Seems like Cowon (aka iAudio) has figured these problems out. Many of their players support Ogg and FLAC. I nag them from time to time to add Matroska to the list of formats their video players support.
There are already portable video players (or "video ipods") that can record television programs. My Cowon A2 even has timer recording so it can work like a DVR. If you have something that produces composite video (the familiar yellow RCA plug with its red and white audio counterparts), you can push the signal into the Cowon. I'm pretty sure Archos makes similar products, and maybe Creative does as well.
These devices all come with 16:9 screens these days as well. My Cowon plays Divx/Xvid at resolutions up to 720x576. I watched some episodes of the "Bartender" anime that I rescaled from 1280x720 to 704x396 while flying, and they look great. Now if the A2 would only support the Matroska and MP4 containers as well as the Windows ones (AVI, WMA), it would be ideal. At least it supports Ogg audio.
Don't blame Zonk; I asked that question when I submitted the story.
I asked the question because I suspect that the version of Ubuntu that they'll be shipping may not be identical to the version available for free. People buying a pre-installed version of Ubuntu on a Dell are going to expect support, so it's natural to suspect that its package manager may not have the full range of software that's in the current repositories. It's not hard to imagine that the Dells might point to a custom repository of software that Dell and Canonical have chosen to support. Then there are the non-free items, about which I've heard mostly silence from Austin and South Africa.
I think the persistent, "why is this hard, just use apt-get, or synaptic, or add a repository," type of comments neglect the fact that some of the people buying these systems may well never have used a Linux distribution in their lives. For them, such suggestions are essentially meaningless and would prompt a number of questions like "Apt to what?" "What's a repository?" "What's a command prompt?"
"Open source lacks compliance with many standards when compared with proprietary solutions"
I admit I didn't read the report all that carefully, but this particular observation made my jaw drop. How can anyone argue that open-sourced programs lack compliance with standards when many of the most significant programs were written precisely to conform to well-established standards. Doesn't sendmail comply with RFC2822? Doesn't ISC bind comply with the various DNS standards? Don't MySQL and PostgreSQL comply with SQL standards? Some of these programs (e.g, the DBMSs) might have additional non-compliant extensions, but really how can anyone say that a program like Firefox is less compliant with what passes for the standards on the web than Internet Explorer?
Or are we talking here about "standards" like NTFS or, perhaps worse, "standards" like.doc or.xls?
My prediction is that in twenty years these types of arguments will have faded away as an entire new generation of IT people brought up on open source will be filling these suits rather than the guys around this table. Oh, and I'm at least as old as most of them if not older, but I haven't been put through the corporate mill like these folks, thank the gods, or I'd be writing stupid things like this myself.
On a somewhat-related note, did any of you see the list of the supposedly "most important open-source products of all time" at eWeek? How this list could have excluded X, sendmail, bind, or kerberos is beyond me. Firefox is nice and all, but how much of an Internet would we have had without name services or mail exchange? Heck, even Microsoft decided to adapt Kerberos when it created Active Directory.
Mine switches to "Tape 2" when I put the device in the slot, but then it stays there. I'm using a device from Monster Cable in my '99 VW Passat. Reading reviews for this device on Amazon suggests that a lot of people have problems with all these devices including the competing items from Sony and Belkin. Some of the reviewers describe problems similar to yours. Some of these devices don't seem to work with certain brands of car stereos; some display weird behavior and mechanical noise; some work just fine. Maybe I'm just lucky, or maybe I haven't used it enough to start creating the problems others have encountered.
We use the type of device that fits into the tape player. I searched around on the net before buying this, and most reviewers said these devices had better performance than the FM transmitters. The tape device seems to work well, but I have no FM transmitter for comparison. Ogg audio (from our Cowon A2) sounds especially nice over the car speakers.
Why do I get the feeling that this guy just bought stock in a training company?
I think he'd like you to buy his book. The blurb at the bottom of the article reads:
"Ben Rothke, CISSP, is a senior security consultant at International Network Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill, 2006)."
Actually the judge decided that there was not a sufficient basis to issue a preliminary injunction against enforcement of the registry. The case itself is headed to trial on the merits.
I heard a former executive at Nickelodeon speak at Anime Boston recently about ratings for kids programming. Whereas before advertisers wanted to know how shows were doing in the 6-11 year-old demographic, some advertisers are now asking about how popular shows are with two-year-olds!
I guess this just means that the editors have come to realize that, since no one actually reads the stories posted here before bloviating, it's just more efficient to omit the story entirely.
Maybe I missed something, but where in the Business Week story does it say Microsoft is "getting something for every PC sold with Linux?" The Microsoft/Novell deal was a mutual agreement not to sue each others customers for potential patent infringements. I don't recall anything in that agreement about Microsoft getting paid for each copy of SuSE Linux that gets sold either.
I'm not denying what you said is true, but I just haven't seen any evidence for this statement in the public media.
I heard an interesting comment on NPR the other day by a criminal defense attorney. He argued that victims right laws add a second "thumb" to the scales of justice, one obviously not on the defendant's side of the scale. The state already represents society's interest in criminal matters. Why do crime victims need additional representation?
Only because it is a natural extension of the time shifting right. What makes broadcast (or cable, including premium cable) so different that the rights deemed fair with them are not deemed fair with anything else?
You might want to read John Paul Stevens decision in Sony v. Universal, specifically footnote 2 which reads, "This case involves only the home recording for home use of television programs broadcast free over the airwaves. No issue is raised concerning cable or pay television, or the sharing or trading of tapes."
The Court ruled that time-shifted viewing of programs on advertiser-supported broadcasting imposes no harm to the rights holders of those programs. Because time shifting enables advertisers to reach additional viewers, broadcasters are thus able to charge more for these larger audiences. Copyright holders should thus be able to capture some of this additional revenue by charging a higher rights fee to the broadcaster. So, in theory, the rights holders benefit financially from time-shifting. Without financial harm to the rights holders, it's tough to argue against a "fair-use" right for the time-shifting viewer.
Pay television was still in its childhood in 1984 when Sony v. Universal was handed down. Stevens excluded pay television because it wasn't so obvious whether the rights holders were harmed by your taping a movie off HBO. Time-shifted viewing of a movie doesn't increase either HBO's revenues or the revenues of the movie's copyright owner, but it does offer a potential for harm if you share that movie cassette with someone else. In practice, of course, the studios never asked that the pay-TV part of the decision be reconsidered. Once the Court ruled that video recorders could be sold legally in the US, the case was lost.
Like all fair-use cases, there is no guaranteed "time-shifting right." Fair-use is a right that must be balanced against the rights of the copyright owner. In this case Stevens decided that the studios failed to show sufficient harm to restrict the public's right to time-shift advertiser-supported broadcast programming.
As an aside, this case also raised what Stevens then called a "novel" legal argument, namely that Sony's decision to market VCRs as devices designed to record televised copyrighted works itself constituted an act of "contributory infringement" which required the devices to be banned. While the Court ruled against the studios in 1984, they took the opposite view in the Grokster case a few years back. There the Court ruled that Grokster had engaged in contributory infringement by providing and encouraging the use of its software to exchange copyrighted works, and that the use of this sofware directly benefitted Grokster since it drove people to visit Grokster's advertiser-supported website.
In the concluding paragraph, the author at Ars states:
"Despite the lack of specificity, Glickman's speech marks a step forward for the MPAA, which says it is now committed to allowing content to play on any device, from any manufacturer."
The operative phrase here seems to be "on any device, from any manufacturer." I think the real meaning emerges if we remove the comma. The MPAA represents businesses who want to sell content playable on devices built by manufacturers that have licensed this hypothetical DRM system. What the Ars article didn't cover was how this could apply to "devices" built with open and free tools. I can see how these systems could be implemented on Vista using the existing Intel/Microsoft DRM system. I can also imagine implementations for portable media players like the iPod or Cowon through some combination of firmware and software. What I can't imagine is an open implementation for Linux or BSD that would not run afoul of the DMCA's "no-circumvention" clause just like DeCSS. It would still be illegal to distribute such implementations into or within the United States.
Now if someone could build a commercial product that plugged into a USB port and gave you the same freedoms as the other platforms offer, that might have a market. In fact, it might even help level the playing field against the proprietary platforms since you'd have less incentive to buy into the Intel+Microsoft or Intel+Apple solutions. Of course, there'd be a substantial segment of the Linux market that would refuse to purchase such a device on political grounds. However, if desktop Linux ever takes off, those people will represent a smaller and smaller share of Linux users. I could imagine many Linux users who wouldn't mind paying $29.95 for a device that would let them do the same things with DVDs as their friends running Windows and OS X can do. In fact, if I were the MPAA, it might better business sense to license the technology only to dongle makers and avoid having to deal with Intel/Microsoft/Apple. Just sell the dongles and a driver disk that supports Windows/Mac/Linux.
You realize, of course, that this has nothing to do with supporting multiple browsers and everything to do with the movie studios' regionalized distribution systems. A theater owner in a foreign country where movies are rolled out behind the US would be quite annoyed to discover it was possible to download a movie from a website before it was available for theatrical distribution in his or her country.
I'm not justifying the regional distribution model, nor do I expect it will survive the expansion of the Internet over the next few decades. At the moment, however, distribution is carefully staged around the world, and no studio is going to change that behavior just to satisfy a few people outside the US who want to download the latest release over the Internet.
no blacklist is idiotic enough to still believe the "from:" is reliable
That might be true of RBL maintainers, but it's hardly true of mail admins in general. Unfortunately there are still providers who believe their users' reports of spam. My SMTP server is blacklisted on some server in Canada, though we have SPF records and are not on any public RBL. A visit to their website shows that they employ users' reports, among other things, to determine what to block. I've even had a problem with Verizon blacklisting my server. After searching their website for hours, I finally found the form required to report an incorrect blacklisting. I'll add that I needed to do this three times because they'd correct the problem, then reinstitute the blocking six months later.
If companies the size of Verizon can't tell the difference between spammers and legitimate servers, you can bet there are a lot of other people managing e-mail systems with little knowledge in these areas. Smaller ISPs and overworked admins in businesses who know little about email other than how to set up an Exchange server are common examples. As for users, they are always amazed to hear that nearly every single feature of an email message can be forged. If it says it's "From: joe@example.com" then it must really be from Joe.
Most of the domains I manage have been "Joe-Jobbed" at some point or another.
While it's interesting that he has an Ubuntu laptop, I'm more surprised that none of the four other machines are running Vista. They're all still using various flavors of XP.
I do use those as well. I'd just prefer not to have to process mail through SA that I can drop at the doorstep. Getting an email from some cable internet host in a foreign country that alleges to be from aol.com is pretty much a dead give-away that it's not legitimate. For the few times when such messages are real, the bounce message we send in reply gives instructions on how to contact us and report an error in blocking. This happens at most once or twice a month.
As for SPF, yes it might be an industry standard, but many, many domains do not have SPF implemented. Most of our traffic is with businesses that run their own servers, not large ISPs. Most of those places don't have SPF implemented.
Having just started replaying Final Fantasy VIII this weekend, I'd say this needs to go on the list, too. After all, Rinoa's "Forest Owls" resistance group is essentially a bunch of terrorists attempting to overthrow the established Galbadian regime.
I block a lot of mail at the SMTP level (about 40% of attempted connections), but I never use RBLs to accomplish this. Mostly I maintain an ever-growing list of IP blocks and reverse domains that routinely send spam. Where I do use RBLs is at the SpamAssassin level. Being listed on an RBL gives a message a big SA score boost here, but typically not enough per se to have that message get tagged unless it has one or more additional spammy features. Avoiding false positives (tagging legitimate mail as spam) is a serious no-no if you're filtering mail for others.
I still get legitimate messages that run afoul of the SMTP rules from time to time. Usually these are people who violate my "no mail from someone@aol.com unless it comes from a server named *.aol.com" type of rules. They're the ones who configure their home email client to send a message over their cable ISP's server with a From address in aol.com. If only we could educate people on the value of the "Reply-To" header....
The first article covers unsecured taxpayer information on IRS laptops, a problem the audit agency raised in 2003 which has yet to be addressed fully by the IRS. The second discusses more general security issues and reports that, "The tax agency experiences gaps in access controls related to user identification and authentication, authorization, encryption, monitoring, and physical security. Data is at risk from weaknesses in configuration management, segregation of duties, media destruction and disposal, and personnel security controls." For instance, the IRS backup tapes were unencrypted and stored at facilities where they were physically available to non-IRS personnel.
I recently had a first-hand experience with the quality of IT procedures at the IRS. One of my clients is a well-known consumer law organization whose inbound mail I scan for viruses and spam. One of their attorneys contacted me the other day saying that she was unable to receive email from attorneys at the IRS. Now some of you may have encountered the various forms of viruses and phishing scams that use forged @irs.gov addresses. In an effort to combat such stuff, I added a rule to my inbound mail server requiring that messages claiming to from someone@irs.gov actually be sent from a server in *.gov. Notice I didn't limit these messages just to servers in irs.gov; to cut down on the potential for false positives the rule allowed any such messages that originated on any server in the Federal government. Most of the illegitimate "irs.gov" messages I've seen come from spambots on residential and office networks and would be blocked by this otherwise quite permissive rule.
Well, these legitimate IRS messages were blocked because they originated on a server that had no reverse-DNS resolution configured. Without reverse-DNS my server couldn't determine the sending server's domain and thus blocked these legitimate irs.gov messages. Even if I hadn't had this rule in place, these messages might well have been tagged as spam. I give hosts with no reverse-DNS entries a pretty high SpamAssassin score, though not one that alone would result in the message being tagged as spam.
We later confirmed that this server was, in fact, an official outbound mail server for the IRS's attorneys, and perhaps for many other of its bureaucrats as well. Having reverse resolution configured for an SMTP server is pretty much de rigueur these days if you want to insure your messages get delivered. Apparently this knowledge did not extend to the IT staff at the Internal Revenue Service.
We should also note that there is a difference between monitoring and intercepting communications. In essence, the former is looking at things like where an e-mail going from and to or the addresses of web sites visited, while the latter involves observing the content. This ruling seems to refer only to monitoring communications.
The article explicitly states that this is precisely what happened. The contents of her communications were not monitored, but their destinations (telephone numbers, web sites, etc.) I know people on Slashdot don't like to hear this, but I don't have any problem with this at all. People working on their employer's premises using their employer's systems should not have free rein to surf to their hearts' content, chat with dozens of friends on IM, or send emails to all their closest friends. Now most employers I work with tend to ignore such activities when it doesn't interfere with working or put the employers at risk. On the other hand, one of my clients recently fired someone who worked the night shift and spent his time downloading porn onto one of the machines in the office. I have no sympathy for such people.
Slashdot Mirror
Seems like Cowon (aka iAudio) has figured these problems out. Many of their players support Ogg and FLAC. I nag them from time to time to add Matroska to the list of formats their video players support.
There are already portable video players (or "video ipods") that can record television programs. My Cowon A2 even has timer recording so it can work like a DVR. If you have something that produces composite video (the familiar yellow RCA plug with its red and white audio counterparts), you can push the signal into the Cowon. I'm pretty sure Archos makes similar products, and maybe Creative does as well.
These devices all come with 16:9 screens these days as well. My Cowon plays Divx/Xvid at resolutions up to 720x576. I watched some episodes of the "Bartender" anime that I rescaled from 1280x720 to 704x396 while flying, and they look great. Now if the A2 would only support the Matroska and MP4 containers as well as the Windows ones (AVI, WMA), it would be ideal. At least it supports Ogg audio.
Don't blame Zonk; I asked that question when I submitted the story.
I asked the question because I suspect that the version of Ubuntu that they'll be shipping may not be identical to the version available for free. People buying a pre-installed version of Ubuntu on a Dell are going to expect support, so it's natural to suspect that its package manager may not have the full range of software that's in the current repositories. It's not hard to imagine that the Dells might point to a custom repository of software that Dell and Canonical have chosen to support. Then there are the non-free items, about which I've heard mostly silence from Austin and South Africa.
I think the persistent, "why is this hard, just use apt-get, or synaptic, or add a repository," type of comments neglect the fact that some of the people buying these systems may well never have used a Linux distribution in their lives. For them, such suggestions are essentially meaningless and would prompt a number of questions like "Apt to what?" "What's a repository?" "What's a command prompt?"
"Open source lacks compliance with many standards when compared with proprietary solutions"
I admit I didn't read the report all that carefully, but this particular observation made my jaw drop. How can anyone argue that open-sourced programs lack compliance with standards when many of the most significant programs were written precisely to conform to well-established standards. Doesn't sendmail comply with RFC2822? Doesn't ISC bind comply with the various DNS standards? Don't MySQL and PostgreSQL comply with SQL standards? Some of these programs (e.g, the DBMSs) might have additional non-compliant extensions, but really how can anyone say that a program like Firefox is less compliant with what passes for the standards on the web than Internet Explorer?
Or are we talking here about "standards" like NTFS or, perhaps worse, "standards" like .doc or .xls?
My prediction is that in twenty years these types of arguments will have faded away as an entire new generation of IT people brought up on open source will be filling these suits rather than the guys around this table. Oh, and I'm at least as old as most of them if not older, but I haven't been put through the corporate mill like these folks, thank the gods, or I'd be writing stupid things like this myself.
On a somewhat-related note, did any of you see the list of the supposedly "most important open-source products of all time" at eWeek? How this list could have excluded X, sendmail, bind, or kerberos is beyond me. Firefox is nice and all, but how much of an Internet would we have had without name services or mail exchange? Heck, even Microsoft decided to adapt Kerberos when it created Active Directory.
Mine switches to "Tape 2" when I put the device in the slot, but then it stays there. I'm using a device from Monster Cable in my '99 VW Passat. Reading reviews for this device on Amazon suggests that a lot of people have problems with all these devices including the competing items from Sony and Belkin. Some of the reviewers describe problems similar to yours. Some of these devices don't seem to work with certain brands of car stereos; some display weird behavior and mechanical noise; some work just fine. Maybe I'm just lucky, or maybe I haven't used it enough to start creating the problems others have encountered.
We use the type of device that fits into the tape player. I searched around on the net before buying this, and most reviewers said these devices had better performance than the FM transmitters. The tape device seems to work well, but I have no FM transmitter for comparison. Ogg audio (from our Cowon A2) sounds especially nice over the car speakers.
Why do I get the feeling that this guy just bought stock in a training company?
I think he'd like you to buy his book. The blurb at the bottom of the article reads:
"Ben Rothke, CISSP, is a senior security consultant at International Network Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill, 2006)."
Actually the judge decided that there was not a sufficient basis to issue a preliminary injunction against enforcement of the registry. The case itself is headed to trial on the merits.
I heard a former executive at Nickelodeon speak at Anime Boston recently about ratings for kids programming. Whereas before advertisers wanted to know how shows were doing in the 6-11 year-old demographic, some advertisers are now asking about how popular shows are with two-year-olds!
I guess this just means that the editors have come to realize that, since no one actually reads the stories posted here before bloviating, it's just more efficient to omit the story entirely.
Maybe I missed something, but where in the Business Week story does it say Microsoft is "getting something for every PC sold with Linux?" The Microsoft/Novell deal was a mutual agreement not to sue each others customers for potential patent infringements. I don't recall anything in that agreement about Microsoft getting paid for each copy of SuSE Linux that gets sold either.
I'm not denying what you said is true, but I just haven't seen any evidence for this statement in the public media.
Ed Felten has an excellent series of posts about AACS on his freedom-to-tinker blog. Here's the URL for the first post in the series: http://www.freedom-to-tinker.com/?p=1104.
I heard an interesting comment on NPR the other day by a criminal defense attorney. He argued that victims right laws add a second "thumb" to the scales of justice, one obviously not on the defendant's side of the scale. The state already represents society's interest in criminal matters. Why do crime victims need additional representation?
Only because it is a natural extension of the time shifting right. What makes broadcast (or cable, including premium cable) so different that the rights deemed fair with them are not deemed fair with anything else?
You might want to read John Paul Stevens decision in Sony v. Universal, specifically footnote 2 which reads, "This case involves only the home recording for home use of television programs broadcast free over the airwaves. No issue is raised concerning cable or pay television, or the sharing or trading of tapes."
The Court ruled that time-shifted viewing of programs on advertiser-supported broadcasting imposes no harm to the rights holders of those programs. Because time shifting enables advertisers to reach additional viewers, broadcasters are thus able to charge more for these larger audiences. Copyright holders should thus be able to capture some of this additional revenue by charging a higher rights fee to the broadcaster. So, in theory, the rights holders benefit financially from time-shifting. Without financial harm to the rights holders, it's tough to argue against a "fair-use" right for the time-shifting viewer.
Pay television was still in its childhood in 1984 when Sony v. Universal was handed down. Stevens excluded pay television because it wasn't so obvious whether the rights holders were harmed by your taping a movie off HBO. Time-shifted viewing of a movie doesn't increase either HBO's revenues or the revenues of the movie's copyright owner, but it does offer a potential for harm if you share that movie cassette with someone else. In practice, of course, the studios never asked that the pay-TV part of the decision be reconsidered. Once the Court ruled that video recorders could be sold legally in the US, the case was lost.
Like all fair-use cases, there is no guaranteed "time-shifting right." Fair-use is a right that must be balanced against the rights of the copyright owner. In this case Stevens decided that the studios failed to show sufficient harm to restrict the public's right to time-shift advertiser-supported broadcast programming.
As an aside, this case also raised what Stevens then called a "novel" legal argument, namely that Sony's decision to market VCRs as devices designed to record televised copyrighted works itself constituted an act of "contributory infringement" which required the devices to be banned. While the Court ruled against the studios in 1984, they took the opposite view in the Grokster case a few years back. There the Court ruled that Grokster had engaged in contributory infringement by providing and encouraging the use of its software to exchange copyrighted works, and that the use of this sofware directly benefitted Grokster since it drove people to visit Grokster's advertiser-supported website.
In the concluding paragraph, the author at Ars states:
"Despite the lack of specificity, Glickman's speech marks a step forward for the MPAA, which says it is now committed to allowing content to play on any device, from any manufacturer."
The operative phrase here seems to be "on any device, from any manufacturer." I think the real meaning emerges if we remove the comma. The MPAA represents businesses who want to sell content playable on devices built by manufacturers that have licensed this hypothetical DRM system. What the Ars article didn't cover was how this could apply to "devices" built with open and free tools. I can see how these systems could be implemented on Vista using the existing Intel/Microsoft DRM system. I can also imagine implementations for portable media players like the iPod or Cowon through some combination of firmware and software. What I can't imagine is an open implementation for Linux or BSD that would not run afoul of the DMCA's "no-circumvention" clause just like DeCSS. It would still be illegal to distribute such implementations into or within the United States.
Now if someone could build a commercial product that plugged into a USB port and gave you the same freedoms as the other platforms offer, that might have a market. In fact, it might even help level the playing field against the proprietary platforms since you'd have less incentive to buy into the Intel+Microsoft or Intel+Apple solutions. Of course, there'd be a substantial segment of the Linux market that would refuse to purchase such a device on political grounds. However, if desktop Linux ever takes off, those people will represent a smaller and smaller share of Linux users. I could imagine many Linux users who wouldn't mind paying $29.95 for a device that would let them do the same things with DVDs as their friends running Windows and OS X can do. In fact, if I were the MPAA, it might better business sense to license the technology only to dongle makers and avoid having to deal with Intel/Microsoft/Apple. Just sell the dongles and a driver disk that supports Windows/Mac/Linux.
Maybe somebody there was reading Slashdot?!
You realize, of course, that this has nothing to do with supporting multiple browsers and everything to do with the movie studios' regionalized distribution systems. A theater owner in a foreign country where movies are rolled out behind the US would be quite annoyed to discover it was possible to download a movie from a website before it was available for theatrical distribution in his or her country.
I'm not justifying the regional distribution model, nor do I expect it will survive the expansion of the Internet over the next few decades. At the moment, however, distribution is carefully staged around the world, and no studio is going to change that behavior just to satisfy a few people outside the US who want to download the latest release over the Internet.
no blacklist is idiotic enough to still believe the "from:" is reliable
That might be true of RBL maintainers, but it's hardly true of mail admins in general. Unfortunately there are still providers who believe their users' reports of spam. My SMTP server is blacklisted on some server in Canada, though we have SPF records and are not on any public RBL. A visit to their website shows that they employ users' reports, among other things, to determine what to block. I've even had a problem with Verizon blacklisting my server. After searching their website for hours, I finally found the form required to report an incorrect blacklisting. I'll add that I needed to do this three times because they'd correct the problem, then reinstitute the blocking six months later.
If companies the size of Verizon can't tell the difference between spammers and legitimate servers, you can bet there are a lot of other people managing e-mail systems with little knowledge in these areas. Smaller ISPs and overworked admins in businesses who know little about email other than how to set up an Exchange server are common examples. As for users, they are always amazed to hear that nearly every single feature of an email message can be forged. If it says it's "From: joe@example.com" then it must really be from Joe.
Most of the domains I manage have been "Joe-Jobbed" at some point or another.
While it's interesting that he has an Ubuntu laptop, I'm more surprised that none of the four other machines are running Vista. They're all still using various flavors of XP.
How about knocking on the door and asking the owner if you can connect?
I do use those as well. I'd just prefer not to have to process mail through SA that I can drop at the doorstep. Getting an email from some cable internet host in a foreign country that alleges to be from aol.com is pretty much a dead give-away that it's not legitimate. For the few times when such messages are real, the bounce message we send in reply gives instructions on how to contact us and report an error in blocking. This happens at most once or twice a month.
As for SPF, yes it might be an industry standard, but many, many domains do not have SPF implemented. Most of our traffic is with businesses that run their own servers, not large ISPs. Most of those places don't have SPF implemented.
Having just started replaying Final Fantasy VIII this weekend, I'd say this needs to go on the list, too. After all, Rinoa's "Forest Owls" resistance group is essentially a bunch of terrorists attempting to overthrow the established Galbadian regime.
I block a lot of mail at the SMTP level (about 40% of attempted connections), but I never use RBLs to accomplish this. Mostly I maintain an ever-growing list of IP blocks and reverse domains that routinely send spam. Where I do use RBLs is at the SpamAssassin level. Being listed on an RBL gives a message a big SA score boost here, but typically not enough per se to have that message get tagged unless it has one or more additional spammy features. Avoiding false positives (tagging legitimate mail as spam) is a serious no-no if you're filtering mail for others.
I still get legitimate messages that run afoul of the SMTP rules from time to time. Usually these are people who violate my "no mail from someone@aol.com unless it comes from a server named *.aol.com" type of rules. They're the ones who configure their home email client to send a message over their cable ISP's server with a From address in aol.com. If only we could educate people on the value of the "Reply-To" header....
I'd imagine that the monitoring around those systems is massive, and the security/setup is top-notch
t s/200720048fr.htmlt Layout
You'd think so, but what evidence we have doesn't confirm your optimism:
http://www.treas.gov/tigta/auditreports/2007repor
http://www.fcw.com/article98135-04-03-07-Web&prin
The first article covers unsecured taxpayer information on IRS laptops, a problem the audit agency raised in 2003 which has yet to be addressed fully by the IRS. The second discusses more general security issues and reports that, "The tax agency experiences gaps in access controls related to user identification and authentication, authorization, encryption, monitoring, and physical security. Data is at risk from weaknesses in configuration management, segregation of duties, media destruction and disposal, and personnel security controls." For instance, the IRS backup tapes were unencrypted and stored at facilities where they were physically available to non-IRS personnel.
I recently had a first-hand experience with the quality of IT procedures at the IRS. One of my clients is a well-known consumer law organization whose inbound mail I scan for viruses and spam. One of their attorneys contacted me the other day saying that she was unable to receive email from attorneys at the IRS. Now some of you may have encountered the various forms of viruses and phishing scams that use forged @irs.gov addresses. In an effort to combat such stuff, I added a rule to my inbound mail server requiring that messages claiming to from someone@irs.gov actually be sent from a server in *.gov. Notice I didn't limit these messages just to servers in irs.gov; to cut down on the potential for false positives the rule allowed any such messages that originated on any server in the Federal government. Most of the illegitimate "irs.gov" messages I've seen come from spambots on residential and office networks and would be blocked by this otherwise quite permissive rule.
Well, these legitimate IRS messages were blocked because they originated on a server that had no reverse-DNS resolution configured. Without reverse-DNS my server couldn't determine the sending server's domain and thus blocked these legitimate irs.gov messages. Even if I hadn't had this rule in place, these messages might well have been tagged as spam. I give hosts with no reverse-DNS entries a pretty high SpamAssassin score, though not one that alone would result in the message being tagged as spam.
We later confirmed that this server was, in fact, an official outbound mail server for the IRS's attorneys, and perhaps for many other of its bureaucrats as well. Having reverse resolution configured for an SMTP server is pretty much de rigueur these days if you want to insure your messages get delivered. Apparently this knowledge did not extend to the IT staff at the Internal Revenue Service.
We should also note that there is a difference between monitoring and intercepting communications. In essence, the former is looking at things like where an e-mail going from and to or the addresses of web sites visited, while the latter involves observing the content. This ruling seems to refer only to monitoring communications.
The article explicitly states that this is precisely what happened. The contents of her communications were not monitored, but their destinations (telephone numbers, web sites, etc.) I know people on Slashdot don't like to hear this, but I don't have any problem with this at all. People working on their employer's premises using their employer's systems should not have free rein to surf to their hearts' content, chat with dozens of friends on IM, or send emails to all their closest friends. Now most employers I work with tend to ignore such activities when it doesn't interfere with working or put the employers at risk. On the other hand, one of my clients recently fired someone who worked the night shift and spent his time downloading porn onto one of the machines in the office. I have no sympathy for such people.