Slashdot Mirror


User: pe1chl

pe1chl's activity in the archive.

Stories
0
Comments
1,875

Comments · 1,875

  1. Re:Easy way to shut down value of botnets on Meet the Botnet Hunters · · Score: 1

    Because most domains still don't have an SPF record, and worse: many domain registration & DNS services do not offer the creation of TXT records. So even when the owner of the domain knows about SPF, they cannot install it.

  2. Re:Easy way to shut down value of botnets on Meet the Botnet Hunters · · Score: 1

    Unfortunately some broadband ISPs here in the Netherlands have completely misunderstood the problem, and when blocking port 25 they blocked it on traffic from the Internet to the customer, instead of the other way around...
    Maybe this was done after they read about the "open relay used for spamming" problem, mostly something of the past.
    Anyway, blocking port 25 on outgoing connects would have solved that just as well.

    So when you ask them to filter port 25, make sure they understand which direction you mean!

  3. Re:About the tax software on Ubuntu, Macintosh and Windows XP · · Score: 1

    Some time ago there was a betatest program for the Linux version, with a forum.
    This is the first question I asked them. Why not a web application.

    While I did not get a clear answer, there are some things that you should realize:

    1. in the last weekend before the deadline, there will be a very high usage. most people wait until the last practical moment.
          what will happen when 2 million people start to fill in their tax form on the last sunday before the deadline?

    2. there seems to be some legal requirement where at some point a finalized and signed form is sent from the submitter, and a confirmation of receipt is sent back.
          this may of course be different in every country, but they seemed to be more comfortable with an offline program that sends one single batch of data and gets an OK, than with an online app that processes the pages one by one.
          the same may be true for some users. maybe you don't want the tax department to be able to see all your attempts, but only your final form.

    3. not everyone has a flatrate connection, so people may not be comfortable with a solution where they have to be online for an hour or so.

  4. Re:About the tax software on Ubuntu, Macintosh and Windows XP · · Score: 1

    Here in the Netherlands the tax department now also offers a Linux version of the income tax software.
    It even is a native implementation, not Java.

    This happened after a lot of lobbying. I hope it is well used, as I fear that next year it would be dropped again "due to lack of interest".
    They publish a Windows, Mac, and now Linux version but even the number of Mac users was tiny compared to Windows in the past years.

    It would be better when a form description language powerful enough to describe this program would be available cross-platform.
    Then only a single implementation of that language would have to be written for each platform, and a single form for each country.
    A while ago I looked at the state of things (XML forms etc) but it seemed that it still was a "promising technology" that you could not put into use right away, certainly not in a mixed closed/opensource environment.
    But hopefully that will change.

  5. Re:Don't Install 7 If You're a Web Developer on Internet Explorer Not Dead Yet · · Score: 1

    You can't have both installed at the same time.

    That is a big problem with every MSIE release, but even bigger because it is a beta...
    Who wants to install a beta version that overrides the stable version? Did Microsoft never hear of separate test and production environments?

    The browser should be installable as a separate application, with as many different versions installable as you like, and at worst selectable via some version number menu. Better would be to be able to run different versions in parallel.

  6. Re:slightly offtopic -- that whole Ambilight conce on Philips Recalls Almost 12,000 Flat Panel TVs · · Score: 1

    I have another type of Philips TV with ambilight, which I bought not because of ambilight but because of the very good picture quality on an LCD screen, but I should say the ambilight is a really nice feature indeed.
    Even though my set is not flat against a wall, but angled in a corner where it lights a wall and a curtain, it really gives a good effect, which astonishes especially when you turn it off and you notice what is missing.

    It also occurred to me that this must be easy to fabricate as an add-on to existing sets. However, I would not use a camera or other light sensor, but use the video-out from the TV to watch the average video brightness electronically. This should not be that difficult to do.

    (European TVs have SCART connectors which nearly always provide video-out. on a US TV with all those separate cinch connectors, it may be that video out is not so easily available)

  7. Re:Why IDE? on Via Launches New Line of Mini-ITX Boards · · Score: 1

    And don't forget IDE Flash drives!

  8. Re:Supermarkets Defeating Chip & Pin on PIN Scandal 'Worst Hack Ever' · · Score: 1

    The usual scenario is:
    You hand the card to the cashier who swipes it and asks you to enter your pin.
    The next person in line watches you enter the pin. After you entered it (and he saw it) he taps you on the shoulder and asks you a question.
    You look back and the cashier swipes the card through his personal reader.

    Of course the person behind you and the cashiers are cooperating in the same crime. After you leave, the cashier makes a copy on a fresh card and gives it to him. He leaves for an ATM and plunders your card. You only notice when your account is empty and you still have your card and PIN.

  9. Re:Supermarkets Defeating Chip & Pin on PIN Scandal 'Worst Hack Ever' · · Score: 2, Interesting

    as a customer, how can you tell if the device itself is genuine?

    By entering an incorrect pincode. When it is accepted, the device apparently is not validating the pincode.
    Of course this does not work when the fraudulent device is in fact a real one with addition of a tap of client information, but the real devices are supposed to be designed in such a way that this is not easily possible.

    The banks could be adding an extra confidence message to online devices, like displaying your date of birth after you have swiped the card and before entering the PIN. This makes it easier to confirm that the device is actually communicating with the bank and is not a standalone device (which you should avoid).

  10. Re:Supermarkets Defeating Chip & Pin on PIN Scandal 'Worst Hack Ever' · · Score: 1

    This whole design where there is a cardreader in the terminal and a separate pinpad is severely flawed.
    You have to hand your card to the cashier, who may swipe it through another reader while you are busy entering your pin and shielding the pad.

    The keypad and reader should be integrated into one, customer-accessed device, and this unit should only send a "valid" signal to the terminal, not a pincode in whatever form.

  11. Re:trillion? on Orbiter Successfully Enters Orbit · · Score: 1

    Maybe they wanted to avoid confusion about units this time?
    When it says gigabyte, who knows if it is 10^9 or 2^30 ???

  12. Re:Debit cards are the STUPIDEST idea... on PIN Scandal 'Worst Hack Ever' · · Score: 1

    The problem with the Dutch system is that in any case where money is taken from your card and a PIN code was entered on the device, the bank assumes the customer guilty of giving away his PIN, and this customer has to prove that he/she didn't.
    Of course it is IMPOSSIBLE TO PROVE that you did NOT give your PIN to someone else!

    It happens many times that cards are stolen, and money is taken a few minutes afterwards and with a correct PIN on first attempt.
    Very often the customer claims that he did not give away his PIN, but I am not aware of any case where the customer has been able to PROVE this.
    It may be that criminal groups already have the pin validation keys, and can check (and thus easily recover) a PIN for a card they have stolen. But there is nothing a customer can do about this, because banks can simply claim that it is not true without having to prove it (which they, similarly, would not be able to do).

    So, it is a very biased scheme, where all the risk is at the customers and banks can quietly lay back keeping an ancient and insecure system with a magnetic stripe and 4-digit code in place.
    Which system administrator would allow his users to use a 4-digit password??? Or would use a magnetic card that anyone can copy as an identity device?

  13. Re:So where is the hardware? on Open-Source Router to Take on Cisco? · · Score: 1

    This sounds like a soekris box, an iBase network appliance, or a mini-ITX PC board.

  14. Re:As an SW engineer at a big networking company.. on Open-Source Router to Take on Cisco? · · Score: 1

    A router is not comparable to only a kernel. It is like a kernel plus networking applications.
    I wonder how people would feel if their Linux or Windows system was delivered like this. A 500MB "system image" that includes the kernel, the system startup services, networking utilities, the shell, many commandline utilities, etc. And when a flaw is found somewhere, you need to get a new image and test and evaluate everything from scratch.
    Even Microsoft does not work that way.

    In the early days, Linux kernels were compiled with drivers, but today drivers are loadable modules that you activate only when you have the corresponding piece of hardware. Even parts of the protocol stack are handled this way. Services like routing protocols are external to the kernel and also selectable and replaceable.

    What we have now is a jungle of different IOS versions and feature sets, many of which are clearly made to fix one minor problem, add one minor feature that an important customer requested, etc. We as an unimportant customer have to wait for important bugs to be fixed, and when they are fixed we can only upgrade the entire image, risking (and having) new issues in other areas that worked well before. And when the process takes long enough, the new versions overfill the flash and/or ram, and the hardware needs to be upgraded. Just to fix a bug.

    How much better could this be when things were not as intertwined as they are now...

  15. Re:As an SW engineer at a big networking company.. on Open-Source Router to Take on Cisco? · · Score: 1

    Interesting that you mention "modules".
    I find one of the major disadvantages of Cisco routers (the range that I have experience with, running 12.3 or 12.4 IOS) is the complete lack of modularization.
    You get an "IOS image" which is built according to one of a few "feature sets", and that gets you a monolithic configuration without any flexibility.
    A system where you could pick a couple of modules out of a 250-module collection would be very nice indeed. I hear that it is being offered on the high-end systems, but the usual 1700 and 3700 routers we use do not have that.
    XORP is positioned in that range, not in the high end.

  16. Re:take on Cisco? on Open-Source Router to Take on Cisco? · · Score: 1

    What do you think Cisco sells more, small routers with a couple of interfaces or big iron with hundreds of gigabit interfaces?
    Maybe they make more money on the latter, but they surely would not like to be cut out of the entire low to midrange market.

  17. Re:We can't have "solutions" like this. on Building Online Stores with osCommerce · · Score: 1

    But look at the flaw in awstats, which is written in Perl.
    Perl has this powerful open() function that not only opens files, but can start whole process pipelines.
    Any cgi-bin written in Perl has to be very careful not to allow user-passed data to be used to construct pathnames for file opens without very stringent checking of bad characters in names, and this checking can be difficult in environments that support Unicode. Ask Microsoft.
    Sure it may be that more Perl developers are aware of this than PHP developers are, but that does not make the problem less tricky.

  18. Re:Doubtfully illegal.. on AMD Subpoenas Skype · · Score: 1

    With that reasoning you could subpoena all companies that release software or drivers for Windows and not for Linux, or release drivers for Linux that do not offer the same functionality as the Windows drivers have.

  19. Re:manual DNS on China Prepares to Launch Alternate Internet · · Score: 2, Insightful

    Maybe you should ask yourself how many American people have set a different DNS server, or have installed an alternative application for a common task (say, a webbrowser, a wordprocessor) against "the mainstream".

    Sure, some geeks may do this. But (certainly after some time) the vast majority of users just has the system configured "as it is supposed to be" (or as it comes by default).

  20. Re:Reminds me of "uucp@aol.com" on College Student Receives Email of the Lost · · Score: 1

    Some time before the big internet bubble, the Dutch telecom company KPN created an AOL-like provider named HetNet. ("TheNet" in English)
    Users could select their own username, as long as it was not taken.

    There was a root@hetnet.nl and an info@hetnet.nl that were quite active in newsgroups. Especially the second one was confusing, as he was frequently pretending to be speaking as some authority at this provider.

    But after some time, the fun was over and HetNet withdrew these accounts, suddenly claiming that it had been an error that they were allowed to be taken by customers and that HetNet wanted to respect Internet standards for mail addresses. This left root@ confused, as there does not seem to be any standard that reserves this address for some purpose. The thread is still available in Google Groups.

  21. Re:Ah, that takes me back. on College Student Receives Email of the Lost · · Score: 1

    In those days I had an account at the Dutch provider Knoware, which used the domain knoware.nl
    It only had my first name as a username.

    Sometime I started to receive lots of junk. It was addressed at my name @nowhere.nl, which turned out to be registered by the same company.
    I asked for an explanation, and the helpdesk told me that so many users complained that when telling their e-mail address to friends they misunderstood the "knoware" for "nowhere" that they decided to register that domain and alias all mail to knoware.nl

    Needless to say, I was not amused. Apparently lots of people having the same name had entered this @nowhere.nl address as their fake mail address and I got lots of spam, subscription confirmation messages, etc.

    After some time, they turned it off. And I see they later (in or before 1999) released the domain and it is now registered by someone else.

  22. Re:Things that make you go hmm.. on Danish, Western Websites Under Attack · · Score: 1

    The cartoons were published last September, and nothing happened.
    A local imam tried everything he could, but nobody reacted.
    So, he moved the case to Egypt and showed the published cartoons, and some extra ones he found that did not appear in the papers at all, to extremists there.
    It was only then that an uproar resulted.

    This explains the delay. It is all the fault of this imam, who now washes his hands in innocence.

  23. malware on UNIX Security: Don't Believe the Truth? · · Score: 1

    The article fails to discuss malware that causes the user to lose real money.
    For example a rogue dialler program that gets installed on a Windows system and starts calling expensive international or 900 numbers at night.
    This costs typical Windows victims hundreds of euros/dollars before it gets noticed and hopefully removed. Only to re-appear the next time the user makes an unfortunate decision when clicking on a dialog box.

    This does not happen so easily in a well-secured system. That could be Windows as well, but by default a Unix system usually is more secure (today).

  24. Re:Google's Flash Factor on Google Delists BMW-Germany · · Score: 2, Informative

    A key problem with a flash site is that it is not a html hyperlinked site.
    You have found one of the problems. There are others, like accessibility.

    Now restyle your site so that it is not a flash-only site.
    For example, you can add 'link' elements to the head section with rel=contents
    or rel=chapter and others. This will give the search engine something to
    follow, and the better browsers also use those links to build a site navigation
    bar.

  25. Re:Hotmail doing the same? on AOL to Charge Senders for Incoming Email · · Score: 1

    It will not be long before incoming mail from hotmail and msn will be auto-junked here unless they pay for filtering all the 419.

    Are those Microsoft guys clueless.... they allow new scammers on their network every day and allow them to start spamming at full rate, with an outsourced abuse desk closing the accounts 2 weeks later. It should be possible to do better than that, but they are not interested.