Security

Promising Jobs At the US Postal Service, 'US Job Services' Leaks Customer Data (krebsonsecurity.com) 12

An anonymous reader quotes a report from KrebsOnSecurity: A sprawling online company based in Georgia that has made tens of millions of dollars purporting to sell access to jobs at the United States Postal Service (USPS) has exposed its internal IT operations and database of nearly 900,000 customers. The leaked records indicate the network's chief technology officer in Pakistan has been hacked for the past year, and that the entire operation was created by the principals of a Tennessee-based telemarketing firm that has promoted USPS employment websites since 2016. KrebsOnSecurity was recently contacted by a security researcher who said he found a huge tranche of full credit card records exposed online, and that at first glance the domain names involved appeared to be affiliated with the USPS. Further investigation revealed a long-running international operation that has been emailing and text messaging people for years to sign up at a slew of websites that all promise they can help visitors secure employment at the USPS.

Sites like FederalJobsCenter[.]com also show up prominently in Google search results for USPS employment, and steer applicants toward making credit card "registration deposits" to ensure that one's application for employment is reviewed. These sites also sell training, supposedly to help ace an interview with USPS human resources. FederalJobsCenter's website is full of content that makes it appear the site is affiliated with the USPS, although its "terms and conditions" state that it is not. Rather, the terms state that FederalJobsCenter is affiliated with an entity called US Job Services, which says it is based in Lawrenceville, Ga. The site says applicants need to make a credit card deposit to register, and that this amount is refundable if the applicant is not offered a USPS job within 30 days after the interview process. But a review of the public feedback on US Job Services and dozens of similar names connected to this entity over the years shows a pattern of activity: Applicants pay between $39.99 and $100 for USPS job coaching services, and receive little if anything in return. Some reported being charged the same amount monthly.
Michael Martel, spokesperson for the United States Postal Inspection Service, said in a written statement that the USPS has no affiliation with the websites or companies named in this story.

"To learn more about employment with USPS, visit USPS.com/careers," Martel wrote. "If you are the victim of a crime online report it to the FBI's Internet Crime Complaint Center (IC3) at www.ic3.gov. To report fraud committed through or toward the USPS, its employees, or customers, report it to the United States Postal Inspection Service (USPIS) at www.uspis.gov/report."

A list of all the current sites selling this product can be found in Krebs' report.
Programming

Rust Foundation Solicits Feedback on Updated Policy for Trademarks (google.com) 41

"Rust" and "Cargo" are registered trademarks held by the Rust Foundation — the independent non-profit supporting Rust's maintainers. In August 1,000 people responded to the foundation's Trademark Policy Review Survey, after which the foundation invited any interested individuals to join their Trademark Policy Working Group (which also included Rust Project leaders). They've now created a draft of an updated policy for feedback...

Crate, RS, "Rustacean," and the logo of Ferris the crab are all available for use by anyone consistent with their definition, with no special permission required. Here's how the document's quick reference describes other common use-cases:
  • Selling Goods — Unless explicitly approved, use of the Rust name or Logo is not allowed for the purposes of selling products/promotional goods for gain/profit, or for registering domain names. For example, it is not permitted to sell stickers of the Rust logo in an online shop for your personal profit.
  • Showing Support of Rust — When showing your support of the Rust Project on a personal site or blog, you may use the Rust name or Logo, as long as you abide by all the requirements listed in the Policy. You may use the Rust name or Logo in social media handles, avatars, and emojis to demonstrate Rust Project support in a manner that is decorative, so long as you don't suggest commercial Rust affiliation.
  • Inclusion of the Marks in Educational Materials — You may use the Rust name in book and article titles and the Logo in graphic components, so long as you make it clear that the Rust Project or Foundation has not reviewed/approved/endorsed your content.

There's also a FAQ, answering questions like "Can I use the Rust logo as my Twitter Avatar?" The updated policy draft says "We consider social media avatars on personal accounts to be fair use. On the other hand, using Rust trademarks in corporate social media bios/profile pictures is prohibited.... In general, we prohibit the modification of the Rust logo for any purpose, except to scale it. This includes distortion, transparency, color-changes affiliated with for-profit brands or political ideologies. On the other hand, if you would like to change the colors of the Rust logo to communicate allegiance with a community movement, we simply ask that you run the proposed logo change by us..."

And for swag at events using the Rust logo, "Merch developed for freebies/giveaways is normally fine, however you need approval to use the Rust Word and/or Logo to run a for-profit event. You are free to use Ferris the crab without permission... If your event is for-profit, you will need approval to use the Rust name or Logo. If you are simply covering costs and the event is non-profit, you may use the Rust name or Logo as long as it is clear that the event is not endorsed by the Rust Foundation. You are free to use Ferris the crab without permission."


Programming

Extensions are Easily Impersonated in Microsoft's VSCode Marketplace, Researchers Say (infoworld.com) 28

74.48% of developers use Microsoft's Visual Studio Code, according to one survey conducted by StackOverflow. And besides GitHub Copilot, there's over 40,000 other extensions in the VSCode Marketplace.

Unfortunately, InfoWorld reports, "Researchers at Aqua Nautilus say they have found that attackers could easily impersonate popular extensions and trick unknowing developers into downloading them." It can be challenging to distinguish between malicious and benign extensions, and the lack of sandbox capabilities means that extensions could install ransomware, wipers, and other malicious code, Aqua security researcher Ilay Goldman wrote in a January 6 blog post. ["In fact, it can access and even alter all the code that you have locally and even use your SSH key to change the code in all your organization's repositories."] VS Code extensions, which provide capabilities ranging from Python language support to JSON file editing, can be downloaded from Microsoft's Visual Studio Code Marketplace.

Aqua Nautilus uploaded an extension masquerading as the Prettier code formatter and saw more than 1,000 installs in less than 48 hours, from around the world. The spoof extension has been removed.

Goldman noted that the Visual Studio Code Marketplace runs a virus scan for each new extension and subsequent updates, and removes malicious extensions when it finds them. Users can report suspicious-looking extensions via a Report Abuse link.

"While the media is full of stories about malicious packages that have been uploaded to popular package managers such as NPM and PyPI, there is very little information about malicious VSCode extension," the blog post notes. Yet it points out that a blue checkmark on a VSCode extension "merely means that whoever the publisher is has proven the ownership of a domain. That means any domain."

And even Microsoft acknowledged to InfoWorld that social engineering techniques have been used to persuade victims to download malicious extensions — though they point out that Microsoft confirms that each extension has a Marketplace certificate and verifiable signature before being installed. "To help make informed decisions, we recommend consumers review information, such as domain verification, ratings and feedback to prevent unwanted downloads."
Censorship

Tor Browser Now Bypasses Internet Censorship Automatically (bleepingcomputer.com) 18

An anonymous reader quotes a report from BleepingComputer: The Tor Project team has announced the release of Tor Browser 11.5, a major release that brings new features to help users fight censorship easier. [...] The updates in Tor Browser 11.5 focus on circumventing censorship, a process that started a year ago in version 10.5 with improving the Tor connection experience. In the new version, users no longer have to manually try out bridge configurations to unblock Tor.

Tor Browser version 11.5 comes with a new feature called "Connection Assist," which assigns automatically the bridge configuration known to work best for the user's location. "Connection Assist works by looking up and downloading an up-to-date list of country-specific options to try using your location (with your consent)," explains the release announcement. "It manages to do so without needing to connect to the Tor Network first by utilizing moat – the same domain-fronting tool that Tor Browser uses to request a bridge from torproject.org." Since Connection Assist is still in an early stage of development (v1.0), the Tor team welcomes user feedback and reports, which would help them iron out any kinks and improve on the system.

Another important new feature in version 11.5 is making 'HTTPS-Only Mode' the default browsing mode, so that the connection is through a secure tunnel. This ensures that all data exchange between the user and the server hosting the website will be encrypted, to defend against man-in-the-middle (MitM) attacks and to protect users from SSL stripping on malicious exit relays. [...] The third significant improvement in Tor Browser 11.5 is a heavily revamped Network Settings menu, now called "Connection Settings," which should make it easier to find and understand specific settings. Most notably, bridge configuration and connection options have been redesigned to enable quick and easy review and management. Using emojis on the saved Bridges, the new interface offers visualization for the configuration for the first time, making it easy to identify the right bridge and select it when needed.
You can download the latest Tor Browser from the official download portal.
Microsoft

Microsoft Brings 'Windows Subsystem for Linux 2' to Windows Server 2022 (theregister.com) 23

With the latest preview patch, Windows Server 2022 now supports WSL2 Linux distros, the Register reports: The move ends an odyssey that began with the arrival of the Windows Subsystem for Linux (WSL) 2 on Windows 10 several years ago and with users' calls for Windows Server to get the same treatment. The change is also somewhat of an about-face from Microsoft. In 2021, in response to pleas from users to backport the tech to Windows Server 2019, [Principal program manager for Windows Server Jeff] Woolsey described WSL in early 2021 as "fantastic for dev" and "perfect for Windows client" but warned: "If we put it in Windows Server, people will use it in production scenarios for which it isn't intended." The approved path was to spin up a full Linux VM. Quite a bit heftier than the lighter-weight WSL2.

Signs of Microsoft listening to feedback showed up earlier this year, as Microsoft Program Manager Craig Loewen "clarified" that WSL2 distros would work on Windows Server version 2004 and 20H2, although the LTSC versions found in many data centers remained free of WSL2. Until this week, that is.

TechRadar provides some context: WSL 2, which was originally released in May 2019, uses virtualization technology to run an open source Linux kernel inside of a lightweight utility virtual machine (VM). This empowers Windows users to run popular Linux apps such as Docker. Microsoft claims that unlike a traditional VM experience — which it says can be slow to boot up, is isolated, consumes a lot of resources, and requires your time to manage it — WSL 2 does not have these attributes....

The KB5014021 update is currently optional, but will be automatically rolled out to users next month....

Windows Server updates have not been without issues in recent months, however, with Microsoft having to address various problems caused by the January 2021 Patch Tuesday updates. The company issued an emergency out-of-band update to address bugs that forced domain controllers to reboot endlessly, broke Hyper-V, and rendered ReFS volumes inaccessible while showing them as RAW file systems.

Piracy

Is 'The NFT Bay' Just a Giant Hoax? (clubnft.com) 74

Recently Australian developer Geoffrey Huntley announced they'd created a 20-terabyte archive of all NFTs on the Ethereum and Solana blockchains.

But one NFT startup company now says they tried downloading the archive — and discovered most of it was zeroes. Many of the articles are careful to point out "we have not verified the contents of the torrent," because of course they couldn't. A 20TB torrent would take several days to download, necessitating a pretty beefy internet connection and more disk space to store than most people have at their disposal. We at ClubNFT fired up a massive AWS instance with 40TB of EBS disk space to attempt to download this, with a cost estimate of $10k-20k over the next month, as we saw this torrent as potentially an easy way to pre-seed our NFT storage efforts — not many people have these resources to devote to a single news story.

Fortunately, we can save you the trouble of downloading the entire torrent — all you need is about 10GB. Download the first 10GB of the torrent, plus the last block, and you can fill in all the rest with zeroes. In other words, it's empty; and no, Geoff did not actually download all the NFTs. Ironically, Geoff has archived all of the media articles about this and linked them on TheNFTBay's site, presumably to preserve an immutable record of the spread and success of his campaign — kinda like an NFT...

We were hoping this was real... [I]t is actually rather complicated to correctly download and secure the media for even a single NFT, nevermind trying to do it for every NFT ever made. This is why we were initially skeptical of Geoff's statements. But even if he had actually downloaded all the NFT media and made it available as a torrent, this would not have solved the problem... a torrent containing all the NFTs does nothing to actually make those NFTs available via IPFS, which is the network they must be present on in order for the NFTs to be visible on marketplaces and galleries....

[A]nd this is a bit in the weeds: in order to reupload an NFT's media to IPFS, you need more than just the media itself. In order to restore a file to IPFS so it can continue to be located by the original link embedded in the NFT, you must know exactly the settings used when that file was originally uploaded, and potentially even the exact version of the IPFS software used for the upload.

For these reasons and more, ClubNFT is working hard on an actual solution to ensure that everybody's NFTs can be safely secured by the collectors themselves. We look forward to providing more educational resources on these and other topics, and welcome the attention that others, like Geoff, bring to these important issues.

Their article was shared by a Slashdot reader (who is one of ClubNFT's three founders). I'd wondered suspiciously if ClubNFT was a hoax, but if this PR Newswire press release is legit, they've raised $3 million in seed funding. (And that does include an investment from Draper Dragon, co-founded by Tim Draper which shows up on CrunchBase). The International Business Times has also covered ClubNFT, identifying it as a startup whose mission statement is "to build the next generation of NFT solutions to help collectors discover, protect, and share digital assets." Co-founder and CEO Jason Bailey said these next-generation tools are in their "discovery" phase, and one of the first set of tools that is designed to provide a backup solution for NFTs will roll out early next year. Speaking to International Business Times, Bailey said, "We are looking at early 2022 to roll out the backup solution. But between now and then we should be feeding (1,500 beta testers) valuable information about their wallets." Bailey says while doing the beta testing, he realized that there are loopholes in the NFT storage systems and only 40% of the NFTs were actually pointing to the IPFS, while 40% of them were at risk — pointing to private servers.

Here is the problem explained: NFTs are basically a collection of metadata, that define the underlying property that is owned. Just like in the world of internet documents, links point to the art and any details about it that are being stored. But links can break, or die. Many NFTs use a system called InterPlanetary File System, or IPFS, which let you find a piece of content as long as it is hosted somewhere on the IPFS network. Unlike in the world of internet domains, you don't need to own the domain to really make sure the data is safe. Explaining the problem which the backup tool will address, Bailey said, "When you upload an image to IPFS, it creates a cryptographic hash. And if someone ever stops paying to store that image on IPFS, as long as you have the original image, you can always restore it. That's why we're giving people the right to download the image.... [W]e're going to start with this protection tool solution that will allow people to click a button and download all the assets associated with their NFT collection and their wallet in the exact format that they would need it in to restore it back up to IPFS, should it ever disappear. And we're not going to charge any money for that."

The idea, he said, is that collectors should not have to trust any company; rather they can use ClubNFT's tool, whenever it becomes available, to download the files locally... "One of the things that we're doing early around that discovery process, we're building out a tool that looks in your wallet and can see who you collect, and then go a level deeper and see who they collect," Bailey said. Bailey said that the rest of the tools will process after gathering lessons based on user feedback on the first set of solutions. He, however, seemed positive that the talks of the next set of tools will begin in the Spring of next year as the company has laid a "general roadmap."

Google

W3C Slaps Down Google's Proposal To Treat Multiple Domains as Same Origin (theregister.com) 40

A Google proposal which enables a web browser to treat a group of domains as one for privacy and security reasons has been opposed by the W3C Technical Architecture Group (TAG). From a report: Google's First Party Sets (FPS) relates to the way web browsers determine whether a cookie or other resource comes from the same site to which the user has navigated or from another site. The browser is likely to treat these differently, an obvious example being the plan to block third-party cookies. The proposal suggests that where multiple domains owned by the same entity -- such as google.com, google.co.uk, and youtube.com -- they could be grouped into sets which "allow related domain names to declare themselves as the same first-party." The idea allows for sites to declare their own sets by means of a manifest in a known location. It also states that "the browser vendor could maintain a list of domains which meet its UA [User Agent] policy, and ship it in the browser."

In February 2019, Google software engineer Mike West requested a TAG review and feedback on the proposal was published yesterday. "It has been reviewed by the TAG and represents a consensus view," the document says. According to the TAG, "the architectural plank of the origin has remained relatively steady" over the last 10 years, despite major changes in web technology. It added: "We are concerned that this proposal weakens the concept of origin without considering the full implications of this action." The group identified some vagueness in the proposal, such as whether FPS applies to permissions such as access to microphone and camera. A Google Chrome engineering manager has stated: "No, we are not proposing to change the scope for permissions. The current scope for FPS is only to be treated as a privacy boundary where browsers impose cross-site tracking limitations." But the TAG reckons that the precise scope of FPS should be laid out in the proposal. A second concern is over the suggestion that browser vendors would ship their own lists. "This could lead to more application developers targeting specific browsers and writing web apps that only work (or are limited to) those browsers, which is not a desirable outcome," said the TAG.

Mozilla

Rust is Strong, Creates a Trademark-Owning Foundation (rust-lang.org) 57

Though Mozilla laid off 250 people last week, the Rust Core Team wrote a blog post Tuesday reminding the world that "the Rust project as a whole is very resilient to such events..." it is a common misconception that all of the Mozilla employees who participated in Rust leadership did so as a part of their employment. In fact, many Mozilla employees in Rust leadership contributed to Rust in their personal time, not as a part of their job. Finally, we would like to emphasize that membership in Rust teams is given to individuals and is not connected to one's employer. Mozilla employees who are also members of the Rust teams continue to be members today, even if they were affected by the layoffs...
But they've still got some news: We've developed legal and financial needs that our current organization lacks the capacity to fulfill. While we were able to be successful with Mozilla's assistance for quite a while, we've reached a point where it's difficult to operate without a legal name, address, and bank account. "How does the Rust project sign a contract?" has become a question we can no longer put off....

The Rust Core Team and Mozilla are happy to announce plans to create a Rust foundation. The Rust Core Team's goal is to have the first iteration of the foundation up and running by the end of the year... The various trademarks and domain names associated with Rust, Cargo, and crates.io will move into the foundation, which will also take financial responsibility for the costs they incur.... As an immediate step the Core Team has selected members to form a project group driving the efforts to form the foundation. Expect to see follow-up blog posts from the group with more details about the process and opportunities to give feedback...

We're excited to start the next chapter of the project by forming a foundation. We would like to thank everyone we shared this journey with so far: Mozilla for incubating the project and for their support in creating a foundation, our team of leaders and contributors for constantly improving the community and the language, and everyone using Rust for creating the powerful ecosystem that drives so many people to the project. We can't wait to see what our vibrant community does next.

Chrome

Google Temporarily Brings Back the www In Chrome URLs -- But Should They? (digitaltrends.com) 144

An anonymous reader quotes Digital Trends: With the launch of Chrome 69, Google stunned users last week with a surprising decision to no longer display the "www" and "m" part of the URL in the Chrome search bar, but user backlash forced Google to soften its stance. Google's course reversal, although welcomed by users, is only short term, and the search giant said it will change course once again with the release of the Chrome 70 browser....

Critics have argued that by not displaying the special-case subdomains, it was harder for users to identify sites as legitimate, and the move could lead to more scams on the internet. Others go as far as questioning Google's motives for not displaying the "www" and "m" portion of a web address, and these users speculated that the move may be to disguise Google's AMP -- or Accelerated Mobile Pages -- subdomain to make it indistinguishable from the actual domain....

With the launch of Chrome 70, Google plans on hiding the 'www' portion of a web address inside the search bar, but it will continue to display the 'm' subdomain. "We are not going to elide 'm' in M70 because we found large sites that have a user-controlled 'm' subdomain," Google Chromium product manager Emily Schecter said. "There is more community consensus that sites should not allow the 'www' subdomain to be user controlled."

ZDNet notes that while Chrome's billion-plus users were surprised, "Apple's Safari likewise hides the www and m but it hasn't caused as much concern, likely because of Google's outsized influence over the web and Chrome's dominance of the browser market."

TechRepublic quotes a community feedback post that had argued that "Lying about the hostname to novices and power users alike in the name of simplifying the UI seems imprudent from a security perspective."
Businesses

GoDaddy Proposes New DNS Configuration Standard (programmableweb.com) 81

GoDaddy has announced "an open set of APIs for DNS providers and web service providers," called Domain Connect. An anonymous Slashdot reader writes: "Once enabled, customers can quickly configure their domain to point to the web service of their choice with push button simplicity," according to the announcement, "streamlining and simplifying the process of connecting websites and domain names registered on different platforms." GoDaddy's submitted it for consideration as an IETF standard, where they have the support of Microsoft and Squarespace, as well as the other two largest registries, eNom and Name.com. But in the meantime, they told ProgrammableWeb, the specification is "out there in the public, open for feedback and adjustment."

"GoDaddy is seeking to take all the friction out of the process," the site reports, "by offering service providers like Squarespace, Wix, Google, Microsoft, Wordpress and others a registrar-agnostic API that they can use to programmatically configure all the necessary DNS entries... in lieu of making end users laboriously crawl through a bunch of forms and then praying that they've done it all correctly." Different access levels will be available based on the service being provided, and for GoDaddy's implementation of the API their senior VP of Domains Engineering "said that the program will not be open to public developers and that any service providers wanting access will have to be approved by his team at GoDaddy."

Android

Google I/O 2014 Begins [updated] 49

Google I/O, the company's annual developer tracking^wdevelopers conference, has opened today in San Francisco. This year the company has reduced the number of conference sessions to 80, but also promised a broader approach than in previous years -- in other words, there may be a shift in focus a bit from Google's best known platforms (Chrome/Chrome OS and Android). Given its wide-ranging acquisitions and projects (like the recent purchase of Nest, which itself promptly bought Dropcam, the ever smarter fleet of self-driving cars, the growing number of Glass devices in the wild, and the announcement of a 3D scanning high end tablet quite unlike the Nexus line of tablets and phones), there's no shortage of edges to focus on. Judging from the booths set up in advance of the opening (like one with a sign announcing "The Physical Web"), expect some of the stuff that gets lumped into "the Internet of Things." Watch this space -- updates will appear below -- for notes from the opening keynote, or follow along yourself with the live stream, and add your own commentary in the comments. In the days to come, watch for some video highlights of projects on display at I/O, too. Update: 06/25 17:41 GMT by T : Updates rolling in below on Android, wearables, Android in cars, Chromecast, smart watches, etc. Keep checking back! (Every few minutes, I get another chunk in there.)
Image

The Trousers of Reality 63

gregrolan writes "The Trousers of Reality — Volume 1, Working Life is indeed a book about finding balance and satisfaction in life work and play. The author's thesis can be applied to almost any discipline, but it is from his background as an IT consultant that most of his professional examples are drawn. He considers success in this field pretty broadly and addresses the technical, management, political, personal, and social aspects of the IT profession." Read on for the rest of Greg's review.
Books

Amazon Delaying Public Domain Submissions On Kindle 100

John B. Hare writes "Many publishers of public domain content on the Kindle are being turned away for reasons that Amazon declines to clarify. In the past two weeks any publisher posting a public domain book (or a book that appears to be a such) has received the message 'Your book is currently under review by the Kindle Operations team as we are trying to improve the Kindle customer experience. Please check back in 5 business days to see if your book was published to the store.' Amazon claims that this is a quality control issue, apparently believing that readers can't figure out on their own that a five-page Kindle book for $9.99 is a rip-off, or that yet another Kindle edition of 'Pride and Prejudice' is pointless. This was supposed to be the point of user feedback and the Kindle return policy: users can quickly decide what the best choice is, and if they don't like it, back out without any harm done." Read on for details of this reader's interaction with Amazon on the subject of public domain Kindle submissions.

Blizzard Answers Your Questions and More 368

Last week we asked for interview questions to help supplement our face-to-face interviews at Blizzcon. Over the course of the two-day con we were able to sit down with StarCraft II's Dustin Browder, Diablo III's Leonard Boyarsky, WoW's J. Allen Brack, and Battle.net expert Rob Pardo to answer a few questions on each of the four major camps in Blizzard at the moment. Since this wasn't a usual Slashdot-style interview, we tried to use as many of your suggestions as possible, but the conversation often took us in a unique direction once it got rolling.
The Internet

Bell Starts Hijacking NX Domain Queries 310

inject_hotmail.com writes "Bell Canada started hijacking non-existent domains (in the same manner as Rogers), redirecting NX-response queries to themselves, of course. Before opting-out, you get their wonderfully self-promoting and self-serving search page. When you 'opt-out,' your browser receives a cookie (isn't that nice) that tells them that you don't want the search page. It will still use their broken DNS server's non-NX response, but it will show a 'Domain Not Found' mock-up page that they (I surmise) tailor to your browser-agent string. During the opt-out process, they claim to be interested in feedback, but provide no method on that page (or any other page within the 'domainnotfound.ca' site) to contact them with complaints. They note that opting-in is 'recommended' (!), and that 'In order for opt-out to work properly, you need to accept a "cookie" indicating that you have opted out of this service. If you use a program that removes cookies, you will have to repeat this opt-out process when the cookie is deleted. The cookie placed on your computer will contain the site name: "www.domainnotfound.ca."' Unfortunately most Bell Internet users won't understand the difference between their true NX domain response, and Bell's injected NX response."
Security

Network Solutions Suffers Massive Data Breach 70

dasButcher writes "Network Solutions, the domain registration and hosting service company, suffered a massive security breach that lasted three months and exposed tens of thousands of credit card numbers of its customers and of the businesses that use its hosting and online payment processing service. The company is just beginning the victim notification process. 'There is no information on how the code was planted on the sites. While examination of the code shows that it had the ability to ship data off to a third party, and Network Solutions believes that it did just that, the exact code is not available for public review. There is also no public information as to where the data believed to be stolen was sent.'"

Virginia High Court Wrong About IP Addresses 174

Frequent Slashdot contributor Bennett Haselton writes "The Virginia Supreme Court has ruled that the state's anti-spam law, which prohibits the sending of bulk e-mail using falsified or forged headers, violates the First Amendment because it also applies to non-commercial political or religious speech. I agree that an anti-spam law should not outlaw anonymous non-commercial speech. But the decision contains statements about IP addresses, domain names, and anonymity that are rather basically wrong, and which may enable the state to win on appeal. The two basic errors are: concluding that anonymous speech on the Internet requires forged headers or other falsified information (and therefore that a ban on forged headers is an unconstitutional ban on anonymous speech), and assuming that use of forged headers actually does conceal the IP address that the message was sent from, which it does not." Click that magical little link below to read the rest of his story.
