I've always felt uncomfortable with this statement
They should have x-rayed it first!
230 publicly visible posts • joined 15 Jul 2008
Recapping what I wrote here on El Reg a week or so ago is the problem I had with Mailgun SMTP, a freemium email relay service:
Your account is associated with one of Mailgun's SMTP relay servers when you sign up. Many other Mailgun customers share that server with you. Your local SMTP server relays all outgoing email to Mailgun's server, and typically, all of your incoming email comes from the relay too. If your email traffic starts getting blackholed, you can ask Mailgun's staff to switch you to another at random, which may have a better reputation than the one you had.
If you are a spammer looking to avoid being identified and trick others into paying for your deliveries, you just need to find domains which are served by Mailgun SMTP relay servers. Probably, you'll harvest this from header information in other email traffic you're collecting. Another possibility is spamming many domains with "Delivery Status Notification" turned on and looking to see if Mailgun servers convey the response. I'm not really sure. If you sign up for a bunch of Mailgun accounts, request switches, etc., you'll likely manage to acquire accounts with one of each of the SMTP servers which they offer. Then, all you need to do is send a payload of spam FROM one of your accounts that shares the SMTP relay server with this victim TO their local SMTP server, addressed to various addresses from your spamming list.
Since email servers like Postfix treat an SMTP relay/gateway as a trusted peer on the local network, it does not consider email which is injected this way to be relay mail. It treats it with the same trust as your workstation or whichever local machine you send your email from. The victim's SMTP server re-sends the spam email back OUT through Mailgun under its own reputation and quota. It skips local spam filters because since when do you scan "outgoing" email submitted by a trusted peer for spam? And so the spammer uses up your 10K free quota, and then your paid quota if you have one. It doesn't require your victim's login credentials, as Mailgun has given you your own. And, if there's any way to stop this exploit in configuration, I don't know what that is. If you take the SMTP relay server off your Postfix "local networks" list, then while it won't accept mail from there, nor will it send there any more either.
I provided Mailgun staff with every detail I had, log entries, copies of the spammer's incoming emails (which the spammer had stuffed with as many to: cc: and bcc: addresses as possible), but they pigheadedly refused to understand. I was scolded for running an open relay and they said there was no indication one of their other customers was doing anything. Oh, please! The emails I'd captured had all the headers and session data. I get the feeling one of their staff is dirty and exploiting customers who rarely use up their monthly quotas.
My workaround is to block incoming email from Mailgun, at our firewall. Our MX configuration now advertises our cable modem IP address for directly incoming email traffic. Also, Delivery Status Notification has been disabled, though that means legitimate folks won't get address bounce messages.
Chrome User: "You're grabbing our credentials and logging us into your previously-optional services without our consent or control! The only indication is an easily-overlooked color change to the "user" icon in the corner!"
Google: "What? Yes! You're welcome! We care deeply about our users and their safety, so we made a visible indicator that you were still logged in, in case you were sharing your device with someone else. Now they can log you out and then log themselves in separately! Keeping their browsing history separate from yours, and thus more accurate."
I use Mailgun for some community/volunteer organizations. We can send enough emails free for our purposes (newsletter, forum activity) or pay very little for a few additional thousands now and then.
When you sign up for Mailgun's services, you are assigned one of their half-dozen or so SMTP servers. We use Mailgun only to send out email, and not to receive it, but we are still tied to a fixed SMTP server at a particular IP address, as it is the one we must send out through. Since it is our "relay" or "gateway" address, Postfix considers that IP to be a "trusted" peer "within our network", but worse, it is treated as "trusted" mail which does not get filtered. Email is still received from that address, which is normal because most customers use it for mail both ways.
The problem is that we share that SMTP server with many other Mailgun users, and some of those other users are spammers.
Imagine my joy upon finding one day that the server was spooling an enormous amount of email, OUTGOING email, and none at all was being delivered... We had used up our free 10k ration at Mailgun somehow, which was refusing to deliver for the rest of the month!
I tracked the problem down to a small number of incoming emails, each with hundreds of "To:" recipients coming FROM mailgun, through our system, and then going back out through Mailgun, but thereby using our allotment and reputation.
I don't know how the spammers matched our domain with that particular SMTP server, but it probably isn't too hard for spammers to apply for multiple accounts on Mailgun until they have one with each of the available servers. Then, they just work through a long list of domain names until they find one which accepts relay. I could do the very same, and masquerade as any other Mailgun users if I shared their SMTP gateway. Using the email deliveries they were paying for after I'd burned through their free quota. I just need to know which SMTP gateway they were assigned, and exploit it. Anyone could grep their own server logs for email coming from Mailgun and collect a valid domain and SMTP gateway. It's practically a password to use someone else's account!
Sadly, Mailgun Support was no help, and blamed ME for the loophole. They wouldn't even investigate whom among their other users was sending spam through me, which should be a trivial task. They essentially defended the spammer and scolded me for running an open relay. But it's not an open relay. My local SMTP server rejects relay and blacklist email all day long. But it just CAN'T reject email from that particular Mailgun SMTP server, by design of Postfix!
I never found any proper solution to configuring Postfix, and had to resort to a firewall rule blocking all incoming traffic from our own SMTP relay server. We continue to accept email directly from the senders (except for China, Russia and all the other squirrely sources that hit our local blocklists).
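Both Mailgun posts above describe the same pattern: a message arrives from the shared relay's IP, carries many non-local recipients, and is queued straight back out through that relay. The following is an added example, not code from the original posts, that correlates Postfix log lines to surface exactly that pattern; the relay IP 203.0.113.10, the domain example.org and the log lines themselves are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed Postfix-style log sample (not from the original posts).
# 7F3A1B2C arrives from the relay and is re-sent back out through it.
# 9C4D2E3F arrives from the relay but is only delivered locally.
# 1A2B3C4D is ordinary outbound mail from a LAN workstation.
SAMPLE_LOG = """\
Jun  1 10:00:01 mx postfix/smtpd[2211]: 7F3A1B2C: client=mail.relay.example[203.0.113.10]
Jun  1 10:00:01 mx postfix/qmgr[1300]: 7F3A1B2C: from=<spam@attacker.example>, size=4120, nrcpt=3 (queue active)
Jun  1 10:00:02 mx postfix/smtp[2215]: 7F3A1B2C: to=<a@victim1.example>, relay=mail.relay.example[203.0.113.10]:587, delay=1.1, status=sent (250 Ok)
Jun  1 10:00:02 mx postfix/smtp[2215]: 7F3A1B2C: to=<b@victim2.example>, relay=mail.relay.example[203.0.113.10]:587, delay=1.2, status=sent (250 Ok)
Jun  1 10:00:02 mx postfix/local[2216]: 7F3A1B2C: to=<me@example.org>, relay=local, delay=0.3, status=sent (delivered to mailbox)
Jun  1 10:05:00 mx postfix/smtpd[2220]: 9C4D2E3F: client=mail.relay.example[203.0.113.10]
Jun  1 10:05:00 mx postfix/qmgr[1300]: 9C4D2E3F: from=<friend@other.example>, size=900, nrcpt=1 (queue active)
Jun  1 10:05:01 mx postfix/local[2216]: 9C4D2E3F: to=<me@example.org>, relay=local, delay=0.2, status=sent (delivered to mailbox)
Jun  1 10:06:00 mx postfix/smtpd[2230]: 1A2B3C4D: client=ws1.lan.example[192.168.1.20]
Jun  1 10:06:00 mx postfix/qmgr[1300]: 1A2B3C4D: from=<me@example.org>, size=500, nrcpt=1 (queue active)
Jun  1 10:06:01 mx postfix/smtp[2215]: 1A2B3C4D: to=<x@victim1.example>, relay=mail.relay.example[203.0.113.10]:587, delay=0.9, status=sent (250 Ok)
"""

RELAY_IPS = {"203.0.113.10"}      # placeholder: IP of the assigned relay server
LOCAL_DOMAINS = {"example.org"}   # placeholder: domains this server hosts

# Standard Postfix log shapes: smtpd records the submitting client,
# qmgr records the envelope sender and recipient count, smtp records
# each outbound delivery and which relay it went through.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=[^\s\[]+\[([\d.]+)\]")
NRCPT_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<[^>]*>, size=\d+, nrcpt=(\d+)")
TO_RE = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<([^>]+)>, relay=[^\s\[]+\[([\d.]+)\]")


def find_relay_loops(lines, relay_ips, local_domains):
    """Return queue ids that came in from a relay IP and were then sent
    back out through a relay IP to recipients outside local_domains."""
    client_ip = {}
    nrcpt = {}
    outbound = defaultdict(list)
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            client_ip[m.group(1)] = m.group(2)
            continue
        m = NRCPT_RE.search(line)
        if m:
            nrcpt[m.group(1)] = int(m.group(2))
            continue
        m = TO_RE.search(line)
        if m:
            qid, rcpt, relay = m.groups()
            domain = rcpt.rsplit("@", 1)[-1].lower()
            if relay in relay_ips and domain not in local_domains:
                outbound[qid].append(rcpt)
    findings = []
    for qid, rcpts in outbound.items():
        if client_ip.get(qid) in relay_ips:
            findings.append({
                "queue_id": qid,
                "client": client_ip[qid],
                "nrcpt": nrcpt.get(qid, 0),
                "relayed_out": rcpts,
            })
    return findings


if __name__ == "__main__":
    for f in find_relay_loops(SAMPLE_LOG.splitlines(), RELAY_IPS, LOCAL_DOMAINS):
        print(f"{f['queue_id']}: in from {f['client']}, nrcpt={f['nrcpt']}, "
              f"re-sent via relay to {len(f['relayed_out'])} external recipient(s)")
```

Run it against your real mail log with the relay IP and local domains filled in; each hit is a message that consumed your relay quota on someone else's behalf.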
In the early 2000s, the glorious international Wincor Nixdorf corporation didn't allow instant messengers on employees' desktops (at least not in my dept) so many people resorted to NET SEND which worked perfectly, assuming you knew your recipient's full machine name.
One evening, a new guy tried messaging his team lead, was ignored by them but engaged in a lengthy casual chat with someone who replied instead. The twist was that the new guy was messaging everyone on a whole network segment, if not everyone everywhere. Everyone in the room was simply ignoring the messages and no-one said a thing to him as the chat went on and on.
The other participant turned out to be a sysadmin overseas who simply wasn't kind enough to say "hey buddy, you're messaging everyone". NET SEND was disabled soon after the announcement was made to stop using it.
I was part of a team replacing Dell motherboards for that lovely swollen capacitor issue which they denied for another decade. One member was in such a hurry to be free for lunch that he crammed the CPU into the socket and slapped down the restraint without bothering to match the pins properly. It wouldn't close properly so he opened it up again (we were all standing there, waiting for him), observed all of the squashed pins, said in his nonchalant professor expert voice "Hmmmm, how did that happen?!". He didn't come back after that day.
That begs the question of how did it manage to gather up and eat all those other black holes in so little time. They've thought of that and it still doesn't pan out. The leading theory is that the initial black hole formed and fed in an environment of high-pressure gas before the deionization of the universe took place. The inward pressure was high enough that the outward pressure of its jets and radiation still couldn't blow the gas away so it was forced to guzzle for an exceptionally long time.
I don't think there's anything improbable about a colony ship heading out for a multi-generation trip to another star. In the event that we can build such self-contained colonies in the future, it will come after we've fully matured the technology of inhabiting ones orbiting here within the solar system. Thousands, or millions of them. People living inside will already be accustomed to spending their whole lives inside one colony, just as people still grow up, age and die without ever leaving their county or shire. Sustainability will be the way of life for everyone. It won't change their lives much if the colony is orbiting Earth, Mars, among the asteroids or coasting through interstellar space.
However, no-one is going to be traveling inside a big lump of raw rock. Imagine the energy required to move such inert mass, and consider that it's probably just a big pile of loose rubble. A mountain of unprocessed asteroid rock is just a waste. Instead, spacecraft colonies will protect themselves inside a shell of already-processed and refined resources, and lots and lots of water ice. Every bit of that will be useful to maintaining life and propulsion.
Another lesson in how the law is not the same as right, fair or moral...
Since the program is provided free of charge, M$'s $25 fee is for duplication and shipping of that free software on a CD. It only works by burning it onto a boot CD. You can pay them to make you a disc, make your own disc, or you can have the kid next door do it for you. Or anyone else.
Making the discs seem official was a dumb move though. And it seems more like they should have calculated his time based on how much he profited from the discs ($0). Or how much M$ provably "lost" in sales rather than assuming the maximum physically possible. [That's kind of funny, actually, assuming that all of the discs would surely be used. Not a good endorsement of M$... :D ]
I'm sure it comes down to the construction of the law, BUT I take a dim view of letting "victims" declare damages without providing any proof.
On the other hand, I wonder if the judge did him a favor charging him with $700k of pirate software instead of 28k instances of trademark infringement?
"I especially like jumping through several levels of pomposity to enter an area a cleaner walks in and out of via a side door with a floor polisher multiple times between nipping out for a fag."
Having worked as a janitor in a number of sensitive areas as a lad, I can vouch for this.
I worked for this semi-famous ISP, io.com, launched with money won from a lawsuit against the U.S. government. Their parent company's equipment had been seized and wrecked, based on a false claim that they were training hackers. It was just a role playing game, ya know. You rolled your dice to see if you'd "hacked" the "mainframe", etc.
Their mail cluster wasn't up to snuff and stopped delivering throughout the business day. Nothing but angry customer calls and our lies to them about "nothing we see on our end". Similar problem with newsgroups, which they gave up hosting in-house and outsourced. Their servers and fileshares weren't really set up with reasonable permissions, and you could literally telnet in, without a password, and browse customers' files. This even continued for some years after they had supposedly "hardened" so they could offer network security. Those servers were just a bunch of middling Pentium machines in cheap beige plastic cases sitting on shelves. The original modem pool was literally a bunch of 14.4 modems on a rack.
The above is an abbreviated account, you can visit this archival copy of their old website at io.fondoo.net if you like. Lots of pics!
IPv6 does not "coexist", it exists besides and outside of IPv4. It doesn't do IPv4 at all. And if we're going to switch to it, it needs to be a drop-in replacement which handles both, instead of an abstracted parallel universe where we struggle to find out what our address (or block) is, or to understand if our firewall is actually protecting us, let alone be able to choose which static IPv6 addresses we want our home web server to use.
Hurrah for everyone who found it "simple" to migrate to IPv6. Now kindly share your tutorials rather than sniffing at us old dinosaurs.
Speaking for myself, I don't care for the Glorious Republic of Gilead going over my once-legal public discussions for signs of being a compelling Influencer who would probably benefit from a Holy Redemption.
Nor do I care to accommodate today's bastards, who will be the Gilead's Commanders one day, to inject fake news into my newsstream, or monitor my fertility discussions with partner and doctors.
I guess I'm just a silly-willy.
Same way they're identifying TOR users, by matching the timing of encrypted packets to and from the user to the ones that come out various endpoints. Timing could be randomized a bit, but who wants unnecessarily delayed DNS queries? I don't think we can really trust a chain of new servers out there beyond our watchful ISPs. We need to install a new component on our devices which encrypts/tunnels all DNS queries, perhaps along with padding and random fake activity.
I can't fathom how spreadsheets from someone's workstation drive ended up in a public-accessible web folder on a server. Unless the company used a central server and web interfaces for its document storage? Or perhaps the visible documents were placed there by extortionists to prove that they'd hacked their network and were rummaging around... ?
OK then, FINE. I *may* have brought down a big U-shaped robotic tape storage vault by feeding it a cassette which I'd just dropped on the floor. In all fairness, no-one actually told me why the vault had to be shut off the next day so someone could go inside and cut out a wad of tape which was jamming one of the readers.
Since it's only "abuse" if graphics-grade chips are used in for-profit data center services (except for the established lucrative market of graphics cards for profitable bitcoin mining), "abuse" would seem to be a synonym for "flaw in Nvidia's business model". "Abuse" is a word which also implies a privilege had been granted with conditions imposed and accepted. Otherwise, there's no line one crosses to consider an "abuse". However, what we're seeing is a manufacturer blatantly attempting to forbid an *application* which competes with another one of their products, once that application catches their attention. Nvidia is far more clearly the abuser in my eyes.
Don't do it. Nextdoor is gobbling up the world's "neighborhood" forums. USA, Netherlands, Canada... Most of the biatching (see sitejabber.com) you'll read is about people fighting with each other and admins failing to moderate properly. But it gets worse. The corporation itself is keen to treat the admins and their users as pawns in their little games. Nextdoor will watch you and kick you out for ideological reasons. You won't be free to set your own rules, or make your own allowances and follow your own culture. Plus, the platform is stuffed with ads now.
Google "dawson neighborhood seized" and read about what they did to one group who ran an "alternative" forum for its neighborhood, to get away from the vindictively-censored Yahoo group their Neighborhood Association ran. Nextdoor said they were cool with it and would stand by free speech. The forum grew to hundreds in no time. Then, Nextdoor kicked off the admins and turned the site directly to the neighborhood association's old Yahoo forum admin.
I had high hopes for Google Groups, but unfortunately they're just... somehow really ugly. And setting up permissions is really not intuitive. Google hasn't updated them in years so we all know they'll be on the chopping block before long.
Agreed... I have some Yahoo email accounts which forward to other inboxes. For the last couple of weeks, mail arriving for a period of time will stop being forwarded. Then, I'll get newer emails. For the rest of the day, the older messages will start to gradually trickle in among them.
See, I understand the part where Ring and other IoT device hawkers spy on their customers to produce statistics to sell to other, more shadowy players.
What I don't abide in is how they lobotomized their devices so thoroughly that they don't merely send stats from the devices - the devices have to send out a signal and receive instructions from the server on how to ring the bell. That's pathetic!
I have their internet access cut off at the router so they can't call out or be reached from outside. Likewise, all of my embedded/IOT-like things are restricted to communicating with specific IP addresses on the LAN. Namely, my workstation and my web server where I run ZoneMinder to record activity.
ELP has a consumer line of laser record-players. They're "only" $4000 - $15,000 (down from $25,000). The advantage is that it has no needle to ever replace and shouldn't wear records down. The problem is that it's vastly more expensive for no gain in quality. I've read that it sounds fine, but not nearly fine enough for audiophiles to fork over the big bucks.
I've read of a similar system using an ultrasonic beam which is far cheaper and also sounds decent.
I've selected the Paris Hilton icon since she's a famous DJ now, hah!
Note that all they know is that these are regions which exhibit naked gravity without detectable source. Since matter is associated with gravity, they call it "dark matter". It's just as likely that it's something that gravity does on its own. My own pet theory is that it's a displaced gravity field caused by the matter pulled into black holes.
"And don't forget the prostate. A kind and loving God would have put that on the outside and made it easily replaceable."
Intelligent Design placed your prostate just on the other side of your rectal wall so your buddy can give it a nice massage every fortnight or so... :D
"I believe sintered rock tends to be inflexible and brittle."
I'm not aware that all "sintered rock" must have the same quality, nor that it is uniformly inadequate. Different chemistry leads to different physical properties. Think of the colony wall as an eggshell proportionately expanded to a sphere several miles across. Even if it's stronger against compression than tension, it's still up to either task. It'll be more like a ceramic. Additionally, it can be reinforced with fiberglass or carbon fiber threads mixed in, and formed in corrugated or spongy form as appropriate for flexibility and other characteristics.
"People are looking for habitable exoplanets because it's the first step to looking for exoplanets which actually have life on them"
This particular article doesn't mention colonizing other worlds, but pretty much all of them do. And most people read on through without realizing that living on alien worlds is just a sci-fi trope.
Put another way, we should stop searching the forest for comfortable caves to live in, since there is enough wood to build a city.
"While I don't disagree with you, I do wonder how orbital colonies shield the colonists from the sun's radiation."
Orbital colonies will shield from radiation about as well as the nearest mountain. A concrete-like shell 30-40 feet thick, an additional layer of soil and water features, millions of cubic feet of air above that. Also, colonies can be placed at the most convenient distance from the sun to maximize cooling vs energy collection vs ionizing radiation. They'll be clustered behind any natural protection if necessary.
"Will those trillions, born and growing up in a fraction of Earth gravity still be human after a few generations?"
I most certainly did not describe life in orbital colonies as being like "The Expanse's" "Belters". An orbital colony can be spun to simulate Earth-normal gravity, or even more if you want your kids to grow up even more muscular.
We have GOT to stop this unquestioned narrative about colonizing Mars, searching for alien planets in the Goldilocks Zone and all the rest of that nonsense.
None of them will have all of our basic needs as Earth provides, and at best we will have to live in domes or caves under the surface.
Landing in a gravity well is risky and expensive. Launching is even more expensive. There won't be any mining down there for anything but local needs. In fact, planet-dwellers are all-but trapped.
Terra-forming would take thousands of years, and humans just aren't capable of this kind of financial and logistical commitment.
But, we can build perfect homes almost anywhere in the form of orbital colonies. In orbit, where the easy-to-reach material is in the first place. In fact, out of the tailings left over from sifting more valuable components out of comets, asteroids and the smaller moons.
Sintered rock powder makes a tough, concrete-like substance. The heat source comes from a reflective mirror. It doesn't even need to be big; a mirror a few feet across can turn sand to glass here on earth. We build up the football or cylinder-shaped habitat like it's inside a gargantuan 3D printer.
We spin it, and establish the ecology of our choice inside, and feed it with power collected from the host star through panels floating nearby.
We'll likely use the Moon for material first, then Mars's moons, then the asteroids. There is material for millions of habitats, each with the population of a county. Before long, the vast majority of Humanity will exist in colonies orbiting the Sun, population exceeding trillions of people.
ANY system that has loose floating material, and a star that is hot or bright enough, without being too irregular, will do.
The galaxy could be teeming with established intelligent life already, perhaps mostly around red dwarfs as they are the most plentiful and live many times longer than Sun-like stars.
Despite having a google+ site and getting JUNK MAIL from google addressed to my business, they took my business location off of the map and it's a struggle to "trick" google into getting it to come up in search. There was one month that I kept getting phone calls from various people pretending to be customers who would chat a bit about my services and then ask if it was a home business or not... and then abruptly hang up on me. Google has also told me to "just create a new google+ page and re-list my business". Yeah, but I can't use my current business name then, idiots. Who's going to do business with "Linden Consulting2"?
"our data team"? You sure you don't want to capitalize those words to make them sound a tad more confident? You don't need a "Data Team", you need software developers, testers and at least a security consultant. I bet someone's flipping through their Rolodex for the number to that Chinese company who made the software for them...
Live iplayer streams could be made identifiable by manipulating packet lengths. They would initially be set at a particular, unusual length. After a set interval, they would change to another. And another. It would be a unique pattern like a serial number. One even could sniff encrypted packets and simply measure them by size and note the pattern. This would tell the spy exactly what program was being watched.
I'd go with the Ethernet option, but the Faraday cage works, too. One might be able to confuse the spy by playing two separate iplayer streams at the same time.
Yes, all joking aside, some printer cartridges literally, actually DO have expiration dates built in. There's a whole community of folks working out ways to circumvent this. Printer mfgrs are/were actually pressing to make this sort of thing illegal too. The reason for the expiration? Benevolent, kind-hearted printer mfgrs simply want to ensure you have "the best possible experience" heh. Also, when the inkjet cartridge is officially "empty" there's still hundreds of pages worth of ink throughout the capillary tunnels within it. If petrol cost the same as printer ink, a fill-up would cost half a million dollars. What is printer ink? Dirty water.