Slashdot Mirror


User: billstewart

billstewart's activity in the archive.

Stories: 0
Comments: 7,948

Comments · 7,948

  1. "Sandblasters worked for us" on Cheap Bulk Eraser for Hard Disks? · Score: 1
    Many years ago, when I was working as a tool of the military-industrial complex, we had a computer lab that was used for classified applications, and when we had dead disk drives (RM05 removable packs) or later when we decommissioned the lab, we had to wipe the disks.
    • In theory we could have used NSA-approved software, but I don't think there was any for that machine and we'd have had to prove that it could handle things like mapped-out bad sectors and such.
    • We could have used an NSA-approved Big Magnet, but not near *my* lab, thank you :-)
    • Destruction with acid would have been an option, but we didn't choose it.
    • The machine shop in the basement had a sandblaster. Just the trick!
      • So that's what we wrote in our plans, and when my successor at the job retired the Vax, she got to disassemble the disk packs and take them to the machine shop folks who sandblasted them.

        Remember how sysadmins used to have head-crash-scratched disk platters as wall decoration? She had one that was shiny clean metal, with not a trace of magnetic media left :-)

  2. "Email bandwidth is free - attention is expensive" on Virginia Spammers Go To Jail, And Pay For It · Score: 1
    Unless you're strictly in the business of providing email service, or paying by the kbyte on some overpriced cellphone data service or dialing a long-distance call, the bandwidth consumed by receiving spam costs so little that it's essentially free, to you and your ISP, and certainly costs a small fraction of what you're using for web browsing.

    What costs you time and virtual money is dealing with the amount of junk in your mailbox, building filters to kill it and deleting the stuff that got through, and losing the occasional real message that got caught in all the noise, all because some miscreant doesn't mind wasting 100,000 people's time to reach the one sucker who really would buy Nigerian Herbal Fake Viagra.

    My email addresses probably receive 1000 spams a day, almost all of which are blocked automatically. That's 10 MB/day. If all of them actually got carried on my DSL line, instead of blocking at my ISP, that'd be under 100 seconds/day, or about 0.1% of the bandwidth I have. In reality, I probably actually receive 10 spams/day that get through my filters (mostly to the admin address of a mailing list I run, which I don't filter heavily because most of the real traffic is from unknown addresses, e.g. the work address of somebody whose home address is on the list.) That would still be mildly annoying on dialup, and my ISP still pays for the bandwidth on some of the 1000 spams (unless they got rejected at the IP or SMTP header levels), and the CPU power consumed by SpamAssassin is contributing to Global Warming and the Heat Death of the Universe.

  3. "Infecting thousands of Virtual Machines" on Botnet Business Model Comes to Life · Score: 1
    Unfortunately, at a maximum of $0.30 per machine, you're not going to make much money infecting yourself. Maybe with a few thousand virtual machines you can, and you've got the advantage that it's much faster and cheaper to clean a virtual machine than a real one :-) The problem there is that usually a virtual machine is going to cost you an IP address, so unless the DollarRevenue scumwaremeisters are going to accept lots of machines behind the same NAT, most people don't have the necessary resources except at universities.

    If you can reverse engineer the way that the scumware reports that it's got another victim, you may not even need a virtual machine, if you don't mind making money defrauding scum. This is likely to be hard, though - the kinds of people who develop new techniques for installing scumware (as opposed to the script kiddies who use them) are just as likely to be willing to reverse-engineer scumware, so there are probably several sets of verification methods designed to make it hard for them.

  4. "Mod Parent Up, Please. 5xx Reject is exactly right" on How To Fight Spam Using Your Postfix Configuration · Score: 1
    I just used up my mod points on the IPv6 DNS discussion, but please mod up the parent article.

    As long as the receiving mail server rejects the message with a permanent failure notice, a correctly configured sending mail server will give the user an appropriate response, and if it rejects it with a temporary failure notice, a correctly configured sending server will keep trying, and eventually let the user know if delivery hasn't happened in some time period.

    If the receiving mail server accepts the message, it's obligated to send a reject email if it fails. That doesn't mean you *actually* do that with spam, but it means you either fail to notify a legitimate sender that the mail has been dropped, or else successfully notify a forged sender that the spam with his name forged on it has been dropped, or do something else inappropriate.

    This doesn't mean the reject code needs to be *honest* - your smtp receiver can lie to the sender about the recipient's mailbox not existing, or being full, or about the sender's mail server smelling of elderberries. If the email really was sent by a human, and the sender's mail server correctly notifies the human of problems sending it, it's up to the human to decide what to do.
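    The accept-vs-reject distinction in the comment above, as an added example that is not part of the original post and not Postfix code: a toy receiving MTA with three selectable policies, and a sending MTA that acts only on the standard reply classes (2xx accepted, 4xx try later, 5xx give up). The spam heuristic, the domains and the addresses are constructed for the demonstration.

```python
"""Why a 5xx reject during the SMTP dialogue beats accept-then-bounce.

Added example, not Postfix code: a toy receiving MTA with three
configurable policies, talked to by a sending MTA that follows the
standard reply classes (2xx accepted, 4xx try later, 5xx give up).
The spam test and the addresses are constructed.
"""
from dataclasses import dataclass, field

SPAM_DOMAINS = {"spamvertised.example"}          # constructed blocklist


def looks_like_spam(mail_from: str, body: str) -> bool:
    """Constructed stand-in for a real content/reputation check."""
    return mail_from.split("@")[-1] in SPAM_DOMAINS or "VIAGRA" in body.upper()


@dataclass
class ReceivingMTA:
    """policy: 'reject' (5xx at RCPT), 'tempfail' (4xx at RCPT) or
    'accept_then_drop' (250 at end of DATA, message discarded afterwards)."""
    policy: str
    backscatter: list = field(default_factory=list)   # DSNs we owe after accepting
    delivered: list = field(default_factory=list)

    def session(self, mail_from: str, rcpt_to: str, body: str):
        """Run one SMTP session; return the transcript as (client, server) pairs."""
        spam = looks_like_spam(mail_from, body)
        t = [("EHLO sender.example", "250 receiver.example"),
             (f"MAIL FROM:<{mail_from}>", "250 2.1.0 Ok")]
        if spam and self.policy == "reject":
            # The text need not be honest; the 5xx class is what the sender acts on.
            t.append((f"RCPT TO:<{rcpt_to}>", "550 5.1.1 User unknown"))
        elif spam and self.policy == "tempfail":
            t.append((f"RCPT TO:<{rcpt_to}>", "450 4.7.1 Try again later"))
        else:
            t += [(f"RCPT TO:<{rcpt_to}>", "250 2.1.5 Ok"),
                  ("DATA", "354 End data with <CR><LF>.<CR><LF>"),
                  (body + "\r\n.", "250 2.0.0 Ok: queued")]
            if spam:
                # We took responsibility, then dropped it: RFC 5321 says notify the
                # envelope sender, which for spam is usually a forged third party.
                self.backscatter.append(mail_from)
            else:
                self.delivered.append(rcpt_to)
        t.append(("QUIT", "221 Bye"))
        return t


def sending_mta_outcome(transcript) -> str:
    """What a correctly configured sending MTA does, judged by the decisive reply."""
    for _, reply in transcript:
        code = int(reply[:3])
        if 400 <= code < 500:
            return "queued_for_retry"        # keeps trying; warns the submitter after a while
        if 500 <= code < 600:
            return "bounced_to_submitter"    # the local user who submitted it hears at once
    return "delivered"


if __name__ == "__main__":
    spam = ("forged@victim.example", "alice@receiver.example", "Nigerian Herbal Fake Viagra")
    for policy in ("reject", "tempfail", "accept_then_drop"):
        mta = ReceivingMTA(policy)
        print(policy, sending_mta_outcome(mta.session(*spam)), "backscatter:", mta.backscatter)
```

    Only the accept_then_drop policy leaves the receiving side holding a DSN addressed to whoever's name was forged on the envelope; the two in-dialogue refusals push the notification back to the sending server, which knows who really submitted the message.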

  5. "Joe Bob says 'Check it out!'" on Will Solve Captcha for Money? · Score: 1

    Sorry about your rules, but Joe Bob's a movie critic, and John-Boy's a farm kid and/or author, depending on how you interpret the time scales of the Waltons. And if the name's _really_ long, it's probably something Indonesian, or at least not European like those short example names you suggested :-)

  6. "Of *course* they're lying" on You Have Been 'Randomly' Selected? · Score: 1

    Sure, there's probably some random component to their process, like whether they decide they don't like your face or your attitude, but fundamentally the TSA has always been dishonest, and the policies have always been designed so that the person who's enforcing them on you can pretend that it's somebody else's responsibility, and to claim that things that are totally unconstitutional are either "random" or "have always been the policy" or are mandated in some policy that you're not allowed to see.

  7. "Did it sell Spamming Services to stock-scammers?" on Subliminal Spam Using an Animated GIF · Score: 1
    Rule 3: Spammers are stupid.

    Subliminal advertising doesn't have to successfully sell spamvertised products to end-users (in this case, stock to gullible investors.) If you're in the Spamming Services business, and somebody has a product they want to sell but doesn't have their own mail-sending infrastructure, subliminal messages are yet another trick to get them to hire you instead of hiring some other spammer to deliver their mail.

    After a while, the spammers will figure out that it's not working, but after a while, customers will figure out that Nigerian Herbal Fake Viagra doesn't work and that they haven't really won the Internet Lottery. Meanwhile, you've got their money, and when that trick stops working, you can find another one, and Rule 3 says there's some spammer out there who'll be happy to pay you to run it for him.

  8. "Cool! It's expensive entertainment. So what?" on When Is a Con Not a Con? · Score: 1
    The customers pay their money for the chance to play around in an artificial universe where the rules are different, and they can hack and slash and blow stuff up and have a good time. In Real Life, one major reason we have police is that if somebody gets ripped off, and hunts down the person he thinks did it, society doesn't want the victim taking revenge on the wrong person or taking revenge that's way out of proportion with the original offense that was committed. And in Real Life, most people don't hurt other people, because that would be wrong and because they understand how it would feel to be the victim.

    But in Gamer-World, you're paying whatever subscription fees the game charges to have an environment where you can kill monsters, frag your buddies, or do other things that might not be appropriate in Real Life. You pay money for your subscription time, and if you take things way too seriously you can buy and sell your game loot on eBay. If the Non-player-character monsters kill you because you didn't see them sneaking behind the +2 Shrubbery or because you're not good enough at shooting that BFG9000, too bad, you've had your fun and get reincarnated in a puff of greasy orange smoke. And if some guild of teenage hoodlums thinks it's fun to frag people and steal their stuff, well, they get to feel R337 31337 and k3wl and laugh at you, and you can deal with them in your next incarnation.

    This is just another case of the same thing. The guy's pulled off a really cool hack, which everybody who played in it should have understood what it was. If they don't like it, they can go frag him, because this is a game, and you get to do that in Games. If the game company manages it correctly, whichever of the 5000 angry suckers frags him first should be able to steal his bank account and become the new target unless he does something social like give back the money, maybe less a self-appointed 10% Bounty Hunter's Fee.

    This is a lot different from A Rape In Cyberspace, where the perp did something really unconscionable for a MUD - while I haven't played in the particular game universe that the event happened in, pulling off a Big Con in most Gamer-Worlds successfully sounds wildly appropriate, and the perp now has a big red round target painted on his chest.

  9. "Key handling is more important than AES" on Crypto Snake Oil · Score: 1
    Sure, if it used 40-bit RC4, it'd be easy to crack, while AES-128 is good enough that anybody who doesn't have the key won't be able to crack it this century, and maybe not this millennium. The problem is what Apple or some other vendor does with the keys - are they protected, or is there an "emergency backup copy" in plaintext on the disk, or an emergency backup copy public-key encrypted with a private key only known to the Apple Store Genius helpdesk, or is there no backup copy on disk but a trojan-horse program can steal it out of kernel RAM? Or is the key just the passphrase that you type in, which is an easy dictionary search if it's just your dog's name spelled backwards, as opposed to a hashword made from 128 coin-flips?

    None of this is an insult against Apple's product - I don't know what they're using. I've seen a wide variety of similar applications over the years, and saying that they use AES-128 only says they've done the obvious parts well, so the product runs as fast as a well-oiled snake. It doesn't say whether it's secure or not.
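    The dog's-name-backwards versus 128-coin-flips point from the comment above, as an added example that is not from the original post and not any vendor's code: both keys are 128 bits and both would drive the same AES-128, but one is reachable by a dictionary walk. The wordlist, the salt, the iteration count and the SHA-256 "key check value" (a constructed stand-in for any is-this-the-right-key oracle, such as a known plaintext block) are all assumptions of the example.

```python
"""Key handling, not cipher choice, decides whether the box is secure.

Added example, not Apple's or any vendor's code.  Both keys below are
128 bits and both would be fed to AES-128; the difference is where the
bits came from.  A key check value (here SHA-256 of the key, a
constructed stand-in for any "is this the right key?" oracle such as a
known plaintext block) lets an attacker test guesses offline.
"""
import hashlib
import math
import secrets

SALT = b"constructed-fixed-salt"   # a salt stops precomputation; it adds no entropy
KDF_ITERATIONS = 10_000            # slows each guess; does not change how many there are


def key_from_passphrase(passphrase: str) -> bytes:
    """128-bit key derived from a human-chosen passphrase via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, KDF_ITERATIONS, dklen=16)


def key_from_coin_flips() -> bytes:
    """128-bit key straight from the OS CSPRNG: the '128 coin-flips' case."""
    return secrets.token_bytes(16)


def key_check_value(key: bytes) -> bytes:
    """Whatever lets you tell a right key from a wrong one offline."""
    return hashlib.sha256(key).digest()


def candidates(word: str):
    """The decorations real users apply: as-is, reversed, capitalised, digit appended."""
    return (word, word[::-1], word.capitalize(), word + "1", word[::-1] + "1")


def dictionary_attack(kcv: bytes, wordlist):
    """Walk the wordlist; return (passphrase, guesses) on a hit, (None, guesses) otherwise."""
    guesses = 0
    for word in wordlist:
        for guess in candidates(word):
            guesses += 1
            if key_check_value(key_from_passphrase(guess)) == kcv:
                return guess, guesses
    return None, guesses


def search_space_bits(wordlist, variants: int = 5) -> float:
    """Entropy the attacker actually faces for a wordlist-derived key."""
    return math.log2(len(wordlist) * variants)


if __name__ == "__main__":
    pets = ["rover", "fido", "rex", "spot", "buddy"]      # constructed wordlist
    weak = key_from_passphrase("odif")                    # "fido" backwards
    strong = key_from_coin_flips()
    print("weak key recovered as", dictionary_attack(key_check_value(weak), pets))
    print("strong key recovered as", dictionary_attack(key_check_value(strong), pets))
    print(f"passphrase space: {search_space_bits(pets):.1f} bits; random key: 128 bits")
```

    The KDF makes each guess cost ten thousand hash operations, which matters when the passphrase is drawn from a large space and not at all when it is drawn from a handful of pet names; the random key is out of reach of this loop regardless of the oracle.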

  10. "Peer review, One-Time Pads, and Strong Crypto" on Crypto Snake Oil · Score: 1
    "It's even worse than it appears", as Master Hunter tells us...

    If lots of smart people *haven't* reviewed a system, then it probably wasn't interesting enough to review, so don't bother with it. This includes commercially distributed systems like GSM cell-phone encryption and WEP, both of which collapsed when a couple of smart people at Berkeley looked at them (IIRC, GSM's algorithm took three hours to crack instead of two, because the Chinese lunch Ian was having was interesting that day, but I may have the details backwards.)

    Microsoft's PPTP used RC4, which lots of smart people had looked at. Problem was, the smart people all said "It looks pretty strong as long as you don't do this or that with it", and Microsoft's design found a couple of different ways to do this and that, as well as recycling some other weaknesses from older products.

    That's why the kinds of people you're giving advice to definitely should *not* use OTPs. The rules for using them are very simple - the pads have to be purely information-theoretically random, and you have to make sure they can only be used once. Those rules make OTPs operationally annoying to use, which results in clever (as opposed to smart) people "fixing" the problem by generating their one-time pad using some algorithm or other, or sloppy (as opposed to stupid) people doing things that let pads be reused or stored or copied or whatever. The Venona decryptions were successful due to Soviet operators reusing "one-time" pads when they ran out of new ones, and also because the randomization methods (clerks banging on typewriters that had original and carbon-paper copy) weren't really good enough randomness.

    Cryptography's harder problems are mostly implementation-related. There are enough really strong algorithms out there to make good crypto possible, though occasionally there'll be attacks on important algorithms like MD5, and Moore's Law means that you need to be careful that key lengths are good enough for the length of time you need to protect your information, and strong keys won't usually protect you against the KGB installing a bug in your computer's keyboard or pointing a ceiling camera at your monitor. But design of intermediate problems like key exchange or user authentication can still be difficult, and integrating them into applications and operations is still hard. We're at the point that you can build a nice solid steel front door to your building with an unpickable lock on it, but that doesn't mean that the side windows aren't open, or that the parking-lot valet didn't make a copy of your keys.
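    The pad-reuse failure the comment above describes for Venona, which is the same failure as reusing an RC4 keystream, as an added example that is not from the original post or from any of the systems named: two constructed messages encrypted under one pad drawn from the OS CSPRNG, so the cipher itself is flawless and reuse is the only mistake. XORing the two ciphertexts cancels the pad, and dragging a guessed word ("THE ") along the result reads fragments of both messages. The plausibility filter (uppercase letters and spaces) is an assumption matched to the constructed plaintexts.

```python
"""What goes wrong when a 'one-time' pad (or any stream-cipher keystream,
RC4 in PPTP included) is used twice.

Added example, not from any of the systems discussed.  The two plaintexts
are constructed; the pad comes from the OS CSPRNG so the cipher itself is
faultless.  Reuse is the only mistake, and it is enough.
"""
import secrets
import string


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR up to the shorter length (zip truncates)."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Correct OTP use: pad at least as long as the message, never cycled."""
    if len(pad) < len(plaintext):
        raise ValueError("pad too short: never stretch or cycle a pad")
    return xor_bytes(plaintext, pad)


otp_decrypt = otp_encrypt   # XOR is its own inverse


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """c1 XOR c2 == p1 XOR p2 when both used the same pad: the pad cancels out."""
    return xor_bytes(c1, c2)


# Assumption for the constructed messages: plaintext is uppercase ASCII plus space.
_PLAUSIBLE = set(string.ascii_uppercase.encode() + b" ")


def crib_drag(p1_xor_p2: bytes, crib: bytes, plausible=_PLAUSIBLE):
    """Slide a guessed word along p1^p2.  Wherever the other message 'reads' as
    text, the guess probably landed on real plaintext.  Returns (offset, fragment)."""
    hits = []
    for off in range(len(p1_xor_p2) - len(crib) + 1):
        frag = xor_bytes(p1_xor_p2[off:off + len(crib)], crib)
        if all(b in plausible for b in frag):
            hits.append((off, frag))
    return hits


def demo():
    """Encrypt two constructed messages under ONE pad and recover fragments."""
    p1 = b"MEET AGENT AT DAWN BY THE OLD BRIDGE"
    p2 = b"THE PACKAGE IS IN THE TRAIN STATION"
    pad = secrets.token_bytes(max(len(p1), len(p2)))
    c1, c2 = otp_encrypt(p1, pad), otp_encrypt(p2, pad)   # same pad: the Venona mistake
    leak = pad_reuse_leak(c1, c2)                        # pad is gone, p1^p2 remains
    return p1, p2, leak, crib_drag(leak, b"THE ")


if __name__ == "__main__":
    p1, p2, leak, hits = demo()
    for off, frag in hits:
        print(f"offset {off:2d}: guessing 'THE ' in one message gives {frag!r} in the other")
```

    Each hit is a foothold: extend the recovered fragment into a longer guess and drag again, and the two messages unravel together, which is exactly how a perfectly random pad was defeated once it stopped being one-time.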

  11. "Using another server easier than setting one up" on EarthLink Establishes Their Own "Site Finder" · Score: 1

    The customers that care about the problem don't need to know how to set up their own DNS server - they just need to know how to set their system to use some other DNS server's address. On Windows, you go into Control Panel and set up the network stuff; on Linux you set your resolv.conf file. Much easier.

  12. "Broken DNS Servers vs. Broken Web Caching" on EarthLink Establishes Their Own "Site Finder" · Score: 2, Informative

    Most of the PR from Earthlink is extremely fuzzy about what it's actually doing. The pages it points to at Barefruit say that they're doing web-proxy manipulation, not DNS manipulation, and that if their web-proxy caching server detects a DNS miss, it'll go to the substitution advertising page. That means that if you try email, or ssh, or telnet, or ping or traceroute, or some other non-http protocol to a mistyped domain, you should still see the correct DNS message, though it's not clear whether they're doing it with https (that'd be very evil) or http on ports other than 80 (e.g. www.example.com:8080, which would be a relatively bad idea). They do say that they're not messing with email, but it's not clear that they're really doing it through the web proxy or whether they're doing something else instead.

  13. "There are other dialup providers out there" on EarthLink Establishes Their Own "Site Finder" · Score: 1

    AT&T provides dialup around the world, including extremely widespread dialup in the US. I've mainly dealt with the business service rather than the consumer service, but I assume the consumer DSL still provides similar coverage to Earthlink's.

  14. "Waiting for Dwarf Planet Photos" on Pluto Making a Comeback · Score: 1

    If the photos show dwarves, then it's a Dwarf Planet. Otherwise it's just a regular planet.

  15. "Hardware Tuner is ~$20" on F(OS)S for Learning a Musical Instrument? · Score: 2, Interesting
    I've never played instruments like violins, trombones, or fretless basses that require you to find your own pitch (other than voice) - it's hard enough on guitars, dulcimers, ukes, and baritone horns that play the notes you tell them to :-)

    For stringed instruments, I've found it really really helpful to have a hardware tuner, and most of them run about $20-30, and they're pocket-sized and last forever on a battery and fit in the accessories pockets of instrument cases or music folders. You _can_ also use them to find your note on a continuous-pitch instrument. The Korg model that I use has a meter (well, an LCD simulation of one) that shows how far above or below the nearest note you are, as well as red and green LEDs that tell you if you're sharp or flat. There are other shapes of tuners that clamp onto instruments, and some of them have backlights which can be helpful.

    I've used PC software versions in the past, mostly with names like "Guitar Tuner" or whatever, but dragging a laptop around was more trouble than spending the $20 for the tuner - your mileage may vary. On the other hand, with a dulcimer you tune it once and it stays in tune for a whole session until you want to retune to change modes, and with a uke you tune it once and it stays only slightly out of tune for at least a little while, so either way you're not trying to get the feedback while you're actually playing, so you may need something different.

  16. "Relakks provides Diversity against Police Attacks" on New Auto-Seeding Torrent Server Released · Score: 1

    Sure, it's only anonymous until the police come, and if they're ordered to provide information under Swedish law they'll rat you out to the extent that they're required to. But if you're not Swedish, you're not likely to be causing enough of an international incident to get the Swedish police after you. (Doesn't mean that the RIAA won't try, and it's possible that they'll occasionally succeed.) And while the NSA may be able to eavesdrop on their internet connections, they can't force Relakks to give them any other information without going through formal channels.

  17. "Invite her as a coworker or newbie, not as a girl" on Breaking Gender Cliques at Work? · Score: 2, Insightful
    Treat her as another person and you'll be fine. Treating her as either a scary alien or a potential future date because she's a woman will not help anything. That's not to say that potentially dating her in the future, after you know her, is out of the question, or that you're not going to have some coworkers of either sex who *are* scary aliens, but it usually takes a while to figure out either one. Also, if you're nervous about the social interaction, rather than chickening out, you can always resort to emailing the group announcing a lunch or beer run. (Local conventions will influence whether beer's an option or whether there's anywhere nearby for lunch.)

    Any time you're the newbie in the group, it takes a while to figure out the social situation and build relationships with people, and while we should have gotten over this as a society, I suppose that's still harder if you're female. Sigh. Working with more mature people usually helps, and working with geeks can be ok if you're the type that shares geeky interests. Fortunately, as a newbie in an organization, there are *lots* of things to initiate conversations with people about if you need an excuse to do that, ranging from what's going on with your projects to where the staplers are to how the bureaucracies work to where people go out for lunch.

  18. "Yes, but the Army's insane about that" on Breaking Gender Cliques at Work? · Score: 1
    The military's always been really weirdly insane about personal relationships. That isn't necessarily a bad thing - there are lots of things about the military that are abnormal compared to civilized society, such as the way drill sergeants treat new recruits, which are designed to condition people to act in ways that make sense in a battlefield, which is an abnormal insane environment that requires behaviour that's different from the real world. The military also has to deal with the fact that even outside of war, they're taking people away from their families and putting them in environments that are isolated and either high-stress or boring or both, and moving them around every couple of years, and allowing normal relationships to form often leads to all sorts of trouble.

    I've worked for a big paternalistic company where things were far different - this was the phone company ~1980, which looked a lot like academia. Dating coworkers was just fine, marrying them was just fine, having your kids join the company was just fine - as long as you didn't have one person in a couple able to influence the salary and work assignments of their partner (or one person in an ex-couple influencing the salary of their ex-partner.) There were lots of group social activities - music, dancing, outing club, ski club, softball, etc., and a group that wasn't *officially* the singles club. There were still lots of issues with the old sexist and racist cultural values, and we were doing a lot of affirmative action things to deal with diversity values, and some of our customers were old-style companies (one 25-year-old female coworker found it really strange doing a project at a company where the engineers were all over-fifty white-shirt-wearing men and having to get them to take her seriously.) But we got through it. (Boy, times have changed - I haven't had a male boss in the last decade, except for a month when we were reshuffling territories, though occasionally my bosses have had a male boss.)

  19. "Without USB video, it's nearly useless" on Ultra Wideband Hub Coming in October · Score: 2, Insightful
    If you're trying to do a docking station, and you need to plug in a monitor cable and the USB wireless dongle, you can just as well plug in a monitor cable and a real wired USB-hub cable. And if you're trying to reduce tangle for connections from your under-the-desk PC to your desktop peripherals, you still need a cable for the monitor, so why not run one more USB cable to a wired hub on the desktop (especially if it lets you use a non-powered hub on the desktop, avoiding the need for a power-cord for the UWB USB hub.)

    Except for a few specific removable devices, like cameras and iPods, and the usual keyboard and mouse that have other wireless solutions, most of the applications people have discussed really belong on LAN connections, not USB connections. Printers belong on LANs. USB isn't made for sharing peripherals, so if you're trying to share a disk drive, it needs to be associated with a computer, and you can use a wireless LAN to reach the computer.

  20. "Re:Watching their hard drive light? Mozilla users" on How Much Virtual Memory is Enough? · Score: 1

    Er, yeah, so it was 640MB. Either way, it ought to be enough for anybody....

  21. "Lots, or None, or Enough for Laptop Hibernation" on How Much Virtual Memory is Enough? · Score: 1
    Disk is cheap, so if you need the stuff, you should do lots.

    But it's nice not to have to swap at all, if you've got enough RAM, and there are applications and OS's that do a lousy job of managing virtual memory; sometimes you're better off with none (e.g. if the thing's going to memory-leak anyway, then it'll use up all your virtual memory just as easily as all your RAM, so you'd be better off letting the thing choke and die early.) I get really annoyed when I'm running Firefox on Windows with lots of tabs open - if I need to do something else, and then come back to Firefox, it acts like it's decided to swap the whole thing out and needs to swap it all in again before it'll show me any pages, which is just Dog City.

    On laptops, you may need enough swap for hibernation to be able to store anything, unlike desktops where there's usually no need to be that aggressive about energy-saving, so maybe you want to have, say, 1.1 - 1.5x as much swap as RAM so that it'll be there if you need to hibernate but won't waste too much time swapping otherwise.

  22. "Disk space is free - so use lots or none." on How Much Virtual Memory is Enough? · Score: 1
    Build a Big swap partition, and if you don't need it, then turn it off, or tune it down.

    Look, disk space is nearly free, and disk drives are Big Enough these days that you can waste however much space you need on swap. For a production environment, you don't want to waste time swapping unless something really requires it, in which case you should make sure you have everything your application needs. (In an interactive server, you can play around and add swap files if you find you really need them.) So build yourself a swap partition that's at least 2x RAM, or if you're running a database or similar application that gives you some guidance about wanting more, give it more. If you think you might want 8GB, build an 8GB partition; even if you build a 16GB partition on your 160GB disk drive, it's only 10%. If you find you've got a really strange usage pattern that wants less, you'll have room to shrink it.

    16GB of disk drive costs $16, or maybe $32 on some blazingly fast Ultra-SCSI 15krpm drive. As they used to say on Usenet, your posting costs the net hundreds or thousands of dollars; you've probably spent more than $32 of salary in reading the responses and thinking about them, and you'd certainly waste far more than that by making a small partition and having to resize it to larger, whereas making it too big and then shrinking it or turning it off entirely is much less trouble.

    The real question is whether you need to put your swap on a separate spindle, or on something fast like Flash. (Yes, I know that flash has limits on how many times you can write to it, but those limits are a lot higher these days than a couple of years ago, and if $100 for a 4GB flash stick lasts you a year, you've probably saved a chunk of money compared to buying a faster CPU or more RAM or more electricity for the rotating disk drives or for the opportunity costs of making users wait. It's especially useful for reducing power-up time, though of course you're not going to have typical servers go into laptop-hibernation mode.)

  23. "Watching their hard drive light? Mozilla users" on How Much Virtual Memory is Enough? · Score: 2, Insightful
    "But who ever sits there watching their hard drive light?"

    I do - any time I'm running Mozilla with a lot of tabs open and it decides to go into annoying-swapping-mode (on WinXP and predecessors) for no obviously good reason, so I've got to wait for Mozilla to swap itself in or out before I can see the web page or other application I want. It doesn't help that I mainly use it on a laptop, where the drive is slow and the RAM is a fairly large 384MB, but it also happens on my home desktop, where the drives are faster and there's 640GB of RAM, which ought to be enough for anybody.

  24. "Commercial Fishermen, not just Environmentalists" on The Light Bulb That Can Change the World · Score: 1
    Much of the world's fish population is in serious trouble - partly from overfishing, but also largely from habitat destruction such as damming rivers where various species of fish spawn and clear-cutting forests near streams and rivers. It's an especially serious problem in North America, where many traditional fishing communities can no longer catch enough fish for fishing to be a viable business. There are a number of commercially important species where populations have declined 90%, and it's not just the tree-huggers who care about it.

    Unfortunately, the Bush Administration has found that it's politically useful to promote anti-tree-hugger-ism, partly because big lumber interests support them, but partly because anti-environmentalism sells well not only in the Red States but in the lumbering parts of Blue States like Washington and Oregon, and the Bush political forces need the votes as well as needing the political support for oil drilling and other environmentally risky industrial businesses. And it's much more visible and obvious that a lumberjack is out of work because the Feds won't let his company cut down a chunk of forest than it is that a fisherman is out of work because the salmon he used to catch used to spawn in streams that a lumber company messed up.

    US Federal forestry policies have also been bad economics - traditionally the Forest Service has spent about 10 times as much money building logging roads for the logging companies than they receive in timber revenues from the areas they build roads in, so effectively they're paying the logging companies to cut down our forests.

  25. "Re:How many..." on The Light Bulb That Can Change the World · Score: 1

    I paid $400,000 for a VAX 11/780 with 4 MB in it, and a gigabyte of removable disks. :-) (Ok, technically I wrote a purchase order, and my employer paid for it.) Computer prices have dropped radically for all the usual Moore's Law kinds of reasons. There were a few years where the computer you probably really wanted cost $5000, and the one you'd actually buy was more like $2000, but even that's long gone, though it's still possible to pay $2000 for a higher-end laptop.