Broken SPF records

I have SPF verification enabled on my mail server. While SPF is no panacea for the problem of spam, it is quite effective at ensuring spammers do not forge the sending address to impersonate someone else, and cause some poor innocent soul to receive in a boomerang effect the torrent of complaints hurled at them.

Unfortunately far too many lame organizations (cough, Google) qualify their SPF record using a too permissive ?all or ~all clause, which means they have servers other than those listed, and thus their SPF record is useless for filtering purposes.

In the last month, I noticed the opposite problem: I did not receive emails from Eurostar and BookMooch because their SPF records did not list the mail servers they actually use. If they are not clueful enough to manage a simple list of IP addresses, or have basic change management discipline, they should do us all a favor and ditch the SPF record they clearly are incapable of maintaining.

Fie on parasitic US cellcos

The Economist has an excellent article on how Indian mobile phone companies cut costs. They have an ARPU of $6.50 a month yet operate with a 40% gross margin. If US cellcos were run as efficiently, they would have a 1200% gross margin on the $51 monthly ARPU!

The time has long come to stop coddling grossly inefficient and anti-competitive cellular carriers in the West. They are no longer fledgling businesses in the shadow of landlines, quite the opposite, in fact. One good place to start would be to require them to offer consumers the choice of carrier for international calls and for roaming, as is the case with landlines. Their rates are simply extortionate.

At long last real broadband in San Francisco

I upgraded my broadband connection yesterday from a puny 3-6Mbps/384-768K DSL connection to 20Mbps symmetrical Metro Ethernet service from an outfit called WebPass. My current ISP, Raw Bandwidth, has excellent service with no restrictions on hosting servers or traffic shaping shenanigans unlike the likes of Comcast, but they are still hobbled by the AT&T last-mile connection.

WebPass finesses around the incumbent monopoly by using newer buildings’ data-grade wiring plant to bring 100MBps Ethernet connections right into your home (all they had to do was change a wall plate and patch some cables in the closet) and use microwave links to backhaul traffic to their data center. They claim to use a mesh network for backhaul, but I think this just means a standard network of microwave links where some sites have to hop multiple microwave links to get to the transit connection, rather than a purely centralized hub and spoke model. In my case their offices are a mere two blocks away. This would allow me the pleasure of ditching the scumbags at AT&T altogether (were it not for the fact my building requires an entirely unnecessary landline for its security system).

AT&T is probably the worst telco in the US now, and is notorious for starving its infrastructure of investment to maximize short-term profits, unlike Verizon, who is investing heavily in its FiOS optical network. Unfortunately San Francisco is in AT&T territory and will not get true optical networks anytime soon. Municipalities can usually reassign the cable franchise every so many years, but there is no such provision for involuntary transfer of telcos that I know of.

The new service is $45 a month with no installation fee, vs. $70 a month for Raw Bandwidth, but it does not include a static IP address (they do offer it as part of their prohibitively expensive metered business service). Configuring my home router (a Cisco 877) to use both connections was incredibly painful, but I will run the two ISPs side by side for the next few months. If WebPass proves as reliable as Raw bandiwdth, I may just have to find a work-around for the static IP issue, or just rely on DHCP lease pinning.

If you live in San Francisco, or are moving there, definitely have a look at the buildings they have covered. The service is a glimpse of what people not in broadband backwater USA get.

Today is a great day for the Internet in France

The content producers’ lobby is very ancient and powerful in France (it was started by the playwright Beaumarchais in the 18th century). The fact President Sarkozy’s wife is an important rights holder may have something to do with his determination to pass the abject Hadopi law, which would cause Internet users caught illegally downloading content to be cut off from the Internet (while still having to pay their ISP fees).

The law was exceedingly stacked towards the content industry. The burden of proof was on the defendant rather than the prosecution, and an extra-judicial quango named Hadopi was to be set up to enforce these sanctions. The European Parliament, to its credit, had opposed such measures and restated that Internet access is a fundamental right that can only be curtailed by proper judicial authority. The first reading of the law led to a surprise defeat, as the majority UMP legislators were unenthusiastic about supporting a law that would alienate the young, and absenteeism was such that the minority Socialist party managed to overwhelm those few present. This is one of the exceedingly few times I actually agree with the feckless Socialists… The President brought his whip to bear and the law was put back on the agenda and voted in the second time.

Today, the Conseil Constitutionnel ruled on a challenge to the law put by Socialist parliamentarians, and gutted it in line with the European Parliament. In doing so, it affirmed that Internet access is a fundamental human right, drawing all the way back to the original Human Rights declaration of 1789, and that Internet users are innocent until proven guilty.

This is an important decision. In Roman law, judges’ discretion is much more limited than in the Anglo-Saxon Common law tradition. The US Supreme Court found in Roe vs. Wade a right to abortion in the US Constitution that is far from obvious, and such a decision by unelected judges lacked universal legitimacy. In contrast, abortion was legalized by an act of Parliament in France, which is why opposition to it is nowhere near as bitter as in the US. The Conseil Constitutionnel does not invent constitutional principles, it only censures laws or more commonly individual articles (the role of ultimate court of appeals belongs to another institution, the Cour de Cassation). The significance of it finding Internet access a fundamental right cannot be overstated.

SOCKS and SSH, two great flavors that go together

I am currently in New Orleans for a friend’s wedding, and staying at the InterContinental. The hotel has wired Internet access, but like all expensive hotels, wants to charge an extortionate fee ($7/hour) for it. This is annoying as the same hotel chains’ budget-priced hotels usually offer it as a complimentary service.

I noticed my email was going through, however. On further inspection, it turns out they only intercept port 80 HTTP traffic, but not on other ports. Security through (very thin) obscurity, in other words.

I tried using Firefox from my home machine over X and SSH port forwarding, but it was painfully slow.

At this point, I was considering setting up a HTTP proxy on my home machine and using it over SSH port forwarding, but I remembered reading something about SSH and SOCKS. I had never used a SOCKS proxy before, but it turns out this is incredibly easy: just add the -D option to ssh with a local port number, e.g. 9999, and set up your browser to use localhost:9999 as the SOCKS proxy. It worked flawlessly with my Mac OS X SSH client and Solaris 10 stock server.

This has applications beyond routing around hotel paywalls. Many public WiFi access points are unsecured. Even if they are legit (many are peer-to-peer vs. infrastructure, and presumably used by thieves to harvest passwords), they can be snooped for passwords trivially easily. Using SSH and SOCKS provides you with security when using an untrusted Internet access point, even for non-SSL sites. My email uses IMAPS and SMTP TLS so I don’t need to reconfigure it to use SOCKS, but that would also be an important protocol to secure.

All in all, a very worthwhile addition to my toolset. I can’t believe I waited so long to try it.

Update (2009-04-12):

To its credit, New Orleans’ Louis Armstrong international airport has free WiFi throughout the terminal. Chic!