Stopping Spam
Paul Graham examines and evaluates all known methods of responding to spam. As an overview of possible (and also possible future) solutions and an initial assessment, it's quite useful.
sysadmin - 7.1.2003 - 16.10.2003
The Resurrection of SimplyGNUstep - OSNews.com
SimplyGNUStep is now based on Debian Sarge (the upcoming Debian version). So it's simply just a collection of Debian packages with current GNUStep applications. The previous project of the same name aimed to be a full distribution, with its own directory structure, just like NextStep was organized. I find the current incarnation much more sensible though - having yet another package system and yet another distribution doesn't really make sense, especially when Debian already offers everything in very usable form...
Loadbalancer in Python
A special feature of this load balancer (besides the fact that it's written completely in Python): it doesn't use multiple processes or threads, instead it uses asynchronous I/O. This allows many connections to be handled simultaneously in just one thread, which keeps the system load much lower than classical balancers that start a process or thread for each connection. It uses either Twisted or the asyncore module that comes with Python. And the whole thing is also blazingly fast - for example, the same approach is used in Medusa, a web server in Python that comes close to Apache's performance when serving static HTML pages. Here's the original article.
Technical Incompetence or Wishful Thinking?
When I read the linked article, I had to grin somehow. But then the head-shaking took over at so much nonsense. The article contains so many wrong ideas and interpretations of open source that you can only wonder how so many errors fit into such a short article. The biggest mistake is probably once again the mistaken assumption that open source needs a business model to function. Absurd notion - searching for a business model in the creation and distribution of open source is just as sensible as pulling on the value chain of weblogs. Of course there are companies that build a business model on the existence of open source - similar things exist with weblogs too. But the business model is absolutely irrelevant to the actual engine.
But then I thought about what it would really mean if SCO won (which apart from the article's author and maybe Darl McBride, probably nobody really believes). What would that mean for open source? Not much - the questionable sources would have to be named sooner or later and would simply be removed from the Linux kernel. Version 2.2 is according to SCO's own statements clean, it has already worked, at worst subsystems would fall back to the 2.2 level. Not fatal, at most annoying.
What would happen if the Linux kernel were banned by SCO? Wouldn't that destroy open source? Apart from the fact that this notion is quite absurd, here lies the biggest mistake in the article - a mistake, however, that is made almost consistently in the media. Open source is not Linux - Linux is only one (even relatively small, though significant) component of the entire open source field. Linux is a kernel - and thus important, but only one possible component that can easily be replaced. In the Intel processor environment, one could relatively quickly simply use the FreeBSD kernel (due to its compatibility functions for the Linux API) instead of the original Linux kernel. For other processors, just take NetBSD - much open source is not dependent on Linux anyway, but runs on almost everything that is Unix-like.
And what if companies no longer want to use open source because of the proceedings? Please what? Companies should refrain from using something they can get for free, just because there's a court case in a marginal area? Why should companies do that? How many companies use pirated software, knowing that it's illegal, knowing what that could mean, because they don't want to spend the money? As long as greed exists, open source will also find commercial use. And greed will exist as long as we have a market economy. So for a damn long time.
But surely companies won't release their own things under open source licenses anymore? Why not? It's a fairly inexpensive way for many companies to get free advertising. Besides, these companies rely on project business, less on software creation. The SCO proceedings don't change that at all. And even if it does decrease - much open source is created by individuals, originated at universities, or created in loose developer groups. Companies have contributed things - but usually only those in which they themselves had an interest for their own business fields. If companies no longer contribute to open source, they primarily harm themselves. Open source typically arises from someone having a problem that bothers them - and begins to create a solution for it. Suddenly something should change about that?
What bothers me most about what is written in the press about open source is the complete obtuseness of the authors about the facts of open source - that there is far more than just Linux, that the companies based on Linux are absolutely not necessary for the survival of open source, and that the motivation for open source has absolutely nothing to do with business models: Open source is the enthusiasm of people to create something that other people use with just as much enthusiasm. This motivation, the core of open source, cannot be stopped by court proceedings or bans. Open source would continue to exist even if it were banned by law - then just underground. Because creative achievements by people cannot be prohibited or suppressed - that applies in the software world just as much as with writers, painters, or musicians.
Open source will - no matter what the representatives of proprietary software attempt to do - continue to exist. Get ready for that. There is no going back.
VeriSign Defends Sitefinder
As suspected, Verisign shows no insight whatsoever. But the justifications are truly absurd - presenting price gouging based on a technical monopoly as innovation is quite audacious.
At heise online news you can find the original article.
The VeriSign Special Session Approaches
You could almost feel sorry for Verisign given the speakers against them. But only almost...
Update: Verisign has convened its own Technological Review Panel. Let me translate the charter here:
- Solicit and gather technical information and data regarding the implementation of the Site Finder service from interested parties. : First collect the complaints and see who among them might look important. The rest simply aren't interested parties according to our definition.
- Distill the received information and data to implementation issues. : If we have to deal with a complaint anyway because the complainant can't simply be ignored, then we can maybe just claim it has nothing to do with the implementation.
- Based on the implementation issues, determine which issues are based on fact concerning the service. : If possible, just claim it's all lies or not real.
- For each issue associated with the service, determine the likelihood of the issue arising for Internet users, and the consequences of each issue for Internet users. : If we have to acknowledge there's actually a problem, try to weasel out of it by claiming it basically never happens anyway.
- Based on the resulting factual analysis of the issues, determine what enhancements could be made to improve the service. : If there's no way around it, make non-binding concessions - we won't implement the whole thing anyway.
- Report the observed implementation issues to VeriSign along with any data supporting such issues. : All the complaints we can't simply lie about, push aside, or ignore get printed out and filed away. Guarantees of fixing problems? Commitment to follow the panel's recommendations? Yeah right, forget it.
And the panel participants even volunteer for this stuff for free. There's certainly no recognition here that SiteFinder was simply monopoly abuse and should never have existed. And no sign that the idea would be dropped.
At Wortfeld you can find the original article.
Why I hate Microsoft ...
Security holes in Internet Explorer are a dime a dozen - of course there are patches for them too. So just install them. That's quite simple, right? Wrong. IE 5.5 is installed - the patch is only available for IE 6. But you can just update the browser, right? Wrong. IE6 requires Service Pack 6a on NT4. But you can just install that, can't you? Wrong.
And now it got really wild: I have an NT4 with IE 5.5 on it. Installing the normal SP6a gave me a message that I was trying to install a normal encryption version over a high-encryption version and that wouldn't work. But there's no high-encryption SP6a - you literally have to patch the normal SP6a by hand! So unpack the service pack, search for update.inf, search for the checksecurity.system32.files section, throw out schannel.dll from there. Now you can finally install the service pack. And the first reboot, because I just want to patch a browser.
Ok, then finally install IE6. It churns away for an eternity and what comes next? Of course, the reboot. Because I just want to patch a browser. The fact that it keeps working after the reboot was clear. What the heck is it doing with all that? It's just a damn browser!
Then finally install the cumulative patch for IE6. Which, surprisingly, doesn't require a reboot. I thought. Until the question came up whether I wanted to restart now. It's just a browser! A damn browser! A crummy application program that needs to be patched because the manufacturer is too stupid to do it right!
That's just bullshit. (Side note: Of course this isn't a real Windows system, but a VMware - so I could work in parallel, namely under a real operating system
)
VeriSign Takes Site Finder Offline
Only a partial success: Verisign's whining (why is it described as an ex-monopolist in the c't article anyway? As a TLD operator for .com and .net they are an absolute monopolist; no one else could have pulled off that Sitefinder stunt) suggests they want to reintroduce the mess. Hopefully ICANN will stay tough. This silly claim that 40 million users would have used the Sitefinder is also preposterous - how could anyone have prevented it? You were forced to use it. Drawing the conclusion from that, that people would prefer that part over an error message, is pretty brazen. Verisign has proven they understood nothing and are just as much of a mess as Network Solutions was before them.
At heise online news there's the original article.
Signs of Intelligence: ICANN Demands Verisign Kill SiteFinder
Good! ICANN finally takes action.
At Morons Dot Org you can find the original article.
Replication for PostgreSQL
I didn't even notice: the commercial replication solution eRServer has been open source since the end of August! Although it seems that only one-way replication (from master to slaves) is implemented, but in any case, something like that helps.
Trojan redirects browser to fake sites
People, switch to a different browser. This one is really way too broken - Swiss cheese would be a massive wall compared to it!
At heise online news you'll find the original article.
ssh for Hires-Palms (Tungsten, Clie)
An SSH client for Palms with higher resolution such as the Tungstens and Clies. However, it can only support SSH protocol v1 - v2 support is still in the works. Unfortunately v1 is quite buggy, which is why they no longer want to make it publicly available. But still better than Telnet or similar. If I ever get a Tungsten T3, it might be quite interesting Here's the original article.
Storever Online Backup
An online backup service – that is, data backups via rsync and ssh to a central server. I was particularly struck by the following line in the waiver: Although Storever Online Backup will do the job most of the time, custommers should always consider that they have been lucky whenever they can recover lost data. That's really reassuring – that's how you sell a backup system! So you look at what the Storeever Offline Archive offers, since that's what Storever recommends when the customer wants security. And what do I find there in the waiver? Exactly: Although Storever Offline Archive is a secure and reliable service, it is not 100% reliable and involves risks which we can not control. In particular, custommers should always consider that they have been lucky whenever they can recover lost data. Wow. So with the low-cost product, I should consider myself lucky if I can restore a file. I can then pay even more per month, and I can still consider myself lucky if I can restore a file.
I don't know quite what to say, but somehow I get the impression that this is not a particularly confidence-inspiring product.
apt for RPMs
I wasn't aware of this: there's a project to make apt usable for RPMs as well. Very practical - anyone using Debian knows what apt can do. However, I doubt that all the RPMs really have useful dependencies specified (which apt relies on) ...
FTP Server ProFTPD Vulnerable
Not a good time for administrators at the moment. First the multiple holes in OpenSSH, now ProFTPd. Fortunately, Debian works quite pragmatically and delivers the patches relatively quickly - although I'm still waiting for the ProFTPd patch there (and the latest ssh patch isn't here yet either - and that's not entirely uncritical, since Debian works with PAM support).
At heise online news there's the original article.
All your .com are belong to us :: hebig.org/blog
One aspect of the latest VeriSign nonsense that I stumbled upon through Haiko Hebig is mail delivery for non-existent domains. Here's an analysis of what happens with a non-existent domain:
muenster:~# exim -bt gb@blubberfaselblubb.com gb@blubberfaselblubb.com deliver to gb@blubberfaselblubb.com router = lookuphost, transport = remote_smtp host blubberfaselblubb.com [64.94.110.11]
So an email is sent normally to the A-record (the one with the wildcard). What happens there? You can see it here:
telnet blubberfaselblubb.com smtp Trying 64.94.110.11... Connected to sitefinder-idn.verisign.com. Escape character is '^]'. 220 snubby3-wceast Snubby Mail Rejector Daemon v1.3 ready HELO blubberfaselblubb.com 250 OK MAIL FROM: blah@blubberfaselblubb.com 250 OK RCPT TO: blah@blubberfaselblubb.com 550 User domain does not exist. DATA 250 OK quit 221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel Connection closed by foreign host.
So there's a mail rejector running at that address that rejects every mail delivery with 550 - User domain doesn't exist. Want some paranoia? Sure? OK: it's trivial to modify the mail rejector so that it collects and archives the sender addresses provided at MAIL FROM: of the misdirected emails. I'm not saying VeriSign does that - but wildcard A-records at such a central location are an abuse waiting to happen ...
OpenSSH 3.7 closes security hole [2nd update]
That's what's great about Debian: the updated patches are already available on http://security.debian.org/, simply:
apt-get update apt-get install ssh
and the system is up to date again with all patches. That's what I like about it.
Apple has not yet released a software update for OS X ...
At heise online news you can find the original article.
VeriSign has entered a wildcard A record on *.net
That's audacious. Every query for a domain under .net is now answered with an A-record from Verisign. From there it gets redirected to a Verisign page containing a search engine and web directory. Great. Probably soon there will also be a request to register a free domain cheaply at Verisign. Verisign can of course, as the operator of .net and .com, enter something like this - but only Verisign can do it. None of the alternative .net or .com registrars can do it. That's free competition on the Internet. At Advogato there's the original article.
SenderBase
SenderBase is a server that performs evaluations of email traffic based on senders and domains. You can use it to find out which organizations and servers use domains, what belongs to organizations, which servers are mail servers, etc.
Quite an interesting thing, based on log data from (according to their own statements) approximately 9000 companies that receive email.
bash is new default terminal shell in Panther
Woah! That's almost like changing VI's default editor to Emacs
Well, I think it's good, I'll admit I'm a Bash softie (but please not Emacs. My depravity has limits somewhere!).
At The Macintosh News Network you can find the original article.
PHP under different user permissions in Apache
An Apache module that allows PHP code to run under a different user than the one Apache is running as. This would make it possible to set up a separate environment for each user on the server using Unix file permissions and restrict them to that area - safer than the normal variant where all PHP scripts run under the Apache user. However, installing it alongside normal PHP is not so straightforward, since both depend on the same MIME type. Still, I could take a look at that.
Spam filter for IMAP mailboxes
Those working with IMAP4 mailboxes instead of POP3 often get ignored by various filter programmers - many can only handle POP3. The link goes to a filter that uses SpamAssassin against an IMAP4 server: emails are sorted out and thrown into a spam folder. The nice thing about it is that this filter doesn't need to be built into the mail client, but also not into mail delivery. Instead, you can simply run it outside of the mail program - it can run on any machine that has access to the mail account. Quite practical if you have your mailbox with a hosting provider and want to run the filter from your own server, but your mail program runs on a notebook (and you want to avoid downloading spam mountains while on the go, for example).
Oh, and the fact that the little program is written in Python is also not without its advantages - instead of SpamAssassin, you could also integrate SpamBayes, for example.
And once again a little something about the SCO farce
SCO did release its old Unix sources up to 32V as open source. There was an announcement from back then by Caldera (now SCO). Allegedly, there was supposed to be a restriction to non-commercial use in this release. Needless to say, there is no restriction on use anywhere in the announcement, nor is there a restriction to 16-bit versions alone, as SCO is now claiming through Blake Stowell.
Could it be that SCO was a bit unprepared for the whole operation?
SCO Licenses Also Due for SCO Linux ...
From the SCO FAQ on Linux licensing:
If I am running SCO Linux or Caldera OpenLinux do I need to obtain a SCO IP License for Linux? - Yes.
This means that SCO itself sold products that are illegal (by their own definition). But SCO certainly sold these products to customers who in good faith purchased them from SCO believing the business was legitimate. Does this now mean these customers can sue SCO for fraud?
In any case, this should be a goldmine for any consumer protection advocate — a company that sells a product and then later comes along and tries to charge people again for the same service they already purchased.
Absurd. Completely absurd.
Sun-Chef McNealy: Hands off Open Source
As usual, he talks out of his ass instead of his head
At heise online news there's the original article.
IBM Counters in Legal Dispute with SCO
SCO's claims are becoming increasingly absurd. Now it's supposedly a breach of contract when IBM ports self-developed portions of AIX to Linux, because AIX is a Unix derivative and therefore, according to SCO, everything in it should fall under the Unix confidentiality agreement. Are they completely out of their minds?
Apart from that: where in the SCO garbage heap they call UnixWare have they got anything adequate that would even come close to comparing with the AIX components? For example jfs - where is the usable journaling filesystem in UnixWare that would even allow for any kind of secret violation?
It's really ridiculous what they're pulling off. I hope that - now that it's slowly becoming clear which portions of the source code SCO apparently thinks it has licenses for - the stock market will also react to this and reduce SCO's artificially inflated stock price back to what it's worth: nothing.
At heise online news you can find the original article.
Email Archives as Time Destroyers
Oh yes, the wonderfully absurd arguments from the marketing folks. Nobody pays the total sum (assuming it's even actually that high - the assumptions of these pseudo-experts are completely arbitrary), since it's distributed across all companies. If you break it down to the individual employee, you save a few euros per year. The 6 minutes per day certainly doesn't justify the immense investments a company would have to make in an archive system. You need other motivations for that, not just a bit of email searching. But that's much more effective for advertising ...
At heise online news there's the original article.
CD-Linux Knoppix comes to the Mac
Cool! Knoppix is my favorite emergency distribution - just insert and boot, the computer remains unchanged, but a completely functional Linux based on Debian is available. With it, you can usually get just about anything repaired, except hardware damage.
Something like that for the Mac would certainly be nice too - also to show Mac users a Linux without having to repartition their disks.
At heise online news there is the original article.
SCO vs. Linux: Linux Tax or Security [Update]
It's really outrageous what this company is getting away with. Still this lazy drivel when asked for concrete evidence. I hope that finally some company will put a stop to all this. The whole SCO action stinks miserably to high heaven.
At least here in the country, a stop has been put to this nonsense.
At heise online news you can find the original article.
Former FreeBSD Developer Launches Own Operating System
Hachja, how much that reminds me of the stories with Theo de Raadt in the NetBSD project. Especially the reasoning comes across as very familiar to me
At heise online news there is the original article.
SpamBayes Outlook Addin
Anyone who has to work with one of the devil's tools (I have to at work, for example) will be happy that the Outlook spam filter plugin written in Python now works really well with Outlook 2000 (and probably XP too). Not that I'd like to use Outlook, but I have no choice, I'm forced to ...
Microsoft can't even get an HR tag right ...
... anyway, that's what the linked article says. A buffer overflow through an overly long ALIGN attribute on the HR tag. That's really embarrassing – Microsoft can't even get a horizontal line right in Internet Explorer without producing a security hole.
Threat of Fines for Missing Website Blocks in North Rhine-Westphalia
No class. So the district government is not only unable to grasp that the blocking measures are almost ineffective, but they're also unable to oversee how they can verify their own demands. Pathetic. And downright embarrassing, this demonstration of total lack of professional expertise.
At heise online news there's the original article.
The Hercules System/370, ESA/390, and z/Architecture Emulator
Because I just talked about it in chat: the link points to an emulator for IBM /370 and /390 hardware. And IBM supplies operating systems for it - old ones of course, but completely legal. OS/360 or MVS 3.8j or even an old VM/370 version on a Linux box is really a neat toy for the geek from back then
And as I just see there's now also an OS X version. Very nice.
IP addresses sold on the black market
IP addresses that lie dormant in network blocks because they're being used up in internal networks, for example, are stolen (through forged letters, etc.) and then traded on the black market. Weird.
Renewed Dispute over Draft on Publication of Security Vulnerabilities
What? 30 days after receipt until the patch and then another 30 days to secure important infrastructure, and then - after 60 days! - only then the publication? Ridiculous! If the vendor is given any chance at all, it should be a maximum of a few days! After all, it's about security holes through which attackers can compromise a system.
At heise online news you can find the original article.
Sendmail also now protects against spam
And who protects us from sendmail?
At heise online news there is the original article.
SAP relies on MySQL
Well. So far SAPDB was quite an interesting database alternative (ok, I like PostgreSQL much better, but whatever). But if the MySQL people start tinkering with it, that can only get worse. I wonder if they'll remove outer joins from SAPDB's SQL? And throw out transactions? Because nobody needs that anyway, as they used to argue back in the day
At heise online news there's the original article.
Matrix Reloaded features nmap
Cool, in Matrix Reloaded, there's actually real hacking in a hack scene: first finding a host with nmap and then using an ssh exploit to break into the host. No more of the silly Stone Age login screens with nonsensical commands and ridiculous text, but a somewhat realistic situation with actual programs. Cool! On http://insecure.org there are a few screenshots with explanations. On bbums rants, code & references I found the original article.
Routing tables under Linux vulnerable to denial-of-service attacks
Ouch. 400 packets per second isn't much. Patching seems to be in order.
At heise online news there's the original article.
Send spam back?
To the remarks by Jutta, I'd like to add just my perspective as a system administrator. Because in addition to the problem of the data volume that accumulates (and which many still pay for based on data volume), there's another problem: bounces on bounces. The result of "contaminated" address lists is that many emails bounce. Those that bounce to forged but real user addresses land in that user's mailbox and annoy them. The others that cannot be delivered usually end up as corresponding system bounces in the mailbox of the system administrator of one of the involved mail servers.
I'm quite directly affected on several systems where I'm admin - the result is often unreadable bounce mail folders because so much flows in that you don't really want to wade through it to search for real problems. As a result, system problems that lead to mail delivery issues are often only noticed when users complain - nobody looks at the mess of bounce mail before that, just as little as the error reports of the mail server.
So if you like your system administrators (or simply want your mail to be handled properly), then think about them too when you carry out such anti-spam actions.
At Hexentanz there's the original article.
Trusted Debian 0.9
This actually sounds like I could give it a try now. It might be a path to upgrade my home firewall box to, as that currently is running an older debian release and must be upgraded. But I need to pull down all those stupid applications I have thrown at that little box, first. Because a firewall with so much applications is everything else but a firewall
Bei freshmeat.net gibts den Originalartikel.
OS X 10.2 upgrade - all software sucks
Crashing like Winblows. This is stupid. If I want crashing systems, I install something from Microsoft. Unix-based stuff is supposed to work. Yeah. This stinks.
Letters to the Editor
Yep, that's a problem with Microsoft systems, patches often don't work, conflict with each other or are just not there (or you don't know about because nobody tells you). That's why I prefer systems where the systems developers / maintainers give you a useable security feed. Like most Linux or BSD systems with working distributed software repositories. I don't quite understand why Microsoft doesn't do the obvious and set up a mechanism like the Debian apt-get stuff in their current OS and distribute working patches this way. But maybe it is too obvious ... Bei New York Times: Technology fand ich den den Originalartikel.
TINC hopelessly borken?
At least they can't resolve any .org any more. There nameservers where a bit fucked up already for some weeks, but now it's really silly. Sorry, guys, but your network of root nameservers once was a proposal to do it right, but currently it's just a show of how to do it wrong ...
Post without title
The case against crawler918.com. I saw some hits on my web site the other day from machines in crawler918.com. Always curious about new developments in web searching, I thought I'd find out about it. It's not a happy story. [ Advogato]
Nuke them from orbit ...
Found at Advogato.
Post without title
Political consultant Dick Morris wants politicians to spam. "E-mailing is the new front of political campaigning," he writes after spamming one-fourth of all residents in Arkansas last fall. [Workbench]
This deserves no comment. Only politicians and marketing guys can be that stupid.
Found at Workbench.
Beitrag ohne Titel
Rich Bowen: "After putting me on hold for a lengthy period of time, apparently talking to other experts, he came back and told me that the problem was beyond their expertise to deal with. He encouraged me to read the .htaccess file tutorial on the Apache web site at apache.org. Now, for those of you who don't already know, the reason that this was so very surreal is that I wrote the .htaccess tutorial on the Apache web site."
One to bang your head on the table over. Reminds me of the Korn-Microsoft debate. Lusers. [via Workbench]
Gefunden bei Workbench.