied together.
Not wishing to be help accountable for your speech might make you want to be anonymous. Not wanting to be held responsible for what you say might make you want to be anonymous.
But neither of those are infringing on your right to free speech. You are given the right to speak freely, you are not given the backbone to do it.
He did NOT find the buffer overflow in RPC.
At most he managed to take a fix to the buffer overflow and figure out where it was and how to exploit it.
Or he took the proof-of-concept that was released and used it for a guide.
Why do you think he couldn't do this before the patch was released? All he did was show people don't patch their computer fast enough, he didn't show any skill or new knowledge of holes.
Why do you assume that all Microsoft did was study the executable? They could easily of had all sorts of other logs and reports from around the world.
Yes they do have keys, and yes they can upgrade and patch.
But they don't care about bandwidth. Their problem is being able to send to real people. Those are the ones that might complain and force them to get another provider.
But the bad addresses that no one gets, those are free to send to.
There is no reason to care if an address is good or bad, the cost to send is the same flat rate. No incremental costs.
In fact it will take them time or effort to remove bad addresses, and there is no gain in it. So leave them there and someday someone else might get that email address.
Quit trying to confuse the issue with facts! We are technical here, we don't need to be accurate here.
I think that was when WP5.2 was out.
I agree totally.
I really hated to give up my reval codes, but I had to use something that wouldn't crash.
It wasn't that Word killed WP, it was WP commiting suicide.
>>fairly complex machine but it's certainly more resistant to tampering then software
Do you really believe this? Could you tell if the machine had been tampered with to skip a vote every 100 or 1000? Could you tell if the counter always incremented the correct way?
Not saying that eletronic voting is the answer, but it is no easier to fix an election with it then with mechanical or any other voting means.
And, remember, dead people still vote. And they can do it just as easy with any method.
>>I know, this is against the old rule "never respond to spam, Spamers will pick it up and use it for spamming"
I hear this a lot, like people saying the 'remove' link is to just verify your email address.
I don't think I buy it. I don't think they care or have a reason to care if the address is good or not.
What happens if they don't get a response? They just send more. They don't care if the address is valid or not.
It doesn't cost them any more to send to them, in fact once they have a connection to send spam they don't have any reason to purge the bad addresses. Why spend time doing something that won't save you money?
I really think the 'remove' hits are just ignored, doesn't make any difference if they are valid or not. And, they can always claim they have the 'un-subscribe' that many laws require.
The cable company pays for more then just delivering the content to you. They also have to pay for the content to deliver. And some channels cost more then others, that is up to who has the channels.
And we are also assuming that the cable company can get just the channels they want, and not have to buy the content in batches the same way we do.
If they want to provide ESPN, what else to also have to buy to provide it?
Or I might have a wreck and just happen to driving over the skid marks from someone else. And without the box the police officier uses them to calculate how fast I was going.
Which would you rather trust? The black box or some officier with a pencil and paper figuring out how fast you were going?
I don't think they can tell if you have been speeding or not. It might say that you drove 50 this amount of time and 100 some other amount, but they won't know what the speed limit was during those times.
With as many wrecks as there are caused by (or just involving) DRUNK drivers, I think this would be a VERY good idea.
I don't want anyone to have the right or ability to drive drunk.
>> I have a windows box down stairs that is highly usable for my customers (my family)
The catch is they have you. What would that box be like if you never touched it, or explained how to secure it? Would they be doing it as well?
That is what the vast majority of users are, without an administrator and without knowledge.
How many people would change the oil in their car if someone didn't tell them to? It's in the manual, but none of them ever read that.
How many will update their OS if someone doesn't tell them to? It's in the documentation but they never read that.
>>The human factor should be ignore in most cases
and
>>We can safetly assume both hypothetical environments are managed by knowledgeable professionals.
I think this is the problem, it can not be ignored.
As it becomes easier to use, the less knowledgeable people will be using it.
Administrators who administrate other computers probably do pretty well. These are "professional" administrators on the whole. They believe a command line is usable.
Administrators who adminstrate only their own computer (Joe Blow Six Pack), do not do as well. They want something more then a command line. These are your home users who don't even know that Windows is just one of many OS's.
So, as things become more usable (or easier to use) the more users without the knowledge will be using it. And that leads to poorer administration.
And we all know that leads to less secure systems.
AND a few billion in the bank.
We should all be so dumb.
>> They used their monopoly and bullying tactics to try to frighten investors away from Go.
This was in 1993.
Were they a monopoly then? When did they become a monopoly? I find it hard to think that Windows 3.x was a monopoly.
I pretty much agree with you.
The only gotcha I see in the answer would be that the original question was asking if you could write a virus that would run on any (or multiple) OS's. That takes the requirement of a executable file out of it.
If somehow you could get a buffer overflow or something that jumped to your code (which would be OS specific I guess) you could then execute any "pure" x86 code you wanted. I just don't see it being able to do a whole lot. Best/Worst case would be directly talk to an IDE interface and corupt drive 0. That would probably take the original exploit to be in the kernal of the infected OS otherwise I think pretty much all OS block user code from that low level access.
But you are right, there is probably going to have to be some OS dependant code in there somewhere to get it started. And it would be some pretty nasty code.