OT - 3 Free Gmail invites

I've got 2 Gmail invites up for grabs for the first 2 to email me offlist.

Somitho@gmail.com

Josh Brady

All gone

I've got a few to give out as well. Email me off-list and if I have
any left, I'll send an invite.

Brett

WOW! Overwhelming response. Haven't sent them all out yet, but all
accounted for.

Brett

Joshua Brady wrote:

I've got 2 Gmail invites up for grabs for the first 2 to email me offlist.

You know, I'm having trouble finding people that *don't* have gmail.com accounts already. :stuck_out_tongue:

-Jonathan "G-mail-less" Nichols

You know, I'm having trouble finding people that *don't* have gmail.com accounts already. :stuck_out_tongue:

-Jonathan "G-mail-less" Nichols

If we are all network operators, exactly what is the benefit of having a 1GB mailbox operated by another network?

Deepak "150GB and growing" Jain

Gmail seems to be in Beta stage. I got a Gmail account
months ago, but I do not use it by now.
The reason is it does not solve two bugs I met.
The first is, after logging into gmail it will prompt
with "Ooops, the system was unable to perform your
operation. Please try again in a few seconds" if I
click "Compose Mail". Sometimes this message comes up
after I FINALLY succeed with "Compose MAIL" and click
"Send".

Another thing I met is, when trying to log in. After
typing in username/password, it shows "Gmail is not
available by now", and I have to reload one or two
times to log in.

This is really in contrast to what Yahoo! could provide.

Joe
  
--- Brett <bretton@gmail.com> wrote:

Deepak Jain [Thu, Aug 19, 2004 at 01:37:54AM -0400]:

>You know, I'm having trouble finding people that *don't* have gmail.com
>accounts already. :stuck_out_tongue:
>
>-Jonathan "G-mail-less" Nichols
>

If we are all network operators, exactly what is the benefit of having a
1GB mailbox operated by another network?

What exactly is the benefit of having a g-point-mail account?
It's the same benefit you have when joining Orkut:

You are 31337 if you have an account, as not everybody can
participate.

The most interesting thing is how many people still are giving
all their personal data out to big companies for data mining.

Sincerely,
Nico

P.S.: If you are interested in the background of this story, read
http://nico.schotteli.us/papers/net/orkut-diary for more information.

1) sending test mail to your internal network requires access to a
    remote network/postoffice?

2) when users complain about failures, you can check it out?

3) get your favorite username/handle while it's still available?

I've got a handful of extras if anybody else still needs one btw

All gone

> If we are all network operators, exactly what is the benefit of having a
> 1GB mailbox operated by another network?

  Offsite backup. Just encrypt and point your backup device to your E-mail
box :slight_smile:

I've not seen any of the problems you're speaking of, but then again
I'm in a later stage in the beta than you were (I'm assuming)...

I have 5 invites that I'm willing to part with, if anyone would like
one let me know off list :wink:

Uh, could we _please_ get back to something with operational content, or
nothing at all?

Anyone have anything concrete on the SHA-0 / MD5 compromise, for instance?
Any operational impact there, that we need to worry about in the near
term?

                                -Bill

http://www.freedom-to-tinker.com/

sounds fubar'd to me

Steve

Bill Woodcock <woody@pch.net> writes:

    > I have 5 invites that I'm willing to part with...

Uh, could we _please_ get back to something with operational content, or
nothing at all?

Anyone have anything concrete on the SHA-0 / MD5 compromise, for instance?
Any operational impact there, that we need to worry about in the near
term?

Here's the overview I sent to IAB/IESG:

As you may or may not have heard, this year's CRYPTO conference
has been very interesting:

* Joux has found a single collision in SHA-0--an algorithm that nobody
  uses but that is very similar to SHA-1. However, SHA-0 was changed to
  fix a flaw (later found by Joux), thus becoming SHA-1 so we can hope
  that this attack can't be extended to SHA-1. The attack was fairly
  expensive, requiring about 2^51 operations (the brute force attack
  would take about 2^80).

* Biham and Chen can find collisions in a reduced round version of SHA-1
  (40 rounds). The full SHA-1 is 80 rounds. It's hard to know whether
  this can be extended to full SHA-1 or not. NSA (who designed SHA-1)
  seems to be generally pretty good at tuning their algorithms so that
  they're just complicated enough to be secure.

* Wang, Feng, Lai, and Yu have what appears to be a general method for
  finding collisions in MD4, MD5, HAVAL-128, and RIPEMD. They
  haven't published any details.

What does this mean for us? I'll be writing up full details hopefully
soon, but here's a short overview...

WHAT'S BEEN SHOWN?
An attacker can generate two messages M and M' such that Hash(M) = Hash(M').
Note that he cannot (currently) generate a message M such that Hash(M)
is a given hash value, nor can he generate a message M' such that it hashes
the same as a fixed message M. Currently this is possible for MD5
but we have to consider the possibility that it will be eventually
possible for SHA-1.

USES OF HASH FUNCTIONS
We use hash algorithms in a bunch of different contexts. At minimum:

1. Digital signatures (you sign the hash of a message).
   (a) On messages (e.g. S/MIME).
   (b) On certificates.
   (c) In authentication primitives (e.g., SSH)
2. As MAC functions (e.g. HMAC)
3. As authentication functions (e.g. CRAM-MD5)
4. As key generation functions (e.g. SSL or IPsec PRF)

THE POTENTIAL ATTACKS
The only situation in which the current attacks definitely apply is
(1). The general problem is illustrated by the following scenario.
Alice and Bob are negotiating a contract. Alice generates two
messages:

M = "Alice will pay Bob $500/hr"
M' = "Alice will pay Bob $50/hr" [0]

Where H(M) = H(M').

She gets Bob to sign M (and maybe signs it herself). Then when it
comes time to pay Bob, she whips out M' and says "I only owe
$50/hr", which Bob has also signed (remember that you sign the
hash of the message).

So, this attack threatens non-repudiation or any kind of third
party verifiability. Another, slightly more esoteric, case is
certificates. Remember that a certificate is a signed message
from the CA containing the identity of the user. So, Alice
generates two certificate requests:

R = "Alice.com, Key=X"
R' = "Bob.com, Key=Y"

Such that H(R) = H(R') (I'm simplifying here).

When the CA signs R, it's also signing R', so Alice can present
her new "Bob" certificate and pose as Bob. It's not clear that
this attack can work in practice because Alice doesn't control
the entire cert: the CA specifies the serial number. However,
it's getting risky to sign certs with MD5.

WHAT'S SAFE?
First, anything that's already been signed is definitely safe. If you
stop using MD5 today, nothing you signed already puts you at risk.

There is probably no risk to two party SSH/SSL-style authentication
handshakes.

It's believed that HMAC is secure against this attack (according to Hugo
Krawczyk, the designer) so the modern MAC functions should all be
secure.

I worry a bit about CRAM-MD5 and HTTP Digest. They're not as well
designed as HMAC and you might potentially be able to compromise them to
mount some kind of active cut-and-paste attack, though I don't have one
in my pocket.

The key generation PRFs should be safe.

-Ekr

[0] In practice, the messages might not be this similar, but there
turn out to be lots of opportunities to make subtle changes in any
text message.
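
The sign-the-hash scenario from the overview above, as an added example that is not part of the original thread: a birthday search over trailing-whitespace variants of the two contract texts against a deliberately weak 24-bit digest (truncated SHA-256, an assumption chosen so it runs in seconds), with an HMAC tag standing in for a real signature. It also shows the certificate caveat: when the signer prepends a value the requester could not predict, such as a CA-chosen serial number, the precomputed collision no longer verifies. All function names, the key and the serial value are constructed.

```python
import hashlib
import hmac

DIGEST_BYTES = 3  # assumption: 24-bit toy digest so a collision is found quickly


def weak_hash(msg: bytes) -> bytes:
    """SHA-256 truncated to 24 bits, standing in for a collision-weak hash."""
    return hashlib.sha256(msg).digest()[:DIGEST_BYTES]


def variant(text: str, i: int) -> bytes:
    """Same visible text; 24 trailing space/tab characters encode i."""
    pad = "".join(" \t"[(i >> b) & 1] for b in range(24))
    return (text + pad).encode()


def find_collision(good: str, bad: str, tries: int = 1 << 16):
    """Birthday search: index variants of `good`, then probe variants of `bad`."""
    seen = {}
    for i in range(tries):
        m_good = variant(good, i)
        seen[weak_hash(m_good)] = m_good
    for j in range(tries):
        m_bad = variant(bad, j)
        if weak_hash(m_bad) in seen:
            return seen[weak_hash(m_bad)], m_bad
    return None


def sign(key: bytes, msg: bytes, prefix: bytes = b"") -> bytes:
    """Toy stand-in for a signature: a keyed tag over weak_hash(prefix + msg) only."""
    return hmac.new(key, weak_hash(prefix + msg), hashlib.sha256).digest()


def verify(key: bytes, msg: bytes, sig: bytes, prefix: bytes = b"") -> bool:
    return hmac.compare_digest(sign(key, msg, prefix), sig)


def demo():
    m, m_alt = find_collision("Alice will pay Bob $500/hr",
                              "Alice will pay Bob $50/hr")
    key = b"constructed-signer-key"
    # Signer signs M as submitted: the same signature verifies for M'.
    transfers = verify(key, m_alt, sign(key, m))
    # Signer prepends its own value first (like a CA-assigned serial number).
    serial = b"constructed-serial-0001"
    transfers_with_serial = verify(key, m_alt, sign(key, m, serial), serial)
    return m != m_alt, weak_hash(m) == weak_hash(m_alt), transfers, transfers_with_serial
```
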

3 invites to hawk here. Email me offlist.

Joshua Brady wrote:

>I've got 2 Gmail invites up for grabs for the first 2 to email me offlist.
>

You know, I'm having trouble finding people that *don't* have gmail.com
accounts already. :stuck_out_tongue:

Because G-mail scans INCOMING mail without the sender's consent, we will NEVER
have a G-mail account and have considered blocking them. We actively discourage
our clients from using this service. If you want to let a service scan YOUR mail,
it is your prerogative, but you cannot give them permission to scan MY mail to you.

YMMV.

I believe your last statement is factually incorrect. I absolutely _can_ do anything I please with "your" e-mail you send to me. Not only that, I also believe I _may_ do it. You send me e-mail, the e-mail is now mine. I can post it publicly, put it into a search engine, or delete it, and you have no say in the matter. Might not be polite, but it certainly is not illegal. Don't like it, don't send me e-mail. (Please. :slight_smile:)

Google is simply indexing mail for their users as a service - an unobtrusive, completely benign service just like virus checking or procmail scripts which have been used for years. And it certainly does not require the consent of the sender. How I manage my mailbox is MY business. You have exactly zero say over whether I let Google do it or Mail.app.

Perhaps you are worried that Google will read your e-mail? Or maybe let others read it? Well, I hope you never send e-mail to anyone who does not run their own dedicated mail server on their own dedicated hardware and encrypt the SMTP session. 'Cause you are worried about something that has been happening for decades. (Plus I think you have to be more than a little arrogant to think anyone at Google gives a fart about the e-mail you send.)

But hey, it's your e-mail, send it or not as you please. I like the idea behind G-mail, I just can't deal with a web-based e-mail client. You don't, then don't use it.

Just please don't spout factual fallacies like saying I can't give someone permission to do things to my inbox.

I believe your last statement is factually incorrect. I absolutely _can_ do anything I please with "your" e-mail you send to me. Not only that, I also believe I _may_ do it. You send me e-mail, the e-mail is now mine. I can post it publicly, put it into a search engine, or delete it, and you have no say in the matter. Might not be polite, but it certainly is not illegal. Don't like it, don't send me e-mail. (Please. :slight_smile:)

A dozen routers processed the packets for his message to nanog, postfix processed it at merit, it went through the headers and checked it against some files on their side probably, then it went through some more routers and maybe the FBI's carnivore system along the way, then it hit my postfix which ran it against some more files.. then spam assassin took a whack at it, then procmail took hold of it and scanned the mail.. then it was sent to pine, and then pine read it.. then I finally read it. Merit runs a mailing list, they chose to do some of those things, then I run my mail server, I chose to do some of those things.. looks like you're right.. he has no control over what happens to his mail once he sends it.

Perhaps you are worried that Google will read your e-mail? Or maybe let others read it? Well, I hope you never send e-mail to anyone who does not run their own dedicated mail server on their own dedicated hardware and encrypt the SMTP session. 'Cause you are worried about something that has been happening for decades. (Plus I think you have to be more than a little arrogant to think anyone at Google gives a fart about the e-mail you send.)

This is all of the information google states that advertisers get:

'Advertisers receive a record of the total number of impressions and clicks for each ad'

That's it.. nothing more. If the guy is scared of robots/computers reading his mail or any of his information.. The internet is not the place for him.

He can choose not to email gmail directly, but he better not ever mail a mailing list.. and hope his friends never bounce a message of his to google.

But hey, it's your e-mail, send it or not as you please. I like the idea behind G-mail, I just can't deal with a web-based e-mail client. You don't, then don't use it.

Same here.. pine has served me well for years, and will continue to. I got a gmail account like many others, just to check it out.. It seems nice, easy.. the interface even works well under Firefox and Mozilla. I would select gmail over yahoo, just because their ads are non-intrusive and there isn't flashing crap all over my screen.

I'm not sure if it's even worth responding to you, but here I go anyway....

All mail servers scan your email when you send to one of their users. Mine scanned your below message several times in a row - first to look for certain headers that I don't want coming through (like that subject prefix that adult-oriented sites are required to use, for example), then again to look for words in the body that I don't want to come through (for various things, from links to sites that could harm my users, to signatures of specific viruses, to stuff about mortgages that nobody should be using their work email to take care of), then again to see if the message was addressed to the postmaster (at which point all other rules are stopped and the message goes straight to the postmaster account), then again to check for attachments and add headers for certain kinds, then again to check those headers and block certain kinds of attachments, then again to check for viruses, etc...etc...etc...

Given that all of the above is standard mail procedure (maybe not at an ISP, but certainly at a corporation with specific strict usage policies, and even at an ISP many of the above are standard) I hope you can understand how pathetic your argument is.