New Essay on Autoresponder practices

I wrote earlier this week on the discovery that people were blacklisting sites with email autoresponders. More thought and debate on the issue has led to a number of thoughts over how to solve the issues around autoresponders, in particular the concern that they will respond to messages with forged From addresses.

These thoughts have been laid out in this essay on practices for autoresponders which starts off by pointing to RFC3834, and goes further in a world where people might want to blacklist sites just for autoresponding.

The RFC specifies a way for an autoresponse to be reliably identified as such. Those who are blacklisting or filtering autoresponders can use this so that if they are going to go about blacklisting a site for running an autoresponder (as is required in the SMTP spec) that they only blacklist further autoresponses, and not ordinary mail from the same server. While some blacklisters, unfortunately, have a capricious disregard for the consequences of their actions, most of them agree that they should wish to block as little legitimate, desired mail as possible, ideally zero, so techniques which can make this happen deserve their attention.
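To make the labelling concrete, here is an added example in Python (not code from the essay or from any filter it discusses) showing both sides: a responder that marks its reply with the RFC 3834 `Auto-Submitted` field, and a filter whose listing for autoresponding blocks only labelled autoresponses. The function names, the `host_listed_for_autoresponding` flag and the example.org/example.net messages are assumptions made up for the illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample messages (not real traffic).
ORDINARY = (
    "Return-Path: <alice@example.org>\n"
    "From: Alice <alice@example.org>\n"
    "To: bob@example.net\n"
    "Subject: Lunch on Friday?\n"
    "Message-ID: <1234@example.org>\n"
    "\n"
    "Are you free?\n"
)
BOUNCE = (
    "Return-Path: <>\n"
    "From: MAILER-DAEMON@example.org\n"
    "To: bob@example.net\n"
    "Subject: Undeliverable mail\n"
    "\n"
    "Delivery failed.\n"
)


def auto_submitted_value(msg):
    """Return the Auto-Submitted keyword (RFC 3834 section 5), lowercased,
    with any ';' parameters dropped. A missing field is treated as 'no'."""
    raw = msg.get("Auto-Submitted")
    if raw is None:
        return "no"
    return str(raw).split(";", 1)[0].strip().lower() or "no"


def is_autoresponse(msg):
    """True when the message is labelled as an automatic reply."""
    return auto_submitted_value(msg) == "auto-replied"


def build_autoresponse(original, responder_addr, body):
    """Responder side: build a labelled reply, or return None when the
    original is itself automatic or carries no usable return path."""
    if auto_submitted_value(original) != "no":
        return None  # never answer automatic mail; this also stops loops
    # Address the reply to the envelope sender recorded in Return-Path,
    # not to the From header.
    _, rcpt = parseaddr(str(original.get("Return-Path", "")))
    if not rcpt:  # "<>" (a bounce) or no Return-Path at all
        return None
    reply = EmailMessage()
    reply["From"] = responder_addr
    reply["To"] = rcpt
    reply["Subject"] = "Auto: " + str(original.get("Subject", ""))
    reply["Auto-Submitted"] = "auto-replied"  # the reliable marker
    if original.get("Message-ID"):
        reply["In-Reply-To"] = original["Message-ID"]
        reply["References"] = original["Message-ID"]
    reply.set_content(body)
    return reply


def filter_decision(msg, host_listed_for_autoresponding):
    """Filter side: a listing earned by autoresponding blocks only labelled
    autoresponses from that host; its ordinary mail is still accepted."""
    if host_listed_for_autoresponding and is_autoresponse(msg):
        return "reject"
    return "accept"


if __name__ == "__main__":
    original = message_from_string(ORDINARY)
    reply = build_autoresponse(original, "bob@example.net", "I am away.")
    print(reply["Auto-Submitted"], "->", filter_decision(reply, True))
    print("ordinary mail ->", filter_decision(original, True))
```
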

There are many other techniques outlined in my essay on challenge-response best practices which are still not followed (admittedly in a few cases even by my own code, since I never put it into public distribution.) These techniques make C/R not only workable, but I believe a must in any good anti-spam system. If somebody’s anti-spam system is going to block my mail, I want the ability to know about it and reverse that decision by proving I’m not a robot. While it is annoying to have to respond to a challenge, if the alternative is not having your mail read, most people would take the challenge — if it was really necessary. C/R systems allow systems to have no false positives, at least for non-anonymous mailers, and that should be the goal for everybody.

Why can't a gas tank feed from both sides?

We risked running low on fuel today, and saw the car sputter briefly while going up a hill. Made it to the gas station fine, in fact with a gallon to spare, it seems.

I presume the gas lines in this car drain from one low spot in the gas tank, but when it's on a slope and very low, there's no fuel there. Why can't we have a series of drains at both back and front (and even all 4 corner points.) It would have to go down from there to stop air getting into the fuel line from the exposed fuel outlet, which may be the reason this isn't done, since the tank is usually down low for various good reasons. Could a smart valve allow for any hose exposed to air to close so that air doesn't get in the line?

I guess stalling going up a hill might not be the end of the world in most places, since you can go down to a flat part and start again, but in a "U" you would be trapped.

Student annotated video of lectures

Today many universities are doing video of their lectures, and making it available on the campus LAN (or older campus cable TV.) In some cases students are not going to class, but many just find it a useful addition.

I suggest an application where students, while watching the lecture, could press keys on their computer synced in timestamp with the video. They don't need to be online, they just need a modestly good clock. Buttons like "This is important, review this for the final." Or even comments like "I already know this" and "I'm lost."

Students might use the timestamps themselves to build a "best of" video of the lectures, since you could not possibly watch all the lectures to review for the exam. The combined votes of students could be merged to produce a consensus vote on the best and worst parts of the lecture.

The professor could even review these things to see where the students are getting lost, what material they think is most valuable etc.

Of course this could also be done with plain audio of the classes but video would show the course materials and blackboards.

Perhaps one student in the class might take it upon herself to edit together a study video for others to use. They could even charge for it if it were really good.

Spamcop blacklists autoresponders

I learned a couple of days ago my mail server got blacklisted by They don’t reveal the reason for it, but it’s likely that I was blacklisted for running an autoresponder, in this case my own custom challenge/response spam filter which is the oldest operating one I know of.

I understand the debate about the merit of C/R spam filters. Like all autoresponders, they can generate unwanted mail when spammers and viruses send mail with a forged From address, and the responder annoys the innocent victim. However, this is a problem common to all autoresponders, and unlike the even-more-hated open-relay, it doesn’t magnify the spam problem — there is one possibly annoying response per spam, not hundreds.

I am bothered because I don’t want to see anti-spam advocates fighting other anti-spam methods because they don’t agree with them, or blacklists in general used to punish people you don’t agree with. Spamcop should be fighting spammers, not anti-spammers.

In addition, e-mail autoresponse is an important mail tool. In fact, anti-spammers insist that mailing lists do a confirmed opt-in (also known as double opt-in), generally by autoresponse, before adding a person to a mailing list. When a mail server bounces directly delivered mail it can avoid doing an autoresponse, but if mail comes in through an MX — a vital feature of mail — it requires an autoresponse to bounce it. Vacation programs and many other tools use this ability.

Check to see if your mail system uses as a blacklist. If it does, disable it or switch to something else until they change this policy. Otherwise you won’t receive mail from me, and many others.

Update: My server is no longer blacklisted. I didn’t do anything (other than this blog post and a few complaints to people using the spamcop BL) so perhaps they auto remove. But it could happen again at any time until they change their policy. This is also a nasty DOS attack. Find anybody with any autoresponder, including a bounce of MX’d mail. Send forged mail to it with a From set to a spamtrap address — and they’re blacklisted. Also can be used against any sites that have you enter an E-mail address on a web page and then email that address to confirm you own it — you can get these sites blacklisted trivially. Every web form that can enter an E-mail address is at risk.

Rethinking household/office power, beyond 60hz

I’ve written before about the desire for a new universal dc power standard. Now I want to rethink our systems of household and office power.

These systems range from 100v to 240v, typically at 50 or 60hz. But very little that we plug in these days inherently wants that sort of power. Most of them quickly convert it to something else. DC devices use linear and switched mode power supplies to generate lower voltage DC. Fluorescent lights convert to high voltage AC. Incandescent bulbs and heating elements use the voltage directly, but can be designed for any voltage and care little about the frequency. There are a dwindling number of direct 60hz AC motors in use in the home. In the old days clocks counted the cycles but that’s very rare now.

On top of that, most of what we plug in uses only modest power. The most commonly plugged in things in my house are small power supplies using a few watts. Most consumer electronics are using in the 50-200w range. A few items, such as power tools, major appliances, cooking appliances, heaters, vacuum cleaners and hairdryers use the full 1000 to 1800 watts a plug can provide.

So with this in mind, how might we redesign household and office power…

How much must we keep the obvious from stupid criminals

One particularly interesting argument seen in the Underwatergate scandal is the one that the NYT, by revealing the existence of warrantless wiretaps on international communications lines, compromised national security.

Reporters asked how that can be. After all, surely the bad guys knew the U.S. had the ability to perform surveillance on them, and has a secret intelligence court, and was presumably getting lots of secret warrants to watch them, and was furthermore watching them overseas without being subject to the 4th amendment.

The White House response was effectively, "Well, we're catching some of them with this program. So obviously in spite of the fact that they should know we are listening, they forget, and we learn things." In other words, the bad guys are sometimes stupid, and by bringing a lot of publicity on the surveillance (legal or illegal) we're reminding them not to be stupid.

I've seen this issue talked about before. Many members of the mafia have been caught with wiretaps, saying things on phones that you think they would know are probably tapped. This argument is used to counter the claim that since encrypted communications are readily available (such as in Skype) the smart criminals will not get caught with wiretaps.

Furthermore, in this case, while the White House revealed only minimal details of the program, security experts in blogs and other media around the world engaged in all sorts of informed speculation about what's really going on. While the NYT didn't reveal any technical details, kernels in the discussion almost surely do.

I'm willing to accept that even the smart criminals make mistakes, and get caught this way, and this will continue. So indeed, heavy publicity around the surveillance techniques and issues probably does, as they claim, instruct or remind some bad guys not to use certain communications that could put them at risk for being caught.

The harder question is this: Does that imply we must keep silent on these issues? I think the answer is clearly no. The standard the spooks and White House suggest is untenable, and there is no clear way to draw the line. Because if we use the stupidity of criminals as a standard, then it's hard to see what public discourse might not be considered potentially harmful to the exploitation of the criminal's mistakes. Yes, it's clear to see that a massive public debate with constant articles in all major media is more likely to remind a bad guy to watch what he says on the phone, more than a single blog posting would. But this is a difference of degree, not of kind.

In the end, it's a security through obscurity argument of a particularly high order. Not only must we not let the bad guys know that we can wiretap, we must not remind them after it is presumed they already know. It's hard to imagine a rule against this that would not chill speech at an extreme level.

Crash-avoiding cars

I’ve written before about automatic self-driving cars, both their risks (overregulation due to fear of their use by terrorists) and possible driving forces (oil companies excited by people taking longer trips) and more.

Generally, except for a few specialized applications (such as the automatic parking lot) such cars, if they are to be used where people or cars that may not be under network control are present, must start with a basic ability to avoid accidents. In a vigorous debate with friend Charles Merriam last night, the question came up about where the value will lie. Charles is a big proponent of worrying first about crash-avoiding cars.

Right now we all pay from $250 to $500 per year, and often much more, for insurance to cover the risk of accidents. Of course, that’s just the financial cost, and financial proxies for suffering, so the real value we would put on an accident resistant car might be much higher. Perhaps $5,000 to $10,000 over the life of the car.

That seems like a highly lucrative market on its own. While the self-driving car has many other long term merits (because you can do other work while moving, and you don’t have to park it, and it can appear on demand as a taxi for you) we should be very close to financially justifying the accident-avoiding car today…

How to deal with illegal, classified operations?

The AP reports that the DoJ is going to investigate the Underwatergate "leak" to the New York Times. Many of course wish they would investigate the program instead, but since the AG was involved in it, that's difficult.

But this puts forward the complex problem of how to deal with, and stop, illegal classified programs. Because they are classified, they lack many of the checks and balances that exist for other government operations. Indeed, it is suspected that many programs get classified entirely or in part in order to avoid scrutiny.

In theory, one does not have to obey an illegal order. But in practice it takes a lot of guys to defy one. And it's hard to be certain an order is illegal when your superiors and their lawyers are insisting it is.

Senator Rockefeller is one of the people elected to provide oversight over intelligence activities, and he was told about the NSA spying. He was also told he could not consult with the advisors he needed on technical and legal issues to make proper judgements. This is an unacceptable situation. There must be checks and balances.

I don't like secret courts, but they are better than having no courts at all. There should be a secret court with auditing power over all secret activities of the government. Anybody should be able to file a complaint with this court that the government is engaging in illegal secret activities. The identity of the whistleblower must be fully protected, as well. The court should have full power to investigate any and all classified and secret programs to find out if they are engaging in illegal activity. And it should have full power and duty to punish illegal activity by anybody, including the President. (Judgements against the President and other top officials would be subject to appeal by the Supreme Court.)

Furthermore, when the court finds wrongdoing, details of this wrongdoing should be declassified as soon as possible and as much as possible. Even at risk to national security. That's because illegal covert activities by the government are a greater risk to the security of the people and the nation than most disclosures are.

How much auditing of secret programs does the GAO get to do? Can its role be expanded? This seems more a judicial idea than a congressional one but there's no reason that auditing of illegal secret activity should not go on in all branches, of all branches.

Absent such a process, the leak to the New York Times is the only answer. The whistleblowers who revealed this program did the right thing for the nation, and should be rewarded, not punished.

MMORPG for Seniors and Shut-ins

I was visiting a senior citizen today who rarely leaves her house due to lack of mobility. Like many her age, she is not connected to the net, nor interested in it. Which makes the following idea a challenge.

Could we design a really engaging game/online community for seniors? Especially those who have had to give up much of their old community because of infirmity? They don’t want to slay monsters like in Evercrack or Warcraft. They won’t build objects like in Second Life.

It must be a killer app — so compelling that they are willing to learn a bit about computers in order to get it. For some seniors, the killer app has been emails and photos from grandchildren.

The game would have to be aimed at the fantasies that seniors have, and it must also be deliberately aimed at the computer novice with less desire to learn new technology than average. (Not that there aren’t seniors with full ability to learn new tech — many of them are already online.)

Thus it would not necessarily require the hottest new graphics cards or fastest net connection. It might try to avoid typing or requiring fast reaction times. It might use audio for socializing, and focus on the topics most dear to these players. (I jokingly wonder if avatars should be surrounded by pictures of grandkids.) Obviously research is needed to see what they want to play about, and how to deliver it.

There are also questions of levels of ability. Some people become mentally infirm with age and their skills and desires are limited. But is there nothing in the way of interactive community entertainment we can offer them?

Giftwrapping Robot

Here’s a festive idea for a robotics company — a giftwrapping robot, able to take a standard, not particularly fragile rectangular box and perfectly giftwrap it.

This might be a viable product for online stores that offer giftwrapping options, but I think one decent market would be malls at Christmastime. Aside from making money charging for wrapping, it would be an attraction (especially in Japan where they love gifts) that brought in shoppers. I suppose some might worry it could deprive the charities that sometimes do giftwrapping in malls of a fundraising opportunity.

The robot would presumably grab the gift by its sides, and spin it or the paper roll to place a perfectly cut ring of paper around it with adhesive dabbed in the right places by a robot arm. The trickier part would be arms to fold the end folds.

Do you sense the fact that I just spent a lot of time wrapping? Due to the fear of customs and the TSA, I wrap my presents after I arrive in Toronto. The TSA did indeed open my box of gifts and one gift inside, providing the gift of TSA inspection tape for my nephew.

Shipping redirection and order editing

All the shipping companies today support very nice package tracking with web interfaces that let you see your package move through all the depots. Some day they might even send you an alert when it’s half an hour before delivery.

However, more than a few times I’ve wished for something else — package redirection, either at the behest of the recipient or the shipper. I talked earlier about my Addresscrow system, which would let you change your alias to mean different addresses as you move around, but this is more than that.

For example, when there is a problem ( screwed up on a 2-day shipping order and sent it ground, so I won’t get it for Christmas) they often tell you to refuse the shipment. That’s your easiest way of returning a product that arrives too late. Why not let me, or failing that the shipper, do that via the net? Or let the shipper convert the in-transit item from ground to 1-day or 2-day when it’s clear that it won’t arrive in the right place or at the right time? Yes, I realize that Fedex Ground was an entirely different company from Fedex air, but they do meet from time to time, and at worst case one could redirect a package to the nearest shipping office for the alternate service to be scanned and re-coded.

Ideally though one would just change the meaning of the barcode, and the next routing station would spit it down a different channel.

To make this even better, internet retailers should really do a better job of not finalizing orders until they are truly shipped. Often I’ve made a purchase at an internet retailer, and after paying been shown a special offer, or at least a link to “continue shopping.” Indeed, when I do change my mind, or realize I want to add something to the order, it’s tough. In many cases you must cancel the entire order and re-enter it all. Some let you cancel individual non-shipped items. A few will let you add an item but that’s very rare.

It should all be done just-in-time now. In the old days, you could just phone the place and they would amend the order sitting in the warehouse because they were in contact. Today that personal contact is gone but the computers should be able to do it. Yes, it might cost extra but as long as it costs less than doing a whole new order, it makes sense.

Underwatergate: How many E-mails tapped?

A lot of new developments in the warrantless wiretap scandal. A FISA judge has resigned in disgust. A Reagan-appointed former DoJ official calls the President a clear and present danger. And the NSA admits they have on rare occasions tapped entirely domestic phone calls, because sometimes people calling to or from international cell phones while those phones are in the USA would see the traffic go overseas and come back again. I have made such calls to Europeans and Australians visiting the USA.

So they can’t spot those calls as domestic and thus are performing surveillance on them. But what about E-mail? With E-mail, it’s a great deal harder to identify where the parties are, and what citizenship they hold. In some cases, almost impossible.

And more to the point, E-mails between two U.S. persons will quite often go through international servers. Unlike phones, where it’s expensive, anybody who travels outside the USA for long enough to warrant an E-mail address out there can easily keep it and many do. There’s not even a big reason for multinational ISPs to avoid routing messages to servers in Canada or other places. I maintain aliases on my own domain for all my family, for example, though most of them are not in the same country as the server. I am not alone.

Further, it’s likely that the order of surveillance they have done on E-mail is vastly greater than on phones. For the NSA, monitoring of all unencrypted E-mail — all of it — would be only a modest amount of work. We used to joke in the old days about putting NSA traps in our messages, see this thread from 21 years ago on the topic, and many others if you search for it. If enough people put those in messages, it would overload the systems, we mused.

Back then we were mostly kidding around. Today we have reason to be scared. And it’s time to put opportunistic crypto into E-mail as I detailed years ago, by default. (Since then, some projects to do this have popped up — One from Simson Garfinkel and another from PGP. MS Outlook also does it, but with an untenable user interface.)

Scandal name: Underwatergate

Seeing as this scandal seems to be revolving around the tapping, without warrants, of signals over the undersea telecom cables, I propose we call it Underwatergate.

What the NSA is doing with warrantless searches

It’s long, but I can strongly recommend the transcript of today’s press briefing on the NSA warrantless wiretaps. It’s rare to see the NSA speak about this topic.

One can read a fair bit between the lines. The reporters were really on the ball here, far more than one usually sees.

Particularly interesting notes include:

  • General Hayden of the NSA describes many reasons why they don’t use the FISA court, citing mostly “efficiency”
  • Reporters ask if they are listening for the word “bomb” — The AG says there is no blanket surveillance
  • The general states that the “physics” of the intercepts require one end be outside the USA

Independently, Senator Rockefeller’s letter where he wrote that he felt he needed “technical” advice to understand the issues, and that it reminded him of Poindexter’s TIA is very telling.

The efficiency claim is a smokescreen. They would not have taken this level of legal risk, no matter how much they feel what they did was legal, just to gain a little efficiency. It’s clear to me that they are telling the truth when they say they could not use the FISA court — they are performing surveillance that the FISA court would not authorize for them.

The question is, what? The AG says it is not “blanket” but clearly there is some fancy computerized surveillance going on here, something secret, beyond Carnivore. I can readily believe that all sorts of fancy broad surveillance could take place and not be considered “blanket” by the AG. (The AG actually says, “The President has not authorized blanket surveillance of communications here in the United States.”) I certainly hope he has not authorized that. But has he authorized it on all communications coming in and out of the USA?

Or something less, like computer search of all E-mails or phone calls to or from entire towns or nations? Perhaps speaker recognition to look for certain people’s voices on all international calls, no matter what number they use? Perhaps looking for all Arabic calls, and then doing blanket surveillance on them?

So much is possible, and all of this would not be authorized by the FISA court.

They knew they would get in legal trouble, so it’s also possible the intercepts, which the General says are on the international cables, are even placed outside the USA, either with or without the permission of foreign governments. (In extremes, they send submarines down to make taps.) Taps outside the USA are not under the rules of the wiretap act, though the 4th amendment still applies to US persons.

Spooky stuff. More to come.

P.S. If you have not been following it, it has now come out that the New York Times sat on this story for over a year, since before the 2004 election, whose outcome might have changed based on this news.

Major chains agree to end "war on white people"

Major retail chains Target, Wal-Mart and others announced today they will end the so-called war on white people that had resulted in most stores posting signs welcoming “shoppers” or “customers” instead of “white patrons”, even though white people represented a considerable majority of their business.

“I’m white, and I’m here shopping for gifts for my white friends, and I’m offended that the store has been pressured into making some generic greeting that doesn’t reflect me.” said William O’ Reilly, a concerned caucasian shopper. “If they’re not going to welcome me and my race, I am going to take my business somewhere else.”

O’Reilly’s complaint, echoed by dozens, perhaps scores of other shoppers, has led the chains to alter their policies. Signs declaring “Look good with today’s colors” will be replaced next year with “Look good in colors designed for white skin.” The “Happy holidays” sign, recently changed to “Merry Christmas” will be further changed to “Merry Christmas for White America” to reflect the ethnicity and religion of 80% of the shoppers in the stores.

Glacier National Park / Montana Panoramas

In the summer we did a road trip in the northwest, up to Calgary, through Banff in the summer and then to Oregon Country Fair. The photojournal is not yet ready, but I have prepared some of the panos. First, here is the Montana section, which means the Going to the Sun road through Glacier National Park. Truly one of the world’s great roads, I’m afraid the panos don’t do it justice.

Support our goddamned piece of paper ribbon

Ok, so this story is almost surely just an unconfirmed rumour, but the graphic I designed below still makes a nice ribbon.

Can I get a dishwasher with soft edges?

I don't know how many times I've gotten a scrape or cut from hitting a dishwasher door, while it's down, with my leg. It's very annoying how the sides are always sharp. They don't make the seal, that's on the front, so there's no reason these sides couldn't be soft, or even hard rubber that won't cut you. Perhaps some dishwashers I haven't owned do this, but I have yet to get one!

Smarter headsets, smarter headset jacks

Millions now use PCs for VoIP and online audio chat, and you soon realize the quality is vastly better if everybody uses a headset.

But there’s a problem on PCs. If you plug in headphones, it usually disables the regular speakers, often in hardware. So if you leave a headset connected, the system can’t play a ring sound when somebody calls you.

So time to rethink the design of the headset jacks, and the headsets themselves. Instead of disabling the main speakers, the presence of a plug in the jack should just be a software signal. Both the jack, and the speakers/speaker jack should be independent software-selectable outputs in the sound driver. Plugging in a headset should just change the default output. VoIP software, however, should be aware of this and know to send call audio to the headset, and ringing sounds to the speakers.

However, it could be even smarter than this. It might change its mind if it knows you are at the computer, or at least change the volume of the ringing on the speakers if you are at the computer. And make it louder if you haven’t touched the computer in a while.

Beyond that, we could make headsets smarter. They should be able to easily know if you have them on, due to tension in the headband or ear-strap. Earbuds could use a small temperature sensor to know if they are on. This could also affect where we direct sounds. Of course, this involves either a new headset jack, or perhaps more cleverly, a small and inaudible data protocol (or even something as simple as a click protocol) over the existing plugs. Many cell phones use a non-standard headset jack to include extra wires for button signals (such as to answer the phone). This should be formalized.

Of course, with bluetooth headsets and USB headsets, you have the potential for all sorts of additional communication with no change to the jack. A bluetooth headset should be able to tell, via temperature and pressure, if it is on the ear or not. It can even tell quite readily if you’re speaking or have spoken recently. Though I doubt most of the world is ready to wear their bluetooth headset all the time, though I do see people doing this more and more.

The fourth Wednesday is the best weekday to have your event

I just got an invitation to a new event series that I was told would take place on the First Tuesday of the month. However, I already go to two different dinners that take place on the First Tuesday, and I suspect that was no accident. For social events, people use the weekends, and for other events people prefer the weekdays. They have a psychological desire for the first week of the month.

So I ran a quick set of yahoo queries to find out how many hits there were on the web for "first monday" and similar strings. I figured that would tell when the most events do occur, and help people pick a day that is likely to have the least conflicts.

The results are below: