Comment Re:Boycott (Score 4, Interesting) 180

As one of the first users of this site (yes, I know my UID number, it's not my original one), I fully support this.

Moreover, IF the people running this site are so obstinate, stupid, and ignorant that they persist anyway: then the boycott needs to be permanent. We ALL need to leave. We need to teach a lesson, and if the only way that lesson can be communicated is over the bleak, abandoned corpse of slashdot, then that's how it has to be.

"I could warn you of course, but you would not listen. I could kill you, but someone would take your place. So I do the only thing I can. I go."

Comment Re:Maximum penalty... (Score 5, Insightful) 222

You're correct but it's not obvious that the law will actually be applied in this case. Clearly, the NZ and US both really, REALLY want to crucify Dot Com and are willing to break the law, cheat, lie, steal, defraud and everything else in order to do it.

Meanwhile, Slashdot Beta is absolute crap, and if the morons, idiots, and assholes pushing it persist in this stupidity, then they should expect a boycott.

Comment This is just another round of the scam (Score 4, Insightful) 198

As everyone knows, there was and is no actual need for these TLDs. Just like there was no need for .xxx. Just like there was no need for .mobi. Just like there was no need for .info. The entire process is driven NOT by the communal needs of the Internet, but by ICANN, which is now completely controlled by registrars -- registrars who are always looking for new/expanded revenue streams.

There WAS a time, as I'm sure some folks will remember, that "one entity-one domain" was the rule. That time is long gone, as it drastically restricts registrar profits. Now? It's not uncommon for single entities to control hundreds to hundreds of thousands of domains. I've been researching this issue, and have looked at about 60M domains so far: EASILY 90% of them are crap. They're owned by speculators, typosquatters, "landing page" operators, clickthrough scammers, and on and on and on. I suspect that as I expand my work, that percentage won't change much. In other words: we could delete 90% of the domains out there with no appreciable effect on the Internet.

This latest expansion is merely an attempt to continue the same game -- but with outrageous prices and profits.

Here is my recommendation: learn how to use DNS RPZ. As each one of these TLDs is introduced, add it to the list so that you effectively make it disappear from your view of the Internet. Encourage others to do the same. After all, you aren't required to resolve any domain or group of domains -- so don't. If enough of us do this, we will make these domains essentially worthless. (Why? Because without DNS resolution in place, end users won't be able to reach them with web browsers. MTAs that check for domain existence -- which they should -- will reject all mail to/from them. And so on.)

The Internet doesn't need this junk. YOU don't need this junk. So make it vanish.
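The RPZ approach the comment recommends, as an added example that is not part of the original post: a small Python script (not the commenter's code, not BIND's) that writes the response-policy zone entries needed to make a TLD and everything under it return NXDOMAIN, plus a matcher that mimics how a resolver applies QNAME triggers, exact name first and then the wildcard on each parent label. The zone name `rpz.local`, the serial, and the `newtld` entry are constructed placeholders; `.xxx` and `.mobi` are the TLDs named in the post.

```python
# Added example: build RPZ zone text that blanks out whole TLDs, and show how a
# resolver applies those rules. Zone name, serial and "newtld" are constructed.

UNWANTED_TLDS = ["xxx", "mobi", "newtld"]   # constructed sample list


def rpz_zone(tlds, zone="rpz.local", serial=2014010101):
    """Return zone-file text where each TLD and every name below it map to
    NXDOMAIN. In RPZ, 'CNAME .' is the action meaning 'answer NXDOMAIN'."""
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for tld in tlds:
        t = tld.strip(".").lower()
        lines.append(f"{t} CNAME .")      # the TLD label itself
        lines.append(f"*.{t} CNAME .")    # everything underneath it
    return "\n".join(lines) + "\n"


def parse_rpz_rules(zone_text):
    """Collect QNAME triggers (owner name -> action) from zone text made above."""
    rules = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "CNAME":
            rules[parts[0].lower()] = parts[2]
    return rules


def apply_rpz(qname, rules):
    """Mimic RPZ QNAME-trigger matching: exact owner first, then the wildcard
    of each parent, most specific first. Returns 'NXDOMAIN' for the '.' action,
    the CNAME target for any other action, or 'PASS' when nothing matches."""
    name = qname.rstrip(".").lower()
    candidates = [name]
    labels = name.split(".")
    candidates += ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        if cand in rules:
            action = rules[cand]
            return "NXDOMAIN" if action == "." else action
    return "PASS"


if __name__ == "__main__":
    zone = rpz_zone(UNWANTED_TLDS)
    print(zone)
    rules = parse_rpz_rules(zone)
    for q in ["www.shop.xxx", "mobi", "example.com", "xxx.example.com"]:
        print(f"{q:20} -> {apply_rpz(q, rules)}")
```

A name such as `xxx.example.com` passes, since only names ending in a blocked TLD are triggers; load the generated zone as a response-policy zone in a resolver that supports RPZ and it applies to every client using that resolver, which is the "make it disappear from your view" effect the post describes.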

Comment Captchas are dead, dead, dead (Score 1) 52

I've been saying this for years -- here and elsewhere. Yet their foolish supporters continue to insist on using them, despite the steady parade of demonstration proofs showing that they're easily defeated. (I'm not going to bother with the catalog of links this time. Use a search engine. Read the items that show up on the first two pages of results -- that should be enough.)

Either you're defending an important resource or you're not. If you're not, then you don't need captchas and shouldn't use them. If you are, then the first person who decides that your resource is worth the trouble will break your captchas, either by code, by brute force, by co-opted masses or by some combination of those. You have no shot. NONE. If you think so, then you didn't perform the exercise I suggest in the last paragraph.

A defense that is known-broken is not a defense at all.

Comment A modest proposal (Score 1) 770

In one of the great ironies of our time, those arguing for or supporting creationism are actually providing clinching proof that they themselves have failed to evolve into human beings: they're not members of Homo sapiens, as they have clearly failed part of the qualifying intelligence test.

Given that they are -- at best -- inferior primates, why should those of us who are clearly superior grant them human rights -- which, as the label indicates, are exclusive to humans? I certainly see no reason why we should be so generous.

Instead, I think, we should strip them of the franchise, of the right to own property, of their financial assets, and of their citizenship. They should be treated decently, of course, for the same reasons that we should treat horses or dogs decently. But certainly they don't merit consideration as peers, as by their own actions, they've shown they aren't. I envision vast farms where they're lovingly tended until it is time to harvest their organs -- painlessly, of course, but inevitably. Their meat is the only value that they have to the human race, and it would be a pity to waste or damage it.

Comment Re:no way the biggest hosts (Score 4, Insightful) 76

There are a large number of reasonably well-understood methods for dealing with this.

First, you have a working RFC 2142 role account address: abuse@ your domain. You pay attention to what shows up there. You reply promptly. You engage. After all, if someone is doing your job for you and doing it on THEIR dime, the least you can do is take advantage of it. Moreover, if you manage to do this reasonably well, word will get out, you'll earn the respect of your peers, and they will reward you with more reports -- again, doing your work for you for free.

Worth noting is that Amazon makes it nearly impossible to communicate with their abuse desk and fails to respond to reports in any way, let alone a timely one. And it's well known that GoDaddy frequently forwards them to the abusers.

Second, you pay attention to netflows. If a virtual host instance is opening up TCP connections on port 25 to a kazillion hosts/hour, then it's spamming. Any kind of perfunctory monitoring will spot this and a hundred other similar things in real time.

Third, you pay attention to who's behind the incidents. If you don't, then they'll just sign up over and over and over again. So you work to avoid that, by looking at the who, what, where, when patterns -- and you ban repeat offenders. This isn't watertight, of course -- but it doesn't need to be. If you raise the bar high enough, they'll just go somewhere else, which reduces your workload and lets you focus more tightly on what's left.

Fourth, you look at usage patterns. Most web sites do NOT display global usage patterns, particularly those which are connected to a domain registered yesterday. (Think about it.) If you observe that, then something's up: it might be legitimate. It's almost certainly not. The same thing applies to other services and other protocols.

Fifth, if you're Amazon, you have a highly paid legal staff. Use them. Smack the crap out of a few particularly egregious offenders in court. Make it noisy so that everyone else knows you're doing it. Again, this doesn't have to be watertight; it just has to discourage miscreants.

Finally (and I'm stopping here for brevity, there's a lot more), do all this publicly. Encourage your peers to do the same. Challenge them. Raise the collective bar, not just your own. Cooperate with your competitors.

All of this costs money. Not a stupid amount of money, but it does cost. Which is why it almost never gets done (see previous post).
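The netflow check from the comment's second point, as an added example that is not part of the original post and not any hosting provider's tooling: a Python script that reads flow records, counts how many distinct hosts each source contacted on TCP port 25 within each clock hour, and flags sources above a threshold. The flow format (`timestamp src sport dst dport proto`), the two sample instances, the documentation-range addresses and the threshold of 100 distinct peers per hour are all constructed for illustration.

```python
# Added example: spot SMTP fan-out from per-instance flow records.
# Record format, addresses and threshold are constructed, not from any real system.
from collections import defaultdict
from datetime import datetime


def doc_addr(i):
    """Map an index onto the RFC 5737 documentation ranges (never real hosts)."""
    nets = ["203.0.113", "192.0.2", "198.51.100"]
    return f"{nets[i // 254 % 3]}.{i % 254 + 1}"


def build_sample_flows():
    """Constructed flows: 10.0.0.5 is a quiet relay, 10.0.0.9 fans out widely."""
    flows = []
    for i in range(5):   # five outbound SMTP sessions in an hour: ordinary
        flows.append(f"2014-02-10T10:0{i}:00 10.0.0.5 5{i}000 198.51.100.{i + 1} 25 TCP")
    for i in range(400):  # 400 distinct port-25 peers in one hour: not ordinary
        m = i % 60
        flows.append(f"2014-02-10T10:{m:02d}:{m:02d} 10.0.0.9 {40000 + i} {doc_addr(i)} 25 TCP")
    flows.append("2014-02-10T11:00:00 10.0.0.9 41000 203.0.113.5 443 TCP")  # not SMTP, ignored
    return flows


def smtp_fanout_per_hour(flow_lines, dport=25):
    """Return {(src, 'YYYY-MM-DDTHH'): number of distinct dst hosts on dport}."""
    seen = defaultdict(set)
    for line in flow_lines:
        ts, src, _sport, dst, port, proto = line.split()
        if proto != "TCP" or int(port) != dport:
            continue
        hour = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")
        seen[(src, hour)].add(dst)
    return {key: len(dsts) for key, dsts in seen.items()}


def flag_spam_candidates(flow_lines, threshold=100):
    """Sources that reached >= threshold distinct port-25 peers in any hour."""
    counts = smtp_fanout_per_hour(flow_lines)
    return sorted({src for (src, _hour), n in counts.items() if n >= threshold})


if __name__ == "__main__":
    flows = build_sample_flows()
    for key, n in sorted(smtp_fanout_per_hour(flows).items()):
        print(key, n)
    print("flag for review:", flag_spam_candidates(flows))
```

Counting distinct destinations rather than raw connection count is the design choice worth noting: a legitimate relay may open many sessions to a handful of MX hosts, while a spamming instance touches a new host for nearly every connection. The threshold belongs in the hands of whoever knows the site's normal traffic, and a flagged source is a candidate for a human to look at, not an automatic ban.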

Comment Re:no way the biggest hosts (Score 5, Insightful) 76

Your comment is funny, but misses the point about economics of scale.

Amazon, with its immense resources, should be one of the cleanest hosts on the planet. They can afford, using their spare change, to staff a 24x7 abuse desk with very senior people. The budgetary impact wouldn't even be a blip. And with the right people, suitably empowered, they could keep their operation nearly free of malware, phishing, spam, and other forms of abuse. They're far better positioned to do this than many smaller operations, who couldn't possibly afford it.

But they haven't. Why not? Is it because they don't know? Unlikely. Of course they know. Is it because they don't know how to address it? Equally unlikely. Of course they do. They have some smart people on staff. No, they know what the problem is AND they know how to fix it.

They just don't want to.

Because even as (relatively) small as those costs would be, it's still cheaper for them to externalize them to the entire rest of the Internet, and let all of us deal with it. So rather than taking professional responsibility for their own operation, they've decided to just blow it off. After all: who's going to make them?

I would say the same about GoDaddy, but it's not true. They actively support, encourage, and endorse spam, malware, phishing and every other form of abuse. They have from the beginning, only their method of lying about it has changed. (And don't forget GoDaddy's own history of self-promoting spam.) But once again: who's going to make them do anything differently?

Until operations are held accountable for their actions -- which is something that we USED to do on this network, a long time ago -- most won't bother. And that is, in large part, why problems like spam and phishing and malware are epidemic.

Comment Unity, Mir, etc. are hardly the problem (Score 0) 346

That's not to say that they aren't problems: Unity is shit. Mir's design displays profound ignorance of X's design, including both its features and its liabilities. And so on. It's obvious that Canonical is ramming these down users' throats because they have to, as only the ignorant newbies who don't know any better would actually choose them.

But the real problem is that Canonical has now clearly demonstrated its commitment to embedding spyware in the distribution. (YES, I know that there's putatively an "off" switch for it. That is an unimportant and irrelevant distraction undeserving of discussion.) By doing so, Shuttleworth has clearly signalled that he's willing to sell out the security and privacy of Ubuntu users for revenue. And now that the user base is declining, expect an escalation of this strategy to compensate for it.

THAT is why the community is no longer relevant to Canonical. The community is standing in the way of their pursuit of profit, and profit (along with ego gratification) is Shuttleworth's priority. Wait and watch: this is only the beginning.

Comment Welcome to the disposable workforce (Score 1) 629

I'm one of those older people being shoved aside because I'm (pick one) too old, too expensive, too inflexible, too whatever.

Never mind my degrees, my experience, my continuing education, my track record of success, my ability to adapt, or my insight. None of that matters, because someone 30 years my junior can (putatively) do the same job -- they'll cost half as much and work twice as many hours, until, of course, their time comes and they're replaced just like I've been.

The fact that I bring incredible value to the table doesn't matter: in a position I recently held, I was asked to evaluate a project that had already sucked down $1.8M. I studied it carefully for several months, and concluded that it was so badly and fundamentally flawed that it had no chance of success -- the best course of action was to dump it and start over. Management didn't want to hear that, so they discarded my careful analysis and eliminated my position. Four years later, after spending $12M, they finally axed the project -- after achieving nothing. It would have been more cost-effective for them to (a) take my advice and (b) pay me $100K/year for those four years to do nothing: they'd have saved $11.6M.

My point being that those of us who are older sometimes have very finely-tuned instincts about failure: we've experienced it enough to know what it looks like when it's still a long way off. Simply listening to us when we say "ummm...no, that's a bad idea" EVEN IF WE DO NOTHING ELSE is likely to result in an enormous payoff, since it'll help avoid wasted effort and budgets. But of course it rarely works out this way: it's easier to hire 20-somethings, underpay them, work them to death, and enjoy the chorus of "yes" "yes" and "YES" that they generate because they don't yet realize that's the wrong answer.

Comment Webmail is for idiots; Outlook is for morons (Score -1, Troll) 292

Webmail is a trendy, attractive idea: it's also truly stupid. Every single implementation to date -- and yes, I've tried them all -- sucks. I could spend the next three hours typing in a litany of reasons why, from UI to standards compliance, security to features, but I presume that everyone with even a passing familiarity with email already knows this. So Yahoo's feeble attempts to coerce its employees into using their particular brand of suckage, while no doubt driven by an edict from above, run against the best interests of their own staff.

Which brings me to Outlook, the mail client of choice for the ignorant, the incompetent and the inferior. Nobody, and I do mean, NOBODY, of any worth would even consider lowering their professional standards this far. It speaks volumes about the very low quality of the personnel at Yahoo that they actually prefer this client over the many superior alternatives. That, in turn, explains in part why Yahoo's mail system is riddled with security holes and overrun by spammers, phishers, and abusers of all descriptions: there is nobody there intelligent enough to stop them.

So what this really comes down to is whether Yahoo personnel are using M$ or Yahoo garbage; I wonder if there are any whose feeble intelligence is sufficient to allow them to figure out that the only correct answer is "neither". There DO exist mail clients that -- while not perfect by any means -- are clearly, markedly better than either of these.

Comment This wasn't a mistake (Score 4, Insightful) 103

Shuttleworth/Canonical are just using the Facebook playbook:

1. Engage in an outrageous overreach.

2a. If there's no reaction: proceed.

2b. If there's a negative reaction, then walk it back just far enough to quell the outrage. Use weasel words. Pretend that you were just kidding. Call it an unfortunate oversight, a lapse, a mistake -- but be sure not to admit that it was deliberate and calculated.

3. Wait for outrage to die down.

4. Return to step 1.

This works beautifully on an audience that isn't paying attention, that can't generalize from specifics, that doesn't remember what happened yesterday, let alone last year or last decade.

Comment My god...it's full of fail (Score 1) 231

It really doesn't matter if IE does or doesn't render anything, as using it exposes one to the gaping security-hole-of-the-day. I'm not talking about the ones that make it to slashdot or even full-disclosure; I'm talking about the ones that show up on blackhat sites with pricetags attached. I'd call it a "parade", but it's more like an angry mob rushing through the streets: it's constant and pervasive.

Second, the Outlook service is an enormous source of spam. (Citation? Run a major email site, one with at least a million users. Pay attention to what arrives on port 25 from Outlook.) One of the things we've learned over the past couple of decades is that outbound abuse is a surface indicator of underlying security issues, thus the inference is that Outlook has been launched (in Microsoft's usual fashion) without a rigorous security audit.

Third, the entire concept of webmail is wrong, stupid, and broken. Every attempt to date, and I do mean EVERY attempt, to shoehorn SMTP/POP/IMAP into something that works in a browser, has failed miserably. That includes the freemail services and the open-source projects, the commercial offerings, and the homegrown ones. One would think that given the landscape of uninterrupted failure that stretches all the way to the horizon that people would stop long enough to realize that the problem isn't the implementation: it's the concept. But no, web sites and mailing lists are filled with endless debate over how to "improve webmail". The required improvement is to abandon it entirely.

Finally, "using Google products" is an increasingly bad idea, as it's obvious that they've been thoroughly backdoored at least once -- which means that it won't be long until they've been backdoored again. And again. Yes, for many lazy and inferior people, "using Google products" is a fast answer -- but it's the wrong one.

Comment Shuttleworth really doesn't have standing to speak (Score 1) 419

Not since he sold out to the spammers at Marketo and turned Ubuntu into spyware.

Both of which are a pity, as it was a distribution that many people, including me, found quite useful for deployment in environments where we were trying to ease people away from their addictions to Microsoft and Apple products. But given our requirements (among which security and privacy are paramount) we simply couldn't justify using a distribution that was known to be compromised.

Yes, yes, I know we could turn off the malware features, but that's hardly the point: once a distribution maintainer is known to be inserting spyware, they can never be trusted again. Nothing at all stops them from silently including the same thing (or something similar) in a routine update. Shuttleworth and Canonical have provided an existence proof that they cannot and must not be trusted: they should be ostracized from the Linux and open-source world, as they are clearly unfit to be any part of it.

Comment The destruction of trust (Score 5, Insightful) 397

The worst part of the damage done by this isn't technical. It's human.

The reporting on this latest disclosure reveals that the NSA has systematically inserted itself into the standard-crafting process, in order to deliberately weaken those standards. It also reveals that the NSA has bypassed the management of communications providers and recruited technical staff directly. In both cases it's reasonable to assume that the people involved have been through a security clearance process and are thus barred for life from disclosing what they know.

I must now ask myself how many people I've worked with weren't doing so in good faith. When they argued that such-and-such a fine point of a network protocol standard didn't need improvement or that it should be changed in a certain way, were they doing so because it was their principled engineering opinion, or because it served some other purpose? Or when they were recommending that one of the many operations I've run move its colocation point or change its router hardware, was that good customer service, or was it to facilitate easier traffic capture?

Will anyone be asking themselves the same questions about me? (They probably should.)

The Internet was built on, and runs on, trust. Every postmaster, every network engineer, every webmaster, every system admin, every hostmaster, everyone crafting standards, everyone writing code, trusts that everyone else -- no matter how vehemently they disagree on a technical point -- is acting in good faith. The NSA, in its enormous arrogance, has single-handedly destroyed much of that trust overnight.

Comment Procmail is a fine tool -- but the wrong tool (Score 5, Informative) 190

If spam has made it far enough that it's actually reached your personal instance of procmail, then there's been a problem earlier in the chain. Procmail rulesets should be a last resort, and they should only be asked to deal with minor issues that aren't dealt with via earlier rulesets.

The first line of defense is your perimeter routers. They should implement BCP 38, they should block bogons, and they should bidirectionally deny all traffic to/from the Spamhaus DROP list. In addition, they should block inbound port 25 traffic from everywhere on the planet that you don't need email from. In other words: the fact that someone in country X wants to email you is unimportant unless you actually wish to receive mail from them. Yes, this is a reversal of default-permit, for a simple reason: default-permit for SMTP stopped being reasonable around 2000. Use http://www.ipdeny.com/ to pick up the ranges per-country and only permit what you need. (Obviously a major research university can't do this. But Joe's Furniture, which does not have customers in Peru or Pakistan or Greece, can.)

Then use blacklists, the best defense against spam we've ever developed. (Source: 30+ years of email experience.) Spamhaus's Zen blacklist is a good one with a low FP rate and a tolerable FN rate. Augment these with local blacklists based on domains and network allocations. Augment those with as much blocking of generic hostnames and dynamic IP space as possible: real mail servers have real hostnames and are on static addresses.

Then enforce RFC requirements: sending host must have rDNS, that PTR must resolve, what it resolves to should be the sending host's IP. Sending host must HELO as FQDN or bracketed dotted-quad; if FQDN, must resolve. Sending host must not send traffic pre-greeting. And so on. Enforcing these DOES mean occasionally you block mail sent by non-spamming entities: but since they are incompetent non-spamming entities, why would you want mail from them?

Add greylisting. It'll handle a lot of annoying hosts that haven't learned to retry yet.

Rate-limit based on normative values for your site. For example: if analysis of a year's worth of mail logs shows that during that time you never received more than 10 messages a day from ANY host, then rate-limit at 30 or 40. You'll never hit it in normal practice; but if you get hammered by a fast-sending host, you'll blunt the attack. Note that these don't have to be perfect to work: provided you send deferrals (SMTP response codes 4xx) instead of refusals (5xx) the worst that happens is that you will mistakenly impose a delay.

There's more -- it's possible to get quite crafty about this. But note that NONE of these measures pay any attention to content. There's a reason for that: spammers can defeat content-based measures at will. They won't have it so easy with these.

Deployed in production in various setups ranging from a dozen to eight million users, these steps yield a FP rate of about 10e-6 to 10e-7 and a FN rate around 10e-5 to 10e-6. Tuning helps, of course: initial rates can be higher but log analysis (which all sensible postmasters do) readily brings them down. If you have the luxury of running your own mail server just for yourself, then you can REALLY tune this setup: you should be able to get the FN rate down to 10e-7 after a few months.
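The connection-time checks from the comment (rDNS/PTR consistency, HELO as a resolvable FQDN or bracketed dotted-quad, no traffic before the greeting, greylisting, and a per-host daily rate limit that defers with 4xx rather than refusing with 5xx), as one added example that is not part of the original post and not the configuration of any real MTA. It is a Python model of the policy decision a receiving server makes, with a constructed in-memory DNS view standing in for live PTR and A lookups; the host names, addresses, 300-second greylist delay and daily limit of 40 are all assumptions.

```python
# Added example: model the pre-DATA acceptance policy described in the post.
# The DNS tables, hostnames, addresses and limits below are constructed, not live.
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed DNS view. 192.0.2.30 has no PTR; 192.0.2.20's PTR does not point back.
PTR = {"192.0.2.10": "mx1.example.org", "192.0.2.20": "host20.example.net"}
A = {"mx1.example.org": "192.0.2.10", "host20.example.net": "192.0.2.99"}

FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def rdns_ok(ip):
    """PTR must exist, must resolve, and the A record must equal the connecting IP."""
    name = PTR.get(ip)
    return name is not None and A.get(name) == ip


def helo_ok(helo):
    """HELO must be a resolvable FQDN or a bracketed dotted-quad address literal."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            ipaddress.IPv4Address(helo[1:-1])
            return True
        except ValueError:
            return False
    return bool(FQDN_RE.match(helo)) and helo.lower() in A


@dataclass
class PolicyState:
    greylist: dict = field(default_factory=dict)     # (ip, sender, rcpt) -> first seen
    daily_count: dict = field(default_factory=dict)  # (ip, day number) -> attempts


def decide(ip, helo, sender, rcpt, now, state,
           grey_delay=300, daily_limit=40, spoke_early=False):
    """Return the SMTP reply for this delivery attempt. `now` is epoch seconds.
    5xx = refuse (the client is broken), 4xx = defer (a mistake only costs delay)."""
    if spoke_early:                       # client sent data before the greeting banner
        return "554 protocol violation: traffic before greeting"
    if not rdns_ok(ip):
        return "550 rDNS check failed: PTR missing or does not match"
    if not helo_ok(helo):
        return "550 HELO must be a resolvable FQDN or [a.b.c.d]"
    key = (ip, sender.lower(), rcpt.lower())
    first_seen = state.greylist.setdefault(key, now)
    if now - first_seen < grey_delay:     # unknown triple: ask the sender to retry
        return "450 greylisted, please retry later"
    day = (ip, now // 86400)
    state.daily_count[day] = state.daily_count.get(day, 0) + 1
    if state.daily_count[day] > daily_limit:
        return "450 rate limit exceeded, please retry later"
    return "250 OK"


if __name__ == "__main__":
    st = PolicyState()
    attempts = [("192.0.2.30", "mx1.example.org", 1000),   # no PTR
                ("192.0.2.20", "host20.example.net", 1000),  # PTR/A mismatch
                ("192.0.2.10", "bogus", 1000),               # bad HELO
                ("192.0.2.10", "[192.0.2.10]", 1000),        # first contact: greylisted
                ("192.0.2.10", "[192.0.2.10]", 1400)]        # retry after delay: accepted
    for ip, helo, t in attempts:
        print(ip, helo, "->", decide(ip, helo, "a@example.org", "b@example.net", t, st))
```

The only deliberate design point beyond the post's list is the split between 550 and 450: the checks that identify a misconfigured or non-compliant client refuse outright, while greylisting and the rate limit defer, so a well-behaved MTA that retries loses nothing but time, which is exactly the failure mode the post says is acceptable.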
