Thanks for that link; fortunately, I get access to that through work so I didn't need to pay for it. Not sure I would have if I had to though, as I don't like my slashdot *that* much...
Most interesting reading. However, that still required the physical movement of the check from one location to another for payment to be completed, and that's why there were problems when all the planes were grounded. My understanding of the post-9/11 changes and the disputed patent is that it's now possible for clearance to occur before the actual physical transfer back to the writer's bank has occurred - that a standard means of scanning and archiving the checks has now been devised that can be done anywhere, with the check itself meandering its way through the banking system for return to its writer rather than for physical clearance and then return.
MICR and all those other cool technologies meant that it was possible for banks to know how much their customers had written in checks and avoid "kiteing" and other similar practices - and to signal back to the bank in which the check was deposited that it was indeed okay to release the funds once the check had physically traversed the banking system. They're very valuable technologies that save all kinds of data entry issues and make possible things like automated physical routing of checks. But it still relied on the check getting from A to B in a certain period of time.
Should further enhancements to check processing have been done by the banking industry or a technical committee? Probably - it's been done before, in the 1950's as you quite rightly pointed out with regard to MICR and all the automated routing stuff . Were enhancements like a standardized scanning and data transfer mechanism to facilitate check processing, and allow the checks themselves to be transferred simply for return to their writers rather than as part of the clearance process, done by the banking industry or a technical committee? It looks more like that was invented privately, and either those standards or others that infringed on that patent were adopted by the banks.
I have modpoints, but unfortunately I can't mod up a reply to my own posts. Can someone else please give this AC some more prominence?
Several banks thought Ballard's company offered the tech at reasonable terms - or, at least, at terms they felt they couldn't refuse or that it wasn't worth refusing - so I wonder what exactly stopped the other banks entering into such arrangements.
I'm going to assume, for the sake of argument, that Ballard is completely in the right and those banks that didn't licence the tech - "stole it", let's say - are completely in the wrong. That may or may not be the case, in reality, but it makes for some interesting thoughts.
Even if Ballard's licencing terms had been ramped up in the face of constant bad-faith dealings by the banks, shouldn't those banks be penalised for that behaviour? What dis-incentive is there for others who might try the same thing in future if the penalty for stealing the tech for X years is having to pay less when the government recovers through taxation whatever relative pittance the banks convince it to pay Ballard's company for the compulsory acquisition of his invention? Sure, lower costs may be good for society-at-large, but so is more responsible and ethical corporate behaviour.
If I understand correctly, Ballard claims to have developed these techniques and methods in the mid-90's, at a time when physical transfer of checks was required - federal law would not have allowed those methods at that time.
Then, the world turned upside-down - and his invention became a necessity.
DataTreasury has negotiated licencing with some financial institutions, but there are others that seem to feel that they shouldn't have to pay and aren't afraid to try to make the US taxpayer pay instead.
While it may be possible to characterise DataTreasury as a "patent troll" by some readings of the term, Ballard appears to be the first to have come up with and documented those methods and techniques and that's been upheld by the USPTO. DataTreasury claims to have attempted to sell the patent-protected system to the banks, who went ahead and ran with their own implementations. Isn't the patent system supposed to be about providing a limited-term monopoly for those who come up with ideas, whether it's an idea for a better mousetrap or a method of performing financial transfers? Isn't it possible that the banks are trying to use their sheer size and influence to avoid paying for something that they really ought to?
Everybody likes horses and other farm animals, right?
Maybe his kids will appreciate seeing pictures of others their own age with similar interests. Plus, most kids these days don't get to see anywhere near enough of Grandma.
...you Guilty of Paedophilia, because your iris code - as identified from the metadata of images you have shared on Flickr - has been found in images taken by a Kiddie-Fiddler in Thailand and posted to irootkids.com
Your protestations that such data is insecure and easily manipulated is nonce-sense, for you are a nonce - as proven by the facts that someone with a hex-editor and too much time on his hands has implicated you in such heinous acts, your credit card records that show that you ate at a Thai restaurant, the half-remembered recollection of the waitress that you ordered Tom-Yum soup and the fact that your son's name is Tom.
And now, on a more serious note...
Surely anyone involved in professional production of such materials these days would "file the serial numbers off" before distribution, meaning they'd strip as much of the metadata off as they could and would turn such features off in cameras they used. However, there would be a sufficient number of people who didn't do that to make it worth pursuing leads that identified a particular camera or photographer. My question is, how easy would it be to forge such incriminating photographs? If you knew a particular politician owned a particular camera model, and you could get a couple of sample images from it, would it be worth your while having someone in Thailand take pervy pics with the same model and passing all that information over to someone who could produce a believable hybrid file with the pervy images and the real meta-data?
Are you aware of a remote arbitrary code execution bug in an SSH server that we missed?
Right now? No, of course not. My point is that there have been such beasties in the past, and it's dangerous to assume that there couldn't possibly be such issues in the future, so it's best to ensure that all locally-exploitable problems are patched just in case they do manage to get in. With SSH it's probably less likely than with something like the PHP or mail scanning examples because it has hard-core security experts going over it all the time, but I'd never assume that it couldn't happen.
I, for one, trust myself and am the sole user of my heavily-password-protected computer. Looks like I'm fine, and it sounds like the easiest solution in a private setting to me.
Indeed, it's only exploitable if someone can get at it. If you don't offer any services whatsoever to the outside world, then you should be okay.
The problem is, even though you're the sole user, that if other exploits appear they could piggyback this to escalate from, say, access as www-user to access as root. Got any http services on that box for your own convenience, and any of those use PHP? Based on past experiences, this might hose you. Got SSH on there? Again, based on past experiences, this might hose you. Sendmail and some kind of mailscanning? Again, this might hose you.
It's not just a matter of whether or not you trust your users - it's also a matter of whether or not you trust anyone who attempts to exploit some other service your box offers to not try for root access once they get in. "Please, Mr Blackhat, you've gained access to my box, but please don't elevate that to root!" sounds more than a little naieve, and even a little stupid, but that's exactly what people who leave a whole lot of locally exploitable vulnerabilities on their boxes are saying. By not leaving this kind of thing laying around, you are making it a little bit more difficult for anyone who does manage to gain access to your box to gain full access to it.
Security is all about healthy paranoia, and a belt AND braces AND duct tape approach can pay dividends.
Am I personally worried about this? On my work machine and servers I administer, hell yeah - always on, always connected, running various things that in the past have had vulnerabilities - of course I am, I'd be stupid not to be. At home (dial-up, behind a firewall with NAT, nothing much in the way of services, turned off most of the time even though I don't usually bother turning off my WEP-protected wireless access point), not so much - and not just because the only accounts are held by me. I don't broadcast the SSID, I have a couple of neighbors with no security on their broadband-connected wireless access points, and I don't run an awful lot in the way of remote services when I do have my home machines running. If I had broadband at home and a machine that was running anything that was remotely accessible, or if I didn't have a vertiable smorgasbord of less security-conscious neighbours - I'd fix this at home in a heartbeat.
...and open your mail, and tap your phone, and monitor your internet traffic, because you have different views and aren't afraid to state them. All quite legally. And in many others, they'd probably do it anyway if they felt it was "right" to do so.
Parent raises a fair and intersting point, that Bush considers the FISC to be an impediment to those who are simply trying to protect the American People. If the FISC was merely rubber-stamping whatever the U.S. Government wanted to do, then how could its oversight prevent government from protecting the American People? How come this deserves the "Troll" mod it got?
They say those who don't understand history are doomed to repeat it. Seems to me like a lot of Americans need to bone up on things like the Church Committee.
Oh - and, if it is porn... why the heck are you blocking/getting up set at your teenage kid from watching porn?
In my case, it'd be because I don't trust them to steer clear of adware/spyware-laden sites and I don't want to be forever clearing up their computers. Also, while there is some porn out there that could be considered "tasteful" and "non-demeaning" (to either the participants or the viewers), there's a lot that is pretty offensive - I don't want them learning about human relationships from bangbros or teenagedykeswhoeatshit.com
Plus, there's the fact that I'm scared of their mother.
It makes an excellent L.A.R.T. and has a very nice feel to the keys
Personally, I keep a hand-crafted Cat-5 o' Nine Tails (or two, or three, or...) on the coat rack just inside my office door. Each was lovingly crafted from bundles of cable ripped out during data centre renovations. The implied menace in that display is more than enough to solve most problems without the need for physical exertion. Of course, if I ever did need to do so, I could beat someone to death with either of the two Model M keyboards on my desk while they're distracted by my somewhat disturbing handicrafts.
The depressing thing is, as a man I can't really think of why we should be allowed to stick around.
Oh, me, me, me! I'll field this one.
Creating sperm from stem cells requires careful application of technology, and that technology is potentially pretty costly. We're no longer talking about most people reproducing by, well, a Barry White album and inserting tab A in slot B and squirting - at least, not until we can guarantee production of not just an artificial sperm cell but also of fully artificial semen, which is a pretty complicated mixture that ensures nutrition and protection for the little swimmers in what's a really hostile environment for them. What we're talking about here, at least for the foreseeable future, is a technique that will require costly production of artificial sperm cells, fertilization in vitro, and implantation of the embryo. We're talking about application of IVF techniques, and probably in people who would be biologically capable of conceiving in the usual manner but who choose not to. You know what the drugs involved in stimulating ovulation so a number of ova can be harvested cost? Enough to put them out of the reach of most in countries like the United States. Add to that the cost of procedures like harvesting ova, harvesting bone marrow and producing sperm, laboratory fertilization, implantation etc, and we're talking about huge amounts of money.
Now, what happens if that technology suddenly becomes unavailable for some reason, to some or all? Disaster, economic collapse, deliberately pricing it out of the reach of those who choose a subsistence agricultural lifestyle, deliberately making it unavailable to some for some reason or other (religious/cultural/political beliefs, racial/eugenic arguments like "Red-heads are more susceptible to skin cancer and threfore shouldn't breed, but the racially-superior Africans can and must", etc). If we lose the ability to reproduce without technological assistance, we're in deep shit if we lose that technology - or entire groups could be bred out of existance by denying them access to that technology.
I believe women have the right to control their reproductive destiny, and the right to make all kinds of choices about their bodies and what they stick in them or take out of them. I also believe that humanity has an obligation to consider the survival of our own species, and for that reason we ought to keep men around for at least the next few thousand years - just in case we find ourselves needing to start our industrial civilization up from scratch, or in case some future government or company wants to regulate who gets to breed.
My own children were conceived with technological assistance, so personally I have a problem with anyone being denied the right to have their own biolical children if the technology for that is available - and yes, that includes not having a problem with whatever their geneders or sexual preferences may be. I do, however, have a problem with a possible future in which reproductive choices have been removed, including the one that is most cost-effective in the majority of cases - just having tab-a-in-slot-b sex for a while without contraception. Removing that from our reproductive repertoire could just be asking for trouble.
Perhaps. But the really annoying thing is that many ISPs will just bounce such an email, with a generic, uninformative mesage "could not send" or the like, leaving the user with no fucking clue as to the problem.
That's actually two of my pet peeves.
The first is that some mail systems - and some mail clients - don't adequately display rejection data that's been passed back to them when the message was refused. Hotmail immediately springs to mind - the rejection data is buried in an attachment that most users won't know to open for diagnostic info, and many users have been actively educated to not open attachments. Gmail does this better - rejection data is displayed in a more usable manner. Sometimes rejection data is adequately displayed in Outlook, sometimes its not. The info could be available to the mail system that creates the non-delivery notification, but for various reasons it might not be visible to the sender of the problem message.
The second is that sometimes the organisation that blocked the message is providing info that's too brief and too cryptic. EVERY rejection my mail system issues contains reasons for the block and an invitation to contact postmaster at my work domain (which is completely unfiltered, apart from virus scanning...). There is no reason, apart from laziness or incompetence, for other mail systems to just say "550 Blocked, Nyah-Nyah!" and leave it at that.
Or worse, just silently dropping the message, leaving you to find out days later that your email did not get through.
That's just plain evil. I don't drop anything, ever. I'd go so far as to say that only the lazy or incompetent, or a few who have no other choice as a result of the laziness/cheapness/incompetenece of those they work for, do that. However, there are things that can look like messages being dropped, but in fact are not. Anything where a whole lot of suspected crap goes over somewhere where the recipient is expected to check it can look like messages are being dropped - whether it's a server-side separate quarantine, or a "Suspected Spam" folder that's filled by either the server or the user's own mail client. Who the hell reads through all that crap? That's actually one of the reasons why I have rejection messages that are as informative as I can make them - at one time we rejected very little and relied on SpamAssassin scoring at the desktop to shift suspected spam, but that's no good when you have high-scoring-but-legitimate webmail coming from Chinese universities in a folder full of Penis Patch spam. Lots of noise, very little signal, and wanted stuff just got lost. It's far more productive for a couple of senders to get bounces and for me to either help the sender send messages that won't bounce or re-think my filters than for potentially hundreds or thousands of messages to go "missing" because my users are too damn lazy to adequately check their junk before deleting it.
All of which makes it important that senders do everything they can to avoid tripping various tests. Just as you wouldn't send important personal correspondance in an envelope that made the message look like it was from Readers Digest, you should avoid sending email that might look in any way like it's not going to be wanted. Some of us mail admins will do everything we can to help out people who can't communicate with our users, others won't give a flying fsck and won't even tell you that stuff is being lost, but you can avoid the problem all together by thinking carefully about what and how you send. I agree you shouldn't have to, but that's the way things are. No wonder a lot of people (especially younger users) are abandoning email and are moving to that new-fangled IM stuff and some of the social networking sites for keeping up with friends - in some ways, email is just getting too damn hard and too much to think about.
If what was blocked was a URL that contained his home IP address, then yes, that sounds more than reasonable to me. Hell, it makes sense for ISPs to not only block outbound email that contains a link to IP addresses in their own DSL ranges but also to IP addresses listed as dynamic by various RBLs - as a mail admin at a University, who sees all kinds of problems caused by crap coming out of ISP mail relays, I applaud this effort. Maybe they should start looking at using a few URIBLs to filter outbound mail too, as that would catch things that have been picked up elsewhere as being spamvertised. That might upset a few of their users with links in their signatures to the pyramid-marketing fruitjuice or e-marketing scheme they're trying to sucker people into, but that's not a big deal IMO (every couple of months I get an external sender complaining that we've blocked their mail for what turns out to be just such a URL - we've got thousands of rejections per day that are at least in part due to URIBLs, and that's almost exclusively the kind of "false-positive" I get from URIBLs. I've had the occasional "real business" with polluted lists, but for the most part they're effective and painless. Makes it hard to discuss spam or viruses with the raw URLs though, which I assume is part of why [whatever]CERT munges URLs in its notifications)
I don't consider this censorship - I consider it risk-minimisation. Almost all email that contains a numeric URL is likely to be spam, but probably not all of it - so it makes sense, to me, to block outbound mail that contains either one one of your organisation's DSL IP addresses or the ISP-assigned PTR for that IP address. There are lots of dynamic DNS providers out there, so why not use one of them?
Anyway, in this day and age anyone sending mail with an IP address in a URL needs their head examined - unless they know for a FACT that it will get through to their intended recipient, and they have VERY good reasons to do so. There are lots of different filtering systems out there, and some of them do things that you or I might consider odd or inappropriate. Maybe some organisation's mail system has a spam quarantine system, and messages with numeric URLs go there - along with every other one of the several thousand pieces of junk some users get per week. Who has time to check that? As a result, real messages WILL get lost amongst the garbage. Same deal with local filtering.
At least with a good, honest block (at either your ISP's end, or the recipient's), you *know* there's a problem and can do something about it. Quarantining, routing to/dev/null (which is close enough in practice to what happens in practice for quarantined messages for heavily spammed users), local filtering at the desktop and the like can all result in a recipient never seeing a message and the sender not knowing that it wasn't seen. This is *NOT* your Grandpa's Internet - it's a terrific example of the Tragedy of the Commons, where the spammers and scammers and fuckwits have ruined things for everybody. We can whine about the unfairness of these kinds of measures and their effects, much as we might whine about the unfairness of driving tests or three-day waits to purchase handguns or the limits to the quantity of pseudoephedrine we can purchase over the counter, or we can look at the reasons why such measures might be appropriate and try to find ways to ensure we can work within the limits that are there. You want to drive, spend time at the pistol range or treat your hayfever? Fine, you can do that, but there are some things you need to do to ensure others are protected from arsehats. You want to send mail? Fine, you can do that, but again there may be some things you need to take into account that protect you and others from arsehats too.
And what about places like Hawaii, where there were no mosquitoes until they were introduced by man? Hawaiian biota managed to do just fine before mosquitoes were introduced. Surely it wouldn't be a terrible thing to eradicate them there?
Eradicating mosquitoes in Hawaii probably wouldn't cause a major ecological disruption - unless the mosquitoes themselves had completely displaced some other organism in some niche (as either prey or predator) - but it's harder to say what would happen elsewhere. What happens to all the things that eat mosquitoes and mosquito larvae if there aren't any mosquitoes? Also, for much of the time, mosquitoes are nectar-feeders too - so if there are plants that depend primarily on mosquitoes for pollination, there could be an impact on organisms that depend on those plants. Sure, life adjusts, and a new equilibrium is established - eventually. That still doesn't mean we shouldn't be damn careful, because in the meantime there's a chance that we could do something that we'd find extremely inconvenient or unfortunate.
We'll be able to genetically replicate those soon too
Maybe we will, at that. It all depends on how the guys working on bringing the mammoth and dodo back make out, and on whether or not any of the various Jesus-Relics turn out to be real and have useable DNA.
There might be skin cells on the Shroud of Turin, but by now any original ones would probably be adrift in a sea of others from all those who've handled it over the years. There have been a number of foreskins, an umbilical cord, blood specimens and milk teeth that have been claimed to be holy relics over the centuries. There's also the supposed ossuary containing the bones of James, brother of Jesus, which would make for interesting comparisons - as would the contents of one of the ossuaries from the Talpiot tomb, which supposedly claims to contain the bones of Jesus, son of Joseph.
Actually, now that I think about it, we probably won't see a JesusClone(TM)- unless some weird cult decides to follow practices similar to those seen in Marc Laidlaw's novel, Dad's Nuke, and feed their followers cloned blood plasma derived from the Holy Foreskin. More likely than not, those in control of the various relics will do whatever they can to stop those pesky molecular geneticisists doing anything that might disprove the resurrection. Not that it's disprovable by anything earthly, of course - it's all a matter of faith, and the Bible tells us all we need to know on the matter, as you should well know;-) - but there's no point confusing the sinners further.
It looks like you too have been misled by the code.
Looks like I just didn't look hard enough, or didn't have enough coffee or smoked too much crack - thanks for that.
I have to wonder, though, just how many sets of results he gets at the hotmail.fr or yahoo.fr addresses - it isn't hard to imagine a scenario in which one of the kiddies forgets to make the necessary changes, and ends up phishing for Mr Brain's benefit alone.
Naturally Netcraft won't tell you the real site name:-)
Naturally. And who can blame them? I certainly don't - who knows what kind of nasties they might have lurking on those pages waiting for unsuspecting CEO's and CIO's and security experts who ought to know better?
However, Google is your friend. Within 30 seconds of looking over the Netcraft article for helpfully unique strings, I found it. And went looking with lynx:-) I won't give the URL, to protect the stupid from themselves, but it's not that hard to find.
They've got ready-rolled scams for abbey.co.uk, bankofamerica.com, cahoot.co.uk, chase.com, egold.com, ebay.com, hsbc,co.uk, lloydstsb.com, moneybookers.com, nationwide.co.uk, nbk.com.kw, paypal.com, regions.com, stgeorge.com.au, wachovia.com and westernunion.com - and in some cases, they have more than one for particular organisations.
Cool. Now who has a spare botnet, is willing to wade through this arsehole's source, and is willing to send garbage values to al-brain@hotmail.fr and albrain08@yahoo.fr?
I have had my 360 since a few months after the lauch and I have never had any RROD problems with it either.
Then again, I'm having good luck with Vista so I guess I'm inversely jinxed.
There's a Mr Satan on Line 2, Mr Chrutil. Something about coming over to collect payment.
Was that an errant "like"? Or did you really mean to say that a giant monster is going to befriend two farmers in the middle of Kansas?
mlingojones actually meant to say that the giant monster is going to have sex with two farmers in the middle of Kansas, but was too coy to write "know" and used "like" instead. He has a screenplay in development at the moment, and didn't want to frighten off potential backers with talk of sex.
Me, I'm not so frightened of scaring backers. I have a screenplay in development at the moment too. An alien starship develops catastrophic engine trouble and crashes in Siberia in 1908, but not before two lifepods are ejected. Due to the odd workings of the ship's drive, and as a convenient plot-device, the pods end up landing in different decades. The first one, which this story doesn't concern, lands in New Mexico in the late 1940s. The second one lands in Deliverance-country in the 1970s...
If the site was detecting the user agent or using some other method of determining platform and delivering targeted malware based on it, I doubt they would have also been delivering a fake Mac scan to a Windows browser as they did in the article.
Depends on their intentions, and they could have different plans for different targets.
With Mac users, their intentions might be to sell a product to remove a problem that the user doesn't have... or to give them a problem that can be removed through the purchase of their "remover" product. Or they could be phishing for credit card numbers...
With Windows users, they could be hoping for an influx of people who've received the link from a friend, with the obligatory "I can't believe how stupid spammers think we are - look, it tells me my Windows machine has Mac spyware!" comments... and then installing a Windows rootkit through browser defects. Making themselves look stupid has caused at least one journalist to let their guard down and visit the site.
Slashdot Mirror
Thanks for that link; fortunately, I get access to that through work so I didn't need to pay for it. Not sure I would have if I had to though, as I don't like my slashdot *that* much...
Most interesting reading. However, that still required the physical movement of the check from one location to another for payment to be completed, and that's why there were problems when all the planes were grounded. My understanding of the post-9/11 changes and the disputed patent is that it's now possible for clearance to occur before the actual physical transfer back to the writer's bank has occurred - that a standard means of scanning and archiving the checks has now been devised that can be done anywhere, with the check itself meandering its way through the banking system for return to its writer rather than for physical clearance and then return.
MICR and all those other cool technologies meant that it was possible for banks to know how much their customers had written in checks and avoid "kiteing" and other similar practices - and to signal back to the bank in which the check was deposited that it was indeed okay to release the funds once the check had physically traversed the banking system. They're very valuable technologies that save all kinds of data entry issues and make possible things like automated physical routing of checks. But it still relied on the check getting from A to B in a certain period of time.
Should further enhancements to check processing have been done by the banking industry or a technical committee? Probably - it's been done before, in the 1950's as you quite rightly pointed out with regard to MICR and all the automated routing stuff . Were enhancements like a standardized scanning and data transfer mechanism to facilitate check processing, and allow the checks themselves to be transferred simply for return to their writers rather than as part of the clearance process, done by the banking industry or a technical committee? It looks more like that was invented privately, and either those standards or others that infringed on that patent were adopted by the banks.
I have modpoints, but unfortunately I can't mod up a reply to my own posts. Can someone else please give this AC some more prominence?
Several banks thought Ballard's company offered the tech at reasonable terms - or, at least, at terms they felt they couldn't refuse or that it wasn't worth refusing - so I wonder what exactly stopped the other banks entering into such arrangements.
I'm going to assume, for the sake of argument, that Ballard is completely in the right and those banks that didn't licence the tech - "stole it", let's say - are completely in the wrong. That may or may not be the case, in reality, but it makes for some interesting thoughts.
Even if Ballard's licencing terms had been ramped up in the face of constant bad-faith dealings by the banks, shouldn't those banks be penalised for that behaviour? What dis-incentive is there for others who might try the same thing in future if the penalty for stealing the tech for X years is having to pay less when the government recovers through taxation whatever relative pittance the banks convince it to pay Ballard's company for the compulsory acquisition of his invention? Sure, lower costs may be good for society-at-large, but so is more responsible and ethical corporate behaviour.
If I understand correctly, Ballard claims to have developed these techniques and methods in the mid-90's, at a time when physical transfer of checks was required - federal law would not have allowed those methods at that time.
Then, the world turned upside-down - and his invention became a necessity.
DataTreasury has negotiated licencing with some financial institutions, but there are others that seem to feel that they shouldn't have to pay and aren't afraid to try to make the US taxpayer pay instead.
While it may be possible to characterise DataTreasury as a "patent troll" by some readings of the term, Ballard appears to be the first to have come up with and documented those methods and techniques and that's been upheld by the USPTO. DataTreasury claims to have attempted to sell the patent-protected system to the banks, who went ahead and ran with their own implementations. Isn't the patent system supposed to be about providing a limited-term monopoly for those who come up with ideas, whether it's an idea for a better mousetrap or a method of performing financial transfers? Isn't it possible that the banks are trying to use their sheer size and influence to avoid paying for something that they really ought to?
...you Guilty of Paedophilia, because your iris code - as identified from the metadata of images you have shared on Flickr - has been found in images taken by a Kiddie-Fiddler in Thailand and posted to irootkids.com
Your protestations that such data is insecure and easily manipulated is nonce-sense, for you are a nonce - as proven by the facts that someone with a hex-editor and too much time on his hands has implicated you in such heinous acts, your credit card records that show that you ate at a Thai restaurant, the half-remembered recollection of the waitress that you ordered Tom-Yum soup and the fact that your son's name is Tom.
And now, on a more serious note...
Surely anyone involved in professional production of such materials these days would "file the serial numbers off" before distribution, meaning they'd strip as much of the metadata off as they could and would turn such features off in cameras they used. However, there would be a sufficient number of people who didn't do that to make it worth pursuing leads that identified a particular camera or photographer. My question is, how easy would it be to forge such incriminating photographs? If you knew a particular politician owned a particular camera model, and you could get a couple of sample images from it, would it be worth your while having someone in Thailand take pervy pics with the same model and passing all that information over to someone who could produce a believable hybrid file with the pervy images and the real meta-data?
I've been married for 18 years - enough said.
The problem is, even though you're the sole user, that if other exploits appear they could piggyback this to escalate from, say, access as www-user to access as root. Got any http services on that box for your own convenience, and any of those use PHP? Based on past experiences, this might hose you. Got SSH on there? Again, based on past experiences, this might hose you. Sendmail and some kind of mailscanning? Again, this might hose you.
It's not just a matter of whether or not you trust your users - it's also a matter of whether or not you trust anyone who attempts to exploit some other service your box offers to not try for root access once they get in. "Please, Mr Blackhat, you've gained access to my box, but please don't elevate that to root!" sounds more than a little naieve, and even a little stupid, but that's exactly what people who leave a whole lot of locally exploitable vulnerabilities on their boxes are saying. By not leaving this kind of thing laying around, you are making it a little bit more difficult for anyone who does manage to gain access to your box to gain full access to it.
Security is all about healthy paranoia, and a belt AND braces AND duct tape approach can pay dividends.
Am I personally worried about this? On my work machine and servers I administer, hell yeah - always on, always connected, running various things that in the past have had vulnerabilities - of course I am, I'd be stupid not to be. At home (dial-up, behind a firewall with NAT, nothing much in the way of services, turned off most of the time even though I don't usually bother turning off my WEP-protected wireless access point), not so much - and not just because the only accounts are held by me. I don't broadcast the SSID, I have a couple of neighbors with no security on their broadband-connected wireless access points, and I don't run an awful lot in the way of remote services when I do have my home machines running. If I had broadband at home and a machine that was running anything that was remotely accessible, or if I didn't have a vertiable smorgasbord of less security-conscious neighbours - I'd fix this at home in a heartbeat.
...and open your mail, and tap your phone, and monitor your internet traffic, because you have different views and aren't afraid to state them. All quite legally. And in many others, they'd probably do it anyway if they felt it was "right" to do so.
Parent raises a fair and intersting point, that Bush considers the FISC to be an impediment to those who are simply trying to protect the American People. If the FISC was merely rubber-stamping whatever the U.S. Government wanted to do, then how could its oversight prevent government from protecting the American People? How come this deserves the "Troll" mod it got?
They say those who don't understand history are doomed to repeat it. Seems to me like a lot of Americans need to bone up on things like the Church Committee.
Plus, there's the fact that I'm scared of their mother.
Q. Why do network admins prefer low-fibre diets?
A. Do *you* really want a backhoe in *your* colon?
Creating sperm from stem cells requires careful application of technology, and that technology is potentially pretty costly. We're no longer talking about most people reproducing by, well, a Barry White album and inserting tab A in slot B and squirting - at least, not until we can guarantee production of not just an artificial sperm cell but also of fully artificial semen, which is a pretty complicated mixture that ensures nutrition and protection for the little swimmers in what's a really hostile environment for them. What we're talking about here, at least for the foreseeable future, is a technique that will require costly production of artificial sperm cells, fertilization in vitro, and implantation of the embryo. We're talking about application of IVF techniques, and probably in people who would be biologically capable of conceiving in the usual manner but who choose not to. You know what the drugs involved in stimulating ovulation so a number of ova can be harvested cost? Enough to put them out of the reach of most in countries like the United States. Add to that the cost of procedures like harvesting ova, harvesting bone marrow and producing sperm, laboratory fertilization, implantation etc, and we're talking about huge amounts of money.
Now, what happens if that technology suddenly becomes unavailable for some reason, to some or all? Disaster, economic collapse, deliberately pricing it out of the reach of those who choose a subsistence agricultural lifestyle, deliberately making it unavailable to some for some reason or other (religious/cultural/political beliefs, racial/eugenic arguments like "Red-heads are more susceptible to skin cancer and threfore shouldn't breed, but the racially-superior Africans can and must", etc). If we lose the ability to reproduce without technological assistance, we're in deep shit if we lose that technology - or entire groups could be bred out of existance by denying them access to that technology.
I believe women have the right to control their reproductive destiny, and the right to make all kinds of choices about their bodies and what they stick in them or take out of them. I also believe that humanity has an obligation to consider the survival of our own species, and for that reason we ought to keep men around for at least the next few thousand years - just in case we find ourselves needing to start our industrial civilization up from scratch, or in case some future government or company wants to regulate who gets to breed.
My own children were conceived with technological assistance, so personally I have a problem with anyone being denied the right to have their own biolical children if the technology for that is available - and yes, that includes not having a problem with whatever their geneders or sexual preferences may be. I do, however, have a problem with a possible future in which reproductive choices have been removed, including the one that is most cost-effective in the majority of cases - just having tab-a-in-slot-b sex for a while without contraception. Removing that from our reproductive repertoire could just be asking for trouble.
The first is that some mail systems - and some mail clients - don't adequately display rejection data that's been passed back to them when the message was refused. Hotmail immediately springs to mind - the rejection data is buried in an attachment that most users won't know to open for diagnostic info, and many users have been actively educated to not open attachments. Gmail does this better - rejection data is displayed in a more usable manner. Sometimes rejection data is adequately displayed in Outlook, sometimes its not. The info could be available to the mail system that creates the non-delivery notification, but for various reasons it might not be visible to the sender of the problem message.
The second is that sometimes the organisation that blocked the message is providing info that's too brief and too cryptic. EVERY rejection my mail system issues contains reasons for the block and an invitation to contact postmaster at my work domain (which is completely unfiltered, apart from virus scanning...). There is no reason, apart from laziness or incompetence, for other mail systems to just say "550 Blocked, Nyah-Nyah!" and leave it at that.
That's just plain evil. I don't drop anything, ever. I'd go so far as to say that only the lazy or incompetent, or a few who have no other choice as a result of the laziness/cheapness/incompetenece of those they work for, do that. However, there are things that can look like messages being dropped, but in fact are not. Anything where a whole lot of suspected crap goes over somewhere where the recipient is expected to check it can look like messages are being dropped - whether it's a server-side separate quarantine, or a "Suspected Spam" folder that's filled by either the server or the user's own mail client. Who the hell reads through all that crap? That's actually one of the reasons why I have rejection messages that are as informative as I can make them - at one time we rejected very little and relied on SpamAssassin scoring at the desktop to shift suspected spam, but that's no good when you have high-scoring-but-legitimate webmail coming from Chinese universities in a folder full of Penis Patch spam. Lots of noise, very little signal, and wanted stuff just got lost. It's far more productive for a couple of senders to get bounces and for me to either help the sender send messages that won't bounce or re-think my filters than for potentially hundreds or thousands of messages to go "missing" because my users are too damn lazy to adequately check their junk before deleting it.
All of which makes it important that senders do everything they can to avoid tripping various tests. Just as you wouldn't send important personal correspondance in an envelope that made the message look like it was from Readers Digest, you should avoid sending email that might look in any way like it's not going to be wanted. Some of us mail admins will do everything we can to help out people who can't communicate with our users, others won't give a flying fsck and won't even tell you that stuff is being lost, but you can avoid the problem all together by thinking carefully about what and how you send. I agree you shouldn't have to, but that's the way things are. No wonder a lot of people (especially younger users) are abandoning email and are moving to that new-fangled IM stuff and some of the social networking sites for keeping up with friends - in some ways, email is just getting too damn hard and too much to think about.
Thank you, thank you, I'll be here all week...
If what was blocked was a URL that contained his home IP address, then yes, that sounds more than reasonable to me. Hell, it makes sense for ISPs to not only block outbound email that contains a link to IP addresses in their own DSL ranges but also to IP addresses listed as dynamic by various RBLs - as a mail admin at a University, who sees all kinds of problems caused by crap coming out of ISP mail relays, I applaud this effort. Maybe they should start looking at using a few URIBLs to filter outbound mail too, as that would catch things that have been picked up elsewhere as being spamvertised. That might upset a few of their users with links in their signatures to the pyramid-marketing fruitjuice or e-marketing scheme they're trying to sucker people into, but that's not a big deal IMO (every couple of months I get an external sender complaining that we've blocked their mail for what turns out to be just such a URL - we've got thousands of rejections per day that are at least in part due to URIBLs, and that's almost exclusively the kind of "false-positive" I get from URIBLs. I've had the occasional "real business" with polluted lists, but for the most part they're effective and painless. Makes it hard to discuss spam or viruses with the raw URLs though, which I assume is part of why [whatever]CERT munges URLs in its notifications)
/dev/null (which is close enough in practice to what happens in practice for quarantined messages for heavily spammed users), local filtering at the desktop and the like can all result in a recipient never seeing a message and the sender not knowing that it wasn't seen. This is *NOT* your Grandpa's Internet - it's a terrific example of the Tragedy of the Commons, where the spammers and scammers and fuckwits have ruined things for everybody. We can whine about the unfairness of these kinds of measures and their effects, much as we might whine about the unfairness of driving tests or three-day waits to purchase handguns or the limits to the quantity of pseudoephedrine we can purchase over the counter, or we can look at the reasons why such measures might be appropriate and try to find ways to ensure we can work within the limits that are there. You want to drive, spend time at the pistol range or treat your hayfever? Fine, you can do that, but there are some things you need to do to ensure others are protected from arsehats. You want to send mail? Fine, you can do that, but again there may be some things you need to take into account that protect you and others from arsehats too.
I don't consider this censorship - I consider it risk-minimisation. Almost all email that contains a numeric URL is likely to be spam, but probably not all of it - so it makes sense, to me, to block outbound mail that contains either one one of your organisation's DSL IP addresses or the ISP-assigned PTR for that IP address. There are lots of dynamic DNS providers out there, so why not use one of them?
Anyway, in this day and age anyone sending mail with an IP address in a URL needs their head examined - unless they know for a FACT that it will get through to their intended recipient, and they have VERY good reasons to do so. There are lots of different filtering systems out there, and some of them do things that you or I might consider odd or inappropriate. Maybe some organisation's mail system has a spam quarantine system, and messages with numeric URLs go there - along with every other one of the several thousand pieces of junk some users get per week. Who has time to check that? As a result, real messages WILL get lost amongst the garbage. Same deal with local filtering.
At least with a good, honest block (at either your ISP's end, or the recipient's), you *know* there's a problem and can do something about it. Quarantining, routing to
I mean, c'mon, about ten years ago, subject line of "ILOVEYOU"...
What? You don't remember? Okay then, GIT OF MA LAWN!
There might be skin cells on the Shroud of Turin, but by now any original ones would probably be adrift in a sea of others from all those who've handled it over the years. There have been a number of foreskins, an umbilical cord, blood specimens and milk teeth that have been claimed to be holy relics over the centuries. There's also the supposed ossuary containing the bones of James, brother of Jesus, which would make for interesting comparisons - as would the contents of one of the ossuaries from the Talpiot tomb, which supposedly claims to contain the bones of Jesus, son of Joseph.
Actually, now that I think about it, we probably won't see a JesusClone(TM)- unless some weird cult decides to follow practices similar to those seen in Marc Laidlaw's novel, Dad's Nuke, and feed their followers cloned blood plasma derived from the Holy Foreskin. More likely than not, those in control of the various relics will do whatever they can to stop those pesky molecular geneticisists doing anything that might disprove the resurrection. Not that it's disprovable by anything earthly, of course - it's all a matter of faith, and the Bible tells us all we need to know on the matter, as you should well know
I have to wonder, though, just how many sets of results he gets at the hotmail.fr or yahoo.fr addresses - it isn't hard to imagine a scenario in which one of the kiddies forgets to make the necessary changes, and ends up phishing for Mr Brain's benefit alone.
However, Google is your friend. Within 30 seconds of looking over the Netcraft article for helpfully unique strings, I found it. And went looking with lynx
They've got ready-rolled scams for abbey.co.uk, bankofamerica.com, cahoot.co.uk, chase.com, egold.com, ebay.com, hsbc,co.uk, lloydstsb.com, moneybookers.com, nationwide.co.uk, nbk.com.kw, paypal.com, regions.com, stgeorge.com.au, wachovia.com and westernunion.com - and in some cases, they have more than one for particular organisations.
Cool. Now who has a spare botnet, is willing to wade through this arsehole's source, and is willing to send garbage values to al-brain@hotmail.fr and albrain08@yahoo.fr?
Me, I'm not so frightened of scaring backers. I have a screenplay in development at the moment too. An alien starship develops catastrophic engine trouble and crashes in Siberia in 1908, but not before two lifepods are ejected. Due to the odd workings of the ship's drive, and as a convenient plot-device, the pods end up landing in different decades. The first one, which this story doesn't concern, lands in New Mexico in the late 1940s. The second one lands in Deliverance-country in the 1970s...
With Mac users, their intentions might be to sell a product to remove a problem that the user doesn't have... or to give them a problem that can be removed through the purchase of their "remover" product. Or they could be phishing for credit card numbers...
With Windows users, they could be hoping for an influx of people who've received the link from a friend, with the obligatory "I can't believe how stupid spammers think we are - look, it tells me my Windows machine has Mac spyware!" comments... and then installing a Windows rootkit through browser defects. Making themselves look stupid has caused at least one journalist to let their guard down and visit the site.