Slashdot Mirror


User: Jay+L

Jay+L's activity in the archive.

Stories
0
Comments
736

Comments · 736

  1. Re:Hotmail internal security breach on Have Spammers Overcome the CAPTCHA? · · Score: 1

    "Dictionary search" is a term of art, but they don't really bother using dictionaries anymore - they just go sequentially from "Aaa" to "Zzzzzz...". Actually, they don't go *sequentially* anymore, because that's too easy to detect, but they do cover the full address space fairly easily and quickly.

    So there's really no such thing as an obscure, unguessable address to a spammer.

  2. Re:FREE PR0N! on Have Spammers Overcome the CAPTCHA? · · Score: 1

    I saw a site several years ago that used CAPTCHAs (before they were common on small sites), but let you in whether or not the captcha was correct. I did not inquire further with the owner, but it certainly bears all the marks of your "urban legend".

    I think this one would be difficult to prove, as the only people who know for sure aren't going to tell. Frankly, to me it seems so obvious that someone has to have tried it, much like the outsourcing and Amazon solutions.

  3. Re:Hotmail internal security breach on Have Spammers Overcome the CAPTCHA? · · Score: 1

    What makes you think this wasn't a standard dictionary attack, which spammers have been doing for a decade?

  4. Re:Idiots on National Archive File Format Time Bomb · · Score: 1

    There are so many idiots in this state of the affairs:

    You forgot the idiots who don't remember/were never aware of a time when there was no common platform, OS, hardware, or even, for that matter, alphabet encoding, and when nearly all files were saved as a dump of the in-memory structure for efficiency.

    At my old print shop, we used to save all the cool/funny business cards that came through the door. And one of the nicest Helvetica versions I've ever seen ("Helios").

    Someone probably still has all that. On 8" floppies for a CompuGraphic typesetting machine. Who's the idiot who didn't save the CompuGraphic machine? In 100 years, will anyone have software to read the files? How about sixbit, or Fieldata? How about something much more obscure which surely exists?

    (Side note: When my school district sold off its PDP-10s in the late 1980s for scrap, I tried to convince my folks to let me bring one home. Sadly, I failed.)

  5. Re:Well the PROBLEM is that... on ISPs Starting To Charge for 'Guaranteed' Email Delivery · · Score: 1

    I think they may try to ratchet things down, but I also think that if/when that fails, and people can't reliably get the e-mail they want, they'll switch providers. That's been true in the past, and I see nothing different about this scheme. There have always been multiple "tiers" of mail - heck, at AOL, for a while, there weren't even any filters on AOL-to-AOL mail, because the spammers hadn't figured out how to spam from AOL clients. And I'm sure the filtering systems are still very different - it's pretty easy to tell when an AOL account is spamming if you're AOL - yet most mailing list mail still gets through. So just because there's now another trusted path to AOL, I don't think that spells doom to all, no.

  6. Re:Fighting spam? on ISPs Starting To Charge for 'Guaranteed' Email Delivery · · Score: 1

    Ah, but you still have to know the public key, and their servers might only allow whitelisted IPs to check the hash.

    Their site's all marketing stuff, no real deep technical info. They're clearly not thinking about getting small-time ISPs on board right now. But Dave Crocker, Martin Hellman and Avi Rubin are all consulting for them, so you gotta think someone will bring it up in a meeting...

  7. Re:Competing Vendors. on ISPs Starting To Charge for 'Guaranteed' Email Delivery · · Score: 1

    Ah, sorry - I was thinking as a recipient mail server, not a sender, and I wasn't thinking about exclusivity (AOL only accepts Goodmail, Hotmail only accepts MicrosoftHappy).

    Yes, you're absolutely right. If a thousand accreditation flowers bloom, and each recipient domain is exclusive, it becomes a real pain for senders. You wouldn't want to "cross-sign" your messages, because that would be expensive, so you'd have to keep track of which recipient domains accept which accreditation schemes, and partition your recipient lists accordingly - HotMail addresses get signed by MicrosoftHappy, etc.

    I wonder if there's an incentive for recipients to be "exclusive" like that, though. Obviously, the fewer schemes they have to implement, the cheaper it is for them - but the more schemes they implement, the larger the ratio of signed-to-unsigned, and the more accurate their spam filters can be.

    It's hard to predict, since this is the first message-signing implementation. My instincts say that there's a critical-mass effect, and that (other than small ISPs toying with shiny new products) there will be only a few major players. Why sign up with a service that nobody uses? Why start a service if nobody will pay you for your cryptographic time? Remember that costs are per-message, not just per-domain, so there's a much higher barrier to entry than starting up a DNSBL, of which there are 150 or so. Starting a mail-signing service would be more like starting a non-interoperable IM service, which doesn't happen very often.

    Then again, in 1996, my instincts said that spam wasn't worth worrying about.

  8. Re:finally on ISPs Starting To Charge for 'Guaranteed' Email Delivery · · Score: 1

    Taco, why will Goodmail spell the end of non-cost-based delivery?

  9. Re:Competing Vendors. on ISPs Starting To Charge for 'Guaranteed' Email Delivery · · Score: 1

    I'm not sure why multiple vendors should be a problem. If you're an ISP, and you've become a partner of Goodmail, you agree to deliver 100% of mail that's signed by Goodmail. So you do. Just because it isn't signed by ReallyGoodMail doesn't mean you HAVE to trash it.

    That's like saying believing movie recommendations from your friends is problematic, because what if all your friends haven't seen the movie that one friend recommended?

  10. Re:Well the PROBLEM is that... on ISPs Starting To Charge for 'Guaranteed' Email Delivery · · Score: 1

    So now all of those sites and services and lists either: A) Stop sending email and/or go out of business, or B) Start charging for the stuff you used to get for free.

    Or C) keep doing what they're doing and keep being delivered like they're being delivered now, mostly OK, occasionally trapped by errant spam filters.

  11. Re:Fighting spam? on ISPs Starting To Charge for 'Guaranteed' Email Delivery · · Score: 5, Interesting

    Of course, Goodmail can't guarantee that the *recipient* isn't filtering. And it doesn't blacklist anyone. It's just an accreditation scheme like DKIM, but at the per-message level instead of the per-domain level. It does three things, from what I can tell:

    1. At the sender side, for those senders who are paying Goodmail, it adds a token to the e-mail that recipients can verify. This part could be great, if they open up a public way to validate that token (and it's in their interest to, I think). Spam filters like SpamAssassin could then score the e-mail differently. Either Goodmail is useless, or it's useful. If it's useless, recipients can ignore the token. If it's useful, recipients can decide to apply less filtering - or they can apply all the usual filters, and just (using SpamAssassin as an example) apply a negative point or two to Goodmail so it's less likely to get filtered.

    2. At the recipient side for those recipients who are Goodmail "partners", it guarantees that your mail will bypass all other filters. This part is dubious. Will they regret becoming partners? Maybe, if people start sending spam that's signed by Goodmail. Can they get out of their partnership or change the terms? Dunno. Will the market sort this out? You bet. If Goodmail partners start delivering more spam than non-partners, people will switch to the non-partners.

    3. Also at the recipient side for those recipients who are Goodmail "partners", it adds a pretty blue ribbon, etc. to the "chrome" of the e-mail. Yes, the chrome is unforgeable. No, users can't tell the difference between a blue ribbon in the chrome and a blue ribbon in the body. AOL tried this years ago with "Certified E-Mail", so you could tell when a message was REALLY from AOL. Did it stop phishing? No. This part is security theater.

    Nobody gets blacklisted. Right now, ALL our mail is essentially second-class mail, subject to all sorts of filters. GoodMail creates a first-class tier that potentially bypasses all that if you pay for the "postage" (which is only 1/20th of a cent for non-profits). Again, the market will sort out whether or not that postage is useful. In fact, "postage" is probably the wrong word - it's more like "notarized" e-mail.

  12. Higher level of security than existing technology? on Unlock Your Doors With a Knock Code · · Score: 1

    And the advantage over RFID passcards is... what?

  13. Re:What ever happened to 2AM, $3 overnight shippin on A Look Inside Newegg · · Score: 1

    That lasted well into the dot-com boom; in 1999, Outpost.com announced free overnight shipping until midnight (I believe PST!). How did they do it? They kept their inventory AT the Airborne Express hub, and had Airborne do the fulfillment for them.

    But there were also weekly articles in Wired, C-Net, etc. talking about how all these companies were losing money on shipping. Most of the companies that offered this either went out of business or got bought out by someone else who didn't share the business model - I remember one "lowest price guarantee" site that was bought out by a major retail chain and, overnight, raised their prices nearly to street level.

    I don't think that charging $6 for overnight would have reduced their costs enough to keep them in business, especially now that fuel surcharges have increased so drastically. I'm sure shipping in bulk, and with logistical assistance, costs a fraction of what an individual pays, but FedEx can cost $30 to $40 for a lightweight overnight package. I don't think the software and hardware retailers have high enough margins to absorb that.

  14. Google's resources on EFF Warns Not to Use Google Desktop · · Score: 1

    I think it's funny that people assume Google wouldn't have the storage space to keep desktop search data around longer than absolutely necessary.

    People... this company keeps multiple cached copies of the entire Internet. Adding a few opted-in hard drives to the mix is simply not a problem.

    It's good that they claim to only keep the data for a month. But are they guaranteeing it'll be deleted after a month? Are there backups? Mirrors? Old index copies that might be subpoenable?

  15. We're missing the real news here on More to the North Star Than Meets the Eye · · Score: 4, Funny

    astronomers have photographed the close companion of Polaris

    Waitaminute. Polaris is GAY?

  16. Re:This article shows... on 3 Email Chiefs Come to Dinner · · Score: 2, Interesting

    This article shows that engineers of competing products usually respect each other

    Absolutely. When the HTML-in-email and I18N standards were being developed, we had people from AOL, Netscape (then a separate company), Microsoft, Qualcomm, and probably others involved, and we got along great. And remember, companies that are competitors on one front are often cooperating on another; AOL was working with Microsoft techies on interoperability at the same time we were suing their bosses.

  17. Re:How many Libraries of Congress is that? on The Yellow Machine in Review · · Score: 2, Funny

    The size shouldn't matter anyway, as you can put it anywhere you want - the cable that it comes with is as long as a piece of string!

  18. Re:Me too on IPv6 Still Hotly Debated · · Score: 1

    You're assuming that all NAT implementations (and all routers, for that matter) are default-allow.

    The Cisco PIX firewall router, for one, is default-deny, and in fact, to set up static IPs, you actually set up "static (1-to-1) NAT" - even though the IPs aren't translated, by default it still only allows inbound traffic that corresponds to outbound-initiated traffic.

    I'm sure that an IPv6 firewall would and could have the same feature, even if it's not called NAT.

  19. Re:Taco? on Blizzard Made Me Change My Name · · Score: 1

    screening every single name as they are created would require paying someone or more likely multiple people to hand-check every single name to prevent violation

    Hmm. In the early days of AOL, when people were afraid that computers wouldn't be family-friendly, we used to print out all the screen names created that day and just give them a quick visual scan. Talk about tedious! Eventually, I wrote a DOS program to remove all the "common" name forms - FirstLxxxx, where "first" was one of the names I got from some baby list somewhere. Suddenly, the ordeal was reduced to a 5-minute chore.

    I wonder if there are similar patterns of WoW names that would make such a task manageable?
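The screening shortcut the comment describes, as an added example (not the poster's DOS program and not anything from Slashdot): names that fit the "FirstLxxxx" form are dropped from the pile, and everything else is left for a human to look at. It assumes "FirstLxxxx" means a first name taken from a name list, an optional single initial, then digits; the name list and the batch of screen names are constructed sample data.

```python
import re

# Constructed sample data: a small stand-in for the "baby list" of first names.
COMMON_FIRST_NAMES = {"john", "mary", "david", "susan", "michael", "karen"}

# Constructed sample data: one day's worth of newly created screen names.
NEW_SCREEN_NAMES = [
    "JohnS1234",
    "MaryK42",
    "DavidW",
    "Susan",
    "XxKillerxX",
    "MichaelP007",
    "Hotlips69",
    "KarenB5555",
    "Admin",
    "JohnSmith",
    "MaryAnn",
]


def build_common_form_matcher(first_names):
    """Compile a regex for the assumed FirstLxxxx form:
    a listed first name, at most one extra letter (initial), then digits only.
    Anything with extra letters after the name (JohnSmith, MaryAnn) does NOT
    match, so a first name followed by an arbitrary word still gets reviewed."""
    alternation = "|".join(
        re.escape(n) for n in sorted(first_names, key=len, reverse=True)
    )
    return re.compile(rf"^(?:{alternation})[a-z]?\d*$", re.IGNORECASE)


def triage_screen_names(names, first_names):
    """Split names into (auto_ok, needs_review), preserving input order."""
    matcher = build_common_form_matcher(first_names)
    auto_ok, needs_review = [], []
    for name in names:
        (auto_ok if matcher.match(name) else needs_review).append(name)
    return auto_ok, needs_review


def review_fraction(names, first_names):
    """Share of the batch a human still has to read (0.0 to 1.0)."""
    _, needs_review = triage_screen_names(names, first_names)
    return len(needs_review) / len(names) if names else 0.0


if __name__ == "__main__":
    ok, review = triage_screen_names(NEW_SCREEN_NAMES, COMMON_FIRST_NAMES)
    print("auto-ok:", ok)
    print("needs review:", review)
```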

  20. Re:From a Tandy 1000 Enthusiast on Quantum Link Reverse Engineered · · Score: 1

    You mean you never knew? AppleLink Personal Edition (nee AOL) and PC-Link ran on many of the same servers as Q-Link, and used the same protocol. In fact, those gen-2 clients shared far more with gen-1 than they did with the current Windows and Mac AOL clients.

    AppleLink -was- AOL; the name was changed when Apple dropped out as a partner, two months after launch. PC-Link was run as a separate service, but eventually we realized the benefit of getting a "critical mass", and we'd already bridged the platform divide with AOL for PCs, so they were "commingled" into AOL as well.

  21. P3 on Quantum Link Reverse Engineered · · Score: 2, Interesting

    Is P3 your baby? Yep, as far as I can recall P3 is still supported for some of those older clients. I remember in the late 90s there was work to talk to some clients via L2TP instead, and of course servers never send the whole input packet around to each other anymore; it gets abstracted much closer to the edge. But at some level, I suspect vestiges of P3 are still in daily use; the two-character routing token the most obvious one.

    I am pretty sure I have a file or two around here that uses 0x7F as a line feed (or was it FF?)

  22. Re:AOL on Infrastructure for One Million Email Accounts? · · Score: 1

    Yep, and it handles about 4,000 messages per second (not counting all the spam that gets filtered)... :) But it's not available, not standards-compliant, and had to be designed to support a lot of special AOL features that don't exist in the rest of the world, and that make a distributed mail system hellish: unsend, check status, instant validation instead of bounces, etc.

    But one thing we did learn: If you've got a high volume of messages, managing outbound queues is going to be a full time job for you. Mail will back up in your queue for downed sites, and that slows down sendmail, slowing down the rest of your outbound mail in a vicious circle. Newer versions of sendmail let you partition by outbound host; you're going to want to use that.

    Other than that, make sure you use a file system that can handle lots of inodes without slowing down logarithmically.

  23. Re:I can't imagine... on AOL Fined for Making it Hard to Cancel Service · · Score: 1

    You sir, worked for a bastard of a company.

    Indeed I did, and when it got too big for me to change that anymore, I left. Sorry about your experience, and read elsewhere in the thread for who I blame... we just had the wrong customer-service philosophy. Mod parent up.

  24. Re:I can't imagine... on AOL Fined for Making it Hard to Cancel Service · · Score: 1

    Ah, those were the good old days, weren't they? I remember the 911 failures too. Pretty damned scary. I hadn't heard of a town where 1/3 of the lines were modem banks, though! That's a cool perspective.

  25. Re:I can't imagine... on AOL Fined for Making it Hard to Cancel Service · · Score: 2, Informative

    Ah, ok - we're talking about two different things, I think. You're talking about whether extra modems were installed before the price change.

    They were - we were always adding modems, trying to stay ahead of the curves, monitoring busy-signal counts from RBOCs in every city, setting up banks of test computers dialing all the access numbers to see ourselves - but obviously we didn't plan well enough. We simply had no idea just how much pent-up demand there was for unlimited AOL service, and we weren't ready for the onslaught of calls.

    Then again, if we had waited till Verizon, Sprint, et al. could build up the infrastructure to handle the load - and if they would have even done that based on supposition and Excel projections - it would have been a year or two before we could offer unlimited pricing, and we'd be out of business by then. So though I don't like the business decision to go ahead, and nobody liked the results, I understand the thinking.

    Certainly, once the busy-signals hit the fan, we were getting modems added daily, and Steve Case himself was posting updates to the welcome screen - I can't remember anymore if the actual numbers were up there, or just listings of what cities had been upgraded.

    And yeah, if they were simply gonna transfer you permanently to the cancel/save queue, that sucks - I thought you meant "for the day". That's just a prime example of the management problems that stemmed from your best friend and mine, KB "and the ladies can go shopping" J. So I retract my flame for that part; I would have done the same thing.

    But you might wanna rethink what "know for a fact" means!