This blog can and probably will contain items of a semi-adult nature. While I don't post graphic images or porn, I do talk about issues relating to being in the LGBT community, as well as frank discussions about my views on life. I also talk about subjects that offend the religious right - such as tolerance, understanding, atheism, and being true to yourself.
If you are under age 18 in the USA, then you probably shouldn't be here. The laws vary from country to country, but as a good rule of thumb, if you are not considered a consenting adult in your country, then you are probably too young to be here. A nice alternative would be Scarleteen, a highly recommended site for teens dealing with sex education.
*** WARNING ***
Monday, July 26. 2010
Upgrades and changes
Just an FYI to all users, over the next few days, we'll be doing some upgrades to the servers. Shiny new large hard drives, upgraded Xen software, and other good stuff. If we are down at times, please be patient as these types of upgrades take time.
[ Update 7/27/2010 ]
Good news everyone! (I've always wanted to say that)
99% of the upgrades are already complete thanks to efficient and quick work, two days earlier than expected. Please let us know of any website issues you may run into.
Saturday, July 24. 2010
Firewall/SOSDG 0.9.3
Just a quick note to everyone, version 0.9.3 of Firewall/SOSDG has been released. This update features a new ability to create files with custom commands to inject at specific places during the file loading. I've also tweaked the coloring of the output to be a bit prettier.
Monday, July 12. 2010
How not to request a whitelisting in the AHBL
Sometimes, people/companies do things which leave me scratching my head. In this case, Orange Internet of France wants us to whitelist or at least monitor for listings and spam from their network. Normally, this kinda request isn't all that unusual, however in this case, it looks like Orange Internet sent a mass mailing to DNSbl maintainers and possibly large ISPs.
Subject: Orange introduces new MTA servers
Date: Mon, 12 Jul 2010 18:43:33 +0200
From: Service Abuse Orange Internet <abuse@orange.fr>
Reply-To: abuse@orange.fr
To: abuse@orange.fr

Miss, Sir,

Orange Internet is the major ISP in France where it provides about 6 million individual Internet accesses and about 16 million email accounts.

By the end of this month, Orange will put on line few new email equipments (MTA) with new outgoing IP addresses. Therefore, we would like to share these new IP addresses since you could be able to observe a sudden raise of email traffic coming from them.

Our new IP addresses will be :
80.12.242.123 80.12.242.124 80.12.242.125 80.12.242.126 80.12.242.127 80.12.242.128 80.12.242.129 80.12.242.130 80.12.242.131 80.12.242.132 80.12.242.133 80.12.242.134
and
193.252.23.210 193.252.23.211 193.252.23.212 193.252.23.213 193.252.23.214 193.252.23.215

Please, let us quickly remind you of our policy to fight, under our national laws, against Internet abuses from our subscribers:
- All email traffic sent from a dynamic IP address is driven to our "subscribers MTA"
- Legal measures of protection against spam are applied
- Known compromised accounts are suspended and blocked
- Every complaint, documented with the headers of the abusive emails, is treated by Orange abuse team (abuse@orange.fr) within 24h

Complaints being a essential source of information about our customers' behaviour, thank you to let us know if you have a complaint feedback loop that we could register. You are also welcome to send us all complaints and all questions you may have at abuse@orange.fr.

Finally, considering the specific role of our MTAs, we would be very grateful if you could whitelist their associated IP addresses or, at least, offer them the usual protection you offer to large ISPs SMTP servers.

Regards,
Abuse Orange Internet technical role.
*sigh*
They probably should have run this by someone who actually has dealt with DNSbl maintainers before.
Friday, July 9. 2010
Security & SMTP TLS
Recently on the NANOG list, there was discussion going on about IPv6 and e-mail, and it slightly diverged into SMTP TLS. After some off-list discussion about SMTP level security and what a Debian system will do on a default install, I've made some observations I'd like to share.
- The default install of Debian unstable with EXIM4 will have TLS support enabled by default thanks to the options in /etc/exim4/conf.d/main - it's not the most optimal setup, but it will work for basic TLS support.
- SMTP TLS security can't really easily be compared to HTTP SSL/TLS security. When you browse to an HTTPS website, it's an entirely interactive process, which gives you a chance to see the certificate in question and respond. In an SMTP TLS session, it's done entirely by the MTA in an automated manner.
- Depending on TLS to give security, authentication, and reliability to SMTP is a long, and probably fruitless process. Unless you are going to refuse connections to every server whose certificate you can't verify or which doesn't have a certificate, you aren't really solving anything. In tests, I've yet to have a system refuse to talk to my SMTP server because it's using a self-signed certificate.
- TLS will provide wire level security when talking to another mail server - however, your message will most likely be stored plain text on the sending server, receiving server, and places in between, including the MUA, completely defeating the purpose of keeping the contents of the message secret. PGP/GPG is the proper answer to the message security issue.
Given how easy it's been for people in the past to get valid but fake certs from Verisign and similar companies, is depending on TLS/SSL certificates to guarantee the identity of the person you are communicating with really such a great idea?
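An added example, not from the original post: one way to measure the point above on your own server is to tally outbound deliveries by TLS state from the Exim main log. The log lines are constructed, and the script assumes Exim is logging its X= (cipher) and CV= (certificate verified) fields on delivery lines.

```python
import re
from collections import Counter

# Constructed sample lines in Exim mainlog style (not real traffic).
SAMPLE_LOG = """\
2010-07-09 10:15:02 1OXAAA-0001Xy-AB => alice@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.10] X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 CV=no
2010-07-09 10:15:09 1OXAAB-0001Xz-CD => bob@example.org R=dnslookup T=remote_smtp H=mail.example.org [192.0.2.20] X=TLS1.0:RSA_AES_128_CBC_SHA1:16 CV=yes
2010-07-09 10:16:41 1OXAAC-0001Y0-EF => carol@example.com R=dnslookup T=remote_smtp H=mx.example.com [192.0.2.30]
2010-07-09 10:17:03 1OXAAD-0001Y1-GH <= dave@example.net H=mx.example.net [192.0.2.10] P=esmtps X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 CV=no S=1432
2010-07-09 10:18:12 1OXAAE-0001Y2-IJ => erin@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.10] X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32 CV=no
2010-07-09 10:19:30 1OXAAF-0001Y3-KL => local_user <local_user@example.test> R=local_user T=mail_spool
"""

# key=value fields; values may be quoted (e.g. DN="...")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def classify(line):
    """Return (host, state) for a remote delivery line, else None."""
    parts = line.split(" ", 4)
    # parts: date, time, message id, flag, remainder
    if len(parts) < 5 or parts[3] not in ("=>", "->"):
        return None                      # not a delivery line
    fields = dict(FIELD.findall(parts[4]))
    if "H" not in fields:
        return None                      # local delivery, no remote host
    if "X" not in fields:
        state = "plaintext"              # no TLS was negotiated
    elif fields.get("CV") == "yes":
        state = "tls-verified"
    else:
        state = "tls-unverified"         # encrypted, peer identity unchecked
    return fields["H"], state


def audit(log_text):
    """Count delivery states per remote host."""
    per_host = {}
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            host, state = result
            per_host.setdefault(host, Counter())[state] += 1
    return per_host


def unprotected_hosts(per_host):
    """Hosts with at least one delivery not made over verified TLS."""
    return sorted(h for h, c in per_host.items()
                  if c["plaintext"] or c["tls-unverified"])
```

Hosts that show up only as tls-unverified are the self-signed case from the post: the session was encrypted, but nothing checked who was on the other end.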
Wednesday, July 7. 2010
Chrissy Satterfield: Vandalism Of Atheist Billboard Is A-Okay!
We all are pretty well aware of the fact that Christians have this tendency to allow violations of their own commandments as long as they can somehow justify it in the name of their imaginary friends, but it's not often we see ones that post about how they think it's okay and try to justify their position.
In this case, Chrissy Satterfield posted a commentary on WorldNetDaily about how she applauds whoever vandalized the atheist billboard in North Carolina.
Some bits from the commentary I thought were interesting...
Chrissy, I'd like to point out that you seem to be confusing truth with opinion. What you consider 'truth' is actually a rather limited and tunnel vision view of what some people believe in, rather than what the world and country believe in as a whole. I know it's very easy to bob your head back and forth like a cheerleader and scream "la la la!" whenever someone happens to bring it to your attention that there are people in this world who don't believe the same way you do, but for once, do mature a little.
But, Chrissy, you did just encourage vandalism! It comes back to the Christian way of 'law' (I use this term loosely, considering Christians, if they could write laws, would make being gay and being black an executable offense) where as long as it's claimed to be in the name of your imaginary friend, it's okay.
One must ask, how would you feel if someone defaced a church billboard? Oh wait, that issue is next!
Atheists vandalizing Christian billboards? Chrissy, please, you really think that atheists are really that desperate to get their message across? We've got other ways to get our message across - some of them are quite humorous and intelligent in nature - but then again, most of the people who would find phrases like "One nation indivisible" offensive, are the ones who can't think for themselves because of what the church has done to them.
Only the strongest survive in the world today, it's not my fault you choose to be feeble and weak. You think the priests and such call you the "shepherd's flock" because you can think for yourselves and lead?
It's not abuse to try and share your views with others - in fact, your 'modern' Christian doctrine makes you force your views onto other people even if they don't want it. Every time I answer my door, and it's someone trying to sell me 'the saving power of jesus', I find that abusive, offensive, and a waste of my time.
Being oppressed is the rallying cry of Christians who don't like being told that they aren't special and above everyone else. Forget the fact that throughout history, Christians have been the oppressors of others, rather than the opposite way around.
I doubt you've had many 'conversations' with atheists - I'm sure it was pretty one sided, with you doing a cheerleader head bobbing "la la la, I can't hear you!" the entire time. I suggest you speak with Hemant from the Friendly Atheist - he's one of the coolest, bad ass, friendly, and logical atheists I've ever come across. I can guarantee you, that he will never not be civil and polite to you.
*gasp* You might just like him!
Atheists and LGBT people alike have to do that on a daily basis - stand up against Christian oppression and bigotry, and say "To hell with what anyone thinks." Of course, the difference is, when we do it to you, you call for us to be executed or beaten to death. On the other hand, we just laugh at your supposed 'openness' and 'good Christian nature' knowing full well that the 'open hand of god' is actually grasping an AK-47 pointed right at us.
Chrissy, I always welcome you proving what I've said wrong. Please don't hesitate to contact me - unlike most Christians, I welcome constructive feedback.
(Update: James @ Cubik's Rube also blogged about this as well and is an excellent read)
Thursday, June 24. 2010
Laurie Higgins attacking Hemant (again)
As if this couldn't have been predicted, Laurie Higgins of the IFI is attacking Hemant (The Friendly Atheist) again. Last year, she called him charismatic, funny, kind, and iconoclastic, now she's saying he's uncivil and disreputable.
Can't she just make up her mind already?
Damn Hemant and his socialist teachings of maths! :-P



