Unfortunately, I do tend to agree that we can't fix stupid or the inability to read the RFCs. :-(

Thanks for providing a balanced view

I particularly don't understand the constant fanfare around discussions of SPF/DKIM/DMARC. They're widely understood, published RFCs that have been around for at least 10-15 years, some of them longer. They're not obscure folk wisdom passed down through generations of sysadmins, yet I read so many documents and articles that make it sound like a proprietary trade secret that the authors of such articles are graciously revealing to the world.

I was torn between explaining and letting them believe it :-)

Most of the time, folks just don’t understand why their company name is in the address and they think it’s a mistake.

To be honest, I do tend to avoid this for anything other than throwaways because it causes too much confusion when I have to phone up, and I’m not really doing it out of a misguided belief it helps with spam (at least, it doesn’t help any more than security by obscurity is unsuitable as a singular defence, but maybe has a tiny role when layered into a broader strategy…)

I’m not concerned about the leaking as my address is out there anyway and Bayesian spam filtering is still decent enough, but as an aside, I have had two companies this year whose user databases must have been leaked on the basis of spam received at company-specific addresses. I reported it to their privacy people and pointed out it’s highly unlikely this “spam” originated as their (tiny company name) being chosen by chance by a spammer who figured out my catch all domain.

They never replied, and I probably should have followed up with the local information regulatory commission in each case. Hopefully, my note helped them identify they had a leak and to secure their systems.

I do run similar infrastructure professionally for a living, which probably helps with getting it right first time. Competent VPS hosts care about IP reputation for mail; e.g. Hetzner only allows outbound port 25 for “trusted” customers, which somewhat helps with abuse reports. Some hosting providers may even let you relay via their own outbound hosts if you have a VPS with them, which simplifies the operational aspect.

I rarely need to send from the catch all address, but Postfix can easily be configured to allow my user to send from other addresses, and then it’s just a case of adding as an alias in your mail user agent.

Although more recently I’ve moved to a catch all domain for throwaway, which is even better. It confuses agents on the phone though when I give my email address as {their company name}@mydomain.com

Yeah, most people don’t understand how the ownership and control varies before and after the @ symbol.

The token was recently used? No problem! Must be a duplicate click, or a refresh, or the user left the browser tab open and their mobile device refreshed when they reopened the browser app, etc.

Depends on the frame of reference of “single point-of-failure”.

In the context of technical SPOFs, sure. It’s a distributed system across multiple geographies and failure domains to mitigate disaster in the event any one of those failure domains, well, fails.

It doesn’t fix that technology is operated by humans who form part of the sociotechnical system and build their own feedback loops (whose failures may not be, in fact are likely not going to be, independent events).

SPOFs also need to contemplate the resilience and independence of the operators of the system from the managing organisation. There is one company that bears accountability for operating CF infra. The pressures, headwinds, policies and culture of that organisation can still influence a failure in their supposedly fully distributed and immune system.

For most people hosting behind Cloudflare probably makes sense. But you need to understand what you’re giving up in doing so, or what you’re sacrificing in that process. For others, this will lead to a decision _not_ to use them and that’s also okay.

The other reason I hypothesise is that corporate big brother snooping systems that have whitelists for their trusted services – with entries like mail.google.com or calendar.google.com – are simply too painful at this point for big tech to break for their customers by dropping the .com suffix, so big tech doesn’t bother.

No hard data on any of that, though.

Sorry, we all have our opinions and perspective, but money isn't the only value judgement.

I want my speedo in my easy line of vision on any vehicle I drive. I want to be able to demist my windscreen by reaching for a button I can find without taking my eyes off the road.

The A380 is one of my favourite aircraft. I never flew on a 747 and likely never will now, so it's the next best thing I've got for a two-deck experience.

Comments URL: https://news.ycombinator.com/item?id=39989626

Points: 8

# Comments: 7

His dry sense of wit and humour, his uncompromising pursuit of injustice and his loathing of foolhardy decisions made by the political or moneyed elites were evident in all he did and said. Misunderstood by some, I came to respect most his tenacity; at fighting the big guy – and, more often than not, prevailing with his typical grit, logic and determination. His work continues to inspire, especially since three decades after he founded the field he would go on to be recognised for internationally, in many business and industrial circles we are still making the same basic security mistakes, driven by the same flawed economic models as Ross predicted. His work is timeless.

When he spoke, I listened, and on those rare occasions he complimented my work, I did not take that for granted. It is a regret that I did not take the opportunity to do a PhD with him. Rest in peace.