Domain: roysdon.net
Stories and comments across the archive that link to roysdon.net.
Comments · 26
-
Re:As an end-user, is there some way to tell?
There is a Firefox add-on, DNSSEC Validator, which appears to work for the pir.org zone, as well as my own roysdon.net zone. Both are DNSSEC signed, although my roysdon.net is found in the DLV.
You can point the tool to use Comcast's DNSSEC trial resolver which is DLV-enabled at 68.87.68.170.
You can trial Comcast's DNSSEC trial resolver which does not have DLV support at 68.87.64.154 and rely only on the Root signature and previously published ccTLDs like .SE.
pir.org is an example of a zone which you can verify just by having the root zone's key. The root signs .ORG, and .ORG has signed pir.org.
As opposed to DLV-enabled zones, like mine, which rely on dlv.isc.org until .NET is signed. Well, also until Registrars add a way so that .ORG owners can sign their zones.
-
SSL needs to be tied to domain hierarchy.
SSL CA authority needs to be tied to domain hierarchy.
This sort of domain-based CA should be able to be installed via DNS, and DNSSEC should continue to be rolled out, all the way to the client (browsers should have methods to verify root DNSSEC, and follow the chain).
With SSL based on domain hierarchy, you need to know only the root DNS server's DNSSEC key. Everything else flows down from that.
Then CNNIC would only control .CN. The US Gov would theoretically only control .US, .GOV, .EDU. .COM, .NET, .ORG should be run by (as much as I hate to say it) the UN.
I already put SSH key fingerprints in my DNS and verify with DNSSEC-enabled openssh/bind-resolvers. SSL and/or SSL fingerprints could easily be done, if not just the entire CA public key.
-
Re:Video for Everyone code hack is the solution
So read up on Video for Everyone. It addresses all 3, and "just makes it work" with whatever solution you have.
FOSS folks get pure FOSS. Closed-source/license folks get that (and hosts until 2016), and IE folks with flash (c'mon, you can't navigate almost any sites without flash these days). It does this right now with only two encodings and one block of code.
-
Video for Everyone code hack is the solution
For now, the Video for Everyone code hack is the solution. Works on Firefox, Opera, and Chrome natively with Ogg Theora, and Safari natively with H.264, and Internet Explorer with Flash (loading the H.264 content).
Naturally the best solution would be that everyone implements Ogg Theora as a standard fall-back solution, and use their "better/proprietary" solution when available.
-
Re:Wat
The solution to the first-time key exchange is SSHFP + DNSSEC.
-
Re:Buy a real SSL cert, with location info
I found SiteTruth's search worthless. I put in my own domain and it said it was suspect, no address listed on the website. Totally bogus information. One of the first links is to the AUP page, which contains the same address WHOIS has listed. Even if I search giving the AUP link, it cannot find the address. Further, it says no usable certification info - I could see it complain that it doesn't like my CA, but their cert works just fine in any non-Microsoft browser. I find this site worthless as it fails to provide valid information. I could see it complaining that my SSL cert (free for non-commercial, personal use) is a domain-only, but it doesn't, it just says, "No valid cert." Finally, just because something doesn't have a valid business behind it (as in a personal website/email hosting), doesn't mean it is invalid or worthless. Don't give me your money - I'm not asking for it.
-
Biometric
When I read this story, I decided to get my Thinkpad fingerprint working.
So ThinkFinger stores 3 copies of what my finger looks like on my local PC. That makes sense for auth on a local machine. How does this work on an enterprise scale? Are the fingerprint details sent to a remote central storage system which then confirms a match?
If that assumption is correct, how would OpenID-enabled websites work with that? Would your account somehow point to your OpenID "provider" which would have your fingerprint to confirm authentication against? Would the fingerprint go just from the PC you are at to the OpenID provider, which will say, "Yes, it's good" or go via the website first?
With such a single sign-on system, if it did go to the website first, wouldn't there be a danger of some "bad" (or compromised) website storing my fingerprint? I know I don't have my head around how this all works just yet - any good explanation of the technical details? The overview doesn't help much there.
-
Re:Blocking
Using "SSL" over 443 has long worked for bypassing firewalls and even proxies. I wrote about this back in 2003 and have been using it ever since. It works even through a proxy server, as the proxy server just has to blindly forward all "SSL" traffic over port 443. By the very nature of SSL traffic, there is nothing you can do about it. All I do is wrap my SSH (or whatever) traffic inside an "SSL" stream and you can't touch it without breaking every other https site.
The only way to block this would be to create a whitelist of SSL/https sites and allow only those access. Since every business relationship is driven online these days and everyone wants it encrypted, unless you sell tires to folks that walk in and just have a cash register, you're still going to have to allow SSL.
-
IPv6 service in the US
I've thought for a long time that IPv6 is going to be one area that the US will lag behind in networking. Cisco/Linksys will have support (Cisco routers all do now) as they compete in Asia, etc. where IPv6 is already in widespread use.
Can you name 2 ISPs in the US that you can get native IPv6 assignments from?
For some time, I had a 6-bone /48 from Sprintlink.
I know that Verio announced IPv6 service some time ago (2+ years) and that Hurricane Electric has had IPv6 service for a very long time (you can even use HE as a Tunnel Broker).
But how about small/medium businesses or home users that aren't going to pay for a dedicated T1 to one of these ISPs when a cablemodem/dsl is just as fast for downloading and works just fine? While I can tunnel to HE, I'd really like to have native IPv6 service.
Having said that, I haven't dinked with IPv6 in 2 years, and it's been 3 years since I was doing anything serious with it (hosting an IRC node and a MUD, both with native IPv6 access). I want to use it, but it's like the internet in '93 vs. '06...
-
Classic example - getting Java working on FC5
Just today I was on #fedora on irc.freenode.net to get assistance / make sure I was doing things "the right way" to install Java support in RedHat Fedora Core 5. Mind you, Fedora Core is for "developers" or those who want more cutting edge and don't want to pay for RH Enterprise Linux, so it is going to have a bit of a learning curve which you always have to keep up with as things change.
I'd already done some homework in researching at a popular Fedora FAQ website. However, as with many things with Linux, things were out of date, or talking about the wrong version (in this case, that FAQ is still for Fedora Core 4, not FC5).
I checked in at #fedora and asked, "Is the method to install Java at http://www.fedorafaq.org/#java still the best way?" A few folks said yes, another guy (ignacio, who is the classic example of a linux snob with a, "Live free or die" attitude) said, "Not best, use gij" to which someone else fought the battle for me and asked, "Is there plugin support with gij?" and ignacio had to reply, "No." Well, pointless, as the only reason I need Java is for plugin support with my online bank.
So, what I did wrong was that I should have known to ask, "Is this the best way to install Sun's Java?" You already have to almost know the answer to ask the question with some folks. While I can understand trying to do a bit of research and be prepared, it's not that simple. Googling sometimes gives you the answers, but again, there is always that out of date / old version problem that gets in the way. You could spend hours following the "old" method with old versions that don't apply and won't work anymore.
Anyway, I ended up just taking the original FC4 Java install notes and modifying them and put them on my own site for others to hopefully find via my webpage when searching for Fedora Core 5 and Sun's Java: http://jason.roysdon.net/?p=819
-
Donating to the Gnucash project
I've been using Gnucash for close to two years now. It was the final step to me ditching my Windows install, since I was using Quicken before.
Gnucash isn't perfect, but it's got everything I need to keep track of things. I do all my entry manually, although I have imported a few times just testing (I prefer my own formatting and such and don't care which gas station, etc., just that it was a gas station).
I figure if I'd been upgrading Quicken versions, I'd have spent at least $50. Plus, I would like to be able to link to a Windows port on my Free GPL Programs page which I list all the apps I use that others should check out on Windows.
I decided to donate to the cause. Hopefully others who use Gnucash will consider tipping the developers. I'm sure even $5, especially if it's dozens of folks, will help motivate them.
I wish I had the time to bug-test v1.9, but I don't, so I'll tip a little more ;-)
-
Re:OpenDocument
I don't argue that non-techies will learn about this soon enough. However, Donald Parris is hardly a non-techie. He wrote Penguin in the Pew, a pro-Linux book for churches.
The book has a Creative Commons license (Attribution-NoDerivs 2.0), and I've a copy linked on my GPL Programs page.
-
Re:Fantastic!
Gas-guzzling autos and tobacco products are also a big part of certain segments of our population's economy.
I don't think either are acceptable and all need to move to another line of work, and/or adapt. Just because something lines our pocketbooks doesn't mean we should promote or endorse it.
Just offhand (as my son and I were watching C.S. Lewis' _Voyage of the Dawn Treader_ last night), I believe slavery was a big money maker, and illicit drugs still are. Of course, many ways of handling the last, but my point was that just because something makes a lot of money, doesn't mean it should remain or be propped up as some sacred cow.
Speaking of sacred cows and money... oh, wait, that's another story.
-
Re:Not just for Linux
GNUWin are great projects to point folks at Win32 GNU apps, but you should point folks directly to the source, and not to GNUWin sites which haven't been updated recently... rather point them at the source. Faster mirror too.
Oh, ack, just as I was double-checking my facts, I see that GNUWin II updated to OOo 1.1.0 today (Dec/29th), but still, my point is valid if this article was posted yesterday or a new version of OOo came out tomorrow.
I also recommend for Win32 users my own list of [L]GPL apps that I use daily.
-
Brainstorm - don't post your email on your website
Only just today I posted this article about how not to get spam for users of my servers. When 97% of all spam emails within a 6 month period come from website-harvested addresses, it's pretty clear that posting your email address on a website is just plain stupid. Use a form to allow users to contact you, but never allow them to be able to get your address.
-
mirror
aimath.org/primegaps/
aimath.org/primegaps/residueerror/
I'm still working on mirroring all 47 images, but the text is there, and the img tags have great alt text descriptions.
-
Damn cars, ride a 'bike
-
DIVX5 mirrors [was Re:Actually at apple.com]
http://node2.callihq.net/ep2_clone_war_p640.avi
http://jason.roysdon.net/starwars/ep2_clone_war_p640.avi
I've got the rest of the trailers as well:
http://jason.roysdon.net/starwars/
-
Re:Actually at apple.com
It's simply a matter of getting the correct URL. Back when the first trailer came out, someone posted this. It worked just fine to let you grab it. Anyone know where the new URL of the clone_wars 640 version is?
Supposedly MPEG and DIVX5 versions will be posted here, but it'll be a bit if they're uploading with 128kbps.
I'll mirror them as fast as I can get them (along with the rest of the trailers I already have) here.
-
Re:Yeah... old news
-
Re:DivX 5 and MPEG mirror to be hosted
I'll also mirror the files I find available online. I also have the existing 3 previews available now:
Starwars Episode II previews
-
Used PCs and Wireless for low-income families
Funny how this somewhat lacking story gets approved, but yet my post with some actual substance, was rejected last week.
Anyway, here was my original post:
I was sitting around last night and came up with a pipe dream of sharing my ADSL with the rest of my low-income neighbors. I'd like some practical feedback from those of you with experience with Linksys gear (or advise another economical brand, but they seem to be pretty decent as far as low-end 5 port switches and also routers).
My main concern is being able to control any sort of topology loops (STP is used in standard bridging/switching, what about wireless?). How can I control which Linksys acting as a Bridge connects to which other bridges?
Any other design concerns in my little pilot test? What about scaling this to homes beyond... how many Bridges can be connected in series before problems occur?
Details are posted at the following (currently):
http://jason.artoo.net/#home
(now under):
http://jason.artoo.net/#hacker
If a day or two goes by and I blog more, it'll always be up at:
http://jason.artoo.net/blogger/home/2001_10_01_index.html#6148163
Newest posts here:
http://jason.artoo.net/blogger/home/2001_10_01_index.html#6334347
http://jason.roysdon.net/blogger/hacker/2001_10_01_index.html#6334590