Anyone knows a good online guide to understanding how the user accounts system works on windows, that both gives practical info, but also allows one to understand what's going on? I don't refer to "click this, click that, click 7 times OK" guides, and I'm quite tired of lying to Windows wizards in different ways to try to get them to do what I want. I'm not an active programmer or techie (I teach math now) but I did Fortran programming many years ago, so I know what computers are, and I do play a bit with things like Javascript and HTML, and I can read RFCs, but I'm looking for guides that don't treat me as either I'm computer-illiterate or have 3 years to learn everything there is to know at highest professional level. Yes, I could spend lots of time learning, but I would rather spend some of it learning something other than Windows (like linux), but I still need to use windows to handle all the things for the kids+wife+work (word/powerpoint homework, work related word documents, employer's IE5.5+ compatible website etc.) so I want resources that would teach me how windows work without insulting my intelligence or using up too much of my time...
I setup all of my PCs with "limited" user accounts for regular use, and I usually use "run as..." option for running programs that cannot work without admin privileges, but this has its own problems. One thing is that then the program runs with the default settings of the admin account (desktop, "my documents", favorites etc.) Another really more severe problem is that I DON'T WANT TO HAVE THE KIDS "RUN AS ADMIN"!!! And there are programs they use that don't always work properly when they don't get write permissions to write their ini files that they insist on putting somewhere under "program files". For instance, Celestia doesn't save bookmarks unless "run as admin". PClogo that my son got from his logo school and looks as if made for Windows 3.x had problems accessing files under his username (limited account. plus I'm really surprised that no one has put a kids friendly interface on the open-source MSWlogo. Don't hackers have kids? or at least nephews?) Lots of programs that are installed using "run as admin" install themselves only under admin (I once tried to install palm desktop that I downloaded. The installer only ran under admin. It installed an icon on all accounts desktops that was never really shown (no read permission on the icon, so it always showed as the default windows file icon, and of course did nothing as it was a shortcut to a program the user couldn't start) I could only use that program when logging into admin or "running as admin", and the palm synchronization only worked when logging into admin right after reboot - otherwise it always complained that "the port is already in use").
All of these are really frustrating and even more as I am never able to understand what the problems are, or what the "helpful wizards" really do...
I don't think that disallowing "selling" of patents can work. There is no real difference between "selling" and "leasing" a patent, or any kind of "IP", as it is not property. All of these are just contracts that exchange a current payment to the "owner" in return for possible future royalties. It's just a sort of insurance. Someone else is taking the risk.
What I think might work is a limitation on the profit that can be made using patents: not a limitation on the profit that can be made from an invention, but rather on the amount that can be claimed in court due to patent laws. The patent system is a public service to allow inventors to make a living inventing things, by limiting others from using the same ideas for a while. IMO there is absolutely no reason for the public to use this tool to allow some people to make unlimited profits. Of course profit from inventions should not be limited, but public protection (using the legal system) for this should be limited.
It might work the way insurance works: the minimum fee for registering a patent would give legal rights limited to a minimum sum that can be claimed. This would be a sum high enough for a single average family to make a living, say for 70 years (not the term of the patent. Just the profit that can be protected using patent laws). Then an inventor that thinks her/his/its patent is worth more would be able to "buy" higher protection by paying a higher fee to register the patent. E.g., if M$ thinks its method of determining the sender of an email address from email headers by following RFCs is worth $2000000000, and if the minimum protection would be set to $20000000 it would consider paying say 100 times the minimum fee for registering that patent. What this kind of system would achieve is good protection for the individual inventor, and at the same time it would prevent the kind of "IP hoarding" that is going on right now. It would also reduce the number of bogus patents and make companies think more before registering patents on trivialities (like translating the RFC2822 into pseudo code). And it can reduce the load on the patent office, while at the same time perhaps increasing its income and allowing it to more thoroughly investigate patent claims.
The system might include a procedure to increase registry fees after registration, so a rejected patent claim would still cost the same as today, and the party submitting a patent claim thus would not have to gamble on large sums before the patent is accepted. It would still make companies more cautious about patent applications, because those patents accepted would still cost much more to give real protection to a corporation (as opposed to an individual that would get sufficient protection for the minimal fee).
This kind of patent system would leave space for the kind of companies that "collect" patents. Only they would have to be much more selective, and would then have to play a more positive role in finding promising patented technologies that were overlooked, or whose inventor is not a good enough promoter, and promote them. These companies might even make more money in this kind of environment.
> The legitimate spammers also generally get their mail list from things that you sign up for and choose to have your email address shared.
In this case it's not spam (though I might not know it was solicited if they don't provide the info as to the circumstances in which I agreed to receive their mail).
However, what I was thinking about when writing the grandfather post was not about the act of sending bulk mail by itself as being criminal, but rather the act of doing so despite knowing in advance that it would certainly cause a certain amount of damage. In general, it seems to me that anyone performing some kind of operation should be responsible for the consequences of what they do, including the consequences of the "bulk" nature of the operation. So if the sending of millions of emails changes a certain risk factor from "unlikely" to "almost certain", it seems to me that the sender can be accused of knowingly causing that damage. It's not an argument that has anything to do with sending email. It can be used with anything "bulk", i.e., any operation that is likely to cause something to happen on a "large scale".
I thought about this a few weeks ago, when on a radio in one Israeli radio station the phone number of a certain department in the Israeli ministry of treasury was given to the public, and the public was asked to call and complain about a certain issue. Of course the number of calls made immediately after that made the phone line useless, so in fact it was a sort of a denial of service attack. It was then discussed on all major Israeli news media because of the way that government office reacted: they automatically redirected all their phone conversations to the radio station that suggested calling them, so the DOS attack fired back! So then the media was mainly discussing the ethics of the government agency's response. There was quite a unanimous agreement that it is the right of the public to call and complain, and it is the right of the media to encourage the public to do so. But then I thought that there is another aspect to this: what mass media does when asking the public to do this has further consequences, because of the massive number of people they can reach. It is not the same as collecting signatures and sending them to that office, and it is not the same as people calling on their own time to complain. It is a coordinated effort, so perhaps the party that is coordinating this operation has a responsibility to think about the possible consequences of what they do in asking thousands of people to call the same place at the same time: i.e., the mere size of the operation changes the situation to one that carries more responsibility.
> It doesn't apply a "fairly harsh penalty for spamming"; it applies a fairly harsh penalty for fraud
What about spam that involves no kind of fraud? Just sending several millions of messages and storing them in recipients' email accounts means that several recipients would lose email functionality (e.g., because the stored spam would push them over quota). Of course any single email sent can do that. The difference is that when I send an email message to a few recipients I know that it is highly unlikely that the particular message I send would cause that kind of damage. On the other hand, probability theory tells us that when a spammer sends out millions of messages, it is not just likely that it would cause several thousand recipients to be denied further use of email until they take action to clear that spam - it is close to certainty that this would happen. Much closer to certainty than the level of certainty courts require for sentencing a person to death.
When a spammer sends out a message to a list of millions of addresses, it is certain that it would damage a few thousands of the recipients. I wonder if this can be used to convict the spammer in court for doing that damage (to prove criminal intent).
There are many other cases in which modern technology allows people to do things that on small scale are harmless, but on large scale are harmful, and the extent of damage caused can be at least estimated in advance. I wonder if and how criminal law can use this to convict spammers and others?
>... lack of a vigorous defense of a registered trademark is enough to lose it, much less not registering it in the first place.
I wonder to what extent having my name registered in my passport and other official documents (birth certificate etc.) can be considered a defence for my using it for identification or network presence. Can I register my own name as a trademark for the purpose of network presence? E.G. for protecting my personal domain if and when some company decides to use it in their product? Or in case some company I don't know about already uses it? I would really like to know if anyone tried something of this sort, or if this makes legal sense at all. Do rich corporations have an advantage over individuals in using names?
The cited story (http://news.com.com/Microsoft+registers+trademark--19+years+late/2100-1012_3-5449348.html?tag=nefd.top) mentions the case of MikeRoweSoft.com, formerly owned by teenager Mike Rowe, who managed to negotiate a bit more than the $10 bucks reimbursement offered by MicroSoft for the domain. Now perhaps Mike Rowe's parents should have known better when registering the name Mike Rowe in their son's birth certificate in the early 90's or late 80's, as MicroSoft was already a well known name, and they perhaps should have taken into account the possibility that said son would perhaps one day decide to go into the software business (and what if Mike Rowe decided to sell facial tissue online? Would MicroSoft have a case then? Just kidding...)
Uzi Nissan's last name is a common Hebrew last name, derived from the name of the month in the Hebrew calendar, probably dating more than 3000 years. He registered the domain Nissan.com for use with his computer related business around 1995, when the internet was still focused around computers, and long before Nissan motors showed any interest in network presence. Nissan Motors didn't manage to get the domain. But they did manage to deprive Uzi Nissan's use of the domain (http://64.233.183.104/search?q=cache:JH0zQdYEQ04J:www.nissan.com/+Nissan+computers&hl=en). In that case Uzi Nissan did have the right to use the trademark Nissan as it was not used in anything that has to do with the automotive industry (Actually he was even able to reproduce evidence that he already used the name Nissan in an automobile spare parts business in the 70's, and did business with Nissan motors that preferred to identify itself as Datsun, and did nothing about his use of his last name in his automobile-related business back then). All this didn't help him to retain use of his domain. Apparently he was not rich enough. Perhaps he can still use it for email...
Anyway, back to my original thought: can a name be registered as a trademark for the purpose of network presence? I use the name hadaso in many places for identification: in email accounts, in online forums, in my own domain. It is derived from my last name plus initial. I invested hundreds, perhaps thousands of hours of my life creating content that is scattered around the web, mainly in open forums, discussion lists, talkbacks, Wikis etc., and almost all of them identify me using either my nickname (hadaso) or my full name. So I would like to protect my investment, and know that I will not be prevented in the future from freely using it. If posting on online forums was a business I could register the Trademark. Perhaps I can do it anyway (in what way? In which countries? Would it be of any use in real life? it didn't help Uzi Nissan that did register the Nissan trademark, though a bit late, like MS's registration of Excel®). To what extent is my "name already protected by something called common law trademark", a sort of protection that Excel® apparently enjoys according to the cited story?
The TurboExcel case mentioned seems clearcut to me: obviously it refers to MicroSoft's product, and no TradeMark protection is needed to see that. I'd bet that eve
Whois contact addresses are supposed to be public. They are not contact addresses for your registrar. If they are aggressively filtered they might be considered invalid (perhaps if several attempts are made to contact them from several to test validity.) If they are tested for validity and found to be invalid (i.e., not accepting any email) then the domain might be taken from you (for publishing invalid contact info).
I use a sneakemail address on my whois record. I can easily change it to another sneakemail address (only I'm too lazy. I still get only about one spam message a day on that address. I get more spam on the sneakemail address I publish on slashdot posts and I still haven't replaced that one...)
An address published on whois is not immediately spammed. It takes several weeks until spammers scan the database and distribute updated mailing lists, so if you replace your whois address every week, or even just every month, you should be quite spam-clean (at least on these addresses). Of course you might be unlucky and your address harvested just after you publish it, but then, email addresses are cheap.
One thing that might be useful would be a protocol to automatically update all whois contact addresses and tools to automate the process of creating new addresses, updating them, and then blocking the old ones (ideally, if you want to receive all mail that might be sent to an address, you would want the old address to be kept active and then automatically blocked after about a week (to account for mail delivery delays, plus perhaps a couple of days a possible sender might delay a draft before finally sending it to you)).
BTW, widespread use of multiple email addresses, especially if combined with effective methods to automatically change and block old ones, can prove as a very big problem to spammers. They rely on very low response rate from mailing lists that have a reasonable percentage of valid addresses (I would call 5% valid reasonable here). If you throw in a factor of something like 99 out of 100 addresses being automatically invalidated by receiving spam (i.e., most addresses used by spammers becoming invalid soon after they start to receive spam) then it might make spam unprofitable. At least it would make life much harder for spammers, having to clean up their lists all the time.
My bank does send email alerts, but they never include any useful information. Just a notice that I have a new alert and a link to the "alerts" section in their website.
But that's not what I really want to tell you. There are ways to (at least partially) "authorise" your bank (or anyone else) to send you mail. I gave my bank a SneakEmail address that forwards the bank's mail to me, so any email from my bank has to come through this address, that is not published. The probability that a phisher can randomly produce it is very low. The only thing you need is an unpublished address that's very unlikely to be forged, and you can then have a reasonable level of sender authentication.
Now if this is not enough, consider VarA ("Verified And Recipient Authorized"). The details are not really important. The idea is that existing sender identification schemes can be used with unique recipient addresses: so say your bank published an SPF record (not that I endorse SPF as an anti-spam technique...). Then you can give the bank a unique email address, and then whenever email is received for that recipient address your server makes an SPF query on the bank's domain name: the receiving address triggers a check that the email came from the allowed sender's domain. To be able to do that you'd need server software that does it, but then it's all doable on the recipient's side, no need for sender's cooperation. The sender just sends email to the address the intended recipient provided. No interoperability issues. Anyone who wants to implement it on their servers can do it now, and there's no need for uniformity: in fact, diversity in the way it is implemented is an advantage, as a uniform implementation is a bigger target for those who would want to circumvent it.
> The real point of SPF and Sender ID is to make it hard for spammers to forge their "from" addresses
Neither SPF nor SenderID can do that without new email client software to use them, and then these specifications do not specify how the info is communicated to the email client.
Both specifications DO NOT check the RFC822 "From" header, so there's no problem "forging" that, and that is what all current email clients display. SPF checks the SMTP envelope from. SenderID checks the "PRA" which is something derived in a somewhat complicated way from the email headers, and MS thinks it should be required to match the sending server because probably that is how MS does email, so everyone else should do the same.
Anyway, it is trivial to use a "sender" header with matching envelope from that passes SPF (through registering a throwaway domain, possibly with stolen credit card number) and use whatever from header one wishes.
BTW, in the older MS "CallerID for email" proposal they wanted to include a requirement that a domain owner has to keep old server info in the CallerID DNS record several months after stopping using the server. So I think this tells us how MS thinks the info should be communicated to the email client (the client performs its own tests, even if several months passed since the email was received...)
And forget about these schemes stopping spam. They will not, and they are not designed to do this. They were supposed to make it harder to forge the "from" field, but they fail even in this unless the way email clients display email is changed, and a standard is created for the email server to communicate sender validation info to the email client.
When I was young I used the WATFIV interpreter to run FORTRAN IV on an IBM system. Instructions in FORTRAN were passed to an interpreter to be interpreted and executed (instead of first compiling the whole program). Actually we had back then another system for one program calling another one to do a job, but we called these "subroutines".
But the idea of one set of instruction getting another set of instructions as input, and then carrying out those instructions dates back at least to ~1936: Alan Turing then published a paper describing what he called a "computer". Nowadays it is referred to by the name "Turing Machine", but the original article referred to a set of instructions, not a physical machine. In modern terminology, what was described by Turing, that we now call a "Universal Turing Machine" was a set of instructions that receives any other set of instructions as input, and carries out those instructions (a universal Turing machine receives (A: description of Turing machine, B: string) as input and runs A on the input B). Then there followed other models doing the same thing, and eventually there came a model that was efficient enough to be implemented using electronics. "One application running another one" is the basic principle of computing. Computing as we know it is impossible without it, and if Kodak owns this idea, then we might as well go live in caves.
I find it hard to believe that Sun programmers couldn't find 50's/60's technology that can be considered as prior art to what they did. But then, perhaps Sun's lawyers didn't consult them!
> The difference seems to lie in the fact that software naturally comes in a form that can be copied and a book has to be converted from physical to electronic...
IMO another much more important difference is that software is expected to perform some functions for you, much like an appliance, so you expect it to work, and if broken you expect it to be repaired or replaced. It seems to me that one thing that licensing schemes try to do for the vendors is exempt them from this responsibility. Somehow they get away with selling things that we expect to do some functions for us (as advertised) and they don't have the responsibilities because "they are authors, or copyright owners, not manufacturers or suppliers of goods".
To read Hotmail using any client (well, at least as long as WEBDAV is provided for retrieving mail):
1. Sign up for a fastmail.fm account.
2. Configure FastMail to fetch your Hotmail account mail (they are using WEBDAV, just like OE).
3. Read your email using any IMAP capable software, or using FastMail.FM webmail interface that is more feature rich than many PC-based email clients.
I wonder if they are going to stop WEBDAV access for reading email, or just for sending.
> updates will be released, just not the sp2 "security enhancements"
That's fine for today. What does it mean 3 months from now? "enhancement" might get a broader definition by then?
Take WIN98. I have a legal copy I got with a new PC I purchased in 1999 (P3 500MHz, perfectly good for my needs after memory+HD upgrade). When the OS was new M$ promised it includes automatic online updates. Then several years later M$ announced it stops supporting this OS, which is perfectly fine. Everyone else interpreted this to mean that no more fixes are made for the OS, and basically you are stuck with the 2003 functionality. WRONG! You lose the entire patching mechanism!
In the past, when I reinstalled the OS (WIN98 needs clean reinstalls periodically) I just had to continue the installation with visiting the windows update site. I expected that after they stopped supporting the OS it would mean that I just get the same functionality, automatically downloading and installing all OS fixes up to 2003. But it didn't work this way. First it insisted that I need to install IE6 to access windows update. After installing IE6 I could finally access the windows update site that then informed me that this functionality is no longer available.
So you might say that removing support from the OS means removing the update site. That is clearly M$'s interpretation. I think differently. The automatic update was a feature included in the OS and was a main selling point back in 98-99. I remember people that recommended upgrading from WIN95 to WIN98 just for this feature. The point was that users with almost no technical skills can apply fixes themselves. M$ didn't "stop support" for this functionality. They REMOVED the functionality. It's not the same OS anymore. I would have expected them to leave the Windows update site in "as is" condition so that anyone that needs to reinstall the OS can at least apply existing features in the way they promised it would work when they sold the OS. They could also pack all existing fixes into one download that would replace the "automatic update". It would still apply as an "automatic update" as it would serve the same functionality from the user's point of view: have all the existing fixes without having to dig them up one by one.
Of course, you still have access to all the patches and may download them one by one. The site is specifically designed to make you do it manually and separately for each little fix. There is no way provided to download all the patches together (at least not that I've seen in the site, and M$ customer service specifically told me on the phone there is no such mechanism). So eventually I left the system as is, in 1998 "mint condition" (except the y2k patch that I saved back then). I don't have the time to go over all the little patches and try to decide which one I need and which one I don't. This might be fine for a company that employs a professional to maintain many PCs. Not for an individual. Now that computer is stuck again, and needs a clean install. This time even upgrading to IE6 might not be available, so it's back to IE4.
Yes, I know, I should install LINUX instead. I already have downloaded a version long ago, and the only issue is time: not for the LINUX install, but for making some order in the HD and backing up. Still I would need the Windows98 installed for the kids and for some software I might want to run on that machine. So there will be a legal copy of WIN98 on that machine in "mint condition".
So, be careful when reading M$ announcements. Their lawyers probably made sure that it may mean anything they want. Today it refers to specific "enhancements". Tomorrow "enhancement" might mean fixes to malfunctions that make the OS/browser vulnerable to attack. And finally you might find out that all the fixes are available to you on older OS's but to get them you need first to upgrade to the latest IE, and to do this you need to upgrade to the latest OS. You'd claim that the fixes are not available to you. They would claim they are.
I have seen a lot of ham (legitimate email) classified as spam by gmail.
One risk of having the whois published address subject to spam filtering is that if the registrar decides to test everybody's email addresses published on the whois, then the messages sent would certainly display spam characteristics (and would certainly be bulk mail) and might be reasonably classified as spam by spam filters (especially centralized ones that might have the additional info that the same message was received by thousands of other users).
If the email is delivered to you, then it is not a falsified address.
I would say that a spam filtered address is worse than a forwarding address that delivers everything, because a filtered address does not accept all email.
I use a sneakemail.com forwarding address in my whois record, and it receives spam about once a week. If it gets much worse I would just replace it. It would have been nicer if the address published on the whois database could have been automatically changed every once in a while, making it useless to harvest addresses from whois records.
>... registrar isn't cooperating. It's against their policy... Your lawyer suggest... that is the best that you can do.
The lawyer can get a court to order the registrar to reveal the info in the case you describe. Most probably if registrars held identifying info that was not made public in whois then they would have policies to avoid needing court order for most things.
In fact there are ways to register a domain by proxy, that is, someone else (third party) registers the domain for your use, and your contract with that third party is what defines your right to use the domain. The third party's identity and contact info is in the whois, and in most cases the third party can also perform additional administrative stuff for you related to the domain.
I think the way whois is published can be changed so that privacy of domain owners is better kept, and at the same time fuller and more accurate identifying info is kept in record. It can be open to the public without being open to spambots. The only difference would be in how that info is requested.
> Ideally such attempts would be so obvious or so broad as to fail.
Displaying a graphical interface for an application in a rectangle inside a rendered web page was not considered "obvious" or "broad" when a browser was not the number one application, and when rendering the graphical interface of an OS was considered something substantially different than rendering a web page. A few years passed, and now it seems obvious and certainly too broad. Is it not an idea? There's no clear distinction between "idea" and "method", even if lawyers try to tell you there is. It depends on situation and culture, and these change rapidly nowadays.
>The cost of a service (or lack there of) doesn't/shouldn't define that service
Right! How that cost/lack of cost is used matters. In the case discussed, one hundred years ago someone has carefully compiled a list of possible customers based on their ability to pay and perhaps on info available on their lifestyle, and spent money on informing them on something. In the case of email spam no such research occurs. Every existent/nonexistent email address receives the same message regardless of the recipient's need for the advertised product (size of P#|\|1$ is not taken into account B4 pressing "$3nd").
The "spam" described doesn't seem to really be spam.
Two reasons: 1. "Cunard sent out telegrams to SELECTED (rich) members...". Those ads were targeted to a very specific audience. They were not sent to railroad operators. One important characteristic of email spam is that it is completely untargeted. It is sent to your email address because it is an email address, not because someone invested in research and decided that you might be more interested than the average person in what they have to sell.
2. Salesmen going from door to door trying to sell stuff probably worked much earlier than a 100 years ago. Those are much closer to email spam in my opinion because they go to every home in the area they work in, not just to a list of addresses determined by preliminary research to be possibly interested in their product. (though they probably still choose to work in neighborhoods where a higher percentage of residents would be interested. That's some kind of targeting. Junk snail-mail often has these characteristics: a big chunk of it advertises local businesses, and if you look in your snail-mail junk you will find that a reasonable percentage actually advertises stuff you are planning to buy anyway, such as groceries, at perhaps lower prices.)
> In the case I guess the only option will be to use webmail for any addresses not provided by my ISP
Not really. You would just need to have your mail user agent (your email client) to add a "Sender:" header specifying an address in the domain you are sending from.
If it doesn't have this functionality, ask the vendor to include it.
If it doesn't (and its name starts with an M and ends with a $) then use another client.
Probably if and when these sender recognition schemes become widely employed, free software email programs would include options to set a "Sender:" header configurable by server used to send (so if multiple SMTP servers are available for the client for sending, the client would automatically send to an address that may send from that server).
The problem you described already exists for example for Gmail users who use their email clients to send email to recipients in one of the few places that already implemented rejecting by SPF.
The problem is not "software patents" but obvious things being patented. The fact that something that is done in real life (such as remembering your client) can be considered an innovation just because it is applied in software, and therefore may be patented, is a flaw in the way patents are examined. The fact that any procedure can be done by a computer (a "Turing computer") was already proved by Turing in 1936 (or at least was well known in the 30's). It doesn't mean that new procedures used in software shouldn't be patentable. But it does mean that software that just mimics functionality already existing not in software should not be patentable. So for example, a new method of voice recognition might be patentable, but the use of voice recognition by a computer to identify a customer shouldn't be patentable, since there is prior art: a lot of people that know me can identify me by hearing my voice on the phone (actually they can also identify me by analysis of my facial characteristics;-) ). The procedure exists. And the fact that if it can be done without a computer it can also be done by a computer is well known. So these kinds of patents should be voided.
As I see it, both SPF and SenderID cannot really prevent email address forging:
SPF only verifies the envelope from (SMTP MAIL FROM command).
SenderID has an "algorithm" for trying to determine what email address the message claims to "come from" using RFC822 "From", "Sender", "Resent-from" and "Resent-sender" (actually also "Received") headers (they call it "Purported Responsible Address"). Then the domain in this address is checked against a DNS record defining a set of IP addresses that may be used to send for that domain.
Why doesn't it prevent Joe jobs? Because all that the spammer needs to do is provide a "Sender" header with a domain that allows the server the spammer uses to send, and the email would get through. Replies would go to the address in the "From" header, and that would be the poor victim of the Joe job. Bounces would go to the envelope from, so with SenderID that would not be the verified address, but again the poor victim's address. "Classic" SPF at least has an advantage of avoiding real SMAP bounces from going to the Joe job victim.
The same works for phishing. A phisher might have to be more careful about revealing her own identity by registering a domain to use in the "sender" header, but then a phisher has the advantage of belonging to the "identity theft industry", so would probably have no problem to use previously stolen identities+credit card numbers to register enough domains to be able to steal even more identities.
These "verification schemes" might allow a bit more information to be revealed about the physical system used to send spam, but that's all. And every spam message that tries to sell something already has some kind of info on how to contact the spammer in order to make a purchase, that can be used to track the spammer (and often convict the spammer for something other than sending spam, such as illegal selling of drugs, or fraud, in the case of "organ enlargement pills" etc.)
So it's doubtful whether these "verification schemes" are worth the trouble.
The rest is a bit "off topic": I have a very simple "verification scheme": different possible senders get different addresses, and the address that receives the email message should then match the sender. Theoretically I can create rules to trash whatever doesn't match, but practically there's no need, because it rarely happens that they are needed, and if they are, then in a single sender situation it's easier to replace the address and notify the single sender of the address change. (actually the only addresses where I get spam are the ones that are publicly available, such as that used in slashdot and the one in my whois record. And the spam volume they receive is low enough that for now I prefer to report the spam I get to spamcop and not change the addresses).
Perhaps a better solution to make life hard to spammers is an "address change notification protocol". This would allow creating systems that automatically create different addresses for different senders, and do it in the background making it transparent for the user. Spammers depend on pretty reliable mailing lists, and a situation where each address would receive a single piece of spam and then be automatically changed would be a nightmare for them. It would ruin their business model!
Hey! That article you copied was copyrighted! You infringed on the copyright by not including the following (copied from http://www.gnu.org/philosophy/right-to-read.html):
Copyright 1996 Richard Stallman Verbatim copying and distribution of this entire article is permitted in any medium without royalty provided this notice is preserved
>...Chief can control this by taking away,
> killing, or putting social pressures onto
> Random Caveman. The idea is no longer free,
> but subject to force of might and social
> pressure...
I like this description. I was about to try to write something as to why IP is not property in the line of: "a dog can recognize property, and would react to someone trying to take his bone away. The same would happen with a baby if you take a toy away. But both would not recognize their IP being taken away from them".
But you gave the right definition: there is no such thing as property. There is violence, and its use defines ownership of objects. States and laws regulate the use of violence. And they may apply the same method to the use of ideas.
But there is still a difference: when a baby takes a toy from another baby, only one of them gets to play with it. But when a child repeats a phrase she heard, or copies some behaviour, the child learns. Copying ideas is the basis of the evolution of the human animal ("the web-surfing ape"). It's basic human nature to copy ideas, and we wouldn't have become the leading species on this planet if it wasn't our nature to copy ideas. Thus all kinds of "IP" ownership laws are basically contrary to human nature. We are learning creatures. Now I don't say that we should completely abandon IP laws. But we do have to make sure that they are used in a "minimal" setting. They are laws that use violence to control the basic human nature of copying ideas, and as such should apply only when failing to limit this would be harmful to society. And since these apply to technology that is changing rapidly, they should be periodically reassessed and revised.
Take as an example the application of copyright protection to audio recordings (see http://xiph.org/about.html): these were not included under copyright laws (1908 supreme court ruling). Then in 1909 congress changed the law to include them. Perhaps it was good and perhaps not. Perhaps it's time to change it now that there are cheaper methods to record and distribute recorded music.
Back to the chief and his (or her???) designer's spear: in modern terms it is much like the government allowing an individual to own a shotgun to guard his property, but disallowing the protection of the same property by surrounding it with minefields, while the government does guard some of its own installations using minefields. It's not the idea that is not free. Any other caveman can make the same kind of spear as long as it is handed over to the Chief for his exclusive use.
The original SPF was a method to publish a TXT record with info to be used for matching with the domain part of an email address used in an SMTP "MAIL FROM:" command.
SenderID uses similar syntax but in a new type of DNS record, and uses it not with the SMTP envelope from but instead with a "purported responsible address" derived somehow from the email headers ("RFC822 headers").
As far as I see SenderID will fail with forwarded email if the forwarding MTA complies with RFC2822:
"... forwarding is also used to mean when a mail transport program gets a message and forwards it on to a different destination for final delivery. Resent header fields are not intended for use with either type of forwarding." (RFC 2822 sec. 3.6.6)
For some reason SenderID authors think that forwarders should add these headers even though RFC2822 explicitly states that they are not to be added. (Perhaps MS+POBox software add these headers? It is quite clear from RFC 2822 sec. 3.6.6 that resent headers are meant to be used only when email is resent by human intervention). RFC compliant forwarders would not add these headers, so SenderID tests would fail on correctly forwarded email. For SenderID (or SPF) to work with forwarders these would have to either be non-RFC compliant, or the meaning of resent headers in email should be formally changed and email infrastructure updated to reflect the change (or perhaps it was already changed and RFC2822 is outdated???)
Anyone knows a good online guide to understanding how the user accounts system works on windows, that both gives practical info, but also allows one to understand what's going on? I don't refer to "click this, click that, click 7 times OK" guides, and I'm quite tired of lying to Windows wizards in different ways to try to get them to do what I want. I'm not an active programmer or techie (I teach math now) but I did Fortran programming many years ago, so I know what computers are, and I do play a bit with things like Javascript and HTML, and I can read RFCs, but I'm looking for guides that don't treat me as either I'm computer-illiterate or have 3 years to learn everything there is to know at highest professional level. Yes, I could spend lots of time learning, but I would rather spend some of it learning something other than Windows (like linux), but I still need to use windows to handle all the things for the kids+|wife+work (word/powerpoint homework, work related word documents, employer's IE5.5+ compatible website etc.) so I want resources that would teach me how windows work without insulting my intelligence or using up too much of my time...
I setup all of my PCs with "limited" user accounts for regular use, and I usually use "run as..." option for running programs that cannot work without admin privileges, but this has its own problems. One thing is that then the program runs with the default settings of the admin account (desktop, "my documents", favorites etc.) Another really more severe problem is that I DON'T WANT TO HAVE THE KIDS "RUN AS ADMIN"!!!
And there are programs they use that don't always work properly when they don't get write permissions to write their ini files that they insist on putting somewhere under "program files". For instance, Celestia doesn't save bookmarks unless "run as admin". PClogo that my son got from his logo school and looks as if made for Windows 3.x had problems accessing files under his username (limited account. plus I'm really surprised that no one has put a kids friendly interface on the open-source MSWlogo. Don't hackers have kids? or at least nephews?)
Lots of programs that are installed using "run as admin" install themselves only under admin (I once tried to install palm desktop that I downloaded. The installer only ran under admin. It installed an icon on all accounts desktops that was never really shown (no read permission on the icon, so it always showed as the default windows file icon, and of course did nothing as it was a shortcut to a program the user couldn't start) I could only use that program when logging into admin or "running as admin", and the palm synchronization only worked when logging into admin right after reboot - otherwise it always complained that "the port is already in use").
All of these are really frustrating and even more as I am never able to understand what the problems are, or what the "helpful wizards" really do...
I don't think that disallowing "selling" of patents can work. There is no real difference between "selling" and "leasing" a patent, or any kind of "IP", as it is not property. All of these are just contracts that exchange a current payment to the "owner" in return for possible future royalties. It's just a sort of insurance. Someone else is taking the risk.
What I think might work is a limitation on the profit that can be made using patents: not a limitation on the profit that can be made from an invention, but rather on the amount that can be claimed in court due to patent laws. The patent system is a public service to allow inventors to make a living inventing things, by limiting others from using the same ideas for a while. IMO there is absolutely no reason for the public to use this tool to allow some people to make unlimited profits. Of course profit from inventions should not be limited, but public protection (using the legal system) for this should be limited.
It might work the way insurance works: the minimum fee for registering a patent would give legal rights limited to a minimum sum that can be claimed. This would be a sum high enough for a single average family to make a living, say for 70 years (not the term of the patent. Just the profit that can be protected using patent laws). Then an inventor that thinks her/his/its patent is worth more would be able to "buy" higher protection by paying a higher fee to register the patent. E.g., if M$ thinks its method of determining the sender of an email address from email headers by following RFCs is worth $2000000000, and if the minimum protection would be set to $20000000 it would consider paying say 100 times the minimum fee for registering that patent. What this kind of system would achieve is good protection for the individual inventor, and at the same time it would prevent the kind of "IP hoarding" that is going on right now. It would also reduce the number of bogus patents and make companies think more before registering patents on trivialities (like translating the RFC2822 into pseudo code). And it can reduce the load on the patent office, while at the same time perhaps increasing its income and allowing it to more thoroughly investigate patent claims.
The system might include a procedure to increase registry fees after registration, so a rejected patent claim would still cost the same as today, and the party submitting a patent claim thus would not have to gamble on large sums before the patent is accepted. It would still make companies more cautious about patent applications, because those patents accepted would still cost much more to give real protection to a corporation (as opposed to an individual that would get sufficient protection for the minimal fee).
This kind of patent system would leave space for the kind of companies that "collect" patents. Only they would have to be much more selective, and would then have to play a more positive role in finding promising patented technologies that were overlooked, or whose inventor is not a good enough promoter, and promote them. These companies might even make more money in this kind of environment.
> The legitimate spammers also generally get
> their mail list from things that you sign up
> for and choose to have your email address shared.
In this case it's not spam (though I might not know it was solicited if they don't provide the info as to the circumstances in which I agreed to receive their mail).
However, what I was thinking about when writing the grandfather post was not about the act of sending bulk mail by itself as being criminal, but rather the act of doing so despite knowing in advance that it would certainly cause a certain amount of damage. In general, it seems to me that anyone performing some kind of operation should be responsible for the consequences of what they do, including the consequences of the "bulk" nature of the operation. So if the sending of millions of emails changes a certain risk factor from "unlikely" to "almost certain", it seems to me that the sender can be accused of knowingly causing that damage. It's not an argument that has anything to do with sending email. It can be used with anything "bulk", i.e., any operation that is likely to cause something to happen on a "large scale".
I thought about this a few weeks ago, when on a radio in one Israeli radio station the phone number of a certain department in the Israeli ministry of treasury was given to the public, and the public was asked to call and complain about a certain issue. Of course the number of calls made immediately after that made the phone line useless, so in fact it was a sort of a denial of service attack. It was then discussed on all major Israeli news media because of the way that government office reacted: they automatically redirected all their phone conversations to the radio station that suggested calling them, so the DOS attack fired back! So then the media was mainly discussing the ethics of the government agency's response. There was quite a unanimous agreement that it is the right of the public to call and complain, and it is the right of the media to encourage the public to do so. But then I thought that there is another aspect to this: what mass media does when asking the public to do this has further consequences, because of the massive number of people they can reach. It is not the same as collecting signatures and sending them to that office, and it is not the same as people calling on their own time to complain. It is a coordinated effort, so perhaps the party that is coordinating this operation has a responsibility to think about the possible consequences of what they do in asking thousands of people to call the same place at the same time: i.e., the mere size of the operation changes the situation to one that carries more responsibility.
> It doesn't apply a "fairly harsh penalty for spamming";
> it applies a fairly harsh penalty for fraud
What about spam that involves no kind of fraud?
Just sending several millions of messages and storing them in recipients' email accounts means that several recipients would lose email functionality (e.g., because the stored spam would push them over quota). Of course any single email sent can do that. The difference is that when I send an email message to a few recipients I know that it is highly unlikely that the particular message I send would cause that kind of damage. On the other hand, probability theory tells us that when a spammer sends out millions of messages, it is not just likely that it would cause several thousand recipients to be denied further use of email until they take action to clear that spam - it is close to certainty that this would happen. Much closer to certainty than the level of certainty courts require for sentencing a person to death.
When a spammer sends out a message to a list of millions of addresses, it is certain that it would damage a few thousands of the recipients. I wonder if this can be used to convict the spammer in court for doing that damage (to prove criminal intent).
There are many other cases in which modern technology allows people to do things that on small scale are harmless, but on large scale are harmful, and the extent of damage caused can be at least estimated in advance. I wonder if and how criminal law can use this to convict spammers and others?
> ... lack of a vigorous defense of a registered trademark is enough
> to lose it, much less not registering it in the first place.
I wonder to what extent having my name registered in my passport and other official documents (birth certificate etc.) can be considered a defence for my using it for identification or network presence. Can I register my own name as a trademark for the purpose of network presence? E.G. for protecting my personal domain if and when some company decides to use it in their product? Or in case some company I don't know about already uses it? I would really like to know if anyone tried something of this sort, or if this makes legal sense at all. Do rich corporations have an advantage over individuals in using names?
The cited story (http://news.com.com/Microsoft+registers+trademark--19+years+late/2100-1012_3-5449348.html?tag=nefd.top) mentions the case of MikeRoweSoft.com, formerly owned by teenager Mike Rowe, who managed to negotiate a bit more than the $10 bucks reimbursement offered by MicroSoft for the domain. Now perhaps Mike Rowe's parents should have known better when registering the name Mike Rowe in their son's birth certificate in the early 90's or late 80's, as MicroSoft was already a well known name, and they perhaps should have taken into account the possibility that said son would perhaps one day decide to go into the software business (and what if Mike Rowe decided to sell facial tissue online? Would MicroSoft have a case then. Just kidding...)
Uzi Nissan's last name is a common Hebrew last name, derived from the name of the month in the Hebrew calendar, probably dating more than 3000 years. He registered the domain Nissan.com for use with his computer related business around 1995, when the internet was still focused around computers, and long before Nissan motors showed any interest in network presence. Nissan Motors didn't manage to get the domain. But they did manage to deprive Uzi Nissan's use of the domain (http://64.233.183.104/search?q=cache:JH0zQdYEQ04J:www.nissan.com/+Nissan+computers&hl=en). In that case Uzi Nissan did have the right to use the trademark Nissan as it was not used in anything that has to do with the automotive industry (Actually he was even able to reproduce evidence that he already used the name Nissan in an automobile spare parts business in the 70's, and did business with Nissan motors that preferred to identify itself as Datsun, and did nothing about his use of his last name in his automobile-related business back then). All this didn't help him to retain use of his domain. Apparently he was not rich enough. Perhaps he can still use it for email...
Anyway, back to my original thought: can a name be registered as a trademark for the purpose of network presence? I use the name hadaso in many places for identification: in email accounts, in online forums, in my own domain. It is derived from my last name plus initial. I invested hundreds, perhaps thousands of hours of my life creating content that is scattered around the web, mainly in open forums, discussion lists, talkbacks, Wikis etc., and almost all of them identify me using either my nickname (hadaso) or my full name. So I would like to protect my investment, and know that I will not be prevented in the future from freely using it. If posting on online forums was a business I could register the Trademark. Perhaps I can do it anyway (in what way? In which countries? Would it be of any use in real life? it didn't help Uzi Nissan that did register the Nissan trademark, though a bit late, like MS's registration of Excel®). To what extent is my "name already protected by something called common law trademark", a sort of protection that Excel® apparently enjoys according to the cited story?
The TurboExcel case mentioned seems clearcut to me: obviously it refers to MicroSoft's product, and no TradeMark protection is needed to see that. I'd bet that eve
Whois contact addresses are supposed to be public. They are not contact addresses for your registrar. If they are aggressively filtered they might be considered invalid (perhaps if several attempts are made to contact them from several to test validity.) If they are tested for validity and found to be invalid (i.e., not accepting any email) then the domain might be taken from you (for publishing invalid contact info).
I use a sneakemail address on my whois record. I can easily change it to another sneakemail address (only I'm too lazy. I still get only about one spam message a day on that address. I get more spam on the sneakemail address I publish on slashdot posts and I still haven't replaced that one...)
An address published on whois is not immediately spammed. It takes several weeks until spammers scan the database and distribute updated mailing lists, so if you replace your whois address every week, or even just every month, you should be quite spam-clean (at least on these addresses). Of course you might be unlucky and your address harvested just after you publish it, but then, email addresses are cheap.
One thing that might be useful would be a protocol to automatically update all whois contact addresses and tools to automate the process of creating new addresses, updating them, and then blocking the old ones (ideally, if you want to receive all mail that might be sent to an address, you would want the old address to be kept active and then automatically blocked after about a week (to account for mail delivery delays, plus perhaps a couple of days a possible sender might delay a draft before finally sending it to you).
BTW, widespread use of multiple email addresses, especially if combined with effective methods to automatically change and block old ones, can prove as a very big problem to spammers. They rely on very low response rate from mailing lists that have a reasonable percentage of valid addresses (I would call 5% valid reasonable here). If you throw in a factor of something like 99 out of 100 addresses being automatically invalidated by receiving spam (i.e., most addresses used by spammers becoming invalid soon after they start to receive spam) then it might make spam unprofitable. At least it would make life much harder for spammers, having to clean up their lists all the time.
But that's not what I really want to tell you. There are ways to (at least partially) "authorise" your bank (or anyone else) to send you mail. I gave my bank a SneakEmail address that forwards the bank's mail to me, so any email from my bank has to come through this address, that is not published. The probability that a phisher can randomly produce it is very low. The only thing you need is an unpublished address that's very unlikely to be forged, and you can then have a reasonable level of sender authentication.
Now if this is not enough, consider VarA ("Verified And Recipient Authorized"). The details are not really important. The idea is that existing sender identification schemes can be used with unique recipient addresses: so say your bank published an SPF record (not that I endorse SPF as an anti-spam technique...). Then you can give the bank a unique email address, and then whenever email is received for that recipient address your server makes an SPF query on the bank's domain name: the receiving address triggers a check that the email came from the allowed sender's domain. To be able to do that you'd need server software that does it, but then it's all doable on the recipient's side, no need for sender's cooperation. The sender just sends email to the address the intended recipient provided. No interoperability issues. Anyone who wants to implement it on their servers can do it now, and there's no need for uniformity: in fact, diversity in the way it is implemented is an advantage, as a uniform implementation is a bigger target for those who would want to circumvent it.
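A sketch of the recipient-keyed check described in the comment above, added here as an illustration and not part of the original post. The addresses, domains, SPF records and function names are constructed, DNS is replaced by an inline table, and only the `ip4`, `ip6` and `all` SPF mechanisms are evaluated.

```python
import ipaddress

# Constructed SPF TXT records standing in for DNS lookups (documentation ranges).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 -all",
    "shop.example": "v=spf1 ip4:203.0.113.0/28 ~all",
}

# Hypothetical unpublished addresses, each handed to exactly one sender.
AUTHORIZED = {
    "k3x9q-bank@me.example": "bank.example",
    "p7t2m-shop@me.example": "shop.example",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, client_ip, records=SPF_RECORDS):
    """Evaluate a record against the connecting IP.

    Simplification: mechanisms that need further DNS queries (a, mx,
    include, ...) are skipped instead of being resolved.
    """
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"


def accept(rcpt_to, client_ip):
    """Decide delivery from the recipient address alone.

    The address selects which domain's policy is queried, so nothing the
    sender writes in the envelope or the headers influences that choice.
    """
    expected = AUTHORIZED.get(rcpt_to.lower())
    if expected is None:
        return ("reject", "unknown or retired recipient address")
    result = spf_result(expected, client_ip)
    if result == "pass":
        return ("accept", "SPF pass for " + expected)
    return ("reject", "SPF " + result + " for " + expected)


if __name__ == "__main__":
    for rcpt, ip in [
        ("k3x9q-bank@me.example", "192.0.2.55"),   # bank's own server
        ("k3x9q-bank@me.example", "203.0.113.5"),  # another sender's server
        ("p7t2m-shop@me.example", "192.0.2.55"),   # softfail is not a pass
        ("old-list@me.example", "192.0.2.55"),     # address never handed out
    ]:
        print(rcpt, ip, accept(rcpt, ip))
```
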
> The real point of SPF and Sender ID is to make it hard
> for spammers to forge their "from" addresses
Neither SPF nor SenderID can do that without new email client software to use them, and then these specifications do not specify how the info is communicated to the email client.
Both specifications DO NOT check the RFC822 "From" header, so there's no problem "forging" that, and that is what all current email clients display. SPF checks the SMTP envelope from. SenderID checks the "PRA" which is something derived in a somewhat complicated way from the email headers, and MS thinks it should be required to match the sending server because probably that is how MS does email, so everyone else should do the same.
Anyway, it is trivial to use a "sender" header with matching envelope from that passes SPF (through registering a throwaway domain, possibly with stolen credit card number) and use whatever from header one wishes.
BTW, in the older MS "CallerID for email" proposal they wanted to include a requirement that a domain owner has to keep old server info in the CallerID DNS record several months after stopping using the server. So I think this tells us how MS thinks the info should be communicated to the email client (the client performs its own tests, even if several months passed since the email was received...)
And forget about these schemes stopping spam. They will not, and they are not designed to do this. They were supposed to make it harder to forge the "from" field, but they fail even in this unless the way email clients display email is changed, and a standard is created for the email server to communicate sender validation info to the email client.
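A receiver-side illustration of the points made in the comments above about which identity SPF and SenderID each check, and about forwarding. It is an added example, not part of the original posts: the messages, domains and IP ranges are constructed, the policy table stands in for published DNS records, and the PRA precedence used is a simplified assumption rather than the full algorithm.

```python
from email import message_from_string
from email.utils import parseaddr
import ipaddress

# Constructed policy data: networks each domain allows to send on its behalf.
ALLOWED = {
    "bank.example": ["192.0.2.0/24"],
    "bulk.example": ["203.0.113.0/24"],
}

# Simplified PRA precedence (assumption): resent headers first, From last.
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")


def headers(*lines):
    """Build a minimal constructed message from header lines."""
    return "\n".join(lines) + "\n\nbody\n"


DIRECT = headers("From: Bank Alerts <alerts@bank.example>",
                 "Subject: statement")
MISMATCH = headers("From: Bank Alerts <alerts@bank.example>",
                   "Sender: news@bulk.example",
                   "Subject: statement")
# A forwarder that follows RFC 2822 sec. 3.6.6 adds no Resent-* headers,
# so the forwarded copy carries the same headers as the direct one.
FORWARDED = DIRECT


def domain_of(address):
    """Lower-cased domain of an address or header value, '' if absent."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def pra(msg):
    """Return (header name, domain) of the first usable PRA header."""
    for name in PRA_ORDER:
        value = msg.get(name)
        if value and domain_of(value):
            return name, domain_of(value)
    return None, ""


def authorized(domain, client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in ALLOWED.get(domain, []))


def assess(raw, mail_from, client_ip):
    """Report what each scheme verified and whether that covers From."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    env_dom = domain_of(mail_from)
    pra_header, pra_dom = pra(msg)
    return {
        "displayed_from": from_dom,
        "spf_identity": env_dom,
        "spf_pass": authorized(env_dom, client_ip),
        "pra_header": pra_header,
        "pra_identity": pra_dom,
        "senderid_pass": authorized(pra_dom, client_ip),
        # A pass only says something about From when the domains agree.
        "from_covered_by_spf": env_dom == from_dom,
        "from_covered_by_pra": pra_dom == from_dom,
    }


if __name__ == "__main__":
    cases = [
        ("direct", DIRECT, "bounce@bank.example", "192.0.2.10"),
        ("sender differs", MISMATCH, "news@bulk.example", "203.0.113.9"),
        ("forwarded", FORWARDED, "alerts@bank.example", "198.51.100.7"),
    ]
    for label, raw, mail_from, ip in cases:
        print(label, assess(raw, mail_from, ip))
```

The second case passes both checks while neither verified domain matches the displayed From, so a filter that wants the pass to mean anything to the reader has to compare the domains itself. The third case is legitimate forwarded mail that fails both checks.
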
> Dating back from OS/360 and possibly before, ...
When I was young I used the WATFIV interpreter to run FORTRAN IV on an IBM system. Instructions in FORTRAN were passed to an interpreter to be interpreted and executed (instead of first compiling the whole program).
Actually we had back then another system for one program calling another one to do a job, but we called these "subroutines".
But the idea of one set of instruction getting another set of instructions as input, and then carrying out those instructions dates back at least to ~1936: Alan Turing then published a paper describing what he called a "computer". Nowadays it is referred to by the name "Turing Machine", but the original article referred to a set of instructions, not a physical machine. In modern terminology, what was described by Turing, that we now call a "Universal Turing Machine" was a set of instructions that receives any other set of instructions as input, and carries out those instructions (a universal Turing machine receives (A: description of Turing machine, B: string) as input and runs A on the input B). Then there followed other models doing the same thing, and eventually there came a model that was efficient enough to be implemented using electronics. "one application running another one" is the basic principle of computing. Computing as we know it is impossible without it, and if Kodak owns this idea, then we might as well go live in caves.
I find it hard to believe that Sun programmers couldn't find 50's/60's technology that can be considered as prior art to what they did. But then, perhaps Sun's lawyers didn't consult them!
> Natural material goods, like lettuce: Copying is impossible, but legal ...
Actually, copying is possible, and this is how they are produced. Farmers produce them by making copies in their fields, a rather costly method!
> The difference seems to lie in the fact that software naturally ...
> comes in a form that can be copied and a book has to be converted
> from physical to electronic
IMO another much more important difference is that software is expected to perform some functions for you, much like an appliance, so you expect it to work, and if broken you expect it to be repaired or replaced. It seems to me that one thing that licencing schemes try to do for the vendors is exempt them from this responsibility. Somehow they get away with selling things that we expect to do some functions for us (as advertised) and they don't have the responsibilities because "they are authors, or copyright owners, not manufacturers or suppliers of goods".
To read Hotmail using any client (well, at least as long as WEBDAV is provided for retrieving mail):
1. Sign up for a fastmail.fm account.
2. Configure FastMail to fetch your Hotmail account mail (they are using WEBDAV, just like OE).
3. Read your email using any IMAP capable software, or using the FastMail.FM webmail interface that is more feature rich than many PC-based email clients.
I wonder if they are going to stop WEBDAV access for reading email, or just for sending.
> updates will be released, just not the sp2 "security enhancements"
That's fine for today. What does it mean 3 months from now? "enhancement" might get a broader definition by then?
Take WIN98. I have a legal copy I got with a new PC I purchased in 1999 (P3 500MHz, perfectly good for my needs after memory+HD upgrade). When the OS was new M$ promised it includes automatic online updates. Then several years later M$ announced it stops supporting this OS, which is perfectly fine. Everyone else interpreted this to mean that no more fixes are made for the OS, and basically you are stuck with the 2003 functionality. WRONG! You lose the entire patching mechanism!
In the past, when I reinstalled the OS (WIN98 needs clean reinstalls periodically) I just had to continue the installation with visiting the windows update site. I expected that after they stopped supporting the OS it would mean that I just get the same functionality, automatically downloading and installing all OS fixes up to 2003. But it didn't work this way. First it insisted that I need to install IE6 to access windows update. After installing IE6 I could finally access the windows update site that then informed me that this functionality is no longer available.
So you might say that removing support from the OS means removing the update site. That is clearly M$'s interpretation. I think differently. The automatic update was a feature included in the OS and was a main selling point back in 98-99. I remember people that recommended upgrading from WIN95 to WIN98 just for this feature. The point was that users with almost no technical skills can apply fixes themselves. M$ didn't "stop support" for this functionality. They REMOVED the functionality. It's not the same OS anymore. I would have expected them to leave the Windows update site in "as is" condition so that anyone that needs to reinstall the OS can at least apply existing features in the way they promised it would work when they sold the OS. They could also pack all existing fixes into one download that would replace the "automatic update". It would still apply as an "automatic update" as it would serve the same functionality from the user's point of view: have all the existing fixes without having to dig them up one by one.
Of course, you still have access to all the patches and may download them one by one. The site is specifically designed to make you do it manually and separately for each little fix. There is no way provided to download all the patches together (at least not that I've seen in the site, and M$ customer service specifically told me on the phone there is no such mechanism). So eventually I left the system as is, in 1998 "mint condition" (except the y2k patch that I saved back then). I don't have the time to go over all the little patches and try to decide which one I need and which one I don't. This might be fine for a company that employs a professional to maintain many PCs. Not for an individual.
Now that computer is stuck again, and needs a clean install. This time even upgrading to IE6 might not be available, so it's back to IE4.
Yes, I know, I should install LINUX instead. I already have downloaded a version long ago, and the only issue is time: not for the LINUX install, but for making some order in the HD and backing up. Still I would need the Windows98 installed for the kids and for some software I might want to run on that machine. So there will be a legal copy of WIN98 on that machine in "mint condition".
So, be careful when reading M$ announcements. Their lawyers probably made sure that it may mean anything they want. Today it refers to specific "enhancements". Tomorrow "enhancement" might mean fixes to malfunctions that make the OS/browser vulnerable to attack. And finally you might find out that all the fixes are available to you on older OS's but to get them you need first to upgrade to the latest IE, and to do this you need to upgrade to the latest OS. You'd claim that the fixes are not available to you. They would claim they are.
I have seen a lot of ham (legitimate email) classified as spam by gmail.
One risk of having the whois publish address subject to spam filtering is that if the registrar decides to test everybody's email addresses published on the whois, then the messages sent would certainly display spam characteristics (and would certainly be bulk mail) and might be reasonably classified as spam by spam filters (especially centralized ones that might have the additional info that the same message was received by thousands of other users).
> The email is forwarded to my real address...
If the email is delivered to you, then it is not a falsified address.
I would say that a spam filtered address is worse than a forwarding address that delivers everything, because a filtered address does not accept all email.
I use a sneakemail.com forwarding address in my whois record, and it receives spam about once a week. If it gets much worse I would just replace it. It would have been nicer if the address published on the whois database could have been automatically changed every once in a while, making it useless to harvest addresses from whois records.
> ... registrar isn't cooperating. It's against their policy ... ... that is the best that you can do.
> Your lawyer suggest
The lawyer can get a court to order the registrar to reveal the info in the case you describe. Most probably if registrars held identifying info that was not made public in whois then they would have policies to avoid needing court order for most things.
In fact there are ways to register a domain by proxy, that is, someone else (third party) registers the domain for your use, and your contract with that third party is what defines your right to use the domain. The third party's identity and contact info is in the whois, and in most cases the third party can also perform additional administrative stuff for you related to the domain.
I think the way whois is published can be changed so that privacy of domain owners is better kept, and at the same time fuller and more accurate identifying info is kept in record. It can be open to the public without being open to spambots. The only difference would be in how that info is requested.
> Ideally such attempts would be so obvious or so broad as to fail.
Displaying a graphical interface for an application in a rectangle inside a rendered web page was not considered "obvious" or "broad" when a browser was not the number one application, and when rendering the graphical interface of an OS was considered something substantially different than rendering a web page. A few years passed, and now it seems obvious and certainly too broad. Is it not an idea? There's no clear distinction between "idea" and "method", even if lawyers try to tell you there is. It depends on situation and culture, and these change rapidly nowadays.
>The cost of a service (or lack there of)
> doesn't/shouldn't define that service
Right! How that cost/lack of cost is used matters. In the case discussed, one hundred years ago someone has carefully compiled a list of possible customers based on their ability to pay and perhaps on info available on their lifestyle, and spent money on informing them on something. In the case of email spam no such research occurs. Every existent/nonexistent email address receives the same message regardless of the recipient's need for the advertised product (size of P#|\|1$ is not taken into account B4 pressing "$3nd").
The "spam" described doesn't seem to really be spam.
...". Those ads were targeted to a very specific audience. They were not sent to railroad operators. One important characteristic of email spam is that it is completely untargeted. It is sent to your email address because it is an email address, not because someone invested in research and decided that you might be more interested than the average person in what they have to sell.
Two reasons:
1. "Cunard sent out telegrams to SELECTED (rich) members
2. Salesmen going from door to door trying to sell stuff probably worked much earlier than a 100 years ago. Those are much closer to email spam in my opinion because they go to every home in the area they work in, not just to a list of addresses determined by preliminary research to be possibly interested in their product. (though they probably still choose to work in neighborhoods where a higher percentage of residents would be interested. That's some kind of targeting. Junk snail-mail often has these characteristics: a big chunk of it advertises local businesses, and if you look in your snail-mail junk you will find that a reasonable percentage actually advertises stuff you are planning to buy anyway, such as groceries, at perhaps lower prices.)
> In the case I guess the only option will to be use webmail
> for any addresses not provided by my ISP
Not really. You would just need to have your mail user agent (your email client) to add a "Sender:" header specifying an address in the domain you are sending from.
If it doesn't have this functionality, ask the vendor to include it.
If it doesn't (and its name starts with an M and ends with a $) then use another client.
Probably if and when these sender recognition schemes become widely employed, free software email programs would include options to set a "Sender:" header configurable by server used to send (so if multiple SMTP servers are available for the client for sending, the client would automatically send to an address that may send from that server).
The problem you described already exists for example for Gmail users who use their email clients to send email to recipients in one of the few places that already implemented rejecting by SPF.
The problem is not "software patents" but obvious things being patented. The fact that something that is done in real life (such as remembering your client) can be considered an innovation just because it is applied in software, and therefore may be patented, is a flaw in the way patents are examined. The fact that any procedure can be done by a computer (a "Turing computer") was already proved by Turing in 1936 (or at least was well known in the 30's). It doesn't mean that new procedures used in software shouldn't be patentable. But it does mean that software that just mimics functionality already existing not in software should not be patentable. So for example, a new method of voice recognition might be patentable, but the use of voice recognition by a computer to identify a customer shouldn't be patentable, since there is prior art: a lot of people that know me can identify me by hearing my voice on the phone (actually they can also identify me by analysis of my facial characteristics ;-) ). The procedure exists. And the fact that if it can be done without a computer it can also be done by a computer is well known. So these kinds of patents should be voided.
As I see it, both SPF and SenderID cannot really prevent email address forging:
SPF only verifies the envelope from (SMTP MAIL FROM command).
SenderID has an "algorithm" for trying to determine what email address the message claims to "come from" using RFC822 "From", "Sender", "Resent-from" and "Resent-sender" (actually also "Received") headers (they call it "Purported Responsible Address"). Then the domain in this address is checked against a DNS record defining a set of IP addresses that may be used to send for that domain.
Why doesn't it prevent Joe jobs?
Because all that the spammer needs to do is provide a "Sender" header with a domain that allows the server the spammer uses to send, and the email would get through. Replies would go to the address in the "From" header, and that would be the poor victim of the Joe job. Bounces would go to the envelope from, so with SenderID that would not be the verified address, but again the poor victim's address. "Classic" SPF at least has an advantage of avoiding real SPAM bounces from going to the Joe job victim.
The same works for phishing. A phisher might have to be more careful about revealing her own identity by registering a domain to use in the "sender" header, but then a phisher has the advantage of belonging to the "identity theft industry", so would probably have no problem to use previously stolen identities+credit card numbers to register enough domains to be able to steal even more identities.
These "verification schemes" might allow a bit more information to be revealed about the physical system used to send spam, but that's all. And every spam message that tries to sell something already has some kind of info on how to contact the spammer in order to make a purchase, that can be used to track the spammer (and often convict the spammer for something other than sending spam, such as illegal selling of drugs, or fraud, in the case of "organ enlargement pills" etc.)
So it's doubtful whether these "verification schemes" are worth the trouble.
The rest is a bit "off topic":
I have a very simple "verification scheme": different possible senders get different addresses, and the address that receives the email message should then match the sender. Theoretically I can create rules to trash whatever doesn't match, but practically there's no need, because it rarely happens that they are needed, and if they are, then in a single sender situation it's easier to replace the address and notify the single sender of the address change. (actually the only addresses where I get spam are the ones that are publicly available, such as that used in slashdot and the one in my whois record. And the spam volume they receive is low enough that for now I prefer to report the spam I get to spamcop and not change the addresses).
Perhaps a better solution to make life hard to spammers is an "address change notification protocol". This would allow creating systems that automatically create different addresses for different senders, and do it in the background making it transparent for the user. Spammers depend on pretty reliable mailing lists, and a situation where each address would receive a single piece of spam and then be automatically changed would be a nightmare for them. It would ruin their business model!
Hey! That article you copied was copyrighted!:
You infringed on the copyright by not including the following (copied from http://www.gnu.org/philosophy/right-to-read.html)
Copyright 1996 Richard Stallman
Verbatim copying and distribution of this entire article is permitted in any medium without royalty provided this notice is preserved
>...Chief can control this by taking away,
> killing, or putting social pressures onto
> Random Caveman. The idea is no longer free,
> but subject to force of might and social
> pressure...
I like this description. I was about to try to write something as to why IP is not property in the line of: "a dog can recognize property, and would react to someone trying to take his bone away. The same would happen with a baby if you take a toy away. But both would not recognize their IP being taken away from them".
But you gave the right definition: there is no such thing as property. There is violence, and its use defines ownership of objects. States and laws regulate the use of violence. And they may apply the same method to the use of ideas.
But there is still a difference: when a baby takes a toy from another baby, only one of them gets to play with it. But when a child repeats a phrase she heard, or copies some behaviour, the child learns. Copying ideas is the basis of the evolution of the human animal ("the web-surfing ape"). It's basic human nature to copy ideas, and we wouldn't have become the leading species on this planet if it wasn't our nature to copy ideas. Thus all kinds of "IP" ownership laws are basically contrary to human nature. We are learning creatures. Now I don't say that we should completely abandon IP laws. But we do have to make sure that they are used in a "minimal" setting. They are laws that use violence to control the basic human nature of copying ideas, and as such should apply only when failing to limit this would be harmful to society. And since these apply to technology that is changing rapidly, they should be periodically reassessed and revised.
Take as an example the application of copyright protection to audio recordings (see http://xiph.org/about.html): these were not included under copyright laws (1908 supreme court ruling). Then in 1909 congress changed the law to include them. Perhaps it was good and perhaps not. Perhaps it's time to change it now that there are cheaper methods to record and distribute recorded music.
Back to the chief and his (or her???) designer's spear: in modern terms it is much like the government allowing an individual to own a shotgun to guard his property, but disallowing the protection of the same property by surrounding it with minefields, while the government does guard some of its own installations using minefields. It's not the idea that is not free. Any other caveman can make the same kind of spear as long as it is handed over to the Chief for his exclusive use.
The original SPF was a method to publish a TXT record with info to be used for matching with the domain part of an email address used in an SMTP "MAIL FROM:" command.
SenderID uses similar syntax but in a new type of DNS record, and uses it not with the SMTP envelope from but instead with a "purported responsible address" derived somehow from the email headers ("RFC822 headers").
As far as I see SenderID will fail with forwarded email if the forwarding MTA complies with RFC2822:
"... forwarding is also used to mean when a mail transport program gets a message and forwards it on to a different destination for final delivery. Resent header fields are not intended for use with either type of forwarding." (RFC 2822 sec. 3.6.6)
For some reason SenderID authors think that forwarders should add these headers even though RFC2822 explicitly states that they are not to be added. (Perhaps MS+POBox software add these headers? It is quite clear from RFC 2822 sec. 3.6.6 that resent headers are meant to be used only when email is resent by human intervention). RFC compliant forwarders would not add these headers, so SenderID tests would fail on correctly forwarded email. For SenderID (or SPF) to work with forwarders these would have to either be non-RFC compliant, or the meaning of resent headers in email should be formally changed and email infrastructure updated to reflect the change (or perhaps it was already changed and RFC2822 is outdated???)
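The two SenderID comments above (the Joe job case and the forwarding case) can be checked side by side with the following added example, which is not part of the original posts. It assumes a simplified "purported responsible address" precedence (Resent-Sender, Resent-From, Sender, From), a constructed table standing in for the DNS records, and constructed sample messages and addresses.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the DNS records: domain -> IPs allowed to send for it.
AUTHORIZED = {
    "victim.example": {"192.0.2.10"},
    "throwaway.example": {"203.0.113.66"},
    "forwarder.example": {"198.51.100.7"},
}
# Simplified PRA precedence (assumption: interleaved Received headers are ignored).
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def pra(msg):
    """Return (header name, address) for the first usable header in PRA_ORDER."""
    for name in PRA_ORDER:
        addr = parseaddr(msg.get(name, ""))[1]
        if addr:
            return name, addr
    return None, ""


def evaluate(raw, mail_from, client_ip):
    """Compare the envelope check (SPF) with the header check (SenderID)."""
    msg = message_from_string(raw)
    header, address = pra(msg)

    def allowed(domain):
        return client_ip in AUTHORIZED.get(domain, set())

    return {
        "spf_pass": allowed(domain_of(mail_from)),
        "senderid_pass": bool(address) and allowed(domain_of(address)),
        "pra_header": header,
        "replies_to": parseaddr(msg.get("From", ""))[1],
        "bounces_to": mail_from,
    }


# Constructed messages. The Joe job forges From and the envelope sender,
# but supplies a Sender header in a domain that authorizes the sending host.
JOE_JOB = ("From: Joe <joe@victim.example>\n"
           "Sender: bulk@throwaway.example\n"
           "Subject: constructed sample\n\nbody\n")
# Legitimate mail relayed by an RFC 2822 compliant forwarder (no Resent-* added).
FORWARDED = "From: joe@victim.example\nSubject: constructed sample\n\nbody\n"
# The same mail if the forwarder adds Resent-From despite RFC 2822 sec. 3.6.6.
FORWARDED_RESENT = "Resent-From: relay@forwarder.example\n" + FORWARDED


def demo():
    return {
        "joe_job": evaluate(JOE_JOB, "joe@victim.example", "203.0.113.66"),
        "forwarded": evaluate(FORWARDED, "joe@victim.example", "198.51.100.7"),
        "forwarded_resent": evaluate(FORWARDED_RESENT, "joe@victim.example",
                                     "198.51.100.7"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The forged message passes the header check while replies and bounces still point at the forged address, and the correctly forwarded message fails both checks until the forwarder adds a Resent header.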