The Reset Button's Right Next to the Yellow Sticky
on
Writing Down Passwords?
·
· Score: 2, Interesting
This article was quite timely for me - I decided to change the DHCP range on my Linksys wired router this week (to make up for the cretinous brokenness of DHCP on my Netgear wireless router), and none of my half-dozen usual passwords or the examples in the Linksys documentation worked. So I had to break into the Linksys by pressing the reset button. And yes, I've set the password to something other than the default, and I was planning to put the new one on a yellow sticky, except I'm out of yellow stickies for the moment so I had to settle for scotch tape.
Could some visitor climb under my desk and look at the password if they wanted? Yes, but they could also climb under the desk and hit the reset button, and it's not *that* big a stretch to figure out that the DHCP is now set for 192.168.0.0/24 instead of 192.168.1.0/24.
DNS-RBLs are a great thing to feed to Greylist systems - if a site's RBLed, make it wait for a while before talking to you, and even if some P-HW gets obsessive about a site, it'll still just delay that mail 5-10 minutes - which is usually enough to make the real spammers go away.
When a given DNS-RBL gets too aggressive, but the number of people bitching about it hasn't gotten high enough to notice, you can lose real mail for a while, especially if you've got friends who run their own Linux mail systems on consumer DSL. The mailbox service I use lets you pick from several different DNS-RBLs and set a threshold for how many of them need to block a given site before it kills it, so I've got a relatively conservative setting that needs to have a bunch of lists rejecting a site to reject it. The ISP where I actually read my mail uses SpamAssassin, and DNS-RBLs can also be useful as SpamAssassin weights that get added in along with all the other cues such as LINES OF YELLING and NIGERIAN 419er and pills-that-start-with-V. Neither of those approaches completely prevents false positives, but they help, and you still need to whitelist some people (e.g. John Gilmore's a friend of mine and is on some mailing lists I'm on, and almost every RBL out there hates him because of his positions on open relays, so his machines are on my whitelists.)
Hey, the Bell System monopoly was perfectly legal - they'd done lots of work telling politicians that Regulated Monopolies would be a really good thing for the public, and the politicians got to hire lots of bureaucrats to regulate them, which politicians also liked. Some of the tradeoffs were valuable - gouging businesses and urban home phone services made it possible to reach most rural areas and provide affordable lifeline service for poor people. Some of them were clearly bad - the combination of telephone monopoly and FCC-granted broadcasting monopolies delayed the development of effective radio-based telephony by probably 40 years, and kept costs higher than they should be. On the other hand, it was better than the European-style government-run Post Office, Telegraphy, Telephony monopolies which took even longer to get rid ot.
The comparison isn't so much about the specific value of what Google's done in a couple of years vs. Bell Labs over many decades. The real comparison is that Google today and Bell Labs back in the day were Really Really Cool Places to Work. I was there from ~1978-1993 (not in Research, but I got to deal with the research folks on occasion), and there was an exciting culture of doing really amazing technical stuff. We were also The Phone Company, so there was also a culture of doing really dull gold-plated 40-year-depreciation-cycle engineering and the planning and accounting it takes to support them, so sometimes it was a bit slow moving (:-) but overall it was Really Cool. There were other places that also had that feel - some universities, some parts of some aircraft companies, probably Xerox Parc during its better years, and you'll find that a lot of the really good people from the remains of Bell Labs and/or AT&T Labs are now professors at universities near New Jersey.
OK, so they've actually announced all the DRM as "features". Doesn't mean anybody realized the damage that those features they could do, except the folks on the Dark Side.
OK, I don't have any specific evidence that they did it specifically for that purpose, but it sure looked that way - DOS and WIndows 3.1 programs or at least their installers tended to fail badly when installing into directories named "Program Files", and the runtimes often failed to find things in "My Documents". In many cases, it forced you to upgrade to a newer Win95-compatible version of Microsoft products, or junk your non-MS product and replace it with an MS product instead.
The worst problems were anything that used command lines or shell scripts, but programs imported from Unix-related operating systems also tended to fail. The mapping between "Long Name With Spaces In It" and "LONGNA~1" sometimes worked, but often failed, and at best you tended to get non-human-readable names in the install scripts and sometimes have to type them in.
Nolan's Good Restaurant - Lion and Compass
on
Chuck E. Cheese 2.0
·
· Score: 1
For about 20 years, Nolan has run a *good* restaurant, the Lion & Compass in Sunnyvale California. He built it back during the computer boom of the early-mid 80s (remember when Silicon Valley was about computers?) because there wasn't a lot of good food. It's a nice building, and serves mostly California yuppie food, doing a nice job in the fusion of Asian, Nouvelle, fresh ingredients, seafood kind of track. I don't go there very often, since Silicon Valley has since filled up with a really wide variety of excellent restaurants and adequate+inexpensive restaurants, and it's no longer a unique place filling a void the way it once was.
Back then it had the reputation of being a place where VCs and computer people would go to lunch or dinner, somewhat the way Buck's in Woodside was during the 90s. It's partly about the food, partly about the crowd.
Reading about it on the net isn't the same as experiencing it. (Run screaming..... ) I've been there with friends who were doing birthday parties for their kids - if you've got 8-10-year-olds, it's probably not a bad place to go, or at least no worse than other things intended for that age market. (Run screaming..... ) It's sort of like Disneyland, only mercifully smaller. The pizza wasn't _bad_, though in New Jersey it's impossible for a chain pizza place to compete with the quality of a random small restaurant run by actual Italians instead of animatronic imitations - I don't remember it being worse than Pizza Hut.
From: headers in spam are usually fake, but From: headers in non-spam that your filter caught by mistake are real, so logging them helps you find those messages if someone wants to look. Also, From: headers can be useful for finding trends in spam, either things that appear to be the same spammer, or people using the same spamware, or various kinds of phishing (From: security@ebay.com etc.)
If you go read the toolbar's FAQs and privacy policies, they collect two kinds of information for every lookup: full name of website, and hash of full URL. They say they'll be well-behaved with the information, but they will disclose it to cops, lawsuits, and any corporate successors (e.g. if somebody buys them, they get the whole database with no obligation to protect policies.) So if you're surfing at www.your-competitor.com, and your competitor sues you, they can find out that you've been at their site by asking Netcraft. They can't tell that you were looking at http://www.competitor.com/secretproject/file3.htm, but they do get hashes so they can confirm guesses.
While I'm not too bothered by the "Block 25 by default, enable for customers who ask" approach, if you're an inbound-email provider, you can get the same spam protection by using blocklists as you get by forcing everybody in the world to do Port 25 blocking, and as an ISP who's considering blocking outbound Port 25, you can be just as effective by working with the blocklist providers to keep them up to date on which of your users can/can't send port 25 and not have to break the end-to-end model for your users.
Some people comment about zombies doing DDOS - blocking port 25 does keep them from attacking port 25 on their targets, but they can still do all the same Port 80, Port 53, and Port 109/110 attacks, so it's not a big difference.
Also, Port 25 really was designed to support MUAs as well as MTAs - Port 587 and its competitors are later additions for MUA-only, and saying that Port 25 wasn't is purely revisionist. And as you say, malware folks will start abusing Outlook Express if that helps them.
The administrative interface for that is likely to be a web page for most ISPs for most customers. So you'll get a web page that doesn't know how to figure out that the customer's really infected, as opposed to an underpaid phone tech who doesn't think to figure out that the customer's infected....
Libertarians think that free-ipod signature lines are generally fraudulent, but sometimes they think it's fun to feed trolls....
Libertarians don't think that governments are competent enough to solve most difficult problems, so when a bill named YOU-CAN-SPAM doesn't stop spammers, we're not surprised. Some of us care enough to actually read the bill, and we're even less surprised.
Libertarians like market-based solutions, and would like someone out there in the market to develop them. And lots of people have been working on the problem, but so far the economics make spamming enormously attractive, and proposals to artificially distort the economics (e.g. postage/taxes on sending email) are either doomed to failure, or if they did succeed in distorting price structures enough to affect spam significantly, they'd cause far more havoc than they're worth. Soviet Five-Year Plans didn't work.
Market-based solutions that look like "I'll accept your email if you attach a micropayment of X cents on it" can work quite well, because they capture the fundamental economic value, which is the recipient's time, and let the recipient charge whatever price the market will bear for it. Unfortunately, they also attract the usual checkbox-responses of "Users hate these things and will never accept them", and there aren't any really good anonymity-preserving micropayment systems out there, partly because it's a difficult problem and partly because of government interference.
Libertarians think that in a world-wide network where it's extremely inexpensive to communicate with anybody else, it's difficult to interfere with spam without far more dangerous interference with free speech. We would normally suspect government proposals to do anything effective about spam to be really motivated by a desire to interfere with free speech, except that any of us who've run for office know that politicians are more strongly motivated by a desire to Look Good, and Look Like They're Leaders, so just it's incompetence (malice is the Executive Branch's job), and even the Great Firewall of China which is designed to interfere with free speech doesn't bother blocking spam.
"Guns. Lots of Guns." Libertarians believe that "Gun Control is Hitting Your Target". We don't think the authors of CAN-SPAM had very good aim, and we don't think the FTC's tweaking their work will improve it much.
Anonymous Free Speech is really important - and it's hard to reconcile that with stopping spam.
At most 1% of my spam ever bothered obeying those laws; it was too easy to filter out. I'm sure it's helpful to know that I can sue that poor Nigerian Dictator's widow who's trying to get her husband's ill-gotten gains out of the country the next time she visits California. In most cases, spammers are sending mail from outside of California, so they're not subject to California jurisdiction; it may occasionally be possible to catch a spammer who's actually sending spam from here. I've forgotten if YOU-CAN-SPAM also required that (I think it did), but it's still ignored.
The only really useful anti-spam law was S.1618 - it didn't pass, but for a few years a popular spammer trick was to include a footnote that under S.1618, their email was not spam, and S.1618 was a sufficiently unique phrase that my spam filters could automatically trash anything that included it.
Spammers will sell whatever they think they can make money on. Some of the spam is certainly fraud, but lots of it is selling people things that they want, like pr0n, or Non-prescription Herbal Viagra Substitute Pills, or real Viagra with Canadian prescriptions, or introductions to mortgage brokers with great rates (at least compared to the 1980s:-), or time-share vacations in the Caribbean, and there's not necessarily anything dishonest about it - they just don't mind annoying 99.99% of the people who receive their email in order to find the one customer who does want the product.
Of course there are also lots of spammers that *are* selling fraudulent products; one reason people advocate anti-spam laws for stopping those people is that spam is annoying, but another reason is that it's sometimes easier to catch a spammer with enough proof that he's spamming than it is to get enough proof that he's actually defrauded anybody, rather like busting Al Capone for income tax evasion.
Friends of mine have a civil liberties organization that really *does* want to hear from people in Nigeria and other parts of Africa with corrupt evil dictators, and some of the people they'd like to hear from are likely to be using the same cybercafes that other people are using to pretend to be widows or orphans of corrupt evil dictators who are trying to get money out of the country. They find the spam problem very frustrating:-)
I don't approve of ISPs automatically blacklisting spam-heavy countries. On the other hand, it's nice that my email provider does give users a checklist for countries that they don't want to receive any mail from, or that they want to have extra-heavy spam-filtering for. Cutting out China, Korea, and Nigeria really does help a lot.
That particular sender's not planning to send you any more mail, so you're automatically removed from the list. That fairly identical-looking piece of spam you got last week was sent by my evil twin Zoot, and she's promised not to do it again either.
Tony, you're in Florida, the spammers aren't that far away (though you're in Orlando, and most of them are closer to Miami.) You're just using the wrong kind of Spam Assassin....
Some states had aggressively worded anti-spam laws, but that didn't make spammers go away. Some states had laws that let spam recipients, or at least their ISPs, sue spammers, and while they had serious problems with the Interstate Commerce Clause of the US Constitution, enough spammers did send spam to people in their own states that used ISPs within the state that occasionally you could have fun with a weekend of spammer-hunting (back before states started making laws against Internet Hunting, anyways:-) It only takes one state with weak spammer laws that have easily exploitable loopholes to make other states' anti-spam laws useless, and if you could write a totally airtight bullet-proof Federal law against spammers, they'd just move their operations offshore. (Somebody set up us the corporation!) Worst case, a US spammer would need to have somebody set up a $500 off-shore corporation, buy stock in it, and earn lots of dividends from the profits from activities that aren't illegal there. Or they'd buy the stock in that corporation, which would do business with another $500 off-shore corporation in another country.
But usually a US corporation is enough legal separation, and if Evil.Example.Com gets caught spamming and gets convicted, and it not only has all its assets confiscated, but Attorney General Alberto "The Torturer" Gonzales burns its corporate charter at the stake in the Miami FBI Building's parking lot, the worst it means for Billy-Bob the Spammer is that he needs to spend another $100 registering another corporation that'll get burned the next time. And if the YOU-CAN-SPAM act hadn't interfered with state laws, the most effective of them would generally mean that there's no criminal prosecution that might have a chance of piercing the corporate veil - it's strictly limited to getting a huge judgement against a corporation that doesn't have any significant assets, just petty cash, a rental contract on a 1-U computer, and the latest batch of 100 bottles of pills that they buy for $10 and sell for $50, so the corporation goes bankrupt, paying off a small part of the judgement, and Billy-Bob's personal assets aren't touched.
Marx's critiques of capitalism, as written in that utterly dull and wildly bogus book Das Kapital, assumed that workers weren't able to afford to own the means of production and that therefore the evil nasty greedy rich capitalists who *could* afford them would be able to ruthlessly exploit them. It wasn't really true back in 1867, but it's certainly not true in 2005. You can buy a new computer for two weeks' wages at Macdonald's that's more powerful than an early 1980s mainframe or supercomputer, or a decent used computer for two weeks' worth of cigarette money, and at least five years ago, one of the stereotyped spammer categories was Bubba in his Double-Wide selling Nigerian Herbal Fake Viagra pills online, or whatever else will sell. And even if 99.99% of our national consciousness really did want spam stopped, the other 0.01% is enough for Bubba to make money off of them. There are almost certainly a thousand people in America dumb enough to fall for a Nigerian 419 scam or fake lottery or whatever, and it's cheap enough to send 100,000 emails to annoy other Americans that the profit from your first sucker will pay for it. And once you've hooked the first one, or sold your first couple of bottles of pills, it's all profit from there, unless you're one of the unlucky few who get caught.
Congress certainly is NOT the best government money can buy. You should be able to buy a MUCH better government than that.
However, it's not the spammers buying government that made this mess. It's Congress trying to create the appearance that they're Doing Something Useful, without have the skill set to *actually* do anything useful, and (if you want to give them some credit, which they may or may not deserve), they were trying to stay out of serious trouble with either the First Amendment or Legitimate Big Businesses or their cronies or other things that would get them in trouble. In other words, they were grandstanding to look good, and any of them who were competent enough to understand the problem did know that. Their measurement of success or failure isn't whether spam actually gets stopped (though they'd be happy if that happened, just as they'd be happy if Global Warming vanished overnight), it's whether they can tell their constituents that they're Doing Something Productive. And if the voters believe them, well shame on them...
IMHO, it's simply not possible for one government to write a law draconian enough to stop a significant quantity of spam on a world-wide internet without significantly interfering with civil liberties and business productivity, because enough spammers are flexible enough to restructure their activities and find countries to work from where there are service providers who are perfectly willing to take their business, and find ways to use normal corporate-structure laws to insulate themselves from prosecution. Modern Internet and computer technology means that it's nearly free to communicate with the billion-or-so people who've got the most money, and the percentage of those people who are suckers has not significantly improved since P.T.Barnum measured their birth rate, and the percentage who are greedy enough to want to exploit them hasn't gone down much either. (That's not to say that the greedy people and the suckers don't overlap - they're just not the ones who make up most of Spamhaus's Top 200 Spammers list, and in fact they're often the best customers for the spamware vendors.) So the economics are there to make spamming look profitable, and often to actually be profitable, the people who want to profit from it are willing and able, and at least a few of them are creative enough to find workarounds for most laws, even if it means setting up an occasional $100 disposable corporation or paying extra for a bullet-proof Chinese website or renting an expendable army of zombies.
Look, philosophy's a Fine Thing, and one of the theoretical advantages of Open Source is that theoretically it should be able to produce better software for everybody with less total work, and also if you don't like something you can go write it yourself (so at least you don't get to whine about it, unlike broken closed-source products like IE:-) In practice, there are a bunch of kinds of Free Beer around, so Opera's position is like Guinness competing with ten different free homebrews, as opposed to Guinness competing with Budweiser. (And yeah, some of the homebrew is total swill, and some of it hasn't finished fermenting yet, but some of it is really good stuff.)
I tried Opera when it first came out - a light fast browser that fit on half a floppy disk, and was good competition to Netscape. I liked Netscape's user interface better, so I wasn't going to pay for the non-demo version of Opera, but it really was small and fast and worked well on underpowered machines. I haven't actually used modern versions of Opera, but I gather it's no longer small and minimalist.
Historically, Republicans have had two different economic programs
Encourage business through free trade, fiscal responsibility, and minimal regulation
Encourage your big business friends and campaign contributors through protectionism, big military spending, and rampant borrowing, regardless of collateral damage to the economy and small businesses.
Unfortunately, the Bush Administration are the latter type of Republicans. (I'm not saying the Democrats are any better - they just have different friends and different special interests. The last good Republican President we had was Bill Clinton, and before him, well, we didn't elect Goldwater
So the Bush Administration may do something protectionist as retaliation, damaging more American businesses, or they may just give a bunch of speeches and not actually do anything. If we're lucky it'll be the latter.
Meanwhile, China's government have been pretty crazy, trying to pretend that they're preserving the benefits of Communist central planning and limited amounts of political repression while becoming corrupt capitalists in practice - but they're mostly Not Stupid about where the money's coming from. So yes, big foreign businesses will be able to set up Chinese subsidiaries or joint ventures to sell to the government as long as somebody's nephew or brother-in-law gets to run them. And small foreign businesses will be able to sell to Chinese wholesalers, or maybe sell their products as OEM to Chinese companies that will add value by localization.
Microsoft and Oracle probably already have Chinese "partners", or else they'll set them up, and there are Linux distributions developed in China, and possibly other Linux commercial distributors can get Chinese companies to do documentation and packaging for them.
You've either failed to read the article, or misunderstood it, though you were closer than the first checklist. A well-designed market-based solution doesn't suffer from many of the points you've checked, because it recognizes that it's the recipient's time that matters (though the article incorrectly tries to describe the time as a "property right" rather than a "service", which leads in various non-useful directions.)
() Lack of centrally controlling authority for email
-- it doesn't appear to use this - it appears to be recipient's-end charging, which can be deployed in a decentralized manner () Open relays in foreign countries
-- those don't matter here - if they sender doesn't pay, the recipient doesn't read it, and relays only make it harder to pay. (*) Mailing lists and other legitimate email uses would be affected
-- you correctly marked "whitelists suck", which is part of why it's hard to implement this one correctly. (*) Users of email will not put up with it
-- this is the big problem with TMDA, hashcash, and many similar systems (*) Many email users cannot afford to lose business or alienate potential employers
-- you missed this one too. See previous. () Requires too much cooperation from spammers
-- not a problem. This one requires cooperation from non-spammers. () Unpopularity of weird new taxes
-- unless I grossly misread the article, this doesn't apply here - the sender pays the recipient or recipient's ISP, not some third party. (*) Public reluctance to accept weird new forms of money
-- Yup. Either you need weird new money or old-fashioned real money, and the latter is usually too expensive per transaction. (??) Armies of worm riddled broadband-connected Windows boxes
-- Maybe. If enough people start using this, and there's a convenient mail-sender interface so senders don't need to pay attention very often, then worms will start to abuse it. Otherwise they won't care, and the five people who still use it will have whitelisted each other. () Dishonesty on the part of spammers themselves
-- Doesn't hurt the recipient, who sets the price high enough that he's willing to read an occasional Nigerian Herbal Fake Vi***a ad and keep their $5 just to annoy them. This proposal suffers from dishonest recipients, who convince legitimate that they should be willing to pay the money to get the recipient's attention. It's a serious enough problem that it can even lead to "Make Money Fast By Reading Email At Home" spammers inviting you to become a recipient:-) () Why should we have to trust you and your servers?
-- Because you want me to read your mail. Don't care? Don't send money, and I'll ignore you. If I'm a sufficiently interesting public figure, like Rush Limbaugh or Daily Kos or the Editor of the New York Times or Britney Spears, maybe you'll pay to get my attention. Alternatively, maybe the fact that I'm charging for my attention will make you think I'm some over-inflated ego who's not worth the effort, and my 15 minutes of fame will time out faster.
(*) Sorry dude, but I don't think it would work.
-- My conclusions's a bit more positive than yours:-)
It's still contributory infringement, even if some parts of the activity aren't direct infringement (e.g. Bob sends Alice a key to use to encrypt the movie she's sending you, and also sends you the key, but never handles the movie.) Some parts of it may also count as making an infringing derivative work (e.g. the encrypted movie probably is, the key probably isn't), so that may get Alice more penalties, and certainly won't get her off the hook.
Encryption is strictly to keep the participants from getting caught or eavesdropped on, or to help them only upload music to their friends and/or customers, or to help them make sure their customers pay them before they get to see the movie, or similar auxiliary functions. It can help the legitimate content possessors get money from customers or share contents with their friends without illegitimate access, or it can help illegitimate content possessors avoid getting caught by the Content Police.
Could some visitor climb under my desk and look at the password if they wanted? Yes, but they could also climb under the desk and hit the reset button, and it's not *that* big a stretch to figure out that the DHCP is now set for 192.168.0.0/24 instead of 192.168.1.0/24.
When a given DNS-RBL gets too aggressive, but the number of people bitching about it hasn't gotten high enough to notice, you can lose real mail for a while, especially if you've got friends who run their own Linux mail systems on consumer DSL. The mailbox service I use lets you pick from several different DNS-RBLs and set a threshold for how many of them need to block a given site before it kills it, so I've got a relatively conservative setting that needs to have a bunch of lists rejecting a site to reject it. The ISP where I actually read my mail uses SpamAssassin, and DNS-RBLs can also be useful as SpamAssassin weights that get added in along with all the other cues such as LINES OF YELLING and NIGERIAN 419er and pills-that-start-with-V. Neither of those approaches completely prevents false positives, but they help, and you still need to whitelist some people (e.g. John Gilmore's a friend of mine and is on some mailing lists I'm on, and almost every RBL out there hates him because of his positions on open relays, so his machines are on my whitelists.)
These aren't the Space Aliens you're looking for. You can move along.
Hey, the Bell System monopoly was perfectly legal - they'd done lots of work telling politicians that Regulated Monopolies would be a really good thing for the public, and the politicians got to hire lots of bureaucrats to regulate them, which politicians also liked. Some of the tradeoffs were valuable - gouging businesses and urban home phone services made it possible to reach most rural areas and provide affordable lifeline service for poor people. Some of them were clearly bad - the combination of telephone monopoly and FCC-granted broadcasting monopolies delayed the development of effective radio-based telephony by probably 40 years, and kept costs higher than they should be. On the other hand, it was better than the European-style government-run Post Office, Telegraphy, Telephony monopolies which took even longer to get rid ot.
The comparison isn't so much about the specific value of what Google's done in a couple of years vs. Bell Labs over many decades. The real comparison is that Google today and Bell Labs back in the day were Really Really Cool Places to Work. I was there from ~1978-1993 (not in Research, but I got to deal with the research folks on occasion), and there was an exciting culture of doing really amazing technical stuff. We were also The Phone Company, so there was also a culture of doing really dull gold-plated 40-year-depreciation-cycle engineering and the planning and accounting it takes to support them, so sometimes it was a bit slow moving (:-) but overall it was Really Cool. There were other places that also had that feel - some universities, some parts of some aircraft companies, probably Xerox Parc during its better years, and you'll find that a lot of the really good people from the remains of Bell Labs and/or AT&T Labs are now professors at universities near New Jersey.
OK, so they've actually announced all the DRM as "features". Doesn't mean anybody realized the damage that those features they could do, except the folks on the Dark Side.
The worst problems were anything that used command lines or shell scripts, but programs imported from Unix-related operating systems also tended to fail. The mapping between "Long Name With Spaces In It" and "LONGNA~1" sometimes worked, but often failed, and at best you tended to get non-human-readable names in the install scripts and sometimes have to type them in.
Back then it had the reputation of being a place where VCs and computer people would go to lunch or dinner, somewhat the way Buck's in Woodside was during the 90s. It's partly about the food, partly about the crowd.
Reading about it on the net isn't the same as experiencing it. (Run screaming..... ) I've been there with friends who were doing birthday parties for their kids - if you've got 8-10-year-olds, it's probably not a bad place to go, or at least no worse than other things intended for that age market. (Run screaming..... ) It's sort of like Disneyland, only mercifully smaller. The pizza wasn't _bad_, though in New Jersey it's impossible for a chain pizza place to compete with the quality of a random small restaurant run by actual Italians instead of animatronic imitations - I don't remember it being worse than Pizza Hut.
From: headers in spam are usually fake, but From: headers in non-spam that your filter caught by mistake are real, so logging them helps you find those messages if someone wants to look. Also, From: headers can be useful for finding trends in spam, either things that appear to be the same spammer, or people using the same spamware, or various kinds of phishing (From: security@ebay.com etc.)
No Thanks.
Some people comment about zombies doing DDOS - blocking port 25 does keep them from attacking port 25 on their targets, but they can still do all the same Port 80, Port 53, and Port 109/110 attacks, so it's not a big difference.
Also, Port 25 really was designed to support MUAs as well as MTAs - Port 587 and its competitors are later additions for MUA-only, and saying that Port 25 wasn't is purely revisionist. And as you say, malware folks will start abusing Outlook Express if that helps them.
The administrative interface for that is likely to be a web page for most ISPs for most customers. So you'll get a web page that doesn't know how to figure out that the customer's really infected, as opposed to an underpaid phone tech who doesn't think to figure out that the customer's infected....
Market-based solutions that look like "I'll accept your email if you attach a micropayment of X cents on it" can work quite well, because they capture the fundamental economic value, which is the recipient's time, and let the recipient charge whatever price the market will bear for it. Unfortunately, they also attract the usual checkbox-responses of "Users hate these things and will never accept them", and there aren't any really good anonymity-preserving micropayment systems out there, partly because it's a difficult problem and partly because of government interference.
The only really useful anti-spam law was S.1618 - it didn't pass, but for a few years a popular spammer trick was to include a footnote that under S.1618, their email was not spam, and S.1618 was a sufficiently unique phrase that my spam filters could automatically trash anything that included it.
Of course there are also lots of spammers that *are* selling fraudulent products; one reason people advocate anti-spam laws for stopping those people is that spam is annoying, but another reason is that it's sometimes easier to catch a spammer with enough proof that he's spamming than it is to get enough proof that he's actually defrauded anybody, rather like busting Al Capone for income tax evasion.
Friends of mine have a civil liberties organization that really *does* want to hear from people in Nigeria and other parts of Africa with corrupt evil dictators, and some of the people they'd like to hear from are likely to be using the same cybercafes that other people are using to pretend to be widows or orphans of corrupt evil dictators who are trying to get money out of the country. They find the spam problem very frustrating :-)
I don't approve of ISPs automatically blacklisting spam-heavy countries. On the other hand, it's nice that my email provider does give users a checklist for countries that they don't want to receive any mail from, or that they want to have extra-heavy spam-filtering for. Cutting out China, Korea, and Nigeria really does help a lot.
That particular sender's not planning to send you any more mail, so you're automatically removed from the list. That fairly identical-looking piece of spam you got last week was sent by my evil twin Zoot, and she's promised not to do it again either.
Tony, you're in Florida, the spammers aren't that far away (though you're in Orlando, and most of them are closer to Miami.)
You're just using the wrong kind of Spam Assassin....
But usually a US corporation is enough legal separation, and if Evil.Example.Com gets caught spamming and gets convicted, and it not only has all its assets confiscated, but Attorney General Alberto "The Torturer" Gonzales burns its corporate charter at the stake in the Miami FBI Building's parking lot, the worst it means for Billy-Bob the Spammer is that he needs to spend another $100 registering another corporation that'll get burned the next time. And if the YOU-CAN-SPAM act hadn't interfered with state laws, the most effective of them would generally mean that there's no criminal prosecution that might have a chance of piercing the corporate veil - it's strictly limited to getting a huge judgement against a corporation that doesn't have any significant assets, just petty cash, a rental contract on a 1-U computer, and the latest batch of 100 bottles of pills that they buy for $10 and sell for $50, so the corporation goes bankrupt, paying off a small part of the judgement, and Billy-Bob's personal assets aren't touched.
Marx's critiques of capitalism, as written in that utterly dull and wildly bogus book Das Kapital, assumed that workers weren't able to afford to own the means of production and that therefore the evil nasty greedy rich capitalists who *could* afford them would be able to ruthlessly exploit them. It wasn't really true back in 1867, but it's certainly not true in 2005. You can buy a new computer for two weeks' wages at Macdonald's that's more powerful than an early 1980s mainframe or supercomputer, or a decent used computer for two weeks' worth of cigarette money, and at least five years ago, one of the stereotyped spammer categories was Bubba in his Double-Wide selling Nigerian Herbal Fake Viagra pills online, or whatever else will sell. And even if 99.99% of our national consciousness really did want spam stopped, the other 0.01% is enough for Bubba to make money off of them. There are almost certainly a thousand people in America dumb enough to fall for a Nigerian 419 scam or fake lottery or whatever, and it's cheap enough to send 100,000 emails to annoy other Americans that the profit from your first sucker will pay for it. And once you've hooked the first one, or sold your first couple of bottles of pills, it's all profit from there, unless you're one of the unlucky few who get caught.
However, it's not the spammers buying government that made this mess. It's Congress trying to create the appearance that they're Doing Something Useful, without have the skill set to *actually* do anything useful, and (if you want to give them some credit, which they may or may not deserve), they were trying to stay out of serious trouble with either the First Amendment or Legitimate Big Businesses or their cronies or other things that would get them in trouble. In other words, they were grandstanding to look good, and any of them who were competent enough to understand the problem did know that. Their measurement of success or failure isn't whether spam actually gets stopped (though they'd be happy if that happened, just as they'd be happy if Global Warming vanished overnight), it's whether they can tell their constituents that they're Doing Something Productive. And if the voters believe them, well shame on them...
IMHO, it's simply not possible for one government to write a law draconian enough to stop a significant quantity of spam on a world-wide internet without significantly interfering with civil liberties and business productivity, because enough spammers are flexible enough to restructure their activities and find countries to work from where there are service providers who are perfectly willing to take their business, and find ways to use normal corporate-structure laws to insulate themselves from prosecution. Modern Internet and computer technology means that it's nearly free to communicate with the billion-or-so people who've got the most money, and the percentage of those people who are suckers has not significantly improved since P.T.Barnum measured their birth rate, and the percentage who are greedy enough to want to exploit them hasn't gone down much either. (That's not to say that the greedy people and the suckers don't overlap - they're just not the ones who make up most of Spamhaus's Top 200 Spammers list, and in fact they're often the best customers for the spamware vendors.) So the economics are there to make spamming look profitable, and often to actually be profitable, the people who want to profit from it are willing and able, and at least a few of them are creative enough to find workarounds for most laws, even if it means setting up an occasional $100 disposable corporation or paying extra for a bullet-proof Chinese website or renting an expendable army of zombies.
I tried Opera when it first came out - a light fast browser that fit on half a floppy disk, and was good competition to Netscape. I liked Netscape's user interface better, so I wasn't going to pay for the non-demo version of Opera, but it really was small and fast and worked well on underpowered machines. I haven't actually used modern versions of Opera, but I gather it's no longer small and minimalist.
Unfortunately, the Bush Administration are the latter type of Republicans. (I'm not saying the Democrats are any better - they just have different friends and different special interests. The last good Republican President we had was Bill Clinton, and before him, well, we didn't elect Goldwater
So the Bush Administration may do something protectionist as retaliation, damaging more American businesses, or they may just give a bunch of speeches and not actually do anything. If we're lucky it'll be the latter.
Meanwhile, China's government have been pretty crazy, trying to pretend that they're preserving the benefits of Communist central planning and limited amounts of political repression while becoming corrupt capitalists in practice - but they're mostly Not Stupid about where the money's coming from. So yes, big foreign businesses will be able to set up Chinese subsidiaries or joint ventures to sell to the government as long as somebody's nephew or brother-in-law gets to run them. And small foreign businesses will be able to sell to Chinese wholesalers, or maybe sell their products as OEM to Chinese companies that will add value by localization.
Microsoft and Oracle probably already have Chinese "partners", or else they'll set them up, and there are Linux distributions developed in China, and possibly other Linux commercial distributors can get Chinese companies to do documentation and packaging for them.
() Lack of centrally controlling authority for email
-- it doesn't appear to use this - it appears to be recipient's-end charging, which can be deployed in a decentralized manner
() Open relays in foreign countries
-- those don't matter here - if they sender doesn't pay, the recipient doesn't read it, and relays only make it harder to pay.
(*) Mailing lists and other legitimate email uses would be affected
-- you correctly marked "whitelists suck", which is part of why it's hard to implement this one correctly.
(*) Users of email will not put up with it
-- this is the big problem with TMDA, hashcash, and many similar systems
(*) Many email users cannot afford to lose business or alienate potential employers
-- you missed this one too. See previous.
() Requires too much cooperation from spammers
-- not a problem. This one requires cooperation from non-spammers.
() Unpopularity of weird new taxes
-- unless I grossly misread the article, this doesn't apply here - the sender pays the recipient or recipient's ISP, not some third party.
(*) Public reluctance to accept weird new forms of money
-- Yup. Either you need weird new money or old-fashioned real money, and the latter is usually too expensive per transaction.
(??) Armies of worm riddled broadband-connected Windows boxes
-- Maybe. If enough people start using this, and there's a convenient mail-sender interface so senders don't need to pay attention very often, then worms will start to abuse it. Otherwise they won't care, and the five people who still use it will have whitelisted each other.
() Dishonesty on the part of spammers themselves
-- Doesn't hurt the recipient, who sets the price high enough that he's willing to read an occasional Nigerian Herbal Fake Vi***a ad and keep their $5 just to annoy them. This proposal suffers from dishonest recipients, who convince legitimate that they should be willing to pay the money to get the recipient's attention. It's a serious enough problem that it can even lead to "Make Money Fast By Reading Email At Home" spammers inviting you to become a recipient
() Why should we have to trust you and your servers?
-- Because you want me to read your mail. Don't care? Don't send money, and I'll ignore you. If I'm a sufficiently interesting public figure, like Rush Limbaugh or Daily Kos or the Editor of the New York Times or Britney Spears, maybe you'll pay to get my attention. Alternatively, maybe the fact that I'm charging for my attention will make you think I'm some over-inflated ego who's not worth the effort, and my 15 minutes of fame will time out faster.
(*) Sorry dude, but I don't think it would work.
-- My conclusions's a bit more positive than yours
Encryption is strictly to keep the participants from getting caught or eavesdropped on, or to help them only upload music to their friends and/or customers, or to help them make sure their customers pay them before they get to see the movie, or similar auxiliary functions. It can help the legitimate content possessors get money from customers or share contents with their friends without illegitimate access, or it can help illegitimate content possessors avoid getting caught by the Content Police.