Archive for the 'General IT' Category

Microsoft Gets Heavy with Sender ID

Friday, June 24th, 2005

Microsoft are trying to strong-arm the internet community into using their technology as a standard by pushing Sender ID. From November email sent to MSN or Hotmail that does not comply with the controversial method will be marked as spam.

Will this turn Hotmail into a walled garden rejecting mail from users of other systems who refuse to comply?

Insecure by Default

Wednesday, June 22nd, 2005

Marcus Ranum set up and managed the US President’s email server (whitehouse.gov) during its first year of operation. No one could doubt his security credentials. In this insightful Security Focus interview he shares his worries about the state of computer security and alleges that “80% of corporate desktops are infected with spyware, 15% of them are infected with keystroke loggers”.

The interview is depressing reading. He’s damning about the current state of computer security and fatalistic about the future.

I believe we’re making zero progress in computer security, and have been making zero progress for quite some time. Consider this: it’s 2005 and people still get viruses. How much progress are we making, really? If we can’t get a handle on relatively simple problems such as controlled execution and filesystem/kernel permissions, how much progress are we going to make on the really hard problems of security, such as dealing with transitive trust?

Before Linux users start congratulating themselves on their choice of operating system, we need to get Marcus Ranum to sit down with Linspire CEO Michael Robertson.

Linux, like Mac OS X, is championed as a secure operating system in comparison to Windows XP, which, unpatched, will become infected within 20 minutes of connecting to the internet. Michael Robertson is threatening that reputation. He believes that running as root for daily tasks is not dangerous. Desktop users of his company’s distribution will be doing exactly that by default.

Creating a distro targeted at the less technologically literate that allows them to run as root as standard is a disaster waiting to happen.

Robertson defends himself by pointing out that they do have the option of creating non-root users but anyone who would consider that option is unlikely to be installing Linspire in the first place. It will make for disastrous PR for Linux as a desktop operating system when one of his target audience installs some malware in the near future thinking it’s a sexy videoclip of the latest tabloid pin-up and then wonders how their credit card details got stolen. Does anyone think that people will understand that Linspire isn’t Linux? All distributions will be tarred with the same brush in the popular imagination.

It’s as if Robertson has heard the words “running as root” enough times to think he knows what it means, only to reveal a fatal ignorance with his decision. I want to say Marcus Ranum is to Planck what Michael Robertson is to Planck’s chauffeur but it is not true. Robertson is a very intelligent man but for some reason he is flying in the face of conventional security advice.

Unix/Linux got to grips with controlled execution and filesystem/kernel permissions a long while ago. Dragging Linux back to the insecure by default model of Windows to make it easier to use seems foolishly short-sighted.

Still it might be nice to have some native viruses for Linux at last. So far, they’ve proved difficult to run under Wine.

Battening Down the Hatches

Monday, June 13th, 2005

I’ve been inspired and encouraged by Dougal and Michael to tie together their respective spamblocking scripts. I’m testing the hybrid now.

Assuming all works as planned, if a spambot is detected and blocked by Bad Behavior, SpamValve will also take its IP address and log the abuse. Five offences from the same IP and the address will be blocked at the firewall for a couple of days. Any bots missed by Bad Behavior that trigger the heuristics built into WordPress will also have their IP passed to SpamValve.

My changes are crude and can definitely be improved. Consider this a proof of concept. If anyone wants a copy please contact me via =timhardy or leave a comment below.

NB a new update is available for Bad Behavior (which I notice I’ve been misspelling “Behaviour” in the English fashion until now) bringing it up to version 1.1.1.
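The threshold-and-expiry blocking described in this post, sketched as an added example (it is not SpamValve's code nor the hybrid script mentioned above). The class and function names are hypothetical, "a couple of days" is assumed to mean 48 hours, and the iptables commands are only built as strings, never executed.

```python
import ipaddress
from collections import defaultdict

THRESHOLD = 5                # offences before a block, per the post
BLOCK_SECONDS = 2 * 86400    # "a couple of days", assumed here to be 48 hours

class OffenceTracker:
    """Counts spam offences per IP and emits iptables commands as strings."""

    def __init__(self):
        self.offences = defaultdict(int)   # ip -> offence count
        self.blocked = {}                  # ip -> expiry timestamp

    def report(self, raw_ip, now):
        """Record one offence; return an iptables command if a block starts."""
        # Validate first: the value ends up on a root-owned command line.
        try:
            ip = str(ipaddress.IPv4Address(raw_ip.strip()))
        except ValueError:
            return None
        if ip in self.blocked:
            return None                    # already dropped at the firewall
        self.offences[ip] += 1
        if self.offences[ip] < THRESHOLD:
            return None
        self.blocked[ip] = now + BLOCK_SECONDS
        del self.offences[ip]
        return f"iptables -I INPUT -s {ip} -j DROP"

    def expire(self, now):
        """Return the commands that lift blocks whose time is up."""
        due = sorted(ip for ip, t in self.blocked.items() if t <= now)
        for ip in due:
            del self.blocked[ip]
        return [f"iptables -D INPUT -s {ip} -j DROP" for ip in due]

def replay(events):
    """Feed (timestamp, ip) events through a tracker; collect every command."""
    tracker, commands = OffenceTracker(), []
    for now, ip in events:
        commands.extend(tracker.expire(now))
        cmd = tracker.report(ip, now)
        if cmd:
            commands.append(cmd)
    return tracker, commands

# Constructed sample: one repeat offender, a hostile string, three one-off hosts.
SAMPLE = [(t, "203.0.113.7") for t in range(5)]
SAMPLE += [(10, "203.0.113.9; echo injected"), (11, "198.51.100.1"),
           (12, "198.51.100.2"), (13, "198.51.100.3")]
```

Replaying `SAMPLE` blocks only the repeat offender: the three hosts that each send a single spam stay under the threshold, and the malformed address is discarded before it can reach a command line.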

Cursing My Blessings on the Spam Front

Sunday, June 12th, 2005

Just my luck. In the week I’ve been testing spamvalve I’ve had no comment spam… until 5am this morning.

The spammed post was viewed by one IP address then, moments later, a comment was left on that post from a second IP address which then (re)loaded the entry. My traffic is low enough to make it highly probable that the first IP address and the second belong to the same person: neither IP address resolves to a known host so I assume they’re both spoofed.

The post was clearly spam: a vague meaningless statement along the lines of “great info guys thanks” linked to a portal site. It didn’t trigger Wordpress’s built-in spam defences nor the spamvalve plug-in.

By default any comments on this site have to be approved by me before they show up, unless you’ve been whitelisted following a previously approved comment. Clearly this little spambot is designed to move on and spam elsewhere if its comments are held in a moderation queue. A well behaved spambot, who would’ve thought it?

So, I’ve just had one spam to delete manually, but it’s a reminder that there’s nothing to stop a spammer from spoofing a different IP for every request, thus preventing blocking by address from working. Spamvalve will prevent a less well behaved spambot that makes multiple spam posts from one IP from bringing down your site with unwanted traffic but it’s not a magic bullet.

(To be fair, Dougal never claimed otherwise:

The plan I’m proposing won’t do anything to stop a large number of hosts who only send a couple of spams each. Those will have to be caught by the other anti-spam measures such as content filtering. What I’m primarily aiming for is to keep the worst of the repeat-offenders from tying up my resources for no good reason.

Comment #16 on Spammers should all DIE DIE DIE)

I’m just fortunate that I’m not yet on the spammers’ radar: obscurity has its advantages. But it’s annoying not to have the chance to properly test out my defences. I’ll regret those words when the storm hits.

There’s a new update for Michael Hampton’s Bad Behaviour anti-spam plug-in out today for anyone using it. I’m going to update and re-enable it from today and keep it running in parallel with spamvalve. I think it’s safest to have several different anti-spam tools in your arsenal.

Of course, the only sure way of blocking comment spam is to blacklist based on the sites the comments link to but that seems an unrealistic goal. Or is it?

Is Intel Supporting DRM?

Saturday, June 11th, 2005

Hot on the heels of yesterday’s post comes this news:

Microsoft and the entertainment industry’s holy grail of controlling copyright through the motherboard has moved a step closer with Intel Corp. now embedding digital rights management within its latest dual-core processor Pentium D and accompanying 945 chipset.

Intel quietly adds DRM to new chips (via Bruce Schneier). Let’s just hope Don Marti is right.

The Price of Freedom

Friday, June 10th, 2005

When catching up with an old friend, I told him about my recent fascination with open source. He confided that he didn’t see the need: “My brother’s really into that too, but…” He lowered his voice. “Personally I’m happy to use pirate software.”

GNU/Linux is free software in two senses of the word: it doesn’t cost anything for the right to use it (“free as in beer” as the perplexing cliche has it); and it is supplied with the source code and the right to change it as you desire (“free as in freedom” - or, as Edward Felten puts it, “the freedom to tinker”.)

Pirate software is free as in beer. To the non-programmer with no qualms about the legality and morality of their actions, that is the only thing that matters.

Open source demystifies software and encourages everyone to participate in its creation by giving them the tools and information with which to do so. But most users are frightened of machines. To someone fascinated with finding out how things work, open source is a great gift. To someone who wants an invisible computer that “just works” it is irrelevant.

Or is it?

I use Linux as my desktop OS but I’m not a purist. I have been quite happy to install a free but closed source binary on a laptop for a friend who would never think of writing a macro let alone grepping through code to tweak a feature he didn’t like. I’m happy to taint my own kernel with Nvidia’s closed 3D drivers. But when I see the politicians throwing their weight behind calls for Digital Rights Management, encouraged by old media with deep pockets, I am reminded of the political side of open source and that “free as in freedom” means more than “the freedom to tinker”.

Perhaps zealots like Richard Stallman are society’s last defence against a creeping reduction of rights. The dystopian in me can only too easily imagine a future in which only government-licensed software engineers are permitted to own programmable computers and the rest of the population make do with dumb consoles that are little more than fancy televisions.

Don Marti, editor in chief of Linux Journal, has no time for such elaborate pessimism. DRM is doomed, he thinks, because of the free market. It doesn’t make good business sense to develop it or invest in it. If You Don’t Believe in DRM, It Can’t Hurt You.

Why Nokia Chose Debian

Tuesday, June 7th, 2005

Dr. Ari Jaaksi of Nokia explains their choice of operating system for the forthcoming Nokia 770 Internet Tablet:

We get our kernel from kernel.org. The processes and package management [come] from Debian. We consider Debian to be the most advanced and most alive, truly open-source distribution.

It is important that Linux for the 770 is not controlled by any company. We go straight to the source. None of the distros were ready for Nokia hardware anyway, and we have internal expertise, so why go through a commercial vendor?

We are in this for the long run. Too many middle men is not a good strategy.

The 770 looks like it will be a beautiful device.

This Week I Will Be Mostly Testing SpamValve

Sunday, June 5th, 2005

Dougal Campbell has created a potent weapon in the fight against comment spammers with a tool that blocks them at the firewall level. If you have root access on your server, then you should consider trying SpamValve. It’s designed to work with ipfw on FreeBSD but with his help I’ve crudely hacked it to work with iptables on Linux. I’m going to try it out for the next week and see how well it works. If anyone wants to have a look at my changes, please drop me a line via =timhardy. I had the Llama book open and was teaching myself Perl as I made them so they’re pretty clumsy but I think they’ll work.

Follow This

Monday, May 23rd, 2005

Michael Hampton, producer of the Bad Behaviour anti-spam plug-in for WordPress, has posted a convincing attack on the rel="nofollow" attribute proposed by Google and implemented by MovableType, WordPress, Blogger, Flickr, and Slashdot.

This code gets added to any links left in comments on a site and is an instruction to search engines to ignore the link.

The supposed benefit? It stops link spammers from gaining Google ranking from your site. The major side-effect? It breaks the structure of comments and links back-and-forth with which weblogs maintain their position in search rankings.

The post effectively dismantles any claims about the effects of rel="nofollow" on link spammers, showing how in fact it is likely to lead to an increase in spamming attempts. Its only effect will be to make blogs drop lower in search results.

If I’m looking for information I’d rather read a post written by an interested individual who has taken time to research it for themselves than a press release reprinted verbatim by a lazy hack or marketing copy that deceives to sell. People who complain about “blognoise” in search results are misguided. If you keep finding irrelevant blog posts about someone’s new diet when you’re looking for something else, then learn how to use a search engine. Taking blogs out of Google won’t make poorly constructed attempts to search the internet any more precise.

There’s a nonofollow plugin for WordPress that removes rel="nofollow" from comments after a configurable number of days, allowing you to reward your true readers with a splash of googlejuice but giving you time to dump freeloading Texas Hold-em and his Viagra-toting buddies.

There are better ways to stop spammers. Michael is working on a real-time DNS-based blacklist to monitor the open proxies used to hammer websites with link spam so you can block any comments, pings or trackbacks sent via these anonymising machines. A WordPress plug-in is now available.

IT Jobs in the UK

Saturday, May 21st, 2005

A Slashdot posting warning of a future shortage of Computer Science graduates led me to this site: www.jobstats.co.uk/.

Every week, site creator Nick Wells parses job adverts in the UK and publishes an analysis breaking them down by skills, salary and region. Comparisons with past data enable you to see changing trends in the industry too.

In the face of so much “My job went to India and all I got was this lousy t-shirt” doomsaying, it’s good to see that there is still demand for IT professionals. My gut instinct tells me that a lot of people jumped onto the Information Technology bandwagon during the internet boom, lured by the insane money being thrown at inane ideas, and that these opportunists have now all jumped ship. I believe that people who are genuinely passionate about the possibilities of technology will find a way to make a good living from something they care about.

Then again, I have to believe in that. But that doesn’t mean it’s not true.