Spoofing URLs With Unicode

Embedded Geek writes: "Scientific American has an interesting article about how a pair of students at the Technion-Israel Institute of Technology registered "microsoft.com" with Verisign, using the Russian Cyrillic letters "c" and "o". Even though it is a completely different domain, the two display identically (the article uses the term "homograph"). The work was done for a paper in the Communications of the ACM (the paper itself is not online). The article characterizes attacks using this spoof as "scary, if not entirely probable," assuming that a hacker would have to first take over a page at another site. I disagree: sending out a mail message with the URL waiting to be clicked ("Bill Gates will send you ten dollars!") is just one alternate technique. While security problems with Unicode have been noted here before, this might be a new twist."

Scoring FP

[Strom+Thurmond+(R-SC]

Eat it sluts.

Re:Scoring FP

[handybundler]

hi Strom! good work! Enjoy.

Cntrlled Cntur Trlling and Slipping Cntur trlling is smething that I really enjy. Cntur trlling will allw yu t present yur bait right in frnt f the walleyes nse. In cld frnt cnditins this is essential. What yu're trying t d is stay n a particular depth, r cntur, where it lks like the walleyes are hlding. Walleyes are a structure riented fish, mst f the time. Yu might find large schls n sme Great Lakes that dn't relate t specific structure, but by an large they seek ut structure. These walleyes will be tight t the bttm, laying in the hles between rck and cuts in the bttm. They may be feeding, r waiting in ambush t find an easy meal that cmes their way. When fishing structure, yu have t be able t stay tight t the structure r yur lure presentatin will nt be in the strike zne f the fish. Mve just a bat length away and yu will be ut f luck. The key t lcating walleyes in the river in the spring and early summer starts with lcating a series f bstacles and then allwing yur bait r lure t present itself in a natural manner s the walleye can race frm behind the bstructin t acquire the ffering and then race back int the slack water area t digest his meal and await anther. In the spring f the year the turbidity f the water subsides and walleyes are mre visually stimulated as they see fd flating by the slack water areas. This is nt t say that all walleyes see their fd befre they strike and in sme cases they strike mre ut f vibratin and smell than they d frm visual identificatin. Althugh the backtrlling technique is still ideal fr vertical jigging and live-bait rigging in deep water, walleye prfessinals tday favr trlling frward with a small ?kicker,? typically a 9.9 t 15 hp utbard. Why? It allws them t fish large bdies f water such as reservirs mre effectively at higher speeds that electric trlling mtrs can sustain. Trllers cmmnly use crankbaits, bttm buncers r weighted three-way rigs with crankbaits, spinners r spns. T really slw dwn and fllw the cnturs I use the sea anchr tied ff the bw r starbard side f the bat. This acts like a brake and if I have t keep the rpm?s up a little n my kicker r big mtr it still gives me cntrl t make an inside curve r t allw the lure t track evenly behind the bat n the cntur. If I want t jig a prductive area fr walleyes the Drift Cntrl sea anchr cmes inhandy here als. It gives me cntrl ver the stern f my bat s I can fish a given cntur perpendicularly. By attaching the Drift Cntrl t the stern cleat adjacent t the current it gives me a brake that slws dwn the drift f the back end f my bat and I can crrect the angle with the bw munt trlling mtr. r I can als attach anther ne t the same side f bat in the bw giving me mre drag and a slwer presentatin when I vertically jig this cntur. ne reasn that I like t use jigs while fishing fr spring walleyes in a river system is the cntrl an angler has. Vertically jigging fr walleyes gets my bld pumping and believe me n thse cl crisp spring days when it wuld be nice t be n shre burning a campfire. I need all f my bld pumping just t stay warm. With the prper head design and weight, jigs are the mst versatile f all river techniques, frm the shallwest flded cver t the deepest, fastest current. The majrity f river fishing with jigs invlves either slipping the current r drift fishing the current breaks. The presentatin is a simple lift-drp-pause methd f jigging, raising the jig sme 3 t 6-inches as yu slip dwnstream. The jigs that I prefer t use are Fireball jigs because f the runded head. The runded head allws the jig t bump alng the bttm and nt get hung up in snags r brush. If yu are as vertical as pssible, the jig will stand up allwing the hk t be expsed away frm the flr f the river. When yu tip the jig with a flathead minnw the minnw stands up and lks like it is trying t pick up the jig. As the minnw struggles against the weight f the jig it sends ff wunded signals and the natural scent attracts the walleyes and allws them t hang n just that much lnger. If the walleyes seem t be just biting the tails ff the minnws the Fireball ffers an additinal eye s yu can easily attach a stinger hk. The stinger hk is a great additin in thecld waters f spring and summer. Clrs f the jigs shuld be bright in dingy water. Clrs such as flurescent range, chartreuse and my all time favrite gld are great fr fishing thse spring walleyes. Anytime that yu can bring attentin t yur bait it will help yu up yur dds fr catching thse spring walleyes. Weights may range frm 1/8 t 1/2 unces, but yu shuld stay with the weight that is the lightest that will allw yu have cntact with the bttm. River walleyes have a tendency nt t suspend as much as the walleyes in the lake and yu dn?t have t wrry abut missing a strike zne that is in the fish clumn. I will tip my jig with sme plastic if I want t slw dwn the rate f fall, but current usually fights gravity faster and defeats the purpse f vertical jigging. Slack water fish can als be fund by pitching jigs f 1/16 t 1/8 unce t shreline r cver like flded wd r bulders. The angler in this situatin shuld use a lift drp retrieve t slip r quarter the jig dwnstream as it is retrieved back t the bat. This is a super tactic fr fishing eddies, wing dams r shallw mid river shals. Even in slack water areas I will use the Drift Cntrl sea anchr t slw dwn my presentatin and t stay with active feed walleyes. This same technique is als ne that I use when I fish large bdies f water like Lake Erie. When yu find the feeding fish and there is nt a structural element t stay with yu really want t thrw a Drift Cntrl sea anchr ut and stay with thse fish. therwise yu culd be blwn ff the spt and away frm the active fish. Being in cntrl whether yu are fishing a trlling a cntur, slipping the current r wind r fishing slack water r big expansive waters is the key t catching mre fish. I hpe these techniques prduce fr yu and hpe t see yu n the water sn!

Re:Scoring FP

[L.Torvalds]

Your comment smacks of linux!!!!

Re:Scoring FP

[ArchieBunker]

What the fuck was it?

Re:Scoring FP

[L.Torvalds]

He used LINUX to hax0r up that fine fishing article. LINUX lets you do anything you want, except get a date or take a shower.

Re:Scoring FP

LOL! Keep up the good work!

i see great potential

[vsync64]

microsoft.com :P

Re:i see great potential

[ANY5546]

Dont go to it unless you are into sick nasty pr0n....

WHATEVER FLOATS YOUR BOAT!

Re:i see great potential

?!? !?!? !?!! ?!!? !?! ?!?!?!

This is ON-TOPIC. Read the ARTICLE. MORONS.

Re:i see great potential

Baxter the Cat says: Meowmix is good.

And this fucking post was on topic. You fucking crack moderators read the article.

Crack smoke wafts through air
Humorless moderator
Why do you hate me?


AND NBSP THIS BITCH.

ep

This early post for Ida! I love you!

Re:ep

[Strom+Thurmond+(R-SC]

I ass raped Ida with a toilet plunger.

You're welcome to sloppy seconds.

Re:ep

Wrong Ida, congressman. He's talking about Ida, not Ida Asi Apu, the young bangladeshi boy slave you keep chained to your desk for those times when you need to add your "pork barrel" to somebody's "bill". How do I know about this? Ashcroft broke down at the therapy session and told all. He won't be at your party wednesday night, of course.

fp

[SMN]

w00t. I've got karma to burn.

Eric Bin Raymond: The Sept 11th Conspiracy Reveale

Eric Bin Raymond: The September 11th Conspiracy Revealed

When you have a crime to investigate, and you have no suspects, where do you start? Obviously you begin by looking at the person or persons who have the most to gain by perpetrating the crime.

This is why we must consider: who had something to gain from the disasterous crimes of September 11th? Obviously not Osama Bin Laden, who would net no financial windfall from the destruction of the World Trade Center and the Pentagon. Although he has loudly applauded the "terrorist" acts of September 11th and even tacitly taken credit for them, there is no reason to believe that he is anything more than a bandwagon jumper. Being blamed for the destruction of the World Trade Center has done more for his image than any amount of militant Islamic rhetoric.

But if not Bin Laden, then who?

It so happens that on December 11th, "coincidentally" 2 months after the tragedy, Credit Suisse First Boston quietly agreed to pay out US$100 million in order to settle an 18 month old investigation into its handling of certain high-profile technology IPOs (Initial Public Offerings). One of the most controversial amongst these being the IPO of VA Linux Systems, Inc. (LNUX) .

VA Linux Systems, Inc., now known as VA Software, is widely derided as a poster child of the dot-com bust, though inexplicably still in business. At the time of the IPO, VA Linux (Software) shares opened trading at nearly 10 times their $30 offer price, closing the first day of trading at $239.25. This meteoric rise made many early investors rich, strangely on account of a company which purports to sell a hobbyist operating system which can be obtained for free on the Internet. "The It was then that Eric S. Raymond suggested something he had read in a book by Tom Clancy. Crashing two planes into the World Trade Center Plaza would guarantee the destruction of the SEC offices, killing the operatives and possibly a number of SEC investigators at the same time. The plan seemed flawless, and would cost little more than the price of a few plane tickets. In a secret session, the board voted unanimously in favour of Eric's suggestion, and began to put it into action.

VA Software/Linux, at the time of planning the attacks, had no shortage of H1-B visa workers, who they employed for the purpose of writing and improving hacking, encryption, and other terrorist tools for the Linux operating system. It had been decided that a hand-picked few of these foreign H1-B workers would be used as the "patsies" in the operation. A contest was held, and the most zealotous Linux advocates were chosen for this secret assignment, direct from the board of directors. They accepted their mission after being told that, if successful, it would guarantee the adoption of Linux in the desktop market.

Alan Cox was brought into the fold to provide some planning and logistics for the mission. It was he who determined that since there was no adequate flight simulator software for Linux, the patsies would need to train at a flight school in order to pull off the plan successfully. It was also his idea to hijack a third and fourth plane for the purpose of crashing them into Washington D.C., to express his extreme rage over the DMCA, or Digital Millenium Copyright Act. The board of directors agreed with this addition to the plan in the hopes that it would help divert attention from the purpose of the WTC attack.

The H1-B workers were given false identities by using Linux hacking tools. Once they had attended the necessary flight training, they stayed at the Massachusetts home of Richard M. Stallman for a brief "faith building" retreat. During this time spent at the house of Stallman, between the nauseating stench of patchouli, Stallman's incessant, pitiful recorder playing, and Stallman's droning seminars on the grammatical and syntactical accuracy of various statements by Microsoft representatives, the H1-B workers were effectively hypnotized to the point that they were ready to lay down their lives for Free Software. It was then that they departed for Boston's Logan International Airport to board the planes.

(The preceding inside information has been obtained from a credible source close to the VA Linux/Software Board of Directors. He/she is in hiding for obvious reasons in light of this damning evidence, but has presented hard, physical evidence of VA Software/Linux's complicity in the events of 9/11 to federal investigators.)

I fail to see

[ANY5546]

how this is that important. I mean, who cares if you can register a similar address? www.yahii.com is a typo just like any other mistyped address. I am sure they get a lot of hits from it but I dont think this kind of 'hack' will be that big of a deal.

Re:I fail to see

[NanoGator]

It's important because at least with yahii.com you know that there's something wrong with the address, ie the typo.

But with this unicode spoof, then you could go to a site you think is legitimate, and you'd have no way of knowing it's not.

Re:I fail to see

[bergeron76]

I think you're missing the point... they registered the exact address. Not a "similar" one. I think this is actually quite scary. Hopefully, it's been fixed or will be very soon. If not I may have to go register gOOgle.com.

:)

Re:I fail to see

[Gaccm]

There is a key failure. If someone tried to copy and paste the text into the URL and they weren't using the trick language, it wouldn't work. However if there is a link that says "microsoft.com" then that could send you to a different page. And as everyone knows, people are much more likely to click a link than to copy & paste it in the address bar.

Re:I fail to see

What the hell are you talking about? The clipboard doesn't do OCR on a screenshot or automagically decide that the Russian Cyrillic Unicode character that happens to look like a "c" is equivalent to an ASCII "c"... that would be a pointless programming task. It copies the encoded representation of the characters, Unicode and all, not their rendering in some arbitrary font.

Re:I fail to see

This is true.

Re:I fail to see

[AndyElf]

Domain spoofing is one are. But what if you see an email address on a business card, say @mirsft.com? How do you know what encodings are those 'c', 'a' and 'o' are in (for those with UNICODE brain-damaged browsers the address above should look like ca@microsoft.com)? Same goes for URLs, etc. Another option -- say a Swedish company registers an URL that perfectly represent the name of the comapny in Swedish. With all those umlauts and whatever-they-are-called-those-circles-over-A. And you are sitting there with a US_en keyboard -- how are you expected to type that URL into a location field in your browser?

For the use-cases like this I think that multilingual URLs are a Bad Idea (TM).

Re:I fail to see

[bursch-X]

On a Mac it's pretty simple to find and type any special character, or to switch keyboard layouts on the fly.

Re:I fail to see

[dvdeug]

But what if you see an email address on a business card, say ñà@miñrîsîft.com? How do you know what encodings are those 'c', 'a' and 'o' are in[...]?

Since the surrounding characters are Latin, I think it safe to assume they are 'c', 'a' and 'o'. (BTW: encodings are things like ISO-8859-*, KOI8-R, and so on, which the IDN will only use Unicode. The question should be what script they are in.)

Same goes for URLs, etc.

You've never been prohibitied from using non-ASCII stuff in URLs.

Another option -- say a Swedish company registers an URL that perfectly represent the name of the comapny in Swedish. With all those umlauts and whatever-they-are-called-those-circles-over-A. And you are sitting there with a US_en keyboard -- how are you expected to type that URL into a location field in your browser?

Depending on your system, you can use ALT- or SHIFT-CTRL- combinations and the character numbers. Character Map or the equivelent will also let you enter the characters in.

OTOH, why is this a problem? If they have a large non-Swedish audience, they ought to register an all-ASCII name. If they chose not to, then that's their problem. Odds are any such site will be in Swedish for Swedes.

Re:I fail to see

[GutBomb]

actually as it stands right now you can not have åöä in your address, a large complaint of people in sweden. å is not just an a with a ring over it. å is actually another letter entirely, something lots of english speakers can't get the grasp of.

Re:I fail to see

[dvdeug]

actually as it stands right now you can not have åöä in your address

You can't have it in the domain name. You can have it in the part of the URL following the domain name.

å is actually another letter entirely, something lots of english speakers can't get the grasp of.

I would be surprised to find many English speakers who couldn't learn that. I would expect that most of them just don't know that fact right now, and that many of them really don't care.

Re:I fail to see

[GutBomb]

actually you can not have it anywhere in the url. i tried it. first using cute ftp i tried to create a directory on my web site called "pål" cute wouldn't let me, so i had to ssh in and do it. i created the directory, put i file in there, but when i go to http://www.mydomain.com/pål i get a 404. so you can't have thoe symbols in URLs at all.

Re:I fail to see

[dvdeug]

W3C has a page on the subject. I don't know why it doesn't work in your case; I suspect you're dealing with character set issues, but you didn't mention what webbrowser you were using or anything, so it's hard to tell what went wrong.

Re:I fail to see

What I fail to see is why no-one pointed out that this research was from Israel, America's $3 billion a year welfare state to fund the more backward relatives of certain media and Hollywood giants.

A country which is hated by the Left and can only be hated by a true Right winger because of welfare market, racist immigration policy and foundation on a British mandate which ignored property rights, the idea that any of its insitutes should produce any report worthy even of spilling coffee on is absurd.

Taking this report seriously is akin to reading research on Nazi electric shock treatment and concluding it to be scientifically sound. Actually, at least Nazi experimentation (though as morally reprehensible) involved effort, while most Jewish work involves:

1. Pointing out that you are Jewish.
2. Getting a large grant from one of several Zionist foundations.
3. Buying a large house and car with the grant, and spending 5 minutes on real work (e.g. registering a domain).
4. Pointing out that you are Jewish, again.
5. Waiting for Fox to pick up your story, and getting a favourable interview.
6. Pointing out an association with Israel during your interview, guaranteeing you future TV time.
7. Bathing in a sea of payments while anticipating impending criticism for having done no real work.
8. Point out that you are Jewish, again, and that all your critics are anti-Semitic, that your whole race and religion is the subject of abuse, and that you are a true Israeli^WAmerican.

Re:I fail to see

[$0+31337]

Just because it didn't work for you must mean that your not an idiot and that it must not work for anyone else. I find it amusing that you base your amazing discovery on what works and what doesn't work with CuteFTP and whatever web server your using (I'm assuming IIS.. am I correct?).

Loser.

Re:I fail to see

[GutBomb]

how thew fuck do i ssh uin and create a directory with fucking IIS. i tried mozilla and netscape on linux and i tried mozilla, opera, and IE on win32. none worked. oh yeah, i used apache.

Re:I fail to see

[sbrown123]

Im curious if Verisign can be spoofed similiarly. This would mean I could get a certificate that says "www.microsoft.com". The evil I could do....

Re:I fail to see

I fail to see whatdoes all this nonsense have to do with the topic.

Did you know that Egypt and Saudi Arabia get 5 billion/year from US?

Re:I fail to see

Did you know that Egypt and Saudi Arabia get 5 billion/year from US?

(combined) Yes, I agree, Israel and Saudi Arabia should certainly be lumped together as backward, prejudiced, rights-denying nations. I'm not sure that total payments to Saudi Arabia in the past 50 years have quite reached the well over $100 billion of Israel, but it would be equally shaming if so.

Re:I fail to see

[$0+31337]

You mentioned nothing about SSH in the first post hence I had to judge what type of use you are based on the things that you did actually remember to mention. Apparently you don't grasp web design, apache, or any of the other tools that you would need to do what you want to do (IE: using a search engine).

http://www.w3.org/International/O-URL-code.html

Thanks for playing.

Idiot.

Re:I fail to see

[GutBomb]

actually i clearly stated that cute didn't work so i had to ssh in. read it again before you complain about it. second, i don't really care what the w3c has to say about it. it simply doesn't work. using standard server software and standard client software, it simply does not work.

Re:I fail to see

[$0+31337]

Yeah.. I guess your right... The international web standards group probably wouldn't know what they're talking about while you clearly do. Hey, maybe you should release your own version of apache seeing how the current version is apparently lacking the kind of support you need. Hmmm... Or, wait... Maybe it would just be easier to setup the current version of apache correctly... yeah... that's probably the answer.

GO RED WINGS

DIE AVS!

Re:GO RED WINGS

HAHA, your precious wings got their asses kicked (again)...

Forsberg 0wnZ J00!!

Re:GO RED WINGS

actually, we didnt really get our asses kicked....it went into overtime, and any true fan knows that in this series, the away team is always going to score the overtime goal

so watch out next game if it goes into overtime....there will be a game 7

BTW, FUCK THE CELTICS

Re:GO RED WINGS

I predict the cup will go to Canada this year! O Canadaa!

Re:GO RED WINGS

anyone who really thinks a team in the east is going to beat a team on the west should be shot on the spot

The Futility of Slashdot's Business Model.

Fuck Subscription!

J U N K B U S T E R

Just say NO to annoying StinkGeek banners and in-line 200x200 pixel "Do YOU have reliable [foo]...? Then you NEED SourceForge(TM) Enterprise 2002...! Order today."-esque ads.

CmdrTaco, Homos, Gayme, CowboiKneel, et. al...:GET REAL FUCKING JOBS!

Thank you.

Re:The Futility of Slashdot's Business Model.

[NanoGator]

I don't want to say no to the ads. I've seen 3 ads for stuff I was looking for. It sure beats watching Tampon ads during Star Trek.

Re:The Futility of Slashdot's Business Model.

Senate Majority Leader Tom Daschle yesterday recanted his May 16 charge that President Bush had advance warning of the September 11 terror attacks, the latest example of a top Democrat backing off from such a claim.

"We were told on that particular morning that the president had received a particular set of facts that he may or may not have received. He has denied having received that information. And we accept that," the South Dakota Democrat said on NBC's "Meet the Press."
Mr. Daschle added: "If he says he didn't receive it, I'm not going to challenge that. What I'm going to say is, why didn't he receive it?"
His statement yesterday was in marked contrast to what he said on May 16, when he declared: "I'm gravely concerned about the information provided us just yesterday that the president received a warning in August about the threat of hijackers by Osama bin Laden."
The backtracking by Mr. Daschle came one week after House Minority Leader Richard A. Gephardt, Missouri Democrat, walked away from his earlier statements suggesting that Mr. Bush had warnings before September 11 that might have prevented the deadly terrorist attacks.
Mr. Daschle and other senators appearing on network talk shows yesterday criticized the FBI's handling of pre-September 11 intelligence. Mr. Daschle was particularly critical of what he called "fouled-up information sharing" between the FBI and CIA.
"I don't think anyone implicates the president in this. The question is, why didn't he have this information?" asked Mr. Daschle.
The Senate leader insists he still has confidence in FBI Director Robert S. Mueller III. But he said Mr. Mueller's attempts to reorganize the FBI must go beyond "shuffling the chairs." There must be a "change of attitude, a change of environment, a change in the mentality," Mr. Daschle said.
"That lack of sharing [of intelligence between agencies] is something we've got to address," said Mr. Daschle, who renewed his call for an independent blue-ribbon commission to investigate intelligence lapses before September 11. The Bush administration opposes such a commission.
After Mr. Daschle claimed on May 16 that the president had advance knowledge of the September 11 attacks, Vice President Richard B. Cheney said it was "incendiary," "thoroughly irresponsible" and false for anyone to suggest Mr. Bush had information that could have prevented the attacks.
Asked if he felt his patriotism was being questioned by the vice president, Mr. Daschle said, "Sometimes, I think the administration steps over the line when they make these kinds of accusations."
Pressed as to whether Mr. Cheney's remarks were "over the line," Mr. Daschle said: "I think it's getting close to the line. I think we have a responsibility to ask questions."
In the NBC interview, Mr. Daschle said Democrats and Republicans alike need to "tone down" the "incendiary rhetoric" they've displayed about media leaks or other issues related to September 11.
Mr. Daschle was asked several times if he viewed statements by Rep. Cynthia A. McKinney, Georgia Democrat, as being incendiary and irresponsible. She charged that people died needlessly on September 11 because administration officials had advance warnings about the danger but did not act because they stood to gain financially.
Sen. Zell Miller, Georgia Democrat, has characterized Miss McKinney's comments as "looney, dangerous and irresponsible." But Mr. Daschle yesterday declined to say if he shared that opinion.
Mr. Daschle said he does not know if he has the 60 votes necessary to overcome a filibuster and pass the legislation to create a blue-ribbon commission to investigate missed intelligence opportunities prior to September 11.
"But I'm encouraged by the growing number of Republicans in the Senate who have come forth to say they now support it," he said, adding that he is "reasonably confident" the votes will be there to pass the legislation when it comes to the floor sometime next month.
But key Republicans who appeared on talk shows yesterday, such as Senate Minority Leader Trent Lott and Rep. Porter J. Goss, chairman of the House intelligence committee, opposed the idea of an outside investigation.
On "Fox News Sunday," Mr. Goss, Florida Republican, said he thinks it would be hard to pull together an independent panel, and he worries it could be responsible for "egregious leaks."
Mr. Lott, who appeared on CBS' "Face the Nation," said that in the past six years, "something like six commissions" have studied aviation safety and other security issues. He suggested Congress read those reports, which cost "millions of dollars" to prepare, before creating yet another commission.
Mr. Daschle said Mr. Bush asked him on Jan. 28 not to seek an outside commission to investigate the September 11 attacks. Mr. Daschle said previously that Mr. Cheney made a similar request Jan. 24.
"They were concerned about the diversion of resources," Mr. Daschle said on NBC, adding that the request was repeated on other dates.
Mr. Bush and Mr. Cheney said last week that Congress' intelligence committees -- which can keep secret the classified information supplied by the administration -- are the proper panels for an investigation.
National Security Advisor Condoleezza Rice reinforced that position yesterday, saying the administration worries "about anything that would take place outside of the intelligence committees."
Miss Rice said ongoing FBI investigations shouldn't be jeopardized by information "spread to the first pages of the newspapers."

Our Task is Obvious

[donnacha]

So, what would be the cyrillic for Slashdot.org?

Re:Our Task is Obvious

slashdotski.org

Re:Our Task is Obvious

[SEWilco]

...and will Slashcode allow Unicode in a new Hemos or timothy user?

old trick

[krokodil]

It is widely used on russian-language IRC
networks like RusNet. http://www.irc.net.ru/

HAHA

[paz5]

Sounds a bit amusing to me.... anybody have a link to the website they made to give us a demo of the displayed link?

The web is a disaster

It's time that we do away with the web as a medium to exchange information. A plain text file on an ftp server will do away with all of these hassles. Netscape 4.x need will never die.

homograph

Huh huh, he said homograph

Re:homograph

[dangermouse]

The quotes are there because he's talking about the term itself, not the meaning that it conveys.

If I tell you that the word "word" has four letters, I have to put it in quotes. Otherwise I'm saying that the word word has four letters, and you're left wondering what a "word word" is.

Re:homograph

[ComputerSlicer23]

Homograph is a real word (spelled identically, but have different meanings think fair ( just or morally right (life isn't fair), appealling appearance (fair skinned), a market place), but they are using it a new context. The occurance of using Unicode to do bad things with domains is so uncommon there is no word for it, they coined a word to make it something they could actually talk about.

In this case, they high-jacked another word that had roughly the right meaning. Homograph had a meaning long before Unicode or IE, or Microsoft existed, so the strict English definition has nothing to do with where they used it. Assuming it becomes a common enough usage, it won't rate quotes. I'm sure an expression like "surfing the 'net", and other terms that were coined started life out with quotes.

Of course, this site's name has been turned into a verb, and nobody blinks an eye. As a general rule geeks grok overloading a word quite well, so this is all me being redundent in explaining it.

Re:homograph

It's in quotes so as not to offend any narrow-minded pseudo-liberals who think that the "homo" part's only meaning concerns someone's sexual preference.

Re:homograph

[GMontag451]

Homograph is a real word (spelled identically, but have different meanings think fair ( just or morally right (life isn't fair), appealling appearance (fair skinned), a market place), but they are using it a new context. The occurance of using Unicode to do bad things with domains is so uncommon there is no word for it, they coined a word to make it something they could actually talk about.

I would think a better term to coin would be "homoglyph", because that is what it is. Two different characters with the same glyph. Plus this has the advantage of not being a word already in use (to my knowledge).

Re:homograph

[Guru2Newbie]

Or is it in reference to an record player that can only play the same record over & over?

Good idea for trolling

[propstoalldeadhomiez]

Register a slashdot.org, using the different characters, and link it to goatse.cx. Now _that's_ a scary thought.

Deodorant

Gel, stick, or spray?

Re:Deodorant

Tim and Jane got married and
she was at the drug store
looking at the men's toiletries.

A clerk comes up to help her
and asks if she needs assistance.

"I'm looking for some deodorant
for my new husband Tim, but I
don't know what type he uses."

The clerk says, "Is it the ball
type?"

"No," says Jane, "it's for his
underarms."

Re:Deodorant

What the HELL are you doing posting this!?

This is a LINUX advocacy site. Linux users don't use deodorant, take showers, shave, or any other grooming.

My God, man. Are you new here or just thick-headed?

Re:Deodorant

I use roll-on. Where does it land?

Done in DOS a long time ago

[aoihai]

Anyone else remember using alt+255 and other special characters to make hard to open directories (idiot proof anyway) on shared command line systems?

Re:Done in DOS a long time ago

It still works today. It's especially cool in Windows Explorer, which returns neat-o errors like "the file cannot be deleted" when trying to work with them.

~~~

Re:Done in DOS a long time ago

[larry+bagina]

I recently created some DOS files with embedded :s in their names (from BeOS). Windows wouldn't touch em at all.

On a similar note, "...", ".. ", etc were common directory names for hiding warez, etc, on unix servers, at least back when I was an admin.

Re:Done in DOS a long time ago

[Hollinger]

There was something from way back when that would effectively "lock" a folder in explorer in Win95 and make it damn hard to open in DOS. I think you had to go to a prompt and tag an +255 or something to the leading or trailing edge of the folder name.

Re:Done in DOS a long time ago

I remember

Re:Done in DOS a long time ago

We used to use techniques like this when I was back in first and second year university.

If I recall correctly we had Duke Nukem, Warcraft2 and Quake all stored on the business faculties netware server so we could download them into whichever lab we were in and have a LAN session.

Re:Done in DOS a long time ago

[chabotc]

Tabs, spaces, dots and even backspaces... *sigh* those were the days directories could still be confusing, hidden and full of illegal software.. On second thought, nothing changed realy, except that now nothing on the net is hidden anymore ;-)

Re:Done in DOS a long time ago

[achurch]

Yes! I remember making a whole tree of directories like that on my parents' 286 back when I was a kid, to keep my stuff hidden (I very conveniently ignored the fact that my dad had about 15 years of computer experience even then, because I was obviously being so clever). In order to remember where it was myself, I used the digits of pi, so the top directory had 3 Alt-255's, the next one had 1, the next 4, and so on. For a fifth grader I sure was proud of myself--my very own passworded directory, that no one could possibly guess at!

. . .

Sure is a good thing that computer isn't still hanging around . . .

Re:Done in DOS a long time ago

Someone has created a couple of directories on my machine via ftp I can't get rid of (until I reinstalled):

- one was called 'com'. This is an obviois attempt o crash an unpatched win95 box. Doesn't work on 2000, but you can't delete the directory.
- the other was a single (?) character that looked like a space. It could not be deleted, renamed, moved, deleted with parent, from dos, from safe mode. It gave a weird error when you tried to delete it, not the usual permission denied after you click OK in the Confirm dialog; it appeared even BEFORE that point.

A cookie for anyone who can help with either one of those.

Re:Done in DOS a long time ago

[GutBomb]

boot from a linux floppy, mount the hard drive, and deltete it from there.

Re:Done in DOS a long time ago

Yeah, I remember using backspace to completely hide the directory with 'ls' on a MUD-system. Some years later, I heard the admins found it out during shell-scripting (bet 'find' was the perpetrator ;). I never used the illegal commands for anything later, but it was nice to have secretly stored somewhere. In my experience, it's more fun to hack into the system than using the tools actively.

Re:Done in DOS a long time ago

[Jugalator]

You mean this one: ""

Ha! Still possible in Windows 2000. That's so much MS when you think about it. :)

Re:Done in DOS a long time ago

[Richard_at_work]

On second thought, nothing changed realy, except that now nothing on the net is hidden anymore ;-)

Hmmm i think there is something hidden on the net, usefull stuff on /. :)

Re:Done in DOS a long time ago

[LadyLucky]

That's brilliance. One hopes you turned out ok, not some broken, hollow, shell of a man(?).

Re:Done in DOS a long time ago

[Dahan]

The directory's probably not "com", since there's nothing wrong at all with that as a file or directory name. Maybe you mean "com1" or "con"? In any case, those names are reserved, since they're DOS device names--you can't name a directory that. However, you can make "com1 " (trailing space), which Explorer doesn't know how to handle.

Anyways, an easy way to get rid of directories with leading/trailing spaces in their names is to open a command prompt and do "dir /x" to show the short names, then "rd /s shortn~1"

Re:Done in DOS a long time ago

Well, at least until he used XTree and your directories showed up in plain site. :-)

Re:Done in DOS a long time ago

[the_real_tigga]

yes, and on the probably most virus-plagued system ever, good old AMIGA, there were some viruses whose executable names consisted of non-printable characters, so they would not show in the LIST and DIR commands (well, as "empty" lines anyway).

IIRC the infamous "Lamer Exterminator" series used this, among others.

yes I know its virii

Re:Done in DOS a long time ago

[egreB]

No offence, but I think you missed the point. The parent poster was talking about locking a folder for access from others, not for himself.. If he wanted to delete it, he would do that from DOS (by typing the name and the Alt+255-combination he had to remember).. And you could always use other file managers. IIRC, the Norton Commander could do that.

Re:Done in DOS a long time ago

[stevey]

I wrote a lot of software for DOS systems which would display a screenfull of random rants/information when called with cmd "/?+ALT+255"

I've often wondered how many people discovered this ... (Fair enough the text of the rant would have been visible in the binary itself; I didn't use any encrption initially, then later I discovered rot13 and started using that).

Re:Done in DOS a long time ago

I have found that the old DOS file list program (list.com funnily enough) can delete otherwise intractable directories.

Still...

[NickRob]

How many people can type the cryllic letters? I'm not sure what option and control keys invoke them. It'll be fun for spoof and protest sites, but not much else.

Re:Still...

Probably not as many as could click on a link in an email purporting to be from Microsoft, that needs, say, their credit card number to continue their XP activation.

Re:Still...

[arivanov]

In windows (the EU edition) - anyone. Just add the language. Your only problem is that the idiots in Redmond have yet to add a keyboard editor (something that has been present in all third party internationalisation packages since Windows 3.10). As a result you will be stuck with some extremely obscene keymap inherited from a cyrillic typewriter. Alternatively you can pick up dlls from third party cyrillisation packages made for older windows versions and violate the sanctity of the MSFT sertificate by slapping it on top of the current ones. It usually works. And you get a proper keymap.

Under unix it is usually a bit more p*** in the a*** because most internationalisations rely on Xmodmap and it no longer works nowdays. Once again by default you will get stuck with something you cannot use unless you have a keyboard that is engraved with the alternate characters. Once again you will need to spend half an hour with vi swearing at whoever made Xmodmap not to work any more in order to get a less obscene keymap.

Re:Still...

[ncc74656]

How many people can type the cryllic letters?

The Alt-keypad trick only works for 8-bit characters, AFAIK. You can copy characters out of Character Map (in Win2K/XP, not Win9x...Win9x's Character Map doesn't grok Unicode) and paste them into whatever you're typing, though: , , etc. (I think the first is "da" and the second is "nyet"...saw something that looked like that in a banner ad on a Russian website recently.)

If all else fails and you're editing HTML, you can escape the character entries, so that (for instance) gets entered as да.

Re:Still...

[WWWWolf]

XEmacs and MULE-UCS + GNU Recode, oh my =)

MULE is nice because it has "cyrillic-translit" input mode; I don't need a keyboard overlay, I just type the Latin approximation and out comes Cyrillic!

, ? (Sorry, my Russian is hopelessly rusted =)

Re:Still...

With the Mandrake 8.2 default keymap I can type a lot of odd characters by using AltGr+char sequences. If I got off my lazy ass and remapped the right Windoze key to 'compose' then I probably could type pretty much anything I wanted (Sorry, can't do eny examples here, I'm not at my home box).

Re:Still...

Guys, he said the "option and control" keys, so give him some Mac-based options...

I gave m1cr0s0ft.com my credit card number!!!!

Should I be concerned?

Re:I gave m1cr0s0ft.com my credit card number!!!!

[Roosey]

No, not at all. In fact, it's probably more secure there than with Passport. :]

Re:I gave m1cr0s0ft.com my credit card number!!!!

[NoMoreNicksLeft]

No. Thieves are alot less likely to steal from you than M$, and if they do, it will still be for less.

Re:I gave m1cr0s0ft.com my credit card number!!!!

[Have+Blue]

Don't worry, I'll take good care of it.

Re:I gave m1cr0s0ft.com my credit card number!!!!

[Dr.+Awktagon]

Whew, good thing you caught it in time! Don't worry, the credit card companies can take care of it, no worries, just enter your name,credit card number, social security number, and mother's maiden name at each of the following URLs:

• AMERlCANEXPRESS.COM
• ClTlBANK.COM
• FlRSTUSA.COM
• DlSCOVERCARDS.COM

(Those all use "ell" instead of "eye" when possible.. they look exactly the same with my fonts.. Since there already "homographs" in plain ASCII, and plus Javascript mouseovers can be used to change the browser status area, and plus many people don't even fully understand the difference between "microsoft.com" and "microsoft.evil.com", this Unicode trick is nothing to worry (more) about!)

Re:I gave m1cr0s0ft.com my credit card number!!!!

I wondered why my m1cr0s0ft.com registered version of W0rd and 0utl00k required an Amiga emulator and comes up in Malaysian.

Re:I gave m1cr0s0ft.com my credit card number!!!!

[stud9920]

We, at m1cr0s0ft, have always felt concerned about our customers' privacy protection. Drop us a mail with your coordinates and creditcard references, and we'll gladly remove you from our files.

Re:I gave m1cr0s0ft.com my credit card number!!!!

[Tet]

Javascript mouseovers can be used to change the browser status area

Not in my browser they can't. Edit -> Preferences -> Advanced -> Scripts & Windows -> Allow webpages to change status bar text.

Workaround

[neolazer]

What is InterNic and such doing in the meantime to help prevent spoofs such as this? The Legal ramifications of this are interesting. One could also post stories with false links, that most people would never even realize weren't true.

Re:Workaround

[larry+bagina]

are you suggesting the slashdot editors are lazy and/or incompetent?

Re:Workaround

[wo1verin3]

It doesn't take that much effort to fool people.

I took a call from a customer who got Windows with his pc and wanted a refund because he was going to use linux.... (i think he's smart)

While we're talking about my recent install of xfree86 4.2.0 he mentions MS is taking over linux now with MS Linux and belives it's real. (i realize he's dumb)

I spent the required time to guide him to the domain whois to show him this page isn't owned by Microsoft. He thought the quotes on the page are real....

sigh, anyway it's not hard to fool people

Re:Workaround

Somehow, the "Microsoft Invades Cuba" and "Microsoft Monkey Colony on Mars" articles didn't clue him in?

double sigh.

Re:Workaround

>> What is 1nterN1c and such doing to prevent

They could give a shit. Could mean more domains to sell (mostly out of fear to the same companies).

Re:Workaround

Consider spoofs of Credit Bureau domains for a minute and you'll see how serious this is.

Re:Workaround

Ars Technica, of all people, got caught with the "@" trick, spoofing a cnn site a while back. Stopping spoofing altogether will be very tricky.

Big risk my arse!

"One example is a homograph of microsoft.com incorporating the Russian Cyrillic letters "c" and "o," which are almost indistinguishable from their Latin alphabet counterparts. The two students who registered it, Evgeniy Gabrilovich and Alex Gontmakher of the Technion-Israel Institute of Technology in Haifa did so to make a point: they suggest that a hacker could register such a name and take advantage of users' propensity to click on, rather than type in, Web links"

Umm...[a href=http://www.foo.com]http://www.microsoft.com[/ a]

Do you think granny is looking in her Status bar?

Re:Big risk my arse!

[prizzznecious]

This is a good point. Slashdotters should realize this, considering all the trouble that the management here has done to make Goatse links more obvious. If the paranoid open-sourcers don't look where they click, it's highly improbable that granny is either, and there are far more grannies than open sourcers. The above respondent obviously didn't understand the point of the parent post.

Re:Big risk my arse!

uhh, he was talking about how easy it is to fool people, even without using this new russian character trick

Re:Big risk my arse!

[Chacham]

Do you think granny is looking in her Status bar?

It's not getting there that they are so worried about. I don't believe the article tackles that at all. It talks more about when following a link, and getting there, that the page looks like the real one. Yes, anyone can spoof a page, but this is looking in the address bar. And people who do banking or other sensitive activities, are likely to look in the address bar, or at least notice it should something be incorrect.

Further, if the link is hacked on a legitimate site, it would be much harder for a reviewer to easily notice the bad HTML.

Lunix saves the day!

[Serial+Troller]

But all I see is ?????????.com. Fortunately this "superior" Lunix operating system's complete lack of Unicode support protects me from these evil hackers!

Re:Lunix saves the day!

[John+Hasler]

"...this "superior" Lunix operating system's complete lack of Unicode support..."

Try Linux. It's had Unicode for years.

Re:Lunix saves the day!

But he'll have to wait until they have a C64 port of Linux!

Re:Lunix saves the day!

[geogeek6_7]

I'll confirm this. Unicode characters show up brilliantly in my filesystems and webbrowser....

Terminology whine

[tulare]

"Russian Cyrillic?"
The Cyrillic alphabet was developed a long time ago by a religious man (guess what his name was), because the Russian peoples he was trying to convert had no written alphabet. So it could be said that "Russian Cyrillic" is redundant. However, the cyrillic alphabet is in use by various languages today, and I seriously doubt the the "c" and "o" characters mentioned in the article are unique to the K018R charset.
'Course, I could be wrong. If someone out there is a Unicode nerd and knows different, I will bow to the higher authority.

Re:Terminology whine

[os2fan]

Russian Cyrillic is not redundant. The other languages that use cyrillic letters have different letters, (eg Ukrainian has an "I", instead of the back-to-front N), and some of the Russian letters are uniquely Russian.

Re:Terminology whine

[RelliK]

The Cyrillic alphabet was developed a long time ago by a religious man (guess what his name was), because the Russian peoples he was trying to convert had no written alphabet

That is false. Russian people had alphabet long before Cyrillic. Incidentally, that should really be proto-Russian, or Eastern Slavic since the people diverged into Russian, Ukrainian, and Belorussian much later.

So it could be said that "Russian Cyrillic" is redundant.

It is not. There are several "dialects" of the Cyrillic alphabet. They are mostly the same but a few letters are different. I already mentioned three of them above. There's also Bulgarian, Serbian, and I'm not sure what else.

I seriously doubt the the "c" and "o" characters mentioned in the article are unique to the K018R charset

The charset is called KOI8-R. Or are you using the l33t sp3lling?

Re:Terminology whine

[tulare]

That is false. Russian people had alphabet long before Cyrillic. Incidentally, that should really be proto-Russian, or Eastern Slavic since the people diverged into Russian, Ukrainian, and Belorussian much later.

Fair 'nough. The good bishop simply wanted a written language that he understood, so that he could teach his religion. So the creation of the Cyrillic alphabet is a matter of convenience for the religious powers-that-be of the time. Not a new story, unfortunately. And your point about proto-Russian is well-taken.

It is not. There are several "dialects" of the Cyrillic alphabet. They are mostly the same but a few letters are different. I already mentioned three of them above. There's also Bulgarian, Serbian, and I'm not sure what else.

While in the broadest sense, you are right (I have a great story outside the context of this article on a miscommunication on my part with a Ukranian individual who I mistakenly thought was speaking Russian) in the context of my point about those two specific characters, I disagree. Again, a Unicode geek could prove me wrong.

The charset is called KOI8-R. Or are you using the l33t sp3lling?

Lol, heh. You are right on there. I was just dashing off a reply to the article, and wasn't paying enough attention to the niceties. l33t sp311ing was farthest from my mind, b3 a55ur3d.

Re:Terminology whine

[VP]

St. Cyrill developed the Glagolic alphabet, based on the slavic dialects spoken on the Balkan peninsula, and used it in translating the Christian holly scriptures for the slavic tribes in Moravia (today's Hungary/Slovakia). His student, St. Clement, developed the improved Cyrillic alphabet and spread its use in Bulgaria, from where it was adopted by Russia, Serbia, and others...

Today there are several variants of Cyrillic - Bulgarian, Serbian, Macedonian, Russian, Ukrainian, and it was used even in some of the former soviet republics and Mongolia, whose languages are very far from Slavic.

Also, KOI8 is not considered the Cyrillic codeset by other cyrillic-using nations, it is rather considered the Russian cyrillic code set. Other codesets are the Windows 1251, and ISO-8859-5. The latter would arguably be the standard Cyrillic code set.

Re:Terminology whine

[RelliK]

St. Cyrill developed the Glagolic alphabet

Uhhm, no. Glagolic is the alphabet that was used before Cyrill came along. It looks nothing at all like Cyrillic.

and it was used even in some of the former soviet republics and Mongolia, whose languages are very far from Slavic.

Yeah, that was really weird. You can recognize the letters but the words look like total abracadabra.

Re:Terminology whine

Georgians (next to Turkey, and the best part of old Russia) still use the original alphabet. No Cyrillic here, thanks.

Re:Terminology whine

[tulare]

Er, no. Cyril developed the "Cyrillic" alphabet, although your statement of his intentions is correct. (I don't believe he was much of a saint, btw)
I do thank you for the correction on the charsets. I kind of knew that would happen :)

Re:Terminology whine

[markov_chain]

Actually, no. Glagolitic was indeed invented by Cyrill and Methodius, in the 9th century. I don't know where the previous poster got the St. Clement reference. See here for the character set and a bit of history.

These two also invented cyrillic. The difference is that glagolitic didn't survive very long, while the cyrillic is still in use today. The last country to use glagolitic in any quantity is Croatia, up to the end of the 19th century.

Re:Terminology whine

OP had it right Cyril and Methodius pre dated the Cyrillic Alphabet by quite a few years. Their adaptation of the Greek Alphabet to slavic languages was Glagolitic.

Re:Terminology whine

[markov_chain]

I found out about Clement after more digging. For example according to this link, Clement took the glagolitic, invented by Cyrill and Methodius, rewrote it into cyrillic, and spread in Bulgaria. Later it spread further east and north.

Re:Terminology whine

[VP]

I said:
St. Cyrill developed the Glagolic alphabet

RelliK said:
Uhhm, no. Glagolic is the alphabet that was used before Cyrill came along. It looks nothing at all like Cyrillic.

I am sorry, but you are wrong. The Glagolic did not look anything like the Cyrillic, but it was the alphabet created by St. Cyrill and his brother Methodius. The Glagolic looked somewhat like the ancient Armenian, Georgian, and Ethiopian alphabets, also developed by Byzanthine missionaries for the native languages in these areas.

The Cyrillic was created by St. Clement, a student of St. Cyrill. Thew alphabet was much simpler - for all the common sounds, it used the Greek letters, and only made up new letters for the sounds specific to the Slavs.

Here is a link, although not everything there is historically accurate (if there is such a thing):
http://www.volgawriter.com/VW Cyrillic.htm

Another, with a definitive set of Cyrillic encodings is here: http://czyborra.com/charsets/cyrillic.html.

Re:Terminology whine

[VP]

Er, no. Cyril developed the "Cyrillic" alphabet, although your statement of his intentions is correct. (I don't believe he was much of a saint, btw)

I am sorry, but you are wrong - please see my other post for some links. Here is another: http://education.yahoo.com/search/be?lb=t&p=url%3A c/cyrillic_alphabet

IMO, the major contribution of St. Cyrill and Methodius is not the creation of an alphabet, but their disputes with the Western church and the Pope regarding the right for the different peoples to learn and practice Christianity in their own language. Up to that point only Latin, Greek and Hebrew was used in church services...

Re:Terminology whine

[RelliK]

Can you perhaps explain why KOI8 characters are out of order? This is so stupid and I'm amazed KOI8 is still in use. How do you sort stuff alphabetically if you can't just do an integer comparison? Would be really slow to use some funky custom sorting routine.

Re:Terminology whine

[dvdeug]

How do you sort stuff alphabetically if you can't just do an integer comparison?

Unicode Sorting Algorithm.

Would be really slow to use some funky custom sorting routine.

What are you running? There are massive databases that use binary compare, and bitty boxes that use binary compare, but even my 386 should be able to do decent sorting in a negligable amount of time.

I don't know of many character sets that put the characters in sort order. ASCII doesn't work for English, because capital letters and lower case letters don't sort together. Latin-1 puts all its characters after ASCII, when some of them should sort with the ASCII characters.

As for why, the fact is it's not an option in a multilingual enviroment. Lithuanian sorts y after j; Swedish, German and Danish use some of the same accented characters, but sort them differently. The whole concept of binary sorting fails for some languages; Maltese and traditional Spanish both sort two letters ("ch" and "ll" for Spanish) as if they were one, and German sorts one letter ("ß") as if it were two ("ss").

Re:Terminology whine

[VP]

Can you perhaps explain why KOI8 characters are out of order?

Because they were ordered as a transliteration for the Latin alphabet (sorry, can't put it in Cyrillic): ABCDEF instead of ABVGDE.

My guess is that this was done to easily transform Russian text written using the Latin alphabet into Cyrillic by simply flipping a bit.....

Re:Terminology whine

[Governerd]

Well, there is a monument in Moscow to two monks, Cyril and Methodius. They may have been canonized in the Russian Orthodox Church, but I am not sure -- pardon me for omitting the "St." if so. The cyrillic alphabet is indeed used by a number of languages, with variations, but is based on writing used in Byzanthium.

Re:Terminology whine

[arivanov]

Excuse me...

I think your knowledge of the subject is a bit off...

It was not developed for russian use at all. It was developed in Moravia which spanned most of current Chech Republic and bits of Slovakia. In other words it was developed for what has become Chech nowdays. The people who developed it were fairly high in the hierarchy of the Moravian church but got nailed for herecy by their superiors in Rome.

After that they fled to Bulgaria and from there on the alphabet spread to Russia. Considering that at that time the Bulgarian Empire span most of the Balkan peninsula and both bulgarians and serbians claim it to be in their ancestry I will skip on where did Serbians get the alphabet to avoid a Balkan flame war. Let's say once upon a time it was one country.

After that the alphabet went through at least several simplifications and changes of the writing. One around 9-10th century, one during the church reform in the middle ages in russia and one more in most slavic countries just before the first world war.

In any case:

• It took several senturies between the invention of the alphabet and it landing in Russia. Russians have actually started selebrating the origins of their alphabet in 1991. Before that it was a topic that was usually skipped in their history books.
• All nations using it have different versions. That includes Serbs, Bulgarians, Russians, Bellorussians, Ukrainians,etc and the eastern ortodox church (the latter uses an ancient dialekt corresponding to 9-10th century south slavic). So saying Russian cyrillic is not redundant. It is a different alphabet from Bulgarian, Ukrainian, etc. Most of them contains letters specific only to the particular language. The computer encodings are different as well.

Re:Terminology whine

[zBoD]

> The charset is called KOI8-R.

Who cares ??

_
BoD

Re:Terminology whine

[Reziac]

As an aside, to me the various flavours of Cyrillic look like the character set was ultimately derived mostly from Greek, which seems reasonable if it was developed in the Balkan region. Anyone know any further-back history on it??

Re:Terminology whine

[Kaa]

Err... RelliK, how about attributing your .sig?

x509 good

[Moosifer]

Yet another reason why everything should run over ssl/tls. Like my grandmother always used to say "encryption good, gangrene bad."

Re:x509 good

[vegetablespork]

Because goodness knows, everybody critically evaluates that popup from their browser saying there's a problem with the site's SSL certificate, and doesn't just click "OK"

Re:x509 good

How does encryption solve the problem of VeriSign giving away certificates that say "microsoft.com" in Cyrillic? The browser/mailer would tell you the cert was 100% valid.

Viruses

Imagine launching a virus from this domain and calling it a "Windows Patch". All the brain dead end users look to the message properties, "oh yea it resolves to "microsoft.com" it must be legit!" Next thing you knoew bewm you're infected. The ultimate virus.

Re:Viruses

You act as if there is a difference between a Windows Update and a virus. This reasoning is, unfortunately, flawed.

Re:Viruses

I woke up this morning, and my finger smelled like pussy. Yep, sure enough, I got drunk last night and woke up next to some skanky bitch.

Aw, well, beats recompiling a linuxkernel any day!

Re:Viruses

[woboz]

you could send a virus claiming to be a microsoft update from virusthatwillcrashyourcomputer.com and half the idiots running windows would still download it.

Re:Viruses

LOLOL! You made a Microsoft joke!

WHY THIS IS IMPORTANT

people seem to be missing the point in this thread. Here is why this is very important.

When you pay money, say with paypal.com, you always want to check the URL. Of course someone could have fake link like: "click here to pay with paypal" and then redirect you to their bogus site with the intention of stealing your passwords. But it would be fairly obvious from the location bar in the broswer that the URL was not paypal.com. But if unicode can be used to spoof the location bar then it will rope in even cautious users.

Re:WHY THIS IS IMPORTANT

[larry+bagina]

cautious users don't user paypal

Re:WHY THIS IS IMPORTANT

[Teknogeek]

>> people seem to be missing the point in this thread. Here is why this is very important.

>> When you pay money, say with paypal.com, you always want to check the URL. Of course someone could have fake link like: "click here
>> to pay with paypal" and then redirect you to their bogus site with the intention of stealing your passwords. But it would be
>> fairly obvious from the location bar in the broswer that the URL was not paypal.com. But if unicode can be used to spoof the location
>> bar then it will rope in even cautious users.

Finally, someone gets it.

Figures it'd be an AC, and so this'd probably get ignored.

While I'm savvy enough to check the URL for that sort of thing, I'd probably miss it if they encoded it like that.

Imagine...a security hole that has NOTHING to do with Microsoft. (Proof-of-concept notwithstanding, of course.)

Re:WHY THIS IS IMPORTANT

[Compuser]

I wish browsers showed IPs as well as URLs in
the location box. Can I get Mozilla to do this?

Re:WHY THIS IS IMPORTANT

[cybermage]

But if unicode can be used to spoof the location bar then it will rope in even cautious users

Ewww.....

I wonder if unicode is even supposed to be allowed in domain names. If not, maybe this will prompt Microsoft, Mozilla, and the like to error when the host/domain contains unicode.

Until then, I guess I'll retype the host/domain of any site I intend to log into before doing so. What a pain.

If unicode is valid, heaven help us. With registrars charging as little as $8 for a domain, you know they aren't checking these things.

You're my hero, AC.

Re:WHY THIS IS IMPORTANT

[Da+Web+Guru]

So basically, you are going to ask someone (most likely a computer illiterate user) who already doesn't bother to verify the letters in a URL to now compare the hostname to the IP address?

Re:WHY THIS IS IMPORTANT

[dirgotronix]

> But it would be fairly obvious from the location bar in the broswer that the URL was not paypal.com.

Actually, it takes very little knowledge of javascript to fool the browser into changing the status bar text. window.status I believe. If one were anal, like myself, either turn off javascript completely, or copy the link location into a text editor first.

Re:WHY THIS IS IMPORTANT

[RussGarrett]

Unicode IS valid in domains now, so the Russians and the Chineese, etc. can have domains in their own character set, instead of having to live with latin characters.

Re:WHY THIS IS IMPORTANT

[Permission+Denied]

I wonder if unicode is even supposed to be allowed in domain names.

Absolutely. click here for a demonstration. I haven't yet used a browser that could handle the links on that page. I share your disgust.

Re:WHY THIS IS IMPORTANT

[weatherboy]

Worked for me - I went to the page and clicked the "pi.cr.yp.to" link, went to the site, no problemo. Using IE 5.1 for Mac OS X 10.1.4.

Re:WHY THIS IS IMPORTANT

> Until then, I guess I'll retype the host/domain of any site I intend to log into before doing so. What a pain.

Well, no. Type it in once and use bookmarks. No pain :-)

Re:WHY THIS IS IMPORTANT

[jeffy210]

Yes, but why would you be doing something such as an online transaction without using SSL. SSL certificates are bound to the server and the domain name. VeriSign and most other CAs are not going to give them a certificate that easily. Even if they use their own CA to issue a certificate, the browser would recognize it's not from a trusted source. So even the cautious browser should be fine assuming they exert a little bit of common sense.

Re:WHY THIS IS IMPORTANT

[GMontag451]

Wouldn't work for me. I'm using Opera for Mac. I have to say, Opera for Mac has got to be one of the shittiest browsers I've ever used. The UI is so slow that half the time I make spelling errors when typing URLs because I can't see what I'm typing until I stop typing and wait for Opera to catch up.

The only reason I use it at all is because my favorite browser, iCab, doesn't display nested comments on Slashdot correctly for some strange reason. The show up unindented.

Re:WHY THIS IS IMPORTANT

But it would be fairly obvious from the location bar in the broswer that the URL was not paypal.com.

I seem to recall some exploit on SecurityFocus where the browser bar URL was spoofed with JavaScript. So the Unicode exploit isn't needed, but it makes things easier (can get people who don't run JavaScript). Of course, if you type the URLs in by hand....

Re:WHY THIS IS IMPORTANT

[Compuser]

No, I'd just like this feature for myself.

I would have thought it wasn't a problem except...

[SwellJoe]

I recently received an email from a confused user who had received an email that appeared to be from Apple, and was selling Apple products using Apple logos, Apple website concepts and images, etc., but was not from Apple. He didn't sign up for the list, and though it appeared to be a legitimate Apple affiliate as far as I could tell (though perhaps one that used somewhat shaky methods to reach customers), he was confused why Apple was sending him email that he didn't ask for. It was his belief that the mail had actually come from Apple, because it looked like it was from Apple.

Non-nerds have proven to be extremely difficult to educate on the concept that "what email claims to be is not always what email is, and where it claims to come from is not always where it really came from". During the recent Klez outbreak, I even received a message from a nerd-friend saying that he thought my machine might be infected, because he received an infected message from "me". Of course it was spoofed, because I happen to be in a lot of peoples address books, but since I haven't used Windows on the desktop in over three years, it clearly didn't actually originate with my box.

Folks are just kinda thick about questioning the veracity of claims (hell, astrology still sells books and 900-number phone calls). And this could definitely be used for nasty purposes...and certainly will. Spammers will have a field day with this, because they can't help but seem 'fly by night' because they cannot establish a real brand name due to the disgusting nature of their busines. If they stand still, they'll get lynched. But if they can, even for a short time, hijack a real name that people trust, and offer up a too-good-to-be-true scam under that trusted name...well, you see where I'm going with this.

Of course, everyone here knows that unsolicited "business offers" by email are always scams run by filthy people...but my grandmother doesn't know it, nor do my parents or many of my non-nerd friends for that matter.

Just a thought. We'll see how it plays out, I reckon...

spray

spray

Comment removed

[account_deleted]

Comment removed based on user account deletion

Unicode Environments

[saveth]

I develop applications for a DSP company, and we've recently switched to using Unicode in our products. Unicode certainly has its quirks, and this is one of the more obvious ones. I fail to see why it has been implemented so widely, without very, very rigorous testing.

Actions like the one described in this article could bring down a company, if a person tried hard enough. Of course, Microsoft could just call Verisign and ask them to remove the Cyrillic domain, with no problems. But, for a small company, it could be hell. An entire user group using the same character set to access a certain website would be sent to a different site. In a worst case scenario, anti-company propaganda might be posted on the spoofing site, and it would deter people from visiting the "real" site in the future.

The only solution I can imagine is to simply prevent the translation of characters among character sets, especially in this sort of environment.

A Russian site, such as The Moscow Times, could have its site spoofed in exactly the same manner, and everyone using the Cyrillic character set (obviously, widely used in Russia, for example) would be sent to some other site, possibly indefinitely, knowing how registrars have been acting lately. This would create havoc for the newspaper and significant hurt revenue.

Re:Unicode Environments

What is a "themos cow" and why does it have its own newspaper?

Re:Unicode Environments

[cuyler]

What I wonder about isn't someone registering a domain and making a spoof site similar to its victim but rather making an identical site changing minor things such as announcements (products and performance).

Would a false announcement coming from a domain that looks like microsoft.com trick anyone? Could any newspapers, news stations, magazines, etc...(except slashdot...they'll post pretty much anything) actually be fooled. Could that have any impact to stock pricing?

Just a thought...

Re:Unicode Environments

[saveth]

Would a false announcement coming from a domain that looks like microsoft.com trick anyone? Could any newspapers, news stations, magazines, etc...(except slashdot...they'll post pretty much anything) actually be fooled. Could that have any impact to stock pricing?

Maybe not from a domain like microsoft.com, but certainly from a smaller company's domain. So many people are influenced by Microsoft and its market droids that it would be difficult to circulate false information.

Re:Unicode Environments

[bani]

"we've recently switched to using Unicode in our products."

...why?

Re:Unicode Environments

[saveth]

"we've recently switched to using Unicode in our products."

...why?

It started out with a weirdness in Windows 2000 we had to work around, and it involved using the Win32 API TCHAR data type, so that it could compile on both Unicode-enabled systems and ANSI character systems.

To make a long story short, we were forced to enable Unicode in one of our products; then, we thought it a good idea to have all our products capable of internationalised data.

Yeah. That. :P

Re:Unicode Environments

[dvdeug]

Unicode certainly has its quirks, and this is one of the more obvious ones. I fail to see why it has been implemented so widely, without very, very rigorous testing.

It was tested; this is considered acceptable, as there are no workarounds.

There will be look alikes in Unicode, just like there are in ASCII. Prior character sets, including KOI8-R, ISO-8859-5, ISO-8859-7, and JIS X0213 - pretty much every character set with either Cyrillic or Greek in it - have the Cyrillic or the Greek A seperate from the Latin A. Besides backward compatibility, proper multilingualization calls for them to be kept seperate; what's the lowercase A look like, if
the Greek and Latin A are merged?

Re:Unicode Environments

Warning! Parent post contains a link to goatse.cx! Do not click on it. Te link looks like "themoscowtimes.com"

Re:Unicode Environments

[spoon42]

In a worst case scenario, anti- company propaganda might be posted on the spoofing site, and it would deter people from visiting the "real" site in the future.

Yeah. Nice perspective on the issue. Far worse that someone doesn't believe the lies a company presents in its advertising than someone giving their password and credit card number to a scammer.

Comment removed

[account_deleted]

Comment removed based on user account deletion

homograph

[Supergrass]

(the article uses the term "homograph")

Is there some kind of problem with this term? Or are the quotes there just because the term may be unfamiliar to some?

The site

[Newtonian_p]

When I go to the site in question, (slashcode won't let me copy cyrillic characters in links) , it just redirects me to http://www.bq--at7w373jih7xepx7om7p6zx7oq.mltbd.co m/

Re:The site

[Servo5678]

Hey, that URL is infringing on my copyrights! It's similar to my business's name, Bq--at77w373jih7xepx7om7p6zx7oq Enterprises, Inc.

Lousy cybersquatters...

Re:The site

[Indras]

Yes, but you're forgetting, "Bq--at77w373jih7xepx7om7p6zx7oq" cannot be trademarked, because it is a common word, like "door" and "window."

Re:The site

[PurpleBob]

Domain names starting with bq-- are Unicode domain names mangled back into ASCII, so you were probably in the right place.

Re:I would have thought it wasn't a problem except

[neuroticia]

Hm. Is your friend a slashdotter, too by any chance? I've gotten approximately 10 klezzy's in the past 10 days from various user-of-slashdot email addresses (most of which contain slashdot's anti-spam garbungling) I've also apparently had a lot of klez sent out using a spoofed address containing the domain which I primarily use as my email address when I post to /.

Meethinks Klez likes getting email addresses from /. Talk about a stupid virus--most of us don't even use windows. :p

-Sara

Translation

[Shriek]

But experience shows that the Internet's majority of unsophisticated users "are vulnerable to all kinds of simple things because they have no concept of what's actually going on," explains Lauren Weinstein, co-founder of People for Internet Responsibility.

This must mean...

A) The majority of Internet users are f'ing clueless.

B) Lauren is not only the president of the unsophicated Internet users club, but also a member.

C) We must hold the Internet responsible for such irresponsibility.

DNS was, and is, an ugly kludge

[Sanity]

Amazing how many comments betray the fact that people haven't read the article.

At the moment these unicode domain names will not be displayed correctly by web-browsers, rather you will see a bunch of cunfusing control codes, so this threat isn't really a problem yet.

Of course, the underlying problem is that DNS is an ugly kludge which has long-outgrown itself. The administrative cost of constructing a massive global namespace is vast, and we can all see the opportunities for cyber-squatting it creates, to the detriment of the public interest.

These days I am more likely to go to Google and type in a few words, rather than try to guess the URL. The task of finding the website you are interested in should be left to the specialists (like Google and other search engines), we shouldn't try to maintain an ugly, broken, monopolistic, and expensive "first come first serve" architecture like DNS.

There is no good reason why a web user should ever need to see a URL (except perhaps momentum), any more than they need to see the HTML which makes up a document.

Re:DNS was, and is, an ugly kludge

[BakaMark]

Of course, the underlying problem is that DNS is an ugly kludge which has long-outgrown itself.

This is one of the things that "RealNames" was trying to fix/exploit. Of course it has since gone out of business.

The main problem with developing a replacement for the DNS function/service, is getting everyone to agree on how the service will be provided and operate.

The last thing you really want is a single organisation (private/government), or a group of individuals, being responsible for the entire replacement, because that gives them the ability to "control" the operation of the system.

The current DNS system has it's flaws, but it is something that has been working for a while now, and will continue to do so. The sort of decentralised nature of the namespace management means that it is not that bad.

Nothing wrong with using a search engine either. Basically it is each to their own.

The whole idea behind the problem highlighed by the original article was the ability to confuse people. Unfortunately it is still possible to put addtional information into search engines such as google so you have addtional matches (that are not intended).

Re:DNS was, and is, an ugly kludge

[NoMoreNicksLeft]

Oh, and we should instead rely on a search engine scheme, where a company may never get the users that are searching for it, because of a million idiots (Sadly, they turn out to be non-idiots more often than idiots. My apologies) ranting about XYZ Inc. ?

The ironic thing is, I'm rabidly anti-corporate. But if I need to see something about IBM, it's a sure bet starting at ibm.com puts me within 3 clicks of where I want to be. Google, or any other search engine technology that I've ever heard of, just isn't good for this sort of thing.

You want to know what the real problem is?

First off, it's laziness on the part of morons like yourself, that lust after AOL keywords and are pissed that the internet doesn't bend itself to fit your warped little design philosophies.

Secondly, not everything is the web. Not even close. DNS and domain names aren't about identifying your lousy porn site, they are about identifying a particular host. Done well though (which isn't the case), it's pretty decent at getting you within a few clicks of where you want to be.

Thirdly, how the fuck do you expect to ever type in the first URL, google.com or whatnot, if it's hidden from you on your brand new Dell? I can see the horror that would be inevitable in such a scheme. microsoft-search.com as a nice little button on the toolbar, that never ever brings up a link to click on for google or yahoo, no matter how you phrase the keywords.

Finally, the problem is the fact that the vast majority of ISP's view their customers as users of content that they provide, rather than participants in the first, and largest, p2p network ever devised. At best, you'll recieve a lousy homepage with no ftp, cgibin, or any other goodies, and a lousy url like "http://www.smalltown-isp.net/users/~dumbfart/". Of course it sucks. Hell, they even screwed up the .US namespace with a similar scheme (what was the highest level you could get, 3rd level subdomain?). Since anything a customer can get is necessarily a lousy url that is cryptic and says little about the site, what do you expect? They often have draconian ToS's that forbid running servers, so that's not a fix, and even if you press on after that, they only offer dynamic IP's, so you still can't get a decent domain. They refuse to offer something along the lines of mysite.smalltown-isp.net either. Which further forces a person onto third-party webhosts, making it necessary to put up banners just to pay expenses. See how bad ISP policy just makes all the shit roll downhill, until you have an avalanche of it?

Sen. Hollings wants to know why there isn't enough compelling content to drive demand for broadband? Well, it's because AT&T Broadband goes out of their way to make sure I can't put any decent content up, unless I'm willing to have it polluted by their own self-serving ads, chop it down til it fits in 10megs, and refuse to do anything other than the simple static html/javascript pages that is all that they'll allow.

Re:DNS was, and is, an ugly kludge

[Mandelbrute]

Of course, the underlying problem is that DNS is an ugly kludge

Will IPv6 use DNS or something different?

Obviously with IPv7 we'll just have to ask lain to send us to the right site.

Re:DNS was, and is, an ugly kludge

[Sanity]

Oh, and we should instead rely on a search engine scheme, where a company may never get the users that are searching for it, because of a million idiots (Sadly, they turn out to be non-idiots more often than idiots. My apologies) ranting about XYZ Inc. ?

If there is a demand for a service which locates the authorative websites of corporations, then capitalism will provide. This is a lame argument specific to the way Google happens to work.

First off, it's laziness on the part of morons like yourself, that lust after AOL keywords and are pissed that the internet doesn't bend itself to fit your warped little design philosophies.

Actually, it is insulting wannabe-elitist morons like you that are ruining Slashdot - but that is a different argument. If you think my design philosophy is flawed, why don't you explain why rather than wasting my time with Ad Hominem (look it up) attacks.

Secondly, not everything is the web. Not even close. DNS and domain names aren't about identifying your lousy porn site, they are about identifying a particular host. Done well though (which isn't the case), it's pretty decent at getting you within a few clicks of where you want to be.

What about the cyber-sqatting, cost, and creation of private monopolies? DNS is an ugly ugly solution to the problem of finding IP addresses.

Thirdly, how the fuck do you expect to ever type in the first URL, google.com or whatnot, if it's hidden from you on your brand new Dell? I can see the horror that would be inevitable in such a scheme. microsoft-search.com as a nice little button on the toolbar, that never ever brings up a link to click on for google or yahoo, no matter how you phrase the keywords.

Market forces will create a demand for comprehensive search-engines which aren't biased, in fact, they already have.

Finally, the problem is the fact that the vast majority of ISP's view their customers as users of content that they provide, rather than participants in the first, and largest, p2p network ever devised. At best, you'll recieve a lousy homepage with no ftp, cgibin, or any other goodies, and a lousy url like http://www.smalltown-isp.net/users/~dumbfart/.

What the hell are you ranting about? This has nothing todo with whether your ISP supports cgi.

Sen. Hollings wants to know why there isn't enough compelling content to drive demand for broadband?

Are you just ranting mindlessly or did you actually have a point?

Re:DNS was, and is, an ugly kludge

[Sanity]

This is one of the things that "RealNames" was trying to fix/exploit. Of course it has since gone out of business.

The main problem with developing a replacement for the DNS function/service, is getting everyone to agree on how the service will be provided and operate.

Not really, for example, Google is a great replacement for DNS, not functionally equivalent, but basically does the same thing but much more effectively.

Re:DNS was, and is, an ugly kludge

[great+throwdini]

For example, Google is a great replacement for DNS, not functionally equivalent, but basically does the same thing but much more effectively.

No, not really. You seem to support replacing one 'middleman' with another [DNS -> Google]. Google is good and all as a search engine, but I don't really understand why you think indexing existing pages and ranking content based on some scheme (a la Google) somehow improves upon rational DNS entries or eliminates the risk of underhanded manipulation of whatever system is in use.

Yes, there are flaws with most DNS naming schemes. No, it's not perfect. I'm skeptical of your claims that a Google-ish system somehow fixes things for everyone. It certainly would eliminate the ability to go directly to a known resource without there first being a 'search' ... and a resource that was 'known' to be within the first n results might not be a day, week, or month later. Maybe I'm missing something, but where's the progess there?

Meanwhile, hosts would be identified how? Simply by numeric address? I think earlier in-thread comments need to be emphasized: DNS is for naming hosts, not Web sites.

Much as I favor Google for blind Web searches, it really hasn't attained a level of perfection as a search engine alone and nothing else. I'm at a loss to grasp what insight you possess into the workings of Google and the nature of the Web as a whole to believe -- as you must -- that there is complete certainty/symmetry in what is 'out there' on the Web and what Google presents to users.

Google certainly doesn't function in a way analogous to DNS, and I don't think that you should claim that something "not fuctionally equivalent" could be seen fairly as a "great replacement."

Think about it.

Re:DNS was, and is, an ugly kludge

[NoMoreNicksLeft]

If there is a demand for a service which locates the authorative websites of corporations, then capitalism will provide. This is a lame argument specific to the way Google happens to work.

If there is a demand for something that we already have at this time, for free and with no effort? In other words, you would like it if I paid for something I already get now for free... well, if you can't find a good business model, why not create an artificial one?

What about the cyber-sqatting, cost, and creation of private monopolies? DNS is an ugly ugly solution to the problem of finding IP addresses.

Cyber-squatting is simple. Outlaw domain parking, domain transfers, false advertising (which is what registering www.books.com and pointing it at a porn site is), and enforce trademarks. If you want a domain, then use it. Use it for something other than pointing yet another name at your lame web site. Only allow registrations and de-registrations... if someone wants to try and sell the domain and someone else wants to pay money for it fine. But they don't get it, it just goes back into the unregistered pool. And if someone has a valid trademark (microsoft is valid, computers.com isn't) by all means give it back to the trademark holder. Duh. DNS is pretty handy for finding IP's, actually. It just isn't as good at making websurfing as effortless as you'd prefer. Or for keeping people from being assholes and polluting the namespace, I should add.

Market forces will create a demand for comprehensive search-engines which aren't biased, in fact, they already have.

Dumbass. On a fresh install of the browser of your choice (or lack thereof), you can't get everywhere you want to go only by clicking links. If the url field is hidden or disabled, which you advocate, you'll be reduced to clicking a toolbar button or a pre-loaded bookmark. I'm sure one such will be a searh engine... but with M$ can you count on its integrity?

What the hell are you ranting about? This has nothing todo with whether your ISP supports cgi.

So sorry, I thought you might have the ability to understand non-monosyllabic words. Let me try again...

I-S-P bad. No like us have nice web names. Must use bad homepage **DAMN* ... It can't be done.

I'm tired, so I'll try to make this clearer. If users are only ever allowed to use crappy homepage webspace, of course half the URL's on the net will be long and ugly. I also failed to mention that many commercial sites have bad web design... this accounts for the other half being ugly.

And if I got off on a rant, so what? I see someone like you talk out of your ass, I become a little bit upset. Well, guess what? If you want to add another protocol, pick a port number and get to work. I won't stop you. But stop ranting yourself about how the current ones are ugly, when you have no clue why they are even like they are.

DNS isn't broken, and it isn't ugly. As a protocol, it is highly distributable, robust, and solves the IP-human readable name problem as well as anything that has ever been published. It is the foundation of many protocols and services available on the internet, only one of which is the web. We don't need a seperate, incompatible system for the web, and you've offered nothing that would suffice for anything but that, and even then only poorly.

Re:DNS was, and is, an ugly kludge

[Permission+Denied]

There are potentially two uses for domain names:

1. Guessing a company's domain. Eg, I want to see if there are any recalls on my Pontiac Grand Am, so I type in pontiac.com. As you've noted, this usage of domain names is pointless - instead, I'll go to google and type in "pontiac grand am recalls."
2. Recalling a domain name. I go to a cyber café and want to check slashdot. I type in slashdot.org into the browser and I read slashdot.

Now, I agree that use (1) is dead. However, I don't want to have to remember 64.28.67.150 to read slashdot, nor do I want to be dependent on google to find slashdot. Think of the pontiac example, where I'm looking for a specific page: google rankings change, but domain names change less often. If google decides they don't like the American Communist Party, I may have a hard time finding their website without DNS, whereas google does not control the cpusa.org domain name.

There are also other, less obvious, uses for DNS. For example, I can type in ftp11.freebsd.org and see if that's faster than ftp6.freebsd.org, without having to search for the FreeBSD mirrors page. You can also publish spammer's IP addresses to DNS tables, like what RBL does. That means when I write my MTA, I don't need a full HTTP engine in it along with an XML/SGML/HTML/WHATEVERML parser, but I can just do a simple "gethostbyname()" and see if that returns an error. There are lots of other creative abuses for DNS.

Anyway, I think there's still a real need for DNS; however, DNS administration leads to so many politics...this article mentions a technical problem, but the real problems are social/political. These problems are much harder to solve.

Re:DNS was, and is, an ugly kludge

top google search result for "ibm" is ibm.com. f00.

Re:DNS was, and is, an ugly kludge

[NoMoreNicksLeft]

Generic example. Idiot.

Re:DNS was, and is, an ugly kludge

[NoMoreNicksLeft]

Actually, it is insulting wannabe-elitist morons like you that are ruining Slashdot

Christ, I must be tired to not have caught that the first time round.

Actually, it's strange that you say that I'm ruining it for you, rather than the other way around. Let me explain. The internet is a big shit hole, but it didn't use to be that way. Then people like you arrived, with much bleeting and moo'ing, shepherded here by marketdroids and buzzwordologists. And things keep getting worse. Why? Because you came here, never bothering to learn the rules, and then wondering, bitching about, and crying why things don't work. If you want "content" served up to you with 0.0 effort, go watch TV. They waste untold millions figuring out what lazy idiots like to watch, and all for free! No browsers or anything, just a remote control.

Re:DNS was, and is, an ugly kludge

Mod Parent Up !
THis comment (and rest of the thread) made actually log into slashdot again to see if I had any moderator points waiting for me. (sadly no)

NoMoreNicks is right on and Sanity is a pure phuqtard. Not just a phuqtard - a phuqtard so dumb he imagine the vast size of what is unkenned by his cluoshpere. And he is gratuitously insulting, when he is clearly the one without an idea of what he's talking about.
Moderators, this is your chance to do a good deed for the day.
Vindicate the righteous and smite the phuqtarded!

Re:DNS was, and is, an ugly kludge

[NoMoreNicksLeft]

If you bothered to log in, why not post as such, so they could see this wasn't just a lame attempt by me to make it look like I had some support? Besides, I garbled half my arguments... been up 26 hours straight at this point, not exactly articulate. Maybe not even coherent.

Re:DNS was, and is, an ugly kludge

[sparcv9]

Will IPv6 use DNS or something different?

IPv6 won't use DNS any more than IPv4 uses DNS. In other words, Neuther IPv4 nor IPv6 "use" DNS at all. DNS is just a single mechanism for resolving hostnames to IP addresses, and vice-versa. I think what you may have meant to ask was if DNS will be used to resolve IPv6 addresses/hosts, and the answer is, at least on the Internet, yes. The RFCs for DNS have included IPv6 record types (type AAAA) for a long time, and most DNS servers support them. However, anyone is still free to use DNS, NIS/NIS+ or even /etc/hosts (or any other name-resolution service you can think of) on their own networks. Just don't expect the world to be able to see it.

Re:DNS was, and is, an ugly kludge

[Sanity]

If there is a demand for something that we already have at this time, for free and with no effort? In other words, you would like it if I paid for something I already get now for free...

DNS isn't free, it costs money to register a domain name, and it costs money to maintain the DNS infrastructure (which you indrectly pay for once a month to your ISP). Now Google is free, they don't ask for money, they simply ask for you to pay a-little attention to unobtrusive advertising.

Cyber-squatting is simple. Outlaw domain parking, domain transfers, false advertising (which is what registering www.books.com and pointing it at a porn site is), and enforce trademarks.

Oh, and that all magically happens for free? You are suggesting a very expensive band-aid for a completely broken system, and it is the Internet's users that will pay for it, directly or indirectly.

Dumbass. On a fresh install of the browser of your choice (or lack thereof), you can't get everywhere you want to go only by clicking links. If the url field is hidden or disabled, which you advocate, you'll be reduced to clicking a toolbar button or a pre-loaded bookmark. I'm sure one such will be a searh engine... but with M$ can you count on its integrity?

Even if that were the situation now, it need not be the situation in the future, and certainly doesn't justify the expense and inefficency of the DNS system.

I-S-P bad. No like us have nice web names. Must use bad homepage **DAMN* ... It can't be done.

Er, and exactly how does the DNS system help to solve this problem? With DNS you get the domain that you can afford (if someone else doesn't get there first), and only if your ISP wants you to. With Google, they try to allow those who want to find your website, to find it, irrespective of your ISPs preference.

But stop ranting yourself about how the current ones are ugly, when you have no clue why they are even like they are.

It is pretty clear that I probably know a-lot more about the current Internet's architecture than you do, you certainly don't know enough about me to claim that I have "no clue" - and if you did know anything about me, you would be feeling pretty stupid right now.

DNS isn't broken, and it isn't ugly. As a protocol, it is highly distributable, robust, and solves the IP-human readable name problem as well as anything that has ever been published.

It is broken and it is ugly, and Google is an excellent example of how it could be done while avoiding all of the problems I have pointed out with DNS.

Re:DNS was, and is, an ugly kludge

[Sanity]

Then people like you arrived, with much bleeting and moo'ing, shepherded here by marketdroids and buzzwordologists. And things keep getting worse. Why? Because you came here, never bothering to learn the rules, and then wondering, bitching about, and crying why things don't work.

Christ, you are such an idiot. I feel pretty comfortable in saying that I know a lot more about the Internet (including DNS), and how it works than you do. I have written articles for publications like IEEE Internet Computing on communication protocols, lectured at a number of universities (most of which I doubt you could get into as a janitor, let alone a lecturer), and pretty-much done all of the things that would allow me to be as arrogant as you try to be, that you haven't.

Re:DNS was, and is, an ugly kludge

[dvdeug]

[...]pretty-much done all of the things that would allow me to be as arrogant as you try to be, that you haven't.

And at the grand old age of 25 (according to your webpage), too.

Re:DNS was, and is, an ugly kludge

[NoMoreNicksLeft]

He's also incredibly humble, if you haven't noticed.

Re:DNS was, and is, an ugly kludge

[NoMoreNicksLeft]

Not to belittle Google, which is the best damn search engine ever, but it's not the answer to the non-problem you're trying to invent.

Your opinion itself speaks volumes about what you know and understand. You're the clueless suit touring the factory, wondering why the steam pipes aren't chromed.

No one has ever charged me for typing in "ibm.com". My use of DNS is either free, or depending on how you look at it, the cost is rolled into my ISP subscription. They're not going to give me a refund if somehow stooges like you gut DNS.

DNS doesn't solve your "URL's are ugly" problem, because 1) it isn't DNS's problem to solve, 2) it is largely the result of either bad web design or bad ISP policy and 3) only idiots are complaining about this.

The expense of the domain name squabbling solutions I outlined, is either already being paid for (we have a system to settle trademark disputes), or could be done realtively inexpensively with what amount to a few shell scripts (do the parked domains all bounce to a single site). All that would have to happen is for ICANN to pull its collective ass, and make some sensible policy. Simple as that.

Oh, and one last thing. How do you expect google to index websites, if there is no DNS? Are we all supposed to go back to using IP's? Do we embed those in the hyperlinks instead of domain names?

Re:DNS was, and is, an ugly kludge

[sql*kitten]

Actually, it's strange that you say that I'm ruining it for you, rather than the other way around. Let me explain. The internet is a big shit hole, but it didn't use to be that way. Then people like you arrived, with much bleeting and moo'ing, shepherded here by marketdroids and buzzwordologists. And things keep getting worse.

That's mighty fine talk coming from someone with a 6-digit User# :-P

Re:DNS was, and is, an ugly kludge

Computing on communication protocols, lectured at a number of universities (most of which I doubt you could get into as a janitor, let alone a lecturer),

If he's done nothing else, he's made you look like a complete twat.

Re:DNS was, and is, an ugly kludge

[PatientZero]

No worries, you've more than covered belligerent. ;)

Your arguments make sense so far, but it took a lot of restraint on my part not to dismiss you entirely due to your attitude. You'll convince far more people in the future if you drop the name-calling.

Re:DNS was, and is, an ugly kludge

Well instead of arguing with people who do not matter, why not go and rest? And plus, WHO CARES? It's not like the opinion of anyone here is important.

Re:DNS was, and is, an ugly kludge

[deepchasm]

Christ, you are such an idiot. I feel pretty comfortable in saying that I know a lot more about the Internet (including DNS), and how it works than you do.

Yet still you seem to have a fundamental misunderstanding of the reasons for having (and the differences between) DNS and search engines.

Ever wondered why books of names (the kind that expecting parents buy) are so popular? To put it into computing jargon: we like to give our children 'meaningful identifiers'.

So it is with computers, not least because system administrators in charge of large sites would have a hard time remembering all the individual IP addresses.

The fact that well chosen names can sometimes help you guess the identity of a machine (or, in this case, a website on a machine), is irrelevant - DNS is purely to provide *memorable* and *meaningful* identifiers.

In contrast search engines are there specifically to help you *find* websites, and on the whole they do their job quite well.

Imagine you were looking for a date. DNS is the telephone directory, and the search engine is a dating agency. Looked at in this way, your claim that the telephone directory is a kludge because it doesn't help you find the woman of your dreams is somewhat....well....ludicrous. However, if you had found a date, but lost her number (gasp!), the telephone directory might just save your bacon.

Furthermore, I find it quite insulting to the inventors of DNS (both the protocol and the associated daemons like bind) that you refer to it as a 'kludge' because it does not fulfill a purpose that it wasn't designed for (finding rather than remembering).

People think it's understandable when a site goes down because it is slashdotted - how many more people use DNS every hour than read Slashdot in a day? In fact, it wouldn't surprise me if the DNS system is the largest distributed database in the world. It is a testament to the inventors that they came up with such an expandable, distributed, hierarchial system.

Re:DNS was, and is, an ugly kludge

Christ, you are such an egotist. I feel pretty comfortable in saying that you believe you know a lot more about the Internet (including DNS) and how it works than its creators did. Based on the fact that you've written articles for publications like IEEE Internet Computing on communications protocols, lectured at a number of universities (most of which apparently hired the janitor rather than a lecturer), and pretty much impressed the hell out of yourself (but not anybody else).

Have a nice day, now :-)

Re:DNS was, and is, an ugly kludge

[MrHat]

Your DNS name will be banned
When the lobbyists have you outmanned
Flat namespace their goal
To assert brand control
I fear you've read too much Ayn Rand

Re:DNS was, and is, an ugly kludge

[NoMoreNicksLeft]

Why? Because I didn't bother to register until recently? Maybe you'd like me to show you a few AC's from December '97 that look suspiciously like my writing style...

Besides, I can show you usenet posts of mine going back to at least '88. Not exactly ancient, but just a bit older than User #1 here.

Re:DNS was, and is, an ugly kludge

[Just+Some+Guy]

Of course, the underlying problem is that DNS is an ugly kludge which has long-outgrown itself.

This blatantly ignorant post got modded up?

Search engines only map content to hosts, and DNS provides the "last mile" mapping of hosts to addresses. What would you do when your IP changes if DNS no longer exists? My server has moved at least 4 times in the last three years, but thanks to DNS, all content is still available at the exact URL it's always been at. What's your workaround? Telling Google about every page I host every time I switch providers, move, or upgrade my connectivity?

Second, what will you use to replace MX record functionality? Or are you also advocating replacing SMTP with something new?

No, DNS is still pretty damn handy. You may not like it, but those of us working in non-ideal worlds can still find a use or two for it.

Re:DNS was, and is, an ugly kludge

[Aiwendil]

There is no good reason why a web user should ever need to see a URL (except perhaps momentum), any more than they need to see the HTML which makes up a document.

Oh nice idea, no really, all of the sudden the entire world can get to one's personal image-directory since we no longer are able to type, for example, http://www.example.com/<CODE>/images that we have one have for that closed company of people that actually are on the pictures...

DNS isn't perfect but until everyone has a static IP (and people learns how to use their memory) that will do unless something better actually comes around.

And yes, I know you wrote momentum, but still, when it gets past the 20times a day when you receive only a URI from friends the address is really nice to see, especially since I seldom browse pages from the same machine as I IRC or email from.

Just my thoughts...

Re:DNS was, and is, an ugly kludge

[HiThere]

There is no good reason why a web user should ever need to see a URL ...

When I see some of the URL's, I almost agree with you, e.g.:
...&op=Reply&threshold=-1&commentsort=3&tid = . .

But normal URLs are an important concept in learning to use the web, and hiding it from people does them a disservice. Those who want to can easily ignore them (I usually do), but they can be a crucial part of the learning experience. So people need to have the exposure to them, so they know that they exist, and have the chance to learn what they mean.

It is, in a way, cognate to your example of HTML (though at an earlier part of the learning curve). If the view option removed the ability to observe the HTML of web pages, then learning to code HTML would be much more difficult. And learning URLs is right at the beginning of the process. By hiding them, you would be doing a gross disservice to everyone who is starting to learn how to use the web.

Re:DNS was, and is, an ugly kludge

[Inthewire]

I've followed this thread, and I think I love you.
In the "he's got the right idea" sense, of course.

Re:DNS was, and is, an ugly kludge

[Sanity]

Ever wondered why books of names (the kind that expecting parents buy) are so popular? To put it into computing jargon: we like to give our children 'meaningful identifiers'. So it is with computers, not least because system administrators in charge of large sites would have a hard time remembering all the individual IP addresses.

The problem is not where DNS is being used as some form of UID, but where DNS is being used as a tool to allow people to locate information relevant to a particular concept, such as "www.dictionary.com" etc. That was never DNSs intended purpose. It is the fact that DNS is being used well beyond its initial intended purpose that makes it a kludge.

It is a testament to the inventors that they came up with such an expandable, distributed, hierarchial system.

Perhaps your head has been buried in the sand, but haven't you been paying attention to the problems created by the Internet's centralized architecture (do a search for ICANN here on slashdot for some good pointers).

Re:DNS was, and is, an ugly kludge

[Sanity]

Your opinion itself speaks volumes about what you know and understand. You're the clueless suit touring the factory, wondering why the steam pipes aren't chromed.

Don't be a dick, you have no idea what I know and understand, but if you did, you would be feeling rather stupid right now. I have been a qualified software engineer for years, on slashdot for a lot longer than you (judging by your user number), so please don't pull that patronising crap on me.

Re:DNS was, and is, an ugly kludge

[Sanity]

He's also incredibly humble, if you haven't noticed.

Hey, you are the one who started with the accusations that I am some sort of newbie, unworthy of debating with your holiness, yet even by your own admission (your journal) you are a poor programmer. I simply pointed out the stupidity of taking an elitist attitude with someone who, for all you know, could be a well respected software developer in the open source community.

Re:DNS was, and is, an ugly kludge

That's a problem with the people *managing* DNS, not a problem with DNS itself.

Who has $200/yr to pay a CA for an SSL cert?

[yerricde]

Yet another reason why everything should run over ssl/tls.

Who has upwards of $200 per year for an SSL certificate? AFAIK, VeriSign along with its Thawte subsidiary has a near monopoly on issuing the certificates required to run secure SSL connections.

Re:Who has $200/yr to pay a CA for an SSL cert?

you make your own, easy with openssl, the usere clicks ok i know i dont know this cert

Re:Who has $200/yr to pay a CA for an SSL cert?

and just like magic, the whole purpose of a certificate is defeated!

fucking brilliant.

Re:Who has $200/yr to pay a CA for an SSL cert?

Its still encrypted

Easy

[devphil]

If you're serious about typing in Russian, you don't type the control-meta-alt-whacky sequences.

You spend $15 and buy a plastic keyboard overlay, one of those little flexible jobs with the alternate characters printed on them. Change your keymapping -- they make keymap files to match the popular overlay's plastic sheets, I'm told -- and you're done.

Re:slightly related

[MrDelSarto]

I always thought these stories were made up until it happened to me ...

We had an external party complain that they were receiving filthy emails from the place I was working for about "male sex changes". A terrible business that.

Turns out the problem was the header had been stamped by our mail server, msexchange.corp.com.au, and was somehow showing up in her client.

Here, it's pretty simple...I'm Russian

Sex Tips For Hackers: On Being Good In Bed

Like being sexy and picking up women, being good in bed is a skill that will never develop if you fear failure too much. Rather, it feeds on its own success. So the most important thing you need to know about being good in bed is that it's not really very complicated or difficult at all.
Oh, sure, if you're an accomplished sexual athlete/aesthete you can pore over the Kama Sutra and try exotic positions and dabble in sex toys and scented oils and variations for more than two people. These things have their place and you'll get to them. But they are really the last 10% of the experience; the first 90% percent consists of learning how to have basic satisfying sex face-to-face with one partner, factory equipment only.

Guys, a few simple techniques and the right attitude will get you most of the way to that goal. And, by the way, part of the reason is today's girls; it has been long enough since really effective and easy contraception was first deployed in the early 1960s, and I doubt that so many women have ever been more sexually sophisticated or less inhibited in the whole prior history of the world than they are today. You have it easier than you know. So begin with confidence...

Let's start with attitude. Remember that you're there to have fun with your partner. Joy and satisfaction are the goals, whether the two of you are just scratching a mutual itch or affirming a lifelong bond. So be generous to your partner -- the satisfaction you give her will come back to you. (This advice isn't quite as true for her, unfortunately -- but we'll cover that below.)

There are three basic ways in which male and female sexual response are different in bed that you'll need to keep in mind. These differences determine the basic rhythm and pacing of good sex.

First: under ordinary circumstances she can have multiple orgasms in fairly rapid succession, while you can't. This is the most important difference and the one least affected by psychology, mental attitude, or self-training.

Second: under ordinary circumstances, she will take more time to warm up to the point where a really satisfying orgasm is possible than you will. Intimacy and trust can shrink the difference but aren't likely to erase it completely.

Third: her response will vary in subtler and less predictable ways than yours. The best places to stimulate her will wander around; also, women vary as to whether they want progressively heavier or progressively lighter stimulation as they approach orgasm. Her attitude and self-training matter here; women with more experience and/or fewer inhibitions tend to have a simpler and more robust response to stimulation, more like a man's.

These three differences set your basic policy. Unless you know differently about the specific woman you're in bed with, the two basic things you need to do to be a good lover are slow down and pay attention.

The classic male failure mode is to jump on the woman, rush through foreplay, plug a cock into her pussy, and gallop to orgasm before she's even completely warmed up. If she comes at all under that kind of treatment, it's going to be just a shadow of the rip-snortin' multiorgasmic joyride a good lover would take her on.

Cathy: "Yes, and she is likely to be angry with you for leaving her hung up."

So slow down. You've got hands and lips. Use them. A few minutes of good old-fashioned lip-to-lip smooching is always an appropriate starter even if that's what you were doing before the clothes came off. Run your hands gently over her body; women love the feeling of being caressed all over, of being explored and owned by a lover's hands. Try different levels of pressure from light to very firm. Pay attention to the way her breathing and muscle tension changes as you touch different parts of her in different ways; her body will tell you what she likes, so you can do more of it.

Cathy: "If she wants you to speed up, she will probably say so."

The erotic sensitivity of her body is more diffused than yours, less exclusively centered on her genitals. Use this fact. Where your hands find a good response (especially a good response to light or teasing touches) it is often wise to follow up with your lips and tongue. Dial in on areas where the skin is naturally sensitive; the neck, ears, the inner surfaces of arms and legs.

Cathy: "And if you get no response, or a confusing one, ask her how she likes what you're doing! The message that you want to please her will get through (even if the sex isn't perfect)."

Women dig men who exhibit this same kind of whole-body sensitivity as much as men dig women who are readily satisfied by simple intercourse; it's reassuring to them, it's a response they can identify with. So cultivate whole-body sensitivity if you can. Your nipples are good places to start; encourage her to tease them, and let it be known when that's turning you on. She'll love you for this.

Cathy: "Allow me to emphasize the `let it be known when that's turning you on' part. The most frustrating sexual encounter I ever had was with a guy who did not react at all to anything I did."

In general, make noise when she's pleasing you. Feedback should go both ways; she'll please you more, and enjoy you more, if she knows which things she's doing right.

OK, so you've been doing horny things to each other for a while now and she seems hot enough to fuck. Do you immediately perform a genital docking maneuver? Nope. Not if you're smart. At this point, dear hacker, my advice for you is learn to love cunnilingus.

Remember, she's capable of multiple orgasms. Your unassisted cock is going to give her approximately one. I say `approximately' because some women have trouble orgasming from genital intercourse alone (though nowadays this is much less a problem than formerly; the appropriate qualifier used to be "many women"). On the other hand, if you're a stud with serious arousal control you may be able to avoid popping while she has several (but this is wearing, and even those of us who can do it tend to reserve it for special occasions). It averages out to about one.

Cathy: "But that `one' is okay if both of you have a great time with your erection while it lasts, and with the encounter in general. Women don't really expect men to be sex gods -- they just want the guys to try to meet their needs."

(Women: There's a flip side to this. If you just lie there waiting to be aroused and penetrated, you are short-changing him. Maybe he can't have as many orgasms as you, but that's all the more reason to let your hands and lips roam. Tease him. Thrill him. Rub your body against his. Be active. Make noise. Be aggressive, even -- put his hands where you want them, squeeze his cock or do something else to reward him when he does something you like. If the classic male error is being too fast, the classic female error is being too passive and expecting him to do all the work. Many guys are so starved for decent feedback that they'll love you for avoiding this mistake alone.)

The basic disparity between a man's typical single-peak response and a woman's multiorgasmic capability is why cunnilingus is your friend, and why (if you want to be remembered as a hot lover) the right lead-in to genital sex is often some serious muff-diving. When a woman has had several orgasms on the tip of your tongue, she's likely to be forgiving even if you're so aroused that you explode immediately on entry. Think of it as defensive programming...

Your basic good cunnilingus technique is to lap at her labia and clitoris as if you were licking an ice-cream cone. Women vary a good deal in their response to this kind of stimulation, so unless you know your partner's preferences start light and slow and gradually crank up the intensity until you find where she responds best. Note that some women find direct tongue stimulation of the clitoris unbearably intense at low arousal levels -- so, though it makes a tempting target, you should sneak up on it gradually and be preparted to back off if she shows signs of distress. Breaking off occasionally to kiss and lick her inner thighs will tease her a bit and give you a rest. Be creative!

(Women: when a man gives you a thorough licking, it's only courteous to return the favor with some hearty fellatio just before he enters you. It's also smart; a man concentrating hard on giving you pleasure can lose some arousal levels, and you may well enjoy his cock more if you polish up that erection a bit.)

Cathy: "Agreed. This is especially if the guy has had to lick you a long time because it was hard for you to get aroused for some reason. You kept him waiting, and fair is fair."

If you've set up your no-lose situation properly, you can safely let instinct pretty much take over after the point of penetration. Paying attention and slowing down is still a good idea, though. There are various techniques for slowing down; one that I find effective is to thrust deep and then just freeze, no genital or body motion at all for a few seconds. (If your partner likes deep penetration this will drive her berserk, so you'll get a double benefit).

Cathy: "Be careful about that thrust-and-hold maneuver if you're built large. Some guys have this idea that they can't be good in bed if they are not hung like a horse. Untrue! In fact, I have sad memories of real pain that I suffered from well-meaning lovers who were so well-endowed that each thrust hurt. You don't need to be thick and long. Thick and short will fill her up quite nicely in most cases, because the vagina doesn't have very many nerve endings and much of the sensation comes from the lateral stretching a thick cock provides. And if you're short and thin...well, as Eric said, you still have lips and hands. One of the best lovers I ever had was short and thin, but his mouth and hands made up for it."

Sensible women will tell you when they're reaching the big-thunderclap final orgasm; in fact, enthusiastic ones not infrequently scream it loudly enough to scandalize the neighbors. If you're paying attention, you'll get fairly clear indications even when she's not vocal; whole-body tremors are a common sign. If you can pace things so you let go just after she begins to climax, that's about ideal.

If you arranged things properly, the two of you are having a thumping good mutual orgasm about now. Enjoy your reward. If you feel so inclined, roaring and bellowing in harmony with her cries of ectasy is quite good manners at this point. She'll feel appreciated.

Cathy: "However, don't bellow directly in her ear..."

Congratulations. But you are not quite done yet, stud. Never underestimate the importance of the post-coital cuddle. Chicks dig this amazingly. Just hold her gently for a while (murmured endearments and light kisses are optional but usually much appreciated). Let the afterglow happen. You will score serious points for this, even if you wander off to hack a few minutes later.

Cathy: "This can be a good time to talk quietly about personal things, if you are trying to get to know her better."

Note: I have just laid out a template for good basic sex. It works -- if you follow it you won't go far wrong. However, beware of taking it too literally. As in other kinds of art, over-reliance on technique tends to produce mechanical, joyless results. No woman wants to feel like a paint-by-numbers diagram or an obstacle course; if you find yourself mentally checking off boxes on a rote grand tour of her erogenous zones, it's not likely to work well for either of you.

Tastes differ, and you need to adapt to local conditions with each partner. Some women will really get off on having their nipples sucked; others are almost indifferent to it. A few prefer shallow penetration to deep. Notice these differences (and others) and use them.

You will also occasionally run into special situations in which her particular needs are so pressing that your own gratification runs a very distant second to satisfying her. The most common of these is virginity. If the woman tells you she is a virgin, or you discover it through the presence of an intact hymen (a membrane half-blocking access to the vagina), feel extremely honored that she has trusted you to help her have a good first experience. A woman's first time is more difficult than a man's and may involve minor pain and bleeding as the hymen ruptures. Accordingly, you need to be extra gentle and extra careful that she is extremely aroused before penetration, so that any discomfort will quickly be washed away by pleasure. The post-coital cuddle is especially important with a virgin; you could literally shape her attitude towards men and sex for the rest of her life with that few minutes of kindness.

In general, remember the objectives: joy and satisfaction. Pay attention to her feedback and tune your behavior accordingly. Answer her desires, and let her know when she's answering yours. That, not physical equipment or fancy moves, is what will make you terrific in bed.

Re:Here, it's pretty simple...I'm Russian

Troll? Try offtopic, or even informative.

Obligatory observation

[jvmatthe]

Quote from the story:

registered "microsoft.com" with Verisign, using the Russian Cyrillic letters "c" and "o"

Of course, one has to observe that goatse.cx has both an o and a c in it...

Yes, I know that the c is in the extension, but still... :^)

Re:Obligatory observation

Yes, I know that the c is in the extension, but still... :^)

You sick, sick man.

Re:Obligatory observation

[BrookHarty]

If a domain needed to be hijacked, thats it.
-
The only way to get rid of a temptation is to yield to it. Resist it, and your soul grows sick with longing for the things it has forbidden to itself. - Oscar Wilde (1854 - 1900)

Re:Obligatory observation

[aardvarkjoe]

Well, there goes all the security of being able to find your gay porn when you want it.

It shouldn't really be a problem.

[Martin+Marvinski]

If you purchase something online, they usually redirect you to an https connection. The site has to go through verisign or someother certificate authority or else your browser will warn you. This is not a serious problem. :-)

Re:It shouldn't really be a problem.

[GigsVT]

Most people just blindly click OK, because it is usually OK.

A lot of small e-business sites want to use their hosting provider's cert, but don't want the user's browser to display the hosting company's domain rather than their own. (Yes I know it's stupid, people are picky as fuck when you are making web pages).

Anyway, that causes the browser to warn that the cert is not valid for the domain it is being used in.

It's kinda possible to get around this using frames, but then the browser might say something about mixed secure and unsecure items on a page. The only real way to do it right is to just let the users see the hosting provider's address, as far as I know, or have the site buy their own cert.

Re:It shouldn't really be a problem.

[jenkin+sear]

Umm, you could just buy a cert for your micr0s0ft company- as long as you can produce legal documentation stating you were entitled to use that name (and you may be able to do so in .ru, different legal system and all), then the cert would validate- there would be no probs with the DNS. Remember, there can be several companies with the same name as long as they are in different industries- and that's just in the US. Cross a couple borders and you can probably get any name you want- 'specially if it's spelled with letters in the local alphabet.

Re:It shouldn't really be a problem.

The whole point of the Cert is what it certifies - it says that the site who's domain name you can see in the location bar really is the site named in the certificate (assuming the CA did it's job correctly *and the site takes good care of it's private key*).

Any kind of warning (or hiding the location in frames) means that the SSL connection is useless.

Some people think it's OK to 'accept', because you're still getting encryption, but you're not really protected at all - you could be (assume *are*) being 'Man in the Middled'. Someone can read your traffic and then forward it to the original site (if that helps convince you that you're not being monitored).

(I've built various systems to do 'man in the middle' on https, including transparently proxying SSL connections, with the collusion of one or other of the ends - e.g. access to a private CA key or user participation).

It's really important not to train users to 'accept' the only likely warning they get that their session security is being compromised. If more users called site operations into question, there'd be much more point to using SSL.

(Practical SSL/PKI security has little to do with the encryption algorithms, most of which can be demonstrated on the back of an envelope, but is really down to what all those certificates and processes actually mean in the real world!)

Re:It shouldn't really be a problem.

[GigsVT]

You are absolutely correct, but try explaining that to a customer that insists they want their own domain name to be on the "check out" screen, and not their hosting provider, but also refuses to buy their own cert. They won't understand, and they won't listen. Maybe allowing hosting providers to sign certs for the domains they host could be a solution.

solution--eliminate unicode fonts

[blastedtokyo]

There's a pretty easy solution here. Just get rid of unicode fonts. They're bloated, buggy, slow down your machine and lots of people just don't need it (western europe/americas). When was the last time you felt like writing a letter in russian? While you can still link to a site, it's pretty clear when you see mi-r-s-ft.--m (where you usually get square boxees instead of dahses).

While that definately doesn't solve the problem for asia/eastern europe, if most asian/eastern european hackers are targetting big capitalists and money centers, it would take some of the incentive out of it. After all they'd likely be hurting their own countries.

Now if some silly yuppie script kiddie uses this attack to screw over asia and eastern europe, I guess the russian mafia can take care of him.

i know you're being funny, but...

I believe it would be something along the lines of .

Re:i know you're being funny, but...

you'd need an accent mark over the 'o' to keep it from sounding like an 'a', fyi. other than that, you're absolutely correct.

Re:i know you're being funny, but...

Umm, that holds true ... if you were talking about a dictionary. The accent mark is for such purposes only (or for books for foreigners). It would be like spelling English with ä, ë, etc. to describe vowel lengths and values. This holds true even for foreign words. You just don't see accent marks in normal Russian text (unless it is dire necessity involving verbal aspect and such) ... but for a name? Nah ...

Re:i know you're being funny, but...

[arivanov]

That is in russian. In bulgarian and serbian you do not need it. The stress is at the other syllable so it sound correct.

The spoofable letters are a and o.

Re:i know you're being funny, but...

[mumkin]

> I believe it would be something along the lines of

. . . for which the homograph "craw rot" seems most apropos :)

Re:I would have thought it wasn't a problem except

[SwellJoe]

No offense intended, but if you associates aren't smart enough to distinguish between a scam and a legitimate e-mail, than you need to let thme get burnt a few times. Either that or get them off the Internet.

Yep, you're right. Let's make all the grandmothers stay in their rocking chairs where they belong. The internet is for young, savvy nerds. Knitting is for old people.

Seriously, I understand your perspective, and it isn't as though I'm suggesting legislation or something stupid like that (I'm anti-government on all issues)...I'm just saying I think people will get scammed using this method. And I think it may be damaging to legitimate companies as well. This is unfortunate on two counts...it is bad for my grandmother, and yours, and it is bad for honest businesses who would never use spam marketing or pull some kind of bait-and-switch, or just plain ol' scam.

That's all...I don't have solutions. I'm just griping about the problem. Isn't that what slashdot is for, hand-wringing and griping?

Consider the spam potentials

What's to stop someone from going out, registering a spoof of Amazon.com, etc. and similar "trusted" e-commerce sites, and using them for scamming and spamming?

Re:Eric Bin Raymond: The Sept 11th Conspiracy Reve

Senate Majority Leader Tom Daschle yesterday recanted his May 16 charge that President Bush had advance warning of the September 11 terror attacks, the latest example of a top Democrat backing off from such a claim. Top Stories
rebels face crackdown
"We were told on that particular morning that the president had received a particular set of facts that he may or may not have received. He has denied having received that information. And we accept that," the South Dakota Democrat said on NBC's "Meet the Press."
Mr. Daschle added: "If he says he didn't receive it, I'm not going to challenge that. What I'm going to say is, why didn't he receive it?"
His statement yesterday was in marked contrast to what he said on May 16, when he declared: "I'm gravely concerned about the information provided us just yesterday that the president received a warning in August about the threat of hijackers by Osama bin Laden."
The backtracking by Mr. Daschle came one week after House Minority Leader Richard A. Gephardt, Missouri Democrat, walked away from his earlier statements suggesting that Mr. Bush had warnings before September 11 that might have prevented the deadly terrorist attacks.
Mr. Daschle and other senators appearing on network talk shows yesterday criticized the FBI's handling of pre-September 11 intelligence. Mr. Daschle was particularly critical of what he called "fouled-up information sharing" between the FBI and CIA.
"I don't think anyone implicates the president in this. The question is, why didn't he have this information?" asked Mr. Daschle.
The Senate leader insists he still has confidence in FBI Director Robert S. Mueller III. But he said Mr. Mueller's attempts to reorganize the FBI must go beyond "shuffling the chairs." There must be a "change of attitude, a change of environment, a change in the mentality," Mr. Daschle said.
"That lack of sharing [of intelligence between agencies] is something we've got to address," said Mr. Daschle, who renewed his call for an independent blue-ribbon commission to investigate intelligence lapses before September 11. The Bush administration opposes such a commission.
After Mr. Daschle claimed on May 16 that the president had advance knowledge of the September 11 attacks, Vice President Richard B. Cheney said it was "incendiary," "thoroughly irresponsible" and false for anyone to suggest Mr. Bush had information that could have prevented the attacks.
Asked if he felt his patriotism was being questioned by the vice president, Mr. Daschle said, "Sometimes, I think the administration steps over the line when they make these kinds of accusations."
Pressed as to whether Mr. Cheney's remarks were "over the line," Mr. Daschle said: "I think it's getting close to the line. I think we have a responsibility to ask questions."
In the NBC interview, Mr. Daschle said Democrats and Republicans alike need to "tone down" the "incendiary rhetoric" they've displayed about media leaks or other issues related to September 11.
Mr. Daschle was asked several times if he viewed statements by Rep. Cynthia A. McKinney, Georgia Democrat, as being incendiary and irresponsible. She charged that people died needlessly on September 11 because administration officials had advance warnings about the danger but did not act because they stood to gain financially.
Sen. Zell Miller, Georgia Democrat, has characterized Miss McKinney's comments as "looney, dangerous and irresponsible." But Mr. Daschle yesterday declined to say if he shared that opinion.
Mr. Daschle said he does not know if he has the 60 votes necessary to overcome a filibuster and pass the legislation to create a blue-ribbon commission to investigate missed intelligence opportunities prior to September 11.
"But I'm encouraged by the growing number of Republicans in the Senate who have come forth to say they now support it," he said, adding that he is "reasonably confident" the votes will be there to pass the legislation when it comes to the floor sometime next month.
But key Republicans who appeared on talk shows yesterday, such as Senate Minority Leader Trent Lott and Rep. Porter J. Goss, chairman of the House intelligence committee, opposed the idea of an outside investigation.
On "Fox News Sunday," Mr. Goss, Florida Republican, said he thinks it would be hard to pull together an independent panel, and he worries it could be responsible for "egregious leaks."
Mr. Lott, who appeared on CBS' "Face the Nation," said that in the past six years, "something like six commissions" have studied aviation safety and other security issues. He suggested Congress read those reports, which cost "millions of dollars" to prepare, before creating yet another commission.
Mr. Daschle said Mr. Bush asked him on Jan. 28 not to seek an outside commission to investigate the September 11 attacks. Mr. Daschle said previously that Mr. Cheney made a similar request Jan. 24.
"They were concerned about the diversion of resources," Mr. Daschle said on NBC, adding that the request was repeated on other dates.
Mr. Bush and Mr. Cheney said last week that Congress' intelligence committees -- which can keep secret the classified information supplied by the administration -- are the proper panels for an investigation.
National Security Advisor Condoleezza Rice reinforced that position yesterday, saying the administration worries "about anything that would take place outside of the intelligence committees."
Miss Rice said ongoing FBI investigations shouldn't be jeopardized by information "spread to the first pages of the newspapers."

Are international domain names even necessary?

[ukryule]

From the article:

But are international domain names even necessary? Kuhn, who is German, doesn't think so: "Familiarity with the ASCII repertoire and basic proficiency in entering these ASCII characters on any keyboard are the very first steps in computer literacy worldwide."

That's like saying basic numeracy is the first step for computer literacy worldwide, so we should go back to using IP addresses!

Currently email addresses and URLs are the only reason a native Chinese speaker needs to use ASCII. For someone from Germany, ASCII is pretty easy to handle, but for a lot of languages, Unicode URLs & email addresses are very necessary ...

Re:Are international domain names even necessary?

yeah but of course Kuhn would say that -- because he's german, ascii covers pretty much all of his native alphabet.

Re:Are international domain names even necessary?

[Val314]

but how can you (or a avarage user) send an email to say müller@müller.de using an english keyboard?

i think we should stick to ASCII

Re:Are international domain names even necessary?

[erikdalen]

That's a pretty bad thing with the English keyboard. I have a swedish keyboard, and even though swedish only has the special characters åäö. I can still type most other charaters using two keystrokes, like: üñëíá...

/Erik

Re:Are international domain names even necessary?

[dvdeug]

but how can you (or a avarage user) send an email to say müller@müller.de using an english keyboard?

Yes, with the right ALT- combinations. Or you can cut and paste.

Sure, one might want to think twice about using müller@müller.de as an email address if you want to communicate with people who won't find that easy to type from their keyboard. But I don't think that's choice that should be imposed from the outside.

Re:Are international domain names even necessary?

[plumby]

What if the Internet had started in China? Would you be happy to learn the Chinese alphabet in order to enter URLs?

Re:Are international domain names even necessary?

[Dephex+Twin]

What if the Internet had started in China? Would you be happy to learn the Chinese alphabet in order to enter URLs?

First of all, if the Internet had started in China (which would have been absolutely bizarre), they probably would have used ascii characters, or some set of latin characters. Or, if they used Chinese symbols, then it wouldn't have gone outside the country until a different format came about. No matter what you say, Latin characters are easier to recognize and use than Chinese symbols (there are only 26 of them!). And just about every computer-aware culture is familiar with these 26 letters (since before the Internet).

Also important to note, the Chinese language isn't an alphabet. It is logographic.

mark

Re:Are international domain names even necessary?

[dvdeug]

if the Internet had started in China (which would have been absolutely bizarre)

What's so bizzare about the idea? It's an alternate history idea, and there will of course be different events (I'd make the divergence China a republic sometime in the 50 years before 1930 . . .)

they probably would have used ascii characters, or some set of latin characters.

If your alternate history still calls for the predominance of US computing and ASCII/ISO-646, then they probably would have used some ASCII based system. Otherwise I see no reason for that; if an alphabet was needed, they could have used Bopomofo (Chinese phonetic characters), or Cyrillic or Katakana.

if they used Chinese symbols, then it wouldn't have gone outside the country until a different format came about.

Depends on the economic importance of the Chinese net. If Chinese was the language of computing, there wouldn't be a problem. Even if it wasn't, it's possible that people would have put it up with it and added ad-hoc changes to make it work with their languages.

Latin characters are easier to recognize and use than Chinese symbols (there are only 26 of them!). And just about every computer-aware culture is familiar with these 26 letters (since before the Internet).

But Chinese characters are more concise than Roman characters. In any case, everything you've said applies with equal power to Cyrillic; a Sino-Russian web would probably have used Cyrillic as a base.

Re:Are international domain names even necessary?

[BlueGecko]

No, but I'm sure we would. The dominant culture at the time of a field's inception tends to define that particular field. Have you noticed that biology is still heavily Latin, that music is heavily Italian, that a number of math symbols are French (natural log as ln being the best example), and that martial arts are almost all Asian languages? In those fields, Americans must familiarize themselves at least with the foreign terminology, if not with the languages themselves, and I'm sure that if the Chinese had developed the Internet that we would add whatever Chinese words to our language that we had to in order to use the technology.

As for the alphabet itself: I think that the Chinese use the Roman alphabet when they need to write a word phonetically, and at any rate know that there is a specific way to write Chinese sounds in roman. Regardless, however, I suspect that we would probably simply familiarize ourselves with their alphabet, or, better yet, nonsensically map our characters onto theirs, so that an "m" was this glyph and a "y" was that one, thus allowing us to use the system but with our words. In other words, do exactly what we are doing, only the other way around...

Re:Are international domain names even necessary?

[Dephex+Twin]

It's an alternate history idea, and there will of course be different events (I'd make the divergence China a republic sometime in the 50 years before 1930 . . .)

Well, I wasn't really considering going back that far in history. What I thought would be bizarre would be if other events happened along the same lines, except China got an equivalent to the Internet going first.

If your alternate history still calls for the predominance of US computing and ASCII/ISO-646, then they probably would have used some ASCII based system.

I was simply thinking of Latin-based dominance in terms of international communication.

But Chinese characters are more concise than Roman characters.

Certainly not in terms of the number of characters!

In any case, everything you've said applies with equal power to Cyrillic; a Sino-Russian web would probably have used Cyrillic as a base.

Or Korea could have used its letters, yes. Or what if German had been made the national language of the United States? What if? Again, when responding the the comment about "what if China had created the Internet", I didn't know it was fair game to also imply "what if China became a Republic in the 1800s", "what if Russia/China/etc. had pioneered computing" and so on.

In response to Cyrillic and such, I went by the notion of "what language(s)/alphabet(s) are/were most widespread during the development of the Internet?" In the early 1900s, one might say that French was the "international language", and nowadays it is English-- both are Latin-based alphabets.

Yes, English dominated computing, as well as the Internet, but don't you think part of the reason for that could be because just about everyone was familiar in some way with these characters? On the other hand, if all of Western Europe and the Americas had to start learning katakana, cyrillic or Korean letters (let alone Chinese(!), which is what I was responding to), I think they would have rather developed their own way of handling the Internet, keeping the Chinese(or whatever) "Internet" confined within China.

mark

Re:Are international domain names even necessary?

[Alanus]

No matter what you say, Latin characters are easier to recognize and use than Chinese symbols (there are only 26 of them!).

Reducing the symbol set is not always making things easier. Even if a binary dump of text uses only 2 symbols, it is much harder to read. Japanese for example is harder and much slower to read if transcribed using ASCII (romanji) since Japanese has a terrible lot of homophones.

Re:Are international domain names even necessary?

[Dephex+Twin]

Reducing the symbol set is not always making things easier. Even if a binary dump of text uses only 2 symbols, it is much harder to read.

Hey, that's a slippery-slope argument.

My point was not even readability anyway. It was being able to tell things apart and use them. Think about this situation. If I speak Japanese as my native language, I probably see English characters often, and am at least familiar with the 26 letters (and probably have studied a Latin-based language at some point). And this holds true before the Internet's popularity. Also, I probably have some known way to easily type Roman characters into my keyboard. The Internet comes around, I just go along with these English characters without much extra learning, although it can be a bit of a pain.

Now take Chinese as the language of the Internet. Say I speak English/Russian/Swedish/Portugese/whatever as a native language. It's likely that I can't tell Chinese from Japanese (or even Korean for some people), and it's also likely I can't even write a single Chinese character (maybe I memorized one or two for fun). Imagine the undertaking required to even tell characters apart, regardless of meaning. There would have to be a fundamental restructuring of schooling in the West just to get people acquainted enough with the language to use it for web addresses, email, etc. I mean, people wouldn't even be able to transcribe an email address. More likely would be the creation of a Latin-based Internet in the West.

This is the problem that causes it to be very unlikely to have ever been universally adopted in the Internet.

I don't think one language is better than another, but it's just a fact that Chinese (as well as Japanese) takes much longer to learn than Latin-based languages and is much less widespread geographically.

mark

Re:Are international domain names even necessary?

[dvdeug]

Certainly not in terms of the number of characters!

But in terms of number of characters per text or sq. cm. of paper. The "What is Unicode" page is smaller byte-size in Chinese than any other language, IIRC, even with each Chinese character taking 3 bytes and most Latin character taking 1.

Again, when responding the the comment about "what if China had created the Internet", I didn't know it was fair game to also imply "what if China became a Republic in the 1800s", "what if Russia/China/etc. had pioneered computing" and so on.

Any scenario where China created the Internet naturally presuposses major changes in what China was, as China was in no position to build a large network of computers at the time the Internet was created.

On the other hand, if all of Western Europe and the Americas had to start learning katakana, cyrillic or Korean letters (let alone Chinese(!), which is what I was responding to), I think they would have rather developed their own way of handling the Internet, keeping the Chinese(or whatever) "Internet" confined within China.

Had the shoe been on the other foot, and April 1st, 1983 carried a message about WashVAX instead of KremVAX, I think they would have happily jumped on board whatever was in place. What self-respecting geek is going to let a language - much less a writing system - get in the way of getting hooked up to the Internet?

Re:Are international domain names even necessary?

[Dephex+Twin]

But in terms of number of characters per text or sq. cm. of paper. The "What is Unicode" page is smaller byte-size in Chinese than any other language, IIRC, even with each Chinese character taking 3 bytes and most Latin character taking 1.

I know that this is what you meant, but I wasn't talking about complexity in terms of size on paper or byte-wise. I'm sure you are correct on that. But the complexity of learning the language is far greater. And that complexity is the crux of my viewpoint.

What self-respecting geek is going to let a language - much less a writing system - get in the way of getting hooked up to the Internet?

Maybe a few geeks would learn Chinese in order to get on the Chinese Internet. Just like a some really hardcore gamers study up on Japanese because Japan has great games that don't come out in the US. Geeks make up a *very* small minority, especially ones that learn a language like this. How long was the Internet around in some form to computer geeks before it was really a "thing"? I'd say 96-97 was when the Internet really took off (although it was building throughout the 90s). It would have just stagnated like this if one had to learn Chinese to even see what was going on. Do you know how much more time and effort it takes to learn (even basic) Chinese compared to learning (even fairly advanced) Perl? It is for this reason that Western geeks would learn protocols and technology to build their own Internet rather than study languages for years!

Here's the big difference I was trying to explain before. Lots of people in China and Japan already know English or are in some way familiar with Roman characters. They see and use them every day. When the Internet was coming about, even if they didn't speak English, they could at least see more than incomprehensible gibberish (of course it isn't really this at all, but it is to most Westerners, honestly).

How would the Chinese Internet ever take off in the West, if the West would not even be able to recognize a single character, of which there are over 10,000 (5,000 common)?

Yes, people would begin learn Chinese, *if* the Internet was a big thing. But the Internet wouldn't be big enough to warrant years of study if only Chinese people used it. So you have a catch-22. At this point in time, instead of people saying "we want to be part of China's Internet, so let's all learn Chinese!" (which requires huge changes in social and educational structures), I think it is far more likely that people would say "we want an Internet too, let's make one (and connect it with China?)"

This is why I think a Chinese Internet that is a world standard almost could not exist.

Unless you go back and completely change the political and economic structures of the entire world for the past few hundred years. But then there would be so many changed factors that it's almost pointless to speculate. I mean, being expansionist goes against the very nature of China, which has always been isolationist (sometimes to great extremes). Would the USA even exist? Would widespread use of Chinese cause a total reform of the language (I feel it would)?

Although Chinese may not be harder for the native Chinese speaker than English is to the native English speaker, I still believe it is much easier and more productive for a Chinese speaker to "dabble" in English than it is for an English speaker to "dabble" in Chinese. Much higher learning curve.

mark

Re:Are international domain names even necessary?

[ukryule]

if the Internet had started in China (which would have been absolutely bizarre)

What's so bizzare about the idea? It's an alternate history idea, and there will of course be different events (I'd make the divergence China a republic sometime in the 50 years before 1930 . . .)

Well of course the Republic of China was formed in 1912, so that fits in with your timescale :-). So perhaps your divergence is that the communist revolution failed.

But if the internet had been Chinese based, then the character set would have been multi-byte based, and so would almost certainly have included Latin characters along with the Chinese characters, and Chinese phonetic characters. Thus it would have been much easier for a Westerner to use, as they just use the Latin subset and ignore the rest. The development of something akin to unicode would have been fundamental, not an afterthought.

What we're doing now, trying to expand from a small (1-byte) set of characters is much more complicated ...

Re:Are international domain names even necessary?

[dvdeug]

Well of course the Republic of China was formed in 1912, so that fits in with your timescale :-).

Oops. Asian history isn't really my forte . . .

So perhaps your divergence is that the communist revolution failed.

I'd think it be more important that whatever problems let it get started disappear.

The development of something akin to unicode would have been fundamental, not an afterthought.

One of my personal annoyances, and something I don't entirely understand, is that China, Taiwan and Japan all had multibyte character since at least 1980, but none of them really tried to be multilingal; the impetus behind Unicode was largely American. (To be fair, America had multibit character sets since the 50's, but expanding the number of bits to include the everyone didn't really occur to us until the mid-80s.) Looking at history, a multibyte character set would have been used, but I don't think something like Unicode would have appeared until the world just plain shrunk enough and people got tired of dealing with dozens of different character sets everywhere.

Re:Are international domain names even necessary?

[plumby]

Think about this situation. If I speak Japanese as my native language, I probably see English characters often, and am at least familiar with the 26 letters (and probably have studied a Latin-based language at some point).

Japanese, probably. Chinese, not necessarily. Most highly educated Chinese will have studied English (or some other Western language), but there are still vast amounts of Chinese people who have never seen a Western alphabet (or at least any more than you have seen Chinese on a Chinese menu etc). The Chinese equivilent of Mom & Dad USA usually speaks not one word of English.

More likely would be the creation of a Latin-based Internet in the West.

Which is almost exactly the route that is being taken by creating Unicode URLs.

but it's just a fact that Chinese (as well as Japanese) takes much longer to learn

If you want an easier alphabet, would you expect everyone in the US to learn Korean (24 letters, my wife picked up the basics in a week or so)?

but it's just a fact that Chinese (as well as Japanese) takes much longer to learn than Latin-based languages and is much less widespread geographically.


Geographically, possibly, population-wise, Chinese is spoken as a first (and usually only) language by almost 1/4 of the worlds population. When you take into account other non-Western languages (Cyrillic, Japanese, Korean, Arabic, etc), it's probably getting on for (if not more than) half the world's population.

Re:Are international domain names even necessary?

[plumby]

No, but I'm sure we would. The dominant culture at the time of a field's inception tends to define that particular field. Have you noticed that biology is still heavily Latin, that music is heavily Italian,

This is true, for people who work within that field. I suspect that your average person in the street wouldn't know what adagio meant. Also a better comparison is actually Greek symbols in maths, as they are in a different alphabet. I suspect that most people would recognise the pi symbol, but few of them (unless they are mathematicians) would recognise, or be prepared to learn, any of the others. This use of other languages/symbols in particular fields is almost universally seen by outsiders as a mechanism to stop them understanding that particular field. And if you had to learn a different alphabet/set of symbols to get on the internet, this would be a huge barrier to the the average person ever figuring out how to use it. I suspect that if we had to use ip addresses instead of urls to access sites, my parents (and most people like them) would never be able to get anywhere on the internet, and ip addresses are at least made up of symbols that they can read.

Re:Are international domain names even necessary?

[ukryule]

One of my personal annoyances, and something I don't entirely understand, is that China, Taiwan and Japan all had multibyte character since at least 1980, but none of them really tried to be multilingal;

I think the reason for this is the same reason that ASCII doesn't cover the French/German/Scandiwegian extra characters despite it being easy to do. Any country is only going to standardise on their own character set until there's a reason to be multilingual. That reason is the internet: You don't see other languages until the internet takes off, by which time you've already standardised on the protocols it uses (DNS,HTTP,SMTP et al) - and it's too late!

So whatever language the internet was developed in, it would need internationalisation after it has become successful.

Re:Are international domain names even necessary?

[Dephex+Twin]

but there are still vast amounts of Chinese people who have never seen a Western alphabet (or at least any more than you have seen Chinese on a Chinese menu etc). The Chinese equivilent of Mom & Dad USA usually speaks not one word of English.

That might be true, although it is a lot less likely that the poorer and more rural areas would have much exposure to computers or the Internet. And I would say a lot more Chinese are reasonably familiar with the Roman letters than non-Chinese are with Chinese characters.

More likely would be the creation of a Latin-based Internet in the West.

Which is almost exactly the route that is being taken by creating Unicode URLs.

I'm not arguing that. I'm only saying if China had developed an Internet before the Internet as we know it existed, it would not have gotten as widespread as the "English" Internet has throughout the world.

If you want an easier alphabet, would you expect everyone in the US to learn Korean (24 letters, my wife picked up the basics in a week or so)?

Well, I happen to have studied Korean myself, and it isn't very difficult to learn. However, Korean has some slight disadvantages. The first is that it is mostly spoken only by Koreans (either within the country or elsewhere in the world). So, while Roman character languages are already widespread, 99% of those who would already be familiar with Roman characters would now have to learn Korean characters. The other problem with Korean is that it is a more complicated matter to display. Roman characters go left to right, and the letters do not need to cross or connect (except maybe oe, ae...). Korean groups each syllable together into a single "symbol" where the letters within that symbol can connect right to left and/or up to down.

For the sake of having just 2 less letters, I don't think these problems make Korean a simpler or more convenient option for anyone, except Koreans of course.

I'm not trying to do a nickle-and-dime comparison like that (Hawaiian has only 12 letters, but it's not twice as easy as Korean or something). But 26 (English) compared to 5-10,000 (Chinese)-- that is a significant difference and I see meaning in that.

mark

Re:Are international domain names even necessary?

[plumby]

That might be true, although it is a lot less likely that the poorer and more rural areas would have much exposure to computers or the Internet.

To some extent true, but I have at least one Chinese friend who's parents speak not one word of any language except Chinese, but who keep in contact with him via email.

There will always be people that the Internet won't reach, in the same way that many people have never used a phone, but seeing the way it has taken off amongst people like my parents (the first time my father ever used a mouse was 6 months ago, but he's now addicted to the Internet), and the way new technology like mobile phones have taken off in China (and not just amongst the 'educated', it's not unreasonable to expect that there is a good likelihood that usage could start to pick up amongst the 'average' Chinese in the near future, and having to learn another alphabet in order to use it would be a barrier to this.

For the sake of having just 2 less letters, I don't think these problems make Korean a simpler or more convenient option for anyone, except Koreans of course.

The point about Korean was not a suggestion that it becomes the default language for the internet, just that if it had been the language that needed to be used to access anything, then this would be a barrier to the takeup of the Internet by average people in the West, and most people would not be prepared to learn it, even though it is not that complex, just for this purpose.

Re:Are international domain names even necessary?

[Dephex+Twin]

The point about Korean was not a suggestion that it becomes the default language for the internet, just that if it had been the language that needed to be used to access anything, then this would be a barrier to the takeup of the Internet by average people in the West, and most people would not be prepared to learn it, even though it is not that complex, just for this purpose.

Oh, so you are kind of agreeing with me but saying that even an easy language like Korean would be a barrier if it was a Korean Internet? Yes, this might be true.

However, I did originally say that English worked not because it is easy to learn, but because a lot of people already knew it or were regularly exposed to it by the time the Internet came about. And there is a good chance that those who don't know English know some Roman-based language (this doesn't cover everybody of course).

So it is this advantage of being widespread and similar to other widespread languages that makes it IMO easier to adopt in other countries than Korean. That is to say, if Roman-based languages weren't already so widespread and Korean dialects were, and a Korean Internet came about, it would have no more difficulty in the West.

Anyway, this is getting very far from reality. But you have an interesting point about Korean.

mark

Re:The web is a disaster

Senate Majority Leader (and pre-eminent asshole) Tom Daschle yesterday recanted his May 16 charge that President Bush had advance warning of the September 11 terror attacks, the latest example of a top Democrat backing off from such a claim. Top Stories rebels face crackdown "We were told on that particular morning that the president had received a particular set of facts that he may or may not have received. He has denied having received that information. And we accept that," the South Dakota Democrat said on NBC's "Meet the Press." Mr. Daschle added: "If he says he didn't receive it, I'm not going to challenge that. What I'm going to say is, why didn't he receive it?" His statement yesterday was in marked contrast to what he said on May 16, when he declared: "I'm gravely concerned about the information provided us just yesterday that the president received a warning in August about the threat of hijackers by Osama bin Laden." The backtracking by Mr. Daschle came one week after House Minority Leader Richard A. Gephardt, Missouri Democrat, walked away from his earlier statements suggesting that Mr. Bush had warnings before September 11 that might have prevented the deadly terrorist attacks. Mr. Daschle and other senators appearing on network talk shows yesterday criticized the FBI's handling of pre-September 11 intelligence. Mr. Daschle was particularly critical of what he called "fouled-up information sharing" between the FBI and CIA. "I don't think anyone implicates the president in this. The question is, why didn't he have this information?" asked Mr. Daschle. The Senate leader insists he still has confidence in FBI Director Robert S. Mueller III. But he said Mr. Mueller's attempts to reorganize the FBI must go beyond "shuffling the chairs." There must be a "change of attitude, a change of environment, a change in the mentality," Mr. Daschle said. "That lack of sharing [of intelligence between agencies] is something we've got to address," said Mr. Daschle, who renewed his call for an independent blue-ribbon commission to investigate intelligence lapses before September 11. The Bush administration opposes such a commission. After Mr. Daschle claimed on May 16 that the president had advance knowledge of the September 11 attacks, Vice President Richard B. Cheney said it was "incendiary," "thoroughly irresponsible" and false for anyone to suggest Mr. Bush had information that could have prevented the attacks. Asked if he felt his patriotism was being questioned by the vice president, Mr. Daschle said, "Sometimes, I think the administration steps over the line when they make these kinds of accusations." Pressed as to whether Mr. Cheney's remarks were "over the line," Mr. Daschle said: "I think it's getting close to the line. I think we have a responsibility to ask questions." In the NBC interview, Mr. Daschle said Democrats and Republicans alike need to "tone down" the "incendiary rhetoric" they've displayed about media leaks or other issues related to September 11. Mr. Daschle was asked several times if he viewed statements by Rep. Cynthia A. McKinney, Georgia Democrat, as being incendiary and irresponsible. She charged that people died needlessly on September 11 because administration officials had advance warnings about the danger but did not act because they stood to gain financially. Sen. Zell Miller, Georgia Democrat, has characterized Miss McKinney's comments as "looney, dangerous and irresponsible." But Mr. Daschle yesterday declined to say if he shared that opinion. Mr. Daschle said he does not know if he has the 60 votes necessary to overcome a filibuster and pass the legislation to create a blue-ribbon commission to investigate missed intelligence opportunities prior to September 11. "But I'm encouraged by the growing number of Republicans in the Senate who have come forth to say they now support it," he said, adding that he is "reasonably confident" the votes will be there to pass the legislation when it comes to the floor sometime next month. But key Republicans who appeared on talk shows yesterday, such as Senate Minority Leader Trent Lott and Rep. Porter J. Goss, chairman of the House intelligence committee, opposed the idea of an outside investigation. On "Fox News Sunday," Mr. Goss, Florida Republican, said he thinks it would be hard to pull together an independent panel, and he worries it could be responsible for "egregious leaks." Mr. Lott, who appeared on CBS' "Face the Nation," said that in the past six years, "something like six commissions" have studied aviation safety and other security issues. He suggested Congress read those reports, which cost "millions of dollars" to prepare, before creating yet another commission. Mr. Daschle said Mr. Bush asked him on Jan. 28 not to seek an outside commission to investigate the September 11 attacks. Mr. Daschle said previously that Mr. Cheney made a similar request Jan. 24. "They were concerned about the diversion of resources," Mr. Daschle said on NBC, adding that the request was repeated on other dates. Mr. Bush and Mr. Cheney said last week that Congress' intelligence committees -- which can keep secret the classified information supplied by the administration -- are the proper panels for an investigation. National Security Advisor Condoleezza Rice reinforced that position yesterday, saying the administration worries "about anything that would take place outside of the intelligence committees." Miss Rice said ongoing FBI investigations shouldn't be jeopardized by information "spread to the first pages of the newspapers."

IDNC3

[Russ+Nelson]

Dan Bernstein has a proposal for internationalized domain names which solves this problem and many other problems. It's called IDNC3. IDN stands for ``internationalized domain name.'' C3 stands for ``clean, careful, conservative.''

Re:IDNC3

Once again, Dan makes a convincing and worthwhile argument.

Re:IDNC3

[jmalicki]

UTF-8, which IDNC3 uses, is merely an alternate encoding of the Unicode character set. Thus, his proposal uses Unicode and still has said problem. And he doesn't seem to justify his assertion that "PunyCode" is any worse than UTF-8, and personally I can't see how it is.

Use that URL...

[Teknogeek]

...to link to the latest Slackware distro.

Who needs a paper... this is irrelevant

[wadetemp]

1) Some people are not good at spelling, and wouldn't know microsoft.com from microssoft.com, especially if it's just seen in a few quick glances.

2) There are more TLDs out now, and the same name at a .biz or .info TLD does not mean it is the same company... but no doubt alot of people think that's true.

3) There's always the old numeral "1" swapped for the lowercase "L" or the uppercase "I", trick, among other similar things that never involved Unicode, but rather human vision and high-resolutions.

4) The "@" symbol in the URL trick, like http:\\microsoft.com\moneyfrombil@haxor.com?action =allyourmoneyarebelongtous

So if you haven't figured out my point yet, a good percentage of people that use the internet are going to be fooled by far simpler feats of social engineering. Who needs Unicode to do it?

Re:Who needs a paper... this is irrelevant

A lovely example of this was http://www.paypall.com
Back in the day when PayPal was giving $5 per referral, somebody registered that one and had a link in the middle saying "Click to continue to X.Com's PayPal"
Of course, it was click-through to pass the referral to the owner of paypall.com.
Now, it's some bogus "Portal" site with pop-ups and pop-unders. You've been warned, curious clicker!

Re:Who needs a paper... this is irrelevant

[Grax]

The @ symbol may be a social engineering trick but Opera has a pop-up warning that probably nullifies its effectiveness. I think all browsers should do that. (especially since I don't use Opera)

Re:Who needs a paper... this is irrelevant

[weinerdog]

3) There's always the old numeral "1" swapped for the lowercase "L" or the uppercase "I", trick, among other similar things that never involved Unicode, but rather human vision and high-resolutions.

Since browsers (and possibly Outlook and other HTML-enabled mail manglers) support downloadable fonts, it shouldn't be all that tricky to just create a custom font with glyphs in the 'wrong' position. microsoft.com might be taken, but I bet that mzcyoqoxp.com is free. You wouldn't have to rely on similarities between glyphs in sans-serif fonts; you could spoof most any address through selective use of downloaded fonts.

This capability has existed for a while.

Hello

Allo comrade.

Client-side fix?

[igbrown]

Shouldn't a unicode-enabled application display a slightly different glyph (italicized or something) for a cyrillic "c" character vs. an western "c" char?

Re:Client-side fix?

[bani]

Not necessarily.

Unicode defines character code points, but doesn't specify their appearance.

There's nothing preventing an application from using lame fonts for glyphs, and in fact many do.

On average, unicode implementations vary from bad to utterly horrible.

Re:Client-side fix?

Actually, if the glyph is the same, why does it need a seperate unicode spot for each instance?

Re:Client-side fix?

[dvdeug]

(1) Which glyphs are the same are entirely font dependent.

(2) Greek letter A lowercased should look like ; Latin letter A lowercase should look like a. There are 23 o-like characters, some symbols, some alphabetic characters, 1 ideograph; each of them has their own properies, and many of them may or may not look the same depending on the font.

what the...

Somebody actually got a *paper* out of this?

"Things I didn't know:

Tree bark does not have a shell
Tree bark does not taste good with butter
Tree bark does not come from space"

-C. Seggelin

Isn't fraud illegal?

[anthony_dipierro]

If you buy something online without using a credit card, you deserve to get scammed.

If you buy something with a credit card, not only will you get your money back (actually never lose it in the first place), but the scammers will likely go to jail.

Besides, why are you clicking on links in your spam anyway?

Re:Isn't fraud illegal?

[WWWWolf]

*sigh*

You realize that not everyone can - or are willing - to get a credit card?

In some countries, it is entirely possible to live without having a credit card! We have this low-level concept of "cash"; you know, pieces of hard-to-forge paper and circular metal thingies that can be exchanged for goods and services.

Many many many interesting sites out there offer excellent services, but I can't pay them because I don't have a credit card - and international money transfers (particularly those to outside EU) are *painful*. So, I'm mostly limited to domestic stores with cash-on-delivery.

Re:Isn't fraud illegal?

[anthony_dipierro]

You realize that not everyone can - or are willing - to get a credit card?

Anyone 18 or over living in the U.S. can get a credit card. Those under 18 can still get one, they just need a coapplicant. As for those not living in the U.S., a solution to relatively secure electronic transactions is there, it's up to those countries to implement them.

In some countries, it is entirely possible to live without having a credit card! We have this low-level concept of "cash"; you know, pieces of hard-to-forge paper and circular metal thingies that can be exchanged for goods and services.

If you want to live without the convenience and security of credit cards, be my guest. But don't come complaining to me when your disk drive gets jammed when you try putting your currency into it. Or when you pay using anonymous e-cash and get scammed.

Many many many interesting sites out there offer excellent services, but I can't pay them because I don't have a credit card - and international money transfers (particularly those to outside EU) are *painful*. So, I'm mostly limited to domestic stores with cash-on-delivery.

That's not my problem. It's yours - and that of your government. Assuming you live in a free country, and can come up with a low cost secure way to transfer money to U.S. merchants, get some investors and implement it, and make millions (or billions or trillions depending on your exchange rate).

Re:WHY THIS IS IMPORTANT - It's already been done

[JesterOne]

Even better... I seem to recall a scam that did just that with paypal. They sent out bulk mail about updating your account or something but the link was not paypa(lower case 'L').com but paypa(Capital 'I').com and had made a carbon-copy of paypal's website, hoping you would log in. The address in the location bar looks identical for both. This sounds like the same kind of thing but using Unicode to make the spoof.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Reminds me of my friend

[quantaman]

My friend told me that a few years ago he was looking for a domain name to register. After some poking around he discovered that microsoft.net was up for grabs. He then proceeded to go to his dad to ask for the $10-$15 (don't remember the exact amount) he needed to register the domain, needless to say his dad refused!!

Think of the fun you could have with this!

[chabotc]

Ok, first take microsoft.com (alternate spelling), name your mail gateways identitcal to microsoft's, and then send out emails (as balmer@microsoft.com?) to a lot of MS employees, telling them to remove IE from XP ..

From there on, it only gets better and better. Think of the countries you would be able to influance, technology developement you could steer, and leaked memo's you could fabricate..

Damn i wish i had thought of it ;-)

Re:Think of the fun you could have with this!

don't waist your idea, go, registor!

Ohh and set up a religion,
The Believers of The Mighty M1 Ros 0fts; Lord And Savour of us all. so you can't be done for squatting.

Ha ha, loser

Avs are up 3 games to 2.

fa!

Interesting. I wouldn't have guessed that name servers would be so dumb as to accept anything other than [a-z0-9]

Different behaviour on different TLDs

[ukryule]

One way to control this would be to restrict the valid characters based on the TLD.

So for example '.uk'/'.au'/'.us' etc. can ONLY have ASCII 2nd level domains. '.de' Can only have German characters, '.fr' only French, and so on ...

Then for completely different character sets, you have new Unicode TLDs (Arabic, Greek, Chinese), which can only have their relevant characters.

I guess you leave .com/.org./.net as ASCII, although they are meant to be global they are based on the Latin character set.

Of course, this adds complexity - but you can do all the testing for validity when the domain is registered (i.e. a web client can request any URL, but dodgy mixed character set domain names cannot be registered).

Re:Different behaviour on different TLDs

Alas the problem with this is the problem with Unicode, some buggers copy-righted it.

still encrypted, but...

[MenTaLguY]

It's impossible to prove that someone hasn't inserted themselves in between you and the server, giving you a bogus cert, and pretending to be you to the server.

This is the reason for trusted signatures on certs.

Hit google for "man in the middle attack" if you want to know more.

Re:still encrypted, but...

i don't understand

i tried 'man in the middle attack' but there is no man page for 'in the middle attack'

how can this be, linux is infallible, how could free software fail me?

another good russian news site

nns.ru (russian language), if anyone is curious. i did a lot of reading off of there back when i was taking russian in school. it's still fun to look through to find a picture that matches up with something off of, say, dailynew's reuters or AP wire feeds, feed the russian text through the Fish and get a feel for how the russian press and the "western" press are looking at the same event... one thing that was markedly different as I recall was the dimitri sklyarov DMCA case, they were PISSED about that... (and rightfully so, imho, just like americans would be pissed if an american got arrested in china for speaking about democracy)

Re:I would have thought it wasn't a problem except

[cabbey]

if you associates aren't smart enough to distinguish between a scam and a legitimate e-mail, than you need to let thme get burnt a few times.

This is family we're talking about, not "associates"... you let family get burnt and you're getting fruitcake for christmass... for life.

Either that or get them off the Internet.

Ah, but then you couldn't get the pictures of the cousin's sister's kids emailed every time they get an award at school. Or the forward of the forward of the quoted forward of the latest monster joke to wander the 'net.

more information...

[mnot]

This was discussed on RISKS some time back. They provide a link to a copy of the article.

Also, from draft-masinter-url-i18n-08:

6. Security Considerations

If IRI entry software normalizes the characters entered, but the resource names on the interpreting side are not normalized accordingly, and the interpreting software does not take this into account, there is a possibility of "spoofing". Similar possibilities turn up when interpreting software accepts URIs in various native encodings or allows accents and similar things to be ignored.

"Spoofing" means that somebody may add a resource name that looks the same or similar to the user while actually being different, or a resource name that contains the same characters, but in a different encoding. The added resource may pretend to be the real resource by looking very similar, but may contain all kinds of changes that may be difficult to spot but can cause all kinds of problems.

Conceptually, this is no different from the problems surrounding the use of case-insensitive web servers. For example, a popular web page with a mixed case name (http://big.site/PopularPage.html) might be "spoofed" by someone who obtains access to (http://big.site/popularpage.html).

However, the introduction of character normalization, of additional mappings for user convenience, and of mappings for various encodings may increase the number of spoofing possibilities. In some cases, in particular for Latin-based resource names, this is usually easy to detect because UTF-8-encoded names, when interpreted and viewed as legacy encodings, produce mostly garbage. In other cases, when concurrently used encodings have a similar structure, but there are no characters that have exactly the same encoding, detection is more difficult. A good example may be the concurrent use of Shift_JIS and EUC-JP on a Japanese server.

Administrators of large sites which allow independent users to create subareas may need to be careful that the aliasing rules do not create chances for spoofing.

Nothing new

[Florian+Weimer]

The same risks exist today with ASCII domain names: transposed letters "1lI", "O0", playing tricks with "@" and most user agents.

You just must not take anything for granted which you see or read on the web.

cyrillic trivia Re:Terminology whine

[StandardDeviant]

The soviets actually changed the russian cyrillic alphabet when they came into power, dropping four characters (in the very early 1920s iirc). (They did a lot of other societal things that didn't last, such as switching to a five day week.) 'I' was replaced with 'backwards n' (sorry, no way to input cyrillic on this terminal), 'lower case b melded with a capital T' by 'E', 'almost greek nu' (i think, v-shaped) by 'backwards n', and 'greek theta' was replaced by 'greek phi' (i think). [Source material: page 8 of Scientific Russian, J. Perry, 1950 Interscience Publishing]

Re:cyrillic trivia Re:Terminology whine

[os2fan]

I'm aware of all of this. But even in the soviet empire, there were extra letters. Compare this in the west, where Icelandic still uses thorn and etha. Thorn was used in english before the latin alphabet arrived, and continued afterwards. edda or etha is a crossed d. Capital thorn looked something a Y with a vertical left stroke. Hence "Ye Olde Shoppe".

Ohter english letters to fade is yoch [looks like a 3] - this is the z in Menzies = Men3ies "Menges".

Also of note is digamma. In the greek number system, this is 6, that is, the 6th letter of the alphabet. As a letter, it appear between epsilon and zeta. Since our alphabet is derived from the greek, one notes the letter here not only looks like digamma, but preserves much of the original sound: F. Phi was an asperated p.

Cyrillic bears a much closer resemblance to the classical greek letters, and the theta, indeeds represents an f here.

Unicode reflects current realities. There is more than one Cyrillic Alphabet, just as there is more than one Latin alphabet.

Re:cyrillic trivia Re:Terminology whine

[phoenix123]

oh man, that was way cool!

never before have i had such interesting language insights.
where can i get more info like that?
playing with language is fun - and a good way to impress your friends ;)

obligatory joke

[circletimessquare]

"640 Characters should be enough for anyone."

sorry, couldn't resist ;-P

Re:I would have thought it wasn't a problem except

Yeah, right, and if you buy a brand new something from SEARZ and it doesn't work, let thou get burnt and buy from SEARZ no more. There's LEGAL and ILLEGAL. And scams like this aren't legal (unless you live in Pwanda or Tomalia, where they don't have scams anyway).

Disclaimer: "SEARZ", "Pwanda", "Tomalia", as used above, do not denote any real entities. Any similarities with real persons, events, locations are purely accidental and unintentional.

KOI8-R

I never understood what K0I8-R stood for. And why choose such a stupid name???

The name for the standard (or whatever the fuck it is) is fucking lame.

In my language, it means "testicle". But because some programs I use are developed in Russia, I have to see this shit of a name, on my screen, every day.

I have nothing agains Russian people, but for those that gave the name to "KOI8-R": FUCK YOU, FUCK YOU, FUCK YOU, FUCK YOU!

Re:KOI8-R

[shepd]

>In my language, it means "testicle"

I didn't know there were languages that used numbers in the spelling of words. Wonders will never cease to amaze...

Well, at least your name doesn't translate to New Ching Shit in another language.

Re:KOI8-R

Russian uses a "3" for a "z" sound.

Re:KOI8-R

[shepd]

However, it appears to be written a bit differently from a normal 3, and I doubt one would push the number 3 on a Russian keyboard to create the letter unless it was broken.

Just as myself, a born English speaker, do not type the number 1 for l or i, and I do not type the number 0 for o, or 5 for S, the Russian keyboard does not use 3 for "z".

If you're Russian, feel free to correct me on that.

Re:I would have thought it wasn't a problem except

[blight2c]

so, you're saying only those trained in using the web should feel safe using it? sounds fair, maybe we can have an online training course for using the . . . oh wait that wouldn't work would it. maybe we can have like a quasi-web software app. (like training wheels or somethng) and maybe some moderators to guide them. and then they could take a certifaction test down at the . . . the . . . what's that place where they keep all the books with information and stuff in them . . .

Difficult?

[Hugonz]

Sure, like PayPai.com a couple of years ago?

crystal

What, you don't think programmers are crystal deodorant using hippies too?

paypai

Doesn't anyone remember some russians spoofing paypal.com by registering paypai.com. The two domains look similar (especially with an uppercase i). They were able to steal account information by sending offical looking email to unknowing users asking them to click a link and log in, giving away their username and password. I remember Paypal using x.com for a while to prevent this.

http://zdnet.com.com/2100-11-522401.html?legacy=zd nn&chkpt=zdhpnews01

Sorry to butt in, but

[trauma]

So you're saying that, because a person is uninformed about a particular aspect of online communication, he should be immediately stripped of his right to use the internet rather than, oh, educated? You're drawing some very broad conclusions about a person's intelligence and learning ability based on his not being properly informed (by your standards) on one little issue. That is to me an offensively elitist attitude.

Scenario absurdum: You (yes, you) fall victim to an exploit of some kind, which has been published but only on forums you do not frequent. By your logic you should immediately throw your hands into the air, crying "This darn internet is just too complex for me to use! I shall give it up immediately and, furthermore, I shall forever protect this secret from my friends and family, for clearly if they can't discover it for themselves then they are idiots like me. But at least I get to be an idiot with an air of superiority about me."

Being uninformed does not equal being unable to "handle" something, and to assume so is foolish.

Re:Sorry to butt in, but

[Ozymandias_KoK]

Obviously in this case, the fact that it is email is only relevant is as the distribution medium. These kinds of scams are nothing new (ok, in general, that is) but it's now very easy to reach a much wider audience.

You gotta love this quote...

[ncc74656]

Certification agencies (which include VeriSign) ensure that encoded names are not misleading and that the registration corresponds with the correct real-world entity.

Yeah, that's why a couple of Israeli college students were unable to register mirsoft.com (spelled "mi&#1089;r&#1086;soft")...oh wait a minute, what were they saying again?

Re:You gotta love this quote...

[Anonymvs+Cowardvs]

They were saying that certification agencies ensure that encoded names are not misleading and that the registration corresponds with the correct real-world entity. (Oh, wait, that's what they wrote, too. Whaddyaknow.)

The students registered the domain name, they didn't get an SSL certificate containing data suggesting that they were Microsoft.

The Link

[ragnarok]

Here it is:

http://www.miñrîsîft.com

What, no /. Unicode support? foo.

Re:old tricky-dicky

[annalojic]

I remember the old days of spoofing using double ROT13.

Verisign -- the company you can trust!

[Corgha]

Verisign never ceases to amaze me. The first sentence on their website is:

VeriSign, Inc. (Nasdaq:VRSN) is the leading provider of digital trust services that enable businesses and consumers to engage in commerce and communications with confidence.

... so it seems safe to say that trust is the foundation of their business. Essentially, we trust Verisign to ensure that we're communicating with whom we think we're communicating, and to protect us from various forms of spoofing. They should therefore, IMHO, actively avoid even the appearance of impropriety.

However, we all remember the Microsoft certificates they mistakenly gave out to a third party.

Now we've got them registering another domain to someone that looks just like "microsoft.com." While it's tempting to absolve Verisign of guilt in this, I think they were asking for it. After all, even I thought of this possibility when I first heard about Unicode domain names, and I'm not the sharpest knife in the drawer. You've got to think someone at Verisign raised the possibility, but they chose not to deal with it.

Again, one might be tempted to say that this isn't their problem, if not for the fact that they are in the trust business. As the article says, "Certification agencies (which include VeriSign) ensure that encoded names are not misleading and that the registration corresponds with the correct real-world entity." It should not be technically difficult, for instance, to build a set of lists of visually similar Unicode characters and to refuse to register domains visually identical to existing ones. Maybe they should decide to forgo a relatively small amount of revenue and to refuse to sully their reputation with such inevitably deceptive domain registrations, especially considering that they interfere with Verisign's core business.

Of course, none of this compares to the letters they sent out trying to fool people into switching their domains over to Verisign. The other two were negligence and foolishness, but that was an active attempt to deceive from a company that's selling trust.

It all leaves me in a bit of shock. It's not that I'm shocked to see a company doing stupid and deceitful things; it's that trust is Verisign's primary asset. Hearing about these (colossally, in my mind) stupid decisions is like hearing that GM decided to torch all its manufacturing plants and assasinate all its employees. It leaves me with two questions: "what they hell are they thinking?" and "why does anyone continue to do business with Verisign?"

IPs and URIs?

Um.. easy. Just copy (gpm for consoles) the URI and type "host ", then hit the right mouse button. Press enter. Wait a second. Compare. Rejoice.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Eric Bin Raymond: The Sept 11th Conspiracy Reve

[ShawnDoc]

I'm sorry, but what the he** does this have to do with the story at hand? Where are the moderators when you need them?

Re:Not a big deal

[boky]

I don't know about you guys, but in my part of the country you always have at least one keyboard layout installed (for your locale), in most cases two (yours and English).

I can tell you for a fact, that all people using 'alternative' (as in non-ASCII) character sets always have two locales installed.

For example, in Serbia, both character sets are used - cyrillic and latin. So, to type in www.microsoft.com with cyrillic c (by the way, 'c' is 's' in cyrillic) and o, one would have to:

1. Type www.mi
2. Switch to Cyrillic
3. Type s
4. Swich to latin
5. Type r
6. Switch to Cyrilic
7. Type o
8. Swich to Latin
9 .Type soft.com

Don't think that's very likely, do you? And of course, people who use 'alternative' character sets can also quickly see if the domain is in latin or in (for example) cyrillic and switch keyboards accordingly.

The only real problem I see (which was mentioned in some other post) is with emails - someone might send you an email instructing you to click to www.microsoft.com, where you could be fooled into thinking you came to the right site.

Moderators Please attend to this matter.

[ObitMan]

Somebody mod this fool down as "-1 Ignorant".
How bored out of your skull do you have to be to jump all over an obvious troll and make your suggestion.
This site has the FINEST moderators and system available.
Just because they didn't move fast enough for you is no reason to waste everyones time with this.
Moderators please mod ShawnDoc down so that those browsing at 0 do not have to see his reply to a post that was already modded down.

Thank you.

Shush, the filter here doesn't know about cekc!!!!

[Slashamatic]

We have a http filter here that protects against things such as www.sex.com (being PC, it also stops theOnion and fuckedcompany). They even filter out the fish, in case you use it as a proxy to get non-PC pages.

Unfortunately, it doesn't protect against 'cekc' (I can't be bothered to get type this in Cyrillic here).

Also discussed in "Secure Programming" HOWTO

[dwheeler]

This issue was also discussed in my book Secure Programming for Linux and Unix HOWTO. Look at the section on semantic attacks.

Yea right.

[reynolds_john]

Oh, like we'd all fall for Bill Gates giving us $10.00. Maybe $10.00 off the next Office XP^2 which might retail for $499 for an upgrade. Hmmph.

Right.. excpet.. SSL

[mindstrm]

This is the EXACT reason we have certificate authorities like Verisign, and why a system using these certificates is built into common web browsers.

IT is NOT so that you can use encryption; that is a side effect engineered into the system so that they can sell more certificates.

Re:Right.. excpet.. SSL

[Alan]

Isn't the point of the article that now you can go to a Verisign approved website for (unicode of some big company) and have it check out properly because there is a verisign cert for the site (unicode of some big company)?

People now seem to be good at knowing that if you get funny pop ups about self signed certs or certificates not matching the url that they don't put in their credit card number... now suddenly that doesn't apply, because you won't get that, and the differences aren't as obvious as those for something like paypaI.com or micros0ft.com :)

Re:Right.. excpet.. SSL

[Simon]

Isn't the point of the article that now you can go to a Verisign approved website for (unicode of some big company) and have it check out properly because there is a verisign cert for the site (unicode of some big company)?

No actually. Certs are meant to be part of a solution to the problem because Verisign are not going to issue certs that have misleading (unicode) names in them.

The problem is URLs that look like the real site you want. Mind you, I think that 80% of users never look at the location bar anyway. Not to mention how easy it is to hide the location bar. (Open a new window for your site using javascript window.open() and tell it not to put a location bar on the new window.)

People now seem to be good at knowing that if you get funny pop ups about self signed certs or certificates not matching the url that they don't put in their credit card number...

They are?!?! Which country do you live in? I want to move there!

--
Simon

Re:Right.. excpet.. SSL

> Not to mention how easy it is to hide the location bar.

Don't forget that you could hide the location bar and display a fake bar. Same applies to the status bar: Somebody could make it fake, with a fake lock icon and a fake "certificate" window popping up on demand.

Scary! :-(

Re:Right.. excpet.. SSL

[mindstrm]

No. THe point of hte article is to try to blame this on verisign when in fact they are doing nothing wrong.

It sounds like you don't really understand how certificates work. Verisign will NOT issue you a certificate for www.microsoft.com using some cyrillic characters. So there is no way a site can present a certificate, signed by verisign, indicating the site is microsoft.com

The article tries to make it out that because verising issues certificates, it shoudl ALSO be verifying domains people register.

Think of the enormous lawsuit!

[mindstrm]

Just because it's a technical no-brainer doesn't mean it's legal, and doens't mean it even treads on laws that have anything to do with the internet.

If you pretend to be someone else, or if someone registered an alternate lookalike domain for microsoft.com and used it to in any way whatsoever to benefit from the fact.. they'd be in deep sheep.

Re:Think of the enormous lawsuit!

[TurboThy]

How would I benefit from conning M$ employees (G0d have mercy on their souls) into removing IE from their computers? I mean, "physically" benefit, as I do not believe the "mental" beneficial aspect of schadefreude counts.

Link to the paper and example HTML

Here's the link to the paper:

Paper Online

[AstroMage]

Inspite of what the heading says, the original paper is online- you can find it on Evgeniy Gabrilovich's homepage.

That is, if you are interested in the dry, technical details... ;-)

Re:Paper Online

[pne]

Looks like the authors don't know the difference between UTF-16 (which the page is coded in) and UTF-8 (which the page claims to be coded in, according to the meta tag).

Re:Paper Online

[Embedded+Geek]

AstroMage: Thanks for posting the link. I poked around the school's website but wasn't able to find the paper. I tried the CS Dept.'s index of papers by author (admittedly, only for Gabrilovich) and came up dry. After that, I simply submitted the story as-is. Maybe I should've tried in Google, too. ;)

Were you familiar with the paper already or did you find it another way? Just curious.

You are mixing things up.

[mindstrm]

Verisign's activites as a domain registrar are NOT the same thing as their CA business.

They are not required to, nor do they claim to, verify domain registrants UNLESS those registrants apply for digital certificates.

Yes, verisign are scum.. but you are barking up the wrong tree here. They are not at all requred or expected to verify domain registrars.

Hey. I wish they were. Imagine how many domains would have to be revoked? Literally millions.

Re:You are mixing things up.

[Corgha]

They are not required to, nor do they claim to, verify domain registrants

I'm not mixing things up. You're misunderstanding me. Where did I say that they are required to verify domain registrants?

I said that maybe they should refuse to register domains that are visually similar to existing domains. That has nothing to do with verification of the identity of the person attempting to register it -- if you're refusing, who cares?

Nor did I try to make the claim that there was some legal requirement for them to do so. While I'm at it, note that I did not say that people should not be allowed to register such domains, only that Verisign should refuse to sully their hands with them.

Yes, verisign are scum.

And the fact that their lack of integrity is without question is what is so weird! Since I've pointed out what my point isn't, here's what it is:

If I were Verisign, I would work very hard to ensure that my integrity was above question, and to that end, I would refuse to facilitate obvious attempts to deceive. I would do this not because of some legal or techincal requirement, but because of an ethical one.

Normally, businesses do not have to be ethical, and even with Verisign, ethical behavior is not a legal or techincal requirement. However, since unethical behavior makes them less trustworthy, and trust is their primary asset and business (as they themselves say), unethical behaviour should carry a special cost for them.

Verisign's activites as a domain registrar are NOT the same thing as their CA business.

Neither was Caesar's wife's supposed affair with Clodius directly related to Caesar's ability to govern. Trust works in funny ways. Consider this: I am a sysadmin. People have to trust me not to snoop through their files and email. If my users discovered that I were engaging in some shady scam on the side, or even that I hung around with a bunch of con artists, it might make them trust me a bit less, even though those activities have nothing, prima facie, to do with my role as a sysadmin.

Similarly, Bill Clinton's sexual activities or George Bush's supposed connection to Enron may have very little to do with their activities as President, but engaging in deceitful behavior or even associating with those that do damages trust, an important asset for politicians as well. That's why their opponents are always searching for such scandals.

The fact that Verisign has allowed themselves to be involved in yet another scandal that says "you can't trust that you're talking to whom you think you're talking" is sort of crazy, considering that they identify that very trust as their core business. That the news came from another division of the company is not really that mitigating -- it's still the Verisign name in the headline: "Verisign gives away microsoft.com domain" (printed with Cyrillic "c" and "o" ;)

Re:WHY THIS IS IMPORTANT - It's already been done

[Ark42]

My Mozilla 1.0rc3 at least, makes if very obvious the differences between L and i in opposite cases. I think its because Win2000 uses Tahoma instead of MS Sans Serif all over the place now though.

What needs to be done to solve this

[Hellkitten]

Solution: Make brovsers default to displaying links to sites with non-ascii address different from regular links

Also since link display mey be overridden by style sheets, either make the browser override stylesheets for these links.

Display a warning when user follows one of these links

If this warning is displayed as a popup, if the user checks the "never show this warning again" display a text that explains why this is a bad idea

The only true way to security is to annoy your users into submission

Re:What needs to be done to solve this

[dvdeug]

Solution: Make brovsers default to displaying links to sites with non-ascii address different from regular links

You're treating Unicode URL's as something wrong. They aren't, and a program should not usually annoy users using normal features of the standard.

A much better solution is to detect anomalous URL's (those with mixed scripts) and display them differently in the address box. Since a website can't do anything bad to your computer (and if it can, then that's a serious bug in the browser that needs to be fixed), you don't need to worry about links; just telling whether a site isn't authentic. If your users won't check the address bar, then ASCII links will have no problem spoofing them, either.

The only true way to security is to annoy your users into submission

It tends to make people not want to use your products. It induces random fear and doubt in others. What popping up random boxes for normal events tends not to do, is help users be any safer. It's amazing how fast I can click [yes] on Windows' dialog boxes, before I can even really check what they say.

Re:What needs to be done to solve this

[Da+Web+Guru]

Solution: Make brovsers default to displaying links to sites with non-ascii address different from regular links

Now all you have to do is get millions and millions of users to upgrade to the latest version of their web browser...

Good luck, because I know of users that still use Netscape 4.5 (or earlier...)

Re:What needs to be done to solve this

[grahamm]

Or require that that DNS entries be unique on glyph rather than character code. So that if 2 codes generate the same glyph make DNS treat them as the same character.

Re:What needs to be done to solve this

[ethereal]

But then you have to muck with DNS every time somebody makes a new popular font, in any language in the world. Seems a little extreme to me, although I agree that it would really get to the root of the problem.

Re:What needs to be done to solve this

[FuzzyBad-Mofo]

I want no part of Unicode. Give me ASCII or give me death!

Or buy a keyboard

You might have to look around, but they shouldn't cost more than $10-20, and have both english/cyrillic letters on them.

sure they get the domain name, what about hosting?

[GutBomb]

unless they run thier own servers, hosting is gonna be a little hard to get. I run a web hosting company. When a user signs up for hosting they are immediately ushered to the credit card processor, then after that it askes them what passowrd they wish to use on the system. after that the domain name, password, and other stuff are stuck into a database and an email is fired off to me to let me know someone signed up, containing the url of the page that will give me the details. anyway, i open up an ssh session to the server and start setting it up. when i enter the domain name into the httpd.conf i am not typing in cyrillic. I simply fire up vi, and type the domain name in there using regular latin characters. Same when I set up the DNS zone files, email, and other such stuff. Sure they can get the domain name there, but actually getting the page to show up is another matter all together. I believe even russian ISPs would assume the letters were latin characters and not thier cyrillic counterparts if they are used to spell english words (as in known company names to be used in some sort of scam)

Set up your own root CA

[Cardbox]

No need to go to Verisign or anyone else. Be your own certificate authority. Create a self-signed root certificate and use it to sign any site certificates that you want.

The root certificate won't be built in to IE, of course, so the first time the user clicks on the link, IE will ask him if he wants to accept it. To which the answer will be "Of course I do, dummy, or I wouldn't have clicked on that link! Honestly, IE missing out one of the Microsoft root certs: typical MS incompetence".

Or, more simply, "Help, a dlg box has popped up, which button do I press to get to the site?".

Either way, you can spend the rest of your life after that inventing ever more interesting spoof domain names...

MODERATION ON CRACK ?

Read the article this is ontopic

Re:MODERATION ON CRACK ?

[MattCohn.com]

Yah, well I read the article... and although it did claim stupid users were click-happy, the main point is that someone could confuse a user into thinking that some site was actualy AOL's order page.
And this is a user that is bright enough to distinguish aol.dns2go.com from www.aol.com. Now, if this person had linked to micr0soft.com, then it might have been on topic.
But as it stands, I still have respect for slashdot moderation.
So, please think before you post and claim that a link to porn is on-topic...

Why not stick with English?

[evilviper]

I'm trying not to sound like a lingual elite-ist by any means, but can anyone really say that we shouldn't standardize on English/ASCII? Just about every country where English is not the native language, English is taught to their school children from early on.

The internet has shrunk the barrier to exchange information, which has made diverse languages even more significant of a barrier. If we use UNICODE and just let accept that everyone wants to use their own language, then the internet will end up as a group of national islands of information. Each group will surf their set of native language web sites. When you search the web, the information on that Nokia phone might not be readable by you (Babblefish isn't a solution).

Language has always been a barrier, and I hope the internet will be the tool by which that barrier is torn down; not the tool which escalates the problem.

Re:Why not stick with English?

[dvdeug]

I'm trying not to sound like a lingual elite-ist by any means, but can anyone really say that we shouldn't standardize on English/ASCII?

The 5 billion people in the world who don't have English as their native language might. Some would argue that language is a cornerstone of culture, and that when a society loses their language, they lose a significant part of their culture. I've read parts of Shakespeare in German, and was very unhappy about the destruction of the writing. I know several poets of my native tongue (Poe, in particular) would be lost completely in translation. I have no interest in condeming other people to reading the great literature of their cultures in translation.

In any case, ASCII isn't good enough for English writing. French accents are used in English writing, as well as the ae and oe ligatures. Even in modern writing, proper quotes and apostraphes are needed, and footnote daggers often show up in English writing. For specialized work, mathematics, linguistics (even of English), historical English writing and APL all have thier own body of characters outside ASCII that need supported.

Re:Why not stick with English?

[ukryule]

I'm trying not to sound like a lingual elite-ist by any means, but can anyone really say that we shouldn't standardize on English/ASCII?

Yes. It's ridiculous to ask people to learn (admitedly a small part of) a new language to use a computer. Just because English is taught in a lot (not all) of schools around the world, it doesn't mean that everyone is comfortable using it. A truely usable computer should be one which allows you to interact with it 100% in your own langauge.

The internet has shrunk the barrier to exchange information, which has made diverse languages even more significant of a barrier.

The main barrier to computer usage in a large part of the world is that it is still an elitist medium - only useable (and affordable) by the well-educated. If you are actually interested in making it easier for everyone to communicate, then the main technical issue to be solved is how to make the internet useable by anyone from any background.

If we use UNICODE and just let accept that everyone wants to use their own language, then the internet will end up as a group of national islands of information. Each group will surf their set of native language web sites.

This already happens. Of course people surf websites in their own language! Because you (and I) only surf the English-speaking fraction of the web, you don't see it. All that international domain names adds is that a Russian accessing a Russian website can do so via a Russian URL. What could be more sensible or obvious than that?

If no standard is agreed upon, proprietory standards will pop up all over the place, and it'll be a huge mess. In fact this is already happening - although he's the current anti-Christ of Slashdot, the big selling point of RealNames was for non-English languages, and if you believe Keith Teare's account, he was shafted by Microsoft because they wanted to control (via their browser) the translation of non-ASCII names to ASCII URLs.

Re:Why not stick with English?

[david+duncan+scott]

Shakespeare in German? But it's so much better in the original Klingon!

Re:Why not stick with English?

[Nept]

Shakespeare in German is good.

Re:Why not stick with English?

Und du, Brutus?

Re:Why not stick with English?

[HiThere]

But perhaps it would be reasonable to require that URL's should be interpreted in ASCII (or at least that the ASCII interpretetion should be the official one).

There is a reason why all airline pilots are required to speak the same language. It happens to be English, but that's not what's important.

I don't see anything wrong with requiring all URLs to be in ASCII. Conventions could be adopted to convert their display into other character sets, but the ASCII version should be the official one. So a URL like:
http://chnEi3ReY/...
would have, say, an interpretation in Hiragana, but the ASCII version would be the official one.

Re:Why not stick with English?

[davejenkins]

Aah... nothing like a good bash of the perceived 'English Language Oligarchy' that rules the planet.

You are confusing issues of literary expression, and URLs. URLs must be standardized on a universally recognizable (and unconfused) character-set. If that is ASCII, then great. The ASCII letters show up in every major culture/country on the planet:Japan, China, Korea, Europe, India, Arabia. Every literate person on the planet can read them. That makes for a pretty strong argument.

Re:Why not stick with English?

[dvdeug]

nothing like a good bash of the perceived 'English Language Oligarchy' that rules the planet.

You're saying the _American_ Standard For Information Interchange should be the _universal_ standard for URLs, and so far, more or less, it has been. Of any non-invented language in the world, English has the most people who say "why don't they all speak my language". How many American journals publish in a non-English language? How many Japanese journals publish in a non-Japanese language? And what language is that usually? It's not an overt thing; no oligarchy exists per se. But there are distinct biases towards English, and it's very frustrating when those biases are gratitious.

URLs must be standardized on a universally recognizable (and unconfused) character-set.

Why must the character set be universally recognizable? Yes, I'm not likely to type in www..com. So what? If they want my business, they probably need to register an ASCII domain name. If they don't want my buisness, they can go on being www..com.

Every literate person on the planet can read them.

Um, no? At best, _many_ people literate in languages using non-Latin scripts can recognize them. That's a far cry from reading them. That's important; part of the point of a URL is that www.slashdot.org is memorable. But if I'm not fluent in English, even if I can recognize individual characters, it won't be. How frustrating would it be if you had to transliterate English into Greek or Cyrillic everytime you wanted to write a URL? I want my name in my email address, not some mangled foreign version.

Re:Why not stick with English?

[dvdeug]

There is a reason why all airline pilots are required to speak the same language. It happens to be English, but that's not what's important.

Yes, but airline pilots are highly trained professionals who may kill people if there's a communication problem. The Internet should be accessable to everyone, not just those who know English.

Conventions could be adopted to convert their display into other character sets, but the ASCII version should be the official one.

That's what they're doing - I believe a leading bq-- will signal that it's supposed to be Unicode. How is bq--asdiv8nern.com much better than 129.22.21.99, though?

Re:Why not stick with English?

[HiThere]

That's what they're doing - I believe a leading bq-- will signal that it's supposed to be Unicode. How is bq--asdiv8nern.com much better than 129.22.21.99, though?

It wouldn't be better, if you were browsing in English. But it also wouldn't get confused with something else. E.g. bq--rusMicroSoft.com wouldn't be confused with Microsoft.com. But you wouldn't usually go to a page with a Russian URL unless you were conversant with Russian. The thing is, if a unicode representation is the official version, then one will need to use hex editors to pry apart similar looking glyphs. If it's ASCII, all you need is a text box, with an option to force the URL into lower (or upper) case. Much more convenient for most people than parsing the hex.

Re:Why not stick with English?

[dvdeug]

E.g. bq--rusMicroSoft.com wouldn't be confused with Microsoft.com

Yes, but bq--asdiv8nern.com could easily get confused with bq--adiv8narn.com. No one's going to want to look at the ASCII mangled names.

Re:Why not stick with English?

[evilviper]

The ae and oe to which you refer are indeed ASCII... just because they don't appear on your keyboard doesn't mean they don't exist.

Mathematics has it's own language which I doubt Unicode can rival.

As far as culture, you can keep your native language... Just keep one language standard on the internet!

Re:Why not stick with English?

[evilviper]

It's ridiculous to ask people to learn (admitedly a small part of) a new language to use a computer.

Why? We require all the sciences to use the metric system.

A truely usable computer should be one which allows you to interact with it 100% in your own langauge.

I happen to know a 4 year-old who knows how to use Windows better than some post-grad students I know. Knowing the definition of a word is not even necessary for computer use.
Besides, you haven't proven that those who speak a different language have a harder time using a computer in English. I learned how to use DOS with no idea waht DIR or CD meant...I learned how to program in C without C as my native language!

The main barrier to computer usage in a large part of the world is that it is still an elitist medium - only useable (and affordable) by the well-educated.

Send me $10 and I'll send you a 486. A little more for a 100MHz Pentium. As far as well educated, I refer back to the 4 year-old. Besides, I had no training on how to use a computer, I was taught how to double-click and the rest I learned becase of weak restrictions.

Of course people surf websites in their own language!

Well, not exclusively in most cases. At least because most information is in English, people learn that they need to know english well enough to ask a question, read a manual, read a book on programming, etc.

Re:Why not stick with English?

[dvdeug]

The ae and oe to which you refer are indeed ASCII...

If you use Linux, try man ascii. That will show you all the characters in ascii. See Roman Czyborra's character set page for more detail than you could ever want. As a point, ae and oe are not in ASCII; oe isn't even in Latin-1.

Mathematics has it's own language which I doubt Unicode can rival.

Huh? What's that supposed to mean?


As far as culture, you can keep your native language... Just keep one language standard on the internet!

You can keep your language, as long as we don't see it, then? Use our language where we can see it. That's not arrogant? What if you were asked to learn Mandarian Chinese (the language of more people than any other) before you could use the Internet?

One of the amazing things about the Internet are when grandparents can communicate with grandchildren; forcing old dogs to learn new tricks and young kids to pick up a second language before they've fully learned their first isn't going to make the Internet more accessable to everyone.

Re:Why not stick with English?

[dvdeug]

We require all the sciences to use the metric system.

The metric system - all the average person needs to use - is describable on one small page at normal size print. No language comes close, especially not English. In any case, if you want to be a scientist, you have to take 10 years of college; there should be no unnessecary requirements on what you have to learn to use a computer.

most information is in English,

Most people use the Internet more for communication than information. It's like comparing the amount of water in two lakes when you're looking to water your roses. It doesn't matter how much information there is, so long as there's enough. I would guess there's enough information out there in Spanish or German or Chinese or most other major languages.

people learn that they need to know english well enough to ask a question, read a manual, read a book on programming, etc.

Right. Most people don't go around reading manuals (that didn't come with their computer) or books on programming (at all).

Again, we aren't talking about hackers here. People seriously into any field are going to pick up the language common in that field, and computers are no exception. You're asking the masses to learn a language to use computers, which is entirely different.

You don't sound like someone who's tried to learn languages here. I've taken years of classes to learn German, and can still only stutter through. Reading a half-page of technical information in German took me a hour, at which point I gave up trying to read it. I can't imagine ordering everyone in the world to learn a language to use a computer.

Re:sure they get the domain name, what about hosti

[Edmund+Blackadder]

Many ISPs do the whole sign up process automaticaly.

Maybe you would like to save some time as well - check out - www.rodopi.com.

Discussed on Unicode in February

[absurd_spork]

This has been known for quite some time. It was in February discussed in a series of threads on the Unicode mailing list, started by this message by Gaspár Sinai who developed the Yudit Unicode editor.

Basically, the consensus in the end was that it is impossible to avoid this sort of problem as long as you have a standard that encodes characters instead of glyphs (that means that Latin "o" and Cyrillic "o" are different characters, even though they look the same).

A character set that encoded glyphs instead of characters could avoid this. However, such charsets are extremely tedious to implement. It has been tried with the Adobe glyph registry and has been found insufficient.

In practice, glyph-based character sets are unusable. The reason is that they cannot be made fully round-trip compatible with existing character sets, such as ISO 8859 or the Windows codepages, because these legacy character sets encode characters instead of glyphs. If URLs were encoded in such a glyph-based character set, it would be impossible to embed URLs in any document in a legacy character set. No URLs in e-mails.

As a result, the only solution is to have application and operating system vendors implement checks for such situations and to have URL registries reject such obvious spoofing attempts (e.g. no mixed-alphabet URLs). Since the problem is not fundamentally different from registering slashdot.org, it is not even a problem that we weren't already aware of.

Re:Discussed on Unicode in February

[pne]

Mixed-alphabet URLs need not necessarily imply spoofing. That would be like saying URLs with both upper and lower case are all spoofs -- but some people write URLs with mixed case for legibility (e.g. www.SomeLongDomainName.com vs www.somelongdomainname.com). There are undoubtedly legitimate uses for mixed-alphabet domain names as well (perhaps something like "www.team-xxxxxxx.com", with the x's standing for Greek/Cyrillic/whatever letters?).

There should be special unicode domains

[nniillss]

Isn't the problem very similar to snail mail? If a japanese or russian family lives in the states, they better use an ascii address (including transscriptions for their own names). The post office just can't handle japanese or cyrillic characters properly. For foreign addresses, however, it suffices if the country designation "Japan" or "Russia" is in ascii; then, the mail is just forwarded to that domain where the rest of the address can be deciphered.

Obviously, the problem for email/IP is not completely analogous since (in digital form) unicode is unambiguous. As stated in the article, this fact does not help for recognition and transmission of rendered characters on-screen (or in printed form).

---
Proud holder of a mensa / cafeteria card

Your Email Idea Won't Work

[Hylander]

Sending a link in an email isn't as straightforward as you make out - it would require the recipients to have Unicode enabled mail readers for them to see the link as it really is.

At the moment, this is only really supported in HTML (and even then the support is patchy).

If you are going to send out HTML, there is no real need for that level of sophistication - a link like:

http://www.microsoft.com

will fool enough people.

This is potentially more of a problem in the future for those who use large character sets regularly, and therefore support Unicode natively on their platform in things like MUAs.

MOD PARENT UP!!!!!!!!

+741098 insightful, YEAH microsoft sux0rs!!!!!!!!!!1111111111

umm....email?

[corian]

Haven't they forgotten the more obvious use, which is to make people think that they are getting an email from microsoft.com/amazon.com/someothermerchant.com
wh ich they could reply to, check the headers, etc., without noticing the difference?

Re:sure they get the domain name, what about hosti

[GutBomb]

yeah, i really did not think of that. i prefer to do it manually instead of something doing it automatically, A) because i don't want to pay for a tool that helps me do it automatically B) I am too lazy to do one up for myself C) I use plesk server administrator on some of the servers and i don't think i want to play plesk to develop something for me since all thier php source code is encrypted.

Google is your friend

[Luminous+Coward]

The work was done for a paper in the Communications of the ACM (the paper itself is not online).

I doubted that statement as I'd read the paper online several days ago. I think it was linked to from Bruce Schneier's Crypto-Gram Newsletter. Anyway a simple Google search with homographic attack dns yields one and only one result:

The Homograph Attack

Re:Google is your friend

[rob_from_ca]

If it was in ACM communications, it should also be in their digital library on www.acm.com. Although it is only open for subscribers. Something I'd recommend though; there's hundreds of papers and articles there and you can get lost reading for a very long time.

tangential ask slashdot...

[Graspee_Leemoor]

This is slightly tangential, but seems a good place to ask: does anyone know how to get Microsoft IME under Windows XP to use a Dvorak layout for romanji input when typing Japanese ?

For English I just use the US Dvorak input method, but when the language is set to Japanese there seems to be no way to use Dvorak other than tediously modifying the romanji->kana input table, which is clearly the wrong way to go about things.

graspee

Re:tangential ask slashdot...

(Troll)

What's "romanji"? Any relation to "romaji", that is, Latin transcription of Japanese?

Re:tangential ask slashdot...

simple typing mistake - get over it

Unicode and security

[eversonm]

The fact that "Microsoft" can be spoofed by replacing up to five of its letters with Cyrillic lookalikes is *not* a fault of Unicode. Unicode seeks to encode all of the world's writing systems. That there is glyphic similarity between Latin letter o, Cyrillic letter o, Greek letter omicron, and Myanmar letter wa is an accident of that cultural abundance. Bashing Unicode for this "security flaw" is, hm, shall I say, pernicious, and attacks the Good Guys, not the Bad. Michael Everson www.evertype.com

I know I should have bought an App1e

M1cint0sh instead.

Re:ASCII FUN!

[darekana]

Currently email addresses and URLs are the only reason a native Chinese speaker needs to use ASCII.

Actually they are probably using ASCII on their keyboards whenever they enter ANYTHING! Unless they happen to be doing char recognition with the mouse.... which I doubt.

so what if u add in .........

an off the shelf script to add said link into your bookmarks. Granted most problems that this can cause would be minorly annoying, but the potential for mischief is their. Give someone a hammer and it's guaranteed they will hit a finger sooner or later.

R�:� f��l t� s��

[JCCyC]

hôw thïs ìs thãt ïmpörtânt.

Sõrrý, cöùldn't rêsîst. Thè Dëvîl màdê më dò ît.

goatse

[diesel_jackass]

oh geez, i can see the creative Goatse links now.

Are ActiveX controls subject to this?

Installation of an ActiveX control requires the use to "trust" the given company/URL. Seems this could be used now to make an ActiveX control look like it came from Microsoft.

Re:WHY THIS IS IMPORTANT - It's already been done

[ptbarnett]

They sent out bulk mail about updating your account or something but the link was not paypa(lower case 'L').com but paypa(Capital 'I').com

DNS lookups are case-insensitive, so mucking wth capitalization in the domain name will have no effect.

I'm not questioning the existence of the scam -- only that they must have perpetrated it in a different way (such as whitehouse.com vs. whitehouse.gov), since capitalization won't make any difference.

Beyond the domain name, the rest of the URL may be case sensitive. But, you can't use that to direct someone to a completely different site.

RTFC, more carefully this time

[fizbin]

The point of the comment is that - hold on here - I and L are different letters. Despite that, in a sans-serif font, a capital I and a lowercase L look nearly identical. (Exactly identical, depending on font) Note that most url bars on web browsers use a sans-serif font.

The real site is written as paypal.com, while the fake site was written as paypaI.com. Note that those are different - in all uppercase one is PAYPAL.COM while the other is PAYPAI.COM

Re:WHY THIS IS IMPORTANT - It's already been done

http://slashdot.org/articles/00/07/21/1343231.shtm l

the reason that it fooled so many people is because
www.paypaI.com and www.paypal.com look very similar if you
a) aren't paying attention, and
b) you are using crappy fonts

or just boot to DOS and delete from DOSSHELL

Contrary to popular belief, Linux isn't always The Way(tm).

:boot from a linux floppy, mount the hard drive, :and deltete it from there.

Re:WHY THIS IS IMPORTANT - It's already been done

[The_Sock]

He's saying they used I (Capitol i) instead of l (Lowercase L) to fool people, so it was a different domain, it just appeared the same because of the similarity between I and l with some fonts.

It's already been done (sort of)

[WarGeek]

The government white house site, is white.gov, and the humor site is whitehouse.org, while whitehouse.com is pr0n. Now, why wasn't the government smart enought to register all the whitehouse domain names? Oh, never mind, I think I just answered my own question.

Its not the same

[Srin+Tuar]

The average literate chinese person has to know upwards of 3000 unique characters. Picking up the ~30 ascii glyphs needed to use the current internet is trifling in comparison.

Knowing a sufficient number of english words is much more difficult, but completely unnecessary for using email/DNS.

Also, I imagine if the "internet started in china", they would have included the measly 26 uppercase latin letters, as they are kanji's too. Most of the sites youd be interested in as an english speaker would stick to those anyway...

Farsight seems to be scarce

[gweihir]

I have had numerous discussions (or better: fights) with people about this. Usually they feel the security problems can be solved without real effort (by somebody else of course), but feel what I really wanted is to discriminate against them.

It never ceases to amaze me that some people rather risk an entirely working system, like the DNS, than accept that technology cannot accomodate their personal needs that fast and that some of their personal needs may be very difficult to fulfill, and that this is not the fault of the engineers but rather a consequence of the fact that the technology they now want adapted to their needs was invented by people from another culture! If the WWW was a russian invention, of course everybody participation in it would have to learn russian language at first! Maybe even still some decades later. Now it was mostly american so it is ASCII and english. Those that cannot adapt to that should wait until their needs can be safely and cost-effectively accommodated or do the nedded extensions from thier own ressources!

But obviously many people just "want" without any willingness to contribute or invent or implement by themselves. I foresee interessting times for anybody using text-based identities, like names.

What about (micro)soft?

[mmol_6453]

I know there's an SI(metric) character for the unit modifier "micro"...Is that covered in Unicode?

Hats off to the first person who grabs THAT domain combination. (I hope it's another OSS junkie)

Re:What about (micro)soft?

Its the greek letter 'mu'.

Re:What about (micro)soft?

Or '\u00B5'.

That's nothing

[Carrion]

I remember using a diskette with a FAT editor to change my directory names to combinations of characters that were illegal in FAT, and therefore completely unopenable by normal means.
That means my directory stayed until I got back to the computer no matter if the admin found them unless he reformatted the disk... ;)
Gotta love a system where user level programs have raw access to devices.

The Answer is Simple

[jakub_sad]

Why don't we go back to just using IP's instead of DNS names?

Bill: "Hey Jim, I just found this awesome website!"

Jim: "Oh yeah? What's the name?"

Bill: "64.28.67.150"

Jim: "One of those easy to remember ones, eh?"

Bill: "Yep! Oh and by the way, are you Canadian?"

Jim: "Watcha talkin aboot?"

Re:I would have thought it wasn't a problem except

[Tony-A]

Taken to its logical conclusion, if you can't handle life (all of it?), then you shouldn't be alive.
The thing is that people do have to cope with things that they do not understand. Societal norms should be such that minimal damage is inflicted due to lack of understanding of consequences. This applies to adults as well as children and infants.

[OT] not quite correct

[brokeninside]

IMO, the major contribution of St. Cyrill and Methodius is not the creation of an alphabet, but their disputes with the Western church and the Pope regarding the right for the different peoples to learn and practice Christianity in their own language. Up to that point only Latin, Greek and Hebrew was used in church services...

This was only true in Western Christendom and then only true to a limited extent. For example, in the west, the first Christian missionaries to the British Isles translated the service books of the early Church to Gaelic and other Celtic languages. In the east, the the generally accepted practice was to use the venacular. This is why some of the oldest extent copies of the Bible are in one of the Ethiopic languages, Coptic, Syrian, etc.

The Roman canon that the liturgy could only be practiced in one of the tongues spoken by the apostles was of relatively late invention and only applied to congregations under the sole apostolic see of the west, Rome. Congregations under the apostolic sees of the east always used the venacular.

Hence it is somewhat ironic that many eastern Churches refuse to update the liturgy from being in liturgical Greek or old Slavonic into their modern equivalents.

Regards,

-l

Multicode... Any other solutions?

[TGZubby]

http://www.cs.aucegypt.edu/mudawwar/publications/M ulticode_IEEEComputer97.pdf

Re:I would have thought it wasn't a problem except

[HiThere]

The first time I got a Klez message, I sent a reply saying that I thought their machine was infected. I only discovered the forgery problem when I started reading up on it. That's probably what happened to your friend.

If you aren't really bothered by viruses (i.e., keep you system reasonably secure and don't use MS), then their new tricks can sneak up on you.

This is a job for...

[qwerpoiu]

Quick! Call Adobe!

Damn those Russians! messing with our alphabet

.

Damn those Russians messing with our alphabet!

.

Because they're smart

[GCP]

Nobody who understands text data would use anything other than Unicode except for legacy handling. Using different encodings for different languages is as ridiculous today as using different encodings for English on different platforms used to be before everyone agreed to exchange data in ASCII.

Re:Because they're smart

[bani]

For many language encodings the conversion to unicode is a one-way ticket, there is no roundtrip possible -- so you sometimes lose critical information about the characters.

It's also disappointing that unicode forum dropped their official JISUTF tables. There is no longer any official translation table for japanese encodings to unicode. It's the wild west for asian languages in unicode (ever wonder why no asian data systems use unicode?)

Re:Because they're smart

[dvdeug]

For many language encodings the conversion to unicode is a one-way ticket, there is no roundtrip possible

Really? Name a few. The Unicode consortium and ISO 10646 went through a lot of trouble to round trip everything through Unicode. They recently added ARABIC TAIL FRAGMENT to roundtrip some ancient IBM Arabic character sets through Unicode. There are hundreds of characters in Unicode whose only point is roundtrip other character sets through Unicode.

There is no longer any official translation table for japanese encodings to unicode.

Those were never official. Two different systems didn't always agree on the definition of various characters in those encodings, making it hard to make an accurate universal translation table. Also, Unicode doesn't consider the defintion of various Japanese standards its business.

Re:Because they're smart

[bani]

"Those were never official. Two different systems didn't always agree on the definition of various characters in those encodings"

Thank you for making my point for me! You can't have a reliable roundtrip conversion, when you don't even have a reliable freaking one way conversion!

"making it hard to make an accurate universal translation table."

And there is no longer any translation table at all. The impetus for asians to use unicode has all but evaporated, the only people using unicode for asian data interchange is westerners. The asians have largely abandoned it, and it is hardly suprising given these problems.

"Also, Unicode doesn't consider the defintion of various Japanese standards its business."

And this has absolutely nothing to do with translation tables. Unicode isn't defining JIS or EUC.

Re:Because they're smart

[dvdeug]

You can't have a reliable roundtrip conversion, when you don't even have a reliable freaking one way conversion!

How can you have a reliable conversion if the origin is ill-defined?

And there is no longer any translation table at all.

All Unicode did was move it into the OBSOLETE directory. They certainly didn't search the web and destroy every copy they could find.

The impetus for asians to use unicode has all but evaporated,

Which is why all operating systems sold in China must support GB18030, a format of Unicode.

the only people using unicode for asian data interchange is westerners.

Sure, the email may be in ISO-2022-JP; but the emailer that sent it probably stored it in Unicode and displayed it using a Unicode text display engine. This is true for Outlook Express, Mozilla, and anything written for KDE or Gnome 2.

Re:ASCII FUN!

[drewness]

Actually, as far as I know, the main way Chinese enter text is with keyboards that have BoPoMoFo characters on them. (Scroll down the page a bit to see the BoPoMoFo part). The one Chinese keyboard I have seen did also have latin characters on the keycaps too, so they at least have exposure to latin characters. Plus, I wouldn't be surprised if there also existed a system for Chinese similar to the sometimes used Japanese system of Romaji->Kana->Kanji for input.

Sideswiped with a limerick!

[NoMoreNicksLeft]

MrHat, I've missed you. I had started to think I was unworthy of your limericks.

Tell me the truth though, is it, or is it not incredibly sad, that nearly every topic/conversation on this site can be reduced to a 5 line poem? It tells the lie of just how shallow most of this is...

Unicode is not the problem...

[GCP]

...but it will have to be part of the solution.

The problem is the diversity of characters used by people around the world, regardless of how they are encoded. Encoding them in anything other than Unicode would make the problem dramatically worse because no group will sit back for long and allow their language to be excluded from global naming protocols on this shared "worldwide" platform.

Having everyone share an ASCII-only system is no longer a viable option, so either everyone shares a single system that covers all languages (Unicode is the only viable option), or the system breaks up into a composite of conflicting encodings. (.com could be registered as half a dozen different byte sequences by different registrars.)

The Unicode solution is the only one that makes sense, then you have to look at rules for the use of characters. You would have to look at the rules for the use of characters even without Unicode. It's just that Unicode makes it so much simpler than the composite alternative that a solution is probably possible.

This IDNC3 proposal is a good start, but there are even more issues. People who wave their arms about the "problems of Unicode" aren't helping, though. Almost all of them are really just advocating "let's keep it simple by limiting it to the characters I need and disallowing yours", and that won't fly any longer.

Re:Unicode is not the problem...

[Russ+Nelson]

IDNC3 prohibits the use of visually identical characters in domain names. There's really no alternative to doing that.
-russ

Keyboards

[GCP]

Yes, and it's a lot harder for you to write the characters needed for programming in C++ or Perl. I'd rather have my English keyboard.

HOWEVER, what I'd like best of all would be to replace the dumb keyboard (hit a key, get the character printed on the key cap) with smart input methods at the OS level (maybe keyboard driver level if you don't have a GUI).

For example, I should be able to type user-defined abbreviations and have the OS replace them with what they represent. I should be able to type "deja vu" and have the OS input dictionary automatically replace it with "déjà vu" and so on. We should be able to use the tab key for autocompletion and substitution, so if I type e/ then tap the tab key, it might replace e/ with é, and so on.

Yes, I know we have some of this functionality in unix shells like bash, some in emacs, some in word processors like MS-Word, etc. I'd like it at the OS level so that no matter what I was typing into, I would have a virtual keyboard much more powerful than my simple physical keyboard and one that I could optimize for the characters/words/phrases I needed most often.

Re:Keyboards

[dvdeug]

HOWEVER, what I'd like best of all would be to replace the dumb keyboard (hit a key, get the character printed on the key cap) with smart input methods at the OS level (maybe keyboard driver level if you don't have a GUI).

Will the X input manager framework not support this? I've looked at it repeatedly, but I read none of the CJK languages XIM is primarily designed for and primarily documented in.

I know it's only X, but I've given up any hope of Linux and X agreeing on the keyboard.

Re:Keyboards

[The+DOS+Guy]

For example, I should be able to type user-defined abbreviations and have the OS replace them with what they represent. I should be able to type "deja vu" and have the OS input dictionary automatically replace it with "déjà vu" and so on. We should be able to use the tab key for autocompletion and substitution, so if I type e/ then tap the tab key, it might replace e/ with é, and so on.

Microsoft introduced that functionality into DOS when they added ANSI.SYS, the device driver that replaces the CONsole device to allow techs to use the same escape codes they used for terminal sessions for example ^[(control-left bracket, the Escape key)[2J to clear the screen or ^[[33;44m to change colors. Although you need to go through the process of setting up the driver, it's just a one-time addition of one line to CONFIG.SYS and just a few to AUTOEXEC.BAT.

Also, you could simply switch keyboard layouts in DOS without going through the same change for your monitor. I remember memorizing those "dead keys" where you could enter é by pressing 'e and ' by pressing ' twice.

I gave microsoft.com my credit card number!

I gave microsoft.com my credit card number!

Should I be even more concerned?

Spoofing URLs Without Unicode

Nu, so how does this change anything? No Unicode was killed to produce this link:

<a href="http://slashdot.org">Microsoft.com</a& gt;

Re:Eric Bin Raymond: The Sept 11th Conspiracy Reve

I am glad that someone else knows the truth!

Done in Unix also...

[dghcasp]

Back in my old Unix Admin days, working at a company where everyone knew the root password, People would sometimes try to hide directories by putting non-printing control characters in the name, e.g. ". ^hfoo"

Of course, this is easy to defeat with a simple combination of backticks, ls -1 and wc.

The best way I discovered to hide the contents of a directory in unix is:

use fsdb(8) to change the first character of the directory name to "/"

Unix is rather unhappyful trying to cd to a directory that has a / as part of its file name. Shell quoting tricks won't get you past it, since it's the kernel handling the /

Of course, you had to un-/-ify the directory every time you wanted in, but hey, the price of security...

wtf?

[Chessucat]

by the looks of this I say anyone can do it, 'eh?

whois -h whois.crsnic.net slashdot.org

Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

SLASHDOT.ORG.SUCKS.COMPARED.TO.JIMPHILLIPS.ORG
SLASHDOT.ORG.SHOULD.BEESECURE.ORG
SLASHDOT.ORG

To single out one record, look it up with "xxx", where xxx is one of the
of the records displayed above. If the records are the same, look them up
with "=xxx" to receive a full display for each record.

>>> Last update of whois database: Tue, 28 May 2002 16:51:10 EDT

Re:WHY THIS IS IMPORTANT - It's already been done

capitol? wtf?

Telling Japanese from Korean [OT]

[Broccolist]

It's likely that I can't tell Chinese from Japanese (or even Korean for some people)

Ha. There's a restaurant in my city that proclaims "Japanese restaurant", but the signs are filled with Korean characters. Apparently so few people can tell the difference that these people are basing their business on pretending to be Japanese :).

Re:Telling Japanese from Korean [OT]

[Dephex+Twin]

Ha, I can definitely believe that.

The other day at work I scribbled a couple of words in Korean on my notepad (I studied Korean a bit). Later my boss came by and saw it and asked what it meant. I told him and then showed it to the *Chinese* guys who work in my area to see if I had it right. They glanced and said "oh that's Korean" and my boss said "oh, I see, but can't you read it at all?" Errrr, no.

With Chinese, I can understand there is a huge learning curve, but a lot of people don't know that they could pick up basic Korean (alphabet and making words) in about a day.

I guess when people look at Chinese/Japanese/Korean they see "Chicken Scratch language" and don't really look for the obvious distinctions among them.

mark

This is not a scandal.

[mindstrm]

It is a totally legitimate domain. There is nothing WRONG with it.

It's particular uses of it that can be wrong, but not the domain itself.

And as to what you said, you, directly or indirectly, implied that Verisign should not allow domains like this to be registered because they are in the certificate authority business.
Totally different things.

I don't see the connection you are drawing.
No, bill clinton's relationship with his wife has nothing to do with his ability to govern, and I cannot *believe* that people actually think it has an effect.
Actually, what I realy think (read this carefullY) is that it's a big deal because people THINK that other people think that it has some effect, and don't want to appear different.

Finally....

[rodionpunk]

Whitehouse.gov can fight back against Whitehouse.com!

What the fuck happened to Adequacy??

The new slashdotsucks.com sucks, I liked the old one (the "Adequacy" one) better. Bring it back!!!

Re:WHY THIS IS IMPORTANT - It's already been done

[bay43270]

Someone once sent an email to my yahoo account that looked just like the yahoo login message. I would have fell for it, but IE didn't auto-fill my login into their fake text field.

Comm of the ACM article online

[plcurechax]

The Communications of the ACM article, is available online, at <http://www.csl.sri.com/users/neumann/insideris ks.html#140> (Inside Risks 140, CACM 45, 2, February 2002).

Re:WHY THIS IS IMPORTANT - It's already been done

[Captain+Chad]

I'm using Mozilla 1.0rc2 (not 3, but...) under WinNT and they look the same. So I think your conjecture about the font change for Win2K may be the correct reason.

Why not discredit Christianity and Judaism, too?

[Karma+To+Burn]

Folks are just kinda thick about questioning the veracity of claims (hell, astrology still sells books and 900-number phone calls).

So... you can't respect other people's personal decisions on spirituality? Granted, the 900-numbers are gimmicky. But why should Astrology books be discredited as non-sense? Most mature people respect other's religious beliefs.

Although Astrology isn't a religion, it is faith-based, as religion is. Is Astrology scientific? No. Niether is the Bible (etc.). You might as well have worded that sentence to say "hell, astrology, christianity, and paganism still sell books...".

All I ask is that you respect other people's personal spiritual beliefs, whether that involves Astrology, Judaism, Wicca, or what have you. An exception is when you're discussing/debating spirituality or religion, but this isn't the case.

I don't believe in Christianity, but I don't attack a Christian's personal beliefs because I don't agree with them. I expect others to respect my personal beliefs the same way.

Re:Why not discredit Christianity and Judaism, too

[dvdeug]

So... you can't respect other people's personal decisions on spirituality? Granted, the 900-numbers are gimmicky. But why should Astrology books be discredited as non-sense?

So you feel it's all right to knock 900-numbers, but astrology books are something that everyone should respect, eh?

You can't just call something faith, and say that no one should say anything about it. Astrology makes certain checkable statements, which tend to found wrong. Most branchs of Christianity and Judaism make few checkable statements; belief in them is a matter of faith.

Reality Check

1. You (read: an average user) successfully typed or obtained müller@müller.de, therefore you can e-mail the address you just typed!
2. Can someone say, "Character Map"? If not, can someone say "Insert > Symbol" and "Copy and Paste"?

FYI: the CACM article *is* online

[creynolds]

The homograph attack in Communications of the ACM 45(2) by Evgeniy Gabrilovich and Alex Gontmakher is online but access to the full text requires paid membership.