Well, and to boot, we're talking about a group of people who have made it their business to circumvent communication blocking attempts, including blacklists. They'll find new ways of communicating with their clients, all that will happen is the 'net will become a little less free and open.
Having an advertising / services based website is hardly against anyone's (reasonable) terms of service, and ISP's have made it a point to be common carriers, ignorant of the content they are providing. IMO, it's not up to the ISP to decide whether services being advertised on a site are in their customers' best interests.
You can't block these guys by IP, we already know that successful spammers have networks of infected zombie slaves, they'll use this network to host their website. Blocking by domain name has its obvious shortcomings also. How difficult would it be for a spammer to set up an IRC channel that advertises this week's (or today's) IP address and port number for accessing their spam contact page.
Or maybe they just send a spam out every 12 hours with a new IP address advertised. They could just put their current IP address on the bottom of every spam they send, or in the headers.
No, the solution proposed here is simply another speed bump for any determined spammer, and as lucrative as spamming turns out to be, it won't be long until all that's happened is that netizens have unwittingly (and happily) given up another net liberty in the form of website censorship.
Don't bother to raise a stink. In many corporate workplaces, especially the less forward-thinking places (which this appears to be), raising a stink like this will blacklist you, and you'll suddenly find yourself being passed up for promotions in favor of your subordinates, now boss.
Write an email to whomever makes this policy, and request a meeting with them and your boss. Make it clear in the email that forcing you to turn off your cell phone will jeopardize your ability to perform your job, and that downtimes could easily go from 10 minutes to many hours as you might be unaware that anything needs fixing. Explain, both in the email (for documentation) and in person (for impact and question answering) that the policy, when applied to you, precludes you from diligent performance of your job tasks.
If this all falls on def ears, and you're required to turn off comm devices anyhow, there's nothing you can do. This is a business decision they have made. You might get burnt for it, because when the server is down for 5 hours while you're in a basement fishing wires or something, they're going to be more concerned with scape-goating you than with looking for where the blame lies. But this is why you have your documentation. If things blow up, and you get fired, you get a lawyer, and whip out your documentation. You'll end up getting a nice package in settlement of this case, depending on how the dice fall, from 6 months up to 2 years pay.
This is what happened to a buddy of mine that had a corporate policy introduced which prevented him from timely performance of his job (very much like your situation, except his was dealing with virus detection software -- it was his job to keep people free of virii). It hit the fan, the corporate network went down for a lot of hours (it was over a day), and they fired him. He called a lawyer, got out his documentation showing where he disagreed with the policy, and explained how the policy unduly exposed the company, and that the company risked this sort of downtime in the face of this policy, for the reasons he listed there, all of which turned out to be true in actual practice, and because they thus unjustly fired him, they ended up giving him a package of 18 months pay.
He's currently spending the first 10 months of it with his kid before he starts going to school in the fall.
I switched from Cingular to Verizon some months back, and pay MORE for the "same service" under Verizon. Except I'm getting tons more service, the dead spots are almost non existant, and when they are, it's usually only for the span of 100 yards or so, not miles like Cingular.
Also, Cingular screwed up my billing on almost a monthly basis. They kept claiming that I was delinquent on my payments, only my payments go out automatically 5 days in advance (I never incurred extra charges, so it was a flat fee every month). I know they got the payments on time, but they'd feed me the "You have to allow us 5 business days to process your payment" BS. My bill is paid the day you receive the check, not the day you get around to telling your computer system that it's paid. Heck, they cash the checks before they enter them in to their system, all of my checks were cashed 1-2 days before the due date, but they still told me I was delinquent.
I'd call every month, and every month, they'd take off the late fees when I complained about it, but do you know how old this gets? Every single month calling them to get them to correct their errors. I switched off of them and evaluated AT&T and Verizon as potential new service providers, and decided on Verizon only because of the glowing testimony given by a coworker, who also lent me his phone for a day so I could check to see if those dead spots (eg, my house and my work) in Cingular's network were there for Verizon, when they were non existant under Verizon.
If I had switched instead to AT&T, I'd be canceling my service right away even if it meant I had to suck down the early termination fee.
bleh, that was supposed to have [/shamelessselfpromotion] in it, using greater and less than signs, but I guess Slashdot thought I was really trying to post HTML:-D My bad.
I second the "Good" for another reason: the quality of writing in Star Trek: Enterprise was worse than the original series. Frankly, Enterprise sucks. They need to get it off the air before it permanantly taints the incredible work done in TNG, DS9, and Voyager.
This is an example of file wrapping, and one of the big reasons that no fingerprinting technique will ever succeed. Each time the software became wise to a particular wrapping scheme, the users would convert to a new wrapping scheme. It's fairly conceivable though that the software also fingerprints all the variations of files, including zips and whatnot.
Sorry slightly changing the amplitude by flipping the low bit. Or changing a few low bits per second throughout the file. However you want to look at it, the point is that you can toggle low bits with out seriously affecting quality, but while having a significant impact on fingerprinting.
Slightly changing the low bit of the amplitude of various sound waves snippets in the file, or low bit on pixels within a video will have negligible effects on the overall quality of the file, but significantly impact on any electronic fingerprinting you can do on the piece. It'd look like a Photoshop file with a low durability watermark on it. Eg, a little bit of noise, but if it's noticable at all, it'd require very hi-fi speakers, or a lot of scrutinous comparison against the original.
Of course, you could choose to ignore the low bits, and fingerprint the upper bits, but this requires the software that trades files to be able to decode any type of file going over the network. This isn't feasible because it wouldn't be hard for someone to write a strongly encrypted proprietary wrapper on existing codecs which "garbages" the data, and distribute a free package which ungarbages it. Even if it was simple for Kazaa or other services to break this and include it in the software, it would not be legal for them to distribute the decryption with their software. If somehow it became legal, it would be simple for someone else to release a new one next week. And another new one the week after that.
The point is that this would start a tit-for-tat war. I guarantee any fingerprinting technique someone can think of, someone else can can defeat it with ease, and the concept of wrapping files in another program will put the highest volume copyright traders a few steps ahead of content filtering, ad nauseum.
It still "demonstrates" his "bad faith" in purchasing the domain name, that he's willing to sell it.
As I stated elsewhere, I have around 7 domain names I own for various reasons, all purchased in good faith, but any of which I'd easily sell for $10G's. To me, this doesn't demonstrate bad faith, but I'm not a lawyer.
I own maybe 7 domain names for various reasons. None of them were purchased with bad faith (eg, they're not designed to be similar to other companies or names, and as far as I know, none are). However, if someone came to me and claimed that I was infringing on their trademark, and offered me $10,000 for it, none of them are important enough to me that I wouldn't take it.
Likewise, if they came and offered me an absurd fee such as $10, it'd be a natural conclusion for me to counter offer something that I *would* be willing to sell it for. I'd say that there are few privately held domain names that there isn't some purchasing price for. Even corporately held domain names would come with a purchase price, though that price might lump in the corporation. Eg, if I offered Adobe $700 billion, I'm guessing I'd come away with a shiny new domain name, and probably a new office building filled with employees to go with it.
My point is that just because the kid *was* willing to sell the domain doesn't make it a bad faith offering. None of mine are bad faith, and I'd easily sell any of them for 10 grand.
I think prior art is pretty provable: the pattent was filed in 1999. I seem to recall this whole dot com boom happening at least 6 months before that. heh.
BestBuy didn't ask him to do a security audit of their site. Any such audit he chose to do therefore was of his own accord, and he could present it to BestBuy, and request that they compensate him, but they'd have no obligation to do such.
Since BestBuy doesn't release their site software for sale to other parties, this falls outside of responsible disclosure practices. Responsible discloser permits users of software packages to evaluate the risk to their organization of continuing to run said package. In fact, truly responsible disclosure would *not* include details on how to reproduce the attack, but only details on the level of difficulty in reproducing, and information exposure level. There's lots of irresponsible disclosure that goes on, and those making that sort of disclosure open themselves to a civil suit.
Irresponsible disclosure becomes extortion when you demand money or else you'll expose the flaw to the public. It wasn't extortion when he suggested setting up a business relationship, since this could have meant, "Hire me to do a more in-depth audit of your site," and it would have questionably been extortion if he had asked only for compensation for his time. But when he asked for $2.5M, there's no conclusion that it's now extortion.
It should be noted, since the BestBuy site's software isn't for sale, there's no legal way he can even identify a vulnerability in the software, since he cannot own a copy of it locally to do his testing. Just discovering the vulnerability makes him fodder for their lawyers, unless he could prove that he discovered the vulnerability totally by accident, in which case he cannot request any compensation since he did not invest any time in to the discovery of the vulnerability. Once the vulnerability was identified, he was obligated to *not* explore the vulnerability and learn more details about it, since as soon as he does this, he's committing a digital trespass.
To my knowledge, no one in the security community at large ever charges a vendor for vulnerabilities they discover, and if they *did* charge after the unrequested discovery, this too could be considered extortion.
Most people who would make a smart criminal are smart enough to realize that even the best laid plans sometimes go awry, and so are not terrifically likely to actually become a criminal. They'll ply their intelligence in more ethical, even if less productive ways.
Then there are the others. These are called The Mafia. They use their intelligence to make sure that they don't do the actual crime commission, but rather have lackeys do it. The lackeys who are smart enough not to get caught get promoted within the organization, and the overall organization becomes more powerful. The lackeys who *do* get caught won't squeal out of fear of what will happen to them if they do (committed by other lackeys, so the bosses and other smart ones still don't get caught). It's natural selection of the criminal sort.
I'm of the opinion that there are very few smart criminals outside of organized crime. I've thought of many scenarios in my life where I could perpetrate some crime with extreme excellence, and very low likelihood of getting caught. But given that my back door is exit only, that low likelihood is not worth the risk, and so I don't perpetrate the crime.
More likely they looked at his headers and saw he was using Outlook or Outlook Express, and sent a 1x1 iframe or gif which pointed at a FBI address used to track the user./me takes a moment to hug his Thunderbird.
or break the law by taking over millions of zombie machines.
This, they already do. I have a program I wrote which tracks my spam for me, and stores it in a database so that I can easily identify the biggest abusers. I also have a variety of email addresses aliased to the same account, which are obviously on many of the same lists as each other based on the spam they receive. Even across the addresses, it is rare that I see the same spam come from the same IP more than once, nor even the same network. I might get 24 copies of one new spam in a 24 hour period to 8 different accounts, and they'll come from 24 distinct networks, many of which I've never received spam from before, and of those which come from networks that I've received spam from before, many are from differing class C or even class B portions of the network (Class C: 192.168.100.X, Class B: 192.168.X.X) than I've received spam from before.
A lot of spam filters already work this way. If you're not in a whitelist of genuine emailers, you get a verification email back for *any* email you send out. If you verify yourself one time, it'll add you to the whitelist for that recipient, and accept emails that appear to come from your address. Though I haven't heard of anyone pairing it with other spam filtering software, and only verifying spam that tripped a threshold.
The biggest problem with this (that I've experienced) is that when such users participate on discussion lists, anyone who posts to the list gets a pile of emails back requesting action on the sender's part.
It also makes it hard or impossible to receive auto-generated emails that the recipient actually wants. Simple examples: order confirmation or email validation. Plus, if the sending side uses such a technique, the validation request email from the recipient might never get received (another auto-generated email). This is true of other error messages also. Both sides could then blindly email each other, not receive any error messages, and thinking their email is getting through when it is not.
I know this was a joke, but some people took it seriously. To that end, let me say, if he *did* do this, not only would he have a big new girlfriend named "Bubba," but he'd also *validate* the claims of the external auditors.
These auditors have an obvious conflict of interest.
I was excited to see only a 5% fee also. However, this is a little inaccurate. Since SourceForge takes the donations over PayPal, PayPal also sticks in its surcharges. So it's 5% less good (for the developer) than just using PayPal to accept donations. I'm not sure what the benefit is here. My project already accepts donations through PayPal, and I'd been watching out for a new means as not everyone who has wanted to donate could or wanted to use PayPal.
I think the real problem to this approach is that this would reduce the profit margin on sent emails. That means that spammers would be forced to send even more email to counter the reduced profits.
The spammers would lose some of their borderline legitimate customers (such as the mortgage people) because the increased overhead would be too much for them to cope with.
Unfortunately, although this hurts their current business model, what it would do ultimately is shift their business model. I predict that we'd start receiving a lot of spam for porno sites and the like, who consider any traffic at all to be good traffic, and if nothing else, it would get impressions made on their ad banners. Now (especially if these systems are automated) the spammers are richly rewarded for sending more emails.
I think the appeal of the original suggestion is that it gives us an opportunity to feel like we're actually accomplishing something and taking a personal part in the fight against spam. Too often we feel like no matter how aggressive we are at fighting spam, there are spams getting past our Bayesian filters, and past our SpamAssassin filters, and past our Realtime Black Lists, and past our Hash Spam Checkers. The ability of spam to get past all of these things demonstrates the versatility and willingness to think on their feet of our spamming enemies.
The problem is really and truly one of a fault in the inherrent trust model of the current email system. There is only one answer to spam, and that is an email system with reverse MX lookup capability, where a DNS entry says what server(s) are permitted to send email where the from address is a particular domain. Then we can filter entire from domains in RBL's rather than individual spamming machines, which are more likely than not simply trojaned unsuspecting random individuals.
Oh, and the purpose to the human readable output is that the theory is that the voter verifies the printout before it's dumped in to the box. This way, if all technology fails, you know that the human readable output is going to be as close to accurate as you can get, because the voter has confirmed that it reflects their desires.
On the contrary, you can (and should) do an audit purely of the accuracy of machine code compared against "human code". This is simple enough to check by randomly selecting a few hundred random vote slips from each district, passing them through the interpreting machine, and compare the read results against the printed results.
If any inaccuracies were found, this is when you'd reach the "failing that" clause, realize that there was either tampering with the system, or other errors with the system, and a hand count could be performed on the human readable portion of the output.
The reason you should take this approach over doing dual purpose human-computer readable output is that this type of output typically requires some level of intelligence on the part of the human, which makes it more difficult to read, and thus more prone to error, particularly for those with bad sight, or other disability. Rather, print the choices in large, easy to read text, intended purely for human consumption, and duplicate this information in an easily verifiable format in machine code.
Slashdot Mirror
Well, and to boot, we're talking about a group of people who have made it their business to circumvent communication blocking attempts, including blacklists. They'll find new ways of communicating with their clients, all that will happen is the 'net will become a little less free and open.
Having an advertising / services based website is hardly against anyone's (reasonable) terms of service, and ISP's have made it a point to be common carriers, ignorant of the content they are providing. IMO, it's not up to the ISP to decide whether services being advertised on a site are in their customers' best interests.
You can't block these guys by IP, we already know that successful spammers have networks of infected zombie slaves, they'll use this network to host their website. Blocking by domain name has its obvious shortcomings also. How difficult would it be for a spammer to set up an IRC channel that advertises this week's (or today's) IP address and port number for accessing their spam contact page.
Or maybe they just send a spam out every 12 hours with a new IP address advertised. They could just put their current IP address on the bottom of every spam they send, or in the headers.
No, the solution proposed here is simply another speed bump for any determined spammer, and as lucrative as spamming turns out to be, it won't be long until all that's happened is that netizens have unwittingly (and happily) given up another net liberty in the form of website censorship.
Don't bother to raise a stink. In many corporate workplaces, especially the less forward-thinking places (which this appears to be), raising a stink like this will blacklist you, and you'll suddenly find yourself being passed up for promotions in favor of your subordinates, now boss.
Write an email to whomever makes this policy, and request a meeting with them and your boss. Make it clear in the email that forcing you to turn off your cell phone will jeopardize your ability to perform your job, and that downtimes could easily go from 10 minutes to many hours as you might be unaware that anything needs fixing. Explain, both in the email (for documentation) and in person (for impact and question answering) that the policy, when applied to you, precludes you from diligent performance of your job tasks.
If this all falls on def ears, and you're required to turn off comm devices anyhow, there's nothing you can do. This is a business decision they have made. You might get burnt for it, because when the server is down for 5 hours while you're in a basement fishing wires or something, they're going to be more concerned with scape-goating you than with looking for where the blame lies. But this is why you have your documentation. If things blow up, and you get fired, you get a lawyer, and whip out your documentation. You'll end up getting a nice package in settlement of this case, depending on how the dice fall, from 6 months up to 2 years pay.
This is what happened to a buddy of mine that had a corporate policy introduced which prevented him from timely performance of his job (very much like your situation, except his was dealing with virus detection software -- it was his job to keep people free of virii). It hit the fan, the corporate network went down for a lot of hours (it was over a day), and they fired him. He called a lawyer, got out his documentation showing where he disagreed with the policy, and explained how the policy unduly exposed the company, and that the company risked this sort of downtime in the face of this policy, for the reasons he listed there, all of which turned out to be true in actual practice, and because they thus unjustly fired him, they ended up giving him a package of 18 months pay.
He's currently spending the first 10 months of it with his kid before he starts going to school in the fall.
I switched from Cingular to Verizon some months back, and pay MORE for the "same service" under Verizon. Except I'm getting tons more service, the dead spots are almost non existant, and when they are, it's usually only for the span of 100 yards or so, not miles like Cingular.
Also, Cingular screwed up my billing on almost a monthly basis. They kept claiming that I was delinquent on my payments, only my payments go out automatically 5 days in advance (I never incurred extra charges, so it was a flat fee every month). I know they got the payments on time, but they'd feed me the "You have to allow us 5 business days to process your payment" BS. My bill is paid the day you receive the check, not the day you get around to telling your computer system that it's paid. Heck, they cash the checks before they enter them in to their system, all of my checks were cashed 1-2 days before the due date, but they still told me I was delinquent.
I'd call every month, and every month, they'd take off the late fees when I complained about it, but do you know how old this gets? Every single month calling them to get them to correct their errors. I switched off of them and evaluated AT&T and Verizon as potential new service providers, and decided on Verizon only because of the glowing testimony given by a coworker, who also lent me his phone for a day so I could check to see if those dead spots (eg, my house and my work) in Cingular's network were there for Verizon, when they were non existant under Verizon.
If I had switched instead to AT&T, I'd be canceling my service right away even if it meant I had to suck down the early termination fee.
and I'm even Canadian
I'm so sorry for you.
bleh, that was supposed to have [/shamelessselfpromotion] in it, using greater and less than signs, but I guess Slashdot thought I was really trying to post HTML :-D My bad.
Yes, of course it is.
I second the "Good" for another reason: the quality of writing in Star Trek: Enterprise was worse than the original series. Frankly, Enterprise sucks. They need to get it off the air before it permanantly taints the incredible work done in TNG, DS9, and Voyager.
This is an example of file wrapping, and one of the big reasons that no fingerprinting technique will ever succeed. Each time the software became wise to a particular wrapping scheme, the users would convert to a new wrapping scheme. It's fairly conceivable though that the software also fingerprints all the variations of files, including zips and whatnot.
Sorry slightly changing the amplitude by flipping the low bit. Or changing a few low bits per second throughout the file. However you want to look at it, the point is that you can toggle low bits with out seriously affecting quality, but while having a significant impact on fingerprinting.
Slightly changing the low bit of the amplitude of various sound waves snippets in the file, or low bit on pixels within a video will have negligible effects on the overall quality of the file, but significantly impact on any electronic fingerprinting you can do on the piece. It'd look like a Photoshop file with a low durability watermark on it. Eg, a little bit of noise, but if it's noticable at all, it'd require very hi-fi speakers, or a lot of scrutinous comparison against the original.
Of course, you could choose to ignore the low bits, and fingerprint the upper bits, but this requires the software that trades files to be able to decode any type of file going over the network. This isn't feasible because it wouldn't be hard for someone to write a strongly encrypted proprietary wrapper on existing codecs which "garbages" the data, and distribute a free package which ungarbages it. Even if it was simple for Kazaa or other services to break this and include it in the software, it would not be legal for them to distribute the decryption with their software. If somehow it became legal, it would be simple for someone else to release a new one next week. And another new one the week after that.
The point is that this would start a tit-for-tat war. I guarantee any fingerprinting technique someone can think of, someone else can can defeat it with ease, and the concept of wrapping files in another program will put the highest volume copyright traders a few steps ahead of content filtering, ad nauseum.
It still "demonstrates" his "bad faith" in purchasing the domain name, that he's willing to sell it.
As I stated elsewhere, I have around 7 domain names I own for various reasons, all purchased in good faith, but any of which I'd easily sell for $10G's. To me, this doesn't demonstrate bad faith, but I'm not a lawyer.
I own maybe 7 domain names for various reasons. None of them were purchased with bad faith (eg, they're not designed to be similar to other companies or names, and as far as I know, none are). However, if someone came to me and claimed that I was infringing on their trademark, and offered me $10,000 for it, none of them are important enough to me that I wouldn't take it.
Likewise, if they came and offered me an absurd fee such as $10, it'd be a natural conclusion for me to counter offer something that I *would* be willing to sell it for. I'd say that there are few privately held domain names that there isn't some purchasing price for. Even corporately held domain names would come with a purchase price, though that price might lump in the corporation. Eg, if I offered Adobe $700 billion, I'm guessing I'd come away with a shiny new domain name, and probably a new office building filled with employees to go with it.
My point is that just because the kid *was* willing to sell the domain doesn't make it a bad faith offering. None of mine are bad faith, and I'd easily sell any of them for 10 grand.
I think prior art is pretty provable: the pattent was filed in 1999. I seem to recall this whole dot com boom happening at least 6 months before that. heh.
Ye... oooh, nice try feds! Almost got me on that one!
BestBuy didn't ask him to do a security audit of their site. Any such audit he chose to do therefore was of his own accord, and he could present it to BestBuy, and request that they compensate him, but they'd have no obligation to do such.
Since BestBuy doesn't release their site software for sale to other parties, this falls outside of responsible disclosure practices. Responsible discloser permits users of software packages to evaluate the risk to their organization of continuing to run said package. In fact, truly responsible disclosure would *not* include details on how to reproduce the attack, but only details on the level of difficulty in reproducing, and information exposure level. There's lots of irresponsible disclosure that goes on, and those making that sort of disclosure open themselves to a civil suit.
Irresponsible disclosure becomes extortion when you demand money or else you'll expose the flaw to the public. It wasn't extortion when he suggested setting up a business relationship, since this could have meant, "Hire me to do a more in-depth audit of your site," and it would have questionably been extortion if he had asked only for compensation for his time. But when he asked for $2.5M, there's no conclusion that it's now extortion.
It should be noted, since the BestBuy site's software isn't for sale, there's no legal way he can even identify a vulnerability in the software, since he cannot own a copy of it locally to do his testing. Just discovering the vulnerability makes him fodder for their lawyers, unless he could prove that he discovered the vulnerability totally by accident, in which case he cannot request any compensation since he did not invest any time in to the discovery of the vulnerability. Once the vulnerability was identified, he was obligated to *not* explore the vulnerability and learn more details about it, since as soon as he does this, he's committing a digital trespass.
To my knowledge, no one in the security community at large ever charges a vendor for vulnerabilities they discover, and if they *did* charge after the unrequested discovery, this too could be considered extortion.
Most people who would make a smart criminal are smart enough to realize that even the best laid plans sometimes go awry, and so are not terrifically likely to actually become a criminal. They'll ply their intelligence in more ethical, even if less productive ways.
Then there are the others. These are called The Mafia. They use their intelligence to make sure that they don't do the actual crime commission, but rather have lackeys do it. The lackeys who are smart enough not to get caught get promoted within the organization, and the overall organization becomes more powerful. The lackeys who *do* get caught won't squeal out of fear of what will happen to them if they do (committed by other lackeys, so the bosses and other smart ones still don't get caught). It's natural selection of the criminal sort.
I'm of the opinion that there are very few smart criminals outside of organized crime. I've thought of many scenarios in my life where I could perpetrate some crime with extreme excellence, and very low likelihood of getting caught. But given that my back door is exit only, that low likelihood is not worth the risk, and so I don't perpetrate the crime.
Sure you do. This is regularly referred to as "The Mafia."
More likely they looked at his headers and saw he was using Outlook or Outlook Express, and sent a 1x1 iframe or gif which pointed at a FBI address used to track the user. /me takes a moment to hug his Thunderbird.
or break the law by taking over millions of zombie machines.
This, they already do. I have a program I wrote which tracks my spam for me, and stores it in a database so that I can easily identify the biggest abusers. I also have a variety of email addresses aliased to the same account, which are obviously on many of the same lists as each other based on the spam they receive. Even across the addresses, it is rare that I see the same spam come from the same IP more than once, nor even the same network. I might get 24 copies of one new spam in a 24 hour period to 8 different accounts, and they'll come from 24 distinct networks, many of which I've never received spam from before, and of those which come from networks that I've received spam from before, many are from differing class C or even class B portions of the network (Class C: 192.168.100.X, Class B: 192.168.X.X) than I've received spam from before.
A lot of spam filters already work this way. If you're not in a whitelist of genuine emailers, you get a verification email back for *any* email you send out. If you verify yourself one time, it'll add you to the whitelist for that recipient, and accept emails that appear to come from your address. Though I haven't heard of anyone pairing it with other spam filtering software, and only verifying spam that tripped a threshold.
The biggest problem with this (that I've experienced) is that when such users participate on discussion lists, anyone who posts to the list gets a pile of emails back requesting action on the sender's part.
It also makes it hard or impossible to receive auto-generated emails that the recipient actually wants. Simple examples: order confirmation or email validation. Plus, if the sending side uses such a technique, the validation request email from the recipient might never get received (another auto-generated email). This is true of other error messages also. Both sides could then blindly email each other, not receive any error messages, and thinking their email is getting through when it is not.
I know this was a joke, but some people took it seriously. To that end, let me say, if he *did* do this, not only would he have a big new girlfriend named "Bubba," but he'd also *validate* the claims of the external auditors.
These auditors have an obvious conflict of interest.
I was excited to see only a 5% fee also. However, this is a little inaccurate. Since SourceForge takes the donations over PayPal, PayPal also sticks in its surcharges. So it's 5% less good (for the developer) than just using PayPal to accept donations. I'm not sure what the benefit is here. My project already accepts donations through PayPal, and I'd been watching out for a new means as not everyone who has wanted to donate could or wanted to use PayPal.
I think the real problem to this approach is that this would reduce the profit margin on sent emails. That means that spammers would be forced to send even more email to counter the reduced profits.
The spammers would lose some of their borderline legitimate customers (such as the mortgage people) because the increased overhead would be too much for them to cope with.
Unfortunately, although this hurts their current business model, what it would do ultimately is shift their business model. I predict that we'd start receiving a lot of spam for porno sites and the like, who consider any traffic at all to be good traffic, and if nothing else, it would get impressions made on their ad banners. Now (especially if these systems are automated) the spammers are richly rewarded for sending more emails.
I think the appeal of the original suggestion is that it gives us an opportunity to feel like we're actually accomplishing something and taking a personal part in the fight against spam. Too often we feel like no matter how aggressive we are at fighting spam, there are spams getting past our Bayesian filters, and past our SpamAssassin filters, and past our Realtime Black Lists, and past our Hash Spam Checkers. The ability of spam to get past all of these things demonstrates the versatility and willingness to think on their feet of our spamming enemies.
The problem is really and truly one of a fault in the inherrent trust model of the current email system. There is only one answer to spam, and that is an email system with reverse MX lookup capability, where a DNS entry says what server(s) are permitted to send email where the from address is a particular domain. Then we can filter entire from domains in RBL's rather than individual spamming machines, which are more likely than not simply trojaned unsuspecting random individuals.
Oh, and the purpose to the human readable output is that the theory is that the voter verifies the printout before it's dumped in to the box. This way, if all technology fails, you know that the human readable output is going to be as close to accurate as you can get, because the voter has confirmed that it reflects their desires.
On the contrary, you can (and should) do an audit purely of the accuracy of machine code compared against "human code". This is simple enough to check by randomly selecting a few hundred random vote slips from each district, passing them through the interpreting machine, and compare the read results against the printed results.
If any inaccuracies were found, this is when you'd reach the "failing that" clause, realize that there was either tampering with the system, or other errors with the system, and a hand count could be performed on the human readable portion of the output.
The reason you should take this approach over doing dual purpose human-computer readable output is that this type of output typically requires some level of intelligence on the part of the human, which makes it more difficult to read, and thus more prone to error, particularly for those with bad sight, or other disability. Rather, print the choices in large, easy to read text, intended purely for human consumption, and duplicate this information in an easily verifiable format in machine code.