Although there are some dictionary-like attacks, for example appending some characters to an existing address or subsitituting one or more characters by others, I think the vast majority of spammers just use existing addresses they get from spidering the web. When an address appears somewhere on the web, especially in discussion forums, guestbooks, and foremost: IANA listings, it is guaranteed to receive spam.
I think the "dictionary attack" story is mostly folklore. When someone receives spam on a never-used never-published address they often cry "dictionary attack" without further research.
Of course, using spamtraps is a known technique. It may work a little, but there is not much you can block as there are so many addresses in use that blocking one is bringing you almost nothing.
You will find that signals at this frequency have surprising difficulty getting through (office-building) windows! The thin metalization used to block infrared is also very effective at blocking radio signals.
I recently built a 400m (a quarter mile) link using 802.11a pointtopoint equipment (1W ERP, max legal power here). It is line-of-sight w.r.t. buildings, but there was a group of trees inbetween. The signal had to pass trough maybe 20 meters of foilage.
The link barely worked. Sometimes 6 Mbps, sometimes 12 Mbps. Relocating one of the endpoints so that those trees were out of the way (actual position lower than it was, now just skimming a building) improved the signal by about 20dB.
Result: 54Mbps link and power output decreased by 5-6dB (by TPC). Could probably gain another 6dB by having more clearance above the building.
I really did not expect this, comparing with results on 2.4 GHz. You are right that allowed ERP on 2.4 is lower, but I think there would have been a big difference in path loss in this case.
Try 802.11g and 802.11a equipment side-by-side. You will find that the 802.11a (5.5 GHz) equipment has considerably more difficulty over non-line-of-sight paths than 802.11g (2.4 GHz) has.
I wonder, if, as you say, it's something like light could it be routed through a "fiber-optic"-like material?
Yes. That is commonly called "waveguide". It operates exacty like a fiber-optic cable, but at the wavelength of these signals. Of course, the wavelength being 3-10cm it needs to be physically larger than the fiber for 800nm wavelength "light".
Waveguide often has an air dielectricum, and the dimensions for this wavelength would be slightly smaller than the wavelength. This makes it a bit less practical. But you could have a waveguide with some other core, and it would be smaller.
Hey, this is an English review of a UK model of a laptop. Of course it has DVB! That is only natural. When it would have ATSC, that would certainly have been specified. (because it would be useless)
In a way this is strange... when visiting forums I notice that on the UK market, TV sets with integrated digital receiver seem to be the norm already. Here in the Netherlands those are (almost) not available. Yet in October 2006 the analog network will be switched OFF!
We have to use set-top-boxes. The most likely reason for this is that direct reception is almost nonexistent here (the government claims the switchoff will affect less than 100,000 viewers). Almost everyone is on either cable, satellite, or digital terrestrial. And because of the "free market", different companies are active on those networks and they all use different encryption standards.
An Integrated-Decoder TV (IDTV) would only be useful when it at least supports DVB-T and DVB-C, and has Irdeto and Conax support. For DVB-S it would need Seca as well. Furthermore, the cable and terrestrial providers offer "free set-top-box with subscription" so it is hard to compete for IDTV vendors. (the only benefit being the use of a single remote, something which customers usually only find out about after they bought the equipment)
the 2012 switch from analog to digital TV broadcasting, when a significant portion of the spectrum will be freed up.
2012 switch? Here that switch is going to be made in october this year.
It is going to free up some spectrum, but I don't know if it will be a lot. We now have 3 national channels broadcast in analog, plus a lot of channels only broadcast on satellite and cable. The frequencies of analog TV will be given to digital TV broadcasting companies, who will most likely put more channels (the existing cable channels) on them, instead of reducing the spectrum requirement.
The channels that become available will most likely be used for digital radio.
You forget that the vast majority of the users does not have enough clue to realize why the client they use sucks, and thus will not switch to an alternative unless a miracle happens. Look at MSIE, Outlook Express. They have the vast majority of the market because people cannot really be explained that switching to another client is better for them. A couple of months a lot of noise was made about Firefox and some people reluctantly tried to install and use it, but when looking at a non-techie website at work the wave is mostly over and nearly everyone is back to MSIE.
Even while you can keep a development team that maintains a better client and gets a couple of thousand users to install it and be very happy, that does not mean you have done something "for email", when 99.99% of the users is mailing using other clients, that suck. Viewed this way, there really is competition. Only clients that have a respectable market share have the possibility of changing anything to "email". When I mail using mutt or pine, I can flame people sending me HTML messages whatever I like, that won't change the fact that the world mails in HTML, even when I would want to see this changed.
Disadvantage: you will not know that you have mail until either you poll all places where mail for you could wait (all people from who you could receive mail), or some mechanism is added that allows a sender to advise a receiver that mail is waiting, and where. That announcement mechanism will probably suffer from the same abuse problems that the push-based mailsystem does now.
Phishing and viruses are a combination of that problem, plus people using poorly-designed client software that tries to render content too richly (e.g. rendering html as web pages, with clickable links and everything).
You cannot control the world by saying things like that. We all know that ActiveX is a stupid idea, but that did not keep Microsoft from creating it and showing the advantages (and not the disadvantages) to their corporate customers. We know that sending an executable via mail and having it run when the user clicks on the attachment icon is dumb, but Microsoft created a mailer that did this, users loved it (because they could send programs that displayed a nice christmas tree to eachother) and other companies copied it because they did not want to release software that could not do things the customer liked and the competitor had. Similarly, people liked the idea of having nice wallpapers and background sounds with their mail, and even accept the fact that they get spyware and spam on their system as a side-effect of installing something like smileycentral or incredimail.
Just restricting the client to do things that are wise will not keep the competition from releasing software that includes options that are dumb.
when I enabled just "HELO domain must match the domain of the hostname found by reverse lookup", spam volume dropped by over half.
Of course. But probably so did the legitimate mail volume! It is easy to cut back spam. Reject one of every two mails, and your spam volume halves.
What is more difficult is to cut back spam while allowing legitimate mail to pass. Especially in a business environment, where you cannot just refuse everything that looks suspicious.
Of course software can be treated as a science, with mathematic roots and stable foundations. Of course people could look upon programmers as they look upon engineers: this is something that you need a good education and training for, and that you should not attempt as a naive bystander.
In reality, this is not happening. There have been times when unemployed people with some not-so-practical education were retrained as programmers in a couple of weeks. And we see development environments that push "trial and error" development. In such an environment it is to be expected that bad quality software is developed.
It is a natural reaction to say "we will go under when we get stricter quality control requirements". Maybe some badly managed companies will go under. Too bad for them. But a company with good quality products will survive, and the customer will profit from that.
Another difference is, that when you build a bridge and it collapses you will be held liable for it. When you build software, you just attach a EULA that says "I shall not be held liable" and that's it.
Once software makers, especially the large commercial companies, find themselves in the same boat as other industries and have to pay compensation when bad stuff is released, they will certainly step up quality control to the next level. Because it saves them money.
This supposed "freedom" of the Internet was self-proclaimed by activists (who usually were not even the ones that built the actual network). Everyone can start a network, a club, or whatever group and claim that there is absolute freedom within it. That will last only as long as the group remains insignificant and there are not too many excesses.
It was clear from the start that any "freedom" of the Internet would last only until it would become so significant that governments would want to regulate it. No government has ever stated that the Internet would be and remain free from regulation. So "the Internet was supposed to be free" is not guarding it from regulation and control in any way, and it never was.
But that (your shipping example) is already happening, isn't it? Express delivery with higher fees only works when standard shipping is slower, which can only be guaranteed by deliberatly delaying standard shipped packages. Also, when customers complain about nondelivery of packages, shipping companies will usually point to extra services they could have offered to reduce the risk. Customers expect their packages to be delivered (not lost) and be delivered in reasonable time, but when standard delivery would do that every time, nobody would pay extra. So errors need to be introduced in the standard path.
Of course it would be best to contact the consumer for payment of extra service on Internet routing, but they probably think it is easier to implement the way they propose...
I can understand this when you are talking about Internet TV stations or subscription usenet servers. But everyone always mentions Google as an example. I fail to see how Google is behind hogging bandwidth and would have to pay for that.
Sure, packet radio learned me a lot about TCP/IP and networking in general, something that became very useful lateron.
SV2AGW wrote something that does what you were interested in. I have not personally looked at it, but I hear it works.
It seems like more of the software-homebrewing amateurs were active in the Linux world, where it is easier to create something like this. Packet radio is a part of the Linux kernel, although it seems to be non-maintained for a long time and could drop out.
When having to choose between "the printf school of debugging" and "single-stepping" for teaching I would prefer the first one. Students have to learn to define pre- and postconditions of their functions and other program blocks, and to do pencil-and-paper "proofing" of their code. This leads to a global view of program code and correctness. Printing some values and then finding out why it is going wrong can be better than stepping to the actual fault. Single-stepping tends to lead to a "aha when this is occurring than that goes wrong so let's insert this if() here and it will be OK" type of fixing program bugs. It is usually better to look at larger parts of code and consider "is this code doing what I want in all possible conditions". A printed listing and a cup of coffee can actually be a better tool than an IDE with symbolic debugger for that.
Also note that testing can only prove that there are bugs. Not that there are none.
But what with notebooks that are odten work/personal system
I think any network administrator that allows notebooks on the LAN that are also used for personal purposes (allowing administrator access) is allowing serious security threats to the network. There have been many recent incidents where worms that normally would be blocked at a firewall spreaded internally in companies (e.g. those that operate over MSSQL or SMB services). We only allow one construct: a dual-boot laptop configuration where one half is fully compliant to network usage (similar to a desktop system) and the other half is the playstuff but cannot access the network (not member of the domain, not receiving IP address from DHCP etc)
But what is the point if the proxy will still relay everything?
Two points:
1. the proxy will not relay everything. It will not pass certain executable files to unprivileged systems.
2. (more important): the proxy is hard to find. Internet browsers find it via "proxy automatic configuration" which defines a URL where the browser retrieves a javascript file. This piece of javascript must be interpreted to tell the location of the proxy (and also ensures that intranet accesses don't go via the proxy). Many naive "call home" applications don't work in this environment. Either they try to do a direct TCP connect (which does not work because there is no routing to Internet) or they read the values for a fixed proxy server (which is not set). It is a "security by obscurity" setup which may fall down in the future, but it is just an extra layer. Up to now it has worked quite well. (shown by the router access list logs which log attempts from clients to connect to outside addresses)
We are reluctant to allow consultant's laptops on the network. Especially from those consultants that believe that everyday work under Windows has to be done as an administrator or else it would be too difficult to be productive. (in fact I would be reluctant to even let those into the building)
As others have confirmed, it is not difficult to set up a more secure environment under Windows and still have it usable. Those that think it can't be done and a Mac should be used instead usually have not studied the matter.
When you don't like your computer to be f*cked up by demos or other special software, have a look at VMware. Or even a simple bootselector can help.
I don't think so. The system at work has been running like described above for 5 years and there are no real problems. And we are not sitting shaking in our chairs waiting for the next trojan or virus.
many applications still rely on being able to write to their %ProgramFiles% folder
Mostly just hobbyist-in-a-garage stuff and telebanking applications. More serious developers have read Microsoft guidelines over the past years, especially when XP SP2 came out. The very few exceptions can be managed using a global group and an ACL entry.
Oh, but your only going to let them run the apps that *you* say they can.
This is the basis for any managed IT environment.
Got any remote workers?
Remote workers can only work via the VPN. Because a group policy applied firewall prevents them from connecting directly to the Internet. Via the Internet they can connect home over VPN and then back out for websurfing via the proxy. This works well.
they have to close the viewer, save the file, open in word, edit, save, email.
Maybe you need to install the viewers and have a look. They actually have a menu entry to "open this document for editing" which automatically transfers control to Office. I actually dislike the idea of opening an attachment from a basically read-only entity like an incoming mail into a read/write application by default. Users will start editing the document and forget that it cannot be saved back to the original location. Opening in a viewers shows the user that it is read-only document that they need to save elsewhere to edit it.
Slashdot Mirror
Although there are some dictionary-like attacks, for example appending some characters to an existing address or subsitituting one or more characters by others, I think the vast majority of spammers just use existing addresses they get from spidering the web.
When an address appears somewhere on the web, especially in discussion forums, guestbooks, and foremost: IANA listings, it is guaranteed to receive spam.
I think the "dictionary attack" story is mostly folklore. When someone receives spam on a never-used never-published address they often cry "dictionary attack" without further research.
Of course, using spamtraps is a known technique. It may work a little, but there is not much you can block as there are so many addresses in use that blocking one is bringing you almost nothing.
You will find that signals at this frequency have surprising difficulty getting through (office-building) windows!
The thin metalization used to block infrared is also very effective at blocking radio signals.
I recently built a 400m (a quarter mile) link using 802.11a pointtopoint equipment (1W ERP, max legal power here).
It is line-of-sight w.r.t. buildings, but there was a group of trees inbetween. The signal had to pass trough maybe 20 meters of foilage.
The link barely worked. Sometimes 6 Mbps, sometimes 12 Mbps.
Relocating one of the endpoints so that those trees were out of the way (actual position lower than it was, now just skimming a building) improved the signal by about 20dB.
Result: 54Mbps link and power output decreased by 5-6dB (by TPC). Could probably gain another 6dB by having more clearance above the building.
I really did not expect this, comparing with results on 2.4 GHz.
You are right that allowed ERP on 2.4 is lower, but I think there would have been a big difference in path loss in this case.
By clicking on the link in the summary and seeing the "UK", "Ltd." and UK Pound signs all over the place.
Try 802.11g and 802.11a equipment side-by-side. You will find that the 802.11a (5.5 GHz) equipment has considerably more difficulty over non-line-of-sight paths than 802.11g (2.4 GHz) has.
Well, it looks like in the more developed areas of the world it has largely been abandoned by now.
I wonder, if, as you say, it's something like light could it be routed through a "fiber-optic"-like material?
Yes. That is commonly called "waveguide". It operates exacty like a fiber-optic cable, but at the wavelength of these signals.
Of course, the wavelength being 3-10cm it needs to be physically larger than the fiber for 800nm wavelength "light".
Waveguide often has an air dielectricum, and the dimensions for this wavelength would be slightly smaller than the wavelength. This makes it a bit less practical.
But you could have a waveguide with some other core, and it would be smaller.
Until he bumps it a bit hard, and one of the drives dies.
Hey, this is an English review of a UK model of a laptop.
Of course it has DVB! That is only natural. When it would have ATSC, that would certainly have been specified.
(because it would be useless)
In a way this is strange... when visiting forums I notice that on the UK market, TV sets with integrated digital receiver seem to be the norm already.
Here in the Netherlands those are (almost) not available. Yet in October 2006 the analog network will be switched OFF!
We have to use set-top-boxes.
The most likely reason for this is that direct reception is almost nonexistent here (the government claims the switchoff will affect less than 100,000 viewers).
Almost everyone is on either cable, satellite, or digital terrestrial. And because of the "free market", different companies are active on those networks and they all use different encryption standards.
An Integrated-Decoder TV (IDTV) would only be useful when it at least supports DVB-T and DVB-C, and has Irdeto and Conax support. For DVB-S it would need Seca as well.
Furthermore, the cable and terrestrial providers offer "free set-top-box with subscription" so it is hard to compete for IDTV vendors.
(the only benefit being the use of a single remote, something which customers usually only find out about after they bought the equipment)
the 2012 switch from analog to digital TV broadcasting, when a significant portion of the spectrum will be freed up.
2012 switch?
Here that switch is going to be made in october this year.
It is going to free up some spectrum, but I don't know if it will be a lot. We now have 3 national channels broadcast in analog, plus a lot of channels only broadcast on satellite and cable.
The frequencies of analog TV will be given to digital TV broadcasting companies, who will most likely put more channels (the existing cable channels) on them, instead of reducing the spectrum requirement.
The channels that become available will most likely be used for digital radio.
You forget that the vast majority of the users does not have enough clue to realize why the client they use sucks, and thus will not switch to an alternative unless a miracle happens. Look at MSIE, Outlook Express. They have the vast majority of the market because people cannot really be explained that switching to another client is better for them. A couple of months a lot of noise was made about Firefox and some people reluctantly tried to install and use it, but when looking at a non-techie website at work the wave is mostly over and nearly everyone is back to MSIE.
Even while you can keep a development team that maintains a better client and gets a couple of thousand users to install it and be very happy, that does not mean you have done something "for email", when 99.99% of the users is mailing using other clients, that suck.
Viewed this way, there really is competition. Only clients that have a respectable market share have the possibility of changing anything to "email". When I mail using mutt or pine, I can flame people sending me HTML messages whatever I like, that won't change the fact that the world mails in HTML, even when I would want to see this changed.
Disadvantage: you will not know that you have mail until either you poll all places where mail for you could wait (all people from who you could receive mail), or some mechanism is added that allows a sender to advise a receiver that mail is waiting, and where. That announcement mechanism will probably suffer from the same abuse problems that the push-based mailsystem does now.
Phishing and viruses are a combination of that problem, plus people using poorly-designed client software that tries to render content too richly (e.g. rendering html as web pages, with clickable links and everything).
You cannot control the world by saying things like that. We all know that ActiveX is a stupid idea, but that did not keep Microsoft from creating it and showing the advantages (and not the disadvantages) to their corporate customers.
We know that sending an executable via mail and having it run when the user clicks on the attachment icon is dumb, but Microsoft created a mailer that did this, users loved it (because they could send programs that displayed a nice christmas tree to eachother) and other companies copied it because they did not want to release software that could not do things the customer liked and the competitor had.
Similarly, people liked the idea of having nice wallpapers and background sounds with their mail, and even accept the fact that they get spyware and spam on their system as a side-effect of installing something like smileycentral or incredimail.
Just restricting the client to do things that are wise will not keep the competition from releasing software that includes options that are dumb.
when I enabled just "HELO domain must match the domain of the hostname found by reverse lookup", spam volume dropped by over half.
Of course. But probably so did the legitimate mail volume!
It is easy to cut back spam. Reject one of every two mails, and your spam volume halves.
What is more difficult is to cut back spam while allowing legitimate mail to pass. Especially in a business environment, where you cannot just refuse everything that looks suspicious.
Of course software can be treated as a science, with mathematic roots and stable foundations.
Of course people could look upon programmers as they look upon engineers: this is something that you need a good education and training for, and that you should not attempt as a naive bystander.
In reality, this is not happening. There have been times when unemployed people with some not-so-practical education were retrained as programmers in a couple of weeks. And we see development environments that push "trial and error" development.
In such an environment it is to be expected that bad quality software is developed.
It is a natural reaction to say "we will go under when we get stricter quality control requirements". Maybe some badly managed companies will go under. Too bad for them. But a company with good quality products will survive, and the customer will profit from that.
Another difference is, that when you build a bridge and it collapses you will be held liable for it.
When you build software, you just attach a EULA that says "I shall not be held liable" and that's it.
Once software makers, especially the large commercial companies, find themselves in the same boat as other industries and have to pay compensation when bad stuff is released, they will certainly step up quality control to the next level. Because it saves them money.
This supposed "freedom" of the Internet was self-proclaimed by activists (who usually were not even the ones that built the actual network).
Everyone can start a network, a club, or whatever group and claim that there is absolute freedom within it. That will last only as long as the group remains insignificant and there are not too many excesses.
It was clear from the start that any "freedom" of the Internet would last only until it would become so significant that governments would want to regulate it. No government has ever stated that the Internet would be and remain free from regulation. So "the Internet was supposed to be free" is not guarding it from regulation and control in any way, and it never was.
But that (your shipping example) is already happening, isn't it?
Express delivery with higher fees only works when standard shipping is slower, which can only be guaranteed by deliberatly delaying standard shipped packages.
Also, when customers complain about nondelivery of packages, shipping companies will usually point to extra services they could have offered to reduce the risk.
Customers expect their packages to be delivered (not lost) and be delivered in reasonable time, but when standard delivery would do that every time, nobody would pay extra. So errors need to be introduced in the standard path.
Of course it would be best to contact the consumer for payment of extra service on Internet routing, but they probably think it is easier to implement the way they propose...
I can understand this when you are talking about Internet TV stations or subscription usenet servers.
But everyone always mentions Google as an example. I fail to see how Google is behind hogging bandwidth and would have to pay for that.
Sure, packet radio learned me a lot about TCP/IP and networking in general, something that became very useful lateron.
SV2AGW wrote something that does what you were interested in. I have not personally looked at it, but I hear it works.
It seems like more of the software-homebrewing amateurs were active in the Linux world, where it is easier to create something like this. Packet radio is a part of the Linux kernel, although it seems to be non-maintained for a long time and could drop out.
When having to choose between "the printf school of debugging" and "single-stepping" for teaching I would prefer the first one.
Students have to learn to define pre- and postconditions of their functions and other program blocks, and to do pencil-and-paper "proofing" of their code. This leads to a global view of program code and correctness. Printing some values and then finding out why it is going wrong can be better than stepping to the actual fault.
Single-stepping tends to lead to a "aha when this is occurring than that goes wrong so let's insert this if() here and it will be OK" type of fixing program bugs.
It is usually better to look at larger parts of code and consider "is this code doing what I want in all possible conditions". A printed listing and a cup of coffee can actually be a better tool than an IDE with symbolic debugger for that.
Also note that testing can only prove that there are bugs. Not that there are none.
But what with notebooks that are odten work/personal system
I think any network administrator that allows notebooks on the LAN that are also used for personal purposes (allowing administrator access) is allowing serious security threats to the network.
There have been many recent incidents where worms that normally would be blocked at a firewall spreaded internally in companies (e.g. those that operate over MSSQL or SMB services).
We only allow one construct: a dual-boot laptop configuration where one half is fully compliant to network usage (similar to a desktop system) and the other half is the playstuff but cannot access the network (not member of the domain, not receiving IP address from DHCP etc)
But what is the point if the proxy will still relay everything?
Two points:
1. the proxy will not relay everything. It will not pass certain executable files to unprivileged systems.
2. (more important): the proxy is hard to find. Internet browsers find it via "proxy automatic configuration" which defines a URL where the browser retrieves a javascript file. This piece of javascript must be interpreted to tell the location of the proxy (and also ensures that intranet accesses don't go via the proxy).
Many naive "call home" applications don't work in this environment. Either they try to do a direct TCP connect (which does not work because there is no routing to Internet) or they read the values for a fixed proxy server (which is not set).
It is a "security by obscurity" setup which may fall down in the future, but it is just an extra layer. Up to now it has worked quite well.
(shown by the router access list logs which log attempts from clients to connect to outside addresses)
We are reluctant to allow consultant's laptops on the network. Especially from those consultants that believe that everyday work under Windows has to be done as an administrator or else it would be too difficult to be productive.
(in fact I would be reluctant to even let those into the building)
As others have confirmed, it is not difficult to set up a more secure environment under Windows and still have it usable.
Those that think it can't be done and a Mac should be used instead usually have not studied the matter.
When you don't like your computer to be f*cked up by demos or other special software, have a look at VMware. Or even a simple bootselector can help.
I do understand your frustration. I really do.
I don't think so. The system at work has been running like described above for 5 years and there are no real problems. And we are not sitting shaking in our chairs waiting for the next trojan or virus.
many applications still rely on being able to write to their %ProgramFiles% folder
Mostly just hobbyist-in-a-garage stuff and telebanking applications. More serious developers have read Microsoft guidelines over the past years, especially when XP SP2 came out.
The very few exceptions can be managed using a global group and an ACL entry.
Oh, but your only going to let them run the apps that *you* say they can.
This is the basis for any managed IT environment.
Got any remote workers?
Remote workers can only work via the VPN. Because a group policy applied firewall prevents them from connecting directly to the Internet.
Via the Internet they can connect home over VPN and then back out for websurfing via the proxy. This works well.
they have to close the viewer, save the file, open in word, edit, save, email.
Maybe you need to install the viewers and have a look. They actually have a menu entry to "open this document for editing" which automatically transfers control to Office.
I actually dislike the idea of opening an attachment from a basically read-only entity like an incoming mail into a read/write application by default. Users will start editing the document and forget that it cannot be saved back to the original location.
Opening in a viewers shows the user that it is read-only document that they need to save elsewhere to edit it.